diff -Nru snapd-2.32.3.2~14.04/advisor/backend.go snapd-2.37~rc1~14.04/advisor/backend.go
--- snapd-2.32.3.2~14.04/advisor/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/advisor/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,14 +20,16 @@
 package advisor
 
 import (
+	"encoding/json"
 	"os"
-	"strings"
+	"path/filepath"
 	"time"
 
 	"github.com/snapcore/bolt"
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/strutil"
 )
 
 var (
@@ -36,6 +38,7 @@
 )
 
 type writer struct {
+	fn        string
 	db        *bolt.DB
 	tx        *bolt.Tx
 	cmdBucket *bolt.Bucket
@@ -45,7 +48,7 @@
 type CommandDB interface {
 	// AddSnap adds the entries for commands pointing to the given
 	// snap name to the commands database.
-	AddSnap(snapName, summary string, commands []string) error
+	AddSnap(snapName, version, summary string, commands []string) error
 	// Commit persist the changes, and closes the database. If the
 	// database has already been committed/rollbacked, does nothing.
 	Commit() error
@@ -61,32 +64,24 @@
 // these closes the database again.
 func Create() (CommandDB, error) {
 	var err error
-	t := &writer{}
+	t := &writer{
+		fn: dirs.SnapCommandsDB + "." + strutil.MakeRandomString(12) + "~",
+	}
 
-	t.db, err = bolt.Open(dirs.SnapCommandsDB, 0644, &bolt.Options{Timeout: 1 * time.Second})
+	t.db, err = bolt.Open(t.fn, 0644, &bolt.Options{Timeout: 1 * time.Second})
 	if err != nil {
 		return nil, err
 	}
 
 	t.tx, err = t.db.Begin(true)
 	if err == nil {
-		err := t.tx.DeleteBucket(cmdBucketKey)
-		if err == nil || err == bolt.ErrBucketNotFound {
-			t.cmdBucket, err = t.tx.CreateBucket(cmdBucketKey)
+		t.cmdBucket, err = t.tx.CreateBucket(cmdBucketKey)
+		if err == nil {
+			t.pkgBucket, err = t.tx.CreateBucket(pkgBucketKey)
 		}
+
 		if err != nil {
 			t.tx.Rollback()
-
-		}
-
-		if err == nil {
-			err := t.tx.DeleteBucket(pkgBucketKey)
-			if err == nil || err == bolt.ErrBucketNotFound {
-				t.pkgBucket, err = t.tx.CreateBucket(pkgBucketKey)
-			}
-			if err != nil {
-				t.tx.Rollback()
-			}
 		}
 	}
 
@@ -98,23 +93,38 @@
 	return t, nil
 }
 
-func (t *writer) AddSnap(snapName, summary string, commands []string) error {
-	bname := []byte(snapName)
-
+func (t *writer) AddSnap(snapName, version, summary string, commands []string) error {
 	for _, cmd := range commands {
+		var sil []Package
+
 		bcmd := []byte(cmd)
 		row := t.cmdBucket.Get(bcmd)
-		if row == nil {
-			row = bname
-		} else {
-			row = append(append(row, ','), bname...)
+		if row != nil {
+			if err := json.Unmarshal(row, &sil); err != nil {
+				return err
+			}
+		}
+		// For the mapping of command->snap we do not need the summary, nothing is using that.
+		sil = append(sil, Package{Snap: snapName, Version: version})
+		row, err := json.Marshal(sil)
+		if err != nil {
+			return err
 		}
 		if err := t.cmdBucket.Put(bcmd, row); err != nil {
 			return err
 		}
 	}
 
-	if err := t.pkgBucket.Put([]byte(snapName), []byte(summary)); err != nil {
+	// TODO: use json here as well and put the version information here
+	bj, err := json.Marshal(Package{
+		Snap:    snapName,
+		Version: version,
+		Summary: summary,
+	})
+	if err != nil {
+		return err
+	}
+	if err := t.pkgBucket.Put([]byte(snapName), bj); err != nil {
 		return err
 	}
 
@@ -122,11 +132,35 @@
 }
 
 func (t *writer) Commit() error {
-	return t.done(true)
+	// either everything worked, and therefore this will fail, or something
+	// will fail, and that error is more important than this one if this one
+	// then fails as well. So, ignore the error.
+	defer os.Remove(t.fn)
+
+	if err := t.done(true); err != nil {
+		return err
+	}
+
+	dir, err := os.Open(filepath.Dir(dirs.SnapCommandsDB))
+	if err != nil {
+		return err
+	}
+	defer dir.Close()
+
+	if err := os.Rename(t.fn, dirs.SnapCommandsDB); err != nil {
+		return err
+	}
+
+	return dir.Sync()
 }
 
 func (t *writer) Rollback() error {
-	return t.done(false)
+	e1 := t.done(false)
+	e2 := os.Remove(t.fn)
+	if e1 == nil {
+		return e2
+	}
+	return e1
 }
 
 func (t *writer) done(commit bool) error {
@@ -154,7 +188,7 @@
 
 // DumpCommands returns the whole database as a map. For use in
 // testing and debugging.
-func DumpCommands() (map[string][]string, error) {
+func DumpCommands() (map[string]string, error) {
 	db, err := bolt.Open(dirs.SnapCommandsDB, 0644, &bolt.Options{
 		ReadOnly: true,
 		Timeout:  1 * time.Second,
@@ -175,10 +209,10 @@
 		return nil, nil
 	}
 
-	m := map[string][]string{}
+	m := map[string]string{}
 	c := b.Cursor()
 	for k, v := c.First(); k != nil; k, v = c.Next() {
-		m[string(k)] = strings.Split(string(v), ",")
+		m[string(k)] = string(v)
 	}
 
 	return m, nil
@@ -190,6 +224,10 @@
 
 // Open the database for reading.
 func Open() (Finder, error) {
+	// Check for missing file manually to workaround bug in bolt.
+	// bolt.Open() is using os.OpenFile(.., os.O_RDONLY |
+	// os.O_CREATE) even if ReadOnly mode is used. So we would get
+	// a misleading "permission denied" error without this check.
 	if !osutil.FileExists(dirs.SnapCommandsDB) {
 		return nil, os.ErrNotExist
 	}
@@ -220,12 +258,15 @@
 	if buf == nil {
 		return nil, nil
 	}
-
-	snaps := strings.Split(string(buf), ",")
-	cmds := make([]Command, len(snaps))
-	for i, snap := range snaps {
+	var sil []Package
+	if err := json.Unmarshal(buf, &sil); err != nil {
+		return nil, err
+	}
+	cmds := make([]Command, len(sil))
+	for i, si := range sil {
 		cmds[i] = Command{
-			Snap:    snap,
+			Snap:    si.Snap,
+			Version: si.Version,
 			Command: command,
 		}
 	}
@@ -245,10 +286,15 @@
 		return nil, nil
 	}
 
-	bsummary := b.Get([]byte(pkgName))
-	if bsummary == nil {
+	bj := b.Get([]byte(pkgName))
+	if bj == nil {
 		return nil, nil
 	}
+	var si Package
+	err = json.Unmarshal(bj, &si)
+	if err != nil {
+		return nil, err
+	}
 
-	return &Package{Snap: pkgName, Summary: string(bsummary)}, nil
+	return &Package{Snap: pkgName, Version: si.Version, Summary: si.Summary}, nil
 }
diff -Nru snapd-2.32.3.2~14.04/advisor/cmdfinder.go snapd-2.37~rc1~14.04/advisor/cmdfinder.go
--- snapd-2.32.3.2~14.04/advisor/cmdfinder.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/advisor/cmdfinder.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,6 +25,7 @@
 
 type Command struct {
 	Snap    string
+	Version string `json:"Version,omitempty"`
 	Command string
 }
 
diff -Nru snapd-2.32.3.2~14.04/advisor/cmdfinder_test.go snapd-2.37~rc1~14.04/advisor/cmdfinder_test.go
--- snapd-2.32.3.2~14.04/advisor/cmdfinder_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/advisor/cmdfinder_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -44,8 +44,8 @@
 
 	db, err := advisor.Create()
 	c.Assert(err, IsNil)
-	c.Assert(db.AddSnap("foo", "foo summary", []string{"foo", "meh"}), IsNil)
-	c.Assert(db.AddSnap("bar", "bar summary", []string{"bar", "meh"}), IsNil)
+	c.Assert(db.AddSnap("foo", "1.0", "foo summary", []string{"foo", "meh"}), IsNil)
+	c.Assert(db.AddSnap("bar", "2.0", "bar summary", []string{"bar", "meh"}), IsNil)
 	c.Assert(db.Commit(), IsNil)
 }
 
@@ -99,8 +99,8 @@
 	cmds, err := advisor.FindCommand("meh")
 	c.Assert(err, IsNil)
 	c.Check(cmds, DeepEquals, []advisor.Command{
-		{Snap: "foo", Command: "meh"},
-		{Snap: "bar", Command: "meh"},
+		{Snap: "foo", Version: "1.0", Command: "meh"},
+		{Snap: "bar", Version: "2.0", Command: "meh"},
 	})
 }
 
@@ -114,8 +114,8 @@
 	cmds, err := advisor.FindMisspelledCommand("moh")
 	c.Assert(err, IsNil)
 	c.Check(cmds, DeepEquals, []advisor.Command{
-		{Snap: "foo", Command: "meh"},
-		{Snap: "bar", Command: "meh"},
+		{Snap: "foo", Version: "1.0", Command: "meh"},
+		{Snap: "bar", Version: "2.0", Command: "meh"},
 	})
 }
 
@@ -128,10 +128,10 @@
 func (s *cmdfinderSuite) TestDumpCommands(c *C) {
 	cmds, err := advisor.DumpCommands()
 	c.Assert(err, IsNil)
-	c.Check(cmds, DeepEquals, map[string][]string{
-		"foo": {"foo"},
-		"bar": {"bar"},
-		"meh": {"foo", "bar"},
+	c.Check(cmds, DeepEquals, map[string]string{
+		"foo": `[{"snap":"foo","version":"1.0"}]`,
+		"bar": `[{"snap":"bar","version":"2.0"}]`,
+		"meh": `[{"snap":"foo","version":"1.0"},{"snap":"bar","version":"2.0"}]`,
 	})
 }
 
diff -Nru snapd-2.32.3.2~14.04/advisor/pkgfinder.go snapd-2.37~rc1~14.04/advisor/pkgfinder.go
--- snapd-2.32.3.2~14.04/advisor/pkgfinder.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/advisor/pkgfinder.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,8 +24,9 @@
 )
 
 type Package struct {
-	Snap    string
-	Summary string
+	Snap    string `json:"snap"`
+	Version string `json:"version"`
+	Summary string `json:"summary,omitempty"`
 }
 
 func FindPackage(pkgName string) (*Package, error) {
diff -Nru snapd-2.32.3.2~14.04/advisor/pkgfinder_test.go snapd-2.37~rc1~14.04/advisor/pkgfinder_test.go
--- snapd-2.32.3.2~14.04/advisor/pkgfinder_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/advisor/pkgfinder_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,40 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package advisor_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/advisor"
+)
+
+func (s *cmdfinderSuite) TestFindPackageHit(c *C) {
+	pkg, err := advisor.FindPackage("foo")
+	c.Assert(err, IsNil)
+	c.Check(pkg, DeepEquals, &advisor.Package{
+		Snap: "foo", Version: "1.0", Summary: "foo summary",
+	})
+}
+
+func (s *cmdfinderSuite) TestFindPackageMiss(c *C) {
+	pkg, err := advisor.FindPackage("moh")
+	c.Assert(err, IsNil)
+	c.Check(pkg, IsNil)
+}
diff -Nru snapd-2.32.3.2~14.04/arch/arch.go snapd-2.37~rc1~14.04/arch/arch.go
--- snapd-2.32.3.2~14.04/arch/arch.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/arch/arch.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,9 +22,8 @@
 import (
 	"log"
 	"runtime"
-	"syscall"
 
-	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/osutil"
 )
 
 // ArchitectureType is the type for a supported snappy architecture
@@ -78,8 +77,7 @@
 	// arch mapping. The Go arch sadly doesn't map this out
 	// for us so we have to fallback to uname here.
 	if goarch == "arm" {
-		machineName := release.Machine()
-		if machineName == "armv6l" {
+		if osutil.MachineName() == "armv6l" {
 			return "armel"
 		}
 	}
@@ -97,24 +95,7 @@
 // UbuntuArchitecture - however there maybe cases that you run e.g.
 // a snapd:i386 on an amd64 kernel.
 func UbuntuKernelArchitecture() string {
-	var utsname syscall.Utsname
-	if err := syscall.Uname(&utsname); err != nil {
-		log.Panicf("cannot get kernel architecture: %v", err)
-	}
-
-	// syscall.Utsname{} is using [65]int8 for all char[] inside it,
-	// this makes converting it so awkward. The alternative would be
-	// to use a unsafe.Pointer() to cast it to a [65]byte slice.
-	// see https://github.com/golang/go/issues/20753
-	kernelArch := make([]byte, 0, len(utsname.Machine))
-	for _, c := range utsname.Machine {
-		if c == 0 {
-			break
-		}
-		kernelArch = append(kernelArch, byte(c))
-	}
-
-	return ubuntuArchFromKernelArch(string(kernelArch))
+	return ubuntuArchFromKernelArch(osutil.MachineName())
 }
 
 // ubuntuArchFromkernelArch maps the kernel architecture as reported
diff -Nru snapd-2.32.3.2~14.04/asserts/account.go snapd-2.37~rc1~14.04/asserts/account.go
--- snapd-2.32.3.2~14.04/asserts/account.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/account.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,8 +26,6 @@
 )
 
 var (
-	accountValidationCertified = "certified"
-
 	// account ids look like snap-ids or a nice identifier
 	validAccountID = regexp.MustCompile("^(?:[a-z0-9A-Z]{32}|[-a-z0-9]{2,28})$")
 )
@@ -36,8 +34,8 @@
 // to its identifier and provides the authority's confidence in the name's validity.
 type Account struct {
 	assertionBase
-	certified bool
-	timestamp time.Time
+	validation string
+	timestamp  time.Time
 }
 
 // AccountID returns the account-id of the account.
@@ -55,9 +53,12 @@
 	return acc.HeaderString("display-name")
 }
 
-// IsCertified returns true if the authority has confidence in the account's name.
-func (acc *Account) IsCertified() bool {
-	return acc.certified
+// Validation returns the level of confidence of the authority in the
+// account's identity, expected to be "unproven" or "verified", and
+// for forward compatibility any value != "unproven" can be considered
+// at least "verified".
+func (acc *Account) Validation() string {
+	return acc.validation
 }
 
 // Timestamp returns the time when the account was issued.
@@ -82,11 +83,17 @@
 		return nil, err
 	}
 
-	_, err = checkNotEmptyString(assert.headers, "validation")
+	validation, err := checkNotEmptyString(assert.headers, "validation")
 	if err != nil {
 		return nil, err
 	}
-	certified := assert.headers["validation"] == accountValidationCertified
+	// backward compatibility with the hard-coded trusted account
+	// assertions
+	// TODO: generate revision 1 of them with validation
+	// s/certified/verified/
+	if validation == "certified" {
+		validation = "verified"
+	}
 
 	timestamp, err := checkRFC3339Date(assert.headers, "timestamp")
 	if err != nil {
@@ -100,7 +107,7 @@
 
 	return &Account{
 		assertionBase: assert,
-		certified:     certified,
+		validation:    validation,
 		timestamp:     timestamp,
 	}, nil
 }
diff -Nru snapd-2.32.3.2~14.04/asserts/account_test.go snapd-2.37~rc1~14.04/asserts/account_test.go
--- snapd-2.32.3.2~14.04/asserts/account_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/account_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -47,7 +47,7 @@
 	"account-id: abc-123\n" +
 	"display-name: Nice User\n" +
 	"username: nice\n" +
-	"validation: certified\n" +
+	"validation: verified\n" +
 	"TSLINE" +
 	"body-length: 0\n" +
 	"sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij" +
@@ -65,7 +65,7 @@
 	c.Check(account.AccountID(), Equals, "abc-123")
 	c.Check(account.DisplayName(), Equals, "Nice User")
 	c.Check(account.Username(), Equals, "nice")
-	c.Check(account.IsCertified(), Equals, true)
+	c.Check(account.Validation(), Equals, "verified")
 }
 
 func (s *accountSuite) TestOptional(c *C) {
@@ -83,12 +83,13 @@
 	}
 }
 
-func (s *accountSuite) TestIsCertified(c *C) {
+func (s *accountSuite) TestValidation(c *C) {
 	tests := []struct {
-		value       string
-		isCertified bool
+		value      string
+		isVerified bool
 	}{
-		{"certified", true},
+		{"certified", true}, // backward compat for hard-coded trusted assertions
+		{"verified", true},
 		{"unproven", false},
 		{"nonsense", false},
 	}
@@ -97,14 +98,18 @@
 	for _, test := range tests {
 		encoded := strings.Replace(
 			template,
-			"validation: certified\n",
+			"validation: verified\n",
 			fmt.Sprintf("validation: %s\n", test.value),
 			1,
 		)
 		assert, err := asserts.Decode([]byte(encoded))
 		c.Assert(err, IsNil)
 		account := assert.(*asserts.Account)
-		c.Check(account.IsCertified(), Equals, test.isCertified)
+		expected := test.value
+		if test.isVerified {
+			expected = "verified"
+		}
+		c.Check(account.Validation(), Equals, expected)
 	}
 }
 
@@ -121,8 +126,8 @@
 		{"display-name: Nice User\n", "", `"display-name" header is mandatory`},
 		{"display-name: Nice User\n", "display-name: \n", `"display-name" header should not be empty`},
 		{"username: nice\n", "username:\n  - foo\n  - bar\n", `"username" header must be a string`},
-		{"validation: certified\n", "", `"validation" header is mandatory`},
-		{"validation: certified\n", "validation: \n", `"validation" header should not be empty`},
+		{"validation: verified\n", "", `"validation" header is mandatory`},
+		{"validation: verified\n", "validation: \n", `"validation" header should not be empty`},
 		{s.tsLine, "", `"timestamp" header is mandatory`},
 		{s.tsLine, "timestamp: \n", `"timestamp" header should not be empty`},
 		{s.tsLine, "timestamp: 12:30\n", `"timestamp" header is not a RFC3339 date: .*`},
diff -Nru snapd-2.32.3.2~14.04/asserts/asserts.go snapd-2.37~rc1~14.04/asserts/asserts.go
--- snapd-2.32.3.2~14.04/asserts/asserts.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/asserts.go	2019-01-16 08:36:51.000000000 +0000
@@ -124,7 +124,8 @@
 
 	// 1: plugs and slots
 	// 2: support for $SLOT()/$PLUG()/$MISSING
-	maxSupportedFormat[SnapDeclarationType.Name] = 2
+	// 3: support for on-store/on-brand/on-model device scope constraints
+	maxSupportedFormat[SnapDeclarationType.Name] = 3
 }
 
 func MockMaxSupportedFormat(assertType *AssertionType, maxFormat int) (restore func()) {
diff -Nru snapd-2.32.3.2~14.04/asserts/assertstest/assertstest.go snapd-2.37~rc1~14.04/asserts/assertstest/assertstest.go
--- snapd-2.32.3.2~14.04/asserts/assertstest/assertstest.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/assertstest/assertstest.go	2019-01-16 08:36:51.000000000 +0000
@@ -313,7 +313,7 @@
 	ts := time.Now().Format(time.RFC3339)
 	trustedAcct := NewAccount(rootSigning, authorityID, map[string]interface{}{
 		"account-id": authorityID,
-		"validation": "certified",
+		"validation": "verified",
 		"timestamp":  ts,
 	}, "")
 	trustedKey := NewAccountKey(rootSigning, trustedAcct, map[string]interface{}{
@@ -324,7 +324,7 @@
 
 	genericAcct := NewAccount(rootSigning, "generic", map[string]interface{}{
 		"account-id": "generic",
-		"validation": "certified",
+		"validation": "verified",
 		"timestamp":  ts,
 	}, "")
 
diff -Nru snapd-2.32.3.2~14.04/asserts/assertstest/assertstest_test.go snapd-2.37~rc1~14.04/asserts/assertstest/assertstest_test.go
--- snapd-2.32.3.2~14.04/asserts/assertstest/assertstest_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/assertstest/assertstest_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -78,13 +78,13 @@
 	store := assertstest.NewStoreStack("super", nil)
 
 	c.Check(store.TrustedAccount.AccountID(), Equals, "super")
-	c.Check(store.TrustedAccount.IsCertified(), Equals, true)
+	c.Check(store.TrustedAccount.Validation(), Equals, "verified")
 
 	c.Check(store.TrustedKey.AccountID(), Equals, "super")
 	c.Check(store.TrustedKey.Name(), Equals, "root")
 
 	c.Check(store.GenericAccount.AccountID(), Equals, "generic")
-	c.Check(store.GenericAccount.IsCertified(), Equals, true)
+	c.Check(store.GenericAccount.Validation(), Equals, "verified")
 
 	db, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
 		Backstore:       asserts.NewMemoryBackstore(),
@@ -128,7 +128,7 @@
 	acct := assertstest.NewAccount(store, "devel1", nil, "")
 	c.Check(acct.Username(), Equals, "devel1")
 	c.Check(acct.AccountID(), HasLen, 32)
-	c.Check(acct.IsCertified(), Equals, false)
+	c.Check(acct.Validation(), Equals, "unproven")
 
 	err = db.Add(storeAccKey)
 	c.Assert(err, IsNil)
diff -Nru snapd-2.32.3.2~14.04/asserts/database_test.go snapd-2.37~rc1~14.04/asserts/database_test.go
--- snapd-2.32.3.2~14.04/asserts/database_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/database_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -60,7 +60,7 @@
 		"authority-id": "canonical",
 		"account-id":   "trusted",
 		"display-name": "Trusted",
-		"validation":   "certified",
+		"validation":   "verified",
 		"timestamp":    "2015-01-01T14:00:00Z",
 	}
 	acct, err := asserts.AssembleAndSignInTest(asserts.AccountType, headers, nil, testPrivKey0)
@@ -339,7 +339,7 @@
 		"type":         "account",
 		"authority-id": "canonical",
 		"account-id":   "predefined",
-		"validation":   "certified",
+		"validation":   "verified",
 		"display-name": "Predef",
 		"timestamp":    time.Now().Format(time.RFC3339),
 	}
@@ -931,7 +931,7 @@
 		"type":         "account",
 		"authority-id": "canonical",
 		"account-id":   "predefined",
-		"validation":   "certified",
+		"validation":   "verified",
 		"display-name": "Predef",
 		"timestamp":    time.Now().Format(time.RFC3339),
 	}
@@ -1046,7 +1046,7 @@
 		"type":         "account",
 		"authority-id": "canonical",
 		"account-id":   "predefined",
-		"validation":   "certified",
+		"validation":   "verified",
 		"display-name": "Predef",
 		"timestamp":    time.Now().Format(time.RFC3339),
 	}
diff -Nru snapd-2.32.3.2~14.04/asserts/device_asserts.go snapd-2.37~rc1~14.04/asserts/device_asserts.go
--- snapd-2.32.3.2~14.04/asserts/device_asserts.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/device_asserts.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,6 +24,8 @@
 	"regexp"
 	"strings"
 	"time"
+
+	"github.com/snapcore/snapd/strutil"
 )
 
 // Model holds a model assertion, which is a statement by a brand
@@ -71,14 +73,45 @@
 	return mod.HeaderString("architecture")
 }
 
+// snapWithTrack represents a snap that includes optional track
+// information like `snapName=trackName`
+type snapWithTrack string
+
+func (s snapWithTrack) Snap() string {
+	return strings.SplitN(string(s), "=", 2)[0]
+}
+
+func (s snapWithTrack) Track() string {
+	l := strings.SplitN(string(s), "=", 2)
+	if len(l) > 1 {
+		return l[1]
+	}
+	return ""
+}
+
 // Gadget returns the gadget snap the model uses.
 func (mod *Model) Gadget() string {
-	return mod.HeaderString("gadget")
+	return snapWithTrack(mod.HeaderString("gadget")).Snap()
+}
+
+// GadgetTrack returns the gadget track the model uses.
+func (mod *Model) GadgetTrack() string {
+	return snapWithTrack(mod.HeaderString("gadget")).Track()
 }
 
 // Kernel returns the kernel snap the model uses.
 func (mod *Model) Kernel() string {
-	return mod.HeaderString("kernel")
+	return snapWithTrack(mod.HeaderString("kernel")).Snap()
+}
+
+// KernelTrack returns the kernel track the model uses.
+func (mod *Model) KernelTrack() string {
+	return snapWithTrack(mod.HeaderString("kernel")).Track()
+}
+
+// Base returns the base snap the model uses.
+func (mod *Model) Base() string {
+	return mod.HeaderString("base")
 }
 
 // Store returns the snap store the model uses.
@@ -113,11 +146,40 @@
 // limit model to only lowercase for now
 var validModel = regexp.MustCompile("^[a-zA-Z0-9](?:-?[a-zA-Z0-9])*$")
 
+func checkSnapWithTrackHeader(header string, headers map[string]interface{}) error {
+	_, ok := headers[header]
+	if !ok {
+		return nil
+	}
+	value, ok := headers[header].(string)
+	if !ok {
+		return fmt.Errorf(`%q header must be a string`, header)
+	}
+	l := strings.SplitN(value, "=", 2)
+
+	if err := validateSnapName(l[0], header); err != nil {
+		return err
+	}
+	if len(l) == 1 {
+		return nil
+	}
+	track := l[1]
+	if strings.Count(track, "/") != 0 {
+		return fmt.Errorf(`%q channel selector must be a track name only`, header)
+	}
+	channelRisks := []string{"stable", "candidate", "beta", "edge"}
+	if strutil.ListContains(channelRisks, track) {
+		return fmt.Errorf(`%q channel selector must be a track name`, header)
+	}
+	return nil
+}
+
 func checkModel(headers map[string]interface{}) (string, error) {
 	s, err := checkStringMatches(headers, "model", validModel)
 	if err != nil {
 		return "", err
 	}
+
 	// TODO: support the concept of case insensitive/preserving string headers
 	if strings.ToLower(s) != s {
 		return "", fmt.Errorf(`"model" header cannot contain uppercase letters`)
@@ -160,6 +222,29 @@
 	classicModelOptional = []string{"architecture", "gadget"}
 )
 
+var almostValidName = regexp.MustCompile("^[a-z0-9-]*[a-z][a-z0-9-]*$")
+
+// validateSnapName checks whether the name can be used as a snap name
+//
+// This function should be synchronized with the reference implementation
+// snap.ValidateName() in snap/validate.go
+func validateSnapName(name string, headerName string) error {
+	isValidName := func() bool {
+		if !almostValidName.MatchString(name) {
+			return false
+		}
+		if name[0] == '-' || name[len(name)-1] == '-' || strings.Contains(name, "--") {
+			return false
+		}
+		return true
+	}
+
+	if len(name) > 40 || !isValidName() {
+		return fmt.Errorf("invalid snap name in %q header: %s", headerName, name)
+	}
+	return nil
+}
+
 func assembleModel(assert assertionBase) (Assertion, error) {
 	err := checkAuthorityMatchesBrand(&assert)
 	if err != nil {
@@ -180,6 +265,9 @@
 		if _, ok := assert.headers["kernel"]; ok {
 			return nil, fmt.Errorf("cannot specify a kernel with a classic model")
 		}
+		if _, ok := assert.headers["base"]; ok {
+			return nil, fmt.Errorf("cannot specify a base with a classic model")
+		}
 	}
 
 	checker := checkNotEmptyString
@@ -195,6 +283,25 @@
 		}
 	}
 
+	// kernel/gadget must be valid snap names and can have (optional) tracks
+	// - validate those
+	if err := checkSnapWithTrackHeader("kernel", assert.headers); err != nil {
+		return nil, err
+	}
+	if err := checkSnapWithTrackHeader("gadget", assert.headers); err != nil {
+		return nil, err
+	}
+	// base, if provided, must be a valid snap name too
+	base, err := checkOptionalString(assert.headers, "base")
+	if err != nil {
+		return nil, err
+	}
+	if base != "" {
+		if err := validateSnapName(base, "base"); err != nil {
+			return nil, err
+		}
+	}
+
 	// store is optional but must be a string, defaults to the ubuntu store
 	_, err = checkOptionalString(assert.headers, "store")
 	if err != nil {
@@ -207,10 +314,16 @@
 		return nil, err
 	}
 
+	// required snap must be valid snap names
 	reqSnaps, err := checkStringList(assert.headers, "required-snaps")
 	if err != nil {
 		return nil, err
 	}
+	for _, name := range reqSnaps {
+		if err := validateSnapName(name, "required-snaps"); err != nil {
+			return nil, err
+		}
+	}
 
 	sysUserAuthority, err := checkOptionalSystemUserAuthority(assert.headers, assert.HeaderString("brand-id"))
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/asserts/device_asserts_test.go snapd-2.37~rc1~14.04/asserts/device_asserts_test.go
--- snapd-2.32.3.2~14.04/asserts/device_asserts_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/device_asserts_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package asserts_test
 
 import (
+	"fmt"
 	"strings"
 	"time"
 
@@ -58,6 +59,7 @@
 		"display-name: Baz 3000\n" +
 		"architecture: amd64\n" +
 		"gadget: brand-gadget\n" +
+		"base: core18\n" +
 		"kernel: baz-linux\n" +
 		"store: brand-store\n" +
 		sysUserAuths +
@@ -100,7 +102,10 @@
 	c.Check(model.DisplayName(), Equals, "Baz 3000")
 	c.Check(model.Architecture(), Equals, "amd64")
 	c.Check(model.Gadget(), Equals, "brand-gadget")
+	c.Check(model.GadgetTrack(), Equals, "")
 	c.Check(model.Kernel(), Equals, "baz-linux")
+	c.Check(model.KernelTrack(), Equals, "")
+	c.Check(model.Base(), Equals, "core18")
 	c.Check(model.Store(), Equals, "brand-store")
 	c.Check(model.RequiredSnaps(), DeepEquals, []string{"foo", "bar"})
 	c.Check(model.SystemUserAuthority(), HasLen, 0)
@@ -121,6 +126,21 @@
 	c.Check(model.Store(), Equals, "")
 }
 
+func (mods *modelSuite) TestDecodeBaseIsOptional(c *C) {
+	withTimestamp := strings.Replace(modelExample, "TSLINE", mods.tsLine, 1)
+	encoded := strings.Replace(withTimestamp, "base: core18\n", "base: \n", 1)
+	a, err := asserts.Decode([]byte(encoded))
+	c.Assert(err, IsNil)
+	model := a.(*asserts.Model)
+	c.Check(model.Base(), Equals, "")
+
+	encoded = strings.Replace(withTimestamp, "base: core18\n", "", 1)
+	a, err = asserts.Decode([]byte(encoded))
+	c.Assert(err, IsNil)
+	model = a.(*asserts.Model)
+	c.Check(model.Base(), Equals, "")
+}
+
 func (mods *modelSuite) TestDecodeDisplayNameIsOptional(c *C) {
 	withTimestamp := strings.Replace(modelExample, "TSLINE", mods.tsLine, 1)
 	encoded := strings.Replace(withTimestamp, "display-name: Baz 3000\n", "display-name: \n", 1)
@@ -147,6 +167,92 @@
 	c.Check(model.RequiredSnaps(), HasLen, 0)
 }
 
+func (mods *modelSuite) TestDecodeValidatesSnapNames(c *C) {
+	withTimestamp := strings.Replace(modelExample, "TSLINE", mods.tsLine, 1)
+	encoded := strings.Replace(withTimestamp, reqSnaps, "required-snaps:\n  - foo_bar\n  - bar\n", 1)
+	a, err := asserts.Decode([]byte(encoded))
+	c.Assert(a, IsNil)
+	c.Assert(err, ErrorMatches, `assertion model: invalid snap name in "required-snaps" header: foo_bar`)
+
+	encoded = strings.Replace(withTimestamp, reqSnaps, "required-snaps:\n  - foo\n  - bar-;;''\n", 1)
+	a, err = asserts.Decode([]byte(encoded))
+	c.Assert(a, IsNil)
+	c.Assert(err, ErrorMatches, `assertion model: invalid snap name in "required-snaps" header: bar-;;''`)
+
+	encoded = strings.Replace(withTimestamp, "kernel: baz-linux\n", "kernel: baz-linux_instance\n", 1)
+	a, err = asserts.Decode([]byte(encoded))
+	c.Assert(a, IsNil)
+	c.Assert(err, ErrorMatches, `assertion model: invalid snap name in "kernel" header: baz-linux_instance`)
+
+	encoded = strings.Replace(withTimestamp, "gadget: brand-gadget\n", "gadget: brand-gadget_instance\n", 1)
+	a, err = asserts.Decode([]byte(encoded))
+	c.Assert(a, IsNil)
+	c.Assert(err, ErrorMatches, `assertion model: invalid snap name in "gadget" header: brand-gadget_instance`)
+
+	encoded = strings.Replace(withTimestamp, "base: core18\n", "base: core18_instance\n", 1)
+	a, err = asserts.Decode([]byte(encoded))
+	c.Assert(a, IsNil)
+	c.Assert(err, ErrorMatches, `assertion model: invalid snap name in "base" header: core18_instance`)
+}
+
+func (mods modelSuite) TestDecodeValidSnapNames(c *C) {
+	// reuse test cases for snap.ValidateName()
+
+	withTimestamp := strings.Replace(modelExample, "TSLINE", mods.tsLine, 1)
+
+	validNames := []string{
+		"a", "aa", "aaa", "aaaa",
+		"a-a", "aa-a", "a-aa", "a-b-c",
+		"a0", "a-0", "a-0a",
+		"01game", "1-or-2",
+		// a regexp stresser
+		"u-94903713687486543234157734673284536758",
+	}
+	for _, name := range validNames {
+		encoded := strings.Replace(withTimestamp, "kernel: baz-linux\n", fmt.Sprintf("kernel: %s\n", name), 1)
+		a, err := asserts.Decode([]byte(encoded))
+		c.Assert(err, IsNil)
+		model := a.(*asserts.Model)
+		c.Check(model.Kernel(), Equals, name)
+	}
+	invalidNames := []string{
+		// name cannot be empty, never reaches snap name validation
+		"",
+		// names cannot be too long
+		"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+		"xxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx",
+		"1111111111111111111111111111111111111111x",
+		"x1111111111111111111111111111111111111111",
+		"x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x",
+		// a regexp stresser
+		"u-9490371368748654323415773467328453675-",
+		// dashes alone are not a name
+		"-", "--",
+		// double dashes in a name are not allowed
+		"a--a",
+		// name should not end with a dash
+		"a-",
+		// name cannot have any spaces in it
+		"a ", " a", "a a",
+		// a number alone is not a name
+		"0", "123",
+		// identifier must be plain ASCII
+		"日本語", "한글", "ру́сский язы́к",
+		// instance names are invalid too
+		"foo_bar", "x_1",
+	}
+	for _, name := range invalidNames {
+		encoded := strings.Replace(withTimestamp, "kernel: baz-linux\n", fmt.Sprintf("kernel: %s\n", name), 1)
+		a, err := asserts.Decode([]byte(encoded))
+		c.Assert(a, IsNil)
+		if name != "" {
+			c.Assert(err, ErrorMatches, `assertion model: invalid snap name in "kernel" header: .*`)
+		} else {
+			c.Assert(err, ErrorMatches, `assertion model: "kernel" header should not be empty`)
+		}
+	}
+}
+
 func (mods *modelSuite) TestDecodeSystemUserAuthorityIsOptional(c *C) {
 	withTimestamp := strings.Replace(modelExample, "TSLINE", mods.tsLine, 1)
 	encoded := strings.Replace(withTimestamp, sysUserAuths, "", 1)
@@ -163,6 +269,26 @@
 	c.Check(model.SystemUserAuthority(), DeepEquals, []string{"foo", "bar"})
 }
 
+func (mods *modelSuite) TestDecodeKernelTrack(c *C) {
+	withTimestamp := strings.Replace(modelExample, "TSLINE", mods.tsLine, 1)
+	encoded := strings.Replace(withTimestamp, "kernel: baz-linux\n", "kernel: baz-linux=18\n", 1)
+	a, err := asserts.Decode([]byte(encoded))
+	c.Assert(err, IsNil)
+	model := a.(*asserts.Model)
+	c.Check(model.Kernel(), Equals, "baz-linux")
+	c.Check(model.KernelTrack(), Equals, "18")
+}
+
+func (mods *modelSuite) TestDecodeGadgetTrack(c *C) {
+	withTimestamp := strings.Replace(modelExample, "TSLINE", mods.tsLine, 1)
+	encoded := strings.Replace(withTimestamp, "gadget: brand-gadget\n", "gadget: brand-gadget=18\n", 1)
+	a, err := asserts.Decode([]byte(encoded))
+	c.Assert(err, IsNil)
+	model := a.(*asserts.Model)
+	c.Check(model.Gadget(), Equals, "brand-gadget")
+	c.Check(model.GadgetTrack(), Equals, "18")
+}
+
 const (
 	modelErrPrefix = "assertion model: "
 )
@@ -186,8 +312,16 @@
 		{"architecture: amd64\n", "architecture: \n", `"architecture" header should not be empty`},
 		{"gadget: brand-gadget\n", "", `"gadget" header is mandatory`},
 		{"gadget: brand-gadget\n", "gadget: \n", `"gadget" header should not be empty`},
+		{"gadget: brand-gadget\n", "gadget: brand-gadget=x/x/x\n", `"gadget" channel selector must be a track name only`},
+		{"gadget: brand-gadget\n", "gadget: brand-gadget=stable\n", `"gadget" channel selector must be a track name`},
+		{"gadget: brand-gadget\n", "gadget: brand-gadget=18/beta\n", `"gadget" channel selector must be a track name only`},
+		{"gadget: brand-gadget\n", "gadget:\n  - xyz \n", `"gadget" header must be a string`},
 		{"kernel: baz-linux\n", "", `"kernel" header is mandatory`},
 		{"kernel: baz-linux\n", "kernel: \n", `"kernel" header should not be empty`},
+		{"kernel: baz-linux\n", "kernel: baz-linux=x/x/x\n", `"kernel" channel selector must be a track name only`},
+		{"kernel: baz-linux\n", "kernel: baz-linux=stable\n", `"kernel" channel selector must be a track name`},
+		{"kernel: baz-linux\n", "kernel: baz-linux=18/beta\n", `"kernel" channel selector must be a track name only`},
+		{"kernel: baz-linux\n", "kernel:\n  - xyz \n", `"kernel" header must be a string`},
 		{"store: brand-store\n", "store:\n  - xyz\n", `"store" header must be a string`},
 		{mods.tsLine, "", `"timestamp" header is mandatory`},
 		{mods.tsLine, "timestamp: \n", `"timestamp" header should not be empty`},
@@ -255,6 +389,7 @@
 	c.Check(model.Architecture(), Equals, "amd64")
 	c.Check(model.Gadget(), Equals, "brand-gadget")
 	c.Check(model.Kernel(), Equals, "")
+	c.Check(model.KernelTrack(), Equals, "")
 	c.Check(model.Store(), Equals, "brand-store")
 	c.Check(model.RequiredSnaps(), DeepEquals, []string{"foo", "bar"})
 }
@@ -267,6 +402,7 @@
 		{"architecture: amd64\n", "architecture:\n  - foo\n", `"architecture" header must be a string`},
 		{"gadget: brand-gadget\n", "gadget:\n  - foo\n", `"gadget" header must be a string`},
 		{"gadget: brand-gadget\n", "kernel: brand-kernel\n", `cannot specify a kernel with a classic model`},
+		{"gadget: brand-gadget\n", "base: some-base\n", `cannot specify a base with a classic model`},
 	}
 
 	for _, test := range invalidTests {
diff -Nru snapd-2.32.3.2~14.04/asserts/export_test.go snapd-2.37~rc1~14.04/asserts/export_test.go
--- snapd-2.32.3.2~14.04/asserts/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,7 +55,7 @@
 				"type":         "account",
 				"authority-id": authorityID,
 				"account-id":   authorityID,
-				"validation":   "certified",
+				"validation":   "verified",
 			},
 		},
 		timestamp: time.Now().UTC(),
diff -Nru snapd-2.32.3.2~14.04/asserts/header_checks.go snapd-2.37~rc1~14.04/asserts/header_checks.go
--- snapd-2.32.3.2~14.04/asserts/header_checks.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/header_checks.go	2019-01-16 08:36:51.000000000 +0000
@@ -196,8 +196,10 @@
 	return b, nil
 }
 
-var anyString = regexp.MustCompile("")
-
+// checkStringListInMap returns the `name` entry in the `m` map as a (possibly nil) `[]string`
+// if `m` has an entry for `name` and it isn't a `[]string`, an error is returned
+// if pattern is not nil, all the strings must match that pattern, otherwise an error is returned
+// `what` is a descriptor, used for error messages
 func checkStringListInMap(m map[string]interface{}, name, what string, pattern *regexp.Regexp) ([]string, error) {
 	value, ok := m[name]
 	if !ok {
@@ -216,7 +218,7 @@
 		if !ok {
 			return nil, fmt.Errorf("%s must be a list of strings", what)
 		}
-		if !pattern.MatchString(s) {
+		if pattern != nil && !pattern.MatchString(s) {
 			return nil, fmt.Errorf("%s contains an invalid element: %q", what, s)
 		}
 		res[i] = s
@@ -225,7 +227,7 @@
 }
 
 func checkStringList(headers map[string]interface{}, name string) ([]string, error) {
-	return checkStringListMatches(headers, name, anyString)
+	return checkStringListMatches(headers, name, nil)
 }
 
 func checkStringListMatches(headers map[string]interface{}, name string, pattern *regexp.Regexp) ([]string, error) {
diff -Nru snapd-2.32.3.2~14.04/asserts/ifacedecls.go snapd-2.37~rc1~14.04/asserts/ifacedecls.go
--- snapd-2.32.3.2~14.04/asserts/ifacedecls.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/ifacedecls.go	2019-01-16 08:36:51.000000000 +0000
@@ -37,6 +37,8 @@
 const (
 	// feature label for $SLOT()/$PLUG()/$MISSING
 	dollarAttrConstraintsFeature = "dollar-attr-constraints"
+	// feature label for on-store/on-brand/on-model
+	deviceScopeConstraintsFeature = "device-scope-constraints"
 )
 
 type attrMatcher interface {
@@ -150,6 +152,14 @@
 
 func (matcher mapAttrMatcher) match(apath string, v interface{}, ctx AttrMatchContext) error {
 	switch x := v.(type) {
+	case Attrer:
+		// we get Atter from root-level Check (apath is "")
+		for k, matcher1 := range matcher {
+			v, _ := x.Lookup(k)
+			if err := matchEntry("", k, matcher1, v, ctx); err != nil {
+				return err
+			}
+		}
 	case map[string]interface{}: // maps in attributes look like this
 		for k, matcher1 := range matcher {
 			if err := matchEntry(apath, k, matcher1, x[k], ctx); err != nil {
@@ -340,9 +350,14 @@
 	NeverMatchAttributes  = &AttributeConstraints{matcher: fixedAttrMatcher{errors.New("not allowed")}}
 )
 
+// Attrer reflects part of the Attrer interface (see interfaces.Attrer).
+type Attrer interface {
+	Lookup(path string) (interface{}, bool)
+}
+
 // Check checks whether attrs don't match the constraints.
-func (c *AttributeConstraints) Check(attrs map[string]interface{}, ctx AttrMatchContext) error {
-	return c.matcher.match("", attrs, ctx)
+func (c *AttributeConstraints) Check(attrer Attrer, ctx AttrMatchContext) error {
+	return c.matcher.match("", attrer, ctx)
 }
 
 // OnClassicConstraint specifies a constraint based whether the system is classic and optional specific distros' sets.
@@ -351,6 +366,66 @@
 	SystemIDs []string
 }
 
+// DeviceScopeConstraint specifies a constraints based on which brand
+// store, brand or model the device belongs to.
+type DeviceScopeConstraint struct {
+	Store []string
+	Brand []string
+	// Model is a list of precise "<brand>/<model>" constraints
+	Model []string
+}
+
+var (
+	validStoreID         = regexp.MustCompile("^[-A-Z0-9a-z_]+$")
+	validBrandSlashModel = regexp.MustCompile("^(" +
+		strings.Trim(validAccountID.String(), "^$") +
+		")/(" +
+		strings.Trim(validModel.String(), "^$") +
+		")$")
+	deviceScopeConstraints = map[string]*regexp.Regexp{
+		"on-store": validStoreID,
+		"on-brand": validAccountID,
+		// on-model constraints are of the form list of
+		// <brand>/<model> strings where <brand> are account
+		// IDs as they appear in the respective model assertion
+		"on-model": validBrandSlashModel,
+	}
+)
+
+func detectDeviceScopeConstraint(cMap map[string]interface{}) bool {
+	// for consistency and simplicity we support all of on-store,
+	// on-brand, and on-model to appear together. The interpretation
+	// layer will AND them as usual
+	for field := range deviceScopeConstraints {
+		if cMap[field] != nil {
+			return true
+		}
+	}
+	return false
+}
+
+func compileDeviceScopeConstraint(cMap map[string]interface{}, context string) (constr *DeviceScopeConstraint, err error) {
+	// initial map size of 2: we expect usual cases to have just one of the
+	// constraints or rarely 2
+	deviceConstr := make(map[string][]string, 2)
+	for field, validRegexp := range deviceScopeConstraints {
+		vals, err := checkStringListInMap(cMap, field, fmt.Sprintf("%s in %s", field, context), validRegexp)
+		if err != nil {
+			return nil, err
+		}
+		deviceConstr[field] = vals
+	}
+
+	if len(deviceConstr) == 0 {
+		return nil, fmt.Errorf("internal error: misdetected device scope constraints in %s", context)
+	}
+	return &DeviceScopeConstraint{
+		Store: deviceConstr["on-store"],
+		Brand: deviceConstr["on-brand"],
+		Model: deviceConstr["on-model"],
+	}, nil
+}
+
 // rules
 
 var (
@@ -388,6 +463,7 @@
 	setAttributeConstraints(field string, cstrs *AttributeConstraints)
 	setIDConstraints(field string, cstrs []string)
 	setOnClassicConstraint(onClassic *OnClassicConstraint)
+	setDeviceScopeConstraint(deviceScope *DeviceScopeConstraint)
 }
 
 func baseCompileConstraints(context string, cDef constraintsDef, target constraintsHolder, attrConstraints, idConstraints []string) error {
@@ -452,8 +528,21 @@
 		}
 		target.setOnClassicConstraint(c)
 	}
-	if defaultUsed == len(attributeConstraints)+len(idConstraints)+1 {
-		return fmt.Errorf("%s must specify at least one of %s, %s, on-classic", context, strings.Join(attrConstraints, ", "), strings.Join(idConstraints, ", "))
+	if !detectDeviceScopeConstraint(cMap) {
+		defaultUsed++
+	} else {
+		c, err := compileDeviceScopeConstraint(cMap, context)
+		if err != nil {
+			return err
+		}
+		target.setDeviceScopeConstraint(c)
+	}
+	// checks whether defaults have been used for everything, which is not
+	// well-formed
+	// +1+1 accounts for defaults for missing on-classic plus missing
+	// on-store/on-brand/on-model
+	if defaultUsed == len(attributeConstraints)+len(idConstraints)+1+1 {
+		return fmt.Errorf("%s must specify at least one of %s, %s, on-classic, on-store, on-brand, on-model", context, strings.Join(attrConstraints, ", "), strings.Join(idConstraints, ", "))
 	}
 	return nil
 }
@@ -624,9 +713,14 @@
 	PlugAttributes *AttributeConstraints
 
 	OnClassic *OnClassicConstraint
+
+	DeviceScope *DeviceScopeConstraint
 }
 
 func (c *PlugInstallationConstraints) feature(flabel string) bool {
+	if flabel == deviceScopeConstraintsFeature {
+		return c.DeviceScope != nil
+	}
 	return c.PlugAttributes.feature(flabel)
 }
 
@@ -652,6 +746,10 @@
 	c.OnClassic = onClassic
 }
 
+func (c *PlugInstallationConstraints) setDeviceScopeConstraint(deviceScope *DeviceScopeConstraint) {
+	c.DeviceScope = deviceScope
+}
+
 func compilePlugInstallationConstraints(context string, cDef constraintsDef) (constraintsHolder, error) {
 	plugInstCstrs := &PlugInstallationConstraints{}
 	err := baseCompileConstraints(context, cDef, plugInstCstrs, []string{"plug-attributes"}, []string{"plug-snap-type"})
@@ -673,9 +771,14 @@
 	SlotAttributes *AttributeConstraints
 
 	OnClassic *OnClassicConstraint
+
+	DeviceScope *DeviceScopeConstraint
 }
 
 func (c *PlugConnectionConstraints) feature(flabel string) bool {
+	if flabel == deviceScopeConstraintsFeature {
+		return c.DeviceScope != nil
+	}
 	return c.PlugAttributes.feature(flabel) || c.SlotAttributes.feature(flabel)
 }
 
@@ -707,6 +810,10 @@
 	c.OnClassic = onClassic
 }
 
+func (c *PlugConnectionConstraints) setDeviceScopeConstraint(deviceScope *DeviceScopeConstraint) {
+	c.DeviceScope = deviceScope
+}
+
 var (
 	attributeConstraints = []string{"plug-attributes", "slot-attributes"}
 	plugIDConstraints    = []string{"slot-snap-type", "slot-publisher-id", "slot-snap-id"}
@@ -856,9 +963,14 @@
 	SlotAttributes *AttributeConstraints
 
 	OnClassic *OnClassicConstraint
+
+	DeviceScope *DeviceScopeConstraint
 }
 
 func (c *SlotInstallationConstraints) feature(flabel string) bool {
+	if flabel == deviceScopeConstraintsFeature {
+		return c.DeviceScope != nil
+	}
 	return c.SlotAttributes.feature(flabel)
 }
 
@@ -884,6 +996,10 @@
 	c.OnClassic = onClassic
 }
 
+func (c *SlotInstallationConstraints) setDeviceScopeConstraint(deviceScope *DeviceScopeConstraint) {
+	c.DeviceScope = deviceScope
+}
+
 func compileSlotInstallationConstraints(context string, cDef constraintsDef) (constraintsHolder, error) {
 	slotInstCstrs := &SlotInstallationConstraints{}
 	err := baseCompileConstraints(context, cDef, slotInstCstrs, []string{"slot-attributes"}, []string{"slot-snap-type"})
@@ -905,9 +1021,14 @@
 	PlugAttributes *AttributeConstraints
 
 	OnClassic *OnClassicConstraint
+
+	DeviceScope *DeviceScopeConstraint
 }
 
 func (c *SlotConnectionConstraints) feature(flabel string) bool {
+	if flabel == deviceScopeConstraintsFeature {
+		return c.DeviceScope != nil
+	}
 	return c.PlugAttributes.feature(flabel) || c.SlotAttributes.feature(flabel)
 }
 
@@ -943,6 +1064,10 @@
 	c.OnClassic = onClassic
 }
 
+func (c *SlotConnectionConstraints) setDeviceScopeConstraint(deviceScope *DeviceScopeConstraint) {
+	c.DeviceScope = deviceScope
+}
+
 func compileSlotConnectionConstraints(context string, cDef constraintsDef) (constraintsHolder, error) {
 	slotConnCstrs := &SlotConnectionConstraints{}
 	err := baseCompileConstraints(context, cDef, slotConnCstrs, attributeConstraints, slotIDConstraints)
diff -Nru snapd-2.32.3.2~14.04/asserts/ifacedecls_test.go snapd-2.37~rc1~14.04/asserts/ifacedecls_test.go
--- snapd-2.32.3.2~14.04/asserts/ifacedecls_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/ifacedecls_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -41,7 +41,14 @@
 	testutil.BaseTest
 }
 
-func attrs(yml string) map[string]interface{} {
+type attrerObject map[string]interface{}
+
+func (o attrerObject) Lookup(path string) (interface{}, bool) {
+	v, ok := o[path]
+	return v, ok
+}
+
+func attrs(yml string) *attrerObject {
 	var attrs map[string]interface{}
 	err := yaml.Unmarshal([]byte(yml), &attrs)
 	if err != nil {
@@ -56,11 +63,17 @@
 	if err != nil {
 		panic(err)
 	}
+
+	// NOTE: it's important to go through snap yaml here even though we're really interested in Attrs only,
+	// as InfoFromSnapYaml normalizes yaml values.
 	info, err := snap.InfoFromSnapYaml(snapYaml)
 	if err != nil {
 		panic(err)
 	}
-	return info.Plugs["plug"].Attrs
+
+	var ao attrerObject
+	ao = info.Plugs["plug"].Attrs
+	return &ao
 }
 
 func (s *attrConstraintsSuite) SetUpTest(c *C) {
@@ -81,24 +94,27 @@
 	cstrs, err := asserts.CompileAttributeConstraints(m["attrs"].(map[string]interface{}))
 	c.Assert(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug := attrerObject(map[string]interface{}{
 		"foo": "FOO",
 		"bar": "BAR",
 		"baz": "BAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"foo": "FOO",
 		"bar": "BAZ",
 		"baz": "BAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, ErrorMatches, `attribute "bar" value "BAZ" does not match \^\(BAR\)\$`)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"foo": "FOO",
 		"baz": "BAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, ErrorMatches, `attribute "bar" has constraints but is unset`)
 }
 
@@ -110,29 +126,34 @@
 	cstrs, err := asserts.CompileAttributeConstraints(m["attrs"].(map[string]interface{}))
 	c.Assert(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug := attrerObject(map[string]interface{}{
 		"bar": "BAR",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"bar": "BARR",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, ErrorMatches, `attribute "bar" value "BARR" does not match \^\(BAR|BAZ\)\$`)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"bar": "BBAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, ErrorMatches, `attribute "bar" value "BAZZ" does not match \^\(BAR|BAZ\)\$`)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"bar": "BABAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, ErrorMatches, `attribute "bar" value "BABAZ" does not match \^\(BAR|BAZ\)\$`)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"bar": "BARAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, ErrorMatches, `attribute "bar" value "BARAZ" does not match \^\(BAR|BAZ\)\$`)
 }
 
@@ -199,25 +220,28 @@
 	cstrs, err := asserts.CompileAttributeConstraints(m["attrs"].([]interface{}))
 	c.Assert(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug := attrerObject(map[string]interface{}{
 		"foo": "FOO",
 		"bar": "BAR",
 		"baz": "BAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"foo": "FOO",
 		"bar": "BAZ",
 		"baz": "BAZ",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug = attrerObject(map[string]interface{}{
 		"foo": "FOO",
 		"bar": "BARR",
 		"baz": "BAR",
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, ErrorMatches, `no alternative matches: attribute "bar" value "BARR" does not match \^\(BAR\)\$`)
 }
 
@@ -274,10 +298,11 @@
 `), nil)
 	c.Check(err, IsNil)
 
-	err = cstrs.Check(map[string]interface{}{
+	plug := attrerObject(map[string]interface{}{
 		"foo": int64(1),
 		"bar": true,
-	}, nil)
+	})
+	err = cstrs.Check(plug, nil)
 	c.Check(err, IsNil)
 }
 
@@ -461,12 +486,14 @@
 type plugSlotRulesSuite struct{}
 
 func checkAttrs(c *C, attrs *asserts.AttributeConstraints, witness, expected string) {
-	c.Check(attrs.Check(map[string]interface{}{
+	plug := attrerObject(map[string]interface{}{
 		witness: "XYZ",
-	}, nil), ErrorMatches, fmt.Sprintf(`attribute "%s".*does not match.*`, witness))
-	c.Check(attrs.Check(map[string]interface{}{
+	})
+	c.Check(attrs.Check(plug, nil), ErrorMatches, fmt.Sprintf(`attribute "%s".*does not match.*`, witness))
+	plug = attrerObject(map[string]interface{}{
 		witness: expected,
-	}, nil), IsNil)
+	})
+	c.Check(attrs.Check(plug, nil), IsNil)
 }
 
 func checkBoolPlugConnConstraints(c *C, cstrs []*asserts.PlugConnectionConstraints, always bool) {
@@ -750,6 +777,65 @@
 	c.Check(rule.AllowInstallation[0].OnClassic, DeepEquals, &asserts.OnClassicConstraint{Classic: true, SystemIDs: []string{"ubuntu", "debian"}})
 }
 
+func (s *plugSlotRulesSuite) TestCompilePlugRuleInstallationConstraintsDeviceScope(c *C) {
+	m, err := asserts.ParseHeaders([]byte(`iface:
+  allow-installation: true`))
+	c.Assert(err, IsNil)
+
+	rule, err := asserts.CompilePlugRule("iface", m["iface"].(map[string]interface{}))
+	c.Assert(err, IsNil)
+
+	c.Check(rule.AllowInstallation[0].DeviceScope, IsNil)
+
+	tests := []struct {
+		rule     string
+		expected asserts.DeviceScopeConstraint
+	}{
+		{`iface:
+  allow-installation:
+    on-store:
+      - my-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store"}}},
+		{`iface:
+  allow-installation:
+    on-store:
+      - my-store
+      - other-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store", "other-store"}}},
+		{`iface:
+  allow-installation:
+    on-brand:
+      - my-brand
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT`, asserts.DeviceScopeConstraint{Brand: []string{"my-brand", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT"}}},
+		{`iface:
+  allow-installation:
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+		{`iface:
+  allow-installation:
+    on-store:
+      - store1
+      - store2
+    on-brand:
+      - my-brand
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{
+			Store: []string{"store1", "store2"},
+			Brand: []string{"my-brand"},
+			Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+	}
+
+	for _, t := range tests {
+		m, err = asserts.ParseHeaders([]byte(t.rule))
+		c.Assert(err, IsNil)
+
+		rule, err = asserts.CompilePlugRule("iface", m["iface"].(map[string]interface{}))
+		c.Assert(err, IsNil)
+
+		c.Check(rule.AllowInstallation[0].DeviceScope, DeepEquals, &t.expected)
+	}
+}
+
 func (s *plugSlotRulesSuite) TestCompilePlugRuleConnectionConstraintsIDConstraints(c *C) {
 	rule, err := asserts.CompilePlugRule("iface", map[string]interface{}{
 		"allow-connection": map[string]interface{}{
@@ -811,6 +897,65 @@
 	c.Check(rule.AllowConnection[0].OnClassic, DeepEquals, &asserts.OnClassicConstraint{Classic: true, SystemIDs: []string{"ubuntu", "debian"}})
 }
 
+func (s *plugSlotRulesSuite) TestCompilePlugRuleConnectionConstraintsDeviceScope(c *C) {
+	m, err := asserts.ParseHeaders([]byte(`iface:
+  allow-connection: true`))
+	c.Assert(err, IsNil)
+
+	rule, err := asserts.CompilePlugRule("iface", m["iface"].(map[string]interface{}))
+	c.Assert(err, IsNil)
+
+	c.Check(rule.AllowInstallation[0].DeviceScope, IsNil)
+
+	tests := []struct {
+		rule     string
+		expected asserts.DeviceScopeConstraint
+	}{
+		{`iface:
+  allow-connection:
+    on-store:
+      - my-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store"}}},
+		{`iface:
+  allow-connection:
+    on-store:
+      - my-store
+      - other-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store", "other-store"}}},
+		{`iface:
+  allow-connection:
+    on-brand:
+      - my-brand
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT`, asserts.DeviceScopeConstraint{Brand: []string{"my-brand", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT"}}},
+		{`iface:
+  allow-connection:
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+		{`iface:
+  allow-connection:
+    on-store:
+      - store1
+      - store2
+    on-brand:
+      - my-brand
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{
+			Store: []string{"store1", "store2"},
+			Brand: []string{"my-brand"},
+			Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+	}
+
+	for _, t := range tests {
+		m, err = asserts.ParseHeaders([]byte(t.rule))
+		c.Assert(err, IsNil)
+
+		rule, err = asserts.CompilePlugRule("iface", m["iface"].(map[string]interface{}))
+		c.Assert(err, IsNil)
+
+		c.Check(rule.AllowConnection[0].DeviceScope, DeepEquals, &t.expected)
+	}
+}
+
 func (s *plugSlotRulesSuite) TestCompilePlugRuleConnectionConstraintsAttributesDefault(c *C) {
 	rule, err := asserts.CompilePlugRule("iface", map[string]interface{}{
 		"allow-connection": map[string]interface{}{
@@ -873,21 +1018,51 @@
 		{`iface:
   allow-connection:
     slot-snap-ids:
-      - foo`, `allow-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic`},
+      - foo`, `allow-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   deny-connection:
     slot-snap-ids:
-      - foo`, `deny-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic`},
+      - foo`, `deny-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   allow-auto-connection:
     slot-snap-ids:
-      - foo`, `allow-auto-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic`},
+      - foo`, `allow-auto-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   deny-auto-connection:
     slot-snap-ids:
-      - foo`, `deny-auto-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic`},
+      - foo`, `deny-auto-connection in plug rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, slot-snap-type, slot-publisher-id, slot-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   allow-connect: true`, `plug rule for interface "iface" must specify at least one of allow-installation, deny-installation, allow-connection, deny-connection, allow-auto-connection, deny-auto-connection`},
+		{`iface:
+  allow-installation:
+    on-store: true`, `on-store in allow-installation in plug rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-installation:
+    on-store: store1`, `on-store in allow-installation in plug rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-installation:
+    on-store:
+      - zoom!`, `on-store in allow-installation in plug rule for interface \"iface\" contains an invalid element: \"zoom!\"`},
+		{`iface:
+  allow-connection:
+    on-brand: true`, `on-brand in allow-connection in plug rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-connection:
+    on-brand: brand1`, `on-brand in allow-connection in plug rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-connection:
+    on-brand:
+      - zoom!`, `on-brand in allow-connection in plug rule for interface \"iface\" contains an invalid element: \"zoom!\"`},
+		{`iface:
+  allow-auto-connection:
+    on-model: true`, `on-model in allow-auto-connection in plug rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-auto-connection:
+    on-model: foo/bar`, `on-model in allow-auto-connection in plug rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-auto-connection:
+    on-model:
+      - foo/!qz`, `on-model in allow-auto-connection in plug rule for interface \"iface\" contains an invalid element: \"foo/!qz"`},
 	}
 
 	for _, t := range tests {
@@ -899,6 +1074,14 @@
 	}
 }
 
+var (
+	deviceScopeConstrs = map[string][]interface{}{
+		"on-store": {"store"},
+		"on-brand": {"brand"},
+		"on-model": {"brand/model"},
+	}
+)
+
 func (s *plugSlotRulesSuite) TestPlugRuleFeatures(c *C) {
 	combos := []struct {
 		subrule         string
@@ -928,6 +1111,8 @@
 			c.Assert(err, IsNil)
 			c.Check(asserts.RuleFeature(rule, "dollar-attr-constraints"), Equals, false, Commentf("%v", ruleMap))
 
+			c.Check(asserts.RuleFeature(rule, "device-scope-constraints"), Equals, false, Commentf("%v", ruleMap))
+
 			attrConstraintMap["a"] = "$MISSING"
 			rule, err = asserts.CompilePlugRule("iface", ruleMap)
 			c.Assert(err, IsNil)
@@ -939,6 +1124,20 @@
 			c.Assert(err, IsNil)
 			c.Check(asserts.RuleFeature(rule, "dollar-attr-constraints"), Equals, true, Commentf("%v", ruleMap))
 
+			c.Check(asserts.RuleFeature(rule, "device-scope-constraints"), Equals, false, Commentf("%v", ruleMap))
+
+		}
+
+		for deviceScopeConstr, value := range deviceScopeConstrs {
+			ruleMap := map[string]interface{}{
+				combo.subrule: map[string]interface{}{
+					deviceScopeConstr: value,
+				},
+			}
+
+			rule, err := asserts.CompilePlugRule("iface", ruleMap)
+			c.Assert(err, IsNil)
+			c.Check(asserts.RuleFeature(rule, "device-scope-constraints"), Equals, true, Commentf("%v", ruleMap))
 		}
 	}
 }
@@ -1196,6 +1395,65 @@
 	c.Check(rule.AllowInstallation[0].OnClassic, DeepEquals, &asserts.OnClassicConstraint{Classic: true, SystemIDs: []string{"ubuntu", "debian"}})
 }
 
+func (s *plugSlotRulesSuite) TestCompileSlotRuleInstallationConstraintsDeviceScope(c *C) {
+	m, err := asserts.ParseHeaders([]byte(`iface:
+  allow-installation: true`))
+	c.Assert(err, IsNil)
+
+	rule, err := asserts.CompileSlotRule("iface", m["iface"].(map[string]interface{}))
+	c.Assert(err, IsNil)
+
+	c.Check(rule.AllowInstallation[0].DeviceScope, IsNil)
+
+	tests := []struct {
+		rule     string
+		expected asserts.DeviceScopeConstraint
+	}{
+		{`iface:
+  allow-installation:
+    on-store:
+      - my-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store"}}},
+		{`iface:
+  allow-installation:
+    on-store:
+      - my-store
+      - other-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store", "other-store"}}},
+		{`iface:
+  allow-installation:
+    on-brand:
+      - my-brand
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT`, asserts.DeviceScopeConstraint{Brand: []string{"my-brand", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT"}}},
+		{`iface:
+  allow-installation:
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+		{`iface:
+  allow-installation:
+    on-store:
+      - store1
+      - store2
+    on-brand:
+      - my-brand
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{
+			Store: []string{"store1", "store2"},
+			Brand: []string{"my-brand"},
+			Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+	}
+
+	for _, t := range tests {
+		m, err = asserts.ParseHeaders([]byte(t.rule))
+		c.Assert(err, IsNil)
+
+		rule, err = asserts.CompileSlotRule("iface", m["iface"].(map[string]interface{}))
+		c.Assert(err, IsNil)
+
+		c.Check(rule.AllowInstallation[0].DeviceScope, DeepEquals, &t.expected)
+	}
+}
+
 func (s *plugSlotRulesSuite) TestCompileSlotRuleConnectionConstraintsIDConstraints(c *C) {
 	rule, err := asserts.CompileSlotRule("iface", map[string]interface{}{
 		"allow-connection": map[string]interface{}{
@@ -1256,6 +1514,65 @@
 	c.Check(rule.AllowConnection[0].OnClassic, DeepEquals, &asserts.OnClassicConstraint{Classic: true, SystemIDs: []string{"ubuntu", "debian"}})
 }
 
+func (s *plugSlotRulesSuite) TestCompileSlotRuleConnectionConstraintsDeviceScope(c *C) {
+	m, err := asserts.ParseHeaders([]byte(`iface:
+  allow-connection: true`))
+	c.Assert(err, IsNil)
+
+	rule, err := asserts.CompileSlotRule("iface", m["iface"].(map[string]interface{}))
+	c.Assert(err, IsNil)
+
+	c.Check(rule.AllowConnection[0].DeviceScope, IsNil)
+
+	tests := []struct {
+		rule     string
+		expected asserts.DeviceScopeConstraint
+	}{
+		{`iface:
+  allow-connection:
+    on-store:
+      - my-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store"}}},
+		{`iface:
+  allow-connection:
+    on-store:
+      - my-store
+      - other-store`, asserts.DeviceScopeConstraint{Store: []string{"my-store", "other-store"}}},
+		{`iface:
+  allow-connection:
+    on-brand:
+      - my-brand
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT`, asserts.DeviceScopeConstraint{Brand: []string{"my-brand", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT"}}},
+		{`iface:
+  allow-connection:
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+		{`iface:
+  allow-connection:
+    on-store:
+      - store1
+      - store2
+    on-brand:
+      - my-brand
+    on-model:
+      - my-brand/bar
+      - s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz`, asserts.DeviceScopeConstraint{
+			Store: []string{"store1", "store2"},
+			Brand: []string{"my-brand"},
+			Model: []string{"my-brand/bar", "s9zGdwb16ysLeRW6nRivwZS5r9puP8JT/baz"}}},
+	}
+
+	for _, t := range tests {
+		m, err = asserts.ParseHeaders([]byte(t.rule))
+		c.Assert(err, IsNil)
+
+		rule, err = asserts.CompileSlotRule("iface", m["iface"].(map[string]interface{}))
+		c.Assert(err, IsNil)
+
+		c.Check(rule.AllowConnection[0].DeviceScope, DeepEquals, &t.expected)
+	}
+}
+
 func (s *plugSlotRulesSuite) TestCompileSlotRuleErrors(c *C) {
 	tests := []struct {
 		stanza string
@@ -1312,21 +1629,51 @@
 		{`iface:
   allow-connection:
     plug-snap-ids:
-      - foo`, `allow-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic`},
+      - foo`, `allow-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   deny-connection:
     plug-snap-ids:
-      - foo`, `deny-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic`},
+      - foo`, `deny-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   allow-auto-connection:
     plug-snap-ids:
-      - foo`, `allow-auto-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic`},
+      - foo`, `allow-auto-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   deny-auto-connection:
     plug-snap-ids:
-      - foo`, `deny-auto-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic`},
+      - foo`, `deny-auto-connection in slot rule for interface "iface" must specify at least one of plug-attributes, slot-attributes, plug-snap-type, plug-publisher-id, plug-snap-id, on-classic, on-store, on-brand, on-model`},
 		{`iface:
   allow-connect: true`, `slot rule for interface "iface" must specify at least one of allow-installation, deny-installation, allow-connection, deny-connection, allow-auto-connection, deny-auto-connection`},
+		{`iface:
+  allow-installation:
+    on-store: true`, `on-store in allow-installation in slot rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-installation:
+    on-store: store1`, `on-store in allow-installation in slot rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-installation:
+    on-store:
+      - zoom!`, `on-store in allow-installation in slot rule for interface \"iface\" contains an invalid element: \"zoom!\"`},
+		{`iface:
+  allow-connection:
+    on-brand: true`, `on-brand in allow-connection in slot rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-connection:
+    on-brand: brand1`, `on-brand in allow-connection in slot rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-connection:
+    on-brand:
+      - zoom!`, `on-brand in allow-connection in slot rule for interface \"iface\" contains an invalid element: \"zoom!\"`},
+		{`iface:
+  allow-auto-connection:
+    on-model: true`, `on-model in allow-auto-connection in slot rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-auto-connection:
+    on-model: foo/bar`, `on-model in allow-auto-connection in slot rule for interface \"iface\" must be a list of strings`},
+		{`iface:
+  allow-auto-connection:
+    on-model:
+      - foo//bar`, `on-model in allow-auto-connection in slot rule for interface \"iface\" contains an invalid element: \"foo//bar"`},
 	}
 
 	for _, t := range tests {
@@ -1365,11 +1712,101 @@
 			c.Assert(err, IsNil)
 			c.Check(asserts.RuleFeature(rule, "dollar-attr-constraints"), Equals, false, Commentf("%v", ruleMap))
 
+			c.Check(asserts.RuleFeature(rule, "device-scope-constraints"), Equals, false, Commentf("%v", ruleMap))
+
 			attrConstraintMap["a"] = "$PLUG(a)"
 			rule, err = asserts.CompileSlotRule("iface", ruleMap)
 			c.Assert(err, IsNil)
 			c.Check(asserts.RuleFeature(rule, "dollar-attr-constraints"), Equals, true, Commentf("%v", ruleMap))
 
+			c.Check(asserts.RuleFeature(rule, "device-scope-constraints"), Equals, false, Commentf("%v", ruleMap))
+		}
+
+		for deviceScopeConstr, value := range deviceScopeConstrs {
+			ruleMap := map[string]interface{}{
+				combo.subrule: map[string]interface{}{
+					deviceScopeConstr: value,
+				},
+			}
+
+			rule, err := asserts.CompileSlotRule("iface", ruleMap)
+			c.Assert(err, IsNil)
+			c.Check(asserts.RuleFeature(rule, "device-scope-constraints"), Equals, true, Commentf("%v", ruleMap))
+		}
+	}
+}
+
+func (s *plugSlotRulesSuite) TestValidOnStoreBrandModel(c *C) {
+	tests := []struct {
+		constr string
+		value  string
+		valid  bool
+	}{
+		{"on-store", "", false},
+		{"on-store", "foo", true},
+		{"on-store", "F_o-O88", true},
+		{"on-store", "foo!", false},
+		{"on-store", "foo.", false},
+		{"on-store", "foo/", false},
+		{"on-brand", "", false},
+		// custom set brands (length 2-28)
+		{"on-brand", "dwell", true},
+		{"on-brand", "Dwell", false},
+		{"on-brand", "dwell-88", true},
+		{"on-brand", "dwell_88", false},
+		{"on-brand", "dwell.88", false},
+		{"on-brand", "dwell:88", false},
+		{"on-brand", "dwell!88", false},
+		{"on-brand", "a", false},
+		{"on-brand", "ab", true},
+		{"on-brand", "0123456789012345678901234567", true},
+		// snappy id brands (fixed length 32)
+		{"on-brand", "01234567890123456789012345678", false},
+		{"on-brand", "012345678901234567890123456789", false},
+		{"on-brand", "0123456789012345678901234567890", false},
+		{"on-brand", "01234567890123456789012345678901", true},
+		{"on-brand", "abcdefghijklmnopqrstuvwxyz678901", true},
+		{"on-brand", "ABCDEFGHIJKLMNOPQRSTUVWCYZ678901", true},
+		{"on-brand", "ABCDEFGHIJKLMNOPQRSTUVWCYZ678901X", false},
+		{"on-brand", "ABCDEFGHIJKLMNOPQ!STUVWCYZ678901", false},
+		{"on-brand", "ABCDEFGHIJKLMNOPQ_STUVWCYZ678901", false},
+		{"on-brand", "ABCDEFGHIJKLMNOPQ-STUVWCYZ678901", false},
+		{"on-model", "", false},
+		{"on-model", "/", false},
+		{"on-model", "dwell/dwell1", true},
+		{"on-model", "dwell", false},
+		{"on-model", "dwell/", false},
+		{"on-model", "dwell//dwell1", false},
+		{"on-model", "dwell/-dwell1", false},
+		{"on-model", "dwell/dwell1-", false},
+		{"on-model", "dwell/dwell1-23", true},
+		{"on-model", "dwell/dwell1!", false},
+		{"on-model", "dwell/dwe_ll1", false},
+		{"on-model", "dwell/dwe.ll1", false},
+	}
+
+	check := func(constr, value string, valid bool) {
+		ruleMap := map[string]interface{}{
+			"allow-auto-connection": map[string]interface{}{
+				constr: []interface{}{value},
+			},
+		}
+
+		_, err := asserts.CompilePlugRule("iface", ruleMap)
+		if valid {
+			c.Check(err, IsNil, Commentf("%v", ruleMap))
+		} else {
+			c.Check(err, ErrorMatches, fmt.Sprintf(`%s in allow-auto-connection in plug rule for interface "iface" contains an invalid element: %q`, constr, value), Commentf("%v", ruleMap))
+		}
+	}
+
+	for _, t := range tests {
+		check(t.constr, t.value, t.valid)
+
+		if t.constr == "on-brand" {
+			// reuse and double check all brands also in the context of on-model!
+
+			check("on-model", t.value+"/foo", t.valid)
 		}
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/asserts/snapasserts/snapasserts.go snapd-2.37~rc1~14.04/asserts/snapasserts/snapasserts.go
--- snapd-2.32.3.2~14.04/asserts/snapasserts/snapasserts.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/snapasserts/snapasserts.go	2019-01-16 08:36:51.000000000 +0000
@@ -53,34 +53,34 @@
 	return snapDecl, nil
 }
 
-// CrossCheck tries to cross check the name, hash digest and size of a snap plus its metadata in a SideInfo with the relevant snap assertions in a database that should have been populated with them.
-func CrossCheck(name, snapSHA3_384 string, snapSize uint64, si *snap.SideInfo, db Finder) error {
+// CrossCheck tries to cross check the instance name, hash digest and size of a snap plus its metadata in a SideInfo with the relevant snap assertions in a database that should have been populated with them.
+func CrossCheck(instanceName, snapSHA3_384 string, snapSize uint64, si *snap.SideInfo, db Finder) error {
 	// get relevant assertions and do cross checks
 	a, err := db.Find(asserts.SnapRevisionType, map[string]string{
 		"snap-sha3-384": snapSHA3_384,
 	})
 	if err != nil {
-		return fmt.Errorf("internal error: cannot find pre-populated snap-revision assertion for %q: %s", name, snapSHA3_384)
+		return fmt.Errorf("internal error: cannot find pre-populated snap-revision assertion for %q: %s", instanceName, snapSHA3_384)
 	}
 	snapRev := a.(*asserts.SnapRevision)
 
 	if snapRev.SnapSize() != snapSize {
-		return fmt.Errorf("snap %q file does not have expected size according to signatures (download is broken or tampered): %d != %d", name, snapSize, snapRev.SnapSize())
+		return fmt.Errorf("snap %q file does not have expected size according to signatures (download is broken or tampered): %d != %d", instanceName, snapSize, snapRev.SnapSize())
 	}
 
 	snapID := si.SnapID
 
 	if snapRev.SnapID() != snapID || snapRev.SnapRevision() != si.Revision.N {
-		return fmt.Errorf("snap %q does not have expected ID or revision according to assertions (metadata is broken or tampered): %s / %s != %d / %s", name, si.Revision, snapID, snapRev.SnapRevision(), snapRev.SnapID())
+		return fmt.Errorf("snap %q does not have expected ID or revision according to assertions (metadata is broken or tampered): %s / %s != %d / %s", instanceName, si.Revision, snapID, snapRev.SnapRevision(), snapRev.SnapID())
 	}
 
-	snapDecl, err := findSnapDeclaration(snapID, name, db)
+	snapDecl, err := findSnapDeclaration(snapID, instanceName, db)
 	if err != nil {
 		return err
 	}
 
-	if snapDecl.SnapName() != name {
-		return fmt.Errorf("cannot install snap %q that is undergoing a rename to %q", name, snapDecl.SnapName())
+	if snapDecl.SnapName() != snap.InstanceSnap(instanceName) {
+		return fmt.Errorf("cannot install %q, snap %q is undergoing a rename to %q", instanceName, snap.InstanceSnap(instanceName), snapDecl.SnapName())
 	}
 
 	return nil
@@ -142,4 +142,14 @@
 	}
 
 	return f.Fetch(ref)
+}
+
+// FetchStore fetches the store assertion and its prerequisites for the given store id using the given fetcher.
+func FetchStore(f asserts.Fetcher, storeID string) error {
+	ref := &asserts.Ref{
+		Type:       asserts.StoreType,
+		PrimaryKey: []string{storeID},
+	}
+
+	return f.Fetch(ref)
 }
diff -Nru snapd-2.32.3.2~14.04/asserts/snapasserts/snapasserts_test.go snapd-2.37~rc1~14.04/asserts/snapasserts/snapasserts_test.go
--- snapd-2.32.3.2~14.04/asserts/snapasserts/snapasserts_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/snapasserts/snapasserts_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -119,9 +119,12 @@
 		Revision: snap.R(12),
 	}
 
-	// everything cross checks
+	// everything cross checks, with the regular snap name
 	err = snapasserts.CrossCheck("foo", digest, size, si, s.localDB)
 	c.Check(err, IsNil)
+	// and a snap instance name
+	err = snapasserts.CrossCheck("foo_instance", digest, size, si, s.localDB)
+	c.Check(err, IsNil)
 }
 
 func (s *snapassertsSuite) TestCrossCheckErrors(c *C) {
@@ -148,6 +151,8 @@
 	// different size
 	err = snapasserts.CrossCheck("foo", digest, size+1, si, s.localDB)
 	c.Check(err, ErrorMatches, fmt.Sprintf(`snap "foo" file does not have expected size according to signatures \(download is broken or tampered\): %d != %d`, size+1, size))
+	err = snapasserts.CrossCheck("foo_instance", digest, size+1, si, s.localDB)
+	c.Check(err, ErrorMatches, fmt.Sprintf(`snap "foo_instance" file does not have expected size according to signatures \(download is broken or tampered\): %d != %d`, size+1, size))
 
 	// mismatched revision vs what we got from store original info
 	err = snapasserts.CrossCheck("foo", digest, size, &snap.SideInfo{
@@ -155,6 +160,11 @@
 		Revision: snap.R(21),
 	}, s.localDB)
 	c.Check(err, ErrorMatches, `snap "foo" does not have expected ID or revision according to assertions \(metadata is broken or tampered\): 21 / snap-id-1 != 12 / snap-id-1`)
+	err = snapasserts.CrossCheck("foo_instance", digest, size, &snap.SideInfo{
+		SnapID:   "snap-id-1",
+		Revision: snap.R(21),
+	}, s.localDB)
+	c.Check(err, ErrorMatches, `snap "foo_instance" does not have expected ID or revision according to assertions \(metadata is broken or tampered\): 21 / snap-id-1 != 12 / snap-id-1`)
 
 	// mismatched snap id vs what we got from store original info
 	err = snapasserts.CrossCheck("foo", digest, size, &snap.SideInfo{
@@ -162,10 +172,17 @@
 		Revision: snap.R(12),
 	}, s.localDB)
 	c.Check(err, ErrorMatches, `snap "foo" does not have expected ID or revision according to assertions \(metadata is broken or tampered\): 12 / snap-id-other != 12 / snap-id-1`)
+	err = snapasserts.CrossCheck("foo_instance", digest, size, &snap.SideInfo{
+		SnapID:   "snap-id-other",
+		Revision: snap.R(12),
+	}, s.localDB)
+	c.Check(err, ErrorMatches, `snap "foo_instance" does not have expected ID or revision according to assertions \(metadata is broken or tampered\): 12 / snap-id-other != 12 / snap-id-1`)
 
 	// changed name
 	err = snapasserts.CrossCheck("baz", digest, size, si, s.localDB)
-	c.Check(err, ErrorMatches, `cannot install snap "baz" that is undergoing a rename to "foo"`)
+	c.Check(err, ErrorMatches, `cannot install "baz", snap "baz" is undergoing a rename to "foo"`)
+	err = snapasserts.CrossCheck("baz_instance", digest, size, si, s.localDB)
+	c.Check(err, ErrorMatches, `cannot install "baz_instance", snap "baz" is undergoing a rename to "foo"`)
 
 }
 
@@ -206,6 +223,8 @@
 
 	err = snapasserts.CrossCheck("foo", digest, size, si, s.localDB)
 	c.Check(err, ErrorMatches, `cannot install snap "foo" with a revoked snap declaration`)
+	err = snapasserts.CrossCheck("foo_instance", digest, size, si, s.localDB)
+	c.Check(err, ErrorMatches, `cannot install snap "foo_instance" with a revoked snap declaration`)
 }
 
 func (s *snapassertsSuite) TestDeriveSideInfoHappy(c *C) {
diff -Nru snapd-2.32.3.2~14.04/asserts/snap_asserts.go snapd-2.37~rc1~14.04/asserts/snap_asserts.go
--- snapd-2.32.3.2~14.04/asserts/snap_asserts.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/snap_asserts.go	2019-01-16 08:36:51.000000000 +0000
@@ -152,7 +152,13 @@
 	if !(plugsOk || slotsOk) {
 		return 0, nil
 	}
+
 	formatnum = 1
+	setFormatNum := func(num int) {
+		if num > formatnum {
+			formatnum = num
+		}
+	}
 
 	plugs, err := checkMap(headers, "plugs")
 	if err != nil {
@@ -160,7 +166,10 @@
 	}
 	err = compilePlugRules(plugs, func(_ string, rule *PlugRule) {
 		if rule.feature(dollarAttrConstraintsFeature) {
-			formatnum = 2
+			setFormatNum(2)
+		}
+		if rule.feature(deviceScopeConstraintsFeature) {
+			setFormatNum(3)
 		}
 	})
 	if err != nil {
@@ -173,7 +182,10 @@
 	}
 	err = compileSlotRules(slots, func(_ string, rule *SlotRule) {
 		if rule.feature(dollarAttrConstraintsFeature) {
-			formatnum = 2
+			setFormatNum(2)
+		}
+		if rule.feature(deviceScopeConstraintsFeature) {
+			setFormatNum(3)
 		}
 	})
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/asserts/snap_asserts_test.go snapd-2.37~rc1~14.04/asserts/snap_asserts_test.go
--- snapd-2.32.3.2~14.04/asserts/snap_asserts_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/snap_asserts_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -49,6 +49,12 @@
 	tsLine string
 }
 
+type emptyAttrerObject struct{}
+
+func (o emptyAttrerObject) Lookup(path string) (interface{}, bool) {
+	return nil, false
+}
+
 func (sds *snapDeclSuite) SetUpSuite(c *C) {
 	sds.ts = time.Now().Truncate(time.Second).UTC()
 	sds.tsLine = "timestamp: " + sds.ts.Format(time.RFC3339) + "\n"
@@ -298,23 +304,27 @@
 	c.Assert(plugRule1.DenyInstallation, HasLen, 1)
 	c.Check(plugRule1.DenyInstallation[0].PlugAttributes, Equals, asserts.NeverMatchAttributes)
 	c.Assert(plugRule1.AllowAutoConnection, HasLen, 1)
-	c.Check(plugRule1.AllowAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "a1".*`)
-	c.Check(plugRule1.AllowAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "b1".*`)
+
+	plug := emptyAttrerObject{}
+	slot := emptyAttrerObject{}
+
+	c.Check(plugRule1.AllowAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "a1".*`)
+	c.Check(plugRule1.AllowAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "b1".*`)
 	c.Check(plugRule1.AllowAutoConnection[0].SlotSnapTypes, DeepEquals, []string{"app"})
 	c.Check(plugRule1.AllowAutoConnection[0].SlotPublisherIDs, DeepEquals, []string{"acme"})
 	c.Assert(plugRule1.DenyAutoConnection, HasLen, 1)
-	c.Check(plugRule1.DenyAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "a1".*`)
-	c.Check(plugRule1.DenyAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "b1".*`)
+	c.Check(plugRule1.DenyAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "a1".*`)
+	c.Check(plugRule1.DenyAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "b1".*`)
 	plugRule2 := snapDecl.PlugRule("interface2")
 	c.Assert(plugRule2, NotNil)
 	c.Assert(plugRule2.AllowInstallation, HasLen, 1)
 	c.Check(plugRule2.AllowInstallation[0].PlugAttributes, Equals, asserts.AlwaysMatchAttributes)
 	c.Assert(plugRule2.AllowConnection, HasLen, 1)
-	c.Check(plugRule2.AllowConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "a2".*`)
-	c.Check(plugRule2.AllowConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "b2".*`)
+	c.Check(plugRule2.AllowConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "a2".*`)
+	c.Check(plugRule2.AllowConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "b2".*`)
 	c.Assert(plugRule2.DenyConnection, HasLen, 1)
-	c.Check(plugRule2.DenyConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "a2".*`)
-	c.Check(plugRule2.DenyConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "b2".*`)
+	c.Check(plugRule2.DenyConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "a2".*`)
+	c.Check(plugRule2.DenyConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "b2".*`)
 	c.Check(plugRule2.DenyConnection[0].SlotSnapIDs, DeepEquals, []string{"snapidsnapidsnapidsnapidsnapid01", "snapidsnapidsnapidsnapidsnapid02"})
 
 	slotRule3 := snapDecl.SlotRule("interface3")
@@ -322,24 +332,24 @@
 	c.Assert(slotRule3.DenyInstallation, HasLen, 1)
 	c.Check(slotRule3.DenyInstallation[0].SlotAttributes, Equals, asserts.NeverMatchAttributes)
 	c.Assert(slotRule3.AllowAutoConnection, HasLen, 1)
-	c.Check(slotRule3.AllowAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "c1".*`)
-	c.Check(slotRule3.AllowAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "d1".*`)
+	c.Check(slotRule3.AllowAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "c1".*`)
+	c.Check(slotRule3.AllowAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "d1".*`)
 	c.Check(slotRule3.AllowAutoConnection[0].PlugSnapTypes, DeepEquals, []string{"app"})
 	c.Check(slotRule3.AllowAutoConnection[0].PlugPublisherIDs, DeepEquals, []string{"acme"})
 	c.Assert(slotRule3.DenyAutoConnection, HasLen, 1)
-	c.Check(slotRule3.DenyAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "c1".*`)
-	c.Check(slotRule3.DenyAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "d1".*`)
+	c.Check(slotRule3.DenyAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "c1".*`)
+	c.Check(slotRule3.DenyAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "d1".*`)
 	slotRule4 := snapDecl.SlotRule("interface4")
 	c.Assert(slotRule4, NotNil)
 	c.Assert(slotRule4.AllowAutoConnection, HasLen, 1)
-	c.Check(slotRule4.AllowConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "c2".*`)
-	c.Check(slotRule4.AllowConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "d2".*`)
+	c.Check(slotRule4.AllowConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "c2".*`)
+	c.Check(slotRule4.AllowConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "d2".*`)
 	c.Assert(slotRule4.DenyAutoConnection, HasLen, 1)
-	c.Check(slotRule4.DenyConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "c2".*`)
-	c.Check(slotRule4.DenyConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "d2".*`)
+	c.Check(slotRule4.DenyConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "c2".*`)
+	c.Check(slotRule4.DenyConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "d2".*`)
 	c.Check(slotRule4.DenyConnection[0].PlugSnapIDs, DeepEquals, []string{"snapidsnapidsnapidsnapidsnapid01", "snapidsnapidsnapidsnapidsnapid02"})
 	c.Assert(slotRule4.AllowInstallation, HasLen, 1)
-	c.Check(slotRule4.AllowInstallation[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "e1".*`)
+	c.Check(slotRule4.AllowInstallation[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "e1".*`)
 	c.Check(slotRule4.AllowInstallation[0].SlotSnapTypes, DeepEquals, []string{"app"})
 }
 
@@ -396,6 +406,87 @@
 	c.Assert(err, IsNil)
 	c.Check(fmtnum, Equals, 2)
 
+	// combinations with on-store/on-brand/on-model => format 3
+	for _, side := range []string{"plugs", "slots"} {
+		for k, vals := range deviceScopeConstrs {
+
+			headers := map[string]interface{}{
+				side: map[string]interface{}{
+					"interface3": map[string]interface{}{
+						"allow-installation": map[string]interface{}{
+							k: vals,
+						},
+					},
+				},
+			}
+			fmtnum, err = asserts.SuggestFormat(asserts.SnapDeclarationType, headers, nil)
+			c.Assert(err, IsNil)
+			c.Check(fmtnum, Equals, 3)
+
+			for _, conn := range []string{"connection", "auto-connection"} {
+
+				headers = map[string]interface{}{
+					side: map[string]interface{}{
+						"interface3": map[string]interface{}{
+							"allow-" + conn: map[string]interface{}{
+								k: vals,
+							},
+						},
+					},
+				}
+				fmtnum, err = asserts.SuggestFormat(asserts.SnapDeclarationType, headers, nil)
+				c.Assert(err, IsNil)
+				c.Check(fmtnum, Equals, 3)
+			}
+		}
+	}
+
+	// higher format features win
+
+	headers = map[string]interface{}{
+		"plugs": map[string]interface{}{
+			"interface3": map[string]interface{}{
+				"allow-auto-connection": map[string]interface{}{
+					"on-store": []interface{}{"store"},
+				},
+			},
+		},
+		"slots": map[string]interface{}{
+			"interface4": map[string]interface{}{
+				"allow-auto-connection": map[string]interface{}{
+					"plug-attributes": map[string]interface{}{
+						"x": "$SLOT(x)",
+					},
+				},
+			},
+		},
+	}
+	fmtnum, err = asserts.SuggestFormat(asserts.SnapDeclarationType, headers, nil)
+	c.Assert(err, IsNil)
+	c.Check(fmtnum, Equals, 3)
+
+	headers = map[string]interface{}{
+		"plugs": map[string]interface{}{
+			"interface4": map[string]interface{}{
+				"allow-auto-connection": map[string]interface{}{
+					"slot-attributes": map[string]interface{}{
+						"x": "$SLOT(x)",
+					},
+				},
+			},
+		},
+		"slots": map[string]interface{}{
+			"interface3": map[string]interface{}{
+				"allow-auto-connection": map[string]interface{}{
+					"on-store": []interface{}{"store"},
+				},
+			},
+		},
+	}
+	fmtnum, err = asserts.SuggestFormat(asserts.SnapDeclarationType, headers, nil)
+	c.Assert(err, IsNil)
+	c.Check(fmtnum, Equals, 3)
+
 	// errors
 	headers = map[string]interface{}{
 		"plugs": "what",
@@ -1197,28 +1288,31 @@
 	c.Check(baseDecl.PlugRule("interfaceX"), IsNil)
 	c.Check(baseDecl.SlotRule("interfaceX"), IsNil)
 
+	plug := emptyAttrerObject{}
+	slot := emptyAttrerObject{}
+
 	plugRule1 := baseDecl.PlugRule("interface1")
 	c.Assert(plugRule1, NotNil)
 	c.Assert(plugRule1.DenyInstallation, HasLen, 1)
 	c.Check(plugRule1.DenyInstallation[0].PlugAttributes, Equals, asserts.NeverMatchAttributes)
 	c.Assert(plugRule1.AllowAutoConnection, HasLen, 1)
-	c.Check(plugRule1.AllowAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "a1".*`)
-	c.Check(plugRule1.AllowAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "b1".*`)
+	c.Check(plugRule1.AllowAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "a1".*`)
+	c.Check(plugRule1.AllowAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "b1".*`)
 	c.Check(plugRule1.AllowAutoConnection[0].SlotSnapTypes, DeepEquals, []string{"app"})
 	c.Check(plugRule1.AllowAutoConnection[0].SlotPublisherIDs, DeepEquals, []string{"acme"})
 	c.Assert(plugRule1.DenyAutoConnection, HasLen, 1)
-	c.Check(plugRule1.DenyAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "a1".*`)
-	c.Check(plugRule1.DenyAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "b1".*`)
+	c.Check(plugRule1.DenyAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "a1".*`)
+	c.Check(plugRule1.DenyAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "b1".*`)
 	plugRule2 := baseDecl.PlugRule("interface2")
 	c.Assert(plugRule2, NotNil)
 	c.Assert(plugRule2.AllowInstallation, HasLen, 1)
 	c.Check(plugRule2.AllowInstallation[0].PlugAttributes, Equals, asserts.AlwaysMatchAttributes)
 	c.Assert(plugRule2.AllowConnection, HasLen, 1)
-	c.Check(plugRule2.AllowConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "a2".*`)
-	c.Check(plugRule2.AllowConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "b2".*`)
+	c.Check(plugRule2.AllowConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "a2".*`)
+	c.Check(plugRule2.AllowConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "b2".*`)
 	c.Assert(plugRule2.DenyConnection, HasLen, 1)
-	c.Check(plugRule2.DenyConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "a2".*`)
-	c.Check(plugRule2.DenyConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "b2".*`)
+	c.Check(plugRule2.DenyConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "a2".*`)
+	c.Check(plugRule2.DenyConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "b2".*`)
 	c.Check(plugRule2.DenyConnection[0].SlotSnapIDs, DeepEquals, []string{"snapidsnapidsnapidsnapidsnapid01", "snapidsnapidsnapidsnapidsnapid02"})
 
 	slotRule3 := baseDecl.SlotRule("interface3")
@@ -1226,24 +1320,24 @@
 	c.Assert(slotRule3.DenyInstallation, HasLen, 1)
 	c.Check(slotRule3.DenyInstallation[0].SlotAttributes, Equals, asserts.NeverMatchAttributes)
 	c.Assert(slotRule3.AllowAutoConnection, HasLen, 1)
-	c.Check(slotRule3.AllowAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "c1".*`)
-	c.Check(slotRule3.AllowAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "d1".*`)
+	c.Check(slotRule3.AllowAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "c1".*`)
+	c.Check(slotRule3.AllowAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "d1".*`)
 	c.Check(slotRule3.AllowAutoConnection[0].PlugSnapTypes, DeepEquals, []string{"app"})
 	c.Check(slotRule3.AllowAutoConnection[0].PlugPublisherIDs, DeepEquals, []string{"acme"})
 	c.Assert(slotRule3.DenyAutoConnection, HasLen, 1)
-	c.Check(slotRule3.DenyAutoConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "c1".*`)
-	c.Check(slotRule3.DenyAutoConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "d1".*`)
+	c.Check(slotRule3.DenyAutoConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "c1".*`)
+	c.Check(slotRule3.DenyAutoConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "d1".*`)
 	slotRule4 := baseDecl.SlotRule("interface4")
 	c.Assert(slotRule4, NotNil)
 	c.Assert(slotRule4.AllowConnection, HasLen, 1)
-	c.Check(slotRule4.AllowConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "c2".*`)
-	c.Check(slotRule4.AllowConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "d2".*`)
+	c.Check(slotRule4.AllowConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "c2".*`)
+	c.Check(slotRule4.AllowConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "d2".*`)
 	c.Assert(slotRule4.DenyConnection, HasLen, 1)
-	c.Check(slotRule4.DenyConnection[0].PlugAttributes.Check(nil, nil), ErrorMatches, `attribute "c2".*`)
-	c.Check(slotRule4.DenyConnection[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "d2".*`)
+	c.Check(slotRule4.DenyConnection[0].PlugAttributes.Check(plug, nil), ErrorMatches, `attribute "c2".*`)
+	c.Check(slotRule4.DenyConnection[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "d2".*`)
 	c.Check(slotRule4.DenyConnection[0].PlugSnapIDs, DeepEquals, []string{"snapidsnapidsnapidsnapidsnapid01", "snapidsnapidsnapidsnapidsnapid02"})
 	c.Assert(slotRule4.AllowInstallation, HasLen, 1)
-	c.Check(slotRule4.AllowInstallation[0].SlotAttributes.Check(nil, nil), ErrorMatches, `attribute "e1".*`)
+	c.Check(slotRule4.AllowInstallation[0].SlotAttributes.Check(slot, nil), ErrorMatches, `attribute "e1".*`)
 	c.Check(slotRule4.AllowInstallation[0].SlotSnapTypes, DeepEquals, []string{"app"})
 
 }
diff -Nru snapd-2.32.3.2~14.04/asserts/store_asserts.go snapd-2.37~rc1~14.04/asserts/store_asserts.go
--- snapd-2.32.3.2~14.04/asserts/store_asserts.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/store_asserts.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,11 +26,12 @@
 )
 
 // Store holds a store assertion, defining the configuration needed to connect
-// a device to the store.
+// a device to the store or relative to a non-default store.
 type Store struct {
 	assertionBase
-	url       *url.URL
-	timestamp time.Time
+	url            *url.URL
+	friendlyStores []string
+	timestamp      time.Time
 }
 
 // Store returns the identifying name of the operator's store.
@@ -48,6 +49,12 @@
 	return store.url
 }
 
+// FriendlyStores returns stores holding snaps that are also exposed
+// through this one.
+func (store *Store) FriendlyStores() []string {
+	return store.friendlyStores
+}
+
 // Location returns a summary of the store's location/purpose.
 func (store *Store) Location() string {
 	return store.HeaderString("location")
@@ -59,7 +66,9 @@
 }
 
 func (store *Store) checkConsistency(db RODatabase, acck *AccountKey) error {
-	// Will be applied to a system's snapd so must be signed by a trusted authority.
+	// Will be applied to a system's snapd or influence snapd
+	// policy decisions (via friendly-stores) so must be signed by a trusted
+	// authority!
 	if !db.IsTrustedAccount(store.AuthorityID()) {
 		return fmt.Errorf("store assertion %q is not signed by a directly trusted authority: %s",
 			store.Store(), store.AuthorityID())
@@ -129,6 +138,11 @@
 		return nil, err
 	}
 
+	friendlyStores, err := checkStringList(assert.headers, "friendly-stores")
+	if err != nil {
+		return nil, err
+	}
+
 	_, err = checkOptionalString(assert.headers, "location")
 	if err != nil {
 		return nil, err
@@ -140,8 +154,9 @@
 	}
 
 	return &Store{
-		assertionBase: assert,
-		url:           url,
-		timestamp:     timestamp,
+		assertionBase:  assert,
+		url:            url,
+		friendlyStores: friendlyStores,
+		timestamp:      timestamp,
 	}, nil
 }
diff -Nru snapd-2.32.3.2~14.04/asserts/store_asserts_test.go snapd-2.37~rc1~14.04/asserts/store_asserts_test.go
--- snapd-2.32.3.2~14.04/asserts/store_asserts_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/store_asserts_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -63,6 +63,7 @@
 	c.Check(store.URL().String(), Equals, "https://store.example.com")
 	c.Check(store.Location(), Equals, "upstairs")
 	c.Check(store.Timestamp().Equal(s.ts), Equals, true)
+	c.Check(store.FriendlyStores(), HasLen, 0)
 }
 
 var storeErrPrefix = "assertion store: "
@@ -78,6 +79,7 @@
 		{s.tsLine, "", `"timestamp" header is mandatory`},
 		{s.tsLine, "timestamp: \n", `"timestamp" header should not be empty`},
 		{s.tsLine, "timestamp: 12:30\n", `"timestamp" header is not a RFC3339 date: .*`},
+		{"url: https://store.example.com\n", "friendly-stores: foo\n", `"friendly-stores" header must be a list of strings`},
 	}
 
 	for _, test := range tests {
@@ -187,6 +189,19 @@
 	c.Assert(err, IsNil)
 }
 
+func (s *storeSuite) TestFriendlyStores(c *C) {
+	encoded := strings.Replace(s.validExample, "url: https://store.example.com\n", `friendly-stores:
+  - store1
+  - store2
+  - store3
+`, 1)
+	assert, err := asserts.Decode([]byte(encoded))
+	c.Assert(err, IsNil)
+	store := assert.(*asserts.Store)
+	c.Check(store.URL(), IsNil)
+	c.Check(store.FriendlyStores(), DeepEquals, []string{"store1", "store2", "store3"})
+}
+
 func (s *storeSuite) TestCheckOperatorAccount(c *C) {
 	storeDB, db := makeStoreAndCheckDB(c)
 
diff -Nru snapd-2.32.3.2~14.04/asserts/sysdb/sysdb_test.go snapd-2.37~rc1~14.04/asserts/sysdb/sysdb_test.go
--- snapd-2.32.3.2~14.04/asserts/sysdb/sysdb_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/sysdb/sysdb_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -54,7 +54,7 @@
 
 	trustedAcct := assertstest.NewAccount(signingDB, "can0nical", map[string]interface{}{
 		"account-id": "can0nical",
-		"validation": "certified",
+		"validation": "verified",
 		"timestamp":  "2015-11-20T15:04:00Z",
 	}, "")
 
@@ -68,7 +68,7 @@
 
 	otherAcct := assertstest.NewAccount(signingDB, "gener1c", map[string]interface{}{
 		"account-id": "gener1c",
-		"validation": "certified",
+		"validation": "verified",
 		"timestamp":  "2015-11-20T15:04:00Z",
 	}, "")
 
@@ -152,6 +152,8 @@
 	})
 	c.Assert(err, IsNil)
 
+	c.Check(trustedAcc.(*asserts.Account).Validation(), Equals, "verified")
+
 	err = db.Check(trustedAcc)
 	c.Check(err, IsNil)
 
@@ -166,6 +168,8 @@
 	})
 	c.Assert(err, IsNil)
 
+	c.Check(genericAcc.(*asserts.Account).Validation(), Equals, "verified")
+
 	err = db.Check(genericAcc)
 	c.Check(err, IsNil)
 
diff -Nru snapd-2.32.3.2~14.04/asserts/systestkeys/trusted.go snapd-2.37~rc1~14.04/asserts/systestkeys/trusted.go
--- snapd-2.32.3.2~14.04/asserts/systestkeys/trusted.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/systestkeys/trusted.go	2019-01-16 08:36:51.000000000 +0000
@@ -89,21 +89,21 @@
 authority-id: testrootorg
 account-id: testrootorg
 display-name: Testrootorg
-timestamp: 2016-08-11T18:30:57+02:00
+timestamp: 2018-06-27T14:25:40+02:00
 username: testrootorg
-validation: certified
+validation: verified
 sign-key-sha3-384: hIedp1AvrWlcDI4uS_qjoFLzjKl5enu4G2FYJpgB3Pj-tUzGlTQBxMBsBmi-tnJR
 
-AcLBUgQAAQoABgUCV6yoQQAAelEQAEdSECpdmV5a2G5VMBzJFuHQUU1FzgZ7gPQjc3l0BibDWm8O
-rDi7IT3L80OkqS2AoQgHS5KtEvKqEmhyfcdzcXgvCkHR5kucRBJJaPy8z6gGMhzZIPlc+EqY+Cvb
-/MQPLvtYYvtAxq1vWz+aDGGwk2Z/dFUG+wofvNWodz400gYTZeFOCZwStBD84S7iY/3pMQgC3+SO
-QMr/VI+bgmOukFqZL0cX4ReiuUs2W45V6EC81UGBjk+k7AVTEXMR1Xo8f0yiRzlLoEdKQMCOC45Q
-n4eedjCToGRPFcktM0QhgfbcpPIQKHNqKGGvtQQXvW5PIZ7AS4rTfQScXTn1dqDsL/ZVdasvOpCP
-5o4WvoWMoU8+Hm4n6ckw4sXn//PZIQrtnkp2DO+9JXXZasIPg4k1mvUQ5Kb9qCcBbaM+OO1izOoC
-3PY8xHNQNfHNHwBMewhnU2NpdTS0mTepN/8iFsDT1vSZ28OE2hgbu1ltqx4AsRkCVyFFx6N6OYm2
-UDNozU9K5w0NY4u9HSTDz4KrBIalAaKY72CIUqeVsmAcYatXglbj7dVTZTw75M0v1thQiSoKFqHw
-CHykZ6BJRgminY1FqOg7tvqTwzYM7lwaE3K8JpAyzie7v+OSLSxy1vlwUmT2lT+h1i28/w+r+R3Q
-C0QC8xuHSvOv3YRtzKna3smAfRlB
+AcLBUgQAAQoABgUCWzOCRAAA31gQAE5QgyBuxF3DGlMP32+3G5soq0uDLKG+sqFIEj/8j1dwLG0u
+ut7UPEf5iTZFDqqyAaFBRUPxx1cGB/6WFrks3X3/325hVzv5DYA9d4508BXdlNBA++t7tTdb4rU6
+G57aVgbpMCdwdjRbRMv1LLVWnli1pj8Cvt/jiTMbJUwQ/CAO0UZA6EH+fAeHGB53NNvedAM1goWi
+pS3XvruDtv8qTbVW9jNSIX1ADcLAbmM2xV2Vo54lfgN5NJd/4K4S7sPSsX7QLBghFkB0m9i5g/Qu
+PecvJ9njebFF48yvG4W1owBNBfxD2oHNhK/GdtxsREDKgDXuIrhziXBzWNeYto8lCZ1D520k+xp+
+2rL1TYSy9IixOzAf2qBhUTQdXsoVfmBOyExlYVQDIFO+X4ufbhLzy2pTE4KWvFvF58HzGradbix6
+oUD5hiEjw1YoV8FKdMLDobcvGzgm+Kx/FQo2Iqm5GmfzPW/K3SntoptuHIDSk3B12F/F/EDoYiGS
+MDWJJ4NMbFLMemJhvEI23IuZOTBEt27sGcgOju4wYkcsaHPEeXTGUBUgQADugBTwJtWmuybkmovM
+aLn1kVYpht+0cZeAQR5L3nSOK7T3V+QvWSXt6PAiHJv+HnemrYarSmGVTDcpj1QuWXyX026RnkvP
+SD73HCe5QPTjrvFvIa6o6n9khFgs
 `
 
 	TestRootKeyID = "hIedp1AvrWlcDI4uS_qjoFLzjKl5enu4G2FYJpgB3Pj-tUzGlTQBxMBsBmi-tnJR"
diff -Nru snapd-2.32.3.2~14.04/asserts/user.go snapd-2.37~rc1~14.04/asserts/user.go
--- snapd-2.32.3.2~14.04/asserts/user.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/user.go	2019-01-16 08:36:51.000000000 +0000
@@ -39,6 +39,8 @@
 	sshKeys []string
 	since   time.Time
 	until   time.Time
+
+	forcePasswordChange bool
 }
 
 // BrandID returns the brand identifier that signed this assertion.
@@ -77,6 +79,12 @@
 	return su.HeaderString("password")
 }
 
+// ForcePasswordChange returns true if the user needs to change the password
+// after the first login.
+func (su *SystemUser) ForcePasswordChange() bool {
+	return su.forcePasswordChange
+}
+
 // SSHKeys returns the ssh keys for the user.
 func (su *SystemUser) SSHKeys() []string {
 	return su.sshKeys
@@ -150,6 +158,9 @@
 	}, nil
 }
 
+// see crypt(3) for the legal chars
+var isValidSaltAndHash = regexp.MustCompile(`^[a-zA-Z0-9./]+$`).MatchString
+
 func checkHashedPassword(headers map[string]interface{}, name string) (string, error) {
 	pw, err := checkOptionalString(headers, name)
 	if err != nil {
@@ -189,12 +200,10 @@
 		}
 	}
 
-	// see crypt(3) for the legal chars
-	validSaltAndHash := regexp.MustCompile(`^[a-zA-Z0-9./]+$`)
-	if !validSaltAndHash.MatchString(shd.Salt) {
+	if !isValidSaltAndHash(shd.Salt) {
 		return "", fmt.Errorf("%q header has invalid chars in salt %q", name, shd.Salt)
 	}
-	if !validSaltAndHash.MatchString(shd.Hash) {
+	if !isValidSaltAndHash(shd.Hash) {
 		return "", fmt.Errorf("%q header has invalid chars in hash %q", name, shd.Hash)
 	}
 
@@ -227,9 +236,17 @@
 	if _, err := checkStringMatches(assert.headers, "username", validSystemUserUsernames); err != nil {
 		return nil, err
 	}
-	if _, err := checkHashedPassword(assert.headers, "password"); err != nil {
+	password, err := checkHashedPassword(assert.headers, "password")
+	if err != nil {
 		return nil, err
 	}
+	forcePasswordChange, err := checkOptionalBool(assert.headers, "force-password-change")
+	if err != nil {
+		return nil, err
+	}
+	if forcePasswordChange && password == "" {
+		return nil, fmt.Errorf(`cannot use "force-password-change" with an empty "password"`)
+	}
 
 	sshKeys, err := checkStringList(assert.headers, "ssh-keys")
 	if err != nil {
@@ -253,11 +270,12 @@
 	}
 
 	return &SystemUser{
-		assertionBase: assert,
-		series:        series,
-		models:        models,
-		sshKeys:       sshKeys,
-		since:         since,
-		until:         until,
+		assertionBase:       assert,
+		series:              series,
+		models:              models,
+		sshKeys:             sshKeys,
+		since:               since,
+		until:               until,
+		forcePasswordChange: forcePasswordChange,
 	}, nil
 }
diff -Nru snapd-2.32.3.2~14.04/asserts/user_test.go snapd-2.37~rc1~14.04/asserts/user_test.go
--- snapd-2.32.3.2~14.04/asserts/user_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/asserts/user_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -102,6 +102,18 @@
 	}
 }
 
+func (s *systemUserSuite) TestDecodeForcePasswdChange(c *C) {
+
+	old := "password: $6$salt$hash\n"
+	new := "password: $6$salt$hash\nforce-password-change: true\n"
+
+	valid := strings.Replace(s.systemUserStr, old, new, 1)
+	a, err := asserts.Decode([]byte(valid))
+	c.Check(err, IsNil)
+	systemUser := a.(*asserts.SystemUser)
+	c.Check(systemUser.ForcePasswordChange(), Equals, true)
+}
+
 func (s *systemUserSuite) TestValidAt(c *C) {
 	a, err := asserts.Decode([]byte(s.systemUserStr))
 	c.Assert(err, IsNil)
@@ -164,6 +176,8 @@
 		{"password: $6$salt$hash\n", "password: $8$rounds=xxx$salt$hash\n", `"password" header has invalid number of rounds:.*`},
 		{"password: $6$salt$hash\n", "password: $8$rounds=1$salt$hash\n", `"password" header rounds parameter out of bounds: 1`},
 		{"password: $6$salt$hash\n", "password: $8$rounds=1999999999$salt$hash\n", `"password" header rounds parameter out of bounds: 1999999999`},
+		{"password: $6$salt$hash\n", "force-password-change: true\n", `cannot use "force-password-change" with an empty "password"`},
+		{"password: $6$salt$hash\n", "password: $6$salt$hash\nforce-password-change: xxx\n", `"force-password-change" header must be 'true' or 'false'`},
 		{s.sinceLine, "since: \n", `"since" header should not be empty`},
 		{s.sinceLine, "since: 12:30\n", `"since" header is not a RFC3339 date: .*`},
 		{s.untilLine, "until: \n", `"until" header should not be empty`},
diff -Nru snapd-2.32.3.2~14.04/boot/kernel_os.go snapd-2.37~rc1~14.04/boot/kernel_os.go
--- snapd-2.32.3.2~14.04/boot/kernel_os.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/boot/kernel_os.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,7 +22,6 @@
 import (
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 
 	"github.com/snapcore/snapd/logger"
@@ -49,13 +48,6 @@
 	return nil
 }
 
-func copyAll(src, dst string) error {
-	if output, err := exec.Command("cp", "-aLv", src, dst).CombinedOutput(); err != nil {
-		return fmt.Errorf("cannot copy %q -> %q: %s (%s)", src, dst, err, output)
-	}
-	return nil
-}
-
 // ExtractKernelAssets extracts kernel/initrd/dtb data from the given
 // kernel snap, if required, to a versioned bootloader directory so
 // that the bootloader can use it.
@@ -100,14 +92,16 @@
 	return dir.Sync()
 }
 
-// SetNextBoot will schedule the given OS or kernel snap to be used in
-// the next boot
+// SetNextBoot will schedule the given OS or base or kernel snap to be
+// used in the next boot. For base snaps it up to the caller to select
+// the right bootable base (from the model assertion).
 func SetNextBoot(s *snap.Info) error {
 	if release.OnClassic {
-		return nil
+		return fmt.Errorf("cannot set next boot on classic systems")
 	}
-	if s.Type != snap.TypeOS && s.Type != snap.TypeKernel {
-		return nil
+
+	if s.Type != snap.TypeOS && s.Type != snap.TypeKernel && s.Type != snap.TypeBase {
+		return fmt.Errorf("cannot set next boot to snap %q with type %q", s.SnapName(), s.Type)
 	}
 
 	bootloader, err := partition.FindBootloader()
@@ -117,7 +111,7 @@
 
 	var nextBoot, goodBoot string
 	switch s.Type {
-	case snap.TypeOS:
+	case snap.TypeOS, snap.TypeBase:
 		nextBoot = "snap_try_core"
 		goodBoot = "snap_core"
 	case snap.TypeKernel:
@@ -128,11 +122,22 @@
 
 	// check if we actually need to do anything, i.e. the exact same
 	// kernel/core revision got installed again (e.g. firstboot)
-	m, err := bootloader.GetBootVars(goodBoot)
+	// and we are not in any special boot mode
+	m, err := bootloader.GetBootVars("snap_mode", goodBoot)
 	if err != nil {
 		return err
 	}
 	if m[goodBoot] == blobName {
+		// If we were in anything but default ("") mode before
+		// and now switch to the good core/kernel again, make
+		// sure to clean the snap_mode here. This also
+		// mitigates https://forum.snapcraft.io/t/5253
+		if m["snap_mode"] != "" {
+			return bootloader.SetBootVars(map[string]string{
+				"snap_mode": "",
+				nextBoot:    "",
+			})
+		}
 		return nil
 	}
 
@@ -142,9 +147,10 @@
 	})
 }
 
-// KernelOrOsRebootRequired returns whether a reboot is required to swith to the given OS or kernel snap.
-func KernelOrOsRebootRequired(s *snap.Info) bool {
-	if s.Type != snap.TypeKernel && s.Type != snap.TypeOS {
+// ChangeRequiresReboot returns whether a reboot is required to switch
+// to the given OS, base or kernel snap.
+func ChangeRequiresReboot(s *snap.Info) bool {
+	if s.Type != snap.TypeKernel && s.Type != snap.TypeOS && s.Type != snap.TypeBase {
 		return false
 	}
 
@@ -159,7 +165,7 @@
 	case snap.TypeKernel:
 		nextBoot = "snap_try_kernel"
 		goodBoot = "snap_kernel"
-	case snap.TypeOS:
+	case snap.TypeOS, snap.TypeBase:
 		nextBoot = "snap_try_core"
 		goodBoot = "snap_core"
 	}
diff -Nru snapd-2.32.3.2~14.04/boot/kernel_os_test.go snapd-2.37~rc1~14.04/boot/kernel_os_test.go
--- snapd-2.32.3.2~14.04/boot/kernel_os_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/boot/kernel_os_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -156,7 +156,7 @@
 	// Create a fake OS snap that we try to update
 	snapInfo := snaptest.MockSnap(c, "name: os\ntype: os", &snap.SideInfo{Revision: snap.R(42)})
 	err := boot.SetNextBoot(snapInfo)
-	c.Assert(err, IsNil)
+	c.Assert(err, ErrorMatches, "cannot set next boot on classic systems")
 
 	c.Assert(s.bootloader.BootVars, HasLen, 0)
 }
@@ -178,7 +178,27 @@
 		"snap_mode":     "try",
 	})
 
-	c.Check(boot.KernelOrOsRebootRequired(info), Equals, true)
+	c.Check(boot.ChangeRequiresReboot(info), Equals, true)
+}
+
+func (s *kernelOSSuite) TestSetNextBootWithBaseForCore(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	info := &snap.Info{}
+	info.Type = snap.TypeBase
+	info.RealName = "core18"
+	info.Revision = snap.R(1818)
+
+	err := boot.SetNextBoot(info)
+	c.Assert(err, IsNil)
+
+	c.Assert(s.bootloader.BootVars, DeepEquals, map[string]string{
+		"snap_try_core": "core18_1818.snap",
+		"snap_mode":     "try",
+	})
+
+	c.Check(boot.ChangeRequiresReboot(info), Equals, true)
 }
 
 func (s *kernelOSSuite) TestSetNextBootForKernel(c *C) {
@@ -200,11 +220,11 @@
 
 	s.bootloader.BootVars["snap_kernel"] = "krnl_40.snap"
 	s.bootloader.BootVars["snap_try_kernel"] = "krnl_42.snap"
-	c.Check(boot.KernelOrOsRebootRequired(info), Equals, true)
+	c.Check(boot.ChangeRequiresReboot(info), Equals, true)
 
 	// simulate good boot
 	s.bootloader.BootVars["snap_kernel"] = "krnl_42.snap"
-	c.Check(boot.KernelOrOsRebootRequired(info), Equals, false)
+	c.Check(boot.ChangeRequiresReboot(info), Equals, false)
 }
 
 func (s *kernelOSSuite) TestSetNextBootForKernelForTheSameKernel(c *C) {
@@ -226,6 +246,29 @@
 	})
 }
 
+func (s *kernelOSSuite) TestSetNextBootForKernelForTheSameKernelTryMode(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	info := &snap.Info{}
+	info.Type = snap.TypeKernel
+	info.RealName = "krnl"
+	info.Revision = snap.R(40)
+
+	s.bootloader.BootVars["snap_kernel"] = "krnl_40.snap"
+	s.bootloader.BootVars["snap_try_kernel"] = "krnl_99.snap"
+	s.bootloader.BootVars["snap_mode"] = "try"
+
+	err := boot.SetNextBoot(info)
+	c.Assert(err, IsNil)
+
+	c.Assert(s.bootloader.BootVars, DeepEquals, map[string]string{
+		"snap_kernel":     "krnl_40.snap",
+		"snap_try_kernel": "",
+		"snap_mode":       "",
+	})
+}
+
 func (s *kernelOSSuite) TestInUse(c *C) {
 	for _, t := range []struct {
 		bootVarKey   string
diff -Nru snapd-2.32.3.2~14.04/client/apps.go snapd-2.37~rc1~14.04/client/apps.go
--- snapd-2.32.3.2~14.04/client/apps.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/apps.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,14 +31,26 @@
 	"time"
 )
 
+// AppActivator is a thing that activates the app that is a service in the
+// system.
+type AppActivator struct {
+	Name string
+	// Type describes the type of the unit, either timer or socket
+	Type    string
+	Active  bool
+	Enabled bool
+}
+
 // AppInfo describes a single snap application.
 type AppInfo struct {
-	Snap        string `json:"snap,omitempty"`
-	Name        string `json:"name"`
-	DesktopFile string `json:"desktop-file,omitempty"`
-	Daemon      string `json:"daemon,omitempty"`
-	Enabled     bool   `json:"enabled,omitempty"`
-	Active      bool   `json:"active,omitempty"`
+	Snap        string         `json:"snap,omitempty"`
+	Name        string         `json:"name"`
+	DesktopFile string         `json:"desktop-file,omitempty"`
+	Daemon      string         `json:"daemon,omitempty"`
+	Enabled     bool           `json:"enabled,omitempty"`
+	Active      bool           `json:"active,omitempty"`
+	CommonID    string         `json:"common-id,omitempty"`
+	Activators  []AppActivator `json:"activators,omitempty"`
 }
 
 // IsService returns true if the application is a background daemon.
@@ -112,6 +124,15 @@
 		return nil, err
 	}
 
+	if rsp.StatusCode != 200 {
+		var r response
+		defer rsp.Body.Close()
+		if err := decodeInto(rsp.Body, &r); err != nil {
+			return nil, err
+		}
+		return nil, r.err(client)
+	}
+
 	ch := make(chan Log, 20)
 	go func() {
 		// logs come in application/json-seq, described in RFC7464: it's
diff -Nru snapd-2.32.3.2~14.04/client/apps_test.go snapd-2.37~rc1~14.04/client/apps_test.go
--- snapd-2.32.3.2~14.04/client/apps_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/apps_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -87,6 +87,22 @@
 	}
 }
 
+func (cs *clientSuite) TestClientAppCommonID(c *check.C) {
+	expected := []*client.AppInfo{{
+		Snap:     "foo",
+		Name:     "foo",
+		CommonID: "org.foo",
+	}}
+	buf, err := json.Marshal(expected)
+	c.Assert(err, check.IsNil)
+	cs.rsp = fmt.Sprintf(`{"type": "sync", "result": %s}`, buf)
+	for _, chkr := range appcheckers {
+		actual, err := chkr(cs, c)
+		c.Assert(err, check.IsNil)
+		c.Check(actual, check.DeepEquals, expected)
+	}
+}
+
 func testClientLogs(cs *clientSuite, c *check.C) ([]client.Log, error) {
 	ch, err := cs.cli.Logs([]string{"foo", "bar"}, client.LogOptions{N: -1, Follow: false})
 	c.Check(cs.req.URL.Path, check.Equals, "/v2/logs")
@@ -188,6 +204,14 @@
 	}
 }
 
+func (cs *clientSuite) TestClientLogsNotFound(c *check.C) {
+	cs.rsp = `{"type":"error","status-code":404,"status":"Not Found","result":{"message":"snap \"foo\" not found","kind":"snap-not-found","value":"foo"}}`
+	cs.status = 404
+	actual, err := testClientLogs(cs, c)
+	c.Assert(err, check.ErrorMatches, `snap "foo" not found`)
+	c.Check(actual, check.HasLen, 0)
+}
+
 func (cs *clientSuite) TestClientServiceStart(c *check.C) {
 	cs.rsp = `{"type": "async", "status-code": 202, "change": "24"}`
 
diff -Nru snapd-2.32.3.2~14.04/client/buy.go snapd-2.37~rc1~14.04/client/buy.go
--- snapd-2.32.3.2~14.04/client/buy.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/buy.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,13 +22,23 @@
 import (
 	"bytes"
 	"encoding/json"
-
-	"github.com/snapcore/snapd/store"
 )
 
-func (client *Client) Buy(opts *store.BuyOptions) (*store.BuyResult, error) {
+// BuyOptions specifies parameters to buy from the store.
+type BuyOptions struct {
+	SnapID   string  `json:"snap-id"`
+	Price    float64 `json:"price"`
+	Currency string  `json:"currency"` // ISO 4217 code as string
+}
+
+// BuyResult holds the state of a buy attempt.
+type BuyResult struct {
+	State string `json:"state,omitempty"`
+}
+
+func (client *Client) Buy(opts *BuyOptions) (*BuyResult, error) {
 	if opts == nil {
-		opts = &store.BuyOptions{}
+		opts = &BuyOptions{}
 	}
 
 	var body bytes.Buffer
@@ -36,7 +46,7 @@
 		return nil, err
 	}
 
-	var result store.BuyResult
+	var result BuyResult
 	_, err := client.doSync("POST", "/v2/buy", nil, nil, &body, &result)
 
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/client/change.go snapd-2.37~rc1~14.04/client/change.go
--- snapd-2.32.3.2~14.04/client/change.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/change.go	2019-01-16 08:36:51.000000000 +0000
@@ -78,7 +78,7 @@
 	Data map[string]*json.RawMessage `json:"data"`
 }
 
-// Change fetches information about a Change given its ID
+// Change fetches information about a Change given its ID.
 func (client *Client) Change(id string) (*Change, error) {
 	var chgd changeAndData
 	_, err := client.doSync("GET", "/v2/changes/"+id, nil, nil, nil, &chgd)
diff -Nru snapd-2.32.3.2~14.04/client/change_test.go snapd-2.37~rc1~14.04/client/change_test.go
--- snapd-2.32.3.2~14.04/client/change_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/change_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -81,6 +81,24 @@
 	c.Assert(err, check.Equals, client.ErrNoData)
 }
 
+func (cs *clientSuite) TestClientChangeRestartingState(c *check.C) {
+	cs.rsp = `{"type": "sync", "result": {
+  "id":   "uno",
+  "kind": "foo",
+  "summary": "...",
+  "status": "Do",
+  "ready": false
+},
+ "maintenance": {"kind": "system-restart", "message": "system is restarting"}
+}`
+
+	chg, err := cs.cli.Change("uno")
+	c.Check(chg, check.NotNil)
+	c.Check(chg.ID, check.Equals, "uno")
+	c.Check(err, check.IsNil)
+	c.Check(cs.cli.Maintenance(), check.ErrorMatches, `system is restarting`)
+}
+
 func (cs *clientSuite) TestClientChangeError(c *check.C) {
 	cs.rsp = `{"type": "sync", "result": {
   "id":   "uno",
diff -Nru snapd-2.32.3.2~14.04/client/client.go snapd-2.37~rc1~14.04/client/client.go
--- snapd-2.32.3.2~14.04/client/client.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/client.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2015-2016 Canonical Ltd
+ * Copyright (C) 2015-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -66,6 +66,10 @@
 
 	// Socket is the path to the unix socket to use
 	Socket string
+
+	// DisableKeepAlive indicates whether the connections should not be kept
+	// alive for later reuse
+	DisableKeepAlive bool
 }
 
 // A Client knows how to talk to the snappy daemon.
@@ -75,6 +79,11 @@
 
 	disableAuth bool
 	interactive bool
+
+	maintenance error
+
+	warningCount     int
+	warningTimestamp time.Time
 }
 
 // New returns a new instance of Client
@@ -85,14 +94,13 @@
 
 	// By default talk over an UNIX socket.
 	if config.BaseURL == "" {
+		transport := &http.Transport{Dial: unixDialer(config.Socket), DisableKeepAlives: config.DisableKeepAlive}
 		return &Client{
 			baseURL: url.URL{
 				Scheme: "http",
 				Host:   "localhost",
 			},
-			doer: &http.Client{
-				Transport: &http.Transport{Dial: unixDialer(config.Socket)},
-			},
+			doer:        &http.Client{Transport: transport},
 			disableAuth: config.DisableAuth,
 			interactive: config.Interactive,
 		}
@@ -104,12 +112,24 @@
 	}
 	return &Client{
 		baseURL:     *baseURL,
-		doer:        &http.Client{},
+		doer:        &http.Client{Transport: &http.Transport{DisableKeepAlives: config.DisableKeepAlive}},
 		disableAuth: config.DisableAuth,
 		interactive: config.Interactive,
 	}
 }
 
+// Maintenance returns an error reflecting the daemon maintenance status or nil.
+func (client *Client) Maintenance() error {
+	return client.maintenance
+}
+
+// WarningsSummary returns the number of warnings that are ready to be shown to
+// the user, and the timestamp of the most recently added warning (useful for
+// silencing the warning alerts, and OKing the returned warnings).
+func (client *Client) WarningsSummary() (count int, timestamp time.Time) {
+	return client.warningCount, client.warningTimestamp
+}
+
 func (client *Client) WhoAmI() (string, error) {
 	user, err := readAuthData()
 	if os.IsNotExist(err) {
@@ -216,6 +236,19 @@
 	}
 }
 
+type hijacked struct {
+	do func(*http.Request) (*http.Response, error)
+}
+
+func (h hijacked) Do(req *http.Request) (*http.Response, error) {
+	return h.do(req)
+}
+
+// Hijack lets the caller take over the raw http request
+func (client *Client) Hijack(f func(*http.Request) (*http.Response, error)) {
+	client.doer = hijacked{f}
+}
+
 // do performs a request and decodes the resulting json into the given
 // value. It's low-level, for testing/experimenting only; you should
 // usually use a higher level interface that builds on this.
@@ -243,29 +276,37 @@
 	defer rsp.Body.Close()
 
 	if v != nil {
-		dec := json.NewDecoder(rsp.Body)
-		if err := dec.Decode(v); err != nil {
-			r := dec.Buffered()
-			buf, err1 := ioutil.ReadAll(r)
-			if err1 != nil {
-				buf = []byte(fmt.Sprintf("error reading buffered response body: %s", err1))
-			}
-			return fmt.Errorf("cannot decode %q: %s", buf, err)
+		if err := decodeInto(rsp.Body, v); err != nil {
+			return err
 		}
 	}
 
 	return nil
 }
 
+func decodeInto(reader io.Reader, v interface{}) error {
+	dec := json.NewDecoder(reader)
+	if err := dec.Decode(v); err != nil {
+		r := dec.Buffered()
+		buf, err1 := ioutil.ReadAll(r)
+		if err1 != nil {
+			buf = []byte(fmt.Sprintf("error reading buffered response body: %s", err1))
+		}
+		return fmt.Errorf("cannot decode %q: %s", buf, err)
+	}
+	return nil
+}
+
 // doSync performs a request to the given path using the specified HTTP method.
 // It expects a "sync" response from the API and on success decodes the JSON
-// response payload into the given value.
+// response payload into the given value using the "UseNumber" json decoding
+// which produces json.Numbers instead of float64 types for numbers.
 func (client *Client) doSync(method, path string, query url.Values, headers map[string]string, body io.Reader, v interface{}) (*ResultInfo, error) {
 	var rsp response
 	if err := client.do(method, path, query, headers, body, &rsp); err != nil {
 		return nil, err
 	}
-	if err := rsp.err(); err != nil {
+	if err := rsp.err(client); err != nil {
 		return nil, err
 	}
 	if rsp.Type != "sync" {
@@ -278,29 +319,37 @@
 		}
 	}
 
+	client.warningCount = rsp.WarningCount
+	client.warningTimestamp = rsp.WarningTimestamp
+
 	return &rsp.ResultInfo, nil
 }
 
 func (client *Client) doAsync(method, path string, query url.Values, headers map[string]string, body io.Reader) (changeID string, err error) {
+	_, changeID, err = client.doAsyncFull(method, path, query, headers, body)
+	return
+}
+
+func (client *Client) doAsyncFull(method, path string, query url.Values, headers map[string]string, body io.Reader) (result json.RawMessage, changeID string, err error) {
 	var rsp response
 
 	if err := client.do(method, path, query, headers, body, &rsp); err != nil {
-		return "", err
+		return nil, "", err
 	}
-	if err := rsp.err(); err != nil {
-		return "", err
+	if err := rsp.err(client); err != nil {
+		return nil, "", err
 	}
 	if rsp.Type != "async" {
-		return "", fmt.Errorf("expected async response for %q on %q, got %q", method, path, rsp.Type)
+		return nil, "", fmt.Errorf("expected async response for %q on %q, got %q", method, path, rsp.Type)
 	}
 	if rsp.StatusCode != 202 {
-		return "", fmt.Errorf("operation not accepted")
+		return nil, "", fmt.Errorf("operation not accepted")
 	}
 	if rsp.Change == "" {
-		return "", fmt.Errorf("async response without change reference")
+		return nil, "", fmt.Errorf("async response without change reference")
 	}
 
-	return rsp.Change, nil
+	return rsp.Result, rsp.Change, nil
 }
 
 type ServerVersion struct {
@@ -339,7 +388,12 @@
 	Type       string          `json:"type"`
 	Change     string          `json:"change"`
 
+	WarningCount     int       `json:"warning-count"`
+	WarningTimestamp time.Time `json:"warning-timestamp"`
+
 	ResultInfo
+
+	Maintenance *Error `json:"maintenance"`
 }
 
 // Error is the real value of response.Result when an error occurs.
@@ -359,6 +413,7 @@
 	ErrorKindTwoFactorRequired = "two-factor-required"
 	ErrorKindTwoFactorFailed   = "two-factor-failed"
 	ErrorKindLoginRequired     = "login-required"
+	ErrorKindInvalidAuthData   = "invalid-auth-data"
 	ErrorKindTermsNotAccepted  = "terms-not-accepted"
 	ErrorKindNoPaymentMethods  = "no-payment-methods"
 	ErrorKindPaymentDeclined   = "payment-declined"
@@ -367,18 +422,44 @@
 	ErrorKindSnapAlreadyInstalled   = "snap-already-installed"
 	ErrorKindSnapNotInstalled       = "snap-not-installed"
 	ErrorKindSnapNotFound           = "snap-not-found"
+	ErrorKindAppNotFound            = "app-not-found"
 	ErrorKindSnapLocal              = "snap-local"
 	ErrorKindSnapNeedsDevMode       = "snap-needs-devmode"
 	ErrorKindSnapNeedsClassic       = "snap-needs-classic"
 	ErrorKindSnapNeedsClassicSystem = "snap-needs-classic-system"
+	ErrorKindSnapNotClassic         = "snap-not-classic"
 	ErrorKindNoUpdateAvailable      = "snap-no-update-available"
 
+	ErrorKindRevisionNotAvailable     = "snap-revision-not-available"
+	ErrorKindChannelNotAvailable      = "snap-channel-not-available"
+	ErrorKindArchitectureNotAvailable = "snap-architecture-not-available"
+
+	ErrorKindChangeConflict = "snap-change-conflict"
+
 	ErrorKindNotSnap = "snap-not-a-snap"
 
-	ErrorKindNetworkTimeout      = "network-timeout"
+	ErrorKindNetworkTimeout = "network-timeout"
+	ErrorKindDNSFailure     = "dns-failure"
+
 	ErrorKindInterfacesUnchanged = "interfaces-unchanged"
+
+	ErrorKindBadQuery           = "bad-query"
+	ErrorKindConfigNoSuchOption = "option-not-found"
+
+	ErrorKindSystemRestart = "system-restart"
+	ErrorKindDaemonRestart = "daemon-restart"
 )
 
+// IsRetryable returns true if the given error is an error
+// that can be retried later.
+func IsRetryable(err error) bool {
+	switch e := err.(type) {
+	case *Error:
+		return e.Kind == ErrorKindChangeConflict
+	}
+	return false
+}
+
 // IsTwoFactorError returns whether the given error is due to problems
 // in two-factor authentication.
 func IsTwoFactorError(err error) bool {
@@ -421,17 +502,28 @@
 type SysInfo struct {
 	Series    string    `json:"series,omitempty"`
 	Version   string    `json:"version,omitempty"`
+	BuildID   string    `json:"build-id"`
 	OSRelease OSRelease `json:"os-release"`
 	OnClassic bool      `json:"on-classic"`
 	Managed   bool      `json:"managed"`
 
 	KernelVersion string `json:"kernel-version,omitempty"`
 
-	Refresh     RefreshInfo `json:"refresh,omitempty"`
-	Confinement string      `json:"confinement"`
+	Refresh         RefreshInfo         `json:"refresh,omitempty"`
+	Confinement     string              `json:"confinement"`
+	SandboxFeatures map[string][]string `json:"sandbox-features,omitempty"`
 }
 
-func (rsp *response) err() error {
+func (rsp *response) err(cli *Client) error {
+	if cli != nil {
+		maintErr := rsp.Maintenance
+		// avoid setting to (*client.Error)(nil)
+		if maintErr != nil {
+			cli.maintenance = maintErr
+		} else {
+			cli.maintenance = nil
+		}
+	}
 	if rsp.Type != "error" {
 		return nil
 	}
@@ -456,7 +548,7 @@
 		return fmt.Errorf("cannot unmarshal error: %v", err)
 	}
 
-	err := rsp.err()
+	err := rsp.err(nil)
 	if err == nil {
 		return fmt.Errorf("server error: %q", r.Status)
 	}
diff -Nru snapd-2.32.3.2~14.04/client/client_test.go snapd-2.37~rc1~14.04/client/client_test.go
--- snapd-2.32.3.2~14.04/client/client_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/client_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -51,6 +51,7 @@
 	doCalls int
 	header  http.Header
 	status  int
+	restore func()
 }
 
 var _ = Suite(&clientSuite{})
@@ -70,10 +71,13 @@
 	cs.doCalls = 0
 
 	dirs.SetRootDir(c.MkDir())
+
+	cs.restore = client.MockDoRetry(time.Millisecond, 10*time.Millisecond)
 }
 
 func (cs *clientSuite) TearDownTest(c *C) {
 	os.Unsetenv(client.TestAuthFileEnvKey)
+	cs.restore()
 }
 
 func (cs *clientSuite) Do(req *http.Request) (*http.Response, error) {
@@ -99,8 +103,6 @@
 }
 
 func (cs *clientSuite) TestClientDoReportsErrors(c *C) {
-	restore := client.MockDoRetry(10*time.Millisecond, 100*time.Millisecond)
-	defer restore()
 	cs.err = errors.New("ouchie")
 	err := cs.cli.Do("GET", "/", nil, nil, nil)
 	c.Check(err, ErrorMatches, "cannot communicate with server: ouchie")
@@ -216,7 +218,9 @@
                       "version": "2",
                       "os-release": {"id": "ubuntu", "version-id": "16.04"},
                       "on-classic": true,
-                      "confinement": "strict"}}`
+                      "build-id": "1234",
+                      "confinement": "strict",
+                      "sandbox-features": {"backend": ["feature-1", "feature-2"]}}}`
 	sysInfo, err := cs.cli.SysInfo()
 	c.Check(err, IsNil)
 	c.Check(sysInfo, DeepEquals, &client.SysInfo{
@@ -228,6 +232,10 @@
 		},
 		OnClassic:   true,
 		Confinement: "strict",
+		SandboxFeatures: map[string][]string{
+			"backend": {"feature-1", "feature-2"},
+		},
+		BuildID: "1234",
 	})
 }
 
@@ -343,6 +351,36 @@
 	c.Check(err, ErrorMatches, `.*cannot unmarshal.*`)
 }
 
+func (cs *clientSuite) TestClientMaintenance(c *C) {
+	cs.rsp = `{"type":"sync", "result":{"series":"42"}, "maintenance": {"kind": "system-restart", "message": "system is restarting"}}`
+	_, err := cs.cli.SysInfo()
+	c.Assert(err, IsNil)
+	c.Check(cs.cli.Maintenance().(*client.Error), DeepEquals, &client.Error{
+		Kind:    client.ErrorKindSystemRestart,
+		Message: "system is restarting",
+	})
+
+	cs.rsp = `{"type":"sync", "result":{"series":"42"}}`
+	_, err = cs.cli.SysInfo()
+	c.Assert(err, IsNil)
+	c.Check(cs.cli.Maintenance(), Equals, error(nil))
+}
+
+func (cs *clientSuite) TestClientAsyncOpMaintenance(c *C) {
+	cs.rsp = `{"type":"async", "status-code": 202, "change": "42", "maintenance": {"kind": "system-restart", "message": "system is restarting"}}`
+	_, err := cs.cli.Install("foo", nil)
+	c.Assert(err, IsNil)
+	c.Check(cs.cli.Maintenance().(*client.Error), DeepEquals, &client.Error{
+		Kind:    client.ErrorKindSystemRestart,
+		Message: "system is restarting",
+	})
+
+	cs.rsp = `{"type":"async", "status-code": 202, "change": "42"}`
+	_, err = cs.cli.Install("foo", nil)
+	c.Assert(err, IsNil)
+	c.Check(cs.cli.Maintenance(), Equals, error(nil))
+}
+
 func (cs *clientSuite) TestParseError(c *C) {
 	resp := &http.Response{
 		Status: "404 Not Found",
@@ -384,6 +422,15 @@
 	c.Check(client.IsTwoFactorError((*client.Error)(nil)), Equals, false)
 }
 
+func (cs *clientSuite) TestIsRetryable(c *C) {
+	// unhappy
+	c.Check(client.IsRetryable(nil), Equals, false)
+	c.Check(client.IsRetryable(errors.New("some-error")), Equals, false)
+	c.Check(client.IsRetryable(&client.Error{Kind: "something-else"}), Equals, false)
+	// happy
+	c.Check(client.IsRetryable(&client.Error{Kind: client.ErrorKindChangeConflict}), Equals, true)
+}
+
 func (cs *clientSuite) TestClientCreateUser(c *C) {
 	_, err := cs.cli.CreateUser(&client.CreateUserOptions{})
 	c.Assert(err, ErrorMatches, "cannot create a user without providing an email")
diff -Nru snapd-2.32.3.2~14.04/client/conf.go snapd-2.37~rc1~14.04/client/conf.go
--- snapd-2.32.3.2~14.04/client/conf.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/conf.go	2019-01-16 08:36:51.000000000 +0000
@@ -36,6 +36,8 @@
 }
 
 // Conf asks for a snap's current configuration.
+//
+// Note that the configuration may include json.Numbers.
 func (client *Client) Conf(snapName string, keys []string) (configuration map[string]interface{}, err error) {
 	// Prepare query
 	query := url.Values{}
diff -Nru snapd-2.32.3.2~14.04/client/export_test.go snapd-2.37~rc1~14.04/client/export_test.go
--- snapd-2.32.3.2~14.04/client/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package client
 
 import (
+	"encoding/json"
 	"io"
 	"net/url"
 )
@@ -43,3 +44,8 @@
 var TestStoreAuthFilename = storeAuthDataFilename
 
 var TestAuthFileEnvKey = authFileEnvKey
+
+func UnmarshalSnapshotAction(body io.Reader) (act snapshotAction, err error) {
+	err = json.NewDecoder(body).Decode(&act)
+	return
+}
diff -Nru snapd-2.32.3.2~14.04/client/icons.go snapd-2.37~rc1~14.04/client/icons.go
--- snapd-2.32.3.2~14.04/client/icons.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/icons.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,6 +31,8 @@
 	Content  []byte
 }
 
+var contentDispositionMatcher = regexp.MustCompile(`attachment; filename=(.+)`).FindStringSubmatch
+
 // Icon returns the Icon belonging to an installed snap
 func (c *Client) Icon(pkgID string) (*Icon, error) {
 	const errPrefix = "cannot retrieve icon"
@@ -45,8 +47,7 @@
 		return nil, fmt.Errorf("%s: Not Found", errPrefix)
 	}
 
-	re := regexp.MustCompile(`attachment; filename=(.+)`)
-	matches := re.FindStringSubmatch(response.Header.Get("Content-Disposition"))
+	matches := contentDispositionMatcher(response.Header.Get("Content-Disposition"))
 
 	if matches == nil || matches[1] == "" {
 		return nil, fmt.Errorf("%s: cannot determine filename", errPrefix)
diff -Nru snapd-2.32.3.2~14.04/client/packages.go snapd-2.37~rc1~14.04/client/packages.go
--- snapd-2.32.3.2~14.04/client/packages.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/packages.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,18 +32,21 @@
 
 // Snap holds the data for a snap as obtained from snapd.
 type Snap struct {
-	ID               string        `json:"id"`
-	Title            string        `json:"title,omitempty"`
-	Summary          string        `json:"summary"`
-	Description      string        `json:"description"`
-	DownloadSize     int64         `json:"download-size,omitempty"`
-	Icon             string        `json:"icon,omitempty"`
-	InstalledSize    int64         `json:"installed-size,omitempty"`
-	InstallDate      time.Time     `json:"install-date,omitempty"`
-	Name             string        `json:"name"`
+	ID            string             `json:"id"`
+	Title         string             `json:"title,omitempty"`
+	Summary       string             `json:"summary"`
+	Description   string             `json:"description"`
+	DownloadSize  int64              `json:"download-size,omitempty"`
+	Icon          string             `json:"icon,omitempty"`
+	InstalledSize int64              `json:"installed-size,omitempty"`
+	InstallDate   time.Time          `json:"install-date,omitempty"`
+	Name          string             `json:"name"`
+	Publisher     *snap.StoreAccount `json:"publisher,omitempty"`
+	// Developer is also the publisher's username for historic reasons.
 	Developer        string        `json:"developer"`
 	Status           string        `json:"status"`
 	Type             string        `json:"type"`
+	Base             string        `json:"base,omitempty"`
 	Version          string        `json:"version"`
 	Channel          string        `json:"channel"`
 	TrackingChannel  string        `json:"tracking-channel,omitempty"`
@@ -58,9 +61,12 @@
 	Broken           string        `json:"broken,omitempty"`
 	Contact          string        `json:"contact"`
 	License          string        `json:"license,omitempty"`
+	CommonIDs        []string      `json:"common-ids,omitempty"`
+	MountedFrom      string        `json:"mounted-from,omitempty"`
 
-	Prices      map[string]float64 `json:"prices,omitempty"`
-	Screenshots []Screenshot       `json:"screenshots,omitempty"`
+	Prices      map[string]float64    `json:"prices,omitempty"`
+	Screenshots []snap.ScreenshotInfo `json:"screenshots,omitempty"`
+	Media       snap.MediaInfos       `json:"media,omitempty"`
 
 	// The flattended channel map with $track/$risk
 	Channels map[string]*snap.ChannelSnapInfo `json:"channels,omitempty"`
@@ -84,12 +90,6 @@
 	return json.Marshal(&m)
 }
 
-type Screenshot struct {
-	URL    string `json:"url"`
-	Width  int64  `json:"width,omitempty"`
-	Height int64  `json:"height,omitempty"`
-}
-
 // Statuses and types a snap may have.
 const (
 	StatusAvailable = "available"
@@ -122,6 +122,7 @@
 	Prefix  bool
 	Query   string
 	Section string
+	Scope   string
 }
 
 var ErrNoSnapsInstalled = errors.New("no snaps installed")
@@ -191,6 +192,9 @@
 	if opts.Section != "" {
 		q.Set("section", opts.Section)
 	}
+	if opts.Scope != "" {
+		q.Set("scope", opts.Scope)
+	}
 
 	return client.snapsFromPath("/v2/find", q)
 }
diff -Nru snapd-2.32.3.2~14.04/client/packages_test.go snapd-2.37~rc1~14.04/client/packages_test.go
--- snapd-2.32.3.2~14.04/client/packages_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/packages_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,6 +28,7 @@
 	"gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/snap"
 )
 
 func (cs *clientSuite) TestClientSnapsCallsEndpoint(c *check.C) {
@@ -81,6 +82,17 @@
 	c.Check(cs.req.URL.Query().Get("select"), check.Equals, "private")
 }
 
+func (cs *clientSuite) TestClientFindWithScopeSetsQuery(c *check.C) {
+	_, _, _ = cs.cli.Find(&client.FindOptions{
+		Scope: "mouthwash",
+	})
+	c.Check(cs.req.Method, check.Equals, "GET")
+	c.Check(cs.req.URL.Path, check.Equals, "/v2/find")
+	c.Check(cs.req.URL.Query(), check.DeepEquals, url.Values{
+		"q": []string{""}, "scope": []string{"mouthwash"},
+	})
+}
+
 func (cs *clientSuite) TestClientSnapsInvalidSnapsJSON(c *check.C) {
 	cs.rsp = `{
 		"type": "sync",
@@ -116,12 +128,19 @@
 			"license": "GPL-3.0",
 			"name": "hello-world",
 			"developer": "canonical",
+			"publisher": {
+                            "id": "canonical",
+                            "username": "canonical",
+                            "display-name": "Canonical",
+                            "validation": "verified"
+                        },
 			"resource": "/v2/snaps/hello-world.canonical",
 			"status": "available",
 			"type": "app",
 			"version": "1.0.18",
 			"confinement": "strict",
-			"private": true
+			"private": true,
+                        "common-ids": ["org.funky.snap"]
 		}],
 		"suggested-currency": "GBP"
 	}`
@@ -138,12 +157,19 @@
 		License:       "GPL-3.0",
 		Name:          "hello-world",
 		Developer:     "canonical",
-		Status:        client.StatusAvailable,
-		Type:          client.TypeApp,
-		Version:       "1.0.18",
-		Confinement:   client.StrictConfinement,
-		Private:       true,
-		DevMode:       false,
+		Publisher: &snap.StoreAccount{
+			ID:          "canonical",
+			Username:    "canonical",
+			DisplayName: "Canonical",
+			Validation:  "verified",
+		},
+		Status:      client.StatusAvailable,
+		Type:        client.TypeApp,
+		Version:     "1.0.18",
+		Confinement: client.StrictConfinement,
+		Private:     true,
+		DevMode:     false,
+		CommonIDs:   []string{"org.funky.snap"},
 	}})
 }
 
@@ -186,10 +212,17 @@
 			"license": "GPL-3.0",
 			"name": "chatroom",
 			"developer": "ogra",
+			"publisher": {
+                            "id": "ogra-id",
+                            "username": "ogra",
+                            "display-name": "Ogra",
+                            "validation": "unproven"
+                        },
 			"resource": "/v2/snaps/chatroom.ogra",
 			"status": "active",
 			"type": "app",
 			"version": "0.1-8",
+                        "revision": 42,
 			"confinement": "strict",
 			"private": true,
 			"devmode": true,
@@ -197,7 +230,13 @@
                         "screenshots": [
                             {"url":"http://example.com/shot1.png", "width":640, "height":480},
                             {"url":"http://example.com/shot2.png"}
-                        ]
+                        ],
+                        "media": [
+                            {"type": "icon", "url":"http://example.com/icon.png"},
+                            {"type": "screenshot", "url":"http://example.com/shot1.png", "width":640, "height":480},
+                            {"type": "screenshot", "url":"http://example.com/shot2.png"}
+                        ],
+                        "common-ids": ["org.funky.snap"]
 		}
 	}`
 	pkg, _, err := cs.cli.Snap(pkgName)
@@ -216,17 +255,30 @@
 		License:       "GPL-3.0",
 		Name:          "chatroom",
 		Developer:     "ogra",
-		Status:        client.StatusActive,
-		Type:          client.TypeApp,
-		Version:       "0.1-8",
-		Confinement:   client.StrictConfinement,
-		Private:       true,
-		DevMode:       true,
-		TryMode:       true,
-		Screenshots: []client.Screenshot{
+		Publisher: &snap.StoreAccount{
+			ID:          "ogra-id",
+			Username:    "ogra",
+			DisplayName: "Ogra",
+			Validation:  "unproven",
+		},
+		Status:      client.StatusActive,
+		Type:        client.TypeApp,
+		Version:     "0.1-8",
+		Revision:    snap.R(42),
+		Confinement: client.StrictConfinement,
+		Private:     true,
+		DevMode:     true,
+		TryMode:     true,
+		Screenshots: []snap.ScreenshotInfo{
 			{URL: "http://example.com/shot1.png", Width: 640, Height: 480},
 			{URL: "http://example.com/shot2.png"},
 		},
+		Media: []snap.MediaInfo{
+			{Type: "icon", URL: "http://example.com/icon.png"},
+			{Type: "screenshot", URL: "http://example.com/shot1.png", Width: 640, Height: 480},
+			{Type: "screenshot", URL: "http://example.com/shot2.png"},
+		},
+		CommonIDs: []string{"org.funky.snap"},
 	})
 }
 
diff -Nru snapd-2.32.3.2~14.04/client/snap_op.go snapd-2.37~rc1~14.04/client/snap_op.go
--- snapd-2.32.3.2~14.04/client/snap_op.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/snap_op.go	2019-01-16 08:36:51.000000000 +0000
@@ -39,6 +39,15 @@
 	Dangerous        bool   `json:"dangerous,omitempty"`
 	IgnoreValidation bool   `json:"ignore-validation,omitempty"`
 	Unaliased        bool   `json:"unaliased,omitempty"`
+
+	Users []string `json:"users,omitempty"`
+}
+
+func writeFieldBool(mw *multipart.Writer, key string, val bool) error {
+	if !val {
+		return nil
+	}
+	return mw.WriteField(key, "true")
 }
 
 func (opts *SnapOptions) writeModeFields(mw *multipart.Writer) error {
@@ -52,11 +61,7 @@
 		{"dangerous", opts.Dangerous},
 	}
 	for _, o := range fields {
-		if !o.b {
-			continue
-		}
-		err := mw.WriteField(o.f, "true")
-		if err != nil {
+		if err := writeFieldBool(mw, o.f, o.b); err != nil {
 			return err
 		}
 	}
@@ -64,6 +69,10 @@
 	return nil
 }
 
+func (opts *SnapOptions) writeOptionFields(mw *multipart.Writer) error {
+	return writeFieldBool(mw, "unaliased", opts.Unaliased)
+}
+
 type actionData struct {
 	Action   string `json:"action"`
 	Name     string `json:"name,omitempty"`
@@ -74,6 +83,7 @@
 type multiActionData struct {
 	Action string   `json:"action"`
 	Snaps  []string `json:"snaps,omitempty"`
+	Users  []string `json:"users,omitempty"`
 }
 
 // Install adds the snap with the given name from the given channel (or
@@ -123,6 +133,24 @@
 	return client.doSnapAction("switch", name, options)
 }
 
+// SnapshotMany snapshots many snaps (all, if names empty) for many users (all, if users is empty).
+func (client *Client) SnapshotMany(names []string, users []string) (setID uint64, changeID string, err error) {
+	result, changeID, err := client.doMultiSnapActionFull("snapshot", names, &SnapOptions{Users: users})
+	if err != nil {
+		return 0, "", err
+	}
+	if len(result) == 0 {
+		return 0, "", fmt.Errorf("server result does not contain snapshot set identifier")
+	}
+	var x struct {
+		SetID uint64 `json:"set-id"`
+	}
+	if err := json.Unmarshal(result, &x); err != nil {
+		return 0, "", err
+	}
+	return x.SetID, changeID, nil
+}
+
 var ErrDangerousNotApplicable = fmt.Errorf("dangerous option only meaningful when installing from a local file")
 
 func (client *Client) doSnapAction(actionName string, snapName string, options *SnapOptions) (changeID string, err error) {
@@ -150,25 +178,34 @@
 	if options != nil {
 		return "", fmt.Errorf("cannot use options for multi-action") // (yet)
 	}
+	_, changeID, err = client.doMultiSnapActionFull(actionName, snaps, options)
+
+	return changeID, err
+}
+
+func (client *Client) doMultiSnapActionFull(actionName string, snaps []string, options *SnapOptions) (result json.RawMessage, changeID string, err error) {
 	action := multiActionData{
 		Action: actionName,
 		Snaps:  snaps,
 	}
+	if options != nil {
+		action.Users = options.Users
+	}
 	data, err := json.Marshal(&action)
 	if err != nil {
-		return "", fmt.Errorf("cannot marshal multi-snap action: %s", err)
+		return nil, "", fmt.Errorf("cannot marshal multi-snap action: %s", err)
 	}
 
 	headers := map[string]string{
 		"Content-Type": "application/json",
 	}
 
-	return client.doAsync("POST", "/v2/snaps", nil, headers, bytes.NewBuffer(data))
+	return client.doAsyncFull("POST", "/v2/snaps", nil, headers, bytes.NewBuffer(data))
 }
 
-// InstallPath sideloads the snap with the given path, returning the UUID
-// of the background operation upon success.
-func (client *Client) InstallPath(path string, options *SnapOptions) (changeID string, err error) {
+// InstallPath sideloads the snap with the given path under optional provided name,
+// returning the UUID of the background operation upon success.
+func (client *Client) InstallPath(path, name string, options *SnapOptions) (changeID string, err error) {
 	f, err := os.Open(path)
 	if err != nil {
 		return "", fmt.Errorf("cannot open: %q", path)
@@ -176,6 +213,7 @@
 
 	action := actionData{
 		Action:      "install",
+		Name:        name,
 		SnapPath:    path,
 		SnapOptions: options,
 	}
@@ -243,6 +281,11 @@
 		pw.CloseWithError(err)
 		return
 	}
+
+	if err := action.writeOptionFields(mw); err != nil {
+		pw.CloseWithError(err)
+		return
+	}
 
 	fw, err := mw.CreateFormFile("snap", filepath.Base(snapPath))
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/client/snap_op_test.go snapd-2.37~rc1~14.04/client/snap_op_test.go
--- snapd-2.32.3.2~14.04/client/snap_op_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/snap_op_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -72,6 +72,8 @@
 		_, err := s.op(cs.cli, nil, nil)
 		c.Check(err, check.ErrorMatches, `.*fail`, check.Commentf(s.action))
 	}
+	_, _, err := cs.cli.SnapshotMany(nil, nil)
+	c.Check(err, check.ErrorMatches, `.*fail`)
 }
 
 func (cs *clientSuite) TestClientOpSnapResponseError(c *check.C) {
@@ -88,6 +90,8 @@
 		_, err := s.op(cs.cli, nil, nil)
 		c.Check(err, check.ErrorMatches, `.*server error: "potatoes"`, check.Commentf(s.action))
 	}
+	_, _, err := cs.cli.SnapshotMany(nil, nil)
+	c.Check(err, check.ErrorMatches, `.*server error: "potatoes"`)
 }
 
 func (cs *clientSuite) TestClientOpSnapBadType(c *check.C) {
@@ -153,6 +157,7 @@
 		"type": "async"
 	}`
 	for _, s := range multiOps {
+		// Note body is essentially the same as TestClientMultiSnapshot; keep in sync
 		id, err := s.op(cs.cli, []string{pkgName}, nil)
 		c.Assert(err, check.IsNil)
 
@@ -172,6 +177,31 @@
 	}
 }
 
+func (cs *clientSuite) TestClientMultiSnapshot(c *check.C) {
+	// Note body is essentially the same as TestClientMultiOpSnap; keep in sync
+	cs.rsp = `{
+                "result": {"set-id": 42},
+		"change": "d728",
+		"status-code": 202,
+		"type": "async"
+	}`
+	setID, changeID, err := cs.cli.SnapshotMany([]string{pkgName}, nil)
+	c.Assert(err, check.IsNil)
+	c.Check(cs.req.Header.Get("Content-Type"), check.Equals, "application/json")
+
+	body, err := ioutil.ReadAll(cs.req.Body)
+	c.Assert(err, check.IsNil)
+	jsonBody := make(map[string]interface{})
+	err = json.Unmarshal(body, &jsonBody)
+	c.Assert(err, check.IsNil)
+	c.Check(jsonBody["action"], check.Equals, "snapshot")
+	c.Check(jsonBody["snaps"], check.DeepEquals, []interface{}{pkgName})
+	c.Check(jsonBody, check.HasLen, 2)
+	c.Check(cs.req.URL.Path, check.Equals, "/v2/snaps")
+	c.Check(setID, check.Equals, uint64(42))
+	c.Check(changeID, check.Equals, "d728")
+}
+
 func (cs *clientSuite) TestClientOpInstallPath(c *check.C) {
 	cs.rsp = `{
 		"change": "66b3",
@@ -184,7 +214,7 @@
 	err := ioutil.WriteFile(snap, bodyData, 0644)
 	c.Assert(err, check.IsNil)
 
-	id, err := cs.cli.InstallPath(snap, nil)
+	id, err := cs.cli.InstallPath(snap, "", nil)
 	c.Assert(err, check.IsNil)
 
 	body, err := ioutil.ReadAll(cs.req.Body)
@@ -199,6 +229,34 @@
 	c.Check(id, check.Equals, "66b3")
 }
 
+func (cs *clientSuite) TestClientOpInstallPathInstance(c *check.C) {
+	cs.rsp = `{
+		"change": "66b3",
+		"status-code": 202,
+		"type": "async"
+	}`
+	bodyData := []byte("snap-data")
+
+	snap := filepath.Join(c.MkDir(), "foo.snap")
+	err := ioutil.WriteFile(snap, bodyData, 0644)
+	c.Assert(err, check.IsNil)
+
+	id, err := cs.cli.InstallPath(snap, "foo_bar", nil)
+	c.Assert(err, check.IsNil)
+
+	body, err := ioutil.ReadAll(cs.req.Body)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(string(body), check.Matches, "(?s).*\r\nsnap-data\r\n.*")
+	c.Assert(string(body), check.Matches, "(?s).*Content-Disposition: form-data; name=\"action\"\r\n\r\ninstall\r\n.*")
+	c.Assert(string(body), check.Matches, "(?s).*Content-Disposition: form-data; name=\"name\"\r\n\r\nfoo_bar\r\n.*")
+
+	c.Check(cs.req.Method, check.Equals, "POST")
+	c.Check(cs.req.URL.Path, check.Equals, fmt.Sprintf("/v2/snaps"))
+	c.Assert(cs.req.Header.Get("Content-Type"), check.Matches, "multipart/form-data; boundary=.*")
+	c.Check(id, check.Equals, "66b3")
+}
+
 func (cs *clientSuite) TestClientOpInstallDangerous(c *check.C) {
 	cs.rsp = `{
 		"change": "66b3",
@@ -216,7 +274,7 @@
 	}
 
 	// InstallPath takes Dangerous
-	_, err = cs.cli.InstallPath(snap, &opts)
+	_, err = cs.cli.InstallPath(snap, "", &opts)
 	c.Assert(err, check.IsNil)
 
 	body, err := ioutil.ReadAll(cs.req.Body)
@@ -235,6 +293,41 @@
 	c.Assert(err, check.NotNil)
 }
 
+func (cs *clientSuite) TestClientOpInstallUnaliased(c *check.C) {
+	cs.rsp = `{
+		"change": "66b3",
+		"status-code": 202,
+		"type": "async"
+	}`
+	bodyData := []byte("snap-data")
+
+	snap := filepath.Join(c.MkDir(), "foo.snap")
+	err := ioutil.WriteFile(snap, bodyData, 0644)
+	c.Assert(err, check.IsNil)
+
+	opts := client.SnapOptions{
+		Unaliased: true,
+	}
+
+	_, err = cs.cli.Install("foo", &opts)
+	c.Assert(err, check.IsNil)
+
+	body, err := ioutil.ReadAll(cs.req.Body)
+	c.Assert(err, check.IsNil)
+	jsonBody := make(map[string]interface{})
+	err = json.Unmarshal(body, &jsonBody)
+	c.Assert(err, check.IsNil, check.Commentf("body: %v", string(body)))
+	c.Check(jsonBody["unaliased"], check.Equals, true, check.Commentf("body: %v", string(body)))
+
+	_, err = cs.cli.InstallPath(snap, "", &opts)
+	c.Assert(err, check.IsNil)
+
+	body, err = ioutil.ReadAll(cs.req.Body)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(string(body), check.Matches, "(?s).*Content-Disposition: form-data; name=\"unaliased\"\r\n\r\ntrue\r\n.*")
+}
+
 func formToMap(c *check.C, mr *multipart.Reader) map[string]string {
 	formData := map[string]string{}
 	for {
diff -Nru snapd-2.32.3.2~14.04/client/snapshot.go snapd-2.37~rc1~14.04/client/snapshot.go
--- snapd-2.32.3.2~14.04/client/snapshot.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/snapshot.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,175 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package client
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/snapcore/snapd/snap"
+)
+
+var (
+	ErrSnapshotSetNotFound   = errors.New("no snapshot set with the given ID")
+	ErrSnapshotSnapsNotFound = errors.New("no snapshot for the requested snaps found in the set with the given ID")
+)
+
+// A snapshotAction is used to request an operation on a snapshot.
+type snapshotAction struct {
+	SetID  uint64   `json:"set"`
+	Action string   `json:"action"`
+	Snaps  []string `json:"snaps,omitempty"`
+	Users  []string `json:"users,omitempty"`
+}
+
+// A Snapshot is a collection of archives with a simple metadata json file
+// (and hashsums of everything).
+type Snapshot struct {
+	// SetID is the ID of the snapshot set (a snapshot set is the result of a "snap save" invocation)
+	SetID uint64 `json:"set"`
+	// the time this snapshot's data collection was started
+	Time time.Time `json:"time"`
+
+	// information about the snap this data is for
+	Snap     string        `json:"snap"`
+	Revision snap.Revision `json:"revision"`
+	SnapID   string        `json:"snap-id,omitempty"`
+	Epoch    snap.Epoch    `json:"epoch,omitempty"`
+	Summary  string        `json:"summary"`
+	Version  string        `json:"version"`
+
+	// the snap's configuration at snapshot time
+	Conf map[string]interface{} `json:"conf,omitempty"`
+
+	// the hash of the archives' data, keyed by archive path
+	// (either 'archive.tgz' for the system archive, or
+	// user/<username>.tgz for each user)
+	SHA3_384 map[string]string `json:"sha3-384"`
+	// the sum of the archive sizes
+	Size int64 `json:"size,omitempty"`
+	// if the snapshot failed to open this will be the reason why
+	Broken string `json:"broken,omitempty"`
+}
+
+// IsValid checks whether the snapshot is missing information that
+// should be there for a snapshot that's just been opened.
+func (sh *Snapshot) IsValid() bool {
+	return !(sh == nil || sh.SetID == 0 || sh.Snap == "" || sh.Revision.Unset() || len(sh.SHA3_384) == 0 || sh.Time.IsZero())
+}
+
+// A SnapshotSet is a set of snapshots created by a single "snap save".
+type SnapshotSet struct {
+	ID        uint64      `json:"id"`
+	Snapshots []*Snapshot `json:"snapshots"`
+}
+
+// Time returns the earliest time in the set.
+func (ss SnapshotSet) Time() time.Time {
+	if len(ss.Snapshots) == 0 {
+		return time.Time{}
+	}
+	mint := ss.Snapshots[0].Time
+	for _, sh := range ss.Snapshots {
+		if sh.Time.Before(mint) {
+			mint = sh.Time
+		}
+	}
+	return mint
+}
+
+// Size returns the sum of the set's sizes.
+func (ss SnapshotSet) Size() int64 {
+	var sum int64
+	for _, sh := range ss.Snapshots {
+		sum += sh.Size
+	}
+	return sum
+}
+
+// SnapshotSets lists the snapshot sets in the system that belong to the
+// given set (if non-zero) and are for the given snaps (if non-empty).
+func (client *Client) SnapshotSets(setID uint64, snapNames []string) ([]SnapshotSet, error) {
+	q := make(url.Values)
+	if setID > 0 {
+		q.Add("set", strconv.FormatUint(setID, 10))
+	}
+	if len(snapNames) > 0 {
+		q.Add("snaps", strings.Join(snapNames, ","))
+	}
+
+	var snapshotSets []SnapshotSet
+	_, err := client.doSync("GET", "/v2/snapshots", q, nil, nil, &snapshotSets)
+	return snapshotSets, err
+}
+
+// ForgetSnapshots permanently removes the snapshot set, limited to the
+// given snaps (if non-empty).
+func (client *Client) ForgetSnapshots(setID uint64, snaps []string) (changeID string, err error) {
+	return client.snapshotAction(&snapshotAction{
+		SetID:  setID,
+		Action: "forget",
+		Snaps:  snaps,
+	})
+}
+
+// CheckSnapshots verifies the archive checksums in the given snapshot set.
+//
+// If snaps or users are non-empty, limit to checking only those
+// archives of the snapshot.
+func (client *Client) CheckSnapshots(setID uint64, snaps []string, users []string) (changeID string, err error) {
+	return client.snapshotAction(&snapshotAction{
+		SetID:  setID,
+		Action: "check",
+		Snaps:  snaps,
+		Users:  users,
+	})
+}
+
+// RestoreSnapshots extracts the given snapshot set.
+//
+// If snaps or users are non-empty, limit to checking only those
+// archives of the snapshot.
+func (client *Client) RestoreSnapshots(setID uint64, snaps []string, users []string) (changeID string, err error) {
+	return client.snapshotAction(&snapshotAction{
+		SetID:  setID,
+		Action: "restore",
+		Snaps:  snaps,
+		Users:  users,
+	})
+}
+
+func (client *Client) snapshotAction(action *snapshotAction) (changeID string, err error) {
+	data, err := json.Marshal(action)
+	if err != nil {
+		return "", fmt.Errorf("cannot marshal snapshot action: %v", err)
+	}
+
+	headers := map[string]string{
+		"Content-Type": "application/json",
+	}
+
+	return client.doAsync("POST", "/v2/snapshots", nil, headers, bytes.NewBuffer(data))
+}
diff -Nru snapd-2.32.3.2~14.04/client/snapshot_test.go snapd-2.37~rc1~14.04/client/snapshot_test.go
--- snapd-2.32.3.2~14.04/client/snapshot_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/snapshot_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,138 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package client_test
+
+import (
+	"net/url"
+	"time"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/snap"
+)
+
+func (cs *clientSuite) TestClientSnapshotIsValid(c *check.C) {
+	now := time.Now()
+	revno := snap.R(1)
+	sums := map[string]string{"user/foo.tgz": "some long hash"}
+	c.Check((&client.Snapshot{
+		SetID:    42,
+		Time:     now,
+		Snap:     "asnap",
+		Revision: revno,
+		SHA3_384: sums,
+	}).IsValid(), check.Equals, true)
+
+	for desc, snapshot := range map[string]*client.Snapshot{
+		"nil":     nil,
+		"empty":   {},
+		"no id":   { /*SetID: 42,*/ Time: now, Snap: "asnap", Revision: revno, SHA3_384: sums},
+		"no time": {SetID: 42 /*Time: now,*/, Snap: "asnap", Revision: revno, SHA3_384: sums},
+		"no snap": {SetID: 42, Time: now /*Snap: "asnap",*/, Revision: revno, SHA3_384: sums},
+		"no rev":  {SetID: 42, Time: now, Snap: "asnap" /*Revision: revno,*/, SHA3_384: sums},
+		"no sums": {SetID: 42, Time: now, Snap: "asnap", Revision: revno /*SHA3_384: sums*/},
+	} {
+		c.Check(snapshot.IsValid(), check.Equals, false, check.Commentf("%s", desc))
+	}
+
+}
+
+func (cs *clientSuite) TestClientSnapshotSetTime(c *check.C) {
+	// if set is empty, it doesn't explode (and returns the zero time)
+	c.Check(client.SnapshotSet{}.Time().IsZero(), check.Equals, true)
+	// if not empty, returns the earliest one
+	c.Check(client.SnapshotSet{Snapshots: []*client.Snapshot{
+		{Time: time.Unix(3, 0)},
+		{Time: time.Unix(1, 0)},
+		{Time: time.Unix(2, 0)},
+	}}.Time(), check.DeepEquals, time.Unix(1, 0))
+}
+
+func (cs *clientSuite) TestClientSnapshotSetSize(c *check.C) {
+	// if set is empty, doesn't explode (and returns 0)
+	c.Check(client.SnapshotSet{}.Size(), check.Equals, int64(0))
+	// if not empty, returns the sum
+	c.Check(client.SnapshotSet{Snapshots: []*client.Snapshot{
+		{Size: 1},
+		{Size: 2},
+		{Size: 3},
+	}}.Size(), check.DeepEquals, int64(6))
+}
+
+func (cs *clientSuite) TestClientSnapshotSets(c *check.C) {
+	cs.rsp = `{
+		"type": "sync",
+		"result": [{"id": 1}, {"id":2}]
+}`
+	sets, err := cs.cli.SnapshotSets(42, []string{"foo", "bar"})
+	c.Assert(err, check.IsNil)
+	c.Check(sets, check.DeepEquals, []client.SnapshotSet{{ID: 1}, {ID: 2}})
+	c.Check(cs.req.Method, check.Equals, "GET")
+	c.Check(cs.req.URL.Path, check.Equals, "/v2/snapshots")
+	c.Check(cs.req.URL.Query(), check.DeepEquals, url.Values{
+		"set":   []string{"42"},
+		"snaps": []string{"foo,bar"},
+	})
+}
+
+func (cs *clientSuite) testClientSnapshotActionFull(c *check.C, action string, users []string, f func() (string, error)) {
+	cs.rsp = `{
+		"status-code": 202,
+		"type": "async",
+		"change": "1too3"
+	}`
+	id, err := f()
+	c.Assert(err, check.IsNil)
+	c.Check(id, check.Equals, "1too3")
+
+	c.Assert(cs.req.Header.Get("Content-Type"), check.Equals, "application/json")
+
+	act, err := client.UnmarshalSnapshotAction(cs.req.Body)
+	c.Assert(err, check.IsNil)
+	c.Check(act.SetID, check.Equals, uint64(42))
+	c.Check(act.Action, check.Equals, action)
+	c.Check(act.Snaps, check.DeepEquals, []string{"asnap", "bsnap"})
+	c.Check(act.Users, check.DeepEquals, users)
+
+	c.Check(cs.req.Method, check.Equals, "POST")
+	c.Check(cs.req.URL.Path, check.Equals, "/v2/snapshots")
+	c.Check(cs.req.URL.Query(), check.HasLen, 0)
+}
+
+func (cs *clientSuite) TestClientForgetSnapshot(c *check.C) {
+	cs.testClientSnapshotActionFull(c, "forget", nil, func() (string, error) {
+		return cs.cli.ForgetSnapshots(42, []string{"asnap", "bsnap"})
+	})
+}
+
+func (cs *clientSuite) testClientSnapshotAction(c *check.C, action string, f func(uint64, []string, []string) (string, error)) {
+	cs.testClientSnapshotActionFull(c, action, []string{"auser", "buser"}, func() (string, error) {
+		return f(42, []string{"asnap", "bsnap"}, []string{"auser", "buser"})
+	})
+}
+
+func (cs *clientSuite) TestClientCheckSnapshots(c *check.C) {
+	cs.testClientSnapshotAction(c, "check", cs.cli.CheckSnapshots)
+}
+
+func (cs *clientSuite) TestClientRestoreSnapshots(c *check.C) {
+	cs.testClientSnapshotAction(c, "restore", cs.cli.RestoreSnapshots)
+}
diff -Nru snapd-2.32.3.2~14.04/client/warnings.go snapd-2.37~rc1~14.04/client/warnings.go
--- snapd-2.32.3.2~14.04/client/warnings.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/warnings.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,89 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package client
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/url"
+	"time"
+)
+
+// A Warning is a short messages that's meant to alert about system events.
+// There'll only ever be one Warning with the same message, and it can be
+// silenced for a while before repeating. After a (supposedly longer) while
+// it'll go away on its own (unless it recurrs).
+type Warning struct {
+	Message     string        `json:"message"`
+	FirstAdded  time.Time     `json:"first-added"`
+	LastAdded   time.Time     `json:"last-added"`
+	LastShown   time.Time     `json:"last-shown,omitempty"`
+	ExpireAfter time.Duration `json:"expire-after,omitempty"`
+	RepeatAfter time.Duration `json:"repeat-after,omitempty"`
+}
+
+type jsonWarning struct {
+	Warning
+	ExpireAfter string `json:"expire-after,omitempty"`
+	RepeatAfter string `json:"repeat-after,omitempty"`
+}
+
+// WarningsOptions contains options for querying snapd for warnings
+// supported options:
+// - All: return all warnings, instead of only the un-okayed ones.
+type WarningsOptions struct {
+	All bool
+}
+
+// Warnings returns the list of un-okayed warnings.
+func (client *Client) Warnings(opts WarningsOptions) ([]*Warning, error) {
+	var jws []*jsonWarning
+	q := make(url.Values)
+	if opts.All {
+		q.Add("select", "all")
+	}
+	_, err := client.doSync("GET", "/v2/warnings", q, nil, nil, &jws)
+
+	ws := make([]*Warning, len(jws))
+	for i, jw := range jws {
+		ws[i] = &jw.Warning
+		ws[i].ExpireAfter, _ = time.ParseDuration(jw.ExpireAfter)
+		ws[i].RepeatAfter, _ = time.ParseDuration(jw.RepeatAfter)
+	}
+
+	return ws, err
+}
+
+type warningsAction struct {
+	Action    string    `json:"action"`
+	Timestamp time.Time `json:"timestamp"`
+}
+
+// Okay asks snapd to chill about the warnings that would have been returned by
+// Warnings at the given time.
+func (client *Client) Okay(t time.Time) error {
+	var body bytes.Buffer
+	var op = warningsAction{Action: "okay", Timestamp: t}
+	if err := json.NewEncoder(&body).Encode(op); err != nil {
+		return err
+	}
+	_, err := client.doSync("POST", "/v2/warnings", nil, nil, &body, nil)
+	return err
+}
diff -Nru snapd-2.32.3.2~14.04/client/warnings_test.go snapd-2.37~rc1~14.04/client/warnings_test.go
--- snapd-2.32.3.2~14.04/client/warnings_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/client/warnings_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,121 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package client_test
+
+import (
+	"encoding/json"
+	"time"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+)
+
+func (cs *clientSuite) testWarnings(c *check.C, all bool) {
+	t1 := time.Date(2018, 9, 19, 12, 41, 18, 505007495, time.UTC)
+	t2 := time.Date(2018, 9, 19, 12, 44, 19, 680362867, time.UTC)
+	cs.rsp = `{
+		"result": [
+		    {
+			"expire-after": "672h0m0s",
+			"first-added": "2018-09-19T12:41:18.505007495Z",
+			"last-added": "2018-09-19T12:41:18.505007495Z",
+			"message": "hello world number one",
+			"repeat-after": "24h0m0s"
+		    },
+		    {
+			"expire-after": "672h0m0s",
+			"first-added": "2018-09-19T12:44:19.680362867Z",
+			"last-added": "2018-09-19T12:44:19.680362867Z",
+			"message": "hello world number two",
+			"repeat-after": "24h0m0s"
+		    }
+		],
+		"status": "OK",
+		"status-code": 200,
+		"type": "sync",
+		"warning-count": 2,
+		"warning-timestamp": "2018-09-19T12:44:19.680362867Z"
+	}`
+
+	ws, err := cs.cli.Warnings(client.WarningsOptions{All: all})
+	c.Assert(err, check.IsNil)
+	c.Check(ws, check.DeepEquals, []*client.Warning{
+		{
+			Message:     "hello world number one",
+			FirstAdded:  t1,
+			LastAdded:   t1,
+			ExpireAfter: time.Hour * 24 * 28,
+			RepeatAfter: time.Hour * 24,
+		},
+		{
+			Message:     "hello world number two",
+			FirstAdded:  t2,
+			LastAdded:   t2,
+			ExpireAfter: time.Hour * 24 * 28,
+			RepeatAfter: time.Hour * 24,
+		},
+	})
+	c.Check(cs.req.Method, check.Equals, "GET")
+	c.Check(cs.req.URL.Path, check.Equals, "/v2/warnings")
+	query := cs.req.URL.Query()
+	if all {
+		c.Check(query, check.HasLen, 1)
+		c.Check(query.Get("select"), check.Equals, "all")
+	} else {
+		c.Check(query, check.HasLen, 0)
+	}
+
+	// this could be done at the end of any sync method
+	count, stamp := cs.cli.WarningsSummary()
+	c.Check(count, check.Equals, 2)
+	c.Check(stamp, check.Equals, t2)
+}
+
+func (cs *clientSuite) TestWarningsAll(c *check.C) {
+	cs.testWarnings(c, true)
+}
+
+func (cs *clientSuite) TestWarnings(c *check.C) {
+	cs.testWarnings(c, false)
+}
+
+func (cs *clientSuite) TestOkay(c *check.C) {
+	cs.rsp = `{
+		"type": "sync",
+		"status-code": 200,
+		"result": { }
+	}`
+	t0 := time.Now()
+	err := cs.cli.Okay(t0)
+	c.Assert(err, check.IsNil)
+	c.Check(cs.req.Method, check.Equals, "POST")
+	c.Check(cs.req.URL.Query(), check.HasLen, 0)
+	var body map[string]interface{}
+	c.Assert(json.NewDecoder(cs.req.Body).Decode(&body), check.IsNil)
+	c.Check(body, check.HasLen, 2)
+	c.Check(body["action"], check.Equals, "okay")
+	c.Check(body["timestamp"], check.Equals, t0.Format(time.RFC3339Nano))
+
+	// note there's no warnings summary in the response
+	count, stamp := cs.cli.WarningsSummary()
+	c.Check(count, check.Equals, 0)
+	c.Check(stamp, check.Equals, time.Time{})
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/appinfo.go snapd-2.37~rc1~14.04/cmd/appinfo.go
--- snapd-2.32.3.2~14.04/cmd/appinfo.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/appinfo.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,133 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package cmd
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/progress"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/systemd"
+)
+
+func ClientAppInfoNotes(app *client.AppInfo) string {
+	if !app.IsService() {
+		return "-"
+	}
+
+	var notes = make([]string, 0, 2)
+	var seenTimer, seenSocket bool
+	for _, act := range app.Activators {
+		switch act.Type {
+		case "timer":
+			seenTimer = true
+		case "socket":
+			seenSocket = true
+		}
+	}
+	if seenTimer {
+		notes = append(notes, "timer-activated")
+	}
+	if seenSocket {
+		notes = append(notes, "socket-activated")
+	}
+	if len(notes) == 0 {
+		return "-"
+	}
+	return strings.Join(notes, ",")
+}
+
+func ClientAppInfosFromSnapAppInfos(apps []*snap.AppInfo) ([]client.AppInfo, error) {
+	// TODO: pass in an actual notifier here instead of null
+	//       (Status doesn't _need_ it, but benefits from it)
+	sysd := systemd.New(dirs.GlobalRootDir, progress.Null)
+
+	out := make([]client.AppInfo, 0, len(apps))
+	for _, app := range apps {
+		appInfo := client.AppInfo{
+			Snap:     app.Snap.InstanceName(),
+			Name:     app.Name,
+			CommonID: app.CommonID,
+		}
+		if fn := app.DesktopFile(); osutil.FileExists(fn) {
+			appInfo.DesktopFile = fn
+		}
+
+		appInfo.Daemon = app.Daemon
+		if !app.IsService() || !app.Snap.IsActive() {
+			out = append(out, appInfo)
+			continue
+		}
+
+		// collect all services for a single call to systemctl
+		serviceNames := make([]string, 0, 1+len(app.Sockets)+1)
+		serviceNames = append(serviceNames, app.ServiceName())
+
+		sockSvcFileToName := make(map[string]string, len(app.Sockets))
+		for _, sock := range app.Sockets {
+			sockUnit := filepath.Base(sock.File())
+			sockSvcFileToName[sockUnit] = sock.Name
+			serviceNames = append(serviceNames, sockUnit)
+		}
+		if app.Timer != nil {
+			timerUnit := filepath.Base(app.Timer.File())
+			serviceNames = append(serviceNames, timerUnit)
+		}
+
+		// sysd.Status() makes sure that we get only the units we asked
+		// for and raises an error otherwise
+		sts, err := sysd.Status(serviceNames...)
+		if err != nil {
+			return nil, fmt.Errorf("cannot get status of services of app %q: %v", app.Name, err)
+		}
+		if len(sts) != len(serviceNames) {
+			return nil, fmt.Errorf("cannot get status of services of app %q: expected %v results, got %v", app.Name, len(serviceNames), len(sts))
+		}
+		for _, st := range sts {
+			switch filepath.Ext(st.UnitName) {
+			case ".service":
+				appInfo.Enabled = st.Enabled
+				appInfo.Active = st.Active
+			case ".timer":
+				appInfo.Activators = append(appInfo.Activators, client.AppActivator{
+					Name:    app.Name,
+					Enabled: st.Enabled,
+					Active:  st.Active,
+					Type:    "timer",
+				})
+			case ".socket":
+				appInfo.Activators = append(appInfo.Activators, client.AppActivator{
+					Name:    sockSvcFileToName[st.UnitName],
+					Enabled: st.Enabled,
+					Active:  st.Active,
+					Type:    "socket",
+				})
+			}
+		}
+		out = append(out, appInfo)
+	}
+
+	return out, nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/appinfo_test.go snapd-2.37~rc1~14.04/cmd/appinfo_test.go
--- snapd-2.32.3.2~14.04/cmd/appinfo_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/appinfo_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,71 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package cmd_test
+
+import (
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/cmd"
+)
+
+func (*cmdSuite) TestAppStatusNotes(c *check.C) {
+	ai := client.AppInfo{}
+	c.Check(cmd.ClientAppInfoNotes(&ai), check.Equals, "-")
+
+	ai = client.AppInfo{
+		Daemon: "oneshot",
+	}
+	c.Check(cmd.ClientAppInfoNotes(&ai), check.Equals, "-")
+
+	ai = client.AppInfo{
+		Daemon: "oneshot",
+		Activators: []client.AppActivator{
+			{Type: "timer"},
+		},
+	}
+	c.Check(cmd.ClientAppInfoNotes(&ai), check.Equals, "timer-activated")
+
+	ai = client.AppInfo{
+		Daemon: "oneshot",
+		Activators: []client.AppActivator{
+			{Type: "socket"},
+		},
+	}
+	c.Check(cmd.ClientAppInfoNotes(&ai), check.Equals, "socket-activated")
+
+	// check that the output is stable regardless of the order of activators
+	ai = client.AppInfo{
+		Daemon: "oneshot",
+		Activators: []client.AppActivator{
+			{Type: "timer"},
+			{Type: "socket"},
+		},
+	}
+	c.Check(cmd.ClientAppInfoNotes(&ai), check.Equals, "timer-activated,socket-activated")
+	ai = client.AppInfo{
+		Daemon: "oneshot",
+		Activators: []client.AppActivator{
+			{Type: "socket"},
+			{Type: "timer"},
+		},
+	}
+	c.Check(cmd.ClientAppInfoNotes(&ai), check.Equals, "timer-activated,socket-activated")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/autogen.sh snapd-2.37~rc1~14.04/cmd/autogen.sh
--- snapd-2.32.3.2~14.04/cmd/autogen.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/autogen.sh	2019-01-16 08:36:51.000000000 +0000
@@ -27,7 +27,7 @@
 . /etc/os-release
 case "$ID" in
 	arch)
-		extra_opts="--libexecdir=/usr/lib/snapd --with-snap-mount-dir=/var/lib/snapd/snap --disable-apparmor --enable-nvidia-biarch --enable-merged-usr"
+		extra_opts="--libexecdir=/usr/lib/snapd --with-snap-mount-dir=/var/lib/snapd/snap --enable-apparmor --enable-nvidia-biarch --enable-merged-usr"
 		;;
 	debian)
 		extra_opts="--libexecdir=/usr/lib/snapd"
@@ -41,8 +41,8 @@
 	fedora|centos|rhel)
 		extra_opts="--libexecdir=/usr/libexec/snapd --with-snap-mount-dir=/var/lib/snapd/snap --enable-merged-usr --disable-apparmor"
 		;;
-	opensuse)
-		extra_opts="--libexecdir=/usr/lib/snapd"
+	opensuse|opensuse-tumbleweed)
+		extra_opts="--libexecdir=/usr/lib/snapd --enable-nvidia-biarch --with-32bit-libdir=/usr/lib --enable-merged-usr"
 		;;
 	solus)
 		extra_opts="--enable-nvidia-biarch"
diff -Nru snapd-2.32.3.2~14.04/cmd/cmd.go snapd-2.37~rc1~14.04/cmd/cmd.go
--- snapd-2.32.3.2~14.04/cmd/cmd.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/cmd.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,205 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package cmd
-
-import (
-	"io/ioutil"
-	"log"
-	"os"
-	"path/filepath"
-	"regexp"
-	"strings"
-	"syscall"
-
-	"github.com/snapcore/snapd/dirs"
-	"github.com/snapcore/snapd/logger"
-	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/release"
-	"github.com/snapcore/snapd/strutil"
-)
-
-// The SNAP_REEXEC environment variable controls whether the command
-// will attempt to re-exec itself from inside an ubuntu-core snap
-// present on the system. If not present in the environ it's assumed
-// to be set to 1 (do re-exec); that is: set it to 0 to disable.
-const reExecKey = "SNAP_REEXEC"
-
-var (
-	// newCore is the place to look for the core snap; everything in this
-	// location will be new enough to re-exec into.
-	newCore = "/snap/core/current"
-
-	// oldCore is the previous location of the core snap. Only things
-	// newer than minOldRevno will be ok to re-exec into.
-	oldCore = "/snap/ubuntu-core/current"
-
-	// selfExe is the path to a symlink pointing to the current executable
-	selfExe = "/proc/self/exe"
-
-	syscallExec = syscall.Exec
-	osReadlink  = os.Readlink
-)
-
-// distroSupportsReExec returns true if the distribution we are running on can use re-exec.
-//
-// This is true by default except for a "core/all" snap system where it makes
-// no sense and in certain distributions that we don't want to enable re-exec
-// yet because of missing validation or other issues.
-func distroSupportsReExec() bool {
-	if !release.OnClassic {
-		return false
-	}
-	if !release.DistroLike("debian", "ubuntu") {
-		logger.Debugf("re-exec not supported on distro %q yet", release.ReleaseInfo.ID)
-		return false
-	}
-	return true
-}
-
-// coreSupportsReExec returns true if the given core snap should be used as re-exec target.
-//
-// Ensure we do not use older version of snapd, look for info file and ignore
-// version of core that do not yet have it.
-func coreSupportsReExec(corePath string) bool {
-	fullInfo := filepath.Join(corePath, filepath.Join(dirs.CoreLibExecDir, "info"))
-	if !osutil.FileExists(fullInfo) {
-		return false
-	}
-	content, err := ioutil.ReadFile(fullInfo)
-	if err != nil {
-		logger.Noticef("cannot read snapd info file %q: %s", fullInfo, err)
-		return false
-	}
-	ver := regexp.MustCompile("(?m)^VERSION=(.*)$").FindStringSubmatch(string(content))
-	if len(ver) != 2 {
-		logger.Noticef("cannot find snapd version information in %q", content)
-		return false
-	}
-	// > 0 means our Version is bigger than the version of snapd in core
-	res, err := strutil.VersionCompare(Version, ver[1])
-	if err != nil {
-		logger.Debugf("cannot version compare %q and %q: %s", Version, ver[1], res)
-		return false
-	}
-	if res > 0 {
-		logger.Debugf("core snap (at %q) is older (%q) than distribution package (%q)", corePath, ver[1], Version)
-		return false
-	}
-	return true
-}
-
-// InternalToolPath returns the path of an internal snapd tool. The tool
-// *must* be located inside /usr/lib/snapd/.
-//
-// The return value is either the path of the tool in the current distribution
-// or in the core snap (or the ubuntu-core snap). This handles spiritual
-// "re-exec" where we run the tool from the core snap if the environment allows
-// us to do so.
-func InternalToolPath(tool string) string {
-	distroTool := filepath.Join(dirs.DistroLibExecDir, tool)
-
-	// find the internal path relative to the running snapd, this
-	// ensure we don't rely on the state of the system (like
-	// having a valid "current" symlink).
-	exe, err := osReadlink("/proc/self/exe")
-	if err != nil {
-		logger.Noticef("cannot read /proc/self/exe: %v, using tool outside core", err)
-		return distroTool
-	}
-
-	// ensure we never use this helper from anything but
-	if !strings.HasSuffix(exe, "/snapd") && !strings.HasSuffix(exe, ".test") {
-		log.Panicf("InternalToolPath can only be used from snapd, got: %s", exe)
-	}
-
-	if !strings.HasPrefix(exe, dirs.SnapMountDir) {
-		logger.Debugf("exe doesn't have snap mount dir prefix: %q vs %q", exe, dirs.SnapMountDir)
-		return distroTool
-	}
-
-	// if we are re-execed, then the tool is at the same location
-	// as snapd
-	return filepath.Join(filepath.Dir(exe), tool)
-}
-
-// mustUnsetenv will unset the given environment key or panic if it
-// cannot do that
-func mustUnsetenv(key string) {
-	if err := os.Unsetenv(key); err != nil {
-		log.Panicf("cannot unset %s: %s", key, err)
-	}
-}
-
-// ExecInCoreSnap makes sure you're executing the binary that ships in
-// the core snap.
-func ExecInCoreSnap() {
-	// Which executable are we?
-	exe, err := os.Readlink(selfExe)
-	if err != nil {
-		logger.Noticef("cannot read /proc/self/exe: %v", err)
-		return
-	}
-
-	// Special case for snapd re-execing from 2.21. In this
-	// version of snap/snapd we did set SNAP_REEXEC=0 when we
-	// re-execed. In this case we need to unset the reExecKey to
-	// ensure that subsequent run of snap/snapd (e.g. when using
-	// classic confinement) will *not* prevented from re-execing.
-	if strings.HasPrefix(exe, dirs.SnapMountDir) && !osutil.GetenvBool(reExecKey, true) {
-		mustUnsetenv(reExecKey)
-		return
-	}
-
-	// If we are asked not to re-execute use distribution packages. This is
-	// "spiritual" re-exec so use the same environment variable to decide.
-	if !osutil.GetenvBool(reExecKey, true) {
-		logger.Debugf("re-exec disabled by user")
-		return
-	}
-
-	// Did we already re-exec?
-	if strings.HasPrefix(exe, dirs.SnapMountDir) {
-		return
-	}
-
-	// If the distribution doesn't support re-exec or run-from-core then don't do it.
-	if !distroSupportsReExec() {
-		return
-	}
-
-	// Is this executable in the core snap too?
-	corePath := newCore
-	full := filepath.Join(newCore, exe)
-	if !osutil.FileExists(full) {
-		corePath = oldCore
-		full = filepath.Join(oldCore, exe)
-		if !osutil.FileExists(full) {
-			return
-		}
-	}
-
-	// If the core snap doesn't support re-exec or run-from-core then don't do it.
-	if !coreSupportsReExec(corePath) {
-		return
-	}
-
-	logger.Debugf("restarting into %q", full)
-	panic(syscallExec(full, os.Args, os.Environ()))
-}
diff -Nru snapd-2.32.3.2~14.04/cmd/cmd_linux.go snapd-2.37~rc1~14.04/cmd/cmd_linux.go
--- snapd-2.32.3.2~14.04/cmd/cmd_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/cmd_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,214 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package cmd
+
+import (
+	"bytes"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/strutil"
+)
+
+// The SNAP_REEXEC environment variable controls whether the command
+// will attempt to re-exec itself from inside an ubuntu-core snap
+// present on the system. If not present in the environ it's assumed
+// to be set to 1 (do re-exec); that is: set it to 0 to disable.
+const reExecKey = "SNAP_REEXEC"
+
+var (
+	// snapdSnap is the place to look for the snapd snap; we will re-exec
+	// here
+	snapdSnap = "/snap/snapd/current"
+
+	// coreSnap is the place to look for the core snap; we will re-exec
+	// here if there is no snapd snap
+	coreSnap = "/snap/core/current"
+
+	// selfExe is the path to a symlink pointing to the current executable
+	selfExe = "/proc/self/exe"
+
+	syscallExec = syscall.Exec
+	osReadlink  = os.Readlink
+)
+
+// distroSupportsReExec returns true if the distribution we are running on can use re-exec.
+//
+// This is true by default except for a "core/all" snap system where it makes
+// no sense and in certain distributions that we don't want to enable re-exec
+// yet because of missing validation or other issues.
+func distroSupportsReExec() bool {
+	if !release.OnClassic {
+		return false
+	}
+	if !release.DistroLike("debian", "ubuntu") {
+		logger.Debugf("re-exec not supported on distro %q yet", release.ReleaseInfo.ID)
+		return false
+	}
+	return true
+}
+
+// coreSupportsReExec returns true if the given core snap should be used as re-exec target.
+//
+// Ensure we do not use older version of snapd, look for info file and ignore
+// version of core that do not yet have it.
+func coreSupportsReExec(corePath string) bool {
+	fullInfo := filepath.Join(corePath, filepath.Join(dirs.CoreLibExecDir, "info"))
+	content, err := ioutil.ReadFile(fullInfo)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			logger.Noticef("cannot open snapd info file %q: %s", fullInfo, err)
+		}
+		return false
+	}
+
+	if !bytes.HasPrefix(content, []byte("VERSION=")) {
+		idx := bytes.Index(content, []byte("\nVERSION="))
+		if idx < 0 {
+			logger.Noticef("cannot find snapd version information in %q", content)
+			return false
+		}
+		content = content[idx+1:]
+	}
+	content = content[8:]
+	idx := bytes.IndexByte(content, '\n')
+	if idx > -1 {
+		content = content[:idx]
+	}
+	ver := string(content)
+	// > 0 means our Version is bigger than the version of snapd in core
+	res, err := strutil.VersionCompare(Version, ver)
+	if err != nil {
+		logger.Debugf("cannot version compare %q and %q: %v", Version, ver, err)
+		return false
+	}
+	if res > 0 {
+		logger.Debugf("core snap (at %q) is older (%q) than distribution package (%q)", corePath, ver, Version)
+		return false
+	}
+	return true
+}
+
+// InternalToolPath returns the path of an internal snapd tool. The tool
+// *must* be located inside /usr/lib/snapd/.
+//
+// The return value is either the path of the tool in the current distribution
+// or in the core snap (or the ubuntu-core snap). This handles spiritual
+// "re-exec" where we run the tool from the core snap if the environment allows
+// us to do so.
+func InternalToolPath(tool string) string {
+	distroTool := filepath.Join(dirs.DistroLibExecDir, tool)
+
+	// find the internal path relative to the running snapd, this
+	// ensure we don't rely on the state of the system (like
+	// having a valid "current" symlink).
+	exe, err := osReadlink("/proc/self/exe")
+	if err != nil {
+		logger.Noticef("cannot read /proc/self/exe: %v, using tool outside core", err)
+		return distroTool
+	}
+
+	// ensure we never use this helper from anything but
+	if !strings.HasSuffix(exe, "/snapd") && !strings.HasSuffix(exe, ".test") {
+		log.Panicf("InternalToolPath can only be used from snapd, got: %s", exe)
+	}
+
+	if !strings.HasPrefix(exe, dirs.SnapMountDir) {
+		logger.Debugf("exe doesn't have snap mount dir prefix: %q vs %q", exe, dirs.SnapMountDir)
+		return distroTool
+	}
+
+	// if we are re-execed, then the tool is at the same location
+	// as snapd
+	return filepath.Join(filepath.Dir(exe), tool)
+}
+
+// mustUnsetenv will unset the given environment key or panic if it
+// cannot do that
+func mustUnsetenv(key string) {
+	if err := os.Unsetenv(key); err != nil {
+		log.Panicf("cannot unset %s: %s", key, err)
+	}
+}
+
+// ExecInSnapdOrCoreSnap makes sure you're executing the binary that ships in
+// the snapd/core snap.
+func ExecInSnapdOrCoreSnap() {
+	// Which executable are we?
+	exe, err := os.Readlink(selfExe)
+	if err != nil {
+		logger.Noticef("cannot read /proc/self/exe: %v", err)
+		return
+	}
+
+	// Special case for snapd re-execing from 2.21. In this
+	// version of snap/snapd we did set SNAP_REEXEC=0 when we
+	// re-execed. In this case we need to unset the reExecKey to
+	// ensure that subsequent run of snap/snapd (e.g. when using
+	// classic confinement) will *not* prevented from re-execing.
+	if strings.HasPrefix(exe, dirs.SnapMountDir) && !osutil.GetenvBool(reExecKey, true) {
+		mustUnsetenv(reExecKey)
+		return
+	}
+
+	// If we are asked not to re-execute use distribution packages. This is
+	// "spiritual" re-exec so use the same environment variable to decide.
+	if !osutil.GetenvBool(reExecKey, true) {
+		logger.Debugf("re-exec disabled by user")
+		return
+	}
+
+	// Did we already re-exec?
+	if strings.HasPrefix(exe, dirs.SnapMountDir) {
+		return
+	}
+
+	// If the distribution doesn't support re-exec or run-from-core then don't do it.
+	if !distroSupportsReExec() {
+		return
+	}
+
+	// Is this executable in the core snap too?
+	corePath := snapdSnap
+	full := filepath.Join(snapdSnap, exe)
+	if !osutil.FileExists(full) {
+		corePath = coreSnap
+		full = filepath.Join(coreSnap, exe)
+		if !osutil.FileExists(full) {
+			return
+		}
+	}
+
+	// If the core snap doesn't support re-exec or run-from-core then don't do it.
+	if !coreSupportsReExec(corePath) {
+		return
+	}
+
+	logger.Debugf("restarting into %q", full)
+	panic(syscallExec(full, os.Args, os.Environ()))
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/cmd_linux_test.go snapd-2.37~rc1~14.04/cmd/cmd_linux_test.go
--- snapd-2.32.3.2~14.04/cmd/cmd_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/cmd_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,117 @@
+package cmd
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/snapcore/snapd/dirs"
+)
+
+const dataOK = `one line
+another line
+yadda yadda
+VERSION=42
+potatoes
+`
+
+const dataNOK = `a line
+another
+this is a very long line
+that wasn't long what are you talking about long lines are like, so long you need to add things like commas to them for them to even make sense
+a short one
+and another
+what is this
+why
+no
+stop
+`
+
+const dataHuge = `Lorem ipsum dolor sit amet, consectetur adipiscing elit.
+Quisque euismod ac elit ac auctor.
+Proin malesuada diam ac tellus maximus aliquam.
+Aenean tincidunt mi et tortor bibendum fringilla.
+Phasellus finibus, urna id convallis vestibulum, metus metus venenatis massa, et efficitur nisi elit in massa.
+Mauris at nisl leo.
+Nulla ullamcorper risus venenatis massa venenatis, ac finibus lacus aliquam.
+Nunc tempor convallis cursus.
+Maecenas id rhoncus orci, eget pretium eros.
+
+Donec et consectetur lacus.
+Nam nec mattis elit, id sollicitudin magna.
+Aenean sit amet diam vitae tellus finibus tristique.
+Duis et pharetra tortor, id pharetra erat.
+Suspendisse commodo venenatis blandit.
+Morbi tellus est, iaculis et tincidunt nec, semper ut ipsum.
+Mauris quis condimentum risus.
+Lorem ipsum dolor sit amet, consectetur adipiscing elit.
+Mauris gravida turpis ut urna laoreet, sit amet tempor odio porttitor.
+
+Aliquam nibh libero, venenatis ac vehicula at, blandit id odio.
+Etiam malesuada consectetur porta.
+Fusce consectetur ligula et metus interdum sollicitudin.
+Pellentesque odio neque, pharetra et gravida non, vestibulum nec lorem.
+Sed condimentum velit ex, sit amet viverra lectus aliquet quis.
+Aliquam tincidunt eu elit at condimentum.
+Donec feugiat urna tortor, pellentesque tincidunt quam congue eu.
+
+Phasellus vel libero molestie, semper erat at, suscipit nisi.
+Nullam euismod neque ut turpis molestie, eu fringilla elit volutpat.
+Phasellus maximus, urna eget porta congue, diam enim volutpat diam, nec ultrices lorem risus ac metus.
+Vivamus convallis eros non nunc pretium bibendum.
+Maecenas consectetur metus metus.
+Morbi scelerisque urna at arcu tristique feugiat.
+Vestibulum condimentum odio sed tortor vulputate, eget hendrerit mi consequat.
+Integer egestas finibus augue, ac scelerisque ex pretium aliquam.
+Aliquam erat volutpat.
+Suspendisse a nulla ultrices, porttitor tellus ut, bibendum diam.
+In nibh dui, tempus eget vestibulum in, euismod in ex.
+In tempus felis lectus.
+
+Maecenas suscipit turpis eget velit molestie, quis luctus nibh placerat.
+Nulla semper eleifend nisi ut dignissim.
+Donec eu massa maximus, blandit massa ac, lobortis risus.
+Donec id condimentum libero, vel fringilla diam.
+Praesent ultrices, ante congue sollicitudin sagittis, orci ex maximus ipsum, at convallis nunc nisl nec lorem.
+Duis iaculis finibus fermentum.
+Curabitur quis pharetra metus.
+Donec nisl ipsum, faucibus vitae odio sed, mattis feugiat nisl.
+Pellentesque nec justo in magna volutpat accumsan.
+Pellentesque porttitor justo non velit porta rhoncus.
+Nulla ut lectus quis lectus rutrum dignissim.
+Pellentesque posuere sagittis felis, quis varius purus pharetra eu.
+Nam blandit diam ullamcorper, auctor massa at, aliquet dui.
+Aliquam erat volutpat.
+Nullam sit amet augue nec diam sollicitudin ullamcorper a vitae neque.
+VERSION=42
+`
+
+func benchmarkCSRE(b *testing.B, data string) {
+	tempdir, err := ioutil.TempDir("", "")
+	if err != nil {
+		b.Fatalf("tempdir: %v", err)
+	}
+	defer os.RemoveAll(tempdir)
+	if err = os.MkdirAll(filepath.Join(tempdir, dirs.CoreLibExecDir), 0755); err != nil {
+		b.Fatalf("mkdirall: %v", err)
+	}
+
+	if err = ioutil.WriteFile(filepath.Join(tempdir, dirs.CoreLibExecDir, "info"), []byte(data), 0600); err != nil {
+		b.Fatalf("%v", err)
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		coreSupportsReExec(tempdir)
+	}
+}
+
+func BenchmarkCSRE_fakeOK(b *testing.B)   { benchmarkCSRE(b, dataOK) }
+func BenchmarkCSRE_fakeNOK(b *testing.B)  { benchmarkCSRE(b, dataNOK) }
+func BenchmarkCSRE_fakeHuge(b *testing.B) { benchmarkCSRE(b, dataHuge) }
+
+func BenchmarkCSRE_real(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		coreSupportsReExec("/snap/core/current")
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/cmd_other.go snapd-2.37~rc1~14.04/cmd/cmd_other.go
--- snapd-2.32.3.2~14.04/cmd/cmd_other.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/cmd_other.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,28 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+// +build !linux
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package cmd
+
+// ExecInSnapdOrCoreSnap makes sure you're executing the binary that ships in
+// the snapd/core snap.
+// On this OS this is a stub.
+func ExecInSnapdOrCoreSnap() {
+	return
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/cmd_test.go snapd-2.37~rc1~14.04/cmd/cmd_test.go
--- snapd-2.32.3.2~14.04/cmd/cmd_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/cmd_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -44,8 +44,8 @@
 	lastExecArgv  []string
 	lastExecEnvv  []string
 	fakeroot      string
-	newCore       string
-	oldCore       string
+	snapdPath     string
+	corePath      string
 }
 
 var _ = Suite(&cmdSuite{})
@@ -59,8 +59,8 @@
 	s.lastExecEnvv = nil
 	s.fakeroot = c.MkDir()
 	dirs.SetRootDir(s.fakeroot)
-	s.newCore = filepath.Join(dirs.SnapMountDir, "/core/42")
-	s.oldCore = filepath.Join(dirs.SnapMountDir, "/ubuntu-core/21")
+	s.snapdPath = filepath.Join(dirs.SnapMountDir, "/snapd/42")
+	s.corePath = filepath.Join(dirs.SnapMountDir, "/core/21")
 	c.Assert(os.MkdirAll(filepath.Join(s.fakeroot, "proc/self"), 0755), IsNil)
 }
 
@@ -95,7 +95,7 @@
 	restore := []func(){
 		release.MockOnClassic(true),
 		release.MockReleaseInfo(&release.OS{ID: "ubuntu"}),
-		cmd.MockCorePaths(s.oldCore, s.newCore),
+		cmd.MockCoreSnapdPaths(s.corePath, s.snapdPath),
 		cmd.MockVersion("2"),
 	}
 
@@ -148,7 +148,7 @@
 	// no distro supports re-exec when not on classic :-)
 	for _, id := range []string{
 		"fedora", "centos", "rhel", "opensuse", "suse", "poky",
-		"debian", "ubuntu", "arch",
+		"debian", "ubuntu", "arch", "archlinux",
 	} {
 		restore = release.MockReleaseInfo(&release.OS{ID: id})
 		defer restore()
@@ -163,41 +163,41 @@
 
 func (s *cmdSuite) TestCoreSupportsReExecBadInfo(c *C) {
 	// can't read snapd/info if it's a directory
-	p := s.newCore + "/usr/lib/snapd/info"
+	p := s.snapdPath + "/usr/lib/snapd/info"
 	c.Assert(os.MkdirAll(p, 0755), IsNil)
 
-	c.Check(cmd.CoreSupportsReExec(s.newCore), Equals, false)
+	c.Check(cmd.CoreSupportsReExec(s.snapdPath), Equals, false)
 }
 
 func (s *cmdSuite) TestCoreSupportsReExecBadInfoContent(c *C) {
 	// can't understand snapd/info if all it holds are potatoes
-	p := s.newCore + "/usr/lib/snapd"
+	p := s.snapdPath + "/usr/lib/snapd"
 	c.Assert(os.MkdirAll(p, 0755), IsNil)
 	c.Assert(ioutil.WriteFile(p+"/info", []byte("potatoes"), 0644), IsNil)
 
-	c.Check(cmd.CoreSupportsReExec(s.newCore), Equals, false)
+	c.Check(cmd.CoreSupportsReExec(s.snapdPath), Equals, false)
 }
 
 func (s *cmdSuite) TestCoreSupportsReExecBadVersion(c *C) {
 	// can't understand snapd/info if all its version is gibberish
-	s.fakeCoreVersion(c, s.newCore, "0:")
+	s.fakeCoreVersion(c, s.snapdPath, "0:")
 
-	c.Check(cmd.CoreSupportsReExec(s.newCore), Equals, false)
+	c.Check(cmd.CoreSupportsReExec(s.snapdPath), Equals, false)
 }
 
 func (s *cmdSuite) TestCoreSupportsReExecOldVersion(c *C) {
 	// can't re-exec if core version is too old
 	defer cmd.MockVersion("2")()
-	s.fakeCoreVersion(c, s.newCore, "0")
+	s.fakeCoreVersion(c, s.snapdPath, "0")
 
-	c.Check(cmd.CoreSupportsReExec(s.newCore), Equals, false)
+	c.Check(cmd.CoreSupportsReExec(s.snapdPath), Equals, false)
 }
 
 func (s *cmdSuite) TestCoreSupportsReExec(c *C) {
 	defer cmd.MockVersion("2")()
-	s.fakeCoreVersion(c, s.newCore, "9999")
+	s.fakeCoreVersion(c, s.snapdPath, "9999")
 
-	c.Check(cmd.CoreSupportsReExec(s.newCore), Equals, true)
+	c.Check(cmd.CoreSupportsReExec(s.snapdPath), Equals, true)
 }
 
 func (s *cmdSuite) TestInternalToolPathNoReexec(c *C) {
@@ -210,13 +210,13 @@
 }
 
 func (s *cmdSuite) TestInternalToolPathWithReexec(c *C) {
-	s.fakeInternalTool(c, s.newCore, "potato")
+	s.fakeInternalTool(c, s.snapdPath, "potato")
 	restore := cmd.MockOsReadlink(func(string) (string, error) {
-		return filepath.Join(s.newCore, "/usr/lib/snapd/snapd"), nil
+		return filepath.Join(s.snapdPath, "/usr/lib/snapd/snapd"), nil
 	})
 	defer restore()
 
-	c.Check(cmd.InternalToolPath("potato"), Equals, filepath.Join(dirs.SnapMountDir, "core/42/usr/lib/snapd/potato"))
+	c.Check(cmd.InternalToolPath("potato"), Equals, filepath.Join(dirs.SnapMountDir, "snapd/42/usr/lib/snapd/potato"))
 }
 
 func (s *cmdSuite) TestInternalToolPathFromIncorrectHelper(c *C) {
@@ -228,80 +228,80 @@
 	c.Check(func() { cmd.InternalToolPath("potato") }, PanicMatches, "InternalToolPath can only be used from snapd, got: /usr/bin/potato")
 }
 
-func (s *cmdSuite) TestExecInCoreSnap(c *C) {
-	defer s.mockReExecFor(c, s.newCore, "potato")()
+func (s *cmdSuite) TestExecInSnapdOrCoreSnap(c *C) {
+	defer s.mockReExecFor(c, s.snapdPath, "potato")()
 
-	c.Check(cmd.ExecInCoreSnap, PanicMatches, `>exec of "[^"]+/potato" in tests<`)
+	c.Check(cmd.ExecInSnapdOrCoreSnap, PanicMatches, `>exec of "[^"]+/potato" in tests<`)
 	c.Check(s.execCalled, Equals, 1)
-	c.Check(s.lastExecArgv0, Equals, filepath.Join(s.newCore, "/usr/lib/snapd/potato"))
+	c.Check(s.lastExecArgv0, Equals, filepath.Join(s.snapdPath, "/usr/lib/snapd/potato"))
 	c.Check(s.lastExecArgv, DeepEquals, os.Args)
 }
 
 func (s *cmdSuite) TestExecInOldCoreSnap(c *C) {
-	defer s.mockReExecFor(c, s.oldCore, "potato")()
+	defer s.mockReExecFor(c, s.corePath, "potato")()
 
-	c.Check(cmd.ExecInCoreSnap, PanicMatches, `>exec of "[^"]+/potato" in tests<`)
+	c.Check(cmd.ExecInSnapdOrCoreSnap, PanicMatches, `>exec of "[^"]+/potato" in tests<`)
 	c.Check(s.execCalled, Equals, 1)
-	c.Check(s.lastExecArgv0, Equals, filepath.Join(s.oldCore, "/usr/lib/snapd/potato"))
+	c.Check(s.lastExecArgv0, Equals, filepath.Join(s.corePath, "/usr/lib/snapd/potato"))
 	c.Check(s.lastExecArgv, DeepEquals, os.Args)
 }
 
-func (s *cmdSuite) TestExecInCoreSnapBailsNoCoreSupport(c *C) {
-	defer s.mockReExecFor(c, s.newCore, "potato")()
+func (s *cmdSuite) TestExecInSnapdOrCoreSnapBailsNoCoreSupport(c *C) {
+	defer s.mockReExecFor(c, s.snapdPath, "potato")()
 
 	// no "info" -> no core support:
-	c.Assert(os.Remove(filepath.Join(s.newCore, "/usr/lib/snapd/info")), IsNil)
+	c.Assert(os.Remove(filepath.Join(s.snapdPath, "/usr/lib/snapd/info")), IsNil)
 
-	cmd.ExecInCoreSnap()
+	cmd.ExecInSnapdOrCoreSnap()
 	c.Check(s.execCalled, Equals, 0)
 }
 
-func (s *cmdSuite) TestExecInCoreSnapMissingExe(c *C) {
-	defer s.mockReExecFor(c, s.newCore, "potato")()
+func (s *cmdSuite) TestExecInSnapdOrCoreSnapMissingExe(c *C) {
+	defer s.mockReExecFor(c, s.snapdPath, "potato")()
 
 	// missing exe:
-	c.Assert(os.Remove(filepath.Join(s.newCore, "/usr/lib/snapd/potato")), IsNil)
+	c.Assert(os.Remove(filepath.Join(s.snapdPath, "/usr/lib/snapd/potato")), IsNil)
 
-	cmd.ExecInCoreSnap()
+	cmd.ExecInSnapdOrCoreSnap()
 	c.Check(s.execCalled, Equals, 0)
 }
 
-func (s *cmdSuite) TestExecInCoreSnapBadSelfExe(c *C) {
-	defer s.mockReExecFor(c, s.newCore, "potato")()
+func (s *cmdSuite) TestExecInSnapdOrCoreSnapBadSelfExe(c *C) {
+	defer s.mockReExecFor(c, s.snapdPath, "potato")()
 
 	// missing self/exe:
 	c.Assert(os.Remove(filepath.Join(s.fakeroot, "proc/self/exe")), IsNil)
 
-	cmd.ExecInCoreSnap()
+	cmd.ExecInSnapdOrCoreSnap()
 	c.Check(s.execCalled, Equals, 0)
 }
 
-func (s *cmdSuite) TestExecInCoreSnapBailsNoDistroSupport(c *C) {
-	defer s.mockReExecFor(c, s.newCore, "potato")()
+func (s *cmdSuite) TestExecInSnapdOrCoreSnapBailsNoDistroSupport(c *C) {
+	defer s.mockReExecFor(c, s.snapdPath, "potato")()
 
 	// no distro support:
 	defer release.MockOnClassic(false)()
 
-	cmd.ExecInCoreSnap()
+	cmd.ExecInSnapdOrCoreSnap()
 	c.Check(s.execCalled, Equals, 0)
 }
 
-func (s *cmdSuite) TestExecInCoreSnapNoDouble(c *C) {
+func (s *cmdSuite) TestExecInSnapdOrCoreSnapNoDouble(c *C) {
 	selfExe := filepath.Join(s.fakeroot, "proc/self/exe")
 	err := os.Symlink(filepath.Join(s.fakeroot, "/snap/core/42/usr/lib/snapd"), selfExe)
 	c.Assert(err, IsNil)
 	cmd.MockSelfExe(selfExe)
 
-	cmd.ExecInCoreSnap()
+	cmd.ExecInSnapdOrCoreSnap()
 	c.Check(s.execCalled, Equals, 0)
 }
 
-func (s *cmdSuite) TestExecInCoreSnapDisabled(c *C) {
-	defer s.mockReExecFor(c, s.newCore, "potato")()
+func (s *cmdSuite) TestExecInSnapdOrCoreSnapDisabled(c *C) {
+	defer s.mockReExecFor(c, s.snapdPath, "potato")()
 
 	os.Setenv("SNAP_REEXEC", "0")
 	defer os.Unsetenv("SNAP_REEXEC")
 
-	cmd.ExecInCoreSnap()
+	cmd.ExecInSnapdOrCoreSnap()
 	c.Check(s.execCalled, Equals, 0)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/configure.ac snapd-2.37~rc1~14.04/cmd/configure.ac
--- snapd-2.32.3.2~14.04/cmd/configure.ac	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/configure.ac	2019-01-16 08:36:51.000000000 +0000
@@ -228,5 +228,13 @@
 AC_SUBST(HOST_ARCH32_TRIPLET)
 AC_DEFINE_UNQUOTED([HOST_ARCH32_TRIPLET], "${HOST_ARCH32_TRIPLET}", [Arch triplet for 32bit libraries])
 
+SYSTEMD_SYSTEM_GENERATOR_DIR="$($PKG_CONFIG --variable=systemdsystemgeneratordir systemd)"
+AS_IF([test "x$SYSTEMD_SYSTEM_GENERATOR_DIR" = "x"], [SYSTEMD_SYSTEM_GENERATOR_DIR=/lib/systemd/system-generators])
+AC_SUBST(SYSTEMD_SYSTEM_GENERATOR_DIR)
+
+# FIXME: get this via something like pkgconf once it is defined there
+SYSTEMD_SYSTEM_ENV_GENERATOR_DIR="${prefix}/lib/systemd/system-environment-generators"
+AC_SUBST(SYSTEMD_SYSTEM_ENV_GENERATOR_DIR)
+
 AC_CONFIG_FILES([Makefile])
 AC_OUTPUT
diff -Nru snapd-2.32.3.2~14.04/cmd/export_test.go snapd-2.37~rc1~14.04/cmd/export_test.go
--- snapd-2.32.3.2~14.04/cmd/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,14 +24,14 @@
 	CoreSupportsReExec   = coreSupportsReExec
 )
 
-func MockCorePaths(newOldCore, newNewCore string) func() {
-	oldOldCore := oldCore
-	oldNewCore := newCore
-	newCore = newNewCore
-	oldCore = newOldCore
+func MockCoreSnapdPaths(newCoreSnap, newSnapdSnap string) func() {
+	oldOldCore := coreSnap
+	oldNewCore := snapdSnap
+	snapdSnap = newSnapdSnap
+	coreSnap = newCoreSnap
 	return func() {
-		newCore = oldNewCore
-		oldCore = oldOldCore
+		snapdSnap = oldNewCore
+		coreSnap = oldOldCore
 	}
 }
 
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/apparmor-support.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/apparmor-support.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/apparmor-support.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/apparmor-support.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "apparmor-support.h"
+
+#include <string.h>
+#include <errno.h>
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif				// ifdef HAVE_APPARMOR
+
+#include "../libsnap-confine-private/cleanup-funcs.h"
+#include "../libsnap-confine-private/utils.h"
+
+// NOTE: Those constants map exactly what apparmor is returning and cannot be
+// changed without breaking apparmor functionality.
+#define SC_AA_ENFORCE_STR "enforce"
+#define SC_AA_COMPLAIN_STR "complain"
+#define SC_AA_MIXED_STR "mixed"
+#define SC_AA_UNCONFINED_STR "unconfined"
+
+void sc_init_apparmor_support(struct sc_apparmor *apparmor)
+{
+#ifdef HAVE_APPARMOR
+	// Use aa_is_enabled() to see if apparmor is available in the kernel and
+	// enabled at boot time. If it isn't log a diagnostic message and assume
+	// we're not confined.
+	if (aa_is_enabled() != true) {
+		switch (errno) {
+		case ENOSYS:
+			debug
+			    ("apparmor extensions to the system are not available");
+			break;
+		case ECANCELED:
+			debug
+			    ("apparmor is available on the system but has been disabled at boot");
+			break;
+		case ENOENT:
+			debug
+			    ("apparmor is available but the interface but the interface is not available");
+			break;
+		case EPERM:
+			// NOTE: fall-through
+		case EACCES:
+			debug
+			    ("insufficient permissions to determine if apparmor is enabled");
+			break;
+		default:
+			debug("apparmor is not enabled: %s", strerror(errno));
+			break;
+		}
+		apparmor->is_confined = false;
+		apparmor->mode = SC_AA_NOT_APPLICABLE;
+		return;
+	}
+	// Use aa_getcon() to check the label of the current process and
+	// confinement type. Note that the returned label must be released with
+	// free() but the mode is a constant string that must not be freed.
+	char *label SC_CLEANUP(sc_cleanup_string) = NULL;
+	char *mode = NULL;
+	if (aa_getcon(&label, &mode) < 0) {
+		die("cannot query current apparmor profile");
+	}
+	debug("apparmor label on snap-confine is: %s", label);
+	debug("apparmor mode is: %s", mode);
+	// The label has a special value "unconfined" that is applied to all
+	// processes without a dedicated profile. If that label is used then the
+	// current process is not confined. All other labels imply confinement.
+	if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) == 0) {
+		apparmor->is_confined = false;
+	} else {
+		apparmor->is_confined = true;
+	}
+	// There are several possible results for the confinement type (mode) that
+	// are checked for below.
+	if (mode != NULL && strcmp(mode, SC_AA_COMPLAIN_STR) == 0) {
+		apparmor->mode = SC_AA_COMPLAIN;
+	} else if (mode != NULL && strcmp(mode, SC_AA_ENFORCE_STR) == 0) {
+		apparmor->mode = SC_AA_ENFORCE;
+	} else if (mode != NULL && strcmp(mode, SC_AA_MIXED_STR) == 0) {
+		apparmor->mode = SC_AA_MIXED;
+	} else {
+		apparmor->mode = SC_AA_INVALID;
+	}
+#else
+	apparmor->mode = SC_AA_NOT_APPLICABLE;
+	apparmor->is_confined = false;
+#endif				// ifdef HAVE_APPARMOR
+}
+
+void
+sc_maybe_aa_change_onexec(struct sc_apparmor *apparmor, const char *profile)
+{
+#ifdef HAVE_APPARMOR
+	if (apparmor->mode == SC_AA_NOT_APPLICABLE) {
+		return;
+	}
+	debug("requesting changing of apparmor profile on next exec to %s",
+	      profile);
+	if (aa_change_onexec(profile) < 0) {
+		if (secure_getenv("SNAPPY_LAUNCHER_INSIDE_TESTS") == NULL) {
+			die("cannot change profile for the next exec call");
+		}
+	}
+#endif				// ifdef HAVE_APPARMOR
+}
+
+void
+sc_maybe_aa_change_hat(struct sc_apparmor *apparmor,
+		       const char *subprofile, unsigned long magic_token)
+{
+#ifdef HAVE_APPARMOR
+	if (apparmor->mode == SC_AA_NOT_APPLICABLE) {
+		return;
+	}
+	if (apparmor->is_confined) {
+		debug("changing apparmor hat to %s", subprofile);
+		if (aa_change_hat(subprofile, magic_token) < 0) {
+			die("cannot change apparmor hat");
+		}
+	}
+#endif				// ifdef HAVE_APPARMOR
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/apparmor-support.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/apparmor-support.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/apparmor-support.h	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/apparmor-support.h	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef SNAP_CONFINE_APPARMOR_SUPPORT_H
+#define SNAP_CONFINE_APPARMOR_SUPPORT_H
+
+#include <stdbool.h>
+
+/**
+ * Type of apparmor confinement.
+ **/
+enum sc_apparmor_mode {
+	// The enforcement mode was not recognized.
+	SC_AA_INVALID = -1,
+	// The enforcement mode is not applicable because apparmor is disabled.
+	SC_AA_NOT_APPLICABLE = 0,
+	// The enforcement mode is "enforcing"
+	SC_AA_ENFORCE = 1,
+	// The enforcement mode is "complain"
+	SC_AA_COMPLAIN,
+	// The enforcement mode is "mixed"
+	SC_AA_MIXED,
+};
+
+/**
+ * Data required to manage apparmor wrapper.
+ **/
+struct sc_apparmor {
+	// The mode of enforcement. In addition to the two apparmor defined modes
+	// can be also SC_AA_INVALID (unknown mode reported by apparmor) and
+	// SC_AA_NOT_APPLICABLE (when we're not linked with apparmor).
+	enum sc_apparmor_mode mode;
+	// Flag indicating that the current process is confined.
+	bool is_confined;
+};
+
+/**
+ * Initialize apparmor support.
+ *
+ * This operation should be done even when apparmor support is disabled at
+ * compile time. Internally the supplied structure is initialized based on the
+ * information returned from aa_getcon(2) or if apparmor is disabled at compile
+ * time, with built-in constants.
+ *
+ * The main action performed here is to check if snap-confine is currently
+ * confined, this information is used later in sc_maybe_change_apparmor_hat()
+ *
+ * As with many functions in the snap-confine tree, all errors result in
+ * process termination.
+ **/
+void sc_init_apparmor_support(struct sc_apparmor *apparmor);
+
+/**
+ * Maybe call aa_change_onexec(2)
+ *
+ * This function does nothing when apparmor support is not enabled at compile
+ * time. If apparmor is enabled then profile change request is attempted.
+ *
+ * As with many functions in the snap-confine tree, all errors result in
+ * process termination. As an exception, when SNAPPY_LAUNCHER_INSIDE_TESTS
+ * environment variable is set then the process is not terminated.
+ **/
+void
+sc_maybe_aa_change_onexec(struct sc_apparmor *apparmor, const char *profile);
+
+/**
+ * Maybe call aa_change_hat(2)
+ *
+ * This function does nothing when apparmor support is not enabled at compile
+ * time. If apparmor is enabled then hat change is attempted.
+ *
+ * As with many functions in the snap-confine tree, all errors result in
+ * process termination.
+ **/
+void
+sc_maybe_aa_change_hat(struct sc_apparmor *apparmor,
+		       const char *subprofile, unsigned long magic_token);
+
+#endif
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/classic.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/classic.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/classic.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/classic.c	2019-01-16 08:36:51.000000000 +0000
@@ -1,25 +1,63 @@
 #include "config.h"
 #include "classic.h"
 #include "../libsnap-confine-private/cleanup-funcs.h"
+#include "../libsnap-confine-private/string-utils.h"
 
-#include <string.h>
+#include <stdbool.h>
 #include <stdio.h>
+#include <string.h>
 #include <unistd.h>
 
-char *os_release = "/etc/os-release";
+static const char *os_release = "/etc/os-release";
+static const char *meta_snap_yaml = "/meta/snap.yaml";
 
-bool is_running_on_classic_distribution()
+sc_distro sc_classify_distro(void)
 {
 	FILE *f SC_CLEANUP(sc_cleanup_file) = fopen(os_release, "r");
 	if (f == NULL) {
-		return true;
+		return SC_DISTRO_CLASSIC;
 	}
 
+	bool is_core = false;
+	int core_version = 0;
 	char buf[255] = { 0 };
+
 	while (fgets(buf, sizeof buf, f) != NULL) {
-		if (strcmp(buf, "ID=ubuntu-core\n") == 0) {
-			return false;
+		size_t len = strlen(buf);
+		if (len > 0 && buf[len - 1] == '\n') {
+			buf[len - 1] = '\0';
+		}
+		if (sc_streq(buf, "ID=\"ubuntu-core\"")
+		    || sc_streq(buf, "ID=ubuntu-core")) {
+			is_core = true;
+		} else if (sc_streq(buf, "VERSION_ID=\"16\"")
+			   || sc_streq(buf, "VERSION_ID=16")) {
+			core_version = 16;
+		} else if (sc_streq(buf, "VARIANT_ID=\"snappy\"")
+			   || sc_streq(buf, "VARIANT_ID=snappy")) {
+			is_core = true;
+		}
+	}
+
+	if (!is_core) {
+		/* Since classic systems don't have a /meta/snap.yaml file the simple
+		   presence of that file qualifies as SC_DISTRO_CORE_OTHER. */
+		if (access(meta_snap_yaml, F_OK) == 0) {
+			is_core = true;
 		}
 	}
-	return true;
+
+	if (is_core) {
+		if (core_version == 16) {
+			return SC_DISTRO_CORE16;
+		}
+		return SC_DISTRO_CORE_OTHER;
+	} else {
+		return SC_DISTRO_CLASSIC;
+	}
+}
+
+bool sc_should_use_normal_mode(sc_distro distro, const char *base_snap_name)
+{
+	return distro != SC_DISTRO_CORE16 || !sc_streq(base_snap_name, "core");
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/classic.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/classic.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/classic.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/classic.h	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,14 @@
 // Location of the host filesystem directory in the core snap.
 #define SC_HOSTFS_DIR "/var/lib/snapd/hostfs"
 
-bool is_running_on_classic_distribution(void);
+typedef enum sc_distro {
+	SC_DISTRO_CORE16,	// As present in both "core" and later on in "core16"
+	SC_DISTRO_CORE_OTHER,	// Any core distribution.
+	SC_DISTRO_CLASSIC,	// Any classic distribution.
+} sc_distro;
+
+sc_distro sc_classify_distro(void);
+
+bool sc_should_use_normal_mode(sc_distro distro, const char *base_snap_name);
 
 #endif
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/classic-test.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/classic-test.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/classic-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/classic-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -20,32 +20,104 @@
 
 #include <glib.h>
 
-const char *os_release_classic = ""
+/* restore_os_release is an internal helper for mock_os_release */
+static void restore_os_release(gpointer * old)
+{
+	unlink(os_release);
+	os_release = (const char *)old;
+}
+
+/* mock_os_release replaces the presence and contents of /etc/os-release
+   as seen by classic.c. The mocked value may be NULL to have the code refer
+   to an absent file. */
+static void mock_os_release(const char *mocked)
+{
+	const char *old = os_release;
+	if (mocked != NULL) {
+		os_release = "os-release.test";
+		g_file_set_contents(os_release, mocked, -1, NULL);
+	} else {
+		os_release = "os-release.missing";
+	}
+	g_test_queue_destroy((GDestroyNotify) restore_os_release,
+			     (gpointer) old);
+}
+
+/* restore_meta_snap_yaml is an internal helper for mock_meta_snap_yaml */
+static void restore_meta_snap_yaml(gpointer * old)
+{
+	unlink(meta_snap_yaml);
+	meta_snap_yaml = (const char *)old;
+}
+
+/* mock_meta_snap_yaml replaces the presence and contents of /meta/snap.yaml
+   as seen by classic.c. The mocked value may be NULL to have the code refer
+   to an absent file. */
+static void mock_meta_snap_yaml(const char *mocked)
+{
+	const char *old = meta_snap_yaml;
+	if (mocked != NULL) {
+		meta_snap_yaml = "snap-yaml.test";
+		g_file_set_contents(meta_snap_yaml, mocked, -1, NULL);
+	} else {
+		meta_snap_yaml = "snap-yaml.missing";
+	}
+	g_test_queue_destroy((GDestroyNotify) restore_meta_snap_yaml,
+			     (gpointer) old);
+}
+
+static const char *os_release_classic = ""
     "NAME=\"Ubuntu\"\n"
     "VERSION=\"17.04 (Zesty Zapus)\"\n" "ID=ubuntu\n" "ID_LIKE=debian\n";
 
 static void test_is_on_classic(void)
 {
-	g_file_set_contents("os-release.classic", os_release_classic,
-			    strlen(os_release_classic), NULL);
-	os_release = "os-release.classic";
-	g_assert_true(is_running_on_classic_distribution());
-	unlink("os-release.classic");
+	mock_os_release(os_release_classic);
+	mock_meta_snap_yaml(NULL);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CLASSIC);
+}
+
+static const char *os_release_core16 = ""
+    "NAME=\"Ubuntu Core\"\n" "VERSION_ID=\"16\"\n" "ID=ubuntu-core\n";
+
+static const char *meta_snap_yaml_core16 = ""
+    "name: core\n"
+    "version: 16-something\n" "type: core\n" "architectures: [amd64]\n";
+
+static void test_is_on_core_on16(void)
+{
+	mock_os_release(os_release_core16);
+	mock_meta_snap_yaml(meta_snap_yaml_core16);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CORE16);
 }
 
-const char *os_release_core = ""
-    "NAME=\"Ubuntu Core\"\n" "VERSION=\"16\"\n" "ID=ubuntu-core\n";
+static const char *os_release_core18 = ""
+    "NAME=\"Ubuntu Core\"\n" "VERSION_ID=\"18\"\n" "ID=ubuntu-core\n";
+
+static const char *meta_snap_yaml_core18 = ""
+    "name: core18\n" "type: base\n" "architectures: [amd64]\n";
 
-static void test_is_on_core(void)
+static void test_is_on_core_on18(void)
 {
-	g_file_set_contents("os-release.core", os_release_core,
-			    strlen(os_release_core), NULL);
-	os_release = "os-release.core";
-	g_assert_false(is_running_on_classic_distribution());
-	unlink("os-release.core");
+	mock_os_release(os_release_core18);
+	mock_meta_snap_yaml(meta_snap_yaml_core18);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CORE_OTHER);
 }
 
-const char *os_release_classic_with_long_line = ""
+const char *os_release_core20 = ""
+    "NAME=\"Ubuntu Core\"\n" "VERSION_ID=\"20\"\n" "ID=ubuntu-core\n";
+
+static const char *meta_snap_yaml_core20 = ""
+    "name: core20\n" "type: base\n" "architectures: [amd64]\n";
+
+static void test_is_on_core_on20(void)
+{
+	mock_os_release(os_release_core20);
+	mock_meta_snap_yaml(meta_snap_yaml_core20);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CORE_OTHER);
+}
+
+static const char *os_release_classic_with_long_line = ""
     "NAME=\"Ubuntu\"\n"
     "VERSION=\"17.04 (Zesty Zapus)\"\n"
     "ID=ubuntu\n"
@@ -54,12 +126,66 @@
 
 static void test_is_on_classic_with_long_line(void)
 {
-	g_file_set_contents("os-release.classic-with-long-line",
-			    os_release_classic, strlen(os_release_classic),
-			    NULL);
-	os_release = "os-release.classic-with-long-line";
-	g_assert_true(is_running_on_classic_distribution());
-	unlink("os-release.classic-with-long-line");
+	mock_os_release(os_release_classic_with_long_line);
+	mock_meta_snap_yaml(NULL);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CLASSIC);
+}
+
+static const char *os_release_fedora_base = ""
+    "NAME=Fedora\nID=fedora\nVARIANT_ID=snappy\n";
+
+static const char *meta_snap_yaml_fedora_base = ""
+    "name: fedora29\n" "type: base\n" "architectures: [amd64]\n";
+
+static void test_is_on_fedora_base(void)
+{
+	mock_os_release(os_release_fedora_base);
+	mock_meta_snap_yaml(meta_snap_yaml_fedora_base);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CORE_OTHER);
+}
+
+static const char *os_release_fedora_ws = ""
+    "NAME=Fedora\nID=fedora\nVARIANT_ID=workstation\n";
+
+static void test_is_on_fedora_ws(void)
+{
+	mock_os_release(os_release_fedora_ws);
+	mock_meta_snap_yaml(NULL);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CLASSIC);
+}
+
+static const char *os_release_custom = ""
+    "NAME=\"Custom Distribution\"\nID=custom\n";
+
+static const char *meta_snap_yaml_custom = ""
+    "name: custom\n"
+    "version: rolling\n"
+    "summary: Runtime environment based on Custom Distribution\n"
+    "type: base\n" "architectures: [amd64]\n";
+
+static void test_is_on_custom_base(void)
+{
+	mock_os_release(os_release_custom);
+
+	/* Without /meta/snap.yaml we treat "Custom Distribution" as classic. */
+	mock_meta_snap_yaml(NULL);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CLASSIC);
+
+	/* With /meta/snap.yaml we treat it as core instead. */
+	mock_meta_snap_yaml(meta_snap_yaml_custom);
+	g_assert_cmpint(sc_classify_distro(), ==, SC_DISTRO_CORE_OTHER);
+}
+
+static void test_should_use_normal_mode(void)
+{
+	g_assert_false(sc_should_use_normal_mode(SC_DISTRO_CORE16, "core"));
+	g_assert_true(sc_should_use_normal_mode(SC_DISTRO_CORE_OTHER, "core"));
+	g_assert_true(sc_should_use_normal_mode(SC_DISTRO_CLASSIC, "core"));
+
+	g_assert_true(sc_should_use_normal_mode(SC_DISTRO_CORE16, "core18"));
+	g_assert_true(sc_should_use_normal_mode
+		      (SC_DISTRO_CORE_OTHER, "core18"));
+	g_assert_true(sc_should_use_normal_mode(SC_DISTRO_CLASSIC, "core18"));
 }
 
 static void __attribute__ ((constructor)) init(void)
@@ -67,5 +193,12 @@
 	g_test_add_func("/classic/on-classic", test_is_on_classic);
 	g_test_add_func("/classic/on-classic-with-long-line",
 			test_is_on_classic_with_long_line);
-	g_test_add_func("/classic/on-core", test_is_on_core);
+	g_test_add_func("/classic/on-core-on16", test_is_on_core_on16);
+	g_test_add_func("/classic/on-core-on18", test_is_on_core_on18);
+	g_test_add_func("/classic/on-core-on20", test_is_on_core_on20);
+	g_test_add_func("/classic/on-fedora-base", test_is_on_fedora_base);
+	g_test_add_func("/classic/on-fedora-ws", test_is_on_fedora_ws);
+	g_test_add_func("/classic/on-custom-base", test_is_on_custom_base);
+	g_test_add_func("/classic/should-use-normal-mode",
+			test_should_use_normal_mode);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/feature.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/feature.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/feature.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/feature.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include "feature.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "cleanup-funcs.h"
+#include "utils.h"
+
+static const char *feature_flag_dir = "/var/lib/snapd/features";
+
+bool sc_feature_enabled(sc_feature_flag flag)
+{
+	const char *file_name;
+	switch (flag) {
+	case SC_PER_USER_MOUNT_NAMESPACE:
+		file_name = "per-user-mount-namespace";
+		break;
+	default:
+		die("unknown feature flag code %d", flag);
+	}
+
+	int dirfd SC_CLEANUP(sc_cleanup_close) = -1;
+	dirfd = open(feature_flag_dir, O_CLOEXEC | O_DIRECTORY | O_NOFOLLOW | O_PATH);
+	if (dirfd < 0 && errno == ENOENT) {
+		return false;
+	}
+	if (dirfd < 0) {
+		die("cannot open path %s", feature_flag_dir);
+	}
+
+	struct stat file_info;
+	if (fstatat(dirfd, file_name, &file_info, AT_SYMLINK_NOFOLLOW) < 0) {
+		if (errno == ENOENT) {
+			return false;
+		}
+		die("cannot inspect file %s/%s", feature_flag_dir, file_name);
+	}
+
+	return S_ISREG(file_info.st_mode);
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/feature.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/feature.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/feature.h	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/feature.h	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef SNAP_CONFINE_FEATURE_H
+#define SNAP_CONFINE_FEATURE_H
+
+#include <stdbool.h>
+
+typedef enum sc_feature_flag {
+	SC_PER_USER_MOUNT_NAMESPACE,
+} sc_feature_flag;
+
+/**
+ * sc_feature_enabled returns true if a given feature flag has been activated
+ * by the user via "snap set core experimental.xxx=true". This is determined by
+ * testing the presence of a file in /var/lib/snapd/features/ that is named
+ * after the flag name.
+**/
+bool sc_feature_enabled(sc_feature_flag flag);
+
+#endif
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/feature-test.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/feature-test.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/feature-test.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/feature-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "feature.h"
+#include "feature.c"
+
+#include <limits.h>
+
+#include <glib.h>
+
+#include "string-utils.h"
+#include "test-utils.h"
+
+static char *sc_testdir(void)
+{
+	char *d = g_dir_make_tmp(NULL, NULL);
+	g_assert_nonnull(d);
+	g_test_queue_free(d);
+	g_test_queue_destroy((GDestroyNotify) rm_rf_tmp, d);
+	return d;
+}
+
+// Set the feature flag directory to given value, useful for cleanup handlers.
+static void set_feature_flag_dir(const char *dir)
+{
+	feature_flag_dir = dir;
+}
+
+// Mock the location of the feature flag directory.
+static void sc_mock_feature_flag_dir(const char *d)
+{
+	g_test_queue_destroy((GDestroyNotify) set_feature_flag_dir,
+			     (void *)feature_flag_dir);
+	set_feature_flag_dir(d);
+}
+
+static void test_feature_enabled__missing_dir(void)
+{
+	const char *d = sc_testdir();
+	char subd[PATH_MAX];
+	sc_must_snprintf(subd, sizeof subd, "%s/absent", d);
+	sc_mock_feature_flag_dir(subd);
+	g_assert(!sc_feature_enabled(SC_PER_USER_MOUNT_NAMESPACE));
+}
+
+static void test_feature_enabled__missing_file(void)
+{
+	const char *d = sc_testdir();
+	sc_mock_feature_flag_dir(d);
+	g_assert(!sc_feature_enabled(SC_PER_USER_MOUNT_NAMESPACE));
+}
+
+static void test_feature_enabled__present_file(void)
+{
+	const char *d = sc_testdir();
+	sc_mock_feature_flag_dir(d);
+	char pname[PATH_MAX];
+	sc_must_snprintf(pname, sizeof pname, "%s/per-user-mount-namespace", d);
+	g_file_set_contents(pname, "", -1, NULL);
+
+	g_assert(sc_feature_enabled(SC_PER_USER_MOUNT_NAMESPACE));
+}
+
+static void __attribute__ ((constructor)) init(void)
+{
+	g_test_add_func("/feature/missing_dir",
+			test_feature_enabled__missing_dir);
+	g_test_add_func("/feature/missing_file",
+			test_feature_enabled__missing_file);
+	g_test_add_func("/feature/present_file",
+			test_feature_enabled__present_file);
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/locking.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/locking.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/locking.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/locking.c	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -21,6 +21,7 @@
 
 #include "locking.h"
 
+#include <errno.h>
 #include <fcntl.h>
 #include <signal.h>
 #include <stdarg.h>
@@ -84,7 +85,7 @@
 
 static const char *sc_lock_dir = SC_LOCK_DIR;
 
-int sc_lock(const char *scope)
+static int get_lock_directory(void)
 {
 	// Create (if required) and open the lock directory.
 	debug("creating lock directory %s (if missing)", sc_lock_dir);
@@ -92,54 +93,107 @@
 		die("cannot create lock directory %s", sc_lock_dir);
 	}
 	debug("opening lock directory %s", sc_lock_dir);
-	int dir_fd SC_CLEANUP(sc_cleanup_close) = -1;
-	dir_fd =
+	int dir_fd =
 	    open(sc_lock_dir, O_DIRECTORY | O_PATH | O_CLOEXEC | O_NOFOLLOW);
 	if (dir_fd < 0) {
 		die("cannot open lock directory");
 	}
-	// Construct the name of the lock file.
+	return dir_fd;
+}
+
+static void get_lock_name(char *lock_fname, size_t size, const char *scope,
+			  uid_t uid)
+{
+	if (uid == 0) {
+		// The root user doesn't have a per-user mount namespace.
+		// Doing so would be confusing for services which use $SNAP_DATA
+		// as home, and not in $SNAP_USER_DATA.
+		sc_must_snprintf(lock_fname, size, "%s.lock", scope ? : "");
+	} else {
+		sc_must_snprintf(lock_fname, size, "%s.%d.lock",
+				 scope ? : "", uid);
+	}
+}
+
+static int open_lock(const char *scope, uid_t uid)
+{
+	int dir_fd SC_CLEANUP(sc_cleanup_close) = -1;
 	char lock_fname[PATH_MAX] = { 0 };
-	sc_must_snprintf(lock_fname, sizeof lock_fname, "%s/%s.lock",
-			 sc_lock_dir, scope ? : "");
+	int lock_fd;
+
+	dir_fd = get_lock_directory();
+	get_lock_name(lock_fname, sizeof lock_fname, scope, uid);
 
 	// Open the lock file and acquire an exclusive lock.
-	debug("opening lock file: %s", lock_fname);
-	int lock_fd = openat(dir_fd, lock_fname,
-			     O_CREAT | O_RDWR | O_CLOEXEC | O_NOFOLLOW, 0600);
+	debug("opening lock file: %s/%s", sc_lock_dir, lock_fname);
+	lock_fd = openat(dir_fd, lock_fname,
+			 O_CREAT | O_RDWR | O_CLOEXEC | O_NOFOLLOW, 0600);
 	if (lock_fd < 0) {
-		die("cannot open lock file: %s", lock_fname);
+		die("cannot open lock file: %s/%s", sc_lock_dir, lock_fname);
 	}
+	return lock_fd;
+}
 
+static int sc_lock_generic(const char *scope, uid_t uid)
+{
+	int lock_fd = open_lock(scope, uid);
 	sc_enable_sanity_timeout();
-	debug("acquiring exclusive lock (scope %s)", scope ? : "(global)");
+	debug("acquiring exclusive lock (scope %s, uid %d)",
+	      scope ? : "(global)", uid);
 	if (flock(lock_fd, LOCK_EX) < 0) {
 		sc_disable_sanity_timeout();
 		close(lock_fd);
-		die("cannot acquire exclusive lock (scope %s)",
-		    scope ? : "(global)");
+		die("cannot acquire exclusive lock (scope %s, uid %d)",
+		    scope ? : "(global)", uid);
 	} else {
 		sc_disable_sanity_timeout();
 	}
 	return lock_fd;
 }
 
-void sc_unlock(const char *scope, int lock_fd)
+int sc_lock_global(void)
 {
-	// Release the lock and finish.
-	debug("releasing lock (scope: %s)", scope ? : "(global)");
-	if (flock(lock_fd, LOCK_UN) < 0) {
-		die("cannot release lock (scope: %s)", scope ? : "(global)");
+	return sc_lock_generic(NULL, 0);
+}
+
+int sc_lock_snap(const char *snap_name)
+{
+	return sc_lock_generic(snap_name, 0);
+}
+
+void sc_verify_snap_lock(const char *snap_name)
+{
+	int lock_fd, retval;
+
+	lock_fd = open_lock(snap_name, 0);
+	debug("trying to verify whether exclusive lock over snap %s is held",
+	      snap_name);
+	retval = flock(lock_fd, LOCK_EX | LOCK_NB);
+	if (retval == 0) {
+		/* We managed to grab the lock, the lock was not held! */
+		flock(lock_fd, LOCK_UN);
+		close(lock_fd);
+		errno = 0;
+		die("unexpectedly managed to acquire exclusive lock over snap %s", snap_name);
 	}
-	close(lock_fd);
+	if (retval < 0 && errno != EWOULDBLOCK) {
+		die("cannot verify exclusive lock over snap %s", snap_name);
+	}
+	/* We tried but failed to grab the lock because the file is already locked.
+	 * Good, this is what we expected. */
 }
 
-int sc_lock_global(void)
+int sc_lock_snap_user(const char *snap_name, uid_t uid)
 {
-	return sc_lock(NULL);
+	return sc_lock_generic(snap_name, uid);
 }
 
-void sc_unlock_global(int lock_fd)
+void sc_unlock(int lock_fd)
 {
-	return sc_unlock(NULL, lock_fd);
+	// Release the lock and finish.
+	debug("releasing lock %d", lock_fd);
+	if (flock(lock_fd, LOCK_UN) < 0) {
+		die("cannot release lock %d", lock_fd);
+	}
+	close(lock_fd);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/locking.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/locking.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/locking.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/locking.h	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -17,17 +17,19 @@
 #ifndef SNAP_CONFINE_LOCKING_H
 #define SNAP_CONFINE_LOCKING_H
 
+// Include config.h which pulls in _GNU_SOURCE which in turn allows sys/types.h
+// to define O_PATH. Since locking.h is included from locking.c this is
+// required to see O_PATH there.
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+
 /**
- * Obtain a flock-based, exclusive lock.
+ * Obtain a flock-based, exclusive, globally scoped, lock.
  *
- * The scope may be the name of a snap or NULL (global lock).  Each subsequent
- * argument is of type sc_locked_fn and gets called with the scope argument.
- * The function guarantees that a filesystem lock is reliably acquired and
- * released on call to sc_unlock() immediately upon process death.
- *
- * The actual lock is placed in "/run/snapd/ns" and is either called
- * "/run/snapd/ns/.lock" if scope is NULL or
- * "/run/snapd/ns/$scope.lock" otherwise.
+ * The actual lock is placed in "/run/snap/ns/.lock"
  *
  * If the lock cannot be acquired for three seconds (via
  * sc_enable_sanity_timeout) then the function fails and the process dies.
@@ -35,29 +37,50 @@
  * The return value needs to be passed to sc_unlock(), there is no need to
  * check for errors as the function will die() on any problem.
  **/
-int sc_lock(const char *scope);
+int sc_lock_global(void);
 
 /**
- * Release a flock-based lock.
+ * Obtain a flock-based, exclusive, snap-scoped, lock.
+ *
+ * The actual lock is placed in "/run/snapd/ns/$SNAP_NAME.lock"
+ * It should be acquired only when holding the global lock.
  *
- * This function simply unlocks the lock and closes the file descriptor.
+ * If the lock cannot be acquired for three seconds (via
+ * sc_enable_sanity_timeout) then the function fails and the process dies.
+ *
+ * The return value needs to be passed to sc_unlock(), there is no need to
+ * check for errors as the function will die() on any problem.
  **/
-void sc_unlock(const char *scope, int lock_fd);
+int sc_lock_snap(const char *snap_name);
 
 /**
- * Obtain a flock-based, exclusive, globally scoped, lock.
+ * Verify that a flock-based, exclusive, snap-scoped, lock is held.
  *
- * This function is exactly like sc_lock(NULL), that is the acquired lock is
- * not specific to any snap but global.
+ * If the lock is not held the process dies. The details about the lock
+ * are exactly the same as for sc_lock_snap().
  **/
-int sc_lock_global(void);
+void sc_verify_snap_lock(const char *snap_name);
 
 /**
- * Release a flock-based, globally scoped, lock
+ * Obtain a flock-based, exclusive, snap-scoped, lock.
+ *
+ * The actual lock is placed in "/run/snapd/ns/$SNAP_NAME.$UID.lock"
+ * It should be acquired only when holding the snap-specific lock.
+ *
+ * If the lock cannot be acquired for three seconds (via
+ * sc_enable_sanity_timeout) then the function fails and the process dies.
+ * The return value needs to be passed to sc_unlock(), there is no need to
+ * check for errors as the function will die() on any problem.
+ **/
+int sc_lock_snap_user(const char *snap_name, uid_t uid);
+
+/**
+ * Release a flock-based lock.
  *
- * This function is exactly like sc_unlock(NULL, lock_fd).
+ * All kinds of locks can be unlocked the same way. This function simply
+ * unlocks the lock and closes the file descriptor.
  **/
-void sc_unlock_global(int lock_fd);
+void sc_unlock(int lock_fd);
 
 /**
  * Enable a sanity-check timeout.
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/locking-test.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/locking-test.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/locking-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/locking-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -32,6 +32,12 @@
 	sc_lock_dir = dir;
 }
 
+// A variant of unsetenv that is compatible with GDestroyNotify
+static void my_unsetenv(const char *k)
+{
+	unsetenv(k);
+}
+
 // Use temporary directory for locking.
 //
 // The directory is automatically reset to the real value at the end of the
@@ -50,7 +56,7 @@
 		g_test_queue_free(lock_dir);
 		g_assert_cmpint(setenv("SNAP_CONFINE_LOCK_DIR", lock_dir, 0),
 				==, 0);
-		g_test_queue_destroy((GDestroyNotify) unsetenv,
+		g_test_queue_destroy((GDestroyNotify) my_unsetenv,
 				     "SNAP_CONFINE_LOCK_DIR");
 		g_test_queue_destroy((GDestroyNotify) rm_rf_tmp, lock_dir);
 	}
@@ -63,10 +69,10 @@
 static void test_sc_lock_unlock(void)
 {
 	const char *lock_dir = sc_test_use_fake_lock_dir();
-	int fd = sc_lock("foo");
+	int fd = sc_lock_generic("foo", 123);
 	// Construct the name of the lock file
 	char *lock_file SC_CLEANUP(sc_cleanup_string) = NULL;
-	lock_file = g_strdup_printf("%s/foo.lock", lock_dir);
+	lock_file = g_strdup_printf("%s/foo.123.lock", lock_dir);
 	// Open the lock file again to obtain a separate file descriptor.
 	// According to flock(2) locks are associated with an open file table entry
 	// so this descriptor will be separate and can compete for the same lock.
@@ -80,12 +86,35 @@
 	g_assert_cmpint(err, ==, -1);
 	g_assert_cmpint(saved_errno, ==, EWOULDBLOCK);
 	// Unlock the lock.
-	sc_unlock("foo", fd);
+	sc_unlock(fd);
 	// Re-attempt the locking operation. This time it should succeed.
 	err = flock(lock_fd, LOCK_EX | LOCK_NB);
 	g_assert_cmpint(err, ==, 0);
 }
 
+// Check that holding a lock is properly detected.
+static void test_sc_verify_snap_lock__locked(void)
+{
+	(void)sc_test_use_fake_lock_dir();
+	int fd = sc_lock_snap("foo");
+	sc_verify_snap_lock("foo");
+	sc_unlock(fd);
+}
+
+// Check that holding a lock is properly detected.
+static void test_sc_verify_snap_lock__unlocked(void)
+{
+	(void)sc_test_use_fake_lock_dir();
+	if (g_test_subprocess()) {
+		sc_verify_snap_lock("foo");
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+	g_test_trap_assert_stderr
+	    ("unexpectedly managed to acquire exclusive lock over snap foo\n");
+}
+
 static void test_sc_enable_sanity_timeout(void)
 {
 	if (g_test_subprocess()) {
@@ -106,4 +135,8 @@
 	g_test_add_func("/locking/sc_lock_unlock", test_sc_lock_unlock);
 	g_test_add_func("/locking/sc_enable_sanity_timeout",
 			test_sc_enable_sanity_timeout);
+	g_test_add_func("/locking/sc_verify_snap_lock__locked",
+			test_sc_verify_snap_lock__locked);
+	g_test_add_func("/locking/sc_verify_snap_lock__unlocked",
+			test_sc_verify_snap_lock__unlocked);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/mount-opt.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/mount-opt.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/mount-opt.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/mount-opt.c	2019-01-16 08:36:51.000000000 +0000
@@ -256,9 +256,10 @@
     "(disabled) use debug build to see details";
 #endif
 
-void sc_do_mount(const char *source, const char *target,
-		 const char *fs_type, unsigned long mountflags,
-		 const void *data)
+static bool sc_do_mount_ex(const char *source, const char *target,
+			   const char *fs_type,
+			   unsigned long mountflags, const void *data,
+			   bool optional)
 {
 	char buf[10000] = { 0 };
 	const char *mount_cmd = NULL;
@@ -274,9 +275,11 @@
 	}
 	if (sc_faulty("mount", NULL)
 	    || mount(source, target, fs_type, mountflags, data) < 0) {
-		// Save errno as ensure can clobber it.
 		int saved_errno = errno;
-
+		if (optional && saved_errno == ENOENT) {
+			// The special-cased value that is allowed to fail.
+			return false;
+		}
 		// Drop privileges so that we can compute our nice error message
 		// without risking an attack on one of the string functions there.
 		sc_privs_drop();
@@ -288,6 +291,21 @@
 		errno = saved_errno;
 		die("cannot perform operation: %s", mount_cmd);
 	}
+	return true;
+}
+
+void sc_do_mount(const char *source, const char *target,
+		 const char *fs_type, unsigned long mountflags,
+		 const void *data)
+{
+	(void)sc_do_mount_ex(source, target, fs_type, mountflags, data, false);
+}
+
+bool sc_do_optional_mount(const char *source, const char *target,
+			  const char *fs_type, unsigned long mountflags,
+			  const void *data)
+{
+	return sc_do_mount_ex(source, target, fs_type, mountflags, data, true);
 }
 
 void sc_do_umount(const char *target, int flags)
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/mount-opt.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/mount-opt.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/mount-opt.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/mount-opt.h	2019-01-16 08:36:51.000000000 +0000
@@ -18,6 +18,7 @@
 #ifndef SNAP_CONFINE_MOUNT_OPT_H
 #define SNAP_CONFINE_MOUNT_OPT_H
 
+#include <stdbool.h>
 #include <stddef.h>
 
 /**
@@ -68,6 +69,19 @@
 		 const void *data);
 
 /**
+ * A thin wrapper around mount(2) with logging and error checks.
+ *
+ * This variant is allowed to silently fail when mount fails with ENOENT.
+ * That is, it can be used to perform mount operations and if either the source
+ * or the destination is not present, carry on as if nothing had happened.
+ *
+ * The return value indicates if the operation was successful or not.
+ **/
+bool sc_do_optional_mount(const char *source, const char *target,
+			  const char *fs_type, unsigned long mountflags,
+			  const void *data);
+
+/**
  * A thin wrapper around umount(2) with logging and error checks.
  **/
 void sc_do_umount(const char *target, int flags);
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/mount-opt-test.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/mount-opt-test.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/mount-opt-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/mount-opt-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -275,6 +275,50 @@
 	}
 }
 
+static bool missing_mount(struct sc_fault_state *state, void *ptr)
+{
+	errno = ENOENT;
+	return true;
+}
+
+static void test_sc_do_optional_mount_missing(void)
+{
+	sc_break("mount", missing_mount);
+	bool ok = sc_do_optional_mount("/foo", "/bar", "ext4", MS_RDONLY, NULL);
+	g_assert_false(ok);
+	sc_reset_faults();
+}
+
+static void test_sc_do_optional_mount_failure(gconstpointer snap_debug)
+{
+	if (g_test_subprocess()) {
+		sc_break("mount", broken_mount);
+		if (GPOINTER_TO_INT(snap_debug) == 1) {
+			g_setenv("SNAP_CONFINE_DEBUG", "1", true);
+		}
+		(void)sc_do_optional_mount("/foo", "/bar", "ext4", MS_RDONLY,
+					   NULL);
+
+		g_test_message("expected sc_do_mount not to return");
+		sc_reset_faults();
+		g_test_fail();
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+	if (GPOINTER_TO_INT(snap_debug) == 0) {
+		g_test_trap_assert_stderr
+		    ("cannot perform operation: mount -t ext4 -o ro /foo /bar: Permission denied\n");
+	} else {
+		/* with snap_debug the debug output hides the actual mount commands *but*
+		 * they are still shown if there was an error
+		 */
+		g_test_trap_assert_stderr
+		    ("DEBUG: performing operation: (disabled) use debug build to see details\n"
+		     "cannot perform operation: mount -t ext4 -o ro /foo /bar: Permission denied\n");
+	}
+}
+
 static void __attribute__ ((constructor)) init(void)
 {
 	g_test_add_func("/mount/sc_mount_opt2str", test_sc_mount_opt2str);
@@ -288,4 +332,12 @@
 			     GINT_TO_POINTER(1), test_sc_do_mount);
 	g_test_add_data_func("/mount/sc_do_umount_with_debug",
 			     GINT_TO_POINTER(1), test_sc_do_umount);
+	g_test_add_func("/mount/sc_do_optional_mount_missing",
+			test_sc_do_optional_mount_missing);
+	g_test_add_data_func("/mount/sc_do_optional_mount_failure",
+			     GINT_TO_POINTER(0),
+			     test_sc_do_optional_mount_failure);
+	g_test_add_data_func("/mount/sc_do_optional_mount_failure_with_debug",
+			     GINT_TO_POINTER(1),
+			     test_sc_do_optional_mount_failure);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/snap.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/snap.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/snap.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/snap.c	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 #include <stddef.h>
 #include <stdlib.h>
 #include <string.h>
+#include <ctype.h>
 
 #include "utils.h"
 #include "string-utils.h"
@@ -30,7 +31,7 @@
 bool verify_security_tag(const char *security_tag, const char *snap_name)
 {
 	const char *whitelist_re =
-	    "^snap\\.([a-z0-9](-?[a-z0-9])*)\\.([a-zA-Z0-9](-?[a-zA-Z0-9])*|hook\\.[a-z](-?[a-z])*)$";
+	    "^snap\\.([a-z0-9](-?[a-z0-9])*(_[a-z0-9]{1,10})?)\\.([a-zA-Z0-9](-?[a-zA-Z0-9])*|hook\\.[a-z](-?[a-z])*)$";
 	regex_t re;
 	if (regcomp(&re, whitelist_re, REG_EXTENDED) != 0)
 		die("can not compile regex %s", whitelist_re);
@@ -56,7 +57,7 @@
 bool sc_is_hook_security_tag(const char *security_tag)
 {
 	const char *whitelist_re =
-	    "^snap\\.[a-z](-?[a-z0-9])*\\.(hook\\.[a-z](-?[a-z])*)$";
+	    "^snap\\.[a-z](-?[a-z0-9])*(_[a-z0-9]{1,10})?\\.(hook\\.[a-z](-?[a-z])*)$";
 
 	regex_t re;
 	if (regcomp(&re, whitelist_re, REG_EXTENDED | REG_NOSUB) != 0)
@@ -97,6 +98,94 @@
 	return 0;
 }
 
+void sc_instance_name_validate(const char *instance_name,
+			       struct sc_error **errorp)
+{
+	// NOTE: This function should be synchronized with the two other
+	// implementations: validate_instance_name and snap.ValidateInstanceName.
+	struct sc_error *err = NULL;
+
+	// Ensure that name is not NULL
+	if (instance_name == NULL) {
+		err =
+		    sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_INSTANCE_NAME,
+				  "snap instance name cannot be NULL");
+		goto out;
+	}
+	// 40 char snap_name + '_' + 10 char instance_key + 1 extra overflow + 1
+	// NULL
+	char s[53] = { 0 };
+	strncpy(s, instance_name, sizeof(s) - 1);
+
+	char *t = s;
+	const char *snap_name = strsep(&t, "_");
+	const char *instance_key = strsep(&t, "_");
+	const char *third_separator = strsep(&t, "_");
+	if (third_separator != NULL) {
+		err =
+		    sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_INSTANCE_NAME,
+				  "snap instance name can contain only one underscore");
+		goto out;
+	}
+
+	sc_snap_name_validate(snap_name, &err);
+	if (err != NULL) {
+		goto out;
+	}
+	// When the instance_name is a normal snap name, instance_key will be
+	// NULL, so only validate instance_key when we found one.
+	if (instance_key != NULL) {
+		sc_instance_key_validate(instance_key, &err);
+	}
+
+ out:
+	sc_error_forward(errorp, err);
+}
+
+void sc_instance_key_validate(const char *instance_key,
+			      struct sc_error **errorp)
+{
+	// NOTE: see snap.ValidateInstanceName for reference of a valid instance key
+	// format
+	struct sc_error *err = NULL;
+
+	// Ensure that name is not NULL
+	if (instance_key == NULL) {
+		err = sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME,
+				    "instance key cannot be NULL");
+		goto out;
+	}
+	// This is a regexp-free routine hand-coding the following pattern:
+	//
+	// "^[a-z]{1,10}$"
+	//
+	// The only motivation for not using regular expressions is so that we don't
+	// run untrusted input against a potentially complex regular expression
+	// engine.
+	int i = 0;
+	for (i = 0; instance_key[i] != '\0'; i++) {
+		if (islower(instance_key[i]) || isdigit(instance_key[i])) {
+			continue;
+		}
+		err =
+		    sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_INSTANCE_KEY,
+				  "instance key must use lower case letters or digits");
+		goto out;
+	}
+
+	if (i == 0) {
+		err =
+		    sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_INSTANCE_KEY,
+				  "instance key must contain at least one letter or digit");
+	} else if (i > 10) {
+		err =
+		    sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_INSTANCE_KEY,
+				  "instance key must be shorter than 10 characters");
+	}
+ out:
+	sc_error_forward(errorp, err);
+}
+
 void sc_snap_name_validate(const char *snap_name, struct sc_error **errorp)
 {
 	// NOTE: This function should be synchronized with the two other
@@ -123,15 +212,19 @@
 		goto out;
 	}
 	bool got_letter = false;
+	int n = 0, m;
 	for (; *p != '\0';) {
-		if (skip_lowercase_letters(&p) > 0) {
+		if ((m = skip_lowercase_letters(&p)) > 0) {
+			n += m;
 			got_letter = true;
 			continue;
 		}
-		if (skip_digits(&p) > 0) {
+		if ((m = skip_digits(&p)) > 0) {
+			n += m;
 			continue;
 		}
 		if (skip_one_char(&p, '-') > 0) {
+			n++;
 			if (*p == '\0') {
 				err =
 				    sc_error_init(SC_SNAP_DOMAIN,
@@ -155,8 +248,67 @@
 	if (!got_letter) {
 		err = sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME,
 				    "snap name must contain at least one letter");
+		goto out;
+	}
+	if (n < 2) {
+		err = sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME,
+				    "snap name must be longer than 1 character");
+		goto out;
+	}
+	if (n > 40) {
+		err = sc_error_init(SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME,
+				    "snap name must be shorter than 40 characters");
+		goto out;
 	}
 
  out:
 	sc_error_forward(errorp, err);
 }
+
+void sc_snap_drop_instance_key(const char *instance_name, char *snap_name,
+			       size_t snap_name_size)
+{
+	sc_snap_split_instance_name(instance_name, snap_name, snap_name_size,
+				    NULL, 0);
+}
+
+void sc_snap_split_instance_name(const char *instance_name, char *snap_name,
+				 size_t snap_name_size, char *instance_key,
+				 size_t instance_key_size)
+{
+	if (instance_name == NULL) {
+		die("internal error: cannot split instance name when it is unset");
+	}
+	if (snap_name == NULL && instance_key == NULL) {
+		die("internal error: cannot split instance name when both snap name and instance key are unset");
+	}
+
+	const char *pos = strchr(instance_name, '_');
+	const char *instance_key_start = "";
+	size_t snap_name_len = 0;
+	size_t instance_key_len = 0;
+	if (pos == NULL) {
+		snap_name_len = strlen(instance_name);
+	} else {
+		snap_name_len = pos - instance_name;
+		instance_key_start = pos + 1;
+		instance_key_len = strlen(instance_key_start);
+	}
+
+	if (snap_name != NULL) {
+		if (snap_name_len >= snap_name_size) {
+			die("snap name buffer too small");
+		}
+
+		memcpy(snap_name, instance_name, snap_name_len);
+		snap_name[snap_name_len] = '\0';
+	}
+
+	if (instance_key != NULL) {
+		if (instance_key_len >= instance_key_size) {
+			die("instance key buffer too small");
+		}
+		memcpy(instance_key, instance_key_start, instance_key_len);
+		instance_key[instance_key_len] = '\0';
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/snap.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/snap.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/snap.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/snap.h	2019-01-16 08:36:51.000000000 +0000
@@ -19,6 +19,7 @@
 #define SNAP_CONFINE_SNAP_H
 
 #include <stdbool.h>
+#include <stddef.h>
 
 #include "error.h"
 
@@ -30,6 +31,10 @@
 enum {
 	/** The name of the snap is not valid. */
 	SC_SNAP_INVALID_NAME = 1,
+	/** The instance key of the snap is not valid. */
+	SC_SNAP_INVALID_INSTANCE_KEY = 2,
+	/** The instance of the snap is not valid. */
+	SC_SNAP_INVALID_INSTANCE_NAME = 3,
 };
 
 /**
@@ -44,6 +49,31 @@
 void sc_snap_name_validate(const char *snap_name, struct sc_error **errorp);
 
 /**
+ * Validate the given instance key.
+ *
+ * Valid instance key cannot be NULL and must match a regular expression
+ * describing the strict naming requirements. Please refer to snapd source code
+ * for details.
+ *
+ * The error protocol is observed so if the caller doesn't provide an outgoing
+ * error pointer the function will die on any error.
+ **/
+void sc_instance_key_validate(const char *instance_key,
+			      struct sc_error **errorp);
+
+/**
+ * Validate the given snap instance name.
+ *
+ * Valid instance name must be composed of a valid snap name and a valid
+ * instance key.
+ *
+ * The error protocol is observed so if the caller doesn't provide an outgoing
+ * error pointer the function will die on any error.
+ **/
+void sc_instance_name_validate(const char *instance_name,
+			       struct sc_error **errorp);
+
+/**
  * Validate security tag against strict naming requirements and snap name.
  *
  *  The executable name is of form:
@@ -58,4 +88,32 @@
 
 bool sc_is_hook_security_tag(const char *security_tag);
 
+/**
+ * Extract snap name out of an instance name.
+ *
+ * A snap may be installed multiple times in parallel under distinct instance names.
+ * This function extracts the snap name out of a name that possibly contains a snap
+ * instance key.
+ *
+ * For example: snap_instance => snap, just-snap => just-snap
+ **/
+void sc_snap_drop_instance_key(const char *instance_name, char *snap_name,
+			       size_t snap_name_size);
+
+/**
+ * Extract snap name and instance key out of an instance name.
+ *
+ * A snap may be installed multiple times in parallel under distinct instance
+ * names. This function extracts the snap name and instance key out of the
+ * instance name. One of snap_name, instance_key must be non-NULL.
+ *
+ * For example:
+ *   name_instance => "name" & "instance"
+ *   just-name     => "just-name" & ""
+ *
+ **/
+void sc_snap_split_instance_name(const char *instance_name, char *snap_name,
+				 size_t snap_name_size, char *instance_key,
+				 size_t instance_key_size);
+
 #endif
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/snap-test.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/snap-test.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/snap-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/snap-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -30,6 +30,12 @@
 	g_assert_true(verify_security_tag("snap.f00.bar-baz1", "f00"));
 	g_assert_true(verify_security_tag("snap.foo.hook.bar", "foo"));
 	g_assert_true(verify_security_tag("snap.foo.hook.bar-baz", "foo"));
+	g_assert_true(verify_security_tag
+		      ("snap.foo_instance.bar-baz", "foo_instance"));
+	g_assert_true(verify_security_tag
+		      ("snap.foo_instance.hook.bar-baz", "foo_instance"));
+	g_assert_true(verify_security_tag
+		      ("snap.foo_bar.hook.bar-baz", "foo_bar"));
 
 	// Now, test the names we know are bad
 	g_assert_false(verify_security_tag
@@ -62,31 +68,63 @@
 	g_assert_false(verify_security_tag("snap..name.app", ".name"));
 	g_assert_false(verify_security_tag("snap.name..app", "name."));
 	g_assert_false(verify_security_tag("snap.name.app..", "name"));
+	// These contain invalid instance key
+	g_assert_false(verify_security_tag("snap.foo_.bar-baz", "foo"));
+	g_assert_false(verify_security_tag
+		       ("snap.foo_toolonginstance.bar-baz", "foo"));
+	g_assert_false(verify_security_tag
+		       ("snap.foo_inst@nace.bar-baz", "foo"));
+	g_assert_false(verify_security_tag
+		       ("snap.foo_in-stan-ce.bar-baz", "foo"));
+	g_assert_false(verify_security_tag("snap.foo_in stan.bar-baz", "foo"));
 
 	// Test names that are both good, but snap name doesn't match security tag
 	g_assert_false(verify_security_tag("snap.foo.hook.bar", "fo"));
 	g_assert_false(verify_security_tag("snap.foo.hook.bar", "fooo"));
 	g_assert_false(verify_security_tag("snap.foo.hook.bar", "snap"));
 	g_assert_false(verify_security_tag("snap.foo.hook.bar", "bar"));
+	g_assert_false(verify_security_tag("snap.foo_instance.bar", "foo_bar"));
 
 	// Regression test 12to8
 	g_assert_true(verify_security_tag("snap.12to8.128to8", "12to8"));
 	g_assert_true(verify_security_tag("snap.123test.123test", "123test"));
 	g_assert_true(verify_security_tag
 		      ("snap.123test.hook.configure", "123test"));
+}
 
+static void test_sc_is_hook_security_tag(void)
+{
+	// First, test the names we know are good
+	g_assert_true(sc_is_hook_security_tag("snap.foo.hook.bar"));
+	g_assert_true(sc_is_hook_security_tag("snap.foo.hook.bar-baz"));
+	g_assert_true(sc_is_hook_security_tag
+		      ("snap.foo_instance.hook.bar-baz"));
+	g_assert_true(sc_is_hook_security_tag("snap.foo_bar.hook.bar-baz"));
+
+	// Now, test the names we know are not valid hook security tags
+	g_assert_false(sc_is_hook_security_tag("snap.foo_instance.bar-baz"));
+	g_assert_false(sc_is_hook_security_tag("snap.name.app!hook.foo"));
+	g_assert_false(sc_is_hook_security_tag("snap.name.app.hook!foo"));
+	g_assert_false(sc_is_hook_security_tag("snap.name.app.hook.-foo"));
+	g_assert_false(sc_is_hook_security_tag("snap.name.app.hook.f00"));
 }
 
-static void test_sc_snap_name_validate(void)
+static void test_sc_snap_or_instance_name_validate(gconstpointer data)
 {
+	typedef void (*validate_func_t) (const char *, struct sc_error **);
+
+	validate_func_t validate = (validate_func_t) data;
+	bool is_instance =
+	    (validate == sc_instance_name_validate) ? true : false;
+
 	struct sc_error *err = NULL;
 
 	// Smoke test, a valid snap name
-	sc_snap_name_validate("hello-world", &err);
+	validate("hello-world", &err);
 	g_assert_null(err);
 
 	// Smoke test: invalid character 
-	sc_snap_name_validate("hello world", &err);
+	validate("hello world", &err);
 	g_assert_nonnull(err);
 	g_assert_true(sc_error_match
 		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
@@ -95,7 +133,7 @@
 	sc_error_free(err);
 
 	// Smoke test: no letters
-	sc_snap_name_validate("", &err);
+	validate("", &err);
 	g_assert_nonnull(err);
 	g_assert_true(sc_error_match
 		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
@@ -104,7 +142,7 @@
 	sc_error_free(err);
 
 	// Smoke test: leading dash
-	sc_snap_name_validate("-foo", &err);
+	validate("-foo", &err);
 	g_assert_nonnull(err);
 	g_assert_true(sc_error_match
 		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
@@ -113,7 +151,7 @@
 	sc_error_free(err);
 
 	// Smoke test: trailing dash
-	sc_snap_name_validate("foo-", &err);
+	validate("foo-", &err);
 	g_assert_nonnull(err);
 	g_assert_true(sc_error_match
 		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
@@ -122,7 +160,7 @@
 	sc_error_free(err);
 
 	// Smoke test: double dash
-	sc_snap_name_validate("f--oo", &err);
+	validate("f--oo", &err);
 	g_assert_nonnull(err);
 	g_assert_true(sc_error_match
 		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
@@ -131,27 +169,46 @@
 	sc_error_free(err);
 
 	// Smoke test: NULL name is not valid
-	sc_snap_name_validate(NULL, &err);
+	validate(NULL, &err);
 	g_assert_nonnull(err);
-	g_assert_true(sc_error_match
-		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
-	g_assert_cmpstr(sc_error_msg(err), ==, "snap name cannot be NULL");
+	// the only case when instance name validation diverges from snap name
+	// validation
+	if (!is_instance) {
+		g_assert_true(sc_error_match
+			      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
+		g_assert_cmpstr(sc_error_msg(err), ==,
+				"snap name cannot be NULL");
+	} else {
+		g_assert_true(sc_error_match
+			      (err, SC_SNAP_DOMAIN,
+			       SC_SNAP_INVALID_INSTANCE_NAME));
+		g_assert_cmpstr(sc_error_msg(err), ==,
+				"snap instance name cannot be NULL");
+	}
 	sc_error_free(err);
 
 	const char *valid_names[] = {
-		"a", "aa", "aaa", "aaaa",
+		"aa", "aaa", "aaaa",
 		"a-a", "aa-a", "a-aa", "a-b-c",
 		"a0", "a-0", "a-0a",
 		"01game", "1-or-2"
 	};
 	for (size_t i = 0; i < sizeof valid_names / sizeof *valid_names; ++i) {
 		g_test_message("checking valid snap name: %s", valid_names[i]);
-		sc_snap_name_validate(valid_names[i], &err);
+		validate(valid_names[i], &err);
 		g_assert_null(err);
 	}
 	const char *invalid_names[] = {
 		// name cannot be empty
 		"",
+		// too short
+		"a",
+		// names cannot be too long
+		"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+		"xxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx",
+		"1111111111111111111111111111111111111111x",
+		"x1111111111111111111111111111111111111111",
+		"x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x",
 		// dashes alone are not a name
 		"-", "--",
 		// double dashes in a name are not allowed
@@ -161,7 +218,7 @@
 		// name cannot have any spaces in it
 		"a ", " a", "a a",
 		// a number alone is not a name
-		"0", "123",
+		"0", "123", "1-2-3",
 		// identifier must be plain ASCII
 		"日本語", "한글", "ру́сский язы́к",
 	};
@@ -169,18 +226,29 @@
 	     ++i) {
 		g_test_message("checking invalid snap name: >%s<",
 			       invalid_names[i]);
-		sc_snap_name_validate(invalid_names[i], &err);
+		validate(invalid_names[i], &err);
 		g_assert_nonnull(err);
 		g_assert_true(sc_error_match
 			      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
 		sc_error_free(err);
 	}
 	// Regression test: 12to8 and 123test
-	sc_snap_name_validate("12to8", &err);
+	validate("12to8", &err);
 	g_assert_null(err);
-	sc_snap_name_validate("123test", &err);
+	validate("123test", &err);
 	g_assert_null(err);
 
+	// In case we switch to a regex, here's a test that could break things.
+	const char good_bad_name[] = "u-94903713687486543234157734673284536758";
+	char varname[sizeof good_bad_name] = { 0 };
+	for (size_t i = 3; i <= sizeof varname - 1; i++) {
+		g_assert_nonnull(memcpy(varname, good_bad_name, i));
+		varname[i] = 0;
+		g_test_message("checking valid snap name: >%s<", varname);
+		validate(varname, &err);
+		g_assert_null(err);
+		sc_error_free(err);
+	}
 }
 
 static void test_sc_snap_name_validate__respects_error_protocol(void)
@@ -197,11 +265,304 @@
 	    ("snap name must use lower case letters, digits or dashes\n");
 }
 
+static void test_sc_instance_name_validate(void)
+{
+	struct sc_error *err = NULL;
+
+	sc_instance_name_validate("hello-world", &err);
+	g_assert_null(err);
+	sc_instance_name_validate("hello-world_foo", &err);
+	g_assert_null(err);
+
+	// just the separator
+	sc_instance_name_validate("_", &err);
+	g_assert_nonnull(err);
+	g_assert_true(sc_error_match
+		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
+	g_assert_cmpstr(sc_error_msg(err), ==,
+			"snap name must contain at least one letter");
+	sc_error_free(err);
+
+	// just name, with separator, missing instance key
+	sc_instance_name_validate("hello-world_", &err);
+	g_assert_nonnull(err);
+	g_assert_true(sc_error_match
+		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_INSTANCE_KEY));
+	g_assert_cmpstr(sc_error_msg(err), ==,
+			"instance key must contain at least one letter or digit");
+	sc_error_free(err);
+
+	// only separator and instance key, missing name
+	sc_instance_name_validate("_bar", &err);
+	g_assert_nonnull(err);
+	g_assert_true(sc_error_match
+		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
+	g_assert_cmpstr(sc_error_msg(err), ==,
+			"snap name must contain at least one letter");
+	sc_error_free(err);
+
+	sc_instance_name_validate("", &err);
+	g_assert_nonnull(err);
+	g_assert_true(sc_error_match
+		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_NAME));
+	g_assert_cmpstr(sc_error_msg(err), ==,
+			"snap name must contain at least one letter");
+	sc_error_free(err);
+
+	// third separator
+	sc_instance_name_validate("foo_bar_baz", &err);
+	g_assert_nonnull(err);
+	g_assert_true(sc_error_match
+		      (err, SC_SNAP_DOMAIN, SC_SNAP_INVALID_INSTANCE_NAME));
+	g_assert_cmpstr(sc_error_msg(err), ==,
+			"snap instance name can contain only one underscore");
+	sc_error_free(err);
+
+	const char *valid_names[] = {
+		"aa", "aaa", "aaaa",
+		"aa_a", "aa_1", "aa_123", "aa_0123456789",
+	};
+	for (size_t i = 0; i < sizeof valid_names / sizeof *valid_names; ++i) {
+		g_test_message("checking valid instance name: %s",
+			       valid_names[i]);
+		sc_instance_name_validate(valid_names[i], &err);
+		g_assert_null(err);
+	}
+	const char *invalid_names[] = {
+		// too short
+		"a",
+		// only letters and digits in the instance key
+		"a_--23))", "a_ ", "a_091234#", "a_123_456",
+		// up to 10 characters for the instance key
+		"a_01234567891", "a_0123456789123",
+		// snap name must not be more than 40 characters, regardless of instance
+		// key
+		"01234567890123456789012345678901234567890_foobar",
+		"01234567890123456789-01234567890123456789_foobar",
+		// instance key  must be plain ASCII
+		"foobar_日本語",
+		// way too many underscores
+		"foobar_baz_zed_daz",
+		"foobar______",
+	};
+	for (size_t i = 0; i < sizeof invalid_names / sizeof *invalid_names;
+	     ++i) {
+		g_test_message("checking invalid instance name: >%s<",
+			       invalid_names[i]);
+		sc_instance_name_validate(invalid_names[i], &err);
+		g_assert_nonnull(err);
+		sc_error_free(err);
+	}
+}
+
+static void test_sc_snap_drop_instance_key_no_dest(void)
+{
+	if (g_test_subprocess()) {
+		sc_snap_drop_instance_key("foo_bar", NULL, 0);
+		g_test_fail();
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+
+}
+
+static void test_sc_snap_drop_instance_key_short_dest(void)
+{
+	if (g_test_subprocess()) {
+		char dest[10] = { 0 };
+		sc_snap_drop_instance_key("foo-foo-foo-foo-foo_bar", dest,
+					  sizeof dest);
+		g_test_fail();
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+}
+
+static void test_sc_snap_drop_instance_key_short_dest2(void)
+{
+	if (g_test_subprocess()) {
+		char dest[3] = { 0 };	// "foo" sans the nil byte
+		sc_snap_drop_instance_key("foo", dest, sizeof dest);
+		g_test_fail();
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+}
+
+static void test_sc_snap_drop_instance_key_no_name(void)
+{
+	if (g_test_subprocess()) {
+		char dest[10] = { 0 };
+		sc_snap_drop_instance_key(NULL, dest, sizeof dest);
+		g_test_fail();
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+}
+
+static void test_sc_snap_drop_instance_key_basic(void)
+{
+	char name[41] = { 0xff };
+
+	sc_snap_drop_instance_key("foo_bar", name, sizeof name);
+	g_assert_cmpstr(name, ==, "foo");
+
+	memset(name, 0xff, sizeof name);
+	sc_snap_drop_instance_key("foo-bar_bar", name, sizeof name);
+	g_assert_cmpstr(name, ==, "foo-bar");
+
+	memset(name, 0xff, sizeof name);
+	sc_snap_drop_instance_key("foo-bar", name, sizeof name);
+	g_assert_cmpstr(name, ==, "foo-bar");
+
+	memset(name, 0xff, sizeof name);
+	sc_snap_drop_instance_key("_baz", name, sizeof name);
+	g_assert_cmpstr(name, ==, "");
+
+	memset(name, 0xff, sizeof name);
+	sc_snap_drop_instance_key("foo", name, sizeof name);
+	g_assert_cmpstr(name, ==, "foo");
+}
+
+static void test_sc_snap_split_instance_name_trailing_nil(void)
+{
+	if (g_test_subprocess()) {
+		char dest[3] = { 0 };
+		// pretend there is no place for trailing \0
+		sc_snap_split_instance_name("_", NULL, 0, dest, 0);
+		g_test_fail();
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+}
+
+static void test_sc_snap_split_instance_name_short_instance_dest(void)
+{
+	if (g_test_subprocess()) {
+		char dest[10] = { 0 };
+		sc_snap_split_instance_name("foo_barbarbarbar", NULL, 0,
+					    dest, sizeof dest);
+		g_test_fail();
+		return;
+	}
+	g_test_trap_subprocess(NULL, 0, 0);
+	g_test_trap_assert_failed();
+}
+
+static void test_sc_snap_split_instance_name_basic(void)
+{
+	char name[41] = { 0xff };
+	char instance[20] = { 0xff };
+
+	sc_snap_split_instance_name("foo_bar", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "foo");
+	g_assert_cmpstr(instance, ==, "bar");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("foo-bar_bar", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "foo-bar");
+	g_assert_cmpstr(instance, ==, "bar");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("foo-bar", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "foo-bar");
+	g_assert_cmpstr(instance, ==, "");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("_baz", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "");
+	g_assert_cmpstr(instance, ==, "baz");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("foo", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "foo");
+	g_assert_cmpstr(instance, ==, "");
+
+	memset(name, 0xff, sizeof name);
+	sc_snap_split_instance_name("foo_bar", name, sizeof name, NULL, 0);
+	g_assert_cmpstr(name, ==, "foo");
+
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("foo_bar", NULL, 0, instance,
+				    sizeof instance);
+	g_assert_cmpstr(instance, ==, "bar");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("hello_world_surprise", name, sizeof name,
+				    instance, sizeof instance);
+	g_assert_cmpstr(name, ==, "hello");
+	g_assert_cmpstr(instance, ==, "world_surprise");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "");
+	g_assert_cmpstr(instance, ==, "");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("_", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "");
+	g_assert_cmpstr(instance, ==, "");
+
+	memset(name, 0xff, sizeof name);
+	memset(instance, 0xff, sizeof instance);
+	sc_snap_split_instance_name("foo_", name, sizeof name, instance,
+				    sizeof instance);
+	g_assert_cmpstr(name, ==, "foo");
+	g_assert_cmpstr(instance, ==, "");
+}
+
 static void __attribute__ ((constructor)) init(void)
 {
 	g_test_add_func("/snap/verify_security_tag", test_verify_security_tag);
-	g_test_add_func("/snap/sc_snap_name_validate",
-			test_sc_snap_name_validate);
+	g_test_add_func("/snap/sc_is_hook_security_tag",
+			test_sc_is_hook_security_tag);
+
+	g_test_add_data_func("/snap/sc_snap_name_validate",
+			     sc_snap_name_validate,
+			     test_sc_snap_or_instance_name_validate);
 	g_test_add_func("/snap/sc_snap_name_validate/respects_error_protocol",
 			test_sc_snap_name_validate__respects_error_protocol);
+
+	g_test_add_data_func("/snap/sc_instance_name_validate/just_name",
+			     sc_instance_name_validate,
+			     test_sc_snap_or_instance_name_validate);
+	g_test_add_func("/snap/sc_instance_name_validate/full",
+			test_sc_instance_name_validate);
+
+	g_test_add_func("/snap/sc_snap_drop_instance_key/basic",
+			test_sc_snap_drop_instance_key_basic);
+	g_test_add_func("/snap/sc_snap_drop_instance_key/no_dest",
+			test_sc_snap_drop_instance_key_no_dest);
+	g_test_add_func("/snap/sc_snap_drop_instance_key/no_name",
+			test_sc_snap_drop_instance_key_no_name);
+	g_test_add_func("/snap/sc_snap_drop_instance_key/short_dest",
+			test_sc_snap_drop_instance_key_short_dest);
+	g_test_add_func("/snap/sc_snap_drop_instance_key/short_dest2",
+			test_sc_snap_drop_instance_key_short_dest2);
+
+	g_test_add_func("/snap/sc_snap_split_instance_name/basic",
+			test_sc_snap_split_instance_name_basic);
+	g_test_add_func("/snap/sc_snap_split_instance_name/trailing_nil",
+			test_sc_snap_split_instance_name_trailing_nil);
+	g_test_add_func("/snap/sc_snap_split_instance_name/short_instance_dest",
+			test_sc_snap_split_instance_name_short_instance_dest);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/string-utils.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/string-utils.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/string-utils.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/string-utils.c	2019-01-16 08:36:51.000000000 +0000
@@ -56,6 +56,22 @@
 	return strncmp(str - xlen + slen, suffix, xlen) == 0;
 }
 
+char *sc_strdup(const char *str)
+{
+	size_t len;
+	char *copy;
+	if (str == NULL) {
+		die("cannot duplicate NULL string");
+	}
+	len = strlen(str);
+	copy = malloc(len + 1);
+	if (copy == NULL) {
+		die("cannot allocate string copy (len: %zd)", len);
+	}
+	memcpy(copy, str, len + 1);
+	return copy;
+}
+
 int sc_must_snprintf(char *str, size_t size, const char *format, ...)
 {
 	int n;
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/string-utils.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/string-utils.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/string-utils.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/string-utils.h	2019-01-16 08:36:51.000000000 +0000
@@ -32,6 +32,11 @@
 bool sc_endswith(const char *str, const char *suffix);
 
 /**
+ * Allocate and return a copy of a string.
+**/
+char *sc_strdup(const char *str);
+
+/**
  * Safer version of snprintf.
  *
  * This version dies on any error condition.
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/string-utils-test.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/string-utils-test.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/string-utils-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/string-utils-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -780,6 +780,14 @@
 #undef DQ
 }
 
+static void test_sc_strdup(void)
+{
+	char *s = sc_strdup("snap install everything");
+	g_assert_nonnull(s);
+	g_assert_cmpstr(s, ==, "snap install everything");
+	free(s);
+}
+
 static void __attribute__ ((constructor)) init(void)
 {
 	g_test_add_func("/string-utils/sc_streq", test_sc_streq);
@@ -836,4 +844,5 @@
 	    ("/string-utils/sc_string_append_char_pair__uninitialized_buf",
 	     test_sc_string_append_char_pair__uninitialized_buf);
 	g_test_add_func("/string-utils/sc_string_quote", test_sc_string_quote);
+	g_test_add_func("/string-utils/sc_strdup", test_sc_strdup);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/tool.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/tool.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/tool.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/tool.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "tool.h"
+
+#include <fcntl.h>
+#include <libgen.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include "../libsnap-confine-private/apparmor-support.h"
+#include "../libsnap-confine-private/cleanup-funcs.h"
+#include "../libsnap-confine-private/string-utils.h"
+#include "../libsnap-confine-private/utils.h"
+
+/**
+ * sc_open_snapd_tool returns a file descriptor of the given internal executable.
+ *
+ * The executable is located based on the location of the currently executing process.
+ * The returning file descriptor can be used with fexecve function, like in sc_call_snapd_tool.
+**/
+static int sc_open_snapd_tool(const char *tool_name);
+
+/**
+ * sc_call_snapd_tool calls a snapd tool by file descriptor.
+ *
+ * The idea with calling with an open file descriptor is to allow calling executables
+ * across mount namespaces, where the executable may not be visible in the new filesystem
+ * anymore. The caller establishes an open file descriptor in one namespace and later on
+ * performs the call in another mount namespace.
+ *
+ * The environment vector has special support for expanding the string "SNAPD_DEBUG=x".
+ * If such string is present, the "x" is replaced with either "0" or "1" depending on
+ * the result of is_sc_debug_enabled().
+ **/
+static void sc_call_snapd_tool(int tool_fd, const char *tool_name, char **argv,
+			       char **envp);
+
+/**
+ * sc_call_snapd_tool_with_apparmor calls a snapd tool by file descriptor,
+ * possibly confining the program with a specific apparmor profile.
+**/
+static void sc_call_snapd_tool_with_apparmor(int tool_fd, const char *tool_name,
+					     struct sc_apparmor *apparmor,
+					     const char *aa_profile,
+					     char **argv, char **envp);
+
+int sc_open_snap_update_ns(void)
+{
+	return sc_open_snapd_tool("snap-update-ns");
+}
+
+void sc_call_snap_update_ns(int snap_update_ns_fd, const char *snap_name,
+			    struct sc_apparmor *apparmor)
+{
+	char *snap_name_copy SC_CLEANUP(sc_cleanup_string) = NULL;
+	snap_name_copy = sc_strdup(snap_name);
+
+	char aa_profile[PATH_MAX] = { 0 };
+	sc_must_snprintf(aa_profile, sizeof aa_profile, "snap-update-ns.%s",
+			 snap_name);
+
+	char *argv[] = {
+		"snap-update-ns",
+		/* This tells snap-update-ns we are calling from snap-confine and locking is in place */
+		"--from-snap-confine",
+		snap_name_copy, NULL
+	};
+	char *envp[] = { "SNAPD_DEBUG=x", NULL };
+	sc_call_snapd_tool_with_apparmor(snap_update_ns_fd,
+					 "snap-update-ns", apparmor,
+					 aa_profile, argv, envp);
+}
+
+void sc_call_snap_update_ns_as_user(int snap_update_ns_fd,
+				    const char *snap_name,
+				    struct sc_apparmor *apparmor)
+{
+	char *snap_name_copy SC_CLEANUP(sc_cleanup_string) = NULL;
+	snap_name_copy = sc_strdup(snap_name);
+
+	char aa_profile[PATH_MAX] = { 0 };
+	sc_must_snprintf(aa_profile, sizeof aa_profile, "snap-update-ns.%s",
+			 snap_name);
+
+	const char *xdg_runtime_dir = getenv("XDG_RUNTIME_DIR");
+	char xdg_runtime_dir_env[PATH_MAX+strlen("XDG_RUNTIME_DIR=")];
+	if (xdg_runtime_dir != NULL) {
+		sc_must_snprintf(xdg_runtime_dir_env,
+				 sizeof(xdg_runtime_dir_env),
+				 "XDG_RUNTIME_DIR=%s", xdg_runtime_dir);
+	}
+
+	char *argv[] = {
+		"snap-update-ns",
+		/* This tells snap-update-ns we are calling from snap-confine and locking is in place */
+		/* TODO: enable this in sync with snap-update-ns changes, "--from-snap-confine", */
+		/* This tells snap-update-ns that we want to process the per-user profile */
+		"--user-mounts", snap_name_copy, NULL
+	};
+	char *envp[] = {
+		/* SNAPD_DEBUG=x is replaced by sc_call_snapd_tool_with_apparmor
+		 * with either SNAPD_DEBUG=0 or SNAPD_DEBUG=1, see that function
+		 * for details. */
+		"SNAPD_DEBUG=x",
+		xdg_runtime_dir_env, NULL
+	};
+	sc_call_snapd_tool_with_apparmor(snap_update_ns_fd,
+					 "snap-update-ns", apparmor,
+					 aa_profile, argv, envp);
+}
+
+int sc_open_snap_discard_ns(void)
+{
+	return sc_open_snapd_tool("snap-discard-ns");
+}
+
+void sc_call_snap_discard_ns(int snap_discard_ns_fd, const char *snap_name)
+{
+	char *snap_name_copy SC_CLEANUP(sc_cleanup_string) = NULL;
+	snap_name_copy = sc_strdup(snap_name);
+	char *argv[] =
+	    { "snap-discard-ns", "--from-snap-confine", snap_name_copy, NULL };
+	/* SNAPD_DEBUG=x is replaced by sc_call_snapd_tool_with_apparmor with
+	 * either SNAPD_DEBUG=0 or SNAPD_DEBUG=1, see that function for details. */
+	char *envp[] = { "SNAPD_DEBUG=x", NULL };
+	sc_call_snapd_tool(snap_discard_ns_fd, "snap-discard-ns", argv, envp);
+}
+
+static int sc_open_snapd_tool(const char *tool_name)
+{
+	// +1 is for the case where the link is exactly PATH_MAX long but we also
+	// want to store the terminating '\0'. The readlink system call doesn't add
+	// terminating null, but our initialization of buf handles this for us.
+	char buf[PATH_MAX + 1] = { 0 };
+	if (readlink("/proc/self/exe", buf, sizeof buf) < 0) {
+		die("cannot readlink /proc/self/exe");
+	}
+	if (buf[0] != '/') {	// this shouldn't happen, but make sure have absolute path
+		die("readlink /proc/self/exe returned relative path");
+	}
+	char *dir_name = dirname(buf);
+	int dir_fd SC_CLEANUP(sc_cleanup_close) = 1;
+	dir_fd = open(dir_name, O_PATH | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+	if (dir_fd < 0) {
+		die("cannot open path %s", dir_name);
+	}
+	int tool_fd = -1;
+	tool_fd = openat(dir_fd, tool_name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
+	if (tool_fd < 0) {
+		die("cannot open path %s/%s", dir_name, tool_name);
+	}
+	debug("opened %s executable as file descriptor %d", tool_name, tool_fd);
+	return tool_fd;
+}
+
+static void sc_call_snapd_tool(int tool_fd, const char *tool_name, char **argv,
+			       char **envp)
+{
+	sc_call_snapd_tool_with_apparmor(tool_fd, tool_name, NULL, NULL, argv,
+					 envp);
+}
+
+static void sc_call_snapd_tool_with_apparmor(int tool_fd, const char *tool_name,
+					     struct sc_apparmor *apparmor,
+					     const char *aa_profile,
+					     char **argv, char **envp)
+{
+	debug("calling snapd tool %s", tool_name);
+	pid_t child = fork();
+	if (child < 0) {
+		die("cannot fork to run snapd tool %s", tool_name);
+	}
+	if (child == 0) {
+		/* If the caller provided template environment entry for SNAPD_DEBUG
+		 * then expand it to the actual value. */
+		for (char **env = envp;
+		     /* Mama mia, that's a spicy meatball. */
+		     env != NULL && *env != NULL && **env != '\0'; env++) {
+			if (sc_streq(*env, "SNAPD_DEBUG=x")) {
+				/* NOTE: this is not released, on purpose. */
+				char *entry = sc_strdup(*env);
+				entry[strlen("SNAPD_DEBUG=x") - 1] =
+				    sc_is_debug_enabled()? '1' : '0';
+				*env = entry;
+			}
+		}
+		/* Switch apparmor profile for the process after exec. */
+		if (apparmor != NULL && aa_profile != NULL) {
+			sc_maybe_aa_change_onexec(apparmor, aa_profile);
+		}
+		fexecve(tool_fd, argv, envp);
+		die("cannot execute snapd tool %s", tool_name);
+	} else {
+		int status = 0;
+		debug("waiting for snapd tool %s to terminate", tool_name);
+		if (waitpid(child, &status, 0) < 0) {
+			die("cannot get snapd tool %s termination status via waitpid", tool_name);
+		}
+		if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+			die("%s failed with code %i", tool_name,
+			    WEXITSTATUS(status));
+		} else if (WIFSIGNALED(status)) {
+			die("%s killed by signal %i", tool_name,
+			    WTERMSIG(status));
+		}
+		debug("%s finished successfully", tool_name);
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/tool.h snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/tool.h
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/tool.h	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/tool.h	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef SNAP_CONFINE_TOOL_H
+#define SNAP_CONFINE_TOOL_H
+
+/* Forward declaration, for real see apparmor-support.h */
+struct sc_apparmor;
+
+/**
+ * sc_open_snap_update_ns returns a file descriptor for the snap-update-ns tool.
+**/
+int sc_open_snap_update_ns(void);
+
+/**
+ * sc_call_snap_update_ns calls snap-update-ns from snap-confine
+ **/
+void sc_call_snap_update_ns(int snap_update_ns_fd, const char *snap_name,
+			    struct sc_apparmor *apparmor);
+
+/**
+ * sc_call_snap_update_ns calls snap-update-ns --user-mounts from snap-confine
+ **/
+void sc_call_snap_update_ns_as_user(int snap_update_ns_fd,
+				    const char *snap_name,
+				    struct sc_apparmor *apparmor);
+
+/**
+ * sc_open_snap_update_ns returns a file descriptor for the snap-discard-ns tool.
+**/
+int sc_open_snap_discard_ns(void);
+
+/**
+ * sc_call_snap_discard_ns calls the snap-discard-ns from snap confine.
+**/
+void sc_call_snap_discard_ns(int snap_discard_ns_fd, const char *snap_name);
+
+#endif
diff -Nru snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/utils-test.c snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/utils-test.c
--- snapd-2.32.3.2~14.04/cmd/libsnap-confine-private/utils-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/libsnap-confine-private/utils-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -99,6 +99,22 @@
 	g_test_trap_assert_stderr("death message: Operation not permitted\n");
 }
 
+// A variant of rmdir that is compatible with GDestroyNotify
+static void my_rmdir(const char *path)
+{
+	if (rmdir(path) != 0) {
+		die("cannot rmdir %s", path);
+	}
+}
+
+// A variant of chdir that is compatible with GDestroyNotify
+static void my_chdir(const char *path)
+{
+	if (chdir(path) != 0) {
+		die("cannot change dir to %s", path);
+	}
+}
+
 /**
  * Perform the rest of testing in a ephemeral directory.
  *
@@ -114,9 +130,9 @@
 	g_assert_cmpint(err, ==, 0);
 
 	g_test_queue_free(temp_dir);
-	g_test_queue_destroy((GDestroyNotify) rmdir, temp_dir);
+	g_test_queue_destroy((GDestroyNotify) my_rmdir, temp_dir);
 	g_test_queue_free(orig_dir);
-	g_test_queue_destroy((GDestroyNotify) chdir, orig_dir);
+	g_test_queue_destroy((GDestroyNotify) my_chdir, orig_dir);
 }
 
 /**
@@ -130,7 +146,7 @@
 				   G_FILE_TEST_IS_DIR));
 	// Use sc_nonfatal_mkpath to create the directory and ensure that it worked
 	// as expected.
-	g_test_queue_destroy((GDestroyNotify) rmdir, (char *)dirname);
+	g_test_queue_destroy((GDestroyNotify) my_rmdir, (char *)dirname);
 	int err = sc_nonfatal_mkpath(dirname, 0755);
 	g_assert_cmpint(err, ==, 0);
 	g_assert_cmpint(errno, ==, 0);
@@ -143,7 +159,7 @@
 	g_assert_cmpint(errno, ==, EEXIST);
 	// Now create a sub-directory of the original directory and observe the
 	// results. We should no longer see errno of EEXIST!
-	g_test_queue_destroy((GDestroyNotify) rmdir, (char *)subdirname);
+	g_test_queue_destroy((GDestroyNotify) my_rmdir, (char *)subdirname);
 	err = sc_nonfatal_mkpath(subdirname, 0755);
 	g_assert_cmpint(err, ==, 0);
 	g_assert_cmpint(errno, ==, 0);
diff -Nru snapd-2.32.3.2~14.04/cmd/Makefile.am snapd-2.37~rc1~14.04/cmd/Makefile.am
--- snapd-2.32.3.2~14.04/cmd/Makefile.am	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/Makefile.am	2019-01-16 08:36:51.000000000 +0000
@@ -15,7 +15,15 @@
 CHECK_CFLAGS += -Werror
 endif
 
-subdirs = snap-confine snap-discard-ns system-shutdown libsnap-confine-private snap-gdb-shim snapd-generator
+subdirs = \
+		  libsnap-confine-private \
+		  snap-confine \
+		  snap-discard-ns \
+		  snap-gdb-shim \
+		  snap-update-ns \
+		  snapd-env-generator \
+		  snapd-generator \
+		  system-shutdown
 
 # Run check-syntax when checking
 # TODO: conver those to autotools-style tests later
@@ -39,26 +47,31 @@
 if WITH_UNIT_TESTS
 check-unit-tests: snap-confine/unit-tests system-shutdown/unit-tests libsnap-confine-private/unit-tests
 	$(HAVE_VALGRIND) ./libsnap-confine-private/unit-tests
-	$(HAVE_VALGRIND) ./snap-confine/unit-tests
+	SNAP_DEVICE_HELPER=$(srcdir)/snap-confine/snap-device-helper $(HAVE_VALGRIND) ./snap-confine/unit-tests
 	$(HAVE_VALGRIND) ./system-shutdown/unit-tests
 else
 check-unit-tests:
 	echo "unit tests are disabled (rebuild with --enable-unit-tests)"
 endif
 
+new_format = snap-discard-ns/snap-discard-ns.c
 .PHONY: fmt
-fmt: $(foreach dir,$(subdirs),$(wildcard $(srcdir)/$(dir)/*.[ch]))
+fmt:: $(filter     $(addprefix %,$(new_format)),$(foreach dir,$(subdirs),$(wildcard $(srcdir)/$(dir)/*.[ch])))
+	clang-format -style='{BasedOnStyle: Google, IndentWidth: 4, ColumnLimit: 120}' -i $^
+
+fmt:: $(filter-out $(addprefix %,$(new_format)),$(foreach dir,$(subdirs),$(wildcard $(srcdir)/$(dir)/*.[ch])))
 	HOME=$(srcdir) indent $^
 
 # The hack target helps devlopers work on snap-confine on their live system by
 # installing a fresh copy of snap confine and the appropriate apparmor profile.
 .PHONY: hack
-hack: snap-confine/snap-confine snap-confine/snap-confine.apparmor snap-update-ns/snap-update-ns snap-seccomp/snap-seccomp
-	sudo install -D -m 6755 snap-confine/snap-confine $(DESTDIR)$(libexecdir)/snap-confine
+hack: snap-confine/snap-confine-debug snap-confine/snap-confine.apparmor snap-update-ns/snap-update-ns snap-seccomp/snap-seccomp snap-discard-ns/snap-discard-ns
+	sudo install -D -m 6755 snap-confine/snap-confine-debug $(DESTDIR)$(libexecdir)/snap-confine
 	sudo install -m 644 snap-confine/snap-confine.apparmor $(DESTDIR)/etc/apparmor.d/$(patsubst .%,%,$(subst /,.,$(libexecdir))).snap-confine.real
 	sudo install -d -m 755 $(DESTDIR)/var/lib/snapd/apparmor/snap-confine/
 	sudo apparmor_parser -r snap-confine/snap-confine.apparmor
 	sudo install -m 755 snap-update-ns/snap-update-ns $(DESTDIR)$(libexecdir)/snap-update-ns
+	sudo install -m 755 snap-discard-ns/snap-discard-ns $(DESTDIR)$(libexecdir)/snap-discard-ns
 	sudo install -m 755 snap-seccomp/snap-seccomp $(DESTDIR)$(libexecdir)/snap-seccomp
 
 # for the hack target also:
@@ -74,6 +87,8 @@
 noinst_LIBRARIES += libsnap-confine-private.a
 
 libsnap_confine_private_a_SOURCES = \
+	libsnap-confine-private/apparmor-support.c \
+	libsnap-confine-private/apparmor-support.h \
 	libsnap-confine-private/cgroup-freezer-support.c \
 	libsnap-confine-private/cgroup-freezer-support.h \
 	libsnap-confine-private/classic.c \
@@ -84,6 +99,8 @@
 	libsnap-confine-private/error.h \
 	libsnap-confine-private/fault-injection.c \
 	libsnap-confine-private/fault-injection.h \
+	libsnap-confine-private/feature.c \
+	libsnap-confine-private/feature.h \
 	libsnap-confine-private/locking.c \
 	libsnap-confine-private/locking.h \
 	libsnap-confine-private/mount-opt.c \
@@ -98,6 +115,8 @@
 	libsnap-confine-private/snap.h \
 	libsnap-confine-private/string-utils.c \
 	libsnap-confine-private/string-utils.h \
+	libsnap-confine-private/tool.c \
+	libsnap-confine-private/tool.h \
 	libsnap-confine-private/utils.c \
 	libsnap-confine-private/utils.h
 libsnap_confine_private_a_CFLAGS = $(CHECK_CFLAGS)
@@ -113,6 +132,7 @@
 	libsnap-confine-private/cleanup-funcs-test.c \
 	libsnap-confine-private/error-test.c \
 	libsnap-confine-private/fault-injection-test.c \
+	libsnap-confine-private/feature-test.c \
 	libsnap-confine-private/locking-test.c \
 	libsnap-confine-private/mount-opt-test.c \
 	libsnap-confine-private/mountinfo-test.c \
@@ -120,8 +140,8 @@
 	libsnap-confine-private/secure-getenv-test.c \
 	libsnap-confine-private/snap-test.c \
 	libsnap-confine-private/string-utils-test.c \
-	libsnap-confine-private/test-utils.c \
 	libsnap-confine-private/test-utils-test.c \
+	libsnap-confine-private/test-utils.c \
 	libsnap-confine-private/unit-tests-main.c \
 	libsnap-confine-private/unit-tests.c \
 	libsnap-confine-private/unit-tests.h \
@@ -178,15 +198,13 @@
 
 libexec_PROGRAMS += snap-confine/snap-confine
 if HAVE_RST2MAN
-dist_man_MANS += snap-confine/snap-confine.1
-CLEANFILES += snap-confine/snap-confine.1
+dist_man_MANS += snap-confine/snap-confine.8
+CLEANFILES += snap-confine/snap-confine.8
 endif
 EXTRA_DIST += snap-confine/snap-confine.rst
 EXTRA_DIST += snap-confine/snap-confine.apparmor.in
 
 snap_confine_snap_confine_SOURCES = \
-	snap-confine/apparmor-support.c \
-	snap-confine/apparmor-support.h \
 	snap-confine/cookie-support.c \
 	snap-confine/cookie-support.h \
 	snap-confine/mount-support-nvidia.c \
@@ -195,8 +213,6 @@
 	snap-confine/mount-support.h \
 	snap-confine/ns-support.c \
 	snap-confine/ns-support.h \
-	snap-confine/quirks.c \
-	snap-confine/quirks.h \
 	snap-confine/snap-confine-args.c \
 	snap-confine/snap-confine-args.h \
 	snap-confine/snap-confine.c \
@@ -242,7 +258,7 @@
 	snap-confine/seccomp-support.h
 snap_confine_snap_confine_CFLAGS += $(SECCOMP_CFLAGS)
 if STATIC_LIBSECCOMP
-snap_confine_snap_confine_STATIC += $(shell pkg-config --static --libs libseccomp)
+snap_confine_snap_confine_STATIC += $(shell $(PKG_CONFIG) --static --libs libseccomp)
 else
 snap_confine_snap_confine_extra_libs += $(SECCOMP_LIBS)
 endif  # STATIC_LIBSECCOMP
@@ -251,7 +267,7 @@
 if APPARMOR
 snap_confine_snap_confine_CFLAGS += $(APPARMOR_CFLAGS)
 if STATIC_LIBAPPARMOR
-snap_confine_snap_confine_STATIC += $(shell pkg-config --static --libs libapparmor)
+snap_confine_snap_confine_STATIC += $(shell $(PKG_CONFIG) --static --libs libapparmor)
 else
 snap_confine_snap_confine_extra_libs += $(APPARMOR_LIBS)
 endif  # STATIC_LIBAPPARMOR
@@ -281,14 +297,11 @@
 	libsnap-confine-private/unit-tests-main.c \
 	libsnap-confine-private/unit-tests.c \
 	libsnap-confine-private/unit-tests.h \
-	snap-confine/apparmor-support.c \
-	snap-confine/apparmor-support.h \
 	snap-confine/cookie-support-test.c \
 	snap-confine/mount-support-test.c \
 	snap-confine/ns-support-test.c \
-	snap-confine/quirks.c \
-	snap-confine/quirks.h \
-	snap-confine/snap-confine-args-test.c
+	snap-confine/snap-confine-args-test.c \
+	snap-confine/snap-device-helper-test.c
 snap_confine_unit_tests_CFLAGS = $(snap_confine_snap_confine_CFLAGS) $(GLIB_CFLAGS)
 snap_confine_unit_tests_LDADD = $(snap_confine_snap_confine_LDADD) $(GLIB_LIBS)
 snap_confine_unit_tests_LDFLAGS = $(snap_confine_snap_confine_LDFLAGS)
@@ -303,8 +316,7 @@
 endif  # WITH_UNIT_TESTS
 
 if HAVE_RST2MAN
-snap-confine/%.1: snap-confine/%.rst
-	mkdir -p snap-confine
+%.8: %.rst
 	$(HAVE_RST2MAN) $^ > $@
 endif
 
@@ -340,7 +352,12 @@
 ## snap-mgmt
 ##
 
-libexec_PROGRAMS += snap-mgmt/snap-mgmt
+libexec_SCRIPTS = snap-mgmt/snap-mgmt
+CLEANFILES += snap-mgmt/$(am__dirstamp) snap-mgmt/snap-mgmt
+
+snap-mgmt/$(am__dirstamp):
+	mkdir -p $$(dirname $@)
+	touch $@
 
 snap-mgmt/snap-mgmt: snap-mgmt/snap-mgmt.sh.in Makefile snap-mgmt/$(am__dirstamp)
 	sed -e 's,[@]SNAP_MOUNT_DIR[@],$(SNAP_MOUNT_DIR),' <$< >$@
@@ -375,37 +392,18 @@
 
 libexec_PROGRAMS += snap-discard-ns/snap-discard-ns
 if HAVE_RST2MAN
-dist_man_MANS += snap-discard-ns/snap-discard-ns.5
-CLEANFILES += snap-discard-ns/snap-discard-ns.5
+dist_man_MANS += snap-discard-ns/snap-discard-ns.8
+CLEANFILES += snap-discard-ns/snap-discard-ns.8
 endif
 EXTRA_DIST += snap-discard-ns/snap-discard-ns.rst
 
 snap_discard_ns_snap_discard_ns_SOURCES = \
-	snap-confine/ns-support.c \
-	snap-confine/ns-support.h \
-	snap-confine/apparmor-support.c \
-	snap-confine/apparmor-support.h \
 	snap-discard-ns/snap-discard-ns.c
 snap_discard_ns_snap_discard_ns_CFLAGS = $(CHECK_CFLAGS) $(AM_CFLAGS)
 snap_discard_ns_snap_discard_ns_LDFLAGS = $(AM_LDFLAGS)
 snap_discard_ns_snap_discard_ns_LDADD = libsnap-confine-private.a
 snap_discard_ns_snap_discard_ns_STATIC =
 
-if APPARMOR
-snap_discard_ns_snap_discard_ns_CFLAGS += $(APPARMOR_CFLAGS)
-if STATIC_LIBAPPARMOR
-snap_discard_ns_snap_discard_ns_STATIC += $(shell pkg-config --static --libs libapparmor)
-else
-snap_discard_ns_snap_discard_ns_LDADD += $(APPARMOR_LIBS)
-endif  # STATIC_LIBAPPARMOR
-endif  # APPARMOR
-
-if STATIC_LIBCAP
-snap_discard_ns_snap_discard_ns_STATIC += -lcap
-else
-snap_discard_ns_snap_discard_ns_LDADD += -lcap
-endif  # STATIC_LIBCAP
-
 # Use a hacked rule if we're doing static build. This allows us to inject the LIBS += .. rule below.
 snap-discard-ns/snap-discard-ns$(EXEEXT): $(snap_discard_ns_snap_discard_ns_OBJECTS) $(snap_discard_ns_snap_discard_ns_DEPENDENCIES) $(EXTRA_snap_discard_ns_snap_discard_ns_DEPENDENCIES) snap-discard-ns/$(am__dirstamp)
 	@rm -f snap-discard-ns/snap-discard-ns$(EXEEXT)
@@ -413,12 +411,6 @@
 
 snap-discard-ns/snap-discard-ns$(EXEEXT): LIBS += -Wl,-Bstatic $(snap_discard_ns_snap_discard_ns_STATIC) -Wl,-Bdynamic -pthread
 
-if HAVE_RST2MAN
-snap-discard-ns/%.5: snap-discard-ns/%.rst
-	mkdir -p snap-discard-ns
-	$(HAVE_RST2MAN) $^ > $@
-endif
-
 ##
 ## system-shutdown
 ##
@@ -459,7 +451,36 @@
 ## snapd-generator
 ##
 
-libexec_PROGRAMS += snapd-generator/snapd-generator
+systemdsystemgeneratordir = $(SYSTEMD_SYSTEM_GENERATOR_DIR)
+systemdsystemgenerator_PROGRAMS = snapd-generator/snapd-generator
 
 snapd_generator_snapd_generator_SOURCES = snapd-generator/main.c
 snapd_generator_snapd_generator_LDADD = libsnap-confine-private.a
+
+##
+## snapd-env-generator
+##
+
+systemdsystemenvgeneratordir=$(SYSTEMD_SYSTEM_ENV_GENERATOR_DIR)
+systemdsystemenvgenerator_PROGRAMS = snapd-env-generator/snapd-env-generator
+
+snapd_env_generator_snapd_env_generator_SOURCES = snapd-env-generator/main.c
+snapd_env_generator_snapd_env_generator_LDADD = libsnap-confine-private.a
+EXTRA_DIST += snapd-env-generator/snapd-env-generator.rst
+
+if HAVE_RST2MAN
+dist_man_MANS += snapd-env-generator/snapd-env-generator.8
+CLEANFILES += snapd-env-generator/snapd-env-generator.8
+endif
+
+##
+## snapd-apparmor
+##
+
+EXTRA_DIST += snapd-apparmor/snapd-apparmor
+
+install-exec-local::
+	install -d -m 755 $(DESTDIR)$(libexecdir)
+if APPARMOR
+	install -m 755 $(srcdir)/snapd-apparmor/snapd-apparmor $(DESTDIR)$(libexecdir)
+endif
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_abort.go snapd-2.37~rc1~14.04/cmd/snap/cmd_abort.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_abort.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_abort.go	2019-01-16 08:36:51.000000000 +0000
@@ -50,11 +50,13 @@
 		return ErrExtraArgs
 	}
 
-	cli := Client()
-	id, err := x.GetChangeID(cli)
+	id, err := x.GetChangeID()
 	if err != nil {
+		if err == noChangeFoundOK {
+			return nil
+		}
 		return err
 	}
-	_, err = cli.Abort(id)
+	_, err = x.client.Abort(id)
 	return err
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_abort_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_abort_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_abort_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_abort_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,89 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"fmt"
+	"net/http"
+
+	"gopkg.in/check.v1"
+
+	snap "github.com/snapcore/snapd/cmd/snap"
+)
+
+func (s *SnapSuite) TestAbortLast(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		switch n {
+		case 1:
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/v2/changes")
+			fmt.Fprintln(w, mockChangesJSON)
+		case 2:
+			c.Check(r.Method, check.Equals, "POST")
+			c.Check(r.URL.Path, check.Equals, "/v2/changes/two")
+			c.Check(DecodedRequestBody(c, r), check.DeepEquals, map[string]interface{}{"action": "abort"})
+			fmt.Fprintln(w, mockChangeJSON)
+		default:
+			c.Errorf("expected 2 queries, currently on %d", n)
+		}
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"abort", "--last=install"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+
+	c.Assert(n, check.Equals, 2)
+}
+
+func (s *SnapSuite) TestAbortLastQuestionmark(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		c.Check(r.Method, check.Equals, "GET")
+		c.Assert(r.URL.Path, check.Equals, "/v2/changes")
+		switch n {
+		case 1, 2:
+			fmt.Fprintln(w, `{"type": "sync", "result": []}`)
+		case 3, 4:
+			fmt.Fprintln(w, mockChangesJSON)
+		default:
+			c.Errorf("expected 4 calls, now on %d", n)
+		}
+	})
+	for i := 0; i < 2; i++ {
+		rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"abort", "--last=foobar?"})
+		c.Assert(err, check.IsNil)
+		c.Assert(rest, check.DeepEquals, []string{})
+		c.Check(s.Stdout(), check.Matches, "")
+		c.Check(s.Stderr(), check.Equals, "")
+
+		_, err = snap.Parser(snap.Client()).ParseArgs([]string{"abort", "--last=foobar"})
+		if i == 0 {
+			c.Assert(err, check.ErrorMatches, `no changes found`)
+		} else {
+			c.Assert(err, check.ErrorMatches, `no changes of type "foobar" found`)
+		}
+	}
+
+	c.Check(n, check.Equals, 4)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_ack.go snapd-2.37~rc1~14.04/cmd/snap/cmd_ack.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_ack.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_ack.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,22 +23,24 @@
 	"fmt"
 	"io/ioutil"
 
-	"github.com/snapcore/snapd/i18n"
-
 	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/i18n"
 )
 
 type cmdAck struct {
+	clientMixin
 	AckOptions struct {
 		AssertionFile flags.Filename
 	} `positional-args:"true" required:"true"`
 }
 
-var shortAckHelp = i18n.G("Adds an assertion to the system")
+var shortAckHelp = i18n.G("Add an assertion to the system")
 var longAckHelp = i18n.G(`
 The ack command tries to add an assertion to the system assertion database.
 
-The assertion may also be a newer revision of a preexisting assertion that it
+The assertion may also be a newer revision of a pre-existing assertion that it
 will replace.
 
 To succeed the assertion must be valid, its signature verified with a known
@@ -50,27 +52,27 @@
 	addCommand("ack", shortAckHelp, longAckHelp, func() flags.Commander {
 		return &cmdAck{}
 	}, nil, []argDesc{{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+		// TRANSLATORS: This needs to begin with < and end with >
 		name: i18n.G("<assertion file>"),
-		// TRANSLATORS: This should probably not start with a lowercase letter.
+		// TRANSLATORS: This should not start with a lowercase letter.
 		desc: i18n.G("Assertion file"),
 	}})
 }
 
-func ackFile(assertFile string) error {
+func ackFile(cli *client.Client, assertFile string) error {
 	assertData, err := ioutil.ReadFile(assertFile)
 	if err != nil {
 		return err
 	}
 
-	return Client().Ack(assertData)
+	return cli.Ack(assertData)
 }
 
 func (x *cmdAck) Execute(args []string) error {
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
-	if err := ackFile(string(x.AckOptions.AssertionFile)); err != nil {
+	if err := ackFile(x.client, string(x.AckOptions.AssertionFile)); err != nil {
 		return fmt.Errorf("cannot assert: %v", err)
 	}
 	return nil
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_advise.go snapd-2.37~rc1~14.04/cmd/snap/cmd_advise.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_advise.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_advise.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,56 +20,84 @@
 package main
 
 import (
+	"bufio"
 	"encoding/json"
 	"fmt"
+	"io"
+	"net"
+	"os"
+	"strconv"
 
 	"github.com/jessevdk/go-flags"
 
 	"github.com/snapcore/snapd/advisor"
 	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/osutil"
 )
 
 type cmdAdviseSnap struct {
 	Positionals struct {
-		CommandOrPkg string `required:"yes"`
+		CommandOrPkg string
 	} `positional-args:"true"`
 
-	Format  string `long:"format" default:"pretty"`
-	Command bool   `long:"command"`
+	Format string `long:"format" default:"pretty" choice:"pretty" choice:"json"`
+	// Command makes advise try to find snaps that provide this command
+	Command bool `long:"command"`
+
+	// FromApt tells advise that it got started from an apt hook
+	// and needs to communicate over a socket
+	FromApt bool `long:"from-apt"`
 }
 
-var shortAdviseSnapHelp = i18n.G("Advise on available snaps.")
+var shortAdviseSnapHelp = i18n.G("Advise on available snaps")
 var longAdviseSnapHelp = i18n.G(`
-The advise-snap command shows what snaps with the given command are
-available.
+The advise-snap command searches for and suggests the installation of snaps.
+
+If --command is given, it suggests snaps that provide the given command.
+Otherwise it suggests snaps with the given name.
 `)
 
 func init() {
 	cmd := addCommand("advise-snap", shortAdviseSnapHelp, longAdviseSnapHelp, func() flags.Commander {
 		return &cmdAdviseSnap{}
 	}, map[string]string{
+		// TRANSLATORS: This should not start with a lowercase letter.
 		"command": i18n.G("Advise on snaps that provide the given command"),
-		"format":  i18n.G("Use the given output format (pretty or json)"),
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"from-apt": i18n.G("Advise will talk to apt via an apt hook"),
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"format": i18n.G("Use the given output format"),
 	}, []argDesc{
-		{name: "<command or pkg>"},
+		// TRANSLATORS: This needs to begin with < and end with >
+		{name: i18n.G("<command or pkg>")},
 	})
 	cmd.hidden = true
 }
 
 func outputAdviseExactText(command string, result []advisor.Command) error {
-	fmt.Fprintf(Stdout, i18n.G("The program %q can be found in the following snaps:\n"), command)
+	fmt.Fprintf(Stdout, "\n")
+	// TRANSLATORS: %q is a command name (like "gimp" or "loimpress")
+	fmt.Fprintf(Stdout, i18n.G("Command %q not found, but can be installed with:\n"), command)
+	fmt.Fprintf(Stdout, "\n")
 	for _, snap := range result {
-		fmt.Fprintf(Stdout, " * %s\n", snap.Snap)
+		fmt.Fprintf(Stdout, "sudo snap install %s\n", snap.Snap)
 	}
-	fmt.Fprintf(Stdout, i18n.G("Try: snap install <selected snap>\n"))
+	fmt.Fprintf(Stdout, "\n")
+	fmt.Fprintln(Stdout, i18n.G("See 'snap info <snap name>' for additional versions."))
+	fmt.Fprintf(Stdout, "\n")
 	return nil
 }
 
 func outputAdviseMisspellText(command string, result []advisor.Command) error {
-	fmt.Fprintf(Stdout, i18n.G("No command %q found, did you mean:\n"), command)
+	fmt.Fprintf(Stdout, "\n")
+	fmt.Fprintf(Stdout, i18n.G("Command %q not found, did you mean:\n"), command)
+	fmt.Fprintf(Stdout, "\n")
 	for _, snap := range result {
-		fmt.Fprintf(Stdout, " Command %q from snap %q\n", snap.Command, snap.Snap)
+		fmt.Fprintf(Stdout, i18n.G(" command %q from snap %q\n"), snap.Command, snap.Snap)
 	}
+	fmt.Fprintf(Stdout, "\n")
+	fmt.Fprintln(Stdout, i18n.G("See 'snap info <snap name>' for additional versions."))
+	fmt.Fprintf(Stdout, "\n")
 	return nil
 }
 
@@ -79,11 +107,126 @@
 	return nil
 }
 
+type jsonRPC struct {
+	JsonRPC string `json:"jsonrpc"`
+	Method  string `json:"method"`
+	Params  struct {
+		Command         string   `json:"command"`
+		SearchTerms     []string `json:"search-terms"`
+		UnknownPackages []string `json:"unknown-packages"`
+	}
+}
+
+// readRpc reads a apt json rpc protocol 0.1 message as described in
+// https://salsa.debian.org/apt-team/apt/blob/master/doc/json-hooks-protocol.md#wire-protocol
+func readRpc(r *bufio.Reader) (*jsonRPC, error) {
+	line, err := r.ReadBytes('\n')
+	if err != nil && err != io.EOF {
+		return nil, fmt.Errorf("cannot read json-rpc: %v", err)
+	}
+	if osutil.GetenvBool("SNAP_APT_HOOK_DEBUG") {
+		fmt.Fprintf(os.Stderr, "%s\n", line)
+	}
+
+	var rpc jsonRPC
+	if err := json.Unmarshal(line, &rpc); err != nil {
+		return nil, err
+	}
+	// empty \n
+	emptyNL, _, err := r.ReadLine()
+	if err != nil {
+		return nil, err
+	}
+	if string(emptyNL) != "" {
+		return nil, fmt.Errorf("unexpected line: %q (empty)", emptyNL)
+	}
+
+	return &rpc, nil
+}
+
+func adviseViaAptHook() error {
+	sockFd := os.Getenv("APT_HOOK_SOCKET")
+	if sockFd == "" {
+		return fmt.Errorf("cannot find APT_HOOK_SOCKET env")
+	}
+	fd, err := strconv.Atoi(sockFd)
+	if err != nil {
+		return fmt.Errorf("expected APT_HOOK_SOCKET to be a decimal integer, found %q", sockFd)
+	}
+
+	f := os.NewFile(uintptr(fd), "apt-hook-socket")
+	if f == nil {
+		return fmt.Errorf("cannot open file descriptor %v", fd)
+	}
+	defer f.Close()
+
+	conn, err := net.FileConn(f)
+	if err != nil {
+		return fmt.Errorf("cannot connect to %v: %v", fd, err)
+	}
+	defer conn.Close()
+
+	r := bufio.NewReader(conn)
+
+	// handshake
+	rpc, err := readRpc(r)
+	if err != nil {
+		return err
+	}
+	if rpc.Method != "org.debian.apt.hooks.hello" {
+		return fmt.Errorf("expected 'hello' method, got: %v", rpc.Method)
+	}
+	if _, err := conn.Write([]byte(`{"jsonrpc":"2.0","id":0,"result":{"version":"0.1"}}` + "\n\n")); err != nil {
+		return err
+	}
+
+	// payload
+	rpc, err = readRpc(r)
+	if err != nil {
+		return err
+	}
+	if rpc.Method == "org.debian.apt.hooks.install.fail" {
+		for _, pkgName := range rpc.Params.UnknownPackages {
+			match, err := advisor.FindPackage(pkgName)
+			if err == nil && match != nil {
+				fmt.Fprintf(Stdout, "\n")
+				fmt.Fprintf(Stdout, i18n.G("No apt package %q, but there is a snap with that name.\n"), pkgName)
+				fmt.Fprintf(Stdout, i18n.G("Try \"snap install %s\"\n"), pkgName)
+				fmt.Fprintf(Stdout, "\n")
+			}
+		}
+
+	}
+	// if rpc.Method == "org.debian.apt.hooks.search.post" {
+	// 	// FIXME: do a snap search here
+	// 	// FIXME2: figure out why apt does not tell us the search results
+	// }
+
+	// bye
+	rpc, err = readRpc(r)
+	if err != nil {
+		return err
+	}
+	if rpc.Method != "org.debian.apt.hooks.bye" {
+		return fmt.Errorf("expected 'bye' method, got: %v", rpc.Method)
+	}
+
+	return nil
+}
+
 func (x *cmdAdviseSnap) Execute(args []string) error {
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
 
+	if x.FromApt {
+		return adviseViaAptHook()
+	}
+
+	if len(x.Positionals.CommandOrPkg) == 0 {
+		return fmt.Errorf("the required argument `<command or pkg>` was not provided")
+	}
+
 	if x.Command {
 		return adviseCommand(x.Positionals.CommandOrPkg, x.Format)
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_advise_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_advise_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_advise_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_advise_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,7 +20,14 @@
 package main_test
 
 import (
+	"bufio"
+	"bytes"
 	"fmt"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"syscall"
 
 	. "gopkg.in/check.v1"
 
@@ -65,13 +72,17 @@
 	restore := advisor.ReplaceCommandsFinder(mkSillyFinder)
 	defer restore()
 
-	rest, err := snap.Parser().ParseArgs([]string{"advise-snap", "--command", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"advise-snap", "--command", "hello"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
-	c.Assert(s.Stdout(), Equals, `The program "hello" can be found in the following snaps:
- * hello
- * hello-wcm
-Try: snap install <selected snap>
+	c.Assert(s.Stdout(), Equals, `
+Command "hello" not found, but can be installed with:
+
+sudo snap install hello
+sudo snap install hello-wcm
+
+See 'snap info <snap name>' for additional versions.
+
 `)
 	c.Assert(s.Stderr(), Equals, "")
 }
@@ -80,7 +91,7 @@
 	restore := advisor.ReplaceCommandsFinder(mkSillyFinder)
 	defer restore()
 
-	rest, err := snap.Parser().ParseArgs([]string{"advise-snap", "--command", "--format=json", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"advise-snap", "--command", "--format=json", "hello"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, `[{"Snap":"hello","Command":"hello"},{"Snap":"hello-wcm","Command":"hello"}]`+"\n")
@@ -94,9 +105,14 @@
 	for _, misspelling := range []string{"helo", "0hello", "hell0", "hello0"} {
 		err := snap.AdviseCommand(misspelling, "pretty")
 		c.Assert(err, IsNil)
-		c.Assert(s.Stdout(), Equals, fmt.Sprintf(`No command "%s" found, did you mean:
- Command "hello" from snap "hello"
- Command "hello" from snap "hello-wcm"
+		c.Assert(s.Stdout(), Equals, fmt.Sprintf(`
+Command "%s" not found, did you mean:
+
+ command "hello" from snap "hello"
+ command "hello" from snap "hello-wcm"
+
+See 'snap info <snap name>' for additional versions.
+
 `, misspelling))
 		c.Assert(s.Stderr(), Equals, "")
 
@@ -104,3 +120,124 @@
 		s.stderr.Reset()
 	}
 }
+
+func (s *SnapSuite) TestAdviseFromAptIntegrationNoAptPackage(c *C) {
+	restore := advisor.ReplaceCommandsFinder(mkSillyFinder)
+	defer restore()
+
+	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
+	c.Assert(err, IsNil)
+
+	os.Setenv("APT_HOOK_SOCKET", strconv.Itoa(int(fds[1])))
+	// note we don't close fds[1] ourselves; adviseViaAptHook might, or we might leak it
+	// (we don't close it here to avoid accidentally closing an arbitrary file descriptor that reused the number)
+
+	done := make(chan bool, 1)
+	go func() {
+		f := os.NewFile(uintptr(fds[0]), "advise-sock")
+		conn, err := net.FileConn(f)
+		c.Assert(err, IsNil)
+		defer conn.Close()
+		defer f.Close()
+
+		// handshake
+		_, err = conn.Write([]byte(`{"jsonrpc":"2.0","method":"org.debian.apt.hooks.hello","id":0,"params":{"versions":["0.1"]}}` + "\n\n"))
+		c.Assert(err, IsNil)
+
+		// reply from snap
+		r := bufio.NewReader(conn)
+		buf, _, err := r.ReadLine()
+		c.Assert(err, IsNil)
+		c.Assert(string(buf), Equals, `{"jsonrpc":"2.0","id":0,"result":{"version":"0.1"}}`)
+		// plus empty line
+		buf, _, err = r.ReadLine()
+		c.Assert(err, IsNil)
+		c.Assert(string(buf), Equals, ``)
+
+		// payload
+		_, err = conn.Write([]byte(`{"jsonrpc":"2.0","method":"org.debian.apt.hooks.install.fail","params":{"command":"install","search-terms":["aws-cli"],"unknown-packages":["hello"],"packages":[]}}` + "\n\n"))
+		c.Assert(err, IsNil)
+
+		// bye
+		_, err = conn.Write([]byte(`{"jsonrpc":"2.0","method":"org.debian.apt.hooks.bye","params":{}}` + "\n\n"))
+		c.Assert(err, IsNil)
+
+		done <- true
+	}()
+
+	cmd := snap.CmdAdviseSnap()
+	cmd.FromApt = true
+	err = cmd.Execute(nil)
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, `
+No apt package "hello", but there is a snap with that name.
+Try "snap install hello"
+
+`)
+	c.Assert(s.Stderr(), Equals, "")
+	c.Assert(<-done, Equals, true)
+}
+
+func (s *SnapSuite) TestReadRpc(c *C) {
+	rpc := strings.Replace(`
+{
+    "jsonrpc": "2.0",
+    "method": "org.debian.apt.hooks.install.pre-prompt",
+    "params": {
+        "command": "install",
+        "packages": [
+            {
+                "architecture": "amd64",
+                "automatic": false,
+                "id": 38033,
+                "mode": "install",
+                "name": "hello",
+                "versions": {
+                    "candidate": {
+                        "architecture": "amd64",
+                        "id": 22712,
+                        "pin": 500,
+                        "version": "4:17.12.3-1ubuntu1"
+                    },
+                    "install": {
+                        "architecture": "amd64",
+                        "id": 22712,
+                        "pin": 500,
+                        "version": "4:17.12.3-1ubuntu1"
+                    }
+                }
+            },
+            {
+                "architecture": "amd64",
+                "automatic": true,
+                "id": 38202,
+                "mode": "install",
+                "name": "hello-kpart",
+                "versions": {
+                    "candidate": {
+                        "architecture": "amd64",
+                        "id": 22713,
+                        "pin": 500,
+                        "version": "4:17.12.3-1ubuntu1"
+                    },
+                    "install": {
+                        "architecture": "amd64",
+                        "id": 22713,
+                        "pin": 500,
+                        "version": "4:17.12.3-1ubuntu1"
+                    }
+                }
+            }
+        ],
+        "search-terms": [
+            "hello"
+        ],
+        "unknown-packages": []
+    }
+}`, "\n", "", -1)
+	// all apt rpc ends with \n\n
+	rpc = rpc + "\n\n"
+	// this can be parsed without errors
+	_, err := snap.ReadRpc(bufio.NewReader(bytes.NewBufferString(rpc)))
+	c.Assert(err, IsNil)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_aliases.go snapd-2.37~rc1~14.04/cmd/snap/cmd_aliases.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_aliases.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_aliases.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,12 +31,13 @@
 )
 
 type cmdAliases struct {
+	clientMixin
 	Positionals struct {
 		Snap installedSnapName `positional-arg-name:"<snap>"`
 	} `positional-args:"true"`
 }
 
-var shortAliasesHelp = i18n.G("Lists aliases in the system")
+var shortAliasesHelp = i18n.G("List aliases in the system")
 var longAliasesHelp = i18n.G(`
 The aliases command lists all aliases available in the system and their status.
 
@@ -45,8 +46,8 @@
 Lists only the aliases defined by the specified snap.
 
 An alias noted as undefined means it was explicitly enabled or disabled but is
-not defined in the current revision of the snap; possibly temporarely (e.g
-because of a revert), if not this can be cleared with snap alias --reset.
+not defined in the current revision of the snap, possibly temporarily (e.g.
+because of a revert). This can cleared with 'snap alias --reset'.
 `)
 
 func init() {
@@ -89,7 +90,7 @@
 		return ErrExtraArgs
 	}
 
-	allStatuses, err := Client().Aliases()
+	allStatuses, err := x.client.Aliases()
 	if err != nil {
 		return err
 	}
@@ -140,7 +141,7 @@
 		} else {
 			fmt.Fprintln(Stderr, i18n.G("No aliases are currently defined."))
 		}
-		fmt.Fprintln(Stderr, i18n.G("\nUse snap alias --help to learn how to create aliases manually."))
+		fmt.Fprintln(Stderr, i18n.G("\nUse 'snap help alias' to learn how to create aliases manually."))
 	}
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_aliases_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_aliases_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_aliases_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_aliases_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,7 +31,7 @@
 
 func (s *SnapSuite) TestAliasesHelp(c *C) {
 	msg := `Usage:
-  snap.test [OPTIONS] aliases [<snap>]
+  snap.test aliases [<snap>]
 
 The aliases command lists all aliases available in the system and their status.
 
@@ -40,18 +40,10 @@
 Lists only the aliases defined by the specified snap.
 
 An alias noted as undefined means it was explicitly enabled or disabled but is
-not defined in the current revision of the snap; possibly temporarely (e.g
-because of a revert), if not this can be cleared with snap alias --reset.
-
-Application Options:
-      --version     Print the version and exit
-
-Help Options:
-  -h, --help        Show this help message
+not defined in the current revision of the snap, possibly temporarily (e.g.
+because of a revert). This can cleared with 'snap alias --reset'.
 `
-	rest, err := Parser().ParseArgs([]string{"aliases", "--help"})
-	c.Assert(err.Error(), Equals, msg)
-	c.Assert(rest, DeepEquals, []string{})
+	s.testSubCommandHelp(c, "aliases", msg)
 }
 
 func (s *SnapSuite) TestAliases(c *C) {
@@ -76,7 +68,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"aliases"})
+	rest, err := Parser(Client()).ParseArgs([]string{"aliases"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -111,7 +103,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"aliases", "foo"})
+	rest, err := Parser(Client()).ParseArgs([]string{"aliases", "foo"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -134,10 +126,10 @@
 			"result": map[string]map[string]client.AliasStatus{},
 		})
 	})
-	_, err := Parser().ParseArgs([]string{"aliases"})
+	_, err := Parser(Client()).ParseArgs([]string{"aliases"})
 	c.Assert(err, IsNil)
 	c.Assert(s.Stdout(), Equals, "")
-	c.Assert(s.Stderr(), Equals, "No aliases are currently defined.\n\nUse snap alias --help to learn how to create aliases manually.\n")
+	c.Assert(s.Stderr(), Equals, "No aliases are currently defined.\n\nUse 'snap help alias' to learn how to create aliases manually.\n")
 }
 
 func (s *SnapSuite) TestAliasesNoneFilterSnap(c *C) {
@@ -155,10 +147,10 @@
 				}},
 		})
 	})
-	_, err := Parser().ParseArgs([]string{"aliases", "not-bar"})
+	_, err := Parser(Client()).ParseArgs([]string{"aliases", "not-bar"})
 	c.Assert(err, IsNil)
 	c.Assert(s.Stdout(), Equals, "")
-	c.Assert(s.Stderr(), Equals, "No aliases are currently defined for snap \"not-bar\".\n\nUse snap alias --help to learn how to create aliases manually.\n")
+	c.Assert(s.Stderr(), Equals, "No aliases are currently defined for snap \"not-bar\".\n\nUse 'snap help alias' to learn how to create aliases manually.\n")
 }
 
 func (s *SnapSuite) TestAliasesSorting(c *C) {
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_alias.go snapd-2.37~rc1~14.04/cmd/snap/cmd_alias.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_alias.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_alias.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,6 +32,7 @@
 )
 
 type cmdAlias struct {
+	waitMixin
 	Positionals struct {
 		SnapApp appName `required:"yes"`
 		Alias   string  `required:"yes"`
@@ -40,19 +41,20 @@
 
 // TODO: implement a completer for snapApp
 
-var shortAliasHelp = i18n.G("Sets up a manual alias")
+var shortAliasHelp = i18n.G("Set up a manual alias")
 var longAliasHelp = i18n.G(`
 The alias command aliases the given snap application to the given alias.
 
-Once this manual alias is setup the respective application command can be invoked just using the alias.
+Once this manual alias is setup the respective application command can be
+invoked just using the alias.
 `)
 
 func init() {
 	addCommand("alias", shortAliasHelp, longAliasHelp, func() flags.Commander {
 		return &cmdAlias{}
-	}, nil, []argDesc{
+	}, waitDescs, []argDesc{
 		{name: "<snap.app>"},
-		// TRANSLATORS: This needs to be wrapped in <>s.
+		// TRANSLATORS: This needs to begin with < and end with >
 		{name: i18n.G("<alias>")},
 	})
 }
@@ -65,21 +67,19 @@
 	snapName, appName := snap.SplitSnapApp(string(x.Positionals.SnapApp))
 	alias := x.Positionals.Alias
 
-	cli := Client()
-	id, err := cli.Alias(snapName, appName, alias)
+	id, err := x.client.Alias(snapName, appName, alias)
 	if err != nil {
 		return err
 	}
-
-	chg, err := wait(cli, id)
+	chg, err := x.wait(id)
 	if err != nil {
-		return err
-	}
-	if err := showAliasChanges(chg); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
-	return nil
+	return showAliasChanges(chg)
 }
 
 type changedAlias struct {
@@ -98,9 +98,11 @@
 	}
 	w := tabwriter.NewWriter(Stdout, 2, 2, 1, ' ', 0)
 	if len(added) != 0 {
+		// TRANSLATORS: this is used to introduce a list of aliases that were added
 		printChangedAliases(w, i18n.G("Added"), added)
 	}
 	if len(removed) != 0 {
+		// TRANSLATORS: this is used to introduce a list of aliases that were removed
 		printChangedAliases(w, i18n.G("Removed"), removed)
 	}
 	w.Flush()
@@ -110,6 +112,7 @@
 func printChangedAliases(w io.Writer, label string, changed []*changedAlias) {
 	fmt.Fprintf(w, "%s:\n", label)
 	for _, a := range changed {
-		fmt.Fprintf(w, "\t- %s as %s\n", snap.JoinSnapApp(a.Snap, a.App), a.Alias)
+		// TRANSLATORS: the first %s is a snap command (e.g. "hello-world.echo"), the second is the alias
+		fmt.Fprintf(w, i18n.G("\t- %s as %s\n"), snap.JoinSnapApp(a.Snap, a.App), a.Alias)
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_alias_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_alias_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_alias_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_alias_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,22 +30,18 @@
 
 func (s *SnapSuite) TestAliasHelp(c *C) {
 	msg := `Usage:
-  snap.test [OPTIONS] alias [<snap.app>] [<alias>]
+  snap.test alias [alias-OPTIONS] [<snap.app>] [<alias>]
 
 The alias command aliases the given snap application to the given alias.
 
 Once this manual alias is setup the respective application command can be
 invoked just using the alias.
 
-Application Options:
-      --version         Print the version and exit
-
-Help Options:
-  -h, --help            Show this help message
+[alias command options]
+      --no-wait       Do not wait for the operation to finish but just print
+                      the change id.
 `
-	rest, err := Parser().ParseArgs([]string{"alias", "--help"})
-	c.Assert(err.Error(), Equals, msg)
-	c.Assert(rest, DeepEquals, []string{})
+	s.testSubCommandHelp(c, "alias", msg)
 }
 
 func (s *SnapSuite) TestAlias(c *C) {
@@ -67,7 +63,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"alias", "alias-snap.cmd1", "alias1"})
+	rest, err := Parser(Client()).ParseArgs([]string{"alias", "alias-snap.cmd1", "alias1"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, ""+
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_auto_import.go snapd-2.37~rc1~14.04/cmd/snap/cmd_auto_import.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_auto_import.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_auto_import.go	2019-01-16 08:36:51.000000000 +0000
@@ -127,7 +127,7 @@
 	return osutil.CopyFile(src, dst, osutil.CopyFlagOverwrite)
 }
 
-func autoImportFromSpool() (added int, err error) {
+func autoImportFromSpool(cli *client.Client) (added int, err error) {
 	files, err := ioutil.ReadDir(dirs.SnapAssertsSpoolDir)
 	if os.IsNotExist(err) {
 		return 0, nil
@@ -138,7 +138,7 @@
 
 	for _, fi := range files {
 		cand := filepath.Join(dirs.SnapAssertsSpoolDir, fi.Name())
-		if err := ackFile(cand); err != nil {
+		if err := ackFile(cli, cand); err != nil {
 			logger.Noticef("error: cannot import %s: %s", cand, err)
 			continue
 		} else {
@@ -154,7 +154,7 @@
 	return added, nil
 }
 
-func autoImportFromAllMounts() (int, error) {
+func autoImportFromAllMounts(cli *client.Client) (int, error) {
 	cands, err := autoImportCandidates()
 	if err != nil {
 		return 0, err
@@ -162,7 +162,7 @@
 
 	added := 0
 	for _, cand := range cands {
-		err := ackFile(cand)
+		err := ackFile(cli, cand)
 		// the server is not ready yet
 		if _, ok := err.(client.ConnectionError); ok {
 			logger.Noticef("queuing for later %s", cand)
@@ -214,23 +214,24 @@
 }
 
 type cmdAutoImport struct {
+	clientMixin
 	Mount []string `long:"mount" arg-name:"<device path>"`
 
 	ForceClassic bool `long:"force-classic"`
 }
 
-var shortAutoImportHelp = i18n.G("Inspects devices for actionable information")
+var shortAutoImportHelp = i18n.G("Inspect devices for actionable information")
 
 var longAutoImportHelp = i18n.G(`
 The auto-import command searches available mounted devices looking for
 assertions that are signed by trusted authorities, and potentially
 performs system changes based on them.
 
-If one or more device paths are provided via --mount, these are temporariy
+If one or more device paths are provided via --mount, these are temporarily
 mounted to be inspected as well. Even in that case the command will still
 consider all available mounted devices for inspection.
 
-Imported assertions must be made available in the auto-import.assert file
+Assertions to be imported must be made available in the auto-import.assert file
 in the root of the filesystem.
 `)
 
@@ -241,15 +242,19 @@
 		func() flags.Commander {
 			return &cmdAutoImport{}
 		}, map[string]string{
-			"mount":         i18n.G("Temporarily mount device before inspecting"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"mount": i18n.G("Temporarily mount device before inspecting"),
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"force-classic": i18n.G("Force import on classic systems"),
 		}, nil)
 	cmd.hidden = true
 }
 
-func autoAddUsers() error {
+func (x *cmdAutoImport) autoAddUsers() error {
 	cmd := cmdCreateUser{
-		Known: true, Sudoer: true,
+		clientMixin: x.clientMixin,
+		Known:       true,
+		Sudoer:      true,
 	}
 	return cmd.Execute(nil)
 }
@@ -282,18 +287,18 @@
 		defer doUmount(mp)
 	}
 
-	added1, err := autoImportFromSpool()
+	added1, err := autoImportFromSpool(x.client)
 	if err != nil {
 		return err
 	}
 
-	added2, err := autoImportFromAllMounts()
+	added2, err := autoImportFromAllMounts(x.client)
 	if err != nil {
 		return err
 	}
 
 	if added1+added2 > 0 {
-		return autoAddUsers()
+		return x.autoAddUsers()
 	}
 
 	return nil
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_auto_import_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_auto_import_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_auto_import_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_auto_import_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -88,7 +88,7 @@
 	logbuf, restore := logger.MockLogger()
 	defer restore()
 
-	rest, err := snap.Parser().ParseArgs([]string{"auto-import"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"auto-import"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Equals, `created user "foo"`+"\n")
@@ -120,7 +120,7 @@
 	restore = snap.MockMountInfoPath(makeMockMountInfo(c, content))
 	defer restore()
 
-	rest, err := snap.Parser().ParseArgs([]string{"auto-import"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"auto-import"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Equals, "")
@@ -175,7 +175,7 @@
 	restore = snap.MockMountInfoPath(makeMockMountInfo(c, content))
 	defer restore()
 
-	rest, err := snap.Parser().ParseArgs([]string{"auto-import"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"auto-import"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Equals, "")
@@ -204,7 +204,7 @@
 	restore = snap.MockMountInfoPath(makeMockMountInfo(c, content))
 	defer restore()
 
-	rest, err := snap.Parser().ParseArgs([]string{"auto-import"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"auto-import"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Equals, "")
@@ -261,7 +261,7 @@
 	logbuf, restore := logger.MockLogger()
 	defer restore()
 
-	rest, err := snap.Parser().ParseArgs([]string{"auto-import"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"auto-import"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Equals, `created user "foo"`+"\n")
@@ -297,6 +297,6 @@
 	restore = snap.MockMountInfoPath(makeMockMountInfo(c, content))
 	defer restore()
 
-	_, err = snap.Parser().ParseArgs([]string{"auto-import"})
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"auto-import"})
 	c.Assert(err, ErrorMatches, "cannot queue .*, file size too big: 656384")
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_blame_generated.go snapd-2.37~rc1~14.04/cmd/snap/cmd_blame_generated.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_blame_generated.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_blame_generated.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,7 @@
+package main
+
+// generated by mkauthors.sh; do not edit
+
+func init() {
+	authors = []string{"Mark Shuttleworth", "Gustavo Niemeyer", "Sergio Schvezov", "Simon Fels", "Kyle Fazzari", "Leo Arias", "Sergio Cazzolato", "Gustavo Niemeyer", "Federico Gimenez", "Maciej Borzecki", "Jamie Strandboge", "Pawel Stolowski", "John R. Lenton", "Samuele Pedroni", "Zygmunt Krynicki", "Michael Vogt"}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_blame.go snapd-2.37~rc1~14.04/cmd/snap/cmd_blame.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_blame.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_blame.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,55 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+//go:generate mkauthors.sh
+
+import (
+	"fmt"
+	"math/rand"
+
+	"github.com/jessevdk/go-flags"
+)
+
+type cmdBlame struct{}
+
+var authors []string
+
+func init() {
+	cmd := addCommand("blame",
+		"",
+		"",
+		func() flags.Commander {
+			return &cmdBlame{}
+		}, nil, nil)
+	cmd.hidden = true
+}
+
+func (x *cmdBlame) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+	if len(authors) == 0 {
+		return nil
+	}
+
+	fmt.Fprintf(Stdout, "It's all %s's fault.\n", authors[rand.Intn(len(authors))])
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_booted.go snapd-2.37~rc1~14.04/cmd/snap/cmd_booted.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_booted.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_booted.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,8 +29,8 @@
 
 func init() {
 	cmd := addCommand("booted",
-		"internal",
-		"internal",
+		"Internal",
+		"The booted command is only retained for backwards compatibility.",
 		func() flags.Commander {
 			return &cmdBooted{}
 		}, nil, nil)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_buy.go snapd-2.37~rc1~14.04/cmd/snap/cmd_buy.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_buy.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_buy.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,30 +25,31 @@
 
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/i18n"
-	"github.com/snapcore/snapd/store"
 
 	"github.com/jessevdk/go-flags"
 )
 
-var shortBuyHelp = i18n.G("Buys a snap")
+var shortBuyHelp = i18n.G("Buy a snap")
 var longBuyHelp = i18n.G(`
 The buy command buys a snap from the store.
 `)
 
 type cmdBuy struct {
+	clientMixin
 	Positional struct {
 		SnapName remoteSnapName
 	} `positional-args:"yes" required:"yes"`
 }
 
 func init() {
-	addCommand("buy", shortBuyHelp, longBuyHelp, func() flags.Commander {
+	cmd := addCommand("buy", shortBuyHelp, longBuyHelp, func() flags.Commander {
 		return &cmdBuy{}
 	}, map[string]string{}, []argDesc{{
 		name: "<snap>",
-		// TRANSLATORS: This should probably not start with a lowercase letter.
+		// TRANSLATORS: This should not start with a lowercase letter.
 		desc: i18n.G("Snap name"),
 	}})
+	cmd.hidden = true
 }
 
 func (x *cmdBuy) Execute(args []string) error {
@@ -56,12 +57,10 @@
 		return ErrExtraArgs
 	}
 
-	return buySnap(string(x.Positional.SnapName))
+	return buySnap(x.client, string(x.Positional.SnapName))
 }
 
-func buySnap(snapName string) error {
-	cli := Client()
-
+func buySnap(cli *client.Client, snapName string) error {
 	user := cli.LoggedInUser()
 	if user == nil {
 		return fmt.Errorf(i18n.G("You need to be logged in to purchase software. Please run 'snap login' and try again."))
@@ -76,7 +75,7 @@
 		return err
 	}
 
-	opts := &store.BuyOptions{
+	opts := &client.BuyOptions{
 		SnapID:   snap.ID,
 		Currency: resultInfo.SuggestedCurrency,
 	}
@@ -109,10 +108,10 @@
 
 	// TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
 	fmt.Fprintf(Stdout, i18n.G(`Please re-enter your Ubuntu One password to purchase %q from %q
-for %s. Press ctrl-c to cancel.`), snap.Name, snap.Developer, formatPrice(opts.Price, opts.Currency))
+for %s. Press ctrl-c to cancel.`), snap.Name, snap.Publisher.Username, formatPrice(opts.Price, opts.Currency))
 	fmt.Fprint(Stdout, "\n")
 
-	err = requestLogin(user.Email)
+	err = requestLogin(cli, user.Email)
 	if err != nil {
 		return err
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_buy_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_buy_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_buy_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_buy_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -89,7 +89,7 @@
 }
 
 func (s *BuySnapSuite) TestBuyHelp(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"buy"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy"})
 	c.Assert(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, "the required argument `<snap>` was not provided")
 	c.Check(s.Stdout(), check.Equals, "")
@@ -97,13 +97,13 @@
 }
 
 func (s *BuySnapSuite) TestBuyInvalidCharacters(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"buy", "a:b"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy", "a:b"})
 	c.Assert(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, "cannot buy snap: invalid characters in name")
 	c.Check(s.Stdout(), check.Equals, "")
 	c.Check(s.Stderr(), check.Equals, "")
 
-	_, err = snap.Parser().ParseArgs([]string{"buy", "c*d"})
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"buy", "c*d"})
 	c.Assert(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, "cannot buy snap: invalid characters in name")
 	c.Check(s.Stdout(), check.Equals, "")
@@ -121,6 +121,12 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 65536,
       "icon": "",
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
@@ -155,7 +161,7 @@
 	defer mockServer.checkCounts()
 	s.RedirectClientToTestServer(mockServer.serveHttp)
 
-	rest, err := snap.Parser().ParseArgs([]string{"buy", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy", "hello"})
 	c.Assert(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, "cannot buy snap: snap is free")
 	c.Assert(rest, check.DeepEquals, []string{"hello"})
@@ -174,6 +180,12 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 65536,
       "icon": "",
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
@@ -294,7 +306,7 @@
 	// Confirm the purchase.
 	s.password = "the password"
 
-	rest, err := snap.Parser().ParseArgs([]string{"buy", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy", "hello"})
 	c.Check(err, check.IsNil)
 	c.Check(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `Please re-enter your Ubuntu One password to purchase "hello" from "canonical"
@@ -355,7 +367,7 @@
 	// Confirm the purchase.
 	s.password = "the password"
 
-	rest, err := snap.Parser().ParseArgs([]string{"buy", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy", "hello"})
 	c.Assert(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, `Sorry, your payment method has been declined by the issuer. Please review your
 payment details at https://my.ubuntu.com/payment/edit and try again.`)
@@ -392,7 +404,7 @@
 	defer mockServer.checkCounts()
 	s.RedirectClientToTestServer(mockServer.serveHttp)
 
-	rest, err := snap.Parser().ParseArgs([]string{"buy", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy", "hello"})
 	c.Assert(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, `You need to have a payment method associated with your account in order to buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.
 
@@ -427,7 +439,7 @@
 	defer mockServer.checkCounts()
 	s.RedirectClientToTestServer(mockServer.serveHttp)
 
-	rest, err := snap.Parser().ParseArgs([]string{"buy", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy", "hello"})
 	c.Assert(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, `In order to buy "hello", you need to agree to the latest terms and conditions. Please visit https://my.ubuntu.com/payment/edit to do this.
 
@@ -441,7 +453,7 @@
 	// We don't login here
 	s.Logout(c)
 
-	rest, err := snap.Parser().ParseArgs([]string{"buy", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"buy", "hello"})
 	c.Check(err, check.NotNil)
 	c.Check(err.Error(), check.Equals, "You need to be logged in to purchase software. Please run 'snap login' and try again.")
 	c.Check(rest, check.DeepEquals, []string{"hello"})
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_can_manage_refreshes.go snapd-2.37~rc1~14.04/cmd/snap/cmd_can_manage_refreshes.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_can_manage_refreshes.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_can_manage_refreshes.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,9 @@
 	"github.com/jessevdk/go-flags"
 )
 
-type cmdCanManageRefreshes struct{}
+type cmdCanManageRefreshes struct {
+	clientMixin
+}
 
 func init() {
 	cmd := addDebugCommand("can-manage-refreshes",
@@ -33,7 +35,7 @@
 		"(internal) return if refresh.schedule=managed can be used",
 		func() flags.Commander {
 			return &cmdCanManageRefreshes{}
-		})
+		}, nil, nil)
 	cmd.hidden = true
 }
 
@@ -43,7 +45,7 @@
 	}
 
 	var resp bool
-	if err := Client().Debug("can-manage-refreshes", nil, &resp); err != nil {
+	if err := x.client.Debug("can-manage-refreshes", nil, &resp); err != nil {
 		return err
 	}
 	fmt.Fprintf(Stdout, "%v\n", resp)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_changes.go snapd-2.37~rc1~14.04/cmd/snap/cmd_changes.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_changes.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_changes.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,7 +23,6 @@
 	"fmt"
 	"regexp"
 	"sort"
-	"time"
 
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/i18n"
@@ -34,24 +33,32 @@
 var shortChangesHelp = i18n.G("List system changes")
 var shortTasksHelp = i18n.G("List a change's tasks")
 var longChangesHelp = i18n.G(`
-The changes command displays a summary of the recent system changes performed.`)
+The changes command displays a summary of system changes performed recently.
+`)
 var longTasksHelp = i18n.G(`
-The tasks command displays a summary of tasks associated to an individual change.`)
+The tasks command displays a summary of tasks associated with an individual
+change.
+`)
 
 type cmdChanges struct {
+	clientMixin
+	timeMixin
 	Positional struct {
 		Snap string `positional-arg-name:"<snap>"`
 	} `positional-args:"yes"`
 }
 
-type cmdTasks struct{ changeIDMixin }
+type cmdTasks struct {
+	timeMixin
+	changeIDMixin
+}
 
 func init() {
 	addCommand("changes", shortChangesHelp, longChangesHelp,
-		func() flags.Commander { return &cmdChanges{} }, nil, nil)
+		func() flags.Commander { return &cmdChanges{} }, timeDescs, nil)
 	addCommand("tasks", shortTasksHelp, longTasksHelp,
 		func() flags.Commander { return &cmdTasks{} },
-		changeIDMixinOptDesc,
+		changeIDMixinOptDesc.also(timeDescs),
 		changeIDMixinArgDesc).alias = "change"
 }
 
@@ -63,14 +70,25 @@
 
 var allDigits = regexp.MustCompile(`^[0-9]+$`).MatchString
 
+func queryChanges(cli *client.Client, opts *client.ChangesOptions) ([]*client.Change, error) {
+	chgs, err := cli.Changes(opts)
+	if err != nil {
+		return nil, err
+	}
+	if err := warnMaintenance(cli); err != nil {
+		return nil, err
+	}
+	return chgs, nil
+}
+
 func (c *cmdChanges) Execute(args []string) error {
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
 
 	if allDigits(c.Positional.Snap) {
-		// TRANSLATORS: the %s is the argument given by the user to "snap changes"
-		return fmt.Errorf(i18n.G(`"snap changes" command expects a snap name, try: "snap tasks %s"`), c.Positional.Snap)
+		// TRANSLATORS: the %s is the argument given by the user to 'snap changes'
+		return fmt.Errorf(i18n.G(`'snap changes' command expects a snap name, try 'snap tasks %s'`), c.Positional.Snap)
 	}
 
 	if c.Positional.Snap == "everything" {
@@ -83,8 +101,7 @@
 		Selector: client.ChangesAll,
 	}
 
-	cli := Client()
-	changes, err := cli.Changes(&opts)
+	changes, err := queryChanges(c.client, &opts)
 	if err != nil {
 		return err
 	}
@@ -99,8 +116,8 @@
 
 	fmt.Fprintf(w, i18n.G("ID\tStatus\tSpawn\tReady\tSummary\n"))
 	for _, chg := range changes {
-		spawnTime := chg.SpawnTime.UTC().Format(time.RFC3339)
-		readyTime := chg.ReadyTime.UTC().Format(time.RFC3339)
+		spawnTime := c.fmtTime(chg.SpawnTime)
+		readyTime := c.fmtTime(chg.ReadyTime)
 		if chg.ReadyTime.IsZero() {
 			readyTime = "-"
 		}
@@ -114,18 +131,31 @@
 }
 
 func (c *cmdTasks) Execute([]string) error {
-	cli := Client()
-	id, err := c.GetChangeID(cli)
+	chid, err := c.GetChangeID()
 	if err != nil {
+		if err == noChangeFoundOK {
+			return nil
+		}
 		return err
 	}
 
-	return showChange(cli, id)
+	return c.showChange(chid)
 }
 
-func showChange(cli *client.Client, chid string) error {
+func queryChange(cli *client.Client, chid string) (*client.Change, error) {
 	chg, err := cli.Change(chid)
 	if err != nil {
+		return nil, err
+	}
+	if err := warnMaintenance(cli); err != nil {
+		return nil, err
+	}
+	return chg, nil
+}
+
+func (c *cmdTasks) showChange(chid string) error {
+	chg, err := queryChange(c.client, chid)
+	if err != nil {
 		return err
 	}
 
@@ -133,8 +163,8 @@
 
 	fmt.Fprintf(w, i18n.G("Status\tSpawn\tReady\tSummary\n"))
 	for _, t := range chg.Tasks {
-		spawnTime := t.SpawnTime.UTC().Format(time.RFC3339)
-		readyTime := t.ReadyTime.UTC().Format(time.RFC3339)
+		spawnTime := c.fmtTime(t.SpawnTime)
+		readyTime := c.fmtTime(t.ReadyTime)
 		if t.ReadyTime.IsZero() {
 			readyTime = "-"
 		}
@@ -166,3 +196,14 @@
 }
 
 const line = "......................................................................"
+
+func warnMaintenance(cli *client.Client) error {
+	if maintErr := cli.Maintenance(); maintErr != nil {
+		msg, err := errorToCmdMessage("", maintErr, nil)
+		if err != nil {
+			return err
+		}
+		fmt.Fprintf(Stderr, "WARNING: %s\n", msg)
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_changes_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_changes_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_changes_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_changes_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"gopkg.in/check.v1"
 
@@ -55,19 +56,38 @@
 	expectedChange := `(?ms)Status +Spawn +Ready +Summary
 Do +2016-04-21T01:02:03Z +2016-04-21T01:02:04Z +some summary
 `
-	rest, err := snap.Parser().ParseArgs([]string{"change", "42"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"change", "--abs-time", "42"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, expectedChange)
 	c.Check(s.Stderr(), check.Equals, "")
 
-	rest, err = snap.Parser().ParseArgs([]string{"tasks", "42"})
+	rest, err = snap.Parser(snap.Client()).ParseArgs([]string{"tasks", "--abs-time", "42"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, expectedChange)
 	c.Check(s.Stderr(), check.Equals, "")
 }
 
+func (s *SnapSuite) TestChangeSimpleRebooting(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		if n < 2 {
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/v2/changes/42")
+			fmt.Fprintln(w, strings.Replace(mockChangeJSON, `"type": "sync"`, `"type": "sync", "maintenance": {"kind": "system-restart", "message": "system is restarting"}`, 1))
+		} else {
+			c.Fatalf("expected to get 1 requests, now on %d", n+1)
+		}
+
+		n++
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"change", "42"})
+	c.Assert(err, check.IsNil)
+	c.Check(s.Stderr(), check.Equals, "WARNING: snapd is about to reboot the system\n")
+}
+
 var mockChangesJSON = `{"type": "sync", "result": [
   {
     "id":   "four",
@@ -124,23 +144,56 @@
 	expectedChange := `(?ms)Status +Spawn +Ready +Summary
 Do +2016-04-21T01:02:03Z +2016-04-21T01:02:04Z +some summary
 `
-	rest, err := snap.Parser().ParseArgs([]string{"tasks", "--last=install"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"tasks", "--abs-time", "--last=install"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, expectedChange)
 	c.Check(s.Stderr(), check.Equals, "")
 
-	_, err = snap.Parser().ParseArgs([]string{"tasks", "--last=foobar"})
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"tasks", "--abs-time", "--last=foobar"})
 	c.Assert(err, check.NotNil)
 	c.Assert(err, check.ErrorMatches, `no changes of type "foobar" found`)
 }
 
+func (s *SnapSuite) TestTasksLastQuestionmark(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		c.Check(r.Method, check.Equals, "GET")
+		c.Assert(r.URL.Path, check.Equals, "/v2/changes")
+		switch n {
+		case 1, 2:
+			fmt.Fprintln(w, `{"type": "sync", "result": []}`)
+		case 3, 4:
+			fmt.Fprintln(w, mockChangesJSON)
+		default:
+			c.Errorf("expected 4 calls, now on %d", n)
+		}
+	})
+	for i := 0; i < 2; i++ {
+		rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"tasks", "--last=foobar?"})
+		c.Assert(err, check.IsNil)
+		c.Assert(rest, check.DeepEquals, []string{})
+		c.Check(s.Stdout(), check.Matches, "")
+		c.Check(s.Stderr(), check.Equals, "")
+
+		_, err = snap.Parser(snap.Client()).ParseArgs([]string{"tasks", "--last=foobar"})
+		if i == 0 {
+			c.Assert(err, check.ErrorMatches, `no changes found`)
+		} else {
+			c.Assert(err, check.ErrorMatches, `no changes of type "foobar" found`)
+		}
+	}
+
+	c.Check(n, check.Equals, 4)
+}
+
 func (s *SnapSuite) TestTasksSyntaxError(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"tasks", "--last=install", "42"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"tasks", "--abs-time", "--last=install", "42"})
 	c.Assert(err, check.NotNil)
 	c.Assert(err, check.ErrorMatches, `cannot use change ID and type together`)
 
-	_, err = snap.Parser().ParseArgs([]string{"tasks"})
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"tasks"})
 	c.Assert(err, check.NotNil)
 	c.Assert(err, check.ErrorMatches, `please provide change ID or type with --last=<type>`)
 }
@@ -170,7 +223,7 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"change", "42"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"change", "--abs-time", "42"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, `(?ms)Status +Spawn +Ready +Summary
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_confinement.go snapd-2.37~rc1~14.04/cmd/snap/cmd_confinement.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_confinement.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_confinement.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,16 +27,20 @@
 	"github.com/jessevdk/go-flags"
 )
 
-var shortConfinementHelp = i18n.G("Prints the confinement mode the system operates in")
+var shortConfinementHelp = i18n.G("Print the confinement mode the system operates in")
 var longConfinementHelp = i18n.G(`
-The confinement command will print the confinement mode (strict, partial or none)
-the system operates in.
+The confinement command will print the confinement mode (strict,
+partial or none) the system operates in.
 `)
 
-type cmdConfinement struct{}
+type cmdConfinement struct {
+	clientMixin
+}
 
 func init() {
-	addDebugCommand("confinement", shortConfinementHelp, longConfinementHelp, func() flags.Commander { return &cmdConfinement{} })
+	addDebugCommand("confinement", shortConfinementHelp, longConfinementHelp, func() flags.Commander {
+		return &cmdConfinement{}
+	}, nil, nil)
 }
 
 func (cmd cmdConfinement) Execute(args []string) error {
@@ -44,8 +48,7 @@
 		return ErrExtraArgs
 	}
 
-	cli := Client()
-	sysInfo, err := cli.SysInfo()
+	sysInfo, err := cmd.client.SysInfo()
 	if err != nil {
 		return err
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_confinement_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_confinement_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_confinement_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_confinement_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,7 +32,7 @@
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintln(w, `{"type": "sync", "result": {"confinement": "strict"}}`)
 	})
-	_, err := snap.Parser().ParseArgs([]string{"debug", "confinement"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "confinement"})
 	c.Assert(err, IsNil)
 	c.Assert(s.Stdout(), Equals, "strict\n")
 	c.Assert(s.Stderr(), Equals, "")
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_connect.go snapd-2.37~rc1~14.04/cmd/snap/cmd_connect.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_connect.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_connect.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,13 +26,14 @@
 )
 
 type cmdConnect struct {
+	waitMixin
 	Positionals struct {
 		PlugSpec connectPlugSpec `required:"yes"`
 		SlotSpec connectSlotSpec
 	} `positional-args:"true"`
 }
 
-var shortConnectHelp = i18n.G("Connects a plug to a slot")
+var shortConnectHelp = i18n.G("Connect a plug to a slot")
 var longConnectHelp = i18n.G(`
 The connect command connects a plug to a slot.
 It may be called in the following ways:
@@ -56,10 +57,10 @@
 func init() {
 	addCommand("connect", shortConnectHelp, longConnectHelp, func() flags.Commander {
 		return &cmdConnect{}
-	}, nil, []argDesc{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+	}, waitDescs, []argDesc{
+		// TRANSLATORS: This needs to begin with < and end with >
 		{name: i18n.G("<snap>:<plug>")},
-		// TRANSLATORS: This needs to be wrapped in <>s.
+		// TRANSLATORS: This needs to begin with < and end with >
 		{name: i18n.G("<snap>:<slot>")},
 	})
 }
@@ -76,12 +77,17 @@
 		x.Positionals.PlugSpec.Snap = ""
 	}
 
-	cli := Client()
-	id, err := cli.Connect(x.Positionals.PlugSpec.Snap, x.Positionals.PlugSpec.Name, x.Positionals.SlotSpec.Snap, x.Positionals.SlotSpec.Name)
+	id, err := x.client.Connect(x.Positionals.PlugSpec.Snap, x.Positionals.PlugSpec.Name, x.Positionals.SlotSpec.Snap, x.Positionals.SlotSpec.Name)
 	if err != nil {
 		return err
 	}
 
-	_, err = wait(cli, id)
-	return err
+	if _, err := x.wait(id); err != nil {
+		if err == noWait {
+			return nil
+		}
+		return err
+	}
+
+	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_connectivity_check.go snapd-2.37~rc1~14.04/cmd/snap/cmd_connectivity_check.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_connectivity_check.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_connectivity_check.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,64 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/jessevdk/go-flags"
+)
+
+type cmdConnectivityCheck struct {
+	clientMixin
+}
+
+func init() {
+	addDebugCommand("connectivity",
+		"Check network connectivity status",
+		"The connectivity command checks the network connectivity of snapd.",
+		func() flags.Commander {
+			return &cmdConnectivityCheck{}
+		}, nil, nil)
+}
+
+func (x *cmdConnectivityCheck) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+
+	var status struct {
+		Connectivity bool
+		Unreachable  []string
+	}
+	if err := x.client.Debug("connectivity", nil, &status); err != nil {
+		return err
+	}
+
+	fmt.Fprintf(Stdout, "Connectivity status:\n")
+	if len(status.Unreachable) == 0 {
+		fmt.Fprintf(Stdout, " * PASS\n")
+		return nil
+	}
+
+	for _, uri := range status.Unreachable {
+		fmt.Fprintf(Stdout, " * %s: unreachable\n", uri)
+	}
+	return fmt.Errorf("%v servers unreachable", len(status.Unreachable))
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_connectivity_check_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_connectivity_check_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_connectivity_check_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_connectivity_check_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,84 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	"gopkg.in/check.v1"
+
+	snap "github.com/snapcore/snapd/cmd/snap"
+)
+
+func (s *SnapSuite) TestConnectivityHappy(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0:
+			c.Check(r.Method, check.Equals, "POST")
+			c.Check(r.URL.Path, check.Equals, "/v2/debug")
+			c.Check(r.URL.RawQuery, check.Equals, "")
+			data, err := ioutil.ReadAll(r.Body)
+			c.Check(err, check.IsNil)
+			c.Check(data, check.DeepEquals, []byte(`{"action":"connectivity"}`))
+			fmt.Fprintln(w, `{"type": "sync", "result": {}}`)
+		default:
+			c.Fatalf("expected to get 1 requests, now on %d", n+1)
+		}
+
+		n++
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "connectivity"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Equals, `Connectivity status:
+ * PASS
+`)
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapSuite) TestConnectivityUnhappy(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0:
+			c.Check(r.Method, check.Equals, "POST")
+			c.Check(r.URL.Path, check.Equals, "/v2/debug")
+			c.Check(r.URL.RawQuery, check.Equals, "")
+			data, err := ioutil.ReadAll(r.Body)
+			c.Check(err, check.IsNil)
+			c.Check(data, check.DeepEquals, []byte(`{"action":"connectivity"}`))
+			fmt.Fprintln(w, `{"type": "sync", "result": {"connectivity":false,"unreachable":["foo.bar.com"]}}`)
+		default:
+			c.Fatalf("expected to get 1 requests, now on %d", n+1)
+		}
+
+		n++
+	})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "connectivity"})
+	c.Assert(err, check.ErrorMatches, "1 servers unreachable")
+	// note that only the unreachable hosts are displayed
+	c.Check(s.Stdout(), check.Equals, `Connectivity status:
+ * foo.bar.com: unreachable
+`)
+	c.Check(s.Stderr(), check.Equals, "")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_connect_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_connect_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_connect_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_connect_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -33,7 +33,7 @@
 
 func (s *SnapSuite) TestConnectHelp(c *C) {
 	msg := `Usage:
-  snap.test [OPTIONS] connect [<snap>:<plug>] [<snap>:<slot>]
+  snap.test connect [connect-OPTIONS] [<snap>:<plug>] [<snap>:<slot>]
 
 The connect command connects a plug to a slot.
 It may be called in the following ways:
@@ -53,15 +53,11 @@
 Connects the provided plug to the slot in the core snap with a name matching
 the plug name.
 
-Application Options:
-      --version            Print the version and exit
-
-Help Options:
-  -h, --help               Show this help message
+[connect command options]
+      --no-wait          Do not wait for the operation to finish but just print
+                         the change id.
 `
-	rest, err := Parser().ParseArgs([]string{"connect", "--help"})
-	c.Assert(err.Error(), Equals, msg)
-	c.Assert(rest, DeepEquals, []string{})
+	s.testSubCommandHelp(c, "connect", msg)
 }
 
 func (s *SnapSuite) TestConnectExplicitEverything(c *C) {
@@ -92,7 +88,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"connect", "producer:plug", "consumer:slot"})
+	rest, err := Parser(Client()).ParseArgs([]string{"connect", "producer:plug", "consumer:slot"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 }
@@ -125,7 +121,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"connect", "producer:plug", "consumer"})
+	rest, err := Parser(Client()).ParseArgs([]string{"connect", "producer:plug", "consumer"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 }
@@ -158,7 +154,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"connect", "plug", "consumer:slot"})
+	rest, err := Parser(Client()).ParseArgs([]string{"connect", "plug", "consumer:slot"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 }
@@ -191,7 +187,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"connect", "plug", "consumer"})
+	rest, err := Parser(Client()).ParseArgs([]string{"connect", "plug", "consumer"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 }
@@ -294,7 +290,7 @@
 	defer os.Unsetenv("GO_FLAGS_COMPLETION")
 
 	expected := []flags.Completion{}
-	parser := Parser()
+	parser := Parser(Client())
 	parser.CompletionHandler = func(obtained []flags.Completion) {
 		c.Check(obtained, DeepEquals, expected)
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_create_key.go snapd-2.37~rc1~14.04/cmd/snap/cmd_create_key.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_create_key.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_create_key.go	2019-01-16 08:36:51.000000000 +0000
@@ -39,13 +39,16 @@
 func init() {
 	cmd := addCommand("create-key",
 		i18n.G("Create cryptographic key pair"),
-		i18n.G("Create a cryptographic key pair that can be used for signing assertions."),
+		i18n.G(`
+The create-key command creates a cryptographic key pair that can be
+used for signing assertions.
+`),
 		func() flags.Commander {
 			return &cmdCreateKey{}
 		}, nil, []argDesc{{
-			// TRANSLATORS: This needs to be wrapped in <>s.
+			// TRANSLATORS: This needs to begin with < and end with >
 			name: i18n.G("<key-name>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("Name of key to create; defaults to 'default'"),
 		}})
 	cmd.hidden = true
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_create_key_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_create_key_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_create_key_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_create_key_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,7 +26,7 @@
 )
 
 func (s *SnapSuite) TestCreateKeyInvalidCharacters(c *C) {
-	_, err := snap.Parser().ParseArgs([]string{"create-key", "a b"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"create-key", "a b"})
 	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "key name \"a b\" is not valid; only ASCII letters, digits, and hyphens are allowed")
 	c.Check(s.Stdout(), Equals, "")
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_create_user.go snapd-2.37~rc1~14.04/cmd/snap/cmd_create_user.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_create_user.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_create_user.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,7 +29,7 @@
 	"github.com/jessevdk/go-flags"
 )
 
-var shortCreateUserHelp = i18n.G("Creates a local system user")
+var shortCreateUserHelp = i18n.G("Create a local system user")
 var longCreateUserHelp = i18n.G(`
 The create-user command creates a local system user with the username and SSH
 keys registered on the store account identified by the provided email address.
@@ -38,6 +38,7 @@
 `)
 
 type cmdCreateUser struct {
+	clientMixin
 	Positional struct {
 		Email string
 	} `positional-args:"yes"`
@@ -51,14 +52,18 @@
 func init() {
 	cmd := addCommand("create-user", shortCreateUserHelp, longCreateUserHelp, func() flags.Commander { return &cmdCreateUser{} },
 		map[string]string{
-			"json":          i18n.G("Output results in JSON format"),
-			"sudoer":        i18n.G("Grant sudo access to the created user"),
-			"known":         i18n.G("Use known assertions for user creation"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"json": i18n.G("Output results in JSON format"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"sudoer": i18n.G("Grant sudo access to the created user"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"known": i18n.G("Use known assertions for user creation"),
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"force-managed": i18n.G("Force adding the user, even if the device is already managed"),
 		}, []argDesc{{
-			// TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+			// TRANSLATORS: This is a noun and it needs to begin with < and end with >
 			name: i18n.G("<email>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+			// TRANSLATORS: This should not start with a lowercase letter (unless it's "login.ubuntu.com"). Also, note users on login.ubuntu.com can have multiple email addresses.
 			desc: i18n.G("An email of a user on login.ubuntu.com"),
 		}})
 	cmd.hidden = true
@@ -69,8 +74,6 @@
 		return ErrExtraArgs
 	}
 
-	cli := Client()
-
 	options := client.CreateUserOptions{
 		Email:        x.Positional.Email,
 		Sudoer:       x.Sudoer,
@@ -83,9 +86,9 @@
 	var err error
 
 	if options.Email == "" && options.Known {
-		results, err = cli.CreateUsers([]*client.CreateUserOptions{&options})
+		results, err = x.client.CreateUsers([]*client.CreateUserOptions{&options})
 	} else {
-		result, err = cli.CreateUser(&options)
+		result, err = x.client.CreateUser(&options)
 		if err == nil {
 			results = append(results, result)
 		}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_create_user_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_create_user_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_create_user_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_create_user_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -71,7 +71,7 @@
 	n := 0
 	s.RedirectClientToTestServer(makeCreateUserChecker(c, &n, "one@email.com", false, false))
 
-	rest, err := snap.Parser().ParseArgs([]string{"create-user", "one@email.com"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"create-user", "one@email.com"})
 	c.Assert(err, check.IsNil)
 	c.Check(rest, check.DeepEquals, []string{})
 	c.Check(n, check.Equals, 1)
@@ -83,7 +83,7 @@
 	n := 0
 	s.RedirectClientToTestServer(makeCreateUserChecker(c, &n, "one@email.com", true, false))
 
-	rest, err := snap.Parser().ParseArgs([]string{"create-user", "--sudoer", "one@email.com"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"create-user", "--sudoer", "one@email.com"})
 	c.Assert(err, check.IsNil)
 	c.Check(rest, check.DeepEquals, []string{})
 	c.Check(n, check.Equals, 1)
@@ -101,7 +101,7 @@
 	}
 	actualResponse := &client.CreateUserResult{}
 
-	rest, err := snap.Parser().ParseArgs([]string{"create-user", "--json", "one@email.com"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"create-user", "--json", "one@email.com"})
 	c.Assert(err, check.IsNil)
 	c.Check(rest, check.DeepEquals, []string{})
 	c.Check(n, check.Equals, 1)
@@ -120,7 +120,7 @@
 	}}
 	var actualResponse []*client.CreateUserResult
 
-	rest, err := snap.Parser().ParseArgs([]string{"create-user", "--json", "--known"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"create-user", "--json", "--known"})
 	c.Assert(err, check.IsNil)
 	c.Check(rest, check.DeepEquals, []string{})
 	c.Check(n, check.Equals, 1)
@@ -133,7 +133,7 @@
 	n := 0
 	s.RedirectClientToTestServer(makeCreateUserChecker(c, &n, "one@email.com", false, true))
 
-	rest, err := snap.Parser().ParseArgs([]string{"create-user", "--known", "one@email.com"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"create-user", "--known", "one@email.com"})
 	c.Assert(err, check.IsNil)
 	c.Check(rest, check.DeepEquals, []string{})
 	c.Check(n, check.Equals, 1)
@@ -143,7 +143,7 @@
 	n := 0
 	s.RedirectClientToTestServer(makeCreateUserChecker(c, &n, "", false, true))
 
-	rest, err := snap.Parser().ParseArgs([]string{"create-user", "--known"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"create-user", "--known"})
 	c.Assert(err, check.IsNil)
 	c.Check(rest, check.DeepEquals, []string{})
 	c.Check(n, check.Equals, 1)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_debug.go snapd-2.37~rc1~14.04/cmd/snap/cmd_debug.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_debug.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_debug.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,7 @@
 
 type cmdDebug struct{}
 
-var shortDebugHelp = i18n.G("Runs debug commands")
+var shortDebugHelp = i18n.G("Run debug commands")
 var longDebugHelp = i18n.G(`
 The debug command contains a selection of additional sub-commands.
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_delete_key.go snapd-2.37~rc1~14.04/cmd/snap/cmd_delete_key.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_delete_key.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_delete_key.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,13 +35,16 @@
 func init() {
 	cmd := addCommand("delete-key",
 		i18n.G("Delete cryptographic key pair"),
-		i18n.G("Delete the local cryptographic key pair with the given name."),
+		i18n.G(`
+The delete-key command deletes the local cryptographic key pair with
+the given name.
+`),
 		func() flags.Commander {
 			return &cmdDeleteKey{}
 		}, nil, []argDesc{{
-			// TRANSLATORS: This needs to be wrapped in <>s.
+			// TRANSLATORS: This needs to begin with < and end with >
 			name: i18n.G("<key-name>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("Name of key to delete"),
 		}})
 	cmd.hidden = true
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_delete_key_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_delete_key_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_delete_key_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_delete_key_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,7 +28,7 @@
 )
 
 func (s *SnapKeysSuite) TestDeleteKeyRequiresName(c *C) {
-	_, err := snap.Parser().ParseArgs([]string{"delete-key"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"delete-key"})
 	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "the required argument `<key-name>` was not provided")
 	c.Check(s.Stdout(), Equals, "")
@@ -36,7 +36,7 @@
 }
 
 func (s *SnapKeysSuite) TestDeleteKeyNonexistent(c *C) {
-	_, err := snap.Parser().ParseArgs([]string{"delete-key", "nonexistent"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"delete-key", "nonexistent"})
 	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "cannot find key named \"nonexistent\" in GPG keyring")
 	c.Check(s.Stdout(), Equals, "")
@@ -44,12 +44,12 @@
 }
 
 func (s *SnapKeysSuite) TestDeleteKey(c *C) {
-	rest, err := snap.Parser().ParseArgs([]string{"delete-key", "another"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"delete-key", "another"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Equals, "")
 	c.Check(s.Stderr(), Equals, "")
-	_, err = snap.Parser().ParseArgs([]string{"keys", "--json"})
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"keys", "--json"})
 	c.Assert(err, IsNil)
 	expectedResponse := []snap.Key{
 		{
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_disconnect.go snapd-2.37~rc1~14.04/cmd/snap/cmd_disconnect.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_disconnect.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_disconnect.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,13 +29,14 @@
 )
 
 type cmdDisconnect struct {
+	waitMixin
 	Positionals struct {
 		Offer disconnectSlotOrPlugSpec `required:"true"`
 		Use   disconnectSlotSpec
 	} `positional-args:"true"`
 }
 
-var shortDisconnectHelp = i18n.G("Disconnects a plug from a slot")
+var shortDisconnectHelp = i18n.G("Disconnect a plug from a slot")
 var longDisconnectHelp = i18n.G(`
 The disconnect command disconnects a plug from a slot.
 It may be called in the following ways:
@@ -53,10 +54,10 @@
 func init() {
 	addCommand("disconnect", shortDisconnectHelp, longDisconnectHelp, func() flags.Commander {
 		return &cmdDisconnect{}
-	}, nil, []argDesc{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+	}, waitDescs, []argDesc{
+		// TRANSLATORS: This needs to begin with < and end with >
 		{name: i18n.G("<snap>:<plug>")},
-		// TRANSLATORS: This needs to be wrapped in <>s.
+		// TRANSLATORS: This needs to begin with < and end with >
 		{name: i18n.G("<snap>:<slot>")},
 	})
 }
@@ -79,8 +80,7 @@
 		return fmt.Errorf("please provide the plug or slot name to disconnect from snap %q", use.Snap)
 	}
 
-	cli := Client()
-	id, err := cli.Disconnect(offer.Snap, offer.Name, use.Snap, use.Name)
+	id, err := x.client.Disconnect(offer.Snap, offer.Name, use.Snap, use.Name)
 	if err != nil {
 		if client.IsInterfacesUnchangedError(err) {
 			fmt.Fprintf(Stdout, i18n.G("No connections to disconnect"))
@@ -90,6 +90,12 @@
 		return err
 	}
 
-	_, err = wait(cli, id)
-	return err
+	if _, err := x.wait(id); err != nil {
+		if err == noWait {
+			return nil
+		}
+		return err
+	}
+
+	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_disconnect_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_disconnect_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_disconnect_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_disconnect_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,7 +32,7 @@
 
 func (s *SnapSuite) TestDisconnectHelp(c *C) {
 	msg := `Usage:
-  snap.test [OPTIONS] disconnect [<snap>:<plug>] [<snap>:<slot>]
+  snap.test disconnect [disconnect-OPTIONS] [<snap>:<plug>] [<snap>:<slot>]
 
 The disconnect command disconnects a plug from a slot.
 It may be called in the following ways:
@@ -46,15 +46,11 @@
 Disconnects everything from the provided plug or slot.
 The snap name may be omitted for the core snap.
 
-Application Options:
-      --version            Print the version and exit
-
-Help Options:
-  -h, --help               Show this help message
+[disconnect command options]
+      --no-wait          Do not wait for the operation to finish but just print
+                         the change id.
 `
-	rest, err := Parser().ParseArgs([]string{"disconnect", "--help"})
-	c.Assert(err.Error(), Equals, msg)
-	c.Assert(rest, DeepEquals, []string{})
+	s.testSubCommandHelp(c, "disconnect", msg)
 }
 
 func (s *SnapSuite) TestDisconnectExplicitEverything(c *C) {
@@ -85,7 +81,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"disconnect", "producer:plug", "consumer:slot"})
+	rest, err := Parser(Client()).ParseArgs([]string{"disconnect", "producer:plug", "consumer:slot"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, "")
@@ -120,7 +116,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"disconnect", "consumer:slot"})
+	rest, err := Parser(Client()).ParseArgs([]string{"disconnect", "consumer:slot"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, "")
@@ -155,7 +151,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"disconnect", "consumer:plug-or-slot"})
+	rest, err := Parser(Client()).ParseArgs([]string{"disconnect", "consumer:plug-or-slot"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, "")
@@ -166,7 +162,7 @@
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
 		c.Fatalf("expected nothing to reach the server")
 	})
-	rest, err := Parser().ParseArgs([]string{"disconnect", "consumer"})
+	rest, err := Parser(Client()).ParseArgs([]string{"disconnect", "consumer"})
 	c.Assert(err, ErrorMatches, `please provide the plug or slot name to disconnect from snap "consumer"`)
 	c.Assert(rest, DeepEquals, []string{"consumer"})
 	c.Assert(s.Stdout(), Equals, "")
@@ -190,7 +186,7 @@
 	defer os.Unsetenv("GO_FLAGS_COMPLETION")
 
 	expected := []flags.Completion{}
-	parser := Parser()
+	parser := Parser(Client())
 	parser.CompletionHandler = func(obtained []flags.Completion) {
 		c.Check(obtained, DeepEquals, expected)
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_download.go snapd-2.37~rc1~14.04/cmd/snap/cmd_download.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_download.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_download.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,10 +43,10 @@
 	} `positional-args:"true" required:"true"`
 }
 
-var shortDownloadHelp = i18n.G("Downloads the given snap")
+var shortDownloadHelp = i18n.G("Download the given snap")
 var longDownloadHelp = i18n.G(`
 The download command downloads the given snap and its supporting assertions
-to the current directory under .snap and .assert file extensions, respectively.
+to the current directory with .snap and .assert file extensions, respectively.
 `)
 
 func init() {
@@ -56,7 +56,7 @@
 		"revision": i18n.G("Download the given revision of a snap, to which you must have developer access"),
 	}), []argDesc{{
 		name: "<snap>",
-		// TRANSLATORS: This should probably not start with a lowercase letter.
+		// TRANSLATORS: This should not start with a lowercase letter.
 		desc: i18n.G("Snap name"),
 	}})
 }
@@ -100,6 +100,9 @@
 	if x.Revision == "" {
 		revision = snap.R(0)
 	} else {
+		if x.Channel != "" {
+			return fmt.Errorf(i18n.G("cannot specify both channel and revision"))
+		}
 		var err error
 		revision, err = snap.ParseRevision(x.Revision)
 		if err != nil {
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_ensure_state_soon.go snapd-2.37~rc1~14.04/cmd/snap/cmd_ensure_state_soon.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_ensure_state_soon.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_ensure_state_soon.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,15 +23,17 @@
 	"github.com/jessevdk/go-flags"
 )
 
-type cmdEnsureStateSoon struct{}
+type cmdEnsureStateSoon struct {
+	clientMixin
+}
 
 func init() {
 	cmd := addDebugCommand("ensure-state-soon",
-		"(internal) trigger an ensure runn in the state engine",
-		"(internal) trigger an ensure runn in the state engine",
+		"(internal) trigger an ensure run in the state engine",
+		"(internal) trigger an ensure run in the state engine",
 		func() flags.Commander {
 			return &cmdEnsureStateSoon{}
-		})
+		}, nil, nil)
 	cmd.hidden = true
 }
 
@@ -40,5 +42,5 @@
 		return ErrExtraArgs
 	}
 
-	return Client().Debug("ensure-state-soon", nil, nil)
+	return x.client.Debug("ensure-state-soon", nil, nil)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_ensure_state_soon_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_ensure_state_soon_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_ensure_state_soon_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_ensure_state_soon_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -47,7 +47,7 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"debug", "ensure-state-soon"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "ensure-state-soon"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, "")
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_export_key.go snapd-2.37~rc1~14.04/cmd/snap/cmd_export_key.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_export_key.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_export_key.go	2019-01-16 08:36:51.000000000 +0000
@@ -39,15 +39,18 @@
 func init() {
 	cmd := addCommand("export-key",
 		i18n.G("Export cryptographic public key"),
-		i18n.G("Export a public key assertion body that may be imported by other systems."),
+		i18n.G(`
+The export-key command exports a public key assertion body that may be
+imported by other systems.
+`),
 		func() flags.Commander {
 			return &cmdExportKey{}
 		}, map[string]string{
 			"account": i18n.G("Format public key material as a request for an account-key for this account-id"),
 		}, []argDesc{{
-			// TRANSLATORS: This needs to be wrapped in <>s.
+			// TRANSLATORS: This needs to begin with < and end with >
 			name: i18n.G("<key-name>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("Name of key to export"),
 		}})
 	cmd.hidden = true
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_export_key_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_export_key_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_export_key_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_export_key_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,7 +30,7 @@
 )
 
 func (s *SnapKeysSuite) TestExportKeyNonexistent(c *C) {
-	_, err := snap.Parser().ParseArgs([]string{"export-key", "nonexistent"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"export-key", "nonexistent"})
 	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "cannot find key named \"nonexistent\" in GPG keyring")
 	c.Check(s.Stdout(), Equals, "")
@@ -38,7 +38,7 @@
 }
 
 func (s *SnapKeysSuite) TestExportKeyDefault(c *C) {
-	rest, err := snap.Parser().ParseArgs([]string{"export-key"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"export-key"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	pubKey, err := asserts.DecodePublicKey(s.stdout.Bytes())
@@ -48,7 +48,7 @@
 }
 
 func (s *SnapKeysSuite) TestExportKeyNonDefault(c *C) {
-	rest, err := snap.Parser().ParseArgs([]string{"export-key", "another"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"export-key", "another"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	pubKey, err := asserts.DecodePublicKey(s.stdout.Bytes())
@@ -61,7 +61,7 @@
 	storeSigning := assertstest.NewStoreStack("canonical", nil)
 	manager := asserts.NewGPGKeypairManager()
 	assertstest.NewAccount(storeSigning, "developer1", nil, "")
-	rest, err := snap.Parser().ParseArgs([]string{"export-key", "another", "--account=developer1"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"export-key", "another", "--account=developer1"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	assertion, err := asserts.Decode(s.stdout.Bytes())
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_find.go snapd-2.37~rc1~14.04/cmd/snap/cmd_find.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_find.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_find.go	2019-01-16 08:36:51.000000000 +0000
@@ -36,9 +36,17 @@
 	"github.com/snapcore/snapd/strutil"
 )
 
-var shortFindHelp = i18n.G("Finds packages to install")
+var shortFindHelp = i18n.G("Find packages to install")
 var longFindHelp = i18n.G(`
 The find command queries the store for available packages in the stable channel.
+
+With the --private flag, which requires the user to be logged-in to the store
+(see 'snap help login'), it instead searches for private snaps that the user
+has developer access to, either directly or through the store's collaboration
+feature.
+
+A green check mark (given color and unicode support) after a publisher name
+indicates that the publisher has been verified.
 `)
 
 func getPrice(prices map[string]float64, currency string) (float64, string, error) {
@@ -78,7 +86,7 @@
 		return ret
 	}
 
-	cli := Client()
+	cli := mkClient()
 	sections, err := cli.Sections()
 	if err != nil {
 		return nil
@@ -92,28 +100,42 @@
 	return ret
 }
 
-func getSections() (sections []string, err error) {
-	if cachedSections, err := os.Open(dirs.SnapSectionsFile); err == nil {
-		// try loading from cached sections file
-		defer cachedSections.Close()
-
-		r := bufio.NewScanner(cachedSections)
-		sections = make([]string, 0, 10)
-		for r.Scan() {
-			sections = append(sections, r.Text())
-		}
-		if r.Err() == nil && len(sections) > 0 {
-			return sections, nil
+func cachedSections() (sections []string, err error) {
+	cachedSections, err := os.Open(dirs.SnapSectionsFile)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
 		}
+		return nil, err
+	}
+	defer cachedSections.Close()
+
+	r := bufio.NewScanner(cachedSections)
+	for r.Scan() {
+		sections = append(sections, r.Text())
+	}
+	if r.Err() != nil {
+		return nil, r.Err()
 	}
 
+	return sections, nil
+}
+
+func getSections(cli *client.Client) (sections []string, err error) {
+	// try loading from cached sections file
+	sections, err = cachedSections()
+	if err != nil {
+		return nil, err
+	}
+	if sections != nil {
+		return sections, nil
+	}
 	// fallback to listing from the daemon
-	cli := Client()
 	return cli.Sections()
 }
 
-func showSections() error {
-	sections, err := getSections()
+func showSections(cli *client.Client) error {
+	sections, err := getSections(cli)
 	if err != nil {
 		return err
 	}
@@ -123,28 +145,36 @@
 	for _, sec := range sections {
 		fmt.Fprintf(Stdout, " * %s\n", sec)
 	}
-	fmt.Fprintf(Stdout, i18n.G("Please try: snap find --section=<selected section>\n"))
+	fmt.Fprintf(Stdout, i18n.G("Please try 'snap find --section=<selected section>'\n"))
 	return nil
 }
 
 type cmdFind struct {
+	clientMixin
 	Private    bool        `long:"private"`
+	Narrow     bool        `long:"narrow"`
 	Section    SectionName `long:"section" optional:"true" optional-value:"show-all-sections-please" default:"no-section-specified"`
 	Positional struct {
 		Query string
 	} `positional-args:"yes"`
+	colorMixin
 }
 
 func init() {
 	addCommand("find", shortFindHelp, longFindHelp, func() flags.Commander {
 		return &cmdFind{}
-	}, map[string]string{
+	}, colorDescs.also(map[string]string{
+		// TRANSLATORS: This should not start with a lowercase letter.
 		"private": i18n.G("Search private snaps"),
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"narrow": i18n.G("Only search for snaps in “stable”"),
+		// TRANSLATORS: This should not start with a lowercase letter.
 		"section": i18n.G("Restrict the search to a given section"),
-	}, []argDesc{{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+	}), []argDesc{{
+		// TRANSLATORS: This needs to begin with < and end with >
 		name: i18n.G("<query>"),
 	}}).alias = "search"
+
 }
 
 func (x *cmdFind) Execute(args []string) error {
@@ -164,7 +194,7 @@
 	//   the commandline at all
 	switch x.Section {
 	case "show-all-sections-please":
-		return showSections()
+		return showSections(x.client)
 	case "no-section-specified":
 		x.Section = ""
 	}
@@ -175,16 +205,21 @@
 		x.Section = "featured"
 	}
 
-	cli := Client()
-
 	if x.Section != "" && x.Section != "featured" {
-		sections, err := getSections()
+		sections, err := cachedSections()
 		if err != nil {
 			return err
 		}
 		if !strutil.ListContains(sections, string(x.Section)) {
-			// TRANSLATORS: the %q is the (quoted) name of the section the user entered
-			return fmt.Errorf(i18n.G("No matching section %q, use --section to list existing sections"), x.Section)
+			// try the store just in case it was added in the last 24 hours
+			sections, err = x.client.Sections()
+			if err != nil {
+				return err
+			}
+			if !strutil.ListContains(sections, string(x.Section)) {
+				// TRANSLATORS: the %q is the (quoted) name of the section the user entered
+				return fmt.Errorf(i18n.G("No matching section %q, use --section to list existing sections"), x.Section)
+			}
 		}
 	}
 
@@ -193,8 +228,13 @@
 		Section: string(x.Section),
 		Query:   x.Positional.Query,
 	}
-	snaps, resInfo, err := cli.Find(opts)
-	if e, ok := err.(*client.Error); ok && e.Kind == client.ErrorKindNetworkTimeout {
+
+	if !x.Narrow {
+		opts.Scope = "wide"
+	}
+
+	snaps, resInfo, err := x.client.Find(opts)
+	if e, ok := err.(*client.Error); ok && (e.Kind == client.ErrorKindNetworkTimeout || e.Kind == client.ErrorKindDNSFailure) {
 		logger.Debugf("cannot list snaps: %v", e)
 		return fmt.Errorf("unable to contact snap store")
 	}
@@ -216,19 +256,19 @@
 
 	// show featured header *after* we checked for errors from the find
 	if showFeatured {
-		fmt.Fprintf(Stdout, i18n.G("No search term specified. Here are some interesting snaps:\n\n"))
+		fmt.Fprint(Stdout, i18n.G("No search term specified. Here are some interesting snaps:\n\n"))
 	}
 
+	esc := x.getEscapes()
 	w := tabWriter()
-	fmt.Fprintln(w, i18n.G("Name\tVersion\tDeveloper\tNotes\tSummary"))
+	// TRANSLATORS: the %s is to insert a filler escape sequence (please keep it flush to the column header, with no extra spaces)
+	fmt.Fprintf(w, i18n.G("Name\tVersion\tPublisher%s\tNotes\tSummary\n"), fillerPublisher(esc))
 	for _, snap := range snaps {
-		// TODO: get snap.Publisher, so we can only show snap.Developer if it's different
-		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", snap.Name, snap.Version, snap.Developer, NotesFromRemote(snap, resInfo), snap.Summary)
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", snap.Name, snap.Version, shortPublisher(esc, snap.Publisher), NotesFromRemote(snap, resInfo), snap.Summary)
 	}
 	w.Flush()
-
 	if showFeatured {
-		fmt.Fprintf(Stdout, i18n.G("\nProvide a search term for more specific results.\n"))
+		fmt.Fprint(Stdout, i18n.G("\nProvide a search term for more specific results.\n"))
 	}
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_find_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_find_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_find_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_find_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -44,6 +44,12 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 65536,
       "icon": "",
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
@@ -61,6 +67,12 @@
       "confinement": "strict",
       "description": "This is a simple hello world example.",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 20480,
       "icon": "",
       "id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
@@ -78,6 +90,12 @@
       "confinement": "strict",
       "description": "1.0GB",
       "developer": "noise",
+      "publisher": {
+         "id": "noise-id",
+         "username": "noise",
+         "display-name": "Bret",
+         "validation": "unproven"
+      },
       "download-size": 512004096,
       "icon": "",
       "id": "asXOGCreK66DIAdyXmucwspTMgqA4rne",
@@ -119,14 +137,14 @@
 		n++
 	})
 
-	rest, err := snap.Parser().ParseArgs([]string{"find", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "hello"})
 
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Developer +Notes +Summary
-hello +2.10 +canonical +- +GNU Hello, the "hello world" snap
-hello-world +6.1 +canonical +- +Hello world example
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Publisher +Notes +Summary
+hello +2.10 +canonical\* +- +GNU Hello, the "hello world" snap
+hello-world +6.1 +canonical\* +- +Hello world example
 hello-huge +1.0 +noise +- +a really big snap
 `)
 	c.Check(s.Stderr(), check.Equals, "")
@@ -145,6 +163,12 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 65536,
       "icon": "",
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
@@ -162,6 +186,12 @@
       "confinement": "strict",
       "description": "1.0GB",
       "developer": "noise",
+      "publisher": {
+         "id": "noise-id",
+         "username": "noise",
+         "display-name": "Bret",
+         "validation": "unproven"
+      },
       "download-size": 512004096,
       "icon": "",
       "id": "asXOGCreK66DIAdyXmucwspTMgqA4rne",
@@ -190,7 +220,9 @@
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/find")
 			q := r.URL.Query()
+			c.Check(q, check.HasLen, 2)
 			c.Check(q.Get("q"), check.Equals, "hello")
+			c.Check(q.Get("scope"), check.Equals, "wide")
 			fmt.Fprintln(w, findHelloJSON)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
@@ -198,11 +230,38 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"find", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Developer +Notes +Summary
-hello +2.10 +canonical +- +GNU Hello, the "hello world" snap
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Publisher +Notes +Summary
+hello +2.10 +canonical\* +- +GNU Hello, the "hello world" snap
+hello-huge +1.0 +noise +- +a really big snap
+`)
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapSuite) TestFindHelloNarrow(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0:
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/v2/find")
+			q := r.URL.Query()
+			c.Check(q, check.HasLen, 1)
+			c.Check(q.Get("q"), check.Equals, "hello")
+			fmt.Fprintln(w, findHelloJSON)
+		default:
+			c.Fatalf("expected to get 1 requests, now on %d", n+1)
+		}
+
+		n++
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "--narrow", "hello"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Publisher +Notes +Summary
+hello +2.10 +canonical\* +- +GNU Hello, the "hello world" snap
 hello-huge +1.0 +noise +- +a really big snap
 `)
 	c.Check(s.Stderr(), check.Equals, "")
@@ -219,6 +278,12 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 65536,
       "icon": "",
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
@@ -255,11 +320,11 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"find", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Developer +Notes +Summary
-hello +2.10 +canonical +1.99GBP +GNU Hello, the "hello world" snap
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Publisher +Notes +Summary
+hello +2.10 +canonical\* +1.99GBP +GNU Hello, the "hello world" snap
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 }
@@ -275,6 +340,12 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 65536,
       "icon": "",
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
@@ -310,11 +381,11 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"find", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Developer +Notes +Summary
-hello +2.10 +canonical +bought +GNU Hello, the "hello world" snap
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Publisher +Notes +Summary
+hello +2.10 +canonical\* +bought +GNU Hello, the "hello world" snap
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 }
@@ -334,7 +405,7 @@
 		n++
 	})
 
-	_, err := snap.Parser().ParseArgs([]string{"find"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"find"})
 	c.Assert(err, check.IsNil)
 	c.Check(s.Stderr(), check.Equals, "")
 	c.Check(n, check.Equals, 1)
@@ -392,7 +463,7 @@
 
 		n++
 	})
-	_, err := snap.Parser().ParseArgs([]string{"find", "hello"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "hello"})
 	c.Assert(err, check.ErrorMatches, `unable to contact snap store`)
 	c.Check(s.Stdout(), check.Equals, "")
 }
@@ -414,7 +485,7 @@
 		n++
 	})
 
-	rest, err := snap.Parser().ParseArgs([]string{"find", "--section"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "--section"})
 
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
@@ -422,7 +493,7 @@
 	c.Check(s.Stdout(), check.Equals, `No section specified. Available sections:
  * sec1
  * sec2
-Please try: snap find --section=<selected section>
+Please try 'snap find --section=<selected section>'
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 
@@ -446,7 +517,7 @@
 
 		n++
 	})
-	_, err := snap.Parser().ParseArgs([]string{"find", "--section=foobar", "hello"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "--section=foobar", "hello"})
 	c.Assert(err, check.ErrorMatches, `No matching section "foobar", use --section to list existing sections`)
 }
 
@@ -477,7 +548,7 @@
 		n++
 	})
 
-	_, err := snap.Parser().ParseArgs([]string{"find", "--section=foobar", "hello"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "--section=foobar", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Check(s.Stderr(), check.Equals, "No matching snaps for \"hello\" in section \"foobar\"\n")
 	c.Check(s.Stdout(), check.Equals, "")
@@ -486,20 +557,27 @@
 }
 
 func (s *SnapSuite) TestFindSnapCachedSection(c *check.C) {
+	numHits := 0
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
-		c.Fatalf("not expecting any requests")
+		numHits++
+		c.Check(numHits, check.Equals, 1)
+		c.Check(r.URL.Path, check.Equals, "/v2/sections")
+		EncodeResponseBody(c, w, map[string]interface{}{
+			"type":   "sync",
+			"result": []string{"sec1", "sec2", "sec3"},
+		})
 	})
 
 	os.MkdirAll(path.Dir(dirs.SnapSectionsFile), 0755)
 	ioutil.WriteFile(dirs.SnapSectionsFile, []byte("sec1\nsec2\nsec3"), 0644)
 
-	_, err := snap.Parser().ParseArgs([]string{"find", "--section=foobar", "hello"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "--section=foobar", "hello"})
 	c.Logf("stdout: %s", s.Stdout())
 	c.Assert(err, check.ErrorMatches, `No matching section "foobar", use --section to list existing sections`)
 
 	s.ResetStdStreams()
 
-	rest, err := snap.Parser().ParseArgs([]string{"find", "--section"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"find", "--section"})
 
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
@@ -508,8 +586,9 @@
  * sec1
  * sec2
  * sec3
-Please try: snap find --section=<selected section>
+Please try 'snap find --section=<selected section>'
 `)
 
 	s.ResetStdStreams()
+	c.Check(numHits, check.Equals, 1)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_first_boot.go snapd-2.37~rc1~14.04/cmd/snap/cmd_first_boot.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_first_boot.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_first_boot.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,8 +29,9 @@
 
 func init() {
 	cmd := addCommand("firstboot",
-		"internal",
-		"internal", func() flags.Commander {
+		"Internal",
+		"The firstboot command is only retained for backwards compatibility.",
+		func() flags.Commander {
 			return &cmdInternalFirstBoot{}
 		}, nil, nil)
 	cmd.hidden = true
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_get_base_declaration.go snapd-2.37~rc1~14.04/cmd/snap/cmd_get_base_declaration.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_get_base_declaration.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_get_base_declaration.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,15 +25,18 @@
 	"github.com/jessevdk/go-flags"
 )
 
-type cmdGetBaseDeclaration struct{}
+type cmdGetBaseDeclaration struct {
+	clientMixin
+}
 
 func init() {
-	addDebugCommand("get-base-declaration",
+	cmd := addDebugCommand("get-base-declaration",
 		"(internal) obtain the base declaration for all interfaces",
 		"(internal) obtain the base declaration for all interfaces",
 		func() flags.Commander {
 			return &cmdGetBaseDeclaration{}
-		})
+		}, nil, nil)
+	cmd.hidden = true
 }
 
 func (x *cmdGetBaseDeclaration) Execute(args []string) error {
@@ -43,7 +46,7 @@
 	var resp struct {
 		BaseDeclaration string `json:"base-declaration"`
 	}
-	if err := Client().Debug("get-base-declaration", nil, &resp); err != nil {
+	if err := x.client.Debug("get-base-declaration", nil, &resp); err != nil {
 		return err
 	}
 	fmt.Fprintf(Stdout, "%s\n", resp.BaseDeclaration)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_get_base_declaration_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_get_base_declaration_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_get_base_declaration_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_get_base_declaration_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -47,7 +47,7 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"debug", "get-base-declaration"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "get-base-declaration"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, "hello\n")
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_get.go snapd-2.37~rc1~14.04/cmd/snap/cmd_get.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_get.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_get.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,17 +22,15 @@
 import (
 	"encoding/json"
 	"fmt"
-	"os"
 	"sort"
 	"strings"
 
 	"github.com/jessevdk/go-flags"
 
 	"github.com/snapcore/snapd/i18n"
-	"golang.org/x/crypto/ssh/terminal"
 )
 
-var shortGetHelp = i18n.G("Prints configuration options")
+var shortGetHelp = i18n.G("Print configuration options")
 var longGetHelp = i18n.G(`
 The get command prints configuration options for the provided snap.
 
@@ -54,6 +52,7 @@
 `)
 
 type cmdGet struct {
+	clientMixin
 	Positional struct {
 		Snap installedSnapName `required:"yes"`
 		Keys []string
@@ -67,19 +66,22 @@
 func init() {
 	addCommand("get", shortGetHelp, longGetHelp, func() flags.Commander { return &cmdGet{} },
 		map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"d": i18n.G("Always return document, even with single key"),
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"l": i18n.G("Always return list, even with single key"),
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"t": i18n.G("Strict typing with nulls and quoted strings"),
 		}, []argDesc{
 			{
 				name: "<snap>",
-				// TRANSLATORS: This should probably not start with a lowercase letter.
+				// TRANSLATORS: This should not start with a lowercase letter.
 				desc: i18n.G("The snap whose conf is being requested"),
 			},
 			{
-				// TRANSLATORS: This needs to be wrapped in <>s.
+				// TRANSLATORS: This needs to begin with < and end with >
 				name: i18n.G("<key>"),
-				// TRANSLATORS: This should probably not start with a lowercase letter.
+				// TRANSLATORS: This should not start with a lowercase letter.
 				desc: i18n.G("Key of interest within the configuration"),
 			},
 		})
@@ -176,10 +178,6 @@
 	return nil
 }
 
-var isTerminal = func() bool {
-	return terminal.IsTerminal(int(os.Stdin.Fd()))
-}
-
 // outputDefault will be used when no commandline switch to override the
 // output where used. The output follows the following rules:
 // - a single key with a string value is printed directly
@@ -204,13 +202,13 @@
 
 	// conf looks like a map
 	if cfg, ok := confToPrint.(map[string]interface{}); ok {
-		if isTerminal() {
+		if isStdinTTY {
 			return x.outputList(cfg)
 		}
 
 		// TODO: remove this conditional and the warning below
 		// after a transition period.
-		fmt.Fprintf(Stderr, i18n.G(`WARNING: The output of "snap get" will become a list with columns - use -d or -l to force the output format.\n`))
+		fmt.Fprintf(Stderr, i18n.G(`WARNING: The output of 'snap get' will become a list with columns - use -d or -l to force the output format.\n`))
 		return x.outputJson(confToPrint)
 	}
 
@@ -245,8 +243,7 @@
 	snapName := string(x.Positional.Snap)
 	confKeys := x.Positional.Keys
 
-	cli := Client()
-	conf, err := cli.Conf(snapName, confKeys)
+	conf, err := x.client.Conf(snapName, confKeys)
 	if err != nil {
 		return err
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_get_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_get_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_get_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_get_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -66,7 +66,7 @@
 	stdout: "Key        Value\ntest-key1  test-value1\ntest-key2  2\n",
 }, {
 	args:   "get snapname document",
-	stderr: `WARNING: The output of "snap get" will become a list with columns - use -d or -l to force the output format.\n`,
+	stderr: `WARNING: The output of 'snap get' will become a list with columns - use -d or -l to force the output format.\n`,
 	stdout: "{\n\t\"document\": {\n\t\t\"key1\": \"value1\",\n\t\t\"key2\": \"value2\"\n\t}\n}\n",
 }, {
 	isTerminal: true,
@@ -98,7 +98,7 @@
 	isTerminal: false,
 	args:       "get snapname  test-key1 test-key2",
 	stdout:     "{\n\t\"test-key1\": \"test-value1\",\n\t\"test-key2\": 2\n}\n",
-	stderr:     `WARNING: The output of "snap get" will become a list with columns - use -d or -l to force the output format.\n`,
+	stderr:     `WARNING: The output of 'snap get' will become a list with columns - use -d or -l to force the output format.\n`,
 },
 }
 
@@ -109,10 +109,10 @@
 
 		c.Logf("Test: %s", test.args)
 
-		restore := snapset.MockIsTerminal(test.isTerminal)
+		restore := snapset.MockIsStdinTTY(test.isTerminal)
 		defer restore()
 
-		_, err := snapset.Parser().ParseArgs(strings.Fields(test.args))
+		_, err := snapset.Parser(snapset.Client()).ParseArgs(strings.Fields(test.args))
 		if test.error != "" {
 			c.Check(err, ErrorMatches, test.error)
 		} else {
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_handle_link.go snapd-2.37~rc1~14.04/cmd/snap/cmd_handle_link.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_handle_link.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_handle_link.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,91 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+	"time"
+
+	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/userd/ui"
+)
+
+type cmdHandleLink struct {
+	waitMixin
+
+	Positional struct {
+		Uri string `positional-arg-name:"<uri>"`
+	} `positional-args:"yes" required:"yes"`
+}
+
+func init() {
+	cmd := addCommand("handle-link",
+		i18n.G("Handle a snap:// URI"),
+		i18n.G("The handle-link command installs the snap-store snap and then invokes it."),
+		func() flags.Commander {
+			return &cmdHandleLink{}
+		}, nil, nil)
+	cmd.hidden = true
+}
+
+func (x *cmdHandleLink) ensureSnapStoreInstalled() error {
+	// If the snap-store snap is installed, our work is done
+	if _, _, err := x.client.Snap("snap-store"); err == nil {
+		return nil
+	}
+
+	dialog, err := ui.New()
+	if err != nil {
+		return err
+	}
+	answeredYes := dialog.YesNo(
+		i18n.G("Install snap-aware Snap Store snap?"),
+		i18n.G("The Snap Store is required to open snaps from a web browser."),
+		&ui.DialogOptions{
+			Timeout: 5 * time.Minute,
+			Footer:  i18n.G("This dialog will close automatically after 5 minutes of inactivity."),
+		})
+	if !answeredYes {
+		return fmt.Errorf(i18n.G("Snap Store required"))
+	}
+
+	changeID, err := x.client.Install("snap-store", nil)
+	if err != nil {
+		return err
+	}
+	_, err = x.wait(changeID)
+	if err != nil && err != noWait {
+		return err
+	}
+	return nil
+}
+
+func (x *cmdHandleLink) Execute([]string) error {
+	if err := x.ensureSnapStoreInstalled(); err != nil {
+		return err
+	}
+
+	argv := []string{"snap", "run", "snap-store", x.Positional.Uri}
+	return syscall.Exec("/proc/self/exe", argv, os.Environ())
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_help.go snapd-2.37~rc1~14.04/cmd/snap/cmd_help.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_help.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_help.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,43 +20,257 @@
 package main
 
 import (
-	"os"
-
-	"github.com/snapcore/snapd/i18n"
+	"bytes"
+	"fmt"
+	"strings"
+	"unicode/utf8"
 
 	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/i18n"
 )
 
-var shortHelpHelp = i18n.G("Help")
+var shortHelpHelp = i18n.G("Show help about a command")
 var longHelpHelp = i18n.G(`
-The help command shows helpful information. Unlike this. ;-)
+The help command displays information about snap commands.
 `)
 
+// addHelp adds --help like what go-flags would do for us, but hidden
+func addHelp(parser *flags.Parser) error {
+	var help struct {
+		ShowHelp func() error `short:"h" long:"help"`
+	}
+	help.ShowHelp = func() error {
+		// this function is called via --help (or -h). In that
+		// case, parser.Command.Active should be the command
+		// on which help is being requested (like "snap foo
+		// --help", active is foo), or nil in the toplevel.
+		if parser.Command.Active == nil {
+			// toplevel --help will get handled via ErrCommandRequired
+			return nil
+		}
+		// not toplevel, so ask for regular help
+		return &flags.Error{Type: flags.ErrHelp}
+	}
+	hlpgrp, err := parser.AddGroup("Help Options", "", &help)
+	if err != nil {
+		return err
+	}
+	hlpgrp.Hidden = true
+	hlp := parser.FindOptionByLongName("help")
+	hlp.Description = i18n.G("Show this help message")
+	hlp.Hidden = true
+
+	return nil
+}
+
 type cmdHelp struct {
-	Manpage bool `long:"man"`
-	parser  *flags.Parser
+	All        bool `long:"all"`
+	Manpage    bool `long:"man" hidden:"true"`
+	Positional struct {
+		// TODO: find a way to make Command tab-complete
+		Sub string `positional-arg-name:"<command>"`
+	} `positional-args:"yes"`
+	parser *flags.Parser
 }
 
 func init() {
 	addCommand("help", shortHelpHelp, longHelpHelp, func() flags.Commander { return &cmdHelp{} },
-		map[string]string{"man": i18n.G("Generate the manpage")}, nil)
+		map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"all": i18n.G("Show a short summary of all commands"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"man": i18n.G("Generate the manpage"),
+		}, nil)
 }
 
 func (cmd *cmdHelp) setParser(parser *flags.Parser) {
 	cmd.parser = parser
 }
 
+// manfixer is a hackish way to get the generated manpage into section 8
+// (go-flags doesn't have an option for this; I'll be proposing something
+// there soon, but still waiting on some other PRs to make it through)
+type manfixer struct {
+	done bool
+}
+
+func (w *manfixer) Write(buf []byte) (int, error) {
+	if !w.done {
+		w.done = true
+		if bytes.HasPrefix(buf, []byte(".TH snap 1 ")) {
+			// io.Writer.Write must not modify the buffer, even temporarily
+			n, _ := Stdout.Write(buf[:9])
+			Stdout.Write([]byte{'8'})
+			m, err := Stdout.Write(buf[10:])
+			return n + m + 1, err
+		}
+	}
+	return Stdout.Write(buf)
+}
+
 func (cmd cmdHelp) Execute(args []string) error {
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
-
 	if cmd.Manpage {
-		cmd.parser.WriteManPage(Stdout)
-		os.Exit(0)
+		// you shouldn't try to to combine --man with --all nor a
+		// subcommand, but --man is hidden so no real need to check.
+		cmd.parser.WriteManPage(&manfixer{})
+		return nil
+	}
+	if cmd.All {
+		if cmd.Positional.Sub != "" {
+			return fmt.Errorf(i18n.G("help accepts a command, or '--all', but not both."))
+		}
+		printLongHelp(cmd.parser)
+		return nil
+	}
+
+	if cmd.Positional.Sub != "" {
+		subcmd := cmd.parser.Find(cmd.Positional.Sub)
+		if subcmd == nil {
+			return fmt.Errorf(i18n.G("Unknown command %q. Try 'snap help'."), cmd.Positional.Sub)
+		}
+		// this makes "snap help foo" work the same as "snap foo --help"
+		cmd.parser.Command.Active = subcmd
+		return &flags.Error{Type: flags.ErrHelp}
+	}
+
+	return &flags.Error{Type: flags.ErrCommandRequired}
+}
+
+type helpCategory struct {
+	Label       string
+	Description string
+	Commands    []string
+}
+
+// helpCategories helps us by grouping commands
+var helpCategories = []helpCategory{
+	{
+		Label:       i18n.G("Basics"),
+		Description: i18n.G("basic snap management"),
+		Commands:    []string{"find", "info", "install", "list", "remove"},
+	}, {
+		Label:       i18n.G("...more"),
+		Description: i18n.G("slightly more advanced snap management"),
+		Commands:    []string{"refresh", "revert", "switch", "disable", "enable"},
+	}, {
+		Label:       i18n.G("History"),
+		Description: i18n.G("manage system change transactions"),
+		Commands:    []string{"changes", "tasks", "abort", "watch"},
+	}, {
+		Label:       i18n.G("Daemons"),
+		Description: i18n.G("manage services"),
+		Commands:    []string{"services", "start", "stop", "restart", "logs"},
+	}, {
+		Label:       i18n.G("Commands"),
+		Description: i18n.G("manage aliases"),
+		Commands:    []string{"alias", "aliases", "unalias", "prefer"},
+	}, {
+		Label:       i18n.G("Configuration"),
+		Description: i18n.G("system administration and configuration"),
+		Commands:    []string{"get", "set", "wait"},
+	}, {
+		Label:       i18n.G("Account"),
+		Description: i18n.G("authentication to snapd and the snap store"),
+		Commands:    []string{"login", "logout", "whoami"},
+	}, {
+		Label:       i18n.G("Permissions"),
+		Description: i18n.G("manage permissions"),
+		Commands:    []string{"interfaces", "interface", "connect", "disconnect"},
+	}, {
+		Label:       i18n.G("Snapshots"),
+		Description: i18n.G("archives of snap data"),
+		Commands:    []string{"saved", "save", "check-snapshot", "restore", "forget"},
+	}, {
+		Label:       i18n.G("Other"),
+		Description: i18n.G("miscellanea"),
+		Commands:    []string{"version", "warnings", "okay"},
+	}, {
+		Label:       i18n.G("Development"),
+		Description: i18n.G("developer-oriented features"),
+		Commands:    []string{"run", "pack", "try", "ack", "known", "download"},
+	},
+}
+
+var (
+	longSnapDescription = strings.TrimSpace(i18n.G(`
+The snap command lets you install, configure, refresh and remove snaps.
+Snaps are packages that work across many different Linux distributions,
+enabling secure delivery and operation of the latest apps and utilities.
+`))
+	snapUsage               = i18n.G("Usage: snap <command> [<options>...]")
+	snapHelpCategoriesIntro = i18n.G("Commands can be classified as follows:")
+	snapHelpAllFooter       = i18n.G("For more information about a command, run 'snap help <command>'.")
+	snapHelpFooter          = i18n.G("For a short summary of all commands, run 'snap help --all'.")
+)
+
+func printHelpHeader() {
+	fmt.Fprintln(Stdout, longSnapDescription)
+	fmt.Fprintln(Stdout)
+	fmt.Fprintln(Stdout, snapUsage)
+	fmt.Fprintln(Stdout)
+	fmt.Fprintln(Stdout, snapHelpCategoriesIntro)
+	fmt.Fprintln(Stdout)
+}
+
+func printHelpAllFooter() {
+	fmt.Fprintln(Stdout)
+	fmt.Fprintln(Stdout, snapHelpAllFooter)
+}
+
+func printHelpFooter() {
+	printHelpAllFooter()
+	fmt.Fprintln(Stdout, snapHelpFooter)
+}
+
+// this is called when the Execute returns a flags.Error with ErrCommandRequired
+func printShortHelp() {
+	printHelpHeader()
+	maxLen := 0
+	for _, categ := range helpCategories {
+		if l := utf8.RuneCountInString(categ.Label); l > maxLen {
+			maxLen = l
+		}
+	}
+	for _, categ := range helpCategories {
+		fmt.Fprintf(Stdout, "%*s: %s\n", maxLen+2, categ.Label, strings.Join(categ.Commands, ", "))
+	}
+	printHelpFooter()
+}
+
+// this is "snap help --all"
+func printLongHelp(parser *flags.Parser) {
+	printHelpHeader()
+	maxLen := 0
+	for _, categ := range helpCategories {
+		for _, command := range categ.Commands {
+			if l := len(command); l > maxLen {
+				maxLen = l
+			}
+		}
+	}
+
+	// flags doesn't have a LookupCommand?
+	commands := parser.Commands()
+	cmdLookup := make(map[string]*flags.Command, len(commands))
+	for _, cmd := range commands {
+		cmdLookup[cmd.Name] = cmd
 	}
 
-	return &flags.Error{
-		Type: flags.ErrHelp,
+	for _, categ := range helpCategories {
+		fmt.Fprintln(Stdout)
+		fmt.Fprintf(Stdout, "  %s (%s):\n", categ.Label, categ.Description)
+		for _, name := range categ.Commands {
+			cmd := cmdLookup[name]
+			if cmd == nil {
+				fmt.Fprintf(Stderr, "??? Cannot find command %q mentioned in help categories, please report!\n", name)
+			} else {
+				fmt.Fprintf(Stdout, "    %*s  %s\n", -maxLen, name, cmd.ShortDescription)
+			}
+		}
 	}
+	printHelpAllFooter()
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_help_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_help_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_help_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_help_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,8 +20,13 @@
 package main_test
 
 import (
+	"bytes"
+	"fmt"
 	"os"
+	"regexp"
+	"strings"
 
+	"github.com/jessevdk/go-flags"
 	"gopkg.in/check.v1"
 
 	snap "github.com/snapcore/snapd/cmd/snap"
@@ -32,50 +37,140 @@
 	defer func() { os.Args = origArgs }()
 
 	for _, cmdLine := range [][]string{
+		{"snap"},
 		{"snap", "help"},
 		{"snap", "--help"},
 		{"snap", "-h"},
 	} {
+		s.ResetStdStreams()
+
 		os.Args = cmdLine
+		comment := check.Commentf("%q", cmdLine)
 
 		err := snap.RunMain()
-		c.Assert(err, check.IsNil)
-		c.Check(s.Stdout(), check.Matches, `(?smU)Usage:
- +snap \[OPTIONS\] <command>
+		c.Assert(err, check.IsNil, comment)
+		c.Check(s.Stdout(), check.Matches, "(?s)"+strings.Join([]string{
+			snap.LongSnapDescription,
+			"",
+			regexp.QuoteMeta(snap.SnapUsage),
+			"", ".*", "",
+			snap.SnapHelpAllFooter,
+			snap.SnapHelpFooter,
+		}, "\n")+`\s*`, comment)
+		c.Check(s.Stderr(), check.Equals, "", comment)
+	}
+}
 
-Install, configure, refresh and remove snap packages. Snaps are
-'universal' packages that work across many different Linux systems,
-enabling secure distribution of the latest apps and utilities for
-cloud, servers, desktops and the internet of things.
+func (s *SnapSuite) TestHelpAllPrintsLongHelp(c *check.C) {
+	origArgs := os.Args
+	defer func() { os.Args = origArgs }()
 
-This is the CLI for snapd, a background service that takes care of
-snaps on the system. Start with 'snap list' to see installed snaps.
+	os.Args = []string{"snap", "help", "--all"}
 
+	err := snap.RunMain()
+	c.Assert(err, check.IsNil)
+	c.Check(s.Stdout(), check.Matches, "(?sm)"+strings.Join([]string{
+		snap.LongSnapDescription,
+		"",
+		regexp.QuoteMeta(snap.SnapUsage),
+		"",
+		snap.SnapHelpCategoriesIntro,
+		"", ".*", "",
+		snap.SnapHelpAllFooter,
+	}, "\n")+`\s*`)
+	c.Check(s.Stderr(), check.Equals, "")
+}
 
-Application Options:
- +--version +Print the version and exit
+func nonHiddenCommands() map[string]bool {
+	parser := snap.Parser(snap.Client())
+	commands := parser.Commands()
+	names := make(map[string]bool, len(commands))
+	for _, cmd := range commands {
+		if cmd.Hidden {
+			continue
+		}
+		names[cmd.Name] = true
+	}
+	return names
+}
+
+func (s *SnapSuite) testSubCommandHelp(c *check.C, sub, expected string) {
+	parser := snap.Parser(snap.Client())
+	rest, err := parser.ParseArgs([]string{sub, "--help"})
+	c.Assert(err, check.DeepEquals, &flags.Error{Type: flags.ErrHelp})
+	c.Assert(rest, check.HasLen, 0)
+	var buf bytes.Buffer
+	parser.WriteHelp(&buf)
+	c.Check(buf.String(), check.Equals, expected)
+}
+
+func (s *SnapSuite) TestSubCommandHelpPrintsHelp(c *check.C) {
+	origArgs := os.Args
+	defer func() { os.Args = origArgs }()
 
-Help Options:
- +-h, --help +Show this help message
+	for cmd := range nonHiddenCommands() {
+		s.ResetStdStreams()
+		os.Args = []string{"snap", cmd, "--help"}
 
-Available commands:
- +abort.*
-`)
-		c.Check(s.Stderr(), check.Equals, "")
+		err := snap.RunMain()
+		comment := check.Commentf("%q", cmd)
+		c.Assert(err, check.IsNil, comment)
+		// regexp matches "Usage: snap <the command>" plus an arbitrary
+		// number of [<something>] plus an arbitrary number of
+		// <<something>> optionally ending in ellipsis
+		c.Check(s.Stdout(), check.Matches, fmt.Sprintf(`(?sm)Usage:\s+snap %s(?: \[[^][]+\])*(?:(?: <[^<>]+>)+(?:\.\.\.)?)?$.*`, cmd), comment)
+		c.Check(s.Stderr(), check.Equals, "", comment)
 	}
 }
 
-func (s *SnapSuite) TestSubCommandHelpPrintsHelp(c *check.C) {
+func (s *SnapSuite) TestHelpCategories(c *check.C) {
+	// non-hidden commands that are not expected to appear in the help summary
+	excluded := []string{
+		"help",
+	}
+	all := nonHiddenCommands()
+	categorised := make(map[string]bool, len(all)+len(excluded))
+	for _, cmd := range excluded {
+		categorised[cmd] = true
+	}
+	seen := make(map[string]string, len(all))
+	for _, categ := range snap.HelpCategories {
+		for _, cmd := range categ.Commands {
+			categorised[cmd] = true
+			if seen[cmd] != "" {
+				c.Errorf("duplicated: %q in %q and %q", cmd, seen[cmd], categ.Label)
+			}
+			seen[cmd] = categ.Label
+		}
+	}
+	for cmd := range all {
+		if !categorised[cmd] {
+			c.Errorf("uncategorised: %q", cmd)
+		}
+	}
+	for cmd := range categorised {
+		if !all[cmd] {
+			c.Errorf("unknown (hidden?): %q", cmd)
+		}
+	}
+}
+
+func (s *SnapSuite) TestHelpCommandAllFails(c *check.C) {
 	origArgs := os.Args
 	defer func() { os.Args = origArgs }()
+	os.Args = []string{"snap", "help", "interfaces", "--all"}
+
+	err := snap.RunMain()
+	c.Assert(err, check.ErrorMatches, "help accepts a command, or '--all', but not both.")
+}
 
-	os.Args = []string{"snap", "install", "--help"}
+func (s *SnapSuite) TestManpageInSection8(c *check.C) {
+	origArgs := os.Args
+	defer func() { os.Args = origArgs }()
+	os.Args = []string{"snap", "help", "--man"}
 
 	err := snap.RunMain()
 	c.Assert(err, check.IsNil)
-	c.Check(s.Stdout(), check.Matches, `(?smU)Usage:
- +snap \[OPTIONS\] install \[install-OPTIONS\] <snap>...
-.*
-`)
-	c.Check(s.Stderr(), check.Equals, "")
+
+	c.Check(s.Stdout(), check.Matches, `\.TH snap 8 (?s).*`)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_info.go snapd-2.37~rc1~14.04/cmd/snap/cmd_info.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_info.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_info.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,13 +20,14 @@
 package main
 
 import (
-	"bytes"
 	"fmt"
 	"io"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"
 	"time"
+	"unicode"
+	"unicode/utf8"
 
 	"github.com/jessevdk/go-flags"
 	"gopkg.in/yaml.v2"
@@ -40,15 +41,25 @@
 )
 
 type infoCmd struct {
+	clientMixin
+	colorMixin
+	timeMixin
+
 	Verbose    bool `long:"verbose"`
 	Positional struct {
 		Snaps []anySnapName `positional-arg-name:"<snap>" required:"1"`
 	} `positional-args:"yes" required:"yes"`
 }
 
-var shortInfoHelp = i18n.G("Show detailed information about a snap")
+var shortInfoHelp = i18n.G("Show detailed information about snaps")
 var longInfoHelp = i18n.G(`
-The info command shows detailed information about a snap, be it by name or by path.`)
+The info command shows detailed information about snaps.
+
+The snaps can be specified by name or by path; names are looked for both in the
+store and in the installed snaps; paths can refer to a .snap file, or to a
+directory that contains an unpacked snap suitable for 'snap try' (an example
+of this would be the 'prime' directory snapcraft produces).
+`)
 
 func init() {
 	addCommand("info",
@@ -56,9 +67,10 @@
 		longInfoHelp,
 		func() flags.Commander {
 			return &infoCmd{}
-		}, map[string]string{
-			"verbose": i18n.G("Include a verbose list of a snap's notes (otherwise, summarise notes)"),
-		}, nil)
+		}, colorDescs.also(timeDescs).also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"verbose": i18n.G("Include more details on the snap (expanded notes, base, etc.)"),
+		}), nil)
 }
 
 func norm(path string) string {
@@ -100,6 +112,12 @@
 	}
 }
 
+func maybePrintBase(w io.Writer, base string, verbose bool) {
+	if verbose && base != "" {
+		fmt.Fprintf(w, "base:\t%s\n", base)
+	}
+}
+
 func tryDirect(w io.Writer, path string, verbose bool) bool {
 	path = norm(path)
 
@@ -122,7 +140,7 @@
 		return false
 	}
 	fmt.Fprintf(w, "path:\t%q\n", path)
-	fmt.Fprintf(w, "name:\t%s\n", info.Name())
+	fmt.Fprintf(w, "name:\t%s\n", info.InstanceName())
 	fmt.Fprintf(w, "summary:\t%s\n", formatSummary(info.Summary()))
 
 	var notes *Notes
@@ -140,6 +158,7 @@
 	}
 	fmt.Fprintf(w, "version:\t%s %s\n", info.Version, notes)
 	maybePrintType(w, string(info.Type))
+	maybePrintBase(w, info.Base, verbose)
 	if sha3_384 != "" {
 		fmt.Fprintf(w, "sha3-384:\t%s\n", sha3_384)
 	}
@@ -156,27 +175,90 @@
 	return nil
 }
 
-// formatDescr formats a given string (typically a snap description)
+// runesTrimRightSpace returns text, with any trailing whitespace dropped.
+func runesTrimRightSpace(text []rune) []rune {
+	j := len(text)
+	for j > 0 && unicode.IsSpace(text[j-1]) {
+		j--
+	}
+	return text[:j]
+}
+
+// runesLastIndexSpace returns the index of the last whitespace rune
+// in the text. If the text has no whitespace, returns -1.
+func runesLastIndexSpace(text []rune) int {
+	for i := len(text) - 1; i >= 0; i-- {
+		if unicode.IsSpace(text[i]) {
+			return i
+		}
+	}
+	return -1
+}
+
+// wrapLine wraps a line to fit into width, preserving the line's indent, and
+// writes it out prepending padding to each line.
+func wrapLine(out io.Writer, text []rune, pad string, width int) error {
+	// Note: this is _wrong_ for much of unicode (because the width of a rune on
+	//       the terminal is anything between 0 and 2, not always 1 as this code
+	//       assumes) but fixing that is Hard. Long story short, you can get close
+	//       using a couple of big unicode tables (which is what wcwidth
+	//       does). Getting it 100% requires a terminfo-alike of unicode behaviour.
+	//       However, before this we'd count bytes instead of runes, so we'd be
+	//       even more broken. Think of it as successive approximations... at least
+	//       with this work we share tabwriter's opinion on the width of things!
+
+	// This (and possibly printDescr below) should move to strutil once
+	// we're happy with it getting wider (heh heh) use.
+
+	// discard any trailing whitespace
+	text = runesTrimRightSpace(text)
+	// establish the indent of the whole block
+	idx := 0
+	for idx < len(text) && unicode.IsSpace(text[idx]) {
+		idx++
+	}
+	indent := pad + string(text[:idx])
+	text = text[idx:]
+	width -= idx + utf8.RuneCountInString(pad)
+	var err error
+	for len(text) > width && err == nil {
+		// find a good place to chop the text
+		idx = runesLastIndexSpace(text[:width+1])
+		if idx < 0 {
+			// there's no whitespace; just chop at line width
+			idx = width
+		}
+		_, err = fmt.Fprint(out, indent, string(text[:idx]), "\n")
+		// prune any remaining whitespace before the start of the next line
+		for idx < len(text) && unicode.IsSpace(text[idx]) {
+			idx++
+		}
+		text = text[idx:]
+	}
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprint(out, indent, string(text), "\n")
+	return err
+}
+
+// printDescr formats a given string (typically a snap description)
 // in a user friendly way.
 //
 // The rules are (intentionally) very simple:
-// - trim whitespace
-// - word wrap at "max" chars
-// - keep \n intact and break here
-// - ignore \r
-func formatDescr(descr string, max int) string {
-	out := bytes.NewBuffer(nil)
-	for _, line := range strings.Split(strings.TrimSpace(descr), "\n") {
-		if len(line) > max {
-			for _, chunk := range strutil.WordWrap(line, max) {
-				fmt.Fprintf(out, "  %s\n", chunk)
-			}
-		} else {
-			fmt.Fprintf(out, "  %s\n", line)
+// - trim trailing whitespace
+// - word wrap at "max" chars preserving line indent
+// - keep \n intact and break there
+func printDescr(w io.Writer, descr string, max int) error {
+	var err error
+	descr = strings.TrimRightFunc(descr, unicode.IsSpace)
+	for _, line := range strings.Split(descr, "\n") {
+		err = wrapLine(w, []rune(line), "  ", max)
+		if err != nil {
+			break
 		}
 	}
-
-	return strings.TrimSuffix(out.String(), "\n")
+	return err
 }
 
 func maybePrintCommands(w io.Writer, snapName string, allApps []client.AppInfo, n int) {
@@ -240,9 +322,19 @@
 var channelRisks = []string{"stable", "candidate", "beta", "edge"}
 
 // displayChannels displays channels and tracks in the right order
-func displayChannels(w io.Writer, remote *client.Snap) {
-	// \t\t\t so we get "installed" lined up with "channels"
-	fmt.Fprintf(w, "channels:\t\t\t\n")
+func (x *infoCmd) displayChannels(w io.Writer, chantpl string, esc *escapes, remote *client.Snap, revLen, sizeLen int) (maxRevLen, maxSizeLen int) {
+	fmt.Fprintln(w, "channels:")
+
+	releasedfmt := "2006-01-02"
+	if x.AbsTime {
+		releasedfmt = time.RFC3339
+	}
+
+	type chInfoT struct {
+		name, version, released, revision, size, notes string
+	}
+	var chInfos []*chInfoT
+	maxRevLen, maxSizeLen = revLen, sizeLen
 
 	// order by tracks
 	for _, tr := range remote.Tracks {
@@ -253,23 +345,36 @@
 			if tr == "latest" {
 				chName = risk
 			}
-			var version, revision, size, notes string
+			chInfo := chInfoT{name: chName}
 			if ok {
-				version = ch.Version
-				revision = fmt.Sprintf("(%s)", ch.Revision)
-				size = strutil.SizeToStr(ch.Size)
-				notes = NotesFromChannelSnapInfo(ch).String()
+				chInfo.version = ch.Version
+				chInfo.revision = fmt.Sprintf("(%s)", ch.Revision)
+				if len(chInfo.revision) > maxRevLen {
+					maxRevLen = len(chInfo.revision)
+				}
+				chInfo.released = ch.ReleasedAt.Format(releasedfmt)
+				chInfo.size = strutil.SizeToStr(ch.Size)
+				if len(chInfo.size) > maxSizeLen {
+					maxSizeLen = len(chInfo.size)
+				}
+				chInfo.notes = NotesFromChannelSnapInfo(ch).String()
 				trackHasOpenChannel = true
 			} else {
 				if trackHasOpenChannel {
-					version = "↑"
+					chInfo.version = esc.uparrow
 				} else {
-					version = "–" // that's an en dash (so yaml is happy)
+					chInfo.version = esc.dash
 				}
 			}
-			fmt.Fprintf(w, "  %s:\t%s\t%s\t%s\t%s\n", chName, version, revision, size, notes)
+			chInfos = append(chInfos, &chInfo)
 		}
 	}
+
+	for _, chInfo := range chInfos {
+		fmt.Fprintf(w, "  "+chantpl, chInfo.name, chInfo.version, chInfo.released, maxRevLen, chInfo.revision, maxSizeLen, chInfo.size, chInfo.notes)
+	}
+
+	return maxRevLen, maxSizeLen
 }
 
 func formatSummary(raw string) string {
@@ -281,8 +386,6 @@
 }
 
 func (x *infoCmd) Execute([]string) error {
-	cli := Client()
-
 	termWidth, _ := termSize()
 	termWidth -= 3
 	if termWidth > 100 {
@@ -290,6 +393,7 @@
 		termWidth = 100
 	}
 
+	esc := x.getEscapes()
 	w := tabwriter.NewWriter(Stdout, 2, 2, 1, ' ', 0)
 
 	noneOK := true
@@ -298,13 +402,17 @@
 		if i > 0 {
 			fmt.Fprintln(w, "---")
 		}
+		if snapName == "system" {
+			fmt.Fprintln(w, "system: You can't have it.")
+			continue
+		}
 
 		if tryDirect(w, snapName, x.Verbose) {
 			noneOK = false
 			continue
 		}
-		remote, resInfo, _ := cli.FindOne(snapName)
-		local, _, _ := cli.Snap(snapName)
+		remote, resInfo, _ := x.client.FindOne(snapName)
+		local, _, _ := x.client.Snap(snapName)
 
 		both := coalesce(local, remote)
 
@@ -320,19 +428,18 @@
 
 		fmt.Fprintf(w, "name:\t%s\n", both.Name)
 		fmt.Fprintf(w, "summary:\t%s\n", formatSummary(both.Summary))
-		// TODO: have publisher; use publisher here,
-		// and additionally print developer if publisher != developer
-		fmt.Fprintf(w, "publisher:\t%s\n", both.Developer)
+		fmt.Fprintf(w, "publisher:\t%s\n", longPublisher(esc, both.Publisher))
 		if both.Contact != "" {
 			fmt.Fprintf(w, "contact:\t%s\n", strings.TrimPrefix(both.Contact, "mailto:"))
 		}
 		license := both.License
 		if license == "" {
-			license = "unknown"
+			license = "unset"
 		}
 		fmt.Fprintf(w, "license:\t%s\n", license)
 		maybePrintPrice(w, remote, resInfo)
-		fmt.Fprintf(w, "description: |\n%s\n", formatDescr(both.Description, termWidth))
+		fmt.Fprintln(w, "description: |")
+		printDescr(w, both.Description, termWidth)
 		maybePrintCommands(w, snapName, both.Apps, termWidth)
 		maybePrintServices(w, snapName, both.Apps, termWidth)
 
@@ -364,18 +471,33 @@
 		// stops the notes etc trying to be aligned with channels
 		w.Flush()
 		maybePrintType(w, both.Type)
+		maybePrintBase(w, both.Base, x.Verbose)
 		maybePrintID(w, both)
+		var localRev, localSize string
+		var revLen, sizeLen int
 		if local != nil {
-			fmt.Fprintf(w, "tracking:\t%s\n", local.TrackingChannel)
-			fmt.Fprintf(w, "refreshed:\t%s\n", local.InstallDate.Format(time.RFC3339))
-		}
-		w.Flush()
-		if local != nil {
-			fmt.Fprintf(w, "installed:\t%s\t(%s)\t%s\t%s\n", local.Version, local.Revision, strutil.SizeToStr(local.InstalledSize), notes)
+			if local.TrackingChannel != "" {
+				fmt.Fprintf(w, "tracking:\t%s\n", local.TrackingChannel)
+			}
+			if !local.InstallDate.IsZero() {
+				fmt.Fprintf(w, "refresh-date:\t%s\n", x.fmtTime(local.InstallDate))
+			}
+			localRev = fmt.Sprintf("(%s)", local.Revision)
+			revLen = len(localRev)
+			localSize = strutil.SizeToStr(local.InstalledSize)
+			sizeLen = len(localSize)
 		}
 
+		chantpl := "%s:\t%s %s%*s %*s %s\n"
 		if remote != nil && remote.Channels != nil && remote.Tracks != nil {
-			displayChannels(w, remote)
+			chantpl = "%s:\t%s\t%s\t%*s\t%*s\t%s\n"
+
+			w.Flush()
+			revLen, sizeLen = x.displayChannels(w, chantpl, esc, remote, revLen, sizeLen)
+		}
+		if local != nil {
+			fmt.Fprintf(w, chantpl,
+				"installed", local.Version, "", revLen, localRev, sizeLen, localSize, notes)
 		}
 
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_info_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_info_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_info_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_info_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"bytes"
 	"fmt"
 	"net/http"
+	"time"
 
 	"gopkg.in/check.v1"
 
@@ -48,7 +49,13 @@
 
 var mixedAppInfos = append(append([]client.AppInfo(nil), cmdAppInfos...), svcAppInfos...)
 
-func (s *SnapSuite) TestMaybePrintServices(c *check.C) {
+type infoSuite struct {
+	BaseSnapSuite
+}
+
+var _ = check.Suite(&infoSuite{})
+
+func (s *infoSuite) TestMaybePrintServices(c *check.C) {
 	for _, infos := range [][]client.AppInfo{svcAppInfos, mixedAppInfos} {
 		var buf bytes.Buffer
 		snap.MaybePrintServices(&buf, "foo", infos, -1)
@@ -60,7 +67,7 @@
 	}
 }
 
-func (s *SnapSuite) TestMaybePrintServicesNoServices(c *check.C) {
+func (s *infoSuite) TestMaybePrintServicesNoServices(c *check.C) {
 	for _, infos := range [][]client.AppInfo{cmdAppInfos, nil} {
 		var buf bytes.Buffer
 		snap.MaybePrintServices(&buf, "foo", infos, -1)
@@ -69,7 +76,7 @@
 	}
 }
 
-func (s *SnapSuite) TestMaybePrintCommands(c *check.C) {
+func (s *infoSuite) TestMaybePrintCommands(c *check.C) {
 	for _, infos := range [][]client.AppInfo{cmdAppInfos, mixedAppInfos} {
 		var buf bytes.Buffer
 		snap.MaybePrintCommands(&buf, "foo", infos, -1)
@@ -81,7 +88,7 @@
 	}
 }
 
-func (s *SnapSuite) TestMaybePrintCommandsNoCommands(c *check.C) {
+func (s *infoSuite) TestMaybePrintCommandsNoCommands(c *check.C) {
 	for _, infos := range [][]client.AppInfo{svcAppInfos, nil} {
 		var buf bytes.Buffer
 		snap.MaybePrintCommands(&buf, "foo", infos, -1)
@@ -90,7 +97,7 @@
 	}
 }
 
-func (s *SnapSuite) TestInfoPriced(c *check.C) {
+func (s *infoSuite) TestInfoPriced(c *check.C) {
 	n := 0
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
 		switch n {
@@ -108,12 +115,12 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"info", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"info", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `name:      hello
 summary:   GNU Hello, the "hello world" snap
-publisher: canonical
+publisher: Canonical*
 license:   Proprietary
 price:     1.99GBP
 description: |
@@ -135,6 +142,12 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "download-size": 65536,
       "icon": "",
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
@@ -156,7 +169,55 @@
 }
 `
 
-func (s *SnapSuite) TestInfoUnquoted(c *check.C) {
+const mockInfoJSONWithChannels = `
+{
+  "type": "sync",
+  "status-code": 200,
+  "status": "OK",
+  "result": [
+    {
+      "channel": "stable",
+      "confinement": "strict",
+      "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
+      "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
+      "download-size": 65536,
+      "icon": "",
+      "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
+      "name": "hello",
+      "private": false,
+      "resource": "/v2/snaps/hello",
+      "revision": "1",
+      "status": "available",
+      "summary": "The GNU Hello snap",
+      "type": "app",
+      "version": "2.10",
+      "license": "MIT",
+      "channels": {
+        "1/stable": {
+          "revision": "1",
+          "version": "2.10",
+          "channel": "1/stable",
+          "size": 65536,
+          "released-at": "2018-12-18T15:16:56.723501Z"
+        }
+      },
+      "tracks": ["1"]
+    }
+  ],
+  "sources": [
+    "store"
+  ],
+  "suggested-currency": "GBP"
+}
+`
+
+func (s *infoSuite) TestInfoUnquoted(c *check.C) {
 	n := 0
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
 		switch n {
@@ -169,17 +230,17 @@
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps/hello")
 			fmt.Fprintln(w, "{}")
 		default:
-			c.Fatalf("expected to get 1 requests, now on %d (%v)", n+1, r)
+			c.Fatalf("expected to get 2 requests, now on %d (%v)", n+1, r)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"info", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"info", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `name:      hello
 summary:   The GNU Hello snap
-publisher: canonical
+publisher: Canonical*
 license:   MIT
 description: |
   GNU hello prints a friendly greeting. This is part of the snapcraft tour at
@@ -199,7 +260,15 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
+      "install-date": "2006-01-02T22:04:07.123456789Z",
+      "installed-size": 1024,
       "name": "hello",
       "private": false,
       "resource": "/v2/snaps/hello",
@@ -209,8 +278,7 @@
       "type": "app",
       "version": "2.10",
       "license": "BSD-3",
-      "tracking-channel": "beta",
-      "installed-size": 1024
+      "tracking-channel": "beta"
     }
 }
 `
@@ -224,23 +292,30 @@
       "confinement": "strict",
       "description": "GNU hello prints a friendly greeting. This is part of the snapcraft tour at https://snapcraft.io/",
       "developer": "canonical",
+      "publisher": {
+         "id": "canonical",
+         "username": "canonical",
+         "display-name": "Canonical",
+         "validation": "verified"
+      },
       "id": "mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6",
+      "install-date": "2006-01-02T22:04:07.123456789Z",
+      "installed-size": 1024,
       "name": "hello",
       "private": false,
       "resource": "/v2/snaps/hello",
-      "revision": "1",
+      "revision": "100",
       "status": "available",
       "summary": "The GNU Hello snap",
       "type": "app",
       "version": "2.10",
       "license": "",
-      "tracking-channel": "beta",
-      "installed-size": 1024
+      "tracking-channel": "beta"
     }
 }
 `
 
-func (s *SnapSuite) TestInfoWithLocalDifferentLicense(c *check.C) {
+func (s *infoSuite) TestInfoWithLocalDifferentLicense(c *check.C) {
 	n := 0
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
 		switch n {
@@ -253,30 +328,30 @@
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps/hello")
 			fmt.Fprintln(w, mockInfoJSONOtherLicense)
 		default:
-			c.Fatalf("expected to get 1 requests, now on %d (%v)", n+1, r)
+			c.Fatalf("expected to get 2 requests, now on %d (%v)", n+1, r)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"info", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"info", "--abs-time", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `name:      hello
 summary:   The GNU Hello snap
-publisher: canonical
+publisher: Canonical*
 license:   BSD-3
 description: |
   GNU hello prints a friendly greeting. This is part of the snapcraft tour at
   https://snapcraft.io/
-snap-id:   mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
-tracking:  beta
-refreshed: 0001-01-01T00:00:00Z
-installed: 2.10 (1) 1kB disabled
+snap-id:      mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
+tracking:     beta
+refresh-date: 2006-01-02T22:04:07Z
+installed:    2.10 (1) 1kB disabled
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 }
 
-func (s *SnapSuite) TestInfoWithLocalNoLicense(c *check.C) {
+func (s *infoSuite) TestInfoWithLocalNoLicense(c *check.C) {
 	n := 0
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
 		switch n {
@@ -289,25 +364,189 @@
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps/hello")
 			fmt.Fprintln(w, mockInfoJSONNoLicense)
 		default:
-			c.Fatalf("expected to get 1 requests, now on %d (%v)", n+1, r)
+			c.Fatalf("expected to get 2 requests, now on %d (%v)", n+1, r)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"info", "hello"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"info", "--abs-time", "hello"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `name:      hello
 summary:   The GNU Hello snap
-publisher: canonical
-license:   unknown
+publisher: Canonical*
+license:   unset
 description: |
   GNU hello prints a friendly greeting. This is part of the snapcraft tour at
   https://snapcraft.io/
-snap-id:   mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
-tracking:  beta
-refreshed: 0001-01-01T00:00:00Z
-installed: 2.10 (1) 1kB disabled
+snap-id:      mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
+tracking:     beta
+refresh-date: 2006-01-02T22:04:07Z
+installed:    2.10 (100) 1kB disabled
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 }
+
+func (s *infoSuite) TestInfoWithChannelsAndLocal(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0, 2, 4:
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/v2/find")
+			fmt.Fprintln(w, mockInfoJSONWithChannels)
+		case 1, 3, 5:
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/v2/snaps/hello")
+			fmt.Fprintln(w, mockInfoJSONNoLicense)
+		default:
+			c.Fatalf("expected to get 6 requests, now on %d (%v)", n+1, r)
+		}
+
+		n++
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"info", "--abs-time", "hello"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Equals, `name:      hello
+summary:   The GNU Hello snap
+publisher: Canonical*
+license:   unset
+description: |
+  GNU hello prints a friendly greeting. This is part of the snapcraft tour at
+  https://snapcraft.io/
+snap-id:      mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
+tracking:     beta
+refresh-date: 2006-01-02T22:04:07Z
+channels:
+  1/stable:    2.10 2018-12-18T15:16:56Z   (1) 65kB -
+  1/candidate: ^                                    
+  1/beta:      ^                                    
+  1/edge:      ^                                    
+installed:     2.10                      (100)  1kB disabled
+`)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(n, check.Equals, 2)
+
+	// now the same but without abs-time
+	s.ResetStdStreams()
+	rest, err = snap.Parser(snap.Client()).ParseArgs([]string{"info", "hello"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Equals, `name:      hello
+summary:   The GNU Hello snap
+publisher: Canonical*
+license:   unset
+description: |
+  GNU hello prints a friendly greeting. This is part of the snapcraft tour at
+  https://snapcraft.io/
+snap-id:      mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
+tracking:     beta
+refresh-date: 2006-01-02
+channels:
+  1/stable:    2.10 2018-12-18   (1) 65kB -
+  1/candidate: ^                          
+  1/beta:      ^                          
+  1/edge:      ^                          
+installed:     2.10            (100)  1kB disabled
+`)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(n, check.Equals, 4)
+
+	// now the same but with unicode on
+	s.ResetStdStreams()
+	rest, err = snap.Parser(snap.Client()).ParseArgs([]string{"info", "--unicode=always", "hello"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Equals, `name:      hello
+summary:   The GNU Hello snap
+publisher: Canonical✓
+license:   unset
+description: |
+  GNU hello prints a friendly greeting. This is part of the snapcraft tour at
+  https://snapcraft.io/
+snap-id:      mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
+tracking:     beta
+refresh-date: 2006-01-02
+channels:
+  1/stable:    2.10 2018-12-18   (1) 65kB -
+  1/candidate: ↑                          
+  1/beta:      ↑                          
+  1/edge:      ↑                          
+installed:     2.10            (100)  1kB disabled
+`)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(n, check.Equals, 6)
+}
+
+func (s *infoSuite) TestInfoHumanTimes(c *check.C) {
+	// checks that tiemutil.Human is called when no --abs-time is given
+	restore := snap.MockTimeutilHuman(func(time.Time) string { return "TOTALLY NOT A ROBOT" })
+	defer restore()
+
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0:
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/v2/find")
+			fmt.Fprintln(w, "{}")
+		case 1:
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/v2/snaps/hello")
+			fmt.Fprintln(w, mockInfoJSONNoLicense)
+		default:
+			c.Fatalf("expected to get 2 requests, now on %d (%v)", n+1, r)
+		}
+
+		n++
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"info", "hello"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Equals, `name:      hello
+summary:   The GNU Hello snap
+publisher: Canonical*
+license:   unset
+description: |
+  GNU hello prints a friendly greeting. This is part of the snapcraft tour at
+  https://snapcraft.io/
+snap-id:      mVyGrEwiqSi5PugCwyH7WgpoQLemtTd6
+tracking:     beta
+refresh-date: TOTALLY NOT A ROBOT
+installed:    2.10 (100) 1kB disabled
+`)
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (infoSuite) TestDescr(c *check.C) {
+	for k, v := range map[string]string{
+		"": "  \n",
+		`one:
+ * two three four five six  
+   * seven height nine ten
+`: `  one:
+   * two three four
+   five six
+     * seven height
+     nine ten
+`,
+		"abcdefghijklm nopqrstuvwxyz ABCDEFGHIJKLMNOPQR STUVWXYZ": `
+  abcdefghijklm
+  nopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQR
+  STUVWXYZ
+`[1:],
+		// not much we can do when it won't fit
+		"abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ": `
+  abcdefghijklmnopqr
+  stuvwxyz
+  ABCDEFGHIJKLMNOPQR
+  STUVWXYZ
+`[1:],
+	} {
+		var buf bytes.Buffer
+		snap.PrintDescr(&buf, k, 20)
+		c.Check(buf.String(), check.Equals, v, check.Commentf("%q", k))
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_interface.go snapd-2.37~rc1~14.04/cmd/snap/cmd_interface.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_interface.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_interface.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"io"
 	"sort"
@@ -32,6 +33,7 @@
 )
 
 type cmdInterface struct {
+	clientMixin
 	ShowAttrs   bool `long:"attrs"`
 	ShowAll     bool `long:"all"`
 	Positionals struct {
@@ -39,7 +41,7 @@
 	} `positional-args:"true"`
 }
 
-var shortInterfaceHelp = i18n.G("Lists snap interfaces")
+var shortInterfaceHelp = i18n.G("Show details of snap interfaces")
 var longInterfaceHelp = i18n.G(`
 The interface command shows details of snap interfaces.
 
@@ -51,12 +53,14 @@
 	addCommand("interface", shortInterfaceHelp, longInterfaceHelp, func() flags.Commander {
 		return &cmdInterface{}
 	}, map[string]string{
+		// TRANSLATORS: This should not start with a lowercase letter.
 		"attrs": i18n.G("Show interface attributes"),
-		"all":   i18n.G("Include unused interfaces"),
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"all": i18n.G("Include unused interfaces"),
 	}, []argDesc{{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+		// TRANSLATORS: This needs to begin with < and end with >
 		name: i18n.G("<interface>"),
-		// TRANSLATORS: This should probably not start with a lowercase letter.
+		// TRANSLATORS: This should not start with a lowercase letter.
 		desc: i18n.G("Show details of a specific interface"),
 	}})
 }
@@ -69,7 +73,7 @@
 	if x.Positionals.Interface != "" {
 		// Show one interface in detail.
 		name := string(x.Positionals.Interface)
-		ifaces, err := Client().Interfaces(&client.InterfaceOptions{
+		ifaces, err := x.client.Interfaces(&client.InterfaceOptions{
 			Names: []string{name},
 			Doc:   true,
 			Plugs: true,
@@ -84,7 +88,7 @@
 		x.showOneInterface(ifaces[0])
 	} else {
 		// Show an overview of available interfaces.
-		ifaces, err := Client().Interfaces(&client.InterfaceOptions{
+		ifaces, err := x.client.Interfaces(&client.InterfaceOptions{
 			Connected: !x.ShowAll,
 		})
 		if err != nil {
@@ -179,7 +183,7 @@
 	for _, name := range names {
 		value := attrs[name]
 		switch value.(type) {
-		case string, int, bool:
+		case string, bool, json.Number:
 			fmt.Fprintf(w, "%s  %s:\t%v\n", indent, name, value)
 		}
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_interfaces.go snapd-2.37~rc1~14.04/cmd/snap/cmd_interfaces.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_interfaces.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_interfaces.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,18 +28,19 @@
 )
 
 type cmdInterfaces struct {
+	clientMixin
 	Interface   string `short:"i"`
 	Positionals struct {
 		Query interfacesSlotOrPlugSpec `skip-help:"true"`
 	} `positional-args:"true"`
 }
 
-var shortInterfacesHelp = i18n.G("Lists interfaces in the system")
+var shortInterfacesHelp = i18n.G("List interfaces' slots and plugs")
 var longInterfacesHelp = i18n.G(`
 The interfaces command lists interfaces available in the system.
 
 By default all slots and plugs, used and offered by all snaps, are displayed.
- 
+
 $ snap interfaces <snap>:<slot or plug>
 
 Lists only the specified slot or plug.
@@ -50,18 +51,20 @@
 
 $ snap interfaces -i=<interface> [<snap>]
 
-Filters the complete output so only plugs and/or slots matching the provided details are listed.
+Filters the complete output so only plugs and/or slots matching the provided
+details are listed.
 `)
 
 func init() {
 	addCommand("interfaces", shortInterfacesHelp, longInterfacesHelp, func() flags.Commander {
 		return &cmdInterfaces{}
 	}, map[string]string{
+		// TRANSLATORS: This should not start with a lowercase letter.
 		"i": i18n.G("Constrain listing to specific interfaces"),
 	}, []argDesc{{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+		// TRANSLATORS: This needs to begin with < and end with >
 		name: i18n.G("<snap>:<slot or plug>"),
-		// TRANSLATORS: This should probably not start with a lowercase letter.
+		// TRANSLATORS: This should not start with a lowercase letter.
 		desc: i18n.G("Constrain listing to a specific snap or snap:name"),
 	}})
 }
@@ -71,7 +74,7 @@
 		return ErrExtraArgs
 	}
 
-	ifaces, err := Client().Connections()
+	ifaces, err := x.client.Connections()
 	if err != nil {
 		return err
 	}
@@ -81,11 +84,32 @@
 	w := tabWriter()
 	defer w.Flush()
 	fmt.Fprintln(w, i18n.G("Slot\tPlug"))
+
+	wantedSnap := x.Positionals.Query.Snap
+
 	for _, slot := range ifaces.Slots {
-		if wanted := x.Positionals.Query.Snap; wanted != "" {
-			ok := wanted == slot.Snap
+		if wantedSnap != "" {
+			var ok bool
+			if wantedSnap == slot.Snap {
+				ok = true
+			}
+			// Normally snap nicknames are handled internally in the snapd
+			// layer. This specific command is an exception as it does
+			// client-side filtering. As a special case, when the user asked
+			// for the snap "core" but we see the "system" nickname or the
+			// "snapd" snap, treat that as a match.
+			//
+			// The system nickname was returned in 2.35.
+			// The snapd snap is returned by 2.36+ if snapd snap is installed
+			// and is the host for implicit interfaces.
+			if (wantedSnap == "core" || wantedSnap == "snapd" || wantedSnap == "system") && (slot.Snap == "core" || slot.Snap == "snapd" || slot.Snap == "system") {
+				ok = true
+			}
+
 			for i := 0; i < len(slot.Connections) && !ok; i++ {
-				ok = wanted == slot.Connections[i].Snap
+				if wantedSnap == slot.Connections[i].Snap {
+					ok = true
+				}
 			}
 			if !ok {
 				continue
@@ -97,9 +121,10 @@
 		if x.Interface != "" && slot.Interface != x.Interface {
 			continue
 		}
-		// The OS snap is special and enable abbreviated
-		// display syntax on the slot-side of the connection.
-		if slot.Snap == "core" || slot.Snap == "ubuntu-core" {
+		// There are two special snaps, the "core" and "snapd" snaps are
+		// abbreviated to an empty snap name. The "system" snap name is still
+		// here in case we talk to older snapd for some reason.
+		if slot.Snap == "core" || slot.Snap == "snapd" || slot.Snap == "system" {
 			fmt.Fprintf(w, ":%s\t", slot.Name)
 		} else {
 			fmt.Fprintf(w, "%s:%s\t", slot.Snap, slot.Name)
@@ -123,8 +148,10 @@
 	// Plugs are treated differently. Since the loop above already printed each connected
 	// plug, the loop below focuses on printing just the disconnected plugs.
 	for _, plug := range ifaces.Plugs {
-		if x.Positionals.Query.Snap != "" && x.Positionals.Query.Snap != plug.Snap {
-			continue
+		if wantedSnap != "" {
+			if wantedSnap != plug.Snap {
+				continue
+			}
 		}
 		if x.Positionals.Query.Name != "" && x.Positionals.Query.Name != plug.Name {
 			continue
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_interfaces_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_interfaces_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_interfaces_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_interfaces_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -50,7 +50,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -81,7 +81,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -132,7 +132,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -143,7 +143,7 @@
 
 	s.SetUpTest(c)
 	// should be the same
-	rest, err = Parser().ParseArgs([]string{"interfaces", "canonical-pi2"})
+	rest, err = Parser(Client()).ParseArgs([]string{"interfaces", "canonical-pi2"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, expectedStdout)
@@ -151,7 +151,7 @@
 
 	s.SetUpTest(c)
 	// and the same again
-	rest, err = Parser().ParseArgs([]string{"interfaces", "keyboard-lights"})
+	rest, err = Parser(Client()).ParseArgs([]string{"interfaces", "keyboard-lights"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, expectedStdout)
@@ -189,7 +189,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -256,7 +256,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -278,7 +278,7 @@
 			"result": client.Connections{
 				Slots: []client.Slot{
 					{
-						Snap:      "core",
+						Snap:      "system",
 						Name:      "network-listening",
 						Interface: "network-listening",
 						Label:     "Ability to be a network service",
@@ -302,7 +302,7 @@
 						Label:     "Ability to be a network service",
 						Connections: []client.SlotRef{
 							{
-								Snap: "core",
+								Snap: "system",
 								Name: "network-listening",
 							},
 						},
@@ -314,7 +314,7 @@
 						Label:     "Ability to be a network service",
 						Connections: []client.SlotRef{
 							{
-								Snap: "core",
+								Snap: "system",
 								Name: "network-listening",
 							},
 						},
@@ -323,7 +323,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -372,7 +372,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces", "-i=serial-port"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces", "-i=serial-port"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -415,7 +415,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces", "wake-up-alarm"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces", "wake-up-alarm"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -426,6 +426,61 @@
 	c.Assert(s.Stderr(), Equals, "")
 }
 
+func (s *SnapSuite) TestConnectionsOfSystemNicknameSnap(c *C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Method, Equals, "GET")
+		c.Check(r.URL.Path, Equals, "/v2/interfaces")
+		body, err := ioutil.ReadAll(r.Body)
+		c.Check(err, IsNil)
+		c.Check(body, DeepEquals, []byte{})
+		EncodeResponseBody(c, w, map[string]interface{}{
+			"type": "sync",
+			"result": client.Connections{
+				Slots: []client.Slot{
+					{
+						Snap:        "system",
+						Name:        "core-support",
+						Interface:   "some-iface",
+						Connections: []client.PlugRef{{Snap: "core", Name: "core-support-plug"}},
+					}, {
+						Snap:      "foo",
+						Name:      "foo-slot",
+						Interface: "foo-slot-iface",
+					},
+				},
+				Plugs: []client.Plug{
+					{
+						Snap:        "core",
+						Name:        "core-support-plug",
+						Interface:   "some-iface",
+						Connections: []client.SlotRef{{Snap: "system", Name: "core-support"}},
+					},
+				},
+			},
+		})
+	})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces", "system"})
+	c.Assert(err, IsNil)
+	c.Assert(rest, DeepEquals, []string{})
+	expectedStdout := "" +
+		"Slot           Plug\n" +
+		":core-support  core:core-support-plug\n"
+	c.Assert(s.Stdout(), Equals, expectedStdout)
+	c.Assert(s.Stderr(), Equals, "")
+
+	s.ResetStdStreams()
+
+	// when called with system nickname we get the same output
+	rest, err = Parser(Client()).ParseArgs([]string{"interfaces", "system"})
+	c.Assert(err, IsNil)
+	c.Assert(rest, DeepEquals, []string{})
+	expectedStdoutSystem := "" +
+		"Slot           Plug\n" +
+		":core-support  core:core-support-plug\n"
+	c.Assert(s.Stdout(), Equals, expectedStdoutSystem)
+	c.Assert(s.Stderr(), Equals, "")
+}
+
 func (s *SnapSuite) TestConnectionsOfSpecificSnapAndSlot(c *C) {
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
 		c.Check(r.Method, Equals, "GET")
@@ -459,7 +514,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces", "wake-up-alarm:snooze"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces", "wake-up-alarm:snooze"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -481,7 +536,7 @@
 			"result": client.Connections{},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces"})
 	c.Assert(err, ErrorMatches, "no interfaces found")
 	// XXX: not sure why this is returned, I guess that's what happens when a
 	// command Execute returns an error.
@@ -523,7 +578,7 @@
 			},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interfaces", "-i", "bool-file"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces", "-i", "bool-file"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -552,7 +607,7 @@
 	defer os.Unsetenv("GO_FLAGS_COMPLETION")
 
 	expected := []flags.Completion{}
-	parser := Parser()
+	parser := Parser(Client())
 	parser.CompletionHandler = func(obtained []flags.Completion) {
 		c.Check(obtained, DeepEquals, expected)
 	}
@@ -572,3 +627,48 @@
 	c.Assert(s.Stdout(), Equals, "")
 	c.Assert(s.Stderr(), Equals, "")
 }
+
+func (s *SnapSuite) TestConnectionsCoreNicknamedSystem(c *C) {
+	s.checkConnectionsSystemCoreRemapping(c, "core", "system")
+}
+
+func (s *SnapSuite) TestConnectionsSnapdNicknamedSystem(c *C) {
+	s.checkConnectionsSystemCoreRemapping(c, "snapd", "system")
+}
+
+func (s *SnapSuite) TestConnectionsSnapdNicknamedCore(c *C) {
+	s.checkConnectionsSystemCoreRemapping(c, "snapd", "core")
+}
+
+func (s *SnapSuite) TestConnectionsCoreSnap(c *C) {
+	s.checkConnectionsSystemCoreRemapping(c, "core", "core")
+}
+
+func (s *SnapSuite) checkConnectionsSystemCoreRemapping(c *C, apiSnapName, cliSnapName string) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Method, Equals, "GET")
+		c.Check(r.URL.Path, Equals, "/v2/interfaces")
+		body, err := ioutil.ReadAll(r.Body)
+		c.Check(err, IsNil)
+		c.Check(body, DeepEquals, []byte{})
+		EncodeResponseBody(c, w, map[string]interface{}{
+			"type": "sync",
+			"result": client.Connections{
+				Slots: []client.Slot{
+					{
+						Snap: apiSnapName,
+						Name: "network",
+					},
+				},
+			},
+		})
+	})
+	rest, err := Parser(Client()).ParseArgs([]string{"interfaces", cliSnapName})
+	c.Assert(err, IsNil)
+	c.Assert(rest, DeepEquals, []string{})
+	expectedStdout := "" +
+		"Slot      Plug\n" +
+		":network  -\n"
+	c.Assert(s.Stdout(), Equals, expectedStdout)
+	c.Assert(s.Stderr(), Equals, "")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_interface_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_interface_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_interface_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_interface_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -33,29 +33,21 @@
 
 func (s *SnapSuite) TestInterfaceHelp(c *C) {
 	msg := `Usage:
-  snap.test [OPTIONS] interface [interface-OPTIONS] [<interface>]
+  snap.test interface [interface-OPTIONS] [<interface>]
 
 The interface command shows details of snap interfaces.
 
 If no interface name is provided, a list of interface names with at least
 one connection is shown, or a list of all interfaces if --all is provided.
 
-Application Options:
-      --version          Print the version and exit
-
-Help Options:
-  -h, --help             Show this help message
-
 [interface command options]
-          --attrs        Show interface attributes
-          --all          Include unused interfaces
+      --attrs          Show interface attributes
+      --all            Include unused interfaces
 
 [interface command arguments]
-  <interface>:           Show details of a specific interface
+  <interface>:         Show details of a specific interface
 `
-	rest, err := Parser().ParseArgs([]string{"interface", "--help"})
-	c.Assert(err.Error(), Equals, msg)
-	c.Assert(rest, DeepEquals, []string{})
+	s.testSubCommandHelp(c, "interface", msg)
 }
 
 func (s *SnapSuite) TestInterfaceListEmpty(c *C) {
@@ -71,7 +63,7 @@
 			"result": []*client.Interface{},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interface"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interface"})
 	c.Assert(err, ErrorMatches, "no interfaces currently connected")
 	c.Assert(rest, DeepEquals, []string{"interface"})
 	c.Assert(s.Stdout(), Equals, "")
@@ -91,7 +83,7 @@
 			"result": []*client.Interface{},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interface", "--all"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interface", "--all"})
 	c.Assert(err, ErrorMatches, "no interfaces found")
 	c.Assert(rest, DeepEquals, []string{"--all"}) // XXX: feels like a bug in go-flags.
 	c.Assert(s.Stdout(), Equals, "")
@@ -117,7 +109,7 @@
 			}},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interface"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interface"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -150,7 +142,7 @@
 			}},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interface", "--all"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interface", "--all"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -180,11 +172,11 @@
 					{Snap: "deepin-music", Name: "network"},
 					{Snap: "http", Name: "network"},
 				},
-				Slots: []client.Slot{{Snap: "core", Name: "network"}},
+				Slots: []client.Slot{{Snap: "system", Name: "network"}},
 			}},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interface", "network"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interface", "network"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -195,7 +187,7 @@
 		"  - deepin-music\n" +
 		"  - http\n" +
 		"slots:\n" +
-		"  - core\n"
+		"  - system\n"
 	c.Assert(s.Stdout(), Equals, expectedStdout)
 	c.Assert(s.Stderr(), Equals, "")
 }
@@ -224,12 +216,13 @@
 						"header":   "pin-array",
 						"location": "internal",
 						"path":     "/dev/ttyS0",
+						"number":   1,
 					},
 				}},
 			}},
 		})
 	})
-	rest, err := Parser().ParseArgs([]string{"interface", "--attrs", "serial-port"})
+	rest, err := Parser(Client()).ParseArgs([]string{"interface", "--attrs", "serial-port"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedStdout := "" +
@@ -241,6 +234,7 @@
 		"  - gizmo-gadget:debug-serial-port (serial port for debugging):\n" +
 		"      header:   pin-array\n" +
 		"      location: internal\n" +
+		"      number:   1\n" +
 		"      path:     /dev/ttyS0\n"
 	c.Assert(s.Stdout(), Equals, expectedStdout)
 	c.Assert(s.Stderr(), Equals, "")
@@ -266,7 +260,7 @@
 	defer os.Unsetenv("GO_FLAGS_COMPLETION")
 
 	expected := []flags.Completion{}
-	parser := Parser()
+	parser := Parser(Client())
 	parser.CompletionHandler = func(obtained []flags.Completion) {
 		c.Check(obtained, DeepEquals, expected)
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_keys.go snapd-2.37~rc1~14.04/cmd/snap/cmd_keys.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_keys.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_keys.go	2019-01-16 08:36:51.000000000 +0000
@@ -36,10 +36,16 @@
 func init() {
 	cmd := addCommand("keys",
 		i18n.G("List cryptographic keys"),
-		i18n.G("List cryptographic keys that can be used for signing assertions."),
+		i18n.G(`
+The keys command lists cryptographic keys that can be used for signing
+assertions.
+`),
 		func() flags.Commander {
 			return &cmdKeys{}
-		}, map[string]string{"json": i18n.G("Output results in JSON format")}, nil)
+		}, map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"json": i18n.G("Output results in JSON format"),
+		}, nil)
 	cmd.hidden = true
 }
 
@@ -60,7 +66,7 @@
 
 func outputText(keys []Key) error {
 	if len(keys) == 0 {
-		fmt.Fprintf(Stdout, "No keys registered, see `snapcraft create-key`")
+		fmt.Fprintf(Stderr, "No keys registered, see `snapcraft create-key`\n")
 		return nil
 	}
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_keys_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_keys_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_keys_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_keys_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,6 +25,7 @@
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"testing"
 
 	. "gopkg.in/check.v1"
 
@@ -60,6 +61,9 @@
 `)
 
 func (s *SnapKeysSuite) SetUpTest(c *C) {
+	if testing.Short() && s.GnupgCmd == "/usr/bin/gpg2" {
+		c.Skip("gpg2 does not do short tests")
+	}
 	s.BaseSnapSuite.SetUpTest(c)
 
 	s.tempdir = c.MkDir()
@@ -87,7 +91,7 @@
 }
 
 func (s *SnapKeysSuite) TestKeys(c *C) {
-	rest, err := snap.Parser().ParseArgs([]string{"keys"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"keys"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Matches, `Name +SHA3-384
@@ -102,15 +106,15 @@
 	err := os.RemoveAll(s.tempdir)
 	c.Assert(err, IsNil)
 
-	rest, err := snap.Parser().ParseArgs([]string{"keys"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"keys"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
-	c.Check(s.Stdout(), Equals, "No keys registered, see `snapcraft create-key`")
-	c.Check(s.Stderr(), Equals, "")
+	c.Check(s.Stdout(), Equals, "")
+	c.Check(s.Stderr(), Equals, "No keys registered, see `snapcraft create-key`\n")
 }
 
 func (s *SnapKeysSuite) TestKeysJSON(c *C) {
-	rest, err := snap.Parser().ParseArgs([]string{"keys", "--json"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"keys", "--json"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	expectedResponse := []snap.Key{
@@ -132,7 +136,7 @@
 func (s *SnapKeysSuite) TestKeysJSONEmpty(c *C) {
 	err := os.RemoveAll(os.Getenv("SNAP_GNUPG_HOME"))
 	c.Assert(err, IsNil)
-	rest, err := snap.Parser().ParseArgs([]string{"keys", "--json"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"keys", "--json"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Check(s.Stdout(), Equals, "[]\n")
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_known.go snapd-2.37~rc1~14.04/cmd/snap/cmd_known.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_known.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_known.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,6 +32,7 @@
 )
 
 type cmdKnown struct {
+	clientMixin
 	KnownOptions struct {
 		// XXX: how to get a list of assert types for completion?
 		AssertTypeName assertTypeName `required:"true"`
@@ -41,7 +42,7 @@
 	Remote bool `long:"remote"`
 }
 
-var shortKnownHelp = i18n.G("Shows known assertions of the provided type")
+var shortKnownHelp = i18n.G("Show known assertions of the provided type")
 var longKnownHelp = i18n.G(`
 The known command shows known assertions of the provided type.
 If header=value pairs are provided after the assertion type, the assertions
@@ -53,14 +54,14 @@
 		return &cmdKnown{}
 	}, nil, []argDesc{
 		{
-			// TRANSLATORS: This needs to be wrapped in <>s.
+			// TRANSLATORS: This needs to begin with < and end with >
 			name: i18n.G("<assertion type>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("Assertion type name"),
 		}, {
-			// TRANSLATORS: This needs to be wrapped in <>s.
+			// TRANSLATORS: This needs to begin with < and end with >
 			name: i18n.G("<header filter>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("Constrain listing to those matching header=value"),
 		},
 	})
@@ -112,7 +113,7 @@
 	if x.Remote {
 		assertions, err = downloadAssertion(string(x.KnownOptions.AssertTypeName), headers)
 	} else {
-		assertions, err = Client().Known(string(x.KnownOptions.AssertTypeName), headers)
+		assertions, err = x.client.Known(string(x.KnownOptions.AssertTypeName), headers)
 	}
 	if err != nil {
 		return err
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_known_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_known_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_known_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_known_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -78,7 +78,7 @@
 		n++
 	}))
 
-	rest, err := snap.Parser().ParseArgs([]string{"known", "--remote", "model", "series=16", "brand-id=canonical", "model=pi99"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"known", "--remote", "model", "series=16", "brand-id=canonical", "model=pi99"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, mockModelAssertion)
@@ -86,7 +86,7 @@
 }
 
 func (s *SnapSuite) TestKnownRemoteMissingPrimaryKey(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"known", "--remote", "model", "series=16", "brand-id=canonical"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"known", "--remote", "model", "series=16", "brand-id=canonical"})
 	c.Assert(err, check.ErrorMatches, `cannot query remote assertion: must provide primary key: model`)
 }
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_list.go snapd-2.37~rc1~14.04/cmd/snap/cmd_list.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_list.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_list.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,19 +35,28 @@
 
 var shortListHelp = i18n.G("List installed snaps")
 var longListHelp = i18n.G(`
-The list command displays a summary of snaps installed in the current system.`)
+The list command displays a summary of snaps installed in the current system.
+
+A green check mark (given color and unicode support) after a publisher name
+indicates that the publisher has been verified.
+`)
 
 type cmdList struct {
+	clientMixin
 	Positional struct {
 		Snaps []installedSnapName `positional-arg-name:"<snap>"`
 	} `positional-args:"yes"`
 
 	All bool `long:"all"`
+	colorMixin
 }
 
 func init() {
 	addCommand("list", shortListHelp, longListHelp, func() flags.Commander { return &cmdList{} },
-		map[string]string{"all": i18n.G("Show all revisions")}, nil)
+		colorDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"all": i18n.G("Show all revisions"),
+		}), nil)
 }
 
 type snapsByName []*client.Snap
@@ -56,14 +65,6 @@
 func (s snapsByName) Less(i, j int) bool { return s[i].Name < s[j].Name }
 func (s snapsByName) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
 
-func (x *cmdList) Execute(args []string) error {
-	if len(args) > 0 {
-		return ErrExtraArgs
-	}
-
-	return listSnaps(installedSnapNames(x.Positional.Snaps), x.All)
-}
-
 var ErrNoMatchingSnaps = errors.New(i18n.G("no matching snaps installed"))
 
 // snapd will give us  and we want
@@ -102,13 +103,17 @@
 	return ch
 }
 
-func listSnaps(names []string, all bool) error {
-	cli := Client()
-	snaps, err := cli.List(names, &client.ListOptions{All: all})
+func (x *cmdList) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+
+	names := installedSnapNames(x.Positional.Snaps)
+	snaps, err := x.client.List(names, &client.ListOptions{All: x.All})
 	if err != nil {
 		if err == client.ErrNoSnapsInstalled {
 			if len(names) == 0 {
-				fmt.Fprintln(Stderr, i18n.G("No snaps are installed yet. Try \"snap install hello-world\"."))
+				fmt.Fprintln(Stderr, i18n.G("No snaps are installed yet. Try 'snap install hello-world'."))
 				return nil
 			} else {
 				return ErrNoMatchingSnaps
@@ -120,28 +125,25 @@
 	}
 	sort.Sort(snapsByName(snaps))
 
+	esc := x.getEscapes()
 	w := tabWriter()
-	defer w.Flush()
 
-	fmt.Fprintln(w, i18n.G("Name\tVersion\tRev\tTracking\tDeveloper\tNotes"))
+	// TRANSLATORS: the %s is to insert a filler escape sequence (please keep it flush to the column header, with no extra spaces)
+	fmt.Fprintf(w, i18n.G("Name\tVersion\tRev\tTracking\tPublisher%s\tNotes\n"), fillerPublisher(esc))
 
 	for _, snap := range snaps {
-		// Aid parsing of the output by not leaving the field empty.
-		dev := snap.Developer
-		if dev == "" {
-			dev = "-"
-		}
 		// doing it this way because otherwise it's a sea of %s\t%s\t%s
 		line := []string{
 			snap.Name,
 			snap.Version,
 			snap.Revision.String(),
 			fmtChannel(snap.TrackingChannel),
-			dev,
+			shortPublisher(esc, snap.Publisher),
 			NotesFromLocal(snap).String(),
 		}
 		fmt.Fprintln(w, strings.Join(line, "\t"))
 	}
+	w.Flush()
 
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_list_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_list_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_list_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_list_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,22 +30,21 @@
 
 func (s *SnapSuite) TestListHelp(c *check.C) {
 	msg := `Usage:
-  snap.test [OPTIONS] list [list-OPTIONS] [<snap>...]
+  snap.test list [list-OPTIONS] [<snap>...]
 
 The list command displays a summary of snaps installed in the current system.
 
-Application Options:
-      --version     Print the version and exit
-
-Help Options:
-  -h, --help        Show this help message
+A green check mark (given color and unicode support) after a publisher name
+indicates that the publisher has been verified.
 
 [list command options]
-          --all     Show all revisions
+      --all                           Show all revisions
+      --color=[auto|never|always]     Use a little bit of color to highlight
+                                      some things. (default: auto)
+      --unicode=[auto|never|always]   Use a little bit of Unicode to improve
+                                      legibility. (default: auto)
 `
-	rest, err := snap.Parser().ParseArgs([]string{"list", "--help"})
-	c.Assert(err.Error(), check.Equals, msg)
-	c.Assert(rest, check.DeepEquals, []string{})
+	s.testSubCommandHelp(c, "list", msg)
 }
 
 func (s *SnapSuite) TestList(c *check.C) {
@@ -56,17 +55,17 @@
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps")
 			c.Check(r.URL.RawQuery, check.Equals, "")
-			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "revision":17, "tracking-channel": "potatoes"}]}`)
+			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "publisher": {"id": "bar-id", "username": "bar", "display-name": "Bar", "validation": "unproven"}, "revision":17, "tracking-channel": "potatoes"}]}`)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"list"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"list"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Tracking +Developer +Notes
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Tracking +Publisher +Notes
 foo +4.2 +17 +potatoes +bar +-
 `)
 	c.Check(s.Stderr(), check.Equals, "")
@@ -80,17 +79,17 @@
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps")
 			c.Check(r.URL.RawQuery, check.Equals, "select=all")
-			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "revision":17, "tracking-channel": "stable"}]}`)
+			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "publisher": {"id": "bar-id", "username": "bar", "display-name": "Bar", "validation": "unproven"}, "revision":17, "tracking-channel": "stable"}]}`)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"list", "--all"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"list", "--all"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Tracking +Developer +Notes
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Tracking +Publisher +Notes
 foo +4.2 +17 +stable +bar +-
 `)
 	c.Check(s.Stderr(), check.Equals, "")
@@ -110,11 +109,11 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"list"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"list"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, "")
-	c.Check(s.Stderr(), check.Equals, "No snaps are installed yet. Try \"snap install hello-world\".\n")
+	c.Check(s.Stderr(), check.Equals, "No snaps are installed yet. Try 'snap install hello-world'.\n")
 }
 
 func (s *SnapSuite) TestListEmptyWithQuery(c *check.C) {
@@ -131,7 +130,7 @@
 
 		n++
 	})
-	_, err := snap.Parser().ParseArgs([]string{"list", "quux"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"list", "quux"})
 	c.Assert(err, check.ErrorMatches, `no matching snaps installed`)
 }
 
@@ -150,7 +149,7 @@
 
 		n++
 	})
-	_, err := snap.Parser().ParseArgs([]string{"list", "quux"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"list", "quux"})
 	c.Assert(err, check.ErrorMatches, "no matching snaps installed")
 }
 
@@ -162,17 +161,17 @@
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps")
 			c.Check(r.URL.Query().Get("snaps"), check.Equals, "foo")
-			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "revision":17, "tracking-channel": "1.10/stable/fix1234"}]}`)
+			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "publisher": {"id": "bar-id", "username": "bar", "display-name": "Bar", "validation": "unproven"}, "revision":17, "tracking-channel": "1.10/stable/fix1234"}]}`)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"list", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"list", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Tracking +Developer +Notes
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Tracking +Publisher +Notes
 foo +4.2 +17 +1\.10/stable/… +bar +-
 `)
 	c.Check(s.Stderr(), check.Equals, "")
@@ -188,7 +187,7 @@
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps")
 			fmt.Fprintln(w, `{"type": "sync", "result": [
-{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "revision":17, "trymode": true}
+{"name": "foo", "status": "active", "version": "4.2", "developer": "bar", "publisher": {"id": "bar-id", "username": "bar", "display-name": "Bar", "validation": "unproven"}, "revision":17, "trymode": true}
 ,{"name": "dm1", "status": "active", "version": "5", "revision":1, "devmode": true, "confinement": "devmode"}
 ,{"name": "dm2", "status": "active", "version": "5", "revision":1, "devmode": true, "confinement": "strict"}
 ,{"name": "cf1", "status": "active", "version": "6", "revision":2, "confinement": "devmode", "jailmode": true}
@@ -199,10 +198,10 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"list"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"list"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?ms)^Name +Version +Rev +Tracking +Developer +Notes$`)
+	c.Check(s.Stdout(), check.Matches, `(?ms)^Name +Version +Rev +Tracking +Publisher +Notes$`)
 	c.Check(s.Stdout(), check.Matches, `(?ms).*^foo +4.2 +17 +- +bar +try$`)
 	c.Check(s.Stdout(), check.Matches, `(?ms).*^dm1 +.* +devmode$`)
 	c.Check(s.Stdout(), check.Matches, `(?ms).*^dm2 +.* +devmode$`)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_login.go snapd-2.37~rc1~14.04/cmd/snap/cmd_login.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_login.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_login.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,21 +31,24 @@
 )
 
 type cmdLogin struct {
+	clientMixin
 	Positional struct {
 		Email string
 	} `positional-args:"yes"`
 }
 
-var shortLoginHelp = i18n.G("Authenticates on snapd and the store")
+var shortLoginHelp = i18n.G("Authenticate to snapd and the store")
 
 var longLoginHelp = i18n.G(`
-The login command authenticates on snapd and the snap store and saves credentials
-into the ~/.snap/auth.json file. Further communication with snapd will then be made
-using those credentials.
+The login command authenticates the user to snapd and the snap store, and saves
+credentials into the ~/.snap/auth.json file. Further communication with snapd
+will then be made using those credentials.
+
+It's not necessary to log in to interact with snapd. Doing so, however, enables
+purchasing of snaps using 'snap buy', as well as some some developer-oriented
+features as detailed in the help for the find, install and refresh commands.
 
-Login only works for local users in the sudo, admin or wheel groups.
-
-An account can be setup at https://login.ubuntu.com
+An account can be set up at https://login.ubuntu.com
 `)
 
 func init() {
@@ -55,14 +58,14 @@
 		func() flags.Commander {
 			return &cmdLogin{}
 		}, nil, []argDesc{{
-			// TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+			// TRANSLATORS: This is a noun, and it needs to begin with < and end with >
 			name: i18n.G("<email>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter (unless it's "login.ubuntu.com")
 			desc: i18n.G("The login.ubuntu.com email to login as"),
 		}})
 }
 
-func requestLoginWith2faRetry(email, password string) error {
+func requestLoginWith2faRetry(cli *client.Client, email, password string) error {
 	var otp []byte
 	var err error
 
@@ -72,7 +75,6 @@
 		i18n.G("Wrong again. Once more: "),
 	}
 
-	cli := Client()
 	reader := bufio.NewReader(nil)
 
 	for i := 0; ; i++ {
@@ -92,7 +94,7 @@
 	}
 }
 
-func requestLogin(email string) error {
+func requestLogin(cli *client.Client, email string) error {
 	fmt.Fprint(Stdout, fmt.Sprintf(i18n.G("Password of %q: "), email))
 	password, err := ReadPassword(0)
 	fmt.Fprint(Stdout, "\n")
@@ -101,7 +103,7 @@
 	}
 
 	// strings.TrimSpace needed because we get \r from the pty in the tests
-	return requestLoginWith2faRetry(email, strings.TrimSpace(string(password)))
+	return requestLoginWith2faRetry(cli, email, strings.TrimSpace(string(password)))
 }
 
 func (x *cmdLogin) Execute(args []string) error {
@@ -109,6 +111,10 @@
 		return ErrExtraArgs
 	}
 
+	//TRANSLATORS: after the "... at" follows a URL in the next line
+	fmt.Fprint(Stdout, i18n.G("Personal information is handled as per our privacy notice at\n"))
+	fmt.Fprint(Stdout, "https://www.ubuntu.com/legal/dataprivacy/snap-store\n\n")
+
 	email := x.Positional.Email
 	if email == "" {
 		fmt.Fprint(Stdout, i18n.G("Email address: "))
@@ -119,7 +125,7 @@
 		email = string(in)
 	}
 
-	err := requestLogin(email)
+	err := requestLogin(x.client, email)
 	if err != nil {
 		return err
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_login_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_login_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_login_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_login_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -54,10 +54,13 @@
 
 	// send the password
 	s.password = "some-password\n"
-	rest, err := snap.Parser().ParseArgs([]string{"login", "foo@example.com"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"login", "foo@example.com"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
-	c.Check(s.Stdout(), Equals, `Password of "foo@example.com": 
+	c.Check(s.Stdout(), Equals, `Personal information is handled as per our privacy notice at
+https://www.ubuntu.com/legal/dataprivacy/snap-store
+
+Password of "foo@example.com": 
 Login successful
 `)
 	c.Check(s.Stderr(), Equals, "")
@@ -73,13 +76,16 @@
 	// send the password
 	s.password = "some-password"
 
-	rest, err := snap.Parser().ParseArgs([]string{"login"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"login"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	// test slightly ugly, on a real system STDOUT will be:
 	//    Email address: foo@example.com\n
 	// because the input to stdin is echoed
-	c.Check(s.Stdout(), Equals, `Email address: Password of "foo@example.com": 
+	c.Check(s.Stdout(), Equals, `Personal information is handled as per our privacy notice at
+https://www.ubuntu.com/legal/dataprivacy/snap-store
+
+Email address: Password of "foo@example.com": 
 Login successful
 `)
 	c.Check(s.Stderr(), Equals, "")
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_logout.go snapd-2.37~rc1~14.04/cmd/snap/cmd_logout.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_logout.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_logout.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,11 +25,15 @@
 	"github.com/snapcore/snapd/i18n"
 )
 
-type cmdLogout struct{}
+type cmdLogout struct {
+	clientMixin
+}
 
-var shortLogoutHelp = i18n.G("Log out of the store")
+var shortLogoutHelp = i18n.G("Log out of snapd and the store")
 
-var longLogoutHelp = i18n.G("This command logs the current user out of the store")
+var longLogoutHelp = i18n.G(`
+The logout command logs the current user out of snapd and the store.
+`)
 
 func init() {
 	addCommand("logout",
@@ -45,5 +49,5 @@
 		return ErrExtraArgs
 	}
 
-	return Client().Logout()
+	return cmd.client.Logout()
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_managed.go snapd-2.37~rc1~14.04/cmd/snap/cmd_managed.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_managed.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_managed.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,13 +27,15 @@
 	"github.com/jessevdk/go-flags"
 )
 
-var shortIsManagedHelp = i18n.G("Prints whether system is managed")
+var shortIsManagedHelp = i18n.G("Print whether the system is managed")
 var longIsManagedHelp = i18n.G(`
 The managed command will print true or false informing whether
 snapd has registered users.
 `)
 
-type cmdIsManaged struct{}
+type cmdIsManaged struct {
+	clientMixin
+}
 
 func init() {
 	cmd := addCommand("managed", shortIsManagedHelp, longIsManagedHelp, func() flags.Commander { return &cmdIsManaged{} }, nil, nil)
@@ -45,7 +47,7 @@
 		return ErrExtraArgs
 	}
 
-	sysinfo, err := Client().SysInfo()
+	sysinfo, err := cmd.client.SysInfo()
 	if err != nil {
 		return err
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_managed_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_managed_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_managed_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_managed_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -39,7 +39,7 @@
 			fmt.Fprintf(w, `{"type":"sync", "status-code": 200, "result": {"managed":%v}}`, managed)
 		})
 
-		_, err := snap.Parser().ParseArgs([]string{"managed"})
+		_, err := snap.Parser(snap.Client()).ParseArgs([]string{"managed"})
 		c.Assert(err, IsNil)
 		c.Check(s.Stdout(), Equals, fmt.Sprintf("%v\n", managed))
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_pack.go snapd-2.37~rc1~14.04/cmd/snap/cmd_pack.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_pack.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_pack.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,34 +21,66 @@
 
 import (
 	"fmt"
+	"path/filepath"
 
 	"github.com/jessevdk/go-flags"
 
 	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/pack"
 )
 
 type packCmd struct {
-	Positional struct {
+	CheckSkeleton bool   `long:"check-skeleton"`
+	Filename      string `long:"filename"`
+	Positional    struct {
 		SnapDir   string `positional-arg-name:"<snap-dir>"`
 		TargetDir string `positional-arg-name:"<target-dir>"`
 	} `positional-args:"yes"`
 }
 
-var shortPackHelp = i18n.G("Pack the given target dir as a snap")
+var shortPackHelp = i18n.G("Pack the given directory as a snap")
 var longPackHelp = i18n.G(`
-The pack command packs the given snap-dir as a snap.`)
+The pack command packs the given snap-dir as a snap and writes the result to
+target-dir. If target-dir is omitted, the result is written to current
+directory. If both source-dir and target-dir are omitted, the pack command packs
+the current directory.
+
+The default file name for a snap can be derived entirely from its snap.yaml, but
+in some situations it's simpler for a script to feed the filename in. In those
+cases, --filename can be given to override the default. If this filename is
+not absolute it will be taken as relative to target-dir.
+
+When used with --check-skeleton, pack only checks whether snap-dir contains
+valid snap metadata and raises an error otherwise. Application commands listed
+in snap metadata file, but appearing with incorrect permission bits result in an
+error. Commands that are missing from snap-dir are listed in diagnostic
+messages.
+`)
 
 func init() {
-	addCommand("pack",
+	cmd := addCommand("pack",
 		shortPackHelp,
 		longPackHelp,
 		func() flags.Commander {
 			return &packCmd{}
-		}, nil, nil)
+		}, map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"check-skeleton": i18n.G("Validate snap-dir metadata only"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"filename": i18n.G("Output to this filename"),
+		}, nil)
+	cmd.extra = func(cmd *flags.Command) {
+		// TRANSLATORS: this describes the default filename for a snap, e.g. core_16-2.35.2_amd64.snap
+		cmd.FindOptionByLongName("filename").DefaultMask = i18n.G("<name>_<version>_<architecture>.snap")
+	}
 }
 
 func (x *packCmd) Execute([]string) error {
+	if x.Positional.TargetDir != "" && x.Filename != "" && filepath.IsAbs(x.Filename) {
+		return fmt.Errorf(i18n.G("you can't specify an absolute filename while also specifying target dir."))
+	}
+
 	if x.Positional.SnapDir == "" {
 		x.Positional.SnapDir = "."
 	}
@@ -56,11 +88,22 @@
 		x.Positional.TargetDir = "."
 	}
 
-	snapPath, err := pack.Snap(x.Positional.SnapDir, x.Positional.TargetDir)
+	if x.CheckSkeleton {
+		err := pack.CheckSkeleton(x.Positional.SnapDir)
+		if err == snap.ErrMissingPaths {
+			return nil
+		}
+		return err
+	}
+
+	snapPath, err := pack.Snap(x.Positional.SnapDir, x.Positional.TargetDir, x.Filename)
 	if err != nil {
-		return fmt.Errorf("cannot pack %q: %v", x.Positional.SnapDir, err)
+		// TRANSLATORS: the %q is the snap-dir (the first positional
+		// argument to the command); the %v is an error
+		return fmt.Errorf(i18n.G("cannot pack %q: %v"), x.Positional.SnapDir, err)
 
 	}
-	fmt.Fprintf(Stdout, "built: %s\n", snapPath)
+	// TRANSLATORS: %s is the path to the built snap file
+	fmt.Fprintf(Stdout, i18n.G("built: %s\n"), snapPath)
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_pack_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_pack_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_pack_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_pack_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,103 @@
+package main_test
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"gopkg.in/check.v1"
+
+	snaprun "github.com/snapcore/snapd/cmd/snap"
+	"github.com/snapcore/snapd/logger"
+)
+
+const packSnapYaml = `name: hello
+version: 1.0.1
+apps:
+ app:
+  command: bin/hello
+`
+
+func makeSnapDirForPack(c *check.C, snapYaml string) string {
+	tempdir := c.MkDir()
+	c.Assert(os.Chmod(tempdir, 0755), check.IsNil)
+
+	// use meta/snap.yaml
+	metaDir := filepath.Join(tempdir, "meta")
+	err := os.Mkdir(metaDir, 0755)
+	c.Assert(err, check.IsNil)
+	err = ioutil.WriteFile(filepath.Join(metaDir, "snap.yaml"), []byte(snapYaml), 0644)
+	c.Assert(err, check.IsNil)
+
+	return tempdir
+}
+
+func (s *SnapSuite) TestPackCheckSkeletonNoAppFiles(c *check.C) {
+	_, r := logger.MockLogger()
+	defer r()
+
+	snapDir := makeSnapDirForPack(c, packSnapYaml)
+
+	// check-skeleton does not fail due to missing files
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"pack", "--check-skeleton", snapDir})
+	c.Assert(err, check.IsNil)
+}
+
+func (s *SnapSuite) TestPackCheckSkeletonBadMeta(c *check.C) {
+	// no snap name
+	snapYaml := `
+version: foobar
+apps:
+`
+	snapDir := makeSnapDirForPack(c, snapYaml)
+
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"pack", "--check-skeleton", snapDir})
+	c.Assert(err, check.ErrorMatches, `cannot validate snap "": snap name cannot be empty`)
+}
+
+func (s *SnapSuite) TestPackCheckSkeletonConflictingCommonID(c *check.C) {
+	// conflicting common-id
+	snapYaml := `name: foo
+version: foobar
+apps:
+  foo:
+    common-id: org.foo.foo
+  bar:
+    common-id: org.foo.foo
+`
+	snapDir := makeSnapDirForPack(c, snapYaml)
+
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"pack", "--check-skeleton", snapDir})
+	c.Assert(err, check.ErrorMatches, `cannot validate snap "foo": application ("bar" common-id "org.foo.foo" must be unique, already used by application "foo"|"foo" common-id "org.foo.foo" must be unique, already used by application "bar")`)
+}
+
+func (s *SnapSuite) TestPackPacksFailsForMissingPaths(c *check.C) {
+	_, r := logger.MockLogger()
+	defer r()
+
+	snapDir := makeSnapDirForPack(c, packSnapYaml)
+
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"pack", snapDir, snapDir})
+	c.Assert(err, check.ErrorMatches, ".* snap is unusable due to missing files")
+}
+
+func (s *SnapSuite) TestPackPacksASnap(c *check.C) {
+	snapDir := makeSnapDirForPack(c, packSnapYaml)
+
+	const helloBinContent = `#!/bin/sh
+printf "hello world"
+`
+	// an example binary
+	binDir := filepath.Join(snapDir, "bin")
+	err := os.Mkdir(binDir, 0755)
+	c.Assert(err, check.IsNil)
+	err = ioutil.WriteFile(filepath.Join(binDir, "hello"), []byte(helloBinContent), 0755)
+	c.Assert(err, check.IsNil)
+
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"pack", snapDir, snapDir})
+	c.Assert(err, check.IsNil)
+
+	matches, err := filepath.Glob(snapDir + "/hello*.snap")
+	c.Assert(err, check.IsNil)
+	c.Assert(matches, check.HasLen, 1)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_paths.go snapd-2.37~rc1~14.04/cmd/snap/cmd_paths.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_paths.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_paths.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,62 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/i18n"
+)
+
+var pathsHelp = i18n.G("Print system paths")
+var longPathsHelp = i18n.G(`
+The paths command prints the list of paths detected and used by snapd.
+`)
+
+type cmdPaths struct{}
+
+func init() {
+	addDebugCommand("paths", pathsHelp, longPathsHelp, func() flags.Commander {
+		return &cmdPaths{}
+	}, nil, nil)
+}
+
+func (cmd cmdPaths) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+
+	// TODO: include paths reported by snap-confine
+	for _, p := range []struct {
+		name string
+		path string
+	}{
+		{"SNAPD_MOUNT", dirs.SnapMountDir},
+		{"SNAPD_BIN", dirs.SnapBinariesDir},
+		{"SNAPD_LIBEXEC", dirs.DistroLibExecDir},
+	} {
+		fmt.Fprintf(Stdout, "%s=%s\n", p.name, p.path)
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_paths_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_paths_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_paths_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_paths_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,90 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	snap "github.com/snapcore/snapd/cmd/snap"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/release"
+)
+
+func (s *SnapSuite) TestPathsUbuntu(c *C) {
+	restore := release.MockReleaseInfo(&release.OS{ID: "ubuntu"})
+	defer restore()
+	defer dirs.SetRootDir("/")
+
+	dirs.SetRootDir("/")
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "paths"})
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, ""+
+		"SNAPD_MOUNT=/snap\n"+
+		"SNAPD_BIN=/snap/bin\n"+
+		"SNAPD_LIBEXEC=/usr/lib/snapd\n")
+	c.Assert(s.Stderr(), Equals, "")
+}
+
+func (s *SnapSuite) TestPathsFedora(c *C) {
+	restore := release.MockReleaseInfo(&release.OS{ID: "fedora"})
+	defer restore()
+	defer dirs.SetRootDir("/")
+
+	dirs.SetRootDir("/")
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "paths"})
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, ""+
+		"SNAPD_MOUNT=/var/lib/snapd/snap\n"+
+		"SNAPD_BIN=/var/lib/snapd/snap/bin\n"+
+		"SNAPD_LIBEXEC=/usr/libexec/snapd\n")
+	c.Assert(s.Stderr(), Equals, "")
+}
+
+func (s *SnapSuite) TestPathsArch(c *C) {
+	defer dirs.SetRootDir("/")
+
+	// old /etc/os-release contents
+	restore := release.MockReleaseInfo(&release.OS{ID: "arch", IDLike: []string{"archlinux"}})
+	defer restore()
+
+	dirs.SetRootDir("/")
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "paths"})
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, ""+
+		"SNAPD_MOUNT=/var/lib/snapd/snap\n"+
+		"SNAPD_BIN=/var/lib/snapd/snap/bin\n"+
+		"SNAPD_LIBEXEC=/usr/lib/snapd\n")
+	c.Assert(s.Stderr(), Equals, "")
+
+	s.ResetStdStreams()
+
+	// new contents, as set by filesystem-2018.12-1
+	restore = release.MockReleaseInfo(&release.OS{ID: "archlinux"})
+	defer restore()
+
+	dirs.SetRootDir("/")
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"debug", "paths"})
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, ""+
+		"SNAPD_MOUNT=/var/lib/snapd/snap\n"+
+		"SNAPD_BIN=/var/lib/snapd/snap/bin\n"+
+		"SNAPD_LIBEXEC=/usr/lib/snapd\n")
+	c.Assert(s.Stderr(), Equals, "")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_prefer.go snapd-2.37~rc1~14.04/cmd/snap/cmd_prefer.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_prefer.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_prefer.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,22 +26,23 @@
 )
 
 type cmdPrefer struct {
+	waitMixin
 	Positionals struct {
 		Snap installedSnapName `required:"yes"`
 	} `positional-args:"true"`
 }
 
-var shortPreferHelp = i18n.G("Prefer aliases from a snap and disable conflicts")
+var shortPreferHelp = i18n.G("Enable aliases from a snap, disabling any conflicting aliases")
 var longPreferHelp = i18n.G(`
 The prefer command enables all aliases of the given snap in preference
 to conflicting aliases of other snaps whose aliases will be disabled
-(removed for manual ones).
+(or removed, for manual ones).
 `)
 
 func init() {
 	addCommand("prefer", shortPreferHelp, longPreferHelp, func() flags.Commander {
 		return &cmdPrefer{}
-	}, nil, []argDesc{
+	}, waitDescs, []argDesc{
 		{name: "<snap>"},
 	})
 }
@@ -51,19 +52,17 @@
 		return ErrExtraArgs
 	}
 
-	cli := Client()
-	id, err := cli.Prefer(string(x.Positionals.Snap))
+	id, err := x.client.Prefer(string(x.Positionals.Snap))
 	if err != nil {
 		return err
 	}
-
-	chg, err := wait(cli, id)
+	chg, err := x.wait(id)
 	if err != nil {
-		return err
-	}
-	if err := showAliasChanges(chg); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
-	return nil
+	return showAliasChanges(chg)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_prefer_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_prefer_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_prefer_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_prefer_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,21 +30,17 @@
 
 func (s *SnapSuite) TestPreferHelp(c *C) {
 	msg := `Usage:
-  snap.test [OPTIONS] prefer [<snap>]
+  snap.test prefer [prefer-OPTIONS] [<snap>]
 
 The prefer command enables all aliases of the given snap in preference
 to conflicting aliases of other snaps whose aliases will be disabled
-(removed for manual ones).
+(or removed, for manual ones).
 
-Application Options:
-      --version     Print the version and exit
-
-Help Options:
-  -h, --help        Show this help message
+[prefer command options]
+      --no-wait    Do not wait for the operation to finish but just print the
+                   change id.
 `
-	rest, err := Parser().ParseArgs([]string{"prefer", "--help"})
-	c.Assert(err.Error(), Equals, msg)
-	c.Assert(rest, DeepEquals, []string{})
+	s.testSubCommandHelp(c, "prefer", msg)
 }
 
 func (s *SnapSuite) TestPrefer(c *C) {
@@ -64,7 +60,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"prefer", "some-snap"})
+	rest, err := Parser(Client()).ParseArgs([]string{"prefer", "some-snap"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, ""+
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_prepare_image.go snapd-2.37~rc1~14.04/cmd/snap/cmd_prepare_image.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_prepare_image.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_prepare_image.go	2019-01-16 08:36:51.000000000 +0000
@@ -40,23 +40,28 @@
 
 func init() {
 	cmd := addCommand("prepare-image",
-		i18n.G("Prepare a snappy image"),
-		i18n.G("Prepare a snappy image"),
+		i18n.G("Prepare a core device image"),
+		i18n.G(`
+The prepare-image command performs some of the steps necessary for creating
+core device images.
+`),
 		func() flags.Commander {
 			return &cmdPrepareImage{}
 		}, map[string]string{
-			"extra-snaps": "Extra snaps to be installed",
-			"channel":     "The channel to use",
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"extra-snaps": i18n.G("Extra snaps to be installed"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"channel": i18n.G("The channel to use"),
 		}, []argDesc{
 			{
-				// TRANSLATORS: This needs to be wrapped in <>s.
+				// TRANSLATORS: This needs to begin with < and end with >
 				name: i18n.G("<model-assertion>"),
-				// TRANSLATORS: This should probably not start with a lowercase letter.
+				// TRANSLATORS: This should not start with a lowercase letter.
 				desc: i18n.G("The model assertion name"),
 			}, {
-				// TRANSLATORS: This needs to be wrapped in <>s.
+				// TRANSLATORS: This needs to begin with < and end with >
 				name: i18n.G("<root-dir>"),
-				// TRANSLATORS: This should probably not start with a lowercase letter.
+				// TRANSLATORS: This should not start with a lowercase letter.
 				desc: i18n.G("The output directory"),
 			},
 		})
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_repair_repairs.go snapd-2.37~rc1~14.04/cmd/snap/cmd_repair_repairs.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_repair_repairs.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_repair_repairs.go	2019-01-16 08:36:51.000000000 +0000
@@ -54,7 +54,7 @@
 	} `positional-args:"yes"`
 }
 
-var shortRepairHelp = i18n.G("Shows specific repairs")
+var shortRepairHelp = i18n.G("Show specific repairs")
 var longRepairHelp = i18n.G(`
 The repair command shows the details about one or multiple repairs.
 `)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_repair_repairs_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_repair_repairs_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_repair_repairs_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_repair_repairs_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -45,7 +45,7 @@
 	mockSnapRepair := mockSnapRepair(c)
 	defer mockSnapRepair.Restore()
 
-	_, err := snap.Parser().ParseArgs([]string{"repair", "canonical-1"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"repair", "canonical-1"})
 	c.Assert(err, IsNil)
 	c.Check(mockSnapRepair.Calls(), DeepEquals, [][]string{
 		{"snap-repair", "show", "canonical-1"},
@@ -59,7 +59,7 @@
 	mockSnapRepair := mockSnapRepair(c)
 	defer mockSnapRepair.Restore()
 
-	_, err := snap.Parser().ParseArgs([]string{"repairs"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"repairs"})
 	c.Assert(err, IsNil)
 	c.Check(mockSnapRepair.Calls(), DeepEquals, [][]string{
 		{"snap-repair", "list"},
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_run.go snapd-2.37~rc1~14.04/cmd/snap/cmd_run.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_run.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_run.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"bufio"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"os/user"
@@ -33,36 +34,47 @@
 	"syscall"
 	"time"
 
+	"github.com/godbus/dbus"
 	"github.com/jessevdk/go-flags"
 
+	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/strace"
+	"github.com/snapcore/snapd/selinux"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snapenv"
+	"github.com/snapcore/snapd/strutil/shlex"
 	"github.com/snapcore/snapd/timeutil"
 	"github.com/snapcore/snapd/x11"
 )
 
 var (
-	syscallExec = syscall.Exec
-	userCurrent = user.Current
-	osGetenv    = os.Getenv
-	timeNow     = time.Now
+	syscallExec              = syscall.Exec
+	userCurrent              = user.Current
+	osGetenv                 = os.Getenv
+	timeNow                  = time.Now
+	selinuxIsEnabled         = selinux.IsEnabled
+	selinuxVerifyPathContext = selinux.VerifyPathContext
+	selinuxRestoreContext    = selinux.RestoreContext
 )
 
 type cmdRun struct {
+	clientMixin
 	Command  string `long:"command" hidden:"yes"`
 	HookName string `long:"hook" hidden:"yes"`
 	Revision string `short:"r" default:"unset" hidden:"yes"`
 	Shell    bool   `long:"shell" `
+
 	// This options is both a selector (use or don't use strace) and it
 	// can also carry extra options for strace. This is why there is
 	// "default" and "optional-value" to distinguish this.
-	Strace string `long:"strace" optional:"true" optional-value:"with-strace" default:"no-strace" default-mask:"-"`
-	Gdb    bool   `long:"gdb"`
+	Strace    string `long:"strace" optional:"true" optional-value:"with-strace" default:"no-strace" default-mask:"-"`
+	Gdb       bool   `long:"gdb"`
+	TraceExec bool   `long:"trace-exec"`
 
 	// not a real option, used to check if cmdRun is initialized by
 	// the parser
@@ -73,22 +85,34 @@
 func init() {
 	addCommand("run",
 		i18n.G("Run the given snap command"),
-		i18n.G("Run the given snap command with the right confinement and environment"),
+		i18n.G(`
+The run command executes the given snap command with the right confinement
+and environment.
+`),
 		func() flags.Commander {
 			return &cmdRun{}
 		}, map[string]string{
-			"command":    i18n.G("Alternative command to run"),
-			"hook":       i18n.G("Hook to run"),
-			"r":          i18n.G("Use a specific snap revision when running hook"),
-			"shell":      i18n.G("Run a shell instead of the command (useful for debugging)"),
-			"strace":     i18n.G("Run the command under strace (useful for debugging). Extra strace options can be specified as well here."),
-			"gdb":        i18n.G("Run the command with gdb"),
-			"timer":      i18n.G("Run as a timer service with given schedule"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"command": i18n.G("Alternative command to run"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"hook": i18n.G("Hook to run"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"r": i18n.G("Use a specific snap revision when running hook"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"shell": i18n.G("Run a shell instead of the command (useful for debugging)"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"strace": i18n.G("Run the command under strace (useful for debugging). Extra strace options can be specified as well here. Pass --raw to strace early snap helpers."),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"gdb": i18n.G("Run the command with gdb"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"timer": i18n.G("Run as a timer service with given schedule"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"trace-exec": i18n.G("Display exec calls timing data"),
 			"parser-ran": "",
 		}, nil)
 }
 
-func maybeWaitForSecurityProfileRegeneration() error {
+func maybeWaitForSecurityProfileRegeneration(cli *client.Client) error {
 	// check if the security profiles key has changed, if so, we need
 	// to wait for snapd to re-generate all profiles
 	mismatch, err := interfaces.SystemKeyMismatch()
@@ -121,7 +145,6 @@
 		}
 	}
 
-	cli := Client()
 	for i := 0; i < timeout; i++ {
 		if _, err := cli.SysInfo(); err == nil {
 			return nil
@@ -159,7 +182,7 @@
 		return fmt.Errorf(i18n.G("too many arguments for hook %q: %s"), x.HookName, strings.Join(args, " "))
 	}
 
-	if err := maybeWaitForSecurityProfileRegeneration(); err != nil {
+	if err := maybeWaitForSecurityProfileRegeneration(x.client); err != nil {
 		return err
 	}
 
@@ -233,28 +256,16 @@
 	return actualApp, argsOut
 }
 
-func getSnapInfo(snapName string, revision snap.Revision) (*snap.Info, error) {
+func getSnapInfo(snapName string, revision snap.Revision) (info *snap.Info, err error) {
 	if revision.Unset() {
-		curFn := filepath.Join(dirs.SnapMountDir, snapName, "current")
-		realFn, err := os.Readlink(curFn)
-		if err != nil {
-			return nil, fmt.Errorf("cannot find current revision for snap %s: %s", snapName, err)
-		}
-		rev := filepath.Base(realFn)
-		revision, err = snap.ParseRevision(rev)
-		if err != nil {
-			return nil, fmt.Errorf("cannot read revision %s: %s", rev, err)
-		}
-	}
-
-	info, err := snap.ReadInfo(snapName, &snap.SideInfo{
-		Revision: revision,
-	})
-	if err != nil {
-		return nil, err
+		info, err = snap.ReadCurrentInfo(snapName)
+	} else {
+		info, err = snap.ReadInfo(snapName, &snap.SideInfo{
+			Revision: revision,
+		})
 	}
 
-	return info, nil
+	return info, err
 }
 
 func createOrUpdateUserDataSymlink(info *snap.Info, usr *user.User) error {
@@ -308,35 +319,82 @@
 	}
 
 	// see snapenv.User
-	userData := info.UserDataDir(usr.HomeDir)
-	commonUserData := info.UserCommonDataDir(usr.HomeDir)
-	for _, d := range []string{userData, commonUserData} {
+	instanceUserData := info.UserDataDir(usr.HomeDir)
+	instanceCommonUserData := info.UserCommonDataDir(usr.HomeDir)
+	createDirs := []string{instanceUserData, instanceCommonUserData}
+	if info.InstanceKey != "" {
+		// parallel instance snaps get additional mapping in their mount
+		// namespace, namely /home/joe/snap/foo_bar ->
+		// /home/joe/snap/foo, make sure that the mount point exists and
+		// is owned by the user
+		snapUserDir := snap.UserSnapDir(usr.HomeDir, info.SnapName())
+		createDirs = append(createDirs, snapUserDir)
+	}
+	for _, d := range createDirs {
 		if err := os.MkdirAll(d, 0755); err != nil {
 			// TRANSLATORS: %q is the directory whose creation failed, %v the error message
 			return fmt.Errorf(i18n.G("cannot create %q: %v"), d, err)
 		}
 	}
 
-	return createOrUpdateUserDataSymlink(info, usr)
+	if err := createOrUpdateUserDataSymlink(info, usr); err != nil {
+		return err
+	}
+
+	return maybeRestoreSecurityContext(usr)
+}
+
+// maybeRestoreSecurityContext attempts to restore security context of ~/snap on
+// systems where it's applicable
+func maybeRestoreSecurityContext(usr *user.User) error {
+	snapUserHome := filepath.Join(usr.HomeDir, dirs.UserHomeSnapDir)
+	enabled, err := selinuxIsEnabled()
+	if err != nil {
+		return fmt.Errorf("cannot determine SELinux status: %v", err)
+	}
+	if !enabled {
+		logger.Debugf("SELinux not enabled")
+		return nil
+	}
+
+	match, err := selinuxVerifyPathContext(snapUserHome)
+	if err != nil {
+		return fmt.Errorf("failed to verify SELinux context of %v: %v", snapUserHome, err)
+	}
+	if match {
+		return nil
+	}
+	logger.Noticef("restoring default SELinux context of %v", snapUserHome)
+
+	if err := selinuxRestoreContext(snapUserHome, selinux.RestoreMode{Recursive: true}); err != nil {
+		return fmt.Errorf("cannot restore SELinux context of %v: %v", snapUserHome, err)
+	}
+	return nil
 }
 
 func (x *cmdRun) useStrace() bool {
 	return x.ParserRan == 1 && x.Strace != "no-strace"
 }
 
-func (x *cmdRun) straceOpts() []string {
+func (x *cmdRun) straceOpts() (opts []string, raw bool, err error) {
 	if x.Strace == "with-strace" {
-		return nil
+		return nil, false, nil
 	}
 
-	var opts []string
-	// TODO: use shlex?
-	for _, opt := range strings.Split(x.Strace, " ") {
-		if strings.TrimSpace(opt) != "" {
-			opts = append(opts, opt)
+	split, err := shlex.Split(x.Strace)
+	if err != nil {
+		return nil, false, err
+	}
+
+	opts = make([]string, 0, len(split))
+	for _, opt := range split {
+		if opt == "--raw" {
+			raw = true
+			continue
 		}
+		opts = append(opts, opt)
 	}
-	return opts
+	return opts, raw, nil
 }
 
 func (x *cmdRun) snapRunApp(snapApp string, args []string) error {
@@ -532,47 +590,99 @@
 	return targetPath, nil
 }
 
-func straceCmd() ([]string, error) {
-	current, err := user.Current()
-	if err != nil {
-		return nil, err
+func activateXdgDocumentPortal(info *snap.Info, snapApp, hook string) error {
+	// Don't do anything for apps or hooks that don't plug the
+	// desktop interface
+	//
+	// NOTE: This check is imperfect because we don't really know
+	// if the interface is connected or not but this is an
+	// acceptable compromise for not having to communicate with
+	// snapd in snap run. In a typical desktop session the
+	// document portal can be in use by many applications, not
+	// just by snaps, so this is at most, pre-emptively using some
+	// extra memory.
+	var plugs map[string]*snap.PlugInfo
+	if hook != "" {
+		plugs = info.Hooks[hook].Plugs
+	} else {
+		_, appName := snap.SplitSnapApp(snapApp)
+		plugs = info.Apps[appName].Plugs
+	}
+	plugsDesktop := false
+	for _, plug := range plugs {
+		if plug.Interface == "desktop" {
+			plugsDesktop = true
+			break
+		}
+	}
+	if !plugsDesktop {
+		return nil
 	}
-	sudoPath, err := exec.LookPath("sudo")
+
+	u, err := userCurrent()
 	if err != nil {
-		return nil, fmt.Errorf("cannot use strace without sudo: %s", err)
+		return fmt.Errorf(i18n.G("cannot get the current user: %s"), err)
+	}
+	xdgRuntimeDir := filepath.Join(dirs.XdgRuntimeDirBase, u.Uid)
+
+	// If $XDG_RUNTIME_DIR/doc appears to be a mount point, assume
+	// that the document portal is up and running.
+	expectedMountPoint := filepath.Join(xdgRuntimeDir, "doc")
+	if mounted, err := osutil.IsMounted(expectedMountPoint); err != nil {
+		logger.Noticef("Could not check document portal mount state: %s", err)
+	} else if mounted {
+		return nil
+	}
+
+	// If there is no session bus, our job is done.  We check this
+	// manually to avoid dbus.SessionBus() auto-launching a new
+	// bus.
+	busAddress := osGetenv("DBUS_SESSION_BUS_ADDRESS")
+	if len(busAddress) == 0 {
+		return nil
 	}
 
-	// Try strace from the snap first, we use new syscalls like
-	// "_newselect" that are known to not work with the strace of e.g.
-	// ubuntu 14.04.
+	// We've previously tried to start the document portal and
+	// were told the service is unknown: don't bother connecting
+	// to the session bus again.
 	//
-	// TODO: some architectures do not have some syscalls (e.g.
-	// s390x does not have _newselect). In
-	// https://github.com/strace/strace/issues/57 options are
-	// discussed.  We could use "-e trace=?syscall" but that is
-	// only available since strace 4.17 which is not even in
-	// ubutnu 17.10.
-	var stracePath string
-	cand := filepath.Join(dirs.SnapMountDir, "strace-static", "current", "bin", "strace")
-	if osutil.FileExists(cand) {
-		stracePath = cand
+	// As the file is in $XDG_RUNTIME_DIR, it will be cleared over
+	// full logout/login or reboot cycles.
+	portalsUnavailableFile := filepath.Join(xdgRuntimeDir, ".portals-unavailable")
+	if osutil.FileExists(portalsUnavailableFile) {
+		return nil
 	}
-	if stracePath == "" {
-		stracePath, err = exec.LookPath("strace")
-		if err != nil {
-			return nil, fmt.Errorf("cannot find an installed strace, please try: `snap install strace-static`")
+
+	conn, err := dbus.SessionBus()
+	if err != nil {
+		return err
+	}
+
+	portal := conn.Object("org.freedesktop.portal.Documents",
+		"/org/freedesktop/portal/documents")
+	var mountPoint []byte
+	if err := portal.Call("org.freedesktop.portal.Documents.GetMountPoint", 0).Store(&mountPoint); err != nil {
+		// It is not considered an error if
+		// xdg-document-portal is not available on the system.
+		if dbusErr, ok := err.(dbus.Error); ok && dbusErr.Name == "org.freedesktop.DBus.Error.ServiceUnknown" {
+			// We ignore errors here: if writing the file
+			// fails, we'll just try connecting to D-Bus
+			// again next time.
+			if err = ioutil.WriteFile(portalsUnavailableFile, []byte(""), 0644); err != nil {
+				logger.Noticef("WARNING: cannot write file at %s: %s", portalsUnavailableFile, err)
+			}
+			return nil
 		}
+		return err
 	}
 
-	return []string{
-		sudoPath, "-E",
-		stracePath,
-		"-u", current.Username,
-		"-f",
-		// these syscalls are excluded because they make strace hang
-		// on all or some architectures (gettimeofday on arm64)
-		"-e", "!select,pselect6,_newselect,clock_gettime,sigaltstack,gettid,gettimeofday",
-	}, nil
+	// Sanity check to make sure the document portal is exposed
+	// where we think it is.
+	actualMountPoint := strings.TrimRight(string(mountPoint), "\x00")
+	if actualMountPoint != expectedMountPoint {
+		return fmt.Errorf(i18n.G("Expected portal at %#v, got %#v"), expectedMountPoint, actualMountPoint)
+	}
+	return nil
 }
 
 func (x *cmdRun) runCmdUnderGdb(origCmd, env []string) error {
@@ -589,21 +699,76 @@
 	return gcmd.Run()
 }
 
+func (x *cmdRun) runCmdWithTraceExec(origCmd, env []string) error {
+	// setup private tmp dir with strace fifo
+	straceTmp, err := ioutil.TempDir("", "exec-trace")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(straceTmp)
+	straceLog := filepath.Join(straceTmp, "strace.fifo")
+	if err := syscall.Mkfifo(straceLog, 0640); err != nil {
+		return err
+	}
+	// ensure we have one writer on the fifo so that if strace fails
+	// nothing blocks
+	fw, err := os.OpenFile(straceLog, os.O_RDWR, 0640)
+	if err != nil {
+		return err
+	}
+	defer fw.Close()
+
+	// read strace data from fifo async
+	var slg *strace.ExecveTiming
+	var straceErr error
+	doneCh := make(chan bool, 1)
+	go func() {
+		// FIXME: make this configurable?
+		nSlowest := 10
+		slg, straceErr = strace.TraceExecveTimings(straceLog, nSlowest)
+		close(doneCh)
+	}()
+
+	cmd, err := strace.TraceExecCommand(straceLog, origCmd...)
+	if err != nil {
+		return err
+	}
+	// run
+	cmd.Env = env
+	cmd.Stdin = Stdin
+	cmd.Stdout = Stdout
+	cmd.Stderr = Stderr
+	err = cmd.Run()
+	// ensure we close the fifo here so that the strace.TraceExecCommand()
+	// helper gets a EOF from the fifo (i.e. all writers must be closed
+	// for this)
+	fw.Close()
+
+	// wait for strace reader
+	<-doneCh
+	if straceErr == nil {
+		slg.Display(Stderr)
+	} else {
+		logger.Noticef("cannot extract runtime data: %v", straceErr)
+	}
+	return err
+}
+
 func (x *cmdRun) runCmdUnderStrace(origCmd, env []string) error {
-	// prepend strace magic
-	cmd, err := straceCmd()
+	extraStraceOpts, raw, err := x.straceOpts()
+	if err != nil {
+		return err
+	}
+	cmd, err := strace.Command(extraStraceOpts, origCmd...)
 	if err != nil {
 		return err
 	}
-	cmd = append(cmd, x.straceOpts()...)
-	cmd = append(cmd, origCmd...)
 
 	// run with filter
-	gcmd := exec.Command(cmd[0], cmd[1:]...)
-	gcmd.Env = env
-	gcmd.Stdin = Stdin
-	gcmd.Stdout = Stdout
-	stderr, err := gcmd.StderrPipe()
+	cmd.Env = env
+	cmd.Stdin = Stdin
+	cmd.Stdout = Stdout
+	stderr, err := cmd.StderrPipe()
 	if err != nil {
 		return err
 	}
@@ -611,6 +776,15 @@
 	go func() {
 		defer func() { filterDone <- true }()
 
+		if raw {
+			// Passing --strace='--raw' disables the filtering of
+			// early strace output. This is useful when tracking
+			// down issues with snap helpers such as snap-confine,
+			// snap-exec ...
+			io.Copy(Stderr, stderr)
+			return
+		}
+
 		r := bufio.NewReader(stderr)
 
 		// The first thing from strace if things work is
@@ -658,31 +832,39 @@
 		}
 		io.Copy(Stderr, r)
 	}()
-	if err := gcmd.Start(); err != nil {
+	if err := cmd.Start(); err != nil {
 		return err
 	}
 	<-filterDone
-	err = gcmd.Wait()
+	err = cmd.Wait()
 	return err
 }
 
 func (x *cmdRun) runSnapConfine(info *snap.Info, securityTag, snapApp, hook string, args []string) error {
 	snapConfine := filepath.Join(dirs.DistroLibExecDir, "snap-confine")
-	// if we re-exec, we must run the snap-confine from the core snap
+	// if we re-exec, we must run the snap-confine from the core/snapd snap
 	// as well, if they get out of sync, havoc will happen
 	if isReexeced() {
-		// run snap-confine from the core snap. that will work because
-		// snap-confine on the core snap is mostly statically linked
-		// (except libudev and libc)
-		snapConfine = filepath.Join(dirs.SnapMountDir, "core/current", dirs.CoreLibExecDir, "snap-confine")
+		// exe is something like /snap/{snapd,core}/123/usr/bin/snap
+		exe, err := osReadlink("/proc/self/exe")
+		if err != nil {
+			return err
+		}
+		// snapBase will be "/snap/{core,snapd}/$rev/" because
+		// the snap binary is always at $root/usr/bin/snap
+		snapBase := filepath.Clean(filepath.Join(filepath.Dir(exe), "..", ".."))
+		// Run snap-confine from the core/snapd snap. That
+		// will work because snap-confine on the core/snapd snap is
+		// mostly statically linked (except libudev and libc)
+		snapConfine = filepath.Join(snapBase, dirs.CoreLibExecDir, "snap-confine")
 	}
 
 	if !osutil.FileExists(snapConfine) {
 		if hook != "" {
-			logger.Noticef("WARNING: skipping running hook %q of snap %q: missing snap-confine", hook, info.Name())
+			logger.Noticef("WARNING: skipping running hook %q of snap %q: missing snap-confine", hook, info.InstanceName())
 			return nil
 		}
-		return fmt.Errorf(i18n.G("missing snap-confine: try updating your snapd package"))
+		return fmt.Errorf(i18n.G("missing snap-confine: try updating your core/snapd package"))
 	}
 
 	if err := createUserDataDirs(info); err != nil {
@@ -694,6 +876,10 @@
 		logger.Noticef("WARNING: cannot copy user Xauthority file: %s", err)
 	}
 
+	if err := activateXdgDocumentPortal(info, snapApp, hook); err != nil {
+		logger.Noticef("WARNING: cannot start document portal: %s", err)
+	}
+
 	cmd := []string{snapConfine}
 	if info.NeedsClassic() {
 		cmd = append(cmd, "--classic")
@@ -745,7 +931,9 @@
 	}
 	env := snapenv.ExecEnv(info, extraEnv)
 
-	if x.Gdb {
+	if x.TraceExec {
+		return x.runCmdWithTraceExec(cmd, env)
+	} else if x.Gdb {
 		return x.runCmdUnderGdb(cmd, env)
 	} else if x.useStrace() {
 		return x.runCmdUnderStrace(cmd, env)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_run_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_run_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_run_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_run_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package main_test
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"os/user"
@@ -31,7 +32,9 @@
 
 	snaprun "github.com/snapcore/snapd/cmd/snap"
 	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/selinux"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
@@ -48,38 +51,39 @@
 `)
 
 func (s *SnapSuite) TestInvalidParameters(c *check.C) {
-	invalidParameters := []string{"run", "--hook=configure", "--command=command-name", "snap-name"}
-	_, err := snaprun.Parser().ParseArgs(invalidParameters)
+	invalidParameters := []string{"run", "--hook=configure", "--command=command-name", "--", "snap-name"}
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs(invalidParameters)
 	c.Check(err, check.ErrorMatches, ".*you can only use one of --hook, --command, and --timer.*")
 
-	invalidParameters = []string{"run", "--hook=configure", "--timer=10:00-12:00", "snap-name"}
-	_, err = snaprun.Parser().ParseArgs(invalidParameters)
+	invalidParameters = []string{"run", "--hook=configure", "--timer=10:00-12:00", "--", "snap-name"}
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs(invalidParameters)
 	c.Check(err, check.ErrorMatches, ".*you can only use one of --hook, --command, and --timer.*")
 
-	invalidParameters = []string{"run", "--command=command-name", "--timer=10:00-12:00", "snap-name"}
-	_, err = snaprun.Parser().ParseArgs(invalidParameters)
+	invalidParameters = []string{"run", "--command=command-name", "--timer=10:00-12:00", "--", "snap-name"}
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs(invalidParameters)
 	c.Check(err, check.ErrorMatches, ".*you can only use one of --hook, --command, and --timer.*")
 
-	invalidParameters = []string{"run", "-r=1", "--command=command-name", "snap-name"}
-	_, err = snaprun.Parser().ParseArgs(invalidParameters)
+	invalidParameters = []string{"run", "-r=1", "--command=command-name", "--", "snap-name"}
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs(invalidParameters)
 	c.Check(err, check.ErrorMatches, ".*-r can only be used with --hook.*")
 
-	invalidParameters = []string{"run", "-r=1", "snap-name"}
-	_, err = snaprun.Parser().ParseArgs(invalidParameters)
+	invalidParameters = []string{"run", "-r=1", "--", "snap-name"}
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs(invalidParameters)
 	c.Check(err, check.ErrorMatches, ".*-r can only be used with --hook.*")
 
-	invalidParameters = []string{"run", "--hook=configure", "foo", "bar", "snap-name"}
-	_, err = snaprun.Parser().ParseArgs(invalidParameters)
+	invalidParameters = []string{"run", "--hook=configure", "--", "foo", "bar", "snap-name"}
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs(invalidParameters)
 	c.Check(err, check.ErrorMatches, ".*too many arguments for hook \"configure\": bar.*")
 }
 
 func (s *SnapSuite) TestSnapRunWhenMissingConfine(c *check.C) {
+	_, r := logger.MockLogger()
+	defer r()
+
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	var execs [][]string
@@ -91,10 +95,10 @@
 
 	// and run it!
 	// a regular run will fail
-	_, err = snaprun.Parser().ParseArgs([]string{"run", "snapname.app", "--arg1", "arg2"})
-	c.Assert(err, check.ErrorMatches, `.* your snapd package`)
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app", "--arg1", "arg2"})
+	c.Assert(err, check.ErrorMatches, `.* your core/snapd package`)
 	// a hook run will not fail
-	_, err = snaprun.Parser().ParseArgs([]string{"run", "--hook=configure", "snapname"})
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--hook=configure", "--", "snapname"})
 	c.Assert(err, check.IsNil)
 
 	// but nothing is run ever
@@ -105,11 +109,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -124,7 +126,7 @@
 	defer restorer()
 
 	// and run it!
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
@@ -140,11 +142,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml)+"confinement: classic\n", &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml)+"confinement: classic\n", &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -159,7 +159,7 @@
 	defer restorer()
 
 	// and run it!
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
@@ -179,11 +179,9 @@
 	defer mockSnapConfine(mountedCoreLibExecPath)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml)+"confinement: classic\n", &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml)+"confinement: classic\n", &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	restore := snaprun.MockOsReadlink(func(name string) (string, error) {
 		// pretend 'snap' is reexeced from 'core'
@@ -197,7 +195,7 @@
 		return nil
 	})
 	defer restorer()
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Check(execArgs, check.DeepEquals, []string{
@@ -211,11 +209,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R(42),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -230,7 +226,7 @@
 	defer restorer()
 
 	// and run it!
-	_, err = snaprun.Parser().ParseArgs([]string{"run", "--command=my-command", "snapname.app", "arg1", "arg2"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--command=my-command", "--", "snapname.app", "arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
 	c.Check(execArgs, check.DeepEquals, []string{
@@ -258,15 +254,37 @@
 	c.Check(osutil.FileExists(filepath.Join(fakeHome, "/snap/snapname/common")), check.Equals, true)
 }
 
+func (s *SnapSuite) TestParallelInstanceSnapRunCreateDataDirs(c *check.C) {
+	info, err := snap.InfoFromSnapYaml(mockYaml)
+	c.Assert(err, check.IsNil)
+	info.SideInfo.Revision = snap.R(42)
+	info.InstanceKey = "foo"
+
+	fakeHome := c.MkDir()
+	restorer := snaprun.MockUserCurrent(func() (*user.User, error) {
+		return &user.User{HomeDir: fakeHome}, nil
+	})
+	defer restorer()
+
+	err = snaprun.CreateUserDataDirs(info)
+	c.Assert(err, check.IsNil)
+	c.Check(osutil.FileExists(filepath.Join(fakeHome, "/snap/snapname_foo/42")), check.Equals, true)
+	c.Check(osutil.FileExists(filepath.Join(fakeHome, "/snap/snapname_foo/common")), check.Equals, true)
+	// mount point for snap instance mapping has been created
+	c.Check(osutil.FileExists(filepath.Join(fakeHome, "/snap/snapname")), check.Equals, true)
+	// and it's empty inside
+	m, err := filepath.Glob(filepath.Join(fakeHome, "/snap/snapname/*"))
+	c.Assert(err, check.IsNil)
+	c.Assert(m, check.HasLen, 0)
+}
+
 func (s *SnapSuite) TestSnapRunHookIntegration(c *check.C) {
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R(42),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -281,7 +299,7 @@
 	defer restorer()
 
 	// Run a hook from the active revision
-	_, err = snaprun.Parser().ParseArgs([]string{"run", "--hook=configure", "snapname"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--hook=configure", "--", "snapname"})
 	c.Assert(err, check.IsNil)
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
 	c.Check(execArgs, check.DeepEquals, []string{
@@ -296,11 +314,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R(42),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -315,7 +331,7 @@
 	defer restorer()
 
 	// Specifically pass "unset" which would use the active version.
-	_, err = snaprun.Parser().ParseArgs([]string{"run", "--hook=configure", "-r=unset", "snapname"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--hook=configure", "-r=unset", "--", "snapname"})
 	c.Assert(err, check.IsNil)
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
 	c.Check(execArgs, check.DeepEquals, []string{
@@ -351,7 +367,7 @@
 	defer restorer()
 
 	// Run a hook on revision 41
-	_, err := snaprun.Parser().ParseArgs([]string{"run", "--hook=configure", "-r=41", "snapname"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--hook=configure", "-r=41", "--", "snapname"})
 	c.Assert(err, check.IsNil)
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
 	c.Check(execArgs, check.DeepEquals, []string{
@@ -364,11 +380,9 @@
 
 func (s *SnapSuite) TestSnapRunHookMissingRevisionIntegration(c *check.C) {
 	// Only create revision 42
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R(42),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	restorer := snaprun.MockSyscallExec(func(arg0 string, args []string, envv []string) error {
@@ -377,24 +391,22 @@
 	defer restorer()
 
 	// Attempt to run a hook on revision 41, which doesn't exist
-	_, err = snaprun.Parser().ParseArgs([]string{"run", "--hook=configure", "-r=41", "snapname"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--hook=configure", "-r=41", "--", "snapname"})
 	c.Assert(err, check.NotNil)
 	c.Check(err, check.ErrorMatches, "cannot find .*")
 }
 
 func (s *SnapSuite) TestSnapRunHookInvalidRevisionIntegration(c *check.C) {
-	_, err := snaprun.Parser().ParseArgs([]string{"run", "--hook=configure", "-r=invalid", "snapname"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--hook=configure", "-r=invalid", "--", "snapname"})
 	c.Assert(err, check.NotNil)
 	c.Check(err, check.ErrorMatches, "invalid snap revision: \"invalid\"")
 }
 
 func (s *SnapSuite) TestSnapRunHookMissingHookIntegration(c *check.C) {
 	// Only create revision 42
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R(42),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	called := false
@@ -404,23 +416,23 @@
 	})
 	defer restorer()
 
-	_, err = snaprun.Parser().ParseArgs([]string{"run", "--hook=missing-hook", "snapname"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--hook=missing-hook", "--", "snapname"})
 	c.Assert(err, check.ErrorMatches, `cannot find hook "missing-hook" in "snapname"`)
 	c.Check(called, check.Equals, false)
 }
 
 func (s *SnapSuite) TestSnapRunErorsForUnknownRunArg(c *check.C) {
-	_, err := snaprun.Parser().ParseArgs([]string{"run", "--unknown", "snapname.app", "--arg1", "arg2"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--unknown", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.ErrorMatches, "unknown flag `unknown'")
 }
 
 func (s *SnapSuite) TestSnapRunErorsForMissingApp(c *check.C) {
-	_, err := snaprun.Parser().ParseArgs([]string{"run", "--command=shell"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--command=shell"})
 	c.Assert(err, check.ErrorMatches, "need the application to run as argument")
 }
 
 func (s *SnapSuite) TestSnapRunErorrForUnavailableApp(c *check.C) {
-	_, err := snaprun.Parser().ParseArgs([]string{"run", "not-there"})
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "not-there"})
 	c.Assert(err, check.ErrorMatches, fmt.Sprintf("cannot find current revision for snap not-there: readlink %s/not-there/current: no such file or directory", dirs.SnapMountDir))
 }
 
@@ -428,11 +440,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R(42),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execEnv := []string{}
@@ -452,7 +462,7 @@
 	defer os.Unsetenv("SNAP_THE_WORLD")
 
 	// and ensure those SNAP_ vars get overridden
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Check(execEnv, testutil.Contains, "SNAP_REVISION=42")
@@ -481,14 +491,12 @@
 }
 
 func (s *SnapSuite) TestSnapRunAppIntegrationFromCore(c *check.C) {
-	defer mockSnapConfine(filepath.Join(dirs.SnapMountDir, "core", "current", dirs.CoreLibExecDir))()
+	defer mockSnapConfine(filepath.Join(dirs.SnapMountDir, "core", "111", dirs.CoreLibExecDir))()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// pretend to be running from core
 	restorer := snaprun.MockOsReadlink(func(string) (string, error) {
@@ -509,12 +517,51 @@
 	defer restorer()
 
 	// and run it!
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app", "--arg1", "arg2"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
+	c.Check(execArg0, check.Equals, filepath.Join(dirs.SnapMountDir, "/core/111", dirs.CoreLibExecDir, "snap-confine"))
+	c.Check(execArgs, check.DeepEquals, []string{
+		filepath.Join(dirs.SnapMountDir, "/core/111", dirs.CoreLibExecDir, "snap-confine"),
+		"snap.snapname.app",
+		filepath.Join(dirs.CoreLibExecDir, "snap-exec"),
+		"snapname.app", "--arg1", "arg2"})
+	c.Check(execEnv, testutil.Contains, "SNAP_REVISION=x2")
+}
+
+func (s *SnapSuite) TestSnapRunAppIntegrationFromSnapd(c *check.C) {
+	defer mockSnapConfine(filepath.Join(dirs.SnapMountDir, "snapd", "222", dirs.CoreLibExecDir))()
+
+	// mock installed snap
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
+		Revision: snap.R("x2"),
+	})
+
+	// pretend to be running from snapd
+	restorer := snaprun.MockOsReadlink(func(string) (string, error) {
+		return filepath.Join(dirs.SnapMountDir, "snapd/222/usr/bin/snap"), nil
+	})
+	defer restorer()
+
+	// redirect exec
+	execArg0 := ""
+	execArgs := []string{}
+	execEnv := []string{}
+	restorer = snaprun.MockSyscallExec(func(arg0 string, args []string, envv []string) error {
+		execArg0 = arg0
+		execArgs = args
+		execEnv = envv
+		return nil
+	})
+	defer restorer()
+
+	// and run it!
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
-	c.Check(execArg0, check.Equals, filepath.Join(dirs.SnapMountDir, "/core/current", dirs.CoreLibExecDir, "snap-confine"))
+	c.Check(execArg0, check.Equals, filepath.Join(dirs.SnapMountDir, "/snapd/222", dirs.CoreLibExecDir, "snap-confine"))
 	c.Check(execArgs, check.DeepEquals, []string{
-		filepath.Join(dirs.SnapMountDir, "/core/current", dirs.CoreLibExecDir, "snap-confine"),
+		filepath.Join(dirs.SnapMountDir, "/snapd/222", dirs.CoreLibExecDir, "snap-confine"),
 		"snap.snapname.app",
 		filepath.Join(dirs.CoreLibExecDir, "snap-exec"),
 		"snapname.app", "--arg1", "arg2"})
@@ -533,11 +580,9 @@
 
 	// mock installed snap; happily this also gives us a directory
 	// below /tmp which the Xauthority migration expects.
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err = os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -563,7 +608,7 @@
 	})()
 
 	// and run it!
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "snapname.app"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app"})
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
@@ -660,11 +705,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// pretend we have sudo and simulate some useful output that would
 	// normally come from strace
@@ -688,7 +731,7 @@
 	c.Assert(err, check.IsNil)
 
 	// and run it under strace
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "--strace", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--strace", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Check(sudoCmd.Calls(), check.DeepEquals, [][]string{
@@ -697,7 +740,7 @@
 			filepath.Join(straceCmd.BinDir(), "strace"),
 			"-u", user.Username,
 			"-f",
-			"-e", "!select,pselect6,_newselect,clock_gettime,sigaltstack,gettid,gettimeofday",
+			"-e", "!select,pselect6,_newselect,clock_gettime,sigaltstack,gettid,gettimeofday,nanosleep",
 			filepath.Join(dirs.DistroLibExecDir, "snap-confine"),
 			"snap.snapname.app",
 			filepath.Join(dirs.CoreLibExecDir, "snap-exec"),
@@ -706,17 +749,45 @@
 	})
 	c.Check(s.Stdout(), check.Equals, "stdout output 1\nstdout output 2\n")
 	c.Check(s.Stderr(), check.Equals, fmt.Sprintf("execve(%q)\ninteressting strace output\nand more\n", filepath.Join(dirs.SnapMountDir, "snapName/x2/bin/foo")))
+
+	s.ResetStdStreams()
+	sudoCmd.ForgetCalls()
+
+	// try again without filtering
+	rest, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--strace=--raw", "--", "snapname.app", "--arg1", "arg2"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
+	c.Check(sudoCmd.Calls(), check.DeepEquals, [][]string{
+		{
+			"sudo", "-E",
+			filepath.Join(straceCmd.BinDir(), "strace"),
+			"-u", user.Username,
+			"-f",
+			"-e", "!select,pselect6,_newselect,clock_gettime,sigaltstack,gettid,gettimeofday,nanosleep",
+			filepath.Join(dirs.DistroLibExecDir, "snap-confine"),
+			"snap.snapname.app",
+			filepath.Join(dirs.CoreLibExecDir, "snap-exec"),
+			"snapname.app", "--arg1", "arg2",
+		},
+	})
+	c.Check(s.Stdout(), check.Equals, "stdout output 1\nstdout output 2\n")
+	expectedFullFmt := `execve("/path/to/snap-confine")
+snap-confine/snap-exec strace stuff
+getuid() = 1000
+execve("%s/snapName/x2/bin/foo")
+interessting strace output
+and more
+`
+	c.Check(s.Stderr(), check.Equals, fmt.Sprintf(expectedFullFmt, dirs.SnapMountDir))
 }
 
 func (s *SnapSuite) TestSnapRunAppWithStraceOptions(c *check.C) {
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// pretend we have sudo
 	sudoCmd := testutil.MockCommand(c, "sudo", "")
@@ -730,7 +801,7 @@
 	c.Assert(err, check.IsNil)
 
 	// and run it under strace
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "--strace=-tt", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", `--strace=-tt --raw -o "file with spaces"`, "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Check(sudoCmd.Calls(), check.DeepEquals, [][]string{
@@ -739,8 +810,10 @@
 			filepath.Join(straceCmd.BinDir(), "strace"),
 			"-u", user.Username,
 			"-f",
-			"-e", "!select,pselect6,_newselect,clock_gettime,sigaltstack,gettid,gettimeofday",
+			"-e", "!select,pselect6,_newselect,clock_gettime,sigaltstack,gettid,gettimeofday,nanosleep",
 			"-tt",
+			"-o",
+			"file with spaces",
 			filepath.Join(dirs.DistroLibExecDir, "snap-confine"),
 			"snap.snapname.app",
 			filepath.Join(dirs.CoreLibExecDir, "snap-exec"),
@@ -753,11 +826,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -772,7 +843,7 @@
 	defer restorer()
 
 	// and run it!
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", "--shell", "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--shell", "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
@@ -788,11 +859,9 @@
 	defer mockSnapConfine(dirs.DistroLibExecDir)()
 
 	// mock installed snap
-	si := snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
 		Revision: snap.R("x2"),
 	})
-	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
-	c.Assert(err, check.IsNil)
 
 	// redirect exec
 	execArg0 := ""
@@ -814,7 +883,7 @@
 	defer restorer()
 
 	// pretend we are outside of timer range
-	rest, err := snaprun.Parser().ParseArgs([]string{"run", `--timer="mon,10:00~12:00,,fri,13:00"`, "snapname.app", "--arg1", "arg2"})
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", `--timer="mon,10:00~12:00,,fri,13:00"`, "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"})
 	c.Assert(execCalled, check.Equals, false)
@@ -830,7 +899,7 @@
 	defer restorer()
 
 	// and run it under strace
-	_, err = snaprun.Parser().ParseArgs([]string{"run", `--timer="mon,10:00~12:00,,fri,13:00"`, "snapname.app", "--arg1", "arg2"})
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", `--timer="mon,10:00~12:00,,fri,13:00"`, "--", "snapname.app", "--arg1", "arg2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(execCalled, check.Equals, true)
 	c.Check(execArg0, check.Equals, filepath.Join(dirs.DistroLibExecDir, "snap-confine"))
@@ -840,3 +909,203 @@
 		filepath.Join(dirs.CoreLibExecDir, "snap-exec"),
 		"snapname.app", "--arg1", "arg2"})
 }
+
+func (s *SnapSuite) TestRunCmdWithTraceExecUnhappy(c *check.C) {
+	defer mockSnapConfine(dirs.DistroLibExecDir)()
+
+	// mock installed snap
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
+		Revision: snap.R("1"),
+	})
+
+	// pretend we have sudo
+	sudoCmd := testutil.MockCommand(c, "sudo", "echo unhappy; exit 12")
+	defer sudoCmd.Restore()
+
+	// pretend we have strace
+	straceCmd := testutil.MockCommand(c, "strace", "")
+	defer straceCmd.Restore()
+
+	rest, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--trace-exec", "--", "snapname.app", "--arg1", "arg2"})
+	c.Assert(err, check.ErrorMatches, "exit status 12")
+	c.Assert(rest, check.DeepEquals, []string{"--", "snapname.app", "--arg1", "arg2"})
+	c.Check(s.Stdout(), check.Equals, "unhappy\n")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapSuite) TestSnapRunRestoreSecurityContextHappy(c *check.C) {
+	logbuf, restorer := logger.MockLogger()
+	defer restorer()
+
+	defer mockSnapConfine(dirs.DistroLibExecDir)()
+
+	// mock installed snap
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
+		Revision: snap.R("x2"),
+	})
+
+	fakeHome := c.MkDir()
+	restorer = snaprun.MockUserCurrent(func() (*user.User, error) {
+		return &user.User{HomeDir: fakeHome}, nil
+	})
+	defer restorer()
+
+	// redirect exec
+	execCalled := 0
+	restorer = snaprun.MockSyscallExec(func(_ string, args []string, envv []string) error {
+		execCalled++
+		return nil
+	})
+	defer restorer()
+
+	verifyCalls := 0
+	restoreCalls := 0
+	isEnabledCalls := 0
+	enabled := false
+	verify := true
+
+	snapUserDir := filepath.Join(fakeHome, dirs.UserHomeSnapDir)
+
+	restorer = snaprun.MockSELinuxVerifyPathContext(func(what string) (bool, error) {
+		c.Check(what, check.Equals, snapUserDir)
+		verifyCalls++
+		return verify, nil
+	})
+	defer restorer()
+
+	restorer = snaprun.MockSELinuxRestoreContext(func(what string, mode selinux.RestoreMode) error {
+		c.Check(mode, check.Equals, selinux.RestoreMode{Recursive: true})
+		c.Check(what, check.Equals, snapUserDir)
+		restoreCalls++
+		return nil
+	})
+	defer restorer()
+
+	restorer = snaprun.MockSELinuxIsEnabled(func() (bool, error) {
+		isEnabledCalls++
+		return enabled, nil
+	})
+	defer restorer()
+
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app"})
+	c.Assert(err, check.IsNil)
+	c.Check(execCalled, check.Equals, 1)
+	c.Check(isEnabledCalls, check.Equals, 1)
+	c.Check(verifyCalls, check.Equals, 0)
+	c.Check(restoreCalls, check.Equals, 0)
+
+	// pretend SELinux is on
+	enabled = true
+
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app"})
+	c.Assert(err, check.IsNil)
+	c.Check(execCalled, check.Equals, 2)
+	c.Check(isEnabledCalls, check.Equals, 2)
+	c.Check(verifyCalls, check.Equals, 1)
+	c.Check(restoreCalls, check.Equals, 0)
+
+	// pretend the context does not match
+	verify = false
+
+	logbuf.Reset()
+
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app"})
+	c.Assert(err, check.IsNil)
+	c.Check(execCalled, check.Equals, 3)
+	c.Check(isEnabledCalls, check.Equals, 3)
+	c.Check(verifyCalls, check.Equals, 2)
+	c.Check(restoreCalls, check.Equals, 1)
+
+	// and we let the user know what we're doing
+	c.Check(logbuf.String(), testutil.Contains, fmt.Sprintf("restoring default SELinux context of %s", snapUserDir))
+}
+
+func (s *SnapSuite) TestSnapRunRestoreSecurityContextFail(c *check.C) {
+	logbuf, restorer := logger.MockLogger()
+	defer restorer()
+
+	defer mockSnapConfine(dirs.DistroLibExecDir)()
+
+	// mock installed snap
+	snaptest.MockSnapCurrent(c, string(mockYaml), &snap.SideInfo{
+		Revision: snap.R("x2"),
+	})
+
+	fakeHome := c.MkDir()
+	restorer = snaprun.MockUserCurrent(func() (*user.User, error) {
+		return &user.User{HomeDir: fakeHome}, nil
+	})
+	defer restorer()
+
+	// redirect exec
+	execCalled := 0
+	restorer = snaprun.MockSyscallExec(func(_ string, args []string, envv []string) error {
+		execCalled++
+		return nil
+	})
+	defer restorer()
+
+	verifyCalls := 0
+	restoreCalls := 0
+	isEnabledCalls := 0
+	enabledErr := errors.New("enabled failed")
+	verifyErr := errors.New("verify failed")
+	restoreErr := errors.New("restore failed")
+
+	snapUserDir := filepath.Join(fakeHome, dirs.UserHomeSnapDir)
+
+	restorer = snaprun.MockSELinuxVerifyPathContext(func(what string) (bool, error) {
+		c.Check(what, check.Equals, snapUserDir)
+		verifyCalls++
+		return false, verifyErr
+	})
+	defer restorer()
+
+	restorer = snaprun.MockSELinuxRestoreContext(func(what string, mode selinux.RestoreMode) error {
+		c.Check(mode, check.Equals, selinux.RestoreMode{Recursive: true})
+		c.Check(what, check.Equals, snapUserDir)
+		restoreCalls++
+		return restoreErr
+	})
+	defer restorer()
+
+	restorer = snaprun.MockSELinuxIsEnabled(func() (bool, error) {
+		isEnabledCalls++
+		return enabledErr == nil, enabledErr
+	})
+	defer restorer()
+
+	_, err := snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app"})
+	// these errors are only logged, but we still run the snap
+	c.Assert(err, check.IsNil)
+	c.Check(execCalled, check.Equals, 1)
+	c.Check(logbuf.String(), testutil.Contains, "cannot determine SELinux status: enabled failed")
+	c.Check(isEnabledCalls, check.Equals, 1)
+	c.Check(verifyCalls, check.Equals, 0)
+	c.Check(restoreCalls, check.Equals, 0)
+	// pretend selinux is on
+	enabledErr = nil
+
+	logbuf.Reset()
+
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app"})
+	c.Assert(err, check.IsNil)
+	c.Check(execCalled, check.Equals, 2)
+	c.Check(logbuf.String(), testutil.Contains, fmt.Sprintf("failed to verify SELinux context of %s: verify failed", snapUserDir))
+	c.Check(isEnabledCalls, check.Equals, 2)
+	c.Check(verifyCalls, check.Equals, 1)
+	c.Check(restoreCalls, check.Equals, 0)
+
+	// pretend the context does not match
+	verifyErr = nil
+
+	logbuf.Reset()
+
+	_, err = snaprun.Parser(snaprun.Client()).ParseArgs([]string{"run", "--", "snapname.app"})
+	c.Assert(err, check.IsNil)
+	c.Check(execCalled, check.Equals, 3)
+	c.Check(logbuf.String(), testutil.Contains, fmt.Sprintf("cannot restore SELinux context of %s: restore failed", snapUserDir))
+	c.Check(isEnabledCalls, check.Equals, 3)
+	c.Check(verifyCalls, check.Equals, 2)
+	c.Check(restoreCalls, check.Equals, 1)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_sandbox_features.go snapd-2.37~rc1~14.04/cmd/snap/cmd_sandbox_features.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_sandbox_features.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_sandbox_features.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,88 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/i18n"
+)
+
+var shortSandboxFeaturesHelp = i18n.G("Print sandbox features available on the system")
+var longSandboxFeaturesHelp = i18n.G(`
+The sandbox command prints tags describing features of individual sandbox
+components used by snapd on a given system.
+`)
+
+type cmdSandboxFeatures struct {
+	clientMixin
+	Required []string `long:"required" arg-name:"<backend feature>"`
+}
+
+func init() {
+	addDebugCommand("sandbox-features", shortSandboxFeaturesHelp, longSandboxFeaturesHelp, func() flags.Commander {
+		return &cmdSandboxFeatures{}
+	}, map[string]string{
+		"required": i18n.G("Ensure that given backend:feature is available"),
+	}, nil)
+}
+
+func (cmd cmdSandboxFeatures) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+
+	sysInfo, err := cmd.client.SysInfo()
+	if err != nil {
+		return err
+	}
+
+	sandboxFeatures := sysInfo.SandboxFeatures
+
+	if len(cmd.Required) > 0 {
+		avail := make(map[string]bool)
+		for backend := range sandboxFeatures {
+			for _, feature := range sandboxFeatures[backend] {
+				avail[fmt.Sprintf("%s:%s", backend, feature)] = true
+			}
+		}
+		for _, required := range cmd.Required {
+			if !avail[required] {
+				return fmt.Errorf("sandbox feature not available: %q", required)
+			}
+		}
+	} else {
+		backends := make([]string, 0, len(sandboxFeatures))
+		for backend := range sandboxFeatures {
+			backends = append(backends, backend)
+		}
+		sort.Strings(backends)
+		w := tabWriter()
+		defer w.Flush()
+		for _, backend := range backends {
+			fmt.Fprintf(w, "%s:\t%s\n", backend, strings.Join(sandboxFeatures[backend], " "))
+		}
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_sandbox_features_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_sandbox_features_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_sandbox_features_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_sandbox_features_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,61 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"fmt"
+	"net/http"
+
+	. "gopkg.in/check.v1"
+
+	snap "github.com/snapcore/snapd/cmd/snap"
+)
+
+func (s *SnapSuite) TestSandboxFeatures(c *C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "sync", "result": {"sandbox-features": {"apparmor": ["a", "b", "c"], "selinux": ["1", "2", "3"]}}}`)
+	})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "sandbox-features"})
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, ""+
+		"apparmor:  a b c\n"+
+		"selinux:   1 2 3\n")
+	c.Assert(s.Stderr(), Equals, "")
+}
+
+func (s *SnapSuite) TestSandboxFeaturesRequired(c *C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "sync", "result": {"sandbox-features": {"apparmor": ["a", "b", "c"], "selinux": ["1", "2", "3"]}}}`)
+	})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "sandbox-features", "--required=apparmor:a", "--required=selinux:2"})
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, "")
+	c.Assert(s.Stderr(), Equals, "")
+}
+
+func (s *SnapSuite) TestSandboxFeaturesRequiredButMissing(c *C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "sync", "result": {"sandbox-features": {"apparmor": ["a", "b", "c"], "selinux": ["1", "2", "3"]}}}`)
+	})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"debug", "sandbox-features", "--required=magic:thing"})
+	c.Assert(err, ErrorMatches, `sandbox feature not available: "magic:thing"`)
+	c.Assert(s.Stdout(), Equals, "")
+	c.Assert(s.Stderr(), Equals, "")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_services.go snapd-2.37~rc1~14.04/cmd/snap/cmd_services.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_services.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_services.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,16 +26,19 @@
 	"github.com/jessevdk/go-flags"
 
 	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/cmd"
 	"github.com/snapcore/snapd/i18n"
 )
 
 type svcStatus struct {
+	clientMixin
 	Positional struct {
 		ServiceNames []serviceName
 	} `positional-args:"yes"`
 }
 
 type svcLogs struct {
+	clientMixin
 	N          string `short:"n" default:"10"`
 	Follow     bool   `short:"f"`
 	Positional struct {
@@ -46,11 +49,13 @@
 var (
 	shortServicesHelp = i18n.G("Query the status of services")
 	longServicesHelp  = i18n.G(`
-The services command lists information about the services specified, or about the services in all currently installed snaps.
+The services command lists information about the services specified, or about
+the services in all currently installed snaps.
 `)
-	shortLogsHelp = i18n.G("Retrieve logs of services")
+	shortLogsHelp = i18n.G("Retrieve logs for services")
 	longLogsHelp  = i18n.G(`
-The logs command fetches logs of the given services and displays them in chronological order.
+The logs command fetches logs of the given services and displays them in
+chronological order.
 `)
 	shortStartHelp = i18n.G("Start services")
 	longStartHelp  = i18n.G(`
@@ -64,33 +69,40 @@
 	longRestartHelp  = i18n.G(`
 The restart command restarts the given services.
 
-If the --reload option is given, for each service whose app has a reload command, a reload is performed instead of a restart.
+If the --reload option is given, for each service whose app has a reload
+command, a reload is performed instead of a restart.
 `)
 )
 
 func init() {
 	argdescs := []argDesc{{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+		// TRANSLATORS: This needs to begin with < and end with >
 		name: i18n.G("<service>"),
+		// TRANSLATORS: This should not start with a lowercase letter.
 		desc: i18n.G("A service specification, which can be just a snap name (for all services in the snap), or <snap>.<app> for a single service."),
 	}}
 	addCommand("services", shortServicesHelp, longServicesHelp, func() flags.Commander { return &svcStatus{} }, nil, argdescs)
 	addCommand("logs", shortLogsHelp, longLogsHelp, func() flags.Commander { return &svcLogs{} },
 		map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"n": i18n.G("Show only the given number of lines, or 'all'."),
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"f": i18n.G("Wait for new lines and print them as they come in."),
 		}, argdescs)
 
 	addCommand("start", shortStartHelp, longStartHelp, func() flags.Commander { return &svcStart{} },
 		waitDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"enable": i18n.G("As well as starting the service now, arrange for it to be started on boot."),
 		}), argdescs)
 	addCommand("stop", shortStopHelp, longStopHelp, func() flags.Commander { return &svcStop{} },
 		waitDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"disable": i18n.G("As well as stopping the service now, arrange for it to no longer be started on boot."),
 		}), argdescs)
 	addCommand("restart", shortRestartHelp, longRestartHelp, func() flags.Commander { return &svcRestart{} },
 		waitDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"reload": i18n.G("If the service has a reload command, use it instead of restarting."),
 		}), argdescs)
 }
@@ -108,15 +120,20 @@
 		return ErrExtraArgs
 	}
 
-	services, err := Client().Apps(svcNames(s.Positional.ServiceNames), client.AppOptions{Service: true})
+	services, err := s.client.Apps(svcNames(s.Positional.ServiceNames), client.AppOptions{Service: true})
 	if err != nil {
 		return err
 	}
 
+	if len(services) == 0 {
+		fmt.Fprintln(Stderr, i18n.G("There are no services provided by installed snaps."))
+		return nil
+	}
+
 	w := tabWriter()
 	defer w.Flush()
 
-	fmt.Fprintln(w, i18n.G("Service\tStartup\tCurrent"))
+	fmt.Fprintln(w, i18n.G("Service\tStartup\tCurrent\tNotes"))
 
 	for _, svc := range services {
 		startup := i18n.G("disabled")
@@ -127,7 +144,7 @@
 		if svc.Active {
 			current = i18n.G("active")
 		}
-		fmt.Fprintf(w, "%s.%s\t%s\t%s\n", svc.Snap, svc.Name, startup, current)
+		fmt.Fprintf(w, "%s.%s\t%s\t%s\t%s\n", svc.Snap, svc.Name, startup, current, cmd.ClientAppInfoNotes(svc))
 	}
 
 	return nil
@@ -147,7 +164,7 @@
 		sN = int(n)
 	}
 
-	logs, err := Client().Logs(svcNames(s.Positional.ServiceNames), client.LogOptions{N: sN, Follow: s.Follow})
+	logs, err := s.client.Logs(svcNames(s.Positional.ServiceNames), client.LogOptions{N: sN, Follow: s.Follow})
 	if err != nil {
 		return err
 	}
@@ -171,13 +188,12 @@
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
-	cli := Client()
 	names := svcNames(s.Positional.ServiceNames)
-	changeID, err := cli.Start(names, client.StartOptions{Enable: s.Enable})
+	changeID, err := s.client.Start(names, client.StartOptions{Enable: s.Enable})
 	if err != nil {
 		return err
 	}
-	if _, err := s.wait(cli, changeID); err != nil {
+	if _, err := s.wait(changeID); err != nil {
 		if err == noWait {
 			return nil
 		}
@@ -201,13 +217,12 @@
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
-	cli := Client()
 	names := svcNames(s.Positional.ServiceNames)
-	changeID, err := cli.Stop(names, client.StopOptions{Disable: s.Disable})
+	changeID, err := s.client.Stop(names, client.StopOptions{Disable: s.Disable})
 	if err != nil {
 		return err
 	}
-	if _, err := s.wait(cli, changeID); err != nil {
+	if _, err := s.wait(changeID); err != nil {
 		if err == noWait {
 			return nil
 		}
@@ -231,13 +246,12 @@
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
-	cli := Client()
 	names := svcNames(s.Positional.ServiceNames)
-	changeID, err := cli.Restart(names, client.RestartOptions{Reload: s.Reload})
+	changeID, err := s.client.Restart(names, client.RestartOptions{Reload: s.Reload})
 	if err != nil {
 		return err
 	}
-	if _, err := s.wait(cli, changeID); err != nil {
+	if _, err := s.wait(changeID); err != nil {
 		if err == noWait {
 			return nil
 		}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_services_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_services_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_services_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_services_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package main_test
 
 import (
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
@@ -83,7 +84,7 @@
 
 func (s *appOpSuite) testOpNoArgs(c *check.C, op string) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{op})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{op})
 	c.Assert(err, check.ErrorMatches, `.* required argument .* not provided`)
 }
 
@@ -105,7 +106,7 @@
 		n++
 	})
 
-	_, err := snap.Parser().ParseArgs(s.args(op, names, extra, noWait))
+	_, err := snap.Parser(snap.Client()).ParseArgs(s.args(op, names, extra, noWait))
 	c.Assert(err, check.ErrorMatches, "error")
 	c.Check(n, check.Equals, 1)
 }
@@ -135,7 +136,7 @@
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs(s.args(op, names, extra, noWait))
+	rest, err := snap.Parser(snap.Client()).ParseArgs(s.args(op, names, extra, noWait))
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.HasLen, 0)
 	c.Check(s.Stderr(), check.Equals, "")
@@ -169,3 +170,85 @@
 		}
 	}
 }
+
+func (s *appOpSuite) TestAppStatus(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0:
+			c.Check(r.URL.Path, check.Equals, "/v2/apps")
+			c.Check(r.URL.Query(), check.HasLen, 1)
+			c.Check(r.URL.Query().Get("select"), check.Equals, "service")
+			c.Check(r.Method, check.Equals, "GET")
+			w.WriteHeader(200)
+			enc := json.NewEncoder(w)
+			enc.Encode(map[string]interface{}{
+				"type": "sync",
+				"result": []map[string]interface{}{
+					{"snap": "foo", "name": "bar", "daemon": "oneshot",
+						"active": false, "enabled": true,
+						"activators": []map[string]interface{}{
+							{"name": "bar", "type": "timer", "active": true, "enabled": true},
+						},
+					}, {"snap": "foo", "name": "baz", "daemon": "oneshot",
+						"active": false, "enabled": true,
+						"activators": []map[string]interface{}{
+							{"name": "baz-sock1", "type": "socket", "active": true, "enabled": true},
+							{"name": "baz-sock2", "type": "socket", "active": false, "enabled": true},
+						},
+					}, {"snap": "foo", "name": "zed",
+						"active": true, "enabled": true,
+					},
+				},
+				"status":      "OK",
+				"status-code": 200,
+			})
+		default:
+			c.Fatalf("expected to get 1 requests, now on %d", n+1)
+		}
+
+		n++
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"services"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.HasLen, 0)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(s.Stdout(), check.Equals, `Service  Startup  Current   Notes
+foo.bar  enabled  inactive  timer-activated
+foo.baz  enabled  inactive  socket-activated
+foo.zed  enabled  active    -
+`)
+	// ensure that the fake server api was actually hit
+	c.Check(n, check.Equals, 1)
+}
+
+func (s *appOpSuite) TestAppStatusNoServices(c *check.C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0:
+			c.Check(r.URL.Path, check.Equals, "/v2/apps")
+			c.Check(r.URL.Query(), check.HasLen, 1)
+			c.Check(r.URL.Query().Get("select"), check.Equals, "service")
+			c.Check(r.Method, check.Equals, "GET")
+			w.WriteHeader(200)
+			enc := json.NewEncoder(w)
+			enc.Encode(map[string]interface{}{
+				"type":        "sync",
+				"result":      []map[string]interface{}{},
+				"status":      "OK",
+				"status-code": 200,
+			})
+		default:
+			c.Fatalf("expected to get 1 requests, now on %d", n+1)
+		}
+		n++
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"services"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.HasLen, 0)
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "There are no services provided by installed snaps.\n")
+	// ensure that the fake server api was actually hit
+	c.Check(n, check.Equals, 1)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_set.go snapd-2.37~rc1~14.04/cmd/snap/cmd_set.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_set.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_set.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,7 +29,7 @@
 	"github.com/snapcore/snapd/jsonutil"
 )
 
-var shortSetHelp = i18n.G("Changes configuration options")
+var shortSetHelp = i18n.G("Change configuration options")
 var longSetHelp = i18n.G(`
 The set command changes the provided configuration options as requested.
 
@@ -44,6 +44,7 @@
 `)
 
 type cmdSet struct {
+	waitMixin
 	Positional struct {
 		Snap       installedSnapName
 		ConfValues []string `required:"1"`
@@ -51,15 +52,15 @@
 }
 
 func init() {
-	addCommand("set", shortSetHelp, longSetHelp, func() flags.Commander { return &cmdSet{} }, nil, []argDesc{
+	addCommand("set", shortSetHelp, longSetHelp, func() flags.Commander { return &cmdSet{} }, waitDescs, []argDesc{
 		{
 			name: "<snap>",
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("The snap to configure (e.g. hello-world)"),
 		}, {
-			// TRANSLATORS: This needs to be wrapped in <>s.
+			// TRANSLATORS: This needs to begin with < and end with >
 			name: i18n.G("<conf value>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("Configuration value (key=value)"),
 		},
 	})
@@ -81,16 +82,18 @@
 		}
 	}
 
-	return configure(string(x.Positional.Snap), patchValues)
-}
-
-func configure(snapName string, patchValues map[string]interface{}) error {
-	cli := Client()
-	id, err := cli.SetConf(snapName, patchValues)
+	snapName := string(x.Positional.Snap)
+	id, err := x.client.SetConf(snapName, patchValues)
 	if err != nil {
 		return err
 	}
 
-	_, err = wait(cli, id)
-	return err
+	if _, err := x.wait(id); err != nil {
+		if err == noWait {
+			return nil
+		}
+		return err
+	}
+
+	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_set_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_set_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_set_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_set_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -39,7 +39,7 @@
 
 func (s *SnapSuite) TestInvalidSetParameters(c *check.C) {
 	invalidParameters := []string{"set", "snap-name", "key", "value"}
-	_, err := snapset.Parser().ParseArgs(invalidParameters)
+	_, err := snapset.Parser(snapset.Client()).ParseArgs(invalidParameters)
 	c.Check(err, check.ErrorMatches, ".*invalid configuration:.*(want key=value).*")
 }
 
@@ -53,7 +53,7 @@
 	s.mockSetConfigServer(c, "value")
 
 	// Set a config value for the active snap
-	_, err := snapset.Parser().ParseArgs([]string{"set", "snapname", "key=value"})
+	_, err := snapset.Parser(snapset.Client()).ParseArgs([]string{"set", "snapname", "key=value"})
 	c.Assert(err, check.IsNil)
 }
 
@@ -67,7 +67,7 @@
 	s.mockSetConfigServer(c, json.Number("1.2"))
 
 	// Set a config value for the active snap
-	_, err := snapset.Parser().ParseArgs([]string{"set", "snapname", "key=1.2"})
+	_, err := snapset.Parser(snapset.Client()).ParseArgs([]string{"set", "snapname", "key=1.2"})
 	c.Assert(err, check.IsNil)
 }
 
@@ -80,7 +80,7 @@
 	s.mockSetConfigServer(c, json.Number("1234567890"))
 
 	// Set a config value for the active snap
-	_, err := snapset.Parser().ParseArgs([]string{"set", "snapname", "key=1234567890"})
+	_, err := snapset.Parser(snapset.Client()).ParseArgs([]string{"set", "snapname", "key=1234567890"})
 	c.Assert(err, check.IsNil)
 }
 
@@ -94,7 +94,7 @@
 	s.mockSetConfigServer(c, map[string]interface{}{"subkey": "value"})
 
 	// Set a config value for the active snap
-	_, err := snapset.Parser().ParseArgs([]string{"set", "snapname", `key={"subkey":"value"}`})
+	_, err := snapset.Parser(snapset.Client()).ParseArgs([]string{"set", "snapname", `key={"subkey":"value"}`})
 	c.Assert(err, check.IsNil)
 }
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_sign_build.go snapd-2.37~rc1~14.04/cmd/snap/cmd_sign_build.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_sign_build.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_sign_build.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,8 +43,11 @@
 	Grade       string  `long:"grade" choice:"devel" choice:"stable" default:"stable"`
 }
 
-var shortSignBuildHelp = i18n.G("Create snap build assertion")
-var longSignBuildHelp = i18n.G("Create snap-build assertion for the provided snap file.")
+var shortSignBuildHelp = i18n.G("Create a snap-build assertion")
+var longSignBuildHelp = i18n.G(`
+The sign-build command creates a snap-build assertion for the provided
+snap file.
+`)
 
 func init() {
 	cmd := addCommand("sign-build",
@@ -53,14 +56,18 @@
 		func() flags.Commander {
 			return &cmdSignBuild{}
 		}, map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"developer-id": i18n.G("Identifier of the signer"),
-			"snap-id":      i18n.G("Identifier of the snap package associated with the build"),
-			"k":            i18n.G("Name of the GnuPG key to use (defaults to 'default' as key name)"),
-			"grade":        i18n.G("Grade states the build quality of the snap (defaults to 'stable')"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"snap-id": i18n.G("Identifier of the snap package associated with the build"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"k": i18n.G("Name of the GnuPG key to use (defaults to 'default' as key name)"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"grade": i18n.G("Grade states the build quality of the snap (defaults to 'stable')"),
 		}, []argDesc{{
-			// TRANSLATORS: This needs to be wrapped in <>s.
+			// TRANSLATORS: This needs to begin with < and end with >
 			name: i18n.G("<filename>"),
-			// TRANSLATORS: This should probably not start with a lowercase letter.
+			// TRANSLATORS: This should not start with a lowercase letter.
 			desc: i18n.G("Filename of the snap you want to assert a build for"),
 		}})
 	cmd.hidden = true
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_sign_build_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_sign_build_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_sign_build_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_sign_build_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -38,7 +38,7 @@
 var _ = Suite(&SnapSignBuildSuite{})
 
 func (s *SnapSignBuildSuite) TestSignBuildMandatoryFlags(c *C) {
-	_, err := snap.Parser().ParseArgs([]string{"sign-build", "foo_1_amd64.snap"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"sign-build", "foo_1_amd64.snap"})
 	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "the required flags `--developer-id' and `--snap-id' were not specified")
 	c.Check(s.Stdout(), Equals, "")
@@ -46,7 +46,7 @@
 }
 
 func (s *SnapSignBuildSuite) TestSignBuildMissingSnap(c *C) {
-	_, err := snap.Parser().ParseArgs([]string{"sign-build", "foo_1_amd64.snap", "--developer-id", "dev-id1", "--snap-id", "snap-id-1"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"sign-build", "foo_1_amd64.snap", "--developer-id", "dev-id1", "--snap-id", "snap-id-1"})
 	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "cannot compute snap \"foo_1_amd64.snap\" digest: open foo_1_amd64.snap: no such file or directory")
 	c.Check(s.Stdout(), Equals, "")
@@ -63,7 +63,7 @@
 	os.Setenv("SNAP_GNUPG_HOME", tempdir)
 	defer os.Unsetenv("SNAP_GNUPG_HOME")
 
-	_, err := snap.Parser().ParseArgs([]string{"sign-build", snapFilename, "--developer-id", "dev-id1", "--snap-id", "snap-id-1"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"sign-build", snapFilename, "--developer-id", "dev-id1", "--snap-id", "snap-id-1"})
 	c.Assert(err, NotNil)
 	c.Check(err.Error(), Equals, "cannot use \"default\" key: cannot find key named \"default\" in GPG keyring")
 	c.Check(s.Stdout(), Equals, "")
@@ -87,7 +87,7 @@
 	os.Setenv("SNAP_GNUPG_HOME", tempdir)
 	defer os.Unsetenv("SNAP_GNUPG_HOME")
 
-	_, err := snap.Parser().ParseArgs([]string{"sign-build", snapFilename, "--developer-id", "dev-id1", "--snap-id", "snap-id-1"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"sign-build", snapFilename, "--developer-id", "dev-id1", "--snap-id", "snap-id-1"})
 	c.Assert(err, IsNil)
 
 	assertion, err := asserts.Decode([]byte(s.Stdout()))
@@ -122,7 +122,7 @@
 	os.Setenv("SNAP_GNUPG_HOME", tempdir)
 	defer os.Unsetenv("SNAP_GNUPG_HOME")
 
-	_, err := snap.Parser().ParseArgs([]string{"sign-build", snapFilename, "--developer-id", "dev-id1", "--snap-id", "snap-id-1", "--grade", "devel"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"sign-build", snapFilename, "--developer-id", "dev-id1", "--snap-id", "snap-id-1", "--grade", "devel"})
 	c.Assert(err, IsNil)
 	assertion, err := asserts.Decode([]byte(s.Stdout()))
 	c.Assert(err, IsNil)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_sign.go snapd-2.37~rc1~14.04/cmd/snap/cmd_sign.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_sign.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_sign.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,7 +31,10 @@
 )
 
 var shortSignHelp = i18n.G("Sign an assertion")
-var longSignHelp = i18n.G(`Sign an assertion using the specified key, using the input for headers from a JSON mapping provided through stdin, the body of the assertion can be specified through a "body" pseudo-header.
+var longSignHelp = i18n.G(`
+The sign command signs an assertion using the specified key, using the
+input for headers from a JSON mapping provided through stdin. The body
+of the assertion can be specified through a "body" pseudo-header.
 `)
 
 type cmdSign struct {
@@ -41,7 +44,10 @@
 func init() {
 	cmd := addCommand("sign", shortSignHelp, longSignHelp, func() flags.Commander {
 		return &cmdSign{}
-	}, map[string]string{"k": i18n.G("Name of the key to use, otherwise use the default key")}, nil)
+	}, map[string]string{
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"k": i18n.G("Name of the key to use, otherwise use the default key"),
+	}, nil)
 	cmd.hidden = true
 }
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_sign_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_sign_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_sign_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_sign_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,7 +43,7 @@
 func (s *SnapKeysSuite) TestHappyDefaultKey(c *C) {
 	s.stdin.Write(statement)
 
-	rest, err := snap.Parser().ParseArgs([]string{"sign"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"sign"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 
@@ -55,7 +55,7 @@
 func (s *SnapKeysSuite) TestHappyNonDefaultKey(c *C) {
 	s.stdin.Write(statement)
 
-	rest, err := snap.Parser().ParseArgs([]string{"sign", "-k", "another"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"sign", "-k", "another"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_snap_op.go snapd-2.37~rc1~14.04/cmd/snap/cmd_snap_op.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_snap_op.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_snap_op.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,11 +23,9 @@
 	"errors"
 	"fmt"
 	"os"
-	"os/signal"
 	"path/filepath"
 	"sort"
 	"strings"
-	"syscall"
 	"time"
 
 	"github.com/jessevdk/go-flags"
@@ -35,141 +33,56 @@
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/progress"
 )
 
-func lastLogStr(logs []string) string {
-	if len(logs) == 0 {
-		return ""
-	}
-	return logs[len(logs)-1]
-}
-
 var (
-	maxGoneTime = 5 * time.Second
-	pollTime    = 100 * time.Millisecond
+	shortInstallHelp = i18n.G("Install snaps on the system")
+	shortRemoveHelp  = i18n.G("Remove snaps from the system")
+	shortRefreshHelp = i18n.G("Refresh snaps in the system")
+	shortTryHelp     = i18n.G("Test an unpacked snap in the system")
+	shortEnableHelp  = i18n.G("Enable a snap in the system")
+	shortDisableHelp = i18n.G("Disable a snap in the system")
 )
 
-type waitMixin struct {
-	NoWait bool `long:"no-wait" hidden:"true"`
-}
-
-// TODO: use waitMixin outside of cmd_snap_op.go
-
-var waitDescs = mixinDescs{
-	"no-wait": i18n.G("Do not wait for the operation to finish but just print the change id."),
-}
-
-var noWait = errors.New("no wait for op")
-
-func (wmx *waitMixin) wait(cli *client.Client, id string) (*client.Change, error) {
-	if wmx.NoWait {
-		fmt.Fprintf(Stdout, "%s\n", id)
-		return nil, noWait
-	}
-	return wait(cli, id)
-}
-
-func wait(cli *client.Client, id string) (*client.Change, error) {
-	pb := progress.MakeProgressBar()
-	defer func() {
-		pb.Finished()
-	}()
-
-	tMax := time.Time{}
-
-	var lastID string
-	lastLog := map[string]string{}
-	for {
-		chg, err := cli.Change(id)
-		if err != nil {
-			// a client.Error means we were able to communicate with
-			// the server (got an answer)
-			if e, ok := err.(*client.Error); ok {
-				return nil, e
-			}
-
-			// an non-client error here means the server most
-			// likely went away
-			// XXX: it actually can be a bunch of other things; fix client to expose it better
-			now := time.Now()
-			if tMax.IsZero() {
-				tMax = now.Add(maxGoneTime)
-			}
-			if now.After(tMax) {
-				return nil, err
-			}
-			pb.Spin(i18n.G("Waiting for server to restart"))
-			time.Sleep(pollTime)
-			continue
-		}
-		if !tMax.IsZero() {
-			pb.Finished()
-			tMax = time.Time{}
-		}
-
-		for _, t := range chg.Tasks {
-			switch {
-			case t.Status != "Doing":
-				continue
-			case t.Progress.Total == 1:
-				pb.Spin(t.Summary)
-				nowLog := lastLogStr(t.Log)
-				if lastLog[t.ID] != nowLog {
-					pb.Notify(nowLog)
-					lastLog[t.ID] = nowLog
-				}
-			case t.ID == lastID:
-				pb.Set(float64(t.Progress.Done))
-			default:
-				pb.Start(t.Summary, float64(t.Progress.Total))
-				lastID = t.ID
-			}
-			break
-		}
+var longInstallHelp = i18n.G(`
+The install command installs the named snaps on the system.
 
-		if chg.Ready {
-			if chg.Status == "Done" {
-				return chg, nil
-			}
+To install multiple instances of the same snap, append an underscore and a
+unique identifier (for each instance) to a snap's name.
 
-			if chg.Err != "" {
-				return chg, errors.New(chg.Err)
-			}
+With no further options, the snaps are installed tracking the stable channel,
+with strict security confinement.
 
-			return nil, fmt.Errorf(i18n.G("change finished in status %q with no error message"), chg.Status)
-		}
+Revision choice via the --revision override requires the the user to
+have developer access to the snap, either directly or through the
+store's collaboration feature, and to be logged in (see 'snap help login').
 
-		// note this very purposely is not a ticker; we want
-		// to sleep 100ms between calls, not call once every
-		// 100ms.
-		time.Sleep(pollTime)
-	}
-}
+Note a later refresh will typically undo a revision override, taking the snap
+back to the current revision of the channel it's tracking.
 
-var (
-	shortInstallHelp = i18n.G("Installs a snap to the system")
-	shortRemoveHelp  = i18n.G("Removes a snap from the system")
-	shortRefreshHelp = i18n.G("Refreshes a snap in the system")
-	shortTryHelp     = i18n.G("Tests a snap in the system")
-	shortEnableHelp  = i18n.G("Enables a snap in the system")
-	shortDisableHelp = i18n.G("Disables a snap in the system")
-)
-
-var longInstallHelp = i18n.G(`
-The install command installs the named snap in the system.
+Use --name to set the instance name when installing from snap file.
 `)
 
 var longRemoveHelp = i18n.G(`
-The remove command removes the named snap from the system.
+The remove command removes the named snap instance from the system.
 
-By default all the snap revisions are removed, including their data and the common
-data directory. When a --revision option is passed only the specified revision is
-removed.
+By default all the snap revisions are removed, including their data and the
+common data directory. When a --revision option is passed only the specified
+revision is removed.
 `)
 
 var longRefreshHelp = i18n.G(`
-The refresh command refreshes (updates) the named snap.
+The refresh command updates the specified snaps, or all snaps in the system if
+none are specified.
+
+With no further options, the snaps are refreshed to the current revision of the
+channel they're tracking, preserving their confinement options.
+
+Revision choice via the --revision override requires the the user to
+have developer access to the snap, either directly or through the
+store's collaboration feature, and to be logged in (see 'snap help login').
+
+Note a later refresh will typically undo a revision override.
 `)
 
 var longTryHelp = i18n.G(`
@@ -189,7 +102,7 @@
 
 var longDisableHelp = i18n.G(`
 The disable command disables a snap. The binaries and services of the
-snap will no longer be available. But all the data is still available
+snap will no longer be available, but all the data is still available
 and the snap can easily be enabled again.
 `)
 
@@ -205,8 +118,7 @@
 func (x *cmdRemove) removeOne(opts *client.SnapOptions) error {
 	name := string(x.Positional.Snaps[0])
 
-	cli := Client()
-	changeID, err := cli.Remove(name, opts)
+	changeID, err := x.client.Remove(name, opts)
 	if err != nil {
 		msg, err := errorToCmdMessage(name, err, opts)
 		if err != nil {
@@ -216,31 +128,33 @@
 		return nil
 	}
 
-	_, err = x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
-	if err != nil {
+	if _, err := x.wait(changeID); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
-	fmt.Fprintf(Stdout, i18n.G("%s removed\n"), name)
+	if opts.Revision != "" {
+		fmt.Fprintf(Stdout, i18n.G("%s (revision %s) removed\n"), name, opts.Revision)
+	} else {
+		fmt.Fprintf(Stdout, i18n.G("%s removed\n"), name)
+	}
 	return nil
 }
 
 func (x *cmdRemove) removeMany(opts *client.SnapOptions) error {
 	names := installedSnapNames(x.Positional.Snaps)
-	cli := Client()
-	changeID, err := cli.RemoveMany(names, opts)
+	changeID, err := x.client.RemoveMany(names, opts)
 	if err != nil {
 		return err
 	}
 
-	chg, err := x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
+	chg, err := x.wait(changeID)
 	if err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
@@ -302,11 +216,16 @@
 }
 
 var channelDescs = mixinDescs{
-	"channel":   i18n.G("Use this channel instead of stable"),
-	"beta":      i18n.G("Install from the beta channel"),
-	"edge":      i18n.G("Install from the edge channel"),
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"channel": i18n.G("Use this channel instead of stable"),
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"beta": i18n.G("Install from the beta channel"),
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"edge": i18n.G("Install from the edge channel"),
+	// TRANSLATORS: This should not start with a lowercase letter.
 	"candidate": i18n.G("Install from the candidate channel"),
-	"stable":    i18n.G("Install from the stable channel"),
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"stable": i18n.G("Install from the stable channel"),
 }
 
 func (mx *channelMixin) setChannelFromCommandline() error {
@@ -338,8 +257,7 @@
 }
 
 // show what has been done
-func showDone(names []string, op string) error {
-	cli := Client()
+func showDone(cli *client.Client, names []string, op string, esc *escapes) error {
 	snaps, err := cli.List(names, nil)
 	if err != nil {
 		return err
@@ -352,17 +270,17 @@
 		}
 		switch op {
 		case "install":
-			if snap.Developer != "" {
-				// TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
-				fmt.Fprintf(Stdout, i18n.G("%s%s %s from '%s' installed\n"), snap.Name, channelStr, snap.Version, snap.Developer)
+			if snap.Publisher != nil {
+				// TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from Alice installed")
+				fmt.Fprintf(Stdout, i18n.G("%s%s %s from %s installed\n"), snap.Name, channelStr, snap.Version, longPublisher(esc, snap.Publisher))
 			} else {
 				// TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 				fmt.Fprintf(Stdout, i18n.G("%s%s %s installed\n"), snap.Name, channelStr, snap.Version)
 			}
 		case "refresh":
-			if snap.Developer != "" {
-				// TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
-				fmt.Fprintf(Stdout, i18n.G("%s%s %s from '%s' refreshed\n"), snap.Name, channelStr, snap.Version, snap.Developer)
+			if snap.Publisher != nil {
+				// TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from Alice refreshed")
+				fmt.Fprintf(Stdout, i18n.G("%s%s %s from %s refreshed\n"), snap.Name, channelStr, snap.Version, longPublisher(esc, snap.Publisher))
 			} else {
 				// TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 				fmt.Fprintf(Stdout, i18n.G("%s%s %s refreshed\n"), snap.Name, channelStr, snap.Version)
@@ -373,9 +291,9 @@
 		default:
 			fmt.Fprintf(Stdout, "internal error: unknown op %q", op)
 		}
-		if snap.TrackingChannel != snap.Channel {
-			// TRANSLATORS: first %s is a snap name, following %s is a channel name
-			fmt.Fprintf(Stdout, i18n.G("Snap %s is no longer tracking %s.\n"), snap.Name, snap.TrackingChannel)
+		if snap.TrackingChannel != snap.Channel && snap.Channel != "" {
+			// TRANSLATORS: first %s is a channel name, following %s is a snap name, last %s is a channel name again.
+			fmt.Fprintf(Stdout, i18n.G("Channel %s for %s is closed; temporarily forwarding to %s.\n"), snap.TrackingChannel, snap.Name, snap.Channel)
 		}
 	}
 
@@ -393,8 +311,11 @@
 }
 
 var modeDescs = mixinDescs{
-	"classic":  i18n.G("Put snap in classic mode and disable security confinement"),
-	"devmode":  i18n.G("Put snap in development mode and disable security confinement"),
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"classic": i18n.G("Put snap in classic mode and disable security confinement"),
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"devmode": i18n.G("Put snap in development mode and disable security confinement"),
+	// TRANSLATORS: This should not start with a lowercase letter.
 	"jailmode": i18n.G("Put snap in enforced confinement mode"),
 }
 
@@ -418,6 +339,7 @@
 }
 
 type cmdInstall struct {
+	colorMixin
 	waitMixin
 
 	channelMixin
@@ -431,39 +353,31 @@
 
 	Unaliased bool `long:"unaliased"`
 
+	Name string `long:"name"`
+
 	Positional struct {
 		Snaps []remoteSnapName `positional-arg-name:"<snap>"`
 	} `positional-args:"yes" required:"yes"`
 }
 
-func setupAbortHandler(changeId string) {
-	// Intercept sigint
-	c := make(chan os.Signal, 2)
-	signal.Notify(c, syscall.SIGINT)
-	go func() {
-		<-c
-		cli := Client()
-		_, err := cli.Abort(changeId)
-		if err != nil {
-			fmt.Fprintf(Stderr, err.Error()+"\n")
-		}
-	}()
-}
-
-func (x *cmdInstall) installOne(name string, opts *client.SnapOptions) error {
+func (x *cmdInstall) installOne(nameOrPath, desiredName string, opts *client.SnapOptions) error {
 	var err error
-	var installFromFile bool
 	var changeID string
+	var snapName string
+	var path string
 
-	cli := Client()
-	if strings.Contains(name, "/") || strings.HasSuffix(name, ".snap") || strings.Contains(name, ".snap.") {
-		installFromFile = true
-		changeID, err = cli.InstallPath(name, opts)
+	if strings.Contains(nameOrPath, "/") || strings.HasSuffix(nameOrPath, ".snap") || strings.Contains(nameOrPath, ".snap.") {
+		path = nameOrPath
+		changeID, err = x.client.InstallPath(path, x.Name, opts)
 	} else {
-		changeID, err = cli.Install(name, opts)
+		snapName = nameOrPath
+		if desiredName != "" {
+			return errors.New(i18n.G("cannot use explicit name when installing from store"))
+		}
+		changeID, err = x.client.Install(snapName, opts)
 	}
 	if err != nil {
-		msg, err := errorToCmdMessage(name, err, opts)
+		msg, err := errorToCmdMessage(nameOrPath, err, opts)
 		if err != nil {
 			return err
 		}
@@ -471,27 +385,22 @@
 		return nil
 	}
 
-	setupAbortHandler(changeID)
-
-	chg, err := x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
+	chg, err := x.wait(changeID)
 	if err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
 	// extract the snapName from the change, important for sideloaded
-	var snapName string
-
-	if installFromFile {
+	if path != "" {
 		if err := chg.Get("snap-name", &snapName); err != nil {
-			return fmt.Errorf("cannot extract the snap-name from local file %q: %s", name, err)
+			return fmt.Errorf("cannot extract the snap-name from local file %q: %s", nameOrPath, err)
 		}
-		name = snapName
 	}
 
-	return showDone([]string{name}, "install")
+	return showDone(x.client, []string{snapName}, "install", x.getEscapes())
 }
 
 func (x *cmdInstall) installMany(names []string, opts *client.SnapOptions) error {
@@ -502,8 +411,7 @@
 		}
 	}
 
-	cli := Client()
-	changeID, err := cli.InstallMany(names, opts)
+	changeID, err := x.client.InstallMany(names, opts)
 	if err != nil {
 		var snapName string
 		if err, ok := err.(*client.Error); ok {
@@ -517,13 +425,11 @@
 		return nil
 	}
 
-	setupAbortHandler(changeID)
-
-	chg, err := x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
+	chg, err := x.wait(changeID)
 	if err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
@@ -533,7 +439,7 @@
 	}
 
 	if len(installed) > 0 {
-		if err := showDone(installed, "install"); err != nil {
+		if err := showDone(x.client, installed, "install", x.getEscapes()); err != nil {
 			return err
 		}
 	}
@@ -572,20 +478,33 @@
 	x.setModes(opts)
 
 	names := remoteSnapNames(x.Positional.Snaps)
+	if len(names) == 0 {
+		return errors.New(i18n.G("cannot install zero snaps"))
+	}
+	for _, name := range names {
+		if len(name) == 0 {
+			return errors.New(i18n.G("cannot install snap with empty name"))
+		}
+	}
+
 	if len(names) == 1 {
-		return x.installOne(names[0], opts)
+		return x.installOne(names[0], x.Name, opts)
 	}
 
 	if x.asksForMode() || x.asksForChannel() {
 		return errors.New(i18n.G("a single snap name is needed to specify mode or channel flags"))
 	}
 
+	if x.Name != "" {
+		return errors.New(i18n.G("cannot use instance name when installing multiple snaps"))
+	}
 	return x.installMany(names, nil)
 }
 
 type cmdRefresh struct {
+	colorMixin
+	timeMixin
 	waitMixin
-
 	channelMixin
 	modeMixin
 
@@ -600,17 +519,16 @@
 }
 
 func (x *cmdRefresh) refreshMany(snaps []string, opts *client.SnapOptions) error {
-	cli := Client()
-	changeID, err := cli.RefreshMany(snaps, opts)
+	changeID, err := x.client.RefreshMany(snaps, opts)
 	if err != nil {
 		return err
 	}
 
-	chg, err := x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
+	chg, err := x.wait(changeID)
 	if err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
@@ -620,7 +538,7 @@
 	}
 
 	if len(refreshed) > 0 {
-		return showDone(refreshed, "refresh")
+		return showDone(x.client, refreshed, "refresh", x.getEscapes())
 	}
 
 	fmt.Fprintln(Stderr, i18n.G("All snaps up to date."))
@@ -629,8 +547,7 @@
 }
 
 func (x *cmdRefresh) refreshOne(name string, opts *client.SnapOptions) error {
-	cli := Client()
-	changeID, err := cli.Refresh(name, opts)
+	changeID, err := x.client.Refresh(name, opts)
 	if err != nil {
 		msg, err := errorToCmdMessage(name, err, opts)
 		if err != nil {
@@ -640,20 +557,26 @@
 		return nil
 	}
 
-	_, err = x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
-	if err != nil {
+	if _, err := x.wait(changeID); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
-	return showDone([]string{name}, "refresh")
+	return showDone(x.client, []string{name}, "refresh", x.getEscapes())
+}
+
+func parseSysinfoTime(s string) time.Time {
+	t, err := time.Parse(time.RFC3339, s)
+	if err != nil {
+		return time.Time{}
+	}
+	return t
 }
 
 func (x *cmdRefresh) showRefreshTimes() error {
-	cli := Client()
-	sysinfo, err := cli.SysInfo()
+	sysinfo, err := x.client.SysInfo()
 	if err != nil {
 		return err
 	}
@@ -665,16 +588,27 @@
 	} else {
 		return errors.New("internal error: both refresh.timer and refresh.schedule are empty")
 	}
-	if sysinfo.Refresh.Last != "" {
-		fmt.Fprintf(Stdout, "last: %s\n", sysinfo.Refresh.Last)
+	last := parseSysinfoTime(sysinfo.Refresh.Last)
+	hold := parseSysinfoTime(sysinfo.Refresh.Hold)
+	next := parseSysinfoTime(sysinfo.Refresh.Next)
+
+	if !last.IsZero() {
+		fmt.Fprintf(Stdout, "last: %s\n", x.fmtTime(last))
 	} else {
 		fmt.Fprintf(Stdout, "last: n/a\n")
 	}
-	if sysinfo.Refresh.Hold != "" {
-		fmt.Fprintf(Stdout, "hold: %s\n", sysinfo.Refresh.Hold)
+	if !hold.IsZero() {
+		fmt.Fprintf(Stdout, "hold: %s\n", x.fmtTime(hold))
 	}
-	if sysinfo.Refresh.Next != "" {
-		fmt.Fprintf(Stdout, "next: %s\n", sysinfo.Refresh.Next)
+	// only show "next" if its after "hold" to not confuse users
+	if !next.IsZero() {
+		// Snapstate checks for holdTime.After(limitTime) so we need
+		// to check for before or equal here to be fully correct.
+		if next.Before(hold) || next.Equal(hold) {
+			fmt.Fprintf(Stdout, "next: %s (but held)\n", x.fmtTime(next))
+		} else {
+			fmt.Fprintf(Stdout, "next: %s\n", x.fmtTime(next))
+		}
 	} else {
 		fmt.Fprintf(Stdout, "next: n/a\n")
 	}
@@ -682,8 +616,7 @@
 }
 
 func (x *cmdRefresh) listRefresh() error {
-	cli := Client()
-	snaps, _, err := cli.Find(&client.FindOptions{
+	snaps, _, err := x.client.Find(&client.FindOptions{
 		Refresh: true,
 	})
 	if err != nil {
@@ -696,12 +629,14 @@
 
 	sort.Sort(snapsByName(snaps))
 
+	esc := x.getEscapes()
 	w := tabWriter()
 	defer w.Flush()
 
-	fmt.Fprintln(w, i18n.G("Name\tVersion\tRev\tDeveloper\tNotes"))
+	// TRANSLATORS: the %s is to insert a filler escape sequence (please keep it flush to the column header, with no extra spaces)
+	fmt.Fprintf(w, i18n.G("Name\tVersion\tRev\tPublisher%s\tNotes\n"), fillerPublisher(esc))
 	for _, snap := range snaps {
-		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", snap.Name, snap.Version, snap.Revision, snap.Developer, NotesFromRemote(snap, nil))
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", snap.Name, snap.Version, snap.Revision, shortPublisher(esc, snap.Publisher), NotesFromRemote(snap, nil))
 	}
 
 	return nil
@@ -717,14 +652,14 @@
 
 	if x.Time {
 		if x.asksForMode() || x.asksForChannel() {
-			return errors.New(i18n.G("--time does not take mode nor channel flags"))
+			return errors.New(i18n.G("--time does not take mode or channel flags"))
 		}
 		return x.showRefreshTimes()
 	}
 
 	if x.List {
-		if x.asksForMode() || x.asksForChannel() {
-			return errors.New(i18n.G("--list does not take mode nor channel flags"))
+		if len(x.Positional.Snaps) > 0 || x.asksForMode() || x.asksForChannel() {
+			return errors.New(i18n.G("--list does not accept additional arguments"))
 		}
 
 		return x.listRefresh()
@@ -785,7 +720,6 @@
 	if err := x.validateMode(); err != nil {
 		return err
 	}
-	cli := Client()
 	name := x.Positional.SnapDir
 	opts := &client.SnapOptions{}
 	x.setModes(opts)
@@ -809,21 +743,21 @@
 		return fmt.Errorf(i18n.G("cannot get full path for %q: %v"), name, err)
 	}
 
-	changeID, err := cli.Try(path, opts)
-	if e, ok := err.(*client.Error); ok && e.Kind == client.ErrorKindNotSnap {
-		return fmt.Errorf(i18n.G(`%q does not contain an unpacked snap.
-
-Try "snapcraft prime" in your project directory, then "snap try" again.`), path)
-	}
+	changeID, err := x.client.Try(path, opts)
 	if err != nil {
-		return err
-	}
-
-	chg, err := x.wait(cli, changeID)
-	if err == noWait {
+		msg, err := errorToCmdMessage(name, err, opts)
+		if err != nil {
+			return err
+		}
+		fmt.Fprintln(Stderr, msg)
 		return nil
 	}
+
+	chg, err := x.wait(changeID)
 	if err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
@@ -836,7 +770,7 @@
 	name = snapName
 
 	// show output as speced
-	snaps, err := cli.List([]string{name}, nil)
+	snaps, err := x.client.List([]string{name}, nil)
 	if err != nil {
 		return err
 	}
@@ -859,19 +793,17 @@
 }
 
 func (x *cmdEnable) Execute([]string) error {
-	cli := Client()
 	name := string(x.Positional.Snap)
 	opts := &client.SnapOptions{}
-	changeID, err := cli.Enable(name, opts)
+	changeID, err := x.client.Enable(name, opts)
 	if err != nil {
 		return err
 	}
 
-	_, err = x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
-	if err != nil {
+	if _, err := x.wait(changeID); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
@@ -888,19 +820,17 @@
 }
 
 func (x *cmdDisable) Execute([]string) error {
-	cli := Client()
 	name := string(x.Positional.Snap)
 	opts := &client.SnapOptions{}
-	changeID, err := cli.Disable(name, opts)
+	changeID, err := x.client.Disable(name, opts)
 	if err != nil {
 		return err
 	}
 
-	_, err = x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
-	if err != nil {
+	if _, err := x.wait(changeID); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
@@ -937,24 +867,22 @@
 		return err
 	}
 
-	cli := Client()
 	name := string(x.Positional.Snap)
 	opts := &client.SnapOptions{Revision: x.Revision}
 	x.setModes(opts)
-	changeID, err := cli.Revert(name, opts)
+	changeID, err := x.client.Revert(name, opts)
 	if err != nil {
 		return err
 	}
 
-	_, err = x.wait(cli, changeID)
-	if err == noWait {
-		return nil
-	}
-	if err != nil {
+	if _, err := x.wait(changeID); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
-	return showDone([]string{name}, "revert")
+	return showDone(x.client, []string{name}, "revert", nil)
 }
 
 var shortSwitchHelp = i18n.G("Switches snap to a different channel")
@@ -964,6 +892,7 @@
 `)
 
 type cmdSwitch struct {
+	waitMixin
 	channelMixin
 
 	Positional struct {
@@ -979,18 +908,20 @@
 		return fmt.Errorf("missing --channel=<channel-name> parameter")
 	}
 
-	cli := Client()
 	name := string(x.Positional.Snap)
 	channel := string(x.Channel)
 	opts := &client.SnapOptions{
 		Channel: channel,
 	}
-	changeID, err := cli.Switch(name, opts)
+	changeID, err := x.client.Switch(name, opts)
 	if err != nil {
 		return err
 	}
 
-	if _, err = wait(cli, changeID); err != nil {
+	if _, err := x.wait(changeID); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
@@ -1000,28 +931,42 @@
 
 func init() {
 	addCommand("remove", shortRemoveHelp, longRemoveHelp, func() flags.Commander { return &cmdRemove{} },
-		waitDescs.also(map[string]string{"revision": i18n.G("Remove only the given revision")}), nil)
+		waitDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"revision": i18n.G("Remove only the given revision"),
+		}), nil)
 	addCommand("install", shortInstallHelp, longInstallHelp, func() flags.Commander { return &cmdInstall{} },
-		waitDescs.also(channelDescs).also(modeDescs).also(map[string]string{
-			"revision":        i18n.G("Install the given revision of a snap, to which you must have developer access"),
-			"dangerous":       i18n.G("Install the given snap file even if there are no pre-acknowledged signatures for it, meaning it was not verified and could be dangerous (--devmode implies this)"),
+		colorDescs.also(waitDescs).also(channelDescs).also(modeDescs).also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"revision": i18n.G("Install the given revision of a snap, to which you must have developer access"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"dangerous": i18n.G("Install the given snap file even if there are no pre-acknowledged signatures for it, meaning it was not verified and could be dangerous (--devmode implies this)"),
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"force-dangerous": i18n.G("Alias for --dangerous (DEPRECATED)"),
-			"unaliased":       i18n.G("Install the given snap without enabling its automatic aliases"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"unaliased": i18n.G("Install the given snap without enabling its automatic aliases"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"name": i18n.G("Install the snap file under the given instance name"),
 		}), nil)
 	addCommand("refresh", shortRefreshHelp, longRefreshHelp, func() flags.Commander { return &cmdRefresh{} },
-		waitDescs.also(channelDescs).also(modeDescs).also(map[string]string{
-			"amend":             i18n.G("Allow refresh attempt on snap unknown to the store"),
-			"revision":          i18n.G("Refresh to the given revision"),
-			"list":              i18n.G("Show available snaps for refresh but do not perform a refresh"),
-			"time":              i18n.G("Show auto refresh information but do not perform a refresh"),
+		colorDescs.also(waitDescs).also(channelDescs).also(modeDescs).also(timeDescs).also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"amend": i18n.G("Allow refresh attempt on snap unknown to the store"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"revision": i18n.G("Refresh to the given revision, to which you must have developer access"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"list": i18n.G("Show the new versions of snaps that would be updated with the next refresh"),
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"time": i18n.G("Show auto refresh information but do not perform a refresh"),
+			// TRANSLATORS: This should not start with a lowercase letter.
 			"ignore-validation": i18n.G("Ignore validation by other snaps blocking the refresh"),
 		}), nil)
 	addCommand("try", shortTryHelp, longTryHelp, func() flags.Commander { return &cmdTry{} }, waitDescs.also(modeDescs), nil)
 	addCommand("enable", shortEnableHelp, longEnableHelp, func() flags.Commander { return &cmdEnable{} }, waitDescs, nil)
 	addCommand("disable", shortDisableHelp, longDisableHelp, func() flags.Commander { return &cmdDisable{} }, waitDescs, nil)
 	addCommand("revert", shortRevertHelp, longRevertHelp, func() flags.Commander { return &cmdRevert{} }, waitDescs.also(modeDescs).also(map[string]string{
-		"revision": "Revert to the given revision",
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"revision": i18n.G("Revert to the given revision"),
 	}), nil)
-	addCommand("switch", shortSwitchHelp, longSwitchHelp, func() flags.Commander { return &cmdSwitch{} }, nil, nil)
-
+	addCommand("switch", shortSwitchHelp, longSwitchHelp, func() flags.Commander { return &cmdSwitch{} }, waitDescs.also(channelDescs), nil)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_snap_op_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_snap_op_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_snap_op_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_snap_op_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -28,6 +28,7 @@
 	"net/http/httptest"
 	"path/filepath"
 	"regexp"
+	"strings"
 	"time"
 
 	"gopkg.in/check.v1"
@@ -37,15 +38,18 @@
 	"github.com/snapcore/snapd/progress"
 	"github.com/snapcore/snapd/progress/progresstest"
 	"github.com/snapcore/snapd/testutil"
+	"os"
 )
 
 type snapOpTestServer struct {
 	c *check.C
 
-	checker func(r *http.Request)
-	n       int
-	total   int
-	channel string
+	checker   func(r *http.Request)
+	n         int
+	total     int
+	channel   string
+	rebooting bool
+	snap      string
 }
 
 var _ = check.Suite(&SnapOpSuite{})
@@ -54,21 +58,29 @@
 	switch t.n {
 	case 0:
 		t.checker(r)
-		t.c.Check(r.Method, check.Equals, "POST")
+		method := "POST"
+		if strings.HasSuffix(r.URL.Path, "/conf") {
+			method = "PUT"
+		}
+		t.c.Check(r.Method, check.Equals, method)
 		w.WriteHeader(202)
 		fmt.Fprintln(w, `{"type":"async", "change": "42", "status-code": 202}`)
 	case 1:
 		t.c.Check(r.Method, check.Equals, "GET")
 		t.c.Check(r.URL.Path, check.Equals, "/v2/changes/42")
-		fmt.Fprintln(w, `{"type": "sync", "result": {"status": "Doing"}}`)
+		if !t.rebooting {
+			fmt.Fprintln(w, `{"type": "sync", "result": {"status": "Doing"}}`)
+		} else {
+			fmt.Fprintln(w, `{"type": "sync", "result": {"status": "Doing"}, "maintenance": {"kind": "system-restart", "message": "system is restarting"}}}`)
+		}
 	case 2:
 		t.c.Check(r.Method, check.Equals, "GET")
 		t.c.Check(r.URL.Path, check.Equals, "/v2/changes/42")
-		fmt.Fprintln(w, `{"type": "sync", "result": {"ready": true, "status": "Done", "data": {"snap-name": "foo"}}}`)
+		fmt.Fprintf(w, `{"type": "sync", "result": {"ready": true, "status": "Done", "data": {"snap-name": "%s"}}}\n`, t.snap)
 	case 3:
 		t.c.Check(r.Method, check.Equals, "GET")
 		t.c.Check(r.URL.Path, check.Equals, "/v2/snaps")
-		fmt.Fprintf(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "1.0", "developer": "bar", "revision":42, "channel":"%s"}]}\n`, t.channel)
+		fmt.Fprintf(w, `{"type": "sync", "result": [{"name": "%s", "status": "active", "version": "1.0", "developer": "bar", "publisher": {"id": "bar-id", "username": "bar", "display-name": "Bar", "validation": "unproven"}, "revision":42, "channel":"%s"}]}\n`, t.snap, t.channel)
 	default:
 		t.c.Fatalf("expected to get %d requests, now on %d", t.total, t.n+1)
 	}
@@ -96,6 +108,7 @@
 	s.srv = snapOpTestServer{
 		c:     c,
 		total: 4,
+		snap:  "foo",
 	}
 }
 
@@ -147,6 +160,31 @@
 	c.Check(meter.Labels, testutil.Contains, "Waiting for server to restart")
 }
 
+func (s *SnapOpSuite) TestWaitRebooting(c *check.C) {
+	meter := &progresstest.Meter{}
+	defer progress.MockMeter(meter)()
+	restore := snap.MockMaxGoneTime(time.Millisecond)
+	defer restore()
+
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "sync",
+"result": {
+"ready": false,
+"status": "Doing",
+"tasks": [{"kind": "bar", "summary": "...", "status": "Doing", "progress": {"done": 1, "total": 1}, "log": ["INFO: info"]}]
+},
+"maintenance": {"kind": "system-restart", "message": "system is restarting"}}`)
+	})
+
+	cli := snap.Client()
+	chg, err := snap.Wait(cli, "x")
+	c.Assert(chg, check.IsNil)
+	c.Assert(err, check.DeepEquals, &client.Error{Kind: client.ErrorKindSystemRestart, Message: "system is restarting"})
+
+	// last available info is still displayed
+	c.Check(meter.Notices, testutil.Contains, "INFO: info")
+}
+
 func (s *SnapOpSuite) TestInstall(c *check.C) {
 	s.srv.checker = func(r *http.Request) {
 		c.Check(r.URL.Path, check.Equals, "/v2/snaps/foo")
@@ -158,10 +196,10 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--channel", "candidate", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel", "candidate", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(candidate\) 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(candidate\) 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -179,10 +217,10 @@
 
 	s.RedirectClientToTestServer(s.srv.handle)
 	// snap install --channel=3.4 means 3.4/stable, this is what we test here
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--channel", "3.4", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel", "3.4", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(3.4/stable\) 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(3.4/stable\) 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -199,10 +237,10 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--channel", "3.4/hotfix-1", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel", "3.4/hotfix-1", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(3.4/hotfix-1\) 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(3.4/hotfix-1\) 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -220,10 +258,10 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--channel", "beta", "--devmode", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel", "beta", "--devmode", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(beta\) 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(beta\) 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -239,10 +277,10 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--classic", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--classic", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -258,15 +296,323 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--unaliased", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--unaliased", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
 }
 
+func (s *SnapOpSuite) TestInstallSnapNotFound(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "snap not found", "value": "foo", "kind": "snap-not-found"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("error: %v\n", err), check.Equals, `error: snap "foo" not found
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailable(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision available as specified", "value": "foo", "kind": "snap-revision-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" not available as specified (see 'snap info foo')
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableOnChannel(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision available as specified", "value": "foo", "kind": "snap-revision-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel=mytrack", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" not available on channel "mytrack/stable" (see 'snap info
+       foo')
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableAtRevision(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision available as specified", "value": "foo", "kind": "snap-revision-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--revision=2", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" revision 2 not available (see 'snap info foo')
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForChannelTrackOK(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "stable",
+  "releases": [{"architecture": "amd64", "channel": "beta"},
+               {"architecture": "amd64", "channel": "edge"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" is not available on stable but is available to install on the
+       following channels:
+
+       beta       snap install --beta foo
+       edge       snap install --edge foo
+
+       Please be mindful pre-release channels may include features not
+       completely tested or implemented. Get more information with 'snap info
+       foo'.
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForChannelTrackOKPrerelOK(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "candidate",
+  "releases": [{"architecture": "amd64", "channel": "beta"},
+               {"architecture": "amd64", "channel": "edge"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--candidate", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" is not available on candidate but is available to install on
+       the following channels:
+
+       beta       snap install --beta foo
+       edge       snap install --edge foo
+
+       Get more information with 'snap info foo'.
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForChannelTrackOther(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "stable",
+  "releases": [{"architecture": "amd64", "channel": "1.0/stable"},
+               {"architecture": "amd64", "channel": "2.0/stable"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" is not available on latest/stable but is available to install
+       on the following tracks:
+
+       1.0/stable  snap install --channel=1.0 foo
+       2.0/stable  snap install --channel=2.0 foo
+
+       Please be mindful that different tracks may include different features.
+       Get more information with 'snap info foo'.
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForChannelTrackLatestStable(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "2.0/stable",
+  "releases": [{"architecture": "amd64", "channel": "stable"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel=2.0/stable", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" is not available on 2.0/stable but is available to install on
+       the following tracks:
+
+       latest/stable  snap install --stable foo
+
+       Please be mindful that different tracks may include different features.
+       Get more information with 'snap info foo'.
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForChannelTrackAndRiskOther(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "2.0/stable",
+  "releases": [{"architecture": "amd64", "channel": "1.0/edge"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel=2.0/stable", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" is not available on 2.0/stable but other tracks exist.
+
+       Please be mindful that different tracks may include different features.
+       Get more information with 'snap info foo'.
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForArchitectureTrackAndRiskOK(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified architecture", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "arm64",
+  "channel": "stable",
+  "releases": [{"architecture": "amd64", "channel": "stable"},
+               {"architecture": "s390x", "channel": "stable"}]
+}, "kind": "snap-architecture-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" is not available on stable for this architecture (arm64) but
+       exists on other architectures (amd64, s390x).
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForArchitectureTrackAndRiskOther(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified architecture", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "arm64",
+  "channel": "1.0/stable",
+  "releases": [{"architecture": "amd64", "channel": "stable"},
+               {"architecture": "s390x", "channel": "stable"}]
+}, "kind": "snap-architecture-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel=1.0/stable", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: snap "foo" is not available on this architecture (arm64) but exists on
+       other architectures (amd64, s390x).
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableInvalidChannel(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "a/b/c/d",
+  "releases": [{"architecture": "amd64", "channel": "stable"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel=a/b/c/d", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: requested channel "a/b/c/d" is not valid (see 'snap info foo' for valid
+       ones)
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForChannelNonExistingBranchOnMainChannel(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "stable/baz",
+  "releases": [{"architecture": "amd64", "channel": "stable"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel=stable/baz", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: requested a non-existing branch on latest/stable for snap "foo": baz
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
+func (s *SnapOpSuite) TestInstallSnapRevisionNotAvailableForChannelNonExistingBranch(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "no snap revision on specified channel", "value": {
+  "snap-name": "foo",
+  "action": "install",
+  "architecture": "amd64",
+  "channel": "stable/baz",
+  "releases": [{"architecture": "amd64", "channel": "edge"}]
+}, "kind": "snap-channel-not-available"}, "status-code": 404}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--channel=stable/baz", "foo"})
+	c.Assert(err, check.NotNil)
+	c.Check(fmt.Sprintf("\nerror: %v\n", err), check.Equals, `
+error: requested a non-existing branch for snap "foo": latest/stable/baz
+`)
+
+	c.Check(s.Stdout(), check.Equals, "")
+	c.Check(s.Stderr(), check.Equals, "")
+}
+
 func testForm(r *http.Request, c *check.C) *multipart.Form {
 	contentType := r.Header.Get("Content-Type")
 	mediaType, params, err := mime.ParseMediaType(contentType)
@@ -321,10 +667,10 @@
 	err := ioutil.WriteFile(snapPath, snapBody, 0644)
 	c.Assert(err, check.IsNil)
 
-	rest, err := snap.Parser().ParseArgs([]string{"install", snapPath})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", snapPath})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -352,10 +698,10 @@
 	err := ioutil.WriteFile(snapPath, snapBody, 0644)
 	c.Assert(err, check.IsNil)
 
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--devmode", snapPath})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--devmode", snapPath})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -383,10 +729,10 @@
 	err := ioutil.WriteFile(snapPath, snapBody, 0644)
 	c.Assert(err, check.IsNil)
 
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--classic", snapPath})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--classic", snapPath})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -414,15 +760,60 @@
 	err := ioutil.WriteFile(snapPath, snapBody, 0644)
 	c.Assert(err, check.IsNil)
 
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--dangerous", snapPath})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--dangerous", snapPath})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
 }
 
+func (s *SnapOpSuite) TestInstallPathInstance(c *check.C) {
+	s.srv.checker = func(r *http.Request) {
+		c.Check(r.URL.Path, check.Equals, "/v2/snaps")
+
+		form := testForm(r, c)
+		defer form.RemoveAll()
+
+		c.Check(form.Value["action"], check.DeepEquals, []string{"install"})
+		c.Check(form.Value["name"], check.DeepEquals, []string{"foo_bar"})
+		c.Check(form.Value["devmode"], check.IsNil)
+		c.Check(form.Value["snap-path"], check.NotNil)
+		c.Check(form.Value, check.HasLen, 3)
+
+		name, _, body := formFile(form, c)
+		c.Check(name, check.Equals, "snap")
+		c.Check(string(body), check.Equals, "snap-data")
+	}
+
+	snapBody := []byte("snap-data")
+	s.RedirectClientToTestServer(s.srv.handle)
+	// instance is named foo_bar
+	s.srv.snap = "foo_bar"
+	snapPath := filepath.Join(c.MkDir(), "foo.snap")
+	err := ioutil.WriteFile(snapPath, snapBody, 0644)
+	c.Assert(err, check.IsNil)
+
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", snapPath, "--name", "foo_bar"})
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Assert(err, check.IsNil)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo_bar 1.0 from Bar installed`)
+	c.Check(s.Stderr(), check.Equals, "")
+	// ensure that the fake server api was actually hit
+	c.Check(s.srv.n, check.Equals, s.srv.total)
+}
+
+func (s *SnapSuite) TestInstallWithInstanceNoPath(c *check.C) {
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--name", "foo_bar", "some-snap"})
+	c.Assert(err, check.ErrorMatches, "cannot use explicit name when installing from store")
+}
+
+func (s *SnapSuite) TestInstallManyWithInstance(c *check.C) {
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--name", "foo_bar", "some-snap-1", "some-snap-2"})
+	c.Assert(err, check.ErrorMatches, "cannot use instance name when installing multiple snaps")
+}
+
 func (s *SnapOpSuite) TestRevertRunthrough(c *check.C) {
 	s.srv.total = 4
 	s.srv.channel = "potato"
@@ -434,12 +825,12 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"revert", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"revert", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	// tracking channel is "" in the test server
 	c.Check(s.Stdout(), check.Equals, `foo reverted to 1.0
-Snap foo is no longer tracking .
+Channel  for foo is closed; temporarily forwarding to potato.
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
@@ -484,7 +875,7 @@
 		}
 	}
 
-	rest, err := snap.Parser().ParseArgs(cmd)
+	rest, err := snap.Parser(snap.Client()).ParseArgs(cmd)
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, "foo reverted to 1.0\n")
@@ -510,11 +901,25 @@
 }
 
 func (s *SnapOpSuite) TestRevertMissingName(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"revert"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"revert"})
 	c.Assert(err, check.NotNil)
 	c.Assert(err, check.ErrorMatches, "the required argument `<snap>` was not provided")
 }
 
+func (s *SnapSuite) TestRefreshListLessOptions(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		c.Fatal("expected to get 0 requests")
+	})
+
+	for _, flag := range []string{"--beta", "--channel=potato", "--classic"} {
+		_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--list", flag})
+		c.Assert(err, check.ErrorMatches, "--list does not accept additional arguments")
+
+		_, err = snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--list", flag, "some-snap"})
+		c.Assert(err, check.ErrorMatches, "--list does not accept additional arguments")
+	}
+}
+
 func (s *SnapSuite) TestRefreshList(c *check.C) {
 	n := 0
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
@@ -523,17 +928,17 @@
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/find")
 			c.Check(r.URL.Query().Get("select"), check.Equals, "refresh")
-			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2update1", "developer": "bar", "revision":17,"summary":"some summary"}]}`)
+			fmt.Fprintln(w, `{"type": "sync", "result": [{"name": "foo", "status": "active", "version": "4.2update1", "developer": "bar", "publisher": {"id": "bar-id", "username": "bar", "display-name": "Bar", "validation": "unproven"}, "revision":17,"summary":"some summary"}]}`)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"refresh", "--list"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--list"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Developer +Notes
+	c.Check(s.Stdout(), check.Matches, `Name +Version +Rev +Publisher +Notes
 foo +4.2update1 +17 +bar +-.*
 `)
 	c.Check(s.Stderr(), check.Equals, "")
@@ -548,19 +953,19 @@
 		case 0:
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/system-info")
-			fmt.Fprintln(w, `{"type": "sync", "status-code": 200, "result": {"refresh": {"schedule": "00:00-04:59/5:00-10:59/11:00-16:59/17:00-23:59", "last": "2017-04-25T17:35:00+0200", "next": "2017-04-26T00:58:00+0200"}}}`)
+			fmt.Fprintln(w, `{"type": "sync", "status-code": 200, "result": {"refresh": {"schedule": "00:00-04:59/5:00-10:59/11:00-16:59/17:00-23:59", "last": "2017-04-25T17:35:00+02:00", "next": "2017-04-26T00:58:00+02:00"}}}`)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"refresh", "--time"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--time", "--abs-time"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `schedule: 00:00-04:59/5:00-10:59/11:00-16:59/17:00-23:59
-last: 2017-04-25T17:35:00+0200
-next: 2017-04-26T00:58:00+0200
+last: 2017-04-25T17:35:00+02:00
+next: 2017-04-26T00:58:00+02:00
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
@@ -574,19 +979,19 @@
 		case 0:
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/system-info")
-			fmt.Fprintln(w, `{"type": "sync", "status-code": 200, "result": {"refresh": {"timer": "0:00-24:00/4", "last": "2017-04-25T17:35:00+0200", "next": "2017-04-26T00:58:00+0200"}}}`)
+			fmt.Fprintln(w, `{"type": "sync", "status-code": 200, "result": {"refresh": {"timer": "0:00-24:00/4", "last": "2017-04-25T17:35:00+02:00", "next": "2017-04-26T00:58:00+02:00"}}}`)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"refresh", "--time"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--time", "--abs-time"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `timer: 0:00-24:00/4
-last: 2017-04-25T17:35:00+0200
-next: 2017-04-26T00:58:00+0200
+last: 2017-04-25T17:35:00+02:00
+next: 2017-04-26T00:58:00+02:00
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
@@ -600,20 +1005,20 @@
 		case 0:
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/system-info")
-			fmt.Fprintln(w, `{"type": "sync", "status-code": 200, "result": {"refresh": {"timer": "0:00-24:00/4", "last": "2017-04-25T17:35:00+0200", "next": "2017-04-26T00:58:00+0200", "hold": "2017-04-28T00:00:00+0200"}}}`)
+			fmt.Fprintln(w, `{"type": "sync", "status-code": 200, "result": {"refresh": {"timer": "0:00-24:00/4", "last": "2017-04-25T17:35:00+02:00", "next": "2017-04-26T00:58:00+02:00", "hold": "2017-04-28T00:00:00+02:00"}}}`)
 		default:
 			c.Fatalf("expected to get 1 requests, now on %d", n+1)
 		}
 
 		n++
 	})
-	rest, err := snap.Parser().ParseArgs([]string{"refresh", "--time"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--time", "--abs-time"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Equals, `timer: 0:00-24:00/4
-last: 2017-04-25T17:35:00+0200
-hold: 2017-04-28T00:00:00+0200
-next: 2017-04-26T00:58:00+0200
+last: 2017-04-25T17:35:00+02:00
+hold: 2017-04-28T00:00:00+02:00
+next: 2017-04-26T00:58:00+02:00 (but held)
 `)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
@@ -626,16 +1031,10 @@
 		c.Check(r.URL.Path, check.Equals, "/v2/system-info")
 		fmt.Fprintln(w, `{"type": "sync", "status-code": 200, "result": {"refresh": {"last": "2017-04-25T17:35:00+0200", "next": "2017-04-26T00:58:00+0200"}}}`)
 	})
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--time"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--time"})
 	c.Assert(err, check.ErrorMatches, `internal error: both refresh.timer and refresh.schedule are empty`)
 }
 
-func (s *SnapSuite) TestRefreshListErr(c *check.C) {
-	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--list", "--beta"})
-	c.Check(err, check.ErrorMatches, "--list does not take .* flags")
-}
-
 func (s *SnapOpSuite) TestRefreshOne(c *check.C) {
 	s.RedirectClientToTestServer(s.srv.handle)
 	s.srv.checker = func(r *http.Request) {
@@ -645,9 +1044,9 @@
 			"action": "refresh",
 		})
 	}
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "foo"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "foo"})
 	c.Assert(err, check.IsNil)
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from 'bar' refreshed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo 1.0 from Bar refreshed`)
 
 }
 
@@ -662,9 +1061,9 @@
 		})
 		s.srv.channel = "beta"
 	}
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--beta", "foo"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--beta", "foo"})
 	c.Assert(err, check.IsNil)
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(beta\) 1.0 from 'bar' refreshed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(beta\) 1.0 from Bar refreshed`)
 }
 
 func (s *SnapOpSuite) TestRefreshOneClassic(c *check.C) {
@@ -677,7 +1076,7 @@
 			"classic": true,
 		})
 	}
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--classic", "one"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--classic", "one"})
 	c.Assert(err, check.IsNil)
 }
 
@@ -691,7 +1090,7 @@
 			"devmode": true,
 		})
 	}
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--devmode", "one"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--devmode", "one"})
 	c.Assert(err, check.IsNil)
 }
 
@@ -705,7 +1104,7 @@
 			"jailmode": true,
 		})
 	}
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--jailmode", "one"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--jailmode", "one"})
 	c.Assert(err, check.IsNil)
 }
 
@@ -719,43 +1118,63 @@
 			"ignore-validation": true,
 		})
 	}
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--ignore-validation", "one"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--ignore-validation", "one"})
 	c.Assert(err, check.IsNil)
 }
 
+func (s *SnapOpSuite) TestRefreshOneRebooting(c *check.C) {
+	s.RedirectClientToTestServer(s.srv.handle)
+	s.srv.checker = func(r *http.Request) {
+		c.Check(r.Method, check.Equals, "POST")
+		c.Check(r.URL.Path, check.Equals, "/v2/snaps/core")
+		c.Check(DecodedRequestBody(c, r), check.DeepEquals, map[string]interface{}{
+			"action": "refresh",
+		})
+	}
+	s.srv.rebooting = true
+
+	restore := mockArgs("snap", "refresh", "core")
+	defer restore()
+
+	err := snap.RunMain()
+	c.Check(err, check.IsNil)
+	c.Check(s.Stderr(), check.Equals, "snapd is about to reboot the system\n")
+
+}
+
 func (s *SnapOpSuite) TestRefreshOneModeErr(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--jailmode", "--devmode", "one"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--jailmode", "--devmode", "one"})
 	c.Assert(err, check.ErrorMatches, `cannot use devmode and jailmode flags together`)
 }
 
 func (s *SnapOpSuite) TestRefreshOneChanErr(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--beta", "--channel=foo", "one"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--beta", "--channel=foo", "one"})
 	c.Assert(err, check.ErrorMatches, `Please specify a single channel`)
 }
 
 func (s *SnapOpSuite) TestRefreshAllChannel(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--beta"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--beta"})
 	c.Assert(err, check.ErrorMatches, `a single snap name is needed to specify mode or channel flags`)
 }
 
 func (s *SnapOpSuite) TestRefreshManyChannel(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--beta", "one", "two"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--beta", "one", "two"})
 	c.Assert(err, check.ErrorMatches, `a single snap name is needed to specify mode or channel flags`)
 }
 
 func (s *SnapOpSuite) TestRefreshManyIgnoreValidation(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--ignore-validation", "one", "two"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--ignore-validation", "one", "two"})
 	c.Assert(err, check.ErrorMatches, `a single snap name must be specified when ignoring validation`)
 }
 
 func (s *SnapOpSuite) TestRefreshAllModeFlags(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--devmode"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--devmode"})
 	c.Assert(err, check.ErrorMatches, `a single snap name is needed to specify mode or channel flags`)
 }
 
@@ -769,7 +1188,7 @@
 			"amend":  true,
 		})
 	}
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--amend", "one"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--amend", "one"})
 	c.Assert(err, check.IsNil)
 }
 
@@ -820,7 +1239,7 @@
 		}
 	}
 
-	rest, err := snap.Parser().ParseArgs(cmd)
+	rest, err := snap.Parser(snap.Client()).ParseArgs(cmd)
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, fmt.Sprintf(`(?sm).*foo 1.0 mounted from .*%s`, tryDir))
@@ -861,19 +1280,77 @@
 	})
 
 	cmd := []string{"try", "/"}
-	_, err := snap.Parser().ParseArgs(cmd)
-	c.Assert(err, check.ErrorMatches, `"/" does not contain an unpacked snap.
+	_, err := snap.Parser(snap.Client()).ParseArgs(cmd)
+	c.Assert(err, testutil.EqualsWrapped, `
+"/" does not contain an unpacked snap.
+
+Try 'snapcraft prime' in your project directory, then 'snap try' again.`)
+}
+
+func (s *SnapOpSuite) TestTryMissingOpt(c *check.C) {
+	oldArgs := os.Args
+	defer func() {
+		os.Args = oldArgs
+	}()
+	os.Args = []string{"snap", "try", "./"}
+	var kind string
+
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Method, check.Equals, "POST", check.Commentf("%q", kind))
+		w.WriteHeader(400)
+		fmt.Fprintf(w, `
+{
+  "type": "error",
+  "result": {
+    "message":"error from server",
+    "value": "some-snap",
+    "kind": %q
+  },
+  "status-code": 400
+}`, kind)
+	})
+
+	type table struct {
+		kind, expected string
+	}
 
-Try "snapcraft prime" in your project directory, then "snap try" again.`)
+	tests := []table{
+		{"snap-needs-classic", "published using classic confinement"},
+		{"snap-needs-devmode", "only meant for development"},
+	}
+
+	for _, test := range tests {
+		kind = test.kind
+		c.Check(snap.RunMain(), testutil.ContainsWrapped, test.expected, check.Commentf("%q", kind))
+	}
+}
+
+func (s *SnapOpSuite) TestInstallConfinedAsClassic(c *check.C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Method, check.Equals, "POST")
+		w.WriteHeader(400)
+		fmt.Fprintf(w, `{
+  "type": "error",
+  "result": {
+    "message":"error from server",
+    "value": "some-snap",
+    "kind": "snap-not-classic"
+  },
+  "status-code": 400
+}`)
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--classic", "some-snap"})
+	c.Assert(err, check.ErrorMatches, `snap "some-snap" is not compatible with --classic`)
 }
 
 func (s *SnapSuite) TestInstallChannelDuplicationError(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"install", "--edge", "--beta", "some-snap"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--edge", "--beta", "some-snap"})
 	c.Assert(err, check.ErrorMatches, "Please specify a single channel")
 }
 
 func (s *SnapSuite) TestRefreshChannelDuplicationError(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"refresh", "--edge", "--beta", "some-snap"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"refresh", "--edge", "--beta", "some-snap"})
 	c.Assert(err, check.ErrorMatches, "Please specify a single channel")
 }
 
@@ -888,10 +1365,10 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"install", "--edge", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--edge", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
-	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(edge\) 1.0 from 'bar' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(edge\) 1.0 from Bar installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(s.srv.n, check.Equals, s.srv.total)
@@ -907,7 +1384,7 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"enable", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"enable", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, `(?sm).*foo enabled`)
@@ -926,7 +1403,7 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"disable", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"disable", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, `(?sm).*foo disabled`)
@@ -945,7 +1422,7 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"remove", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"remove", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, `(?sm).*foo removed`)
@@ -954,9 +1431,29 @@
 	c.Check(s.srv.n, check.Equals, s.srv.total)
 }
 
+func (s *SnapOpSuite) TestRemoveRevision(c *check.C) {
+	s.srv.total = 3
+	s.srv.checker = func(r *http.Request) {
+		c.Check(r.URL.Path, check.Equals, "/v2/snaps/foo")
+		c.Check(DecodedRequestBody(c, r), check.DeepEquals, map[string]interface{}{
+			"action":   "remove",
+			"revision": "17",
+		})
+	}
+
+	s.RedirectClientToTestServer(s.srv.handle)
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"remove", "--revision=17", "foo"})
+	c.Assert(err, check.IsNil)
+	c.Assert(rest, check.DeepEquals, []string{})
+	c.Check(s.Stdout(), check.Matches, `(?sm).*foo \(revision 17\) removed`)
+	c.Check(s.Stderr(), check.Equals, "")
+	// ensure that the fake server api was actually hit
+	c.Check(s.srv.n, check.Equals, s.srv.total)
+}
+
 func (s *SnapOpSuite) TestRemoveManyRevision(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"remove", "--revision=17", "one", "two"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"remove", "--revision=17", "one", "two"})
 	c.Assert(err, check.ErrorMatches, `a single snap name is needed to specify the revision`)
 }
 
@@ -990,7 +1487,7 @@
 		n++
 	})
 
-	rest, err := snap.Parser().ParseArgs([]string{"remove", "one", "two"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"remove", "one", "two"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, `(?sm).*one removed`)
@@ -1002,13 +1499,13 @@
 
 func (s *SnapOpSuite) TestInstallManyChannel(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"install", "--beta", "one", "two"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "--beta", "one", "two"})
 	c.Assert(err, check.ErrorMatches, `a single snap name is needed to specify mode or channel flags`)
 }
 
 func (s *SnapOpSuite) TestInstallManyMixFileAndStore(c *check.C) {
 	s.RedirectClientToTestServer(nil)
-	_, err := snap.Parser().ParseArgs([]string{"install", "store-snap", "./local.snap"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "store-snap", "./local.snap"})
 	c.Assert(err, check.ErrorMatches, `only one snap file can be installed at a time`)
 }
 
@@ -1038,7 +1535,7 @@
 		case 3:
 			c.Check(r.Method, check.Equals, "GET")
 			c.Check(r.URL.Path, check.Equals, "/v2/snaps")
-			fmt.Fprintf(w, `{"type": "sync", "result": [{"name": "one", "status": "active", "version": "1.0", "developer": "bar", "revision":42, "channel":"stable"},{"name": "two", "status": "active", "version": "2.0", "developer": "baz", "revision":42, "channel":"edge"}]}\n`)
+			fmt.Fprintf(w, `{"type": "sync", "result": [{"name": "one", "status": "active", "version": "1.0", "developer": "bar", "publisher": {"id": "bar-id", "username": "bar", "display-name": "Bar", "validation": "unproven"}, "revision":42, "channel":"stable"},{"name": "two", "status": "active", "version": "2.0", "developer": "baz", "publisher": {"id": "baz-id", "username": "baz", "display-name": "Baz", "validation": "unproven"}, "revision":42, "channel":"edge"}]}\n`)
 
 		default:
 			c.Fatalf("expected to get %d requests, now on %d", total, n+1)
@@ -1047,17 +1544,26 @@
 		n++
 	})
 
-	rest, err := snap.Parser().ParseArgs([]string{"install", "one", "two"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"install", "one", "two"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	// note that (stable) is omitted
-	c.Check(s.Stdout(), check.Matches, `(?sm).*one 1.0 from 'bar' installed`)
-	c.Check(s.Stdout(), check.Matches, `(?sm).*two \(edge\) 2.0 from 'baz' installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*one 1.0 from Bar installed`)
+	c.Check(s.Stdout(), check.Matches, `(?sm).*two \(edge\) 2.0 from Baz installed`)
 	c.Check(s.Stderr(), check.Equals, "")
 	// ensure that the fake server api was actually hit
 	c.Check(n, check.Equals, total)
 }
 
+func (s *SnapOpSuite) TestInstallZeroEmpty(c *check.C) {
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"install"})
+	c.Assert(err, check.ErrorMatches, "cannot install zero snaps")
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"install", ""})
+	c.Assert(err, check.ErrorMatches, "cannot install snap with empty name")
+	_, err = snap.Parser(snap.Client()).ParseArgs([]string{"install", "", "bar"})
+	c.Assert(err, check.ErrorMatches, "cannot install snap with empty name")
+}
+
 func (s *SnapOpSuite) TestNoWait(c *check.C) {
 	s.srv.checker = func(r *http.Request) {}
 
@@ -1069,14 +1575,26 @@
 		{"revert", "--no-wait", "foo"},
 		{"refresh", "--no-wait", "foo"},
 		{"refresh", "--no-wait", "foo", "bar"},
+		{"refresh", "--no-wait"},
 		{"enable", "--no-wait", "foo"},
 		{"disable", "--no-wait", "foo"},
 		{"try", "--no-wait", "."},
+		{"switch", "--no-wait", "--channel=foo", "bar"},
+		// commands that use waitMixin from elsewhere
+		{"start", "--no-wait", "foo"},
+		{"stop", "--no-wait", "foo"},
+		{"restart", "--no-wait", "foo"},
+		{"alias", "--no-wait", "foo", "bar"},
+		{"unalias", "--no-wait", "foo"},
+		{"prefer", "--no-wait", "foo"},
+		{"set", "--no-wait", "foo", "bar=baz"},
+		{"disconnect", "--no-wait", "foo:bar"},
+		{"connect", "--no-wait", "foo:bar"},
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
 	for _, cmd := range cmds {
-		rest, err := snap.Parser().ParseArgs(cmd)
+		rest, err := snap.Parser(snap.Client()).ParseArgs(cmd)
 		c.Assert(err, check.IsNil, check.Commentf("%v", cmd))
 		c.Assert(rest, check.DeepEquals, []string{})
 		c.Check(s.Stdout(), check.Matches, "(?sm)42\n")
@@ -1088,6 +1606,95 @@
 	}
 }
 
+func (s *SnapOpSuite) TestNoWaitImmediateError(c *check.C) {
+
+	cmds := [][]string{
+		{"remove", "--no-wait", "foo"},
+		{"remove", "--no-wait", "foo", "bar"},
+		{"install", "--no-wait", "foo"},
+		{"install", "--no-wait", "foo", "bar"},
+		{"revert", "--no-wait", "foo"},
+		{"refresh", "--no-wait", "foo"},
+		{"refresh", "--no-wait", "foo", "bar"},
+		{"refresh", "--no-wait"},
+		{"enable", "--no-wait", "foo"},
+		{"disable", "--no-wait", "foo"},
+		{"try", "--no-wait", "."},
+		{"switch", "--no-wait", "--channel=foo", "bar"},
+		// commands that use waitMixin from elsewhere
+		{"start", "--no-wait", "foo"},
+		{"stop", "--no-wait", "foo"},
+		{"restart", "--no-wait", "foo"},
+		{"alias", "--no-wait", "foo", "bar"},
+		{"unalias", "--no-wait", "foo"},
+		{"prefer", "--no-wait", "foo"},
+		{"set", "--no-wait", "foo", "bar=baz"},
+		{"disconnect", "--no-wait", "foo:bar"},
+		{"connect", "--no-wait", "foo:bar"},
+	}
+
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "failure"}}`)
+	})
+
+	for _, cmd := range cmds {
+		_, err := snap.Parser(snap.Client()).ParseArgs(cmd)
+		c.Assert(err, check.ErrorMatches, "failure", check.Commentf("%v", cmd))
+	}
+}
+
+func (s *SnapOpSuite) TestWaitServerError(c *check.C) {
+	r := snap.MockMaxGoneTime(0)
+	defer r()
+
+	cmds := [][]string{
+		{"remove", "foo"},
+		{"remove", "foo", "bar"},
+		{"install", "foo"},
+		{"install", "foo", "bar"},
+		{"revert", "foo"},
+		{"refresh", "foo"},
+		{"refresh", "foo", "bar"},
+		{"refresh"},
+		{"enable", "foo"},
+		{"disable", "foo"},
+		{"try", "."},
+		{"switch", "--channel=foo", "bar"},
+		// commands that use waitMixin from elsewhere
+		{"start", "foo"},
+		{"stop", "foo"},
+		{"restart", "foo"},
+		{"alias", "foo", "bar"},
+		{"unalias", "foo"},
+		{"prefer", "foo"},
+		{"set", "foo", "bar=baz"},
+		{"disconnect", "foo:bar"},
+		{"connect", "foo:bar"},
+	}
+
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		if n == 1 {
+			w.WriteHeader(202)
+			fmt.Fprintln(w, `{"type":"async", "change": "42", "status-code": 202}`)
+			return
+		}
+		if n == 3 {
+			fmt.Fprintln(w, `{"type": "error", "result": {"message": "unexpected request"}}`)
+			return
+		}
+		fmt.Fprintln(w, `{"type": "error", "result": {"message": "server error"}}`)
+	})
+
+	for _, cmd := range cmds {
+		_, err := snap.Parser(snap.Client()).ParseArgs(cmd)
+		c.Assert(err, check.ErrorMatches, "server error", check.Commentf("%v", cmd))
+		// reset
+		n = 0
+	}
+}
+
 func (s *SnapOpSuite) TestSwitchHappy(c *check.C) {
 	s.srv.total = 3
 	s.srv.checker = func(r *http.Request) {
@@ -1099,7 +1706,7 @@
 	}
 
 	s.RedirectClientToTestServer(s.srv.handle)
-	rest, err := snap.Parser().ParseArgs([]string{"switch", "--beta", "foo"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"switch", "--beta", "foo"})
 	c.Assert(err, check.IsNil)
 	c.Assert(rest, check.DeepEquals, []string{})
 	c.Check(s.Stdout(), check.Matches, `(?sm).*"foo" switched to the "beta" channel`)
@@ -1109,12 +1716,12 @@
 }
 
 func (s *SnapOpSuite) TestSwitchUnhappy(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"switch"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"switch"})
 	c.Assert(err, check.ErrorMatches, "the required argument `<snap>` was not provided")
 }
 
 func (s *SnapOpSuite) TestSwitchAlsoUnhappy(c *check.C) {
-	_, err := snap.Parser().ParseArgs([]string{"switch", "foo"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"switch", "foo"})
 	c.Assert(err, check.ErrorMatches, `missing --channel=<channel-name> parameter`)
 }
 
@@ -1136,6 +1743,6 @@
 	})
 
 	cmd := []string{"install", "hello"}
-	_, err := snap.Parser().ParseArgs(cmd)
+	_, err := snap.Parser(snap.Client()).ParseArgs(cmd)
 	c.Assert(err, check.ErrorMatches, `unable to contact snap store`)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_snapshot.go snapd-2.37~rc1~14.04/cmd/snap/cmd_snapshot.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_snapshot.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_snapshot.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,331 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/strutil"
+	"github.com/snapcore/snapd/strutil/quantity"
+)
+
+func fmtSize(size int64) string {
+	return quantity.FormatAmount(uint64(size), -1)
+}
+
+var (
+	shortSavedHelp   = i18n.G("List currently stored snapshots")
+	shortSaveHelp    = i18n.G("Save a snapshot of the current data")
+	shortForgetHelp  = i18n.G("Delete a snapshot")
+	shortCheckHelp   = i18n.G("Check a snapshot")
+	shortRestoreHelp = i18n.G("Restore a snapshot")
+)
+
+var longSavedHelp = i18n.G(`
+The saved command displays a list of snapshots that have been created
+previously with the 'save' command.
+`)
+var longSaveHelp = i18n.G(`
+The save command creates a snapshot of the current user, system and
+configuration data for the given snaps.
+
+By default, this command saves the data of all snaps for all users.
+Alternatively, you can specify the data of which snaps to save, or
+for which users, or a combination of these.
+
+If a snap is included in a save operation, excluding its system and
+configuration data from the snapshot is not currently possible. This
+restriction may be lifted in the future.
+`)
+var longForgetHelp = i18n.G(`
+The forget command deletes a snapshot. This operation can not be
+undone.
+
+A snapshot contains archives for the user, system and configuration
+data of each snap included in the snapshot.
+
+By default, this command forgets all the data in a snapshot.
+Alternatively, you can specify the data of which snaps to forget.
+`)
+var longCheckHelp = i18n.G(`
+The check-snapshot command verifies the user, system and configuration
+data of the snaps included in the specified snapshot.
+
+The check operation runs the same data integrity verification that is
+performed when a snapshot is restored.
+
+By default, this command checks all the data in a snapshot.
+Alternatively, you can specify the data of which snaps to check, or
+for which users, or a combination of these.
+
+If a snap is included in a check-snapshot operation, excluding its
+system and configuration data from the check is not currently
+possible. This restriction may be lifted in the future.
+`)
+var longRestoreHelp = i18n.G(`
+The restore command replaces the current user, system and
+configuration data of included snaps, with the corresponding data from
+the specified snapshot.
+
+By default, this command restores all the data in a snapshot.
+Alternatively, you can specify the data of which snaps to restore, or
+for which users, or a combination of these.
+
+If a snap is included in a restore operation, excluding its system and
+configuration data from the restore is not currently possible. This
+restriction may be lifted in the future.
+`)
+
+type savedCmd struct {
+	clientMixin
+	durationMixin
+	ID         snapshotID `long:"id"`
+	Positional struct {
+		Snaps []installedSnapName `positional-arg-name:"<snap>"`
+	} `positional-args:"yes"`
+}
+
+func (x *savedCmd) Execute([]string) error {
+	setID := uint64(x.ID)
+	snaps := installedSnapNames(x.Positional.Snaps)
+	list, err := x.client.SnapshotSets(setID, snaps)
+	if err != nil {
+		return err
+	}
+	if len(list) == 0 {
+		fmt.Fprintln(Stdout, i18n.G("No snapshots found."))
+		return nil
+	}
+	w := tabWriter()
+	defer w.Flush()
+
+	fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
+		// TRANSLATORS: 'Set' as in group or bag of things
+		i18n.G("Set"),
+		"Snap",
+		// TRANSLATORS: 'Age' as in how old something is
+		i18n.G("Age"),
+		i18n.G("Version"),
+		// TRANSLATORS: 'Rev' is an abbreviation of 'Revision'
+		i18n.G("Rev"),
+		i18n.G("Size"),
+		// TRANSLATORS: 'Notes' as in 'Comments'
+		i18n.G("Notes"))
+	for _, sg := range list {
+		for _, sh := range sg.Snapshots {
+			note := "-"
+			if sh.Broken != "" {
+				note = "broken: " + sh.Broken
+			}
+			size := quantity.FormatAmount(uint64(sh.Size), -1) + "B"
+			fmt.Fprintf(w, "%d\t%s\t%s\t%s\t%s\t%s\t%s\n", sg.ID, sh.Snap, x.fmtDuration(sh.Time), sh.Version, sh.Revision, size, note)
+		}
+	}
+	return nil
+}
+
+type saveCmd struct {
+	waitMixin
+	durationMixin
+	Users      string `long:"users"`
+	Positional struct {
+		Snaps []installedSnapName `positional-arg-name:"<snap>"`
+	} `positional-args:"yes"`
+}
+
+func (x *saveCmd) Execute([]string) error {
+	snaps := installedSnapNames(x.Positional.Snaps)
+	users := strutil.CommaSeparatedList(x.Users)
+	setID, changeID, err := x.client.SnapshotMany(snaps, users)
+	if err != nil {
+		return err
+	}
+	if _, err := x.wait(changeID); err != nil {
+		if err == noWait {
+			return nil
+		}
+		return err
+	}
+
+	y := &savedCmd{
+		clientMixin:   x.clientMixin,
+		durationMixin: x.durationMixin,
+		ID:            snapshotID(setID),
+	}
+	return y.Execute(nil)
+}
+
+type forgetCmd struct {
+	waitMixin
+	Positional struct {
+		ID    snapshotID          `positional-arg-name:"<id>"`
+		Snaps []installedSnapName `positional-arg-name:"<snap>"`
+	} `positional-args:"yes" required:"yes"`
+}
+
+func (x *forgetCmd) Execute([]string) error {
+	setID := uint64(x.Positional.ID)
+	snaps := installedSnapNames(x.Positional.Snaps)
+	changeID, err := x.client.ForgetSnapshots(setID, snaps)
+	if err != nil {
+		return err
+	}
+	_, err = x.wait(changeID)
+	if err == noWait {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	if len(snaps) > 0 {
+		// TRANSLATORS: the %s is a comma-separated list of quoted snap names
+		fmt.Fprintf(Stdout, i18n.NG("Snapshot #%d of snap %s forgotten.\n", "Snapshot #%d of snaps %s forgotten.\n", len(snaps)), x.Positional.ID, strutil.Quoted(snaps))
+	} else {
+		fmt.Fprintf(Stdout, i18n.G("Snapshot #%d forgotten.\n"), x.Positional.ID)
+	}
+	return nil
+}
+
+type checkSnapshotCmd struct {
+	waitMixin
+	Users      string `long:"users"`
+	Positional struct {
+		ID    snapshotID          `positional-arg-name:"<id>"`
+		Snaps []installedSnapName `positional-arg-name:"<snap>"`
+	} `positional-args:"yes" required:"yes"`
+}
+
+func (x *checkSnapshotCmd) Execute([]string) error {
+	setID := uint64(x.Positional.ID)
+	snaps := installedSnapNames(x.Positional.Snaps)
+	users := strutil.CommaSeparatedList(x.Users)
+	changeID, err := x.client.CheckSnapshots(setID, snaps, users)
+	if err != nil {
+		return err
+	}
+	_, err = x.wait(changeID)
+	if err == noWait {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	// TODO: also mention the home archives that were actually checked
+	if len(snaps) > 0 {
+		// TRANSLATORS: the %s is a comma-separated list of quoted snap names
+		fmt.Fprintf(Stdout, i18n.G("Snapshot #%d of snaps %s verified successfully.\n"),
+			x.Positional.ID, strutil.Quoted(snaps))
+	} else {
+		fmt.Fprintf(Stdout, i18n.G("Snapshot #%d verified successfully.\n"), x.Positional.ID)
+	}
+	return nil
+}
+
+type restoreCmd struct {
+	waitMixin
+	Users      string `long:"users"`
+	Positional struct {
+		ID    snapshotID          `positional-arg-name:"<id>"`
+		Snaps []installedSnapName `positional-arg-name:"<snap>"`
+	} `positional-args:"yes" required:"yes"`
+}
+
+func (x *restoreCmd) Execute([]string) error {
+	setID := uint64(x.Positional.ID)
+	snaps := installedSnapNames(x.Positional.Snaps)
+	users := strutil.CommaSeparatedList(x.Users)
+	changeID, err := x.client.RestoreSnapshots(setID, snaps, users)
+	if err != nil {
+		return err
+	}
+	_, err = x.wait(changeID)
+	if err == noWait {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	// TODO: also mention the home archives that were actually restored
+	if len(snaps) > 0 {
+		// TRANSLATORS: the %s is a comma-separated list of quoted snap names
+		fmt.Fprintf(Stdout, i18n.G("Restored snapshot #%d of snaps %s.\n"),
+			x.Positional.ID, strutil.Quoted(snaps))
+	} else {
+		fmt.Fprintf(Stdout, i18n.G("Restored snapshot #%d.\n"), x.Positional.ID)
+	}
+	return nil
+}
+
+func init() {
+	addCommand("saved",
+		shortSavedHelp,
+		longSavedHelp,
+		func() flags.Commander {
+			return &savedCmd{}
+		},
+		durationDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"id": i18n.G("Show only a specific snapshot."),
+		}),
+		nil)
+
+	addCommand("save",
+		shortSaveHelp,
+		longSaveHelp,
+		func() flags.Commander {
+			return &saveCmd{}
+		}, durationDescs.also(waitDescs).also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"users": i18n.G("Snapshot data of only specific users (comma-separated) (default: all users)"),
+		}), nil)
+
+	addCommand("restore",
+		shortRestoreHelp,
+		longRestoreHelp,
+		func() flags.Commander {
+			return &restoreCmd{}
+		}, waitDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"users": i18n.G("Restore data of only specific users (comma-separated) (default: all users)"),
+		}), nil)
+
+	addCommand("forget",
+		shortForgetHelp,
+		longForgetHelp,
+		func() flags.Commander {
+			return &forgetCmd{}
+		}, waitDescs, nil)
+
+	addCommand("check-snapshot",
+		shortCheckHelp,
+		longCheckHelp,
+		func() flags.Commander {
+			return &checkSnapshotCmd{}
+		}, waitDescs.also(map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"users": i18n.G("Check data of only specific users (comma-separated) (default: all users)"),
+		}), nil)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_unalias.go snapd-2.37~rc1~14.04/cmd/snap/cmd_unalias.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_unalias.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_unalias.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,21 +26,24 @@
 )
 
 type cmdUnalias struct {
+	waitMixin
 	Positionals struct {
 		AliasOrSnap aliasOrSnap `required:"yes"`
 	} `positional-args:"true"`
 }
 
-var shortUnaliasHelp = i18n.G("Unalias a manual alias or an entire snap")
+var shortUnaliasHelp = i18n.G("Remove a manual alias, or the aliases for an entire snap")
 var longUnaliasHelp = i18n.G(`
-The unalias command tears down a manual alias when given one or disables all aliases of a snap, removing also all manual ones, when given a snap name.
+The unalias command removes a single alias if the provided argument is a manual
+alias, or disables all aliases of a snap, including manual ones, if the
+argument is a snap name.
 `)
 
 func init() {
 	addCommand("unalias", shortUnaliasHelp, longUnaliasHelp, func() flags.Commander {
 		return &cmdUnalias{}
-	}, nil, []argDesc{
-		// TRANSLATORS: This needs to be wrapped in <>s.
+	}, waitDescs.also(nil), []argDesc{
+		// TRANSLATORS: This needs to begin with < and end with >
 		{name: i18n.G("<alias-or-snap>")},
 	})
 }
@@ -50,19 +53,17 @@
 		return ErrExtraArgs
 	}
 
-	cli := Client()
-	id, err := cli.Unalias(string(x.Positionals.AliasOrSnap))
+	id, err := x.client.Unalias(string(x.Positionals.AliasOrSnap))
 	if err != nil {
 		return err
 	}
-
-	chg, err := wait(cli, id)
+	chg, err := x.wait(id)
 	if err != nil {
-		return err
-	}
-	if err := showAliasChanges(chg); err != nil {
+		if err == noWait {
+			return nil
+		}
 		return err
 	}
 
-	return nil
+	return showAliasChanges(chg)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_unalias_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_unalias_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_unalias_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_unalias_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,20 +30,17 @@
 
 func (s *SnapSuite) TestUnaliasHelp(c *C) {
 	msg := `Usage:
-  snap.test [OPTIONS] unalias [<alias-or-snap>]
+  snap.test unalias [unalias-OPTIONS] [<alias-or-snap>]
 
-The unalias command tears down a manual alias when given one or disables all
-aliases of a snap, removing also all manual ones, when given a snap name.
+The unalias command removes a single alias if the provided argument is a manual
+alias, or disables all aliases of a snap, including manual ones, if the
+argument is a snap name.
 
-Application Options:
-      --version              Print the version and exit
-
-Help Options:
-  -h, --help                 Show this help message
+[unalias command options]
+      --no-wait            Do not wait for the operation to finish but just
+                           print the change id.
 `
-	rest, err := Parser().ParseArgs([]string{"unalias", "--help"})
-	c.Assert(err.Error(), Equals, msg)
-	c.Assert(rest, DeepEquals, []string{})
+	s.testSubCommandHelp(c, "unalias", msg)
 }
 
 func (s *SnapSuite) TestUnalias(c *C) {
@@ -64,7 +61,7 @@
 			c.Fatalf("unexpected path %q", r.URL.Path)
 		}
 	})
-	rest, err := Parser().ParseArgs([]string{"unalias", "alias1"})
+	rest, err := Parser(Client()).ParseArgs([]string{"unalias", "alias1"})
 	c.Assert(err, IsNil)
 	c.Assert(rest, DeepEquals, []string{})
 	c.Assert(s.Stdout(), Equals, ""+
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_userd.go snapd-2.37~rc1~14.04/cmd/snap/cmd_userd.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_userd.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_userd.go	2019-01-16 08:36:51.000000000 +0000
@@ -33,10 +33,14 @@
 
 type cmdUserd struct {
 	userd userd.Userd
+
+	Autostart bool `long:"autostart"`
 }
 
 var shortUserdHelp = i18n.G("Start the userd service")
-var longUserdHelp = i18n.G("The userd command starts the snap user session service.")
+var longUserdHelp = i18n.G(`
+The userd command starts the snap user session service.
+`)
 
 func init() {
 	cmd := addCommand("userd",
@@ -44,10 +48,10 @@
 		longUserdHelp,
 		func() flags.Commander {
 			return &cmdUserd{}
-		},
-		nil,
-		[]argDesc{},
-	)
+		}, map[string]string{
+			// TRANSLATORS: This should not start with a lowercase letter.
+			"autostart": i18n.G("Autostart user applications"),
+		}, nil)
 	cmd.hidden = true
 }
 
@@ -56,12 +60,16 @@
 		return ErrExtraArgs
 	}
 
+	if x.Autostart {
+		return x.runAutostart()
+	}
+
 	if err := x.userd.Init(); err != nil {
 		return err
 	}
 	x.userd.Start()
 
-	ch := make(chan os.Signal)
+	ch := make(chan os.Signal, 3)
 	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM, syscall.SIGUSR1)
 	select {
 	case sig := <-ch:
@@ -72,3 +80,10 @@
 
 	return x.userd.Stop()
 }
+
+func (x *cmdUserd) runAutostart() error {
+	if err := userd.AutostartSessionApps(); err != nil {
+		return fmt.Errorf("autostart failed for the following apps:\n%v", err)
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_userd_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_userd_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_userd_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_userd_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,6 +21,7 @@
 
 import (
 	"os"
+	"strings"
 	"syscall"
 	"time"
 
@@ -55,33 +56,47 @@
 }
 
 func (s *userdSuite) TestUserdBadCommandline(c *C) {
-	_, err := snap.Parser().ParseArgs([]string{"userd", "extra-arg"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"userd", "extra-arg"})
 	c.Assert(err, ErrorMatches, "too many arguments for command")
 }
 
-func (s *userdSuite) TestUserd(c *C) {
+func (s *userdSuite) TestUserdDBus(c *C) {
 	go func() {
+		myPid := os.Getpid()
 		defer func() {
-			me, err := os.FindProcess(os.Getpid())
+			me, err := os.FindProcess(myPid)
 			c.Assert(err, IsNil)
 			me.Signal(syscall.SIGUSR1)
 		}()
 
-		needle := "io.snapcraft.Launcher"
-		for i := 0; i < 10; i++ {
-			for _, objName := range s.SessionBus.Names() {
-				if objName == needle {
-					return
+		names := map[string]bool{
+			"io.snapcraft.Launcher": false,
+			"io.snapcraft.Settings": false,
+		}
+		for i := 0; i < 1000; i++ {
+			seenCount := 0
+			for name, seen := range names {
+				if seen {
+					seenCount++
+					continue
+				}
+				pid, err := testutil.DBusGetConnectionUnixProcessID(s.SessionBus, name)
+				c.Logf("name: %v pid: %v err: %v", name, pid, err)
+				if pid == myPid {
+					names[name] = true
+					seenCount++
 				}
-				time.Sleep(1 * time.Second)
 			}
-
+			if seenCount == len(names) {
+				return
+			}
+			time.Sleep(10 * time.Millisecond)
 		}
-		c.Fatalf("%s does not appeared on the bus", needle)
+		c.Fatalf("not all names have appeared on the bus: %v", names)
 	}()
 
-	rest, err := snap.Parser().ParseArgs([]string{"userd"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"userd"})
 	c.Assert(err, IsNil)
 	c.Check(rest, DeepEquals, []string{})
-	c.Check(s.Stdout(), Equals, "Exiting on user defined signal 1.\n")
+	c.Check(strings.ToLower(s.Stdout()), Equals, "exiting on user defined signal 1.\n")
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_version.go snapd-2.37~rc1~14.04/cmd/snap/cmd_version.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_version.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_version.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,20 +22,22 @@
 import (
 	"fmt"
 
+	"github.com/jessevdk/go-flags"
+
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/cmd"
 	"github.com/snapcore/snapd/i18n"
-
-	"github.com/jessevdk/go-flags"
 )
 
-var shortVersionHelp = i18n.G("Shows version details")
+var shortVersionHelp = i18n.G("Show version details")
 var longVersionHelp = i18n.G(`
 The version command displays the versions of the running client, server,
 and operating system.
 `)
 
-type cmdVersion struct{}
+type cmdVersion struct {
+	clientMixin
+}
 
 func init() {
 	addCommand("version", shortVersionHelp, longVersionHelp, func() flags.Commander { return &cmdVersion{} }, nil, nil)
@@ -46,27 +48,21 @@
 		return ErrExtraArgs
 	}
 
-	printVersions()
+	printVersions(cmd.client)
 	return nil
 }
 
-func printVersions() error {
-	sv, err := Client().ServerVersion()
-	if err != nil {
-		sv = &client.ServerVersion{
-			Version:     i18n.G("unavailable"),
-			Series:      "-",
-			OSID:        "-",
-			OSVersionID: "-",
-		}
-	}
-
+func printVersions(cli *client.Client) error {
+	sv := serverVersion(cli)
 	w := tabWriter()
 
 	fmt.Fprintf(w, "snap\t%s\n", cmd.Version)
 	fmt.Fprintf(w, "snapd\t%s\n", sv.Version)
 	fmt.Fprintf(w, "series\t%s\n", sv.Series)
 	if sv.OnClassic {
+		if sv.OSVersionID == "" {
+			sv.OSVersionID = "-"
+		}
 		fmt.Fprintf(w, "%s\t%s\n", sv.OSID, sv.OSVersionID)
 	}
 	if sv.KernelVersion != "" {
@@ -74,5 +70,5 @@
 	}
 	w.Flush()
 
-	return err
+	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_version_linux.go snapd-2.37~rc1~14.04/cmd/snap/cmd_version_linux.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_version_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_version_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,53 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
+)
+
+func serverVersion(cli *client.Client) *client.ServerVersion {
+	if release.OnWSL {
+		return &client.ServerVersion{
+			Version:       i18n.G("unavailable"),
+			Series:        release.Series,
+			OSID:          "Windows Subsystem for Linux",
+			OnClassic:     true,
+			KernelVersion: fmt.Sprintf("%s (%s)", osutil.KernelVersion(), runtime.GOARCH),
+		}
+	}
+	sv, err := cli.ServerVersion()
+
+	if err != nil {
+		sv = &client.ServerVersion{
+			Version:     i18n.G("unavailable"),
+			Series:      "-",
+			OSID:        "-",
+			OSVersionID: "-",
+		}
+	}
+	return sv
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_version_other.go snapd-2.37~rc1~14.04/cmd/snap/cmd_version_other.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_version_other.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_version_other.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,41 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+// +build !linux
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
+)
+
+func serverVersion(*client.Client) *client.ServerVersion {
+	return &client.ServerVersion{
+		Version:       i18n.G("unavailable"),
+		Series:        release.Series,
+		OSID:          runtime.GOOS,
+		OnClassic:     true,
+		KernelVersion: fmt.Sprintf("%s (%s)", osutil.KernelVersion(), runtime.GOARCH),
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_version_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_version_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_version_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_version_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -37,7 +37,7 @@
 	restore = mockVersion("4.56")
 	defer restore()
 
-	_, err := snap.Parser().ParseArgs([]string{"version"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"version"})
 	c.Assert(err, IsNil)
 	c.Assert(s.Stdout(), Equals, "snap    4.56\nsnapd   7.89\nseries  56\nubuntu  12.34\n")
 	c.Assert(s.Stderr(), Equals, "")
@@ -52,8 +52,23 @@
 	restore = mockVersion("4.56")
 	defer restore()
 
-	_, err := snap.Parser().ParseArgs([]string{"version"})
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"version"})
 	c.Assert(err, IsNil)
 	c.Assert(s.Stdout(), Equals, "snap    4.56\nsnapd   7.89\nseries  56\n")
 	c.Assert(s.Stderr(), Equals, "")
 }
+
+func (s *SnapSuite) TestVersionCommandOnClassicNoOsVersion(c *C) {
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, `{"type":"sync","status-code":200,"status":"OK","result":{"on-classic": true,"os-release":{"id":"arch","version-id":""},"series":"56","version":"7.89"}}`)
+	})
+	restore := mockArgs("snap", "version")
+	defer restore()
+	restore = mockVersion("4.56")
+	defer restore()
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"version"})
+	c.Assert(err, IsNil)
+	c.Assert(s.Stdout(), Equals, "snap    4.56\nsnapd   7.89\nseries  56\narch    -\n")
+	c.Assert(s.Stderr(), Equals, "")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_wait.go snapd-2.37~rc1~14.04/cmd/snap/cmd_wait.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_wait.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_wait.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,155 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"math/rand"
+	"reflect"
+	"time"
+
+	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/i18n"
+)
+
+type cmdWait struct {
+	clientMixin
+	Positional struct {
+		Snap installedSnapName `required:"yes"`
+		Key  string
+	} `positional-args:"yes"`
+}
+
+func init() {
+	addCommand("wait",
+		"Wait for configuration",
+		"The wait command waits until a configration becomes true.",
+		func() flags.Commander {
+			return &cmdWait{}
+		}, nil, []argDesc{
+			{
+				name: "<snap>",
+				// TRANSLATORS: This should not start with a lowercase letter.
+				desc: i18n.G("The snap for which configuration will be checked"),
+			}, {
+				// TRANSLATORS: This needs to begin with < and end with >
+				name: i18n.G("<key>"),
+				// TRANSLATORS: This should not start with a lowercase letter.
+				desc: i18n.G("Key of interest within the configuration"),
+			},
+		})
+}
+
+var waitConfTimeout = 500 * time.Millisecond
+
+func isNoOption(err error) bool {
+	if e, ok := err.(*client.Error); ok && e.Kind == client.ErrorKindConfigNoSuchOption {
+		return true
+	}
+	return false
+}
+
+// trueishJSON takes an interface{} and returns true if the interface value
+// looks "true". For strings thats if len(string) > 0 for numbers that
+// they are != 0 and for maps/slices/arrays that they have elements.
+//
+// Note that *only* types that the json package decode with the
+// "UseNumber()" options turned on are handled here. If this ever
+// needs to becomes a generic "trueish" helper we need to resurrect
+// the code in 306ba60edfba8d6501060c6f773235d8c994a319 (and add nil
+// to it).
+func trueishJSON(vi interface{}) (bool, error) {
+	switch v := vi.(type) {
+	// limited to the types that json unmarhal can produce
+	case nil:
+		return false, nil
+	case bool:
+		return v, nil
+	case json.Number:
+		if i, err := v.Int64(); err == nil {
+			return i != 0, nil
+		}
+		if f, err := v.Float64(); err == nil {
+			return f != 0.0, nil
+		}
+	case string:
+		return v != "", nil
+	}
+	// arrays/slices/maps
+	typ := reflect.TypeOf(vi)
+	switch typ.Kind() {
+	case reflect.Array, reflect.Slice, reflect.Map:
+		s := reflect.ValueOf(vi)
+		switch s.Kind() {
+		case reflect.Array, reflect.Slice, reflect.Map:
+			return s.Len() > 0, nil
+		}
+	}
+
+	return false, fmt.Errorf("cannot test type %T for truth", vi)
+}
+
+func (x *cmdWait) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+
+	snapName := string(x.Positional.Snap)
+	confKey := x.Positional.Key
+
+	// This is fine because not providing a confKey is unsupported so this
+	// won't interfere with supported uses of `snap wait`.
+	if snapName == "godot" && confKey == "" {
+		switch rand.Intn(10) {
+		case 0:
+			fmt.Fprintln(Stdout, `The tears of the world are a constant quantity.
+For each one who begins to weep somewhere else another stops.
+The same is true of the laugh.`)
+		case 1:
+			fmt.Fprintln(Stdout, "Nothing happens. Nobody comes, nobody goes. It's awful.")
+		default:
+			fmt.Fprintln(Stdout, `"Let's go." "We can't." "Why not?" "We're waiting for Godot."`)
+		}
+		return nil
+	}
+	if confKey == "" {
+		return fmt.Errorf("the required argument `<key>` was not provided")
+	}
+
+	for {
+		conf, err := x.client.Conf(snapName, []string{confKey})
+		if err != nil && !isNoOption(err) {
+			return err
+		}
+		res, err := trueishJSON(conf[confKey])
+		if err != nil {
+			return err
+		}
+		if res {
+			break
+		}
+		time.Sleep(waitConfTimeout)
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_wait_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_wait_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_wait_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_wait_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,174 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	. "gopkg.in/check.v1"
+
+	snap "github.com/snapcore/snapd/cmd/snap"
+)
+
+func (s *SnapSuite) TestCmdWaitHappy(c *C) {
+	restore := snap.MockWaitConfTimeout(10 * time.Millisecond)
+	defer restore()
+
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Method, Equals, "GET")
+		c.Check(r.URL.Path, Equals, "/v2/snaps/system/conf")
+
+		fmt.Fprintln(w, fmt.Sprintf(`{"type":"sync", "status-code": 200, "result": {"seed.loaded":%v}}`, n > 1))
+		n++
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"wait", "system", "seed.loaded"})
+	c.Assert(err, IsNil)
+
+	// ensure we retried a bit but make the check not overly precise
+	// because this will run in super busy build hosts that where a
+	// 10 millisecond sleep actually takes much longer until the kernel
+	// hands control back to the process
+	c.Check(n > 2, Equals, true)
+}
+
+func (s *SnapSuite) TestCmdWaitMissingConfKey(c *C) {
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+	})
+
+	_, err := snap.Parser(snap.Client()).ParseArgs([]string{"wait", "snapName"})
+	c.Assert(err, ErrorMatches, "the required argument `<key>` was not provided")
+
+	c.Check(n, Equals, 0)
+}
+
+func (s *SnapSuite) TestTrueishJSON(c *C) {
+	tests := []struct {
+		v      interface{}
+		b      bool
+		errStr string
+	}{
+		// nil
+		{nil, false, ""},
+		// bool
+		{true, true, ""},
+		{false, false, ""},
+		// string
+		{"a", true, ""},
+		{"", false, ""},
+		// json.Number
+		{json.Number("1"), true, ""},
+		{json.Number("-1"), true, ""},
+		{json.Number("0"), false, ""},
+		{json.Number("1.0"), true, ""},
+		{json.Number("-1.0"), true, ""},
+		{json.Number("0.0"), false, ""},
+		// slices
+		{[]interface{}{"a"}, true, ""},
+		{[]interface{}{}, false, ""},
+		{[]string{"a"}, true, ""},
+		{[]string{}, false, ""},
+		// arrays
+		{[2]interface{}{"a", "b"}, true, ""},
+		{[0]interface{}{}, false, ""},
+		{[2]string{"a", "b"}, true, ""},
+		{[0]string{}, false, ""},
+		// maps
+		{map[string]interface{}{"a": "a"}, true, ""},
+		{map[string]interface{}{}, false, ""},
+		{map[interface{}]interface{}{"a": "a"}, true, ""},
+		{map[interface{}]interface{}{}, false, ""},
+		// invalid
+		{int(1), false, "cannot test type int for truth"},
+	}
+	for _, t := range tests {
+		res, err := snap.TrueishJSON(t.v)
+		if t.errStr == "" {
+			c.Check(err, IsNil)
+		} else {
+			c.Check(err, ErrorMatches, t.errStr)
+		}
+		c.Check(res, Equals, t.b, Commentf("unexpected result for %v (%T), did not get expected %v", t.v, t.v, t.b))
+	}
+}
+
+func (s *SnapSuite) TestCmdWaitIntegration(c *C) {
+	restore := snap.MockWaitConfTimeout(2 * time.Millisecond)
+	defer restore()
+
+	var tests = []struct {
+		v        string
+		willWait bool
+	}{
+		// not-waiting
+		{"1.0", false},
+		{"-1.0", false},
+		{"0.1", false},
+		{"-0.1", false},
+		{"1", false},
+		{"-1", false},
+		{`"a"`, false},
+		{`["a"]`, false},
+		{`{"a":"b"}`, false},
+		// waiting
+		{"0", true},
+		{"0.0", true},
+		{"{}", true},
+		{"[]", true},
+		{`""`, true},
+		{"null", true},
+	}
+
+	testValueCh := make(chan string, 2)
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		testValue := <-testValueCh
+		c.Check(r.Method, Equals, "GET")
+		c.Check(r.URL.Path, Equals, "/v2/snaps/system/conf")
+
+		fmt.Fprintln(w, fmt.Sprintf(`{"type":"sync", "status-code": 200, "result": {"test.value":%v}}`, testValue))
+		n++
+	})
+
+	for _, t := range tests {
+		n = 0
+		testValueCh <- t.v
+		if t.willWait {
+			// a "trueish" value to ensure wait does not wait forever
+			testValueCh <- "42"
+		}
+
+		_, err := snap.Parser(snap.Client()).ParseArgs([]string{"wait", "system", "test.value"})
+		c.Assert(err, IsNil)
+		if t.willWait {
+			// we waited once, then got a non-wait value
+			c.Check(n, Equals, 2)
+		} else {
+			// no waiting happened
+			c.Check(n, Equals, 1)
+		}
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_warnings.go snapd-2.37~rc1~14.04/cmd/snap/cmd_warnings.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_warnings.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_warnings.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,224 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/strutil/quantity"
+)
+
+type cmdWarnings struct {
+	clientMixin
+	timeMixin
+	All     bool `long:"all"`
+	Verbose bool `long:"verbose"`
+}
+
+type cmdOkay struct{ clientMixin }
+
+var shortWarningsHelp = i18n.G("List warnings")
+var longWarningsHelp = i18n.G(`
+The warnings command lists the warnings that have been reported to the system.
+
+Once warnings have been listed with 'snap warnings', 'snap okay' may be used to
+silence them. A warning that's been silenced in this way will not be listed
+again unless it happens again, _and_ a cooldown time has passed.
+
+Warnings expire automatically, and once expired they are forgotten.
+`)
+
+var shortOkayHelp = i18n.G("Acknowledge warnings")
+var longOkayHelp = i18n.G(`
+The okay command acknowledges the warnings listed with 'snap warnings'.
+
+Once acknowledged a warning won't appear again unless it re-occurrs and
+sufficient time has passed.
+`)
+
+func init() {
+	addCommand("warnings", shortWarningsHelp, longWarningsHelp, func() flags.Commander { return &cmdWarnings{} }, timeDescs.also(map[string]string{
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"all": i18n.G("Show all warnings"),
+		// TRANSLATORS: This should not start with a lowercase letter.
+		"verbose": i18n.G("Show more information"),
+	}), nil)
+	addCommand("okay", shortOkayHelp, longOkayHelp, func() flags.Commander { return &cmdOkay{} }, nil, nil)
+}
+
+func (cmd *cmdWarnings) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+	now := time.Now()
+
+	warnings, err := cmd.client.Warnings(client.WarningsOptions{All: cmd.All})
+	if err != nil {
+		return err
+	}
+	if len(warnings) == 0 {
+		if t, _ := lastWarningTimestamp(); t.IsZero() {
+			fmt.Fprintln(Stdout, i18n.G("No warnings."))
+		} else {
+			fmt.Fprintln(Stdout, i18n.G("No further warnings."))
+		}
+		return nil
+	}
+
+	if err := writeWarningTimestamp(now); err != nil {
+		return err
+	}
+
+	w := tabWriter()
+	if cmd.Verbose {
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
+			i18n.G("First occurrence"),
+			i18n.G("Last occurrence"),
+			i18n.G("Expires after"),
+			i18n.G("Acknowledged"),
+			i18n.G("Repeats after"),
+			i18n.G("Warning"))
+		for _, warning := range warnings {
+			lastShown := "-"
+			if !warning.LastShown.IsZero() {
+				lastShown = cmd.fmtTime(warning.LastShown)
+			}
+			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
+				cmd.fmtTime(warning.FirstAdded),
+				cmd.fmtTime(warning.LastAdded),
+				quantity.FormatDuration(warning.ExpireAfter.Seconds()),
+				lastShown,
+				quantity.FormatDuration(warning.RepeatAfter.Seconds()),
+				warning.Message)
+		}
+	} else {
+		fmt.Fprintf(w, "%s\t%s\n", i18n.G("Last occurrence"), i18n.G("Warning"))
+		for _, warning := range warnings {
+			fmt.Fprintf(w, "%s\t%s\n", cmd.fmtTime(warning.LastAdded), warning.Message)
+		}
+	}
+	w.Flush()
+
+	return nil
+}
+
+func (cmd *cmdOkay) Execute(args []string) error {
+	if len(args) > 0 {
+		return ErrExtraArgs
+	}
+
+	last, err := lastWarningTimestamp()
+	if err != nil {
+		return fmt.Errorf("no client-side warning timestamp found: %v", err)
+	}
+
+	return cmd.client.Okay(last)
+}
+
+const warnFileEnvKey = "SNAPD_LAST_WARNING_TIMESTAMP_FILENAME"
+
+func warnFilename(homedir string) string {
+	if fn := os.Getenv(warnFileEnvKey); fn != "" {
+		return fn
+	}
+
+	return filepath.Join(dirs.GlobalRootDir, homedir, ".snap", "warnings.json")
+}
+
+type clientWarningData struct {
+	Timestamp time.Time `json:"timestamp"`
+}
+
+func writeWarningTimestamp(t time.Time) error {
+	user, err := osutil.RealUser()
+	if err != nil {
+		return err
+	}
+	uid, gid, err := osutil.UidGid(user)
+	if err != nil {
+		return err
+	}
+
+	filename := warnFilename(user.HomeDir)
+	if err := osutil.MkdirAllChown(filepath.Dir(filename), 0700, uid, gid); err != nil {
+		return err
+	}
+
+	aw, err := osutil.NewAtomicFile(filename, 0600, 0, uid, gid)
+	if err != nil {
+		return err
+	}
+	// Cancel once Committed is a NOP :-)
+	defer aw.Cancel()
+
+	enc := json.NewEncoder(aw)
+	if err := enc.Encode(clientWarningData{Timestamp: t}); err != nil {
+		return err
+	}
+
+	return aw.Commit()
+}
+
+func lastWarningTimestamp() (time.Time, error) {
+	user, err := osutil.RealUser()
+	if err != nil {
+		return time.Time{}, fmt.Errorf("cannot determine real user: %v", err)
+	}
+	f, err := os.Open(warnFilename(user.HomeDir))
+	if err != nil {
+		return time.Time{}, fmt.Errorf("cannot open timestamp file: %v", err)
+
+	}
+	dec := json.NewDecoder(f)
+	var d clientWarningData
+	if err := dec.Decode(&d); err != nil {
+		return time.Time{}, fmt.Errorf("cannot decode timestamp file: %v", err)
+	}
+	if dec.More() {
+		return time.Time{}, fmt.Errorf("spurious extra data in timestamp file")
+	}
+	return d.Timestamp, nil
+}
+
+func maybePresentWarnings(count int, timestamp time.Time) {
+	if count == 0 {
+		return
+	}
+
+	if last, _ := lastWarningTimestamp(); !timestamp.After(last) {
+		return
+	}
+
+	fmt.Fprintf(Stderr,
+		i18n.NG("WARNING: There is %d new warning. See 'snap warnings'.\n",
+			"WARNING: There are %d new warnings. See 'snap warnings'.\n",
+			count),
+		count)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_warnings_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_warnings_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_warnings_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_warnings_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,206 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"gopkg.in/check.v1"
+
+	snap "github.com/snapcore/snapd/cmd/snap"
+)
+
+type warningSuite struct {
+	BaseSnapSuite
+}
+
+var _ = check.Suite(&warningSuite{})
+
+const twoWarnings = `{
+			"result": [
+			    {
+				"expire-after": "672h0m0s",
+				"first-added": "2018-09-19T12:41:18.505007495Z",
+				"last-added": "2018-09-19T12:41:18.505007495Z",
+				"message": "hello world number one",
+				"repeat-after": "24h0m0s"
+			    },
+			    {
+				"expire-after": "672h0m0s",
+				"first-added": "2018-09-19T12:44:19.680362867Z",
+				"last-added": "2018-09-19T12:44:19.680362867Z",
+				"message": "hello world number two",
+				"repeat-after": "24h0m0s"
+			    }
+			],
+			"status": "OK",
+			"status-code": 200,
+			"type": "sync"
+		}`
+
+func mkWarningsFakeHandler(c *check.C, body string) func(w http.ResponseWriter, r *http.Request) {
+	var called bool
+	return func(w http.ResponseWriter, r *http.Request) {
+		if called {
+			c.Fatalf("expected a single request")
+		}
+		called = true
+		c.Check(r.URL.Path, check.Equals, "/v2/warnings")
+		c.Check(r.URL.Query(), check.HasLen, 0)
+
+		buf, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, check.IsNil)
+		c.Check(string(buf), check.Equals, "")
+		c.Check(r.Method, check.Equals, "GET")
+		w.WriteHeader(200)
+		fmt.Fprintln(w, body)
+	}
+}
+
+func (s *warningSuite) TestNoWarningsEver(c *check.C) {
+	s.RedirectClientToTestServer(mkWarningsFakeHandler(c, `{"type": "sync", "status-code": 200, "result": []}`))
+
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"warnings", "--abs-time"})
+	c.Assert(err, check.IsNil)
+	c.Check(rest, check.HasLen, 0)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(s.Stdout(), check.Equals, "No warnings.\n")
+}
+
+func (s *warningSuite) TestNoFurtherWarnings(c *check.C) {
+	snap.WriteWarningTimestamp(time.Now())
+
+	s.RedirectClientToTestServer(mkWarningsFakeHandler(c, `{"type": "sync", "status-code": 200, "result": []}`))
+
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"warnings", "--abs-time"})
+	c.Assert(err, check.IsNil)
+	c.Check(rest, check.HasLen, 0)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(s.Stdout(), check.Equals, "No further warnings.\n")
+}
+
+func (s *warningSuite) TestWarnings(c *check.C) {
+	s.RedirectClientToTestServer(mkWarningsFakeHandler(c, twoWarnings))
+
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"warnings", "--abs-time"})
+	c.Assert(err, check.IsNil)
+	c.Check(rest, check.HasLen, 0)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(s.Stdout(), check.Equals, `
+Last occurrence       Warning
+2018-09-19T12:41:18Z  hello world number one
+2018-09-19T12:44:19Z  hello world number two
+`[1:])
+}
+
+func (s *warningSuite) TestVerboseWarnings(c *check.C) {
+	s.RedirectClientToTestServer(mkWarningsFakeHandler(c, twoWarnings))
+
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"warnings", "--abs-time", "--verbose"})
+	c.Assert(err, check.IsNil)
+	c.Check(rest, check.HasLen, 0)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(s.Stdout(), check.Equals, `
+First occurrence      Last occurrence       Expires after  Acknowledged  Repeats after  Warning
+2018-09-19T12:41:18Z  2018-09-19T12:41:18Z  28d0h          -             1d00h          hello world number one
+2018-09-19T12:44:19Z  2018-09-19T12:44:19Z  28d0h          -             1d00h          hello world number two
+`[1:])
+}
+
+func (s *warningSuite) TestOkay(c *check.C) {
+	t0 := time.Now()
+	snap.WriteWarningTimestamp(t0)
+
+	var n int
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		if n != 1 {
+			c.Fatalf("expected 1 request, now on %d", n)
+		}
+		c.Check(r.URL.Path, check.Equals, "/v2/warnings")
+		c.Check(r.URL.Query(), check.HasLen, 0)
+		c.Assert(DecodedRequestBody(c, r), check.DeepEquals, map[string]interface{}{"action": "okay", "timestamp": t0.Format(time.RFC3339Nano)})
+		c.Check(r.Method, check.Equals, "POST")
+		w.WriteHeader(200)
+		fmt.Fprintln(w, `{
+			"status": "OK",
+			"status-code": 200,
+			"type": "sync"
+		}`)
+	})
+
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"okay"})
+	c.Assert(err, check.IsNil)
+	c.Check(rest, check.HasLen, 0)
+	c.Check(s.Stderr(), check.Equals, "")
+	c.Check(s.Stdout(), check.Equals, "")
+}
+
+func (s *warningSuite) TestListWithWarnings(c *check.C) {
+	var called bool
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		if called {
+			c.Fatalf("expected a single request")
+		}
+		called = true
+		c.Check(r.URL.Path, check.Equals, "/v2/snaps")
+		c.Check(r.URL.Query(), check.HasLen, 0)
+
+		buf, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, check.IsNil)
+		c.Check(string(buf), check.Equals, "")
+		c.Check(r.Method, check.Equals, "GET")
+		w.WriteHeader(200)
+		fmt.Fprintln(w, `{
+				"result": [{}],
+				"status": "OK",
+				"status-code": 200,
+				"type": "sync",
+				"warning-count": 2,
+				"warning-timestamp": "2018-09-19T12:44:19.680362867Z"
+			}`)
+	})
+	cli := snap.Client()
+	rest, err := snap.Parser(cli).ParseArgs([]string{"list"})
+	c.Assert(err, check.IsNil)
+
+	{
+		// TODO: I hope to get to refactor run() so we can
+		// call it from tests and not have to do this (whole
+		// block) by hand
+
+		count, stamp := cli.WarningsSummary()
+		c.Check(count, check.Equals, 2)
+		c.Check(stamp, check.Equals, time.Date(2018, 9, 19, 12, 44, 19, 680362867, time.UTC))
+
+		snap.MaybePresentWarnings(count, stamp)
+	}
+
+	c.Check(rest, check.HasLen, 0)
+	c.Check(s.Stdout(), check.Equals, `
+Name  Version  Rev    Tracking  Publisher  Notes
+               unset  -         -          disabled
+`[1:])
+	c.Check(s.Stderr(), check.Equals, "WARNING: There are 2 new warnings. See 'snap warnings'.\n")
+
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_watch.go snapd-2.37~rc1~14.04/cmd/snap/cmd_watch.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_watch.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_watch.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,12 +43,19 @@
 	if len(args) > 0 {
 		return ErrExtraArgs
 	}
-	cli := Client()
-	id, err := x.GetChangeID(cli)
+	id, err := x.GetChangeID()
 	if err != nil {
+		if err == noChangeFoundOK {
+			return nil
+		}
 		return err
 	}
-	_, err = wait(cli, id)
+
+	// this is the only valid use of wait without a waitMixin (ie
+	// without --no-wait), so we fake it here.
+	wmx := &waitMixin{skipAbort: true}
+	wmx.client = x.client
+	_, err = wmx.wait(id)
 
 	return err
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_watch_test.go snapd-2.37~rc1~14.04/cmd/snap/cmd_watch_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_watch_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_watch_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,7 +32,7 @@
 )
 
 var fmtWatchChangeJSON = `{"type": "sync", "result": {
-  "id":   "42",
+  "id":   "two",
   "kind": "some-kind",
   "summary": "some summary...",
   "status": "Doing",
@@ -43,31 +43,112 @@
 func (s *SnapSuite) TestCmdWatch(c *C) {
 	meter := &progresstest.Meter{}
 	defer progress.MockMeter(meter)()
-	restore := snap.MockMaxGoneTime(time.Millisecond)
-	defer restore()
+	defer snap.MockMaxGoneTime(time.Millisecond)()
+	defer snap.MockPollTime(time.Millisecond)()
 
 	n := 0
 	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
 		switch n {
-		case 0:
+		case 1:
 			c.Check(r.Method, Equals, "GET")
-			c.Check(r.URL.Path, Equals, "/v2/changes/42")
+			c.Check(r.URL.Path, Equals, "/v2/changes/two")
 			fmt.Fprintf(w, fmtWatchChangeJSON, 0, 100*1024)
-		case 1:
+		case 2:
 			c.Check(r.Method, Equals, "GET")
-			c.Check(r.URL.Path, Equals, "/v2/changes/42")
+			c.Check(r.URL.Path, Equals, "/v2/changes/two")
 			fmt.Fprintf(w, fmtWatchChangeJSON, 50*1024, 100*1024)
-		case 2:
+		case 3:
 			c.Check(r.Method, Equals, "GET")
-			c.Check(r.URL.Path, Equals, "/v2/changes/42")
-			fmt.Fprintln(w, `{"type": "sync", "result": {"id": "42", "ready": true, "status": "Done"}}`)
+			c.Check(r.URL.Path, Equals, "/v2/changes/two")
+			fmt.Fprintln(w, `{"type": "sync", "result": {"id": "two", "ready": true, "status": "Done"}}`)
+		default:
+			c.Errorf("expected 3 queries, currently on %d", n)
 		}
-		n++
 	})
 
-	_, err := snap.Parser().ParseArgs([]string{"watch", "42"})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"watch", "two"})
 	c.Assert(err, IsNil)
+	c.Assert(rest, HasLen, 0)
 	c.Check(n, Equals, 3)
+	c.Check(meter.Values, DeepEquals, []float64{51200})
+	c.Check(s.Stdout(), Equals, "")
+	c.Check(s.Stderr(), Equals, "")
+}
+
+func (s *SnapSuite) TestWatchLast(c *C) {
+	meter := &progresstest.Meter{}
+	defer progress.MockMeter(meter)()
+	defer snap.MockMaxGoneTime(time.Millisecond)()
+	defer snap.MockPollTime(time.Millisecond)()
 
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		switch n {
+		case 1:
+			c.Check(r.Method, Equals, "GET")
+			c.Check(r.URL.Path, Equals, "/v2/changes")
+			fmt.Fprintln(w, mockChangesJSON)
+		case 2:
+			c.Check(r.Method, Equals, "GET")
+			c.Check(r.URL.Path, Equals, "/v2/changes/two")
+			fmt.Fprintf(w, fmtWatchChangeJSON, 0, 100*1024)
+		case 3:
+			c.Check(r.Method, Equals, "GET")
+			c.Check(r.URL.Path, Equals, "/v2/changes/two")
+			fmt.Fprintf(w, fmtWatchChangeJSON, 50*1024, 100*1024)
+		case 4:
+			c.Check(r.Method, Equals, "GET")
+			c.Check(r.URL.Path, Equals, "/v2/changes/two")
+			fmt.Fprintln(w, `{"type": "sync", "result": {"id": "two", "ready": true, "status": "Done"}}`)
+		default:
+			c.Errorf("expected 4 queries, currently on %d", n)
+		}
+	})
+	rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"watch", "--last=install"})
+	c.Assert(err, IsNil)
+	c.Assert(rest, HasLen, 0)
+	c.Check(n, Equals, 4)
 	c.Check(meter.Values, DeepEquals, []float64{51200})
+	c.Check(s.Stdout(), Equals, "")
+	c.Check(s.Stderr(), Equals, "")
+}
+
+func (s *SnapSuite) TestWatchLastQuestionmark(c *C) {
+	meter := &progresstest.Meter{}
+	defer progress.MockMeter(meter)()
+	restore := snap.MockMaxGoneTime(time.Millisecond)
+	defer restore()
+
+	n := 0
+	s.RedirectClientToTestServer(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		c.Check(r.Method, Equals, "GET")
+		c.Assert(r.URL.Path, Equals, "/v2/changes")
+		switch n {
+		case 1, 2:
+			fmt.Fprintln(w, `{"type": "sync", "result": []}`)
+		case 3, 4:
+			fmt.Fprintln(w, mockChangesJSON)
+		default:
+			c.Errorf("expected 4 calls, now on %d", n)
+		}
+	})
+	for i := 0; i < 2; i++ {
+		rest, err := snap.Parser(snap.Client()).ParseArgs([]string{"watch", "--last=foobar?"})
+		c.Assert(err, IsNil)
+		c.Assert(rest, DeepEquals, []string{})
+		c.Check(s.Stdout(), Matches, "")
+		c.Check(s.Stderr(), Equals, "")
+
+		_, err = snap.Parser(snap.Client()).ParseArgs([]string{"watch", "--last=foobar"})
+		if i == 0 {
+			c.Assert(err, ErrorMatches, `no changes found`)
+		} else {
+			c.Assert(err, ErrorMatches, `no changes of type "foobar" found`)
+		}
+	}
+
+	c.Check(n, Equals, 4)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/cmd_whoami.go snapd-2.37~rc1~14.04/cmd/snap/cmd_whoami.go
--- snapd-2.32.3.2~14.04/cmd/snap/cmd_whoami.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/cmd_whoami.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,12 +27,14 @@
 	"github.com/jessevdk/go-flags"
 )
 
-var shortWhoAmIHelp = i18n.G("Prints the email the user is logged in with")
+var shortWhoAmIHelp = i18n.G("Show the email the user is logged in with")
 var longWhoAmIHelp = i18n.G(`
-The whoami command prints the email the user is logged in with.
+The whoami command shows the email the user is logged in with.
 `)
 
-type cmdWhoAmI struct{}
+type cmdWhoAmI struct {
+	clientMixin
+}
 
 func init() {
 	addCommand("whoami", shortWhoAmIHelp, longWhoAmIHelp, func() flags.Commander { return &cmdWhoAmI{} }, nil, nil)
@@ -43,7 +45,7 @@
 		return ErrExtraArgs
 	}
 
-	email, err := Client().WhoAmI()
+	email, err := cmd.client.WhoAmI()
 	if err != nil {
 		return err
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/color.go snapd-2.37~rc1~14.04/cmd/snap/color.go
--- snapd-2.32.3.2~14.04/cmd/snap/color.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/color.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,181 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"golang.org/x/crypto/ssh/terminal"
+
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/snap"
+)
+
+type colorMixin struct {
+	Color   string `long:"color" default:"auto" choice:"auto" choice:"never" choice:"always"`
+	Unicode string `long:"unicode" default:"auto" choice:"auto" choice:"never" choice:"always"` // do we want this hidden?
+}
+
+func (mx colorMixin) getEscapes() *escapes {
+	esc := colorTable(mx.Color)
+	if canUnicode(mx.Unicode) {
+		esc.dash = "–" // that's an en dash (so yaml is happy)
+		esc.uparrow = "↑"
+		esc.tick = "✓"
+	} else {
+		esc.dash = "--" // two dashes keeps yaml happy also
+		esc.uparrow = "^"
+		esc.tick = "*"
+	}
+
+	return &esc
+}
+
+func canUnicode(mode string) bool {
+	switch mode {
+	case "always":
+		return true
+	case "never":
+		return false
+	}
+	if !isStdoutTTY {
+		return false
+	}
+	var lang string
+	for _, k := range []string{"LC_MESSAGES", "LC_ALL", "LANG"} {
+		lang = os.Getenv(k)
+		if lang != "" {
+			break
+		}
+	}
+	if lang == "" {
+		return false
+	}
+	lang = strings.ToUpper(lang)
+	return strings.Contains(lang, "UTF-8") || strings.Contains(lang, "UTF8")
+}
+
+var isStdoutTTY = terminal.IsTerminal(1)
+
+func colorTable(mode string) escapes {
+	switch mode {
+	case "always":
+		return color
+	case "never":
+		return noesc
+	}
+	if !isStdoutTTY {
+		return noesc
+	}
+	if _, ok := os.LookupEnv("NO_COLOR"); ok {
+		// from http://no-color.org/:
+		//   command-line software which outputs text with ANSI color added should
+		//   check for the presence of a NO_COLOR environment variable that, when
+		//   present (regardless of its value), prevents the addition of ANSI color.
+		return mono // bold & dim is still ok
+	}
+	if term := os.Getenv("TERM"); term == "xterm-mono" || term == "linux-m" {
+		// these are often used to flag "I don't want to see color" more than "I can't do color"
+		// (if you can't *do* color, `color` and `mono` should produce the same results)
+		return mono
+	}
+	return color
+}
+
+var colorDescs = mixinDescs{
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"color": i18n.G("Use a little bit of color to highlight some things."),
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"unicode": i18n.G("Use a little bit of Unicode to improve legibility."),
+}
+
+type escapes struct {
+	green string
+	end   string
+
+	tick, dash, uparrow string
+}
+
+var (
+	color = escapes{
+		green: "\033[32m",
+		end:   "\033[0m",
+	}
+
+	mono = escapes{
+		green: "\033[1m",
+		end:   "\033[0m",
+	}
+
+	noesc = escapes{}
+)
+
+// fillerPublisher is used to add an no-op escape sequence to a header in a
+// tabwriter table, so that things line up.
+func fillerPublisher(esc *escapes) string {
+	return esc.green + esc.end
+}
+
+// longPublisher returns a string that'll present the publisher of a snap to the
+// terminal user:
+//
+// * if the publisher's username and display name match, it's just the display
+//   name; otherwise, it'll include the username in parentheses
+//
+// * if the publisher is verified, it'll include a green check mark; otherwise,
+//   it'll include a no-op escape sequence of the same length as the escape
+//   sequence used to make it green (this so that tabwriter gets things right).
+func longPublisher(esc *escapes, storeAccount *snap.StoreAccount) string {
+	if storeAccount == nil {
+		return esc.dash + esc.green + esc.end
+	}
+	badge := ""
+	if storeAccount.Validation == "verified" {
+		badge = esc.tick
+	}
+	// NOTE this makes e.g. 'Potato' == 'potato', and 'Potato Team' == 'potato-team',
+	// but 'Potato Team' != 'potatoteam', 'Potato Inc.' != 'potato' (in fact 'Potato Inc.' != 'potato-inc')
+	if strings.EqualFold(strings.Replace(storeAccount.Username, "-", " ", -1), storeAccount.DisplayName) {
+		return storeAccount.DisplayName + esc.green + badge + esc.end
+	}
+	return fmt.Sprintf("%s (%s%s%s%s)", storeAccount.DisplayName, storeAccount.Username, esc.green, badge, esc.end)
+}
+
+// shortPublisher returns a string that'll present the publisher of a snap to the
+// terminal user:
+//
+// * it'll always be just the username
+//
+// * if the publisher is verified, it'll include a green check mark; otherwise,
+//   it'll include a no-op escape sequence of the same length as the escape
+//   sequence used to make it green (this so that tabwriter gets things right).
+func shortPublisher(esc *escapes, storeAccount *snap.StoreAccount) string {
+	if storeAccount == nil {
+		return "-" + esc.green + esc.end
+	}
+	badge := ""
+	if storeAccount.Validation == "verified" {
+		badge = esc.tick
+	}
+	return storeAccount.Username + esc.green + badge + esc.end
+
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/color_test.go snapd-2.37~rc1~14.04/cmd/snap/color_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/color_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/color_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,196 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"os"
+	"runtime"
+	// "fmt"
+	// "net/http"
+
+	"gopkg.in/check.v1"
+
+	cmdsnap "github.com/snapcore/snapd/cmd/snap"
+	"github.com/snapcore/snapd/snap"
+)
+
+func setEnviron(env map[string]string) func() {
+	old := make(map[string]string, len(env))
+	ok := make(map[string]bool, len(env))
+
+	for k, v := range env {
+		old[k], ok[k] = os.LookupEnv(k)
+		if v != "" {
+			os.Setenv(k, v)
+		} else {
+			os.Unsetenv(k)
+		}
+	}
+
+	return func() {
+		for k := range ok {
+			if ok[k] {
+				os.Setenv(k, old[k])
+			} else {
+				os.Unsetenv(k)
+			}
+		}
+	}
+}
+
+func (s *SnapSuite) TestCanUnicode(c *check.C) {
+	// setenv is per thread
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	type T struct {
+		lang, lcAll, lcMsg string
+		expected           bool
+	}
+
+	for _, t := range []T{
+		{expected: false}, // all locale unset
+		{lang: "C", expected: false},
+		{lang: "C", lcAll: "C", expected: false},
+		{lang: "C", lcAll: "C", lcMsg: "C", expected: false},
+		{lang: "C.UTF-8", lcAll: "C", lcMsg: "C", expected: false}, // LC_MESSAGES wins
+		{lang: "C.UTF-8", lcAll: "C.UTF-8", lcMsg: "C", expected: false},
+		{lang: "C.UTF-8", lcAll: "C.UTF-8", lcMsg: "C.UTF-8", expected: true},
+		{lang: "C.UTF-8", lcAll: "C", lcMsg: "C.UTF-8", expected: true},
+		{lang: "C", lcAll: "C", lcMsg: "C.UTF-8", expected: true},
+		{lang: "C", lcAll: "C.UTF-8", expected: true},
+		{lang: "C.UTF-8", expected: true},
+		{lang: "C.utf8", expected: true}, // deals with a bit of rando weirdness
+	} {
+		restore := setEnviron(map[string]string{"LANG": t.lang, "LC_ALL": t.lcAll, "LC_MESSAGES": t.lcMsg})
+		c.Check(cmdsnap.CanUnicode("never"), check.Equals, false)
+		c.Check(cmdsnap.CanUnicode("always"), check.Equals, true)
+		restoreIsTTY := cmdsnap.MockIsStdoutTTY(true)
+		c.Check(cmdsnap.CanUnicode("auto"), check.Equals, t.expected)
+		cmdsnap.MockIsStdoutTTY(false)
+		c.Check(cmdsnap.CanUnicode("auto"), check.Equals, false)
+		restoreIsTTY()
+		restore()
+	}
+}
+
+func (s *SnapSuite) TestColorTable(c *check.C) {
+	// setenv is per thread
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	type T struct {
+		isTTY         bool
+		noColor, term string
+		expected      interface{}
+		desc          string
+	}
+
+	for _, t := range []T{
+		{isTTY: false, expected: cmdsnap.NoEscColorTable, desc: "not a tty"},
+		{isTTY: false, noColor: "1", expected: cmdsnap.NoEscColorTable, desc: "no tty *and* NO_COLOR set"},
+		{isTTY: false, term: "linux-m", expected: cmdsnap.NoEscColorTable, desc: "no tty *and* mono term set"},
+		{isTTY: true, expected: cmdsnap.ColorColorTable, desc: "is a tty"},
+		{isTTY: true, noColor: "1", expected: cmdsnap.MonoColorTable, desc: "is a tty, but NO_COLOR set"},
+		{isTTY: true, term: "linux-m", expected: cmdsnap.MonoColorTable, desc: "is a tty, but TERM=linux-m"},
+		{isTTY: true, term: "xterm-mono", expected: cmdsnap.MonoColorTable, desc: "is a tty, but TERM=xterm-mono"},
+	} {
+		restoreIsTTY := cmdsnap.MockIsStdoutTTY(t.isTTY)
+		restoreEnv := setEnviron(map[string]string{"NO_COLOR": t.noColor, "TERM": t.term})
+		c.Check(cmdsnap.ColorTable("never"), check.DeepEquals, cmdsnap.NoEscColorTable, check.Commentf(t.desc))
+		c.Check(cmdsnap.ColorTable("always"), check.DeepEquals, cmdsnap.ColorColorTable, check.Commentf(t.desc))
+		c.Check(cmdsnap.ColorTable("auto"), check.DeepEquals, t.expected, check.Commentf(t.desc))
+		restoreEnv()
+		restoreIsTTY()
+	}
+}
+
+func (s *SnapSuite) TestPublisherEscapes(c *check.C) {
+	// just check never/always; for auto checks look above
+	type T struct {
+		color, unicode    bool
+		username, display string
+		verified          bool
+		short, long, fill string
+	}
+	for _, t := range []T{
+		// non-verified equal under fold:
+		{color: false, unicode: false, username: "potato", display: "Potato",
+			short: "potato", long: "Potato", fill: ""},
+		{color: false, unicode: true, username: "potato", display: "Potato",
+			short: "potato", long: "Potato", fill: ""},
+		{color: true, unicode: false, username: "potato", display: "Potato",
+			short: "potato\x1b[32m\x1b[0m", long: "Potato\x1b[32m\x1b[0m", fill: "\x1b[32m\x1b[0m"},
+		{color: true, unicode: true, username: "potato", display: "Potato",
+			short: "potato\x1b[32m\x1b[0m", long: "Potato\x1b[32m\x1b[0m", fill: "\x1b[32m\x1b[0m"},
+		// verified equal under fold:
+		{color: false, unicode: false, username: "potato", display: "Potato", verified: true,
+			short: "potato*", long: "Potato*", fill: ""},
+		{color: false, unicode: true, username: "potato", display: "Potato", verified: true,
+			short: "potato✓", long: "Potato✓", fill: ""},
+		{color: true, unicode: false, username: "potato", display: "Potato", verified: true,
+			short: "potato\x1b[32m*\x1b[0m", long: "Potato\x1b[32m*\x1b[0m", fill: "\x1b[32m\x1b[0m"},
+		{color: true, unicode: true, username: "potato", display: "Potato", verified: true,
+			short: "potato\x1b[32m✓\x1b[0m", long: "Potato\x1b[32m✓\x1b[0m", fill: "\x1b[32m\x1b[0m"},
+		// non-verified, different
+		{color: false, unicode: false, username: "potato", display: "Carrot",
+			short: "potato", long: "Carrot (potato)", fill: ""},
+		{color: false, unicode: true, username: "potato", display: "Carrot",
+			short: "potato", long: "Carrot (potato)", fill: ""},
+		{color: true, unicode: false, username: "potato", display: "Carrot",
+			short: "potato\x1b[32m\x1b[0m", long: "Carrot (potato\x1b[32m\x1b[0m)", fill: "\x1b[32m\x1b[0m"},
+		{color: true, unicode: true, username: "potato", display: "Carrot",
+			short: "potato\x1b[32m\x1b[0m", long: "Carrot (potato\x1b[32m\x1b[0m)", fill: "\x1b[32m\x1b[0m"},
+		// verified, different
+		{color: false, unicode: false, username: "potato", display: "Carrot", verified: true,
+			short: "potato*", long: "Carrot (potato*)", fill: ""},
+		{color: false, unicode: true, username: "potato", display: "Carrot", verified: true,
+			short: "potato✓", long: "Carrot (potato✓)", fill: ""},
+		{color: true, unicode: false, username: "potato", display: "Carrot", verified: true,
+			short: "potato\x1b[32m*\x1b[0m", long: "Carrot (potato\x1b[32m*\x1b[0m)", fill: "\x1b[32m\x1b[0m"},
+		{color: true, unicode: true, username: "potato", display: "Carrot", verified: true,
+			short: "potato\x1b[32m✓\x1b[0m", long: "Carrot (potato\x1b[32m✓\x1b[0m)", fill: "\x1b[32m\x1b[0m"},
+		// some interesting equal-under-folds:
+		{color: false, unicode: false, username: "potato", display: "PoTaTo",
+			short: "potato", long: "PoTaTo", fill: ""},
+		{color: false, unicode: false, username: "potato-team", display: "Potato Team",
+			short: "potato-team", long: "Potato Team", fill: ""},
+	} {
+		pub := &snap.StoreAccount{Username: t.username, DisplayName: t.display}
+		if t.verified {
+			pub.Validation = "verified"
+		}
+		color := "never"
+		if t.color {
+			color = "always"
+		}
+		unicode := "never"
+		if t.unicode {
+			unicode = "always"
+		}
+
+		mx := cmdsnap.ColorMixin(color, unicode)
+		esc := cmdsnap.ColorMixinGetEscapes(mx)
+
+		c.Check(cmdsnap.ShortPublisher(esc, pub), check.Equals, t.short)
+		c.Check(cmdsnap.LongPublisher(esc, pub), check.Equals, t.long)
+		c.Check(cmdsnap.FillerPublisher(esc), check.Equals, t.fill)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/complete.go snapd-2.37~rc1~14.04/cmd/snap/complete.go
--- snapd-2.32.3.2~14.04/cmd/snap/complete.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/complete.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"bufio"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/jessevdk/go-flags"
@@ -36,7 +37,7 @@
 type installedSnapName string
 
 func (s installedSnapName) Complete(match string) []flags.Completion {
-	snaps, err := Client().List(nil, nil)
+	snaps, err := mkClient().List(nil, nil)
 	if err != nil {
 		return nil
 	}
@@ -103,7 +104,7 @@
 	if len(match) < 3 {
 		return nil
 	}
-	snaps, _, err := Client().Find(&client.FindOptions{
+	snaps, _, err := mkClient().Find(&client.FindOptions{
 		Prefix: true,
 		Query:  match,
 	})
@@ -147,7 +148,7 @@
 type changeID string
 
 func (s changeID) Complete(match string) []flags.Completion {
-	changes, err := Client().Changes(&client.ChangesOptions{Selector: client.ChangesAll})
+	changes, err := mkClient().Changes(&client.ChangesOptions{Selector: client.ChangesAll})
 	if err != nil {
 		return nil
 	}
@@ -165,7 +166,7 @@
 type assertTypeName string
 
 func (n assertTypeName) Complete(match string) []flags.Completion {
-	cli := Client()
+	cli := mkClient()
 	names, err := cli.AssertionTypes()
 	if err != nil {
 		return nil
@@ -295,7 +296,7 @@
 	parts := strings.SplitN(match, ":", 2)
 
 	// Ask snapd about available interfaces.
-	ifaces, err := Client().Connections()
+	ifaces, err := mkClient().Connections()
 	if err != nil {
 		return nil
 	}
@@ -386,7 +387,7 @@
 type interfaceName string
 
 func (s interfaceName) Complete(match string) []flags.Completion {
-	ifaces, err := Client().Interfaces(nil)
+	ifaces, err := mkClient().Interfaces(nil)
 	if err != nil {
 		return nil
 	}
@@ -404,7 +405,7 @@
 type appName string
 
 func (s appName) Complete(match string) []flags.Completion {
-	cli := Client()
+	cli := mkClient()
 	apps, err := cli.Apps(nil, client.AppOptions{})
 	if err != nil {
 		return nil
@@ -428,7 +429,7 @@
 type serviceName string
 
 func (s serviceName) Complete(match string) []flags.Completion {
-	cli := Client()
+	cli := mkClient()
 	apps, err := cli.Apps(nil, client.AppOptions{Service: true})
 	if err != nil {
 		return nil
@@ -453,7 +454,7 @@
 type aliasOrSnap string
 
 func (s aliasOrSnap) Complete(match string) []flags.Completion {
-	aliases, err := Client().Aliases()
+	aliases, err := mkClient().Aliases()
 	if err != nil {
 		return nil
 	}
@@ -473,3 +474,21 @@
 	}
 	return ret
 }
+
+type snapshotID uint64
+
+func (snapshotID) Complete(match string) []flags.Completion {
+	shots, err := mkClient().SnapshotSets(0, nil)
+	if err != nil {
+		return nil
+	}
+	var ret []flags.Completion
+	for _, sg := range shots {
+		sid := strconv.FormatUint(sg.ID, 10)
+		if strings.HasPrefix(sid, match) {
+			ret = append(ret, flags.Completion{Item: sid})
+		}
+	}
+
+	return ret
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/error.go snapd-2.37~rc1~14.04/cmd/snap/error.go
--- snapd-2.32.3.2~14.04/cmd/snap/error.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/error.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -27,6 +27,7 @@
 	"os"
 	"os/user"
 	"strings"
+	"text/tabwriter"
 
 	"golang.org/x/crypto/ssh/terminal"
 
@@ -34,6 +35,8 @@
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
 var errorPrefix = i18n.G("error: %v\n")
@@ -76,7 +79,8 @@
 	width--
 
 	var buf bytes.Buffer
-	doc.ToText(&buf, para, strings.Repeat(" ", indent), "", width-indent)
+	indentStr := strings.Repeat(" ", indent)
+	doc.ToText(&buf, para, indentStr, indentStr, width-indent)
 
 	return strings.TrimSpace(buf.String())
 }
@@ -87,6 +91,10 @@
 	if !ok {
 		return "", e
 	}
+	// retryable errors are just passed through
+	if client.IsRetryable(err) {
+		return "", err
+	}
 
 	// ensure the "real" error is available if we ask for it
 	logger.Debugf("error: %s", err)
@@ -97,11 +105,17 @@
 	usesSnapName := true
 	var msg string
 	switch err.Kind {
-	case client.ErrorKindSnapNotFound:
-		// FIXME: the snap store _is_ sending us a different message when a
-		// snap does not exist vs. when it does not exist for the current
-		// arch/channel/revision. Surface that here somehow!
+	case client.ErrorKindNotSnap:
+		msg = i18n.G(`%q does not contain an unpacked snap.
 
+Try 'snapcraft prime' in your project directory, then 'snap try' again.`)
+		if snapName == "" || snapName == "./" {
+			errValStr, ok := err.Value.(string)
+			if ok && errValStr != "" {
+				snapName = errValStr
+			}
+		}
+	case client.ErrorKindSnapNotFound:
 		msg = i18n.G("snap %q not found")
 		if snapName == "" {
 			errValStr, ok := err.Value.(string)
@@ -109,21 +123,56 @@
 				snapName = errValStr
 			}
 		}
+	case client.ErrorKindChannelNotAvailable,
+		client.ErrorKindArchitectureNotAvailable:
+		values, ok := err.Value.(map[string]interface{})
+		if ok {
+			candName, _ := values["snap-name"].(string)
+			if candName != "" {
+				snapName = candName
+			}
+			action, _ := values["action"].(string)
+			arch, _ := values["architecture"].(string)
+			channel, _ := values["channel"].(string)
+			releases, _ := values["releases"].([]interface{})
+			if snapName != "" && action != "" && arch != "" && channel != "" && len(releases) != 0 {
+				usesSnapName = false
+				msg = snapRevisionNotAvailableMessage(err.Kind, snapName, action, arch, channel, releases)
+				break
+			}
+		}
+		fallthrough
+	case client.ErrorKindRevisionNotAvailable:
+		if snapName == "" {
+			errValStr, ok := err.Value.(string)
+			if ok && errValStr != "" {
+				snapName = errValStr
+			}
+		}
+
+		usesSnapName = false
+		// TRANSLATORS: %[1]q and %[1]s refer to the same thing (a snap name).
+		msg = fmt.Sprintf(i18n.G(`snap %[1]q not available as specified (see 'snap info %[1]s')`), snapName)
+
 		if opts != nil {
 			if opts.Revision != "" {
-				// TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
-				msg = fmt.Sprintf(i18n.G("snap %%q not found (at least at revision %q)"), opts.Revision)
+				// TRANSLATORS: %[1]q and %[1]s refer to the same thing (a snap name); %s is whatever the user used for --revision=
+				msg = fmt.Sprintf(i18n.G(`snap %[1]q revision %s not available (see 'snap info %[1]s')`), snapName, opts.Revision)
 			} else if opts.Channel != "" {
 				// (note --revision overrides --channel)
 
-				// TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
-				msg = fmt.Sprintf(i18n.G("snap %%q not found (at least in channel %q)"), opts.Channel)
+				// TRANSLATORS: %[1]q and %[1]s refer to the same thing (a snap name); %q is whatever foo the user used for --channel=foo
+				msg = fmt.Sprintf(i18n.G(`snap %[1]q not available on channel %q (see 'snap info %[1]s')`), snapName, opts.Channel)
 			}
 		}
 	case client.ErrorKindSnapAlreadyInstalled:
 		isError = false
-		msg = i18n.G(`snap %q is already installed, see "snap refresh --help"`)
+		msg = i18n.G(`snap %q is already installed, see 'snap help refresh'`)
 	case client.ErrorKindSnapNeedsDevMode:
+		if opts != nil && opts.Dangerous {
+			msg = i18n.G("snap %q requires devmode or confinement override")
+			break
+		}
 		msg = i18n.G(`
 The publisher of snap %q has indicated that they do not consider this revision
 to be of production quality and that it is only meant for development or testing
@@ -142,12 +191,14 @@
 
 If you understand and want to proceed repeat the command including --classic.
 `)
+	case client.ErrorKindSnapNotClassic:
+		msg = i18n.G(`snap %q is not compatible with --classic`)
 	case client.ErrorKindLoginRequired:
 		usesSnapName = false
 		u, _ := user.Current()
 		if u != nil && u.Username == "root" {
 			// TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
-			msg = fmt.Sprintf(i18n.G(`%s (see "snap login --help")`), err.Message)
+			msg = fmt.Sprintf(i18n.G(`%s (see 'snap help login')`), err.Message)
 		} else {
 			// TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 			msg = fmt.Sprintf(i18n.G(`%s (try with sudo)`), err.Message)
@@ -165,6 +216,10 @@
 		isError = true
 		usesSnapName = false
 		msg = i18n.G("unable to contact snap store")
+	case client.ErrorKindSystemRestart:
+		isError = false
+		usesSnapName = false
+		msg = i18n.G("snapd is about to reboot the system")
 	default:
 		usesSnapName = false
 		msg = err.Message
@@ -181,3 +236,165 @@
 
 	return msg, nil
 }
+
+func snapRevisionNotAvailableMessage(kind, snapName, action, arch, channel string, releases []interface{}) string {
+	// releases contains all available (arch x channel)
+	// as reported by the store through the daemon
+	req, err := snap.ParseChannel(channel, arch)
+	if err != nil {
+		// TRANSLATORS: %q is the invalid request channel, %s is the snap name
+		msg := fmt.Sprintf(i18n.G("requested channel %q is not valid (see 'snap info %s' for valid ones)"), channel, snapName)
+		return msg
+	}
+	avail := make([]*snap.Channel, 0, len(releases))
+	for _, v := range releases {
+		rel, _ := v.(map[string]interface{})
+		relCh, _ := rel["channel"].(string)
+		relArch, _ := rel["architecture"].(string)
+		if relArch == "" {
+			logger.Debugf("internal error: %q daemon error carries a release with invalid/empty architecture: %v", kind, v)
+			continue
+		}
+		a, err := snap.ParseChannel(relCh, relArch)
+		if err != nil {
+			logger.Debugf("internal error: %q daemon error carries a release with invalid/empty channel (%v): %v", kind, err, v)
+			continue
+		}
+		avail = append(avail, &a)
+	}
+
+	matches := map[string][]*snap.Channel{}
+	for _, a := range avail {
+		m := req.Match(a)
+		matchRepr := m.String()
+		if matchRepr != "" {
+			matches[matchRepr] = append(matches[matchRepr], a)
+		}
+	}
+
+	// no release is for this architecture
+	if kind == client.ErrorKindArchitectureNotAvailable {
+		// TODO: add "Get more information..." hints once snap info
+		// support showing multiple/all archs
+
+		// there are matching track+risk releases for other archs
+		if hits := matches["track:risk"]; len(hits) != 0 {
+			archs := strings.Join(archsForChannels(hits), ", ")
+			// TRANSLATORS: %q is for the snap name, %v is the requested channel, first %s is the system architecture short name, second %s is a comma separated list of available arch short names
+			msg := fmt.Sprintf(i18n.G("snap %q is not available on %v for this architecture (%s) but exists on other architectures (%s)."), snapName, req, arch, archs)
+			return msg
+		}
+
+		// not even that, generic error
+		archs := strings.Join(archsForChannels(avail), ", ")
+		// TRANSLATORS: %q is for the snap name, first %s is the system architecture short name, second %s is a comma separated list of available arch short names
+		msg := fmt.Sprintf(i18n.G("snap %q is not available on this architecture (%s) but exists on other architectures (%s)."), snapName, arch, archs)
+		return msg
+	}
+
+	// a branch was requested
+	if req.Branch != "" {
+		// there are matching arch+track+risk, give main track info
+		if len(matches["architecture:track:risk"]) != 0 {
+			trackRisk := snap.Channel{Track: req.Track, Risk: req.Risk}
+			trackRisk = trackRisk.Clean()
+
+			// TRANSLATORS: %q is for the snap name, first %s is the full requested channel
+			msg := fmt.Sprintf(i18n.G("requested a non-existing branch on %s for snap %q: %s"), trackRisk.Full(), snapName, req.Branch)
+			return msg
+		}
+
+		msg := fmt.Sprintf(i18n.G("requested a non-existing branch for snap %q: %s"), snapName, req.Full())
+		return msg
+	}
+
+	// TRANSLATORS: can optionally be concatenated after a blank line at the end of other error messages, together with the "Get more information ..." hint
+	preRelWarn := i18n.G("Please be mindful pre-release channels may include features not completely tested or implemented.")
+	// TRANSLATORS: can optionally be concatenated after a blank line at the end of other error messages, together with the "Get more information ..." hint
+	trackWarn := i18n.G("Please be mindful that different tracks may include different features.")
+	// TRANSLATORS: %s is for the snap name, will be concatenated after at the end of other error messages, possibly after a blank line
+	moreInfoHint := fmt.Sprintf(i18n.G("Get more information with 'snap info %s'."), snapName)
+
+	// there are matching arch+track releases => give hint and instructions
+	// about pre-release channels
+	if hits := matches["architecture:track"]; len(hits) != 0 {
+		// TRANSLATORS: %q is for the snap name, %v is the requested channel
+		msg := fmt.Sprintf(i18n.G("snap %q is not available on %v but is available to install on the following channels:\n"), snapName, req)
+		msg += installTable(snapName, action, hits, false)
+		msg += "\n"
+		if req.Risk == "stable" {
+			msg += "\n" + preRelWarn
+		}
+		msg += "\n" + moreInfoHint
+		return msg
+	}
+
+	// there are matching arch+risk releases => give hints and instructions
+	// about these other tracks
+	if hits := matches["architecture:risk"]; len(hits) != 0 {
+		// TRANSLATORS: %q is for the snap name, %s is the full requested channel
+		msg := fmt.Sprintf(i18n.G("snap %q is not available on %s but is available to install on the following tracks:\n"), snapName, req.Full())
+		msg += installTable(snapName, action, hits, true)
+		msg += "\n\n" + trackWarn
+		msg += "\n" + moreInfoHint
+		return msg
+	}
+
+	// generic error
+	// TRANSLATORS: %q is for the snap name, %s is the full requested channel
+	msg := fmt.Sprintf(i18n.G("snap %q is not available on %s but other tracks exist.\n"), snapName, req.Full())
+	msg += "\n\n" + trackWarn
+	msg += "\n" + moreInfoHint
+	return msg
+}
+
+func installTable(snapName, action string, avail []*snap.Channel, full bool) string {
+	b := &bytes.Buffer{}
+	w := tabwriter.NewWriter(b, len("candidate")+2, 1, 2, ' ', 0)
+	first := true
+	for _, a := range avail {
+		if first {
+			first = false
+		} else {
+			fmt.Fprint(w, "\n")
+		}
+		var ch string
+		if full {
+			ch = a.Full()
+		} else {
+			ch = a.String()
+		}
+		chOption := channelOption(a)
+		fmt.Fprintf(w, "%s\tsnap %s %s %s", ch, action, chOption, snapName)
+	}
+	w.Flush()
+	tbl := b.String()
+	// indent to drive fill/ToText to keep the tabulations intact
+	lines := strings.SplitAfter(tbl, "\n")
+	for i := range lines {
+		lines[i] = "  " + lines[i]
+	}
+	return strings.Join(lines, "")
+}
+
+func channelOption(c *snap.Channel) string {
+	if c.Branch == "" {
+		if c.Track == "" {
+			return fmt.Sprintf("--%s", c.Risk)
+		}
+		if c.Risk == "stable" {
+			return fmt.Sprintf("--channel=%s", c.Track)
+		}
+	}
+	return fmt.Sprintf("--channel=%s", c)
+}
+
+func archsForChannels(cs []*snap.Channel) []string {
+	archs := []string{}
+	for _, c := range cs {
+		if !strutil.ListContains(archs, c.Architecture) {
+			archs = append(archs, c.Architecture)
+		}
+	}
+	return archs
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/export_test.go snapd-2.37~rc1~14.04/cmd/snap/export_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,15 +25,20 @@
 
 	"github.com/jessevdk/go-flags"
 
+	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/selinux"
 	"github.com/snapcore/snapd/store"
 )
 
 var RunMain = run
 
 var (
+	Client = mkClient
+
+	FirstNonOptionIsRun = firstNonOptionIsRun
+
 	CreateUserDataDirs = createUserDataDirs
-	Wait               = wait
 	ResolveApp         = resolveApp
 	IsReexeced         = isReexeced
 	MaybePrintServices = maybePrintServices
@@ -42,6 +47,35 @@
 	AdviseCommand      = adviseCommand
 	Antialias          = antialias
 	FormatChannel      = fmtChannel
+	PrintDescr         = printDescr
+	TrueishJSON        = trueishJSON
+
+	CanUnicode           = canUnicode
+	ColorTable           = colorTable
+	MonoColorTable       = mono
+	ColorColorTable      = color
+	NoEscColorTable      = noesc
+	ColorMixinGetEscapes = (colorMixin).getEscapes
+	FillerPublisher      = fillerPublisher
+	LongPublisher        = longPublisher
+	ShortPublisher       = shortPublisher
+
+	ReadRpc = readRpc
+
+	WriteWarningTimestamp = writeWarningTimestamp
+	MaybePresentWarnings  = maybePresentWarnings
+
+	LongSnapDescription     = longSnapDescription
+	SnapUsage               = snapUsage
+	SnapHelpCategoriesIntro = snapHelpCategoriesIntro
+	SnapHelpAllFooter       = snapHelpAllFooter
+	SnapHelpFooter          = snapHelpFooter
+	HelpCategories          = helpCategories
+
+	LintArg  = lintArg
+	LintDesc = lintDesc
+
+	FixupArg = fixupArg
 )
 
 func MockPollTime(d time.Duration) (restore func()) {
@@ -130,11 +164,19 @@
 	return assertTypeName("").Complete(match)
 }
 
-func MockIsTerminal(t bool) (restore func()) {
-	oldIsTerminal := isTerminal
-	isTerminal = func() bool { return t }
+func MockIsStdoutTTY(t bool) (restore func()) {
+	oldIsStdoutTTY := isStdoutTTY
+	isStdoutTTY = t
+	return func() {
+		isStdoutTTY = oldIsStdoutTTY
+	}
+}
+
+func MockIsStdinTTY(t bool) (restore func()) {
+	oldIsStdinTTY := isStdinTTY
+	isStdinTTY = t
 	return func() {
-		isTerminal = oldIsTerminal
+		isStdinTTY = oldIsStdinTTY
 	}
 }
 
@@ -145,3 +187,57 @@
 		timeNow = oldTimeNow
 	}
 }
+
+func MockTimeutilHuman(h func(time.Time) string) (restore func()) {
+	oldH := timeutilHuman
+	timeutilHuman = h
+	return func() {
+		timeutilHuman = oldH
+	}
+}
+
+func MockWaitConfTimeout(d time.Duration) (restore func()) {
+	oldWaitConfTimeout := d
+	waitConfTimeout = d
+	return func() {
+		waitConfTimeout = oldWaitConfTimeout
+	}
+}
+
+func Wait(cli *client.Client, id string) (*client.Change, error) {
+	wmx := waitMixin{}
+	wmx.client = cli
+	return wmx.wait(id)
+}
+
+func ColorMixin(cmode, umode string) colorMixin {
+	return colorMixin{Color: cmode, Unicode: umode}
+}
+
+func CmdAdviseSnap() *cmdAdviseSnap {
+	return &cmdAdviseSnap{}
+}
+
+func MockSELinuxIsEnabled(isEnabled func() (bool, error)) (restore func()) {
+	old := selinuxIsEnabled
+	selinuxIsEnabled = isEnabled
+	return func() {
+		selinuxIsEnabled = old
+	}
+}
+
+func MockSELinuxVerifyPathContext(verifypathcon func(string) (bool, error)) (restore func()) {
+	old := selinuxVerifyPathContext
+	selinuxVerifyPathContext = verifypathcon
+	return func() {
+		selinuxVerifyPathContext = old
+	}
+}
+
+func MockSELinuxRestoreContext(restorecon func(string, selinux.RestoreMode) error) (restore func()) {
+	old := selinuxRestoreContext
+	selinuxRestoreContext = restorecon
+	return func() {
+		selinuxRestoreContext = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/interfaces_common.go snapd-2.37~rc1~14.04/cmd/snap/interfaces_common.go
--- snapd-2.32.3.2~14.04/cmd/snap/interfaces_common.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/interfaces_common.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,36 +26,6 @@
 	"github.com/snapcore/snapd/i18n"
 )
 
-// AttributePair contains a pair of key-value strings
-type AttributePair struct {
-	// The key
-	Key string
-	// The value
-	Value string
-}
-
-// UnmarshalFlag parses a string into an AttributePair
-func (ap *AttributePair) UnmarshalFlag(value string) error {
-	parts := strings.SplitN(value, "=", 2)
-	if len(parts) < 2 || parts[0] == "" {
-		ap.Key = ""
-		ap.Value = ""
-		return fmt.Errorf(i18n.G("invalid attribute: %q (want key=value)"), value)
-	}
-	ap.Key = parts[0]
-	ap.Value = parts[1]
-	return nil
-}
-
-// AttributePairSliceToMap converts a slice of AttributePair into a map
-func AttributePairSliceToMap(attrs []AttributePair) map[string]string {
-	result := make(map[string]string)
-	for _, attr := range attrs {
-		result[attr.Key] = attr.Value
-	}
-	return result
-}
-
 // SnapAndName holds a snap name and a plug or slot name.
 type SnapAndName struct {
 	Snap string
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/interfaces_common_test.go snapd-2.37~rc1~14.04/cmd/snap/interfaces_common_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/interfaces_common_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/interfaces_common_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,56 +25,6 @@
 	. "github.com/snapcore/snapd/cmd/snap"
 )
 
-type AttributePairSuite struct{}
-
-var _ = Suite(&AttributePairSuite{})
-
-func (s *AttributePairSuite) TestUnmarshalFlagAttributePair(c *C) {
-	var ap AttributePair
-	// Typical
-	err := ap.UnmarshalFlag("key=value")
-	c.Assert(err, IsNil)
-	c.Check(ap.Key, Equals, "key")
-	c.Check(ap.Value, Equals, "value")
-	// Empty key
-	err = ap.UnmarshalFlag("=value")
-	c.Assert(err, ErrorMatches, `invalid attribute: "=value" \(want key=value\)`)
-	c.Check(ap.Key, Equals, "")
-	c.Check(ap.Value, Equals, "")
-	// Empty value
-	err = ap.UnmarshalFlag("key=")
-	c.Assert(err, IsNil)
-	c.Check(ap.Key, Equals, "key")
-	c.Check(ap.Value, Equals, "")
-	// Both key and value empty
-	err = ap.UnmarshalFlag("=")
-	c.Assert(err, ErrorMatches, `invalid attribute: "=" \(want key=value\)`)
-	c.Check(ap.Key, Equals, "")
-	c.Check(ap.Value, Equals, "")
-	// Value containing =
-	err = ap.UnmarshalFlag("key=value=more")
-	c.Assert(err, IsNil)
-	c.Check(ap.Key, Equals, "key")
-	c.Check(ap.Value, Equals, "value=more")
-	// Malformed format
-	err = ap.UnmarshalFlag("malformed")
-	c.Assert(err, ErrorMatches, `invalid attribute: "malformed" \(want key=value\)`)
-	c.Check(ap.Key, Equals, "")
-	c.Check(ap.Value, Equals, "")
-}
-
-func (s *AttributePairSuite) TestAttributePairSliceToMap(c *C) {
-	attrs := []AttributePair{
-		{Key: "key1", Value: "value1"},
-		{Key: "key2", Value: "value2"},
-	}
-	m := AttributePairSliceToMap(attrs)
-	c.Check(m, DeepEquals, map[string]string{
-		"key1": "value1",
-		"key2": "value2",
-	})
-}
-
 type SnapAndNameSuite struct{}
 
 var _ = Suite(&SnapAndNameSuite{})
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/last.go snapd-2.37~rc1~14.04/cmd/snap/last.go
--- snapd-2.32.3.2~14.04/cmd/snap/last.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/last.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package main
 
 import (
+	"errors"
 	"fmt"
 
 	"github.com/snapcore/snapd/client"
@@ -27,24 +28,29 @@
 )
 
 type changeIDMixin struct {
+	clientMixin
 	LastChangeType string `long:"last"`
 	Positional     struct {
 		ID changeID `positional-arg-name:"<id>"`
 	} `positional-args:"yes"`
 }
 
-var changeIDMixinOptDesc = map[string]string{
-	"last": i18n.G("Select last change of given type (install, refresh, remove, try, auto-refresh etc.)"),
+var changeIDMixinOptDesc = mixinDescs{
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"last": i18n.G("Select last change of given type (install, refresh, remove, try, auto-refresh, etc.). A question mark at the end of the type means to do nothing (instead of returning an error) if no change of the given type is found. Note the question mark could need protecting from the shell."),
 }
 
 var changeIDMixinArgDesc = []argDesc{{
-	// TRANSLATORS: This needs to be wrapped in <>s.
+	// TRANSLATORS: This needs to begin with < and end with >
 	name: i18n.G("<change-id>"),
-	// TRANSLATORS: This should probably not start with a lowercase letter.
+	// TRANSLATORS: This should not start with a lowercase letter.
 	desc: i18n.G("Change ID"),
 }}
 
-func (l *changeIDMixin) GetChangeID(cli *client.Client) (string, error) {
+// should not be user-visible, but keep it clear and polite because mistakes happen
+var noChangeFoundOK = errors.New("no change found but that's ok")
+
+func (l *changeIDMixin) GetChangeID() (string, error) {
 	if l.Positional.ID == "" && l.LastChangeType == "" {
 		return "", fmt.Errorf(i18n.G("please provide change ID or type with --last=<type>"))
 	}
@@ -57,20 +63,33 @@
 		return string(l.Positional.ID), nil
 	}
 
+	cli := l.client
+	// note that at this point we know l.LastChangeType != ""
 	kind := l.LastChangeType
+	optional := false
+	if l := len(kind) - 1; kind[l] == '?' {
+		optional = true
+		kind = kind[:l]
+	}
 	// our internal change types use "-snap" postfix but let user skip it and use short form.
 	if kind == "refresh" || kind == "install" || kind == "remove" || kind == "connect" || kind == "disconnect" || kind == "configure" || kind == "try" {
 		kind += "-snap"
 	}
-	changes, err := cli.Changes(&client.ChangesOptions{Selector: client.ChangesAll})
+	changes, err := queryChanges(cli, &client.ChangesOptions{Selector: client.ChangesAll})
 	if err != nil {
 		return "", err
 	}
 	if len(changes) == 0 {
+		if optional {
+			return "", noChangeFoundOK
+		}
 		return "", fmt.Errorf(i18n.G("no changes found"))
 	}
 	chg := findLatestChangeByKind(changes, kind)
 	if chg == nil {
+		if optional {
+			return "", noChangeFoundOK
+		}
 		return "", fmt.Errorf(i18n.G("no changes of type %q found"), l.LastChangeType)
 	}
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/main.go snapd-2.37~rc1~14.04/cmd/snap/main.go
--- snapd-2.32.3.2~14.04/cmd/snap/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,8 +22,10 @@
 import (
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"unicode"
 	"unicode/utf8"
@@ -39,6 +41,7 @@
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 )
 
@@ -88,6 +91,7 @@
 	optDescs                  map[string]string
 	argDescs                  []argDesc
 	alias                     string
+	extra                     func(*flags.Command)
 }
 
 // commands holds information about all non-debug commands.
@@ -114,12 +118,14 @@
 // addDebugCommand replaces parser.addCommand() in a way that is
 // compatible with re-constructing a pristine parser. It is meant for
 // adding debug commands.
-func addDebugCommand(name, shortHelp, longHelp string, builder func() flags.Commander) *cmdInfo {
+func addDebugCommand(name, shortHelp, longHelp string, builder func() flags.Commander, optDescs map[string]string, argDescs []argDesc) *cmdInfo {
 	info := &cmdInfo{
 		name:      name,
 		shortHelp: shortHelp,
 		longHelp:  longHelp,
 		builder:   builder,
+		optDescs:  optDescs,
+		argDescs:  argDescs,
 	}
 	debugCommands = append(debugCommands, info)
 	return info
@@ -152,35 +158,84 @@
 
 func lintArg(cmdName, optName, desc, origDesc string) {
 	lintDesc(cmdName, optName, desc, origDesc)
-	if optName[0] != '<' || optName[len(optName)-1] != '>' {
-		noticef("argument %q's %q should be wrapped in <>s", cmdName, optName)
+	if len(optName) > 0 && optName[0] == '<' && optName[len(optName)-1] == '>' {
+		return
+	}
+	if len(optName) > 0 && optName[0] == '<' && strings.HasSuffix(optName, ">s") {
+		// see comment in fixupArg about the >s case
+		return
 	}
+	noticef("argument %q's %q should begin with < and end with >", cmdName, optName)
+}
+
+func fixupArg(optName string) string {
+	// Due to misunderstanding some localized versions of option name are
+	// literally "<option>s" instead of "<option>". While translators can
+	// improve this over time we can be smarter and avoid silly messages
+	// logged whenever "snap" command is used.
+	//
+	// See: https://bugs.launchpad.net/snapd/+bug/1806761
+	if strings.HasSuffix(optName, ">s") {
+		return optName[:len(optName)-1]
+	}
+	return optName
+}
+
+type clientSetter interface {
+	setClient(*client.Client)
+}
+
+type clientMixin struct {
+	client *client.Client
+}
+
+func (ch *clientMixin) setClient(cli *client.Client) {
+	ch.client = cli
+}
+
+func firstNonOptionIsRun() bool {
+	if len(os.Args) < 2 {
+		return false
+	}
+	for _, arg := range os.Args[1:] {
+		if len(arg) == 0 || arg[0] == '-' {
+			continue
+		}
+		return arg == "run"
+	}
+	return false
 }
 
 // Parser creates and populates a fresh parser.
 // Since commands have local state a fresh parser is required to isolate tests
 // from each other.
-func Parser() *flags.Parser {
+func Parser(cli *client.Client) *flags.Parser {
 	optionsData.Version = func() {
-		printVersions()
+		printVersions(cli)
 		panic(&exitStatus{0})
 	}
-	parser := flags.NewParser(&optionsData, flags.HelpFlag|flags.PassDoubleDash|flags.PassAfterNonOption)
+	flagopts := flags.Options(flags.PassDoubleDash)
+	if firstNonOptionIsRun() {
+		flagopts |= flags.PassAfterNonOption
+	}
+	parser := flags.NewParser(&optionsData, flagopts)
 	parser.ShortDescription = i18n.G("Tool to interact with snaps")
-	parser.LongDescription = i18n.G(`
-Install, configure, refresh and remove snap packages. Snaps are
-'universal' packages that work across many different Linux systems,
-enabling secure distribution of the latest apps and utilities for
-cloud, servers, desktops and the internet of things.
-
-This is the CLI for snapd, a background service that takes care of
-snaps on the system. Start with 'snap list' to see installed snaps.
-`)
-	parser.FindOptionByLongName("version").Description = i18n.G("Print the version and exit")
+	parser.LongDescription = longSnapDescription
+	// hide the unhelpful "[OPTIONS]" from help output
+	parser.Usage = ""
+	if version := parser.FindOptionByLongName("version"); version != nil {
+		version.Description = i18n.G("Print the version and exit")
+		version.Hidden = true
+	}
+	// add --help like what go-flags would do for us, but hidden
+	addHelp(parser)
 
 	// Add all regular commands
 	for _, c := range commands {
 		obj := c.builder()
+		if x, ok := obj.(clientSetter); ok {
+			x.setClient(cli)
+		}
 		if x, ok := obj.(parserSetter); ok {
 			x.setParser(parser)
 		}
@@ -224,9 +279,13 @@
 				desc = c.argDescs[i].desc
 			}
 			lintArg(c.name, name, desc, arg.Description)
+			name = fixupArg(name)
 			arg.Name = name
 			arg.Description = desc
 		}
+		if c.extra != nil {
+			c.extra(cmd)
+		}
 	}
 	// Add the debug command
 	debugCommand, err := parser.AddCommand("debug", shortDebugHelp, longDebugHelp, &cmdDebug{})
@@ -236,26 +295,81 @@
 	}
 	// Add all the sub-commands of the debug command
 	for _, c := range debugCommands {
-		cmd, err := debugCommand.AddCommand(c.name, c.shortHelp, strings.TrimSpace(c.longHelp), c.builder())
+		obj := c.builder()
+		if x, ok := obj.(clientSetter); ok {
+			x.setClient(cli)
+		}
+		cmd, err := debugCommand.AddCommand(c.name, c.shortHelp, strings.TrimSpace(c.longHelp), obj)
 		if err != nil {
 			logger.Panicf("cannot add debug command %q: %v", c.name, err)
 		}
 		cmd.Hidden = c.hidden
+		opts := cmd.Options()
+		if c.optDescs != nil && len(opts) != len(c.optDescs) {
+			logger.Panicf("wrong number of option descriptions for %s: expected %d, got %d", c.name, len(opts), len(c.optDescs))
+		}
+		for _, opt := range opts {
+			name := opt.LongName
+			if name == "" {
+				name = string(opt.ShortName)
+			}
+			desc, ok := c.optDescs[name]
+			if !(c.optDescs == nil || ok) {
+				logger.Panicf("%s missing description for %s", c.name, name)
+			}
+			lintDesc(c.name, name, desc, opt.Description)
+			if desc != "" {
+				opt.Description = desc
+			}
+		}
+
+		args := cmd.Args()
+		if c.argDescs != nil && len(args) != len(c.argDescs) {
+			logger.Panicf("wrong number of argument descriptions for %s: expected %d, got %d", c.name, len(args), len(c.argDescs))
+		}
+		for i, arg := range args {
+			name, desc := arg.Name, ""
+			if c.argDescs != nil {
+				name = c.argDescs[i].name
+				desc = c.argDescs[i].desc
+			}
+			lintArg(c.name, name, desc, arg.Description)
+			name = fixupArg(name)
+			arg.Name = name
+			arg.Description = desc
+		}
 	}
 	return parser
 }
 
+var isStdinTTY = terminal.IsTerminal(0)
+
 // ClientConfig is the configuration of the Client used by all commands.
 var ClientConfig = client.Config{
 	// we need the powerful snapd socket
 	Socket: dirs.SnapdSocket,
 	// Allow interactivity if we have a terminal
-	Interactive: terminal.IsTerminal(0),
+	Interactive: isStdinTTY,
 }
 
 // Client returns a new client using ClientConfig as configuration.
-func Client() *client.Client {
-	return client.New(&ClientConfig)
+// commands should (in general) not use this, and instead use clientMixin.
+func mkClient() *client.Client {
+	cli := client.New(&ClientConfig)
+	goos := runtime.GOOS
+	if release.OnWSL {
+		goos = "Windows Subsystem for Linux"
+	}
+	if goos != "linux" {
+		cli.Hijack(func(*http.Request) (*http.Response, error) {
+			fmt.Fprintf(Stderr, i18n.G(`Interacting with snapd is not yet supported on %s.
+This command has been left available for documentation purposes only.
+`), goos)
+			os.Exit(1)
+			panic("execution continued past call to exit")
+		})
+	}
+	return cli
 }
 
 func init() {
@@ -277,7 +391,7 @@
 }
 
 func main() {
-	cmd.ExecInCoreSnap()
+	cmd.ExecInSnapdOrCoreSnap()
 
 	// check for magic symlink to /usr/bin/snap:
 	// 1. symlink from command-not-found to /usr/bin/snap: run c-n-f
@@ -296,7 +410,7 @@
 			}
 		}
 		if err := cmd.Execute(nil); err != nil {
-			fmt.Fprintf(Stderr, "%s\n", err)
+			fmt.Fprintln(Stderr, err)
 		}
 		return
 	}
@@ -311,12 +425,12 @@
 			os.Exit(46)
 		}
 		cmd := &cmdRun{}
-		args := []string{snapApp}
-		args = append(args, os.Args[1:]...)
+		cmd.client = mkClient()
+		os.Args[0] = snapApp
 		// this will call syscall.Exec() so it does not return
 		// *unless* there is an error, i.e. we setup a wrong
 		// symlink (or syscall.Exec() fails for strange reasons)
-		err = cmd.Execute(args)
+		err = cmd.Execute(os.Args)
 		fmt.Fprintf(Stderr, i18n.G("internal error, please report: running %q failed: %v\n"), snapApp, err)
 		os.Exit(46)
 	}
@@ -333,6 +447,9 @@
 	// no magic /o\
 	if err := run(); err != nil {
 		fmt.Fprintf(Stderr, errorPrefix, err)
+		if client.IsRetryable(err) {
+			os.Exit(10)
+		}
 		os.Exit(1)
 	}
 }
@@ -345,30 +462,60 @@
 	return fmt.Sprintf("internal error: exitStatus{%d} being handled as normal error", e.code)
 }
 
+var wrongDashes = string([]rune{
+	0x2010, // hyphen
+	0x2011, // non-breaking hyphen
+	0x2012, // figure dash
+	0x2013, // en dash
+	0x2014, // em dash
+	0x2015, // horizontal bar
+	0xfe58, // small em dash
+	0x2015, // figure dash
+	0x2e3a, // two-em dash
+	0x2e3b, // three-em dash
+})
+
 func run() error {
-	parser := Parser()
+	cli := mkClient()
+	parser := Parser(cli)
 	_, err := parser.Parse()
 	if err != nil {
 		if e, ok := err.(*flags.Error); ok {
-			if e.Type == flags.ErrHelp || e.Type == flags.ErrCommandRequired {
-				if parser.Command.Active != nil && parser.Command.Active.Name == "help" {
-					parser.Command.Active = nil
-				}
+			switch e.Type {
+			case flags.ErrCommandRequired:
+				printShortHelp()
+				return nil
+			case flags.ErrHelp:
 				parser.WriteHelp(Stdout)
 				return nil
-			}
-			if e.Type == flags.ErrUnknownCommand {
-				return fmt.Errorf(i18n.G(`unknown command %q, see "snap --help"`), os.Args[1])
+			case flags.ErrUnknownCommand:
+				return fmt.Errorf(i18n.G(`unknown command %q, see 'snap help'`), os.Args[1])
 			}
 		}
 
 		msg, err := errorToCmdMessage("", err, nil)
+
+		if cmdline := strings.Join(os.Args, " "); strings.ContainsAny(cmdline, wrongDashes) {
+			// TRANSLATORS: the %+q is the commandline (+q means quoted, with any non-ascii character called out). Please keep the lines to at most 80 characters.
+			fmt.Fprintf(Stderr, i18n.G(`Your command included some characters that look like dashes but are not:
+    %+q
+in some situations you might find that when copying from an online source such
+as a blog you need to replace “typographic” dashes and quotes with their ASCII
+equivalent.  Dashes in particular are homoglyphs on most terminals and in most
+fixed-width fonts, so it can be hard to tell.
+
+`), cmdline)
+		}
+
 		if err != nil {
 			return err
 		}
 
-		fmt.Fprintf(Stderr, msg)
+		fmt.Fprintln(Stderr, msg)
+		return nil
 	}
 
+	maybePresentWarnings(cli.WarningsSummary())
+
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/main_test.go snapd-2.37~rc1~14.04/cmd/snap/main_test.go
--- snapd-2.32.3.2~14.04/cmd/snap/main_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,6 +28,7 @@
 	"net/http/httptest"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	. "gopkg.in/check.v1"
@@ -37,6 +38,7 @@
 	"github.com/snapcore/snapd/cmd"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	snapdsnap "github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
@@ -77,17 +79,22 @@
 	s.AuthFile = filepath.Join(c.MkDir(), "json")
 	os.Setenv(TestAuthFileEnvKey, s.AuthFile)
 
-	snapdsnap.MockSanitizePlugsSlots(func(snapInfo *snapdsnap.Info) {})
+	s.AddCleanup(snapdsnap.MockSanitizePlugsSlots(func(snapInfo *snapdsnap.Info) {}))
 
+	s.AddCleanup(interfaces.MockSystemKey(`
+{
+"build-id": "7a94e9736c091b3984bd63f5aebfc883c4d859e0",
+"apparmor-features": ["caps", "dbus"]
+}`))
 	err := os.MkdirAll(filepath.Dir(dirs.SnapSystemKeyFile), 0755)
 	c.Assert(err, IsNil)
 	err = interfaces.WriteSystemKey()
 	c.Assert(err, IsNil)
-	interfaces.MockSystemKey(`
-{
-"build-id": "7a94e9736c091b3984bd63f5aebfc883c4d859e0",
-"apparmor-features": ["caps", "dbus"]
-}`)
+
+	s.AddCleanup(snap.MockIsStdoutTTY(false))
+	s.AddCleanup(snap.MockIsStdinTTY(false))
+
+	s.AddCleanup(snap.MockSELinuxIsEnabled(func() (bool, error) { return false, nil }))
 }
 
 func (s *BaseSnapSuite) TearDownTest(c *C) {
@@ -254,7 +261,7 @@
 	defer restore()
 
 	err := snap.RunMain()
-	c.Assert(err, ErrorMatches, `unknown command "unknowncmd", see "snap --help"`)
+	c.Assert(err, ErrorMatches, `unknown command "unknowncmd", see 'snap help'`)
 }
 
 func (s *SnapSuite) TestResolveApp(c *C) {
@@ -292,3 +299,102 @@
 	_, err = snap.ResolveApp("baz")
 	c.Check(err, NotNil)
 }
+
+func (s *SnapSuite) TestFirstNonOptionIsRun(c *C) {
+	osArgs := os.Args
+	defer func() {
+		os.Args = osArgs
+	}()
+	for _, negative := range []string{
+		"",
+		"snap",
+		"snap verb",
+		"snap verb --flag arg",
+		"snap verb arg --flag",
+		"snap --global verb --flag arg",
+	} {
+		os.Args = strings.Fields(negative)
+		c.Check(snap.FirstNonOptionIsRun(), Equals, false)
+	}
+
+	for _, positive := range []string{
+		"snap run",
+		"snap run --flag",
+		"snap run --flag arg",
+		"snap run arg --flag",
+		"snap --global run",
+		"snap --global run --flag",
+		"snap --global run --flag arg",
+		"snap --global run arg --flag",
+	} {
+		os.Args = strings.Fields(positive)
+		c.Check(snap.FirstNonOptionIsRun(), Equals, true)
+	}
+}
+
+func (s *SnapSuite) TestLintDesc(c *C) {
+	log, restore := logger.MockLogger()
+	defer restore()
+
+	// LintDesc is happy about capitalized description.
+	snap.LintDesc("command", "<option>", "Description ...", "")
+	c.Check(log.String(), HasLen, 0)
+	log.Reset()
+
+	// LintDesc complains about lowercase description.
+	snap.LintDesc("command", "<option>", "description", "")
+	c.Check(log.String(), testutil.Contains, `description of command's "<option>" is lowercase: "description"`)
+	log.Reset()
+
+	// LintDesc does not complain about lowercase description starting with login.ubuntu.com
+	snap.LintDesc("command", "<option>", "login.ubuntu.com description", "")
+	c.Check(log.String(), HasLen, 0)
+	log.Reset()
+
+	// LintDesc panics when original description is present.
+	fn := func() {
+		snap.LintDesc("command", "<option>", "description", "original description")
+	}
+	c.Check(fn, PanicMatches, `description of command's "<option>" of "original description" set from tag \(=> no i18n\)`)
+	log.Reset()
+
+	// LintDesc panics when option name is empty.
+	fn = func() {
+		snap.LintDesc("command", "", "description", "")
+	}
+	c.Check(fn, PanicMatches, `option on "command" has no name`)
+	log.Reset()
+}
+
+func (s *SnapSuite) TestLintArg(c *C) {
+	log, restore := logger.MockLogger()
+	defer restore()
+
+	// LintArg is happy when option is enclosed with < >.
+	snap.LintArg("command", "<option>", "Description", "")
+	c.Check(log.String(), HasLen, 0)
+	log.Reset()
+
+	// LintArg complains about when option is not properly enclosed with < >.
+	snap.LintArg("command", "option", "Description", "")
+	c.Check(log.String(), testutil.Contains, `argument "command"'s "option" should begin with < and end with >`)
+	log.Reset()
+	snap.LintArg("command", "<option", "Description", "")
+	c.Check(log.String(), testutil.Contains, `argument "command"'s "<option" should begin with < and end with >`)
+	log.Reset()
+	snap.LintArg("command", "option>", "Description", "")
+	c.Check(log.String(), testutil.Contains, `argument "command"'s "option>" should begin with < and end with >`)
+	log.Reset()
+
+	// LintArg ignores the special case of <option>s.
+	snap.LintArg("command", "<option>s", "Description", "")
+	c.Check(log.String(), HasLen, 0)
+	log.Reset()
+}
+
+func (s *SnapSuite) TestFixupArg(c *C) {
+	c.Check(snap.FixupArg("option"), Equals, "option")
+	c.Check(snap.FixupArg("<option>"), Equals, "<option>")
+	// Trailing ">s" is fixed to just >.
+	c.Check(snap.FixupArg("<option>s"), Equals, "<option>")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/times.go snapd-2.37~rc1~14.04/cmd/snap/times.go
--- snapd-2.32.3.2~14.04/cmd/snap/times.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/times.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,63 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"strings"
+	"time"
+
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/strutil/quantity"
+	"github.com/snapcore/snapd/timeutil"
+)
+
+var timeutilHuman = timeutil.Human
+
+type timeMixin struct {
+	AbsTime bool `long:"abs-time"`
+}
+
+var timeDescs = mixinDescs{
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"abs-time": i18n.G("Display absolute times (in RFC 3339 format). Otherwise, display relative times up to 60 days, then YYYY-MM-DD."),
+}
+
+func (mx timeMixin) fmtTime(t time.Time) string {
+	if mx.AbsTime {
+		return t.Format(time.RFC3339)
+	}
+	return timeutilHuman(t)
+}
+
+type durationMixin struct {
+	AbsTime bool `long:"abs-time"`
+}
+
+var durationDescs = mixinDescs{
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"abs-time": i18n.G("Display absolute times (in RFC 3339 format). Otherwise, display short relative times."),
+}
+
+func (mx durationMixin) fmtDuration(t time.Time) string {
+	if mx.AbsTime {
+		return t.Format(time.RFC3339)
+	}
+	return strings.TrimSpace(quantity.FormatDuration(time.Since(t).Seconds()))
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap/wait.go snapd-2.37~rc1~14.04/cmd/snap/wait.go
--- snapd-2.32.3.2~14.04/cmd/snap/wait.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap/wait.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,166 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"os/signal"
+	"time"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/progress"
+)
+
+var (
+	maxGoneTime = 5 * time.Second
+	pollTime    = 100 * time.Millisecond
+)
+
+type waitMixin struct {
+	clientMixin
+	NoWait    bool `long:"no-wait"`
+	skipAbort bool
+}
+
+var waitDescs = mixinDescs{
+	// TRANSLATORS: This should not start with a lowercase letter.
+	"no-wait": i18n.G("Do not wait for the operation to finish but just print the change id."),
+}
+
+var noWait = errors.New("no wait for op")
+
+func (wmx waitMixin) wait(id string) (*client.Change, error) {
+	if wmx.NoWait {
+		fmt.Fprintf(Stdout, "%s\n", id)
+		return nil, noWait
+	}
+	cli := wmx.client
+	// Intercept sigint
+	c := make(chan os.Signal, 2)
+	signal.Notify(c, os.Interrupt)
+	go func() {
+		sig := <-c
+		// sig is nil if c was closed
+		if sig == nil || wmx.skipAbort {
+			return
+		}
+		_, err := wmx.client.Abort(id)
+		if err != nil {
+			fmt.Fprintf(Stderr, err.Error()+"\n")
+		}
+	}()
+
+	pb := progress.MakeProgressBar()
+	defer func() {
+		pb.Finished()
+		// next two not strictly needed for CLI, but without
+		// them the tests will leak goroutines.
+		signal.Stop(c)
+		close(c)
+	}()
+
+	tMax := time.Time{}
+
+	var lastID string
+	lastLog := map[string]string{}
+	for {
+		var rebootingErr error
+		chg, err := cli.Change(id)
+		if err != nil {
+			// a client.Error means we were able to communicate with
+			// the server (got an answer)
+			if e, ok := err.(*client.Error); ok {
+				return nil, e
+			}
+
+			// an non-client error here means the server most
+			// likely went away
+			// XXX: it actually can be a bunch of other things; fix client to expose it better
+			now := time.Now()
+			if tMax.IsZero() {
+				tMax = now.Add(maxGoneTime)
+			}
+			if now.After(tMax) {
+				return nil, err
+			}
+			pb.Spin(i18n.G("Waiting for server to restart"))
+			time.Sleep(pollTime)
+			continue
+		}
+		if maintErr, ok := cli.Maintenance().(*client.Error); ok && maintErr.Kind == client.ErrorKindSystemRestart {
+			rebootingErr = maintErr
+		}
+		if !tMax.IsZero() {
+			pb.Finished()
+			tMax = time.Time{}
+		}
+
+		for _, t := range chg.Tasks {
+			switch {
+			case t.Status != "Doing":
+				continue
+			case t.Progress.Total == 1:
+				pb.Spin(t.Summary)
+				nowLog := lastLogStr(t.Log)
+				if lastLog[t.ID] != nowLog {
+					pb.Notify(nowLog)
+					lastLog[t.ID] = nowLog
+				}
+			case t.ID == lastID:
+				pb.Set(float64(t.Progress.Done))
+			default:
+				pb.Start(t.Summary, float64(t.Progress.Total))
+				lastID = t.ID
+			}
+			break
+		}
+
+		if chg.Ready {
+			if chg.Status == "Done" {
+				return chg, nil
+			}
+
+			if chg.Err != "" {
+				return chg, errors.New(chg.Err)
+			}
+
+			return nil, fmt.Errorf(i18n.G("change finished in status %q with no error message"), chg.Status)
+		}
+
+		if rebootingErr != nil {
+			return nil, rebootingErr
+		}
+
+		// note this very purposely is not a ticker; we want
+		// to sleep 100ms between calls, not call once every
+		// 100ms.
+		time.Sleep(pollTime)
+	}
+}
+
+func lastLogStr(logs []string) string {
+	if len(logs) == 0 {
+		return ""
+	}
+	return logs[len(logs)-1]
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/apparmor-support.c snapd-2.37~rc1~14.04/cmd/snap-confine/apparmor-support.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/apparmor-support.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/apparmor-support.c	1970-01-01 00:00:00.000000000 +0000
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "apparmor-support.h"
-
-#include <string.h>
-#include <errno.h>
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif				// ifdef HAVE_APPARMOR
-
-#include "../libsnap-confine-private/cleanup-funcs.h"
-#include "../libsnap-confine-private/utils.h"
-
-// NOTE: Those constants map exactly what apparmor is returning and cannot be
-// changed without breaking apparmor functionality.
-#define SC_AA_ENFORCE_STR "enforce"
-#define SC_AA_COMPLAIN_STR "complain"
-#define SC_AA_MIXED_STR "mixed"
-#define SC_AA_UNCONFINED_STR "unconfined"
-
-void sc_init_apparmor_support(struct sc_apparmor *apparmor)
-{
-#ifdef HAVE_APPARMOR
-	// Use aa_is_enabled() to see if apparmor is available in the kernel and
-	// enabled at boot time. If it isn't log a diagnostic message and assume
-	// we're not confined.
-	if (aa_is_enabled() != true) {
-		switch (errno) {
-		case ENOSYS:
-			debug
-			    ("apparmor extensions to the system are not available");
-			break;
-		case ECANCELED:
-			debug
-			    ("apparmor is available on the system but has been disabled at boot");
-			break;
-		case ENOENT:
-			debug
-			    ("apparmor is available but the interface but the interface is not available");
-			break;
-		case EPERM:
-			// NOTE: fall-through
-		case EACCES:
-			debug
-			    ("insufficient permissions to determine if apparmor is enabled");
-			break;
-		default:
-			debug("apparmor is not enabled: %s", strerror(errno));
-			break;
-		}
-		apparmor->is_confined = false;
-		apparmor->mode = SC_AA_NOT_APPLICABLE;
-		return;
-	}
-	// Use aa_getcon() to check the label of the current process and
-	// confinement type. Note that the returned label must be released with
-	// free() but the mode is a constant string that must not be freed.
-	char *label SC_CLEANUP(sc_cleanup_string) = NULL;
-	char *mode = NULL;
-	if (aa_getcon(&label, &mode) < 0) {
-		die("cannot query current apparmor profile");
-	}
-	debug("apparmor label on snap-confine is: %s", label);
-	debug("apparmor mode is: %s", mode);
-	// The label has a special value "unconfined" that is applied to all
-	// processes without a dedicated profile. If that label is used then the
-	// current process is not confined. All other labels imply confinement.
-	if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) == 0) {
-		apparmor->is_confined = false;
-	} else {
-		apparmor->is_confined = true;
-	}
-	// There are several possible results for the confinement type (mode) that
-	// are checked for below.
-	if (mode != NULL && strcmp(mode, SC_AA_COMPLAIN_STR) == 0) {
-		apparmor->mode = SC_AA_COMPLAIN;
-	} else if (mode != NULL && strcmp(mode, SC_AA_ENFORCE_STR) == 0) {
-		apparmor->mode = SC_AA_ENFORCE;
-	} else if (mode != NULL && strcmp(mode, SC_AA_MIXED_STR) == 0) {
-		apparmor->mode = SC_AA_MIXED;
-	} else {
-		apparmor->mode = SC_AA_INVALID;
-	}
-#else
-	apparmor->mode = SC_AA_NOT_APPLICABLE;
-	apparmor->is_confined = false;
-#endif				// ifdef HAVE_APPARMOR
-}
-
-void
-sc_maybe_aa_change_onexec(struct sc_apparmor *apparmor, const char *profile)
-{
-#ifdef HAVE_APPARMOR
-	if (apparmor->mode == SC_AA_NOT_APPLICABLE) {
-		return;
-	}
-	debug("requesting changing of apparmor profile on next exec to %s",
-	      profile);
-	if (aa_change_onexec(profile) < 0) {
-		if (secure_getenv("SNAPPY_LAUNCHER_INSIDE_TESTS") == NULL) {
-			die("cannot change profile for the next exec call");
-		}
-	}
-#endif				// ifdef HAVE_APPARMOR
-}
-
-void
-sc_maybe_aa_change_hat(struct sc_apparmor *apparmor,
-		       const char *subprofile, unsigned long magic_token)
-{
-#ifdef HAVE_APPARMOR
-	if (apparmor->mode == SC_AA_NOT_APPLICABLE) {
-		return;
-	}
-	if (apparmor->is_confined) {
-		debug("changing apparmor hat to %s", subprofile);
-		if (aa_change_hat(subprofile, magic_token) < 0) {
-			die("cannot change apparmor hat");
-		}
-	}
-#endif				// ifdef HAVE_APPARMOR
-}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/apparmor-support.h snapd-2.37~rc1~14.04/cmd/snap-confine/apparmor-support.h
--- snapd-2.32.3.2~14.04/cmd/snap-confine/apparmor-support.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/apparmor-support.h	1970-01-01 00:00:00.000000000 +0000
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#ifndef SNAP_CONFINE_APPARMOR_SUPPORT_H
-#define SNAP_CONFINE_APPARMOR_SUPPORT_H
-
-#include <stdbool.h>
-
-/**
- * Type of apparmor confinement.
- **/
-enum sc_apparmor_mode {
-	// The enforcement mode was not recognized.
-	SC_AA_INVALID = -1,
-	// The enforcement mode is not applicable because apparmor is disabled.
-	SC_AA_NOT_APPLICABLE = 0,
-	// The enforcement mode is "enforcing"
-	SC_AA_ENFORCE = 1,
-	// The enforcement mode is "complain"
-	SC_AA_COMPLAIN,
-	// The enforcement mode is "mixed"
-	SC_AA_MIXED,
-};
-
-/**
- * Data required to manage apparmor wrapper.
- **/
-struct sc_apparmor {
-	// The mode of enforcement. In addition to the two apparmor defined modes
-	// can be also SC_AA_INVALID (unknown mode reported by apparmor) and
-	// SC_AA_NOT_APPLICABLE (when we're not linked with apparmor).
-	enum sc_apparmor_mode mode;
-	// Flag indicating that the current process is confined.
-	bool is_confined;
-};
-
-/**
- * Initialize apparmor support.
- *
- * This operation should be done even when apparmor support is disabled at
- * compile time. Internally the supplied structure is initialized based on the
- * information returned from aa_getcon(2) or if apparmor is disabled at compile
- * time, with built-in constants.
- *
- * The main action performed here is to check if snap-confine is currently
- * confined, this information is used later in sc_maybe_change_apparmor_hat()
- *
- * As with many functions in the snap-confine tree, all errors result in
- * process termination.
- **/
-void sc_init_apparmor_support(struct sc_apparmor *apparmor);
-
-/**
- * Maybe call aa_change_onexec(2)
- *
- * This function does nothing when apparmor support is not enabled at compile
- * time. If apparmor is enabled then profile change request is attempted.
- *
- * As with many functions in the snap-confine tree, all errors result in
- * process termination. As an exception, when SNAPPY_LAUNCHER_INSIDE_TESTS
- * environment variable is set then the process is not terminated.
- **/
-void
-sc_maybe_aa_change_onexec(struct sc_apparmor *apparmor, const char *profile);
-
-/**
- * Maybe call aa_change_hat(2)
- *
- * This function does nothing when apparmor support is not enabled at compile
- * time. If apparmor is enabled then hat change is attempted.
- *
- * As with many functions in the snap-confine tree, all errors result in
- * process termination.
- **/
-void
-sc_maybe_aa_change_hat(struct sc_apparmor *apparmor,
-		       const char *subprofile, unsigned long magic_token);
-
-#endif
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/mount-support.c snapd-2.37~rc1~14.04/cmd/snap-confine/mount-support.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/mount-support.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/mount-support.c	2019-01-16 08:36:51.000000000 +0000
@@ -14,7 +14,10 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  *
  */
+#ifdef HAVE_CONFIG_H
 #include "config.h"
+#endif
+
 #include "mount-support.h"
 
 #include <errno.h>
@@ -33,18 +36,17 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
-#include <libgen.h>
 
+#include "../libsnap-confine-private/apparmor-support.h"
 #include "../libsnap-confine-private/classic.h"
 #include "../libsnap-confine-private/cleanup-funcs.h"
 #include "../libsnap-confine-private/mount-opt.h"
 #include "../libsnap-confine-private/mountinfo.h"
 #include "../libsnap-confine-private/snap.h"
 #include "../libsnap-confine-private/string-utils.h"
+#include "../libsnap-confine-private/tool.h"
 #include "../libsnap-confine-private/utils.h"
 #include "mount-support-nvidia.h"
-#include "apparmor-support.h"
-#include "quirks.h"
 
 #define MAX_BUF 1000
 
@@ -76,10 +78,7 @@
 	}
 	// now we create a 1777 /tmp inside our private dir
 	mode_t old_mask = umask(0);
-	char *d = strdup(tmpdir);
-	if (!d) {
-		die("cannot allocate memory for string copy");
-	}
+	char *d = sc_strdup(tmpdir);
 	sc_must_snprintf(tmpdir, sizeof(tmpdir), "%s/tmp", d);
 	free(d);
 
@@ -140,73 +139,24 @@
 	sc_do_mount("/dev/pts/ptmx", "/dev/ptmx", "none", MS_BIND, 0);
 }
 
-/**
- * Setup mount profiles by running snap-update-ns.
- *
- * The first argument is an open file descriptor (though opened with O_PATH, so
- * not as powerful), to a copy of snap-update-ns. The program is opened before
- * the root filesystem is pivoted so that it is easier to pick the right copy.
- **/
-static void sc_setup_mount_profiles(struct sc_apparmor *apparmor,
-				    int snap_update_ns_fd,
-				    const char *snap_name)
-{
-	debug("calling snap-update-ns to initialize mount namespace");
-	pid_t child = fork();
-	if (child < 0) {
-		die("cannot fork to run snap-update-ns");
-	}
-	if (child == 0) {
-		// We are the child, execute snap-update-ns under a dedicated profile.
-		char profile[PATH_MAX] = { 0 };
-		sc_must_snprintf(profile, sizeof profile, "snap-update-ns.%s",
-				 snap_name);
-		debug("launching snap-update-ns under per-snap profile %s",
-		      profile);
-		sc_maybe_aa_change_onexec(apparmor, profile);
-		char *snap_name_copy SC_CLEANUP(sc_cleanup_string) = NULL;
-		snap_name_copy = strdup(snap_name);
-		if (snap_name_copy == NULL) {
-			die("cannot copy snap name");
-		}
-		char *argv[] = {
-			"snap-update-ns", "--from-snap-confine", snap_name_copy,
-			NULL
-		};
-		char *envp[3] = { NULL };
-		if (sc_is_debug_enabled()) {
-			envp[0] = "SNAPD_DEBUG=1";
-		}
-		debug("fexecv(%d (snap-update-ns), %s %s %s,)",
-		      snap_update_ns_fd, argv[0], argv[1], argv[2]);
-		fexecve(snap_update_ns_fd, argv, envp);
-		die("cannot execute snap-update-ns");
-	}
-	// We are the parent, so wait for snap-update-ns to finish.
-	int status = 0;
-	debug("waiting for snap-update-ns to finish...");
-	if (waitpid(child, &status, 0) < 0) {
-		die("waitpid() failed for snap-update-ns process");
-	}
-	if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
-		die("snap-update-ns failed with code %i", WEXITSTATUS(status));
-	} else if (WIFSIGNALED(status)) {
-		die("snap-update-ns killed by signal %i", WTERMSIG(status));
-	}
-	debug("snap-update-ns finished successfully");
-}
-
 struct sc_mount {
 	const char *path;
 	bool is_bidirectional;
+	// Alternate path defines the rbind mount "alternative" of path.
+	// It exists so that we can make /media on systems that use /run/media.
+	const char *altpath;
+	// Optional mount points are not processed unless the source and
+	// destination both exist.
+	bool is_optional;
 };
 
 struct sc_mount_config {
 	const char *rootfs_dir;
 	// The struct is terminated with an entry with NULL path.
 	const struct sc_mount *mounts;
-	bool on_classic_distro;
-	bool uses_base_snap;
+	sc_distro distro;
+	bool normal_mode;
+	const char *base_snap_name;
 };
 
 /**
@@ -297,15 +247,43 @@
 		}
 		sc_must_snprintf(dst, sizeof dst, "%s/%s", scratch_dir,
 				 mnt->path);
-		sc_do_mount(mnt->path, dst, NULL, MS_REC | MS_BIND, NULL);
+		if (mnt->is_optional) {
+			bool ok = sc_do_optional_mount(mnt->path, dst, NULL,
+						       MS_REC | MS_BIND, NULL);
+			if (!ok) {
+				// If we cannot mount it, just continue.
+				continue;
+			}
+		} else {
+			sc_do_mount(mnt->path, dst, NULL, MS_REC | MS_BIND,
+				    NULL);
+		}
 		if (!mnt->is_bidirectional) {
 			// Mount events will only propagate inwards to the namespace. This
 			// way the running application cannot alter any global state apart
 			// from that of its own snap.
 			sc_do_mount("none", dst, NULL, MS_REC | MS_SLAVE, NULL);
 		}
+		if (mnt->altpath == NULL) {
+			continue;
+		}
+		// An alternate path of mnt->path is provided at another location.
+		// It should behave exactly the same as the original.
+		sc_must_snprintf(dst, sizeof dst, "%s/%s", scratch_dir,
+				 mnt->altpath);
+		struct stat stat_buf;
+		if (lstat(dst, &stat_buf) < 0) {
+			die("cannot lstat %s", dst);
+		}
+		if ((stat_buf.st_mode & S_IFMT) == S_IFLNK) {
+			die("cannot bind mount alternate path over a symlink: %s", dst);
+		}
+		sc_do_mount(mnt->path, dst, NULL, MS_REC | MS_BIND, NULL);
+		if (!mnt->is_bidirectional) {
+			sc_do_mount("none", dst, NULL, MS_REC | MS_SLAVE, NULL);
+		}
 	}
-	if (config->on_classic_distro) {
+	if (config->normal_mode) {
 		// Since we mounted /etc from the host filesystem to the scratch directory,
 		// we may need to put certain directories from the desired root filesystem
 		// (e.g. the core snap) back. This way the behavior of running snaps is not
@@ -336,7 +314,15 @@
 			}
 		}
 	}
-	if (config->uses_base_snap) {
+	// The "core" base snap is special as it contains snapd and friends.
+	// Other base snaps do not, so whenever a base snap other than core is
+	// in use we need extra provisions for setting up internal tooling to
+	// be available.
+	//
+	// However on a core18 (and similar) system the core snap is not
+	// a special base anymore and we should map our own tooling in.
+	if (config->distro == SC_DISTRO_CORE_OTHER
+	    || !sc_streq(config->base_snap_name, "core")) {
 		// when bases are used we need to bind-mount the libexecdir
 		// (that contains snap-exec) into /usr/lib/snapd of the
 		// base snap so that snap-exec is available for the snaps
@@ -348,7 +334,7 @@
 				 scratch_dir);
 
 		// bind mount the current $ROOT/usr/lib/snapd path,
-		// where $ROOT is either "/" or the "/snap/core/current"
+		// where $ROOT is either "/" or the "/snap/{core,snapd}/current"
 		// that we are re-execing from
 		char *src = NULL;
 		char self[PATH_MAX + 1] = { 0 };
@@ -357,7 +343,7 @@
 		}
 		// this cannot happen except when the kernel is buggy
 		if (strstr(self, "/snap-confine") == NULL) {
-			die("cannot use result from readlink: %s", src);
+			die("cannot use result from readlink: %s", self);
 		}
 		src = dirname(self);
 		// dirname(path) might return '.' depending on path.
@@ -369,17 +355,6 @@
 
 		sc_do_mount(src, dst, NULL, MS_BIND | MS_RDONLY, NULL);
 		sc_do_mount("none", dst, NULL, MS_SLAVE, NULL);
-
-		// FIXME: snapctl tool - our apparmor policy wants it in
-		//        /usr/bin/snapctl, we will need an empty file
-		//        here from the base snap or we need to move it
-		//        into a different location and just symlink it
-		//        (/usr/lib/snapd/snapctl -> /usr/bin/snapctl)
-		//        and in the base snap case adjust PATH
-		//src = "/usr/bin/snapctl";
-		//sc_must_snprintf(dst, sizeof dst, "%s%s", scratch_dir, src);
-		//sc_do_mount(src, dst, NULL, MS_REC | MS_BIND, NULL);
-		//sc_do_mount("none", dst, NULL, MS_REC | MS_SLAVE, NULL);
 	}
 	// Bind mount the directory where all snaps are mounted. The location of
 	// the this directory on the host filesystem may not match the location in
@@ -424,7 +399,7 @@
 	// uniform way after pivot_root but this is good enough and requires less
 	// code changes the nvidia code assumes it has access to the existing
 	// pre-pivot filesystem.
-	if (config->on_classic_distro) {
+	if (config->distro == SC_DISTRO_CLASSIC) {
 		sc_mount_nvidia_driver(scratch_dir);
 	}
 	// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@@ -543,34 +518,6 @@
 	return false;
 }
 
-int sc_open_snap_update_ns(void)
-{
-	// +1 is for the case where the link is exactly PATH_MAX long but we also
-	// want to store the terminating '\0'. The readlink system call doesn't add
-	// terminating null, but our initialization of buf handles this for us.
-	char buf[PATH_MAX + 1] = { 0 };
-	if (readlink("/proc/self/exe", buf, sizeof buf) < 0) {
-		die("cannot readlink /proc/self/exe");
-	}
-	if (buf[0] != '/') {	// this shouldn't happen, but make sure have absolute path
-		die("readlink /proc/self/exe returned relative path");
-	}
-	char *bufcopy SC_CLEANUP(sc_cleanup_string) = NULL;
-	bufcopy = strdup(buf);
-	if (bufcopy == NULL) {
-		die("cannot copy buffer");
-	}
-	char *dname = dirname(bufcopy);
-	sc_must_snprintf(buf, sizeof buf, "%s/%s", dname, "snap-update-ns");
-	debug("snap-update-ns executable: %s", buf);
-	int fd = open(buf, O_PATH | O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
-	if (fd < 0) {
-		die("cannot open snap-update-ns executable");
-	}
-	debug("opened snap-update-ns executable as file descriptor %d", fd);
-	return fd;
-}
-
 void sc_populate_mount_ns(struct sc_apparmor *apparmor, int snap_update_ns_fd,
 			  const char *base_snap_name, const char *snap_name)
 {
@@ -582,11 +529,11 @@
 	if (vanilla_cwd == NULL) {
 		die("cannot get the current working directory");
 	}
-
-	bool on_classic_distro = is_running_on_classic_distribution();
-	// on classic or with alternative base snaps we need to setup
-	// a different confinement
-	if (on_classic_distro || !sc_streq(base_snap_name, "core")) {
+	// Classify the current distribution, as claimed by /etc/os-release.
+	sc_distro distro = sc_classify_distro();
+	// Check which mode we should run in, normal or legacy.
+	if (sc_should_use_normal_mode(distro, base_snap_name)) {
+		// In normal mode we use the base snap as / and set up several bind mounts.
 		const struct sc_mount mounts[] = {
 			{"/dev"},	// because it contains devices on host OS
 			{"/etc"},	// because that's where /etc/resolv.conf lives, perhaps a bad idea
@@ -599,15 +546,20 @@
 			{"/var/lib/snapd"},	// to get access to snapd state and seccomp profiles
 			{"/var/tmp"},	// to get access to the other temporary directory
 			{"/run"},	// to get /run with sockets and what not
-			{"/lib/modules"},	// access to the modules of the running kernel
+			{"/lib/modules",.is_optional = true},	// access to the modules of the running kernel
 			{"/usr/src"},	// FIXME: move to SecurityMounts in system-trace interface
 			{"/var/log"},	// FIXME: move to SecurityMounts in log-observe interface
 #ifdef MERGED_USR
-			{"/run/media", true},	// access to the users removable devices
+			{"/run/media", true, "/media"},	// access to the users removable devices
 #else
 			{"/media", true},	// access to the users removable devices
 #endif				// MERGED_USR
 			{"/run/netns", true},	// access to the 'ip netns' network namespaces
+			// The /mnt directory is optional in base snaps to ensure backwards
+			// compatibility with the first version of base snaps that was
+			// released.
+			{"/mnt",.is_optional = true},	// to support the removable-media interface
+			{"/var/lib/extrausers",.is_optional = true},	// access to UID/GID of extrausers (if available)
 			{},
 		};
 		char rootfs_dir[PATH_MAX] = { 0 };
@@ -631,30 +583,30 @@
 			}
 			die("cannot locate the base snap: %s", base_snap_name);
 		}
-		struct sc_mount_config classic_config = {
+		struct sc_mount_config normal_config = {
 			.rootfs_dir = rootfs_dir,
 			.mounts = mounts,
-			.on_classic_distro = true,
-			.uses_base_snap = !sc_streq(base_snap_name, "core"),
+			.distro = distro,
+			.normal_mode = true,
+			.base_snap_name = base_snap_name,
 		};
-		sc_bootstrap_mount_namespace(&classic_config);
+		sc_bootstrap_mount_namespace(&normal_config);
 	} else {
-		// This is what happens on an all-snap system. The rootfs we start with
-		// is the real outer rootfs.  There are no unidirectional bind mounts
-		// needed because everything is already OK. We still keep the
-		// bidirectional /media mount point so that snaps designed for mounting
-		// filesystems can use that space for whatever they need.
+		// In legacy mode we don't pivot and instead just arrange bi-
+		// directional mount propagation for two directories.
 		const struct sc_mount mounts[] = {
 			{"/media", true},
 			{"/run/netns", true},
 			{},
 		};
-		struct sc_mount_config all_snap_config = {
+		struct sc_mount_config legacy_config = {
 			.rootfs_dir = "/",
 			.mounts = mounts,
-			.uses_base_snap = !sc_streq(base_snap_name, "core"),
+			.distro = distro,
+			.normal_mode = false,
+			.base_snap_name = base_snap_name,
 		};
-		sc_bootstrap_mount_namespace(&all_snap_config);
+		sc_bootstrap_mount_namespace(&legacy_config);
 	}
 
 	// set up private mounts
@@ -665,12 +617,8 @@
 	// TODO: fold this into bootstrap
 	setup_private_pts();
 
-	// setup quirks for specific snaps
-	if (on_classic_distro) {
-		sc_setup_quirks();
-	}
 	// setup the security backend bind mounts
-	sc_setup_mount_profiles(apparmor, snap_update_ns_fd, snap_name);
+	sc_call_snap_update_ns(snap_update_ns_fd, snap_name, apparmor);
 
 	// Try to re-locate back to vanilla working directory. This can fail
 	// because that directory is no longer present.
@@ -723,3 +671,33 @@
 			    NULL);
 	}
 }
+
+static void sc_make_slave_mount_ns(void)
+{
+	if (unshare(CLONE_NEWNS) < 0) {
+		die("can not unshare mount namespace");
+	}
+	// In our new mount namespace, recursively change all mounts
+	// to slave mode, so we see changes from the parent namespace
+	// but don't propagate our own changes.
+	sc_do_mount("none", "/", NULL, MS_REC | MS_SLAVE, NULL);
+}
+
+void sc_setup_user_mounts(struct sc_apparmor *apparmor, int snap_update_ns_fd,
+			  const char *snap_name)
+{
+	debug("%s: %s", __FUNCTION__, snap_name);
+
+	char profile_path[PATH_MAX];
+	struct stat st;
+
+	sc_must_snprintf(profile_path, sizeof(profile_path),
+			 "/var/lib/snapd/mount/snap.%s.user-fstab", snap_name);
+	if (stat(profile_path, &st) != 0) {
+		// It is ok for the user fstab to not exist.
+		return;
+	}
+
+	sc_make_slave_mount_ns();
+	sc_call_snap_update_ns_as_user(snap_update_ns_fd, snap_name, apparmor);
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/mount-support.h snapd-2.37~rc1~14.04/cmd/snap-confine/mount-support.h
--- snapd-2.32.3.2~14.04/cmd/snap-confine/mount-support.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/mount-support.h	2019-01-16 08:36:51.000000000 +0000
@@ -18,7 +18,7 @@
 #ifndef SNAP_MOUNT_SUPPORT_H
 #define SNAP_MOUNT_SUPPORT_H
 
-#include "apparmor-support.h"
+#include "../libsnap-confine-private/apparmor-support.h"
 
 /**
  * Return a file descriptor referencing the snap-update-ns utility
@@ -30,13 +30,21 @@
 int sc_open_snap_update_ns(void);
 
 /**
+ * Return a file descriptor referencing the snap-discard-ns utility
+ *
+ * By calling this prior to changing the mount namespace, it is
+ * possible to execute the utility even if a different version is now
+ * mounted at the expected location.
+ **/
+int sc_open_snap_discard_ns(void);
+
+/**
  * Assuming a new mountspace, populate it accordingly.
  *
  * This function performs many internal tasks:
  * - prepares and chroots into the core snap (on classic systems)
  * - creates private /tmp
  * - creates private /dev/pts
- * - applies quirks for specific snaps (like LXD)
  * - processes mount profiles
  *
  * The function will also try to preserve the current working directory but if
@@ -53,4 +61,17 @@
  * ensure that "/snap" is mounted shared. See LP:#1668659
  */
 void sc_ensure_shared_snap_mount(void);
+
+/**
+ * Set up user mounts, private to this process.
+ *
+ * If any user mounts have been configured for this process, this does
+ * the following:
+ * - create a new mount namespace
+ * - reconfigure all existing mounts to slave mode
+ * - perform all user mounts
+ */
+void sc_setup_user_mounts(struct sc_apparmor *apparmor, int snap_update_ns_fd,
+			  const char *snap_name);
+
 #endif
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/mount-support-nvidia.c snapd-2.37~rc1~14.04/cmd/snap-confine/mount-support-nvidia.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/mount-support-nvidia.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/mount-support-nvidia.c	2019-01-16 08:36:51.000000000 +0000
@@ -45,8 +45,10 @@
 #define SC_LIBGL_DIR   SC_LIB "/gl"
 #define SC_LIBGL32_DIR SC_LIB "/gl32"
 #define SC_VULKAN_DIR  SC_LIB "/vulkan"
+#define SC_GLVND_DIR  SC_LIB "/glvnd"
 
 #define SC_VULKAN_SOURCE_DIR "/usr/share/vulkan"
+#define SC_EGL_VENDOR_SOURCE_DIR "/usr/share/glvnd"
 
 // Location for NVIDIA vulkan files (including _wayland)
 static const char *vulkan_globs[] = {
@@ -56,6 +58,14 @@
 static const size_t vulkan_globs_len =
     sizeof vulkan_globs / sizeof *vulkan_globs;
 
+// Location of EGL vendor files
+static const char *egl_vendor_globs[] = {
+	"egl_vendor.d/*nvidia*.json",
+};
+
+static const size_t egl_vendor_globs_len =
+    sizeof egl_vendor_globs / sizeof *egl_vendor_globs;
+
 #if defined(NVIDIA_BIARCH) || defined(NVIDIA_MULTIARCH)
 
 // List of globs that describe nvidia userspace libraries.
@@ -87,6 +97,7 @@
 	"libXvMCNVIDIA.so*",
 	"libXvMCNVIDIA_dynamic.so*",
 	"libcuda.so*",
+	"libcudart.so*",
 	"libnvcuvid.so*",
 	"libnvidia-cfg.so*",
 	"libnvidia-compiler.so*",
@@ -97,8 +108,10 @@
 	"libnvidia-fbc.so*",
 	"libnvidia-glcore.so*",
 	"libnvidia-glsi.so*",
+	"libnvidia-glvkspirv.so*",
 	"libnvidia-ifr.so*",
 	"libnvidia-ml.so*",
+	"libnvidia-opencl.so*",
 	"libnvidia-ptxjitcompiler.so*",
 	"libnvidia-tls.so*",
 	"tls/libnvidia-tls.so*",
@@ -153,12 +166,9 @@
 		char prefix_dir[512] = { 0 };
 		const char *pathname = glob_res.gl_pathv[i];
 		char *pathname_copy1
-		    SC_CLEANUP(sc_cleanup_string) = strdup(pathname);
+		    SC_CLEANUP(sc_cleanup_string) = sc_strdup(pathname);
 		char *pathname_copy2
-		    SC_CLEANUP(sc_cleanup_string) = strdup(pathname);
-		if (pathname_copy1 == NULL || pathname_copy2 == NULL) {
-			die("failed to copy pathname");
-		}
+		    SC_CLEANUP(sc_cleanup_string) = sc_strdup(pathname);
 		// POSIX dirname() and basename() may modify their input arguments
 		char *filename = basename(pathname_copy1);
 		char *directory_name = dirname(pathname_copy2);
@@ -272,7 +282,7 @@
 	}
 	// Remount $tgt_dir (i.e. .../lib/gl) read only
 	debug("remounting tmpfs as read-only %s", libgl_dir);
-	if (mount(NULL, buf, NULL, MS_REMOUNT | MS_RDONLY, NULL) != 0) {
+	if (mount(NULL, buf, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) != 0) {
 		die("cannot remount %s as read-only", buf);
 	}
 }
@@ -497,6 +507,18 @@
 					  vulkan_globs, vulkan_globs_len);
 }
 
+static void sc_mount_egl(const char *rootfs_dir)
+{
+	const char *egl_vendor_sources[] = { SC_EGL_VENDOR_SOURCE_DIR };
+	const size_t egl_vendor_sources_len =
+	    sizeof egl_vendor_sources / sizeof *egl_vendor_sources;
+
+	sc_mkdir_and_mount_and_glob_files(rootfs_dir, egl_vendor_sources,
+					  egl_vendor_sources_len, SC_GLVND_DIR,
+					  egl_vendor_globs,
+					  egl_vendor_globs_len);
+}
+
 void sc_mount_nvidia_driver(const char *rootfs_dir)
 {
 	/* If NVIDIA module isn't loaded, don't attempt to mount the drivers */
@@ -521,4 +543,5 @@
 
 	// Common for both driver mechanisms
 	sc_mount_vulkan(rootfs_dir);
+	sc_mount_egl(rootfs_dir);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/ns-support.c snapd-2.37~rc1~14.04/cmd/snap-confine/ns-support.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/ns-support.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/ns-support.c	2019-01-16 08:36:51.000000000 +0000
@@ -24,7 +24,6 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/magic.h>
-#include <linux/kdev_t.h>
 #include <sched.h>
 #include <signal.h>
 #include <string.h>
@@ -33,6 +32,7 @@
 #include <sys/mount.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
+#include <sys/sysmacros.h>
 #include <sys/types.h>
 #include <sys/vfs.h>
 #include <sys/wait.h>
@@ -44,6 +44,7 @@
 #include "../libsnap-confine-private/locking.h"
 #include "../libsnap-confine-private/mountinfo.h"
 #include "../libsnap-confine-private/string-utils.h"
+#include "../libsnap-confine-private/tool.h"
 #include "../libsnap-confine-private/utils.h"
 #include "user-support.h"
 
@@ -67,57 +68,28 @@
  **/
 static const char *sc_ns_dir = SC_NS_DIR;
 
-/**
- * Name of the preserved mount namespace associated with SC_NS_DIR
- * and a given group identifier (typically SNAP_NAME).
- **/
-#define SC_NS_MNT_FILE ".mnt"
-
-/**
- * Read /proc/self/mountinfo and check if /run/snapd/ns is a private bind mount.
- *
- * We do this because /run/snapd/ns cannot be shared with any other peers as per:
- * https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt
- **/
-static bool sc_is_ns_group_dir_private(void)
-{
-	struct sc_mountinfo *info SC_CLEANUP(sc_cleanup_mountinfo) = NULL;
-	info = sc_parse_mountinfo(NULL);
-	if (info == NULL) {
-		die("cannot parse /proc/self/mountinfo");
-	}
-	struct sc_mountinfo_entry *entry = sc_first_mountinfo_entry(info);
-	while (entry != NULL) {
-		const char *mount_dir = entry->mount_dir;
-		const char *optional_fields = entry->optional_fields;
-		if (strcmp(mount_dir, sc_ns_dir) == 0
-		    && strcmp(optional_fields, "") == 0) {
-			// If /run/snapd/ns has no optional fields, we know it is mounted
-			// private and there is nothing else to do.
-			return true;
-		}
-		entry = sc_next_mountinfo_entry(entry);
-	}
-	return false;
-}
+enum {
+	HELPER_CMD_EXIT,
+	HELPER_CMD_CAPTURE_MOUNT_NS,
+	HELPER_CMD_CAPTURE_PER_USER_MOUNT_NS,
+};
 
 void sc_reassociate_with_pid1_mount_ns(void)
 {
 	int init_mnt_fd SC_CLEANUP(sc_cleanup_close) = -1;
 	int self_mnt_fd SC_CLEANUP(sc_cleanup_close) = -1;
+	const char *path_pid_1 = "/proc/1/ns/mnt";
+	const char *path_pid_self = "/proc/self/ns/mnt";
 
-	debug("checking if the current process shares mount namespace"
-	      " with the init process");
-
-	init_mnt_fd = open("/proc/1/ns/mnt",
+	init_mnt_fd = open(path_pid_1,
 			   O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_PATH);
 	if (init_mnt_fd < 0) {
-		die("cannot open mount namespace of the init process (O_PATH)");
+		die("cannot open path %s", path_pid_1);
 	}
-	self_mnt_fd = open("/proc/self/ns/mnt",
+	self_mnt_fd = open(path_pid_self,
 			   O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_PATH);
 	if (self_mnt_fd < 0) {
-		die("cannot open mount namespace of the current process (O_PATH)");
+		die("cannot open path %s", path_pid_1);
 	}
 	char init_buf[128] = { 0 };
 	char self_buf[128] = { 0 };
@@ -131,113 +103,127 @@
 			// error.
 			return;
 		}
-		die("cannot perform readlinkat() on the mount namespace file "
-		    "descriptor of the init process");
+		die("cannot read mount namespace identifier of pid 1");
 	}
 	memset(self_buf, 0, sizeof self_buf);
 	if (readlinkat(self_mnt_fd, "", self_buf, sizeof self_buf) < 0) {
-		die("cannot perform readlinkat() on the mount namespace file "
-		    "descriptor of the current process");
+		die("cannot read mount namespace identifier of the current process");
 	}
 	if (memcmp(init_buf, self_buf, sizeof init_buf) != 0) {
-		debug("the current process does not share mount namespace with "
-		      "the init process, re-association required");
-		// NOTE: we cannot use O_NOFOLLOW here because that file will always be a
+		debug("moving to mount namespace of pid 1");
+		// We cannot use O_NOFOLLOW here because that file will always be a
 		// symbolic link. We actually want to open it this way.
 		int init_mnt_fd_real SC_CLEANUP(sc_cleanup_close) = -1;
-		init_mnt_fd_real = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC);
+		init_mnt_fd_real = open(path_pid_1, O_RDONLY | O_CLOEXEC);
 		if (init_mnt_fd_real < 0) {
-			die("cannot open mount namespace of the init process");
+			die("cannot open %s", path_pid_1);
 		}
 		if (setns(init_mnt_fd_real, CLONE_NEWNS) < 0) {
-			die("cannot re-associate the mount namespace with the init process");
+			die("cannot join mount namespace of pid 1");
 		}
-	} else {
-		debug("re-associating is not required");
 	}
 }
 
-void sc_initialize_ns_groups(void)
+void sc_initialize_mount_ns(void)
 {
-	debug("creating namespace group directory %s", sc_ns_dir);
+	/* Ensure that /run/snapd/ns is a directory. */
 	if (sc_nonfatal_mkpath(sc_ns_dir, 0755) < 0) {
-		die("cannot create namespace group directory %s", sc_ns_dir);
+		die("cannot create directory %s", sc_ns_dir);
+	}
+
+	/* Read and analyze the mount table. We need to see whether /run/snapd/ns
+	 * is a mount point with private event propagation. */
+	struct sc_mountinfo *info SC_CLEANUP(sc_cleanup_mountinfo) = NULL;
+	info = sc_parse_mountinfo(NULL);
+	if (info == NULL) {
+		die("cannot parse /proc/self/mountinfo");
+	}
+
+	bool is_mnt = false;
+	bool is_private = false;
+	for (struct sc_mountinfo_entry * entry = sc_first_mountinfo_entry(info);
+	     entry != NULL; entry = sc_next_mountinfo_entry(entry)) {
+		/* Find /run/snapd/ns */
+		if (!sc_streq(entry->mount_dir, sc_ns_dir)) {
+			continue;
+		}
+		is_mnt = true;
+		if (strstr(entry->optional_fields, "shared:") == NULL) {
+			/* Mount event propagation is not set to shared, good. */
+			is_private = true;
+		}
+		break;
 	}
-	if (!sc_is_ns_group_dir_private()) {
-		debug
-		    ("bind mounting the namespace group directory over itself");
+
+	if (!is_mnt) {
 		if (mount(sc_ns_dir, sc_ns_dir, NULL, MS_BIND | MS_REC, NULL) <
 		    0) {
-			die("cannot bind mount namespace group directory over itself");
+			die("cannot self-bind mount %s", sc_ns_dir);
 		}
-		debug
-		    ("making the namespace group directory mount point private");
+	}
+
+	if (!is_private) {
 		if (mount(NULL, sc_ns_dir, NULL, MS_PRIVATE, NULL) < 0) {
-			die("cannot make the namespace group directory mount point private");
+			die("cannot change propagation type to MS_PRIVATE in %s", sc_ns_dir);
 		}
-	} else {
-		debug
-		    ("namespace group directory does not require intialization");
 	}
 }
 
-struct sc_ns_group {
+struct sc_mount_ns {
 	// Name of the namespace group ($SNAP_NAME).
 	char *name;
 	// Descriptor to the namespace group control directory.  This descriptor is
 	// opened with O_PATH|O_DIRECTORY so it's only used for openat() calls.
 	int dir_fd;
-	// Descriptor to an eventfd that is used to notify the child that it can
-	// now complete its job and exit.
-	int event_fd;
+	// Pair of descriptors for a pair for a pipe file descriptors (read end,
+	// write end) that snap-confine uses to send messages to the helper
+	// process and back.
+	int pipe_helper[2];
+	int pipe_master[2];
 	// Identifier of the child process that is used during the one-time (per
 	// group) initialization and capture process.
 	pid_t child;
-	// Flag set when this process created a fresh namespace should populate it.
-	bool should_populate;
 };
 
-static struct sc_ns_group *sc_alloc_ns_group(void)
+static struct sc_mount_ns *sc_alloc_mount_ns(void)
 {
-	struct sc_ns_group *group = calloc(1, sizeof *group);
+	struct sc_mount_ns *group = calloc(1, sizeof *group);
 	if (group == NULL) {
-		die("cannot allocate memory for namespace group");
+		die("cannot allocate memory for sc_mount_ns");
 	}
 	group->dir_fd = -1;
-	group->event_fd = -1;
+	group->pipe_helper[0] = -1;
+	group->pipe_helper[1] = -1;
+	group->pipe_master[0] = -1;
+	group->pipe_master[1] = -1;
 	// Redundant with calloc but some functions check for the non-zero value so
 	// I'd like to keep this explicit in the code.
 	group->child = 0;
 	return group;
 }
 
-struct sc_ns_group *sc_open_ns_group(const char *group_name,
-				     const unsigned flags)
+struct sc_mount_ns *sc_open_mount_ns(const char *group_name)
 {
-	struct sc_ns_group *group = sc_alloc_ns_group();
-	debug("opening namespace group directory %s", sc_ns_dir);
-	group->dir_fd =
-	    open(sc_ns_dir, O_DIRECTORY | O_PATH | O_CLOEXEC | O_NOFOLLOW);
+	struct sc_mount_ns *group = sc_alloc_mount_ns();
+	group->dir_fd = open(sc_ns_dir,
+			     O_DIRECTORY | O_PATH | O_CLOEXEC | O_NOFOLLOW);
 	if (group->dir_fd < 0) {
-		if (flags & SC_NS_FAIL_GRACEFULLY && errno == ENOENT) {
-			free(group);
-			return NULL;
-		}
-		die("cannot open directory for namespace group %s", group_name);
-	}
-	group->name = strdup(group_name);
-	if (group->name == NULL) {
-		die("cannot duplicate namespace group name %s", group_name);
+		die("cannot open directory %s", sc_ns_dir);
 	}
+	group->name = sc_strdup(group_name);
 	return group;
 }
 
-void sc_close_ns_group(struct sc_ns_group *group)
+void sc_close_mount_ns(struct sc_mount_ns *group)
 {
-	debug("releasing resources associated with namespace group %s",
-	      group->name);
+	if (group->child != 0) {
+		sc_wait_for_helper(group);
+	}
 	sc_cleanup_close(&group->dir_fd);
-	sc_cleanup_close(&group->event_fd);
+	sc_cleanup_close(&group->pipe_master[0]);
+	sc_cleanup_close(&group->pipe_master[1]);
+	sc_cleanup_close(&group->pipe_helper[0]);
+	sc_cleanup_close(&group->pipe_helper[1]);
 	free(group->name);
 	free(group);
 }
@@ -263,17 +249,18 @@
 	     sc_first_mountinfo_entry(mi); mie != NULL;
 	     mie = sc_next_mountinfo_entry(mie)) {
 		if (sc_streq(mie->mount_dir, base_squashfs_path)) {
-			base_snap_dev = MKDEV(mie->dev_major, mie->dev_minor);
-			debug("found base snap filesystem device %d:%d",
-			      mie->dev_major, mie->dev_minor);
+			base_snap_dev = makedev(mie->dev_major, mie->dev_minor);
+			debug("block device of snap %s, revision %s is %d:%d",
+			      base_snap_name, base_snap_rev, mie->dev_major,
+			      mie->dev_minor);
 			// Don't break when found, we are interested in the last
 			// entry as this is the "effective" one.
 			found = true;
 		}
 	}
 	if (!found) {
-		die("cannot find device backing the base snap %s",
-		    base_snap_name);
+		die("cannot find mount entry for snap %s revision %s",
+		    base_snap_name, base_snap_rev);
 	}
 	return base_snap_dev;
 }
@@ -301,11 +288,11 @@
 		// was used to do something weird. The initial rootfs was
 		// set up by snap-confine and that is the one we want to
 		// measure.
-		debug("found root filesystem inside the mount namespace %d:%d",
+		debug("block device of the root filesystem is %d:%d",
 		      mie->dev_major, mie->dev_minor);
-		return base_snap_dev != MKDEV(mie->dev_major, mie->dev_minor);
+		return base_snap_dev != makedev(mie->dev_major, mie->dev_minor);
 	}
-	die("cannot find mount entry of the root filesystem inside snap namespace");
+	die("cannot find mount entry of the root filesystem");
 }
 
 enum sc_discard_vote {
@@ -320,11 +307,11 @@
 // unconditionally.
 static int sc_inspect_and_maybe_discard_stale_ns(int mnt_fd,
 						 const char *snap_name,
-						 const char *base_snap_name)
+						 const char *base_snap_name,
+						 int snap_discard_ns_fd)
 {
 	char base_snap_rev[PATH_MAX] = { 0 };
 	char fname[PATH_MAX] = { 0 };
-	char mnt_fname[PATH_MAX] = { 0 };
 	dev_t base_snap_dev;
 	int event_fd SC_CLEANUP(sc_cleanup_close) = -1;
 
@@ -332,17 +319,20 @@
 	sc_must_snprintf(fname, sizeof fname, "%s/%s/current",
 			 SNAP_MOUNT_DIR, base_snap_name);
 	if (readlink(fname, base_snap_rev, sizeof base_snap_rev) < 0) {
-		die("cannot read revision of base snap %s", fname);
+		die("cannot read current revision of snap %s", snap_name);
 	}
 	if (base_snap_rev[sizeof base_snap_rev - 1] != '\0') {
-		die("cannot use symbolic link %s - value is too long", fname);
+		die("cannot read current revision of snap %s: value too long",
+		    snap_name);
 	}
 	// Find the device that is backing the current revision of the base snap.
 	base_snap_dev = find_base_snap_device(base_snap_name, base_snap_rev);
 
-	// Check if we are running on classic. Do it here because we will always
-	// (seemingly) run on a core system once we are inside a mount namespace.
-	bool is_classic = is_running_on_classic_distribution();
+	// Check if we are running in normal mode with pivot root. Do this here
+	// because once on the inside of the transformed mount namespace we can no
+	// longer tell.
+	bool is_normal_mode =
+	    sc_should_use_normal_mode(sc_classify_distro(), base_snap_name);
 
 	// Store the PID of this process. This is done instead of calls to
 	// getppid() below because then we can reliably track the PID of the
@@ -352,12 +342,12 @@
 	// Create an eventfd for the communication with the child.
 	event_fd = eventfd(0, EFD_CLOEXEC);
 	if (event_fd < 0) {
-		die("cannot create eventfd for communication with inspection process");
+		die("cannot create eventfd");
 	}
 	// Fork a child, it will do the inspection for us.
 	pid_t child = fork();
 	if (child < 0) {
-		die("cannot fork support process for namespace inspection");
+		die("cannot fork support process");
 	}
 
 	if (child == 0) {
@@ -374,22 +364,21 @@
 		// us up from eventfd_read() below. In the rare case that the PID
 		// numbers overflow and the now-dead parent PID is recycled we will
 		// still hang forever on the read from eventfd below.
-		debug("ensuring that parent process is still alive");
 		if (kill(parent, 0) < 0) {
 			switch (errno) {
 			case ESRCH:
-				debug("parent process has already terminated");
+				debug("parent process has terminated");
 				abort();
 			default:
-				die("cannot ensure that parent process is still alive");
+				die("cannot confirm that parent process is alive");
 				break;
 			}
 		}
 
-		debug("joining the namespace that we are about to probe");
+		debug("joining preserved mount namespace for inspection");
 		// Move to the mount namespace of the snap we're trying to inspect.
 		if (setns(mnt_fd, CLONE_NEWNS) < 0) {
-			die("cannot join the mount namespace in order to inspect it");
+			die("cannot join preserved mount namespace");
 		}
 		// Check if the namespace needs to be discarded.
 		//
@@ -399,22 +388,16 @@
 		// systemd. This makes us end up in a situation where the outer base
 		// snap will never match the rootfs inside the mount namespace.
 		bool should_discard =
-		    is_classic ? should_discard_current_ns(base_snap_dev) :
+		    is_normal_mode ? should_discard_current_ns(base_snap_dev) :
 		    false;
 
 		// Send this back to the parent: 2 - discard, 1 - keep.
 		// Note that we cannot just use 0 and 1 because of the semantics of eventfd(2).
-		debug
-		    ("sending information about the state of the mount namespace (%s)",
-		     should_discard ? "discard" : "keep");
-		if (eventfd_write
-		    (event_fd,
-		     should_discard ? SC_DISCARD_YES : SC_DISCARD_NO) < 0) {
-			die("cannot send information about the state of the mount namespace");
+		if (eventfd_write(event_fd, should_discard ?
+				  SC_DISCARD_YES : SC_DISCARD_NO) < 0) {
+			die("cannot send information to %s preserved mount namespace", should_discard ? "discard" : "keep");
 		}
 		// Exit, we're done.
-		debug
-		    ("support process for mount namespace inspection is about to finish");
 		exit(0);
 	}
 	// This is back in the parent process.
@@ -424,9 +407,8 @@
 	// Next, read the value written by the child process.
 	sc_enable_sanity_timeout();
 	eventfd_t value = 0;
-	debug("receiving information about the state of the mount namespace");
 	if (eventfd_read(event_fd, &value) < 0) {
-		die("cannot receive information about the state of the mount namespace");
+		die("cannot read from eventfd");
 	}
 	sc_disable_sanity_timeout();
 
@@ -441,68 +423,59 @@
 	}
 	// If the namespace is up-to-date then we are done.
 	if (value == SC_DISCARD_NO) {
-		debug("the mount namespace is up-to-date and can be reused");
+		debug("preserved mount namespace can be reused");
 		return 0;
 	}
 	// The namespace is stale, let's check if we can discard it.
-	debug("the mount namespace is stale and should be discarded");
 	if (sc_cgroup_freezer_occupied(snap_name)) {
 		// Some processes are still using the namespace so we cannot discard it
 		// as that would fracture the view that the set of processes inside
 		// have on what is mounted.
+		debug("preserved mount namespace is stale but occupied");
 		return 0;
 	}
 	// The namespace is both stale and empty. We can discard it now.
-	debug("discarding stale and empty mount namespace");
-	sc_must_snprintf(mnt_fname, sizeof mnt_fname,
-			 "%s/%s%s", sc_ns_dir, snap_name, SC_NS_MNT_FILE);
-
-	// Use MNT_DETACH as otherwise we get EBUSY.
-	if (umount2(mnt_fname, MNT_DETACH | UMOUNT_NOFOLLOW) < 0) {
-		die("cannot umount stale mount namespace %s", mnt_fname);
-	}
-	debug("stale mount namespace discarded");
+	sc_call_snap_discard_ns(snap_discard_ns_fd, snap_name);
 	return EAGAIN;
 }
 
-int sc_create_or_join_ns_group(struct sc_ns_group *group,
-			       struct sc_apparmor *apparmor,
-			       const char *base_snap_name,
-			       const char *snap_name)
+static void helper_fork(struct sc_mount_ns *group,
+			struct sc_apparmor *apparmor);
+static void helper_main(struct sc_mount_ns *group, struct sc_apparmor *apparmor,
+			pid_t parent);
+static void helper_capture_ns(struct sc_mount_ns *group, pid_t parent);
+static void helper_capture_per_user_ns(struct sc_mount_ns *group, pid_t parent);
+
+int sc_join_preserved_ns(struct sc_mount_ns *group, struct sc_apparmor
+			 *apparmor, const char *base_snap_name,
+			 const char *snap_name, int snap_discard_ns_fd)
 {
 	// Open the mount namespace file.
 	char mnt_fname[PATH_MAX] = { 0 };
-	sc_must_snprintf(mnt_fname, sizeof mnt_fname, "%s%s", group->name,
-			 SC_NS_MNT_FILE);
+	sc_must_snprintf(mnt_fname, sizeof mnt_fname, "%s.mnt", group->name);
 	int mnt_fd SC_CLEANUP(sc_cleanup_close) = -1;
 	// NOTE: There is no O_EXCL here because the file can be around but
 	// doesn't have to be a mounted namespace.
-	//
-	// If the mounted namespace is discarded with
-	// sc_discard_preserved_ns_group() it will revert to a regular file.  If
-	// snap-confine is killed for whatever reason after the file is created but
-	// before the file is bind-mounted it will also be a regular file.
 	mnt_fd = openat(group->dir_fd, mnt_fname,
 			O_CREAT | O_RDONLY | O_CLOEXEC | O_NOFOLLOW, 0600);
 	if (mnt_fd < 0) {
-		die("cannot open mount namespace file for namespace group %s",
-		    group->name);
+		die("cannot open preserved mount namespace %s", group->name);
 	}
 	// Check if we got an nsfs-based or procfs file or a regular file. This can
 	// be reliably tested because nsfs has an unique filesystem type
 	// NSFS_MAGIC.  On older kernels that don't support nsfs yet we can look
-	// for PROC_SUPER_MAGIC instead. 
+	// for PROC_SUPER_MAGIC instead.
 	// We can just ensure that this is the case thanks to fstatfs.
 	struct statfs ns_statfs_buf;
 	if (fstatfs(mnt_fd, &ns_statfs_buf) < 0) {
-		die("cannot perform fstatfs() on the mount namespace file descriptor");
+		die("cannot inspect filesystem of preserved mount namespace file");
 	}
 	// Stat the mount namespace as well, this is later used to check if the
 	// namespace is used by other processes if we are considering discarding a
 	// stale namespace.
 	struct stat ns_stat_buf;
 	if (fstat(mnt_fd, &ns_stat_buf) < 0) {
-		die("cannot perform fstat() on the mount namespace file descriptor");
+		die("cannot inspect preserved mount namespace file");
 	}
 #ifndef NSFS_MAGIC
 // Account for kernel headers old enough to not know about NSFS_MAGIC.
@@ -513,8 +486,9 @@
 
 		// Inspect and perhaps discard the preserved mount namespace.
 		if (sc_inspect_and_maybe_discard_stale_ns
-		    (mnt_fd, snap_name, base_snap_name) == EAGAIN) {
-			return EAGAIN;
+		    (mnt_fd, snap_name, base_snap_name,
+		     snap_discard_ns_fd) == EAGAIN) {
+			return ESRCH;
 		}
 		// Remember the vanilla working directory so that we may attempt to restore it later.
 		char *vanilla_cwd SC_CLEANUP(sc_cleanup_string) = NULL;
@@ -523,198 +497,274 @@
 			die("cannot get the current working directory");
 		}
 		// Move to the mount namespace of the snap we're trying to start.
-		debug
-		    ("attempting to re-associate the mount namespace with the namespace group %s",
-		     group->name);
 		if (setns(mnt_fd, CLONE_NEWNS) < 0) {
-			die("cannot re-associate the mount namespace with namespace group %s", group->name);
+			die("cannot join preserved mount namespace %s",
+			    group->name);
 		}
-		debug
-		    ("successfully re-associated the mount namespace with the namespace group %s",
-		     group->name);
+		debug("joined preserved mount namespace %s", group->name);
 
 		// Try to re-locate back to vanilla working directory. This can fail
 		// because that directory is no longer present.
 		if (chdir(vanilla_cwd) != 0) {
-			debug
-			    ("cannot remain in %s, moving to the void directory",
-			     vanilla_cwd);
+			debug("cannot enter %s, moving to void", vanilla_cwd);
 			if (chdir(SC_VOID_DIR) != 0) {
 				die("cannot change directory to %s",
 				    SC_VOID_DIR);
 			}
-			debug("successfully moved to %s", SC_VOID_DIR);
 		}
 		return 0;
 	}
-	debug("initializing new namespace group %s", group->name);
-	// Create a new namespace and ask the caller to populate it.
-	// For rationale of forking see this:
-	// https://lists.linuxfoundation.org/pipermail/containers/2013-August/033386.html
-	//
-	// The eventfd created here is used to synchronize the child and the parent
-	// processes. It effectively tells the child to perform the capture
-	// operation.
-	group->event_fd = eventfd(0, EFD_CLOEXEC);
-	if (group->event_fd < 0) {
-		die("cannot create eventfd for mount namespace capture");
+	return ESRCH;
+}
+
+int sc_join_preserved_per_user_ns(struct sc_mount_ns *group,
+				  const char *snap_name)
+{
+	uid_t uid = getuid();
+	char mnt_fname[PATH_MAX] = { 0 };
+	sc_must_snprintf(mnt_fname, sizeof mnt_fname, "%s.%d.mnt", group->name,
+			 (int)uid);
+
+	int mnt_fd SC_CLEANUP(sc_cleanup_close) = -1;
+	mnt_fd = openat(group->dir_fd, mnt_fname,
+			O_CREAT | O_RDONLY | O_CLOEXEC | O_NOFOLLOW, 0600);
+	if (mnt_fd < 0) {
+		die("cannot open preserved mount namespace %s", group->name);
+	}
+	struct statfs ns_statfs_buf;
+	if (fstatfs(mnt_fd, &ns_statfs_buf) < 0) {
+		die("cannot inspect filesystem of preserved mount namespace file");
+	}
+	struct stat ns_stat_buf;
+	if (fstat(mnt_fd, &ns_stat_buf) < 0) {
+		die("cannot inspect preserved mount namespace file");
+	}
+#ifndef NSFS_MAGIC
+	/* Define NSFS_MAGIC for Ubuntu 14.04 and other older systems. */
+#define NSFS_MAGIC 0x6e736673
+#endif
+	if (ns_statfs_buf.f_type == NSFS_MAGIC
+	    || ns_statfs_buf.f_type == PROC_SUPER_MAGIC) {
+		// TODO: refactor the cwd workflow across all of snap-confine.
+		char *vanilla_cwd SC_CLEANUP(sc_cleanup_string) = NULL;
+		vanilla_cwd = get_current_dir_name();
+		if (vanilla_cwd == NULL) {
+			die("cannot get the current working directory");
+		}
+		if (setns(mnt_fd, CLONE_NEWNS) < 0) {
+			die("cannot join preserved per-user mount namespace %s",
+			    group->name);
+		}
+		debug("joined preserved mount namespace %s", group->name);
+		if (chdir(vanilla_cwd) != 0) {
+			debug("cannot enter %s, moving to void", vanilla_cwd);
+			if (chdir(SC_VOID_DIR) != 0) {
+				die("cannot change directory to %s",
+				    SC_VOID_DIR);
+			}
+		}
+		return 0;
+	}
+	return ESRCH;
+}
+
+static void helper_fork(struct sc_mount_ns *group, struct sc_apparmor *apparmor)
+{
+	// Create a pipe for sending commands to the helper process.
+	if (pipe2(group->pipe_master, O_CLOEXEC | O_DIRECT) < 0) {
+		die("cannot create pipes for commanding the helper process");
+	}
+	if (pipe2(group->pipe_helper, O_CLOEXEC | O_DIRECT) < 0) {
+		die("cannot create pipes for responding to master process");
 	}
-	debug("forking support process for mount namespace capture");
 	// Store the PID of the "parent" process. This done instead of calls to
 	// getppid() because then we can reliably track the PID of the parent even
 	// if the child process is re-parented.
 	pid_t parent = getpid();
-	// Glibc defines pid as a signed 32bit integer. There's no standard way to
-	// print pid's portably so this is the best we can do.
+
+	// For rationale of forking see this:
+	// https://lists.linuxfoundation.org/pipermail/containers/2013-August/033386.html
 	pid_t pid = fork();
-	debug("forked support process has pid %d", (int)pid);
 	if (pid < 0) {
-		die("cannot fork support process for mount namespace capture");
+		die("cannot fork helper process for mount namespace capture");
 	}
 	if (pid == 0) {
-		// This is the child process which will capture the mount namespace.
-		//
-		// It will do so by bind-mounting the SC_NS_MNT_FILE after the parent
-		// process calls unshare() and finishes setting up the namespace
-		// completely.
-		// Change the hat to a sub-profile that has limited permissions
-		// necessary to accomplish the capture of the mount namespace.
-		debug
-		    ("changing apparmor hat of the support process for mount namespace capture");
-		sc_maybe_aa_change_hat(apparmor,
-				       "mount-namespace-capture-helper", 0);
-		// Configure the child to die as soon as the parent dies. In an odd
-		// case where the parent is killed then we don't want to complete our
-		// task or wait for anything.
-		if (prctl(PR_SET_PDEATHSIG, SIGINT, 0, 0, 0) < 0) {
-			die("cannot set parent process death notification signal to SIGINT");
-		}
-		// Check that parent process is still alive. If this is the case then
-		// we can *almost* reliably rely on the PR_SET_PDEATHSIG signal to wake
-		// us up from eventfd_read() below. In the rare case that the PID numbers
-		// overflow and the now-dead parent PID is recycled we will still hang
-		// forever on the read from eventfd below.
-		debug("ensuring that parent process is still alive");
-		if (kill(parent, 0) < 0) {
-			switch (errno) {
-			case ESRCH:
-				debug("parent process has already terminated");
-				abort();
-			default:
-				die("cannot ensure that parent process is still alive");
-				break;
-			}
-		}
-		if (fchdir(group->dir_fd) < 0) {
-			die("cannot move process for mount namespace capture to namespace group directory");
+		/* helper */
+		sc_cleanup_close(&group->pipe_master[1]);
+		sc_cleanup_close(&group->pipe_helper[0]);
+		helper_main(group, apparmor, parent);
+	} else {
+		/* master */
+		sc_cleanup_close(&group->pipe_master[0]);
+		sc_cleanup_close(&group->pipe_helper[1]);
+
+		// Glibc defines pid as a signed 32bit integer. There's no standard way to
+		// print pid's portably so this is the best we can do.
+		debug("forked support process %d", (int)pid);
+		group->child = pid;
+	}
+}
+
+static void helper_main(struct sc_mount_ns *group, struct sc_apparmor *apparmor,
+			pid_t parent)
+{
+	// This is the child process which will capture the mount namespace.
+	//
+	// It will do so by bind-mounting the .mnt after the parent process calls
+	// unshare() and finishes setting up the namespace completely. Change the
+	// hat to a sub-profile that has limited permissions necessary to
+	// accomplish the capture of the mount namespace.
+	sc_maybe_aa_change_hat(apparmor, "mount-namespace-capture-helper", 0);
+	// Configure the child to die as soon as the parent dies. In an odd
+	// case where the parent is killed then we don't want to complete our
+	// task or wait for anything.
+	if (prctl(PR_SET_PDEATHSIG, SIGINT, 0, 0, 0) < 0) {
+		die("cannot set parent process death notification signal to SIGINT");
+	}
+	// Check that parent process is still alive. If this is the case then we
+	// can *almost* reliably rely on the PR_SET_PDEATHSIG signal to wake us up
+	// from read(2) below. In the rare case that the PID numbers overflow and
+	// the now-dead parent PID is recycled we will still hang forever on the
+	// read from the pipe below.
+	if (kill(parent, 0) < 0) {
+		switch (errno) {
+		case ESRCH:
+			debug("parent process has terminated");
+			abort();
+		default:
+			die("cannot confirm that parent process is alive");
+			break;
 		}
-		debug
-		    ("waiting for a eventfd data from the parent process to continue");
-		eventfd_t value = 0;
+	}
+	if (fchdir(group->dir_fd) < 0) {
+		die("cannot move to directory with preserved namespaces");
+	}
+	int command = -1;
+	int run = 1;
+	while (run) {
+		debug("helper process waiting for command");
 		sc_enable_sanity_timeout();
-		if (eventfd_read(group->event_fd, &value) < 0) {
-			die("cannot read expected data from eventfd");
+		if (read(group->pipe_master[0], &command, sizeof command) < 0) {
+			die("cannot read command from the pipe");
 		}
 		sc_disable_sanity_timeout();
-		debug
-		    ("capturing mount namespace of process %d in namespace group %s",
-		     (int)parent, group->name);
-		char src[PATH_MAX] = { 0 };
-		char dst[PATH_MAX] = { 0 };
-		sc_must_snprintf(src, sizeof src, "/proc/%d/ns/mnt",
-				 (int)parent);
-		sc_must_snprintf(dst, sizeof dst, "%s%s", group->name,
-				 SC_NS_MNT_FILE);
-		if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
-			die("cannot bind-mount the mount namespace file %s -> %s", src, dst);
-		}
-		debug
-		    ("successfully captured mount namespace in namespace group %s",
-		     group->name);
-		exit(0);
-	} else {
-		group->child = pid;
-		// Unshare the mount namespace and set a flag instructing the caller that 
-		// the namespace is pristine and needs to be populated now.
-		debug("unsharing the mount namespace");
-		if (unshare(CLONE_NEWNS) < 0) {
-			die("cannot unshare the mount namespace");
+		debug("helper process received command %d", command);
+		switch (command) {
+		case HELPER_CMD_EXIT:
+			run = 0;
+			break;
+		case HELPER_CMD_CAPTURE_MOUNT_NS:
+			helper_capture_ns(group, parent);
+			break;
+		case HELPER_CMD_CAPTURE_PER_USER_MOUNT_NS:
+			helper_capture_per_user_ns(group, parent);
+			break;
+		}
+		if (write(group->pipe_helper[1], &command, sizeof command) < 0) {
+			die("cannot write ack");
 		}
-		group->should_populate = true;
 	}
-	return 0;
+	debug("helper process exiting");
+	exit(0);
+}
+
+static void helper_capture_ns(struct sc_mount_ns *group, pid_t parent)
+{
+	char src[PATH_MAX] = { 0 };
+	char dst[PATH_MAX] = { 0 };
+
+	debug("capturing per-snap mount namespace");
+	sc_must_snprintf(src, sizeof src, "/proc/%d/ns/mnt", (int)parent);
+	sc_must_snprintf(dst, sizeof dst, "%s.mnt", group->name);
+
+	/* Ensure the bind mount destination exists. */
+	int fd = open(dst, O_CREAT | O_CLOEXEC | O_NOFOLLOW | O_RDONLY, 0600);
+	if (fd < 0) {
+		die("cannot create file %s", dst);
+	}
+	close(fd);
+	if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
+		die("cannot preserve mount namespace of process %d as %s",
+		    (int)parent, dst);
+	}
+	debug("mount namespace of process %d preserved as %s",
+	      (int)parent, dst);
 }
 
-bool sc_should_populate_ns_group(struct sc_ns_group * group)
+static void helper_capture_per_user_ns(struct sc_mount_ns *group, pid_t parent)
 {
-	return group->should_populate;
+	char src[PATH_MAX] = { 0 };
+	char dst[PATH_MAX] = { 0 };
+	uid_t uid = getuid();
+
+	debug("capturing per-snap, per-user mount namespace");
+	sc_must_snprintf(src, sizeof src, "/proc/%d/ns/mnt", (int)parent);
+	sc_must_snprintf(dst, sizeof dst, "%s.%d.mnt", group->name, (int)uid);
+	if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
+		die("cannot preserve per-user mount namespace of process %d as %s", (int)parent, dst);
+	}
+	debug("per-user mount namespace of process %d preserved as %s",
+	      (int)parent, dst);
 }
 
-void sc_preserve_populated_ns_group(struct sc_ns_group *group)
+static void sc_message_capture_helper(struct sc_mount_ns *group, int command_id)
 {
+	int ack;
 	if (group->child == 0) {
-		die("precondition failed: we don't have a support process for mount namespace capture");
+		die("precondition failed: we don't have a helper process");
+	}
+	if (group->pipe_master[1] < 0) {
+		die("precondition failed: we don't have a pipe");
+	}
+	if (group->pipe_helper[0] < 0) {
+		die("precondition failed: we don't have a pipe");
 	}
-	if (group->event_fd < 0) {
-		die("precondition failed: we don't have an eventfd for mount namespace capture");
+	debug("sending command %d to helper process (pid: %d)",
+	      command_id, group->child);
+	if (write(group->pipe_master[1], &command_id, sizeof command_id) < 0) {
+		die("cannot send command %d to helper process", command_id);
 	}
-	debug
-	    ("asking support process for mount namespace capture (pid: %d) to perform the capture",
-	     group->child);
-	if (eventfd_write(group->event_fd, 1) < 0) {
-		die("cannot write eventfd");
+	debug("waiting for response from helper");
+	if (read(group->pipe_helper[0], &ack, sizeof ack) < 0) {
+		die("cannot receive ack from helper process");
+	}
+}
+
+static void sc_wait_for_capture_helper(struct sc_mount_ns *group)
+{
+	if (group->child == 0) {
+		die("precondition failed: we don't have a helper process");
 	}
-	debug
-	    ("waiting for the support process for mount namespace capture to exit");
+	debug("waiting for the helper process to exit");
 	int status = 0;
 	errno = 0;
 	if (waitpid(group->child, &status, 0) < 0) {
-		die("cannot wait for the support process for mount namespace capture");
+		die("cannot wait for the helper process");
 	}
 	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
-		die("support process for mount namespace capture exited abnormally");
+		die("helper process exited abnormally");
 	}
-	debug("support process for mount namespace capture exited normally");
+	debug("helper process exited normally");
 	group->child = 0;
 }
 
-void sc_discard_preserved_ns_group(struct sc_ns_group *group)
+void sc_fork_helper(struct sc_mount_ns *group, struct sc_apparmor *apparmor)
 {
-	// Remember the current working directory
-	int old_dir_fd SC_CLEANUP(sc_cleanup_close) = -1;
-	old_dir_fd = open(".", O_PATH | O_DIRECTORY | O_CLOEXEC);
-	if (old_dir_fd < 0) {
-		die("cannot open current directory");
-	}
-	// Move to the mount namespace directory (/run/snapd/ns)
-	if (fchdir(group->dir_fd) < 0) {
-		die("cannot move to namespace group directory");
-	}
-	// Unmount ${group_name}.mnt which holds the preserved namespace
-	char mnt_fname[PATH_MAX] = { 0 };
-	sc_must_snprintf(mnt_fname, sizeof mnt_fname, "%s%s", group->name,
-			 SC_NS_MNT_FILE);
-	debug("unmounting preserved mount namespace file %s", mnt_fname);
-	if (umount2(mnt_fname, UMOUNT_NOFOLLOW) < 0) {
-		switch (errno) {
-		case EINVAL:
-			// EINVAL is returned when there's nothing to unmount (no bind-mount).
-			// Instead of checking for this explicitly (which is always racy) we
-			// just unmount and check the return code.
-			break;
-		case ENOENT:
-			// We may be asked to discard a namespace that doesn't yet
-			// exist (even the mount point may be absent). We just
-			// ignore that error and return gracefully.
-			break;
-		default:
-			die("cannot unmount preserved mount namespace file %s",
-			    mnt_fname);
-			break;
-		}
-	}
-	// Get back to the original directory
-	if (fchdir(old_dir_fd) < 0) {
-		die("cannot move back to original directory");
-	}
+	helper_fork(group, apparmor);
+}
+
+void sc_preserve_populated_mount_ns(struct sc_mount_ns *group)
+{
+	sc_message_capture_helper(group, HELPER_CMD_CAPTURE_MOUNT_NS);
+}
+
+void sc_preserve_populated_per_user_mount_ns(struct sc_mount_ns *group)
+{
+	sc_message_capture_helper(group, HELPER_CMD_CAPTURE_PER_USER_MOUNT_NS);
+}
+
+void sc_wait_for_helper(struct sc_mount_ns *group)
+{
+	sc_message_capture_helper(group, HELPER_CMD_EXIT);
+	sc_wait_for_capture_helper(group);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/ns-support.h snapd-2.37~rc1~14.04/cmd/snap-confine/ns-support.h
--- snapd-2.32.3.2~14.04/cmd/snap-confine/ns-support.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/ns-support.h	2019-01-16 08:36:51.000000000 +0000
@@ -20,7 +20,7 @@
 
 #include <stdbool.h>
 
-#include "apparmor-support.h"
+#include "../libsnap-confine-private/apparmor-support.h"
 
 /**
  * Re-associate the current process with the mount namespace of pid 1.
@@ -29,7 +29,7 @@
  * of pid 1. In case they differ the current process is re-associated with the
  * mount namespace of pid 1.
  *
- * This function should be called before sc_initialize_ns_groups().
+ * This function should be called before sc_initialize_mount_ns().
  **/
 void sc_reassociate_with_pid1_mount_ns(void);
 
@@ -54,95 +54,95 @@
  *
  * For more details see namespaces(7).
  **/
-void sc_initialize_ns_groups(void);
+void sc_initialize_mount_ns(void);
 
 /**
  * Data required to manage namespaces amongst a group of processes.
  */
-struct sc_ns_group;
-
-enum {
-	SC_NS_FAIL_GRACEFULLY = 1
-};
+struct sc_mount_ns;
 
 /**
  * Open a namespace group.
  *
  * This will open and keep file descriptors for /run/snapd/ns/.
  *
- * If the flags argument is SC_NS_FAIL_GRACEFULLY then the function returns
- * NULL if the /run/snapd/ns directory doesn't exist. In all other cases it
- * calls die() and exits the process.
- *
  * The following methods should be called only while holding a lock protecting
  * that specific snap namespace:
- * - sc_create_or_join_ns_group()
- * - sc_should_populate_ns_group()
- * - sc_preserve_populated_ns_group()
- * - sc_discard_preserved_ns_group()
+ * - sc_create_or_join_mount_ns()
+ * - sc_preserve_populated_mount_ns()
  */
-struct sc_ns_group *sc_open_ns_group(const char *group_name,
-				     const unsigned flags);
+struct sc_mount_ns *sc_open_mount_ns(const char *group_name);
 
 /**
  * Close namespace group.
  *
  * This will close all of the open file descriptors and release allocated memory.
  */
-void sc_close_ns_group(struct sc_ns_group *group);
+void sc_close_mount_ns(struct sc_mount_ns *group);
 
 /**
- * Join the mount namespace associated with this group if one exists.
+ * Join a preserved mount namespace if one exists.
  *
  * Technically the function opens /run/snapd/ns/${group_name}.mnt and tries to
- * use setns() with the obtained file descriptor. If the call succeeds then the
- * function returns and subsequent call to sc_should_populate_ns_group() will
- * return false.
- *
- * If the call fails then an eventfd is constructed and a support process is
- * forked. The child process waits until data is written to the eventfd (this
- * can be done by calling sc_preserve_populated_ns_group()). In the meantime
- * the parent process unshares the mount namespace and sets a flag so that
- * sc_should_populate_ns_group() returns true.
+ * use setns() with the obtained file descriptor.
  *
- * @returns 0 on success and EAGAIN if the namespace was stale and needs
- * to be re-made.
+ * If the preserved mount namespace does not exist or exists but is stale and
+ * was discarded and returns ESRCH. If the mount namespace was joined the
+ * function returns zero.
  **/
-int sc_create_or_join_ns_group(struct sc_ns_group *group,
-			       struct sc_apparmor *apparmor,
-			       const char *base_snap_name,
-			       const char *snap_name);
+int sc_join_preserved_ns(struct sc_mount_ns *group, struct sc_apparmor
+			 *apparmor, const char *base_snap_name,
+			 const char *snap_name, int snap_discard_ns_fd);
+
+/**
+ * Join a preserved, per-user, mount namespace if one exists.
+ *
+ * Technically the function opens /run/snapd/ns/snap.$SNAP_NAME.$UID.mnt and
+ * tries to use setns() with the obtained file descriptor.
+ *
+ * The return is ESRCH if a preserved per-user mount namespace does not exist
+ * and cannot be joined or zero otherwise.
+**/
+int sc_join_preserved_per_user_ns(struct sc_mount_ns *group,
+				  const char *snap_name);
 
 /**
- * Check if the namespace needs to be populated.
+ * Fork off a helper process for mount namespace capture.
+ *
+ * This function forks the helper process. It needs to be paired with
+ * sc_wait_for_helper which instructs the helper to shut down and waits for
+ * that to happen.
  *
- * If the return value is true then at this stage the namespace is already
- * unshared. The caller should perform any mount operations that are desired
- * and then proceed to call sc_preserve_populated_ns_group().
+ * For rationale for forking and using a helper process please see
+ * https://lists.linuxfoundation.org/pipermail/containers/2013-August/033386.html
  **/
-bool sc_should_populate_ns_group(struct sc_ns_group *group);
+void sc_fork_helper(struct sc_mount_ns *group, struct sc_apparmor *apparmor);
 
 /**
  * Preserve prepared namespace group.
  *
  * This function signals the child support process for namespace capture to
- * perform the capture and shut down. It must be called after the call to
- * sc_create_or_join_ns_group() and only when sc_should_populate_ns_group()
- * returns true.
+ * perform the capture.
  *
- * Technically this function writes to an eventfd that causes the child process
- * to wake up, bind mount /proc/$ppid/ns/mnt to /run/snapd/ns/${group_name}.mnt
- * and then exit. The parent process (the caller) then collects the child
- * process and returns.
+ * Technically this function writes to pipe that causes the child process to
+ * wake up and bind mount /proc/$ppid/ns/mnt to
+ * /run/snapd/ns/${group_name}.mnt.
+ *
+ * The helper process will wait for subsequent commands. Please call
+ * sc_wait_for_helper() to terminate it.
  **/
-void sc_preserve_populated_ns_group(struct sc_ns_group *group);
+void sc_preserve_populated_mount_ns(struct sc_mount_ns *group);
+
+void sc_preserve_populated_per_user_mount_ns(struct sc_mount_ns *group);
 
 /**
- * Discard the preserved namespace group.
+ * Ask the helper process to terminate and wait for it to finish.
  *
- * This function unmounts the bind-mounted files representing the kernel mount
- * namespace.
+ * This function asks the helper process to exit by writing an appropriate
+ * command to the pipe used for the inter process communication between the
+ * main snap-confine process and the helper and then waits for the process to
+ * terminate cleanly.
  **/
-void sc_discard_preserved_ns_group(struct sc_ns_group *group);
+void sc_wait_for_helper(struct sc_mount_ns *group);
 
 #endif
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/ns-support-test.c snapd-2.37~rc1~14.04/cmd/snap-confine/ns-support-test.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/ns-support-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/ns-support-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -35,6 +35,12 @@
 	sc_ns_dir = dir;
 }
 
+// A variant of unsetenv that is compatible with GDestroyNotify
+static void my_unsetenv(const char *k)
+{
+	unsetenv(k);
+}
+
 // Use temporary directory for namespace groups.
 //
 // The directory is automatically reset to the real value at the end of the
@@ -53,7 +59,7 @@
 		g_test_queue_free(ns_dir);
 		g_assert_cmpint(setenv("SNAP_CONFINE_NS_DIR", ns_dir, 0), ==,
 				0);
-		g_test_queue_destroy((GDestroyNotify) unsetenv,
+		g_test_queue_destroy((GDestroyNotify) my_unsetenv,
 				     "SNAP_CONFINE_NS_DIR");
 		g_test_queue_destroy((GDestroyNotify) rm_rf_tmp, ns_dir);
 	}
@@ -64,114 +70,56 @@
 
 // Check that allocating a namespace group sets up internal data structures to
 // safe values.
-static void test_sc_alloc_ns_group(void)
+static void test_sc_alloc_mount_ns(void)
 {
-	struct sc_ns_group *group = NULL;
-	group = sc_alloc_ns_group();
+	struct sc_mount_ns *group = NULL;
+	group = sc_alloc_mount_ns();
 	g_test_queue_free(group);
 	g_assert_nonnull(group);
 	g_assert_cmpint(group->dir_fd, ==, -1);
-	g_assert_cmpint(group->event_fd, ==, -1);
+	g_assert_cmpint(group->pipe_master[0], ==, -1);
+	g_assert_cmpint(group->pipe_master[1], ==, -1);
+	g_assert_cmpint(group->pipe_helper[0], ==, -1);
+	g_assert_cmpint(group->pipe_helper[1], ==, -1);
 	g_assert_cmpint(group->child, ==, 0);
-	g_assert_cmpint(group->should_populate, ==, false);
 	g_assert_null(group->name);
 }
 
 // Initialize a namespace group.
 //
 // The group is automatically destroyed at the end of the test.
-static struct sc_ns_group *sc_test_open_ns_group(const char *group_name)
+static struct sc_mount_ns *sc_test_open_mount_ns(const char *group_name)
 {
 	// Initialize a namespace group
-	struct sc_ns_group *group = NULL;
+	struct sc_mount_ns *group = NULL;
 	if (group_name == NULL) {
 		group_name = "test-group";
 	}
-	group = sc_open_ns_group(group_name, 0);
-	g_test_queue_destroy((GDestroyNotify) sc_close_ns_group, group);
+	group = sc_open_mount_ns(group_name);
+	g_test_queue_destroy((GDestroyNotify) sc_close_mount_ns, group);
 	// Check if the returned group data looks okay
 	g_assert_nonnull(group);
 	g_assert_cmpint(group->dir_fd, !=, -1);
-	g_assert_cmpint(group->event_fd, ==, -1);
+	g_assert_cmpint(group->pipe_master[0], ==, -1);
+	g_assert_cmpint(group->pipe_master[1], ==, -1);
+	g_assert_cmpint(group->pipe_helper[0], ==, -1);
+	g_assert_cmpint(group->pipe_helper[1], ==, -1);
 	g_assert_cmpint(group->child, ==, 0);
-	g_assert_cmpint(group->should_populate, ==, false);
 	g_assert_cmpstr(group->name, ==, group_name);
 	return group;
 }
 
 // Check that initializing a namespace group creates the appropriate
 // filesystem structure.
-static void test_sc_open_ns_group(void)
+static void test_sc_open_mount_ns(void)
 {
 	const char *ns_dir = sc_test_use_fake_ns_dir();
-	sc_test_open_ns_group(NULL);
+	sc_test_open_mount_ns(NULL);
 	// Check that the group directory exists
 	g_assert_true(g_file_test
 		      (ns_dir, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_DIR));
 }
 
-static void test_sc_open_ns_group_graceful(void)
-{
-	sc_set_ns_dir("/nonexistent");
-	g_test_queue_destroy((GDestroyNotify) sc_set_ns_dir, SC_NS_DIR);
-	struct sc_ns_group *group =
-	    sc_open_ns_group("foo", SC_NS_FAIL_GRACEFULLY);
-	g_assert_null(group);
-}
-
-static void unmount_dir(void *dir)
-{
-	umount(dir);
-}
-
-static void test_sc_is_ns_group_dir_private(void)
-{
-	if (geteuid() != 0) {
-		g_test_skip("this test needs to run as root");
-		return;
-	}
-	const char *ns_dir = sc_test_use_fake_ns_dir();
-	g_test_queue_destroy(unmount_dir, (char *)ns_dir);
-
-	if (g_test_subprocess()) {
-		// The temporary directory should not be private initially
-		g_assert_false(sc_is_ns_group_dir_private());
-
-		/// do what "mount --bind /foo /foo; mount --make-private /foo" does.
-		int err;
-		err = mount(ns_dir, ns_dir, NULL, MS_BIND, NULL);
-		g_assert_cmpint(err, ==, 0);
-		err = mount(NULL, ns_dir, NULL, MS_PRIVATE, NULL);
-		g_assert_cmpint(err, ==, 0);
-
-		// The temporary directory should now be private
-		g_assert_true(sc_is_ns_group_dir_private());
-		return;
-	}
-	g_test_trap_subprocess(NULL, 0, G_TEST_SUBPROCESS_INHERIT_STDERR);
-	g_test_trap_assert_passed();
-}
-
-static void test_sc_initialize_ns_groups(void)
-{
-	if (geteuid() != 0) {
-		g_test_skip("this test needs to run as root");
-		return;
-	}
-	// NOTE: this is g_test_subprocess aware!
-	const char *ns_dir = sc_test_use_fake_ns_dir();
-	g_test_queue_destroy(unmount_dir, (char *)ns_dir);
-	if (g_test_subprocess()) {
-		// Initialize namespace groups using a fake directory.
-		sc_initialize_ns_groups();
-		// Check that the fake directory is now a private mount.
-		g_assert_true(sc_is_ns_group_dir_private());
-		return;
-	}
-	g_test_trap_subprocess(NULL, 0, G_TEST_SUBPROCESS_INHERIT_STDERR);
-	g_test_trap_assert_passed();
-}
-
 // Sanity check, ensure that the namespace filesystem identifier is what we
 // expect, aka NSFS_MAGIC.
 static void test_nsfs_fs_id(void)
@@ -200,13 +148,7 @@
 
 static void __attribute__ ((constructor)) init(void)
 {
-	g_test_add_func("/ns/sc_alloc_ns_group", test_sc_alloc_ns_group);
-	g_test_add_func("/ns/sc_open_ns_group", test_sc_open_ns_group);
-	g_test_add_func("/ns/sc_open_ns_group/graceful",
-			test_sc_open_ns_group_graceful);
+	g_test_add_func("/ns/sc_alloc_mount_ns", test_sc_alloc_mount_ns);
+	g_test_add_func("/ns/sc_open_mount_ns", test_sc_open_mount_ns);
 	g_test_add_func("/ns/nsfs_fs_id", test_nsfs_fs_id);
-	g_test_add_func("/system/ns/sc_is_ns_group_dir_private",
-			test_sc_is_ns_group_dir_private);
-	g_test_add_func("/system/ns/sc_initialize_ns_groups",
-			test_sc_initialize_ns_groups);
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/quirks.c snapd-2.37~rc1~14.04/cmd/snap-confine/quirks.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/quirks.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/quirks.c	1970-01-01 00:00:00.000000000 +0000
@@ -1,230 +0,0 @@
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-#include "config.h"
-#include "quirks.h"
-
-#include <dirent.h>
-#include <string.h>
-#include <sys/mount.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include "../libsnap-confine-private/classic.h"
-#include "../libsnap-confine-private/cleanup-funcs.h"
-#include "../libsnap-confine-private/mount-opt.h"
-#include "../libsnap-confine-private/string-utils.h"
-#include "../libsnap-confine-private/utils.h"
-// XXX: for smaller patch, this should be in utils.h later
-#include "user-support.h"
-
-/**
- * Get the path to the mounted core snap in the execution environment.
- *
- * The core snap may be named just "core" (preferred) or "ubuntu-core"
- * (legacy).  The mount point does not depend on build-time configuration and
- * does not differ from distribution to distribution.
- **/
-static const char *sc_get_inner_core_mount_point(void)
-{
-	const char *core_path = "/snap/core/current/";
-	const char *ubuntu_core_path = "/snap/ubuntu-core/current/";
-	static const char *result = NULL;
-	if (result == NULL) {
-		if (access(core_path, F_OK) == 0) {
-			// Use the "core" snap if available.
-			result = core_path;
-		} else if (access(ubuntu_core_path, F_OK) == 0) {
-			// If not try to fall back to the "ubuntu-core" snap.
-			result = ubuntu_core_path;
-		} else {
-			die("cannot locate the core snap");
-		}
-	}
-	return result;
-}
-
-/**
- * Mount a tmpfs at a given directory.
- *
- * The empty tmpfs is used as a substrate to create additional directories and
- * then bind mounts to other destinations.
- *
- * It is useful to poke unexpected holes in the read-only core snap.
- **/
-static void sc_quirk_setup_tmpfs(const char *dirname)
-{
-	debug("mounting tmpfs at %s", dirname);
-	if (mount("none", dirname, "tmpfs", MS_NODEV | MS_NOSUID, NULL) != 0) {
-		die("cannot mount tmpfs at %s", dirname);
-	};
-}
-
-/**
- * Create an empty directory and bind mount something there.
- *
- * The empty directory is created at destdir. The bind mount is
- * done from srcdir to destdir. The bind mount is performed with
- * caller-defined flags.
- **/
-static void sc_quirk_mkdir_bind(const char *src_dir, const char *dest_dir,
-				unsigned flags)
-{
-	flags |= MS_BIND;
-	debug("creating empty directory at %s", dest_dir);
-	if (sc_nonfatal_mkpath(dest_dir, 0755) < 0) {
-		die("cannot create empty directory at %s", dest_dir);
-	}
-	char buf[1000] = { 0 };
-	const char *flags_str = sc_mount_opt2str(buf, sizeof buf, flags);
-	debug("performing operation: mount %s %s -o %s", src_dir, dest_dir,
-	      flags_str);
-	if (mount(src_dir, dest_dir, NULL, flags, NULL) != 0) {
-		die("cannot perform operation: mount %s %s -o %s", src_dir,
-		    dest_dir, flags_str);
-	}
-}
-
-/**
- * Create a writable mimic directory based on reference directory.
- *
- * The mimic directory is a tmpfs populated with bind mounts to the (possibly
- * read only) directories in the reference directory. While all the read-only
- * content stays read-only the actual mimic directory is writable so additional
- * content can be placed there.
- *
- * Flags are forwarded to sc_quirk_mkdir_bind()
- **/
-static void sc_quirk_create_writable_mimic(const char *mimic_dir,
-					   const char *ref_dir, unsigned flags)
-{
-	debug("creating writable mimic directory %s based on %s", mimic_dir,
-	      ref_dir);
-	sc_quirk_setup_tmpfs(mimic_dir);
-
-	// Now copy the ownership and permissions of the mimicked directory
-	struct stat stat_buf;
-	if (stat(ref_dir, &stat_buf) < 0) {
-		die("cannot stat %s", ref_dir);
-	}
-	if (chown(mimic_dir, stat_buf.st_uid, stat_buf.st_gid) < 0) {
-		die("cannot chown for %s", mimic_dir);
-	}
-	if (chmod(mimic_dir, stat_buf.st_mode) < 0) {
-		die("cannot chmod for %s", mimic_dir);
-	}
-
-	debug("bind-mounting all the files from the reference directory");
-	DIR *dirp SC_CLEANUP(sc_cleanup_closedir) = NULL;
-	dirp = opendir(ref_dir);
-	if (dirp == NULL) {
-		die("cannot open reference directory %s", ref_dir);
-	}
-	struct dirent *entryp = NULL;
-	do {
-		char src_name[PATH_MAX * 2] = { 0 };
-		char dest_name[PATH_MAX * 2] = { 0 };
-		// Set errno to zero, if readdir fails it will not only return null but
-		// set errno to a non-zero value. This is how we can differentiate
-		// end-of-directory from an actual error.
-		errno = 0;
-		entryp = readdir(dirp);
-		if (entryp == NULL && errno != 0) {
-			die("cannot read another directory entry");
-		}
-		if (entryp == NULL) {
-			break;
-		}
-		if (strcmp(entryp->d_name, ".") == 0
-		    || strcmp(entryp->d_name, "..") == 0) {
-			continue;
-		}
-		if (entryp->d_type != DT_DIR && entryp->d_type != DT_REG) {
-			die("unsupported entry type of file %s (%d)",
-			    entryp->d_name, entryp->d_type);
-		}
-		sc_must_snprintf(src_name, sizeof src_name, "%s/%s", ref_dir,
-				 entryp->d_name);
-		sc_must_snprintf(dest_name, sizeof dest_name, "%s/%s",
-				 mimic_dir, entryp->d_name);
-		sc_quirk_mkdir_bind(src_name, dest_name, flags);
-	} while (entryp != NULL);
-}
-
-/**
- * Setup a quirk for LXD.
- *
- * An existing LXD snap relies on pre-chroot behavior to access /var/lib/lxd
- * while in devmode. Since that directory doesn't exist in the core snap the
- * quirk punches a custom hole so that this directory shows the hostfs content
- * if such directory exists on the host.
- *
- * See: https://bugs.launchpad.net/snap-confine/+bug/1613845
- **/
-static void sc_setup_lxd_quirk(void)
-{
-	const char *hostfs_lxd_dir = SC_HOSTFS_DIR "/var/lib/lxd";
-	if (access(hostfs_lxd_dir, F_OK) == 0) {
-		const char *lxd_dir = "/var/lib/lxd";
-		debug("setting up quirk for LXD (see LP: #1613845)");
-		sc_quirk_mkdir_bind(hostfs_lxd_dir, lxd_dir,
-				    MS_REC | MS_SLAVE | MS_NODEV | MS_NOSUID |
-				    MS_NOEXEC);
-	}
-}
-
-void sc_setup_quirks(void)
-{
-	// because /var/lib/snapd is essential let's move it to /tmp/snapd for a sec
-	char snapd_tmp[] = "/tmp/snapd.quirks_XXXXXX";
-	if (mkdtemp(snapd_tmp) == 0) {
-		die("cannot create temporary directory for /var/lib/snapd mount point");
-	}
-	debug("performing operation: mount --move %s %s", "/var/lib/snapd",
-	      snapd_tmp);
-	if (mount("/var/lib/snapd", snapd_tmp, NULL, MS_MOVE, NULL)
-	    != 0) {
-		die("cannot perform operation: mount --move %s %s",
-		    "/var/lib/snapd", snapd_tmp);
-	}
-	// now let's make /var/lib the vanilla /var/lib from the core snap
-	char buf[PATH_MAX] = { 0 };
-	sc_must_snprintf(buf, sizeof buf, "%s/var/lib",
-			 sc_get_inner_core_mount_point());
-	sc_quirk_create_writable_mimic("/var/lib", buf,
-				       MS_RDONLY | MS_REC | MS_SLAVE | MS_NODEV
-				       | MS_NOSUID);
-	// now let's move /var/lib/snapd (that was originally there) back
-	debug("performing operation: umount %s", "/var/lib/snapd");
-	if (umount("/var/lib/snapd") != 0) {
-		die("cannot perform operation: umount %s", "/var/lib/snapd");
-	}
-	debug("performing operation: mount --move %s %s", snapd_tmp,
-	      "/var/lib/snapd");
-	if (mount(snapd_tmp, "/var/lib/snapd", NULL, MS_MOVE, NULL)
-	    != 0) {
-		die("cannot perform operation: mount --move %s %s", snapd_tmp,
-		    "/var/lib/snapd");
-	}
-	debug("performing operation: rmdir %s", snapd_tmp);
-	if (rmdir(snapd_tmp) != 0) {
-		die("cannot perform operation: rmdir %s", snapd_tmp);
-	}
-	// We are now ready to apply any quirks that relate to /var/lib
-	sc_setup_lxd_quirk();
-}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/quirks.h snapd-2.37~rc1~14.04/cmd/snap-confine/quirks.h
--- snapd-2.32.3.2~14.04/cmd/snap-confine/quirks.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/quirks.h	1970-01-01 00:00:00.000000000 +0000
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#ifndef SNAP_QUIRKS_H
-#define SNAP_QUIRKS_H
-
-/**
- * Setup various quirks that have to exists for now.
- *
- * This function applies non-standard tweaks that are required
- * because of requirement to stay compatible with certain snaps
- * that were tested with pre-chroot layout.
- **/
-void sc_setup_quirks(void);
-
-#endif
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/README.mount_namespace snapd-2.37~rc1~14.04/cmd/snap-confine/README.mount_namespace
--- snapd-2.32.3.2~14.04/cmd/snap-confine/README.mount_namespace	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/README.mount_namespace	2019-01-16 08:36:51.000000000 +0000
@@ -80,52 +80,6 @@
 mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666,mode=0"...)
 mount("/dev/pts/ptmx", "/dev/ptmx", 0x5574dfe9a5c3, MS_BIND, NULL)
 
-# Classic only - process quirks mounts by:
-#   creating temporary quirks directory for moving /var/lib/snapd aside
-mkdir("/tmp/snapd.quirks_xKIzG3", 0700) = 0
-#   moving /var/lib/snapd aside
-mount("/var/lib/snapd", "/tmp/snapd.quirks_xKIzG3", NULL, MS_MOVE, NULL) = 0
-#   creating a tmpfs on /var/lib for our mount points
-mount("none", "/var/lib", "tmpfs", MS_NOSUID|MS_NODEV, NULL) = 0
-#   mimicking the vanilla /var/lib/* from the core snap in /var/lib in tmpfs
-#   (the directories to mimic are dynamically determined and will vary as the
-#   core snap changes. Syscalls for finding what to mount and creating the
-#   mount points are omitted)
-mount("/snap/ubuntu-core/current/var/lib/apparmor", "/var/lib/apparmor", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REC|MS_SLAVE, NULL) = 0
-mount("/snap/ubuntu-core/current/var/lib/classic", "/var/lib/classic", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/console-conf", "/var/lib/console-conf", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/dbus", "/var/lib/dbus", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/dhcp", "/var/lib/dhcp", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/extrausers", "/var/lib/extrausers", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/initramfs-tools", "/var/lib/initramfs-tools", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/initscripts", "/var/lib/initscripts", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/insserv", "/var/lib/insserv", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/logrotate", "/var/lib/logrotate", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/machines", "/var/lib/machines", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/misc", "/var/lib/misc", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/pam", "/var/lib/pam", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/python", "/var/lib/python", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/resolvconf", "/var/lib/resolvconf", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/snapd", "/var/lib/snapd", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/sudo", "/var/lib/sudo", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/systemd", "/var/lib/systemd", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/ubuntu-fan", "/var/lib/ubuntu-fan", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/ucf", "/var/lib/ucf", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/update-rc.d", "/var/lib/update-rc.d", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/urandom", "/var/lib/urandom", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/vim", "/var/lib/vim", ...) = 0
-mount("/snap/ubuntu-core/current/var/lib/waagent", "/var/lib/waagent", ...) = 0
-#   unmounting the /var/lib/snapd that was just mimicked
-umount2("/var/lib/snapd", 0)
-#   moving back the /var/lib/snapd that was set aside
-mount("/tmp/snapd.quirks_xKIzG3", "/var/lib/snapd", NULL, MS_MOVE, NULL) = 0
-#   cleaning up the temporary directory
-rmdir("/tmp/snapd.quirks_xKIzG3") = 0
-#   applying the actual quirk mounts as needed (for now, lxd, but more may
-#   come). Eg:
-mount("/var/lib/snapd/hostfs/var/lib/lxd", "/var/lib/lxd", NULL, MS_REC|MS_SLAVE|MS_NODEV|MS_NOSUID|MS_NOEXEC) = 0
-# End quirk mounts on classic
-
 # Process snap-defined mounts (eg, for content interface, mount the source to
 # the target as defined in /var/lib/snapd/mount/snap.<name>.<command>.fstab)
 # Eg:
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/seccomp-support.c snapd-2.37~rc1~14.04/cmd/snap-confine/seccomp-support.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/seccomp-support.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/seccomp-support.c	2019-01-16 08:36:51.000000000 +0000
@@ -83,10 +83,7 @@
 	}
 	// strtok_r() modifies its first argument, so work on a copy
 	char *tokenized SC_CLEANUP(sc_cleanup_string) = NULL;
-	tokenized = strdup(path);
-	if (tokenized == NULL) {
-		die("cannot allocate memory for copy of path");
-	}
+	tokenized = sc_strdup(path);
 	// allocate a string large enough to hold path, and initialize it to
 	// '/'
 	size_t checked_path_size = strlen(path) + 1;
@@ -110,10 +107,7 @@
 	char *buf_token = strtok_r(tokenized, "/", &buf_saveptr);
 	while (buf_token != NULL) {
 		char *prev SC_CLEANUP(sc_cleanup_string) = NULL;
-		prev = strdup(checked_path);	// needed by vsnprintf in sc_must_snprintf
-		if (prev == NULL) {
-			die("cannot allocate memory for copy of checked_path");
-		}
+		prev = sc_strdup(checked_path);	// needed by vsnprintf in sc_must_snprintf
 		// append '<buf_token>' if checked_path is '/', otherwise '/<buf_token>'
 		if (strlen(checked_path) == 1) {
 			sc_must_snprintf(checked_path, checked_path_size,
@@ -218,7 +212,8 @@
 		.len = num_read / sizeof(struct sock_filter),
 		.filter = (struct sock_filter *)bpf,
 	};
-	if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog) != 0) {
+	if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog) !=
+	    0) {
 		if (errno == ENOSYS) {
 			debug("kernel doesn't support the seccomp(2) syscall");
 		} else if (errno == EINVAL) {
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine.apparmor.in snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine.apparmor.in
--- snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine.apparmor.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine.apparmor.in	2019-01-16 08:36:51.000000000 +0000
@@ -13,6 +13,7 @@
     # We run privileged, so be fanatical about what we include and don't use
     # any abstractions
     /etc/ld.so.cache r,
+    /etc/ld.so.preload r,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
     # libc, you are funny
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
@@ -24,6 +25,9 @@
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
     # normal libs in order
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
@@ -47,6 +51,7 @@
 
     # cgroup: devices
     capability sys_admin,
+    capability dac_read_search,
     capability dac_override,
     /sys/fs/cgroup/devices/snap{,py}.*/ w,
     /sys/fs/cgroup/devices/snap{,py}.*/tasks w,
@@ -66,7 +71,7 @@
     /etc/udev/udev.conf r,
     /sys/**/uevent r,
     /usr/lib/snapd/snap-device-helper ixr, # drop
-    /lib/udev/snappy-app-dev ixr, # drop
+    /{,usr/}lib/udev/snappy-app-dev ixr, # drop
     /run/udev/** rw,
     /{,usr/}bin/tr ixr,
     /usr/lib/locale/** r,
@@ -117,9 +122,6 @@
     # reading seccomp filters
     /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
 
-    # ensuring correct permissions in sc_quirk_create_writable_mimic
-    /{tmp/snap.rootfs_*/,}var/lib/ rw,
-
     # LP: #1668659
     mount options=(rw rbind) /snap/ -> /snap/,
     mount options=(rw rshared) -> /snap/,
@@ -139,7 +141,7 @@
     # when a distro with merged /usr and / that uses apparmor shows up it
     # should be handled here.
     /{,run/}media/ w,
-    mount options=(rw rbind) /media/ -> /tmp/snap.rootfs_*/media/,
+    mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.rootfs_*/{,run/}media/,
     /run/netns/ w,
     mount options=(rw rbind) /run/netns/ -> /tmp/snap.rootfs_*/run/netns/,
     # unidirectional mounts (only for classic system)
@@ -176,6 +178,9 @@
     mount options=(rw rbind) /run/ -> /tmp/snap.rootfs_*/run/,
     mount options=(rw rslave) -> /tmp/snap.rootfs_*/run/,
 
+    mount options=(rw rbind) /var/lib/extrausers/ -> /tmp/snap.rootfs_*/var/lib/extrausers/,
+    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/extrausers/,
+
     mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
     mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,
 
@@ -185,18 +190,23 @@
     mount options=(rw rbind) /usr/src/ -> /tmp/snap.rootfs_*/usr/src/,
     mount options=(rw rslave) -> /tmp/snap.rootfs_*/usr/src/,
 
+    mount options=(rw rbind) /mnt/ -> /tmp/snap.rootfs_*/mnt/,
+    mount options=(rw rslave) -> /tmp/snap.rootfs_*/mnt/,
+
     # allow making host snap-exec available inside base snaps
     mount options=(rw bind) @LIBEXECDIR@/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
     mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/lib/snapd/,
 
     # allow making re-execed host snap-exec available inside base snaps
     mount options=(ro bind) @SNAP_MOUNT_DIR@/core/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
+    # allow making snapd snap tools available inside base snaps
+    mount options=(ro bind) @SNAP_MOUNT_DIR@/snapd/*/usr/lib/snapd/ -> /tmp/snap.rootfs_*/usr/lib/snapd/,
 
     mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.rootfs_*/usr/bin/snapctl,
     mount options=(rw slave) -> /tmp/snap.rootfs_*/usr/bin/snapctl,
 
     # /etc/alternatives (classic)
-    mount options=(rw bind) @SNAP_MOUNT_DIR@/{,ubuntu-}core/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
+    mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/alternatives/ -> /tmp/snap.rootfs_*/etc/alternatives/,
     mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/ssl/ -> /tmp/snap.rootfs_*/etc/ssl/,
     mount options=(rw bind) @SNAP_MOUNT_DIR@/*/*/etc/nsswitch.conf -> /tmp/snap.rootfs_*/etc/nsswitch.conf,
     # /etc/alternatives (core)
@@ -210,6 +220,7 @@
     # pivot_root preparation and execution
     mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
     mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
+    # pivot_root mediation in AppArmor is not complete. See LP: #1791711
     pivot_root,
     # cleanup
     umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
@@ -218,12 +229,18 @@
     umount /var/lib/snapd/hostfs/proc/,
     mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
 
+    # set up user mount namespace
+    mount options=(rslave) -> /,
+
     # Allow reading the os-release file (possibly a symlink to /usr/lib).
     /{etc/,usr/lib/}os-release r,
 
+    # Allow creating /var/lib/snapd/hostfs, if missing
+    /var/lib/snapd/hostfs/ rw,
+
     # set up snap-specific private /tmp dir
     capability chown,
-    /tmp/ w,
+    /tmp/ rw,
     /tmp/snap.*/ w,
     /tmp/snap.*/tmp/ w,
     mount options=(rw private) ->  /tmp/,
@@ -259,12 +276,17 @@
     mount options=(rw bind) /usr/lib{,32}/nvidia-*/ -> /{tmp/snap.rootfs_*/,}var/lib/snapd/lib/gl{,32}/,
     /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/{,*} w,
     mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
-    mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
+    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/,
 
     # Vulkan support
     /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/{,*} w,
     mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
-    mount options=(remount ro) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
+    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/,
+
+    # GLVND EGL vendor
+    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/{,*} w,
+    mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
+    mount options=(remount ro bind) -> /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/,
 
     # create gl dirs as needed
     /tmp/snap.rootfs_*/ r,
@@ -276,6 +298,8 @@
     /tmp/snap.rootfs_*/var/lib/snapd/lib/gl{,32}/** rw,
     /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/ r,
     /tmp/snap.rootfs_*/var/lib/snapd/lib/vulkan/** rw,
+    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/ r,
+    /tmp/snap.rootfs_*/var/lib/snapd/lib/glvnd/** rw,
 
     # for chroot on steroids, we use pivot_root as a better chroot that makes
     # apparmor rules behave the same on classic and outside of classic.
@@ -315,35 +339,11 @@
 
     # Allow snap-confine to unmount stale mount namespaces.
     umount /run/snapd/ns/*.mnt,
+    /run/snapd/ns/snap.*.fstab w,
     # Required to correctly unmount bound mount namespace.
     # See LP: #1735459 for details.
     umount /,
 
-    # Support for the quirk system
-    /var/ r,
-    /var/lib/ r,
-    /var/lib/** rw,
-    /tmp/ r,
-    /tmp/snapd.quirks_*/ rw,
-    mount options=(move) /var/lib/snapd/ -> /tmp/snapd.quirks_*/,
-    mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/,
-    mount options=(ro rbind) /snap/{,ubuntu-}core/*/var/lib/** -> /var/lib/**,
-    umount /var/lib/snapd/,
-    mount options=(move) /tmp/snapd.quirks_*/ -> /var/lib/snapd/,
-    # On classic systems with a setuid root snap-confine when run by non-root
-    # user, the mimic_dir is created with the gid of the calling user (ie,
-    # not '0') so when setting the permissions (chmod) of the mimicked
-    # directory to that of the reference directory, a CAP_FSETID is triggered.
-    # snap-confine sets the directory up correctly, so simply silence the
-    # denial since we don't want to grant the capability as a whole to
-    # snap-confine.
-    deny capability fsetid,
-
-    # support for the LXD quirk
-    mount options=(rw rbind nodev nosuid noexec) /var/lib/snapd/hostfs/var/lib/lxd/ -> /var/lib/lxd/,
-    /var/lib/lxd/ w,
-    /var/lib/snapd/hostfs/var/lib/lxd r,
-
     # support for locking
     /run/snapd/lock/ rw,
     /run/snapd/lock/*.lock rwk,
@@ -351,6 +351,8 @@
     # support for the mount namespace sharing
     capability sys_ptrace,
     # allow snap-confine to read /proc/1/ns/mnt
+    ptrace read peer=unconfined,
+    # https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/21
     ptrace trace peer=unconfined,
 
     mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
@@ -374,6 +376,9 @@
     # https://forum.snapcraft.io/t/snapd-2-27-6-2-in-debian-sid-blocked-on-apparmor-in-kernel-4-13-0-1/2813/3
     ptrace (trace, tracedby) peer=@LIBEXECDIR@/snap-confine,
 
+    # Allow reading snap cookies.
+    /var/lib/snapd/cookie/snap.* r,
+
     # For aa_change_hat() to go into ^mount-namespace-capture-helper
     @{PROC}/[0-9]*/attr/current w,
 
@@ -392,6 +397,9 @@
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
         # normal libs in order
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
@@ -476,4 +484,14 @@
     # reported as (LP: #1716339). The variants here represent different
     # locations of snap mount directory across distributions.
     /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,
+
+    # Allow executing snap-discard-ns, just like the set for snap-update-ns
+    # above but with the key difference that snap-discard-ns does not
+    # have a dedicated profile so we need to inherit snap-confine's profile.
+
+    /usr/lib{,exec,64}/snapd/snap-discard-ns rix,
+    /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-discard-ns rix,
+    /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-discard-ns rix,
+    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-discard-ns rix,
+
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine-args.c snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine-args.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine-args.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine-args.c	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 #include <string.h>
 
 #include "../libsnap-confine-private/utils.h"
+#include "../libsnap-confine-private/string-utils.h"
 
 struct sc_args {
 	// The security tag that the application is intended to run with
@@ -119,10 +120,7 @@
 				goto out;
 
 			}
-			args->base_snap = strdup(argv[optind + 1]);
-			if (args->base_snap == NULL) {
-				die("cannot allocate memory for base snap name");
-			}
+			args->base_snap = sc_strdup(argv[optind + 1]);
 			optind += 1;
 		} else {
 			// Report unhandled option switches
@@ -148,16 +146,10 @@
 				ignore_first_tag = false;
 				continue;
 			}
-			args->security_tag = strdup(argv[optind]);
-			if (args->security_tag == NULL) {
-				die("cannot allocate memory for security tag");
-			}
+			args->security_tag = sc_strdup(argv[optind]);
 		} else if (args->executable == NULL) {
 			// The second positional argument becomes the executable name.
-			args->executable = strdup(argv[optind]);
-			if (args->executable == NULL) {
-				die("cannot allocate memory for executable name");
-			}
+			args->executable = sc_strdup(argv[optind]);
 			// No more positional arguments are required.
 			// Stop the parsing process.
 			break;
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine-args-test.c snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine-args-test.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine-args-test.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine-args-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -42,7 +42,7 @@
 		argv = realloc(argv, sizeof(const char **) * (argc + 1));
 		g_assert_nonnull(argv);
 		if (arg != NULL) {
-			char *arg_copy = strdup(arg);
+			char *arg_copy = sc_strdup(arg);
 			g_test_queue_free(arg_copy);
 			argv[argc] = arg_copy;
 			argc += 1;
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine.c snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine.c	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Canonical Ltd
+ * Copyright (C) 2015-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -20,6 +20,7 @@
 
 #include <errno.h>
 #include <glob.h>
+#include <sched.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -28,17 +29,17 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include "../libsnap-confine-private/apparmor-support.h"
 #include "../libsnap-confine-private/cgroup-freezer-support.h"
 #include "../libsnap-confine-private/classic.h"
 #include "../libsnap-confine-private/cleanup-funcs.h"
+#include "../libsnap-confine-private/feature.h"
 #include "../libsnap-confine-private/locking.h"
 #include "../libsnap-confine-private/secure-getenv.h"
 #include "../libsnap-confine-private/snap.h"
 #include "../libsnap-confine-private/utils.h"
-#include "apparmor-support.h"
 #include "mount-support.h"
 #include "ns-support.h"
-#include "quirks.h"
 #include "udev-support.h"
 #include "user-support.h"
 #include "cookie-support.h"
@@ -108,16 +109,16 @@
 		return 0;
 	}
 
-	const char *snap_name = getenv("SNAP_NAME");
-	if (snap_name == NULL) {
-		die("SNAP_NAME is not set");
+	const char *snap_instance = getenv("SNAP_INSTANCE_NAME");
+	if (snap_instance == NULL) {
+		die("SNAP_INSTANCE_NAME is not set");
 	}
-	sc_snap_name_validate(snap_name, NULL);
+	sc_instance_name_validate(snap_instance, NULL);
 
 	// Collect and validate the security tag and a few other things passed on
 	// command line.
 	const char *security_tag = sc_args_security_tag(args);
-	if (!verify_security_tag(security_tag, snap_name)) {
+	if (!verify_security_tag(security_tag, snap_instance)) {
 		die("security tag %s not allowed", security_tag);
 	}
 	const char *executable = sc_args_executable(args);
@@ -162,7 +163,7 @@
 	// Do no get snap context value if running a hook (we don't want to overwrite hook's SNAP_COOKIE)
 	if (!sc_is_hook_security_tag(security_tag)) {
 		struct sc_error *err SC_CLEANUP(sc_cleanup_error) = NULL;
-		snap_context = sc_cookie_get_from_snapd(snap_name, &err);
+		snap_context = sc_cookie_get_from_snapd(snap_instance, &err);
 		if (err != NULL) {
 			error("%s\n", sc_error_msg(err));
 		}
@@ -216,44 +217,54 @@
 			debug("ensuring that snap mount directory is shared");
 			sc_ensure_shared_snap_mount();
 			debug("unsharing snap namespace directory");
-			sc_initialize_ns_groups();
-			sc_unlock_global(global_lock_fd);
+			sc_initialize_mount_ns();
+			sc_unlock(global_lock_fd);
 
-			// Find and open snap-update-ns from the same
-			// path as where we (snap-confine) were
-			// called.
+			// Find and open snap-update-ns and snap-discard-ns from the same
+			// path as where we (snap-confine) were called.
 			int snap_update_ns_fd SC_CLEANUP(sc_cleanup_close) = -1;
 			snap_update_ns_fd = sc_open_snap_update_ns();
+			int snap_discard_ns_fd SC_CLEANUP(sc_cleanup_close) =
+			    -1;
+			snap_discard_ns_fd = sc_open_snap_discard_ns();
 
 			// Do per-snap initialization.
-			int snap_lock_fd = sc_lock(snap_name);
-			debug("initializing mount namespace: %s", snap_name);
-			struct sc_ns_group *group = NULL;
-			group = sc_open_ns_group(snap_name, 0);
-			if (sc_create_or_join_ns_group(group, &apparmor,
-						       base_snap_name,
-						       snap_name) == EAGAIN) {
-				// If the namespace was stale and was discarded we just need to
-				// try again. Since this is done with the per-snap lock held
-				// there are no races here.
-				if (sc_create_or_join_ns_group(group, &apparmor,
-							       base_snap_name,
-							       snap_name) ==
-				    EAGAIN) {
-					die("unexpectedly the namespace needs to be discarded again");
+			int snap_lock_fd = sc_lock_snap(snap_instance);
+			debug("initializing mount namespace: %s",
+			      snap_instance);
+			struct sc_mount_ns *group = NULL;
+			group = sc_open_mount_ns(snap_instance);
+
+			/* Stale mount namespace discarded or no mount namespace to
+			   join. We need to construct a new mount namespace ourselves.
+			   To capture it we will need a helper process so make one. */
+			sc_fork_helper(group, &apparmor);
+			int retval = sc_join_preserved_ns(group, &apparmor,
+							  base_snap_name,
+							  snap_instance,
+							  snap_discard_ns_fd);
+			if (retval == ESRCH) {
+				/* Create and populate the mount namespace. This performs all
+				   of the bootstrapping mounts, pivots into the new root
+				   filesystem and applies the per-snap mount profile using
+				   snap-update-ns. */
+				debug
+				    ("unsharing the mount namespace (per-snap)");
+				if (unshare(CLONE_NEWNS) < 0) {
+					die("cannot unshare the mount namespace");
 				}
-			}
-			if (sc_should_populate_ns_group(group)) {
 				sc_populate_mount_ns(&apparmor,
 						     snap_update_ns_fd,
-						     base_snap_name, snap_name);
-				sc_preserve_populated_ns_group(group);
+						     base_snap_name,
+						     snap_instance);
+
+				/* Preserve the mount namespace. */
+				sc_preserve_populated_mount_ns(group);
 			}
-			sc_close_ns_group(group);
-			// older versions of snap-confine created incorrect
-			// 777 permissions for /var/lib and we need to fixup
-			// for systems that had their NS created with an
-			// old version
+
+			/* Older versions of snap-confine created incorrect 777 permissions
+			   for /var/lib and we need to fixup for systems that had their NS
+			   created with an old version. */
 			sc_maybe_fixup_permissions();
 			sc_maybe_fixup_udev();
 
@@ -269,14 +280,49 @@
 					die("cannot set effective group id to root");
 				}
 			}
-			sc_cgroup_freezer_join(snap_name, getpid());
+			sc_cgroup_freezer_join(snap_instance, getpid());
 			if (geteuid() == 0 && real_gid != 0) {
 				if (setegid(real_gid) != 0) {
 					die("cannot set effective group id to %d", real_gid);
 				}
 			}
 
-			sc_unlock(snap_name, snap_lock_fd);
+			/* User mount profiles do not apply to non-root users. */
+			if (real_uid != 0) {
+				debug
+				    ("joining preserved per-user mount namespace");
+				retval =
+				    sc_join_preserved_per_user_ns(group,
+								  snap_instance);
+				if (retval == ESRCH) {
+					debug
+					    ("unsharing the mount namespace (per-user)");
+					if (unshare(CLONE_NEWNS) < 0) {
+						die("cannot unshare the mount namespace");
+					}
+					sc_setup_user_mounts(&apparmor,
+							     snap_update_ns_fd,
+							     snap_instance);
+					/* Preserve the mount per-user namespace. But only if the
+					 * experimental feature is enabled. This way if the feature is
+					 * disabled user mount namespaces will still exist but will be
+					 * entirely ephemeral. In addition the call
+					 * sc_join_preserved_user_ns() will never find a preserved
+					 * mount namespace and will always enter this code branch. */
+					if (sc_feature_enabled
+					    (SC_PER_USER_MOUNT_NAMESPACE)) {
+						sc_preserve_populated_per_user_mount_ns
+						    (group);
+					} else {
+						debug
+						    ("NOT preserving per-user mount namespace");
+					}
+				}
+			}
+
+			sc_unlock(snap_lock_fd);
+
+			sc_close_mount_ns(group);
 
 			// Reset path as we cannot rely on the path from the host OS to
 			// make sense. The classic distribution may use any PATH that makes
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine.rst snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine.rst
--- snapd-2.32.3.2~14.04/cmd/snap-confine/snap-confine.rst	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/snap-confine.rst	2019-01-16 08:36:51.000000000 +0000
@@ -10,7 +10,7 @@
 :Date:   2017-09-18
 :Copyright: Canonical Ltd.
 :Version: 2.28
-:Manual section: 1
+:Manual section: 8
 :Manual group: snappy
 
 SYNOPSIS
@@ -92,18 +92,6 @@
 
 As a security precaution only `bind` mounts are supported at this time.
 
-Quirks
-------
-
-`snap-confine` contains a quirk system that emulates some or the behavior of
-the older versions of snap-confine that certain snaps (still in devmode but
-useful and important) have grown to rely on. This section documents the list of
-quirks:
-
-- The `/var/lib/lxd` directory, if it exists on the host, is made available in
-  the execution environment. This allows various snaps, while running in
-  devmode, to access the LXD socket. LP: #1613845
-
 Sharing of the mount namespace
 ------------------------------
 
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/snap-device-helper snapd-2.37~rc1~14.04/cmd/snap-confine/snap-device-helper
--- snapd-2.32.3.2~14.04/cmd/snap-confine/snap-device-helper	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/snap-device-helper	2019-01-16 08:36:51.000000000 +0000
@@ -15,8 +15,19 @@
 [ -n "$DEVPATH" ] || { echo "no devpath given" >&2; exit 1; }
 [ -n "$MAJMIN" ] || { echo "no major/minor given" >&2; exit 0; }
 
-APPNAME="$( echo "$APPNAME" | tr '_' '.' )"
-app_dev_cgroup="/sys/fs/cgroup/devices/$APPNAME"
+NOSNAP="${APPNAME#snap_}"
+[ "$NOSNAP" != "$APPNAME" ] || { echo "malformed appname $APPNAME" >&2; exit 1; }
+
+if [ "${NOSNAP#*_*_}" = "${NOSNAP}" ]; then
+    # snap_<snap>_<app> -> snap.<snap>.<app>
+    SNAPAPP="snap.${NOSNAP%_*}.${NOSNAP#*_}"
+else
+    # snap_<snap>_<instance>_<app> -> snap.<snap>_<instance>.<app>
+    SNAPAPP="snap.${NOSNAP%_*}.${NOSNAP#*_*_}"
+fi
+
+DEVICES_CGROUP=${DEVICES_CGROUP:="/sys/fs/cgroup/devices"}
+app_dev_cgroup="$DEVICES_CGROUP/$SNAPAPP"
 
 # The cgroup is only present after snap start so ignore any cgroup changes
 # (eg, 'add' on boot, hotplug, hotunplug) when the cgroup doesn't exist
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/snap-device-helper-test.c snapd-2.37~rc1~14.04/cmd/snap-confine/snap-device-helper-test.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/snap-device-helper-test.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/snap-device-helper-test.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "../libsnap-confine-private/test-utils.h"
+
+#include <glib.h>
+#include <glib/gstdio.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <string.h>
+
+// TODO: build at runtime
+static const char *sdh_path_default = "snap-confine/snap-device-helper";
+
+// A variant of unsetenv that is compatible with GDestroyNotify
+static void my_unsetenv(const char *k)
+{
+	g_unsetenv(k);
+}
+
+// A variant of rm_rf_tmp that calls g_free() on its parameter
+static void rm_rf_tmp_free(gchar * dirpath)
+{
+	rm_rf_tmp(dirpath);
+	g_free(dirpath);
+}
+
+static gchar *find_sdh_path(void)
+{
+	const char *sdh_from_env = g_getenv("SNAP_DEVICE_HELPER");
+	if (sdh_from_env != NULL) {
+		return g_strdup(sdh_from_env);
+	}
+	return g_strdup(sdh_path_default);
+}
+
+static int run_sdh(gchar * action,
+		   gchar * appname, gchar * devpath, gchar * majmin)
+{
+	gchar *mod_appname = g_strdup(appname);
+	gchar *sdh_path = find_sdh_path();
+
+	// appnames have the following format:
+	// - snap.<snap>.<app>
+	// - snap.<snap>_<instance>.<app>
+	// snap-device-helper expects:
+	// - snap_<snap>_<app>
+	// - snap_<snap>_<instance>_<app>
+	for (size_t i = 0; i < strlen(mod_appname); i++) {
+		if (mod_appname[i] == '.') {
+			mod_appname[i] = '_';
+		}
+	}
+	g_debug("appname modified from %s to %s", appname, mod_appname);
+
+	GError *err = NULL;
+
+	GPtrArray *argv = g_ptr_array_new();
+	g_ptr_array_add(argv, sdh_path);
+	g_ptr_array_add(argv, action);
+	g_ptr_array_add(argv, mod_appname);
+	g_ptr_array_add(argv, devpath);
+	g_ptr_array_add(argv, majmin);
+	g_ptr_array_add(argv, NULL);
+
+	int status = 0;
+
+	gboolean ret = g_spawn_sync(NULL, (gchar **) argv->pdata, NULL, 0,
+				    NULL, NULL, NULL, NULL, &status, &err);
+	g_free(mod_appname);
+	g_free(sdh_path);
+	g_ptr_array_unref(argv);
+
+	if (!ret) {
+		g_debug("failed with: %s", err->message);
+		g_error_free(err);
+		return -2;
+	}
+
+	return WEXITSTATUS(status);
+}
+
+struct sdh_test_data {
+	char *action;
+	char *app;
+	char *file_with_data;
+	char *file_with_no_data;
+};
+
+static void test_sdh_action(gconstpointer test_data)
+{
+	struct sdh_test_data *td = (struct sdh_test_data *)test_data;
+
+	gchar *mock_dir = g_dir_make_tmp(NULL, NULL);
+	g_assert_nonnull(mock_dir);
+	g_test_queue_destroy((GDestroyNotify) rm_rf_tmp_free, mock_dir);
+
+	gchar *app_dir = g_build_filename(mock_dir, td->app, NULL);
+	gchar *with_data = g_build_filename(mock_dir,
+					    td->app,
+					    td->file_with_data,
+					    NULL);
+	gchar *without_data = g_build_filename(mock_dir,
+					       td->app,
+					       td->file_with_no_data,
+					       NULL);
+	gchar *data = NULL;
+
+	g_assert(g_mkdir_with_parents(app_dir, 0755) == 0);
+	g_free(app_dir);
+
+	g_debug("mock cgroup dir: %s", mock_dir);
+
+	g_setenv("DEVICES_CGROUP", mock_dir, TRUE);
+
+	g_test_queue_destroy((GDestroyNotify) my_unsetenv, "DEVICES_CGROUP");
+
+	int ret =
+	    run_sdh(td->action, td->app, "/devices/foo/block/sda/sda4", "8:4");
+	g_assert_cmpint(ret, ==, 0);
+	g_assert_true(g_file_get_contents(with_data, &data, NULL, NULL));
+	g_assert_cmpstr(data, ==, "b 8:4 rwm\n");
+	g_clear_pointer(&data, g_free);
+	g_assert(g_remove(with_data) == 0);
+
+	g_assert_false(g_file_get_contents(without_data, &data, NULL, NULL));
+
+	ret = run_sdh(td->action, td->app, "/devices/foo/tty/ttyS0", "4:64");
+	g_assert_cmpint(ret, ==, 0);
+	g_assert_true(g_file_get_contents(with_data, &data, NULL, NULL));
+	g_assert_cmpstr(data, ==, "c 4:64 rwm\n");
+	g_clear_pointer(&data, g_free);
+	g_assert(g_remove(with_data) == 0);
+
+	g_assert_false(g_file_get_contents(without_data, &data, NULL, NULL));
+
+	g_free(with_data);
+	g_free(without_data);
+}
+
+static void test_sdh_err(void)
+{
+	// missing appname
+	int ret = run_sdh("add", "", "/devices/foo/block/sda/sda4", "8:4");
+	g_assert_cmpint(ret, ==, 1);
+	// malformed appname
+	ret = run_sdh("add", "foo_bar", "/devices/foo/block/sda/sda4", "8:4");
+	g_assert_cmpint(ret, ==, 1);
+	// missing devpath
+	ret = run_sdh("add", "snap_foo_bar", "", "8:4");
+	g_assert_cmpint(ret, ==, 1);
+	// missing device major:minor numbers
+	ret = run_sdh("add", "snap_foo_bar", "/devices/foo/block/sda/sda4", "");
+	g_assert_cmpint(ret, ==, 0);
+
+	// mock some stuff so that we can reach the 'action' checks
+	gchar *mock_dir = g_dir_make_tmp(NULL, NULL);
+	g_assert_nonnull(mock_dir);
+	g_test_queue_destroy((GDestroyNotify) rm_rf_tmp_free, mock_dir);
+
+	gchar *app_dir = g_build_filename(mock_dir, "snap.foo.bar", NULL);
+	g_assert(g_mkdir_with_parents(app_dir, 0755) == 0);
+	g_free(app_dir);
+	g_setenv("DEVICES_CGROUP", mock_dir, TRUE);
+
+	g_test_queue_destroy((GDestroyNotify) my_unsetenv, "DEVICES_CGROUP");
+
+	ret =
+	    run_sdh("badaction", "snap_foo_bar", "/devices/foo/block/sda/sda4",
+		    "8:4");
+	g_assert_cmpint(ret, ==, 1);
+}
+
+static struct sdh_test_data add_data =
+    { "add", "snap.foo.bar", "devices.allow", "devices.deny" };
+static struct sdh_test_data change_data =
+    { "change", "snap.foo.bar", "devices.allow", "devices.deny" };
+static struct sdh_test_data remove_data =
+    { "remove", "snap.foo.bar", "devices.deny", "devices.allow" };
+static struct sdh_test_data instance_add_data =
+    { "add", "snap.foo_bar.baz", "devices.allow", "devices.deny" };
+static struct sdh_test_data instance_change_data =
+    { "change", "snap.foo_bar.baz", "devices.allow", "devices.deny" };
+static struct sdh_test_data instance_remove_data =
+    { "remove", "snap.foo_bar.baz", "devices.deny", "devices.allow" };
+
+static void __attribute__ ((constructor)) init(void)
+{
+
+	g_test_add_data_func("/snap-device-helper/add",
+			     &add_data, test_sdh_action);
+	g_test_add_data_func("/snap-device-helper/change", &change_data,
+			     test_sdh_action);
+	g_test_add_data_func("/snap-device-helper/remove", &remove_data,
+			     test_sdh_action);
+	g_test_add_func("/snap-device-helper/err", test_sdh_err);
+	g_test_add_data_func("/snap-device-helper/parallel/add",
+			     &instance_add_data, test_sdh_action);
+	g_test_add_data_func("/snap-device-helper/parallel/change",
+			     &instance_change_data, test_sdh_action);
+	g_test_add_data_func("/snap-device-helper/parallel/remove",
+			     &instance_remove_data, test_sdh_action);
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-confine/udev-support.c snapd-2.37~rc1~14.04/cmd/snap-confine/udev-support.c
--- snapd-2.32.3.2~14.04/cmd/snap-confine/udev-support.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-confine/udev-support.c	2019-01-16 08:36:51.000000000 +0000
@@ -19,7 +19,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <limits.h>
-#include <linux/kdev_t.h>
+#include <sys/sysmacros.h>
 #include <sched.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -63,12 +63,12 @@
 		}
 		debug("running snap-device-helper add %s %s %s",
 		      udev_s->tagname, path, buf);
-                // This code runs inside the core snap. We have two paths
-                // for the udev helper.
-                //
-                // First try new "snap-device-helper" path first but
-                // when running against an older core snap fallback to
-                // the old name.
+		// This code runs inside the core snap. We have two paths
+		// for the udev helper.
+		//
+		// First try new "snap-device-helper" path first but
+		// when running against an older core snap fallback to
+		// the old name.
 		if (access("/usr/lib/snapd/snap-device-helper", X_OK) == 0)
 			execle("/usr/lib/snapd/snap-device-helper",
 			       "/usr/lib/snapd/snap-device-helper", "add",
@@ -108,9 +108,7 @@
 	dev_t devnum = udev_device_get_devnum(d);
 	udev_device_unref(d);
 
-	unsigned major = MAJOR(devnum);
-	unsigned minor = MINOR(devnum);
-	_run_snappy_app_dev_add_majmin(udev_s, path, major, minor);
+	_run_snappy_app_dev_add_majmin(udev_s, path, major(devnum), minor(devnum));
 }
 
 /*
@@ -264,34 +262,34 @@
 			break;
 		}
 		_run_snappy_app_dev_add_majmin(udev_s, nv_path,
-					       MAJOR(sbuf.st_rdev),
-					       MINOR(sbuf.st_rdev));
+					       major(sbuf.st_rdev),
+					       minor(sbuf.st_rdev));
 	}
 
 	// /dev/nvidiactl
 	if (stat(nvctl_path, &sbuf) == 0) {
 		_run_snappy_app_dev_add_majmin(udev_s, nvctl_path,
-					       MAJOR(sbuf.st_rdev),
-					       MINOR(sbuf.st_rdev));
+					       major(sbuf.st_rdev),
+					       minor(sbuf.st_rdev));
 	}
 	// /dev/nvidia-uvm
 	if (stat(nvuvm_path, &sbuf) == 0) {
 		_run_snappy_app_dev_add_majmin(udev_s, nvuvm_path,
-					       MAJOR(sbuf.st_rdev),
-					       MINOR(sbuf.st_rdev));
+					       major(sbuf.st_rdev),
+					       minor(sbuf.st_rdev));
 	}
 	// /dev/nvidia-modeset
 	if (stat(nvidia_modeset_path, &sbuf) == 0) {
 		_run_snappy_app_dev_add_majmin(udev_s, nvidia_modeset_path,
-					       MAJOR(sbuf.st_rdev),
-					       MINOR(sbuf.st_rdev));
+					       major(sbuf.st_rdev),
+					       minor(sbuf.st_rdev));
 	}
 	// /dev/uhid isn't represented in sysfs, so add it to the device cgroup
 	// if it exists and let AppArmor handle the mediation
 	if (stat("/dev/uhid", &sbuf) == 0) {
 		_run_snappy_app_dev_add_majmin(udev_s, "/dev/uhid",
-					       MAJOR(sbuf.st_rdev),
-					       MINOR(sbuf.st_rdev));
+					       major(sbuf.st_rdev),
+					       minor(sbuf.st_rdev));
 	}
 	// add the assigned devices
 	while (udev_s->assigned != NULL) {
diff -Nru snapd-2.32.3.2~14.04/cmd/snapctl/main_test.go snapd-2.37~rc1~14.04/cmd/snapctl/main_test.go
--- snapd-2.32.3.2~14.04/cmd/snapctl/main_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snapctl/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -34,7 +34,7 @@
 	. "gopkg.in/check.v1"
 )
 
-func Test(t *testing.T) { TestingT(t) }
+func TestT(t *testing.T) { TestingT(t) }
 
 type snapctlSuite struct {
 	server            *httptest.Server
diff -Nru snapd-2.32.3.2~14.04/cmd/snapd/export_test.go snapd-2.37~rc1~14.04/cmd/snapd/export_test.go
--- snapd-2.32.3.2~14.04/cmd/snapd/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snapd/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,44 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"time"
+)
+
+var (
+	Run = run
+)
+
+func MockSanityCheck(f func() error) (restore func()) {
+	oldSanityCheck := sanityCheck
+	sanityCheck = f
+	return func() {
+		sanityCheck = oldSanityCheck
+	}
+}
+
+func MockCheckRunningConditionsRetryDelay(d time.Duration) (restore func()) {
+	oldCheckRunningConditionsRetryDelay := checkRunningConditionsRetryDelay
+	checkRunningConditionsRetryDelay = d
+	return func() {
+		checkRunningConditionsRetryDelay = oldCheckRunningConditionsRetryDelay
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snapd/main.go snapd-2.37~rc1~14.04/cmd/snapd/main.go
--- snapd-2.32.3.2~14.04/cmd/snapd/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snapd/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,9 +31,15 @@
 	"github.com/snapcore/snapd/errtracker"
 	"github.com/snapcore/snapd/httputil"
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/sanity"
 	"github.com/snapcore/snapd/systemd"
 )
 
+var (
+	sanityCheck = sanity.Check
+)
+
 func init() {
 	err := logger.SimpleSetup()
 	if err != nil {
@@ -45,20 +51,60 @@
 }
 
 func main() {
-	cmd.ExecInCoreSnap()
-	if err := run(); err != nil {
+	cmd.ExecInSnapdOrCoreSnap()
+
+	ch := make(chan os.Signal, 2)
+	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
+	if err := run(ch); err != nil {
+		if err == daemon.ErrRestartSocket {
+			// Note that we don't prepend: "error: " here because
+			// ErrRestartSocket is not an error as such.
+			fmt.Fprintf(os.Stdout, "%v\n", err)
+			// the exit code must be in sync with
+			// data/systemd/snapd.service.in:SuccessExitStatus=
+			os.Exit(42)
+		}
 		fmt.Fprintf(os.Stderr, "error: %v\n", err)
 		os.Exit(1)
 	}
 }
 
-func run() error {
+func runWatchdog(d *daemon.Daemon) (*time.Ticker, error) {
+	// not running under systemd
+	if os.Getenv("WATCHDOG_USEC") == "" {
+		return nil, nil
+	}
+	usec := osutil.GetenvInt64("WATCHDOG_USEC")
+	if usec == 0 {
+		return nil, fmt.Errorf("cannot parse WATCHDOG_USEC: %q", os.Getenv("WATCHDOG_USEC"))
+	}
+	dur := time.Duration(usec/2) * time.Microsecond
+	logger.Debugf("Setting up sd_notify() watchdog timer every %s", dur)
+	wt := time.NewTicker(dur)
+
+	go func() {
+		for {
+			select {
+			case <-wt.C:
+				// TODO: poke the snapd API here and
+				//       only report WATCHDOG=1 if it
+				//       replies with valid data
+				systemd.SdNotify("WATCHDOG=1")
+			case <-d.Dying():
+				return
+			}
+		}
+	}()
+
+	return wt, nil
+}
+
+var checkRunningConditionsRetryDelay = 300 * time.Second
+
+func run(ch chan os.Signal) error {
 	t0 := time.Now().Truncate(time.Millisecond)
 	httputil.SetUserAgentFromVersion(cmd.Version)
 
-	ch := make(chan os.Signal, 2)
-	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
-
 	d, err := daemon.New()
 	if err != nil {
 		return err
@@ -66,21 +112,50 @@
 	if err := d.Init(); err != nil {
 		return err
 	}
+
+	// Run sanity check now, if anything goes wrong with the
+	// check we go into "degraded" mode where we always report
+	// the given error to any snap client.
+	var checkTicker <-chan time.Time
+	var tic *time.Ticker
+	if err := sanityCheck(); err != nil {
+		degradedErr := fmt.Errorf("system does not fully support snapd: %s", err)
+		logger.Noticef("%s", degradedErr)
+		d.SetDegradedMode(degradedErr)
+		tic = time.NewTicker(checkRunningConditionsRetryDelay)
+		checkTicker = tic.C
+	}
+
 	d.Version = cmd.Version
 
 	d.Start()
 
-	// notify systemd that we are ready
-	systemd.SdNotify("READY=1")
+	watchdog, err := runWatchdog(d)
+	if err != nil {
+		return fmt.Errorf("cannot run software watchdog: %v", err)
+	}
+	if watchdog != nil {
+		defer watchdog.Stop()
+	}
+
 	logger.Debugf("activation done in %v", time.Now().Truncate(time.Millisecond).Sub(t0))
 
-	select {
-	case sig := <-ch:
-		logger.Noticef("Exiting on %s signal.\n", sig)
-	case <-d.Dying():
-		// something called Stop()
+out:
+	for {
+		select {
+		case sig := <-ch:
+			logger.Noticef("Exiting on %s signal.\n", sig)
+			break out
+		case <-d.Dying():
+			// something called Stop()
+			break out
+		case <-checkTicker:
+			if err := sanityCheck(); err == nil {
+				d.SetDegradedMode(nil)
+				tic.Stop()
+			}
+		}
 	}
 
-	systemd.SdNotify("STOPPING=1")
-	return d.Stop()
+	return d.Stop(ch)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snapd/main_test.go snapd-2.37~rc1~14.04/cmd/snapd/main_test.go
--- snapd-2.32.3.2~14.04/cmd/snapd/main_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snapd/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,112 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/testutil"
+
+	snapd "github.com/snapcore/snapd/cmd/snapd"
+)
+
+// Hook up check.v1 into the "go test" runner
+func Test(t *testing.T) { TestingT(t) }
+
+type snapdSuite struct {
+	tmpdir string
+}
+
+var _ = Suite(&snapdSuite{})
+
+func (s *snapdSuite) SetUpTest(c *C) {
+	s.tmpdir = c.MkDir()
+	for _, d := range []string{"/var/lib/snapd", "/run"} {
+		err := os.MkdirAll(filepath.Join(s.tmpdir, d), 0755)
+		c.Assert(err, IsNil)
+	}
+	dirs.SetRootDir(s.tmpdir)
+}
+
+func (s *snapdSuite) TestSanityFailGoesIntoDegradedMode(c *C) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
+	sanityErr := fmt.Errorf("foo failed")
+	sanityCalled := make(chan bool)
+	sanityClosed := false
+	restore = snapd.MockSanityCheck(func() error {
+		if !sanityClosed {
+			sanityClosed = true
+			close(sanityCalled)
+		}
+		return sanityErr
+	})
+	defer restore()
+
+	restore = snapd.MockCheckRunningConditionsRetryDelay(10 * time.Millisecond)
+	defer restore()
+
+	// run the daemon
+	ch := make(chan os.Signal)
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		err := snapd.Run(ch)
+		c.Check(err, IsNil)
+	}()
+
+	sanityCheckWasRun := false
+	select {
+	case <-time.After(5 * time.Second):
+	case _, stillOpen := <-sanityCalled:
+		c.Assert(stillOpen, Equals, false)
+		sanityCheckWasRun = true
+	}
+	c.Check(sanityCheckWasRun, Equals, true)
+	c.Check(logbuf.String(), testutil.Contains, "system does not fully support snapd: foo failed")
+
+	// verify that talking to the daemon yields the sanity error
+	// message
+	// disable keepliave as it would sometimes cause the daemon to be
+	// blocked when closing connections during graceful shutdown
+	cli := client.New(&client.Config{DisableKeepAlive: true})
+	_, err := cli.Abort("123")
+	c.Check(err, ErrorMatches, "system does not fully support snapd: foo failed")
+
+	// verify that the sysinfo command is still available
+	_, err = cli.SysInfo()
+	c.Check(err, IsNil)
+
+	// stop the daemon
+	close(ch)
+	wg.Wait()
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snapd-apparmor/snapd-apparmor snapd-2.37~rc1~14.04/cmd/snapd-apparmor/snapd-apparmor
--- snapd-2.32.3.2~14.04/cmd/snapd-apparmor/snapd-apparmor	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snapd-apparmor/snapd-apparmor	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,97 @@
+#!/bin/sh
+# This script is provided for integration with systemd on distributions where
+# apparmor profiles generated and managed by snapd are not loaded by the
+# system-wide apparmor systemd integration on early boot-up.
+#
+# Only the start operation is provided as all other activity is managed by
+# snapd as a part of the life-cycle of particular snaps.
+#
+# In addition the script assumes that the system-wide apparmor service has
+# already executed, initializing apparmor file-systems as necessary.
+
+# NOTE: This script doesn't set -e as it contains code copied from apparmor
+# init script that also does not set it. In addition the intent is to simply
+# load application profiles, as many as we can, even if for whatever reason
+# some of those fail.
+
+# The following portion is copied from /lib/apparmor/functions as shipped by Ubuntu
+# <copied-code>
+
+SECURITYFS="/sys/kernel/security"
+export AA_SFS="$SECURITYFS/apparmor"
+
+
+# Checks to see if the current container is capable of having internal AppArmor
+# profiles that should be loaded. Callers of this function should have already
+# verified that they're running inside of a container environment with
+# something like `systemd-detect-virt --container`.
+#
+# The only known container environments capable of supporting internal policy
+# are LXD and LXC environment.
+#
+# Returns 0 if the container environment is capable of having its own internal
+# policy and non-zero otherwise.
+#
+# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
+# system container technology being nested inside of a LXD/LXC container that
+# utilized an AppArmor namespace and profile stacking. The reason 0 will be
+# returned is because .ns_stacked will be "yes" and .ns_name will still match
+# "lx[dc]-*" since the nested system container technology will not have set up
+# a new AppArmor profile namespace. This will result in the nested system
+# container's boot process to experience failed policy loads but the boot
+# process should continue without any loss of functionality. This is an
+# unsupported configuration that cannot be properly handled by this function.
+is_container_with_internal_policy() {
+	ns_stacked_path="${AA_SFS}/.ns_stacked"
+	ns_name_path="${AA_SFS}/.ns_name"
+	ns_stacked
+	ns_name
+
+	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
+		return 1
+	fi
+
+	read -r ns_stacked < "$ns_stacked_path"
+	if [ "$ns_stacked" != "yes" ]; then
+		return 1
+	fi
+
+	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and
+	# "lxc-", respectively. Return non-zero for all other namespace
+	# identifiers.
+	read -r ns_name < "$ns_name_path"
+	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+	   [ "${ns_name#lxc-*}" = "$ns_name" ]; then
+		return 1
+	fi
+
+	return 0
+}
+
+# This terminates code copied from /lib/apparmor/functions on Ubuntu
+# </copied-code>
+
+case "$1" in
+	start)
+		# <copied-code>
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+				systemd-detect-virt --quiet --container && \
+				! is_container_with_internal_policy; then
+			exit 0
+		fi
+		# </copied-code>
+
+		for profile in /var/lib/snapd/apparmor/profiles/*; do
+			# Filter out profiles with names ending with ~, those are temporary files created by snapd.
+			test "${profile%\~}" != "${profile}" && continue
+			echo "$profile"
+		done | xargs \
+			-P"$(getconf _NPROCESSORS_ONLN)" \
+			apparmor_parser \
+			--replace \
+			--write-cache \
+			--cache-loc=/var/cache/apparmor \
+			-O no-expr-simplify \
+			--quiet
+		;;
+esac
diff -Nru snapd-2.32.3.2~14.04/cmd/snapd-env-generator/main.c snapd-2.37~rc1~14.04/cmd/snapd-env-generator/main.c
--- snapd-2.32.3.2~14.04/cmd/snapd-env-generator/main.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snapd-env-generator/main.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include<stdlib.h>
+#include<string.h>
+#include<stdio.h>
+#include<linux/limits.h>
+
+#include "libsnap-confine-private/string-utils.h"
+
+#include "config.h"
+
+// Systemd environment generators work since version 233 which ships
+// in Ubuntu 17.10+
+int main(int argc, char **argv)
+{
+	const char *snap_bin_dir = SNAP_MOUNT_DIR "/bin";
+
+	char *path = getenv("PATH");
+	if (path == NULL || sc_streq(path, "")) {
+		// do nothing, until systemd is fixed, see LP#1791691
+		return 0;
+	}
+	char buf[PATH_MAX + 1] = { 0 };
+	strncpy(buf, path, sizeof(buf) - 1);
+	char *s = buf;
+
+	char *tok = strsep(&s, ":");
+	while (tok != NULL) {
+		if (sc_streq(tok, snap_bin_dir))
+			return 0;
+		tok = strsep(&s, ":");
+	}
+
+	printf("PATH=%s:%s\n", path, snap_bin_dir);
+	return 0;
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snapd-env-generator/snapd-env-generator.rst snapd-2.37~rc1~14.04/cmd/snapd-env-generator/snapd-env-generator.rst
--- snapd-2.32.3.2~14.04/cmd/snapd-env-generator/snapd-env-generator.rst	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snapd-env-generator/snapd-env-generator.rst	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+=====================
+ snapd-env-generator
+=====================
+
+-----------------------------------------------
+internal tool to set /snap/bin to PATH 
+-----------------------------------------------
+
+:Author: michael.vogt@ubuntu.com
+:Date:   2018-08-31
+:Copyright: Canonical Ltd.
+:Version: 2.35
+:Manual section: 7
+:Manual group: snappy
+
+SYNOPSIS
+========
+
+	snapd-env-generator
+
+DESCRIPTION
+===========
+
+The `snapd-env-generator` is run by systemd to ensure that the snap
+bin dir (usually /snap/bin) is path of PATH.
+
+BUGS
+====
+
+Please report all bugs with https://bugs.launchpad.net/snapd/+filebug
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-discard-ns/snap-discard-ns.c snapd-2.37~rc1~14.04/cmd/snap-discard-ns/snap-discard-ns.c
--- snapd-2.32.3.2~14.04/cmd/snap-discard-ns/snap-discard-ns.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-discard-ns/snap-discard-ns.c	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Canonical Ltd
+ * Copyright (C) 2015-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -15,41 +15,208 @@
  *
  */
 
+#define _GNU_SOURCE
+
+#include <dirent.h>
 #include <errno.h>
+#include <fcntl.h>
+#include <fnmatch.h>
 #include <limits.h>
+#include <linux/magic.h>
+#include <stdio.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/vfs.h>
 #include <unistd.h>
 
+#include "../libsnap-confine-private/error.h"
 #include "../libsnap-confine-private/locking.h"
+#include "../libsnap-confine-private/snap.h"
 #include "../libsnap-confine-private/string-utils.h"
 #include "../libsnap-confine-private/utils.h"
-#include "../snap-confine/ns-support.h"
 
-int main(int argc, char **argv)
-{
-	if (argc != 2)
-		die("Usage: %s snap-name", argv[0]);
-	const char *snap_name = argv[1];
-
-	int snap_lock_fd = sc_lock(snap_name);
-	debug("initializing mount namespace: %s", snap_name);
-	struct sc_ns_group *group =
-	    sc_open_ns_group(snap_name, SC_NS_FAIL_GRACEFULLY);
-	if (group != NULL) {
-		sc_discard_preserved_ns_group(group);
-		sc_close_ns_group(group);
-	}
-	// Unlink the current mount profile, if any.
-	char profile_path[PATH_MAX] = { 0 };
-	sc_must_snprintf(profile_path, sizeof(profile_path),
-			 "/run/snapd/ns/snap.%s.fstab", snap_name);
-	if (unlink(profile_path) < 0) {
-		// Silently ignore ENOENT as the profile doens't have to be there.
-		if (errno != ENOENT) {
-			die("cannot remove current mount profile: %s",
-			    profile_path);
-		}
-	}
+#ifndef NSFS_MAGIC
+#define NSFS_MAGIC 0x6e736673
+#endif
+
+int main(int argc, char** argv) {
+    if (argc != 2 && argc != 3) {
+        printf("Usage: snap-discard-ns [--from-snap-confine] <SNAP-INSTANCE-NAME>\n");
+        return 0;
+    }
+    const char* snap_instance_name;
+    bool from_snap_confine;
+
+    if (argc == 3) {
+        if (!sc_streq(argv[1], "--from-snap-confine")) {
+            die("unexpected argument %s", argv[1]);
+        }
+        from_snap_confine = true;
+        snap_instance_name = argv[2];
+    } else {
+        from_snap_confine = false;
+        snap_instance_name = argv[1];
+    }
+
+    struct sc_error* err = NULL;
+    sc_instance_name_validate(snap_instance_name, &err);
+    sc_die_on_error(err);
+
+    int snap_lock_fd = -1;
+    if (from_snap_confine) {
+        sc_verify_snap_lock(snap_instance_name);
+    } else {
+        /* Grab the lock holding the snap instance. This prevents races from
+         * concurrently executing snap-confine. The lock is explicitly released
+         * during normal operation but it is not preserved across the life-cycle of
+         * the process anyway so no attempt is made to unlock it ahead of any call
+         * to die() */
+        snap_lock_fd = sc_lock_snap(snap_instance_name);
+    }
+    debug("discarding mount namespaces of snap %s", snap_instance_name);
+
+    const char* ns_dir_path = "/run/snapd/ns";
+    int ns_dir_fd = open(ns_dir_path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
+    if (ns_dir_fd < 0) {
+        /* The directory may legitimately not exist if no snap has started to
+         * prepare it. This is not an error condition. */
+        if (errno == ENOENT) {
+            return 0;
+        }
+        die("cannot open path %s", ns_dir_path);
+    }
+
+    /* Move to the namespace directory. This is used so that we don't need to
+     * traverse the path over and over in our upcoming umount2(2) calls. */
+    if (fchdir(ns_dir_fd) < 0) {
+        die("cannot move to directory %s", ns_dir_path);
+    }
+
+    /* Create shell patterns that describe the things we are interested in:
+     *
+     * Preserved mount namespaces to unmount and unlink:
+     * - "$SNAP_INSTANCE_NAME.mnt"
+     * - "$SNAP_INSTANCE_NAME.[0-9]+.mnt"
+     *
+     * Applied mount profiles to unlink:
+     * - "snap.$SNAP_INSTANCE_NAME.fstab"
+     * - "snap.$SNAP_INSTANCE_NAME.[0-9]+.fstab"
+     *
+     * Use PATH_MAX as the size of each buffer since those can store any file
+     * name. */
+    char sys_fstab_pattern[PATH_MAX];
+    char usr_fstab_pattern[PATH_MAX];
+    char sys_mnt_pattern[PATH_MAX];
+    char usr_mnt_pattern[PATH_MAX];
+    sc_must_snprintf(sys_fstab_pattern, sizeof sys_fstab_pattern, "snap\\.%s\\.fstab", snap_instance_name);
+    sc_must_snprintf(usr_fstab_pattern, sizeof usr_fstab_pattern, "snap\\.%s\\.*\\.fstab", snap_instance_name);
+    sc_must_snprintf(sys_mnt_pattern, sizeof sys_mnt_pattern, "%s\\.mnt", snap_instance_name);
+    sc_must_snprintf(usr_mnt_pattern, sizeof usr_mnt_pattern, "%s\\.*\\.mnt", snap_instance_name);
+
+    DIR* ns_dir = fdopendir(ns_dir_fd);
+    if (ns_dir == NULL) {
+        die("cannot fdopendir");
+    }
+    /* ns_dir_fd is now owned by ns_dir and will not be closed. */
+
+    while (true) {
+        /* Reset errno ahead of any call to readdir to differentiate errors
+         * from legitimate end of directory. */
+        errno = 0;
+        struct dirent* dent = readdir(ns_dir);
+        if (dent == NULL) {
+            if (errno != 0) {
+                die("cannot read next directory entry");
+            }
+            /* We've seen the whole directory. */
+            break;
+        }
+
+        /* We use dnet->d_name a lot so let's shorten it. */
+        const char* dname = dent->d_name;
+
+        /* Check the four patterns that we have against the name and set the
+         * two should flags to decide further actions. Note that we always
+         * unlink matching files so that is not reflected in the structure. */
+        bool should_unmount = false;
+        bool should_unlink = false;
+        struct variant {
+            const char* pattern;
+            bool unmount;
+        };
+        struct variant variants[4] = {
+            {.pattern = sys_mnt_pattern, .unmount = true},
+            {.pattern = usr_mnt_pattern, .unmount = true},
+            {.pattern = sys_fstab_pattern},
+            {.pattern = usr_fstab_pattern},
+        };
+        for (size_t i = 0; i < sizeof variants / sizeof *variants; ++i) {
+            struct variant* v = &variants[i];
+            debug("checking if %s matches %s", dname, v->pattern);
+            int match_result = fnmatch(v->pattern, dname, 0);
+            if (match_result == FNM_NOMATCH) {
+                continue;
+            } else if (match_result == 0) {
+                should_unmount |= v->unmount;
+                should_unlink = true;
+                debug("file %s matches pattern %s", dname, v->pattern);
+                /* One match is enough. */
+                break;
+            } else if (match_result < 0) {
+                die("cannot execute match against pattern %s", v->pattern);
+            }
+        }
+
+        /* Stat the candidate directory entry to know what we are dealing with.
+         */
+        struct stat file_info;
+        if (fstatat(ns_dir_fd, dname, &file_info, AT_SYMLINK_NOFOLLOW) < 0) {
+            die("cannot inspect file %s", dname);
+        }
+
+        /* We are only interested in regular files. The .mnt files, even if
+         * bind-mounted, appear as regular files and not as symbolic links due
+         * to the peculiarities of the Linux kernel. */
+        if (!S_ISREG(file_info.st_mode)) {
+            continue;
+        }
+
+        if (should_unmount) {
+            /* If we are asked to unmount the file double check that it is
+             * really a preserved mount namespace since the error code from
+             * umount2(2) is inconclusive. */
+            int path_fd = openat(ns_dir_fd, dname, O_PATH | O_CLOEXEC | O_NOFOLLOW);
+            if (path_fd < 0) {
+                die("cannot open path %s", dname);
+            }
+            struct statfs fs_info;
+            if (fstatfs(path_fd, &fs_info) < 0) {
+                die("cannot inspect file-system at %s", dname);
+            }
+            close(path_fd);
+            if (fs_info.f_type == NSFS_MAGIC || fs_info.f_type == PROC_SUPER_MAGIC) {
+                debug("unmounting %s", dname);
+                if (umount2(dname, MNT_DETACH | UMOUNT_NOFOLLOW) < 0) {
+                    die("cannot unmount %s", dname);
+                }
+            }
+        }
+
+        if (should_unlink) {
+            debug("unlinking %s", dname);
+            if (unlinkat(ns_dir_fd, dname, 0) < 0) {
+                die("cannot unlink %s", dname);
+            }
+        }
+    }
 
-	sc_unlock(snap_name, snap_lock_fd);
-	return 0;
+    /* Close the directory and release the lock, we're done. */
+    if (closedir(ns_dir) < 0) {
+        die("cannot close directory");
+    }
+    if (snap_lock_fd != -1) {
+        sc_unlock(snap_lock_fd);
+    }
+    return 0;
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-discard-ns/snap-discard-ns.rst snapd-2.37~rc1~14.04/cmd/snap-discard-ns/snap-discard-ns.rst
--- snapd-2.32.3.2~14.04/cmd/snap-discard-ns/snap-discard-ns.rst	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-discard-ns/snap-discard-ns.rst	2019-01-16 08:36:51.000000000 +0000
@@ -7,16 +7,16 @@
 ------------------------------------------------------------------------
 
 :Author: zygmunt.krynicki@canonical.com
-:Date:   2016-10-05
+:Date:   2018-10-17
 :Copyright: Canonical Ltd.
-:Version: 1.0.43
+:Version: 2.36
 :Manual section: 5
 :Manual group: snappy
 
 SYNOPSIS
 ========
 
-	snap-discard-ns SNAP_NAME
+	snap-discard-ns [--from-snap-confine] SNAP_INSTANCE_NAME
 
 DESCRIPTION
 ===========
@@ -27,7 +27,8 @@
 OPTIONS
 =======
 
-The `snap-discard-ns` program does not support any options.
+The --from-snap-confine option is used internally by snap-confine to tell
+snap-discard-ns that it is invoked from snap-confine and can disable locking.
 
 ENVIRONMENT
 ===========
@@ -43,11 +44,19 @@
 
 `snap-discard-ns` uses the following files:
 
-`/run/snapd/ns/$SNAP_NAME.mnt`:
+`/run/snapd/ns/$SNAP_INSTNACE_NAME.mnt`:
+`/run/snapd/ns/$SNAP_INSTNACE_NAME.*.mnt`:
 
-    The preserved mount namespace that is unmounted by `snap-discard-ns`.
+    The preserved mount namespace that is unmounted and removed by
+    `snap-discard-ns`. The second form is for the per-user mount namespace.
+
+`/run/snapd/ns/snap.$SNAP_INSTNACE_NAME.fstab`:
+`/run/snapd/ns/snap.$SNAP_INSTNACE_NAME.*.fstab`:
+
+    The current mount profile of a preserved mount namespace that is removed
+    by `snap-discard-ns`.
 
 BUGS
 ====
 
-Please report all bugs with https://bugs.launchpad.net/snap-confine/+filebug
+Please report all bugs with https://bugs.launchpad.net/snapd/+filebug
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-exec/main.go snapd-2.37~rc1~14.04/cmd/snap-exec/main.go
--- snapd-2.32.3.2~14.04/cmd/snap-exec/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-exec/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -124,6 +124,17 @@
 	return cmd, nil
 }
 
+func absoluteCommandChain(snapInfo *snap.Info, commandChain []string) []string {
+	chain := make([]string, 0, len(commandChain))
+	snapMountDir := snapInfo.MountDir()
+
+	for _, element := range commandChain {
+		chain = append(chain, filepath.Join(snapMountDir, element))
+	}
+
+	return chain
+}
+
 // expandEnvCmdArgs takes the string list of commandline arguments
 // and expands any $VAR with the given var from the env argument.
 func expandEnvCmdArgs(args []string, env map[string]string) []string {
@@ -200,6 +211,9 @@
 	}
 	fullCmd = append(fullCmd, cmdArgs...)
 	fullCmd = append(fullCmd, args...)
+
+	fullCmd = append(absoluteCommandChain(app.Snap, app.CommandChain), fullCmd...)
+
 	if err := syscallExec(fullCmd[0], fullCmd, env); err != nil {
 		return fmt.Errorf("cannot exec %q: %s", fullCmd[0], err)
 	}
@@ -229,6 +243,6 @@
 	env := append(os.Environ(), osutil.SubstituteEnv(hook.Env())...)
 
 	// run the hook
-	hookPath := filepath.Join(hook.Snap.HooksDir(), hook.Name)
-	return syscallExec(hookPath, []string{hookPath}, env)
+	cmd := append(absoluteCommandChain(hook.Snap, hook.CommandChain), filepath.Join(hook.Snap.HooksDir(), hook.Name))
+	return syscallExec(cmd[0], cmd, env)
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-exec/main_test.go snapd-2.37~rc1~14.04/cmd/snap-exec/main_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-exec/main_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-exec/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -65,6 +65,11 @@
    BASE_PATH: /some/path
    LD_LIBRARY_PATH: ${BASE_PATH}/lib
    MY_PATH: $PATH
+ app2:
+  command: run-app2
+  stop-command: stop-app2
+  post-stop-command: post-stop-app2
+  command-chain: [chain1, chain2]
  nostop:
   command: nostop
 `)
@@ -75,6 +80,13 @@
  configure:
 `)
 
+var mockHookCommandChainYaml = []byte(`name: snapname
+version: 1.0
+hooks:
+ configure:
+  command-chain: [chain1, chain2]
+`)
+
 var binaryTemplate = `#!/bin/sh
 echo "$(basename $0)" >> %[1]q
 for arg in "$@"; do
@@ -155,6 +167,51 @@
 	c.Check(execEnv, testutil.Contains, fmt.Sprintf("MY_PATH=%s", os.Getenv("PATH")))
 }
 
+func (s *snapExecSuite) TestSnapExecAppCommandChainIntegration(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	snaptest.MockSnap(c, string(mockYaml), &snap.SideInfo{
+		Revision: snap.R("42"),
+	})
+
+	execArgv0 := ""
+	execArgs := []string{}
+	restore := snapExec.MockSyscallExec(func(argv0 string, argv []string, env []string) error {
+		execArgv0 = argv0
+		execArgs = argv
+		return nil
+	})
+	defer restore()
+
+	chain1_path := fmt.Sprintf("%s/snapname/42/chain1", dirs.SnapMountDir)
+	chain2_path := fmt.Sprintf("%s/snapname/42/chain2", dirs.SnapMountDir)
+	app_path := fmt.Sprintf("%s/snapname/42/run-app2", dirs.SnapMountDir)
+	stop_path := fmt.Sprintf("%s/snapname/42/stop-app2", dirs.SnapMountDir)
+	post_stop_path := fmt.Sprintf("%s/snapname/42/post-stop-app2", dirs.SnapMountDir)
+
+	for _, t := range []struct {
+		cmd      string
+		args     []string
+		expected []string
+	}{
+		// Normal command
+		{expected: []string{chain1_path, chain2_path, app_path}},
+		{args: []string{"arg1", "arg2"}, expected: []string{chain1_path, chain2_path, app_path, "arg1", "arg2"}},
+
+		// Stop command
+		{cmd: "stop", expected: []string{chain1_path, chain2_path, stop_path}},
+		{cmd: "stop", args: []string{"arg1", "arg2"}, expected: []string{chain1_path, chain2_path, stop_path, "arg1", "arg2"}},
+
+		// Post-stop command
+		{cmd: "post-stop", expected: []string{chain1_path, chain2_path, post_stop_path}},
+		{cmd: "post-stop", args: []string{"arg1", "arg2"}, expected: []string{chain1_path, chain2_path, post_stop_path, "arg1", "arg2"}},
+	} {
+		err := snapExec.ExecApp("snapname.app2", "42", t.cmd, t.args)
+		c.Assert(err, IsNil)
+		c.Check(execArgv0, Equals, t.expected[0])
+		c.Check(execArgs, DeepEquals, t.expected)
+	}
+}
+
 func (s *snapExecSuite) TestSnapExecHookIntegration(c *C) {
 	dirs.SetRootDir(c.MkDir())
 	snaptest.MockSnap(c, string(mockHookYaml), &snap.SideInfo{
@@ -177,6 +234,31 @@
 	c.Check(execArgs, DeepEquals, []string{execArgv0})
 }
 
+func (s *snapExecSuite) TestSnapExecHookCommandChainIntegration(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	snaptest.MockSnap(c, string(mockHookCommandChainYaml), &snap.SideInfo{
+		Revision: snap.R("42"),
+	})
+
+	execArgv0 := ""
+	execArgs := []string{}
+	restore := snapExec.MockSyscallExec(func(argv0 string, argv []string, env []string) error {
+		execArgv0 = argv0
+		execArgs = argv
+		return nil
+	})
+	defer restore()
+
+	chain1_path := fmt.Sprintf("%s/snapname/42/chain1", dirs.SnapMountDir)
+	chain2_path := fmt.Sprintf("%s/snapname/42/chain2", dirs.SnapMountDir)
+	hook_path := fmt.Sprintf("%s/snapname/42/meta/hooks/configure", dirs.SnapMountDir)
+
+	err := snapExec.ExecHook("snapname", "42", "configure")
+	c.Assert(err, IsNil)
+	c.Check(execArgv0, Equals, chain1_path)
+	c.Check(execArgs, DeepEquals, []string{chain1_path, chain2_path, hook_path})
+}
+
 func (s *snapExecSuite) TestSnapExecHookMissingHookIntegration(c *C) {
 	dirs.SetRootDir(c.MkDir())
 	snaptest.MockSnap(c, string(mockHookYaml), &snap.SideInfo{
@@ -311,6 +393,14 @@
 	c.Check(execArgv0, Equals, "/bin/bash")
 	c.Check(execArgs, DeepEquals, []string{execArgv0, "-c", "echo foo"})
 	c.Check(execEnv, testutil.Contains, "LD_LIBRARY_PATH=/some/path/lib")
+
+	// launch and verify shell still runs the command chain
+	err = snapExec.ExecApp("snapname.app2", "42", "shell", []string{"-c", "echo foo"})
+	c.Assert(err, IsNil)
+	chain1 := fmt.Sprintf("%s/snapname/42/chain1", dirs.SnapMountDir)
+	chain2 := fmt.Sprintf("%s/snapname/42/chain2", dirs.SnapMountDir)
+	c.Check(execArgv0, Equals, chain1)
+	c.Check(execArgs, DeepEquals, []string{chain1, chain2, "/bin/bash", "-c", "echo foo"})
 }
 
 func (s *snapExecSuite) TestSnapExecAppIntegrationWithVars(c *C) {
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-failure/cmd_snapd.go snapd-2.37~rc1~14.04/cmd/snap-failure/cmd_snapd.go
--- snapd-2.32.3.2~14.04/cmd/snap-failure/cmd_snapd.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-failure/cmd_snapd.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,130 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+)
+
+func init() {
+	const (
+		short = "Run snapd failure handling"
+		long  = ""
+	)
+
+	if _, err := parser.AddCommand("snapd", short, long, &cmdSnapd{}); err != nil {
+		panic(err)
+	}
+
+}
+
+// We do not import anything from snapd here for safety reasons so make a
+// copy of the relevant struct data we care about.
+type sideInfo struct {
+	Revision string `json:"revision"`
+}
+
+type snapSeq struct {
+	Current  string      `json:"current"`
+	Sequence []*sideInfo `json:"sequence"`
+}
+
+type cmdSnapd struct{}
+
+var errNoSnapd = errors.New("no snapd sequence file found")
+
+func prevRevision(snapName string) (string, error) {
+	seqFile := filepath.Join(dirs.SnapSeqDir, snapName+".json")
+	content, err := ioutil.ReadFile(seqFile)
+	if os.IsNotExist(err) {
+		return "", errNoSnapd
+	}
+	if err != nil {
+		return "", err
+	}
+
+	var seq snapSeq
+	if err := json.Unmarshal(content, &seq); err != nil {
+		return "", err
+	}
+
+	var prev string
+	for i, si := range seq.Sequence {
+		if seq.Current == si.Revision {
+			if i == 0 {
+				return "", fmt.Errorf("no revision to go back to")
+			}
+			prev = seq.Sequence[i-1].Revision
+			break
+		}
+	}
+	if prev == "" {
+		return "", fmt.Errorf("internal error: current not found in sequence: %v %v", seq.Current, seq.Sequence)
+	}
+
+	return prev, nil
+}
+
+// FIXME: also do error reporting via errtracker
+func (c *cmdSnapd) Execute(args []string) error {
+	// find previous snapd
+	prevRev, err := prevRevision("snapd")
+	if err != nil {
+		if err == errNoSnapd {
+			return nil
+		}
+		return err
+	}
+	// stop the socket unit so that we can start snapd on its own
+	output, err := exec.Command("systemctl", "stop", "snapd.socket").CombinedOutput()
+	if err != nil {
+		return osutil.OutputErr(output, err)
+	}
+
+	// start previous snapd
+	snapdPath := filepath.Join(dirs.SnapMountDir, "snapd", prevRev, "/usr/lib/snapd/snapd")
+	cmd := exec.Command(snapdPath)
+	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env, "SNAPD_REVERT_TO_REV="+prevRev)
+	output, err = cmd.CombinedOutput()
+	if err != nil {
+		return osutil.OutputErr(output, err)
+	}
+
+	// at this point our manually started snapd stopped and
+	// removed the /run/snap* sockets (this is a feature of
+	// golang) - we need to restart snapd.socket to make them
+	// available again.
+	output, err = exec.Command("systemctl", "restart", "snapd.socket").CombinedOutput()
+	if err != nil {
+		return osutil.OutputErr(output, err)
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-failure/cmd_snapd_test.go snapd-2.37~rc1~14.04/cmd/snap-failure/cmd_snapd_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-failure/cmd_snapd_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-failure/cmd_snapd_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,38 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"os"
+
+	. "gopkg.in/check.v1"
+
+	failure "github.com/snapcore/snapd/cmd/snap-failure"
+)
+
+func (r *failureSuite) TestRun(c *C) {
+	origArgs := os.Args
+	defer func() { os.Args = origArgs }()
+	os.Args = []string{"snap-failure", "snapd"}
+	err := failure.Run()
+	c.Check(err, IsNil)
+	c.Check(r.Stdout(), HasLen, 0)
+	c.Check(r.Stderr(), HasLen, 0)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-failure/export_test.go snapd-2.37~rc1~14.04/cmd/snap-failure/export_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-failure/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-failure/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,25 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+var (
+	Run       = run
+	ParseArgs = parseArgs
+)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-failure/main.go snapd-2.37~rc1~14.04/cmd/snap-failure/main.go
--- snapd-2.32.3.2~14.04/cmd/snap-failure/main.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-failure/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,77 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	// TODO: consider not using go-flags at all
+	"github.com/jessevdk/go-flags"
+
+	"github.com/snapcore/snapd/logger"
+)
+
+var (
+	Stdout io.Writer = os.Stdout
+	Stderr io.Writer = os.Stderr
+
+	opts   struct{}
+	parser *flags.Parser = flags.NewParser(&opts, flags.HelpFlag|flags.PassDoubleDash|flags.PassAfterNonOption)
+)
+
+const (
+	shortHelp = "Handle snapd daemon failures"
+	longHelp  = `
+snap-failure is a tool that handles failures of the snapd daemon and
+reverts if appropriate.
+`
+)
+
+func init() {
+	err := logger.SimpleSetup()
+	if err != nil {
+		fmt.Fprintf(Stderr, "WARNING: failed to activate logging: %v\n", err)
+	}
+}
+
+func main() {
+	if err := run(); err != nil {
+		fmt.Fprintf(Stderr, "error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	if err := parseArgs(os.Args[1:]); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func parseArgs(args []string) error {
+	parser.ShortDescription = shortHelp
+	parser.LongDescription = longHelp
+
+	_, err := parser.ParseArgs(args)
+	return err
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-failure/main_test.go snapd-2.37~rc1~14.04/cmd/snap-failure/main_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-failure/main_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-failure/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,75 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"bytes"
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	failure "github.com/snapcore/snapd/cmd/snap-failure"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/testutil"
+)
+
+// Hook up check.v1 into the "go test" runner
+func Test(t *testing.T) { TestingT(t) }
+
+type failureSuite struct {
+	testutil.BaseTest
+
+	rootdir string
+
+	stdout *bytes.Buffer
+	stderr *bytes.Buffer
+}
+
+func (r *failureSuite) SetUpTest(c *C) {
+	r.stdout = bytes.NewBuffer(nil)
+	r.stderr = bytes.NewBuffer(nil)
+
+	oldStdout := failure.Stdout
+	r.AddCleanup(func() { failure.Stdout = oldStdout })
+	failure.Stdout = r.stdout
+
+	oldStderr := failure.Stderr
+	r.AddCleanup(func() { failure.Stderr = oldStderr })
+	failure.Stderr = r.stderr
+
+	r.rootdir = c.MkDir()
+	dirs.SetRootDir(r.rootdir)
+	r.AddCleanup(func() { dirs.SetRootDir("/") })
+}
+
+func (r *failureSuite) Stdout() string {
+	return r.stdout.String()
+}
+
+func (r *failureSuite) Stderr() string {
+	return r.stderr.String()
+}
+
+var _ = Suite(&failureSuite{})
+
+func (r *failureSuite) TestUnknownArg(c *C) {
+	err := failure.ParseArgs([]string{})
+	c.Check(err, ErrorMatches, "Please specify the snapd command")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-mgmt/snap-mgmt.sh.in snapd-2.37~rc1~14.04/cmd/snap-mgmt/snap-mgmt.sh.in
--- snapd-2.32.3.2~14.04/cmd/snap-mgmt/snap-mgmt.sh.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-mgmt/snap-mgmt.sh.in	2019-01-16 08:36:51.000000000 +0000
@@ -33,7 +33,7 @@
 }
 
 purge() {
-    # debian-9, fedora-27, ubuntu-16.04...
+    # shellcheck disable=SC1091
     distribution=$(. /etc/os-release; echo "${ID}-${VERSION_ID}")
 
     if [ "$distribution" = "ubuntu-14.04" ]; then
@@ -49,9 +49,9 @@
 
     units=$(systemctl list-unit-files --no-legend --full | grep -vF snap.mount.service || true)
     # *.snap mount points
-    mounts=$(echo "$units" | grep "^${SNAP_UNIT_PREFIX}[-.].*\.mount" | cut -f1 -d ' ')
+    mounts=$(echo "$units" | grep "^${SNAP_UNIT_PREFIX}[-.].*\\.mount" | cut -f1 -d ' ')
     # services from snaps
-    services=$(echo "$units" | grep "^snap\..*\.service" | cut -f1 -d ' ')
+    services=$(echo "$units" | grep '^snap\..*\.service' | cut -f1 -d ' ')
     for unit in $services $mounts; do
         # ensure its really a snap mount unit or systemd unit
         if ! grep -q 'What=/var/lib/snapd/snaps/' "/etc/systemd/system/$unit" && ! grep -q 'X-Snappy=yes' "/etc/systemd/system/$unit"; then
@@ -62,7 +62,7 @@
         echo "Stopping $unit"
         systemctl_stop "$unit"
 
-        if echo "$unit" | grep -q ".*\.mount" ; then
+        if echo "$unit" | grep -q '.*\.mount' ; then
             # Transform ${SNAP_MOUNT_DIR}/core/3440 -> core/3440 removing any
             # extra / preceding snap name, eg:
             #  /var/lib/snapd/snap/core/3440  -> core/3440
@@ -100,10 +100,12 @@
                 # udev rules
                 find /etc/udev/rules.d -name "*-snap.${snap}.rules" -execdir rm -f "{}" \;
                 # dbus policy files
-                find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+                if [ -d /etc/dbus-1/system.d ]; then
+                    find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+                fi
                 # timer files
                 find /etc/systemd/system -name "snap.${snap}.*.timer" | while read -r f; do
-                    systemctl_stop "$(basename $f)"
+                    systemctl_stop "$(basename "$f")"
                     rm -f "$f"
                 done
             fi
@@ -117,13 +119,13 @@
     echo "Discarding preserved snap namespaces"
     # opportunistic as those might not be actually mounted
     if [ -d /run/snapd/ns ]; then
-        if [ $(ls /run/snapd/ns/*.mnt | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.mnt" | wc -l)" -gt 0 ]; then
             for mnt in /run/snapd/ns/*.mnt; do
                 umount -l "$mnt" || true
                 rm -f "$mnt"
             done
         fi
-        if [ $(ls /run/snapd/ns/*.fstab | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.fstab" | wc -l)" -gt 0 ]; then
             for fstab in /run/snapd/ns/*.fstab; do
                 rm -f "$fstab"
             done
@@ -134,6 +136,9 @@
     echo "Removing downloaded snaps"
     rm -rf /var/lib/snapd/snaps/*
 
+    echo "Removing features exported from snapd to helper tools"
+    rm -rf /var/lib/snapd/features
+
     echo "Final directory cleanup"
     rm -rf "${SNAP_MOUNT_DIR}"
     rm -rf /var/snap
@@ -145,7 +150,11 @@
     rm -rf /var/lib/snapd/assertions/*
     rm -rf /var/lib/snapd/cookie/*
     rm -rf /var/lib/snapd/cache/*
+    rm -rf /var/lib/snapd/mount/*
+    rm -rf /var/lib/snapd/sequence/*
+    rm -rf /var/lib/snapd/apparmor/*
     rm -f /var/lib/snapd/state.json
+    rm -f /var/lib/snapd/system-key
 
     echo "Removing snapd catalog cache"
     rm -f /var/cache/snapd/*
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-repair/export_test.go snapd-2.37~rc1~14.04/cmd/snap-repair/export_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-repair/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-repair/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,7 +30,6 @@
 )
 
 var (
-	Parser    = parser
 	ParseArgs = parseArgs
 	Run       = run
 )
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-repair/runner.go snapd-2.37~rc1~14.04/cmd/snap-repair/runner.go
--- snapd-2.32.3.2~14.04/cmd/snap-repair/runner.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-repair/runner.go	2019-01-16 08:36:51.000000000 +0000
@@ -281,7 +281,7 @@
 	run := &Runner{
 		sequenceNext: make(map[string]int),
 	}
-	opts := httputil.ClientOpts{
+	opts := httputil.ClientOptions{
 		MayLogBody: false,
 		TLSConfig: &tls.Config{
 			Time: run.now,
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-seccomp/main.go snapd-2.37~rc1~14.04/cmd/snap-seccomp/main.go
--- snapd-2.32.3.2~14.04/cmd/snap-seccomp/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-seccomp/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -41,6 +41,7 @@
 //#include <sys/stat.h>
 //#include <sys/types.h>
 //#include <sys/utsname.h>
+//#include <sys/ptrace.h>
 //#include <termios.h>
 //#include <unistd.h>
 // //The XFS interface requires a 64 bit file system interface
@@ -144,6 +145,29 @@
 //		return htobe64(val);
 //}
 //
+// /* Define missing ptrace constants. They are available on some architectures
+//    only but the missing values are not reused on architectures that lack them.
+//    As such we can simply define the missing pair and have a simpler cross-arch
+//    code to support. */
+//
+// #ifndef PTRACE_GETREGS
+// #define PTRACE_GETREGS 12
+// #endif
+// #ifndef PTRACE_SETREGS
+// #define PTRACE_SETREGS 13
+// #endif
+// #ifndef PTRACE_GETFPREGS
+// #define PTRACE_GETFPREGS 14
+// #endif
+// #ifndef PTRACE_SETFPREGS
+// #define PTRACE_SETFPREGS 15
+// #endif
+// #ifndef PTRACE_GETFPXREGS
+// #define PTRACE_GETFPXREGS 18
+// #endif
+// #ifndef PTRACE_SETFPXREGS
+// #define PTRACE_SETFPXREGS 19
+// #endif
 import "C"
 
 import (
@@ -388,13 +412,20 @@
 	"NETLINK_RDMA":           C.NETLINK_RDMA,
 	"NETLINK_CRYPTO":         C.NETLINK_CRYPTO,
 	"NETLINK_INET_DIAG":      C.NETLINK_INET_DIAG, // synonymous with NETLINK_SOCK_DIAG
-}
 
-const (
-	SeccompRetAllow = C.SECCOMP_RET_ALLOW
-	SeccompRetKill  = C.SECCOMP_RET_KILL
-	SeccompRetLog   = C.SECCOMP_RET_LOG
-)
+	// man 2 ptrace
+	"PTRACE_ATTACH":     C.PTRACE_ATTACH,
+	"PTRACE_DETACH":     C.PTRACE_DETACH,
+	"PTRACE_GETREGS":    C.PTRACE_GETREGS,
+	"PTRACE_GETFPREGS":  C.PTRACE_GETFPREGS,
+	"PTRACE_GETFPXREGS": C.PTRACE_GETFPXREGS,
+	"PTRACE_GETREGSET":  C.PTRACE_GETREGSET,
+	"PTRACE_PEEKDATA":   C.PTRACE_PEEKDATA,
+	// <linux/ptrace.h> and <sys/ptrace.h> have different spellings for PEEKUS{,E}R
+	"PTRACE_PEEKUSR":  C.PTRACE_PEEKUSER,
+	"PTRACE_PEEKUSER": C.PTRACE_PEEKUSER,
+	"PTRACE_CONT":     C.PTRACE_CONT,
+}
 
 // UbuntuArchToScmpArch takes a dpkg architecture and converts it to
 // the seccomp.ScmpArch as used in the libseccomp-golang library
@@ -420,31 +451,6 @@
 	panic(fmt.Sprintf("cannot map ubuntu arch %q to a seccomp arch", ubuntuArch))
 }
 
-// ScmpArchToSeccompNativeArch takes a seccomp.ScmpArch and converts
-// it into the native kernel architecture uint32. This is required for
-// the tests to simulate the bpf kernel behaviour.
-func ScmpArchToSeccompNativeArch(scmpArch seccomp.ScmpArch) uint32 {
-	switch scmpArch {
-	case seccomp.ArchAMD64:
-		return C.SCMP_ARCH_X86_64
-	case seccomp.ArchARM64:
-		return C.SCMP_ARCH_AARCH64
-	case seccomp.ArchARM:
-		return C.SCMP_ARCH_ARM
-	case seccomp.ArchPPC64:
-		return C.SCMP_ARCH_PPC64
-	case seccomp.ArchPPC64LE:
-		return C.SCMP_ARCH_PPC64LE
-	case seccomp.ArchPPC:
-		return C.SCMP_ARCH_PPC
-	case seccomp.ArchS390X:
-		return C.SCMP_ARCH_S390X
-	case seccomp.ArchX86:
-		return C.SCMP_ARCH_X86
-	}
-	panic(fmt.Sprintf("cannot map scmpArch %q to a native seccomp arch", scmpArch))
-}
-
 // important for unit testing
 type SeccompData C.kernel_seccomp_data
 
@@ -464,7 +470,6 @@
 	if value, ok := seccompResolver[token]; ok {
 		return value, nil
 	}
-
 	// Negative numbers are not supported yet, but when they are,
 	// adjust this accordingly
 	return strconv.ParseUint(token, 10, 64)
@@ -711,7 +716,8 @@
 	if err != nil {
 		return err
 	}
-	defer fout.Close()
+	// Cancel once Committed is a NOP
+	defer fout.Cancel()
 
 	if err := secFilter.ExportBPF(fout.File); err != nil {
 		return err
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-seccomp/main_test.go snapd-2.37~rc1~14.04/cmd/snap-seccomp/main_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-seccomp/main_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-seccomp/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -748,7 +748,10 @@
 	// while 'root' user usually has uid 0, 'daemon' user uid may vary
 	// across distributions, best lookup the uid directly
 	daemonUid, err := osutil.FindUid("daemon")
-	c.Assert(err, IsNil)
+
+	if err != nil {
+		c.Skip("daemon user not available, perhaps we are in a buildroot jail")
+	}
 
 	for _, t := range []struct {
 		seccompWhitelist string
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap.c snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap.c
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap.c	2019-01-16 08:36:51.000000000 +0000
@@ -24,14 +24,18 @@
 
 #include "bootstrap.h"
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <grp.h>
 #include <limits.h>
 #include <sched.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/capability.h>
+#include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -39,233 +43,457 @@
 // bootstrap_errno contains a copy of errno if a system call fails.
 int bootstrap_errno = 0;
 // bootstrap_msg contains a static string if something fails.
-const char* bootstrap_msg = NULL;
+const char *bootstrap_msg = NULL;
 
 // setns_into_snap switches mount namespace into that of a given snap.
-static int
-setns_into_snap(const char* snap_name)
+static int setns_into_snap(const char *snap_name)
 {
-    // Construct the name of the .mnt file to open.
-    char buf[PATH_MAX] = {
-        0,
-    };
-    int n = snprintf(buf, sizeof buf, "/run/snapd/ns/%s.mnt", snap_name);
-    if (n >= sizeof buf || n < 0) {
-        bootstrap_errno = 0;
-        bootstrap_msg = "cannot format mount namespace file name";
-        return -1;
-    }
-
-    // Open the mount namespace file.
-    int fd = open(buf, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
-    if (fd < 0) {
-        bootstrap_errno = errno;
-        bootstrap_msg = "cannot open mount namespace file";
-        return -1;
-    }
-
-    // Switch to the mount namespace of the given snap.
-    int err = setns(fd, CLONE_NEWNS);
-    if (err < 0) {
-        bootstrap_errno = errno;
-        bootstrap_msg = "cannot switch mount namespace";
-    };
+	// Construct the name of the .mnt file to open.
+	char buf[PATH_MAX] = {
+		0,
+	};
+	int n = snprintf(buf, sizeof buf, "/run/snapd/ns/%s.mnt", snap_name);
+	if (n >= sizeof buf || n < 0) {
+		bootstrap_errno = 0;
+		bootstrap_msg = "cannot format mount namespace file name";
+		return -1;
+	}
+	// Open the mount namespace file.
+	int fd = open(buf, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+	if (fd < 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg = "cannot open mount namespace file";
+		return -1;
+	}
+	// Switch to the mount namespace of the given snap.
+	int err = setns(fd, CLONE_NEWNS);
+	if (err < 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg = "cannot switch mount namespace";
+	};
 
-    close(fd);
-    return err;
+	close(fd);
+	return err;
+}
+
+// switch_to_privileged_user drops to the real user ID while retaining
+// CAP_SYS_ADMIN, for operations such as mount().
+static int switch_to_privileged_user()
+{
+	uid_t real_uid;
+	gid_t real_gid;
+
+	real_uid = getuid();
+	if (real_uid == 0) {
+		// We're running as root: no need to switch IDs
+		return 0;
+	}
+	real_gid = getgid();
+
+	// _LINUX_CAPABILITY_VERSION_3 valid for kernel >= 2.6.26. See
+	// https://github.com/torvalds/linux/blob/master/kernel/capability.c
+	struct __user_cap_header_struct hdr =
+	    { _LINUX_CAPABILITY_VERSION_3, 0 };
+	struct __user_cap_data_struct data[2] = { {0} };
+
+	data[0].effective = (CAP_TO_MASK(CAP_SYS_ADMIN) |
+			     CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
+	data[0].permitted = data[0].effective;
+	data[0].inheritable = 0;
+	data[1].effective = 0;
+	data[1].permitted = 0;
+	data[1].inheritable = 0;
+
+	if (capset(&hdr, data) != 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg = "cannot set permitted capabilities mask";
+		return -1;
+	}
+
+	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg =
+		    "cannot tell kernel to keep capabilities over setuid";
+		return -1;
+	}
+
+	if (setgroups(1, &real_gid) != 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg = "cannot drop supplementary groups";
+		return -1;
+	}
+
+	if (setgid(real_gid) != 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg = "cannot switch to real group ID";
+		return -1;
+	}
+
+	if (setuid(real_uid) != 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg = "cannot switch to real user ID";
+		return -1;
+	}
+	// After changing uid, our effective capabilities were dropped.
+	// Reacquire CAP_SYS_ADMIN, and discard CAP_SETUID/CAP_SETGID.
+	data[0].effective = CAP_TO_MASK(CAP_SYS_ADMIN);
+	data[0].permitted = data[0].effective;
+	if (capset(&hdr, data) != 0) {
+		bootstrap_errno = errno;
+		bootstrap_msg =
+		    "cannot enable capabilities after switching to real user";
+		return -1;
+	}
+
+	return 0;
 }
 
 // TODO: reuse the code from snap-confine, if possible.
-static int skip_lowercase_letters(const char** p)
+static int skip_lowercase_letters(const char **p)
 {
-    int skipped = 0;
-    const char* c;
-    for (c = *p; *c >= 'a' && *c <= 'z'; ++c) {
-        skipped += 1;
-    }
-    *p = (*p) + skipped;
-    return skipped;
+	int skipped = 0;
+	const char *c;
+	for (c = *p; *c >= 'a' && *c <= 'z'; ++c) {
+		skipped += 1;
+	}
+	*p = (*p) + skipped;
+	return skipped;
 }
 
 // TODO: reuse the code from snap-confine, if possible.
-static int skip_digits(const char** p)
+static int skip_digits(const char **p)
 {
-    int skipped = 0;
-    const char* c;
-    for (c = *p; *c >= '0' && *c <= '9'; ++c) {
-        skipped += 1;
-    }
-    *p = (*p) + skipped;
-    return skipped;
+	int skipped = 0;
+	const char *c;
+	for (c = *p; *c >= '0' && *c <= '9'; ++c) {
+		skipped += 1;
+	}
+	*p = (*p) + skipped;
+	return skipped;
 }
 
 // TODO: reuse the code from snap-confine, if possible.
-static int skip_one_char(const char** p, char c)
+static int skip_one_char(const char **p, char c)
 {
-    if (**p == c) {
-        *p += 1;
-        return 1;
-    }
-    return 0;
+	if (**p == c) {
+		*p += 1;
+		return 1;
+	}
+	return 0;
 }
 
 // validate_snap_name performs full validation of the given name.
-int validate_snap_name(const char* snap_name)
+int validate_snap_name(const char *snap_name)
 {
-    // NOTE: This function should be synchronized with the two other
-    // implementations: sc_snap_name_validate and snap.ValidateName.
+	// NOTE: This function should be synchronized with the two other
+	// implementations: sc_snap_name_validate and snap.ValidateName.
 
-    // Ensure that name is not NULL
-    if (snap_name == NULL) {
-        bootstrap_msg = "snap name cannot be NULL";
-        return -1;
-    }
-    // This is a regexp-free routine hand-codes the following pattern:
-    //
-    // "^([a-z0-9]+-?)*[a-z](-?[a-z0-9])*$"
-    //
-    // The only motivation for not using regular expressions is so that we
-    // don't run untrusted input against a potentially complex regular
-    // expression engine.
-    const char* p = snap_name;
-    if (skip_one_char(&p, '-')) {
-        bootstrap_msg = "snap name cannot start with a dash";
-        return -1;
-    }
-    bool got_letter = false;
-    for (; *p != '\0';) {
-        if (skip_lowercase_letters(&p) > 0) {
-            got_letter = true;
-            continue;
-        }
-        if (skip_digits(&p) > 0) {
-            continue;
-        }
-        if (skip_one_char(&p, '-') > 0) {
-            if (*p == '\0') {
-                bootstrap_msg = "snap name cannot end with a dash";
-                return -1;
-            }
-            if (skip_one_char(&p, '-') > 0) {
-                bootstrap_msg = "snap name cannot contain two consecutive dashes";
-                return -1;
-            }
-            continue;
-        }
-        bootstrap_msg = "snap name must use lower case letters, digits or dashes";
-        return -1;
-    }
-    if (!got_letter) {
-        bootstrap_msg = "snap name must contain at least one letter";
-        return -1;
-    }
+	// Ensure that name is not NULL
+	if (snap_name == NULL) {
+		bootstrap_msg = "snap name cannot be NULL";
+		return -1;
+	}
+	// This is a regexp-free routine hand-codes the following pattern:
+	//
+	// "^([a-z0-9]+-?)*[a-z](-?[a-z0-9])*$"
+	//
+	// The only motivation for not using regular expressions is so that we
+	// don't run untrusted input against a potentially complex regular
+	// expression engine.
+	const char *p = snap_name;
+	if (skip_one_char(&p, '-')) {
+		bootstrap_msg = "snap name cannot start with a dash";
+		return -1;
+	}
+	bool got_letter = false;
+	int n = 0, m;
+	for (; *p != '\0';) {
+		if ((m = skip_lowercase_letters(&p)) > 0) {
+			n += m;
+			got_letter = true;
+			continue;
+		}
+		if ((m = skip_digits(&p)) > 0) {
+			n += m;
+			continue;
+		}
+		if (skip_one_char(&p, '-') > 0) {
+			n++;
+			if (*p == '\0') {
+				bootstrap_msg =
+				    "snap name cannot end with a dash";
+				return -1;
+			}
+			if (skip_one_char(&p, '-') > 0) {
+				bootstrap_msg =
+				    "snap name cannot contain two consecutive dashes";
+				return -1;
+			}
+			continue;
+		}
+		bootstrap_msg =
+		    "snap name must use lower case letters, digits or dashes";
+		return -1;
+	}
+	if (!got_letter) {
+		bootstrap_msg = "snap name must contain at least one letter";
+		return -1;
+	}
+	if (n < 2) {
+		bootstrap_msg = "snap name must be longer than 1 character";
+		return -1;
+	}
+	if (n > 40) {
+		bootstrap_msg = "snap name must be shorter than 40 characters";
+		return -1;
+	}
+
+	bootstrap_msg = NULL;
+	return 0;
+}
+
+static int instance_key_validate(const char *instance_key)
+{
+	// NOTE: see snap.ValidateInstanceName for reference of a valid instance key
+	// format
 
-    bootstrap_msg = NULL;
-    return 0;
+	// Ensure that name is not NULL
+	if (instance_key == NULL) {
+		bootstrap_msg = "instance key cannot be NULL";
+		return -1;
+	}
+	// This is a regexp-free routine hand-coding the following pattern:
+	//
+	// "^[a-z]{1,10}$"
+	//
+	// The only motivation for not using regular expressions is so that we don't
+	// run untrusted input against a potentially complex regular expression
+	// engine.
+	int i = 0;
+	for (i = 0; instance_key[i] != '\0'; i++) {
+		if (islower(instance_key[i]) || isdigit(instance_key[i])) {
+			continue;
+		}
+		bootstrap_msg =
+		    "instance key must use lower case letters or digits";
+		return -1;
+	}
+
+	if (i == 0) {
+		bootstrap_msg =
+		    "instance key must contain at least one letter or digit";
+		return -1;
+	} else if (i > 10) {
+		bootstrap_msg =
+		    "instance key must be shorter than 10 characters";
+		return -1;
+	}
+	return 0;
+}
+
+// validate_instance_name performs full validation of the given snap instance name.
+int validate_instance_name(const char *instance_name)
+{
+	// NOTE: This function should be synchronized with the two other
+	// implementations: sc_instance_name_validate and snap.ValidateInstanceName.
+
+	if (instance_name == NULL) {
+		bootstrap_msg = "snap instance name cannot be NULL";
+		return -1;
+	}
+	// 40 char snap_name + '_' + 10 char instance_key + 1 extra overflow + 1
+	// NULL
+	char s[53] = { 0 };
+	strncpy(s, instance_name, sizeof(s) - 1);
+
+	char *t = s;
+	const char *snap_name = strsep(&t, "_");
+	const char *instance_key = strsep(&t, "_");
+	const char *third_separator = strsep(&t, "_");
+	if (third_separator != NULL) {
+		bootstrap_msg =
+		    "snap instance name can contain only one underscore";
+		return -1;
+	}
+
+	if (validate_snap_name(snap_name) < 0) {
+		return -1;
+	}
+	// When the instance_name is a normal snap name, instance_key will be
+	// NULL, so only validate instance_key when we found one.
+	if (instance_key != NULL && instance_key_validate(instance_key) < 0) {
+		return -1;
+	}
+
+	return 0;
+}
+
+// parse the -u argument, returns -1 on failure or 0 on success.
+static int parse_arg_u(int argc, char * const *argv, int *optind, unsigned long *uid_out)
+{
+	if (*optind + 1 == argc || argv[*optind + 1] == NULL) {
+		bootstrap_msg = "-u requires an argument";
+		bootstrap_errno = 0;
+		return -1;
+	}
+	const char *uid_text = argv[*optind + 1];
+	errno = 0;
+	char *uid_text_end = NULL;
+	unsigned long parsed_uid = strtoul(uid_text, &uid_text_end, 10);
+	if (
+			/* Reject overflow in parsed representation */
+			(parsed_uid == ULONG_MAX && errno != 0)
+			/* Reject leading whitespace allowed by strtoul. */
+			|| (isspace(*uid_text))
+			/* Reject empty string. */
+			|| (*uid_text == '\0')
+			/* Reject partially parsed strings. */
+			|| (*uid_text != '\0' && uid_text_end != NULL
+				&& *uid_text_end != '\0')) {
+		bootstrap_msg = "cannot parse user id";
+		bootstrap_errno = errno;
+		return -1;
+	}
+	if ((long)parsed_uid < 0) {
+		bootstrap_msg = "user id cannot be negative";
+		bootstrap_errno = 0;
+		return -1;
+	}
+	if (uid_out != NULL) {
+		*uid_out = parsed_uid;
+	}
+	*optind += 1; // Account for the argument to -u.
+	return 0;
 }
 
 // process_arguments parses given a command line
 // argc and argv are defined as for the main() function
-void process_arguments(int argc, char *const *argv, const char** snap_name_out, bool* should_setns_out)
+void process_arguments(int argc, char *const *argv, const char **snap_name_out,
+		       bool * should_setns_out, bool * process_user_fstab, unsigned long * uid_out)
 {
-    // Find the name of the called program. If it is ending with ".test" then do nothing.
-    // NOTE: This lets us use cgo/go to write tests without running the bulk
-    // of the code automatically.
-    //
-    if (argv == NULL || argc < 1) {
-        bootstrap_errno = 0;
-        bootstrap_msg = "argv0 is corrupted";
-        return;
-    }
-    const char* argv0 = argv[0];
-    const char* argv0_suffix_maybe = strstr(argv0, ".test");
-    if (argv0_suffix_maybe != NULL && argv0_suffix_maybe[strlen(".test")] == '\0') {
-        bootstrap_errno = 0;
-        bootstrap_msg = "bootstrap is not enabled while testing";
-        return;
-    }
-
-    bool should_setns = true;
-    const char* snap_name = NULL;
-
-    // Sanity check the command line arguments.  The go parts will
-    // scan this too.
-    int i;
-    for (i = 1; i < argc; i++) {
-        const char *arg = argv[i];
-        if (arg[0] == '-') {
-            /* We have an option */
-            if (!strcmp(arg, "--from-snap-confine")) {
-                // When we are running under "--from-snap-confine"
-                // option skip the setns call as snap-confine has
-                // already placed us in the right namespace.
-                should_setns = false;
-            } else {
-                bootstrap_errno = 0;
-                bootstrap_msg = "unsupported option";
-                return;
-            }
-        } else {
-            // We expect a single positional argument: the snap name
-            if (snap_name != NULL) {
-                bootstrap_errno = 0;
-                bootstrap_msg = "too many positional arguments";
-                return;
-            }
-            snap_name = arg;
-        }
-    }
-
-    // If there's no snap name given, just bail out.
-    if (snap_name == NULL) {
-        bootstrap_errno = 0;
-        bootstrap_msg = "snap name not provided";
-        return;
-    }
-
-    // Ensure that the snap name is valid so that we don't blindly setns into
-    // something that is controlled by a potential attacker.
-    if (validate_snap_name(snap_name) < 0) {
-        bootstrap_errno = 0;
-        // bootstap_msg is set by validate_snap_name;
-        return;
-    }
-    // We have a valid snap name now so let's store it.
-    if (snap_name_out != NULL) {
-        *snap_name_out = snap_name;
-    }
-    if (should_setns_out != NULL) {
-        *should_setns_out = should_setns;
-    }
-    bootstrap_errno = 0;
-    bootstrap_msg = NULL;
+	// Find the name of the called program. If it is ending with ".test" then do nothing.
+	// NOTE: This lets us use cgo/go to write tests without running the bulk
+	// of the code automatically.
+	//
+	if (argv == NULL || argc < 1) {
+		bootstrap_errno = 0;
+		bootstrap_msg = "argv0 is corrupted";
+		return;
+	}
+	const char *argv0 = argv[0];
+	const char *argv0_suffix_maybe = strstr(argv0, ".test");
+	if (argv0_suffix_maybe != NULL
+	    && argv0_suffix_maybe[strlen(".test")] == '\0') {
+		bootstrap_errno = 0;
+		bootstrap_msg = "bootstrap is not enabled while testing";
+		return;
+	}
+
+	bool should_setns = true;
+	bool user_fstab = false;
+	const char *snap_name = NULL;
+
+	// Sanity check the command line arguments.  The go parts will
+	// scan this too.
+	int i;
+	for (i = 1; i < argc; i++) {
+		const char *arg = argv[i];
+		if (arg[0] == '-') {
+			/* We have an option */
+			if (!strcmp(arg, "--from-snap-confine")) {
+				// When we are running under "--from-snap-confine"
+				// option skip the setns call as snap-confine has
+				// already placed us in the right namespace.
+				should_setns = false;
+			} else if (!strcmp(arg, "--user-mounts")) {
+				user_fstab = true;
+				// Processing the user-fstab file implies we're being
+				// called from snap-confine.
+				should_setns = false;
+			} else if (!strcmp(arg, "-u")) {
+				if (parse_arg_u(argc, argv, &i, uid_out)) {
+					return;
+				}
+				// Providing an user identifier implies we are performing an
+				// update of a specific user mount namespace and that we are
+				// invoked from snapd and we should setns ourselves. When
+				// invoked from snap-confine we are only called with
+				// --from-snap-confine and with --user-mounts.
+				should_setns = true;
+				user_fstab = true;
+			} else {
+				bootstrap_errno = 0;
+				bootstrap_msg = "unsupported option";
+				return;
+			}
+		} else {
+			// We expect a single positional argument: the snap name
+			if (snap_name != NULL) {
+				bootstrap_errno = 0;
+				bootstrap_msg = "too many positional arguments";
+				return;
+			}
+			snap_name = arg;
+		}
+	}
+
+	// If there's no snap name given, just bail out.
+	if (snap_name == NULL) {
+		bootstrap_errno = 0;
+		bootstrap_msg = "snap name not provided";
+		return;
+	}
+	// Ensure that the snap instance name is valid so that we don't blindly setns into
+	// something that is controlled by a potential attacker.
+	if (validate_instance_name(snap_name) < 0) {
+		bootstrap_errno = 0;
+		// bootstap_msg is set by validate_instance_name;
+		return;
+	}
+	// We have a valid snap name now so let's store it.
+	if (snap_name_out != NULL) {
+		*snap_name_out = snap_name;
+	}
+	if (should_setns_out != NULL) {
+		*should_setns_out = should_setns;
+	}
+	if (process_user_fstab != NULL) {
+		*process_user_fstab = user_fstab;
+	}
+	bootstrap_errno = 0;
+	bootstrap_msg = NULL;
 }
 
 // bootstrap prepares snap-update-ns to work in the namespace of the snap given
 // on command line.
 void bootstrap(int argc, char **argv, char **envp)
 {
-    // We may have been started via a setuid-root snap-confine. In order to
-    // prevent environment-based attacks we start by erasing all environment
-    // variables.
-    char *snapd_debug = getenv("SNAPD_DEBUG");
-    if (clearenv() != 0) {
-        bootstrap_errno = 0;
-        bootstrap_msg = "bootstrap could not clear the environment";
-        return;
-    }
-    if (snapd_debug != NULL) {
-        setenv("SNAPD_DEBUG", snapd_debug, 0);
-    }
-
-    // Analyze the read process cmdline to find the snap name and decide if we
-    // should use setns to jump into the mount namespace of a particular snap.
-    // This is spread out for easier testability.
-    const char* snap_name = NULL;
-    bool should_setns = false;
-    process_arguments(argc, argv, &snap_name, &should_setns);
-    if (snap_name != NULL && should_setns) {
-        setns_into_snap(snap_name);
-        // setns_into_snap sets bootstrap_{errno,msg}
-    }
+	// We may have been started via a setuid-root snap-confine. In order to
+	// prevent environment-based attacks we start by erasing all environment
+	// variables.
+	char *snapd_debug = getenv("SNAPD_DEBUG");
+	if (clearenv() != 0) {
+		bootstrap_errno = 0;
+		bootstrap_msg = "bootstrap could not clear the environment";
+		return;
+	}
+	if (snapd_debug != NULL) {
+		setenv("SNAPD_DEBUG", snapd_debug, 0);
+	}
+	// Analyze the read process cmdline to find the snap name and decide if we
+	// should use setns to jump into the mount namespace of a particular snap.
+	// This is spread out for easier testability.
+	const char *snap_name = NULL;
+	bool should_setns = false;
+	bool process_user_fstab = false;
+	unsigned long uid = 0;
+	process_arguments(argc, argv, &snap_name, &should_setns,
+			  &process_user_fstab, &uid);
+	if (process_user_fstab) {
+		switch_to_privileged_user();
+		// switch_to_privileged_user sets bootstrap_{errno,msg}
+	} else if (snap_name != NULL && should_setns) {
+		setns_into_snap(snap_name);
+		// setns_into_snap sets bootstrap_{errno,msg}
+	}
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap.go	2019-01-16 08:36:51.000000000 +0000
@@ -73,6 +73,13 @@
 	return fmt.Errorf("%s", C.GoString(C.bootstrap_msg))
 }
 
+// This function is here to make clearing the boostrap errors accessible
+// from the tests.
+func clearBootstrapError() {
+	C.bootstrap_msg = nil
+	C.bootstrap_errno = 0
+}
+
 // END IMPORTANT
 
 func makeArgv(args []string) []*C.char {
@@ -90,28 +97,38 @@
 	}
 }
 
-// validateSnapName checks if snap name is valid.
+// validateInstanceName checks if snap instance name is valid.
 // This also sets bootstrap_msg on failure.
-func validateSnapName(snapName string) int {
-	cStr := C.CString(snapName)
+//
+// This function is here only to make the C.validate_instance_name
+// code testable from go.
+func validateInstanceName(instanceName string) int {
+	cStr := C.CString(instanceName)
 	defer C.free(unsafe.Pointer(cStr))
-	return int(C.validate_snap_name(cStr))
+	return int(C.validate_instance_name(cStr))
 }
 
 // processArguments parses commnad line arguments.
 // The argument cmdline is a string with embedded
 // NUL bytes, separating particular arguments.
-func processArguments(args []string) (snapName string, shouldSetNs bool) {
+//
+// This function is here only to make the C.validate_instance_name
+// code testable from go.
+func processArguments(args []string) (snapName string, shouldSetNs bool, processUserFstab bool, uid uint) {
 	argv := makeArgv(args)
 	defer freeArgv(argv)
 
 	var snapNameOut *C.char
 	var shouldSetNsOut C.bool
-	C.process_arguments(C.int(len(args)), &argv[0], &snapNameOut, &shouldSetNsOut)
+	var processUserFstabOut C.bool
+	var uidOut C.ulong
+	C.process_arguments(C.int(len(args)), &argv[0], &snapNameOut, &shouldSetNsOut, &processUserFstabOut, &uidOut)
 	if snapNameOut != nil {
 		snapName = C.GoString(snapNameOut)
 	}
 	shouldSetNs = bool(shouldSetNsOut)
+	processUserFstab = bool(processUserFstabOut)
+	uid = uint(uidOut)
 
-	return snapName, shouldSetNs
+	return snapName, shouldSetNs, processUserFstab, uid
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap.h snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap.h
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap.h	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap.h	2019-01-16 08:36:51.000000000 +0000
@@ -24,10 +24,11 @@
 #include <unistd.h>
 
 extern int bootstrap_errno;
-extern const char* bootstrap_msg;
+extern const char *bootstrap_msg;
 
 void bootstrap(int argc, char **argv, char **envp);
-void process_arguments(int argc, char *const *argv, const char** snap_name_out, bool* should_setns_out);
-int validate_snap_name(const char* snap_name);
+void process_arguments(int argc, char *const *argv, const char **snap_name_out,
+		       bool * should_setns_out, bool * process_user_fstab, unsigned long * uid_out);
+int validate_instance_name(const char *instance_name);
 
 #endif
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/bootstrap_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/bootstrap_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,13 +30,47 @@
 var _ = Suite(&bootstrapSuite{})
 
 // Check that ValidateSnapName rejects "/" and "..".
-func (s *bootstrapSuite) TestValidateSnapName(c *C) {
-	c.Assert(update.ValidateSnapName("hello-world"), Equals, 0)
-	c.Assert(update.ValidateSnapName("hello/world"), Equals, -1)
-	c.Assert(update.ValidateSnapName("hello..world"), Equals, -1)
-	c.Assert(update.ValidateSnapName("INVALID"), Equals, -1)
-	c.Assert(update.ValidateSnapName("-invalid"), Equals, -1)
-	c.Assert(update.ValidateSnapName(""), Equals, -1)
+func (s *bootstrapSuite) TestValidateInstanceName(c *C) {
+	validNames := []string{
+		"aa",
+		"aa_a",
+		"hello-world",
+		"a123456789012345678901234567890123456789",
+		"a123456789012345678901234567890123456789_0123456789",
+		"hello-world_foo",
+		"foo_0123456789",
+		"foo_1234abcd",
+		"a123456789012345678901234567890123456789",
+		"a123456789012345678901234567890123456789_0123456789",
+	}
+	for _, name := range validNames {
+		c.Check(update.ValidateInstanceName(name), Equals, 0, Commentf("name %q should be valid but is not", name))
+	}
+
+	invalidNames := []string{
+		"",
+		"a",
+		"a_a",
+		"a123456789012345678901234567890123456789_01234567890",
+		"hello/world",
+		"hello..world",
+		"INVALID",
+		"-invalid",
+		"hello-world_",
+		"_foo",
+		"foo_01234567890",
+		"foo_123_456",
+		"foo__456",
+		"foo_",
+		"hello-world_foo_foo",
+		"foo01234567890012345678900123456789001234567890",
+		"foo01234567890012345678900123456789001234567890_foo",
+		"a123456789012345678901234567890123456789_0123456789_",
+	}
+	for _, name := range invalidNames {
+		c.Check(update.ValidateInstanceName(name), Equals, -1, Commentf("name %q should be invalid but is valid", name))
+	}
+
 }
 
 // Test various cases of command line handling.
@@ -45,34 +79,70 @@
 		cmdline     []string
 		snapName    string
 		shouldSetNs bool
+		userFstab   bool
+		uid         uint
 		errPattern  string
 	}{
 		// Corrupted buffer is dealt with.
-		{[]string{}, "", false, "argv0 is corrupted"},
+		{[]string{}, "", false, false, 0, "argv0 is corrupted"},
 		// When testing real bootstrap is identified and disabled.
-		{[]string{"argv0.test"}, "", false, "bootstrap is not enabled while testing"},
+		{[]string{"argv0.test"}, "", false, false, 0, "bootstrap is not enabled while testing"},
 		// Snap name is mandatory.
-		{[]string{"argv0"}, "", false, "snap name not provided"},
+		{[]string{"argv0"}, "", false, false, 0, "snap name not provided"},
 		// Snap name is parsed correctly.
-		{[]string{"argv0", "snapname"}, "snapname", true, ""},
+		{[]string{"argv0", "snapname"}, "snapname", true, false, 0, ""},
+		{[]string{"argv0", "snapname_instance"}, "snapname_instance", true, false, 0, ""},
 		// Onlye one snap name is allowed.
-		{[]string{"argv0", "snapone", "snaptwo"}, "", false, "too many positional arguments"},
+		{[]string{"argv0", "snapone", "snaptwo"}, "", false, false, 0, "too many positional arguments"},
 		// Snap name is validated correctly.
-		{[]string{"argv0", ""}, "", false, "snap name must contain at least one letter"},
-		{[]string{"argv0", "in--valid"}, "", false, "snap name cannot contain two consecutive dashes"},
-		{[]string{"argv0", "invalid-"}, "", false, "snap name cannot end with a dash"},
-		{[]string{"argv0", "@invalid"}, "", false, "snap name must use lower case letters, digits or dashes"},
-		{[]string{"argv0", "INVALID"}, "", false, "snap name must use lower case letters, digits or dashes"},
+		{[]string{"argv0", ""}, "", false, false, 0, "snap name must contain at least one letter"},
+		{[]string{"argv0", "in--valid"}, "", false, false, 0, "snap name cannot contain two consecutive dashes"},
+		{[]string{"argv0", "invalid-"}, "", false, false, 0, "snap name cannot end with a dash"},
+		{[]string{"argv0", "@invalid"}, "", false, false, 0, "snap name must use lower case letters, digits or dashes"},
+		{[]string{"argv0", "INVALID"}, "", false, false, 0, "snap name must use lower case letters, digits or dashes"},
+		{[]string{"argv0", "foo_01234567890"}, "", false, false, 0, "instance key must be shorter than 10 characters"},
+		{[]string{"argv0", "foo_0123456_2"}, "", false, false, 0, "snap instance name can contain only one underscore"},
 		// The option --from-snap-confine disables setns.
-		{[]string{"argv0", "--from-snap-confine", "snapname"}, "snapname", false, ""},
-		{[]string{"argv0", "snapname", "--from-snap-confine"}, "snapname", false, ""},
+		{[]string{"argv0", "--from-snap-confine", "snapname"}, "snapname", false, false, 0, ""},
+		{[]string{"argv0", "snapname", "--from-snap-confine"}, "snapname", false, false, 0, ""},
+		// The option --user-mounts switches to the real uid
+		{[]string{"argv0", "--user-mounts", "snapname"}, "snapname", false, true, 0, ""},
 		// Unknown options are reported.
-		{[]string{"argv0", "-invalid"}, "", false, "unsupported option"},
-		{[]string{"argv0", "--option"}, "", false, "unsupported option"},
-		{[]string{"argv0", "--from-snap-confine", "-invalid", "snapname"}, "", false, "unsupported option"},
+		{[]string{"argv0", "-invalid"}, "", false, false, 0, "unsupported option"},
+		{[]string{"argv0", "--option"}, "", false, false, 0, "unsupported option"},
+		{[]string{"argv0", "--from-snap-confine", "-invalid", "snapname"}, "", false, false, 0, "unsupported option"},
+		// The -u option can be used to specify the user id.
+		{[]string{"argv0", "snapname", "-u", "1234"}, "snapname", true, true, 1234, ""},
+		{[]string{"argv0", "-u", "1234", "snapname"}, "snapname", true, true, 1234, ""},
+		/* Empty user id is rejected. */
+		{[]string{"argv0", "-u", "", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		/* Partially parsed values are rejected. */
+		{[]string{"argv0", "-u", "1foo", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		/* Hexadecimal values are rejected. */
+		{[]string{"argv0", "-u", "0x16", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", " 0x16", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", "0x16 ", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", " 0x16 ", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		/* Octal-looking values are parsed as decimal. */
+		{[]string{"argv0", "-u", "042", "snapname"}, "snapname", true, true, 42, ""},
+		/* Spaces around octal values is rejected. */
+		{[]string{"argv0", "-u", " 042", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", "042 ", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", " 042 ", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		/* Space around the value is rejected. */
+		{[]string{"argv0", "-u", "42 ", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", " 42", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", " 42 ", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", "\n42 ", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		{[]string{"argv0", "-u", "42\t", "snapname"}, "", false, false, 0, "cannot parse user id"},
+		/* Negative values are rejected. */
+		{[]string{"argv0", "-u", "-1", "snapname"}, "", false, false, 0, "user id cannot be negative"},
+		/* The option -u requires an argument. */
+		{[]string{"argv0", "snapname", "-u"}, "", false, false, 0, "-u requires an argument"},
 	}
 	for _, tc := range cases {
-		snapName, shouldSetNs := update.ProcessArguments(tc.cmdline)
+		update.ClearBootstrapError()
+		snapName, shouldSetNs, userFstab, uid := update.ProcessArguments(tc.cmdline)
 		err := update.BootstrapError()
 		comment := Commentf("failed with cmdline %q, expected error pattern %q, actual error %q",
 			tc.cmdline, tc.errPattern, err)
@@ -81,7 +151,9 @@
 		} else {
 			c.Assert(err, IsNil, comment)
 		}
-		c.Check(snapName, Equals, tc.snapName)
-		c.Check(shouldSetNs, Equals, tc.shouldSetNs)
+		c.Check(snapName, Equals, tc.snapName, comment)
+		c.Check(shouldSetNs, Equals, tc.shouldSetNs, comment)
+		c.Check(userFstab, Equals, tc.userFstab, comment)
+		c.Check(uid, Equals, tc.uid, comment)
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/change.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/change.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/change.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/change.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package main
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -44,6 +45,13 @@
 	// Remount when needed
 )
 
+var (
+	// ErrIgnoredMissingMount is returned when a mount entry has
+	// been marked with x-snapd.ignore-missing, and the mount
+	// source or target do not exist.
+	ErrIgnoredMissingMount = errors.New("mount source or target are missing")
+)
+
 // Change describes a change to the mount table (action and the entry to act on).
 type Change struct {
 	Entry  osutil.MountEntry
@@ -56,9 +64,30 @@
 }
 
 // changePerform is Change.Perform that can be mocked for testing.
-var changePerform func(*Change) ([]*Change, error)
+var changePerform func(*Change, *Assumptions) ([]*Change, error)
+
+// mimicRequired provides information if an error warrants a writable mimic.
+//
+// The returned path is the location where a mimic should be constructed.
+func mimicRequired(err error) (needsMimic bool, path string) {
+	switch err.(type) {
+	case *ReadOnlyFsError:
+		rofsErr := err.(*ReadOnlyFsError)
+		return true, rofsErr.Path
+	case *TrespassingError:
+		tErr := err.(*TrespassingError)
+		return true, tErr.ViolatedPath
+	}
+	return false, ""
+}
+
+func (c *Change) createPath(path string, pokeHoles bool, as *Assumptions) ([]*Change, error) {
+	// If we've been asked to create a missing path, and the mount
+	// entry uses the ignore-missing option, return an error.
+	if c.Entry.XSnapdIgnoreMissing() {
+		return nil, ErrIgnoredMissingMount
+	}
 
-func (c *Change) createPath(path string, pokeHoles bool) ([]*Change, error) {
 	var err error
 	var changes []*Change
 
@@ -73,45 +102,39 @@
 	// create the parent directory and then the final element relative to it.
 	// The traversed space may be writable so we just try to create things
 	// first.
-	kind, _ := c.Entry.OptStr("x-snapd.kind")
+	kind := c.Entry.XSnapdKind()
 
 	// TODO: re-factor this, if possible, with inspection and preemptive
 	// creation after the current release ships. This should be possible but
 	// will affect tests heavily (churn, not safe before release).
+	rs := as.RestrictionsFor(path)
 	switch kind {
 	case "":
-		err = secureMkdirAll(path, mode, uid, gid)
+		err = MkdirAll(path, mode, uid, gid, rs)
 	case "file":
-		err = secureMkfileAll(path, mode, uid, gid)
+		err = MkfileAll(path, mode, uid, gid, rs)
 	case "symlink":
-		target, _ := c.Entry.OptStr("x-snapd.symlink")
-		if target == "" {
-			err = fmt.Errorf("cannot create symlink with empty target")
-		} else {
-			err = secureMksymlinkAll(path, mode, uid, gid, target)
-		}
+		err = MksymlinkAll(path, mode, uid, gid, c.Entry.XSnapdSymlink(), rs)
 	}
-	if err2, ok := err.(*ReadOnlyFsError); ok && pokeHoles {
-		// If the writing failed because the underlying file-system is read-only
-		// we can construct a writable mimic to fix that.
-		changes, err = createWritableMimic(err2.Path, path)
+	if needsMimic, mimicPath := mimicRequired(err); needsMimic && pokeHoles {
+		// If the error can be recovered by using a writable mimic
+		// then construct one and try again.
+		changes, err = createWritableMimic(mimicPath, path, as)
 		if err != nil {
-			err = fmt.Errorf("cannot create writable mimic over %q: %s", err2.Path, err)
+			err = fmt.Errorf("cannot create writable mimic over %q: %s", mimicPath, err)
 		} else {
 			// Try once again. Note that we care *just* about the error. We have already
 			// performed the hole poking and thus additional changes must be nil.
-			_, err = c.createPath(path, false)
+			_, err = c.createPath(path, false, as)
 		}
-	} else if err != nil {
-		err = fmt.Errorf("cannot create path %q: %s", path, err)
 	}
 	return changes, err
 }
 
-func (c *Change) ensureTarget() ([]*Change, error) {
+func (c *Change) ensureTarget(as *Assumptions) ([]*Change, error) {
 	var changes []*Change
 
-	kind, _ := c.Entry.OptStr("x-snapd.kind")
+	kind := c.Entry.XSnapdKind()
 	path := c.Entry.Dir
 
 	// We use lstat to ensure that we don't follow a symlink in case one was
@@ -137,13 +160,13 @@
 		case "symlink":
 			if fi.Mode()&os.ModeSymlink == os.ModeSymlink {
 				// Create path verifies the symlink or fails if it is not what we wanted.
-				_, err = c.createPath(path, false)
+				_, err = c.createPath(path, false, as)
 			} else {
 				err = fmt.Errorf("cannot create symlink in %q: existing file in the way", path)
 			}
 		}
 	} else if os.IsNotExist(err) {
-		changes, err = c.createPath(path, true)
+		changes, err = c.createPath(path, true, as)
 	} else {
 		// If we cannot inspect the element let's just bail out.
 		err = fmt.Errorf("cannot inspect %q: %v", path, err)
@@ -151,15 +174,17 @@
 	return changes, err
 }
 
-func (c *Change) ensureSource() error {
+func (c *Change) ensureSource(as *Assumptions) ([]*Change, error) {
+	var changes []*Change
+
 	// We only have to do ensure bind mount source exists.
 	// This also rules out symlinks.
 	flags, _ := osutil.MountOptsToCommonFlags(c.Entry.Options)
 	if flags&syscall.MS_BIND == 0 {
-		return nil
+		return nil, nil
 	}
 
-	kind, _ := c.Entry.OptStr("x-snapd.kind")
+	kind := c.Entry.XSnapdKind()
 	path := c.Entry.Name
 	fi, err := osLstat(path)
 
@@ -178,17 +203,31 @@
 			}
 		}
 	} else if os.IsNotExist(err) {
-		_, err = c.createPath(path, false)
+		// NOTE: This createPath is using pokeHoles, to make read-only places
+		// writable, but only for layouts and not for other (typically content
+		// sharing) mount entries.
+		//
+		// This is done because the changes made with pokeHoles=true are only
+		// visible in this current mount namespace and are not generally
+		// visible from other snaps because they inhabit different namespaces.
+		//
+		// In other words, changes made here are only observable by the single
+		// snap they apply to. As such they are useless for content sharing but
+		// very much useful to layouts.
+		pokeHoles := c.Entry.XSnapdOrigin() == "layout"
+		changes, err = c.createPath(path, pokeHoles, as)
 	} else {
 		// If we cannot inspect the element let's just bail out.
 		err = fmt.Errorf("cannot inspect %q: %v", path, err)
 	}
-	return err
+
+	return changes, err
 }
 
 // changePerformImpl is the real implementation of Change.Perform
-func changePerformImpl(c *Change) (changes []*Change, err error) {
+func changePerformImpl(c *Change, as *Assumptions) (changes []*Change, err error) {
 	if c.Action == Mount {
+		var changesSource, changesTarget []*Change
 		// We may be asked to bind mount a file, bind mount a directory, mount
 		// a filesystem over a directory, or create a symlink (which is abusing
 		// the "mount" concept slightly). That actual operation is performed in
@@ -197,7 +236,10 @@
 		// As a result of this ensure call we may need to make the medium writable
 		// and that's why we may return more changes as a result of performing this
 		// one.
-		changes, err = c.ensureTarget()
+		changesTarget, err = c.ensureTarget(as)
+		// NOTE: we are collecting changes even if things fail. This is so that
+		// upper layers can perform undo correctly.
+		changes = append(changes, changesTarget...)
 		if err != nil {
 			return changes, err
 		}
@@ -208,14 +250,17 @@
 		// This property holds as long as we don't interact with locations that
 		// are under the control of regular (non-snap) processes that are not
 		// suspended and may be racing with us.
-		err = c.ensureSource()
+		changesSource, err = c.ensureSource(as)
+		// NOTE: we are collecting changes even if things fail. This is so that
+		// upper layers can perform undo correctly.
+		changes = append(changes, changesSource...)
 		if err != nil {
 			return changes, err
 		}
 	}
 
 	// Perform the underlying mount / unmount / unlink call.
-	err = c.lowLevelPerform()
+	err = c.lowLevelPerform(as)
 	return changes, err
 }
 
@@ -229,38 +274,103 @@
 //
 // Perform may synthesize *additional* changes that were necessary to perform
 // this change (such as mounted tmpfs or overlayfs).
-func (c *Change) Perform() ([]*Change, error) {
-	return changePerform(c)
+func (c *Change) Perform(as *Assumptions) ([]*Change, error) {
+	return changePerform(c, as)
 }
 
 // lowLevelPerform is simple bridge from Change to mount / unmount syscall.
-func (c *Change) lowLevelPerform() error {
+func (c *Change) lowLevelPerform(as *Assumptions) error {
 	var err error
 	switch c.Action {
 	case Mount:
-		kind, _ := c.Entry.OptStr("x-snapd.kind")
+		kind := c.Entry.XSnapdKind()
 		switch kind {
 		case "symlink":
 			// symlinks are handled in createInode directly, nothing to do here.
 		case "", "file":
 			flags, unparsed := osutil.MountOptsToCommonFlags(c.Entry.Options)
-			err = sysMount(c.Entry.Name, c.Entry.Dir, c.Entry.Type, uintptr(flags), strings.Join(unparsed, ","))
+			// Use Secure.BindMount for bind mounts
+			if flags&syscall.MS_BIND == syscall.MS_BIND {
+				err = BindMount(c.Entry.Name, c.Entry.Dir, uint(flags))
+			} else {
+				err = sysMount(c.Entry.Name, c.Entry.Dir, c.Entry.Type, uintptr(flags), strings.Join(unparsed, ","))
+			}
 			logger.Debugf("mount %q %q %q %d %q (error: %v)", c.Entry.Name, c.Entry.Dir, c.Entry.Type, uintptr(flags), strings.Join(unparsed, ","), err)
+			if err == nil {
+				as.AddChange(c)
+			}
 		}
 		return err
 	case Unmount:
-		kind, _ := c.Entry.OptStr("x-snapd.kind")
+		kind := c.Entry.XSnapdKind()
 		switch kind {
 		case "symlink":
 			err = osRemove(c.Entry.Dir)
 			logger.Debugf("remove %q (error: %v)", c.Entry.Dir, err)
 		case "", "file":
+			// Detach the mount point instead of unmounting it if requested.
 			flags := umountNoFollow
-			if c.Entry.OptBool("x-snapd.detach") {
+			if c.Entry.XSnapdDetach() {
 				flags |= syscall.MNT_DETACH
 			}
+
+			// Perform the raw unmount operation.
 			err = sysUnmount(c.Entry.Dir, flags)
+			if err == nil {
+				as.AddChange(c)
+			}
 			logger.Debugf("umount %q (error: %v)", c.Entry.Dir, err)
+			if err != nil {
+				return err
+			}
+
+			// Open a path of the file we are considering the removal of.
+			path := c.Entry.Dir
+			var fd int
+			fd, err = OpenPath(path)
+			if err != nil {
+				return err
+			}
+			defer sysClose(fd)
+
+			// Don't attempt to remove anything from squashfs.
+			var statfsBuf syscall.Statfs_t
+			err = sysFstatfs(fd, &statfsBuf)
+			if err != nil {
+				return err
+			}
+			if statfsBuf.Type == SquashfsMagic {
+				return nil
+			}
+
+			if kind == "file" {
+				// Don't attempt to remove non-empty files since they cannot be
+				// the placeholders we created.
+				var statBuf syscall.Stat_t
+				err = sysFstat(fd, &statBuf)
+				if err != nil {
+					return err
+				}
+				if statBuf.Size != 0 {
+					return nil
+				}
+			}
+
+			// Remove the file or directory while using the full path. There's
+			// no way to avoid a race here since there's no way to unlink a
+			// file solely by file descriptor.
+			err = osRemove(path)
+			// Unpack the low-level error that osRemove wraps into PathError.
+			if packed, ok := err.(*os.PathError); ok {
+				err = packed.Err
+			}
+			// If we were removing a directory but it was not empty then just
+			// ignore the error. This is the equivalent of the non-empty file
+			// check we do above. See rmdir(2) for explanation why we accept
+			// more than one errno value.
+			if kind == "" && (err == syscall.ENOTEMPTY || err == syscall.EEXIST) {
+				return nil
+			}
 		}
 		return err
 	case Keep:
@@ -293,8 +403,8 @@
 	}
 
 	// Sort both lists by directory name with implicit trailing slash.
-	sort.Sort(byMagicDir(current))
-	sort.Sort(byMagicDir(desired))
+	sort.Sort(byOriginAndMagicDir(current))
+	sort.Sort(byOriginAndMagicDir(desired))
 
 	// Construct a desired directory map.
 	desiredMap := make(map[string]*osutil.MountEntry)
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/change_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/change_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/change_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/change_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,6 +21,8 @@
 
 import (
 	"errors"
+	"os"
+	"strings"
 	"syscall"
 
 	. "gopkg.in/check.v1"
@@ -33,6 +35,7 @@
 type changeSuite struct {
 	testutil.BaseTest
 	sys *testutil.SyscallRecorder
+	as  *update.Assumptions
 }
 
 var (
@@ -46,6 +49,12 @@
 	// Mock and record system interactions.
 	s.sys = &testutil.SyscallRecorder{}
 	s.BaseTest.AddCleanup(update.MockSystemCalls(s.sys))
+	s.as = &update.Assumptions{}
+}
+
+func (s *changeSuite) TearDownTest(c *C) {
+	s.BaseTest.TearDownTest(c)
+	s.sys.CheckForStrayDescriptors(c)
 }
 
 func (s *changeSuite) TestFakeFileInfo(c *C) {
@@ -300,6 +309,146 @@
 	})
 }
 
+// Parallel instance changes are executed first
+func (s *changeSuite) TestNeededChangesParallelInstancesManyComeFirst(c *C) {
+	desired := &osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/common/stuff", Name: "/dev/sda1"},
+		{Dir: "/common/stuff/extra"},
+		{Dir: "/common/unrelated"},
+		{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+	}}
+	changes := update.NeededChanges(&osutil.MountProfile{}, desired)
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Entry: osutil.MountEntry{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}}, Action: update.Mount},
+		{Entry: osutil.MountEntry{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}}, Action: update.Mount},
+		{Entry: osutil.MountEntry{Dir: "/common/stuff", Name: "/dev/sda1"}, Action: update.Mount},
+		{Entry: osutil.MountEntry{Dir: "/common/stuff/extra"}, Action: update.Mount},
+		{Entry: osutil.MountEntry{Dir: "/common/unrelated"}, Action: update.Mount},
+	})
+}
+
+// Parallel instance changes are kept if already present
+func (s *changeSuite) TestNeededChangesParallelInstancesKeep(c *C) {
+	desired := &osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/common/stuff", Name: "/dev/sda1"},
+		{Dir: "/common/unrelated"},
+		{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+	}}
+	current := &osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+	}}
+	changes := update.NeededChanges(current, desired)
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Entry: osutil.MountEntry{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}}, Action: update.Keep},
+		{Entry: osutil.MountEntry{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}}, Action: update.Keep},
+		{Entry: osutil.MountEntry{Dir: "/common/stuff", Name: "/dev/sda1"}, Action: update.Mount},
+		{Entry: osutil.MountEntry{Dir: "/common/unrelated"}, Action: update.Mount},
+	})
+}
+
+// Parallel instance with mounts inside
+func (s *changeSuite) TestNeededChangesParallelInstancesInsideMount(c *C) {
+	desired := &osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/foo/bar/baz"},
+		{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+	}}
+	current := &osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/foo/bar/zed"},
+		{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}},
+	}}
+	changes := update.NeededChanges(current, desired)
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Entry: osutil.MountEntry{Dir: "/foo/bar/zed"}, Action: update.Unmount},
+		{Entry: osutil.MountEntry{Dir: "/snap/foo", Name: "/snap/foo_bar", Options: []string{osutil.XSnapdOriginOvername()}}, Action: update.Keep},
+		{Entry: osutil.MountEntry{Dir: "/foo/bar", Name: "/foo/bar_bar", Options: []string{osutil.XSnapdOriginOvername()}}, Action: update.Keep},
+		{Entry: osutil.MountEntry{Dir: "/foo/bar/baz"}, Action: update.Mount},
+	})
+}
+
+func mustReadProfile(profileStr string) *osutil.MountProfile {
+	profile, err := osutil.ReadMountProfile(strings.NewReader(profileStr))
+	if err != nil {
+		panic(err)
+	}
+	return profile
+}
+
+func (s *changeSuite) TestRuntimeUsingSymlinks(c *C) {
+	// We start with a runtime shared from one snap to another and then exposed
+	// to /opt with a symbolic link. This is the initial state of the
+	// application in version v1.
+	initial := mustReadProfile("")
+	desired_v1 := mustReadProfile(
+		"none /opt/runtime none x-snapd.kind=symlink,x-snapd.symlink=/snap/app/x1/runtime,x-snapd.origin=layout 0 0\n" +
+			"/snap/runtime/x1/opt/runtime /snap/app/x1/runtime none bind,ro 0 0\n")
+	// The changes we compute are trivial, simply perform each operation in order.
+	changes := update.NeededChanges(initial, desired_v1)
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Entry: desired_v1.Entries[0], Action: update.Mount},
+		{Entry: desired_v1.Entries[1], Action: update.Mount},
+	})
+	// After performing both changes we have a new synthesized entry. We get an
+	// extra writable mimic over /opt so that we can add our symlink. The
+	// content sharing into $SNAP is applied as expected since the snap ships
+	// the required mount point.
+	current_v1 := mustReadProfile(
+		"/snap/runtime/x1/opt/runtime /snap/app/x1/runtime none bind,ro 0 0\n" +
+			"none /opt/runtime none x-snapd.kind=symlink,x-snapd.symlink=/snap/app/x1/runtime,x-snapd.origin=layout 0 0\n" +
+			"tmpfs /opt tmpfs x-snapd.synthetic,x-snapd.needed-by=/opt/runtime,mode=0755,uid=0,gid=0 0")
+
+	// We now proceed to replace app v1 with v2 which uses a bind mount instead
+	// of a symlink. First, let's start with the updated desired profile:
+	desired_v2 := mustReadProfile(
+		"/snap/app/x2/runtime /opt/runtime none rbind,rw,x-snapd.origin=layout 0 0\n" +
+			"/snap/runtime/x1/opt/runtime /snap/app/x2/runtime none bind,ro 0 0\n")
+
+	// Let's see what the update algorithm thinks.
+	changes = update.NeededChanges(current_v1, desired_v2)
+	c.Assert(changes, DeepEquals, []*update.Change{
+		// We are dropping the content interface bind mount because app changed revision
+		{Entry: current_v1.Entries[0], Action: update.Unmount},
+		// We are also dropping the symlink we had in /opt/runtime
+		{Entry: current_v1.Entries[1], Action: update.Unmount},
+		// But, we are keeping the /opt tmpfs because we still want /opt/runtime to exist (neat!)
+		{Entry: current_v1.Entries[2], Action: update.Keep},
+		// We are adding a new bind mount for /opt/runtime
+		{Entry: desired_v2.Entries[0], Action: update.Mount},
+		// We also adding the updated path of the content interface (for revision x2)
+		{Entry: desired_v2.Entries[1], Action: update.Mount},
+	})
+
+	// After performing all those changes this is the profile we observe.
+	current_v2 := mustReadProfile(
+		"tmpfs /opt tmpfs x-snapd.synthetic,x-snapd.needed-by=/opt/runtime,mode=0755,uid=0,gid=0 0 0\n" +
+			"/snap/app/x2/runtime /opt/runtime none rbind,rw,x-snapd.origin=layout 0 0\n" +
+			"/snap/runtime/x1/opt/runtime /snap/app/x2/runtime none bind,ro 0 0\n")
+
+	// So far so good. To trigger the issue we now revert or refresh to v1
+	// again. Let's see what happens here. The desired profiles are already
+	// known so let's see what the algorithm thinks now.
+	changes = update.NeededChanges(current_v2, desired_v1)
+	c.Assert(changes, DeepEquals, []*update.Change{
+		// We are, again, dropping the content interface bind mount because app changed revision
+		{Entry: current_v2.Entries[2], Action: update.Unmount},
+		// We are also dropping the bind mount from /opt/runtime since we want a symlink instead
+		{Entry: current_v2.Entries[1], Action: update.Unmount},
+		// Again, we reuse the tmpfs.
+		{Entry: current_v2.Entries[0], Action: update.Keep},
+		// We are providing a symlink /opt/runtime -> to $SNAP/runtime.
+		{Entry: desired_v1.Entries[0], Action: update.Mount},
+		// We are bind mounting the runtime from another snap into $SNAP/runtime
+		{Entry: desired_v1.Entries[1], Action: update.Mount},
+	})
+
+	// The problem is that the tmpfs contains leftovers from the things we
+	// created and those prevent the execution of this mount profile.
+}
+
 // ########################################
 // Topic: mounting & unmounting filesystems
 // ########################################
@@ -308,257 +457,327 @@
 func (s *changeSuite) TestPerformFilesystemMountLstatError(c *C) {
 	s.sys.InsertFault(`lstat "/target"`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot inspect "/target": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`lstat "/target"`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: errTesting},
+	})
 }
 
 // Change.Perform wants to mount a filesystem.
 func (s *changeSuite) TestPerformFilesystemMount(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`mount "device" "/target" "type" 0 ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `mount "device" "/target" "type" 0 ""`},
 	})
 }
 
 // Change.Perform wants to mount a filesystem but it fails.
 func (s *changeSuite) TestPerformFilesystemMountWithError(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
 	s.sys.InsertFault(`mount "device" "/target" "type" 0 ""`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, Equals, errTesting)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`mount "device" "/target" "type" 0 ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `mount "device" "/target" "type" 0 ""`, E: errTesting},
 	})
 }
 
 // Change.Perform wants to mount a filesystem but the mount point isn't there.
 func (s *changeSuite) TestPerformFilesystemMountWithoutMountPoint(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/target"`, syscall.ENOENT)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "target" 0755`,
-		`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`close 4`,
-		`close 3`,
-		`mount "device" "/target" "type" 0 ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "target" 0755`},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mount "device" "/target" "type" 0 ""`},
 	})
 }
 
 // Change.Perform wants to create a filesystem but the mount point isn't there and cannot be created.
 func (s *changeSuite) TestPerformFilesystemMountWithoutMountPointWithErrors(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "target" 0755`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/target": cannot mkdir path segment "target": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create directory "/target": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "target" 0755`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "target" 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to mount a filesystem but the mount point isn't there and the parent is read-only.
 func (s *changeSuite) TestPerformFilesystemMountWithoutMountPointAndReadOnlyBase(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/rofs/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, syscall.ENOENT, nil) // works on 2nd try
 	s.sys.InsertFault(`mkdirat 4 "target" 0755`, syscall.EROFS, nil)                               // works on 2nd try
-	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil)                                              // pretend /rofs is empty.
+	s.sys.InsertSysLstatResult(`lstat "/rofs" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
+	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil) // pretend /rofs is empty.
 	s.sys.InsertFault(`lstat "/tmp/.snap/rofs"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 6 <ptr>`, syscall.Statfs_t{})
 
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/rofs/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, DeepEquals, []*update.Change{
 		{Action: update.Mount, Entry: osutil.MountEntry{
 			Name: "tmpfs", Dir: "/rofs", Type: "tmpfs",
-			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/target"}},
+			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/target", "mode=0755", "uid=0", "gid=0"}},
 		},
 	})
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
 		// sniff mount target
-		`lstat "/rofs/target"`,
+		{C: `lstat "/rofs/target"`, E: syscall.ENOENT},
 
 		// /rofs/target is missing, create it
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`mkdirat 4 "target" 0755`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "target" 0755`, E: syscall.EROFS},
+		{C: `close 4`},
 
 		// error, read only filesystem, create a mimic
-		`readdir "/rofs"`,
-		`lstat "/tmp/.snap/rofs"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "tmp" 0755`,
-		`openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`mkdirat 4 ".snap" 0755`,
-		`openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 5 0 0`,
-		`close 4`,
-		`close 3`,
-		`mkdirat 5 "rofs" 0755`,
-		`openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 3 0 0`,
-		`close 3`,
-		`close 5`,
-		`lstat "/rofs"`,
-		`mount "/rofs" "/tmp/.snap/rofs" "" MS_BIND|MS_REC ""`,
-		`lstat "/rofs"`,
-		`mount "tmpfs" "/rofs" "tmpfs" 0 ""`,
-		`unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`,
+		{C: `lstat "/rofs" <ptr>`, R: syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755}},
+		{C: `readdir "/rofs"`, R: []os.FileInfo(nil)},
+		{C: `lstat "/tmp/.snap/rofs"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `mkdirat 4 ".snap" 0755`},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 5 "rofs" 0755`},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 5`},
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 6},
+		{C: `openat 6 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/7" "" MS_BIND|MS_REC ""`},
+		{C: `close 7`},
+		{C: `close 4`},
+
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+		{C: `mount "tmpfs" "/rofs" "tmpfs" 0 "mode=0755,uid=0,gid=0"`},
+		{C: `unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `fstatfs 6 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/tmp/.snap/rofs"`},
+		{C: `close 6`},
 
 		// mimic ready, re-try initial mkdir
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`mkdirat 4 "target" 0755`,
-		`openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 3 0 0`,
-		`close 3`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "target" 0755`},
+		{C: `openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 4`},
 
 		// mount the filesystem
-		`mount "device" "/rofs/target" "type" 0 ""`,
+		{C: `mount "device" "/rofs/target" "type" 0 ""`},
 	})
 }
 
 // Change.Perform wants to mount a filesystem but the mount point isn't there and the parent is read-only and mimic fails during planning.
 func (s *changeSuite) TestPerformFilesystemMountWithoutMountPointAndReadOnlyBaseErrorWhilePlanning(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/rofs/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 4 "target" 0755`, syscall.EROFS)
 	s.sys.InsertFault(`lstat "/tmp/.snap/rofs"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertSysLstatResult(`lstat "/rofs" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
 	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil)
 	s.sys.InsertFault(`readdir "/rofs"`, errTesting) // make the writable mimic fail
 
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/rofs/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot create writable mimic over "/rofs": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
 		// sniff mount target
-		`lstat "/rofs/target"`,
+		{C: `lstat "/rofs/target"`, E: syscall.ENOENT},
 
 		// /rofs/target is missing, create it
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`mkdirat 4 "target" 0755`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "target" 0755`, E: syscall.EROFS},
+		{C: `close 4`},
 
 		// error, read only filesystem, create a mimic
-		`readdir "/rofs"`,
+		{C: `lstat "/rofs" <ptr>`, R: syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755}},
+		{C: `readdir "/rofs"`, E: errTesting},
 		// cannot create mimic, that's it
 	})
 }
 
 // Change.Perform wants to mount a filesystem but the mount point isn't there and the parent is read-only and mimic fails during execution.
 func (s *changeSuite) TestPerformFilesystemMountWithoutMountPointAndReadOnlyBaseErrorWhileExecuting(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/rofs/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 4 "target" 0755`, syscall.EROFS)
 	s.sys.InsertFault(`lstat "/tmp/.snap/rofs"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertSysLstatResult(`lstat "/rofs" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
 	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil)
 	s.sys.InsertFault(`mkdirat 4 ".snap" 0755`, errTesting) // make the writable mimic fail
 
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/rofs/target", Type: "type"}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create writable mimic over "/rofs": cannot create path "/tmp/.snap/rofs": cannot mkdir path segment ".snap": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create writable mimic over "/rofs": cannot create directory "/tmp/.snap": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
 		// sniff mount target
-		`lstat "/rofs/target"`,
+		{C: `lstat "/rofs/target"`, E: syscall.ENOENT},
 
 		// /rofs/target is missing, create it
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`mkdirat 4 "target" 0755`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "target" 0755`, E: syscall.EROFS},
+		{C: `close 4`},
 
 		// error, read only filesystem, create a mimic
-		`readdir "/rofs"`,
-		`lstat "/tmp/.snap/rofs"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "tmp" 0755`,
-		`openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`mkdirat 4 ".snap" 0755`,
-		`close 4`,
-		`close 3`,
+		{C: `lstat "/rofs" <ptr>`, R: syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755}},
+		{C: `readdir "/rofs"`, R: []os.FileInfo(nil)},
+		{C: `lstat "/tmp/.snap/rofs"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `mkdirat 4 ".snap" 0755`, E: errTesting},
+		{C: `close 4`},
+		{C: `close 3`},
 		// cannot create mimic, that's it
 	})
 }
 
 // Change.Perform wants to mount a filesystem but there's a symlink in mount point.
 func (s *changeSuite) TestPerformFilesystemMountWithSymlinkInMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoSymlink)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoSymlink)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/target" as mount point: not a directory`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoSymlink},
 	})
 }
 
 // Change.Perform wants to mount a filesystem but there's a file in mount point.
 func (s *changeSuite) TestPerformFilesystemMountWithFileInMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/target" as mount point: not a directory`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
 	})
 }
 
 // Change.Perform wants to unmount a filesystem.
 func (s *changeSuite) TestPerformFilesystemUnmount(c *C) {
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{})
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "/target" UMOUNT_NOFOLLOW`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/target"`},
+		{C: `close 4`},
+	})
 	c.Assert(synth, HasLen, 0)
 }
 
 // Change.Perform wants to detach a bind mount.
 func (s *changeSuite) TestPerformFilesystemDetch(c *C) {
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{})
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/something", Dir: "/target", Options: []string{"x-snapd.detach"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "/target" UMOUNT_NOFOLLOW|MNT_DETACH`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW|MNT_DETACH`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/target"`},
+		{C: `close 4`},
+	})
 	c.Assert(synth, HasLen, 0)
 }
 
@@ -566,35 +785,37 @@
 func (s *changeSuite) TestPerformFilesystemUnmountError(c *C) {
 	s.sys.InsertFault(`unmount "/target" UMOUNT_NOFOLLOW`, errTesting)
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, Equals, errTesting)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "/target" UMOUNT_NOFOLLOW`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`, E: errTesting},
+	})
 	c.Assert(synth, HasLen, 0)
 }
 
 // Change.Perform passes non-flag options to the kernel.
 func (s *changeSuite) TestPerformFilesystemMountWithOptions(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type", Options: []string{"ro", "funky"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`mount "device" "/target" "type" MS_RDONLY "funky"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `mount "device" "/target" "type" MS_RDONLY "funky"`},
 	})
 }
 
 // Change.Perform doesn't pass snapd-specific options to the kernel.
 func (s *changeSuite) TestPerformFilesystemMountWithSnapdSpecificOptions(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type", Options: []string{"ro", "x-snapd.funky"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`mount "device" "/target" "type" MS_RDONLY ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `mount "device" "/target" "type" MS_RDONLY ""`},
 	})
 }
 
@@ -606,266 +827,525 @@
 func (s *changeSuite) TestPerformDirectoryBindMountTargetLstatError(c *C) {
 	s.sys.InsertFault(`lstat "/target"`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot inspect "/target": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`lstat "/target"`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: errTesting},
+	})
 }
 
 // Change.Perform wants to bind mount a directory but the source cannot be stat'ed.
 func (s *changeSuite) TestPerformDirectoryBindMountSourceLstatError(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
 	s.sys.InsertFault(`lstat "/source"`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot inspect "/source": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, E: errTesting},
 	})
 }
 
 // Change.Perform wants to bind mount a directory.
 func (s *changeSuite) TestPerformDirectoryBindMount(c *C) {
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoDir)
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, R: testutil.FileInfoDir},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but it fails.
 func (s *changeSuite) TestPerformDirectoryBindMountWithError(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoDir)
-	s.sys.InsertFault(`mount "/source" "/target" "" MS_BIND ""`, errTesting)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoDir)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, Equals, errTesting)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, R: testutil.FileInfoDir},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`, E: errTesting},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but the mount point isn't there.
 func (s *changeSuite) TestPerformDirectoryBindMountWithoutMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoDir)
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoDir)
 	s.sys.InsertFault(`lstat "/target"`, syscall.ENOENT)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "target" 0755`,
-		`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`close 4`,
-		`close 3`,
-		`lstat "/source"`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "target" 0755`},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `lstat "/source"`, R: testutil.FileInfoDir},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but the mount source isn't there.
 func (s *changeSuite) TestPerformDirectoryBindMountWithoutMountSource(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/source"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "source" 0755`,
-		`openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`close 4`,
-		`close 3`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "source" 0755`},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to create a directory bind mount but the mount point isn't there and cannot be created.
 func (s *changeSuite) TestPerformDirectoryBindMountWithoutMountPointWithErrors(c *C) {
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoDir)
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "target" 0755`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/target": cannot mkdir path segment "target": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create directory "/target": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "target" 0755`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "target" 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to create a directory bind mount but the mount source isn't there and cannot be created.
 func (s *changeSuite) TestPerformDirectoryBindMountWithoutMountSourceWithErrors(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/source"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "source" 0755`, errTesting)
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/source": cannot mkdir path segment "source": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create directory "/source": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "source" 0755`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "source" 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but the mount point isn't there and the parent is read-only.
 func (s *changeSuite) TestPerformDirectoryBindMountWithoutMountPointAndReadOnlyBase(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/rofs/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, syscall.ENOENT, nil) // works on 2nd try
 	s.sys.InsertFault(`mkdirat 4 "target" 0755`, syscall.EROFS, nil)                               // works on 2nd try
-	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil)                                              // pretend /rofs is empty.
+	s.sys.InsertSysLstatResult(`lstat "/rofs" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
+	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil) // pretend /rofs is empty.
 	s.sys.InsertFault(`lstat "/tmp/.snap/rofs"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoDir)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 6 <ptr>`, syscall.Statfs_t{})
 
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/rofs/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, DeepEquals, []*update.Change{
 		{Action: update.Mount, Entry: osutil.MountEntry{
 			Name: "tmpfs", Dir: "/rofs", Type: "tmpfs",
-			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/target"}},
+			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/target", "mode=0755", "uid=0", "gid=0"}},
 		},
 	})
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
 		// sniff mount target
-		`lstat "/rofs/target"`,
+		{C: `lstat "/rofs/target"`, E: syscall.ENOENT},
 
 		// /rofs/target is missing, create it
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`mkdirat 4 "target" 0755`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "target" 0755`, E: syscall.EROFS},
+		{C: `close 4`},
 
 		// error, read only filesystem, create a mimic
-		`readdir "/rofs"`,
-		`lstat "/tmp/.snap/rofs"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "tmp" 0755`,
-		`openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`mkdirat 4 ".snap" 0755`,
-		`openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 5 0 0`,
-		`close 4`,
-		`close 3`,
-		`mkdirat 5 "rofs" 0755`,
-		`openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 3 0 0`,
-		`close 3`,
-		`close 5`,
-		`lstat "/rofs"`,
-		`mount "/rofs" "/tmp/.snap/rofs" "" MS_BIND|MS_REC ""`,
-		`lstat "/rofs"`,
-		`mount "tmpfs" "/rofs" "tmpfs" 0 ""`,
-		`unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`,
+		{C: `lstat "/rofs" <ptr>`, R: syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755}},
+		{C: `readdir "/rofs"`, R: []os.FileInfo(nil)},
+		{C: `lstat "/tmp/.snap/rofs"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `mkdirat 4 ".snap" 0755`},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 5 "rofs" 0755`},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 5`},
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 6},
+		{C: `openat 6 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/7" "" MS_BIND|MS_REC ""`},
+		{C: `close 7`},
+		{C: `close 4`},
+
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+		{C: `mount "tmpfs" "/rofs" "tmpfs" 0 "mode=0755,uid=0,gid=0"`},
+		{C: `unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `fstatfs 6 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/tmp/.snap/rofs"`},
+		{C: `close 6`},
 
 		// mimic ready, re-try initial mkdir
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`mkdirat 4 "target" 0755`,
-		`openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 3 0 0`,
-		`close 3`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "target" 0755`},
+		{C: `openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 4`},
 
 		// sniff mount source
-		`lstat "/source"`,
+		{C: `lstat "/source"`, R: testutil.FileInfoDir},
 
 		// mount the filesystem
-		`mount "/source" "/rofs/target" "" MS_BIND ""`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/6" "" MS_BIND ""`},
+		{C: `close 6`},
+		{C: `close 4`},
+	})
+}
+
+// Change.Perform wants to bind mount a directory but the mount source isn't there and the parent is read-only.
+func (s *changeSuite) TestPerformDirectoryBindMountWithoutMountSourceAndReadOnlyBase(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertFault(`lstat "/rofs/source"`, syscall.ENOENT)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
+	s.sys.InsertFault(`mkdirat 4 "source" 0755`, syscall.EROFS)
+
+	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/rofs/source", Dir: "/target", Options: []string{"bind"}}}
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot operate on read-only filesystem at /rofs`)
+	c.Assert(synth, HasLen, 0)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/rofs/source"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "source" 0755`, E: syscall.EROFS},
+		{C: `close 4`},
+	})
+}
+
+// Change.Perform wants to bind mount a directory but the mount source isn't there and the parent is read-only but this is for a layout.
+func (s *changeSuite) TestPerformDirectoryBindMountWithoutMountSourceAndReadOnlyBaseForLayout(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertFault(`lstat "/rofs/source"`, syscall.ENOENT)
+	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
+	s.sys.InsertFault(`openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, syscall.ENOENT, nil) // works on 2nd try
+	s.sys.InsertFault(`mkdirat 4 "source" 0755`, syscall.EROFS, nil)                               // works on 2nd try
+	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil)                                              // pretend /rofs is empty.
+	s.sys.InsertFault(`lstat "/tmp/.snap/rofs"`, syscall.ENOENT)
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertSysLstatResult(`lstat "/rofs" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 6 <ptr>`, syscall.Statfs_t{})
+
+	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/rofs/source", Dir: "/target", Options: []string{"bind", "x-snapd.origin=layout"}}}
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, IsNil)
+	c.Check(synth, DeepEquals, []*update.Change{
+		{Action: update.Mount, Entry: osutil.MountEntry{
+			Name: "tmpfs", Dir: "/rofs", Type: "tmpfs",
+			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/source", "mode=0755", "uid=0", "gid=0"}},
+		},
+	})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		// sniff mount target and source
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/rofs/source"`, E: syscall.ENOENT},
+
+		// /rofs/source is missing, create it
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "source" 0755`, E: syscall.EROFS},
+		{C: `close 4`},
+
+		// error /rofs is a read-only filesystem, create a mimic
+		{C: `lstat "/rofs" <ptr>`, R: syscall.Stat_t{Mode: 0755}},
+		{C: `readdir "/rofs"`, R: []os.FileInfo(nil)},
+		{C: `lstat "/tmp/.snap/rofs"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `mkdirat 4 ".snap" 0755`},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 5 "rofs" 0755`},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 5`},
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 6},
+		{C: `openat 6 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/7" "" MS_BIND|MS_REC ""`},
+		{C: `close 7`},
+		{C: `close 4`},
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+		{C: `mount "tmpfs" "/rofs" "tmpfs" 0 "mode=0755,uid=0,gid=0"`},
+		{C: `unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `fstatfs 6 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/tmp/.snap/rofs"`},
+		{C: `close 6`},
+
+		// /rofs/source was missing (we checked earlier), create it
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "source" 0755`},
+		{C: `openat 4 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 4`},
+
+		// bind mount /rofs/source -> /target
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/5" "/proc/self/fd/4" "" MS_BIND ""`},
+		{C: `close 4`},
+		{C: `close 5`},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but there's a symlink in mount point.
 func (s *changeSuite) TestPerformDirectoryBindMountWithSymlinkInMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoSymlink)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoSymlink)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/target" as mount point: not a directory`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoSymlink},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but there's a file in mount mount.
 func (s *changeSuite) TestPerformDirectoryBindMountWithFileInMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/target" as mount point: not a directory`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but there's a symlink in source.
 func (s *changeSuite) TestPerformDirectoryBindMountWithSymlinkInMountSource(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoSymlink)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoSymlink)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/source" as bind-mount source: not a directory`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, R: testutil.FileInfoSymlink},
 	})
 }
 
 // Change.Perform wants to bind mount a directory but there's a file in source.
 func (s *changeSuite) TestPerformDirectoryBindMountWithFileInMountSource(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoFile)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/source" as bind-mount source: not a directory`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, R: testutil.FileInfoFile},
 	})
 }
 
 // Change.Perform wants to unmount a directory bind mount.
 func (s *changeSuite) TestPerformDirectoryBindUnmount(c *C) {
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{})
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "/target" UMOUNT_NOFOLLOW`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/target"`},
+		{C: `close 4`},
+	})
 	c.Assert(synth, HasLen, 0)
 }
 
@@ -873,9 +1353,11 @@
 func (s *changeSuite) TestPerformDirectoryBindUnmountError(c *C) {
 	s.sys.InsertFault(`unmount "/target" UMOUNT_NOFOLLOW`, errTesting)
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, Equals, errTesting)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "/target" UMOUNT_NOFOLLOW`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`, E: errTesting},
+	})
 	c.Assert(synth, HasLen, 0)
 }
 
@@ -887,263 +1369,437 @@
 func (s *changeSuite) TestPerformFileBindMountTargetLstatError(c *C) {
 	s.sys.InsertFault(`lstat "/target"`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot inspect "/target": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`lstat "/target"`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: errTesting},
+	})
 }
 
 // Change.Perform wants to bind mount a file but the source cannot be stat'ed.
 func (s *changeSuite) TestPerformFileBindMountSourceLstatError(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
 	s.sys.InsertFault(`lstat "/source"`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot inspect "/source": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
+		{C: `lstat "/source"`, E: errTesting},
 	})
 }
 
 // Change.Perform wants to bind mount a file.
 func (s *changeSuite) TestPerformFileBindMount(c *C) {
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoFile)
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
+		{C: `lstat "/source"`, R: testutil.FileInfoFile},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to bind mount a file but it fails.
 func (s *changeSuite) TestPerformFileBindMountWithError(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoFile)
-	s.sys.InsertFault(`mount "/source" "/target" "" MS_BIND ""`, errTesting)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, Equals, errTesting)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
+		{C: `lstat "/source"`, R: testutil.FileInfoFile},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`, E: errTesting},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to bind mount a file but the mount point isn't there.
 func (s *changeSuite) TestPerformFileBindMountWithoutMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoFile)
 	s.sys.InsertFault(`lstat "/target"`, syscall.ENOENT)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`,
-		`fchown 4 0 0`,
-		`close 4`,
-		`close 3`,
-		`lstat "/source"`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `lstat "/source"`, R: testutil.FileInfoFile},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to create a directory bind mount but the mount point isn't there and cannot be created.
 func (s *changeSuite) TestPerformFileBindMountWithoutMountPointWithErrors(c *C) {
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/target": cannot open file "target": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot open file "/target": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to bind mount a file but the mount source isn't there.
 func (s *changeSuite) TestPerformFileBindMountWithoutMountSource(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/source"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`,
-		`fchown 4 0 0`,
-		`close 4`,
-		`close 3`,
-		`mount "/source" "/target" "" MS_BIND ""`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
+		{C: `lstat "/source"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/5" "" MS_BIND ""`},
+		{C: `close 5`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to create a file bind mount but the mount source isn't there and cannot be created.
 func (s *changeSuite) TestPerformFileBindMountWithoutMountSourceWithErrors(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/source"`, syscall.ENOENT)
 	s.sys.InsertFault(`openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, errTesting)
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/source": cannot open file "source": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot open file "/source": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
+		{C: `lstat "/source"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to bind mount a file but the mount point isn't there and the parent is read-only.
 func (s *changeSuite) TestPerformFileBindMountWithoutMountPointAndReadOnlyBase(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/rofs/target"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, syscall.EROFS, nil) // works on 2nd try
-	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil)                                                   // pretend /rofs is empty.
+	s.sys.InsertSysLstatResult(`lstat "/rofs" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
+	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil) // pretend /rofs is empty.
 	s.sys.InsertFault(`lstat "/tmp/.snap/rofs"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 6 <ptr>`, syscall.Statfs_t{})
 
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/rofs/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, DeepEquals, []*update.Change{
 		{Action: update.Mount, Entry: osutil.MountEntry{
 			Name: "tmpfs", Dir: "/rofs", Type: "tmpfs",
-			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/target"}},
+			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/target", "mode=0755", "uid=0", "gid=0"}},
 		},
 	})
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
 		// sniff mount target
-		`lstat "/rofs/target"`,
+		{C: `lstat "/rofs/target"`, E: syscall.ENOENT},
 
 		// /rofs/target is missing, create it
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, E: syscall.EROFS},
+		{C: `close 4`},
 
 		// error, read only filesystem, create a mimic
-		`readdir "/rofs"`,
-		`lstat "/tmp/.snap/rofs"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "tmp" 0755`,
-		`openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`mkdirat 4 ".snap" 0755`,
-		`openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 5 0 0`,
-		`close 4`,
-		`close 3`,
-		`mkdirat 5 "rofs" 0755`,
-		`openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 3 0 0`,
-		`close 3`,
-		`close 5`,
-		`lstat "/rofs"`,
-		`mount "/rofs" "/tmp/.snap/rofs" "" MS_BIND|MS_REC ""`,
-		`lstat "/rofs"`,
-		`mount "tmpfs" "/rofs" "tmpfs" 0 ""`,
-		`unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`,
+		{C: `lstat "/rofs" <ptr>`, R: syscall.Stat_t{Mode: 0755}},
+		{C: `readdir "/rofs"`, R: []os.FileInfo(nil)},
+		{C: `lstat "/tmp/.snap/rofs"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `mkdirat 4 ".snap" 0755`},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 5 "rofs" 0755`},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 5`},
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 6},
+		{C: `openat 6 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/7" "" MS_BIND|MS_REC ""`},
+		{C: `close 7`},
+		{C: `close 4`},
+
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+		{C: `mount "tmpfs" "/rofs" "tmpfs" 0 "mode=0755,uid=0,gid=0"`},
+		{C: `unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `fstatfs 6 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/tmp/.snap/rofs"`},
+		{C: `close 6`},
 
 		// mimic ready, re-try initial mkdir
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
-		`openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`,
-		`fchown 3 0 0`,
-		`close 3`,
-		`close 4`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `openat 4 "target" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 4`},
 
 		// sniff mount source
-		`lstat "/source"`,
+		{C: `lstat "/source"`, R: testutil.FileInfoFile},
 
 		// mount the filesystem
-		`mount "/source" "/rofs/target" "" MS_BIND ""`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/6" "" MS_BIND ""`},
+		{C: `close 6`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to bind mount a file but there's a symlink in mount point.
 func (s *changeSuite) TestPerformFileBindMountWithSymlinkInMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoSymlink)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoSymlink)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/target" as mount point: not a regular file`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoSymlink},
 	})
 }
 
 // Change.Perform wants to bind mount a file but there's a directory in mount point.
 func (s *changeSuite) TestPerformBindMountFileWithDirectoryInMountPoint(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/target" as mount point: not a regular file`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
 	})
 }
 
 // Change.Perform wants to bind mount a file but there's a symlink in source.
 func (s *changeSuite) TestPerformFileBindMountWithSymlinkInMountSource(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoSymlink)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoSymlink)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/source" as bind-mount source: not a regular file`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
+		{C: `lstat "/source"`, R: testutil.FileInfoSymlink},
 	})
 }
 
 // Change.Perform wants to bind mount a file but there's a directory in source.
 func (s *changeSuite) TestPerformFileBindMountWithDirectoryInMountSource(c *C) {
-	s.sys.InsertLstatResult(`lstat "/target"`, testutil.FileInfoFile)
-	s.sys.InsertLstatResult(`lstat "/source"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/source"`, testutil.FileInfoDir)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot use "/source" as bind-mount source: not a regular file`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/target"`,
-		`lstat "/source"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoFile},
+		{C: `lstat "/source"`, R: testutil.FileInfoDir},
+	})
+}
+
+// Change.Perform wants to unmount a file bind mount made on empty squashfs placeholder.
+func (s *changeSuite) TestPerformFileBindUnmountOnSquashfs(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Size: 0})
+	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `close 4`},
+	})
+	c.Assert(synth, HasLen, 0)
+}
+
+// Change.Perform wants to unmount a file bind mount made on non-empty ext4 placeholder.
+func (s *changeSuite) TestPerformFileBindUnmountOnExt4NonEmpty(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Size: 1})
+	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Size: 1}},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.Ext4Magic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Size: 1}},
+		{C: `close 4`},
 	})
+	c.Assert(synth, HasLen, 0)
 }
 
-// Change.Perform wants to unmount a file bind mount.
-func (s *changeSuite) TestPerformFileBindUnmount(c *C) {
+// Change.Perform wants to unmount a file bind mount made on empty tmpfs placeholder.
+func (s *changeSuite) TestPerformFileBindUnmountOnTmpfsEmpty(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Size: 0})
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "/target" UMOUNT_NOFOLLOW`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Size: 0}},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.TmpfsMagic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Size: 0}},
+		{C: `remove "/target"`},
+		{C: `close 4`},
+	})
+	c.Assert(synth, HasLen, 0)
+}
+
+// Change.Perform wants to unmount a file bind mount made on empty tmpfs placeholder but it is busy!.
+func (s *changeSuite) TestPerformFileBindUnmountOnTmpfsEmptyButBusy(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Size: 0})
+	s.sys.InsertFault(`remove "/target"`, syscall.EBUSY)
+	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, "device or resource busy")
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Size: 0}},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.TmpfsMagic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Size: 0}},
+		{C: `remove "/target"`, E: syscall.EBUSY},
+		{C: `close 4`},
+	})
 	c.Assert(synth, HasLen, 0)
 }
 
@@ -1151,12 +1807,42 @@
 func (s *changeSuite) TestPerformFileBindUnmountError(c *C) {
 	s.sys.InsertFault(`unmount "/target" UMOUNT_NOFOLLOW`, errTesting)
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.kind=file"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, Equals, errTesting)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "/target" UMOUNT_NOFOLLOW`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `unmount "/target" UMOUNT_NOFOLLOW`, E: errTesting},
+	})
 	c.Assert(synth, HasLen, 0)
 }
 
+// #############################################################
+// Topic: handling mounts with the x-snapd.ignore-missing option
+// #############################################################
+
+func (s *changeSuite) TestPerformMountWithIgnoredMissingMountSource(c *C) {
+	s.sys.InsertFault(`lstat "/source"`, syscall.ENOENT)
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.ignore-missing"}}}
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, Equals, update.ErrIgnoredMissingMount)
+	c.Assert(synth, HasLen, 0)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, R: testutil.FileInfoDir},
+		{C: `lstat "/source"`, E: syscall.ENOENT},
+	})
+}
+
+func (s *changeSuite) TestPerformMountWithIgnoredMissingMountPoint(c *C) {
+	s.sys.InsertFault(`lstat "/target"`, syscall.ENOENT)
+	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "/source", Dir: "/target", Options: []string{"bind", "x-snapd.ignore-missing"}}}
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, Equals, update.ErrIgnoredMissingMount)
+	c.Assert(synth, HasLen, 0)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/target"`, E: syscall.ENOENT},
+	})
+}
+
 // ########################
 // Topic: creating symlinks
 // ########################
@@ -1165,40 +1851,44 @@
 func (s *changeSuite) TestPerformCreateSymlinkNameLstatError(c *C) {
 	s.sys.InsertFault(`lstat "/name"`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot inspect "/name": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`lstat "/name"`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/name"`, E: errTesting},
+	})
 }
 
 // Change.Perform wants to create a symlink.
 func (s *changeSuite) TestPerformCreateSymlink(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/name"`, syscall.ENOENT)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/name"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`symlinkat "/oldname" 3 "name"`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/name"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `symlinkat "/oldname" 3 "name"`},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to create a symlink but it fails.
 func (s *changeSuite) TestPerformCreateSymlinkWithError(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/name"`, syscall.ENOENT)
 	s.sys.InsertFault(`symlinkat "/oldname" 3 "name"`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/name": cannot create symlink "name": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create symlink "/name": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/name"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`symlinkat "/oldname" 3 "name"`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/name"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `symlinkat "/oldname" 3 "name"`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
@@ -1206,174 +1896,413 @@
 func (s *changeSuite) TestPerformCreateSymlinkWithNoTargetError(c *C) {
 	s.sys.InsertFault(`lstat "/name"`, syscall.ENOENT)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink="}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/name": cannot create symlink with empty target`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create symlink with empty target: "/name"`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/name"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/name"`, E: syscall.ENOENT},
 	})
 }
 
 // Change.Perform wants to create a symlink but the base directory isn't there.
 func (s *changeSuite) TestPerformCreateSymlinkWithoutBaseDir(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/base/name"`, syscall.ENOENT)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/base/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/base/name"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "base" 0755`,
-		`openat 3 "base" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`close 3`,
-		`symlinkat "/oldname" 4 "name"`,
-		`close 4`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/base/name"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "base" 0755`},
+		{C: `openat 3 "base" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `close 3`},
+		{C: `symlinkat "/oldname" 4 "name"`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to create a symlink but the base directory isn't there and cannot be created.
 func (s *changeSuite) TestPerformCreateSymlinkWithoutBaseDirWithErrors(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/base/name"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "base" 0755`, errTesting)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/base/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/base/name": cannot mkdir path segment "base": testing`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create directory "/base": testing`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/base/name"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "base" 0755`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/base/name"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "base" 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to create a symlink but the base directory isn't there and the parent is read-only.
 func (s *changeSuite) TestPerformCreateSymlinkWithoutBaseDirAndReadOnlyBase(c *C) {
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
 	s.sys.InsertFault(`lstat "/rofs/name"`, syscall.ENOENT)
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`symlinkat "/oldname" 4 "name"`, syscall.EROFS, nil) // works on 2nd try
-	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil)                      // pretend /rofs is empty.
+	s.sys.InsertSysLstatResult(`lstat "/rofs" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
+	s.sys.InsertReadDirResult(`readdir "/rofs"`, nil) // pretend /rofs is empty.
 	s.sys.InsertFault(`lstat "/tmp/.snap/rofs"`, syscall.ENOENT)
-	s.sys.InsertLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/rofs"`, testutil.FileInfoDir)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 6 <ptr>`, syscall.Statfs_t{})
 
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/rofs/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, DeepEquals, []*update.Change{
 		{Action: update.Mount, Entry: osutil.MountEntry{
 			Name: "tmpfs", Dir: "/rofs", Type: "tmpfs",
-			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/name"}},
+			Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/rofs/name", "mode=0755", "uid=0", "gid=0"}},
 		},
 	})
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
 		// sniff symlink name
-		`lstat "/rofs/name"`,
+		{C: `lstat "/rofs/name"`, E: syscall.ENOENT},
 
 		// create base name (/rofs)
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`close 3`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
 		// create symlink
-		`symlinkat "/oldname" 4 "name"`, // (inserted fault happens here)
-		`close 4`,
+		{C: `symlinkat "/oldname" 4 "name"`, E: syscall.EROFS},
+		{C: `close 4`},
 
 		// error, read only filesystem, create a mimic
-		`readdir "/rofs"`,
-		`lstat "/tmp/.snap/rofs"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "tmp" 0755`,
-		`openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 4 0 0`,
-		`mkdirat 4 ".snap" 0755`,
-		`openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 5 0 0`,
-		`close 4`,
-		`close 3`,
-		`mkdirat 5 "rofs" 0755`,
-		`openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`fchown 3 0 0`,
-		`close 3`,
-		`close 5`,
-		`lstat "/rofs"`,
-		`mount "/rofs" "/tmp/.snap/rofs" "" MS_BIND|MS_REC ""`,
-		`lstat "/rofs"`,
-		`mount "tmpfs" "/rofs" "tmpfs" 0 ""`,
-		`unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`,
+		{C: `lstat "/rofs" <ptr>`, R: syscall.Stat_t{Mode: 0755}},
+		{C: `readdir "/rofs"`, R: []os.FileInfo(nil)},
+		{C: `lstat "/tmp/.snap/rofs"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 0 0`},
+		{C: `mkdirat 4 ".snap" 0755`},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 5 "rofs" 0755`},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 5`},
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 3`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 6},
+		{C: `openat 6 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 3`},
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/7" "" MS_BIND|MS_REC ""`},
+		{C: `close 7`},
+		{C: `close 4`},
+
+		{C: `lstat "/rofs"`, R: testutil.FileInfoDir},
+		{C: `mount "tmpfs" "/rofs" "tmpfs" 0 "mode=0755,uid=0,gid=0"`},
+		{C: `unmount "/tmp/.snap/rofs" UMOUNT_NOFOLLOW|MNT_DETACH`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "rofs" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `fstatfs 6 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/tmp/.snap/rofs"`},
+		{C: `close 6`},
 
 		// mimic ready, re-try initial base mkdir
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`mkdirat 3 "rofs" 0755`,
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,
-		`close 3`,
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
 		// create symlink
-		`symlinkat "/oldname" 4 "name"`, // (inserted fault happens here)
-		`close 4`,
+		{C: `symlinkat "/oldname" 4 "name"`},
+		{C: `close 4`},
 	})
 }
 
 // Change.Perform wants to create a symlink but there's a file in the way.
 func (s *changeSuite) TestPerformCreateSymlinkWithFileInTheWay(c *C) {
-	s.sys.InsertLstatResult(`lstat "/name"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/name"`, testutil.FileInfoFile)
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot create symlink in "/name": existing file in the way`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/name"`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/name"`, R: testutil.FileInfoFile},
 	})
 }
 
 // Change.Perform wants to create a symlink but a correct symlink is already present.
 func (s *changeSuite) TestPerformCreateSymlinkWithGoodSymlinkPresent(c *C) {
-	s.sys.InsertLstatResult(`lstat "/name"`, testutil.FileInfoSymlink)
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
+	s.sys.InsertOsLstatResult(`lstat "/name"`, testutil.FileInfoSymlink)
 	s.sys.InsertFault(`symlinkat "/oldname" 3 "name"`, syscall.EEXIST)
 	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Mode: syscall.S_IFLNK})
 	s.sys.InsertReadlinkatResult(`readlinkat 4 "" <ptr>`, "/oldname")
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/name"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,   // -> 3
-		`symlinkat "/oldname" 3 "name"`,                 // -> EEXIST
-		`openat 3 "name" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, // -> 4
-		`fstat 4 <ptr>`,
-		`readlinkat 4 "" <ptr>`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/name"`, R: testutil.FileInfoSymlink},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `symlinkat "/oldname" 3 "name"`, E: syscall.EEXIST},
+		{C: `openat 3 "name" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Mode: syscall.S_IFLNK}},
+		{C: `readlinkat 4 "" <ptr>`, R: "/oldname"},
+		{C: `close 4`},
+		{C: `close 3`},
 	})
 }
 
 // Change.Perform wants to create a symlink but a incorrect symlink is already present.
 func (s *changeSuite) TestPerformCreateSymlinkWithBadSymlinkPresent(c *C) {
-	s.sys.InsertLstatResult(`lstat "/name"`, testutil.FileInfoSymlink)
+	defer s.as.MockUnrestrictedPaths("/")() // Treat test path as unrestricted.
+	s.sys.InsertOsLstatResult(`lstat "/name"`, testutil.FileInfoSymlink)
 	s.sys.InsertFault(`symlinkat "/oldname" 3 "name"`, syscall.EEXIST)
 	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Mode: syscall.S_IFLNK})
 	s.sys.InsertReadlinkatResult(`readlinkat 4 "" <ptr>`, "/evil")
 	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
-	c.Assert(err, ErrorMatches, `cannot create path "/name": cannot create symbolic link "name": existing symbolic link in the way`)
+	synth, err := chg.Perform(s.as)
+	c.Assert(err, ErrorMatches, `cannot create symbolic link "/name": existing symbolic link in the way`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`lstat "/name"`,
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,   // -> 3
-		`symlinkat "/oldname" 3 "name"`,                 // -> EEXIST
-		`openat 3 "name" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, // -> 4
-		`fstat 4 <ptr>`,
-		`readlinkat 4 "" <ptr>`,
-		`close 3`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `lstat "/name"`, R: testutil.FileInfoSymlink},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `symlinkat "/oldname" 3 "name"`, E: syscall.EEXIST},
+		{C: `openat 3 "name" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Mode: syscall.S_IFLNK}},
+		{C: `readlinkat 4 "" <ptr>`, R: "/evil"},
+		{C: `close 4`},
+		{C: `close 3`},
 	})
 }
 
 func (s *changeSuite) TestPerformRemoveSymlink(c *C) {
 	chg := &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "unused", Dir: "/name", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`remove "/name"`})
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `remove "/name"`},
+	})
+}
+
+// Change.Perform wants to create a symlink in /etc and the write is made private.
+func (s *changeSuite) TestPerformCreateSymlinkWithAvoidedTrespassing(c *C) {
+	defer s.as.MockUnrestrictedPaths("/tmp/")() // Allow writing to /tmp
+
+	s.sys.InsertFault(`lstat "/etc/demo.conf"`, syscall.ENOENT)
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`,
+		// On 1st call ext4, on 2nd call tmpfs
+		syscall.Statfs_t{Type: update.Ext4Magic},
+		syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertSysLstatResult(`lstat "/etc" <ptr>`, syscall.Stat_t{Mode: 0755})
+	otherConf := testutil.FakeFileInfo("other.conf", 0755)
+	s.sys.InsertReadDirResult(`readdir "/etc"`, []os.FileInfo{otherConf})
+	s.sys.InsertFault(`lstat "/tmp/.snap/etc"`, syscall.ENOENT)
+	s.sys.InsertFault(`lstat "/tmp/.snap/etc/other.conf"`, syscall.ENOENT)
+	s.sys.InsertOsLstatResult(`lstat "/etc"`, testutil.FileInfoDir)
+	s.sys.InsertOsLstatResult(`lstat "/etc/other.conf"`, otherConf)
+	s.sys.InsertFault(`mkdirat 3 "tmp" 0755`, syscall.EEXIST)
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{Mode: syscall.S_IFREG})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Mode: syscall.S_IFDIR})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{Mode: syscall.S_IFDIR})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 6 <ptr>`, syscall.Statfs_t{})
+
+	// This is the change we want to perform:
+	// put a layout symlink at /etc/demo.conf -> /oldname
+	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "unused", Dir: "/etc/demo.conf", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/oldname"}}}
+	synth, err := chg.Perform(s.as)
+	c.Check(err, IsNil)
+	c.Check(synth, HasLen, 2)
+	// We have created some synthetic change (made /etc a new tmpfs and re-populate it)
+	c.Assert(synth[0], DeepEquals, &update.Change{
+		Entry:  osutil.MountEntry{Name: "tmpfs", Dir: "/etc", Type: "tmpfs", Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/etc/demo.conf", "mode=0755", "uid=0", "gid=0"}},
+		Action: "mount"})
+	c.Assert(synth[1], DeepEquals, &update.Change{
+		Entry:  osutil.MountEntry{Name: "/etc/other.conf", Dir: "/etc/other.conf", Options: []string{"bind", "x-snapd.kind=file", "x-snapd.synthetic", "x-snapd.needed-by=/etc/demo.conf"}},
+		Action: "mount"})
+
+	// And this is exactly how we made that happen:
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		// Attempt to construct a symlink /etc/demo.conf -> /oldname.
+		// This stops as soon as we notice that /etc is an ext4 filesystem.
+		// To avoid writing to it directly we need a writable mimic.
+		{C: `lstat "/etc/demo.conf"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.Ext4Magic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Mode: 0x4000}},
+		{C: `close 4`},
+
+		// Create a writable mimic over /etc, scan the contents of /etc first.
+		// For convenience we pretend that /etc is empty. The mimic
+		// replicates /etc in /tmp/.snap/etc for subsequent re-construction.
+		{C: `lstat "/etc" <ptr>`, R: syscall.Stat_t{Mode: 0755}},
+		{C: `readdir "/etc"`, R: []os.FileInfo{otherConf}},
+		{C: `lstat "/tmp/.snap/etc"`, E: syscall.ENOENT},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `mkdirat 4 ".snap" 0755`},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 0 0`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 5 "etc" 0755`},
+		{C: `openat 5 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 5`},
+
+		// Prepare a secure bind mount operation /etc -> /tmp/.snap/etc
+		{C: `lstat "/etc"`, R: testutil.FileInfoDir},
+
+		// Open an O_PATH descriptor to /etc. We need this as a source of a
+		// secure bind mount operation. We also ensure that the descriptor
+		// refers to a directory.
+		// NOTE: we keep fd 4 open for subsequent use.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Mode: syscall.S_IFDIR}},
+		{C: `close 3`},
+
+		// Open an O_PATH descriptor to /tmp/.snap/etc. We need this as a
+		// target of a secure bind mount operation. We also ensure that the
+		// descriptor refers to a directory.
+		// NOTE: we keep fd 7 open for subsequent use.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 6},
+		{C: `openat 6 "etc" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{Mode: syscall.S_IFDIR}},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 3`},
+
+		// Perform the secure bind mount operation /etc -> /tmp/.snap/etc
+		// and release the two associated file descriptors.
+		{C: `mount "/proc/self/fd/4" "/proc/self/fd/7" "" MS_BIND|MS_REC ""`},
+		{C: `close 7`},
+		{C: `close 4`},
+
+		// Mount a tmpfs over /etc, re-constructing the original mode and
+		// ownership. Bind mount each original file over and detach the copy
+		// of /etc we had in /tmp/.snap/etc.
+
+		{C: `lstat "/etc"`, R: testutil.FileInfoDir},
+		{C: `mount "tmpfs" "/etc" "tmpfs" 0 "mode=0755,uid=0,gid=0"`},
+		// Here we restore the contents of /etc: here it's just one file - other.conf
+		{C: `lstat "/etc/other.conf"`, R: otherConf},
+		{C: `lstat "/tmp/.snap/etc/other.conf"`, E: syscall.ENOENT},
+
+		// Create /tmp/.snap/etc/other.conf as an empty file.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "tmp" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `mkdirat 4 ".snap" 0755`},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 0 0`},
+		{C: `mkdirat 5 "etc" 0755`},
+		{C: `openat 5 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 6},
+		{C: `fchown 6 0 0`},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		// NOTE: This is without O_DIRECTORY and with O_CREAT|O_EXCL,
+		// we are creating an empty file for the subsequent bind mount.
+		{C: `openat 6 "other.conf" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 6`},
+
+		// Open O_PATH to /tmp/.snap/etc/other.conf
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 6},
+		{C: `openat 6 "other.conf" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{Mode: syscall.S_IFDIR}},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+
+		// Open O_PATH to /etc/other.conf
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "other.conf" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{Mode: syscall.S_IFREG}},
+		{C: `close 4`},
+		{C: `close 3`},
+
+		// Restore the /etc/other.conf file with a secure bind mount.
+		{C: `mount "/proc/self/fd/7" "/proc/self/fd/5" "" MS_BIND ""`},
+		{C: `close 5`},
+		{C: `close 7`},
+
+		// We're done restoring now.
+		{C: `unmount "/tmp/.snap/etc" UMOUNT_NOFOLLOW|MNT_DETACH`},
+
+		// Perform clean up after the unmount operation.
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "tmp" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 ".snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 5},
+		{C: `openat 5 "etc" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `fstatfs 6 <ptr>`, R: syscall.Statfs_t{}},
+		{C: `remove "/tmp/.snap/etc"`},
+		{C: `close 6`},
+
+		// The mimic is now complete and subsequent writes to /etc are private
+		// to the mount namespace of the process.
+
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.TmpfsMagic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{Mode: 0x4000}},
+		{C: `symlinkat "/oldname" 4 "demo.conf"`},
+		{C: `close 4`},
+	})
 }
 
 // ###########
@@ -1383,17 +2312,44 @@
 // Change.Perform handles unknown actions.
 func (s *changeSuite) TestPerformUnknownAction(c *C) {
 	chg := &update.Change{Action: update.Action(42)}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, ErrorMatches, `cannot process mount change: unknown action: .*`)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), HasLen, 0)
+	c.Assert(s.sys.RCalls(), HasLen, 0)
 }
 
 // Change.Perform wants to keep a mount entry unchanged.
 func (s *changeSuite) TestPerformKeep(c *C) {
 	chg := &update.Change{Action: update.Keep}
-	synth, err := chg.Perform()
+	synth, err := chg.Perform(s.as)
 	c.Assert(err, IsNil)
 	c.Assert(synth, HasLen, 0)
-	c.Assert(s.sys.Calls(), HasLen, 0)
+	c.Assert(s.sys.RCalls(), HasLen, 0)
+}
+
+// ############################################
+// Topic: change history tracked in Assumptions
+// ############################################
+
+func (s *changeSuite) TestPerformedChangesAreTracked(c *C) {
+	s.sys.InsertOsLstatResult(`lstat "/target"`, testutil.FileInfoDir)
+	c.Assert(s.as.PastChanges(), HasLen, 0)
+
+	chg := &update.Change{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
+	_, err := chg.Perform(s.as)
+	c.Assert(err, IsNil)
+	c.Assert(s.as.PastChanges(), DeepEquals, []*update.Change{
+		{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}},
+	})
+
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{})
+	chg = &update.Change{Action: update.Unmount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}}
+	_, err = chg.Perform(s.as)
+	c.Assert(err, IsNil)
+	c.Assert(s.as.PastChanges(), DeepEquals, []*update.Change{
+		// past changes stack in order.
+		{Action: update.Mount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}},
+		{Action: update.Unmount, Entry: osutil.MountEntry{Name: "device", Dir: "/target", Type: "type"}},
+	})
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/export_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/export_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,32 +30,38 @@
 
 var (
 	// change
-	ValidateSnapName = validateSnapName
-	ProcessArguments = processArguments
+	ValidateInstanceName = validateInstanceName
+	ProcessArguments     = processArguments
 	// freezer
 	FreezeSnapProcesses = freezeSnapProcesses
 	ThawSnapProcesses   = thawSnapProcesses
 	// utils
-	PlanWritableMimic  = planWritableMimic
-	ExecWritableMimic  = execWritableMimic
-	SecureMkdirAll     = secureMkdirAll
-	SecureMkfileAll    = secureMkfileAll
-	SecureMksymlinkAll = secureMksymlinkAll
-	SplitIntoSegments  = splitIntoSegments
+	PlanWritableMimic = planWritableMimic
+	ExecWritableMimic = execWritableMimic
 
 	// main
 	ComputeAndSaveChanges = computeAndSaveChanges
+	ApplyUserFstab        = applyUserFstab
+
+	// bootstrap
+	ClearBootstrapError = clearBootstrapError
+
+	// trespassing
+	IsReadOnly                   = isReadOnly
+	IsPrivateTmpfsCreatedBySnapd = isPrivateTmpfsCreatedBySnapd
 )
 
 // SystemCalls encapsulates various system interactions performed by this module.
 type SystemCalls interface {
-	Lstat(name string) (os.FileInfo, error)
+	OsLstat(name string) (os.FileInfo, error)
+	SysLstat(name string, buf *syscall.Stat_t) error
 	ReadDir(dirname string) ([]os.FileInfo, error)
 	Symlinkat(oldname string, dirfd int, newname string) error
 	Readlinkat(dirfd int, path string, buf []byte) (int, error)
 	Remove(name string) error
 
 	Close(fd int) error
+	Fchdir(fd int) error
 	Fchown(fd int, uid sys.UserID, gid sys.GroupID) error
 	Mkdirat(dirfd int, path string, mode uint32) error
 	Mount(source string, target string, fstype string, flags uintptr, data string) (err error)
@@ -63,6 +69,7 @@
 	Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error)
 	Unmount(target string, flags int) error
 	Fstat(fd int, buf *syscall.Stat_t) error
+	Fstatfs(fd int, buf *syscall.Statfs_t) error
 }
 
 // MockSystemCalls replaces real system calls with those of the argument.
@@ -82,9 +89,12 @@
 	oldSysSymlinkat := sysSymlinkat
 	oldReadlinkat := sysReadlinkat
 	oldFstat := sysFstat
+	oldFstatfs := sysFstatfs
+	oldSysFchdir := sysFchdir
+	oldSysLstat := sysLstat
 
 	// override
-	osLstat = sc.Lstat
+	osLstat = sc.OsLstat
 	osRemove = sc.Remove
 	ioutilReadDir = sc.ReadDir
 
@@ -98,6 +108,9 @@
 	sysSymlinkat = sc.Symlinkat
 	sysReadlinkat = sc.Readlinkat
 	sysFstat = sc.Fstat
+	sysFstatfs = sc.Fstatfs
+	sysFchdir = sc.Fchdir
+	sysLstat = sc.SysLstat
 
 	return func() {
 		// restore
@@ -115,6 +128,9 @@
 		sysSymlinkat = oldSysSymlinkat
 		sysReadlinkat = oldReadlinkat
 		sysFstat = oldFstat
+		sysFstatfs = oldFstatfs
+		sysFchdir = oldSysFchdir
+		sysLstat = oldSysLstat
 	}
 }
 
@@ -130,7 +146,7 @@
 	return freezerCgroupDir
 }
 
-func MockChangePerform(f func(chg *Change) ([]*Change, error)) func() {
+func MockChangePerform(f func(chg *Change, as *Assumptions) ([]*Change, error)) func() {
 	origChangePerform := changePerform
 	changePerform = f
 	return func() {
@@ -153,3 +169,15 @@
 		osReadlink = old
 	}
 }
+
+func (as *Assumptions) IsRestricted(path string) bool {
+	return as.isRestricted(path)
+}
+
+func (as *Assumptions) PastChanges() []*Change {
+	return as.pastChanges
+}
+
+func (as *Assumptions) CanWriteToDirectory(dirFd int, dirName string) (bool, error) {
+	return as.canWriteToDirectory(dirFd, dirName)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/main.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/main.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/jessevdk/go-flags"
 
@@ -29,10 +30,12 @@
 	"github.com/snapcore/snapd/interfaces/mount"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/snap"
 )
 
 var opts struct {
 	FromSnapConfine bool `long:"from-snap-confine"`
+	UserMounts      bool `long:"user-mounts"`
 	Positionals     struct {
 		SnapName string `positional-arg-name:"SNAP_NAME" required:"yes"`
 	} `positional-args:"true"`
@@ -80,30 +83,35 @@
 		return err
 	}
 
-	snapName := opts.Positionals.SnapName
+	if opts.UserMounts {
+		return applyUserFstab(opts.Positionals.SnapName)
+	}
+	return applyFstab(opts.Positionals.SnapName, opts.FromSnapConfine)
+}
 
+func applyFstab(instanceName string, fromSnapConfine bool) error {
 	// Lock the mount namespace so that any concurrently attempted invocations
 	// of snap-confine are synchronized and will see consistent state.
-	lock, err := mount.OpenLock(snapName)
+	lock, err := mount.OpenLock(instanceName)
 	if err != nil {
-		return fmt.Errorf("cannot open lock file for mount namespace of snap %q: %s", snapName, err)
+		return fmt.Errorf("cannot open lock file for mount namespace of snap %q: %s", instanceName, err)
 	}
 	defer func() {
-		logger.Debugf("unlocking mount namespace of snap %q", snapName)
+		logger.Debugf("unlocking mount namespace of snap %q", instanceName)
 		lock.Close()
 	}()
 
-	logger.Debugf("locking mount namespace of snap %q", snapName)
-	if opts.FromSnapConfine {
+	logger.Debugf("locking mount namespace of snap %q", instanceName)
+	if fromSnapConfine {
 		// When --from-snap-confine is passed then we just ensure that the
 		// namespace is locked. This is used by snap-confine to use
 		// snap-update-ns to apply mount profiles.
 		if err := lock.TryLock(); err != osutil.ErrAlreadyLocked {
-			return fmt.Errorf("mount namespace of snap %q is not locked but --from-snap-confine was used", snapName)
+			return fmt.Errorf("mount namespace of snap %q is not locked but --from-snap-confine was used", instanceName)
 		}
 	} else {
 		if err := lock.Lock(); err != nil {
-			return fmt.Errorf("cannot lock mount namespace of snap %q: %s", snapName, err)
+			return fmt.Errorf("cannot lock mount namespace of snap %q: %s", instanceName, err)
 		}
 	}
 
@@ -112,19 +120,47 @@
 	// symlinks or perform other malicious activity (such as attempting to
 	// introduce a symlink that would cause us to mount something other
 	// than what we expected).
-	logger.Debugf("freezing processes of snap %q", snapName)
-	if err := freezeSnapProcesses(opts.Positionals.SnapName); err != nil {
+	logger.Debugf("freezing processes of snap %q", instanceName)
+	if err := freezeSnapProcesses(instanceName); err != nil {
 		return err
 	}
 	defer func() {
-		logger.Debugf("thawing processes of snap %q", snapName)
-		thawSnapProcesses(opts.Positionals.SnapName)
+		logger.Debugf("thawing processes of snap %q", instanceName)
+		thawSnapProcesses(instanceName)
 	}()
 
-	return computeAndSaveChanges(snapName)
+	// Allow creating directories related to this snap name.
+	//
+	// Note that we allow /var/snap instead of /var/snap/$SNAP_NAME because
+	// content interface connections can readily create missing mount points on
+	// both sides of the interface connection.
+	//
+	// We scope /snap/$SNAP_NAME because only one side of the connection can be
+	// created, as snaps are read-only, the mimic construction will kick-in and
+	// create the missing directory but this directory is only visible from the
+	// snap that we are operating on (either plug or slot side, the point is,
+	// the mount point is not universally visible).
+	//
+	// /snap/$SNAP_NAME needs to be there as the code that creates such mount
+	// points must traverse writable host filesystem that contains /snap/*/ and
+	// normally such access is off-limits. This approach allows /snap/foo
+	// without allowing /snap/bin, for example.
+	//
+	// /snap/$SNAP_INSTANCE_NAME and /snap/$SNAP_NAME are added to allow
+	// remapping for parallel installs only when the snap has an instance key
+	//
+	// TODO: Handle /home/*/snap/* when we do per-user mount namespaces and
+	// allow defining layout items that refer to SNAP_USER_DATA and
+	// SNAP_USER_COMMON.
+	as := &Assumptions{}
+	as.AddUnrestrictedPaths("/tmp", "/var/snap", "/snap/"+instanceName)
+	if snapName := snap.InstanceSnap(instanceName); snapName != instanceName {
+		as.AddUnrestrictedPaths("/snap/" + snapName)
+	}
+	return computeAndSaveChanges(instanceName, as)
 }
 
-func computeAndSaveChanges(snapName string) error {
+func computeAndSaveChanges(snapName string, as *Assumptions) error {
 	// Read the desired and current mount profiles. Note that missing files
 	// count as empty profiles so that we can gracefully handle a mount
 	// interface connection/disconnection.
@@ -141,9 +177,27 @@
 		return fmt.Errorf("cannot load current mount profile of snap %q: %s", snapName, err)
 	}
 	debugShowProfile(currentBefore, "current mount profile (before applying changes)")
+	// Synthesize mount changes that were applied before for the purpose of the tmpfs detector.
+	for _, entry := range currentBefore.Entries {
+		as.AddChange(&Change{Action: Mount, Entry: entry})
+	}
 
-	// Compute the needed changes and perform each change if needed, collecting
-	// those that we managed to perform or that were performed already.
+	currentAfter, err := applyProfile(snapName, currentBefore, desired, as)
+	if err != nil {
+		return err
+	}
+
+	logger.Debugf("saving current mount profile of snap %q", snapName)
+	if err := currentAfter.Save(currentProfilePath); err != nil {
+		return fmt.Errorf("cannot save current mount profile of snap %q: %s", snapName, err)
+	}
+	return nil
+}
+
+func applyProfile(snapName string, currentBefore, desired *osutil.MountProfile, as *Assumptions) (*osutil.MountProfile, error) {
+	// Compute the needed changes and perform each change if
+	// needed, collecting those that we managed to perform or that
+	// were performed already.
 	changesNeeded := NeededChanges(currentBefore, desired)
 	debugShowChanges(changesNeeded, "mount changes needed")
 
@@ -151,7 +205,7 @@
 	var changesMade []*Change
 	for _, change := range changesNeeded {
 		logger.Debugf("\t * %s", change)
-		synthesised, err := changePerform(change)
+		synthesised, err := changePerform(change, as)
 		changesMade = append(changesMade, synthesised...)
 		if len(synthesised) > 0 {
 			logger.Debugf("\tsynthesised additional mount changes:")
@@ -160,12 +214,15 @@
 			}
 		}
 		if err != nil {
-			// NOTE: we may have done something even if Perform itself has failed.
-			// We need to collect synthesized changes and store them.
-			if change.Entry.XSnapdOrigin() == "layout" {
-				return err
+			// We may have done something even if Perform itself has
+			// failed. We need to collect synthesized changes and
+			// store them.
+			origin := change.Entry.XSnapdOrigin()
+			if origin == "layout" || origin == "overname" {
+				return nil, err
+			} else if err != ErrIgnoredMissingMount {
+				logger.Noticef("cannot change mount namespace of snap %q according to change %s: %s", snapName, change, err)
 			}
-			logger.Noticef("cannot change mount namespace of snap %q according to change %s: %s", snapName, change, err)
 			continue
 		}
 
@@ -181,12 +238,7 @@
 		}
 	}
 	debugShowProfile(&currentAfter, "current mount profile (after applying changes)")
-
-	logger.Debugf("saving current mount profile of snap %q", snapName)
-	if err := currentAfter.Save(currentProfilePath); err != nil {
-		return fmt.Errorf("cannot save current mount profile of snap %q: %s", snapName, err)
-	}
-	return nil
+	return &currentAfter, nil
 }
 
 func debugShowProfile(profile *osutil.MountProfile, header string) {
@@ -210,3 +262,30 @@
 		logger.Debugf("%s: (none)", header)
 	}
 }
+
+func applyUserFstab(snapName string) error {
+	desiredProfilePath := fmt.Sprintf("%s/snap.%s.user-fstab", dirs.SnapMountPolicyDir, snapName)
+	desired, err := osutil.LoadMountProfile(desiredProfilePath)
+	if err != nil {
+		return fmt.Errorf("cannot load desired user mount profile of snap %q: %s", snapName, err)
+	}
+
+	// Replace XDG_RUNTIME_DIR in mount profile
+	xdgRuntimeDir := fmt.Sprintf("%s/%d", dirs.XdgRuntimeDirBase, os.Getuid())
+	for i := range desired.Entries {
+		if strings.HasPrefix(desired.Entries[i].Name, "$XDG_RUNTIME_DIR/") {
+			desired.Entries[i].Name = strings.Replace(desired.Entries[i].Name, "$XDG_RUNTIME_DIR", xdgRuntimeDir, 1)
+		}
+		if strings.HasPrefix(desired.Entries[i].Dir, "$XDG_RUNTIME_DIR/") {
+			desired.Entries[i].Dir = strings.Replace(desired.Entries[i].Dir, "$XDG_RUNTIME_DIR", xdgRuntimeDir, 1)
+		}
+	}
+
+	debugShowProfile(desired, "desired mount profile")
+
+	// TODO: configure the secure helper and inform it about directories that
+	// can be created without trespassing.
+	as := &Assumptions{}
+	_, err = applyProfile(snapName, &osutil.MountProfile{}, desired, as)
+	return err
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/main_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/main_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/main_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package main_test
 
 import (
+	"bytes"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -30,21 +31,34 @@
 
 	update "github.com/snapcore/snapd/cmd/snap-update-ns"
 	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/testutil"
 )
 
 func Test(t *testing.T) { TestingT(t) }
 
-type mainSuite struct{}
+type mainSuite struct {
+	testutil.BaseTest
+	as  *update.Assumptions
+	log *bytes.Buffer
+}
 
 var _ = Suite(&mainSuite{})
 
+func (s *mainSuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+	s.as = &update.Assumptions{}
+	buf, restore := logger.MockLogger()
+	s.BaseTest.AddCleanup(restore)
+	s.log = buf
+}
+
 func (s *mainSuite) TestComputeAndSaveChanges(c *C) {
 	dirs.SetRootDir(c.MkDir())
 	defer dirs.SetRootDir("/")
 
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		return nil, nil
 	})
 	defer restore()
@@ -65,7 +79,7 @@
 	err = ioutil.WriteFile(currentProfilePath, nil, 0644)
 	c.Assert(err, IsNil)
 
-	err = update.ComputeAndSaveChanges(snapName)
+	err = update.ComputeAndSaveChanges(snapName, s.as)
 	c.Assert(err, IsNil)
 
 	c.Check(currentProfilePath, testutil.FileEquals, `/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0
@@ -100,7 +114,7 @@
 	// represented here. The changes have only one goal: tell
 	// snap-update-ns how the mimic can be undone in case it is no longer
 	// needed.
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		// The change that we were asked to perform is to create a bind mount
 		// from within the snap to /usr/share/mysnap.
 		c.Assert(chg, DeepEquals, &update.Change{
@@ -132,7 +146,7 @@
 	})
 	defer restore()
 
-	c.Assert(update.ComputeAndSaveChanges(snapName), IsNil)
+	c.Assert(update.ComputeAndSaveChanges(snapName, s.as), IsNil)
 
 	c.Check(currentProfilePath, testutil.FileEquals,
 		`tmpfs /usr/share tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/mysnap 0 0
@@ -166,7 +180,7 @@
 	c.Assert(ioutil.WriteFile(desiredProfilePath, []byte(desiredProfileContent), 0644), IsNil)
 
 	n := -1
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		n++
 		switch n {
 		case 0:
@@ -209,7 +223,7 @@
 	})
 	defer restore()
 
-	c.Assert(update.ComputeAndSaveChanges(snapName), IsNil)
+	c.Assert(update.ComputeAndSaveChanges(snapName, s.as), IsNil)
 
 	c.Check(currentProfilePath, testutil.FileEquals, "")
 }
@@ -231,7 +245,7 @@
 	c.Assert(ioutil.WriteFile(desiredProfilePath, []byte(desiredProfileContent), 0644), IsNil)
 
 	n := -1
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		n++
 		switch n {
 		case 0:
@@ -251,7 +265,123 @@
 	defer restore()
 
 	// The error was not ignored, we bailed out.
-	c.Assert(update.ComputeAndSaveChanges(snapName), ErrorMatches, "testing")
+	c.Assert(update.ComputeAndSaveChanges(snapName, s.as), ErrorMatches, "testing")
 
 	c.Check(currentProfilePath, testutil.FileEquals, "")
 }
+
+func (s *mainSuite) TestApplyingParallelInstanceChanges(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	defer dirs.SetRootDir("/")
+
+	const snapName = "mysnap"
+	const currentProfileContent = ""
+	const desiredProfileContent = "/snap/mysnap_foo /snap/mysnap none rbind,x-snapd.origin=overname 0 0"
+
+	currentProfilePath := fmt.Sprintf("%s/snap.%s.fstab", dirs.SnapRunNsDir, snapName)
+	desiredProfilePath := fmt.Sprintf("%s/snap.%s.fstab", dirs.SnapMountPolicyDir, snapName)
+
+	c.Assert(os.MkdirAll(filepath.Dir(currentProfilePath), 0755), IsNil)
+	c.Assert(os.MkdirAll(filepath.Dir(desiredProfilePath), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(currentProfilePath, []byte(currentProfileContent), 0644), IsNil)
+	c.Assert(ioutil.WriteFile(desiredProfilePath, []byte(desiredProfileContent), 0644), IsNil)
+
+	n := -1
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
+		n++
+		switch n {
+		case 0:
+			c.Assert(chg, DeepEquals, &update.Change{
+				Action: update.Mount,
+				Entry: osutil.MountEntry{
+					Name: "/snap/mysnap_foo",
+					Dir:  "/snap/mysnap", Type: "none",
+					Options: []string{"rbind", "x-snapd.origin=overname"},
+				},
+			})
+			return nil, fmt.Errorf("testing")
+		default:
+			panic(fmt.Sprintf("unexpected call n=%d, chg: %v", n, *chg))
+		}
+	})
+	defer restore()
+
+	// The error was not ignored, we bailed out.
+	c.Assert(update.ComputeAndSaveChanges(snapName, nil), ErrorMatches, "testing")
+
+	c.Check(currentProfilePath, testutil.FileEquals, "")
+}
+
+func (s *mainSuite) TestApplyIgnoredMissingMount(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	defer dirs.SetRootDir("/")
+
+	const snapName = "mysnap"
+	const currentProfileContent = ""
+	const desiredProfileContent = "/source /target none bind,x-snapd.ignore-missing 0 0"
+
+	currentProfilePath := fmt.Sprintf("%s/snap.%s.fstab", dirs.SnapRunNsDir, snapName)
+	desiredProfilePath := fmt.Sprintf("%s/snap.%s.fstab", dirs.SnapMountPolicyDir, snapName)
+
+	c.Assert(os.MkdirAll(filepath.Dir(currentProfilePath), 0755), IsNil)
+	c.Assert(os.MkdirAll(filepath.Dir(desiredProfilePath), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(currentProfilePath, []byte(currentProfileContent), 0644), IsNil)
+	c.Assert(ioutil.WriteFile(desiredProfilePath, []byte(desiredProfileContent), 0644), IsNil)
+
+	n := -1
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
+		n++
+		switch n {
+		case 0:
+			c.Assert(chg, DeepEquals, &update.Change{
+				Action: update.Mount,
+				Entry: osutil.MountEntry{
+					Name:    "/source",
+					Dir:     "/target",
+					Type:    "none",
+					Options: []string{"bind", "x-snapd.ignore-missing"},
+				},
+			})
+			return nil, update.ErrIgnoredMissingMount
+		default:
+			panic(fmt.Sprintf("unexpected call n=%d, chg: %v", n, *chg))
+		}
+	})
+	defer restore()
+
+	// The error was ignored, and no mount was recorded in the profile
+	c.Assert(update.ComputeAndSaveChanges(snapName, s.as), IsNil)
+	c.Check(s.log.String(), Equals, "")
+	c.Check(currentProfilePath, testutil.FileEquals, "")
+}
+
+func (s *mainSuite) TestApplyUserFstab(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	defer dirs.SetRootDir("/")
+
+	var changes []update.Change
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
+		changes = append(changes, *chg)
+		return nil, nil
+	})
+	defer restore()
+
+	snapName := "foo"
+	desiredProfileContent := `$XDG_RUNTIME_DIR/doc/by-app/snap.foo $XDG_RUNTIME_DIR/doc none bind,rw 0 0`
+
+	desiredProfilePath := fmt.Sprintf("%s/snap.%s.user-fstab", dirs.SnapMountPolicyDir, snapName)
+	err := os.MkdirAll(filepath.Dir(desiredProfilePath), 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(desiredProfilePath, []byte(desiredProfileContent), 0644)
+	c.Assert(err, IsNil)
+
+	err = update.ApplyUserFstab("foo")
+	c.Assert(err, IsNil)
+
+	xdgRuntimeDir := fmt.Sprintf("%s/%d", dirs.XdgRuntimeDirBase, os.Getuid())
+
+	c.Assert(changes, HasLen, 1)
+	c.Assert(changes[0].Action, Equals, update.Mount)
+	c.Assert(changes[0].Entry.Name, Equals, xdgRuntimeDir+"/doc/by-app/snap.foo")
+	c.Assert(changes[0].Entry.Dir, Matches, xdgRuntimeDir+"/doc")
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/secure_bindmount.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/secure_bindmount.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/secure_bindmount.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/secure_bindmount.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,97 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"syscall"
+)
+
+// BindMount performs a bind mount between two absolute paths containing no
+// symlinks.
+func BindMount(sourceDir, targetDir string, flags uint) error {
+	// This function only attempts to handle bind mounts. Expanding to other
+	// mounts will require examining do_mount() from fs/namespace.c of the
+	// kernel that called functions (eventually) verify `DCACHE_CANT_MOUNT` is
+	// not set (eg, by calling lock_mount()).
+	if flags&syscall.MS_BIND == 0 {
+		return fmt.Errorf("cannot perform non-bind mount operation")
+	}
+
+	// The kernel doesn't support recursively switching a tree of bind mounts
+	// to read only, and we haven't written a work around.
+	if flags&syscall.MS_RDONLY != 0 && flags&syscall.MS_REC != 0 {
+		return fmt.Errorf("cannot use MS_RDONLY and MS_REC together")
+	}
+
+	// Step 1: acquire file descriptors representing the source and destination
+	// directories, ensuring no symlinks are followed.
+	sourceFd, err := OpenPath(sourceDir)
+	if err != nil {
+		return err
+	}
+	defer sysClose(sourceFd)
+	targetFd, err := OpenPath(targetDir)
+	if err != nil {
+		return err
+	}
+	defer sysClose(targetFd)
+
+	// Step 2: perform a bind mount between the paths identified by the two
+	// file descriptors. We primarily care about privilege escalation here and
+	// trying to race the sysMount() by removing any part of the dir (sourceDir
+	// or targetDir) after we have an open file descriptor to it (sourceFd or
+	// targetFd) to then replace an element of the dir's path with a symlink
+	// will cause the fd path (ie, sourceFdPath or targetFdPath) to be marked
+	// as unmountable within the kernel (this path is also changed to show as
+	// '(deleted)'). Alternatively, simply renaming the dir (sourceDir or
+	// targetDir) after we have an open file descriptor to it (sourceFd or
+	// targetFd) causes the mount to happen with the newly renamed path, but
+	// this rename is controlled by DAC so while the user could race the mount
+	// source or target, this rename can't be used to gain privileged access to
+	// files. For systems with AppArmor enabled, this raced rename would be
+	// denied by the per-snap snap-update-ns AppArmor profle.
+	sourceFdPath := fmt.Sprintf("/proc/self/fd/%d", sourceFd)
+	targetFdPath := fmt.Sprintf("/proc/self/fd/%d", targetFd)
+	bindFlags := syscall.MS_BIND | (flags & syscall.MS_REC)
+	if err := sysMount(sourceFdPath, targetFdPath, "", uintptr(bindFlags), ""); err != nil {
+		return err
+	}
+
+	// Step 3: optionally change to readonly
+	if flags&syscall.MS_RDONLY != 0 {
+		// We need to look up the target directory a second time, because
+		// targetFd refers to the path shadowed by the mount point.
+		mountFd, err := OpenPath(targetDir)
+		if err != nil {
+			// FIXME: the mount occurred, but the user moved the target
+			// somewhere
+			return err
+		}
+		defer sysClose(mountFd)
+		mountFdPath := fmt.Sprintf("/proc/self/fd/%d", mountFd)
+		remountFlags := syscall.MS_REMOUNT | syscall.MS_BIND | syscall.MS_RDONLY
+		if err := sysMount("none", mountFdPath, "", uintptr(remountFlags), ""); err != nil {
+			sysUnmount(mountFdPath, syscall.MNT_DETACH|umountNoFollow)
+			return err
+		}
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/secure_bindmount_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/secure_bindmount_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/secure_bindmount_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/secure_bindmount_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,200 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"syscall"
+
+	. "gopkg.in/check.v1"
+
+	update "github.com/snapcore/snapd/cmd/snap-update-ns"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type secureBindMountSuite struct {
+	testutil.BaseTest
+	sys *testutil.SyscallRecorder
+}
+
+var _ = Suite(&secureBindMountSuite{})
+
+func (s *secureBindMountSuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+	s.sys = &testutil.SyscallRecorder{}
+	s.BaseTest.AddCleanup(update.MockSystemCalls(s.sys))
+}
+
+func (s *secureBindMountSuite) TearDownTest(c *C) {
+	s.sys.CheckForStrayDescriptors(c)
+	s.BaseTest.TearDownTest(c)
+}
+
+func (s *secureBindMountSuite) TestMount(c *C) {
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	err := update.BindMount("/source/dir", "/target/dir", syscall.MS_BIND)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/source"
+		{C: `close 3`}, // "/"
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/target"
+		{C: `close 3`}, // "/"
+		{C: `mount "/proc/self/fd/5" "/proc/self/fd/6" "" MS_BIND ""`},
+		{C: `close 6`}, // "/target/dir"
+		{C: `close 5`}, // "/source/dir"
+	})
+}
+
+func (s *secureBindMountSuite) TestMountRecursive(c *C) {
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	err := update.BindMount("/source/dir", "/target/dir", syscall.MS_BIND|syscall.MS_REC)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/source"
+		{C: `close 3`}, // "/"
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/target"
+		{C: `close 3`}, // "/"
+		{C: `mount "/proc/self/fd/5" "/proc/self/fd/6" "" MS_BIND|MS_REC ""`},
+		{C: `close 6`}, // "/target/dir"
+		{C: `close 5`}, // "/source/dir"
+	})
+}
+
+func (s *secureBindMountSuite) TestMountReadOnly(c *C) {
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{})
+	err := update.BindMount("/source/dir", "/target/dir", syscall.MS_BIND|syscall.MS_RDONLY)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/source"
+		{C: `close 3`}, // "/"
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/target"
+		{C: `close 3`}, // "/"
+		{C: `mount "/proc/self/fd/5" "/proc/self/fd/6" "" MS_BIND ""`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/target"
+		{C: `close 3`}, // "/"
+		{C: `mount "none" "/proc/self/fd/7" "" MS_REMOUNT|MS_BIND|MS_RDONLY ""`},
+		{C: `close 7`}, // "/target/dir"
+		{C: `close 6`}, // "/target/dir"
+		{C: `close 5`}, // "/source/dir"
+	})
+}
+
+func (s *secureBindMountSuite) TestBindFlagRequired(c *C) {
+	err := update.BindMount("/source/dir", "/target/dir", syscall.MS_REC)
+	c.Assert(err, ErrorMatches, "cannot perform non-bind mount operation")
+	c.Check(s.sys.RCalls(), HasLen, 0)
+}
+
+func (s *secureBindMountSuite) TestMountReadOnlyRecursive(c *C) {
+	err := update.BindMount("/source/dir", "/target/dir", syscall.MS_BIND|syscall.MS_RDONLY|syscall.MS_REC)
+	c.Assert(err, ErrorMatches, "cannot use MS_RDONLY and MS_REC together")
+	c.Check(s.sys.RCalls(), HasLen, 0)
+}
+
+func (s *secureBindMountSuite) TestBindMountFails(c *C) {
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mount "/proc/self/fd/5" "/proc/self/fd/6" "" MS_BIND ""`, errTesting)
+	err := update.BindMount("/source/dir", "/target/dir", syscall.MS_BIND|syscall.MS_RDONLY)
+	c.Assert(err, ErrorMatches, "testing")
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/source"
+		{C: `close 3`}, // "/"
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/target"
+		{C: `close 3`}, // "/"
+		{C: `mount "/proc/self/fd/5" "/proc/self/fd/6" "" MS_BIND ""`, E: errTesting},
+		{C: `close 6`}, // "/target/dir"
+		{C: `close 5`}, // "/source/dir"
+	})
+}
+
+func (s *secureBindMountSuite) TestRemountReadOnlyFails(c *C) {
+	s.sys.InsertFstatResult(`fstat 5 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 6 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatResult(`fstat 7 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mount "none" "/proc/self/fd/7" "" MS_REMOUNT|MS_BIND|MS_RDONLY ""`, errTesting)
+	err := update.BindMount("/source/dir", "/target/dir", syscall.MS_BIND|syscall.MS_RDONLY)
+	c.Assert(err, ErrorMatches, "testing")
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "source" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/source"
+		{C: `close 3`}, // "/"
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 6},
+		{C: `fstat 6 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/target"
+		{C: `close 3`}, // "/"
+		{C: `mount "/proc/self/fd/5" "/proc/self/fd/6" "" MS_BIND ""`},
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "target" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 7},
+		{C: `fstat 7 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`}, // "/target"
+		{C: `close 3`}, // "/"
+		{C: `mount "none" "/proc/self/fd/7" "" MS_REMOUNT|MS_BIND|MS_RDONLY ""`, E: errTesting},
+		{C: `unmount "/proc/self/fd/7" UMOUNT_NOFOLLOW|MNT_DETACH`},
+		{C: `close 7`}, // "/target/dir"
+		{C: `close 6`}, // "/target/dir"
+		{C: `close 5`}, // "/source/dir"
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/sorting.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/sorting.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/sorting.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/sorting.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,13 +25,26 @@
 	"github.com/snapcore/snapd/osutil"
 )
 
-// byMagicDir allows sorting an array of entries that automagically assumes
-// each entry ends with a trailing slash.
-type byMagicDir []osutil.MountEntry
+// byOriginAndMagicDir allows sorting an array of entries by the source of mount
+// entry (overname, layout, content) and lexically by mount point name.
+// Automagically adds a trailing slash to paths.
+type byOriginAndMagicDir []osutil.MountEntry
+
+func (c byOriginAndMagicDir) Len() int      { return len(c) }
+func (c byOriginAndMagicDir) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
+func (c byOriginAndMagicDir) Less(i, j int) bool {
+	iMe := c[i]
+	jMe := c[j]
+
+	iOrigin := iMe.XSnapdOrigin()
+	jOrigin := jMe.XSnapdOrigin()
+	if iOrigin == "overname" && iOrigin != jOrigin {
+		// should ith element be created by 'overname' mapping, it is
+		// always sorted before jth element, if that one comes from
+		// layouts or content interface
+		return true
+	}
 
-func (c byMagicDir) Len() int      { return len(c) }
-func (c byMagicDir) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
-func (c byMagicDir) Less(i, j int) bool {
 	iDir := c[i].Dir
 	jDir := c[j].Dir
 	if !strings.HasSuffix(iDir, "/") {
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/sorting_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/sorting_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/sorting_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/sorting_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -39,12 +39,34 @@
 		{Dir: "/a/b-1/3"},
 		{Dir: "/a/b/c"},
 	}
-	sort.Sort(byMagicDir(entries))
+	sort.Sort(byOriginAndMagicDir(entries))
 	// Entries sorted as if they had a trailing slash.
 	c.Assert(entries, DeepEquals, []osutil.MountEntry{
 		{Dir: "/a/b-1"},
 		{Dir: "/a/b-1/3"},
 		{Dir: "/a/b"},
+		{Dir: "/a/b/c"},
+	})
+}
+
+func (s *sortSuite) TestParallelInstancesAndSimple(c *C) {
+	// Naively sorted entries.
+	entries := []osutil.MountEntry{
+		{Dir: "/a/b"},
+		{Dir: "/a/b-1"},
+		{Dir: "/snap/bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/a/b-1/3"},
+		{Dir: "/foo/bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/a/b/c"},
+	}
+	sort.Sort(byOriginAndMagicDir(entries))
+	// Entries sorted as if they had a trailing slash.
+	c.Assert(entries, DeepEquals, []osutil.MountEntry{
+		{Dir: "/foo/bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/snap/bar", Options: []string{osutil.XSnapdOriginOvername()}},
+		{Dir: "/a/b-1"},
+		{Dir: "/a/b-1/3"},
+		{Dir: "/a/b"},
 		{Dir: "/a/b/c"},
 	})
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/trespassing.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/trespassing.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/trespassing.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/trespassing.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,255 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	"github.com/snapcore/snapd/logger"
+)
+
+// Assumptions track the assumptions about the state of the filesystem.
+//
+// Assumptions constitute the global part of the write restriction management.
+// Assumptions are global in the sense that they span multiple distinct write
+// operations. In contrast, Restrictions track per-operation state.
+type Assumptions struct {
+	unrestrictedPaths []string
+	pastChanges       []*Change
+
+	// verifiedDevices represents the set of devices that are verified as a tmpfs
+	// that was mounted by snapd. Those are only discovered on-demand. The
+	// major:minor number is packed into one uint64 as in syscall.Stat_t.Dev
+	// field.
+	verifiedDevices map[uint64]bool
+}
+
+// AddUnrestrictedPaths adds a list of directories where writing is allowed
+// even if it would hit the real host filesystem (or transit through the host
+// filesystem). This is intended to be used with certain well-known locations
+// such as /tmp, $SNAP_DATA and $SNAP.
+func (as *Assumptions) AddUnrestrictedPaths(paths ...string) {
+	as.unrestrictedPaths = append(as.unrestrictedPaths, paths...)
+}
+
+// isRestricted checks whether a path falls under restricted writing scheme.
+//
+// Provided path is the full, absolute path of the entity that needs to be
+// created (directory, file or symbolic link).
+func (as *Assumptions) isRestricted(path string) bool {
+	// Anything rooted at one of the unrestricted paths is not restricted.
+	// Those are for things like /var/snap/, for example.
+	for _, p := range as.unrestrictedPaths {
+		if p == "/" || p == path || strings.HasPrefix(path, filepath.Clean(p)+"/") {
+			return false
+		}
+
+	}
+	// All other paths are restricted
+	return true
+}
+
+// MockUnrestrictedPaths replaces the set of path paths without any restrictions.
+func (as *Assumptions) MockUnrestrictedPaths(paths ...string) (restore func()) {
+	old := as.unrestrictedPaths
+	as.unrestrictedPaths = paths
+	return func() {
+		as.unrestrictedPaths = old
+	}
+}
+
+// AddChange records the fact that a change was applied to the system.
+func (as *Assumptions) AddChange(change *Change) {
+	as.pastChanges = append(as.pastChanges, change)
+}
+
+// canWriteToDirectory returns true if writing to a given directory is allowed.
+//
+// Writing is allowed in one of thee cases:
+// 1) The directory is in one of the explicitly permitted locations.
+//    This is the strongest permission as it explicitly allows writing to
+//    places that may show up on the host, one of the examples being $SNAP_DATA.
+// 2) The directory is on a read-only filesystem.
+// 3) The directory is on a tmpfs created by snapd.
+func (as *Assumptions) canWriteToDirectory(dirFd int, dirName string) (bool, error) {
+	if !as.isRestricted(dirName) {
+		return true, nil
+	}
+	var fsData syscall.Statfs_t
+	if err := sysFstatfs(dirFd, &fsData); err != nil {
+		return false, fmt.Errorf("cannot fstatfs %q: %s", dirName, err)
+	}
+	var fileData syscall.Stat_t
+	if err := sysFstat(dirFd, &fileData); err != nil {
+		return false, fmt.Errorf("cannot fstat %q: %s", dirName, err)
+	}
+	// Writing to read only directories is allowed because EROFS is handled
+	// by each of the writing helpers already.
+	if ok := isReadOnly(dirName, &fsData); ok {
+		return true, nil
+	}
+	// Writing to a trusted tmpfs is allowed because those are not leaking to
+	// the host. Also, each time we find a good tmpfs we explicitly remember the device major/minor,
+	if as.verifiedDevices[fileData.Dev] {
+		return true, nil
+	}
+	if ok := isPrivateTmpfsCreatedBySnapd(dirName, &fsData, &fileData, as.pastChanges); ok {
+		if as.verifiedDevices == nil {
+			as.verifiedDevices = make(map[uint64]bool)
+		}
+		// Don't record 0:0 as those are all to easy to add in tests and would
+		// skew tests using zero-initialized structures. Real device numbers
+		// are not zero either so this is not a test-only conditional.
+		if fileData.Dev != 0 {
+			as.verifiedDevices[fileData.Dev] = true
+		}
+		return true, nil
+	}
+	// If writing is not not allowed by one of the three rules above then it is
+	// disallowed.
+	return false, nil
+}
+
+// RestrictionsFor computes restrictions for the desired path.
+func (as *Assumptions) RestrictionsFor(desiredPath string) *Restrictions {
+	// Writing to a restricted path results in step-by-step validation of each
+	// directory, starting from the root of the file system. Unless writing is
+	// allowed a mimic must be constructed to ensure that writes are not visible in
+	// undesired locations of the host filesystem.
+	if as.isRestricted(desiredPath) {
+		return &Restrictions{assumptions: as, desiredPath: desiredPath, restricted: true}
+	}
+	return nil
+}
+
+// Restrictions contains meta-data of a compound write operation.
+//
+// This structure helps functions that write to the filesystem to keep track of
+// the ultimate destination across several calls (e.g. the function that
+// creates a file needs to call helpers to create subsequent directories).
+// Keeping track of the desired path aids in constructing useful error
+// messages.
+//
+// In addition the structure keeps track of the restricted write mode flag which
+// is based on the full path of the desired object being constructed. This allows
+// various write helpers to avoid trespassing on host filesystem in places that
+// are not expected to be written to by snapd (e.g. outside of $SNAP_DATA).
+type Restrictions struct {
+	assumptions *Assumptions
+	desiredPath string
+	restricted  bool
+}
+
+// Check verifies whether writing to a directory would trespass on the host.
+//
+// The check is only performed in restricted mode. If the check fails a
+// TrespassingError is returned.
+func (rs *Restrictions) Check(dirFd int, dirName string) error {
+	if rs == nil || !rs.restricted {
+		return nil
+	}
+	// In restricted mode check the directory before attempting to write to it.
+	ok, err := rs.assumptions.canWriteToDirectory(dirFd, dirName)
+	if ok || err != nil {
+		return err
+	}
+	if dirName == "/" {
+		// If writing to / is not allowed then we are in a tough spot because
+		// we cannot construct a writable mimic over /. This should never
+		// happen in normal circumstances because the root filesystem is some
+		// kind of base snap.
+		return fmt.Errorf("cannot recover from trespassing over /")
+	}
+	logger.Debugf("trespassing violated %q while striving to %q", dirName, rs.desiredPath)
+	logger.Debugf("restricted mode: %#v", rs.restricted)
+	logger.Debugf("unrestricted paths: %q", rs.assumptions.unrestrictedPaths)
+	logger.Debugf("verified devices: %v", rs.assumptions.verifiedDevices)
+	logger.Debugf("past changes: %v", rs.assumptions.pastChanges)
+	return &TrespassingError{ViolatedPath: filepath.Clean(dirName), DesiredPath: rs.desiredPath}
+}
+
+// Lift lifts write restrictions for the desired path.
+//
+// This function should be called when, as subsequent components of a path are
+// either discovered or created, the conditions for using restricted mode are
+// no longer true.
+func (rs *Restrictions) Lift() {
+	if rs != nil {
+		rs.restricted = false
+	}
+}
+
+// TrespassingError is an error when filesystem operation would affect the host.
+type TrespassingError struct {
+	ViolatedPath string
+	DesiredPath  string
+}
+
+// Error returns a formatted error message.
+func (e *TrespassingError) Error() string {
+	return fmt.Sprintf("cannot write to %q because it would affect the host in %q", e.DesiredPath, e.ViolatedPath)
+}
+
+// isReadOnly checks whether the underlying filesystem is read only or is mounted as such.
+func isReadOnly(dirName string, fsData *syscall.Statfs_t) bool {
+	// If something is mounted with f_flags & ST_RDONLY then is read-only.
+	if fsData.Flags&StReadOnly == StReadOnly {
+		return true
+	}
+	// If something is a known read-only file-system then it is safe.
+	// Older copies of snapd were not mounting squashfs as read only.
+	if fsData.Type == SquashfsMagic {
+		return true
+	}
+	return false
+}
+
+// isPrivateTmpfsCreatedBySnapd checks whether a directory resides on a tmpfs mounted by snapd
+//
+// The function inspects the directory and a list of changes that were applied
+// to the mount namespace. A directory is trusted if it is a tmpfs that was
+// mounted by snap-confine or snapd-update-ns. Note that sub-directories of a
+// trusted tmpfs are not considered trusted by this function.
+func isPrivateTmpfsCreatedBySnapd(dirName string, fsData *syscall.Statfs_t, fileData *syscall.Stat_t, changes []*Change) bool {
+	// If something is not a tmpfs it cannot be the trusted tmpfs we are looking for.
+	if fsData.Type != TmpfsMagic {
+		return false
+	}
+	// Any of the past changes that mounted a tmpfs exactly at the directory we
+	// are inspecting is considered as trusted. This is conservative because it
+	// doesn't trust sub-directories of a trusted tmpfs. This approach is
+	// sufficient for the intended use.
+	//
+	// The algorithm goes over all the changes in reverse and picks up the
+	// first tmpfs mount or unmount action that matches the directory name.
+	// The set of constraints in snap-update-ns and snapd prevent from mounting
+	// over an existing mount point so we don't need to consider e.g. a bind
+	// mount shadowing an active tmpfs.
+	for i := len(changes) - 1; i >= 0; i-- {
+		change := changes[i]
+		if change.Entry.Type == "tmpfs" && change.Entry.Dir == dirName {
+			return change.Action == Mount
+		}
+	}
+	return false
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/trespassing_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/trespassing_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/trespassing_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/trespassing_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,428 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	"syscall"
+
+	. "gopkg.in/check.v1"
+
+	update "github.com/snapcore/snapd/cmd/snap-update-ns"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type trespassingSuite struct {
+	testutil.BaseTest
+	sys *testutil.SyscallRecorder
+}
+
+var _ = Suite(&trespassingSuite{})
+
+func (s *trespassingSuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+	s.sys = &testutil.SyscallRecorder{}
+	s.BaseTest.AddCleanup(update.MockSystemCalls(s.sys))
+}
+
+func (s *trespassingSuite) TearDownTest(c *C) {
+	s.BaseTest.TearDownTest(c)
+	s.sys.CheckForStrayDescriptors(c)
+}
+
+// AddUnrestrictedPaths and IsRestricted
+
+func (s *trespassingSuite) TestAddUnrestrictedPaths(c *C) {
+	a := &update.Assumptions{}
+	c.Assert(a.IsRestricted("/etc/test.conf"), Equals, true)
+
+	a.AddUnrestrictedPaths("/etc")
+	c.Assert(a.IsRestricted("/etc/test.conf"), Equals, false)
+	c.Assert(a.IsRestricted("/etc/"), Equals, false)
+	c.Assert(a.IsRestricted("/etc"), Equals, false)
+	c.Assert(a.IsRestricted("/etc2"), Equals, true)
+
+	a.AddUnrestrictedPaths("/")
+	c.Assert(a.IsRestricted("/foo"), Equals, false)
+
+}
+
+func (s *trespassingSuite) TestMockUnrestrictedPaths(c *C) {
+	a := &update.Assumptions{}
+	c.Assert(a.IsRestricted("/etc/test.conf"), Equals, true)
+	restore := a.MockUnrestrictedPaths("/etc/")
+	c.Assert(a.IsRestricted("/etc/test.conf"), Equals, false)
+	restore()
+	c.Assert(a.IsRestricted("/etc/test.conf"), Equals, true)
+}
+
+// canWriteToDirectory and AddChange
+
+// We are not allowed to write to ext4.
+func (s *trespassingSuite) TestCanWriteToDirectoryWritableExt4(c *C) {
+	a := &update.Assumptions{}
+
+	path := "/etc"
+	fd, err := s.sys.Open(path, syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+
+	ok, err := a.CanWriteToDirectory(fd, path)
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, false)
+}
+
+// We are allowed to write to ext4 that was mounted read-only.
+func (s *trespassingSuite) TestCanWriteToDirectoryReadOnlyExt4(c *C) {
+	a := &update.Assumptions{}
+
+	path := "/etc"
+	fd, err := s.sys.Open(path, syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic, Flags: update.StReadOnly})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+
+	ok, err := a.CanWriteToDirectory(fd, path)
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, true)
+}
+
+// We are not allowed to write to tmpfs.
+func (s *trespassingSuite) TestCanWriteToDirectoryTmpfs(c *C) {
+	a := &update.Assumptions{}
+
+	path := "/etc"
+	fd, err := s.sys.Open(path, syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+
+	ok, err := a.CanWriteToDirectory(fd, path)
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, false)
+}
+
+// We are allowed to write to tmpfs that was mounted by snapd.
+func (s *trespassingSuite) TestCanWriteToDirectoryTmpfsMountedBySnapd(c *C) {
+	a := &update.Assumptions{}
+
+	path := "/etc"
+	fd, err := s.sys.Open(path, syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+
+	a.AddChange(&update.Change{
+		Action: update.Mount,
+		Entry:  osutil.MountEntry{Type: "tmpfs", Dir: path}})
+
+	ok, err := a.CanWriteToDirectory(fd, path)
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, true)
+}
+
+// We are allowed to write to directory beneath a tmpfs that was mounted by snapd.
+func (s *trespassingSuite) TestCanWriteToDirectoryUnderTmpfsMountedBySnapd(c *C) {
+	a := &update.Assumptions{}
+
+	fd, err := s.sys.Open("/etc", syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{Dev: 0x42})
+
+	a.AddChange(&update.Change{
+		Action: update.Mount,
+		Entry:  osutil.MountEntry{Type: "tmpfs", Dir: "/etc"}})
+
+	ok, err := a.CanWriteToDirectory(fd, "/etc")
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, true)
+
+	// Now we have primed the assumption state with knowledge of 0x42 device as
+	// a verified tmpfs.  We can now exploit it by trying to write to
+	// /etc/conf.d and seeing that is allowed even though /etc/conf.d itself is
+	// not a mount point representing tmpfs.
+
+	fd2, err := s.sys.Open("/etc/conf.d", syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd2)
+
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Dev: 0x42})
+
+	ok, err = a.CanWriteToDirectory(fd2, "/etc/conf.d")
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, true)
+}
+
+// We are allowed to write to directory which is a bind mount of something, beneath a tmpfs that was mounted by snapd.
+func (s *trespassingSuite) TestCanWriteToDirectoryUnderReboundTmpfsMountedBySnapd(c *C) {
+	a := &update.Assumptions{}
+
+	fd, err := s.sys.Open("/etc", syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	c.Assert(fd, Equals, 3)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{Dev: 0x42})
+
+	a.AddChange(&update.Change{
+		Action: update.Mount,
+		Entry:  osutil.MountEntry{Type: "tmpfs", Dir: "/etc"}})
+
+	ok, err := a.CanWriteToDirectory(fd, "/etc")
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, true)
+
+	// Now we have primed the assumption state with knowledge of 0x42 device as
+	// a verified tmpfs. Unlike in the test above though the directory
+	// /etc/conf.d is a bind mount from another tmpfs that we know nothing
+	// about.
+	fd2, err := s.sys.Open("/etc/conf.d", syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	c.Assert(fd2, Equals, 4)
+	defer s.sys.Close(fd2)
+
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{Dev: 0xdeadbeef})
+
+	ok, err = a.CanWriteToDirectory(fd2, "/etc/conf.d")
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, false)
+}
+
+// We are allowed to write to an unrestricted path.
+func (s *trespassingSuite) TestCanWriteToDirectoryUnrestricted(c *C) {
+	a := &update.Assumptions{}
+
+	path := "/var/snap/foo/common"
+	fd, err := s.sys.Open(path, syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+
+	a.AddUnrestrictedPaths(path)
+
+	ok, err := a.CanWriteToDirectory(fd, path)
+	c.Assert(err, IsNil)
+	c.Assert(ok, Equals, true)
+}
+
+// Errors from fstatfs are propagated to the caller.
+func (s *trespassingSuite) TestCanWriteToDirectoryErrorsFstatfs(c *C) {
+	a := &update.Assumptions{}
+
+	path := "/etc"
+	fd, err := s.sys.Open(path, syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFault(`fstatfs 3 <ptr>`, errTesting)
+
+	ok, err := a.CanWriteToDirectory(fd, path)
+	c.Assert(err, ErrorMatches, `cannot fstatfs "/etc": testing`)
+	c.Assert(ok, Equals, false)
+}
+
+// Errors from fstat are propagated to the caller.
+func (s *trespassingSuite) TestCanWriteToDirectoryErrorsFstat(c *C) {
+	a := &update.Assumptions{}
+
+	path := "/etc"
+	fd, err := s.sys.Open(path, syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{})
+	s.sys.InsertFault(`fstat 3 <ptr>`, errTesting)
+
+	ok, err := a.CanWriteToDirectory(fd, path)
+	c.Assert(err, ErrorMatches, `cannot fstat "/etc": testing`)
+	c.Assert(ok, Equals, false)
+}
+
+// RestrictionsFor, Check and LiftRestrictions
+
+func (s *trespassingSuite) TestRestrictionsForEtc(c *C) {
+	a := &update.Assumptions{}
+
+	// There are restrictions for writing in /etc.
+	rs := a.RestrictionsFor("/etc/test.conf")
+	c.Assert(rs, NotNil)
+
+	fd, err := s.sys.Open("/etc", syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+
+	// Check reports trespassing error, restrictions may be lifted though.
+	err = rs.Check(fd, "/etc")
+	c.Assert(err, ErrorMatches, `cannot write to "/etc/test.conf" because it would affect the host in "/etc"`)
+	c.Assert(err.(*update.TrespassingError).ViolatedPath, Equals, "/etc")
+	c.Assert(err.(*update.TrespassingError).DesiredPath, Equals, "/etc/test.conf")
+
+	rs.Lift()
+	c.Assert(rs.Check(fd, "/etc"), IsNil)
+}
+
+// Check returns errors from lower layers.
+func (s *trespassingSuite) TestRestrictionsForErrors(c *C) {
+	a := &update.Assumptions{}
+
+	rs := a.RestrictionsFor("/etc/test.conf")
+	c.Assert(rs, NotNil)
+
+	fd, err := s.sys.Open("/etc", syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+	s.sys.InsertFault(`fstatfs 3 <ptr>`, errTesting)
+
+	err = rs.Check(fd, "/etc")
+	c.Assert(err, ErrorMatches, `cannot fstatfs "/etc": testing`)
+}
+
+func (s *trespassingSuite) TestRestrictionsForVarSnap(c *C) {
+	a := &update.Assumptions{}
+	a.AddUnrestrictedPaths("/var/snap")
+
+	// There are no restrictions in $SNAP_COMMON.
+	rs := a.RestrictionsFor("/var/snap/foo/common/test.conf")
+	c.Assert(rs, IsNil)
+
+	// Nil restrictions have working Check and Lift methods.
+	c.Assert(rs.Check(3, "unused"), IsNil)
+	rs.Lift()
+}
+
+func (s *trespassingSuite) TestRestrictionsForRootfsEntries(c *C) {
+	a := &update.Assumptions{}
+
+	// The root directory is special, it's not a trespassing error we can
+	// recover from because we cannot construct a writable mimic for the root
+	// directory today.
+	rs := a.RestrictionsFor("/foo.conf")
+
+	fd, err := s.sys.Open("/", syscall.O_DIRECTORY, 0)
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+
+	// Nil restrictions have working Check and Lift methods.
+	c.Assert(rs.Check(fd, "/"), ErrorMatches, `cannot recover from trespassing over /`)
+}
+
+// isReadOnly
+
+func (s *trespassingSuite) TestIsReadOnlySquashfsMountedRo(c *C) {
+	path := "/some/path"
+	statfs := &syscall.Statfs_t{Type: update.SquashfsMagic, Flags: update.StReadOnly}
+	result := update.IsReadOnly(path, statfs)
+	c.Assert(result, Equals, true)
+}
+
+func (s *trespassingSuite) TestIsReadOnlySquashfsMountedRw(c *C) {
+	path := "/some/path"
+	statfs := &syscall.Statfs_t{Type: update.SquashfsMagic}
+	result := update.IsReadOnly(path, statfs)
+	c.Assert(result, Equals, true)
+}
+
+func (s *trespassingSuite) TestIsReadOnlyExt4MountedRw(c *C) {
+	path := "/some/path"
+	statfs := &syscall.Statfs_t{Type: update.Ext4Magic}
+	result := update.IsReadOnly(path, statfs)
+	c.Assert(result, Equals, false)
+}
+
+// isSnapdCreatedPrivateTmpfs
+
+func (s *trespassingSuite) TestIsPrivateTmpfsCreatedBySnapdNotATmpfs(c *C) {
+	path := "/some/path"
+	// An ext4 (which is not a tmpfs) is not a private tmpfs.
+	statfs := &syscall.Statfs_t{Type: update.Ext4Magic}
+	stat := &syscall.Stat_t{}
+	result := update.IsPrivateTmpfsCreatedBySnapd(path, statfs, stat, nil)
+	c.Assert(result, Equals, false)
+}
+
+func (s *trespassingSuite) TestIsPrivateTmpfsCreatedBySnapdNotTrusted(c *C) {
+	path := "/some/path"
+	// A tmpfs is not private if it doesn't come from a change we made.
+	statfs := &syscall.Statfs_t{Type: update.TmpfsMagic}
+	stat := &syscall.Stat_t{}
+	result := update.IsPrivateTmpfsCreatedBySnapd(path, statfs, stat, nil)
+	c.Assert(result, Equals, false)
+}
+
+func (s *trespassingSuite) TestIsPrivateTmpfsCreatedBySnapdViaChanges(c *C) {
+	path := "/some/path"
+	// A tmpfs is private because it was mounted by snap-update-ns.
+	statfs := &syscall.Statfs_t{Type: update.TmpfsMagic}
+	stat := &syscall.Stat_t{}
+
+	// A tmpfs was mounted in the past so it is private.
+	result := update.IsPrivateTmpfsCreatedBySnapd(path, statfs, stat, []*update.Change{
+		{Action: update.Mount, Entry: osutil.MountEntry{Name: "tmpfs", Dir: path, Type: "tmpfs"}},
+	})
+	c.Assert(result, Equals, true)
+
+	// A tmpfs was mounted but then it was unmounted so it is not private anymore.
+	result = update.IsPrivateTmpfsCreatedBySnapd(path, statfs, stat, []*update.Change{
+		{Action: update.Mount, Entry: osutil.MountEntry{Name: "tmpfs", Dir: path, Type: "tmpfs"}},
+		{Action: update.Unmount, Entry: osutil.MountEntry{Name: "tmpfs", Dir: path, Type: "tmpfs"}},
+	})
+	c.Assert(result, Equals, false)
+
+	// Finally, after the mounting and unmounting the tmpfs was mounted again.
+	result = update.IsPrivateTmpfsCreatedBySnapd(path, statfs, stat, []*update.Change{
+		{Action: update.Mount, Entry: osutil.MountEntry{Name: "tmpfs", Dir: path, Type: "tmpfs"}},
+		{Action: update.Unmount, Entry: osutil.MountEntry{Name: "tmpfs", Dir: path, Type: "tmpfs"}},
+		{Action: update.Mount, Entry: osutil.MountEntry{Name: "tmpfs", Dir: path, Type: "tmpfs"}},
+	})
+	c.Assert(result, Equals, true)
+}
+
+func (s *trespassingSuite) TestIsPrivateTmpfsCreatedBySnapdDeeper(c *C) {
+	path := "/some/path/below"
+	// A tmpfs is not private beyond the exact mount point from a change.
+	// That is, sub-directories of a private tmpfs are not recognized as private.
+	statfs := &syscall.Statfs_t{Type: update.TmpfsMagic}
+	stat := &syscall.Stat_t{}
+	result := update.IsPrivateTmpfsCreatedBySnapd(path, statfs, stat, []*update.Change{
+		{Action: update.Mount, Entry: osutil.MountEntry{Name: "tmpfs", Dir: "/some/path", Type: "tmpfs"}},
+	})
+	c.Assert(result, Equals, false)
+}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/utils.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/utils.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/utils.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/utils.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,11 +30,20 @@
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/osutil/sys"
+	"github.com/snapcore/snapd/strutil"
 )
 
 // not available through syscall
 const (
 	umountNoFollow = 8
+	// StReadOnly is the equivalent of ST_RDONLY
+	StReadOnly = 1
+	// SquashfsMagic is the equivalent of SQUASHFS_MAGIC
+	SquashfsMagic = 0x73717368
+	// Ext4Magic is the equivalent of EXT4_SUPER_MAGIC
+	Ext4Magic = 0xef53
+	// TmpfsMagic is the equivalent of TMPFS_MAGIC
+	TmpfsMagic = 0x01021994
 )
 
 // For mocking everything during testing.
@@ -51,8 +60,11 @@
 	sysUnmount    = syscall.Unmount
 	sysFchown     = sys.Fchown
 	sysFstat      = syscall.Fstat
+	sysFstatfs    = syscall.Fstatfs
 	sysSymlinkat  = osutil.Symlinkat
 	sysReadlinkat = osutil.Readlinkat
+	sysFchdir     = syscall.Fchdir
+	sysLstat      = syscall.Lstat
 
 	ioutilReadDir = ioutil.ReadDir
 )
@@ -66,61 +78,108 @@
 	return fmt.Sprintf("cannot operate on read-only filesystem at %s", e.Path)
 }
 
-// Create directories for all but the last segments and return the file
-// descriptor to the leaf directory. This function is a base for secure
-// variants of mkdir, touch and symlink.
-func secureMkPrefix(segments []string, perm os.FileMode, uid sys.UserID, gid sys.GroupID) (int, error) {
-	logger.Debugf("secure-mk-prefix %q %v %d %d -> ...", segments, perm, uid, gid)
-
-	// Declare var and don't assign-declare below to ensure we don't swallow
-	// any errors by mistake.
-	var err error
-	var fd int
+// OpenPath creates a path file descriptor for the given
+// path, making sure no components are symbolic links.
+//
+// The file descriptor is opened using the O_PATH, O_NOFOLLOW,
+// and O_CLOEXEC flags.
+func OpenPath(path string) (int, error) {
+	iter, err := strutil.NewPathIterator(path)
+	if err != nil {
+		return -1, fmt.Errorf("cannot open path: %s", err)
+	}
+	if !filepath.IsAbs(iter.Path()) {
+		return -1, fmt.Errorf("path %v is not absolute", iter.Path())
+	}
+	iter.Next() // Advance iterator to '/'
+	// We use the following flags to open:
+	//  O_PATH: we don't intend to use the fd for IO
+	//  O_NOFOLLOW: don't follow symlinks
+	//  O_DIRECTORY: we expect to find directories (except for the leaf)
+	//  O_CLOEXEC: don't leak file descriptors over exec() boundaries
+	openFlags := sys.O_PATH | syscall.O_NOFOLLOW | syscall.O_DIRECTORY | syscall.O_CLOEXEC
+	fd, err := sysOpen("/", openFlags, 0)
+	if err != nil {
+		return -1, err
+	}
+	for iter.Next() {
+		// Ensure the parent file descriptor is closed
+		defer sysClose(fd)
+		if !strings.HasSuffix(iter.CurrentName(), "/") {
+			openFlags &^= syscall.O_DIRECTORY
+		}
+		fd, err = sysOpenat(fd, iter.CurrentCleanName(), openFlags, 0)
+		if err != nil {
+			return -1, err
+		}
+	}
 
-	const openFlags = syscall.O_NOFOLLOW | syscall.O_CLOEXEC | syscall.O_DIRECTORY
+	var statBuf syscall.Stat_t
+	err = sysFstat(fd, &statBuf)
+	if err != nil {
+		sysClose(fd)
+		return -1, err
+	}
+	if statBuf.Mode&syscall.S_IFMT == syscall.S_IFLNK {
+		sysClose(fd)
+		return -1, fmt.Errorf("%q is a symbolic link", path)
+	}
+	return fd, nil
+}
+
+// MkPrefix creates all the missing directories in a given base path and
+// returns the file descriptor to the leaf directory as well as the restricted
+// flag. This function is a base for secure variants of mkdir, touch and
+// symlink. None of the traversed directories can be symbolic links.
+func MkPrefix(base string, perm os.FileMode, uid sys.UserID, gid sys.GroupID, rs *Restrictions) (int, error) {
+	iter, err := strutil.NewPathIterator(base)
+	if err != nil {
+		// TODO: Reword the error and adjust the tests.
+		return -1, fmt.Errorf("cannot split unclean path %q", base)
+	}
+	if !filepath.IsAbs(iter.Path()) {
+		return -1, fmt.Errorf("path %v is not absolute", iter.Path())
+	}
+	iter.Next() // Advance iterator to '/'
 
+	const openFlags = syscall.O_NOFOLLOW | syscall.O_CLOEXEC | syscall.O_DIRECTORY
 	// Open the root directory and start there.
-	fd, err = sysOpen("/", openFlags, 0)
+	//
+	// We don't have to check for possible trespassing on / here because we are
+	// going to check for it in sec.MkDir call below which verifies that
+	// trespassing restrictions are not violated.
+	fd, err := sysOpen("/", openFlags, 0)
 	if err != nil {
 		return -1, fmt.Errorf("cannot open root directory: %v", err)
 	}
-	if len(segments) > 1 {
+	for iter.Next() {
+		// Keep closing the previous descriptor as we go, so that we have the
+		// last one handy from the MkDir below.
 		defer sysClose(fd)
-	}
-
-	if len(segments) > 0 {
-		// Process all but the last segment.
-		for i := range segments[:len(segments)-1] {
-			fd, err = secureMkDir(fd, segments, i, perm, uid, gid)
-			if err != nil {
-				return -1, err
-			}
-			// Keep the final FD open (caller needs to close it).
-			if i < len(segments)-2 {
-				defer sysClose(fd)
-			}
+		fd, err = MkDir(fd, iter.CurrentBase(), iter.CurrentCleanName(), perm, uid, gid, rs)
+		if err != nil {
+			return -1, err
 		}
 	}
 
-	logger.Debugf("secure-mk-prefix %q %v %d %d -> %d", segments, perm, uid, gid, fd)
 	return fd, nil
 }
 
-// secureMkDir creates a directory at i-th entry of absolute path represented
-// by segments. This function can be used to construct subsequent elements of
-// the constructed path. The return value contains the newly created file
-// descriptor or -1 on error.
-func secureMkDir(fd int, segments []string, i int, perm os.FileMode, uid sys.UserID, gid sys.GroupID) (int, error) {
-	logger.Debugf("secure-mk-dir %d %q %d %v %d %d -> ...", fd, segments, i, perm, uid, gid)
+// MkDir creates a directory with a given name.
+//
+// The directory is represented with a file descriptor and its name (for
+// convenience). This function is meant to be used to construct subsequent
+// elements of some path. The return value contains the newly created file
+// descriptor for the new directory or -1 on error.
+func MkDir(dirFd int, dirName string, name string, perm os.FileMode, uid sys.UserID, gid sys.GroupID, rs *Restrictions) (int, error) {
+	if err := rs.Check(dirFd, dirName); err != nil {
+		return -1, err
+	}
 
-	segment := segments[i]
 	made := true
-	var err error
-	var newFd int
-
 	const openFlags = syscall.O_NOFOLLOW | syscall.O_CLOEXEC | syscall.O_DIRECTORY
 
-	if err = sysMkdirat(fd, segment, uint32(perm.Perm())); err != nil {
+	if err := sysMkdirat(dirFd, name, uint32(perm.Perm())); err != nil {
 		switch err {
 		case syscall.EEXIST:
 			made = false
@@ -128,16 +187,14 @@
 			// Treat EROFS specially: this is a hint that we have to poke a
 			// hole using tmpfs. The path below is the location where we
 			// need to poke the hole.
-			p := "/" + strings.Join(segments[:i], "/")
-			return -1, &ReadOnlyFsError{Path: p}
+			return -1, &ReadOnlyFsError{Path: dirName}
 		default:
-			return -1, fmt.Errorf("cannot mkdir path segment %q: %v", segment, err)
+			return -1, fmt.Errorf("cannot create directory %q: %v", filepath.Join(dirName, name), err)
 		}
 	}
-	newFd, err = sysOpenat(fd, segment, openFlags, 0)
+	newFd, err := sysOpenat(dirFd, name, openFlags, 0)
 	if err != nil {
-		return -1, fmt.Errorf("cannot open path segment %q (got up to %q): %v", segment,
-			"/"+strings.Join(segments[:i], "/"), err)
+		return -1, fmt.Errorf("cannot open directory %q: %v", filepath.Join(dirName, name), err)
 	}
 	if made {
 		// Chown each segment that we made.
@@ -145,25 +202,34 @@
 			// Close the FD we opened if we fail here since the caller will get
 			// an error and won't assume responsibility for the FD.
 			sysClose(newFd)
-			return -1, fmt.Errorf("cannot chown path segment %q to %d.%d (got up to %q): %v", segment, uid, gid,
-				"/"+strings.Join(segments[:i], "/"), err)
+			return -1, fmt.Errorf("cannot chown directory %q to %d.%d: %v", filepath.Join(dirName, name), uid, gid, err)
 		}
+		// As soon as we find a place that is safe to write we can switch off
+		// the restricted mode (and thus any subsequent checks). This is
+		// because we only allow "writing" to read-only filesystems where
+		// writes fail with EROFS or to a tmpfs that snapd has privately
+		// mounted inside the per-snap mount namespace. As soon as we start
+		// walking over such tmpfs any subsequent children are either read-
+		// only bind mounts from $SNAP, other tmpfs'es  (e.g. one explicitly
+		// constructed for a layout) or writable places that are bind-mounted
+		// from $SNAP_DATA or similar.
+		rs.Lift()
 	}
-	logger.Debugf("secure-mk-dir %d %q %d %v %d %d -> %d", fd, segments, i, perm, uid, gid, newFd)
 	return newFd, err
 }
 
-// secureMkFile creates a file at i-th entry of absolute path represented by
-// segments. This function is meant to be used to create the leaf file as a
-// preparation for a mount point. Existing files are reused without errors.
+// MkFile creates a file with a given name.
+//
+// The directory is represented with a file descriptor and its name (for
+// convenience). This function is meant to be used to create the leaf file as
+// a preparation for a mount point. Existing files are reused without errors.
 // Newly created files have the specified mode and ownership.
-func secureMkFile(fd int, segments []string, i int, perm os.FileMode, uid sys.UserID, gid sys.GroupID) error {
-	logger.Debugf("secure-mk-file %d %q %d %v %d %d", fd, segments, i, perm, uid, gid)
-	segment := segments[i]
-	made := true
-	var newFd int
-	var err error
+func MkFile(dirFd int, dirName string, name string, perm os.FileMode, uid sys.UserID, gid sys.GroupID, rs *Restrictions) error {
+	if err := rs.Check(dirFd, dirName); err != nil {
+		return err
+	}
 
+	made := true
 	// NOTE: Tests don't show O_RDONLY as has a value of 0 and is not
 	// translated to textual form. It is added here for explicitness.
 	const openFlags = syscall.O_NOFOLLOW | syscall.O_CLOEXEC | syscall.O_RDONLY
@@ -172,24 +238,23 @@
 	// we know if we need to chown it) but fall back to just opening an
 	// existing one.
 
-	newFd, err = sysOpenat(fd, segment, openFlags|syscall.O_CREAT|syscall.O_EXCL, uint32(perm.Perm()))
+	newFd, err := sysOpenat(dirFd, name, openFlags|syscall.O_CREAT|syscall.O_EXCL, uint32(perm.Perm()))
 	if err != nil {
 		switch err {
 		case syscall.EEXIST:
 			// If the file exists then just open it without O_CREAT and O_EXCL
-			newFd, err = sysOpenat(fd, segment, openFlags, 0)
+			newFd, err = sysOpenat(dirFd, name, openFlags, 0)
 			if err != nil {
-				return fmt.Errorf("cannot open file %q: %v", segment, err)
+				return fmt.Errorf("cannot open file %q: %v", filepath.Join(dirName, name), err)
 			}
 			made = false
 		case syscall.EROFS:
 			// Treat EROFS specially: this is a hint that we have to poke a
 			// hole using tmpfs. The path below is the location where we
 			// need to poke the hole.
-			p := "/" + strings.Join(segments[:i], "/")
-			return &ReadOnlyFsError{Path: p}
+			return &ReadOnlyFsError{Path: dirName}
 		default:
-			return fmt.Errorf("cannot open file %q: %v", segment, err)
+			return fmt.Errorf("cannot open file %q: %v", filepath.Join(dirName, name), err)
 		}
 	}
 	defer sysClose(newFd)
@@ -197,78 +262,67 @@
 	if made {
 		// Chown the file if we made it.
 		if err := sysFchown(newFd, uid, gid); err != nil {
-			return fmt.Errorf("cannot chown file %q to %d.%d: %v", segment, uid, gid, err)
+			return fmt.Errorf("cannot chown file %q to %d.%d: %v", filepath.Join(dirName, name), uid, gid, err)
 		}
 	}
 
 	return nil
 }
 
-// secureMkSymlink creates a symlink at i-th entry of absolute path represented by
-// segments. This function is meant to be used to create the leaf symlink.
+// MkSymlink creates a symlink with a given name.
+//
+// The directory is represented with a file descriptor and its name (for
+// convenience). This function is meant to be used to create the leaf symlink.
 // Existing and identical symlinks are reused without errors.
-func secureMkSymlink(fd int, segments []string, i int, oldname string) error {
-	logger.Debugf("secure-mk-symlink %d %q %d %q", fd, segments, i, oldname)
-	segment := segments[i]
-	var err error
-
-	// Open the final path segment as a file. Try to create the file (so that
-	// we know if we need to chown it) but fall back to just opening an
-	// existing one.
+func MkSymlink(dirFd int, dirName string, name string, oldname string, rs *Restrictions) error {
+	if err := rs.Check(dirFd, dirName); err != nil {
+		return err
+	}
 
-	// TODO: don't write links outside of tmpfs or $SNAP_{,USER_}{DATA,COMMON}
-	err = sysSymlinkat(oldname, fd, segment)
-	if err != nil {
+	// Create the final path segment as a symlink.
+	if err := sysSymlinkat(oldname, dirFd, name); err != nil {
 		switch err {
 		case syscall.EEXIST:
 			var objFd int
 			// If the file exists then just open it for examination.
 			// Maybe it's the symlink we were hoping to create.
-			objFd, err = sysOpenat(fd, segment, syscall.O_CLOEXEC|sys.O_PATH|syscall.O_NOFOLLOW, 0)
+			objFd, err = sysOpenat(dirFd, name, syscall.O_CLOEXEC|sys.O_PATH|syscall.O_NOFOLLOW, 0)
 			if err != nil {
-				return fmt.Errorf("cannot open existing file %q: %v", segment, err)
+				return fmt.Errorf("cannot open existing file %q: %v", filepath.Join(dirName, name), err)
 			}
+			defer sysClose(objFd)
 			var statBuf syscall.Stat_t
 			err = sysFstat(objFd, &statBuf)
 			if err != nil {
-				return fmt.Errorf("cannot inspect existing file %q: %v", segment, err)
+				return fmt.Errorf("cannot inspect existing file %q: %v", filepath.Join(dirName, name), err)
 			}
-			if statBuf.Mode&syscall.S_IFLNK != syscall.S_IFLNK {
-				return fmt.Errorf("cannot create symbolic link %q: existing file in the way", segment)
+			if statBuf.Mode&syscall.S_IFMT != syscall.S_IFLNK {
+				return fmt.Errorf("cannot create symbolic link %q: existing file in the way", filepath.Join(dirName, name))
 			}
 			var n int
 			buf := make([]byte, len(oldname)+2)
 			n, err = sysReadlinkat(objFd, "", buf)
 			if err != nil {
-				return fmt.Errorf("cannot read symbolic link %q: %v", segment, err)
+				return fmt.Errorf("cannot read symbolic link %q: %v", filepath.Join(dirName, name), err)
 			}
 			if string(buf[:n]) != oldname {
-				return fmt.Errorf("cannot create symbolic link %q: existing symbolic link in the way", segment)
+				return fmt.Errorf("cannot create symbolic link %q: existing symbolic link in the way", filepath.Join(dirName, name))
 			}
 			return nil
 		case syscall.EROFS:
 			// Treat EROFS specially: this is a hint that we have to poke a
 			// hole using tmpfs. The path below is the location where we
 			// need to poke the hole.
-			p := "/" + strings.Join(segments[:i], "/")
-			return &ReadOnlyFsError{Path: p}
+			return &ReadOnlyFsError{Path: dirName}
 		default:
-			return fmt.Errorf("cannot create symlink %q: %v", segment, err)
+			return fmt.Errorf("cannot create symlink %q: %v", filepath.Join(dirName, name), err)
 		}
 	}
 
 	return nil
 }
 
-func splitIntoSegments(name string) ([]string, error) {
-	if name != filepath.Clean(name) {
-		return nil, fmt.Errorf("cannot split unclean path %q", name)
-	}
-	segments := strings.FieldsFunc(filepath.Clean(name), func(c rune) bool { return c == '/' })
-	return segments, nil
-}
-
-// secureMkdirAll is the secure variant of os.MkdirAll.
+// MkdirAll is the secure variant of os.MkdirAll.
 //
 // Unlike the regular version this implementation does not follow any symbolic
 // links. At all times the new directory segment is created using mkdirat(2)
@@ -280,107 +334,106 @@
 // The uid and gid are used for the fchown(2) system call which is performed
 // after each segment is created and opened. The special value -1 may be used
 // to request that ownership is not changed.
-func secureMkdirAll(name string, perm os.FileMode, uid sys.UserID, gid sys.GroupID) error {
-	logger.Debugf("secure-mkdir-all %q %v %d %d", name, perm, uid, gid)
-
+func MkdirAll(path string, perm os.FileMode, uid sys.UserID, gid sys.GroupID, rs *Restrictions) error {
+	if path != filepath.Clean(path) {
+		// TODO: Reword the error and adjust the tests.
+		return fmt.Errorf("cannot split unclean path %q", path)
+	}
 	// Only support absolute paths to avoid bugs in snap-confine when
 	// called from anywhere.
-	if !filepath.IsAbs(name) {
-		return fmt.Errorf("cannot create directory with relative path: %q", name)
-	}
-
-	// Split the path into segments.
-	segments, err := splitIntoSegments(name)
-	if err != nil {
-		return err
+	if !filepath.IsAbs(path) {
+		return fmt.Errorf("cannot create directory with relative path: %q", path)
 	}
+	base, name := filepath.Split(path)
+	base = filepath.Clean(base) // Needed to chomp the trailing slash.
 
 	// Create the prefix.
-	fd, err := secureMkPrefix(segments, perm, uid, gid)
+	dirFd, err := MkPrefix(base, perm, uid, gid, rs)
 	if err != nil {
 		return err
 	}
-	defer sysClose(fd)
+	defer sysClose(dirFd)
 
-	if len(segments) > 0 {
-		// Create the final segment as a directory.
-		fd, err = secureMkDir(fd, segments, len(segments)-1, perm, uid, gid)
+	if name != "" {
+		// Create the leaf as a directory.
+		leafFd, err := MkDir(dirFd, base, name, perm, uid, gid, rs)
 		if err != nil {
 			return err
 		}
-		defer sysClose(fd)
+		defer sysClose(leafFd)
 	}
 
 	return nil
 }
 
-// secureMkfileAll is a secure implementation of "mkdir -p $(dirname $1) && touch $1".
+// MkfileAll is a secure implementation of "mkdir -p $(dirname $1) && touch $1".
 //
-// This function is like secureMkdirAll but it creates an empty file instead of
+// This function is like MkdirAll but it creates an empty file instead of
 // a directory for the final path component. Each created directory component
 // is chowned to the desired user and group.
-func secureMkfileAll(name string, perm os.FileMode, uid sys.UserID, gid sys.GroupID) error {
-	logger.Debugf("secure-mkfile-all %q %q %d %d", name, perm, uid, gid)
-
+func MkfileAll(path string, perm os.FileMode, uid sys.UserID, gid sys.GroupID, rs *Restrictions) error {
+	if path != filepath.Clean(path) {
+		// TODO: Reword the error and adjust the tests.
+		return fmt.Errorf("cannot split unclean path %q", path)
+	}
 	// Only support absolute paths to avoid bugs in snap-confine when
 	// called from anywhere.
-	if !filepath.IsAbs(name) {
-		return fmt.Errorf("cannot create file with relative path: %q", name)
+	if !filepath.IsAbs(path) {
+		return fmt.Errorf("cannot create file with relative path: %q", path)
 	}
 	// Only support file names, not directory names.
-	if strings.HasSuffix(name, "/") {
-		return fmt.Errorf("cannot create non-file path: %q", name)
-	}
-
-	// Split the path into segments.
-	segments, err := splitIntoSegments(name)
-	if err != nil {
-		return err
+	if strings.HasSuffix(path, "/") {
+		return fmt.Errorf("cannot create non-file path: %q", path)
 	}
+	base, name := filepath.Split(path)
+	base = filepath.Clean(base) // Needed to chomp the trailing slash.
 
 	// Create the prefix.
-	fd, err := secureMkPrefix(segments, perm, uid, gid)
+	dirFd, err := MkPrefix(base, perm, uid, gid, rs)
 	if err != nil {
 		return err
 	}
-	defer sysClose(fd)
+	defer sysClose(dirFd)
 
-	if len(segments) > 0 {
-		// Create the final segment as a file.
-		err = secureMkFile(fd, segments, len(segments)-1, perm, uid, gid)
+	if name != "" {
+		// Create the leaf as a file.
+		err = MkFile(dirFd, base, name, perm, uid, gid, rs)
 	}
 	return err
 }
 
-func secureMksymlinkAll(name string, perm os.FileMode, uid sys.UserID, gid sys.GroupID, oldname string) error {
-	logger.Debugf("secure-mksymlink-all %q %q %d %d %q", name, perm, uid, gid, oldname)
-
+// MksymlinkAll is a secure implementation of "ln -s".
+func MksymlinkAll(path string, perm os.FileMode, uid sys.UserID, gid sys.GroupID, oldname string, rs *Restrictions) error {
+	if path != filepath.Clean(path) {
+		// TODO: Reword the error and adjust the tests.
+		return fmt.Errorf("cannot split unclean path %q", path)
+	}
 	// Only support absolute paths to avoid bugs in snap-confine when
 	// called from anywhere.
-	if !filepath.IsAbs(name) {
-		return fmt.Errorf("cannot create symlink with relative path: %q", name)
+	if !filepath.IsAbs(path) {
+		return fmt.Errorf("cannot create symlink with relative path: %q", path)
 	}
 	// Only support file names, not directory names.
-	if strings.HasSuffix(name, "/") {
-		return fmt.Errorf("cannot create non-file path: %q", name)
+	if strings.HasSuffix(path, "/") {
+		return fmt.Errorf("cannot create non-file path: %q", path)
 	}
-
-	// Split the path into segments.
-	segments, err := splitIntoSegments(name)
-	if err != nil {
-		return err
+	if oldname == "" {
+		return fmt.Errorf("cannot create symlink with empty target: %q", path)
 	}
 
+	base, name := filepath.Split(path)
+	base = filepath.Clean(base) // Needed to chomp the trailing slash.
+
 	// Create the prefix.
-	fd, err := secureMkPrefix(segments, perm, uid, gid)
+	dirFd, err := MkPrefix(base, perm, uid, gid, rs)
 	if err != nil {
 		return err
 	}
-	defer sysClose(fd)
+	defer sysClose(dirFd)
 
-	if len(segments) > 0 {
-		// Create the final segment as a symlink.
-		err = secureMkSymlink(fd, segments, len(segments)-1, oldname)
+	if name != "" {
+		// Create the leaf as a symlink.
+		err = MkSymlink(dirFd, base, name, oldname, rs)
 	}
 	return err
 }
@@ -405,13 +458,20 @@
 
 	var changes []*Change
 
+	// Stat the original directory to know which mode and ownership to
+	// replicate on top of the tmpfs we are about to create below.
+	var sb syscall.Stat_t
+	if err := sysLstat(dir, &sb); err != nil {
+		return nil, err
+	}
+
 	// Bind mount the original directory elsewhere for safe-keeping.
 	changes = append(changes, &Change{
 		Action: Mount, Entry: osutil.MountEntry{
 			// NOTE: Here we recursively bind because we realized that not
-			// doing so doesn't work work on core devices which use bind
-			// mounts extensively to construct writable spaces in /etc and
-			// /var and elsewhere.
+			// doing so doesn't work on core devices which use bind mounts
+			// extensively to construct writable spaces in /etc and /var and
+			// elsewhere.
 			//
 			// All directories present in the original are also recursively
 			// bind mounted back to their original location. To unmount this
@@ -424,11 +484,20 @@
 			// umount2(2) system call.
 			Name: dir, Dir: safeKeepingDir, Options: []string{"rbind"}},
 	})
+
 	// Mount tmpfs over the original directory, hiding its contents.
+	// The mounted tmpfs will mimic the mode and ownership of the original
+	// directory.
 	changes = append(changes, &Change{
 		Action: Mount, Entry: osutil.MountEntry{
 			Name: "tmpfs", Dir: dir, Type: "tmpfs",
-			Options: []string{"x-snapd.synthetic", fmt.Sprintf("x-snapd.needed-by=%s", neededBy)},
+			Options: []string{
+				osutil.XSnapdSynthetic(),
+				osutil.XSnapdNeededBy(neededBy),
+				fmt.Sprintf("mode=%#o", sb.Mode&07777),
+				fmt.Sprintf("uid=%d", sb.Uid),
+				fmt.Sprintf("gid=%d", sb.Gid),
+			},
 		},
 	})
 	// Iterate over the items in the original directory (nothing is mounted _yet_).
@@ -449,10 +518,10 @@
 		case m.IsDir():
 			ch.Entry.Options = []string{"rbind"}
 		case m.IsRegular():
-			ch.Entry.Options = []string{"bind", "x-snapd.kind=file"}
+			ch.Entry.Options = []string{"bind", osutil.XSnapdKindFile()}
 		case m&os.ModeSymlink != 0:
 			if target, err := osReadlink(filepath.Join(dir, fi.Name())); err == nil {
-				ch.Entry.Options = []string{"x-snapd.kind=symlink", fmt.Sprintf("x-snapd.symlink=%s", target)}
+				ch.Entry.Options = []string{osutil.XSnapdKindSymlink(), osutil.XSnapdSymlink(target)}
 			} else {
 				continue
 			}
@@ -460,13 +529,13 @@
 			logger.Noticef("skipping unsupported file %s", fi)
 			continue
 		}
-		ch.Entry.Options = append(ch.Entry.Options, "x-snapd.synthetic")
-		ch.Entry.Options = append(ch.Entry.Options, fmt.Sprintf("x-snapd.needed-by=%s", neededBy))
+		ch.Entry.Options = append(ch.Entry.Options, osutil.XSnapdSynthetic())
+		ch.Entry.Options = append(ch.Entry.Options, osutil.XSnapdNeededBy(neededBy))
 		changes = append(changes, ch)
 	}
 	// Finally unbind the safe-keeping directory as we don't need it anymore.
 	changes = append(changes, &Change{
-		Action: Unmount, Entry: osutil.MountEntry{Name: "none", Dir: safeKeepingDir, Options: []string{"x-snapd.detach"}},
+		Action: Unmount, Entry: osutil.MountEntry{Name: "none", Dir: safeKeepingDir, Options: []string{osutil.XSnapdDetach()}},
 	})
 	return changes, nil
 }
@@ -499,10 +568,10 @@
 // In the event of a failure the undo plan is executed and an error is
 // returned. If the undo plan fails the function returns a FatalError as it
 // cannot fix the system from an inconsistent state.
-func execWritableMimic(plan []*Change) ([]*Change, error) {
+func execWritableMimic(plan []*Change, as *Assumptions) ([]*Change, error) {
 	undoChanges := make([]*Change, 0, len(plan)-2)
 	for i, change := range plan {
-		if _, err := changePerform(change); err != nil {
+		if _, err := changePerform(change, as); err != nil {
 			// Drat, we failed! Let's undo everything according to our own undo
 			// plan, by following it in reverse order.
 
@@ -523,9 +592,9 @@
 				// for how to undo" so we need to flip the actions.
 				recoveryUndoChange.Action = Unmount
 				if recoveryUndoChange.Entry.OptBool("rbind") {
-					recoveryUndoChange.Entry.Options = append(recoveryUndoChange.Entry.Options, "x-snapd.detach")
+					recoveryUndoChange.Entry.Options = append(recoveryUndoChange.Entry.Options, osutil.XSnapdDetach())
 				}
-				if _, err2 := changePerform(recoveryUndoChange); err2 != nil {
+				if _, err2 := changePerform(recoveryUndoChange, as); err2 != nil {
 					// Drat, we failed when trying to recover from an error.
 					// We cannot do anything at this stage.
 					return nil, &FatalError{error: fmt.Errorf("cannot undo change %q while recovering from earlier error %v: %v", recoveryUndoChange, err, err2)}
@@ -539,7 +608,7 @@
 			// change is the safe-keeping unmount.
 			continue
 		}
-		if kind, _ := change.Entry.OptStr("x-snapd.kind"); kind == "symlink" {
+		if change.Entry.XSnapdKind() == "symlink" {
 			// Don't represent symlinks in the undo plan. They are removed when
 			// the tmpfs is unmounted.
 			continue
@@ -573,12 +642,12 @@
 	return undoChanges, nil
 }
 
-func createWritableMimic(dir, neededBy string) ([]*Change, error) {
+func createWritableMimic(dir, neededBy string, as *Assumptions) ([]*Change, error) {
 	plan, err := planWritableMimic(dir, neededBy)
 	if err != nil {
 		return nil, err
 	}
-	changes, err := execWritableMimic(plan)
+	changes, err := execWritableMimic(plan, as)
 	if err != nil {
 		return nil, err
 	}
diff -Nru snapd-2.32.3.2~14.04/cmd/snap-update-ns/utils_test.go snapd-2.37~rc1~14.04/cmd/snap-update-ns/utils_test.go
--- snapd-2.32.3.2~14.04/cmd/snap-update-ns/utils_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/snap-update-ns/utils_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"bytes"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"syscall"
@@ -39,6 +40,7 @@
 	testutil.BaseTest
 	sys *testutil.SyscallRecorder
 	log *bytes.Buffer
+	as  *update.Assumptions
 }
 
 var _ = Suite(&utilsSuite{})
@@ -50,90 +52,135 @@
 	buf, restore := logger.MockLogger()
 	s.BaseTest.AddCleanup(restore)
 	s.log = buf
+	s.as = &update.Assumptions{}
 }
 
 func (s *utilsSuite) TearDownTest(c *C) {
-	s.sys.CheckForStrayDescriptors(c)
 	s.BaseTest.TearDownTest(c)
+	s.sys.CheckForStrayDescriptors(c)
 }
 
 // secure-mkdir-all
 
 // Ensure that we reject unclean paths.
 func (s *utilsSuite) TestSecureMkdirAllUnclean(c *C) {
-	err := update.SecureMkdirAll("/unclean//path", 0755, 123, 456)
+	err := update.MkdirAll("/unclean//path", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, `cannot split unclean path .*`)
-	c.Assert(s.sys.Calls(), HasLen, 0)
+	c.Assert(s.sys.RCalls(), HasLen, 0)
 }
 
 // Ensure that we refuse to create a directory with an relative path.
 func (s *utilsSuite) TestSecureMkdirAllRelative(c *C) {
-	err := update.SecureMkdirAll("rel/path", 0755, 123, 456)
+	err := update.MkdirAll("rel/path", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, `cannot create directory with relative path: "rel/path"`)
-	c.Assert(s.sys.Calls(), HasLen, 0)
+	c.Assert(s.sys.RCalls(), HasLen, 0)
 }
 
 // Ensure that we can "create the root directory.
 func (s *utilsSuite) TestSecureMkdirAllLevel0(c *C) {
-	c.Assert(update.SecureMkdirAll("/", 0755, 123, 456), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`close 3`,
+	c.Assert(update.MkdirAll("/", 0755, 123, 456, nil), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `close 3`},
 	})
 }
 
 // Ensure that we can create a directory in the top-level directory.
 func (s *utilsSuite) TestSecureMkdirAllLevel1(c *C) {
-	os.Setenv("SNAPD_DEBUG", "1")
-	defer os.Unsetenv("SNAPD_DEBUG")
-	c.Assert(update.SecureMkdirAll("/path", 0755, 123, 456), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "path" 0755`,
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`fchown 4 123 456`,
-		`close 4`,
-		`close 3`,
+	c.Assert(update.MkdirAll("/path", 0755, 123, 456, nil), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "path" 0755`},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 123 456`},
+		{C: `close 4`},
+		{C: `close 3`},
 	})
-	c.Assert(s.log.String(), testutil.Contains, `secure-mk-dir 3 ["path"] 0 -rwxr-xr-x 123 456 -> ...`)
-	c.Assert(s.log.String(), testutil.Contains, `secure-mk-dir 3 ["path"] 0 -rwxr-xr-x 123 456 -> 4`)
 }
 
 // Ensure that we can create a directory two levels from the top-level directory.
 func (s *utilsSuite) TestSecureMkdirAllLevel2(c *C) {
-	c.Assert(update.SecureMkdirAll("/path/to", 0755, 123, 456), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "path" 0755`,
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`fchown 4 123 456`,
-		`close 3`,
-		`mkdirat 4 "to" 0755`,
-		`openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`fchown 3 123 456`,
-		`close 3`,
-		`close 4`,
+	c.Assert(update.MkdirAll("/path/to", 0755, 123, 456, nil), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "path" 0755`},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 123 456`},
+		{C: `close 3`},
+		{C: `mkdirat 4 "to" 0755`},
+		{C: `openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 123 456`},
+		{C: `close 3`},
+		{C: `close 4`},
 	})
 }
 
 // Ensure that we can create a directory three levels from the top-level directory.
 func (s *utilsSuite) TestSecureMkdirAllLevel3(c *C) {
-	c.Assert(update.SecureMkdirAll("/path/to/something", 0755, 123, 456), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "path" 0755`,
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`fchown 4 123 456`,
-		`mkdirat 4 "to" 0755`,
-		`openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 5
-		`fchown 5 123 456`,
-		`close 4`,
-		`close 3`,
-		`mkdirat 5 "something" 0755`,
-		`openat 5 "something" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`fchown 3 123 456`,
-		`close 3`,
-		`close 5`,
+	c.Assert(update.MkdirAll("/path/to/something", 0755, 123, 456, nil), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "path" 0755`},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 123 456`},
+		{C: `mkdirat 4 "to" 0755`},
+		{C: `openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 123 456`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 5 "something" 0755`},
+		{C: `openat 5 "something" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 123 456`},
+		{C: `close 3`},
+		{C: `close 5`},
+	})
+}
+
+// Ensure that writes to /etc/demo are interrupted if /etc is restricted.
+func (s *utilsSuite) TestSecureMkdirAllWithRestrictedEtc(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	rs := s.as.RestrictionsFor("/etc/demo")
+	err := update.MkdirAll("/etc/demo", 0755, 123, 456, rs)
+	c.Assert(err, ErrorMatches, `cannot write to "/etc/demo" because it would affect the host in "/etc"`)
+	c.Assert(err.(*update.TrespassingError).ViolatedPath, Equals, "/etc")
+	c.Assert(err.(*update.TrespassingError).DesiredPath, Equals, "/etc/demo")
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		// we are inspecting the type of the filesystem we are about to perform operation on.
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		// ext4 is writable, refuse further operations.
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.Ext4Magic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`},
+	})
+}
+
+// Ensure that writes to /etc/demo allowed if /etc is unrestricted.
+func (s *utilsSuite) TestSecureMkdirAllWithUnrestrictedEtc(c *C) {
+	defer s.as.MockUnrestrictedPaths("/etc")() // Mark /etc as unrestricted.
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	rs := s.as.RestrictionsFor("/etc/demo")
+	c.Assert(update.MkdirAll("/etc/demo", 0755, 123, 456, rs), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		// We are not interested in the type of filesystem at /
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		// We are not interested in the type of filesystem at /etc
+		{C: `close 3`},
+		{C: `mkdirat 4 "demo" 0755`},
+		{C: `openat 4 "demo" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 123 456`},
+		{C: `close 3`},
+		{C: `close 4`},
 	})
 }
 
@@ -141,16 +188,16 @@
 func (s *utilsSuite) TestSecureMkdirAllROFS(c *C) {
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST) // just realistic
 	s.sys.InsertFault(`mkdirat 4 "path" 0755`, syscall.EROFS)
-	err := update.SecureMkdirAll("/rofs/path", 0755, 123, 456)
+	err := update.MkdirAll("/rofs/path", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, `cannot operate on read-only filesystem at /rofs`)
 	c.Assert(err.(*update.ReadOnlyFsError).Path, Equals, "/rofs")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,        // -> 3
-		`mkdirat 3 "rofs" 0755`,                              // -> EEXIST
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`close 3`,
-		`mkdirat 4 "path" 0755`, // -> EROFS
-		`close 4`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "path" 0755`, E: syscall.EROFS},
+		{C: `close 4`},
 	})
 }
 
@@ -158,71 +205,72 @@
 func (s *utilsSuite) TestSecureMkdirAllExistingDirsDontChown(c *C) {
 	s.sys.InsertFault(`mkdirat 3 "abs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`mkdirat 4 "path" 0755`, syscall.EEXIST)
-	err := update.SecureMkdirAll("/abs/path", 0755, 123, 456)
+	err := update.MkdirAll("/abs/path", 0755, 123, 456, nil)
 	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "abs" 0755`,
-		`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`close 3`,
-		`mkdirat 4 "path" 0755`,
-		`openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`close 3`,
-		`close 4`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "abs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `mkdirat 4 "path" 0755`, E: syscall.EEXIST},
+		{C: `openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `close 3`},
+		{C: `close 4`},
 	})
 }
 
 // Ensure that we we close everything when mkdirat fails.
 func (s *utilsSuite) TestSecureMkdirAllMkdiratError(c *C) {
 	s.sys.InsertFault(`mkdirat 3 "abs" 0755`, errTesting)
-	err := update.SecureMkdirAll("/abs", 0755, 123, 456)
-	c.Assert(err, ErrorMatches, `cannot mkdir path segment "abs": testing`)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "abs" 0755`,
-		`close 3`,
+	err := update.MkdirAll("/abs", 0755, 123, 456, nil)
+	c.Assert(err, ErrorMatches, `cannot create directory "/abs": testing`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "abs" 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Ensure that we we close everything when fchown fails.
 func (s *utilsSuite) TestSecureMkdirAllFchownError(c *C) {
 	s.sys.InsertFault(`fchown 4 123 456`, errTesting)
-	err := update.SecureMkdirAll("/path", 0755, 123, 456)
-	c.Assert(err, ErrorMatches, `cannot chown path segment "path" to 123.456 \(got up to "/"\): testing`)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "path" 0755`,
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`fchown 4 123 456`,
-		`close 4`,
-		`close 3`,
+	err := update.MkdirAll("/path", 0755, 123, 456, nil)
+	c.Assert(err, ErrorMatches, `cannot chown directory "/path" to 123.456: testing`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "path" 0755`},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 123 456`, E: errTesting},
+		{C: `close 4`},
+		{C: `close 3`},
 	})
 }
 
 // Check error path when we cannot open root directory.
 func (s *utilsSuite) TestSecureMkdirAllOpenRootError(c *C) {
 	s.sys.InsertFault(`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, errTesting)
-	err := update.SecureMkdirAll("/abs/path", 0755, 123, 456)
+	err := update.MkdirAll("/abs/path", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, "cannot open root directory: testing")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> err
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, E: errTesting},
 	})
 }
 
 // Check error path when we cannot open non-root directory.
 func (s *utilsSuite) TestSecureMkdirAllOpenError(c *C) {
 	s.sys.InsertFault(`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, errTesting)
-	err := update.SecureMkdirAll("/abs/path", 0755, 123, 456)
-	c.Assert(err, ErrorMatches, `cannot open path segment "abs" \(got up to "/"\): testing`)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "abs" 0755`,
-		`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> err
-		`close 3`,
+	err := update.MkdirAll("/abs/path", 0755, 123, 456, nil)
+	c.Assert(err, ErrorMatches, `cannot open directory "/abs": testing`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "abs" 0755`},
+		{C: `openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 func (s *utilsSuite) TestPlanWritableMimic(c *C) {
+	s.sys.InsertSysLstatResult(`lstat "/foo" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
 	restore := update.MockReadDir(func(dir string) ([]os.FileInfo, error) {
 		c.Assert(dir, Equals, "/foo")
 		return []os.FileInfo{
@@ -259,7 +307,7 @@
 		// Store /foo in /tmp/.snap/foo while we set things up
 		{Entry: osutil.MountEntry{Name: "/foo", Dir: "/tmp/.snap/foo", Options: []string{"rbind"}}, Action: update.Mount},
 		// Put a tmpfs over /foo
-		{Entry: osutil.MountEntry{Name: "tmpfs", Dir: "/foo", Type: "tmpfs", Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/foo/bar"}}, Action: update.Mount},
+		{Entry: osutil.MountEntry{Name: "tmpfs", Dir: "/foo", Type: "tmpfs", Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/foo/bar", "mode=0755", "uid=0", "gid=0"}}, Action: update.Mount},
 		// Bind mount files and directories over. Note that files are identified by x-snapd.kind=file option.
 		{Entry: osutil.MountEntry{Name: "/tmp/.snap/foo/file", Dir: "/foo/file", Options: []string{"bind", "x-snapd.kind=file", "x-snapd.synthetic", "x-snapd.needed-by=/foo/bar"}}, Action: update.Mount},
 		{Entry: osutil.MountEntry{Name: "/tmp/.snap/foo/dir", Dir: "/foo/dir", Options: []string{"rbind", "x-snapd.synthetic", "x-snapd.needed-by=/foo/bar"}}, Action: update.Mount},
@@ -273,6 +321,7 @@
 }
 
 func (s *utilsSuite) TestPlanWritableMimicErrors(c *C) {
+	s.sys.InsertSysLstatResult(`lstat "/foo" <ptr>`, syscall.Stat_t{Uid: 0, Gid: 0, Mode: 0755})
 	restore := update.MockReadDir(func(dir string) ([]os.FileInfo, error) {
 		c.Assert(dir, Equals, "/foo")
 		return nil, errTesting
@@ -300,14 +349,14 @@
 	}
 
 	// Mock the act of performing changes, each of the change we perform is coming from the plan.
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		c.Assert(plan, testutil.DeepContains, chg)
 		return nil, nil
 	})
 	defer restore()
 
 	// The executed plan leaves us with a simplified view of the plan that is suitable for undo.
-	undoPlan, err := update.ExecWritableMimic(plan)
+	undoPlan, err := update.ExecWritableMimic(plan, s.as)
 	c.Assert(err, IsNil)
 	c.Assert(undoPlan, DeepEquals, []*update.Change{
 		{Entry: osutil.MountEntry{Name: "tmpfs", Dir: "/foo", Type: "tmpfs", Options: []string{"x-snapd.synthetic", "x-snapd.needed-by=/foo/bar"}}, Action: update.Mount},
@@ -335,7 +384,7 @@
 	// the recovery path are recorded.
 	var recoveryPlan []*update.Change
 	recovery := false
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		if !recovery {
 			c.Assert(plan, testutil.DeepContains, chg)
 			if chg.Entry.Name == "/tmp/.snap/foo/dir" {
@@ -350,7 +399,7 @@
 	defer restore()
 
 	// The executed plan fails, leaving us with the error and an empty undo plan.
-	undoPlan, err := update.ExecWritableMimic(plan)
+	undoPlan, err := update.ExecWritableMimic(plan, s.as)
 	c.Assert(err, Equals, errTesting)
 	c.Assert(undoPlan, HasLen, 0)
 	// The changes we managed to perform were undone correctly.
@@ -374,13 +423,13 @@
 	}
 
 	// Mock the act of performing changes and just fail on any request.
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		return nil, errTesting
 	})
 	defer restore()
 
 	// The executed plan fails, the recovery didn't fail (it's empty) so we just return that error.
-	undoPlan, err := update.ExecWritableMimic(plan)
+	undoPlan, err := update.ExecWritableMimic(plan, s.as)
 	c.Assert(err, Equals, errTesting)
 	c.Assert(undoPlan, HasLen, 0)
 }
@@ -401,7 +450,7 @@
 	// execute function ends up in a situation where it cannot perform the
 	// recovery path and will have to return a fatal error.
 	i := -1
-	restore := update.MockChangePerform(func(chg *update.Change) ([]*update.Change, error) {
+	restore := update.MockChangePerform(func(chg *update.Change, as *update.Assumptions) ([]*update.Change, error) {
 		i++
 		if i > 0 {
 			return nil, fmt.Errorf("failure-%d", i)
@@ -411,16 +460,23 @@
 	defer restore()
 
 	// The plan partially succeeded and we cannot undo those changes.
-	_, err := update.ExecWritableMimic(plan)
+	_, err := update.ExecWritableMimic(plan, s.as)
 	c.Assert(err, ErrorMatches, `cannot undo change ".*" while recovering from earlier error failure-1: failure-2`)
 	c.Assert(err, FitsTypeOf, &update.FatalError{})
 }
 
 // realSystemSuite is not isolated / mocked from the system.
-type realSystemSuite struct{}
+type realSystemSuite struct {
+	as *update.Assumptions
+}
 
 var _ = Suite(&realSystemSuite{})
 
+func (s *realSystemSuite) SetUpTest(c *C) {
+	s.as = &update.Assumptions{}
+	s.as.AddUnrestrictedPaths("/tmp")
+}
+
 // Check that we can actually create directories.
 // This doesn't test the chown logic as that requires root.
 func (s *realSystemSuite) TestSecureMkdirAllForReal(c *C) {
@@ -429,7 +485,7 @@
 	// Create d (which already exists) with mode 0777 (but c.MkDir() used 0700
 	// internally and since we are not creating the directory we should not be
 	// changing that.
-	c.Assert(update.SecureMkdirAll(d, 0777, sys.FlagID, sys.FlagID), IsNil)
+	c.Assert(update.MkdirAll(d, 0777, sys.FlagID, sys.FlagID, nil), IsNil)
 	fi, err := os.Stat(d)
 	c.Assert(err, IsNil)
 	c.Check(fi.IsDir(), Equals, true)
@@ -439,7 +495,7 @@
 	// check that it was applied. Note that default umask 022 is subtracted so
 	// effective directory has different permissions.
 	d1 := filepath.Join(d, "subdir")
-	c.Assert(update.SecureMkdirAll(d1, 0707, sys.FlagID, sys.FlagID), IsNil)
+	c.Assert(update.MkdirAll(d1, 0707, sys.FlagID, sys.FlagID, nil), IsNil)
 	fi, err = os.Stat(d1)
 	c.Assert(err, IsNil)
 	c.Check(fi.IsDir(), Equals, true)
@@ -448,7 +504,7 @@
 	// Create d2, which is a deeper subdirectory, with another distinct mode
 	// and check that it was applied.
 	d2 := filepath.Join(d, "subdir/subdir/subdir")
-	c.Assert(update.SecureMkdirAll(d2, 0750, sys.FlagID, sys.FlagID), IsNil)
+	c.Assert(update.MkdirAll(d2, 0750, sys.FlagID, sys.FlagID, nil), IsNil)
 	fi, err = os.Stat(d2)
 	c.Assert(err, IsNil)
 	c.Check(fi.IsDir(), Equals, true)
@@ -459,70 +515,70 @@
 
 // Ensure that we reject unclean paths.
 func (s *utilsSuite) TestSecureMkfileAllUnclean(c *C) {
-	err := update.SecureMkfileAll("/unclean//path", 0755, 123, 456)
+	err := update.MkfileAll("/unclean//path", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, `cannot split unclean path .*`)
-	c.Assert(s.sys.Calls(), HasLen, 0)
+	c.Assert(s.sys.RCalls(), HasLen, 0)
 }
 
 // Ensure that we refuse to create a file with an relative path.
 func (s *utilsSuite) TestSecureMkfileAllRelative(c *C) {
-	err := update.SecureMkfileAll("rel/path", 0755, 123, 456)
+	err := update.MkfileAll("rel/path", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, `cannot create file with relative path: "rel/path"`)
-	c.Assert(s.sys.Calls(), HasLen, 0)
+	c.Assert(s.sys.RCalls(), HasLen, 0)
 }
 
 // Ensure that we refuse creating the root directory as a file.
 func (s *utilsSuite) TestSecureMkfileAllLevel0(c *C) {
-	err := update.SecureMkfileAll("/", 0755, 123, 456)
+	err := update.MkfileAll("/", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, `cannot create non-file path: "/"`)
-	c.Assert(s.sys.Calls(), HasLen, 0)
+	c.Assert(s.sys.RCalls(), HasLen, 0)
 }
 
 // Ensure that we can create a file in the top-level directory.
 func (s *utilsSuite) TestSecureMkfileAllLevel1(c *C) {
-	c.Assert(update.SecureMkfileAll("/path", 0755, 123, 456), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,              // -> 3
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> 4
-		`fchown 4 123 456`,
-		`close 4`,
-		`close 3`,
+	c.Assert(update.MkfileAll("/path", 0755, 123, 456, nil), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 4},
+		{C: `fchown 4 123 456`},
+		{C: `close 4`},
+		{C: `close 3`},
 	})
 }
 
 // Ensure that we can create a file two levels from the top-level directory.
 func (s *utilsSuite) TestSecureMkfileAllLevel2(c *C) {
-	c.Assert(update.SecureMkfileAll("/path/to", 0755, 123, 456), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "path" 0755`,
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`fchown 4 123 456`,
-		`close 3`,
-		`openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> 3
-		`fchown 3 123 456`,
-		`close 3`,
-		`close 4`,
+	c.Assert(update.MkfileAll("/path/to", 0755, 123, 456, nil), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "path" 0755`},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 123 456`},
+		{C: `close 3`},
+		{C: `openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 3},
+		{C: `fchown 3 123 456`},
+		{C: `close 3`},
+		{C: `close 4`},
 	})
 }
 
 // Ensure that we can create a file three levels from the top-level directory.
 func (s *utilsSuite) TestSecureMkfileAllLevel3(c *C) {
-	c.Assert(update.SecureMkfileAll("/path/to/something", 0755, 123, 456), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "path" 0755`,
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`fchown 4 123 456`,
-		`mkdirat 4 "to" 0755`,
-		`openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 5
-		`fchown 5 123 456`,
-		`close 4`,
-		`close 3`,
-		`openat 5 "something" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> 3
-		`fchown 3 123 456`,
-		`close 3`,
-		`close 5`,
+	c.Assert(update.MkfileAll("/path/to/something", 0755, 123, 456, nil), IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "path" 0755`},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fchown 4 123 456`},
+		{C: `mkdirat 4 "to" 0755`},
+		{C: `openat 4 "to" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `fchown 5 123 456`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `openat 5 "something" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 3},
+		{C: `fchown 3 123 456`},
+		{C: `close 3`},
+		{C: `close 5`},
 	})
 }
 
@@ -530,16 +586,16 @@
 func (s *utilsSuite) TestSecureMkfileAllROFS(c *C) {
 	s.sys.InsertFault(`mkdirat 3 "rofs" 0755`, syscall.EEXIST) // just realistic
 	s.sys.InsertFault(`openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, syscall.EROFS)
-	err := update.SecureMkfileAll("/rofs/path", 0755, 123, 456)
+	err := update.MkfileAll("/rofs/path", 0755, 123, 456, nil)
 	c.Check(err, ErrorMatches, `cannot operate on read-only filesystem at /rofs`)
 	c.Assert(err.(*update.ReadOnlyFsError).Path, Equals, "/rofs")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,        // -> 3
-		`mkdirat 3 "rofs" 0755`,                              // -> EEXIST
-		`openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`close 3`,
-		`openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> EROFS
-		`close 4`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "rofs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "rofs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, E: syscall.EROFS},
+		{C: `close 4`},
 	})
 }
 
@@ -547,17 +603,17 @@
 func (s *utilsSuite) TestSecureMkfileAllExistingDirsDontChown(c *C) {
 	s.sys.InsertFault(`mkdirat 3 "abs" 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, syscall.EEXIST)
-	err := update.SecureMkfileAll("/abs/path", 0755, 123, 456)
+	err := update.MkfileAll("/abs/path", 0755, 123, 456, nil)
 	c.Check(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "abs" 0755`,
-		`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 4
-		`close 3`,
-		`openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> EEXIST
-		`openat 4 "path" O_NOFOLLOW|O_CLOEXEC 0`,                   // -> 3
-		`close 3`,
-		`close 4`,
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "abs" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `openat 4 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, E: syscall.EEXIST},
+		{C: `openat 4 "path" O_NOFOLLOW|O_CLOEXEC 0`, R: 3},
+		{C: `close 3`},
+		{C: `close 4`},
 	})
 }
 
@@ -565,62 +621,303 @@
 func (s *utilsSuite) TestSecureMkfileAllOpenat2ndError(c *C) {
 	s.sys.InsertFault(`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, syscall.EEXIST)
 	s.sys.InsertFault(`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC 0`, errTesting)
-	err := update.SecureMkfileAll("/abs", 0755, 123, 456)
-	c.Assert(err, ErrorMatches, `cannot open file "abs": testing`)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,             // -> 3
-		`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> EEXIST
-		`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC 0`,                   // -> err
-		`close 3`,
+	err := update.MkfileAll("/abs", 0755, 123, 456, nil)
+	c.Assert(err, ErrorMatches, `cannot open file "/abs": testing`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "abs" O_NOFOLLOW|O_CLOEXEC 0`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Ensure that we we close everything when openat (non-exclusive) fails.
 func (s *utilsSuite) TestSecureMkfileAllOpenatError(c *C) {
 	s.sys.InsertFault(`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, errTesting)
-	err := update.SecureMkfileAll("/abs", 0755, 123, 456)
-	c.Assert(err, ErrorMatches, `cannot open file "abs": testing`)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,             // -> 3
-		`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> err
-		`close 3`,
+	err := update.MkfileAll("/abs", 0755, 123, 456, nil)
+	c.Assert(err, ErrorMatches, `cannot open file "/abs": testing`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, E: errTesting},
+		{C: `close 3`},
 	})
 }
 
 // Ensure that we we close everything when fchown fails.
 func (s *utilsSuite) TestSecureMkfileAllFchownError(c *C) {
 	s.sys.InsertFault(`fchown 4 123 456`, errTesting)
-	err := update.SecureMkfileAll("/path", 0755, 123, 456)
-	c.Assert(err, ErrorMatches, `cannot chown file "path" to 123.456: testing`)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`,              // -> 3
-		`openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, // -> 4
-		`fchown 4 123 456`,
-		`close 4`,
-		`close 3`,
+	err := update.MkfileAll("/path", 0755, 123, 456, nil)
+	c.Assert(err, ErrorMatches, `cannot chown file "/path" to 123.456: testing`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "path" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 4},
+		{C: `fchown 4 123 456`, E: errTesting},
+		{C: `close 4`},
+		{C: `close 3`},
 	})
 }
 
 // Check error path when we cannot open root directory.
 func (s *utilsSuite) TestSecureMkfileAllOpenRootError(c *C) {
 	s.sys.InsertFault(`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, errTesting)
-	err := update.SecureMkfileAll("/abs/path", 0755, 123, 456)
+	err := update.MkfileAll("/abs/path", 0755, 123, 456, nil)
 	c.Assert(err, ErrorMatches, "cannot open root directory: testing")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> err
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, E: errTesting},
 	})
 }
 
 // Check error path when we cannot open non-root directory.
 func (s *utilsSuite) TestSecureMkfileAllOpenError(c *C) {
 	s.sys.InsertFault(`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, errTesting)
-	err := update.SecureMkfileAll("/abs/path", 0755, 123, 456)
-	c.Assert(err, ErrorMatches, `cannot open path segment "abs" \(got up to "/"\): testing`)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> 3
-		`mkdirat 3 "abs" 0755`,
-		`openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, // -> err
-		`close 3`,
+	err := update.MkfileAll("/abs/path", 0755, 123, 456, nil)
+	c.Assert(err, ErrorMatches, `cannot open directory "/abs": testing`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "abs" 0755`},
+		{C: `openat 3 "abs" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, E: errTesting},
+		{C: `close 3`},
+	})
+}
+
+// We want to create a symlink in $SNAP_DATA and that's fine.
+func (s *utilsSuite) TestSecureMksymlinkAllInSnapData(c *C) {
+	s.sys.InsertFault(`mkdirat 3 "var" 0755`, syscall.EEXIST)
+	s.sys.InsertFault(`mkdirat 4 "snap" 0755`, syscall.EEXIST)
+	s.sys.InsertFault(`mkdirat 5 "foo" 0755`, syscall.EEXIST)
+	s.sys.InsertFault(`mkdirat 6 "42" 0755`, syscall.EEXIST)
+
+	err := update.MksymlinkAll("/var/snap/foo/42/symlink", 0755, 0, 0, "/oldname", nil)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "var" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "var" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `mkdirat 4 "snap" 0755`, E: syscall.EEXIST},
+		{C: `openat 4 "snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `mkdirat 5 "foo" 0755`, E: syscall.EEXIST},
+		{C: `openat 5 "foo" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 6},
+		{C: `mkdirat 6 "42" 0755`, E: syscall.EEXIST},
+		{C: `openat 6 "42" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 7},
+		{C: `close 6`},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `symlinkat "/oldname" 7 "symlink"`},
+		{C: `close 7`},
+	})
+}
+
+// We want to create a symlink in /etc but the host filesystem would be affected.
+func (s *utilsSuite) TestSecureMksymlinkAllInEtc(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	rs := s.as.RestrictionsFor("/etc/symlink")
+	err := update.MksymlinkAll("/etc/symlink", 0755, 0, 0, "/oldname", rs)
+	c.Assert(err, ErrorMatches, `cannot write to "/etc/symlink" because it would affect the host in "/etc"`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.Ext4Magic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`},
+	})
+}
+
+// We want to create a symlink deep in /etc but the host filesystem would be affected.
+// This just shows that we pick the right place to construct the mimic
+func (s *utilsSuite) TestSecureMksymlinkAllDeepInEtc(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	rs := s.as.RestrictionsFor("/etc/some/other/stuff/symlink")
+	err := update.MksymlinkAll("/etc/some/other/stuff/symlink", 0755, 0, 0, "/oldname", rs)
+	c.Assert(err, ErrorMatches, `cannot write to "/etc/some/other/stuff/symlink" because it would affect the host in "/etc"`)
+	c.Assert(err.(*update.TrespassingError).ViolatedPath, Equals, "/etc")
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.Ext4Magic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`},
+		{C: `close 3`},
+	})
+}
+
+// We want to create a file in /etc but the host filesystem would be affected.
+func (s *utilsSuite) TestSecureMkfileAllInEtc(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	rs := s.as.RestrictionsFor("/etc/file")
+	err := update.MkfileAll("/etc/file", 0755, 0, 0, rs)
+	c.Assert(err, ErrorMatches, `cannot write to "/etc/file" because it would affect the host in "/etc"`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.Ext4Magic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`},
+	})
+}
+
+// We want to create a directory in /etc but the host filesystem would be affected.
+func (s *utilsSuite) TestSecureMkdirAllInEtc(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.Ext4Magic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	rs := s.as.RestrictionsFor("/etc/dir")
+	err := update.MkdirAll("/etc/dir", 0755, 0, 0, rs)
+	c.Assert(err, ErrorMatches, `cannot write to "/etc/dir" because it would affect the host in "/etc"`)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.Ext4Magic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `close 4`},
+	})
+}
+
+// We want to create a directory in /snap/foo/42/dir and want to know what happens.
+func (s *utilsSuite) TestSecureMkdirAllInSNAP(c *C) {
+	// Allow creating directories under /snap/ related to this snap ("foo").
+	// This matches what is done inside main().
+	restore := s.as.MockUnrestrictedPaths("/snap/foo")
+	defer restore()
+
+	s.sys.InsertFault(`mkdirat 3 "snap" 0755`, syscall.EEXIST)
+	s.sys.InsertFault(`mkdirat 4 "foo" 0755`, syscall.EEXIST)
+	s.sys.InsertFault(`mkdirat 5 "42" 0755`, syscall.EEXIST)
+
+	rs := s.as.RestrictionsFor("/snap/foo/42/dir")
+	err := update.MkdirAll("/snap/foo/42/dir", 0755, 0, 0, rs)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "snap" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "snap" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `mkdirat 4 "foo" 0755`, E: syscall.EEXIST},
+		{C: `openat 4 "foo" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 5},
+		{C: `mkdirat 5 "42" 0755`, E: syscall.EEXIST},
+		{C: `openat 5 "42" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 6},
+		{C: `close 5`},
+		{C: `close 4`},
+		{C: `close 3`},
+		{C: `mkdirat 6 "dir" 0755`},
+		{C: `openat 6 "dir" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 6`},
+	})
+}
+
+// We want to create a symlink in /etc which is a tmpfs that we mounted so that is ok.
+func (s *utilsSuite) TestSecureMksymlinkAllInEtcAfterMimic(c *C) {
+	// Because /etc is not on a list of unrestricted paths the write to
+	// /etc/symlink must be validated with step-by-step operation.
+	rootStatfs := syscall.Statfs_t{Type: update.SquashfsMagic, Flags: update.StReadOnly}
+	rootStat := syscall.Stat_t{}
+	etcStatfs := syscall.Statfs_t{Type: update.TmpfsMagic}
+	etcStat := syscall.Stat_t{}
+	s.as.AddChange(&update.Change{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/etc", Type: "tmpfs", Name: "tmpfs"}})
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, rootStatfs)
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, rootStat)
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, etcStatfs)
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, etcStat)
+	rs := s.as.RestrictionsFor("/etc/symlink")
+	err := update.MksymlinkAll("/etc/symlink", 0755, 0, 0, "/oldname", rs)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: rootStatfs},
+		{C: `fstat 3 <ptr>`, R: rootStat},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: etcStatfs},
+		{C: `fstat 4 <ptr>`, R: etcStat},
+		{C: `symlinkat "/oldname" 4 "symlink"`},
+		{C: `close 4`},
+	})
+}
+
+// We want to create a file in /etc which is a tmpfs created by snapd so that's okay.
+func (s *utilsSuite) TestSecureMkfileAllInEtcAfterMimic(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	s.as.AddChange(&update.Change{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/etc", Type: "tmpfs", Name: "tmpfs"}})
+	rs := s.as.RestrictionsFor("/etc/file")
+	err := update.MkfileAll("/etc/file", 0755, 0, 0, rs)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.TmpfsMagic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `openat 4 "file" O_NOFOLLOW|O_CLOEXEC|O_CREAT|O_EXCL 0755`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 4`},
+	})
+}
+
+// We want to create a directory in /etc which is a tmpfs created by snapd so that is ok.
+func (s *utilsSuite) TestSecureMkdirAllInEtcAfterMimic(c *C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: update.SquashfsMagic})
+	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFstatfsResult(`fstatfs 4 <ptr>`, syscall.Statfs_t{Type: update.TmpfsMagic})
+	s.sys.InsertFstatResult(`fstat 4 <ptr>`, syscall.Stat_t{})
+	s.sys.InsertFault(`mkdirat 3 "etc" 0755`, syscall.EEXIST)
+	s.as.AddChange(&update.Change{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/etc", Type: "tmpfs", Name: "tmpfs"}})
+	rs := s.as.RestrictionsFor("/etc/dir")
+	err := update.MkdirAll("/etc/dir", 0755, 0, 0, rs)
+	c.Assert(err, IsNil)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: update.SquashfsMagic}},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 3 "etc" 0755`, E: syscall.EEXIST},
+		{C: `openat 3 "etc" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 4},
+		{C: `close 3`},
+		{C: `fstatfs 4 <ptr>`, R: syscall.Statfs_t{Type: update.TmpfsMagic}},
+		{C: `fstat 4 <ptr>`, R: syscall.Stat_t{}},
+		{C: `mkdirat 4 "dir" 0755`},
+		{C: `openat 4 "dir" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+		{C: `close 4`},
 	})
 }
 
@@ -633,7 +930,7 @@
 	// check that it was applied. Note that default umask 022 is subtracted so
 	// effective directory has different permissions.
 	f1 := filepath.Join(d, "file")
-	c.Assert(update.SecureMkfileAll(f1, 0707, sys.FlagID, sys.FlagID), IsNil)
+	c.Assert(update.MkfileAll(f1, 0707, sys.FlagID, sys.FlagID, nil), IsNil)
 	fi, err := os.Stat(f1)
 	c.Assert(err, IsNil)
 	c.Check(fi.Mode().IsRegular(), Equals, true)
@@ -642,7 +939,7 @@
 	// Create f2, which is a deeper subdirectory, with another distinct mode
 	// and check that it was applied.
 	f2 := filepath.Join(d, "subdir/subdir/file")
-	c.Assert(update.SecureMkfileAll(f2, 0750, sys.FlagID, sys.FlagID), IsNil)
+	c.Assert(update.MkfileAll(f2, 0750, sys.FlagID, sys.FlagID, nil), IsNil)
 	fi, err = os.Stat(f2)
 	c.Assert(err, IsNil)
 	c.Check(fi.Mode().IsRegular(), Equals, true)
@@ -657,7 +954,7 @@
 	// Create symlink f1 that points to "oldname" and check that it
 	// is correct. Note that symlink permissions are always set to 0777
 	f1 := filepath.Join(d, "symlink")
-	err := update.SecureMksymlinkAll(f1, 0755, sys.FlagID, sys.FlagID, "oldname")
+	err := update.MksymlinkAll(f1, 0755, sys.FlagID, sys.FlagID, "oldname", nil)
 	c.Assert(err, IsNil)
 	fi, err := os.Lstat(f1)
 	c.Assert(err, IsNil)
@@ -669,26 +966,29 @@
 	c.Check(target, Equals, "oldname")
 
 	// Create an identical symlink to see that it doesn't fail.
-	err = update.SecureMksymlinkAll(f1, 0755, sys.FlagID, sys.FlagID, "oldname")
+	err = update.MksymlinkAll(f1, 0755, sys.FlagID, sys.FlagID, "oldname", nil)
 	c.Assert(err, IsNil)
 
 	// Create a different symlink and see that it fails now
-	err = update.SecureMksymlinkAll(f1, 0755, sys.FlagID, sys.FlagID, "other")
-	c.Assert(err, ErrorMatches, `cannot create symbolic link "symlink": existing symbolic link in the way`)
+	err = update.MksymlinkAll(f1, 0755, sys.FlagID, sys.FlagID, "other", nil)
+	c.Assert(err, ErrorMatches, `cannot create symbolic link ".*/symlink": existing symbolic link in the way`)
 
 	// Create an file and check that it clashes with a symlink we attempt to create.
 	f2 := filepath.Join(d, "file")
-	err = update.SecureMkfileAll(f2, 0755, sys.FlagID, sys.FlagID)
+	err = update.MkfileAll(f2, 0755, sys.FlagID, sys.FlagID, nil)
 	c.Assert(err, IsNil)
-	err = update.SecureMksymlinkAll(f2, 0755, sys.FlagID, sys.FlagID, "oldname")
-	c.Assert(err, ErrorMatches, `cannot create symbolic link "file": existing file in the way`)
+	err = update.MksymlinkAll(f2, 0755, sys.FlagID, sys.FlagID, "oldname", nil)
+	c.Assert(err, ErrorMatches, `cannot create symbolic link ".*/file": existing file in the way`)
 
 	// Create an file and check that it clashes with a symlink we attempt to create.
 	f3 := filepath.Join(d, "dir")
-	err = update.SecureMkdirAll(f3, 0755, sys.FlagID, sys.FlagID)
+	err = update.MkdirAll(f3, 0755, sys.FlagID, sys.FlagID, nil)
 	c.Assert(err, IsNil)
-	err = update.SecureMksymlinkAll(f3, 0755, sys.FlagID, sys.FlagID, "oldname")
-	c.Assert(err, ErrorMatches, `cannot create symbolic link "dir": existing file in the way`)
+	err = update.MksymlinkAll(f3, 0755, sys.FlagID, sys.FlagID, "oldname", nil)
+	c.Assert(err, ErrorMatches, `cannot create symbolic link ".*/dir": existing file in the way`)
+
+	err = update.MksymlinkAll("/", 0755, sys.FlagID, sys.FlagID, "oldname", nil)
+	c.Assert(err, ErrorMatches, `cannot create non-file path: "/"`)
 }
 
 func (s *utilsSuite) TestCleanTrailingSlash(c *C) {
@@ -700,12 +1000,145 @@
 	c.Assert(filepath.Clean("other/path/.."), Equals, "other")
 }
 
-func (s *utilsSuite) TestSplitIntoSegments(c *C) {
-	sg, err := update.SplitIntoSegments("/foo/bar/froz")
+// secure-open-path
+
+func (s *utilsSuite) TestSecureOpenPath(c *C) {
+	stat := syscall.Stat_t{Mode: syscall.S_IFDIR}
+	s.sys.InsertFstatResult("fstat 5 <ptr>", stat)
+	fd, err := update.OpenPath("/foo/bar")
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+	c.Assert(fd, Equals, 5)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "foo" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 4},
+		{C: `openat 4 "bar" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 5},
+		{C: `fstat 5 <ptr>`, R: stat},
+		{C: `close 4`},
+		{C: `close 3`},
+	})
+}
+
+func (s *utilsSuite) TestSecureOpenPathSingleSegment(c *C) {
+	stat := syscall.Stat_t{Mode: syscall.S_IFDIR}
+	s.sys.InsertFstatResult("fstat 4 <ptr>", stat)
+	fd, err := update.OpenPath("/foo")
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+	c.Assert(fd, Equals, 4)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `openat 3 "foo" O_NOFOLLOW|O_CLOEXEC|O_PATH 0`, R: 4},
+		{C: `fstat 4 <ptr>`, R: stat},
+		{C: `close 3`},
+	})
+}
+
+func (s *utilsSuite) TestSecureOpenPathRoot(c *C) {
+	stat := syscall.Stat_t{Mode: syscall.S_IFDIR}
+	s.sys.InsertFstatResult("fstat 3 <ptr>", stat)
+	fd, err := update.OpenPath("/")
+	c.Assert(err, IsNil)
+	defer s.sys.Close(fd)
+	c.Assert(fd, Equals, 3)
+	c.Assert(s.sys.RCalls(), testutil.SyscallsEqual, []testutil.CallResultError{
+		{C: `open "/" O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY|O_PATH 0`, R: 3},
+		{C: `fstat 3 <ptr>`, R: stat},
+	})
+}
+
+func (s *realSystemSuite) TestSecureOpenPathDirectory(c *C) {
+	path := filepath.Join(c.MkDir(), "test")
+	c.Assert(os.Mkdir(path, 0755), IsNil)
+
+	fd, err := update.OpenPath(path)
+	c.Assert(err, IsNil)
+	defer syscall.Close(fd)
+
+	// check that the file descriptor is for the expected path
+	origDir, err := os.Getwd()
+	c.Assert(err, IsNil)
+	defer os.Chdir(origDir)
+
+	c.Assert(syscall.Fchdir(fd), IsNil)
+	cwd, err := os.Getwd()
 	c.Assert(err, IsNil)
-	c.Assert(sg, DeepEquals, []string{"foo", "bar", "froz"})
+	c.Check(cwd, Equals, path)
+}
+
+func (s *realSystemSuite) TestSecureOpenPathRelativePath(c *C) {
+	fd, err := update.OpenPath("relative/path")
+	c.Check(fd, Equals, -1)
+	c.Check(err, ErrorMatches, "path .* is not absolute")
+}
+
+func (s *realSystemSuite) TestSecureOpenPathUncleanPath(c *C) {
+	base := c.MkDir()
+	path := filepath.Join(base, "test")
+	c.Assert(os.Mkdir(path, 0755), IsNil)
+
+	fd, err := update.OpenPath(base + "//test")
+	c.Check(fd, Equals, -1)
+	c.Check(err, ErrorMatches, `cannot open path: cannot iterate over unclean path ".*//test"`)
+
+	fd, err = update.OpenPath(base + "/./test")
+	c.Check(fd, Equals, -1)
+	c.Check(err, ErrorMatches, `cannot open path: cannot iterate over unclean path ".*/./test"`)
+
+	fd, err = update.OpenPath(base + "/test/../test")
+	c.Check(fd, Equals, -1)
+	c.Check(err, ErrorMatches, `cannot open path: cannot iterate over unclean path ".*/test/../test"`)
+}
+
+func (s *realSystemSuite) TestSecureOpenPathFile(c *C) {
+	path := filepath.Join(c.MkDir(), "file.txt")
+	c.Assert(ioutil.WriteFile(path, []byte("hello"), 0644), IsNil)
+
+	fd, err := update.OpenPath(path)
+	c.Assert(err, IsNil)
+	defer syscall.Close(fd)
+
+	// Check that the file descriptor matches the file.
+	var pathStat, fdStat syscall.Stat_t
+	c.Assert(syscall.Stat(path, &pathStat), IsNil)
+	c.Assert(syscall.Fstat(fd, &fdStat), IsNil)
+	c.Check(pathStat, Equals, fdStat)
+}
+
+func (s *realSystemSuite) TestSecureOpenPathNotFound(c *C) {
+	path := filepath.Join(c.MkDir(), "test")
+
+	fd, err := update.OpenPath(path)
+	c.Check(fd, Equals, -1)
+	c.Check(err, ErrorMatches, "no such file or directory")
+}
+
+func (s *realSystemSuite) TestSecureOpenPathSymlink(c *C) {
+	base := c.MkDir()
+	dir := filepath.Join(base, "test")
+	c.Assert(os.Mkdir(dir, 0755), IsNil)
+
+	symlink := filepath.Join(base, "symlink")
+	c.Assert(os.Symlink(dir, symlink), IsNil)
+
+	fd, err := update.OpenPath(symlink)
+	c.Check(fd, Equals, -1)
+	c.Check(err, ErrorMatches, `".*" is a symbolic link`)
+}
+
+func (s *realSystemSuite) TestSecureOpenPathSymlinkedParent(c *C) {
+	base := c.MkDir()
+	dir := filepath.Join(base, "dir1")
+	symlink := filepath.Join(base, "symlink")
+
+	path := filepath.Join(dir, "dir2")
+	symlinkedPath := filepath.Join(symlink, "dir2")
+
+	c.Assert(os.Mkdir(dir, 0755), IsNil)
+	c.Assert(os.Symlink(dir, symlink), IsNil)
+	c.Assert(os.Mkdir(path, 0755), IsNil)
 
-	sg, err = update.SplitIntoSegments("/foo//fii/../.")
-	c.Assert(err, ErrorMatches, `cannot split unclean path ".+"`)
-	c.Assert(sg, HasLen, 0)
+	fd, err := update.OpenPath(symlinkedPath)
+	c.Check(fd, Equals, -1)
+	c.Check(err, ErrorMatches, "not a directory")
 }
diff -Nru snapd-2.32.3.2~14.04/cmd/system-shutdown/system-shutdown.c snapd-2.37~rc1~14.04/cmd/system-shutdown/system-shutdown.c
--- snapd-2.32.3.2~14.04/cmd/system-shutdown/system-shutdown.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/system-shutdown/system-shutdown.c	2019-01-16 08:36:51.000000000 +0000
@@ -65,10 +65,10 @@
 	   before doing whatever we were told to do, in which case there's
 	   nothing left to sync.
 
-           1) ... apart from the third way that we never talk about: we somehow
-	      are unable to umount everything cleanly, but go ahead with the
-	      reboot anyway because no error was returned. That's the only path
-	      we need to sync on explicitly.
+	   1) ... apart from the third way that we never talk about: we somehow
+	   are unable to umount everything cleanly, but go ahead with the
+	   reboot anyway because no error was returned. That's the only path
+	   we need to sync on explicitly.
 	 */
 
 	if (mkdir("/writable", 0755) < 0) {
@@ -87,12 +87,12 @@
 			die("cannot move writable out of the way");
 		}
 
-                if (umount_all()) {
-                        kmsg("- was able to unmount writable cleanly");
-                } else {
-                        kmsg("* was *NOT* able to unmount writable cleanly");
-                        sync(); // we don't know what happened but we're going ahead
-                }
+		if (umount_all()) {
+			kmsg("- was able to unmount writable cleanly");
+		} else {
+			kmsg("* was *NOT* able to unmount writable cleanly");
+			sync();	// we don't know what happened but we're going ahead
+		}
 	}
 
 	// argv[1] can be one of at least: halt, reboot, poweroff.
diff -Nru snapd-2.32.3.2~14.04/cmd/system-shutdown/system-shutdown-utils.c snapd-2.37~rc1~14.04/cmd/system-shutdown/system-shutdown-utils.c
--- snapd-2.32.3.2~14.04/cmd/system-shutdown/system-shutdown-utils.c	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/cmd/system-shutdown/system-shutdown-utils.c	2019-01-16 08:36:51.000000000 +0000
@@ -96,7 +96,7 @@
 		     strerror(errno));
 	} else {
 		if (ioctl(fd, LOOP_CLR_FD) < 0) {
-			kmsg("* unable to disassociate loop device %ss: %s",
+			kmsg("* unable to disassociate loop device %s: %s",
 			     src, strerror(errno));
 		}
 		close(fd);
diff -Nru snapd-2.32.3.2~14.04/daemon/api.go snapd-2.37~rc1~14.04/daemon/api.go
--- snapd-2.32.3.2~14.04/daemon/api.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/api.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2015-2016 Canonical Ltd
+ * Copyright (C) 2015-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -29,6 +29,7 @@
 	"mime/multipart"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -38,15 +39,16 @@
 	"strings"
 	"time"
 
-	"golang.org/x/net/context"
-
 	"github.com/gorilla/mux"
 	"github.com/jessevdk/go-flags"
+	"golang.org/x/net/context"
 
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/asserts/snapasserts"
 	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/cmd"
 	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/httputil"
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/jsonutil"
@@ -56,10 +58,12 @@
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate"
 	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/configstate/proxyconf"
 	"github.com/snapcore/snapd/overlord/devicestate"
 	"github.com/snapcore/snapd/overlord/hookstate/ctlcmd"
 	"github.com/snapcore/snapd/overlord/ifacestate"
 	"github.com/snapcore/snapd/overlord/servicestate"
+	"github.com/snapcore/snapd/overlord/snapshotstate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/progress"
@@ -94,7 +98,9 @@
 	aliasesCmd,
 	appsCmd,
 	logsCmd,
+	warningsCmd,
 	debugCmd,
+	snapshotCmd,
 }
 
 var (
@@ -248,8 +254,26 @@
 		GET:    getAliases,
 		POST:   changeAliases,
 	}
+
+	warningsCmd = &Command{
+		Path:     "/v2/warnings",
+		UserOK:   true,
+		PolkitOK: "io.snapcraft.snapd.manage",
+		GET:      getWarnings,
+		POST:     ackWarnings,
+	}
+
+	buildID = "unknown"
 )
 
+func init() {
+	// cache the build-id on startup to ensure that changes in
+	// the underlying binary do not affect us
+	if bid, err := osutil.MyBuildID(); err == nil {
+		buildID = bid
+	}
+}
+
 func tbd(c *Command, r *http.Request, user *auth.UserState) Response {
 	return SyncResponse([]string{"TBD"}, nil)
 }
@@ -292,10 +316,11 @@
 	m := map[string]interface{}{
 		"series":         release.Series,
 		"version":        c.d.Version,
+		"build-id":       buildID,
 		"os-release":     release.ReleaseInfo,
 		"on-classic":     release.OnClassic,
 		"managed":        len(users) > 0,
-		"kernel-version": release.KernelVersion(),
+		"kernel-version": osutil.KernelVersion(),
 		"locations": map[string]interface{}{
 			"snap-mount-dir": dirs.SnapMountDir,
 			"snap-bin-dir":   dirs.SnapBinariesDir,
@@ -313,9 +338,39 @@
 		m["confinement"] = "strict"
 	}
 
+	// Convey richer information about features of available security backends.
+	if features := sandboxFeatures(c.d.overlord.InterfaceManager().Repository().Backends()); features != nil {
+		m["sandbox-features"] = features
+	}
+
 	return SyncResponse(m, nil)
 }
 
+func sandboxFeatures(backends []interfaces.SecurityBackend) map[string][]string {
+	result := make(map[string][]string, len(backends)+1)
+	for _, backend := range backends {
+		features := backend.SandboxFeatures()
+		if len(features) > 0 {
+			sort.Strings(features)
+			result[string(backend.Name())] = features
+		}
+	}
+
+	// Add information about supported confinement types as a fake backend
+	features := make([]string, 1, 3)
+	features[0] = "devmode"
+	if !release.ReleaseInfo.ForceDevMode() {
+		features = append(features, "strict")
+	}
+	if dirs.SupportsClassicConfinement() {
+		features = append(features, "classic")
+	}
+	sort.Strings(features)
+	result["confinement-options"] = features
+
+	return result
+}
+
 // userResponseData contains the data releated to user creation/login/query
 type userResponseData struct {
 	ID       int      `json:"id,omitempty"`
@@ -365,7 +420,10 @@
 		}, nil)
 	}
 
-	macaroon, discharge, err := store.LoginUser(loginData.Email, loginData.Password, loginData.Otp)
+	overlord := c.d.overlord
+	st := overlord.State()
+	theStore := getStore(c)
+	macaroon, discharge, err := theStore.LoginUser(loginData.Email, loginData.Password, loginData.Otp)
 	switch err {
 	case store.ErrAuthenticationNeeds2fa:
 		return SyncResponse(&resp{
@@ -412,20 +470,18 @@
 	case nil:
 		// continue
 	}
-	overlord := c.d.overlord
-	state := overlord.State()
-	state.Lock()
+	st.Lock()
 	if user != nil {
 		// local user logged-in, set its store macaroons
 		user.StoreMacaroon = macaroon
 		user.StoreDischarges = []string{discharge}
 		// user's email address authenticated by the store
 		user.Email = loginData.Email
-		err = auth.UpdateUser(state, user)
+		err = auth.UpdateUser(st, user)
 	} else {
-		user, err = auth.NewUser(state, loginData.Username, loginData.Email, macaroon, []string{discharge})
+		user, err = auth.NewUser(st, loginData.Username, loginData.Email, macaroon, []string{discharge})
 	}
-	state.Unlock()
+	st.Unlock()
 	if err != nil {
 		return InternalError("cannot persist authentication details: %v", err)
 	}
@@ -472,7 +528,7 @@
 
 	var macaroon string
 	var discharges []string
-	for _, field := range splitQS(authorizationData[1]) {
+	for _, field := range strutil.CommaSeparatedList(authorizationData[1]) {
 		if strings.HasPrefix(field, `root="`) {
 			macaroon = strings.TrimSuffix(field[6:], `"`)
 		}
@@ -569,7 +625,7 @@
 		return InternalError("%v", err)
 	}
 
-	return SyncResponse(sections, &Meta{})
+	return SyncResponse(sections, nil)
 }
 
 func searchStore(c *Command, r *http.Request, user *auth.UserState) Response {
@@ -581,6 +637,7 @@
 	q := query.Get("q")
 	section := query.Get("section")
 	name := query.Get("name")
+	scope := query.Get("scope")
 	private := false
 	prefix := false
 
@@ -618,6 +675,7 @@
 		Section: section,
 		Private: private,
 		Prefix:  prefix,
+		Scope:   scope,
 	}, user)
 	switch err {
 	case nil:
@@ -631,6 +689,17 @@
 	case store.ErrUnauthenticated, store.ErrInvalidCredentials:
 		return Unauthorized(err.Error())
 	default:
+		if e, ok := err.(*url.Error); ok {
+			if neterr, ok := e.Err.(*net.OpError); ok {
+				if dnserr, ok := neterr.Err.(*net.DNSError); ok {
+					return SyncResponse(&resp{
+						Type:   ResponseTypeError,
+						Result: &errorResult{Message: dnserr.Error(), Kind: errorKindDNSFailure},
+						Status: 400,
+					}, nil)
+				}
+			}
+		}
 		if e, ok := err.(net.Error); ok && e.Timeout() {
 			return SyncResponse(&resp{
 				Type:   ResponseTypeError,
@@ -657,8 +726,7 @@
 
 	theStore := getStore(c)
 	spec := store.SnapSpec{
-		Name:       name,
-		AnyChannel: true,
+		Name: name,
 	}
 	snapInfo, err := theStore.SnapInfo(spec, user)
 	switch err {
@@ -728,9 +796,9 @@
 func sendStorePackages(route *mux.Route, meta *Meta, found []*snap.Info) Response {
 	results := make([]*json.RawMessage, 0, len(found))
 	for _, x := range found {
-		url, err := route.URL("name", x.Name())
+		url, err := route.URL("name", x.InstanceName())
 		if err != nil {
-			logger.Noticef("Cannot build URL for snap %q revision %s: %v", x.Name(), x.Revision, err)
+			logger.Noticef("Cannot build URL for snap %q revision %s: %v", x.InstanceName(), x.Revision, err)
 			continue
 		}
 
@@ -771,7 +839,7 @@
 	}
 	var wanted map[string]bool
 	if ns := query.Get("snaps"); len(ns) > 0 {
-		nsl := splitQS(ns)
+		nsl := strutil.CommaSeparatedList(ns)
 		wanted = make(map[string]bool, len(nsl))
 		for _, name := range nsl {
 			wanted[name] = true
@@ -786,7 +854,7 @@
 	results := make([]*json.RawMessage, len(found))
 
 	for i, x := range found {
-		name := x.info.Name()
+		name := x.info.InstanceName()
 		rev := x.info.Revision
 
 		url, err := route.URL("name", name)
@@ -806,15 +874,6 @@
 	return SyncResponse(results, &Meta{Sources: []string{"local"}})
 }
 
-func resultHasType(r map[string]interface{}, allowedTypes []string) bool {
-	for _, t := range allowedTypes {
-		if r["type"] == t {
-			return true
-		}
-	}
-	return false
-}
-
 // licenseData holds details about the snap license, and may be
 // marshaled back as an error when the license agreement is pending,
 // and is expected as input to accept (or not) that license
@@ -845,6 +904,7 @@
 	LeaveOld bool         `json:"temp-dropped-leave-old"`
 	License  *licenseData `json:"license"`
 	Snaps    []string     `json:"snaps"`
+	Users    []string     `json:"users"`
 
 	// The fields below should not be unmarshalled into. Do not export them.
 	userID int
@@ -866,9 +926,10 @@
 }
 
 type snapInstructionResult struct {
-	summary  string
-	affected []string
-	tasksets []*state.TaskSet
+	Summary  string
+	Affected []string
+	Tasksets []*state.TaskSet
+	Result   map[string]interface{}
 }
 
 var (
@@ -882,7 +943,12 @@
 	snapstateRemoveMany        = snapstate.RemoveMany
 	snapstateRevert            = snapstate.Revert
 	snapstateRevertToRevision  = snapstate.RevertToRevision
-	snapstateSwitch            = snapstate.Switch
+
+	snapshotList    = snapshotstate.List
+	snapshotCheck   = snapshotstate.Check
+	snapshotForget  = snapshotstate.Forget
+	snapshotRestore = snapshotstate.Restore
+	snapshotSave    = snapshotstate.Save
 
 	assertstateRefreshSnapDeclarations = assertstate.RefreshSnapDeclarations
 )
@@ -893,8 +959,6 @@
 
 var ensureStateSoon = ensureStateSoonImpl
 
-var errNothingToInstall = errors.New("nothing to install")
-
 var errDevJailModeConflict = errors.New("cannot use devmode and jailmode flags together")
 var errClassicDevmodeConflict = errors.New("cannot use classic and devmode flags together")
 var errNoJailMode = errors.New("this system cannot honour the jailmode flag")
@@ -926,7 +990,7 @@
 	}
 
 	// TODO: use a per-request context
-	updated, tasksets, err := snapstateUpdateMany(context.TODO(), st, inst.Snaps, inst.userID)
+	updated, tasksets, err := snapstateUpdateMany(context.TODO(), st, inst.Snaps, inst.userID, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -938,7 +1002,7 @@
 			// TRANSLATORS: the %s is a comma-separated list of quoted snap names
 			msg = fmt.Sprintf(i18n.G("Refresh snaps %s: no updates"), strutil.Quoted(inst.Snaps))
 		} else {
-			msg = fmt.Sprintf(i18n.G("Refresh all snaps: no updates"))
+			msg = i18n.G("Refresh all snaps: no updates")
 		}
 	case 1:
 		msg = fmt.Sprintf(i18n.G("Refresh snap %q"), updated[0])
@@ -949,9 +1013,9 @@
 	}
 
 	return &snapInstructionResult{
-		summary:  msg,
-		affected: updated,
-		tasksets: tasksets,
+		Summary:  msg,
+		Affected: updated,
+		Tasksets: tasksets,
 	}, nil
 }
 
@@ -971,6 +1035,11 @@
 }
 
 func snapInstallMany(inst *snapInstruction, st *state.State) (*snapInstructionResult, error) {
+	for _, name := range inst.Snaps {
+		if len(name) == 0 {
+			return nil, fmt.Errorf(i18n.G("cannot install snap with empty name"))
+		}
+	}
 	installed, tasksets, err := snapstateInstallMany(st, inst.Snaps, inst.userID)
 	if err != nil {
 		return nil, err
@@ -989,13 +1058,17 @@
 	}
 
 	return &snapInstructionResult{
-		summary:  msg,
-		affected: installed,
-		tasksets: tasksets,
+		Summary:  msg,
+		Affected: installed,
+		Tasksets: tasksets,
 	}, nil
 }
 
 func snapInstall(inst *snapInstruction, st *state.State) (string, []*state.TaskSet, error) {
+	if len(inst.Snaps[0]) == 0 {
+		return "", nil, fmt.Errorf(i18n.G("cannot install snap with empty name"))
+	}
+
 	flags, err := inst.installFlags()
 	if err != nil {
 		return "", nil, err
@@ -1065,9 +1138,9 @@
 	}
 
 	return &snapInstructionResult{
-		summary:  msg,
-		affected: removed,
-		tasksets: tasksets,
+		Summary:  msg,
+		Affected: removed,
+		Tasksets: tasksets,
 	}, nil
 }
 
@@ -1141,6 +1214,28 @@
 	return msg, []*state.TaskSet{ts}, nil
 }
 
+func snapshotMany(inst *snapInstruction, st *state.State) (*snapInstructionResult, error) {
+	setID, snapshotted, ts, err := snapshotSave(st, inst.Snaps, inst.Users)
+	if err != nil {
+		return nil, err
+	}
+
+	var msg string
+	if len(inst.Snaps) == 0 {
+		msg = i18n.G("Snapshot all snaps")
+	} else {
+		// TRANSLATORS: the %s is a comma-separated list of quoted snap names
+		msg = fmt.Sprintf(i18n.G("Snapshot snaps %s"), strutil.Quoted(inst.Snaps))
+	}
+
+	return &snapInstructionResult{
+		Summary:  msg,
+		Affected: snapshotted,
+		Tasksets: []*state.TaskSet{ts},
+		Result:   map[string]interface{}{"set-id": setID},
+	}, nil
+}
+
 type snapActionFunc func(*snapInstruction, *state.State) (string, []*state.TaskSet, error)
 
 var snapInstructionDispTable = map[string]snapActionFunc{
@@ -1161,66 +1256,11 @@
 }
 
 func (inst *snapInstruction) errToResponse(err error) Response {
-	var kind errorKind
-	var snapName string
-
-	switch err {
-	case store.ErrSnapNotFound:
-		switch len(inst.Snaps) {
-		case 1:
-			return SnapNotFound(inst.Snaps[0], err)
-		// store.ErrSnapNotFound should only be returned for individual
-		// snap queries; in all other cases something's wrong
-		case 0:
-			return InternalError("store.SnapNotFound with no snap given")
-		default:
-			return InternalError("store.SnapNotFound with %d snaps", len(inst.Snaps))
-		}
-	case store.ErrNoUpdateAvailable:
-		kind = errorKindSnapNoUpdateAvailable
-	case store.ErrLocalSnap:
-		kind = errorKindSnapLocal
-	default:
-		handled := true
-		switch err := err.(type) {
-		case *snap.AlreadyInstalledError:
-			kind = errorKindSnapAlreadyInstalled
-			snapName = err.Snap
-		case *snap.NotInstalledError:
-			kind = errorKindSnapNotInstalled
-			snapName = err.Snap
-		case *snapstate.SnapNeedsDevModeError:
-			kind = errorKindSnapNeedsDevMode
-			snapName = err.Snap
-		case *snapstate.SnapNeedsClassicError:
-			kind = errorKindSnapNeedsClassic
-			snapName = err.Snap
-		case *snapstate.SnapNeedsClassicSystemError:
-			kind = errorKindSnapNeedsClassicSystem
-			snapName = err.Snap
-		case net.Error:
-			if err.Timeout() {
-				kind = errorKindNetworkTimeout
-			} else {
-				handled = false
-			}
-		default:
-			handled = false
-		}
-
-		if !handled {
-			if len(inst.Snaps) == 0 {
-				return BadRequest("cannot %s: %v", inst.Action, err)
-			}
-			return BadRequest("cannot %s %s: %v", inst.Action, strutil.Quoted(inst.Snaps), err)
-		}
+	if len(inst.Snaps) == 0 {
+		return errToResponse(err, nil, BadRequest, "cannot %s: %v", inst.Action)
 	}
 
-	return SyncResponse(&resp{
-		Type:   ResponseTypeError,
-		Result: &errorResult{Message: err.Error(), Kind: kind, Value: snapName},
-		Status: 400,
-	}, nil)
+	return errToResponse(err, inst.Snaps, BadRequest, "cannot %s %s: %v", inst.Action, strutil.Quoted(inst.Snaps))
 }
 
 func postSnap(c *Command, r *http.Request, user *auth.UserState) Response {
@@ -1308,14 +1348,14 @@
 		return BadRequest("cannot read snap info for %s: %s", trydir, err)
 	}
 
-	tset, err := snapstateTryPath(st, info.Name(), trydir, flags)
+	tset, err := snapstateTryPath(st, info.InstanceName(), trydir, flags)
 	if err != nil {
-		return BadRequest("cannot try %s: %s", trydir, err)
+		return errToResponse(err, []string{info.InstanceName()}, BadRequest, "cannot try %s: %s", trydir)
 	}
 
-	msg := fmt.Sprintf(i18n.G("Try %q snap from %s"), info.Name(), trydir)
-	chg := newChange(st, "try-snap", msg, []*state.TaskSet{tset}, []string{info.Name()})
-	chg.Set("api-data", map[string]string{"snap-name": info.Name()})
+	msg := fmt.Sprintf(i18n.G("Try %q snap from %s"), info.InstanceName(), trydir)
+	chg := newChange(st, "try-snap", msg, []*state.TaskSet{tset}, []string{info.InstanceName()})
+	chg.Set("api-data", map[string]string{"snap-name": info.InstanceName()})
 
 	ensureStateSoon(st)
 
@@ -1368,6 +1408,8 @@
 		op = snapInstallMany
 	case "remove":
 		op = snapRemoveMany
+	case "snapshot":
+		op = snapshotMany
 	default:
 		return BadRequest("unsupported multi-snap operation %q", inst.Action)
 	}
@@ -1377,17 +1419,17 @@
 	}
 
 	var chg *state.Change
-	if len(res.tasksets) == 0 {
-		chg = st.NewChange(inst.Action+"-snap", res.summary)
+	if len(res.Tasksets) == 0 {
+		chg = st.NewChange(inst.Action+"-snap", res.Summary)
 		chg.SetStatus(state.DoneStatus)
 	} else {
-		chg = newChange(st, inst.Action+"-snap", res.summary, res.tasksets, res.affected)
+		chg = newChange(st, inst.Action+"-snap", res.Summary, res.Tasksets, res.Affected)
 		ensureStateSoon(st)
 	}
 
-	chg.Set("api-data", map[string]interface{}{"snap-names": res.affected})
+	chg.Set("api-data", map[string]interface{}{"snap-names": res.Affected})
 
-	return AsyncResponse(nil, &Meta{Change: chg.ID()})
+	return AsyncResponse(res.Result, &Meta{Change: chg.ID()})
 }
 
 func postSnaps(c *Command, r *http.Request, user *auth.UserState) Response {
@@ -1431,6 +1473,8 @@
 	}
 	flags.RemoveSnapPath = true
 
+	flags.Unaliased = isTrue(form, "unaliased")
+
 	// find the file for the "snap" form field
 	var snapBody multipart.File
 	var origPath string
@@ -1459,7 +1503,8 @@
 	// we are in charge of the tempfile life cycle until we hand it off to the change
 	changeTriggered := false
 	// if you change this prefix, look for it in the tests
-	tmpf, err := ioutil.TempFile("", "snapd-sideload-pkg-")
+	// also see localInstallCleanup in snapstate/snapmgr.go
+	tmpf, err := ioutil.TempFile(dirs.SnapBlobDir, dirs.LocalInstallBlobTempPrefix)
 	if err != nil {
 		return InternalError("cannot create temporary file: %v", err)
 	}
@@ -1481,6 +1526,16 @@
 		origPath = form.Value["snap-path"][0]
 	}
 
+	var instanceName string
+
+	if len(form.Value["name"]) > 0 {
+		// caller has specified desired instance name
+		instanceName = form.Value["name"][0]
+		if err := snap.ValidateInstanceName(instanceName); err != nil {
+			return BadRequest(err.Error())
+		}
+	}
+
 	st := c.d.overlord.State()
 	st.Lock()
 	defer st.Unlock()
@@ -1516,22 +1571,31 @@
 		if err != nil {
 			return BadRequest("cannot read snap file: %v", err)
 		}
-		snapName = info.Name()
+		snapName = info.SnapName()
 		sideInfo = &snap.SideInfo{RealName: snapName}
 	}
 
-	msg := fmt.Sprintf(i18n.G("Install %q snap from file"), snapName)
+	if instanceName != "" {
+		requestedSnapName := snap.InstanceSnap(instanceName)
+		if requestedSnapName != snapName {
+			return BadRequest(fmt.Sprintf("instance name %q does not match snap name %q", instanceName, snapName))
+		}
+	} else {
+		instanceName = snapName
+	}
+
+	msg := fmt.Sprintf(i18n.G("Install %q snap from file"), instanceName)
 	if origPath != "" {
-		msg = fmt.Sprintf(i18n.G("Install %q snap from file %q"), snapName, origPath)
+		msg = fmt.Sprintf(i18n.G("Install %q snap from file %q"), instanceName, origPath)
 	}
 
-	tset, err := snapstateInstallPath(st, sideInfo, tempPath, "", flags)
+	tset, _, err := snapstateInstallPath(st, sideInfo, tempPath, instanceName, "", flags)
 	if err != nil {
-		return InternalError("cannot install snap file: %v", err)
+		return errToResponse(err, []string{snapName}, InternalError, "cannot install snap file: %v")
 	}
 
-	chg := newChange(st, "install-snap", msg, []*state.TaskSet{tset}, []string{snapName})
-	chg.Set("api-data", map[string]string{"snap-name": snapName})
+	chg := newChange(st, "install-snap", msg, []*state.TaskSet{tset}, []string{instanceName})
+	chg.Set("api-data", map[string]string{"snap-name": instanceName})
 
 	ensureStateSoon(st)
 
@@ -1578,24 +1642,11 @@
 	return iconGet(c.d.overlord.State(), name)
 }
 
-func splitQS(qs string) []string {
-	qsl := strings.Split(qs, ",")
-	split := make([]string, 0, len(qsl))
-	for _, elem := range qsl {
-		elem = strings.TrimSpace(elem)
-		if len(elem) > 0 {
-			split = append(split, elem)
-		}
-	}
-
-	return split
-}
-
 func getSnapConf(c *Command, r *http.Request, user *auth.UserState) Response {
 	vars := muxVars(r)
-	snapName := vars["name"]
+	snapName := configstate.RemapSnapFromRequest(vars["name"])
 
-	keys := splitQS(r.URL.Query().Get("keys"))
+	keys := strutil.CommaSeparatedList(r.URL.Query().Get("keys"))
 
 	s := c.d.overlord.State()
 	s.Lock()
@@ -1616,7 +1667,15 @@
 					currentConfValues = make(map[string]interface{})
 					break
 				}
-				return BadRequest("%v", err)
+				return SyncResponse(&resp{
+					Type: ResponseTypeError,
+					Result: &errorResult{
+						Message: err.Error(),
+						Kind:    errorKindConfigNoSuchOption,
+						Value:   err,
+					},
+					Status: 400,
+				}, nil)
 			} else {
 				return InternalError("%v", err)
 			}
@@ -1636,7 +1695,7 @@
 
 func setSnapConf(c *Command, r *http.Request, user *auth.UserState) Response {
 	vars := muxVars(r)
-	snapName := vars["name"]
+	snapName := configstate.RemapSnapFromRequest(vars["name"])
 
 	var patchValues map[string]interface{}
 	if err := jsonutil.DecodeWithNumber(r.Body, &patchValues); err != nil {
@@ -1649,10 +1708,11 @@
 
 	taskset, err := configstate.ConfigureInstalled(st, snapName, patchValues, 0)
 	if err != nil {
+		// TODO: just return snap-not-installed instead ?
 		if _, ok := err.(*snap.NotInstalledError); ok {
 			return SnapNotFound(snapName, err)
 		}
-		return InternalError("%v", err)
+		return errToResponse(err, []string{snapName}, InternalError, "%v")
 	}
 
 	summary := fmt.Sprintf("Change configuration of %q snap", snapName)
@@ -1675,17 +1735,17 @@
 }
 
 func getInterfaces(c *Command, r *http.Request, user *auth.UserState) Response {
+	// Collect query options from request arguments.
 	q := r.URL.Query()
 	pselect := q.Get("select")
 	if pselect != "all" && pselect != "connected" {
 		return BadRequest("unsupported select qualifier")
 	}
-	var names []string
+	var names []string // Interface names
 	namesStr := q.Get("names")
 	if namesStr != "" {
 		names = strings.Split(namesStr, ",")
 	}
-
 	opts := &interfaces.InfoOptions{
 		Names:     names,
 		Doc:       q.Get("doc") == "true",
@@ -1693,24 +1753,56 @@
 		Slots:     q.Get("slots") == "true",
 		Connected: pselect == "connected",
 	}
-	repo := c.d.overlord.InterfaceManager().Repository()
-	return SyncResponse(repo.Info(opts), nil)
+	// Query the interface repository (this returns []*interface.Info).
+	infos := c.d.overlord.InterfaceManager().Repository().Info(opts)
+	infoJSONs := make([]*interfaceJSON, 0, len(infos))
+
+	for _, info := range infos {
+		// Convert interfaces.Info into interfaceJSON
+		plugs := make([]*plugJSON, 0, len(info.Plugs))
+		for _, plug := range info.Plugs {
+			plugs = append(plugs, &plugJSON{
+				Snap:  plug.Snap.InstanceName(),
+				Name:  plug.Name,
+				Attrs: plug.Attrs,
+				Label: plug.Label,
+			})
+		}
+		slots := make([]*slotJSON, 0, len(info.Slots))
+		for _, slot := range info.Slots {
+			slots = append(slots, &slotJSON{
+				Snap:  slot.Snap.InstanceName(),
+				Name:  slot.Name,
+				Attrs: slot.Attrs,
+				Label: slot.Label,
+			})
+		}
+		infoJSONs = append(infoJSONs, &interfaceJSON{
+			Name:    info.Name,
+			Summary: info.Summary,
+			DocURL:  info.DocURL,
+			Plugs:   plugs,
+			Slots:   slots,
+		})
+	}
+	return SyncResponse(infoJSONs, nil)
 }
 
 func getLegacyConnections(c *Command, r *http.Request, user *auth.UserState) Response {
 	repo := c.d.overlord.InterfaceManager().Repository()
 	ifaces := repo.Interfaces()
 
-	var ifjson interfacesJSON
-
+	var ifjson interfaceJSON
 	plugConns := map[string][]interfaces.SlotRef{}
 	slotConns := map[string][]interfaces.PlugRef{}
 
-	for _, conn := range ifaces.Connections {
-		plugRef := conn.PlugRef.String()
-		slotRef := conn.SlotRef.String()
-		plugConns[plugRef] = append(plugConns[plugRef], conn.SlotRef)
-		slotConns[slotRef] = append(slotConns[slotRef], conn.PlugRef)
+	for _, cref := range ifaces.Connections {
+		plugRef := interfaces.PlugRef{Snap: cref.PlugRef.Snap, Name: cref.PlugRef.Name}
+		slotRef := interfaces.SlotRef{Snap: cref.SlotRef.Snap, Name: cref.SlotRef.Name}
+		plugID := plugRef.String()
+		slotID := slotRef.String()
+		plugConns[plugID] = append(plugConns[plugID], slotRef)
+		slotConns[slotID] = append(slotConns[slotID], plugRef)
 	}
 
 	for _, plug := range ifaces.Plugs {
@@ -1718,14 +1810,15 @@
 		for _, app := range plug.Apps {
 			apps = append(apps, app.Name)
 		}
-		pj := plugJSON{
-			Snap:        plug.Snap.Name(),
-			Name:        plug.Name,
+		plugRef := interfaces.PlugRef{Snap: plug.Snap.InstanceName(), Name: plug.Name}
+		pj := &plugJSON{
+			Snap:        plugRef.Snap,
+			Name:        plugRef.Name,
 			Interface:   plug.Interface,
 			Attrs:       plug.Attrs,
 			Apps:        apps,
 			Label:       plug.Label,
-			Connections: plugConns[plug.String()],
+			Connections: plugConns[plugRef.String()],
 		}
 		ifjson.Plugs = append(ifjson.Plugs, pj)
 	}
@@ -1734,58 +1827,22 @@
 		for _, app := range slot.Apps {
 			apps = append(apps, app.Name)
 		}
-
-		sj := slotJSON{
-			Snap:        slot.Snap.Name(),
-			Name:        slot.Name,
+		slotRef := interfaces.SlotRef{Snap: slot.Snap.InstanceName(), Name: slot.Name}
+		sj := &slotJSON{
+			Snap:        slotRef.Snap,
+			Name:        slotRef.Name,
 			Interface:   slot.Interface,
 			Attrs:       slot.Attrs,
 			Apps:        apps,
 			Label:       slot.Label,
-			Connections: slotConns[slot.String()],
+			Connections: slotConns[slotRef.String()],
 		}
 		ifjson.Slots = append(ifjson.Slots, sj)
 	}
-
 	return SyncResponse(ifjson, nil)
 }
 
-// plugJSON aids in marshaling Plug into JSON.
-type plugJSON struct {
-	Snap        string                 `json:"snap"`
-	Name        string                 `json:"plug"`
-	Interface   string                 `json:"interface"`
-	Attrs       map[string]interface{} `json:"attrs,omitempty"`
-	Apps        []string               `json:"apps,omitempty"`
-	Label       string                 `json:"label"`
-	Connections []interfaces.SlotRef   `json:"connections,omitempty"`
-}
-
-// slotJSON aids in marshaling Slot into JSON.
-type slotJSON struct {
-	Snap        string                 `json:"snap"`
-	Name        string                 `json:"slot"`
-	Interface   string                 `json:"interface"`
-	Attrs       map[string]interface{} `json:"attrs,omitempty"`
-	Apps        []string               `json:"apps,omitempty"`
-	Label       string                 `json:"label"`
-	Connections []interfaces.PlugRef   `json:"connections,omitempty"`
-}
-
-// interfacesJSON aids in marshaling plugs, slots and their connections into JSON.
-type interfacesJSON struct {
-	Plugs []plugJSON `json:"plugs,omitempty"`
-	Slots []slotJSON `json:"slots,omitempty"`
-}
-
-// interfaceAction is an action performed on the interface system.
-type interfaceAction struct {
-	Action string     `json:"action"`
-	Plugs  []plugJSON `json:"plugs,omitempty"`
-	Slots  []slotJSON `json:"slots,omitempty"`
-}
-
-func snapNamesFromConns(conns []interfaces.ConnRef) []string {
+func snapNamesFromConns(conns []*interfaces.ConnRef) []string {
 	m := make(map[string]bool)
 	for _, conn := range conns {
 		m[conn.PlugRef.Snap] = true
@@ -1801,8 +1858,6 @@
 
 // changeInterfaces controls the interfaces system.
 // Plugs can be connected to and disconnected from slots.
-// When enableInternalInterfaceActions is true plugs and slots can also be
-// explicitly added and removed.
 func changeInterfaces(c *Command, r *http.Request, user *auth.UserState) Response {
 	var a interfaceAction
 	decoder := json.NewDecoder(r.Body)
@@ -1812,9 +1867,6 @@
 	if a.Action == "" {
 		return BadRequest("interface action not specified")
 	}
-	if !c.d.enableInternalInterfaceActions && a.Action != "connect" && a.Action != "disconnect" {
-		return BadRequest("internal interface actions are disabled")
-	}
 	if len(a.Plugs) > 1 || len(a.Slots) > 1 {
 		return NotImplemented("many-to-many operations are not implemented")
 	}
@@ -1835,20 +1887,32 @@
 	st.Lock()
 	defer st.Unlock()
 
+	for i := range a.Plugs {
+		a.Plugs[i].Snap = ifacestate.RemapSnapFromRequest(a.Plugs[i].Snap)
+	}
+	for i := range a.Slots {
+		a.Slots[i].Snap = ifacestate.RemapSnapFromRequest(a.Slots[i].Snap)
+	}
+
 	switch a.Action {
 	case "connect":
-		var connRef interfaces.ConnRef
+		var connRef *interfaces.ConnRef
 		repo := c.d.overlord.InterfaceManager().Repository()
 		connRef, err = repo.ResolveConnect(a.Plugs[0].Snap, a.Plugs[0].Name, a.Slots[0].Snap, a.Slots[0].Name)
 		if err == nil {
 			var ts *state.TaskSet
+			affected = snapNamesFromConns([]*interfaces.ConnRef{connRef})
 			summary = fmt.Sprintf("Connect %s:%s to %s:%s", connRef.PlugRef.Snap, connRef.PlugRef.Name, connRef.SlotRef.Snap, connRef.SlotRef.Name)
 			ts, err = ifacestate.Connect(st, connRef.PlugRef.Snap, connRef.PlugRef.Name, connRef.SlotRef.Snap, connRef.SlotRef.Name)
+			if _, ok := err.(*ifacestate.ErrAlreadyConnected); ok {
+				change := newChange(st, a.Action+"-snap", summary, nil, affected)
+				change.SetStatus(state.DoneStatus)
+				return AsyncResponse(nil, &Meta{Change: change.ID()})
+			}
 			tasksets = append(tasksets, ts)
-			affected = snapNamesFromConns([]interfaces.ConnRef{connRef})
 		}
 	case "disconnect":
-		var conns []interfaces.ConnRef
+		var conns []*interfaces.ConnRef
 		repo := c.d.overlord.InterfaceManager().Repository()
 		summary = fmt.Sprintf("Disconnect %s:%s from %s:%s", a.Plugs[0].Snap, a.Plugs[0].Name, a.Slots[0].Snap, a.Slots[0].Name)
 		conns, err = repo.ResolveDisconnect(a.Plugs[0].Snap, a.Plugs[0].Name, a.Slots[0].Snap, a.Slots[0].Name)
@@ -1858,7 +1922,11 @@
 			}
 			for _, connRef := range conns {
 				var ts *state.TaskSet
-				ts, err = ifacestate.Disconnect(st, connRef.PlugRef.Snap, connRef.PlugRef.Name, connRef.SlotRef.Snap, connRef.SlotRef.Name)
+				conn, err := repo.Connection(connRef)
+				if err != nil {
+					break
+				}
+				ts, err = ifacestate.Disconnect(st, conn)
 				if err != nil {
 					break
 				}
@@ -1869,7 +1937,7 @@
 		}
 	}
 	if err != nil {
-		return BadRequest("%v", err)
+		return errToResponse(err, nil, BadRequest, "%v")
 	}
 
 	change := newChange(st, a.Action+"-snap", summary, tasksets, affected)
@@ -2125,12 +2193,20 @@
 	postCreateUserUcrednetGet = ucrednetGet
 	runSnapctlUcrednetGet     = ucrednetGet
 	ctlcmdRun                 = ctlcmd.Run
-	storeUserInfo             = store.UserInfo
 	osutilAddUser             = osutil.AddUser
 )
 
-func getUserDetailsFromStore(email string) (string, *osutil.AddUserOptions, error) {
-	v, err := storeUserInfo(email)
+func makeHttpClient(st *state.State) *http.Client {
+	proxyConf := proxyconf.New(st)
+	return httputil.NewHTTPClient(&httputil.ClientOptions{
+		Timeout:    10 * time.Second,
+		MayLogBody: true,
+		Proxy:      proxyConf.Conf,
+	})
+}
+
+func getUserDetailsFromStore(theStore snapstate.StoreService, email string) (string, *osutil.AddUserOptions, error) {
+	v, err := theStore.UserInfo(email)
 	if err != nil {
 		return "", nil, fmt.Errorf("cannot create user %q: %s", email, err)
 	}
@@ -2244,9 +2320,10 @@
 
 	gecos := fmt.Sprintf("%s,%s", email, su.Name())
 	opts := &osutil.AddUserOptions{
-		SSHKeys:  su.SSHKeys(),
-		Gecos:    gecos,
-		Password: su.Password(),
+		SSHKeys:             su.SSHKeys(),
+		Gecos:               gecos,
+		Password:            su.Password(),
+		ForcePasswordChange: su.ForcePasswordChange(),
 	}
 	return su.Username(), opts, nil
 }
@@ -2352,7 +2429,7 @@
 	if createData.Known {
 		username, opts, err = getUserDetailsFromAssertion(st, createData.Email)
 	} else {
-		username, opts, err = getUserDetailsFromStore(createData.Email)
+		username, opts, err = getUserDetailsFromStore(getStore(c), createData.Email)
 	}
 	if err != nil {
 		return BadRequest("%s", err)
@@ -2424,7 +2501,13 @@
 }
 
 type debugAction struct {
-	Action string `json:"action"`
+	Action  string `json:"action"`
+	Message string `json:"message"`
+}
+
+type ConnectivityStatus struct {
+	Connectivity bool     `json:"connectivity"`
+	Unreachable  []string `json:"unreachable,omitempty"`
 }
 
 func postDebug(c *Command, r *http.Request, user *auth.UserState) Response {
@@ -2439,6 +2522,12 @@
 	defer st.Unlock()
 
 	switch a.Action {
+	case "add-warning":
+		st.Warnf("%v", a.Message)
+		return SyncResponse(true, nil)
+	case "unshow-warnings":
+		st.UnshowAllWarnings()
+		return SyncResponse(true, nil)
 	case "ensure-state-soon":
 		ensureStateSoon(st)
 		return SyncResponse(true, nil)
@@ -2452,13 +2541,31 @@
 		}, nil)
 	case "can-manage-refreshes":
 		return SyncResponse(devicestate.CanManageRefreshes(st), nil)
+	case "connectivity":
+		s := snapstate.Store(st)
+		st.Unlock()
+		checkResult, err := s.ConnectivityCheck()
+		st.Lock()
+		if err != nil {
+			return InternalError("cannot run connectivity check: %v", err)
+		}
+		status := ConnectivityStatus{Connectivity: true}
+		for host, reachable := range checkResult {
+			if !reachable {
+				status.Connectivity = false
+				status.Unreachable = append(status.Unreachable, host)
+			}
+		}
+		sort.Strings(status.Unreachable)
+
+		return SyncResponse(status, nil)
 	default:
 		return BadRequest("unknown debug action: %v", a.Action)
 	}
 }
 
 func postBuy(c *Command, r *http.Request, user *auth.UserState) Response {
-	var opts store.BuyOptions
+	var opts client.BuyOptions
 
 	decoder := json.NewDecoder(r.Body)
 	err := decoder.Decode(&opts)
@@ -2501,16 +2608,15 @@
 	if err != nil {
 		return Forbidden("cannot get remote user: %s", err)
 	}
-	// we only allow "get" from regular users in snapctl
-	if uid != 0 && snapctlOptions.Args[0] != "get" {
-		return Forbidden("cannot use %q with uid %d, try with sudo", snapctlOptions.Args[0], uid)
-	}
 
 	// Ignore missing context error to allow 'snapctl -h' without a context;
 	// Actual context is validated later by get/set.
 	context, _ := c.d.overlord.HookManager().Context(snapctlOptions.ContextID)
-	stdout, stderr, err := ctlcmdRun(context, snapctlOptions.Args)
+	stdout, stderr, err := ctlcmdRun(context, snapctlOptions.Args, uid)
 	if err != nil {
+		if e, ok := err.(*ctlcmd.ForbiddenCommandError); ok {
+			return Forbidden(e.Error())
+		}
 		if e, ok := err.(*flags.Error); ok && e.Type == flags.ErrHelp {
 			stdout = []byte(e.Error())
 		} else {
@@ -2618,7 +2724,7 @@
 		taskset, err = snapstate.Prefer(st, a.Snap)
 	}
 	if err != nil {
-		return BadRequest("%v", err)
+		return errToResponse(err, nil, BadRequest, "%v")
 	}
 
 	var summary string
@@ -2705,27 +2811,28 @@
 		return BadRequest("invalid select parameter: %q", sel)
 	}
 
-	appInfos, rsp := appInfosFor(c.d.overlord.State(), splitQS(query.Get("names")), opts)
+	appInfos, rsp := appInfosFor(c.d.overlord.State(), strutil.CommaSeparatedList(query.Get("names")), opts)
 	if rsp != nil {
 		return rsp
 	}
 
-	return SyncResponse(clientAppInfosFromSnapAppInfos(appInfos), nil)
+	clientAppInfos, err := cmd.ClientAppInfosFromSnapAppInfos(appInfos)
+	if err != nil {
+		return InternalError("%v", err)
+	}
+
+	return SyncResponse(clientAppInfos, nil)
 }
 
 func getLogs(c *Command, r *http.Request, user *auth.UserState) Response {
 	query := r.URL.Query()
-	n := "10"
+	n := 10
 	if s := query.Get("n"); s != "" {
 		m, err := strconv.ParseInt(s, 0, 32)
 		if err != nil {
 			return BadRequest(`invalid value for n: %q: %v`, s, err)
 		}
-		if m < 0 {
-			n = "all"
-		} else {
-			n = s
-		}
+		n = int(m)
 	}
 	follow := false
 	if s := query.Get("follow"); s != "" {
@@ -2738,7 +2845,7 @@
 
 	// only services have logs for now
 	opts := appInfoOptions{service: true}
-	appInfos, rsp := appInfosFor(c.d.overlord.State(), splitQS(query.Get("names")), opts)
+	appInfos, rsp := appInfosFor(c.d.overlord.State(), strutil.CommaSeparatedList(query.Get("names")), opts)
 	if rsp != nil {
 		return rsp
 	}
@@ -2786,8 +2893,9 @@
 		return InternalError("no services found")
 	}
 
-	ts, err := servicestate.Control(st, appInfos, &inst, nil)
+	tss, err := servicestate.Control(st, appInfos, &inst, nil)
 	if err != nil {
+		// TODO: use errToResponse here too and introduce a proper error kind ?
 		if _, ok := err.(servicestate.ServiceActionConflictError); ok {
 			return Conflict(err.Error())
 		}
@@ -2795,7 +2903,65 @@
 	}
 	st.Lock()
 	defer st.Unlock()
-	chg := newChange(st, "service-control", fmt.Sprintf("Running service command"), []*state.TaskSet{ts}, inst.Names)
+	chg := newChange(st, "service-control", fmt.Sprintf("Running service command"), tss, inst.Names)
 	st.EnsureBefore(0)
 	return AsyncResponse(nil, &Meta{Change: chg.ID()})
 }
+
+var (
+	stateOkayWarnings    = (*state.State).OkayWarnings
+	stateAllWarnings     = (*state.State).AllWarnings
+	statePendingWarnings = (*state.State).PendingWarnings
+)
+
+func ackWarnings(c *Command, r *http.Request, _ *auth.UserState) Response {
+	defer r.Body.Close()
+	var op struct {
+		Action    string    `json:"action"`
+		Timestamp time.Time `json:"timestamp"`
+	}
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&op); err != nil {
+		return BadRequest("cannot decode request body into warnings operation: %v", err)
+	}
+	if op.Action != "okay" {
+		return BadRequest("unknown warning action %q", op.Action)
+	}
+	st := c.d.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+	n := stateOkayWarnings(st, op.Timestamp)
+
+	return SyncResponse(n, nil)
+}
+
+func getWarnings(c *Command, r *http.Request, _ *auth.UserState) Response {
+	query := r.URL.Query()
+	var all bool
+	sel := query.Get("select")
+	switch sel {
+	case "all":
+		all = true
+	case "pending", "":
+		all = false
+	default:
+		return BadRequest("invalid select parameter: %q", sel)
+	}
+
+	st := c.d.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+
+	var ws []*state.Warning
+	if all {
+		ws = stateAllWarnings(st)
+	} else {
+		ws, _ = statePendingWarnings(st)
+	}
+	if len(ws) == 0 {
+		// no need to confuse the issue
+		return SyncResponse([]state.Warning{}, nil)
+	}
+
+	return SyncResponse(ws, nil)
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/api_json.go snapd-2.37~rc1~14.04/daemon/api_json.go
--- snapd-2.32.3.2~14.04/daemon/api_json.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/api_json.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,64 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package daemon
+
+import (
+	"github.com/snapcore/snapd/interfaces"
+)
+
+// plugJSON aids in marshaling snap.PlugInfo into JSON.
+type plugJSON struct {
+	Snap      string                 `json:"snap"`
+	Name      string                 `json:"plug"`
+	Interface string                 `json:"interface,omitempty"`
+	Attrs     map[string]interface{} `json:"attrs,omitempty"`
+	Apps      []string               `json:"apps,omitempty"`
+	Label     string                 `json:"label,omitempty"`
+	// Connections are synthesized, they are not on the original type.
+	Connections []interfaces.SlotRef `json:"connections,omitempty"`
+}
+
+// slotJSON aids in marshaling snap.SlotInfo into JSON.
+type slotJSON struct {
+	Snap      string                 `json:"snap"`
+	Name      string                 `json:"slot"`
+	Interface string                 `json:"interface,omitempty"`
+	Attrs     map[string]interface{} `json:"attrs,omitempty"`
+	Apps      []string               `json:"apps,omitempty"`
+	Label     string                 `json:"label,omitempty"`
+	// Connections are synthesized, they are not on the original type.
+	Connections []interfaces.PlugRef `json:"connections,omitempty"`
+}
+
+// interfaceJSON aids in marshaling interfaces.Info into JSON.
+type interfaceJSON struct {
+	Name    string      `json:"name,omitempty"`
+	Summary string      `json:"summary,omitempty"`
+	DocURL  string      `json:"doc-url,omitempty"`
+	Plugs   []*plugJSON `json:"plugs,omitempty"`
+	Slots   []*slotJSON `json:"slots,omitempty"`
+}
+
+// interfaceAction is an action performed on the interface system.
+type interfaceAction struct {
+	Action string     `json:"action"`
+	Plugs  []plugJSON `json:"plugs,omitempty"`
+	Slots  []slotJSON `json:"slots,omitempty"`
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/api_mock_test.go snapd-2.37~rc1~14.04/daemon/api_mock_test.go
--- snapd-2.32.3.2~14.04/daemon/api_mock_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/api_mock_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -41,16 +41,17 @@
 	defer st.Unlock()
 
 	// Put a side info into the state
-	snapstate.Set(st, snapInfo.Name(), &snapstate.SnapState{
+	snapstate.Set(st, snapInfo.InstanceName(), &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
 			{
-				RealName: snapInfo.Name(),
+				RealName: snapInfo.SnapName(),
 				Revision: snapInfo.Revision,
 				SnapID:   "ididid",
 			},
 		},
-		Current: snapInfo.Revision,
+		Current:  snapInfo.Revision,
+		SnapType: string(snapInfo.Type),
 	})
 
 	// Put the snap into the interface repository
@@ -68,11 +69,6 @@
 	c.Assert(err, IsNil)
 }
 
-var simpleYaml = `
-name: simple
-version: 1
-`
-
 var consumerYaml = `
 name: consumer
 version: 1
@@ -93,6 +89,16 @@
 slots:
  slot:
   interface: test
+  key: value
+  label: label
+`
+
+var coreProducerYaml = `
+name: core
+version: 1
+slots:
+ slot:
+  interface: test
   key: value
   label: label
 `
diff -Nru snapd-2.32.3.2~14.04/daemon/api_snapshots.go snapd-2.37~rc1~14.04/daemon/api_snapshots.go
--- snapd-2.32.3.2~14.04/daemon/api_snapshots.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/api_snapshots.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,140 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package daemon
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"golang.org/x/net/context"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/strutil"
+)
+
+var snapshotCmd = &Command{
+	// TODO: also support /v2/snapshots/<id>
+	Path:     "/v2/snapshots",
+	UserOK:   true,
+	PolkitOK: "io.snapcraft.snapd.manage",
+	GET:      listSnapshots,
+	POST:     changeSnapshots,
+}
+
+func listSnapshots(c *Command, r *http.Request, user *auth.UserState) Response {
+	query := r.URL.Query()
+	var setID uint64
+	if sid := query.Get("set"); sid != "" {
+		var err error
+		setID, err = strconv.ParseUint(sid, 10, 64)
+		if err != nil {
+			return BadRequest("'set', if given, must be a positive base 10 number; got %q", sid)
+		}
+	}
+
+	sets, err := snapshotList(context.TODO(), setID, strutil.CommaSeparatedList(r.URL.Query().Get("snaps")))
+	if err != nil {
+		return InternalError("%v", err)
+	}
+	return SyncResponse(sets, nil)
+}
+
+// A snapshotAction is used to request an operation on a snapshot
+// keep this in sync with client/snapshotAction...
+type snapshotAction struct {
+	SetID  uint64   `json:"set"`
+	Action string   `json:"action"`
+	Snaps  []string `json:"snaps,omitempty"`
+	Users  []string `json:"users,omitempty"`
+}
+
+func (action snapshotAction) String() string {
+	// verb of snapshot #N [for snaps %q] [for users %q]
+	var snaps string
+	var users string
+	if len(action.Snaps) > 0 {
+		snaps = " for snaps " + strutil.Quoted(action.Snaps)
+	}
+	if len(action.Users) > 0 {
+		users = " for users " + strutil.Quoted(action.Users)
+	}
+	return fmt.Sprintf("%s of snapshot set #%d%s%s", strings.Title(action.Action), action.SetID, snaps, users)
+}
+
+func changeSnapshots(c *Command, r *http.Request, user *auth.UserState) Response {
+	var action snapshotAction
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&action); err != nil {
+		return BadRequest("cannot decode request body into snapshot operation: %v", err)
+	}
+	if decoder.More() {
+		return BadRequest("extra content found after snapshot operation")
+	}
+
+	if action.SetID == 0 {
+		return BadRequest("snapshot operation requires snapshot set ID")
+	}
+
+	if action.Action == "" {
+		return BadRequest("snapshot operation requires action")
+	}
+
+	var affected []string
+	var ts *state.TaskSet
+	var err error
+
+	st := c.d.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+
+	switch action.Action {
+	case "check":
+		affected, ts, err = snapshotCheck(st, action.SetID, action.Snaps, action.Users)
+	case "restore":
+		affected, ts, err = snapshotRestore(st, action.SetID, action.Snaps, action.Users)
+	case "forget":
+		if len(action.Users) != 0 {
+			return BadRequest(`snapshot "forget" operation cannot specify users`)
+		}
+		affected, ts, err = snapshotForget(st, action.SetID, action.Snaps)
+	default:
+		return BadRequest("unknown snapshot operation %q", action.Action)
+	}
+
+	switch err {
+	case nil:
+		// woo
+	case client.ErrSnapshotSetNotFound, client.ErrSnapshotSnapsNotFound:
+		return NotFound("%v", err)
+	default:
+		return InternalError("%v", err)
+	}
+
+	chg := newChange(st, action.Action+"-snapshot", action.String(), []*state.TaskSet{ts}, affected)
+	chg.Set("api-data", map[string]interface{}{"snap-names": affected})
+	ensureStateSoon(st)
+
+	return AsyncResponse(nil, &Meta{Change: chg.ID()})
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/api_snapshots_test.go snapd-2.37~rc1~14.04/daemon/api_snapshots_test.go
--- snapd-2.32.3.2~14.04/daemon/api_snapshots_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/api_snapshots_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,321 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package daemon_test
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"golang.org/x/net/context"
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/daemon"
+	"github.com/snapcore/snapd/overlord"
+	"github.com/snapcore/snapd/overlord/assertstate"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/store/storetest"
+)
+
+var _ = check.Suite(&snapshotSuite{})
+
+type snapshotSuite struct {
+	d *daemon.Daemon
+	o *overlord.Overlord
+}
+
+func (s *snapshotSuite) SetUpTest(c *check.C) {
+	s.o = overlord.Mock()
+	s.d = daemon.NewWithOverlord(s.o)
+
+	st := s.o.State()
+	// adds an assertion db
+	assertstate.Manager(st, s.o.TaskRunner())
+	st.Lock()
+	defer st.Unlock()
+	snapstate.ReplaceStore(st, storetest.Store{})
+}
+
+func (s *snapshotSuite) TearDownTest(c *check.C) {
+	s.o = nil
+	s.d = nil
+}
+
+func (s *snapshotSuite) TestSnapshotMany(c *check.C) {
+	defer daemon.MockSnapshotSave(func(s *state.State, snaps, users []string) (uint64, []string, *state.TaskSet, error) {
+		c.Check(snaps, check.HasLen, 2)
+		t := s.NewTask("fake-snapshot-2", "Snapshot two")
+		return 1, snaps, state.NewTaskSet(t), nil
+	})()
+
+	inst := daemon.MustUnmarshalSnapInstruction(c, `{"action": "snapshot", "snaps": ["foo", "bar"]}`)
+	st := s.o.State()
+	st.Lock()
+	res, err := daemon.SnapshotMany(inst, st)
+	st.Unlock()
+	c.Assert(err, check.IsNil)
+	c.Check(res.Summary, check.Equals, `Snapshot snaps "foo", "bar"`)
+	c.Check(res.Affected, check.DeepEquals, inst.Snaps)
+}
+
+func (s *snapshotSuite) TestListSnapshots(c *check.C) {
+	snapshots := []client.SnapshotSet{{ID: 1}, {ID: 42}}
+
+	defer daemon.MockSnapshotList(func(context.Context, uint64, []string) ([]client.SnapshotSet, error) {
+		return snapshots, nil
+	})()
+
+	c.Check(daemon.SnapshotCmd.Path, check.Equals, "/v2/snapshots")
+	req, err := http.NewRequest("GET", "/v2/snapshots", nil)
+	c.Assert(err, check.IsNil)
+
+	rsp := daemon.ListSnapshots(daemon.SnapshotCmd, req, nil)
+	c.Check(rsp.Type, check.Equals, daemon.ResponseTypeSync)
+	c.Check(rsp.Status, check.Equals, 200)
+	c.Check(rsp.Result, check.DeepEquals, snapshots)
+}
+
+func (s *snapshotSuite) TestListSnapshotsFiltering(c *check.C) {
+	snapshots := []client.SnapshotSet{{ID: 1}, {ID: 42}}
+
+	defer daemon.MockSnapshotList(func(_ context.Context, setID uint64, _ []string) ([]client.SnapshotSet, error) {
+		c.Assert(setID, check.Equals, uint64(42))
+		return snapshots[1:], nil
+	})()
+
+	req, err := http.NewRequest("GET", "/v2/snapshots?set=42", nil)
+	c.Assert(err, check.IsNil)
+
+	rsp := daemon.ListSnapshots(daemon.SnapshotCmd, req, nil)
+	c.Check(rsp.Type, check.Equals, daemon.ResponseTypeSync)
+	c.Check(rsp.Status, check.Equals, 200)
+	c.Check(rsp.Result, check.DeepEquals, []client.SnapshotSet{{ID: 42}})
+}
+
+func (s *snapshotSuite) TestListSnapshotsBadFiltering(c *check.C) {
+	defer daemon.MockSnapshotList(func(_ context.Context, setID uint64, _ []string) ([]client.SnapshotSet, error) {
+		c.Fatal("snapshotList should not be reached (should have been blocked by validation!)")
+		return nil, nil
+	})()
+
+	req, err := http.NewRequest("GET", "/v2/snapshots?set=no", nil)
+	c.Assert(err, check.IsNil)
+
+	rsp := daemon.ListSnapshots(daemon.SnapshotCmd, req, nil)
+	c.Assert(rsp.Type, check.Equals, daemon.ResponseTypeError)
+	c.Check(rsp.Status, check.Equals, 400)
+	c.Check(rsp.ErrorResult().Message, check.Equals, `'set', if given, must be a positive base 10 number; got "no"`)
+}
+
+func (s *snapshotSuite) TestListSnapshotsListError(c *check.C) {
+	defer daemon.MockSnapshotList(func(_ context.Context, setID uint64, _ []string) ([]client.SnapshotSet, error) {
+		return nil, errors.New("no")
+	})()
+
+	c.Check(daemon.SnapshotCmd.Path, check.Equals, "/v2/snapshots")
+	req, err := http.NewRequest("GET", "/v2/snapshots", nil)
+	c.Assert(err, check.IsNil)
+
+	rsp := daemon.ListSnapshots(daemon.SnapshotCmd, req, nil)
+	c.Assert(rsp.Type, check.Equals, daemon.ResponseTypeError)
+	c.Check(rsp.Status, check.Equals, 500)
+	c.Check(rsp.ErrorResult().Message, check.Equals, "no")
+}
+
+func (s *snapshotSuite) TestFormatSnapshotAction(c *check.C) {
+	type table struct {
+		action   string
+		expected string
+	}
+	tests := []table{
+		{
+			`{"set": 2, "action": "verb"}`,
+			`Verb of snapshot set #2`,
+		}, {
+			`{"set": 2, "action": "verb", "snaps": ["foo"]}`,
+			`Verb of snapshot set #2 for snaps "foo"`,
+		}, {
+			`{"set": 2, "action": "verb", "snaps": ["foo", "bar"]}`,
+			`Verb of snapshot set #2 for snaps "foo", "bar"`,
+		}, {
+			`{"set": 2, "action": "verb", "users": ["meep"]}`,
+			`Verb of snapshot set #2 for users "meep"`,
+		}, {
+			`{"set": 2, "action": "verb", "users": ["meep", "quux"]}`,
+			`Verb of snapshot set #2 for users "meep", "quux"`,
+		}, {
+			`{"set": 2, "action": "verb", "users": ["meep", "quux"], "snaps": ["foo", "bar"]}`,
+			`Verb of snapshot set #2 for snaps "foo", "bar" for users "meep", "quux"`,
+		},
+	}
+
+	for _, test := range tests {
+		action := daemon.MustUnmarshalSnapshotAction(c, test.action)
+		c.Check(action.String(), check.Equals, test.expected)
+	}
+}
+
+func (s *snapshotSuite) TestChangeSnapshots400(c *check.C) {
+	type table struct{ body, error string }
+	tests := []table{
+		{
+			body:  `"woodchucks`,
+			error: "cannot decode request body into snapshot operation:.*",
+		}, {
+			body:  `{}"woodchucks`,
+			error: "extra content found after snapshot operation",
+		}, {
+			body:  `{}`,
+			error: "snapshot operation requires snapshot set ID",
+		}, {
+			body:  `{"set": 42}`,
+			error: "snapshot operation requires action",
+		}, {
+			body:  `{"set": 42, "action": "carrots"}`,
+			error: `unknown snapshot operation "carrots"`,
+		}, {
+			body:  `{"set": 42, "action": "forget", "users": ["foo"]}`,
+			error: `snapshot "forget" operation cannot specify users`,
+		},
+	}
+
+	for i, test := range tests {
+		comm := check.Commentf("%d:%q", i, test.body)
+		req, err := http.NewRequest("POST", "/v2/snapshots", strings.NewReader(test.body))
+		c.Assert(err, check.IsNil, comm)
+
+		rsp := daemon.ChangeSnapshots(daemon.SnapshotCmd, req, nil)
+		c.Check(rsp.Type, check.Equals, daemon.ResponseTypeError, comm)
+		c.Check(rsp.Status, check.Equals, 400, comm)
+		c.Check(rsp.ErrorResult().Message, check.Matches, test.error, comm)
+	}
+}
+
+func (s *snapshotSuite) TestChangeSnapshots404(c *check.C) {
+	var done string
+	expectedError := errors.New("bzzt")
+	defer daemon.MockSnapshotCheck(func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error) {
+		done = "check"
+		return nil, nil, expectedError
+	})()
+	defer daemon.MockSnapshotRestore(func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error) {
+		done = "restore"
+		return nil, nil, expectedError
+	})()
+	defer daemon.MockSnapshotForget(func(*state.State, uint64, []string) ([]string, *state.TaskSet, error) {
+		done = "forget"
+		return nil, nil, expectedError
+	})()
+	for _, expectedError = range []error{client.ErrSnapshotSetNotFound, client.ErrSnapshotSnapsNotFound} {
+		for _, action := range []string{"check", "restore", "forget"} {
+			done = ""
+			comm := check.Commentf("%s/%s", action, expectedError)
+			body := fmt.Sprintf(`{"set": 42, "action": "%s"}`, action)
+			req, err := http.NewRequest("POST", "/v2/snapshots", strings.NewReader(body))
+			c.Assert(err, check.IsNil, comm)
+
+			rsp := daemon.ChangeSnapshots(daemon.SnapshotCmd, req, nil)
+			c.Check(rsp.Type, check.Equals, daemon.ResponseTypeError, comm)
+			c.Check(rsp.Status, check.Equals, 404, comm)
+			c.Check(rsp.ErrorResult().Message, check.Matches, expectedError.Error(), comm)
+			c.Check(done, check.Equals, action, comm)
+		}
+	}
+}
+
+func (s *snapshotSuite) TestChangeSnapshots500(c *check.C) {
+	var done string
+	expectedError := errors.New("bzzt")
+	defer daemon.MockSnapshotCheck(func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error) {
+		done = "check"
+		return nil, nil, expectedError
+	})()
+	defer daemon.MockSnapshotRestore(func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error) {
+		done = "restore"
+		return nil, nil, expectedError
+	})()
+	defer daemon.MockSnapshotForget(func(*state.State, uint64, []string) ([]string, *state.TaskSet, error) {
+		done = "forget"
+		return nil, nil, expectedError
+	})()
+	for _, action := range []string{"check", "restore", "forget"} {
+		comm := check.Commentf("%s", action)
+		body := fmt.Sprintf(`{"set": 42, "action": "%s"}`, action)
+		req, err := http.NewRequest("POST", "/v2/snapshots", strings.NewReader(body))
+		c.Assert(err, check.IsNil, comm)
+
+		rsp := daemon.ChangeSnapshots(daemon.SnapshotCmd, req, nil)
+		c.Check(rsp.Type, check.Equals, daemon.ResponseTypeError, comm)
+		c.Check(rsp.Status, check.Equals, 500, comm)
+		c.Check(rsp.ErrorResult().Message, check.Matches, expectedError.Error(), comm)
+		c.Check(done, check.Equals, action, comm)
+	}
+}
+
+func (s *snapshotSuite) TestChangeSnapshot(c *check.C) {
+	var done string
+	defer daemon.MockSnapshotCheck(func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error) {
+		done = "check"
+		return []string{"foo"}, state.NewTaskSet(), nil
+	})()
+	defer daemon.MockSnapshotRestore(func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error) {
+		done = "restore"
+		return []string{"foo"}, state.NewTaskSet(), nil
+	})()
+	defer daemon.MockSnapshotForget(func(*state.State, uint64, []string) ([]string, *state.TaskSet, error) {
+		done = "forget"
+		return []string{"foo"}, state.NewTaskSet(), nil
+	})()
+
+	st := s.o.State()
+	st.Lock()
+	defer st.Unlock()
+	for _, action := range []string{"check", "restore", "forget"} {
+		comm := check.Commentf("%s", action)
+		body := fmt.Sprintf(`{"set": 42, "action": "%s"}`, action)
+		req, err := http.NewRequest("POST", "/v2/snapshots", strings.NewReader(body))
+
+		c.Assert(err, check.IsNil, comm)
+
+		st.Unlock()
+		rsp := daemon.ChangeSnapshots(daemon.SnapshotCmd, req, nil)
+		st.Lock()
+
+		c.Check(rsp.Type, check.Equals, daemon.ResponseTypeAsync, comm)
+		c.Check(rsp.Status, check.Equals, 202, comm)
+		c.Check(done, check.Equals, action, comm)
+
+		chg := st.Change(rsp.Change)
+		c.Assert(chg, check.NotNil)
+		c.Assert(chg.Tasks(), check.HasLen, 0)
+
+		c.Check(chg.Kind(), check.Equals, action+"-snapshot")
+		var apiData map[string]interface{}
+		err = chg.Get("api-data", &apiData)
+		c.Assert(err, check.IsNil)
+		c.Check(apiData, check.DeepEquals, map[string]interface{}{
+			"snap-names": []interface{}{"foo"},
+		})
+
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/api_test.go snapd-2.37~rc1~14.04/daemon/api_test.go
--- snapd-2.32.3.2~14.04/daemon/api_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/api_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2016 Canonical Ltd
+ * Copyright (C) 2014-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -35,6 +35,7 @@
 	"os"
 	"os/user"
 	"path/filepath"
+	"regexp"
 	"sort"
 	"strconv"
 	"strings"
@@ -44,9 +45,9 @@
 	"golang.org/x/net/context"
 
 	"gopkg.in/check.v1"
-	"gopkg.in/macaroon.v1"
 	"gopkg.in/tomb.v2"
 
+	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/asserts/assertstest"
 	"github.com/snapcore/snapd/asserts/sysdb"
@@ -60,6 +61,7 @@
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/devicestate"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/hookstate/ctlcmd"
 	"github.com/snapcore/snapd/overlord/ifacestate"
@@ -86,9 +88,10 @@
 	d                 *Daemon
 	user              *auth.UserState
 	restoreBackends   func()
-	refreshCandidates []*store.RefreshCandidate
-	buyOptions        *store.BuyOptions
-	buyResult         *store.BuyResult
+	currentSnaps      []*store.CurrentSnap
+	actions           []*store.SnapAction
+	buyOptions        *client.BuyOptions
+	buyResult         *client.BuyResult
 	storeSigning      *assertstest.StoreStack
 	restoreRelease    func()
 	trustedRestorer   func()
@@ -100,19 +103,32 @@
 
 	journalctlRestorer func()
 	jctlSvcses         [][]string
-	jctlNs             []string
+	jctlNs             []int
 	jctlFollows        []bool
 	jctlRCs            []io.ReadCloser
 	jctlErrs           []error
 
+	connectivityResult     map[string]bool
+	loginUserStoreMacaroon string
+	loginUserDischarge     string
+	userInfoResult         *store.User
+	userInfoExpectedEmail  string
+
 	restoreSanitize func()
 }
 
+func (s *apiBaseSuite) pokeStateLock() {
+	// the store should be called without the state lock held. Try
+	// to acquire it.
+	st := s.d.overlord.State()
+	st.Lock()
+	st.Unlock()
+}
+
 func (s *apiBaseSuite) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
+	s.pokeStateLock()
+
 	s.user = user
-	if !spec.AnyChannel {
-		return nil, fmt.Errorf("api is expected to set AnyChannel")
-	}
 	if len(s.rsnaps) > 0 {
 		return s.rsnaps[0], s.err
 	}
@@ -120,44 +136,69 @@
 }
 
 func (s *apiBaseSuite) Find(search *store.Search, user *auth.UserState) ([]*snap.Info, error) {
+	s.pokeStateLock()
+
 	s.storeSearch = *search
 	s.user = user
 
 	return s.rsnaps, s.err
 }
 
-func (s *apiBaseSuite) LookupRefresh(snap *store.RefreshCandidate, user *auth.UserState) (*snap.Info, error) {
-	s.refreshCandidates = []*store.RefreshCandidate{snap}
-	s.user = user
-
-	return s.rsnaps[0], s.err
-}
+func (s *apiBaseSuite) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
+	s.pokeStateLock()
 
-func (s *apiBaseSuite) ListRefresh(ctx context.Context, snaps []*store.RefreshCandidate, user *auth.UserState, flags *store.RefreshOptions) ([]*snap.Info, error) {
 	if ctx == nil {
 		panic("context required")
 	}
-	s.refreshCandidates = snaps
+	s.currentSnaps = currentSnaps
+	s.actions = actions
 	s.user = user
 
 	return s.rsnaps, s.err
 }
 
 func (s *apiBaseSuite) SuggestedCurrency() string {
+	s.pokeStateLock()
+
 	return s.suggestedCurrency
 }
 
-func (s *apiBaseSuite) Buy(options *store.BuyOptions, user *auth.UserState) (*store.BuyResult, error) {
+func (s *apiBaseSuite) Buy(options *client.BuyOptions, user *auth.UserState) (*client.BuyResult, error) {
+	s.pokeStateLock()
+
 	s.buyOptions = options
 	s.user = user
 	return s.buyResult, s.err
 }
 
 func (s *apiBaseSuite) ReadyToBuy(user *auth.UserState) error {
+	s.pokeStateLock()
+
 	s.user = user
 	return s.err
 }
 
+func (s *apiBaseSuite) ConnectivityCheck() (map[string]bool, error) {
+	s.pokeStateLock()
+
+	return s.connectivityResult, s.err
+}
+
+func (s *apiBaseSuite) LoginUser(username, password, otp string) (string, string, error) {
+	s.pokeStateLock()
+
+	return s.loginUserStoreMacaroon, s.loginUserDischarge, s.err
+}
+
+func (s *apiBaseSuite) UserInfo(email string) (userinfo *store.User, err error) {
+	s.pokeStateLock()
+
+	if s.userInfoExpectedEmail != email {
+		panic(fmt.Sprintf("%q != %q", s.userInfoExpectedEmail, email))
+	}
+	return s.userInfoResult, s.err
+}
+
 func (s *apiBaseSuite) muxVars(*http.Request) map[string]string {
 	return s.vars
 }
@@ -195,7 +236,7 @@
 	return buf, err
 }
 
-func (s *apiBaseSuite) journalctl(svcs []string, n string, follow bool) (rc io.ReadCloser, err error) {
+func (s *apiBaseSuite) journalctl(svcs []string, n int, follow bool) (rc io.ReadCloser, err error) {
 	s.jctlSvcses = append(s.jctlSvcses, svcs)
 	s.jctlNs = append(s.jctlNs, n)
 	s.jctlFollows = append(s.jctlFollows, follow)
@@ -224,6 +265,7 @@
 	err := os.MkdirAll(filepath.Dir(dirs.SnapStateFile), 0755)
 	c.Assert(err, check.IsNil)
 	c.Assert(os.MkdirAll(dirs.SnapMountDir, 0755), check.IsNil)
+	c.Assert(os.MkdirAll(dirs.SnapBlobDir, 0755), check.IsNil)
 
 	s.rsnaps = nil
 	s.suggestedCurrency = ""
@@ -232,7 +274,8 @@
 	s.vars = nil
 	s.user = nil
 	s.d = nil
-	s.refreshCandidates = nil
+	s.currentSnaps = nil
+	s.actions = nil
 	// Disable real security backends for all API tests
 	s.restoreBackends = ifacestate.MockSecurityBackends(nil)
 
@@ -291,8 +334,29 @@
 	// mark as already seeded
 	st.Set("seeded", true)
 	// registered
+	// realistic model setup
+	modelHdrs := map[string]interface{}{
+		"type":         "model",
+		"authority-id": "can0nical",
+		"series":       "16",
+		"brand-id":     "can0nical",
+		"model":        "pc",
+		"architecture": "amd64",
+		"gadget":       "gadget",
+		"kernel":       "kernel",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}
+	a, err := s.storeSigning.RootSigning.Sign(asserts.ModelType, modelHdrs, nil, "")
+	c.Assert(err, check.IsNil)
+	model := a.(*asserts.Model)
+
+	snapstate.Model = devicestate.Model
+
+	err = assertstate.Add(st, model)
+	c.Assert(err, check.IsNil)
+
 	auth.SetDevice(st, &auth.DeviceState{
-		Brand:  "canonical",
+		Brand:  "can0nical",
 		Model:  "pc",
 		Serial: "serialserial",
 	})
@@ -319,7 +383,7 @@
 
 	st := d.overlord.State()
 	// adds an assertion db
-	assertstate.Manager(st)
+	assertstate.Manager(st, o.TaskRunner())
 	st.Lock()
 	defer st.Unlock()
 	snapstate.ReplaceStore(st, s)
@@ -328,13 +392,9 @@
 	return d
 }
 
-type fakeSnapManager struct {
-	runner *state.TaskRunner
-}
-
-func newFakeSnapManager(st *state.State) *fakeSnapManager {
-	runner := state.NewTaskRunner(st)
+type fakeSnapManager struct{}
 
+func newFakeSnapManager(st *state.State, runner *state.TaskRunner) *fakeSnapManager {
 	runner.AddHandler("fake-install-snap", func(t *state.Task, _ *tomb.Tomb) error {
 		return nil
 	}, nil)
@@ -342,33 +402,22 @@
 		return fmt.Errorf("fake-install-snap-error errored")
 	}, nil)
 
-	return &fakeSnapManager{runner: runner}
-}
-
-func (m *fakeSnapManager) KnownTaskKinds() []string {
-	return m.runner.KnownTaskKinds()
+	return &fakeSnapManager{}
 }
 
 func (m *fakeSnapManager) Ensure() error {
-	m.runner.Ensure()
 	return nil
 }
 
-func (m *fakeSnapManager) Wait() {
-	m.runner.Wait()
-}
-
-func (m *fakeSnapManager) Stop() {
-	m.runner.Stop()
-}
-
 // sanity
 var _ overlord.StateManager = (*fakeSnapManager)(nil)
 
 func (s *apiBaseSuite) daemonWithFakeSnapManager(c *check.C) *Daemon {
 	d := s.daemonWithOverlordMock(c)
 	st := d.overlord.State()
-	d.overlord.AddManager(newFakeSnapManager(st))
+	runner := d.overlord.TaskRunner()
+	d.overlord.AddManager(newFakeSnapManager(st, runner))
+	d.overlord.AddManager(runner)
 	return d
 }
 
@@ -391,12 +440,14 @@
 	return df
 }
 
-func (s *apiBaseSuite) mkInstalledInState(c *check.C, daemon *Daemon, name, developer, version string, revision snap.Revision, active bool, extraYaml string) *snap.Info {
-	snapID := name + "-id"
+func (s *apiBaseSuite) mkInstalledInState(c *check.C, daemon *Daemon, instanceName, developer, version string, revision snap.Revision, active bool, extraYaml string) *snap.Info {
+	snapName, instanceKey := snap.SplitInstanceName(instanceName)
+
+	snapID := snapName + "-id"
 	// Collect arguments into a snap.SideInfo structure
 	sideInfo := &snap.SideInfo{
 		SnapID:   snapID,
-		RealName: name,
+		RealName: snapName,
 		Revision: revision,
 		Channel:  "stable",
 	}
@@ -405,10 +456,15 @@
 	yamlText := fmt.Sprintf(`
 name: %s
 version: %s
-%s`, name, version, extraYaml)
+%s`, snapName, version, extraYaml)
 
 	// Mock the snap on disk
-	snapInfo := snaptest.MockSnap(c, yamlText, sideInfo)
+	snapInfo := snaptest.MockSnapInstance(c, instanceName, yamlText, sideInfo)
+	if active {
+		dir, rev := filepath.Split(snapInfo.MountDir())
+		c.Assert(os.Symlink(rev, dir+"current"), check.IsNil)
+	}
+	c.Assert(snapInfo.InstanceName(), check.Equals, instanceName)
 
 	c.Assert(os.MkdirAll(snapInfo.DataDir(), 0755), check.IsNil)
 	metadir := filepath.Join(snapInfo.MountDir(), "meta")
@@ -437,7 +493,7 @@
 		snapDecl, err := s.storeSigning.Sign(asserts.SnapDeclarationType, map[string]interface{}{
 			"series":       "16",
 			"snap-id":      snapID,
-			"snap-name":    name,
+			"snap-name":    snapName,
 			"publisher-id": devAcct.AccountID(),
 			"timestamp":    time.Now().Format(time.RFC3339),
 		}, nil, "")
@@ -465,13 +521,14 @@
 		c.Assert(err, check.IsNil)
 
 		var snapst snapstate.SnapState
-		snapstate.Get(st, name, &snapst)
+		snapstate.Get(st, instanceName, &snapst)
 		snapst.Active = active
 		snapst.Sequence = append(snapst.Sequence, &snapInfo.SideInfo)
 		snapst.Current = snapInfo.SideInfo.Revision
 		snapst.Channel = "stable"
+		snapst.InstanceKey = instanceKey
 
-		snapstate.Set(st, name, &snapst)
+		snapstate.Set(st, instanceName, &snapst)
 	}
 
 	return snapInfo
@@ -504,11 +561,15 @@
 description: description
 summary: summary
 license: GPL-3.0
+base: base18
 apps:
   cmd:
     command: some.cmd
   cmd2:
     command: other.cmd
+  cmd3:
+    command: other.cmd
+    common-id: org.foo.cmd
   svc1:
     command: somed1
     daemon: simple
@@ -521,6 +582,22 @@
   svc4:
     command: somed4
     daemon: notify
+  svc5:
+    command: some5
+    timer: mon1,12:15
+    daemon: simple
+  svc6:
+    command: some6
+    daemon: simple
+    sockets:
+       sock:
+         listen-stream: $SNAP_COMMON/run.sock
+  svc7:
+    command: some7
+    daemon: simple
+    sockets:
+       other-sock:
+         listen-stream: $SNAP_COMMON/other-run.sock
 `)
 	df := s.mkInstalledDesktopFile(c, "foo_cmd.desktop", "[Desktop]\nExec=foo.cmd %U")
 	s.sysctlBufs = [][]byte{
@@ -544,6 +621,33 @@
 ActiveState=inactive
 UnitFileState=potatoes
 `),
+		[]byte(`Type=simple
+Id=snap.foo.svc5.service
+ActiveState=inactive
+UnitFileState=static
+
+Id=snap.foo.svc5.timer
+ActiveState=active
+UnitFileState=enabled
+`),
+		[]byte(`Type=simple
+Id=snap.foo.svc6.service
+ActiveState=inactive
+UnitFileState=static
+
+Id=snap.foo.svc6.sock.socket
+ActiveState=active
+UnitFileState=enabled
+`),
+		[]byte(`Type=simple
+Id=snap.foo.svc7.service
+ActiveState=inactive
+UnitFileState=static
+
+Id=snap.foo.svc7.other-sock.socket
+ActiveState=inactive
+UnitFileState=enabled
+`),
 	}
 
 	var snapst snapstate.SnapState
@@ -592,14 +696,22 @@
 			Summary:          "summary",
 			Description:      "description",
 			Developer:        "bar",
-			Status:           "active",
-			Icon:             "/v2/icons/foo/icon",
-			Type:             string(snap.TypeApp),
-			Private:          false,
-			DevMode:          false,
-			JailMode:         false,
-			Confinement:      string(snap.StrictConfinement),
-			TryMode:          false,
+			Publisher: &snap.StoreAccount{
+				ID:          "bar-id",
+				Username:    "bar",
+				DisplayName: "Bar",
+				Validation:  "unproven",
+			},
+			Status:      "active",
+			Icon:        "/v2/icons/foo/icon",
+			Type:        string(snap.TypeApp),
+			Base:        "base18",
+			Private:     false,
+			DevMode:     false,
+			JailMode:    false,
+			Confinement: string(snap.StrictConfinement),
+			TryMode:     false,
+			MountedFrom: filepath.Join(dirs.SnapBlobDir, "foo_10.snap"),
 			Apps: []client.AppInfo{
 				{
 					Snap: "foo", Name: "cmd",
@@ -608,6 +720,10 @@
 					// no desktop file
 					Snap: "foo", Name: "cmd2",
 				}, {
+					// has AppStream ID
+					Snap: "foo", Name: "cmd3",
+					CommonID: "org.foo.cmd",
+				}, {
 					// services
 					Snap: "foo", Name: "svc1",
 					Daemon:  "simple",
@@ -623,17 +739,41 @@
 					Daemon:  "oneshot",
 					Enabled: true,
 					Active:  true,
-				},
-				{
+				}, {
 					Snap: "foo", Name: "svc4",
 					Daemon:  "notify",
 					Enabled: false,
 					Active:  false,
+				}, {
+					Snap: "foo", Name: "svc5",
+					Daemon:  "simple",
+					Enabled: true,
+					Active:  false,
+					Activators: []client.AppActivator{
+						{Name: "svc5", Type: "timer", Active: true, Enabled: true},
+					},
+				}, {
+					Snap: "foo", Name: "svc6",
+					Daemon:  "simple",
+					Enabled: true,
+					Active:  false,
+					Activators: []client.AppActivator{
+						{Name: "sock", Type: "socket", Active: true, Enabled: true},
+					},
+				}, {
+					Snap: "foo", Name: "svc7",
+					Daemon:  "simple",
+					Enabled: true,
+					Active:  false,
+					Activators: []client.AppActivator{
+						{Name: "other-sock", Type: "socket", Active: false, Enabled: true},
+					},
 				},
 			},
-			Broken:  "",
-			Contact: "",
-			License: "GPL-3.0",
+			Broken:    "",
+			Contact:   "",
+			License:   "GPL-3.0",
+			CommonIDs: []string{"org.foo.cmd"},
 		},
 		Meta: meta,
 	}
@@ -642,6 +782,8 @@
 }
 
 func (s *apiSuite) TestSnapInfoWithAuth(c *check.C) {
+	s.daemon(c)
+
 	state := snapCmd.d.overlord.State()
 	state.Lock()
 	user, err := auth.NewUser(state, "username", "email@test.com", "macaroon", []string{"discharge"})
@@ -686,10 +828,32 @@
 	c.Check(rsp.Result, check.NotNil)
 }
 
+func (s *apiSuite) TestMapLocalOfTryResolvesSymlink(c *check.C) {
+	c.Assert(os.MkdirAll(dirs.SnapBlobDir, 0755), check.IsNil)
+
+	info := snap.Info{SideInfo: snap.SideInfo{RealName: "hello", Revision: snap.R(1)}}
+	snapst := snapstate.SnapState{}
+	mountFile := info.MountFile()
+	about := aboutSnap{info: &info, snapst: &snapst}
+
+	// if not a 'try', then MountedFrom is just MountFile()
+	c.Check(mapLocal(about).MountedFrom, check.Equals, mountFile)
+
+	// if it's a try, then MountedFrom resolves the symlink
+	// (note it doesn't matter, here, whether the target of the link exists)
+	snapst.TryMode = true
+	c.Assert(os.Symlink("/xyzzy", mountFile), check.IsNil)
+	c.Check(mapLocal(about).MountedFrom, check.Equals, "/xyzzy")
+
+	// if the readlink fails, it's unset
+	c.Assert(os.Remove(mountFile), check.IsNil)
+	c.Check(mapLocal(about).MountedFrom, check.Equals, "")
+}
+
 func (s *apiSuite) TestListIncludesAll(c *check.C) {
 	// Very basic check to help stop us from not adding all the
 	// commands to the command list.
-	found := countCommandDeclsIn(c, "api.go", check.Commentf("TestListIncludesAll"))
+	found := countCommandDecls(c, check.Commentf("TestListIncludesAll"))
 
 	c.Check(found, check.Equals, len(api),
 		check.Commentf(`At a glance it looks like you've not added all the Commands defined in api to the api list.`))
@@ -744,6 +908,11 @@
 	defer restore()
 	restore = release.MockForcedDevmode(true)
 	defer restore()
+	// reload dirs for release info to have effect
+	dirs.SetRootDir(dirs.GlobalRootDir)
+
+	buildID, err := osutil.MyBuildID()
+	c.Assert(err, check.IsNil)
 
 	sysInfoCmd.GET(sysInfoCmd, nil, nil).ServeHTTP(rec, nil)
 	c.Check(rec.Code, check.Equals, 200)
@@ -756,6 +925,7 @@
 			"id":         "distro-id",
 			"version-id": "1.2",
 		},
+		"build-id":   buildID,
 		"on-classic": true,
 		"managed":    false,
 		"locations": map[string]interface{}{
@@ -766,7 +936,8 @@
 			// only the "timer" field
 			"timer": "8:00~9:00/2",
 		},
-		"confinement": "partial",
+		"confinement":      "partial",
+		"sandbox-features": map[string]interface{}{"confinement-options": []interface{}{"classic", "devmode"}},
 	}
 	var rsp resp
 	c.Assert(json.Unmarshal(rec.Body.Bytes(), &rsp), check.IsNil)
@@ -791,6 +962,8 @@
 	defer restore()
 	restore = release.MockForcedDevmode(true)
 	defer restore()
+	// reload dirs for release info to have effect
+	dirs.SetRootDir(dirs.GlobalRootDir)
 
 	// set the legacy refresh schedule
 	st := d.overlord.State()
@@ -801,6 +974,16 @@
 	tr.Commit()
 	st.Unlock()
 
+	// add a test security backend
+	err := d.overlord.InterfaceManager().Repository().AddBackend(&ifacetest.TestSecurityBackend{
+		BackendName:             "apparmor",
+		SandboxFeaturesCallback: func() []string { return []string{"feature-1", "feature-2"} },
+	})
+	c.Assert(err, check.IsNil)
+
+	buildID, err := osutil.MyBuildID()
+	c.Assert(err, check.IsNil)
+
 	sysInfoCmd.GET(sysInfoCmd, nil, nil).ServeHTTP(rec, nil)
 	c.Check(rec.Code, check.Equals, 200)
 	c.Check(rec.HeaderMap.Get("Content-Type"), check.Equals, "application/json")
@@ -812,6 +995,7 @@
 			"id":         "distro-id",
 			"version-id": "1.2",
 		},
+		"build-id":   buildID,
 		"on-classic": true,
 		"managed":    false,
 		"locations": map[string]interface{}{
@@ -823,6 +1007,10 @@
 			"schedule": "00:00-9:00/12:00-13:00",
 		},
 		"confinement": "partial",
+		"sandbox-features": map[string]interface{}{
+			"apparmor":            []interface{}{"feature-1", "feature-2"},
+			"confinement-options": []interface{}{"classic", "devmode"}, // we know it's this because of the release.Mock... calls above
+		},
 	}
 	var rsp resp
 	c.Assert(json.Unmarshal(rec.Body.Bytes(), &rsp), check.IsNil)
@@ -833,68 +1021,12 @@
 	c.Check(rsp.Result, check.DeepEquals, expected)
 }
 
-func (s *apiSuite) makeDeveloperAPIServer(statusCode int, data string) *httptest.Server {
-	mockDeveloperAPIServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(statusCode)
-		io.WriteString(w, data)
-	}))
-	store.MacaroonACLAPI = mockDeveloperAPIServer.URL + "/acl/"
-	return mockDeveloperAPIServer
-}
-
-func (s *apiSuite) makeSSOServer(statusCode int, data string) *httptest.Server {
-	mockSSOServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(statusCode)
-		io.WriteString(w, data)
-	}))
-	store.UbuntuoneDischargeAPI = mockSSOServer.URL + "/tokens/discharge"
-	return mockSSOServer
-}
-
-func (s *apiSuite) makeStoreMacaroon() (string, error) {
-	m, err := macaroon.New([]byte("secret"), "some id", "location")
-	if err != nil {
-		return "", err
-	}
-	err = m.AddFirstPartyCaveat("caveat")
-	if err != nil {
-		return "", err
-	}
-	err = m.AddThirdPartyCaveat([]byte("shared-secret"), "third-party-caveat", store.UbuntuoneLocation)
-	if err != nil {
-		return "", err
-	}
-
-	return auth.MacaroonSerialize(m)
-}
-
-func (s *apiSuite) makeStoreMacaroonResponse(serializedMacaroon string) (string, error) {
-	data := map[string]string{
-		"macaroon": serializedMacaroon,
-	}
-	expectedData, err := json.Marshal(data)
-	if err != nil {
-		return "", err
-	}
-
-	return string(expectedData), nil
-}
-
 func (s *apiSuite) TestLoginUser(c *check.C) {
 	d := s.daemon(c)
 	state := d.overlord.State()
 
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"discharge_macaroon": "the-discharge-macaroon-serialized-data"}`
-	mockSSOServer := s.makeSSOServer(200, discharge)
-	defer mockSSOServer.Close()
-
+	s.loginUserStoreMacaroon = "user-macaroon"
+	s.loginUserDischarge = "the-discharge-macaroon-serialized-data"
 	buf := bytes.NewBufferString(`{"username": "email@.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -923,7 +1055,7 @@
 	c.Check(user.Username, check.Equals, "")
 	c.Check(user.Email, check.Equals, "email@.com")
 	c.Check(user.Discharges, check.IsNil)
-	c.Check(user.StoreMacaroon, check.Equals, serializedMacaroon)
+	c.Check(user.StoreMacaroon, check.Equals, s.loginUserStoreMacaroon)
 	c.Check(user.StoreDischarges, check.DeepEquals, []string{"the-discharge-macaroon-serialized-data"})
 	// snapd macaroon was setup too
 	snapdMacaroon, err := auth.MacaroonDeserialize(user.Macaroon)
@@ -936,17 +1068,8 @@
 	d := s.daemon(c)
 	state := d.overlord.State()
 
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"discharge_macaroon": "the-discharge-macaroon-serialized-data"}`
-	mockSSOServer := s.makeSSOServer(200, discharge)
-	defer mockSSOServer.Close()
-
+	s.loginUserStoreMacaroon = "user-macaroon"
+	s.loginUserDischarge = "the-discharge-macaroon-serialized-data"
 	buf := bytes.NewBufferString(`{"username": "username", "email": "email@.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -974,7 +1097,7 @@
 	c.Check(user.Username, check.Equals, "username")
 	c.Check(user.Email, check.Equals, "email@.com")
 	c.Check(user.Discharges, check.IsNil)
-	c.Check(user.StoreMacaroon, check.Equals, serializedMacaroon)
+	c.Check(user.StoreMacaroon, check.Equals, s.loginUserStoreMacaroon)
 	c.Check(user.StoreDischarges, check.DeepEquals, []string{"the-discharge-macaroon-serialized-data"})
 	// snapd macaroon was setup too
 	snapdMacaroon, err := auth.MacaroonDeserialize(user.Macaroon)
@@ -993,17 +1116,8 @@
 	state.Unlock()
 	c.Assert(err, check.IsNil)
 
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"discharge_macaroon": "the-discharge-macaroon-serialized-data"}`
-	mockSSOServer := s.makeSSOServer(200, discharge)
-	defer mockSSOServer.Close()
-
+	s.loginUserStoreMacaroon = "user-macaroon"
+	s.loginUserDischarge = "the-discharge-macaroon-serialized-data"
 	buf := bytes.NewBufferString(`{"username": "username", "email": "", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -1032,7 +1146,7 @@
 	c.Check(user.Email, check.Equals, localUser.Email)
 	c.Check(user.Macaroon, check.Equals, localUser.Macaroon)
 	c.Check(user.Discharges, check.IsNil)
-	c.Check(user.StoreMacaroon, check.Equals, serializedMacaroon)
+	c.Check(user.StoreMacaroon, check.Equals, s.loginUserStoreMacaroon)
 	c.Check(user.StoreDischarges, check.DeepEquals, []string{"the-discharge-macaroon-serialized-data"})
 }
 
@@ -1046,17 +1160,8 @@
 	state.Unlock()
 	c.Assert(err, check.IsNil)
 
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"discharge_macaroon": "the-discharge-macaroon-serialized-data"}`
-	mockSSOServer := s.makeSSOServer(200, discharge)
-	defer mockSSOServer.Close()
-
+	s.loginUserStoreMacaroon = "user-macaroon"
+	s.loginUserDischarge = "the-discharge-macaroon-serialized-data"
 	buf := bytes.NewBufferString(`{"username": "username", "email": "email@test.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -1085,7 +1190,7 @@
 	c.Check(user.Email, check.Equals, localUser.Email)
 	c.Check(user.Macaroon, check.Equals, localUser.Macaroon)
 	c.Check(user.Discharges, check.IsNil)
-	c.Check(user.StoreMacaroon, check.Equals, serializedMacaroon)
+	c.Check(user.StoreMacaroon, check.Equals, s.loginUserStoreMacaroon)
 	c.Check(user.StoreDischarges, check.DeepEquals, []string{"the-discharge-macaroon-serialized-data"})
 }
 
@@ -1099,17 +1204,8 @@
 	state.Unlock()
 	c.Assert(err, check.IsNil)
 
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"discharge_macaroon": "the-discharge-macaroon-serialized-data"}`
-	mockSSOServer := s.makeSSOServer(200, discharge)
-	defer mockSSOServer.Close()
-
+	s.loginUserStoreMacaroon = "user-macaroon"
+	s.loginUserDischarge = "the-discharge-macaroon-serialized-data"
 	// same local user, but using a new SSO account
 	buf := bytes.NewBufferString(`{"username": "username", "email": "new.email@test.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
@@ -1139,7 +1235,7 @@
 	c.Check(user.Email, check.Equals, expected.Email)
 	c.Check(user.Macaroon, check.Equals, localUser.Macaroon)
 	c.Check(user.Discharges, check.IsNil)
-	c.Check(user.StoreMacaroon, check.Equals, serializedMacaroon)
+	c.Check(user.StoreMacaroon, check.Equals, s.loginUserStoreMacaroon)
 	c.Check(user.StoreDischarges, check.DeepEquals, []string{"the-discharge-macaroon-serialized-data"})
 }
 
@@ -1178,9 +1274,9 @@
 }
 
 func (s *apiSuite) TestLoginUserDeveloperAPIError(c *check.C) {
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, "{}")
-	defer mockDeveloperAPIServer.Close()
+	s.daemon(c)
 
+	s.err = fmt.Errorf("error-from-login-user")
 	buf := bytes.NewBufferString(`{"username": "email@.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -1189,21 +1285,13 @@
 
 	c.Check(rsp.Type, check.Equals, ResponseTypeError)
 	c.Check(rsp.Status, check.Equals, 401)
-	c.Check(rsp.Result.(*errorResult).Message, testutil.Contains, "cannot get snap access permission")
+	c.Check(rsp.Result.(*errorResult).Message, testutil.Contains, "error-from-login-user")
 }
 
 func (s *apiSuite) TestLoginUserTwoFactorRequiredError(c *check.C) {
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"code": "TWOFACTOR_REQUIRED"}`
-	mockSSOServer := s.makeSSOServer(401, discharge)
-	defer mockSSOServer.Close()
+	s.daemon(c)
 
+	s.err = store.ErrAuthenticationNeeds2fa
 	buf := bytes.NewBufferString(`{"username": "email@.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -1216,17 +1304,9 @@
 }
 
 func (s *apiSuite) TestLoginUserTwoFactorFailedError(c *check.C) {
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"code": "TWOFACTOR_FAILURE"}`
-	mockSSOServer := s.makeSSOServer(403, discharge)
-	defer mockSSOServer.Close()
+	s.daemon(c)
 
+	s.err = store.Err2faFailed
 	buf := bytes.NewBufferString(`{"username": "email@.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -1239,17 +1319,9 @@
 }
 
 func (s *apiSuite) TestLoginUserInvalidCredentialsError(c *check.C) {
-	serializedMacaroon, err := s.makeStoreMacaroon()
-	c.Assert(err, check.IsNil)
-	responseData, err := s.makeStoreMacaroonResponse(serializedMacaroon)
-	c.Assert(err, check.IsNil)
-	mockDeveloperAPIServer := s.makeDeveloperAPIServer(200, responseData)
-	defer mockDeveloperAPIServer.Close()
-
-	discharge := `{"code": "INVALID_CREDENTIALS"}`
-	mockSSOServer := s.makeSSOServer(401, discharge)
-	defer mockSSOServer.Close()
+	s.daemon(c)
 
+	s.err = store.ErrInvalidCredentials
 	buf := bytes.NewBufferString(`{"username": "email@.com", "password": "password"}`)
 	req, err := http.NewRequest("POST", "/v2/login", buf)
 	c.Assert(err, check.IsNil)
@@ -1430,7 +1502,12 @@
 		SideInfo: snap.SideInfo{
 			RealName: "store",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 	s.mkInstalledInState(c, d, "local", "foo", "v1", snap.R(10), true, "")
 
@@ -1452,18 +1529,29 @@
 	s.mkInstalledInState(c, d, "local", "foo", "v1", snap.R(1), false, "")
 	s.mkInstalledInState(c, d, "local", "foo", "v2", snap.R(2), false, "")
 	s.mkInstalledInState(c, d, "local", "foo", "v3", snap.R(3), true, "")
+	s.mkInstalledInState(c, d, "local_foo", "foo", "v4", snap.R(4), true, "")
+	brokenInfo := s.mkInstalledInState(c, d, "local_bar", "foo", "v5", snap.R(5), true, "")
+	// make sure local_bar is 'broken'
+	err := os.Remove(filepath.Join(brokenInfo.MountDir(), "meta", "snap.yaml"))
+	c.Assert(err, check.IsNil)
 
+	expectedHappy := map[string]bool{
+		"local":     true,
+		"local_foo": true,
+		"local_bar": true,
+	}
 	for _, t := range []struct {
 		q        string
 		numSnaps int
 		typ      ResponseType
 	}{
-		{"?select=enabled", 1, "sync"},
-		{`?select=`, 1, "sync"},
-		{"", 1, "sync"},
-		{"?select=all", 3, "sync"},
+		{"?select=enabled", 3, "sync"},
+		{`?select=`, 3, "sync"},
+		{"", 3, "sync"},
+		{"?select=all", 5, "sync"},
 		{"?select=invalid-field", 0, "error"},
 	} {
+		c.Logf("trying: %v", t)
 		req, err := http.NewRequest("GET", fmt.Sprintf("/v2/snaps%s", t.q), nil)
 		c.Assert(err, check.IsNil)
 		rsp := getSnapsInfo(snapsCmd, req, nil).(*resp)
@@ -1472,19 +1560,30 @@
 		if rsp.Type != "error" {
 			snaps := snapList(rsp.Result)
 			c.Assert(snaps, check.HasLen, t.numSnaps)
-			c.Assert(snaps[0]["name"], check.Equals, "local")
+			seen := map[string]bool{}
+			for _, s := range snaps {
+				seen[s["name"].(string)] = true
+			}
+			c.Assert(seen, check.DeepEquals, expectedHappy)
 		}
 	}
 }
 
 func (s *apiSuite) TestFind(c *check.C) {
+	s.daemon(c)
+
 	s.suggestedCurrency = "EUR"
 
 	s.rsnaps = []*snap.Info{{
 		SideInfo: snap.SideInfo{
 			RealName: "store",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 
 	req, err := http.NewRequest("GET", "/v2/find?q=hi", nil)
@@ -1502,7 +1601,8 @@
 	c.Check(rsp.SuggestedCurrency, check.Equals, "EUR")
 
 	c.Check(s.storeSearch, check.DeepEquals, store.Search{Query: "hi"})
-	c.Check(s.refreshCandidates, check.HasLen, 0)
+	c.Check(s.currentSnaps, check.HasLen, 0)
+	c.Check(s.actions, check.HasLen, 0)
 }
 
 func (s *apiSuite) TestFindRefreshes(c *check.C) {
@@ -1513,7 +1613,12 @@
 		SideInfo: snap.SideInfo{
 			RealName: "store",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 	s.mockSnap(c, "name: store\nversion: 1.0")
 
@@ -1525,7 +1630,8 @@
 	snaps := snapList(rsp.Result)
 	c.Assert(snaps, check.HasLen, 1)
 	c.Assert(snaps[0]["name"], check.Equals, "store")
-	c.Check(s.refreshCandidates, check.HasLen, 1)
+	c.Check(s.currentSnaps, check.HasLen, 1)
+	c.Check(s.actions, check.HasLen, 1)
 }
 
 func (s *apiSuite) TestFindRefreshSideloaded(c *check.C) {
@@ -1536,7 +1642,12 @@
 		SideInfo: snap.SideInfo{
 			RealName: "store",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 
 	s.mockSnap(c, "name: store\nversion: 1.0")
@@ -1561,9 +1672,9 @@
 	rsp := searchStore(findCmd, req, nil).(*resp)
 
 	snaps := snapList(rsp.Result)
-	c.Assert(snaps, check.HasLen, 1)
-	c.Assert(snaps[0]["name"], check.Equals, "store")
-	c.Check(s.refreshCandidates, check.HasLen, 0)
+	c.Assert(snaps, check.HasLen, 0)
+	c.Check(s.currentSnaps, check.HasLen, 0)
+	c.Check(s.actions, check.HasLen, 0)
 }
 
 func (s *apiSuite) TestFindPrivate(c *check.C) {
@@ -1611,6 +1722,49 @@
 	})
 }
 
+func (s *apiSuite) TestFindScope(c *check.C) {
+	s.daemon(c)
+
+	s.rsnaps = []*snap.Info{}
+
+	req, err := http.NewRequest("GET", "/v2/find?q=foo&scope=creep", nil)
+	c.Assert(err, check.IsNil)
+
+	_ = searchStore(findCmd, req, nil).(*resp)
+
+	c.Check(s.storeSearch, check.DeepEquals, store.Search{
+		Query: "foo",
+		Scope: "creep",
+	})
+}
+
+func (s *apiSuite) TestFindCommonID(c *check.C) {
+	s.daemon(c)
+
+	s.rsnaps = []*snap.Info{{
+		SideInfo: snap.SideInfo{
+			RealName: "store",
+		},
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
+		CommonIDs: []string{"org.foo"},
+	}}
+	s.mockSnap(c, "name: store\nversion: 1.0")
+
+	req, err := http.NewRequest("GET", "/v2/find?name=foo", nil)
+	c.Assert(err, check.IsNil)
+
+	rsp := searchStore(findCmd, req, nil).(*resp)
+
+	snaps := snapList(rsp.Result)
+	c.Assert(snaps, check.HasLen, 1)
+	c.Check(snaps[0]["common-ids"], check.DeepEquals, []interface{}{"org.foo"})
+}
+
 func (s *apiSuite) TestFindOne(c *check.C) {
 	s.daemon(c)
 
@@ -1618,7 +1772,13 @@
 		SideInfo: snap.SideInfo{
 			RealName: "store",
 		},
-		Publisher: "foo",
+		Base: "base0",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "verified",
+		},
 		Channels: map[string]*snap.ChannelSnapInfo{
 			"stable": {
 				Revision: snap.R(42),
@@ -1637,6 +1797,13 @@
 	snaps := snapList(rsp.Result)
 	c.Assert(snaps, check.HasLen, 1)
 	c.Check(snaps[0]["name"], check.Equals, "store")
+	c.Check(snaps[0]["base"], check.Equals, "base0")
+	c.Check(snaps[0]["publisher"], check.DeepEquals, map[string]interface{}{
+		"id":           "foo-id",
+		"username":     "foo",
+		"display-name": "Foo",
+		"validation":   "verified",
+	})
 	m := snaps[0]["channels"].(map[string]interface{})["stable"].(map[string]interface{})
 
 	c.Check(m["revision"], check.Equals, "42")
@@ -1668,6 +1835,8 @@
 }
 
 func (s *apiSuite) TestFindBadQueryReturnsCorrectErrorKind(c *check.C) {
+	s.daemon(c)
+
 	s.err = store.ErrBadQuery
 	req, err := http.NewRequest("GET", "/v2/find?q=return-bad-query-please", nil)
 	c.Assert(err, check.IsNil)
@@ -1680,6 +1849,8 @@
 }
 
 func (s *apiSuite) TestFindPriced(c *check.C) {
+	s.daemon(c)
+
 	s.suggestedCurrency = "GBP"
 
 	s.rsnaps = []*snap.Info{{
@@ -1693,7 +1864,12 @@
 		SideInfo: snap.SideInfo{
 			RealName: "banana",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 
 	req, err := http.NewRequest("GET", "/v2/find?q=banana&channel=stable", nil)
@@ -1716,24 +1892,33 @@
 }
 
 func (s *apiSuite) TestFindScreenshotted(c *check.C) {
+	s.daemon(c)
+
 	s.rsnaps = []*snap.Info{{
 		Type:    snap.TypeApp,
 		Version: "v2",
-		Screenshots: []snap.ScreenshotInfo{
+		Media: []snap.MediaInfo{
 			{
+				Type:   "screenshot",
 				URL:    "http://example.com/screenshot.png",
 				Width:  800,
 				Height: 1280,
 			},
 			{
-				URL: "http://example.com/screenshot2.png",
+				Type: "screenshot",
+				URL:  "http://example.com/screenshot2.png",
 			},
 		},
 		MustBuy: true,
 		SideInfo: snap.SideInfo{
 			RealName: "test-screenshot",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 
 	req, err := http.NewRequest("GET", "/v2/find?q=test-screenshot", nil)
@@ -1750,9 +1935,23 @@
 			"url":    "http://example.com/screenshot.png",
 			"width":  float64(800),
 			"height": float64(1280),
+			"note":   snap.ScreenshotsDeprecationNotice,
+		},
+		map[string]interface{}{
+			"url":  "http://example.com/screenshot2.png",
+			"note": snap.ScreenshotsDeprecationNotice,
+		},
+	})
+	c.Check(snaps[0]["media"], check.DeepEquals, []interface{}{
+		map[string]interface{}{
+			"type":   "screenshot",
+			"url":    "http://example.com/screenshot.png",
+			"width":  float64(800),
+			"height": float64(1280),
 		},
 		map[string]interface{}{
-			"url": "http://example.com/screenshot2.png",
+			"type": "screenshot",
+			"url":  "http://example.com/screenshot2.png",
 		},
 	})
 }
@@ -1766,7 +1965,12 @@
 		SideInfo: snap.SideInfo{
 			RealName: "store",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 	s.mkInstalledInState(c, d, "local", "foo", "v1", snap.R(10), true, "")
 
@@ -1786,6 +1990,8 @@
 }
 
 func (s *apiSuite) TestSnapsStoreConfinement(c *check.C) {
+	s.daemon(c)
+
 	s.rsnaps = []*snap.Info{
 		{
 			// no explicit confinement in this one
@@ -1827,6 +2033,8 @@
 }
 
 func (s *apiSuite) TestSnapsInfoStoreWithAuth(c *check.C) {
+	s.daemon(c)
+
 	state := snapCmd.d.overlord.State()
 	state.Lock()
 	user, err := auth.NewUser(state, "username", "email@test.com", "macaroon", []string{"discharge"})
@@ -1852,7 +2060,12 @@
 		SideInfo: snap.SideInfo{
 			RealName: "remote",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 	s.mkInstalledInState(c, d, "local", "foo", "v1", snap.R(10), true, "")
 
@@ -1892,7 +2105,12 @@
 		SideInfo: snap.SideInfo{
 			RealName: "remote",
 		},
-		Publisher: "foo",
+		Publisher: snap.StoreAccount{
+			ID:          "foo-id",
+			Username:    "foo",
+			DisplayName: "Foo",
+			Validation:  "unproven",
+		},
 	}}
 	s.mkInstalledInState(c, d, "local", "foo", "v1", snap.R(10), true, "")
 
@@ -1906,27 +2124,9 @@
 	c.Assert(snaps, check.HasLen, 1)
 }
 
-func (s *apiSuite) TestSnapsInfoUnknownSource(c *check.C) {
-	s.rsnaps = []*snap.Info{{
-		SideInfo: snap.SideInfo{
-			RealName: "remote",
-		},
-		Publisher: "foo",
-	}}
-	s.mkInstalled(c, "local", "foo", "v1", snap.R(10), true, "")
-
-	req, err := http.NewRequest("GET", "/v2/snaps?sources=unknown", nil)
-	c.Assert(err, check.IsNil)
-
-	rsp := getSnapsInfo(snapsCmd, req, nil).(*resp)
-
-	c.Check(rsp.Sources, check.DeepEquals, []string{"local"})
-
-	snaps := snapList(rsp.Result)
-	c.Check(snaps, check.HasLen, 1)
-}
-
 func (s *apiSuite) TestSnapsInfoFilterRemote(c *check.C) {
+	s.daemon(c)
+
 	s.rsnaps = nil
 
 	req, err := http.NewRequest("GET", "/v2/snaps?q=foo&sources=store", nil)
@@ -2111,7 +2311,7 @@
 	// try a multipart/form-data upload
 	body := sideLoadBodyWithoutDevMode
 	head := map[string]string{"Content-Type": "multipart/thing; boundary=--hello--"}
-	chgSummary := s.sideloadCheck(c, body, head, snapstate.Flags{RemoveSnapPath: true})
+	chgSummary := s.sideloadCheck(c, body, head, "local", snapstate.Flags{RemoveSnapPath: true})
 	c.Check(chgSummary, check.Equals, `Install "local" snap from file "a/b/local.snap"`)
 }
 
@@ -2122,7 +2322,7 @@
 	restore := release.MockForcedDevmode(true)
 	defer restore()
 	flags := snapstate.Flags{RemoveSnapPath: true}
-	chgSummary := s.sideloadCheck(c, body, head, flags)
+	chgSummary := s.sideloadCheck(c, body, head, "local", flags)
 	c.Check(chgSummary, check.Equals, `Install "local" snap from file "a/b/local.snap"`)
 }
 
@@ -2141,7 +2341,7 @@
 	// try a multipart/form-data upload
 	flags := snapstate.Flags{RemoveSnapPath: true}
 	flags.DevMode = true
-	chgSummary := s.sideloadCheck(c, body, head, flags)
+	chgSummary := s.sideloadCheck(c, body, head, "local", flags)
 	c.Check(chgSummary, check.Equals, `Install "local" snap from file "x"`)
 }
 
@@ -2163,30 +2363,111 @@
 	head := map[string]string{"Content-Type": "multipart/thing; boundary=--hello--"}
 	// try a multipart/form-data upload
 	flags := snapstate.Flags{JailMode: true, RemoveSnapPath: true}
-	chgSummary := s.sideloadCheck(c, body, head, flags)
+	chgSummary := s.sideloadCheck(c, body, head, "local", flags)
 	c.Check(chgSummary, check.Equals, `Install "local" snap from file "x"`)
 }
 
-func (s *apiSuite) TestSideloadSnapJailModeAndDevmode(c *check.C) {
-	body := "" +
-		"----hello--\r\n" +
-		"Content-Disposition: form-data; name=\"snap\"; filename=\"x\"\r\n" +
-		"\r\n" +
-		"xyzzy\r\n" +
-		"----hello--\r\n" +
-		"Content-Disposition: form-data; name=\"jailmode\"\r\n" +
-		"\r\n" +
-		"true\r\n" +
-		"----hello--\r\n" +
-		"Content-Disposition: form-data; name=\"devmode\"\r\n" +
-		"\r\n" +
-		"true\r\n" +
-		"----hello--\r\n"
-	s.daemonWithOverlordMock(c)
+func (s *apiSuite) sideloadCheck(c *check.C, content string, head map[string]string, expectedInstanceName string, expectedFlags snapstate.Flags) string {
+	d := s.daemonWithFakeSnapManager(c)
 
-	req, err := http.NewRequest("POST", "/v2/snaps", bytes.NewBufferString(body))
-	c.Assert(err, check.IsNil)
-	req.Header.Set("Content-Type", "multipart/thing; boundary=--hello--")
+	soon := 0
+	ensureStateSoon = func(st *state.State) {
+		soon++
+		ensureStateSoonImpl(st)
+	}
+
+	c.Assert(expectedInstanceName != "", check.Equals, true, check.Commentf("expected instance name must be set"))
+	mockedName, _ := snap.SplitInstanceName(expectedInstanceName)
+
+	// setup done
+	installQueue := []string{}
+	unsafeReadSnapInfo = func(path string) (*snap.Info, error) {
+		return &snap.Info{SuggestedName: mockedName}, nil
+	}
+
+	snapstateInstall = func(s *state.State, name, channel string, revision snap.Revision, userID int, flags snapstate.Flags) (*state.TaskSet, error) {
+		// NOTE: ubuntu-core is not installed in developer mode
+		c.Check(flags, check.Equals, snapstate.Flags{})
+		installQueue = append(installQueue, name)
+
+		t := s.NewTask("fake-install-snap", "Doing a fake install")
+		return state.NewTaskSet(t), nil
+	}
+
+	snapstateInstallPath = func(s *state.State, si *snap.SideInfo, path, name, channel string, flags snapstate.Flags) (*state.TaskSet, *snap.Info, error) {
+		c.Check(flags, check.DeepEquals, expectedFlags)
+
+		c.Check(path, testutil.FileEquals, "xyzzy")
+
+		c.Check(name, check.Equals, expectedInstanceName)
+
+		installQueue = append(installQueue, si.RealName+"::"+path)
+		t := s.NewTask("fake-install-snap", "Doing a fake install")
+		return state.NewTaskSet(t), &snap.Info{SuggestedName: name}, nil
+	}
+
+	buf := bytes.NewBufferString(content)
+	req, err := http.NewRequest("POST", "/v2/snaps", buf)
+	c.Assert(err, check.IsNil)
+	for k, v := range head {
+		req.Header.Set(k, v)
+	}
+
+	rsp := postSnaps(snapsCmd, req, nil).(*resp)
+	c.Assert(rsp.Type, check.Equals, ResponseTypeAsync)
+	n := 1
+	c.Assert(installQueue, check.HasLen, n)
+	c.Check(installQueue[n-1], check.Matches, "local::.*/"+regexp.QuoteMeta(dirs.LocalInstallBlobTempPrefix)+".*")
+
+	st := d.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+	chg := st.Change(rsp.Change)
+	c.Assert(chg, check.NotNil)
+
+	c.Check(soon, check.Equals, 1)
+
+	c.Assert(chg.Tasks(), check.HasLen, n)
+
+	st.Unlock()
+	s.waitTrivialChange(c, chg)
+	st.Lock()
+
+	c.Check(chg.Kind(), check.Equals, "install-snap")
+	var names []string
+	err = chg.Get("snap-names", &names)
+	c.Assert(err, check.IsNil)
+	c.Check(names, check.DeepEquals, []string{expectedInstanceName})
+	var apiData map[string]interface{}
+	err = chg.Get("api-data", &apiData)
+	c.Assert(err, check.IsNil)
+	c.Check(apiData, check.DeepEquals, map[string]interface{}{
+		"snap-name": expectedInstanceName,
+	})
+
+	return chg.Summary()
+}
+
+func (s *apiSuite) TestSideloadSnapJailModeAndDevmode(c *check.C) {
+	body := "" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"snap\"; filename=\"x\"\r\n" +
+		"\r\n" +
+		"xyzzy\r\n" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"jailmode\"\r\n" +
+		"\r\n" +
+		"true\r\n" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"devmode\"\r\n" +
+		"\r\n" +
+		"true\r\n" +
+		"----hello--\r\n"
+	s.daemonWithOverlordMock(c)
+
+	req, err := http.NewRequest("POST", "/v2/snaps", bytes.NewBufferString(body))
+	c.Assert(err, check.IsNil)
+	req.Header.Set("Content-Type", "multipart/thing; boundary=--hello--")
 
 	rsp := postSnaps(snapsCmd, req, nil).(*resp)
 	c.Assert(rsp.Type, check.Equals, ResponseTypeError)
@@ -2258,7 +2539,7 @@
 	c.Assert(err, check.IsNil)
 	req.Header.Set("Content-Type", "multipart/thing; boundary=--hello--")
 
-	snapstateInstallPath = func(s *state.State, si *snap.SideInfo, path, channel string, flags snapstate.Flags) (*state.TaskSet, error) {
+	snapstateInstallPath = func(s *state.State, si *snap.SideInfo, path, name, channel string, flags snapstate.Flags) (*state.TaskSet, *snap.Info, error) {
 		c.Check(flags, check.Equals, snapstate.Flags{RemoveSnapPath: true})
 		c.Check(si, check.DeepEquals, &snap.SideInfo{
 			RealName: "x",
@@ -2266,7 +2547,7 @@
 			Revision: snap.R(41),
 		})
 
-		return state.NewTaskSet(), nil
+		return state.NewTaskSet(), &snap.Info{SuggestedName: "x"}, nil
 	}
 
 	rsp := postSnaps(snapsCmd, req, nil).(*resp)
@@ -2336,6 +2617,82 @@
 	c.Assert(rsp.Result.(*errorResult).Message, check.Matches, `cannot find "snap" file field in provided multipart/form-data payload`)
 }
 
+func (s *apiSuite) TestSideloadSnapChangeConflict(c *check.C) {
+	body := "" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"snap\"; filename=\"x\"\r\n" +
+		"\r\n" +
+		"xyzzy\r\n" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"dangerous\"\r\n" +
+		"\r\n" +
+		"true\r\n" +
+		"----hello--\r\n"
+	s.daemonWithOverlordMock(c)
+
+	unsafeReadSnapInfo = func(path string) (*snap.Info, error) {
+		return &snap.Info{SuggestedName: "foo"}, nil
+	}
+
+	snapstateInstallPath = func(s *state.State, si *snap.SideInfo, path, name, channel string, flags snapstate.Flags) (*state.TaskSet, *snap.Info, error) {
+		return nil, nil, &snapstate.ChangeConflictError{Snap: "foo"}
+	}
+
+	req, err := http.NewRequest("POST", "/v2/snaps", bytes.NewBufferString(body))
+	c.Assert(err, check.IsNil)
+	req.Header.Set("Content-Type", "multipart/thing; boundary=--hello--")
+
+	rsp := postSnaps(snapsCmd, req, nil).(*resp)
+	c.Assert(rsp.Type, check.Equals, ResponseTypeError)
+	c.Check(rsp.Result.(*errorResult).Kind, check.Equals, errorKindSnapChangeConflict)
+}
+
+func (s *apiSuite) TestSideloadSnapInstanceName(c *check.C) {
+	// try a multipart/form-data upload
+	body := sideLoadBodyWithoutDevMode +
+		"Content-Disposition: form-data; name=\"name\"\r\n" +
+		"\r\n" +
+		"local_instance\r\n" +
+		"----hello--\r\n"
+	head := map[string]string{"Content-Type": "multipart/thing; boundary=--hello--"}
+	chgSummary := s.sideloadCheck(c, body, head, "local_instance", snapstate.Flags{RemoveSnapPath: true})
+	c.Check(chgSummary, check.Equals, `Install "local_instance" snap from file "a/b/local.snap"`)
+}
+
+func (s *apiSuite) TestSideloadSnapInstanceNameNoKey(c *check.C) {
+	// try a multipart/form-data upload
+	body := sideLoadBodyWithoutDevMode +
+		"Content-Disposition: form-data; name=\"name\"\r\n" +
+		"\r\n" +
+		"local\r\n" +
+		"----hello--\r\n"
+	head := map[string]string{"Content-Type": "multipart/thing; boundary=--hello--"}
+	chgSummary := s.sideloadCheck(c, body, head, "local", snapstate.Flags{RemoveSnapPath: true})
+	c.Check(chgSummary, check.Equals, `Install "local" snap from file "a/b/local.snap"`)
+}
+
+func (s *apiSuite) TestSideloadSnapInstanceNameMismatch(c *check.C) {
+	s.daemonWithFakeSnapManager(c)
+
+	unsafeReadSnapInfo = func(path string) (*snap.Info, error) {
+		return &snap.Info{SuggestedName: "bar"}, nil
+	}
+
+	body := sideLoadBodyWithoutDevMode +
+		"Content-Disposition: form-data; name=\"name\"\r\n" +
+		"\r\n" +
+		"foo_instance\r\n" +
+		"----hello--\r\n"
+
+	req, err := http.NewRequest("POST", "/v2/snaps", bytes.NewBufferString(body))
+	c.Assert(err, check.IsNil)
+	req.Header.Set("Content-Type", "multipart/thing; boundary=--hello--")
+
+	rsp := postSnaps(snapsCmd, req, nil).(*resp)
+	c.Assert(rsp.Type, check.Equals, ResponseTypeError)
+	c.Check(rsp.Result.(*errorResult).Message, check.Equals, `instance name "foo_instance" does not match snap name "bar"`)
+}
+
 func (s *apiSuite) TestTrySnap(c *check.C) {
 	d := s.daemonWithFakeSnapManager(c)
 
@@ -2471,85 +2828,31 @@
 	c.Check(rsp.Result.(*errorResult).Message, testutil.Contains, "not a snap directory")
 }
 
-func (s *apiSuite) sideloadCheck(c *check.C, content string, head map[string]string, expectedFlags snapstate.Flags) string {
-	d := s.daemonWithFakeSnapManager(c)
+func (s *apiSuite) TestTryChangeConflict(c *check.C) {
+	s.daemonWithOverlordMock(c)
 
-	soon := 0
-	ensureStateSoon = func(st *state.State) {
-		soon++
-		ensureStateSoonImpl(st)
-	}
+	// mock a try dir
+	tryDir := c.MkDir()
 
-	// setup done
-	installQueue := []string{}
 	unsafeReadSnapInfo = func(path string) (*snap.Info, error) {
-		return &snap.Info{SuggestedName: "local"}, nil
+		return &snap.Info{SuggestedName: "foo"}, nil
 	}
 
-	snapstateInstall = func(s *state.State, name, channel string, revision snap.Revision, userID int, flags snapstate.Flags) (*state.TaskSet, error) {
-		// NOTE: ubuntu-core is not installed in developer mode
-		c.Check(flags, check.Equals, snapstate.Flags{})
-		installQueue = append(installQueue, name)
-
-		t := s.NewTask("fake-install-snap", "Doing a fake install")
-		return state.NewTaskSet(t), nil
+	snapstateTryPath = func(s *state.State, name, path string, flags snapstate.Flags) (*state.TaskSet, error) {
+		return nil, &snapstate.ChangeConflictError{Snap: "foo"}
 	}
 
-	snapstateInstallPath = func(s *state.State, si *snap.SideInfo, path, channel string, flags snapstate.Flags) (*state.TaskSet, error) {
-		c.Check(flags, check.DeepEquals, expectedFlags)
-
-		c.Check(path, testutil.FileEquals, "xyzzy")
-
-		installQueue = append(installQueue, si.RealName+"::"+path)
-		t := s.NewTask("fake-install-snap", "Doing a fake install")
-		return state.NewTaskSet(t), nil
-	}
-
-	buf := bytes.NewBufferString(content)
-	req, err := http.NewRequest("POST", "/v2/snaps", buf)
-	c.Assert(err, check.IsNil)
-	for k, v := range head {
-		req.Header.Set(k, v)
-	}
-
-	rsp := postSnaps(snapsCmd, req, nil).(*resp)
-	c.Assert(rsp.Type, check.Equals, ResponseTypeAsync)
-	n := 1
-	c.Assert(installQueue, check.HasLen, n)
-	c.Check(installQueue[n-1], check.Matches, "local::.*/snapd-sideload-pkg-.*")
-
-	st := d.overlord.State()
-	st.Lock()
-	defer st.Unlock()
-	chg := st.Change(rsp.Change)
-	c.Assert(chg, check.NotNil)
-
-	c.Check(soon, check.Equals, 1)
-
-	c.Assert(chg.Tasks(), check.HasLen, n)
-
-	st.Unlock()
-	s.waitTrivialChange(c, chg)
-	st.Lock()
-
-	c.Check(chg.Kind(), check.Equals, "install-snap")
-	var names []string
-	err = chg.Get("snap-names", &names)
-	c.Assert(err, check.IsNil)
-	c.Check(names, check.DeepEquals, []string{"local"})
-	var apiData map[string]interface{}
-	err = chg.Get("api-data", &apiData)
+	req, err := http.NewRequest("POST", "/v2/snaps", nil)
 	c.Assert(err, check.IsNil)
-	c.Check(apiData, check.DeepEquals, map[string]interface{}{
-		"snap-name": "local",
-	})
 
-	return chg.Summary()
+	rsp := trySnap(snapsCmd, req, nil, tryDir, snapstate.Flags{}).(*resp)
+	c.Assert(rsp.Type, check.Equals, ResponseTypeError)
+	c.Check(rsp.Result.(*errorResult).Kind, check.Equals, errorKindSnapChangeConflict)
 }
 
-func (s *apiSuite) runGetConf(c *check.C, keys []string, statusCode int) map[string]interface{} {
-	s.vars = map[string]string{"name": "test-snap"}
-	req, err := http.NewRequest("GET", "/v2/snaps/test-snap/conf?keys="+strings.Join(keys, ","), nil)
+func (s *apiSuite) runGetConf(c *check.C, snapName string, keys []string, statusCode int) map[string]interface{} {
+	s.vars = map[string]string{"name": snapName}
+	req, err := http.NewRequest("GET", "/v2/snaps/"+snapName+"/conf?keys="+strings.Join(keys, ","), nil)
 	c.Check(err, check.IsNil)
 	rec := httptest.NewRecorder()
 	snapConfCmd.GET(snapConfCmd, req, nil).ServeHTTP(rec, req)
@@ -2572,16 +2875,40 @@
 	tr.Commit()
 	d.overlord.State().Unlock()
 
-	result := s.runGetConf(c, []string{"test-key1"}, 200)
+	result := s.runGetConf(c, "test-snap", []string{"test-key1"}, 200)
 	c.Check(result, check.DeepEquals, map[string]interface{}{"test-key1": "test-value1"})
 
-	result = s.runGetConf(c, []string{"test-key1", "test-key2"}, 200)
+	result = s.runGetConf(c, "test-snap", []string{"test-key1", "test-key2"}, 200)
 	c.Check(result, check.DeepEquals, map[string]interface{}{"test-key1": "test-value1", "test-key2": "test-value2"})
 }
 
+func (s *apiSuite) TestGetConfCoreSystemAlias(c *check.C) {
+	d := s.daemon(c)
+
+	// Set a config that we'll get in a moment
+	d.overlord.State().Lock()
+	tr := config.NewTransaction(d.overlord.State())
+	tr.Set("core", "test-key1", "test-value1")
+	tr.Commit()
+	d.overlord.State().Unlock()
+
+	result := s.runGetConf(c, "core", []string{"test-key1"}, 200)
+	c.Check(result, check.DeepEquals, map[string]interface{}{"test-key1": "test-value1"})
+
+	result = s.runGetConf(c, "system", []string{"test-key1"}, 200)
+	c.Check(result, check.DeepEquals, map[string]interface{}{"test-key1": "test-value1"})
+}
+
 func (s *apiSuite) TestGetConfMissingKey(c *check.C) {
-	result := s.runGetConf(c, []string{"test-key2"}, 400)
-	c.Check(result, check.DeepEquals, map[string]interface{}{"message": `snap "test-snap" has no "test-key2" configuration option`})
+	result := s.runGetConf(c, "test-snap", []string{"test-key2"}, 400)
+	c.Check(result, check.DeepEquals, map[string]interface{}{
+		"value": map[string]interface{}{
+			"SnapName": "test-snap",
+			"Key":      "test-key2",
+		},
+		"message": `snap "test-snap" has no "test-key2" configuration option`,
+		"kind":    "option-not-found",
+	})
 }
 
 func (s *apiSuite) TestGetRootDocument(c *check.C) {
@@ -2593,13 +2920,14 @@
 	tr.Commit()
 	d.overlord.State().Unlock()
 
-	result := s.runGetConf(c, nil, 200)
+	result := s.runGetConf(c, "test-snap", nil, 200)
 	c.Check(result, check.DeepEquals, map[string]interface{}{"test-key1": "test-value1", "test-key2": "test-value2"})
 }
 
 func (s *apiSuite) TestGetConfBadKey(c *check.C) {
+	s.daemon(c)
 	// TODO: this one in particular should really be a 400 also
-	result := s.runGetConf(c, []string{"."}, 500)
+	result := s.runGetConf(c, "test-snap", []string{"."}, 500)
 	c.Check(result, check.DeepEquals, map[string]interface{}{"message": `invalid option name: ""`})
 }
 
@@ -2651,6 +2979,59 @@
 	}})
 }
 
+func (s *apiSuite) TestSetConfCoreSystemAlias(c *check.C) {
+	d := s.daemon(c)
+	s.mockSnap(c, `
+name: core
+version: 1
+`)
+	// Mock the hook runner
+	hookRunner := testutil.MockCommand(c, "snap", "")
+	defer hookRunner.Restore()
+
+	d.overlord.Loop()
+	defer d.overlord.Stop()
+
+	text, err := json.Marshal(map[string]interface{}{"proxy.ftp": "value"})
+	c.Assert(err, check.IsNil)
+
+	buffer := bytes.NewBuffer(text)
+	req, err := http.NewRequest("PUT", "/v2/snaps/system/conf", buffer)
+	c.Assert(err, check.IsNil)
+
+	s.vars = map[string]string{"name": "system"}
+
+	rec := httptest.NewRecorder()
+	snapConfCmd.PUT(snapConfCmd, req, nil).ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 202)
+
+	var body map[string]interface{}
+	err = json.Unmarshal(rec.Body.Bytes(), &body)
+	c.Assert(err, check.IsNil)
+	id := body["change"].(string)
+
+	st := d.overlord.State()
+	st.Lock()
+	chg := st.Change(id)
+	st.Unlock()
+	c.Assert(chg, check.NotNil)
+
+	<-chg.Ready()
+
+	st.Lock()
+	err = chg.Err()
+	c.Assert(err, check.IsNil)
+
+	tr := config.NewTransaction(st)
+	st.Unlock()
+	c.Assert(err, check.IsNil)
+
+	var value string
+	tr.Get("core", "proxy.ftp", &value)
+	c.Assert(value, check.Equals, "value")
+
+}
+
 func (s *apiSuite) TestSetConfNumber(c *check.C) {
 	d := s.daemon(c)
 	s.mockSnap(c, configYaml)
@@ -2726,6 +3107,55 @@
 		"type": "error"})
 }
 
+func simulateConflict(o *overlord.Overlord, name string) {
+	st := o.State()
+	st.Lock()
+	defer st.Unlock()
+	t := st.NewTask("link-snap", "...")
+	snapsup := &snapstate.SnapSetup{SideInfo: &snap.SideInfo{
+		RealName: name,
+	}}
+	t.Set("snap-setup", snapsup)
+	chg := st.NewChange("manip", "...")
+	chg.AddTask(t)
+}
+
+func (s *apiSuite) TestSetConfChangeConflict(c *check.C) {
+	d := s.daemon(c)
+	s.mockSnap(c, configYaml)
+
+	simulateConflict(d.overlord, "config-snap")
+
+	text, err := json.Marshal(map[string]interface{}{"key": "value"})
+	c.Assert(err, check.IsNil)
+
+	buffer := bytes.NewBuffer(text)
+	req, err := http.NewRequest("PUT", "/v2/snaps/config-snap/conf", buffer)
+	c.Assert(err, check.IsNil)
+
+	s.vars = map[string]string{"name": "config-snap"}
+
+	rec := httptest.NewRecorder()
+	snapConfCmd.PUT(snapConfCmd, req, nil).ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 409)
+
+	var body map[string]interface{}
+	err = json.Unmarshal(rec.Body.Bytes(), &body)
+	c.Assert(err, check.IsNil)
+	c.Check(body, check.DeepEquals, map[string]interface{}{
+		"status-code": 409.,
+		"status":      "Conflict",
+		"result": map[string]interface{}{
+			"message": `snap "config-snap" has "manip" change in progress`,
+			"kind":    "snap-change-conflict",
+			"value": map[string]interface{}{
+				"change-kind": "manip",
+				"snap-name":   "config-snap",
+			},
+		},
+		"type": "error"})
+}
+
 func (s *apiSuite) TestAppIconGet(c *check.C) {
 	d := s.daemon(c)
 
@@ -2804,7 +3234,7 @@
 }
 
 func (s *apiSuite) TestNotInstalledSnapIcon(c *check.C) {
-	info := &snap.Info{SuggestedName: "notInstalledSnap", IconURL: "icon.svg"}
+	info := &snap.Info{SuggestedName: "notInstalledSnap", Media: []snap.MediaInfo{{Type: "icon", URL: "icon.svg"}}}
 	iconfile := snapIcon(info)
 	c.Check(iconfile, testutil.Contains, "icon.svg")
 }
@@ -3025,7 +3455,7 @@
 
 func (s *apiSuite) TestPostSnapsOp(c *check.C) {
 	assertstateRefreshSnapDeclarations = func(*state.State, int) error { return nil }
-	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int) ([]string, []*state.TaskSet, error) {
+	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int, flags *snapstate.Flags) ([]string, []*state.TaskSet, error) {
 		c.Check(names, check.HasLen, 0)
 		t := s.NewTask("fake-refresh-all", "Refreshing everything")
 		return []string{"fake1", "fake2"}, []*state.TaskSet{state.NewTaskSet(t)}, nil
@@ -3070,7 +3500,7 @@
 	} {
 		refreshSnapDecls = false
 
-		snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int) ([]string, []*state.TaskSet, error) {
+		snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int, flags *snapstate.Flags) ([]string, []*state.TaskSet, error) {
 			c.Check(names, check.HasLen, 0)
 			t := s.NewTask("fake-refresh-all", "Refreshing everything")
 			return tst.snaps, []*state.TaskSet{state.NewTaskSet(t)}, nil
@@ -3082,7 +3512,7 @@
 		res, err := snapUpdateMany(inst, st)
 		st.Unlock()
 		c.Assert(err, check.IsNil)
-		c.Check(res.summary, check.Equals, tst.msg)
+		c.Check(res.Summary, check.Equals, tst.msg)
 		c.Check(refreshSnapDecls, check.Equals, true)
 	}
 }
@@ -3094,7 +3524,7 @@
 		return assertstate.RefreshSnapDeclarations(s, userID)
 	}
 
-	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int) ([]string, []*state.TaskSet, error) {
+	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int, flags *snapstate.Flags) ([]string, []*state.TaskSet, error) {
 		c.Check(names, check.HasLen, 0)
 		return nil, nil, nil
 	}
@@ -3106,7 +3536,7 @@
 	res, err := snapUpdateMany(inst, st)
 	st.Unlock()
 	c.Assert(err, check.IsNil)
-	c.Check(res.summary, check.Equals, `Refresh all snaps: no updates`)
+	c.Check(res.Summary, check.Equals, `Refresh all snaps: no updates`)
 	c.Check(refreshSnapDecls, check.Equals, true)
 }
 
@@ -3117,7 +3547,7 @@
 		return nil
 	}
 
-	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int) ([]string, []*state.TaskSet, error) {
+	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int, flags *snapstate.Flags) ([]string, []*state.TaskSet, error) {
 		c.Check(names, check.HasLen, 2)
 		t := s.NewTask("fake-refresh-2", "Refreshing two")
 		return names, []*state.TaskSet{state.NewTaskSet(t)}, nil
@@ -3130,8 +3560,8 @@
 	res, err := snapUpdateMany(inst, st)
 	st.Unlock()
 	c.Assert(err, check.IsNil)
-	c.Check(res.summary, check.Equals, `Refresh snaps "foo", "bar"`)
-	c.Check(res.affected, check.DeepEquals, inst.Snaps)
+	c.Check(res.Summary, check.Equals, `Refresh snaps "foo", "bar"`)
+	c.Check(res.Affected, check.DeepEquals, inst.Snaps)
 	c.Check(refreshSnapDecls, check.Equals, true)
 }
 
@@ -3142,7 +3572,7 @@
 		return nil
 	}
 
-	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int) ([]string, []*state.TaskSet, error) {
+	snapstateUpdateMany = func(_ context.Context, s *state.State, names []string, userID int, flags *snapstate.Flags) ([]string, []*state.TaskSet, error) {
 		c.Check(names, check.HasLen, 1)
 		t := s.NewTask("fake-refresh-1", "Refreshing one")
 		return names, []*state.TaskSet{state.NewTaskSet(t)}, nil
@@ -3155,8 +3585,8 @@
 	res, err := snapUpdateMany(inst, st)
 	st.Unlock()
 	c.Assert(err, check.IsNil)
-	c.Check(res.summary, check.Equals, `Refresh snap "foo"`)
-	c.Check(res.affected, check.DeepEquals, inst.Snaps)
+	c.Check(res.Summary, check.Equals, `Refresh snap "foo"`)
+	c.Check(res.Affected, check.DeepEquals, inst.Snaps)
 	c.Check(refreshSnapDecls, check.Equals, true)
 }
 
@@ -3174,8 +3604,22 @@
 	res, err := snapInstallMany(inst, st)
 	st.Unlock()
 	c.Assert(err, check.IsNil)
-	c.Check(res.summary, check.Equals, `Install snaps "foo", "bar"`)
-	c.Check(res.affected, check.DeepEquals, inst.Snaps)
+	c.Check(res.Summary, check.Equals, `Install snaps "foo", "bar"`)
+	c.Check(res.Affected, check.DeepEquals, inst.Snaps)
+}
+
+func (s *apiSuite) TestInstallManyEmptyName(c *check.C) {
+	snapstateInstallMany = func(_ *state.State, _ []string, _ int) ([]string, []*state.TaskSet, error) {
+		return nil, nil, errors.New("should not be called")
+	}
+	d := s.daemon(c)
+	inst := &snapInstruction{Action: "install", Snaps: []string{"", "bar"}}
+	st := d.overlord.State()
+	st.Lock()
+	res, err := snapInstallMany(inst, st)
+	st.Unlock()
+	c.Assert(res, check.IsNil)
+	c.Assert(err, check.ErrorMatches, "cannot install snap with empty name")
 }
 
 func (s *apiSuite) TestRemoveMany(c *check.C) {
@@ -3192,8 +3636,8 @@
 	res, err := snapRemoveMany(inst, st)
 	st.Unlock()
 	c.Assert(err, check.IsNil)
-	c.Check(res.summary, check.Equals, `Remove snaps "foo", "bar"`)
-	c.Check(res.affected, check.DeepEquals, inst.Snaps)
+	c.Check(res.Summary, check.Equals, `Remove snaps "foo", "bar"`)
+	c.Check(res.Affected, check.DeepEquals, inst.Snaps)
 }
 
 func (s *apiSuite) TestInstallFails(c *check.C) {
@@ -3203,14 +3647,14 @@
 	}
 
 	d := s.daemonWithFakeSnapManager(c)
-
+	s.vars = map[string]string{"name": "hello-world"}
 	buf := bytes.NewBufferString(`{"action": "install"}`)
 	req, err := http.NewRequest("POST", "/v2/snaps/hello-world", buf)
 	c.Assert(err, check.IsNil)
 
 	rsp := postSnap(snapCmd, req, nil).(*resp)
 
-	c.Check(rsp.Type, check.Equals, ResponseTypeAsync)
+	c.Assert(rsp.Type, check.Equals, ResponseTypeAsync)
 
 	st := d.overlord.State()
 	st.Lock()
@@ -3254,6 +3698,32 @@
 	c.Check(err, check.IsNil)
 }
 
+func (s *apiSuite) TestInstall(c *check.C) {
+	var calledName string
+
+	snapstateInstall = func(s *state.State, name, channel string, revision snap.Revision, userID int, flags snapstate.Flags) (*state.TaskSet, error) {
+		calledName = name
+
+		t := s.NewTask("fake-install-snap", "Doing a fake install")
+		return state.NewTaskSet(t), nil
+	}
+
+	d := s.daemon(c)
+	inst := &snapInstruction{
+		Action: "install",
+		// Install the snap in developer mode
+		DevMode: true,
+		Snaps:   []string{"fake"},
+	}
+
+	st := d.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+	_, _, err := inst.dispatch()(inst, st)
+	c.Check(err, check.IsNil)
+	c.Check(calledName, check.Equals, "fake")
+}
+
 func (s *apiSuite) TestInstallDevMode(c *check.C) {
 	var calledFlags snapstate.Flags
 
@@ -3307,22 +3777,39 @@
 	c.Check(calledFlags.JailMode, check.Equals, true)
 }
 
-func (s *apiSuite) TestInstallJailModeDevModeOS(c *check.C) {
-	restore := release.MockForcedDevmode(true)
-	defer restore()
-
+func (s *apiSuite) TestInstallJailModeDevModeOS(c *check.C) {
+	restore := release.MockForcedDevmode(true)
+	defer restore()
+
+	d := s.daemon(c)
+	inst := &snapInstruction{
+		Action:   "install",
+		JailMode: true,
+		Snaps:    []string{"foo"},
+	}
+
+	st := d.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+	_, _, err := inst.dispatch()(inst, st)
+	c.Check(err, check.ErrorMatches, "this system cannot honour the jailmode flag")
+}
+
+func (s *apiSuite) TestInstallEmptyName(c *check.C) {
+	snapstateInstall = func(_ *state.State, _, _ string, _ snap.Revision, _ int, _ snapstate.Flags) (*state.TaskSet, error) {
+		return nil, errors.New("should not be called")
+	}
 	d := s.daemon(c)
 	inst := &snapInstruction{
-		Action:   "install",
-		JailMode: true,
-		Snaps:    []string{"foo"},
+		Action: "install",
+		Snaps:  []string{""},
 	}
 
 	st := d.overlord.State()
 	st.Lock()
 	defer st.Unlock()
 	_, _, err := inst.dispatch()(inst, st)
-	c.Check(err, check.ErrorMatches, "this system cannot honour the jailmode flag")
+	c.Check(err, check.ErrorMatches, "cannot install snap with empty name")
 }
 
 func (s *apiSuite) TestInstallJailModeDevMode(c *check.C) {
@@ -3418,21 +3905,44 @@
 	return snaps
 }
 
+// inverseCaseMapper implements SnapMapper to use lower case internally and upper case externally.
+type inverseCaseMapper struct {
+	ifacestate.IdentityMapper // Embed the identity mapper to reuse empty state mapping functions.
+}
+
+func (m *inverseCaseMapper) RemapSnapFromRequest(snapName string) string {
+	return strings.ToLower(snapName)
+}
+
+func (m *inverseCaseMapper) RemapSnapToResponse(snapName string) string {
+	return strings.ToUpper(snapName)
+}
+
+func (m *inverseCaseMapper) SystemSnapName() string {
+	return "core"
+}
+
 // Tests for GET /v2/interfaces
 
-func (s *apiSuite) TestInterfaces(c *check.C) {
-	builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+func (s *apiSuite) TestInterfacesLegacy(c *check.C) {
+	restore := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer restore()
+	// Install an inverse case mapper to exercise the interface mapping at the same time.
+	restore = ifacestate.MockSnapMapper(&inverseCaseMapper{})
+	defer restore()
+
 	d := s.daemon(c)
 
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
 
 	repo := d.overlord.InterfaceManager().Repository()
-	connRef := interfaces.ConnRef{
+	connRef := &interfaces.ConnRef{
 		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
 		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"},
 	}
-	c.Assert(repo.Connect(connRef), check.IsNil)
+	_, err := repo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, check.IsNil)
 
 	req, err := http.NewRequest("GET", "/v2/interfaces", nil)
 	c.Assert(err, check.IsNil)
@@ -3477,93 +3987,58 @@
 	})
 }
 
-/**
-// Tests for GET /v2/interface (note: singular!)
+func (s *apiSuite) TestInterfacesModern(c *check.C) {
+	restore := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer restore()
+	// Install an inverse case mapper to exercise the interface mapping at the same time.
+	restore = ifacestate.MockSnapMapper(&inverseCaseMapper{})
+	defer restore()
 
-func (s *apiSuite) TestInterfaceIndex(c *check.C) {
 	d := s.daemon(c)
 
-	s.mockIface(c, &ifacetest.TestInterface{
-		InterfaceName: "test",
-		InterfaceStaticInfo: interfaces.StaticInfo{
-			Summary: "summary",
-		},
-	})
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
 
 	repo := d.overlord.InterfaceManager().Repository()
-	connRef := interfaces.ConnRef{
+	connRef := &interfaces.ConnRef{
 		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
 		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"},
 	}
-	c.Assert(repo.Connect(connRef), check.IsNil)
-
-	req, err := http.NewRequest("GET", "/v2/interface", nil)
+	_, err := repo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, check.IsNil)
-	rec := httptest.NewRecorder()
-	interfaceIndexCmd.GET(interfaceIndexCmd, req, nil).ServeHTTP(rec, req)
-	c.Check(rec.Code, check.Equals, 200)
-	var body map[string]interface{}
-	err = json.Unmarshal(rec.Body.Bytes(), &body)
-	c.Check(err, check.IsNil)
-	// The body contains large number of interface names, ensure that just the
-	// test one,  added above, exists.
-	c.Check(body["result"], testutil.DeepContains, map[string]interface{}{
-		"name":    "test",
-		"summary": "summary",
-		"used":    true,
-	})
-	c.Check(body["status"], check.Equals, "OK")
-	c.Check(body["status-code"], check.Equals, 200.0)
-	c.Check(body["type"], check.Equals, "sync")
-}
-
-// Tests for GET /v2/interface/test
-
-func (s *apiSuite) TestInterfaceDetail(c *check.C) {
-	_ = s.daemon(c)
-
-	s.mockIface(c, &ifacetest.TestInterface{
-		InterfaceName: "test",
-		InterfaceStaticInfo: interfaces.StaticInfo{
-			Summary: "summary",
-		},
-	})
-	s.mockSnap(c, consumerYaml)
-	s.mockSnap(c, producerYaml)
 
-	// NOTE: this is confusing, we must set s.vars manually,
-	s.vars = map[string]string{"name": "test"}
-	req, err := http.NewRequest("GET", "/v2/interface/test", nil)
+	req, err := http.NewRequest("GET", "/v2/interfaces?select=connected&doc=true&plugs=true&slots=true", nil)
 	c.Assert(err, check.IsNil)
 	rec := httptest.NewRecorder()
-	interfaceDetailCmd.GET(interfaceDetailCmd, req, nil).ServeHTTP(rec, req)
+	interfacesCmd.GET(interfacesCmd, req, nil).ServeHTTP(rec, req)
 	c.Check(rec.Code, check.Equals, 200)
 	var body map[string]interface{}
 	err = json.Unmarshal(rec.Body.Bytes(), &body)
 	c.Check(err, check.IsNil)
 	c.Check(body, check.DeepEquals, map[string]interface{}{
-		"result": map[string]interface{}{
-			"name":    "test",
-			"summary": "summary",
-			"plugs": []interface{}{
-				map[string]interface{}{
-					"snap":  "consumer",
-					"plug":  "plug",
-					"label": "label",
-					"attrs": map[string]interface{}{"key": "value"},
-				},
-			},
-			"slots": []interface{}{
-				map[string]interface{}{
-					"snap":  "producer",
-					"slot":  "slot",
-					"label": "label",
-					"attrs": map[string]interface{}{"key": "value"},
+		"result": []interface{}{
+			map[string]interface{}{
+				"name": "test",
+				"plugs": []interface{}{
+					map[string]interface{}{
+						"snap":  "consumer",
+						"plug":  "plug",
+						"label": "label",
+						"attrs": map[string]interface{}{
+							"key": "value",
+						},
+					}},
+				"slots": []interface{}{
+					map[string]interface{}{
+						"snap":  "producer",
+						"slot":  "slot",
+						"label": "label",
+						"attrs": map[string]interface{}{
+							"key": "value",
+						},
+					},
 				},
 			},
-			"used": true,
 		},
 		"status":      "OK",
 		"status-code": 200.0,
@@ -3571,35 +4046,15 @@
 	})
 }
 
-func (s *apiSuite) TestInterfaceDetail404(c *check.C) {
-	_ = s.daemon(c)
-
-	// NOTE: this is confusing, we must set s.vars manually,
-	s.vars = map[string]string{"name": "test"}
-	req, err := http.NewRequest("GET", "/v2/interface/test", nil)
-	c.Assert(err, check.IsNil)
-	rec := httptest.NewRecorder()
-	interfaceDetailCmd.GET(interfaceDetailCmd, req, nil).ServeHTTP(rec, req)
-	c.Check(rec.Code, check.Equals, 404)
-	var body map[string]interface{}
-	err = json.Unmarshal(rec.Body.Bytes(), &body)
-	c.Check(err, check.IsNil)
-	c.Check(body, check.DeepEquals, map[string]interface{}{
-		"result": map[string]interface{}{
-			"message": `cannot find interface named "test"`,
-		},
-		"status":      "Not Found",
-		"status-code": 404.0,
-		"type":        "error",
-	})
-}
-
-**/
-
 // Test for POST /v2/interfaces
 
 func (s *apiSuite) TestConnectPlugSuccess(c *check.C) {
-	builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	restore := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer restore()
+	// Install an inverse case mapper to exercise the interface mapping at the same time.
+	restore = ifacestate.MockSnapMapper(&inverseCaseMapper{})
+	defer restore()
+
 	d := s.daemon(c)
 
 	s.mockSnap(c, consumerYaml)
@@ -3610,8 +4065,8 @@
 
 	action := &interfaceAction{
 		Action: "connect",
-		Plugs:  []plugJSON{{Snap: "consumer", Name: "plug"}},
-		Slots:  []slotJSON{{Snap: "producer", Name: "slot"}},
+		Plugs:  []plugJSON{{Snap: "CONSUMER", Name: "plug"}},
+		Slots:  []slotJSON{{Snap: "PRODUCER", Name: "slot"}},
 	}
 	text, err := json.Marshal(action)
 	c.Assert(err, check.IsNil)
@@ -3642,7 +4097,10 @@
 	repo := d.overlord.InterfaceManager().Repository()
 	ifaces := repo.Interfaces()
 	c.Assert(ifaces.Connections, check.HasLen, 1)
-	c.Check(ifaces.Connections, check.DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+	c.Check(ifaces.Connections, check.DeepEquals, []*interfaces.ConnRef{{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"},
+	}})
 }
 
 func (s *apiSuite) TestConnectPlugFailureInterfaceMismatch(c *check.C) {
@@ -3721,6 +4179,60 @@
 	c.Assert(ifaces.Connections, check.HasLen, 0)
 }
 
+func (s *apiSuite) TestConnectAlreadyConnected(c *check.C) {
+	d := s.daemon(c)
+
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	// there is no consumer, no plug defined
+	s.mockSnap(c, producerYaml)
+	s.mockSnap(c, consumerYaml)
+
+	repo := d.overlord.InterfaceManager().Repository()
+	connRef := &interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"},
+	}
+
+	d.overlord.Loop()
+	defer d.overlord.Stop()
+
+	_, err := repo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, check.IsNil)
+	conns := map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{
+			"auto": false,
+		},
+	}
+	st := d.overlord.State()
+	st.Lock()
+	st.Set("conns", conns)
+	st.Unlock()
+
+	action := &interfaceAction{
+		Action: "connect",
+		Plugs:  []plugJSON{{Snap: "consumer", Name: "plug"}},
+		Slots:  []slotJSON{{Snap: "producer", Name: "slot"}},
+	}
+	text, err := json.Marshal(action)
+	c.Assert(err, check.IsNil)
+	buf := bytes.NewBuffer(text)
+	req, err := http.NewRequest("POST", "/v2/interfaces", buf)
+	c.Assert(err, check.IsNil)
+	rec := httptest.NewRecorder()
+	interfacesCmd.POST(interfacesCmd, req, nil).ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 202)
+	var body map[string]interface{}
+	err = json.Unmarshal(rec.Body.Bytes(), &body)
+	c.Check(err, check.IsNil)
+	id := body["change"].(string)
+
+	st.Lock()
+	chg := st.Change(id)
+	c.Assert(chg.Tasks(), check.HasLen, 0)
+	c.Assert(chg.Status(), check.Equals, state.DoneStatus)
+	st.Unlock()
+}
+
 func (s *apiSuite) TestConnectPlugFailureNoSuchSlot(c *check.C) {
 	d := s.daemon(c)
 
@@ -3760,19 +4272,124 @@
 	c.Assert(ifaces.Connections, check.HasLen, 0)
 }
 
+func (s *apiSuite) TestConnectPlugChangeConflict(c *check.C) {
+	d := s.daemon(c)
+
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+	// there is no producer, no slot defined
+
+	simulateConflict(d.overlord, "consumer")
+
+	action := &interfaceAction{
+		Action: "connect",
+		Plugs:  []plugJSON{{Snap: "consumer", Name: "plug"}},
+		Slots:  []slotJSON{{Snap: "producer", Name: "slot"}},
+	}
+	text, err := json.Marshal(action)
+	c.Assert(err, check.IsNil)
+	buf := bytes.NewBuffer(text)
+	req, err := http.NewRequest("POST", "/v2/interfaces", buf)
+	c.Assert(err, check.IsNil)
+	rec := httptest.NewRecorder()
+	interfacesCmd.POST(interfacesCmd, req, nil).ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 409)
+
+	var body map[string]interface{}
+	err = json.Unmarshal(rec.Body.Bytes(), &body)
+	c.Check(err, check.IsNil)
+	c.Check(body, check.DeepEquals, map[string]interface{}{
+		"status-code": 409.,
+		"status":      "Conflict",
+		"result": map[string]interface{}{
+			"message": `snap "consumer" has "manip" change in progress`,
+			"kind":    "snap-change-conflict",
+			"value": map[string]interface{}{
+				"change-kind": "manip",
+				"snap-name":   "consumer",
+			},
+		},
+		"type": "error"})
+}
+
+func (s *apiSuite) TestConnectCoreSystemAlias(c *check.C) {
+	revert := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer revert()
+	d := s.daemon(c)
+
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, coreProducerYaml)
+
+	d.overlord.Loop()
+	defer d.overlord.Stop()
+
+	action := &interfaceAction{
+		Action: "connect",
+		Plugs:  []plugJSON{{Snap: "consumer", Name: "plug"}},
+		Slots:  []slotJSON{{Snap: "system", Name: "slot"}},
+	}
+	text, err := json.Marshal(action)
+	c.Assert(err, check.IsNil)
+	buf := bytes.NewBuffer(text)
+	req, err := http.NewRequest("POST", "/v2/interfaces", buf)
+	c.Assert(err, check.IsNil)
+	rec := httptest.NewRecorder()
+	interfacesCmd.POST(interfacesCmd, req, nil).ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 202)
+	var body map[string]interface{}
+	err = json.Unmarshal(rec.Body.Bytes(), &body)
+	c.Check(err, check.IsNil)
+	id := body["change"].(string)
+
+	st := d.overlord.State()
+	st.Lock()
+	chg := st.Change(id)
+	st.Unlock()
+	c.Assert(chg, check.NotNil)
+
+	<-chg.Ready()
+
+	st.Lock()
+	err = chg.Err()
+	st.Unlock()
+	c.Assert(err, check.IsNil)
+
+	repo := d.overlord.InterfaceManager().Repository()
+	ifaces := repo.Interfaces()
+	c.Assert(ifaces.Connections, check.HasLen, 1)
+	c.Check(ifaces.Connections, check.DeepEquals, []*interfaces.ConnRef{{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "core", Name: "slot"}}})
+}
+
 func (s *apiSuite) testDisconnect(c *check.C, plugSnap, plugName, slotSnap, slotName string) {
-	builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	restore := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer restore()
+	// Install an inverse case mapper to exercise the interface mapping at the same time.
+	restore = ifacestate.MockSnapMapper(&inverseCaseMapper{})
+	defer restore()
 	d := s.daemon(c)
 
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
 
 	repo := d.overlord.InterfaceManager().Repository()
-	connRef := interfaces.ConnRef{
+	connRef := &interfaces.ConnRef{
 		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
 		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"},
 	}
-	c.Assert(repo.Connect(connRef), check.IsNil)
+	_, err := repo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	st := d.overlord.State()
+	st.Lock()
+	st.Set("conns", map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{
+			"interface": "test",
+		},
+	})
+	st.Unlock()
 
 	d.overlord.Loop()
 	defer d.overlord.Stop()
@@ -3795,7 +4412,6 @@
 	c.Check(err, check.IsNil)
 	id := body["change"].(string)
 
-	st := d.overlord.State()
 	st.Lock()
 	chg := st.Change(id)
 	st.Unlock()
@@ -3813,19 +4429,20 @@
 }
 
 func (s *apiSuite) TestDisconnectPlugSuccess(c *check.C) {
-	s.testDisconnect(c, "consumer", "plug", "producer", "slot")
+	s.testDisconnect(c, "CONSUMER", "plug", "PRODUCER", "slot")
 }
 
 func (s *apiSuite) TestDisconnectPlugSuccessWithEmptyPlug(c *check.C) {
-	s.testDisconnect(c, "", "", "producer", "slot")
+	s.testDisconnect(c, "", "", "PRODUCER", "slot")
 }
 
 func (s *apiSuite) TestDisconnectPlugSuccessWithEmptySlot(c *check.C) {
-	s.testDisconnect(c, "consumer", "plug", "", "")
+	s.testDisconnect(c, "CONSUMER", "plug", "", "")
 }
 
 func (s *apiSuite) TestDisconnectPlugFailureNoSuchPlug(c *check.C) {
-	builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	revert := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer revert()
 	s.daemon(c)
 
 	// there is no consumer, no plug defined
@@ -3858,7 +4475,8 @@
 }
 
 func (s *apiSuite) TestDisconnectPlugNothingToDo(c *check.C) {
-	builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	revert := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer revert()
 	s.daemon(c)
 
 	s.mockSnap(c, consumerYaml)
@@ -3892,7 +4510,8 @@
 }
 
 func (s *apiSuite) TestDisconnectPlugFailureNoSuchSlot(c *check.C) {
-	builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	revert := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer revert()
 	s.daemon(c)
 
 	s.mockSnap(c, consumerYaml)
@@ -3919,23 +4538,79 @@
 		"result": map[string]interface{}{
 			"message": "snap \"producer\" has no slot named \"slot\"",
 		},
-		"status":      "Bad Request",
-		"status-code": 400.0,
-		"type":        "error",
+		"status":      "Bad Request",
+		"status-code": 400.0,
+		"type":        "error",
+	})
+}
+
+func (s *apiSuite) TestDisconnectPlugFailureNotConnected(c *check.C) {
+	revert := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer revert()
+	s.daemon(c)
+
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+
+	action := &interfaceAction{
+		Action: "disconnect",
+		Plugs:  []plugJSON{{Snap: "consumer", Name: "plug"}},
+		Slots:  []slotJSON{{Snap: "producer", Name: "slot"}},
+	}
+	text, err := json.Marshal(action)
+	c.Assert(err, check.IsNil)
+	buf := bytes.NewBuffer(text)
+	req, err := http.NewRequest("POST", "/v2/interfaces", buf)
+	c.Assert(err, check.IsNil)
+	rec := httptest.NewRecorder()
+	interfacesCmd.POST(interfacesCmd, req, nil).ServeHTTP(rec, req)
+
+	c.Check(rec.Code, check.Equals, 400)
+	var body map[string]interface{}
+	err = json.Unmarshal(rec.Body.Bytes(), &body)
+	c.Check(err, check.IsNil)
+	c.Check(body, check.DeepEquals, map[string]interface{}{
+		"result": map[string]interface{}{
+			"message": "cannot disconnect consumer:plug from producer:slot, it is not connected",
+		},
+		"status":      "Bad Request",
+		"status-code": 400.0,
+		"type":        "error",
+	})
+}
+
+func (s *apiSuite) TestDisconnectCoreSystemAlias(c *check.C) {
+	revert := builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
+	defer revert()
+	d := s.daemon(c)
+
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, coreProducerYaml)
+
+	repo := d.overlord.InterfaceManager().Repository()
+	connRef := &interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "core", Name: "slot"},
+	}
+	_, err := repo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	st := d.overlord.State()
+	st.Lock()
+	st.Set("conns", map[string]interface{}{
+		"consumer:plug core:slot": map[string]interface{}{
+			"interface": "test",
+		},
 	})
-}
-
-func (s *apiSuite) TestDisconnectPlugFailureNotConnected(c *check.C) {
-	builtin.MockInterface(&ifacetest.TestInterface{InterfaceName: "test"})
-	s.daemon(c)
+	st.Unlock()
 
-	s.mockSnap(c, consumerYaml)
-	s.mockSnap(c, producerYaml)
+	d.overlord.Loop()
+	defer d.overlord.Stop()
 
 	action := &interfaceAction{
 		Action: "disconnect",
 		Plugs:  []plugJSON{{Snap: "consumer", Name: "plug"}},
-		Slots:  []slotJSON{{Snap: "producer", Name: "slot"}},
+		Slots:  []slotJSON{{Snap: "system", Name: "slot"}},
 	}
 	text, err := json.Marshal(action)
 	c.Assert(err, check.IsNil)
@@ -3944,19 +4619,26 @@
 	c.Assert(err, check.IsNil)
 	rec := httptest.NewRecorder()
 	interfacesCmd.POST(interfacesCmd, req, nil).ServeHTTP(rec, req)
-
-	c.Check(rec.Code, check.Equals, 400)
+	c.Check(rec.Code, check.Equals, 202)
 	var body map[string]interface{}
 	err = json.Unmarshal(rec.Body.Bytes(), &body)
 	c.Check(err, check.IsNil)
-	c.Check(body, check.DeepEquals, map[string]interface{}{
-		"result": map[string]interface{}{
-			"message": "cannot disconnect consumer:plug from producer:slot, it is not connected",
-		},
-		"status":      "Bad Request",
-		"status-code": 400.0,
-		"type":        "error",
-	})
+	id := body["change"].(string)
+
+	st.Lock()
+	chg := st.Change(id)
+	st.Unlock()
+	c.Assert(chg, check.NotNil)
+
+	<-chg.Ready()
+
+	st.Lock()
+	err = chg.Err()
+	st.Unlock()
+	c.Assert(err, check.IsNil)
+
+	ifaces := repo.Interfaces()
+	c.Assert(ifaces.Connections, check.HasLen, 0)
 }
 
 func (s *apiSuite) TestUnsupportedInterfaceRequest(c *check.C) {
@@ -4560,7 +5242,7 @@
 		  "currency": "EUR"
 		}`
 
-var validBuyOptions = &store.BuyOptions{
+var validBuyOptions = &client.BuyOptions{
 	SnapID:   "the-snap-id-1234abcd",
 	Price:    1.23,
 	Currency: "EUR",
@@ -4568,21 +5250,21 @@
 
 var buyTests = []struct {
 	input                string
-	result               *store.BuyResult
+	result               *client.BuyResult
 	err                  error
 	expectedStatus       int
 	expectedResult       interface{}
 	expectedResponseType ResponseType
-	expectedBuyOptions   *store.BuyOptions
+	expectedBuyOptions   *client.BuyOptions
 }{
 	{
 		// Success
 		input: validBuyInput,
-		result: &store.BuyResult{
+		result: &client.BuyResult{
 			State: "Complete",
 		},
 		expectedStatus: 200,
-		expectedResult: &store.BuyResult{
+		expectedResult: &client.BuyResult{
 			State: "Complete",
 		},
 		expectedResponseType: ResponseTypeSync,
@@ -4601,7 +5283,7 @@
 		expectedResult: &errorResult{
 			Message: "internal error banana",
 		},
-		expectedBuyOptions: &store.BuyOptions{
+		expectedBuyOptions: &client.BuyOptions{
 			SnapID:   "the-snap-id-1234abcd",
 			Price:    1.23,
 			Currency: "EUR",
@@ -4658,6 +5340,8 @@
 }
 
 func (s *apiSuite) TestBuySnap(c *check.C) {
+	s.daemon(c)
+
 	for _, test := range buyTests {
 		s.buyResult = test.result
 		s.err = test.err
@@ -4733,6 +5417,8 @@
 }
 
 func (s *apiSuite) TestReadyToBuy(c *check.C) {
+	s.daemon(c)
+
 	for _, test := range readyToBuyTests {
 		s.err = test.input
 
@@ -4778,7 +5464,6 @@
 	postCreateUserUcrednetGet = ucrednetGet
 	userLookup = user.Lookup
 	osutilAddUser = osutil.AddUser
-	storeUserInfo = store.UserInfo
 }
 
 func mkUserLookup(userHomeDir string) func(string) (*user.User, error) {
@@ -4794,15 +5479,12 @@
 	restore := release.MockOnClassic(false)
 	defer restore()
 
-	storeUserInfo = func(user string) (*store.User, error) {
-		c.Check(user, check.Equals, "popper@lse.ac.uk")
-		return &store.User{
-			Username:         "karl",
-			OpenIDIdentifier: "xxyyzz",
-		}, nil
+	s.userInfoExpectedEmail = "popper@lse.ac.uk"
+	s.userInfoResult = &store.User{
+		Username:         "karl",
+		OpenIDIdentifier: "xxyyzz",
 	}
-
-	buf := bytes.NewBufferString(`{"email": "popper@lse.ac.uk"}`)
+	buf := bytes.NewBufferString(fmt.Sprintf(`{"email": "%s"}`, s.userInfoExpectedEmail))
 	req, err := http.NewRequest("POST", "/v2/create-user", buf)
 	c.Assert(err, check.IsNil)
 
@@ -4816,16 +5498,12 @@
 	restore := release.MockOnClassic(false)
 	defer restore()
 
-	expectedEmail := "popper@lse.ac.uk"
 	expectedUsername := "karl"
-
-	storeUserInfo = func(user string) (*store.User, error) {
-		c.Check(user, check.Equals, expectedEmail)
-		return &store.User{
-			Username:         expectedUsername,
-			SSHKeys:          []string{"ssh1", "ssh2"},
-			OpenIDIdentifier: "xxyyzz",
-		}, nil
+	s.userInfoExpectedEmail = "popper@lse.ac.uk"
+	s.userInfoResult = &store.User{
+		Username:         expectedUsername,
+		SSHKeys:          []string{"ssh1", "ssh2"},
+		OpenIDIdentifier: "xxyyzz",
 	}
 	osutilAddUser = func(username string, opts *osutil.AddUserOptions) error {
 		c.Check(username, check.Equals, expectedUsername)
@@ -4835,7 +5513,7 @@
 		return nil
 	}
 
-	buf := bytes.NewBufferString(fmt.Sprintf(`{"email": "%s"}`, expectedEmail))
+	buf := bytes.NewBufferString(fmt.Sprintf(`{"email": "%s"}`, s.userInfoExpectedEmail))
 	req, err := http.NewRequest("POST", "/v2/create-user", buf)
 	c.Assert(err, check.IsNil)
 
@@ -4857,18 +5535,22 @@
 	state.Unlock()
 	c.Check(err, check.IsNil)
 	c.Check(user.Username, check.Equals, expectedUsername)
-	c.Check(user.Email, check.Equals, expectedEmail)
+	c.Check(user.Email, check.Equals, s.userInfoExpectedEmail)
 	c.Check(user.Macaroon, check.NotNil)
 	// auth saved to user home dir
 	outfile := filepath.Join(s.mockUserHome, ".snap", "auth.json")
 	c.Check(osutil.FileExists(outfile), check.Equals, true)
 	c.Check(outfile, testutil.FileEquals,
 		fmt.Sprintf(`{"id":%d,"username":"%s","email":"%s","macaroon":"%s"}`,
-			1, expectedUsername, expectedEmail, user.Macaroon))
+			1, expectedUsername, s.userInfoExpectedEmail, user.Macaroon))
 }
 
 func (s *postCreateUserSuite) TestGetUserDetailsFromAssertionModelNotFound(c *check.C) {
 	st := s.d.overlord.State()
+	st.Lock()
+	auth.SetDevice(st, nil)
+	st.Unlock()
+
 	email := "foo@example.com"
 
 	username, opts, err := getUserDetailsFromAssertion(st, email)
@@ -4885,7 +5567,7 @@
 
 	signerAcct := assertstest.NewAccount(s.storeSigning, accountID, map[string]interface{}{
 		"account-id":   accountID,
-		"verification": "certified",
+		"verification": "verified",
 	}, "")
 	s.storeSigning.Add(signerAcct)
 	assertAdd(st, signerAcct)
@@ -5037,6 +5719,53 @@
 		c.Check(opts.Gecos, check.Equals, "foo@bar.com,Boring Guy")
 		c.Check(opts.Sudoer, check.Equals, false)
 		c.Check(opts.Password, check.Equals, "$6$salt$hash")
+		c.Check(opts.ForcePasswordChange, check.Equals, false)
+		return nil
+	}
+
+	defer func() {
+		osutilAddUser = osutil.AddUser
+	}()
+
+	// do it!
+	buf := bytes.NewBufferString(`{"email": "foo@bar.com","known":true}`)
+	req, err := http.NewRequest("POST", "/v2/create-user", buf)
+	c.Assert(err, check.IsNil)
+
+	rsp := postCreateUser(createUserCmd, req, nil).(*resp)
+
+	expected := &userResponseData{
+		Username: "guy",
+	}
+
+	c.Check(rsp.Type, check.Equals, ResponseTypeSync)
+	c.Check(rsp.Result, check.FitsTypeOf, expected)
+	c.Check(rsp.Result, check.DeepEquals, expected)
+
+	// ensure the user was added to the state
+	st := s.d.overlord.State()
+	st.Lock()
+	users, err := auth.Users(st)
+	c.Assert(err, check.IsNil)
+	st.Unlock()
+	c.Check(users, check.HasLen, 1)
+}
+
+func (s *postCreateUserSuite) TestPostCreateUserFromAssertionWithForcePasswordChnage(c *check.C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	lusers := []map[string]interface{}{goodUser}
+	lusers[0]["force-password-change"] = "true"
+	s.makeSystemUsers(c, lusers)
+
+	// mock the calls that create the user
+	osutilAddUser = func(username string, opts *osutil.AddUserOptions) error {
+		c.Check(username, check.Equals, "guy")
+		c.Check(opts.Gecos, check.Equals, "foo@bar.com,Boring Guy")
+		c.Check(opts.Sudoer, check.Equals, false)
+		c.Check(opts.Password, check.Equals, "$6$salt$hash")
+		c.Check(opts.ForcePasswordChange, check.Equals, true)
 		return nil
 	}
 
@@ -5259,6 +5988,16 @@
 	c.Check(rsp.Result.(map[string]interface{})["managed"], check.Equals, true)
 }
 
+func (s *postCreateUserSuite) TestSysInfoWorksDegraded(c *check.C) {
+	s.d.SetDegradedMode(fmt.Errorf("some error"))
+
+	req, err := http.NewRequest("GET", "/v2/system-info", nil)
+	c.Assert(err, check.IsNil)
+
+	rsp := sysInfo(sysInfoCmd, req, nil).(*resp)
+	c.Check(rsp.Status, check.Equals, 200)
+}
+
 // aliases
 
 func (s *apiSuite) TestAliasSuccess(c *check.C) {
@@ -5313,6 +6052,53 @@
 	c.Check(osutil.IsSymlink(filepath.Join(dirs.SnapBinariesDir, "alias1")), check.Equals, true)
 }
 
+func (s *apiSuite) TestAliasChangeConflict(c *check.C) {
+	err := os.MkdirAll(dirs.SnapBinariesDir, 0755)
+	c.Assert(err, check.IsNil)
+	d := s.daemon(c)
+
+	s.mockSnap(c, aliasYaml)
+
+	simulateConflict(d.overlord, "alias-snap")
+
+	oldAutoAliases := snapstate.AutoAliases
+	snapstate.AutoAliases = func(*state.State, *snap.Info) (map[string]string, error) {
+		return nil, nil
+	}
+	defer func() { snapstate.AutoAliases = oldAutoAliases }()
+
+	action := &aliasAction{
+		Action: "alias",
+		Snap:   "alias-snap",
+		App:    "app",
+		Alias:  "alias1",
+	}
+	text, err := json.Marshal(action)
+	c.Assert(err, check.IsNil)
+	buf := bytes.NewBuffer(text)
+	req, err := http.NewRequest("POST", "/v2/aliases", buf)
+	c.Assert(err, check.IsNil)
+	rec := httptest.NewRecorder()
+	aliasesCmd.POST(aliasesCmd, req, nil).ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 409)
+
+	var body map[string]interface{}
+	err = json.Unmarshal(rec.Body.Bytes(), &body)
+	c.Check(err, check.IsNil)
+	c.Check(body, check.DeepEquals, map[string]interface{}{
+		"status-code": 409.,
+		"status":      "Conflict",
+		"result": map[string]interface{}{
+			"message": `snap "alias-snap" has "manip" change in progress`,
+			"kind":    "snap-change-conflict",
+			"value": map[string]interface{}{
+				"change-kind": "manip",
+				"snap-name":   "alias-snap",
+			},
+		},
+		"type": "error"})
+}
+
 func (s *apiSuite) TestAliasErrors(c *check.C) {
 	s.daemon(c)
 
@@ -5777,12 +6563,26 @@
 	c.Check(calledFlags.Unaliased, check.Equals, true)
 }
 
-func (s *apiSuite) TestSplitQS(c *check.C) {
-	c.Check(splitQS("foo,bar"), check.DeepEquals, []string{"foo", "bar"})
-	c.Check(splitQS("foo , bar"), check.DeepEquals, []string{"foo", "bar"})
-	c.Check(splitQS("foo ,, bar"), check.DeepEquals, []string{"foo", "bar"})
-	c.Check(splitQS(""), check.HasLen, 0)
-	c.Check(splitQS(","), check.HasLen, 0)
+func (s *apiSuite) TestInstallPathUnaliased(c *check.C) {
+	body := "" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"snap\"; filename=\"x\"\r\n" +
+		"\r\n" +
+		"xyzzy\r\n" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"devmode\"\r\n" +
+		"\r\n" +
+		"true\r\n" +
+		"----hello--\r\n" +
+		"Content-Disposition: form-data; name=\"unaliased\"\r\n" +
+		"\r\n" +
+		"true\r\n" +
+		"----hello--\r\n"
+	head := map[string]string{"Content-Type": "multipart/thing; boundary=--hello--"}
+	// try a multipart/form-data upload
+	flags := snapstate.Flags{Unaliased: true, RemoveSnapPath: true, DevMode: true}
+	chgSummary := s.sideloadCheck(c, body, head, "local", flags)
+	c.Check(chgSummary, check.Equals, `Install "local" snap from file "x"`)
 }
 
 func (s *apiSuite) TestSnapctlGetNoUID(c *check.C) {
@@ -5793,38 +6593,23 @@
 	c.Assert(rsp.Status, check.Equals, 403)
 }
 
-func (s *apiSuite) TestSnapctlGetUID(c *check.C) {
-	var uid uint32
+func (s *apiSuite) TestSnapctlForbiddenError(c *check.C) {
 	_ = s.daemon(c)
 
 	runSnapctlUcrednetGet = func(string) (uint32, uint32, string, error) {
-		return 100, uid, dirs.SnapSocket, nil
+		return 100, 9999, dirs.SnapSocket, nil
 	}
 	defer func() { runSnapctlUcrednetGet = ucrednetGet }()
-	ctlcmdRun = func(*hookstate.Context, []string) ([]byte, []byte, error) {
-		return nil, nil, nil
+	ctlcmdRun = func(ctx *hookstate.Context, arg []string, uid uint32) ([]byte, []byte, error) {
+		return nil, nil, &ctlcmd.ForbiddenCommandError{}
 	}
 	defer func() { ctlcmdRun = ctlcmd.Run }()
 
-	for _, t := range []struct {
-		uid uint32
-		cmd string
-		arg string
-
-		expectedCode int
-	}{
-		{1000, "get", "something", 200},
-		{0, "get", "something", 200},
-		{1000, "set", "some=thing", 403},
-		{0, "set", "some=thing", 200},
-	} {
-		uid = t.uid
-		buf := bytes.NewBufferString(fmt.Sprintf(`{"context-id": "some-context", "args": [%q, %q]}`, t.cmd, t.arg))
-		req, err := http.NewRequest("POST", "/v2/snapctl", buf)
-		c.Assert(err, check.IsNil)
-		rsp := runSnapctl(snapctlCmd, req, nil).(*resp)
-		c.Assert(rsp.Status, check.Equals, t.expectedCode)
-	}
+	buf := bytes.NewBufferString(fmt.Sprintf(`{"context-id": "some-context", "args": [%q, %q]}`, "set", "foo=bar"))
+	req, err := http.NewRequest("POST", "/v2/snapctl", buf)
+	c.Assert(err, check.IsNil)
+	rsp := runSnapctl(snapctlCmd, req, nil).(*resp)
+	c.Assert(rsp.Status, check.Equals, 403)
 }
 
 var _ = check.Suite(&postDebugSuite{})
@@ -5867,6 +6652,48 @@
 		testutil.Contains, "type: base-declaration")
 }
 
+func (s *postDebugSuite) TestPostDebugConnectivityHappy(c *check.C) {
+	_ = s.daemon(c)
+
+	buf := bytes.NewBufferString(`{"action": "connectivity"}`)
+	req, err := http.NewRequest("POST", "/v2/debug", buf)
+	c.Assert(err, check.IsNil)
+
+	s.connectivityResult = map[string]bool{
+		"good.host.com":         true,
+		"another.good.host.com": true,
+	}
+
+	rsp := postDebug(debugCmd, req, nil).(*resp)
+
+	c.Check(rsp.Type, check.Equals, ResponseTypeSync)
+	c.Check(rsp.Result, check.DeepEquals, ConnectivityStatus{
+		Connectivity: true,
+		Unreachable:  []string(nil),
+	})
+}
+
+func (s *postDebugSuite) TestPostDebugConnectivityUnhappy(c *check.C) {
+	_ = s.daemon(c)
+
+	buf := bytes.NewBufferString(`{"action": "connectivity"}`)
+	req, err := http.NewRequest("POST", "/v2/debug", buf)
+	c.Assert(err, check.IsNil)
+
+	s.connectivityResult = map[string]bool{
+		"good.host.com": true,
+		"bad.host.com":  false,
+	}
+
+	rsp := postDebug(debugCmd, req, nil).(*resp)
+
+	c.Check(rsp.Type, check.Equals, ResponseTypeSync)
+	c.Check(rsp.Result, check.DeepEquals, ConnectivityStatus{
+		Connectivity: false,
+		Unreachable:  []string{"bad.host.com"},
+	})
+}
+
 type appSuite struct {
 	apiBaseSuite
 	cmd *testutil.MockCmd
@@ -5881,7 +6708,7 @@
 	s.cmd = testutil.MockCommand(c, "systemctl", "").Also("journalctl", "")
 	s.daemon(c)
 	s.infoA = s.mkInstalledInState(c, s.d, "snap-a", "dev", "v1", snap.R(1), true, "apps: {svc1: {daemon: simple}, svc2: {daemon: simple, reload-command: x}}")
-	s.infoB = s.mkInstalledInState(c, s.d, "snap-b", "dev", "v1", snap.R(1), true, "apps: {svc3: {daemon: simple}, cmd1: {}}")
+	s.infoB = s.mkInstalledInState(c, s.d, "snap-b", "dev", "v1", snap.R(1), false, "apps: {svc3: {daemon: simple}, cmd1: {}}")
 	s.infoC = s.mkInstalledInState(c, s.d, "snap-c", "dev", "v1", snap.R(1), true, "")
 	s.infoD = s.mkInstalledInState(c, s.d, "snap-d", "dev", "v1", snap.R(1), true, "apps: {cmd2: {}, cmd3: {}}")
 	s.d.overlord.Loop()
@@ -5935,13 +6762,17 @@
 
 	for _, name := range svcNames {
 		snap, app := splitAppName(name)
-		c.Check(apps, testutil.DeepContains, client.AppInfo{
-			Snap:    snap,
-			Name:    app,
-			Daemon:  "simple",
-			Active:  true,
-			Enabled: true,
-		})
+		needle := client.AppInfo{
+			Snap:   snap,
+			Name:   app,
+			Daemon: "simple",
+		}
+		if snap != "snap-b" {
+			// snap-b is not active (all the others are)
+			needle.Active = true
+			needle.Enabled = true
+		}
+		c.Check(apps, testutil.DeepContains, needle)
 	}
 
 	for _, name := range []string{"snap-b.cmd1", "snap-d.cmd2", "snap-d.cmd3"} {
@@ -6009,13 +6840,17 @@
 
 	for _, name := range svcNames {
 		snap, app := splitAppName(name)
-		c.Check(svcs, testutil.DeepContains, client.AppInfo{
-			Snap:    snap,
-			Name:    app,
-			Daemon:  "simple",
-			Active:  true,
-			Enabled: true,
-		})
+		needle := client.AppInfo{
+			Snap:   snap,
+			Name:   app,
+			Daemon: "simple",
+		}
+		if snap != "snap-b" {
+			// snap-b is not active (all the others are)
+			needle.Active = true
+			needle.Enabled = true
+		}
+		c.Check(svcs, testutil.DeepContains, needle)
 	}
 
 	appNames := make([]string, len(svcs))
@@ -6199,7 +7034,7 @@
 	getLogs(logsCmd, req, nil).ServeHTTP(rec, req)
 
 	c.Check(s.jctlSvcses, check.DeepEquals, [][]string{{"snap.snap-a.svc2.service"}})
-	c.Check(s.jctlNs, check.DeepEquals, []string{"42"})
+	c.Check(s.jctlNs, check.DeepEquals, []int{42})
 	c.Check(s.jctlFollows, check.DeepEquals, []bool{false})
 
 	c.Check(rec.Code, check.Equals, 200)
@@ -6216,15 +7051,15 @@
 func (s *appSuite) TestLogsN(c *check.C) {
 	type T struct {
 		in  string
-		out string
+		out int
 	}
 
 	for _, t := range []T{
-		{in: "", out: "10"},
-		{in: "0", out: "0"},
-		{in: "-1", out: "all"},
-		{in: strconv.Itoa(math.MinInt32), out: "all"},
-		{in: strconv.Itoa(math.MaxInt32), out: strconv.Itoa(math.MaxInt32)},
+		{in: "", out: 10},
+		{in: "0", out: 0},
+		{in: "-1", out: -1},
+		{in: strconv.Itoa(math.MinInt32), out: math.MinInt32},
+		{in: strconv.Itoa(math.MaxInt32), out: math.MaxInt32},
 	} {
 
 		s.jctlRCs = []io.ReadCloser{ioutil.NopCloser(strings.NewReader(""))}
@@ -6236,7 +7071,7 @@
 		rec := httptest.NewRecorder()
 		getLogs(logsCmd, req, nil).ServeHTTP(rec, req)
 
-		c.Check(s.jctlNs, check.DeepEquals, []string{t.out})
+		c.Check(s.jctlNs, check.DeepEquals, []int{t.out})
 	}
 }
 
@@ -6299,7 +7134,7 @@
 	c.Assert(rsp.Type, check.Equals, ResponseTypeError)
 }
 
-func (s *appSuite) testPostApps(c *check.C, inst servicestate.Instruction, systemctlCall []string) *state.Change {
+func (s *appSuite) testPostApps(c *check.C, inst servicestate.Instruction, systemctlCall [][]string) *state.Change {
 	postBody, err := json.Marshal(inst)
 	c.Assert(err, check.IsNil)
 
@@ -6316,25 +7151,25 @@
 	defer st.Unlock()
 	chg := st.Change(rsp.Change)
 	c.Assert(chg, check.NotNil)
-	c.Check(chg.Tasks(), check.HasLen, 1)
+	c.Check(chg.Tasks(), check.HasLen, len(systemctlCall))
 
 	st.Unlock()
 	<-chg.Ready()
 	st.Lock()
 
-	c.Check(s.cmd.Calls(), check.DeepEquals, [][]string{systemctlCall})
+	c.Check(s.cmd.Calls(), check.DeepEquals, systemctlCall)
 	return chg
 }
 
 func (s *appSuite) TestPostAppsStartOne(c *check.C) {
 	inst := servicestate.Instruction{Action: "start", Names: []string{"snap-a.svc2"}}
-	expected := []string{"systemctl", "start", "snap.snap-a.svc2.service"}
+	expected := [][]string{{"systemctl", "start", "snap.snap-a.svc2.service"}}
 	s.testPostApps(c, inst, expected)
 }
 
 func (s *appSuite) TestPostAppsStartTwo(c *check.C) {
 	inst := servicestate.Instruction{Action: "start", Names: []string{"snap-a"}}
-	expected := []string{"systemctl", "start", "snap.snap-a.svc1.service", "snap.snap-a.svc2.service"}
+	expected := [][]string{{"systemctl", "start", "snap.snap-a.svc1.service", "snap.snap-a.svc2.service"}}
 	chg := s.testPostApps(c, inst, expected)
 	chg.State().Lock()
 	defer chg.State().Unlock()
@@ -6345,7 +7180,7 @@
 
 func (s *appSuite) TestPostAppsStartThree(c *check.C) {
 	inst := servicestate.Instruction{Action: "start", Names: []string{"snap-a", "snap-b"}}
-	expected := []string{"systemctl", "start", "snap.snap-a.svc1.service", "snap.snap-a.svc2.service", "snap.snap-b.svc3.service"}
+	expected := [][]string{{"systemctl", "start", "snap.snap-a.svc1.service", "snap.snap-a.svc2.service", "snap.snap-b.svc3.service"}}
 	chg := s.testPostApps(c, inst, expected)
 	// check the summary expands the snap into actual apps
 	c.Check(chg.Summary(), check.Equals, "Running service command")
@@ -6356,34 +7191,34 @@
 
 func (s *appSuite) TestPosetAppsStop(c *check.C) {
 	inst := servicestate.Instruction{Action: "stop", Names: []string{"snap-a.svc2"}}
-	expected := []string{"systemctl", "stop", "snap.snap-a.svc2.service"}
+	expected := [][]string{{"systemctl", "stop", "snap.snap-a.svc2.service"}}
 	s.testPostApps(c, inst, expected)
 }
 
 func (s *appSuite) TestPosetAppsRestart(c *check.C) {
 	inst := servicestate.Instruction{Action: "restart", Names: []string{"snap-a.svc2"}}
-	expected := []string{"systemctl", "restart", "snap.snap-a.svc2.service"}
+	expected := [][]string{{"systemctl", "restart", "snap.snap-a.svc2.service"}}
 	s.testPostApps(c, inst, expected)
 }
 
 func (s *appSuite) TestPosetAppsReload(c *check.C) {
 	inst := servicestate.Instruction{Action: "restart", Names: []string{"snap-a.svc2"}}
 	inst.Reload = true
-	expected := []string{"systemctl", "reload-or-restart", "snap.snap-a.svc2.service"}
+	expected := [][]string{{"systemctl", "reload-or-restart", "snap.snap-a.svc2.service"}}
 	s.testPostApps(c, inst, expected)
 }
 
 func (s *appSuite) TestPosetAppsEnableNow(c *check.C) {
 	inst := servicestate.Instruction{Action: "start", Names: []string{"snap-a.svc2"}}
 	inst.Enable = true
-	expected := []string{"systemctl", "enable", "--now", "snap.snap-a.svc2.service"}
+	expected := [][]string{{"systemctl", "enable", "snap.snap-a.svc2.service"}, {"systemctl", "start", "snap.snap-a.svc2.service"}}
 	s.testPostApps(c, inst, expected)
 }
 
 func (s *appSuite) TestPosetAppsDisableNow(c *check.C) {
 	inst := servicestate.Instruction{Action: "stop", Names: []string{"snap-a.svc2"}}
 	inst.Disable = true
-	expected := []string{"systemctl", "disable", "--now", "snap.snap-a.svc2.service"}
+	expected := [][]string{{"systemctl", "disable", "snap.snap-a.svc2.service"}, {"systemctl", "stop", "snap.snap-a.svc2.service"}}
 	s.testPostApps(c, inst, expected)
 }
 
@@ -6467,10 +7302,11 @@
 func (e fakeNetError) Timeout() bool   { return e.timeout }
 func (e fakeNetError) Temporary() bool { return e.temporary }
 
-func (s *appSuite) TestErrToResponseNoSnapsDoesNotPanic(c *check.C) {
+func (s *apiSuite) TestErrToResponseNoSnapsDoesNotPanic(c *check.C) {
 	si := &snapInstruction{Action: "frobble"}
 	errors := []error{
 		store.ErrSnapNotFound,
+		&store.RevisionNotAvailableError{},
 		store.ErrNoUpdateAvailable,
 		store.ErrLocalSnap,
 		&snap.AlreadyInstalledError{Snap: "foo"},
@@ -6492,3 +7328,226 @@
 		c.Check(status/100 == 4 || status/100 == 5, check.Equals, true, com)
 	}
 }
+
+func (s *apiSuite) TestErrToResponseForRevisionNotAvailable(c *check.C) {
+	si := &snapInstruction{Action: "frobble", Snaps: []string{"foo"}}
+
+	thisArch := arch.UbuntuArchitecture()
+
+	err := &store.RevisionNotAvailableError{
+		Action:  "install",
+		Channel: "stable",
+		Releases: []snap.Channel{
+			snaptest.MustParseChannel("beta", thisArch),
+		},
+	}
+	rsp := si.errToResponse(err).(*resp)
+	c.Check(rsp, check.DeepEquals, &resp{
+		Status: 404,
+		Type:   ResponseTypeError,
+		Result: &errorResult{
+			Message: "no snap revision on specified channel",
+			Kind:    errorKindSnapChannelNotAvailable,
+			Value: map[string]interface{}{
+				"snap-name":    "foo",
+				"action":       "install",
+				"channel":      "stable",
+				"architecture": thisArch,
+				"releases": []map[string]interface{}{
+					{"architecture": thisArch, "channel": "beta"},
+				},
+			},
+		},
+	})
+
+	err = &store.RevisionNotAvailableError{
+		Action:  "install",
+		Channel: "stable",
+		Releases: []snap.Channel{
+			snaptest.MustParseChannel("beta", "other-arch"),
+		},
+	}
+	rsp = si.errToResponse(err).(*resp)
+	c.Check(rsp, check.DeepEquals, &resp{
+		Status: 404,
+		Type:   ResponseTypeError,
+		Result: &errorResult{
+			Message: "no snap revision on specified architecture",
+			Kind:    errorKindSnapArchitectureNotAvailable,
+			Value: map[string]interface{}{
+				"snap-name":    "foo",
+				"action":       "install",
+				"channel":      "stable",
+				"architecture": thisArch,
+				"releases": []map[string]interface{}{
+					{"architecture": "other-arch", "channel": "beta"},
+				},
+			},
+		},
+	})
+
+	err = &store.RevisionNotAvailableError{}
+	rsp = si.errToResponse(err).(*resp)
+	c.Check(rsp, check.DeepEquals, &resp{
+		Status: 404,
+		Type:   ResponseTypeError,
+		Result: &errorResult{
+			Message: "no snap revision available as specified",
+			Kind:    errorKindSnapRevisionNotAvailable,
+			Value:   "foo",
+		},
+	})
+}
+
+func (s *apiSuite) testWarnings(c *check.C, all bool, body io.Reader) (calls string, result interface{}) {
+	s.daemon(c)
+
+	oldOK := stateOkayWarnings
+	oldAll := stateAllWarnings
+	oldPending := statePendingWarnings
+	stateOkayWarnings = func(*state.State, time.Time) int { calls += "ok"; return 0 }
+	stateAllWarnings = func(*state.State) []*state.Warning { calls += "all"; return nil }
+	statePendingWarnings = func(*state.State) ([]*state.Warning, time.Time) { calls += "show"; return nil, time.Time{} }
+	defer func() {
+		stateOkayWarnings = oldOK
+		stateAllWarnings = oldAll
+		statePendingWarnings = oldPending
+	}()
+
+	method := "GET"
+	f := warningsCmd.GET
+	if body != nil {
+		method = "POST"
+		f = warningsCmd.POST
+	}
+	q := url.Values{}
+	if all {
+		q.Set("select", "all")
+	}
+	req, err := http.NewRequest(method, "/v2/warnings?"+q.Encode(), body)
+	c.Assert(err, check.IsNil)
+
+	rsp, ok := f(warningsCmd, req, nil).(*resp)
+	c.Assert(ok, check.Equals, true)
+
+	c.Check(rsp.Type, check.Equals, ResponseTypeSync)
+	c.Check(rsp.Status, check.Equals, 200)
+	c.Assert(rsp.Result, check.NotNil)
+	return calls, rsp.Result
+}
+
+func (s *apiSuite) TestAllWarnings(c *check.C) {
+	calls, result := s.testWarnings(c, true, nil)
+	c.Check(calls, check.Equals, "all")
+	c.Check(result, check.DeepEquals, []state.Warning{})
+}
+
+func (s *apiSuite) TestSomeWarnings(c *check.C) {
+	calls, result := s.testWarnings(c, false, nil)
+	c.Check(calls, check.Equals, "show")
+	c.Check(result, check.DeepEquals, []state.Warning{})
+}
+
+func (s *apiSuite) TestAckWarnings(c *check.C) {
+	calls, result := s.testWarnings(c, false, bytes.NewReader([]byte(`{"action": "okay", "timestamp": "2006-01-02T15:04:05Z"}`)))
+	c.Check(calls, check.Equals, "ok")
+	c.Check(result, check.DeepEquals, 0)
+}
+
+func (s *apiSuite) TestErrToResponseForChangeConflict(c *check.C) {
+	si := &snapInstruction{Action: "frobble", Snaps: []string{"foo"}}
+
+	err := &snapstate.ChangeConflictError{Snap: "foo", ChangeKind: "install"}
+	rsp := si.errToResponse(err).(*resp)
+	c.Check(rsp, check.DeepEquals, &resp{
+		Status: 409,
+		Type:   ResponseTypeError,
+		Result: &errorResult{
+			Message: `snap "foo" has "install" change in progress`,
+			Kind:    errorKindSnapChangeConflict,
+			Value: map[string]interface{}{
+				"snap-name":   "foo",
+				"change-kind": "install",
+			},
+		},
+	})
+
+	// only snap
+	err = &snapstate.ChangeConflictError{Snap: "foo"}
+	rsp = si.errToResponse(err).(*resp)
+	c.Check(rsp, check.DeepEquals, &resp{
+		Status: 409,
+		Type:   ResponseTypeError,
+		Result: &errorResult{
+			Message: `snap "foo" has changes in progress`,
+			Kind:    errorKindSnapChangeConflict,
+			Value: map[string]interface{}{
+				"snap-name": "foo",
+			},
+		},
+	})
+
+	// only kind
+	err = &snapstate.ChangeConflictError{Message: "specific error msg", ChangeKind: "some-global-op"}
+	rsp = si.errToResponse(err).(*resp)
+	c.Check(rsp, check.DeepEquals, &resp{
+		Status: 409,
+		Type:   ResponseTypeError,
+		Result: &errorResult{
+			Message: "specific error msg",
+			Kind:    errorKindSnapChangeConflict,
+			Value: map[string]interface{}{
+				"change-kind": "some-global-op",
+			},
+		},
+	})
+}
+
+func (s *apiSuite) TestErrToResponse(c *check.C) {
+	aie := &snap.AlreadyInstalledError{Snap: "foo"}
+	nie := &snap.NotInstalledError{Snap: "foo"}
+	cce := &snapstate.ChangeConflictError{Snap: "foo"}
+	ndme := &snapstate.SnapNeedsDevModeError{Snap: "foo"}
+	nc := &snapstate.SnapNotClassicError{Snap: "foo"}
+	nce := &snapstate.SnapNeedsClassicError{Snap: "foo"}
+	ncse := &snapstate.SnapNeedsClassicSystemError{Snap: "foo"}
+	netoe := fakeNetError{message: "other"}
+	nettoute := fakeNetError{message: "timeout", timeout: true}
+	nettmpe := fakeNetError{message: "temp", temporary: true}
+
+	e := errors.New("other error")
+
+	makeErrorRsp := func(kind errorKind, err error, value interface{}) Response {
+		return SyncResponse(&resp{
+			Type:   ResponseTypeError,
+			Result: &errorResult{Message: err.Error(), Kind: kind, Value: value},
+			Status: 400,
+		}, nil)
+	}
+
+	tests := []struct {
+		err         error
+		expectedRsp Response
+	}{
+		{store.ErrSnapNotFound, SnapNotFound("foo", store.ErrSnapNotFound)},
+		{store.ErrNoUpdateAvailable, makeErrorRsp(errorKindSnapNoUpdateAvailable, store.ErrNoUpdateAvailable, "")},
+		{store.ErrLocalSnap, makeErrorRsp(errorKindSnapLocal, store.ErrLocalSnap, "")},
+		{aie, makeErrorRsp(errorKindSnapAlreadyInstalled, aie, "foo")},
+		{nie, makeErrorRsp(errorKindSnapNotInstalled, nie, "foo")},
+		{ndme, makeErrorRsp(errorKindSnapNeedsDevMode, ndme, "foo")},
+		{nc, makeErrorRsp(errorKindSnapNotClassic, nc, "foo")},
+		{nce, makeErrorRsp(errorKindSnapNeedsClassic, nce, "foo")},
+		{ncse, makeErrorRsp(errorKindSnapNeedsClassicSystem, ncse, "foo")},
+		{cce, SnapChangeConflict(cce)},
+		{nettoute, makeErrorRsp(errorKindNetworkTimeout, nettoute, "")},
+		{netoe, BadRequest("ERR: %v", netoe)},
+		{nettmpe, BadRequest("ERR: %v", nettmpe)},
+		{e, BadRequest("ERR: %v", e)},
+	}
+
+	for _, t := range tests {
+		com := check.Commentf("%v", t.err)
+		rsp := errToResponse(t.err, []string{"foo"}, BadRequest, "%s: %v", "ERR")
+		c.Check(rsp, check.DeepEquals, t.expectedRsp, com)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/command_counter_test.go snapd-2.37~rc1~14.04/daemon/command_counter_test.go
--- snapd-2.32.3.2~14.04/daemon/command_counter_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/command_counter_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,10 +26,22 @@
 	"go/token"
 	"io/ioutil"
 	"path/filepath"
+	"strings"
 
 	"gopkg.in/check.v1"
 )
 
+func countCommandDecls(c *check.C, comment check.CommentInterface) int {
+	n := 0
+	fns, _ := filepath.Glob("*.go")
+	for _, fn := range fns {
+		if !strings.HasSuffix(fn, "_test.go") {
+			n += countCommandDeclsIn(c, fn, comment)
+		}
+	}
+	return n
+}
+
 func countCommandDeclsIn(c *check.C, filename string, comment check.CommentInterface) int {
 	// NOTE: there's probably a
 	// better/easier way of doing this (patches welcome)
diff -Nru snapd-2.32.3.2~14.04/daemon/daemon.go snapd-2.37~rc1~14.04/daemon/daemon.go
--- snapd-2.32.3.2~14.04/daemon/daemon.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/daemon.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,6 +25,7 @@
 	"net/http"
 	"os"
 	"os/exec"
+	"os/signal"
 	"runtime"
 	"strconv"
 	"strings"
@@ -44,22 +45,37 @@
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/overlord/standby"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/polkit"
+	"github.com/snapcore/snapd/systemd"
 )
 
+var ErrRestartSocket = fmt.Errorf("daemon stop requested to wait for socket activation")
+
+var systemdSdNotify = systemd.SdNotify
+
 // A Daemon listens for requests and routes them to the right command
 type Daemon struct {
-	Version       string
-	overlord      *overlord.Overlord
-	snapdListener net.Listener
-	snapdServe    *shutdownServer
-	snapListener  net.Listener
-	snapServe     *shutdownServer
-	tomb          tomb.Tomb
-	router        *mux.Router
-	// enableInternalInterfaceActions controls if adding and removing slots and plugs is allowed.
-	enableInternalInterfaceActions bool
+	Version         string
+	overlord        *overlord.Overlord
+	snapdListener   net.Listener
+	snapdServe      *shutdownServer
+	snapListener    net.Listener
+	snapServe       *shutdownServer
+	tomb            tomb.Tomb
+	router          *mux.Router
+	standbyOpinions *standby.StandbyOpinions
+
+	// set to remember we need to restart the system
+	restartSystem bool
+	// set to remember that we need to exit the daemon in a way that
+	// prevents systemd from restarting it
+	restartSocket bool
+	// degradedErr is set when the daemon is in degraded mode
+	degradedErr error
+
+	mu sync.Mutex
 }
 
 // A ResponseFunc handles one of the individual verbs for a method
@@ -92,6 +108,7 @@
 	accessOK accessResult = iota
 	accessUnauthorized
 	accessForbidden
+	accessCancelled
 )
 
 var polkitCheckAuthorization = polkit.CheckAuthorization
@@ -169,7 +186,7 @@
 				return accessOK
 			}
 		} else if err == polkit.ErrDismissed {
-			return accessForbidden
+			return accessCancelled
 		} else {
 			logger.Noticef("polkit error: %s", err)
 		}
@@ -179,11 +196,17 @@
 }
 
 func (c *Command) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	state := c.d.overlord.State()
-	state.Lock()
+	st := c.d.overlord.State()
+	st.Lock()
 	// TODO Look at the error and fail if there's an attempt to authenticate with invalid data.
-	user, _ := UserFromRequest(state, r)
-	state.Unlock()
+	user, _ := UserFromRequest(st, r)
+	st.Unlock()
+
+	// check if we are in degradedMode
+	if c.d.degradedErr != nil && r.Method != "GET" {
+		InternalError(c.d.degradedErr.Error()).ServeHTTP(w, r)
+		return
+	}
 
 	switch c.canAccess(r, user) {
 	case accessOK:
@@ -194,6 +217,9 @@
 	case accessForbidden:
 		Forbidden("forbidden").ServeHTTP(w, r)
 		return
+	case accessCancelled:
+		AuthCancelled("cancelled").ServeHTTP(w, r)
+		return
 	}
 
 	var rspf ResponseFunc
@@ -214,6 +240,24 @@
 		rsp = rspf(c, r, user)
 	}
 
+	if rsp, ok := rsp.(*resp); ok {
+		_, rst := st.Restarting()
+		switch rst {
+		case state.RestartSystem:
+			rsp.transmitMaintenance(errorKindSystemRestart, "system is restarting")
+		case state.RestartDaemon:
+			rsp.transmitMaintenance(errorKindDaemonRestart, "daemon is restarting")
+		case state.RestartSocket:
+			rsp.transmitMaintenance(errorKindDaemonRestart, "daemon is stopping to wait for socket activation")
+		}
+		if rsp.Type != ResponseTypeError {
+			st.Lock()
+			count, stamp := st.WarningsSummary()
+			st.Unlock()
+			rsp.addWarningsToMeta(count, stamp)
+		}
+	}
+
 	rsp.ServeHTTP(w, r)
 }
 
@@ -289,20 +333,32 @@
 	return listener, nil
 }
 
+// activationListeners builds a map of addresses to listeners that were passed
+// during systemd activation
+func activationListeners() (lns map[string]net.Listener, err error) {
+	// pass false to keep LISTEN_* environment variables passed by systemd
+	files := activation.Files(false)
+	lns = make(map[string]net.Listener, len(files))
+
+	for _, f := range files {
+		ln, err := net.FileListener(f)
+		if err != nil {
+			return nil, err
+		}
+		addr := ln.Addr().String()
+		lns[addr] = ln
+	}
+	return lns, nil
+}
+
 // Init sets up the Daemon's internal workings.
 // Don't call more than once.
 func (d *Daemon) Init() error {
-	listeners, err := activation.Listeners(false)
+	listenerMap, err := activationListeners()
 	if err != nil {
 		return err
 	}
 
-	listenerMap := make(map[string]net.Listener, len(listeners))
-
-	for _, listener := range listeners {
-		listenerMap[listener.Addr().String()] = listener
-	}
-
 	// The SnapdSocket is required-- without it, die.
 	if listener, err := getListener(dirs.SnapdSocket, listenerMap); err == nil {
 		d.snapdListener = &ucrednetListener{listener}
@@ -325,6 +381,20 @@
 	return nil
 }
 
+// SetDegradedMode puts the daemon into an degraded mode which will the
+// error given in the "err" argument for commands that are not marked
+// as readonlyOK.
+//
+// This is useful to report errors to the client when the daemon
+// cannot work because e.g. a sanity check failed or the system is out
+// of diskspace.
+//
+// When the system is fine again calling "DegradedMode(nil)" is enough
+// to put the daemon into full operation again.
+func (d *Daemon) SetDegradedMode(err error) {
+	d.degradedErr = err
+}
+
 func (d *Daemon) addRoutes() {
 	d.router = mux.NewRouter()
 
@@ -370,6 +440,18 @@
 	return srv.httpSrv.Serve(srv.l)
 }
 
+func (srv *shutdownServer) CanStandby() bool {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+
+	for _, state := range srv.conns {
+		if state != http.StateIdle {
+			return false
+		}
+	}
+	return true
+}
+
 func (srv *shutdownServer) trackConn(conn net.Conn, state http.ConnState) {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
@@ -417,7 +499,15 @@
 	return fmt.Errorf("cannot gracefully finish, still active connections on %v after %v", srv.l.Addr(), shutdownTimeout)
 }
 
-var shutdownMsg = i18n.G("reboot scheduled to update the system - temporarily cancel with 'sudo shutdown -c'")
+func (d *Daemon) initStandbyHandling() {
+	d.standbyOpinions = standby.New(d.overlord.State())
+	d.standbyOpinions.AddOpinion(d.snapdServe)
+	d.standbyOpinions.AddOpinion(d.snapServe)
+	d.standbyOpinions.AddOpinion(d.overlord)
+	d.standbyOpinions.AddOpinion(d.overlord.SnapManager())
+	d.standbyOpinions.AddOpinion(d.overlord.DeviceManager())
+	d.standbyOpinions.Start()
+}
 
 // Start the Daemon
 func (d *Daemon) Start() {
@@ -427,10 +517,20 @@
 		case state.RestartDaemon:
 			d.tomb.Kill(nil)
 		case state.RestartSystem:
-			cmd := exec.Command("shutdown", "+10", "-r", shutdownMsg)
-			if out, err := cmd.CombinedOutput(); err != nil {
-				logger.Noticef("%s", osutil.OutputErr(out, err))
+			// try to schedule a fallback slow reboot already here
+			// in case we get stuck shutting down
+			if err := reboot(rebootWaitTimeout); err != nil {
+				logger.Noticef("%s", err)
 			}
+
+			d.mu.Lock()
+			defer d.mu.Unlock()
+			// remember we need to restart the system
+			d.restartSystem = true
+			d.tomb.Kill(nil)
+		case state.RestartSocket:
+			d.restartSocket = true
+			d.tomb.Kill(nil)
 		default:
 			logger.Noticef("internal error: restart handler called with unknown restart type: %v", t)
 			d.tomb.Kill(nil)
@@ -442,6 +542,9 @@
 	}
 	d.snapdServe = newShutdownServer(d.snapdListener, logit(d.router))
 
+	// enable standby handling
+	d.initStandbyHandling()
+
 	// the loop runs in its own goroutine
 	d.overlord.Loop()
 
@@ -462,34 +565,125 @@
 
 		return nil
 	})
+
+	// notify systemd that we are ready
+	systemdSdNotify("READY=1")
 }
 
+var shutdownMsg = i18n.G("reboot scheduled to update the system")
+
+func rebootImpl(rebootDelay time.Duration) error {
+	if rebootDelay < 0 {
+		rebootDelay = 0
+	}
+	mins := int64((rebootDelay + time.Minute - 1) / time.Minute)
+	cmd := exec.Command("shutdown", "-r", fmt.Sprintf("+%d", mins), shutdownMsg)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return osutil.OutputErr(out, err)
+	}
+	return nil
+}
+
+var reboot = rebootImpl
+
+var (
+	rebootNoticeWait  = 3 * time.Second
+	rebootWaitTimeout = 10 * time.Minute
+)
+
 // Stop shuts down the Daemon
-func (d *Daemon) Stop() error {
+func (d *Daemon) Stop(sigCh chan<- os.Signal) error {
 	d.tomb.Kill(nil)
+
+	d.mu.Lock()
+	restartSystem := d.restartSystem
+	restartSocket := d.restartSocket
+	d.mu.Unlock()
+
 	d.snapdListener.Close()
+	d.standbyOpinions.Stop()
 
 	if d.snapListener != nil {
 		// stop running hooks first
 		// and do it more gracefully if we are restarting
 		hookMgr := d.overlord.HookManager()
-		if d.overlord.State().Restarting() {
+		if ok, _ := d.overlord.State().Restarting(); ok {
 			logger.Noticef("gracefully waiting for running hooks")
 			hookMgr.GracefullyWaitRunningHooks()
 			logger.Noticef("done waiting for running hooks")
 		}
-		hookMgr.Stop()
+		hookMgr.StopHooks()
 		d.snapListener.Close()
 	}
 
+	if restartSystem {
+		// give time to polling clients to notice restart
+		time.Sleep(rebootNoticeWait)
+	}
+
 	d.tomb.Kill(d.snapdServe.finishShutdown())
 	if d.snapListener != nil {
 		d.tomb.Kill(d.snapServe.finishShutdown())
 	}
 
+	if !restartSystem {
+		// tell systemd that we are stopping
+		systemdSdNotify("STOPPING=1")
+
+	}
+
+	if restartSocket {
+		// At this point we processed all open requests (and
+		// stopped accepting new requests) - before going into
+		// socket activated mode we need to check if any of
+		// those open requests resulted in something that
+		// prevents us from going into socket activation mode.
+		//
+		// If this is the case we do a "normal" snapd restart
+		// to process the new changes.
+		if !d.standbyOpinions.CanStandby() {
+			d.restartSocket = false
+		}
+	}
 	d.overlord.Stop()
 
-	return d.tomb.Wait()
+	err := d.tomb.Wait()
+	if err != nil {
+		return err
+	}
+
+	if restartSystem {
+		// ask for shutdown and wait for it to happen.
+		// if we exit snapd will be restared by systemd
+		rebootDelay := 1 * time.Minute
+		ovr := os.Getenv("SNAPD_REBOOT_DELAY") // for tests
+		if ovr != "" {
+			d, err := time.ParseDuration(ovr)
+			if err == nil {
+				rebootDelay = d
+			}
+		}
+		if err := reboot(rebootDelay); err != nil {
+			return err
+		}
+		// wait for reboot to happen
+		logger.Noticef("Waiting for system reboot")
+		if sigCh != nil {
+			signal.Stop(sigCh)
+			if len(sigCh) > 0 {
+				// a signal arrived in between
+				return nil
+			}
+			close(sigCh)
+		}
+		time.Sleep(rebootWaitTimeout)
+		return fmt.Errorf("expected reboot did not happen")
+	}
+	if d.restartSocket {
+		return ErrRestartSocket
+	}
+
+	return nil
 }
 
 // Dying is a tomb-ish thing
@@ -503,9 +697,5 @@
 	if err != nil {
 		return nil, err
 	}
-	return &Daemon{
-		overlord: ovld,
-		// TODO: Decide when this should be disabled by default.
-		enableInternalInterfaceActions: true,
-	}, nil
+	return &Daemon{overlord: ovld}, nil
 }
diff -Nru snapd-2.32.3.2~14.04/daemon/daemon_test.go snapd-2.37~rc1~14.04/daemon/daemon_test.go
--- snapd-2.32.3.2~14.04/daemon/daemon_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/daemon_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"fmt"
 
 	"bytes"
+	"encoding/json"
 	"errors"
 	"io/ioutil"
 	"net"
@@ -31,6 +32,7 @@
 	"os"
 	"path/filepath"
 	"sync"
+	"syscall"
 	"testing"
 	"time"
 
@@ -41,8 +43,13 @@
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/overlord/ifacestate"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/overlord/standby"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/polkit"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/systemd"
 	"github.com/snapcore/snapd/testutil"
 )
 
@@ -53,6 +60,8 @@
 	authorized      bool
 	err             error
 	lastPolkitFlags polkit.CheckFlags
+	notified        []string
+	restoreBackends func()
 }
 
 var _ = check.Suite(&daemonSuite{})
@@ -66,14 +75,22 @@
 	dirs.SetRootDir(c.MkDir())
 	err := os.MkdirAll(filepath.Dir(dirs.SnapStateFile), 0755)
 	c.Assert(err, check.IsNil)
+	systemdSdNotify = func(notif string) error {
+		s.notified = append(s.notified, notif)
+		return nil
+	}
+	s.notified = nil
 	polkitCheckAuthorization = s.checkAuthorization
+	s.restoreBackends = ifacestate.MockSecurityBackends(nil)
 }
 
 func (s *daemonSuite) TearDownTest(c *check.C) {
+	systemdSdNotify = systemd.SdNotify
 	dirs.SetRootDir("")
 	s.authorized = false
 	s.err = nil
 	logger.SetLogger(logger.NullLogger)
+	s.restoreBackends()
 }
 
 func (s *daemonSuite) TearDownSuite(c *check.C) {
@@ -86,6 +103,11 @@
 	c.Assert(err, check.IsNil)
 	d.addRoutes()
 
+	// don't actually try to talk to the store on snapstate.Ensure
+	// needs doing after the call to devicestate.Manager (which
+	// happens in daemon.New via overlord.New)
+	snapstate.CanAutoRefresh = nil
+
 	return d
 }
 
@@ -140,6 +162,87 @@
 	c.Check(rec.Code, check.Equals, 405)
 }
 
+func (s *daemonSuite) TestCommandRestartingState(c *check.C) {
+	d := newTestDaemon(c)
+
+	cmd := &Command{d: d}
+	cmd.GET = func(*Command, *http.Request, *auth.UserState) Response {
+		return SyncResponse(nil, nil)
+	}
+	req, err := http.NewRequest("GET", "", nil)
+	c.Assert(err, check.IsNil)
+	req.RemoteAddr = "pid=100;uid=0;" + req.RemoteAddr
+
+	rec := httptest.NewRecorder()
+	cmd.ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 200)
+	var rst struct {
+		Maintenance *errorResult `json:"maintenance"`
+	}
+	err = json.Unmarshal(rec.Body.Bytes(), &rst)
+	c.Assert(err, check.IsNil)
+	c.Check(rst.Maintenance, check.IsNil)
+
+	state.MockRestarting(d.overlord.State(), state.RestartSystem)
+	rec = httptest.NewRecorder()
+	cmd.ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 200)
+	err = json.Unmarshal(rec.Body.Bytes(), &rst)
+	c.Assert(err, check.IsNil)
+	c.Check(rst.Maintenance, check.DeepEquals, &errorResult{
+		Kind:    errorKindSystemRestart,
+		Message: "system is restarting",
+	})
+
+	state.MockRestarting(d.overlord.State(), state.RestartDaemon)
+	rec = httptest.NewRecorder()
+	cmd.ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 200)
+	err = json.Unmarshal(rec.Body.Bytes(), &rst)
+	c.Assert(err, check.IsNil)
+	c.Check(rst.Maintenance, check.DeepEquals, &errorResult{
+		Kind:    errorKindDaemonRestart,
+		Message: "daemon is restarting",
+	})
+}
+
+func (s *daemonSuite) TestFillsWarnings(c *check.C) {
+	d := newTestDaemon(c)
+
+	cmd := &Command{d: d}
+	cmd.GET = func(*Command, *http.Request, *auth.UserState) Response {
+		return SyncResponse(nil, nil)
+	}
+	req, err := http.NewRequest("GET", "", nil)
+	c.Assert(err, check.IsNil)
+	req.RemoteAddr = "pid=100;uid=0;" + req.RemoteAddr
+
+	rec := httptest.NewRecorder()
+	cmd.ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 200)
+	var rst struct {
+		WarningTimestamp *time.Time `json:"warning-timestamp,omitempty"`
+		WarningCount     int        `json:"warning-count,omitempty"`
+	}
+	err = json.Unmarshal(rec.Body.Bytes(), &rst)
+	c.Assert(err, check.IsNil)
+	c.Check(rst.WarningCount, check.Equals, 0)
+	c.Check(rst.WarningTimestamp, check.IsNil)
+
+	st := d.overlord.State()
+	st.Lock()
+	st.Warnf("hello world")
+	st.Unlock()
+
+	rec = httptest.NewRecorder()
+	cmd.ServeHTTP(rec, req)
+	c.Check(rec.Code, check.Equals, 200)
+	err = json.Unmarshal(rec.Body.Bytes(), &rst)
+	c.Assert(err, check.IsNil)
+	c.Check(rst.WarningCount, check.Equals, 1)
+	c.Check(rst.WarningTimestamp, check.NotNil)
+}
+
 func (s *daemonSuite) TestGuestAccess(c *check.C) {
 	get := &http.Request{Method: "GET"}
 	put := &http.Request{Method: "PUT"}
@@ -256,7 +359,7 @@
 
 	// if the user dismisses the auth request, forbid access
 	s.err = polkit.ErrDismissed
-	c.Check(cmd.canAccess(put, nil), check.Equals, accessForbidden)
+	c.Check(cmd.canAccess(put, nil), check.Equals, accessCancelled)
 }
 
 func (s *daemonSuite) TestPolkitAccessForGet(c *check.C) {
@@ -370,6 +473,17 @@
 	d := newTestDaemon(c)
 	// mark as already seeded
 	s.markSeeded(d)
+	// and pretend we have snaps
+	st := d.overlord.State()
+	st.Lock()
+	snapstate.Set(st, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1), SnapID: "core-snap-id"},
+		},
+		Current: snap.R(1),
+	})
+	st.Unlock()
 
 	l, err := net.Listen("tcp", "127.0.0.1:0")
 	c.Assert(err, check.IsNil)
@@ -382,6 +496,8 @@
 
 	d.Start()
 
+	c.Check(s.notified, check.DeepEquals, []string{"READY=1"})
+
 	snapdDone := make(chan struct{})
 	go func() {
 		select {
@@ -405,8 +521,10 @@
 	<-snapdDone
 	<-snapDone
 
-	err = d.Stop()
+	err = d.Stop(nil)
 	c.Check(err, check.IsNil)
+
+	c.Check(s.notified, check.DeepEquals, []string{"READY=1", "STOPPING=1"})
 }
 
 func (s *daemonSuite) TestRestartWiring(c *check.C) {
@@ -424,7 +542,7 @@
 	d.snapListener = &witnessAcceptListener{Listener: l, accept: snapAccept}
 
 	d.Start()
-	defer d.Stop()
+	defer d.Stop(nil)
 
 	snapdDone := make(chan struct{})
 	go func() {
@@ -476,6 +594,17 @@
 
 	// mark as already seeded
 	s.markSeeded(d)
+	// and pretend we have snaps
+	st := d.overlord.State()
+	st.Lock()
+	snapstate.Set(st, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1), SnapID: "core-snap-id"},
+		},
+		Current: snap.R(1),
+	})
+	st.Unlock()
 
 	snapdL, err := net.Listen("tcp", "127.0.0.1:0")
 	c.Assert(err, check.IsNil)
@@ -534,7 +663,7 @@
 	}()
 
 	<-responding
-	err = d.Stop()
+	err = d.Stop(nil)
 	doRespond <- false
 	c.Check(err, check.IsNil)
 
@@ -544,3 +673,315 @@
 		c.Fatal("never got proper response")
 	}
 }
+
+func (s *daemonSuite) TestRestartSystemWiring(c *check.C) {
+	d := newTestDaemon(c)
+	// mark as already seeded
+	s.markSeeded(d)
+
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	c.Assert(err, check.IsNil)
+
+	snapdAccept := make(chan struct{})
+	d.snapdListener = &witnessAcceptListener{Listener: l, accept: snapdAccept}
+
+	snapAccept := make(chan struct{})
+	d.snapListener = &witnessAcceptListener{Listener: l, accept: snapAccept}
+
+	d.Start()
+	defer d.Stop(nil)
+
+	snapdDone := make(chan struct{})
+	go func() {
+		select {
+		case <-snapdAccept:
+		case <-time.After(2 * time.Second):
+			c.Fatal("snapd accept was not called")
+		}
+		close(snapdDone)
+	}()
+
+	snapDone := make(chan struct{})
+	go func() {
+		select {
+		case <-snapAccept:
+		case <-time.After(2 * time.Second):
+			c.Fatal("snap accept was not called")
+		}
+		close(snapDone)
+	}()
+
+	<-snapdDone
+	<-snapDone
+
+	oldRebootNoticeWait := rebootNoticeWait
+	oldRebootWaitTimeout := rebootWaitTimeout
+	defer func() {
+		reboot = rebootImpl
+		rebootNoticeWait = oldRebootNoticeWait
+		rebootWaitTimeout = oldRebootWaitTimeout
+	}()
+	rebootWaitTimeout = 100 * time.Millisecond
+	rebootNoticeWait = 150 * time.Millisecond
+
+	var delays []time.Duration
+	reboot = func(d time.Duration) error {
+		delays = append(delays, d)
+		return nil
+	}
+
+	d.overlord.State().RequestRestart(state.RestartSystem)
+
+	defer func() {
+		d.mu.Lock()
+		d.restartSystem = false
+		d.mu.Unlock()
+	}()
+
+	select {
+	case <-d.Dying():
+	case <-time.After(2 * time.Second):
+		c.Fatal("RequestRestart -> overlord -> Kill chain didn't work")
+	}
+
+	d.mu.Lock()
+	rs := d.restartSystem
+	d.mu.Unlock()
+
+	c.Check(rs, check.Equals, true)
+
+	c.Check(delays, check.HasLen, 1)
+	c.Check(delays[0], check.DeepEquals, rebootWaitTimeout)
+
+	err = d.Stop(nil)
+
+	c.Check(err, check.ErrorMatches, "expected reboot did not happen")
+	c.Check(delays, check.HasLen, 2)
+	c.Check(delays[1], check.DeepEquals, 1*time.Minute)
+
+	// we are not stopping, we wait for the reboot instead
+	c.Check(s.notified, check.DeepEquals, []string{"READY=1"})
+}
+
+func (s *daemonSuite) TestRebootHelper(c *check.C) {
+	cmd := testutil.MockCommand(c, "shutdown", "")
+	defer cmd.Restore()
+
+	tests := []struct {
+		delay    time.Duration
+		delayArg string
+	}{
+		{-1, "+0"},
+		{0, "+0"},
+		{time.Minute, "+1"},
+		{10 * time.Minute, "+10"},
+		{30 * time.Second, "+1"},
+	}
+
+	for _, t := range tests {
+		err := reboot(t.delay)
+		c.Assert(err, check.IsNil)
+		c.Check(cmd.Calls(), check.DeepEquals, [][]string{
+			{"shutdown", "-r", t.delayArg, "reboot scheduled to update the system"},
+		})
+
+		cmd.ForgetCalls()
+	}
+}
+
+func makeDaemonListeners(c *check.C, d *Daemon) {
+	snapdL, err := net.Listen("tcp", "127.0.0.1:0")
+	c.Assert(err, check.IsNil)
+
+	snapL, err := net.Listen("tcp", "127.0.0.1:0")
+	c.Assert(err, check.IsNil)
+
+	snapdAccept := make(chan struct{})
+	snapdClosed := make(chan struct{})
+	d.snapdListener = &witnessAcceptListener{Listener: snapdL, accept: snapdAccept, closed: snapdClosed}
+
+	snapAccept := make(chan struct{})
+	d.snapListener = &witnessAcceptListener{Listener: snapL, accept: snapAccept}
+}
+
+// This test tests that when the snapd calls a restart of the system
+// a sigterm (from e.g. systemd) is handled when it arrives before
+// stop is fully done.
+func (s *daemonSuite) TestRestartShutdownWithSigtermInBetween(c *check.C) {
+	oldRebootNoticeWait := rebootNoticeWait
+	defer func() {
+		rebootNoticeWait = oldRebootNoticeWait
+	}()
+	rebootNoticeWait = 150 * time.Millisecond
+
+	cmd := testutil.MockCommand(c, "shutdown", "")
+	defer cmd.Restore()
+
+	d := newTestDaemon(c)
+	makeDaemonListeners(c, d)
+	s.markSeeded(d)
+
+	d.Start()
+	d.overlord.State().RequestRestart(state.RestartSystem)
+
+	ch := make(chan os.Signal, 2)
+	ch <- syscall.SIGTERM
+	// stop will check if we got a sigterm in between (which we did)
+	err := d.Stop(ch)
+	c.Assert(err, check.IsNil)
+}
+
+// This test tests that when there is a shutdown we close the sigterm
+// handler so that systemd can kill snapd.
+func (s *daemonSuite) TestRestartShutdown(c *check.C) {
+	oldRebootNoticeWait := rebootNoticeWait
+	oldRebootWaitTimeout := rebootWaitTimeout
+	defer func() {
+		reboot = rebootImpl
+		rebootNoticeWait = oldRebootNoticeWait
+		rebootWaitTimeout = oldRebootWaitTimeout
+	}()
+	rebootWaitTimeout = 100 * time.Millisecond
+	rebootNoticeWait = 150 * time.Millisecond
+
+	cmd := testutil.MockCommand(c, "shutdown", "")
+	defer cmd.Restore()
+
+	d := newTestDaemon(c)
+	makeDaemonListeners(c, d)
+	s.markSeeded(d)
+
+	d.Start()
+	d.overlord.State().RequestRestart(state.RestartSystem)
+
+	sigCh := make(chan os.Signal, 2)
+	// stop (this will timeout but thats not relevant for this test)
+	d.Stop(sigCh)
+
+	// ensure that the sigCh got closed as part of the stop
+	_, chOpen := <-sigCh
+	c.Assert(chOpen, check.Equals, false)
+}
+
+func (s *daemonSuite) TestRestartIntoSocketModeNoNewChanges(c *check.C) {
+	restore := standby.MockStandbyWait(5 * time.Millisecond)
+	defer restore()
+
+	d := newTestDaemon(c)
+	makeDaemonListeners(c, d)
+
+	// mark as already seeded, we also have no snaps so this will
+	// go into socket activation mode
+	s.markSeeded(d)
+
+	d.Start()
+	// pretend some ensure happened
+	for i := 0; i < 5; i++ {
+		d.overlord.StateEngine().Ensure()
+		time.Sleep(5 * time.Millisecond)
+	}
+
+	select {
+	case <-d.Dying():
+		// exit the loop
+	case <-time.After(15 * time.Second):
+		c.Errorf("daemon did not stop after 15s")
+	}
+	err := d.Stop(nil)
+	c.Check(err, check.Equals, ErrRestartSocket)
+	c.Check(d.restartSocket, check.Equals, true)
+}
+
+func (s *daemonSuite) TestRestartIntoSocketModePendingChanges(c *check.C) {
+	restore := standby.MockStandbyWait(5 * time.Millisecond)
+	defer restore()
+
+	d := newTestDaemon(c)
+	makeDaemonListeners(c, d)
+
+	// mark as already seeded, we also have no snaps so this will
+	// go into socket activation mode
+	s.markSeeded(d)
+	st := d.overlord.State()
+
+	d.Start()
+	// pretend some ensure happened
+	for i := 0; i < 5; i++ {
+		d.overlord.StateEngine().Ensure()
+		time.Sleep(5 * time.Millisecond)
+	}
+
+	select {
+	case <-d.Dying():
+		// Pretend we got change while shutting down, this can
+		// happen when e.g. the user requested a `snap install
+		// foo` at the same time as the code in the overlord
+		// checked that it can go into socket activated
+		// mode. I.e. the daemon was processing the request
+		// but no change was generated at the time yet.
+		st.Lock()
+		chg := st.NewChange("fake-install", "fake install some snap")
+		chg.AddTask(st.NewTask("fake-install-task", "fake install task"))
+		chgStatus := chg.Status()
+		st.Unlock()
+		// ensure our change is valid and ready
+		c.Check(chgStatus, check.Equals, state.DoStatus)
+	case <-time.After(5 * time.Second):
+		c.Errorf("daemon did not stop after 5s")
+	}
+	// when the daemon got a pending change it just restarts
+	err := d.Stop(nil)
+	c.Check(err, check.IsNil)
+	c.Check(d.restartSocket, check.Equals, false)
+}
+
+func (s *daemonSuite) TestShutdownServerCanShutdown(c *check.C) {
+	shush := newShutdownServer(nil, nil)
+	c.Check(shush.CanStandby(), check.Equals, true)
+
+	con := &net.IPConn{}
+	shush.conns[con] = http.StateActive
+	c.Check(shush.CanStandby(), check.Equals, false)
+
+	shush.conns[con] = http.StateIdle
+	c.Check(shush.CanStandby(), check.Equals, true)
+}
+
+func doTestReq(c *check.C, cmd *Command, mth string) *httptest.ResponseRecorder {
+	req, err := http.NewRequest(mth, "", nil)
+	c.Assert(err, check.IsNil)
+	req.RemoteAddr = "pid=100;uid=0;" + req.RemoteAddr
+	rec := httptest.NewRecorder()
+	cmd.ServeHTTP(rec, req)
+	return rec
+}
+
+func (s *daemonSuite) TestDegradedModeReply(c *check.C) {
+	d := newTestDaemon(c)
+	cmd := &Command{d: d}
+	cmd.GET = func(*Command, *http.Request, *auth.UserState) Response {
+		return SyncResponse(nil, nil)
+	}
+	cmd.POST = func(*Command, *http.Request, *auth.UserState) Response {
+		return SyncResponse(nil, nil)
+	}
+
+	// pretend we are in degraded mode
+	d.SetDegradedMode(fmt.Errorf("foo error"))
+
+	// GET is ok even in degraded mode
+	rec := doTestReq(c, cmd, "GET")
+	c.Check(rec.Code, check.Equals, 200)
+	// POST is not allowed
+	rec = doTestReq(c, cmd, "POST")
+	c.Check(rec.Code, check.Equals, 500)
+	// verify we get the error
+	var v struct{ Result errorResult }
+	c.Assert(json.NewDecoder(rec.Body).Decode(&v), check.IsNil)
+	c.Check(v.Result.Message, check.Equals, "foo error")
+
+	// clean degraded mode
+	d.SetDegradedMode(nil)
+	rec = doTestReq(c, cmd, "POST")
+	c.Check(rec.Code, check.Equals, 200)
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/export_snapshots_test.go snapd-2.37~rc1~14.04/daemon/export_snapshots_test.go
--- snapd-2.32.3.2~14.04/daemon/export_snapshots_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/export_snapshots_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,112 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package daemon
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"golang.org/x/net/context"
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/overlord"
+	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+func NewWithOverlord(o *overlord.Overlord) *Daemon {
+	d := &Daemon{overlord: o}
+	d.addRoutes()
+	return d
+}
+
+func MockSnapshotSave(newSave func(*state.State, []string, []string) (uint64, []string, *state.TaskSet, error)) (restore func()) {
+	oldSave := snapshotSave
+	snapshotSave = newSave
+	return func() {
+		snapshotSave = oldSave
+	}
+}
+
+func MockSnapshotList(newList func(context.Context, uint64, []string) ([]client.SnapshotSet, error)) (restore func()) {
+	oldList := snapshotList
+	snapshotList = newList
+	return func() {
+		snapshotList = oldList
+	}
+}
+
+func MockSnapshotCheck(newCheck func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error)) (restore func()) {
+	oldCheck := snapshotCheck
+	snapshotCheck = newCheck
+	return func() {
+		snapshotCheck = oldCheck
+	}
+}
+
+func MockSnapshotRestore(newRestore func(*state.State, uint64, []string, []string) ([]string, *state.TaskSet, error)) (restore func()) {
+	oldRestore := snapshotRestore
+	snapshotRestore = newRestore
+	return func() {
+		snapshotRestore = oldRestore
+	}
+}
+
+func MockSnapshotForget(newForget func(*state.State, uint64, []string) ([]string, *state.TaskSet, error)) (restore func()) {
+	oldForget := snapshotForget
+	snapshotForget = newForget
+	return func() {
+		snapshotForget = oldForget
+	}
+}
+
+func MustUnmarshalSnapInstruction(c *check.C, jinst string) *snapInstruction {
+	var inst snapInstruction
+	if err := json.Unmarshal([]byte(jinst), &inst); err != nil {
+		c.Fatalf("cannot unmarshal %q into snapInstruction: %v", jinst, err)
+	}
+	return &inst
+}
+
+func MustUnmarshalSnapshotAction(c *check.C, jact string) *snapshotAction {
+	var act snapshotAction
+	if err := json.Unmarshal([]byte(jact), &act); err != nil {
+		c.Fatalf("cannot unmarshal %q into snapshotAction: %v", jact, err)
+	}
+	return &act
+}
+
+func (rsp *resp) ErrorResult() *errorResult {
+	return rsp.Result.(*errorResult)
+}
+
+func ListSnapshots(c *Command, r *http.Request, user *auth.UserState) *resp {
+	return listSnapshots(c, r, user).(*resp)
+}
+
+func ChangeSnapshots(c *Command, r *http.Request, user *auth.UserState) *resp {
+	return changeSnapshots(c, r, user).(*resp)
+}
+
+var (
+	SnapshotMany = snapshotMany
+	SnapshotCmd  = snapshotCmd
+)
diff -Nru snapd-2.32.3.2~14.04/daemon/response.go snapd-2.37~rc1~14.04/daemon/response.go
--- snapd-2.32.3.2~14.04/daemon/response.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/response.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2015 Canonical Ltd
+ * Copyright (C) 2015-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,13 +25,19 @@
 	"fmt"
 	"io"
 	"mime"
+	"net"
 	"net/http"
 	"path/filepath"
 	"strconv"
+	"time"
 
+	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/store"
 	"github.com/snapcore/snapd/systemd"
 )
 
@@ -57,22 +63,41 @@
 	Type   ResponseType `json:"type"`
 	Result interface{}  `json:"result,omitempty"`
 	*Meta
+	Maintenance *errorResult `json:"maintenance,omitempty"`
+}
+
+func (r *resp) transmitMaintenance(kind errorKind, message string) {
+	r.Maintenance = &errorResult{
+		Kind:    kind,
+		Message: message,
+	}
+}
+
+func (r *resp) addWarningsToMeta(count int, stamp time.Time) {
+	if r.Meta != nil && r.Meta.WarningCount != 0 {
+		return
+	}
+	if count == 0 {
+		return
+	}
+	if r.Meta == nil {
+		r.Meta = &Meta{}
+	}
+	r.Meta.WarningCount = count
+	r.Meta.WarningTimestamp = &stamp
 }
 
 // TODO This is being done in a rush to get the proper external
 //      JSON representation in the API in time for the release.
 //      The right code style takes a bit more work and unifies
 //      these fields inside resp.
+// Increment the counter if you read this: 42
 type Meta struct {
-	Sources           []string `json:"sources,omitempty"`
-	Paging            *Paging  `json:"paging,omitempty"`
-	SuggestedCurrency string   `json:"suggested-currency,omitempty"`
-	Change            string   `json:"change,omitempty"`
-}
-
-type Paging struct {
-	Page  int `json:"page"`
-	Pages int `json:"pages"`
+	Sources           []string   `json:"sources,omitempty"`
+	SuggestedCurrency string     `json:"suggested-currency,omitempty"`
+	Change            string     `json:"change,omitempty"`
+	WarningTimestamp  *time.Time `json:"warning-timestamp,omitempty"`
+	WarningCount      int        `json:"warning-count,omitempty"`
 }
 
 type respJSON struct {
@@ -81,15 +106,17 @@
 	StatusText string       `json:"status"`
 	Result     interface{}  `json:"result"`
 	*Meta
+	Maintenance *errorResult `json:"maintenance,omitempty"`
 }
 
 func (r *resp) MarshalJSON() ([]byte, error) {
 	return json.Marshal(respJSON{
-		Type:       r.Type,
-		Status:     r.Status,
-		StatusText: http.StatusText(r.Status),
-		Result:     r.Result,
-		Meta:       r.Meta,
+		Type:        r.Type,
+		Status:      r.Status,
+		StatusText:  http.StatusText(r.Status),
+		Result:      r.Result,
+		Meta:        r.Meta,
+		Maintenance: r.Maintenance,
 	})
 }
 
@@ -125,6 +152,7 @@
 	errorKindTwoFactorFailed   = errorKind("two-factor-failed")
 	errorKindLoginRequired     = errorKind("login-required")
 	errorKindInvalidAuthData   = errorKind("invalid-auth-data")
+	errorKindAuthCancelled     = errorKind("auth-cancelled")
 	errorKindTermsNotAccepted  = errorKind("terms-not-accepted")
 	errorKindNoPaymentMethods  = errorKind("no-payment-methods")
 	errorKindPaymentDeclined   = errorKind("payment-declined")
@@ -137,16 +165,29 @@
 	errorKindSnapLocal             = errorKind("snap-local")
 	errorKindSnapNoUpdateAvailable = errorKind("snap-no-update-available")
 
+	errorKindSnapRevisionNotAvailable     = errorKind("snap-revision-not-available")
+	errorKindSnapChannelNotAvailable      = errorKind("snap-channel-not-available")
+	errorKindSnapArchitectureNotAvailable = errorKind("snap-architecture-not-available")
+
+	errorKindSnapChangeConflict = errorKind("snap-change-conflict")
+
 	errorKindNotSnap = errorKind("snap-not-a-snap")
 
 	errorKindSnapNeedsDevMode       = errorKind("snap-needs-devmode")
 	errorKindSnapNeedsClassic       = errorKind("snap-needs-classic")
 	errorKindSnapNeedsClassicSystem = errorKind("snap-needs-classic-system")
+	errorKindSnapNotClassic         = errorKind("snap-not-classic")
 
 	errorKindBadQuery = errorKind("bad-query")
 
 	errorKindNetworkTimeout      = errorKind("network-timeout")
+	errorKindDNSFailure          = errorKind("dns-failure")
 	errorKindInterfacesUnchanged = errorKind("interfaces-unchanged")
+
+	errorKindConfigNoSuchOption = errorKind("option-not-found")
+
+	errorKindDaemonRestart = errorKind("daemon-restart")
+	errorKindSystemRestart = errorKind("system-restart")
 )
 
 type errorValue interface{}
@@ -188,8 +229,11 @@
 // makeErrorResponder builds an errorResponder from the given error status.
 func makeErrorResponder(status int) errorResponder {
 	return func(format string, v ...interface{}) Response {
-		res := &errorResult{
-			Message: fmt.Sprintf(format, v...),
+		res := &errorResult{}
+		if len(v) == 0 {
+			res.Message = format
+		} else {
+			res.Message = fmt.Sprintf(format, v...)
 		}
 		if status == 401 {
 			res.Kind = errorKindLoginRequired
@@ -350,6 +394,80 @@
 	}
 }
 
+// SnapRevisionNotAvailable is an error responder used when an
+// operation is requested for which no revivision can be found
+// in the given context (e.g. request an install from a stable
+// channel when this channel is empty).
+func SnapRevisionNotAvailable(snapName string, rnaErr *store.RevisionNotAvailableError) Response {
+	var value interface{} = snapName
+	kind := errorKindSnapRevisionNotAvailable
+	msg := rnaErr.Error()
+	if len(rnaErr.Releases) != 0 && rnaErr.Channel != "" {
+		thisArch := arch.UbuntuArchitecture()
+		values := map[string]interface{}{
+			"snap-name":    snapName,
+			"action":       rnaErr.Action,
+			"channel":      rnaErr.Channel,
+			"architecture": thisArch,
+		}
+		archOK := false
+		releases := make([]map[string]interface{}, 0, len(rnaErr.Releases))
+		for _, c := range rnaErr.Releases {
+			if c.Architecture == thisArch {
+				archOK = true
+			}
+			releases = append(releases, map[string]interface{}{
+				"architecture": c.Architecture,
+				"channel":      c.Name,
+			})
+		}
+		// we return all available releases (arch x channel)
+		// as reported in the store error, but we hint with
+		// the error kind whether there was anything at all
+		// available for this architecture
+		if archOK {
+			kind = errorKindSnapChannelNotAvailable
+			msg = "no snap revision on specified channel"
+		} else {
+			kind = errorKindSnapArchitectureNotAvailable
+			msg = "no snap revision on specified architecture"
+		}
+		values["releases"] = releases
+		value = values
+	}
+	return &resp{
+		Type: ResponseTypeError,
+		Result: &errorResult{
+			Message: msg,
+			Kind:    kind,
+			Value:   value,
+		},
+		Status: 404,
+	}
+}
+
+// SnapChangeConflict is an error responder used when an operation is
+// conflicts with another change.
+func SnapChangeConflict(cce *snapstate.ChangeConflictError) Response {
+	value := map[string]interface{}{}
+	if cce.Snap != "" {
+		value["snap-name"] = cce.Snap
+	}
+	if cce.ChangeKind != "" {
+		value["change-kind"] = cce.ChangeKind
+	}
+
+	return &resp{
+		Type: ResponseTypeError,
+		Result: &errorResult{
+			Message: cce.Error(),
+			Kind:    errorKindSnapChangeConflict,
+			Value:   value,
+		},
+		Status: 409,
+	}
+}
+
 // AppNotFound is an error responder used when an operation is
 // requested on a app that doesn't exist.
 func AppNotFound(format string, v ...interface{}) Response {
@@ -363,3 +481,94 @@
 		Status: 404,
 	}
 }
+
+// AuthCancelled is an error responder used when a user cancelled
+// the auth process.
+func AuthCancelled(format string, v ...interface{}) Response {
+	res := &errorResult{
+		Message: fmt.Sprintf(format, v...),
+		Kind:    errorKindAuthCancelled,
+	}
+	return &resp{
+		Type:   ResponseTypeError,
+		Result: res,
+		Status: 403,
+	}
+}
+
+func errToResponse(err error, snaps []string, fallback func(format string, v ...interface{}) Response, format string, v ...interface{}) Response {
+	var kind errorKind
+	var snapName string
+
+	switch err {
+	case store.ErrSnapNotFound:
+		switch len(snaps) {
+		case 1:
+			return SnapNotFound(snaps[0], err)
+		// store.ErrSnapNotFound should only be returned for individual
+		// snap queries; in all other cases something's wrong
+		case 0:
+			return InternalError("store.SnapNotFound with no snap given")
+		default:
+			return InternalError("store.SnapNotFound with %d snaps", len(snaps))
+		}
+	case store.ErrNoUpdateAvailable:
+		kind = errorKindSnapNoUpdateAvailable
+	case store.ErrLocalSnap:
+		kind = errorKindSnapLocal
+	default:
+		handled := true
+		switch err := err.(type) {
+		case *store.RevisionNotAvailableError:
+			// store.ErrRevisionNotAvailable should only be returned for
+			// individual snap queries; in all other cases something's wrong
+			switch len(snaps) {
+			case 1:
+				return SnapRevisionNotAvailable(snaps[0], err)
+			case 0:
+				return InternalError("store.RevisionNotAvailable with no snap given")
+			default:
+				return InternalError("store.RevisionNotAvailable with %d snaps", len(snaps))
+			}
+		case *snap.AlreadyInstalledError:
+			kind = errorKindSnapAlreadyInstalled
+			snapName = err.Snap
+		case *snap.NotInstalledError:
+			kind = errorKindSnapNotInstalled
+			snapName = err.Snap
+		case *snapstate.ChangeConflictError:
+			return SnapChangeConflict(err)
+		case *snapstate.SnapNeedsDevModeError:
+			kind = errorKindSnapNeedsDevMode
+			snapName = err.Snap
+		case *snapstate.SnapNeedsClassicError:
+			kind = errorKindSnapNeedsClassic
+			snapName = err.Snap
+		case *snapstate.SnapNeedsClassicSystemError:
+			kind = errorKindSnapNeedsClassicSystem
+			snapName = err.Snap
+		case *snapstate.SnapNotClassicError:
+			kind = errorKindSnapNotClassic
+			snapName = err.Snap
+		case net.Error:
+			if err.Timeout() {
+				kind = errorKindNetworkTimeout
+			} else {
+				handled = false
+			}
+		default:
+			handled = false
+		}
+
+		if !handled {
+			v = append(v, err)
+			return fallback(format, v...)
+		}
+	}
+
+	return SyncResponse(&resp{
+		Type:   ResponseTypeError,
+		Result: &errorResult{Message: err.Error(), Kind: kind, Value: snapName},
+		Status: 400,
+	}, nil)
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/response_test.go snapd-2.37~rc1~14.04/daemon/response_test.go
--- snapd-2.32.3.2~14.04/daemon/response_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/response_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -107,3 +107,33 @@
 	c.Assert(err, check.IsNil)
 	c.Check(string(data), check.Equals, `{"type":"","status-code":0,"status":"","result":null}`)
 }
+
+func (responseSuite) TestErrorResponderPrintfsWithArgs(c *check.C) {
+	teapot := makeErrorResponder(418)
+
+	rec := httptest.NewRecorder()
+	rsp := teapot("system memory below %d%%.", 1)
+	req, err := http.NewRequest("GET", "", nil)
+	c.Assert(err, check.IsNil)
+	rsp.ServeHTTP(rec, req)
+
+	var v struct{ Result errorResult }
+	c.Assert(json.NewDecoder(rec.Body).Decode(&v), check.IsNil)
+
+	c.Check(v.Result.Message, check.Equals, "system memory below 1%.")
+}
+
+func (responseSuite) TestErrorResponderDoesNotPrintfAlways(c *check.C) {
+	teapot := makeErrorResponder(418)
+
+	rec := httptest.NewRecorder()
+	rsp := teapot("system memory below 1%.")
+	req, err := http.NewRequest("GET", "", nil)
+	c.Assert(err, check.IsNil)
+	rsp.ServeHTTP(rec, req)
+
+	var v struct{ Result errorResult }
+	c.Assert(json.NewDecoder(rec.Body).Decode(&v), check.IsNil)
+
+	c.Check(v.Result.Message, check.Equals, "system memory below 1%.")
+}
diff -Nru snapd-2.32.3.2~14.04/daemon/snap.go snapd-2.37~rc1~14.04/daemon/snap.go
--- snapd-2.32.3.2~14.04/daemon/snap.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/daemon/snap.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,18 +26,14 @@
 	"path/filepath"
 	"sort"
 	"strings"
-	"time"
 
 	"github.com/snapcore/snapd/client"
-	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/cmd"
 	"github.com/snapcore/snapd/logger"
-	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
-	"github.com/snapcore/snapd/progress"
 	"github.com/snapcore/snapd/snap"
-	"github.com/snapcore/snapd/systemd"
 )
 
 var errNoSnap = errors.New("snap not installed")
@@ -47,38 +43,33 @@
 	// XXX: copy of snap.Snap.Icon which will go away
 	found, _ := filepath.Glob(filepath.Join(info.MountDir(), "meta", "gui", "icon.*"))
 	if len(found) == 0 {
-		return info.IconURL
+		return info.Media.IconURL()
 	}
 
 	return found[0]
 }
 
-// snapDate returns the time of the snap mount directory.
-func snapDate(info *snap.Info) time.Time {
-	st, err := os.Stat(info.MountDir())
-	if err != nil {
-		return time.Time{}
-	}
-
-	return st.ModTime()
-}
-
-func publisherName(st *state.State, info *snap.Info) (string, error) {
+func publisherAccount(st *state.State, info *snap.Info) (*snap.StoreAccount, error) {
 	if info.SnapID == "" {
-		return "", nil
+		return nil, nil
 	}
 
 	pubAcct, err := assertstate.Publisher(st, info.SnapID)
 	if err != nil {
-		return "", fmt.Errorf("cannot find publisher details: %v", err)
+		return nil, fmt.Errorf("cannot find publisher details: %v", err)
 	}
-	return pubAcct.Username(), nil
+	return &snap.StoreAccount{
+		ID:          pubAcct.AccountID(),
+		Username:    pubAcct.Username(),
+		DisplayName: pubAcct.DisplayName(),
+		Validation:  pubAcct.Validation(),
+	}, nil
 }
 
 type aboutSnap struct {
 	info      *snap.Info
 	snapst    *snapstate.SnapState
-	publisher string
+	publisher *snap.StoreAccount
 }
 
 // localSnapInfo returns the information about the current snap for the given name plus the SnapState with the active flag and other snap revisions.
@@ -100,7 +91,7 @@
 		return aboutSnap{}, fmt.Errorf("cannot read snap details: %v", err)
 	}
 
-	publisher, err := publisherName(st, info)
+	publisher, err := publisherAccount(st, info)
 	if err != nil {
 		return aboutSnap{}, err
 	}
@@ -130,22 +121,30 @@
 		}
 		var aboutThis []aboutSnap
 		var info *snap.Info
-		var publisher string
+		var publisher *snap.StoreAccount
 		var err error
 		if all {
 			for _, seq := range snapst.Sequence {
-				info, err = snap.ReadInfo(seq.RealName, seq)
+				info, err = snap.ReadInfo(name, seq)
 				if err != nil {
-					break
+					// single revision may be broken
+					_, instanceKey := snap.SplitInstanceName(name)
+					info = &snap.Info{
+						SideInfo:    *seq,
+						InstanceKey: instanceKey,
+						Broken:      err.Error(),
+					}
+					// clear the error
+					err = nil
 				}
-				publisher, err = publisherName(st, info)
+				publisher, err = publisherAccount(st, info)
 				aboutThis = append(aboutThis, aboutSnap{info, snapst, publisher})
 			}
 		} else {
 			info, err = snapst.CurrentInfo()
 			if err == nil {
-				var publisher string
-				publisher, err = publisherName(st, info)
+				var publisher *snap.StoreAccount
+				publisher, err = publisherAccount(st, info)
 				aboutThis = append(aboutThis, aboutSnap{info, snapst, publisher})
 			}
 		}
@@ -168,8 +167,8 @@
 func (a bySnapApp) Len() int      { return len(a) }
 func (a bySnapApp) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
 func (a bySnapApp) Less(i, j int) bool {
-	iName := a[i].Snap.Name()
-	jName := a[j].Snap.Name()
+	iName := a[i].Snap.InstanceName()
+	jName := a[j].Snap.InstanceName()
 	if iName == jName {
 		return a[i].Name < a[j].Name
 	}
@@ -232,7 +231,7 @@
 	found := make(map[string]bool)
 	appInfos := make([]*snap.AppInfo, 0, len(requested))
 	for _, snp := range snaps {
-		snapName := snp.info.Name()
+		snapName := snp.info.InstanceName()
 		apps := make([]*snap.AppInfo, 0, len(snp.info.Apps))
 		for _, app := range snp.info.Apps {
 			if !opts.service || app.IsService() {
@@ -275,38 +274,6 @@
 	return appInfos, nil
 }
 
-func clientAppInfosFromSnapAppInfos(apps []*snap.AppInfo) []client.AppInfo {
-	// TODO: pass in an actual notifier here instead of null
-	//       (Status doesn't _need_ it, but benefits from it)
-	sysd := systemd.New(dirs.GlobalRootDir, progress.Null)
-
-	out := make([]client.AppInfo, len(apps))
-	for i, app := range apps {
-		out[i] = client.AppInfo{
-			Snap: app.Snap.Name(),
-			Name: app.Name,
-		}
-		if fn := app.DesktopFile(); osutil.FileExists(fn) {
-			out[i].DesktopFile = fn
-		}
-
-		if app.IsService() {
-			// TODO: look into making a single call to Status for all services
-			if sts, err := sysd.Status(app.ServiceName()); err != nil {
-				logger.Noticef("cannot get status of service %q: %v", app.Name, err)
-			} else if len(sts) != 1 {
-				logger.Noticef("cannot get status of service %q: expected 1 result, got %d", app.Name, len(sts))
-			} else {
-				out[i].Daemon = sts[0].Daemon
-				out[i].Enabled = sts[0].Enabled
-				out[i].Active = sts[0].Active
-			}
-		}
-	}
-
-	return out
-}
-
 func mapLocal(about aboutSnap) *client.Snap {
 	localSnap, snapst := about.info, about.snapst
 	status := "installed"
@@ -320,22 +287,31 @@
 	}
 	sort.Sort(bySnapApp(snapapps))
 
-	apps := clientAppInfosFromSnapAppInfos(snapapps)
+	apps, err := cmd.ClientAppInfosFromSnapAppInfos(snapapps)
+	if err != nil {
+		logger.Noticef("cannot get full app info: %v", err)
+	}
 
 	// TODO: expose aliases information and state?
 
+	publisherUsername := ""
+	if about.publisher != nil {
+		publisherUsername = about.publisher.Username
+	}
 	result := &client.Snap{
 		Description:      localSnap.Description(),
-		Developer:        about.publisher,
+		Developer:        publisherUsername,
+		Publisher:        about.publisher,
 		Icon:             snapIcon(localSnap),
 		ID:               localSnap.SnapID,
-		InstallDate:      snapDate(localSnap),
+		InstallDate:      localSnap.InstallDate(),
 		InstalledSize:    localSnap.Size,
-		Name:             localSnap.Name(),
+		Name:             localSnap.InstanceName(),
 		Revision:         localSnap.Revision,
 		Status:           status,
 		Summary:          localSnap.Summary(),
 		Type:             string(localSnap.Type),
+		Base:             localSnap.Base,
 		Version:          localSnap.Version,
 		Channel:          localSnap.Channel,
 		TrackingChannel:  snapst.Channel,
@@ -350,6 +326,16 @@
 		Contact:          localSnap.Contact,
 		Title:            localSnap.Title(),
 		License:          localSnap.License,
+		CommonIDs:        localSnap.CommonIDs,
+		MountedFrom:      localSnap.MountFile(),
+	}
+
+	if result.TryMode {
+		// Readlink instead of EvalSymlinks because it's only expected
+		// to be one level, and should still resolve if the target does
+		// not exist (this might help e.g. snapcraft clean up after a
+		// prime dir)
+		result.MountedFrom, _ = os.Readlink(result.MountedFrom)
 	}
 
 	return result
@@ -366,26 +352,20 @@
 		confinement = snap.StrictConfinement
 	}
 
-	screenshots := make([]client.Screenshot, len(remoteSnap.Screenshots))
-	for i, screenshot := range remoteSnap.Screenshots {
-		screenshots[i] = client.Screenshot{
-			URL:    screenshot.URL,
-			Width:  screenshot.Width,
-			Height: screenshot.Height,
-		}
-	}
-
+	publisher := remoteSnap.Publisher
 	result := &client.Snap{
 		Description:  remoteSnap.Description(),
-		Developer:    remoteSnap.Publisher,
+		Developer:    remoteSnap.Publisher.Username,
+		Publisher:    &publisher,
 		DownloadSize: remoteSnap.Size,
 		Icon:         snapIcon(remoteSnap),
 		ID:           remoteSnap.SnapID,
-		Name:         remoteSnap.Name(),
+		Name:         remoteSnap.InstanceName(),
 		Revision:     remoteSnap.Revision,
 		Status:       status,
 		Summary:      remoteSnap.Summary(),
 		Type:         string(remoteSnap.Type),
+		Base:         remoteSnap.Base,
 		Version:      remoteSnap.Version,
 		Channel:      remoteSnap.Channel,
 		Private:      remoteSnap.Private,
@@ -393,10 +373,12 @@
 		Contact:      remoteSnap.Contact,
 		Title:        remoteSnap.Title(),
 		License:      remoteSnap.License,
-		Screenshots:  screenshots,
+		Screenshots:  remoteSnap.Media.Screenshots(),
+		Media:        remoteSnap.Media,
 		Prices:       remoteSnap.Prices,
 		Channels:     remoteSnap.Channels,
 		Tracks:       remoteSnap.Tracks,
+		CommonIDs:    remoteSnap.CommonIDs,
 	}
 
 	return result
diff -Nru snapd-2.32.3.2~14.04/data/apt/20snapd.conf snapd-2.37~rc1~14.04/data/apt/20snapd.conf
--- snapd-2.32.3.2~14.04/data/apt/20snapd.conf	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/apt/20snapd.conf	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+AptCli::Hooks::Install { "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"; };
diff -Nru snapd-2.32.3.2~14.04/data/completion/complete.sh snapd-2.37~rc1~14.04/data/completion/complete.sh
--- snapd-2.32.3.2~14.04/data/completion/complete.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/completion/complete.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,4 @@
-# -*- bash -*-
+# shellcheck shell=bash
 #
 #  Copyright (C) 2017 Canonical Ltd
 #
@@ -116,7 +116,7 @@
     _complete_from_snap_maybe() {
         local etel=snap/core/current/usr/lib/snapd/etelpmoc.sh
         # catch /snap/bin and /var/lib/snapd/snap/bin
-        if [[ "$(which "$1")" =~ /snap/bin/ && ( -e "/var/lib/snapd/$etel" || -e "/$etel" ) ]]; then
+        if [[ "$(command -v "$1")" =~ ^(/var/lib/snapd)?/snap/bin/ && ( -e "/var/lib/snapd/$etel" || -e "/$etel" )  ]]; then
             complete -F _complete_from_snap "$1"
             return 124
         fi
diff -Nru snapd-2.32.3.2~14.04/data/completion/etelpmoc.sh snapd-2.37~rc1~14.04/data/completion/etelpmoc.sh
--- snapd-2.32.3.2~14.04/data/completion/etelpmoc.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/completion/etelpmoc.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,4 @@
-#!/bin/bash
+# shellcheck shell=bash
 #
 #  Copyright (C) 2017 Canonical Ltd
 #
@@ -91,6 +91,10 @@
             o)
                 _compopts["$OPTARG"]=1
                 ;;
+            *)
+                # Do nothing, explicitly. This silences shellcheck's detector
+                # of unhandled command line options.
+                ;;
         esac
     done
     builtin compgen "$@"
@@ -176,7 +180,7 @@
                 _compfunc="$OPTARG"
                 ;;
             W)
-                readarray -t COMPREPLY < <( builtin compgen -W "$OPTARG" -- "${COMP_WORDS[$COMP_CWORD]}" )
+                readarray -t COMPREPLY < <( builtin compgen -W "$OPTARG" -- "${COMP_WORDS[COMP_CWORD]}" )
                 _compfunc=""
                 ;;
             *)
@@ -198,10 +202,19 @@
 
 if [ ! "$_bounce" ]; then
     if [ "$_compact" ]; then
-        readarray -t COMPREPLY < <( builtin compgen -A "$_compact" -- "${COMP_WORDS[$COMP_CWORD]}" )
+        readarray -t COMPREPLY < <( builtin compgen -A "$_compact" -- "${COMP_WORDS[COMP_CWORD]}" )
     elif [ "$_compfunc" ]; then
         # execute completion function (or the command if -C)
-        $_compfunc
+
+        # from https://www.gnu.org/software/bash/manual/html_node/Programmable-Completion.html:
+        #   When the function or command is invoked, the first argument ($1) is
+        #   the name of the command whose arguments are being completed, the
+        #   second argument ($2) is the word being completed, and the third
+        #   argument ($3) is the word preceding the word being completed on the
+        #   current command line.
+        # that's "$1" "${COMP_WORDS[COMP_CWORD]}" and "${COMP_WORDS[COMP_CWORD-1]}"
+        # (probably)
+        $_compfunc "$1" "${COMP_WORDS[COMP_CWORD]}" "${COMP_WORDS[COMP_CWORD-1]}"
     fi
 fi
 
@@ -209,4 +222,4 @@
 echo "${!_compopts[@]}"
 echo "$_bounce"
 echo ""
-printf "%s\n" "${COMPREPLY[@]}"
+printf "%s\\n" "${COMPREPLY[@]}"
diff -Nru snapd-2.32.3.2~14.04/data/desktop/Makefile snapd-2.37~rc1~14.04/data/desktop/Makefile
--- snapd-2.32.3.2~14.04/data/desktop/Makefile	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/desktop/Makefile	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2018 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+BINDIR = /usr/bin
+SYSCONFXDGAUTOSTARTDIR = /etc/xdg/autostart
+APPLICATIONSDIR = /usr/share/applications
+
+DESKTOP_SOURCES = snap-handle-link.desktop.in
+DESKTOP_FILES = $(DESKTOP_SOURCES:.in=)
+
+AUTOSTART_SOURCES = snap-userd-autostart.desktop.in
+AUTOSTART_FILES = $(AUTOSTART_SOURCES:.in=)
+
+.PHONY: all
+all: $(DESKTOP_FILES) $(AUTOSTART_FILES)
+
+.PHONY: install
+# NOTE: old (e.g. 14.04) GNU coreutils doesn't -D with -t
+install:: $(DESKTOP_FILES)
+	install -d -m 0755 $(DESTDIR)/$(APPLICATIONSDIR)
+	install -m 0644 -t $(DESTDIR)/$(APPLICATIONSDIR) $^
+
+install:: $(AUTOSTART_FILES)
+	install -d -m 0755 $(DESTDIR)/$(SYSCONFXDGAUTOSTARTDIR)
+	install -m 0644 -t $(DESTDIR)/$(SYSCONFXDGAUTOSTARTDIR) $^
+
+.PHONY: clean
+clean:
+	rm -f $(DESKTOP_FILES) $(AUTOSTART_FILES)
+
+%: %.in
+	cat $< | \
+		sed s:@bindir@:$(BINDIR):g | \
+		cat > $@
diff -Nru snapd-2.32.3.2~14.04/data/desktop/snap-handle-link.desktop.in snapd-2.37~rc1~14.04/data/desktop/snap-handle-link.desktop.in
--- snapd-2.32.3.2~14.04/data/desktop/snap-handle-link.desktop.in	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/desktop/snap-handle-link.desktop.in	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,7 @@
+[Desktop Entry]
+Name=Handler for snap:// URIs
+Comment=Prompt the user to install gnome-software then pass control to it
+Exec=@bindir@/snap handle-link %U
+MimeType=x-scheme-handler/snap;
+NoDisplay=true
+Type=Application
diff -Nru snapd-2.32.3.2~14.04/data/desktop/snap-userd-autostart.desktop.in snapd-2.37~rc1~14.04/data/desktop/snap-userd-autostart.desktop.in
--- snapd-2.32.3.2~14.04/data/desktop/snap-userd-autostart.desktop.in	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/desktop/snap-userd-autostart.desktop.in	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+[Desktop Entry]
+Name=Snap user application autostart helper
+Comment=Helper program for launching snap applications that are configured to start automatically.
+Exec=@bindir@/snap userd --autostart
+Type=Application
diff -Nru snapd-2.32.3.2~14.04/data/env/snapd.sh.in snapd-2.37~rc1~14.04/data/env/snapd.sh.in
--- snapd-2.32.3.2~14.04/data/env/snapd.sh.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/env/snapd.sh.in	2019-01-16 08:36:51.000000000 +0000
@@ -1,14 +1,22 @@
-#!/bin/sh --this-shebang-is-just-here-to-inform-shellcheck--
+# shellcheck shell=sh
 
 # Expand $PATH to include the directory where snappy applications go.
-if [ "${PATH#*/snap/bin}" = "${PATH}" ]; then
-    export PATH=$PATH:@SNAP_MOUNT_DIR@/bin
+snap_bin_path="@SNAP_MOUNT_DIR@/bin"
+if [ -n "${PATH##*${snap_bin_path}}" -a -n "${PATH##*${snap_bin_path}:*}" ]; then
+    export PATH=$PATH:${snap_bin_path}
 fi
 
-# desktop files (used by desktop environments within both X11 and Wayland) are
+# Ensure base distro defaults xdg path are set if nothing filed up some
+# defaults yet.
+if [ -z "$XDG_DATA_DIRS" ]; then
+    export XDG_DATA_DIRS="/usr/local/share:/usr/share"
+fi
+
+# Desktop files (used by desktop environments within both X11 and Wayland) are
 # looked for in XDG_DATA_DIRS; make sure it includes the relevant directory for
 # snappy applications' desktop files.
-if [ "${XDG_DATA_DIRS#*/snapd/desktop}" = "${XDG_DATA_DIRS}" ]; then
-    export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}:/var/lib/snapd/desktop"
+snap_xdg_path="/var/lib/snapd/desktop"
+if [ -n "${XDG_DATA_DIRS##*${snap_xdg_path}}" -a -n "${XDG_DATA_DIRS##*${snap_xdg_path}:*}" ]; then
+    export XDG_DATA_DIRS="${XDG_DATA_DIRS}:${snap_xdg_path}"
 fi
 
diff -Nru snapd-2.32.3.2~14.04/data/Makefile snapd-2.37~rc1~14.04/data/Makefile
--- snapd-2.32.3.2~14.04/data/Makefile	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/Makefile	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,6 @@
 all install clean:
 	$(MAKE) -C systemd $@
+	$(MAKE) -C systemd-env $@
 	$(MAKE) -C dbus $@
 	$(MAKE) -C env $@
+	$(MAKE) -C desktop $@
diff -Nru snapd-2.32.3.2~14.04/data/selinux/snappy.fc snapd-2.37~rc1~14.04/data/selinux/snappy.fc
--- snapd-2.32.3.2~14.04/data/selinux/snappy.fc	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/selinux/snappy.fc	2019-01-16 08:36:51.000000000 +0000
@@ -39,6 +39,7 @@
 /var/run/snapd\.socket 		-s	gen_context(system_u:object_r:snappy_var_run_t,s0)
 /var/run/snapd-snap\.socket 	-s	gen_context(system_u:object_r:snappy_var_run_t,s0)
 /var/lib/snapd(/.*)?			gen_context(system_u:object_r:snappy_var_lib_t,s0)
+/var/cache/snapd(/.*)?			gen_context(system_u:object_r:snappy_var_cache_t,s0)
 /var/snap(/.*)?				gen_context(system_u:object_r:snappy_var_t,s0)
 
 /run/snapd(/.*)?	        --	gen_context(system_u:object_r:snappy_var_run_t,s0)
diff -Nru snapd-2.32.3.2~14.04/data/selinux/snappy.if snapd-2.37~rc1~14.04/data/selinux/snappy.if
--- snapd-2.32.3.2~14.04/data/selinux/snappy.if	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/selinux/snappy.if	2019-01-16 08:36:51.000000000 +0000
@@ -256,18 +256,18 @@
 ## <rolecap/>
 #
 
-interface(`snappy_admin',
-         gen_require(`
-                 type snappy_t, snappy_config_t; 
-                 type snappy_var_run_t;
-         ')
+interface(`snappy_admin',`
+	gen_require(`
+		type snappy_t, snappy_config_t;
+		type snappy_var_run_t;
+	')
 
-         allow $1 snappy_t:process signal_perms;
+	allow $1 snappy_t:process signal_perms;
 
-         ps_process_pattern($1, snappy_t);
+	ps_process_pattern($1, snappy_t);
 
-         admin_pattern($1, snappy_config_t);
+	admin_pattern($1, snappy_config_t);
 
-         files_list_pids($1, snappy_var_run_t);
-         admin_pattern($1, snappy_var_run_t);
+	files_list_pids($1, snappy_var_run_t);
+	admin_pattern($1, snappy_var_run_t);
 ')
diff -Nru snapd-2.32.3.2~14.04/data/selinux/snappy.te snapd-2.37~rc1~14.04/data/selinux/snappy.te
--- snapd-2.32.3.2~14.04/data/selinux/snappy.te	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/selinux/snappy.te	2019-01-16 08:36:51.000000000 +0000
@@ -42,6 +42,9 @@
 type snappy_var_lib_t;
 files_type(snappy_var_lib_t)
 
+type snappy_var_cache_t;
+files_type(snappy_var_cache_t)
+
 type snappy_var_run_t;
 files_pid_file(snappy_var_run_t)
 
@@ -73,7 +76,7 @@
 # Allow snapd to read file contexts
 gen_require(` type file_context_t; ')
 allow snappy_t file_context_t:dir search;
-allow snappy_t file_context_t:file { getattr open read };
+allow snappy_t file_context_t:file { map getattr open read };
 
 # Allow snapd to read procfs
 gen_require(` type proc_t; ')
@@ -83,8 +86,12 @@
 gen_require(` type sysfs_t; ')
 allow snappy_t sysfs_t:dir read;
 allow snappy_t sysfs_t:file { getattr setattr open read write };
-allow snappy_t sysfs_t:lnk_file read;
+allow snappy_t sysfs_t:lnk_file { getattr read };
+
 
+# This silences a read AVC denial event on the lost+found directory.
+gen_require(` type lost_found_t; ')
+dontaudit snappy_t lost_found_t:dir read;
 
 # Allow snapd to read SSL cert store
 gen_require(` type cert_t; ')
@@ -126,12 +133,13 @@
 gen_require(` type udev_rules_t; type udev_exec_t; ')
 allow snappy_t udev_rules_t:dir { getattr open read write search add_name remove_name };
 allow snappy_t udev_rules_t:file { getattr open read write create rename unlink };
-allow snappy_t udev_exec_t:file { execute execute_no_trans getattr open read };
+allow snappy_t udev_exec_t:file { execute execute_no_trans getattr open read map };
 
 # Allow snapd to manipulate udev
 gen_require(` type udev_t; type udev_var_run_t; ')
 allow snappy_t udev_t:unix_stream_socket connectto;
 allow snappy_t udev_var_run_t:file { getattr open read };
+allow snappy_t udev_var_run_t:dir { read };
 allow snappy_t udev_var_run_t:sock_file { getattr open read write };
 
 # Allow snapd to read/write systemd units and use systemctl for managing snaps
@@ -142,11 +150,14 @@
 
 # Allow snapd to mount snaps
 gen_require(` type mount_exec_t; ')
-allow snappy_t mount_exec_t:file { execute execute_no_trans getattr open read };
+allow snappy_t mount_exec_t:file { map execute execute_no_trans getattr open read };
 
 # Allow snapd to execute unsquashfs
 gen_require(` type bin_t; ')
-allow snappy_t bin_t:file { execute execute_no_trans };
+allow snappy_t bin_t:file { map execute execute_no_trans };
+
+# Allow snappy to exec snap-seccomp
+allow snappy_t snappy_exec_t:file { execute_no_trans };
 
 # Allow snapd to get FUSE device attributes
 gen_require(` type fuse_device_t; ')
@@ -161,10 +172,31 @@
 # Allow snapd to manage mounts
 gen_require(` type fs_t; type mount_var_run_t; ')
 allow snappy_t fs_t:filesystem { mount unmount };
-allow snappy_t mount_var_run_t:dir search;
-allow snappy_t mount_var_run_t:file { getattr setattr open read write };
+allow snappy_t mount_var_run_t:dir { add_name remove_name write search };
+allow snappy_t mount_var_run_t:file { create getattr setattr open read write rename unlink lock };
+
+gen_require(` type user_tmp_t; ')
+allow snappy_t user_tmp_t:dir { read };
+
+gen_require(` type systemd_unit_file_t; ')
+allow snappy_t systemd_unit_file_t:dir { rmdir };
+
+gen_require(` type fixed_disk_device_t; ')
+allow snappy_t fixed_disk_device_t:blk_file { getattr };
+
+gen_require(` type loop_control_device_t; ')
+allow snappy_t loop_control_device_t:chr_file { getattr };
+
+gen_require(` type usr_t; ')
+allow snappy_t usr_t:dir { write };
+
+gen_require(` type home_root_t; ')
+allow snappy_t home_root_t:dir { read };
 
 # Allow snapd to manage its persistent data
+manage_dirs_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t)
+manage_files_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t)
+manage_lnk_files_pattern(snappy_t, snappy_var_cache_t, snappy_var_cache_t)
 manage_dirs_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t)
 manage_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t)
 manage_lnk_files_pattern(snappy_t, snappy_var_lib_t, snappy_var_lib_t)
@@ -177,9 +209,12 @@
 allow snappy_t tmp_t:dir { getattr setattr add_name create read remove_name rmdir write };
 allow snappy_t tmp_t:file { getattr setattr create open unlink write };
 
+# Allow snappy to mmap files in /var/cache
+allow snappy_t snappy_var_cache_t:file { map };
+
 # Allow snapd to use ssh-keygen
 gen_require(` type ssh_keygen_exec_t; ')
-allow snappy_t ssh_keygen_exec_t:file { execute execute_no_trans getattr open read };
+allow snappy_t ssh_keygen_exec_t:file { execute execute_no_trans getattr open read map };
 
 # Allow snapd to access passwd file for lookup
 auth_read_passwd(snappy_t);
@@ -188,6 +223,7 @@
 # we need to grant snapd access to "unlabeled files"
 gen_require(` type unlabeled_t; ')
 allow snappy_t unlabeled_t:dir { getattr search open read };
+allow snappy_t unlabeled_t:lnk_file { getattr read };
 allow snappy_t unlabeled_t:file { getattr open read };
 
 # Until we can figure out why some things are randomly getting unconfined_t,
diff -Nru snapd-2.32.3.2~14.04/data/sysctl/rhel7-snap.conf snapd-2.37~rc1~14.04/data/sysctl/rhel7-snap.conf
--- snapd-2.32.3.2~14.04/data/sysctl/rhel7-snap.conf	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/sysctl/rhel7-snap.conf	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+# RHEL 7.4+ specific:
+# Unexpected "Device or resource busy" error when removing a directory
+# see https://access.redhat.com/articles/3128691 for details
+fs.may_detach_mounts=1
diff -Nru snapd-2.32.3.2~14.04/data/systemd/Makefile snapd-2.37~rc1~14.04/data/systemd/Makefile
--- snapd-2.32.3.2~14.04/data/systemd/Makefile	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/Makefile	2019-01-16 08:36:51.000000000 +0000
@@ -20,10 +20,15 @@
 SYSTEMDSYSTEMUNITDIR := /lib/systemd/system
 
 SYSTEMD_UNITS_GENERATED := $(wildcard *.in)
-SYSTEMD_UNITS = $(SYSTEMD_UNITS_GENERATED:.in=) $(wildcard *.timer) $(wildcard *.socket)
+# NOTE: sort removes duplicates so this gives us all the units, generated or otherwise
+SYSTEMD_UNITS = $(sort $(SYSTEMD_UNITS_GENERATED:.in=) $(wildcard *.service) $(wildcard *.timer) $(wildcard *.socket))
 
 .PHONY: all
-all: $(SYSTEMD_UNITS)
+all: $(SYSTEMD_UNITS) check
+
+.PHONY: check
+check: snapd.run-from-snap snapd.core-fixup.sh
+	if command -v shellcheck >/dev/null; then shellcheck $^; fi
 
 .PHONY: install
 install: $(SYSTEMD_UNITS)
@@ -32,6 +37,7 @@
 	install -m 0644 -t $(DESTDIR)/$(SYSTEMDSYSTEMUNITDIR) $^
 	install -d -m 0755 $(DESTDIR)/$(LIBEXECDIR)/snapd
 	install -m 0755 -t $(DESTDIR)/$(LIBEXECDIR)/snapd snapd.core-fixup.sh
+	install -m 0755 -t $(DESTDIR)/$(LIBEXECDIR)/snapd snapd.run-from-snap
 
 .PHONY: clean
 clean:
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.apparmor.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.apparmor.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.apparmor.service.in	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.apparmor.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,21 @@
+# This systemd unit is needed on distributions that use apparmor but don't have
+# special support for loading snapd apparmor profiles. Until upstream apparmor
+# user-space release contains a systemd unit that is actually shipped by
+# distributors and that contains the necessary extension points for snapd the
+# apparmor profiles for snap applications need to be loaded separately from
+# other applications.
+[Unit]
+Description=Load AppArmor profiles managed internally by snapd
+DefaultDependencies=no
+Before=sysinit.target
+# This dependency is meant to ensure that apparmor initialization (whatever that might entail) is complete.
+After=apparmor.service
+ConditionSecurity=apparmor
+
+[Service]
+Type=oneshot
+ExecStart=@libexecdir@/snapd/snapd-apparmor start
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.autoimport.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.autoimport.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.autoimport.service.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.autoimport.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 [Unit]
 Description=Auto import assertions from block devices
-After=snapd.service snapd.socket
+After=snapd.service snapd.socket snapd.seeded.service
 # don't run on classic
 ConditionKernelCommandLine=snap_core
 
@@ -10,3 +10,5 @@
 
 [Install]
 WantedBy=multi-user.target
+# This cannot be started on firstboot
+# X-Snapd-Snap: do-not-start
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.core-fixup.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.core-fixup.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.core-fixup.service.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.core-fixup.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,6 @@
 Before=snapd.service
 # don't run on classic
 ConditionKernelCommandLine=snap_core
-ConditionPathExists=!/var/lib/snapd/device/ownership-change.after
 Documentation=man:snap(1)
 
 [Service]
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.core-fixup.sh snapd-2.37~rc1~14.04/data/systemd/snapd.core-fixup.sh
--- snapd-2.32.3.2~14.04/data/systemd/snapd.core-fixup.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.core-fixup.sh	2019-01-16 08:36:51.000000000 +0000
@@ -11,6 +11,42 @@
     exit 0
 fi
 
+# Workaround https://forum.snapcraft.io/t/5253
+#
+# We see sometimes corrupted uboot.env files created by fsck.vfat.
+# On the fat filesystem they are indistinguishable because one
+# has a fat16 name UBOOT.ENV (and not lfn (long-file-name)) but
+# the other has a "uboot.env" lfn name and a FSCK0000.000 FAT16
+# name. The only known workaround is to remove all dupes and put
+# one file back in place.
+if [ "$(find /boot/uboot -name uboot.env | wc -l)" -gt 1 ]; then
+    echo "Corrupted uboot.env file detected"
+    # Ensure we have one uboot.env to go back to. Note that it does
+    # not matter which one we pick (we can't choose anyway, we get
+    # whatever the kernel gives us). The key part is that there is
+    # only a single one after this script finishes. The bootloader
+    # logic will recover in any case.
+    cp -a /boot/uboot/uboot.env /boot/uboot/uboot.env.save
+    # now delete all dupes
+    while ls /boot/uboot/uboot.env 2>/dev/null; do
+        rm -f /boot/uboot/uboot.env
+    done
+    # and move the saved one into place
+    mv /boot/uboot/uboot.env.save /boot/uboot/uboot.env
+
+    # ensure we sync the fs
+    sync
+fi
+
+
+# The code below deals with incorrect permissions that happened on
+# some buggy ubuntu-image versions.
+#
+# This needs to run only once so we can exit here.
+if [ -f /var/lib/snapd/device/ownership-change.after ]; then
+    exit 0
+fi
+
 # store important data in case we need it later
 if [ ! -f /var/lib/snapd/device/ownership-change.before ]; then
     mkdir -p /var/lib/snapd/device
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.failure.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.failure.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.failure.service.in	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.failure.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,8 @@
+[Unit]
+Description=Failure handling of the snapd snap
+
+[Service]
+Type=oneshot
+ExecStart=@libexecdir@/snapd/snap-failure snapd
+RemainAfterExit=true
+# X-Snapd-Snap: do-not-start
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.run-from-snap snapd-2.37~rc1~14.04/data/systemd/snapd.run-from-snap
--- snapd-2.32.3.2~14.04/data/systemd/snapd.run-from-snap	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.run-from-snap	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# This script is deprecated
+
+echo "DEPRECATED: $0"
+echo "$@"
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.seeded.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.seeded.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.seeded.service.in	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.seeded.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,14 @@
+[Unit]
+Description=Wait until snapd is fully seeded
+After=snapd.service snapd.socket
+Requires=snapd.socket
+
+[Service]
+Type=oneshot
+ExecStart=@bindir@/snap wait system seed.loaded
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target cloud-final.service
+# This is handled special in snapd
+# X-Snapd-Snap: do-not-start
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.service.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,9 @@
 [Unit]
 Description=Snappy daemon
 Requires=snapd.socket
+OnFailure=snapd.failure.service
+# This is handled by snapd
+# X-Snapd-Snap: do-not-start
 
 [Service]
 # Disabled because it breaks lxd
@@ -10,7 +13,11 @@
 ExecStart=@libexecdir@/snapd/snapd
 EnvironmentFile=-@SNAPD_ENVIRONMENT_FILE@
 Restart=always
+WatchdogSec=5m
 Type=notify
+SuccessExitStatus=42
+RestartPreventExitStatus=42
+KillMode=process
 
 [Install]
 WantedBy=multi-user.target
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.snap-repair.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.snap-repair.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.snap-repair.service.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.snap-repair.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -9,3 +9,5 @@
 ExecStart=@libexecdir@/snapd/snap-repair run
 EnvironmentFile=-@SNAPD_ENVIRONMENT_FILE@
 Environment=SNAP_REPAIR_FROM_TIMER=1
+# There is no need to start this, the timer will run it
+# X-Snapd-Snap: do-not-start
diff -Nru snapd-2.32.3.2~14.04/data/systemd/snapd.system-shutdown.service.in snapd-2.37~rc1~14.04/data/systemd/snapd.system-shutdown.service.in
--- snapd-2.32.3.2~14.04/data/systemd/snapd.system-shutdown.service.in	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd/snapd.system-shutdown.service.in	2019-01-16 08:36:51.000000000 +0000
@@ -6,10 +6,13 @@
 ConditionKernelCommandLine=snap_core
 # don't run if system-shutdown isn't there
 ConditionPathExists=@libexecdir@/snapd/system-shutdown
+# X-Snapd-Snap: do-not-start
 
 [Service]
 Type=oneshot
-ExecStart=/bin/sh -euc 'mount /run -o remount,exec; mkdir -p /run/initramfs; cp @libexecdir@/snapd/system-shutdown /run/initramfs/shutdown'
+ExecStart=/bin/mount /run -o remount,exec
+ExecStart=/bin/mkdir -p /run/initramfs
+ExecStart=/bin/cp @libexecdir@/snapd/system-shutdown /run/initramfs/shutdown
 
 [Install]
 WantedBy=final.target
diff -Nru snapd-2.32.3.2~14.04/data/systemd-env/990-snapd.conf.in snapd-2.37~rc1~14.04/data/systemd-env/990-snapd.conf.in
--- snapd-2.32.3.2~14.04/data/systemd-env/990-snapd.conf.in	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd-env/990-snapd.conf.in	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+PATH=$PATH:@SNAP_MOUNT_DIR@/bin
diff -Nru snapd-2.32.3.2~14.04/data/systemd-env/Makefile snapd-2.37~rc1~14.04/data/systemd-env/Makefile
--- snapd-2.32.3.2~14.04/data/systemd-env/Makefile	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/systemd-env/Makefile	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2018 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+SNAP_MOUNT_DIR := /snap
+ENVD := /usr/lib/environment.d/
+
+%.conf: %.conf.in
+	sed   < $< > $@ \
+		s:@SNAP_MOUNT_DIR@:${SNAP_MOUNT_DIR}:g
+
+GENERATED = 990-snapd.conf
+
+
+all: ${GENERATED}
+.PHONY: all
+
+install: ${GENERATED}
+	# NOTE: old (e.g. 14.04) GNU coreutils doesn't -D with -t
+	install -d -m 0755 ${DESTDIR}/${ENVD}
+	install -m 0644 -t ${DESTDIR}/${ENVD} $^
+.PHONY: install
+
+clean:
+	$(RM) ${GENERATED}
+.PHONY: clean
diff -Nru snapd-2.32.3.2~14.04/data/udev/rules.d/66-snapd-autoimport.rules snapd-2.37~rc1~14.04/data/udev/rules.d/66-snapd-autoimport.rules
--- snapd-2.32.3.2~14.04/data/udev/rules.d/66-snapd-autoimport.rules	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/data/udev/rules.d/66-snapd-autoimport.rules	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,3 @@
 # probe for assertions, must run before udisks2
-ACTION=="add", SUBSYSTEM=="block" \
+ACTION=="add", SUBSYSTEM=="block", KERNEL!="loop*", KERNEL!="ram*" \
     RUN+="/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/%k"
diff -Nru snapd-2.32.3.2~14.04/debian/changelog snapd-2.37~rc1~14.04/debian/changelog
--- snapd-2.32.3.2~14.04/debian/changelog	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/debian/changelog	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,1837 @@
+snapd (2.37~rc1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1811233
+    - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+      have device node /dev/ttyACM[0-9]
+    - tests: fix enable-disable-unit-gpio test on external boards
+    - tests: define new "tests/smoke" suite and use that for
+      autopkgtests
+    - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+      library
+    - snapshotstate: don't task.Log without the lock
+    - overlord/configstate/configcore: support - and _ in cloud init
+      field names
+    - cmd/snap-confine: use makedev instead of MKDEV
+    - tests: review/fix the autopkgtest failures in disco
+    - systemd: allow only a single daemon-reload at the same time
+    - cmd/snap: only auto-enable unicode to a tty
+    - cmd/snap: right-align revision and size in info's channel map
+    - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+      different on Fedora
+    - tests: fix "No space left on device" issue on amazon-linux
+    - store: undo workaround for timezone-less released-at
+    - store, snap, cmd/snap: channels have released-at
+    - snap-confine: fix incorrect use "src" var in mount-support.c
+    - release: support probing SELinux state
+    - release-tools: display self-help
+    - interface: add new `{personal,system}-files` interface
+    - snap: give Epoch an Equal method
+    - many: remove unused interface code
+    - interfaces/many: use 'unsafe' with docker-support change_profile
+      rules
+    - run-checks: stop running HEAD of staticcheck
+    - release: use sync.Once around lazy intialized state
+    - overlord/ifacestate: include interface name in the hotplug-
+      disconnect task summary
+    - spread: show free space in debug output
+    - cmd/snap: attempt to restore SELinux context of snap user
+      directories
+    - image: do not write empty etc/cloud
+    - tests: skip snapd snap on reset for core systems
+    - cmd/snap-discard-ns: fix umount(2) typo
+    - overlord/ifacestate: hotplug-remove-slot task handler
+    - overlord/ifacestate: handler for hotplug-disconnect task
+    - ifacestate/hotplug: updateDevice helper
+    - tests: reset snapd state on tests restore
+    - interfaces: return security setup errors
+    - overlord: make InstallMany work like UpdateMany, issuing a single
+      request to get candidates
+    - systemd/systemd.go: add missing tests for systemd.IsActive
+    - overlord/ifacestate: addHotplugSeqWaitTask helper
+    - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+    - tests: new backend used to run upgrade test suite
+    - travis: short circuit failures in static and unit tests travis job
+    - cmd: automatically fix localized <option>s to <option>
+    - overlord/configstate,features: expose features to snapd tools
+    - selinux: package to query SELinux status and verify/restore file
+      contexts
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - cmd: add tests for lintArg and lintDesc
+    - httputil: retry on temporary net errors
+    - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+    - wrappers: only restart service in core18 when they are active
+    - overlord/ifacestate: helpers for serializing hotplug changes
+    - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interface
+    - snap/info: bind global plugs/slots to implicit hooks
+    - cmd/snap-confine: remove SC_NS_MNT_FILE
+    - spread: record each tests/upgrade job
+    - osutil: do not import dirs
+    - cmd/snap-confine: fix typo "a pipe"
+    - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+      devices
+    - tests: force test-snapd-daemon-notify exit 0 when the interface is
+      not connected
+    - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+    - centos: enable SELinux support on CentOS 7
+    - apparmor: allow hard link to snap-specific semaphore files
+    - tests/lib/pkgdb: disable weak deps on Fedora
+    - release: detect too old apparmor_parser
+    - tests: improve how the log is checked to see if the system is
+      waiting for a reboot
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - spread, tests: add Fedora 29
+    - cmd/snap-confine: refactor calling snapd tools into helper module
+    - apparmor: allow snap-update-ns access to common devices
+    - cmd/snap-confine: capture initialized per-user mount ns
+    - tests: reduce verbosity around package installation
+    - data: set KillMode=process for snapd
+    - cmd/snap: handle DNS error gracefully
+    - spread, tests: use checkpoints when dumping audit log
+    - tests/lib/prepare: make sure that SELinux context of repacked core
+      snap is controlled
+    - testutils: split checkers, tweak tests
+    - tests: fix for tests test-*-cgroup
+    - spread: show AVC audits when debugging, start auditd on Fedora
+    - spread: drop Fedora 27, add Fedora 29
+    - tests/lib/reset: restore context of removed snapd directories
+    - testutil: add File{Present,Absent} checkers
+    - snap: add new `snap run --trace-exec`
+    - tests: fix for failover test on how logs are checked
+    - snapctl: add "services"
+    - overlord/snapstate: use file timestamp to initialize timer
+    - cmd/libsnap: introduce and use sc_strdup
+    - interfaces: let NM access ifindex/ifupdown files
+    - overlord/snapstate: on refresh, check new rev can read current
+    - client, store: don't use store from client (use client from store)
+    - tests/main/parallel-install-store: verify installation of more
+      than one instance at a time
+    - overlord: don't write system key if security setup fails
+    - packaging/fedora/snapd.spec: fix bogus date in changelog
+    - snapstate: update fontconfig caches on install
+    - interfaces/apparmor/backend.go:411:38: regular expression does not
+      contain any meta characters (SA6004)
+    - asserts/header_checks.go:199:35: regular expression does not
+      contain any meta characters (SA6004)
+    - run staticcheck every time :-)
+    - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+      used with signal.Notify should be buffered (SA1017)
+    - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+      signal.Notify should be buffered (SA1017)
+    - spdx/parser.go:30:1: only the first constant has an explicit type
+      (SA9004)
+    - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+      first argument and no further arguments should use print-style
+      function instead (SA1006)
+    - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+    - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+      Did you mean to break out of the outer loop? (SA4011)
+    - daemon/api.go:992:22: printf-style function with dynamic first
+      argument and no further arguments should use print-style function
+      instead (SA1006)
+    - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+      to break out of the outer loop? (SA4011)
+    - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+      should be buffered (SA1017)
+    - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+      provided buffer, not even temporarily (SA1023)
+    - release: probe apparmor features lazily
+    - overlord,daemon: mock security backends for testing
+    - cmd/libsnap: move apparmor-support to libsnap
+    - cmd: drop cruft from snap-discard-ns build rules
+    - cmd/snap-confine: use snap-discard-ns ns to discard stale
+      namespaces
+    - cmd/snap-confine: handle mounted shared /run/snapd/ns
+    - many: fix composite literals with unkeyed fields
+    - dirs, wrappers, overlord/snapstate: make completion + bases work
+    - tests: revert "tests: restore in restore, not prepare"
+    - many: validate title
+    - snap: make description maximum in runes, not bytes
+    - tests: discard mount namespaces in reset.sh
+    - tests/lib: sync cla check back from snapcraft
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - daemon: remove enableInternalInterfaceActions
+    - mkversion: use "test -n" rather than "! test -z"
+    - run-checks: assorted fixes
+    - tests: restore in restore, not in prepare
+    - cmd/snap: fix missing newline in "snap keys" error message
+    - snap: epoch lists must contain no duplicate entries
+    - interfaces/avahi_observe: Fix typo in comment
+    - tests: add SPREAD_JOB to the description of
+      systemd_create_and_start_unit
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+    - packaging/fedora: use %_sysctldir macro
+    - cmd/snap-confine: remove unneeded unshare
+    - sanity: extend the kernel version check to cover CentOS/RHEL
+      kernels
+    - wrappers: remove all desktop files from a snap on removal
+    - snap: add an explicit check for `epoch: null` loading
+    - snap: check max description length in validate
+    - spread, tests: add CentOS support
+    - cmd/snap-confine: allow mapping more libc shards
+    - cmd/snap-discard-ns: add support for --from-snap-confine
+    - tests: make tinyproxy support systemd notify
+    - tests: fix shellcheck
+    - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+    - store: add a test for a non-zero epoch refresh (with epoch bump)
+    - store: v1 search doesn't send epoch, stop pretending it does
+    - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+    - overlord/snapstate: amend test should send local revision
+    - tests: use mock-gpio.py in enable-disable-units-gpio test
+    - snap: enforce minimal snap name len of 2
+    - cmd/libsnap: add sc_verify_snap_lock
+    - cmd/snap-update-ns: extra debugging of trespassing events
+    - userd: force zenity width if the text displayed is long
+    - overlord/snapstate, store: always send epochs
+    - cmd/snap-confine,snap-update-ns: discard quirks
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - cmd/snap-update-ns, tests: clean trespassing paths
+    - nvidia, interfaces/builtin: OpenCL fixes
+    - ifacestate/hotplug: removeDevice helper
+    - cmd: install snap-discard-ns in "make hack"
+    - overlord/ifacestate: setup security backends phased by backends
+      first
+    - ifacestate/helpers: added SystemSnapName mapper helper method
+    - overlord/ifacestate: set hotplug-key of the connection when
+      connecting hotplug slots
+    - snapd: allow snap-update-ns to read /proc/version
+    - cmd: handle tumbleweed and leap in autogen.sh
+    - interfaces/tests: MockHotplugSlot test helper
+    - store,daemon: make UserInfo,LoginUser part of the store interface
+    - overlord/ifacestate: use remapper when checking if system snap is
+      installed
+    - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+    - packaging/arch: fix bash completions path
+    - interfaces/builtin: add device-buttons interface for accessing
+      events
+    - tests, fakestore: extend refresh tests with parallel installed
+      snaps
+    - snap, store, overlord/snapshotstate: drop epoch pointers
+    - snap: make Epoch default to {[0],[0]} on load from yaml
+    - data/completion: pass documented arguments to completion functions
+    - tests: skip opensuse from interfaces-openvswitch-support test
+    - tests: simple reproducer for snap try and hooks bug
+    - snapstate: do not allow classic mode for strict snaps
+    - snap: make Epoch's MarshalJSON not simplify
+    - store: remove unused currentSnap and currentSnapJSON
+    - many: some small doc comment fixes in recent hotplug code
+    - ifacestate/udevmonitor: added callback to signal end of
+      enumeration
+    - cmd/libsnap: add simplified feature flag checker
+    - interfaces/opengl: add additional accesses for cuda
+    - tests: add core18 only hooks test and fix running core18 only on
+      classic
+    - sanity, release, cmd/snap: refuse to try to do things on WSL.
+    - cmd: make coreSupportsReExec faster
+    - overlord/ifacestate: don't remove the dash when generating unique
+      slot name
+    - cmd/snap-seccomp: add full complement of ptrace constants
+    - cmd: update autogen.sh for opensuse
+    - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+      overlord/snapstate: address review feedback
+    - packaging/opensuse: stop using golang-packaging
+    - overlord/snapshots: survive an unknown user
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - cmd/snap: unhide --name parameter to snap install, tweak help
+      message
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/main/snap-service-after-before-install: verify after/before
+      in snap install
+    - overlord/ifacestate: mark connections disconnected by hotplug with
+      hotplug-gone
+    - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+      startup
+    - tests: install dependencies during prepare
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - tests: core 18 does not support classic confinement
+    - tests: add debug output for degraded test
+    - strutil: make VersionCompare faster
+    - overlord/snapshotstate/backend: survive missing directories
+    - overlord/ifacestate: use map[string]*connState when passing conns
+      around
+    - tests: move fedora 28 to manual
+    - overlord/snapshotstate/backend: be more verbose when
+      SNAPPY_TESTING=1
+    - tests: removing fedora 26 system from spread.yaml
+    - tests: linode execution is not needed anymore
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests: fixes and new backend for tests on nested suite
+    - strutil: let MatchCounter work with a nil regexp
+    - ifacestate/helpers: findConnsForHotplugKey helper
+    - many: move regexp.(Must)Compile out of non-init functions into
+      variables
+    - store: also make snaps downloaded via deltas 0600
+    - snap: use Lstat to determine snap size, remove
+      ReadSnapInfoExceptSize
+    - interfaces/builtin: add adb-support interface
+    - tests: fail if install_snap_local fails
+    - strutil: add extra test to CommaSeparatedList as suggested by
+      mborzecki
+    - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+    - ifacestate: optimize disconnect hooks
+    - cmd/snap-update-ns: parse the -u <uid> command line option
+    - cmd/snap, tests: snapshots for all
+    - client, cmd/daemon: allow disabling keepalive, improve degraded
+      mode unit tests
+    - snap: only show "next" refresh time if its after the hold time
+    - overlord/snapstate: run tests for classic snaps even on systems
+      that don't support classic
+    - overlord/standby: fix a race between standby goroutine and stop
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - cmd: remove remnants of sc_should_populate_mount_ns
+    - client, daemon, cmd/snap: indicate that services are socket/timer
+      activated
+    - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+    - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+    - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+    - cmd/snap-discard-ns: add support for per-user mount namespaces
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook.
+    - tests/main: fixes for the new shellcheck
+    - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+      fly
+    - tests: initial setup for testing current branch on nested vm and
+      hotplug management
+    - cmd: refactor IPC and lifecycle of the helper process
+    - tests/main/parallel-install-store: the store has caught up, do not
+      expect failures
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+      ptrace, for the Breakpad crash reporter
+    - snap,client: use a different exit code for retryable errors
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - cmd/snap: tweak `snap services` output when there is no services
+    - interfaces/many: updates to support k8s worker nodes
+    - cmd/snap: gnome-software install via snap:// handler
+    - overlord/many: cleanup use of snapName vs. instanceName
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes* ifstate: fix decoding of json numbers
+    - cmd/snap: try not to panic on error from "snap try"
+    - tests: new cosmic image for spread tests on gce
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - overlord/snapshotstate/backend: detect path to tar in unit tests
+    - tests/unit/gccgo: drop gccgo unit tests
+    - cmd: use relative file names in locking APIs
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - overlord/snapshotstate/backend: fall back on sudo when no runuser
+    - cmd/snap-confine: reduce verbosity of debug and error messages
+    - systemd: extend Status() to work for socket and timer units
+    - interfaces: typo 'allows' for consistency with other ifaces
+    - systemd,wrappers: don't start disabled services
+    - ifacestate: simplify task chaining in ifacestate.Connect
+    - tests: ensure that goa-daemon is off
+    - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+    - cmd/snap: block 'snap help <cmd> --all'
+    - asserts, image: ensure kernel, gadget, base and required-snaps use
+      valid snap names
+    - apparmor: add unit test for probeAppArmorParser and simplify code
+    - interfaces/apparmor: conditionally add explicit deny rules for
+      ptrace
+    - po: sync translations from launchpad
+    - osutil: tweak handling of error adduser errors
+    - cmd: rename ns_group to mount_ns
+    - tests/main/interfaces-accounts-service: more debugging
+    - snap/pack, snap/squashfs: use type to determine mksquashfs args
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - tests: show list of processes when ifaces-accounts-service fails
+    - tests: do not run degraded test in autopkgtest env
+    - snap: overhaul validation error messages
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - interfaces: improve Attr error further
+    - snapstate: tweak GetFeatureFlagBool() to have a default argument
+    - many: cleanup remaining parallel installs TODOs
+    - image: improve validation of extra snaps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 Jan 2019 09:36:51 +0100
+
+snapd (2.36.3~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - httputil: retry on temporary net errors
+    - wrappers: only restart service in core18 when they are active
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interfacewhen installing selinux-policy-devel package.
+    - centos: enable SELinux support on CentOS 7
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - apparmor: allow hard link to snap-specific semaphore files
+    - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+      profile errors
+    - snap: add new `snap run --trace-exec` call
+    - interfaces/backends: detect too old apparmor_parser
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 14 Dec 2018 07:30:58 +0100
+
+snapd (2.36.2~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - snapstate: update fontconfig caches on install
+    - overlord,daemon: mock security backends for testing
+    - sanity, spread, tests: add CentOS
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - tests: add regression test for LP: #1803535
+    - snap-update-ns: fix trailing slas bug on trespassing error
+    - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+    - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+    - interfaces/opengl: add additional accesses for cuda
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 29 Nov 2018 10:48:29 +0100
+
+snapd (2.36.1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - tests,snap-confine: add core18 only hooks test and fix running
+      core18 only hooks on classic
+    - interfaces/apparmor: allow access to
+      /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests/main/interfces-accounts-service: switch to busctl, more
+      debugging
+    - store: also make snaps downloaded via deltas 0600
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - tests/main: fixes for the new shellcheck
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 09 Nov 2018 14:42:28 +0100
+
+snapd (2.36~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - tests: the store has caught up, drop gccgo test, update cosmic
+      image
+    - cmd/snap: try not to panic on error from "snap try"`--devmode`
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - systemd,wrappers: don't start disabled services
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - tests: do not run degraded test in autopkgtest env
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces: include invalid type in Attr error
+    - many: enable layouts by default
+    - interfaces/default: don't scrub with change_profile with classic
+    - cmd/snap: speed up unit tests
+    - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+      flags
+    - daemon: expose snapshots to the API
+    - interfaces: updates for default, screen-inhibit-control, tpm,
+      {hardware,system,network}-observe
+    - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+      update test interface
+    - interfaces/tests: use TestInterface instead of a custom local
+      helper
+    - overlord/snapstate: export getFeatureFlagBool.
+    - osutil,asserts,daemon: support force password change in system-
+      user assertion
+    - snap, wrappers: support restart-delay, generate RestartSec=<value>
+      in service units
+    - tests/ifacestate: moved asserts-related mocking into helper
+    - image: fetch device store assertion if available
+    - many: enable AppArmor on Arch
+    - interfaces/repo: two helper methods for hotplug
+    - overlord/ifacestate: add hotplug slots with implicit slots
+    - interfaces/hotplug: helpers and struct updates
+    - tests: run the snapd tests on Ubuntu 18.10
+    - snapstate: only report errors if there is an actual error
+    - store: speedup unit tests
+    - spread-shellcheck: fix interleaved error messages, tweaks
+    - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+    - ifacestate: implementation of defaultDeviceKey function for
+      hotplug
+    - cmd/snap-update-ns: remove empty placeholders used for mounting
+    - snapshotstate: restore to current revision
+    - tests/lib: rework the CLA checker
+    - many: support and consider store friendly-stores when checking
+      device scope constraints
+    - overlord/snapstate: block parallel installs of snapd, core, base,
+      kernel, gadget snaps
+    - overlord/patch: patch for static plug/slot attributes
+    - interfaces: honor static attributes when reloading conns
+    - osutils: unit tests speedup; introduce «run-checks --short-
+      unit».
+    - systemd, wrappers: speed up wrappers unit tests
+    - client: speedup unit tests
+    - spread-shellcheck: use threads to parallelise
+    - snap: validate plug and slot names
+    - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+    - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+    - store: gracefully handle unexpected errors in 'action'
+      response
+    - cmd: put our manpages in section 8
+    - overlord: don't make become-operational interfere with user
+      requests
+    - store: tweak unmatched refresh result error log
+    - snap, client, daemon, store: use and expose "media" more
+    - tests,cmd/snap-update-ns: add test showing mount update bug
+      cmd/snap-update-ns: better detection of snapd-made tmpfs
+    - tests: spread tests for aliases with parallel installed snaps
+    - interfaces/seccomp: allow using statx by default
+    - store: gracefully handle unexpected errors in 'action' response
+    - overlord/snapshotstate: chown the tempdir
+    - cmd/snap: attempt to start the document portal if running with a
+      session bus
+    - snap: detect layouts vs layout in snap.yaml
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snapcraft.yaml: set grade to stable
+    - tests: shellchecks, final round
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snap: detect layouts vs layout in snap.yaml
+    - overlord/snapshotstate: store epoch in snapshot, check on restore
+    - cmd/snap: tweak UX of snap refresh --list
+    - overlord/snapstate: improve consistency, use validateInfoAndFlags
+      also in InstallPath
+    - snap: give Epoch a CanRead helper
+    - overlord/snapshotstate: small refactor of internal helpers
+    - interfaces/builtin: adding missing permission to create
+      /run/wpa_supplicant directory
+    - interfaces/builtin: avahi interface update
+    - client, daemon: support passing of 'unaliased' option when
+      installing from local files
+    - selftest: rename selftest.Run() to sanity.Check()
+    - interfaces/apparmor: report apparmor support level and policy
+    - ifacestate: helpers for generating slot names for hotplug
+    - overlord/ifacestate: make sure to pass in the Model assertion when
+      enforcing policies
+    - overlord/snapshotstate: store the SnapID in snapshot, block
+      restore if changed
+    - interfaces: generalize writable mimic profile
+    - asserts,interfaces/policy: add support for on-store/on-brand/on-
+      model plug/slot rule constraints
+    - many: fetch the device store assertion together and in the context
+      of interpreting snap-declarations
+    - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+      gccgo is fixed
+    - tests/main/parallel-install-services: add spread test for snaps
+      with services
+    - tests/main/snap-env: extend to cover parallel installations of
+      snaps
+    - tests/main/parallel-install-local: rename from *-sideload, extend
+      to run snaps
+    - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+    - cmd/snap: tame the help zoo
+    - tests/main/parallel-install-store: run installed snap
+    - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+      i18n)
+    - cmd: fix C formatting
+    - tests: remove unneeded cleanup from layout tests
+    - image: warn on missing default-providers
+    - selftest: add test to ensure selftest.checks is up-to-date
+    - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+      installs
+    - userd: extend the list of supported XDG Desktop properties when
+      autostarting user applications
+    - cmd/snap-update-ns: enforce trespassing checks
+    - selftest: actually run the kernel version selftest
+    - snapd: go into degraded mode when the selftest fails
+    - tests: add test that runs snapctl with a core18 snap
+    - tests: add snap install hook with base: core18
+    - overlord/{snapstate,assertstate}: parallel instances and
+      refresh validation
+    - interfaces/docker-support: add rules to read apparmor macros
+    - tests: make nfs test available for more systems
+    - tests: cleanup copy/paste dup in interfaces-network-setup-control
+    - tests: using single sh snap in interface tests
+    - overlord/snapstate: improve cleaup in mount-snap handler
+    - tests: don't fail interfaces-bluez test if bluez is already
+      installed
+    - tests: find snaps just for edge and beta channels
+    - daemon, snapstate: consistent snap list [--all] output with broken
+      snaps
+    - tests: fix listing to allow extra things in the notes column
+    - cmd/snap: improve UX when removing specific snap revision
+    - cmd/snap, tests/main/snap-info: highlight the current channel
+    - interfaces/testiface: added TestHotplugInterface
+    - snap: tweak commands
+    - interfaces/hotplug: hotplug spec takes one slot definition
+    - overlord/snapstate, snap: handle shared snap directories when
+      installing/remove snaps with instance key
+    - interfaces/opengl: misc accesses for VA-API
+    - client, cmd/snap: expose warnings to the world
+    - cmd/snap-update-ns: introduce trespassing state tracking
+    - cmd/snap: commands no longer build their own client
+    - tests: try to build cmd/snap for darwin
+    - daemon: make error responders not printf when called with 1
+      argument
+    - many: return real snap name in API response
+    - overlord/state: return latest LastAdded time in WarningsSummary
+    - many: mount namespace mapping for parallel installs of snaps
+    - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+      core-phase-2
+    - client, cmd/snap: on !linux, exit when the client tries to Do
+      something
+    - tests: refactor for nested suite and tests fixed
+    - tests: use lxd's waitready instead of polling lxd socket
+    - ifacestate: don't initialize udev monitor until we have a system
+      snap
+    - interfaces: extra argument for static attrs in
+      NewConnectedPlug/NewConnectedSlot
+    - packaging/arch: sync packaging with AUR
+    - snapstate/tests: serialize all appends in fake backend
+    - snap-confine: make /lib/modules optional
+    - cmd/snap: handle "snap interfaces core" better
+    - store: move download tests into downloadSuite
+    - tests,interfaces: run interfaces-account-control on UC18
+    - tests: fix install snaps test by adding link to /snap
+    - tests: fix for nested test suite
+    - daemon: fix snap list --all with parallel snap instances
+    - snapstate: refactor tests to use SetModel*
+    - wrappers: fix snap services order in tests
+    - many: provide salt for generating instance-key in store requests
+    - ifacestate: fix hang when retrying content providers
+    - snapd-env-generator: fix when PATH is empty or unset
+    - overlord/assertstate: propagate TaskSnapSetup error
+    - client: catch and expose logs errors
+    - overlord: integrate device enumeration with udev monitor
+    - daemon, overlord/state: warnings pipeline
+    - tests: add publisher regex to fix the snap-info test pass on sru
+    - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+      tweaks
+    - cmd/snap-update-ns: remove the unused Secure type
+    - osutil, o/snapshotstate, o/sss/backend: quick fixes
+    - tests: update the listing expression to support core from
+      different channels
+    - store: use stable instance key in store refresh requests
+    - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+    - overlord/patch: support for sublevel patches
+    - tests: update prepare/restore for nightly suite
+    - cmd/snap-update-ns: detach BindMount from the Secure type
+    - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+    - ifacestate: retry on "discard-snap" in autoconnect conflict check
+    - cmd/snap-update-ns: separate OpenPath from the Secure struct
+    - wrappers: remove Wants=network-online.target
+    - tests: add new core16-base test
+    - store: refactor tests so that they work as store_test package
+    - many: add refresh.rate-limit core option
+    - tests: run account-control test with different bases
+    - tests: port proxy test to use python tinyproxy
+    - overlord: introduce snapshotstate.
+    - testutil: allow Fstatfs results to vary over time
+    - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+    - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+    - many: remove deadcode
+    - tests: also run unit/gccgo in 18.04
+    - tests: introduce a helper for installing local snaps with --name
+    - tests: avoid removing core snap on reset
+    - snap: use snap.SideInfo in test to fix build with gccgo
+    - partition: remove unused runCommand
+    - image: fix incorrect error when using local bases
+    - overlord/snapstate: fix format
+    - cmd: fix format
+    - tests: setting "storage: preserve-size" just for amazon-linux
+      system
+    - tests: test for the hostname interface
+    - interfaces/modem-manager: allow access to more USB strings
+    - overlord: instantiate UDevMonitor
+    - interfaces/apparmor: tweak naming, rename to AddLayout()
+    - interfaces: take instance name in ifacetest.InstallSnap
+    - snapcraft: do not use --dirty in mkversion
+    - cmd: add systemd environment generator
+    - devicestate: support getting (http) proxy from core config
+    - many: rename ClientOpts to ClientOptions
+    - prepare-image-grub-core18: remove image root in restore
+    - overlord/ifacestate: remove "old-conn" from connect/undo connect
+      handlers
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - image: handle errors when downloadedSnapsInfoForBootConfig has no
+      data
+    - tests: use official core18 model assertion in tests
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - overlord,store: support proxy settings internally too
+    - cmd/snap: bring back 'snap version'
+    - interfaces/mount: tweak naming of things
+    - strutil: fix MatchCounter to also work with buffer reuse
+    - cmd,interfaces,tests: add /mnt to removable-media interface
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - snap/snapenv: drop some instance specific variables, use instance-
+      specific ones for user locations
+    - firstboot: sort by type when installing the firstboot snaps
+    - cmd, cmd/snap: better support for non-linux
+    - strutil: add new ParseByteSize
+    - image: detect and error if bases are missing
+    - interfaces/apparmor: do not downgrade confinement on arch with
+      linux-hardened 4.17.4+
+    - daemon: add pokeStateLock helper to the daemon tests
+    - snap/squashfs: improve error message from Build on mksquashfs
+      failure
+    - tests: remove /etc/alternatives from dirs-not-shared-with-host
+    - cmd: support re-exec into the "snapd" snap
+    - spdx: remove "Other Open Source" from the support licenses
+    - snap: add new type "TypeSnapd" and attach to the snapd snap
+    - interfaces: retain order of inserted security backends
+    - tests: spread test for parallel-installs desktop file handling
+    - overlord/devicestate: use OpenSSL's PEM format when generating
+      keys
+    - cmd: remove --skip-command-chain from snap run and snap-exec
+    - selftest: detect if apparmor is unusable and error
+    - snap,snap-exec: support command-chain for hooks
+    - tests: significantly reduce execution time for managers test
+    - snapstate: use new "snap.ByType" sorting
+    - overlord/snapstate: fix UpdateMany() to work with parallel
+      instances
+    - testutil: have File* checker produce more useful error output
+    - overlord/ifacestate: introduce connectOpts
+    - interfaces: parallel instances support, extend unit tests
+    - tests: normalize tests
+    - snapstate: make InstallPath() return *snap.Info too
+    - snap: add ByType sorting
+    - interfaces: add cifs-mount interface
+    - tests: use file based markers in snap-service-stop-mode
+    - osutil: reorg and stub out things to get it building on darwin
+    - tests/main/layout: cleanup after the test
+    - osutil/sys: small tweaks to let it build on darwin
+    - daemon, overlord/snapstate: set instance name when installing from
+      snap file
+    - many: move Uname to osutil, for more DRY and easier porting.
+    - cmd/snap: create snap user directory when running parallel
+      installed snaps
+    - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+    - tests: basic test for parallel installs from the store
+    - image: download the gadget from the model.GadgetTrack()
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - overlord: handle sigterm during shutdown better
+    - tests: add the original function to fix the errors on new kernels
+    - tests/main/lxd: pull lxd from candidate; reënable i386
+    - wayland: add extra sockets that are used by older toolkits (e.g.
+      gtk3)
+    - asserts: add support for gadget tracks in the model assertion
+    - overlord/snapstate: improve feature flag validation
+    - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+    - interfaces: workaround for activated services and newer DBus
+    - tests: get the linux-image-extra available for the current kernel
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - interfaces: disconnect hooks
+    - cmd/libsnap: unify detection of core/classic with go
+    - tests: fix autopkgtest failures in cosmic
+    - snap: fix advice json
+    - overlord/snapstate: parallel snap install
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - interfaces: add screencast-legacy for video and audio recording
+    - tests: skip unsupported architectures for fedora-base-smoke test
+    - tests: avoid using the journalctl cursor when it has not been
+      created yet
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - tests: enable lxd again everywhere
+    - tests: new test for udisks2 interface
+    - interfaces: add cpu-control for setting CPU tunables
+    - overlord/devicestate: fix tests, set seeded in registration
+      through proxy tests
+    - debian: add missing breaks on cosmic
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - tests: new test for juju client observe interface
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - snapcraft: set version information for the snapd snap
+    - cmd/snap, daemon: error out if trying to install a snap using
+      empty name
+    - hookstate: simplify some hook tests
+    - cmd/snap-confine: extend security tag validation to cover instance
+      names
+    - snap: fix mocking of systemkey in snap-run tests
+    - packaging/opensuse: fix static build of snap-update-ns and snap-
+      exec
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - cmd/libsnap-confine-private: intoduce helpers for validating snap
+      instance name and instance key
+    - snap,snap-exec: support command-chain for app
+    - interfaces/builtin: network-manager resolved DBus changes
+    - snap: tweak `snap wait` command
+    - cmd/snap-update-ns: introduce validation of snap instance names
+    - cmd/snap: fix some corner-case test setup weirdness
+    - cmd,dirs: fix various issues discovered by a Fedora base snap
+    - tests/lib/prepare: fix extra snaps test
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 24 Oct 2018 11:30:45 -0600
+
+snapd (2.35.5~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - osutil: workaround overlayfs on ubuntu 18.10
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 15 Oct 2018 22:23:02 +0200
+
+snapd (2.35.4~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 14:41:33 +0200
+
+snapd (2.35.3~14.04) trusty; urgency=medium
+
+    - overlord: don't make become-operational interfere with user
+      requests
+    - docker_support.go: add rules to read apparmor macros
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-
+      nsFixes:
+    - snapcraft.yaml: add workaround to fix snapcraft build
+    - interfaces/opengl: misc accesses for VA-API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 09:32:00 +0200
+
+snapd (2.35.2~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - cmd,overlord/snapstate: go 1.11 format fixes
+    - ifacestate: fix hang when retrying content providers
+    - snap-env-generator: do nothing when PATH is unset
+    - interfaces/modem-manager: allow access to more USB strings
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 12 Sep 2018 09:32:00 +0200
+
+snapd (2.35.1~14.04) trusty; urgency=medium
+
+  *  New upstream release, LP: #1786438
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - snapcraft: do not use --diry in mkversion.sh
+    - cmd: add systemd environment generator
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - tests: cherry-pick test fixes from master for 2.35
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - interfaces: retain order of inserted security backends
+    - selftest: detect if apparmor is unusable and error
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 03 Sep 2018 14:44:06 +0200
+
+snapd (2.35~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - asserts: add support for gadget tracks in the model assertion
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - overlord: handle sigterm during shutdown better
+    - wayland: add extra sockets that are used by older toolkits
+    - snap: fix advice json
+    - tests: fix autopkgtest failures in cosmic
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - interfaces: add cpu-control for setting CPU tunables
+    - debian: add missing breaks on comisc
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - hookstate: simplify some hook tests
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - interfaces/builtin: network-manager resolved DBus changes
+    - tests: add spread test for fedora29 base snap
+    - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+    - dirs: fix SnapMountDir inside a Fedora base snap
+    - tests: fix snapd-failover for core18 with external backend
+    - overlord/snapstate: always clean SnapState when doing Get()
+    - overlod/ifacestate: always use a new SnapState when fetching the
+      snap state
+    - overlord/devicestate: have the serial request talk to the proxy if
+      set
+    - interfaces/hotplug: udevadm output parser
+    - tests: New test for daemon-notify interface
+    - image: ensure "core" is ordered early if base: and core is used
+    - cmd/snap-confine: snap-device-helper parallel installs support
+    - tests: enable interfaces-framebuffer everywhere
+    - tests: reduce nc wait time from 2 to 1 second
+    - snap/snapenv: add snap instance specific variables
+    - cmd/snap-confine: add minimal test for snap-device-helper
+    - tests: enable snapctl test on core18
+    - overlord: added UDevMonitor for future hotplug support
+    - wrappers: do not glob when removing desktop files
+    - tests: add dbus monitor log to interfaces-accounts-service
+    - tests: add core-18 systems to external backend
+    - wrappers: account for changed app wrapper in parallel installed
+      snaps
+    - wrappers: make sure that the tests pass on non-Ubuntu too
+    - many: add snapd snap failure handling
+    - tests: new test for dvb interface
+    - configstate: accept refresh.timer=managed
+    - tests: new test for snap logs command
+    - wrapper: generate all the snapd unit files when generating
+      wrappers
+    - store: keep all files with link-count > 1 in the cache
+    - store: be less verbose in the common refresh case of "no updates"
+    - snap-confine: update snappy-app-dev path
+    - debian: ensure dependency on fixed apt on 18.04
+    - snapd: add initial software watchdog for snapd
+    - daemon, systemd: change journalctl -n=all to --no-tail
+    - systemd: fix snapd.apparmor.service.in dependencies
+    - snapstate: refuse to remove bases or core if snaps need them
+    - snap: introduce package-level helpers for building snap related
+      directory/file paths
+    - overlord/devicestate: deny parallel install of kernel or gadget
+      snaps
+    - store: clean up parallel-install TODOs in store tests
+    - timeutil: fix first weekday of the month schedule
+    - interfaces: match all possible tty but console
+    - tests: shellchecks part 5
+    - cmd/snap-confine: allow ptrace read for 4.18 kernels
+    - advise: make the bolt database do the atomic rename dance
+    - tests/main/apt-hooks: debug dump of commands.db
+    - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+      handling
+    - snap: validate instance name as part of Validate()
+    - daemon: if a snap is inactive, don't ask systemd about its
+      services.
+    - udev: skip TestParseUdevEvent on s390x
+    - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+    - asserts,image: add support for new kernel=track syntax
+    - tests: new gce image for fedora 27
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - store, overlord/snapstate: introduce instance name in store APIs
+    - tests: drive-by cleanup of redudant pkgname matching
+    - tests: ensure apt-hook is only run after catalog update ran
+    - tests: use pkill instead of kilall
+    - tests/main: another bunch of updates for Amazon Linux 2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the  directory tree
+    - tests: disable/fix more tests for Amazon Linux 2
+    - overlord: introduce InstanceKey to SnapState and SnapSetup,
+      renames
+    - daemon: make sure most change generating handlers can produce
+      errors with kinds
+    - tests/main/interfaces-calendar-service: skip the test on AMZN2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the directory tree
+    - cmd/snap: add a green check mark to verified publishers
+    - cmd/snap: fix two issues in the cmd/snap unit tests
+    - packaging/fedora: fix target path of /snap symlink
+    - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - strutil: detect and bail out of Unmarshal on duplicate key
+    - packaging/fedora(amzn2): disable SELinux, drop dependency on
+      squashfuse for AMZN2
+    - spread, tests: add support for Amazon Linux 2
+    - packaging/fedora: Add Amazon Linux 2 support
+    - many: make Wait/Stop optional on StateManagers
+    - snap/squashfs: stop printing unsquashfs info to stderr
+    - snap: add support for `snap advise-snap --from-apt`
+    - overlord/ifacestate: ignore connect if already connected
+    - tests: change the service snap used instead of network-bind-
+      consumer
+    - interfaces/network-control: update for wpa-supplicant and ifupdown
+    - tests: fix raciness in stop mode tests
+    - logger: try to not have double dates
+    - debian: use deb-systemd-invoke instead of systemctl directly
+    - tests: run all main tests on core18
+    - many: finish sharing a single TaskRunner with all the the managers
+    - interfaces/repo: added AllHotplugInterfaces helper
+    - snapstate: ensure kernel-track is honored on switch/refresh
+    - overlord/ifacestate: support implicit slots on snapd
+    - image: add support for "kernel-track" in `snap prepare-image`
+    - tests: add test that ensures we do not boot any system in degraded
+      state
+    - tests: update tests to work on core18
+    - cmd/snap: check for typographic dashes in command
+    - tests: fix tests expecting old email address
+    - client: add some existing error kinds that were not listed in
+      client.go
+    - tests: add missing slots in classic and core provider test snaps
+    - overlord,daemon,cmd: re-map snap names around the edges of snapd
+    - tests: use install_local in snap-run-hooks
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - overlord/snapstate: dedupe default content providers
+    - osutil/udev: sync with upstream
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord: have SnapManager use a passed in TaskRunner created by
+      Overlord
+    - many: streamline the generic conflict check mechanisms
+    - tests: remove unneeded setup code in snap-run-symlink
+    - cmd/snap: print unset license as "unset", instead of "unknown"
+    - asserts: add (optional) kernel-track to model assertion
+    - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+    - interfaces/pulseaudio: be clear that the interface allows playback
+      and record
+    - snap: support hook environment
+    - interfaces: fix typo "daemonNotify" (add missing "n")
+    - interfaces: tweak tests of daemon-notify, use common naming
+    - interfaces: allow invoking systemd-notify when daemon-notify is
+      connected
+    - store: make snap blobs be 0600
+    - interfaces,daemon: move JSON types to the daemon
+    - tests: prepare needs to handle bin/snapctl being a symlink
+    - tests: do not mask errors in interfaces-timezone-control (#5405)
+    - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+    - tests: add basic integration test for spread hold
+    - overlord/snapstate: improve PlugsOnly comment
+    - many: assorted shellcheck fixes
+    - store, daemon, client, cmd/snap: expose "scope", default to wide
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - client, cmd/snap: pass snap instance name when installing from
+      file
+    - cmd/snap: add 'debug paths' command
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: fix tests on arch
+    - tests: start active system units on reset
+    - tests: new test for joystick interface
+    - tests: moving install of dependencies to pkgdb helper
+    - tests: enable new fedora image with test dependencies installed
+    - tests: start using the new opensuse image with test dependencies
+    - tests: check catalog refresh before and after restart snapd
+    - tests: stop restarting journald service on prepare
+    - interfaces: make core-support a no-op interface
+    - interfaces: prefer "snapd" when resolving implicit connections
+    - interfaces/hotplug: add hotplug Specification and
+      HotplugDeviceInfo
+    - many: lessen the use of core-support
+    - tests: fixes for the autopkgtest failures in cosmic
+    - tests: remove extra ' which breaks interfaces-bluetooth-control
+      test
+    - dirs: fix antergos typo
+    - tests: use grep to avoid non-matching messages from MATCH
+    - dirs: improve distro detection for Antegros
+    - vendor: switch to latest bson
+    - interfaces/builtin: create can-bus interface
+    - tests: "snap connect" is idempotent so just connect
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - interfaces: treat "snapd" snap as type:os
+    - interfaces: tweak tests to have less repetition of "core" and
+      "ubuntu…
+    - tests: simplify econnreset test
+    - snap: add helper for renaming slots
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - tests: add artful for sru validation on google backend
+    - snap,interfaces: move interface name validation to snap
+    - overlord/snapstate: introduce path to fake backend ops
+    - cmd/snap-confine: fix snaps running on core18
+    - many: expose publisher's validation throughout the API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 20 Aug 2018 12:36:33 +0200
+
+snapd (2.34.3~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - snapstate: allow setting "refresh.timer=managed"
+    - spread: switch Fedora and openSUSE images
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 27 Jul 2018 19:08:44 +0200
+
+snapd (2.34.2~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - packaging: fix bogus date in fedora snapd.spec
+    - tests: fix tests expecting old email address
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 19 Jul 2018 12:05:50 +0200
+
+snapd (2.34.1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - tests: cherry-pick test fixes from master for 2.34
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord/snapstate: dedupe default content providers
+    - interfaces/builtin: create can-bus interface
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Tue, 17 Jul 2018 19:46:56 +0200
+
+snapd (2.34~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - store, daemon, client, cmd/snap: expose "scope", default to wide*
+    - tests: fix arch tests
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+    - tests: run interfaces-contacts-service only where test-snapd-eds
+      is available
+    - many: expose publisher's validation throughout the API
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - dirs: improve distro detection for Antegros
+    - Revert "dirs: improve identification of Arch Linux like systems"
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - i18n: use xgettext-go --files-from to avoid running into cmdline
+      size limits
+    - interfaces: move ValidateName helper to utils
+    - snapstate,ifstate: wait for pending restarts before auto-
+      connecting
+    - snap: account for parallel installs in wrappers, place info and
+      tests
+    - configcore: fix incorrect handling of keys with numbers (like
+      gpu_mem_512)
+    - tests: fix tests when no keyboard input detected
+    - overlord/configstate: add watchdog options
+    - snap-mgmt: fix for non-existent dbus system policy dir,
+      shellchecks
+    - tests/main/snapd-notify: use systemd's service properties rater
+      than the journal
+    - snapstate: allow removal of snap.TypeOS when using a model with a
+      base
+    - interfaces: make findSnapdPath smarter
+    - tests: run "arp" tests only if arp is available
+    - spread: increase the number of auto retries for package downloads
+      in opensuse
+    - cmd/snap-confine: fix nvidia support under lxd
+    - corecfg: added experimental.hotplug feature flag
+    - image: block installation of parallel snap instances
+    - interfaces: moved normalize method to interfaces/utils and made it
+      public
+    - api/snapctl: allow -h and --help for regular users.
+    - interfaces/udisks2: also implement implicit classic slot
+    - cmd/snap-confine: include CUDA runtime libraries
+    - tests: disable auto-refresh test on core18
+    - many: switch to account validation: unproven|verified
+    - overlord/ifacestate: get/set connection state only via helpers
+    - tests: adding extra check to validate journalctl is showing
+      current test data
+    - data: add systemd environment configuration
+    - i18n: handle write errors in xgettext-go
+    - snap: helper for validating snap instance names
+    - snap{/snaptest}: set instance key based on snap name
+    - userd: fix running unit tests on KDE
+    - tests/main/econnreset: limit ingress traffic to 512kB/s
+    - snap: introduce a struct Channel to represent store channels, and
+      helpers to work with it
+    - tests: add fedora to distro_clean_package_cache function
+    - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+    - tests: add spread test to ensure snapd/core18 are not removable
+    - tests: tweaks for running the main tests on core18
+    - overlord/{config,snap}state: introduce experimental.parallel-
+      instances feature flag
+    - strutil: support iteration over almost clean paths
+    - strutil: add PathIterator.Rewind
+    - tests: update interfaces-timeserver-control to core18
+    - tests: add halt-timeout to google backend
+    - tests: skip security-udev-input-subsystem without /dev/input/by-
+      path
+    - snap: introduce the instance key field
+    - packaging/opensuse: remaining packaging updates for 2.33.1
+    - overlord/snapstate: disallow installing snapd on baseless models
+    - tests: disable core tests on all core systems (16 and 18)
+    - dirs: improve identification of Arch Linux like systems
+    - many: expose full publisher info over the snapd API
+    - tests: disable core tests on all core systems (16 and 18)
+    - tests/main/xdg-open: restore or clean up xdg-open
+    - tests/main/interfaces-firewall-control: shellcheck fix
+    - snapstate: sort "snapd" first
+    - systemd: require snapd.socket in snapd.seeded.service; make sure
+      snapd.seeded
+    - spread-shellcheck: use the latest shellcheck available from snaps
+    - tests: use "ss" instead of "netstat" (netstat is not available in
+      core18)
+    - data/complete: fix three out of four shellcheck warnings in
+      data/complete
+    - packaging/opensuse: fix typo, missing assignment
+    - tests: initial core18 spread image building
+    - overlord: introduce a gadget-connect task and use it at first boot
+    - data/completion: fix inconsistency in +x and shebang
+    - firstboot: mark essential snaps as "Required" in the state
+    - spread-shellcheck: use a whitelist of files that are allowed to
+      fail validation
+    - packaging/opensuse: build position-independent binaries
+    - ifacestate: prevent running interface hooks twice when self-
+      connecting on autoconnect
+    - data: remove /bin/sh from snapd.sh
+    - tests: fix shellcheck 0.5.0 warnings
+    - packaging/opensuse: snap-confine should be 06755
+    - packaging/opensuse: ship apparmor integration if enabled
+    - interfaces/udev,misc: only trigger udev events on input subsystem
+      as needed
+    - packaging/opensuse: add missing bits for snapd.seeded.service
+    - packaging/opensuse: don't use %-macros in comments
+    - tests: shellchecks part 4
+    - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+      parallel-install TODOs
+    - store: drop unused: channel map types, and details fixture.
+    - store: have a basic test about the unmarshalling of /search
+      results
+    - tests: show executed tests on current system when a test fails
+    - tests: fix for the download of the big snap
+    - interfaces/apparmor: add chopTree
+    - tests: remove double debug: | entry in tests and add more checks
+    - cmd/snap-update-ns: introduce mimicRequired helper
+    - interfaces: move assertions around for better failure line number
+    - store: log a nice clear "download succeeded" message
+    - snap: run snap-confine from the re-exec location
+    - snapstate: support restarting snapd from the snapd snap on core18
+    - tests: show status of the partial test-snapd-huge snap in
+      econnreset test
+    - tests: fix interfaces-calendar-service test when gvfsd-metadata
+      loks the xdg dirctory
+    - store: switch store.SnapInfo to use the new v2/info endpoint
+    - interfaces: add Repository.AllInterfaces
+    - snapstate: stop using evolving SnapSpec internally, use an
+      internal-only snapSpec instead
+    - cmd/libsnap-confine-private: introduce a helper for splitting snap
+      name
+    - tests: econnreset/retry tweaks
+    - store, et al: kill dead code that uses the bulk endpoint
+    - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+    - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+      Depth helper
+    - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+      available
+    - store: switch connectivity check to use v2/info
+    - devicestate: support seeding from a base snap instead of core
+    - snapstate,ifacestate: remove core-phase-2 handling
+    - interfaces/docker-support: update for docker 18.05
+    - tests: enable fedora 28 again
+    - overlord/ifacestate:  simplify checkConnectConflicts and also
+      connect signature
+    - snap: parse connect instructions in gadget.yaml
+    - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+      test
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - store, image: have 'snap download' use v2/refresh action=download
+    - interfaces/policy: test that base policy can be parsed
+    - tests: publish test-snapd-appstreamid for any architecture
+    - snap: don't include newline in hook environment
+    - cmd/snap-update-ns: use RCall with SyscallsEqual
+    - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+    - interfaces: add the dvb interface
+    - daemon: paging is not a thing.
+    - cmd/snap-mgmt: remove system key on purge
+    - testutil: syscall sequence checker
+    - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command* many: add `snap debug
+      connectivity` command
+    - configstate: deny configuration of base snaps and for the "snapd"
+      snap
+    - interfaces/raw-usb: also allow usb serial devices
+    - snap: reject more layout locations
+    - errtracker: do not send duplicated reports
+    - httputil: extra debug if an error is not retried
+    - cmd/snap-update-ns: improve wording in many errors
+    - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+    - cmd/snap-update-ns: add helper for checking for read-only
+      filesystems
+    - interfaces/builtin/docker: use commonInterface over specific
+      struct
+    - testutil: add test support for Fstatfs
+    - cmd/snap-update-ns: discard the concept of segments
+    - cmd/libsnap-confine-private: helper for extracting store snap name
+      from local-name
+    - tests: fix flaky test for hooks undo
+    - interfaces: add {contacts,calendar}-service interfaces
+    - tests: retry 'restarting into..' match in the snap-confine-from-
+      core test
+    - systemd: adjust TestWriteMountUnitForDirs() to use
+      squashfs.MockUseFuse(false)
+    - data: add helper that can generate/start/stop the snapd service
+    - sefltest: advise reboot into 4.4 on trusty running 3.13
+    - selftest: add new selftest package that tests squashfs mounting
+    - store, jsonutil: move store.getStructFields to
+      jsonutil.StructFields
+    - ifacestate: improved conflict and error handling when creating
+      autoconnect tasks
+    - cmd/snap-confine: applied make fmt
+    - interfaces/udev: call 'udevadm settle --timeout=10' after
+      triggering events
+    - tests: wait more time until snap start to be downloaded on
+      econnreset test
+    - snapstate: ensure fakestore returns TypeOS for the core snap
+    - tests: fix lxd test which hangs on restore
+    - cmd/snap-update-ns: add PathIterator
+    - asserts,image: add support for models with bases
+    - tests: shellchecks part 3
+    - overlord/hookstate: support undo for hooks
+    - interfaces/tpm: Allow access to the kernel resource manager
+    - tests: skip appstream-id test for core systems 32 bits
+    - interfaces/home: remove redundant common interface assignment
+    - tests: reprioritise a few tests that are known to be slow
+    - cmd/snap: small help tweaks and fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - spread-shellcheck: silly fix & pep8
+    - spread: switch fedora 28 to manual
+    - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+      it in snap info --verbose
+    - tests: fix lxd test - --auto now sets up networking
+    - tests: adding fedora-28 to spread.yaml
+    - interfaces: add juju-client-observe interface
+    - client, daemon: add a "mounted-from" entry to local snaps' JSON
+    - image: set model.DisplayName() in bootenv as "snap_menuentry"
+    - packaging/opensuse: Refactor packaging to support all openSUSE
+      targets
+    - interfaces/joystick: force use of the device cgroup with joystick
+      interface
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - interfaces: remove Plug/Slot types
+    - interface hooks: update old AutoConnect methods
+    - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+    - overlord/{config,snap}state: the number of inactive revisions is
+      config
+    - cmd/snap: check with snapd for unknown sections
+    - tests: moving test helpers from sh to bash
+    - data/systemd: add snapd.apparmor.service
+    - many: expose AppStream IDs (AKA common ID)
+    - many: hold refresh when on metered connections
+    - interfaces/joystick: also support modern evdev joysticks and
+      gamepads
+    - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+    - snapcraft: use dpkg-buildpackage options that work in xenial
+    - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+    - get-deps: work with an unset GOPATH too
+    - interfaces/apparmor: use strict template on openSUSE tumbleweed
+    - packaging: filter out verbose flags from "dh-golang"
+    - packaging: fix description
+    - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 06 Jul 2018 16:08:17 +0200
+
+snapd (2.33.1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - many: improve udev trigger on refresh experience
+    - systemd: require snapd.socket in snapd.seeded.service
+    - snap: don't include newline in hook environment
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - tests: skip security-dev-input-event-denied when /dev/input/by-
+      path/ is missing
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 21 Jun 2018 17:37:56 +0200
+
+snapd (2.33~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command
+    - interfaces/raw-usb: also allow usb serial devices
+    - errtracker: do not send duplicated reports
+    - selftest: add new selftest package that tests squashfs mounting
+    - tests: backport lxd force stop and econnreset fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - interfaces/joystick: support modern evdev joysticks
+    - interfaces: add juju-client-observe
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - many: holding refresh on metered connections
+    - many: expose AppStream IDs (AKA common ID)
+    - tests: speed up save/restore snapd state for all-snap systems
+      during tests execution
+    - interfaces/apparmor: use helper to load stray profile
+    - tests: ubuntu core abstraction
+    - overlord/snapstate: don't panic in a corner case interaction of
+      cleanup tasks and pruning
+    - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+      snaps
+    - tests: new parameter for the journalctl rate limit
+    - spread-shellcheck: port to python
+    - interfaces/home: add 'read' attribute to allow non-owner read to
+      @{HOME}
+    - testutil: import check.v1 differently to workaround gccgo error
+    - interfaces/many: miscellaneous updates for default, desktop,
+      desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+      keys
+    - snapstate/hooks: reorder autoconnect and reconnect hooks
+    - daemon: update unit tests to match current master
+    - overlord/snapshotstate/backend: introducing the snapshot backend
+    - many: support 'system' nickname in interfaces
+    - userd: add the "snap" scheme to the whitelist
+    - many: make rebooting of core on refresh immediate, refactor logic
+      around it
+    - tests/main/snap-service-timer: account for service timer being in
+      the 'running' state
+    - interfaces/builtin: allow access to libGLESv* too for opengl
+      interface
+    - daemon: fix unit tests on arch
+    - interfaces/default,process-control: miscellaneous signal policy
+      fixes
+    - interfaces/bulitin: add write permission to optical-drive
+    - configstate: validate known core.* options
+    - snap, wrappers: systemd WatchdogSec support
+    - ifacestate: do not auto-connect manually disconnected interfaces
+    - systemd: mock useFuse() so testsuite passes in container via lxd
+      snap
+    - snap/env: fix env duplication logic
+    - snap: some doc comments fixes and additions
+    - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+      vendor files
+    - ifacestate: unify reconnect and autoconnect methods
+    - tests: fix user mounts test for external systems
+    - overlord/snapstate,overlord/auth,store: coalesce no auth user
+      refresh requests
+    - boot,partition: improve tests/docs around SetNextBoot()
+    - many: improve `snap wait` command
+    - snap: fix `snap interface --attrs` output when numbers are used
+    - cmd/snap-update-ns: poke holes when creating source paths for
+      layouts
+    - snapstate: support getting new bases/default-providers on refresh
+    - ifacemgr: remove stale connections on startup
+    - asserts: use Attrer in policy checks
+    - testutil: record system call errors / return values
+    - tests: increase timeouts to make tests reliable on slow boards
+    - repo: pass and return ConnRef via pointers
+    - interfaces: add xdg-document-portal support to desktop interface
+    - debian: add a zenity|kdialog suggests
+    - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+    - tests: go must be installed as a classic snap
+    - tests: use journalctl cursors instead rotating logs
+    - daemon: add confinement-options to /v2/system-info
+      daemon: refactor classic support flag to be more structured
+    - tests: build spread in the autopkgtests with a more recent go
+    - cmd/snap: fix the message when snap.channel != snap.tracking
+    - overlord/snapstate: allow core defaults configuration via 'system'
+      key
+    - many: add "snap debug sandbox-features" and needed bits
+    - interfaces: interface hooks for refresh
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - many: add wait command and `snapd.seeded` service
+    - interfaces: move host font update-ns AppArmor rules to desktop
+      interface
+    - jsonutil/safejson: introducing safejson.String &
+      safejson.Paragraph
+    - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+    - cmd/snap-update-ns,tests: mimic the mode and ownership of
+      directories
+    - cmd/snap-update-ns: add support for ignoring mounts with missing
+      source/target
+    - interfaces: interface hooks implementation
+    - cmd/libsnap: fix compile error on more restrictive gcc
+      cmd/libsnap: fix compilation errors on gcc 8
+    - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+    - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+    - tests: fix interfaces-network test for systems with partial
+      confinement
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+    - configcore: validate experimental.layouts option
+    - interfaces:minor autoconnect cleanup
+    - HACKING: fix typos
+    - spread: add adt for ubuntu 18.10
+    - tests: skip test lp-1721518 for arch, snapd is failing to start
+      after reboot
+    - interfaces/x11: allow X11 slot implementations
+    - tests: checking interfaces declaring the specific interface
+    - snap: improve error for snaps not available in the given context
+    - cmdstate: add missing test for default timeout handling
+    - tests: shellcheck spread tasks
+    - cmd/snap: update install/refresh help vs --revision
+    - cmd/snap-confine: add support for per-user mounts
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - tests: adding google-sru backend replacing linode-sur
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - systemd: replace ancient paths with 16.04+ standards
+    - overlord,systemd: store snap revision in mount units
+    - testutil: add test helper for SysLstat
+    - testutil,cmd: rename test helper of Lstat to OsLstat
+    - testutil: document all fake syscall/os functions
+    - osutil,interfaces,cmd: use less hardcoded strings
+    - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+    - testutil: don't dot-import check.v1
+    - store: getStructFields takes pointers now
+    - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+    - many: fix false negatives reported by vet
+    - osutil,interfaces: use uint32 for uid, gid
+    - many: fix various issues reported by shellcheck
+    - tests: add pending shutdown detection
+    - image: support refreshing soft-expired user macaroons in tooling
+    - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+      daemon tests
+    - interfaces/builtin: add support for software-watchdog interface
+    - spread: auto accept key changes when calling dnf
+    - snap,overlord/snapstate: introduce and use BrokenSnapError
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: bring back one missing test in snap-service-stop-mode
+    - debian: update LP bug for the 2.32.5 SRU
+    - userd: set up journal logging streams for autostarted apps
+    - snap,tests : don't fail if we cannot stat MountFile
+    - tests: smaller fixes for Arch tests
+    - tests: run interfaces-broadcom-asic-control early
+    - client: support for snapshot sets, snapshots, and snapshot actions
+    - tests: skip interfaces-content test on core devices
+    - cmd: generalize locking to global, snap and per-user locks
+    - release-tools: handle the snapd-x.y.z version
+    - packaging: fix incorrectly auto-generated changelog entry for
+      2.32.5
+    - tests: add arch to CI
+    - systemd: add helper for opening stream file descriptors to the
+      journal
+    - cmd/snap: handle distros with no version ID
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - tests: removing linode-sru backend
+    - tests: updating bionic version for spread tests on google
+    - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - overlord/snapstate: allow to get an error from readInfo instead of
+      a broken stub, use it in doMountSnap
+    - snap: snap.AppInfo is now a fmt.Stringer
+    - tests: move fedora 27 to google backend
+    - many: add `core.problem-reports.disabled` option
+    - cmd/snap-update-ns: remove the need for stash directory in secure
+      bind mount implementation
+    - errtracker: check for whoopsie.service instead of reading
+      /etc/whoopsie
+    - cmd/snap: user session application autostart v3
+    - tests: add test to ensure `snap refresh --amend` works with
+      different channels
+    - tests: add check for OOM error after each test
+    - cmd/snap-seccomp: graceful handling of non-multilib host
+    - interfaces/shutdown: allow calling SetWallMessage
+    - cmd/snap-update-ns: add secure bind mount implementation for use
+      with user mounts
+    - snap: fix `snap advise-snap --command` output to match spec
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - overlord/snapstate: introduce envvars to control the channels for
+      based and prereqs
+    - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+    - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+    - daemon,overlord/hookstate: stop/wait for running hooks before
+      closing the snapctl socket
+    - advisor: use json for package database
+    - interfaces/hostname-control: allow setting the hostname via
+      syscall and systemd
+    - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+      libraries
+    - interfaces: misc updates for default, firewall-control, fuse-
+      support and process-control
+    - data/selinux: Give snapd access to more aspects of the system
+    - many: use the new install/refresh API by switching snapstate to
+      use store.SnapAction
+    - errtracker: make TestJournalErrorSilentError work on gccgo
+    - ifacestate: add to the repo also snaps that are pending being
+      activated but have a done setup-profiles
+    - snapstate, ifacestate: inject auto-connect tasks try 2
+    - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+    - errtracker: add more fields to aid debugging
+    - interfaces: make system-key more robust against invalid fstab
+      entries
+    - overlord,interfaces: be more vocal about broken snaps and read
+      errors
+    - ifacestate: injectTasks helper
+    - osutil: fix fstab parser to allow for # in field values
+    - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+    - release-tools: add repack-debian-tarball.sh
+    - daemon,client: add build-id to /v2/system-info
+    - cmd: make fmt (indent 2.2.11)
+    - interfaces/content: add rule so slot can access writable files at
+      plug's mountpoint
+    - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+    - ifacestate: don't surface errors from stale connections
+    - cmd/snap-update-ns: convert Secure* family of functions into
+      methods
+    - tests: adjust canonical-livepatch test on GCE
+    - tests: fix quoting issues in econnreset test
+    - cmd/snap-confine: make /run/media an alias of /media
+    - cmd/snap-update-ns: rename i to segNum
+    - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+    - spread: disable StartLimitInterval option on opensuse-42.3
+    - configstate: give a chance to immediately recompute the next
+      refresh time when schedules are set
+    - cmd/snap-confine: attempt to detect if multiarch host uses
+      arch triplets
+    - store: add Store.SnapAction to support the new install/refresh API
+      endpoint
+    - tests: adding test for removable-media interface
+    - tests: update interface tests to remove extra checks and normalize
+      tests
+    - timeutil: in Human, count days with fingers
+    - vendor: update gopkg.in/yaml.v2 to the latest version
+    - cmd/snap-confine: fix Archlinux compatibility
+    - cmd/snapd: make sure signal handlers are established during early
+      daemon startup
+    - cmd/snap-confine: apparmor: allow creating prefix path for
+      gl/vulkan
+    - osutil: use tilde suffix for temporary files used for atomic
+      replacement
+    - tests: copy or sanity check core users using usernames
+    - tests: disentangle etc vs extrausers in core tests
+    - tests: fix snap-run tests when snapd is not running
+    - overlord/configstate: change how ssh is stopped/started
+    - snap: make `snap run` look at the system-key for security profiles
+    - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+      replacement
+    - tests: adding opensuse-42.3 to google
+    - cmd/snap: fix one issue with noWait error handling logic, add
+      tests plus other cleanups
+    - cmd/snap-confine: nvidia: preserve globbed file prefix
+    - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+      needed
+    - interfaces,release: probe seccomp features lazily
+    - tests: change debug for layout test
+    - advisor: deal with missing commands.db file
+    - interfaces/apparmor: simplify UpdateNS internals
+    - polkit: Pass caller uid to PolicyKit authority
+    - tests: moving debian 9 from linode to google backend
+    - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+    - po: specify charset in po/snappy.pot
+    - interfaces: harden snap-update-ns profile
+    - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+    - tests: update tests to deal with s390x quirks
+    - debian: run snap.mount upgrade fixup *before* debhelper
+    - tests: move xenial i386 to google backend
+    - snapstate: add compat mode for default-provider
+    - tests: a bunch of test fixes for s390x from looking at the
+      autopkgtest logs
+    - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+    - interfaces/builtin: let MM change qmi device attributes
+    - tests: add workaround for s390x failure
+    - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+    - daemon: support 'system' as nickname of the core snap
+    - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+    - devicestate: add DeviceManager.Registered returning a channel
+      closed when the device is known to be registered
+    - store: Sections and WriteCatalogs need to strictly send device
+      auth only if the device has a custom store
+    - tests: add bionic system to google backend
+    - many: fix shellcheck warnings in bionic
+    - cmd/snap-update-ns: don't fail on existing symlinks
+    - tests: make autopkgtest tests more targeted
+    - cmd/snap-update-ns: fix creation of layout symlinks
+    - spread,tests: move suite-level prepare/restore to central script
+    - many: propagate contexts enough to be able to mark store
+      operations done from the Ensure loop
+    - snap: don't create empty Change with "Hold" state on disconnect
+    - snap: unify snap name validation w/python; enforce length limit.
+    - cmd/snap: use shlex when parsing `snap run --strace` arguments
+    - osutil,testutil: add symlinkat(2) and readlinkat(2)
+    - tests: autopkgtest may have non edge core too
+    - tests: adding checks before stopping snapd service to avoid job
+      canceled on ubuntu 14.04
+    - errtracker: respect the /etc/whoopsie configuration
+    - overlord/snapstate:  hold refreshes for 2h after seeding on
+      classic
+    - cmd/snap: tweak and polish help strings
+    - snapstate: put layout feature behind feature flag
+    - tests: force profile re-generation via system-key
+    - snap/squashfs: when installing from seed, try symlink before cp
+    - wrappers: services which are socket or timer activated should not
+      be started during boot
+    - many: go vet cleanups
+    - tests: define MATCH from spread
+    - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+      fix
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - cmd/snap: in changes and tasks, default to human-friendly times
+    - many: support holding refreshes by setting refresh.hold
+    - Revert "cmd/snap: use timeutil.Human to show times in `snap
+      refresh -…-time`"
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - tests/main/snap-service-refresh-mode: refactor the test to rely on
+      comparing PIDs
+    - tests/main/media-sharing: improve the test to cover /media and
+      /run/media
+    - store: enable deltas for core devices too
+    - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+    - strutil/shlex: import github.com/google/shlex into the tree
+    - vendor: update github.com/mvo5/libseccomp-golang
+    - overlord/snapstate: block install of "system"
+    - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+    - many: add the snapd-generator
+    - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+    - polkit: ensure error is properly set if dialog is dismissed
+    - snap-confine, snap-seccomp: utilize new seccomp logging features
+    - progress: tweak ansimeter cvvis use to no longer confuse minicom
+    - xdgopenproxy: integrate xdg-open implementation into snapctl
+    - tests: avoid removing preinstalled snaps on core
+    - tests: chroot into core to run xdg-open there
+    - userd: add an OpenFile method for launching local files with xdg-
+      open
+    - tests: moving ubuntu core from linode to google backend
+    - run-checks: remove accidental bashism
+    - i18n: simplify NG usage by doing the modulo math in-package.
+    - snap/squashfs: set timezone when calling unsquashfs to get the
+      build date
+    - timeutil: timeutil.Human(t) gives a human-friendly string for t
+    - snap: add autostart app property
+    - tests: add support for external backend executions on listing test
+    - tests: make interface-broadcom-asic-control test work on rpi
+    - configstate: when disable "ssh" we must disable the "sshd" service
+    - interfaces/apparmor,system-key: add upperdir snippets for strict
+      snaps on livecd
+    - snap/squashfs: add BuildDate
+    - store: parse the JSON format used by the coming new store API to
+      convey snap information
+    - many: remove snapd.refresh.{timer,service}
+    - tests: adding ubuntu-14.04-64 to the google backend
+    - interfaces: add xdg-desktop-portal support to desktop interface
+    - packaging/arch: sync with snapd/snapd-git from AUR
+    - wrappers, tests/main/snap-service-timer: restore missing commit,
+      add spread test for timer services
+    - store: don't ask for snap_yaml_raw except on the details endpoint
+    - many: generate and use per-snap snap-update-ns profile
+    - tests: add debug for layout test
+    - wrappers: detect whether systemd-analyze can be used in unit tests
+    - osutil: allow creating strings out of MountInfoEntry
+    - servicestate: use systemctl enable+start and disable+stop instead
+      of --now flag
+    - osutil: handle file being matched by multiple patterns
+    - daemon, snap: fix InstallDate, make a method of *snap.Info
+    - wrappers: timer services
+    - wrappers: generator for systemd OnCalendar schedules
+    - asserts: fix flaky storeSuite.TestCheckAuthority
+    - tests: fix dependency for ubuntu artful
+    - spread: start moving towards google backend
+    - tests: add a spread test for layouts
+    - ifacestate: be consistent passing Retry.After as named field
+    - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+    - testutil: allow mocking syscall.Fstat
+    - overlord/snapstate: verify that default schedule is randomized and
+      is  not a single time
+    - many: simplify mocking of home-on-NFS
+    - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+    - store: move infoFromRemote into details.go close to snapDetails
+    - userd/tests: Test kdialog calls and mock kdialog too to make tests
+      work in KDE
+    - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+    - cmd/snap: add self-strace to `snap run`
+    - interfaces/screen-inhibit-control,network-status: fix dbus path
+      and interface typos
+    - update-pot: Force xgettext() to return true
+    - store: cleanup test naming, dropping remoteRepo  and
+      UbuntuStore(Repository)? references
+    - store: reorg auth refresh
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 08 Jun 2018 17:13:47 +0200
+
+snapd (2.32.9~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - tests: run all spread tests inside GCE
+    - tests: build spread in the autopkgtests with a more recent go
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 May 2018 10:20:08 +0200
+
+snapd (2.32.8~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 14:36:16 +0200
+
+snapd (2.32.7~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - many: add wait command and seeded target (2
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - cmd/libsnap: fix compile error on more restrictive gcc
+    - tests: cherry-pick commits to move spread to google backend
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - userd: set up journal logging streams for autostarted apps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 13:09:32 +0200
+
+snapd (2.32.6~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: run interfaces-boradcom-asic-control early
+    - tests: skip interfaces-content test on core devices
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Sun, 29 Apr 2018 19:21:53 +0200
+
+snapd (2.32.5~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1765090
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - daemon: support 'system' as nickname of the core snap
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 16 Apr 2018 11:41:48 +0200
+
+snapd (2.32.4~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1756173
+    - cmd/snap: user session application autostart
+    - overlord/snapstate: introduce envvars to control the channels for
+      bases and prereqs
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - many: use the new install/refresh /v2/snaps/refresh store API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 11 Apr 2018 16:30:45 +0200
+
 snapd (2.32.3.2~14.04) trusty; urgency=medium
 
   * New upstream release, LP: #1756173
diff -Nru snapd-2.32.3.2~14.04/debian/control snapd-2.37~rc1~14.04/debian/control
--- snapd-2.32.3.2~14.04/debian/control	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/debian/control	2019-01-16 08:36:51.000000000 +0000
@@ -33,6 +33,8 @@
                squashfs-tools,
                udev,
                xfslibs-dev
+Recommends: gnupg1 | gnupg
+Suggests: zenity | kdialog
 Standards-Version: 3.9.7
 Homepage: https://github.com/snapcore/snapd
 Vcs-Browser: https://github.com/snapcore/snapd
@@ -84,8 +86,7 @@
  enabling secure distribution of the latest apps and utilities for
  cloud, servers, desktops and the internet of things.
  .
- This is the CLI for snapd, a background service that takes care of
- snaps on the system. Start with 'snap list' to see installed snaps.
+ Start with 'snap list' to see installed snaps.
 
 Package: ubuntu-snappy
 Architecture: all
diff -Nru snapd-2.32.3.2~14.04/debian/rules snapd-2.37~rc1~14.04/debian/rules
--- snapd-2.32.3.2~14.04/debian/rules	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/debian/rules	2019-01-16 08:36:51.000000000 +0000
@@ -178,13 +178,15 @@
 	if [ -d share/locale ]; then \
 		cp -R share/locale debian/snapd/usr/share; \
 	fi
+	# chrorder generator
+	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
 
-	# install snapd's systemd units / upstart jobs, done
+	# Install snapd's systemd units / upstart jobs, done
 	# here instead of debian/snapd.install because the
 	# ubuntu/14.04 release branch adds/changes bits here
 	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
 		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
-	# we called this apps-bin-path.sh instead of snapd.sh, and
+	# We called this apps-bin-path.sh instead of snapd.sh, and
 	# it's a conf file so we're stuck with it
 	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh
 
@@ -195,6 +197,10 @@
 
 	# trusty doesn't need the .real workaround
 
+	# On Ubuntu and Debian we don't need to install the apparmor helper service.
+	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.apparmor.service
+	rm $(CURDIR)/debian/tmp/usr/lib/snapd/snapd-apparmor
+
 	dh_install
 
 override_dh_auto_install: snap.8
diff -Nru snapd-2.32.3.2~14.04/debian/snapd.install snapd-2.37~rc1~14.04/debian/snapd.install
--- snapd-2.32.3.2~14.04/debian/snapd.install	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/debian/snapd.install	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,12 @@
 usr/bin/snap
-usr/bin/snapctl
+usr/bin/snapctl /usr/lib/snapd/
 usr/lib/snapd/system-shutdown
 usr/bin/snap-exec /usr/lib/snapd/
 usr/bin/snap-repair /usr/lib/snapd/
+usr/bin/snap-failure /usr/lib/snapd/
 usr/bin/snap-update-ns /usr/lib/snapd/
 usr/bin/snapd /usr/lib/snapd/
 usr/bin/snap-seccomp /usr/lib/snapd/
-usr/lib/snapd/snapd-generator /lib/systemd/system-generators/
 
 # bash completion
 data/completion/snap /usr/share/bash-completion/completions
@@ -25,11 +25,15 @@
 usr/lib/snapd/snap-confine
 usr/lib/snapd/snap-discard-ns
 usr/lib/snapd/snap-mgmt
-usr/share/man/man1/snap-confine.1
-usr/share/man/man5/snap-discard-ns.5
+usr/share/man/
 # for compatibility with ancient snap installs that wrote the shell based
 # wrapper scripts instead of the modern symlinks
 usr/bin/ubuntu-core-launcher
 
 # gdb helper
 usr/lib/snapd/snap-gdb-shim
+
+# use "usr/lib" here because apparently systemd looks only there
+usr/lib/systemd/system-environment-generators
+# but system generators end up in lib
+lib/systemd/system-generators
diff -Nru snapd-2.32.3.2~14.04/debian/snapd.links snapd-2.37~rc1~14.04/debian/snapd.links
--- snapd-2.32.3.2~14.04/debian/snapd.links	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/debian/snapd.links	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+../../usr/lib/snapd/snap-device-helper  /lib/udev/snappy-app-dev
+usr/lib/snapd/snapctl usr/bin/snapctl
diff -Nru snapd-2.32.3.2~14.04/debian/snapd.postrm snapd-2.37~rc1~14.04/debian/snapd.postrm
--- snapd-2.32.3.2~14.04/debian/snapd.postrm	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/debian/snapd.postrm	2019-01-16 08:36:51.000000000 +0000
@@ -68,10 +68,12 @@
             # udev rules
             find /etc/udev/rules.d -name "*-snap.${snap}.rules" -execdir rm -f "{}" \;
             # dbus policy files
-            find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            if [ -d /etc/dbus-1/system.d ]; then
+                find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            fi
             # timer files
             find /etc/systemd/system -name "snap.${snap}.*.timer" | while read -r f; do
-                systemctl_stop "$(basename $f)"
+                systemctl_stop "$(basename "$f")"
                 rm -f "$f"
             done
         fi
@@ -96,13 +98,13 @@
     echo "Discarding preserved snap namespaces"
     # opportunistic as those might not be actually mounted
     if [ -d /run/snapd/ns ]; then
-        if [ $(ls /run/snapd/ns/*.mnt | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.mnt" | wc -l)" -gt 0 ]; then
             for mnt in /run/snapd/ns/*.mnt; do
                 umount -l "$mnt" || true
                 rm -f "$mnt"
             done
         fi
-        if [ $(ls /run/snapd/ns/*.fstab | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.fstab" | wc -l)" -gt 0 ]; then
             for fstab in /run/snapd/ns/*.fstab; do
                 rm -f "$fstab"
             done
diff -Nru snapd-2.32.3.2~14.04/debian/source/options snapd-2.37~rc1~14.04/debian/source/options
--- snapd-2.32.3.2~14.04/debian/source/options	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/debian/source/options	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+tar-ignore = "tests/lib/cache/*"
diff -Nru snapd-2.32.3.2~14.04/dirs/dirs.go snapd-2.37~rc1~14.04/dirs/dirs.go
--- snapd-2.32.3.2~14.04/dirs/dirs.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/dirs/dirs.go	2019-01-16 08:36:51.000000000 +0000
@@ -63,6 +63,7 @@
 	SnapCookieDir         string
 	SnapTrustedAccountKey string
 	SnapAssertsSpoolDir   string
+	SnapSeqDir            string
 
 	SnapStateFile     string
 	SnapSystemKeyFile string
@@ -80,6 +81,7 @@
 
 	SnapBinariesDir     string
 	SnapServicesDir     string
+	SnapSystemdConfDir  string
 	SnapDesktopFilesDir string
 	SnapBusPolicyDir    string
 
@@ -96,13 +98,18 @@
 
 	CompletionHelper string
 	CompletersDir    string
-	CompleteSh       string
 
 	SystemFontsDir           string
 	SystemLocalFontsDir      string
 	SystemFontconfigCacheDir string
 
 	FreezerCgroupDir string
+	SnapshotsDir     string
+
+	ErrtrackerDbDir string
+	SysfsDir        string
+
+	FeaturesDir string
 )
 
 const (
@@ -113,6 +120,14 @@
 	// are in the snap confinement environment.
 	CoreLibExecDir   = "/usr/lib/snapd"
 	CoreSnapMountDir = "/snap"
+
+	// Directory with snap data inside user's home
+	UserHomeSnapDir = "snap"
+
+	// LocalInstallBlobTempPrefix is used by local install code:
+	// * in daemon to spool the snap file to <SnapBlobDir>/<LocalInstallBlobTempPrefix>*
+	// * in snapstate to auto-cleans them up using the same prefix
+	LocalInstallBlobTempPrefix = ".local-install-"
 )
 
 var (
@@ -164,6 +179,21 @@
 	return false
 }
 
+var metaSnapPath = "/meta/snap.yaml"
+
+// isInsideBaseSnap returns true if the process is inside a base snap environment.
+//
+// The things that count as a base snap are:
+// - any base snap mounted at /
+// - any os snap mounted at /
+func isInsideBaseSnap() (bool, error) {
+	_, err := os.Stat(metaSnapPath)
+	if err != nil && os.IsNotExist(err) {
+		return false, nil
+	}
+	return err == nil, err
+}
+
 // SetRootDir allows settings a new global root directory, this is useful
 // for e.g. chroot operations
 func SetRootDir(rootdir string) {
@@ -172,14 +202,15 @@
 	}
 	GlobalRootDir = rootdir
 
-	if release.DistroLike("fedora", "arch", "manjaro") {
+	isInsideBase, _ := isInsideBaseSnap()
+	if !isInsideBase && release.DistroLike("fedora", "arch", "archlinux", "manjaro", "antergos") {
 		SnapMountDir = filepath.Join(rootdir, "/var/lib/snapd/snap")
 	} else {
 		SnapMountDir = filepath.Join(rootdir, defaultSnapMountDir)
 	}
 
 	SnapDataDir = filepath.Join(rootdir, "/var/snap")
-	SnapDataHomeGlob = filepath.Join(rootdir, "/home/*/snap/")
+	SnapDataHomeGlob = filepath.Join(rootdir, "/home/*/", UserHomeSnapDir)
 	SnapAppArmorDir = filepath.Join(rootdir, snappyDir, "apparmor", "profiles")
 	SnapConfineAppArmorDir = filepath.Join(rootdir, snappyDir, "apparmor", "snap-confine")
 	AppArmorCacheDir = filepath.Join(rootdir, "/var/cache/apparmor")
@@ -201,6 +232,7 @@
 	SnapAssertsDBDir = filepath.Join(rootdir, snappyDir, "assertions")
 	SnapCookieDir = filepath.Join(rootdir, snappyDir, "cookie")
 	SnapAssertsSpoolDir = filepath.Join(rootdir, "run/snapd/auto-import")
+	SnapSeqDir = filepath.Join(rootdir, snappyDir, "sequence")
 
 	SnapStateFile = filepath.Join(rootdir, snappyDir, "state.json")
 	SnapSystemKeyFile = filepath.Join(rootdir, snappyDir, "system-key")
@@ -221,6 +253,7 @@
 
 	SnapBinariesDir = filepath.Join(SnapMountDir, "bin")
 	SnapServicesDir = filepath.Join(rootdir, "/etc/systemd/system")
+	SnapSystemdConfDir = filepath.Join(rootdir, "/etc/systemd/system.conf.d")
 	SnapBusPolicyDir = filepath.Join(rootdir, "/etc/dbus-1/system.d")
 
 	SystemApparmorDir = filepath.Join(rootdir, "/etc/apparmor.d")
@@ -249,11 +282,51 @@
 
 	CompletionHelper = filepath.Join(CoreLibExecDir, "etelpmoc.sh")
 	CompletersDir = filepath.Join(rootdir, "/usr/share/bash-completion/completions/")
-	CompleteSh = filepath.Join(SnapMountDir, "core/current/usr/lib/snapd/complete.sh")
 
+	// These paths agree across all supported distros
 	SystemFontsDir = filepath.Join(rootdir, "/usr/share/fonts")
 	SystemLocalFontsDir = filepath.Join(rootdir, "/usr/local/share/fonts")
+	// The cache path is true for Ubuntu, Debian, openSUSE, Arch
 	SystemFontconfigCacheDir = filepath.Join(rootdir, "/var/cache/fontconfig")
+	if release.DistroLike("fedora") && !release.DistroLike("amzn") {
+		// Applies to Fedora and CentOS, Amazon Linux 2 is behind with
+		// updates to fontconfig and uses /var/cache/fontconfig instead,
+		// see:
+		// https://fedoraproject.org/wiki/Changes/FontconfigCacheDirChange
+		// https://bugzilla.redhat.com/show_bug.cgi?id=1416380
+		// https://bugzilla.redhat.com/show_bug.cgi?id=1377367
+		SystemFontconfigCacheDir = filepath.Join(rootdir, "/usr/lib/fontconfig/cache")
+	}
 
 	FreezerCgroupDir = filepath.Join(rootdir, "/sys/fs/cgroup/freezer/")
+	SnapshotsDir = filepath.Join(rootdir, snappyDir, "snapshots")
+
+	ErrtrackerDbDir = filepath.Join(rootdir, snappyDir, "errtracker.db")
+	SysfsDir = filepath.Join(rootdir, "/sys")
+
+	FeaturesDir = filepath.Join(rootdir, snappyDir, "features")
+}
+
+// what inside a (non-classic) snap is /usr/lib/snapd, outside can come from different places
+func libExecOutside(base string) string {
+	if base == "" {
+		// no explicit base; core is it
+		return filepath.Join(SnapMountDir, "core/current/usr/lib/snapd")
+	}
+	// if a base is set, libexec comes from the snapd snap if it's
+	// installed, and otherwise from the distro.
+	p := filepath.Join(SnapMountDir, "snapd/current/usr/lib/snapd")
+	if st, err := os.Stat(p); err == nil && st.IsDir() {
+		return p
+	}
+	return DistroLibExecDir
+}
+
+func CompleteShPath(base string) string {
+	return filepath.Join(libExecOutside(base), "complete.sh")
+}
+
+func IsCompleteShSymlink(compPath string) bool {
+	target, err := os.Readlink(compPath)
+	return err == nil && filepath.Base(target) == "complete.sh"
 }
diff -Nru snapd-2.32.3.2~14.04/dirs/dirs_test.go snapd-2.37~rc1~14.04/dirs/dirs_test.go
--- snapd-2.32.3.2~14.04/dirs/dirs_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/dirs/dirs_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package dirs_test
 
 import (
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -38,6 +39,7 @@
 type DirsTestSuite struct{}
 
 func (s *DirsTestSuite) TestStripRootDir(c *C) {
+	dirs.SetRootDir("/")
 	// strip does nothing if the default (empty) root directory is used
 	c.Check(dirs.StripRootDir("/foo/bar"), Equals, "/foo/bar")
 	// strip only works on absolute paths
@@ -93,6 +95,8 @@
 		{"debian", nil, true},
 		{"suse", nil, true},
 		{"yocto", nil, true},
+		{"arch", []string{"archlinux"}, false},
+		{"archlinux", nil, false},
 	} {
 		reset := release.MockReleaseInfo(&release.OS{ID: t.ID, IDLike: t.IDLike})
 		defer reset()
@@ -103,3 +107,52 @@
 		c.Check(dirs.SupportsClassicConfinement(), Equals, t.Expected, Commentf("unexpected result for %v", t.ID))
 	}
 }
+
+func (s *DirsTestSuite) TestInsideBaseSnap(c *C) {
+	d := c.MkDir()
+
+	snapYaml := filepath.Join(d, "snap.yaml")
+	restore := dirs.MockMetaSnapPath(snapYaml)
+	defer restore()
+
+	inside, err := dirs.IsInsideBaseSnap()
+	c.Assert(err, IsNil)
+	c.Assert(inside, Equals, false)
+
+	err = ioutil.WriteFile(snapYaml, []byte{}, 0755)
+	c.Assert(err, IsNil)
+
+	inside, err = dirs.IsInsideBaseSnap()
+	c.Assert(err, IsNil)
+	c.Assert(inside, Equals, true)
+}
+
+func (s *DirsTestSuite) TestCompleteShPath(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	defer dirs.SetRootDir("")
+
+	// old-style in-core complete.sh
+	c.Check(dirs.CompleteShPath(""), Equals, filepath.Join(dirs.SnapMountDir, "core/current/usr/lib/snapd/complete.sh"))
+	// new-style in-host complete.sh
+	c.Check(dirs.CompleteShPath("x"), Equals, filepath.Join(dirs.DistroLibExecDir, "complete.sh"))
+	// new-style in-snapd complete.sh
+	c.Check(os.MkdirAll(filepath.Join(dirs.SnapMountDir, "snapd/current/usr/lib/snapd"), 0755), IsNil)
+	c.Check(dirs.CompleteShPath("x"), Equals, filepath.Join(dirs.SnapMountDir, "snapd/current/usr/lib/snapd/complete.sh"))
+}
+
+func (s *DirsTestSuite) TestIsCompleteShSymlink(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	defer dirs.SetRootDir("")
+
+	tests := map[string]string{
+		filepath.Join(dirs.GlobalRootDir, "no-base"):        filepath.Join(dirs.SnapMountDir, "core/current/usr/lib/snapd/complete.sh"),
+		filepath.Join(dirs.GlobalRootDir, "no-snapd"):       filepath.Join(dirs.DistroLibExecDir, "complete.sh"),
+		filepath.Join(dirs.GlobalRootDir, "base-and-snapd"): filepath.Join(dirs.SnapMountDir, "snapd/current/usr/lib/snapd/complete.sh"),
+	}
+	for target, d := range tests {
+		c.Check(os.Symlink(d, target), IsNil)
+		c.Check(dirs.IsCompleteShSymlink(target), Equals, true)
+	}
+	c.Check(dirs.IsCompleteShSymlink("/etc/passwd"), Equals, false)
+	c.Check(dirs.IsCompleteShSymlink("/does-not-exist"), Equals, false)
+}
diff -Nru snapd-2.32.3.2~14.04/dirs/export_test.go snapd-2.37~rc1~14.04/dirs/export_test.go
--- snapd-2.32.3.2~14.04/dirs/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/dirs/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package dirs
+
+var (
+	IsInsideBaseSnap = isInsideBaseSnap
+)
+
+func MockMetaSnapPath(path string) (restore func()) {
+	old := metaSnapPath
+	metaSnapPath = path
+	return func() {
+		metaSnapPath = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/docs/MOVED.md snapd-2.37~rc1~14.04/docs/MOVED.md
--- snapd-2.32.3.2~14.04/docs/MOVED.md	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/docs/MOVED.md	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-### Moved to https://github.com/snapcore/snapd/wiki
+### Moved to https://forum.snapcraft.io/t/documentation-outline/3781
diff -Nru snapd-2.32.3.2~14.04/errtracker/errtracker.go snapd-2.37~rc1~14.04/errtracker/errtracker.go
--- snapd-2.32.3.2~14.04/errtracker/errtracker.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/errtracker/errtracker.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,6 +24,7 @@
 	"crypto/md5"
 	"crypto/sha512"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"os"
@@ -32,6 +33,7 @@
 	"strings"
 	"time"
 
+	"github.com/snapcore/bolt"
 	"gopkg.in/mgo.v2/bson"
 
 	"github.com/snapcore/snapd/arch"
@@ -67,6 +69,106 @@
 	timeNow  = time.Now
 )
 
+type reportsDB struct {
+	db *bolt.DB
+
+	// map of hash(dupsig) -> time-of-report
+	reportedBucket *bolt.Bucket
+
+	// time until an error report is cleaned from the database,
+	// usually 7 days
+	cleanupTime time.Duration
+}
+
+func hashString(s string) string {
+	h := sha512.New()
+	io.WriteString(h, s)
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
+
+func newReportsDB(fname string) (*reportsDB, error) {
+	if err := os.MkdirAll(filepath.Dir(fname), 0755); err != nil {
+		return nil, err
+	}
+	bdb, err := bolt.Open(fname, 0600, &bolt.Options{
+		Timeout: 10 * time.Second,
+	})
+	if err != nil {
+		return nil, err
+	}
+	bdb.Update(func(tx *bolt.Tx) error {
+		_, err := tx.CreateBucketIfNotExists([]byte("reported"))
+		if err != nil {
+			return fmt.Errorf("create bucket: %s", err)
+		}
+		return nil
+	})
+
+	db := &reportsDB{
+		db:          bdb,
+		cleanupTime: time.Duration(7 * 24 * time.Hour),
+	}
+
+	return db, nil
+}
+
+func (db *reportsDB) Close() error {
+	return db.db.Close()
+}
+
+// AlreadyReported returns true if an identical report has been sent recently
+func (db *reportsDB) AlreadyReported(dupSig string) bool {
+	// robustness
+	if db == nil {
+		return false
+	}
+	var reported []byte
+	db.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte("reported"))
+		reported = b.Get([]byte(hashString(dupSig)))
+		return nil
+	})
+	return len(reported) > 0
+}
+
+func (db *reportsDB) cleanupOldRecords() {
+	db.db.Update(func(tx *bolt.Tx) error {
+		now := time.Now()
+
+		b := tx.Bucket([]byte("reported"))
+		b.ForEach(func(dupSigHash, reportTime []byte) error {
+			var t time.Time
+			t.UnmarshalBinary(reportTime)
+
+			if now.After(t.Add(db.cleanupTime)) {
+				if err := b.Delete(dupSigHash); err != nil {
+					return err
+				}
+			}
+			return nil
+		})
+		return nil
+	})
+}
+
+// MarkReported marks an error report as reported to the error tracker
+func (db *reportsDB) MarkReported(dupSig string) error {
+	// robustness
+	if db == nil {
+		return fmt.Errorf("cannot mark error report as reported with an uninitialized reports database")
+	}
+	db.cleanupOldRecords()
+
+	return db.db.Update(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte("reported"))
+		tb, err := time.Now().MarshalBinary()
+		if err != nil {
+			return err
+		}
+		return b.Put([]byte(hashString(dupSig)), tb)
+	})
+}
+
 func whoopsieEnabled() bool {
 	cmd := exec.Command("systemctl", "is-enabled", "whoopsie.service")
 	output, _ := cmd.CombinedOutput()
@@ -133,7 +235,27 @@
 	extra["ProblemType"] = "Snap"
 	extra["Snap"] = snap
 
-	return report(errMsg, dupSig, extra)
+	// check if we haven't already reported this error
+	db, err := newReportsDB(dirs.ErrtrackerDbDir)
+	if err != nil {
+		logger.Noticef("cannot open error reports database: %v", err)
+	}
+	defer db.Close()
+
+	if db.AlreadyReported(dupSig) {
+		return "already-reported", nil
+	}
+
+	// do the actual report
+	oopsID, err := report(errMsg, dupSig, extra)
+	if err != nil {
+		return "", err
+	}
+	if err := db.MarkReported(dupSig); err != nil {
+		logger.Noticef("cannot mark %s as reported: %s", oopsID, err)
+	}
+
+	return oopsID, nil
 }
 
 // ReportRepair reports an error with the given repair assertion script
@@ -313,7 +435,7 @@
 		"HostSnapdBuildID":   hostBuildID,
 		"CoreSnapdBuildID":   coreBuildID,
 		"Date":               timeNow().Format(time.ANSIC),
-		"KernelVersion":      release.KernelVersion(),
+		"KernelVersion":      osutil.KernelVersion(),
 		"ErrorMessage":       errMsg,
 		"DuplicateSignature": dupSig,
 
diff -Nru snapd-2.32.3.2~14.04/errtracker/errtracker_test.go snapd-2.37~rc1~14.04/errtracker/errtracker_test.go
--- snapd-2.32.3.2~14.04/errtracker/errtracker_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/errtracker/errtracker_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -164,7 +164,7 @@
 				"CoreSnapdBuildID":   s.coreBuildID,
 				"SnapdVersion":       "some-snapd-version",
 				"Date":               "Fri Feb 17 09:51:00 2017",
-				"KernelVersion":      release.KernelVersion(),
+				"KernelVersion":      osutil.KernelVersion(),
 				"ErrorMessage":       "failed to do stuff",
 				"DuplicateSignature": "[failed to do stuff]",
 				"Architecture":       arch.UbuntuArchitecture(),
@@ -193,7 +193,7 @@
 		case 1:
 			c.Check(r.Method, Equals, "POST")
 			c.Check(r.URL.Path, Matches, identifier)
-			fmt.Fprintf(w, "c14388aa-f78d-11e6-8df0-fa163eaf9b83 OOPSID")
+			fmt.Fprintf(w, "xxxxx-f78d-11e6-8df0-fa163eaf9b83 OOPSID")
 		default:
 			c.Fatalf("expected one request, got %d", n+1)
 		}
@@ -215,10 +215,19 @@
 	c.Check(id, Equals, "c14388aa-f78d-11e6-8df0-fa163eaf9b83 OOPSID")
 	c.Check(n, Equals, 1)
 
-	// run again, verify identifier is unchanged
+	// run again with the *same* dupSig and verify that it won't send
+	// that again
+	id, err = errtracker.Report("some-snap", "failed to do stuff", "[failed to do stuff]", map[string]string{
+		"Channel": "beta",
+	})
+	c.Check(err, IsNil)
+	c.Check(id, Equals, "already-reported")
+	c.Check(n, Equals, 1)
+
+	// run again with different data, verify identifier is unchanged
 	id, err = errtracker.Report("some-other-snap", "failed to do more stuff", "[failed to do more stuff]", nil)
 	c.Check(err, IsNil)
-	c.Check(id, Equals, "c14388aa-f78d-11e6-8df0-fa163eaf9b83 OOPSID")
+	c.Check(id, Equals, "xxxxx-f78d-11e6-8df0-fa163eaf9b83 OOPSID")
 	c.Check(n, Equals, 2)
 }
 
@@ -302,7 +311,7 @@
 				"CoreSnapdBuildID": s.coreBuildID,
 				"SnapdVersion":     "some-snapd-version",
 				"Date":             "Fri Feb 17 09:51:00 2017",
-				"KernelVersion":    release.KernelVersion(),
+				"KernelVersion":    osutil.KernelVersion(),
 				"Architecture":     arch.UbuntuArchitecture(),
 				"DidSnapdReExec":   "yes",
 
@@ -362,6 +371,26 @@
 	c.Check(id, Equals, "")
 }
 
+func (s *ErrtrackerTestSuite) TestReportWithNoWhoopsieInstalled(c *C) {
+	mockCmd := testutil.MockCommand(c, "systemctl", "echo Failed to get unit file state for whoopsie.service; exit 1")
+	defer mockCmd.Restore()
+
+	n := 0
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "1234-oopsid")
+		n++
+	}
+	server := httptest.NewServer(http.HandlerFunc(handler))
+	defer server.Close()
+	restorer := errtracker.MockCrashDbURL(server.URL)
+	defer restorer()
+
+	id, err := errtracker.Report("some-snap", "failed to do stuff", "[failed to do stuff]", nil)
+	c.Check(err, IsNil)
+	c.Check(id, Equals, "1234-oopsid")
+	c.Check(n, Equals, 1)
+}
+
 func (s *ErrtrackerTestSuite) TestProcCpuinfo(c *C) {
 	fn := filepath.Join(s.tmpdir, "cpuinfo")
 	// sanity check
@@ -473,22 +502,43 @@
 	})
 }
 
-func (s *ErrtrackerTestSuite) TestReportWithNoWhoopsieInstalled(c *C) {
-	mockCmd := testutil.MockCommand(c, "systemctl", "echo Failed to get unit file state for whoopsie.service; exit 1")
-	defer mockCmd.Restore()
+func (s *ErrtrackerTestSuite) TestReportsDB(c *C) {
+	db, err := errtracker.NewReportsDB(filepath.Join(s.tmpdir, "foo.db"))
+	c.Assert(err, IsNil)
 
-	n := 0
-	handler := func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "1234-oopsid")
-		n++
-	}
-	server := httptest.NewServer(http.HandlerFunc(handler))
-	defer server.Close()
-	restorer := errtracker.MockCrashDbURL(server.URL)
-	defer restorer()
+	c.Check(db.AlreadyReported("some-dup-sig"), Equals, false)
 
-	id, err := errtracker.Report("some-snap", "failed to do stuff", "[failed to do stuff]", nil)
+	err = db.MarkReported("some-dup-sig")
 	c.Check(err, IsNil)
-	c.Check(id, Equals, "1234-oopsid")
-	c.Check(n, Equals, 1)
+
+	c.Check(db.AlreadyReported("some-dup-sig"), Equals, true)
+	c.Check(db.AlreadyReported("other-dup-sig"), Equals, false)
+}
+
+func (s *ErrtrackerTestSuite) TestReportsDBCleanup(c *C) {
+	db, err := errtracker.NewReportsDB(filepath.Join(s.tmpdir, "foo.db"))
+	c.Assert(err, IsNil)
+
+	errtracker.SetReportDBCleanupTime(db, 1*time.Millisecond)
+
+	err = db.MarkReported("some-dup-sig")
+	c.Check(err, IsNil)
+
+	time.Sleep(10 * time.Millisecond)
+	err = db.MarkReported("other-dup-sig")
+	c.Check(err, IsNil)
+
+	// this one got cleaned out
+	c.Check(db.AlreadyReported("some-dup-sig"), Equals, false)
+	// this one is still fresh
+	c.Check(db.AlreadyReported("other-dup-sig"), Equals, true)
+}
+
+func (s *ErrtrackerTestSuite) TestReportsDBnilDoesNotCrash(c *C) {
+	db, err := errtracker.NewReportsDB("/proc/1/environ")
+	c.Assert(err, NotNil)
+	c.Check(db, IsNil)
+
+	c.Check(db.AlreadyReported("dupSig"), Equals, false)
+	c.Check(db.MarkReported("dupSig"), ErrorMatches, "cannot mark error report as reported with an uninitialized reports database")
 }
diff -Nru snapd-2.32.3.2~14.04/errtracker/export_test.go snapd-2.37~rc1~14.04/errtracker/export_test.go
--- snapd-2.32.3.2~14.04/errtracker/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/errtracker/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -118,4 +118,9 @@
 	JournalError       = journalError
 	ProcCpuinfoMinimal = procCpuinfoMinimal
 	Environ            = environ
+	NewReportsDB       = newReportsDB
 )
+
+func SetReportDBCleanupTime(db *reportsDB, d time.Duration) {
+	db.cleanupTime = d
+}
diff -Nru snapd-2.32.3.2~14.04/features/export_test.go snapd-2.37~rc1~14.04/features/export_test.go
--- snapd-2.32.3.2~14.04/features/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/features/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,24 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package features
+
+// NumberOfFeature returns the number of known features.
+func NumberOfFeatures() int {
+	return int(lastFeature)
+}
diff -Nru snapd-2.32.3.2~14.04/features/features.go snapd-2.37~rc1~14.04/features/features.go
--- snapd-2.32.3.2~14.04/features/features.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/features/features.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,130 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package features
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+)
+
+// SnapdFeature is a named feature that may be on or off.
+type SnapdFeature int
+
+const (
+	// Layouts controls availability of snap layouts.
+	Layouts SnapdFeature = iota
+	// ParallelInstances controls availability installing a snap multiple times.
+	ParallelInstances
+	// Hotplug controls availability of dynamically creating slots based on system hardware.
+	Hotplug
+	// SnapdSnap controls possibility of installing the snapd snap.
+	SnapdSnap
+	// PerUserMountNamespace controls the persistence of per-user mount namespaces.
+	PerUserMountNamespace
+	// lastFeature is the final known feature, it is only used for testing.
+	lastFeature
+)
+
+// KnownFeatures returns the list of all known features.
+func KnownFeatures() []SnapdFeature {
+	features := make([]SnapdFeature, int(lastFeature))
+	for i := range features {
+		features[i] = SnapdFeature(i)
+	}
+	return features
+}
+
+// featureNames maps feature constant to stable string representation.
+// The constants here must be synchronized with cmd/libsnap-confine-private/feature.c
+var featureNames = map[SnapdFeature]string{
+	Layouts:               "layouts",
+	ParallelInstances:     "parallel-instances",
+	Hotplug:               "hotplug",
+	SnapdSnap:             "snapd-snap",
+	PerUserMountNamespace: "per-user-mount-namespace",
+}
+
+// featuresEnabledWhenUnset contains a set of features that are enabled when not explicitly configured.
+var featuresEnabledWhenUnset = map[SnapdFeature]bool{
+	Layouts: true,
+}
+
+// featuresExported contains a set of features that are exported outside of snapd.
+var featuresExported = map[SnapdFeature]bool{
+	PerUserMountNamespace: true,
+}
+
+// String returns the name of a snapd feature.
+// The function panics for bogus feature values.
+func (f SnapdFeature) String() string {
+	if name, ok := featureNames[f]; ok {
+		return name
+	}
+	panic(fmt.Sprintf("unknown feature flag code %d", f))
+}
+
+// IsEnabledWhenUnset returns true if a feature is enabled when not set.
+//
+// A feature may be enabled or disabled with explicit state in snapd. If
+// explicit state is absent the effective value is the implicit default
+// computed by this function.
+func (f SnapdFeature) IsEnabledWhenUnset() bool {
+	return featuresEnabledWhenUnset[f]
+}
+
+// IsExported returns true if a feature is copied from snapd state to a feature file.
+//
+// Certain features are available outside of snapd internal state and visible as control
+// files in a dedicated directory. Such features can be queried for, via IsEnabled, outside
+// of snapd.
+func (f SnapdFeature) IsExported() bool {
+	return featuresExported[f]
+}
+
+// ControlFile returns the path of the file controlling the exported feature.
+//
+// Snapd considers the feature enabled if the file is present.
+// The contents of the file are not important.
+//
+// The function panics for features that are not exported.
+func (f SnapdFeature) ControlFile() string {
+	if !f.IsExported() {
+		panic(fmt.Sprintf("cannot compute the control file of feature %q because that feature is not exported", f))
+	}
+	return filepath.Join(dirs.FeaturesDir, f.String())
+}
+
+// ConfigOption returns the snap name and configuration option associated with this feature.
+func (f SnapdFeature) ConfigOption() (snapName, confName string) {
+	return "core", "experimental." + f.String()
+}
+
+// IsEnabled checks if a given exported snapd feature is enabled.
+//
+// The function panics for features that are not exported.
+func (f SnapdFeature) IsEnabled() bool {
+	if !f.IsExported() {
+		panic(fmt.Sprintf("cannot check if feature %q is enabled because that feature is not exported", f))
+	}
+	return osutil.FileExists(f.ControlFile())
+}
diff -Nru snapd-2.32.3.2~14.04/features/features_test.go snapd-2.37~rc1~14.04/features/features_test.go
--- snapd-2.32.3.2~14.04/features/features_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/features/features_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,102 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package features_test
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/features"
+)
+
+func Test(t *testing.T) { TestingT(t) }
+
+type featureSuite struct{}
+
+var _ = Suite(&featureSuite{})
+
+func (*featureSuite) TestName(c *C) {
+	c.Check(features.Layouts.String(), Equals, "layouts")
+	c.Check(features.ParallelInstances.String(), Equals, "parallel-instances")
+	c.Check(features.Hotplug.String(), Equals, "hotplug")
+	c.Check(features.SnapdSnap.String(), Equals, "snapd-snap")
+	c.Check(features.PerUserMountNamespace.String(), Equals, "per-user-mount-namespace")
+	c.Check(func() { _ = features.SnapdFeature(1000).String() }, PanicMatches, "unknown feature flag code 1000")
+}
+
+func (*featureSuite) TestKnownFeatures(c *C) {
+	// Check that known features have names.
+	known := features.KnownFeatures()
+	for _, f := range known {
+		c.Check(f.String(), Not(Equals), "", Commentf("feature code: %d", int(f)))
+	}
+	c.Check(known, HasLen, features.NumberOfFeatures())
+}
+
+func (*featureSuite) TestIsExported(c *C) {
+	c.Check(features.Layouts.IsExported(), Equals, false)
+	c.Check(features.ParallelInstances.IsExported(), Equals, false)
+	c.Check(features.Hotplug.IsExported(), Equals, false)
+	c.Check(features.SnapdSnap.IsExported(), Equals, false)
+	c.Check(features.PerUserMountNamespace.IsExported(), Equals, true)
+}
+
+func (*featureSuite) TestIsEnabled(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	defer dirs.SetRootDir("")
+
+	// If the feature file is absent then the feature is disabled.
+	f := features.PerUserMountNamespace
+	c.Check(f.IsEnabled(), Equals, false)
+
+	// If the feature file is a regular file then the feature is enabled.
+	err := os.MkdirAll(dirs.FeaturesDir, 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(filepath.Join(dirs.FeaturesDir, f.String()), nil, 0644)
+	c.Assert(err, IsNil)
+	c.Check(f.IsEnabled(), Equals, true)
+
+	// Features that are not exported cannot be queried.
+	c.Check(features.Layouts.IsEnabled, PanicMatches, `cannot check if feature "layouts" is enabled because that feature is not exported`)
+}
+
+func (*featureSuite) TestIsEnabledWhenUnset(c *C) {
+	c.Check(features.Layouts.IsEnabledWhenUnset(), Equals, true)
+	c.Check(features.ParallelInstances.IsEnabledWhenUnset(), Equals, false)
+	c.Check(features.Hotplug.IsEnabledWhenUnset(), Equals, false)
+	c.Check(features.SnapdSnap.IsEnabledWhenUnset(), Equals, false)
+	c.Check(features.PerUserMountNamespace.IsEnabledWhenUnset(), Equals, false)
+}
+
+func (*featureSuite) TestControlFile(c *C) {
+	c.Check(features.PerUserMountNamespace.ControlFile(), Equals, "/var/lib/snapd/features/per-user-mount-namespace")
+	// Features that are not exported don't have a control file.
+	c.Check(features.Layouts.ControlFile, PanicMatches, `cannot compute the control file of feature "layouts" because that feature is not exported`)
+}
+
+func (*featureSuite) TestConfigOption(c *C) {
+	snapName, configName := features.Layouts.ConfigOption()
+	c.Check(snapName, Equals, "core")
+	c.Check(configName, Equals, "experimental.layouts")
+}
diff -Nru snapd-2.32.3.2~14.04/get-deps.sh snapd-2.37~rc1~14.04/get-deps.sh
--- snapd-2.32.3.2~14.04/get-deps.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/get-deps.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,11 +1,22 @@
 #!/bin/sh
 
-set -eu
+set -e
 
-if ! which govendor >/dev/null;then
+if [ "$GOPATH" = "" ]; then
+    tmpdir=$(mktemp -d)
+    export GOPATH=$tmpdir
+    # shellcheck disable=SC2064
+    trap "rm -rf $tmpdir" EXIT
+
+    mkdir -p "$tmpdir/src/github.com/snapcore/"
+    ln -s "$(pwd)" "$tmpdir/src/github.com/snapcore/snapd"
+    cd "$tmpdir/src/github.com/snapcore/snapd"
+fi
+
+if ! command -v govendor >/dev/null;then
     export PATH="$PATH:${GOPATH%%:*}/bin"
 
-    if ! which govendor >/dev/null;then
+    if ! command -v govendor >/dev/null;then
 	    echo Installing govendor
 	    go get -u github.com/kardianos/govendor
     fi
@@ -14,10 +25,13 @@
 echo Obtaining dependencies
 govendor sync
 
-unused="$(govendor list +unused)"
-if [ "$unused" != "" ]; then
-    echo "Found unused ./vendor packages:"
-    echo "$unused"
-    echo "Please fix via 'govendor remove +unused'"
-    exit 1
+
+if [ "$1" != "--skip-unused-check" ]; then
+    unused="$(govendor list +unused)"
+    if [ "$unused" != "" ]; then
+        echo "Found unused ./vendor packages:"
+        echo "$unused"
+        echo "Please fix via 'govendor remove +unused'"
+        exit 1
+    fi
 fi
diff -Nru snapd-2.32.3.2~14.04/HACKING.md snapd-2.37~rc1~14.04/HACKING.md
--- snapd-2.32.3.2~14.04/HACKING.md	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/HACKING.md	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 # Hacking on snapd
 
-Hacking on snapd is fun and straightfoward. The code is extensively
+Hacking on snapd is fun and straightforward. The code is extensively
 unit tested and we use the [spread](https://github.com/snapcore/spread)
 integration test framework for the integration/system level tests.
 
@@ -105,7 +105,7 @@
 ### Contributing
 
 Contributions are always welcome! Please make sure that you sign the
-Canonical contributor licence agreement at
+Canonical contributor license agreement at
 http://www.ubuntu.com/legal/contributors
 
 Snapd can be found on Github, so in order to fork the source and contribute,
diff -Nru snapd-2.32.3.2~14.04/httputil/client.go snapd-2.37~rc1~14.04/httputil/client.go
--- snapd-2.32.3.2~14.04/httputil/client.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/httputil/client.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,58 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package httputil
+
+import (
+	"crypto/tls"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+type ClientOptions struct {
+	Timeout    time.Duration
+	TLSConfig  *tls.Config
+	MayLogBody bool
+	Proxy      func(*http.Request) (*url.URL, error)
+}
+
+// NewHTTPCLient returns a new http.Client with a LoggedTransport, a
+// Timeout and preservation of range requests across redirects
+func NewHTTPClient(opts *ClientOptions) *http.Client {
+	if opts == nil {
+		opts = &ClientOptions{}
+	}
+
+	transport := newDefaultTransport()
+	transport.TLSClientConfig = opts.TLSConfig
+	if opts.Proxy != nil {
+		transport.Proxy = opts.Proxy
+	}
+
+	return &http.Client{
+		Transport: &LoggedTransport{
+			Transport: transport,
+			Key:       "SNAPD_DEBUG_HTTP",
+			body:      opts.MayLogBody,
+		},
+		Timeout:       opts.Timeout,
+		CheckRedirect: checkRedirect,
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/httputil/client_test.go snapd-2.37~rc1~14.04/httputil/client_test.go
--- snapd-2.32.3.2~14.04/httputil/client_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/httputil/client_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,62 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package httputil_test
+
+import (
+	"net/http"
+	"net/url"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/httputil"
+)
+
+type clientSuite struct{}
+
+var _ = check.Suite(&clientSuite{})
+
+func mustParse(c *check.C, rawurl string) *url.URL {
+	url, err := url.Parse("http://some-proxy:3128")
+	c.Assert(err, check.IsNil)
+	return url
+}
+
+type proxyProvider struct {
+	proxy *url.URL
+}
+
+func (p *proxyProvider) proxyCallback(*http.Request) (*url.URL, error) {
+	return p.proxy, nil
+}
+
+func (s *clientSuite) TestClientOptionsWithProxy(c *check.C) {
+	pp := proxyProvider{proxy: mustParse(c, "http://some-proxy:3128")}
+	cli := httputil.NewHTTPClient(&httputil.ClientOptions{
+		Proxy: pp.proxyCallback,
+	})
+	c.Assert(cli, check.NotNil)
+
+	trans := cli.Transport.(*httputil.LoggedTransport).Transport.(*http.Transport)
+	req, err := http.NewRequest("GET", "http://example.com", nil)
+	c.Check(err, check.IsNil)
+	url, err := trans.Proxy(req)
+	c.Check(err, check.IsNil)
+	c.Check(url.String(), check.Equals, "http://some-proxy:3128")
+}
diff -Nru snapd-2.32.3.2~14.04/httputil/logger.go snapd-2.37~rc1~14.04/httputil/logger.go
--- snapd-2.32.3.2~14.04/httputil/logger.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/httputil/logger.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,13 +20,11 @@
 package httputil
 
 import (
-	"crypto/tls"
 	"errors"
 	"net/http"
 	"net/http/httputil"
 	"os"
 	"strconv"
-	"time"
 
 	"github.com/snapcore/snapd/logger"
 )
@@ -88,33 +86,6 @@
 	return debugflag(flags)
 }
 
-type ClientOpts struct {
-	Timeout    time.Duration
-	TLSConfig  *tls.Config
-	MayLogBody bool
-}
-
-// NewHTTPCLient returns a new http.Client with a LoggedTransport, a
-// Timeout and preservation of range requests across redirects
-func NewHTTPClient(opts *ClientOpts) *http.Client {
-	if opts == nil {
-		opts = &ClientOpts{}
-	}
-
-	transport := newDefaultTransport()
-	transport.TLSClientConfig = opts.TLSConfig
-
-	return &http.Client{
-		Transport: &LoggedTransport{
-			Transport: transport,
-			Key:       "SNAPD_DEBUG_HTTP",
-			body:      opts.MayLogBody,
-		},
-		Timeout:       opts.Timeout,
-		CheckRedirect: checkRedirect,
-	}
-}
-
 func checkRedirect(req *http.Request, via []*http.Request) error {
 	if len(via) > 10 {
 		return errors.New("stopped after 10 redirects")
diff -Nru snapd-2.32.3.2~14.04/httputil/retry.go snapd-2.37~rc1~14.04/httputil/retry.go
--- snapd-2.32.3.2~14.04/httputil/retry.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/httputil/retry.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,6 +26,7 @@
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 	"syscall"
 	"time"
 
@@ -82,11 +83,36 @@
 				logger.Debugf("Retrying because of: %s", opErr)
 				return true
 			}
+			// FIXME: code below is not (unit) tested and
+			// it is unclear if we need it with the new
+			// opErr.Temporary() "if" below
+			if opErr.Op == "dial" {
+				logger.Debugf("Retrying because of: %#v (syscall error: %#v)", opErr, syscallErr.Err)
+				return true
+			}
+			logger.Debugf("Encountered syscall error: %#v", syscallErr)
+		}
+
+		// If we are unable to talk to a DNS go1.9+ will set
+		// opErr.IsTemporary - we also support go1.6 so we need to
+		// add a workaround here. This block can go away once we
+		// use go1.9+ only.
+		if dnsErr, ok := opErr.Err.(*net.DNSError); ok {
+			// The horror, the horror
+			// TODO: stop Arch to use the cgo resolver
+			// which requires the right side of the OR
+			if strings.Contains(dnsErr.Err, "connection refused") || strings.Contains(dnsErr.Err, "Temporary failure in name resolution") {
+				logger.Debugf("Retrying because of temporary net error (DNS): %#v", dnsErr)
+				return true
+			}
 		}
-		if opNetErr, ok := opErr.Err.(net.Error); ok {
-			// TODO: some DNS errors? just log for now
-			logger.Debugf("Not retrying: %#v", opNetErr)
+
+		// Retry for temporary network errors (like dns errors in 1.9+)
+		if opErr.Temporary() {
+			logger.Debugf("Retrying because of temporary net error: %#v", opErr)
+			return true
 		}
+		logger.Debugf("Encountered non temporary net.OpError: %#v", opErr)
 	}
 
 	if err == io.ErrUnexpectedEOF || err == io.EOF {
@@ -94,6 +120,10 @@
 		return true
 	}
 
+	if osutil.GetenvBool("SNAPD_DEBUG") {
+		logger.Debugf("Not retrying: %#v", err)
+	}
+
 	return false
 }
 
@@ -122,6 +152,7 @@
 				if ShouldRetryError(attempt, err) {
 					continue
 				} else {
+					maybeLogRetrySummary(startTime, endpoint, attempt, resp, err)
 					return nil, err
 				}
 			}
diff -Nru snapd-2.32.3.2~14.04/httputil/retry_test.go snapd-2.37~rc1~14.04/httputil/retry_test.go
--- snapd-2.32.3.2~14.04/httputil/retry_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/httputil/retry_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,8 +21,8 @@
 
 import (
 	"encoding/json"
-	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"time"
@@ -361,7 +361,7 @@
 
 	defer close(finished)
 
-	cli := httputil.NewHTTPClient(&httputil.ClientOpts{
+	cli := httputil.NewHTTPClient(&httputil.ClientOptions{
 		Timeout: 50 * time.Millisecond,
 	})
 
@@ -403,9 +403,7 @@
 	c.Assert(somewhatBrokenSrvCalls, Equals, 3)
 }
 
-func (s *retrySuite) TestRetryRequestFailOnDNS(c *C) {
-	// TODO: retry some types of DNS errors?
-
+func (s *retrySuite) TestRetryDoesNotFailForPermanentDNSErrors(c *C) {
 	url := "http://nonexistingserver909123.com/"
 
 	cli := httputil.NewHTTPClient(nil)
@@ -416,14 +414,50 @@
 		return cli.Get(url)
 	}
 
-	var got interface{}
 	readResponseBody := func(resp *http.Response) error {
-		if resp.StatusCode >= 500 {
-			return fmt.Errorf("proxy error")
+		return nil
+	}
+
+	_, err := httputil.RetryRequest("endp", doRequest, readResponseBody, testRetryStrategy)
+	c.Assert(err, NotNil)
+	// we try exactly once, a non-existing server is a permanent error
+	c.Assert(n, Equals, 1)
+}
+
+func (s *retrySuite) TestRetryOnTemporaryDNSfailure(c *C) {
+	n := 0
+	doRequest := func() (*http.Response, error) {
+		n++
+		return nil, &net.OpError{
+			Op:  "dial",
+			Net: "tcp",
+			Err: &net.DNSError{IsTemporary: true},
 		}
-		return json.NewDecoder(resp.Body).Decode(&got)
 	}
+	readResponseBody := func(resp *http.Response) error {
+		return nil
+	}
+	_, err := httputil.RetryRequest("endp", doRequest, readResponseBody, testRetryStrategy)
+	c.Assert(err, NotNil)
+	c.Assert(n > 1, Equals, true, Commentf("%v not > 1", n))
+}
 
+func (s *retrySuite) TestRetryOnTemporaryDNSfailureNotGo19(c *C) {
+	n := 0
+	doRequest := func() (*http.Response, error) {
+		n++
+		return nil, &net.OpError{
+			Op:  "dial",
+			Net: "tcp",
+			Err: &net.DNSError{
+				Err: "[::1]:42463->[::1]:53: read: connection refused",
+			},
+		}
+	}
+	readResponseBody := func(resp *http.Response) error {
+		return nil
+	}
 	_, err := httputil.RetryRequest("endp", doRequest, readResponseBody, testRetryStrategy)
 	c.Assert(err, NotNil)
+	c.Assert(n > 1, Equals, true, Commentf("%v not > 1", n))
 }
diff -Nru snapd-2.32.3.2~14.04/httputil/useragent.go snapd-2.37~rc1~14.04/httputil/useragent.go
--- snapd-2.32.3.2~14.04/httputil/useragent.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/httputil/useragent.go	2019-01-16 08:36:51.000000000 +0000
@@ -58,13 +58,14 @@
 		extraProdStr = " " + strings.Join(extraProds, " ")
 	}
 	origUserAgent := userAgent
+
 	// xxx this assumes ReleaseInfo's ID and VersionID don't have weird characters
 	// (see rfc 7231 for values of weird)
 	// assumption checks out in practice, q.v. https://github.com/zyga/os-release-zoo
 	userAgent = fmt.Sprintf("snapd/%v (%s)%s %s/%s (%s) linux/%s", version,
 		strings.Join(extras, "; "), extraProdStr, release.ReleaseInfo.ID,
 		release.ReleaseInfo.VersionID, string(arch.UbuntuArchitecture()),
-		sanitizeKernelVersion(release.KernelVersion()))
+		sanitizeKernelVersion(osutil.KernelVersion()))
 	return func() {
 		userAgent = origUserAgent
 	}
diff -Nru snapd-2.32.3.2~14.04/i18n/i18n.go snapd-2.37~rc1~14.04/i18n/i18n.go
--- snapd-2.32.3.2~14.04/i18n/i18n.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/i18n/i18n.go	2019-01-16 08:36:51.000000000 +0000
@@ -100,7 +100,20 @@
 	return locale.Gettext(msgid)
 }
 
+// https://www.gnu.org/software/gettext/manual/html_node/Plural-forms.html
+// (search for 1000)
+func ngn(d int) uint32 {
+	const max = 1000000
+	if d < 0 {
+		d = -d
+	}
+	if d > max {
+		return uint32((d % max) + max)
+	}
+	return uint32(d)
+}
+
 // NG is the shorthand for NGettext
-func NG(msgid string, msgidPlural string, n uint32) string {
-	return locale.NGettext(msgid, msgidPlural, n)
+func NG(msgid string, msgidPlural string, n int) string {
+	return locale.NGettext(msgid, msgidPlural, ngn(n))
 }
diff -Nru snapd-2.32.3.2~14.04/i18n/xgettext-go/main.go snapd-2.37~rc1~14.04/i18n/xgettext-go/main.go
--- snapd-2.32.3.2~14.04/i18n/xgettext-go/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/i18n/xgettext-go/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"bytes"
 	"fmt"
 	"go/ast"
 	"go/parser"
@@ -172,13 +173,13 @@
 func processSingleGoSource(fset *token.FileSet, fname string) error {
 	fnameContent, err := ioutil.ReadFile(fname)
 	if err != nil {
-		panic(err)
+		return err
 	}
 
 	// Create the AST by parsing src.
 	f, err := parser.ParseFile(fset, fname, fnameContent, parser.ParseComments)
 	if err != nil {
-		panic(err)
+		return err
 	}
 
 	ast.Inspect(f, func(n ast.Node) bool {
@@ -192,6 +193,15 @@
 	return time.Now().Format("2006-01-02 15:04-0700")
 }
 
+// mustFprintf will write the given format string to the given
+// writer. Any error will make it panic.
+func mustFprintf(w io.Writer, format string, a ...interface{}) {
+	_, err := fmt.Fprintf(w, format, a...)
+	if err != nil {
+		panic(fmt.Sprintf("cannot write output: %v", err))
+	}
+}
+
 func writePotFile(out io.Writer) {
 
 	header := fmt.Sprintf(`# SOME DESCRIPTIVE TITLE.
@@ -213,7 +223,7 @@
         "Content-Transfer-Encoding: 8bit\n"
 
 `, opts.PackageName, opts.MsgIDBugsAddress, formatTime())
-	fmt.Fprintf(out, "%s", header)
+	mustFprintf(out, "%s", header)
 
 	// yes, this is the way to do it in go
 	sortedKeys := []string{}
@@ -229,19 +239,19 @@
 		msgidList := msgIDs[k]
 		for _, msgid := range msgidList {
 			if opts.AddComments || opts.AddCommentsTag != "" {
-				fmt.Fprintf(out, "%s", msgid.comment)
+				mustFprintf(out, "%s", msgid.comment)
 			}
 		}
 		if !opts.NoLocation {
-			fmt.Fprintf(out, "#:")
+			mustFprintf(out, "#:")
 			for _, msgid := range msgidList {
-				fmt.Fprintf(out, " %s:%d", msgid.fname, msgid.line)
+				mustFprintf(out, " %s:%d", msgid.fname, msgid.line)
 			}
-			fmt.Fprintf(out, "\n")
+			mustFprintf(out, "\n")
 		}
 		msgid := msgidList[0]
 		if msgid.formatHint != "" {
-			fmt.Fprintf(out, "#, %s\n", msgid.formatHint)
+			mustFprintf(out, "#, %s\n", msgid.formatHint)
 		}
 		var formatOutput = func(in string) string {
 			// split string with \n into multiple lines
@@ -250,21 +260,23 @@
 			// cleanup too aggressive splitting (empty "" lines)
 			return strings.TrimSuffix(out, "\"\n        \"")
 		}
-		fmt.Fprintf(out, "msgid   \"%v\"\n", formatOutput(k))
+		mustFprintf(out, "msgid   \"%v\"\n", formatOutput(k))
 		if msgid.msgidPlural != "" {
-			fmt.Fprintf(out, "msgid_plural   \"%v\"\n", formatOutput(msgid.msgidPlural))
-			fmt.Fprintf(out, "msgstr[0]  \"\"\n")
-			fmt.Fprintf(out, "msgstr[1]  \"\"\n")
+			mustFprintf(out, "msgid_plural   \"%v\"\n", formatOutput(msgid.msgidPlural))
+			mustFprintf(out, "msgstr[0]  \"\"\n")
+			mustFprintf(out, "msgstr[1]  \"\"\n")
 		} else {
-			fmt.Fprintf(out, "msgstr  \"\"\n")
+			mustFprintf(out, "msgstr  \"\"\n")
 		}
-		fmt.Fprintf(out, "\n")
+		mustFprintf(out, "\n")
 	}
 
 }
 
 // FIXME: this must be setable via go-flags
 var opts struct {
+	FilesFrom string `short:"f" long:"files-from" description:"get list of input files from FILE"`
+
 	Output string `short:"o" long:"output" description:"output to specified file"`
 
 	AddComments bool `short:"c" long:"add-comments" description:"place all comment blocks preceding keyword lines in output file"`
@@ -290,7 +302,18 @@
 		log.Fatalf("ParseArgs failed %s", err)
 	}
 
-	if err := processFiles(args[1:]); err != nil {
+	var files []string
+	if opts.FilesFrom != "" {
+		content, err := ioutil.ReadFile(opts.FilesFrom)
+		if err != nil {
+			log.Fatalf("cannot read file %v: %v", opts.FilesFrom, err)
+		}
+		content = bytes.TrimSpace(content)
+		files = strings.Split(string(content), "\n")
+	} else {
+		files = args[1:]
+	}
+	if err := processFiles(files); err != nil {
 		log.Fatalf("processFiles failed with: %s", err)
 	}
 
diff -Nru snapd-2.32.3.2~14.04/i18n/xgettext-go/main_test.go snapd-2.37~rc1~14.04/i18n/xgettext-go/main_test.go
--- snapd-2.32.3.2~14.04/i18n/xgettext-go/main_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/i18n/xgettext-go/main_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -33,7 +33,7 @@
 )
 
 // Hook up check.v1 into the "go test" runner
-func Test(t *testing.T) { TestingT(t) }
+func TestT(t *testing.T) { TestingT(t) }
 
 type xgettextTestSuite struct {
 }
diff -Nru snapd-2.32.3.2~14.04/image/export_test.go snapd-2.37~rc1~14.04/image/export_test.go
--- snapd-2.32.3.2~14.04/image/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/image/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -38,3 +38,11 @@
 func (tsto *ToolingStore) User() *auth.UserState {
 	return tsto.user
 }
+
+func (ls *localInfos) NameToPath() map[string]string {
+	return ls.nameToPath
+}
+
+func ToolingAuthContext() auth.AuthContext {
+	return toolingAuthContext{}
+}
diff -Nru snapd-2.32.3.2~14.04/image/helpers.go snapd-2.37~rc1~14.04/image/helpers.go
--- snapd-2.32.3.2~14.04/image/helpers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/image/helpers.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,6 +27,7 @@
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"net/url"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -48,8 +49,8 @@
 
 // A Store can find metadata on snaps, download snaps and fetch assertions.
 type Store interface {
-	SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error)
-	Download(ctx context.Context, name, targetFn string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState) error
+	SnapAction(context.Context, []*store.CurrentSnap, []*store.SnapAction, *auth.UserState, *store.RefreshOptions) ([]*snap.Info, error)
+	Download(ctx context.Context, name, targetFn string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState, dlOpts *store.DownloadOptions) error
 
 	Assertion(assertType *asserts.AssertionType, primaryKey []string, user *auth.UserState) (asserts.Assertion, error)
 }
@@ -72,7 +73,7 @@
 			return nil, err
 		}
 	}
-	sto := store.New(cfg, nil)
+	sto := store.New(cfg, toolingAuthContext{})
 	return &ToolingStore{
 		sto:  sto,
 		user: user,
@@ -154,6 +155,40 @@
 	}, nil
 }
 
+// toolingAuthContext implements trivially auth.AuthContext except
+// implementing UpdateUserAuth properly to be used to refresh a
+// soft-expired user macaroon.
+type toolingAuthContext struct{}
+
+func (tac toolingAuthContext) CloudInfo() (*auth.CloudInfo, error) {
+	return nil, nil
+}
+
+func (tac toolingAuthContext) Device() (*auth.DeviceState, error) {
+	return &auth.DeviceState{}, nil
+}
+
+func (tac toolingAuthContext) DeviceSessionRequestParams(_ string) (*auth.DeviceSessionRequestParams, error) {
+	return nil, auth.ErrNoSerial
+}
+
+func (tac toolingAuthContext) ProxyStoreParams(defaultURL *url.URL) (proxyStoreID string, proxySroreURL *url.URL, err error) {
+	return "", defaultURL, nil
+}
+
+func (tac toolingAuthContext) StoreID(fallback string) (string, error) {
+	return fallback, nil
+}
+
+func (tac toolingAuthContext) UpdateDeviceAuth(_ *auth.DeviceState, newSessionMacaroon string) (*auth.DeviceState, error) {
+	return nil, fmt.Errorf("internal error: no device state in tools")
+}
+
+func (tac toolingAuthContext) UpdateUserAuth(user *auth.UserState, discharges []string) (*auth.UserState, error) {
+	user.StoreDischarges = discharges
+	return user, nil
+}
+
 func NewToolingStoreFromModel(model *asserts.Model) (*ToolingStore, error) {
 	return newToolingStore(model.Architecture(), model.Store())
 }
@@ -186,15 +221,24 @@
 		targetDir = pwd
 	}
 
-	spec := store.SnapSpec{
-		Name:     name,
-		Channel:  opts.Channel,
-		Revision: revision,
+	logger.Debugf("Going to download snap %q (%s) from channel %q to %q.", name, revision, opts.Channel, opts.TargetDir)
+
+	actions := []*store.SnapAction{{
+		Action:       "download",
+		InstanceName: name,
+		Revision:     revision,
+	}}
+
+	if revision.Unset() {
+		actions[0].Channel = opts.Channel
 	}
-	snap, err := sto.SnapInfo(spec, tsto.user)
+
+	snaps, err := sto.SnapAction(context.TODO(), nil, actions, tsto.user, nil)
 	if err != nil {
-		return "", nil, fmt.Errorf("cannot find snap %q: %v", name, err)
+		// err will be 'cannot download snap "foo": <reasons>'
+		return "", nil, err
 	}
+	snap := snaps[0]
 
 	baseName := filepath.Base(snap.MountFile())
 	targetFn = filepath.Join(targetDir, baseName)
@@ -206,6 +250,7 @@
 			logger.Debugf("not downloading, using existing file %s", targetFn)
 			return targetFn, snap, nil
 		}
+		logger.Debugf("File exists but has wrong hash, ignoring (here).")
 	}
 
 	pb := progress.MakeProgressBar()
@@ -220,7 +265,7 @@
 		os.Exit(1)
 	}()
 
-	if err = sto.Download(context.TODO(), name, targetFn, &snap.DownloadInfo, pb, tsto.user); err != nil {
+	if err = sto.Download(context.TODO(), name, targetFn, &snap.DownloadInfo, pb, tsto.user, nil); err != nil {
 		return "", nil, err
 	}
 
@@ -261,7 +306,7 @@
 	}
 
 	// cross checks
-	if err := snapasserts.CrossCheck(info.Name(), sha3_384, size, &info.SideInfo, db); err != nil {
+	if err := snapasserts.CrossCheck(info.InstanceName(), sha3_384, size, &info.SideInfo, db); err != nil {
 		return nil, err
 	}
 
@@ -270,7 +315,7 @@
 		"snap-id": info.SnapID,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("internal error: lost snap declaration for %q: %v", info.Name(), err)
+		return nil, fmt.Errorf("internal error: lost snap declaration for %q: %v", info.InstanceName(), err)
 	}
 	return a.(*asserts.SnapDeclaration), nil
 }
diff -Nru snapd-2.32.3.2~14.04/image/image.go snapd-2.37~rc1~14.04/image/image.go
--- snapd-2.32.3.2~14.04/image/image.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/image/image.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,7 +24,6 @@
 	"io"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -63,7 +62,7 @@
 
 func (li *localInfos) Name(pathOrName string) string {
 	if info := li.pathToInfo[pathOrName]; info != nil {
-		return info.Name()
+		return info.InstanceName()
 	}
 	return pathOrName
 }
@@ -86,33 +85,49 @@
 	return nil
 }
 
+// hasName returns true if the given "snapName" is found within the
+// list of snap names or paths.
+func (li *localInfos) hasName(snaps []string, snapName string) bool {
+	for _, snapNameOrPath := range snaps {
+		if li.Name(snapNameOrPath) == snapName {
+			return true
+		}
+	}
+	return false
+}
+
 func localSnaps(tsto *ToolingStore, opts *Options) (*localInfos, error) {
 	local := make(map[string]*snap.Info)
 	nameToPath := make(map[string]string)
 	for _, snapName := range opts.Snaps {
-		if strings.HasSuffix(snapName, ".snap") && osutil.FileExists(snapName) {
-			snapFile, err := snap.Open(snapName)
-			if err != nil {
-				return nil, err
-			}
-			info, err := snap.ReadInfoFromSnapFile(snapFile, nil)
-			if err != nil {
-				return nil, err
-			}
-			// local snap gets local revision
-			info.Revision = snap.R(-1)
-			nameToPath[info.Name()] = snapName
-			local[snapName] = info
-
-			si, err := snapasserts.DeriveSideInfo(snapName, tsto)
-			if err != nil && !asserts.IsNotFound(err) {
-				return nil, err
-			}
-			if err == nil {
-				info.SnapID = si.SnapID
-				info.Revision = si.Revision
-				info.Channel = opts.Channel
-			}
+		if !strings.HasSuffix(snapName, ".snap") {
+			continue
+		}
+
+		if !osutil.FileExists(snapName) {
+			return nil, fmt.Errorf("local snap %s not found", snapName)
+		}
+
+		snapFile, err := snap.Open(snapName)
+		if err != nil {
+			return nil, err
+		}
+		info, err := snap.ReadInfoFromSnapFile(snapFile, nil)
+		if err != nil {
+			return nil, err
+		}
+		// local snap gets local revision
+		info.Revision = snap.R(-1)
+		nameToPath[info.InstanceName()] = snapName
+		local[snapName] = info
+
+		si, err := snapasserts.DeriveSideInfo(snapName, tsto)
+		if err != nil && !asserts.IsNotFound(err) {
+			return nil, err
+		}
+		if err == nil {
+			info.SnapID = si.SnapID
+			info.Revision = si.Revision
 		}
 	}
 	return &localInfos{
@@ -121,12 +136,44 @@
 	}, nil
 }
 
+func validateSnapNames(snaps []string) error {
+	for _, snapName := range snaps {
+		if _, instanceKey := snap.SplitInstanceName(snapName); instanceKey != "" {
+			// be specific about this error
+			return fmt.Errorf("cannot use snap %q, parallel snap instances are unsupported", snapName)
+		}
+		if err := snap.ValidateName(snapName); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// validateNonLocalSnaps raises an error when snaps that would be pulled from
+// the store use an instance key in their names
+func validateNonLocalSnaps(snaps []string) error {
+	nonLocalSnaps := make([]string, 0, len(snaps))
+	for _, snapName := range snaps {
+		if !strings.HasSuffix(snapName, ".snap") {
+			nonLocalSnaps = append(nonLocalSnaps, snapName)
+		}
+	}
+	return validateSnapNames(nonLocalSnaps)
+}
+
 func Prepare(opts *Options) error {
 	model, err := decodeModelAssertion(opts)
 	if err != nil {
 		return err
 	}
 
+	if err := validateNonLocalSnaps(opts.Snaps); err != nil {
+		return err
+	}
+	if _, err := snap.ParseChannel(opts.Channel, ""); err != nil {
+		return fmt.Errorf("cannot use channel: %v", err)
+	}
+
 	// TODO: might make sense to support this later
 	if model.Classic() {
 		return fmt.Errorf("cannot prepare image of a classic model")
@@ -193,6 +240,13 @@
 		TargetDir: opts.GadgetUnpackDir,
 		Channel:   opts.Channel,
 	}
+	if model.GadgetTrack() != "" {
+		gch, err := makeChannelFromTrack("gadget", model.GadgetTrack(), opts.Channel)
+		if err != nil {
+			return err
+		}
+		dlOpts.Channel = gch
+	}
 	snapFn, _, err := acquireSnap(tsto, model.Gadget(), dlOpts, local)
 	if err != nil {
 		return err
@@ -233,21 +287,20 @@
 }
 
 func installCloudConfig(gadgetDir string) error {
-	var err error
+	cloudConfig := filepath.Join(gadgetDir, "cloud.conf")
+	if !osutil.FileExists(cloudConfig) {
+		return nil
+	}
 
 	cloudDir := filepath.Join(dirs.GlobalRootDir, "/etc/cloud")
 	if err := os.MkdirAll(cloudDir, 0755); err != nil {
 		return err
 	}
-
-	cloudConfig := filepath.Join(gadgetDir, "cloud.conf")
-	if osutil.FileExists(cloudConfig) {
-		dst := filepath.Join(cloudDir, "cloud.cfg")
-		err = osutil.CopyFile(cloudConfig, dst, osutil.CopyFlagOverwrite)
-	}
-	return err
+	dst := filepath.Join(cloudDir, "cloud.cfg")
+	return osutil.CopyFile(cloudConfig, dst, osutil.CopyFlagOverwrite)
 }
 
+// defaultCore is used if no base is specified by the model
 const defaultCore = "core"
 
 var trusted = sysdb.Trusted()
@@ -260,6 +313,36 @@
 	}
 }
 
+func makeChannelFromTrack(what, track, defaultChannel string) (string, error) {
+	errPrefix := fmt.Sprintf("cannot use track %q for %s from model assertion", track, what)
+	mch, err := snap.ParseChannel(track, "")
+	if err != nil {
+		return "", fmt.Errorf("%s: %v", errPrefix, err)
+	}
+	if defaultChannel != "" {
+		dch, err := snap.ParseChannel(defaultChannel, "")
+		if err != nil {
+			return "", fmt.Errorf("internal error: cannot parse channel %q", defaultChannel)
+		}
+		mch.Risk = dch.Risk
+	}
+	return mch.Clean().String(), nil
+}
+
+// neededDefaultProviders returns the names of all default-providers for
+// the content plugs that the given snap.Info needs.
+func neededDefaultProviders(info *snap.Info) (cps []string) {
+	for _, plug := range info.Plugs {
+		if plug.Interface == "content" {
+			var dprovider string
+			if err := plug.Attr("default-provider", &dprovider); err == nil && dprovider != "" {
+				cps = append(cps, dprovider)
+			}
+		}
+	}
+	return cps
+}
+
 func bootstrapToRootDir(tsto *ToolingStore, model *asserts.Model, opts *Options, local *localInfos) error {
 	// FIXME: try to avoid doing this
 	if opts.RootDir != "" {
@@ -271,6 +354,9 @@
 	if osutil.FileExists(dirs.SnapStateFile) {
 		return fmt.Errorf("cannot bootstrap over existing system")
 	}
+	if snaps, _ := filepath.Glob(filepath.Join(dirs.SnapBlobDir, "*.snap")); len(snaps) > 0 {
+		return fmt.Errorf("need an empty snap dir in rootdir, got: %v", snaps)
+	}
 
 	// TODO: developer database in home or use snapd (but need
 	// a bit more API there, potential issues when crossing stores/series)
@@ -299,20 +385,34 @@
 
 	snapSeedDir := filepath.Join(dirs.SnapSeedDir, "snaps")
 	assertSeedDir := filepath.Join(dirs.SnapSeedDir, "assertions")
-	dlOpts := &DownloadOptions{
-		TargetDir: snapSeedDir,
-		Channel:   opts.Channel,
-	}
-
 	for _, d := range []string{snapSeedDir, assertSeedDir} {
 		if err := os.MkdirAll(d, 0755); err != nil {
 			return err
 		}
 	}
 
+	baseName := defaultCore
+	if model.Base() != "" {
+		baseName = model.Base()
+	}
+
 	snaps := []string{}
-	// core,kernel,gadget first
-	snaps = append(snaps, local.PreferLocal(defaultCore))
+	// always add an implicit snapd first when a base is used
+	if model.Base() != "" {
+		snaps = append(snaps, "snapd")
+		// TODO: once we order snaps by what they need this
+		//       can go aways
+		// Here we ensure that "core" is seeded very early
+		// when bases are in use. This fixes the issue
+		// that when people use model assertions with
+		// required snaps like bluez which at this point
+		// still requires core will hang forever in seeding.
+		if strutil.ListContains(opts.Snaps, "core") {
+			snaps = append(snaps, "core")
+		}
+	}
+	// core/base,kernel,gadget first
+	snaps = append(snaps, local.PreferLocal(baseName))
 	snaps = append(snaps, local.PreferLocal(model.Kernel()))
 	snaps = append(snaps, local.PreferLocal(model.Gadget()))
 	// then required and the user requested stuff
@@ -323,7 +423,7 @@
 
 	seen := make(map[string]bool)
 	var locals []string
-	downloadedSnapsInfo := map[string]*snap.Info{}
+	downloadedSnapsInfoForBootConfig := map[string]*snap.Info{}
 	var seedYaml snap.Seed
 	for _, snapName := range snaps {
 		name := local.Name(snapName)
@@ -338,10 +438,45 @@
 			fmt.Fprintf(Stdout, "Fetching %s\n", snapName)
 		}
 
+		snapChannel := opts.Channel
+		if name == model.Kernel() && model.KernelTrack() != "" {
+			kch, err := makeChannelFromTrack("kernel", model.KernelTrack(), opts.Channel)
+			if err != nil {
+				return err
+			}
+			snapChannel = kch
+		}
+		if name == model.Gadget() && model.GadgetTrack() != "" {
+			gch, err := makeChannelFromTrack("gadget", model.GadgetTrack(), opts.Channel)
+			if err != nil {
+				return err
+			}
+			snapChannel = gch
+		}
+		dlOpts := &DownloadOptions{
+			TargetDir: snapSeedDir,
+			Channel:   snapChannel,
+		}
+
 		fn, info, err := acquireSnap(tsto, name, dlOpts, local)
 		if err != nil {
 			return err
 		}
+		// Sanity check, note that we could support this case
+		// if we have a use-case but it requires changes in the
+		// devicestate/firstboot.go ordering code.
+		if info.Type == snap.TypeGadget && info.Base != model.Base() {
+			return fmt.Errorf("cannot use gadget snap because its base %q is different from model base %q", info.Base, model.Base())
+		}
+		if info.Base != "" && !local.hasName(snaps, info.Base) {
+			return fmt.Errorf("cannot add snap %q without also adding its base %q explicitly", name, info.Base)
+		}
+		// warn about missing default providers
+		for _, dp := range neededDefaultProviders(info) {
+			if !local.hasName(snaps, dp) {
+				fmt.Fprintf(Stderr, "WARNING: the default content provider %q requested by snap %q is not getting installed.", dp, info.InstanceName())
+			}
+		}
 
 		seen[name] = true
 		typ := info.Type
@@ -368,24 +503,32 @@
 			}
 		} else {
 			locals = append(locals, name)
+			// local snaps have no channel
+			snapChannel = ""
 		}
 
-		// kernel/os are required for booting
-		if typ == snap.TypeKernel || typ == snap.TypeOS {
+		// kernel/os/model.base are required for booting
+		if typ == snap.TypeKernel || local.Name(snapName) == baseName {
 			dst := filepath.Join(dirs.SnapBlobDir, filepath.Base(fn))
-			if err := osutil.CopyFile(fn, dst, 0); err != nil {
+			// construct a relative symlink from the blob dir
+			// to the seed file
+			relSymlink, err := filepath.Rel(dirs.SnapBlobDir, fn)
+			if err != nil {
+				return fmt.Errorf("cannot build symlink: %v", err)
+			}
+			if err := os.Symlink(relSymlink, dst); err != nil {
 				return err
 			}
-			// store the snap.Info for kernel/os so
+			// store the snap.Info for kernel/os/base so
 			// that the bootload can DTRT
-			downloadedSnapsInfo[dst] = info
+			downloadedSnapsInfoForBootConfig[dst] = info
 		}
 
 		// set seed.yaml
 		seedYaml.Snaps = append(seedYaml.Snaps, &snap.SeedSnap{
-			Name:    info.Name(),
+			Name:    info.InstanceName(),
 			SnapID:  info.SnapID, // cross-ref
-			Channel: info.Channel,
+			Channel: snapChannel,
 			File:    filepath.Base(fn),
 			DevMode: info.NeedsDevMode(),
 			Contact: info.Contact,
@@ -397,6 +540,16 @@
 		fmt.Fprintf(Stderr, "WARNING: %s were installed from local snaps disconnected from a store and cannot be refreshed subsequently!\n", strutil.Quoted(locals))
 	}
 
+	// fetch device store assertion (and prereqs) if available
+	if model.Store() != "" {
+		err := snapasserts.FetchStore(f, model.Store())
+		if err != nil {
+			if nfe, ok := err.(*asserts.NotFoundError); !ok || nfe.Type != asserts.StoreType {
+				return err
+			}
+		}
+	}
+
 	for _, aRef := range f.addedRefs {
 		var afn string
 		// the names don't matter in practice as long as they don't conflict
@@ -427,7 +580,7 @@
 		return err
 	}
 
-	if err := setBootvars(downloadedSnapsInfo); err != nil {
+	if err := setBootvars(downloadedSnapsInfoForBootConfig, model); err != nil {
 		return err
 	}
 
@@ -439,10 +592,14 @@
 	return nil
 }
 
-func setBootvars(downloadedSnapsInfo map[string]*snap.Info) error {
+func setBootvars(downloadedSnapsInfoForBootConfig map[string]*snap.Info, model *asserts.Model) error {
+	if len(downloadedSnapsInfoForBootConfig) != 2 {
+		return fmt.Errorf("setBootvars can only be called with exactly one kernel and exactly one core/base boot info: %v", downloadedSnapsInfoForBootConfig)
+	}
+
 	// Set bootvars for kernel/core snaps so the system boots and
 	// does the first-time initialization. There is also no
-	// mounted kernel/core snap, but just the blobs.
+	// mounted kernel/core/base snap, but just the blobs.
 	bootloader, err := partition.FindBootloader()
 	if err != nil {
 		return fmt.Errorf("cannot set kernel/core boot variables: %s", err)
@@ -458,12 +615,25 @@
 		"snap_try_core":   "",
 		"snap_try_kernel": "",
 	}
+	if model.DisplayName() != "" {
+		m["snap_menuentry"] = model.DisplayName()
+	}
+
 	for _, fn := range snaps {
 		bootvar := ""
 
-		info := downloadedSnapsInfo[fn]
+		info := downloadedSnapsInfoForBootConfig[fn]
+		if info == nil {
+			// this should never happen, if it does print some
+			// debug info
+			keys := make([]string, 0, len(downloadedSnapsInfoForBootConfig))
+			for k := range downloadedSnapsInfoForBootConfig {
+				keys = append(keys, k)
+			}
+			return fmt.Errorf("cannot get download info for snap %s, available infos: %v", fn, keys)
+		}
 		switch info.Type {
-		case snap.TypeOS:
+		case snap.TypeOS, snap.TypeBase:
 			bootvar = "snap_core"
 		case snap.TypeKernel:
 			bootvar = "snap_kernel"
@@ -484,14 +654,6 @@
 	return nil
 }
 
-func runCommand(cmdStr ...string) error {
-	cmd := exec.Command(cmdStr[0], cmdStr[1:]...)
-	if output, err := cmd.CombinedOutput(); err != nil {
-		return fmt.Errorf("cannot run %v: %s", cmdStr, osutil.OutputErr(output, err))
-	}
-	return nil
-}
-
 func extractKernelAssets(snapPath string, info *snap.Info) error {
 	snapf, err := snap.Open(snapPath)
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/image/image_test.go snapd-2.37~rc1~14.04/image/image_test.go
--- snapd-2.32.3.2~14.04/image/image_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/image/image_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"bytes"
 	"fmt"
 	"io/ioutil"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -49,11 +50,11 @@
 
 type emptyStore struct{}
 
-func (s *emptyStore) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
+func (s *emptyStore) SnapAction(context.Context, []*store.CurrentSnap, []*store.SnapAction, *auth.UserState, *store.RefreshOptions) ([]*snap.Info, error) {
 	return nil, fmt.Errorf("cannot find snap")
 }
 
-func (s *emptyStore) Download(ctx context.Context, name, targetFn string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState) error {
+func (s *emptyStore) Download(ctx context.Context, name, targetFn string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState, dlOpts *store.DownloadOptions) error {
 	return fmt.Errorf("cannot download")
 }
 
@@ -73,6 +74,7 @@
 
 	downloadedSnaps map[string]string
 	storeSnapInfo   map[string]*snap.Info
+	storeActions    []*store.SnapAction
 	tsto            *image.ToolingStore
 
 	storeSigning *assertstest.StoreStack
@@ -106,7 +108,7 @@
 
 	brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
 		"account-id":   "my-brand",
-		"verification": "certified",
+		"verification": "verified",
 	}, "")
 	s.storeSigning.Add(brandAcct)
 
@@ -118,6 +120,7 @@
 		"authority-id":   "my-brand",
 		"brand-id":       "my-brand",
 		"model":          "my-model",
+		"display-name":   "my display name",
 		"architecture":   "amd64",
 		"gadget":         "pc",
 		"kernel":         "pc-kernel",
@@ -131,6 +134,12 @@
 		"account-id": "other",
 	}, "")
 	s.storeSigning.Add(otherAcct)
+
+	// mock the mount cmds (for the extract kernel assets stuff)
+	c1 := testutil.MockCommand(c, "mount", "")
+	s.AddCleanup(c1.Restore)
+	c2 := testutil.MockCommand(c, "umount", "")
+	s.AddCleanup(c2.Restore)
 }
 
 func (s *imageSuite) addSystemSnapAssertions(c *C, snapName string, publisher string) {
@@ -167,14 +176,33 @@
 	partition.ForceBootloader(nil)
 	image.Stdout = os.Stdout
 	image.Stderr = os.Stderr
+	s.storeActions = nil
 }
 
 // interface for the store
-func (s *imageSuite) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
-	return s.storeSnapInfo[spec.Name], nil
+func (s *imageSuite) SnapAction(_ context.Context, _ []*store.CurrentSnap, actions []*store.SnapAction, _ *auth.UserState, _ *store.RefreshOptions) ([]*snap.Info, error) {
+	if len(actions) != 1 {
+		return nil, fmt.Errorf("expected 1 action, got %d", len(actions))
+	}
+
+	if actions[0].Action != "download" {
+		return nil, fmt.Errorf("unexpected action %q", actions[0].Action)
+	}
+
+	if _, instanceKey := snap.SplitInstanceName(actions[0].InstanceName); instanceKey != "" {
+		return nil, fmt.Errorf("unexpected instance key in %q", actions[0].InstanceName)
+	}
+	// record
+	s.storeActions = append(s.storeActions, actions[0])
+
+	if info, ok := s.storeSnapInfo[actions[0].InstanceName]; ok {
+		info.Channel = actions[0].Channel
+		return []*snap.Info{info}, nil
+	}
+	return nil, fmt.Errorf("no %q in the fake store", actions[0].InstanceName)
 }
 
-func (s *imageSuite) Download(ctx context.Context, name, targetFn string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState) error {
+func (s *imageSuite) Download(ctx context.Context, name, targetFn string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState, dlOpts *store.DownloadOptions) error {
 	return osutil.CopyFile(s.downloadedSnaps[name], targetFn, 0)
 }
 
@@ -189,6 +217,13 @@
 type: gadget
 `
 
+const packageGadgetWithBase = `
+name: pc18
+version: 1.0
+type: gadget
+base: core18
+`
+
 const packageKernel = `
 name: pc-kernel
 version: 4.4-1
@@ -201,6 +236,24 @@
 type: os
 `
 
+const packageCore18 = `
+name: core18
+version: 18.04
+type: base
+`
+
+const snapdSnap = `
+name: snapd
+version: 3.14
+type: application
+`
+
+const otherBase = `
+name: other-base
+version: 2.5029
+type: base
+`
+
 const devmodeSnap = `
 name: devmode-snap
 version: 1.0
@@ -213,6 +266,22 @@
 version: 1.0
 `
 
+const snapReqOtherBase = `
+name: snap-req-other-base
+version: 1.0
+base: other-base
+`
+
+const snapReqContentProvider = `
+name: snap-req-content-provider
+version: 1.0
+plugs:
+ gtk-3-themes:
+  interface: content
+  default-provider: gtk-common-themes
+  target: $SNAP/data-dir/themes
+`
+
 func (s *imageSuite) TestMissingModelAssertions(c *C) {
 	_, err := image.DecodeModelAssertion(&image.Options{})
 	c.Assert(err, ErrorMatches, "cannot read model assertion: open : no such file or directory")
@@ -285,6 +354,105 @@
 	}
 }
 
+func (s *imageSuite) TestModelAssertionNoParallelInstancesOfSnaps(c *C) {
+	const mod = `type: model
+authority-id: brand
+series: 16
+brand-id: brand
+model: baz-3000
+architecture: armhf
+gadget: brand-gadget
+kernel: kernel
+required-snaps:
+  - foo_instance
+timestamp: 2016-01-02T10:00:00-05:00
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==
+`
+
+	fn := filepath.Join(c.MkDir(), "model.assertion")
+	err := ioutil.WriteFile(fn, []byte(mod), 0644)
+	c.Assert(err, IsNil)
+	_, err = image.DecodeModelAssertion(&image.Options{
+		ModelFile: fn,
+	})
+	c.Check(err, ErrorMatches, `.* assertion model: invalid snap name in "required-snaps" header: foo_instance`)
+}
+
+func (s *imageSuite) TestModelAssertionNoParallelInstancesOfKernel(c *C) {
+	const mod = `type: model
+authority-id: brand
+series: 16
+brand-id: brand
+model: baz-3000
+architecture: armhf
+gadget: brand-gadget
+kernel: kernel_instance
+timestamp: 2016-01-02T10:00:00-05:00
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==
+`
+
+	fn := filepath.Join(c.MkDir(), "model.assertion")
+	err := ioutil.WriteFile(fn, []byte(mod), 0644)
+	c.Assert(err, IsNil)
+	_, err = image.DecodeModelAssertion(&image.Options{
+		ModelFile: fn,
+	})
+	c.Check(err, ErrorMatches, `.* assertion model: invalid snap name in "kernel" header: kernel_instance`)
+}
+
+func (s *imageSuite) TestModelAssertionNoParallelInstancesOfGadget(c *C) {
+	const mod = `type: model
+authority-id: brand
+series: 16
+brand-id: brand
+model: baz-3000
+architecture: armhf
+gadget: brand-gadget_instance
+kernel: kernel
+timestamp: 2016-01-02T10:00:00-05:00
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==
+`
+
+	fn := filepath.Join(c.MkDir(), "model.assertion")
+	err := ioutil.WriteFile(fn, []byte(mod), 0644)
+	c.Assert(err, IsNil)
+	_, err = image.DecodeModelAssertion(&image.Options{
+		ModelFile: fn,
+	})
+	c.Check(err, ErrorMatches, `.* assertion model: invalid snap name in "gadget" header: brand-gadget_instance`)
+}
+
+func (s *imageSuite) TestModelAssertionNoParallelInstancesOfBase(c *C) {
+	const mod = `type: model
+authority-id: brand
+series: 16
+brand-id: brand
+model: baz-3000
+architecture: armhf
+gadget: brand-gadget
+kernel: kernel
+base: core18_instance
+timestamp: 2016-01-02T10:00:00-05:00
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==
+`
+
+	fn := filepath.Join(c.MkDir(), "model.assertion")
+	err := ioutil.WriteFile(fn, []byte(mod), 0644)
+	c.Assert(err, IsNil)
+	_, err = image.DecodeModelAssertion(&image.Options{
+		ModelFile: fn,
+	})
+	c.Check(err, ErrorMatches, `.* assertion model: invalid snap name in "base" header: core18_instance`)
+}
+
 func (s *imageSuite) TestHappyDecodeModelAssertion(c *C) {
 	fn := filepath.Join(c.MkDir(), "model.assertion")
 	err := ioutil.WriteFile(fn, asserts.Encode(s.model), 0644)
@@ -307,7 +475,7 @@
 	c.Assert(err, IsNil)
 
 	if !rev.Unset() {
-		info.SnapID = info.Name() + "-Id"
+		info.SnapID = info.InstanceName() + "-Id"
 		info.Revision = rev
 	}
 	return info
@@ -340,15 +508,58 @@
 	}
 }
 
+func (s *imageSuite) TestDownloadUnpackGadgetFromTrack(c *C) {
+	s.downloadedSnaps["pc"] = snaptest.MakeTestSnapWithFiles(c, packageGadget, nil)
+	s.storeSnapInfo["pc"] = infoFromSnapYaml(c, packageGadget, snap.R(1818))
+
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"gadget":       "pc=18",
+		"kernel":       "pc-kernel=18",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+
+	gadgetUnpackDir := filepath.Join(c.MkDir(), "gadget-unpack-dir")
+	opts := &image.Options{
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+
+	err = image.DownloadUnpackGadget(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	c.Check(s.storeActions, HasLen, 1)
+	c.Check(s.storeActions[0], DeepEquals, &store.SnapAction{
+		Action:       "download",
+		Channel:      "18/stable",
+		InstanceName: "pc",
+	})
+
+}
+
 func (s *imageSuite) setupSnaps(c *C, gadgetUnpackDir string, publishers map[string]string) {
 	err := os.MkdirAll(gadgetUnpackDir, 0755)
 	c.Assert(err, IsNil)
 	err = ioutil.WriteFile(filepath.Join(gadgetUnpackDir, "grub.conf"), nil, 0644)
 	c.Assert(err, IsNil)
 
-	s.downloadedSnaps["pc"] = snaptest.MakeTestSnapWithFiles(c, packageGadget, [][]string{{"grub.cfg", "I'm a grub.cfg"}})
-	s.storeSnapInfo["pc"] = infoFromSnapYaml(c, packageGadget, snap.R(1))
-	s.addSystemSnapAssertions(c, "pc", publishers["pc"])
+	if _, ok := publishers["pc"]; ok {
+		s.downloadedSnaps["pc"] = snaptest.MakeTestSnapWithFiles(c, packageGadget, [][]string{{"grub.cfg", "I'm a grub.cfg"}})
+		s.storeSnapInfo["pc"] = infoFromSnapYaml(c, packageGadget, snap.R(1))
+		s.addSystemSnapAssertions(c, "pc", publishers["pc"])
+	}
+	if _, ok := publishers["pc18"]; ok {
+		s.downloadedSnaps["pc18"] = snaptest.MakeTestSnapWithFiles(c, packageGadgetWithBase, [][]string{{"grub.cfg", "I'm a grub.cfg"}})
+		s.storeSnapInfo["pc18"] = infoFromSnapYaml(c, packageGadgetWithBase, snap.R(4))
+		s.addSystemSnapAssertions(c, "pc18", publishers["pc18"])
+	}
 
 	s.downloadedSnaps["pc-kernel"] = snaptest.MakeTestSnapWithFiles(c, packageKernel, nil)
 	s.storeSnapInfo["pc-kernel"] = infoFromSnapYaml(c, packageKernel, snap.R(2))
@@ -358,10 +569,30 @@
 	s.storeSnapInfo["core"] = infoFromSnapYaml(c, packageCore, snap.R(3))
 	s.addSystemSnapAssertions(c, "core", "canonical")
 
+	s.downloadedSnaps["core18"] = snaptest.MakeTestSnapWithFiles(c, packageCore18, nil)
+	s.storeSnapInfo["core18"] = infoFromSnapYaml(c, packageCore18, snap.R(18))
+	s.addSystemSnapAssertions(c, "core18", "canonical")
+
+	s.downloadedSnaps["snapd"] = snaptest.MakeTestSnapWithFiles(c, snapdSnap, nil)
+	s.storeSnapInfo["snapd"] = infoFromSnapYaml(c, snapdSnap, snap.R(18))
+	s.addSystemSnapAssertions(c, "snapd", "canonical")
+
+	s.downloadedSnaps["other-base"] = snaptest.MakeTestSnapWithFiles(c, otherBase, nil)
+	s.storeSnapInfo["other-base"] = infoFromSnapYaml(c, otherBase, snap.R(18))
+	s.addSystemSnapAssertions(c, "other-base", "other")
+
 	s.downloadedSnaps["required-snap1"] = snaptest.MakeTestSnapWithFiles(c, requiredSnap1, nil)
 	s.storeSnapInfo["required-snap1"] = infoFromSnapYaml(c, requiredSnap1, snap.R(3))
 	s.storeSnapInfo["required-snap1"].Contact = "foo@example.com"
 	s.addSystemSnapAssertions(c, "required-snap1", "other")
+
+	s.downloadedSnaps["snap-req-other-base"] = snaptest.MakeTestSnapWithFiles(c, snapReqOtherBase, nil)
+	s.storeSnapInfo["snap-req-other-base"] = infoFromSnapYaml(c, snapReqOtherBase, snap.R(5))
+	s.addSystemSnapAssertions(c, "snap-req-other-base", "other")
+
+	s.downloadedSnaps["snap-req-content-provider"] = snaptest.MakeTestSnapWithFiles(c, snapReqContentProvider, nil)
+	s.storeSnapInfo["snap-req-content-provider"] = infoFromSnapYaml(c, snapReqContentProvider, snap.R(5))
+	s.addSystemSnapAssertions(c, "snap-req-content-provider", "other")
 }
 
 func (s *imageSuite) TestBootstrapToRootDir(c *C) {
@@ -373,20 +604,12 @@
 	seedsnapsdir := filepath.Join(seeddir, "snaps")
 	seedassertsdir := filepath.Join(seeddir, "assertions")
 
-	// FIXME: bootstrapToRootDir needs an unpacked gadget yaml
-	gadgetUnpackDir := filepath.Join(c.MkDir(), "gadget")
-
+	gadgetUnpackDir := c.MkDir()
 	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
 		"pc":        "canonical",
 		"pc-kernel": "canonical",
 	})
 
-	// mock the mount cmds (for the extract kernel assets stuff)
-	c1 := testutil.MockCommand(c, "mount", "")
-	defer c1.Restore()
-	c2 := testutil.MockCommand(c, "umount", "")
-	defer c2.Restore()
-
 	opts := &image.Options{
 		RootDir:         rootdir,
 		GadgetUnpackDir: gadgetUnpackDir,
@@ -444,10 +667,11 @@
 	}
 
 	// check the bootloader config
-	m, err := s.bootloader.GetBootVars("snap_kernel", "snap_core")
+	m, err := s.bootloader.GetBootVars("snap_kernel", "snap_core", "snap_menuentry")
 	c.Assert(err, IsNil)
 	c.Check(m["snap_kernel"], Equals, "pc-kernel_2.snap")
 	c.Check(m["snap_core"], Equals, "core_3.snap")
+	c.Check(m["snap_menuentry"], Equals, "my display name")
 
 	c.Check(s.stderr.String(), Equals, "")
 }
@@ -458,21 +682,12 @@
 
 	rootdir := filepath.Join(c.MkDir(), "imageroot")
 	seedassertsdir := filepath.Join(rootdir, "var/lib/snapd/seed/assertions")
-
-	// FIXME: bootstrapToRootDir needs an unpacked gadget yaml
-	gadgetUnpackDir := filepath.Join(c.MkDir(), "gadget")
-
+	gadgetUnpackDir := c.MkDir()
 	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
 		"pc":        "canonical",
 		"pc-kernel": "my-brand",
 	})
 
-	// mock the mount cmds (for the extract kernel assets stuff)
-	c1 := testutil.MockCommand(c, "mount", "")
-	defer c1.Restore()
-	c2 := testutil.MockCommand(c, "umount", "")
-	defer c2.Restore()
-
 	opts := &image.Options{
 		Snaps: []string{
 			s.downloadedSnaps["core"],
@@ -524,7 +739,7 @@
 		c.Check(osutil.FileExists(p), Equals, true)
 
 		c.Check(seed.Snaps[i], DeepEquals, &snap.SeedSnap{
-			Name:       info.Name(),
+			Name:       info.InstanceName(),
 			SnapID:     info.SnapID,
 			File:       fn,
 			Unasserted: unasserted,
@@ -573,15 +788,7 @@
 	defer restore()
 
 	rootdir := filepath.Join(c.MkDir(), "imageroot")
-
-	// FIXME: bootstrapToRootDir needs an unpacked gadget yaml
-	gadgetUnpackDir := filepath.Join(c.MkDir(), "gadget")
-
-	err := os.MkdirAll(gadgetUnpackDir, 0755)
-	c.Assert(err, IsNil)
-	err = ioutil.WriteFile(filepath.Join(gadgetUnpackDir, "grub.conf"), nil, 0644)
-	c.Assert(err, IsNil)
-
+	gadgetUnpackDir := c.MkDir()
 	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
 		"pc":        "canonical",
 		"pc-kernel": "canonical",
@@ -590,17 +797,12 @@
 	s.downloadedSnaps["devmode-snap"] = snaptest.MakeTestSnapWithFiles(c, devmodeSnap, nil)
 	s.storeSnapInfo["devmode-snap"] = infoFromSnapYaml(c, devmodeSnap, snap.R(0))
 
-	// mock the mount cmds (for the extract kernel assets stuff)
-	c1 := testutil.MockCommand(c, "mount", "")
-	defer c1.Restore()
-	c2 := testutil.MockCommand(c, "umount", "")
-	defer c2.Restore()
-
 	opts := &image.Options{
 		Snaps: []string{s.downloadedSnaps["devmode-snap"]},
 
 		RootDir:         rootdir,
 		GadgetUnpackDir: gadgetUnpackDir,
+		Channel:         "beta",
 	}
 	local, err := image.LocalSnaps(s.tsto, opts)
 	c.Assert(err, IsNil)
@@ -613,6 +815,40 @@
 	c.Assert(err, IsNil)
 
 	c.Check(seed.Snaps, HasLen, 5)
+	c.Check(seed.Snaps[0], DeepEquals, &snap.SeedSnap{
+		Name:    "core",
+		SnapID:  "core-Id",
+		File:    "core_3.snap",
+		Channel: "beta",
+	})
+	c.Check(seed.Snaps[1], DeepEquals, &snap.SeedSnap{
+		Name:    "pc-kernel",
+		SnapID:  "pc-kernel-Id",
+		File:    "pc-kernel_2.snap",
+		Channel: "beta",
+	})
+	c.Check(seed.Snaps[2], DeepEquals, &snap.SeedSnap{
+		Name:    "pc",
+		SnapID:  "pc-Id",
+		File:    "pc_1.snap",
+		Channel: "beta",
+	})
+	c.Check(seed.Snaps[3], DeepEquals, &snap.SeedSnap{
+		Name:    "required-snap1",
+		SnapID:  "required-snap1-Id",
+		File:    "required-snap1_3.snap",
+		Contact: "foo@example.com",
+		Channel: "beta",
+	})
+	// ensure local snaps are put last in seed.yaml
+	c.Check(seed.Snaps[4], DeepEquals, &snap.SeedSnap{
+		Name:       "devmode-snap",
+		DevMode:    true,
+		Unasserted: true,
+		File:       "devmode-snap_x1.snap",
+		// no channel for unasserted snaps
+		Channel: "",
+	})
 
 	// check devmode-snap
 	info := &snap.Info{
@@ -635,26 +871,107 @@
 	})
 }
 
-func (s *imageSuite) TestBootstrapToRootDirKernelPublisherMismatch(c *C) {
+func (s *imageSuite) TestBootstrapWithBase(c *C) {
 	restore := image.MockTrusted(s.storeSigning.Trusted)
 	defer restore()
 
+	// replace model with a model that uses core18
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":         "16",
+		"authority-id":   "my-brand",
+		"brand-id":       "my-brand",
+		"model":          "my-model",
+		"architecture":   "amd64",
+		"gadget":         "pc18",
+		"kernel":         "pc-kernel",
+		"base":           "core18",
+		"required-snaps": []interface{}{"other-base"},
+		"timestamp":      time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+
 	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core18":     "canonical",
+		"pc18":       "canonical",
+		"pc-kernel":  "canonical",
+		"snapd":      "canonical",
+		"other-base": "other",
+	})
+
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	// check seed yaml
+	seed, err := snap.ReadSeedYaml(filepath.Join(rootdir, "var/lib/snapd/seed/seed.yaml"))
+	c.Assert(err, IsNil)
+
+	c.Check(seed.Snaps, HasLen, 5)
+
+	// check the files are in place
+	for i, name := range []string{"snapd", "core18_18.snap", "pc-kernel", "pc18", "other-base"} {
+		unasserted := false
+		info := s.storeSnapInfo[name]
+		if info == nil {
+			switch name {
+			case "core18_18.snap":
+				info = &snap.Info{
+					SideInfo: snap.SideInfo{
+						SnapID:   "core18-Id",
+						RealName: "core18",
+						Revision: snap.R("18"),
+					},
+				}
+			}
+		}
+
+		fn := filepath.Base(info.MountFile())
+		p := filepath.Join(rootdir, "var/lib/snapd/seed/snaps", fn)
+		c.Check(osutil.FileExists(p), Equals, true)
+
+		c.Check(seed.Snaps[i], DeepEquals, &snap.SeedSnap{
+			Name:       info.InstanceName(),
+			SnapID:     info.SnapID,
+			File:       fn,
+			Unasserted: unasserted,
+		})
+	}
+
+	l, err := ioutil.ReadDir(filepath.Join(rootdir, "var/lib/snapd/seed/snaps"))
+	c.Assert(err, IsNil)
+	c.Check(l, HasLen, 5)
+
+	// check the bootloader config
+	m, err := s.bootloader.GetBootVars("snap_kernel", "snap_core")
+	c.Assert(err, IsNil)
+	c.Check(m["snap_kernel"], Equals, "pc-kernel_2.snap")
+	c.Assert(err, IsNil)
+	c.Check(m["snap_core"], Equals, "core18_18.snap")
+
+	c.Check(s.stderr.String(), Equals, "")
+
+}
 
-	// FIXME: bootstrapToRootDir needs an unpacked gadget yaml
-	gadgetUnpackDir := filepath.Join(c.MkDir(), "gadget")
+func (s *imageSuite) TestBootstrapToRootDirKernelPublisherMismatch(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
 
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
 	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
 		"pc":        "canonical",
 		"pc-kernel": "other",
 	})
 
-	// mock the mount cmds (for the extract kernel assets stuff)
-	c1 := testutil.MockCommand(c, "mount", "")
-	defer c1.Restore()
-	c2 := testutil.MockCommand(c, "umount", "")
-	defer c2.Restore()
-
 	opts := &image.Options{
 		RootDir:         rootdir,
 		GadgetUnpackDir: gadgetUnpackDir,
@@ -673,7 +990,7 @@
 	dirs.SetRootDir(targetDir)
 	err := image.InstallCloudConfig(emptyGadgetDir)
 	c.Assert(err, IsNil)
-	c.Check(osutil.FileExists(filepath.Join(targetDir, "etc/cloud")), Equals, true)
+	c.Check(osutil.FileExists(filepath.Join(targetDir, "etc/cloud")), Equals, false)
 }
 
 func (s *imageSuite) TestInstallCloudConfigWithCloudConfig(c *C) {
@@ -735,21 +1052,12 @@
 
 	rootdir := filepath.Join(c.MkDir(), "imageroot")
 	assertsdir := filepath.Join(rootdir, "var/lib/snapd/seed/assertions")
-
-	// FIXME: bootstrapToRootDir needs an unpacked gadget yaml
-	gadgetUnpackDir := filepath.Join(c.MkDir(), "gadget")
-
+	gadgetUnpackDir := c.MkDir()
 	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
 		"pc":        "canonical",
 		"pc-kernel": "my-brand",
 	})
 
-	// mock the mount cmds (for the extract kernel assets stuff)
-	c1 := testutil.MockCommand(c, "mount", "")
-	defer c1.Restore()
-	c2 := testutil.MockCommand(c, "umount", "")
-	defer c2.Restore()
-
 	opts := &image.Options{
 		Snaps: []string{
 			s.downloadedSnaps["core"],
@@ -801,7 +1109,7 @@
 		c.Check(osutil.FileExists(p), Equals, true, Commentf("cannot find %s", p))
 
 		c.Check(seed.Snaps[i], DeepEquals, &snap.SeedSnap{
-			Name:       info.Name(),
+			Name:       info.InstanceName(),
 			SnapID:     info.SnapID,
 			File:       fn,
 			Unasserted: false,
@@ -843,3 +1151,589 @@
 
 	c.Check(s.stderr.String(), Equals, "")
 }
+
+func (s *imageSuite) TestNoLocalParallelSnapInstances(c *C) {
+	fn := filepath.Join(c.MkDir(), "model.assertion")
+	err := ioutil.WriteFile(fn, asserts.Encode(s.model), 0644)
+	c.Assert(err, IsNil)
+
+	err = image.Prepare(&image.Options{
+		ModelFile: fn,
+		Snaps:     []string{"foo_instance"},
+	})
+	c.Assert(err, ErrorMatches, `cannot use snap "foo_instance", parallel snap instances are unsupported`)
+}
+
+func (s *imageSuite) TestNoInvalidSnapNames(c *C) {
+	fn := filepath.Join(c.MkDir(), "model.assertion")
+	err := ioutil.WriteFile(fn, asserts.Encode(s.model), 0644)
+	c.Assert(err, IsNil)
+
+	err = image.Prepare(&image.Options{
+		ModelFile: fn,
+		Snaps:     []string{"foo.invalid.name"},
+	})
+	c.Assert(err, ErrorMatches, `invalid snap name: "foo.invalid.name"`)
+}
+
+func (s *imageSuite) TestPrepareInvalidChannel(c *C) {
+	fn := filepath.Join(c.MkDir(), "model.assertion")
+	err := ioutil.WriteFile(fn, asserts.Encode(s.model), 0644)
+	c.Assert(err, IsNil)
+
+	err = image.Prepare(&image.Options{
+		ModelFile: fn,
+		Channel:   "x/x/x/x",
+	})
+	c.Assert(err, ErrorMatches, `cannot use channel: channel name has too many components: x/x/x/x`)
+}
+
+func (s *imageSuite) TestBootstrapWithKernelAndGadgetTrack(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+
+	// replace model with a model that uses core18
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"gadget":       "pc=18",
+		"kernel":       "pc-kernel=18",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":      "canonical",
+		"pc":        "canonical",
+		"pc-kernel": "canonical",
+	})
+
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	// check seed yaml
+	seed, err := snap.ReadSeedYaml(filepath.Join(rootdir, "var/lib/snapd/seed/seed.yaml"))
+	c.Assert(err, IsNil)
+
+	c.Check(seed.Snaps, HasLen, 3)
+	c.Check(seed.Snaps[0], DeepEquals, &snap.SeedSnap{
+		Name:   "core",
+		SnapID: "core-Id",
+		File:   "core_3.snap",
+	})
+	c.Check(seed.Snaps[1], DeepEquals, &snap.SeedSnap{
+		Name:    "pc-kernel",
+		SnapID:  "pc-kernel-Id",
+		File:    "pc-kernel_2.snap",
+		Channel: "18/stable",
+	})
+	c.Check(seed.Snaps[2], DeepEquals, &snap.SeedSnap{
+		Name:    "pc",
+		SnapID:  "pc-Id",
+		File:    "pc_1.snap",
+		Channel: "18/stable",
+	})
+}
+
+func (s *imageSuite) TestBootstrapWithKernelTrackWithDefaultChannel(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+
+	// replace model with a model that uses core18
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"gadget":       "pc",
+		"kernel":       "pc-kernel=18",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":      "canonical",
+		"pc":        "canonical",
+		"pc-kernel": "canonical",
+	})
+
+	rootdir := c.MkDir()
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+		Channel:         "edge",
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	// check seed yaml
+	seed, err := snap.ReadSeedYaml(filepath.Join(rootdir, "var/lib/snapd/seed/seed.yaml"))
+	c.Assert(err, IsNil)
+
+	c.Check(seed.Snaps, HasLen, 3)
+	c.Check(seed.Snaps[0], DeepEquals, &snap.SeedSnap{
+		Name:    "core",
+		SnapID:  "core-Id",
+		File:    "core_3.snap",
+		Channel: "edge",
+	})
+	c.Check(seed.Snaps[1], DeepEquals, &snap.SeedSnap{
+		Name:    "pc-kernel",
+		SnapID:  "pc-kernel-Id",
+		File:    "pc-kernel_2.snap",
+		Channel: "18/edge",
+	})
+	c.Check(seed.Snaps[2], DeepEquals, &snap.SeedSnap{
+		Name:    "pc",
+		SnapID:  "pc-Id",
+		File:    "pc_1.snap",
+		Channel: "edge",
+	})
+}
+
+func (s *imageSuite) TestBootstrapWithKernelTrackOnLocalSnap(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+
+	// replace model with a model that uses core18
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"gadget":       "pc",
+		"kernel":       "pc-kernel=18",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":      "canonical",
+		"pc":        "canonical",
+		"pc-kernel": "canonical",
+	})
+
+	// pretend we downloaded the core,kernel already
+	cfn := s.downloadedSnaps["core"]
+	kfn := s.downloadedSnaps["pc-kernel"]
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+		Snaps:           []string{kfn, cfn},
+		Channel:         "beta",
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+	c.Check(local.NameToPath(), HasLen, 2)
+
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	// check seed yaml
+	seed, err := snap.ReadSeedYaml(filepath.Join(rootdir, "var/lib/snapd/seed/seed.yaml"))
+	c.Assert(err, IsNil)
+
+	c.Check(seed.Snaps, HasLen, 3)
+	c.Check(seed.Snaps[0], DeepEquals, &snap.SeedSnap{
+		Name:    "core",
+		SnapID:  "core-Id",
+		File:    "core_3.snap",
+		Channel: "beta",
+	})
+	c.Check(seed.Snaps[1], DeepEquals, &snap.SeedSnap{
+		Name:    "pc-kernel",
+		SnapID:  "pc-kernel-Id",
+		File:    "pc-kernel_2.snap",
+		Channel: "18/beta",
+	})
+}
+
+func (s *imageSuite) TestBootstrapWithBaseAndLegacyCoreOrdering(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+
+	// replace model with a model that uses core18
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":         "16",
+		"authority-id":   "my-brand",
+		"brand-id":       "my-brand",
+		"model":          "my-model",
+		"architecture":   "amd64",
+		"base":           "core18",
+		"gadget":         "pc18",
+		"kernel":         "pc-kernel",
+		"required-snaps": []interface{}{"required-snap1"},
+		"timestamp":      time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core18":    "canonical",
+		"core":      "canonical",
+		"pc18":      "canonical",
+		"pc-kernel": "canonical",
+	})
+
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+		Snaps:           []string{"core"},
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	// check seed yaml
+	seed, err := snap.ReadSeedYaml(filepath.Join(rootdir, "var/lib/snapd/seed/seed.yaml"))
+	c.Assert(err, IsNil)
+
+	c.Check(seed.Snaps, HasLen, 6)
+	c.Check(seed.Snaps[0], DeepEquals, &snap.SeedSnap{
+		Name:   "snapd",
+		SnapID: "snapd-Id",
+		File:   "snapd_18.snap",
+	})
+	c.Check(seed.Snaps[1], DeepEquals, &snap.SeedSnap{
+		Name:   "core",
+		SnapID: "core-Id",
+		File:   "core_3.snap",
+	})
+	c.Check(seed.Snaps[2], DeepEquals, &snap.SeedSnap{
+		Name:   "core18",
+		SnapID: "core18-Id",
+		File:   "core18_18.snap",
+	})
+	c.Check(seed.Snaps[3], DeepEquals, &snap.SeedSnap{
+		Name:   "pc-kernel",
+		SnapID: "pc-kernel-Id",
+		File:   "pc-kernel_2.snap",
+	})
+	c.Check(seed.Snaps[4], DeepEquals, &snap.SeedSnap{
+		Name:   "pc18",
+		SnapID: "pc18-Id",
+		File:   "pc18_4.snap",
+	})
+	c.Check(seed.Snaps[5], DeepEquals, &snap.SeedSnap{
+		Name:    "required-snap1",
+		SnapID:  "required-snap1-Id",
+		File:    "required-snap1_3.snap",
+		Contact: "foo@example.com",
+	})
+}
+func (s *imageSuite) TestBootstrapGadgetBaseModelBaseMismatch(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+	// replace model with a model that uses core18 and a gadget
+	// without a base
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":         "16",
+		"authority-id":   "my-brand",
+		"brand-id":       "my-brand",
+		"model":          "my-model",
+		"architecture":   "amd64",
+		"base":           "core18",
+		"gadget":         "pc",
+		"kernel":         "pc-kernel",
+		"required-snaps": []interface{}{"required-snap1"},
+		"timestamp":      time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core18":    "canonical",
+		"pc":        "canonical",
+		"pc-kernel": "canonical",
+	})
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, ErrorMatches, `cannot use gadget snap because its base "" is different from model base "core18"`)
+}
+
+func (s *imageSuite) TestBootstrapToRootDirSnapReqBase(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":         "16",
+		"authority-id":   "my-brand",
+		"brand-id":       "my-brand",
+		"model":          "my-model",
+		"architecture":   "amd64",
+		"gadget":         "pc",
+		"kernel":         "pc-kernel",
+		"required-snaps": []interface{}{"snap-req-other-base"},
+		"timestamp":      time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":                "canonical",
+		"pc":                  "canonical",
+		"pc-kernel":           "canonical",
+		"snap-req-other-base": "canonical",
+	})
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, ErrorMatches, `cannot add snap "snap-req-other-base" without also adding its base "other-base" explicitly`)
+}
+
+func (s *imageSuite) TestBootstrapToRootDirStoreAssertionMissing(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"gadget":       "pc",
+		"kernel":       "pc-kernel",
+		"store":        "my-store",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":      "canonical",
+		"pc":        "canonical",
+		"pc-kernel": "canonical",
+	})
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+}
+
+func (s *imageSuite) TestBootstrapToRootDirStoreAssertionFetched(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+
+	// add store assertion
+	storeAs, err := s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
+		"store":       "my-store",
+		"operator-id": "canonical",
+		"timestamp":   time.Now().UTC().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	err = s.storeSigning.Add(storeAs)
+	c.Assert(err, IsNil)
+
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"gadget":       "pc",
+		"kernel":       "pc-kernel",
+		"store":        "my-store",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	seeddir := filepath.Join(rootdir, "var/lib/snapd/seed")
+	seedassertsdir := filepath.Join(seeddir, "assertions")
+
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":      "canonical",
+		"pc":        "canonical",
+		"pc-kernel": "canonical",
+	})
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	// check the store assertion was fetched
+	p := filepath.Join(seedassertsdir, "my-store.store")
+	c.Check(osutil.FileExists(p), Equals, true)
+}
+
+func (s *imageSuite) TestBootstrapToRootDirSnapReqBaseFromLocal(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":         "16",
+		"authority-id":   "my-brand",
+		"brand-id":       "my-brand",
+		"model":          "my-model",
+		"architecture":   "amd64",
+		"gadget":         "pc",
+		"kernel":         "pc-kernel",
+		"required-snaps": []interface{}{"snap-req-other-base"},
+		"timestamp":      time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":                "canonical",
+		"pc":                  "canonical",
+		"pc-kernel":           "canonical",
+		"snap-req-other-base": "canonical",
+		"other-base":          "canonical",
+	})
+	bfn := s.downloadedSnaps["other-base"]
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+		Snaps:           []string{bfn},
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+}
+
+func (s *imageSuite) TestBootstrapToRootDirMissingContentProvider(c *C) {
+	restore := image.MockTrusted(s.storeSigning.Trusted)
+	defer restore()
+	rawmodel, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":         "16",
+		"authority-id":   "my-brand",
+		"brand-id":       "my-brand",
+		"model":          "my-model",
+		"architecture":   "amd64",
+		"gadget":         "pc",
+		"kernel":         "pc-kernel",
+		"required-snaps": []interface{}{"snap-req-content-provider"},
+		"timestamp":      time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	model := rawmodel.(*asserts.Model)
+	rootdir := filepath.Join(c.MkDir(), "imageroot")
+	gadgetUnpackDir := c.MkDir()
+	s.setupSnaps(c, gadgetUnpackDir, map[string]string{
+		"core":                  "canonical",
+		"pc":                    "canonical",
+		"pc-kernel":             "canonical",
+		"snap-req-content-snap": "canonical",
+	})
+	opts := &image.Options{
+		RootDir:         rootdir,
+		GadgetUnpackDir: gadgetUnpackDir,
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, IsNil)
+	err = image.BootstrapToRootDir(s.tsto, model, opts, local)
+	c.Assert(err, IsNil)
+
+	c.Check(s.stderr.String(), Equals, `WARNING: the default content provider "gtk-common-themes" requested by snap "snap-req-content-provider" is not getting installed.`)
+}
+
+func (s *imageSuite) TestMissingLocalSnaps(c *C) {
+	opts := &image.Options{
+		Snaps: []string{"i-am-missing.snap"},
+	}
+	local, err := image.LocalSnaps(s.tsto, opts)
+	c.Assert(err, ErrorMatches, "local snap i-am-missing.snap not found")
+	c.Assert(local, IsNil)
+}
+
+type toolingAuthContextSuite struct {
+	ac auth.AuthContext
+}
+
+var _ = Suite(&toolingAuthContextSuite{})
+
+func (s *toolingAuthContextSuite) SetUpTest(c *C) {
+	s.ac = image.ToolingAuthContext()
+}
+
+func (s *toolingAuthContextSuite) TestNopBits(c *C) {
+	info, err := s.ac.CloudInfo()
+	c.Assert(err, IsNil)
+	c.Check(info, IsNil)
+
+	device, err := s.ac.Device()
+	c.Assert(err, IsNil)
+	c.Check(device, DeepEquals, &auth.DeviceState{})
+
+	p, err := s.ac.DeviceSessionRequestParams("")
+	c.Assert(err, Equals, auth.ErrNoSerial)
+	c.Check(p, IsNil)
+
+	defURL, err := url.Parse("http://store")
+	c.Assert(err, IsNil)
+	proxyStoreID, proxyStoreURL, err := s.ac.ProxyStoreParams(defURL)
+	c.Assert(err, IsNil)
+	c.Check(proxyStoreID, Equals, "")
+	c.Check(proxyStoreURL, Equals, defURL)
+
+	storeID, err := s.ac.StoreID("")
+	c.Assert(err, IsNil)
+	c.Check(storeID, Equals, "")
+
+	storeID, err = s.ac.StoreID("my-store")
+	c.Assert(err, IsNil)
+	c.Check(storeID, Equals, "my-store")
+
+	_, err = s.ac.UpdateDeviceAuth(nil, "")
+	c.Assert(err, NotNil)
+}
+
+func (s *toolingAuthContextSuite) TestUpdateUserAuth(c *C) {
+	u := &auth.UserState{
+		StoreMacaroon:   "macaroon",
+		StoreDischarges: []string{"discharge1"},
+	}
+
+	u1, err := s.ac.UpdateUserAuth(u, []string{"discharge2"})
+	c.Assert(err, IsNil)
+	c.Check(u1, Equals, u)
+	c.Check(u1.StoreDischarges, DeepEquals, []string{"discharge2"})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/apparmor.go snapd-2.37~rc1~14.04/interfaces/apparmor/apparmor.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/apparmor.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/apparmor.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,52 +30,75 @@
 	"io"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"strings"
 
-	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
 )
 
-// LoadProfile loads an apparmor profile from the given file.
-//
-// If no such profile was previously loaded then it is simply added to the kernel.
-// If there was a profile with the same name before, that profile is replaced.
-func LoadProfile(fname string) error {
-	return loadProfile(fname, dirs.AppArmorCacheDir)
+// ValidateNoAppArmorRegexp will check that the given string does not
+// contain AppArmor regular expressions (AARE), double quotes or \0.
+func ValidateNoAppArmorRegexp(s string) error {
+	const AARE = `?*[]{}^"` + "\x00"
+
+	if strings.ContainsAny(s, AARE) {
+		return fmt.Errorf("%q contains a reserved apparmor char from %s", s, AARE)
+	}
+	return nil
 }
 
-// UnloadProfile removes the named profile from the running kernel.
+type aaParserFlags int
+
+const (
+	// skipReadCache causes apparmor_parser to be invoked with --skip-read-cache.
+	// This allows us to essentially overwrite a cache that we know is stale regardless
+	// of the time and date settings (apparmor_parser caching is based on mtime).
+	// Note that writing of the cache relies on --write-cache but we pass that
+	// command-line option unconditionally.
+	skipReadCache aaParserFlags = 1 << iota
+)
+
+// loadProfiles loads apparmor profiles from the given files.
 //
-// The operation is done with: apparmor_parser --remove $name
-// The binary cache file is removed from /var/cache/apparmor
-func UnloadProfile(name string) error {
-	return unloadProfile(name, dirs.AppArmorCacheDir)
-}
+// If no such profiles were previously loaded then they are simply added to the kernel.
+// If there were some profiles with the same name before, those profiles are replaced.
+func loadProfiles(fnames []string, cacheDir string, flags aaParserFlags) error {
+	if len(fnames) == 0 {
+		return nil
+	}
 
-func loadProfile(fname, cacheDir string) error {
 	// Use no-expr-simplify since expr-simplify is actually slower on armhf (LP: #1383858)
 	args := []string{"--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s", cacheDir)}
+	if flags&skipReadCache != 0 {
+		args = append(args, "--skip-read-cache")
+	}
 	if !osutil.GetenvBool("SNAPD_DEBUG") {
 		args = append(args, "--quiet")
 	}
-	args = append(args, fname)
+	args = append(args, fnames...)
 
 	output, err := exec.Command("apparmor_parser", args...).CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("cannot load apparmor profile: %s\napparmor_parser output:\n%s", err, string(output))
+		return fmt.Errorf("cannot load apparmor profiles: %s\napparmor_parser output:\n%s", err, string(output))
 	}
 	return nil
 }
 
-func unloadProfile(name, cacheDir string) error {
-	output, err := exec.Command("apparmor_parser", "--remove", name).CombinedOutput()
+// UnloadProfiles removes the named profiles from the running kernel.
+//
+// The operation is done with: apparmor_parser --remove $names...
+// The binary cache file is removed from /var/cache/apparmor
+func unloadProfiles(names []string, cacheDir string) error {
+	if len(names) == 0 {
+		return nil
+	}
+
+	args := []string{"--remove"}
+	args = append(args, names...)
+	output, err := exec.Command("apparmor_parser", args...).CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("cannot unload apparmor profile: %s\napparmor_parser output:\n%s", err, string(output))
 	}
-	err = os.Remove(filepath.Join(cacheDir, name))
-	// It is not an error if the cache file wasn't there to remove.
-	if err != nil && !os.IsNotExist(err) {
+	if err := osutil.UnlinkMany(cacheDir, names); err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("cannot remove apparmor profile cache: %s", err)
 	}
 	return nil
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/apparmor_test.go snapd-2.37~rc1~14.04/interfaces/apparmor/apparmor_test.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/apparmor_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/apparmor_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -51,23 +51,41 @@
 	apparmor.MockProfilesPath(&s.BaseTest, s.profilesFilename)
 }
 
-// Tests for LoadProfile()
+// Tests for LoadProfiles()
 
-func (s *appArmorSuite) TestLoadProfileRunsAppArmorParserReplace(c *C) {
+func (s *appArmorSuite) TestLoadProfilesRunsAppArmorParserReplace(c *C) {
 	cmd := testutil.MockCommand(c, "apparmor_parser", "")
 	defer cmd.Restore()
-	err := apparmor.LoadProfile("/path/to/snap.samba.smbd")
+	err := apparmor.LoadProfiles([]string{"/path/to/snap.samba.smbd"}, dirs.AppArmorCacheDir, 0)
 	c.Assert(err, IsNil)
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{
 		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", "--cache-loc=/var/cache/apparmor", "--quiet", "/path/to/snap.samba.smbd"},
 	})
 }
 
-func (s *appArmorSuite) TestLoadProfileReportsErrors(c *C) {
+func (s *appArmorSuite) TestLoadProfilesMany(c *C) {
+	cmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer cmd.Restore()
+	err := apparmor.LoadProfiles([]string{"/path/to/snap.samba.smbd", "/path/to/another.profile"}, dirs.AppArmorCacheDir, 0)
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Calls(), DeepEquals, [][]string{
+		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", "--cache-loc=/var/cache/apparmor", "--quiet", "/path/to/snap.samba.smbd", "/path/to/another.profile"},
+	})
+}
+
+func (s *appArmorSuite) TestLoadProfilesNone(c *C) {
+	cmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer cmd.Restore()
+	err := apparmor.LoadProfiles([]string{}, dirs.AppArmorCacheDir, 0)
+	c.Assert(err, IsNil)
+	c.Check(cmd.Calls(), HasLen, 0)
+}
+
+func (s *appArmorSuite) TestLoadProfilesReportsErrors(c *C) {
 	cmd := testutil.MockCommand(c, "apparmor_parser", "exit 42")
 	defer cmd.Restore()
-	err := apparmor.LoadProfile("/path/to/snap.samba.smbd")
-	c.Assert(err.Error(), Equals, `cannot load apparmor profile: exit status 42
+	err := apparmor.LoadProfiles([]string{"/path/to/snap.samba.smbd"}, dirs.AppArmorCacheDir, 0)
+	c.Assert(err.Error(), Equals, `cannot load apparmor profiles: exit status 42
 apparmor_parser output:
 `)
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{
@@ -75,12 +93,12 @@
 	})
 }
 
-func (s *appArmorSuite) TestLoadProfileRunsAppArmorParserReplaceWithSnapdDebug(c *C) {
+func (s *appArmorSuite) TestLoadProfilesRunsAppArmorParserReplaceWithSnapdDebug(c *C) {
 	os.Setenv("SNAPD_DEBUG", "1")
 	defer os.Unsetenv("SNAPD_DEBUG")
 	cmd := testutil.MockCommand(c, "apparmor_parser", "")
 	defer cmd.Restore()
-	err := apparmor.LoadProfile("/path/to/snap.samba.smbd")
+	err := apparmor.LoadProfiles([]string{"/path/to/snap.samba.smbd"}, dirs.AppArmorCacheDir, 0)
 	c.Assert(err, IsNil)
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{
 		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", "--cache-loc=/var/cache/apparmor", "/path/to/snap.samba.smbd"},
@@ -89,22 +107,40 @@
 
 // Tests for Profile.Unload()
 
-func (s *appArmorSuite) TestUnloadProfileRunsAppArmorParserRemove(c *C) {
+func (s *appArmorSuite) TestUnloadProfilesRunsAppArmorParserRemove(c *C) {
 	dirs.SetRootDir(c.MkDir())
 	defer dirs.SetRootDir("")
 	cmd := testutil.MockCommand(c, "apparmor_parser", "")
 	defer cmd.Restore()
-	err := apparmor.UnloadProfile("snap.samba.smbd")
+	err := apparmor.UnloadProfiles([]string{"snap.samba.smbd"}, dirs.AppArmorCacheDir)
 	c.Assert(err, IsNil)
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{
 		{"apparmor_parser", "--remove", "snap.samba.smbd"},
 	})
 }
 
-func (s *appArmorSuite) TestUnloadProfileReportsErrors(c *C) {
+func (s *appArmorSuite) TestUnloadProfilesMany(c *C) {
+	cmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer cmd.Restore()
+	err := apparmor.UnloadProfiles([]string{"/path/to/snap.samba.smbd", "/path/to/another.profile"}, dirs.AppArmorCacheDir)
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Calls(), DeepEquals, [][]string{
+		{"apparmor_parser", "--remove", "/path/to/snap.samba.smbd", "/path/to/another.profile"},
+	})
+}
+
+func (s *appArmorSuite) TestUnloadProfilesNone(c *C) {
+	cmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer cmd.Restore()
+	err := apparmor.UnloadProfiles([]string{}, dirs.AppArmorCacheDir)
+	c.Assert(err, IsNil)
+	c.Check(cmd.Calls(), HasLen, 0)
+}
+
+func (s *appArmorSuite) TestUnloadProfilesReportsErrors(c *C) {
 	cmd := testutil.MockCommand(c, "apparmor_parser", "exit 42")
 	defer cmd.Restore()
-	err := apparmor.UnloadProfile("snap.samba.smbd")
+	err := apparmor.UnloadProfiles([]string{"snap.samba.smbd"}, dirs.AppArmorCacheDir)
 	c.Assert(err.Error(), Equals, `cannot unload apparmor profile: exit status 42
 apparmor_parser output:
 `)
@@ -121,7 +157,7 @@
 
 	fname := filepath.Join(dirs.AppArmorCacheDir, "profile")
 	ioutil.WriteFile(fname, []byte("blob"), 0600)
-	err = apparmor.UnloadProfile("profile")
+	err = apparmor.UnloadProfiles([]string{"profile"}, dirs.AppArmorCacheDir)
 	c.Assert(err, IsNil)
 	_, err = os.Stat(fname)
 	c.Check(os.IsNotExist(err), Equals, true)
@@ -183,3 +219,19 @@
 	c.Assert(err, ErrorMatches, `syntax error, expected: name \(mode\)`)
 	c.Check(profiles, IsNil)
 }
+
+func (s *appArmorSuite) TestValidateFreeFromAAREUnhappy(c *C) {
+	var testCases = []string{"a?", "*b", "c[c", "dd]", "e{", "f}", "g^", `h"`, "f\000", "g\x00"}
+
+	for _, s := range testCases {
+		c.Check(apparmor.ValidateNoAppArmorRegexp(s), ErrorMatches, ".* contains a reserved apparmor char from .*", Commentf("%q is not raising an error", s))
+	}
+}
+
+func (s *appArmorSuite) TestValidateFreeFromAAREhappy(c *C) {
+	var testCases = []string{"foo", "BaR", "b-z", "foo+bar", "b00m!", "be/ep", "a%b", "a&b", "a(b", "a)b", "a=b", "a#b", "a~b", "a'b", "a_b", "a,b", "a;b", "a>b", "a<b", "a|b"}
+
+	for _, s := range testCases {
+		c.Check(apparmor.ValidateNoAppArmorRegexp(s), IsNil, Commentf("%q raised an error but shouldn't", s))
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/backend.go snapd-2.37~rc1~14.04/interfaces/apparmor/backend.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -42,7 +42,6 @@
 	"fmt"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"sort"
@@ -54,14 +53,18 @@
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
 var (
 	procSelfExe           = "/proc/self/exe"
+	isHomeUsingNFS        = osutil.IsHomeUsingNFS
 	isRootWritableOverlay = osutil.IsRootWritableOverlay
+	kernelFeatures        = release.AppArmorKernelFeatures
+	parserFeatures        = release.AppArmorParserFeatures
 )
 
-// Backend is responsible for maintaining apparmor profiles for ubuntu-core-launcher.
+// Backend is responsible for maintaining apparmor profiles for snaps and parts of snapd.
 type Backend struct{}
 
 // Name returns the name of the backend.
@@ -100,7 +103,7 @@
 	// Check if NFS is mounted at or under $HOME. Because NFS is not
 	// transparent to apparmor we must alter our profile to counter that and
 	// allow snap-confine to work.
-	if nfs, err := osutil.IsHomeUsingNFS(); err != nil {
+	if nfs, err := isHomeUsingNFS(); err != nil {
 		logger.Noticef("cannot determine if NFS is in use: %v", err)
 	} else if nfs {
 		policy["nfs-support"] = &osutil.FileState{
@@ -163,33 +166,28 @@
 		return fmt.Errorf("cannot find system apparmor profile for snap-confine")
 	}
 
-	// We are not using apparmor.LoadProfile() because it uses other cache.
-	cmd := exec.Command("apparmor_parser", "--replace",
-		// Use no-expr-simplify since expr-simplify is actually slower on armhf (LP: #1383858)
-		"-O", "no-expr-simplify",
-		"--write-cache", "--cache-loc", dirs.SystemApparmorCacheDir,
-		profilePath)
-
-	if output, err := cmd.CombinedOutput(); err != nil {
+	// We are not using apparmor.LoadProfiles() because it uses other cache.
+	if err := loadProfiles([]string{profilePath}, dirs.SystemApparmorCacheDir, skipReadCache); err != nil {
 		// When we cannot reload the profile then let's remove the generated
 		// policy. Maybe we have caused the problem so it's better to let other
 		// things work.
 		osutil.EnsureDirState(dirs.SnapConfineAppArmorDir, glob, nil)
-		return fmt.Errorf("cannot reload snap-confine apparmor profile: %v", osutil.OutputErr(output, err))
+		return fmt.Errorf("cannot reload snap-confine apparmor profile: %v", err)
 	}
 	return nil
 }
 
-// snapConfineFromCoreProfile returns the apparmor profile for snap-confine in the given core snap.
-func snapConfineFromCoreProfile(coreInfo *snap.Info) (dir, glob string, content map[string]*osutil.FileState, err error) {
+// snapConfineFromSnapProfile returns the apparmor profile for
+// snap-confine in the given core/snapd snap.
+func snapConfineFromSnapProfile(info *snap.Info) (dir, glob string, content map[string]*osutil.FileState, err error) {
 	// Find the vanilla apparmor profile for snap-confine as present in the given core snap.
 
 	// We must test the ".real" suffix first, this is a workaround for
 	// https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858004
-	vanillaProfilePath := filepath.Join(coreInfo.MountDir(), "/etc/apparmor.d/usr.lib.snapd.snap-confine.real")
+	vanillaProfilePath := filepath.Join(info.MountDir(), "/etc/apparmor.d/usr.lib.snapd.snap-confine.real")
 	vanillaProfileText, err := ioutil.ReadFile(vanillaProfilePath)
 	if os.IsNotExist(err) {
-		vanillaProfilePath = filepath.Join(coreInfo.MountDir(), "/etc/apparmor.d/usr.lib.snapd.snap-confine")
+		vanillaProfilePath = filepath.Join(info.MountDir(), "/etc/apparmor.d/usr.lib.snapd.snap-confine")
 		vanillaProfileText, err = ioutil.ReadFile(vanillaProfilePath)
 	}
 	if err != nil {
@@ -197,13 +195,20 @@
 	}
 
 	// Replace the path to vanilla snap-confine with the path to the mounted snap-confine from core.
-	snapConfineInCore := filepath.Join(coreInfo.MountDir(), "usr/lib/snapd/snap-confine")
+	snapConfineInCore := filepath.Join(info.MountDir(), "usr/lib/snapd/snap-confine")
 	patchedProfileText := bytes.Replace(
 		vanillaProfileText, []byte("/usr/lib/snapd/snap-confine"), []byte(snapConfineInCore), -1)
-	// /snap/core/111/usr/lib/snapd/snap-confine -> snap.core.111.usr.lib.snapd.snap-confine
-	patchedProfileName := strings.Replace(snapConfineInCore[1:], "/", ".", -1)
-	// snap.core.111.usr.lib.snapd.snap-confine -> snap.core.*.usr.lib.snapd.snap-confine
-	patchedProfileGlob := strings.Replace(patchedProfileName, "."+coreInfo.Revision.String()+".", ".*.", 1)
+
+	// We need to add a uniqe prefix that can never collide with a
+	// snap on the system. Using "snap-confine.*" is similar to
+	// "snap-update-ns.*" that is already used there
+	//
+	// So
+	//   /snap/core/111/usr/lib/snapd/snap-confine
+	// becomes
+	//   snap-confine.core.111
+	patchedProfileName := fmt.Sprintf("snap-confine.%s.%s", info.InstanceName(), info.Revision)
+	patchedProfileGlob := fmt.Sprintf("snap-confine.%s.*", info.InstanceName())
 
 	// Return information for EnsureDirState that describes the re-exec profile for snap-confine.
 	content = map[string]*osutil.FileState{
@@ -212,25 +217,27 @@
 			Mode:    0644,
 		},
 	}
-	return dirs.SystemApparmorDir, patchedProfileGlob, content, nil
+
+	return dirs.SnapAppArmorDir, patchedProfileGlob, content, nil
 }
 
-// setupSnapConfineReexec will setup apparmor profiles on a classic
-// system on the hosts /etc/apparmor.d directory. This is needed for
-// running snap-confine from the core snap.
+// setupSnapConfineReexec will setup apparmor profiles inside the host's
+// /var/lib/snapd/apparmor/profiles directory. This is needed for
+// running snap-confine from the core or snapd snap.
 //
 // Additionally it will cleanup stale apparmor profiles it created.
-func setupSnapConfineReexec(coreInfo *snap.Info) error {
-	err := os.MkdirAll(dirs.SnapConfineAppArmorDir, 0755)
-	if err != nil {
+func setupSnapConfineReexec(info *snap.Info) error {
+	if err := os.MkdirAll(dirs.SnapConfineAppArmorDir, 0755); err != nil {
 		return fmt.Errorf("cannot create snap-confine policy directory: %s", err)
 	}
-
-	dir, glob, content, err := snapConfineFromCoreProfile(coreInfo)
-	cache := dirs.SystemApparmorCacheDir
+	dir, glob, content, err := snapConfineFromSnapProfile(info)
+	cache := dirs.AppArmorCacheDir
 	if err != nil {
 		return fmt.Errorf("cannot compute snap-confine profile: %s", err)
 	}
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("cannot create snap-confine directory %q: %s", dir, err)
+	}
 
 	changed, removed, errEnsure := osutil.EnsureDirState(dir, glob, content)
 	if len(changed) == 0 {
@@ -245,7 +252,11 @@
 			changed = append(changed, fname)
 		}
 	}
-	errReload := reloadProfiles(changed, dir, cache)
+	pathnames := make([]string, len(changed))
+	for i, profile := range changed {
+		pathnames[i] = filepath.Join(dir, profile)
+	}
+	errReload := loadProfiles(pathnames, cache, 0)
 	errUnload := unloadProfiles(removed, cache)
 	if errEnsure != nil {
 		return fmt.Errorf("cannot synchronize snap-confine apparmor profile: %s", errEnsure)
@@ -259,6 +270,21 @@
 	return nil
 }
 
+// nsProfile returns name of the apparmor profile for snap-update-ns for a given snap.
+func nsProfile(snapName string) string {
+	return fmt.Sprintf("snap-update-ns.%s", snapName)
+}
+
+// profileGlobs returns a list of globs that describe the apparmor profiles of
+// a given snap.
+//
+// Currently the list is just a pair. The first glob describes profiles for all
+// apps and hooks while the second profile describes the snap-update-ns profile
+// for the whole snap.
+func profileGlobs(snapName string) []string {
+	return []string{interfaces.SecurityTagGlob(snapName), nsProfile(snapName)}
+}
+
 // Setup creates and loads apparmor profiles specific to a given snap.
 // The snap can be in developer mode to make security violations non-fatal to
 // the offending application process.
@@ -266,30 +292,40 @@
 // This method should be called after changing plug, slots, connections between
 // them or application present in the snap.
 func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error {
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	spec, err := repo.SnapSpecification(b.Name(), snapName)
 	if err != nil {
 		return fmt.Errorf("cannot obtain apparmor specification for snap %q: %s", snapName, err)
 	}
 
-	// Set the snapName for AddUpdateNS snippet.
-	//
-	// TODO: remove this along with Specification.snapName as it is not really
-	// needed in practice and the corresponding code can be simplified away.
-	spec.(*Specification).snapName = snapName
-	spec.(*Specification).AddSnapLayout(snapInfo)
-	spec.(*Specification).snapName = ""
+	// Add snippets for parallel snap installation mapping
+	spec.(*Specification).AddOvername(snapInfo)
+
+	// Add snippets derived from the layout definition.
+	spec.(*Specification).AddLayout(snapInfo)
 
 	// core on classic is special
 	if snapName == "core" && release.OnClassic && release.AppArmorLevel() != release.NoAppArmor {
 		if err := setupSnapConfineReexec(snapInfo); err != nil {
-			logger.Noticef("cannot create host snap-confine apparmor configuration: %s", err)
+			return fmt.Errorf("cannot create host snap-confine apparmor configuration: %s", err)
+		}
+	}
+
+	// Deal with the "snapd" snap - we do the setup slightly differently
+	// here because this will run both on classic and on Ubuntu Core 18
+	// systems but /etc/apparmor.d is not writable on core18 systems
+	if snapName == "snapd" && release.AppArmorLevel() != release.NoAppArmor {
+		if err := setupSnapConfineReexec(snapInfo); err != nil {
+			return fmt.Errorf("cannot create host snap-confine apparmor configuration: %s", err)
 		}
 	}
+
 	// core on core devices is also special, the apparmor cache gets
 	// confused too easy, especially at rollbacks, so we delete the cache.
 	// See LP:#1460152 and
 	// https://forum.snapcraft.io/t/core-snap-revert-issues-on-core-devices/
+	//
+	// TODO: we need to deal with the "snapd" snap here soon
 	if snapName == "core" && !release.OnClassic {
 		if li, err := filepath.Glob(filepath.Join(dirs.SystemApparmorCacheDir, "*")); err == nil {
 			for _, p := range li {
@@ -308,28 +344,49 @@
 		return fmt.Errorf("cannot obtain expected security files for snap %q: %s", snapName, err)
 	}
 	dir := dirs.SnapAppArmorDir
-	glob1 := fmt.Sprintf("snap*.%s*", snapInfo.Name())
-	glob2 := fmt.Sprintf("snap-update-ns.%s", snapInfo.Name())
+	globs := profileGlobs(snapInfo.InstanceName())
 	cache := dirs.AppArmorCacheDir
 	if err := os.MkdirAll(dir, 0755); err != nil {
 		return fmt.Errorf("cannot create directory for apparmor profiles %q: %s", dir, err)
 	}
-	_, removed, errEnsure := osutil.EnsureDirStateGlobs(dir, []string{glob1, glob2}, content)
-	// NOTE: load all profiles instead of just the changed profiles.  We're
-	// relying on apparmor cache to make this efficient. This gives us
-	// certainty that each call to Setup ends up with working profiles.
-	all := make([]string, 0, len(content))
+	changed, removed, errEnsure := osutil.EnsureDirStateGlobs(dir, globs, content)
+	// Find the set of unchanged profiles.
+	unchanged := make([]string, 0, len(content)-len(changed))
 	for name := range content {
-		all = append(all, name)
+		// changed is pre-sorted by EnsureDirStateGlobs
+		x := sort.SearchStrings(changed, name)
+		if x < len(changed) && changed[x] == name {
+			continue
+		}
+		unchanged = append(unchanged, name)
 	}
-	sort.Strings(all)
-	errReload := reloadProfiles(all, dir, cache)
+	sort.Strings(unchanged)
+	// Load all changed profiles with a flag that asks apparmor to skip reading
+	// the cache (since we know those changed for sure).  This allows us to
+	// work despite time being wrong (e.g. in the past). For more details see
+	// https://forum.snapcraft.io/t/apparmor-profile-caching/1268/18
+	pathnames := make([]string, len(changed))
+	for i, profile := range changed {
+		pathnames[i] = filepath.Join(dir, profile)
+	}
+	errReloadChanged := loadProfiles(pathnames, cache, skipReadCache)
+	// Load all unchanged profiles anyway. This ensures those are correct in
+	// the kernel even if the files on disk were not changed. We rely on
+	// apparmor cache to make this performant.
+	pathnames = make([]string, len(unchanged))
+	for i, profile := range unchanged {
+		pathnames[i] = filepath.Join(dir, profile)
+	}
+	errReloadOther := loadProfiles(pathnames, cache, 0)
 	errUnload := unloadProfiles(removed, cache)
 	if errEnsure != nil {
 		return fmt.Errorf("cannot synchronize security files for snap %q: %s", snapName, errEnsure)
 	}
-	if errReload != nil {
-		return errReload
+	if errReloadChanged != nil {
+		return errReloadChanged
+	}
+	if errReloadOther != nil {
+		return errReloadOther
 	}
 	return errUnload
 }
@@ -337,10 +394,9 @@
 // Remove removes and unloads apparmor profiles of a given snap.
 func (b *Backend) Remove(snapName string) error {
 	dir := dirs.SnapAppArmorDir
-	glob1 := fmt.Sprintf("snap*.%s*", snapName)
-	glob2 := fmt.Sprintf("snap-update-ns.%s", snapName)
+	globs := profileGlobs(snapName)
 	cache := dirs.AppArmorCacheDir
-	_, removed, errEnsure := osutil.EnsureDirStateGlobs(dir, []string{glob1, glob2}, nil)
+	_, removed, errEnsure := osutil.EnsureDirStateGlobs(dir, globs, nil)
 	errUnload := unloadProfiles(removed, cache)
 	if errEnsure != nil {
 		return fmt.Errorf("cannot synchronize security files for snap %q: %s", snapName, errEnsure)
@@ -350,10 +406,12 @@
 
 var (
 	templatePattern = regexp.MustCompile("(###[A-Z_]+###)")
-	attachPattern   = regexp.MustCompile(`\(attach_disconnected\)`)
 )
 
-const attachComplain = "(attach_disconnected,complain)"
+const (
+	attachPattern  = "(attach_disconnected,mediate_deleted)"
+	attachComplain = "(attach_disconnected,mediate_deleted,complain)"
+)
 
 func (b *Backend) deriveContent(spec *Specification, snapInfo *snap.Info, opts interfaces.ConfinementOptions) (content map[string]*osutil.FileState, err error) {
 	content = make(map[string]*osutil.FileState, len(snapInfo.Apps)+len(snapInfo.Hooks)+1)
@@ -361,18 +419,18 @@
 	// Add profile for each app.
 	for _, appInfo := range snapInfo.Apps {
 		securityTag := appInfo.SecurityTag()
-		addContent(securityTag, snapInfo, opts, spec.SnippetForTag(securityTag), content)
+		addContent(securityTag, snapInfo, opts, spec.SnippetForTag(securityTag), content, spec)
 	}
 	// Add profile for each hook.
 	for _, hookInfo := range snapInfo.Hooks {
 		securityTag := hookInfo.SecurityTag()
-		addContent(securityTag, snapInfo, opts, spec.SnippetForTag(securityTag), content)
+		addContent(securityTag, snapInfo, opts, spec.SnippetForTag(securityTag), content, spec)
 	}
 	// Add profile for snap-update-ns if we have any apps or hooks.
 	// If we have neither then we don't have any need to create an executing environment.
 	// This applies to, for example, kernel snaps or gadget snaps (unless they have hooks).
 	if len(content) > 0 {
-		snippets := strings.Join(spec.UpdateNS()[snapInfo.Name()], "\n")
+		snippets := strings.Join(spec.UpdateNS(), "\n")
 		addUpdateNSProfile(snapInfo, opts, snippets, content)
 	}
 
@@ -388,35 +446,74 @@
 	// Compute the template by injecting special updateNS snippets.
 	policy := templatePattern.ReplaceAllStringFunc(updateNSTemplate, func(placeholder string) string {
 		switch placeholder {
-		case "###SNAP_NAME###":
-			return snapInfo.Name()
+		case "###SNAP_INSTANCE_NAME###":
+			return snapInfo.InstanceName()
 		case "###SNIPPETS###":
+			if overlayRoot, _ := isRootWritableOverlay(); overlayRoot != "" {
+				snippets += strings.Replace(overlayRootSnippet, "###UPPERDIR###", overlayRoot, -1)
+			}
 			return snippets
 		}
 		return ""
 	})
 
 	// Ensure that the snap-update-ns profile is on disk.
-	profileName := fmt.Sprintf("snap-update-ns.%s", snapInfo.Name())
+	profileName := nsProfile(snapInfo.InstanceName())
 	content[profileName] = &osutil.FileState{
 		Content: []byte(policy),
 		Mode:    0644,
 	}
 }
 
-func addContent(securityTag string, snapInfo *snap.Info, opts interfaces.ConfinementOptions, snippetForTag string, content map[string]*osutil.FileState) {
-	var policy string
+func downgradeConfinement() bool {
+	kver := osutil.KernelVersion()
+	switch {
+	case release.DistroLike("opensuse-tumbleweed"):
+		if cmp, _ := strutil.VersionCompare(kver, "4.16"); cmp >= 0 {
+			// As a special exception, for openSUSE Tumbleweed which ships Linux
+			// 4.16, do not downgrade the confinement template.
+			return false
+		}
+	case release.DistroLike("arch", "archlinux"):
+		// The default kernel has AppArmor enabled since 4.18.8, the
+		// hardened one since 4.17.4
+		return false
+	}
+	return true
+}
+
+func addContent(securityTag string, snapInfo *snap.Info, opts interfaces.ConfinementOptions, snippetForTag string, content map[string]*osutil.FileState, spec *Specification) {
+	// Normally we use a specific apparmor template for all snap programs.
+	policy := defaultTemplate
+	ignoreSnippets := false
+	// Classic confinement (unless overridden by JailMode) has a dedicated
+	// permissive template that applies a strict, but very open, policy.
+	if opts.Classic && !opts.JailMode {
+		policy = classicTemplate
+		ignoreSnippets = true
+	}
 	// When partial AppArmor is detected, use the classic template for now. We could
 	// use devmode, but that could generate confusing log entries for users running
 	// snaps on systems with partial AppArmor support.
-	level := release.AppArmorLevel()
-	if level == release.PartialAppArmor || (opts.Classic && !opts.JailMode) {
-		policy = classicTemplate
-	} else {
-		policy = defaultTemplate
+	if release.AppArmorLevel() == release.PartialAppArmor {
+		// By default, downgrade confinement to the classic template when
+		// partial AppArmor support is detected. We don't want to use strict
+		// in general yet because older versions of the kernel did not
+		// provide backwards compatible interpretation of confinement
+		// so the meaning of the template would change across kernel
+		// versions and we have not validated that the current template
+		// is operational on older kernels.
+		if downgradeConfinement() {
+			policy = classicTemplate
+			ignoreSnippets = true
+		}
 	}
+	// If a snap is in devmode (or is using classic confinement) then make the
+	// profile non-enforcing where violations are logged but not denied.
+	// This is also done for classic so that no confinement applies. Just in
+	// case the profile we start with is not permissive enough.
 	if (opts.DevMode || opts.Classic) && !opts.JailMode {
-		policy = attachPattern.ReplaceAllString(policy, attachComplain)
+		policy = strings.Replace(policy, attachPattern, attachComplain, -1)
 	}
 	policy = templatePattern.ReplaceAllStringFunc(policy, func(placeholder string) string {
 		switch placeholder {
@@ -424,6 +521,14 @@
 			return templateVariables(snapInfo, securityTag)
 		case "###PROFILEATTACH###":
 			return fmt.Sprintf("profile \"%s\"", securityTag)
+		case "###CHANGEPROFILE_RULE###":
+			features, _ := parserFeatures()
+			for _, f := range features {
+				if f == "unsafe" {
+					return fmt.Sprintf("change_profile unsafe /**,")
+				}
+			}
+			return fmt.Sprintf("change_profile,")
 		case "###SNIPPETS###":
 			var tagSnippets string
 			if opts.Classic && opts.JailMode {
@@ -431,16 +536,16 @@
 				// and jailmode together. This snippet provides access to the core snap
 				// so that the dynamic linker and shared libraries can be used.
 				tagSnippets = classicJailmodeSnippet + "\n" + snippetForTag
-			} else if level == release.PartialAppArmor || (opts.Classic && !opts.JailMode) {
-				// When classic confinement (without jailmode) is in effect we
-				// are ignoring all apparmor snippets as they may conflict with
-				// the super-broad template we are starting with.
+			} else if ignoreSnippets {
+				// When classic confinement template is in effect we are
+				// ignoring all apparmor snippets as they may conflict with the
+				// super-broad template we are starting with.
 			} else {
 				// Check if NFS is mounted at or under $HOME. Because NFS is not
 				// transparent to apparmor we must alter the profile to counter that and
 				// allow access to SNAP_USER_* files.
 				tagSnippets = snippetForTag
-				if nfs, _ := osutil.IsHomeUsingNFS(); nfs {
+				if nfs, _ := isHomeUsingNFS(); nfs {
 					tagSnippets += nfsSnippet
 				}
 
@@ -449,6 +554,25 @@
 					tagSnippets += snippet
 				}
 			}
+
+			if !ignoreSnippets {
+				// For policy with snippets that request
+				// suppression of 'ptrace (trace)' denials, add
+				// the suppression rule unless another
+				// interface said it uses them.
+				if spec.SuppressPtraceTrace() && !spec.UsesPtraceTrace() {
+					tagSnippets += ptraceTraceDenySnippet
+				}
+
+				// Use 'ix' rules in the home interface unless an
+				// interface asked to suppress them
+				repl := "ix"
+				if spec.SuppressHomeIx() {
+					repl = ""
+				}
+				tagSnippets = strings.Replace(tagSnippets, "###HOME_IX###", repl, -1)
+			}
+
 			return tagSnippets
 		}
 		return ""
@@ -460,26 +584,43 @@
 	}
 }
 
-func reloadProfiles(profiles []string, profileDir, cacheDir string) error {
-	for _, profile := range profiles {
-		err := loadProfile(filepath.Join(profileDir, profile), cacheDir)
-		if err != nil {
-			return fmt.Errorf("cannot load apparmor profile %q: %s", profile, err)
-		}
-	}
-	return nil
+// NewSpecification returns a new, empty apparmor specification.
+func (b *Backend) NewSpecification() interfaces.Specification {
+	return &Specification{}
 }
 
-func unloadProfiles(profiles []string, cacheDir string) error {
-	for _, profile := range profiles {
-		if err := unloadProfile(profile, cacheDir); err != nil {
-			return fmt.Errorf("cannot unload apparmor profile %q: %s", profile, err)
+// SandboxFeatures returns the list of apparmor features supported by the kernel.
+func (b *Backend) SandboxFeatures() []string {
+	if release.AppArmorLevel() == release.NoAppArmor {
+		return nil
+	}
+
+	kFeatures, _ := kernelFeatures()
+	pFeatures, _ := parserFeatures()
+	tags := make([]string, 0, len(kFeatures)+len(pFeatures))
+	for _, feature := range kFeatures {
+		// Prepend "kernel:" to apparmor kernel features to namespace them and
+		// allow us to introduce our own tags later.
+		tags = append(tags, "kernel:"+feature)
+	}
+
+	for _, feature := range pFeatures {
+		// Prepend "parser:" to apparmor kernel features to namespace
+		// them and allow us to introduce our own tags later.
+		tags = append(tags, "parser:"+feature)
+	}
+
+	level := "full"
+	policy := "default"
+	if release.AppArmorLevel() == release.PartialAppArmor {
+		level = "partial"
+
+		if downgradeConfinement() {
+			policy = "downgraded"
 		}
 	}
-	return nil
-}
+	tags = append(tags, fmt.Sprintf("support-level:%s", level))
+	tags = append(tags, fmt.Sprintf("policy:%s", policy))
 
-// NewSpecification returns a new, empty apparmor specification.
-func (b *Backend) NewSpecification() interfaces.Specification {
-	return &Specification{}
+	return tags
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/backend_test.go snapd-2.37~rc1~14.04/interfaces/apparmor/backend_test.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,7 +25,6 @@
 	"os"
 	"os/user"
 	"path/filepath"
-	"strings"
 
 	. "gopkg.in/check.v1"
 
@@ -92,11 +91,7 @@
 	s.BackendSuite.SetUpTest(c)
 	c.Assert(s.Repo.AddBackend(s.Backend), IsNil)
 
-	// Prepare a directory for apparmor profiles.
-	// NOTE: Normally this is a part of the OS snap.
-	err := os.MkdirAll(dirs.SnapAppArmorDir, 0700)
-	c.Assert(err, IsNil)
-	err = os.MkdirAll(dirs.AppArmorCacheDir, 0700)
+	err := os.MkdirAll(dirs.AppArmorCacheDir, 0700)
 	c.Assert(err, IsNil)
 	// Mock away any real apparmor interaction
 	s.parserCmd = testutil.MockCommand(c, "apparmor_parser", fakeAppArmorParser)
@@ -115,7 +110,7 @@
 }
 
 func (s *backendSuite) TestInstallingSnapWritesAndLoadsProfiles(c *C) {
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.SambaYamlV1, 1)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
 	updateNSProfile := filepath.Join(dirs.SnapAppArmorDir, "snap-update-ns.samba")
 	profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
 	// file called "snap.sambda.smbd" was created
@@ -123,13 +118,12 @@
 	c.Check(err, IsNil)
 	// apparmor_parser was used to load that file
 	c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", profile},
+		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--skip-read-cache", "--quiet", updateNSProfile, profile},
 	})
 }
 
 func (s *backendSuite) TestInstallingSnapWithHookWritesAndLoadsProfiles(c *C) {
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.HookYaml, 1)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.HookYaml, 1)
 	profile := filepath.Join(dirs.SnapAppArmorDir, "snap.foo.hook.configure")
 	updateNSProfile := filepath.Join(dirs.SnapAppArmorDir, "snap-update-ns.foo")
 
@@ -138,8 +132,7 @@
 	c.Check(err, IsNil)
 	// apparmor_parser was used to load that file
 	c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", profile},
+		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--skip-read-cache", "--quiet", updateNSProfile, profile},
 	})
 }
 
@@ -154,7 +147,7 @@
 `
 
 func (s *backendSuite) TestInstallingSnapWithLayoutWritesAndLoadsProfiles(c *C) {
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, layoutYaml, 1)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", layoutYaml, 1)
 	appProfile := filepath.Join(dirs.SnapAppArmorDir, "snap.myapp.myapp")
 	updateNSProfile := filepath.Join(dirs.SnapAppArmorDir, "snap-update-ns.myapp")
 	// both profiles were created
@@ -165,8 +158,7 @@
 	// TODO: check for layout snippets inside the generated file once we have some snippets to check for.
 	// apparmor_parser was used to load them
 	c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", appProfile},
+		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--skip-read-cache", "--quiet", updateNSProfile, appProfile},
 	})
 }
 
@@ -179,21 +171,20 @@
 	// Installing a snap that doesn't have either hooks or apps doesn't generate
 	// any apparmor profiles because there is no executable content that would need
 	// an execution environment and the corresponding mount namespace.
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, gadgetYaml, 1)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", gadgetYaml, 1)
 	c.Check(s.parserCmd.Calls(), HasLen, 0)
 }
 
 func (s *backendSuite) TestProfilesAreAlwaysLoaded(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 1)
 		s.parserCmd.ForgetCalls()
 		err := s.Backend.Setup(snapInfo, opts, s.Repo)
 		c.Assert(err, IsNil)
 		updateNSProfile := filepath.Join(dirs.SnapAppArmorDir, "snap-update-ns.samba")
 		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", profile},
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile, profile},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -201,7 +192,7 @@
 
 func (s *backendSuite) TestRemovingSnapRemovesAndUnloadsProfiles(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 1)
 		s.parserCmd.ForgetCalls()
 		s.RemoveSnap(c, snapInfo)
 		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
@@ -214,15 +205,14 @@
 		c.Check(os.IsNotExist(err), Equals, true)
 		// apparmor_parser was used to unload the profile
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-			{"apparmor_parser", "--remove", "snap-update-ns.samba"},
-			{"apparmor_parser", "--remove", "snap.samba.smbd"},
+			{"apparmor_parser", "--remove", "snap-update-ns.samba", "snap.samba.smbd"},
 		})
 	}
 }
 
 func (s *backendSuite) TestRemovingSnapWithHookRemovesAndUnloadsProfiles(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.HookYaml, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.HookYaml, 1)
 		s.parserCmd.ForgetCalls()
 		s.RemoveSnap(c, snapInfo)
 		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.foo.hook.configure")
@@ -235,15 +225,14 @@
 		c.Check(os.IsNotExist(err), Equals, true)
 		// apparmor_parser was used to unload the profile
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-			{"apparmor_parser", "--remove", "snap-update-ns.foo"},
-			{"apparmor_parser", "--remove", "snap.foo.hook.configure"},
+			{"apparmor_parser", "--remove", "snap-update-ns.foo", "snap.foo.hook.configure"},
 		})
 	}
 }
 
 func (s *backendSuite) TestUpdatingSnapMakesNeccesaryChanges(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 1)
 		s.parserCmd.ForgetCalls()
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 2)
 		updateNSProfile := filepath.Join(dirs.SnapAppArmorDir, "snap-update-ns.samba")
@@ -251,8 +240,8 @@
 		// apparmor_parser was used to reload the profile because snap revision
 		// is inside the generated policy.
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--skip-read-cache", "--quiet", profile},
 			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", profile},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -260,7 +249,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithMoreApps(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 1)
 		s.parserCmd.ForgetCalls()
 		// NOTE: the revision is kept the same to just test on the new application being added
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1WithNmbd, 1)
@@ -270,11 +259,10 @@
 		// file called "snap.sambda.nmbd" was created
 		_, err := os.Stat(nmbdProfile)
 		c.Check(err, IsNil)
-		// apparmor_parser was used to load the both profiles
+		// apparmor_parser was used to load all the profiles, the nmbd profile is new so we force invalidate its cache (if any).
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", nmbdProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", smbdProfile},
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--skip-read-cache", "--quiet", nmbdProfile},
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile, smbdProfile},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -282,7 +270,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithMoreHooks(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1WithNmbd, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1WithNmbd, 1)
 		s.parserCmd.ForgetCalls()
 		// NOTE: the revision is kept the same to just test on the new application being added
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlWithHook, 1)
@@ -294,12 +282,10 @@
 		// Verify that profile "snap.samba.hook.configure" was created
 		_, err := os.Stat(hookProfile)
 		c.Check(err, IsNil)
-		// apparmor_parser was used to load all the profiles
+		// apparmor_parser was used to load all the profiles, the hook profile has changed so we force invalidate its cache.
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", hookProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", nmbdProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", smbdProfile},
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--skip-read-cache", "--quiet", hookProfile},
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile, nmbdProfile, smbdProfile},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -307,7 +293,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithFewerApps(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1WithNmbd, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1WithNmbd, 1)
 		s.parserCmd.ForgetCalls()
 		// NOTE: the revision is kept the same to just test on the application being removed
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 1)
@@ -319,8 +305,7 @@
 		c.Check(os.IsNotExist(err), Equals, true)
 		// apparmor_parser was used to remove the unused profile
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", smbdProfile},
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile, smbdProfile},
 			{"apparmor_parser", "--remove", "snap.samba.nmbd"},
 		})
 		s.RemoveSnap(c, snapInfo)
@@ -329,7 +314,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithFewerHooks(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlWithHook, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlWithHook, 1)
 		s.parserCmd.ForgetCalls()
 		// NOTE: the revision is kept the same to just test on the application being removed
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1WithNmbd, 1)
@@ -343,15 +328,70 @@
 		c.Check(os.IsNotExist(err), Equals, true)
 		// apparmor_parser was used to remove the unused profile
 		c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", nmbdProfile},
-			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", smbdProfile},
+			{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s/var/cache/apparmor", s.RootDir), "--quiet", updateNSProfile, nmbdProfile, smbdProfile},
 			{"apparmor_parser", "--remove", "snap.samba.hook.configure"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
 }
 
+const snapcraftPrYaml = `name: snapcraft-pr
+version: 1
+apps:
+  snapcraft-pr:
+    cmd: snapcraft-pr
+`
+
+const snapcraftYaml = `name: snapcraft
+version: 1
+apps:
+  snapcraft:
+    cmd: snapcraft
+`
+
+func (s *backendSuite) TestInstallingSnapDoesntBreakSnapsWithPrefixName(c *C) {
+	snapcraftProfile := filepath.Join(dirs.SnapAppArmorDir, "snap.snapcraft.snapcraft")
+	snapcraftPrProfile := filepath.Join(dirs.SnapAppArmorDir, "snap.snapcraft-pr.snapcraft-pr")
+	// Install snapcraft-pr and check that its profile was created.
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", snapcraftPrYaml, 1)
+	_, err := os.Stat(snapcraftPrProfile)
+	c.Check(err, IsNil)
+
+	// Install snapcraft (sans the -pr suffix) and check that its profile was created.
+	// Check that this didn't remove the profile of snapcraft-pr installed earlier.
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", snapcraftYaml, 1)
+	_, err = os.Stat(snapcraftProfile)
+	c.Check(err, IsNil)
+	_, err = os.Stat(snapcraftPrProfile)
+	c.Check(err, IsNil)
+}
+
+func (s *backendSuite) TestRemovingSnapDoesntBreakSnapsWIthPrefixName(c *C) {
+	snapcraftProfile := filepath.Join(dirs.SnapAppArmorDir, "snap.snapcraft.snapcraft")
+	snapcraftPrProfile := filepath.Join(dirs.SnapAppArmorDir, "snap.snapcraft-pr.snapcraft-pr")
+
+	// Install snapcraft-pr and check that its profile was created.
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", snapcraftPrYaml, 1)
+	_, err := os.Stat(snapcraftPrProfile)
+	c.Check(err, IsNil)
+
+	// Install snapcraft (sans the -pr suffix) and check that its profile was created.
+	// Check that this didn't remove the profile of snapcraft-pr installed earlier.
+	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{}, "", snapcraftYaml, 1)
+	_, err = os.Stat(snapcraftProfile)
+	c.Check(err, IsNil)
+	_, err = os.Stat(snapcraftPrProfile)
+	c.Check(err, IsNil)
+
+	// Remove snapcraft (sans the -pr suffix) and check that its profile was removed.
+	// Check that this didn't remove the profile of snapcraft-pr installed earlier.
+	s.RemoveSnap(c, snapInfo)
+	_, err = os.Stat(snapcraftProfile)
+	c.Check(os.IsNotExist(err), Equals, true)
+	_, err = os.Stat(snapcraftPrProfile)
+	c.Check(err, IsNil)
+}
+
 func (s *backendSuite) TestRealDefaultTemplateIsNormallyUsed(c *C) {
 	restore := release.MockAppArmorLevel(release.FullAppArmor)
 	defer restore()
@@ -381,41 +421,44 @@
 }
 
 const commonPrefix = `
+# This is a snap name without the instance key
 @{SNAP_NAME}="samba"
+# This is a snap name with instance key
+@{SNAP_INSTANCE_NAME}="samba"
 @{SNAP_REVISION}="1"
 @{PROFILE_DBUS}="snap_2esamba_2esmbd"
-@{INSTALL_DIR}="/snap"`
+@{INSTALL_DIR}="/{,var/lib/snapd/}snap"`
 
 var combineSnippetsScenarios = []combineSnippetsScenario{{
 	// By default apparmor is enforcing mode.
 	opts:    interfaces.ConfinementOptions{},
-	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected) {\n\n}\n",
+	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,mediate_deleted) {\n\n}\n",
 }, {
 	// Snippets are injected in the space between "{" and "}"
 	opts:    interfaces.ConfinementOptions{},
 	snippet: "snippet",
-	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n",
+	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,mediate_deleted) {\nsnippet\n}\n",
 }, {
 	// DevMode switches apparmor to non-enforcing (complain) mode.
 	opts:    interfaces.ConfinementOptions{DevMode: true},
 	snippet: "snippet",
-	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,complain) {\nsnippet\n}\n",
+	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,mediate_deleted,complain) {\nsnippet\n}\n",
 }, {
 	// JailMode switches apparmor to enforcing mode even in the presence of DevMode.
 	opts:    interfaces.ConfinementOptions{DevMode: true},
 	snippet: "snippet",
-	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,complain) {\nsnippet\n}\n",
+	content: commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,mediate_deleted,complain) {\nsnippet\n}\n",
 }, {
 	// Classic confinement (without jailmode) uses apparmor in complain mode by default and ignores all snippets.
 	opts:    interfaces.ConfinementOptions{Classic: true},
 	snippet: "snippet",
-	content: "\n#classic" + commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,complain) {\n\n}\n",
+	content: "\n#classic" + commonPrefix + "\nprofile \"snap.samba.smbd\" (attach_disconnected,mediate_deleted,complain) {\n\n}\n",
 }, {
 	// Classic confinement in JailMode uses enforcing apparmor.
 	opts:    interfaces.ConfinementOptions{Classic: true, JailMode: true},
 	snippet: "snippet",
 	content: commonPrefix + `
-profile "snap.samba.smbd" (attach_disconnected) {
+profile "snap.samba.smbd" (attach_disconnected,mediate_deleted) {
 
   # Read-only access to the core snap.
   @{INSTALL_DIR}/core/** r,
@@ -434,7 +477,7 @@
 func (s *backendSuite) TestCombineSnippets(c *C) {
 	restore := release.MockAppArmorLevel(release.FullAppArmor)
 	defer restore()
-	restore = osutil.MockMountInfo("") // mock away NFS detection
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 	defer restore()
 	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
 	defer restore()
@@ -442,18 +485,18 @@
 	// NOTE: replace the real template with a shorter variant
 	restoreTemplate := apparmor.MockTemplate("\n" +
 		"###VAR###\n" +
-		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###PROFILEATTACH### (attach_disconnected,mediate_deleted) {\n" +
 		"###SNIPPETS###\n" +
 		"}\n")
 	defer restoreTemplate()
 	restoreClassicTemplate := apparmor.MockClassicTemplate("\n" +
 		"#classic\n" +
 		"###VAR###\n" +
-		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###PROFILEATTACH### (attach_disconnected,mediate_deleted) {\n" +
 		"###SNIPPETS###\n" +
 		"}\n")
 	defer restoreClassicTemplate()
-	for _, scenario := range combineSnippetsScenarios {
+	for i, scenario := range combineSnippetsScenarios {
 		s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
 			if scenario.snippet == "" {
 				return nil
@@ -461,9 +504,47 @@
 			spec.AddSnippet(scenario.snippet)
 			return nil
 		}
-		snapInfo := s.InstallSnap(c, scenario.opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, scenario.opts, "", ifacetest.SambaYamlV1, 1)
+		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
+		c.Check(profile, testutil.FileEquals, scenario.content, Commentf("scenario %d: %#v", i, scenario))
+		stat, err := os.Stat(profile)
+		c.Assert(err, IsNil)
+		c.Check(stat.Mode(), Equals, os.FileMode(0644))
+		s.RemoveSnap(c, snapInfo)
+	}
+}
+
+func (s *backendSuite) TestCombineSnippetsChangeProfile(c *C) {
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+	defer restore()
+
+	restoreClassicTemplate := apparmor.MockClassicTemplate("###CHANGEPROFILE_RULE###")
+	defer restoreClassicTemplate()
+
+	type changeProfileScenario struct {
+		features []string
+		expected string
+	}
+
+	var changeProfileScenarios = []changeProfileScenario{{
+		features: []string{},
+		expected: "change_profile,",
+	}, {
+		features: []string{"unsafe"},
+		expected: "change_profile unsafe /**,",
+	}}
+
+	for i, scenario := range changeProfileScenarios {
+		restore = apparmor.MockParserFeatures(func() ([]string, error) { return scenario.features, nil })
+		defer restore()
+
+		snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{Classic: true}, "", ifacetest.SambaYamlV1, 1)
 		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
-		c.Check(profile, testutil.FileEquals, scenario.content)
+		c.Check(profile, testutil.FileEquals, scenario.expected, Commentf("scenario %d: %#v", i, scenario))
 		stat, err := os.Stat(profile)
 		c.Assert(err, IsNil)
 		c.Check(stat.Mode(), Equals, os.FileMode(0644))
@@ -471,8 +552,204 @@
 	}
 }
 
+func (s *backendSuite) TestParallelInstallCombineSnippets(c *C) {
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+	defer restore()
+
+	// NOTE: replace the real template with a shorter variant
+	restoreTemplate := apparmor.MockTemplate("\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected,mediate_deleted) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreTemplate()
+	restoreClassicTemplate := apparmor.MockClassicTemplate("\n" +
+		"#classic\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected,mediate_deleted) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreClassicTemplate()
+	s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+		return nil
+	}
+	expected := `
+# This is a snap name without the instance key
+@{SNAP_NAME}="samba"
+# This is a snap name with instance key
+@{SNAP_INSTANCE_NAME}="samba_foo"
+@{SNAP_REVISION}="1"
+@{PROFILE_DBUS}="snap_2esamba_5ffoo_2esmbd"
+@{INSTALL_DIR}="/{,var/lib/snapd/}snap"
+profile "snap.samba_foo.smbd" (attach_disconnected,mediate_deleted) {
+
+}
+`
+	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{}, "samba_foo", ifacetest.SambaYamlV1, 1)
+	c.Assert(snapInfo, NotNil)
+	profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba_foo.smbd")
+	stat, err := os.Stat(profile)
+	c.Assert(err, IsNil)
+	c.Check(profile, testutil.FileEquals, expected)
+	c.Check(stat.Mode(), Equals, os.FileMode(0644))
+	s.RemoveSnap(c, snapInfo)
+}
+
+// On openSUSE Tumbleweed partial apparmor support doesn't change apparmor template to classic.
+// Strict confinement template, along with snippets, are used.
+func (s *backendSuite) TestCombineSnippetsOpenSUSETumbleweed(c *C) {
+	restore := release.MockAppArmorLevel(release.PartialAppArmor)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "opensuse-tumbleweed"})
+	defer restore()
+	restore = osutil.MockKernelVersion("4.16.10-1-default")
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+	defer restore()
+	// NOTE: replace the real template with a shorter variant
+	restoreTemplate := apparmor.MockTemplate("\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreTemplate()
+	restoreClassicTemplate := apparmor.MockClassicTemplate("\n" +
+		"#classic\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreClassicTemplate()
+	s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+		spec.AddSnippet("snippet")
+		return nil
+	}
+
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
+	profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
+	c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n")
+}
+
+// On openSUSE Tumbleweed running older kernel partial apparmor support changes
+// apparmor template to classic.
+func (s *backendSuite) TestCombineSnippetsOpenSUSETumbleweedOldKernel(c *C) {
+	restore := release.MockAppArmorLevel(release.PartialAppArmor)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "opensuse-tumbleweed"})
+	defer restore()
+	restore = osutil.MockKernelVersion("4.14")
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+	defer restore()
+	// NOTE: replace the real template with a shorter variant
+	restoreTemplate := apparmor.MockTemplate("\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreTemplate()
+	restoreClassicTemplate := apparmor.MockClassicTemplate("\n" +
+		"#classic\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreClassicTemplate()
+	s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+		spec.AddSnippet("snippet")
+		return nil
+	}
+
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
+	profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
+	c.Check(profile, testutil.FileEquals, "\n#classic"+commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\n\n}\n")
+}
+
+func (s *backendSuite) TestCombineSnippetsArchOldIDSufficientHardened(c *C) {
+	restore := release.MockAppArmorLevel(release.PartialAppArmor)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "arch", IDLike: []string{"archlinux"}})
+	defer restore()
+	restore = osutil.MockKernelVersion("4.18.2.a-1-hardened")
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+	defer restore()
+	// NOTE: replace the real template with a shorter variant
+	restoreTemplate := apparmor.MockTemplate("\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreTemplate()
+	restoreClassicTemplate := apparmor.MockClassicTemplate("\n" +
+		"#classic\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreClassicTemplate()
+	s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+		spec.AddSnippet("snippet")
+		return nil
+	}
+
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
+	profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
+	c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n")
+}
+
+func (s *backendSuite) TestCombineSnippetsArchSufficientHardened(c *C) {
+	restore := release.MockAppArmorLevel(release.PartialAppArmor)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "archlinux"})
+	defer restore()
+	restore = osutil.MockKernelVersion("4.18.2.a-1-hardened")
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "", nil })
+	defer restore()
+	// NOTE: replace the real template with a shorter variant
+	restoreTemplate := apparmor.MockTemplate("\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreTemplate()
+	restoreClassicTemplate := apparmor.MockClassicTemplate("\n" +
+		"#classic\n" +
+		"###VAR###\n" +
+		"###PROFILEATTACH### (attach_disconnected) {\n" +
+		"###SNIPPETS###\n" +
+		"}\n")
+	defer restoreClassicTemplate()
+	s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+		spec.AddSnippet("snippet")
+		return nil
+	}
+
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
+	profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
+	c.Check(profile, testutil.FileEquals, commonPrefix+"\nprofile \"snap.samba.smbd\" (attach_disconnected) {\nsnippet\n}\n")
+}
+
 const coreYaml = `name: core
 version: 1
+type: os
+`
+
+const snapdYaml = `name: snapd
+version: 1
 `
 
 func (s *backendSuite) writeVanillaSnapConfineProfile(c *C, coreInfo *snap.Info) {
@@ -484,7 +761,6 @@
     /etc/ld.so.cache r,
 }
 `)
-	c.Assert(os.MkdirAll(dirs.SystemApparmorDir, 0755), IsNil)
 	c.Assert(os.MkdirAll(filepath.Dir(vanillaProfilePath), 0755), IsNil)
 	c.Assert(ioutil.WriteFile(vanillaProfilePath, vanillaProfileText, 0644), IsNil)
 }
@@ -494,9 +770,9 @@
 	coreInfo := snaptest.MockInfo(c, coreYaml, &snap.SideInfo{Revision: snap.R(111)})
 	s.writeVanillaSnapConfineProfile(c, coreInfo)
 	// We expect to see the same profile, just anchored at a different directory.
-	expectedProfileDir := filepath.Join(dirs.GlobalRootDir, "/etc/apparmor.d")
-	expectedProfileName := strings.Replace(filepath.Join(coreInfo.MountDir(), "usr/lib/snapd/snap-confine")[1:], "/", ".", -1)
-	expectedProfileGlob := strings.Replace(expectedProfileName, "."+coreInfo.Revision.String()+".", ".*.", -1)
+	expectedProfileDir := filepath.Join(dirs.GlobalRootDir, "/var/lib/snapd/apparmor/profiles")
+	expectedProfileName := "snap-confine.core.111"
+	expectedProfileGlob := "snap-confine.core.*"
 	expectedProfileText := fmt.Sprintf(`#include <tunables/global>
 %s/usr/lib/snapd/snap-confine (attach_disconnected) {
     # We run privileged, so be fanatical about what we include and don't use
@@ -508,7 +784,7 @@
 	c.Assert(expectedProfileName, testutil.Contains, coreInfo.Revision.String())
 
 	// Compute the profile and see if it matches.
-	dir, glob, content, err := apparmor.SnapConfineFromCoreProfile(coreInfo)
+	dir, glob, content, err := apparmor.SnapConfineFromSnapProfile(coreInfo)
 	c.Assert(err, IsNil)
 	c.Assert(dir, Equals, expectedProfileDir)
 	c.Assert(glob, Equals, expectedProfileGlob)
@@ -520,6 +796,52 @@
 	})
 }
 
+func (s *backendSuite) TestSnapConfineProfileFromSnapdSnap(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+	dirs.SetRootDir(s.RootDir)
+
+	snapdInfo := snaptest.MockInfo(c, snapdYaml, &snap.SideInfo{Revision: snap.R(222)})
+	s.writeVanillaSnapConfineProfile(c, snapdInfo)
+
+	// We expect to see the same profile, just anchored at a different directory.
+	expectedProfileDir := filepath.Join(dirs.GlobalRootDir, "/var/lib/snapd/apparmor/profiles")
+	expectedProfileName := "snap-confine.snapd.222"
+	expectedProfileGlob := "snap-confine.snapd.*"
+	expectedProfileText := fmt.Sprintf(`#include <tunables/global>
+%s/usr/lib/snapd/snap-confine (attach_disconnected) {
+    # We run privileged, so be fanatical about what we include and don't use
+    # any abstractions
+    /etc/ld.so.cache r,
+}
+`, snapdInfo.MountDir())
+
+	c.Assert(expectedProfileName, testutil.Contains, snapdInfo.Revision.String())
+
+	// Compute the profile and see if it matches.
+	dir, glob, content, err := apparmor.SnapConfineFromSnapProfile(snapdInfo)
+	c.Assert(err, IsNil)
+	c.Assert(dir, Equals, expectedProfileDir)
+	c.Assert(glob, Equals, expectedProfileGlob)
+	c.Assert(content, DeepEquals, map[string]*osutil.FileState{
+		expectedProfileName: {
+			Content: []byte(expectedProfileText),
+			Mode:    0644,
+		},
+	})
+}
+
+func (s *backendSuite) TestSnapConfineFromSnapProfileCreatesAllDirs(c *C) {
+	c.Assert(osutil.IsDirectory(dirs.SnapAppArmorDir), Equals, false)
+	coreInfo := snaptest.MockInfo(c, coreYaml, &snap.SideInfo{Revision: snap.R(111)})
+
+	s.writeVanillaSnapConfineProfile(c, coreInfo)
+
+	err := apparmor.SetupSnapConfineReexec(coreInfo)
+	c.Assert(err, IsNil)
+	c.Assert(osutil.IsDirectory(dirs.SnapAppArmorDir), Equals, true)
+}
+
 func (s *backendSuite) TestSetupHostSnapConfineApparmorForReexecCleans(c *C) {
 	restorer := release.MockOnClassic(true)
 	defer restorer()
@@ -529,15 +851,15 @@
 	coreInfo := snaptest.MockInfo(c, coreYaml, &snap.SideInfo{Revision: snap.R(111)})
 	s.writeVanillaSnapConfineProfile(c, coreInfo)
 
-	canaryName := strings.Replace(filepath.Join(dirs.SnapMountDir, "/core/2718/usr/lib/snapd/snap-confine"), "/", ".", -1)[1:]
-	canary := filepath.Join(dirs.SystemApparmorDir, canaryName)
+	canaryName := "snap-confine.core.2718"
+	canary := filepath.Join(dirs.SnapAppArmorDir, canaryName)
 	err := os.MkdirAll(filepath.Dir(canary), 0755)
 	c.Assert(err, IsNil)
 	err = ioutil.WriteFile(canary, nil, 0644)
 	c.Assert(err, IsNil)
 
 	// install the new core snap on classic triggers cleanup
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, coreYaml, 111)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", coreYaml, 111)
 
 	c.Check(osutil.FileExists(canary), Equals, false)
 	c.Check(s.parserCmd.Calls(), testutil.DeepContains, []string{
@@ -556,12 +878,12 @@
 
 	// Install the new core snap on classic triggers a new snap-confine
 	// for this snap-confine on core
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, coreYaml, 111)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", coreYaml, 111)
 
-	newAA, err := filepath.Glob(filepath.Join(dirs.SystemApparmorDir, "*"))
+	newAA, err := filepath.Glob(filepath.Join(dirs.SnapAppArmorDir, "*"))
 	c.Assert(err, IsNil)
 	c.Assert(newAA, HasLen, 1)
-	c.Check(newAA[0], Matches, `.*/etc/apparmor.d/.*.snap.core.111.usr.lib.snapd.snap-confine`)
+	c.Check(newAA[0], Matches, `.*/var/lib/snapd/apparmor/profiles/snap-confine.core.111`)
 
 	// This is the key, rewriting "/usr/lib/snapd/snap-confine
 	c.Check(newAA[0], testutil.FileContains, "/snap/core/111/usr/lib/snapd/snap-confine (attach_disconnected) {")
@@ -575,7 +897,7 @@
 `, dirs.SnapMountDir))
 
 	c.Check(s.parserCmd.Calls(), DeepEquals, [][]string{
-		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s", dirs.SystemApparmorCacheDir), "--quiet", newAA[0]},
+		{"apparmor_parser", "--replace", "--write-cache", "-O", "no-expr-simplify", fmt.Sprintf("--cache-loc=%s", dirs.AppArmorCacheDir), "--quiet", newAA[0]},
 	})
 
 	// snap-confine directory was created
@@ -603,7 +925,7 @@
 
 	// install the new core snap on classic triggers a new snap-confine
 	// for this snap-confine on core
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, coreYaml, 111)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", coreYaml, 111)
 
 	l, err := filepath.Glob(filepath.Join(dirs.SystemApparmorCacheDir, "*"))
 	c.Assert(err, IsNil)
@@ -611,76 +933,10 @@
 	c.Check(l, DeepEquals, []string{dirsAreKept, symlinksAreKept})
 }
 
-func (s *backendSuite) TestIsHomeUsingNFS(c *C) {
-	cases := []struct {
-		mountinfo, fstab string
-		nfs              bool
-		errorPattern     string
-	}{{
-		// Errors from parsing mountinfo and fstab are propagated.
-		mountinfo:    "bad syntax",
-		errorPattern: "cannot parse .*/mountinfo.*, .*",
-	}, {
-		fstab:        "bad syntax",
-		errorPattern: "cannot parse .*/fstab.*, .*",
-	}, {
-		// NFSv3 {tcp,udp} and NFSv4 currently mounted at /home/zyga/nfs are recognized.
-		mountinfo: "1074 28 0:59 / /home/zyga/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=54125,mountproto=tcp,local_lock=none,addr=127.0.0.1",
-		nfs:       true,
-	}, {
-		mountinfo: "1074 28 0:59 / /home/zyga/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=udp,timeo=11,retrans=3,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=47875,mountproto=udp,local_lock=none,addr=127.0.0.1",
-		nfs:       true,
-	}, {
-		mountinfo: "680 27 0:59 / /home/zyga/nfs rw,relatime shared:478 - nfs4 localhost:/srv/nfs rw,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1",
-		nfs:       true,
-	}, {
-		// NFSv3 {tcp,udp} and NFSv4 currently mounted at /home/zyga/nfs are ignored (not in $HOME).
-		mountinfo: "1074 28 0:59 / /mnt/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=54125,mountproto=tcp,local_lock=none,addr=127.0.0.1",
-	}, {
-		mountinfo: "1074 28 0:59 / /mnt/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=udp,timeo=11,retrans=3,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=47875,mountproto=udp,local_lock=none,addr=127.0.0.1",
-	}, {
-		mountinfo: "680 27 0:59 / /mnt/nfs rw,relatime shared:478 - nfs4 localhost:/srv/nfs rw,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1",
-	}, {
-		// NFS that may be mounted at /home and /home/zyga/nfs is recognized.
-		// Two spellings are possible, "nfs" and "nfs4" (they are equivalent
-		// nowadays).
-		fstab: "localhost:/srv/nfs /home nfs defaults 0 0",
-		nfs:   true,
-	}, {
-		fstab: "localhost:/srv/nfs /home nfs4 defaults 0 0",
-		nfs:   true,
-	}, {
-		fstab: "localhost:/srv/nfs /home/zyga/nfs nfs defaults 0 0",
-		nfs:   true,
-	}, {
-		fstab: "localhost:/srv/nfs /home/zyga/nfs nfs4 defaults 0 0",
-		nfs:   true,
-	}, {
-		// NFS that may be mounted at /mnt/nfs is ignored (not in $HOME).
-		fstab: "localhost:/srv/nfs /mnt/nfs nfs defaults 0 0",
-	}}
-	for _, tc := range cases {
-		restore := osutil.MockMountInfo(tc.mountinfo)
-		defer restore()
-		restore = osutil.MockEtcFstab(tc.fstab)
-		defer restore()
-
-		nfs, err := osutil.IsHomeUsingNFS()
-		if tc.errorPattern != "" {
-			c.Assert(err, ErrorMatches, tc.errorPattern, Commentf("test case %#v", tc))
-		} else {
-			c.Assert(err, IsNil)
-		}
-		c.Assert(nfs, Equals, tc.nfs)
-	}
-}
-
 // snap-confine policy when NFS is not used.
 func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyNoNFS(c *C) {
 	// Make it appear as if NFS was not used.
-	restore := osutil.MockMountInfo("")
-	defer restore()
-	restore = osutil.MockEtcFstab("")
+	restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 	defer restore()
 
 	// Intercept interaction with apparmor_parser
@@ -702,30 +958,6 @@
 	c.Assert(cmd.Calls(), HasLen, 0)
 }
 
-func MockEnableNFSWorkaroundCondition() (restore func()) {
-	// Mock mountinfo and fstab so that snapd thinks that NFS workaround
-	// is necessary. The details don't matter here. See TestIsHomeUsingNFS
-	// for details about what triggers the workaround.
-	restore1 := osutil.MockMountInfo("")
-	restore2 := osutil.MockEtcFstab("localhost:/srv/nfs /home nfs4 defaults 0 0")
-	return func() {
-		restore1()
-		restore2()
-	}
-}
-
-func MockDisableNFSWorkaroundCondition() (restore func()) {
-	// Mock mountinfo and fstab so that snapd thinks that NFS workaround is not
-	// necessary. The details don't matter here. See TestIsHomeUsingNFS for
-	// details about what triggers the workaround.
-	restore1 := osutil.MockMountInfo("")
-	restore2 := osutil.MockEtcFstab("")
-	return func() {
-		restore1()
-		restore2()
-	}
-}
-
 // Ensure that both names of the snap-confine apparmor profile are supported.
 
 func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyWithNFS1(c *C) {
@@ -739,7 +971,7 @@
 // snap-confine policy when NFS is used and snapd has not re-executed.
 func (s *backendSuite) testSetupSnapConfineGeneratedPolicyWithNFS(c *C, profileFname string) {
 	// Make it appear as if NFS workaround was needed.
-	restore := MockEnableNFSWorkaroundCondition()
+	restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 	defer restore()
 
 	// Intercept interaction with apparmor_parser
@@ -784,9 +1016,11 @@
 	c.Assert(cmd.Calls(), HasLen, 1)
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{{
 		"apparmor_parser", "--replace",
-		"-O", "no-expr-simplify",
 		"--write-cache",
-		"--cache-loc", dirs.SystemApparmorCacheDir,
+		"-O", "no-expr-simplify",
+		"--cache-loc=" + dirs.SystemApparmorCacheDir,
+		"--skip-read-cache",
+		"--quiet",
 		profilePath,
 	}})
 }
@@ -794,7 +1028,7 @@
 // snap-confine policy when NFS is used and snapd has re-executed.
 func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyWithNFSAndReExec(c *C) {
 	// Make it appear as if NFS workaround was needed.
-	restore := MockEnableNFSWorkaroundCondition()
+	restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 	defer restore()
 
 	// Intercept interaction with apparmor_parser
@@ -834,8 +1068,8 @@
 
 // Test behavior when isHomeUsingNFS fails.
 func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError1(c *C) {
-	// Make corrupt mountinfo.
-	restore := osutil.MockMountInfo("corrupt")
+	// Make it appear as if NFS detection was broken.
+	restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, fmt.Errorf("broken") })
 	defer restore()
 
 	// Intercept interaction with apparmor_parser
@@ -871,7 +1105,7 @@
 // Test behavior when os.Readlink "/proc/self/exe" fails.
 func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError2(c *C) {
 	// Make it appear as if NFS workaround was needed.
-	restore := MockEnableNFSWorkaroundCondition()
+	restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 	defer restore()
 
 	// Intercept interaction with apparmor_parser
@@ -900,7 +1134,7 @@
 // Test behavior when exec.Command "apparmor_parser" fails
 func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError3(c *C) {
 	// Make it appear as if NFS workaround was needed.
-	restore := MockEnableNFSWorkaroundCondition()
+	restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 	defer restore()
 
 	// Intercept interaction with apparmor_parser and make it fail.
@@ -921,7 +1155,7 @@
 
 	// Setup generated policy for snap-confine.
 	err = (&apparmor.Backend{}).Initialize()
-	c.Assert(err, ErrorMatches, "cannot reload snap-confine apparmor profile: testing")
+	c.Assert(err, ErrorMatches, "cannot reload snap-confine apparmor profile: .*\n.*\ntesting\n")
 
 	// While created the policy file initially we also removed it so that
 	// no side-effects remain.
@@ -935,8 +1169,10 @@
 
 // Test behavior when MkdirAll fails
 func (s *backendSuite) TestSetupSnapConfineGeneratedPolicyError4(c *C) {
-	// Create a directory where we would expect to find the local policy.
-	err := ioutil.WriteFile(dirs.SnapConfineAppArmorDir, []byte(""), 0644)
+	// Create a file where we would expect to find the local policy.
+	err := os.MkdirAll(filepath.Dir(dirs.SnapConfineAppArmorDir), 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(dirs.SnapConfineAppArmorDir, []byte(""), 0644)
 	c.Assert(err, IsNil)
 
 	// Setup generated policy for snap-confine.
@@ -954,7 +1190,7 @@
 	}
 
 	// Make it appear as if NFS workaround was not needed.
-	restore := MockDisableNFSWorkaroundCondition()
+	restore := apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 	defer restore()
 
 	// Intercept interaction with apparmor_parser and make it fail.
@@ -1078,9 +1314,11 @@
 	c.Assert(cmd.Calls(), HasLen, 1)
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{{
 		"apparmor_parser", "--replace",
-		"-O", "no-expr-simplify",
 		"--write-cache",
-		"--cache-loc", dirs.SystemApparmorCacheDir,
+		"-O", "no-expr-simplify",
+		"--cache-loc=" + dirs.SystemApparmorCacheDir,
+		"--skip-read-cache",
+		"--quiet",
 		profilePath,
 	}})
 }
@@ -1165,7 +1403,7 @@
 func (s *backendSuite) TestNFSAndOverlaySnippets(c *C) {
 	restore := release.MockAppArmorLevel(release.FullAppArmor)
 	defer restore()
-	restore = MockEnableNFSWorkaroundCondition()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return true, nil })
 	defer restore()
 	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "/upper", nil })
 	defer restore()
@@ -1174,10 +1412,12 @@
 	}
 
 	for _, scenario := range nfsAndOverlaySnippetsScenarios {
-		snapInfo := s.InstallSnap(c, scenario.opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, scenario.opts, "", ifacetest.SambaYamlV1, 1)
 		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
 		c.Check(profile, testutil.FileContains, scenario.overlaySnippet)
 		c.Check(profile, testutil.FileContains, scenario.nfsSnippet)
+		updateNSProfile := filepath.Join(dirs.SnapAppArmorDir, "snap-update-ns.samba")
+		c.Check(updateNSProfile, testutil.FileContains, scenario.overlaySnippet)
 		s.RemoveSnap(c, snapInfo)
 	}
 }
@@ -1209,7 +1449,7 @@
 func (s *backendSuite) TestCasperOverlaySnippets(c *C) {
 	restore := release.MockAppArmorLevel(release.FullAppArmor)
 	defer restore()
-	restore = MockEnableNFSWorkaroundCondition()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
 	defer restore()
 	restore = apparmor.MockIsRootWritableOverlay(func() (string, error) { return "/upper", nil })
 	defer restore()
@@ -1218,9 +1458,283 @@
 	}
 
 	for _, scenario := range casperOverlaySnippetsScenarios {
-		snapInfo := s.InstallSnap(c, scenario.opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, scenario.opts, "", ifacetest.SambaYamlV1, 1)
 		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
 		c.Check(profile, testutil.FileContains, scenario.overlaySnippet)
 		s.RemoveSnap(c, snapInfo)
 	}
 }
+
+func (s *backendSuite) TestProfileGlobs(c *C) {
+	globs := apparmor.ProfileGlobs("foo")
+	c.Assert(globs, DeepEquals, []string{"snap.foo.*", "snap-update-ns.foo"})
+}
+
+func (s *backendSuite) TestNsProfile(c *C) {
+	c.Assert(apparmor.NsProfile("foo"), Equals, "snap-update-ns.foo")
+}
+
+func (s *backendSuite) TestSandboxFeatures(c *C) {
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+	restore = apparmor.MockKernelFeatures(func() ([]string, error) { return []string{"foo", "bar"}, nil })
+	defer restore()
+	restore = apparmor.MockParserFeatures(func() ([]string, error) { return []string{"baz", "norf"}, nil })
+	defer restore()
+
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "parser:baz", "parser:norf", "support-level:full", "policy:default"})
+}
+
+func (s *backendSuite) TestSandboxFeaturesPartial(c *C) {
+	restore := release.MockAppArmorLevel(release.PartialAppArmor)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "opensuse-tumbleweed"})
+	defer restore()
+	restore = osutil.MockKernelVersion("4.16.10-1-default")
+	defer restore()
+	restore = apparmor.MockKernelFeatures(func() ([]string, error) { return []string{"foo", "bar"}, nil })
+	defer restore()
+	restore = apparmor.MockParserFeatures(func() ([]string, error) { return []string{"baz", "norf"}, nil })
+	defer restore()
+
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "parser:baz", "parser:norf", "support-level:partial", "policy:default"})
+
+	restore = osutil.MockKernelVersion("4.14.1-default")
+	defer restore()
+
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "parser:baz", "parser:norf", "support-level:partial", "policy:downgraded"})
+}
+
+func (s *backendSuite) TestParallelInstanceSetupSnapUpdateNS(c *C) {
+	dirs.SetRootDir(s.RootDir)
+
+	const trivialSnapYaml = `name: some-snap
+version: 1.0
+apps:
+  app:
+    command: app-command
+`
+	snapInfo := snaptest.MockInfo(c, trivialSnapYaml, &snap.SideInfo{Revision: snap.R(222)})
+	snapInfo.InstanceKey = "instance"
+
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "some-snap_instance", trivialSnapYaml, 1)
+	profileUpdateNS := filepath.Join(dirs.SnapAppArmorDir, "snap-update-ns.some-snap_instance")
+	c.Check(profileUpdateNS, testutil.FileContains, `profile snap-update-ns.some-snap_instance (`)
+	c.Check(profileUpdateNS, testutil.FileContains, `
+  # Allow parallel instance snap mount namespace adjustments
+  mount options=(rw rbind) /snap/some-snap_instance/ -> /snap/some-snap/,
+  mount options=(rw rbind) /var/snap/some-snap_instance/ -> /var/snap/some-snap/,
+`)
+}
+
+func (s *backendSuite) TestDowngradeConfinement(c *C) {
+
+	restore := release.MockAppArmorLevel(release.PartialAppArmor)
+	defer restore()
+
+	for _, tc := range []struct {
+		distro   string
+		kernel   string
+		expected bool
+	}{
+		{"opensuse-tumbleweed", "4.16.10-1-default", false},
+		{"opensuse-tumbleweed", "4.14.1-default", true},
+		{"arch", "4.18.2.a-1-hardened", false},
+		{"arch", "4.18.8-arch1-1-ARCH", false},
+		{"archlinux", "4.18.2.a-1-hardened", false},
+	} {
+		c.Logf("trying: %+v", tc)
+		restore := release.MockReleaseInfo(&release.OS{ID: tc.distro})
+		defer restore()
+		restore = osutil.MockKernelVersion(tc.kernel)
+		defer restore()
+		c.Check(apparmor.DowngradeConfinement(), Equals, tc.expected, Commentf("unexpected result for %+v", tc))
+	}
+}
+
+func (s *backendSuite) TestPtraceTraceRule(c *C) {
+	restoreTemplate := apparmor.MockTemplate("template\n###SNIPPETS###\n")
+	defer restoreTemplate()
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+
+	needle := `deny ptrace (trace),`
+	for _, tc := range []struct {
+		opts     interfaces.ConfinementOptions
+		uses     bool
+		suppress bool
+		expected bool
+	}{
+		// strict, only suppress if suppress == true and uses == false
+		{
+			opts:     interfaces.ConfinementOptions{},
+			uses:     false,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{},
+			uses:     false,
+			suppress: true,
+			expected: true,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{},
+			uses:     true,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{},
+			uses:     true,
+			suppress: true,
+			expected: false,
+		},
+		// devmode, only suppress if suppress == true and uses == false
+		{
+			opts:     interfaces.ConfinementOptions{DevMode: true},
+			uses:     false,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{DevMode: true},
+			uses:     false,
+			suppress: true,
+			expected: true,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{DevMode: true},
+			uses:     true,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{DevMode: true},
+			uses:     true,
+			suppress: true,
+			expected: false,
+		},
+		// classic, never suppress
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true},
+			uses:     false,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true},
+			uses:     false,
+			suppress: true,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true},
+			uses:     true,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true},
+			uses:     true,
+			suppress: true,
+			expected: false,
+		},
+		// classic with jail, only suppress if suppress == true and uses == false
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true, JailMode: true},
+			uses:     false,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true, JailMode: true},
+			uses:     false,
+			suppress: true,
+			expected: true,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true, JailMode: true},
+			uses:     true,
+			suppress: false,
+			expected: false,
+		},
+		{
+			opts:     interfaces.ConfinementOptions{Classic: true, JailMode: true},
+			uses:     true,
+			suppress: true,
+			expected: false,
+		},
+	} {
+		s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+			if tc.uses {
+				spec.SetUsesPtraceTrace()
+			}
+			if tc.suppress {
+				spec.SetSuppressPtraceTrace()
+			}
+			return nil
+		}
+
+		snapInfo := s.InstallSnap(c, tc.opts, "", ifacetest.SambaYamlV1, 1)
+		s.parserCmd.ForgetCalls()
+
+		err := s.Backend.Setup(snapInfo, tc.opts, s.Repo)
+		c.Assert(err, IsNil)
+
+		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
+		data, err := ioutil.ReadFile(profile)
+		c.Assert(err, IsNil)
+
+		if tc.expected {
+			c.Assert(string(data), testutil.Contains, needle)
+		} else {
+			c.Assert(string(data), Not(testutil.Contains), needle)
+		}
+		s.RemoveSnap(c, snapInfo)
+	}
+}
+
+func (s *backendSuite) TestHomeIxRule(c *C) {
+	restoreTemplate := apparmor.MockTemplate("template\n###SNIPPETS###\nneedle rwkl###HOME_IX###,\n")
+	defer restoreTemplate()
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+	restore = apparmor.MockIsHomeUsingNFS(func() (bool, error) { return false, nil })
+	defer restore()
+
+	for _, tc := range []struct {
+		opts     interfaces.ConfinementOptions
+		suppress bool
+		expected string
+	}{
+		{
+			opts:     interfaces.ConfinementOptions{},
+			suppress: true,
+			expected: "needle rwkl,",
+		},
+		{
+			opts:     interfaces.ConfinementOptions{},
+			suppress: false,
+			expected: "needle rwklix,",
+		},
+	} {
+		s.Iface.AppArmorPermanentSlotCallback = func(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+			if tc.suppress {
+				spec.SetSuppressHomeIx()
+			}
+			spec.AddSnippet("needle rwkl###HOME_IX###,")
+			return nil
+		}
+
+		snapInfo := s.InstallSnap(c, tc.opts, "", ifacetest.SambaYamlV1, 1)
+		profile := filepath.Join(dirs.SnapAppArmorDir, "snap.samba.smbd")
+		data, err := ioutil.ReadFile(profile)
+		c.Assert(err, IsNil)
+
+		c.Assert(string(data), testutil.Contains, tc.expected)
+		s.RemoveSnap(c, snapInfo)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/export_test.go snapd-2.37~rc1~14.04/interfaces/apparmor/export_test.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,9 +26,24 @@
 )
 
 var (
-	SnapConfineFromCoreProfile = snapConfineFromCoreProfile
+	NsProfile                  = nsProfile
+	ProfileGlobs               = profileGlobs
+	SnapConfineFromSnapProfile = snapConfineFromSnapProfile
+	DowngradeConfinement       = downgradeConfinement
+	LoadProfiles               = loadProfiles
+	UnloadProfiles             = unloadProfiles
+	SetupSnapConfineReexec     = setupSnapConfineReexec
 )
 
+// MockIsHomeUsingNFS mocks the real implementation of osutil.IsHomeUsingNFS
+func MockIsHomeUsingNFS(new func() (bool, error)) (restore func()) {
+	old := isHomeUsingNFS
+	isHomeUsingNFS = new
+	return func() {
+		isHomeUsingNFS = old
+	}
+}
+
 // MockIsRootWritableOverlay mocks the real implementation of osutil.IsRootWritableOverlay
 func MockIsRootWritableOverlay(new func() (string, error)) (restore func()) {
 	old := isRootWritableOverlay
@@ -74,6 +89,22 @@
 }
 
 // SetSpecScope sets the scope of a given specification
-func SetSpecScope(spec *Specification, securityTags []string, snapName string) (restore func()) {
-	return spec.setScope(securityTags, snapName)
+func SetSpecScope(spec *Specification, securityTags []string) (restore func()) {
+	return spec.setScope(securityTags)
+}
+
+func MockKernelFeatures(f func() ([]string, error)) (resture func()) {
+	old := kernelFeatures
+	kernelFeatures = f
+	return func() {
+		kernelFeatures = old
+	}
+}
+
+func MockParserFeatures(f func() ([]string, error)) (resture func()) {
+	old := parserFeatures
+	parserFeatures = f
+	return func() {
+		parserFeatures = old
+	}
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/spec.go snapd-2.37~rc1~14.04/interfaces/apparmor/spec.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/spec.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/spec.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -28,31 +28,51 @@
 
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
 // Specification assists in collecting apparmor entries associated with an interface.
 type Specification struct {
 	// scope for various Add{...}Snippet functions
 	securityTags []string
-	snapName     string
 
 	// snippets are indexed by security tag and describe parts of apparmor policy
 	// for snap application and hook processes. The security tag encodes the identity
 	// of the application or hook.
 	snippets map[string][]string
-	// updateNS are indexed by snap name and describe parts of apparmor policy
-	// for snap-update-ns executing on behalf of a given snap.
-	updateNS map[string][]string
+	// updateNS describe parts of apparmor policy for snap-update-ns executing
+	// on behalf of a given snap.
+	updateNS []string
+
+	// AppArmor deny rules cannot be undone by allow rules which makes
+	// deny rules difficult to work with arbitrary combinations of
+	// interfaces. Sometimes it is useful to suppress noisy denials and
+	// because that can currently only be done with explicit deny rules,
+	// adding explicit deny rules unconditionally makes it difficult for
+	// interfaces to be used in combination. Define the suppressPtraceTrace
+	// to allow an interface to request suppression and define
+	// usesPtraceTrace to omit the explicit deny rules such that:
+	//   if suppressPtraceTrace && !usesPtraceTrace {
+	//       add 'deny ptrace (trace),'
+	//   }
+	suppressPtraceTrace bool
+	usesPtraceTrace     bool
+
+	// The home interface typically should have 'ix' as part of its rules,
+	// but specifying certain change_profile rules with these rules cases
+	// a 'conflicting x modifiers' parser error. Allow interfaces that
+	// require this type of change_profile rule to suppress 'ix' so that
+	// the calling interface can be used with the home interface. Ideally,
+	// we would not need this, but we currently do (LP: #1797786)
+	suppressHomeIx bool
 }
 
 // setScope sets the scope of subsequent AddSnippet family functions.
 // The returned function resets the scope to an empty scope.
-func (spec *Specification) setScope(securityTags []string, snapName string) (restore func()) {
+func (spec *Specification) setScope(securityTags []string) (restore func()) {
 	spec.securityTags = securityTags
-	spec.snapName = snapName
 	return func() {
 		spec.securityTags = nil
-		spec.snapName = ""
 	}
 }
 
@@ -72,16 +92,10 @@
 
 // AddUpdateNS adds a new apparmor snippet for the snap-update-ns program.
 func (spec *Specification) AddUpdateNS(snippet string) {
-	if spec.snapName == "" {
-		return
-	}
-	if spec.updateNS == nil {
-		spec.updateNS = make(map[string][]string)
-	}
-	spec.updateNS[spec.snapName] = append(spec.updateNS[spec.snapName], snippet)
+	spec.updateNS = append(spec.updateNS, snippet)
 }
 
-// AddSnapLayout adds apparmor snippets based on the layout of the snap.
+// AddLayout adds apparmor snippets based on the layout of the snap.
 //
 // The per-snap snap-update-ns profiles are composed via a template and
 // snippets for the snap. The snippets may allow (depending on the snippet):
@@ -98,7 +112,7 @@
 //   the data)
 // Importantly, the above mount operations are happening within the per-snap
 // mount namespace.
-func (spec *Specification) AddSnapLayout(si *snap.Info) {
+func (spec *Specification) AddLayout(si *snap.Info) {
 	if len(si.Layout) == 0 {
 		return
 	}
@@ -135,7 +149,7 @@
 	for _, path := range paths {
 		var buf bytes.Buffer
 		l := si.Layout[path]
-		fmt.Fprintf(&buf, "  # Layout %s\n", l)
+		fmt.Fprintf(&buf, "  # Layout %s\n", l.String())
 		path := si.ExpandSnapVariables(l.Path)
 		switch {
 		case l.Bind != "":
@@ -144,30 +158,51 @@
 			fmt.Fprintf(&buf, "  mount options=(rbind, rw) %s/ -> %s/,\n", bind, path)
 			fmt.Fprintf(&buf, "  umount %s/,\n", path)
 			// Allow constructing writable mimic in both bind-mount source and mount point.
-			WritableProfile(&buf, path)
-			WritableProfile(&buf, bind)
+			WritableProfile(&buf, path, 2) // At least / and /some-top-level-directory
+			WritableProfile(&buf, bind, 4) // At least /, /snap/, /snap/$SNAP_NAME and /snap/$SNAP_NAME/$SNAP_REVISION
 		case l.BindFile != "":
 			bindFile := si.ExpandSnapVariables(l.BindFile)
 			// Allow bind mounting the layout element.
 			fmt.Fprintf(&buf, "  mount options=(bind, rw) %s -> %s,\n", bindFile, path)
 			fmt.Fprintf(&buf, "  umount %s,\n", path)
 			// Allow constructing writable mimic in both bind-mount source and mount point.
-			WritableFileProfile(&buf, path)
-			WritableFileProfile(&buf, bindFile)
+			WritableFileProfile(&buf, path, 2)     // At least / and /some-top-level-directory
+			WritableFileProfile(&buf, bindFile, 4) // At least /, /snap/, /snap/$SNAP_NAME and /snap/$SNAP_NAME/$SNAP_REVISION
 		case l.Type == "tmpfs":
 			fmt.Fprintf(&buf, "  mount fstype=tmpfs tmpfs -> %s/,\n", path)
 			fmt.Fprintf(&buf, "  umount %s/,\n", path)
 			// Allow constructing writable mimic to mount point.
-			WritableProfile(&buf, path)
+			WritableProfile(&buf, path, 2) // At least / and /some-top-level-directory
 		case l.Symlink != "":
 			// Allow constructing writable mimic to symlink parent directory.
 			fmt.Fprintf(&buf, "  %s rw,\n", path)
-			WritableProfile(&buf, path)
+			WritableProfile(&buf, path, 2) // At least / and /some-top-level-directory
 		}
 		spec.AddUpdateNS(buf.String())
 	}
 }
 
+// AddOvername adds AppArmor snippets allowing remapping of snap
+// directories for parallel installed snaps
+//
+// Specifically snap-update-ns will apply the following bind mounts
+// - /snap/foo_bar -> /snap/foo
+// - /var/snap/foo_bar -> /var/snap/foo
+// - /home/joe/snap/foo_bar -> /home/joe/snap/foo
+func (spec *Specification) AddOvername(si *snap.Info) {
+	if si.InstanceKey == "" {
+		return
+	}
+	var buf bytes.Buffer
+
+	// /snap/foo_bar -> /snap/foo
+	fmt.Fprintf(&buf, "  # Allow parallel instance snap mount namespace adjustments\n")
+	fmt.Fprintf(&buf, "  mount options=(rw rbind) /snap/%s/ -> /snap/%s/,\n", si.InstanceName(), si.SnapName())
+	// /var/snap/foo_bar -> /var/snap/foo
+	fmt.Fprintf(&buf, "  mount options=(rw rbind) /var/snap/%s/ -> /var/snap/%s/,\n", si.InstanceName(), si.SnapName())
+	spec.AddUpdateNS(buf.String())
+}
+
 // isProbably writable returns true if the path is probably representing writable area.
 func isProbablyWritable(path string) bool {
 	return strings.HasPrefix(path, "/var/snap/") || strings.HasPrefix(path, "/home/") || strings.HasPrefix(path, "/root/")
@@ -182,8 +217,65 @@
 	return path == "/" || path == "/snap" || path == "/var" || path == "/var/snap" || path == "/tmp" || path == "/usr" || path == "/etc"
 }
 
+// WritableMimicProfile writes apparmor rules for a writable mimic at the given path.
+func WritableMimicProfile(buf *bytes.Buffer, path string, assumedPrefixDepth int) {
+	fmt.Fprintf(buf, "  # Writable mimic %s\n", path)
+
+	iter, err := strutil.NewPathIterator(path)
+	if err != nil {
+		panic(err)
+	}
+
+	// Handle the prefix that is assumed to exist first.
+	fmt.Fprintf(buf, "  # .. permissions for traversing the prefix that is assumed to exist\n")
+	for iter.Next() {
+		if iter.Depth() < assumedPrefixDepth {
+			fmt.Fprintf(buf, "  %s r,\n", iter.CurrentPath())
+		}
+	}
+
+	// Rewind the iterator and handle the part that needs to be created.
+	iter.Rewind()
+	for iter.Next() {
+		if iter.Depth() < assumedPrefixDepth {
+			continue
+		}
+		// Assume that the mimic needs to be created at the given prefix of the
+		// full mimic path. This is called a mimic "variant". Both of the paths
+		// must end with a slash as this is important for apparmor file vs
+		// directory path semantics.
+		mimicPath := filepath.Join(iter.CurrentBase(), iter.CurrentCleanName()) + "/"
+		mimicAuxPath := filepath.Join("/tmp/.snap", iter.CurrentPath()) + "/"
+		fmt.Fprintf(buf, "  # .. variant with mimic at %s\n", mimicPath)
+		fmt.Fprintf(buf, "  # Allow reading the mimic directory, it must exist in the first place.\n")
+		fmt.Fprintf(buf, "  %s r,\n", mimicPath)
+		fmt.Fprintf(buf, "  # Allow setting the read-only directory aside via a bind mount.\n")
+		fmt.Fprintf(buf, "  %s rw,\n", mimicAuxPath)
+		fmt.Fprintf(buf, "  mount options=(rbind, rw) %s -> %s,\n", mimicPath, mimicAuxPath)
+		fmt.Fprintf(buf, "  # Allow mounting tmpfs over the read-only directory.\n")
+		fmt.Fprintf(buf, "  mount fstype=tmpfs options=(rw) tmpfs -> %s,\n", mimicPath)
+		fmt.Fprintf(buf, "  # Allow creating empty files and directories for bind mounting things\n"+
+			"  # to reconstruct the now-writable parent directory.\n")
+		fmt.Fprintf(buf, "  %s*/ rw,\n", mimicAuxPath)
+		fmt.Fprintf(buf, "  %s*/ rw,\n", mimicPath)
+		fmt.Fprintf(buf, "  mount options=(rbind, rw) %s*/ -> %s*/,\n", mimicAuxPath, mimicPath)
+		fmt.Fprintf(buf, "  %s* rw,\n", mimicAuxPath)
+		fmt.Fprintf(buf, "  %s* rw,\n", mimicPath)
+		fmt.Fprintf(buf, "  mount options=(bind, rw) %s* -> %s*,\n", mimicAuxPath, mimicPath)
+		fmt.Fprintf(buf, "  # Allow unmounting the auxiliary directory.\n"+
+			"  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)\n")
+		fmt.Fprintf(buf, "  umount %s,\n", mimicAuxPath)
+		fmt.Fprintf(buf, "  # Allow unmounting the destination directory as well as anything\n"+
+			"  # inside.  This lets us perform the undo plan in case the writable\n"+
+			"  # mimic fails.\n")
+		fmt.Fprintf(buf, "  umount %s,\n", mimicPath)
+		fmt.Fprintf(buf, "  umount %s*,\n", mimicPath)
+		fmt.Fprintf(buf, "  umount %s*/,\n", mimicPath)
+	}
+}
+
 // WritableFileProfile writes a profile for snap-update-ns for making given file writable.
-func WritableFileProfile(buf *bytes.Buffer, path string) {
+func WritableFileProfile(buf *bytes.Buffer, path string, assumedPrefixDepth int) {
 	if path == "/" {
 		return
 	}
@@ -195,33 +287,12 @@
 		}
 	} else {
 		parentPath := parent(path)
-		fmt.Fprintf(buf, "  # Writable mimic %s\n", parentPath)
-		// Allow setting the read-only directory aside via a bind mount.
-		fmt.Fprintf(buf, "  mount options=(rbind, rw) %s/ -> /tmp/.snap%s/,\n", parentPath, parentPath)
-		// Allow mounting tmpfs over the read-only directory.
-		fmt.Fprintf(buf, "  mount fstype=tmpfs options=(rw) tmpfs -> %s/,\n", parentPath)
-		// Allow bind mounting things to reconstruct the now-writable parent directory.
-		fmt.Fprintf(buf, "  mount options=(rbind, rw) /tmp/.snap%s/** -> %s/**,\n", parentPath, parentPath)
-		fmt.Fprintf(buf, "  mount options=(bind, rw) /tmp/.snap%s/* -> %s/*,\n", parentPath, parentPath)
-		// Allow unmounting the temporary directory.
-		fmt.Fprintf(buf, "  umount /tmp/.snap%s/,\n", parentPath)
-		// Allow unmounting the destination directory as well as anything inside.
-		// This lets us perform the undo plan in case the writable mimic fails.
-		fmt.Fprintf(buf, "  umount %s{,/**},\n", parentPath)
-		// Allow creating directories on demand.
-		fmt.Fprintf(buf, "  %s/** rw,\n", parentPath)
-		for p := parentPath; !isProbablyPresent(p); p = parent(p) {
-			fmt.Fprintf(buf, "  %s/ rw,\n", p)
-		}
-		fmt.Fprintf(buf, "  /tmp/.snap%s/** rw,\n", parentPath)
-		for p := filepath.Join("/tmp/.snap/", parentPath); !isProbablyPresent(p); p = parent(p) {
-			fmt.Fprintf(buf, "  %s/ rw,\n", p)
-		}
+		WritableMimicProfile(buf, parentPath, assumedPrefixDepth)
 	}
 }
 
 // WritableProfile writes a profile for snap-update-ns for making given directory writable.
-func WritableProfile(buf *bytes.Buffer, path string) {
+func WritableProfile(buf *bytes.Buffer, path string, assumedPrefixDepth int) {
 	if path == "/" {
 		return
 	}
@@ -232,28 +303,7 @@
 		}
 	} else {
 		parentPath := parent(path)
-		fmt.Fprintf(buf, "  # Writable mimic %s\n", parentPath)
-		// Allow setting the read-only directory aside via a bind mount.
-		fmt.Fprintf(buf, "  mount options=(rbind, rw) %s/ -> /tmp/.snap%s/,\n", parentPath, parentPath)
-		// Allow mounting tmpfs over the read-only directory.
-		fmt.Fprintf(buf, "  mount fstype=tmpfs options=(rw) tmpfs -> %s/,\n", parentPath)
-		// Allow bind mounting things to reconstruct the now-writable parent directory.
-		fmt.Fprintf(buf, "  mount options=(rbind, rw) /tmp/.snap%s/** -> %s/**,\n", parentPath, parentPath)
-		fmt.Fprintf(buf, "  mount options=(bind, rw) /tmp/.snap%s/* -> %s/*,\n", parentPath, parentPath)
-		// Allow unmounting the temporary directory.
-		fmt.Fprintf(buf, "  umount /tmp/.snap%s/,\n", parentPath)
-		// Allow unmounting the destination directory as well as anything inside.
-		// This lets us perform the undo plan in case the writable mimic fails.
-		fmt.Fprintf(buf, "  umount %s{,/**},\n", parentPath)
-		// Allow creating directories on demand.
-		fmt.Fprintf(buf, "  %s/** rw,\n", parentPath)
-		for p := parentPath; !isProbablyPresent(p); p = parent(p) {
-			fmt.Fprintf(buf, "  %s/ rw,\n", p)
-		}
-		fmt.Fprintf(buf, "  /tmp/.snap%s/** rw,\n", parentPath)
-		for p := filepath.Join("/tmp/.snap/", parentPath); !isProbablyPresent(p); p = parent(p) {
-			fmt.Fprintf(buf, "  %s/ rw,\n", p)
-		}
+		WritableMimicProfile(buf, parentPath, assumedPrefixDepth)
 	}
 }
 
@@ -286,8 +336,10 @@
 }
 
 // UpdateNS returns a deep copy of all the added snap-update-ns snippets.
-func (spec *Specification) UpdateNS() map[string][]string {
-	return copySnippets(spec.updateNS)
+func (spec *Specification) UpdateNS() []string {
+	cp := make([]string, len(spec.updateNS))
+	copy(cp, spec.updateNS)
+	return cp
 }
 
 func snippetFromLayout(layout *snap.Layout) string {
@@ -316,7 +368,7 @@
 		AppArmorConnectedPlug(spec *Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error
 	}
 	if iface, ok := iface.(definer); ok {
-		restore := spec.setScope(plug.SecurityTags(), plug.Snap().Name())
+		restore := spec.setScope(plug.SecurityTags())
 		defer restore()
 		return iface.AppArmorConnectedPlug(spec, plug, slot)
 	}
@@ -329,7 +381,7 @@
 		AppArmorConnectedSlot(spec *Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error
 	}
 	if iface, ok := iface.(definer); ok {
-		restore := spec.setScope(slot.SecurityTags(), slot.Snap().Name())
+		restore := spec.setScope(slot.SecurityTags())
 		defer restore()
 		return iface.AppArmorConnectedSlot(spec, plug, slot)
 	}
@@ -342,7 +394,7 @@
 		AppArmorPermanentPlug(spec *Specification, plug *snap.PlugInfo) error
 	}
 	if iface, ok := iface.(definer); ok {
-		restore := spec.setScope(plug.SecurityTags(), plug.Snap.Name())
+		restore := spec.setScope(plug.SecurityTags())
 		defer restore()
 		return iface.AppArmorPermanentPlug(spec, plug)
 	}
@@ -355,9 +407,36 @@
 		AppArmorPermanentSlot(spec *Specification, slot *snap.SlotInfo) error
 	}
 	if iface, ok := iface.(definer); ok {
-		restore := spec.setScope(slot.SecurityTags(), slot.Snap.Name())
+		restore := spec.setScope(slot.SecurityTags())
 		defer restore()
 		return iface.AppArmorPermanentSlot(spec, slot)
 	}
 	return nil
 }
+
+// SetUsesPtraceTrace records when to omit explicit ptrace deny rules
+func (spec *Specification) SetUsesPtraceTrace() {
+	spec.usesPtraceTrace = true
+}
+
+func (spec *Specification) UsesPtraceTrace() bool {
+	return spec.usesPtraceTrace
+}
+
+// SetSuppressPtraceTrace to request explicit ptrace deny rules
+func (spec *Specification) SetSuppressPtraceTrace() {
+	spec.suppressPtraceTrace = true
+}
+
+func (spec *Specification) SuppressPtraceTrace() bool {
+	return spec.suppressPtraceTrace
+}
+
+// SetSuppressHomeIx to request explicit ptrace deny rules
+func (spec *Specification) SetSuppressHomeIx() {
+	spec.suppressHomeIx = true
+}
+
+func (spec *Specification) SuppressHomeIx() bool {
+	return spec.suppressHomeIx
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/spec_test.go snapd-2.37~rc1~14.04/interfaces/apparmor/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/spec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -90,8 +90,8 @@
 	s.BaseTest.AddCleanup(snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {}))
 
 	s.spec = &apparmor.Specification{}
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *specSuite) TearDownTest(c *C) {
@@ -113,7 +113,7 @@
 
 // AddSnippet adds a snippet for the given security tag.
 func (s *specSuite) TestAddSnippet(c *C) {
-	restore := apparmor.SetSpecScope(s.spec, []string{"snap.demo.command", "snap.demo.service"}, "demo")
+	restore := apparmor.SetSpecScope(s.spec, []string{"snap.demo.command", "snap.demo.service"})
 	defer restore()
 
 	// Add two snippets in the context we are in.
@@ -132,7 +132,7 @@
 
 // AddUpdateNS adds a snippet for the snap-update-ns profile for a given snap.
 func (s *specSuite) TestAddUpdateNS(c *C) {
-	restore := apparmor.SetSpecScope(s.spec, []string{"snap.demo.command", "snap.demo.service"}, "demo")
+	restore := apparmor.SetSpecScope(s.spec, []string{"snap.demo.command", "snap.demo.service"})
 	defer restore()
 
 	// Add a two snap-update-ns snippets in the context we are in.
@@ -140,8 +140,8 @@
 	s.spec.AddUpdateNS("s-u-n snippet 2")
 
 	// The snippets were recorded correctly and in the right place.
-	c.Assert(s.spec.UpdateNS(), DeepEquals, map[string][]string{
-		"demo": {"s-u-n snippet 1", "s-u-n snippet 2"},
+	c.Assert(s.spec.UpdateNS(), DeepEquals, []string{
+		"s-u-n snippet 1", "s-u-n snippet 2",
 	})
 	c.Assert(s.spec.SnippetForTag("snap.demo.command"), Equals, "")
 	c.Assert(s.spec.SecurityTags(), HasLen, 0)
@@ -167,10 +167,10 @@
 
 func (s *specSuite) TestApparmorSnippetsFromLayout(c *C) {
 	snapInfo := snaptest.MockInfo(c, snapWithLayout, &snap.SideInfo{Revision: snap.R(42)})
-	restore := apparmor.SetSpecScope(s.spec, []string{"snap.vanguard.vanguard"}, "vanguard")
+	restore := apparmor.SetSpecScope(s.spec, []string{"snap.vanguard.vanguard"})
 	defer restore()
 
-	s.spec.AddSnapLayout(snapInfo)
+	s.spec.AddLayout(snapInfo)
 	c.Assert(s.spec.Snippets(), DeepEquals, map[string][]string{
 		"snap.vanguard.vanguard": {
 			"# Layout path: /etc/foo.conf\n/etc/foo.conf mrwklix,",
@@ -179,104 +179,308 @@
 			"# Layout path: /var/tmp\n/var/tmp{,/**} mrwklix,",
 		},
 	})
+	updateNS := s.spec.UpdateNS()
 
 	profile0 := `  # Layout /etc/foo.conf: bind-file $SNAP/foo.conf
   mount options=(bind, rw) /snap/vanguard/42/foo.conf -> /etc/foo.conf,
   umount /etc/foo.conf,
   # Writable mimic /etc
+  # .. permissions for traversing the prefix that is assumed to exist
+  / r,
+  # .. variant with mimic at /etc/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /etc/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/etc/ rw,
   mount options=(rbind, rw) /etc/ -> /tmp/.snap/etc/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /etc/,
-  mount options=(rbind, rw) /tmp/.snap/etc/** -> /etc/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/etc/*/ rw,
+  /etc/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/etc/*/ -> /etc/*/,
+  /tmp/.snap/etc/* rw,
+  /etc/* rw,
   mount options=(bind, rw) /tmp/.snap/etc/* -> /etc/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/etc/,
-  umount /etc{,/**},
-  /etc/** rw,
-  /tmp/.snap/etc/** rw,
-  /tmp/.snap/etc/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /etc/,
+  umount /etc/*,
+  umount /etc/*/,
   # Writable mimic /snap/vanguard/42
+  # .. permissions for traversing the prefix that is assumed to exist
+  / r,
+  /snap/ r,
+  /snap/vanguard/ r,
+  # .. variant with mimic at /snap/vanguard/42/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/vanguard/42/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/vanguard/42/ rw,
   mount options=(rbind, rw) /snap/vanguard/42/ -> /tmp/.snap/snap/vanguard/42/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /snap/vanguard/42/,
-  mount options=(rbind, rw) /tmp/.snap/snap/vanguard/42/** -> /snap/vanguard/42/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/vanguard/42/*/ rw,
+  /snap/vanguard/42/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/vanguard/42/*/ -> /snap/vanguard/42/*/,
+  /tmp/.snap/snap/vanguard/42/* rw,
+  /snap/vanguard/42/* rw,
   mount options=(bind, rw) /tmp/.snap/snap/vanguard/42/* -> /snap/vanguard/42/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/snap/vanguard/42/,
-  umount /snap/vanguard/42{,/**},
-  /snap/vanguard/42/** rw,
-  /snap/vanguard/42/ rw,
-  /snap/vanguard/ rw,
-  /tmp/.snap/snap/vanguard/42/** rw,
-  /tmp/.snap/snap/vanguard/42/ rw,
-  /tmp/.snap/snap/vanguard/ rw,
-  /tmp/.snap/snap/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/vanguard/42/,
+  umount /snap/vanguard/42/*,
+  umount /snap/vanguard/42/*/,
 `
+	c.Assert(updateNS[0], Equals, profile0)
+
 	profile1 := `  # Layout /usr/foo: bind $SNAP/usr/foo
   mount options=(rbind, rw) /snap/vanguard/42/usr/foo/ -> /usr/foo/,
   umount /usr/foo/,
   # Writable mimic /usr
+  # .. permissions for traversing the prefix that is assumed to exist
+  / r,
+  # .. variant with mimic at /usr/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /usr/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/usr/ rw,
   mount options=(rbind, rw) /usr/ -> /tmp/.snap/usr/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /usr/,
-  mount options=(rbind, rw) /tmp/.snap/usr/** -> /usr/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/usr/*/ rw,
+  /usr/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/usr/*/ -> /usr/*/,
+  /tmp/.snap/usr/* rw,
+  /usr/* rw,
   mount options=(bind, rw) /tmp/.snap/usr/* -> /usr/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/usr/,
-  umount /usr{,/**},
-  /usr/** rw,
-  /tmp/.snap/usr/** rw,
-  /tmp/.snap/usr/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /usr/,
+  umount /usr/*,
+  umount /usr/*/,
   # Writable mimic /snap/vanguard/42/usr
+  # .. permissions for traversing the prefix that is assumed to exist
+  / r,
+  /snap/ r,
+  /snap/vanguard/ r,
+  # .. variant with mimic at /snap/vanguard/42/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/vanguard/42/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/vanguard/42/ rw,
+  mount options=(rbind, rw) /snap/vanguard/42/ -> /tmp/.snap/snap/vanguard/42/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /snap/vanguard/42/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/vanguard/42/*/ rw,
+  /snap/vanguard/42/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/vanguard/42/*/ -> /snap/vanguard/42/*/,
+  /tmp/.snap/snap/vanguard/42/* rw,
+  /snap/vanguard/42/* rw,
+  mount options=(bind, rw) /tmp/.snap/snap/vanguard/42/* -> /snap/vanguard/42/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/snap/vanguard/42/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/vanguard/42/,
+  umount /snap/vanguard/42/*,
+  umount /snap/vanguard/42/*/,
+  # .. variant with mimic at /snap/vanguard/42/usr/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/vanguard/42/usr/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/vanguard/42/usr/ rw,
   mount options=(rbind, rw) /snap/vanguard/42/usr/ -> /tmp/.snap/snap/vanguard/42/usr/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /snap/vanguard/42/usr/,
-  mount options=(rbind, rw) /tmp/.snap/snap/vanguard/42/usr/** -> /snap/vanguard/42/usr/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/vanguard/42/usr/*/ rw,
+  /snap/vanguard/42/usr/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/vanguard/42/usr/*/ -> /snap/vanguard/42/usr/*/,
+  /tmp/.snap/snap/vanguard/42/usr/* rw,
+  /snap/vanguard/42/usr/* rw,
   mount options=(bind, rw) /tmp/.snap/snap/vanguard/42/usr/* -> /snap/vanguard/42/usr/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/snap/vanguard/42/usr/,
-  umount /snap/vanguard/42/usr{,/**},
-  /snap/vanguard/42/usr/** rw,
-  /snap/vanguard/42/usr/ rw,
-  /snap/vanguard/42/ rw,
-  /snap/vanguard/ rw,
-  /tmp/.snap/snap/vanguard/42/usr/** rw,
-  /tmp/.snap/snap/vanguard/42/usr/ rw,
-  /tmp/.snap/snap/vanguard/42/ rw,
-  /tmp/.snap/snap/vanguard/ rw,
-  /tmp/.snap/snap/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/vanguard/42/usr/,
+  umount /snap/vanguard/42/usr/*,
+  umount /snap/vanguard/42/usr/*/,
 `
+	c.Assert(updateNS[1], Equals, profile1)
+
 	profile2 := `  # Layout /var/cache/mylink: symlink $SNAP_DATA/link/target
   /var/cache/mylink rw,
   # Writable mimic /var/cache
+  # .. permissions for traversing the prefix that is assumed to exist
+  / r,
+  # .. variant with mimic at /var/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /var/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/var/ rw,
+  mount options=(rbind, rw) /var/ -> /tmp/.snap/var/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /var/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/var/*/ rw,
+  /var/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/var/*/ -> /var/*/,
+  /tmp/.snap/var/* rw,
+  /var/* rw,
+  mount options=(bind, rw) /tmp/.snap/var/* -> /var/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/var/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /var/,
+  umount /var/*,
+  umount /var/*/,
+  # .. variant with mimic at /var/cache/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /var/cache/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/var/cache/ rw,
   mount options=(rbind, rw) /var/cache/ -> /tmp/.snap/var/cache/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /var/cache/,
-  mount options=(rbind, rw) /tmp/.snap/var/cache/** -> /var/cache/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/var/cache/*/ rw,
+  /var/cache/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/var/cache/*/ -> /var/cache/*/,
+  /tmp/.snap/var/cache/* rw,
+  /var/cache/* rw,
   mount options=(bind, rw) /tmp/.snap/var/cache/* -> /var/cache/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/var/cache/,
-  umount /var/cache{,/**},
-  /var/cache/** rw,
-  /var/cache/ rw,
-  /tmp/.snap/var/cache/** rw,
-  /tmp/.snap/var/cache/ rw,
-  /tmp/.snap/var/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /var/cache/,
+  umount /var/cache/*,
+  umount /var/cache/*/,
 `
+	c.Assert(updateNS[2], Equals, profile2)
+
 	profile3 := `  # Layout /var/tmp: type tmpfs, mode: 01777
   mount fstype=tmpfs tmpfs -> /var/tmp/,
   umount /var/tmp/,
   # Writable mimic /var
+  # .. permissions for traversing the prefix that is assumed to exist
+  / r,
+  # .. variant with mimic at /var/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /var/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/var/ rw,
   mount options=(rbind, rw) /var/ -> /tmp/.snap/var/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /var/,
-  mount options=(rbind, rw) /tmp/.snap/var/** -> /var/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/var/*/ rw,
+  /var/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/var/*/ -> /var/*/,
+  /tmp/.snap/var/* rw,
+  /var/* rw,
   mount options=(bind, rw) /tmp/.snap/var/* -> /var/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/var/,
-  umount /var{,/**},
-  /var/** rw,
-  /tmp/.snap/var/** rw,
-  /tmp/.snap/var/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /var/,
+  umount /var/*,
+  umount /var/*/,
 `
-	updateNS := s.spec.UpdateNS()["vanguard"]
-	c.Assert(updateNS[0], Equals, profile0)
-	c.Assert(updateNS[1], Equals, profile1)
-	c.Assert(updateNS[2], Equals, profile2)
 	c.Assert(updateNS[3], Equals, profile3)
 	c.Assert(updateNS, DeepEquals, []string{profile0, profile1, profile2, profile3})
 }
+
+const snapTrivial = `
+name: some-snap
+version: 0
+apps:
+  app:
+    command: app-command
+`
+
+func (s *specSuite) TestApparmorOvernameSnippetsNotInstanceKeyed(c *C) {
+	snapInfo := snaptest.MockInfo(c, snapTrivial, &snap.SideInfo{Revision: snap.R(42)})
+	restore := apparmor.SetSpecScope(s.spec, []string{"snap.some-snap.app"})
+	defer restore()
+
+	s.spec.AddOvername(snapInfo)
+	c.Assert(s.spec.Snippets(), HasLen, 0)
+	// non instance-keyed snaps require no extra snippets
+	c.Assert(s.spec.UpdateNS(), HasLen, 0)
+}
+
+func (s *specSuite) TestApparmorOvernameSnippets(c *C) {
+	snapInfo := snaptest.MockInfo(c, snapTrivial, &snap.SideInfo{Revision: snap.R(42)})
+	snapInfo.InstanceKey = "instance"
+
+	restore := apparmor.SetSpecScope(s.spec, []string{"snap.some-snap_instace.app"})
+	defer restore()
+
+	s.spec.AddOvername(snapInfo)
+	c.Assert(s.spec.Snippets(), HasLen, 0)
+
+	updateNS := s.spec.UpdateNS()
+	c.Assert(updateNS, HasLen, 1)
+
+	profile := `  # Allow parallel instance snap mount namespace adjustments
+  mount options=(rw rbind) /snap/some-snap_instance/ -> /snap/some-snap/,
+  mount options=(rw rbind) /var/snap/some-snap_instance/ -> /var/snap/some-snap/,
+`
+	c.Assert(updateNS[0], Equals, profile)
+}
+
+func (s *specSuite) TestUsesPtraceTrace(c *C) {
+	c.Assert(s.spec.UsesPtraceTrace(), Equals, false)
+	s.spec.SetUsesPtraceTrace()
+	c.Assert(s.spec.UsesPtraceTrace(), Equals, true)
+}
+
+func (s *specSuite) TestSuppressPtraceTrace(c *C) {
+	c.Assert(s.spec.SuppressPtraceTrace(), Equals, false)
+	s.spec.SetSuppressPtraceTrace()
+	c.Assert(s.spec.SuppressPtraceTrace(), Equals, true)
+}
+
+func (s *specSuite) TestSetSuppressHomeIx(c *C) {
+	c.Assert(s.spec.SuppressHomeIx(), Equals, false)
+	s.spec.SetSuppressHomeIx()
+	c.Assert(s.spec.SuppressHomeIx(), Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/template.go snapd-2.37~rc1~14.04/interfaces/apparmor/template.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/template.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/template.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,9 +32,20 @@
 
 #include <tunables/global>
 
+# snapd supports the concept of 'parallel installs' where snaps with the same
+# name are differentiated by '_<instance>' such that foo, foo_bar and foo_baz
+# may all be installed on the system. To support this, SNAP_NAME is set to the
+# name (eg, 'foo') while SNAP_INSTANCE_NAME is set to the instance name (eg
+# 'foo_bar'). The profile name and most rules therefore reference
+# SNAP_INSTANCE_NAME. In some cases, snapd will adjust the snap's runtime
+# environment so the snap doesn't have to be aware of the distinction (eg,
+# SNAP, SNAP_DATA and SNAP_COMMON are all bind mounted onto a directory with
+# SNAP_NAME so the security policy will allow writing to both locations (since
+# they are equivalent).
+
 ###VAR###
 
-###PROFILEATTACH### (attach_disconnected) {
+###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/openssl>
@@ -44,6 +55,7 @@
   /etc/ld.so.preload r,
 
   # The base abstraction doesn't yet have this
+  /etc/sysconfig/clock r,
   /lib/terminfo/** rk,
   /usr/share/terminfo/** k,
   /usr/share/zoneinfo/** k,
@@ -57,8 +69,9 @@
   # for details)
   deny /usr/lib/python3*/{,**/}__pycache__/ w,
   deny /usr/lib/python3*/{,**/}__pycache__/**.pyc.[0-9]* w,
-  deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/             w,
-  deny @{INSTALL_DIR}/@{SNAP_NAME}/**/__pycache__/*.pyc.[0-9]* w,
+  # bind mount used here (see 'parallel installs', above)
+  deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/             w,
+  deny @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/__pycache__/*.pyc.[0-9]* w,
 
   # for perl apps/services
   #include <abstractions/perl>
@@ -92,8 +105,8 @@
 
   # for bash 'binaries' (do *not* use abstractions/bash)
   # user-specific bash files
-  /bin/bash ixr,
-  /bin/dash ixr,
+  /{,usr/}bin/bash ixr,
+  /{,usr/}bin/dash ixr,
   /etc/bash.bashrc r,
   /etc/{passwd,group,nsswitch.conf} r,  # very common
   /etc/default/nss r,
@@ -106,6 +119,8 @@
   # Common utilities for shell scripts
   /{,usr/}bin/arch ixr,
   /{,usr/}bin/{,g,m}awk ixr,
+  /{,usr/}bin/base32 ixr,
+  /{,usr/}bin/base64 ixr,
   /{,usr/}bin/basename ixr,
   /{,usr/}bin/bunzip2 ixr,
   /{,usr/}bin/bzcat ixr,
@@ -121,6 +136,9 @@
   /{,usr/}bin/cpio ixr,
   /{,usr/}bin/cut ixr,
   /{,usr/}bin/date ixr,
+  /{,usr/}bin/dbus-daemon ixr,
+  /{,usr/}bin/dbus-run-session ixr,
+  /{,usr/}bin/dbus-send ixr,
   /{,usr/}bin/dd ixr,
   /{,usr/}bin/diff{,3} ixr,
   /{,usr/}bin/dir ixr,
@@ -134,6 +152,7 @@
   /{,usr/}bin/find ixr,
   /{,usr/}bin/flock ixr,
   /{,usr/}bin/fmt ixr,
+  /{,usr/}bin/fold ixr,
   /{,usr/}bin/getconf ixr,
   /{,usr/}bin/getent ixr,
   /{,usr/}bin/getopt ixr,
@@ -253,6 +272,7 @@
 
   # snapctl and its requirements
   /usr/bin/snapctl ixr,
+  /usr/lib/snapd/snapctl ixr,
   @{PROC}/sys/net/core/somaxconn r,
   /run/snapd-snap.socket rw,
 
@@ -283,6 +303,15 @@
   # value or those in its thread group.
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+  # Allow reading and writing to our file descriptors in /proc which, for
+  # example, allow access to /dev/std{in,out,err} which are all symlinks to
+  # /proc/self/fd/{0,1,2} respectively. To support the open(..., O_TMPFILE)
+  # linkat() temporary file technique, allow all fds. Importantly, access to
+  # another's task's fd via this proc interface is mediated via 'ptrace (read)'
+  # (readonly) and 'ptrace (trace)' (read/write) which is denied by default, so
+  # this rule by itself doesn't allow opening another snap's fds via proc.
+  owner @{PROC}/@{pid}/{,task/@{tid}}fd/[0-9]* rw,
+
   # Miscellaneous accesses
   /dev/{,u}random w,
   /etc/machine-id r,
@@ -319,7 +348,8 @@
   @{PROC}/sys/kernel/random/boot_id r,
   /sys/devices/virtual/tty/{console,tty*}/active r,
   /sys/fs/cgroup/memory/memory.limit_in_bytes r,
-  /sys/fs/cgroup/memory/snap.@{SNAP_NAME}{,.*}/memory.limit_in_bytes r,
+  /sys/fs/cgroup/memory/snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r,
+  /sys/module/apparmor/parameters/enabled r,
   /{,usr/}lib/ r,
 
   # Reads of oom_adj and oom_score_adj are safe
@@ -346,29 +376,34 @@
   @{PROC}/@{pid}/net/dev r,
 
   # Read-only for the install directory
-  @{INSTALL_DIR}/@{SNAP_NAME}/                   r,
-  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/    r,
-  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/**  mrklix,
+  # bind mount used here (see 'parallel installs', above)
+  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/                   r,
+  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/    r,
+  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}}/**  mrklix,
 
   # Read-only install directory for other revisions to help with bugs like
   # LP: #1616650 and LP: #1655992
-  @{INSTALL_DIR}/@{SNAP_NAME}/**  mrkix,
+  @{INSTALL_DIR}/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**  mrkix,
 
   # Read-only home area for other versions
-  owner @{HOME}/snap/@{SNAP_NAME}/                  r,
-  owner @{HOME}/snap/@{SNAP_NAME}/**                mrkix,
+  # bind mount *not* used here (see 'parallel installs', above)
+  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/                  r,
+  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/**                mrkix,
 
   # Writable home area for this version.
-  owner @{HOME}/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
-  owner @{HOME}/snap/@{SNAP_NAME}/common/** wl,
+  # bind mount *not* used here (see 'parallel installs', above)
+  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/** wl,
+  owner @{HOME}/snap/@{SNAP_INSTANCE_NAME}/common/** wl,
 
   # Read-only system area for other versions
-  /var/snap/@{SNAP_NAME}/   r,
-  /var/snap/@{SNAP_NAME}/** mrkix,
+  # bind mount used here (see 'parallel installs', above)
+  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/   r,
+  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/** mrkix,
 
   # Writable system area only for this version
-  /var/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
-  /var/snap/@{SNAP_NAME}/common/** wl,
+  # bind mount used here (see 'parallel installs', above)
+  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/** wl,
+  /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/** wl,
 
   # The ubuntu-core-launcher creates an app-specific private restricted /tmp
   # and will fail to launch the app if something goes wrong. As such, we can
@@ -378,25 +413,35 @@
 
   # App-specific access to files and directories in /dev/shm. We allow file
   # access in /dev/shm for shm_open() and files in subdirectories for open()
-  /{dev,run}/shm/snap.@{SNAP_NAME}.** mrwlkix,
+  # bind mount *not* used here (see 'parallel installs', above)
+  /{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix,
   # Also allow app-specific access for sem_open()
-  /{dev,run}/shm/sem.snap.@{SNAP_NAME}.* mrwk,
+  /{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk,
 
   # Snap-specific XDG_RUNTIME_DIR that is based on the UID of the user
-  owner /run/user/[0-9]*/snap.@{SNAP_NAME}/   rw,
-  owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,
+  # bind mount *not* used here (see 'parallel installs', above)
+  owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/   rw,
+  owner /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
 
   # Allow apps from the same package to communicate with each other via an
   # abstract or anonymous socket
-  unix peer=(label=snap.@{SNAP_NAME}.*),
+  unix (bind, listen) addr="@snap.@{SNAP_INSTANCE_NAME}.**",
+  unix peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
 
   # Allow apps from the same package to communicate with each other via DBus.
   # Note: this does not grant access to the DBus sockets of well known buses
   # (will still need to use an appropriate interface for that).
-  dbus (receive, send) peer=(label=snap.@{SNAP_NAME}.*),
+  dbus (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.*),
 
   # Allow apps from the same package to signal each other via signals
-  signal peer=snap.@{SNAP_NAME}.*,
+  signal peer=snap.@{SNAP_INSTANCE_NAME}.*,
+
+  # Allow receiving signals from all snaps (and focus on mediating sending of
+  # signals)
+  signal (receive) peer=snap.*,
+
+  # Allow receiving signals from unconfined (eg, systemd)
+  signal (receive) peer=unconfined,
 
   # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'
   /{,s}bin/udevadm ixr,
@@ -443,6 +488,11 @@
   # Allow read-access to / for navigating to other parts of the filesystem.
   / r,
 
+  # Snap-specific run directory. Bind mount *not* used here
+  # (see 'parallel installs', above)
+  /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
+  /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
+
 ###SNIPPETS###
 }
 `
@@ -461,7 +511,7 @@
 
 ###VAR###
 
-###PROFILEATTACH### (attach_disconnected) {
+###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
   # set file rules so that exec() inherits our profile unless there is
   # already a profile for it (eg, snap-confine)
   / rwkl,
@@ -469,7 +519,7 @@
   /** pix,
 
   capability,
-  change_profile,
+  ###CHANGEPROFILE_RULE###
   dbus,
   network,
   mount,
@@ -521,6 +571,19 @@
   "###UPPERDIR###/{,**/}" r,
 `
 
+var ptraceTraceDenySnippet = `
+# While commands like 'ps', 'ip netns identify <pid>', 'ip netns pids foo', etc
+# trigger a 'ptrace (trace)' denial, they aren't actually tracing other
+# processes. Unfortunately, the kernel overloads trace such that the LSMs are
+# unable to distinguish between tracing other processes and other accesses.
+# ptrace (trace) can be used to break out of the seccomp sandbox unless the
+# kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until snapd
+# has full ptrace support conditional on kernel support, explicitly deny to
+# silence noisy denials/avoid confusion and accidentally giving away this
+# dangerous access frivolously.
+deny ptrace (trace),
+`
+
 // updateNSTemplate defines the apparmor profile for per-snap snap-update-ns.
 //
 // The per-snap snap-update-ns profiles are composed via a template and
@@ -540,12 +603,12 @@
 
 #include <tunables/global>
 
-profile snap-update-ns.###SNAP_NAME### (attach_disconnected) {
+profile snap-update-ns.###SNAP_INSTANCE_NAME### (attach_disconnected) {
   # The next four rules mirror those above. We want to be able to read
   # and map snap-update-ns into memory but it may come from a variety of places.
   /usr/lib{,exec,64}/snapd/snap-update-ns mr,
   /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
-  /{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
+  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
   /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,
 
   # Allow reading the dynamic linker cache.
@@ -557,29 +620,42 @@
   /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
   /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
 
+  # Common devices accesses
+  /dev/null rw,
+  /dev/full rw,
+  /dev/zero rw,
+  /dev/random r,
+  /dev/urandom r,
+
   # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
   @{PROC}/@{pid}/cmdline r,
 
+  # Allow reading file descriptor paths
+  @{PROC}/@{pid}/fd/* r,
+  # Allow reading /proc/version. For release.go WSL detection.
+  @{PROC}/version r,
+
   # Allow reading the os-release file (possibly a symlink to /usr/lib).
   /{etc/,usr/lib/}os-release r,
 
   # Allow creating/grabbing global and per-snap lock files.
-  /run/snapd/lock/###SNAP_NAME###.lock rwk,
+  /run/snapd/lock/###SNAP_INSTANCE_NAME###.lock rwk,
   /run/snapd/lock/.lock rwk,
 
   # Allow reading stored mount namespaces,
   /run/snapd/ns/ r,
-  /run/snapd/ns/###SNAP_NAME###.mnt r,
+  /run/snapd/ns/###SNAP_INSTANCE_NAME###.mnt r,
 
   # Allow reading per-snap desired mount profiles. Those are written by
   # snapd and represent the desired layout and content connections.
-  /var/lib/snapd/mount/snap.###SNAP_NAME###.fstab r,
+  /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.fstab r,
+  /var/lib/snapd/mount/snap.###SNAP_INSTANCE_NAME###.user-fstab r,
 
   # Allow reading and writing actual per-snap mount profiles. Note that
   # the wildcard in the rule to allow an atomic write + rename strategy.
   # Those files are written by snap-update-ns and represent the actual
   # mount profile at a given moment.
-  /run/snapd/ns/snap.###SNAP_NAME###.fstab{,.*} rw,
+  /run/snapd/ns/snap.###SNAP_INSTANCE_NAME###.fstab{,.*} rw,
 
   # NOTE: at this stage the /snap directory is stable as we have called
   # pivot_root already.
@@ -588,21 +664,24 @@
   capability sys_admin,
   # Needed for mimic construction.
   capability chown,
+  # Needed for dropping to calling user when processing per-user mounts
+  capability setuid,
+  capability setgid,
+  # Allow snap-update-ns to override file ownership and permission checks.
+  # This is required because writable mimics now preserve the permissions
+  # of the original and hence we may be asked to create a directory when the
+  # parent is a tmpfs without DAC write access.
+  capability dac_override,
 
   # Allow freezing and thawing the per-snap cgroup freezers
-  /sys/fs/cgroup/freezer/snap.###SNAP_NAME###/freezer.state rw,
+  /sys/fs/cgroup/freezer/snap.###SNAP_INSTANCE_NAME###/freezer.state rw,
 
   # Allow the content interface to bind fonts from the host filesystem
-  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/###SNAP_NAME###/*/**,
-  umount /snap/###SNAP_NAME###/*/**,
+  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/###SNAP_INSTANCE_NAME###/*/**,
+  umount /snap/###SNAP_INSTANCE_NAME###/*/**,
 
-  # Allow the desktop interface to bind fonts from the host filesystem
-  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /usr/share/fonts/,
-  umount /usr/share/fonts/,
-  mount options=(ro bind) /var/lib/snapd/hostfs/usr/local/share/fonts/ -> /usr/local/share/fonts/,
-  umount /usr/local/share/fonts/,
-  mount options=(ro bind) /var/lib/snapd/hostfs/var/cache/fontconfig/ -> /var/cache/fontconfig/,
-  umount /var/cache/fontconfig/,
+  # set up user mount namespace
+  mount options=(rslave) -> /,
 
   # Allow traversing from the root directory and several well-known places.
   # Specific directory permissions are added by snippets below.
@@ -625,6 +704,10 @@
   # sharing and propagates mount events outside of the snap namespace.
   audit deny mount -> /media,
 
+  # Commonly needed permissions for writable mimics.
+  /tmp/ r,
+  /tmp/.snap/{,**} rw,
+
 ###SNIPPETS###
 }
 `
diff -Nru snapd-2.32.3.2~14.04/interfaces/apparmor/template_vars.go snapd-2.37~rc1~14.04/interfaces/apparmor/template_vars.go
--- snapd-2.32.3.2~14.04/interfaces/apparmor/template_vars.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/apparmor/template_vars.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,10 +31,13 @@
 // apparmor template and by apparmor snippets.
 func templateVariables(info *snap.Info, securityTag string) string {
 	var buf bytes.Buffer
-	fmt.Fprintf(&buf, "@{SNAP_NAME}=\"%s\"\n", info.Name())
+	fmt.Fprintf(&buf, "# This is a snap name without the instance key\n")
+	fmt.Fprintf(&buf, "@{SNAP_NAME}=\"%s\"\n", info.SnapName())
+	fmt.Fprintf(&buf, "# This is a snap name with instance key\n")
+	fmt.Fprintf(&buf, "@{SNAP_INSTANCE_NAME}=\"%s\"\n", info.InstanceName())
 	fmt.Fprintf(&buf, "@{SNAP_REVISION}=\"%s\"\n", info.Revision)
 	fmt.Fprintf(&buf, "@{PROFILE_DBUS}=\"%s\"\n",
 		dbus.SafePath(securityTag))
-	fmt.Fprintf(&buf, "@{INSTALL_DIR}=\"/snap\"")
+	fmt.Fprintf(&buf, "@{INSTALL_DIR}=\"/{,var/lib/snapd/}snap\"")
 	return buf.String()
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/backend.go snapd-2.37~rc1~14.04/interfaces/backend.go
--- snapd-2.32.3.2~14.04/interfaces/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -91,4 +91,7 @@
 
 	// NewSpecification returns a new specification associated with this backend.
 	NewSpecification() Specification
+
+	// SandboxFeatures returns a list of tags that identify sandbox features.
+	SandboxFeatures() []string
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/backends/backends.go snapd-2.37~rc1~14.04/interfaces/backends/backends.go
--- snapd-2.32.3.2~14.04/interfaces/backends/backends.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/backends/backends.go	2019-01-16 08:36:51.000000000 +0000
@@ -37,6 +37,8 @@
 
 func backends() []interfaces.SecurityBackend {
 	all := []interfaces.SecurityBackend{
+		// Because of how the GPIO interface is implemented the systemd backend
+		// must be earlier in the sequence than the apparmor backend.
 		&systemd.Backend{},
 		&seccomp.Backend{},
 		&dbus.Backend{},
@@ -65,7 +67,7 @@
 	// When some features are missing the backend will generate more permissive
 	// profiles that keep applications operational, in forced-devmode.
 	switch release.AppArmorLevel() {
-	case release.FullAppArmor, release.PartialAppArmor:
+	case release.PartialAppArmor, release.FullAppArmor:
 		all = append(all, &apparmor.Backend{})
 	}
 	return all
diff -Nru snapd-2.32.3.2~14.04/interfaces/backends/backends_test.go snapd-2.37~rc1~14.04/interfaces/backends/backends_test.go
--- snapd-2.32.3.2~14.04/interfaces/backends/backends_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/backends/backends_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -36,7 +36,7 @@
 var _ = Suite(&backendsSuite{})
 
 func (s *backendsSuite) TestIsAppArmorEnabled(c *C) {
-	for _, level := range []release.AppArmorLevelType{release.NoAppArmor, release.PartialAppArmor, release.FullAppArmor} {
+	for _, level := range []release.AppArmorLevelType{release.NoAppArmor, release.UnusableAppArmor, release.PartialAppArmor, release.FullAppArmor} {
 		restore := release.MockAppArmorLevel(level)
 		defer restore()
 
@@ -45,11 +45,32 @@
 		for i, backend := range all {
 			names[i] = string(backend.Name())
 		}
-
-		if level == release.NoAppArmor {
+		switch level {
+		case release.NoAppArmor, release.UnusableAppArmor:
 			c.Assert(names, Not(testutil.Contains), "apparmor")
-		} else {
+		case release.PartialAppArmor, release.FullAppArmor:
 			c.Assert(names, testutil.Contains, "apparmor")
 		}
+
+	}
+}
+
+func (s *backendsSuite) TestEssentialOrdering(c *C) {
+	restore := release.MockAppArmorLevel(release.FullAppArmor)
+	defer restore()
+
+	all := backends.Backends()
+	aaIndex := -1
+	sdIndex := -1
+	for i, backend := range all {
+		switch backend.Name() {
+		case "apparmor":
+			aaIndex = i
+		case "systemd":
+			sdIndex = i
+		}
 	}
+	c.Assert(aaIndex, testutil.IntNotEqual, -1)
+	c.Assert(sdIndex, testutil.IntNotEqual, -1)
+	c.Assert(sdIndex, testutil.IntLessThan, aaIndex)
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/account_control.go snapd-2.37~rc1~14.04/interfaces/builtin/account_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/account_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/account_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -52,6 +52,9 @@
 /etc/default/nss r,
 /etc/pam.d/{,*} r,
 
+# Needed by chpasswd
+/lib/@{multiarch}/security/* ixr,
+
 # Useradd needs netlink
 network netlink raw,
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/account_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/account_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/account_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/account_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -66,11 +66,11 @@
 				},
 				Name: "app1"}},
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	plugSnap := snaptest.MockInfo(c, accountCtlMockPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["account-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *AccountControlSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/accounts_service.go snapd-2.37~rc1~14.04/interfaces/builtin/accounts_service.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/accounts_service.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/accounts_service.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,12 +56,17 @@
     peer=(label=unconfined),
 
 # Allow clients to introspect the service
+# do not use peer=(label=unconfined) here since this is DBus activated
+dbus (receive, send)
+    bus=session
+    interface=org.freedesktop.DBus.Properties
+    path=/org/gnome/OnlineAccounts{,/**}
+    member="Get{,All}",
 dbus (send)
     bus=session
     interface=org.freedesktop.DBus.Introspectable
     path=/com/ubuntu/OnlineAccounts{,/**}
-    member=Introspect
-    peer=(label=unconfined),
+    member=Introspect,
 `
 
 func init() {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/adb_support.go snapd-2.37~rc1~14.04/interfaces/builtin/adb_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/adb_support.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/adb_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,187 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/udev"
+)
+
+const adbSupportSummary = `allows operating as Android Debug Bridge service`
+
+const adbSupportBaseDeclarationSlots = `
+  adb-support:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+// adbSupportVendors contains the map of USB vendor IDs to vendor name.
+//
+// The map contains the list of vendors that make or made devices that ADB may
+// want to talk to. It was derived from https://forum.snapcraft.io/t//5443/3
+var adbSupportVendors = map[int]string{
+	0x03f0: "HP",
+	0x03fc: "ECS",
+	0x0408: "QUANTA",
+	0x0409: "NEC",
+	0x0414: "GIGABYTE",
+	0x0451: "TI",
+	0x0471: "PHILPS",
+	0x0482: "KYOCERA",
+	0x0489: "FOXCONN",
+	0x04b7: "COMPAL",
+	0x04c5: "FUJITSU",
+	0x04da: "PMC-SIERRA",
+	0x04dd: "SHARP",
+	0x04e8: "SAMSUNG",
+	0x0502: "ACER",
+	0x0531: "WACOM",
+	0x054c: "SONY",
+	0x05c6: "Qualcomm",
+	0x067e: "INTERMEC",
+	0x091e: "GARMIN-ASUS",
+	0x0930: "TOSHIBA",
+	0x0955: "NVIDIA",
+	0x0b05: "ASUS",
+	0x0bb4: "HTC",
+	0x0c2e: "HONEYWELL",
+	0x0db0: "MSI",
+	0x0e79: "ARCHOS",
+	0x0e8d: "MTK",
+	0x0f1c: "FUNAI",
+	0x0fce: "SONY ERICSSON",
+	0x1004: "LGE",
+	0x109b: "HISENSE",
+	0x10a9: "PANTECH",
+	0x1219: "COMPALCOMM",
+	0x12d1: "HUAWEI",
+	0x1662: "POSITIVO",
+	0x16d5: "ANYDATA",
+	0x17ef: "LENOVO",
+	0x18d1: "GOOGLE",
+	0x1949: "LAB126",
+	0x19a5: "HARRIS",
+	0x19d2: "ZTE",
+	0x1b8e: "AMLOGIC",
+	0x1bbb: "T_AND_A",
+	0x1d09: "TECHFAITH",
+	0x1d45: "QISDA",
+	0x1d4d: "PEGATRON",
+	0x1d91: "BYD",
+	0x1e85: "GIGASET",
+	0x1ebf: "YULONG_COOLPAD",
+	0x1f3a: "ALLWINNER",
+	0x1f53: "SK TELESYS",
+	0x2006: "LENOVOMOBILE",
+	0x201e: "HAIER",
+	0x2080: "NOOK",
+	0x2116: "KT TECH",
+	0x2207: "ROCKCHIP",
+	0x2237: "KOBO",
+	0x2257: "OTGV",
+	0x22b8: "MOTOROLA",
+	0x22d9: "OPPO",
+	0x2314: "INQ_MOBILE",
+	0x2340: "TELEEPOCH",
+	0x2420: "IRIVER",
+	0x24e3: "K-TOUCH",
+	0x25e3: "LUMIGON",
+	0x2717: "XIAOMI",
+	0x271d: "GIONEE",
+	0x2836: "OUYA",
+	0x2916: "YOTADEVICES",
+	0x297f: "EMERGING_TECH",
+	0x29a9: "SMARTISAN",
+	0x29e4: "PRESTIGIO",
+	0x2a45: "MEIZU",
+	0x2a47: "BQ",
+	0x2a49: "UNOWHY",
+	0x2ae5: "FAIRPHONE",
+	0x413c: "DELL",
+	0x8087: "INTEL", // https://twitter.com/zygoon/status/1032233406564913152
+	0xE040: "VIZIO",
+}
+
+var adbSupportConnectedPlugAppArmor = `
+# Allow adb (server) to access all usb devices and rely on the device cgroup for mediation.
+/dev/bus/usb/[0-9][0-9][0-9]/[0-9][0-9][0-9] rw,
+
+# Allow access to udev meta-data about character devices with major number 189
+# as per https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
+# those describe "USB serial converters - alternate devices".
+/run/udev/data/c189:* r,
+
+# Allow reading the serial number of all the USB devices.
+/sys/devices/**/usb*/*/serial r,
+`
+
+type adbSupportInterface struct {
+	commonInterface
+	sortedVendorIDs []int
+}
+
+func (iface *adbSupportInterface) UDevConnectedPlug(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	for _, vendorID := range iface.vendorIDs() {
+		spec.TagDevice(fmt.Sprintf("SUBSYSTEM==\"usb\", ATTR{idVendor}==\"%04x\"", vendorID))
+	}
+	return nil
+}
+
+func (iface *adbSupportInterface) UDevConnectedSlot(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, "# Concatenation of all adb-support udev rules.\n")
+	for _, vendorID := range iface.vendorIDs() {
+		fmt.Fprintf(&buf, "# %s\n", adbSupportVendors[vendorID])
+		// TODO: consider changing to 0660 once we have support for system groups.
+		fmt.Fprintf(&buf, "SUBSYSTEM==\"usb\", ATTR{idVendor}==\"%04x\", MODE=\"0666\"\n", vendorID)
+	}
+	spec.AddSnippet(buf.String())
+	return nil
+}
+
+// vendorIDs returns a sorted list of vendor IDs supported by adb interface.
+func (iface *adbSupportInterface) vendorIDs() []int {
+	if iface.sortedVendorIDs == nil {
+		vendorIDs := make([]int, 0, len(adbSupportVendors))
+		for vendorID := range adbSupportVendors {
+			vendorIDs = append(vendorIDs, vendorID)
+		}
+		sort.Ints(vendorIDs)
+		iface.sortedVendorIDs = vendorIDs
+	}
+	return iface.sortedVendorIDs
+}
+
+func init() {
+	registerIface(&adbSupportInterface{commonInterface: commonInterface{
+		name:                  "adb-support",
+		summary:               adbSupportSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  adbSupportBaseDeclarationSlots,
+		connectedPlugAppArmor: adbSupportConnectedPlugAppArmor,
+	}})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/adb_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/adb_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/adb_support_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/adb_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,156 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type adbSupportSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&adbSupportSuite{
+	iface: builtin.MustInterface("adb-support"),
+})
+
+const adbConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [adb-support]
+`
+
+const adbCoreYaml = `name: provider
+version: 0
+apps:
+ app:
+  slots: [adb-support]
+`
+
+func (s *adbSupportSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, adbConsumerYaml, nil, "adb-support")
+	s.slot, s.slotInfo = MockConnectedSlot(c, adbCoreYaml, nil, "adb-support")
+}
+
+func (s *adbSupportSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "adb-support")
+}
+
+func (s *adbSupportSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "adb-support",
+		Interface: "adb-support",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), IsNil)
+}
+
+func (s *adbSupportSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *adbSupportSuite) TestSecCompSpec(c *C) {
+	spec := &seccomp.Specification{}
+	c.Assert(spec.AddPermanentPlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	spec = &seccomp.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.slotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	spec = &seccomp.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	spec = &seccomp.Specification{}
+	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+}
+
+func (s *adbSupportSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddPermanentPlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddPermanentPlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(spec.AddPermanentSlot(s.iface, s.slotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 1)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/dev/bus/usb/[0-9][0-9][0-9]/[0-9][0-9][0-9] rw,")
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/run/udev/data/c189:* r,")
+
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+}
+
+func (s *adbSupportSuite) TestUDevSpec(c *C) {
+	spec := &udev.Specification{}
+	c.Assert(spec.AddPermanentPlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 0)
+
+	spec = &udev.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.slotInfo), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 0)
+
+	spec = &udev.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 81)
+	c.Assert(spec.Snippets(), testutil.Contains, `# adb-support
+SUBSYSTEM=="usb", ATTR{idVendor}=="0502", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# adb-support
+SUBSYSTEM=="usb", ATTR{idVendor}=="19d2", TAG+="snap_consumer_app"`)
+
+	spec = &udev.Specification{}
+	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 1)
+	c.Assert(spec.Snippets()[0], testutil.Contains, `SUBSYSTEM=="usb", ATTR{idVendor}=="0502", MODE="0666"`)
+}
+
+func (s *adbSupportSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, true)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows operating as Android Debug Bridge service`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "adb-support")
+}
+
+func (s *adbSupportSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/all.go snapd-2.37~rc1~14.04/interfaces/builtin/all.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/all.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/all.go	2019-01-16 08:36:51.000000000 +0000
@@ -68,7 +68,7 @@
 			continue
 		}
 		// Reject plug with invalid name
-		if err := interfaces.ValidateName(plugName); err != nil {
+		if err := snap.ValidatePlugName(plugName); err != nil {
 			snapInfo.BadInterfaces[plugName] = err.Error()
 			badPlugs = append(badPlugs, plugName)
 			continue
@@ -88,7 +88,7 @@
 			continue
 		}
 		// Reject slot with invalid name
-		if err := interfaces.ValidateName(slotName); err != nil {
+		if err := snap.ValidateSlotName(slotName); err != nil {
 			snapInfo.BadInterfaces[slotName] = err.Error()
 			badSlots = append(badSlots, slotName)
 			continue
@@ -121,8 +121,12 @@
 	}
 }
 
-func MockInterface(iface interfaces.Interface) {
-	allInterfaces[iface.Name()] = iface
+func MockInterface(iface interfaces.Interface) func() {
+	name := iface.Name()
+	allInterfaces[name] = iface
+	return func() {
+		delete(allInterfaces, name)
+	}
 }
 
 type byIfaceName []interfaces.Interface
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/all_test.go snapd-2.37~rc1~14.04/interfaces/builtin/all_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/all_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/all_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -196,15 +196,9 @@
 
 // pre-specification snippet functions
 type snippetDefiner1 interface {
-	ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, sec interfaces.SecuritySystem) error
-}
-type snippetDefiner2 interface {
-	ConnectedSlotSnippet(plug *interfaces.Plug, slot *interfaces.Slot, sec interfaces.SecuritySystem) error
-}
-type snippetDefiner3 interface {
 	PermanentPlugSnippet(plug *snap.PlugInfo, sec interfaces.SecuritySystem) error
 }
-type snippetDefiner4 interface {
+type snippetDefiner2 interface {
 	PermanentSlotSnippet(slot *snap.SlotInfo, sec interfaces.SecuritySystem) error
 }
 
@@ -214,209 +208,22 @@
 }
 
 type oldSanitizePlug1 interface {
-	SanitizePlug(plug *interfaces.Plug) error
-}
-type oldSanitizePlug2 interface {
 	SanitizePlug(plug *snap.PlugInfo) error
 }
 type oldSanitizeSlot1 interface {
-	SanitizeSlot(slot *interfaces.Slot) error
-}
-type oldSanitizeSlot2 interface {
 	SanitizeSlot(slot *snap.SlotInfo) error
 }
 
-// specification definers before the introduction of connection attributes
-type oldApparmorDefiner1 interface {
-	AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldApparmorDefiner2 interface {
-	AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldApparmorDefiner3 interface {
-	AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldApparmorDefiner4 interface {
-	AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldApparmorDefiner5 interface {
-	AppArmorPermanentPlug(spec *apparmor.Specification, plug *interfaces.Plug) error
-}
-type oldApparmorDefiner6 interface {
-	AppArmorPermanentSlot(spec *apparmor.Specification, slot *interfaces.Slot) error
-}
-
-type oldDbusDefiner1 interface {
-	DBusConnectedPlug(spec *dbus.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldDbusDefiner2 interface {
-	DBusConnectedSlot(spec *dbus.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldDbusDefiner3 interface {
-	DBusConnectedPlug(spec *dbus.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldDbusDefiner4 interface {
-	DBusConnectedSlot(spec *dbus.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldDbusDefiner5 interface {
-	DBusPermanentPlug(spec *dbus.Specification, plug *interfaces.Plug) error
-}
-type oldDbusDefiner6 interface {
-	DBusPermanentSlot(spec *dbus.Specification, slot *interfaces.Slot) error
-}
-
-type oldKmodDefiner1 interface {
-	KModConnectedPlug(spec *kmod.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldKmodDefiner2 interface {
-	KModConnectedSlot(spec *kmod.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldKmodDefiner3 interface {
-	KModConnectedPlug(spec *kmod.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldKmodDefiner4 interface {
-	KModConnectedSlot(spec *kmod.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldKmodDefiner5 interface {
-	KModPermanentPlug(spec *kmod.Specification, plug *interfaces.Plug) error
-}
-type oldKmodDefiner6 interface {
-	KModPermanentSlot(spec *kmod.Specification, slot *interfaces.Slot) error
-}
-
-type oldMountDefiner1 interface {
-	MountConnectedPlug(spec *mount.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldMountDefiner2 interface {
-	MountConnectedSlot(spec *mount.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldMountDefiner3 interface {
-	MountConnectedPlug(spec *mount.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldMountDefiner4 interface {
-	MountConnectedSlot(spec *mount.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldMountDefiner5 interface {
-	MountPermanentPlug(spec *mount.Specification, plug *interfaces.Plug) error
-}
-type oldMountDefiner6 interface {
-	MountPermanentSlot(spec *mount.Specification, slot *interfaces.Slot) error
-}
-
-type oldSeccompDefiner1 interface {
-	SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldSeccompDefiner2 interface {
-	SecCompConnectedSlot(spec *seccomp.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldSeccompDefiner3 interface {
-	SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldSeccompDefiner4 interface {
-	SecCompConnectedSlot(spec *seccomp.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldSeccompDefiner5 interface {
-	SecCompPermanentPlug(spec *seccomp.Specification, plug *interfaces.Plug) error
-}
-type oldSeccompDefiner6 interface {
-	SecCompPermanentSlot(spec *seccomp.Specification, slot *interfaces.Slot) error
-}
-
-type oldSystemdDefiner1 interface {
-	SystemdConnectedPlug(spec *systemd.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldSystemdDefiner2 interface {
-	SystemdConnectedSlot(spec *systemd.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldSystemdDefiner3 interface {
-	SystemdConnectedPlug(spec *systemd.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldSystemdDefiner4 interface {
-	SystemdConnectedSlot(spec *systemd.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldSystemdDefiner5 interface {
-	SystemdPermanentPlug(spec *seccomp.Specification, plug *interfaces.Plug) error
-}
-type oldSystemdDefiner6 interface {
-	SystemdPermanentSlot(spec *seccomp.Specification, slot *interfaces.Slot) error
-}
-
-type oldUdevDefiner1 interface {
-	UDevConnectedPlug(spec *udev.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldUdevDefiner2 interface {
-	UDevConnectedSlot(spec *udev.Specification, plug *interfaces.Plug, slot *interfaces.Slot) error
-}
-type oldUdevDefiner3 interface {
-	UDevConnectedPlug(spec *udev.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldUdevDefiner4 interface {
-	UDevConnectedSlot(spec *udev.Specification, plug *interfaces.Plug, plugAttrs map[string]interface{}, slot *interfaces.Slot, slotAttrs map[string]interface{}) error
-}
-type oldUdevDefiner5 interface {
-	UDevPermanentPlug(spec *udev.Specification, plug *interfaces.Plug) error
-}
-type oldUdevDefiner6 interface {
-	UDevPermanentSlot(spec *udev.Specification, slot *interfaces.Slot) error
-}
-
 // allBadDefiners contains all old/unused specification definers for all known backends.
 var allBadDefiners = []reflect.Type{
 	// pre-specification snippet methods
 	reflect.TypeOf((*snippetDefiner1)(nil)).Elem(),
 	reflect.TypeOf((*snippetDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*snippetDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*snippetDefiner4)(nil)).Elem(),
 	// old auto-connect function
 	reflect.TypeOf((*legacyAutoConnect)(nil)).Elem(),
 	// old sanitize methods
 	reflect.TypeOf((*oldSanitizePlug1)(nil)).Elem(),
-	reflect.TypeOf((*oldSanitizePlug2)(nil)).Elem(),
 	reflect.TypeOf((*oldSanitizeSlot1)(nil)).Elem(),
-	reflect.TypeOf((*oldSanitizeSlot2)(nil)).Elem(),
-	// pre-attribute definers
-	reflect.TypeOf((*oldApparmorDefiner1)(nil)).Elem(),
-	reflect.TypeOf((*oldApparmorDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*oldApparmorDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*oldApparmorDefiner4)(nil)).Elem(),
-	reflect.TypeOf((*oldApparmorDefiner5)(nil)).Elem(),
-	reflect.TypeOf((*oldApparmorDefiner6)(nil)).Elem(),
-	reflect.TypeOf((*oldDbusDefiner1)(nil)).Elem(),
-	reflect.TypeOf((*oldDbusDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*oldDbusDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*oldDbusDefiner4)(nil)).Elem(),
-	reflect.TypeOf((*oldDbusDefiner5)(nil)).Elem(),
-	reflect.TypeOf((*oldDbusDefiner6)(nil)).Elem(),
-	reflect.TypeOf((*oldKmodDefiner1)(nil)).Elem(),
-	reflect.TypeOf((*oldKmodDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*oldKmodDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*oldKmodDefiner4)(nil)).Elem(),
-	reflect.TypeOf((*oldKmodDefiner5)(nil)).Elem(),
-	reflect.TypeOf((*oldKmodDefiner6)(nil)).Elem(),
-	reflect.TypeOf((*oldMountDefiner1)(nil)).Elem(),
-	reflect.TypeOf((*oldMountDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*oldMountDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*oldMountDefiner4)(nil)).Elem(),
-	reflect.TypeOf((*oldMountDefiner5)(nil)).Elem(),
-	reflect.TypeOf((*oldMountDefiner6)(nil)).Elem(),
-	reflect.TypeOf((*oldSeccompDefiner1)(nil)).Elem(),
-	reflect.TypeOf((*oldSeccompDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*oldSeccompDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*oldSeccompDefiner4)(nil)).Elem(),
-	reflect.TypeOf((*oldSeccompDefiner5)(nil)).Elem(),
-	reflect.TypeOf((*oldSeccompDefiner6)(nil)).Elem(),
-	reflect.TypeOf((*oldSystemdDefiner1)(nil)).Elem(),
-	reflect.TypeOf((*oldSystemdDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*oldSystemdDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*oldSystemdDefiner4)(nil)).Elem(),
-	reflect.TypeOf((*oldSystemdDefiner5)(nil)).Elem(),
-	reflect.TypeOf((*oldSystemdDefiner6)(nil)).Elem(),
-	reflect.TypeOf((*oldUdevDefiner1)(nil)).Elem(),
-	reflect.TypeOf((*oldUdevDefiner2)(nil)).Elem(),
-	reflect.TypeOf((*oldUdevDefiner3)(nil)).Elem(),
-	reflect.TypeOf((*oldUdevDefiner4)(nil)).Elem(),
-	reflect.TypeOf((*oldUdevDefiner5)(nil)).Elem(),
-	reflect.TypeOf((*oldUdevDefiner6)(nil)).Elem(),
 }
 
 // Check that no interface defines older definer methods.
@@ -498,10 +305,10 @@
 	})
 	defer restore()
 
-	snapInfo := snaptest.MockInfo(c, testConsumerInvalidSlotNameYaml, nil)
+	snapInfo := snaptest.MockInvalidInfo(c, testConsumerInvalidSlotNameYaml, nil)
 	snap.SanitizePlugsSlots(snapInfo)
 	c.Assert(snapInfo.BadInterfaces, HasLen, 1)
-	c.Check(snap.BadInterfacesSummary(snapInfo), Matches, `snap "consumer" has bad plugs or slots: ttyS5 \(invalid interface name: "ttyS5"\)`)
+	c.Check(snap.BadInterfacesSummary(snapInfo), Matches, `snap "consumer" has bad plugs or slots: ttyS5 \(invalid slot name: "ttyS5"\)`)
 }
 
 func (s *AllSuite) TestSanitizeErrorsOnInvalidPlugNames(c *C) {
@@ -510,10 +317,10 @@
 	})
 	defer restore()
 
-	snapInfo := snaptest.MockInfo(c, testConsumerInvalidPlugNameYaml, nil)
+	snapInfo := snaptest.MockInvalidInfo(c, testConsumerInvalidPlugNameYaml, nil)
 	snap.SanitizePlugsSlots(snapInfo)
 	c.Assert(snapInfo.BadInterfaces, HasLen, 1)
-	c.Check(snap.BadInterfacesSummary(snapInfo), Matches, `snap "consumer" has bad plugs or slots: ttyS3 \(invalid interface name: "ttyS3"\)`)
+	c.Check(snap.BadInterfacesSummary(snapInfo), Matches, `snap "consumer" has bad plugs or slots: ttyS3 \(invalid plug name: "ttyS3"\)`)
 }
 
 func (s *AllSuite) TestSanitizeErrorsOnInvalidSlotInterface(c *C) {
@@ -590,7 +397,7 @@
 		for _, sig := range sigs {
 			meth, ok := ifaceType.MethodByName(sig.name)
 			if !ok {
-				// all specificiation methods are optional.
+				// all specification methods are optional.
 				continue
 			}
 			methType := meth.Type
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/alsa_test.go snapd-2.37~rc1~14.04/interfaces/builtin/alsa_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/alsa_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/alsa_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -105,8 +105,7 @@
 }
 
 func (s *AlsaInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *AlsaInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/autopilot_test.go snapd-2.37~rc1~14.04/interfaces/builtin/autopilot_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/autopilot_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/autopilot_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "autopilot-introspection",
 		Interface: "autopilot-introspection",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, mockAutopilotPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["autopilot-introspection"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *AutopilotInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/avahi_control.go snapd-2.37~rc1~14.04/interfaces/builtin/avahi_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/avahi_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/avahi_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -165,7 +165,7 @@
 	return nil
 }
 
-func (iface *avahiControlInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *avahiControlInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/avahi_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/avahi_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/avahi_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/avahi_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -192,9 +192,8 @@
 }
 
 func (s *AvahiControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.coreSlotInfo}), Equals, true)
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.appSlotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.coreSlotInfo), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.appSlotInfo), Equals, true)
 }
 
 func (s *AvahiControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/avahi_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/avahi_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/avahi_observe.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/avahi_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -45,6 +45,10 @@
 const avahiObservePermanentSlotAppArmor = `
 network netlink,
 
+# Allow access to daemon to create socket
+/{,var/}run/avahi-daemon/  w,
+/{,var/}run/avahi-daemon/{pid,socket} rw,
+
 # Description: Allow operating as the avahi service. This gives
 # privileged access to the system.
 #include <abstractions/dbus-strict>
@@ -232,6 +236,8 @@
 # Description: allows domain, record, service, and service type browsing
 # as well as address, host and service resolving
 
+/{,var/}run/avahi-daemon/socket rw,
+
 #include <abstractions/dbus-strict>
 dbus (send)
     bus=system
@@ -256,12 +262,12 @@
 
 # Don't allow introspection since it reveals too much (path is not service
 # specific for unconfined)
+# do not use peer=(label=unconfined) here since this is DBus activated
 #dbus (send)
 #    bus=system
 #    path=/
 #    interface=org.freedesktop.DBus.Introspectable
-#    member=Introspect
-#    peer=(label=unconfined),
+#    member=Introspect,
 
 # These allows tampering with other snap's browsers, so don't autoconnect for
 # now.
@@ -460,7 +466,7 @@
 	return nil
 }
 
-func (iface *avahiObserveInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *avahiObserveInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/avahi_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/avahi_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/avahi_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/avahi_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -192,9 +192,8 @@
 }
 
 func (s *AvahiObserveInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.coreSlotInfo}), Equals, true)
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.appSlotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.coreSlotInfo), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.appSlotInfo), Equals, true)
 }
 
 func (s *AvahiObserveInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/bluetooth_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/bluetooth_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/bluetooth_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/bluetooth_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -64,10 +64,10 @@
 				},
 				Name: "app1"}},
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, btcontrolMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["bluetooth-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *BluetoothControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/bluez.go snapd-2.37~rc1~14.04/interfaces/builtin/bluez.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/bluez.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/bluez.go	2019-01-16 08:36:51.000000000 +0000
@@ -48,79 +48,91 @@
 # Description: Allow operating as the bluez service. This gives privileged
 # access to the system.
 
-  network bluetooth,
+network bluetooth,
 
-  capability net_admin,
-  capability net_bind_service,
+capability net_admin,
+capability net_bind_service,
 
-  # libudev
-  network netlink raw,
+# libudev
+network netlink raw,
+
+# File accesses
+/sys/bus/usb/drivers/btusb/     r,
+/sys/bus/usb/drivers/btusb/**   r,
+/sys/class/bluetooth/           r,
+/sys/devices/**/bluetooth/      rw,
+/sys/devices/**/bluetooth/**    rw,
+/sys/devices/**/id/chassis_type r,
+
+# TODO: use snappy hardware assignment for this once LP: #1498917 is fixed
+/dev/rfkill rw,
+
+# DBus accesses
+#include <abstractions/dbus-strict>
+dbus (send)
+   bus=system
+   path=/org/freedesktop/DBus
+   interface=org.freedesktop.DBus
+   member={Request,Release}Name
+   peer=(name=org.freedesktop.DBus, label=unconfined),
+
+dbus (send)
+  bus=system
+  path=/org/freedesktop/*
+  interface=org.freedesktop.DBus.Properties
+  peer=(label=unconfined),
+
+# Allow binding the service to the requested connection name
+dbus (bind)
+    bus=system
+    name="org.bluez",
+
+# Allow binding the service to the requested connection name
+dbus (bind)
+    bus=system
+    name="org.bluez.obex",
+
+# Allow traffic to/from our interface with any method for unconfined clients
+# to talk to our bluez services. For the org.bluez interface we don't specify
+# an Object Path since according to the bluez specification these can be
+# anything (https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/doc).
+dbus (receive, send)
+    bus=system
+    interface=org.bluez.*
+    peer=(label=unconfined),
+dbus (receive, send)
+    bus=system
+    path=/org/bluez{,/**}
+    interface=org.freedesktop.DBus.*
+    peer=(label=unconfined),
 
-  # File accesses
-  /sys/bus/usb/drivers/btusb/     r,
-  /sys/bus/usb/drivers/btusb/**   r,
-  /sys/class/bluetooth/           r,
-  /sys/devices/**/bluetooth/      rw,
-  /sys/devices/**/bluetooth/**    rw,
-  /sys/devices/**/id/chassis_type r,
-
-  # TODO: use snappy hardware assignment for this once LP: #1498917 is fixed
-  /dev/rfkill rw,
-
-  # DBus accesses
-  #include <abstractions/dbus-strict>
-  dbus (send)
-     bus=system
-     path=/org/freedesktop/DBus
-     interface=org.freedesktop.DBus
-     member={Request,Release}Name
-     peer=(name=org.freedesktop.DBus, label=unconfined),
+# Allow traffic to/from org.freedesktop.DBus for bluez service. This rule is
+# not snap-specific and grants privileged access to the org.freedesktop.DBus
+# on the system bus.
+dbus (receive, send)
+    bus=system
+    path=/
+    interface=org.freedesktop.DBus.*
+    peer=(label=unconfined),
 
-  dbus (send)
+# Allow access to hostname system service
+dbus (receive, send)
     bus=system
-    path=/org/freedesktop/*
+    path=/org/freedesktop/hostname1
     interface=org.freedesktop.DBus.Properties
     peer=(label=unconfined),
 
-  # Allow binding the service to the requested connection name
-  dbus (bind)
-      bus=system
-      name="org.bluez",
-
-  # Allow binding the service to the requested connection name
-  dbus (bind)
-      bus=system
-      name="org.bluez.obex",
-
-  # Allow traffic to/from our interface with any method for unconfined clients
-  # to talk to our bluez services. For the org.bluez interface we don't specify
-  # an Object Path since according to the bluez specification these can be
-  # anything (https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/doc).
-  dbus (receive, send)
-      bus=system
-      interface=org.bluez.*
-      peer=(label=unconfined),
-  dbus (receive, send)
-      bus=system
-      path=/org/bluez{,/**}
-      interface=org.freedesktop.DBus.*
-      peer=(label=unconfined),
-
-  # Allow traffic to/from org.freedesktop.DBus for bluez service. This rule is
-  # not snap-specific and grants privileged access to the org.freedesktop.DBus
-  # on the system bus.
-  dbus (receive, send)
-      bus=system
-      path=/
-      interface=org.freedesktop.DBus.*
-      peer=(label=unconfined),
-
-  # Allow access to hostname system service
-  dbus (receive, send)
-      bus=system
-      path=/org/freedesktop/hostname1
-      interface=org.freedesktop.DBus.Properties
-      peer=(label=unconfined),
+# do not use peer=(label=unconfined) here since this is DBus activated
+dbus (send)
+    bus=system
+    path=/org/freedesktop/hostname1
+    interface=org.freedesktop.DBus.Properties
+    member="Get{,All}",
+dbus (send)
+    bus=system
+    path=/org/freedesktop/hostname1
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect,
 `
 
 const bluezConnectedSlotAppArmor = `
@@ -262,7 +274,7 @@
 	return nil
 }
 
-func (iface *bluezInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *bluezInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/bluez_test.go snapd-2.37~rc1~14.04/interfaces/builtin/bluez_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/bluez_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/bluez_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -265,9 +265,8 @@
 }
 
 func (s *BluezInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.coreSlotInfo}), Equals, true)
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.appSlotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.coreSlotInfo), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.appSlotInfo), Equals, true)
 }
 
 func (s *BluezInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/bool_file.go snapd-2.37~rc1~14.04/interfaces/builtin/bool_file.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/bool_file.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/bool_file.go	2019-01-16 08:36:51.000000000 +0000
@@ -138,7 +138,7 @@
 // candidate and declaration-based checks allow.
 //
 // By default we allow what declarations allowed.
-func (iface *boolFileInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *boolFileInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	return true
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/bool_file_test.go snapd-2.37~rc1~14.04/interfaces/builtin/bool_file_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/bool_file_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/bool_file_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -98,21 +98,21 @@
     bad-interface-plug: other-interface
 `, &snap.SideInfo{})
 	s.gpioSlotInfo = info.Slots["gpio"]
-	s.gpioSlot = interfaces.NewConnectedSlot(s.gpioSlotInfo, nil)
+	s.gpioSlot = interfaces.NewConnectedSlot(s.gpioSlotInfo, nil, nil)
 	s.ledSlotInfo = info.Slots["led"]
-	s.ledSlot = interfaces.NewConnectedSlot(s.ledSlotInfo, nil)
+	s.ledSlot = interfaces.NewConnectedSlot(s.ledSlotInfo, nil, nil)
 	s.missingPathSlotInfo = info.Slots["missing-path"]
-	s.missingPathSlot = interfaces.NewConnectedSlot(s.missingPathSlotInfo, nil)
+	s.missingPathSlot = interfaces.NewConnectedSlot(s.missingPathSlotInfo, nil, nil)
 	s.badPathSlotInfo = info.Slots["bad-path"]
-	s.badPathSlot = interfaces.NewConnectedSlot(s.badPathSlotInfo, nil)
+	s.badPathSlot = interfaces.NewConnectedSlot(s.badPathSlotInfo, nil, nil)
 	s.parentDirPathSlotInfo = info.Slots["parent-dir-path"]
-	s.parentDirPathSlot = interfaces.NewConnectedSlot(s.parentDirPathSlotInfo, nil)
+	s.parentDirPathSlot = interfaces.NewConnectedSlot(s.parentDirPathSlotInfo, nil, nil)
 	s.badInterfaceSlotInfo = info.Slots["bad-interface-slot"]
-	s.badInterfaceSlot = interfaces.NewConnectedSlot(s.badInterfaceSlotInfo, nil)
+	s.badInterfaceSlot = interfaces.NewConnectedSlot(s.badInterfaceSlotInfo, nil, nil)
 	s.plugInfo = plugSnapinfo.Plugs["plug"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	s.badInterfacePlugInfo = info.Plugs["bad-interface-plug"]
-	s.badInterfacePlug = interfaces.NewConnectedPlug(s.badInterfacePlugInfo, nil)
+	s.badInterfacePlug = interfaces.NewConnectedPlug(s.badInterfacePlugInfo, nil, nil)
 }
 
 // TODO: add test for permanent slot when we have hook support.
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/broadcom_asic_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/broadcom_asic_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/broadcom_asic_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/broadcom_asic_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -53,7 +53,7 @@
 `
 	info := snaptest.MockInfo(c, producerYaml, nil)
 	s.slotInfo = info.Slots["broadcom-asic-control"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	const consumerYaml = `name: consumer
 version: 0
@@ -63,7 +63,7 @@
 `
 	info = snaptest.MockInfo(c, consumerYaml, nil)
 	s.plugInfo = info.Plugs["broadcom-asic-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *BroadcomAsicControlSuite) TestName(c *C) {
@@ -120,8 +120,7 @@
 }
 
 func (s *BroadcomAsicControlSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *BroadcomAsicControlSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/browser_support.go snapd-2.37~rc1~14.04/interfaces/builtin/browser_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/browser_support.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/browser_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,8 +57,8 @@
 /var/tmp/ r,
 owner /var/tmp/etilqs_* rw,
 
-# Chrome/Chromium should be modified to use snap.$SNAP_NAME.* or the snap
-# packaging adjusted to use LD_PRELOAD technique from LP: #1577514
+# Chrome/Chromium should be modified to use snap.$SNAP_INSTANCE_NAME.* or
+# the snap packaging adjusted to use LD_PRELOAD technique from LP: #1577514
 owner /{dev,run}/shm/{,.}org.chromium.* mrw,
 owner /{dev,run}/shm/{,.}com.google.Chrome.* mrw,
 owner /{dev,run}/shm/.io.nwjs.* mrw,
@@ -66,8 +66,9 @@
 # Chrome's Singleton API sometimes causes an ouid/fsuid mismatch denial, so
 # for now, allow non-owner read on the singleton socket (LP: #1731012). See
 # https://forum.snapcraft.io/t/electron-snap-killed-when-using-app-makesingleinstance-api/2667/20
-/run/user/[0-9]*/snap.@{SNAP_NAME}/{,.}org.chromium.*/SS r,
-/run/user/[0-9]*/snap.@{SNAP_NAME}/{,.}com.google.Chrome.*/SS r,
+# parallel-installs: $XDG_RUNTIME_DIR is not remapped, need to use SNAP_INSTANCE_NAME
+/run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/{,.}org.chromium.*/SS r,
+/run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/{,.}com.google.Chrome.*/SS r,
 
 # Allow reading platform files
 /run/udev/data/+platform:* r,
@@ -105,19 +106,6 @@
 deny capability mknod,
 `
 
-const browserSupportConnectedPlugAppArmorWithoutSandbox = `
-# ptrace can be used to break out of the seccomp sandbox, but ps requests
-# 'ptrace (trace)' even though it isn't tracing other processes. Unfortunately,
-# this is due to the kernel overloading trace such that the LSMs are unable to
-# distinguish between tracing other processes and other accesses. We deny the
-# trace here to silence the log.
-# Note: for now, explicitly deny to avoid confusion and accidentally giving
-# away this dangerous access frivolously. We may conditionally deny this in the
-# future. If the kernel has https://lkml.org/lkml/2016/5/26/354 we could also
-# allow this.
-deny ptrace (trace) peer=snap.@{SNAP_NAME}.**,
-`
-
 const browserSupportConnectedPlugAppArmorWithSandbox = `
 # Leaks installed applications
 # TODO: should this be somewhere else?
@@ -191,7 +179,7 @@
 /run/udev/data/b252:[0-9]* r,
 /run/udev/data/b253:[0-9]* r,
 /run/udev/data/b259:[0-9]* r,
-/run/udev/data/c24[2-9]:[0-9]* r,
+/run/udev/data/c24[0-9]:[0-9]* r,
 /run/udev/data/c25[0-4]:[0-9]* r,
 
 /sys/bus/**/devices/ r,
@@ -203,8 +191,8 @@
 
 # Policy needed only when using the chrome/chromium setuid sandbox
 capability sys_ptrace,
-ptrace (trace) peer=snap.@{SNAP_NAME}.**,
-unix (receive, send) peer=(label=snap.@{SNAP_NAME}.**),
+ptrace (trace) peer=snap.@{SNAP_INSTANCE_NAME}.**,
+unix (receive, send) peer=(label=snap.@{SNAP_INSTANCE_NAME}.**),
 
 # If this were going to be allowed to all snaps, then for all the following
 # rules we would want to wrap in a 'browser_sandbox' profile, but a limitation
@@ -214,7 +202,8 @@
 # profile browser_sandbox {
 #   ...
 #   # This rule needs to work but generates a parser error
-#   @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/opt/google/chrome/chrome px -> snap.@{SNAP_NAME}.@{SNAP_APP},
+#   @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/opt/google/chrome/chrome px -> snap.@{SNAP_INSTANCE_NAME}.@{SNAP_APP},
+#   @{INSTALL_DIR}/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/opt/google/chrome/chrome px -> snap.@{SNAP_INSTANCE_NAME}.@{SNAP_APP},
 #   ...
 # }
 
@@ -283,6 +272,23 @@
 # Policy needed for Mozilla userns sandbox
 unshare
 quotactl
+
+# The Breakpad crash reporter uses ptrace to read register/memory state
+# from the crashed process, but it doesn't need to modify any state; see
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1461848.
+#
+# These rules allow that but don't allow ptrace operations that
+# write registers, which can be used to bypass security; see
+# https://lkml.org/lkml/2016/5/26/354.
+ptrace PTRACE_ATTACH
+ptrace PTRACE_DETACH
+ptrace PTRACE_GETREGS
+ptrace PTRACE_GETFPREGS
+ptrace PTRACE_GETFPXREGS
+ptrace PTRACE_GETREGSET
+ptrace PTRACE_PEEKDATA
+ptrace PTRACE_PEEKUSER
+ptrace PTRACE_CONT
 `
 
 type browserSupportInterface struct{}
@@ -319,7 +325,7 @@
 	if allowSandbox {
 		spec.AddSnippet(browserSupportConnectedPlugAppArmorWithSandbox)
 	} else {
-		spec.AddSnippet(browserSupportConnectedPlugAppArmorWithoutSandbox)
+		spec.SetSuppressPtraceTrace()
 	}
 	return nil
 }
@@ -335,7 +341,7 @@
 	return nil
 }
 
-func (iface *browserSupportInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *browserSupportInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	return true
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/browser_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/browser_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/browser_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/browser_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "browser-support",
 		Interface: "browser-support",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, browserMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["browser-support"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *BrowserSupportInterfaceSuite) TestName(c *C) {
@@ -108,7 +108,6 @@
 	snippet := apparmorSpec.SnippetForTag("snap.other.app2")
 	c.Assert(string(snippet), testutil.Contains, `# Description: Can access various APIs needed by modern browsers`)
 	c.Assert(string(snippet), Not(testutil.Contains), `capability sys_admin,`)
-	c.Assert(string(snippet), testutil.Contains, `deny ptrace (trace) peer=snap.@{SNAP_NAME}.**`)
 
 	seccompSpec := &seccomp.Specification{}
 	err = seccompSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
@@ -132,7 +131,7 @@
 `
 
 	info := snaptest.MockInfo(c, mockSnapYaml, nil)
-	plug := interfaces.NewConnectedPlug(info.Plugs["browser-support"], nil)
+	plug := interfaces.NewConnectedPlug(info.Plugs["browser-support"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot)
@@ -141,7 +140,6 @@
 	snippet := apparmorSpec.SnippetForTag("snap.browser-support-plug-snap.app2")
 	c.Assert(snippet, testutil.Contains, `# Description: Can access various APIs needed by modern browsers`)
 	c.Assert(snippet, Not(testutil.Contains), `capability sys_admin,`)
-	c.Assert(snippet, testutil.Contains, `deny ptrace (trace) peer=snap.@{SNAP_NAME}.**`)
 
 	seccompSpec := &seccomp.Specification{}
 	err = seccompSpec.AddConnectedPlug(s.iface, plug, s.slot)
@@ -164,7 +162,7 @@
   plugs: [browser-support]
 `
 	info := snaptest.MockInfo(c, mockSnapYaml, nil)
-	plug := interfaces.NewConnectedPlug(info.Plugs["browser-support"], nil)
+	plug := interfaces.NewConnectedPlug(info.Plugs["browser-support"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot)
@@ -172,8 +170,7 @@
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.browser-support-plug-snap.app2"})
 	snippet := apparmorSpec.SnippetForTag("snap.browser-support-plug-snap.app2")
 	c.Assert(snippet, testutil.Contains, `# Description: Can access various APIs needed by modern browsers`)
-	c.Assert(snippet, testutil.Contains, `ptrace (trace) peer=snap.@{SNAP_NAME}.**`)
-	c.Assert(snippet, Not(testutil.Contains), `deny ptrace (trace) peer=snap.@{SNAP_NAME}.**`)
+	c.Assert(snippet, testutil.Contains, `ptrace (trace) peer=snap.@{SNAP_INSTANCE_NAME}.**`)
 
 	seccompSpec := &seccomp.Specification{}
 	err = seccompSpec.AddConnectedPlug(s.iface, plug, s.slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/calendar_service.go snapd-2.37~rc1~14.04/interfaces/builtin/calendar_service.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/calendar_service.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/calendar_service.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,142 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"github.com/snapcore/snapd/release"
+)
+
+const calendarServiceSummary = `allows communication with Evolution Data Service Calendar`
+
+const calendarServiceBaseDeclarationSlots = `
+  calendar-service:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const calendarServiceConnectedPlugAppArmor = `
+# Description: Allow access to Evolution Data Service for calendars
+
+#include <abstractions/dbus-session-strict>
+
+# Allow use of ObjectManager APIs, used to enumerate sources
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.ObjectManager
+	path=/org/gnome/evolution/dataserver{,/**}
+	peer=(label=unconfined),
+
+# Allow access to properties on sources
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/Calendar{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/CalendarFactory
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/CalendarView{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/Subprocess{,/**}
+	peer=(label=unconfined),
+# Allow access to methods
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.Calendar
+	path=/org/gnome/evolution/dataserver/{Subprocess,Calendar}{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.CalendarFactory
+	path=/org/gnome/evolution/dataserver/CalendarFactory
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.CalendarView
+	path=/org/gnome/evolution/dataserver/CalendarView{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.Source
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.Source.Removable
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.SourceManager
+	path=/org/gnome/evolution/dataserver/SourceManager
+	peer=(label=unconfined),
+
+# Allow clients to introspect the service
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/Calendar{,/**}
+	member=Introspect
+	peer=(label=unconfined),
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/CalendarFactory
+	member=Introspect
+	peer=(label=unconfined),
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/CalendarView{,/**}
+	member=Introspect
+	peer=(label=unconfined),
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	member=Introspect
+	peer=(label=unconfined),
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "calendar-service",
+		summary:               calendarServiceSummary,
+		implicitOnClassic:     !(release.ReleaseInfo.ID == "ubuntu" && release.ReleaseInfo.VersionID == "14.04"),
+		reservedForOS:         true,
+		baseDeclarationSlots:  calendarServiceBaseDeclarationSlots,
+		connectedPlugAppArmor: calendarServiceConnectedPlugAppArmor,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/calendar_service_test.go snapd-2.37~rc1~14.04/interfaces/builtin/calendar_service_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/calendar_service_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/calendar_service_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,93 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type CalendarServiceInterfaceSuite struct {
+	iface    interfaces.Interface
+	slot     *interfaces.ConnectedSlot
+	slotInfo *snap.SlotInfo
+	plug     *interfaces.ConnectedPlug
+	plugInfo *snap.PlugInfo
+}
+
+var _ = Suite(&CalendarServiceInterfaceSuite{
+	iface: builtin.MustInterface("calendar-service"),
+})
+
+func (s *CalendarServiceInterfaceSuite) SetUpTest(c *C) {
+	const coreYaml = `name: core
+version: 0
+type: os
+slots:
+ calendar-service:
+  interface: calendar-service
+`
+	s.slot, s.slotInfo = MockConnectedSlot(c, coreYaml, nil, "calendar-service")
+
+	var consumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [calendar-service]
+`
+	s.plug, s.plugInfo = MockConnectedPlug(c, consumerYaml, nil, "calendar-service")
+}
+
+func (s *CalendarServiceInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "calendar-service")
+}
+
+func (s *CalendarServiceInterfaceSuite) TestSanitize(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+}
+
+func (s *CalendarServiceInterfaceSuite) TestAppArmorConnectedPlug(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 1)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.Source`)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.Calendar`)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.CalendarFactory`)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.CalendarView`)
+}
+
+func (s *CalendarServiceInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Check(si.ImplicitOnCore, Equals, false)
+	c.Check(si.ImplicitOnClassic, Equals, !(release.ReleaseInfo.ID == "ubuntu" && release.ReleaseInfo.VersionID == "14.04"))
+	c.Check(si.Summary, Equals, "allows communication with Evolution Data Service Calendar")
+	c.Check(si.BaseDeclarationSlots, testutil.Contains, "calendar-service")
+}
+
+func (s *CalendarServiceInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/camera.go snapd-2.37~rc1~14.04/interfaces/builtin/camera.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/camera.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/camera.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,8 +35,13 @@
 
 # Allow detection of cameras. Leaks plugged in USB device info
 /sys/bus/usb/devices/ r,
+/sys/devices/pci**/usb*/**/busnum r,
+/sys/devices/pci**/usb*/**/devnum r,
 /sys/devices/pci**/usb*/**/idVendor r,
 /sys/devices/pci**/usb*/**/idProduct r,
+/sys/devices/pci**/usb*/**/interface r,
+/sys/devices/pci**/usb*/**/modalias r,
+/sys/devices/pci**/usb*/**/speed r,
 /run/udev/data/c81:[0-9]* r, # video4linux (/dev/video*, etc)
 /sys/class/video4linux/ r,
 /sys/devices/pci**/usb*/**/video4linux/** r,
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/camera_test.go snapd-2.37~rc1~14.04/interfaces/builtin/camera_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/camera_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/camera_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -105,8 +105,7 @@
 }
 
 func (s *CameraInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *CameraInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/can_bus.go snapd-2.37~rc1~14.04/interfaces/builtin/can_bus.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/can_bus.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/can_bus.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,56 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const canBusSummary = `allows access to the CAN bus`
+
+const canBusBaseDeclarationSlots = `
+  can-bus:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const canBusConnectedPlugAppArmor = `
+# Description: Can use CAN networking
+network can,
+`
+
+const canBusConnectedPlugSecComp = `
+# Description: Can use CAN networking
+bind
+
+# We allow AF_CAN in the default template since it is mediated via the AppArmor rule
+#socket AF_CAN
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "can-bus",
+		summary:               canBusSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  canBusBaseDeclarationSlots,
+		connectedPlugAppArmor: canBusConnectedPlugAppArmor,
+		connectedPlugSecComp:  canBusConnectedPlugSecComp,
+		reservedForOS:         true,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/can_bus_test.go snapd-2.37~rc1~14.04/interfaces/builtin/can_bus_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/can_bus_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/can_bus_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,107 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type CanBusInterfaceSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&CanBusInterfaceSuite{
+	iface: builtin.MustInterface("can-bus"),
+})
+
+const canBusConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [can-bus]
+`
+
+const canBusCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  can-bus:
+`
+
+func (s *CanBusInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, canBusConsumerYaml, nil, "can-bus")
+	s.slot, s.slotInfo = MockConnectedSlot(c, canBusCoreYaml, nil, "can-bus")
+}
+
+func (s *CanBusInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "can-bus")
+}
+
+func (s *CanBusInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "can-bus",
+		Interface: "can-bus",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"can-bus slots are reserved for the core snap")
+}
+
+func (s *CanBusInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *CanBusInterfaceSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "network can,\n")
+}
+
+func (s *CanBusInterfaceSuite) TestSecCompSpec(c *C) {
+	spec := &seccomp.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "bind\n")
+}
+
+func (s *CanBusInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, true)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows access to the CAN bus`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "can-bus")
+}
+
+func (s *CanBusInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/cifs_mount.go snapd-2.37~rc1~14.04/interfaces/builtin/cifs_mount.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/cifs_mount.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/cifs_mount.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,78 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const cifsMountSummary = `allows mounting and unmounting CIFS filesystems`
+
+const cifsMountBaseDeclarationSlots = `
+  cifs-mount:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const cifsMountConnectedPlugSecComp = `
+# Description: Allow mount and umount syscall access.
+mount
+umount
+umount2
+`
+
+const cifsMountConnectedPlugAppArmor = `
+# Description: Allow mounting and unmounting CIFS filesystems.
+
+# Required for mounts and unmounts
+capability sys_admin,
+
+# Allow mounts to our snap-specific writable directories
+# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
+# completeness allow SNAP_INSTANCE_NAME too
+mount fstype=cifs //** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**},
+mount fstype=cifs //** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**},
+
+# NOTE: due to LP: #1613403, fstype is not mediated and as such, these rules
+# allow, for example, unmounting bind mounts from the content interface
+# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
+# completeness allow SNAP_INSTANCE_NAME too
+umount /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**},
+umount /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**},
+
+# Due to an unsolved issue with namespace awareness of libmount the unmount tries to access
+# /run/mount/utab but fails. The resulting apparmor warning can be ignored. The log warning
+# was not removed via an explicit deny to not interfere with other interfaces which might
+# decide to allow access (deny rules have precedence).
+#  - https://github.com/snapcore/snapd/pull/5340#issuecomment-398071797
+#  - https://forum.snapcraft.io/t/namespace-awareness-of-run-mount-utab-and-libmount/5987
+#deny /run/mount/utab w,
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "cifs-mount",
+		summary:               cifsMountSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  cifsMountBaseDeclarationSlots,
+		connectedPlugAppArmor: cifsMountConnectedPlugAppArmor,
+		connectedPlugSecComp:  cifsMountConnectedPlugSecComp,
+		reservedForOS:         true,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/cifs_mount_test.go snapd-2.37~rc1~14.04/interfaces/builtin/cifs_mount_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/cifs_mount_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/cifs_mount_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,107 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type CifsMountInterfaceSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+const cifsMountConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [cifs-mount]
+`
+
+const cifsMountCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  cifs-mount:
+`
+
+var _ = Suite(&CifsMountInterfaceSuite{
+	iface: builtin.MustInterface("cifs-mount"),
+})
+
+func (s *CifsMountInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, cifsMountConsumerYaml, nil, "cifs-mount")
+	s.slot, s.slotInfo = MockConnectedSlot(c, cifsMountCoreYaml, nil, "cifs-mount")
+}
+
+func (s *CifsMountInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "cifs-mount")
+}
+
+func (s *CifsMountInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "cifs-mount",
+		Interface: "cifs-mount",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"cifs-mount slots are reserved for the core snap")
+}
+
+func (s *CifsMountInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *CifsMountInterfaceSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `#deny /run/mount/utab w,`)
+}
+
+func (s *CifsMountInterfaceSuite) TestSecCompSpec(c *C) {
+	spec := &seccomp.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "umount2\n")
+}
+
+func (s *CifsMountInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, true)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows mounting and unmounting CIFS filesystems`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "cifs-mount")
+}
+
+func (s *CifsMountInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/classic_support.go snapd-2.37~rc1~14.04/interfaces/builtin/classic_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/classic_support.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/classic_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -65,18 +65,20 @@
 /{,usr/}bin/mountpoint ixr,
 /run/mount/utab rw,
 @{PROC}/[0-9]*/mountinfo r,
-mount options=(rw bind) /home/ -> /var/snap/@{SNAP_NAME}/**/,
-mount options=(rw bind) /run/ -> /var/snap/@{SNAP_NAME}/**/,
-mount options=(rw bind) /proc/ -> /var/snap/@{SNAP_NAME}/**/,
-mount options=(rw bind) /sys/ -> /var/snap/@{SNAP_NAME}/**/,
-mount options=(rw bind) /dev/ -> /var/snap/@{SNAP_NAME}/**/,
-mount options=(rw bind) / -> /var/snap/@{SNAP_NAME}/**/,
+# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
+# completeness allow SNAP_INSTANCE_NAME too
+mount options=(rw bind) /home/ -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
+mount options=(rw bind) /run/ -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
+mount options=(rw bind) /proc/ -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
+mount options=(rw bind) /sys/ -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
+mount options=(rw bind) /dev/ -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
+mount options=(rw bind) / -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
 mount fstype=devpts options=(rw) devpts -> /dev/pts/,
-mount options=(rw rprivate) -> /var/snap/@{SNAP_NAME}/**/,
+mount options=(rw rprivate) -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
 
 # reset
 /{,usr/}bin/umount ixr,
-umount /var/snap/@{SNAP_NAME}/**/,
+umount /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**/,
 
 # These rules allow running anything unconfined as well as managing systemd
 /usr/bin/systemd-run Uxr,
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/classic_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/classic_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/classic_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/classic_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "classic-support",
 		Interface: "classic-support",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, classicSupportMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["classic-support"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *ClassicSupportInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/common_files.go snapd-2.37~rc1~14.04/interfaces/builtin/common_files.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/common_files.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/common_files.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,166 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"bytes"
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/snap"
+)
+
+type commonFilesInterface struct {
+	commonInterface
+
+	apparmorHeader    string
+	extraPathValidate func(string) error
+}
+
+// filesAAPerm can either be files{Read,Write} and converted to a string
+// expands into the right apparmor permissions for the files interface.
+type filesAAPerm int
+
+const (
+	filesRead filesAAPerm = iota
+	filesWrite
+)
+
+func (a filesAAPerm) String() string {
+	switch a {
+	case filesRead:
+		return "rk" // [r]ead and loc[k]
+	case filesWrite:
+		return "rwkl" // [r]ead, [w]rite, loc[k] and [l]ink//
+	}
+	panic(fmt.Sprintf("invalid perm: %d", a))
+}
+
+func formatPath(ip interface{}) (string, error) {
+	p, ok := ip.(string)
+	if !ok {
+		return "", fmt.Errorf("%[1]v (%[1]T) is not a string", ip)
+	}
+	prefix := ""
+	// Note that the {personal,system}-files interface impose
+	// limitations on the $HOME usage - system-files forbids it,
+	// personal only allows starting with $HOME in the path.
+	if strings.Contains(p, "$HOME") {
+		p = strings.Replace(p, "$HOME", "@{HOME}", -1)
+		prefix = "owner "
+	}
+	p = filepath.Clean(p)
+	p += "{,/,/**}"
+
+	return fmt.Sprintf("%s%q", prefix, p), nil
+}
+
+func allowPathAccess(buf *bytes.Buffer, perm filesAAPerm, paths []interface{}) error {
+	for _, rawPath := range paths {
+		p, err := formatPath(rawPath)
+		if err != nil {
+			return err
+		}
+		fmt.Fprintf(buf, "%s %s,\n", p, perm)
+	}
+	return nil
+}
+
+func (iface *commonFilesInterface) validatePaths(attrName string, paths []interface{}) error {
+	for _, npp := range paths {
+		np, ok := npp.(string)
+		if !ok {
+			return fmt.Errorf("%q must be a list of strings", attrName)
+		}
+		if err := iface.validateSinglePath(np); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (iface *commonFilesInterface) validateSinglePath(np string) error {
+	if strings.HasSuffix(np, "/") {
+		return fmt.Errorf(`%q cannot end with "/"`, np)
+	}
+	p := filepath.Clean(np)
+	if p != np {
+		return fmt.Errorf("cannot use %q: try %q", np, filepath.Clean(np))
+	}
+	if strings.Contains(p, "~") {
+		return fmt.Errorf(`%q cannot contain "~"`, p)
+	}
+	if err := apparmor.ValidateNoAppArmorRegexp(p); err != nil {
+		return err
+	}
+
+	// extraPathValidation must be implemented by the interface
+	// that build on top of the abstract commonFilesInterface
+	if iface.extraPathValidate == nil {
+		panic("extraPathValidate must be set when using the commonFilesInterface")
+	}
+	if err := iface.extraPathValidate(np); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (iface *commonFilesInterface) BeforePreparePlug(plug *snap.PlugInfo) error {
+	hasValidAttr := false
+	for _, att := range []string{"read", "write"} {
+		if _, ok := plug.Attrs[att]; !ok {
+			continue
+		}
+		paths, ok := plug.Attrs[att].([]interface{})
+		if !ok {
+			return fmt.Errorf("cannot add %s plug: %q must be a list of strings", iface.name, att)
+		}
+		if err := iface.validatePaths(att, paths); err != nil {
+			return fmt.Errorf("cannot add %s plug: %s", iface.name, err)
+		}
+		hasValidAttr = true
+	}
+	if !hasValidAttr {
+		return fmt.Errorf(`cannot add %s plug: needs valid "read" or "write" attribute`, iface.name)
+	}
+
+	return nil
+}
+
+func (iface *commonFilesInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	var reads, writes []interface{}
+	_ = plug.Attr("read", &reads)
+	_ = plug.Attr("write", &writes)
+
+	errPrefix := fmt.Sprintf(`cannot connect plug %s: `, plug.Name())
+	buf := bytes.NewBufferString(iface.apparmorHeader)
+	if err := allowPathAccess(buf, filesRead, reads); err != nil {
+		return fmt.Errorf("%s%v", errPrefix, err)
+	}
+	if err := allowPathAccess(buf, filesWrite, writes); err != nil {
+		return fmt.Errorf("%s%v", errPrefix, err)
+	}
+	spec.AddSnippet(buf.String())
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/common.go snapd-2.37~rc1~14.04/interfaces/builtin/common.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/common.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/common.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -30,8 +30,6 @@
 	"github.com/snapcore/snapd/snap"
 )
 
-type evalSymlinksFn func(string) (string, error)
-
 // evalSymlinks is either filepath.EvalSymlinks or a mocked function for
 // applicable for testing.
 var evalSymlinks = filepath.EvalSymlinks
@@ -57,6 +55,10 @@
 	connectedSlotKModModules []string
 	permanentPlugKModModules []string
 	permanentSlotKModModules []string
+
+	usesPtraceTrace     bool
+	suppressPtraceTrace bool
+	suppressHomeIx      bool
 }
 
 // Name returns the interface name.
@@ -88,6 +90,14 @@
 }
 
 func (iface *commonInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	if iface.usesPtraceTrace {
+		spec.SetUsesPtraceTrace()
+	} else if iface.suppressPtraceTrace {
+		spec.SetSuppressPtraceTrace()
+	}
+	if iface.suppressHomeIx {
+		spec.SetSuppressHomeIx()
+	}
 	if iface.connectedPlugAppArmor != "" {
 		spec.AddSnippet(iface.connectedPlugAppArmor)
 	}
@@ -99,7 +109,7 @@
 // candidate and declaration-based checks allow.
 //
 // By default we allow what declarations allowed.
-func (iface *commonInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *commonInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	return !iface.rejectAutoConnectPairs
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/common_test.go snapd-2.37~rc1~14.04/interfaces/builtin/common_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/common_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/common_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -22,6 +22,7 @@
 import (
 	. "gopkg.in/check.v1"
 
+	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/udev"
 	"github.com/snapcore/snapd/testutil"
 )
@@ -82,3 +83,106 @@
 		evalSymlinks = orig
 	})
 }
+
+func (s *commonIfaceSuite) TestSuppressPtraceTrace(c *C) {
+	plug, _ := MockConnectedPlug(c, `
+name: consumer
+version: 0
+apps:
+  app:
+    plugs: [common]
+`, nil, "common")
+	slot, _ := MockConnectedSlot(c, `
+name: producer
+version: 0
+slots:
+  common:
+`, nil, "common")
+
+	// setting nothing
+	iface := &commonInterface{
+		name:                "common",
+		suppressPtraceTrace: false,
+		usesPtraceTrace:     false,
+	}
+	spec := &apparmor.Specification{}
+	c.Assert(spec.UsesPtraceTrace(), Equals, false)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, false)
+	c.Assert(spec.AddConnectedPlug(iface, plug, slot), IsNil)
+	c.Assert(spec.UsesPtraceTrace(), Equals, false)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, false)
+
+	// setting only uses
+	iface = &commonInterface{
+		name:                "common",
+		suppressPtraceTrace: false,
+		usesPtraceTrace:     true,
+	}
+	spec = &apparmor.Specification{}
+	c.Assert(spec.UsesPtraceTrace(), Equals, false)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, false)
+	c.Assert(spec.AddConnectedPlug(iface, plug, slot), IsNil)
+	c.Assert(spec.UsesPtraceTrace(), Equals, true)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, false)
+
+	// setting only suppress
+	iface = &commonInterface{
+		name:                "common",
+		suppressPtraceTrace: true,
+		usesPtraceTrace:     false,
+	}
+	spec = &apparmor.Specification{}
+	c.Assert(spec.UsesPtraceTrace(), Equals, false)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, false)
+	c.Assert(spec.AddConnectedPlug(iface, plug, slot), IsNil)
+	c.Assert(spec.UsesPtraceTrace(), Equals, false)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, true)
+
+	// setting both, only uses is set
+	iface = &commonInterface{
+		name:                "common",
+		suppressPtraceTrace: true,
+		usesPtraceTrace:     true,
+	}
+	spec = &apparmor.Specification{}
+	c.Assert(spec.UsesPtraceTrace(), Equals, false)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, false)
+	c.Assert(spec.AddConnectedPlug(iface, plug, slot), IsNil)
+	c.Assert(spec.UsesPtraceTrace(), Equals, true)
+	c.Assert(spec.SuppressPtraceTrace(), Equals, false)
+}
+
+func (s *commonIfaceSuite) TestSuppressHomeIx(c *C) {
+	plug, _ := MockConnectedPlug(c, `
+name: consumer
+version: 0
+apps:
+  app:
+    plugs: [common]
+`, nil, "common")
+	slot, _ := MockConnectedSlot(c, `
+name: producer
+version: 0
+slots:
+  common:
+`, nil, "common")
+
+	// setting nothing
+	iface := &commonInterface{
+		name:           "common",
+		suppressHomeIx: false,
+	}
+	spec := &apparmor.Specification{}
+	c.Assert(spec.SuppressHomeIx(), Equals, false)
+	c.Assert(spec.AddConnectedPlug(iface, plug, slot), IsNil)
+	c.Assert(spec.SuppressHomeIx(), Equals, false)
+
+	iface = &commonInterface{
+		name:           "common",
+		suppressHomeIx: true,
+	}
+	spec = &apparmor.Specification{}
+	c.Assert(spec.SuppressHomeIx(), Equals, false)
+	c.Assert(spec.AddConnectedPlug(iface, plug, slot), IsNil)
+	c.Assert(spec.SuppressHomeIx(), Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/contacts_service.go snapd-2.37~rc1~14.04/interfaces/builtin/contacts_service.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/contacts_service.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/contacts_service.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,161 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"github.com/snapcore/snapd/release"
+)
+
+const contactsServiceSummary = `allows communication with Evolution Data Service Address Book`
+
+const contactsServiceBaseDeclarationSlots = `
+  contacts-service:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const contactsServiceConnectedPlugAppArmor = `
+# Description: Allow access to Evolution Data Service for contacts
+
+#include <abstractions/dbus-session-strict>
+
+# Allow use of ObjectManager APIs, used to enumerate sources
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.ObjectManager
+	path=/org/gnome/evolution/dataserver{,/**}
+	peer=(label=unconfined),
+
+# Allow access to properties on sources
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/AddressBook{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/AddressBookFactory
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/AddressBookCursor{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/AddressBookView{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.freedesktop.DBus.Properties
+	path=/org/gnome/evolution/dataserver/Subprocess{,/**}
+	peer=(label=unconfined),
+# Allow access to methods
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.AddressBook
+	path=/org/gnome/evolution/dataserver/{Subprocess,AddressBook}{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.AddressBookFactory
+	path=/org/gnome/evolution/dataserver/AddressBookFactory
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.AddressBookCursor
+	path=/org/gnome/evolution/dataserver/AddressBookCursor{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.AddressBookView
+	path=/org/gnome/evolution/dataserver/AddressBookView{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.Source
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.Source.Removable
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	peer=(label=unconfined),
+dbus (receive, send)
+	bus=session
+	interface=org.gnome.evolution.dataserver.SourceManager
+	path=/org/gnome/evolution/dataserver/SourceManager
+	peer=(label=unconfined),
+
+# Allow clients to introspect the service
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/AddressBook{,/**}
+	member=Introspect
+	peer=(label=unconfined),
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/AddressBookFactory
+	member=Introspect
+	peer=(label=unconfined),
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/AddressBookCursor{,/**}
+	member=Introspect
+	peer=(label=unconfined),
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/AddressBookView{,/**}
+	member=Introspect
+	peer=(label=unconfined),
+dbus (send)
+	bus=session
+	interface=org.freedesktop.DBus.Introspectable
+	path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+	member=Introspect
+	peer=(label=unconfined),
+
+# Allow access to cached avatars
+owner @{HOME}/.cache/evolution/addressbook/[0-9a-f]*/*.jpeg r,
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "contacts-service",
+		summary:               contactsServiceSummary,
+		implicitOnClassic:     !(release.ReleaseInfo.ID == "ubuntu" && release.ReleaseInfo.VersionID == "14.04"),
+		reservedForOS:         true,
+		baseDeclarationSlots:  contactsServiceBaseDeclarationSlots,
+		connectedPlugAppArmor: contactsServiceConnectedPlugAppArmor,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/contacts_service_test.go snapd-2.37~rc1~14.04/interfaces/builtin/contacts_service_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/contacts_service_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/contacts_service_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,93 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type ContactsServiceInterfaceSuite struct {
+	iface    interfaces.Interface
+	slot     *interfaces.ConnectedSlot
+	slotInfo *snap.SlotInfo
+	plug     *interfaces.ConnectedPlug
+	plugInfo *snap.PlugInfo
+}
+
+var _ = Suite(&ContactsServiceInterfaceSuite{
+	iface: builtin.MustInterface("contacts-service"),
+})
+
+func (s *ContactsServiceInterfaceSuite) SetUpTest(c *C) {
+	const coreYaml = `name: core
+version: 0
+type: os
+slots:
+ contacts-service:
+  interface: contacts-service
+`
+	s.slot, s.slotInfo = MockConnectedSlot(c, coreYaml, nil, "contacts-service")
+
+	var consumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [contacts-service]
+`
+	s.plug, s.plugInfo = MockConnectedPlug(c, consumerYaml, nil, "contacts-service")
+}
+
+func (s *ContactsServiceInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "contacts-service")
+}
+
+func (s *ContactsServiceInterfaceSuite) TestSanitize(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+}
+
+func (s *ContactsServiceInterfaceSuite) TestAppArmorConnectedPlug(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 1)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.Source`)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.AddressBook`)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.AddressBookFactory`)
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `interface=org.gnome.evolution.dataserver.AddressBookView`)
+}
+
+func (s *ContactsServiceInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Check(si.ImplicitOnCore, Equals, false)
+	c.Check(si.ImplicitOnClassic, Equals, !(release.ReleaseInfo.ID == "ubuntu" && release.ReleaseInfo.VersionID == "14.04"))
+	c.Check(si.Summary, Equals, "allows communication with Evolution Data Service Address Book")
+	c.Check(si.BaseDeclarationSlots, testutil.Contains, "contacts-service")
+}
+
+func (s *ContactsServiceInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/content.go snapd-2.37~rc1~14.04/interfaces/builtin/content.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/content.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/content.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,6 @@
 	"path/filepath"
 	"strings"
 
-	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/mount"
@@ -169,21 +168,19 @@
 // $SNAP_COMMON. If there are no variables then $SNAP is implicitly assumed
 // (this is the behavior that was used before the variables were supporter).
 func resolveSpecialVariable(path string, snapInfo *snap.Info) string {
-	if strings.HasPrefix(path, "$SNAP/") || path == "$SNAP" {
-		// NOTE: We use dirs.CoreSnapMountDir here as the path used will be always
-		// inside the mount namespace snap-confine creates and there we will
-		// always have a /snap directory available regardless if the system
-		// we're running on supports this or not.
-		return strings.Replace(path, "$SNAP", filepath.Join(dirs.CoreSnapMountDir, snapInfo.Name(), snapInfo.Revision.String()), 1)
-	}
-	if strings.HasPrefix(path, "$SNAP_DATA/") || path == "$SNAP_DATA" {
-		return strings.Replace(path, "$SNAP_DATA", snapInfo.DataDir(), 1)
-	}
-	if strings.HasPrefix(path, "$SNAP_COMMON/") || path == "$SNAP_COMMON" {
-		return strings.Replace(path, "$SNAP_COMMON", snapInfo.CommonDataDir(), 1)
-	}
-	// NOTE: assume $SNAP by default if nothing else is provided, for compatibility
-	return filepath.Join(filepath.Join(dirs.CoreSnapMountDir, snapInfo.Name(), snapInfo.Revision.String()), path)
+	// Content cannot be mounted at arbitrary locations, validate the path
+	// for extra safety.
+	if err := snap.ValidatePathVariables(path); err == nil && strings.HasPrefix(path, "$") {
+		// The path starts with $ and ValidatePathVariables() ensures
+		// path contains only $SNAP, $SNAP_DATA, $SNAP_COMMON, and no
+		// other $VARs are present. It is ok to use
+		// ExpandSnapVariables() since it only expands $SNAP, $SNAP_DATA
+		// and $SNAP_COMMON
+		return snapInfo.ExpandSnapVariables(path)
+	}
+	// Always prefix with $SNAP if nothing else is provided or the path
+	// contains invalid variables.
+	return snapInfo.ExpandSnapVariables(filepath.Join("$SNAP", path))
 }
 
 func sourceTarget(plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot, relSrc string) (string, string) {
@@ -233,8 +230,12 @@
 			fmt.Fprintf(&buf, "  # Read-write content sharing %s -> %s (w#%d)\n", plug.Ref(), slot.Ref(), i)
 			fmt.Fprintf(&buf, "  mount options=(bind, rw) %s/ -> %s/,\n", source, target)
 			fmt.Fprintf(&buf, "  umount %s/,\n", target)
-			apparmor.WritableProfile(&buf, source)
-			apparmor.WritableProfile(&buf, target)
+			// TODO: The assumed prefix depth could be optimized to be more
+			// precise since content sharing can only take place in a fixed
+			// list of places with well-known paths (well, constrained set of
+			// paths). This can be done when the prefix is actually consumed.
+			apparmor.WritableProfile(&buf, source, 1)
+			apparmor.WritableProfile(&buf, target, 1)
 			spec.AddUpdateNS(buf.String())
 		}
 	}
@@ -253,10 +254,12 @@
 			source, target := sourceTarget(plug, slot, r)
 			var buf bytes.Buffer
 			fmt.Fprintf(&buf, "  # Read-only content sharing %s -> %s (r#%d)\n", plug.Ref(), slot.Ref(), i)
-			fmt.Fprintf(&buf, "  mount options=(bind, ro) %s/ -> %s/,\n", source, target)
+			fmt.Fprintf(&buf, "  mount options=(bind) %s/ -> %s/,\n", source, target)
+			fmt.Fprintf(&buf, "  remount options=(bind, ro) %s/,\n", target)
 			fmt.Fprintf(&buf, "  umount %s/,\n", target)
-			apparmor.WritableProfile(&buf, source)
-			apparmor.WritableProfile(&buf, target)
+			// Look at the TODO comment above.
+			apparmor.WritableProfile(&buf, source, 1)
+			apparmor.WritableProfile(&buf, target, 1)
 			spec.AddUpdateNS(buf.String())
 		}
 	}
@@ -286,7 +289,7 @@
 	return nil
 }
 
-func (iface *contentInterface) AutoConnect(plug *interfaces.Plug, slot *interfaces.Slot) bool {
+func (iface *contentInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/content_test.go snapd-2.37~rc1~14.04/interfaces/builtin/content_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/content_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/content_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -225,13 +225,19 @@
 
 func (s *ContentSuite) TestResolveSpecialVariable(c *C) {
 	info := snaptest.MockInfo(c, "{name: name, version: 0}", &snap.SideInfo{Revision: snap.R(42)})
-	c.Check(builtin.ResolveSpecialVariable("foo", info), Equals, filepath.Join(dirs.CoreSnapMountDir, "name/42/foo"))
 	c.Check(builtin.ResolveSpecialVariable("$SNAP/foo", info), Equals, filepath.Join(dirs.CoreSnapMountDir, "name/42/foo"))
 	c.Check(builtin.ResolveSpecialVariable("$SNAP_DATA/foo", info), Equals, "/var/snap/name/42/foo")
 	c.Check(builtin.ResolveSpecialVariable("$SNAP_COMMON/foo", info), Equals, "/var/snap/name/common/foo")
 	c.Check(builtin.ResolveSpecialVariable("$SNAP", info), Equals, filepath.Join(dirs.CoreSnapMountDir, "name/42"))
 	c.Check(builtin.ResolveSpecialVariable("$SNAP_DATA", info), Equals, "/var/snap/name/42")
 	c.Check(builtin.ResolveSpecialVariable("$SNAP_COMMON", info), Equals, "/var/snap/name/common")
+	c.Check(builtin.ResolveSpecialVariable("$SNAP_DATA/", info), Equals, "/var/snap/name/42/")
+	// automatically prefixed with $SNAP
+	c.Check(builtin.ResolveSpecialVariable("foo", info), Equals, filepath.Join(dirs.CoreSnapMountDir, "name/42/foo"))
+	c.Check(builtin.ResolveSpecialVariable("foo/snap/bar", info), Equals, "/snap/name/42/foo/snap/bar")
+	// contain invalid variables
+	c.Check(builtin.ResolveSpecialVariable("$PRUNE/bar", info), Equals, "/snap/name/42//bar")
+	c.Check(builtin.ResolveSpecialVariable("bar/$PRUNE/foo", info), Equals, "/snap/name/42/bar//foo")
 }
 
 // Check that legacy syntax works and allows sharing read-only snap content
@@ -243,7 +249,7 @@
   target: import
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, &snap.SideInfo{Revision: snap.R(7)})
-	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil)
+	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil, nil)
 	const producerYaml = `name: producer
 version: 0
 slots:
@@ -252,7 +258,7 @@
    - export
 `
 	producerInfo := snaptest.MockInfo(c, producerYaml, &snap.SideInfo{Revision: snap.R(5)})
-	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil)
+	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil, nil)
 
 	spec := &mount.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, plug, slot), IsNil)
@@ -276,7 +282,7 @@
   command: foo
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, &snap.SideInfo{Revision: snap.R(7)})
-	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil)
+	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil, nil)
 	const producerYaml = `name: producer
 version: 0
 slots:
@@ -285,7 +291,7 @@
    - $SNAP/export
 `
 	producerInfo := snaptest.MockInfo(c, producerYaml, &snap.SideInfo{Revision: snap.R(5)})
-	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil)
+	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil, nil)
 
 	spec := &mount.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, plug, slot), IsNil)
@@ -310,41 +316,216 @@
 
 	updateNS := apparmorSpec.UpdateNS()
 	profile0 := `  # Read-only content sharing consumer:content -> producer:content (r#0)
-  mount options=(bind, ro) /snap/producer/5/export/ -> /snap/consumer/7/import/,
+  mount options=(bind) /snap/producer/5/export/ -> /snap/consumer/7/import/,
+  remount options=(bind, ro) /snap/consumer/7/import/,
   umount /snap/consumer/7/import/,
   # Writable mimic /snap/producer/5
+  # .. permissions for traversing the prefix that is assumed to exist
+  # .. variant with mimic at /
+  # Allow reading the mimic directory, it must exist in the first place.
+  / r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/ rw,
+  mount options=(rbind, rw) / -> /tmp/.snap/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/*/ rw,
+  /*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/*/ -> /*/,
+  /tmp/.snap/* rw,
+  /* rw,
+  mount options=(bind, rw) /tmp/.snap/* -> /*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /,
+  umount /*,
+  umount /*/,
+  # .. variant with mimic at /snap/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/ rw,
+  mount options=(rbind, rw) /snap/ -> /tmp/.snap/snap/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /snap/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/*/ rw,
+  /snap/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/*/ -> /snap/*/,
+  /tmp/.snap/snap/* rw,
+  /snap/* rw,
+  mount options=(bind, rw) /tmp/.snap/snap/* -> /snap/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/snap/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/,
+  umount /snap/*,
+  umount /snap/*/,
+  # .. variant with mimic at /snap/producer/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/producer/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/producer/ rw,
+  mount options=(rbind, rw) /snap/producer/ -> /tmp/.snap/snap/producer/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /snap/producer/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/producer/*/ rw,
+  /snap/producer/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/producer/*/ -> /snap/producer/*/,
+  /tmp/.snap/snap/producer/* rw,
+  /snap/producer/* rw,
+  mount options=(bind, rw) /tmp/.snap/snap/producer/* -> /snap/producer/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/snap/producer/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/producer/,
+  umount /snap/producer/*,
+  umount /snap/producer/*/,
+  # .. variant with mimic at /snap/producer/5/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/producer/5/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/producer/5/ rw,
   mount options=(rbind, rw) /snap/producer/5/ -> /tmp/.snap/snap/producer/5/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /snap/producer/5/,
-  mount options=(rbind, rw) /tmp/.snap/snap/producer/5/** -> /snap/producer/5/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/producer/5/*/ rw,
+  /snap/producer/5/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/producer/5/*/ -> /snap/producer/5/*/,
+  /tmp/.snap/snap/producer/5/* rw,
+  /snap/producer/5/* rw,
   mount options=(bind, rw) /tmp/.snap/snap/producer/5/* -> /snap/producer/5/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/snap/producer/5/,
-  umount /snap/producer/5{,/**},
-  /snap/producer/5/** rw,
-  /snap/producer/5/ rw,
-  /snap/producer/ rw,
-  /tmp/.snap/snap/producer/5/** rw,
-  /tmp/.snap/snap/producer/5/ rw,
-  /tmp/.snap/snap/producer/ rw,
-  /tmp/.snap/snap/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/producer/5/,
+  umount /snap/producer/5/*,
+  umount /snap/producer/5/*/,
   # Writable mimic /snap/consumer/7
+  # .. permissions for traversing the prefix that is assumed to exist
+  # .. variant with mimic at /
+  # Allow reading the mimic directory, it must exist in the first place.
+  / r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/ rw,
+  mount options=(rbind, rw) / -> /tmp/.snap/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/*/ rw,
+  /*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/*/ -> /*/,
+  /tmp/.snap/* rw,
+  /* rw,
+  mount options=(bind, rw) /tmp/.snap/* -> /*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /,
+  umount /*,
+  umount /*/,
+  # .. variant with mimic at /snap/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/ rw,
+  mount options=(rbind, rw) /snap/ -> /tmp/.snap/snap/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /snap/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/*/ rw,
+  /snap/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/*/ -> /snap/*/,
+  /tmp/.snap/snap/* rw,
+  /snap/* rw,
+  mount options=(bind, rw) /tmp/.snap/snap/* -> /snap/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/snap/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/,
+  umount /snap/*,
+  umount /snap/*/,
+  # .. variant with mimic at /snap/consumer/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/consumer/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/consumer/ rw,
+  mount options=(rbind, rw) /snap/consumer/ -> /tmp/.snap/snap/consumer/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /snap/consumer/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/consumer/*/ rw,
+  /snap/consumer/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/consumer/*/ -> /snap/consumer/*/,
+  /tmp/.snap/snap/consumer/* rw,
+  /snap/consumer/* rw,
+  mount options=(bind, rw) /tmp/.snap/snap/consumer/* -> /snap/consumer/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/snap/consumer/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/consumer/,
+  umount /snap/consumer/*,
+  umount /snap/consumer/*/,
+  # .. variant with mimic at /snap/consumer/7/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/consumer/7/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/consumer/7/ rw,
   mount options=(rbind, rw) /snap/consumer/7/ -> /tmp/.snap/snap/consumer/7/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /snap/consumer/7/,
-  mount options=(rbind, rw) /tmp/.snap/snap/consumer/7/** -> /snap/consumer/7/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/consumer/7/*/ rw,
+  /snap/consumer/7/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/consumer/7/*/ -> /snap/consumer/7/*/,
+  /tmp/.snap/snap/consumer/7/* rw,
+  /snap/consumer/7/* rw,
   mount options=(bind, rw) /tmp/.snap/snap/consumer/7/* -> /snap/consumer/7/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/snap/consumer/7/,
-  umount /snap/consumer/7{,/**},
-  /snap/consumer/7/** rw,
-  /snap/consumer/7/ rw,
-  /snap/consumer/ rw,
-  /tmp/.snap/snap/consumer/7/** rw,
-  /tmp/.snap/snap/consumer/7/ rw,
-  /tmp/.snap/snap/consumer/ rw,
-  /tmp/.snap/snap/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/consumer/7/,
+  umount /snap/consumer/7/*,
+  umount /snap/consumer/7/*/,
 `
-	c.Assert(updateNS["consumer"][0], Equals, profile0)
-	c.Assert(updateNS, DeepEquals, map[string][]string{"consumer": {profile0}})
+	c.Assert(updateNS[0], Equals, profile0)
+	c.Assert(updateNS, DeepEquals, []string{profile0})
 }
 
 // Check that sharing of writable data is possible
@@ -359,7 +540,7 @@
   command: foo
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, &snap.SideInfo{Revision: snap.R(7)})
-	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil)
+	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil, nil)
 	const producerYaml = `name: producer
 version: 0
 slots:
@@ -368,7 +549,7 @@
    - $SNAP_DATA/export
 `
 	producerInfo := snaptest.MockInfo(c, producerYaml, &snap.SideInfo{Revision: snap.R(5)})
-	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil)
+	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil, nil)
 
 	spec := &mount.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, plug, slot), IsNil)
@@ -406,8 +587,8 @@
   /var/snap/consumer/7/ rw,
   /var/snap/consumer/ rw,
 `
-	c.Assert(updateNS["consumer"][0], Equals, profile0)
-	c.Assert(updateNS, DeepEquals, map[string][]string{"consumer": {profile0}})
+	c.Assert(updateNS[0], Equals, profile0)
+	c.Assert(updateNS, DeepEquals, []string{profile0})
 }
 
 // Check that sharing of writable common data is possible
@@ -422,7 +603,7 @@
   command: foo
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, &snap.SideInfo{Revision: snap.R(7)})
-	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil)
+	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil, nil)
 	const producerYaml = `name: producer
 version: 0
 slots:
@@ -431,7 +612,7 @@
    - $SNAP_COMMON/export
 `
 	producerInfo := snaptest.MockInfo(c, producerYaml, &snap.SideInfo{Revision: snap.R(5)})
-	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil)
+	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil, nil)
 
 	spec := &mount.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, plug, slot), IsNil)
@@ -469,8 +650,8 @@
   /var/snap/consumer/common/ rw,
   /var/snap/consumer/ rw,
 `
-	c.Assert(updateNS["consumer"][0], Equals, profile0)
-	c.Assert(updateNS, DeepEquals, map[string][]string{"consumer": {profile0}})
+	c.Assert(updateNS[0], Equals, profile0)
+	c.Assert(updateNS, DeepEquals, []string{profile0})
 }
 
 func (s *ContentSuite) TestInterfaces(c *C) {
@@ -487,7 +668,7 @@
  app:
   command: foo
 `, &snap.SideInfo{Revision: snap.R(1)}, "content")
-	connectedPlug := interfaces.NewConnectedPlug(plug, nil)
+	connectedPlug := interfaces.NewConnectedPlug(plug, nil, nil)
 
 	slot := MockSlot(c, `name: producer
 version: 0
@@ -502,7 +683,7 @@
      - $SNAP_COMMON/write-common
      - $SNAP_DATA/write-data
 `, &snap.SideInfo{Revision: snap.R(2)}, "content")
-	connectedSlot := interfaces.NewConnectedSlot(slot, nil)
+	connectedSlot := interfaces.NewConnectedSlot(slot, nil, nil)
 
 	// Create the mount and apparmor specifications.
 	mountSpec := &mount.Specification{}
@@ -568,6 +749,8 @@
   /var/snap/consumer/common/ rw,
   /var/snap/consumer/ rw,
 `
+	c.Assert(updateNS[0], Equals, profile0)
+
 	profile1 := `  # Read-write content sharing consumer:content -> producer:content (w#1)
   mount options=(bind, rw) /var/snap/producer/2/write-data/ -> /var/snap/consumer/common/import/write-data/,
   umount /var/snap/consumer/common/import/write-data/,
@@ -581,8 +764,11 @@
   /var/snap/consumer/common/ rw,
   /var/snap/consumer/ rw,
 `
+	c.Assert(updateNS[1], Equals, profile1)
+
 	profile2 := `  # Read-only content sharing consumer:content -> producer:content (r#0)
-  mount options=(bind, ro) /var/snap/producer/common/read-common/ -> /var/snap/consumer/common/import/read-common/,
+  mount options=(bind) /var/snap/producer/common/read-common/ -> /var/snap/consumer/common/import/read-common/,
+  remount options=(bind, ro) /var/snap/consumer/common/import/read-common/,
   umount /var/snap/consumer/common/import/read-common/,
   # Writable directory /var/snap/producer/common/read-common
   /var/snap/producer/common/read-common/ rw,
@@ -594,8 +780,11 @@
   /var/snap/consumer/common/ rw,
   /var/snap/consumer/ rw,
 `
+	c.Assert(updateNS[2], Equals, profile2)
+
 	profile3 := `  # Read-only content sharing consumer:content -> producer:content (r#1)
-  mount options=(bind, ro) /var/snap/producer/2/read-data/ -> /var/snap/consumer/common/import/read-data/,
+  mount options=(bind) /var/snap/producer/2/read-data/ -> /var/snap/consumer/common/import/read-data/,
+  remount options=(bind, ro) /var/snap/consumer/common/import/read-data/,
   umount /var/snap/consumer/common/import/read-data/,
   # Writable directory /var/snap/producer/2/read-data
   /var/snap/producer/2/read-data/ rw,
@@ -607,36 +796,122 @@
   /var/snap/consumer/common/ rw,
   /var/snap/consumer/ rw,
 `
+	c.Assert(updateNS[3], Equals, profile3)
+
 	profile4 := `  # Read-only content sharing consumer:content -> producer:content (r#2)
-  mount options=(bind, ro) /snap/producer/2/read-snap/ -> /var/snap/consumer/common/import/read-snap/,
+  mount options=(bind) /snap/producer/2/read-snap/ -> /var/snap/consumer/common/import/read-snap/,
+  remount options=(bind, ro) /var/snap/consumer/common/import/read-snap/,
   umount /var/snap/consumer/common/import/read-snap/,
   # Writable mimic /snap/producer/2
+  # .. permissions for traversing the prefix that is assumed to exist
+  # .. variant with mimic at /
+  # Allow reading the mimic directory, it must exist in the first place.
+  / r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/ rw,
+  mount options=(rbind, rw) / -> /tmp/.snap/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/*/ rw,
+  /*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/*/ -> /*/,
+  /tmp/.snap/* rw,
+  /* rw,
+  mount options=(bind, rw) /tmp/.snap/* -> /*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /,
+  umount /*,
+  umount /*/,
+  # .. variant with mimic at /snap/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/ rw,
+  mount options=(rbind, rw) /snap/ -> /tmp/.snap/snap/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /snap/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/*/ rw,
+  /snap/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/*/ -> /snap/*/,
+  /tmp/.snap/snap/* rw,
+  /snap/* rw,
+  mount options=(bind, rw) /tmp/.snap/snap/* -> /snap/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/snap/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/,
+  umount /snap/*,
+  umount /snap/*/,
+  # .. variant with mimic at /snap/producer/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/producer/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/producer/ rw,
+  mount options=(rbind, rw) /snap/producer/ -> /tmp/.snap/snap/producer/,
+  # Allow mounting tmpfs over the read-only directory.
+  mount fstype=tmpfs options=(rw) tmpfs -> /snap/producer/,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/producer/*/ rw,
+  /snap/producer/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/producer/*/ -> /snap/producer/*/,
+  /tmp/.snap/snap/producer/* rw,
+  /snap/producer/* rw,
+  mount options=(bind, rw) /tmp/.snap/snap/producer/* -> /snap/producer/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
+  umount /tmp/.snap/snap/producer/,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/producer/,
+  umount /snap/producer/*,
+  umount /snap/producer/*/,
+  # .. variant with mimic at /snap/producer/2/
+  # Allow reading the mimic directory, it must exist in the first place.
+  /snap/producer/2/ r,
+  # Allow setting the read-only directory aside via a bind mount.
+  /tmp/.snap/snap/producer/2/ rw,
   mount options=(rbind, rw) /snap/producer/2/ -> /tmp/.snap/snap/producer/2/,
+  # Allow mounting tmpfs over the read-only directory.
   mount fstype=tmpfs options=(rw) tmpfs -> /snap/producer/2/,
-  mount options=(rbind, rw) /tmp/.snap/snap/producer/2/** -> /snap/producer/2/**,
+  # Allow creating empty files and directories for bind mounting things
+  # to reconstruct the now-writable parent directory.
+  /tmp/.snap/snap/producer/2/*/ rw,
+  /snap/producer/2/*/ rw,
+  mount options=(rbind, rw) /tmp/.snap/snap/producer/2/*/ -> /snap/producer/2/*/,
+  /tmp/.snap/snap/producer/2/* rw,
+  /snap/producer/2/* rw,
   mount options=(bind, rw) /tmp/.snap/snap/producer/2/* -> /snap/producer/2/*,
+  # Allow unmounting the auxiliary directory.
+  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
   umount /tmp/.snap/snap/producer/2/,
-  umount /snap/producer/2{,/**},
-  /snap/producer/2/** rw,
-  /snap/producer/2/ rw,
-  /snap/producer/ rw,
-  /tmp/.snap/snap/producer/2/** rw,
-  /tmp/.snap/snap/producer/2/ rw,
-  /tmp/.snap/snap/producer/ rw,
-  /tmp/.snap/snap/ rw,
-  /tmp/.snap/ rw,
+  # Allow unmounting the destination directory as well as anything
+  # inside.  This lets us perform the undo plan in case the writable
+  # mimic fails.
+  umount /snap/producer/2/,
+  umount /snap/producer/2/*,
+  umount /snap/producer/2/*/,
   # Writable directory /var/snap/consumer/common/import/read-snap
   /var/snap/consumer/common/import/read-snap/ rw,
   /var/snap/consumer/common/import/ rw,
   /var/snap/consumer/common/ rw,
   /var/snap/consumer/ rw,
 `
-	c.Assert(updateNS["consumer"][0], Equals, profile0)
-	c.Assert(updateNS["consumer"][1], Equals, profile1)
-	c.Assert(updateNS["consumer"][2], Equals, profile2)
-	c.Assert(updateNS["consumer"][3], Equals, profile3)
-	c.Assert(updateNS["consumer"][4], Equals, profile4)
-	c.Assert(updateNS, DeepEquals, map[string][]string{"consumer": {profile0, profile1, profile2, profile3, profile4}})
+	c.Assert(updateNS[4], Equals, profile4)
+	c.Assert(updateNS, DeepEquals, []string{profile0, profile1, profile2, profile3, profile4})
 }
 
 func (s *ContentSuite) TestModernContentInterfacePlugins(c *C) {
@@ -653,7 +928,7 @@
   command: foo
 
 `, &snap.SideInfo{Revision: snap.R(1)}, "plugins")
-	connectedPlug := interfaces.NewConnectedPlug(plug, nil)
+	connectedPlug := interfaces.NewConnectedPlug(plug, nil, nil)
 
 	// XXX: realistically the plugin may be a single file and we don't support
 	// those very well.
@@ -665,7 +940,7 @@
   source:
     read: [$SNAP/plugin]
 `, &snap.SideInfo{Revision: snap.R(1)}, "plugin-for-app")
-	connectedSlotOne := interfaces.NewConnectedSlot(slotOne, nil)
+	connectedSlotOne := interfaces.NewConnectedSlot(slotOne, nil, nil)
 
 	slotTwo := MockSlot(c, `name: plugin-two
 version: 0
@@ -675,7 +950,7 @@
   source:
     read: [$SNAP/plugin]
 `, &snap.SideInfo{Revision: snap.R(1)}, "plugin-for-app")
-	connectedSlotTwo := interfaces.NewConnectedSlot(slotTwo, nil)
+	connectedSlotTwo := interfaces.NewConnectedSlot(slotTwo, nil, nil)
 
 	// Create the mount and apparmor specifications.
 	mountSpec := &mount.Specification{}
@@ -728,7 +1003,7 @@
  app:
   command: foo
 `, &snap.SideInfo{Revision: snap.R(1)}, "content")
-	connectedPlug := interfaces.NewConnectedPlug(plug, nil)
+	connectedPlug := interfaces.NewConnectedPlug(plug, nil, nil)
 
 	slot := MockSlot(c, `name: producer
 version: 0
@@ -740,7 +1015,7 @@
     write:
      - $SNAP_DATA/directory
 `, &snap.SideInfo{Revision: snap.R(2)}, "content")
-	connectedSlot := interfaces.NewConnectedSlot(slot, nil)
+	connectedSlot := interfaces.NewConnectedSlot(slot, nil, nil)
 
 	// Create the mount and apparmor specifications.
 	mountSpec := &mount.Specification{}
@@ -790,7 +1065,7 @@
   target: $SNAP_COMMON/import
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, &snap.SideInfo{Revision: snap.R(7)})
-	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil)
+	plug := interfaces.NewConnectedPlug(consumerInfo.Plugs["content"], nil, nil)
 	const producerYaml = `name: producer
 version: 0
 slots:
@@ -802,7 +1077,7 @@
     command: bar
 `
 	producerInfo := snaptest.MockInfo(c, producerYaml, &snap.SideInfo{Revision: snap.R(5)})
-	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil)
+	slot := interfaces.NewConnectedSlot(producerInfo.Slots["content"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/core_support.go snapd-2.37~rc1~14.04/interfaces/builtin/core_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/core_support.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/core_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -36,71 +36,9 @@
     deny-auto-connection: true
 `
 
-const coreSupportConnectedPlugAppArmor = `
-# Description: Can control all aspects of systemd via the systemctl command,
-# update rsyslog configuration, update systemd-timesyncd configuration and
-# update/apply sysctl configuration. The interface allows execution of the
-# systemctl binary unconfined and modifying all sysctl configuration. As such,
-# this gives device ownership to the snap.
-
-/bin/systemctl Uxr,
-
-/usr/bin/snapctl ixr,
-
-# Allow modifying rsyslog configuration for such things as remote logging. For
-# now, only allow modifying NN-snap*.conf and snap*.conf files.
-/etc/rsyslog.d/{,*}                     r,
-/etc/rsyslog.d/{,[0-9][0-9]-}snap*.conf w,
-
-# Allow modifying /etc/systemd/timesyncd.conf for adjusting systemd-timesyncd's
-# timeservers
-/etc/systemd/timesyncd.conf rw,
-
-# Allow modifying sysctl configuration and applying the changes. For now, allow
-# reading all sysctl files but only allow modifying NN-snap*.conf and
-# snap*.conf files in /etc/sysctl.d.
-/etc/sysctl.conf                       r,
-/etc/sysctl.d/{,*}                     r,
-/etc/sysctl.d/{,[0-9][0-9]-}snap*.conf w,
-/{,usr/}{,s}bin/sysctl                 ixr,
-@{PROC}/sys/{,**}                      r,
-@{PROC}/sys/**                         w,
-
-# Allow modifying logind configuration. For now, allow reading all logind
-# configuration but only allow modifying NN-snap*.conf and snap*.conf files
-# in /etc/systemd/logind.conf.d. Also allow creating the logind.conf.d
-# directory as it may not be there for existing installs (wirtable-path
-# magic oddness).
-/etc/systemd/logind.conf                             r,
-/etc/systemd/logind.conf.d/                          rw,
-/etc/systemd/logind.conf.d/{,*}                      r,
-/etc/systemd/logind.conf.d/{,[0-9][0-9]-}snap*.conf* w,
-
-# Allow managing the hostname with a core config option
-/etc/hostname                         rw,
-/{,usr/}{,s}bin/hostnamectl           ixr,
-
-# Allow sync to be used
-/bin/sync ixr,
-
-# Allow modifying swapfile configuration for swapfile.service shipped in
-# the core snap, general mgmt of the service is handled via systemctl
-/etc/default/swapfile rw,
-
-# Allow read/write access to the pi2 boot config.txt and the directory
-# so that it can dirsync it. 
-# WARNING: improperly editing this file may render the system unbootable.
-owner /boot/uboot/           r,
-owner /boot/uboot/config.txt rwk,
-owner /boot/uboot/config.txt.* rwk,
-
-# Allow read/write /etc/environment so that proxy configuration can
-# be written
-owner /etc/              r,
-owner /etc/environment   rwk,
-owner /etc/environment.* rwk,
-`
-
+// This interface is deprecated and doesn't grant any permissions but for the
+// moment we chose not to remove it in case something tests for its presence.
+// This hollow interface should be removed once it is deemed safe to do so.
 func init() {
 	registerIface(&commonInterface{
 		name:                 "core-support",
@@ -109,9 +47,6 @@
 		implicitOnClassic:    true,
 		baseDeclarationPlugs: coreSupportBaseDeclarationPlugs,
 		baseDeclarationSlots: coreSupportBaseDeclarationSlots,
-		// NOTE: core-support implicitly contains the rules from network-bind.
-		connectedPlugAppArmor: coreSupportConnectedPlugAppArmor + networkBindConnectedPlugAppArmor,
-		connectedPlugSecComp:  "" + networkBindConnectedPlugSecComp,
-		reservedForOS:         true,
+		reservedForOS:        true,
 	})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/core_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/core_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/core_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/core_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,6 +25,7 @@
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
@@ -54,11 +55,11 @@
 		Name:      "core-support",
 		Interface: "core-support",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["core-support"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *CoreSupportInterfaceSuite) TestName(c *C) {
@@ -80,20 +81,13 @@
 	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
 }
 
-func (s *CoreSupportInterfaceSuite) TestUsedSecuritySystems(c *C) {
-	// connected plugs have a non-nil security snippet for apparmor
+func (s *CoreSupportInterfaceSuite) TestNoSecuritySystems(c *C) {
 	apparmorSpec := &apparmor.Specification{}
-	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
-	c.Assert(err, IsNil)
-	c.Assert(apparmorSpec.SecurityTags(), HasLen, 1)
-}
-
-func (s *CoreSupportInterfaceSuite) TestConnectedPlugSnippet(c *C) {
-	apparmorSpec := &apparmor.Specification{}
-	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
-	c.Assert(err, IsNil)
-	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.hook.prepare-device"})
-	c.Assert(apparmorSpec.SnippetForTag("snap.other.hook.prepare-device"), testutil.Contains, `/bin/systemctl Uxr,`)
+	c.Assert(apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(apparmorSpec.SecurityTags(), HasLen, 0)
+	seccompSpec := &seccomp.Specification{}
+	c.Assert(seccompSpec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(seccompSpec.SecurityTags(), HasLen, 0)
 }
 
 func (s *CoreSupportInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/cpu_control.go snapd-2.37~rc1~14.04/interfaces/builtin/cpu_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/cpu_control.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/cpu_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,49 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const cpuControlSummary = `allows setting CPU tunables`
+
+const cpuControlBaseDeclarationSlots = `
+  cpu-control:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const cpuControlConnectedPlugAppArmor = `
+# Description: This interface allows for setting CPU tunables
+/sys/devices/system/cpu/**/ r,
+/sys/devices/system/cpu/cpu*/online rw,
+/sys/devices/system/cpu/smt/control rw,
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "cpu-control",
+		summary:               cpuControlSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  cpuControlBaseDeclarationSlots,
+		connectedPlugAppArmor: cpuControlConnectedPlugAppArmor,
+		reservedForOS:         true,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/cpu_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/cpu_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/cpu_control_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/cpu_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,95 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type CpuControlInterfaceSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+const cpuControlMockPlugSnapInfoYaml = `name: consumer
+version: 1.0
+apps:
+ app:
+  command: foo
+  plugs: [cpu-control]
+`
+
+var _ = Suite(&CpuControlInterfaceSuite{
+	iface: builtin.MustInterface("cpu-control"),
+})
+
+func (s *CpuControlInterfaceSuite) SetUpTest(c *C) {
+	s.slotInfo = &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
+		Name:      "cpu-control",
+		Interface: "cpu-control",
+	}
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
+	plugSnap := snaptest.MockInfo(c, cpuControlMockPlugSnapInfoYaml, nil)
+	s.plugInfo = plugSnap.Plugs["cpu-control"]
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+}
+
+func (s *CpuControlInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "cpu-control")
+}
+
+func (s *CpuControlInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "cpu-control",
+		Interface: "cpu-control",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"cpu-control slots are reserved for the core snap")
+}
+
+func (s *CpuControlInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *CpuControlInterfaceSuite) TestUsedSecuritySystems(c *C) {
+	// connected plugs have a non-nil security snippet for apparmor
+	spec := &apparmor.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/sys/devices/system/cpu/cpu*/online rw,\n")
+}
+
+func (s *CpuControlInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/daemon_notify.go snapd-2.37~rc1~14.04/interfaces/builtin/daemon_notify.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/daemon_notify.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/daemon_notify.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,104 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+)
+
+const daemonNotifySummary = `allows sending daemon status changes to service manager`
+
+const daemonNotifyBaseDeclarationSlots = `
+  daemon-notify:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const daemonNotifyConnectedPlugAppArmorTemplate = `
+# Allow sending notification messages to systemd through the notify socket
+{{notify-socket-rule}},
+
+# Allow using systemd-notify in shell scripts.
+/{,usr/}bin/systemd-notify ixr,
+`
+
+type daemoNotifyInterface struct {
+	commonInterface
+}
+
+var osGetenv = os.Getenv
+
+func (iface *daemoNotifyInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	// If the system has defined it, use NOTIFY_SOCKET from the environment. Note
+	// this is safe because it is examined on snapd start and snaps cannot manipulate
+	// the environment of snapd.
+	notifySocket := osGetenv("NOTIFY_SOCKET")
+	if notifySocket == "" {
+		notifySocket = "/run/systemd/notify"
+	}
+	if !strings.HasPrefix(notifySocket, "/") && !strings.HasPrefix(notifySocket, "@") {
+		// must be an absolute path or an abstract socket path
+		return fmt.Errorf("cannot use %q as notify socket path: not absolute", notifySocket)
+	}
+	if err := apparmor.ValidateNoAppArmorRegexp(notifySocket); err != nil {
+		return fmt.Errorf("cannot use %q as notify socket path: %s", notifySocket, err)
+	}
+
+	var rule string
+
+	switch {
+	case strings.HasPrefix(notifySocket, "/"):
+		rule = fmt.Sprintf(`"%s" w`, notifySocket)
+	case strings.HasPrefix(notifySocket, "@/org/freedesktop/systemd1/notify/"):
+		// special case for Ubuntu 14.04 where the manpage states that
+		// /run/systemd/notify is used, but in fact the services get an
+		// abstract socket path such as
+		// @/org/freedesktop/systemd1/notify/13334051644891137417, the
+		// last part changing with each reboot
+		rule = `unix (connect, send) type=dgram peer=(label=unconfined,addr="@/org/freedesktop/systemd1/notify/[0-9]*")`
+	case strings.HasPrefix(notifySocket, "@"):
+		rule = fmt.Sprintf(`unix (connect, send) type=dgram peer=(label=unconfined,addr="%s")`, notifySocket)
+	default:
+		return fmt.Errorf("cannot use %q as notify socket path", notifySocket)
+	}
+
+	snippet := strings.Replace(daemonNotifyConnectedPlugAppArmorTemplate,
+		"{{notify-socket-rule}}", rule, 1)
+	spec.AddSnippet(snippet)
+	return nil
+}
+
+func init() {
+	registerIface(&daemoNotifyInterface{commonInterface: commonInterface{
+		name:                 "daemon-notify",
+		summary:              daemonNotifySummary,
+		implicitOnCore:       true,
+		implicitOnClassic:    true,
+		baseDeclarationSlots: daemonNotifyBaseDeclarationSlots,
+		reservedForOS:        true,
+	}})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/daemon_notify_test.go snapd-2.37~rc1~14.04/interfaces/builtin/daemon_notify_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/daemon_notify_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/daemon_notify_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,175 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type daemoNotifySuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&daemoNotifySuite{
+	iface: builtin.MustInterface("daemon-notify"),
+})
+
+const daemoNotifyMockSlotSnapInfoYaml = `name: provider
+version: 1.0
+type: os
+slots:
+  daemon-notify:
+    interface: daemon-notify
+`
+const daemoNotifyMockPlugSnapInfoYaml = `name: consumer
+version: 1.0
+apps:
+ app:
+  command: foo
+  plugs: [daemon-notify]
+`
+
+func (s *daemoNotifySuite) SetUpTest(c *C) {
+	s.slot, s.slotInfo = builtin.MockConnectedSlot(c, daemoNotifyMockSlotSnapInfoYaml, nil, "daemon-notify")
+	s.plug, s.plugInfo = builtin.MockConnectedPlug(c, daemoNotifyMockPlugSnapInfoYaml, nil, "daemon-notify")
+}
+
+func (s *daemoNotifySuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "daemon-notify")
+}
+
+func (s *daemoNotifySuite) TestBeforePrepareSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	nonOsDaemonNotifySlotSnapInfoYaml := `name: non-os-daemon-notify
+version: 1.0
+slots:
+  daemon-notify:
+    interface: daemon-notify
+`
+	si := builtin.MockSlot(c, nonOsDaemonNotifySlotSnapInfoYaml, nil, "daemon-notify")
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, si), ErrorMatches,
+		"daemon-notify slots are reserved for the core snap")
+}
+
+func (s *daemoNotifySuite) TestBeforePreparePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *daemoNotifySuite) TestAppArmorConnectedPlugNotifySocketDefault(c *C) {
+	restore := builtin.MockOsGetenv(func(what string) string {
+		c.Assert(what, Equals, "NOTIFY_SOCKET")
+		return ""
+	})
+	defer restore()
+
+	// connected plugs have a non-nil security snippet for apparmor
+	spec := &apparmor.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "\n\"/run/systemd/notify\" w,")
+}
+
+func (s *daemoNotifySuite) TestAppArmorConnectedPlugNotifySocketEnvAbstractSpecial(c *C) {
+	restore := builtin.MockOsGetenv(func(what string) string {
+		c.Assert(what, Equals, "NOTIFY_SOCKET")
+		return "@/org/freedesktop/systemd1/notify/13334051644891137417"
+	})
+	defer restore()
+
+	// connected plugs have a non-nil security snippet for apparmor
+	spec := &apparmor.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains,
+		"\nunix (connect, send) type=dgram peer=(label=unconfined,addr=\"@/org/freedesktop/systemd1/notify/[0-9]*\"),")
+}
+
+func (s *daemoNotifySuite) TestAppArmorConnectedPlugNotifySocketEnvAbstractAny(c *C) {
+	restore := builtin.MockOsGetenv(func(what string) string {
+		c.Assert(what, Equals, "NOTIFY_SOCKET")
+		return "@foo/bar"
+	})
+	defer restore()
+
+	// connected plugs have a non-nil security snippet for apparmor
+	spec := &apparmor.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains,
+		"\nunix (connect, send) type=dgram peer=(label=unconfined,addr=\"@foo/bar\"),")
+}
+
+func (s *daemoNotifySuite) TestAppArmorConnectedPlugNotifySocketEnvFsPath(c *C) {
+	restore := builtin.MockOsGetenv(func(what string) string {
+		c.Assert(what, Equals, "NOTIFY_SOCKET")
+		return "/foo/bar"
+	})
+	defer restore()
+
+	// connected plugs have a non-nil security snippet for apparmor
+	spec := &apparmor.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "\n\"/foo/bar\" w,")
+}
+
+func (s *daemoNotifySuite) TestAppArmorConnectedPlugNotifySocketEnvBadFormat(c *C) {
+	var socketPath string
+	restore := builtin.MockOsGetenv(func(what string) string {
+		c.Assert(what, Equals, "NOTIFY_SOCKET")
+		return socketPath
+	})
+	defer restore()
+
+	for idx, tc := range []struct {
+		format string
+		error  string
+	}{
+		{"foo/bar", `cannot use \".*\" as notify socket path: not absolute`},
+		{"[", `cannot use ".*" as notify socket path: not absolute`},
+		{"@^", `cannot use \".*\" as notify socket path: \".*\" contains a reserved apparmor char from .*`},
+		{`/foo/bar"[]`, `cannot use \".*\" as notify socket path: \".*\" contains a reserved apparmor char from .*`},
+	} {
+		c.Logf("trying %d: %v", idx, tc)
+		socketPath = tc.format
+		// connected plugs have a non-nil security snippet for apparmor
+		spec := &apparmor.Specification{}
+		err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+		c.Assert(err, ErrorMatches, tc.error)
+	}
+}
+
+func (s *daemoNotifySuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/dbus.go snapd-2.37~rc1~14.04/interfaces/builtin/dbus.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/dbus.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/dbus.go	2019-01-16 08:36:51.000000000 +0000
@@ -220,6 +220,12 @@
 	}
 }
 
+// snapd has AppArmor rules (see above) allowing binds to busName-PID
+// so to avoid overlap with different snaps (eg, busName running as PID
+// 123 and busName-123), don't allow busName to end with -PID. If that
+// rule is removed, this limitation can be lifted.
+var isInvalidSnappyBusName = regexp.MustCompile("-[0-9]+$").MatchString
+
 // Obtain yaml-specified bus well-known name
 func (iface *dbusInterface) getAttribs(attribs interfaces.Attrer) (string, string, error) {
 	// bus attribute
@@ -243,12 +249,7 @@
 		return "", "", err
 	}
 
-	// snapd has AppArmor rules (see above) allowing binds to busName-PID
-	// so to avoid overlap with different snaps (eg, busName running as PID
-	// 123 and busName-123), don't allow busName to end with -PID. If that
-	// rule is removed, this limitation can be lifted.
-	invalidSnappyBusName := regexp.MustCompile("-[0-9]+$")
-	if invalidSnappyBusName.MatchString(name) {
+	if isInvalidSnappyBusName(name) {
 		return "", "", fmt.Errorf("DBus bus name must not end with -NUMBER")
 	}
 
@@ -427,7 +428,7 @@
 	return err
 }
 
-func (iface *dbusInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *dbusInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/dbus_test.go snapd-2.37~rc1~14.04/interfaces/builtin/dbus_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/dbus_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/dbus_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -120,22 +120,22 @@
 
 func (s *DbusInterfaceSuite) SetUpTest(c *C) {
 	s.sessionSlotInfo = s.snapInfo.Slots["test-session-slot"]
-	s.sessionSlot = interfaces.NewConnectedSlot(s.sessionSlotInfo, nil)
+	s.sessionSlot = interfaces.NewConnectedSlot(s.sessionSlotInfo, nil, nil)
 	s.systemSlotInfo = s.snapInfo.Slots["test-system-slot"]
-	s.systemSlot = interfaces.NewConnectedSlot(s.systemSlotInfo, nil)
+	s.systemSlot = interfaces.NewConnectedSlot(s.systemSlotInfo, nil, nil)
 	s.connectedSessionSlotInfo = s.snapInfo.Slots["test-session-connected-slot"]
-	s.connectedSessionSlot = interfaces.NewConnectedSlot(s.connectedSessionSlotInfo, nil)
+	s.connectedSessionSlot = interfaces.NewConnectedSlot(s.connectedSessionSlotInfo, nil, nil)
 	s.connectedSystemSlotInfo = s.snapInfo.Slots["test-system-connected-slot"]
-	s.connectedSystemSlot = interfaces.NewConnectedSlot(s.connectedSystemSlotInfo, nil)
+	s.connectedSystemSlot = interfaces.NewConnectedSlot(s.connectedSystemSlotInfo, nil, nil)
 
 	s.sessionPlugInfo = s.snapInfo.Plugs["test-session-plug"]
-	s.sessionPlug = interfaces.NewConnectedPlug(s.sessionPlugInfo, nil)
+	s.sessionPlug = interfaces.NewConnectedPlug(s.sessionPlugInfo, nil, nil)
 	s.systemPlugInfo = s.snapInfo.Plugs["test-system-plug"]
-	s.systemPlug = interfaces.NewConnectedPlug(s.systemPlugInfo, nil)
+	s.systemPlug = interfaces.NewConnectedPlug(s.systemPlugInfo, nil, nil)
 	s.connectedSessionPlugInfo = s.snapInfo.Plugs["test-session-connected-plug"]
-	s.connectedSessionPlug = interfaces.NewConnectedPlug(s.connectedSessionPlugInfo, nil)
+	s.connectedSessionPlug = interfaces.NewConnectedPlug(s.connectedSessionPlugInfo, nil, nil)
 	s.connectedSystemPlugInfo = s.snapInfo.Plugs["test-system-connected-plug"]
-	s.connectedSystemPlug = interfaces.NewConnectedPlug(s.connectedSystemPlugInfo, nil)
+	s.connectedSystemPlug = interfaces.NewConnectedPlug(s.connectedSystemPlugInfo, nil, nil)
 }
 
 func (s *DbusInterfaceSuite) TestName(c *C) {
@@ -509,11 +509,11 @@
 `
 
 	plugInfo := snaptest.MockInfo(c, plugYaml, nil)
-	matchingPlug := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil)
+	matchingPlug := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil, nil)
 
 	slotInfo := snaptest.MockInfo(c, slotYaml, nil)
-	matchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil)
-	nonmatchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["that"], nil)
+	matchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil, nil)
+	nonmatchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["that"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, matchingPlug, matchingSlot)
@@ -558,11 +558,11 @@
 `
 
 	plugInfo := snaptest.MockInfo(c, plugYaml, nil)
-	matchingPlug := interfaces.NewConnectedPlug(plugInfo.Plugs["that"], nil)
+	matchingPlug := interfaces.NewConnectedPlug(plugInfo.Plugs["that"], nil, nil)
 
 	slotInfo := snaptest.MockInfo(c, slotYaml, nil)
-	matchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["that"], nil)
-	nonmatchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil)
+	matchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["that"], nil, nil)
+	nonmatchingSlot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, matchingPlug, matchingSlot)
@@ -611,12 +611,12 @@
 `
 
 	plugInfo := snaptest.MockInfo(c, plugYaml, nil)
-	matchingPlug1 := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil)
-	matchingPlug2 := interfaces.NewConnectedPlug(plugInfo.Plugs["that"], nil)
+	matchingPlug1 := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil, nil)
+	matchingPlug2 := interfaces.NewConnectedPlug(plugInfo.Plugs["that"], nil, nil)
 
 	slotInfo := snaptest.MockInfo(c, slotYaml, nil)
-	matchingSlot1 := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil)
-	matchingSlot2 := interfaces.NewConnectedSlot(slotInfo.Slots["that"], nil)
+	matchingSlot1 := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil, nil)
+	matchingSlot2 := interfaces.NewConnectedSlot(slotInfo.Slots["that"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, matchingPlug1, matchingSlot1)
@@ -654,10 +654,10 @@
 `
 
 	plugInfo := snaptest.MockInfo(c, plugYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil)
+	plug := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil, nil)
 
 	slotInfo := snaptest.MockInfo(c, slotYaml, nil)
-	slot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil)
+	slot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, slot)
@@ -684,10 +684,10 @@
 `
 
 	plugInfo := snaptest.MockInfo(c, plugYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil)
+	plug := interfaces.NewConnectedPlug(plugInfo.Plugs["this"], nil, nil)
 
 	slotInfo := snaptest.MockInfo(c, slotYaml, nil)
-	slot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil)
+	slot := interfaces.NewConnectedSlot(slotInfo.Slots["this"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/dcdbas_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/dcdbas_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/dcdbas_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/dcdbas_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,9 +56,9 @@
 		Name:      "dcdbas-control",
 		Interface: "dcdbas-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	s.plugInfo = consumingSnapInfo.Plugs["dcdbas-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *DcdbasControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/desktop.go snapd-2.37~rc1~14.04/interfaces/builtin/desktop.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/desktop.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/desktop.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,9 @@
 package builtin
 
 import (
+	"bytes"
+	"fmt"
+
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
@@ -108,6 +111,14 @@
     member={ActionInvoked,NotificationClosed}
     peer=(label=unconfined),
 
+# DesktopAppInfo Launched
+dbus (send)
+    bus=session
+    path=/org/gtk/gio/DesktopAppInfo
+    interface=org.gtk.gio.DesktopAppInfo
+    member=Launched
+    peer=(label=unconfined),
+
 # Allow requesting interest in receiving media key events. This tells Gnome
 # settings that our application should be notified when key events we are
 # interested in are pressed, and allows us to receive those events.
@@ -126,7 +137,6 @@
 # Allow use of snapd's internal 'xdg-open'
 /usr/bin/xdg-open ixr,
 /usr/share/applications/{,*} r,
-/usr/bin/dbus-send ixr,
 dbus (send)
     bus=session
     path=/
@@ -167,13 +177,30 @@
 
 # Allow use of snapd's internal 'xdg-settings'
 /usr/bin/xdg-settings ixr,
-/usr/bin/dbus-send ixr,
 dbus (send)
     bus=session
     path=/io/snapcraft/Settings
     interface=io.snapcraft.Settings
     member={Check,Get,Set}
     peer=(label=unconfined),
+
+## Allow access to xdg-document-portal file system.  Access control is
+## handled by bind mounting a snap-specific sub-tree to this location.
+owner /run/user/[0-9]*/doc/ r,
+owner /run/user/[0-9]*/doc/** rw,
+
+# Allow access to xdg-desktop-portal and xdg-document-portal
+dbus (receive, send)
+    bus=session
+    interface=org.freedesktop.portal.*
+    path=/org/freedesktop/portal/{desktop,documents}{,/**}
+    peer=(label=unconfined),
+
+dbus (receive, send)
+    bus=session
+    interface=org.freedesktop.DBus.Properties
+    path=/org/freedesktop/portal/{desktop,documents}{,/**}
+    peer=(label=unconfined),
 `
 
 type desktopInterface struct{}
@@ -194,38 +221,77 @@
 	return sanitizeSlotReservedForOS(iface, slot)
 }
 
-func (iface *desktopInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *desktopInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
 
+func (iface *desktopInterface) fontconfigDirs() []string {
+	return []string{
+		dirs.SystemFontsDir,
+		dirs.SystemLocalFontsDir,
+		dirs.SystemFontconfigCacheDir,
+	}
+}
+
 func (iface *desktopInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
 	spec.AddSnippet(desktopConnectedPlugAppArmor)
+
+	// Allow mounting document portal
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, "  # Mount the document portal\n")
+	fmt.Fprintf(&buf, "  mount options=(bind) /run/user/[0-9]*/doc/by-app/snap.%s/ -> /run/user/[0-9]*/doc/,\n", plug.Snap().InstanceName())
+	fmt.Fprintf(&buf, "  umount /run/user/[0-9]*/doc/,\n\n")
+	spec.AddUpdateNS(buf.String())
+
+	if !release.OnClassic {
+		// We only need the font mount rules on classic systems
+		return nil
+	}
+
+	// Allow mounting fonts
+	for _, dir := range iface.fontconfigDirs() {
+		var buf bytes.Buffer
+		source := "/var/lib/snapd/hostfs" + dir
+		target := dirs.StripRootDir(dir)
+		fmt.Fprintf(&buf, "  # Read-only access to %s\n", target)
+		fmt.Fprintf(&buf, "  mount options=(bind) %s/ -> %s/,\n", source, target)
+		fmt.Fprintf(&buf, "  remount options=(bind, ro) %s/,\n", target)
+		fmt.Fprintf(&buf, "  umount %s/,\n\n", target)
+		spec.AddUpdateNS(buf.String())
+	}
+
 	return nil
 }
 
 func (iface *desktopInterface) MountConnectedPlug(spec *mount.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	appId := "snap." + plug.Snap().InstanceName()
+	spec.AddUserMountEntry(osutil.MountEntry{
+		Name:    "$XDG_RUNTIME_DIR/doc/by-app/" + appId,
+		Dir:     "$XDG_RUNTIME_DIR/doc",
+		Options: []string{"bind", "rw", osutil.XSnapdIgnoreMissing()},
+	})
+
 	if !release.OnClassic {
-		// There is nothing to expose on an all-snaps system
+		// We only need the font mount rules on classic systems
 		return nil
 	}
 
-	fontconfigDirs := []string{
-		dirs.SystemFontsDir,
-		dirs.SystemLocalFontsDir,
-		dirs.SystemFontconfigCacheDir,
-	}
-
-	for _, dir := range fontconfigDirs {
+	for _, dir := range iface.fontconfigDirs() {
 		if !osutil.IsDirectory(dir) {
 			continue
 		}
+		// Since /etc/fonts/fonts.conf in the snap mount ns is the same
+		// as on the host, we need to preserve the original directory
+		// paths for the fontconfig runtime to poke the correct
+		// locations
 		spec.AddMountEntry(osutil.MountEntry{
 			Name:    "/var/lib/snapd/hostfs" + dir,
 			Dir:     dirs.StripRootDir(dir),
 			Options: []string{"bind", "ro"},
 		})
 	}
+
 	return nil
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/desktop_legacy.go snapd-2.37~rc1~14.04/interfaces/builtin/desktop_legacy.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/desktop_legacy.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/desktop_legacy.go	2019-01-16 08:36:51.000000000 +0000
@@ -224,6 +224,13 @@
     path=/org/gtk/vfs/mounttracker
     interface=org.gtk.vfs.MountTracker
     member=LookupMount,
+
+# This leaks the names of snaps with desktop files
+/var/lib/snapd/desktop/applications/ r,
+/var/lib/snapd/desktop/applications/mimeinfo.cache r,
+# parallel-installs: this leaks read access to desktop files owned by keyed
+# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
+/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_NAME}_*.desktop r,
 `
 
 const desktopLegacyConnectedPlugSecComp = `
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/desktop_test.go snapd-2.37~rc1~14.04/interfaces/builtin/desktop_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/desktop_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/desktop_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -92,6 +92,14 @@
 }
 
 func (s *DesktopInterfaceSuite) TestAppArmorSpec(c *C) {
+	tmpdir := c.MkDir()
+	dirs.SetRootDir(tmpdir)
+	c.Assert(os.MkdirAll(filepath.Join(tmpdir, "/usr/share/fonts"), 0777), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(tmpdir, "/usr/local/share/fonts"), 0777), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(tmpdir, "/var/cache/fontconfig"), 0777), IsNil)
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	// connected plug to core slot
 	spec := &apparmor.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil)
@@ -99,6 +107,30 @@
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Description: Can access basic graphical desktop resources")
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "#include <abstractions/fonts>")
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/etc/gtk-3.0/settings.ini r,")
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Allow access to xdg-desktop-portal and xdg-document-portal")
+
+	// On an all-snaps system, the only UpdateNS rule is for the
+	// document portal.
+	updateNS := spec.UpdateNS()
+	c.Assert(updateNS, HasLen, 1)
+	c.Check(updateNS[0], Equals, `  # Mount the document portal
+  mount options=(bind) /run/user/[0-9]*/doc/by-app/snap.consumer/ -> /run/user/[0-9]*/doc/,
+  umount /run/user/[0-9]*/doc/,
+
+`)
+
+	// On a classic system, there are UpdateNS rules for the host
+	// system font mounts
+	restore = release.MockOnClassic(true)
+	defer restore()
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil)
+	updateNS = spec.UpdateNS()
+	c.Assert(updateNS, HasLen, 4)
+	c.Check(updateNS[0], testutil.Contains, "# Mount the document portal")
+	c.Check(updateNS[1], testutil.Contains, "# Read-only access to /usr/share/fonts")
+	c.Check(updateNS[2], testutil.Contains, "# Read-only access to /usr/local/share/fonts")
+	c.Check(updateNS[3], testutil.Contains, "# Read-only access to /var/cache/fontconfig")
 
 	// connected plug to core slot
 	spec = &apparmor.Specification{}
@@ -116,11 +148,17 @@
 	restore := release.MockOnClassic(false)
 	defer restore()
 
-	// On all-snaps systems, no mount entries are added
+	// On all-snaps systems, the font related mount entries are missing
 	spec := &mount.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil)
 	c.Check(spec.MountEntries(), HasLen, 0)
 
+	entries := spec.UserMountEntries()
+	c.Check(entries, HasLen, 1)
+	c.Check(entries[0].Name, Equals, "$XDG_RUNTIME_DIR/doc/by-app/snap.consumer")
+	c.Check(entries[0].Dir, Equals, "$XDG_RUNTIME_DIR/doc")
+	c.Check(entries[0].Options, DeepEquals, []string{"bind", "rw", "x-snapd.ignore-missing"})
+
 	// On classic systems, a number of font related directories
 	// are bind mounted from the host system if they exist.
 	restore = release.MockOnClassic(true)
@@ -128,7 +166,7 @@
 	spec = &mount.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil)
 
-	entries := spec.MountEntries()
+	entries = spec.MountEntries()
 	c.Assert(entries, HasLen, 3)
 
 	const hostfs = "/var/lib/snapd/hostfs"
@@ -143,6 +181,29 @@
 	c.Check(entries[2].Name, Equals, hostfs+dirs.SystemFontconfigCacheDir)
 	c.Check(entries[2].Dir, Equals, "/var/cache/fontconfig")
 	c.Check(entries[2].Options, DeepEquals, []string{"bind", "ro"})
+
+	entries = spec.UserMountEntries()
+	c.Assert(entries, HasLen, 1)
+	c.Check(entries[0].Dir, Equals, "$XDG_RUNTIME_DIR/doc")
+
+	// Fedora is a little special with their fontconfig cache location
+	restore = release.MockReleaseInfo(&release.OS{ID: "fedora"})
+	defer restore()
+
+	tmpdir = c.MkDir()
+	dirs.SetRootDir(tmpdir)
+	c.Assert(dirs.SystemFontconfigCacheDir, Equals, filepath.Join(tmpdir, "/usr/lib/fontconfig/cache"))
+	c.Assert(os.MkdirAll(filepath.Join(tmpdir, "/usr/share/fonts"), 0777), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(tmpdir, "/usr/local/share/fonts"), 0777), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(tmpdir, "/usr/lib/fontconfig/cache"), 0777), IsNil)
+	spec = &mount.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil)
+	entries = spec.MountEntries()
+	c.Assert(entries, HasLen, 3)
+
+	c.Check(entries[2].Name, Equals, hostfs+dirs.SystemFontconfigCacheDir)
+	c.Check(entries[2].Dir, Equals, "/usr/lib/fontconfig/cache")
+	c.Check(entries[2].Options, DeepEquals, []string{"bind", "ro"})
 }
 
 func (s *DesktopInterfaceSuite) TestStaticInfo(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/device_buttons.go snapd-2.37~rc1~14.04/interfaces/builtin/device_buttons.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/device_buttons.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/device_buttons.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,93 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/udev"
+)
+
+const deviceButtonsSummary = `allows access to device buttons as input events`
+
+const deviceButtonsBaseDeclarationSlots = `
+  device-buttons:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const deviceButtonsConnectedPlugAppArmor = `
+# Description: Allow reading and writing events to device buttons exposed as
+#              input events.
+
+#
+# evdev-based interface
+#
+
+# /dev/input/event* is unfortunately not namespaced and includes all input
+# devices, including keyboards and mice, which allows input sniffing and
+# injection. Until we have inode tagging of devices, we use a glob rule here
+# and rely on udev tagging to only add evdev devices to the snap's device
+# cgroup that are marked with ENV{ID_INPUT_KEY}=="1" and are not marked with
+# ENV{ID_INPUT_KEYBOARD}. As such, even though AppArmor allows all evdev,
+# the device cgroup does not.
+/dev/input/event[0-9]* rw,
+
+# Allow reading for supported event reports for all input devices. See
+# https://www.kernel.org/doc/Documentation/input/event-codes.txt
+# FIXME: this is a very minor information leak and snapd should instead query
+# udev for the specific accesses associated with the above devices.
+/sys/devices/**/input[0-9]*/capabilities/* r,
+`
+
+// Add the device buttons realized in terms of GPIO. They come up with
+// ENV{ID_INPUT_KEY} set to "1" value and at the same time make sure these are
+// not a keyboard.
+//
+// Because of the unconditional /dev/input/event[0-9]* AppArmor rule, we need
+// to ensure that the device cgroup is in effect even when there are no
+// gpio keys present so that we don't give away all input to the snap.
+var deviceButtonsConnectedPlugUDev = []string{
+	`KERNEL=="event[0-9]*", SUBSYSTEM=="input", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}!="1"`,
+	`KERNEL=="full", SUBSYSTEM=="mem"`,
+}
+
+type deviceButtonsInterface struct {
+	commonInterface
+}
+
+func (iface *deviceButtonsInterface) UDevConnectedPlug(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	spec.TriggerSubsystem("input/key")
+	return iface.commonInterface.UDevConnectedPlug(spec, plug, slot)
+}
+
+func init() {
+	registerIface(&deviceButtonsInterface{commonInterface{
+		name:                  "device-buttons",
+		summary:               deviceButtonsSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  deviceButtonsBaseDeclarationSlots,
+		connectedPlugAppArmor: deviceButtonsConnectedPlugAppArmor,
+		connectedPlugUDev:     deviceButtonsConnectedPlugUDev,
+		reservedForOS:         true,
+	}})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/device_buttons_test.go snapd-2.37~rc1~14.04/interfaces/builtin/device_buttons_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/device_buttons_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/device_buttons_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,117 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type DeviceButtonsInterfaceSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&DeviceButtonsInterfaceSuite{
+	iface: builtin.MustInterface("device-buttons"),
+})
+
+const gpioKeysConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [device-buttons]
+`
+
+const gpioKeysCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  device-buttons:
+`
+
+func (s *DeviceButtonsInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, gpioKeysConsumerYaml, nil, "device-buttons")
+	s.slot, s.slotInfo = MockConnectedSlot(c, gpioKeysCoreYaml, nil, "device-buttons")
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "device-buttons")
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "device-buttons",
+		Interface: "device-buttons",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"device-buttons slots are reserved for the core snap")
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/dev/input/event[0-9]* rw,`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/sys/devices/**/input[0-9]*/capabilities/* r,`)
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestUDevSpec(c *C) {
+	spec := &udev.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 3)
+	c.Assert(spec.Snippets(), testutil.Contains, `# device-buttons
+KERNEL=="event[0-9]*", SUBSYSTEM=="input", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}!="1", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# device-buttons
+KERNEL=="full", SUBSYSTEM=="mem", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_consumer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_consumer_app $devpath $major:$minor"`)
+	c.Assert(spec.TriggeredSubsystems(), DeepEquals, []string{"input/key"})
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, true)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows access to device buttons as input events`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "device-buttons")
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestAutoConnect(c *C) {
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
+}
+
+func (s *DeviceButtonsInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/docker.go snapd-2.37~rc1~14.04/interfaces/builtin/docker.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/docker.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/docker.go	2019-01-16 08:36:51.000000000 +0000
@@ -19,12 +19,6 @@
 
 package builtin
 
-import (
-	"github.com/snapcore/snapd/interfaces"
-	"github.com/snapcore/snapd/interfaces/apparmor"
-	"github.com/snapcore/snapd/interfaces/seccomp"
-)
-
 const dockerSummary = `allows access to Docker socket`
 
 const dockerBaseDeclarationSlots = `
@@ -50,34 +44,12 @@
 socket AF_NETLINK - NETLINK_GENERIC
 `
 
-type dockerInterface struct{}
-
-func (iface *dockerInterface) Name() string {
-	return "docker"
-}
-
-func (iface *dockerInterface) StaticInfo() interfaces.StaticInfo {
-	return interfaces.StaticInfo{
-		Summary:              dockerSummary,
-		BaseDeclarationSlots: dockerBaseDeclarationSlots,
-	}
-}
-
-func (iface *dockerInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
-	spec.AddSnippet(dockerConnectedPlugAppArmor)
-	return nil
-}
-
-func (iface *dockerInterface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
-	spec.AddSnippet(dockerConnectedPlugSecComp)
-	return nil
-}
-
-func (iface *dockerInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
-	// allow what declarations allowed
-	return true
-}
-
 func init() {
-	registerIface(&dockerInterface{})
+	registerIface(&commonInterface{
+		name:                  "docker",
+		summary:               dockerSummary,
+		baseDeclarationSlots:  dockerBaseDeclarationSlots,
+		connectedPlugAppArmor: dockerConnectedPlugAppArmor,
+		connectedPlugSecComp:  dockerConnectedPlugSecComp,
+	})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/docker_support.go snapd-2.37~rc1~14.04/interfaces/builtin/docker_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/docker_support.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/docker_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,6 +25,7 @@
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 )
 
@@ -60,6 +61,11 @@
 /{,var/}run/runc/       rw,
 /{,var/}run/runc/**     mrwklix,
 
+# Socket for docker-container-shim
+unix (bind,listen) type=stream addr="@/containerd-shim/moby/*/shim.sock\x00",
+
+/{,var/}run/mount/utab r,
+
 # Wide read access to /proc, but somewhat limited writes for now
 @{PROC}/ r,
 @{PROC}/** r,
@@ -76,6 +82,10 @@
 /sys/fs/cgroup/*/docker/   rw,
 /sys/fs/cgroup/*/docker/** rw,
 
+# Also allow cgroup writes to kubernetes pods
+/sys/fs/cgroup/*/kubepods/ rw,
+/sys/fs/cgroup/*/kubepods/** rw,
+
 # Allow tracing ourself (especially the "runc" process we create)
 ptrace (trace) peer=@{profile_name},
 
@@ -106,14 +116,16 @@
 /sbin/apparmor_parser ixr,
 /etc/apparmor.d/cache/ r,
 /etc/apparmor.d/cache/.features r,
-/etc/apparmor.d/cache/docker* rw,
+/etc/apparmor.d/{,cache/}docker* rw,
+/etc/apparmor.d/tunables/{,**} r,
+/etc/apparmor.d/abstractions/{,**} r,
 /etc/apparmor/parser.conf r,
 /etc/apparmor/subdomain.conf r,
 /sys/kernel/security/apparmor/.replace rw,
 /sys/kernel/security/apparmor/{,**} r,
 
 # use 'privileged-containers: true' to support --security-opts
-change_profile -> docker-default,
+change_profile unsafe /** -> docker-default,
 signal (send) peer=docker-default,
 ptrace (read, trace) peer=docker-default,
 
@@ -518,13 +530,17 @@
 # These rules are here to allow Docker to launch unconfined containers but
 # allow the docker daemon itself to go unconfined. Since it runs as root, this
 # grants device ownership.
-change_profile -> *,
+change_profile unsafe /**,
 signal (send) peer=unconfined,
 ptrace (read, trace) peer=unconfined,
 
 # This grants raw access to device files and thus device ownership
 /dev/** mrwkl,
 @{PROC}/** mrwkl,
+
+# When kubernetes drives docker, it creates files in the container at arbitrary
+# locations.
+/** wl,
 `
 
 const dockerSupportPrivilegedSecComp = `
@@ -553,13 +569,22 @@
 	}
 }
 
+var (
+	parserFeatures = release.AppArmorParserFeatures
+)
+
 func (iface *dockerSupportInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
 	var privileged bool
 	_ = plug.Attr("privileged-containers", &privileged)
+
+	// The 'change_profile unsafe' rules conflict with the 'ix' rules in
+	// the home interface, so suppress them (LP: #1797786)
+	spec.SetSuppressHomeIx()
 	spec.AddSnippet(dockerSupportConnectedPlugAppArmor)
 	if privileged {
 		spec.AddSnippet(dockerSupportPrivilegedAppArmor)
 	}
+	spec.UsesPtraceTrace()
 	return nil
 }
 
@@ -583,7 +608,7 @@
 	return nil
 }
 
-func (iface *dockerSupportInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *dockerSupportInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/docker_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/docker_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/docker_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/docker_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -59,10 +59,10 @@
 		Name:      "docker-support",
 		Interface: "docker-support",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, dockerSupportMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["docker-support"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *DockerSupportInterfaceSuite) TestName(c *C) {
@@ -126,13 +126,13 @@
 	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), IsNil)
 
 	apparmorSpec := &apparmor.Specification{}
-	err = apparmorSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil), s.slot)
+	err = apparmorSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil, nil), s.slot)
 	c.Assert(err, IsNil)
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.docker.app"})
-	c.Assert(apparmorSpec.SnippetForTag("snap.docker.app"), testutil.Contains, `change_profile -> *,`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.docker.app"), testutil.Contains, `change_profile unsafe /**,`)
 
 	seccompSpec := &seccomp.Specification{}
-	err = seccompSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil), s.slot)
+	err = seccompSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil, nil), s.slot)
 	c.Assert(err, IsNil)
 	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.docker.app"})
 	c.Check(seccompSpec.SnippetForTag("snap.docker.app"), testutil.Contains, "@unrestricted")
@@ -159,13 +159,13 @@
 	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), IsNil)
 
 	apparmorSpec := &apparmor.Specification{}
-	err = apparmorSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil), s.slot)
+	err = apparmorSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil, nil), s.slot)
 	c.Assert(err, IsNil)
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.docker.app"})
-	c.Assert(apparmorSpec.SnippetForTag("snap.docker.app"), Not(testutil.Contains), `change_profile -> *,`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.docker.app"), Not(testutil.Contains), `change_profile unsafe /**,`)
 
 	seccompSpec := &seccomp.Specification{}
-	err = seccompSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil), s.slot)
+	err = seccompSpec.AddConnectedPlug(s.iface, interfaces.NewConnectedPlug(plug, nil, nil), s.slot)
 	c.Assert(err, IsNil)
 	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.docker.app"})
 	c.Check(seccompSpec.SnippetForTag("snap.docker.app"), Not(testutil.Contains), "@unrestricted")
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/docker_test.go snapd-2.37~rc1~14.04/interfaces/builtin/docker_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/docker_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/docker_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -59,10 +59,10 @@
 		Name:      "docker-daemon",
 		Interface: "docker",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, dockerMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["docker"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *DockerInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/dummy.go snapd-2.37~rc1~14.04/interfaces/builtin/dummy.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/dummy.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/dummy.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,101 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"fmt"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/snap"
+)
+
+type dummyInterface struct{}
+
+const dummyInterfaceSummary = `allows testing without providing any additional permissions`
+const dummyInterfaceBaseDeclarationSlots = `
+  dummy:
+    allow-installation:
+      slot-snap-type:
+        - app
+    deny-auto-connection: true
+`
+
+func (iface *dummyInterface) String() string {
+	return iface.Name()
+}
+
+// Name returns the name of the dummy interface.
+func (iface *dummyInterface) Name() string {
+	return "dummy"
+}
+
+func (iface *dummyInterface) StaticInfo() interfaces.StaticInfo {
+	return interfaces.StaticInfo{
+		Summary:              dummyInterfaceSummary,
+		BaseDeclarationSlots: dummyInterfaceBaseDeclarationSlots,
+	}
+}
+
+func (iface *dummyInterface) BeforePreparePlug(plug *snap.PlugInfo) error {
+	return nil
+}
+
+func (iface *dummyInterface) BeforePrepareSlot(slot *snap.SlotInfo) error {
+	return nil
+}
+
+func (iface *dummyInterface) BeforeConnectPlug(plug *interfaces.ConnectedPlug) error {
+	var value string
+	if err := plug.Attr("before-connect", &value); err != nil {
+		return err
+	}
+	value = fmt.Sprintf("plug-changed(%s)", value)
+	return plug.SetAttr("before-connect", value)
+}
+
+func (iface *dummyInterface) BeforeConnectSlot(slot *interfaces.ConnectedSlot) error {
+	var num int64
+	if err := slot.Attr("producer-num-1", &num); err != nil {
+		return err
+	}
+	var value string
+	if err := slot.Attr("before-connect", &value); err != nil {
+		return err
+	}
+	value = fmt.Sprintf("slot-changed(%s)", value)
+	return slot.SetAttr("before-connect", value)
+}
+
+func (iface *dummyInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	return nil
+}
+
+func (iface *dummyInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	return nil
+}
+
+func (iface *dummyInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
+	return true
+}
+
+func init() {
+	registerIface(&dummyInterface{})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/dvb.go snapd-2.37~rc1~14.04/interfaces/builtin/dvb.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/dvb.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/dvb.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const dvbSummary = `allows access to all DVB (Digital Video Broadcasting) devices and APIs`
+
+const dvbBaseDeclarationSlots = `
+  dvb:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const dvbConnectedPlugAppArmor = `
+# Allow access to all DVB devices
+/dev/dvb/adapter[0-9]*/* rw,
+# From https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
+/run/udev/data/c212:[0-9]* r,
+`
+
+var dvbConnectedPlugUDev = []string{`SUBSYSTEM=="dvb"`}
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "dvb",
+		summary:               dvbSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  dvbBaseDeclarationSlots,
+		connectedPlugAppArmor: dvbConnectedPlugAppArmor,
+		connectedPlugUDev:     dvbConnectedPlugUDev,
+		reservedForOS:         true,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/dvb_test.go snapd-2.37~rc1~14.04/interfaces/builtin/dvb_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/dvb_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/dvb_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,110 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type DvbInterfaceSuite struct {
+	iface    interfaces.Interface
+	slot     *interfaces.ConnectedSlot
+	slotInfo *snap.SlotInfo
+	plug     *interfaces.ConnectedPlug
+	plugInfo *snap.PlugInfo
+}
+
+var _ = Suite(&DvbInterfaceSuite{
+	iface: builtin.MustInterface("dvb"),
+})
+
+const dvbConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [dvb]
+`
+
+const dvbCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  dvb:
+`
+
+func (s *DvbInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, dvbConsumerYaml, nil, "dvb")
+	s.slot, s.slotInfo = MockConnectedSlot(c, dvbCoreYaml, nil, "dvb")
+}
+
+func (s *DvbInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "dvb")
+}
+
+func (s *DvbInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "dvb",
+		Interface: "dvb",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"dvb slots are reserved for the core snap")
+}
+
+func (s *DvbInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *DvbInterfaceSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/dev/dvb/adapter[0-9]*/* rw,")
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/run/udev/data/c212:[0-9]* r,")
+}
+
+func (s *DvbInterfaceSuite) TestUDevSpec(c *C) {
+	spec := &udev.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 2)
+	c.Assert(spec.Snippets(), testutil.Contains, `# dvb
+SUBSYSTEM=="dvb", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_consumer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_consumer_app $devpath $major:$minor"`)
+}
+
+func (s *DvbInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, true)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows access to all DVB (Digital Video Broadcasting) devices and APIs`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "dvb")
+}
+
+func (s *DvbInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/export_test.go snapd-2.37~rc1~14.04/interfaces/builtin/export_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -66,7 +66,7 @@
 	if plugInfo, ok := info.Plugs[plugName]; ok {
 		return plugInfo
 	}
-	panic(fmt.Sprintf("cannot find plug %q in snap %q", plugName, info.Name()))
+	panic(fmt.Sprintf("cannot find plug %q in snap %q", plugName, info.InstanceName()))
 }
 
 func MockSlot(c *C, yaml string, si *snap.SideInfo, slotName string) *snap.SlotInfo {
@@ -74,21 +74,31 @@
 	if slotInfo, ok := info.Slots[slotName]; ok {
 		return slotInfo
 	}
-	panic(fmt.Sprintf("cannot find slot %q in snap %q", slotName, info.Name()))
+	panic(fmt.Sprintf("cannot find slot %q in snap %q", slotName, info.InstanceName()))
 }
 
 func MockConnectedPlug(c *C, yaml string, si *snap.SideInfo, plugName string) (*interfaces.ConnectedPlug, *snap.PlugInfo) {
 	info := snaptest.MockInfo(c, yaml, si)
 	if plugInfo, ok := info.Plugs[plugName]; ok {
-		return interfaces.NewConnectedPlug(plugInfo, nil), plugInfo
+		return interfaces.NewConnectedPlug(plugInfo, nil, nil), plugInfo
 	}
-	panic(fmt.Sprintf("cannot find plug %q in snap %q", plugName, info.Name()))
+	panic(fmt.Sprintf("cannot find plug %q in snap %q", plugName, info.InstanceName()))
 }
 
 func MockConnectedSlot(c *C, yaml string, si *snap.SideInfo, slotName string) (*interfaces.ConnectedSlot, *snap.SlotInfo) {
 	info := snaptest.MockInfo(c, yaml, si)
 	if slotInfo, ok := info.Slots[slotName]; ok {
-		return interfaces.NewConnectedSlot(slotInfo, nil), slotInfo
+		return interfaces.NewConnectedSlot(slotInfo, nil, nil), slotInfo
 	}
-	panic(fmt.Sprintf("cannot find slot %q in snap %q", slotName, info.Name()))
+	panic(fmt.Sprintf("cannot find slot %q in snap %q", slotName, info.InstanceName()))
+}
+
+func MockOsGetenv(mock func(string) string) (restore func()) {
+	old := osGetenv
+	restore = func() {
+		osGetenv = old
+	}
+	osGetenv = mock
+
+	return restore
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/firewall_control.go snapd-2.37~rc1~14.04/interfaces/builtin/firewall_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/firewall_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/firewall_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -72,13 +72,12 @@
 network inet6 raw,
 
 # iptables (note, we don't want to allow loading modules, but
-# we can allow reading @{PROC}/sys/kernel/modprobe). Also,
-# snappy needs to have iptable_filter and ip6table_filter loaded,
-# they don't autoload.
-unix (bind) type=stream addr="@xtables",
-/{,var/}run/xtables.lock rwk,
+# we can allow reading @{PROC}/sys/kernel/modprobe).
 @{PROC}/sys/kernel/modprobe r,
 
+unix (bind, listen) type=stream addr="@xtables",
+/{,var/}run/xtables.lock rwk,
+
 @{PROC}/@{pid}/net/ r,
 @{PROC}/@{pid}/net/** r,
 
@@ -103,11 +102,15 @@
 /sys/module/iptable_filter/initstate  r,
 /sys/module/ip6table_filter/          r,
 /sys/module/ip6table_filter/initstate r,
+/sys/module/nf_*/initstate            r,
 
 # read netfilter module parameters
 /sys/module/nf_*/                     r,
 /sys/module/nf_*/parameters/{,*}      r,
 
+# write netfilter module parameters
+/sys/module/nf_conntrack/parameters/hashsize w,
+
 # various firewall related sysctl files
 @{PROC}/sys/net/bridge/bridge-nf-call-arptables rw,
 @{PROC}/sys/net/bridge/bridge-nf-call-iptables rw,
@@ -126,6 +129,9 @@
 @{PROC}/sys/net/ipv4/tcp_syncookies w,
 @{PROC}/sys/net/ipv6/conf/*/forwarding w,
 @{PROC}/sys/net/netfilter/nf_conntrack_helper rw,
+@{PROC}/sys/net/netfilter/nf_conntrack_max rw,
+@{PROC}/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait rw,
+@{PROC}/sys/net/netfilter/nf_conntrack_tcp_timeout_established rw,
 `
 
 // http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/firewall-control
@@ -146,6 +152,7 @@
 setuid
 `
 
+// These don't auto-load via iptables, etc
 var firewallControlConnectedPlugKmod = []string{
 	"arp_tables",
 	"br_netfilter",
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/firewall_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/firewall_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/firewall_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/firewall_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -115,8 +115,7 @@
 }
 
 func (s *FirewallControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *FirewallControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/framebuffer_test.go snapd-2.37~rc1~14.04/interfaces/builtin/framebuffer_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/framebuffer_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/framebuffer_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -107,8 +107,7 @@
 }
 
 func (s *FramebufferInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *FramebufferInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/fuse_support.go snapd-2.37~rc1~14.04/interfaces/builtin/fuse_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/fuse_support.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/fuse_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -63,14 +63,18 @@
 #         are not obligated to use fusermount to mount fuse filesystems, so
 #         be very strict and only support the default (rw,nosuid,nodev) and
 #         read-only.
-mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /home/*/snap/@{SNAP_NAME}/@{SNAP_REVISION}/{,**/},
-mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /home/*/snap/@{SNAP_NAME}/@{SNAP_REVISION}/{,**/},
-mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /var/snap/@{SNAP_NAME}/@{SNAP_REVISION}/{,**/},
-mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /var/snap/@{SNAP_NAME}/@{SNAP_REVISION}/{,**/},
-mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /home/*/snap/@{SNAP_NAME}/common/{,**/},
-mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /home/*/snap/@{SNAP_NAME}/common/{,**/},
-mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /var/snap/@{SNAP_NAME}/common/{,**/},
-mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /var/snap/@{SNAP_NAME}/common/{,**/},
+#
+# parallel-installs: SNAP_USER_{DATA,COMMON} are not remapped, need to use SNAP_INSTANCE_NAME
+mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/{,**/},
+mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/{,**/},
+mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/common/{,**/},
+mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/common/{,**/},
+# parallel-installs: SNAP_{DATA,COMMON} are remapped, use SNAP_NAME instead, for
+# completeness allow SNAP_INSTANCE_NAME too
+mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**/},
+mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**/},
+mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/},
+mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/},
 
 # Explicitly deny reads to /etc/fuse.conf. We do this to ensure that
 # the safe defaults of fuse are used (which are enforced by our mount
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/fuse_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/fuse_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/fuse_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/fuse_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -114,8 +114,7 @@
 }
 
 func (s *FuseSupportInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *FuseSupportInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/fwupd.go snapd-2.37~rc1~14.04/interfaces/builtin/fwupd.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/fwupd.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/fwupd.go	2019-01-16 08:36:51.000000000 +0000
@@ -264,7 +264,7 @@
 	return nil
 }
 
-func (iface *fwupdInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *fwupdInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/fwupd_test.go snapd-2.37~rc1~14.04/interfaces/builtin/fwupd_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/fwupd_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/fwupd_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -64,9 +64,9 @@
 	slotSnap := snaptest.MockInfo(c, mockSlotSnapInfoYaml, nil)
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.slotInfo = slotSnap.Slots["fwupd"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	s.plugInfo = plugSnap.Plugs["fwupd"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *FwupdInterfaceSuite) TestName(c *C) {
@@ -89,7 +89,7 @@
 
 	// connected plugs have a non-nil security snippet for apparmor
 	apparmorSpec := &apparmor.Specification{}
-	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, interfaces.NewConnectedSlot(slot, nil))
+	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, interfaces.NewConnectedSlot(slot, nil, nil))
 	c.Assert(err, IsNil)
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.uefi-fw-tools.app"})
 	c.Assert(apparmorSpec.SnippetForTag("snap.uefi-fw-tools.app"), testutil.Contains, `peer=(label="snap.uefi-fw-tools.*"),`)
@@ -111,7 +111,7 @@
 	}
 
 	apparmorSpec := &apparmor.Specification{}
-	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, interfaces.NewConnectedSlot(slot, nil))
+	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, interfaces.NewConnectedSlot(slot, nil, nil))
 	c.Assert(err, IsNil)
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.uefi-fw-tools.app"})
 	c.Assert(apparmorSpec.SnippetForTag("snap.uefi-fw-tools.app"), testutil.Contains, `peer=(label="snap.uefi-fw-tools.{app1,app2}"),`)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/gpg_keys.go snapd-2.37~rc1~14.04/interfaces/builtin/gpg_keys.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/gpg_keys.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/gpg_keys.go	2019-01-16 08:36:51.000000000 +0000
@@ -19,7 +19,7 @@
 
 package builtin
 
-const gpgKeysSummary = `allows reading gpg user configuration and keys`
+const gpgKeysSummary = `allows reading gpg user configuration and keys and updating gpg's random seed file`
 
 const gpgKeysBaseDeclarationSlots = `
   gpg-keys:
@@ -31,7 +31,7 @@
 
 const gpgKeysConnectedPlugAppArmor = `
 # Description: Can read gpg user configuration as well as public and private
-# keys.
+# keys. Also allows updating gpg's random seed file.
 
 # Allow gpg encrypt, decrypt, list-keys, verify, sign, etc
 /usr/bin/gpg{,1,2,v} ixr,
@@ -42,7 +42,12 @@
 # trustdb. For now, silence the denial since no other policy references this
 deny @{HOME}/.gnupg/trustdb.gpg w,
 
-# 'wk' is required for gpg encrypt and sign
+# 'wk' is required for gpg encrypt and sign unless --no-random-seed-file is
+# used. Ideally we would not allow this access, but denying it causes gpg to
+# hang for all applications that don't specify --no-random-seed-file. Allow it
+# with the understanding that this interface already requires a high level of
+# trust to access the user's keys and the level of trust for the random_seed
+# is commensurate with accessing the private keys.
 owner @{HOME}/.gnupg/random_seed wk,
 `
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/gpg_keys_test.go snapd-2.37~rc1~14.04/interfaces/builtin/gpg_keys_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/gpg_keys_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/gpg_keys_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -90,13 +90,12 @@
 	si := interfaces.StaticInfoOf(s.iface)
 	c.Assert(si.ImplicitOnCore, Equals, true)
 	c.Assert(si.ImplicitOnClassic, Equals, true)
-	c.Assert(si.Summary, Equals, `allows reading gpg user configuration and keys`)
+	c.Assert(si.Summary, Equals, `allows reading gpg user configuration and keys and updating gpg's random seed file`)
 	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "gpg-keys")
 }
 
 func (s *GpgKeysInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *GpgKeysInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/gpg_public_keys_test.go snapd-2.37~rc1~14.04/interfaces/builtin/gpg_public_keys_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/gpg_public_keys_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/gpg_public_keys_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -95,8 +95,7 @@
 }
 
 func (s *GpgPublicKeysInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *GpgPublicKeysInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/gpio.go snapd-2.37~rc1~14.04/interfaces/builtin/gpio.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/gpio.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/gpio.go	2019-01-16 08:36:51.000000000 +0000
@@ -40,7 +40,6 @@
 `
 
 var gpioSysfsGpioBase = "/sys/class/gpio/gpio"
-var gpioSysfsExport = "/sys/class/gpio/export"
 
 // gpioInterface type
 type gpioInterface struct{}
@@ -108,7 +107,7 @@
 		return err
 	}
 
-	serviceName := interfaces.InterfaceServiceName(slot.Snap().Name(), fmt.Sprintf("gpio-%d", gpioNum))
+	serviceName := interfaces.InterfaceServiceName(slot.Snap().InstanceName(), fmt.Sprintf("gpio-%d", gpioNum))
 	service := &systemd.Service{
 		Type:            "oneshot",
 		RemainAfterExit: true,
@@ -118,7 +117,7 @@
 	return spec.AddService(serviceName, service)
 }
 
-func (iface *gpioInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *gpioInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/gpio_memory_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/gpio_memory_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/gpio_memory_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/gpio_memory_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -104,8 +104,7 @@
 }
 
 func (s *GpioMemoryControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *GpioMemoryControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/gpio_test.go snapd-2.37~rc1~14.04/interfaces/builtin/gpio_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/gpio_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/gpio_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -74,17 +74,17 @@
     bad-interface-plug: other-interface
 `, nil)
 	s.gadgetGpioSlotInfo = gadgetInfo.Slots["my-pin"]
-	s.gadgetGpioSlot = interfaces.NewConnectedSlot(s.gadgetGpioSlotInfo, nil)
+	s.gadgetGpioSlot = interfaces.NewConnectedSlot(s.gadgetGpioSlotInfo, nil, nil)
 	s.gadgetMissingNumberSlotInfo = gadgetInfo.Slots["missing-number"]
-	s.gadgetMissingNumberSlot = interfaces.NewConnectedSlot(s.gadgetMissingNumberSlotInfo, nil)
+	s.gadgetMissingNumberSlot = interfaces.NewConnectedSlot(s.gadgetMissingNumberSlotInfo, nil, nil)
 	s.gadgetBadNumberSlotInfo = gadgetInfo.Slots["bad-number"]
-	s.gadgetBadNumberSlot = interfaces.NewConnectedSlot(s.gadgetBadNumberSlotInfo, nil)
+	s.gadgetBadNumberSlot = interfaces.NewConnectedSlot(s.gadgetBadNumberSlotInfo, nil, nil)
 	s.gadgetBadInterfaceSlotInfo = gadgetInfo.Slots["bad-interface-slot"]
-	s.gadgetBadInterfaceSlot = interfaces.NewConnectedSlot(s.gadgetBadInterfaceSlotInfo, nil)
+	s.gadgetBadInterfaceSlot = interfaces.NewConnectedSlot(s.gadgetBadInterfaceSlotInfo, nil, nil)
 	s.gadgetPlugInfo = gadgetInfo.Plugs["plug"]
-	s.gadgetPlug = interfaces.NewConnectedPlug(s.gadgetPlugInfo, nil)
+	s.gadgetPlug = interfaces.NewConnectedPlug(s.gadgetPlugInfo, nil, nil)
 	s.gadgetBadInterfacePlugInfo = gadgetInfo.Plugs["bad-interface-plug"]
-	s.gadgetBadInterfacePlug = interfaces.NewConnectedPlug(s.gadgetBadInterfacePlugInfo, nil)
+	s.gadgetBadInterfacePlug = interfaces.NewConnectedPlug(s.gadgetBadInterfacePlugInfo, nil, nil)
 
 	osInfo := snaptest.MockInfo(c, `
 name: my-core
@@ -97,7 +97,7 @@
         direction: out
 `, nil)
 	s.osGpioSlotInfo = osInfo.Slots["my-pin"]
-	s.osGpioSlot = interfaces.NewConnectedSlot(s.osGpioSlotInfo, nil)
+	s.osGpioSlot = interfaces.NewConnectedSlot(s.osGpioSlotInfo, nil, nil)
 
 	appInfo := snaptest.MockInfo(c, `
 name: my-app
@@ -109,7 +109,7 @@
         direction: out
 `, nil)
 	s.appGpioSlotInfo = appInfo.Slots["my-pin"]
-	s.appGpioSlot = interfaces.NewConnectedSlot(s.appGpioSlotInfo, nil)
+	s.appGpioSlot = interfaces.NewConnectedSlot(s.appGpioSlotInfo, nil, nil)
 }
 
 func (s *GpioInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/greengrass_support.go snapd-2.37~rc1~14.04/interfaces/builtin/greengrass_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/greengrass_support.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/greengrass_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -90,22 +90,26 @@
 @{PROC}/filesystems r,
 
 # setup the overlay so we may pivot_root into it
-mount fstype=overlay no_source -> /var/snap/@{SNAP_NAME}/**,
-mount options=(rw, bind) /var/snap/@{SNAP_NAME}/*/rootfs/ -> /var/snap/@{SNAP_NAME}/*/rootfs/,
-mount options=(rw, rbind) /var/snap/@{SNAP_NAME}/*/rootfs/ -> /var/snap/@{SNAP_NAME}/*/rootfs/,
-mount fstype=proc proc -> /var/snap/@{SNAP_NAME}/*/rootfs/proc/,
-mount options=(rw, nosuid, strictatime) fstype=tmpfs tmpfs -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/,
-mount options=(rw, nosuid, nodev, noexec) fstype=mqueue mqueue -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/mqueue/,
-mount options=(rw, nosuid, noexec) fstype=devpts devpts -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/pts/,
-mount options=(rw, nosuid, nodev, noexec) fstype=tmpfs shm -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/shm/,
+# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
+# completeness allow SNAP_INSTANCE_NAME too
+mount fstype=overlay no_source -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**,
+mount options=(rw, bind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/ -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/,
+mount options=(rw, rbind) /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/ -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/,
+mount fstype=proc proc -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/proc/,
+mount options=(rw, nosuid, strictatime) fstype=tmpfs tmpfs -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/,
+mount options=(rw, nosuid, nodev, noexec) fstype=mqueue mqueue -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/mqueue/,
+mount options=(rw, nosuid, noexec) fstype=devpts devpts -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/pts/,
+mount options=(rw, nosuid, nodev, noexec) fstype=tmpfs shm -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/shm/,
 
 # add a few common devices
-mount options=(rw, bind) /dev/full -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/full,
-mount options=(rw, bind) /dev/null -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/null,
-mount options=(rw, bind) /dev/random -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/random,
-mount options=(rw, bind) /dev/tty -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/tty,
-mount options=(rw, bind) /dev/urandom -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/urandom,
-mount options=(rw, bind) /dev/zero -> /var/snap/@{SNAP_NAME}/*/rootfs/dev/zero,
+# parallel-installs: SNAP_{DATA,COMMON} are remapped, need to use SNAP_NAME, for
+# completeness allow SNAP_INSTANCE_NAME too
+mount options=(rw, bind) /dev/full -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/full,
+mount options=(rw, bind) /dev/null -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/null,
+mount options=(rw, bind) /dev/random -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/random,
+mount options=(rw, bind) /dev/tty -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/tty,
+mount options=(rw, bind) /dev/urandom -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/urandom,
+mount options=(rw, bind) /dev/zero -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/*/rootfs/dev/zero,
 
 # allow mounting lambda, runtime and whatever else in SNAP_DATA into the
 # pivot_root
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/greengrass_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/greengrass_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/greengrass_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/greengrass_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "greengrass-support",
 		Interface: "greengrass-support",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, ggMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["greengrass-support"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *GreengrassSupportInterfaceSuite) TestName(c *C) {
@@ -92,7 +92,7 @@
 	err = apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
 	c.Assert(err, IsNil)
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"})
-	c.Check(apparmorSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "mount fstype=overlay no_source -> /var/snap/@{SNAP_NAME}/**,\n")
+	c.Check(apparmorSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "mount fstype=overlay no_source -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/**,\n")
 }
 
 func (s *GreengrassSupportInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/gsettings_test.go snapd-2.37~rc1~14.04/interfaces/builtin/gsettings_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/gsettings_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/gsettings_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "gsettings",
 		Interface: "gsettings",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, gsettingsMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["gsettings"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *GsettingsInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hardware_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/hardware_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hardware_observe.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hardware_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -37,6 +37,9 @@
 # used by lscpu and 'lspci -A intel-conf1/intel-conf2'
 capability sys_rawio,
 
+# see loaded kernel modules
+@{PROC}/modules r,
+
 # used by lspci
 capability sys_admin,
 /etc/modprobe.d/{,*} r,
@@ -52,15 +55,30 @@
 /sys/firmware/dmi/tables/DMI r,
 /sys/firmware/dmi/tables/smbios_entry_point r,
 
+# power information
+/sys/power/{,**} r,
+
 # interrupts
 @{PROC}/interrupts r,
 
+# libsensors
+/etc/sensors3.conf r,
+/etc/sensors.d/{,*} r,
+
 # Needed for udevadm
 /run/udev/data/** r,
 network netlink raw,
 
 # util-linux
+/{,usr/}bin/lsblk ixr,
 /{,usr/}bin/lscpu ixr,
+/{,usr/}bin/lsmem ixr,
+
+# lsmem
+/sys/devices/system/memory/block_size_bytes r,
+/sys/devices/system/memory/memory[0-9]*/removable r,
+/sys/devices/system/memory/memory[0-9]*/state r,
+/sys/devices/system/memory/memory[0-9]*/valid_zones r,
 
 # lsusb
 # Note: lsusb and its database have to be shipped in the snap if not on classic
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hardware_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/hardware_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hardware_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hardware_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "hardware-observe",
 		Interface: "hardware-observe",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, hwobserveMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["hardware-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *HardwareObserveInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hardware_random_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/hardware_random_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hardware_random_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hardware_random_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -105,8 +105,7 @@
 }
 
 func (s *HardwareRandomControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *HardwareRandomControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hardware_random_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/hardware_random_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hardware_random_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hardware_random_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -105,8 +105,7 @@
 }
 
 func (s *HardwareRandomObserveInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *HardwareRandomObserveInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hidraw.go snapd-2.37~rc1~14.04/interfaces/builtin/hidraw.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hidraw.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hidraw.go	2019-01-16 08:36:51.000000000 +0000
@@ -189,7 +189,7 @@
 	return nil
 }
 
-func (iface *hidrawInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *hidrawInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hidraw_test.go snapd-2.37~rc1~14.04/interfaces/builtin/hidraw_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hidraw_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hidraw_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -101,19 +101,19 @@
     bad-interface: other-interface
 `, nil)
 	s.testSlot1Info = osSnapInfo.Slots["test-port-1"]
-	s.testSlot1 = interfaces.NewConnectedSlot(s.testSlot1Info, nil)
+	s.testSlot1 = interfaces.NewConnectedSlot(s.testSlot1Info, nil, nil)
 	s.testSlot2Info = osSnapInfo.Slots["test-port-2"]
-	s.testSlot2 = interfaces.NewConnectedSlot(s.testSlot2Info, nil)
+	s.testSlot2 = interfaces.NewConnectedSlot(s.testSlot2Info, nil, nil)
 	s.missingPathSlotInfo = osSnapInfo.Slots["missing-path"]
-	s.missingPathSlot = interfaces.NewConnectedSlot(s.missingPathSlotInfo, nil)
+	s.missingPathSlot = interfaces.NewConnectedSlot(s.missingPathSlotInfo, nil, nil)
 	s.badPathSlot1Info = osSnapInfo.Slots["bad-path-1"]
-	s.badPathSlot1 = interfaces.NewConnectedSlot(s.badPathSlot1Info, nil)
+	s.badPathSlot1 = interfaces.NewConnectedSlot(s.badPathSlot1Info, nil, nil)
 	s.badPathSlot2Info = osSnapInfo.Slots["bad-path-2"]
-	s.badPathSlot2 = interfaces.NewConnectedSlot(s.badPathSlot2Info, nil)
+	s.badPathSlot2 = interfaces.NewConnectedSlot(s.badPathSlot2Info, nil, nil)
 	s.badPathSlot3Info = osSnapInfo.Slots["bad-path-3"]
-	s.badPathSlot3 = interfaces.NewConnectedSlot(s.badPathSlot3Info, nil)
+	s.badPathSlot3 = interfaces.NewConnectedSlot(s.badPathSlot3Info, nil, nil)
 	s.badInterfaceSlotInfo = osSnapInfo.Slots["bad-interface"]
-	s.badInterfaceSlot = interfaces.NewConnectedSlot(s.badInterfaceSlotInfo, nil)
+	s.badInterfaceSlot = interfaces.NewConnectedSlot(s.badInterfaceSlotInfo, nil, nil)
 
 	gadgetSnapInfo := snaptest.MockInfo(c, `
 name: some-device
@@ -147,15 +147,15 @@
       path: /dev/my-device
 `, nil)
 	s.testUDev1Info = gadgetSnapInfo.Slots["test-udev-1"]
-	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil)
+	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil, nil)
 	s.testUDev2Info = gadgetSnapInfo.Slots["test-udev-2"]
-	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil)
+	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil, nil)
 	s.testUDevBadValue1Info = gadgetSnapInfo.Slots["test-udev-bad-value-1"]
-	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil)
+	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil, nil)
 	s.testUDevBadValue2Info = gadgetSnapInfo.Slots["test-udev-bad-value-2"]
-	s.testUDevBadValue2 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil)
+	s.testUDevBadValue2 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil, nil)
 	s.testUDevBadValue3Info = gadgetSnapInfo.Slots["test-udev-bad-value-3"]
-	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil)
+	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil, nil)
 
 	consumingSnapInfo := snaptest.MockInfo(c, `
 name: client-snap
@@ -180,11 +180,11 @@
         plugs: [plug-for-device-3]
 `, nil)
 	s.testPlugPort1Info = consumingSnapInfo.Plugs["plug-for-device-1"]
-	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil)
+	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil, nil)
 	s.testPlugPort2Info = consumingSnapInfo.Plugs["plug-for-device-2"]
-	s.testPlugPort2 = interfaces.NewConnectedPlug(s.testPlugPort2Info, nil)
+	s.testPlugPort2 = interfaces.NewConnectedPlug(s.testPlugPort2Info, nil, nil)
 	s.testPlugPort3Info = consumingSnapInfo.Plugs["plug-for-device-3"]
-	s.testPlugPort3 = interfaces.NewConnectedPlug(s.testPlugPort3Info, nil)
+	s.testPlugPort3 = interfaces.NewConnectedPlug(s.testPlugPort3Info, nil, nil)
 }
 
 func (s *HidrawInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/home.go snapd-2.37~rc1~14.04/interfaces/builtin/home.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/home.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/home.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -19,6 +19,13 @@
 
 package builtin
 
+import (
+	"fmt"
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/snap"
+)
+
 const homeSummary = `allows access to non-hidden files in the home directory`
 
 const homeBaseDeclarationSlots = `
@@ -26,11 +33,17 @@
     allow-installation:
       slot-snap-type:
         - core
+    deny-connection:
+      plug-attributes:
+        read: all
     deny-auto-connection:
-      on-classic: false
+      -
+        on-classic: false
+      -
+        plug-attributes:
+          read: all
 `
 
-// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/home
 const homeConnectedPlugAppArmor = `
 # Description: Can access non-hidden files in user's $HOME. This is restricted
 # because it gives file access to all of the user's $HOME.
@@ -42,35 +55,77 @@
 
 # Allow read/write access to all files in @{HOME}, except snap application
 # data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
-owner @{HOME}/[^s.]**             rwklix,
-owner @{HOME}/s[^n]**             rwklix,
-owner @{HOME}/sn[^a]**            rwklix,
-owner @{HOME}/sna[^p]**           rwklix,
-owner @{HOME}/snap[^/]**          rwklix,
+owner @{HOME}/[^s.]**             rwkl###HOME_IX###,
+owner @{HOME}/s[^n]**             rwkl###HOME_IX###,
+owner @{HOME}/sn[^a]**            rwkl###HOME_IX###,
+owner @{HOME}/sna[^p]**           rwkl###HOME_IX###,
+owner @{HOME}/snap[^/]**          rwkl###HOME_IX###,
 
 # Allow creating a few files not caught above
-owner @{HOME}/{s,sn,sna}{,/} rwklix,
+owner @{HOME}/{s,sn,sna}{,/} rwkl###HOME_IX###,
 
 # Allow access to @{HOME}/snap/ to allow directory traversals from
-# @{HOME}/snap/@{SNAP_NAME} through @{HOME}/snap to @{HOME}. While this leaks
-# snap names, it fixes usability issues for snaps that require this
-# transitional interface.
+# @{HOME}/snap/@{SNAP_INSTANCE_NAME} through @{HOME}/snap to @{HOME}.
+# While this leaks snap names, it fixes usability issues for snaps
+# that require this transitional interface.
 owner @{HOME}/snap/ r,
 
 # Allow access to gvfs mounts for files owned by the user (including hidden
 # files; only allow writes to files, not the mount point).
 owner /run/user/[0-9]*/gvfs/{,**} r,
 owner /run/user/[0-9]*/gvfs/*/**  w,
+
+# Disallow writes to the well-known directory included in
+# the user's PATH on several distributions
+audit deny @{HOME}/bin/{,**} wl,
+`
+
+const homeConnectedPlugAppArmorWithAllRead = `
+# Allow non-owner read to non-hidden and non-snap files and directories
+@{HOME}/               r,
+@{HOME}/[^s.]**        r,
+@{HOME}/s[^n]**        r,
+@{HOME}/sn[^a]**       r,
+@{HOME}/sna[^p]**      r,
+@{HOME}/snap[^/]**     r,
+@{HOME}/{s,sn,sna}{,/} r,
 `
 
+type homeInterface struct {
+	commonInterface
+}
+
+func (iface *homeInterface) BeforePreparePlug(plug *snap.PlugInfo) error {
+	// It's fine if 'read' isn't specified, but if it is, it needs to be
+	// 'all'
+	if r, ok := plug.Attrs["read"]; ok && r != "all" {
+		return fmt.Errorf(`home plug requires "read" be 'all'`)
+	}
+
+	return nil
+}
+
+func (iface *homeInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	var read string
+	_ = plug.Attr("read", &read)
+	// 'owner' is the standard policy
+	spec.AddSnippet(homeConnectedPlugAppArmor)
+
+	// 'all' grants standard policy plus read access to home without owner
+	// match
+	if read == "all" {
+		spec.AddSnippet(homeConnectedPlugAppArmorWithAllRead)
+	}
+	return nil
+}
+
 func init() {
-	registerIface(&commonInterface{
-		name:                  "home",
-		summary:               homeSummary,
-		implicitOnCore:        true,
-		implicitOnClassic:     true,
-		baseDeclarationSlots:  homeBaseDeclarationSlots,
-		connectedPlugAppArmor: homeConnectedPlugAppArmor,
-		reservedForOS:         true,
-	})
+	registerIface(&homeInterface{commonInterface{
+		name:                 "home",
+		summary:              homeSummary,
+		implicitOnCore:       true,
+		implicitOnClassic:    true,
+		baseDeclarationSlots: homeBaseDeclarationSlots,
+		reservedForOS:        true,
+	}})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/home_test.go snapd-2.37~rc1~14.04/interfaces/builtin/home_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/home_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/home_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -55,10 +55,10 @@
 		Name:      "home",
 		Interface: "home",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["home"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *HomeInterfaceSuite) TestName(c *C) {
@@ -76,17 +76,106 @@
 		"home slots are reserved for the core snap")
 }
 
-func (s *HomeInterfaceSuite) TestSanitizePlug(c *C) {
+func (s *HomeInterfaceSuite) TestSanitizePlugNoAttrib(c *C) {
 	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
 }
 
-func (s *HomeInterfaceSuite) TestUsedSecuritySystems(c *C) {
-	// connected plugs have a non-nil security snippet for apparmor
+func (s *HomeInterfaceSuite) TestSanitizePlugWithAttrib(c *C) {
+	const mockSnapYaml = `name: home-plug-snap
+version: 1.0
+plugs:
+ home:
+  read: all
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := info.Plugs["home"]
+	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), IsNil)
+}
+
+func (s *HomeInterfaceSuite) TestSanitizePlugWithBadAttrib(c *C) {
+	const mockSnapYaml = `name: home-plug-snap
+version: 1.0
+plugs:
+ home:
+  read: bad
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := info.Plugs["home"]
+	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), ErrorMatches,
+		`home plug requires "read" be 'all'`)
+}
+
+func (s *HomeInterfaceSuite) TestSanitizePlugWithEmptyAttrib(c *C) {
+	const mockSnapYaml = `name: home-plug-snap
+version: 1.0
+plugs:
+ home:
+  read: ""
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := info.Plugs["home"]
+	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), ErrorMatches,
+		`home plug requires "read" be 'all'`)
+}
+
+func (s *HomeInterfaceSuite) TestSanitizePlugWithBadAttribOwner(c *C) {
+	const mockSnapYaml = `name: home-plug-snap
+version: 1.0
+plugs:
+ home:
+  read: owner
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := info.Plugs["home"]
+	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), ErrorMatches,
+		`home plug requires "read" be 'all'`)
+}
+
+func (s *HomeInterfaceSuite) TestSanitizePlugWithBadAttribDict(c *C) {
+	const mockSnapYaml = `name: home-plug-snap
+version: 1.0
+plugs:
+ home:
+  read:
+   all: bad
+   bad: all
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := info.Plugs["home"]
+	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), ErrorMatches,
+		`home plug requires "read" be 'all'`)
+}
+
+func (s *HomeInterfaceSuite) TestConnectedPlugAppArmorWithoutAttrib(c *C) {
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
 	c.Assert(err, IsNil)
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"})
 	c.Check(apparmorSpec.SnippetForTag("snap.other.app"), testutil.Contains, `owner @{HOME}/ r,`)
+	c.Check(apparmorSpec.SnippetForTag("snap.other.app"), testutil.Contains, `audit deny @{HOME}/bin/{,**} wl,`)
+	c.Check(apparmorSpec.SnippetForTag("snap.other.app"), Not(testutil.Contains), `# Allow non-owner read`)
+}
+
+func (s *HomeInterfaceSuite) TestConnectedPlugAppArmorWithAttribAll(c *C) {
+	const mockSnapYaml = `name: home-plug-snap
+version: 1.0
+plugs:
+ home:
+  read: all
+apps:
+ app2:
+  command: foo
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := interfaces.NewConnectedPlug(info.Plugs["home"], nil, nil)
+
+	apparmorSpec := &apparmor.Specification{}
+	err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.home-plug-snap.app2"})
+	c.Check(apparmorSpec.SnippetForTag("snap.home-plug-snap.app2"), testutil.Contains, `audit deny @{HOME}/bin/{,**} wl,`)
+	c.Check(apparmorSpec.SnippetForTag("snap.home-plug-snap.app2"), testutil.Contains, `owner @{HOME}/ r,`)
+	c.Check(apparmorSpec.SnippetForTag("snap.home-plug-snap.app2"), testutil.Contains, `# Allow non-owner read`)
 }
 
 func (s *HomeInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hostname_control.go snapd-2.37~rc1~14.04/interfaces/builtin/hostname_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hostname_control.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hostname_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,91 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const hostnameControlSummary = `allows configuring the system hostname`
+
+const hostnameControlBaseDeclarationSlots = `
+  hostname-control:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const hostnameControlConnectedPlugAppArmor = `
+# Description: Can configure the system hostname.
+# /{,usr/}bin/hostname ixr, # already allowed by default
+/etc/hostname w,            # read allowed by default
+
+# on core /etc/hostname is a link to /etc/writable/hostname
+/etc/writable/hostname w,
+
+#include <abstractions/dbus-strict>
+/{,usr/}{,s}bin/hostnamectl           ixr,
+
+# Allow access to hostname system service
+# do not use peer=(label=unconfined) here since this is DBus activated
+dbus (send)
+    bus=system
+    path=/org/freedesktop/hostname1
+    interface=org.freedesktop.DBus.Properties
+    member="Get{,All}",
+dbus (send)
+    bus=system
+    path=/org/freedesktop/hostname1
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect,
+
+dbus (receive)
+    bus=system
+    path=/org/freedesktop/hostname1
+    interface=org.freedesktop.DBus.Properties
+    member=PropertiesChanged
+    peer=(label=unconfined),
+dbus(receive, send)
+    bus=system
+    path=/org/freedesktop/hostname1
+    interface=org.freedesktop.hostname1
+    member=Set{,Pretty,Static}Hostname
+    peer=(label=unconfined),
+
+# Needed to use 'sethostname' and 'hostnamectl set-hostname'. See man 7
+# capabilities
+capability sys_admin,
+`
+
+const hostnameControlConnectedPlugSecComp = `
+# Description: Can configure the system hostname.
+sethostname
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "hostname-control",
+		summary:               hostnameControlSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  hostnameControlBaseDeclarationSlots,
+		connectedPlugAppArmor: hostnameControlConnectedPlugAppArmor,
+		connectedPlugSecComp:  hostnameControlConnectedPlugSecComp,
+		reservedForOS:         true,
+	})
+
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/hostname_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/hostname_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/hostname_control_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/hostname_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,110 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type HostnameControlInterfaceSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&HostnameControlInterfaceSuite{
+	iface: builtin.MustInterface("hostname-control"),
+})
+
+const hostnameControlConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [hostname-control]
+`
+
+const hostnameControlCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  hostname-control:
+`
+
+func (s *HostnameControlInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, hostnameControlConsumerYaml, nil, "hostname-control")
+	s.slot, s.slotInfo = MockConnectedSlot(c, hostnameControlCoreYaml, nil, "hostname-control")
+}
+
+func (s *HostnameControlInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "hostname-control")
+}
+
+func (s *HostnameControlInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "hostname-control",
+		Interface: "hostname-control",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"hostname-control slots are reserved for the core snap")
+}
+
+func (s *HostnameControlInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *HostnameControlInterfaceSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/{,usr/}{,s}bin/hostnamectl")
+}
+
+func (s *HostnameControlInterfaceSuite) TestSecCompSpec(c *C) {
+	spec := &seccomp.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "sethostname\n")
+}
+
+func (s *HostnameControlInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, true)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows configuring the system hostname`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "hostname-control")
+}
+
+func (s *HostnameControlInterfaceSuite) TestAutoConnect(c *C) {
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
+}
+func (s *HostnameControlInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/i2c.go snapd-2.37~rc1~14.04/interfaces/builtin/i2c.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/i2c.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/i2c.go	2019-01-16 08:36:51.000000000 +0000
@@ -42,13 +42,19 @@
     deny-auto-connection: true
 `
 
-const i2cConnectedPlugAppArmor = `
+const i2cConnectedPlugAppArmorPath = `
 # Description: Can access I2C controller
 
 %s rw,
 /sys/devices/platform/{*,**.i2c}/%s/** rw,
 `
 
+const i2cConnectedPlugAppArmorSysfsName = `
+# Description: Can access I2C sysfs name
+
+/sys/bus/i2c/devices/%s/** rw,
+`
+
 // The type for i2c interface
 type i2cInterface struct{}
 
@@ -73,18 +79,31 @@
 // identification
 var i2cControlDeviceNodePattern = regexp.MustCompile("^/dev/i2c-[0-9]+$")
 
+// Pattern to match allowed i2c sysfs names.
+var i2cValidSysfsName = regexp.MustCompile("^[a-zA-Z0-9_-]+$")
+
 // Check validity of the defined slot
 func (iface *i2cInterface) BeforePrepareSlot(slot *snap.SlotInfo) error {
 	if err := sanitizeSlotReservedForOSOrGadget(iface, slot); err != nil {
 		return err
 	}
 
+	sysfsName, ok := slot.Attrs["sysfs-name"].(string)
+	if ok {
+		if !i2cValidSysfsName.MatchString(sysfsName) {
+			return fmt.Errorf("%s sysfs-name attribute must be a valid sysfs-name", iface.Name())
+		}
+		if _, ok := slot.Attrs["path"].(string); ok {
+			return fmt.Errorf("%s slot can only use path or sysfs-name", iface.Name())
+		}
+		return nil
+	}
+
 	// Validate the path
 	path, ok := slot.Attrs["path"].(string)
 	if !ok || path == "" {
-		return fmt.Errorf("%s slot must have a path attribute", iface.Name())
+		return fmt.Errorf("%s slot must have a path or sysfs-name attribute", iface.Name())
 	}
-
 	path = filepath.Clean(path)
 
 	if !i2cControlDeviceNodePattern.MatchString(path) {
@@ -95,13 +114,22 @@
 }
 
 func (iface *i2cInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+
+	// check if sysfsName is set and if so stop after that
+	var sysfsName string
+	if err := slot.Attr("sysfs-name", &sysfsName); err == nil {
+		spec.AddSnippet(fmt.Sprintf(i2cConnectedPlugAppArmorSysfsName, sysfsName))
+		return nil
+	}
+
+	// do path if sysfsName is not set (they can't be set both)
 	var path string
 	if err := slot.Attr("path", &path); err != nil {
 		return nil
 	}
 
 	cleanedPath := filepath.Clean(path)
-	spec.AddSnippet(fmt.Sprintf(i2cConnectedPlugAppArmor, cleanedPath, strings.TrimPrefix(path, "/dev/")))
+	spec.AddSnippet(fmt.Sprintf(i2cConnectedPlugAppArmorPath, cleanedPath, strings.TrimPrefix(path, "/dev/")))
 	return nil
 }
 
@@ -114,7 +142,7 @@
 	return nil
 }
 
-func (iface *i2cInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *i2cInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// Allow what is allowed in the declarations
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/i2c_test.go snapd-2.37~rc1~14.04/interfaces/builtin/i2c_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/i2c_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/i2c_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -40,28 +40,36 @@
 	testSlot1Info *snap.SlotInfo
 
 	// Gadget Snap
-	testUDev1                 *interfaces.ConnectedSlot
-	testUDev1Info             *snap.SlotInfo
-	testUDev2                 *interfaces.ConnectedSlot
-	testUDev2Info             *snap.SlotInfo
-	testUDev3                 *interfaces.ConnectedSlot
-	testUDev3Info             *snap.SlotInfo
-	testUDevBadValue1         *interfaces.ConnectedSlot
-	testUDevBadValue1Info     *snap.SlotInfo
-	testUDevBadValue2         *interfaces.ConnectedSlot
-	testUDevBadValue2Info     *snap.SlotInfo
-	testUDevBadValue3         *interfaces.ConnectedSlot
-	testUDevBadValue3Info     *snap.SlotInfo
-	testUDevBadValue4         *interfaces.ConnectedSlot
-	testUDevBadValue4Info     *snap.SlotInfo
-	testUDevBadValue5         *interfaces.ConnectedSlot
-	testUDevBadValue5Info     *snap.SlotInfo
-	testUDevBadValue6         *interfaces.ConnectedSlot
-	testUDevBadValue6Info     *snap.SlotInfo
-	testUDevBadValue7         *interfaces.ConnectedSlot
-	testUDevBadValue7Info     *snap.SlotInfo
-	testUDevBadInterface1     *interfaces.ConnectedSlot
-	testUDevBadInterface1Info *snap.SlotInfo
+	testUDev1                  *interfaces.ConnectedSlot
+	testUDev1Info              *snap.SlotInfo
+	testUDev2                  *interfaces.ConnectedSlot
+	testUDev2Info              *snap.SlotInfo
+	testUDev3                  *interfaces.ConnectedSlot
+	testUDev3Info              *snap.SlotInfo
+	testSysfsName1             *interfaces.ConnectedSlot
+	testSysfsName1Info         *snap.SlotInfo
+	testUDevBadValue1          *interfaces.ConnectedSlot
+	testUDevBadValue1Info      *snap.SlotInfo
+	testUDevBadValue2          *interfaces.ConnectedSlot
+	testUDevBadValue2Info      *snap.SlotInfo
+	testUDevBadValue3          *interfaces.ConnectedSlot
+	testUDevBadValue3Info      *snap.SlotInfo
+	testUDevBadValue4          *interfaces.ConnectedSlot
+	testUDevBadValue4Info      *snap.SlotInfo
+	testUDevBadValue5          *interfaces.ConnectedSlot
+	testUDevBadValue5Info      *snap.SlotInfo
+	testUDevBadValue6          *interfaces.ConnectedSlot
+	testUDevBadValue6Info      *snap.SlotInfo
+	testUDevBadValue7          *interfaces.ConnectedSlot
+	testUDevBadValue7Info      *snap.SlotInfo
+	testUDevBadInterface1      *interfaces.ConnectedSlot
+	testUDevBadInterface1Info  *snap.SlotInfo
+	testSysfsNameBadValue1     *interfaces.ConnectedSlot
+	testSysfsNameBadValue1Info *snap.SlotInfo
+	testSysfsNameAndPath       *interfaces.ConnectedSlot
+	testSysfsNameAndPathInfo   *snap.SlotInfo
+	testSysfsNameEmpty         *interfaces.ConnectedSlot
+	testSysfsNameEmptyInfo     *snap.SlotInfo
 
 	// Consuming Snap
 	testPlugPort1     *interfaces.ConnectedPlug
@@ -100,6 +108,9 @@
   test-udev-3:
     interface: i2c
     path: /dev/i2c-0
+  test-sysfs-name-1:
+    interface: i2c
+    sysfs-name: 1-0050
   test-udev-bad-value-1:
     interface: i2c
     path: /dev/i2c
@@ -122,28 +133,46 @@
     interface: i2c
   test-udev-bad-interface-1:
     interface: other-interface
+  test-sysfs-name-bad-value-1:
+    interface: i2c
+    sysfs-name: /slash/not/allowed
+  test-sysfs-name-and-path:
+    interface: i2c
+    path: /dev/i2c-0
+    sysfs-name: 1-0050
+  test-sysfs-name-empty:
+    interface: i2c
+    sysfs-name: ""
 `, nil)
 	s.testUDev1Info = gadgetSnapInfo.Slots["test-udev-1"]
-	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil)
+	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil, nil)
 	s.testUDev2Info = gadgetSnapInfo.Slots["test-udev-2"]
-	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil)
+	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil, nil)
 	s.testUDev3Info = gadgetSnapInfo.Slots["test-udev-3"]
-	s.testUDev3 = interfaces.NewConnectedSlot(s.testUDev3Info, nil)
+	s.testUDev3 = interfaces.NewConnectedSlot(s.testUDev3Info, nil, nil)
+	s.testSysfsName1Info = gadgetSnapInfo.Slots["test-sysfs-name-1"]
+	s.testSysfsName1 = interfaces.NewConnectedSlot(s.testSysfsName1Info, nil, nil)
 	s.testUDevBadValue1Info = gadgetSnapInfo.Slots["test-udev-bad-value-1"]
-	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil)
+	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil, nil)
 	s.testUDevBadValue2Info = gadgetSnapInfo.Slots["test-udev-bad-value-2"]
-	s.testUDevBadValue2 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil)
+	s.testUDevBadValue2 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil, nil)
 	s.testUDevBadValue3Info = gadgetSnapInfo.Slots["test-udev-bad-value-3"]
-	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil)
+	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil, nil)
 	s.testUDevBadValue4Info = gadgetSnapInfo.Slots["test-udev-bad-value-4"]
-	s.testUDevBadValue4 = interfaces.NewConnectedSlot(s.testUDevBadValue4Info, nil)
+	s.testUDevBadValue4 = interfaces.NewConnectedSlot(s.testUDevBadValue4Info, nil, nil)
 	s.testUDevBadValue5Info = gadgetSnapInfo.Slots["test-udev-bad-value-5"]
-	s.testUDevBadValue5 = interfaces.NewConnectedSlot(s.testUDevBadValue5Info, nil)
+	s.testUDevBadValue5 = interfaces.NewConnectedSlot(s.testUDevBadValue5Info, nil, nil)
 	s.testUDevBadValue6Info = gadgetSnapInfo.Slots["test-udev-bad-value-6"]
-	s.testUDevBadValue6 = interfaces.NewConnectedSlot(s.testUDevBadValue6Info, nil)
+	s.testUDevBadValue6 = interfaces.NewConnectedSlot(s.testUDevBadValue6Info, nil, nil)
 	s.testUDevBadValue7Info = gadgetSnapInfo.Slots["test-udev-bad-value-7"]
-	s.testUDevBadValue7 = interfaces.NewConnectedSlot(s.testUDevBadValue7Info, nil)
+	s.testUDevBadValue7 = interfaces.NewConnectedSlot(s.testUDevBadValue7Info, nil, nil)
 	s.testUDevBadInterface1Info = gadgetSnapInfo.Slots["test-udev-bad-interface-1"]
+	s.testSysfsNameBadValue1Info = gadgetSnapInfo.Slots["test-sysfs-name-bad-value-1"]
+	s.testSysfsNameBadValue1 = interfaces.NewConnectedSlot(s.testSysfsNameBadValue1Info, nil, nil)
+	s.testSysfsNameAndPathInfo = gadgetSnapInfo.Slots["test-sysfs-name-and-path"]
+	s.testSysfsNameAndPath = interfaces.NewConnectedSlot(s.testSysfsNameAndPathInfo, nil, nil)
+	s.testSysfsNameEmptyInfo = gadgetSnapInfo.Slots["test-sysfs-name-empty"]
+	s.testSysfsNameEmpty = interfaces.NewConnectedSlot(s.testSysfsNameEmptyInfo, nil, nil)
 
 	// Snap Consumers
 	consumingSnapInfo := snaptest.MockInfo(c, `
@@ -158,7 +187,7 @@
     plugs: [i2c]
 `, nil)
 	s.testPlugPort1Info = consumingSnapInfo.Plugs["plug-for-port-1"]
-	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil)
+	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil, nil)
 }
 
 func (s *I2cInterfaceSuite) TestName(c *C) {
@@ -173,6 +202,7 @@
 	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDev1Info), IsNil)
 	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDev2Info), IsNil)
 	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDev3Info), IsNil)
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testSysfsName1Info), IsNil)
 }
 
 func (s *I2cInterfaceSuite) TestSanitizeBadGadgetSnapSlot(c *C) {
@@ -181,8 +211,11 @@
 	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDevBadValue3Info), ErrorMatches, "i2c path attribute must be a valid device node")
 	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDevBadValue4Info), ErrorMatches, "i2c path attribute must be a valid device node")
 	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDevBadValue5Info), ErrorMatches, "i2c path attribute must be a valid device node")
-	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDevBadValue6Info), ErrorMatches, "i2c slot must have a path attribute")
-	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDevBadValue7Info), ErrorMatches, "i2c slot must have a path attribute")
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDevBadValue6Info), ErrorMatches, "i2c slot must have a path or sysfs-name attribute")
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testUDevBadValue7Info), ErrorMatches, "i2c slot must have a path or sysfs-name attribute")
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testSysfsNameBadValue1Info), ErrorMatches, "i2c sysfs-name attribute must be a valid sysfs-name")
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testSysfsNameAndPathInfo), ErrorMatches, "i2c slot can only use path or sysfs-name")
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.testSysfsNameEmptyInfo), ErrorMatches, "i2c sysfs-name attribute must be a valid sysfs-name")
 }
 
 func (s *I2cInterfaceSuite) TestUDevSpec(c *C) {
@@ -194,7 +227,13 @@
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_client-snap_app-accessing-1-port", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_client-snap_app-accessing-1-port $devpath $major:$minor"`)
 }
 
-func (s *I2cInterfaceSuite) TestAppArmorSpec(c *C) {
+func (s *I2cInterfaceSuite) TestUDevSpecSysfsName(c *C) {
+	spec := &udev.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.testPlugPort1, s.testSysfsName1), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 0)
+}
+
+func (s *I2cInterfaceSuite) TestAppArmorSpecPath(c *C) {
 	spec := &apparmor.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.testPlugPort1, s.testUDev1), IsNil)
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.client-snap.app-accessing-1-port"})
@@ -202,6 +241,17 @@
 	c.Assert(spec.SnippetForTag("snap.client-snap.app-accessing-1-port"), testutil.Contains, `/sys/devices/platform/{*,**.i2c}/i2c-1/** rw,`)
 }
 
+func (s *I2cInterfaceSuite) TestAppArmorSpecSysfsName(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.testPlugPort1, s.testSysfsName1), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.client-snap.app-accessing-1-port"})
+	c.Assert(spec.SnippetForTag("snap.client-snap.app-accessing-1-port"), Equals, `
+# Description: Can access I2C sysfs name
+
+/sys/bus/i2c/devices/1-0050/** rw,
+`)
+}
+
 func (s *I2cInterfaceSuite) TestAutoConnect(c *C) {
 	c.Check(s.iface.AutoConnect(nil, nil), Equals, true)
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/iio.go snapd-2.37~rc1~14.04/interfaces/builtin/iio.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/iio.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/iio.go	2019-01-16 08:36:51.000000000 +0000
@@ -126,7 +126,7 @@
 	return nil
 }
 
-func (iface *iioInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *iioInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// Allow what is allowed in the declarations
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/iio_test.go snapd-2.37~rc1~14.04/interfaces/builtin/iio_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/iio_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/iio_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -129,29 +129,29 @@
     interface: other-interface
 `, nil)
 	s.testUDev1Info = gadgetSnapInfo.Slots["test-udev-1"]
-	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil)
+	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil, nil)
 	s.testUDev2Info = gadgetSnapInfo.Slots["test-udev-2"]
-	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil)
+	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil, nil)
 	s.testUDev3Info = gadgetSnapInfo.Slots["test-udev-3"]
-	s.testUDev3 = interfaces.NewConnectedSlot(s.testUDev3Info, nil)
+	s.testUDev3 = interfaces.NewConnectedSlot(s.testUDev3Info, nil, nil)
 	s.testUDevBadValue1Info = gadgetSnapInfo.Slots["test-udev-bad-value-1"]
-	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil)
+	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil, nil)
 	s.testUDevBadValue2Info = gadgetSnapInfo.Slots["test-udev-bad-value-2"]
-	s.testUDevBadValue2 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil)
+	s.testUDevBadValue2 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil, nil)
 	s.testUDevBadValue3Info = gadgetSnapInfo.Slots["test-udev-bad-value-3"]
-	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil)
+	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil, nil)
 	s.testUDevBadValue4Info = gadgetSnapInfo.Slots["test-udev-bad-value-4"]
-	s.testUDevBadValue4 = interfaces.NewConnectedSlot(s.testUDevBadValue4Info, nil)
+	s.testUDevBadValue4 = interfaces.NewConnectedSlot(s.testUDevBadValue4Info, nil, nil)
 	s.testUDevBadValue5Info = gadgetSnapInfo.Slots["test-udev-bad-value-5"]
-	s.testUDevBadValue5 = interfaces.NewConnectedSlot(s.testUDevBadValue5Info, nil)
+	s.testUDevBadValue5 = interfaces.NewConnectedSlot(s.testUDevBadValue5Info, nil, nil)
 	s.testUDevBadValue6Info = gadgetSnapInfo.Slots["test-udev-bad-value-6"]
-	s.testUDevBadValue6 = interfaces.NewConnectedSlot(s.testUDevBadValue6Info, nil)
+	s.testUDevBadValue6 = interfaces.NewConnectedSlot(s.testUDevBadValue6Info, nil, nil)
 	s.testUDevBadValue7Info = gadgetSnapInfo.Slots["test-udev-bad-value-7"]
-	s.testUDevBadValue7 = interfaces.NewConnectedSlot(s.testUDevBadValue7Info, nil)
+	s.testUDevBadValue7 = interfaces.NewConnectedSlot(s.testUDevBadValue7Info, nil, nil)
 	s.testUDevBadValue8Info = gadgetSnapInfo.Slots["test-udev-bad-value-8"]
-	s.testUDevBadValue8 = interfaces.NewConnectedSlot(s.testUDevBadValue8Info, nil)
+	s.testUDevBadValue8 = interfaces.NewConnectedSlot(s.testUDevBadValue8Info, nil, nil)
 	s.testUDevBadInterface1Info = gadgetSnapInfo.Slots["test-udev-bad-interface-1"]
-	s.testUDevBadInterface1 = interfaces.NewConnectedSlot(s.testUDevBadInterface1Info, nil)
+	s.testUDevBadInterface1 = interfaces.NewConnectedSlot(s.testUDevBadInterface1Info, nil, nil)
 
 	// Snap Consumers
 	consumingSnapInfo := snaptest.MockInfo(c, `
@@ -166,7 +166,7 @@
     plugs: [iio]
 `, nil)
 	s.testPlugPort1Info = consumingSnapInfo.Plugs["plug-for-port-1"]
-	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil)
+	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil, nil)
 }
 
 func (s *IioInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/io_ports_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/io_ports_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/io_ports_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/io_ports_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -113,8 +113,7 @@
 }
 
 func (s *ioPortsControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *ioPortsControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/joystick.go snapd-2.37~rc1~14.04/interfaces/builtin/joystick.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/joystick.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/joystick.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -19,6 +19,11 @@
 
 package builtin
 
+import (
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/udev"
+)
+
 const joystickSummary = `allows access to joystick devices`
 
 const joystickBaseDeclarationSlots = `
@@ -30,13 +35,33 @@
 `
 
 const joystickConnectedPlugAppArmor = `
-# Description: Allow reading and writing to joystick devices (/dev/input/js*).
+# Description: Allow reading and writing to joystick devices
+
+#
+# Old joystick interface
+#
 
 # Per https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/devices.txt
 # only js0-js31 is valid so limit the /dev and udev entries to those devices.
 /dev/input/js{[0-9],[12][0-9],3[01]} rw,
 /run/udev/data/c13:{[0-9],[12][0-9],3[01]} r,
 
+#
+# New evdev-joystick interface
+#
+
+# Per https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/devices.txt
+# the minor is 65 and up so limit udev to that.
+/run/udev/data/c13:{6[5-9],[7-9][0-9],[1-9][0-9][0-9]*} r,
+
+# /dev/input/event* is unfortunately not namespaced and includes all input
+# devices, including keyboards and mice, which allows input sniffing and
+# injection. Until we have inode tagging of devices, we use a glob rule here
+# and rely on udev tagging to only add evdev devices to the snap's device
+# cgroup that are marked with ENV{ID_INPUT_JOYSTICK}=="1". As such, even though
+# AppArmor allows all evdev, the device cgroup does not.
+/dev/input/event[0-9]* rw,
+
 # Allow reading for supported event reports for all input devices. See
 # https://www.kernel.org/doc/Documentation/input/event-codes.txt
 # FIXME: this is a very minor information leak and snapd should instead query
@@ -44,10 +69,35 @@
 /sys/devices/**/input[0-9]*/capabilities/* r,
 `
 
-var joystickConnectedPlugUDev = []string{`KERNEL=="js[0-9]*"`}
+// Add the old joystick device (js*) and any evdev input interfaces which are
+// marked as joysticks. Note, some input devices are known to come up as
+// joysticks when they are not and while this rule would tag them, on systems
+// where this is happening the device is non-functional for its intended
+// purpose. In other words, in practice, users with such devices will have
+// updated their udev rules to set ENV{ID_INPUT_JOYSTICK}="" to make it work,
+// which means this rule will no longer match.
+//
+// Because of the unconditional /dev/input/event[0-9]* AppArmor rule, we need
+// to ensure that the device cgroup is in effect even when there are no
+// joysticks present so that we don't give away all input to the snap. Use
+// /dev/full for this purpose.
+var joystickConnectedPlugUDev = []string{
+	`KERNEL=="js[0-9]*"`,
+	`KERNEL=="event[0-9]*", SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="1"`,
+	`KERNEL=="full", SUBSYSTEM=="mem"`,
+}
+
+type joystickInterface struct {
+	commonInterface
+}
+
+func (iface *joystickInterface) UDevConnectedPlug(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	spec.TriggerSubsystem("input/joystick")
+	return iface.commonInterface.UDevConnectedPlug(spec, plug, slot)
+}
 
 func init() {
-	registerIface(&commonInterface{
+	registerIface(&joystickInterface{commonInterface{
 		name:                  "joystick",
 		summary:               joystickSummary,
 		implicitOnCore:        true,
@@ -56,5 +106,5 @@
 		connectedPlugAppArmor: joystickConnectedPlugAppArmor,
 		connectedPlugUDev:     joystickConnectedPlugUDev,
 		reservedForOS:         true,
-	})
+	}})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/joystick_test.go snapd-2.37~rc1~14.04/interfaces/builtin/joystick_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/joystick_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/joystick_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -85,15 +85,21 @@
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/dev/input/js{[0-9],[12][0-9],3[01]} rw,`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/run/udev/data/c13:{6[5-9],[7-9][0-9],[1-9][0-9][0-9]*} r,`)
 }
 
 func (s *JoystickInterfaceSuite) TestUDevSpec(c *C) {
 	spec := &udev.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
-	c.Assert(spec.Snippets(), HasLen, 2)
+	c.Assert(spec.Snippets(), HasLen, 4)
 	c.Assert(spec.Snippets(), testutil.Contains, `# joystick
 KERNEL=="js[0-9]*", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# joystick
+KERNEL=="event[0-9]*", SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="1", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# joystick
+KERNEL=="full", SUBSYSTEM=="mem", TAG+="snap_consumer_app"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_consumer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_consumer_app $devpath $major:$minor"`)
+	c.Assert(spec.TriggeredSubsystems(), DeepEquals, []string{"input/joystick"})
 }
 
 func (s *JoystickInterfaceSuite) TestStaticInfo(c *C) {
@@ -105,8 +111,7 @@
 }
 
 func (s *JoystickInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *JoystickInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/juju_client_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/juju_client_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/juju_client_observe.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/juju_client_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,46 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const jujuClientObserveSummary = `allows read access to juju client configuration`
+
+const jujuClientObserveBaseDeclarationSlots = `
+  juju-client-observe:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const jujuClientObserveConnectedPlugAppArmor = `
+# Description: Can access juju client configuration
+owner @{HOME}/.local/share/juju/{,**} r,
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "juju-client-observe",
+		summary:               jujuClientObserveSummary,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  jujuClientObserveBaseDeclarationSlots,
+		connectedPlugAppArmor: jujuClientObserveConnectedPlugAppArmor,
+		reservedForOS:         true,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/juju_client_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/juju_client_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/juju_client_observe_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/juju_client_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,99 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type JujuClientObserveInterfaceSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&JujuClientObserveInterfaceSuite{
+	iface: builtin.MustInterface("juju-client-observe"),
+})
+
+const jujuClientObserveConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [juju-client-observe]
+`
+
+const jujuClientObserveCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  juju-client-observe:
+`
+
+func (s *JujuClientObserveInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, jujuClientObserveConsumerYaml, nil, "juju-client-observe")
+	s.slot, s.slotInfo = MockConnectedSlot(c, jujuClientObserveCoreYaml, nil, "juju-client-observe")
+}
+
+func (s *JujuClientObserveInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "juju-client-observe")
+}
+
+func (s *JujuClientObserveInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "juju-client-observe",
+		Interface: "juju-client-observe",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"juju-client-observe slots are reserved for the core snap")
+}
+
+func (s *JujuClientObserveInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *JujuClientObserveInterfaceSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "owner @{HOME}/.local/share/juju/{,**} r,\n")
+}
+
+func (s *JujuClientObserveInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, false)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows read access to juju client configuration`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "juju-client-observe")
+}
+
+func (s *JujuClientObserveInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_control.go snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -38,19 +38,22 @@
 const kernelModuleControlConnectedPlugAppArmor = `
 # Description: Allow insertion, removal and querying of modules.
 
-  capability sys_module,
-  @{PROC}/modules r,
+capability sys_module,
+@{PROC}/modules r,
+/{,usr/}bin/kmod ixr,
 
-  # FIXME: moved to physical-memory-observe (remove this in series 18)
-  /dev/mem r,
+# FIXME: moved to physical-memory-observe (remove this in series 18)
+/dev/mem r,
 
-  # Required to use SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER when
-  # /proc/sys/kernel/dmesg_restrict is '1' (syslog(2)). These operations are
-  # required to verify kernel modules that are loaded.
-  capability syslog,
+# Required to use SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER when
+# /proc/sys/kernel/dmesg_restrict is '1' (syslog(2)). These operations are
+# required to verify kernel modules that are loaded.
+capability syslog,
 
-  # Allow plug side to read information about loaded kernel modules
-  /sys/module/{,**} r,
+# Allow reading information about loaded kernel modules
+/sys/module/{,**} r,
+/etc/modprobe.d/{,**} r,
+/lib/modprobe.d/{,**} r,
 `
 
 const kernelModuleControlConnectedPlugSecComp = `
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -113,8 +113,7 @@
 }
 
 func (s *KernelModuleControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *KernelModuleControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_observe.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,58 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const kernelModuleObserveSummary = `allows querying of kernel modules`
+
+const kernelModuleObserveBaseDeclarationSlots = `
+  kernel-module-observe:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const kernelModuleObserveConnectedPlugAppArmor = `
+# Description: Allow querying of kernel modules.
+/{,usr/}bin/kmod ixr, # seccomp and no SYS_MODULE prevents loading/removing
+@{PROC}/modules r,
+
+# Required to use SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER when
+# /proc/sys/kernel/dmesg_restrict is '1' (syslog(2)). These operations are
+# required to verify kernel modules that are loaded.
+capability syslog,
+
+# Allow reading information about loaded kernel modules
+/sys/module/{,**} r,
+/etc/modprobe.d/{,**} r,
+/lib/modprobe.d/{,**} r,
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "kernel-module-observe",
+		summary:               kernelModuleObserveSummary,
+		implicitOnCore:        true,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  kernelModuleObserveBaseDeclarationSlots,
+		connectedPlugAppArmor: kernelModuleObserveConnectedPlugAppArmor,
+		reservedForOS:         true,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/kernel_module_observe_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/kernel_module_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,101 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+	. "gopkg.in/check.v1"
+)
+
+type KernelModuleObserveInterfaceSuite struct {
+	iface    interfaces.Interface
+	slotInfo *snap.SlotInfo
+	slot     *interfaces.ConnectedSlot
+	plugInfo *snap.PlugInfo
+	plug     *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&KernelModuleObserveInterfaceSuite{
+	iface: builtin.MustInterface("kernel-module-observe"),
+})
+
+const kernelmodobsConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [kernel-module-observe]
+`
+
+const kernelmodobsCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  kernel-module-observe:
+`
+
+func (s *KernelModuleObserveInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, kernelmodobsConsumerYaml, nil, "kernel-module-observe")
+	s.slot, s.slotInfo = MockConnectedSlot(c, kernelmodobsCoreYaml, nil, "kernel-module-observe")
+}
+
+func (s *KernelModuleObserveInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "kernel-module-observe")
+}
+
+func (s *KernelModuleObserveInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "kernel-module-observe",
+		Interface: "kernel-module-observe",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"kernel-module-observe slots are reserved for the core snap")
+}
+
+func (s *KernelModuleObserveInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *KernelModuleObserveInterfaceSuite) TestAppArmorSpec(c *C) {
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Description: Allow querying of kernel modules")
+}
+
+func (s *KernelModuleObserveInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, true)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows querying of kernel modules`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "kernel-module-observe")
+}
+
+func (s *KernelModuleObserveInterfaceSuite) TestAutoConnect(c *C) {
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
+}
+
+func (s *KernelModuleObserveInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/kubernetes_support.go snapd-2.37~rc1~14.04/interfaces/builtin/kubernetes_support.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/kubernetes_support.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/kubernetes_support.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -19,6 +19,18 @@
 
 package builtin
 
+import (
+	"fmt"
+	"strings"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/kmod"
+	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/snap"
+)
+
 const kubernetesSupportSummary = `allows operating as the Kubernetes service`
 
 const kubernetesSupportBaseDeclarationPlugs = `
@@ -35,65 +47,219 @@
     deny-auto-connection: true
 `
 
-const kubernetesSupportConnectedPlugAppArmor = `
-# Description: can use kubernetes to control Docker containers. This interface
-# is restricted because it gives wide ranging access to the host and other
-# processes.
-
-# what is this for?
-#include <abstractions/dbus-strict>
+const kubernetesSupportConnectedPlugAppArmorCommon = `
+# Common rules for running as a kubernetes node
 
-# Allow reading all information regarding cgroups for all processes
+# reading cgroups
 capability sys_resource,
-@{PROC}/@{pid}/cgroup r,
 /sys/fs/cgroup/{,**} r,
 
-# Allow adjusting the OOM score for Docker containers. Note, this allows
-# adjusting for all processes, not just containers.
+# Allow adjusting the OOM score for containers. Note, this allows adjusting for
+# all processes, not just containers.
 @{PROC}/@{pid}/oom_score_adj rw,
-/sys/kernel/mm/hugepages/ r,
+@{PROC}/sys/vm/overcommit_memory rw,
+/sys/kernel/mm/hugepages/{,**} r,
 
-@{PROC}/sys/kernel/panic rw,
-@{PROC}/sys/kernel/panic_on_oops rw,
+capability dac_override,
+
+/usr/bin/systemd-run Cxr -> systemd_run,
+profile systemd_run (attach_disconnected,mediate_deleted) {
+  # Common rules for kubernetes use of systemd_run
+  #include <abstractions/base>
+
+  /usr/bin/systemd-run r,
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/environ r,
+  @{PROC}/cmdline r,
+
+  # setsockopt()
+  capability net_admin,
+
+  /run/systemd/private rw,
+  /bin/true ixr,
+  ptrace trace peer=unconfined,
+###KUBERNETES_SUPPORT_SYSTEMD_RUN###
+}
+`
+
+const kubernetesSupportConnectedPlugAppArmorKubelet = `
+# Allow running as the kubelet service
+
+# Ideally this would be snap-specific
+/run/dockershim.sock rw,
+
+# allow managing pods' cgroups
+/sys/fs/cgroup/*/kubepods/{,**} rw,
+
+# Allow tracing our own processes. Note, this allows seccomp sandbox escape on
+# kernels < 4.8
+capability sys_ptrace,
+ptrace (trace) peer=snap.@{SNAP_NAME}.*,
+
+# Allow ptracing other processes (as part of ps-style process lookups). Note,
+# the peer needs a corresponding tracedby rule. As a special case, disallow
+# ptracing unconfined.
+ptrace (trace),
+deny ptrace (trace) peer=unconfined,
+
+@{PROC}/[0-9]*/attr/ r,
+@{PROC}/[0-9]*/fdinfo/ r,
+@{PROC}/[0-9]*/map_files/ r,
+@{PROC}/[0-9]*/ns/ r,
+
+# kubernetes will verify and set panic and panic_on_oops to values it considers
+# sane
+@{PROC}/sys/kernel/panic w,
+@{PROC}/sys/kernel/panic_on_oops w,
 @{PROC}/sys/kernel/keys/root_maxbytes r,
 @{PROC}/sys/kernel/keys/root_maxkeys r,
-@{PROC}/sys/vm/overcommit_memory rw,
-@{PROC}/sys/vm/panic_on_oom r,
 
-@{PROC}/diskstats r,
-@{PROC}/@{pid}/cmdline r,
+/dev/kmsg r,
+
+# kubelet calls out to systemd-run for some mounts, but not all of them and not
+# unmounts...
+capability sys_admin,
+mount /var/snap/@{SNAP_NAME}/common/{,**} -> /var/snap/@{SNAP_NAME}/common/{,**},
+mount options=(rw, rshared) -> /var/snap/@{SNAP_NAME}/common/{,**},
+
+/bin/umount ixr,
+deny /run/mount/utab rw,
+umount /var/snap/@{SNAP_INSTANCE_NAME}/common/**,
+`
+
+const kubernetesSupportConnectedPlugAppArmorKubeletSystemdRun = `
+  # kubelet mount rules
+  capability sys_admin,
+  /bin/mount ixr,
+  mount fstype="tmpfs" tmpfs -> /var/snap/@{SNAP_INSTANCE_NAME}/common/**,
+  deny /run/mount/utab rw,
+`
+
+const kubernetesSupportConnectedPlugSeccompKubelet = `
+# Allow running as the kubelet service
+mount
+umount
+umount2
+
+unshare
+setns - CLONE_NEWNET
+`
+
+var kubernetesSupportConnectedPlugUDevKubelet = []string{
+	`KERNEL=="kmsg"`,
+}
+
+const kubernetesSupportConnectedPlugAppArmorKubeproxy = `
+# Allow running as the kubeproxy service
+
+# managing our own cgroup
+/sys/fs/cgroup/*/kube-proxy/{,**} rw,
 
 # Allow reading the state of modules kubernetes needs
+/sys/module/libcrc32c/initstate r,
 /sys/module/llc/initstate r,
 /sys/module/stp/initstate r,
-
-# Allow listing kernel modules. Note, seccomp blocks module loading syscalls
-/sys/module/apparmor/parameters/enabled r,
-/bin/kmod ixr,
-/etc/modprobe.d/{,**} r,
-
-# Allow ptracing Docker containers
-ptrace (read, trace) peer=docker-default,
-ptrace (read, trace) peer=snap.docker.dockerd,
-
-# Should we have a 'privileged' mode for kubernetes like we do with
-# docker-support? Right now kubernetes needs this which allows it to control
-# all processes on the system and on <4.8 kernels, escape confinement.
-ptrace (read, trace) peer=unconfined,
+/sys/module/ip_vs/initstate r,
+/sys/module/ip_vs_rr/initstate r,
+/sys/module/ip_vs_sh/initstate r,
+/sys/module/ip_vs_wrr/initstate r,
 `
 
-var kubernetesSupportConnectedPlugKmod = []string{`llc`, `stp`}
+var kubernetesSupportConnectedPlugKmodKubeProxy = []string{
+	`ip_vs_rr`,
+	`ip_vs_sh`,
+	`ip_vs_wrr`,
+	`libcrc32c`,
+	`llc`,
+	`stp`,
+}
+
+type kubernetesSupportInterface struct {
+	commonInterface
+}
+
+func (iface *kubernetesSupportInterface) BeforePrepareSlot(slot *snap.SlotInfo) error {
+	iface.commonInterface.BeforePrepareSlot(slot)
+	return sanitizeSlotReservedForOS(iface, slot)
+}
+
+func k8sFlavor(plug *interfaces.ConnectedPlug) string {
+	var flavor string
+	_ = plug.Attr("flavor", &flavor)
+	return flavor
+}
+
+func (iface *kubernetesSupportInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	snippet := kubernetesSupportConnectedPlugAppArmorCommon
+	systemd_run_extra := ""
+
+	switch k8sFlavor(plug) {
+	case "kubelet":
+		systemd_run_extra = kubernetesSupportConnectedPlugAppArmorKubeletSystemdRun
+		snippet += kubernetesSupportConnectedPlugAppArmorKubelet
+		spec.UsesPtraceTrace()
+	case "kubeproxy":
+		snippet += kubernetesSupportConnectedPlugAppArmorKubeproxy
+	default:
+		systemd_run_extra = kubernetesSupportConnectedPlugAppArmorKubeletSystemdRun
+		snippet += kubernetesSupportConnectedPlugAppArmorKubelet
+		snippet += kubernetesSupportConnectedPlugAppArmorKubeproxy
+		spec.UsesPtraceTrace()
+	}
+
+	old := "###KUBERNETES_SUPPORT_SYSTEMD_RUN###"
+	spec.AddSnippet(strings.Replace(snippet, old, systemd_run_extra, -1))
+	return nil
+}
+
+func (iface *kubernetesSupportInterface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	flavor := k8sFlavor(plug)
+	if flavor == "kubelet" || flavor == "" {
+		snippet := kubernetesSupportConnectedPlugSeccompKubelet
+		spec.AddSnippet(snippet)
+	}
+	return nil
+}
+
+func (iface *kubernetesSupportInterface) UDevConnectedPlug(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	flavor := k8sFlavor(plug)
+	if flavor == "kubelet" || flavor == "" {
+		for _, rule := range kubernetesSupportConnectedPlugUDevKubelet {
+			spec.TagDevice(rule)
+		}
+	}
+	return nil
+}
+
+func (iface *kubernetesSupportInterface) KModConnectedPlug(spec *kmod.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	flavor := k8sFlavor(plug)
+	if flavor == "kubeproxy" || flavor == "" {
+		for _, m := range kubernetesSupportConnectedPlugKmodKubeProxy {
+			if err := spec.AddModule(m); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (iface *kubernetesSupportInterface) BeforePreparePlug(plug *snap.PlugInfo) error {
+	// It's fine if flavor isn't specified, but if it is, it needs to be
+	// either "kubelet" or "kubeproxy"
+	if t, ok := plug.Attrs["flavor"]; ok && t != "kubelet" && t != "kubeproxy" {
+		return fmt.Errorf(`kubernetes-support plug requires "flavor" to be either "kubelet" or "kubeproxy"`)
+	}
+
+	return nil
+}
 
 func init() {
-	registerIface(&commonInterface{
-		name:                     "kubernetes-support",
-		summary:                  kubernetesSupportSummary,
-		implicitOnCore:           true,
-		implicitOnClassic:        true,
-		baseDeclarationPlugs:     kubernetesSupportBaseDeclarationPlugs,
-		baseDeclarationSlots:     kubernetesSupportBaseDeclarationSlots,
-		connectedPlugAppArmor:    kubernetesSupportConnectedPlugAppArmor,
-		connectedPlugKModModules: kubernetesSupportConnectedPlugKmod,
-		reservedForOS:            true,
-	})
+	registerIface(&kubernetesSupportInterface{commonInterface{
+		name:                 "kubernetes-support",
+		summary:              kubernetesSupportSummary,
+		implicitOnClassic:    true,
+		implicitOnCore:       true,
+		baseDeclarationPlugs: kubernetesSupportBaseDeclarationPlugs,
+		baseDeclarationSlots: kubernetesSupportBaseDeclarationSlots,
+	}})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/kubernetes_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/kubernetes_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/kubernetes_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/kubernetes_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -26,25 +26,48 @@
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/builtin"
 	"github.com/snapcore/snapd/interfaces/kmod"
+	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/interfaces/udev"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
 )
 
 type KubernetesSupportInterfaceSuite struct {
-	iface    interfaces.Interface
-	slotInfo *snap.SlotInfo
-	slot     *interfaces.ConnectedSlot
-	plugInfo *snap.PlugInfo
-	plug     *interfaces.ConnectedPlug
-}
-
-const k8sMockPlugSnapInfoYaml = `name: other
-version: 1.0
+	iface             interfaces.Interface
+	slotInfo          *snap.SlotInfo
+	slot              *interfaces.ConnectedSlot
+	plugInfo          *snap.PlugInfo
+	plug              *interfaces.ConnectedPlug
+	plugKubeletInfo   *snap.PlugInfo
+	plugKubelet       *interfaces.ConnectedPlug
+	plugKubeproxyInfo *snap.PlugInfo
+	plugKubeproxy     *interfaces.ConnectedPlug
+	plugBadInfo       *snap.PlugInfo
+	plugBad           *interfaces.ConnectedPlug
+}
+
+const k8sMockPlugSnapInfoYaml = `name: kubernetes-support
+version: 0
+plugs:
+  k8s-default:
+    interface: kubernetes-support
+  k8s-kubelet:
+    interface: kubernetes-support
+    flavor: kubelet
+  k8s-kubeproxy:
+    interface: kubernetes-support
+    flavor: kubeproxy
+  k8s-bad:
+    interface: kubernetes-support
+    flavor: bad
 apps:
- app2:
-  command: foo
-  plugs: [kubernetes-support]
+ default:
+  plugs: [k8s-default]
+ kubelet:
+  plugs: [k8s-kubelet]
+ kubeproxy:
+  plugs: [k8s-kubeproxy]
 `
 
 var _ = Suite(&KubernetesSupportInterfaceSuite{
@@ -57,10 +80,20 @@
 		Name:      "kubernetes-support",
 		Interface: "kubernetes-support",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, k8sMockPlugSnapInfoYaml, nil)
-	s.plugInfo = plugSnap.Plugs["kubernetes-support"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+
+	s.plugInfo = plugSnap.Plugs["k8s-default"]
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+
+	s.plugKubeletInfo = plugSnap.Plugs["k8s-kubelet"]
+	s.plugKubelet = interfaces.NewConnectedPlug(s.plugKubeletInfo, nil, nil)
+
+	s.plugKubeproxyInfo = plugSnap.Plugs["k8s-kubeproxy"]
+	s.plugKubeproxy = interfaces.NewConnectedPlug(s.plugKubeproxyInfo, nil, nil)
+
+	s.plugBadInfo = plugSnap.Plugs["k8s-bad"]
+	s.plugBad = interfaces.NewConnectedPlug(s.plugBadInfo, nil, nil)
 }
 
 func (s *KubernetesSupportInterfaceSuite) TestName(c *C) {
@@ -80,22 +113,126 @@
 
 func (s *KubernetesSupportInterfaceSuite) TestSanitizePlug(c *C) {
 	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugKubeletInfo), IsNil)
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugKubeproxyInfo), IsNil)
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugBadInfo), ErrorMatches, `kubernetes-support plug requires "flavor" to be either "kubelet" or "kubeproxy"`)
 }
 
-func (s *KubernetesSupportInterfaceSuite) TestUsedSecuritySystems(c *C) {
-	kmodSpec := &kmod.Specification{}
-	err := kmodSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
-	c.Assert(err, IsNil)
-	c.Assert(kmodSpec.Modules(), DeepEquals, map[string]bool{
-		"llc": true,
-		"stp": true,
+func (s *KubernetesSupportInterfaceSuite) TestKModConnectedPlug(c *C) {
+	// default should have kubeproxy modules
+	spec := &kmod.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.Modules(), DeepEquals, map[string]bool{
+		"llc":       true,
+		"stp":       true,
+		"ip_vs_rr":  true,
+		"ip_vs_sh":  true,
+		"ip_vs_wrr": true,
+		"libcrc32c": true,
+	})
+
+	// kubeproxy should have its modules
+	spec = &kmod.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.Modules(), DeepEquals, map[string]bool{
+		"llc":       true,
+		"stp":       true,
+		"ip_vs_rr":  true,
+		"ip_vs_sh":  true,
+		"ip_vs_wrr": true,
+		"libcrc32c": true,
 	})
 
-	apparmorSpec := &apparmor.Specification{}
-	err = apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	// kubelet shouldn't have anything
+	spec = &kmod.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.Modules(), DeepEquals, map[string]bool{})
+}
+
+func (s *KubernetesSupportInterfaceSuite) TestAppArmorConnectedPlug(c *C) {
+	// default should have kubeproxy and kubelet rules
+	spec := &apparmor.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.default"})
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Common rules for running as a kubernetes node\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubelet service\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubeproxy service\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# kubelet mount rules\n")
+
+	// kubeproxy should have only its rules
+	spec = &apparmor.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubeproxy"})
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Common rules for running as a kubernetes node\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Allow running as the kubeproxy service\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# Allow running as the kubelet service\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# kubelet mount rules\n")
+
+	// kubelet should have only its rules
+	spec = &apparmor.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubelet"})
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Common rules for running as a kubernetes node\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow running as the kubelet service\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), Not(testutil.Contains), "# Allow running as the kubeproxy service\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# kubelet mount rules\n")
+}
+
+func (s *KubernetesSupportInterfaceSuite) TestSecCompConnectedPlug(c *C) {
+	// default should have kubelet rules
+	spec := &seccomp.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.default"})
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubelet service\n")
+
+	// kubeproxy should not have any rules
+	spec = &seccomp.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	// kubelet should have only its rules
+	spec = &seccomp.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubelet"})
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow running as the kubelet service\n")
+}
+
+func (s *KubernetesSupportInterfaceSuite) TestUDevConnectedPlug(c *C) {
+	// default should have kubelet rules
+	spec := &udev.Specification{}
+	err := spec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.Snippets(), HasLen, 2)
+	c.Assert(spec.Snippets(), testutil.Contains, `# kubernetes-support
+KERNEL=="kmsg", TAG+="snap_kubernetes-support_default"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_kubernetes-support_default", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_kubernetes-support_default $devpath $major:$minor"`)
+
+	// kubeproxy should not have any rules
+	spec = &udev.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(spec.Snippets(), HasLen, 0)
+
+	// kubelet should have only its rules
+	spec = &udev.Specification{}
+	err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot)
 	c.Assert(err, IsNil)
-	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"})
-	c.Check(apparmorSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "# Allow reading the state of modules kubernetes needs\n")
+	c.Assert(spec.Snippets(), HasLen, 2)
+	c.Assert(spec.Snippets(), testutil.Contains, `# kubernetes-support
+KERNEL=="kmsg", TAG+="snap_kubernetes-support_kubelet"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_kubernetes-support_kubelet", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_kubernetes-support_kubelet $devpath $major:$minor"`)
 }
 
 func (s *KubernetesSupportInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/kvm_test.go snapd-2.37~rc1~14.04/interfaces/builtin/kvm_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/kvm_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/kvm_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -110,8 +110,7 @@
 }
 
 func (s *kvmInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *kvmInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/locale_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/locale_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/locale_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/locale_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -52,13 +52,13 @@
 `
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["locale-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	s.slotInfo = &snap.SlotInfo{
 		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
 		Name:      "locale-control",
 		Interface: "locale-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *LocaleControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/location_control.go snapd-2.37~rc1~14.04/interfaces/builtin/location_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/location_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/location_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -246,7 +246,7 @@
 	return nil
 }
 
-func (iface *locationControlInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *locationControlInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/location_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/location_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/location_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/location_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -65,10 +65,10 @@
 `
 	snapInfo := snaptest.MockInfo(c, plugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["location-client"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	snapInfo = snaptest.MockInfo(c, slotSnapInfoYaml, nil)
 	s.slotInfo = snapInfo.Slots["location"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *LocationControlInterfaceSuite) TestName(c *C) {
@@ -87,7 +87,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -109,7 +109,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -129,7 +129,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -150,7 +150,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -172,7 +172,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -192,7 +192,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/location_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/location_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/location_observe.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/location_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -300,7 +300,7 @@
 	return nil
 }
 
-func (iface *locationObserveInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *locationObserveInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/location_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/location_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/location_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/location_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -59,10 +59,10 @@
 `
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["location-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	snapInfo = snaptest.MockInfo(c, mockSlotSnapInfoYaml, nil)
 	s.slotInfo = snapInfo.Slots["location-observe"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *LocationObserveInterfaceSuite) TestName(c *C) {
@@ -81,7 +81,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -103,7 +103,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -123,7 +123,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -144,7 +144,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -166,7 +166,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -186,7 +186,7 @@
 		Name:      "location",
 		Interface: "location",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/log_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/log_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/log_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/log_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "log-observe",
 		Interface: "log-observe",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["log-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *LogObserveInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/maliit.go snapd-2.37~rc1~14.04/interfaces/builtin/maliit.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/maliit.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/maliit.go	2019-01-16 08:36:51.000000000 +0000
@@ -163,7 +163,7 @@
 	return nil
 }
 
-func (iface *maliitInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *maliitInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/maliit_test.go snapd-2.37~rc1~14.04/interfaces/builtin/maliit_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/maliit_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/maliit_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -61,10 +61,10 @@
 `
 	slotSnap := snaptest.MockInfo(c, mockCoreSlotSnapInfoYaml, nil)
 	s.slotInfo = slotSnap.Slots["maliit"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["maliit"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *MaliitInterfaceSuite) TestName(c *C) {
@@ -83,7 +83,7 @@
 		Name:      "maliit",
 		Interface: "maliit",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -105,7 +105,7 @@
 		Name:      "maliit",
 		Interface: "maliit",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -132,7 +132,7 @@
 		Name:      "maliit",
 		Interface: "maliit",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -153,7 +153,7 @@
 		Name:      "maliit",
 		Interface: "maliit",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -175,7 +175,7 @@
 		Name:      "maliit",
 		Interface: "maliit",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	c.Assert(s.slot, NotNil)
@@ -196,7 +196,7 @@
 		Name:      "maliit",
 		Interface: "maliit",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/media_hub.go snapd-2.37~rc1~14.04/interfaces/builtin/media_hub.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/media_hub.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/media_hub.go	2019-01-16 08:36:51.000000000 +0000
@@ -194,7 +194,7 @@
 	return nil
 }
 
-func (iface *mediaHubInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *mediaHubInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/media_hub_test.go snapd-2.37~rc1~14.04/interfaces/builtin/media_hub_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/media_hub_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/media_hub_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -64,10 +64,10 @@
 `
 	snapInfo := snaptest.MockInfo(c, mockSlotSnapInfoYaml, nil)
 	s.slotInfo = snapInfo.Slots["media-hub"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo = snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["media-hub"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *MediaHubInterfaceSuite) TestName(c *C) {
@@ -87,7 +87,8 @@
 		Name:      "media-hub",
 		Interface: "media-hub",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -113,7 +114,8 @@
 		Name:      "media-hub",
 		Interface: "media-hub",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -135,7 +137,8 @@
 		Name:      "media-hub",
 		Interface: "media-hub",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/mir.go snapd-2.37~rc1~14.04/interfaces/builtin/mir.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/mir.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/mir.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (c) 2016-2017 Canonical Ltd
+ * Copyright (c) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -139,6 +139,7 @@
 }
 
 func (iface *mirInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
+	spec.TriggerSubsystem("input")
 	spec.TagDevice(`KERNEL=="tty[0-9]*"`)
 	spec.TagDevice(`KERNEL=="mice"`)
 	spec.TagDevice(`KERNEL=="mouse[0-9]*"`)
@@ -147,7 +148,7 @@
 	return nil
 }
 
-func (iface *mirInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *mirInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	return true
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/mir_test.go snapd-2.37~rc1~14.04/interfaces/builtin/mir_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/mir_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/mir_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -75,15 +75,15 @@
 	// mir snap with mir-server slot on an core/all-snap install.
 	snapInfo := snaptest.MockInfo(c, mirMockSlotSnapInfoYaml, nil)
 	s.coreSlotInfo = snapInfo.Slots["mir"]
-	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil)
+	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil, nil)
 	// mir slot on a core snap in a classic install.
 	snapInfo = snaptest.MockInfo(c, mirMockClassicSlotSnapInfoYaml, nil)
 	s.classicSlotInfo = snapInfo.Slots["mir"]
-	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil)
+	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil, nil)
 	// snap with the mir plug
 	snapInfo = snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["mir"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *MirInterfaceSuite) TestName(c *C) {
@@ -159,6 +159,7 @@
 	c.Assert(udevSpec.Snippets(), testutil.Contains, `# mir
 KERNEL=="ts[0-9]*", TAG+="snap_mir-server_mir"`)
 	c.Assert(udevSpec.Snippets(), testutil.Contains, `TAG=="snap_mir-server_mir", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_mir-server_mir $devpath $major:$minor"`)
+	c.Assert(udevSpec.TriggeredSubsystems(), DeepEquals, []string{"input"})
 }
 
 func (s *MirInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/modem_manager.go snapd-2.37~rc1~14.04/interfaces/builtin/modem_manager.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/modem_manager.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/modem_manager.go	2019-01-16 08:36:51.000000000 +0000
@@ -67,7 +67,7 @@
 
 # For {mbim,qmi}-proxy
 unix (bind, listen) type=stream addr="@{mbim,qmi}-proxy",
-/sys/devices/**/usb**/descriptors r,
+/sys/devices/**/usb**/{descriptors,manufacturer,product} r,
 # See https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-class-net-qmi
 /sys/devices/**/net/*/qmi/* rw,
 
@@ -127,12 +127,12 @@
     interface=org.freedesktop.login1.Manager
     member={PrepareForSleep,SessionNew,SessionRemoved}
     peer=(label=unconfined),
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/login1
     interface=org.freedesktop.login1.Manager
-    member=Inhibit
-    peer=(label=unconfined),
+    member=Inhibit,
 `
 
 const modemManagerConnectedSlotAppArmor = `
@@ -184,6 +184,18 @@
     path=/org/freedesktop/ModemManager1{,/**}
     interface=org.freedesktop.DBus.*
     peer=(label=unconfined),
+
+# do not use peer=(label=unconfined) here since this is DBus activated
+dbus (send)
+    bus=system
+    path=/org/freedesktop/ModemManager1{,/**}
+    interface=org.freedesktop.DBus.Introspectable
+    member=Introspect,
+dbus (send)
+    bus=system
+    path=/org/freedesktop/ModemManager1{,/**}
+    interface=org.freedesktop.DBus.Properties
+    member="Get{,All}",
 `
 
 const modemManagerPermanentSlotSecComp = `
@@ -1249,7 +1261,7 @@
 
 func (iface *modemManagerInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
 	spec.AddSnippet(modemManagerPermanentSlotUDev)
-	spec.TagDevice(`KERNEL=="tty[A-Z]*[0-9]*|cdc-wdm[0-9]*"`)
+	spec.TagDevice(`KERNEL=="tty[a-zA-Z]*[0-9]*|cdc-wdm[0-9]*"`)
 	return nil
 }
 
@@ -1266,7 +1278,7 @@
 	return nil
 }
 
-func (iface *modemManagerInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *modemManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/modem_manager_test.go snapd-2.37~rc1~14.04/interfaces/builtin/modem_manager_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/modem_manager_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/modem_manager_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -72,10 +72,10 @@
 		Name:      "mmcli",
 		Interface: "modem-manager",
 	}
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	slotSnap := snaptest.MockInfo(c, modemmgrMockSlotSnapInfoYaml, nil)
 	s.slotInfo = slotSnap.Slots["modem-manager"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *ModemManagerInterfaceSuite) TestName(c *C) {
@@ -94,11 +94,12 @@
 		Name:      "modem-manager",
 		Interface: "modem-manager",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	plugSnap := snaptest.MockInfo(c, modemmgrMockPlugSnapInfoYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil)
+	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, slot)
@@ -120,11 +121,12 @@
 		Name:      "modem-manager",
 		Interface: "modem-manager",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	plugSnap := snaptest.MockInfo(c, modemmgrMockPlugSnapInfoYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil)
+	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, slot)
@@ -144,11 +146,12 @@
 		Name:      "modem-manager",
 		Interface: "modem-manager",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	plugSnap := snaptest.MockInfo(c, modemmgrMockPlugSnapInfoYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil)
+	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, slot)
@@ -160,7 +163,7 @@
 func (s *ModemManagerInterfaceSuite) TestConnectedPlugSnippetUsesUnconfinedLabelNot(c *C) {
 	release.OnClassic = false
 	plugSnap := snaptest.MockInfo(c, modemmgrMockPlugSnapInfoYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil)
+	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot)
@@ -175,7 +178,7 @@
 	release.OnClassic = true
 
 	plugSnap := snaptest.MockInfo(c, modemmgrMockPlugSnapInfoYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil)
+	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil, nil)
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot)
 	c.Assert(err, IsNil)
@@ -185,7 +188,7 @@
 
 func (s *ModemManagerInterfaceSuite) TestUsedSecuritySystems(c *C) {
 	plugSnap := snaptest.MockInfo(c, modemmgrMockPlugSnapInfoYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil)
+	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil, nil)
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, plug, s.slot)
 	c.Assert(err, IsNil)
@@ -206,7 +209,7 @@
 	c.Assert(udevSpec.Snippets(), HasLen, 3)
 	c.Assert(udevSpec.Snippets()[0], testutil.Contains, `SUBSYSTEMS=="usb"`)
 	c.Assert(udevSpec.Snippets(), testutil.Contains, `# modem-manager
-KERNEL=="tty[A-Z]*[0-9]*|cdc-wdm[0-9]*", TAG+="snap_modem-manager_mm"`)
+KERNEL=="tty[a-zA-Z]*[0-9]*|cdc-wdm[0-9]*", TAG+="snap_modem-manager_mm"`)
 	c.Assert(udevSpec.Snippets(), testutil.Contains, `TAG=="snap_modem-manager_mm", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_modem-manager_mm $devpath $major:$minor"`)
 }
 
@@ -230,7 +233,7 @@
 
 func (s *ModemManagerInterfaceSuite) TestConnectedPlugDBus(c *C) {
 	plugSnap := snaptest.MockInfo(c, modemmgrMockPlugSnapInfoYaml, nil)
-	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil)
+	plug := interfaces.NewConnectedPlug(plugSnap.Plugs["modem-manager"], nil, nil)
 
 	dbusSpec := &dbus.Specification{}
 	err := dbusSpec.AddConnectedPlug(s.iface, plug, s.slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/mount_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/mount_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/mount_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/mount_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "mount-observe",
 		Interface: "mount-observe",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["mount-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *MountObserveInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/mpris.go snapd-2.37~rc1~14.04/interfaces/builtin/mpris.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/mpris.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/mpris.go	2019-01-16 08:36:51.000000000 +0000
@@ -196,9 +196,14 @@
 	return nil
 }
 
+var isValidDBusElement = regexp.MustCompile("^[a-zA-Z0-9_-]*$").MatchString
+
 func (iface *mprisInterface) getName(attribs map[string]interface{}) (string, error) {
-	// default to snap name if 'name' attribute not set
-	mprisName := "@{SNAP_NAME}"
+	// default to snap instance name if 'name' attribute not set
+	// parallel-installs: snaps utilizing the mpris interface must adjust
+	// themselves accordingly for parallel installs and use
+	// SNAP_INSTANCE_NAME as part of their well-known name.
+	mprisName := "@{SNAP_INSTANCE_NAME}"
 	for attr := range attribs {
 		if attr != "name" {
 			return "", fmt.Errorf("unknown attribute '%s'", attr)
@@ -212,8 +217,7 @@
 			return "", fmt.Errorf("name element %v is not a string", raw)
 		}
 
-		validDBusElement := regexp.MustCompile("^[a-zA-Z0-9_-]*$")
-		if !validDBusElement.MatchString(name) {
+		if !isValidDBusElement(name) {
 			return "", fmt.Errorf("invalid name element: %q", name)
 		}
 		mprisName = name
@@ -226,7 +230,7 @@
 	return err
 }
 
-func (iface *mprisInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *mprisInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/mpris_test.go snapd-2.37~rc1~14.04/interfaces/builtin/mpris_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/mpris_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/mpris_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -61,10 +61,10 @@
 
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["mpris"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	snapInfo = snaptest.MockInfo(c, mockSlotSnapInfoYaml, nil)
 	s.slotInfo = snapInfo.Slots["mpris"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *MprisInterfaceSuite) TestName(c *C) {
@@ -97,7 +97,7 @@
 	slot := info.Slots["mpris-slot"]
 	name, err := builtin.MprisGetName(s.iface, slot.Attrs)
 	c.Assert(err, IsNil)
-	c.Assert(name, Equals, "@{SNAP_NAME}")
+	c.Assert(name, Equals, "@{SNAP_INSTANCE_NAME}")
 }
 func (s *MprisInterfaceSuite) TestGetNameBadDot(c *C) {
 	const mockSnapYaml = `name: mpris-client
@@ -160,7 +160,7 @@
 		Name:      "mpris",
 		Interface: "mpris",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -182,7 +182,7 @@
 		Name:      "mpris",
 		Interface: "mpris",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -202,7 +202,7 @@
 		Name:      "mpris",
 		Interface: "mpris",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -223,7 +223,7 @@
 		Name:      "mpris",
 		Interface: "mpris",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -245,7 +245,7 @@
 		Name:      "mpris",
 		Interface: "mpris",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -265,7 +265,7 @@
 		Name:      "mpris",
 		Interface: "mpris",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.slot)
@@ -281,7 +281,7 @@
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.mpris.app"})
 
 	// verify bind rule
-	c.Assert(apparmorSpec.SnippetForTag("snap.mpris.app"), testutil.Contains, "dbus (bind)\n    bus=session\n    name=\"org.mpris.MediaPlayer2.@{SNAP_NAME}{,.*}\",\n")
+	c.Assert(apparmorSpec.SnippetForTag("snap.mpris.app"), testutil.Contains, "dbus (bind)\n    bus=session\n    name=\"org.mpris.MediaPlayer2.@{SNAP_INSTANCE_NAME}{,.*}\",\n")
 }
 
 func (s *MprisInterfaceSuite) TestPermanentSlotAppArmorWithName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/netlink_audit_test.go snapd-2.37~rc1~14.04/interfaces/builtin/netlink_audit_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/netlink_audit_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/netlink_audit_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "netlink-audit",
 		Interface: "netlink-audit",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, netlinkAuditMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["netlink-audit"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *NetlinkAuditInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/netlink_connector_test.go snapd-2.37~rc1~14.04/interfaces/builtin/netlink_connector_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/netlink_connector_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/netlink_connector_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,10 +56,10 @@
 		Name:      "netlink-connector",
 		Interface: "netlink-connector",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, netlinkConnectorMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["netlink-connector"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *NetlinkConnectorInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_bind_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_bind_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_bind_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_bind_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "network-bind",
 		Interface: "network-bind",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, netbindMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["network-bind"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 func (s *NetworkBindInterfaceSuite) TestName(c *C) {
 	c.Assert(s.iface.Name(), Equals, "network-bind")
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_control.go snapd-2.37~rc1~14.04/interfaces/builtin/network_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -101,10 +101,15 @@
 /{,usr/}{,s}bin/arpd ixr,
 /{,usr/}{,s}bin/bridge ixr,
 /{,usr/}{,s}bin/dhclient Pxr,             # use ixr instead if want to limit to snap dirs
+/{,usr/}{,s}bin/dhclient-script ixr,
 /{,usr/}{,s}bin/ifconfig ixr,
+/{,usr/}{,s}bin/ifdown ixr,
+/{,usr/}{,s}bin/ifquery ixr,
+/{,usr/}{,s}bin/ifup ixr,
 /{,usr/}{,s}bin/ip ixr,
 /{,usr/}{,s}bin/ipmaddr ixr,
 /{,usr/}{,s}bin/iptunnel ixr,
+/{,usr/}{,s}bin/iw ixr,
 /{,usr/}{,s}bin/nameif ixr,
 /{,usr/}{,s}bin/netstat ixr,              # -p not supported
 /{,usr/}{,s}bin/nstat ixr,
@@ -119,6 +124,7 @@
 /{,usr/}{,s}bin/routel ixr,
 /{,usr/}{,s}bin/rtacct ixr,
 /{,usr/}{,s}bin/rtmon ixr,
+/{,usr/}{,s}bin/ss ixr,
 /{,usr/}{,s}bin/sysctl ixr,
 /{,usr/}{,s}bin/tc ixr,
 /{,usr/}{,s}bin/wpa_action ixr,
@@ -149,6 +155,9 @@
 @{PROC}/@{pid}/loginuid r,
 @{PROC}/@{pid}/mounts r,
 
+# static host tables
+/etc/hosts w,
+
 # resolvconf
 /sbin/resolvconf ixr,
 /run/resolvconf/{,**} r,
@@ -159,6 +168,21 @@
 /bin/run-parts ixr,
 /etc/resolvconf/update.d/* ix,
 
+# wpa_suplicant
+/{,var/}run/wpa_supplicant/ w,
+/{,var/}run/wpa_supplicant/** rw,
+/etc/wpa_supplicant/{,**} ixr,
+
+#ifup,ifdown, dhclient
+/{,var/}run/dhclient.*.pid rw,
+/var/lib/dhcp/ r,
+/var/lib/dhcp/** rw,
+
+/run/network/ifstate* rw,
+/run/network/.ifstate* rw,
+/run/network/ifup-* rw,
+/run/network/ifdown-* rw,
+
 # route
 /etc/networks r,
 /etc/ethers r,
@@ -193,14 +217,9 @@
 mount options=(rw, bind) / -> /run/netns/*,
 umount /,
 
-# 'ip netns identify <pid>' and 'ip netns pids foo'
+# 'ip netns identify <pid>' and 'ip netns pids foo'. Intenionally omit 'ptrace
+# (trace)' here since ip netns doesn't actually need to trace other processes.
 capability sys_ptrace,
-# FIXME: ptrace can be used to break out of the seccomp sandbox unless the
-# kernel has 93e35efb8de45393cf61ed07f7b407629bf698ea (in 4.8+). Until this is
-# the default in snappy kernels, deny but audit as a reminder to get the
-# kernels patched.
-audit deny ptrace (trace) peer=snap.@{SNAP_NAME}.*, # eventually by default
-audit deny ptrace (trace), # for all other peers (process-control or other)
 
 # 'ip netns exec foo /bin/sh'
 mount options=(rw, rslave) /,
@@ -271,6 +290,7 @@
 		connectedPlugSecComp:  networkControlConnectedPlugSecComp,
 		connectedPlugUDev:     networkControlConnectedPlugUDev,
 		reservedForOS:         true,
+		suppressPtraceTrace:   true,
 	})
 
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -113,8 +113,7 @@
 }
 
 func (s *NetworkControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 func (s *NetworkControlInterfaceSuite) TestInterfaces(c *C) {
 	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_manager.go snapd-2.37~rc1~14.04/interfaces/builtin/network_manager.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_manager.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_manager.go	2019-01-16 08:36:51.000000000 +0000
@@ -79,6 +79,7 @@
 /sys/devices/**/**/net/**/dev_id r,
 /sys/devices/virtual/net/**/phys_port_id r,
 /sys/devices/virtual/net/**/dev_id r,
+/sys/devices/**/net/**/ifindex r,
 
 /dev/rfkill rw,
 
@@ -110,6 +111,8 @@
 /run/resolvconf/** w,
 /etc/resolvconf/{,**} r,
 /lib/resolvconf/* ix,
+# NM peeks into ifupdown configuration
+/run/network/ifstate* r,
 # Required by resolvconf
 /bin/run-parts ixr,
 /etc/resolvconf/update.d/* ix,
@@ -144,6 +147,13 @@
      peer=(name="org.freedesktop.resolve1"),
 
 dbus (send)
+     bus=system
+     path="/org/freedesktop/resolve1"
+     interface="org.freedesktop.resolve1.Manager"
+     member="SetLink{DNS,Domains}"
+     peer=(label=unconfined),
+
+dbus (send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
@@ -190,6 +200,13 @@
     path=/org/freedesktop/hostname1
     interface=org.freedesktop.DBus.Properties
     peer=(label=unconfined),
+# do not use peer=(label=unconfined) here since this is DBus activated
+dbus (send)
+    bus=system
+    path=/org/freedesktop/hostname1
+    interface=org.freedesktop.DBus.Properties
+    member="Get{,All}",
+
 dbus(receive, send)
     bus=system
     path=/org/freedesktop/hostname1
@@ -198,12 +215,12 @@
     peer=(label=unconfined),
 
 # Sleep monitor inside NetworkManager needs this
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/login1
     member=Inhibit
-    interface=org.freedesktop.login1.Manager
-    peer=(label=unconfined),
+    interface=org.freedesktop.login1.Manager,
 dbus (receive)
     bus=system
     path=/org/freedesktop/login1
@@ -476,7 +493,7 @@
 	return nil
 }
 
-func (iface *networkManagerInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *networkManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_manager_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_manager_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_manager_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_manager_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -68,11 +68,11 @@
 func (s *NetworkManagerInterfaceSuite) SetUpTest(c *C) {
 	plugSnap := snaptest.MockInfo(c, netmgrMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["network-manager"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 
 	slotSnap := snaptest.MockInfo(c, netmgrMockSlotSnapInfoYaml, nil)
 	s.slotInfo = slotSnap.Slots["network-manager"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *NetworkManagerInterfaceSuite) TestName(c *C) {
@@ -91,7 +91,8 @@
 		Name:      "network-manager",
 		Interface: "network-manager",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	// connected plugs have a non-nil security snippet for apparmor
@@ -115,7 +116,8 @@
 		Name:      "network-manager",
 		Interface: "network-manager",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -136,7 +138,8 @@
 		Name:      "network-manager",
 		Interface: "network-manager",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
@@ -146,7 +149,7 @@
 }
 
 func (s *NetworkManagerInterfaceSuite) TestConnectedPlugSnippedUsesUnconfinedLabelOnClassic(c *C) {
-	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{}, nil)
+	slot := interfaces.NewConnectedSlot(&snap.SlotInfo{}, nil, nil)
 	release.OnClassic = true
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, slot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/network_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_observe.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -64,6 +64,9 @@
 
 #include <abstractions/ssl_certs>
 
+# see loaded kernel modules
+@{PROC}/modules r,
+
 @{PROC}/@{pid}/net/ r,
 @{PROC}/@{pid}/net/** r,
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "network-observe",
 		Interface: "network-observe",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, netobsMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["network-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *NetworkObserveInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_setup_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_setup_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_setup_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_setup_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,9 +56,9 @@
 		Name:      "network-setup-control",
 		Interface: "network-setup-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	s.plugInfo = consumingSnapInfo.Plugs["network-setup-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *NetworkSetupControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_setup_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_setup_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_setup_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_setup_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,11 +55,11 @@
 		Name:      "network-setup-observe",
 		Interface: "network-setup-observe",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["network-setup-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *NetworkSetupObserveInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_status.go snapd-2.37~rc1~14.04/interfaces/builtin/network_status.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_status.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_status.go	2019-01-16 08:36:51.000000000 +0000
@@ -144,7 +144,7 @@
 	return nil
 }
 
-func (iface *networkStatusInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *networkStatusInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_status_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_status_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_status_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_status_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -53,7 +53,7 @@
 `
 	providerInfo := snaptest.MockInfo(c, providerYaml, nil)
 	s.slotInfo = providerInfo.Slots["network-status"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	const consumerYaml = `name: consumer
 version: 1.0
@@ -64,7 +64,7 @@
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, nil)
 	s.plugInfo = consumerInfo.Plugs["network-status"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *NetworkStatusSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/network_test.go snapd-2.37~rc1~14.04/interfaces/builtin/network_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/network_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/network_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "network",
 		Interface: "network",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, netMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["network"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *NetworkInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ofono.go snapd-2.37~rc1~14.04/interfaces/builtin/ofono.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ofono.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ofono.go	2019-01-16 08:36:51.000000000 +0000
@@ -334,7 +334,7 @@
 	     Similar case for chnlat*.
 	   So we intetionally skipped modem, rild and chnlat.
 	*/
-	spec.TagDevice(`KERNEL=="tty[A-Z]*[0-9]*|cdc-wdm[0-9]*"`)
+	spec.TagDevice(`KERNEL=="tty[a-zA-Z]*[0-9]*|cdc-wdm[0-9]*"`)
 	spec.TagDevice(`KERNEL=="tun"`)
 	spec.TagDevice(`KERNEL=="dsp"`)
 	return nil
@@ -352,7 +352,7 @@
 	return nil
 }
 
-func (iface *ofonoInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *ofonoInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ofono_test.go snapd-2.37~rc1~14.04/interfaces/builtin/ofono_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ofono_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ofono_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -65,10 +65,10 @@
 `
 	snapInfo := snaptest.MockInfo(c, mockSlotSnapInfoYaml, nil)
 	s.slotInfo = snapInfo.Slots["ofono"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo = snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["ofono"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *OfonoInterfaceSuite) TestName(c *C) {
@@ -87,7 +87,8 @@
 		Name:      "ofono",
 		Interface: "ofono",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -110,7 +111,8 @@
 		Name:      "ofono",
 		Interface: "ofono",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -131,7 +133,8 @@
 		Name:      "ofono",
 		Interface: "ofono",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -201,7 +204,7 @@
 	c.Assert(spec.Snippets(), HasLen, 5)
 	c.Assert(spec.Snippets()[0], testutil.Contains, `LABEL="ofono_isi_end"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `# ofono
-KERNEL=="tty[A-Z]*[0-9]*|cdc-wdm[0-9]*", TAG+="snap_ofono_app"`)
+KERNEL=="tty[a-zA-Z]*[0-9]*|cdc-wdm[0-9]*", TAG+="snap_ofono_app"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `# ofono
 KERNEL=="tun", TAG+="snap_ofono_app"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `# ofono
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/online_accounts_service.go snapd-2.37~rc1~14.04/interfaces/builtin/online_accounts_service.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/online_accounts_service.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/online_accounts_service.go	2019-01-16 08:36:51.000000000 +0000
@@ -134,7 +134,7 @@
 	return nil
 }
 
-func (iface *onlineAccountsServiceInterface) AutoConnect(plug *interfaces.Plug, slot *interfaces.Slot) bool {
+func (iface *onlineAccountsServiceInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
 	return true
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/online_accounts_service_test.go snapd-2.37~rc1~14.04/interfaces/builtin/online_accounts_service_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/online_accounts_service_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/online_accounts_service_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,7 +56,7 @@
 `
 	providerInfo := snaptest.MockInfo(c, providerYaml, nil)
 	s.slotInfo = providerInfo.Slots["online-accounts-service"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	var consumerYaml = `name: consumer
 version: 1.0
@@ -67,7 +67,7 @@
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, nil)
 	s.plugInfo = consumerInfo.Plugs["online-accounts-service"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *OnlineAccountsServiceInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/opengl.go snapd-2.37~rc1~14.04/interfaces/builtin/opengl.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/opengl.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/opengl.go	2019-01-16 08:36:51.000000000 +0000
@@ -40,19 +40,26 @@
 /var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvidia*.so{,.*} rm,
 /var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}tls/libnvidia*.so{,.*} rm,
 /var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnvcuvid.so{,.*} rm,
-/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}lib{GL,EGL}*nvidia.so{,.*} rm,
+/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}lib{GL,GLESv1_CM,GLESv2,EGL}*nvidia.so{,.*} rm,
 /var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libGLdispatch.so{,.*} rm,
+/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}vdpau/libvdpau_nvidia.so{,.*} rm,
 
 # Support reading the Vulkan ICD files
 /var/lib/snapd/lib/vulkan/ r,
 /var/lib/snapd/lib/vulkan/** r,
 /var/lib/snapd/hostfs/usr/share/vulkan/icd.d/*nvidia*.json r,
 
+# Support reading the GLVND EGL vendor files
+/var/lib/snapd/lib/glvnd/ r,
+/var/lib/snapd/lib/glvnd/** r,
+/var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/*nvidia*.json r,
+
 # Main bi-arch GL libraries
-/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}{,nvidia*/}lib{GL,EGL,GLX}.so{,.*} rm,
+/var/lib/snapd/hostfs/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}{,nvidia*/}lib{GL,GLU,GLESv1_CM,GLESv2,EGL,GLX}.so{,.*} rm,
 
 /dev/dri/ r,
 /dev/dri/card0 rw,
+
 # nvidia
 /etc/vdpau_wrapper.cfg r,
 @{PROC}/driver/nvidia/params r,
@@ -63,6 +70,20 @@
 # eglfs
 /dev/vchiq rw,
 
+# va-api
+/dev/dri/renderD[0-9]* rw,
+
+# cuda
+@{PROC}/sys/vm/mmap_min_addr r,
+@{PROC}/devices r,
+/sys/devices/system/memory/block_size_bytes r,
+unix (bind,listen) type=seqpacket addr="@cuda-uvmfd-[0-9a-f]*",
+/{dev,run}/shm/cuda.* rw,
+
+# OpenCL ICD files
+/etc/OpenCL/vendors/ r,
+/etc/OpenCL/vendors/** r,
+
 # Parallels guest tools 3D acceleration (video toolgate)
 @{PROC}/driver/prl_vtg rw,
 
@@ -94,6 +115,7 @@
 var openglConnectedPlugUDev = []string{
 	`SUBSYSTEM=="drm", KERNEL=="card[0-9]*"`,
 	`KERNEL=="vchiq"`,
+	`KERNEL=="renderD[0-9]*"`,
 }
 
 func init() {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/opengl_test.go snapd-2.37~rc1~14.04/interfaces/builtin/opengl_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/opengl_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/opengl_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -86,14 +86,17 @@
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/dev/nvidia* rw,`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/dev/dri/renderD[0-9]* rw,`)
 }
 
 func (s *OpenglInterfaceSuite) TestUDevSpec(c *C) {
 	spec := &udev.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
-	c.Assert(spec.Snippets(), HasLen, 3)
+	c.Assert(spec.Snippets(), HasLen, 4)
 	c.Assert(spec.Snippets(), testutil.Contains, `# opengl
 SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# opengl
+KERNEL=="renderD[0-9]*", TAG+="snap_consumer_app"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_consumer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_consumer_app $devpath $major:$minor"`)
 }
 
@@ -106,8 +109,7 @@
 }
 
 func (s *OpenglInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *OpenglInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/openvswitch_support_test.go snapd-2.37~rc1~14.04/interfaces/builtin/openvswitch_support_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/openvswitch_support_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/openvswitch_support_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,10 +56,10 @@
 		Name:      "openvswitch-support",
 		Interface: "openvswitch-support",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["openvswitch-support"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *OpenvSwitchSupportInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/openvswitch_test.go snapd-2.37~rc1~14.04/interfaces/builtin/openvswitch_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/openvswitch_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/openvswitch_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "openvswitch",
 		Interface: "openvswitch",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["openvswitch"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *OpenvSwitchInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/optical_drive.go snapd-2.37~rc1~14.04/interfaces/builtin/optical_drive.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/optical_drive.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/optical_drive.go	2019-01-16 08:36:51.000000000 +0000
@@ -19,13 +19,27 @@
 
 package builtin
 
-const opticalDriveSummary = `allows read access to optical drives`
+import (
+	"fmt"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/snap"
+)
+
+const opticalDriveSummary = `allows access to optical drives`
 
 const opticalDriveBaseDeclarationSlots = `
   optical-drive:
     allow-installation:
       slot-snap-type:
         - core
+    deny-connection:
+      plug-attributes:
+        write: true
+    deny-auto-connection:
+      plug-attributes:
+        write: true
 `
 
 const opticalDriveConnectedPlugAppArmor = `
@@ -41,14 +55,50 @@
 	`KERNEL=="scd[0-9]*"`,
 }
 
+// opticalDriveInterface is the type for optical drive interfaces.
+type opticalDriveInterface struct {
+	commonInterface
+}
+
+// BeforePrepareSlot checks and possibly modifies a slot.
+// Valid "optical-drive" slots may contain the attribute "write".
+// If defined, the attribute "write" must be either "true" or "false".
+func (iface *opticalDriveInterface) BeforePreparePlug(plug *snap.PlugInfo) error {
+	// It's fine if 'write' isn't specified, but if it is, it needs to be bool
+	if w, ok := plug.Attrs["write"]; ok {
+		_, ok = w.(bool)
+		if !ok {
+			return fmt.Errorf(`optical-drive "write" attribute must be a boolean`)
+		}
+	}
+
+	return nil
+}
+
+func (iface *opticalDriveInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	var write bool
+	_ = plug.Attr("write", &write)
+
+	// Add the common readonly policy
+	spec.AddSnippet(opticalDriveConnectedPlugAppArmor)
+
+	// 'write: true' grants write access to the devices
+	if write {
+		spec.AddSnippet("# Allow write access to optical drives")
+		spec.AddSnippet("/dev/sr[0-9]* w,")
+		spec.AddSnippet("/dev/scd[0-9]* w,")
+	}
+	return nil
+}
+
 func init() {
-	registerIface(&commonInterface{
-		name:                  "optical-drive",
-		summary:               opticalDriveSummary,
-		implicitOnClassic:     true,
-		baseDeclarationSlots:  opticalDriveBaseDeclarationSlots,
-		connectedPlugAppArmor: opticalDriveConnectedPlugAppArmor,
-		connectedPlugUDev:     opticalDriveConnectedPlugUDev,
-		reservedForOS:         true,
-	})
+	registerIface(&opticalDriveInterface{commonInterface: commonInterface{
+		name:                 "optical-drive",
+		summary:              opticalDriveSummary,
+		implicitOnCore:       false,
+		implicitOnClassic:    true,
+		baseDeclarationSlots: opticalDriveBaseDeclarationSlots,
+		connectedPlugUDev:    opticalDriveConnectedPlugUDev,
+		reservedForOS:        true,
+	}})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/optical_drive_test.go snapd-2.37~rc1~14.04/interfaces/builtin/optical_drive_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/optical_drive_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/optical_drive_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,6 +27,7 @@
 	"github.com/snapcore/snapd/interfaces/builtin"
 	"github.com/snapcore/snapd/interfaces/udev"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
 )
 
@@ -34,8 +35,14 @@
 	iface    interfaces.Interface
 	slotInfo *snap.SlotInfo
 	slot     *interfaces.ConnectedSlot
-	plugInfo *snap.PlugInfo
-	plug     *interfaces.ConnectedPlug
+
+	// Consuming Snap
+	testPlugReadonly     *interfaces.ConnectedPlug
+	testPlugReadonlyInfo *snap.PlugInfo
+	testPlugWritable     *interfaces.ConnectedPlug
+	testPlugWritableInfo *snap.PlugInfo
+	testPlugDefault      *interfaces.ConnectedPlug
+	testPlugDefaultInfo  *snap.PlugInfo
 }
 
 var _ = Suite(&OpticalDriveInterfaceSuite{
@@ -44,9 +51,20 @@
 
 const opticalDriveConsumerYaml = `name: consumer
 version: 0
+plugs:
+ plug-for-readonly:
+  interface: optical-drive
+  write: false
+ plug-for-writable:
+  interface: optical-drive
+  write: true
 apps:
  app:
   plugs: [optical-drive]
+ app-readonly:
+  plugs: [plug-for-readonly]
+ app-writable:
+  plugs: [plug-for-writable]
 `
 
 const opticalDriveCoreYaml = `name: core
@@ -57,7 +75,15 @@
 `
 
 func (s *OpticalDriveInterfaceSuite) SetUpTest(c *C) {
-	s.plug, s.plugInfo = MockConnectedPlug(c, opticalDriveConsumerYaml, nil, "optical-drive")
+	consumingSnapInfo := snaptest.MockInfo(c, opticalDriveConsumerYaml, nil)
+
+	s.testPlugDefaultInfo = consumingSnapInfo.Plugs["optical-drive"]
+	s.testPlugDefault = interfaces.NewConnectedPlug(s.testPlugDefaultInfo, nil, nil)
+	s.testPlugReadonlyInfo = consumingSnapInfo.Plugs["plug-for-readonly"]
+	s.testPlugReadonly = interfaces.NewConnectedPlug(s.testPlugReadonlyInfo, nil, nil)
+	s.testPlugWritableInfo = consumingSnapInfo.Plugs["plug-for-writable"]
+	s.testPlugWritable = interfaces.NewConnectedPlug(s.testPlugWritableInfo, nil, nil)
+
 	s.slot, s.slotInfo = MockConnectedSlot(c, opticalDriveCoreYaml, nil, "optical-drive")
 }
 
@@ -77,20 +103,56 @@
 }
 
 func (s *OpticalDriveInterfaceSuite) TestSanitizePlug(c *C) {
-	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.testPlugDefaultInfo), IsNil)
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.testPlugReadonlyInfo), IsNil)
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.testPlugWritableInfo), IsNil)
 }
 
 func (s *OpticalDriveInterfaceSuite) TestAppArmorSpec(c *C) {
-	spec := &apparmor.Specification{}
-	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
-	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
-	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/dev/sr[0-9]* r,`)
+	type options struct {
+		appName         string
+		includeSnippets []string
+		excludeSnippets []string
+	}
+	checkConnectedPlugSnippet := func(plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot, opts *options) {
+		apparmorSpec := &apparmor.Specification{}
+		err := apparmorSpec.AddConnectedPlug(s.iface, plug, slot)
+		c.Assert(err, IsNil)
+		c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{opts.appName})
+		for _, expectedSnippet := range opts.includeSnippets {
+			c.Assert(apparmorSpec.SnippetForTag(opts.appName), testutil.Contains, expectedSnippet)
+		}
+		for _, unexpectedSnippet := range opts.excludeSnippets {
+			c.Assert(apparmorSpec.SnippetForTag(opts.appName), Not(testutil.Contains), unexpectedSnippet)
+		}
+	}
+
+	expectedSnippet1 := `/dev/scd[0-9]* r,`
+	expectedSnippet2 := `/dev/scd[0-9]* w,`
+
+	checkConnectedPlugSnippet(s.testPlugDefault, s.slot, &options{
+		appName:         "snap.consumer.app",
+		includeSnippets: []string{expectedSnippet1},
+		excludeSnippets: []string{expectedSnippet2},
+	})
+	checkConnectedPlugSnippet(s.testPlugReadonly, s.slot, &options{
+		appName:         "snap.consumer.app-readonly",
+		includeSnippets: []string{expectedSnippet1},
+		excludeSnippets: []string{expectedSnippet2},
+	})
+	checkConnectedPlugSnippet(s.testPlugWritable, s.slot, &options{
+		appName:         "snap.consumer.app-writable",
+		includeSnippets: []string{expectedSnippet1, expectedSnippet2},
+		excludeSnippets: []string{},
+	})
 }
 
 func (s *OpticalDriveInterfaceSuite) TestUDevSpec(c *C) {
 	spec := &udev.Specification{}
-	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
-	c.Assert(spec.Snippets(), HasLen, 3)
+	c.Assert(spec.AddConnectedPlug(s.iface, s.testPlugDefault, s.slot), IsNil)
+	c.Assert(spec.AddConnectedPlug(s.iface, s.testPlugReadonly, s.slot), IsNil)
+	c.Assert(spec.AddConnectedPlug(s.iface, s.testPlugWritable, s.slot), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 9) // three rules multiplied by three apps
 	c.Assert(spec.Snippets(), testutil.Contains, `# optical-drive
 KERNEL=="sr[0-9]*", TAG+="snap_consumer_app"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_consumer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_consumer_app $devpath $major:$minor"`)
@@ -100,15 +162,10 @@
 	si := interfaces.StaticInfoOf(s.iface)
 	c.Assert(si.ImplicitOnCore, Equals, false)
 	c.Assert(si.ImplicitOnClassic, Equals, true)
-	c.Assert(si.Summary, Equals, `allows read access to optical drives`)
+	c.Assert(si.Summary, Equals, `allows access to optical drives`)
 	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "optical-drive")
 }
 
-func (s *OpticalDriveInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
-}
-
 func (s *OpticalDriveInterfaceSuite) TestInterfaces(c *C) {
 	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/password_manager_service.go snapd-2.37~rc1~14.04/interfaces/builtin/password_manager_service.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/password_manager_service.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/password_manager_service.go	2019-01-16 08:36:51.000000000 +0000
@@ -19,7 +19,7 @@
 
 package builtin
 
-const passwordManagerServiceSummary = `allow access to common password manager services`
+const passwordManagerServiceSummary = `allows access to common password manager services`
 
 const passwordManagerBaseDeclarationSlots = `
   password-manager-service:
@@ -64,7 +64,7 @@
     peer=(label=unconfined),
 
 # KWallet's client API is still in use in KDE/Plasma. It's DBus API relies upon
-# member data for access to its 'folders' and 'entries' and is therefore does
+# member data for access to its 'folders' and 'entries' and it therefore does
 # not allow for application isolation via AppArmor. For details, see:
 # - https://cgit.kde.org/kdelibs.git/tree/kdeui/util/kwallet.h?h=v4.14.33
 #
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/password_manager_service_test.go snapd-2.37~rc1~14.04/interfaces/builtin/password_manager_service_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/password_manager_service_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/password_manager_service_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "password-manager-service",
 		Interface: "password-manager-service",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["password-manager-service"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *passwordManagerServiceInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/personal_files.go snapd-2.37~rc1~14.04/interfaces/builtin/personal_files.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/personal_files.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/personal_files.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,79 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"fmt"
+	"strings"
+)
+
+const personalFilesSummary = `allows access to personal files or directories`
+
+const personalFilesBaseDeclarationPlugs = `
+  personal-files:
+    allow-installation: false
+    deny-auto-connection: true
+`
+
+const personalFilesBaseDeclarationSlots = `
+  personal-files:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const personalFilesConnectedPlugAppArmor = `
+# Description: Can access specific personal files or directories in the 
+# users's home directory.
+# This is restricted because it gives file access to arbitrary locations.
+`
+
+type personalFilesInterface struct {
+	commonFilesInterface
+}
+
+func validateSinglePathHome(np string) error {
+	if !strings.HasPrefix(np, "$HOME/") {
+		return fmt.Errorf(`%q must start with "$HOME/"`, np)
+	}
+	if strings.Count(np, "$HOME") > 1 {
+		return fmt.Errorf(`$HOME must only be used at the start of the path of %q`, np)
+	}
+	return nil
+}
+
+func init() {
+	registerIface(&personalFilesInterface{
+		commonFilesInterface{
+			commonInterface: commonInterface{
+				name:                 "personal-files",
+				summary:              personalFilesSummary,
+				implicitOnCore:       true,
+				implicitOnClassic:    true,
+				baseDeclarationPlugs: personalFilesBaseDeclarationPlugs,
+				baseDeclarationSlots: personalFilesBaseDeclarationSlots,
+				reservedForOS:        true,
+			},
+			apparmorHeader:    personalFilesConnectedPlugAppArmor,
+			extraPathValidate: validateSinglePathHome,
+		},
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/personal_files_test.go snapd-2.37~rc1~14.04/interfaces/builtin/personal_files_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/personal_files_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/personal_files_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,159 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	"strings"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type personalFilesInterfaceSuite struct {
+	iface    interfaces.Interface
+	slot     *interfaces.ConnectedSlot
+	slotInfo *snap.SlotInfo
+	plug     *interfaces.ConnectedPlug
+	plugInfo *snap.PlugInfo
+}
+
+var _ = Suite(&personalFilesInterfaceSuite{
+	iface: builtin.MustInterface("personal-files"),
+})
+
+func (s *personalFilesInterfaceSuite) SetUpTest(c *C) {
+	const mockPlugSnapInfo = `name: other
+version: 1.0
+plugs:
+ personal-files:
+  read: [$HOME/.read-dir, $HOME/.read-file]
+  write:  [$HOME/.write-dir, $HOME/.write-file]
+apps:
+ app:
+  command: foo
+  plugs: [personal-files]
+`
+	s.slotInfo = &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
+		Name:      "personal-files",
+		Interface: "personal-files",
+	}
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
+	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
+	s.plugInfo = plugSnap.Plugs["personal-files"]
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+}
+
+func (s *personalFilesInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "personal-files")
+}
+
+func (s *personalFilesInterfaceSuite) TestConnectedPlugAppArmor(c *C) {
+	apparmorSpec := &apparmor.Specification{}
+	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"})
+	c.Check(apparmorSpec.SnippetForTag("snap.other.app"), Equals, `
+# Description: Can access specific personal files or directories in the 
+# users's home directory.
+# This is restricted because it gives file access to arbitrary locations.
+owner "@{HOME}/.read-dir{,/,/**}" rk,
+owner "@{HOME}/.read-file{,/,/**}" rk,
+owner "@{HOME}/.write-dir{,/,/**}" rwkl,
+owner "@{HOME}/.write-file{,/,/**}" rwkl,
+`)
+}
+
+func (s *personalFilesInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "personal-files",
+		Interface: "personal-files",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"personal-files slots are reserved for the core snap")
+}
+
+func (s *personalFilesInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *personalFilesInterfaceSuite) TestSanitizePlugHappy(c *C) {
+	const mockSnapYaml = `name: personal-files-plug-snap
+version: 1.0
+plugs:
+ personal-files:
+  read: ["$HOME/file1", "$HOME/.hidden1"]
+  write: ["$HOME/dir1", "$HOME/.hidden2"]
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := info.Plugs["personal-files"]
+	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), IsNil)
+}
+
+func (s *personalFilesInterfaceSuite) TestSanitizePlugUnhappy(c *C) {
+	const mockSnapYaml = `name: personal-files-plug-snap
+version: 1.0
+plugs:
+ personal-files:
+  $t
+`
+	errPrefix := `cannot add personal-files plug: `
+	var testCases = []struct {
+		inp    string
+		errStr string
+	}{
+		{`read: ""`, `"read" must be a list of strings`},
+		{`read: [ 123 ]`, `"read" must be a list of strings`},
+		{`read: [ "$HOME/foo/./bar" ]`, `cannot use "\$HOME/foo/./bar": try "\$HOME/foo/bar"`},
+		{`read: [ "../foo" ]`, `"../foo" must start with "\$HOME/"`},
+		{`read: [ "/foo[" ]`, `"/foo\[" contains a reserved apparmor char from .*`},
+		{`write: ""`, `"write" must be a list of strings`},
+		{`write: bar`, `"write" must be a list of strings`},
+		{`read: [ "~/foo" ]`, `"~/foo" cannot contain "~"`},
+		{`read: [ "$HOME/foo/~/foo" ]`, `"\$HOME/foo/~/foo" cannot contain "~"`},
+		{`read: [ "$HOME/foo/../foo" ]`, `cannot use "\$HOME/foo/../foo": try "\$HOME/foo"`},
+		{`read: [ "$HOME/home/$HOME/foo" ]`, `\$HOME must only be used at the start of the path of "\$HOME/home/\$HOME/foo"`},
+		{`read: [ "$HOME/sweet/$HOME" ]`, `\$HOME must only be used at the start of the path of "\$HOME/sweet/\$HOME"`},
+		{`read: [ "/@{FOO}" ]`, `"/@{FOO}" contains a reserved apparmor char from .*`},
+		{`read: [ "/home/@{HOME}/foo" ]`, `"/home/@{HOME}/foo" contains a reserved apparmor char from .*`},
+		{`read: [ "${HOME}/foo" ]`, `"\${HOME}/foo" contains a reserved apparmor char from .*`},
+		{`read: [ "$HOME" ]`, `"\$HOME" must start with "\$HOME/"`},
+	}
+
+	for _, t := range testCases {
+		yml := strings.Replace(mockSnapYaml, "$t", t.inp, -1)
+		info := snaptest.MockInfo(c, yml, nil)
+		plug := info.Plugs["personal-files"]
+
+		c.Check(interfaces.BeforePreparePlug(s.iface, plug), ErrorMatches, errPrefix+t.errStr, Commentf("unexpected error for %q", t.inp))
+	}
+}
+
+func (s *personalFilesInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/physical_memory_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/physical_memory_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/physical_memory_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/physical_memory_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -105,8 +105,7 @@
 }
 
 func (s *PhysicalMemoryControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *PhysicalMemoryControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/physical_memory_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/physical_memory_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/physical_memory_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/physical_memory_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -106,8 +106,7 @@
 }
 
 func (s *PhysicalMemoryObserveInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *PhysicalMemoryObserveInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ppp.go snapd-2.37~rc1~14.04/interfaces/builtin/ppp.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ppp.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ppp.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,7 +57,7 @@
 
 var pppConnectedPlugUDev = []string{
 	`KERNEL=="ppp"`,
-	`KERNEL=="tty[A-Z]*[0-9]*"`,
+	`KERNEL=="tty[a-zA-Z]*[0-9]*"`,
 }
 
 func init() {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ppp_test.go snapd-2.37~rc1~14.04/interfaces/builtin/ppp_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ppp_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ppp_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -115,8 +115,7 @@
 }
 
 func (s *PppInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *PppInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/process_control.go snapd-2.37~rc1~14.04/interfaces/builtin/process_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/process_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/process_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -42,7 +42,9 @@
 capability sys_resource,
 capability sys_nice,
 
-signal,
+signal (send),
+/{,usr/}bin/kill ixr,
+/{,usr/}bin/pkill ixr,
 `
 
 const processControlConnectedPlugSecComp = `
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/process_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/process_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/process_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/process_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "process-control",
 		Interface: "process-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, procctlMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["process-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *ProcessControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/pulseaudio.go snapd-2.37~rc1~14.04/interfaces/builtin/pulseaudio.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/pulseaudio.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/pulseaudio.go	2019-01-16 08:36:51.000000000 +0000
@@ -41,6 +41,8 @@
 `
 
 const pulseaudioConnectedPlugAppArmor = `
+# Allow communicating with pulseaudio service for playback and, on some
+# distributions, recording.
 /{run,dev}/shm/pulse-shm-* mrwk,
 
 owner /{,var/}run/pulse/ r,
@@ -172,7 +174,7 @@
 	return nil
 }
 
-func (iface *pulseAudioInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *pulseAudioInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	return true
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/pulseaudio_test.go snapd-2.37~rc1~14.04/interfaces/builtin/pulseaudio_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/pulseaudio_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/pulseaudio_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -75,15 +75,15 @@
 	// pulseaudio snap with pulseaudio slot on an core/all-snap install.
 	snapInfo := snaptest.MockInfo(c, pulseaudioMockCoreSlotSnapInfoYaml, nil)
 	s.coreSlotInfo = snapInfo.Slots["pulseaudio"]
-	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil)
+	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil, nil)
 	// pulseaudio slot on a core snap in a classic install.
 	snapInfo = snaptest.MockInfo(c, pulseaudioMockClassicSlotSnapInfoYaml, nil)
 	s.classicSlotInfo = snapInfo.Slots["pulseaudio"]
-	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil)
+	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil, nil)
 	// snap with the pulseaudio plug
 	snapInfo = snaptest.MockInfo(c, pulseaudioMockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["pulseaudio"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *PulseAudioInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/raw_usb.go snapd-2.37~rc1~14.04/interfaces/builtin/raw_usb.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/raw_usb.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/raw_usb.go	2019-01-16 08:36:51.000000000 +0000
@@ -34,6 +34,9 @@
 # This gives privileged access to the system.
 /dev/bus/usb/[0-9][0-9][0-9]/[0-9][0-9][0-9] rw,
 
+# Allow access to all ttyUSB devices too
+/dev/tty{USB,ACM}[0-9]* rw,
+
 # Allow detection of usb devices. Leaks plugged in USB device info
 /sys/bus/usb/devices/ r,
 /sys/devices/pci**/usb[0-9]** r,
@@ -45,7 +48,10 @@
 /run/udev/data/+usb:* r,
 `
 
-var rawusbConnectedPlugUDev = []string{`SUBSYSTEM=="usb"`}
+var rawusbConnectedPlugUDev = []string{
+	`SUBSYSTEM=="usb"`,
+	`SUBSYSTEM=="tty", ENV{ID_BUS}=="usb"`,
+}
 
 func init() {
 	registerIface(&commonInterface{
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/raw_usb_test.go snapd-2.37~rc1~14.04/interfaces/builtin/raw_usb_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/raw_usb_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/raw_usb_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -90,9 +90,11 @@
 func (s *RawUsbInterfaceSuite) TestUDevSpec(c *C) {
 	spec := &udev.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
-	c.Assert(spec.Snippets(), HasLen, 2)
+	c.Assert(spec.Snippets(), HasLen, 3)
 	c.Assert(spec.Snippets(), testutil.Contains, `# raw-usb
 SUBSYSTEM=="usb", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# raw-usb
+SUBSYSTEM=="tty", ENV{ID_BUS}=="usb", TAG+="snap_consumer_app"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_consumer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_consumer_app $devpath $major:$minor"`)
 }
 
@@ -105,8 +107,7 @@
 }
 
 func (s *RawUsbInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *RawUsbInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/removable_media.go snapd-2.37~rc1~14.04/interfaces/builtin/removable_media.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/removable_media.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/removable_media.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -42,6 +42,11 @@
 # Mount points could be in /run/media/<user>/* or /media/<user>/*
 /{,run/}media/*/ r,
 /{,run/}media/*/** rwk,
+
+# Allow read-only access to /mnt to enumerate items.
+/mnt/ r,
+# Allow write access to anything under /mnt
+/mnt/** rwk,
 `
 
 func init() {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/removable_media_test.go snapd-2.37~rc1~14.04/interfaces/builtin/removable_media_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/removable_media_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/removable_media_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,9 +56,9 @@
 		Name:      "removable-media",
 		Interface: "removable-media",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	s.plugInfo = consumingSnapInfo.Plugs["removable-media"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *RemovableMediaInterfaceSuite) TestName(c *C) {
@@ -87,6 +87,7 @@
 	c.Assert(err, IsNil)
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.client-snap.other"})
 	c.Check(apparmorSpec.SnippetForTag("snap.client-snap.other"), testutil.Contains, "/{,run/}media/*/ r")
+	c.Check(apparmorSpec.SnippetForTag("snap.client-snap.other"), testutil.Contains, "/mnt/** rwk,")
 }
 
 func (s *RemovableMediaInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/screencast_legacy.go snapd-2.37~rc1~14.04/interfaces/builtin/screencast_legacy.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/screencast_legacy.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/screencast_legacy.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,64 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+const screencastLegacySummary = `allows screen recording and audio recording, and also writing to arbitrary filesystem paths`
+
+const screencastLegacyBaseDeclarationSlots = `
+  screencast-legacy:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const screencastLegacyConnectedPlugAppArmor = `
+# Description: Can access common desktop screenshot, screencast and recording
+# methods thus giving privileged access to screen output and microphone via the
+# desktop session manager.
+
+#include <abstractions/dbus-session-strict>
+
+# gnome-shell screenshot and screencast. Note these APIs permit specifying
+# absolute file names as arguments to DBus methods which tells gnome-shell to
+# save to arbitrary locations permitted by the unconfined user.
+dbus (send)
+    bus=session
+    path=/org/gnome/Shell/Screen{cast,shot}
+    interface=org.freedesktop.DBus.Properties
+    member=Get{,All}
+    peer=(label=unconfined),
+dbus (send)
+    bus=session
+    path=/org/gnome/Shell/Screen{cast,shot}
+    interface=org.gnome.Shell.Screen{cast,shot}
+    peer=(label=unconfined),
+`
+
+func init() {
+	registerIface(&commonInterface{
+		name:                  "screencast-legacy",
+		summary:               screencastLegacySummary,
+		implicitOnClassic:     true,
+		baseDeclarationSlots:  screencastLegacyBaseDeclarationSlots,
+		connectedPlugAppArmor: screencastLegacyConnectedPlugAppArmor,
+		reservedForOS:         true,
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/screencast_legacy_test.go snapd-2.37~rc1~14.04/interfaces/builtin/screencast_legacy_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/screencast_legacy_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/screencast_legacy_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,107 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type ScreencastLegacyInterfaceSuite struct {
+	iface        interfaces.Interface
+	coreSlotInfo *snap.SlotInfo
+	coreSlot     *interfaces.ConnectedSlot
+	plugInfo     *snap.PlugInfo
+	plug         *interfaces.ConnectedPlug
+}
+
+var _ = Suite(&ScreencastLegacyInterfaceSuite{
+	iface: builtin.MustInterface("screencast-legacy"),
+})
+
+const screencastLegacyConsumerYaml = `name: consumer
+version: 0
+apps:
+ app:
+  plugs: [screencast-legacy]
+`
+
+const screencastLegacyCoreYaml = `name: core
+version: 0
+type: os
+slots:
+  screencast-legacy:
+`
+
+func (s *ScreencastLegacyInterfaceSuite) SetUpTest(c *C) {
+	s.plug, s.plugInfo = MockConnectedPlug(c, screencastLegacyConsumerYaml, nil, "screencast-legacy")
+	s.coreSlot, s.coreSlotInfo = MockConnectedSlot(c, screencastLegacyCoreYaml, nil, "screencast-legacy")
+}
+
+func (s *ScreencastLegacyInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "screencast-legacy")
+}
+
+func (s *ScreencastLegacyInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.coreSlotInfo), IsNil)
+	// screencast-legacy slot currently only used with core
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "screencast-legacy",
+		Interface: "screencast-legacy",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"screencast-legacy slots are reserved for the core snap")
+}
+
+func (s *ScreencastLegacyInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *ScreencastLegacyInterfaceSuite) TestAppArmorSpec(c *C) {
+	// connected plug to core slot
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Description: Can access common desktop screenshot, screencast and recording")
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "path=/org/gnome/Shell/Screen{cast,shot}")
+
+	// connected plug to core slot
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.coreSlot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+}
+
+func (s *ScreencastLegacyInterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, false)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows screen recording and audio recording, and also writing to arbitrary filesystem paths`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "screencast-legacy")
+}
+
+func (s *ScreencastLegacyInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/screen_inhibit_control.go snapd-2.37~rc1~14.04/interfaces/builtin/screen_inhibit_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/screen_inhibit_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/screen_inhibit_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -68,7 +68,7 @@
 dbus (send)
     bus=session
     path=/{,org/freedesktop/,org/gnome/}ScreenSaver
-    interface=org.freedesktop.ScreenSaver
+    interface=org.{freedesktop,gnome}.ScreenSaver
     member={Inhibit,UnInhibit,SimulateUserActivity}
     peer=(label=unconfined),
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/screen_inhibit_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/screen_inhibit_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/screen_inhibit_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/screen_inhibit_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "screen-inhibit-control",
 		Interface: "screen-inhibit-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["screen-inhibit-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *ScreenInhibitControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/serial_port.go snapd-2.37~rc1~14.04/interfaces/builtin/serial_port.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/serial_port.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/serial_port.go	2019-01-16 08:36:51.000000000 +0000
@@ -203,7 +203,7 @@
 	return nil
 }
 
-func (iface *serialPortInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *serialPortInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/serial_port_test.go snapd-2.37~rc1~14.04/interfaces/builtin/serial_port_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/serial_port_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/serial_port_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -172,45 +172,45 @@
     bad-interface: other-interface
 `, nil)
 	s.testSlot1Info = osSnapInfo.Slots["test-port-1"]
-	s.testSlot1 = interfaces.NewConnectedSlot(s.testSlot1Info, nil)
+	s.testSlot1 = interfaces.NewConnectedSlot(s.testSlot1Info, nil, nil)
 	s.testSlot2Info = osSnapInfo.Slots["test-port-2"]
-	s.testSlot2 = interfaces.NewConnectedSlot(s.testSlot2Info, nil)
+	s.testSlot2 = interfaces.NewConnectedSlot(s.testSlot2Info, nil, nil)
 	s.testSlot3Info = osSnapInfo.Slots["test-port-3"]
-	s.testSlot3 = interfaces.NewConnectedSlot(s.testSlot3Info, nil)
+	s.testSlot3 = interfaces.NewConnectedSlot(s.testSlot3Info, nil, nil)
 	s.testSlot4Info = osSnapInfo.Slots["test-port-4"]
-	s.testSlot4 = interfaces.NewConnectedSlot(s.testSlot4Info, nil)
+	s.testSlot4 = interfaces.NewConnectedSlot(s.testSlot4Info, nil, nil)
 	s.testSlot5Info = osSnapInfo.Slots["test-port-5"]
-	s.testSlot5 = interfaces.NewConnectedSlot(s.testSlot5Info, nil)
+	s.testSlot5 = interfaces.NewConnectedSlot(s.testSlot5Info, nil, nil)
 	s.testSlot6Info = osSnapInfo.Slots["test-port-6"]
-	s.testSlot6 = interfaces.NewConnectedSlot(s.testSlot6Info, nil)
+	s.testSlot6 = interfaces.NewConnectedSlot(s.testSlot6Info, nil, nil)
 	s.testSlot7Info = osSnapInfo.Slots["test-port-7"]
-	s.testSlot7 = interfaces.NewConnectedSlot(s.testSlot7Info, nil)
+	s.testSlot7 = interfaces.NewConnectedSlot(s.testSlot7Info, nil, nil)
 	s.testSlot8Info = osSnapInfo.Slots["test-port-8"]
-	s.testSlot8 = interfaces.NewConnectedSlot(s.testSlot8Info, nil)
+	s.testSlot8 = interfaces.NewConnectedSlot(s.testSlot8Info, nil, nil)
 	s.missingPathSlotInfo = osSnapInfo.Slots["missing-path"]
-	s.missingPathSlot = interfaces.NewConnectedSlot(s.missingPathSlotInfo, nil)
+	s.missingPathSlot = interfaces.NewConnectedSlot(s.missingPathSlotInfo, nil, nil)
 	s.badPathSlot1Info = osSnapInfo.Slots["bad-path-1"]
-	s.badPathSlot1 = interfaces.NewConnectedSlot(s.badPathSlot1Info, nil)
+	s.badPathSlot1 = interfaces.NewConnectedSlot(s.badPathSlot1Info, nil, nil)
 	s.badPathSlot2Info = osSnapInfo.Slots["bad-path-2"]
-	s.badPathSlot2 = interfaces.NewConnectedSlot(s.badPathSlot2Info, nil)
+	s.badPathSlot2 = interfaces.NewConnectedSlot(s.badPathSlot2Info, nil, nil)
 	s.badPathSlot3Info = osSnapInfo.Slots["bad-path-3"]
-	s.badPathSlot3 = interfaces.NewConnectedSlot(s.badPathSlot3Info, nil)
+	s.badPathSlot3 = interfaces.NewConnectedSlot(s.badPathSlot3Info, nil, nil)
 	s.badPathSlot4Info = osSnapInfo.Slots["bad-path-4"]
-	s.badPathSlot4 = interfaces.NewConnectedSlot(s.badPathSlot4Info, nil)
+	s.badPathSlot4 = interfaces.NewConnectedSlot(s.badPathSlot4Info, nil, nil)
 	s.badPathSlot5Info = osSnapInfo.Slots["bad-path-5"]
-	s.badPathSlot5 = interfaces.NewConnectedSlot(s.badPathSlot5Info, nil)
+	s.badPathSlot5 = interfaces.NewConnectedSlot(s.badPathSlot5Info, nil, nil)
 	s.badPathSlot6Info = osSnapInfo.Slots["bad-path-6"]
-	s.badPathSlot6 = interfaces.NewConnectedSlot(s.badPathSlot6Info, nil)
+	s.badPathSlot6 = interfaces.NewConnectedSlot(s.badPathSlot6Info, nil, nil)
 	s.badPathSlot7Info = osSnapInfo.Slots["bad-path-7"]
-	s.badPathSlot7 = interfaces.NewConnectedSlot(s.badPathSlot7Info, nil)
+	s.badPathSlot7 = interfaces.NewConnectedSlot(s.badPathSlot7Info, nil, nil)
 	s.badPathSlot8Info = osSnapInfo.Slots["bad-path-8"]
-	s.badPathSlot8 = interfaces.NewConnectedSlot(s.badPathSlot8Info, nil)
+	s.badPathSlot8 = interfaces.NewConnectedSlot(s.badPathSlot8Info, nil, nil)
 	s.badPathSlot9Info = osSnapInfo.Slots["bad-path-9"]
-	s.badPathSlot9 = interfaces.NewConnectedSlot(s.badPathSlot9Info, nil)
+	s.badPathSlot9 = interfaces.NewConnectedSlot(s.badPathSlot9Info, nil, nil)
 	s.badPathSlot10Info = osSnapInfo.Slots["bad-path-10"]
-	s.badPathSlot10 = interfaces.NewConnectedSlot(s.badPathSlot10Info, nil)
+	s.badPathSlot10 = interfaces.NewConnectedSlot(s.badPathSlot10Info, nil, nil)
 	s.badInterfaceSlotInfo = osSnapInfo.Slots["bad-interface"]
-	s.badInterfaceSlot = interfaces.NewConnectedSlot(s.badInterfaceSlotInfo, nil)
+	s.badInterfaceSlot = interfaces.NewConnectedSlot(s.badInterfaceSlotInfo, nil, nil)
 
 	gadgetSnapInfo := snaptest.MockInfo(c, `
 name: some-device
@@ -262,21 +262,21 @@
       path: /dev/serial-port-overinterfacenumber
 `, nil)
 	s.testUDev1Info = gadgetSnapInfo.Slots["test-udev-1"]
-	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil)
+	s.testUDev1 = interfaces.NewConnectedSlot(s.testUDev1Info, nil, nil)
 	s.testUDev2Info = gadgetSnapInfo.Slots["test-udev-2"]
-	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil)
+	s.testUDev2 = interfaces.NewConnectedSlot(s.testUDev2Info, nil, nil)
 	s.testUDev3Info = gadgetSnapInfo.Slots["test-udev-3"]
-	s.testUDev3 = interfaces.NewConnectedSlot(s.testUDev3Info, nil)
+	s.testUDev3 = interfaces.NewConnectedSlot(s.testUDev3Info, nil, nil)
 	s.testUDevBadValue1Info = gadgetSnapInfo.Slots["test-udev-bad-value-1"]
-	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil)
+	s.testUDevBadValue1 = interfaces.NewConnectedSlot(s.testUDevBadValue1Info, nil, nil)
 	s.testUDevBadValue2Info = gadgetSnapInfo.Slots["test-udev-bad-value-2"]
-	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil)
+	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue2Info, nil, nil)
 	s.testUDevBadValue3Info = gadgetSnapInfo.Slots["test-udev-bad-value-3"]
-	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil)
+	s.testUDevBadValue3 = interfaces.NewConnectedSlot(s.testUDevBadValue3Info, nil, nil)
 	s.testUDevBadValue4Info = gadgetSnapInfo.Slots["test-udev-bad-value-4"]
-	s.testUDevBadValue4 = interfaces.NewConnectedSlot(s.testUDevBadValue4Info, nil)
+	s.testUDevBadValue4 = interfaces.NewConnectedSlot(s.testUDevBadValue4Info, nil, nil)
 	s.testUDevBadValue5Info = gadgetSnapInfo.Slots["test-udev-bad-value-5"]
-	s.testUDevBadValue5 = interfaces.NewConnectedSlot(s.testUDevBadValue5Info, nil)
+	s.testUDevBadValue5 = interfaces.NewConnectedSlot(s.testUDevBadValue5Info, nil, nil)
 
 	consumingSnapInfo := snaptest.MockInfo(c, `
 name: client-snap
@@ -301,11 +301,11 @@
         plugs: [plug-for-port-3]
 `, nil)
 	s.testPlugPort1Info = consumingSnapInfo.Plugs["plug-for-port-1"]
-	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil)
+	s.testPlugPort1 = interfaces.NewConnectedPlug(s.testPlugPort1Info, nil, nil)
 	s.testPlugPort2Info = consumingSnapInfo.Plugs["plug-for-port-2"]
-	s.testPlugPort2 = interfaces.NewConnectedPlug(s.testPlugPort2Info, nil)
+	s.testPlugPort2 = interfaces.NewConnectedPlug(s.testPlugPort2Info, nil, nil)
 	s.testPlugPort3Info = consumingSnapInfo.Plugs["plug-for-port-3"]
-	s.testPlugPort3 = interfaces.NewConnectedPlug(s.testPlugPort3Info, nil)
+	s.testPlugPort3 = interfaces.NewConnectedPlug(s.testPlugPort3Info, nil, nil)
 }
 
 func (s *SerialPortInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/shutdown.go snapd-2.37~rc1~14.04/interfaces/builtin/shutdown.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/shutdown.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/shutdown.go	2019-01-16 08:36:51.000000000 +0000
@@ -49,19 +49,17 @@
     peer=(label=unconfined),
 
 # Allow clients to introspect
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/systemd1
     interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(label=unconfined),
-
+    member=Introspect,
 dbus (send)
     bus=system
     path=/org/freedesktop/login1
     interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(label=unconfined),
+    member=Introspect,
 `
 
 func init() {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/shutdown_test.go snapd-2.37~rc1~14.04/interfaces/builtin/shutdown_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/shutdown_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/shutdown_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -52,13 +52,13 @@
     plugs: [shutdown]
 `, nil)
 	s.plugInfo = consumingSnapInfo.Plugs["shutdown"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	s.slotInfo = &snap.SlotInfo{
 		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
 		Name:      "shutdown",
 		Interface: "shutdown",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *ShutdownInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/snapd_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/snapd_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/snapd_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/snapd_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,9 +56,9 @@
 		Name:      "snapd-control",
 		Interface: "snapd-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	s.plugInfo = consumingSnapInfo.Plugs["snapd-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *SnapdControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/spi.go snapd-2.37~rc1~14.04/interfaces/builtin/spi.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/spi.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/spi.go	2019-01-16 08:36:51.000000000 +0000
@@ -73,7 +73,7 @@
 	if err := sanitizeSlotReservedForOSOrGadget(iface, slot); err != nil {
 		return err
 	}
-	_, err := iface.path(&interfaces.SlotRef{Snap: slot.Snap.Name(), Name: slot.Name}, slot)
+	_, err := iface.path(&interfaces.SlotRef{Snap: slot.Snap.InstanceName(), Name: slot.Name}, slot)
 	return err
 }
 
@@ -96,7 +96,7 @@
 	return nil
 }
 
-func (iface *spiInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *spiInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// Allow what is allowed in the declarations
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/spi_test.go snapd-2.37~rc1~14.04/interfaces/builtin/spi_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/spi_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/spi_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -81,9 +81,9 @@
     path: /dev/spidev0.1
 `, nil)
 	s.slotOs1Info = info.Slots["spi-1"]
-	s.slotOs1 = interfaces.NewConnectedSlot(s.slotOs1Info, nil)
+	s.slotOs1 = interfaces.NewConnectedSlot(s.slotOs1Info, nil, nil)
 	s.slotOs2Info = info.Slots["spi-2"]
-	s.slotOs2 = interfaces.NewConnectedSlot(s.slotOs2Info, nil)
+	s.slotOs2 = interfaces.NewConnectedSlot(s.slotOs2Info, nil, nil)
 
 	info = snaptest.MockInfo(c, `
 name: gadget
@@ -115,21 +115,21 @@
     interface: spi
 `, nil)
 	s.slotGadget1Info = info.Slots["spi-1"]
-	s.slotGadget1 = interfaces.NewConnectedSlot(s.slotGadget1Info, nil)
+	s.slotGadget1 = interfaces.NewConnectedSlot(s.slotGadget1Info, nil, nil)
 	s.slotGadget2Info = info.Slots["spi-2"]
-	s.slotGadget2 = interfaces.NewConnectedSlot(s.slotGadget2Info, nil)
+	s.slotGadget2 = interfaces.NewConnectedSlot(s.slotGadget2Info, nil, nil)
 	s.slotGadgetBad1Info = info.Slots["bad-spi-1"]
-	s.slotGadgetBad1 = interfaces.NewConnectedSlot(s.slotGadgetBad1Info, nil)
+	s.slotGadgetBad1 = interfaces.NewConnectedSlot(s.slotGadgetBad1Info, nil, nil)
 	s.slotGadgetBad2Info = info.Slots["bad-spi-2"]
-	s.slotGadgetBad2 = interfaces.NewConnectedSlot(s.slotGadgetBad2Info, nil)
+	s.slotGadgetBad2 = interfaces.NewConnectedSlot(s.slotGadgetBad2Info, nil, nil)
 	s.slotGadgetBad3Info = info.Slots["bad-spi-3"]
-	s.slotGadgetBad3 = interfaces.NewConnectedSlot(s.slotGadgetBad3Info, nil)
+	s.slotGadgetBad3 = interfaces.NewConnectedSlot(s.slotGadgetBad3Info, nil, nil)
 	s.slotGadgetBad4Info = info.Slots["bad-spi-4"]
-	s.slotGadgetBad4 = interfaces.NewConnectedSlot(s.slotGadgetBad4Info, nil)
+	s.slotGadgetBad4 = interfaces.NewConnectedSlot(s.slotGadgetBad4Info, nil, nil)
 	s.slotGadgetBad5Info = info.Slots["bad-spi-5"]
-	s.slotGadgetBad5 = interfaces.NewConnectedSlot(s.slotGadgetBad5Info, nil)
+	s.slotGadgetBad5 = interfaces.NewConnectedSlot(s.slotGadgetBad5Info, nil, nil)
 	s.slotGadgetBad6Info = info.Slots["bad-spi-6"]
-	s.slotGadgetBad6 = interfaces.NewConnectedSlot(s.slotGadgetBad6Info, nil)
+	s.slotGadgetBad6 = interfaces.NewConnectedSlot(s.slotGadgetBad6Info, nil, nil)
 
 	info = snaptest.MockInfo(c, `
 name: consumer
@@ -147,9 +147,9 @@
     plugs: [spi-1]
 `, nil)
 	s.plug1Info = info.Plugs["spi-1"]
-	s.plug1 = interfaces.NewConnectedPlug(s.plug1Info, nil)
+	s.plug1 = interfaces.NewConnectedPlug(s.plug1Info, nil, nil)
 	s.plug2Info = info.Plugs["spi-2"]
-	s.plug2 = interfaces.NewConnectedPlug(s.plug2Info, nil)
+	s.plug2 = interfaces.NewConnectedPlug(s.plug2Info, nil, nil)
 }
 
 func (s *spiInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ssh_keys_test.go snapd-2.37~rc1~14.04/interfaces/builtin/ssh_keys_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ssh_keys_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ssh_keys_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -95,8 +95,7 @@
 }
 
 func (s *SshKeysInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *SshKeysInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ssh_public_keys_test.go snapd-2.37~rc1~14.04/interfaces/builtin/ssh_public_keys_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ssh_public_keys_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ssh_public_keys_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -95,8 +95,7 @@
 }
 
 func (s *SshPublicKeysInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *SshPublicKeysInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/storage_framework_service.go snapd-2.37~rc1~14.04/interfaces/builtin/storage_framework_service.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/storage_framework_service.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/storage_framework_service.go	2019-01-16 08:36:51.000000000 +0000
@@ -153,7 +153,7 @@
 	return nil
 }
 
-func (iface *storageFrameworkServiceInterface) AutoConnect(plug *interfaces.Plug, slot *interfaces.Slot) bool {
+func (iface *storageFrameworkServiceInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
 	return true
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/storage_framework_service_test.go snapd-2.37~rc1~14.04/interfaces/builtin/storage_framework_service_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/storage_framework_service_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/storage_framework_service_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -53,7 +53,7 @@
 `
 	providerInfo := snaptest.MockInfo(c, providerYaml, nil)
 	s.slotInfo = providerInfo.Slots["storage-framework-service"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	const consumerYaml = `name: consumer
 version: 1.0
@@ -64,7 +64,7 @@
 `
 	consumerInfo := snaptest.MockInfo(c, consumerYaml, nil)
 	s.plugInfo = consumerInfo.Plugs["storage-framework-service"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/system_files.go snapd-2.37~rc1~14.04/interfaces/builtin/system_files.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/system_files.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/system_files.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,79 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin
+
+import (
+	"fmt"
+	"strings"
+)
+
+const systemFilesSummary = `allows access to system files or directories`
+
+const systemFilesBaseDeclarationPlugs = `
+  system-files:
+    allow-installation: false
+    deny-auto-connection: true
+`
+
+const systemFilesBaseDeclarationSlots = `
+  system-files:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
+const systemFilesConnectedPlugAppArmor = `
+# Description: Can access specific system files or directories.
+# This is restricted because it gives file access to arbitrary locations.
+`
+
+type systemFilesInterface struct {
+	commonFilesInterface
+}
+
+func validateSinglePathSystem(np string) error {
+	if !strings.HasPrefix(np, "/") {
+		return fmt.Errorf(`%q must start with "/"`, np)
+	}
+	if strings.Contains(np, "$HOME") {
+		return fmt.Errorf(`$HOME cannot be used in %q`, np)
+	}
+
+	return nil
+}
+
+func init() {
+	registerIface(&systemFilesInterface{
+		commonFilesInterface{
+			commonInterface: commonInterface{
+				name:                 "system-files",
+				summary:              systemFilesSummary,
+				implicitOnCore:       true,
+				implicitOnClassic:    true,
+				baseDeclarationPlugs: systemFilesBaseDeclarationPlugs,
+				baseDeclarationSlots: systemFilesBaseDeclarationSlots,
+				reservedForOS:        true,
+			},
+			apparmorHeader:    systemFilesConnectedPlugAppArmor,
+			extraPathValidate: validateSinglePathSystem,
+		},
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/system_files_test.go snapd-2.37~rc1~14.04/interfaces/builtin/system_files_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/system_files_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/system_files_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,182 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package builtin_test
+
+import (
+	"strings"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type systemFilesInterfaceSuite struct {
+	iface    interfaces.Interface
+	slot     *interfaces.ConnectedSlot
+	slotInfo *snap.SlotInfo
+	plug     *interfaces.ConnectedPlug
+	plugInfo *snap.PlugInfo
+}
+
+var _ = Suite(&systemFilesInterfaceSuite{
+	iface: builtin.MustInterface("system-files"),
+})
+
+func (s *systemFilesInterfaceSuite) SetUpTest(c *C) {
+	const mockPlugSnapInfo = `name: other
+version: 1.0
+plugs:
+ system-files:
+  read: [/etc/read-dir2, /etc/read-file2]
+  write:  [/etc/write-dir2, /etc/write-file2]
+apps:
+ app:
+  command: foo
+  plugs: [system-files]
+`
+	s.slotInfo = &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
+		Name:      "system-files",
+		Interface: "system-files",
+	}
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
+	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
+	s.plugInfo = plugSnap.Plugs["system-files"]
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+}
+
+func (s *systemFilesInterfaceSuite) TestName(c *C) {
+	c.Assert(s.iface.Name(), Equals, "system-files")
+}
+
+func (s *systemFilesInterfaceSuite) TestConnectedPlugAppArmor(c *C) {
+	apparmorSpec := &apparmor.Specification{}
+	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"})
+	c.Check(apparmorSpec.SnippetForTag("snap.other.app"), Equals, `
+# Description: Can access specific system files or directories.
+# This is restricted because it gives file access to arbitrary locations.
+"/etc/read-dir2{,/,/**}" rk,
+"/etc/read-file2{,/,/**}" rk,
+"/etc/write-dir2{,/,/**}" rwkl,
+"/etc/write-file2{,/,/**}" rwkl,
+`)
+}
+
+func (s *systemFilesInterfaceSuite) TestSanitizeSlot(c *C) {
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	slot := &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "some-snap"},
+		Name:      "system-files",
+		Interface: "system-files",
+	}
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
+		"system-files slots are reserved for the core snap")
+}
+
+func (s *systemFilesInterfaceSuite) TestSanitizePlug(c *C) {
+	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
+}
+
+func (s *systemFilesInterfaceSuite) TestSanitizePlugHappy(c *C) {
+	const mockSnapYaml = `name: system-files-plug-snap
+version: 1.0
+plugs:
+ system-files:
+  read: ["/etc/file1"]
+  write: ["/etc/dir1"]
+`
+	info := snaptest.MockInfo(c, mockSnapYaml, nil)
+	plug := info.Plugs["system-files"]
+	c.Assert(interfaces.BeforePreparePlug(s.iface, plug), IsNil)
+}
+
+func (s *systemFilesInterfaceSuite) TestSanitizePlugUnhappy(c *C) {
+	const mockSnapYaml = `name: system-files-plug-snap
+version: 1.0
+plugs:
+ system-files:
+  $t
+`
+	errPrefix := `cannot add system-files plug: `
+	var testCases = []struct {
+		inp    string
+		errStr string
+	}{
+		{`read: ""`, `"read" must be a list of strings`},
+		{`read: [ 123 ]`, `"read" must be a list of strings`},
+		{`read: [ "/foo/./bar" ]`, `cannot use "/foo/./bar": try "/foo/bar"`},
+		{`read: [ "../foo" ]`, `"../foo" must start with "/"`},
+		{`read: [ "/foo[" ]`, `"/foo\[" contains a reserved apparmor char from .*`},
+		{`write: ""`, `"write" must be a list of strings`},
+		{`write: bar`, `"write" must be a list of strings`},
+		{`read: [ "~/foo" ]`, `"~/foo" cannot contain "~"`},
+		{`read: [ "/foo/~/foo" ]`, `"/foo/~/foo" cannot contain "~"`},
+		{`read: [ "/foo/../foo" ]`, `cannot use "/foo/../foo": try "/foo"`},
+		{`read: [ "/home/$HOME/foo" ]`, `\$HOME cannot be used in "/home/\$HOME/foo"`},
+		{`read: [ "$HOME/sweet/$HOME" ]`, `"\$HOME/sweet/\$HOME" must start with "/"`},
+		{`read: [ "/@{FOO}" ]`, `"/@{FOO}" contains a reserved apparmor char from .*`},
+		{`read: [ "/home/@{HOME}/foo" ]`, `"/home/@{HOME}/foo" contains a reserved apparmor char from .*`},
+	}
+
+	for _, t := range testCases {
+		yml := strings.Replace(mockSnapYaml, "$t", t.inp, -1)
+		info := snaptest.MockInfo(c, yml, nil)
+		plug := info.Plugs["system-files"]
+
+		c.Check(interfaces.BeforePreparePlug(s.iface, plug), ErrorMatches, errPrefix+t.errStr, Commentf("unexpected error for %q", t.inp))
+	}
+}
+
+func (s *systemFilesInterfaceSuite) TestConnectedPlugAppArmorInternalError(c *C) {
+	const mockPlugSnapInfo = `name: other
+version: 1.0
+plugs:
+ system-files:
+  read: [ 123 , 345 ]
+apps:
+ app:
+  command: foo
+  plugs: [system-files]
+`
+	s.slotInfo = &snap.SlotInfo{
+		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
+		Name:      "system-files",
+		Interface: "system-files",
+	}
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
+	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
+	s.plugInfo = plugSnap.Plugs["system-files"]
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+
+	apparmorSpec := &apparmor.Specification{}
+	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	c.Assert(err, ErrorMatches, `cannot connect plug system-files: 123 \(int64\) is not a string`)
+}
+
+func (s *systemFilesInterfaceSuite) TestInterfaces(c *C) {
+	c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/system_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/system_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/system_observe.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/system_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,7 +29,6 @@
     deny-auto-connection: true
 `
 
-// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/system-observe
 const systemObserveConnectedPlugAppArmor = `
 # Description: Can query system status information. This is restricted because
 # it gives privileged read access to all processes on the system and should
@@ -38,31 +37,27 @@
 # Needed by 'ps'
 @{PROC}/tty/drivers r,
 
-# This ptrace is an information leak
+# This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here
+# since since ps doesn't actually need to trace other processes.
 ptrace (read),
 
-# ptrace can be used to break out of the seccomp sandbox, but ps requests
-# 'ptrace (trace)' even though it isn't tracing other processes. Unfortunately,
-# this is due to the kernel overloading trace such that the LSMs are unable to
-# distinguish between tracing other processes and other accesses. We deny the
-# trace here to silence the log.
-# Note: for now, explicitly deny to avoid confusion and accidentally giving
-# away this dangerous access frivolously. We may conditionally deny this in the
-# future.
-deny ptrace (trace),
-
 # Other miscellaneous accesses for observing the system
+@{PROC}/modules r,
 @{PROC}/stat r,
 @{PROC}/vmstat r,
 @{PROC}/diskstats r,
 @{PROC}/kallsyms r,
 @{PROC}/partitions r,
+@{PROC}/sys/kernel/panic r,
+@{PROC}/sys/kernel/panic_on_oops r,
+@{PROC}/sys/vm/panic_on_oom r,
 
 # These are not process-specific (/proc/*/... and /proc/*/task/*/...)
 @{PROC}/*/{,task/,task/*/} r,
 @{PROC}/*/{,task/*/}auxv r,
 @{PROC}/*/{,task/*/}cmdline r,
 @{PROC}/*/{,task/*/}exe r,
+@{PROC}/*/{,task/*/}fdinfo/* r,
 @{PROC}/*/{,task/*/}stat r,
 @{PROC}/*/{,task/*/}statm r,
 @{PROC}/*/{,task/*/}status r,
@@ -73,20 +68,20 @@
 
 #include <abstractions/dbus-strict>
 
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/hostname1
     interface=org.freedesktop.DBus.Properties
-    member=Get{,All}
-    peer=(label=unconfined),
+    member=Get{,All},
 
 # Allow clients to introspect hostname1
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/hostname1
     interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(label=unconfined),
+    member=Introspect,
 
 # Allow clients to enumerate DBus connection names on common buses
 dbus (send)
@@ -95,6 +90,14 @@
     interface=org.freedesktop.DBus
     member=ListNames
     peer=(label=unconfined),
+
+# Allow clients to obtain the DBus machine ID on common buses. We do not
+# mediate the path since any peer can be used.
+dbus (send)
+    bus={session,system}
+    interface=org.freedesktop.DBus.Peer
+    member=GetMachineId
+    peer=(label=unconfined),
 `
 
 const systemObserveConnectedPlugSecComp = `
@@ -120,5 +123,6 @@
 		connectedPlugAppArmor: systemObserveConnectedPlugAppArmor,
 		connectedPlugSecComp:  systemObserveConnectedPlugSecComp,
 		reservedForOS:         true,
+		suppressPtraceTrace:   true,
 	})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/system_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/system_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/system_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/system_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "system-observe",
 		Interface: "system-observe",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, sysobsMockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["system-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *SystemObserveInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/system_trace_test.go snapd-2.37~rc1~14.04/interfaces/builtin/system_trace_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/system_trace_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/system_trace_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "system-trace",
 		Interface: "system-trace",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["system-trace"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *SystemTraceInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/thumbnailer_service.go snapd-2.37~rc1~14.04/interfaces/builtin/thumbnailer_service.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/thumbnailer_service.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/thumbnailer_service.go	2019-01-16 08:36:51.000000000 +0000
@@ -127,7 +127,9 @@
 func (iface *thumbnailerServiceInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
 	snippet := thumbnailerServiceConnectedSlotAppArmor
 	old := "###PLUG_SNAP_NAME###"
-	new := plug.Snap().Name()
+	// parallel-installs: PLUG_SNAP_NAME is used in the context of dbus
+	// mediation rules, need to use the actual instance name
+	new := plug.Snap().InstanceName()
 	snippet = strings.Replace(snippet, old, new, -1)
 
 	old = "###PLUG_SECURITY_TAGS###"
@@ -137,7 +139,7 @@
 	return nil
 }
 
-func (iface *thumbnailerServiceInterface) AutoConnect(plug *interfaces.Plug, slot *interfaces.Slot) bool {
+func (iface *thumbnailerServiceInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
 	return true
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/thumbnailer_service_test.go snapd-2.37~rc1~14.04/interfaces/builtin/thumbnailer_service_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/thumbnailer_service_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/thumbnailer_service_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -71,15 +71,15 @@
 	// thumbnailer-service snap with thumbnailer-service slot on an core/all-snap install.
 	snapInfo := snaptest.MockInfo(c, thumbnailerServiceMockCoreSlotSnapInfoYaml, nil)
 	s.coreSlotInfo = snapInfo.Slots["thumbnailer-service"]
-	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil)
+	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil, nil)
 	// thumbnailer-service slot on a core snap in a classic install.
 	snapInfo = snaptest.MockInfo(c, thumbnailerServiceMockClassicSlotSnapInfoYaml, nil)
 	s.classicSlotInfo = snapInfo.Slots["thumbnailer-service"]
-	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil)
+	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil, nil)
 
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["thumbnailer-service"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *ThumbnailerServiceInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/time_control.go snapd-2.37~rc1~14.04/interfaces/builtin/time_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/time_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/time_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -38,12 +38,12 @@
 #include <abstractions/dbus-strict>
 
 # Introspection of org.freedesktop.timedate1
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/timedate1
     interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(label=unconfined),
+    member=Introspect,
 
 dbus (send)
     bus=system
@@ -53,12 +53,12 @@
     peer=(label=unconfined),
 
 # Read all properties from timedate1
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/timedate1
     interface=org.freedesktop.DBus.Properties
-    member=Get{,All}
-    peer=(label=unconfined),
+    member=Get{,All},
 
 # Receive timedate1 property changed events
 dbus (receive)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/time_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/time_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/time_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/time_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -114,8 +114,7 @@
 }
 
 func (s *TimeControlInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *TimeControlInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/timeserver_control.go snapd-2.37~rc1~14.04/interfaces/builtin/timeserver_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/timeserver_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/timeserver_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,12 +43,12 @@
 /etc/systemd/timesyncd.conf rw,
 
 # Introspection of org.freedesktop.timedate1
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/timedate1
     interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(label=unconfined),
+    member=Introspect,
 
 dbus (send)
     bus=system
@@ -58,12 +58,12 @@
     peer=(label=unconfined),
 
 # Read all properties from timedate1
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/timedate1
     interface=org.freedesktop.DBus.Properties
-    member=Get{,All}
-    peer=(label=unconfined),
+    member=Get{,All},
 
 # Receive timedate1 property changed events
 dbus (receive)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/timeserver_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/timeserver_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/timeserver_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/timeserver_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "timeserver-control",
 		Interface: "timeserver-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["timeserver-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *TimeserverControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/timezone_control.go snapd-2.37~rc1~14.04/interfaces/builtin/timezone_control.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/timezone_control.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/timezone_control.go	2019-01-16 08:36:51.000000000 +0000
@@ -45,12 +45,12 @@
 /etc/{,writable/}localtime.tmp rw, # Required for the timedatectl wrapper (LP: #1650688)
 
 # Introspection of org.freedesktop.timedate1
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/timedate1
     interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(label=unconfined),
+    member=Introspect,
 
 dbus (send)
     bus=system
@@ -60,12 +60,12 @@
     peer=(label=unconfined),
 
 # Read all properties from timedate1
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/timedate1
     interface=org.freedesktop.DBus.Properties
-    member=Get{,All}
-    peer=(label=unconfined),
+    member=Get{,All},
 
 # Receive timedate1 property changed events
 dbus (receive)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/timezone_control_test.go snapd-2.37~rc1~14.04/interfaces/builtin/timezone_control_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/timezone_control_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/timezone_control_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,10 +55,10 @@
 		Name:      "timezone-control",
 		Interface: "timezone-control",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["timezone-control"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *TimezoneControlInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/tpm.go snapd-2.37~rc1~14.04/interfaces/builtin/tpm.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/tpm.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/tpm.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,12 +30,17 @@
 `
 
 const tpmConnectedPlugAppArmor = `
-# Description: for those who need to talk to the system TPM chip over /dev/tpm0
+# Description: for those who need to talk to the system TPM chip over
+# /dev/tpm[0-9]* and kernel TPM resource manager /dev/tpmrm[0-0]* (4.12+)
 
-/dev/tpm0 rw,
+/dev/tpm[0-9]* rw,
+/dev/tpmrm[0-9]* rw,
 `
 
-var tpmConnectedPlugUDev = []string{`KERNEL=="tpm[0-9]*"`}
+var tpmConnectedPlugUDev = []string{
+	`KERNEL=="tpm[0-9]*"`,
+	`KERNEL=="tpmrm[0-9]*"`,
+}
 
 func init() {
 	registerIface(&commonInterface{
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/tpm_test.go snapd-2.37~rc1~14.04/interfaces/builtin/tpm_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/tpm_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/tpm_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -84,15 +84,17 @@
 	spec := &apparmor.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
-	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/dev/tpm0")
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/dev/tpm[0-9]*")
 }
 
 func (s *TpmInterfaceSuite) TestUDevSpec(c *C) {
 	spec := &udev.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
-	c.Assert(spec.Snippets(), HasLen, 2)
+	c.Assert(spec.Snippets(), HasLen, 3)
 	c.Assert(spec.Snippets(), testutil.Contains, `# tpm
 KERNEL=="tpm[0-9]*", TAG+="snap_consumer_app"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# tpm
+KERNEL=="tpmrm[0-9]*", TAG+="snap_consumer_app"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_consumer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_consumer_app $devpath $major:$minor"`)
 }
 
@@ -105,8 +107,7 @@
 }
 
 func (s *TpmInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *TpmInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ubuntu_download_manager.go snapd-2.37~rc1~14.04/interfaces/builtin/ubuntu_download_manager.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ubuntu_download_manager.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ubuntu_download_manager.go	2019-01-16 08:36:51.000000000 +0000
@@ -230,13 +230,13 @@
 	new := plugAppLabelExpr(plug)
 	snippet := strings.Replace(downloadConnectedSlotAppArmor, old, new, -1)
 	old = "###PLUG_NAME###"
-	new = plug.Snap().Name()
+	new = plug.Snap().InstanceName()
 	snippet = strings.Replace(snippet, old, new, -1)
 	spec.AddSnippet(snippet)
 	return nil
 }
 
-func (iface *ubuntuDownloadManagerInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *ubuntuDownloadManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/ubuntu_download_manager_test.go snapd-2.37~rc1~14.04/interfaces/builtin/ubuntu_download_manager_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/ubuntu_download_manager_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/ubuntu_download_manager_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -52,13 +52,13 @@
 `
 	snapInfo := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["ubuntu-download-manager"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	s.slotInfo = &snap.SlotInfo{
 		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
 		Name:      "ubuntu-download-manager",
 		Interface: "ubuntu-download-manager",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *UbuntuDownloadManagerInterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/udisks2.go snapd-2.37~rc1~14.04/interfaces/builtin/udisks2.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/udisks2.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/udisks2.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -27,6 +27,7 @@
 	"github.com/snapcore/snapd/interfaces/dbus"
 	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 )
 
@@ -37,7 +38,9 @@
     allow-installation:
       slot-snap-type:
         - app
-    deny-connection: true
+        - core
+    deny-connection:
+      on-classic: false
     deny-auto-connection: true
 `
 
@@ -152,6 +155,12 @@
     path=/org/freedesktop/UDisks2/**
     interface=org.freedesktop.DBus.Properties
     peer=(label=###SLOT_SECURITY_TAGS###),
+# do not use peer=(label=unconfined) here since this is DBus activated
+dbus (send)
+    bus=system
+    path=/org/freedesktop/UDisks2/**
+    interface=org.freedesktop.DBus.Properties
+    member="Get{,All}",
 
 dbus (receive, send)
     bus=system
@@ -167,12 +176,12 @@
     peer=(label=###SLOT_SECURITY_TAGS###),
 
 # Allow clients to introspect the service
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/UDisks2
     interface=org.freedesktop.DBus.Introspectable
-    member=Introspect
-    peer=(label=###SLOT_SECURITY_TAGS###),
+    member=Introspect,
 `
 
 const udisks2PermanentSlotSecComp = `
@@ -375,55 +384,73 @@
 func (iface *udisks2Interface) StaticInfo() interfaces.StaticInfo {
 	return interfaces.StaticInfo{
 		Summary:              udisks2Summary,
+		ImplicitOnClassic:    true,
 		BaseDeclarationSlots: udisks2BaseDeclarationSlots,
 	}
 }
 
 func (iface *udisks2Interface) DBusConnectedPlug(spec *dbus.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
-	spec.AddSnippet(udisks2ConnectedPlugDBus)
+	if !release.OnClassic {
+		spec.AddSnippet(udisks2ConnectedPlugDBus)
+	}
 	return nil
 }
 
 func (iface *udisks2Interface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
-	spec.AddSnippet(udisks2PermanentSlotDBus)
+	if !release.OnClassic {
+		spec.AddSnippet(udisks2PermanentSlotDBus)
+	}
 	return nil
 }
 
 func (iface *udisks2Interface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
 	old := "###SLOT_SECURITY_TAGS###"
-	new := slotAppLabelExpr(slot)
+	var new string
+	if release.OnClassic {
+		new = "unconfined"
+	} else {
+		new = slotAppLabelExpr(slot)
+	}
 	snippet := strings.Replace(udisks2ConnectedPlugAppArmor, old, new, -1)
 	spec.AddSnippet(snippet)
 	return nil
 }
 
 func (iface *udisks2Interface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
-	spec.AddSnippet(udisks2PermanentSlotAppArmor)
+	if !release.OnClassic {
+		spec.AddSnippet(udisks2PermanentSlotAppArmor)
+	}
 	return nil
 }
 
 func (iface *udisks2Interface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
-	spec.AddSnippet(udisks2PermanentSlotUDev)
-	spec.TagDevice(`SUBSYSTEM=="block"`)
-	// # This tags all USB devices, so we'll use AppArmor to mediate specific access (eg, /dev/sd* and /dev/mmcblk*)
-	spec.TagDevice(`SUBSYSTEM=="usb"`)
+	if !release.OnClassic {
+		spec.AddSnippet(udisks2PermanentSlotUDev)
+		spec.TagDevice(`SUBSYSTEM=="block"`)
+		// # This tags all USB devices, so we'll use AppArmor to mediate specific access (eg, /dev/sd* and /dev/mmcblk*)
+		spec.TagDevice(`SUBSYSTEM=="usb"`)
+	}
 	return nil
 }
 
 func (iface *udisks2Interface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
-	old := "###PLUG_SECURITY_TAGS###"
-	new := plugAppLabelExpr(plug)
-	snippet := strings.Replace(udisks2ConnectedSlotAppArmor, old, new, -1)
-	spec.AddSnippet(snippet)
+	if !release.OnClassic {
+		old := "###PLUG_SECURITY_TAGS###"
+		new := plugAppLabelExpr(plug)
+		snippet := strings.Replace(udisks2ConnectedSlotAppArmor, old, new, -1)
+		spec.AddSnippet(snippet)
+	}
 	return nil
 }
 
 func (iface *udisks2Interface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
-	spec.AddSnippet(udisks2PermanentSlotSecComp)
+	if !release.OnClassic {
+		spec.AddSnippet(udisks2PermanentSlotSecComp)
+	}
 	return nil
 }
 
-func (iface *udisks2Interface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *udisks2Interface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/udisks2_test.go snapd-2.37~rc1~14.04/interfaces/builtin/udisks2_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/udisks2_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/udisks2_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,16 +28,19 @@
 	"github.com/snapcore/snapd/interfaces/dbus"
 	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
 )
 
 type UDisks2InterfaceSuite struct {
-	iface    interfaces.Interface
-	slotInfo *snap.SlotInfo
-	slot     *interfaces.ConnectedSlot
-	plugInfo *snap.PlugInfo
-	plug     *interfaces.ConnectedPlug
+	iface           interfaces.Interface
+	slotInfo        *snap.SlotInfo
+	slot            *interfaces.ConnectedSlot
+	classicSlotInfo *snap.SlotInfo
+	classicSlot     *interfaces.ConnectedSlot
+	plugInfo        *snap.PlugInfo
+	plug            *interfaces.ConnectedPlug
 }
 
 var _ = Suite(&UDisks2InterfaceSuite{
@@ -96,9 +99,18 @@
   slots: [udisks2]
 `
 
+const udisks2ClassicYaml = `name: core
+version: 0
+type: os
+slots:
+ udisks2:
+  interface: udisks2
+`
+
 func (s *UDisks2InterfaceSuite) SetUpTest(c *C) {
 	s.plug, s.plugInfo = MockConnectedPlug(c, udisks2ConsumerYaml, nil, "udisks2")
 	s.slot, s.slotInfo = MockConnectedSlot(c, udisks2ProducerYaml, nil, "udisks2")
+	s.classicSlot, s.classicSlotInfo = MockConnectedSlot(c, udisks2ClassicYaml, nil, "udisks2")
 }
 
 func (s *UDisks2InterfaceSuite) TestName(c *C) {
@@ -107,9 +119,14 @@
 
 func (s *UDisks2InterfaceSuite) TestSanitizeSlot(c *C) {
 	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.classicSlotInfo), IsNil)
 }
 
 func (s *UDisks2InterfaceSuite) TestAppArmorSpec(c *C) {
+	// on a core system with udisks2 slot coming from a regular app snap.
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	// The label uses short form when exactly one app is bound to the udisks2 slot
 	spec := &apparmor.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
@@ -159,7 +176,33 @@
 	c.Assert(spec.SnippetForTag("snap.producer.app"), testutil.Contains, `peer=(label=unconfined),`)
 }
 
+func (s *UDisks2InterfaceSuite) TestAppArmorSpecOnClassic(c *C) {
+	// on a core system with udisks2 slot coming from a the classic distro.
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	// connected plug to core slot
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.classicSlot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `peer=(label=unconfined),`)
+
+	// connected classic slot to plug
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.classicSlot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	// permanent classic slot
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.classicSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+}
+
 func (s *UDisks2InterfaceSuite) TestDBusSpec(c *C) {
+	// on a core system with udisks2 slot coming from a regular app snap.
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	spec := &dbus.Specification{}
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
@@ -172,7 +215,24 @@
 	c.Assert(spec.SnippetForTag("snap.producer.app"), testutil.Contains, `send_interface="org.freedesktop.DBus.Introspectable"`)
 }
 
+func (s *UDisks2InterfaceSuite) TestDBusSpecOnClassic(c *C) {
+	// on a core system with udisks2 slot coming from a the classic distro.
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	// connected plug to core slot
+	spec := &dbus.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.classicSlot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+	c.Assert(spec.AddPermanentSlot(s.iface, s.classicSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+}
+
 func (s *UDisks2InterfaceSuite) TestUDevSpec(c *C) {
+	// on a core system with udisks2 slot coming from a regular app snap.
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	spec := &udev.Specification{}
 	c.Assert(spec.AddPermanentSlot(s.iface, s.slotInfo), IsNil)
 	c.Assert(spec.Snippets(), HasLen, 4)
@@ -184,24 +244,47 @@
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_producer_app", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_producer_app $devpath $major:$minor"`)
 }
 
+func (s *UDisks2InterfaceSuite) TestUDevSpecOnClassic(c *C) {
+	// on a core system with udisks2 slot coming from a the classic distro.
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	spec := &udev.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.classicSlotInfo), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 0)
+}
+
 func (s *UDisks2InterfaceSuite) TestSecCompSpec(c *C) {
+	// on a core system with udisks2 slot coming from a regular app snap.
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	spec := &seccomp.Specification{}
 	c.Assert(spec.AddPermanentSlot(s.iface, s.slotInfo), IsNil)
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.producer.app"})
 	c.Assert(spec.SnippetForTag("snap.producer.app"), testutil.Contains, "mount\n")
 }
 
+func (s *UDisks2InterfaceSuite) TestSecCompSpecOnClassic(c *C) {
+	// on a core system with udisks2 slot coming from a the classic distro.
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	spec := &seccomp.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.classicSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+}
+
 func (s *UDisks2InterfaceSuite) TestStaticInfo(c *C) {
 	si := interfaces.StaticInfoOf(s.iface)
 	c.Assert(si.ImplicitOnCore, Equals, false)
-	c.Assert(si.ImplicitOnClassic, Equals, false)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
 	c.Assert(si.Summary, Equals, `allows operating as or interacting with the UDisks2 service`)
 	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "udisks2")
 }
 
 func (s *UDisks2InterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME: fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.slotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.slotInfo), Equals, true)
 }
 
 func (s *UDisks2InterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/unity7.go snapd-2.37~rc1~14.04/interfaces/builtin/unity7.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/unity7.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/unity7.go	2019-01-16 08:36:51.000000000 +0000
@@ -96,7 +96,6 @@
 # interface.
 /usr/bin/xdg-open ixr,
 /usr/share/applications/{,*} r,
-/usr/bin/dbus-send ixr,
 
 # This allow access to the first version of the snapd-xdg-open
 # version which was shipped outside of snapd
@@ -117,7 +116,6 @@
 
 # Allow use of snapd's internal 'xdg-settings'
 /usr/bin/xdg-settings ixr,
-/usr/bin/dbus-send ixr,
 dbus (send)
     bus=session
     path=/io/snapcraft/Settings
@@ -484,7 +482,9 @@
 # this leaks the names of snaps with desktop files
 /var/lib/snapd/desktop/applications/ r,
 /var/lib/snapd/desktop/applications/mimeinfo.cache r,
-/var/lib/snapd/desktop/applications/@{SNAP_NAME}_*.desktop r,
+# parallel-installs: when @{SNAP_INSTANCE_NAME} == @{SNAP_NAME},
+# this leaks read access to desktop files of parallel installs of the snap
+/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_NAME}_*.desktop r,
 
 # then allow talking to Unity DBus service
 dbus (send)
@@ -501,6 +501,8 @@
     member={Register,Unregister}Application
     peer=(label=unconfined),
 
+# When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule
+# allows the snap to access parallel installs of this snap.
 dbus (receive)
     bus=session
     interface=org.freedesktop.DBus.Properties
@@ -508,6 +510,8 @@
     member=GetAll
     peer=(label=unconfined),
 
+# When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule
+# allows the snap to access parallel installs of this snap.
 dbus (receive, send)
     bus=session
     interface=com.canonical.indicator.messages.application
@@ -641,7 +645,11 @@
 	// but we don't care about that here because the rule above already
 	// does that) to '_'. Since we know that the desktop filename starts
 	// with the snap name, perform this conversion on the snap name.
-	new := strings.Replace(plug.Snap().Name(), "-", "_", -1)
+	//
+	// parallel-installs: UNITY_SNAP_NAME is used in the context of dbus
+	// mediation, this unintentionally opens access to dbus paths of keyed
+	// instances of @{SNAP_NAME} to @{SNAP_NAME} snap
+	new := strings.Replace(plug.Snap().InstanceName(), "-", "_", -1)
 	old := "###UNITY_SNAP_NAME###"
 	snippet := strings.Replace(unity7ConnectedPlugAppArmor, old, new, -1)
 	spec.AddSnippet(snippet)
@@ -657,7 +665,7 @@
 	return sanitizeSlotReservedForOS(iface, slot)
 }
 
-func (iface *unity7Interface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *unity7Interface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/unity7_test.go snapd-2.37~rc1~14.04/interfaces/builtin/unity7_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/unity7_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/unity7_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "unity7",
 		Interface: "unity7",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, unity7mockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["unity7"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *Unity7InterfaceSuite) TestName(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/unity8_calendar_test.go snapd-2.37~rc1~14.04/interfaces/builtin/unity8_calendar_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/unity8_calendar_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/unity8_calendar_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -66,15 +66,15 @@
 		Name:      "unity8-calendar",
 		Interface: "unity8-calendar",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["unity8-calendar"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 
 	slotSnap := snaptest.MockInfo(c, mockCoreSlotInfoYaml, nil)
 	s.coreSlotInfo = slotSnap.Slots["unity8-calendar"]
-	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil)
+	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil, nil)
 }
 
 func (s *Unity8CalendarInterfaceSuite) TestName(c *C) {
@@ -105,7 +105,8 @@
 		Name:      "unity8-calendar",
 		Interface: "unity8-calendar",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -128,7 +129,8 @@
 		Name:      "unity8-calendar",
 		Interface: "unity8-calendar",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -149,7 +151,8 @@
 		Name:      "unity8-calendar",
 		Interface: "unity8-calendar",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/unity8_contacts_test.go snapd-2.37~rc1~14.04/interfaces/builtin/unity8_contacts_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/unity8_contacts_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/unity8_contacts_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -67,15 +67,15 @@
 		Name:      "unity8-contacts",
 		Interface: "unity8-contacts",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfo, nil)
 	s.plugInfo = plugSnap.Plugs["unity8-contacts"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 
 	slotSnap := snaptest.MockInfo(c, mockCoreSlotInfoYaml, nil)
 	s.coreSlotInfo = slotSnap.Slots["unity8-contacts"]
-	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil)
+	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil, nil)
 }
 
 func (s *Unity8ContactsInterfaceSuite) TestName(c *C) {
@@ -106,7 +106,8 @@
 		Name:      "unity8-contacts",
 		Interface: "unity8-contacts",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -129,7 +130,8 @@
 		Name:      "unity8-contacts",
 		Interface: "unity8-contacts",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -150,7 +152,8 @@
 		Name:      "unity8-contacts",
 		Interface: "unity8-contacts",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/unity8.go snapd-2.37~rc1~14.04/interfaces/builtin/unity8.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/unity8.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/unity8.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,6 +24,7 @@
 
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/snap"
 )
 
 const unity8Summary = `allows operating as or interacting with Unity 8`
@@ -113,7 +114,7 @@
 	return nil
 }
 
-func (iface *unity8Interface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *unity8Interface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/unity8_pim_common.go snapd-2.37~rc1~14.04/interfaces/builtin/unity8_pim_common.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/unity8_pim_common.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/unity8_pim_common.go	2019-01-16 08:36:51.000000000 +0000
@@ -52,7 +52,7 @@
 
 # Allow services to communicate with each other
 dbus (receive, send)
-	peer=(label="snap.@{SNAP_NAME}.*"),
+	peer=(label="snap.@{SNAP_INSTANCE_NAME}.*"),
 
 # Allow binding the service to the requested connection name
 dbus (bind)
@@ -165,7 +165,7 @@
 	return nil
 }
 
-func (iface *unity8PimCommonInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *unity8PimCommonInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/unity8_test.go snapd-2.37~rc1~14.04/interfaces/builtin/unity8_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/unity8_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/unity8_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,10 +57,10 @@
 		Name:      "unity8-session",
 		Interface: "unity8",
 	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 	plugSnap := snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = plugSnap.Plugs["unity8"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 
 }
 
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/upower_observe.go snapd-2.37~rc1~14.04/interfaces/builtin/upower_observe.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/upower_observe.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/upower_observe.go	2019-01-16 08:36:51.000000000 +0000
@@ -75,12 +75,12 @@
     path=/org/freedesktop/login1{,/**}
     interface=org.freedesktop.DBus.Properties
     peer=(label=unconfined),
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     path=/org/freedesktop/login1{,/**}
     interface=org.freedesktop.DBus.Properties
-    member=Get{,All}
-    peer=(label=unconfined),
+    member=Get{,All},
 
 # Allow receiving any signals from the logind service
 dbus (receive)
@@ -96,7 +96,7 @@
     bus=system
     path=/org/freedesktop/login1{,/**}
     interface=org.freedesktop.login1.Manager
-    member={CanPowerOff,CanSuspend,CanHibernate,CanHybridSleep,PowerOff,Suspend,Hibernate,HybrisSleep}
+    member={CanPowerOff,CanSuspend,CanHibernate,CanHybridSleep,PowerOff,Suspend,Hibernate,HybridSleep}
     peer=(label=unconfined),
 `
 
@@ -169,19 +169,12 @@
     peer=(label=###SLOT_SECURITY_TAGS###),
 
 # Read all properties from UPower and devices
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
-    path=/org/freedesktop/UPower{,/devices/**}
+    path=/org/freedesktop/UPower{,/Wakeups,/devices/**}
     interface=org.freedesktop.DBus.Properties
-    member=Get{,All}
-    peer=(label=###SLOT_SECURITY_TAGS###),
-
-dbus (send)
-    bus=system
-    path=/org/freedesktop/UPower/Wakeups
-    interface=org.freedesktop.DBus.Properties
-    member=Get{,All}
-    peer=(label=###SLOT_SECURITY_TAGS###),
+    member=Get{,All},
 
 dbus (send)
     bus=system
@@ -213,12 +206,12 @@
     peer=(label=###SLOT_SECURITY_TAGS###),
 
 # Allow clients to introspect the service
+# do not use peer=(label=unconfined) here since this is DBus activated
 dbus (send)
     bus=system
     interface=org.freedesktop.DBus.Introspectable
     path=/org/freedesktop/UPower
-    member=Introspect
-    peer=(label=###SLOT_SECURITY_TAGS###),
+    member=Introspect,
 `
 
 type upowerObserveInterface struct{}
@@ -274,7 +267,7 @@
 	return sanitizeSlotReservedForOSOrApp(iface, slot)
 }
 
-func (iface *upowerObserveInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *upowerObserveInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/upower_observe_test.go snapd-2.37~rc1~14.04/interfaces/builtin/upower_observe_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/upower_observe_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/upower_observe_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -74,15 +74,15 @@
 	// upower snap with upower-server slot on an core/all-snap install.
 	snapInfo := snaptest.MockInfo(c, upowerMockSlotSnapInfoYaml, nil)
 	s.coreSlotInfo = snapInfo.Slots["upower-observe"]
-	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil)
+	s.coreSlot = interfaces.NewConnectedSlot(s.coreSlotInfo, nil, nil)
 	// upower-observe slot on a core snap in a classic install.
 	snapInfo = snaptest.MockInfo(c, upowerMockClassicSlotSnapInfoYaml, nil)
 	s.classicSlotInfo = snapInfo.Slots["upower-observe"]
-	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil)
+	s.classicSlot = interfaces.NewConnectedSlot(s.classicSlotInfo, nil, nil)
 	// snap with the upower-observe plug
 	snapInfo = snaptest.MockInfo(c, mockPlugSnapInfoYaml, nil)
 	s.plugInfo = snapInfo.Plugs["upower-observe"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 }
 
 func (s *UPowerObserveInterfaceSuite) TestName(c *C) {
@@ -116,7 +116,7 @@
 		Name:      "upower",
 		Interface: "upower-observe",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
 
 	release.OnClassic = false
 
@@ -140,7 +140,8 @@
 		Name:      "upower",
 		Interface: "upower",
 		Apps:      map[string]*snap.AppInfo{"app1": app1, "app2": app2},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -161,7 +162,8 @@
 		Name:      "upower",
 		Interface: "upower",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
+
 	release.OnClassic = false
 
 	apparmorSpec := &apparmor.Specification{}
@@ -231,7 +233,7 @@
 		Name:      "upower",
 		Interface: "upower-observe",
 		Apps:      map[string]*snap.AppInfo{"app": app},
-	}, nil)
+	}, nil, nil)
 
 	apparmorSpec := &apparmor.Specification{}
 	err := apparmorSpec.AddConnectedSlot(s.iface, plug, s.coreSlot)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/utils.go snapd-2.37~rc1~14.04/interfaces/builtin/utils.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/utils.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/utils.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,12 +35,12 @@
 // all the apps bound to a given slot. The result has one of three forms,
 // depending on how apps are bound to the slot:
 //
-// - "snap.$snap.$app" if there is exactly one app bound
-// - "snap.$snap.{$app1,...$appN}" if there are some, but not all, apps bound
-// - "snap.$snap.*" if all apps are bound to the slot
+// - "snap.$snap_instance.$app" if there is exactly one app bound
+// - "snap.$snap_instance.{$app1,...$appN}" if there are some, but not all, apps bound
+// - "snap.$snap_instance.*" if all apps are bound to the slot
 func appLabelExpr(apps map[string]*snap.AppInfo, snap *snap.Info) string {
 	var buf bytes.Buffer
-	fmt.Fprintf(&buf, `"snap.%s.`, snap.Name())
+	fmt.Fprintf(&buf, `"snap.%s.`, snap.InstanceName())
 	if len(apps) == 1 {
 		for appName := range apps {
 			buf.WriteString(appName)
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/utils_test.go snapd-2.37~rc1~14.04/interfaces/builtin/utils_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/utils_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/utils_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -77,15 +77,28 @@
 func MockConnectedPlug(c *C, yaml string, si *snap.SideInfo, plugName string) (*interfaces.ConnectedPlug, *snap.PlugInfo) {
 	info := snaptest.MockInfo(c, yaml, si)
 	if plugInfo, ok := info.Plugs[plugName]; ok {
-		return interfaces.NewConnectedPlug(plugInfo, nil), plugInfo
+		return interfaces.NewConnectedPlug(plugInfo, nil, nil), plugInfo
 	}
-	panic(fmt.Sprintf("cannot find plug %q in snap %q", plugName, info.Name()))
+	panic(fmt.Sprintf("cannot find plug %q in snap %q", plugName, info.InstanceName()))
 }
 
 func MockConnectedSlot(c *C, yaml string, si *snap.SideInfo, slotName string) (*interfaces.ConnectedSlot, *snap.SlotInfo) {
 	info := snaptest.MockInfo(c, yaml, si)
 	if slotInfo, ok := info.Slots[slotName]; ok {
-		return interfaces.NewConnectedSlot(slotInfo, nil), slotInfo
+		return interfaces.NewConnectedSlot(slotInfo, nil, nil), slotInfo
+	}
+	panic(fmt.Sprintf("cannot find slot %q in snap %q", slotName, info.InstanceName()))
+}
+
+func MockHotplugSlot(c *C, yaml string, si *snap.SideInfo, hotplugKey, ifaceName, slotName string, staticAttrs map[string]interface{}) *snap.SlotInfo {
+	info := snaptest.MockInfo(c, yaml, si)
+	if _, ok := info.Slots[slotName]; ok {
+		panic(fmt.Sprintf("slot %q already present in the snap yaml", slotName))
+	}
+	return &snap.SlotInfo{
+		Snap:       info,
+		Name:       slotName,
+		Attrs:      staticAttrs,
+		HotplugKey: hotplugKey,
 	}
-	panic(fmt.Sprintf("cannot find slot %q in snap %q", slotName, info.Name()))
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/wayland.go snapd-2.37~rc1~14.04/interfaces/builtin/wayland.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/wayland.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/wayland.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -53,11 +53,9 @@
 /dev/tty[0-9]* rw,
 
 # Create the Wayland socket and lock file
-owner /run/user/[0-9]*/wayland-[0-9]* rw,
+owner /run/user/[0-9]*/wayland-[0-9]* rwk,
 # Allow access to common client Wayland sockets from non-snap clients
-/run/user/[0-9]*/wayland-shared-* rw,
-/run/user/[0-9]*/wayland-cursor-shared-* rw,
-/run/user/[0-9]*/xwayland-shared-* rw,
+/run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
 
 # Allow write access to create /run/user/* to create XDG_RUNTIME_DIR (until lp:1738197 is fixed)
 /run/user/[0-9]*/ w,
@@ -93,9 +91,7 @@
 
 const waylandConnectedSlotAppArmor = `
 # Allow access to common client Wayland sockets for connected snaps
-owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/wayland-shared-* rw,
-owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/wayland-cursor-shared-* rw,
-owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/xwayland-shared-* rw,
+owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
 `
 
 const waylandConnectedPlugAppArmor = `
@@ -128,7 +124,7 @@
 func (iface *waylandInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
 	if !release.OnClassic {
 		old := "###PLUG_SECURITY_TAGS###"
-		new := "snap." + plug.Snap().Name() // forms the snap-specific subdirectory name of /run/user/*/ used for XDG_RUNTIME_DIR
+		new := "snap." + plug.Snap().InstanceName() // forms the snap-instance-specific subdirectory name of /run/user/*/ used for XDG_RUNTIME_DIR
 		snippet := strings.Replace(waylandConnectedSlotAppArmor, old, new, -1)
 		spec.AddSnippet(snippet)
 	}
@@ -151,6 +147,7 @@
 
 func (iface *waylandInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
 	if !release.OnClassic {
+		spec.TriggerSubsystem("input")
 		spec.TagDevice(`KERNEL=="tty[0-9]*"`)
 		spec.TagDevice(`KERNEL=="mice"`)
 		spec.TagDevice(`KERNEL=="mouse[0-9]*"`)
@@ -160,7 +157,7 @@
 	return nil
 }
 
-func (iface *waylandInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
+func (iface *waylandInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
 	// allow what declarations allowed
 	return true
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/wayland_test.go snapd-2.37~rc1~14.04/interfaces/builtin/wayland_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/wayland_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/wayland_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -104,7 +104,7 @@
 	spec = &apparmor.Specification{}
 	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.coreSlot), IsNil)
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.wayland.app1"})
-	c.Assert(spec.SnippetForTag("snap.wayland.app1"), testutil.Contains, "owner /run/user/[0-9]*/snap.consumer/wayland-shared-* rw,")
+	c.Assert(spec.SnippetForTag("snap.wayland.app1"), testutil.Contains, "owner /run/user/[0-9]*/snap.consumer/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,")
 
 	// permanent core slot
 	spec = &apparmor.Specification{}
@@ -182,6 +182,7 @@
 	c.Assert(spec.Snippets(), testutil.Contains, `# wayland
 KERNEL=="tty[0-9]*", TAG+="snap_wayland_app1"`)
 	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_wayland_app1", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_wayland_app1 $devpath $major:$minor"`)
+	c.Assert(spec.TriggeredSubsystems(), DeepEquals, []string{"input"})
 
 	// on a classic system with wayland slot coming from the core snap.
 	restore = release.MockOnClassic(true)
@@ -190,6 +191,7 @@
 	spec = &udev.Specification{}
 	c.Assert(spec.AddPermanentSlot(s.iface, s.coreSlotInfo), IsNil)
 	c.Assert(spec.Snippets(), HasLen, 0)
+	c.Assert(spec.TriggeredSubsystems(), IsNil)
 }
 
 func (s *WaylandInterfaceSuite) TestStaticInfo(c *C) {
@@ -201,9 +203,8 @@
 }
 
 func (s *WaylandInterfaceSuite) TestAutoConnect(c *C) {
-	// FIXME fix AutoConnect methods to use ConnectedPlug/Slot
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.coreSlotInfo}), Equals, true)
-	c.Assert(s.iface.AutoConnect(&interfaces.Plug{PlugInfo: s.plugInfo}, &interfaces.Slot{SlotInfo: s.classicSlotInfo}), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.coreSlotInfo), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.classicSlotInfo), Equals, true)
 }
 
 func (s *WaylandInterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/x11.go snapd-2.37~rc1~14.04/interfaces/builtin/x11.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/x11.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/x11.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -19,19 +19,96 @@
 
 package builtin
 
-const x11Summary = `allows interacting with the X11 server`
+import (
+	"strings"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/snap"
+)
+
+const x11Summary = `allows interacting with or running as an X11 server`
 
 const x11BaseDeclarationSlots = `
   x11:
     allow-installation:
       slot-snap-type:
+        - app
         - core
+    deny-connection:
+      on-classic: false
+    deny-auto-connection:
+      on-classic: false
+`
+
+const x11PermanentSlotAppArmor = `
+# Description: Allow operating as an X11 display server. This gives privileged access
+# to the system.
+
+# needed since X11 is a display server and needs to configure tty devices
+capability sys_tty_config,
+/dev/tty[0-9]* rw,
+
+# Needed for mode setting via drmSetMaster() and drmDropMaster()
+capability sys_admin,
+
+# NOTE: this allows reading and inserting all input events
+/dev/input/* rw,
+
+# For using udev
+network netlink raw,
+/run/udev/data/c13:[0-9]* r,
+/run/udev/data/+input:input[0-9]* r,
+/run/udev/data/+platform:* r,
+
+# the unix socket to use to connect to the display
+unix (bind, listen, accept)
+     type=stream
+     addr="@/tmp/.X11-unix/X[0-9]*",
+unix (bind, listen, accept)
+     type=stream
+     addr="@/tmp/.ICE-unix/[0-9]*",
+
+# For Xorg to detect screens
+/sys/devices/pci**/boot_vga r,
+/sys/devices/pci**/resources r,
+`
+
+const x11PermanentSlotSecComp = `
+# Description: Allow operating as an X11 server. This gives privileged access
+# to the system.
+# Needed for server launch
+bind
+listen
+# Needed by server upon client connect
+accept
+accept4
+# for udev
+socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
+`
+
+const x11ConnectedSlotAppArmor = `
+# Description: Allow clients access to the X11 server socket
+unix (connect, receive, send, accept)
+    type=stream
+    addr="@/tmp/.X11-unix/X[0-9]*"
+    peer=(label=###PLUG_SECURITY_TAGS###),
+unix (connect, receive, send, accept)
+    type=stream
+    addr="@/tmp/.ICE-unix/[0-9]*"
+    peer=(label=###PLUG_SECURITY_TAGS###),
 `
 
 const x11ConnectedPlugAppArmor = `
 # Description: Can access the X server. Restricted because X does not prevent
 # eavesdropping or apps interfering with one another.
 
+# The X abstraction doesn't check the peer label, but in this case that's
+# ok because x11ConnectedSlotAppArmor will limit which clients can connect
+# to the slot implementation.
 #include <abstractions/X>
 #include <abstractions/fonts>
 owner @{HOME}/.local/share/fonts/{,**} r,
@@ -60,14 +137,53 @@
 bind
 `
 
+type x11Interface struct {
+	commonInterface
+}
+
+func (iface *x11Interface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	if !release.OnClassic {
+		old := "###PLUG_SECURITY_TAGS###"
+		new := plugAppLabelExpr(plug)
+		snippet := strings.Replace(x11ConnectedSlotAppArmor, old, new, -1)
+		spec.AddSnippet(snippet)
+	}
+	return nil
+}
+
+func (iface *x11Interface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
+	if !release.OnClassic {
+		spec.AddSnippet(x11PermanentSlotSecComp)
+	}
+	return nil
+}
+
+func (iface *x11Interface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
+	if !release.OnClassic {
+		spec.AddSnippet(x11PermanentSlotAppArmor)
+	}
+	return nil
+}
+
+func (iface *x11Interface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
+	if !release.OnClassic {
+		spec.TriggerSubsystem("input")
+		spec.TagDevice(`KERNEL=="tty[0-9]*"`)
+		spec.TagDevice(`KERNEL=="mice"`)
+		spec.TagDevice(`KERNEL=="mouse[0-9]*"`)
+		spec.TagDevice(`KERNEL=="event[0-9]*"`)
+		spec.TagDevice(`KERNEL=="ts[0-9]*"`)
+	}
+	return nil
+}
+
 func init() {
-	registerIface(&commonInterface{
+	registerIface(&x11Interface{commonInterface{
 		name:                  "x11",
 		summary:               x11Summary,
 		implicitOnClassic:     true,
 		baseDeclarationSlots:  x11BaseDeclarationSlots,
 		connectedPlugAppArmor: x11ConnectedPlugAppArmor,
 		connectedPlugSecComp:  x11ConnectedPlugSecComp,
-		reservedForOS:         true,
-	})
+	}})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/builtin/x11_test.go snapd-2.37~rc1~14.04/interfaces/builtin/x11_test.go
--- snapd-2.32.3.2~14.04/interfaces/builtin/x11_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/builtin/x11_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -26,41 +26,54 @@
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/builtin"
 	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
-	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
 )
 
 type X11InterfaceSuite struct {
-	iface    interfaces.Interface
-	slotInfo *snap.SlotInfo
-	slot     *interfaces.ConnectedSlot
-	plugInfo *snap.PlugInfo
-	plug     *interfaces.ConnectedPlug
+	iface           interfaces.Interface
+	coreSlotInfo    *snap.SlotInfo
+	coreSlot        *interfaces.ConnectedSlot
+	classicSlotInfo *snap.SlotInfo
+	classicSlot     *interfaces.ConnectedSlot
+	plugInfo        *snap.PlugInfo
+	plug            *interfaces.ConnectedPlug
 }
 
-const x11MockPlugSnapInfoYaml = `name: other
-version: 1.0
+var _ = Suite(&X11InterfaceSuite{
+	iface: builtin.MustInterface("x11"),
+})
+
+const x11MockPlugSnapInfoYaml = `name: consumer
+version: 0
 apps:
- app2:
-  command: foo
+ app:
   plugs: [x11]
 `
 
-var _ = Suite(&X11InterfaceSuite{
-	iface: builtin.MustInterface("x11"),
-})
+// an x11 slot on an x11 snap (as installed on a core/all-snap system)
+const x11CoreYaml = `name: x11
+version: 0
+apps:
+ app1:
+  slots: [x11]
+`
+
+// an x11 slot on the core snap (as automatically added on classic)
+const x11ClassicYaml = `name: core
+version: 0
+type: os
+slots:
+ x11:
+  interface: x11
+`
 
 func (s *X11InterfaceSuite) SetUpTest(c *C) {
-	s.slotInfo = &snap.SlotInfo{
-		Snap:      &snap.Info{SuggestedName: "core", Type: snap.TypeOS},
-		Name:      "x11",
-		Interface: "x11",
-	}
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
-	plugSnap := snaptest.MockInfo(c, x11MockPlugSnapInfoYaml, nil)
-	s.plugInfo = plugSnap.Plugs["x11"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug, s.plugInfo = MockConnectedPlug(c, x11MockPlugSnapInfoYaml, nil, "x11")
+	s.coreSlot, s.coreSlotInfo = MockConnectedSlot(c, x11CoreYaml, nil, "x11")
+	s.classicSlot, s.classicSlotInfo = MockConnectedSlot(c, x11ClassicYaml, nil, "x11")
 }
 
 func (s *X11InterfaceSuite) TestName(c *C) {
@@ -68,36 +81,135 @@
 }
 
 func (s *X11InterfaceSuite) TestSanitizeSlot(c *C) {
-	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil)
-	slot := &snap.SlotInfo{
-		Snap:      &snap.Info{SuggestedName: "some-snap"},
-		Name:      "x11",
-		Interface: "x11",
-	}
-	c.Assert(interfaces.BeforePrepareSlot(s.iface, slot), ErrorMatches,
-		"x11 slots are reserved for the core snap")
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.coreSlotInfo), IsNil)
+	c.Assert(interfaces.BeforePrepareSlot(s.iface, s.classicSlotInfo), IsNil)
 }
 
 func (s *X11InterfaceSuite) TestSanitizePlug(c *C) {
 	c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil)
 }
 
-func (s *X11InterfaceSuite) TestUsedSecuritySystems(c *C) {
-	// connected plugs have a non-nil security snippet for apparmor
-	apparmorSpec := &apparmor.Specification{}
-	err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
+func (s *X11InterfaceSuite) TestAppArmorSpec(c *C) {
+	// on a core system with x11 slot coming from a regular app snap.
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	// connected plug to core slot
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "fontconfig")
+
+	// connected core slot to plug
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.coreSlot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.x11.app1"})
+	c.Assert(spec.SnippetForTag("snap.x11.app1"), testutil.Contains, `peer=(label="snap.consumer.app"),`)
+
+	// permanent core slot
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.coreSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.x11.app1"})
+	c.Assert(spec.SnippetForTag("snap.x11.app1"), testutil.Contains, "capability sys_tty_config,")
+}
+
+func (s *X11InterfaceSuite) TestAppArmorSpecOnClassic(c *C) {
+	// on a classic system with x11 slot coming from the core snap.
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	// connected plug to classic slot
+	spec := &apparmor.Specification{}
+	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.classicSlot), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "owner /run/user/[0-9]*/.Xauthority r,")
+
+	// connected classic slot to plug
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddConnectedSlot(s.iface, s.plug, s.classicSlot), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	// permanent classic slot
+	spec = &apparmor.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.classicSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+}
+
+func (s *X11InterfaceSuite) TestSecCompOnClassic(c *C) {
+	// on a classic system with x11 slot coming from the core snap.
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	seccompSpec := &seccomp.Specification{}
+	err := seccompSpec.AddPermanentSlot(s.iface, s.classicSlotInfo)
+	c.Assert(err, IsNil)
+	err = seccompSpec.AddConnectedPlug(s.iface, s.plug, s.classicSlot)
 	c.Assert(err, IsNil)
-	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"})
-	c.Assert(apparmorSpec.SnippetForTag("snap.other.app2"), testutil.Contains, `fontconfig`)
+
+	// app snap has additional seccomp rules
+	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"})
+	c.Assert(seccompSpec.SnippetForTag("snap.consumer.app"), testutil.Contains, "bind\n")
 }
 
-// The shutdown system call is allowed
-func (s *X11InterfaceSuite) TestLP1574526(c *C) {
+func (s *X11InterfaceSuite) TestSecCompOnCore(c *C) {
+	// on a core system with x11 slot coming from a snap.
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	seccompSpec := &seccomp.Specification{}
-	err := seccompSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
+	err := seccompSpec.AddPermanentSlot(s.iface, s.coreSlotInfo)
 	c.Assert(err, IsNil)
-	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"})
-	c.Check(seccompSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "bind\n")
+	err = seccompSpec.AddConnectedPlug(s.iface, s.plug, s.coreSlot)
+	c.Assert(err, IsNil)
+
+	// both app and x11 have secomp rules set
+	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.consumer.app", "snap.x11.app1"})
+	c.Assert(seccompSpec.SnippetForTag("snap.x11.app1"), testutil.Contains, "listen\n")
+	c.Assert(seccompSpec.SnippetForTag("snap.consumer.app"), testutil.Contains, "bind\n")
+}
+
+func (s *X11InterfaceSuite) TestUDev(c *C) {
+	// on a core system with x11 slot coming from a regular app snap.
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	spec := &udev.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.coreSlotInfo), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 6)
+	c.Assert(spec.Snippets(), testutil.Contains, `# x11
+KERNEL=="event[0-9]*", TAG+="snap_x11_app1"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# x11
+KERNEL=="mice", TAG+="snap_x11_app1"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# x11
+KERNEL=="mouse[0-9]*", TAG+="snap_x11_app1"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# x11
+KERNEL=="ts[0-9]*", TAG+="snap_x11_app1"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `# x11
+KERNEL=="tty[0-9]*", TAG+="snap_x11_app1"`)
+	c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_x11_app1", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_x11_app1 $devpath $major:$minor"`)
+	c.Assert(spec.TriggeredSubsystems(), DeepEquals, []string{"input"})
+
+	// on a classic system with x11 slot coming from the core snap.
+	restore = release.MockOnClassic(true)
+	defer restore()
+
+	spec = &udev.Specification{}
+	c.Assert(spec.AddPermanentSlot(s.iface, s.coreSlotInfo), IsNil)
+	c.Assert(spec.Snippets(), HasLen, 0)
+	c.Assert(spec.TriggeredSubsystems(), IsNil)
+}
+
+func (s *X11InterfaceSuite) TestStaticInfo(c *C) {
+	si := interfaces.StaticInfoOf(s.iface)
+	c.Assert(si.ImplicitOnCore, Equals, false)
+	c.Assert(si.ImplicitOnClassic, Equals, true)
+	c.Assert(si.Summary, Equals, `allows interacting with or running as an X11 server`)
+	c.Assert(si.BaseDeclarationSlots, testutil.Contains, "x11")
+}
+
+func (s *X11InterfaceSuite) TestAutoConnect(c *C) {
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.coreSlotInfo), Equals, true)
+	c.Assert(s.iface.AutoConnect(s.plugInfo, s.classicSlotInfo), Equals, true)
 }
 
 func (s *X11InterfaceSuite) TestInterfaces(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/connection.go snapd-2.37~rc1~14.04/interfaces/connection.go
--- snapd-2.32.3.2~14.04/interfaces/connection.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/connection.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,14 +22,16 @@
 import (
 	"fmt"
 	"reflect"
+	"strings"
 
+	"github.com/snapcore/snapd/interfaces/utils"
 	"github.com/snapcore/snapd/snap"
 )
 
 // Connection represents a connection between a particular plug and slot.
 type Connection struct {
-	plug *ConnectedPlug
-	slot *ConnectedSlot
+	Plug *ConnectedPlug
+	Slot *ConnectedSlot
 }
 
 // ConnectedPlug represents a plug that is connected to a slot.
@@ -49,29 +51,51 @@
 // Attrer is an interface with Attr getter method common
 // to ConnectedSlot, ConnectedPlug, PlugInfo and SlotInfo types.
 type Attrer interface {
-	Attr(key string, val interface{}) error
+	// Attr returns attribute value for given path, or an error. Dotted paths are supported.
+	Attr(path string, value interface{}) error
+	// Lookup returns attribute value for given path, or false. Dotted paths are supported.
+	Lookup(path string) (value interface{}, ok bool)
 }
 
-func getAttribute(snapName string, ifaceName string, staticAttrs map[string]interface{}, dynamicAttrs map[string]interface{}, key string, val interface{}) error {
+func lookupAttr(staticAttrs map[string]interface{}, dynamicAttrs map[string]interface{}, path string) (interface{}, bool) {
 	var v interface{}
-	var ok bool
+	comps := strings.FieldsFunc(path, func(r rune) bool { return r == '.' })
+	if len(comps) == 0 {
+		return nil, false
+	}
+	if _, ok := dynamicAttrs[comps[0]]; ok {
+		v = dynamicAttrs
+	} else {
+		v = staticAttrs
+	}
 
-	v, ok = dynamicAttrs[key]
-	if !ok {
-		v, ok = staticAttrs[key]
+	for _, comp := range comps {
+		m, ok := v.(map[string]interface{})
+		if !ok {
+			return nil, false
+		}
+		v, ok = m[comp]
+		if !ok {
+			return nil, false
+		}
 	}
 
+	return v, true
+}
+
+func getAttribute(snapName string, ifaceName string, staticAttrs map[string]interface{}, dynamicAttrs map[string]interface{}, path string, val interface{}) error {
+	v, ok := lookupAttr(staticAttrs, dynamicAttrs, path)
 	if !ok {
-		return fmt.Errorf("snap %q does not have attribute %q for interface %q", snapName, key, ifaceName)
+		return fmt.Errorf("snap %q does not have attribute %q for interface %q", snapName, path, ifaceName)
 	}
 
 	rt := reflect.TypeOf(val)
 	if rt.Kind() != reflect.Ptr || val == nil {
-		return fmt.Errorf("internal error: cannot get %q attribute of interface %q with non-pointer value", key, ifaceName)
+		return fmt.Errorf("internal error: cannot get %q attribute of interface %q with non-pointer value", path, ifaceName)
 	}
 
 	if reflect.TypeOf(v) != rt.Elem() {
-		return fmt.Errorf("snap %q has interface %q with invalid value type for %q attribute", snapName, ifaceName, key)
+		return fmt.Errorf("snap %q has interface %q with invalid value type %T for %q attribute: %T", snapName, ifaceName, v, path, val)
 	}
 	rv := reflect.ValueOf(val)
 	rv.Elem().Set(reflect.ValueOf(v))
@@ -79,20 +103,32 @@
 }
 
 // NewConnectedSlot creates an object representing a connected slot.
-func NewConnectedSlot(slot *snap.SlotInfo, dynamicAttrs map[string]interface{}) *ConnectedSlot {
+func NewConnectedSlot(slot *snap.SlotInfo, staticAttrs, dynamicAttrs map[string]interface{}) *ConnectedSlot {
+	var static map[string]interface{}
+	if staticAttrs != nil {
+		static = staticAttrs
+	} else {
+		static = slot.Attrs
+	}
 	return &ConnectedSlot{
 		slotInfo:     slot,
-		staticAttrs:  copyAttributes(slot.Attrs),
-		dynamicAttrs: normalize(dynamicAttrs).(map[string]interface{}),
+		staticAttrs:  utils.CopyAttributes(static),
+		dynamicAttrs: utils.NormalizeInterfaceAttributes(dynamicAttrs).(map[string]interface{}),
 	}
 }
 
 // NewConnectedPlug creates an object representing a connected plug.
-func NewConnectedPlug(plug *snap.PlugInfo, dynamicAttrs map[string]interface{}) *ConnectedPlug {
+func NewConnectedPlug(plug *snap.PlugInfo, staticAttrs, dynamicAttrs map[string]interface{}) *ConnectedPlug {
+	var static map[string]interface{}
+	if staticAttrs != nil {
+		static = staticAttrs
+	} else {
+		static = plug.Attrs
+	}
 	return &ConnectedPlug{
 		plugInfo:     plug,
-		staticAttrs:  copyAttributes(plug.Attrs),
-		dynamicAttrs: normalize(dynamicAttrs).(map[string]interface{}),
+		staticAttrs:  utils.CopyAttributes(static),
+		dynamicAttrs: utils.NormalizeInterfaceAttributes(dynamicAttrs).(map[string]interface{}),
 	}
 }
 
@@ -128,19 +164,28 @@
 
 // StaticAttr returns a static attribute with the given key, or error if attribute doesn't exist.
 func (plug *ConnectedPlug) StaticAttr(key string, val interface{}) error {
-	return getAttribute(plug.Snap().Name(), plug.Interface(), plug.staticAttrs, nil, key, val)
+	return getAttribute(plug.Snap().InstanceName(), plug.Interface(), plug.staticAttrs, nil, key, val)
 }
 
 // StaticAttrs returns all static attributes.
 func (plug *ConnectedPlug) StaticAttrs() map[string]interface{} {
-	return plug.staticAttrs
+	return utils.CopyAttributes(plug.staticAttrs)
+}
+
+// DynamicAttrs returns all dynamic attributes.
+func (plug *ConnectedPlug) DynamicAttrs() map[string]interface{} {
+	return utils.CopyAttributes(plug.dynamicAttrs)
 }
 
 // Attr returns a dynamic attribute with the given name. It falls back to returning static
 // attribute if dynamic one doesn't exist. Error is returned if neither dynamic nor static
 // attribute exist.
 func (plug *ConnectedPlug) Attr(key string, val interface{}) error {
-	return getAttribute(plug.Snap().Name(), plug.Interface(), plug.staticAttrs, plug.dynamicAttrs, key, val)
+	return getAttribute(plug.Snap().InstanceName(), plug.Interface(), plug.staticAttrs, plug.dynamicAttrs, key, val)
+}
+
+func (plug *ConnectedPlug) Lookup(path string) (interface{}, bool) {
+	return lookupAttr(plug.staticAttrs, plug.dynamicAttrs, path)
 }
 
 // SetAttr sets the given dynamic attribute. Error is returned if the key is already used by a static attribute.
@@ -151,13 +196,13 @@
 	if plug.dynamicAttrs == nil {
 		plug.dynamicAttrs = make(map[string]interface{})
 	}
-	plug.dynamicAttrs[key] = normalize(value)
+	plug.dynamicAttrs[key] = utils.NormalizeInterfaceAttributes(value)
 	return nil
 }
 
 // Ref returns the PlugRef for this plug.
 func (plug *ConnectedPlug) Ref() *PlugRef {
-	return &PlugRef{Snap: plug.Snap().Name(), Name: plug.Name()}
+	return &PlugRef{Snap: plug.Snap().InstanceName(), Name: plug.Name()}
 }
 
 // Interface returns the name of the interface for this slot.
@@ -192,19 +237,28 @@
 
 // StaticAttr returns a static attribute with the given key, or error if attribute doesn't exist.
 func (slot *ConnectedSlot) StaticAttr(key string, val interface{}) error {
-	return getAttribute(slot.Snap().Name(), slot.Interface(), slot.staticAttrs, nil, key, val)
+	return getAttribute(slot.Snap().InstanceName(), slot.Interface(), slot.staticAttrs, nil, key, val)
 }
 
 // StaticAttrs returns all static attributes.
 func (slot *ConnectedSlot) StaticAttrs() map[string]interface{} {
-	return slot.staticAttrs
+	return utils.CopyAttributes(slot.staticAttrs)
+}
+
+// DynamicAttrs returns all dynamic attributes.
+func (slot *ConnectedSlot) DynamicAttrs() map[string]interface{} {
+	return utils.CopyAttributes(slot.dynamicAttrs)
 }
 
 // Attr returns a dynamic attribute with the given name. It falls back to returning static
 // attribute if dynamic one doesn't exist. Error is returned if neither dynamic nor static
 // attribute exist.
 func (slot *ConnectedSlot) Attr(key string, val interface{}) error {
-	return getAttribute(slot.Snap().Name(), slot.Interface(), slot.staticAttrs, slot.dynamicAttrs, key, val)
+	return getAttribute(slot.Snap().InstanceName(), slot.Interface(), slot.staticAttrs, slot.dynamicAttrs, key, val)
+}
+
+func (slot *ConnectedSlot) Lookup(path string) (interface{}, bool) {
+	return lookupAttr(slot.staticAttrs, slot.dynamicAttrs, path)
 }
 
 // SetAttr sets the given dynamic attribute. Error is returned if the key is already used by a static attribute.
@@ -215,62 +269,16 @@
 	if slot.dynamicAttrs == nil {
 		slot.dynamicAttrs = make(map[string]interface{})
 	}
-	slot.dynamicAttrs[key] = normalize(value)
+	slot.dynamicAttrs[key] = utils.NormalizeInterfaceAttributes(value)
 	return nil
 }
 
 // Ref returns the SlotRef for this slot.
 func (slot *ConnectedSlot) Ref() *SlotRef {
-	return &SlotRef{Snap: slot.Snap().Name(), Name: slot.Name()}
+	return &SlotRef{Snap: slot.Snap().InstanceName(), Name: slot.Name()}
 }
 
 // Interface returns the name of the interface for this connection.
 func (conn *Connection) Interface() string {
-	return conn.plug.plugInfo.Interface
-}
-
-func copyAttributes(value map[string]interface{}) map[string]interface{} {
-	return copyRecursive(value).(map[string]interface{})
-}
-
-func copyRecursive(value interface{}) interface{} {
-	// note: ensure all the mutable types (or types that need a conversion)
-	// are handled here.
-	switch v := value.(type) {
-	case []interface{}:
-		arr := make([]interface{}, len(v))
-		for i, el := range v {
-			arr[i] = copyRecursive(el)
-		}
-		return arr
-	case map[string]interface{}:
-		mp := make(map[string]interface{}, len(v))
-		for key, item := range v {
-			mp[key] = copyRecursive(item)
-		}
-		return mp
-	}
-	return value
-}
-
-func normalize(value interface{}) interface{} {
-	// Normalize ints/floats using their 64-bit variants.
-	// That kind of normalization happens in normalizeYamlValue(..) for static attributes
-	// when the yaml is loaded, but it needs to be done here as well because we're also
-	// dealing with dynamic attributes set by the code of interfaces.
-	switch v := value.(type) {
-	case int:
-		return int64(v)
-	case float32:
-		return float64(v)
-	case []interface{}:
-		for i, el := range v {
-			v[i] = normalize(el)
-		}
-	case map[string]interface{}:
-		for key, item := range v {
-			v[key] = normalize(item)
-		}
-	}
-	return value
+	return conn.Plug.plugInfo.Interface
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/connection_test.go snapd-2.37~rc1~14.04/interfaces/connection_test.go
--- snapd-2.32.3.2~14.04/interfaces/connection_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/connection_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	. "gopkg.in/check.v1"
 
+	"github.com/snapcore/snapd/interfaces/utils"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
@@ -47,6 +48,8 @@
     plug:
         interface: interface
         attr: value
+        complex:
+            c: d
 `, nil)
 	s.plug = consumer.Plugs["plug"]
 	producer := snaptest.MockInfo(c, `
@@ -58,6 +61,9 @@
     slot:
         interface: interface
         attr: value
+        number: 100
+        complex:
+            a: b
 `, nil)
 	s.slot = producer.Slots["slot"]
 }
@@ -73,7 +79,7 @@
 var _ Attrer = (*snap.SlotInfo)(nil)
 
 func (s *connSuite) TestStaticSlotAttrs(c *C) {
-	slot := NewConnectedSlot(s.slot, nil)
+	slot := NewConnectedSlot(s.slot, nil, nil)
 	c.Assert(slot, NotNil)
 
 	var val string
@@ -82,30 +88,37 @@
 
 	attrs := slot.StaticAttrs()
 	c.Assert(attrs, DeepEquals, map[string]interface{}{
-		"attr": "value",
+		"attr":    "value",
+		"number":  int64(100),
+		"complex": map[string]interface{}{"a": "b"},
 	})
 	slot.StaticAttr("attr", &val)
 	c.Assert(val, Equals, "value")
 
 	c.Assert(slot.StaticAttr("unknown", &val), ErrorMatches, `snap "producer" does not have attribute "unknown" for interface "interface"`)
-	c.Check(slot.StaticAttr("attr", &intVal), ErrorMatches, `snap "producer" has interface "interface" with invalid value type for "attr" attribute`)
+	c.Check(slot.StaticAttr("attr", &intVal), ErrorMatches, `snap "producer" has interface "interface" with invalid value type string for "attr" attribute: \*int`)
 	c.Check(slot.StaticAttr("attr", val), ErrorMatches, `internal error: cannot get "attr" attribute of interface "interface" with non-pointer value`)
+
+	// static attributes passed via args take precedence over slot.Attrs
+	slot2 := NewConnectedSlot(s.slot, map[string]interface{}{"foo": "bar"}, nil)
+	slot2.StaticAttr("foo", &val)
+	c.Assert(val, Equals, "bar")
 }
 
 func (s *connSuite) TestSlotRef(c *C) {
-	slot := NewConnectedSlot(s.slot, nil)
+	slot := NewConnectedSlot(s.slot, nil, nil)
 	c.Assert(slot, NotNil)
 	c.Assert(*slot.Ref(), DeepEquals, SlotRef{Snap: "producer", Name: "slot"})
 }
 
 func (s *connSuite) TestPlugRef(c *C) {
-	plug := NewConnectedPlug(s.plug, nil)
+	plug := NewConnectedPlug(s.plug, nil, nil)
 	c.Assert(plug, NotNil)
 	c.Assert(*plug.Ref(), DeepEquals, PlugRef{Snap: "consumer", Name: "plug"})
 }
 
 func (s *connSuite) TestStaticPlugAttrs(c *C) {
-	plug := NewConnectedPlug(s.plug, nil)
+	plug := NewConnectedPlug(s.plug, nil, nil)
 	c.Assert(plug, NotNil)
 
 	var val string
@@ -114,14 +127,20 @@
 
 	attrs := plug.StaticAttrs()
 	c.Assert(attrs, DeepEquals, map[string]interface{}{
-		"attr": "value",
+		"attr":    "value",
+		"complex": map[string]interface{}{"c": "d"},
 	})
 	plug.StaticAttr("attr", &val)
 	c.Assert(val, Equals, "value")
 
 	c.Assert(plug.StaticAttr("unknown", &val), ErrorMatches, `snap "consumer" does not have attribute "unknown" for interface "interface"`)
-	c.Check(plug.StaticAttr("attr", &intVal), ErrorMatches, `snap "consumer" has interface "interface" with invalid value type for "attr" attribute`)
+	c.Check(plug.StaticAttr("attr", &intVal), ErrorMatches, `snap "consumer" has interface "interface" with invalid value type string for "attr" attribute: \*int`)
 	c.Check(plug.StaticAttr("attr", val), ErrorMatches, `internal error: cannot get "attr" attribute of interface "interface" with non-pointer value`)
+
+	// static attributes passed via args take precedence over plug.Attrs
+	plug2 := NewConnectedPlug(s.plug, map[string]interface{}{"foo": "bar"}, nil)
+	plug2.StaticAttr("foo", &val)
+	c.Assert(val, Equals, "bar")
 }
 
 func (s *connSuite) TestDynamicSlotAttrs(c *C) {
@@ -129,7 +148,7 @@
 		"foo":    "bar",
 		"number": int(100),
 	}
-	slot := NewConnectedSlot(s.slot, attrs)
+	slot := NewConnectedSlot(s.slot, nil, attrs)
 	c.Assert(slot, NotNil)
 
 	var strVal string
@@ -152,16 +171,106 @@
 	c.Assert(num, Equals, int64(222))
 
 	c.Check(slot.Attr("unknown", &strVal), ErrorMatches, `snap "producer" does not have attribute "unknown" for interface "interface"`)
-	c.Check(slot.Attr("foo", &intVal), ErrorMatches, `snap "producer" has interface "interface" with invalid value type for "foo" attribute`)
+	c.Check(slot.Attr("foo", &intVal), ErrorMatches, `snap "producer" has interface "interface" with invalid value type string for "foo" attribute: \*int64`)
 	c.Check(slot.Attr("number", intVal), ErrorMatches, `internal error: cannot get "number" attribute of interface "interface" with non-pointer value`)
 }
 
+func (s *connSuite) TestDottedPathSlot(c *C) {
+	attrs := map[string]interface{}{
+		"nested": map[string]interface{}{
+			"foo": "bar",
+		},
+	}
+	var strVal string
+
+	slot := NewConnectedSlot(s.slot, nil, attrs)
+	c.Assert(slot, NotNil)
+
+	// static attribute complex.a
+	c.Assert(slot.Attr("complex.a", &strVal), IsNil)
+	c.Assert(strVal, Equals, "b")
+
+	v, ok := slot.Lookup("complex.a")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, Equals, "b")
+
+	// dynamic attribute nested.foo
+	c.Assert(slot.Attr("nested.foo", &strVal), IsNil)
+	c.Assert(strVal, Equals, "bar")
+
+	v, ok = slot.Lookup("nested.foo")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, Equals, "bar")
+
+	_, ok = slot.Lookup("..")
+	c.Assert(ok, Equals, false)
+}
+
+func (s *connSuite) TestDottedPathPlug(c *C) {
+	attrs := map[string]interface{}{
+		"a": "b",
+		"nested": map[string]interface{}{
+			"foo": "bar",
+		},
+	}
+	var strVal string
+
+	plug := NewConnectedPlug(s.plug, nil, attrs)
+	c.Assert(plug, NotNil)
+
+	v, ok := plug.Lookup("a")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, Equals, "b")
+
+	// static attribute complex.c
+	c.Assert(plug.Attr("complex.c", &strVal), IsNil)
+	c.Assert(strVal, Equals, "d")
+
+	v, ok = plug.Lookup("complex.c")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, Equals, "d")
+
+	// dynamic attribute nested.foo
+	c.Assert(plug.Attr("nested.foo", &strVal), IsNil)
+	c.Assert(strVal, Equals, "bar")
+
+	v, ok = plug.Lookup("nested.foo")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, Equals, "bar")
+
+	_, ok = plug.Lookup("nested.x")
+	c.Assert(ok, Equals, false)
+
+	_, ok = plug.Lookup("nested.foo.y")
+	c.Assert(ok, Equals, false)
+
+	_, ok = plug.Lookup("..")
+	c.Assert(ok, Equals, false)
+}
+
+func (s *connSuite) TestLookupFailure(c *C) {
+	attrs := map[string]interface{}{}
+
+	slot := NewConnectedSlot(s.slot, nil, attrs)
+	c.Assert(slot, NotNil)
+	plug := NewConnectedPlug(s.plug, nil, attrs)
+	c.Assert(plug, NotNil)
+
+	v, ok := slot.Lookup("a")
+	c.Assert(ok, Equals, false)
+	c.Assert(v, IsNil)
+
+	v, ok = plug.Lookup("a")
+	c.Assert(ok, Equals, false)
+	c.Assert(v, IsNil)
+}
+
 func (s *connSuite) TestDynamicPlugAttrs(c *C) {
 	attrs := map[string]interface{}{
 		"foo":    "bar",
 		"number": int(100),
 	}
-	plug := NewConnectedPlug(s.plug, attrs)
+	plug := NewConnectedPlug(s.plug, nil, attrs)
 	c.Assert(plug, NotNil)
 
 	var strVal string
@@ -184,16 +293,16 @@
 	c.Assert(num, Equals, int64(222))
 
 	c.Check(plug.Attr("unknown", &strVal), ErrorMatches, `snap "consumer" does not have attribute "unknown" for interface "interface"`)
-	c.Check(plug.Attr("foo", &intVal), ErrorMatches, `snap "consumer" has interface "interface" with invalid value type for "foo" attribute`)
+	c.Check(plug.Attr("foo", &intVal), ErrorMatches, `snap "consumer" has interface "interface" with invalid value type string for "foo" attribute: \*int64`)
 	c.Check(plug.Attr("number", intVal), ErrorMatches, `internal error: cannot get "number" attribute of interface "interface" with non-pointer value`)
 }
 
 func (s *connSuite) TestOverwriteStaticAttrError(c *C) {
 	attrs := map[string]interface{}{}
 
-	plug := NewConnectedPlug(s.plug, attrs)
+	plug := NewConnectedPlug(s.plug, nil, attrs)
 	c.Assert(plug, NotNil)
-	slot := NewConnectedSlot(s.slot, attrs)
+	slot := NewConnectedSlot(s.slot, nil, attrs)
 	c.Assert(slot, NotNil)
 
 	err := plug.SetAttr("attr", "overwrite")
@@ -214,7 +323,7 @@
 		"e": map[string]interface{}{"e1": "E1"},
 	}
 
-	cpy := CopyAttributes(orig)
+	cpy := utils.CopyAttributes(orig)
 	c.Check(cpy, DeepEquals, orig)
 
 	cpy["d"].([]interface{})[0] = 999
@@ -222,3 +331,29 @@
 	cpy["e"].(map[string]interface{})["e1"] = "x"
 	c.Check(orig["e"].(map[string]interface{})["e1"], Equals, "E1")
 }
+
+func (s *connSuite) TestNewConnectedPlugExplicitStaticAttrs(c *C) {
+	staticAttrs := map[string]interface{}{
+		"baz": "boom",
+	}
+	dynAttrs := map[string]interface{}{
+		"foo": "bar",
+	}
+	plug := NewConnectedPlug(s.plug, staticAttrs, dynAttrs)
+	c.Assert(plug, NotNil)
+	c.Assert(plug.StaticAttrs(), DeepEquals, map[string]interface{}{"baz": "boom"})
+	c.Assert(plug.DynamicAttrs(), DeepEquals, map[string]interface{}{"foo": "bar"})
+}
+
+func (s *connSuite) TestNewConnectedSlotExplicitStaticAttrs(c *C) {
+	staticAttrs := map[string]interface{}{
+		"baz": "boom",
+	}
+	dynAttrs := map[string]interface{}{
+		"foo": "bar",
+	}
+	slot := NewConnectedSlot(s.slot, staticAttrs, dynAttrs)
+	c.Assert(slot, NotNil)
+	c.Assert(slot.StaticAttrs(), DeepEquals, map[string]interface{}{"baz": "boom"})
+	c.Assert(slot.DynamicAttrs(), DeepEquals, map[string]interface{}{"foo": "bar"})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/core.go snapd-2.37~rc1~14.04/interfaces/core.go
--- snapd-2.32.3.2~14.04/interfaces/core.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/core.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,22 +27,11 @@
 	"github.com/snapcore/snapd/snap"
 )
 
-// Plug represents the potential of a given snap to connect to a slot.
-type Plug struct {
-	*snap.PlugInfo
-	Connections []SlotRef `json:"connections,omitempty"`
-}
-
-// Ref returns reference to a plug
-func (plug *Plug) Ref() PlugRef {
-	return PlugRef{Snap: plug.Snap.Name(), Name: plug.Name}
-}
-
 // Sanitize plug with a given snapd interface.
 func BeforePreparePlug(iface Interface, plugInfo *snap.PlugInfo) error {
 	if iface.Name() != plugInfo.Interface {
 		return fmt.Errorf("cannot sanitize plug %q (interface %q) using interface %q",
-			PlugRef{Snap: plugInfo.Snap.Name(), Name: plugInfo.Name}, plugInfo.Interface, iface.Name())
+			PlugRef{Snap: plugInfo.Snap.InstanceName(), Name: plugInfo.Name}, plugInfo.Interface, iface.Name())
 	}
 	var err error
 	if iface, ok := iface.(PlugSanitizer); ok {
@@ -62,22 +51,11 @@
 	return fmt.Sprintf("%s:%s", ref.Snap, ref.Name)
 }
 
-// Slot represents a capacity offered by a snap.
-type Slot struct {
-	*snap.SlotInfo
-	Connections []PlugRef `json:"connections,omitempty"`
-}
-
-// Ref returns reference to a slot
-func (slot *Slot) Ref() SlotRef {
-	return SlotRef{Snap: slot.Snap.Name(), Name: slot.Name}
-}
-
 // Sanitize slot with a given snapd interface.
 func BeforePrepareSlot(iface Interface, slotInfo *snap.SlotInfo) error {
 	if iface.Name() != slotInfo.Interface {
 		return fmt.Errorf("cannot sanitize slot %q (interface %q) using interface %q",
-			SlotRef{Snap: slotInfo.Snap.Name(), Name: slotInfo.Name}, slotInfo.Interface, iface.Name())
+			SlotRef{Snap: slotInfo.Snap.InstanceName(), Name: slotInfo.Name}, slotInfo.Interface, iface.Name())
 	}
 	var err error
 	if iface, ok := iface.(SlotSanitizer); ok {
@@ -122,8 +100,8 @@
 // NewConnRef creates a connection reference for given plug and slot
 func NewConnRef(plug *snap.PlugInfo, slot *snap.SlotInfo) *ConnRef {
 	return &ConnRef{
-		PlugRef: PlugRef{Snap: plug.Snap.Name(), Name: plug.Name},
-		SlotRef: SlotRef{Snap: slot.Snap.Name(), Name: slot.Name},
+		PlugRef: PlugRef{Snap: plug.Snap.InstanceName(), Name: plug.Name},
+		SlotRef: SlotRef{Snap: slot.Snap.InstanceName(), Name: slot.Name},
 	}
 }
 
@@ -133,22 +111,22 @@
 }
 
 // ParseConnRef parses an ID string
-func ParseConnRef(id string) (ConnRef, error) {
+func ParseConnRef(id string) (*ConnRef, error) {
 	var conn ConnRef
 	parts := strings.SplitN(id, " ", 2)
 	if len(parts) != 2 {
-		return conn, fmt.Errorf("malformed connection identifier: %q", id)
+		return nil, fmt.Errorf("malformed connection identifier: %q", id)
 	}
 	plugParts := strings.Split(parts[0], ":")
 	slotParts := strings.Split(parts[1], ":")
 	if len(plugParts) != 2 || len(slotParts) != 2 {
-		return conn, fmt.Errorf("malformed connection identifier: %q", id)
+		return nil, fmt.Errorf("malformed connection identifier: %q", id)
 	}
 	conn.PlugRef.Snap = plugParts[0]
 	conn.PlugRef.Name = plugParts[1]
 	conn.SlotRef.Snap = slotParts[0]
 	conn.SlotRef.Name = slotParts[1]
-	return conn, nil
+	return &conn, nil
 }
 
 // Interface describes a group of interchangeable capabilities with common features.
@@ -162,7 +140,7 @@
 	// implicitly auto-connected assuming they will be an
 	// unambiguous connection candidate and declaration-based checks
 	// allow.
-	AutoConnect(plug *Plug, slot *Slot) bool
+	AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool
 }
 
 // PlugSanitizer can be implemented by Interfaces that have reasons to sanitize their plugs.
@@ -238,17 +216,7 @@
 	SecuritySystemd SecuritySystem = "systemd"
 )
 
-// Regular expression describing correct identifiers.
-var validName = regexp.MustCompile("^[a-z](?:-?[a-z0-9])*$")
-
-// ValidateName checks if a string can be used as a plug or slot name.
-func ValidateName(name string) error {
-	valid := validName.MatchString(name)
-	if !valid {
-		return fmt.Errorf("invalid interface name: %q", name)
-	}
-	return nil
-}
+var isValidBusName = regexp.MustCompile(`^[a-zA-Z_-][a-zA-Z0-9_-]*(\.[a-zA-Z_-][a-zA-Z0-9_-]*)+$`).MatchString
 
 // ValidateDBusBusName checks if a string conforms to
 // https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names
@@ -259,9 +227,18 @@
 		return fmt.Errorf("DBus bus name is too long (must be <= 255)")
 	}
 
-	validBusName := regexp.MustCompile("^[a-zA-Z_-][a-zA-Z0-9_-]*(\\.[a-zA-Z_-][a-zA-Z0-9_-]*)+$")
-	if !validBusName.MatchString(busName) {
+	if !isValidBusName(busName) {
 		return fmt.Errorf("invalid DBus bus name: %q", busName)
 	}
 	return nil
 }
+
+// UnknownPlugSlotError is an error reported when plug or slot cannot be found.
+type UnknownPlugSlotError struct {
+	Msg string
+}
+
+// Error returns the message associated with unknown plug or slot error.
+func (e *UnknownPlugSlotError) Error() string {
+	return e.Msg
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/core_test.go snapd-2.37~rc1~14.04/interfaces/core_test.go
--- snapd-2.32.3.2~14.04/interfaces/core_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/core_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -51,38 +51,6 @@
 	s.BaseTest.TearDownTest(c)
 }
 
-func (s *CoreSuite) TestValidateName(c *C) {
-	validNames := []string{
-		"a", "aa", "aaa", "aaaa",
-		"a-a", "aa-a", "a-aa", "a-b-c",
-		"a0", "a-0", "a-0a",
-	}
-	for _, name := range validNames {
-		err := ValidateName(name)
-		c.Assert(err, IsNil)
-	}
-	invalidNames := []string{
-		// name cannot be empty
-		"",
-		// dashes alone are not a name
-		"-", "--",
-		// double dashes in a name are not allowed
-		"a--a",
-		// name should not end with a dash
-		"a-",
-		// name cannot have any spaces in it
-		"a ", " a", "a a",
-		// a number alone is not a name
-		"0", "123",
-		// identifier must be plain ASCII
-		"日本語", "한글", "ру́сский язы́к",
-	}
-	for _, name := range invalidNames {
-		err := ValidateName(name)
-		c.Assert(err, ErrorMatches, `invalid interface name: ".*"`)
-	}
-}
-
 func (s *CoreSuite) TestValidateDBusBusName(c *C) {
 	// https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names
 	validNames := []string{
@@ -136,14 +104,6 @@
 	c.Assert(err, ErrorMatches, `DBus bus name is too long \(must be <= 255\)`)
 }
 
-// Plug.Ref works as expected
-func (s *CoreSuite) TestPlugRef(c *C) {
-	plug := &Plug{PlugInfo: &snap.PlugInfo{Snap: &snap.Info{SuggestedName: "consumer"}, Name: "plug"}}
-	ref := plug.Ref()
-	c.Check(ref.Snap, Equals, "consumer")
-	c.Check(ref.Name, Equals, "plug")
-}
-
 // PlugRef.String works as expected
 func (s *CoreSuite) TestPlugRefString(c *C) {
 	ref := PlugRef{Snap: "snap", Name: "plug"}
@@ -152,14 +112,6 @@
 	c.Check(refPtr.String(), Equals, "snap:plug")
 }
 
-// Slot.Ref works as expected
-func (s *CoreSuite) TestSlotRef(c *C) {
-	slot := &Slot{SlotInfo: &snap.SlotInfo{Snap: &snap.Info{SuggestedName: "producer"}, Name: "slot"}}
-	ref := slot.Ref()
-	c.Check(ref.Snap, Equals, "producer")
-	c.Check(ref.Name, Equals, "slot")
-}
-
 // SlotRef.String works as expected
 func (s *CoreSuite) TestSlotRefString(c *C) {
 	ref := SlotRef{Snap: "snap", Name: "slot"}
@@ -181,7 +133,7 @@
 func (s *CoreSuite) TestParseConnRef(c *C) {
 	ref, err := ParseConnRef("consumer:plug producer:slot")
 	c.Assert(err, IsNil)
-	c.Check(ref, DeepEquals, ConnRef{
+	c.Check(ref, DeepEquals, &ConnRef{
 		PlugRef: PlugRef{Snap: "consumer", Name: "plug"},
 		SlotRef: SlotRef{Snap: "producer", Name: "slot"},
 	})
diff -Nru snapd-2.32.3.2~14.04/interfaces/dbus/backend.go snapd-2.37~rc1~14.04/interfaces/dbus/backend.go
--- snapd-2.32.3.2~14.04/interfaces/dbus/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/dbus/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -78,7 +78,7 @@
 //
 // DBus has no concept of a complain mode so confinment type is ignored.
 func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error {
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	// Get the snippets that apply to this snap
 	spec, err := repo.SnapSpecification(b.Name(), snapName)
 	if err != nil {
@@ -86,6 +86,8 @@
 	}
 
 	// core on classic is special
+	//
+	// TODO: we need to deal with the "snapd" snap here soon
 	if snapName == "core" && release.OnClassic {
 		if err := setupDbusServiceForUserd(snapInfo); err != nil {
 			logger.Noticef("cannot create host `snap userd` dbus service file: %s", err)
@@ -168,3 +170,8 @@
 func (b *Backend) NewSpecification() interfaces.Specification {
 	return &Specification{}
 }
+
+// SandboxFeatures returns list of features supported by snapd for dbus communication.
+func (b *Backend) SandboxFeatures() []string {
+	return []string{"mediated-bus-access"}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/dbus/backend_test.go snapd-2.37~rc1~14.04/interfaces/dbus/backend_test.go
--- snapd-2.32.3.2~14.04/interfaces/dbus/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/dbus/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -73,7 +73,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.smbd.conf")
 		// file called "snap.sambda.smbd.conf" was created
 		_, err := os.Stat(profile)
@@ -93,7 +93,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.HookYaml, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.HookYaml, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.foo.hook.configure.conf")
 
 		// Verify that "snap.foo.hook.configure.conf" was created
@@ -110,7 +110,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.RemoveSnap(c, snapInfo)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.smbd.conf")
 		// file called "snap.sambda.smbd.conf" was removed
@@ -130,7 +130,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.HookYaml, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.HookYaml, 0)
 		s.RemoveSnap(c, snapInfo)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.foo.hook.configure.conf")
 
@@ -147,7 +147,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1WithNmbd, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.nmbd.conf")
 		// file called "snap.sambda.nmbd.conf" was created
@@ -168,7 +168,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlWithHook, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.hook.configure.conf")
 
@@ -186,7 +186,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1WithNmbd, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1WithNmbd, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.nmbd.conf")
 		// file called "snap.sambda.nmbd.conf" was removed
@@ -207,7 +207,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlWithHook, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlWithHook, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.hook.configure.conf")
 
@@ -227,7 +227,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.smbd.conf")
 		c.Check(profile, testutil.FileEquals, "<?xml>\n<policy>...</policy>\n</xml>")
 		stat, err := os.Stat(profile)
@@ -239,7 +239,7 @@
 
 func (s *backendSuite) TestCombineSnippetsWithoutAnySnippets(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.smbd.conf")
 		_, err := os.Stat(profile)
 		// Without any snippets, there the .conf file is not created.
@@ -266,7 +266,7 @@
 	}
 	// Install a snap with two apps, only one of which needs a .conf file
 	// because the interface is app-bound.
-	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{}, sambaYamlWithIfaceBoundToNmbd, 0)
+	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{}, "", sambaYamlWithIfaceBoundToNmbd, 0)
 	defer s.RemoveSnap(c, snapInfo)
 	// Check that only one of the .conf files is actually created
 	_, err := os.Stat(filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.smbd.conf"))
@@ -274,3 +274,7 @@
 	_, err = os.Stat(filepath.Join(dirs.SnapBusPolicyDir, "snap.samba.nmbd.conf"))
 	c.Check(err, IsNil)
 }
+
+func (s *backendSuite) TestSandboxFeatures(c *C) {
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"mediated-bus-access"})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/dbus/spec_test.go snapd-2.37~rc1~14.04/interfaces/dbus/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/dbus/spec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/dbus/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -83,8 +83,8 @@
 
 func (s *specSuite) SetUpTest(c *C) {
 	s.spec = &dbus.Specification{}
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 // The spec.Specification can be used through the interfaces.Specification interface
diff -Nru snapd-2.32.3.2~14.04/interfaces/export_test.go snapd-2.37~rc1~14.04/interfaces/export_test.go
--- snapd-2.32.3.2~14.04/interfaces/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,18 +25,6 @@
 func (c ByConnRef) Swap(i, j int)      { byConnRef(c).Swap(i, j) }
 func (c ByConnRef) Less(i, j int) bool { return byConnRef(c).Less(i, j) }
 
-type BySlotRef bySlotRef
-
-func (c BySlotRef) Len() int           { return bySlotRef(c).Len() }
-func (c BySlotRef) Swap(i, j int)      { bySlotRef(c).Swap(i, j) }
-func (c BySlotRef) Less(i, j int) bool { return bySlotRef(c).Less(i, j) }
-
-type ByPlugRef byPlugRef
-
-func (c ByPlugRef) Len() int           { return byPlugRef(c).Len() }
-func (c ByPlugRef) Swap(i, j int)      { byPlugRef(c).Swap(i, j) }
-func (c ByPlugRef) Less(i, j int) bool { return byPlugRef(c).Less(i, j) }
-
 type ByPlugSnapAndName byPlugSnapAndName
 
 func (c ByPlugSnapAndName) Len() int           { return byPlugSnapAndName(c).Len() }
@@ -49,28 +37,30 @@
 func (c BySlotSnapAndName) Swap(i, j int)      { bySlotSnapAndName(c).Swap(i, j) }
 func (c BySlotSnapAndName) Less(i, j int) bool { return bySlotSnapAndName(c).Less(i, j) }
 
-type ByBackendName byBackendName
-
-func (c ByBackendName) Len() int           { return byBackendName(c).Len() }
-func (c ByBackendName) Swap(i, j int)      { byBackendName(c).Swap(i, j) }
-func (c ByBackendName) Less(i, j int) bool { return byBackendName(c).Less(i, j) }
-
 type ByInterfaceName byInterfaceName
 
 func (c ByInterfaceName) Len() int           { return byInterfaceName(c).Len() }
 func (c ByInterfaceName) Swap(i, j int)      { byInterfaceName(c).Swap(i, j) }
 func (c ByInterfaceName) Less(i, j int) bool { return byInterfaceName(c).Less(i, j) }
 
-type ByPlugInfo byPlugInfo
-
-func (c ByPlugInfo) Len() int           { return byPlugInfo(c).Len() }
-func (c ByPlugInfo) Swap(i, j int)      { byPlugInfo(c).Swap(i, j) }
-func (c ByPlugInfo) Less(i, j int) bool { return byPlugInfo(c).Less(i, j) }
-
-type BySlotInfo bySlotInfo
-
-func (c BySlotInfo) Len() int           { return bySlotInfo(c).Len() }
-func (c BySlotInfo) Swap(i, j int)      { bySlotInfo(c).Swap(i, j) }
-func (c BySlotInfo) Less(i, j int) bool { return bySlotInfo(c).Less(i, j) }
-
-var CopyAttributes = copyAttributes
+var (
+	FindSnapdPath = findSnapdPath
+)
+
+// MockIsHomeUsingNFS mocks the real implementation of osutil.IsHomeUsingNFS
+func MockIsHomeUsingNFS(new func() (bool, error)) (restore func()) {
+	old := isHomeUsingNFS
+	isHomeUsingNFS = new
+	return func() {
+		isHomeUsingNFS = old
+	}
+}
+
+// MockOsReadlink mocks the real implementation of os.Readlink
+func MockOsReadlink(new func(string) (string, error)) (restore func()) {
+	old := osReadlink
+	osReadlink = new
+	return func() {
+		osReadlink = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/hotplug/deviceinfo.go snapd-2.37~rc1~14.04/interfaces/hotplug/deviceinfo.go
--- snapd-2.32.3.2~14.04/interfaces/hotplug/deviceinfo.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/hotplug/deviceinfo.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,87 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hotplug
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/snapcore/snapd/dirs"
+)
+
+// HotplugDeviceInfo carries information about added/removed device detected at runtime.
+type HotplugDeviceInfo struct {
+	// map of all attributes returned for given uevent.
+	data map[string]string
+}
+
+// NewHotplugDeviceInfo creates HotplugDeviceInfo structure related to udev add or remove event.
+func NewHotplugDeviceInfo(env map[string]string) (*HotplugDeviceInfo, error) {
+	if _, ok := env["DEVPATH"]; !ok {
+		return nil, fmt.Errorf("missing device path attribute")
+	}
+	return &HotplugDeviceInfo{
+		data: env,
+	}, nil
+}
+
+// Returns the value of "SUBSYSTEM" attribute of the udev event associated with the device, e.g. "usb".
+// Subsystem value is always present.
+func (h *HotplugDeviceInfo) Subsystem() string {
+	return h.data["SUBSYSTEM"]
+}
+
+// Returns full device path under /sysfs, e.g /sys/devices/pci0000:00/0000:00:14.0/usb1/1-2.
+// The path is derived from DEVPATH attribute of the udev event.
+func (h *HotplugDeviceInfo) DevicePath() string {
+	// DEVPATH is guaranteed to exist (checked in the ctor).
+	path, _ := h.Attribute("DEVPATH")
+	return filepath.Join(dirs.SysfsDir, path)
+}
+
+// Returns the value of "MINOR" attribute of the udev event associated with the device.
+// The Minor value may be empty.
+func (h *HotplugDeviceInfo) Minor() string {
+	return h.data["MINOR"]
+}
+
+// Returns the value of "MAJOR" attribute of the udev event associated with the device.
+// The Major value may be empty.
+func (h *HotplugDeviceInfo) Major() string {
+	return h.data["MAJOR"]
+}
+
+// Returns the value of "DEVNAME" attribute of the udev event associated with the device, e.g. "ttyUSB0".
+// The DeviceName value may be empty.
+func (h *HotplugDeviceInfo) DeviceName() string {
+	return h.data["DEVNAME"]
+}
+
+// Returns the value of "DEVTYPE" attribute of the udev event associated with the device, e.g. "usb_device".
+// The DeviceType value may be empty.
+func (h *HotplugDeviceInfo) DeviceType() string {
+	return h.data["DEVTYPE"]
+}
+
+// Generic method for getting arbitrary attribute from the uevent data.
+func (h *HotplugDeviceInfo) Attribute(name string) (string, bool) {
+	val, ok := h.data[name]
+	return val, ok
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/hotplug/deviceinfo_test.go snapd-2.37~rc1~14.04/interfaces/hotplug/deviceinfo_test.go
--- snapd-2.32.3.2~14.04/interfaces/hotplug/deviceinfo_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/hotplug/deviceinfo_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,98 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hotplug
+
+import (
+	"path/filepath"
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/testutil"
+)
+
+func Test(t *testing.T) { TestingT(t) }
+
+type hotplugSuite struct {
+	testutil.BaseTest
+}
+
+var _ = Suite(&hotplugSuite{})
+
+func (s *hotplugSuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+	dirs.SetRootDir(c.MkDir())
+}
+
+func (s *hotplugSuite) TearDownTest(c *C) {
+	s.BaseTest.TearDownTest(c)
+	dirs.SetRootDir("")
+}
+
+func (s *hotplugSuite) TestBasicProperties(c *C) {
+	env := map[string]string{
+		"DEVPATH": "/devices/pci0000:00/0000:00:14.0/usb2/2-3", "DEVNAME": "bus/usb/002/003",
+		"DEVTYPE": "usb_device",
+		"PRODUCT": "1d50/6108/0", "DEVNUM": "003",
+		"SEQNUM": "4053",
+		"ACTION": "add", "SUBSYSTEM": "usb",
+		"MAJOR": "189", "MINOR": "130",
+		"TYPE": "0/0/0", "BUSNUM": "002",
+	}
+
+	di, err := NewHotplugDeviceInfo(env)
+	c.Assert(err, IsNil)
+
+	c.Assert(di.DeviceName(), Equals, "bus/usb/002/003")
+	c.Assert(di.DeviceType(), Equals, "usb_device")
+	c.Assert(di.DevicePath(), Equals, filepath.Join(dirs.SysfsDir, "/devices/pci0000:00/0000:00:14.0/usb2/2-3"))
+	c.Assert(di.Subsystem(), Equals, "usb")
+	c.Assert(di.Major(), Equals, "189")
+	c.Assert(di.Minor(), Equals, "130")
+
+	minor, ok := di.Attribute("MINOR")
+	c.Assert(ok, Equals, true)
+	c.Assert(minor, Equals, "130")
+
+	_, ok = di.Attribute("FOO")
+	c.Assert(ok, Equals, false)
+}
+
+func (s *hotplugSuite) TestPropertiesMissing(c *C) {
+	env := map[string]string{
+		"DEVPATH": "/devices/pci0000:00/0000:00:14.0/usb2/2-3",
+		"ACTION":  "add", "SUBSYSTEM": "usb",
+	}
+
+	di, err := NewHotplugDeviceInfo(map[string]string{})
+	c.Assert(err, NotNil)
+	c.Assert(err, ErrorMatches, `missing device path attribute`)
+
+	di, err = NewHotplugDeviceInfo(env)
+	c.Assert(err, IsNil)
+
+	c.Assert(di.DeviceName(), Equals, "")
+	c.Assert(di.DeviceType(), Equals, "")
+	c.Assert(di.DevicePath(), Equals, filepath.Join(dirs.SysfsDir, "/devices/pci0000:00/0000:00:14.0/usb2/2-3"))
+	c.Assert(di.Subsystem(), Equals, "usb")
+	c.Assert(di.Major(), Equals, "")
+	c.Assert(di.Minor(), Equals, "")
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/hotplug/spec.go snapd-2.37~rc1~14.04/interfaces/hotplug/spec.go
--- snapd-2.32.3.2~14.04/interfaces/hotplug/spec.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/hotplug/spec.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,89 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hotplug
+
+import (
+	"fmt"
+
+	"github.com/snapcore/snapd/interfaces/utils"
+
+	"github.com/snapcore/snapd/snap"
+)
+
+// Definer can be implemented by interfaces that need to create slots in response to hotplug events.
+type Definer interface {
+	HotplugDeviceDetected(di *HotplugDeviceInfo, spec *Specification) error
+}
+
+// HotplugKeyHandler can be implemented by interfaces that need to provide a non-standard key for hotplug devices.
+type HotplugKeyHandler interface {
+	HotplugKey(di *HotplugDeviceInfo) (string, error)
+}
+
+// RequestedSlotSpec is a definition of the slot to create in response to a hotplug event.
+type RequestedSlotSpec struct {
+	// Name is how the interface wants to name the slot. When left empty,
+	// one will be generated on demand. The hotplug machinery appends a
+	// suffix to ensure uniqueness of the name.
+	Name  string
+	Label string
+	Attrs map[string]interface{}
+}
+
+// Specification contains a slot definition to create in response to a hotplug event.
+type Specification struct {
+	slot *RequestedSlotSpec
+}
+
+// NewSpecification creates an empty hotplug Specification.
+func NewSpecification() *Specification {
+	return &Specification{}
+}
+
+// SetSlot sets the slot specification.
+func (h *Specification) SetSlot(slotSpec *RequestedSlotSpec) error {
+	if h.slot != nil {
+		return fmt.Errorf("slot specification already created")
+	}
+	// only validate name if not empty, otherwise name is created by hotplug
+	// subsystem later on when the spec is processed.
+	if slotSpec.Name != "" {
+		if err := snap.ValidateSlotName(slotSpec.Name); err != nil {
+			return err
+		}
+	}
+	attrs := slotSpec.Attrs
+	if attrs == nil {
+		attrs = make(map[string]interface{})
+	} else {
+		attrs = utils.CopyAttributes(slotSpec.Attrs)
+	}
+	h.slot = &RequestedSlotSpec{
+		Name:  slotSpec.Name,
+		Label: slotSpec.Label,
+		Attrs: utils.NormalizeInterfaceAttributes(attrs).(map[string]interface{}),
+	}
+	return nil
+}
+
+// Slot returns the specification of the requested slot.
+func (h *Specification) Slot() *RequestedSlotSpec {
+	return h.slot
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/hotplug/spec_test.go snapd-2.37~rc1~14.04/interfaces/hotplug/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/hotplug/spec_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/hotplug/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,71 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hotplug
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type hotplugSpecSuite struct {
+	testutil.BaseTest
+}
+
+var _ = Suite(&hotplugSpecSuite{})
+
+func (s *hotplugSpecSuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+	dirs.SetRootDir(c.MkDir())
+}
+
+func (s *hotplugSpecSuite) TearDownTest(c *C) {
+	s.BaseTest.TearDownTest(c)
+	dirs.SetRootDir("")
+}
+
+func (s *hotplugSpecSuite) TestSetSlot(c *C) {
+	spec := NewSpecification()
+	c.Assert(spec.SetSlot(&RequestedSlotSpec{Name: "slot1", Label: "A slot", Attrs: map[string]interface{}{"foo": "bar"}}), IsNil)
+	c.Assert(spec.Slot(), DeepEquals, &RequestedSlotSpec{Name: "slot1", Label: "A slot", Attrs: map[string]interface{}{"foo": "bar"}})
+}
+
+func (s *hotplugSpecSuite) TestSetSlotEmptyName(c *C) {
+	spec := NewSpecification()
+	c.Assert(spec.SetSlot(&RequestedSlotSpec{Label: "A slot", Attrs: map[string]interface{}{"foo": "bar"}}), IsNil)
+	c.Assert(spec.Slot(), DeepEquals, &RequestedSlotSpec{Name: "", Label: "A slot", Attrs: map[string]interface{}{"foo": "bar"}})
+}
+
+func (s *hotplugSpecSuite) TestSetSlotInvalidName(c *C) {
+	spec := NewSpecification()
+	err := spec.SetSlot(&RequestedSlotSpec{Name: "slot!", Label: "A slot"})
+	c.Assert(err, ErrorMatches, `invalid slot name: "slot!"`)
+}
+
+func (s *hotplugSpecSuite) TestAddSlotAlreadyCreated(c *C) {
+	spec := NewSpecification()
+	c.Assert(spec.SetSlot(&RequestedSlotSpec{Name: "slot1", Label: "A slot", Attrs: map[string]interface{}{"foo": "bar"}}), IsNil)
+	err := spec.SetSlot(&RequestedSlotSpec{Name: "slot1", Label: "A slot", Attrs: map[string]interface{}{"foo": "bar"}})
+	c.Assert(err, NotNil)
+	c.Assert(err, ErrorMatches, `slot specification already created`)
+
+	c.Assert(spec.Slot(), DeepEquals, &RequestedSlotSpec{Name: "slot1", Label: "A slot", Attrs: map[string]interface{}{"foo": "bar"}})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/hotplug/udevadm.go snapd-2.37~rc1~14.04/interfaces/hotplug/udevadm.go
--- snapd-2.32.3.2~14.04/interfaces/hotplug/udevadm.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/hotplug/udevadm.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,126 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hotplug
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+// udevadm export output is divided in per-device blocks, blocks are separated
+// with empty lines, each block starts with device path (P:) line, within a block
+// there is one attribute per line, example:
+//
+// P: /devices/virtual/workqueue/nvme-wq
+// E: DEVPATH=/devices/virtual/workqueue/nvme-wq
+// E: SUBSYSTEM=workqueue
+// <empty-line>
+// P: /devices/virtual/block/dm-1
+// N: dm-1
+// S: disk/by-id/dm-name-linux-root
+// E: DEVNAME=/dev/dm-1
+// E: USEC_INITIALIZED=8899394
+// <empty-line>
+
+var udevadmBin = `udevadm`
+
+func parseEnvBlock(block string) (map[string]string, error) {
+	env := make(map[string]string)
+	for i, line := range strings.Split(block, "\n") {
+		if i == 0 && !strings.HasPrefix(line, "P: ") {
+			return nil, fmt.Errorf("no device block marker found before %q", line)
+		}
+		// We are only interested in 'E' properties as they carry all the interesting data,
+		// including DEVPATH and DEVNAME which seem to mirror the 'P' and 'N' values.
+		if strings.HasPrefix(line, "E: ") {
+			if kv := strings.SplitN(line[3:], "=", 2); len(kv) == 2 {
+				env[kv[0]] = kv[1]
+			} else {
+				return nil, fmt.Errorf("cannot parse udevadm output %q", line)
+			}
+		}
+	}
+	return env, nil
+}
+
+func scanDoubleNewline(data []byte, atEOF bool) (advance int, token []byte, err error) {
+	if atEOF && len(data) == 0 {
+		return 0, nil, nil
+	}
+
+	if i := bytes.Index(data, []byte("\n\n")); i >= 0 {
+		// we found data
+		return i + 2, data[0:i], nil
+	}
+
+	// If we're at EOF, return what is left.
+	if atEOF {
+		return len(data), data, nil
+	}
+	// Request more data.
+	return 0, nil, nil
+}
+
+func parseUdevadmOutput(cmd *exec.Cmd, rd *bufio.Scanner) (devices []*HotplugDeviceInfo, parseErrors []error) {
+	for rd.Scan() {
+		block := rd.Text()
+		env, err := parseEnvBlock(block)
+		if err != nil {
+			parseErrors = append(parseErrors, err)
+		} else {
+			dev, err := NewHotplugDeviceInfo(env)
+			if err != nil {
+				parseErrors = append(parseErrors, err)
+			} else {
+				devices = append(devices, dev)
+			}
+		}
+	}
+
+	if err := rd.Err(); err != nil {
+		parseErrors = append(parseErrors, fmt.Errorf("cannot read udevadm output: %s", err))
+	}
+	if err := cmd.Wait(); err != nil {
+		parseErrors = append(parseErrors, fmt.Errorf("cannot read udevadm output: %s", err))
+	}
+	return devices, parseErrors
+}
+
+// EnumerateExistingDevices enumerates all devices by parsing 'udevadm info -e' command output.
+// Non-fatal parsing errors are reported via parseErrors and they don't stop the parser.
+func EnumerateExistingDevices() (devices []*HotplugDeviceInfo, parseErrors []error, fatalError error) {
+	cmd := exec.Command(udevadmBin, "info", "-e")
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	rd := bufio.NewScanner(stdout)
+	rd.Split(scanDoubleNewline)
+	if err = cmd.Start(); err != nil {
+		return nil, nil, err
+	}
+
+	devices, parseErrors = parseUdevadmOutput(cmd, rd)
+	return devices, parseErrors, nil
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/hotplug/udevadm_test.go snapd-2.37~rc1~14.04/interfaces/hotplug/udevadm_test.go
--- snapd-2.32.3.2~14.04/interfaces/hotplug/udevadm_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/hotplug/udevadm_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,126 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hotplug
+
+import (
+	"github.com/snapcore/snapd/testutil"
+
+	. "gopkg.in/check.v1"
+)
+
+type udevadmSuite struct {
+	testutil.BaseTest
+}
+
+var _ = Suite(&udevadmSuite{})
+
+func (s *udevadmSuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+}
+
+func (s *udevadmSuite) TearDownTest(c *C) {
+	s.BaseTest.TearDownTest(c)
+}
+
+func (s *udevadmSuite) TestParsingHappy(c *C) {
+	cmd := testutil.MockCommand(c, udevadmBin, `#!/bin/sh
+cat << __END__
+P: /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0
+E: DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0
+E: DRIVER=ftdi_sio
+E: SUBSYSTEM=usb-serial
+
+P: /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0/tty/ttyUSB0
+N: ttyUSB0
+S: serial/by-id/usb-FTDI_FT232R_USB_UART_AH06W0EQ-if00-port0
+S: serial/by-path/pci-0000:00:14.0-usb-0:2:1.0-port0
+E: DEVLINKS=/dev/serial/by-path/pci-0000:00:14.0-usb-0:2:1.0-port0 /dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH06W0EQ-if00-port0
+E: DEVNAME=/dev/ttyUSB0
+E: DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0/tty/ttyUSB0
+E: ID_BUS=usb
+E: ID_MODEL=FT232R_USB_UART
+E: ID_MODEL_FROM_DATABASE=FT232 Serial (UART) IC
+E: ID_MODEL_ID=6001
+E: ID_PATH=pci-0000:00:14.0-usb-0:2:1.0
+E: ID_PATH_TAG=pci-0000_00_14_0-usb-0_2_1_0
+E: ID_PCI_CLASS_FROM_DATABASE=Serial bus controller
+E: ID_PCI_INTERFACE_FROM_DATABASE=XHCI
+E: ID_PCI_SUBCLASS_FROM_DATABASE=USB controller
+E: ID_REVISION=0600
+E: ID_SERIAL=FTDI_FT232R_USB_UART_AH06W0EQ
+E: ID_SERIAL_SHORT=AH06W0EQ
+E: ID_TYPE=generic
+E: ID_USB_DRIVER=ftdi_sio
+E: ID_USB_INTERFACES=:ffffff:
+E: ID_USB_INTERFACE_NUM=00
+E: ID_VENDOR=FTDI
+E: ID_VENDOR_FROM_DATABASE=Future Technology Devices International, Ltd
+E: ID_VENDOR_ID=0403
+E: MAJOR=188
+E: MINOR=0
+E: SUBSYSTEM=tty
+E: TAGS=:systemd:
+__END__
+`)
+	defer cmd.Restore()
+
+	devices, perrs, err := EnumerateExistingDevices()
+	c.Assert(err, IsNil)
+	c.Assert(perrs, HasLen, 0)
+	c.Assert(devices, HasLen, 2)
+
+	v, _ := devices[0].Attribute("DEVPATH")
+	c.Assert(v, Equals, "/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0")
+
+	v, _ = devices[1].Attribute("DEVPATH")
+	c.Assert(v, Equals, "/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0/tty/ttyUSB0")
+
+	v, _ = devices[1].Attribute("MAJOR")
+	c.Assert(v, Equals, "188")
+
+	v, _ = devices[1].Attribute("TAGS")
+	c.Assert(v, Equals, ":systemd:")
+}
+
+func (s *udevadmSuite) TestParsingError(c *C) {
+	cmd := testutil.MockCommand(c, udevadmBin, `#!/bin/sh
+cat << __END__
+P: /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0
+E: DEVPATH
+
+E: K=V
+
+P: /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0
+E: DEVPATH=foo
+__END__
+`)
+	defer cmd.Restore()
+
+	devices, perrs, err := EnumerateExistingDevices()
+	c.Assert(err, IsNil)
+	c.Assert(perrs, HasLen, 2)
+	c.Assert(perrs[0], ErrorMatches, `cannot parse udevadm output "E: DEVPATH"`)
+	c.Assert(perrs[1], ErrorMatches, `no device block marker found before "E: K=V"`)
+
+	// successfully parsed devices are still reported
+	c.Assert(devices, HasLen, 1)
+	v, _ := devices[0].Attribute("DEVPATH")
+	c.Assert(v, Equals, "foo")
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/ifacetest/backend.go snapd-2.37~rc1~14.04/interfaces/ifacetest/backend.go
--- snapd-2.32.3.2~14.04/interfaces/ifacetest/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/ifacetest/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,6 +35,8 @@
 	SetupCallback func(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error
 	// RemoveCallback is a callback that is optionally called in Remove
 	RemoveCallback func(snapName string) error
+	// SandboxFeaturesCallback is a callback that is optionally called in SandboxFeatures
+	SandboxFeaturesCallback func() []string
 }
 
 // TestSetupCall stores details about calls to TestSecurityBackend.Setup
@@ -76,3 +78,10 @@
 func (b *TestSecurityBackend) NewSpecification() interfaces.Specification {
 	return &Specification{}
 }
+
+func (b *TestSecurityBackend) SandboxFeatures() []string {
+	if b.SandboxFeaturesCallback == nil {
+		return nil
+	}
+	return b.SandboxFeaturesCallback()
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/ifacetest/backendtest.go snapd-2.37~rc1~14.04/interfaces/ifacetest/backendtest.go
--- snapd-2.32.3.2~14.04/interfaces/ifacetest/backendtest.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/ifacetest/backendtest.go	2019-01-16 08:36:51.000000000 +0000
@@ -147,10 +147,17 @@
 // Support code for tests
 
 // InstallSnap "installs" a snap from YAML.
-func (s *BackendSuite) InstallSnap(c *C, opts interfaces.ConfinementOptions, snapYaml string, revision int) *snap.Info {
+func (s *BackendSuite) InstallSnap(c *C, opts interfaces.ConfinementOptions, instanceName, snapYaml string, revision int) *snap.Info {
 	snapInfo := snaptest.MockInfo(c, snapYaml, &snap.SideInfo{
 		Revision: snap.R(revision),
 	})
+
+	if instanceName != "" {
+		_, instanceKey := snap.SplitInstanceName(instanceName)
+		snapInfo.InstanceKey = instanceKey
+		c.Assert(snapInfo.InstanceName(), Equals, instanceName)
+	}
+
 	s.addPlugsSlots(c, snapInfo)
 	err := s.Backend.Setup(snapInfo, opts, s.Repo)
 	c.Assert(err, IsNil)
@@ -162,7 +169,7 @@
 	newSnapInfo := snaptest.MockInfo(c, snapYaml, &snap.SideInfo{
 		Revision: snap.R(revision),
 	})
-	c.Assert(newSnapInfo.Name(), Equals, oldSnapInfo.Name())
+	c.Assert(newSnapInfo.InstanceName(), Equals, oldSnapInfo.InstanceName())
 	s.removePlugsSlots(c, oldSnapInfo)
 	s.addPlugsSlots(c, newSnapInfo)
 	err := s.Backend.Setup(newSnapInfo, opts, s.Repo)
@@ -172,7 +179,7 @@
 
 // RemoveSnap "removes" an "installed" snap.
 func (s *BackendSuite) RemoveSnap(c *C, snapInfo *snap.Info) {
-	err := s.Backend.Remove(snapInfo.Name())
+	err := s.Backend.Remove(snapInfo.InstanceName())
 	c.Assert(err, IsNil)
 	s.removePlugsSlots(c, snapInfo)
 }
@@ -189,12 +196,12 @@
 }
 
 func (s *BackendSuite) removePlugsSlots(c *C, snapInfo *snap.Info) {
-	for _, plug := range s.Repo.Plugs(snapInfo.Name()) {
-		err := s.Repo.RemovePlug(plug.Snap.Name(), plug.Name)
+	for _, plug := range s.Repo.Plugs(snapInfo.InstanceName()) {
+		err := s.Repo.RemovePlug(plug.Snap.InstanceName(), plug.Name)
 		c.Assert(err, IsNil)
 	}
-	for _, slot := range s.Repo.Slots(snapInfo.Name()) {
-		err := s.Repo.RemoveSlot(slot.Snap.Name(), slot.Name)
+	for _, slot := range s.Repo.Slots(snapInfo.InstanceName()) {
+		err := s.Repo.RemoveSlot(slot.Snap.InstanceName(), slot.Name)
 		c.Assert(err, IsNil)
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/ifacetest/spec_test.go snapd-2.37~rc1~14.04/interfaces/ifacetest/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/ifacetest/spec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/ifacetest/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -70,8 +70,8 @@
 
 func (s *SpecificationSuite) SetUpTest(c *C) {
 	s.spec = &ifacetest.Specification{}
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 // AddSnippet is not broken
diff -Nru snapd-2.32.3.2~14.04/interfaces/ifacetest/testiface.go snapd-2.37~rc1~14.04/interfaces/ifacetest/testiface.go
--- snapd-2.32.3.2~14.04/interfaces/ifacetest/testiface.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/ifacetest/testiface.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/dbus"
+	"github.com/snapcore/snapd/interfaces/hotplug"
 	"github.com/snapcore/snapd/interfaces/kmod"
 	"github.com/snapcore/snapd/interfaces/mount"
 	"github.com/snapcore/snapd/interfaces/seccomp"
@@ -38,14 +39,14 @@
 	InterfaceName       string
 	InterfaceStaticInfo interfaces.StaticInfo
 	// AutoConnectCallback is the callback invoked inside AutoConnect
-	AutoConnectCallback func(*interfaces.Plug, *interfaces.Slot) bool
+	AutoConnectCallback func(*snap.PlugInfo, *snap.SlotInfo) bool
 	// BeforePreparePlugCallback is the callback invoked inside BeforePreparePlug()
 	BeforePreparePlugCallback func(plug *snap.PlugInfo) error
 	// BeforePrepareSlotCallback is the callback invoked inside BeforePrepareSlot()
 	BeforePrepareSlotCallback func(slot *snap.SlotInfo) error
 
-	ValidatePlugCallback func(plug *interfaces.Plug, attrs map[string]interface{}) error
-	ValidateSlotCallback func(slot *interfaces.Slot, attrs map[string]interface{}) error
+	BeforeConnectPlugCallback func(plug *interfaces.ConnectedPlug) error
+	BeforeConnectSlotCallback func(slot *interfaces.ConnectedSlot) error
 
 	// Support for interacting with the test backend.
 
@@ -104,6 +105,17 @@
 	SystemdPermanentSlotCallback func(spec *systemd.Specification, slot *snap.SlotInfo) error
 }
 
+// TestHotplugInterface is an interface for various kinds of tests
+// needing a hotplug-aware interface.  It is public so that it can be
+// consumed from other packages.
+type TestHotplugInterface struct {
+	TestInterface
+
+	// Support for interacting with hotplug subsystem.
+	HotplugKeyCallback            func(deviceInfo *hotplug.HotplugDeviceInfo) (string, error)
+	HotplugDeviceDetectedCallback func(deviceInfo *hotplug.HotplugDeviceInfo, spec *hotplug.Specification) error
+}
+
 // String() returns the same value as Name().
 func (t *TestInterface) String() string {
 	return t.Name()
@@ -134,16 +146,16 @@
 	return nil
 }
 
-func (t *TestInterface) ValidatePlug(plug *interfaces.Plug, attrs map[string]interface{}) error {
-	if t.ValidatePlugCallback != nil {
-		return t.ValidatePlugCallback(plug, attrs)
+func (t *TestInterface) BeforeConnectPlug(plug *interfaces.ConnectedPlug) error {
+	if t.BeforeConnectPlugCallback != nil {
+		return t.BeforeConnectPlugCallback(plug)
 	}
 	return nil
 }
 
-func (t *TestInterface) ValidateSlot(slot *interfaces.Slot, attrs map[string]interface{}) error {
-	if t.ValidateSlotCallback != nil {
-		return t.ValidateSlotCallback(slot, attrs)
+func (t *TestInterface) BeforeConnectSlot(slot *interfaces.ConnectedSlot) error {
+	if t.BeforeConnectSlotCallback != nil {
+		return t.BeforeConnectSlotCallback(slot)
 	}
 	return nil
 }
@@ -151,7 +163,7 @@
 // AutoConnect returns whether plug and slot should be implicitly
 // auto-connected assuming they will be an unambiguous connection
 // candidate.
-func (t *TestInterface) AutoConnect(plug *interfaces.Plug, slot *interfaces.Slot) bool {
+func (t *TestInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
 	if t.AutoConnectCallback != nil {
 		return t.AutoConnectCallback(plug, slot)
 	}
@@ -398,3 +410,19 @@
 	}
 	return nil
 }
+
+// Support for interacting with hotplug subsystem.
+
+func (t *TestHotplugInterface) HotplugKey(deviceInfo *hotplug.HotplugDeviceInfo) (string, error) {
+	if t.HotplugKeyCallback != nil {
+		return t.HotplugKeyCallback(deviceInfo)
+	}
+	return "", nil
+}
+
+func (t *TestHotplugInterface) HotplugDeviceDetected(deviceInfo *hotplug.HotplugDeviceInfo, spec *hotplug.Specification) error {
+	if t.HotplugDeviceDetectedCallback != nil {
+		return t.HotplugDeviceDetectedCallback(deviceInfo, spec)
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/ifacetest/testiface_test.go snapd-2.37~rc1~14.04/interfaces/ifacetest/testiface_test.go
--- snapd-2.32.3.2~14.04/interfaces/ifacetest/testiface_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/ifacetest/testiface_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,6 +27,7 @@
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/dbus"
+	"github.com/snapcore/snapd/interfaces/hotplug"
 	"github.com/snapcore/snapd/interfaces/ifacetest"
 	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/snap"
@@ -62,8 +63,8 @@
 // TestInterface has a working Name() function
 func (s *TestInterfaceSuite) TestName(c *C) {
 	c.Assert(s.iface.Name(), Equals, "test")
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *TestInterfaceSuite) TestStaticInfo(c *C) {
@@ -73,27 +74,27 @@
 }
 
 // TestInterface has provisions to customize validation
-/*func (s *TestInterfaceSuite) TestValidatePlugError(c *C) {
+func (s *TestInterfaceSuite) TestBeforeConnectPlugError(c *C) {
 	iface := &ifacetest.TestInterface{
 		InterfaceName: "test",
-		ValidatePlugCallback: func(plug *interfaces.Plug, attrs map[string]interface{}) error {
-			return fmt.Errorf("validate plug failed")
+		BeforeConnectPlugCallback: func(plug *interfaces.ConnectedPlug) error {
+			return fmt.Errorf("plug validation failed")
 		},
 	}
-	err := iface.ValidatePlug(s.plug, nil)
-	c.Assert(err, ErrorMatches, "validate plug failed")
+	err := iface.BeforeConnectPlug(s.plug)
+	c.Assert(err, ErrorMatches, "plug validation failed")
 }
 
-func (s *TestInterfaceSuite) TestValidateSlotError(c *C) {
+func (s *TestInterfaceSuite) TestBeforeConnectSlotError(c *C) {
 	iface := &ifacetest.TestInterface{
 		InterfaceName: "test",
-		ValidateSlotCallback: func(slot *interfaces.Slot, attrs map[string]interface{}) error {
-			return fmt.Errorf("validate slot failed")
+		BeforeConnectSlotCallback: func(slot *interfaces.ConnectedSlot) error {
+			return fmt.Errorf("slot validation failed")
 		},
 	}
-	err := iface.ValidateSlot(s.slot, nil)
-	c.Assert(err, ErrorMatches, "validate slot failed")
-}*/
+	err := iface.BeforeConnectSlot(s.slot)
+	c.Assert(err, ErrorMatches, "slot validation failed")
+}
 
 // TestInterface doesn't do any sanitization by default
 func (s *TestInterfaceSuite) TestSanitizePlugOK(c *C) {
@@ -164,7 +165,78 @@
 func (s *TestInterfaceSuite) TestAutoConnect(c *C) {
 	c.Check(s.iface.AutoConnect(nil, nil), Equals, true)
 
-	iface := &ifacetest.TestInterface{AutoConnectCallback: func(*interfaces.Plug, *interfaces.Slot) bool { return false }}
+	iface := &ifacetest.TestInterface{AutoConnectCallback: func(*snap.PlugInfo, *snap.SlotInfo) bool { return false }}
 
 	c.Check(iface.AutoConnect(nil, nil), Equals, false)
 }
+
+func (s *TestInterfaceSuite) TestHotplugKeyError(c *C) {
+	iface := &ifacetest.TestHotplugInterface{
+		TestInterface: ifacetest.TestInterface{
+			InterfaceName: "test",
+		},
+		HotplugKeyCallback: func(deviceInfo *hotplug.HotplugDeviceInfo) (string, error) {
+			return "", fmt.Errorf("error")
+		},
+	}
+
+	c.Assert(iface.Name(), Equals, "test")
+
+	dev := &hotplug.HotplugDeviceInfo{}
+	key, err := iface.HotplugKey(dev)
+	c.Assert(err, ErrorMatches, "error")
+	c.Assert(key, Equals, "")
+}
+
+func (s *TestInterfaceSuite) TestHotplugKeyOK(c *C) {
+	var iface interfaces.Interface
+	iface = &ifacetest.TestHotplugInterface{
+		TestInterface: ifacetest.TestInterface{
+			InterfaceName: "test",
+		},
+		HotplugKeyCallback: func(deviceInfo *hotplug.HotplugDeviceInfo) (string, error) {
+			return "key", nil
+		},
+	}
+
+	hotplugIface, ok := iface.(hotplug.HotplugKeyHandler)
+	c.Assert(ok, Equals, true)
+
+	dev := &hotplug.HotplugDeviceInfo{}
+	key, err := hotplugIface.HotplugKey(dev)
+	c.Assert(err, IsNil)
+	c.Assert(key, Equals, "key")
+}
+
+func (s *TestInterfaceSuite) TestHotplugDeviceDetectedOK(c *C) {
+	iface := &ifacetest.TestHotplugInterface{
+		TestInterface: ifacetest.TestInterface{
+			InterfaceName: "test",
+		},
+		HotplugDeviceDetectedCallback: func(deviceInfo *hotplug.HotplugDeviceInfo, spec *hotplug.Specification) error {
+			spec.SetSlot(&hotplug.RequestedSlotSpec{
+				Name: "slot",
+			})
+			return nil
+		},
+	}
+
+	dev := &hotplug.HotplugDeviceInfo{}
+	spec := hotplug.NewSpecification()
+	c.Assert(iface.HotplugDeviceDetected(dev, spec), IsNil)
+	c.Assert(spec.Slot().Name, Equals, "slot")
+}
+
+func (s *TestInterfaceSuite) TestHotplugDeviceDetectedError(c *C) {
+	iface := &ifacetest.TestHotplugInterface{
+		TestInterface: ifacetest.TestInterface{
+			InterfaceName: "test",
+		},
+		HotplugDeviceDetectedCallback: func(deviceInfo *hotplug.HotplugDeviceInfo, spec *hotplug.Specification) error {
+			return fmt.Errorf("error")
+		},
+	}
+	dev := &hotplug.HotplugDeviceInfo{}
+	spec := hotplug.NewSpecification()
+	c.Assert(iface.HotplugDeviceDetected(dev, spec), ErrorMatches, "error")
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/json.go snapd-2.37~rc1~14.04/interfaces/json.go
--- snapd-2.32.3.2~14.04/interfaces/json.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/json.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,118 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package interfaces
-
-import (
-	"encoding/json"
-)
-
-// plugJSON aids in marshaling Plug into JSON.
-type plugJSON struct {
-	Snap        string                 `json:"snap"`
-	Name        string                 `json:"plug"`
-	Interface   string                 `json:"interface,omitempty"`
-	Attrs       map[string]interface{} `json:"attrs,omitempty"`
-	Apps        []string               `json:"apps,omitempty"`
-	Label       string                 `json:"label,omitempty"`
-	Connections []SlotRef              `json:"connections,omitempty"`
-}
-
-// MarshalJSON returns the JSON encoding of plug.
-func (plug *Plug) MarshalJSON() ([]byte, error) {
-	var names []string
-	for name := range plug.Apps {
-		names = append(names, name)
-	}
-	return json.Marshal(&plugJSON{
-		Snap:        plug.Snap.Name(),
-		Name:        plug.Name,
-		Interface:   plug.Interface,
-		Attrs:       plug.Attrs,
-		Apps:        names,
-		Label:       plug.Label,
-		Connections: plug.Connections,
-	})
-}
-
-// slotJSON aids in marshaling Slot into JSON.
-type slotJSON struct {
-	Snap        string                 `json:"snap"`
-	Name        string                 `json:"slot"`
-	Interface   string                 `json:"interface,omitempty"`
-	Attrs       map[string]interface{} `json:"attrs,omitempty"`
-	Apps        []string               `json:"apps,omitempty"`
-	Label       string                 `json:"label,omitempty"`
-	Connections []PlugRef              `json:"connections,omitempty"`
-}
-
-// MarshalJSON returns the JSON encoding of slot.
-func (slot *Slot) MarshalJSON() ([]byte, error) {
-	var names []string
-	for name := range slot.Apps {
-		names = append(names, name)
-	}
-	return json.Marshal(&slotJSON{
-		Snap:        slot.Snap.Name(),
-		Name:        slot.Name,
-		Interface:   slot.Interface,
-		Attrs:       slot.Attrs,
-		Apps:        names,
-		Label:       slot.Label,
-		Connections: slot.Connections,
-	})
-}
-
-// interfaceInfoJSON aids in marshaling Info into JSON.
-type interfaceInfoJSON struct {
-	Name    string      `json:"name,omitempty"`
-	Summary string      `json:"summary,omitempty"`
-	DocURL  string      `json:"doc-url,omitempty"`
-	Plugs   []*plugJSON `json:"plugs,omitempty"`
-	Slots   []*slotJSON `json:"slots,omitempty"`
-}
-
-// MarshalJSON returns the JSON encoding of Info.
-func (info *Info) MarshalJSON() ([]byte, error) {
-	plugs := make([]*plugJSON, 0, len(info.Plugs))
-	for _, plug := range info.Plugs {
-		plugs = append(plugs, &plugJSON{
-			Snap:  plug.Snap.Name(),
-			Name:  plug.Name,
-			Attrs: plug.Attrs,
-			Label: plug.Label,
-		})
-	}
-	slots := make([]*slotJSON, 0, len(info.Slots))
-	for _, slot := range info.Slots {
-		slots = append(slots, &slotJSON{
-			Snap:  slot.Snap.Name(),
-			Name:  slot.Name,
-			Attrs: slot.Attrs,
-			Label: slot.Label,
-		})
-	}
-	return json.Marshal(&interfaceInfoJSON{
-		Name:    info.Name,
-		Summary: info.Summary,
-		DocURL:  info.DocURL,
-		Plugs:   plugs,
-		Slots:   slots,
-	})
-}
diff -Nru snapd-2.32.3.2~14.04/interfaces/json_test.go snapd-2.37~rc1~14.04/interfaces/json_test.go
--- snapd-2.32.3.2~14.04/interfaces/json_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/json_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,147 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2014-2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package interfaces_test
-
-import (
-	"encoding/json"
-
-	. "gopkg.in/check.v1"
-
-	. "github.com/snapcore/snapd/interfaces"
-	"github.com/snapcore/snapd/snap"
-)
-
-type JSONSuite struct {
-	plug *Plug
-	slot *Slot
-}
-
-var _ = Suite(&JSONSuite{
-	plug: &Plug{
-		PlugInfo: &snap.PlugInfo{
-			Snap:      &snap.Info{SuggestedName: "snap-name"},
-			Name:      "plug-name",
-			Interface: "interface",
-			Attrs:     map[string]interface{}{"key": "value"},
-			Apps: map[string]*snap.AppInfo{
-				"app-name": {
-					Name: "app-name",
-				},
-			},
-			Label: "label",
-		},
-		Connections: []SlotRef{{
-			Snap: "other-snap-name",
-			Name: "slot-name",
-		}},
-	},
-	slot: &Slot{
-		SlotInfo: &snap.SlotInfo{
-			Snap:      &snap.Info{SuggestedName: "snap-name"},
-			Name:      "slot-name",
-			Interface: "interface",
-			Attrs:     map[string]interface{}{"key": "value"},
-			Apps: map[string]*snap.AppInfo{
-				"app-name": {
-					Name: "app-name",
-				},
-			},
-			Label: "label",
-		},
-		Connections: []PlugRef{{
-			Snap: "other-snap-name",
-			Name: "plug-name",
-		}},
-	},
-})
-
-func (s *JSONSuite) TestPlugMarshalJSON(c *C) {
-	data, err := json.Marshal(s.plug)
-	c.Assert(err, IsNil)
-	var repr map[string]interface{}
-	err = json.Unmarshal(data, &repr)
-	c.Assert(err, IsNil)
-	c.Check(repr, DeepEquals, map[string]interface{}{
-		"snap":      "snap-name",
-		"plug":      "plug-name",
-		"interface": "interface",
-		"attrs":     map[string]interface{}{"key": "value"},
-		"apps":      []interface{}{"app-name"},
-		"label":     "label",
-		"connections": []interface{}{
-			map[string]interface{}{"snap": "other-snap-name", "slot": "slot-name"},
-		},
-	})
-}
-
-func (s *JSONSuite) TestSlotMarshalJSON(c *C) {
-	data, err := json.Marshal(s.slot)
-	c.Assert(err, IsNil)
-	var repr map[string]interface{}
-	err = json.Unmarshal(data, &repr)
-	c.Assert(err, IsNil)
-	c.Check(repr, DeepEquals, map[string]interface{}{
-		"snap":      "snap-name",
-		"slot":      "slot-name",
-		"interface": "interface",
-		"attrs":     map[string]interface{}{"key": "value"},
-		"apps":      []interface{}{"app-name"},
-		"label":     "label",
-		"connections": []interface{}{
-			map[string]interface{}{"snap": "other-snap-name", "plug": "plug-name"},
-		},
-	})
-}
-
-func (s *JSONSuite) TestInfoMarshalJSON(c *C) {
-	ifaceInfo := &Info{
-		Name:    "iface",
-		Summary: "interface summary",
-		DocURL:  "http://example.org/",
-		Plugs:   []*snap.PlugInfo{s.plug.PlugInfo},
-		Slots:   []*snap.SlotInfo{s.slot.SlotInfo},
-	}
-	data, err := json.Marshal(ifaceInfo)
-	c.Assert(err, IsNil)
-	var repr map[string]interface{}
-	err = json.Unmarshal(data, &repr)
-	c.Assert(err, IsNil)
-	c.Check(repr, DeepEquals, map[string]interface{}{
-		"name":    "iface",
-		"summary": "interface summary",
-		"doc-url": "http://example.org/",
-		"plugs": []interface{}{
-			map[string]interface{}{
-				"snap":  "snap-name",
-				"plug":  "plug-name",
-				"attrs": map[string]interface{}{"key": "value"},
-				"label": "label",
-			},
-		},
-		"slots": []interface{}{
-			map[string]interface{}{
-				"snap":  "snap-name",
-				"slot":  "slot-name",
-				"attrs": map[string]interface{}{"key": "value"},
-				"label": "label",
-			},
-		},
-	})
-}
diff -Nru snapd-2.32.3.2~14.04/interfaces/kmod/backend.go snapd-2.37~rc1~14.04/interfaces/kmod/backend.go
--- snapd-2.32.3.2~14.04/interfaces/kmod/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/kmod/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -67,7 +67,7 @@
 //
 // If the method fails it should be re-tried (with a sensible strategy) by the caller.
 func (b *Backend) Setup(snapInfo *snap.Info, confinement interfaces.ConfinementOptions, repo *interfaces.Repository) error {
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	// Get the snippets that apply to this snap
 	spec, err := repo.SnapSpecification(b.Name(), snapName)
 	if err != nil {
@@ -121,7 +121,7 @@
 		buffer.WriteString(module)
 		buffer.WriteRune('\n')
 	}
-	content[fmt.Sprintf("%s.conf", snap.SecurityTag(snapInfo.Name()))] = &osutil.FileState{
+	content[fmt.Sprintf("%s.conf", snap.SecurityTag(snapInfo.InstanceName()))] = &osutil.FileState{
 		Content: buffer.Bytes(),
 		Mode:    0644,
 	}
@@ -131,3 +131,8 @@
 func (b *Backend) NewSpecification() interfaces.Specification {
 	return &Specification{}
 }
+
+// SandboxFeatures returns the list of features supported by snapd for loading kernel modules.
+func (b *Backend) SandboxFeatures() []string {
+	return []string{"mediated-modprobe"}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/kmod/backend_test.go snapd-2.37~rc1~14.04/interfaces/kmod/backend_test.go
--- snapd-2.32.3.2~14.04/interfaces/kmod/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/kmod/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -81,7 +81,7 @@
 
 	for _, opts := range testedConfinementOpts {
 		s.modprobeCmd.ForgetCalls()
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 
 		c.Assert(osutil.FileExists(path), Equals, true)
 		c.Assert(path, testutil.FileEquals, "# This file is automatically generated.\nmodule1\nmodule2\n")
@@ -106,7 +106,7 @@
 	c.Assert(osutil.FileExists(path), Equals, false)
 
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		c.Assert(osutil.FileExists(path), Equals, true)
 		s.RemoveSnap(c, snapInfo)
 		c.Assert(osutil.FileExists(path), Equals, false)
@@ -122,7 +122,7 @@
 	}
 
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.modprobeCmd.ForgetCalls()
 		err := s.Backend.Setup(snapInfo, opts, s.Repo)
 		c.Assert(err, IsNil)
@@ -131,3 +131,7 @@
 		s.RemoveSnap(c, snapInfo)
 	}
 }
+
+func (s *backendSuite) TestSandboxFeatures(c *C) {
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"mediated-modprobe"})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/kmod/spec_test.go snapd-2.37~rc1~14.04/interfaces/kmod/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/kmod/spec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/kmod/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -82,8 +82,8 @@
 
 func (s *specSuite) SetUpTest(c *C) {
 	s.spec = &kmod.Specification{}
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 // AddModule is not broken
diff -Nru snapd-2.32.3.2~14.04/interfaces/mount/backend.go snapd-2.37~rc1~14.04/interfaces/mount/backend.go
--- snapd-2.32.3.2~14.04/interfaces/mount/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/mount/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,12 +56,13 @@
 // Setup creates mount mount profile files specific to a given snap.
 func (b *Backend) Setup(snapInfo *snap.Info, confinement interfaces.ConfinementOptions, repo *interfaces.Repository) error {
 	// Record all changes to the mount system for this snap.
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	spec, err := repo.SnapSpecification(b.Name(), snapName)
 	if err != nil {
 		return fmt.Errorf("cannot obtain mount security snippets for snap %q: %s", snapName, err)
 	}
-	spec.(*Specification).AddSnapLayout(snapInfo)
+	spec.(*Specification).AddOvername(snapInfo)
+	spec.(*Specification).AddLayout(snapInfo)
 	content := deriveContent(spec.(*Specification), snapInfo)
 	// synchronize the content with the filesystem
 	glob := fmt.Sprintf("snap.%s.*fstab", snapName)
@@ -107,7 +108,7 @@
 // deriveContent computes .fstab tables based on requests made to the specification.
 func deriveContent(spec *Specification, snapInfo *snap.Info) map[string]*osutil.FileState {
 	content := make(map[string]*osutil.FileState, 2)
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	// Add the per-snap fstab file.
 	// This file is read by snap-update-ns in the global pass.
 	addMountProfile(content, fmt.Sprintf("snap.%s.fstab", snapName), spec.MountEntries())
@@ -121,3 +122,17 @@
 func (b *Backend) NewSpecification() interfaces.Specification {
 	return &Specification{}
 }
+
+// SandboxFeatures returns the list of features supported by snapd for composing mount namespaces.
+func (b *Backend) SandboxFeatures() []string {
+	return []string{
+		"freezer-cgroup-v1",       /* Snapd creates a freezer cgroup (v1) for each snap */
+		"layouts",                 /* Mount profiles take layout data into account */
+		"mount-namespace",         /* Snapd creates a mount namespace for each snap */
+		"per-snap-persistency",    /* Per-snap profiles are persisted across invocations */
+		"per-snap-profiles",       /* Per-snap profiles allow changing mount namespace of a given snap */
+		"per-snap-updates",        /* Changes to per-snap mount profiles are applied instantly */
+		"per-snap-user-profiles",  /* Per-snap profiles allow changing mount namespace of a given snap for a given user */
+		"stale-base-invalidation", /* Mount namespaces that go stale because base snap changes are automatically invalidated */
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/mount/backend_test.go snapd-2.37~rc1~14.04/interfaces/mount/backend_test.go
--- snapd-2.32.3.2~14.04/interfaces/mount/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/mount/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -139,7 +139,7 @@
 	}
 
 	// confinement options are irrelevant to this security backend
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, mockSnapYaml, 0)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", mockSnapYaml, 0)
 
 	// ensure both security effects from iface/iface2 are combined
 	// (because mount profiles are global in the whole snap)
@@ -167,5 +167,55 @@
 
 	// Ensure that backend.Setup() creates the required dir on demand
 	os.Remove(dirs.SnapMountPolicyDir)
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, mockSnapYaml, 0)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", mockSnapYaml, 0)
+}
+
+func (s *backendSuite) TestParallelInstanceSetup(c *C) {
+	old := dirs.SnapDataDir
+	defer func() {
+		dirs.SnapDataDir = old
+	}()
+	dirs.SnapDataDir = "/var/snap"
+	snapEntry := osutil.MountEntry{Name: "/snap/snap-name_instance", Dir: "/snap/snap-name", Type: "none", Options: []string{"rbind", osutil.XSnapdOriginOvername()}}
+	dataEntry := osutil.MountEntry{Name: "/var/snap/snap-name_instance", Dir: "/var/snap/snap-name", Type: "none", Options: []string{"rbind", osutil.XSnapdOriginOvername()}}
+	fsEntry1 := osutil.MountEntry{Name: "/src-1", Dir: "/dst-1", Type: "none", Options: []string{"bind", "ro"}}
+	fsEntry2 := osutil.MountEntry{Name: "/src-2", Dir: "/dst-2", Type: "none", Options: []string{"bind", "ro"}}
+	userFsEntry := osutil.MountEntry{Name: "/src-3", Dir: "/dst-3", Type: "none", Options: []string{"bind", "ro"}}
+
+	// Give the plug a permanent effect
+	s.Iface.MountPermanentPlugCallback = func(spec *mount.Specification, plug *snap.PlugInfo) error {
+		if err := spec.AddMountEntry(fsEntry1); err != nil {
+			return err
+		}
+		return spec.AddUserMountEntry(userFsEntry)
+	}
+	// Give the slot a permanent effect
+	s.iface2.MountPermanentSlotCallback = func(spec *mount.Specification, slot *snap.SlotInfo) error {
+		return spec.AddMountEntry(fsEntry2)
+	}
+
+	// confinement options are irrelevant to this security backend
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "snap-name_instance", mockSnapYaml, 0)
+
+	// Check that snap fstab file contains parallel instance setup and data from interfaces
+	expected := strings.Join([]string{snapEntry.String(), dataEntry.String(), fsEntry2.String(), fsEntry1.String()}, "\n") + "\n"
+	fn := filepath.Join(dirs.SnapMountPolicyDir, "snap.snap-name_instance.fstab")
+	c.Check(fn, testutil.FileEquals, expected)
+
+	// Check that the user-fstab file was written with user mount only
+	fn = filepath.Join(dirs.SnapMountPolicyDir, "snap.snap-name_instance.user-fstab")
+	c.Check(fn, testutil.FileEquals, userFsEntry.String()+"\n")
+}
+
+func (s *backendSuite) TestSandboxFeatures(c *C) {
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{
+		"freezer-cgroup-v1",
+		"layouts",
+		"mount-namespace",
+		"per-snap-persistency",
+		"per-snap-profiles",
+		"per-snap-updates",
+		"per-snap-user-profiles",
+		"stale-base-invalidation",
+	})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/mount/spec.go snapd-2.37~rc1~14.04/interfaces/mount/spec.go
--- snapd-2.32.3.2~14.04/interfaces/mount/spec.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/mount/spec.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,8 +21,10 @@
 
 import (
 	"fmt"
+	"path"
 	"sort"
 
+	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
@@ -35,20 +37,31 @@
 // holds internal state that is used by the mount backend during the interface
 // setup process.
 type Specification struct {
-	layoutMountEntries []osutil.MountEntry
-	mountEntries       []osutil.MountEntry
-	userMountEntries   []osutil.MountEntry
+	// The mount profile is internally re-sorted by snap-update-ns based on
+	// the source of given mount entry and MountEntry.Dir. See
+	// cmd/snap-update-ns/sorting.go for details.
+
+	layout   []osutil.MountEntry
+	general  []osutil.MountEntry
+	user     []osutil.MountEntry
+	overname []osutil.MountEntry
 }
 
 // AddMountEntry adds a new mount entry.
 func (spec *Specification) AddMountEntry(e osutil.MountEntry) error {
-	spec.mountEntries = append(spec.mountEntries, e)
+	spec.general = append(spec.general, e)
 	return nil
 }
 
 //AddUserMountEntry adds a new user mount entry.
 func (spec *Specification) AddUserMountEntry(e osutil.MountEntry) error {
-	spec.userMountEntries = append(spec.userMountEntries, e)
+	spec.user = append(spec.user, e)
+	return nil
+}
+
+// AddOvernameMountEntry adds a new overname mount entry.
+func (spec *Specification) AddOvernameMountEntry(e osutil.MountEntry) error {
+	spec.overname = append(spec.overname, e)
 	return nil
 }
 
@@ -66,7 +79,7 @@
 	}
 	if layout.BindFile != "" {
 		mountSource := layout.Snap.ExpandSnapVariables(layout.BindFile)
-		entry.Options = []string{"bind", "rw", "x-snapd.kind=file"}
+		entry.Options = []string{"bind", "rw", osutil.XSnapdKindFile()}
 		entry.Name = mountSource
 	}
 
@@ -80,7 +93,7 @@
 		entry.Options = []string{osutil.XSnapdKindSymlink(), osutil.XSnapdSymlink(oldname)}
 	}
 
-	var uid int
+	var uid uint32
 	// Only root is allowed here until we support custom users. Root is default.
 	switch layout.User {
 	case "root", "":
@@ -90,7 +103,7 @@
 		entry.Options = append(entry.Options, osutil.XSnapdUser(uid))
 	}
 
-	var gid int
+	var gid uint32
 	// Only root is allowed here until we support custom groups. Root is default.
 	// This is validated in spec.go.
 	switch layout.Group {
@@ -110,8 +123,8 @@
 	return entry
 }
 
-// AddSnapLayout adds mount entries based on the layout of the snap.
-func (spec *Specification) AddSnapLayout(si *snap.Info) {
+// AddLayout adds mount entries based on the layout of the snap.
+func (spec *Specification) AddLayout(si *snap.Info) {
 	// TODO: handle layouts in base snaps as well as in this snap.
 
 	// walk the layout elements in deterministic order, by mount point name
@@ -123,23 +136,27 @@
 
 	for _, path := range paths {
 		entry := mountEntryFromLayout(si.Layout[path])
-		spec.layoutMountEntries = append(spec.layoutMountEntries, entry)
+		spec.layout = append(spec.layout, entry)
 	}
 }
 
 // MountEntries returns a copy of the added mount entries.
 func (spec *Specification) MountEntries() []osutil.MountEntry {
-	result := make([]osutil.MountEntry, 0, len(spec.layoutMountEntries)+len(spec.mountEntries))
-	result = append(result, spec.layoutMountEntries...)
-	result = append(result, spec.mountEntries...)
+	result := make([]osutil.MountEntry, 0, len(spec.overname)+len(spec.layout)+len(spec.general))
+	// overname is the mappings that were added to support parallel
+	// installation of snaps and must come first, as they establish the base
+	// namespace for any further operations
+	result = append(result, spec.overname...)
+	result = append(result, spec.layout...)
+	result = append(result, spec.general...)
 	unclashMountEntries(result)
 	return result
 }
 
 // UserMountEntries returns a copy of the added user mount entries.
 func (spec *Specification) UserMountEntries() []osutil.MountEntry {
-	result := make([]osutil.MountEntry, len(spec.userMountEntries))
-	copy(result, spec.userMountEntries)
+	result := make([]osutil.MountEntry, len(spec.user))
+	copy(result, spec.user)
 	unclashMountEntries(result)
 	return result
 }
@@ -206,3 +223,31 @@
 	}
 	return nil
 }
+
+// AddOvername records mappings of snap directories.
+//
+// When the snap is installed with an instance key, set up its mount namespace
+// such that it appears as a non-instance key snap. This ensures compatibility
+// with code making assumptions about $SNAP{,_DATA,_COMMON} locations. That is,
+// given a snap foo_bar, the mappings added are:
+//
+// - /snap/foo_bar      -> /snap/foo
+// - /var/snap/foo_bar  -> /var/snap/foo
+func (spec *Specification) AddOvername(info *snap.Info) {
+	if info.InstanceKey == "" {
+		return
+	}
+
+	// /snap/foo_bar -> /snap/foo
+	spec.AddOvernameMountEntry(osutil.MountEntry{
+		Name:    path.Join(dirs.CoreSnapMountDir, info.InstanceName()),
+		Dir:     path.Join(dirs.CoreSnapMountDir, info.SnapName()),
+		Options: []string{"rbind", osutil.XSnapdOriginOvername()},
+	})
+	// /var/snap/foo_bar -> /var/snap/foo
+	spec.AddOvernameMountEntry(osutil.MountEntry{
+		Name:    path.Join(dirs.SnapDataDir, info.InstanceName()),
+		Dir:     path.Join(dirs.SnapDataDir, info.SnapName()),
+		Options: []string{"rbind", osutil.XSnapdOriginOvername()},
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/mount/spec_test.go snapd-2.37~rc1~14.04/interfaces/mount/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/mount/spec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/mount/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -72,8 +72,8 @@
 
 func (s *specSuite) SetUpTest(c *C) {
 	s.spec = &mount.Specification{}
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 // AddMountEntry and AddUserMountEntry are not not broken
@@ -154,7 +154,7 @@
 
 func (s *specSuite) TestMountEntryFromLayout(c *C) {
 	snapInfo := snaptest.MockInfo(c, snapWithLayout, &snap.SideInfo{Revision: snap.R(42)})
-	s.spec.AddSnapLayout(snapInfo)
+	s.spec.AddLayout(snapInfo)
 	c.Assert(s.spec.MountEntries(), DeepEquals, []osutil.MountEntry{
 		// Layout result is sorted by mount path.
 		{Dir: "/etc/foo.conf", Name: "/snap/vanguard/42/foo.conf", Options: []string{"bind", "rw", "x-snapd.kind=file", "x-snapd.origin=layout"}},
@@ -163,3 +163,64 @@
 		{Dir: "/usr", Name: "/snap/vanguard/42/usr", Options: []string{"rbind", "rw", "x-snapd.origin=layout"}},
 	})
 }
+
+func (s *specSuite) TestParallelInstanceMountEntryFromLayout(c *C) {
+	snapInfo := snaptest.MockInfo(c, snapWithLayout, &snap.SideInfo{Revision: snap.R(42)})
+	snapInfo.InstanceKey = "instance"
+	s.spec.AddLayout(snapInfo)
+	s.spec.AddOvername(snapInfo)
+	c.Assert(s.spec.MountEntries(), DeepEquals, []osutil.MountEntry{
+		// Parallel instance mappings come first
+		{Dir: "/snap/vanguard", Name: "/snap/vanguard_instance", Options: []string{"rbind", "x-snapd.origin=overname"}},
+		{Dir: "/var/snap/vanguard", Name: "/var/snap/vanguard_instance", Options: []string{"rbind", "x-snapd.origin=overname"}},
+		// Layout result is sorted by mount path.
+		{Dir: "/etc/foo.conf", Name: "/snap/vanguard/42/foo.conf", Options: []string{"bind", "rw", "x-snapd.kind=file", "x-snapd.origin=layout"}},
+		{Dir: "/mylink", Options: []string{"x-snapd.kind=symlink", "x-snapd.symlink=/snap/vanguard/42/link/target", "x-snapd.origin=layout"}},
+		{Dir: "/mytmp", Name: "tmpfs", Type: "tmpfs", Options: []string{"x-snapd.mode=01777", "x-snapd.origin=layout"}},
+		{Dir: "/usr", Name: "/snap/vanguard/42/usr", Options: []string{"rbind", "rw", "x-snapd.origin=layout"}},
+	})
+}
+
+func (s *specSuite) TestSpecificationUberclash(c *C) {
+	// When everything clashes for access to /foo, what happens?
+	const uberclashYaml = `name: uberclash
+version: 0
+layout:
+  /foo:
+    type: tmpfs
+`
+	snapInfo := snaptest.MockInfo(c, uberclashYaml, &snap.SideInfo{Revision: snap.R(42)})
+	entry := osutil.MountEntry{Dir: "/foo", Type: "tmpfs", Name: "tmpfs"}
+	s.spec.AddMountEntry(entry)
+	s.spec.AddUserMountEntry(entry)
+	s.spec.AddLayout(snapInfo)
+	c.Assert(s.spec.MountEntries(), DeepEquals, []osutil.MountEntry{
+		{Dir: "/foo", Type: "tmpfs", Name: "tmpfs", Options: []string{"x-snapd.origin=layout"}},
+		// This is the non-layout entry, it was renamed to "foo-2"
+		{Dir: "/foo-2", Type: "tmpfs", Name: "tmpfs"},
+	})
+	c.Assert(s.spec.UserMountEntries(), DeepEquals, []osutil.MountEntry{
+		// This is the user entry, it was _not_ renamed and it would clash with
+		// /foo but there is no way to request things like that for now.
+		{Dir: "/foo", Type: "tmpfs", Name: "tmpfs"},
+	})
+}
+
+func (s *specSuite) TestParallelInstanceMountEntriesNoInstanceKey(c *C) {
+	snapInfo := &snap.Info{SideInfo: snap.SideInfo{RealName: "foo", Revision: snap.R(42)}}
+	s.spec.AddOvername(snapInfo)
+	c.Assert(s.spec.MountEntries(), HasLen, 0)
+	c.Assert(s.spec.UserMountEntries(), HasLen, 0)
+}
+
+func (s *specSuite) TestParallelInstanceMountEntriesReal(c *C) {
+	snapInfo := &snap.Info{SideInfo: snap.SideInfo{RealName: "foo", Revision: snap.R(42)}, InstanceKey: "instance"}
+	s.spec.AddOvername(snapInfo)
+	c.Assert(s.spec.MountEntries(), DeepEquals, []osutil.MountEntry{
+		// /snap/foo_instance -> /snap/foo
+		{Name: "/snap/foo_instance", Dir: "/snap/foo", Options: []string{"rbind", "x-snapd.origin=overname"}},
+		// /var/snap/foo_instance -> /var/snap/foo
+		{Name: "/var/snap/foo_instance", Dir: "/var/snap/foo", Options: []string{"rbind", "x-snapd.origin=overname"}},
+	})
+	c.Assert(s.spec.UserMountEntries(), HasLen, 0)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/policy/basedeclaration_test.go snapd-2.37~rc1~14.04/interfaces/policy/basedeclaration_test.go
--- snapd-2.32.3.2~14.04/interfaces/policy/basedeclaration_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/policy/basedeclaration_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -70,8 +70,8 @@
 	slotSnap := snaptest.MockInfo(c, slotYaml, nil)
 	plugSnap := snaptest.MockInfo(c, plugYaml, nil)
 	return &policy.ConnectCandidate{
-		Plug:            plugSnap.Plugs[iface],
-		Slot:            slotSnap.Slots[iface],
+		Plug:            interfaces.NewConnectedPlug(plugSnap.Plugs[iface], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(slotSnap.Slots[iface], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 }
@@ -145,6 +145,7 @@
 		"home":          true,
 		"lxd-support":   true,
 		"snapd-control": true,
+		"dummy":         true,
 	}
 
 	// these simply auto-connect, anything else doesn't
@@ -221,6 +222,55 @@
 	c.Check(err, ErrorMatches, `auto-connection denied by slot rule of interface \"home\"`)
 }
 
+func (s *baseDeclSuite) TestHomeReadAll(c *C) {
+	const plugYaml = `name: plug-snap
+version: 0
+plugs:
+  home:
+    read: all
+`
+	restore := release.MockOnClassic(true)
+	defer restore()
+	cand := s.connectCand(c, "home", "", plugYaml)
+	err := cand.Check()
+	c.Check(err, NotNil)
+
+	err = cand.CheckAutoConnect()
+	c.Check(err, NotNil)
+
+	release.OnClassic = false
+	err = cand.Check()
+	c.Check(err, NotNil)
+
+	err = cand.CheckAutoConnect()
+	c.Check(err, NotNil)
+}
+
+func (s *baseDeclSuite) TestHomeReadDefault(c *C) {
+	const plugYaml = `name: plug-snap
+version: 0
+plugs:
+  home: null
+`
+	restore := release.MockOnClassic(true)
+	defer restore()
+	cand := s.connectCand(c, "home", "", plugYaml)
+	err := cand.Check()
+	c.Check(err, IsNil)
+
+	// Same as TestInterimAutoConnectionHome()
+	err = cand.CheckAutoConnect()
+	c.Check(err, IsNil)
+
+	release.OnClassic = false
+	err = cand.Check()
+	c.Check(err, IsNil)
+
+	// Same as TestInterimAutoConnectionHome()
+	err = cand.CheckAutoConnect()
+	c.Check(err, NotNil)
+}
+
 func (s *baseDeclSuite) TestAutoConnectionSnapdControl(c *C) {
 	cand := s.connectCand(c, "snapd-control", "", "")
 	err := cand.CheckAutoConnect()
@@ -472,6 +522,7 @@
 
 	slotInstallation = map[string][]string{
 		// other
+		"adb-support":             {"core"},
 		"autopilot-introspection": {"core"},
 		"avahi-control":           {"app", "core"},
 		"avahi-observe":           {"app", "core"},
@@ -506,15 +557,17 @@
 		"serial-port": {"core", "gadget"},
 		"spi":         {"core", "gadget"},
 		"storage-framework-service": {"app"},
+		"dummy":                     {"app"},
 		"thumbnailer-service":       {"app"},
 		"ubuntu-download-manager":   {"app"},
-		"udisks2":                   {"app"},
+		"udisks2":                   {"app", "core"},
 		"uhid":                      {"core"},
 		"unity8":                    {"app"},
 		"unity8-calendar":           {"app"},
 		"unity8-contacts":           {"app"},
 		"upower-observe":            {"app", "core"},
 		"wayland":                   {"app", "core"},
+		"x11":                       {"app", "core"},
 		// snowflakes
 		"classic-support": nil,
 		"docker":          nil,
@@ -593,7 +646,9 @@
 		"kernel-module-control": true,
 		"kubernetes-support":    true,
 		"lxd-support":           true,
+		"personal-files":        true,
 		"snapd-control":         true,
+		"system-files":          true,
 		"unity8":                true,
 	}
 
@@ -646,7 +701,6 @@
 		"storage-framework-service": true,
 		"thumbnailer-service":       true,
 		"ubuntu-download-manager":   true,
-		"udisks2":                   true,
 		"unity8-calendar":           true,
 		"unity8-contacts":           true,
 	}
@@ -719,7 +773,10 @@
 		"kernel-module-control": true,
 		"kubernetes-support":    true,
 		"lxd-support":           true,
+		"personal-files":        true,
 		"snapd-control":         true,
+		"system-files":          true,
+		"udisks2":               true,
 		"unity8":                true,
 		"wayland":               true,
 	}
@@ -811,6 +868,13 @@
 `)
 }
 
+func (s *baseDeclSuite) TestDoesNotPanic(c *C) {
+	// In case there are any issues in the actual interfaces we'd get a panic
+	// on snapd startup. This test prevents this from happing unnoticed.
+	_, err := policy.ComposeBaseDeclaration(builtin.Interfaces())
+	c.Assert(err, IsNil)
+}
+
 func (s *baseDeclSuite) TestBrowserSupportAllowSandbox(c *C) {
 	const plugYaml = `name: plug-snap
 version: 0
@@ -825,3 +889,58 @@
 	err = cand.CheckAutoConnect()
 	c.Check(err, NotNil)
 }
+
+func (s *baseDeclSuite) TestOpticalDriveWrite(c *C) {
+	type options struct {
+		readonlyYamls []string
+		writableYamls []string
+	}
+
+	opts := &options{
+		readonlyYamls: []string{
+			// Non-specified "write" attribute
+			`name: plug-snap
+version: 0
+plugs:
+  optical-drive: null
+`,
+			// Undefined "write" attribute
+			`name: plug-snap
+version: 0
+plugs:
+  optical-drive: {}
+`,
+			// False "write" attribute
+			`name: plug-snap
+version: 0
+plugs:
+  optical-drive:
+    write: false
+`,
+		},
+		writableYamls: []string{
+			// True "write" attribute
+			`name: plug-snap
+version: 0
+plugs:
+  optical-drive:
+    write: true
+`,
+		},
+	}
+
+	checkOpticalDriveAutoConnect := func(plugYaml string, checker Checker) {
+		cand := s.connectCand(c, "optical-drive", "", plugYaml)
+		err := cand.Check()
+		c.Check(err, checker)
+		err = cand.CheckAutoConnect()
+		c.Check(err, checker)
+	}
+
+	for _, plugYaml := range opts.readonlyYamls {
+		checkOpticalDriveAutoConnect(plugYaml, IsNil)
+	}
+	for _, plugYaml := range opts.writableYamls {
+		checkOpticalDriveAutoConnect(plugYaml, NotNil)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/policy/export_test.go snapd-2.37~rc1~14.04/interfaces/policy/export_test.go
--- snapd-2.32.3.2~14.04/interfaces/policy/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/policy/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,4 +22,5 @@
 var (
 	NestedGet              = nestedGet
 	ComposeBaseDeclaration = composeBaseDeclaration
+	CheckSnapType          = checkSnapType
 )
diff -Nru snapd-2.32.3.2~14.04/interfaces/policy/helpers.go snapd-2.37~rc1~14.04/interfaces/policy/helpers.go
--- snapd-2.32.3.2~14.04/interfaces/policy/helpers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/policy/helpers.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,16 +26,31 @@
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
 // check helpers
 
-func checkSnapType(snapType snap.Type, types []string) error {
+func snapIDSnapd(snapID string) bool {
+	var snapIDsSnapd = []string{
+		// production
+		"PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4",
+		// TODO: when snapd snap is uploaded to staging, replace this with
+		// the real snap-id.
+		"todo-staging-snapd-id",
+	}
+	return strutil.ListContains(snapIDsSnapd, snapID)
+}
+
+func checkSnapType(snap *snap.Info, types []string) error {
 	if len(types) == 0 {
 		return nil
 	}
-	s := string(snapType)
-	if s == "os" { // we use "core" in the assertions
+	snapID := snap.SnapID
+	s := string(snap.Type)
+	if s == "os" || snapIDSnapd(snapID) {
+		// we use "core" in the assertions and we need also to
+		// allow for the "snapd" snap
 		s = "core"
 	}
 	for _, t := range types {
@@ -80,14 +95,54 @@
 	return nil
 }
 
+func checkDeviceScope(c *asserts.DeviceScopeConstraint, model *asserts.Model, store *asserts.Store) error {
+	if c == nil {
+		return nil
+	}
+	if model == nil {
+		return fmt.Errorf("cannot match on-store/on-brand/on-model without model")
+	}
+	if store != nil && store.Store() != model.Store() {
+		return fmt.Errorf("store assertion and model store must match")
+	}
+	if len(c.Store) != 0 {
+		if !strutil.ListContains(c.Store, model.Store()) {
+			mismatch := true
+			if store != nil {
+				for _, sto := range c.Store {
+					if strutil.ListContains(store.FriendlyStores(), sto) {
+						mismatch = false
+						break
+					}
+				}
+			}
+			if mismatch {
+				return fmt.Errorf("on-store mismatch")
+			}
+		}
+	}
+	if len(c.Brand) != 0 {
+		if !strutil.ListContains(c.Brand, model.BrandID()) {
+			return fmt.Errorf("on-brand mismatch")
+		}
+	}
+	if len(c.Model) != 0 {
+		brandModel := fmt.Sprintf("%s/%s", model.BrandID(), model.Model())
+		if !strutil.ListContains(c.Model, brandModel) {
+			return fmt.Errorf("on-model mismatch")
+		}
+	}
+	return nil
+}
+
 func checkPlugConnectionConstraints1(connc *ConnectCandidate, cstrs *asserts.PlugConnectionConstraints) error {
-	if err := cstrs.PlugAttributes.Check(connc.plugAttrs(), connc); err != nil {
+	if err := cstrs.PlugAttributes.Check(connc.Plug, connc); err != nil {
 		return err
 	}
-	if err := cstrs.SlotAttributes.Check(connc.slotAttrs(), connc); err != nil {
+	if err := cstrs.SlotAttributes.Check(connc.Slot, connc); err != nil {
 		return err
 	}
-	if err := checkSnapType(connc.slotSnapType(), cstrs.SlotSnapTypes); err != nil {
+	if err := checkSnapType(connc.Slot.Snap(), cstrs.SlotSnapTypes); err != nil {
 		return err
 	}
 	if err := checkID("snap id", connc.slotSnapID(), cstrs.SlotSnapIDs, nil); err != nil {
@@ -102,6 +157,9 @@
 	if err := checkOnClassic(cstrs.OnClassic); err != nil {
 		return err
 	}
+	if err := checkDeviceScope(cstrs.DeviceScope, connc.Model, connc.Store); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -121,13 +179,13 @@
 }
 
 func checkSlotConnectionConstraints1(connc *ConnectCandidate, cstrs *asserts.SlotConnectionConstraints) error {
-	if err := cstrs.PlugAttributes.Check(connc.plugAttrs(), connc); err != nil {
+	if err := cstrs.PlugAttributes.Check(connc.Plug, connc); err != nil {
 		return err
 	}
-	if err := cstrs.SlotAttributes.Check(connc.slotAttrs(), connc); err != nil {
+	if err := cstrs.SlotAttributes.Check(connc.Slot, connc); err != nil {
 		return err
 	}
-	if err := checkSnapType(connc.plugSnapType(), cstrs.PlugSnapTypes); err != nil {
+	if err := checkSnapType(connc.Plug.Snap(), cstrs.PlugSnapTypes); err != nil {
 		return err
 	}
 	if err := checkID("snap id", connc.plugSnapID(), cstrs.PlugSnapIDs, nil); err != nil {
@@ -142,6 +200,9 @@
 	if err := checkOnClassic(cstrs.OnClassic); err != nil {
 		return err
 	}
+	if err := checkDeviceScope(cstrs.DeviceScope, connc.Model, connc.Store); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -160,25 +221,28 @@
 	return firstErr
 }
 
-func checkSlotInstallationConstraints1(slot *snap.SlotInfo, cstrs *asserts.SlotInstallationConstraints) error {
+func checkSlotInstallationConstraints1(ic *InstallCandidate, slot *snap.SlotInfo, cstrs *asserts.SlotInstallationConstraints) error {
 	// TODO: allow evaluated attr constraints here too?
-	if err := cstrs.SlotAttributes.Check(slot.Attrs, nil); err != nil {
+	if err := cstrs.SlotAttributes.Check(slot, nil); err != nil {
 		return err
 	}
-	if err := checkSnapType(slot.Snap.Type, cstrs.SlotSnapTypes); err != nil {
+	if err := checkSnapType(slot.Snap, cstrs.SlotSnapTypes); err != nil {
 		return err
 	}
 	if err := checkOnClassic(cstrs.OnClassic); err != nil {
 		return err
 	}
+	if err := checkDeviceScope(cstrs.DeviceScope, ic.Model, ic.Store); err != nil {
+		return err
+	}
 	return nil
 }
 
-func checkSlotInstallationConstraints(slot *snap.SlotInfo, cstrs []*asserts.SlotInstallationConstraints) error {
+func checkSlotInstallationConstraints(ic *InstallCandidate, slot *snap.SlotInfo, cstrs []*asserts.SlotInstallationConstraints) error {
 	var firstErr error
 	// OR of constraints
 	for _, cstrs1 := range cstrs {
-		err := checkSlotInstallationConstraints1(slot, cstrs1)
+		err := checkSlotInstallationConstraints1(ic, slot, cstrs1)
 		if err == nil {
 			return nil
 		}
@@ -189,25 +253,28 @@
 	return firstErr
 }
 
-func checkPlugInstallationConstraints1(plug *snap.PlugInfo, cstrs *asserts.PlugInstallationConstraints) error {
+func checkPlugInstallationConstraints1(ic *InstallCandidate, plug *snap.PlugInfo, cstrs *asserts.PlugInstallationConstraints) error {
 	// TODO: allow evaluated attr constraints here too?
-	if err := cstrs.PlugAttributes.Check(plug.Attrs, nil); err != nil {
+	if err := cstrs.PlugAttributes.Check(plug, nil); err != nil {
 		return err
 	}
-	if err := checkSnapType(plug.Snap.Type, cstrs.PlugSnapTypes); err != nil {
+	if err := checkSnapType(plug.Snap, cstrs.PlugSnapTypes); err != nil {
 		return err
 	}
 	if err := checkOnClassic(cstrs.OnClassic); err != nil {
 		return err
 	}
+	if err := checkDeviceScope(cstrs.DeviceScope, ic.Model, ic.Store); err != nil {
+		return err
+	}
 	return nil
 }
 
-func checkPlugInstallationConstraints(plug *snap.PlugInfo, cstrs []*asserts.PlugInstallationConstraints) error {
+func checkPlugInstallationConstraints(ic *InstallCandidate, plug *snap.PlugInfo, cstrs []*asserts.PlugInstallationConstraints) error {
 	var firstErr error
 	// OR of constraints
 	for _, cstrs1 := range cstrs {
-		err := checkPlugInstallationConstraints1(plug, cstrs1)
+		err := checkPlugInstallationConstraints1(ic, plug, cstrs1)
 		if err == nil {
 			return nil
 		}
diff -Nru snapd-2.32.3.2~14.04/interfaces/policy/helpers_test.go snapd-2.37~rc1~14.04/interfaces/policy/helpers_test.go
--- snapd-2.32.3.2~14.04/interfaces/policy/helpers_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/policy/helpers_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,9 +20,12 @@
 package policy_test
 
 import (
-	. "gopkg.in/check.v1"
-
+	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/policy"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+
+	. "gopkg.in/check.v1"
 )
 
 type helpersSuite struct{}
@@ -30,25 +33,68 @@
 var _ = Suite(&helpersSuite{})
 
 func (s *helpersSuite) TestNestedGet(c *C) {
-	_, err := policy.NestedGet("slot", nil, "a")
-	c.Check(err, ErrorMatches, `slot attribute "a" not found`)
+	consumer := snaptest.MockInfo(c, `
+name: consumer
+version: 0
+apps:
+    app:
+plugs:
+    plug:
+        interface: interface
+`, nil)
+	plugInfo := consumer.Plugs["plug"]
+	plug := interfaces.NewConnectedPlug(plugInfo, nil, map[string]interface{}{
+		"a": "123",
+	})
 
-	_, err = policy.NestedGet("plug", map[string]interface{}{
+	producer := snaptest.MockInfo(c, `
+name: producer
+version: 0
+apps:
+    app:
+slots:
+    slot:
+        interface: interface
+`, nil)
+	slotInfo := producer.Slots["slot"]
+	slot := interfaces.NewConnectedSlot(slotInfo, nil, map[string]interface{}{
 		"a": "123",
-	}, "a.b")
+	})
+
+	_, err := policy.NestedGet("slot", slot, "b")
+	c.Check(err, ErrorMatches, `slot attribute "b" not found`)
+
+	_, err = policy.NestedGet("plug", plug, "a.b")
 	c.Check(err, ErrorMatches, `plug attribute "a\.b" not found`)
 
-	v, err := policy.NestedGet("slot", map[string]interface{}{
-		"a": "123",
-	}, "a")
+	v, err := policy.NestedGet("slot", slot, "a")
 	c.Check(err, IsNil)
 	c.Check(v, Equals, "123")
 
-	v, err = policy.NestedGet("slot", map[string]interface{}{
+	slot = interfaces.NewConnectedSlot(slotInfo, nil, map[string]interface{}{
 		"a": map[string]interface{}{
 			"b": []interface{}{"1", "2", "3"},
 		},
-	}, "a.b")
+	})
+
+	v, err = policy.NestedGet("slot", slot, "a.b")
 	c.Check(err, IsNil)
 	c.Check(v, DeepEquals, []interface{}{"1", "2", "3"})
 }
+
+func (s *helpersSuite) TestSnapdTypeCheck(c *C) {
+	// Type checking the snapd snap is done in a special way.
+	// It appears to be of type "core" while in reality it is of type "app".
+	sideInfo := &snap.SideInfo{
+		SnapID: "PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4",
+	}
+	snapInfo := snaptest.MockInfo(c, `
+name: snapd
+version: 1
+type: app
+slots:
+    network:
+`, sideInfo)
+	err := policy.CheckSnapType(snapInfo, []string{"core"})
+	c.Assert(err, IsNil)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/policy/policy.go snapd-2.37~rc1~14.04/interfaces/policy/policy.go
--- snapd-2.32.3.2~14.04/interfaces/policy/policy.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/policy/policy.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,9 +24,9 @@
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/snap"
 )
 
@@ -34,7 +34,11 @@
 type InstallCandidate struct {
 	Snap            *snap.Info
 	SnapDeclaration *asserts.SnapDeclaration
+
 	BaseDeclaration *asserts.BaseDeclaration
+
+	Model *asserts.Model
+	Store *asserts.Store
 }
 
 func (ic *InstallCandidate) checkSlotRule(slot *snap.SlotInfo, rule *asserts.SlotRule, snapRule bool) error {
@@ -42,10 +46,10 @@
 	if snapRule {
 		context = fmt.Sprintf(" for %q snap", ic.SnapDeclaration.SnapName())
 	}
-	if checkSlotInstallationConstraints(slot, rule.DenyInstallation) == nil {
+	if checkSlotInstallationConstraints(ic, slot, rule.DenyInstallation) == nil {
 		return fmt.Errorf("installation denied by %q slot rule of interface %q%s", slot.Name, slot.Interface, context)
 	}
-	if checkSlotInstallationConstraints(slot, rule.AllowInstallation) != nil {
+	if checkSlotInstallationConstraints(ic, slot, rule.AllowInstallation) != nil {
 		return fmt.Errorf("installation not allowed by %q slot rule of interface %q%s", slot.Name, slot.Interface, context)
 	}
 	return nil
@@ -56,10 +60,10 @@
 	if snapRule {
 		context = fmt.Sprintf(" for %q snap", ic.SnapDeclaration.SnapName())
 	}
-	if checkPlugInstallationConstraints(plug, rule.DenyInstallation) == nil {
+	if checkPlugInstallationConstraints(ic, plug, rule.DenyInstallation) == nil {
 		return fmt.Errorf("installation denied by %q plug rule of interface %q%s", plug.Name, plug.Interface, context)
 	}
-	if checkPlugInstallationConstraints(plug, rule.AllowInstallation) != nil {
+	if checkPlugInstallationConstraints(ic, plug, rule.AllowInstallation) != nil {
 		return fmt.Errorf("installation not allowed by %q plug rule of interface %q%s", plug.Name, plug.Interface, context)
 	}
 	return nil
@@ -116,55 +120,32 @@
 
 // ConnectCandidate represents a candidate connection.
 type ConnectCandidate struct {
-	// TODO: later we need to carry dynamic attributes once we have those
-	Plug                *snap.PlugInfo
+	Plug                *interfaces.ConnectedPlug
 	PlugSnapDeclaration *asserts.SnapDeclaration
 
-	Slot                *snap.SlotInfo
+	Slot                *interfaces.ConnectedSlot
 	SlotSnapDeclaration *asserts.SnapDeclaration
 
 	BaseDeclaration *asserts.BaseDeclaration
-}
 
-func (connc *ConnectCandidate) plugAttrs() map[string]interface{} {
-	return connc.Plug.Attrs
+	Model *asserts.Model
+	Store *asserts.Store
 }
 
-func (connc *ConnectCandidate) slotAttrs() map[string]interface{} {
-	return connc.Slot.Attrs
-}
-
-func nestedGet(which string, attrs map[string]interface{}, path string) (interface{}, error) {
-	notFound := fmt.Errorf("%s attribute %q not found", which, path)
-	comps := strings.Split(path, ".")
-	var v interface{} = attrs
-	for _, comp := range comps {
-		m, ok := v.(map[string]interface{})
-		if !ok {
-			return nil, notFound
-		}
-		v, ok = m[comp]
-		if !ok {
-			return nil, notFound
-		}
+func nestedGet(which string, attrs interfaces.Attrer, path string) (interface{}, error) {
+	val, ok := attrs.Lookup(path)
+	if !ok {
+		return nil, fmt.Errorf("%s attribute %q not found", which, path)
 	}
-	return v, nil
+	return val, nil
 }
 
 func (connc *ConnectCandidate) PlugAttr(arg string) (interface{}, error) {
-	return nestedGet("plug", connc.Plug.Attrs, arg)
+	return nestedGet("plug", connc.Plug, arg)
 }
 
 func (connc *ConnectCandidate) SlotAttr(arg string) (interface{}, error) {
-	return nestedGet("slot", connc.Slot.Attrs, arg)
-}
-
-func (connc *ConnectCandidate) plugSnapType() snap.Type {
-	return connc.Plug.Snap.Type
-}
-
-func (connc *ConnectCandidate) slotSnapType() snap.Type {
-	return connc.Slot.Snap.Type
+	return nestedGet("slot", connc.Slot, arg)
 }
 
 func (connc *ConnectCandidate) plugSnapID() string {
@@ -207,10 +188,10 @@
 		allowConst = rule.AllowAutoConnection
 	}
 	if checkPlugConnectionConstraints(connc, denyConst) == nil {
-		return fmt.Errorf("%s denied by plug rule of interface %q%s", kind, connc.Plug.Interface, context)
+		return fmt.Errorf("%s denied by plug rule of interface %q%s", kind, connc.Plug.Interface(), context)
 	}
 	if checkPlugConnectionConstraints(connc, allowConst) != nil {
-		return fmt.Errorf("%s not allowed by plug rule of interface %q%s", kind, connc.Plug.Interface, context)
+		return fmt.Errorf("%s not allowed by plug rule of interface %q%s", kind, connc.Plug.Interface(), context)
 	}
 	return nil
 }
@@ -227,10 +208,10 @@
 		allowConst = rule.AllowAutoConnection
 	}
 	if checkSlotConnectionConstraints(connc, denyConst) == nil {
-		return fmt.Errorf("%s denied by slot rule of interface %q%s", kind, connc.Plug.Interface, context)
+		return fmt.Errorf("%s denied by slot rule of interface %q%s", kind, connc.Plug.Interface(), context)
 	}
 	if checkSlotConnectionConstraints(connc, allowConst) != nil {
-		return fmt.Errorf("%s not allowed by slot rule of interface %q%s", kind, connc.Plug.Interface, context)
+		return fmt.Errorf("%s not allowed by slot rule of interface %q%s", kind, connc.Plug.Interface(), context)
 	}
 	return nil
 }
@@ -241,10 +222,10 @@
 		return fmt.Errorf("internal error: improperly initialized ConnectCandidate")
 	}
 
-	iface := connc.Plug.Interface
+	iface := connc.Plug.Interface()
 
-	if connc.Slot.Interface != iface {
-		return fmt.Errorf("cannot connect mismatched plug interface %q to slot interface %q", iface, connc.Slot.Interface)
+	if connc.Slot.Interface() != iface {
+		return fmt.Errorf("cannot connect mismatched plug interface %q to slot interface %q", iface, connc.Slot.Interface())
 	}
 
 	if plugDecl := connc.PlugSnapDeclaration; plugDecl != nil {
diff -Nru snapd-2.32.3.2~14.04/interfaces/policy/policy_test.go snapd-2.37~rc1~14.04/interfaces/policy/policy_test.go
--- snapd-2.32.3.2~14.04/interfaces/policy/policy_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/policy/policy_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,6 +26,7 @@
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/policy"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
@@ -130,6 +131,14 @@
           s: S2
         plug-attributes:
           p: P2
+  auto-plug-on-store1:
+    allow-auto-connection: false
+  auto-plug-on-my-brand:
+    allow-auto-connection: false
+  auto-plug-on-my-model2:
+    allow-auto-connection: false
+  auto-plug-on-multi:
+    allow-auto-connection: false
   install-plug-attr-ok:
     allow-installation:
       plug-attributes:
@@ -157,6 +166,8 @@
       on-classic:
         - ubuntu
         - debian
+  install-plug-device-scope:
+    allow-installation: false
 slots:
   base-slot-allow: true
   base-slot-not-allow:
@@ -246,6 +257,14 @@
           s: S2
         plug-attributes:
           p: P2
+  auto-slot-on-store1:
+    allow-auto-connection: false
+  auto-slot-on-my-brand:
+    allow-auto-connection: false
+  auto-slot-on-my-model2:
+    allow-auto-connection: false
+  auto-slot-on-multi:
+    allow-auto-connection: false
   install-slot-coreonly:
     allow-installation:
       slot-snap-type:
@@ -277,6 +296,8 @@
       on-classic:
         - ubuntu
         - debian
+  install-slot-device-scope:
+    allow-installation: false
 timestamp: 2016-09-30T12:00:00Z
 sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
 
@@ -369,6 +390,9 @@
      interface: slot-plug-attr
      c: "Z"
 
+   slot-plug-attr-dynamic:
+     interface: slot-plug-attr
+
    slot-plug-attr-match:
      interface: slot-plug-attr
      c: "C"
@@ -412,6 +436,11 @@
      interface: auto-plug-or
      p: P2
 
+   auto-plug-on-store1:
+   auto-plug-on-my-brand:
+   auto-plug-on-my-model2:
+   auto-plug-on-multi:
+
    slot-or-p1-s1:
      interface: slot-or
      p: P1
@@ -436,6 +465,11 @@
      interface: auto-slot-or
      p: P2
 
+   auto-slot-on-store1:
+   auto-slot-on-my-brand:
+   auto-slot-on-my-model2:
+   auto-slot-on-multi:
+
    slot-on-classic-true:
    slot-on-classic-distros:
    slot-on-classic-false:
@@ -532,6 +566,9 @@
      interface: plug-plug-attr
      c: "C"
 
+   plug-plug-attr-dynamic:
+     interface: plug-plug-attr
+
    plug-slot-attr-mismatch:
      interface: plug-slot-attr
      c: "Z"
@@ -564,6 +601,11 @@
      interface: auto-plug-or
      s: S1
 
+   auto-plug-on-store1:
+   auto-plug-on-my-brand:
+   auto-plug-on-my-model2:
+   auto-plug-on-multi:
+
    slot-or-p1-s1:
      interface: slot-or
      s: S1
@@ -588,6 +630,11 @@
      interface: auto-slot-or
      s: S1
 
+   auto-slot-on-store1:
+   auto-slot-on-my-brand:
+   auto-slot-on-my-model2:
+   auto-slot-on-multi:
+
    slot-on-classic-true:
    slot-on-classic-distros:
    slot-on-classic-false:
@@ -632,6 +679,30 @@
   auto-snap-slot-deny-snap-plug-allow:
     deny-auto-connection: false
   auto-base-deny-snap-plug-allow: true
+  auto-plug-on-store1:
+    allow-auto-connection:
+      on-store:
+        - store1
+  auto-plug-on-my-brand:
+    allow-auto-connection:
+      on-brand:
+        - my-brand
+        - my-brand-subbrand
+  auto-plug-on-my-model2:
+    allow-auto-connection:
+      on-model:
+        - my-brand-subbrand/my-model2
+  auto-plug-on-multi:
+    allow-auto-connection:
+      on-brand:
+        - my-brand
+        - my-brand-subbrand
+      on-store:
+        - store1
+        - other-store
+      on-model:
+        - my-brand/my-model1
+        - my-brand-subbrand/my-model2
 timestamp: 2016-09-30T12:00:00Z
 sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
 
@@ -672,6 +743,30 @@
     deny-auto-connection: true
   auto-base-allow-snap-slot-not-allow:
     allow-auto-connection: false
+  auto-slot-on-store1:
+    allow-auto-connection:
+      on-store:
+        - store1
+  auto-slot-on-my-brand:
+    allow-auto-connection:
+      on-brand:
+        - my-brand
+        - my-brand-subbrand
+  auto-slot-on-my-model2:
+    allow-auto-connection:
+      on-model:
+        - my-brand-subbrand/my-model2
+  auto-slot-on-multi:
+    allow-auto-connection:
+      on-brand:
+        - my-brand
+        - my-brand-subbrand
+      on-store:
+        - store1
+        - other-store
+      on-model:
+        - my-brand/my-model1
+        - my-brand-subbrand/my-model2
 timestamp: 2016-09-30T12:00:00Z
 sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
 
@@ -713,8 +808,8 @@
 
 func (s *policySuite) TestBaselineDefaultIsAllow(c *C) {
 	cand := policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["random"],
-		Slot:            s.slotSnap.Slots["random"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["random"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["random"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 
@@ -724,8 +819,8 @@
 
 func (s *policySuite) TestInterfaceMismatch(c *C) {
 	cand := policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["mismatchy"],
-		Slot:            s.slotSnap.Slots["mismatchy"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["mismatchy"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["mismatchy"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 
@@ -757,8 +852,8 @@
 
 	for _, t := range tests {
 		cand := policy.ConnectCandidate{
-			Plug:            s.plugSnap.Plugs[t.iface],
-			Slot:            s.slotSnap.Slots[t.iface],
+			Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
 			BaseDeclaration: s.baseDecl,
 		}
 
@@ -796,8 +891,8 @@
 
 	for _, t := range tests {
 		cand := policy.ConnectCandidate{
-			Plug:            s.plugSnap.Plugs[t.iface],
-			Slot:            s.slotSnap.Slots[t.iface],
+			Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
 			BaseDeclaration: s.baseDecl,
 		}
 
@@ -830,8 +925,8 @@
 
 	for _, t := range tests {
 		cand := policy.ConnectCandidate{
-			Plug:                s.plugSnap.Plugs[t.iface],
-			Slot:                s.slotSnap.Slots[t.iface],
+			Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
 			PlugSnapDeclaration: s.plugDecl,
 			SlotSnapDeclaration: s.slotDecl,
 			BaseDeclaration:     s.baseDecl,
@@ -866,8 +961,8 @@
 
 	for _, t := range tests {
 		cand := policy.ConnectCandidate{
-			Plug:                s.plugSnap.Plugs[t.iface],
-			Slot:                s.slotSnap.Slots[t.iface],
+			Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
 			PlugSnapDeclaration: s.plugDecl,
 			SlotSnapDeclaration: s.slotDecl,
 			BaseDeclaration:     s.baseDecl,
@@ -903,33 +998,33 @@
 `, nil)
 
 	cand := policy.ConnectCandidate{
-		Plug:            gadgetSnap.Plugs["gadgethelp"],
-		Slot:            coreSnap.Slots["gadgethelp"],
+		Plug:            interfaces.NewConnectedPlug(gadgetSnap.Plugs["gadgethelp"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(coreSnap.Slots["gadgethelp"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), IsNil)
 
 	cand = policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["gadgethelp"],
-		Slot:            coreSnap.Slots["gadgethelp"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["gadgethelp"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(coreSnap.Slots["gadgethelp"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	for _, trustedSide := range []*snap.Info{coreSnap, gadgetSnap} {
 		cand = policy.ConnectCandidate{
-			Plug:                s.plugSnap.Plugs["trustedhelp"],
+			Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["trustedhelp"], nil, nil),
 			PlugSnapDeclaration: s.plugDecl,
-			Slot:                trustedSide.Slots["trustedhelp"],
+			Slot:                interfaces.NewConnectedSlot(trustedSide.Slots["trustedhelp"], nil, nil),
 			BaseDeclaration:     s.baseDecl,
 		}
 		c.Check(cand.Check(), IsNil)
 	}
 
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["trustedhelp"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["trustedhelp"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.slotSnap.Slots["trustedhelp"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["trustedhelp"], nil, nil),
 		BaseDeclaration:     s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
@@ -938,8 +1033,8 @@
 func (s *policySuite) TestPlugSnapIDCheckConnection(c *C) {
 	// no plug-side declaration
 	cand := policy.ConnectCandidate{
-		Plug:                s.randomSnap.Plugs["precise-plug-snap-id"],
-		Slot:                s.slotSnap.Slots["precise-plug-snap-id"],
+		Plug:                interfaces.NewConnectedPlug(s.randomSnap.Plugs["precise-plug-snap-id"], nil, nil),
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["precise-plug-snap-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -947,9 +1042,9 @@
 
 	// plug-side declaration, wrong snap-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.randomSnap.Plugs["precise-plug-snap-id"],
+		Plug:                interfaces.NewConnectedPlug(s.randomSnap.Plugs["precise-plug-snap-id"], nil, nil),
 		PlugSnapDeclaration: s.randomDecl,
-		Slot:                s.slotSnap.Slots["precise-plug-snap-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["precise-plug-snap-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -957,9 +1052,9 @@
 
 	// right snap-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["precise-plug-snap-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["precise-plug-snap-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.slotSnap.Slots["precise-plug-snap-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["precise-plug-snap-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -969,18 +1064,18 @@
 func (s *policySuite) TestSlotSnapIDCheckConnection(c *C) {
 	// no slot-side declaration
 	cand := policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["precise-slot-snap-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["precise-slot-snap-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.randomSnap.Slots["precise-slot-snap-id"],
+		Slot:                interfaces.NewConnectedSlot(s.randomSnap.Slots["precise-slot-snap-id"], nil, nil),
 		BaseDeclaration:     s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// slot-side declaration, wrong snap-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["precise-slot-snap-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["precise-slot-snap-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.randomSnap.Slots["precise-slot-snap-id"],
+		Slot:                interfaces.NewConnectedSlot(s.randomSnap.Slots["precise-slot-snap-id"], nil, nil),
 		SlotSnapDeclaration: s.randomDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -988,9 +1083,9 @@
 
 	// right snap-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["precise-slot-snap-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["precise-slot-snap-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.slotSnap.Slots["precise-slot-snap-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["precise-slot-snap-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1000,8 +1095,8 @@
 func (s *policySuite) TestPlugPublisherIDCheckConnection(c *C) {
 	// no plug-side declaration
 	cand := policy.ConnectCandidate{
-		Plug:                s.randomSnap.Plugs["checked-plug-publisher-id"],
-		Slot:                s.slotSnap.Slots["checked-plug-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.randomSnap.Plugs["checked-plug-publisher-id"], nil, nil),
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["checked-plug-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1009,9 +1104,9 @@
 
 	// plug-side declaration, wrong publisher-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.randomSnap.Plugs["checked-plug-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.randomSnap.Plugs["checked-plug-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.randomDecl,
-		Slot:                s.slotSnap.Slots["checked-plug-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["checked-plug-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1019,9 +1114,9 @@
 
 	// right publisher-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["checked-plug-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["checked-plug-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.slotSnap.Slots["checked-plug-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["checked-plug-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1031,18 +1126,18 @@
 func (s *policySuite) TestSlotPublisherIDCheckConnection(c *C) {
 	// no slot-side declaration
 	cand := policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["checked-slot-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["checked-slot-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.randomSnap.Slots["checked-slot-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.randomSnap.Slots["checked-slot-publisher-id"], nil, nil),
 		BaseDeclaration:     s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// slot-side declaration, wrong publisher-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["checked-slot-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["checked-slot-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.randomSnap.Slots["checked-slot-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.randomSnap.Slots["checked-slot-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.randomDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1050,9 +1145,9 @@
 
 	// right publisher-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["checked-slot-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["checked-slot-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.slotSnap.Slots["checked-slot-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["checked-slot-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1062,26 +1157,26 @@
 func (s *policySuite) TestDollarPlugPublisherIDCheckConnection(c *C) {
 	// no known publishers
 	cand := policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["same-plug-publisher-id"],
-		Slot:            s.randomSnap.Slots["same-plug-publisher-id"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["same-plug-publisher-id"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.randomSnap.Slots["same-plug-publisher-id"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// no slot-side declaration
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["same-plug-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["same-plug-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.randomSnap.Slots["same-plug-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.randomSnap.Slots["same-plug-publisher-id"], nil, nil),
 		BaseDeclaration:     s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// slot-side declaration, wrong publisher-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["same-plug-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["same-plug-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                s.randomSnap.Slots["same-plug-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.randomSnap.Slots["same-plug-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.randomDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1109,9 +1204,9 @@
 	samePubSlotDecl := a.(*asserts.SnapDeclaration)
 
 	cand = policy.ConnectCandidate{
-		Plug:                s.plugSnap.Plugs["same-plug-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs["same-plug-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.plugDecl,
-		Slot:                samePubSlotSnap.Slots["same-plug-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(samePubSlotSnap.Slots["same-plug-publisher-id"], nil, nil),
 		SlotSnapDeclaration: samePubSlotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1121,16 +1216,16 @@
 func (s *policySuite) TestDollarSlotPublisherIDCheckConnection(c *C) {
 	// no known publishers
 	cand := policy.ConnectCandidate{
-		Plug:            s.randomSnap.Plugs["same-slot-publisher-id"],
-		Slot:            s.slotSnap.Slots["same-slot-publisher-id"],
+		Plug:            interfaces.NewConnectedPlug(s.randomSnap.Plugs["same-slot-publisher-id"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["same-slot-publisher-id"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// no plug-side declaration
 	cand = policy.ConnectCandidate{
-		Plug:                s.randomSnap.Plugs["same-slot-publisher-id"],
-		Slot:                s.slotSnap.Slots["same-slot-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.randomSnap.Plugs["same-slot-publisher-id"], nil, nil),
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["same-slot-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1138,9 +1233,9 @@
 
 	// plug-side declaration, wrong publisher-id
 	cand = policy.ConnectCandidate{
-		Plug:                s.randomSnap.Plugs["same-slot-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(s.randomSnap.Plugs["same-slot-publisher-id"], nil, nil),
 		PlugSnapDeclaration: s.randomDecl,
-		Slot:                s.slotSnap.Slots["same-slot-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["same-slot-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1168,9 +1263,9 @@
 	samePubPlugDecl := a.(*asserts.SnapDeclaration)
 
 	cand = policy.ConnectCandidate{
-		Plug:                samePubPlugSnap.Plugs["same-slot-publisher-id"],
+		Plug:                interfaces.NewConnectedPlug(samePubPlugSnap.Plugs["same-slot-publisher-id"], nil, nil),
 		PlugSnapDeclaration: samePubPlugDecl,
-		Slot:                s.slotSnap.Slots["same-slot-publisher-id"],
+		Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots["same-slot-publisher-id"], nil, nil),
 		SlotSnapDeclaration: s.slotDecl,
 		BaseDeclaration:     s.baseDecl,
 	}
@@ -1429,8 +1524,8 @@
 			}
 		}
 		cand := policy.ConnectCandidate{
-			Plug:            s.plugSnap.Plugs[t.iface],
-			Slot:            s.slotSnap.Slots[t.iface],
+			Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
 			BaseDeclaration: s.baseDecl,
 		}
 		err := cand.Check()
@@ -1473,8 +1568,8 @@
 			}
 		}
 		cand := policy.ConnectCandidate{
-			Plug:            s.plugSnap.Plugs[t.iface],
-			Slot:            s.slotSnap.Slots[t.iface],
+			Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
 			BaseDeclaration: s.baseDecl,
 		}
 		err := cand.Check()
@@ -1540,27 +1635,373 @@
 	}
 }
 
+var (
+	otherModel *asserts.Model
+	myModel1   *asserts.Model
+	myModel2   *asserts.Model
+	myModel3   *asserts.Model
+
+	substore1 *asserts.Store
+)
+
+func init() {
+	a, err := asserts.Decode([]byte(`type: model
+authority-id: other-brand
+series: 16
+brand-id: other-brand
+model: other-model
+classic: true
+gadget: gadget
+timestamp: 2018-09-12T12:00:00Z
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==`))
+	if err != nil {
+		panic(err)
+	}
+	otherModel = a.(*asserts.Model)
+
+	a, err = asserts.Decode([]byte(`type: model
+authority-id: my-brand
+series: 16
+brand-id: my-brand
+model: my-model1
+store: store1
+architecture: armhf
+kernel: krnl
+gadget: gadget
+timestamp: 2018-09-12T12:00:00Z
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==`))
+	if err != nil {
+		panic(err)
+	}
+	myModel1 = a.(*asserts.Model)
+
+	a, err = asserts.Decode([]byte(`type: model
+authority-id: my-brand-subbrand
+series: 16
+brand-id: my-brand-subbrand
+model: my-model2
+store: store2
+architecture: armhf
+kernel: krnl
+gadget: gadget
+timestamp: 2018-09-12T12:00:00Z
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==`))
+	if err != nil {
+		panic(err)
+	}
+	myModel2 = a.(*asserts.Model)
+
+	a, err = asserts.Decode([]byte(`type: model
+authority-id: my-brand
+series: 16
+brand-id: my-brand
+model: my-model3
+store: substore1
+architecture: armhf
+kernel: krnl
+gadget: gadget
+timestamp: 2018-09-12T12:00:00Z
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==`))
+	if err != nil {
+		panic(err)
+	}
+	myModel3 = a.(*asserts.Model)
+
+	a, err = asserts.Decode([]byte(`type: store
+store: substore1
+authority-id: canonical
+operator-id: canonical
+friendly-stores:
+  - a-store
+  - store1
+  - store2
+timestamp: 2018-09-12T12:00:00Z
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==`))
+	if err != nil {
+		panic(err)
+	}
+	substore1 = a.(*asserts.Store)
+}
+
+func (s *policySuite) TestPlugDeviceScopeCheckAutoConnection(c *C) {
+	tests := []struct {
+		model *asserts.Model
+		iface string
+		err   string // "" => no error
+	}{
+		{nil, "auto-plug-on-store1", `auto-connection not allowed by plug rule of interface "auto-plug-on-store1" for "plug-snap" snap`},
+		{otherModel, "auto-plug-on-store1", `auto-connection not allowed by plug rule of interface "auto-plug-on-store1" for "plug-snap" snap`},
+		{myModel1, "auto-plug-on-store1", ""},
+		{myModel2, "auto-plug-on-store1", `auto-connection not allowed by plug rule of interface "auto-plug-on-store1" for "plug-snap" snap`},
+		{otherModel, "auto-plug-on-my-brand", `auto-connection not allowed by plug rule of interface "auto-plug-on-my-brand" for "plug-snap" snap`},
+		{myModel1, "auto-plug-on-my-brand", ""},
+		{myModel2, "auto-plug-on-my-brand", ""},
+		{otherModel, "auto-plug-on-my-model2", `auto-connection not allowed by plug rule of interface "auto-plug-on-my-model2" for "plug-snap" snap`},
+		{myModel1, "auto-plug-on-my-model2", `auto-connection not allowed by plug rule of interface "auto-plug-on-my-model2" for "plug-snap" snap`},
+		{myModel2, "auto-plug-on-my-model2", ""},
+		// on-store/on-brand/on-model are ANDed for consistency!
+		{otherModel, "auto-plug-on-multi", `auto-connection not allowed by plug rule of interface "auto-plug-on-multi" for "plug-snap" snap`},
+		{myModel1, "auto-plug-on-multi", ""},
+		{myModel2, "auto-plug-on-multi", `auto-connection not allowed by plug rule of interface "auto-plug-on-multi" for "plug-snap" snap`},
+	}
+
+	for _, t := range tests {
+		cand := policy.ConnectCandidate{
+			Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
+			PlugSnapDeclaration: s.plugDecl,
+			SlotSnapDeclaration: s.slotDecl,
+
+			BaseDeclaration: s.baseDecl,
+
+			Model: t.model,
+		}
+		err := cand.CheckAutoConnect()
+		if t.err == "" {
+			c.Check(err, IsNil)
+		} else {
+			c.Check(err, ErrorMatches, t.err)
+		}
+	}
+}
+
+func (s *policySuite) TestPlugDeviceScopeFriendlyStoreCheckAutoConnection(c *C) {
+	tests := []struct {
+		model *asserts.Model
+		store *asserts.Store
+		iface string
+		err   string // "" => no error
+	}{
+		{nil, nil, "auto-plug-on-store1", `auto-connection not allowed by plug rule of interface "auto-plug-on-store1" for "plug-snap" snap`},
+		{myModel3, nil, "auto-plug-on-store1", `auto-connection not allowed by plug rule of interface "auto-plug-on-store1" for "plug-snap" snap`},
+		{myModel3, substore1, "auto-plug-on-store1", ""},
+		{myModel2, substore1, "auto-plug-on-store1", `auto-connection not allowed by plug rule of interface "auto-plug-on-store1" for "plug-snap" snap`},
+	}
+
+	for _, t := range tests {
+		cand := policy.ConnectCandidate{
+			Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
+			PlugSnapDeclaration: s.plugDecl,
+			SlotSnapDeclaration: s.slotDecl,
+
+			BaseDeclaration: s.baseDecl,
+
+			Model: t.model,
+			Store: t.store,
+		}
+		err := cand.CheckAutoConnect()
+		if t.err == "" {
+			c.Check(err, IsNil)
+		} else {
+			c.Check(err, ErrorMatches, t.err)
+		}
+	}
+}
+
+func (s *policySuite) TestSlotDeviceScopeCheckAutoConnection(c *C) {
+	tests := []struct {
+		model *asserts.Model
+		iface string
+		err   string // "" => no error
+	}{
+		{nil, "auto-slot-on-store1", `auto-connection not allowed by slot rule of interface "auto-slot-on-store1" for "slot-snap" snap`},
+		{otherModel, "auto-slot-on-store1", `auto-connection not allowed by slot rule of interface "auto-slot-on-store1" for "slot-snap" snap`},
+		{myModel1, "auto-slot-on-store1", ""},
+		{myModel2, "auto-slot-on-store1", `auto-connection not allowed by slot rule of interface "auto-slot-on-store1" for "slot-snap" snap`},
+		{otherModel, "auto-slot-on-my-brand", `auto-connection not allowed by slot rule of interface "auto-slot-on-my-brand" for "slot-snap" snap`},
+		{myModel1, "auto-slot-on-my-brand", ""},
+		{myModel2, "auto-slot-on-my-brand", ""},
+		{otherModel, "auto-slot-on-my-model2", `auto-connection not allowed by slot rule of interface "auto-slot-on-my-model2" for "slot-snap" snap`},
+		{myModel1, "auto-slot-on-my-model2", `auto-connection not allowed by slot rule of interface "auto-slot-on-my-model2" for "slot-snap" snap`},
+		{myModel2, "auto-slot-on-my-model2", ""},
+		// on-store/on-brand/on-model are ANDed for consistency!
+		{otherModel, "auto-slot-on-multi", `auto-connection not allowed by slot rule of interface "auto-slot-on-multi" for "slot-snap" snap`},
+		{myModel1, "auto-slot-on-multi", ""},
+		{myModel2, "auto-slot-on-multi", `auto-connection not allowed by slot rule of interface "auto-slot-on-multi" for "slot-snap" snap`},
+	}
+
+	for _, t := range tests {
+		cand := policy.ConnectCandidate{
+			Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
+			PlugSnapDeclaration: s.plugDecl,
+			SlotSnapDeclaration: s.slotDecl,
+
+			BaseDeclaration: s.baseDecl,
+
+			Model: t.model,
+		}
+		err := cand.CheckAutoConnect()
+		if t.err == "" {
+			c.Check(err, IsNil)
+		} else {
+			c.Check(err, ErrorMatches, t.err)
+		}
+	}
+}
+
+func (s *policySuite) TestSlotDeviceScopeFriendlyStoreCheckAutoConnection(c *C) {
+	tests := []struct {
+		model *asserts.Model
+		store *asserts.Store
+		iface string
+		err   string // "" => no error
+	}{
+		{nil, nil, "auto-slot-on-store1", `auto-connection not allowed by slot rule of interface "auto-slot-on-store1" for "slot-snap" snap`},
+		{myModel3, nil, "auto-slot-on-store1", `auto-connection not allowed by slot rule of interface "auto-slot-on-store1" for "slot-snap" snap`},
+		{myModel3, substore1, "auto-slot-on-store1", ""},
+		{myModel2, substore1, "auto-slot-on-store1", `auto-connection not allowed by slot rule of interface "auto-slot-on-store1" for "slot-snap" snap`},
+	}
+
+	for _, t := range tests {
+		cand := policy.ConnectCandidate{
+			Plug:                interfaces.NewConnectedPlug(s.plugSnap.Plugs[t.iface], nil, nil),
+			Slot:                interfaces.NewConnectedSlot(s.slotSnap.Slots[t.iface], nil, nil),
+			PlugSnapDeclaration: s.plugDecl,
+			SlotSnapDeclaration: s.slotDecl,
+
+			BaseDeclaration: s.baseDecl,
+
+			Model: t.model,
+			Store: t.store,
+		}
+		err := cand.CheckAutoConnect()
+		if t.err == "" {
+			c.Check(err, IsNil)
+		} else {
+			c.Check(err, ErrorMatches, t.err)
+		}
+	}
+}
+
+func (s *policySuite) TestDeviceScopeInstallation(c *C) {
+	const plugSnap = `name: install-snap
+version: 0
+plugs:
+  install-plug-device-scope:`
+
+	const slotSnap = `name: install-snap
+version: 0
+slots:
+  install-slot-device-scope:`
+
+	const plugOnStore1 = `plugs:
+  install-plug-device-scope:
+    allow-installation:
+      on-store:
+        - store1
+`
+	const plugOnMulti = `plugs:
+  install-plug-device-scope:
+    allow-installation:
+      on-brand:
+        - my-brand
+        - my-brand-subbrand
+      on-store:
+        - store1
+        - other-store
+      on-model:
+        - my-brand/my-model1
+        - my-brand-subbrand/my-model2
+`
+	const slotOnStore2 = `slots:
+  install-slot-device-scope:
+    allow-installation:
+      on-store:
+        - store2
+`
+
+	tests := []struct {
+		model       *asserts.Model
+		store       *asserts.Store
+		installYaml string
+		plugsSlots  string
+		err         string // "" => no error
+	}{
+		{nil, nil, plugSnap, plugOnStore1, `installation not allowed by "install-plug-device-scope" plug rule of interface "install-plug-device-scope" for "install-snap" snap`},
+		{otherModel, nil, plugSnap, plugOnStore1, `installation not allowed by "install-plug-device-scope" plug rule of interface "install-plug-device-scope" for "install-snap" snap`},
+		{myModel1, nil, plugSnap, plugOnStore1, ""},
+		{myModel2, nil, plugSnap, plugOnStore1, `installation not allowed by "install-plug-device-scope" plug rule of interface "install-plug-device-scope" for "install-snap" snap`},
+		{otherModel, nil, plugSnap, plugOnMulti, `installation not allowed by "install-plug-device-scope" plug rule of interface "install-plug-device-scope" for "install-snap" snap`},
+		{myModel1, nil, plugSnap, plugOnMulti, ""},
+		{myModel2, nil, plugSnap, plugOnMulti, `installation not allowed by "install-plug-device-scope" plug rule of interface "install-plug-device-scope" for "install-snap" snap`},
+		{otherModel, nil, slotSnap, slotOnStore2, `installation not allowed by "install-slot-device-scope" slot rule of interface "install-slot-device-scope" for "install-snap" snap`},
+		{myModel1, nil, slotSnap, slotOnStore2, `installation not allowed by "install-slot-device-scope" slot rule of interface "install-slot-device-scope" for "install-snap" snap`},
+		{myModel2, nil, slotSnap, slotOnStore2, ""},
+		// friendly-stores
+		{myModel3, nil, plugSnap, plugOnStore1, `installation not allowed by "install-plug-device-scope" plug rule of interface "install-plug-device-scope" for "install-snap" snap`},
+		{myModel3, substore1, plugSnap, plugOnStore1, ""},
+		{myModel2, substore1, plugSnap, plugOnStore1, `installation not allowed by "install-plug-device-scope" plug rule of interface "install-plug-device-scope" for "install-snap" snap`},
+		{myModel3, nil, slotSnap, slotOnStore2, `installation not allowed by "install-slot-device-scope" slot rule of interface "install-slot-device-scope" for \"install-snap\" snap`},
+		{myModel3, substore1, slotSnap, slotOnStore2, ""},
+		{myModel2, substore1, slotSnap, slotOnStore2, `installation not allowed by "install-slot-device-scope" slot rule of interface "install-slot-device-scope" for \"install-snap\" snap`},
+	}
+
+	for _, t := range tests {
+		installSnap := snaptest.MockInfo(c, t.installYaml, nil)
+
+		a, err := asserts.Decode([]byte(strings.Replace(`type: snap-declaration
+authority-id: canonical
+series: 16
+snap-name: install-snap
+snap-id: installsnap6idididididididididid
+publisher-id: publisher
+@plugsSlots@
+timestamp: 2016-09-30T12:00:00Z
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+AXNpZw==`, "@plugsSlots@", strings.TrimSpace(t.plugsSlots), 1)))
+		c.Assert(err, IsNil)
+		snapDecl := a.(*asserts.SnapDeclaration)
+
+		cand := policy.InstallCandidate{
+			Snap:            installSnap,
+			SnapDeclaration: snapDecl,
+			BaseDeclaration: s.baseDecl,
+			Model:           t.model,
+			Store:           t.store,
+		}
+		err = cand.Check()
+		if t.err == "" {
+			c.Check(err, IsNil)
+		} else {
+			c.Check(err, ErrorMatches, t.err)
+		}
+	}
+}
+
 func (s *policySuite) TestSlotDollarSlotAttrConnection(c *C) {
 	// no corresponding attr
 	cand := policy.ConnectCandidate{
-		Plug:            s.randomSnap.Plugs["slot-slot-attr"],
-		Slot:            s.slotSnap.Slots["slot-slot-attr"],
+		Plug:            interfaces.NewConnectedPlug(s.randomSnap.Plugs["slot-slot-attr"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-slot-attr"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// different attr values
 	cand = policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["slot-slot-attr-mismatch"],
-		Slot:            s.slotSnap.Slots["slot-slot-attr"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-slot-attr-mismatch"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-slot-attr"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// plug attr == slot attr
 	cand = policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["slot-slot-attr-match"],
-		Slot:            s.slotSnap.Slots["slot-slot-attr"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-slot-attr-match"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-slot-attr"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), IsNil)
@@ -1569,16 +2010,16 @@
 func (s *policySuite) TestSlotDollarPlugAttrConnection(c *C) {
 	// different attr values
 	cand := policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["slot-plug-attr-mismatch"],
-		Slot:            s.slotSnap.Slots["slot-plug-attr"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-plug-attr-mismatch"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-plug-attr"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// plug attr == slot attr
 	cand = policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["slot-plug-attr-match"],
-		Slot:            s.slotSnap.Slots["slot-plug-attr"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-plug-attr-match"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-plug-attr"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), IsNil)
@@ -1587,16 +2028,16 @@
 func (s *policySuite) TestPlugDollarPlugAttrConnection(c *C) {
 	// different attr values
 	cand := policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["plug-plug-attr"],
-		Slot:            s.slotSnap.Slots["plug-plug-attr-mismatch"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["plug-plug-attr"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["plug-plug-attr-mismatch"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// plug attr == slot attr
 	cand = policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["plug-plug-attr"],
-		Slot:            s.slotSnap.Slots["plug-plug-attr-match"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["plug-plug-attr"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["plug-plug-attr-match"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), IsNil)
@@ -1605,16 +2046,16 @@
 func (s *policySuite) TestPlugDollarSlotAttrConnection(c *C) {
 	// different attr values
 	cand := policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["plug-slot-attr"],
-		Slot:            s.slotSnap.Slots["plug-slot-attr-mismatch"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["plug-slot-attr"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["plug-slot-attr-mismatch"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// plug attr == slot attr
 	cand = policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["plug-slot-attr"],
-		Slot:            s.slotSnap.Slots["plug-slot-attr-match"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["plug-slot-attr"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["plug-slot-attr-match"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), IsNil)
@@ -1623,16 +2064,58 @@
 func (s *policySuite) TestDollarMissingConnection(c *C) {
 	// not missing
 	cand := policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["slot-plug-missing-mismatch"],
-		Slot:            s.slotSnap.Slots["slot-plug-missing"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-plug-missing-mismatch"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-plug-missing"], nil, nil),
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
 
 	// missing
 	cand = policy.ConnectCandidate{
-		Plug:            s.plugSnap.Plugs["slot-plug-missing-match"],
-		Slot:            s.slotSnap.Slots["slot-plug-missing"],
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-plug-missing-match"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-plug-missing"], nil, nil),
+		BaseDeclaration: s.baseDecl,
+	}
+	c.Check(cand.Check(), IsNil)
+}
+
+func (s *policySuite) TestSlotDollarPlugDynamicAttrConnection(c *C) {
+	// "c" attribute of the plug missing
+	cand := policy.ConnectCandidate{
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-plug-attr-dynamic"], nil, map[string]interface{}{}),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-plug-attr"], nil, nil),
+		BaseDeclaration: s.baseDecl,
+	}
+	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
+
+	// plug attr == slot attr, "c" attribute of the plug provided by dynamic attribute
+	cand = policy.ConnectCandidate{
+		Plug: interfaces.NewConnectedPlug(s.plugSnap.Plugs["slot-plug-attr-dynamic"], nil, map[string]interface{}{
+			"c": "C",
+		}),
+
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["slot-plug-attr"], nil, nil),
+		BaseDeclaration: s.baseDecl,
+	}
+	c.Check(cand.Check(), IsNil)
+}
+
+func (s *policySuite) TestPlugDollarSlotDynamicAttrConnection(c *C) {
+	// "c" attribute of the slot missing
+	cand := policy.ConnectCandidate{
+		Plug:            interfaces.NewConnectedPlug(s.plugSnap.Plugs["plug-plug-attr"], nil, nil),
+		Slot:            interfaces.NewConnectedSlot(s.slotSnap.Slots["plug-plug-attr-dynamic"], nil, map[string]interface{}{}),
+		BaseDeclaration: s.baseDecl,
+	}
+	c.Check(cand.Check(), ErrorMatches, "connection not allowed.*")
+
+	// plug attr == slot attr, "c" attribute of the slot provided by dynamic attribute
+	cand = policy.ConnectCandidate{
+		Plug: interfaces.NewConnectedPlug(s.plugSnap.Plugs["plug-plug-attr"], nil, nil),
+		Slot: interfaces.NewConnectedSlot(s.slotSnap.Slots["plug-plug-attr-dynamic"], nil, map[string]interface{}{
+			"c": "C",
+		}),
+
 		BaseDeclaration: s.baseDecl,
 	}
 	c.Check(cand.Check(), IsNil)
diff -Nru snapd-2.32.3.2~14.04/interfaces/repo.go snapd-2.37~rc1~14.04/interfaces/repo.go
--- snapd-2.32.3.2~14.04/interfaces/repo.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/repo.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,6 +25,7 @@
 	"strings"
 	"sync"
 
+	"github.com/snapcore/snapd/interfaces/hotplug"
 	"github.com/snapcore/snapd/snap"
 )
 
@@ -33,6 +34,8 @@
 	// Protects the internals from concurrent access.
 	m      sync.Mutex
 	ifaces map[string]Interface
+	// subset of ifaces that implement HotplugDeviceAdded method
+	hotplugIfaces map[string]Interface
 	// Indexed by [snapName][plugName]
 	plugs map[string]map[string]*snap.PlugInfo
 	slots map[string]map[string]*snap.SlotInfo
@@ -40,18 +43,18 @@
 	slotPlugs map[*snap.SlotInfo]map[*snap.PlugInfo]*Connection
 	// given a plug and a slot, are they connected?
 	plugSlots map[*snap.PlugInfo]map[*snap.SlotInfo]*Connection
-	backends  map[SecuritySystem]SecurityBackend
+	backends  []SecurityBackend
 }
 
 // NewRepository creates an empty plug repository.
 func NewRepository() *Repository {
 	repo := &Repository{
-		ifaces:    make(map[string]Interface),
-		plugs:     make(map[string]map[string]*snap.PlugInfo),
-		slots:     make(map[string]map[string]*snap.SlotInfo),
-		slotPlugs: make(map[*snap.SlotInfo]map[*snap.PlugInfo]*Connection),
-		plugSlots: make(map[*snap.PlugInfo]map[*snap.SlotInfo]*Connection),
-		backends:  make(map[SecuritySystem]SecurityBackend),
+		ifaces:        make(map[string]Interface),
+		hotplugIfaces: make(map[string]Interface),
+		plugs:         make(map[string]map[string]*snap.PlugInfo),
+		slots:         make(map[string]map[string]*snap.SlotInfo),
+		slotPlugs:     make(map[*snap.SlotInfo]map[*snap.PlugInfo]*Connection),
+		plugSlots:     make(map[*snap.PlugInfo]map[*snap.SlotInfo]*Connection),
 	}
 
 	return repo
@@ -71,16 +74,47 @@
 	defer r.m.Unlock()
 
 	interfaceName := i.Name()
-	if err := ValidateName(interfaceName); err != nil {
+	if err := snap.ValidateInterfaceName(interfaceName); err != nil {
 		return err
 	}
 	if _, ok := r.ifaces[interfaceName]; ok {
 		return fmt.Errorf("cannot add interface: %q, interface name is in use", interfaceName)
 	}
 	r.ifaces[interfaceName] = i
+
+	if _, ok := i.(hotplug.Definer); ok {
+		r.hotplugIfaces[interfaceName] = i
+	}
+
 	return nil
 }
 
+// AllInterfaces returns all the interfaces added to the repository, ordered by name.
+func (r *Repository) AllInterfaces() []Interface {
+	r.m.Lock()
+	defer r.m.Unlock()
+
+	ifaces := make([]Interface, 0, len(r.ifaces))
+	for _, iface := range r.ifaces {
+		ifaces = append(ifaces, iface)
+	}
+	sort.Sort(byInterfaceName(ifaces))
+	return ifaces
+}
+
+// AllHotplugInterfaces returns all interfaces that handle hotplug events.
+func (r *Repository) AllHotplugInterfaces() []Interface {
+	r.m.Lock()
+	defer r.m.Unlock()
+
+	ifaces := make([]Interface, 0, len(r.hotplugIfaces))
+	for _, iface := range r.hotplugIfaces {
+		ifaces = append(ifaces, iface)
+	}
+	sort.Sort(byInterfaceName(ifaces))
+	return ifaces
+}
+
 // InfoOptions describes options for Info.
 //
 // Names: return just this subset if non-empty.
@@ -196,10 +230,12 @@
 	defer r.m.Unlock()
 
 	name := backend.Name()
-	if _, ok := r.backends[name]; ok {
-		return fmt.Errorf("cannot add backend %q, security system name is in use", name)
+	for _, other := range r.backends {
+		if other.Name() == name {
+			return fmt.Errorf("cannot add backend %q, security system name is in use", name)
+		}
 	}
-	r.backends[name] = backend
+	r.backends = append(r.backends, backend)
 	return nil
 }
 
@@ -242,6 +278,29 @@
 	return r.plugs[snapName][plugName]
 }
 
+// Connection returns the specified Connection object or an error.
+func (r *Repository) Connection(connRef *ConnRef) (*Connection, error) {
+	// Ensure that such plug exists
+	plug := r.plugs[connRef.PlugRef.Snap][connRef.PlugRef.Name]
+	if plug == nil {
+		return nil, fmt.Errorf("snap %q has no plug named %q", connRef.PlugRef.Snap, connRef.PlugRef.Name)
+	}
+	// Ensure that such slot exists
+	slot := r.slots[connRef.SlotRef.Snap][connRef.SlotRef.Name]
+	if slot == nil {
+		return nil, fmt.Errorf("snap %q has no slot named %q", connRef.SlotRef.Snap, connRef.SlotRef.Name)
+	}
+	// Ensure that slot and plug are connected
+	conn, ok := r.slotPlugs[slot][plug]
+	if !ok {
+		return nil, fmt.Errorf("no connection from %s:%s to %s:%s",
+			connRef.PlugRef.Snap, connRef.PlugRef.Name,
+			connRef.SlotRef.Snap, connRef.SlotRef.Name)
+	}
+
+	return conn, nil
+}
+
 // AddPlug adds a plug to the repository.
 // Plug names must be valid snap names, as defined by ValidateName.
 // Plug name must be unique within a particular snap.
@@ -249,14 +308,14 @@
 	r.m.Lock()
 	defer r.m.Unlock()
 
-	snapName := plug.Snap.Name()
+	snapName := plug.Snap.InstanceName()
 
 	// Reject snaps with invalid names
-	if err := snap.ValidateName(snapName); err != nil {
+	if err := snap.ValidateInstanceName(snapName); err != nil {
 		return err
 	}
-	// Reject plug with invalid names
-	if err := ValidateName(plug.Name); err != nil {
+	// Reject plugs with invalid names
+	if err := snap.ValidatePlugName(plug.Name); err != nil {
 		return err
 	}
 	i := r.ifaces[plug.Interface]
@@ -344,14 +403,14 @@
 	r.m.Lock()
 	defer r.m.Unlock()
 
-	snapName := slot.Snap.Name()
+	snapName := slot.Snap.InstanceName()
 
 	// Reject snaps with invalid names
-	if err := snap.ValidateName(snapName); err != nil {
+	if err := snap.ValidateInstanceName(snapName); err != nil {
 		return err
 	}
-	// Reject plug with invalid names
-	if err := ValidateName(slot.Name); err != nil {
+	// Reject slots with invalid names
+	if err := snap.ValidateSlotName(slot.Name); err != nil {
 		return err
 	}
 	// TODO: ensure that apps are correct
@@ -397,27 +456,27 @@
 
 // ResolveConnect resolves potentially missing plug or slot names and returns a
 // fully populated connection reference.
-func (r *Repository) ResolveConnect(plugSnapName, plugName, slotSnapName, slotName string) (ConnRef, error) {
+func (r *Repository) ResolveConnect(plugSnapName, plugName, slotSnapName, slotName string) (*ConnRef, error) {
 	r.m.Lock()
 	defer r.m.Unlock()
 
-	ref := ConnRef{}
-
 	if plugSnapName == "" {
-		return ref, fmt.Errorf("cannot resolve connection, plug snap name is empty")
+		return nil, fmt.Errorf("cannot resolve connection, plug snap name is empty")
 	}
 	if plugName == "" {
-		return ref, fmt.Errorf("cannot resolve connection, plug name is empty")
+		return nil, fmt.Errorf("cannot resolve connection, plug name is empty")
 	}
 	// Ensure that such plug exists
 	plug := r.plugs[plugSnapName][plugName]
 	if plug == nil {
-		return ref, fmt.Errorf("snap %q has no plug named %q", plugSnapName, plugName)
+		return nil, fmt.Errorf("snap %q has no plug named %q", plugSnapName, plugName)
 	}
 
 	if slotSnapName == "" {
 		// Use the core snap if the slot-side snap name is empty
 		switch {
+		case r.slots["snapd"] != nil:
+			slotSnapName = "snapd"
 		case r.slots["core"] != nil:
 			slotSnapName = "core"
 		case r.slots["ubuntu-core"] != nil:
@@ -425,7 +484,7 @@
 		default:
 			// XXX: perhaps this should not be an error and instead it should
 			// silently assume "core" now?
-			return ref, fmt.Errorf("cannot resolve connection, slot snap name is empty")
+			return nil, fmt.Errorf("cannot resolve connection, slot snap name is empty")
 		}
 	}
 	if slotName == "" {
@@ -439,27 +498,26 @@
 		}
 		switch len(candidates) {
 		case 0:
-			return ref, fmt.Errorf("snap %q has no %q interface slots", slotSnapName, plug.Interface)
+			return nil, fmt.Errorf("snap %q has no %q interface slots", slotSnapName, plug.Interface)
 		case 1:
 			slotName = candidates[0]
 		default:
 			sort.Strings(candidates)
-			return ref, fmt.Errorf("snap %q has multiple %q interface slots: %s", slotSnapName, plug.Interface, strings.Join(candidates, ", "))
+			return nil, fmt.Errorf("snap %q has multiple %q interface slots: %s", slotSnapName, plug.Interface, strings.Join(candidates, ", "))
 		}
 	}
 
 	// Ensure that such slot exists
 	slot := r.slots[slotSnapName][slotName]
 	if slot == nil {
-		return ref, fmt.Errorf("snap %q has no slot named %q", slotSnapName, slotName)
+		return nil, fmt.Errorf("snap %q has no slot named %q", slotSnapName, slotName)
 	}
 	// Ensure that plug and slot are compatible
 	if slot.Interface != plug.Interface {
-		return ref, fmt.Errorf("cannot connect %s:%s (%q interface) to %s:%s (%q interface)",
+		return nil, fmt.Errorf("cannot connect %s:%s (%q interface) to %s:%s (%q interface)",
 			plugSnapName, plugName, plug.Interface, slotSnapName, slotName, slot.Interface)
 	}
-	ref = *NewConnRef(plug, slot)
-	return ref, nil
+	return NewConnRef(plug, slot), nil
 }
 
 // ResolveDisconnect resolves potentially missing plug or slot names and
@@ -477,11 +535,11 @@
 // In both cases the snap name can be omitted to implicitly refer to the core
 // snap. If there's no core snap it is simply assumed to be called "core" to
 // provide consistent error messages.
-func (r *Repository) ResolveDisconnect(plugSnapName, plugName, slotSnapName, slotName string) ([]ConnRef, error) {
+func (r *Repository) ResolveDisconnect(plugSnapName, plugName, slotSnapName, slotName string) ([]*ConnRef, error) {
 	r.m.Lock()
 	defer r.m.Unlock()
 
-	coreSnapName, _ := r.guessCoreSnapName()
+	coreSnapName, _ := r.guessSystemSnapName()
 	if coreSnapName == "" {
 		// This is not strictly speaking true BUT when there's no core snap the
 		// produced error messages are consistent to when the is a core snap
@@ -517,7 +575,7 @@
 			return nil, fmt.Errorf("cannot disconnect %s:%s from %s:%s, it is not connected",
 				plugSnapName, plugName, slotSnapName, slotName)
 		}
-		return []ConnRef{*NewConnRef(plug, slot)}, nil
+		return []*ConnRef{NewConnRef(plug, slot)}, nil
 	// 2: <snap>:<plug or slot> (through 1st pair)
 	// Return a list of connections involving specified plug or slot.
 	case plugName != "" && slotName == "" && slotSnapName == "":
@@ -539,9 +597,22 @@
 	}
 }
 
+// slotValidator can be implemented by Interfaces that need to validate the slot before the security is lifted.
+type slotValidator interface {
+	BeforeConnectSlot(slot *ConnectedSlot) error
+}
+
+// plugValidator can be implemented by Interfaces that need to validate the plug before the security is lifted.
+type plugValidator interface {
+	BeforeConnectPlug(plug *ConnectedPlug) error
+}
+
+type PolicyFunc func(*ConnectedPlug, *ConnectedSlot) (bool, error)
+
 // Connect establishes a connection between a plug and a slot.
 // The plug and the slot must have the same interface.
-func (r *Repository) Connect(ref ConnRef) error {
+// When connections are reloaded policyCheck is null (we don't check policy again).
+func (r *Repository) Connect(ref *ConnRef, plugStaticAttrs, plugDynamicAttrs, slotStaticAttrs, slotDynamicAttrs map[string]interface{}, policyCheck PolicyFunc) (*Connection, error) {
 	r.m.Lock()
 	defer r.m.Unlock()
 
@@ -553,23 +624,47 @@
 	// Ensure that such plug exists
 	plug := r.plugs[plugSnapName][plugName]
 	if plug == nil {
-		return fmt.Errorf("cannot connect plug %q from snap %q, no such plug", plugName, plugSnapName)
+		return nil, &UnknownPlugSlotError{Msg: fmt.Sprintf("cannot connect plug %q from snap %q: no such plug", plugName, plugSnapName)}
 	}
 	// Ensure that such slot exists
 	slot := r.slots[slotSnapName][slotName]
 	if slot == nil {
-		return fmt.Errorf("cannot connect plug to slot %q from snap %q, no such slot", slotName, slotSnapName)
+		return nil, &UnknownPlugSlotError{fmt.Sprintf("cannot connect slot %q from snap %q: no such slot", slotName, slotSnapName)}
 	}
 	// Ensure that plug and slot are compatible
 	if slot.Interface != plug.Interface {
-		return fmt.Errorf(`cannot connect plug "%s:%s" (interface %q) to "%s:%s" (interface %q)`,
+		return nil, fmt.Errorf(`cannot connect plug "%s:%s" (interface %q) to "%s:%s" (interface %q)`,
 			plugSnapName, plugName, plug.Interface, slotSnapName, slotName, slot.Interface)
 	}
-	// Ensure that slot and plug are not connected yet
-	if r.slotPlugs[slot][plug] != nil {
-		// But if they are don't treat this as an error.
-		return nil
+
+	iface, ok := r.ifaces[plug.Interface]
+	if !ok {
+		return nil, fmt.Errorf("internal error: unknown interface %q", plug.Interface)
 	}
+
+	cplug := NewConnectedPlug(plug, plugStaticAttrs, plugDynamicAttrs)
+	cslot := NewConnectedSlot(slot, slotStaticAttrs, slotDynamicAttrs)
+
+	// policyCheck is null when reloading connections
+	if policyCheck != nil {
+		if i, ok := iface.(plugValidator); ok {
+			if err := i.BeforeConnectPlug(cplug); err != nil {
+				return nil, fmt.Errorf("cannot connect plug %q of snap %q: %s", plug.Name, plug.Snap.InstanceName(), err)
+			}
+		}
+		if i, ok := iface.(slotValidator); ok {
+			if err := i.BeforeConnectSlot(cslot); err != nil {
+				return nil, fmt.Errorf("cannot connect slot %q of snap %q: %s", slot.Name, slot.Snap.InstanceName(), err)
+			}
+		}
+
+		// autoconnect policy checker returns false to indicate disallowed auto-connection, but it's not an error.
+		ok, err := policyCheck(cplug, cslot)
+		if err != nil || !ok {
+			return nil, err
+		}
+	}
+
 	// Connect the plug
 	if r.slotPlugs[slot] == nil {
 		r.slotPlugs[slot] = make(map[*snap.PlugInfo]*Connection)
@@ -578,14 +673,10 @@
 		r.plugSlots[plug] = make(map[*snap.SlotInfo]*Connection)
 	}
 
-	// TODO: store copy of attributes from hooks
-	cplug := NewConnectedPlug(plug, nil)
-	cslot := NewConnectedSlot(slot, nil)
-
-	conn := &Connection{plug: cplug, slot: cslot}
+	conn := &Connection{Plug: cplug, Slot: cslot}
 	r.slotPlugs[slot][plug] = conn
 	r.plugSlots[plug][slot] = conn
-	return nil
+	return conn, nil
 }
 
 // Disconnect disconnects the named plug from the slot of the given snap.
@@ -632,21 +723,21 @@
 
 // Connected returns references for all connections that are currently
 // established with the provided plug or slot.
-func (r *Repository) Connected(snapName, plugOrSlotName string) ([]ConnRef, error) {
+func (r *Repository) Connected(snapName, plugOrSlotName string) ([]*ConnRef, error) {
 	r.m.Lock()
 	defer r.m.Unlock()
 
 	return r.connected(snapName, plugOrSlotName)
 }
 
-func (r *Repository) connected(snapName, plugOrSlotName string) ([]ConnRef, error) {
+func (r *Repository) connected(snapName, plugOrSlotName string) ([]*ConnRef, error) {
 	if snapName == "" {
-		snapName, _ = r.guessCoreSnapName()
+		snapName, _ = r.guessSystemSnapName()
 		if snapName == "" {
-			return nil, fmt.Errorf("snap name is empty")
+			return nil, fmt.Errorf("internal error: cannot obtain core snap name while computing connections")
 		}
 	}
-	var conns []ConnRef
+	var conns []*ConnRef
 	if plugOrSlotName == "" {
 		return nil, fmt.Errorf("plug or slot name is empty")
 	}
@@ -658,14 +749,87 @@
 
 	if plug, ok := r.plugs[snapName][plugOrSlotName]; ok {
 		for slotInfo := range r.plugSlots[plug] {
-			connRef := *NewConnRef(plug, slotInfo)
+			connRef := NewConnRef(plug, slotInfo)
 			conns = append(conns, connRef)
 		}
 	}
 
 	if slot, ok := r.slots[snapName][plugOrSlotName]; ok {
 		for plugInfo := range r.slotPlugs[slot] {
-			connRef := *NewConnRef(plugInfo, slot)
+			connRef := NewConnRef(plugInfo, slot)
+			conns = append(conns, connRef)
+		}
+	}
+
+	return conns, nil
+}
+
+// ConnectionsForHotplugKey returns all hotplug connections for given interface name and hotplug key.
+func (r *Repository) ConnectionsForHotplugKey(ifaceName, hotplugKey string) ([]*ConnRef, error) {
+	r.m.Lock()
+	defer r.m.Unlock()
+
+	snapName, err := r.guessSystemSnapName()
+	if err != nil {
+		return nil, err
+	}
+	var conns []*ConnRef
+	for _, slotInfo := range r.slots[snapName] {
+		if slotInfo.Interface == ifaceName && slotInfo.HotplugKey == hotplugKey {
+			for plugInfo := range r.slotPlugs[slotInfo] {
+				connRef := NewConnRef(plugInfo, slotInfo)
+				conns = append(conns, connRef)
+			}
+		}
+	}
+
+	return conns, nil
+}
+
+// SlotForHotplugKey returns a hotplug slot for given interface name and hotplug key or nil
+// if there is no slot.
+func (r *Repository) SlotForHotplugKey(ifaceName, hotplugKey string) (*snap.SlotInfo, error) {
+	r.m.Lock()
+	defer r.m.Unlock()
+
+	snapName, err := r.guessSystemSnapName()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, slotInfo := range r.slots[snapName] {
+		if slotInfo.Interface == ifaceName && slotInfo.HotplugKey == hotplugKey {
+			return slotInfo, nil
+		}
+	}
+	return nil, nil
+}
+
+func (r *Repository) Connections(snapName string) ([]*ConnRef, error) {
+	r.m.Lock()
+	defer r.m.Unlock()
+
+	if snapName == "" {
+		snapName, _ = r.guessSystemSnapName()
+		if snapName == "" {
+			return nil, fmt.Errorf("internal error: cannot obtain core snap name while computing connections")
+		}
+	}
+
+	var conns []*ConnRef
+	for _, plugInfo := range r.plugs[snapName] {
+		for slotInfo := range r.plugSlots[plugInfo] {
+			connRef := NewConnRef(plugInfo, slotInfo)
+			conns = append(conns, connRef)
+		}
+	}
+	for _, slotInfo := range r.slots[snapName] {
+		for plugInfo := range r.slotPlugs[slotInfo] {
+			// self-connection, ignore here as we got it already in the plugs loop above
+			if plugInfo.Snap == slotInfo.Snap {
+				continue
+			}
+			connRef := NewConnRef(plugInfo, slotInfo)
 			conns = append(conns, connRef)
 		}
 	}
@@ -674,8 +838,10 @@
 }
 
 // coreSnapName returns the name of the core snap if one exists
-func (r *Repository) guessCoreSnapName() (string, error) {
+func (r *Repository) guessSystemSnapName() (string, error) {
 	switch {
+	case r.slots["snapd"] != nil:
+		return "snapd", nil
 	case r.slots["core"] != nil:
 		return "core", nil
 	case r.slots["ubuntu-core"] != nil:
@@ -686,7 +852,7 @@
 }
 
 // DisconnectAll disconnects all provided connection references.
-func (r *Repository) DisconnectAll(conns []ConnRef) {
+func (r *Repository) DisconnectAll(conns []*ConnRef) {
 	r.m.Lock()
 	defer r.m.Unlock()
 
@@ -712,15 +878,13 @@
 }
 
 // Backends returns all the security backends.
+// The order is the same as the order in which they were inserted.
 func (r *Repository) Backends() []SecurityBackend {
 	r.m.Lock()
 	defer r.m.Unlock()
 
-	result := make([]SecurityBackend, 0, len(r.backends))
-	for _, backend := range r.backends {
-		result = append(result, backend)
-	}
-	sort.Sort(byBackendName(result))
+	result := make([]SecurityBackend, len(r.backends))
+	copy(result, r.backends)
 	return result
 }
 
@@ -760,7 +924,13 @@
 	r.m.Lock()
 	defer r.m.Unlock()
 
-	backend := r.backends[securitySystem]
+	var backend SecurityBackend
+	for _, b := range r.backends {
+		if b.Name() == securitySystem {
+			backend = b
+			break
+		}
+	}
 	if backend == nil {
 		return nil, fmt.Errorf("cannot handle interfaces of snap %q, security system %q is not known", snapName, securitySystem)
 	}
@@ -774,7 +944,7 @@
 			return nil, err
 		}
 		for _, conn := range r.slotPlugs[slotInfo] {
-			if err := spec.AddConnectedSlot(iface, conn.plug, conn.slot); err != nil {
+			if err := spec.AddConnectedSlot(iface, conn.Plug, conn.Slot); err != nil {
 				return nil, err
 			}
 		}
@@ -786,7 +956,7 @@
 			return nil, err
 		}
 		for _, conn := range r.plugSlots[plugInfo] {
-			if err := spec.AddConnectedPlug(iface, conn.plug, conn.slot); err != nil {
+			if err := spec.AddConnectedPlug(iface, conn.Plug, conn.Slot); err != nil {
 				return nil, err
 			}
 		}
@@ -819,7 +989,7 @@
 	r.m.Lock()
 	defer r.m.Unlock()
 
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 
 	if r.plugs[snapName] != nil || r.slots[snapName] != nil {
 		return fmt.Errorf("cannot register interfaces for snap %q more than once", snapName)
@@ -909,7 +1079,7 @@
 
 	result := make([]string, 0, len(seen))
 	for info := range seen {
-		result = append(result, info.Name())
+		result = append(result, info.InstanceName())
 	}
 	sort.Strings(result)
 	return result, nil
@@ -917,7 +1087,7 @@
 
 // AutoConnectCandidateSlots finds and returns viable auto-connection candidates
 // for a given plug.
-func (r *Repository) AutoConnectCandidateSlots(plugSnapName, plugName string, policyCheck func(*Plug, *Slot) bool) []*snap.SlotInfo {
+func (r *Repository) AutoConnectCandidateSlots(plugSnapName, plugName string, policyCheck func(*ConnectedPlug, *ConnectedSlot) (bool, error)) []*snap.SlotInfo {
 	r.m.Lock()
 	defer r.m.Unlock()
 
@@ -934,15 +1104,13 @@
 			}
 			iface := slotInfo.Interface
 
-			// FIXME: use ConnectedPlug/Slot for AutoConnect (once it's refactored to use tasks).
-			plug := &Plug{PlugInfo: plugInfo}
-			slot := &Slot{SlotInfo: slotInfo}
 			// declaration based checks disallow
-			if !policyCheck(plug, slot) {
+			ok, err := policyCheck(NewConnectedPlug(plugInfo, nil, nil), NewConnectedSlot(slotInfo, nil, nil))
+			if !ok || err != nil {
 				continue
 			}
 
-			if r.ifaces[iface].AutoConnect(plug, slot) {
+			if r.ifaces[iface].AutoConnect(plugInfo, slotInfo) {
 				candidates = append(candidates, slotInfo)
 			}
 		}
@@ -952,7 +1120,7 @@
 
 // AutoConnectCandidatePlugs finds and returns viable auto-connection candidates
 // for a given slot.
-func (r *Repository) AutoConnectCandidatePlugs(slotSnapName, slotName string, policyCheck func(*Plug, *Slot) bool) []*snap.PlugInfo {
+func (r *Repository) AutoConnectCandidatePlugs(slotSnapName, slotName string, policyCheck func(*ConnectedPlug, *ConnectedSlot) (bool, error)) []*snap.PlugInfo {
 	r.m.Lock()
 	defer r.m.Unlock()
 
@@ -969,15 +1137,13 @@
 			}
 			iface := slotInfo.Interface
 
-			// FIXME: use ConnectedPlug/Slot for AutoConnect (once it's refactored to use tasks).
-			plug := &Plug{PlugInfo: plugInfo}
-			slot := &Slot{SlotInfo: slotInfo}
 			// declaration based checks disallow
-			if !policyCheck(plug, slot) {
+			ok, err := policyCheck(NewConnectedPlug(plugInfo, nil, nil), NewConnectedSlot(slotInfo, nil, nil))
+			if !ok || err != nil {
 				continue
 			}
 
-			if r.ifaces[iface].AutoConnect(plug, slot) {
+			if r.ifaces[iface].AutoConnect(plugInfo, slotInfo) {
 				candidates = append(candidates, plugInfo)
 			}
 		}
diff -Nru snapd-2.32.3.2~14.04/interfaces/repo_test.go snapd-2.37~rc1~14.04/interfaces/repo_test.go
--- snapd-2.32.3.2~14.04/interfaces/repo_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/repo_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,11 +35,16 @@
 	testutil.BaseTest
 	iface     Interface
 	plug      *snap.PlugInfo
+	plugSelf  *snap.PlugInfo
 	slot      *snap.SlotInfo
-	coreSnap  *snap.Info
 	emptyRepo *Repository
 	// Repository pre-populated with s.iface
 	testRepo *Repository
+
+	// "Core"-like snaps with the same set of interfaces.
+	coreSnap       *snap.Info
+	ubuntuCoreSnap *snap.Info
+	snapdSnap      *snap.Info
 }
 
 var _ = Suite(&RepositorySuite{
@@ -48,11 +53,7 @@
 	},
 })
 
-func (s *RepositorySuite) SetUpTest(c *C) {
-	s.BaseTest.SetUpTest(c)
-	s.BaseTest.AddCleanup(snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {}))
-
-	consumer := snaptest.MockInfo(c, `
+const consumerYaml = `
 name: consumer
 version: 0
 apps:
@@ -64,9 +65,9 @@
         interface: interface
         label: label
         attr: value
-`, nil)
-	s.plug = consumer.Plugs["plug"]
-	producer := snaptest.MockInfo(c, `
+`
+
+const producerYaml = `
 name: producer
 version: 0
 apps:
@@ -78,8 +79,31 @@
         interface: interface
         label: label
         attr: value
-`, nil)
+plugs:
+    self:
+        interface: interface
+        label: label
+`
+
+func (s *RepositorySuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+	s.BaseTest.AddCleanup(snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {}))
+
+	consumer := snaptest.MockInfo(c, consumerYaml, nil)
+	s.plug = consumer.Plugs["plug"]
+	producer := snaptest.MockInfo(c, producerYaml, nil)
 	s.slot = producer.Slots["slot"]
+	s.plugSelf = producer.Plugs["self"]
+	// NOTE: Each of the snaps below have one slot so that they can be picked
+	// up by the repository. Some tests rename the "slot" slot as appropriate.
+	s.ubuntuCoreSnap = snaptest.MockInfo(c, `
+name: ubuntu-core
+version: 0
+type: os
+slots:
+    slot:
+        interface: interface
+`, nil)
 	// NOTE: The core snap has a slot so that it shows up in the
 	// repository. The repository doesn't record snaps unless they
 	// have at least one interface.
@@ -88,9 +112,18 @@
 version: 0
 type: os
 slots:
-    network:
+    slot:
+        interface: interface
+`, nil)
+	s.snapdSnap = snaptest.MockInfo(c, `
+name: snapd
+version: 0
+type: app
+slots:
+    slot:
         interface: interface
 `, nil)
+
 	s.emptyRepo = NewRepository()
 	s.testRepo = NewRepository()
 	err := s.testRepo.AddInterface(s.iface)
@@ -101,11 +134,22 @@
 	s.BaseTest.TearDownTest(c)
 }
 
-func addPlugsSlots(c *C, repo *Repository, yamls ...string) []*snap.Info {
-	result := make([]*snap.Info, len(yamls))
-	for i, yaml := range yamls {
-		info := snaptest.MockInfo(c, yaml, nil)
-		result[i] = info
+type instanceNameAndYaml struct {
+	Name string
+	Yaml string
+}
+
+func addPlugsSlotsFromInstances(c *C, repo *Repository, iys []instanceNameAndYaml) []*snap.Info {
+	result := make([]*snap.Info, 0, len(iys))
+	for _, iy := range iys {
+		info := snaptest.MockInfo(c, iy.Yaml, nil)
+		if iy.Name != "" {
+			instanceName := iy.Name
+			c.Assert(snap.ValidateInstanceName(instanceName), IsNil)
+			_, info.InstanceKey = snap.SplitInstanceName(instanceName)
+		}
+
+		result = append(result, info)
 		for _, plugInfo := range info.Plugs {
 			err := repo.AddPlug(plugInfo)
 			c.Assert(err, IsNil)
@@ -146,6 +190,25 @@
 	c.Assert(s.emptyRepo.Interface(iface.Name()), IsNil)
 }
 
+// Tests for Repository.AllInterfaces()
+
+func (s *RepositorySuite) TestAllInterfaces(c *C) {
+	c.Assert(s.emptyRepo.AllInterfaces(), HasLen, 0)
+	c.Assert(s.testRepo.AllInterfaces(), DeepEquals, []Interface{s.iface})
+
+	// Add three interfaces in some non-sorted order.
+	i1 := &ifacetest.TestInterface{InterfaceName: "i1"}
+	i2 := &ifacetest.TestInterface{InterfaceName: "i2"}
+	i3 := &ifacetest.TestInterface{InterfaceName: "i3"}
+	c.Assert(s.emptyRepo.AddInterface(i3), IsNil)
+	c.Assert(s.emptyRepo.AddInterface(i1), IsNil)
+	c.Assert(s.emptyRepo.AddInterface(i2), IsNil)
+
+	// The result is always sorted.
+	c.Assert(s.emptyRepo.AllInterfaces(), DeepEquals, []Interface{i1, i2, i3})
+
+}
+
 func (s *RepositorySuite) TestAddBackend(c *C) {
 	backend := &ifacetest.TestSecurityBackend{BackendName: "test"}
 	c.Assert(s.emptyRepo.AddBackend(backend), IsNil)
@@ -158,7 +221,8 @@
 	b2 := &ifacetest.TestSecurityBackend{BackendName: "b2"}
 	c.Assert(s.emptyRepo.AddBackend(b2), IsNil)
 	c.Assert(s.emptyRepo.AddBackend(b1), IsNil)
-	c.Assert(s.emptyRepo.Backends(), DeepEquals, []SecurityBackend{b1, b2})
+	// The order of insertion is retained.
+	c.Assert(s.emptyRepo.Backends(), DeepEquals, []SecurityBackend{b2, b1})
 }
 
 // Tests for Repository.Interface()
@@ -198,7 +262,7 @@
 	err := s.testRepo.AddPlug(s.plug)
 	c.Assert(err, IsNil)
 	c.Assert(s.testRepo.AllPlugs(""), HasLen, 1)
-	c.Assert(s.testRepo.Plug(s.plug.Snap.Name(), s.plug.Name), DeepEquals, s.plug)
+	c.Assert(s.testRepo.Plug(s.plug.Snap.InstanceName(), s.plug.Name), DeepEquals, s.plug)
 }
 
 func (s *RepositorySuite) TestAddPlugClashingPlug(c *C) {
@@ -207,7 +271,7 @@
 	err = s.testRepo.AddPlug(s.plug)
 	c.Assert(err, ErrorMatches, `snap "consumer" has plugs conflicting on name "plug"`)
 	c.Assert(s.testRepo.AllPlugs(""), HasLen, 1)
-	c.Assert(s.testRepo.Plug(s.plug.Snap.Name(), s.plug.Name), DeepEquals, s.plug)
+	c.Assert(s.testRepo.Plug(s.plug.Snap.InstanceName(), s.plug.Name), DeepEquals, s.plug)
 }
 
 func (s *RepositorySuite) TestAddPlugClashingSlot(c *C) {
@@ -227,7 +291,7 @@
 	err = s.testRepo.AddPlug(plug)
 	c.Assert(err, ErrorMatches, `snap "snap" has plug and slot conflicting on name "clashing"`)
 	c.Assert(s.testRepo.AllSlots(""), HasLen, 1)
-	c.Assert(s.testRepo.Slot(slot.Snap.Name(), slot.Name), DeepEquals, slot)
+	c.Assert(s.testRepo.Slot(slot.Snap.InstanceName(), slot.Name), DeepEquals, slot)
 }
 
 func (s *RepositorySuite) TestAddPlugFailsWithInvalidSnapName(c *C) {
@@ -248,7 +312,7 @@
 		Interface: "interface",
 	}
 	err := s.testRepo.AddPlug(plug)
-	c.Assert(err, ErrorMatches, `invalid interface name: "bad-name-"`)
+	c.Assert(err, ErrorMatches, `invalid plug name: "bad-name-"`)
 	c.Assert(s.testRepo.AllPlugs(""), HasLen, 0)
 }
 
@@ -258,38 +322,69 @@
 	c.Assert(s.emptyRepo.AllPlugs(""), HasLen, 0)
 }
 
+func (s *RepositorySuite) TestAddPlugParallelInstance(c *C) {
+	c.Assert(s.testRepo.AllPlugs(""), HasLen, 0)
+
+	err := s.testRepo.AddPlug(s.plug)
+	c.Assert(err, IsNil)
+	c.Assert(s.testRepo.AllPlugs(""), HasLen, 1)
+
+	consumer := snaptest.MockInfo(c, consumerYaml, nil)
+	consumer.InstanceKey = "instance"
+	err = s.testRepo.AddPlug(consumer.Plugs["plug"])
+	c.Assert(err, IsNil)
+	c.Assert(s.testRepo.AllPlugs(""), HasLen, 2)
+
+	c.Assert(s.testRepo.Plug(s.plug.Snap.InstanceName(), s.plug.Name), DeepEquals, s.plug)
+	c.Assert(s.testRepo.Plug(consumer.InstanceName(), "plug"), DeepEquals, consumer.Plugs["plug"])
+}
+
 // Tests for Repository.Plug()
 
 func (s *RepositorySuite) TestPlug(c *C) {
 	err := s.testRepo.AddPlug(s.plug)
 	c.Assert(err, IsNil)
-	c.Assert(s.emptyRepo.Plug(s.plug.Snap.Name(), s.plug.Name), IsNil)
-	c.Assert(s.testRepo.Plug(s.plug.Snap.Name(), s.plug.Name), DeepEquals, s.plug)
+	c.Assert(s.emptyRepo.Plug(s.plug.Snap.InstanceName(), s.plug.Name), IsNil)
+	c.Assert(s.testRepo.Plug(s.plug.Snap.InstanceName(), s.plug.Name), DeepEquals, s.plug)
 }
 
 func (s *RepositorySuite) TestPlugSearch(c *C) {
-	addPlugsSlots(c, s.testRepo, `
-name: x
+	addPlugsSlotsFromInstances(c, s.testRepo, []instanceNameAndYaml{
+		{Name: "xx", Yaml: `
+name: xx
 version: 0
 plugs:
     a: interface
     b: interface
     c: interface
-`, `
-name: y
+`},
+		{Name: "yy", Yaml: `
+name: yy
 version: 0
 plugs:
     a: interface
     b: interface
     c: interface
-`)
+`},
+		{Name: "zz_instance", Yaml: `
+name: zz
+version: 0
+plugs:
+    a: interface
+    b: interface
+    c: interface
+`},
+	})
 	// Plug() correctly finds plugs
-	c.Assert(s.testRepo.Plug("x", "a"), Not(IsNil))
-	c.Assert(s.testRepo.Plug("x", "b"), Not(IsNil))
-	c.Assert(s.testRepo.Plug("x", "c"), Not(IsNil))
-	c.Assert(s.testRepo.Plug("y", "a"), Not(IsNil))
-	c.Assert(s.testRepo.Plug("y", "b"), Not(IsNil))
-	c.Assert(s.testRepo.Plug("y", "c"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("xx", "a"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("xx", "b"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("xx", "c"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("yy", "a"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("yy", "b"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("yy", "c"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("zz_instance", "a"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("zz_instance", "b"), Not(IsNil))
+	c.Assert(s.testRepo.Plug("zz_instance", "c"), Not(IsNil))
 }
 
 // Tests for Repository.RemovePlug()
@@ -297,13 +392,13 @@
 func (s *RepositorySuite) TestRemovePlugSucceedsWhenPlugExistsAndDisconnected(c *C) {
 	err := s.testRepo.AddPlug(s.plug)
 	c.Assert(err, IsNil)
-	err = s.testRepo.RemovePlug(s.plug.Snap.Name(), s.plug.Name)
+	err = s.testRepo.RemovePlug(s.plug.Snap.InstanceName(), s.plug.Name)
 	c.Assert(err, IsNil)
 	c.Assert(s.testRepo.AllPlugs(""), HasLen, 0)
 }
 
 func (s *RepositorySuite) TestRemovePlugFailsWhenPlugDoesntExist(c *C) {
-	err := s.emptyRepo.RemovePlug(s.plug.Snap.Name(), s.plug.Name)
+	err := s.emptyRepo.RemovePlug(s.plug.Snap.InstanceName(), s.plug.Name)
 	c.Assert(err, ErrorMatches, `cannot remove plug "plug" from snap "consumer", no such plug`)
 }
 
@@ -313,38 +408,53 @@
 	err = s.testRepo.AddSlot(s.slot)
 	c.Assert(err, IsNil)
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	// Removing a plug used by a slot returns an appropriate error
-	err = s.testRepo.RemovePlug(s.plug.Snap.Name(), s.plug.Name)
+	err = s.testRepo.RemovePlug(s.plug.Snap.InstanceName(), s.plug.Name)
 	c.Assert(err, ErrorMatches, `cannot remove plug "plug" from snap "consumer", it is still connected`)
 	// The plug is still there
-	slot := s.testRepo.Plug(s.plug.Snap.Name(), s.plug.Name)
+	slot := s.testRepo.Plug(s.plug.Snap.InstanceName(), s.plug.Name)
 	c.Assert(slot, Not(IsNil))
 }
 
 // Tests for Repository.AllPlugs()
 
 func (s *RepositorySuite) TestAllPlugsWithoutInterfaceName(c *C) {
-	snaps := addPlugsSlots(c, s.testRepo, `
+	snaps := addPlugsSlotsFromInstances(c, s.testRepo, []instanceNameAndYaml{
+		{Name: "snap-a", Yaml: `
 name: snap-a
 version: 0
 plugs:
     name-a: interface
-`, `
+`},
+		{Name: "snap-b", Yaml: `
 name: snap-b
 version: 0
 plugs:
     name-a: interface
     name-b: interface
     name-c: interface
-`)
+`},
+		{Name: "snap-b_instance", Yaml: `
+name: snap-b
+version: 0
+plugs:
+    name-a: interface
+    name-b: interface
+    name-c: interface
+`},
+	})
+	c.Assert(snaps, HasLen, 3)
 	// The result is sorted by snap and name
 	c.Assert(s.testRepo.AllPlugs(""), DeepEquals, []*snap.PlugInfo{
 		snaps[0].Plugs["name-a"],
 		snaps[1].Plugs["name-a"],
 		snaps[1].Plugs["name-b"],
 		snaps[1].Plugs["name-c"],
+		snaps[2].Plugs["name-a"],
+		snaps[2].Plugs["name-b"],
+		snaps[2].Plugs["name-c"],
 	})
 }
 
@@ -352,46 +462,79 @@
 	// Add another interface so that we can look for it
 	err := s.testRepo.AddInterface(&ifacetest.TestInterface{InterfaceName: "other-interface"})
 	c.Assert(err, IsNil)
-	snaps := addPlugsSlots(c, s.testRepo, `
+	snaps := addPlugsSlotsFromInstances(c, s.testRepo, []instanceNameAndYaml{
+		{Name: "snap-a", Yaml: `
 name: snap-a
 version: 0
 plugs:
     name-a: interface
-`, `
+`},
+		{Name: "snap-b", Yaml: `
 name: snap-b
 version: 0
 plugs:
     name-a: interface
     name-b: other-interface
     name-c: interface
-`)
-	c.Assert(s.testRepo.AllPlugs("other-interface"), DeepEquals, []*snap.PlugInfo{snaps[1].Plugs["name-b"]})
+`},
+		{Name: "snap-b_instance", Yaml: `
+name: snap-b
+version: 0
+plugs:
+    name-a: interface
+    name-b: other-interface
+    name-c: interface
+`},
+	})
+	c.Assert(snaps, HasLen, 3)
+	c.Assert(s.testRepo.AllPlugs("other-interface"), DeepEquals, []*snap.PlugInfo{
+		snaps[1].Plugs["name-b"],
+		snaps[2].Plugs["name-b"],
+	})
 }
 
 // Tests for Repository.Plugs()
 
 func (s *RepositorySuite) TestPlugs(c *C) {
-	snaps := addPlugsSlots(c, s.testRepo, `
+	snaps := addPlugsSlotsFromInstances(c, s.testRepo, []instanceNameAndYaml{
+		{Name: "snap-a", Yaml: `
 name: snap-a
 version: 0
 plugs:
     name-a: interface
-`, `
+`},
+		{Name: "snap-b", Yaml: `
 name: snap-b
 version: 0
 plugs:
     name-a: interface
     name-b: interface
     name-c: interface
-`)
+`},
+		{Name: "snap-b_instance", Yaml: `
+name: snap-b
+version: 0
+plugs:
+    name-a: interface
+    name-b: interface
+    name-c: interface
+`},
+	})
+	c.Assert(snaps, HasLen, 3)
 	// The result is sorted by snap and name
 	c.Assert(s.testRepo.Plugs("snap-b"), DeepEquals, []*snap.PlugInfo{
 		snaps[1].Plugs["name-a"],
 		snaps[1].Plugs["name-b"],
 		snaps[1].Plugs["name-c"],
 	})
+	c.Assert(s.testRepo.Plugs("snap-b_instance"), DeepEquals, []*snap.PlugInfo{
+		snaps[2].Plugs["name-a"],
+		snaps[2].Plugs["name-b"],
+		snaps[2].Plugs["name-c"],
+	})
 	// The result is empty if the snap is not known
 	c.Assert(s.testRepo.Plugs("snap-x"), HasLen, 0)
+	c.Assert(s.testRepo.Plugs("snap-b_other"), HasLen, 0)
 }
 
 // Tests for Repository.AllSlots()
@@ -399,45 +542,66 @@
 func (s *RepositorySuite) TestAllSlots(c *C) {
 	err := s.testRepo.AddInterface(&ifacetest.TestInterface{InterfaceName: "other-interface"})
 	c.Assert(err, IsNil)
-	snaps := addPlugsSlots(c, s.testRepo, `
+	snaps := addPlugsSlotsFromInstances(c, s.testRepo, []instanceNameAndYaml{
+		{Name: "snap-a", Yaml: `
 name: snap-a
 version: 0
 slots:
     name-a: interface
     name-b: interface
-`, `
+`},
+		{Name: "snap-b", Yaml: `
 name: snap-b
 version: 0
 slots:
     name-a: other-interface
-`)
+`},
+		{Name: "snap-b_instance", Yaml: `
+name: snap-b
+version: 0
+slots:
+    name-a: other-interface
+`},
+	})
+	c.Assert(snaps, HasLen, 3)
 	// AllSlots("") returns all slots, sorted by snap and slot name
 	c.Assert(s.testRepo.AllSlots(""), DeepEquals, []*snap.SlotInfo{
 		snaps[0].Slots["name-a"],
 		snaps[0].Slots["name-b"],
 		snaps[1].Slots["name-a"],
+		snaps[2].Slots["name-a"],
 	})
 	// AllSlots("") returns all slots, sorted by snap and slot name
 	c.Assert(s.testRepo.AllSlots("other-interface"), DeepEquals, []*snap.SlotInfo{
 		snaps[1].Slots["name-a"],
+		snaps[2].Slots["name-a"],
 	})
 }
 
 // Tests for Repository.Slots()
 
 func (s *RepositorySuite) TestSlots(c *C) {
-	snaps := addPlugsSlots(c, s.testRepo, `
+	snaps := addPlugsSlotsFromInstances(c, s.testRepo, []instanceNameAndYaml{
+		{Name: "snap-a", Yaml: `
 name: snap-a
 version: 0
 slots:
     name-a: interface
     name-b: interface
-`, `
+`},
+		{Name: "snap-b", Yaml: `
 name: snap-b
 version: 0
 slots:
     name-a: interface
-`)
+`},
+		{Name: "snap-b_instance", Yaml: `
+name: snap-b
+version: 0
+slots:
+    name-a: interface
+`},
+	})
 	// Slots("snap-a") returns slots present in that snap
 	c.Assert(s.testRepo.Slots("snap-a"), DeepEquals, []*snap.SlotInfo{
 		snaps[0].Slots["name-a"],
@@ -447,8 +611,14 @@
 	c.Assert(s.testRepo.Slots("snap-b"), DeepEquals, []*snap.SlotInfo{
 		snaps[1].Slots["name-a"],
 	})
+	// Slots("snap-b_instance") returns slots present in that snap
+	c.Assert(s.testRepo.Slots("snap-b_instance"), DeepEquals, []*snap.SlotInfo{
+		snaps[2].Slots["name-a"],
+	})
 	// Slots("snap-c") returns no slots (because that snap doesn't exist)
 	c.Assert(s.testRepo.Slots("snap-c"), HasLen, 0)
+	// Slots("snap-b_other") returns no slots (the snap does not exist)
+	c.Assert(s.testRepo.Slots("snap-b_other"), HasLen, 0)
 	// Slots("") returns no slots
 	c.Assert(s.testRepo.Slots(""), HasLen, 0)
 }
@@ -458,12 +628,12 @@
 func (s *RepositorySuite) TestSlotSucceedsWhenSlotExists(c *C) {
 	err := s.testRepo.AddSlot(s.slot)
 	c.Assert(err, IsNil)
-	slot := s.testRepo.Slot(s.slot.Snap.Name(), s.slot.Name)
+	slot := s.testRepo.Slot(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(slot, DeepEquals, s.slot)
 }
 
 func (s *RepositorySuite) TestSlotFailsWhenSlotDoesntExist(c *C) {
-	slot := s.testRepo.Slot(s.slot.Snap.Name(), s.slot.Name)
+	slot := s.testRepo.Slot(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(slot, IsNil)
 }
 
@@ -481,7 +651,7 @@
 		Interface: "interface",
 	}
 	err := s.emptyRepo.AddSlot(slot)
-	c.Assert(err, ErrorMatches, `invalid interface name: "bad-name-"`)
+	c.Assert(err, ErrorMatches, `invalid slot name: "bad-name-"`)
 	c.Assert(s.emptyRepo.AllSlots(""), HasLen, 0)
 }
 
@@ -522,33 +692,50 @@
 	err = s.testRepo.AddSlot(slot)
 	c.Assert(err, ErrorMatches, `snap "snap" has plug and slot conflicting on name "clashing"`)
 	c.Assert(s.testRepo.AllPlugs(""), HasLen, 1)
-	c.Assert(s.testRepo.Plug(plug.Snap.Name(), plug.Name), DeepEquals, plug)
+	c.Assert(s.testRepo.Plug(plug.Snap.InstanceName(), plug.Name), DeepEquals, plug)
 }
 
 func (s *RepositorySuite) TestAddSlotStoresCorrectData(c *C) {
 	err := s.testRepo.AddSlot(s.slot)
 	c.Assert(err, IsNil)
-	slot := s.testRepo.Slot(s.slot.Snap.Name(), s.slot.Name)
+	slot := s.testRepo.Slot(s.slot.Snap.InstanceName(), s.slot.Name)
 	// The added slot has the same data
 	c.Assert(slot, DeepEquals, s.slot)
 }
 
+func (s *RepositorySuite) TestAddSlotParallelInstance(c *C) {
+	c.Assert(s.testRepo.AllSlots(""), HasLen, 0)
+
+	err := s.testRepo.AddSlot(s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(s.testRepo.AllSlots(""), HasLen, 1)
+
+	producer := snaptest.MockInfo(c, producerYaml, nil)
+	producer.InstanceKey = "instance"
+	err = s.testRepo.AddSlot(producer.Slots["slot"])
+	c.Assert(err, IsNil)
+	c.Assert(s.testRepo.AllSlots(""), HasLen, 2)
+
+	c.Assert(s.testRepo.Slot(s.slot.Snap.InstanceName(), s.slot.Name), DeepEquals, s.slot)
+	c.Assert(s.testRepo.Slot(producer.InstanceName(), "slot"), DeepEquals, producer.Slots["slot"])
+}
+
 // Tests for Repository.RemoveSlot()
 
 func (s *RepositorySuite) TestRemoveSlotSuccedsWhenSlotExistsAndDisconnected(c *C) {
 	err := s.testRepo.AddSlot(s.slot)
 	c.Assert(err, IsNil)
 	// Removing a vacant slot simply works
-	err = s.testRepo.RemoveSlot(s.slot.Snap.Name(), s.slot.Name)
+	err = s.testRepo.RemoveSlot(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, IsNil)
 	// The slot is gone now
-	slot := s.testRepo.Slot(s.slot.Snap.Name(), s.slot.Name)
+	slot := s.testRepo.Slot(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(slot, IsNil)
 }
 
 func (s *RepositorySuite) TestRemoveSlotFailsWhenSlotDoesntExist(c *C) {
 	// Removing a slot that doesn't exist returns an appropriate error
-	err := s.testRepo.RemoveSlot(s.slot.Snap.Name(), s.slot.Name)
+	err := s.testRepo.RemoveSlot(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, Not(IsNil))
 	c.Assert(err, ErrorMatches, `cannot remove slot "slot" from snap "producer", no such slot`)
 }
@@ -559,13 +746,13 @@
 	err = s.testRepo.AddSlot(s.slot)
 	c.Assert(err, IsNil)
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	// Removing a slot occupied by a plug returns an appropriate error
-	err = s.testRepo.RemoveSlot(s.slot.Snap.Name(), s.slot.Name)
+	err = s.testRepo.RemoveSlot(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, ErrorMatches, `cannot remove slot "slot" from snap "producer", it is still connected`)
 	// The slot is still there
-	slot := s.testRepo.Slot(s.slot.Snap.Name(), s.slot.Name)
+	slot := s.testRepo.Slot(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(slot, Not(IsNil))
 }
 
@@ -576,27 +763,31 @@
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "producer", "slot")
 	c.Check(err, IsNil)
-	c.Check(conn, Equals, ConnRef{
+	c.Check(conn, DeepEquals, &ConnRef{
 		PlugRef: PlugRef{Snap: "consumer", Name: "plug"},
 		SlotRef: SlotRef{Snap: "producer", Name: "slot"},
 	})
 }
 
+// ResolveConnect uses the "snapd" snap when slot snap name is empty
+func (s *RepositorySuite) TestResolveConnectImplicitSnapdSlot(c *C) {
+	c.Assert(s.testRepo.AddSnap(s.snapdSnap), IsNil)
+	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
+	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "slot")
+	c.Check(err, IsNil)
+	c.Check(conn, DeepEquals, &ConnRef{
+		PlugRef: PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: SlotRef{Snap: "snapd", Name: "slot"},
+	})
+}
+
 // ResolveConnect uses the "core" snap when slot snap name is empty
 func (s *RepositorySuite) TestResolveConnectImplicitCoreSlot(c *C) {
-	coreSnap := snaptest.MockInfo(c, `
-name: core
-version: 0
-type: os
-slots:
-    slot:
-        interface: interface
-`, nil)
-	c.Assert(s.testRepo.AddSnap(coreSnap), IsNil)
+	c.Assert(s.testRepo.AddSnap(s.coreSnap), IsNil)
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "slot")
 	c.Check(err, IsNil)
-	c.Check(conn, Equals, ConnRef{
+	c.Check(conn, DeepEquals, &ConnRef{
 		PlugRef: PlugRef{Snap: "consumer", Name: "plug"},
 		SlotRef: SlotRef{Snap: "core", Name: "slot"},
 	})
@@ -604,44 +795,30 @@
 
 // ResolveConnect uses the "ubuntu-core" snap when slot snap name is empty
 func (s *RepositorySuite) TestResolveConnectImplicitUbuntuCoreSlot(c *C) {
-	ubuntuCoreSnap := snaptest.MockInfo(c, `
-name: ubuntu-core
-version: 0
-type: os
-slots:
-    slot:
-        interface: interface
-`, nil)
-	c.Assert(s.testRepo.AddSnap(ubuntuCoreSnap), IsNil)
+	c.Assert(s.testRepo.AddSnap(s.ubuntuCoreSnap), IsNil)
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "slot")
 	c.Check(err, IsNil)
-	c.Check(conn, Equals, ConnRef{
+	c.Check(conn, DeepEquals, &ConnRef{
 		PlugRef: PlugRef{Snap: "consumer", Name: "plug"},
 		SlotRef: SlotRef{Snap: "ubuntu-core", Name: "slot"},
 	})
 }
 
-// ResolveConnect prefers the "core" snap if (by any chance) both are available
-func (s *RepositorySuite) TestResolveConnectImplicitSlotPrefersCore(c *C) {
-	coreSnap := snaptest.MockInfo(c, `
-name: core
-version: 0
-type: os
-slots:
-    slot:
-        interface: interface
-`, nil)
-	ubuntuCoreSnap := snaptest.MockInfo(c, `
-name: ubuntu-core
-version: 0
-type: os
-slots:
-    slot:
-        interface: interface
-`, nil)
-	c.Assert(s.testRepo.AddSnap(coreSnap), IsNil)
-	c.Assert(s.testRepo.AddSnap(ubuntuCoreSnap), IsNil)
+// ResolveConnect prefers the "snapd" snap if "snapd" and "core" are available
+func (s *RepositorySuite) TestResolveConnectImplicitSlotPrefersSnapdOverCore(c *C) {
+	c.Assert(s.testRepo.AddSnap(s.snapdSnap), IsNil)
+	c.Assert(s.testRepo.AddSnap(s.coreSnap), IsNil)
+	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
+	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "slot")
+	c.Check(err, IsNil)
+	c.Check(conn.SlotRef.Snap, Equals, "snapd")
+}
+
+// ResolveConnect prefers the "core" snap if "core" and "ubuntu-core" are available
+func (s *RepositorySuite) TestResolveConnectImplicitSlotPrefersCoreOverUbuntuCore(c *C) {
+	c.Assert(s.testRepo.AddSnap(s.coreSnap), IsNil)
+	c.Assert(s.testRepo.AddSnap(s.ubuntuCoreSnap), IsNil)
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "slot")
 	c.Check(err, IsNil)
@@ -652,19 +829,13 @@
 func (s *RepositorySuite) TestResolveConnectNoImplicitCandidates(c *C) {
 	err := s.testRepo.AddInterface(&ifacetest.TestInterface{InterfaceName: "other-interface"})
 	c.Assert(err, IsNil)
-	coreSnap := snaptest.MockInfo(c, `
-name: core
-version: 0
-type: os
-slots:
-    slot:
-        interface: other-interface
-`, nil)
-	c.Assert(s.testRepo.AddSnap(coreSnap), IsNil)
+	// Tweak the "slot" slot so that it has an incompatible interface type.
+	s.coreSnap.Slots["slot"].Interface = "other-interface"
+	c.Assert(s.testRepo.AddSnap(s.coreSnap), IsNil)
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "")
 	c.Check(err, ErrorMatches, `snap "core" has no "interface" interface slots`)
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // ResolveConnect detects ambiguities when slot snap name is empty
@@ -684,28 +855,28 @@
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "")
 	c.Check(err, ErrorMatches, `snap "core" has multiple "interface" interface slots: slot-a, slot-b`)
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Pug snap name cannot be empty
 func (s *RepositorySuite) TestResolveConnectEmptyPlugSnapName(c *C) {
 	conn, err := s.testRepo.ResolveConnect("", "plug", "producer", "slot")
 	c.Check(err, ErrorMatches, "cannot resolve connection, plug snap name is empty")
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Plug name cannot be empty
 func (s *RepositorySuite) TestResolveConnectEmptyPlugName(c *C) {
 	conn, err := s.testRepo.ResolveConnect("consumer", "", "producer", "slot")
 	c.Check(err, ErrorMatches, "cannot resolve connection, plug name is empty")
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Plug must exist
 func (s *RepositorySuite) TestResolveNoSuchPlug(c *C) {
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "consumer", "slot")
 	c.Check(err, ErrorMatches, `snap "consumer" has no plug named "plug"`)
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Slot snap name cannot be empty if there's no core snap around
@@ -713,7 +884,7 @@
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "", "slot")
 	c.Check(err, ErrorMatches, "cannot resolve connection, slot snap name is empty")
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Slot name cannot be empty if there's no core snap around
@@ -721,7 +892,7 @@
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "producer", "")
 	c.Check(err, ErrorMatches, `snap "producer" has no "interface" interface slots`)
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Slot must exists
@@ -729,7 +900,7 @@
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "producer", "slot")
 	c.Check(err, ErrorMatches, `snap "producer" has no slot named "slot"`)
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Plug and slot must have matching types
@@ -746,12 +917,12 @@
 	conn, err := s.testRepo.ResolveConnect("consumer", "plug", "producer", "slot")
 	c.Check(err, ErrorMatches,
 		`cannot connect consumer:plug \("other-interface" interface\) to producer:slot \("interface" interface\)`)
-	c.Check(conn, Equals, ConnRef{})
+	c.Check(conn, IsNil)
 }
 
 // Tests for Repository.ResolveDisconnect()
 
-// All the was to resolve a 'snap disconnect' between two snaps.
+// All the ways to resolve a 'snap disconnect' between two snaps.
 // The actual snaps are not installed though.
 func (s *RepositorySuite) TestResolveDisconnectMatrixNoSnaps(c *C) {
 	scenarios := []struct {
@@ -821,9 +992,83 @@
 	}
 }
 
-// All the was to resolve a 'snap disconnect' between two snaps.
+// All the ways to resolve a 'snap disconnect' between two snaps.
+// The actual snaps are not installed though but a snapd snap is.
+func (s *RepositorySuite) TestResolveDisconnectMatrixJustSnapdSnap(c *C) {
+	// Rename the "slot" from the snapd snap so that it is not picked up below.
+	c.Assert(snaptest.RenameSlot(s.snapdSnap, "slot", "unused"), IsNil)
+	c.Assert(s.testRepo.AddSnap(s.snapdSnap), IsNil)
+	scenarios := []struct {
+		plugSnapName, plugName, slotSnapName, slotName string
+		errMsg                                         string
+	}{
+		// Case 0 (INVALID)
+		// Nothing is provided
+		{"", "", "", "", "allowed forms are .*"},
+		// Case 1 (FAILURE)
+		// Disconnect anything connected to a specific plug or slot.
+		// The snap name is implicit and refers to the snapd snap.
+		{"", "", "", "slot", `snap "snapd" has no plug or slot named "slot"`},
+		// Case 2 (INVALID)
+		// The slot name is not provided.
+		{"", "", "producer", "", "allowed forms are .*"},
+		// Case 3 (FAILURE)
+		// Disconnect anything connected to a specific plug or slot
+		{"", "", "producer", "slot", `snap "producer" has no plug or slot named "slot"`},
+		// Case 4 (FAILURE)
+		// Disconnect anything connected to a specific plug or slot
+		{"", "plug", "", "", `snap "snapd" has no plug or slot named "plug"`},
+		// Case 5 (FAILURE)
+		// Disconnect a specific connection.
+		// The plug and slot side implicit refers to the snapd snap.
+		{"", "plug", "", "slot", `snap "snapd" has no plug named "plug"`},
+		// Case 6 (INVALID)
+		// Slot name is not provided.
+		{"", "plug", "producer", "", "allowed forms are .*"},
+		// Case 7 (FAILURE)
+		// Disconnect a specific connection.
+		// The plug side implicit refers to the snapd snap.
+		{"", "plug", "producer", "slot", `snap "snapd" has no plug named "plug"`},
+		// Case 8 (INVALID)
+		// Plug name is not provided.
+		{"consumer", "", "", "", "allowed forms are .*"},
+		// Case 9 (INVALID)
+		// Plug name is not provided.
+		{"consumer", "", "", "slot", "allowed forms are .*"},
+		// Case 10 (INVALID)
+		// Plug name is not provided.
+		{"consumer", "", "producer", "", "allowed forms are .*"},
+		// Case 11 (INVALID)
+		// Plug name is not provided.
+		{"consumer", "", "producer", "slot", "allowed forms are .*"},
+		// Case 12 (FAILURE)
+		// Disconnect anything connected to a specific plug or slot.
+		{"consumer", "plug", "", "", `snap "consumer" has no plug or slot named "plug"`},
+		// Case 13 (FAILURE)
+		// Disconnect a specific connection.
+		// The snap name is implicit and refers to the snapd snap.
+		{"consumer", "plug", "", "slot", `snap "consumer" has no plug named "plug"`},
+		// Case 14 (INVALID)
+		// The slot name was not provided.
+		{"consumer", "plug", "producer", "", "allowed forms are .*"},
+		// Case 15 (FAILURE)
+		// Disconnect a specific connection.
+		{"consumer", "plug", "producer", "slot", `snap "consumer" has no plug named "plug"`},
+	}
+	for i, scenario := range scenarios {
+		c.Logf("checking scenario %d: %q", i, scenario)
+		connRefList, err := s.testRepo.ResolveDisconnect(
+			scenario.plugSnapName, scenario.plugName, scenario.slotSnapName, scenario.slotName)
+		c.Check(err, ErrorMatches, scenario.errMsg)
+		c.Check(connRefList, HasLen, 0)
+	}
+}
+
+// All the ways to resolve a 'snap disconnect' between two snaps.
 // The actual snaps are not installed though but a core snap is.
 func (s *RepositorySuite) TestResolveDisconnectMatrixJustCoreSnap(c *C) {
+	// Rename the "slot" from the core snap so that it is not picked up below.
+	c.Assert(snaptest.RenameSlot(s.coreSnap, "slot", "unused"), IsNil)
 	c.Assert(s.testRepo.AddSnap(s.coreSnap), IsNil)
 	scenarios := []struct {
 		plugSnapName, plugName, slotSnapName, slotName string
@@ -891,10 +1136,12 @@
 	}
 }
 
-// All the was to resolve a 'snap disconnect' between two snaps.
+// All the ways to resolve a 'snap disconnect' between two snaps.
 // The actual snaps as well as the core snap are installed.
 // The snaps are not connected.
 func (s *RepositorySuite) TestResolveDisconnectMatrixDisconnectedSnaps(c *C) {
+	// Rename the "slot" from the core snap so that it is not picked up below.
+	c.Assert(snaptest.RenameSlot(s.coreSnap, "slot", "unused"), IsNil)
 	c.Assert(s.testRepo.AddSnap(s.coreSnap), IsNil)
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
@@ -969,15 +1216,18 @@
 	}
 }
 
-// All the was to resolve a 'snap disconnect' between two snaps.
+// All the ways to resolve a 'snap disconnect' between two snaps.
 // The actual snaps as well as the core snap are installed.
 // The snaps are connected.
 func (s *RepositorySuite) TestResolveDisconnectMatrixTypical(c *C) {
+	// Rename the "slot" from the core snap so that it is not picked up below.
+	c.Assert(snaptest.RenameSlot(s.coreSnap, "slot", "unused"), IsNil)
 	c.Assert(s.testRepo.AddSnap(s.coreSnap), IsNil)
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
 	connRef := NewConnRef(s.plug, s.slot)
-	c.Assert(s.testRepo.Connect(*connRef), IsNil)
+	_, err := s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
 
 	scenarios := []struct {
 		plugSnapName, plugName, slotSnapName, slotName string
@@ -1046,7 +1296,7 @@
 			c.Check(connRefList, HasLen, 0)
 		} else {
 			c.Check(err, IsNil)
-			c.Check(connRefList, DeepEquals, []ConnRef{*connRef})
+			c.Check(connRefList, DeepEquals, []*ConnRef{connRef})
 		}
 	}
 }
@@ -1058,8 +1308,8 @@
 	c.Assert(err, IsNil)
 	// Connecting an unknown plug returns an appropriate error
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
-	c.Assert(err, ErrorMatches, `cannot connect plug "plug" from snap "consumer", no such plug`)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, ErrorMatches, `cannot connect plug "plug" from snap "consumer": no such plug`)
 }
 
 func (s *RepositorySuite) TestConnectFailsWhenSlotDoesNotExist(c *C) {
@@ -1067,8 +1317,8 @@
 	c.Assert(err, IsNil)
 	// Connecting to an unknown slot returns an error
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
-	c.Assert(err, ErrorMatches, `cannot connect plug to slot "slot" from snap "producer", no such slot`)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, ErrorMatches, `cannot connect slot "slot" from snap "producer": no such slot`)
 }
 
 func (s *RepositorySuite) TestConnectSucceedsWhenIdenticalConnectExists(c *C) {
@@ -1077,10 +1327,15 @@
 	err = s.testRepo.AddSlot(s.slot)
 	c.Assert(err, IsNil)
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
+	conn, err := s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
+	c.Assert(conn, NotNil)
+	c.Assert(conn.Plug, NotNil)
+	c.Assert(conn.Slot, NotNil)
+	c.Assert(conn.Plug.Name(), Equals, "plug")
+	c.Assert(conn.Slot.Name(), Equals, "slot")
 	// Connecting exactly the same thing twice succeeds without an error but does nothing.
-	err = s.testRepo.Connect(*connRef)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	// Only one connection is actually present.
 	c.Assert(s.testRepo.Interfaces(), DeepEquals, &Interfaces{
@@ -1105,7 +1360,7 @@
 	c.Assert(err, IsNil)
 	// Connecting a plug to an incompatible slot fails with an appropriate error
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, ErrorMatches, `cannot connect plug "consumer:plug" \(interface "other-interface"\) to "producer:slot" \(interface "interface"\)`)
 }
 
@@ -1116,7 +1371,7 @@
 	c.Assert(err, IsNil)
 	// Connecting a plug works okay
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 }
 
@@ -1124,10 +1379,10 @@
 
 // Disconnect fails if any argument is empty
 func (s *RepositorySuite) TestDisconnectFailsOnEmptyArgs(c *C) {
-	err1 := s.testRepo.Disconnect(s.plug.Snap.Name(), s.plug.Name, s.slot.Snap.Name(), "")
-	err2 := s.testRepo.Disconnect(s.plug.Snap.Name(), s.plug.Name, "", s.slot.Name)
-	err3 := s.testRepo.Disconnect(s.plug.Snap.Name(), "", s.slot.Snap.Name(), s.slot.Name)
-	err4 := s.testRepo.Disconnect("", s.plug.Name, s.slot.Snap.Name(), s.slot.Name)
+	err1 := s.testRepo.Disconnect(s.plug.Snap.InstanceName(), s.plug.Name, s.slot.Snap.InstanceName(), "")
+	err2 := s.testRepo.Disconnect(s.plug.Snap.InstanceName(), s.plug.Name, "", s.slot.Name)
+	err3 := s.testRepo.Disconnect(s.plug.Snap.InstanceName(), "", s.slot.Snap.InstanceName(), s.slot.Name)
+	err4 := s.testRepo.Disconnect("", s.plug.Name, s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err1, ErrorMatches, `cannot disconnect, slot name is empty`)
 	c.Assert(err2, ErrorMatches, `cannot disconnect, slot snap name is empty`)
 	c.Assert(err3, ErrorMatches, `cannot disconnect, plug name is empty`)
@@ -1137,14 +1392,14 @@
 // Disconnect fails if plug doesn't exist
 func (s *RepositorySuite) TestDisconnectFailsWithoutPlug(c *C) {
 	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
-	err := s.testRepo.Disconnect(s.plug.Snap.Name(), s.plug.Name, s.slot.Snap.Name(), s.slot.Name)
+	err := s.testRepo.Disconnect(s.plug.Snap.InstanceName(), s.plug.Name, s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, ErrorMatches, `snap "consumer" has no plug named "plug"`)
 }
 
 // Disconnect fails if slot doesn't exist
 func (s *RepositorySuite) TestDisconnectFailsWithutSlot(c *C) {
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
-	err := s.testRepo.Disconnect(s.plug.Snap.Name(), s.plug.Name, s.slot.Snap.Name(), s.slot.Name)
+	err := s.testRepo.Disconnect(s.plug.Snap.InstanceName(), s.plug.Name, s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, ErrorMatches, `snap "producer" has no slot named "slot"`)
 }
 
@@ -1152,7 +1407,7 @@
 func (s *RepositorySuite) TestDisconnectFailsWhenNotConnected(c *C) {
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
-	err := s.testRepo.Disconnect(s.plug.Snap.Name(), s.plug.Name, s.slot.Snap.Name(), s.slot.Name)
+	err := s.testRepo.Disconnect(s.plug.Snap.InstanceName(), s.plug.Name, s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, ErrorMatches, `cannot disconnect consumer:plug from producer:slot, it is not connected`)
 }
 
@@ -1160,8 +1415,11 @@
 func (s *RepositorySuite) TestDisconnectSucceeds(c *C) {
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
-	c.Assert(s.testRepo.Connect(*NewConnRef(s.plug, s.slot)), IsNil)
-	err := s.testRepo.Disconnect(s.plug.Snap.Name(), s.plug.Name, s.slot.Snap.Name(), s.slot.Name)
+	_, err := s.testRepo.Connect(NewConnRef(s.plug, s.slot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+	_, err = s.testRepo.Connect(NewConnRef(s.plug, s.slot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+	err = s.testRepo.Disconnect(s.plug.Snap.InstanceName(), s.plug.Name, s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, IsNil)
 	c.Assert(s.testRepo.Interfaces(), DeepEquals, &Interfaces{
 		Plugs: []*snap.PlugInfo{s.plug},
@@ -1174,19 +1432,19 @@
 // Connected fails if snap name is empty and there's no core snap around
 func (s *RepositorySuite) TestConnectedFailsWithEmptySnapName(c *C) {
 	_, err := s.testRepo.Connected("", s.plug.Name)
-	c.Check(err, ErrorMatches, "snap name is empty")
+	c.Check(err, ErrorMatches, "internal error: cannot obtain core snap name while computing connections")
 }
 
 // Connected fails if plug or slot name is empty
 func (s *RepositorySuite) TestConnectedFailsWithEmptyPlugSlotName(c *C) {
-	_, err := s.testRepo.Connected(s.plug.Snap.Name(), "")
+	_, err := s.testRepo.Connected(s.plug.Snap.InstanceName(), "")
 	c.Check(err, ErrorMatches, "plug or slot name is empty")
 }
 
 // Connected fails if plug or slot doesn't exist
 func (s *RepositorySuite) TestConnectedFailsWithoutPlugOrSlot(c *C) {
-	_, err1 := s.testRepo.Connected(s.plug.Snap.Name(), s.plug.Name)
-	_, err2 := s.testRepo.Connected(s.slot.Snap.Name(), s.slot.Name)
+	_, err1 := s.testRepo.Connected(s.plug.Snap.InstanceName(), s.plug.Name)
+	_, err2 := s.testRepo.Connected(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Check(err1, ErrorMatches, `snap "consumer" has no plug or slot named "plug"`)
 	c.Check(err2, ErrorMatches, `snap "producer" has no plug or slot named "slot"`)
 }
@@ -1195,15 +1453,16 @@
 func (s *RepositorySuite) TestConnectedFindsConnections(c *C) {
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
-	c.Assert(s.testRepo.Connect(*NewConnRef(s.plug, s.slot)), IsNil)
+	_, err := s.testRepo.Connect(NewConnRef(s.plug, s.slot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
 
-	conns, err := s.testRepo.Connected(s.plug.Snap.Name(), s.plug.Name)
+	conns, err := s.testRepo.Connected(s.plug.Snap.InstanceName(), s.plug.Name)
 	c.Assert(err, IsNil)
-	c.Check(conns, DeepEquals, []ConnRef{*NewConnRef(s.plug, s.slot)})
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plug, s.slot)})
 
-	conns, err = s.testRepo.Connected(s.slot.Snap.Name(), s.slot.Name)
+	conns, err = s.testRepo.Connected(s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, IsNil)
-	c.Check(conns, DeepEquals, []ConnRef{*NewConnRef(s.plug, s.slot)})
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plug, s.slot)})
 }
 
 // Connected uses the core snap if snap name is empty
@@ -1215,11 +1474,47 @@
 	}
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	c.Assert(s.testRepo.AddSlot(slot), IsNil)
-	c.Assert(s.testRepo.Connect(*NewConnRef(s.plug, slot)), IsNil)
+	_, err := s.testRepo.Connect(NewConnRef(s.plug, slot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
 
 	conns, err := s.testRepo.Connected("", s.slot.Name)
 	c.Assert(err, IsNil)
-	c.Check(conns, DeepEquals, []ConnRef{*NewConnRef(s.plug, slot)})
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plug, slot)})
+}
+
+// Connected finds connections when asked from plug or from slot side
+func (s *RepositorySuite) TestConnections(c *C) {
+	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
+	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
+	_, err := s.testRepo.Connect(NewConnRef(s.plug, s.slot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	conns, err := s.testRepo.Connections(s.plug.Snap.InstanceName())
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plug, s.slot)})
+
+	conns, err = s.testRepo.Connections(s.slot.Snap.InstanceName())
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plug, s.slot)})
+
+	conns, err = s.testRepo.Connections("abc")
+	c.Assert(err, IsNil)
+	c.Assert(conns, HasLen, 0)
+}
+
+func (s *RepositorySuite) TestConnectionsWithSelfConnected(c *C) {
+	c.Assert(s.testRepo.AddPlug(s.plugSelf), IsNil)
+	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
+	_, err := s.testRepo.Connect(NewConnRef(s.plugSelf, s.slot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	conns, err := s.testRepo.Connections(s.plugSelf.Snap.InstanceName())
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plugSelf, s.slot)})
+
+	conns, err = s.testRepo.Connections(s.slot.Snap.InstanceName())
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plugSelf, s.slot)})
 }
 
 // Tests for Repository.DisconnectAll()
@@ -1227,9 +1522,10 @@
 func (s *RepositorySuite) TestDisconnectAll(c *C) {
 	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
 	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
-	c.Assert(s.testRepo.Connect(*NewConnRef(s.plug, s.slot)), IsNil)
+	_, err := s.testRepo.Connect(NewConnRef(s.plug, s.slot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
 
-	conns := []ConnRef{*NewConnRef(s.plug, s.slot)}
+	conns := []*ConnRef{NewConnRef(s.plug, s.slot)}
 	s.testRepo.DisconnectAll(conns)
 	c.Assert(s.testRepo.Interfaces(), DeepEquals, &Interfaces{
 		Plugs: []*snap.PlugInfo{s.plug},
@@ -1246,7 +1542,7 @@
 	c.Assert(err, IsNil)
 	// After connecting the result is as expected
 	connRef := NewConnRef(s.plug, s.slot)
-	err = s.testRepo.Connect(*connRef)
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	ifaces := s.testRepo.Interfaces()
 	c.Assert(ifaces, DeepEquals, &Interfaces{
@@ -1255,7 +1551,7 @@
 		Connections: []*ConnRef{NewConnRef(s.plug, s.slot)},
 	})
 	// After disconnecting the connections become empty
-	err = s.testRepo.Disconnect(s.plug.Snap.Name(), s.plug.Name, s.slot.Snap.Name(), s.slot.Name)
+	err = s.testRepo.Disconnect(s.plug.Snap.InstanceName(), s.plug.Name, s.slot.Snap.InstanceName(), s.slot.Name)
 	c.Assert(err, IsNil)
 	ifaces = s.testRepo.Interfaces()
 	c.Assert(ifaces, DeepEquals, &Interfaces{
@@ -1297,28 +1593,28 @@
 	c.Assert(repo.AddSlot(s.slot), IsNil)
 
 	// Snaps should get static security now
-	spec, err := repo.SnapSpecification(testSecurity, s.plug.Snap.Name())
+	spec, err := repo.SnapSpecification(testSecurity, s.plug.Snap.InstanceName())
 	c.Assert(err, IsNil)
 	c.Check(spec.(*ifacetest.Specification).Snippets, DeepEquals, []string{"static plug snippet"})
 
-	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.Name())
+	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.InstanceName())
 	c.Assert(err, IsNil)
 	c.Check(spec.(*ifacetest.Specification).Snippets, DeepEquals, []string{"static slot snippet"})
 
 	// Establish connection between plug and slot
 	connRef := NewConnRef(s.plug, s.slot)
-	err = repo.Connect(*connRef)
+	_, err = repo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 
 	// Snaps should get static and connection-specific security now
-	spec, err = repo.SnapSpecification(testSecurity, s.plug.Snap.Name())
+	spec, err = repo.SnapSpecification(testSecurity, s.plug.Snap.InstanceName())
 	c.Assert(err, IsNil)
 	c.Check(spec.(*ifacetest.Specification).Snippets, DeepEquals, []string{
 		"static plug snippet",
 		"connection-specific plug snippet",
 	})
 
-	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.Name())
+	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.InstanceName())
 	c.Assert(err, IsNil)
 	c.Check(spec.(*ifacetest.Specification).Snippets, DeepEquals, []string{
 		"static slot snippet",
@@ -1345,13 +1641,14 @@
 	c.Assert(repo.AddPlug(s.plug), IsNil)
 	c.Assert(repo.AddSlot(s.slot), IsNil)
 	connRef := NewConnRef(s.plug, s.slot)
-	c.Assert(repo.Connect(*connRef), IsNil)
+	_, err := repo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
 
-	spec, err := repo.SnapSpecification(testSecurity, s.plug.Snap.Name())
+	spec, err := repo.SnapSpecification(testSecurity, s.plug.Snap.InstanceName())
 	c.Assert(err, ErrorMatches, "cannot compute snippet for consumer")
 	c.Assert(spec, IsNil)
 
-	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.Name())
+	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.InstanceName())
 	c.Assert(err, ErrorMatches, "cannot compute snippet for provider")
 	c.Assert(spec, IsNil)
 }
@@ -1374,13 +1671,14 @@
 	c.Assert(repo.AddPlug(s.plug), IsNil)
 	c.Assert(repo.AddSlot(s.slot), IsNil)
 	connRef := NewConnRef(s.plug, s.slot)
-	c.Assert(repo.Connect(*connRef), IsNil)
+	_, err := repo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
 
-	spec, err := repo.SnapSpecification(testSecurity, s.plug.Snap.Name())
+	spec, err := repo.SnapSpecification(testSecurity, s.plug.Snap.InstanceName())
 	c.Assert(err, ErrorMatches, "cannot compute snippet for consumer")
 	c.Assert(spec, IsNil)
 
-	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.Name())
+	spec, err = repo.SnapSpecification(testSecurity, s.slot.Snap.InstanceName())
 	c.Assert(err, ErrorMatches, "cannot compute snippet for provider")
 	c.Assert(spec, IsNil)
 }
@@ -1393,8 +1691,8 @@
 	err = repo.AddInterface(&ifacetest.TestInterface{InterfaceName: "manual"})
 	c.Assert(err, IsNil)
 
-	policyCheck := func(plug *Plug, slot *Slot) bool {
-		return slot.Interface == "auto"
+	policyCheck := func(plug *ConnectedPlug, slot *ConnectedSlot) (bool, error) {
+		return slot.Interface() == "auto", nil
 	}
 
 	// Add a pair of snaps with plugs/slots using those two interfaces
@@ -1420,13 +1718,13 @@
 
 	candidateSlots := repo.AutoConnectCandidateSlots("consumer", "auto", policyCheck)
 	c.Assert(candidateSlots, HasLen, 1)
-	c.Check(candidateSlots[0].Snap.Name(), Equals, "producer")
+	c.Check(candidateSlots[0].Snap.InstanceName(), Equals, "producer")
 	c.Check(candidateSlots[0].Interface, Equals, "auto")
 	c.Check(candidateSlots[0].Name, Equals, "auto")
 
 	candidatePlugs := repo.AutoConnectCandidatePlugs("producer", "auto", policyCheck)
 	c.Assert(candidatePlugs, HasLen, 1)
-	c.Check(candidatePlugs[0].Snap.Name(), Equals, "consumer")
+	c.Check(candidatePlugs[0].Snap.InstanceName(), Equals, "consumer")
 	c.Check(candidatePlugs[0].Interface, Equals, "auto")
 	c.Check(candidatePlugs[0].Name, Equals, "auto")
 }
@@ -1437,8 +1735,8 @@
 	err := repo.AddInterface(&ifacetest.TestInterface{InterfaceName: "auto"})
 	c.Assert(err, IsNil)
 
-	policyCheck := func(plug *Plug, slot *Slot) bool {
-		return slot.Interface == "auto"
+	policyCheck := func(plug *ConnectedPlug, slot *ConnectedSlot) (bool, error) {
+		return slot.Interface() == "auto", nil
 	}
 
 	// Add a producer snap for "auto"
@@ -1477,13 +1775,13 @@
 	// Both can auto-connect
 	candidateSlots := repo.AutoConnectCandidateSlots("consumer1", "auto", policyCheck)
 	c.Assert(candidateSlots, HasLen, 1)
-	c.Check(candidateSlots[0].Snap.Name(), Equals, "producer")
+	c.Check(candidateSlots[0].Snap.InstanceName(), Equals, "producer")
 	c.Check(candidateSlots[0].Interface, Equals, "auto")
 	c.Check(candidateSlots[0].Name, Equals, "auto")
 
 	candidateSlots = repo.AutoConnectCandidateSlots("consumer2", "auto", policyCheck)
 	c.Assert(candidateSlots, HasLen, 1)
-	c.Check(candidateSlots[0].Snap.Name(), Equals, "producer")
+	c.Check(candidateSlots[0].Snap.InstanceName(), Equals, "producer")
 	c.Check(candidateSlots[0].Interface, Equals, "auto")
 	c.Check(candidateSlots[0].Name, Equals, "auto")
 
@@ -1628,8 +1926,8 @@
 	c.Assert(err, IsNil)
 	_, err = s.addSnap(c, testProducerYaml)
 	c.Assert(err, IsNil)
-	connRef := ConnRef{PlugRef: PlugRef{Snap: "consumer", Name: "iface"}, SlotRef: SlotRef{Snap: "producer", Name: "iface"}}
-	err = s.repo.Connect(connRef)
+	connRef := &ConnRef{PlugRef: PlugRef{Snap: "consumer", Name: "iface"}, SlotRef: SlotRef{Snap: "producer", Name: "iface"}}
+	_, err = s.repo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	err = s.repo.RemoveSnap("consumer")
 	c.Assert(err, ErrorMatches, "cannot remove connected plug consumer.iface")
@@ -1640,8 +1938,8 @@
 	c.Assert(err, IsNil)
 	_, err = s.addSnap(c, testProducerYaml)
 	c.Assert(err, IsNil)
-	connRef := ConnRef{PlugRef: PlugRef{Snap: "consumer", Name: "iface"}, SlotRef: SlotRef{Snap: "producer", Name: "iface"}}
-	err = s.repo.Connect(connRef)
+	connRef := &ConnRef{PlugRef: PlugRef{Snap: "consumer", Name: "iface"}, SlotRef: SlotRef{Snap: "producer", Name: "iface"}}
+	_, err = s.repo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	err = s.repo.RemoveSnap("producer")
 	c.Assert(err, ErrorMatches, "cannot remove connected slot producer.iface")
@@ -1649,8 +1947,8 @@
 
 type DisconnectSnapSuite struct {
 	testutil.BaseTest
-	repo   *Repository
-	s1, s2 *snap.Info
+	repo               *Repository
+	s1, s2, s2Instance *snap.Info
 }
 
 var _ = Suite(&DisconnectSnapSuite{})
@@ -1688,6 +1986,18 @@
 	c.Assert(err, IsNil)
 	err = s.repo.AddSnap(s.s2)
 	c.Assert(err, IsNil)
+	s.s2Instance = snaptest.MockInfo(c, `
+name: s2
+version: 0
+plugs:
+    iface-b:
+slots:
+    iface-a:
+`, nil)
+	s.s2Instance.InstanceKey = "instance"
+	c.Assert(err, IsNil)
+	err = s.repo.AddSnap(s.s2Instance)
+	c.Assert(err, IsNil)
 }
 
 func (s *DisconnectSnapSuite) TearDownTest(c *C) {
@@ -1701,8 +2011,8 @@
 }
 
 func (s *DisconnectSnapSuite) TestOutgoingConnection(c *C) {
-	connRef := ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "iface-a"}, SlotRef: SlotRef{Snap: "s2", Name: "iface-a"}}
-	err := s.repo.Connect(connRef)
+	connRef := &ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "iface-a"}, SlotRef: SlotRef{Snap: "s2", Name: "iface-a"}}
+	_, err := s.repo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	// Disconnect s1 with which has an outgoing connection to s2
 	affected, err := s.repo.DisconnectSnap("s1")
@@ -1712,8 +2022,8 @@
 }
 
 func (s *DisconnectSnapSuite) TestIncomingConnection(c *C) {
-	connRef := ConnRef{PlugRef: PlugRef{Snap: "s2", Name: "iface-b"}, SlotRef: SlotRef{Snap: "s1", Name: "iface-b"}}
-	err := s.repo.Connect(connRef)
+	connRef := &ConnRef{PlugRef: PlugRef{Snap: "s2", Name: "iface-b"}, SlotRef: SlotRef{Snap: "s1", Name: "iface-b"}}
+	_, err := s.repo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	// Disconnect s1 with which has an incoming connection from s2
 	affected, err := s.repo.DisconnectSnap("s1")
@@ -1725,11 +2035,11 @@
 func (s *DisconnectSnapSuite) TestCrossConnection(c *C) {
 	// This test is symmetric wrt s1 <-> s2 connections
 	for _, snapName := range []string{"s1", "s2"} {
-		connRef1 := ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "iface-a"}, SlotRef: SlotRef{Snap: "s2", Name: "iface-a"}}
-		err := s.repo.Connect(connRef1)
+		connRef1 := &ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "iface-a"}, SlotRef: SlotRef{Snap: "s2", Name: "iface-a"}}
+		_, err := s.repo.Connect(connRef1, nil, nil, nil, nil, nil)
 		c.Assert(err, IsNil)
-		connRef2 := ConnRef{PlugRef: PlugRef{Snap: "s2", Name: "iface-b"}, SlotRef: SlotRef{Snap: "s1", Name: "iface-b"}}
-		err = s.repo.Connect(connRef2)
+		connRef2 := &ConnRef{PlugRef: PlugRef{Snap: "s2", Name: "iface-b"}, SlotRef: SlotRef{Snap: "s1", Name: "iface-b"}}
+		_, err = s.repo.Connect(connRef2, nil, nil, nil, nil, nil)
 		c.Assert(err, IsNil)
 		affected, err := s.repo.DisconnectSnap(snapName)
 		c.Assert(err, IsNil)
@@ -1738,11 +2048,27 @@
 	}
 }
 
-func contentPolicyCheck(plug *Plug, slot *Slot) bool {
-	return plug.Snap.PublisherID == slot.Snap.PublisherID
+func (s *DisconnectSnapSuite) TestParallelInstances(c *C) {
+	_, err := s.repo.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "iface-a"}, SlotRef: SlotRef{Snap: "s2_instance", Name: "iface-a"}}, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+	affected, err := s.repo.DisconnectSnap("s1")
+	c.Assert(err, IsNil)
+	c.Check(affected, testutil.Contains, "s1")
+	c.Check(affected, testutil.Contains, "s2_instance")
+
+	_, err = s.repo.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s2_instance", Name: "iface-b"}, SlotRef: SlotRef{Snap: "s1", Name: "iface-b"}}, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+	affected, err = s.repo.DisconnectSnap("s1")
+	c.Assert(err, IsNil)
+	c.Check(affected, testutil.Contains, "s1")
+	c.Check(affected, testutil.Contains, "s2_instance")
+}
+
+func contentPolicyCheck(plug *ConnectedPlug, slot *ConnectedSlot) (bool, error) {
+	return plug.Snap().Publisher.ID == slot.Snap().Publisher.ID, nil
 }
 
-func contentAutoConnect(plug *Plug, slot *Slot) bool {
+func contentAutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
 	return plug.Attrs["content"] == slot.Attrs["content"]
 }
 
@@ -1809,8 +2135,8 @@
 func (s *RepositorySuite) TestAutoConnectContentInterfaceNoMatchingDeveloper(c *C) {
 	repo, plugSnap, slotSnap := makeContentConnectionTestSnaps(c, "mylib", "mylib")
 	// real code will use the assertions, this is just for emulation
-	plugSnap.PublisherID = "fooid"
-	slotSnap.PublisherID = "barid"
+	plugSnap.Publisher.ID = "fooid"
+	slotSnap.Publisher.ID = "barid"
 
 	candidateSlots := repo.AutoConnectCandidateSlots("content-plug-snap", "imported-content", contentPolicyCheck)
 	c.Check(candidateSlots, HasLen, 0)
@@ -1830,36 +2156,59 @@
 	c.Assert(r.AddInterface(i3), IsNil)
 
 	// Add some test snaps.
-	s1 := snaptest.MockInfo(c, fmt.Sprintf(`
+	s1 := snaptest.MockInfo(c, `
 name: s1
 version: 0
 apps:
   s1:
     plugs: [i1, i2]
-`), nil)
+`, nil)
 	c.Assert(r.AddSnap(s1), IsNil)
 
-	s2 := snaptest.MockInfo(c, fmt.Sprintf(`
+	s2 := snaptest.MockInfo(c, `
 name: s2
 version: 0
 apps:
   s2:
     slots: [i1, i3]
-`), nil)
+`, nil)
 	c.Assert(r.AddSnap(s2), IsNil)
 
-	s3 := snaptest.MockInfo(c, fmt.Sprintf(`
+	s3 := snaptest.MockInfo(c, `
 name: s3
 version: 0
 type: os
 slots:
   i2:
-`), nil)
+`, nil)
 	c.Assert(r.AddSnap(s3), IsNil)
+	s3Instance := snaptest.MockInfo(c, `
+name: s3
+version: 0
+type: os
+slots:
+  i2:
+`, nil)
+	s3Instance.InstanceKey = "instance"
+	c.Assert(r.AddSnap(s3Instance), IsNil)
+	s4 := snaptest.MockInfo(c, `
+name: s4
+version: 0
+apps:
+  s1:
+    plugs: [i2]
+`, nil)
+	c.Assert(r.AddSnap(s4), IsNil)
 
 	// Connect a few things for the tests below.
-	c.Assert(r.Connect(ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "i1"}, SlotRef: SlotRef{Snap: "s2", Name: "i1"}}), IsNil)
-	c.Assert(r.Connect(ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "i2"}, SlotRef: SlotRef{Snap: "s3", Name: "i2"}}), IsNil)
+	_, err := r.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "i1"}, SlotRef: SlotRef{Snap: "s2", Name: "i1"}}, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+	_, err = r.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "i1"}, SlotRef: SlotRef{Snap: "s2", Name: "i1"}}, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+	_, err = r.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "i2"}, SlotRef: SlotRef{Snap: "s3", Name: "i2"}}, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+	_, err = r.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s4", Name: "i2"}, SlotRef: SlotRef{Snap: "s3_instance", Name: "i2"}}, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
 
 	// Without any names or options we get the summary of all the interfaces.
 	infos := r.Info(nil)
@@ -1884,13 +2233,13 @@
 	// We can ask for a list of plugs.
 	infos = r.Info(&InfoOptions{Names: []string{"i2"}, Plugs: true})
 	c.Assert(infos, DeepEquals, []*Info{
-		{Name: "i2", Summary: "i2 summary", Plugs: []*snap.PlugInfo{s1.Plugs["i2"]}},
+		{Name: "i2", Summary: "i2 summary", Plugs: []*snap.PlugInfo{s1.Plugs["i2"], s4.Plugs["i2"]}},
 	})
 
 	// We can ask for a list of slots too.
 	infos = r.Info(&InfoOptions{Names: []string{"i2"}, Slots: true})
 	c.Assert(infos, DeepEquals, []*Info{
-		{Name: "i2", Summary: "i2 summary", Slots: []*snap.SlotInfo{s3.Slots["i2"]}},
+		{Name: "i2", Summary: "i2 summary", Slots: []*snap.SlotInfo{s3.Slots["i2"], s3Instance.Slots["i2"]}},
 	})
 
 	// We can also ask for only those interfaces that have connected plugs or slots.
@@ -1900,3 +2249,205 @@
 		{Name: "i2", Summary: "i2 summary"},
 	})
 }
+
+const ifacehooksSnap1 = `
+name: s1
+version: 0
+plugs:
+  consumer:
+    interface: iface2
+    attr0: val0
+`
+
+const ifacehooksSnap2 = `
+name: s2
+version: 0
+slots:
+  producer:
+    interface: iface2
+    attr0: val0
+`
+
+func (s *RepositorySuite) TestBeforeConnectValidation(c *C) {
+	err := s.emptyRepo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName: "iface2",
+		BeforeConnectSlotCallback: func(slot *ConnectedSlot) error {
+			var val string
+			if err := slot.Attr("attr1", &val); err != nil {
+				return err
+			}
+			return slot.SetAttr("attr1", fmt.Sprintf("%s-validated", val))
+		},
+		BeforeConnectPlugCallback: func(plug *ConnectedPlug) error {
+			var val string
+			if err := plug.Attr("attr1", &val); err != nil {
+				return err
+			}
+			return plug.SetAttr("attr1", fmt.Sprintf("%s-validated", val))
+		},
+	})
+	c.Assert(err, IsNil)
+
+	s1 := snaptest.MockInfo(c, ifacehooksSnap1, nil)
+	c.Assert(s.emptyRepo.AddSnap(s1), IsNil)
+	s2 := snaptest.MockInfo(c, ifacehooksSnap2, nil)
+	c.Assert(s.emptyRepo.AddSnap(s2), IsNil)
+
+	plugDynAttrs := map[string]interface{}{"attr1": "val1"}
+	slotDynAttrs := map[string]interface{}{"attr1": "val1"}
+
+	policyCheck := func(plug *ConnectedPlug, slot *ConnectedSlot) (bool, error) { return true, nil }
+	conn, err := s.emptyRepo.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "consumer"}, SlotRef: SlotRef{Snap: "s2", Name: "producer"}}, nil, plugDynAttrs, nil, slotDynAttrs, policyCheck)
+	c.Assert(err, IsNil)
+	c.Assert(conn, NotNil)
+
+	c.Assert(conn.Plug, NotNil)
+	c.Assert(conn.Slot, NotNil)
+
+	c.Assert(conn.Plug.StaticAttrs(), DeepEquals, map[string]interface{}{"attr0": "val0"})
+	c.Assert(conn.Plug.DynamicAttrs(), DeepEquals, map[string]interface{}{"attr1": "val1-validated"})
+	c.Assert(conn.Slot.StaticAttrs(), DeepEquals, map[string]interface{}{"attr0": "val0"})
+	c.Assert(conn.Slot.DynamicAttrs(), DeepEquals, map[string]interface{}{"attr1": "val1-validated"})
+}
+
+func (s *RepositorySuite) TestBeforeConnectValidationFailure(c *C) {
+	err := s.emptyRepo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName: "iface2",
+		BeforeConnectSlotCallback: func(slot *ConnectedSlot) error {
+			return fmt.Errorf("invalid slot")
+		},
+		BeforeConnectPlugCallback: func(plug *ConnectedPlug) error {
+			return fmt.Errorf("invalid plug")
+		},
+	})
+	c.Assert(err, IsNil)
+
+	s1 := snaptest.MockInfo(c, ifacehooksSnap1, nil)
+	c.Assert(s.emptyRepo.AddSnap(s1), IsNil)
+	s2 := snaptest.MockInfo(c, ifacehooksSnap2, nil)
+	c.Assert(s.emptyRepo.AddSnap(s2), IsNil)
+
+	plugDynAttrs := map[string]interface{}{"attr1": "val1"}
+	slotDynAttrs := map[string]interface{}{"attr1": "val1"}
+
+	policyCheck := func(plug *ConnectedPlug, slot *ConnectedSlot) (bool, error) { return true, nil }
+
+	conn, err := s.emptyRepo.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "consumer"}, SlotRef: SlotRef{Snap: "s2", Name: "producer"}}, nil, plugDynAttrs, nil, slotDynAttrs, policyCheck)
+	c.Assert(err, NotNil)
+	c.Assert(err, ErrorMatches, `cannot connect plug "consumer" of snap "s1": invalid plug`)
+	c.Assert(conn, IsNil)
+}
+
+func (s *RepositorySuite) TestBeforeConnectValidationPolicyCheckFailure(c *C) {
+	err := s.emptyRepo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName:             "iface2",
+		BeforeConnectSlotCallback: func(slot *ConnectedSlot) error { return nil },
+		BeforeConnectPlugCallback: func(plug *ConnectedPlug) error { return nil },
+	})
+	c.Assert(err, IsNil)
+
+	s1 := snaptest.MockInfo(c, ifacehooksSnap1, nil)
+	c.Assert(s.emptyRepo.AddSnap(s1), IsNil)
+	s2 := snaptest.MockInfo(c, ifacehooksSnap2, nil)
+	c.Assert(s.emptyRepo.AddSnap(s2), IsNil)
+
+	plugDynAttrs := map[string]interface{}{"attr1": "val1"}
+	slotDynAttrs := map[string]interface{}{"attr1": "val1"}
+
+	policyCheck := func(plug *ConnectedPlug, slot *ConnectedSlot) (bool, error) {
+		return false, fmt.Errorf("policy check failed")
+	}
+
+	conn, err := s.emptyRepo.Connect(&ConnRef{PlugRef: PlugRef{Snap: "s1", Name: "consumer"}, SlotRef: SlotRef{Snap: "s2", Name: "producer"}}, nil, plugDynAttrs, nil, slotDynAttrs, policyCheck)
+	c.Assert(err, NotNil)
+	c.Assert(err, ErrorMatches, `policy check failed`)
+	c.Assert(conn, IsNil)
+}
+
+func (s *RepositorySuite) TestConnection(c *C) {
+	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
+	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
+
+	connRef := NewConnRef(s.plug, s.slot)
+
+	conn, err := s.testRepo.Connection(connRef)
+	c.Assert(err, ErrorMatches, `no connection from consumer:plug to producer:slot`)
+
+	_, err = s.testRepo.Connect(connRef, nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	conn, err = s.testRepo.Connection(connRef)
+	c.Assert(err, IsNil)
+	c.Assert(conn.Plug.Name(), Equals, "plug")
+	c.Assert(conn.Slot.Name(), Equals, "slot")
+
+	conn, err = s.testRepo.Connection(&ConnRef{PlugRef: PlugRef{Snap: "a", Name: "b"}, SlotRef: SlotRef{Snap: "producer", Name: "slot"}})
+	c.Assert(err, ErrorMatches, `snap "a" has no plug named "b"`)
+
+	conn, err = s.testRepo.Connection(&ConnRef{PlugRef: PlugRef{Snap: "consumer", Name: "plug"}, SlotRef: SlotRef{Snap: "a", Name: "b"}})
+	c.Assert(err, ErrorMatches, `snap "a" has no slot named "b"`)
+}
+
+func (s *RepositorySuite) TestConnectWithStaticAttrs(c *C) {
+	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
+	c.Assert(s.testRepo.AddSlot(s.slot), IsNil)
+
+	connRef := NewConnRef(s.plug, s.slot)
+
+	plugAttrs := map[string]interface{}{"foo": "bar"}
+	slotAttrs := map[string]interface{}{"boo": "baz"}
+	_, err := s.testRepo.Connect(connRef, plugAttrs, nil, slotAttrs, nil, nil)
+	c.Assert(err, IsNil)
+
+	conn, err := s.testRepo.Connection(connRef)
+	c.Assert(err, IsNil)
+	c.Assert(conn.Plug.Name(), Equals, "plug")
+	c.Assert(conn.Slot.Name(), Equals, "slot")
+	c.Assert(conn.Plug.StaticAttrs(), DeepEquals, plugAttrs)
+	c.Assert(conn.Slot.StaticAttrs(), DeepEquals, slotAttrs)
+}
+
+func (s *RepositorySuite) TestAllHotplugInterfaces(c *C) {
+	repo := NewRepository()
+	c.Assert(repo.AddInterface(&ifacetest.TestInterface{InterfaceName: "iface1"}), IsNil)
+	c.Assert(repo.AddInterface(&ifacetest.TestHotplugInterface{TestInterface: ifacetest.TestInterface{InterfaceName: "iface2"}}), IsNil)
+	c.Assert(repo.AddInterface(&ifacetest.TestHotplugInterface{TestInterface: ifacetest.TestInterface{InterfaceName: "iface3"}}), IsNil)
+
+	hi := repo.AllHotplugInterfaces()
+	c.Assert(hi, HasLen, 2)
+	c.Assert(hi[0].Name(), Equals, "iface2")
+	c.Assert(hi[1].Name(), Equals, "iface3")
+}
+
+func (s *RepositorySuite) TestHotplugMethods(c *C) {
+	c.Assert(s.testRepo.AddPlug(s.plug), IsNil)
+
+	coreSlot := &snap.SlotInfo{
+		Snap:       s.coreSnap,
+		Name:       "dummy-slot",
+		Interface:  "interface",
+		HotplugKey: "1234",
+	}
+	c.Assert(s.testRepo.AddSlot(coreSlot), IsNil)
+
+	slotInfo, err := s.testRepo.SlotForHotplugKey("interface", "1234")
+	c.Assert(err, IsNil)
+	c.Check(slotInfo, DeepEquals, coreSlot)
+
+	// no slot for device key 9999
+	slotInfo, err = s.testRepo.SlotForHotplugKey("interface", "9999")
+	c.Assert(err, IsNil)
+	c.Check(slotInfo, IsNil)
+
+	_, err = s.testRepo.Connect(NewConnRef(s.plug, coreSlot), nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	conns, err := s.testRepo.ConnectionsForHotplugKey("interface", "1234")
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, []*ConnRef{NewConnRef(s.plug, coreSlot)})
+
+	// no connections for device 9999
+	conns, err = s.testRepo.ConnectionsForHotplugKey("interface", "9999")
+	c.Assert(err, IsNil)
+	c.Check(conns, HasLen, 0)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/seccomp/backend.go snapd-2.37~rc1~14.04/interfaces/seccomp/backend.go
--- snapd-2.32.3.2~14.04/interfaces/seccomp/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/seccomp/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -17,19 +17,19 @@
  *
  */
 
-// Package seccomp implements integration between snappy and
-// ubuntu-core-launcher around seccomp.
+// Package seccomp implements integration between snapd and snap-confine around
+// seccomp.
 //
 // Snappy creates so-called seccomp profiles for each application (for each
-// snap) present in the system.  Upon each execution of ubuntu-core-launcher,
-// the profile is read and "compiled" to an eBPF program and injected into the
+// snap) present in the system.  Upon each execution of snap-confine, the
+// profile is read and "compiled" to an eBPF program and injected into the
 // kernel for the duration of the execution of the process.
 //
 // There is no binary cache for seccomp, each time the launcher starts an
 // application the profile is parsed and re-compiled.
 //
 // The actual profiles are stored in /var/lib/snappy/seccomp/bpf/*.{src,bin}.
-// This directory is hard-coded in ubuntu-core-launcher.
+// This directory is hard-coded in snap-confine.
 package seccomp
 
 import (
@@ -40,15 +40,24 @@
 	"path/filepath"
 	"strings"
 
+	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
-var osReadlink = os.Readlink
+var (
+	osReadlink               = os.Readlink
+	kernelFeatures           = release.SecCompActions
+	ubuntuKernelArchitecture = arch.UbuntuKernelArchitecture
+	releaseInfoId            = release.ReleaseInfo.ID
+	releaseInfoVersionId     = release.ReleaseInfo.VersionID
+	requiresSocketcall       = requiresSocketcallImpl
+)
 
 func seccompToBpfPath() string {
 	// FIXME: use cmd.InternalToolPath here once:
@@ -70,7 +79,7 @@
 	return filepath.Join(filepath.Dir(exe), "snap-seccomp")
 }
 
-// Backend is responsible for maintaining seccomp profiles for ubuntu-core-launcher.
+// Backend is responsible for maintaining seccomp profiles for snap-confine.
 type Backend struct{}
 
 // Initialize does nothing.
@@ -90,7 +99,7 @@
 // This method should be called after changing plug, slots, connections between
 // them or application present in the snap.
 func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error {
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	// Get the snippets that apply to this snap
 	spec, err := repo.SnapSpecification(b.Name(), snapName)
 	if err != nil {
@@ -140,25 +149,29 @@
 // deriveContent combines security snippets collected from all the interfaces
 // affecting a given snap into a content map applicable to EnsureDirState.
 func (b *Backend) deriveContent(spec *Specification, opts interfaces.ConfinementOptions, snapInfo *snap.Info) (content map[string]*osutil.FileState, err error) {
+	// Some base snaps and systems require the socketcall() in the default
+	// template
+	addSocketcall := requiresSocketcall(snapInfo.Base)
+
 	for _, hookInfo := range snapInfo.Hooks {
 		if content == nil {
 			content = make(map[string]*osutil.FileState)
 		}
 		securityTag := hookInfo.SecurityTag()
-		addContent(securityTag, opts, spec.SnippetForTag(securityTag), content)
+		addContent(securityTag, opts, spec.SnippetForTag(securityTag), content, addSocketcall)
 	}
 	for _, appInfo := range snapInfo.Apps {
 		if content == nil {
 			content = make(map[string]*osutil.FileState)
 		}
 		securityTag := appInfo.SecurityTag()
-		addContent(securityTag, opts, spec.SnippetForTag(securityTag), content)
+		addContent(securityTag, opts, spec.SnippetForTag(securityTag), content, addSocketcall)
 	}
 
 	return content, nil
 }
 
-func addContent(securityTag string, opts interfaces.ConfinementOptions, snippetForTag string, content map[string]*osutil.FileState) {
+func addContent(securityTag string, opts interfaces.ConfinementOptions, snippetForTag string, content map[string]*osutil.FileState, addSocketcall bool) {
 	var buffer bytes.Buffer
 	if opts.Classic && !opts.JailMode {
 		// NOTE: This is understood by snap-confine
@@ -182,6 +195,10 @@
 		buffer.WriteString(bindSyscallWorkaround)
 	}
 
+	if addSocketcall {
+		buffer.WriteString(socketcallSyscallDeprecated)
+	}
+
 	path := fmt.Sprintf("%s.src", securityTag)
 	content[path] = &osutil.FileState{
 		Content: buffer.Bytes(),
@@ -193,3 +210,85 @@
 func (b *Backend) NewSpecification() interfaces.Specification {
 	return &Specification{}
 }
+
+// SandboxFeatures returns the list of seccomp features supported by the kernel.
+func (b *Backend) SandboxFeatures() []string {
+	features := kernelFeatures()
+	tags := make([]string, 0, len(features)+1)
+	for _, feature := range features {
+		// Prepend "kernel:" to apparmor kernel features to namespace them and
+		// allow us to introduce our own tags later.
+		tags = append(tags, "kernel:"+feature)
+	}
+	tags = append(tags, "bpf-argument-filtering")
+	return tags
+}
+
+// Determine if the system requires the use of socketcall(). Factors:
+// - if the kernel architecture is amd64, armhf or arm64, do not require
+//   socketcall (unused on these architectures)
+// - if the kernel architecture is i386 or s390x
+//   - if the kernel is < 4.3, force the use of socketcall()
+//   - for backwards compatibility, if the system is Ubuntu 14.04 or lower,
+//     force use of socketcall()
+//   - for backwards compatibility, if the base snap is unspecified, "core" or
+//     "core16", then force use of socketcall()
+//   - otherwise (ie, if new enough kernel, not 14.04, and a non-16 base
+//     snap), don't force use of socketcall()
+// - if the kernel architecture is not any of the above, force the use of
+//   socketcall()
+func requiresSocketcallImpl(baseSnap string) bool {
+	switch ubuntuKernelArchitecture() {
+	case "i386", "s390x":
+		// glibc sysdeps/unix/sysv/linux/i386/kernel-features.h and
+		// sysdeps/unix/sysv/linux/s390/kernel-features.h added the
+		// individual socket syscalls in 4.3.
+		if cmp, _ := strutil.VersionCompare(osutil.KernelVersion(), "4.3"); cmp < 0 {
+			return true
+		}
+
+		// For now, on 14.04, always require socketcall()
+		if releaseInfoId == "ubuntu" {
+			if cmp, _ := strutil.VersionCompare(releaseInfoVersionId, "14.04"); cmp <= 0 {
+				return true
+			}
+		}
+
+		// Detect when the base snap requires the use of socketcall().
+		//
+		// TODO: eventually try to auto-detect this. For now, err on
+		// the side of security and only require it for base snaps
+		// where we know we want it added. Technically, core16's glibc
+		// is new enough, but it always had socketcall in the template,
+		// so ensure backwards compatibility.
+		if baseSnap == "" || baseSnap == "core" || baseSnap == "core16" {
+			return true
+		}
+
+		// If none of the above, we don't need the syscall
+		return false
+	case "powerpc":
+		// glibc's sysdeps/unix/sysv/linux/powerpc/kernel-features.h
+		// states that the individual syscalls are all available as of
+		// 2.6.37. snapd isn't expected to run on these kernels so just
+		// default to unneeded.
+		return false
+	case "sparc", "sparc64":
+		// glibc's sysdeps/unix/sysv/linux/sparc/kernel-features.h
+		// indicates that socketcall() is used and the individual
+		// syscalls are undefined.
+		return true
+	default:
+		// amd64, arm64, armhf, ppc64el, etc
+		// glibc's sysdeps/unix/sysv/linux/kernel-features.h says that
+		// __ASSUME_SOCKETCALL will be defined on archs that need it.
+		// Modern architectures do not implement the socketcall()
+		// syscall and all the older architectures except sparc (see
+		// above) have introduced the individual syscalls, so default
+		// to unneeded.
+		return false
+	}
+
+	// If we got here, something went wrong, but if the code above changes
+	// the compiler will complain about the lack of 'return'.
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/seccomp/backend_test.go snapd-2.37~rc1~14.04/interfaces/seccomp/backend_test.go
--- snapd-2.32.3.2~14.04/interfaces/seccomp/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/seccomp/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -30,6 +30,7 @@
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/ifacetest"
 	"github.com/snapcore/snapd/interfaces/seccomp"
+	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
@@ -79,7 +80,7 @@
 }
 
 func (s *backendSuite) TestInstallingSnapWritesProfiles(c *C) {
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.SambaYamlV1, 0)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 0)
 	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 	// file called "snap.sambda.smbd" was created
 	_, err := os.Stat(profile + ".src")
@@ -91,7 +92,7 @@
 }
 
 func (s *backendSuite) TestInstallingSnapWritesHookProfiles(c *C) {
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.HookYaml, 0)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.HookYaml, 0)
 	profile := filepath.Join(dirs.SnapSeccompDir, "snap.foo.hook.configure")
 
 	// Verify that profile named "snap.foo.hook.configure" was created.
@@ -117,7 +118,7 @@
 	c.Assert(err, IsNil)
 	snapSeccompOnCore := testutil.MockCommand(c, snapSeccompOnCorePath, "")
 
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.SambaYamlV1, 0)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 0)
 	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 	// file called "snap.sambda.smbd" was created
 	_, err = os.Stat(profile + ".src")
@@ -132,7 +133,7 @@
 
 func (s *backendSuite) TestRemovingSnapRemovesProfiles(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.RemoveSnap(c, snapInfo)
 		profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 		// file called "snap.sambda.smbd" was removed
@@ -143,7 +144,7 @@
 
 func (s *backendSuite) TestRemovingSnapRemovesHookProfiles(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.HookYaml, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.HookYaml, 0)
 		s.RemoveSnap(c, snapInfo)
 		profile := filepath.Join(dirs.SnapSeccompDir, "snap.foo.hook.configure")
 
@@ -155,7 +156,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithMoreApps(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1WithNmbd, 0)
 		profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.nmbd")
 		_, err := os.Stat(profile + ".src")
@@ -171,7 +172,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithHooks(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlWithHook, 0)
 		profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.hook.configure")
 
@@ -188,7 +189,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithFewerApps(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1WithNmbd, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1WithNmbd, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.nmbd")
 		// file called "snap.sambda.nmbd" was removed
@@ -200,7 +201,7 @@
 
 func (s *backendSuite) TestUpdatingSnapToOneWithNoHooks(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlWithHook, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlWithHook, 0)
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.hook.configure")
 
@@ -265,6 +266,8 @@
 	defer restore()
 	restore = release.MockSecCompActions([]string{"log"})
 	defer restore()
+	restore = seccomp.MockRequiresSocketcall(func(string) bool { return false })
+	defer restore()
 
 	// NOTE: replace the real template with a shorter variant
 	restore = seccomp.MockTemplate([]byte("default\n"))
@@ -277,7 +280,7 @@
 			return nil
 		}
 
-		snapInfo := s.InstallSnap(c, scenario.opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, scenario.opts, "", ifacetest.SambaYamlV1, 0)
 		profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 		c.Check(profile+".src", testutil.FileEquals, scenario.content)
 		stat, err := os.Stat(profile + ".src")
@@ -300,6 +303,8 @@
 func (s *backendSuite) TestCombineSnippetsOrdering(c *C) {
 	restore := release.MockForcedDevmode(false)
 	defer restore()
+	restore = seccomp.MockRequiresSocketcall(func(string) bool { return false })
+	defer restore()
 
 	// NOTE: replace the real template with a shorter variant
 	restore = seccomp.MockTemplate([]byte("default\n"))
@@ -317,7 +322,7 @@
 		return nil
 	}
 
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, snapYaml, 0)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", snapYaml, 0)
 	profile := filepath.Join(dirs.SnapSeccompDir, "snap.foo.foo")
 	c.Check(profile+".src", testutil.FileEquals, "default\naaa\nzzz\n")
 	stat, err := os.Stat(profile + ".src")
@@ -337,6 +342,30 @@
 	c.Assert(profile+".src", testutil.FileContains, "\nbind\n")
 }
 
+func (s *backendSuite) TestSocketcallIsAddedWhenRequired(c *C) {
+	restore := seccomp.MockRequiresSocketcall(func(string) bool { return true })
+	defer restore()
+
+	snapInfo := snaptest.MockInfo(c, ifacetest.SambaYamlV1, nil)
+	// NOTE: we don't call seccomp.MockTemplate()
+	err := s.Backend.Setup(snapInfo, interfaces.ConfinementOptions{}, s.Repo)
+	c.Assert(err, IsNil)
+	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
+	c.Assert(profile+".src", testutil.FileContains, "\nsocketcall\n")
+}
+
+func (s *backendSuite) TestSocketcallIsNotAddedWhenNotRequired(c *C) {
+	restore := seccomp.MockRequiresSocketcall(func(string) bool { return false })
+	defer restore()
+
+	snapInfo := snaptest.MockInfo(c, ifacetest.SambaYamlV1, nil)
+	// NOTE: we don't call seccomp.MockTemplate()
+	err := s.Backend.Setup(snapInfo, interfaces.ConfinementOptions{}, s.Repo)
+	c.Assert(err, IsNil)
+	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
+	c.Assert(profile+".src", Not(testutil.FileContains), "\nsocketcall\n")
+}
+
 const ClassicYamlV1 = `
 name: test-classic
 version: 1
@@ -350,17 +379,17 @@
 	restore := release.MockSecCompActions([]string{"allow", "errno", "kill", "log", "trace", "trap"})
 	defer restore()
 
-	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: true}, ifacetest.SambaYamlV1, 0)
+	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: true}, "", ifacetest.SambaYamlV1, 0)
 	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 	c.Assert(profile+".src", Not(testutil.FileContains), "# complain mode logging unavailable\n")
 	s.RemoveSnap(c, snapInfo)
 
-	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: false}, ifacetest.SambaYamlV1, 0)
+	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: false}, "", ifacetest.SambaYamlV1, 0)
 	profile = filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 	c.Assert(profile+".src", Not(testutil.FileContains), "# complain mode logging unavailable\n")
 	s.RemoveSnap(c, snapInfo)
 
-	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{Classic: true}, ClassicYamlV1, 0)
+	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{Classic: true}, "", ClassicYamlV1, 0)
 	profile = filepath.Join(dirs.SnapSeccompDir, "snap.test-classic.sh")
 	c.Assert(profile+".src", Not(testutil.FileContains), "# complain mode logging unavailable\n")
 	s.RemoveSnap(c, snapInfo)
@@ -370,18 +399,161 @@
 	restore := release.MockSecCompActions([]string{"allow", "errno", "kill", "trace", "trap"})
 	defer restore()
 
-	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: true}, ifacetest.SambaYamlV1, 0)
+	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: true}, "", ifacetest.SambaYamlV1, 0)
 	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 	c.Assert(profile+".src", testutil.FileContains, "# complain mode logging unavailable\n")
 	s.RemoveSnap(c, snapInfo)
 
-	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: false}, ifacetest.SambaYamlV1, 0)
+	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{DevMode: false}, "", ifacetest.SambaYamlV1, 0)
 	profile = filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
 	c.Assert(profile+".src", Not(testutil.FileContains), "# complain mode logging unavailable\n")
 	s.RemoveSnap(c, snapInfo)
 
-	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{Classic: true}, ClassicYamlV1, 0)
+	snapInfo = s.InstallSnap(c, interfaces.ConfinementOptions{Classic: true}, "", ClassicYamlV1, 0)
 	profile = filepath.Join(dirs.SnapSeccompDir, "snap.test-classic.sh")
 	c.Assert(profile+".src", Not(testutil.FileContains), "# complain mode logging unavailable\n")
 	s.RemoveSnap(c, snapInfo)
 }
+
+func (s *backendSuite) TestSandboxFeatures(c *C) {
+	restore := seccomp.MockKernelFeatures(func() []string { return []string{"foo", "bar"} })
+	defer restore()
+
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{"kernel:foo", "kernel:bar", "bpf-argument-filtering"})
+}
+
+func (s *backendSuite) TestRequiresSocketcallByNotNeededArch(c *C) {
+	testArchs := []string{"amd64", "armhf", "arm64", "powerpc", "ppc64el", "unknownDefault"}
+	for _, arch := range testArchs {
+		restore := seccomp.MockUbuntuKernelArchitecture(func() string { return arch })
+		defer restore()
+		c.Assert(seccomp.RequiresSocketcall(""), Equals, false)
+	}
+}
+
+func (s *backendSuite) TestRequiresSocketcallForceByArch(c *C) {
+	testArchs := []string{"sparc", "sparc64"}
+	for _, arch := range testArchs {
+		restore := seccomp.MockUbuntuKernelArchitecture(func() string { return arch })
+		defer restore()
+		c.Assert(seccomp.RequiresSocketcall(""), Equals, true)
+	}
+}
+
+func (s *backendSuite) TestRequiresSocketcallForcedViaUbuntuRelease(c *C) {
+	// specify "core18" with 4.4 kernel so as not to influence the release
+	// check.
+	base := "core18"
+	restore := osutil.MockKernelVersion("4.4")
+	defer restore()
+
+	tests := []struct {
+		distro          string
+		arch            string
+		release         string
+		needsSocketcall bool
+	}{
+		// with core18 as base and 4.4 kernel, we only require
+		// socketcall on i386/s390
+		{"ubuntu", "i386", "14.04", true},
+		{"ubuntu", "s390x", "14.04", true},
+		{"ubuntu", "other", "14.04", false},
+
+		// releases after 14.04 aren't forced
+		{"ubuntu", "i386", "other", false},
+		{"ubuntu", "s390x", "other", false},
+		{"ubuntu", "other", "other", false},
+
+		// other distros aren't forced
+		{"other", "i386", "14.04", false},
+		{"other", "s390x", "14.04", false},
+		{"other", "other", "14.04", false},
+		{"other", "i386", "other", false},
+		{"other", "s390x", "other", false},
+		{"other", "other", "other", false},
+	}
+
+	for _, t := range tests {
+		restore = seccomp.MockReleaseInfoId(t.distro)
+		defer restore()
+		restore = seccomp.MockUbuntuKernelArchitecture(func() string { return t.arch })
+		defer restore()
+		restore = seccomp.MockReleaseInfoVersionId(t.release)
+		defer restore()
+
+		c.Assert(seccomp.RequiresSocketcall(base), Equals, t.needsSocketcall)
+	}
+}
+
+func (s *backendSuite) TestRequiresSocketcallForcedViaKernelVersion(c *C) {
+	// specify "core18" with non-ubuntu so as not to influence the kernel
+	// check.
+	base := "core18"
+
+	restore := seccomp.MockReleaseInfoId("other")
+	defer restore()
+
+	tests := []struct {
+		arch            string
+		version         string
+		needsSocketcall bool
+	}{
+		// i386 needs socketcall on <= 4.2 kernels
+		{"i386", "4.2", true},
+		{"i386", "4.3", false},
+		{"i386", "4.4", false},
+
+		// s390x needs socketcall on <= 4.2 kernels
+		{"s390x", "4.2", true},
+		{"s390x", "4.3", false},
+		{"s390x", "4.4", false},
+
+		// other architectures don't require it
+		{"other", "4.2", false},
+		{"other", "4.3", false},
+		{"other", "4.4", false},
+	}
+
+	for _, t := range tests {
+		restore := seccomp.MockUbuntuKernelArchitecture(func() string { return t.arch })
+		defer restore()
+		restore = osutil.MockKernelVersion(t.version)
+		defer restore()
+
+		// specify "core18" here so as not to influence the
+		// kernel check.
+		c.Assert(seccomp.RequiresSocketcall(base), Equals, t.needsSocketcall)
+	}
+}
+
+func (s *backendSuite) TestRequiresSocketcallForcedViaBaseSnap(c *C) {
+	// Mock up as non-Ubuntu, i386 with new enough kernel so the base snap
+	// check is reached
+	restore := seccomp.MockReleaseInfoId("other")
+	defer restore()
+	restore = seccomp.MockUbuntuKernelArchitecture(func() string { return "i386" })
+	defer restore()
+	restore = osutil.MockKernelVersion("4.3")
+	defer restore()
+
+	testBases := []string{"", "core", "core16"}
+	for _, baseSnap := range testBases {
+		c.Assert(seccomp.RequiresSocketcall(baseSnap), Equals, true)
+	}
+}
+
+func (s *backendSuite) TestRequiresSocketcallNotForcedViaBaseSnap(c *C) {
+	// Mock up as non-Ubuntu, i386 with new enough kernel so the base snap
+	// check is reached
+	restore := seccomp.MockReleaseInfoId("other")
+	defer restore()
+	restore = seccomp.MockUbuntuKernelArchitecture(func() string { return "i386" })
+	defer restore()
+	restore = osutil.MockKernelVersion("4.3")
+	defer restore()
+
+	testBases := []string{"bare", "core18", "fedora-core"}
+	for _, baseSnap := range testBases {
+		c.Assert(seccomp.RequiresSocketcall(baseSnap), Equals, false)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/seccomp/export_test.go snapd-2.37~rc1~14.04/interfaces/seccomp/export_test.go
--- snapd-2.32.3.2~14.04/interfaces/seccomp/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/seccomp/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -36,3 +36,47 @@
 		osReadlink = realOsReadlink
 	}
 }
+
+func MockKernelFeatures(f func() []string) (resture func()) {
+	old := kernelFeatures
+	kernelFeatures = f
+	return func() {
+		kernelFeatures = old
+	}
+}
+
+func MockRequiresSocketcall(f func(string) bool) (restore func()) {
+	old := requiresSocketcall
+	requiresSocketcall = f
+	return func() {
+		requiresSocketcall = old
+	}
+}
+
+func MockUbuntuKernelArchitecture(f func() string) (restore func()) {
+	old := ubuntuKernelArchitecture
+	ubuntuKernelArchitecture = f
+	return func() {
+		ubuntuKernelArchitecture = old
+	}
+}
+
+func MockReleaseInfoId(s string) (restore func()) {
+	old := releaseInfoId
+	releaseInfoId = s
+	return func() {
+		releaseInfoId = old
+	}
+}
+
+func MockReleaseInfoVersionId(s string) (restore func()) {
+	old := releaseInfoVersionId
+	releaseInfoVersionId = s
+	return func() {
+		releaseInfoVersionId = old
+	}
+}
+
+var (
+	RequiresSocketcall = requiresSocketcall
+)
diff -Nru snapd-2.32.3.2~14.04/interfaces/seccomp/spec_test.go snapd-2.37~rc1~14.04/interfaces/seccomp/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/seccomp/spec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/seccomp/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -83,8 +83,8 @@
 
 func (s *specSuite) SetUpTest(c *C) {
 	s.spec = &seccomp.Specification{}
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 // The spec.Specification can be used through the interfaces.Specification interface
diff -Nru snapd-2.32.3.2~14.04/interfaces/seccomp/template.go snapd-2.37~rc1~14.04/interfaces/seccomp/template.go
--- snapd-2.32.3.2~14.04/interfaces/seccomp/template.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/seccomp/template.go	2019-01-16 08:36:51.000000000 +0000
@@ -483,6 +483,7 @@
 oldfstat
 oldlstat
 oldstat
+statx
 
 statfs
 statfs64
@@ -550,11 +551,6 @@
 pwrite
 pwrite64
 pwritev
-
-# FIXME: remove this after LP: #1446748 is implemented
-# This is an older interface and single entry point that can be used instead
-# of socket(), bind(), connect(), etc individually.
-socketcall
 `)
 
 // Go's net package attempts to bind early to check whether IPv6 is available or not.
@@ -571,3 +567,12 @@
 # LP #1644573
 bind
 `
+
+// socketcall is an older interface and single entry point that can be used
+// instead of socket(), bind(), connect(), etc individually. It isn't needed
+// by most architectures with new enough kernels and glibc, so we leave it out
+// of the default policy and add only when needed.
+const socketcallSyscallDeprecated = `
+# Add socketcall() for system and/or base that requires it. LP: #1446748
+socketcall
+`
diff -Nru snapd-2.32.3.2~14.04/interfaces/sorting.go snapd-2.37~rc1~14.04/interfaces/sorting.go
--- snapd-2.32.3.2~14.04/interfaces/sorting.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/sorting.go	2019-01-16 08:36:51.000000000 +0000
@@ -42,35 +42,16 @@
 	return c[i].SlotRef.Name < c[j].SlotRef.Name
 }
 
-type bySlotRef []SlotRef
-
-func (c bySlotRef) Len() int      { return len(c) }
-func (c bySlotRef) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
-func (c bySlotRef) Less(i, j int) bool {
-	if c[i].Snap != c[j].Snap {
-		return c[i].Snap < c[j].Snap
-	}
-	return c[i].Name < c[j].Name
-}
-
-type byPlugRef []PlugRef
-
-func (c byPlugRef) Len() int      { return len(c) }
-func (c byPlugRef) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
-func (c byPlugRef) Less(i, j int) bool {
-	if c[i].Snap != c[j].Snap {
-		return c[i].Snap < c[j].Snap
-	}
-	return c[i].Name < c[j].Name
-}
-
 type byPlugSnapAndName []*snap.PlugInfo
 
 func (c byPlugSnapAndName) Len() int      { return len(c) }
 func (c byPlugSnapAndName) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
 func (c byPlugSnapAndName) Less(i, j int) bool {
-	if c[i].Snap.Name() != c[j].Snap.Name() {
-		return c[i].Snap.Name() < c[j].Snap.Name()
+	if c[i].Snap.SnapName() != c[j].Snap.SnapName() {
+		return c[i].Snap.SnapName() < c[j].Snap.SnapName()
+	}
+	if c[i].Snap.InstanceKey != c[j].Snap.InstanceKey {
+		return c[i].Snap.InstanceKey < c[j].Snap.InstanceKey
 	}
 	return c[i].Name < c[j].Name
 }
@@ -80,20 +61,15 @@
 func (c bySlotSnapAndName) Len() int      { return len(c) }
 func (c bySlotSnapAndName) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
 func (c bySlotSnapAndName) Less(i, j int) bool {
-	if c[i].Snap.Name() != c[j].Snap.Name() {
-		return c[i].Snap.Name() < c[j].Snap.Name()
+	if c[i].Snap.SnapName() != c[j].Snap.SnapName() {
+		return c[i].Snap.SnapName() < c[j].Snap.SnapName()
+	}
+	if c[i].Snap.InstanceKey != c[j].Snap.InstanceKey {
+		return c[i].Snap.InstanceKey < c[j].Snap.InstanceKey
 	}
 	return c[i].Name < c[j].Name
 }
 
-type byBackendName []SecurityBackend
-
-func (c byBackendName) Len() int      { return len(c) }
-func (c byBackendName) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
-func (c byBackendName) Less(i, j int) bool {
-	return c[i].Name() < c[j].Name()
-}
-
 func sortedSnapNamesWithPlugs(m map[string]map[string]*snap.PlugInfo) []string {
 	keys := make([]string, 0, len(m))
 	for key := range m {
@@ -137,25 +113,3 @@
 func (c byInterfaceName) Less(i, j int) bool {
 	return c[i].Name() < c[j].Name()
 }
-
-type byPlugInfo []*snap.PlugInfo
-
-func (c byPlugInfo) Len() int      { return len(c) }
-func (c byPlugInfo) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
-func (c byPlugInfo) Less(i, j int) bool {
-	if c[i].Snap.Name() != c[j].Snap.Name() {
-		return c[i].Snap.Name() < c[j].Snap.Name()
-	}
-	return c[i].Name < c[j].Name
-}
-
-type bySlotInfo []*snap.SlotInfo
-
-func (c bySlotInfo) Len() int      { return len(c) }
-func (c bySlotInfo) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
-func (c bySlotInfo) Less(i, j int) bool {
-	if c[i].Snap.Name() != c[j].Snap.Name() {
-		return c[i].Snap.Name() < c[j].Snap.Name()
-	}
-	return c[i].Name < c[j].Name
-}
diff -Nru snapd-2.32.3.2~14.04/interfaces/sorting_test.go snapd-2.37~rc1~14.04/interfaces/sorting_test.go
--- snapd-2.32.3.2~14.04/interfaces/sorting_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/sorting_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,7 +26,6 @@
 
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/ifacetest"
-	"github.com/snapcore/snapd/snap"
 )
 
 type SortingSuite struct{}
@@ -37,82 +36,6 @@
 	return &interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: plugSnap, Name: plug}, SlotRef: interfaces.SlotRef{Snap: slotSnap, Name: slot}}
 }
 
-func (s *SortingSuite) TestSortBySlotRef(c *C) {
-	list := []interfaces.SlotRef{
-		{
-			Snap: "snap-2",
-			Name: "name-2",
-		},
-		{
-			Snap: "snap-1",
-			Name: "name-2",
-		},
-		{
-			Snap: "snap-1",
-			Name: "name-1",
-		},
-	}
-	sort.Sort(interfaces.BySlotRef(list))
-	c.Assert(list, DeepEquals, []interfaces.SlotRef{
-		{
-			Snap: "snap-1",
-			Name: "name-1",
-		},
-		{
-			Snap: "snap-1",
-			Name: "name-2",
-		},
-		{
-			Snap: "snap-2",
-			Name: "name-2",
-		},
-	})
-}
-
-func (s *SortingSuite) TestSortByPlugRef(c *C) {
-	list := []interfaces.PlugRef{
-		{
-			Snap: "snap-2",
-			Name: "name-2",
-		},
-		{
-			Snap: "snap-1",
-			Name: "name-2",
-		},
-		{
-			Snap: "snap-1",
-			Name: "name-1",
-		},
-	}
-	sort.Sort(interfaces.ByPlugRef(list))
-	c.Assert(list, DeepEquals, []interfaces.PlugRef{
-		{
-			Snap: "snap-1",
-			Name: "name-1",
-		},
-		{
-			Snap: "snap-1",
-			Name: "name-2",
-		},
-		{
-			Snap: "snap-2",
-			Name: "name-2",
-		},
-	})
-}
-
-func (s *SortingSuite) TestByBackendName(c *C) {
-	list := []interfaces.SecurityBackend{
-		&ifacetest.TestSecurityBackend{BackendName: "backend-2"},
-		&ifacetest.TestSecurityBackend{BackendName: "backend-1"},
-	}
-	sort.Sort(interfaces.ByBackendName(list))
-	c.Assert(list, DeepEquals, []interfaces.SecurityBackend{
-		&ifacetest.TestSecurityBackend{BackendName: "backend-1"},
-		&ifacetest.TestSecurityBackend{BackendName: "backend-2"},
-	})
-}
-
 func (s *SortingSuite) TestByInterfaceName(c *C) {
 	list := []interfaces.Interface{
 		&ifacetest.TestInterface{InterfaceName: "iface-2"},
@@ -125,38 +48,6 @@
 	})
 }
 
-func (s *SortingSuite) TestByPlugInfo(c *C) {
-	list := []*snap.PlugInfo{
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-2"},
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-1"},
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-2"},
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-1"},
-	}
-	sort.Sort(interfaces.ByPlugInfo(list))
-	c.Assert(list, DeepEquals, []*snap.PlugInfo{
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-1"},
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-2"},
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-1"},
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-2"},
-	})
-}
-
-func (s *SortingSuite) TestBySlotInfo(c *C) {
-	list := []*snap.SlotInfo{
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-2"},
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-1"},
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-2"},
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-1"},
-	}
-	sort.Sort(interfaces.BySlotInfo(list))
-	c.Assert(list, DeepEquals, []*snap.SlotInfo{
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-1"},
-		{Snap: &snap.Info{SuggestedName: "name-1"}, Name: "plug-2"},
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-1"},
-		{Snap: &snap.Info{SuggestedName: "name-2"}, Name: "plug-2"},
-	})
-}
-
 func (s *SortingSuite) TestByConnRef(c *C) {
 	list := []*interfaces.ConnRef{
 		newConnRef("name-1", "plug-3", "name-2", "slot-1"),
@@ -164,6 +55,8 @@
 		newConnRef("name-1", "plug-2", "name-2", "slot-2"),
 		newConnRef("name-1", "plug-1", "name-2", "slot-4"),
 		newConnRef("name-1", "plug-1", "name-2", "slot-1"),
+		newConnRef("name-1", "plug-1", "name-2_instance", "slot-1"),
+		newConnRef("name-1_instance", "plug-1", "name-2", "slot-1"),
 	}
 	sort.Sort(interfaces.ByConnRef(list))
 
@@ -171,7 +64,9 @@
 		newConnRef("name-1", "plug-1", "name-2", "slot-1"),
 		newConnRef("name-1", "plug-1", "name-2", "slot-3"),
 		newConnRef("name-1", "plug-1", "name-2", "slot-4"),
+		newConnRef("name-1", "plug-1", "name-2_instance", "slot-1"),
 		newConnRef("name-1", "plug-2", "name-2", "slot-2"),
 		newConnRef("name-1", "plug-3", "name-2", "slot-1"),
+		newConnRef("name-1_instance", "plug-1", "name-2", "slot-1"),
 	})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/systemd/backend.go snapd-2.37~rc1~14.04/interfaces/systemd/backend.go
--- snapd-2.32.3.2~14.04/interfaces/systemd/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/systemd/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -54,7 +54,7 @@
 // them or application present in the snap.
 func (b *Backend) Setup(snapInfo *snap.Info, confinement interfaces.ConfinementOptions, repo *interfaces.Repository) error {
 	// Record all the extra systemd services for this snap.
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	// Get the services that apply to this snap
 	spec, err := repo.SnapSpecification(b.Name(), snapName)
 	if err != nil {
@@ -126,6 +126,11 @@
 	return &Specification{}
 }
 
+// SandboxFeatures returns nil
+func (b *Backend) SandboxFeatures() []string {
+	return nil
+}
+
 // deriveContent computes .service files based on requests made to the specification.
 func deriveContent(spec *Specification, snapInfo *snap.Info) map[string]*osutil.FileState {
 	services := spec.Services()
diff -Nru snapd-2.32.3.2~14.04/interfaces/systemd/backend_test.go snapd-2.37~rc1~14.04/interfaces/systemd/backend_test.go
--- snapd-2.32.3.2~14.04/interfaces/systemd/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/systemd/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -84,7 +84,7 @@
 	s.Iface.SystemdPermanentSlotCallback = func(spec *systemd.Specification, slot *snap.SlotInfo) error {
 		return spec.AddService("snap.samba.interface.foo.service", &systemd.Service{ExecStart: "/bin/true"})
 	}
-	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.SambaYamlV1, 1)
+	s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
 	service := filepath.Join(dirs.SnapServicesDir, "snap.samba.interface.foo.service")
 	// the service file was created
 	_, err := os.Stat(service)
@@ -104,7 +104,7 @@
 		return spec.AddService("snap.samba.interface.foo.service", &systemd.Service{ExecStart: "/bin/true"})
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 1)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 1)
 		s.systemctlArgs = nil
 		s.RemoveSnap(c, snapInfo)
 		service := filepath.Join(dirs.SnapServicesDir, "snap.samba.interface.foo.service")
@@ -129,7 +129,7 @@
 		}
 		return spec.AddService("snap.samba.interface.bar.service", &systemd.Service{ExecStart: "/bin/false"})
 	}
-	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.SambaYamlV1, 1)
+	snapInfo := s.InstallSnap(c, interfaces.ConfinementOptions{}, "", ifacetest.SambaYamlV1, 1)
 	s.systemctlArgs = nil
 	serviceFoo := filepath.Join(dirs.SnapServicesDir, "snap.samba.interface.foo.service")
 	serviceBar := filepath.Join(dirs.SnapServicesDir, "snap.samba.interface.bar.service")
@@ -153,3 +153,7 @@
 		{"systemctl", "daemon-reload"},
 	})
 }
+
+func (s *backendSuite) TestSandboxFeatures(c *C) {
+	c.Assert(s.Backend.SandboxFeatures(), IsNil)
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/system_key.go snapd-2.37~rc1~14.04/interfaces/system_key.go
--- snapd-2.32.3.2~14.04/interfaces/system_key.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/system_key.go	2019-01-16 08:36:51.000000000 +0000
@@ -64,25 +64,36 @@
 	// kernel version or similar settings. If those change we may
 	// need to change the generated profiles (e.g. when the user
 	// boots into a more featureful seccomp).
-	AppArmorFeatures []string `json:"apparmor-features"`
-	NFSHome          bool     `json:"nfs-home"`
-	OverlayRoot      string   `json:"overlay-root"`
-	SecCompActions   []string `json:"seccomp-features"`
+	AppArmorFeatures       []string `json:"apparmor-features"`
+	AppArmorParserMtime    int64    `json:"apparmor-parser-mtime"`
+	AppArmorParserFeatures []string `json:"apparmor-parser-features"`
+	NFSHome                bool     `json:"nfs-home"`
+	OverlayRoot            string   `json:"overlay-root"`
+	SecCompActions         []string `json:"seccomp-features"`
 }
 
-var mockedSystemKey *systemKey
+var (
+	isHomeUsingNFS  = osutil.IsHomeUsingNFS
+	mockedSystemKey *systemKey
+	osReadlink      = os.Readlink
+)
 
 func findSnapdPath() (string, error) {
 	snapdPath := filepath.Join(dirs.DistroLibExecDir, "snapd")
 
 	// find the right snapdPath by looking if we are re-execing or not
-	exe, err := os.Readlink("/proc/self/exe")
+	exe, err := osReadlink("/proc/self/exe")
 	if err != nil {
 		return "", err
 	}
 
 	if strings.HasPrefix(exe, dirs.SnapMountDir) {
-		return filepath.Join(dirs.SnapMountDir, "core/current/usr/lib/snapd/snapd"), nil
+		// reexecd' snapd may be coming from either 'core' or 'snapd'
+		// snaps, find the local prefix to the snap:
+		// /snap/snapd/123/usr/bin/snap       -> /snap/snapd/123
+		// /snap/core/234/usr/lib/snapd/snapd -> /snap/core/234
+		prefix := strings.Split(exe, "/usr/")[0]
+		return filepath.Join(prefix, "/usr/lib/snapd/snapd"), nil
 	}
 	return snapdPath, nil
 }
@@ -107,12 +118,15 @@
 	sk.BuildID = buildID
 
 	// Add apparmor-features (which is already sorted)
-	sk.AppArmorFeatures = release.AppArmorFeatures()
+	sk.AppArmorFeatures, _ = release.AppArmorKernelFeatures()
+
+	// Add apparmor-parser-mtime
+	sk.AppArmorParserMtime = release.AppArmorParserMtime()
 
 	// Add if home is using NFS, if so we need to have a different
 	// security profile and if this changes we need to change our
 	// profile.
-	sk.NFSHome, err = osutil.IsHomeUsingNFS()
+	sk.NFSHome, err = isHomeUsingNFS()
 	if err != nil {
 		// just log the error here
 		logger.Noticef("cannot determine nfs usage in generateSystemKey: %v", err)
@@ -140,6 +154,12 @@
 	if err != nil {
 		return err
 	}
+
+	// We only want to calculate this when the mtime of the parser changes.
+	// Since we calculate the mtime() as part of generateSystemKey, we can
+	// simply unconditionally write this out here.
+	sk.AppArmorParserFeatures, _ = release.AppArmorParserFeatures()
+
 	sks, err := json.Marshal(sk)
 	if err != nil {
 		return err
@@ -172,6 +192,12 @@
 //    network-manager this is of course catastrophic.
 // To prevent this, in step(4) we have this wait-for-snapd
 // step to ensure the expected profiles are on disk.
+//
+// The apparmor-parser-features system-key is handled specially
+// and not included in this comparison because it is written out
+// to disk whenever apparmor-parser-mtime changes (in this manner
+// snap run only has to obtain the mtime of apparmor_parser and
+// doesn't have to invoke it)
 func SystemKeyMismatch() (bool, error) {
 	mySystemKey, err := generateSystemKey()
 	if err != nil {
@@ -209,6 +235,13 @@
 		}
 	}
 
+	// since we always write out apparmor-parser-feature when
+	// apparmor-parser-mtime changes, we don't need to compare it here
+	// (allowing snap run to only need to check the mtime of the parser)
+	// so just set both to nil to make the DeepEqual happy
+	diskSystemKey.AppArmorParserFeatures = nil
+	mySystemKey.AppArmorParserFeatures = nil
+
 	// TODO: write custom struct compare
 	return !reflect.DeepEqual(mySystemKey, &diskSystemKey), nil
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/system_key_test.go snapd-2.37~rc1~14.04/interfaces/system_key_test.go
--- snapd-2.32.3.2~14.04/interfaces/system_key_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/system_key_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -41,7 +41,6 @@
 	tmp              string
 	apparmorFeatures string
 	buildID          string
-	restorers        []func()
 }
 
 var _ = Suite(&systemKeySuite{})
@@ -63,19 +62,14 @@
 	c.Assert(err, IsNil)
 	s.buildID = id
 
-	s.restorers = []func(){
-		osutil.MockMountInfo(""), osutil.MockEtcFstab(""),
-		release.MockSecCompActions([]string{"allow", "errno", "kill", "log", "trace", "trap"}),
-	}
+	s.AddCleanup(interfaces.MockIsHomeUsingNFS(func() (bool, error) { return false, nil }))
+	s.AddCleanup(release.MockSecCompActions([]string{"allow", "errno", "kill", "log", "trace", "trap"}))
 }
 
 func (s *systemKeySuite) TearDownTest(c *C) {
 	s.BaseTest.TearDownTest(c)
 
 	dirs.SetRootDir("/")
-	for _, fn := range s.restorers {
-		fn()
-	}
 }
 
 func (s *systemKeySuite) TestInterfaceWriteSystemKey(c *C) {
@@ -85,7 +79,16 @@
 	systemKey, err := ioutil.ReadFile(dirs.SnapSystemKeyFile)
 	c.Assert(err, IsNil)
 
-	apparmorFeaturesStr, err := json.Marshal(release.AppArmorFeatures())
+	kernelFeatures, _ := release.AppArmorKernelFeatures()
+
+	apparmorFeaturesStr, err := json.Marshal(kernelFeatures)
+	c.Assert(err, IsNil)
+
+	apparmorParserMtime, err := json.Marshal(release.AppArmorParserMtime())
+	c.Assert(err, IsNil)
+
+	parserFeatures, _ := release.AppArmorParserFeatures()
+	apparmorParserFeaturesStr, err := json.Marshal(parserFeatures)
 	c.Assert(err, IsNil)
 
 	seccompActionsStr, err := json.Marshal(release.SecCompActions())
@@ -99,7 +102,7 @@
 
 	overlayRoot, err := osutil.IsRootWritableOverlay()
 	c.Assert(err, IsNil)
-	c.Check(string(systemKey), Equals, fmt.Sprintf(`{"version":1,"build-id":"%s","apparmor-features":%s,"nfs-home":%v,"overlay-root":%q,"seccomp-features":%s}`, buildID, apparmorFeaturesStr, nfsHome, overlayRoot, seccompActionsStr))
+	c.Check(string(systemKey), Equals, fmt.Sprintf(`{"version":1,"build-id":"%s","apparmor-features":%s,"apparmor-parser-mtime":%s,"apparmor-parser-features":%s,"nfs-home":%v,"overlay-root":%q,"seccomp-features":%s}`, buildID, apparmorFeaturesStr, apparmorParserMtime, apparmorParserFeaturesStr, nfsHome, overlayRoot, seccompActionsStr))
 }
 
 func (s *systemKeySuite) TestInterfaceSystemKeyMismatchHappy(c *C) {
@@ -126,7 +129,39 @@
 	s.AddCleanup(interfaces.MockSystemKey(`
 {
 "build-id": "7a94e9736c091b3984bd63f5aebfc883c4d859e0",
-"apparmor_features": ["caps", "dbus", "more", "and", "more"]
+"apparmor-features": ["caps", "dbus", "more", "and", "more"]
+}
+`))
+	mismatch, err = interfaces.SystemKeyMismatch()
+	c.Assert(err, IsNil)
+	c.Check(mismatch, Equals, true)
+}
+
+func (s *systemKeySuite) TestInterfaceSystemKeyMismatchParserMtimeHappy(c *C) {
+	s.AddCleanup(interfaces.MockSystemKey(`
+{
+"build-id": "7a94e9736c091b3984bd63f5aebfc883c4d859e0",
+"apparmor-parser-mtime": 1234
+}
+`))
+
+	// no system-key yet -> Error
+	c.Assert(osutil.FileExists(dirs.SnapSystemKeyFile), Equals, false)
+	_, err := interfaces.SystemKeyMismatch()
+	c.Assert(err, Equals, interfaces.ErrSystemKeyMissing)
+
+	// create a system-key -> no mismatch anymore
+	err = interfaces.WriteSystemKey()
+	c.Assert(err, IsNil)
+	mismatch, err := interfaces.SystemKeyMismatch()
+	c.Assert(err, IsNil)
+	c.Check(mismatch, Equals, false)
+
+	// change our system-key to have a different parser mtime
+	s.AddCleanup(interfaces.MockSystemKey(`
+{
+"build-id": "7a94e9736c091b3984bd63f5aebfc883c4d859e0",
+"apparmor-parser-mtime": 5678
 }
 `))
 	mismatch, err = interfaces.SystemKeyMismatch()
@@ -153,3 +188,27 @@
 	_, err = interfaces.SystemKeyMismatch()
 	c.Assert(err, Equals, interfaces.ErrSystemKeyVersion)
 }
+
+func (s *systemKeySuite) TestInterfaceSystemKeyFindSnapdPathNormal(c *C) {
+	p, err := interfaces.FindSnapdPath()
+	c.Assert(err, IsNil)
+	c.Check(p, Equals, filepath.Join(dirs.DistroLibExecDir, "snapd"))
+}
+
+func (s *systemKeySuite) TestInterfaceSystemKeyFindSnapdPathReexec(c *C) {
+	s.AddCleanup(interfaces.MockOsReadlink(func(string) (string, error) {
+		return filepath.Join(dirs.SnapMountDir, "core/111/usr/bin/snap"), nil
+	}))
+	p, err := interfaces.FindSnapdPath()
+	c.Assert(err, IsNil)
+	c.Check(p, Equals, filepath.Join(dirs.SnapMountDir, "/core/111/usr/lib/snapd/snapd"))
+}
+
+func (s *systemKeySuite) TestInterfaceSystemKeyFindSnapdPathSnapdSnap(c *C) {
+	s.AddCleanup(interfaces.MockOsReadlink(func(string) (string, error) {
+		return filepath.Join(dirs.SnapMountDir, "snapd/22/usr/bin/snap"), nil
+	}))
+	p, err := interfaces.FindSnapdPath()
+	c.Assert(err, IsNil)
+	c.Check(p, Equals, filepath.Join(dirs.SnapMountDir, "/snapd/22/usr/lib/snapd/snapd"))
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/udev/backend.go snapd-2.37~rc1~14.04/interfaces/udev/backend.go
--- snapd-2.32.3.2~14.04/interfaces/udev/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/udev/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -63,19 +63,20 @@
 //
 // If the method fails it should be re-tried (with a sensible strategy) by the caller.
 func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error {
-	snapName := snapInfo.Name()
+	snapName := snapInfo.InstanceName()
 	spec, err := repo.SnapSpecification(b.Name(), snapName)
 	if err != nil {
 		return fmt.Errorf("cannot obtain udev specification for snap %q: %s", snapName, err)
 	}
 	content := b.deriveContent(spec.(*Specification), snapInfo)
+	subsystemTriggers := spec.(*Specification).TriggeredSubsystems()
 
 	dir := dirs.SnapUdevRulesDir
 	if err := os.MkdirAll(dir, 0755); err != nil {
 		return fmt.Errorf("cannot create directory for udev rules %q: %s", dir, err)
 	}
 
-	rulesFilePath := snapRulesFilePath(snapInfo.Name())
+	rulesFilePath := snapRulesFilePath(snapInfo.InstanceName())
 
 	if len(content) == 0 {
 		// Make sure that the rules file gets removed when we don't have any
@@ -84,7 +85,10 @@
 		if err != nil && !os.IsNotExist(err) {
 			return err
 		} else if err == nil {
-			return ReloadRules()
+			// FIXME: somehow detect the interfaces that were
+			// disconnected and set subsystemTriggers appropriately.
+			// ATM, it is always going to be empty on disconnect.
+			return ReloadRules(subsystemTriggers)
 		}
 		return nil
 	}
@@ -118,7 +122,10 @@
 		return err
 	}
 
-	return ReloadRules()
+	// FIXME: somehow detect the interfaces that were disconnected and set
+	// subsystemTriggers appropriately. ATM, it is always going to be empty
+	// on disconnect.
+	return ReloadRules(subsystemTriggers)
 }
 
 // Remove removes udev rules specific to a given snap.
@@ -136,7 +143,11 @@
 	} else if err != nil {
 		return err
 	}
-	return ReloadRules()
+
+	// FIXME: somehow detect the interfaces that were disconnected and set
+	// subsystemTriggers appropriately. ATM, it is always going to be empty
+	// on disconnect.
+	return ReloadRules(nil)
 }
 
 func (b *Backend) deriveContent(spec *Specification, snapInfo *snap.Info) (content []string) {
@@ -150,3 +161,11 @@
 func (b *Backend) NewSpecification() interfaces.Specification {
 	return &Specification{}
 }
+
+// SandboxFeatures returns the list of features supported by snapd for mediating access to kernel devices.
+func (b *Backend) SandboxFeatures() []string {
+	return []string{
+		"device-cgroup-v1", /* Snapd creates a device group (v1) for each snap */
+		"tagging",          /* Tagging dynamically associates new devices with specific snaps */
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/udev/backend_test.go snapd-2.37~rc1~14.04/interfaces/udev/backend_test.go
--- snapd-2.32.3.2~14.04/interfaces/udev/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/udev/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -90,7 +90,7 @@
 	}
 	for _, opts := range testedConfinementOpts {
 		s.udevadmCmd.ForgetCalls()
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
 		// file called "70-snap.sambda.rules" was created
 		_, err := os.Stat(fname)
@@ -98,7 +98,11 @@
 		// udevadm was used to reload rules and re-run triggers
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -116,7 +120,7 @@
 	}
 	for _, opts := range testedConfinementOpts {
 		s.udevadmCmd.ForgetCalls()
-		snapInfo := s.InstallSnap(c, opts, ifacetest.HookYaml, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.HookYaml, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.foo.rules")
 
 		// Verify that "70-snap.foo.rules" was created.
@@ -126,7 +130,11 @@
 		// Verify that udevadm was used to reload rules and re-run triggers.
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -139,7 +147,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.udevadmCmd.ForgetCalls()
 		err := s.Backend.Setup(snapInfo, opts, s.Repo)
 		c.Assert(err, IsNil)
@@ -156,7 +164,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.udevadmCmd.ForgetCalls()
 		s.RemoveSnap(c, snapInfo)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
@@ -166,7 +174,11 @@
 		// udevadm was used to reload rules and re-run triggers
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 	}
 }
@@ -178,7 +190,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.udevadmCmd.ForgetCalls()
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1WithNmbd, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
@@ -188,7 +200,11 @@
 		// udevadm was used to reload rules and re-run triggers
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -205,7 +221,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.udevadmCmd.ForgetCalls()
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlWithHook, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
@@ -217,7 +233,11 @@
 		// Verify that udevadm was used to reload rules and re-run triggers
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -230,7 +250,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1WithNmbd, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1WithNmbd, 0)
 		s.udevadmCmd.ForgetCalls()
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
@@ -240,7 +260,11 @@
 		// udevadm was used to reload rules and re-run triggers
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -257,7 +281,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlWithHook, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlWithHook, 0)
 		s.udevadmCmd.ForgetCalls()
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
@@ -267,7 +291,11 @@
 		// Verify that udevadm was used to reload rules and re-run triggers
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -280,7 +308,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
 		if opts.DevMode || opts.Classic {
 			c.Check(fname, testutil.FileEquals, "# This file is automatically generated.\n# udev tagging/device cgroups disabled with non-strict mode snaps\n#dummy\n")
@@ -301,7 +329,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
 		if opts.DevMode || opts.Classic {
 			c.Check(fname, testutil.FileEquals, "# This file is automatically generated.\n# udev tagging/device cgroups disabled with non-strict mode snaps\n#dummy1\n#dummy2\n")
@@ -321,7 +349,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.PlugNoAppsYaml, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.PlugNoAppsYaml, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.foo.rules")
 		if opts.DevMode || opts.Classic {
 			c.Check(fname, testutil.FileEquals, "# This file is automatically generated.\n# udev tagging/device cgroups disabled with non-strict mode snaps\n#dummy\n")
@@ -342,7 +370,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SlotNoAppsYaml, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SlotNoAppsYaml, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.foo.rules")
 		if opts.DevMode || opts.Classic {
 			c.Check(fname, testutil.FileEquals, "# This file is automatically generated.\n# udev tagging/device cgroups disabled with non-strict mode snaps\n#dummy\n")
@@ -358,7 +386,7 @@
 
 func (s *backendSuite) TestCombineSnippetsWithoutAnySnippets(c *C) {
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
 		_, err := os.Stat(fname)
 		// Without any snippets, there the .rules file is not created.
@@ -374,7 +402,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
 		s.udevadmCmd.ForgetCalls()
 		snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1NoSlot, 0)
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
@@ -384,7 +412,11 @@
 		// Verify that udevadm was used to reload rules and re-run triggers
 		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
 			{"udevadm", "control", "--reload-rules"},
-			{"udevadm", "trigger"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			// FIXME: temporary until spec.TriggerSubsystem() can
+			// be called during disconnect
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
 		})
 		s.RemoveSnap(c, snapInfo)
 	}
@@ -397,7 +429,7 @@
 		return nil
 	}
 	for _, opts := range testedConfinementOpts {
-		snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1NoSlot, 0)
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1NoSlot, 0)
 		// file called "70-snap.sambda.rules" does not exist
 		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
 		_, err := os.Stat(fname)
@@ -413,3 +445,60 @@
 		s.RemoveSnap(c, snapInfo)
 	}
 }
+
+func (s *backendSuite) TestInstallingSnapWritesAndLoadsRulesWithInputSubsystem(c *C) {
+	// NOTE: Hand out a permanent snippet so that .rules file is generated.
+	s.Iface.UDevPermanentSlotCallback = func(spec *udev.Specification, slot *snap.SlotInfo) error {
+		spec.TriggerSubsystem("input")
+		spec.AddSnippet("dummy")
+		return nil
+	}
+	for _, opts := range testedConfinementOpts {
+		s.udevadmCmd.ForgetCalls()
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
+		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
+		// file called "70-snap.sambda.rules" was created
+		_, err := os.Stat(fname)
+		c.Check(err, IsNil)
+		// udevadm was used to reload rules and re-run triggers
+		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
+			{"udevadm", "control", "--reload-rules"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			{"udevadm", "trigger", "--subsystem-match=input"},
+			{"udevadm", "settle", "--timeout=10"},
+		})
+		s.RemoveSnap(c, snapInfo)
+	}
+}
+
+func (s *backendSuite) TestInstallingSnapWritesAndLoadsRulesWithInputJoystickSubsystem(c *C) {
+	// NOTE: Hand out a permanent snippet so that .rules file is generated.
+	s.Iface.UDevPermanentSlotCallback = func(spec *udev.Specification, slot *snap.SlotInfo) error {
+		spec.TriggerSubsystem("input/joystick")
+		spec.AddSnippet("dummy")
+		return nil
+	}
+	for _, opts := range testedConfinementOpts {
+		s.udevadmCmd.ForgetCalls()
+		snapInfo := s.InstallSnap(c, opts, "", ifacetest.SambaYamlV1, 0)
+		fname := filepath.Join(dirs.SnapUdevRulesDir, "70-snap.samba.rules")
+		// file called "70-snap.sambda.rules" was created
+		_, err := os.Stat(fname)
+		c.Check(err, IsNil)
+		// udevadm was used to reload rules and re-run triggers
+		c.Check(s.udevadmCmd.Calls(), DeepEquals, [][]string{
+			{"udevadm", "control", "--reload-rules"},
+			{"udevadm", "trigger", "--subsystem-nomatch=input"},
+			{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+			{"udevadm", "settle", "--timeout=10"},
+		})
+		s.RemoveSnap(c, snapInfo)
+	}
+}
+
+func (s *backendSuite) TestSandboxFeatures(c *C) {
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{
+		"device-cgroup-v1",
+		"tagging",
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/udev/spec.go snapd-2.37~rc1~14.04/interfaces/udev/spec.go
--- snapd-2.32.3.2~14.04/interfaces/udev/spec.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/udev/spec.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -26,6 +26,7 @@
 
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
 type entry struct {
@@ -41,7 +42,8 @@
 	entries  []entry
 	iface    string
 
-	securityTags []string
+	securityTags             []string
+	udevadmSubsystemTriggers []string
 }
 
 func (spec *Specification) addEntry(snippet, tag string) {
@@ -163,3 +165,27 @@
 	}
 	return nil
 }
+
+// Informs ReloadRules() to also do 'udevadm trigger <subsystem specific>'.
+// IMPORTANT: because there is currently no way to call TriggerSubsystem during
+// interface disconnect, TriggerSubsystem() should typically only by used in
+// UDevPermanentSlot since the rules are permanent until the snap is removed.
+func (spec *Specification) TriggerSubsystem(subsystem string) {
+	if subsystem == "" {
+		return
+	}
+
+	if strutil.ListContains(spec.udevadmSubsystemTriggers, subsystem) {
+		return
+	}
+	spec.udevadmSubsystemTriggers = append(spec.udevadmSubsystemTriggers, subsystem)
+}
+
+func (spec *Specification) TriggeredSubsystems() []string {
+	if len(spec.udevadmSubsystemTriggers) == 0 {
+		return nil
+	}
+	c := make([]string, len(spec.udevadmSubsystemTriggers))
+	copy(c, spec.udevadmSubsystemTriggers)
+	return c
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/udev/spec_test.go snapd-2.37~rc1~14.04/interfaces/udev/spec_test.go
--- snapd-2.32.3.2~14.04/interfaces/udev/spec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/udev/spec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -79,9 +79,9 @@
         interface: test
 `, nil)
 	s.plugInfo = info1.Plugs["name"]
-	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil)
+	s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil)
 	s.slotInfo = info2.Slots["name"]
-	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil)
+	s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil)
 }
 
 func (s *specSuite) SetUpTest(c *C) {
diff -Nru snapd-2.32.3.2~14.04/interfaces/udev/udev.go snapd-2.37~rc1~14.04/interfaces/udev/udev.go
--- snapd-2.32.3.2~14.04/interfaces/udev/udev.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/udev/udev.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -24,18 +24,84 @@
 	"os/exec"
 )
 
-// ReloadRules runs two commands that reload udev rule database.
+// ReloadRules runs three commands that reload udev rule database.
 //
 // The commands are: udevadm control --reload-rules
-//                   udevadm trigger
-func ReloadRules() error {
+//                   udevadm trigger --subsystem-nomatch=input
+//                   udevadm settle --timeout=3
+// and optionally trigger other subsystems as defined in the interfaces. Eg:
+//                   udevadm trigger --subsystem-match=input
+//                   udevadm trigger --property-match=ID_INPUT_JOYSTICK=1
+func ReloadRules(subsystemTriggers []string) error {
 	output, err := exec.Command("udevadm", "control", "--reload-rules").CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("cannot reload udev rules: %s\nudev output:\n%s", err, string(output))
 	}
-	output, err = exec.Command("udevadm", "trigger").CombinedOutput()
+
+	// By default, trigger for all events except the input subsystem since
+	// it can cause noticeable blocked input on, for example, classic
+	// desktop.
+	output, err = exec.Command("udevadm", "trigger", "--subsystem-nomatch=input").CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("cannot run udev triggers: %s\nudev output:\n%s", err, string(output))
 	}
+
+	// FIXME: track if also should trigger the joystick property if it
+	// wasn't already since we are not able to detect interfaces that are
+	// removed and set subsystemTriggers correctly. When we can, remove
+	// this. Allows joysticks to be removed from the device cgroup on
+	// interface disconnect.
+	inputJoystickTriggered := false
+
+	for _, subsystem := range subsystemTriggers {
+		if subsystem == "input/joystick" {
+			// If one of the interfaces said it uses the input
+			// subsystem for joysticks, then trigger the joystick
+			// events in a way that is specific to joysticks to not
+			// block other inputs.
+			output, err = exec.Command("udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1").CombinedOutput()
+			if err != nil {
+				return fmt.Errorf("cannot run udev triggers for joysticks: %s\nudev output:\n%s", err, string(output))
+			}
+			inputJoystickTriggered = true
+		} else if subsystem == "input/key" {
+			// If one of the interfaces said it uses the input
+			// subsystem for input keys, then trigger the keys
+			// events in a way that is specific to input keys
+			// to not block other inputs.
+			output, err = exec.Command("udevadm", "trigger", "--property-match=ID_INPUT_KEY=1", "--property-match=ID_INPUT_KEYBOARD!=1").CombinedOutput()
+			if err != nil {
+				return fmt.Errorf("cannot run udev triggers for keys: %s\nudev output:\n%s", err, string(output))
+			}
+		} else if subsystem != "" {
+			// If one of the interfaces said it uses a subsystem,
+			// then do it too.
+			output, err = exec.Command("udevadm", "trigger", "--subsystem-match="+subsystem).CombinedOutput()
+			if err != nil {
+				return fmt.Errorf("cannot run udev triggers for %s subsystem: %s\nudev output:\n%s", subsystem, err, string(output))
+			}
+
+			if subsystem == "input" {
+				inputJoystickTriggered = true
+			}
+		}
+	}
+
+	// FIXME: if not already triggered, trigger the joystick property if it
+	// wasn't already since we are not able to detect interfaces that are
+	// removed and set subsystemTriggers correctly. When we can, remove
+	// this. Allows joysticks to be removed from the device cgroup on
+	// interface disconnect.
+	if !inputJoystickTriggered {
+		output, err = exec.Command("udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1").CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("cannot run udev triggers for joysticks: %s\nudev output:\n%s", err, string(output))
+		}
+	}
+
+	// give our triggered events a chance to be handled before exiting.
+	// Ignore errors since we don't want to error on still pending events.
+	_ = exec.Command("udevadm", "settle", "--timeout=10").Run()
+
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/udev/udev_test.go snapd-2.37~rc1~14.04/interfaces/udev/udev_test.go
--- snapd-2.32.3.2~14.04/interfaces/udev/udev_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/udev/udev_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -41,11 +41,15 @@
 func (s *uDevSuite) TestReloadUDevRulesRunsUDevAdm(c *C) {
 	cmd := testutil.MockCommand(c, "udevadm", "")
 	defer cmd.Restore()
-	err := udev.ReloadRules()
+	err := udev.ReloadRules(nil)
 	c.Assert(err, IsNil)
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{
 		{"udevadm", "control", "--reload-rules"},
-		{"udevadm", "trigger"},
+		{"udevadm", "trigger", "--subsystem-nomatch=input"},
+		// FIXME: temporary until spec.TriggerSubsystem() can be
+		// called during disconnect
+		{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+		{"udevadm", "settle", "--timeout=10"},
 	})
 }
 
@@ -57,7 +61,7 @@
 fi
 	`)
 	defer cmd.Restore()
-	err := udev.ReloadRules()
+	err := udev.ReloadRules(nil)
 	c.Assert(err.Error(), Equals, ""+
 		"cannot reload udev rules: exit status 1\n"+
 		"udev output:\n"+
@@ -67,7 +71,7 @@
 	})
 }
 
-func (s *uDevSuite) TestReloadUDevRulesReportsErrorsFromTrigger(c *C) {
+func (s *uDevSuite) TestReloadUDevRulesReportsErrorsFromDefaultTrigger(c *C) {
 	cmd := testutil.MockCommand(c, "udevadm", `
 if [ "$1" = "trigger" ]; then
 	echo "failure 2"
@@ -75,13 +79,93 @@
 fi
 	`)
 	defer cmd.Restore()
-	err := udev.ReloadRules()
+	err := udev.ReloadRules(nil)
 	c.Assert(err.Error(), Equals, ""+
 		"cannot run udev triggers: exit status 2\n"+
 		"udev output:\n"+
 		"failure 2\n")
 	c.Assert(cmd.Calls(), DeepEquals, [][]string{
 		{"udevadm", "control", "--reload-rules"},
-		{"udevadm", "trigger"},
+		{"udevadm", "trigger", "--subsystem-nomatch=input"},
+	})
+}
+
+func (s *uDevSuite) TestReloadUDevRulesRunsUDevAdmWithSubsystem(c *C) {
+	cmd := testutil.MockCommand(c, "udevadm", "")
+	defer cmd.Restore()
+	err := udev.ReloadRules([]string{"input"})
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Calls(), DeepEquals, [][]string{
+		{"udevadm", "control", "--reload-rules"},
+		{"udevadm", "trigger", "--subsystem-nomatch=input"},
+		{"udevadm", "trigger", "--subsystem-match=input"},
+		{"udevadm", "settle", "--timeout=10"},
+	})
+}
+
+func (s *uDevSuite) TestReloadUDevRulesReportsErrorsFromSubsystemTrigger(c *C) {
+	cmd := testutil.MockCommand(c, "udevadm", `
+if [ "$2" = "--subsystem-match=input" ]; then
+	echo "failure 2"
+	exit 2
+fi
+	`)
+	defer cmd.Restore()
+	err := udev.ReloadRules([]string{"input"})
+	c.Assert(err.Error(), Equals, ""+
+		"cannot run udev triggers for input subsystem: exit status 2\n"+
+		"udev output:\n"+
+		"failure 2\n")
+	c.Assert(cmd.Calls(), DeepEquals, [][]string{
+		{"udevadm", "control", "--reload-rules"},
+		{"udevadm", "trigger", "--subsystem-nomatch=input"},
+		{"udevadm", "trigger", "--subsystem-match=input"},
+	})
+}
+
+func (s *uDevSuite) TestReloadUDevRulesRunsUDevAdmWithJoystick(c *C) {
+	cmd := testutil.MockCommand(c, "udevadm", "")
+	defer cmd.Restore()
+	err := udev.ReloadRules([]string{"input/joystick"})
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Calls(), DeepEquals, [][]string{
+		{"udevadm", "control", "--reload-rules"},
+		{"udevadm", "trigger", "--subsystem-nomatch=input"},
+		{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+		{"udevadm", "settle", "--timeout=10"},
+	})
+}
+
+func (s *uDevSuite) TestReloadUDevRulesReportsErrorsFromJoystickTrigger(c *C) {
+	cmd := testutil.MockCommand(c, "udevadm", `
+if [ "$2" = "--property-match=ID_INPUT_JOYSTICK=1" ]; then
+	echo "failure 2"
+	exit 2
+fi
+	`)
+	defer cmd.Restore()
+	err := udev.ReloadRules([]string{"input/joystick"})
+	c.Assert(err.Error(), Equals, ""+
+		"cannot run udev triggers for joysticks: exit status 2\n"+
+		"udev output:\n"+
+		"failure 2\n")
+	c.Assert(cmd.Calls(), DeepEquals, [][]string{
+		{"udevadm", "control", "--reload-rules"},
+		{"udevadm", "trigger", "--subsystem-nomatch=input"},
+		{"udevadm", "trigger", "--property-match=ID_INPUT_JOYSTICK=1"},
+	})
+}
+
+func (s *uDevSuite) TestReloadUDevRulesRunsUDevAdmWithTwoSubsystems(c *C) {
+	cmd := testutil.MockCommand(c, "udevadm", "")
+	defer cmd.Restore()
+	err := udev.ReloadRules([]string{"input", "tty"})
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Calls(), DeepEquals, [][]string{
+		{"udevadm", "control", "--reload-rules"},
+		{"udevadm", "trigger", "--subsystem-nomatch=input"},
+		{"udevadm", "trigger", "--subsystem-match=input"},
+		{"udevadm", "trigger", "--subsystem-match=tty"},
+		{"udevadm", "settle", "--timeout=10"},
 	})
 }
diff -Nru snapd-2.32.3.2~14.04/interfaces/utils/utils.go snapd-2.37~rc1~14.04/interfaces/utils/utils.go
--- snapd-2.32.3.2~14.04/interfaces/utils/utils.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/utils/utils.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,82 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package utils
+
+import (
+	"encoding/json"
+)
+
+// NormalizeInterfaceAttributes normalises types of an attribute values.
+// The following transformations are applied: int -> int64, float32 -> float64.
+// The normalisation proceeds recursively through maps and slices.
+func NormalizeInterfaceAttributes(value interface{}) interface{} {
+	// Normalize ints/floats using their 64-bit variants.
+	switch v := value.(type) {
+	case int:
+		return int64(v)
+	case float32:
+		return float64(v)
+	case []interface{}:
+		vc := make([]interface{}, len(v))
+		for i, el := range v {
+			vc[i] = NormalizeInterfaceAttributes(el)
+		}
+		return vc
+	case map[string]interface{}:
+		vc := make(map[string]interface{}, len(v))
+		for key, item := range v {
+			vc[key] = NormalizeInterfaceAttributes(item)
+		}
+		return vc
+	case json.Number:
+		jsonval := value.(json.Number)
+		if asInt, err := jsonval.Int64(); err == nil {
+			return asInt
+		}
+		asFloat, _ := jsonval.Float64()
+		return asFloat
+	}
+	return value
+}
+
+// CopyAttributes makes a deep copy of the attributes map.
+func CopyAttributes(value map[string]interface{}) map[string]interface{} {
+	return copyRecursive(value).(map[string]interface{})
+}
+
+func copyRecursive(value interface{}) interface{} {
+	// note: ensure all the mutable types (or types that need a conversion)
+	// are handled here.
+	switch v := value.(type) {
+	case []interface{}:
+		arr := make([]interface{}, len(v))
+		for i, el := range v {
+			arr[i] = copyRecursive(el)
+		}
+		return arr
+	case map[string]interface{}:
+		mp := make(map[string]interface{}, len(v))
+		for key, item := range v {
+			mp[key] = copyRecursive(item)
+		}
+		return mp
+	}
+	return value
+}
diff -Nru snapd-2.32.3.2~14.04/interfaces/utils/utils_test.go snapd-2.37~rc1~14.04/interfaces/utils/utils_test.go
--- snapd-2.32.3.2~14.04/interfaces/utils/utils_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/interfaces/utils/utils_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,82 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package utils_test
+
+import (
+	"encoding/json"
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces/utils"
+)
+
+func Test(t *testing.T) {
+	TestingT(t)
+}
+
+type utilsSuite struct{}
+
+var _ = Suite(&utilsSuite{})
+
+func (s *utilsSuite) TestNormalizeInterfaceAttributes(c *C) {
+	normalize := utils.NormalizeInterfaceAttributes
+	c.Assert(normalize(false), Equals, false)
+	c.Assert(normalize(nil), Equals, nil)
+	c.Assert(normalize(42), Equals, int64(42))
+	c.Assert(normalize(3.14), Equals, float64(3.14))
+	// Funny that, I noticed it only because of missing test coverage.
+	c.Assert(normalize(float32(3.14)), Equals, float64(3.140000104904175))
+	c.Assert(normalize("banana"), Equals, "banana")
+	c.Assert(normalize([]interface{}{42, 3.14, "banana", json.Number("21"), json.Number("0.5")}), DeepEquals,
+		[]interface{}{int64(42), float64(3.14), "banana", int64(21), float64(0.5)})
+	c.Assert(normalize(map[string]interface{}{"i": 42, "f": 3.14, "s": "banana"}),
+		DeepEquals, map[string]interface{}{"i": int64(42), "f": float64(3.14), "s": "banana"})
+	c.Assert(normalize(json.Number("1")), Equals, int64(1))
+	c.Assert(normalize(json.Number("2.5")), Equals, float64(2.5))
+
+	// Normalize doesn't mutate slices it is given
+	sliceIn := []interface{}{42}
+	sliceOut := normalize(sliceIn)
+	c.Assert(sliceIn, DeepEquals, []interface{}{42})
+	c.Assert(sliceOut, DeepEquals, []interface{}{int64(42)})
+
+	// Normalize doesn't mutate maps it is given
+	mapIn := map[string]interface{}{"i": 42}
+	mapOut := normalize(mapIn)
+	c.Assert(mapIn, DeepEquals, map[string]interface{}{"i": 42})
+	c.Assert(mapOut, DeepEquals, map[string]interface{}{"i": int64(42)})
+}
+
+func (s *utilsSuite) TestCopyAttributes(c *C) {
+	cpattr := utils.CopyAttributes
+
+	attrsIn := map[string]interface{}{"i": 42}
+	attrsOut := cpattr(attrsIn)
+	attrsIn["i"] = "changed"
+	c.Assert(attrsIn, DeepEquals, map[string]interface{}{"i": "changed"})
+	c.Assert(attrsOut, DeepEquals, map[string]interface{}{"i": 42})
+
+	attrsIn = map[string]interface{}{"ao": []interface{}{1, 2, 3}}
+	attrsOut = cpattr(attrsIn)
+	attrsIn["ao"].([]interface{})[1] = "changed"
+	c.Assert(attrsIn, DeepEquals, map[string]interface{}{"ao": []interface{}{1, "changed", 3}})
+	c.Assert(attrsOut, DeepEquals, map[string]interface{}{"ao": []interface{}{1, 2, 3}})
+}
diff -Nru snapd-2.32.3.2~14.04/jsonutil/json.go snapd-2.37~rc1~14.04/jsonutil/json.go
--- snapd-2.32.3.2~14.04/jsonutil/json.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/jsonutil/json.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,10 @@
 	"encoding/json"
 	"fmt"
 	"io"
+	"reflect"
+	"strings"
+
+	"github.com/snapcore/snapd/strutil"
 )
 
 // DecodeWithNumber decodes input data using json.Decoder, ensuring numbers are preserved
@@ -38,3 +42,25 @@
 	}
 	return nil
 }
+
+// StructFields takes a pointer to a struct and a list of exceptions,
+// and returns a list of the fields in the struct that are JSON-tagged
+// and whose tag is not in the list of exceptions.
+// The struct can be nil.
+func StructFields(s interface{}, exceptions ...string) []string {
+	st := reflect.TypeOf(s).Elem()
+	num := st.NumField()
+	fields := make([]string, 0, num)
+	for i := 0; i < num; i++ {
+		tag := st.Field(i).Tag.Get("json")
+		idx := strings.IndexByte(tag, ',')
+		if idx > -1 {
+			tag = tag[:idx]
+		}
+		if tag != "" && !strutil.ListContains(exceptions, tag) {
+			fields = append(fields, tag)
+		}
+	}
+
+	return fields
+}
diff -Nru snapd-2.32.3.2~14.04/jsonutil/json_test.go snapd-2.37~rc1~14.04/jsonutil/json_test.go
--- snapd-2.32.3.2~14.04/jsonutil/json_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/jsonutil/json_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -63,3 +63,28 @@
 		"d": nil,
 	})
 }
+
+func (utilSuite) TestStructFields(c *C) {
+	type aStruct struct {
+		Foo int `json:"hello"`
+		Bar int `json:"potato,stuff"`
+	}
+	c.Assert(jsonutil.StructFields((*aStruct)(nil)), DeepEquals, []string{"hello", "potato"})
+}
+
+func (utilSuite) TestStructFieldsExcept(c *C) {
+	type aStruct struct {
+		Foo int `json:"hello"`
+		Bar int `json:"potato,stuff"`
+	}
+	c.Assert(jsonutil.StructFields((*aStruct)(nil), "potato"), DeepEquals, []string{"hello"})
+	c.Assert(jsonutil.StructFields((*aStruct)(nil), "hello"), DeepEquals, []string{"potato"})
+}
+
+func (utilSuite) TestStructFieldsSurvivesNoTag(c *C) {
+	type aStruct struct {
+		Foo int `json:"hello"`
+		Bar int
+	}
+	c.Assert(jsonutil.StructFields((*aStruct)(nil)), DeepEquals, []string{"hello"})
+}
diff -Nru snapd-2.32.3.2~14.04/jsonutil/safejson/safejson.go snapd-2.37~rc1~14.04/jsonutil/safejson/safejson.go
--- snapd-2.32.3.2~14.04/jsonutil/safejson/safejson.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/jsonutil/safejson/safejson.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,202 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package safejson
+
+import (
+	"fmt"
+	"strconv"
+	"unicode"
+	"unicode/utf16"
+	"unicode/utf8"
+
+	"github.com/snapcore/snapd/strutil"
+)
+
+// String accepts any valid JSON string. Its Clean method will remove
+// characters that aren't expected in a short descriptive text.
+// I.e.: Cc, Co, Cf, Cs, noncharacters, and � (U+FFFD, the replacement
+// character) are removed.
+type String struct {
+	s string
+}
+
+func (str *String) UnmarshalJSON(in []byte) (err error) {
+	str.s, err = unmarshal(in, uOpt{})
+	return
+}
+
+// Clean returns the string, with Cc, Co, Cf, Cs, noncharacters,
+// and � (U+FFFD) removed.
+func (str String) Clean() string {
+	return str.s
+}
+
+// Paragraph accepts any valid JSON string. Its Clean method will remove
+// characters that aren't expected in a long descriptive text.
+// I.e.: Cc (except for \n), Co, Cf, Cs, noncharacters, and � (U+FFFD,
+// the replacement character) are removed.
+type Paragraph struct {
+	s string
+}
+
+func (par *Paragraph) UnmarshalJSON(in []byte) (err error) {
+	par.s, err = unmarshal(in, uOpt{nlOK: true})
+	return
+}
+
+// Clean returns the string, with Cc minus \n, Co, Cf, Cs, noncharacters,
+// and � (U+FFFD) removed.
+func (par Paragraph) Clean() string {
+	return par.s
+}
+
+func unescapeUCS2(in []byte) (rune, bool) {
+	if len(in) < 6 || in[0] != '\\' || in[1] != 'u' {
+		return -1, false
+	}
+	u, err := strconv.ParseUint(string(in[2:6]), 16, 32)
+	if err != nil {
+		return -1, false
+	}
+	return rune(u), true
+}
+
+type uOpt struct {
+	nlOK   bool
+	simple bool
+}
+
+func unmarshal(in []byte, o uOpt) (string, error) {
+	// heavily based on (inspired by?) unquoteBytes from encoding/json
+
+	if len(in) < 2 || in[0] != '"' || in[len(in)-1] != '"' {
+		// maybe it's a null and that's alright
+		if len(in) == 4 && in[0] == 'n' && in[1] == 'u' && in[2] == 'l' && in[3] == 'l' {
+			return "", nil
+		}
+		return "", fmt.Errorf("missing string delimiters: %q", in)
+	}
+
+	// prune the quotes
+	in = in[1 : len(in)-1]
+	i := 0
+	// try the fast track
+	for i < len(in) {
+		// 0x00..0x19 is the first of Cc
+		// 0x20..0x7e is all of printable ASCII (minus control chars)
+		if in[i] < 0x20 || in[i] > 0x7e || in[i] == '\\' || in[i] == '"' {
+			break
+		}
+		i++
+	}
+	if i == len(in) {
+		// wee
+		return string(in), nil
+	}
+	if o.simple {
+		return "", fmt.Errorf("character %q in string %q unsupported for this value", in[i], in)
+	}
+	// in[i] is the first problematic one
+	out := make([]byte, i, len(in)+2*utf8.UTFMax)
+	copy(out, in)
+	var r, r2 rune
+	var n int
+	var c byte
+	var ubuf [utf8.UTFMax]byte
+	var ok bool
+	for i < len(in) {
+		c = in[i]
+		switch {
+		case c == '"':
+			return "", fmt.Errorf("unexpected unescaped quote at %d in \"%s\"", i, in)
+		case c < 0x20:
+			return "", fmt.Errorf("unexpected control character at %d in %q", i, in)
+		case c == '\\':
+			// handle escapes
+			i++
+			if i == len(in) {
+				return "", fmt.Errorf("unexpected end of string (trailing backslash) in \"%s\"", in)
+			}
+			switch in[i] {
+			case 'u':
+				// oh dear, a unicode wotsit
+				r, ok = unescapeUCS2(in[i-1:])
+				if !ok {
+					x := in[i-1:]
+					if len(x) > 6 {
+						x = x[:6]
+					}
+					return "", fmt.Errorf(`badly formed \u escape %q at %d of "%s"`, x, i, in)
+				}
+				i += 5
+				if utf16.IsSurrogate(r) {
+					// sigh
+					r2, ok = unescapeUCS2(in[i:])
+					if !ok {
+						x := in[i:]
+						if len(x) > 6 {
+							x = x[:6]
+						}
+						return "", fmt.Errorf(`badly formed \u escape %q at %d of "%s"`, x, i, in)
+					}
+					i += 6
+					r = utf16.DecodeRune(r, r2)
+				}
+				if r <= 0x9f {
+					// otherwise, it's Cc (both halves, as we're looking at runes)
+					if (o.nlOK && r == '\n') || (r >= 0x20 && r <= 0x7e) {
+						out = append(out, byte(r))
+					}
+				} else if r != unicode.ReplacementChar && !unicode.Is(strutil.Ctrl, r) {
+					n = utf8.EncodeRune(ubuf[:], r)
+					out = append(out, ubuf[:n]...)
+				}
+			case 'b', 'f', 'r', 't':
+				// do nothing
+				i++
+			case 'n':
+				if o.nlOK {
+					out = append(out, '\n')
+				}
+				i++
+			case '"', '/', '\\':
+				// the spec says just ", / and \ can be backslash-escaped
+				// but go adds ' to the list (in unquoteBytes)
+				out = append(out, in[i])
+				i++
+			default:
+				return "", fmt.Errorf(`unknown escape '%c' at %d of "%s"`, in[i], i, in)
+			}
+		case c <= 0x7e:
+			// printable ASCII, except " or \
+			out = append(out, c)
+			i++
+		default:
+			r, n = utf8.DecodeRune(in[i:])
+			j := i + n
+			if r > 0x9f && r != unicode.ReplacementChar && !unicode.Is(strutil.Ctrl, r) {
+				out = append(out, in[i:j]...)
+			}
+			i = j
+		}
+	}
+
+	return string(out), nil
+}
diff -Nru snapd-2.32.3.2~14.04/jsonutil/safejson/safejson_test.go snapd-2.37~rc1~14.04/jsonutil/safejson/safejson_test.go
--- snapd-2.32.3.2~14.04/jsonutil/safejson/safejson_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/jsonutil/safejson/safejson_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,148 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package safejson_test
+
+import (
+	"encoding/json"
+	"testing"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/jsonutil/safejson"
+)
+
+func Test(t *testing.T) { check.TestingT(t) }
+
+type escapeSuite struct{}
+
+var _ = check.Suite(escapeSuite{})
+
+var table = map[string]string{
+	"null":           "",
+	`"hello"`:        "hello",
+	`"árbol"`:        "árbol",
+	`"\u0020"`:       " ",
+	`"\uD83D\uDE00"`: "😀",
+	`"a\b\r\tb"`:     "ab",
+	`"\\\""`:         `\"`,
+	// escape sequences (NOTE just the control char is stripped)
+	`"\u001b[3mhello\u001b[m"`: "[3mhello[m",
+	`"a\u0080z"`:               "az",
+	"\"a\u0080z\"":             "az",
+	"\"a\u007fz\"":             "az",
+	"\"a\u009fz\"":             "az",
+	// replacement char
+	`"a\uFFFDb"`: "ab",
+	// private unicode chars
+	`"a\uE000b"`:       "ab",
+	`"a\uDB80\uDC00b"`: "ab",
+}
+
+func (escapeSuite) TestStrings(c *check.C) {
+	var u safejson.String
+	for j, s := range table {
+		comm := check.Commentf(j)
+		c.Assert(json.Unmarshal([]byte(j), &u), check.IsNil, comm)
+		c.Check(u.Clean(), check.Equals, s, comm)
+
+		c.Assert(u.UnmarshalJSON([]byte(j)), check.IsNil, comm)
+		c.Check(u.Clean(), check.Equals, s, comm)
+	}
+}
+
+func (escapeSuite) TestBadStrings(c *check.C) {
+	var u1 safejson.String
+
+	cc0 := make([][]byte, 0x20)
+	for i := range cc0 {
+		cc0[i] = []byte{'"', byte(i), '"'}
+	}
+	badesc := make([][]byte, 0, 0x7f-0x21-9)
+	for c := byte('!'); c <= '~'; c++ {
+		switch c {
+		case '"', '\\', '/', 'b', 'f', 'n', 'r', 't', 'u':
+			continue
+		default:
+			badesc = append(badesc, []byte{'"', '\\', c, '"'})
+		}
+	}
+
+	table := map[string][][]byte{
+		// these are from json itself (so we're not checking them):
+		"invalid character '.+' in string literal":     cc0,
+		"invalid character '.+' in string escape code": badesc,
+		`invalid character '.+' in \\u .*`:             {[]byte(`"\u02"`), []byte(`"\u02zz"`)},
+		"invalid character '\"' after top-level value": {[]byte(`"""`)},
+		"unexpected end of JSON input":                 {[]byte(`"\"`)},
+	}
+
+	for e, js := range table {
+		for _, j := range js {
+			comm := check.Commentf("%q", j)
+			c.Check(json.Unmarshal(j, &u1), check.ErrorMatches, e, comm)
+		}
+	}
+
+	table = map[string][][]byte{
+		// these are from our lib
+		`missing string delimiters.*`:                 {{}, {'"'}},
+		`unexpected control character at 0 in "\\.+"`: cc0,
+		`unknown escape '.' at 1 of "\\."`:            badesc,
+		`badly formed \\u escape.*`: {
+			[]byte(`"\u02"`), []byte(`"\u02zz"`), []byte(`"a\u02xxz"`),
+			[]byte(`"\uD83Da"`), []byte(`"\uD83Da\u20"`), []byte(`"\uD83Da\u20zzz"`),
+		},
+		`unexpected unescaped quote at 0 in """`:            {[]byte(`"""`)},
+		`unexpected end of string \(trailing backslash\).*`: {[]byte(`"\"`)},
+	}
+
+	for e, js := range table {
+		for _, j := range js {
+			comm := check.Commentf("%q", j)
+			c.Check(u1.UnmarshalJSON(j), check.ErrorMatches, e, comm)
+		}
+	}
+}
+
+func (escapeSuite) TestParagraph(c *check.C) {
+	var u safejson.Paragraph
+	for j1, v1 := range table {
+		for j2, v2 := range table {
+			if j2 == "null" && j1 != "null" {
+				continue
+			}
+
+			var j, s string
+
+			if j1 == "null" {
+				j = j2
+				s = v2
+			} else {
+				j = j1[:len(j1)-1] + "\\n" + j2[1:]
+				s = v1 + "\n" + v2
+			}
+
+			comm := check.Commentf(j)
+			c.Assert(json.Unmarshal([]byte(j), &u), check.IsNil, comm)
+			c.Check(u.Clean(), check.Equals, s, comm)
+		}
+	}
+
+}
diff -Nru snapd-2.32.3.2~14.04/logger/export_test.go snapd-2.37~rc1~14.04/logger/export_test.go
--- snapd-2.32.3.2~14.04/logger/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/logger/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,3 +25,12 @@
 
 	return logger
 }
+
+func GetLoggerFlags() int {
+	log, ok := GetLogger().(Log)
+	if !ok {
+		return -1
+	}
+
+	return log.log.Flags()
+}
diff -Nru snapd-2.32.3.2~14.04/logger/logger.go snapd-2.37~rc1~14.04/logger/logger.go
--- snapd-2.32.3.2~14.04/logger/logger.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/logger/logger.go	2019-01-16 08:36:51.000000000 +0000
@@ -133,7 +133,12 @@
 
 // SimpleSetup creates the default (console) logger
 func SimpleSetup() error {
-	l, err := New(os.Stderr, DefaultFlags)
+	flags := log.Lshortfile
+	if term := os.Getenv("TERM"); term != "" {
+		// snapd is probably not running under systemd
+		flags = DefaultFlags
+	}
+	l, err := New(os.Stderr, flags)
 	if err == nil {
 		SetLogger(l)
 	}
diff -Nru snapd-2.32.3.2~14.04/logger/logger_test.go snapd-2.37~rc1~14.04/logger/logger_test.go
--- snapd-2.32.3.2~14.04/logger/logger_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/logger/logger_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,7 +21,9 @@
 
 import (
 	"bytes"
+	"log"
 	"os"
+	"runtime"
 	"testing"
 
 	. "gopkg.in/check.v1"
@@ -49,14 +51,35 @@
 }
 
 func (s *LogSuite) TestDefault(c *C) {
+	// env shenanigans
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	oldTerm, hadTerm := os.LookupEnv("TERM")
+	defer func() {
+		if hadTerm {
+			os.Setenv("TERM", oldTerm)
+		} else {
+			os.Unsetenv("TERM")
+		}
+	}()
+
 	if logger.GetLogger() != nil {
 		logger.SetLogger(nil)
 	}
 	c.Check(logger.GetLogger(), IsNil)
 
+	os.Setenv("TERM", "dumb")
 	err := logger.SimpleSetup()
-	c.Check(err, IsNil)
+	c.Assert(err, IsNil)
+	c.Check(logger.GetLogger(), NotNil)
+	c.Check(logger.GetLoggerFlags(), Equals, logger.DefaultFlags)
+
+	os.Unsetenv("TERM")
+	err = logger.SimpleSetup()
+	c.Assert(err, IsNil)
 	c.Check(logger.GetLogger(), NotNil)
+	c.Check(logger.GetLoggerFlags(), Equals, log.Lshortfile)
 }
 
 func (s *LogSuite) TestNew(c *C) {
diff -Nru snapd-2.32.3.2~14.04/mkauthors.sh snapd-2.37~rc1~14.04/mkauthors.sh
--- snapd-2.32.3.2~14.04/mkauthors.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/mkauthors.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -e
+
+# debugging if anything fails is tricky as dh-golang eats up all output
+# uncomment the lines below to get a useful trace if you have to touch
+# this again (my advice is: DON'T)
+#set -x
+#logfile=/tmp/mkauthors.log
+#exec >> $logfile 2>&1
+#echo "env: $(set)"
+#echo "mkauthors.sh run from: $0"
+#echo "pwd: $(pwd)"
+
+# GO_GENERATE_BUILDDIR may be the toplevel pkg dir, but during
+# "dpkg-buildpackage" it will become a different _build/ dir that
+# dh-golang creates and that only contains a subset of the files of
+# the toplevel buildir.
+GO_GENERATE_BUILDDIR="$(pwd)"
+
+# run from "go generate" adjust path
+if [ "$GOPACKAGE" = "cmd" ]; then
+    GO_GENERATE_BUILDDIR="$(pwd)/.."
+fi
+
+# Let's try to derive authors from git
+if ! command -v git >/dev/null; then
+    exit
+fi
+
+# see if we are in a git branch, if not, do nothing
+if [ ! -d .git ]; then
+    exit
+fi
+
+raw_authors="$(git shortlog -s|sort -n|tail -n14|cut -f2)"
+authors=""
+while read -r author; do
+    authors="$authors \"$author\","
+done <<< "$raw_authors"
+
+
+cat <<EOF > "$GO_GENERATE_BUILDDIR/cmd/snap/cmd_blame_generated.go"
+package main
+
+// generated by mkauthors.sh; do not edit
+
+func init() {
+	authors = []string{"Mark Shuttleworth", "Gustavo Niemeyer", $authors}
+}
+EOF
+
+go fmt "$GO_GENERATE_BUILDDIR/cmd/snap/cmd_blame_generated.go" >/dev/null
diff -Nru snapd-2.32.3.2~14.04/mkversion.sh snapd-2.37~rc1~14.04/mkversion.sh
--- snapd-2.32.3.2~14.04/mkversion.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/mkversion.sh	2019-01-16 08:36:51.000000000 +0000
@@ -26,16 +26,24 @@
     GO_GENERATE_BUILDDIR="$(pwd)/.."
 fi
 
+OUTPUT_ONLY=false
+if [ "$1" = "--output-only" ]; then
+    OUTPUT_ONLY=true
+    shift
+fi
+
 # If the version is passed in as an argument to mkversion.sh, let's use that.
-if [ ! -z "$1" ]; then
+if [ -n "$1" ]; then
     v="$1"
     o=shell
 fi
 
 if [ -z "$v" ]; then
     # Let's try to derive the version from git..
-    if which git >/dev/null; then
-        v="$(git describe --dirty --always | sed -e 's/-/+git/;y/-/./' )"
+    if command -v git >/dev/null; then
+        # not using "--dirty" here until the following bug is fixed:
+        # https://bugs.launchpad.net/snapcraft/+bug/1662388
+        v="$(git describe --always | sed -e 's/-/+git/;y/-/./' )"
         o=git
     fi
 fi
@@ -52,6 +60,11 @@
     exit 1
 fi
 
+if [ "$OUTPUT_ONLY" = true ]; then
+    echo "$v"
+    exit 0
+fi
+
 echo "*** Setting version to '$v' from $o." >&2
 
 cat <<EOF > "$GO_GENERATE_BUILDDIR/cmd/version_generated.go"
diff -Nru snapd-2.32.3.2~14.04/netutil/metered.go snapd-2.37~rc1~14.04/netutil/metered.go
--- snapd-2.32.3.2~14.04/netutil/metered.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/netutil/metered.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,65 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package netutil
+
+import (
+	"fmt"
+
+	"github.com/godbus/dbus"
+
+	"github.com/snapcore/snapd/logger"
+)
+
+const (
+	// https://developer.gnome.org/NetworkManager/stable/nm-dbus-types.html#NMMetered
+	NetworkManagerMeteredUnknown  = 0
+	NetworkManagerMeteredYes      = 1
+	NetworkManagerMeteredNo       = 2
+	NetworkManagerMeteredGuessYes = 3
+	NetworkManagerMeteredGuessNo  = 4
+)
+
+// IsOnMeteredConnection checks whether the current default network connection
+// is metered. If the state can not be determined, returns false and an error.
+func IsOnMeteredConnection() (bool, error) {
+	// obtain a shared connection to system bus, no need to close it
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return false, fmt.Errorf("cannot connect to system bus: %v", err)
+	}
+
+	return isNMOnMetered(conn)
+}
+
+func isNMOnMetered(conn *dbus.Conn) (bool, error) {
+	nmObj := conn.Object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
+	// https://developer.gnome.org/NetworkManager/stable/gdbus-org.freedesktop.NetworkManager.html
+	dbusV, err := nmObj.GetProperty("org.freedesktop.NetworkManager.Metered")
+	if err != nil {
+		return false, err
+	}
+	v, ok := dbusV.Value().(uint32)
+	if !ok {
+		return false, fmt.Errorf("network manager returned invalid value for metering verification: %s", dbusV)
+	}
+	logger.Debugf("metered state reported by NetworkManager: %s", dbusV)
+
+	return v == NetworkManagerMeteredGuessYes || v == NetworkManagerMeteredYes, nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/context_test.go snapd-2.37~rc1~14.04/osutil/context_test.go
--- snapd-2.32.3.2~14.04/osutil/context_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/context_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"io"
 	"os/exec"
 	"strings"
+	"testing"
 	"time"
 
 	"golang.org/x/net/context"
@@ -74,6 +75,10 @@
 }
 
 func (ctxSuite) TestRunRace(c *check.C) {
+	if testing.Short() {
+		c.Skip("skippinng non-short test")
+	}
+
 	// first, time how long /bin/false takes
 	t0 := time.Now()
 	cmderr := exec.Command("/bin/false").Run()
diff -Nru snapd-2.32.3.2~14.04/osutil/exec.go snapd-2.37~rc1~14.04/osutil/exec.go
--- snapd-2.32.3.2~14.04/osutil/exec.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/exec.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,12 +35,11 @@
 
 	"gopkg.in/tomb.v2"
 
-	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/strutil"
 )
 
-func parseCoreLdSoConf(confPath string) []string {
-	root := filepath.Join(dirs.SnapMountDir, "/core/current")
+func parseCoreLdSoConf(snapMountDir string, confPath string) []string {
+	root := filepath.Join(snapMountDir, "/core/current")
 
 	f, err := os.Open(filepath.Join(root, confPath))
 	if err != nil {
@@ -64,7 +63,7 @@
 				return nil
 			}
 			for _, f := range files {
-				out = append(out, parseCoreLdSoConf(f[len(root):])...)
+				out = append(out, parseCoreLdSoConf(snapMountDir, f[len(root):])...)
 			}
 		default:
 			out = append(out, filepath.Join(root, line))
@@ -105,8 +104,8 @@
 //
 // At the moment it can only run ELF files, expects a standard ld.so
 // interpreter, and can't handle RPATH.
-func CommandFromCore(name string, cmdArgs ...string) (*exec.Cmd, error) {
-	root := filepath.Join(dirs.SnapMountDir, "/core/current")
+func CommandFromCore(snapMountDir string, name string, cmdArgs ...string) (*exec.Cmd, error) {
+	root := filepath.Join(snapMountDir, "/core/current")
 
 	cmdPath := filepath.Join(root, name)
 	interp, err := elfInterp(cmdPath)
@@ -134,7 +133,7 @@
 		seen[coreLdSo] = true
 	}
 
-	ldLibraryPathForCore := parseCoreLdSoConf("/etc/ld.so.conf")
+	ldLibraryPathForCore := parseCoreLdSoConf(snapMountDir, "/etc/ld.so.conf")
 
 	ldSoArgs := []string{"--library-path", strings.Join(ldLibraryPathForCore, ":"), cmdPath}
 	allArgs := append(ldSoArgs, cmdArgs...)
diff -Nru snapd-2.32.3.2~14.04/osutil/exec_test.go snapd-2.37~rc1~14.04/osutil/exec_test.go
--- snapd-2.32.3.2~14.04/osutil/exec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/exec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -77,7 +77,7 @@
 
 	os.MkdirAll(filepath.Join(root, "/usr/bin"), 0755)
 	osutil.CopyFile(truePath, filepath.Join(root, "/usr/bin/xdelta3"), 0)
-	cmd, err := osutil.CommandFromCore("/usr/bin/xdelta3", "--some-xdelta-arg")
+	cmd, err := osutil.CommandFromCore(dirs.SnapMountDir, "/usr/bin/xdelta3", "--some-xdelta-arg")
 	c.Assert(err, IsNil)
 
 	out, err := exec.Command("/bin/sh", "-c", fmt.Sprintf("readelf -l %s |grep interpreter:|cut -f2 -d:|cut -f1 -d]", truePath)).Output()
@@ -108,7 +108,7 @@
 	c.Assert(os.MkdirAll(filepath.Dir(coreInterp), 0755), IsNil)
 	c.Assert(os.Symlink(filepath.Base(coreInterp), coreInterp), IsNil)
 
-	_, err = osutil.CommandFromCore("/usr/bin/xdelta3", "--some-xdelta-arg")
+	_, err = osutil.CommandFromCore(dirs.SnapMountDir, "/usr/bin/xdelta3", "--some-xdelta-arg")
 	c.Assert(err, ErrorMatches, "cannot run command from core: symlink cycle found")
 
 }
diff -Nru snapd-2.32.3.2~14.04/osutil/export_test.go snapd-2.37~rc1~14.04/osutil/export_test.go
--- snapd-2.32.3.2~14.04/osutil/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,7 +20,9 @@
 package osutil
 
 import (
+	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
 	"os/user"
@@ -106,3 +108,50 @@
 
 	return func() { osReadlink = realOsReadlink }
 }
+
+//MockMountInfo mocks content of /proc/self/mountinfo read by IsHomeUsingNFS
+func MockMountInfo(text string) (restore func()) {
+	old := procSelfMountInfo
+	f, err := ioutil.TempFile("", "mountinfo")
+	if err != nil {
+		panic(fmt.Errorf("cannot open temporary file: %s", err))
+	}
+	if err := ioutil.WriteFile(f.Name(), []byte(text), 0644); err != nil {
+		panic(fmt.Errorf("cannot write mock mountinfo file: %s", err))
+	}
+	procSelfMountInfo = f.Name()
+	return func() {
+		os.Remove(procSelfMountInfo)
+		procSelfMountInfo = old
+	}
+}
+
+// MockEtcFstab mocks content of /etc/fstab read by IsHomeUsingNFS
+func MockEtcFstab(text string) (restore func()) {
+	old := etcFstab
+	f, err := ioutil.TempFile("", "fstab")
+	if err != nil {
+		panic(fmt.Errorf("cannot open temporary file: %s", err))
+	}
+	if err := ioutil.WriteFile(f.Name(), []byte(text), 0644); err != nil {
+		panic(fmt.Errorf("cannot write mock fstab file: %s", err))
+	}
+	etcFstab = f.Name()
+	return func() {
+		if etcFstab == "/etc/fstab" {
+			panic("respectfully refusing to remove /etc/fstab")
+		}
+		os.Remove(etcFstab)
+		etcFstab = old
+	}
+}
+
+// MockUname mocks syscall.Uname as used by MachineName and KernelVersion
+func MockUname(f func(*syscall.Utsname) error) (restore func()) {
+	old := syscallUname
+	syscallUname = f
+
+	return func() {
+		syscallUname = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/flock_test.go snapd-2.37~rc1~14.04/osutil/flock_test.go
--- snapd-2.32.3.2~14.04/osutil/flock_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/flock_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -134,7 +134,7 @@
 		if osutil.FileExists(lockPath) {
 			break
 		}
-		time.Sleep(1 * time.Second)
+		time.Sleep(time.Millisecond)
 	}
 
 	lock, err := osutil.NewFileLock(lockPath)
diff -Nru snapd-2.32.3.2~14.04/osutil/mkdirallchown.go snapd-2.37~rc1~14.04/osutil/mkdirallchown.go
--- snapd-2.32.3.2~14.04/osutil/mkdirallchown.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mkdirallchown.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,14 +22,22 @@
 import (
 	"os"
 	"path/filepath"
+	"sync"
 	"syscall"
 
 	"github.com/snapcore/snapd/osutil/sys"
 )
 
+// XXX: we need to come back and fix this; this is a hack to unblock us.
+//      As part of the fixing we should unify with the similar code in
+//      cmd/snap-update-ns/utils.(*Secure).MkdirAll
+var mu sync.Mutex
+
 // MkdirAllChown is like os.MkdirAll but it calls os.Chown on any
 // directories it creates.
 func MkdirAllChown(path string, perm os.FileMode, uid sys.UserID, gid sys.GroupID) error {
+	mu.Lock()
+	defer mu.Unlock()
 	return mkdirAllChown(filepath.Clean(path), perm, uid, gid)
 }
 
diff -Nru snapd-2.32.3.2~14.04/osutil/mockable.go snapd-2.37~rc1~14.04/osutil/mockable.go
--- snapd-2.32.3.2~14.04/osutil/mockable.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mockable.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,8 +20,6 @@
 package osutil
 
 import (
-	"fmt"
-	"io/ioutil"
 	"os"
 	"os/user"
 	"syscall"
@@ -45,40 +43,3 @@
 	etcFstab          = "/etc/fstab"
 	sudoersDotD       = "/etc/sudoers.d"
 )
-
-//MockMountInfo mocks content of /proc/self/mountinfo read by IsHomeUsingNFS
-func MockMountInfo(text string) (restore func()) {
-	old := procSelfMountInfo
-	f, err := ioutil.TempFile("", "mountinfo")
-	if err != nil {
-		panic(fmt.Errorf("cannot open temporary file: %s", err))
-	}
-	if err := ioutil.WriteFile(f.Name(), []byte(text), 0644); err != nil {
-		panic(fmt.Errorf("cannot write mock mountinfo file: %s", err))
-	}
-	procSelfMountInfo = f.Name()
-	return func() {
-		os.Remove(procSelfMountInfo)
-		procSelfMountInfo = old
-	}
-}
-
-// MockEtcFstab mocks content of /etc/fstab read by IsHomeUsingNFS
-func MockEtcFstab(text string) (restore func()) {
-	old := etcFstab
-	f, err := ioutil.TempFile("", "fstab")
-	if err != nil {
-		panic(fmt.Errorf("cannot open temporary file: %s", err))
-	}
-	if err := ioutil.WriteFile(f.Name(), []byte(text), 0644); err != nil {
-		panic(fmt.Errorf("cannot write mock fstab file: %s", err))
-	}
-	etcFstab = f.Name()
-	return func() {
-		if etcFstab == "/etc/fstab" {
-			panic("respectfully refusing to remove /etc/fstab")
-		}
-		os.Remove(etcFstab)
-		etcFstab = old
-	}
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mount_darwin.go snapd-2.37~rc1~14.04/osutil/mount_darwin.go
--- snapd-2.32.3.2~14.04/osutil/mount_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mount_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,25 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+// IsMounted is not implemented on darwin
+func IsMounted(baseDir string) (bool, error) {
+	return false, ErrDarwin
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountentry.go snapd-2.37~rc1~14.04/osutil/mountentry.go
--- snapd-2.32.3.2~14.04/osutil/mountentry.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountentry.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,392 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil
-
-import (
-	"fmt"
-	"math"
-	"os"
-	"regexp"
-	"strconv"
-	"strings"
-	"syscall"
-)
-
-// MountEntry describes an /etc/fstab-like mount entry.
-//
-// Fields are named after names in struct returned by getmntent(3).
-//
-// struct mntent {
-//     char *mnt_fsname;   /* name of mounted filesystem */
-//     char *mnt_dir;      /* filesystem path prefix */
-//     char *mnt_type;     /* mount type (see Mntent.h) */
-//     char *mnt_opts;     /* mount options (see Mntent.h) */
-//     int   mnt_freq;     /* dump frequency in days */
-//     int   mnt_passno;   /* pass number on parallel fsck */
-// };
-type MountEntry struct {
-	Name    string
-	Dir     string
-	Type    string
-	Options []string
-
-	DumpFrequency   int
-	CheckPassNumber int
-}
-
-func equalStrings(a, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i := 0; i < len(a); i++ {
-		if a[i] != b[i] {
-			return false
-		}
-	}
-	return true
-}
-
-// Equal checks if one entry is equal to another
-func (e *MountEntry) Equal(o *MountEntry) bool {
-	return (e.Name == o.Name && e.Dir == o.Dir && e.Type == o.Type &&
-		equalStrings(e.Options, o.Options) && e.DumpFrequency == o.DumpFrequency &&
-		e.CheckPassNumber == o.CheckPassNumber)
-}
-
-// escape replaces whitespace characters so that getmntent can parse it correctly.
-var escape = strings.NewReplacer(
-	" ", `\040`,
-	"\t", `\011`,
-	"\n", `\012`,
-	"\\", `\134`,
-).Replace
-
-// unescape replaces escape sequences used by setmnt with whitespace characters.
-var unescape = strings.NewReplacer(
-	`\040`, " ",
-	`\011`, "\t",
-	`\012`, "\n",
-	`\134`, "\\",
-).Replace
-
-// Escape returns the given path with space, tab, newline and forward slash escaped.
-func Escape(path string) string {
-	return escape(path)
-}
-
-// Unescape returns the given path with space, tab, newline and forward slash unescaped.
-func Unescape(path string) string {
-	return unescape(path)
-}
-
-func (e MountEntry) String() string {
-	// Name represents name of the device in a mount entry.
-	name := "none"
-	if e.Name != "" {
-		name = escape(e.Name)
-	}
-	// Dir represents mount directory in a mount entry.
-	dir := "none"
-	if e.Dir != "" {
-		dir = escape(e.Dir)
-	}
-	// Type represents file system type in a mount entry.
-	fsType := "none"
-	if e.Type != "" {
-		fsType = escape(e.Type)
-	}
-	// Options represents mount options in a mount entry.
-	options := "defaults"
-	if len(e.Options) != 0 {
-		options = escape(strings.Join(e.Options, ","))
-	}
-	return fmt.Sprintf("%s %s %s %s %d %d",
-		name, dir, fsType, options, e.DumpFrequency, e.CheckPassNumber)
-}
-
-// ParseMountEntry parses a fstab-like entry.
-func ParseMountEntry(s string) (MountEntry, error) {
-	var e MountEntry
-	var err error
-	var df, cpn int
-	fields := strings.FieldsFunc(s, func(r rune) bool { return r == ' ' || r == '\t' })
-	// Look for any inline comments. The first field that starts with '#' is a comment.
-	for i, field := range fields {
-		if strings.HasPrefix(field, "#") {
-			fields = fields[:i]
-			break
-		}
-	}
-	// Do all error checks before any assignments to `e'
-	if len(fields) < 3 || len(fields) > 6 {
-		return e, fmt.Errorf("expected between 3 and 6 fields, found %d", len(fields))
-	}
-	e.Name = unescape(fields[0])
-	e.Dir = unescape(fields[1])
-	e.Type = unescape(fields[2])
-	// Parse Options if we have at least 4 fields
-	if len(fields) > 3 {
-		e.Options = strings.Split(unescape(fields[3]), ",")
-	}
-	// Parse DumpFrequency if we have at least 5 fields
-	if len(fields) > 4 {
-		df, err = strconv.Atoi(fields[4])
-		if err != nil {
-			return e, fmt.Errorf("cannot parse dump frequency: %q", fields[4])
-		}
-	}
-	e.DumpFrequency = df
-	// Parse CheckPassNumber if we have at least 6 fields
-	if len(fields) > 5 {
-		cpn, err = strconv.Atoi(fields[5])
-		if err != nil {
-			return e, fmt.Errorf("cannot parse check pass number: %q", fields[5])
-		}
-	}
-	e.CheckPassNumber = cpn
-	return e, nil
-}
-
-// MountOptsToCommonFlags converts mount options strings to a mount flag,
-// returning unparsed flags. The unparsed flags will not contain any snapd-
-// specific mount option, those starting with the string "x-snapd."
-func MountOptsToCommonFlags(opts []string) (flags int, unparsed []string) {
-	for _, opt := range opts {
-		switch opt {
-		case "ro":
-			flags |= syscall.MS_RDONLY
-		case "nosuid":
-			flags |= syscall.MS_NOSUID
-		case "nodev":
-			flags |= syscall.MS_NODEV
-		case "noexec":
-			flags |= syscall.MS_NOEXEC
-		case "sync":
-			flags |= syscall.MS_SYNCHRONOUS
-		case "remount":
-			flags |= syscall.MS_REMOUNT
-		case "mand":
-			flags |= syscall.MS_MANDLOCK
-		case "dirsync":
-			flags |= syscall.MS_DIRSYNC
-		case "noatime":
-			flags |= syscall.MS_NOATIME
-		case "nodiratime":
-			flags |= syscall.MS_NODIRATIME
-		case "bind":
-			flags |= syscall.MS_BIND
-		case "rbind":
-			flags |= syscall.MS_BIND | syscall.MS_REC
-		case "move":
-			flags |= syscall.MS_MOVE
-		case "silent":
-			flags |= syscall.MS_SILENT
-		case "acl":
-			flags |= syscall.MS_POSIXACL
-		case "private":
-			flags |= syscall.MS_PRIVATE
-		case "rprivate":
-			flags |= syscall.MS_PRIVATE | syscall.MS_REC
-		case "slave":
-			flags |= syscall.MS_SLAVE
-		case "rslave":
-			flags |= syscall.MS_SLAVE | syscall.MS_REC
-		case "shared":
-			flags |= syscall.MS_SHARED
-		case "rshared":
-			flags |= syscall.MS_SHARED | syscall.MS_REC
-		case "relatime":
-			flags |= syscall.MS_RELATIME
-		case "strictatime":
-			flags |= syscall.MS_STRICTATIME
-		default:
-			if !strings.HasPrefix(opt, "x-snapd.") {
-				unparsed = append(unparsed, opt)
-			}
-		}
-	}
-	return flags, unparsed
-}
-
-// MountOptsToFlags converts mount options strings to a mount flag.
-func MountOptsToFlags(opts []string) (flags int, err error) {
-	flags, unparsed := MountOptsToCommonFlags(opts)
-	for _, opt := range unparsed {
-		if !strings.HasPrefix(opt, "x-snapd.") {
-			return 0, fmt.Errorf("unsupported mount option: %q", opt)
-		}
-	}
-	return flags, nil
-}
-
-// OptStr returns the value part of a key=value mount option.
-// The name of the option must not contain the trailing "=" character.
-func (e *MountEntry) OptStr(name string) (string, bool) {
-	prefix := name + "="
-	for _, opt := range e.Options {
-		if strings.HasPrefix(opt, prefix) {
-			kv := strings.SplitN(opt, "=", 2)
-			return kv[1], true
-		}
-	}
-	return "", false
-}
-
-// OptBool returns true if a given mount option is present.
-func (e *MountEntry) OptBool(name string) bool {
-	for _, opt := range e.Options {
-		if opt == name {
-			return true
-		}
-	}
-	return false
-}
-
-var (
-	validModeRe      = regexp.MustCompile("^0[0-7]{3}$")
-	validUserGroupRe = regexp.MustCompile("(^[0-9]+$)")
-)
-
-// XSnapdMode returns the file mode associated with x-snapd.mode mount option.
-// If the mode is not specified explicitly then a default mode of 0755 is assumed.
-func (e *MountEntry) XSnapdMode() (os.FileMode, error) {
-	if opt, ok := e.OptStr("x-snapd.mode"); ok {
-		if !validModeRe.MatchString(opt) {
-			return 0, fmt.Errorf("cannot parse octal file mode from %q", opt)
-		}
-		var mode os.FileMode
-		n, err := fmt.Sscanf(opt, "%o", &mode)
-		if err != nil || n != 1 {
-			return 0, fmt.Errorf("cannot parse octal file mode from %q", opt)
-		}
-		return mode, nil
-	}
-	return 0755, nil
-}
-
-// XSnapdUID returns the user associated with x-snapd-user mount option.  If
-// the mode is not specified explicitly then a default "root" use is
-// returned.
-func (e *MountEntry) XSnapdUID() (uid uint64, err error) {
-	if opt, ok := e.OptStr("x-snapd.uid"); ok {
-		if !validUserGroupRe.MatchString(opt) {
-			return math.MaxUint64, fmt.Errorf("cannot parse user name %q", opt)
-		}
-		// Try to parse a numeric ID first.
-		if n, err := fmt.Sscanf(opt, "%d", &uid); n == 1 && err == nil {
-			return uid, nil
-		}
-		return uid, nil
-	}
-	return 0, nil
-}
-
-// XSnapdGID returns the user associated with x-snapd-user mount option.  If
-// the mode is not specified explicitly then a default "root" use is
-// returned.
-func (e *MountEntry) XSnapdGID() (gid uint64, err error) {
-	if opt, ok := e.OptStr("x-snapd.gid"); ok {
-		if !validUserGroupRe.MatchString(opt) {
-			return math.MaxUint64, fmt.Errorf("cannot parse group name %q", opt)
-		}
-		// Try to parse a numeric ID first.
-		if n, err := fmt.Sscanf(opt, "%d", &gid); n == 1 && err == nil {
-			return gid, nil
-		}
-		return gid, nil
-	}
-	return 0, nil
-}
-
-// XSnapdEntryID returns the identifier of a given mount enrty.
-//
-// Identifiers are kept in the x-snapd.id mount option. The value is a string
-// that identifies a mount entry and is stable across invocations of snapd. In
-// absence of that identifier the entry mount point is returned.
-func (e *MountEntry) XSnapdEntryID() string {
-	if val, ok := e.OptStr("x-snapd.id"); ok {
-		return val
-	}
-	return e.Dir
-}
-
-// XSnapdNeededBy the identifier of an entry which needs this entry to function.
-//
-// The "needed by" identifiers are kept in the x-snapd.needed-by mount option.
-// The value is a string that identifies another mount entry which, in order to
-// be feasible, has spawned one or more additional support entries. Each such
-// entry contains the needed-by attribute.
-func (e *MountEntry) XSnapdNeededBy() string {
-	val, _ := e.OptStr("x-snapd.needed-by")
-	return val
-}
-
-// XSnapdOrigin returns the origin of a given mount entry.
-//
-// Currently only "layout" entries are identified with a unique origin string.
-func (e *MountEntry) XSnapdOrigin() string {
-	val, _ := e.OptStr("x-snapd.origin")
-	return val
-}
-
-// XSnapdSynthetic returns true of a given mount entry is synthetic.
-//
-// Synthetic mount entries are created by snap-update-ns itself, separately
-// from what snapd instructed. Such entries are needed to make other things
-// possible.  They are identified by having the "x-snapd.synthetic" mount
-// option.
-func (e *MountEntry) XSnapdSynthetic() bool {
-	return e.OptBool("x-snapd.synthetic")
-}
-
-// XSnapdKindSymlink returns the string "x-snapd.kind=symlink".
-func XSnapdKindSymlink() string {
-	return "x-snapd.kind=symlink"
-}
-
-// XSnapdKindFile returns the string "x-snapd.kind=file".
-func XSnapdKindFile() string {
-	return "x-snapd.kind=file"
-}
-
-// XSnapdOriginLayout returns the string "x-snapd.origin=layout"
-func XSnapdOriginLayout() string {
-	return "x-snapd.origin=layout"
-}
-
-// XSnapdUser returns the string "x-snapd.user=%d".
-func XSnapdUser(uid int) string {
-	return fmt.Sprintf("x-snapd.user=%d", uid)
-}
-
-// XSnapdGroup returns the string "x-snapd.group=%d".
-func XSnapdGroup(gid int) string {
-	return fmt.Sprintf("x-snapd.group=%d", gid)
-}
-
-// XSnapdMode returns the string "x-snapd.mode=%#o".
-func XSnapdMode(mode uint32) string {
-	return fmt.Sprintf("x-snapd.mode=%#o", mode)
-}
-
-// XSnapdSymlink returns the string "x-snapd.symlink=%s".
-func XSnapdSymlink(oldname string) string {
-	return fmt.Sprintf("x-snapd.symlink=%s", oldname)
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountentry_linux.go snapd-2.37~rc1~14.04/osutil/mountentry_linux.go
--- snapd-2.32.3.2~14.04/osutil/mountentry_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountentry_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,458 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"fmt"
+	"math"
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+	"syscall"
+)
+
+// MountEntry describes an /etc/fstab-like mount entry.
+//
+// Fields are named after names in struct returned by getmntent(3).
+//
+// struct mntent {
+//     char *mnt_fsname;   /* name of mounted filesystem */
+//     char *mnt_dir;      /* filesystem path prefix */
+//     char *mnt_type;     /* mount type (see Mntent.h) */
+//     char *mnt_opts;     /* mount options (see Mntent.h) */
+//     int   mnt_freq;     /* dump frequency in days */
+//     int   mnt_passno;   /* pass number on parallel fsck */
+// };
+type MountEntry struct {
+	Name    string
+	Dir     string
+	Type    string
+	Options []string
+
+	DumpFrequency   int
+	CheckPassNumber int
+}
+
+func equalStrings(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := 0; i < len(a); i++ {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal checks if one entry is equal to another
+func (e *MountEntry) Equal(o *MountEntry) bool {
+	return (e.Name == o.Name && e.Dir == o.Dir && e.Type == o.Type &&
+		equalStrings(e.Options, o.Options) && e.DumpFrequency == o.DumpFrequency &&
+		e.CheckPassNumber == o.CheckPassNumber)
+}
+
+// escape replaces whitespace characters so that getmntent can parse it correctly.
+var escape = strings.NewReplacer(
+	" ", `\040`,
+	"\t", `\011`,
+	"\n", `\012`,
+	"\\", `\134`,
+).Replace
+
+// unescape replaces escape sequences used by setmnt with whitespace characters.
+var unescape = strings.NewReplacer(
+	`\040`, " ",
+	`\011`, "\t",
+	`\012`, "\n",
+	`\134`, "\\",
+).Replace
+
+// Escape returns the given path with space, tab, newline and forward slash escaped.
+func Escape(path string) string {
+	return escape(path)
+}
+
+// Unescape returns the given path with space, tab, newline and forward slash unescaped.
+func Unescape(path string) string {
+	return unescape(path)
+}
+
+func (e MountEntry) String() string {
+	// Name represents name of the device in a mount entry.
+	name := "none"
+	if e.Name != "" {
+		name = escape(e.Name)
+	}
+	// Dir represents mount directory in a mount entry.
+	dir := "none"
+	if e.Dir != "" {
+		dir = escape(e.Dir)
+	}
+	// Type represents file system type in a mount entry.
+	fsType := "none"
+	if e.Type != "" {
+		fsType = escape(e.Type)
+	}
+	// Options represents mount options in a mount entry.
+	options := "defaults"
+	if len(e.Options) != 0 {
+		options = escape(strings.Join(e.Options, ","))
+	}
+	return fmt.Sprintf("%s %s %s %s %d %d",
+		name, dir, fsType, options, e.DumpFrequency, e.CheckPassNumber)
+}
+
+// ParseMountEntry parses a fstab-like entry.
+func ParseMountEntry(s string) (MountEntry, error) {
+	var e MountEntry
+	var err error
+	var df, cpn int
+	fields := strings.FieldsFunc(s, func(r rune) bool { return r == ' ' || r == '\t' })
+	// Look for any inline comments. The first field that starts with '#' is a comment.
+	for i, field := range fields {
+		if strings.HasPrefix(field, "#") {
+			fields = fields[:i]
+			break
+		}
+	}
+	// Do all error checks before any assignments to `e'
+	if len(fields) < 3 || len(fields) > 6 {
+		return e, fmt.Errorf("expected between 3 and 6 fields, found %d", len(fields))
+	}
+	e.Name = unescape(fields[0])
+	e.Dir = unescape(fields[1])
+	e.Type = unescape(fields[2])
+	// Parse Options if we have at least 4 fields
+	if len(fields) > 3 {
+		e.Options = strings.Split(unescape(fields[3]), ",")
+	}
+	// Parse DumpFrequency if we have at least 5 fields
+	if len(fields) > 4 {
+		df, err = strconv.Atoi(fields[4])
+		if err != nil {
+			return e, fmt.Errorf("cannot parse dump frequency: %q", fields[4])
+		}
+	}
+	e.DumpFrequency = df
+	// Parse CheckPassNumber if we have at least 6 fields
+	if len(fields) > 5 {
+		cpn, err = strconv.Atoi(fields[5])
+		if err != nil {
+			return e, fmt.Errorf("cannot parse check pass number: %q", fields[5])
+		}
+	}
+	e.CheckPassNumber = cpn
+	return e, nil
+}
+
+// MountOptsToCommonFlags converts mount options strings to a mount flag,
+// returning unparsed flags. The unparsed flags will not contain any snapd-
+// specific mount option, those starting with the string "x-snapd."
+func MountOptsToCommonFlags(opts []string) (flags int, unparsed []string) {
+	for _, opt := range opts {
+		switch opt {
+		case "ro":
+			flags |= syscall.MS_RDONLY
+		case "nosuid":
+			flags |= syscall.MS_NOSUID
+		case "nodev":
+			flags |= syscall.MS_NODEV
+		case "noexec":
+			flags |= syscall.MS_NOEXEC
+		case "sync":
+			flags |= syscall.MS_SYNCHRONOUS
+		case "remount":
+			flags |= syscall.MS_REMOUNT
+		case "mand":
+			flags |= syscall.MS_MANDLOCK
+		case "dirsync":
+			flags |= syscall.MS_DIRSYNC
+		case "noatime":
+			flags |= syscall.MS_NOATIME
+		case "nodiratime":
+			flags |= syscall.MS_NODIRATIME
+		case "bind":
+			flags |= syscall.MS_BIND
+		case "rbind":
+			flags |= syscall.MS_BIND | syscall.MS_REC
+		case "move":
+			flags |= syscall.MS_MOVE
+		case "silent":
+			flags |= syscall.MS_SILENT
+		case "acl":
+			flags |= syscall.MS_POSIXACL
+		case "private":
+			flags |= syscall.MS_PRIVATE
+		case "rprivate":
+			flags |= syscall.MS_PRIVATE | syscall.MS_REC
+		case "slave":
+			flags |= syscall.MS_SLAVE
+		case "rslave":
+			flags |= syscall.MS_SLAVE | syscall.MS_REC
+		case "shared":
+			flags |= syscall.MS_SHARED
+		case "rshared":
+			flags |= syscall.MS_SHARED | syscall.MS_REC
+		case "relatime":
+			flags |= syscall.MS_RELATIME
+		case "strictatime":
+			flags |= syscall.MS_STRICTATIME
+		default:
+			if !strings.HasPrefix(opt, "x-snapd.") {
+				unparsed = append(unparsed, opt)
+			}
+		}
+	}
+	return flags, unparsed
+}
+
+// MountOptsToFlags converts mount options strings to a mount flag.
+func MountOptsToFlags(opts []string) (flags int, err error) {
+	flags, unparsed := MountOptsToCommonFlags(opts)
+	for _, opt := range unparsed {
+		if !strings.HasPrefix(opt, "x-snapd.") {
+			return 0, fmt.Errorf("unsupported mount option: %q", opt)
+		}
+	}
+	return flags, nil
+}
+
+// OptStr returns the value part of a key=value mount option.
+// The name of the option must not contain the trailing "=" character.
+func (e *MountEntry) OptStr(name string) (string, bool) {
+	prefix := name + "="
+	for _, opt := range e.Options {
+		if strings.HasPrefix(opt, prefix) {
+			kv := strings.SplitN(opt, "=", 2)
+			return kv[1], true
+		}
+	}
+	return "", false
+}
+
+// OptBool returns true if a given mount option is present.
+func (e *MountEntry) OptBool(name string) bool {
+	for _, opt := range e.Options {
+		if opt == name {
+			return true
+		}
+	}
+	return false
+}
+
+var (
+	validModeRe      = regexp.MustCompile("^0[0-7]{3}$")
+	validUserGroupRe = regexp.MustCompile("(^[0-9]+$)")
+)
+
+// XSnapdMode returns the file mode associated with x-snapd.mode mount option.
+// If the mode is not specified explicitly then a default mode of 0755 is assumed.
+func (e *MountEntry) XSnapdMode() (os.FileMode, error) {
+	if opt, ok := e.OptStr("x-snapd.mode"); ok {
+		if !validModeRe.MatchString(opt) {
+			return 0, fmt.Errorf("cannot parse octal file mode from %q", opt)
+		}
+		var mode os.FileMode
+		n, err := fmt.Sscanf(opt, "%o", &mode)
+		if err != nil || n != 1 {
+			return 0, fmt.Errorf("cannot parse octal file mode from %q", opt)
+		}
+		return mode, nil
+	}
+	return 0755, nil
+}
+
+// XSnapdUID returns the user associated with x-snapd-user mount option.  If
+// the mode is not specified explicitly then a default "root" use is
+// returned.
+func (e *MountEntry) XSnapdUID() (uid uint64, err error) {
+	if opt, ok := e.OptStr("x-snapd.uid"); ok {
+		if !validUserGroupRe.MatchString(opt) {
+			return math.MaxUint64, fmt.Errorf("cannot parse user name %q", opt)
+		}
+		// Try to parse a numeric ID first.
+		if n, err := fmt.Sscanf(opt, "%d", &uid); n == 1 && err == nil {
+			return uid, nil
+		}
+		return uid, nil
+	}
+	return 0, nil
+}
+
+// XSnapdGID returns the user associated with x-snapd-user mount option.  If
+// the mode is not specified explicitly then a default "root" use is
+// returned.
+func (e *MountEntry) XSnapdGID() (gid uint64, err error) {
+	if opt, ok := e.OptStr("x-snapd.gid"); ok {
+		if !validUserGroupRe.MatchString(opt) {
+			return math.MaxUint64, fmt.Errorf("cannot parse group name %q", opt)
+		}
+		// Try to parse a numeric ID first.
+		if n, err := fmt.Sscanf(opt, "%d", &gid); n == 1 && err == nil {
+			return gid, nil
+		}
+		return gid, nil
+	}
+	return 0, nil
+}
+
+// XSnapdEntryID returns the identifier of a given mount enrty.
+//
+// Identifiers are kept in the x-snapd.id mount option. The value is a string
+// that identifies a mount entry and is stable across invocations of snapd. In
+// absence of that identifier the entry mount point is returned.
+func (e *MountEntry) XSnapdEntryID() string {
+	if val, ok := e.OptStr("x-snapd.id"); ok {
+		return val
+	}
+	return e.Dir
+}
+
+// XSnapdNeededBy the identifier of an entry which needs this entry to function.
+//
+// The "needed by" identifiers are kept in the x-snapd.needed-by mount option.
+// The value is a string that identifies another mount entry which, in order to
+// be feasible, has spawned one or more additional support entries. Each such
+// entry contains the needed-by attribute.
+func (e *MountEntry) XSnapdNeededBy() string {
+	val, _ := e.OptStr("x-snapd.needed-by")
+	return val
+}
+
+// XSnapdOrigin returns the origin of a given mount entry.
+//
+// Currently only "layout" entries are identified with a unique origin string.
+func (e *MountEntry) XSnapdOrigin() string {
+	val, _ := e.OptStr("x-snapd.origin")
+	return val
+}
+
+// XSnapdSynthetic returns true of a given mount entry is synthetic.
+//
+// Synthetic mount entries are created by snap-update-ns itself, separately
+// from what snapd instructed. Such entries are needed to make other things
+// possible.  They are identified by having the "x-snapd.synthetic" mount
+// option.
+func (e *MountEntry) XSnapdSynthetic() bool {
+	return e.OptBool("x-snapd.synthetic")
+}
+
+// XSnapdKind returns the kind of a given mount entry.
+//
+// There are three kinds of mount entries today: one for directories, one for
+// files and one for symlinks. The values are "", "file" and "symlink" respectively.
+//
+// Directories use the empty string (in fact they don't need the option at
+// all) as this was the default and is retained for backwards compatibility.
+func (e *MountEntry) XSnapdKind() string {
+	val, _ := e.OptStr("x-snapd.kind")
+	return val
+}
+
+// XSnapdDetach returns true if a mount entry should be detached rather than unmounted.
+//
+// Whenever we create a recursive bind mount we don't want to just unmount it
+// as it may have replicated additional mount entries. For simplicity and
+// race-free behavior we just detach such mount entries and let the kernel do
+// the rest.
+func (e *MountEntry) XSnapdDetach() bool {
+	return e.OptBool("x-snapd.detach")
+}
+
+// XSnapdSymlink returns the target for a symlink mount entry.
+//
+// For non-symlinks an empty string is returned.
+func (e *MountEntry) XSnapdSymlink() string {
+	val, _ := e.OptStr("x-snapd.symlink")
+	return val
+}
+
+// XSnapdIgnoreMissing returns true if a mount entry should be ignored
+// if the source or target are missing.
+//
+// By default, snap-update-ns will try to create missing source and
+// target paths when processing a mount entry.  In some cases, this
+// behaviour is not desired and it would be better to ignore the mount
+// entry when the source or target are missing.
+func (e *MountEntry) XSnapdIgnoreMissing() bool {
+	return e.OptBool("x-snapd.ignore-missing")
+}
+
+// XSnapdNeededBy returns the string "x-snapd.needed-by=..." with the given path appended.
+func XSnapdNeededBy(path string) string {
+	return fmt.Sprintf("x-snapd.needed-by=%s", path)
+}
+
+// XSnapdSynthetic returns the string "x-snapd.synthetic".
+func XSnapdSynthetic() string {
+	return "x-snapd.synthetic"
+}
+
+// XSnapdDetach returns the string "x-snapd.detach".
+func XSnapdDetach() string {
+	return "x-snapd.detach"
+}
+
+// XSnapdKindSymlink returns the string "x-snapd.kind=symlink".
+func XSnapdKindSymlink() string {
+	return "x-snapd.kind=symlink"
+}
+
+// XSnapdKindFile returns the string "x-snapd.kind=file".
+func XSnapdKindFile() string {
+	return "x-snapd.kind=file"
+}
+
+// XSnapdOriginLayout returns the string "x-snapd.origin=layout"
+func XSnapdOriginLayout() string {
+	return "x-snapd.origin=layout"
+}
+
+// XSnapdOriginOvername returns the string "x-snapd.origin=overname"
+func XSnapdOriginOvername() string {
+	return "x-snapd.origin=overname"
+}
+
+// XSnapdUser returns the string "x-snapd.user=%d".
+func XSnapdUser(uid uint32) string {
+	return fmt.Sprintf("x-snapd.user=%d", uid)
+}
+
+// XSnapdGroup returns the string "x-snapd.group=%d".
+func XSnapdGroup(gid uint32) string {
+	return fmt.Sprintf("x-snapd.group=%d", gid)
+}
+
+// XSnapdMode returns the string "x-snapd.mode=%#o".
+func XSnapdMode(mode uint32) string {
+	return fmt.Sprintf("x-snapd.mode=%#o", mode)
+}
+
+// XSnapdSymlink returns the string "x-snapd.symlink=%s".
+func XSnapdSymlink(oldname string) string {
+	return fmt.Sprintf("x-snapd.symlink=%s", oldname)
+}
+
+// XSnapdIgnoreMissing returns the string "x-snapd.ignore-missing".
+func XSnapdIgnoreMissing() string {
+	return "x-snapd.ignore-missing"
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountentry_linux_test.go snapd-2.37~rc1~14.04/osutil/mountentry_linux_test.go
--- snapd-2.32.3.2~14.04/osutil/mountentry_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountentry_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,434 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	"math"
+	"os"
+	"syscall"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+type entrySuite struct{}
+
+var _ = Suite(&entrySuite{})
+
+func (s *entrySuite) TestString(c *C) {
+	ent0 := osutil.MountEntry{}
+	c.Assert(ent0.String(), Equals, "none none none defaults 0 0")
+	ent1 := osutil.MountEntry{
+		Name:    "/var/snap/foo/common",
+		Dir:     "/var/snap/bar/common",
+		Options: []string{"bind"},
+	}
+	c.Assert(ent1.String(), Equals,
+		"/var/snap/foo/common /var/snap/bar/common none bind 0 0")
+	ent2 := osutil.MountEntry{
+		Name:    "/dev/sda5",
+		Dir:     "/media/foo",
+		Type:    "ext4",
+		Options: []string{"rw,noatime"},
+	}
+	c.Assert(ent2.String(), Equals, "/dev/sda5 /media/foo ext4 rw,noatime 0 0")
+	ent3 := osutil.MountEntry{
+		Name:    "/dev/sda5",
+		Dir:     "/media/My Files",
+		Type:    "ext4",
+		Options: []string{"rw,noatime"},
+	}
+	c.Assert(ent3.String(), Equals, `/dev/sda5 /media/My\040Files ext4 rw,noatime 0 0`)
+}
+
+func (s *entrySuite) TestEqual(c *C) {
+	var a, b *osutil.MountEntry
+	a = &osutil.MountEntry{}
+	b = &osutil.MountEntry{}
+	c.Assert(a.Equal(b), Equals, true)
+	a = &osutil.MountEntry{Dir: "foo"}
+	b = &osutil.MountEntry{Dir: "foo"}
+	c.Assert(a.Equal(b), Equals, true)
+	a = &osutil.MountEntry{Options: []string{"ro"}}
+	b = &osutil.MountEntry{Options: []string{"ro"}}
+	c.Assert(a.Equal(b), Equals, true)
+	a = &osutil.MountEntry{Dir: "foo"}
+	b = &osutil.MountEntry{Dir: "bar"}
+	c.Assert(a.Equal(b), Equals, false)
+	a = &osutil.MountEntry{}
+	b = &osutil.MountEntry{Options: []string{"ro"}}
+	c.Assert(a.Equal(b), Equals, false)
+	a = &osutil.MountEntry{Options: []string{"ro"}}
+	b = &osutil.MountEntry{Options: []string{"rw"}}
+	c.Assert(a.Equal(b), Equals, false)
+}
+
+// Test that typical fstab entry is parsed correctly.
+func (s *entrySuite) TestParseMountEntry1(c *C) {
+	e, err := osutil.ParseMountEntry("UUID=394f32c0-1f94-4005-9717-f9ab4a4b570b /               ext4    errors=remount-ro 0       1")
+	c.Assert(err, IsNil)
+	c.Assert(e.Name, Equals, "UUID=394f32c0-1f94-4005-9717-f9ab4a4b570b")
+	c.Assert(e.Dir, Equals, "/")
+	c.Assert(e.Type, Equals, "ext4")
+	c.Assert(e.Options, DeepEquals, []string{"errors=remount-ro"})
+	c.Assert(e.DumpFrequency, Equals, 0)
+	c.Assert(e.CheckPassNumber, Equals, 1)
+
+	e, err = osutil.ParseMountEntry("none /tmp tmpfs")
+	c.Assert(err, IsNil)
+	c.Assert(e.Name, Equals, "none")
+	c.Assert(e.Dir, Equals, "/tmp")
+	c.Assert(e.Type, Equals, "tmpfs")
+	c.Assert(e.Options, IsNil)
+	c.Assert(e.DumpFrequency, Equals, 0)
+	c.Assert(e.CheckPassNumber, Equals, 0)
+}
+
+// Test that hash inside a field value is supported.
+func (s *entrySuite) TestHashInFieldValue(c *C) {
+	e, err := osutil.ParseMountEntry("mhddfs#/mnt/dir1,/mnt/dir2 /mnt/dir fuse defaults,allow_other 0 0")
+	c.Assert(err, IsNil)
+	c.Assert(e.Name, Equals, "mhddfs#/mnt/dir1,/mnt/dir2")
+	c.Assert(e.Dir, Equals, "/mnt/dir")
+	c.Assert(e.Type, Equals, "fuse")
+	c.Assert(e.Options, DeepEquals, []string{"defaults", "allow_other"})
+	c.Assert(e.DumpFrequency, Equals, 0)
+	c.Assert(e.CheckPassNumber, Equals, 0)
+}
+
+// Test that options are parsed correctly
+func (s *entrySuite) TestParseMountEntry2(c *C) {
+	e, err := osutil.ParseMountEntry("name dir type options,comma,separated 0 0")
+	c.Assert(err, IsNil)
+	c.Assert(e.Name, Equals, "name")
+	c.Assert(e.Dir, Equals, "dir")
+	c.Assert(e.Type, Equals, "type")
+	c.Assert(e.Options, DeepEquals, []string{"options", "comma", "separated"})
+	c.Assert(e.DumpFrequency, Equals, 0)
+	c.Assert(e.CheckPassNumber, Equals, 0)
+}
+
+// Test that whitespace escape codes are honored
+func (s *entrySuite) TestParseMountEntry3(c *C) {
+	e, err := osutil.ParseMountEntry(`na\040me d\011ir ty\012pe optio\134ns 0 0`)
+	c.Assert(err, IsNil)
+	c.Assert(e.Name, Equals, "na me")
+	c.Assert(e.Dir, Equals, "d\tir")
+	c.Assert(e.Type, Equals, "ty\npe")
+	c.Assert(e.Options, DeepEquals, []string{`optio\ns`})
+	c.Assert(e.DumpFrequency, Equals, 0)
+	c.Assert(e.CheckPassNumber, Equals, 0)
+}
+
+// Test that number of fields is checked
+func (s *entrySuite) TestParseMountEntry4(c *C) {
+	for _, s := range []string{
+		"", "1", "1 2" /* skip 3, 4, 5 and 6 fields (valid case) */, "1 2 3 4 5 6 7",
+	} {
+		_, err := osutil.ParseMountEntry(s)
+		c.Assert(err, ErrorMatches, "expected between 3 and 6 fields, found [01237]")
+	}
+}
+
+// Test that integers are parsed and error checked
+func (s *entrySuite) TestParseMountEntry5(c *C) {
+	_, err := osutil.ParseMountEntry("name dir type options foo 0")
+	c.Assert(err, ErrorMatches, "cannot parse dump frequency: .*")
+	_, err = osutil.ParseMountEntry("name dir type options 0 foo")
+	c.Assert(err, ErrorMatches, "cannot parse check pass number: .*")
+}
+
+// Test that last two integer fields default to zero if not present.
+func (s *entrySuite) TestParseMountEntry6(c *C) {
+	e, err := osutil.ParseMountEntry("name dir type options")
+	c.Assert(err, IsNil)
+	c.Assert(e.DumpFrequency, Equals, 0)
+	c.Assert(e.CheckPassNumber, Equals, 0)
+
+	e, err = osutil.ParseMountEntry("name dir type options 5")
+	c.Assert(err, IsNil)
+	c.Assert(e.DumpFrequency, Equals, 5)
+	c.Assert(e.CheckPassNumber, Equals, 0)
+
+	e, err = osutil.ParseMountEntry("name dir type options 5 7")
+	c.Assert(err, IsNil)
+	c.Assert(e.DumpFrequency, Equals, 5)
+	c.Assert(e.CheckPassNumber, Equals, 7)
+}
+
+// Test (string) options -> (int) flag conversion code.
+func (s *entrySuite) TestMountOptsToFlags(c *C) {
+	flags, err := osutil.MountOptsToFlags(nil)
+	c.Assert(err, IsNil)
+	c.Assert(flags, Equals, 0)
+	flags, err = osutil.MountOptsToFlags([]string{"ro", "nodev", "nosuid"})
+	c.Assert(err, IsNil)
+	c.Assert(flags, Equals, syscall.MS_RDONLY|syscall.MS_NODEV|syscall.MS_NOSUID)
+	_, err = osutil.MountOptsToFlags([]string{"bogus"})
+	c.Assert(err, ErrorMatches, `unsupported mount option: "bogus"`)
+	// The x-snapd-prefix is reserved for non-kernel parameters that do not
+	// translate to kernel level mount flags. This is similar to systemd or
+	// udisks that use fstab options to convey additional data.
+	flags, err = osutil.MountOptsToFlags([]string{"x-snapd.foo"})
+	c.Assert(err, IsNil)
+	c.Assert(flags, Equals, 0)
+}
+
+// Test (string) options -> (int, unparsed) flag conversion code.
+func (s *entrySuite) TestMountOptsToCommonFlags(c *C) {
+	flags, unparsed := osutil.MountOptsToCommonFlags(nil)
+	c.Assert(flags, Equals, 0)
+	c.Assert(unparsed, HasLen, 0)
+	flags, unparsed = osutil.MountOptsToCommonFlags([]string{"ro", "nodev", "nosuid"})
+	c.Assert(flags, Equals, syscall.MS_RDONLY|syscall.MS_NODEV|syscall.MS_NOSUID)
+	c.Assert(unparsed, HasLen, 0)
+	flags, unparsed = osutil.MountOptsToCommonFlags([]string{"bogus"})
+	c.Assert(flags, Equals, 0)
+	c.Assert(unparsed, DeepEquals, []string{"bogus"})
+	// The x-snapd-prefix is reserved for non-kernel parameters that do not
+	// translate to kernel level mount flags. This is similar to systemd or
+	// udisks that use fstab options to convey additional data. Those are not
+	// returned as "unparsed" as we don't want to pass them to the kernel.
+	flags, unparsed = osutil.MountOptsToCommonFlags([]string{"x-snapd.foo"})
+	c.Assert(flags, Equals, 0)
+	c.Assert(unparsed, HasLen, 0)
+}
+
+func (s *entrySuite) TestOptStr(c *C) {
+	e := &osutil.MountEntry{Options: []string{"key=value"}}
+	val, ok := e.OptStr("key")
+	c.Assert(ok, Equals, true)
+	c.Assert(val, Equals, "value")
+
+	val, ok = e.OptStr("missing")
+	c.Assert(ok, Equals, false)
+	c.Assert(val, Equals, "")
+}
+
+func (s *entrySuite) TestOptBool(c *C) {
+	e := &osutil.MountEntry{Options: []string{"key"}}
+	val := e.OptBool("key")
+	c.Assert(val, Equals, true)
+
+	val = e.OptBool("missing")
+	c.Assert(val, Equals, false)
+}
+
+func (s *entrySuite) TestOptionHelpers(c *C) {
+	c.Assert(osutil.XSnapdUser(1000), Equals, "x-snapd.user=1000")
+	c.Assert(osutil.XSnapdGroup(1000), Equals, "x-snapd.group=1000")
+	c.Assert(osutil.XSnapdMode(0755), Equals, "x-snapd.mode=0755")
+	c.Assert(osutil.XSnapdSymlink("oldname"), Equals, "x-snapd.symlink=oldname")
+}
+
+func (s *entrySuite) TestXSnapdMode(c *C) {
+	// Mode has a default value.
+	e := &osutil.MountEntry{}
+	mode, err := e.XSnapdMode()
+	c.Assert(err, IsNil)
+	c.Assert(mode, Equals, os.FileMode(0755))
+
+	// Mode is parsed from the x-snapd.mode= option.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.mode=0700"}}
+	mode, err = e.XSnapdMode()
+	c.Assert(err, IsNil)
+	c.Assert(mode, Equals, os.FileMode(0700))
+
+	// Empty value is invalid.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.mode="}}
+	_, err = e.XSnapdMode()
+	c.Assert(err, ErrorMatches, `cannot parse octal file mode from ""`)
+
+	// As well as other bogus values.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.mode=pasta"}}
+	_, err = e.XSnapdMode()
+	c.Assert(err, ErrorMatches, `cannot parse octal file mode from "pasta"`)
+
+	// And even valid values with trailing garbage.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.mode=0700pasta"}}
+	mode, err = e.XSnapdMode()
+	c.Assert(err, ErrorMatches, `cannot parse octal file mode from "0700pasta"`)
+	c.Assert(mode, Equals, os.FileMode(0))
+}
+
+func (s *entrySuite) TestXSnapdUID(c *C) {
+	// User has a default value.
+	e := &osutil.MountEntry{}
+	uid, err := e.XSnapdUID()
+	c.Assert(err, IsNil)
+	c.Assert(uid, Equals, uint64(0))
+
+	// User is parsed from the x-snapd.uid= option.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.uid=root"}}
+	uid, err = e.XSnapdUID()
+	c.Assert(err, ErrorMatches, `cannot parse user name "root"`)
+	c.Assert(uid, Equals, uint64(math.MaxUint64))
+
+	// Numeric names are used as-is.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.uid=123"}}
+	uid, err = e.XSnapdUID()
+	c.Assert(err, IsNil)
+	c.Assert(uid, Equals, uint64(123))
+
+	// And even valid values with trailing garbage.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.uid=0bogus"}}
+	uid, err = e.XSnapdUID()
+	c.Assert(err, ErrorMatches, `cannot parse user name "0bogus"`)
+	c.Assert(uid, Equals, uint64(math.MaxUint64))
+}
+
+func (s *entrySuite) TestXSnapdGID(c *C) {
+	// Group has a default value.
+	e := &osutil.MountEntry{}
+	gid, err := e.XSnapdGID()
+	c.Assert(err, IsNil)
+	c.Assert(gid, Equals, uint64(0))
+
+	e = &osutil.MountEntry{Options: []string{"x-snapd.gid=root"}}
+	gid, err = e.XSnapdGID()
+	c.Assert(err, ErrorMatches, `cannot parse group name "root"`)
+	c.Assert(gid, Equals, uint64(math.MaxUint64))
+
+	// Numeric names are used as-is.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.gid=456"}}
+	gid, err = e.XSnapdGID()
+	c.Assert(err, IsNil)
+	c.Assert(gid, Equals, uint64(456))
+
+	// And even valid values with trailing garbage.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.gid=0bogus"}}
+	gid, err = e.XSnapdGID()
+	c.Assert(err, ErrorMatches, `cannot parse group name "0bogus"`)
+	c.Assert(gid, Equals, uint64(math.MaxUint64))
+}
+
+func (s *entrySuite) TestXSnapdEntryID(c *C) {
+	// Entry ID is optional and defaults to the mount point.
+	e := &osutil.MountEntry{Dir: "/foo"}
+	c.Assert(e.XSnapdEntryID(), Equals, "/foo")
+
+	// Entry ID is parsed from the x-snapd.id= option.
+	e = &osutil.MountEntry{Dir: "/foo", Options: []string{"x-snapd.id=foo"}}
+	c.Assert(e.XSnapdEntryID(), Equals, "foo")
+}
+
+func (s *entrySuite) TestXSnapdNeededBy(c *C) {
+	// The needed-by attribute is optional.
+	e := &osutil.MountEntry{}
+	c.Assert(e.XSnapdNeededBy(), Equals, "")
+
+	// The needed-by attribute parsed from the x-snapd.needed-by= option.
+	e = &osutil.MountEntry{Options: []string{"x-snap.id=foo", "x-snapd.needed-by=bar"}}
+	c.Assert(e.XSnapdNeededBy(), Equals, "bar")
+
+	// There's a helper function that returns this option string.
+	c.Assert(osutil.XSnapdNeededBy("foo"), Equals, "x-snapd.needed-by=foo")
+}
+
+func (s *entrySuite) TestXSnapdSynthetic(c *C) {
+	// Entries are not synthetic unless tagged as such.
+	e := &osutil.MountEntry{}
+	c.Assert(e.XSnapdSynthetic(), Equals, false)
+
+	// Tagging is done with x-snapd.synthetic option.
+	e = &osutil.MountEntry{Options: []string{"x-snapd.synthetic"}}
+	c.Assert(e.XSnapdSynthetic(), Equals, true)
+
+	// There's a helper function that returns this option string.
+	c.Assert(osutil.XSnapdSynthetic(), Equals, "x-snapd.synthetic")
+}
+
+func (s *entrySuite) TestXSnapdOrigin(c *C) {
+	// Entries have no origin by default.
+	e := &osutil.MountEntry{}
+	c.Assert(e.XSnapdOrigin(), Equals, "")
+
+	// Origin can be indicated with the x-snapd.origin= option.
+	e = &osutil.MountEntry{Options: []string{osutil.XSnapdOriginLayout()}}
+	c.Assert(e.XSnapdOrigin(), Equals, "layout")
+
+	// There's a helper function that returns this option string.
+	c.Assert(osutil.XSnapdOriginLayout(), Equals, "x-snapd.origin=layout")
+
+	// Origin can also indicate a parallel snap instance setup
+	e = &osutil.MountEntry{Options: []string{osutil.XSnapdOriginOvername()}}
+	c.Assert(e.XSnapdOrigin(), Equals, "overname")
+	c.Assert(osutil.XSnapdOriginOvername(), Equals, "x-snapd.origin=overname")
+}
+
+func (s *entrySuite) TestXSnapdDetach(c *C) {
+	// Entries are not detached by default.
+	e := &osutil.MountEntry{}
+	c.Assert(e.XSnapdDetach(), Equals, false)
+
+	// Detach can be requested with the x-snapd.detach option.
+	e = &osutil.MountEntry{Options: []string{osutil.XSnapdDetach()}}
+	c.Assert(e.XSnapdDetach(), Equals, true)
+
+	// There's a helper function that returns this option string.
+	c.Assert(osutil.XSnapdDetach(), Equals, "x-snapd.detach")
+}
+
+func (s *entrySuite) TestXSnapdKind(c *C) {
+	// Entries have a kind (directory, file or symlink). Directory is spelled
+	// as an empty string though, for backwards compatibility.
+	e := &osutil.MountEntry{}
+	c.Assert(e.XSnapdKind(), Equals, "")
+
+	// A bind mount entry can refer to a file using the x-snapd.kind=file option string.
+	e = &osutil.MountEntry{Options: []string{osutil.XSnapdKindFile()}}
+	c.Assert(e.XSnapdKind(), Equals, "file")
+
+	// There's a helper function that returns this option string.
+	c.Assert(osutil.XSnapdKindFile(), Equals, "x-snapd.kind=file")
+
+	// A mount entry can create a symlink by using the x-snapd.kind=symlink option string.
+	e = &osutil.MountEntry{Options: []string{osutil.XSnapdKindSymlink()}}
+	c.Assert(e.XSnapdKind(), Equals, "symlink")
+
+	// There's a helper function that returns this option string.
+	c.Assert(osutil.XSnapdKindSymlink(), Equals, "x-snapd.kind=symlink")
+}
+
+func (s *entrySuite) TestXSnapdSymlink(c *C) {
+	// Entries without the x-snapd.symlink key return an empty string
+	e := &osutil.MountEntry{}
+	c.Assert(e.XSnapdSymlink(), Equals, "")
+
+	// A mount entry can list a symlink target
+	e = &osutil.MountEntry{Options: []string{osutil.XSnapdSymlink("target")}}
+	c.Assert(e.XSnapdSymlink(), Equals, "target")
+}
+
+func (s *entrySuite) TestXSnapdIgnoreMissing(c *C) {
+	// By default entries will not have the ignore missing flag set
+	e := &osutil.MountEntry{}
+	c.Assert(e.XSnapdIgnoreMissing(), Equals, false)
+
+	// A mount entry can specify that it should be ignored if the
+	// mount source or target are missing with the
+	// x-snapd.ignore-missing option.
+	e = &osutil.MountEntry{Options: []string{osutil.XSnapdIgnoreMissing()}}
+	c.Assert(e.XSnapdIgnoreMissing(), Equals, true)
+
+	// There's a helper function that returns this option string.
+	c.Assert(osutil.XSnapdIgnoreMissing(), Equals, "x-snapd.ignore-missing")
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountentry_test.go snapd-2.37~rc1~14.04/osutil/mountentry_test.go
--- snapd-2.32.3.2~14.04/osutil/mountentry_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountentry_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,371 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil_test
-
-import (
-	"math"
-	"os"
-	"syscall"
-
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/osutil"
-)
-
-type entrySuite struct{}
-
-var _ = Suite(&entrySuite{})
-
-func (s *entrySuite) TestString(c *C) {
-	ent0 := osutil.MountEntry{}
-	c.Assert(ent0.String(), Equals, "none none none defaults 0 0")
-	ent1 := osutil.MountEntry{
-		Name:    "/var/snap/foo/common",
-		Dir:     "/var/snap/bar/common",
-		Options: []string{"bind"},
-	}
-	c.Assert(ent1.String(), Equals,
-		"/var/snap/foo/common /var/snap/bar/common none bind 0 0")
-	ent2 := osutil.MountEntry{
-		Name:    "/dev/sda5",
-		Dir:     "/media/foo",
-		Type:    "ext4",
-		Options: []string{"rw,noatime"},
-	}
-	c.Assert(ent2.String(), Equals, "/dev/sda5 /media/foo ext4 rw,noatime 0 0")
-	ent3 := osutil.MountEntry{
-		Name:    "/dev/sda5",
-		Dir:     "/media/My Files",
-		Type:    "ext4",
-		Options: []string{"rw,noatime"},
-	}
-	c.Assert(ent3.String(), Equals, `/dev/sda5 /media/My\040Files ext4 rw,noatime 0 0`)
-}
-
-func (s *entrySuite) TestEqual(c *C) {
-	var a, b *osutil.MountEntry
-	a = &osutil.MountEntry{}
-	b = &osutil.MountEntry{}
-	c.Assert(a.Equal(b), Equals, true)
-	a = &osutil.MountEntry{Dir: "foo"}
-	b = &osutil.MountEntry{Dir: "foo"}
-	c.Assert(a.Equal(b), Equals, true)
-	a = &osutil.MountEntry{Options: []string{"ro"}}
-	b = &osutil.MountEntry{Options: []string{"ro"}}
-	c.Assert(a.Equal(b), Equals, true)
-	a = &osutil.MountEntry{Dir: "foo"}
-	b = &osutil.MountEntry{Dir: "bar"}
-	c.Assert(a.Equal(b), Equals, false)
-	a = &osutil.MountEntry{}
-	b = &osutil.MountEntry{Options: []string{"ro"}}
-	c.Assert(a.Equal(b), Equals, false)
-	a = &osutil.MountEntry{Options: []string{"ro"}}
-	b = &osutil.MountEntry{Options: []string{"rw"}}
-	c.Assert(a.Equal(b), Equals, false)
-}
-
-// Test that typical fstab entry is parsed correctly.
-func (s *entrySuite) TestParseMountEntry1(c *C) {
-	e, err := osutil.ParseMountEntry("UUID=394f32c0-1f94-4005-9717-f9ab4a4b570b /               ext4    errors=remount-ro 0       1")
-	c.Assert(err, IsNil)
-	c.Assert(e.Name, Equals, "UUID=394f32c0-1f94-4005-9717-f9ab4a4b570b")
-	c.Assert(e.Dir, Equals, "/")
-	c.Assert(e.Type, Equals, "ext4")
-	c.Assert(e.Options, DeepEquals, []string{"errors=remount-ro"})
-	c.Assert(e.DumpFrequency, Equals, 0)
-	c.Assert(e.CheckPassNumber, Equals, 1)
-
-	e, err = osutil.ParseMountEntry("none /tmp tmpfs")
-	c.Assert(err, IsNil)
-	c.Assert(e.Name, Equals, "none")
-	c.Assert(e.Dir, Equals, "/tmp")
-	c.Assert(e.Type, Equals, "tmpfs")
-	c.Assert(e.Options, IsNil)
-	c.Assert(e.DumpFrequency, Equals, 0)
-	c.Assert(e.CheckPassNumber, Equals, 0)
-}
-
-// Test that hash inside a field value is supported.
-func (s *entrySuite) TestHashInFieldValue(c *C) {
-	e, err := osutil.ParseMountEntry("mhddfs#/mnt/dir1,/mnt/dir2 /mnt/dir fuse defaults,allow_other 0 0")
-	c.Assert(err, IsNil)
-	c.Assert(e.Name, Equals, "mhddfs#/mnt/dir1,/mnt/dir2")
-	c.Assert(e.Dir, Equals, "/mnt/dir")
-	c.Assert(e.Type, Equals, "fuse")
-	c.Assert(e.Options, DeepEquals, []string{"defaults", "allow_other"})
-	c.Assert(e.DumpFrequency, Equals, 0)
-	c.Assert(e.CheckPassNumber, Equals, 0)
-}
-
-// Test that options are parsed correctly
-func (s *entrySuite) TestParseMountEntry2(c *C) {
-	e, err := osutil.ParseMountEntry("name dir type options,comma,separated 0 0")
-	c.Assert(err, IsNil)
-	c.Assert(e.Name, Equals, "name")
-	c.Assert(e.Dir, Equals, "dir")
-	c.Assert(e.Type, Equals, "type")
-	c.Assert(e.Options, DeepEquals, []string{"options", "comma", "separated"})
-	c.Assert(e.DumpFrequency, Equals, 0)
-	c.Assert(e.CheckPassNumber, Equals, 0)
-}
-
-// Test that whitespace escape codes are honored
-func (s *entrySuite) TestParseMountEntry3(c *C) {
-	e, err := osutil.ParseMountEntry(`na\040me d\011ir ty\012pe optio\134ns 0 0`)
-	c.Assert(err, IsNil)
-	c.Assert(e.Name, Equals, "na me")
-	c.Assert(e.Dir, Equals, "d\tir")
-	c.Assert(e.Type, Equals, "ty\npe")
-	c.Assert(e.Options, DeepEquals, []string{`optio\ns`})
-	c.Assert(e.DumpFrequency, Equals, 0)
-	c.Assert(e.CheckPassNumber, Equals, 0)
-}
-
-// Test that number of fields is checked
-func (s *entrySuite) TestParseMountEntry4(c *C) {
-	for _, s := range []string{
-		"", "1", "1 2" /* skip 3, 4, 5 and 6 fields (valid case) */, "1 2 3 4 5 6 7",
-	} {
-		_, err := osutil.ParseMountEntry(s)
-		c.Assert(err, ErrorMatches, "expected between 3 and 6 fields, found [01237]")
-	}
-}
-
-// Test that integers are parsed and error checked
-func (s *entrySuite) TestParseMountEntry5(c *C) {
-	_, err := osutil.ParseMountEntry("name dir type options foo 0")
-	c.Assert(err, ErrorMatches, "cannot parse dump frequency: .*")
-	_, err = osutil.ParseMountEntry("name dir type options 0 foo")
-	c.Assert(err, ErrorMatches, "cannot parse check pass number: .*")
-}
-
-// Test that last two integer fields default to zero if not present.
-func (s *entrySuite) TestParseMountEntry6(c *C) {
-	e, err := osutil.ParseMountEntry("name dir type options")
-	c.Assert(err, IsNil)
-	c.Assert(e.DumpFrequency, Equals, 0)
-	c.Assert(e.CheckPassNumber, Equals, 0)
-
-	e, err = osutil.ParseMountEntry("name dir type options 5")
-	c.Assert(err, IsNil)
-	c.Assert(e.DumpFrequency, Equals, 5)
-	c.Assert(e.CheckPassNumber, Equals, 0)
-
-	e, err = osutil.ParseMountEntry("name dir type options 5 7")
-	c.Assert(err, IsNil)
-	c.Assert(e.DumpFrequency, Equals, 5)
-	c.Assert(e.CheckPassNumber, Equals, 7)
-}
-
-// Test (string) options -> (int) flag conversion code.
-func (s *entrySuite) TestMountOptsToFlags(c *C) {
-	flags, err := osutil.MountOptsToFlags(nil)
-	c.Assert(err, IsNil)
-	c.Assert(flags, Equals, 0)
-	flags, err = osutil.MountOptsToFlags([]string{"ro", "nodev", "nosuid"})
-	c.Assert(err, IsNil)
-	c.Assert(flags, Equals, syscall.MS_RDONLY|syscall.MS_NODEV|syscall.MS_NOSUID)
-	_, err = osutil.MountOptsToFlags([]string{"bogus"})
-	c.Assert(err, ErrorMatches, `unsupported mount option: "bogus"`)
-	// The x-snapd-prefix is reserved for non-kernel parameters that do not
-	// translate to kernel level mount flags. This is similar to systemd or
-	// udisks that use fstab options to convey additional data.
-	flags, err = osutil.MountOptsToFlags([]string{"x-snapd.foo"})
-	c.Assert(err, IsNil)
-	c.Assert(flags, Equals, 0)
-}
-
-// Test (string) options -> (int, unparsed) flag conversion code.
-func (s *entrySuite) TestMountOptsToCommonFlags(c *C) {
-	flags, unparsed := osutil.MountOptsToCommonFlags(nil)
-	c.Assert(flags, Equals, 0)
-	c.Assert(unparsed, HasLen, 0)
-	flags, unparsed = osutil.MountOptsToCommonFlags([]string{"ro", "nodev", "nosuid"})
-	c.Assert(flags, Equals, syscall.MS_RDONLY|syscall.MS_NODEV|syscall.MS_NOSUID)
-	c.Assert(unparsed, HasLen, 0)
-	flags, unparsed = osutil.MountOptsToCommonFlags([]string{"bogus"})
-	c.Assert(flags, Equals, 0)
-	c.Assert(unparsed, DeepEquals, []string{"bogus"})
-	// The x-snapd-prefix is reserved for non-kernel parameters that do not
-	// translate to kernel level mount flags. This is similar to systemd or
-	// udisks that use fstab options to convey additional data. Those are not
-	// returned as "unparsed" as we don't want to pass them to the kernel.
-	flags, unparsed = osutil.MountOptsToCommonFlags([]string{"x-snapd.foo"})
-	c.Assert(flags, Equals, 0)
-	c.Assert(unparsed, HasLen, 0)
-}
-
-func (s *entrySuite) TestOptStr(c *C) {
-	e := &osutil.MountEntry{Options: []string{"key=value"}}
-	val, ok := e.OptStr("key")
-	c.Assert(ok, Equals, true)
-	c.Assert(val, Equals, "value")
-
-	val, ok = e.OptStr("missing")
-	c.Assert(ok, Equals, false)
-	c.Assert(val, Equals, "")
-}
-
-func (s *entrySuite) TestOptBool(c *C) {
-	e := &osutil.MountEntry{Options: []string{"key"}}
-	val := e.OptBool("key")
-	c.Assert(val, Equals, true)
-
-	val = e.OptBool("missing")
-	c.Assert(val, Equals, false)
-}
-
-func (s *entrySuite) TestOptionHelpers(c *C) {
-	c.Assert(osutil.XSnapdKindSymlink(), Equals, "x-snapd.kind=symlink")
-	c.Assert(osutil.XSnapdKindFile(), Equals, "x-snapd.kind=file")
-	c.Assert(osutil.XSnapdUser(1000), Equals, "x-snapd.user=1000")
-	c.Assert(osutil.XSnapdGroup(1000), Equals, "x-snapd.group=1000")
-	c.Assert(osutil.XSnapdMode(0755), Equals, "x-snapd.mode=0755")
-	c.Assert(osutil.XSnapdSymlink("oldname"), Equals, "x-snapd.symlink=oldname")
-}
-
-func (s *entrySuite) TestXSnapdMode(c *C) {
-	// Mode has a default value.
-	e := &osutil.MountEntry{}
-	mode, err := e.XSnapdMode()
-	c.Assert(err, IsNil)
-	c.Assert(mode, Equals, os.FileMode(0755))
-
-	// Mode is parsed from the x-snapd.mode= option.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.mode=0700"}}
-	mode, err = e.XSnapdMode()
-	c.Assert(err, IsNil)
-	c.Assert(mode, Equals, os.FileMode(0700))
-
-	// Empty value is invalid.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.mode="}}
-	_, err = e.XSnapdMode()
-	c.Assert(err, ErrorMatches, `cannot parse octal file mode from ""`)
-
-	// As well as other bogus values.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.mode=pasta"}}
-	_, err = e.XSnapdMode()
-	c.Assert(err, ErrorMatches, `cannot parse octal file mode from "pasta"`)
-
-	// And even valid values with trailing garbage.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.mode=0700pasta"}}
-	mode, err = e.XSnapdMode()
-	c.Assert(err, ErrorMatches, `cannot parse octal file mode from "0700pasta"`)
-	c.Assert(mode, Equals, os.FileMode(0))
-}
-
-func (s *entrySuite) TestXSnapdUID(c *C) {
-	// User has a default value.
-	e := &osutil.MountEntry{}
-	uid, err := e.XSnapdUID()
-	c.Assert(err, IsNil)
-	c.Assert(uid, Equals, uint64(0))
-
-	// User is parsed from the x-snapd.uid= option.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.uid=root"}}
-	uid, err = e.XSnapdUID()
-	c.Assert(err, ErrorMatches, `cannot parse user name "root"`)
-	c.Assert(uid, Equals, uint64(math.MaxUint64))
-
-	// Numeric names are used as-is.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.uid=123"}}
-	uid, err = e.XSnapdUID()
-	c.Assert(err, IsNil)
-	c.Assert(uid, Equals, uint64(123))
-
-	// And even valid values with trailing garbage.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.uid=0bogus"}}
-	uid, err = e.XSnapdUID()
-	c.Assert(err, ErrorMatches, `cannot parse user name "0bogus"`)
-	c.Assert(uid, Equals, uint64(math.MaxUint64))
-}
-
-func (s *entrySuite) TestXSnapdGID(c *C) {
-	// Group has a default value.
-	e := &osutil.MountEntry{}
-	gid, err := e.XSnapdGID()
-	c.Assert(err, IsNil)
-	c.Assert(gid, Equals, uint64(0))
-
-	e = &osutil.MountEntry{Options: []string{"x-snapd.gid=root"}}
-	gid, err = e.XSnapdGID()
-	c.Assert(err, ErrorMatches, `cannot parse group name "root"`)
-	c.Assert(gid, Equals, uint64(math.MaxUint64))
-
-	// Numeric names are used as-is.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.gid=456"}}
-	gid, err = e.XSnapdGID()
-	c.Assert(err, IsNil)
-	c.Assert(gid, Equals, uint64(456))
-
-	// And even valid values with trailing garbage.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.gid=0bogus"}}
-	gid, err = e.XSnapdGID()
-	c.Assert(err, ErrorMatches, `cannot parse group name "0bogus"`)
-	c.Assert(gid, Equals, uint64(math.MaxUint64))
-}
-
-func (s *entrySuite) TestXSnapdEntryID(c *C) {
-	// Entry ID is optional and defaults to the mount point.
-	e := &osutil.MountEntry{Dir: "/foo"}
-	c.Assert(e.XSnapdEntryID(), Equals, "/foo")
-
-	// Entry ID is parsed from the x-snapd.id= option.
-	e = &osutil.MountEntry{Dir: "/foo", Options: []string{"x-snapd.id=foo"}}
-	c.Assert(e.XSnapdEntryID(), Equals, "foo")
-}
-
-func (s *entrySuite) TestXSnapdNeededBy(c *C) {
-	// The needed-by attribute is optional.
-	e := &osutil.MountEntry{}
-	c.Assert(e.XSnapdNeededBy(), Equals, "")
-
-	// The needed-by attribute parsed from the x-snapd.needed-by= option.
-	e = &osutil.MountEntry{Options: []string{"x-snap.id=foo", "x-snapd.needed-by=bar"}}
-	c.Assert(e.XSnapdNeededBy(), Equals, "bar")
-}
-
-func (s *entrySuite) TestXSnapdSynthetic(c *C) {
-	// Entries are not synthetic unless tagged as such.
-	e := &osutil.MountEntry{}
-	c.Assert(e.XSnapdSynthetic(), Equals, false)
-
-	// Tagging is done with x-snapd.synthetic option.
-	e = &osutil.MountEntry{Options: []string{"x-snapd.synthetic"}}
-	c.Assert(e.XSnapdSynthetic(), Equals, true)
-}
-
-func (s *entrySuite) TextXSnapdOriginLayout(c *C) {
-	c.Assert(osutil.XSnapdOriginLayout(), Equals, "x-snapd.origin=layout")
-}
-
-func (s *entrySuite) TestXSnapdOrigin(c *C) {
-	// Entries have no origin by default.
-	e := &osutil.MountEntry{}
-	c.Assert(e.XSnapdOrigin(), Equals, "")
-
-	// Origin can be indicated with the x-snapd.origin= option
-	e = &osutil.MountEntry{Options: []string{"x-snapd.origin=layout"}}
-	c.Assert(e.XSnapdOrigin(), Equals, "layout")
-
-	// The helpful helper for this constant actually works.
-	e = &osutil.MountEntry{Options: []string{osutil.XSnapdOriginLayout()}}
-	c.Assert(e.XSnapdOrigin(), Equals, "layout")
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mount.go snapd-2.37~rc1~14.04/osutil/mount.go
--- snapd-2.32.3.2~14.04/osutil/mount.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mount.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,34 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2014-2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil
-
-// IsMounted checks if a given directory is a mount point.
-func IsMounted(baseDir string) (bool, error) {
-	entries, err := LoadMountInfo(procSelfMountInfo)
-	if err != nil {
-		return false, err
-	}
-	for _, entry := range entries {
-		if baseDir == entry.MountDir {
-			return true, nil
-		}
-	}
-	return false, nil
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountinfo.go snapd-2.37~rc1~14.04/osutil/mountinfo.go
--- snapd-2.32.3.2~14.04/osutil/mountinfo.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountinfo.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,157 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil
-
-import (
-	"bufio"
-	"fmt"
-	"io"
-	"os"
-	"strconv"
-	"strings"
-)
-
-// MountInfoEntry contains data from /proc/$PID/mountinfo
-//
-// For details please refer to mountinfo documentation at
-// https://www.kernel.org/doc/Documentation/filesystems/proc.txt
-type MountInfoEntry struct {
-	MountID        int
-	ParentID       int
-	DevMajor       int
-	DevMinor       int
-	Root           string
-	MountDir       string
-	MountOptions   map[string]string
-	OptionalFields []string
-	FsType         string
-	MountSource    string
-	SuperOptions   map[string]string
-}
-
-// LoadMountInfo loads list of mounted entries from a given file.
-//
-// The file is typically ProcSelfMountInfo but any other process mount table
-// can be read the same way.
-func LoadMountInfo(fname string) ([]*MountInfoEntry, error) {
-	f, err := os.Open(fname)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-	return ReadMountInfo(f)
-}
-
-// ReadMountInfo reads and parses a mountinfo file.
-func ReadMountInfo(reader io.Reader) ([]*MountInfoEntry, error) {
-	scanner := bufio.NewScanner(reader)
-	var entries []*MountInfoEntry
-	for scanner.Scan() {
-		s := scanner.Text()
-		entry, err := ParseMountInfoEntry(s)
-		if err != nil {
-			return nil, err
-		}
-		entries = append(entries, entry)
-	}
-	if err := scanner.Err(); err != nil {
-		return nil, err
-	}
-	return entries, nil
-}
-
-// ParseMountInfoEntry parses a single line of /proc/$PID/mountinfo file.
-func ParseMountInfoEntry(s string) (*MountInfoEntry, error) {
-	var e MountInfoEntry
-	var err error
-	fields := strings.Fields(s)
-	// The format is variable-length, but at least 10 fields are mandatory.
-	// The (7) below is a list of optional field which is terminated with (8).
-	// 36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
-	// (1)(2)(3)   (4)   (5)      (6)      (7)   (8) (9)   (10)         (11)
-	if len(fields) < 10 {
-		return nil, fmt.Errorf("incorrect number of fields, expected at least 10 but found %d", len(fields))
-	}
-	// Parse MountID (decimal number).
-	e.MountID, err = strconv.Atoi(fields[0])
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse mount ID: %q", fields[0])
-	}
-	// Parse ParentID (decimal number).
-	e.ParentID, err = strconv.Atoi(fields[1])
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse parent mount ID: %q", fields[1])
-	}
-	// Parses DevMajor:DevMinor pair (decimal numbers separated by colon).
-	subFields := strings.FieldsFunc(fields[2], func(r rune) bool { return r == ':' })
-	if len(subFields) != 2 {
-		return nil, fmt.Errorf("cannot parse device major:minor number pair: %q", fields[2])
-	}
-	e.DevMajor, err = strconv.Atoi(subFields[0])
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse device major number: %q", subFields[0])
-	}
-	e.DevMinor, err = strconv.Atoi(subFields[1])
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse device minor number: %q", subFields[1])
-	}
-	// NOTE: All string fields use the same escape/unescape logic as fstab files.
-	// Parse Root, MountDir and MountOptions fields.
-	e.Root = unescape(fields[3])
-	e.MountDir = unescape(fields[4])
-	e.MountOptions = parseMountOpts(unescape(fields[5]))
-	// Optional fields are terminated with a "-" value and start
-	// after the mount options field. Skip ahead until we see the "-"
-	// marker.
-	var i int
-	for i = 6; i < len(fields) && fields[i] != "-"; i++ {
-	}
-	if i == len(fields) {
-		return nil, fmt.Errorf("list of optional fields is not terminated properly")
-	}
-	e.OptionalFields = fields[6:i]
-	for j := range e.OptionalFields {
-		e.OptionalFields[j] = unescape(e.OptionalFields[j])
-	}
-	// Parse the last three fixed fields.
-	tailFields := fields[i+1:]
-	if len(tailFields) != 3 {
-		return nil, fmt.Errorf("incorrect number of tail fields, expected 3 but found %d", len(tailFields))
-	}
-	e.FsType = unescape(tailFields[0])
-	e.MountSource = unescape(tailFields[1])
-	e.SuperOptions = parseMountOpts(unescape(tailFields[2]))
-	return &e, nil
-}
-
-func parseMountOpts(opts string) map[string]string {
-	result := make(map[string]string)
-	for _, opt := range strings.Split(opts, ",") {
-		keyValue := strings.SplitN(opt, "=", 2)
-		key := keyValue[0]
-		if len(keyValue) == 2 {
-			value := keyValue[1]
-			result[key] = value
-		} else {
-			result[key] = ""
-		}
-	}
-	return result
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountinfo_linux.go snapd-2.37~rc1~14.04/osutil/mountinfo_linux.go
--- snapd-2.32.3.2~14.04/osutil/mountinfo_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountinfo_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,202 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+// MountInfoEntry contains data from /proc/$PID/mountinfo
+//
+// For details please refer to mountinfo documentation at
+// https://www.kernel.org/doc/Documentation/filesystems/proc.txt
+type MountInfoEntry struct {
+	MountID        int
+	ParentID       int
+	DevMajor       int
+	DevMinor       int
+	Root           string
+	MountDir       string
+	MountOptions   map[string]string
+	OptionalFields []string
+	FsType         string
+	MountSource    string
+	SuperOptions   map[string]string
+}
+
+func flattenMap(m map[string]string) string {
+	keys := make([]string, 0, len(m))
+	for key := range m {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+	var buf bytes.Buffer
+	for i, key := range keys {
+		if i > 0 {
+			buf.WriteRune(',')
+		}
+		if m[key] != "" {
+			fmt.Fprintf(&buf, "%s=%s", escape(key), escape(m[key]))
+		} else {
+			buf.WriteString(escape(key))
+		}
+	}
+	return buf.String()
+}
+
+func flattenList(l []string) string {
+	var buf bytes.Buffer
+	for i, item := range l {
+		if i > 0 {
+			buf.WriteRune(',')
+		}
+		buf.WriteString(escape(item))
+	}
+	return buf.String()
+}
+
+func (mi *MountInfoEntry) String() string {
+	maybeSpace := " "
+	if len(mi.OptionalFields) == 0 {
+		maybeSpace = ""
+	}
+	return fmt.Sprintf("%d %d %d:%d %s %s %s %s%s- %s %s %s",
+		mi.MountID, mi.ParentID, mi.DevMajor, mi.DevMinor, escape(mi.Root),
+		escape(mi.MountDir), flattenMap(mi.MountOptions), flattenList(mi.OptionalFields),
+		maybeSpace, escape(mi.FsType), escape(mi.MountSource),
+		flattenMap(mi.SuperOptions))
+}
+
+// LoadMountInfo loads list of mounted entries from a given file.
+//
+// The file is typically ProcSelfMountInfo but any other process mount table
+// can be read the same way.
+func LoadMountInfo(fname string) ([]*MountInfoEntry, error) {
+	f, err := os.Open(fname)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return ReadMountInfo(f)
+}
+
+// ReadMountInfo reads and parses a mountinfo file.
+func ReadMountInfo(reader io.Reader) ([]*MountInfoEntry, error) {
+	scanner := bufio.NewScanner(reader)
+	var entries []*MountInfoEntry
+	for scanner.Scan() {
+		s := scanner.Text()
+		entry, err := ParseMountInfoEntry(s)
+		if err != nil {
+			return nil, err
+		}
+		entries = append(entries, entry)
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+	return entries, nil
+}
+
+// ParseMountInfoEntry parses a single line of /proc/$PID/mountinfo file.
+func ParseMountInfoEntry(s string) (*MountInfoEntry, error) {
+	var e MountInfoEntry
+	var err error
+	fields := strings.Fields(s)
+	// The format is variable-length, but at least 10 fields are mandatory.
+	// The (7) below is a list of optional field which is terminated with (8).
+	// 36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
+	// (1)(2)(3)   (4)   (5)      (6)      (7)   (8) (9)   (10)         (11)
+	if len(fields) < 10 {
+		return nil, fmt.Errorf("incorrect number of fields, expected at least 10 but found %d", len(fields))
+	}
+	// Parse MountID (decimal number).
+	e.MountID, err = strconv.Atoi(fields[0])
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse mount ID: %q", fields[0])
+	}
+	// Parse ParentID (decimal number).
+	e.ParentID, err = strconv.Atoi(fields[1])
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse parent mount ID: %q", fields[1])
+	}
+	// Parses DevMajor:DevMinor pair (decimal numbers separated by colon).
+	subFields := strings.FieldsFunc(fields[2], func(r rune) bool { return r == ':' })
+	if len(subFields) != 2 {
+		return nil, fmt.Errorf("cannot parse device major:minor number pair: %q", fields[2])
+	}
+	e.DevMajor, err = strconv.Atoi(subFields[0])
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse device major number: %q", subFields[0])
+	}
+	e.DevMinor, err = strconv.Atoi(subFields[1])
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse device minor number: %q", subFields[1])
+	}
+	// NOTE: All string fields use the same escape/unescape logic as fstab files.
+	// Parse Root, MountDir and MountOptions fields.
+	e.Root = unescape(fields[3])
+	e.MountDir = unescape(fields[4])
+	e.MountOptions = parseMountOpts(unescape(fields[5]))
+	// Optional fields are terminated with a "-" value and start
+	// after the mount options field. Skip ahead until we see the "-"
+	// marker.
+	var i int
+	for i = 6; i < len(fields) && fields[i] != "-"; i++ {
+	}
+	if i == len(fields) {
+		return nil, fmt.Errorf("list of optional fields is not terminated properly")
+	}
+	e.OptionalFields = fields[6:i]
+	for j := range e.OptionalFields {
+		e.OptionalFields[j] = unescape(e.OptionalFields[j])
+	}
+	// Parse the last three fixed fields.
+	tailFields := fields[i+1:]
+	if len(tailFields) != 3 {
+		return nil, fmt.Errorf("incorrect number of tail fields, expected 3 but found %d", len(tailFields))
+	}
+	e.FsType = unescape(tailFields[0])
+	e.MountSource = unescape(tailFields[1])
+	e.SuperOptions = parseMountOpts(unescape(tailFields[2]))
+	return &e, nil
+}
+
+func parseMountOpts(opts string) map[string]string {
+	result := make(map[string]string)
+	for _, opt := range strings.Split(opts, ",") {
+		keyValue := strings.SplitN(opt, "=", 2)
+		key := keyValue[0]
+		if len(keyValue) == 2 {
+			value := keyValue[1]
+			result[key] = value
+		} else {
+			result[key] = ""
+		}
+	}
+	return result
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountinfo_linux_test.go snapd-2.37~rc1~14.04/osutil/mountinfo_linux_test.go
--- snapd-2.32.3.2~14.04/osutil/mountinfo_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountinfo_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,168 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	"io/ioutil"
+	"path/filepath"
+	"strings"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+type mountinfoSuite struct{}
+
+var _ = Suite(&mountinfoSuite{})
+
+// Check that parsing the example from kernel documentation works correctly.
+func (s *mountinfoSuite) TestParseMountInfoEntry1(c *C) {
+	real := "36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue"
+	canonical := "36 35 98:0 /mnt1 /mnt2 noatime,rw master:1 - ext3 /dev/root errors=continue,rw"
+	entry, err := osutil.ParseMountInfoEntry(real)
+	c.Assert(err, IsNil)
+	c.Assert(entry.String(), Equals, canonical)
+
+	c.Assert(entry.MountID, Equals, 36)
+	c.Assert(entry.ParentID, Equals, 35)
+	c.Assert(entry.DevMajor, Equals, 98)
+	c.Assert(entry.DevMinor, Equals, 0)
+	c.Assert(entry.Root, Equals, "/mnt1")
+	c.Assert(entry.MountDir, Equals, "/mnt2")
+	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
+	c.Assert(entry.OptionalFields, DeepEquals, []string{"master:1"})
+	c.Assert(entry.FsType, Equals, "ext3")
+	c.Assert(entry.MountSource, Equals, "/dev/root")
+	c.Assert(entry.SuperOptions, DeepEquals, map[string]string{"rw": "", "errors": "continue"})
+}
+
+// Check that various combinations of optional fields are parsed correctly.
+func (s *mountinfoSuite) TestParseMountInfoEntry2(c *C) {
+	// No optional fields.
+	real := "36 35 98:0 /mnt1 /mnt2 rw,noatime - ext3 /dev/root rw,errors=continue"
+	canonical := "36 35 98:0 /mnt1 /mnt2 noatime,rw - ext3 /dev/root errors=continue,rw"
+	entry, err := osutil.ParseMountInfoEntry(real)
+	c.Assert(err, IsNil)
+	c.Assert(entry.String(), Equals, canonical)
+
+	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
+	c.Assert(entry.OptionalFields, HasLen, 0)
+	c.Assert(entry.FsType, Equals, "ext3")
+	// One optional field.
+	entry, err = osutil.ParseMountInfoEntry(
+		"36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue")
+	c.Assert(err, IsNil)
+	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
+	c.Assert(entry.OptionalFields, DeepEquals, []string{"master:1"})
+	c.Assert(entry.FsType, Equals, "ext3")
+	// Two optional fields.
+	entry, err = osutil.ParseMountInfoEntry(
+		"36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 slave:2 - ext3 /dev/root rw,errors=continue")
+	c.Assert(err, IsNil)
+	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
+	c.Assert(entry.OptionalFields, DeepEquals, []string{"master:1", "slave:2"})
+	c.Assert(entry.FsType, Equals, "ext3")
+}
+
+// Check that white-space is unescaped correctly.
+func (s *mountinfoSuite) TestParseMountInfoEntry3(c *C) {
+	real := `36 35 98:0 /mnt\0401 /mnt\0402 noatime,rw\040 mas\040ter:1 - ext\0403 /dev/ro\040ot rw\040,errors=continue`
+	canonical := `36 35 98:0 /mnt\0401 /mnt\0402 noatime,rw\040 mas\040ter:1 - ext\0403 /dev/ro\040ot errors=continue,rw\040`
+	entry, err := osutil.ParseMountInfoEntry(real)
+	c.Assert(err, IsNil)
+	c.Assert(entry.String(), Equals, canonical)
+
+	c.Assert(entry.MountID, Equals, 36)
+	c.Assert(entry.ParentID, Equals, 35)
+	c.Assert(entry.DevMajor, Equals, 98)
+	c.Assert(entry.DevMinor, Equals, 0)
+	c.Assert(entry.Root, Equals, "/mnt 1")
+	c.Assert(entry.MountDir, Equals, "/mnt 2")
+	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw ": "", "noatime": ""})
+	// This field is still escaped as it is space-separated and needs further parsing.
+	c.Assert(entry.OptionalFields, DeepEquals, []string{"mas ter:1"})
+	c.Assert(entry.FsType, Equals, "ext 3")
+	c.Assert(entry.MountSource, Equals, "/dev/ro ot")
+	c.Assert(entry.SuperOptions, DeepEquals, map[string]string{"rw ": "", "errors": "continue"})
+}
+
+// Check that various malformed entries are detected.
+func (s *mountinfoSuite) TestParseMountInfoEntry4(c *C) {
+	var err error
+	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
+	c.Assert(err, ErrorMatches, "incorrect number of tail fields, expected 3 but found 4")
+	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root")
+	c.Assert(err, ErrorMatches, "incorrect number of tail fields, expected 3 but found 2")
+	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3")
+	c.Assert(err, ErrorMatches, "incorrect number of fields, expected at least 10 but found 9")
+	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 -")
+	c.Assert(err, ErrorMatches, "incorrect number of fields, expected at least 10 but found 8")
+	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1")
+	c.Assert(err, ErrorMatches, "incorrect number of fields, expected at least 10 but found 7")
+	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 garbage1 garbage2 garbage3")
+	c.Assert(err, ErrorMatches, "list of optional fields is not terminated properly")
+	_, err = osutil.ParseMountInfoEntry("foo 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
+	c.Assert(err, ErrorMatches, `cannot parse mount ID: "foo"`)
+	_, err = osutil.ParseMountInfoEntry("36 bar 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
+	c.Assert(err, ErrorMatches, `cannot parse parent mount ID: "bar"`)
+	_, err = osutil.ParseMountInfoEntry("36 35 froz:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
+	c.Assert(err, ErrorMatches, `cannot parse device major number: "froz"`)
+	_, err = osutil.ParseMountInfoEntry("36 35 98:bot /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
+	c.Assert(err, ErrorMatches, `cannot parse device minor number: "bot"`)
+	_, err = osutil.ParseMountInfoEntry("36 35 corrupt /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
+	c.Assert(err, ErrorMatches, `cannot parse device major:minor number pair: "corrupt"`)
+}
+
+// Test that empty mountinfo is parsed without errors.
+func (s *mountinfoSuite) TestReadMountInfo1(c *C) {
+	entries, err := osutil.ReadMountInfo(strings.NewReader(""))
+	c.Assert(err, IsNil)
+	c.Assert(entries, HasLen, 0)
+}
+
+const mountInfoSample = "" +
+	"19 25 0:18 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw\n" +
+	"20 25 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw\n" +
+	"21 25 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=1937696k,nr_inodes=484424,mode=755\n"
+
+// Test that mountinfo is parsed without errors.
+func (s *mountinfoSuite) TestReadMountInfo2(c *C) {
+	entries, err := osutil.ReadMountInfo(strings.NewReader(mountInfoSample))
+	c.Assert(err, IsNil)
+	c.Assert(entries, HasLen, 3)
+}
+
+// Test that loading mountinfo from a file works as expected.
+func (s *mountinfoSuite) TestLoadMountInfo1(c *C) {
+	fname := filepath.Join(c.MkDir(), "mountinfo")
+	err := ioutil.WriteFile(fname, []byte(mountInfoSample), 0644)
+	c.Assert(err, IsNil)
+	entries, err := osutil.LoadMountInfo(fname)
+	c.Assert(err, IsNil)
+	c.Assert(entries, HasLen, 3)
+}
+
+// Test that loading mountinfo from a missing file reports an error.
+func (s *mountinfoSuite) TestLoadMountInfo2(c *C) {
+	fname := filepath.Join(c.MkDir(), "mountinfo")
+	_, err := osutil.LoadMountInfo(fname)
+	c.Assert(err, ErrorMatches, "*. no such file or directory")
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountinfo_test.go snapd-2.37~rc1~14.04/osutil/mountinfo_test.go
--- snapd-2.32.3.2~14.04/osutil/mountinfo_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountinfo_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,159 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil_test
-
-import (
-	"io/ioutil"
-	"path/filepath"
-	"strings"
-
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/osutil"
-)
-
-type mountinfoSuite struct{}
-
-var _ = Suite(&mountinfoSuite{})
-
-// Check that parsing the example from kernel documentation works correctly.
-func (s *mountinfoSuite) TestParseMountInfoEntry1(c *C) {
-	entry, err := osutil.ParseMountInfoEntry(
-		"36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue")
-	c.Assert(err, IsNil)
-	c.Assert(entry.MountID, Equals, 36)
-	c.Assert(entry.ParentID, Equals, 35)
-	c.Assert(entry.DevMajor, Equals, 98)
-	c.Assert(entry.DevMinor, Equals, 0)
-	c.Assert(entry.Root, Equals, "/mnt1")
-	c.Assert(entry.MountDir, Equals, "/mnt2")
-	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
-	c.Assert(entry.OptionalFields, DeepEquals, []string{"master:1"})
-	c.Assert(entry.FsType, Equals, "ext3")
-	c.Assert(entry.MountSource, Equals, "/dev/root")
-	c.Assert(entry.SuperOptions, DeepEquals, map[string]string{"rw": "", "errors": "continue"})
-}
-
-// Check that various combinations of optional fields are parsed correctly.
-func (s *mountinfoSuite) TestParseMountInfoEntry2(c *C) {
-	// No optional fields.
-	entry, err := osutil.ParseMountInfoEntry(
-		"36 35 98:0 /mnt1 /mnt2 rw,noatime - ext3 /dev/root rw,errors=continue")
-	c.Assert(err, IsNil)
-	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
-	c.Assert(entry.OptionalFields, HasLen, 0)
-	c.Assert(entry.FsType, Equals, "ext3")
-	// One optional field.
-	entry, err = osutil.ParseMountInfoEntry(
-		"36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue")
-	c.Assert(err, IsNil)
-	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
-	c.Assert(entry.OptionalFields, DeepEquals, []string{"master:1"})
-	c.Assert(entry.FsType, Equals, "ext3")
-	// Two optional fields.
-	entry, err = osutil.ParseMountInfoEntry(
-		"36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 slave:2 - ext3 /dev/root rw,errors=continue")
-	c.Assert(err, IsNil)
-	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw": "", "noatime": ""})
-	c.Assert(entry.OptionalFields, DeepEquals, []string{"master:1", "slave:2"})
-	c.Assert(entry.FsType, Equals, "ext3")
-}
-
-// Check that white-space is unescaped correctly.
-func (s *mountinfoSuite) TestParseMountInfoEntry3(c *C) {
-	entry, err := osutil.ParseMountInfoEntry(
-		`36 35 98:0 /mnt\0401 /mnt\0402 rw\040,noatime mas\040ter:1 - ext\0403 /dev/ro\040ot rw\040,errors=continue`)
-	c.Assert(err, IsNil)
-	c.Assert(entry.MountID, Equals, 36)
-	c.Assert(entry.ParentID, Equals, 35)
-	c.Assert(entry.DevMajor, Equals, 98)
-	c.Assert(entry.DevMinor, Equals, 0)
-	c.Assert(entry.Root, Equals, "/mnt 1")
-	c.Assert(entry.MountDir, Equals, "/mnt 2")
-	c.Assert(entry.MountOptions, DeepEquals, map[string]string{"rw ": "", "noatime": ""})
-	// This field is still escaped as it is space-separated and needs further parsing.
-	c.Assert(entry.OptionalFields, DeepEquals, []string{"mas ter:1"})
-	c.Assert(entry.FsType, Equals, "ext 3")
-	c.Assert(entry.MountSource, Equals, "/dev/ro ot")
-	c.Assert(entry.SuperOptions, DeepEquals, map[string]string{"rw ": "", "errors": "continue"})
-}
-
-// Check that various malformed entries are detected.
-func (s *mountinfoSuite) TestParseMountInfoEntry4(c *C) {
-	var err error
-	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
-	c.Assert(err, ErrorMatches, "incorrect number of tail fields, expected 3 but found 4")
-	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root")
-	c.Assert(err, ErrorMatches, "incorrect number of tail fields, expected 3 but found 2")
-	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3")
-	c.Assert(err, ErrorMatches, "incorrect number of fields, expected at least 10 but found 9")
-	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 -")
-	c.Assert(err, ErrorMatches, "incorrect number of fields, expected at least 10 but found 8")
-	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1")
-	c.Assert(err, ErrorMatches, "incorrect number of fields, expected at least 10 but found 7")
-	_, err = osutil.ParseMountInfoEntry("36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 garbage1 garbage2 garbage3")
-	c.Assert(err, ErrorMatches, "list of optional fields is not terminated properly")
-	_, err = osutil.ParseMountInfoEntry("foo 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
-	c.Assert(err, ErrorMatches, `cannot parse mount ID: "foo"`)
-	_, err = osutil.ParseMountInfoEntry("36 bar 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
-	c.Assert(err, ErrorMatches, `cannot parse parent mount ID: "bar"`)
-	_, err = osutil.ParseMountInfoEntry("36 35 froz:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
-	c.Assert(err, ErrorMatches, `cannot parse device major number: "froz"`)
-	_, err = osutil.ParseMountInfoEntry("36 35 98:bot /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
-	c.Assert(err, ErrorMatches, `cannot parse device minor number: "bot"`)
-	_, err = osutil.ParseMountInfoEntry("36 35 corrupt /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue foo")
-	c.Assert(err, ErrorMatches, `cannot parse device major:minor number pair: "corrupt"`)
-}
-
-// Test that empty mountinfo is parsed without errors.
-func (s *mountinfoSuite) TestReadMountInfo1(c *C) {
-	entries, err := osutil.ReadMountInfo(strings.NewReader(""))
-	c.Assert(err, IsNil)
-	c.Assert(entries, HasLen, 0)
-}
-
-const mountInfoSample = "" +
-	"19 25 0:18 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw\n" +
-	"20 25 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw\n" +
-	"21 25 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=1937696k,nr_inodes=484424,mode=755\n"
-
-// Test that mountinfo is parsed without errors.
-func (s *mountinfoSuite) TestReadMountInfo2(c *C) {
-	entries, err := osutil.ReadMountInfo(strings.NewReader(mountInfoSample))
-	c.Assert(err, IsNil)
-	c.Assert(entries, HasLen, 3)
-}
-
-// Test that loading mountinfo from a file works as expected.
-func (s *mountinfoSuite) TestLoadMountInfo1(c *C) {
-	fname := filepath.Join(c.MkDir(), "mountinfo")
-	err := ioutil.WriteFile(fname, []byte(mountInfoSample), 0644)
-	c.Assert(err, IsNil)
-	entries, err := osutil.LoadMountInfo(fname)
-	c.Assert(err, IsNil)
-	c.Assert(entries, HasLen, 3)
-}
-
-// Test that loading mountinfo from a missing file reports an error.
-func (s *mountinfoSuite) TestLoadMountInfo2(c *C) {
-	fname := filepath.Join(c.MkDir(), "mountinfo")
-	_, err := osutil.LoadMountInfo(fname)
-	c.Assert(err, ErrorMatches, "*. no such file or directory")
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mount_linux.go snapd-2.37~rc1~14.04/osutil/mount_linux.go
--- snapd-2.32.3.2~14.04/osutil/mount_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mount_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,34 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+// IsMounted checks if a given directory is a mount point.
+func IsMounted(baseDir string) (bool, error) {
+	entries, err := LoadMountInfo(procSelfMountInfo)
+	if err != nil {
+		return false, err
+	}
+	for _, entry := range entries {
+		if baseDir == entry.MountDir {
+			return true, nil
+		}
+	}
+	return false, nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mount_linux_test.go snapd-2.37~rc1~14.04/osutil/mount_linux_test.go
--- snapd-2.32.3.2~14.04/osutil/mount_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mount_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,63 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+type mountSuite struct{}
+
+var _ = Suite(&mountSuite{})
+
+func (s *mountSuite) TestIsMountedHappyish(c *C) {
+	// note the different optional fields
+	const content = "" +
+		"44 24 7:1 / /snap/ubuntu-core/855 rw,relatime shared:27 - squashfs /dev/loop1 ro\n" +
+		"44 24 7:1 / /snap/something/123 rw,relatime - squashfs /dev/loop2 ro\n" +
+		"44 24 7:1 / /snap/random/456 rw,relatime opt:1 shared:27 - squashfs /dev/loop1 ro\n"
+	defer osutil.MockMountInfo(content)()
+
+	mounted, err := osutil.IsMounted("/snap/ubuntu-core/855")
+	c.Check(err, IsNil)
+	c.Check(mounted, Equals, true)
+
+	mounted, err = osutil.IsMounted("/snap/something/123")
+	c.Check(err, IsNil)
+	c.Check(mounted, Equals, true)
+
+	mounted, err = osutil.IsMounted("/snap/random/456")
+	c.Check(err, IsNil)
+	c.Check(mounted, Equals, true)
+
+	mounted, err = osutil.IsMounted("/random/made/up/name")
+	c.Check(err, IsNil)
+	c.Check(mounted, Equals, false)
+}
+
+func (s *mountSuite) TestIsMountedBroken(c *C) {
+	defer osutil.MockMountInfo("44 24 7:1 ...truncated-stuff")()
+
+	mounted, err := osutil.IsMounted("/snap/ubuntu-core/855")
+	c.Check(err, ErrorMatches, "incorrect number of fields, .*")
+	c.Check(mounted, Equals, false)
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountprofile.go snapd-2.37~rc1~14.04/osutil/mountprofile.go
--- snapd-2.32.3.2~14.04/osutil/mountprofile.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountprofile.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,108 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-)
-
-// MountProfile represents an array of mount entries.
-type MountProfile struct {
-	Entries []MountEntry
-}
-
-// LoadMountProfile loads a mount profile from a given file.
-//
-// The file may be absent, in such case an empty profile is returned without errors.
-func LoadMountProfile(fname string) (*MountProfile, error) {
-	f, err := os.Open(fname)
-	if err != nil && os.IsNotExist(err) {
-		return &MountProfile{}, nil
-	}
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-	return ReadMountProfile(f)
-}
-
-// Save saves a mount profile (fstab-like) to a given file.
-// The profile is saved with an atomic write+rename+sync operation.
-func (p *MountProfile) Save(fname string) error {
-	var buf bytes.Buffer
-	if _, err := p.WriteTo(&buf); err != nil {
-		return err
-	}
-	return AtomicWriteFile(fname, buf.Bytes(), 0644, AtomicWriteFlags(0))
-}
-
-// ReadMountProfile reads and parses a mount profile.
-//
-// The supported format is described by fstab(5).
-func ReadMountProfile(reader io.Reader) (*MountProfile, error) {
-	var p MountProfile
-	scanner := bufio.NewScanner(reader)
-	for scanner.Scan() {
-		s := scanner.Text()
-		s = strings.TrimSpace(s)
-		// Skip lines that only contain a comment, that is, those that start
-		// with the '#' character (ignoring leading spaces). This specifically
-		// allows us to parse '#' inside individual fields, which the fstab(5)
-		// specification allows.
-		if strings.IndexByte(s, '#') == 0 {
-			continue
-		}
-		// Skip lines that are totally empty
-		if s == "" {
-			continue
-		}
-		entry, err := ParseMountEntry(s)
-		if err != nil {
-			return nil, err
-		}
-		p.Entries = append(p.Entries, entry)
-	}
-	if err := scanner.Err(); err != nil {
-		return nil, err
-	}
-	return &p, nil
-}
-
-// WriteTo writes a mount profile to the given writer.
-//
-// The supported format is described by fstab(5).
-// Note that there is no support for comments.
-func (p *MountProfile) WriteTo(writer io.Writer) (int64, error) {
-	var written int64
-	for i := range p.Entries {
-		var n int
-		var err error
-		if n, err = fmt.Fprintf(writer, "%s\n", p.Entries[i]); err != nil {
-			return written, err
-		}
-		written += int64(n)
-	}
-	return written, nil
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountprofile_linux.go snapd-2.37~rc1~14.04/osutil/mountprofile_linux.go
--- snapd-2.32.3.2~14.04/osutil/mountprofile_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountprofile_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,108 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+)
+
+// MountProfile represents an array of mount entries.
+type MountProfile struct {
+	Entries []MountEntry
+}
+
+// LoadMountProfile loads a mount profile from a given file.
+//
+// The file may be absent, in such case an empty profile is returned without errors.
+func LoadMountProfile(fname string) (*MountProfile, error) {
+	f, err := os.Open(fname)
+	if err != nil && os.IsNotExist(err) {
+		return &MountProfile{}, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return ReadMountProfile(f)
+}
+
+// Save saves a mount profile (fstab-like) to a given file.
+// The profile is saved with an atomic write+rename+sync operation.
+func (p *MountProfile) Save(fname string) error {
+	var buf bytes.Buffer
+	if _, err := p.WriteTo(&buf); err != nil {
+		return err
+	}
+	return AtomicWriteFile(fname, buf.Bytes(), 0644, AtomicWriteFlags(0))
+}
+
+// ReadMountProfile reads and parses a mount profile.
+//
+// The supported format is described by fstab(5).
+func ReadMountProfile(reader io.Reader) (*MountProfile, error) {
+	var p MountProfile
+	scanner := bufio.NewScanner(reader)
+	for scanner.Scan() {
+		s := scanner.Text()
+		s = strings.TrimSpace(s)
+		// Skip lines that only contain a comment, that is, those that start
+		// with the '#' character (ignoring leading spaces). This specifically
+		// allows us to parse '#' inside individual fields, which the fstab(5)
+		// specification allows.
+		if strings.IndexByte(s, '#') == 0 {
+			continue
+		}
+		// Skip lines that are totally empty
+		if s == "" {
+			continue
+		}
+		entry, err := ParseMountEntry(s)
+		if err != nil {
+			return nil, err
+		}
+		p.Entries = append(p.Entries, entry)
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+	return &p, nil
+}
+
+// WriteTo writes a mount profile to the given writer.
+//
+// The supported format is described by fstab(5).
+// Note that there is no support for comments.
+func (p *MountProfile) WriteTo(writer io.Writer) (int64, error) {
+	var written int64
+	for i := range p.Entries {
+		var n int
+		var err error
+		if n, err = fmt.Fprintf(writer, "%s\n", p.Entries[i]); err != nil {
+			return written, err
+		}
+		written += int64(n)
+	}
+	return written, nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountprofile_linux_test.go snapd-2.37~rc1~14.04/osutil/mountprofile_linux_test.go
--- snapd-2.32.3.2~14.04/osutil/mountprofile_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountprofile_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,152 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type profileSuite struct{}
+
+var _ = Suite(&profileSuite{})
+
+// Test that loading a profile from inexisting file returns an empty profile.
+func (s *profileSuite) TestLoadMountProfile1(c *C) {
+	dir := c.MkDir()
+	p, err := osutil.LoadMountProfile(filepath.Join(dir, "missing"))
+	c.Assert(err, IsNil)
+	c.Assert(p.Entries, HasLen, 0)
+}
+
+// Test that loading profile from a file works as expected.
+func (s *profileSuite) TestLoadMountProfile2(c *C) {
+	dir := c.MkDir()
+	fname := filepath.Join(dir, "existing")
+	err := ioutil.WriteFile(fname, []byte("name-1 dir-1 type-1 options-1 1 1 # 1st entry"), 0644)
+	c.Assert(err, IsNil)
+	p, err := osutil.LoadMountProfile(fname)
+	c.Assert(err, IsNil)
+	c.Assert(p.Entries, HasLen, 1)
+	c.Assert(p.Entries, DeepEquals, []osutil.MountEntry{
+		{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
+	})
+}
+
+// Test that loading profile with various comments works as expected.
+func (s *profileSuite) TestLoadMountProfile3(c *C) {
+	dir := c.MkDir()
+	fname := filepath.Join(dir, "existing")
+	err := ioutil.WriteFile(fname, []byte(`
+   # comment with leading spaces
+name#-1 dir#-1 type#-1 options#-1 1 1 # inline comment
+# comment without leading spaces
+
+
+`), 0644)
+	c.Assert(err, IsNil)
+	p, err := osutil.LoadMountProfile(fname)
+	c.Assert(err, IsNil)
+	c.Assert(p.Entries, HasLen, 1)
+	c.Assert(p.Entries, DeepEquals, []osutil.MountEntry{
+		{Name: "name#-1", Dir: "dir#-1", Type: "type#-1", Options: []string{"options#-1"}, DumpFrequency: 1, CheckPassNumber: 1},
+	})
+}
+
+// Test that saving a profile to a file works correctly.
+func (s *profileSuite) TestSaveMountProfile1(c *C) {
+	dir := c.MkDir()
+	fname := filepath.Join(dir, "profile")
+	p := &osutil.MountProfile{
+		Entries: []osutil.MountEntry{
+			{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
+		},
+	}
+	err := p.Save(fname)
+	c.Assert(err, IsNil)
+
+	stat, err := os.Stat(fname)
+	c.Assert(err, IsNil)
+	c.Assert(stat.Mode().Perm(), Equals, os.FileMode(0644))
+
+	c.Assert(fname, testutil.FileEquals, "name-1 dir-1 type-1 options-1 1 1\n")
+}
+
+// Test that empty fstab is parsed without errors
+func (s *profileSuite) TestReadMountProfile1(c *C) {
+	p, err := osutil.ReadMountProfile(strings.NewReader(""))
+	c.Assert(err, IsNil)
+	c.Assert(p.Entries, HasLen, 0)
+}
+
+// Test that '#'-comments are skipped
+func (s *profileSuite) TestReadMountProfile2(c *C) {
+	p, err := osutil.ReadMountProfile(strings.NewReader("# comment"))
+	c.Assert(err, IsNil)
+	c.Assert(p.Entries, HasLen, 0)
+}
+
+// Test that simple profile can be loaded correctly.
+func (s *profileSuite) TestReadMountProfile3(c *C) {
+	p, err := osutil.ReadMountProfile(strings.NewReader(`
+		name-1 dir-1 type-1 options-1 1 1 # 1st entry
+		name-2 dir-2 type-2 options-2 2 2 # 2nd entry`))
+	c.Assert(err, IsNil)
+	c.Assert(p.Entries, HasLen, 2)
+	c.Assert(p.Entries, DeepEquals, []osutil.MountEntry{
+		{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
+		{Name: "name-2", Dir: "dir-2", Type: "type-2", Options: []string{"options-2"}, DumpFrequency: 2, CheckPassNumber: 2},
+	})
+}
+
+// Test that writing an empty fstab file works correctly.
+func (s *profileSuite) TestWriteTo1(c *C) {
+	p := &osutil.MountProfile{}
+	var buf bytes.Buffer
+	n, err := p.WriteTo(&buf)
+	c.Assert(err, IsNil)
+	c.Assert(n, Equals, int64(0))
+	c.Assert(buf.String(), Equals, "")
+}
+
+// Test that writing an trivial fstab file works correctly.
+func (s *profileSuite) TestWriteTo2(c *C) {
+	p := &osutil.MountProfile{
+		Entries: []osutil.MountEntry{
+			{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
+			{Name: "name-2", Dir: "dir-2", Type: "type-2", Options: []string{"options-2"}, DumpFrequency: 2, CheckPassNumber: 2},
+		},
+	}
+	var buf bytes.Buffer
+	n, err := p.WriteTo(&buf)
+	c.Assert(err, IsNil)
+	c.Assert(n, Equals, int64(68))
+	c.Assert(buf.String(), Equals, ("" +
+		"name-1 dir-1 type-1 options-1 1 1\n" +
+		"name-2 dir-2 type-2 options-2 2 2\n"))
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/mountprofile_test.go snapd-2.37~rc1~14.04/osutil/mountprofile_test.go
--- snapd-2.32.3.2~14.04/osutil/mountprofile_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mountprofile_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,152 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil_test
-
-import (
-	"bytes"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/testutil"
-)
-
-type profileSuite struct{}
-
-var _ = Suite(&profileSuite{})
-
-// Test that loading a profile from inexisting file returns an empty profile.
-func (s *profileSuite) TestLoadMountProfile1(c *C) {
-	dir := c.MkDir()
-	p, err := osutil.LoadMountProfile(filepath.Join(dir, "missing"))
-	c.Assert(err, IsNil)
-	c.Assert(p.Entries, HasLen, 0)
-}
-
-// Test that loading profile from a file works as expected.
-func (s *profileSuite) TestLoadMountProfile2(c *C) {
-	dir := c.MkDir()
-	fname := filepath.Join(dir, "existing")
-	err := ioutil.WriteFile(fname, []byte("name-1 dir-1 type-1 options-1 1 1 # 1st entry"), 0644)
-	c.Assert(err, IsNil)
-	p, err := osutil.LoadMountProfile(fname)
-	c.Assert(err, IsNil)
-	c.Assert(p.Entries, HasLen, 1)
-	c.Assert(p.Entries, DeepEquals, []osutil.MountEntry{
-		{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
-	})
-}
-
-// Test that loading profile with various comments works as expected.
-func (s *profileSuite) TestLoadMountProfile3(c *C) {
-	dir := c.MkDir()
-	fname := filepath.Join(dir, "existing")
-	err := ioutil.WriteFile(fname, []byte(`
-   # comment with leading spaces
-name#-1 dir#-1 type#-1 options#-1 1 1 # inline comment
-# comment without leading spaces
-
-
-`), 0644)
-	c.Assert(err, IsNil)
-	p, err := osutil.LoadMountProfile(fname)
-	c.Assert(err, IsNil)
-	c.Assert(p.Entries, HasLen, 1)
-	c.Assert(p.Entries, DeepEquals, []osutil.MountEntry{
-		{Name: "name#-1", Dir: "dir#-1", Type: "type#-1", Options: []string{"options#-1"}, DumpFrequency: 1, CheckPassNumber: 1},
-	})
-}
-
-// Test that saving a profile to a file works correctly.
-func (s *profileSuite) TestSaveMountProfile1(c *C) {
-	dir := c.MkDir()
-	fname := filepath.Join(dir, "profile")
-	p := &osutil.MountProfile{
-		Entries: []osutil.MountEntry{
-			{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
-		},
-	}
-	err := p.Save(fname)
-	c.Assert(err, IsNil)
-
-	stat, err := os.Stat(fname)
-	c.Assert(err, IsNil)
-	c.Assert(stat.Mode().Perm(), Equals, os.FileMode(0644))
-
-	c.Assert(fname, testutil.FileEquals, "name-1 dir-1 type-1 options-1 1 1\n")
-}
-
-// Test that empty fstab is parsed without errors
-func (s *profileSuite) TestReadMountProfile1(c *C) {
-	p, err := osutil.ReadMountProfile(strings.NewReader(""))
-	c.Assert(err, IsNil)
-	c.Assert(p.Entries, HasLen, 0)
-}
-
-// Test that '#'-comments are skipped
-func (s *profileSuite) TestReadMountProfile2(c *C) {
-	p, err := osutil.ReadMountProfile(strings.NewReader("# comment"))
-	c.Assert(err, IsNil)
-	c.Assert(p.Entries, HasLen, 0)
-}
-
-// Test that simple profile can be loaded correctly.
-func (s *profileSuite) TestReadMountProfile3(c *C) {
-	p, err := osutil.ReadMountProfile(strings.NewReader(`
-		name-1 dir-1 type-1 options-1 1 1 # 1st entry
-		name-2 dir-2 type-2 options-2 2 2 # 2nd entry`))
-	c.Assert(err, IsNil)
-	c.Assert(p.Entries, HasLen, 2)
-	c.Assert(p.Entries, DeepEquals, []osutil.MountEntry{
-		{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
-		{Name: "name-2", Dir: "dir-2", Type: "type-2", Options: []string{"options-2"}, DumpFrequency: 2, CheckPassNumber: 2},
-	})
-}
-
-// Test that writing an empty fstab file works correctly.
-func (s *profileSuite) TestWriteTo1(c *C) {
-	p := &osutil.MountProfile{}
-	var buf bytes.Buffer
-	n, err := p.WriteTo(&buf)
-	c.Assert(err, IsNil)
-	c.Assert(n, Equals, int64(0))
-	c.Assert(buf.String(), Equals, "")
-}
-
-// Test that writing an trivial fstab file works correctly.
-func (s *profileSuite) TestWriteTo2(c *C) {
-	p := &osutil.MountProfile{
-		Entries: []osutil.MountEntry{
-			{Name: "name-1", Dir: "dir-1", Type: "type-1", Options: []string{"options-1"}, DumpFrequency: 1, CheckPassNumber: 1},
-			{Name: "name-2", Dir: "dir-2", Type: "type-2", Options: []string{"options-2"}, DumpFrequency: 2, CheckPassNumber: 2},
-		},
-	}
-	var buf bytes.Buffer
-	n, err := p.WriteTo(&buf)
-	c.Assert(err, IsNil)
-	c.Assert(n, Equals, int64(68))
-	c.Assert(buf.String(), Equals, ("" +
-		"name-1 dir-1 type-1 options-1 1 1\n" +
-		"name-2 dir-2 type-2 options-2 2 2\n"))
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/mount_test.go snapd-2.37~rc1~14.04/osutil/mount_test.go
--- snapd-2.32.3.2~14.04/osutil/mount_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/mount_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,63 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil_test
-
-import (
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/osutil"
-)
-
-type mountSuite struct{}
-
-var _ = Suite(&mountSuite{})
-
-func (s *mountSuite) TestIsMountedHappyish(c *C) {
-	// note the different optional fields
-	const content = "" +
-		"44 24 7:1 / /snap/ubuntu-core/855 rw,relatime shared:27 - squashfs /dev/loop1 ro\n" +
-		"44 24 7:1 / /snap/something/123 rw,relatime - squashfs /dev/loop2 ro\n" +
-		"44 24 7:1 / /snap/random/456 rw,relatime opt:1 shared:27 - squashfs /dev/loop1 ro\n"
-	defer osutil.MockMountInfo(content)()
-
-	mounted, err := osutil.IsMounted("/snap/ubuntu-core/855")
-	c.Check(err, IsNil)
-	c.Check(mounted, Equals, true)
-
-	mounted, err = osutil.IsMounted("/snap/something/123")
-	c.Check(err, IsNil)
-	c.Check(mounted, Equals, true)
-
-	mounted, err = osutil.IsMounted("/snap/random/456")
-	c.Check(err, IsNil)
-	c.Check(mounted, Equals, true)
-
-	mounted, err = osutil.IsMounted("/random/made/up/name")
-	c.Check(err, IsNil)
-	c.Check(mounted, Equals, false)
-}
-
-func (s *mountSuite) TestIsMountedBroken(c *C) {
-	defer osutil.MockMountInfo("44 24 7:1 ...truncated-stuff")()
-
-	mounted, err := osutil.IsMounted("/snap/ubuntu-core/855")
-	c.Check(err, ErrorMatches, "incorrect number of fields, .*")
-	c.Check(mounted, Equals, false)
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/nfs_darwin.go snapd-2.37~rc1~14.04/osutil/nfs_darwin.go
--- snapd-2.32.3.2~14.04/osutil/nfs_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/nfs_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,25 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+// IsHomeUsingNFS is not implemented on darwin
+func IsHomeUsingNFS() (bool, error) {
+	return false, ErrDarwin
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/nfs.go snapd-2.37~rc1~14.04/osutil/nfs.go
--- snapd-2.32.3.2~14.04/osutil/nfs.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/nfs.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,52 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil
-
-import (
-	"fmt"
-	"strings"
-)
-
-// IsHomeUsingNFS returns true if NFS mounts are defined or mounted under /home.
-//
-// Internally /proc/self/mountinfo and /etc/fstab are interrogated (for current
-// and possible mounted filesystems).  If either of those describes NFS
-// filesystem mounted under or beneath /home/ then the return value is true.
-func IsHomeUsingNFS() (bool, error) {
-	mountinfo, err := LoadMountInfo(procSelfMountInfo)
-	if err != nil {
-		return false, fmt.Errorf("cannot parse %s: %s", procSelfMountInfo, err)
-	}
-	for _, entry := range mountinfo {
-		if (entry.FsType == "nfs4" || entry.FsType == "nfs") && (strings.HasPrefix(entry.MountDir, "/home/") || entry.MountDir == "/home") {
-			return true, nil
-		}
-	}
-	fstab, err := LoadMountProfile(etcFstab)
-	if err != nil {
-		return false, fmt.Errorf("cannot parse %s: %s", etcFstab, err)
-	}
-	for _, entry := range fstab.Entries {
-		if (entry.Type == "nfs4" || entry.Type == "nfs") && (strings.HasPrefix(entry.Dir, "/home/") || entry.Dir == "/home") {
-			return true, nil
-		}
-	}
-	return false, nil
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/nfs_linux.go snapd-2.37~rc1~14.04/osutil/nfs_linux.go
--- snapd-2.32.3.2~14.04/osutil/nfs_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/nfs_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"fmt"
+	"strings"
+)
+
+// IsHomeUsingNFS returns true if NFS mounts are defined or mounted under /home.
+//
+// Internally /proc/self/mountinfo and /etc/fstab are interrogated (for current
+// and possible mounted filesystems).  If either of those describes NFS
+// filesystem mounted under or beneath /home/ then the return value is true.
+func IsHomeUsingNFS() (bool, error) {
+	mountinfo, err := LoadMountInfo(procSelfMountInfo)
+	if err != nil {
+		return false, fmt.Errorf("cannot parse %s: %s", procSelfMountInfo, err)
+	}
+	for _, entry := range mountinfo {
+		if (entry.FsType == "nfs4" || entry.FsType == "nfs") && (strings.HasPrefix(entry.MountDir, "/home/") || entry.MountDir == "/home") {
+			return true, nil
+		}
+	}
+	fstab, err := LoadMountProfile(etcFstab)
+	if err != nil {
+		return false, fmt.Errorf("cannot parse %s: %s", etcFstab, err)
+	}
+	for _, entry := range fstab.Entries {
+		if (entry.Type == "nfs4" || entry.Type == "nfs") && (strings.HasPrefix(entry.Dir, "/home/") || entry.Dir == "/home") {
+			return true, nil
+		}
+	}
+	return false, nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/nfs_linux_test.go snapd-2.37~rc1~14.04/osutil/nfs_linux_test.go
--- snapd-2.32.3.2~14.04/osutil/nfs_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/nfs_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,94 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+type nfsSuite struct{}
+
+var _ = Suite(&nfsSuite{})
+
+func (s *nfsSuite) TestIsHomeUsingNFS(c *C) {
+	cases := []struct {
+		mountinfo, fstab string
+		nfs              bool
+		errorPattern     string
+	}{{
+		// Errors from parsing mountinfo and fstab are propagated.
+		mountinfo:    "bad syntax",
+		errorPattern: "cannot parse .*/mountinfo.*, .*",
+	}, {
+		fstab:        "bad syntax",
+		errorPattern: "cannot parse .*/fstab.*, .*",
+	}, {
+		// NFSv3 {tcp,udp} and NFSv4 currently mounted at /home/zyga/nfs are recognized.
+		mountinfo: "1074 28 0:59 / /home/zyga/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=54125,mountproto=tcp,local_lock=none,addr=127.0.0.1",
+		nfs:       true,
+	}, {
+		mountinfo: "1074 28 0:59 / /home/zyga/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=udp,timeo=11,retrans=3,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=47875,mountproto=udp,local_lock=none,addr=127.0.0.1",
+		nfs:       true,
+	}, {
+		mountinfo: "680 27 0:59 / /home/zyga/nfs rw,relatime shared:478 - nfs4 localhost:/srv/nfs rw,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1",
+		nfs:       true,
+	}, {
+		// NFSv3 {tcp,udp} and NFSv4 currently mounted at /home/zyga/nfs are ignored (not in $HOME).
+		mountinfo: "1074 28 0:59 / /mnt/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=54125,mountproto=tcp,local_lock=none,addr=127.0.0.1",
+	}, {
+		mountinfo: "1074 28 0:59 / /mnt/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=udp,timeo=11,retrans=3,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=47875,mountproto=udp,local_lock=none,addr=127.0.0.1",
+	}, {
+		mountinfo: "680 27 0:59 / /mnt/nfs rw,relatime shared:478 - nfs4 localhost:/srv/nfs rw,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1",
+	}, {
+		// NFS that may be mounted at /home and /home/zyga/nfs is recognized.
+		// Two spellings are possible, "nfs" and "nfs4" (they are equivalent
+		// nowadays).
+		fstab: "localhost:/srv/nfs /home nfs defaults 0 0",
+		nfs:   true,
+	}, {
+		fstab: "localhost:/srv/nfs /home nfs4 defaults 0 0",
+		nfs:   true,
+	}, {
+		fstab: "localhost:/srv/nfs /home/zyga/nfs nfs defaults 0 0",
+		nfs:   true,
+	}, {
+		fstab: "localhost:/srv/nfs /home/zyga/nfs nfs4 defaults 0 0",
+		nfs:   true,
+	}, {
+		// NFS that may be mounted at /mnt/nfs is ignored (not in $HOME).
+		fstab: "localhost:/srv/nfs /mnt/nfs nfs defaults 0 0",
+	}}
+	for _, tc := range cases {
+		restore := osutil.MockMountInfo(tc.mountinfo)
+		defer restore()
+		restore = osutil.MockEtcFstab(tc.fstab)
+		defer restore()
+
+		nfs, err := osutil.IsHomeUsingNFS()
+		if tc.errorPattern != "" {
+			c.Assert(err, ErrorMatches, tc.errorPattern, Commentf("test case %#v", tc))
+		} else {
+			c.Assert(err, IsNil)
+		}
+		c.Assert(nfs, Equals, tc.nfs)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/nfs_test.go snapd-2.37~rc1~14.04/osutil/nfs_test.go
--- snapd-2.32.3.2~14.04/osutil/nfs_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/nfs_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,94 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2016 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil_test
-
-import (
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/osutil"
-)
-
-type nfsSuite struct{}
-
-var _ = Suite(&nfsSuite{})
-
-func (s *nfsSuite) TestIsHomeUsingNFS(c *C) {
-	cases := []struct {
-		mountinfo, fstab string
-		nfs              bool
-		errorPattern     string
-	}{{
-		// Errors from parsing mountinfo and fstab are propagated.
-		mountinfo:    "bad syntax",
-		errorPattern: "cannot parse .*/mountinfo.*, .*",
-	}, {
-		fstab:        "bad syntax",
-		errorPattern: "cannot parse .*/fstab.*, .*",
-	}, {
-		// NFSv3 {tcp,udp} and NFSv4 currently mounted at /home/zyga/nfs are recognized.
-		mountinfo: "1074 28 0:59 / /home/zyga/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=54125,mountproto=tcp,local_lock=none,addr=127.0.0.1",
-		nfs:       true,
-	}, {
-		mountinfo: "1074 28 0:59 / /home/zyga/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=udp,timeo=11,retrans=3,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=47875,mountproto=udp,local_lock=none,addr=127.0.0.1",
-		nfs:       true,
-	}, {
-		mountinfo: "680 27 0:59 / /home/zyga/nfs rw,relatime shared:478 - nfs4 localhost:/srv/nfs rw,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1",
-		nfs:       true,
-	}, {
-		// NFSv3 {tcp,udp} and NFSv4 currently mounted at /home/zyga/nfs are ignored (not in $HOME).
-		mountinfo: "1074 28 0:59 / /mnt/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=54125,mountproto=tcp,local_lock=none,addr=127.0.0.1",
-	}, {
-		mountinfo: "1074 28 0:59 / /mnt/nfs rw,relatime shared:342 - nfs localhost:/srv/nfs rw,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=udp,timeo=11,retrans=3,sec=sys,mountaddr=127.0.0.1,mountvers=3,mountport=47875,mountproto=udp,local_lock=none,addr=127.0.0.1",
-	}, {
-		mountinfo: "680 27 0:59 / /mnt/nfs rw,relatime shared:478 - nfs4 localhost:/srv/nfs rw,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1",
-	}, {
-		// NFS that may be mounted at /home and /home/zyga/nfs is recognized.
-		// Two spellings are possible, "nfs" and "nfs4" (they are equivalent
-		// nowadays).
-		fstab: "localhost:/srv/nfs /home nfs defaults 0 0",
-		nfs:   true,
-	}, {
-		fstab: "localhost:/srv/nfs /home nfs4 defaults 0 0",
-		nfs:   true,
-	}, {
-		fstab: "localhost:/srv/nfs /home/zyga/nfs nfs defaults 0 0",
-		nfs:   true,
-	}, {
-		fstab: "localhost:/srv/nfs /home/zyga/nfs nfs4 defaults 0 0",
-		nfs:   true,
-	}, {
-		// NFS that may be mounted at /mnt/nfs is ignored (not in $HOME).
-		fstab: "localhost:/srv/nfs /mnt/nfs nfs defaults 0 0",
-	}}
-	for _, tc := range cases {
-		restore := osutil.MockMountInfo(tc.mountinfo)
-		defer restore()
-		restore = osutil.MockEtcFstab(tc.fstab)
-		defer restore()
-
-		nfs, err := osutil.IsHomeUsingNFS()
-		if tc.errorPattern != "" {
-			c.Assert(err, ErrorMatches, tc.errorPattern, Commentf("test case %#v", tc))
-		} else {
-			c.Assert(err, IsNil)
-		}
-		c.Assert(nfs, Equals, tc.nfs)
-	}
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/osutil_darwin.go snapd-2.37~rc1~14.04/osutil/osutil_darwin.go
--- snapd-2.32.3.2~14.04/osutil/osutil_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/osutil_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,27 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"errors"
+)
+
+// Some things are not implemented on darwin
+var ErrDarwin = errors.New("not implemented on darwin")
diff -Nru snapd-2.32.3.2~14.04/osutil/overlay_darwin.go snapd-2.37~rc1~14.04/osutil/overlay_darwin.go
--- snapd-2.32.3.2~14.04/osutil/overlay_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/overlay_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,25 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+// IsRootWritableOverlay is not implemented on darwin
+func IsRootWritableOverlay() (string, error) {
+	return "", ErrDarwin
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/overlay.go snapd-2.37~rc1~14.04/osutil/overlay.go
--- snapd-2.32.3.2~14.04/osutil/overlay.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/overlay.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,79 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2016-2018 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil
-
-import (
-	"fmt"
-	"strings"
-)
-
-// IsRootWritableOverlay detects if the current '/' is a writable overlay
-// (fstype is 'overlay' and 'upperdir' is specified) and returns upperdir or
-// the empty string if not used.
-//
-// Debian-based LiveCD systems use 'casper' to setup the mounts, and part of
-// this setup involves running mount commands to mount / on /cow as overlay and
-// results in AppArmor seeing '/upper' as the upperdir rather than '/cow/upper'
-// as seen in mountinfo. By the time snapd is run, we don't have enough
-// information to discover /cow through mount parent ID or st_dev (maj:min).
-// While overlay doesn't use the mount source for anything itself, casper sets
-// the mount source ('/cow' with the above) for its own purposes and we can
-// leverage this by stripping the mount source from the beginning of upperdir.
-//
-// https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt
-// man 5 proc
-//
-// Currently uses variables and Mock functions from nfs.go
-func IsRootWritableOverlay() (string, error) {
-	mountinfo, err := LoadMountInfo(procSelfMountInfo)
-	if err != nil {
-		return "", fmt.Errorf("cannot parse %s: %s", procSelfMountInfo, err)
-	}
-	for _, entry := range mountinfo {
-		if entry.FsType == "overlay" && entry.MountDir == "/" {
-			if dir, ok := entry.SuperOptions["upperdir"]; ok {
-				// upperdir must be an absolute path without
-				// any AppArmor regular expression (AARE)
-				// characters or double quotes to be considered
-				if !strings.HasPrefix(dir, "/") || strings.ContainsAny(dir, `?*[]{}^"`) {
-					continue
-				}
-				// if mount source is path, strip it from dir
-				// (for casper)
-				if strings.HasPrefix(entry.MountSource, "/") {
-					dir = strings.TrimPrefix(dir, strings.TrimRight(entry.MountSource, "/"))
-				}
-
-				dir = strings.TrimRight(dir, "/")
-
-				// The resulting trimmed dir must be an
-				// absolute path that is not '/'
-				if len(dir) < 2 || !strings.HasPrefix(dir, "/") {
-					continue
-				}
-
-				// Make sure trailing slashes are predicatably
-				// missing
-				return dir, nil
-			}
-		}
-	}
-	return "", nil
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/overlay_linux.go snapd-2.37~rc1~14.04/osutil/overlay_linux.go
--- snapd-2.32.3.2~14.04/osutil/overlay_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/overlay_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,89 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"fmt"
+	"strings"
+)
+
+// IsRootWritableOverlay detects if the current '/' is a writable overlay
+// (fstype is 'overlay' and 'upperdir' is specified) and returns upperdir or
+// the empty string if not used.
+//
+// Debian-based LiveCD systems use 'casper' to setup the mounts, and part of
+// this setup involves running mount commands to mount / on /cow as overlay and
+// results in AppArmor seeing '/upper' as the upperdir rather than '/cow/upper'
+// as seen in mountinfo. By the time snapd is run, we don't have enough
+// information to discover /cow through mount parent ID or st_dev (maj:min).
+// While overlay doesn't use the mount source for anything itself, casper sets
+// the mount source ('/cow' with the above) for its own purposes and we can
+// leverage this by stripping the mount source from the beginning of upperdir.
+//
+// https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt
+// man 5 proc
+//
+// Currently uses variables and Mock functions from nfs.go
+func IsRootWritableOverlay() (string, error) {
+	mountinfo, err := LoadMountInfo(procSelfMountInfo)
+	if err != nil {
+		return "", fmt.Errorf("cannot parse %s: %s", procSelfMountInfo, err)
+	}
+	for _, entry := range mountinfo {
+		if entry.FsType == "overlay" && entry.MountDir == "/" {
+			if dir, ok := entry.SuperOptions["upperdir"]; ok {
+				// upperdir must be an absolute path without
+				// any AppArmor regular expression (AARE)
+				// characters or double quotes to be considered
+				if !strings.HasPrefix(dir, "/") || strings.ContainsAny(dir, `?*[]{}^"`) {
+					continue
+				}
+				// if mount source is path, strip it from dir
+				// (for casper)
+				if strings.HasPrefix(entry.MountSource, "/") {
+					dir = strings.TrimPrefix(dir, strings.TrimRight(entry.MountSource, "/"))
+				}
+
+				dir = strings.TrimRight(dir, "/")
+
+				// The resulting trimmed dir must be an
+				// absolute path that is not '/'
+				if len(dir) < 2 || !strings.HasPrefix(dir, "/") {
+					continue
+				}
+
+				if dir == "/media/root-rw/overlay" {
+					// On the Ubuntu server ephemeral image, '/' is setup via
+					// overlayroot (on at least 18.10), which uses a combination
+					// of overlayfs and chroot. This differs from the livecd setup
+					// so special case the detection logic to look for the known
+					// upperdir for this configuration, and return the required
+					// path. See LP: #1797218 for details.
+					return "/overlay", nil
+				}
+
+				// Make sure trailing slashes are predicatably
+				// missing
+				return dir, nil
+			}
+		}
+	}
+	return "", nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/overlay_linux_test.go snapd-2.37~rc1~14.04/osutil/overlay_linux_test.go
--- snapd-2.32.3.2~14.04/osutil/overlay_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/overlay_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,103 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+type overlaySuite struct{}
+
+var _ = Suite(&overlaySuite{})
+
+func (s *overlaySuite) TestIsRootWritableOverlay(c *C) {
+	cases := []struct {
+		mountinfo    string
+		overlay      string
+		errorPattern string
+	}{{
+		// Errors from parsing mountinfo are propagated.
+		mountinfo:    "bad syntax",
+		errorPattern: "cannot parse .*/mountinfo.*, .*",
+	}, {
+		// overlay mounted on / are recognized
+		// casper mount source /cow
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
+		overlay:   "/upper",
+	}, {
+		// casper mount source upperdir trailing slash
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper/,workdir=/cow/work",
+		overlay:   "/upper",
+	}, {
+		// casper mount source trailing slash
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow/ rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
+		overlay:   "/upper",
+	}, {
+		// non-casper mount source
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
+		overlay:   "/cow/upper",
+	}, {
+		// overlay mounted elsewhere are ignored
+		mountinfo: "31 1 0:26 /elsewhere /elsewhere rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 /elsewhere /elsewhere rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
+	}, {
+		// casper overlay which results in empty upperdir are ignored
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /upper rw,lowerdir=//filesystem.squashfs,upperdir=/upper,workdir=/cow/work",
+	}, {
+		// overlay with relative paths, AARE or double quotes are
+		// ignored
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=cow/upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad?upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad*upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad[upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad]upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad{upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad}upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad^upper,workdir=/cow/work",
+	}, {
+		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad\"upper,workdir=/cow/work",
+	}, {
+		// The special cased version for 18.10 server release
+		mountinfo: "28 0 0:24 / / rw,realtime shared:1 - overlay overlayroot rw,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_",
+		overlay:   "/overlay",
+	}}
+	for _, tc := range cases {
+		restore := osutil.MockMountInfo(tc.mountinfo)
+		defer restore()
+
+		overlay, err := osutil.IsRootWritableOverlay()
+		if tc.errorPattern != "" {
+			c.Assert(err, ErrorMatches, tc.errorPattern, Commentf("test case %#v", tc))
+		} else {
+			c.Assert(err, IsNil)
+		}
+		c.Assert(overlay, Equals, tc.overlay)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/overlay_test.go snapd-2.37~rc1~14.04/osutil/overlay_test.go
--- snapd-2.32.3.2~14.04/osutil/overlay_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/overlay_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,99 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2016-2018 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package osutil_test
-
-import (
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/osutil"
-)
-
-type overlaySuite struct{}
-
-var _ = Suite(&overlaySuite{})
-
-func (s *overlaySuite) TestIsRootWritableOverlay(c *C) {
-	cases := []struct {
-		mountinfo    string
-		overlay      string
-		errorPattern string
-	}{{
-		// Errors from parsing mountinfo are propagated.
-		mountinfo:    "bad syntax",
-		errorPattern: "cannot parse .*/mountinfo.*, .*",
-	}, {
-		// overlay mounted on / are recognized
-		// casper mount source /cow
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
-		overlay:   "/upper",
-	}, {
-		// casper mount source upperdir trailing slash
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper/,workdir=/cow/work",
-		overlay:   "/upper",
-	}, {
-		// casper mount source trailing slash
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow/ rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
-		overlay:   "/upper",
-	}, {
-		// non-casper mount source
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
-		overlay:   "/cow/upper",
-	}, {
-		// overlay mounted elsewhere are ignored
-		mountinfo: "31 1 0:26 /elsewhere /elsewhere rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 /elsewhere /elsewhere rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/upper,workdir=/cow/work",
-	}, {
-		// casper overlay which results in empty upperdir are ignored
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /upper rw,lowerdir=//filesystem.squashfs,upperdir=/upper,workdir=/cow/work",
-	}, {
-		// overlay with relative paths, AARE or double quotes are
-		// ignored
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=cow/upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad?upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad*upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay /cow rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad[upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad]upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad{upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad}upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad^upper,workdir=/cow/work",
-	}, {
-		mountinfo: "31 1 0:26 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=//filesystem.squashfs,upperdir=/cow/bad\"upper,workdir=/cow/work",
-	}}
-	for _, tc := range cases {
-		restore := osutil.MockMountInfo(tc.mountinfo)
-		defer restore()
-
-		overlay, err := osutil.IsRootWritableOverlay()
-		if tc.errorPattern != "" {
-			c.Assert(err, ErrorMatches, tc.errorPattern, Commentf("test case %#v", tc))
-		} else {
-			c.Assert(err, IsNil)
-		}
-		c.Assert(overlay, Equals, tc.overlay)
-	}
-}
diff -Nru snapd-2.32.3.2~14.04/osutil/squashfs/fstype.go snapd-2.37~rc1~14.04/osutil/squashfs/fstype.go
--- snapd-2.32.3.2~14.04/osutil/squashfs/fstype.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/squashfs/fstype.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,82 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package squashfs
+
+import (
+	"os/exec"
+	"strings"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+// useFuse detects if we should be using squashfuse instead
+var useFuse = useFuseImpl
+
+func useFuseImpl() bool {
+	if !osutil.FileExists("/dev/fuse") {
+		return false
+	}
+
+	if !osutil.ExecutableExists("squashfuse") && !osutil.ExecutableExists("snapfuse") {
+		return false
+	}
+
+	out, err := exec.Command("systemd-detect-virt", "--container").Output()
+	if err != nil {
+		return false
+	}
+
+	virt := strings.TrimSpace(string(out))
+	if virt != "none" {
+		return true
+	}
+
+	return false
+}
+
+// MockUseFuse is exported so useFuse can be overridden by testing.
+func MockUseFuse(r bool) func() {
+	oldUseFuse := useFuse
+	useFuse = func() bool {
+		return r
+	}
+	return func() { useFuse = oldUseFuse }
+}
+
+// FsType returns what fstype to use for squashfs mounts and what
+// mount options
+func FsType() (fstype string, options []string, err error) {
+	fstype = "squashfs"
+	options = []string{"ro", "x-gdu.hide"}
+
+	if useFuse() {
+		options = append(options, "allow_other")
+		switch {
+		case osutil.ExecutableExists("squashfuse"):
+			fstype = "fuse.squashfuse"
+		case osutil.ExecutableExists("snapfuse"):
+			fstype = "fuse.snapfuse"
+		default:
+			panic("cannot happen because useFuse() ensures one of the two executables is there")
+		}
+	}
+
+	return fstype, options, nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/strace/export_test.go snapd-2.37~rc1~14.04/osutil/strace/export_test.go
--- snapd-2.32.3.2~14.04/osutil/strace/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/strace/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strace
+
+var (
+	ExcludedSyscalls = excludedSyscalls
+)
+
+func (stt *ExecveTiming) ExeRuntimes() []ExeRuntime {
+	return stt.exeRuntimes
+}
+
+func (stt *ExecveTiming) AddExeRuntime(exe string, totalSec float64) {
+	stt.addExeRuntime(exe, totalSec)
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/strace/strace.go snapd-2.37~rc1~14.04/osutil/strace/strace.go
--- snapd-2.32.3.2~14.04/osutil/strace/strace.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/strace/strace.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,93 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strace
+
+import (
+	"fmt"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+)
+
+// These syscalls are excluded because they make strace hang on all or
+// some architectures (gettimeofday on arm64).
+var excludedSyscalls = "!select,pselect6,_newselect,clock_gettime,sigaltstack,gettid,gettimeofday,nanosleep"
+
+// Command returns how to run strace in the users context with the
+// right set of excluded system calls.
+func Command(extraStraceOpts []string, traceeCmd ...string) (*exec.Cmd, error) {
+	current, err := user.Current()
+	if err != nil {
+		return nil, err
+	}
+	sudoPath, err := exec.LookPath("sudo")
+	if err != nil {
+		return nil, fmt.Errorf("cannot use strace without sudo: %s", err)
+	}
+
+	// Try strace from the snap first, we use new syscalls like
+	// "_newselect" that are known to not work with the strace of e.g.
+	// ubuntu 14.04.
+	//
+	// TODO: some architectures do not have some syscalls (e.g.
+	// s390x does not have _newselect). In
+	// https://github.com/strace/strace/issues/57 options are
+	// discussed.  We could use "-e trace=?syscall" but that is
+	// only available since strace 4.17 which is not even in
+	// ubutnu 17.10.
+	var stracePath string
+	cand := filepath.Join(dirs.SnapMountDir, "strace-static", "current", "bin", "strace")
+	if osutil.FileExists(cand) {
+		stracePath = cand
+	}
+	if stracePath == "" {
+		stracePath, err = exec.LookPath("strace")
+		if err != nil {
+			return nil, fmt.Errorf("cannot find an installed strace, please try 'snap install strace-static'")
+		}
+	}
+
+	args := []string{
+		sudoPath,
+		"-E",
+		stracePath,
+		"-u", current.Username,
+		"-f",
+		"-e", excludedSyscalls,
+	}
+	args = append(args, extraStraceOpts...)
+	args = append(args, traceeCmd...)
+
+	return &exec.Cmd{
+		Path: sudoPath,
+		Args: args,
+	}, nil
+}
+
+// TraceExecCommand returns an exec.Cmd suitable for tracking timings of
+// execve{,at}() calls
+func TraceExecCommand(straceLogPath string, origCmd ...string) (*exec.Cmd, error) {
+	extraStraceOpts := []string{"-ttt", "-e", "trace=execve,execveat", "-o", fmt.Sprintf("%s", straceLogPath)}
+
+	return Command(extraStraceOpts, origCmd...)
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/strace/strace_test.go snapd-2.37~rc1~14.04/osutil/strace/strace_test.go
--- snapd-2.32.3.2~14.04/osutil/strace/strace_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/strace/strace_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,118 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strace_test
+
+import (
+	"io/ioutil"
+	"os"
+	"os/user"
+	"path/filepath"
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil/strace"
+	"github.com/snapcore/snapd/testutil"
+)
+
+// Hook up check.v1 into the "go test" runner
+func Test(t *testing.T) { TestingT(t) }
+
+type straceSuite struct {
+	rootdir    string
+	mockSudo   *testutil.MockCmd
+	mockStrace *testutil.MockCmd
+}
+
+var _ = Suite(&straceSuite{})
+
+func (s *straceSuite) SetUpTest(c *C) {
+	s.rootdir = c.MkDir()
+	dirs.SetRootDir(s.rootdir)
+
+	s.mockSudo = testutil.MockCommand(c, "sudo", "")
+	s.mockStrace = testutil.MockCommand(c, "strace", "")
+}
+
+func (s *straceSuite) TearDownTest(c *C) {
+	dirs.SetRootDir("/")
+	s.mockSudo.Restore()
+	s.mockStrace.Restore()
+}
+
+func (s *straceSuite) TestStraceCommandHappy(c *C) {
+	u, err := user.Current()
+	c.Assert(err, IsNil)
+
+	cmd, err := strace.Command(nil, "foo")
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Path, Equals, s.mockSudo.Exe())
+	c.Assert(cmd.Args, DeepEquals, []string{
+		s.mockSudo.Exe(), "-E",
+		s.mockStrace.Exe(), "-u", u.Username, "-f",
+		"-e", strace.ExcludedSyscalls,
+		// the command
+		"foo",
+	})
+}
+
+func (s *straceSuite) TestStraceCommandNoSudo(c *C) {
+	origPath := os.Getenv("PATH")
+	defer func() { os.Setenv("PATH", origPath) }()
+
+	os.Setenv("PATH", "/not-exists")
+	_, err := strace.Command(nil, "foo")
+	c.Assert(err, ErrorMatches, `cannot use strace without sudo: exec: "sudo": executable file not found in \$PATH`)
+}
+
+func (s *straceSuite) TestStraceCommandNoStrace(c *C) {
+	origPath := os.Getenv("PATH")
+	defer func() { os.Setenv("PATH", origPath) }()
+
+	tmp := c.MkDir()
+	os.Setenv("PATH", tmp)
+	err := ioutil.WriteFile(filepath.Join(tmp, "sudo"), nil, 0755)
+	c.Assert(err, IsNil)
+
+	_, err = strace.Command(nil, "foo")
+	c.Assert(err, ErrorMatches, `cannot find an installed strace, please try 'snap install strace-static'`)
+}
+
+func (s *straceSuite) TestTraceExecCommand(c *C) {
+	u, err := user.Current()
+	c.Assert(err, IsNil)
+
+	cmd, err := strace.TraceExecCommand("/run/snapd/strace.log", "cmd")
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Path, Equals, s.mockSudo.Exe())
+	c.Assert(cmd.Args, DeepEquals, []string{
+		s.mockSudo.Exe(), "-E",
+		s.mockStrace.Exe(), "-u", u.Username, "-f",
+		"-e", strace.ExcludedSyscalls,
+		// timing specific trace
+		"-ttt",
+		"-e", "trace=execve,execveat",
+		"-o", "/run/snapd/strace.log",
+		// the command
+		"cmd",
+	})
+
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/strace/timing.go snapd-2.37~rc1~14.04/osutil/strace/timing.go
--- snapd-2.32.3.2~14.04/osutil/strace/timing.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/strace/timing.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,233 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strace
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"regexp"
+	"strconv"
+)
+
+// ExeRuntime is the runtime of an individual executable
+type ExeRuntime struct {
+	Exe string
+	// FIXME: move to time.Duration
+	TotalSec float64
+}
+
+// ExecveTiming measures the execve calls timings under strace. This is
+// useful for performance analysis. It keeps the N slowest samples.
+type ExecveTiming struct {
+	TotalTime   float64
+	exeRuntimes []ExeRuntime
+
+	nSlowestSamples int
+}
+
+// NewExecveTiming returns a new ExecveTiming struct that keeps
+// the given amount of the slowest exec samples.
+func NewExecveTiming(nSlowestSamples int) *ExecveTiming {
+	return &ExecveTiming{nSlowestSamples: nSlowestSamples}
+}
+
+func (stt *ExecveTiming) addExeRuntime(exe string, totalSec float64) {
+	stt.exeRuntimes = append(stt.exeRuntimes, ExeRuntime{
+		Exe:      exe,
+		TotalSec: totalSec,
+	})
+	stt.prune()
+}
+
+// prune() ensures the number of exeRuntimes stays with the nSlowestSamples
+// limit
+func (stt *ExecveTiming) prune() {
+	for len(stt.exeRuntimes) > stt.nSlowestSamples {
+		fastest := 0
+		for idx, rt := range stt.exeRuntimes {
+			if rt.TotalSec < stt.exeRuntimes[fastest].TotalSec {
+				fastest = idx
+			}
+		}
+		// delete fastest element
+		stt.exeRuntimes = append(stt.exeRuntimes[:fastest], stt.exeRuntimes[fastest+1:]...)
+	}
+}
+
+func (stt *ExecveTiming) Display(w io.Writer) {
+	if len(stt.exeRuntimes) == 0 {
+		return
+	}
+	fmt.Fprintf(w, "Slowest %d exec calls during snap run:\n", len(stt.exeRuntimes))
+	for _, rt := range stt.exeRuntimes {
+		fmt.Fprintf(w, "  %2.3fs %s\n", rt.TotalSec, rt.Exe)
+	}
+	fmt.Fprintf(w, "Total time: %2.3fs\n", stt.TotalTime)
+}
+
+type exeStart struct {
+	start float64
+	exe   string
+}
+
+type pidTracker struct {
+	pidToExeStart map[string]exeStart
+}
+
+func newPidTracker() *pidTracker {
+	return &pidTracker{
+		pidToExeStart: make(map[string]exeStart),
+	}
+
+}
+
+func (pt *pidTracker) Get(pid string) (startTime float64, exe string) {
+	if exeStart, ok := pt.pidToExeStart[pid]; ok {
+		return exeStart.start, exeStart.exe
+	}
+	return 0, ""
+}
+
+func (pt *pidTracker) Add(pid string, startTime float64, exe string) {
+	pt.pidToExeStart[pid] = exeStart{start: startTime, exe: exe}
+}
+
+func (pt *pidTracker) Del(pid string) {
+	delete(pt.pidToExeStart, pid)
+}
+
+// lines look like:
+// PID   TIME              SYSCALL
+// 17363 1542815326.700248 execve("/snap/brave/44/usr/bin/update-mime-database", ["update-mime-database", "/home/egon/snap/brave/44/.local/"...], 0x1566008 /* 69 vars */) = 0
+var execveRE = regexp.MustCompile(`([0-9]+)\ +([0-9.]+) execve\(\"([^"]+)\"`)
+
+// lines look like:
+// PID   TIME              SYSCALL
+// 14157 1542875582.816782 execveat(3, "", ["snap-update-ns", "--from-snap-confine", "test-snapd-tools"], 0x7ffce7dd6160 /* 0 vars */, AT_EMPTY_PATH) = 0
+var execveatRE = regexp.MustCompile(`([0-9]+)\ +([0-9.]+) execveat\(.*\["([^"]+)"`)
+
+// lines look like (both SIGTERM and SIGCHLD need to be handled):
+// PID   TIME                  SIGNAL
+// 17559 1542815330.242750 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=17643, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
+var sigChldTermRE = regexp.MustCompile(`[0-9]+\ +([0-9.]+).*SIG(CHLD|TERM)\ {.*si_pid=([0-9]+),`)
+
+// all lines start with this:
+// PID   TIME
+// 21616 1542882400.198907 ....
+var timeRE = regexp.MustCompile(`[0-9]+\ +([0-9.]+).*`)
+
+func handleExecMatch(trace *ExecveTiming, pt *pidTracker, match []string) error {
+	if len(match) == 0 {
+		return nil
+	}
+	// the pid of the process that does the execve{,at}()
+	pid := match[1]
+	execStart, err := strconv.ParseFloat(match[2], 64)
+	if err != nil {
+		return err
+	}
+	exe := match[3]
+	// deal with subsequent execve()
+	if start, exe := pt.Get(pid); exe != "" {
+		trace.addExeRuntime(exe, execStart-start)
+	}
+	pt.Add(pid, execStart, exe)
+	return nil
+}
+
+func handleSignalMatch(trace *ExecveTiming, pt *pidTracker, match []string) error {
+	if len(match) == 0 {
+		return nil
+	}
+	sigTime, err := strconv.ParseFloat(match[1], 64)
+	if err != nil {
+		return err
+	}
+	sigPid := match[3]
+	if start, exe := pt.Get(sigPid); exe != "" {
+		trace.addExeRuntime(exe, sigTime-start)
+		pt.Del(sigPid)
+	}
+	return nil
+}
+
+func TraceExecveTimings(straceLog string, nSlowest int) (*ExecveTiming, error) {
+	slog, err := os.Open(straceLog)
+	if err != nil {
+		return nil, err
+	}
+	defer slog.Close()
+
+	// pidTracker maps the "pid" string to the executable
+	pidTracker := newPidTracker()
+
+	var line string
+	var start, end, tmp float64
+	trace := NewExecveTiming(nSlowest)
+	r := bufio.NewScanner(slog)
+	for r.Scan() {
+		line = r.Text()
+		if start == 0.0 {
+			if _, err := fmt.Sscanf(line, "%f %f ", &tmp, &start); err != nil {
+				return nil, fmt.Errorf("cannot parse start of exec profile: %s", err)
+			}
+		}
+		// handleExecMatch looks for execve{,at}() calls and
+		// uses the pidTracker to keep track of execution of
+		// things. Because of fork() we may see many pids and
+		// within each pid we can see multiple execve{,at}()
+		// calls.
+		// An example of pids/exec transitions:
+		// $ snap run --trace-exec test-snapd-sh -c "/bin/true"
+		//    pid 20817 execve("snap-confine")
+		//    pid 20817 execve("snap-exec")
+		//    pid 20817 execve("/snap/test-snapd-sh/x2/bin/sh")
+		//    pid 20817 execve("/bin/sh")
+		//    pid 2023  execve("/bin/true")
+		match := execveRE.FindStringSubmatch(line)
+		if err := handleExecMatch(trace, pidTracker, match); err != nil {
+			return nil, err
+		}
+		match = execveatRE.FindStringSubmatch(line)
+		if err := handleExecMatch(trace, pidTracker, match); err != nil {
+			return nil, err
+		}
+		// handleSignalMatch looks for SIG{CHLD,TERM} signals and
+		// maps them via the pidTracker to the execve{,at}() calls
+		// of the terminating PID to calculate the total time of
+		// a execve{,at}() call.
+		match = sigChldTermRE.FindStringSubmatch(line)
+		if err := handleSignalMatch(trace, pidTracker, match); err != nil {
+			return nil, err
+		}
+	}
+	if _, err := fmt.Sscanf(line, "%f %f", &tmp, &end); err != nil {
+		return nil, fmt.Errorf("cannot parse end of exec profile: %s", err)
+	}
+	trace.TotalTime = end - start
+
+	if r.Err() != nil {
+		return nil, r.Err()
+	}
+
+	return trace, nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/strace/timing_test.go snapd-2.37~rc1~14.04/osutil/strace/timing_test.go
--- snapd-2.32.3.2~14.04/osutil/strace/timing_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/strace/timing_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,137 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strace_test
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil/strace"
+)
+
+type timingSuite struct{}
+
+var _ = Suite(&timingSuite{})
+
+func (s *timingSuite) TestNewExecveTiming(c *C) {
+	et := strace.NewExecveTiming(10)
+	c.Assert(et, FitsTypeOf, &strace.ExecveTiming{})
+}
+
+func (s *timingSuite) TestDisplayExeRuntimes(c *C) {
+	// setup mock traces
+	stt := strace.NewExecveTiming(3)
+	stt.TotalTime = 2.71828
+	stt.AddExeRuntime("slow", 1.0001)
+	stt.AddExeRuntime("fast", 0.1002)
+	stt.AddExeRuntime("really-fast", 0.0301)
+	stt.AddExeRuntime("medium", 0.5003)
+
+	// display works and shows the slowest 3 calls in order
+	buf := bytes.NewBuffer(nil)
+	stt.Display(buf)
+	c.Check(buf.String(), Equals, `Slowest 3 exec calls during snap run:
+  1.000s slow
+  0.100s fast
+  0.500s medium
+Total time: 2.718s
+`)
+}
+
+func (s *timingSuite) TestExecveTimingPrunes(c *C) {
+	stt := strace.NewExecveTiming(3)
+
+	// simple cases
+	stt.AddExeRuntime("t0", 2)
+	c.Check(stt.ExeRuntimes(), HasLen, 1)
+	stt.AddExeRuntime("t1", 1)
+	c.Check(stt.ExeRuntimes(), HasLen, 2)
+	stt.AddExeRuntime("t2", 5)
+	c.Check(stt.ExeRuntimes(), HasLen, 3)
+
+	// starts pruing the fastest call, keeps order otherwise
+	stt.AddExeRuntime("t3", 4)
+	c.Check(stt.ExeRuntimes(), HasLen, 3)
+	c.Check(stt.ExeRuntimes(), DeepEquals, []strace.ExeRuntime{
+		{Exe: "t0", TotalSec: 2},
+		{Exe: "t2", TotalSec: 5},
+		{Exe: "t3", TotalSec: 4},
+	})
+
+}
+
+// generated with:
+//  sudo /usr/lib/snapd/snap-discard-ns test-snapd-tools && sudo strace -u $USER -o strace.log -f -e trace=execve,execveat -ttt test-snapd-tools.echo foo && cat strace.log
+var sampleStraceSimple = []byte(`21616 1542882400.198907 execve("/snap/bin/test-snapd-tools.echo", ["test-snapd-tools.echo", "foo"], 0x7fff7f275f48 /* 27 vars */) = 0
+21616 1542882400.204710 execve("/snap/core/current/usr/bin/snap", ["test-snapd-tools.echo", "foo"], 0xc42011c8c0 /* 27 vars */ <unfinished ...>
+21621 1542882400.204845 +++ exited with 0 +++
+21620 1542882400.204853 +++ exited with 0 +++
+21619 1542882400.204857 +++ exited with 0 +++
+21618 1542882400.204861 +++ exited with 0 +++
+21617 1542882400.204875 +++ exited with 0 +++
+21616 1542882400.205199 <... execve resumed> ) = 0
+21616 1542882400.220845 execve("/snap/core/5976/usr/lib/snapd/snap-confine", ["/snap/core/5976/usr/lib/snapd/sn"..., "snap.test-snapd-tools.echo", "/usr/lib/snapd/snap-exec", "test-snapd-tools.echo", "foo"], 0xc8200a3600 /* 41 vars */ <unfinished ...>
+21625 1542882400.220994 +++ exited with 0 +++
+21624 1542882400.220999 +++ exited with 0 +++
+21623 1542882400.221002 +++ exited with 0 +++
+21622 1542882400.221005 +++ exited with 0 +++
+21616 1542882400.221634 <... execve resumed> ) = 0
+21629 1542882400.356625 execveat(3, "", ["snap-update-ns", "--from-snap-confine", "test-snapd-tools"], 0x7ffeaf4faa40 /* 0 vars */, AT_EMPTY_PATH) = 0
+21631 1542882400.360708 +++ exited with 0 +++
+21632 1542882400.360723 +++ exited with 0 +++
+21630 1542882400.360727 +++ exited with 0 +++
+21633 1542882400.360842 +++ exited with 0 +++
+21629 1542882400.360848 +++ exited with 0 +++
+21616 1542882400.360869 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=21629, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
+21626 1542882400.375793 +++ exited with 0 +++
+21616 1542882400.375836 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=21626, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
+21616 1542882400.377349 execve("/usr/lib/snapd/snap-exec", ["/usr/lib/snapd/snap-exec", "test-snapd-tools.echo", "foo"], 0x23ebc80 /* 45 vars */) = 0
+21616 1542882400.383698 execve("/snap/test-snapd-tools/6/bin/echo", ["/snap/test-snapd-tools/6/bin/ech"..., "foo"], 0xc420072f00 /* 47 vars */ <unfinished ...>
+21638 1542882400.383855 +++ exited with 0 +++
+21637 1542882400.383862 +++ exited with 0 +++
+21636 1542882400.383877 +++ exited with 0 +++
+21634 1542882400.383884 +++ exited with 0 +++
+21635 1542882400.383890 +++ exited with 0 +++
+21616 1542882400.384105 <... execve resumed> ) = 0
+21616 1542882400.384974 +++ exited with 0 +++
+`)
+
+func (s *timingSuite) TestTraceExecveTimings(c *C) {
+	f, err := ioutil.TempFile("", "strace-extract-test-")
+	c.Assert(err, IsNil)
+	defer os.Remove(f.Name())
+	_, err = f.Write(sampleStraceSimple)
+	c.Assert(err, IsNil)
+	f.Sync()
+
+	st, err := strace.TraceExecveTimings(f.Name(), 10)
+	c.Assert(err, IsNil)
+	c.Assert(st.TotalTime, Equals, 0.1860671043395996)
+	c.Assert(st.ExeRuntimes(), DeepEquals, []strace.ExeRuntime{
+		{Exe: "/snap/bin/test-snapd-tools.echo", TotalSec: 0.005803108215332031},
+		{Exe: "/snap/core/current/usr/bin/snap", TotalSec: 0.016134977340698242},
+		{Exe: "snap-update-ns", TotalSec: 0.0042438507080078125},
+		{Exe: "/snap/core/5976/usr/lib/snapd/snap-confine", TotalSec: 0.15650391578674316},
+		{Exe: "/usr/lib/snapd/snap-exec", TotalSec: 0.006349086761474609},
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/sys/syscall.go snapd-2.37~rc1~14.04/osutil/sys/syscall.go
--- snapd-2.32.3.2~14.04/osutil/sys/syscall.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/sys/syscall.go	2019-01-16 08:36:51.000000000 +0000
@@ -89,7 +89,7 @@
 	if err != nil {
 		return err
 	}
-	_, _, errno := syscall.Syscall6(syscall.SYS_FCHOWNAT, dirfd, uintptr(unsafe.Pointer(p0)), uintptr(uid), uintptr(gid), uintptr(flags), 0)
+	_, _, errno := syscall.Syscall6(_SYS_FCHOWNAT, dirfd, uintptr(unsafe.Pointer(p0)), uintptr(uid), uintptr(gid), uintptr(flags), 0)
 	if errno == 0 {
 		return nil
 	}
diff -Nru snapd-2.32.3.2~14.04/osutil/sys/sysnum_16_linux.go snapd-2.37~rc1~14.04/osutil/sys/sysnum_16_linux.go
--- snapd-2.32.3.2~14.04/osutil/sys/sysnum_16_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/sys/sysnum_16_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,33 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+// +build arm 386
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sys
+
+import "syscall"
+
+// these are the constants for where getuid et al are 16-bit versions
+// (and so the 32 bit version is called getuid32 etc)
+
+const (
+	_SYS_GETUID  = syscall.SYS_GETUID32
+	_SYS_GETGID  = syscall.SYS_GETGID32
+	_SYS_GETEUID = syscall.SYS_GETEUID32
+	_SYS_GETEGID = syscall.SYS_GETEGID32
+)
diff -Nru snapd-2.32.3.2~14.04/osutil/sys/sysnum_32_linux.go snapd-2.37~rc1~14.04/osutil/sys/sysnum_32_linux.go
--- snapd-2.32.3.2~14.04/osutil/sys/sysnum_32_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/sys/sysnum_32_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+// +build arm64 amd64 ppc64le s390x ppc
+
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sys
+
+import "syscall"
+
+// these are the constants for where getuid et al are already 32-bit
+
+const (
+	_SYS_GETUID  = syscall.SYS_GETUID
+	_SYS_GETGID  = syscall.SYS_GETGID
+	_SYS_GETEUID = syscall.SYS_GETEUID
+	_SYS_GETEGID = syscall.SYS_GETEGID
+)
diff -Nru snapd-2.32.3.2~14.04/osutil/sys/sysnum_darwin.go snapd-2.37~rc1~14.04/osutil/sys/sysnum_darwin.go
--- snapd-2.32.3.2~14.04/osutil/sys/sysnum_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/sys/sysnum_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sys
+
+import "golang.org/x/sys/unix"
+
+const (
+	_SYS_GETUID   = unix.SYS_GETUID
+	_SYS_GETGID   = unix.SYS_GETGID
+	_SYS_GETEUID  = unix.SYS_GETEUID
+	_SYS_GETEGID  = unix.SYS_GETEGID
+	_SYS_FCHOWNAT = unix.SYS_FCHOWNAT
+)
diff -Nru snapd-2.32.3.2~14.04/osutil/sys/sysnum_getpid_16.go snapd-2.37~rc1~14.04/osutil/sys/sysnum_getpid_16.go
--- snapd-2.32.3.2~14.04/osutil/sys/sysnum_getpid_16.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/sys/sysnum_getpid_16.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,33 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-// +build arm 386
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package sys
-
-import "syscall"
-
-// these are the constants for where getuid et al are 16-bit versions
-// (and so the 32 bit version is called getuid32 etc)
-
-const (
-	_SYS_GETUID  = syscall.SYS_GETUID32
-	_SYS_GETGID  = syscall.SYS_GETGID32
-	_SYS_GETEUID = syscall.SYS_GETEUID32
-	_SYS_GETEGID = syscall.SYS_GETEGID32
-)
diff -Nru snapd-2.32.3.2~14.04/osutil/sys/sysnum_getpid_32.go snapd-2.37~rc1~14.04/osutil/sys/sysnum_getpid_32.go
--- snapd-2.32.3.2~14.04/osutil/sys/sysnum_getpid_32.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/sys/sysnum_getpid_32.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,32 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-// +build arm64 amd64 ppc64le s390x ppc
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package sys
-
-import "syscall"
-
-// these are the constants for where getuid et al are already 32-bit
-
-const (
-	_SYS_GETUID  = syscall.SYS_GETUID
-	_SYS_GETGID  = syscall.SYS_GETGID
-	_SYS_GETEUID = syscall.SYS_GETEUID
-	_SYS_GETEGID = syscall.SYS_GETEGID
-)
diff -Nru snapd-2.32.3.2~14.04/osutil/sys/sysnum_linux.go snapd-2.37~rc1~14.04/osutil/sys/sysnum_linux.go
--- snapd-2.32.3.2~14.04/osutil/sys/sysnum_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/sys/sysnum_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,26 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sys
+
+import "syscall"
+
+const (
+	_SYS_FCHOWNAT = syscall.SYS_FCHOWNAT
+)
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/crawler/device.go snapd-2.37~rc1~14.04/osutil/udev/crawler/device.go
--- snapd-2.32.3.2~14.04/osutil/udev/crawler/device.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/crawler/device.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,112 @@
+package crawler
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/snapcore/snapd/osutil/udev/netlink"
+)
+
+const (
+	BASE_DEVPATH = "/sys/devices"
+)
+
+type Device struct {
+	KObj string
+	Env  map[string]string
+}
+
+// ExistingDevices return all plugged devices matched by the matcher
+// All uevent files inside /sys/devices is crawled to match right env values
+func ExistingDevices(queue chan Device, errors chan error, matcher netlink.Matcher) chan struct{} {
+	quit := make(chan struct{}, 1)
+
+	if matcher != nil {
+		if err := matcher.Compile(); err != nil {
+			errors <- fmt.Errorf("Wrong matcher, err: %v", err)
+			quit <- struct{}{}
+			return quit
+		}
+	}
+
+	go func() {
+		err := filepath.Walk(BASE_DEVPATH, func(path string, info os.FileInfo, err error) error {
+			select {
+			case <-quit:
+				return fmt.Errorf("abort signal receive")
+			default:
+				if err != nil {
+					return err
+				}
+
+				if info.IsDir() || info.Name() != "uevent" {
+					return nil
+				}
+
+				env, err := getEventFromUEventFile(path)
+				if err != nil {
+					return err
+				}
+
+				kObj := filepath.Dir(path)
+
+				// Append to env subsystem if existing
+				if link, err := os.Readlink(kObj + "/subsystem"); err == nil {
+					env["SUBSYSTEM"] = filepath.Base(link)
+				}
+
+				if matcher == nil || matcher.EvaluateEnv(env) {
+
+					queue <- Device{
+						KObj: kObj,
+						Env:  env,
+					}
+				}
+				return nil
+			}
+		})
+
+		if err != nil {
+			errors <- err
+		}
+		close(queue)
+	}()
+	return quit
+}
+
+// getEventFromUEventFile return all env var define in file
+// syntax: name=value for each line
+// Fonction use for /sys/.../uevent files
+func getEventFromUEventFile(path string) (rv map[string]string, err error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+
+	defer f.Close()
+
+	data, err := ioutil.ReadAll(f)
+	if err != nil {
+		return nil, err
+	}
+
+	rv = make(map[string]string, 0)
+	buf := bufio.NewScanner(bytes.NewBuffer(data))
+
+	var line string
+	for buf.Scan() {
+		line = buf.Text()
+		field := strings.SplitN(line, "=", 2)
+		if len(field) != 2 {
+			return
+		}
+		rv[field[0]] = field[1]
+	}
+
+	return
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/LICENSE snapd-2.37~rc1~14.04/osutil/udev/LICENSE
--- snapd-2.32.3.2~14.04/osutil/udev/LICENSE	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/LICENSE	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    {one line to give the program's name and a brief idea of what it does.}
+    Copyright (C) {year}  {name of author}
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    {project}  Copyright (C) {year}  {fullname}
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/main.go.sample snapd-2.37~rc1~14.04/osutil/udev/main.go.sample
--- snapd-2.32.3.2~14.04/osutil/udev/main.go.sample	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/main.go.sample	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,145 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/snapcore/snapd/osutil/udev/crawler"
+	"github.com/snapcore/snapd/osutil/udev/netlink"
+
+	"github.com/kr/pretty"
+)
+
+var (
+	filePath              *string
+	monitorMode, infoMode *bool
+)
+
+func init() {
+	filePath = flag.String("file", "", "Optionnal input file path with matcher-rules (default: no matcher)")
+	monitorMode = flag.Bool("monitor", false, "Enable monitor mode")
+	infoMode = flag.Bool("info", false, "Enable crawler mode")
+}
+
+func main() {
+	flag.Parse()
+
+	matcher, err := getOptionnalMatcher()
+	if err != nil {
+		log.Fatalln(err.Error())
+	}
+
+	if monitorMode == nil && infoMode == nil {
+		log.Fatalln("You should use only one mode:", os.Args[0], "-monitor|-info")
+	}
+
+	if (monitorMode != nil && *monitorMode) && (infoMode != nil && *infoMode) {
+		log.Fatalln("Unable to enable both mode : monitor & info")
+	}
+
+	if *monitorMode {
+		monitor(matcher)
+	}
+
+	if *infoMode {
+		info(matcher)
+	}
+}
+
+// info run info mode
+func info(matcher netlink.Matcher) {
+	log.Println("Get existing devices...")
+
+	queue := make(chan crawler.Device)
+	errors := make(chan error)
+	quit := crawler.ExistingDevices(queue, errors, matcher)
+
+	// Signal handler to quit properly monitor mode
+	signals := make(chan os.Signal, 1)
+	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
+	go func() {
+		<-signals
+		log.Println("Exiting info mode...")
+		quit <- struct{}{}
+		os.Exit(0)
+	}()
+
+	// Handling message from queue
+	for {
+		select {
+		case device, more := <-queue:
+			if !more {
+				log.Printf("Finished processing existing devices\n")
+				return
+			}
+			log.Printf("Detect device at %s with env %v\n", device.KObj, device.Env)
+		case err := <-errors:
+			log.Printf("ERROR: %v", err)
+		}
+	}
+}
+
+// monitor run monitor mode
+func monitor(matcher netlink.Matcher) {
+	log.Println("Monitoring UEvent kernel message to user-space...")
+
+	conn := new(netlink.UEventConn)
+	if err := conn.Connect(netlink.UdevEvent); err != nil {
+		log.Fatalln("Unable to connect to Netlink Kobject UEvent socket")
+	}
+	defer conn.Close()
+
+	queue := make(chan netlink.UEvent)
+	errors := make(chan error)
+	quit := conn.Monitor(queue, errors, matcher)
+
+	// Signal handler to quit properly monitor mode
+	signals := make(chan os.Signal, 1)
+	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
+	go func() {
+		<-signals
+		log.Println("Exiting monitor mode...")
+		quit <- struct{}{}
+		os.Exit(0)
+	}()
+
+	// Handling message from queue
+	for {
+		select {
+		case uevent := <-queue:
+			log.Printf("Handle %s\n", pretty.Sprint(uevent))
+		case err := <-errors:
+			log.Printf("ERROR: %v", err)
+		}
+	}
+
+}
+
+// getOptionnalMatcher Parse and load config file which contains rules for matching
+func getOptionnalMatcher() (matcher netlink.Matcher, err error) {
+	if filePath == nil || *filePath == "" {
+		return nil, nil
+	}
+
+	stream, err := ioutil.ReadFile(*filePath)
+	if err != nil {
+		return nil, err
+	}
+
+	if stream == nil {
+		return nil, fmt.Errorf("Empty, no rules provided in \"%s\", err: %s", *filePath, err.Error())
+	}
+
+	var rules netlink.RuleDefinitions
+	if err := json.Unmarshal(stream, &rules); err != nil {
+		return nil, fmt.Errorf("Wrong rule syntax in \"%s\", err: %s", *filePath, err.Error())
+	}
+
+	return &rules, nil
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/matcher.sample snapd-2.37~rc1~14.04/osutil/udev/matcher.sample
--- snapd-2.32.3.2~14.04/osutil/udev/matcher.sample	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/matcher.sample	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,21 @@
+{
+	"rules": [
+		{
+			"action": "^ad+$", 
+			"env": {
+				"SUBSYSTEM": "^usb.*"
+			}
+		},
+		{
+			"action": "remove", 
+			"env": {
+				"SUBSYSTEM": "^usb.*"
+			}
+		},
+		{
+			"env": {
+				"DEVTYPE": "usb_interface"
+			}
+		}
+	]
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/netlink/conn.go snapd-2.37~rc1~14.04/osutil/udev/netlink/conn.go
--- snapd-2.32.3.2~14.04/osutil/udev/netlink/conn.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/netlink/conn.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,137 @@
+package netlink
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+)
+
+type Mode int
+
+// Mode determines event source: kernel events or udev-processed events.
+// See libudev/libudev-monitor.c.
+const (
+	KernelEvent Mode = 1
+	// Events that are processed by udev - much richer, with more attributes (such as vendor info, serial numbers and more).
+	UdevEvent Mode = 2
+)
+
+// Generic connection
+type NetlinkConn struct {
+	Fd   int
+	Addr syscall.SockaddrNetlink
+}
+
+type UEventConn struct {
+	NetlinkConn
+}
+
+// Connect allow to connect to system socket AF_NETLINK with family NETLINK_KOBJECT_UEVENT to
+// catch events about block/char device
+// see:
+// - http://elixir.free-electrons.com/linux/v3.12/source/include/uapi/linux/netlink.h#L23
+// - http://elixir.free-electrons.com/linux/v3.12/source/include/uapi/linux/socket.h#L11
+func (c *UEventConn) Connect(mode Mode) (err error) {
+
+	if c.Fd, err = syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_KOBJECT_UEVENT); err != nil {
+		return
+	}
+
+	c.Addr = syscall.SockaddrNetlink{
+		Family: syscall.AF_NETLINK,
+		Groups: uint32(mode),
+		Pid:    uint32(os.Getpid()),
+	}
+
+	if err = syscall.Bind(c.Fd, &c.Addr); err != nil {
+		syscall.Close(c.Fd)
+	}
+
+	return
+}
+
+// Close allow to close file descriptor and socket bound
+func (c *UEventConn) Close() error {
+	return syscall.Close(c.Fd)
+}
+
+// ReadMsg allow to read an entire uevent msg
+func (c *UEventConn) ReadMsg() (msg []byte, err error) {
+	var n int
+
+	buf := make([]byte, os.Getpagesize())
+	for {
+		// Just read how many bytes are available in the socket
+		if n, _, err = syscall.Recvfrom(c.Fd, buf, syscall.MSG_PEEK); err != nil {
+			return
+		}
+
+		// If all message could be store inside the buffer : break
+		if n < len(buf) {
+			break
+		}
+
+		// Increase size of buffer if not enough
+		buf = make([]byte, len(buf)+os.Getpagesize())
+	}
+
+	// Now read complete data
+	n, _, err = syscall.Recvfrom(c.Fd, buf, 0)
+	if err != nil {
+		return
+	}
+
+	// Extract only real data from buffer and return that
+	msg = buf[:n]
+
+	return
+}
+
+// ReadMsg allow to read an entire uevent msg
+func (c *UEventConn) ReadUEvent() (*UEvent, error) {
+	msg, err := c.ReadMsg()
+	if err != nil {
+		return nil, err
+	}
+
+	return ParseUEvent(msg)
+}
+
+// Monitor run in background a worker to read netlink msg in loop and notify
+// when msg receive inside a queue using channel.
+// To be notified with only relevant message, use Matcher.
+func (c *UEventConn) Monitor(queue chan UEvent, errors chan error, matcher Matcher) chan struct{} {
+	quit := make(chan struct{}, 1)
+
+	if matcher != nil {
+		if err := matcher.Compile(); err != nil {
+			errors <- fmt.Errorf("Wrong matcher, err: %v", err)
+			quit <- struct{}{}
+			return quit
+		}
+	}
+
+	go func() {
+		for {
+			select {
+			case <-quit:
+				return
+			default:
+				uevent, err := c.ReadUEvent()
+				if err != nil {
+					errors <- fmt.Errorf("Unable to parse uevent, err: %v", err)
+					continue
+				}
+
+				if matcher != nil {
+					if !matcher.Evaluate(*uevent) {
+						continue // Drop uevent if not match
+					}
+				}
+
+				queue <- *uevent
+			}
+		}
+	}()
+	return quit
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/netlink/conn_test.go snapd-2.37~rc1~14.04/osutil/udev/netlink/conn_test.go
--- snapd-2.32.3.2~14.04/osutil/udev/netlink/conn_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/netlink/conn_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,20 @@
+package netlink
+
+import (
+	"testing"
+)
+
+func TestConnect(t *testing.T) {
+	conn := new(UEventConn)
+	if err := conn.Connect(UdevEvent); err != nil {
+		t.Fatal("unable to subscribe to netlink uevent, err:", err)
+	}
+	defer conn.Close()
+
+	conn2 := new(UEventConn)
+	if err := conn2.Connect(UdevEvent); err == nil {
+		// see issue: https://github.com/pilebones/go-udev/issues/3 by @stolowski
+		t.Fatal("can't subscribing a second time to netlink socket with PID", conn2.Addr.Pid)
+	}
+	defer conn2.Close()
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/netlink/matcher.go snapd-2.37~rc1~14.04/osutil/udev/netlink/matcher.go
--- snapd-2.32.3.2~14.04/osutil/udev/netlink/matcher.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/netlink/matcher.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,169 @@
+package netlink
+
+import (
+	"fmt"
+	"regexp"
+)
+
+type Matcher interface {
+	Evaluate(e UEvent) bool
+	EvaluateAction(a KObjAction) bool
+	EvaluateEnv(e map[string]string) bool
+	Compile() error
+	String() string
+}
+
+type RuleDefinition struct {
+	Action *string           `json:"action,omitempty"`
+	Env    map[string]string `json:"env,omitempty"`
+	rule   *rule
+}
+
+// Evaluate return true if all condition match uevent and envs in rule exists in uevent
+func (r RuleDefinition) Evaluate(e UEvent) bool {
+	// Compile if needed
+	if r.rule == nil {
+		if err := r.Compile(); err != nil {
+			return false
+		}
+	}
+
+	return r.EvaluateAction(e.Action) && r.EvaluateEnv(e.Env)
+}
+
+// EvaluateAction return true if the action match
+func (r RuleDefinition) EvaluateAction(a KObjAction) (match bool) {
+	// Compile if needed
+	if r.rule == nil {
+		if err := r.Compile(); err != nil {
+			return false
+		}
+	}
+	if match = (r.rule.Action == nil); !match {
+		match = r.rule.Action.MatchString(a.String())
+	}
+	return
+}
+
+// EvaluateEnv return true if all env match and exists
+func (r RuleDefinition) EvaluateEnv(e map[string]string) bool {
+	// Compile if needed
+	if r.rule == nil {
+		if err := r.Compile(); err != nil {
+			return false
+		}
+	}
+	return r.rule.Env.Evaluate(e)
+}
+
+// Compile prepare rule definition to be able to Evaluate() an UEvent
+func (r *RuleDefinition) Compile() error {
+	r.rule = &rule{
+		Env: make(map[string]*regexp.Regexp, 0),
+	}
+
+	if r.Action != nil {
+		action, err := regexp.Compile(*(r.Action))
+		if err != nil {
+			return err
+		}
+		r.rule.Action = action
+	}
+
+	for k, v := range r.Env {
+		reg, err := regexp.Compile(v)
+		if err != nil {
+			return err
+		}
+		r.rule.Env[k] = reg
+	}
+	return nil
+}
+
+func (r RuleDefinition) String() string {
+	return fmt.Sprintf("Action: %v / Env: %+v", r.Action, r.Env)
+}
+
+// rule is the compiled version of the RuleDefinition
+type rule struct {
+	Action *regexp.Regexp
+	Env    Env
+}
+
+type Env map[string]*regexp.Regexp
+
+func (e Env) Evaluate(env map[string]string) bool {
+	foundEnv := (len(e) == 0)
+	for envName, reg := range e {
+		foundEnv = false
+		for k, v := range env {
+			if k == envName {
+				foundEnv = true
+				if !reg.MatchString(v) {
+					return false
+				}
+			}
+		}
+		if !foundEnv {
+			return false
+		}
+	}
+
+	return foundEnv
+
+}
+
+// RuleDefinitions is like chained rule with OR operator
+type RuleDefinitions struct {
+	Rules []RuleDefinition
+}
+
+func (rs *RuleDefinitions) AddRule(r RuleDefinition) {
+	rs.Rules = append(rs.Rules, r)
+}
+
+func (rs *RuleDefinitions) Compile() error {
+	for _, r := range rs.Rules {
+		if err := r.Compile(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (rs RuleDefinitions) Evaluate(e UEvent) bool {
+	for _, r := range rs.Rules {
+		if r.Evaluate(e) {
+			return true
+		}
+	}
+	return false
+}
+
+// EvaluateAction return true if the action match
+func (rs RuleDefinitions) EvaluateAction(a KObjAction) (match bool) {
+	for _, r := range rs.Rules {
+		if r.EvaluateAction(a) {
+			return true
+		}
+	}
+	return false
+}
+
+// EvaluateEnv return true if almost one env match all regexp
+func (rs RuleDefinitions) EvaluateEnv(e map[string]string) bool {
+	for _, r := range rs.Rules {
+		if r.EvaluateEnv(e) {
+			return true
+		}
+	}
+	return false
+}
+
+func (rs RuleDefinitions) String() string {
+	output := ""
+	for _, v := range rs.Rules {
+		output += "- " + v.String() + "\n"
+	}
+	return output
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/netlink/matcher_test.go snapd-2.37~rc1~14.04/osutil/udev/netlink/matcher_test.go
--- snapd-2.32.3.2~14.04/osutil/udev/netlink/matcher_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/netlink/matcher_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,119 @@
+package netlink
+
+import "testing"
+
+type Testcases []Testcase
+
+type Testcase struct {
+	Object interface{}
+	Valid  bool
+}
+
+func TestRules(testing *testing.T) {
+	t := testingWrapper{testing}
+
+	uevent := UEvent{
+		Action: ADD,
+		KObj:   "/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.2/0003:04F2:0976.0008/hidraw/hidraw4",
+		Env: map[string]string{
+			"ACTION":    "add",
+			"DEVPATH":   "/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.2/0003:04F2:0976.0008/hidraw/hidraw4",
+			"SUBSYSTEM": "hidraw",
+			"MAJOR":     "247",
+			"MINOR":     "4",
+			"DEVNAME":   "hidraw4",
+			"SEQNUM":    "2569",
+		},
+	}
+
+	add := ADD.String()
+	wrongAction := "can't match"
+
+	rules := []RuleDefinition{
+		{
+			Action: nil,
+			Env: map[string]string{
+				"DEVNAME": "hidraw\\d+",
+			},
+		},
+
+		{
+			Action: &add,
+			Env:    make(map[string]string, 0),
+		},
+
+		{
+			Action: nil,
+			Env: map[string]string{
+				"SUBSYSTEM": "can't match",
+				"MAJOR":     "247",
+			},
+		},
+
+		{
+			Action: &add,
+			Env: map[string]string{
+				"SUBSYSTEM": "hidraw",
+				"MAJOR":     "\\d+",
+			},
+		},
+
+		{
+			Action: &wrongAction,
+			Env: map[string]string{
+				"SUBSYSTEM": "hidraw",
+				"MAJOR":     "\\d+",
+			},
+		},
+	}
+
+	testcases := []Testcase{
+		{
+			Object: &rules[0],
+			Valid:  true,
+		},
+		{
+			Object: &rules[1],
+			Valid:  true,
+		},
+		{
+			Object: &rules[2],
+			Valid:  false,
+		},
+		{
+			Object: &rules[3],
+			Valid:  true,
+		},
+		{
+			Object: &rules[4],
+			Valid:  false,
+		},
+		{
+			Object: &RuleDefinitions{[]RuleDefinition{rules[0], rules[4]}},
+			Valid:  true,
+		},
+		{
+			Object: &RuleDefinitions{[]RuleDefinition{rules[4], rules[0]}},
+			Valid:  true,
+		},
+		{
+			Object: &RuleDefinitions{[]RuleDefinition{rules[2], rules[4]}},
+			Valid:  false,
+		},
+		{
+			Object: &RuleDefinitions{[]RuleDefinition{rules[3], rules[1]}},
+			Valid:  true,
+		},
+	}
+
+	for k, tcase := range testcases {
+		matcher := tcase.Object.(Matcher)
+
+		err := matcher.Compile()
+		t.FatalfIf(err != nil, "Testcase n°%d should compile without error, err: %v", k+1, err)
+
+		ok := matcher.Evaluate(uevent)
+		t.FatalfIf((ok != tcase.Valid) && tcase.Valid, "Testcase n°%d should evaluate event", k+1)
+		t.FatalfIf((ok != tcase.Valid) && !tcase.Valid, "Testcase n°%d shouldn't evaluate event", k+1)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/netlink/uevent.go snapd-2.37~rc1~14.04/osutil/udev/netlink/uevent.go
--- snapd-2.32.3.2~14.04/osutil/udev/netlink/uevent.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/netlink/uevent.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,178 @@
+package netlink
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"strings"
+	"unsafe"
+)
+
+// See: http://elixir.free-electrons.com/linux/v3.12/source/lib/kobject_uevent.c#L45
+
+const (
+	ADD     KObjAction = "add"
+	REMOVE  KObjAction = "remove"
+	CHANGE  KObjAction = "change"
+	MOVE    KObjAction = "move"
+	ONLINE  KObjAction = "online"
+	OFFLINE KObjAction = "offline"
+	BIND    KObjAction = "bind"
+	UNBIND  KObjAction = "unbind"
+)
+
+// The magic value used by udev, see https://github.com/systemd/systemd/blob/v239/src/libudev/libudev-monitor.c#L57
+const libudevMagic = 0xfeedcafe
+
+type KObjAction string
+
+func (a KObjAction) String() string {
+	return string(a)
+}
+
+func ParseKObjAction(raw string) (a KObjAction, err error) {
+	a = KObjAction(raw)
+	switch a {
+	case ADD, REMOVE, CHANGE, MOVE, ONLINE, OFFLINE, BIND, UNBIND:
+	default:
+		err = fmt.Errorf("unknow kobject action (got: %s)", raw)
+	}
+	return
+}
+
+type UEvent struct {
+	Action KObjAction
+	KObj   string
+	Env    map[string]string
+}
+
+func (e UEvent) String() string {
+	rv := fmt.Sprintf("%s@%s\000", e.Action.String(), e.KObj)
+	for k, v := range e.Env {
+		rv += k + "=" + v + "\000"
+	}
+	return rv
+}
+
+func (e UEvent) Bytes() []byte {
+	return []byte(e.String())
+}
+
+func (e UEvent) Equal(e2 UEvent) (bool, error) {
+	if e.Action != e2.Action {
+		return false, fmt.Errorf("Wrong action (got: %s, wanted: %s)", e.Action, e2.Action)
+	}
+
+	if e.KObj != e2.KObj {
+		return false, fmt.Errorf("Wrong kobject (got: %s, wanted: %s)", e.KObj, e2.KObj)
+	}
+
+	if len(e.Env) != len(e2.Env) {
+		return false, fmt.Errorf("Wrong length of env (got: %d, wanted: %d)", len(e.Env), len(e2.Env))
+	}
+
+	var found bool
+	for k, v := range e.Env {
+		found = false
+		for i, e := range e2.Env {
+			if i == k && v == e {
+				found = true
+			}
+		}
+		if !found {
+			return false, fmt.Errorf("Unable to find %s=%s env var from uevent", k, v)
+		}
+	}
+	return true, nil
+}
+
+// Parse udev event created by udevd.
+// The format of the data header is internal to udev and defined in libudev-monitor.c - see the udev_monitor_netlink_header struct.
+// go-udev only looks at the "magic" number to filter out possibly invalid packets, and at the payload offset. Other fields of the header
+// are ignored.
+// Note, only some of the fields of the header use network byte order, for the rest udev uses native byte order of the platform.
+func parseUdevEvent(raw []byte) (e *UEvent, err error) {
+	// the magic number is stored in network byte order.
+	magic := binary.BigEndian.Uint32(raw[8:])
+	if magic != libudevMagic {
+		return nil, fmt.Errorf("cannot parse libudev event: magic number mismatch")
+	}
+
+	// the payload offset int is stored in native byte order.
+	payloadoff := *(*uint32)(unsafe.Pointer(&raw[16]))
+	if payloadoff >= uint32(len(raw)) {
+		return nil, fmt.Errorf("cannot parse libudev event: invalid data offset")
+	}
+
+	fields := bytes.Split(raw[payloadoff:], []byte{0x00}) // 0x00 = end of string
+	if len(fields) == 0 {
+		err = fmt.Errorf("cannot parse libudev event: data missing")
+		return
+	}
+
+	envdata := make(map[string]string, 0)
+	for _, envs := range fields[0 : len(fields)-1] {
+		env := bytes.Split(envs, []byte("="))
+		if len(env) != 2 {
+			err = fmt.Errorf("cannot parse libudev event: invalid env data")
+			return
+		}
+		envdata[string(env[0])] = string(env[1])
+	}
+
+	var action KObjAction
+	action, err = ParseKObjAction(strings.ToLower(envdata["ACTION"]))
+	if err != nil {
+		return
+	}
+
+	// XXX: do we need kobj?
+	kobj := envdata["DEVPATH"]
+
+	e = &UEvent{
+		Action: action,
+		KObj:   kobj,
+		Env:    envdata,
+	}
+
+	return
+}
+
+func ParseUEvent(raw []byte) (e *UEvent, err error) {
+	if len(raw) > 40 && bytes.Compare(raw[:8], []byte("libudev\x00")) == 0 {
+		return parseUdevEvent(raw)
+	}
+	fields := bytes.Split(raw, []byte{0x00}) // 0x00 = end of string
+
+	if len(fields) == 0 {
+		err = fmt.Errorf("Wrong uevent format")
+		return
+	}
+
+	headers := bytes.Split(fields[0], []byte("@")) // 0x40 = @
+	if len(headers) != 2 {
+		err = fmt.Errorf("Wrong uevent header")
+		return
+	}
+
+	action, err := ParseKObjAction(string(headers[0]))
+	if err != nil {
+		return
+	}
+
+	e = &UEvent{
+		Action: action,
+		KObj:   string(headers[1]),
+		Env:    make(map[string]string, 0),
+	}
+
+	for _, envs := range fields[1 : len(fields)-1] {
+		env := bytes.Split(envs, []byte("="))
+		if len(env) != 2 {
+			err = fmt.Errorf("Wrong uevent env")
+			return
+		}
+		e.Env[string(env[0])] = string(env[1])
+	}
+	return
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/netlink/uevent_test.go snapd-2.37~rc1~14.04/osutil/udev/netlink/uevent_test.go
--- snapd-2.32.3.2~14.04/osutil/udev/netlink/uevent_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/netlink/uevent_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,188 @@
+package netlink
+
+import (
+	"runtime"
+	"testing"
+)
+
+type testingWrapper struct {
+	*testing.T
+}
+
+func (t *testingWrapper) FatalfIf(cond bool, msg string, args ...interface{}) {
+	if cond {
+		if len(args) == 0 {
+			t.Fatal(msg)
+		}
+		t.Fatalf(msg, args...)
+	}
+}
+
+// TestParseUEvent parse uevent bytes msg but fatal if needed
+func TestParseUEvent(testing *testing.T) {
+	t := testingWrapper{testing}
+
+	samples := []UEvent{
+		{
+			Action: ADD,
+			KObj:   "/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.2/0003:04F2:0976.0008/hidraw/hidraw4",
+			Env: map[string]string{
+				"ACTION":    "add",
+				"DEVPATH":   "/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.2/0003:04F2:0976.0008/hidraw/hidraw4",
+				"SUBSYSTEM": "hidraw",
+				"MAJOR":     "247",
+				"MINOR":     "4",
+				"DEVNAME":   "hidraw4",
+				"SEQNUM":    "2569",
+			},
+		},
+		{
+			Action: REMOVE,
+			KObj:   "mykobj",
+			Env: map[string]string{
+				"bla": "bla",
+				"abl": "abl",
+				"lab": "lab",
+			},
+		},
+	}
+	for _, s := range samples {
+		raw := s.Bytes()
+		uevent, err := ParseUEvent(raw)
+		t.FatalfIf(err != nil, "Unable to parse uevent (got: %s)", s.String())
+		t.FatalfIf(uevent == nil, "Uevent can't be nil (with: %s)", s.String())
+
+		ok, err := uevent.Equal(s)
+		t.FatalfIf(!ok || err != nil, "Uevent should be equal: bijectivity fail")
+	}
+
+	raw := samples[0].Bytes()
+	raw[3] = 0x00 // remove @ to fake rawdata
+
+	uevent, err := ParseUEvent(raw)
+	t.FatalfIf(err == nil && uevent != nil, "Event parsed successfully but it should be invalid, err: %s", err.Error())
+
+}
+
+func TestParseUdevEvent(testing *testing.T) {
+	if runtime.GOARCH == "s390x" || runtime.GOARCH == "ppc" {
+		testing.Skip("This test assumes little-endian architecture")
+	}
+
+	t := testingWrapper{testing}
+
+	// Input samples obtained by running the main testing binary in monitor mode
+	// and having fmt.Printf("%q\n", raw) in the ParseUEvent method.
+	samples := []struct {
+		Input    []byte
+		Expected UEvent
+	}{{
+		Input: []byte("libudev\x00\xfe\xed\xca\xfe(\x00\x00\x00(\x00\x00\x00\xd5\x03\x00\x00\x8a\xfa\x90\xc8\x00\x00\x00\x00\x02\x00\x04\x00\x10\x80\x00\x00" +
+			"ACTION=remove\x00DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0/tty/ttyUSB0\x00SUBSYSTEM=tty\x00" +
+			"DEVNAME=/dev/ttyUSB0\x00SEQNUM=4344\x00MAJOR=188\x00MINOR=0\x00USEC_INITIALIZED=75223543693\x00ID_BUS=usb\x00" +
+			"ID_VENDOR_ID=0403\x00ID_MODEL_ID=6001\x00ID_PCI_CLASS_FROM_DATABASE=Serial bus controller\x00" +
+			"ID_PCI_SUBCLASS_FROM_DATABASE=USB controller\x00ID_PCI_INTERFACE_FROM_DATABASE=XHCI\x00" +
+			"ID_VENDOR_FROM_DATABASE=Future Technology Devices International, Ltd\x00ID_MODEL_FROM_DATABASE=FT232 Serial (UART) IC\x00" +
+			"ID_VENDOR=FTDI\x00ID_VENDOR_ENC=FTDI\x00ID_MODEL=FT232R_USB_UART\x00ID_MODEL_ENC=FT232R\\x20USB\\x20UART\x00" +
+			"ID_REVISION=0600\x00ID_SERIAL=FTDI_FT232R_USB_UART_AH06W0EQ\x00ID_SERIAL_SHORT=AH06W0EQ\x00ID_TYPE=generic\x00" +
+			"ID_USB_INTERFACES=:ffffff:\x00ID_USB_INTERFACE_NUM=00\x00ID_USB_DRIVER=ftdi_sio\x00" +
+			"ID_PATH=pci-0000:00:14.0-usb-0:2:1.0\x00ID_PATH_TAG=pci-0000_00_14_0-usb-0_2_1_0\x00ID_MM_CANDIDATE=1\x00" +
+			"DEVLINKS=/dev/serial/by-path/pci-0000:00:14.0-usb-0:2:1.0-port0 /dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH06W0EQ-if00-port0\x00TAGS=:systemd:\x00"),
+		Expected: UEvent{
+			Action: REMOVE,
+			KObj:   "/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0/tty/ttyUSB0",
+			Env: map[string]string{
+				"MINOR": "0",
+				"ID_PCI_CLASS_FROM_DATABASE":     "Serial bus controller",
+				"ID_PCI_SUBCLASS_FROM_DATABASE":  "USB controller",
+				"ID_VENDOR_FROM_DATABASE":        "Future Technology Devices International, Ltd",
+				"ID_MODEL_ENC":                   "FT232R\\x20USB\\x20UART",
+				"ID_USB_INTERFACES":              ":ffffff:",
+				"ID_PATH":                        "pci-0000:00:14.0-usb-0:2:1.0",
+				"ID_MODEL":                       "FT232R_USB_UART",
+				"ID_TYPE":                        "generic",
+				"DEVLINKS":                       "/dev/serial/by-path/pci-0000:00:14.0-usb-0:2:1.0-port0 /dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH06W0EQ-if00-port0",
+				"ID_MODEL_ID":                    "6001",
+				"ID_USB_INTERFACE_NUM":           "00",
+				"ID_PATH_TAG":                    "pci-0000_00_14_0-usb-0_2_1_0",
+				"TAGS":                           ":systemd:",
+				"ACTION":                         "remove",
+				"DEVNAME":                        "/dev/ttyUSB0",
+				"ID_REVISION":                    "0600",
+				"ID_VENDOR_ENC":                  "FTDI",
+				"ID_USB_DRIVER":                  "ftdi_sio",
+				"ID_MM_CANDIDATE":                "1",
+				"SEQNUM":                         "4344",
+				"ID_VENDOR":                      "FTDI",
+				"SUBSYSTEM":                      "tty",
+				"MAJOR":                          "188",
+				"ID_BUS":                         "usb",
+				"ID_VENDOR_ID":                   "0403",
+				"ID_MODEL_FROM_DATABASE":         "FT232 Serial (UART) IC",
+				"ID_SERIAL":                      "FTDI_FT232R_USB_UART_AH06W0EQ",
+				"DEVPATH":                        "/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0/tty/ttyUSB0",
+				"USEC_INITIALIZED":               "75223543693",
+				"ID_PCI_INTERFACE_FROM_DATABASE": "XHCI",
+				"ID_SERIAL_SHORT":                "AH06W0EQ",
+			}}}, {
+		Input: []byte("libudev\x00\xfe\xed\xca\xfe(\x00\x00\x00(\x00\x00\x00\xf2\x02\x00\x00\x05w\xc5\xe5'\xf8\xf5\f\x00\x00\x00\x00\x00\x00\x00\x00" +
+			"ACTION=add\x00DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2\x00SUBSYSTEM=usb\x00DEVNAME=/dev/bus/usb/001/033\x00DEVTYPE=usb_device\x00" +
+			"PRODUCT=10c4/ea60/100\x00TYPE=0/0/0\x00BUSNUM=001\x00DEVNUM=033\x00SEQNUM=4410\x00MAJOR=189\x00MINOR=32\x00USEC_INITIALIZED=77155422759\x00" +
+			"ID_VENDOR=Silicon_Labs\x00ID_VENDOR_ENC=Silicon\\x20Labs\x00ID_VENDOR_ID=10c4\x00ID_MODEL=CP2102_USB_to_UART_Bridge_Controller\x00" +
+			"ID_MODEL_ENC=CP2102\\x20USB\\x20to\\x20UART\\x20Bridge\\x20Controller\x00ID_MODEL_ID=ea60\x00ID_REVISION=0100\x00" +
+			"ID_SERIAL=Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001\x00ID_SERIAL_SHORT=0001\x00ID_BUS=usb\x00ID_USB_INTERFACES=:ff0000:\x00" +
+			"ID_VENDOR_FROM_DATABASE=Cygnal Integrated Products, Inc.\x00ID_MODEL_FROM_DATABASE=CP2102/CP2109 UART Bridge Controller [CP210x family]\x00" +
+			"DRIVER=usb\x00ID_MM_DEVICE_MANUAL_SCAN_ONLY=1\x00"),
+		Expected: UEvent{
+			Action: ADD,
+			KObj:   "/devices/pci0000:00/0000:00:14.0/usb1/1-2",
+			Env: map[string]string{
+				"DEVTYPE":                "usb_device",
+				"SEQNUM":                 "4410",
+				"DRIVER":                 "usb",
+				"DEVPATH":                "/devices/pci0000:00/0000:00:14.0/usb1/1-2",
+				"SUBSYSTEM":              "usb",
+				"BUSNUM":                 "001",
+				"ID_USB_INTERFACES":      ":ff0000:",
+				"USEC_INITIALIZED":       "77155422759",
+				"ID_VENDOR_ENC":          "Silicon\\x20Labs",
+				"ID_VENDOR_ID":           "10c4",
+				"ID_SERIAL":              "Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001",
+				"ACTION":                 "add",
+				"DEVNAME":                "/dev/bus/usb/001/033",
+				"MAJOR":                  "189",
+				"ID_MODEL_FROM_DATABASE": "CP2102/CP2109 UART Bridge Controller [CP210x family]",
+				"TYPE":                          "0/0/0",
+				"ID_REVISION":                   "0100",
+				"ID_BUS":                        "usb",
+				"PRODUCT":                       "10c4/ea60/100",
+				"DEVNUM":                        "033",
+				"MINOR":                         "32",
+				"ID_MODEL_ENC":                  "CP2102\\x20USB\\x20to\\x20UART\\x20Bridge\\x20Controller",
+				"ID_MM_DEVICE_MANUAL_SCAN_ONLY": "1",
+				"ID_VENDOR":                     "Silicon_Labs",
+				"ID_MODEL":                      "CP2102_USB_to_UART_Bridge_Controller",
+				"ID_MODEL_ID":                   "ea60",
+				"ID_SERIAL_SHORT":               "0001",
+				"ID_VENDOR_FROM_DATABASE":       "Cygnal Integrated Products, Inc.",
+			},
+		},
+	}}
+
+	for _, s := range samples {
+		uevent, err := ParseUEvent(s.Input)
+		t.FatalfIf(err != nil, "Unable to parse uevent: %s", err)
+		ok, err := uevent.Equal(s.Expected)
+		t.FatalfIf(!ok || err != nil, "Uevent should be equal: bijectivity fail,\n%s", err)
+	}
+
+	invalidMagic := []byte("libudev\x00\xfe\xed\xca\xff(\x00\x00\x00(\x00\x00\x00\xd5\x03\x00\x00\x8a\xfa\x90\xc8\x00\x00\x00\x00\x02\x00\x04\x00\x10\x80\x00\x00ACTION=remove\x00DEVPATH=foo\x00")
+	uevent, err := ParseUEvent(invalidMagic)
+	t.FatalfIf(err == nil && uevent != nil, "Event parsed successfully but it should be invalid, err: %s", err)
+	t.FatalfIf(err.Error() != "cannot parse libudev event: magic number mismatch", "Expecting magic number error, got %s", err)
+
+	invalidOffset := []byte("libudev\x00\xfe\xed\xca\xfe(\xff\xff\xff(\xff\xff\xff\xd5\xf3\xff\xff\x8a\xfa\x90\xc8\x00\x00\x00\x00\x02\x00\x04\x00\x10\x80\x00\x00ACTION=remove\x00DEVPATH=foo\x00")
+	uevent, err = ParseUEvent(invalidOffset)
+	t.FatalfIf(err == nil && uevent != nil, "Event parsed successfully but it should be invalid, err: %s", err)
+	t.FatalfIf(err.Error() != "cannot parse libudev event: invalid data offset", "Expecting invalud offset error, got %s", err)
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/README.md snapd-2.37~rc1~14.04/osutil/udev/README.md
--- snapd-2.32.3.2~14.04/osutil/udev/README.md	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/README.md	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,126 @@
+# go-udev [![Go Report Card](https://goreportcard.com/badge/github.com/pilebones/go-udev)](https://goreportcard.com/report/github.com/pilebones/go-udev) [![GoDoc](https://godoc.org/github.com/pilebones/go-udev?status.svg)](https://godoc.org/github.com/pilebones/go-udev) [![Build Status](https://travis-ci.org/pilebones/go-udev.svg?branch=master)](https://travis-ci.org/pilebones/go-udev)
+
+Simple udev implementation in Golang developed from scratch.
+This library allow to listen and manage Linux-kernel (since version 2.6.10) Netlink messages to user space (ie: NETLINK_KOBJECT_UEVENT).
+
+Like [`udev`](https://en.wikipedia.org/wiki/Udev) you will be able to monitor, display and manage devices plug to the system.
+
+## How to
+
+### Get sources
+
+```
+go get github.com/pilebones/go-udev
+```
+
+### Unit test
+
+```
+go test ./...
+```
+
+### Compile
+
+```
+go build
+```
+
+### Usage
+
+```
+./go-udev -<mode> [-file=<absolute_path>]
+```
+
+Allowed mode: `info` or `monitor`
+File should contains matcher rules (see: "Advanced usage" section)
+
+### Info Mode
+
+Crawl /sys/devices uevent struct to detect plugged devices:
+
+```
+./go-udev -info
+```
+
+### Monitor Mode
+
+Handle all kernel message to detect change about plugged or unplugged devices:
+
+```
+./go-udev -monitor
+```
+
+#### Examples
+
+Example of output when a USB storage is plugged:
+```
+2017/10/20 23:47:23 Handle netlink.UEvent{
+    Action: "add",
+    KObj:   "/devices/pci0000:00/0000:00:14.0/usb1/1-1",
+    Env:    {"PRODUCT":"58f/6387/10b", "TYPE":"0/0/0", "BUSNUM":"001", "DEVNUM":"005", "SEQNUM":"2511", "DEVNAME":"bus/usb/001/005", "DEVPATH":"/devices/pci0000:00/0000:00:14.0/usb1/1-1", "SUBSYSTEM":"usb", "MAJOR":"189", "MINOR":"4", "DEVTYPE":"usb_device", "ACTION":"add"},
+}
+2017/10/20 23:47:23 Handle netlink.UEvent{
+    Action: "add",
+    KObj:   "/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0",
+    Env:    {"SUBSYSTEM":"usb", "TYPE":"0/0/0", "INTERFACE":"8/6/80", "MODALIAS":"usb:v058Fp6387d010Bdc00dsc00dp00ic08isc06ip50in00", "SEQNUM":"2512", "DEVPATH":"/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0", "DEVTYPE":"usb_interface", "PRODUCT":"58f/6387/10b", "ACTION":"add"},
+}
+2017/10/20 23:47:23 Handle netlink.UEvent{
+    Action: "add",
+    KObj:   "/module/usb_storage",
+    Env:    {"SEQNUM":"2513", "ACTION":"add", "DEVPATH":"/module/usb_storage", "SUBSYSTEM":"module"},
+}
+[...]
+```
+
+Example of output when a USB storage is unplugged:
+```
+[...]
+2017/10/20 23:47:29 Handle netlink.UEvent{
+    Action: "remove",
+    KObj:   "/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host4/target4:0:0/4:0:0:0/block/sdb",
+    Env:    {"SUBSYSTEM":"block", "MAJOR":"8", "MINOR":"16", "DEVNAME":"sdb", "DEVTYPE":"disk", "SEQNUM":"2543", "ACTION":"remove", "DEVPATH":"/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host4/target4:0:0/4:0:0:0/block/sdb"},
+}
+[...]
+2017/10/20 23:47:29 Handle netlink.UEvent{
+    Action: "remove",
+    KObj:   "/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0",
+    Env:    {"ACTION":"remove", "SUBSYSTEM":"usb", "DEVTYPE":"usb_interface", "SEQNUM":"2548", "MODALIAS":"usb:v058Fp6387d010Bdc00dsc00dp00ic08isc06ip50in00", "DEVPATH":"/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0", "PRODUCT":"58f/6387/10b", "TYPE":"0/0/0", "INTERFACE":"8/6/80"},
+}
+2017/10/20 23:47:29 Handle netlink.UEvent{
+    Action: "remove",
+    KObj:   "/devices/pci0000:00/0000:00:14.0/usb1/1-1",
+    Env:    {"PRODUCT":"58f/6387/10b", "TYPE":"0/0/0", "DEVNUM":"005", "SEQNUM":"2549", "ACTION":"remove", "DEVPATH":"/devices/pci0000:00/0000:00:14.0/usb1/1-1", "SUBSYSTEM":"usb", "MAJOR":"189", "MINOR":"4", "DEVNAME":"bus/usb/001/005", "DEVTYPE":"usb_device", "BUSNUM":"001"},
+}
+```
+
+Note: To implement your own monitoring system, please see `main.go` as a simple example.
+
+### Advanced usage
+
+Is it possible to filter uevents/devices with a Matcher.
+
+A Matcher is a list of your own rules to match only relevant uevent kernel message (see: `matcher.sample`).
+
+You could pass this file using for both mode:
+```
+./go-udev -file  matcher.sample [...]
+
+```
+
+## Throubleshooting
+
+Don't hesitate to notice if you detect a problem with this tool or library.
+
+## Links
+
+- Netlink Manual: http://man7.org/linux/man-pages/man7/netlink.7.html
+- Linux source code about: 
+  * Struct sockaddr_netlink: http://elixir.free-electrons.com/linux/v3.12/source/lib/kobject_uevent.c#L45
+  * KObject action: http://elixir.free-electrons.com/linux/v3.12/source/lib/kobject_uevent.c#L45
+
+## Documentation
+- [GoDoc Reference](http://godoc.org/github.com/pilebones/go-udev).
+
+## License
+
+go-udev is available under the [GNU GPL v3 - Clause License](https://opensource.org/licenses/GPL-3.0).
diff -Nru snapd-2.32.3.2~14.04/osutil/udev/.travis.yml snapd-2.37~rc1~14.04/osutil/udev/.travis.yml
--- snapd-2.32.3.2~14.04/osutil/udev/.travis.yml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/udev/.travis.yml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,8 @@
+language: go
+  
+go:
+  - 1.9.x
+  - master
+
+script:
+  - go test -v -race ./...
diff -Nru snapd-2.32.3.2~14.04/osutil/uname_darwin.go snapd-2.37~rc1~14.04/osutil/uname_darwin.go
--- snapd-2.32.3.2~14.04/osutil/uname_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/uname_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+func uname() (*unix.Utsname, error) {
+	var u unix.Utsname
+	err := unix.Uname(&u)
+	return &u, err
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/uname.go snapd-2.37~rc1~14.04/osutil/uname.go
--- snapd-2.32.3.2~14.04/osutil/uname.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/uname.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,79 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+var KernelVersion = kernelVersion
+
+// We have to implement separate functions for the kernel version and the
+// machine name at the moment as the utsname struct is either using int8
+// or uint8 depending on the architecture the code is built for. As there
+// is no easy way to generalise this implements the same code twice (other
+// than going via unsafe.Pointer, or interfaces, which are overkill). The
+// way to get this solved is by using []byte inside the utsname struct
+// instead of []int8/[]uint8. See https://github.com/golang/go/issues/20753
+// for details.
+
+func kernelVersion() string {
+	u, err := uname()
+	if err != nil {
+		return "unknown"
+	}
+
+	// Release is more informative than Version.
+	buf := make([]byte, len(u.Release))
+	for i, c := range u.Release {
+		if c == 0 {
+			buf = buf[:i]
+			break
+		}
+		// c can be uint8 or int8 depending on arch (see comment above)
+		buf[i] = byte(c)
+	}
+
+	return string(buf)
+}
+
+func MachineName() string {
+	u, err := uname()
+	if err != nil {
+		return "unknown"
+	}
+
+	buf := make([]byte, len(u.Machine))
+	for i, c := range u.Machine {
+		if c == 0 {
+			buf = buf[:i]
+			break
+		}
+		// c can be uint8 or int8 depending on arch (see comment above)
+		buf[i] = byte(c)
+	}
+
+	return string(buf)
+}
+
+// MockKernelVersion replaces the function that returns the kernel version string.
+func MockKernelVersion(version string) (restore func()) {
+	old := KernelVersion
+	KernelVersion = func() string { return version }
+	return func() {
+		KernelVersion = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/uname_linux.go snapd-2.37~rc1~14.04/osutil/uname_linux.go
--- snapd-2.32.3.2~14.04/osutil/uname_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/uname_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"syscall"
+)
+
+var syscallUname = syscall.Uname
+
+func uname() (*syscall.Utsname, error) {
+	var u syscall.Utsname
+	err := syscallUname(&u)
+	return &u, err
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/uname_linux_test.go snapd-2.37~rc1~14.04/osutil/uname_linux_test.go
--- snapd-2.32.3.2~14.04/osutil/uname_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/uname_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,96 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	"bytes"
+	"errors"
+	"os/exec"
+	"syscall"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+type unameSuite struct{}
+
+var _ = check.Suite(unameSuite{})
+
+func ucmd1(c *check.C, arg string) string {
+	out, err := exec.Command("uname", arg).CombinedOutput()
+	c.Assert(err, check.IsNil)
+	return string(bytes.TrimSpace(out))
+}
+
+func (unameSuite) TestUname(c *check.C) {
+	c.Check(osutil.KernelVersion(), check.Equals, ucmd1(c, "-r"))
+	c.Check(osutil.MachineName(), check.Equals, ucmd1(c, "-m"))
+}
+
+func (unameSuite) TestUnameErrorMeansUnknown(c *check.C) {
+	restore := osutil.MockUname(func(buf *syscall.Utsname) error {
+		return errors.New("bzzzt")
+	})
+	defer restore()
+
+	c.Check(osutil.KernelVersion(), check.Equals, "unknown")
+	c.Check(osutil.MachineName(), check.Equals, "unknown")
+}
+
+func (unameSuite) TestKernelVersionStopsAtZeroes(c *check.C) {
+	restore := osutil.MockUname(func(buf *syscall.Utsname) error {
+		buf.Release[0] = 'f'
+		buf.Release[1] = 'o'
+		buf.Release[2] = 'o'
+		buf.Release[3] = 0
+		buf.Release[4] = 'u'
+		buf.Release[5] = 'n'
+		buf.Release[6] = 'u'
+		buf.Release[7] = 's'
+		buf.Release[8] = 'e'
+		buf.Release[9] = 'd'
+		return nil
+	})
+	defer restore()
+
+	c.Check(osutil.KernelVersion(), check.Equals, "foo")
+}
+
+func (unameSuite) TestMachineNameStopsAtZeroes(c *check.C) {
+	restore := osutil.MockUname(func(buf *syscall.Utsname) error {
+		buf.Machine[0] = 'a'
+		buf.Machine[1] = 'r'
+		buf.Machine[2] = 'm'
+		buf.Machine[3] = 'v'
+		buf.Machine[4] = '7'
+		buf.Machine[5] = 'a'
+		buf.Machine[6] = 0
+		buf.Machine[7] = 'u'
+		buf.Machine[8] = 'n'
+		buf.Machine[9] = 'u'
+		buf.Machine[10] = 's'
+		buf.Machine[11] = 'e'
+		buf.Machine[12] = 'd'
+		return nil
+	})
+	defer restore()
+	c.Check(osutil.MachineName(), check.Equals, "armv7a")
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/unlink_darwin.go snapd-2.37~rc1~14.04/osutil/unlink_darwin.go
--- snapd-2.32.3.2~14.04/osutil/unlink_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/unlink_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,29 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// sys/unix _does_ expose flags, so we need to wrap it
+func sysUnlinkat(dirfd int, path string) error {
+	return unix.Unlinkat(dirfd, path, 0)
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/unlink.go snapd-2.37~rc1~14.04/osutil/unlink.go
--- snapd-2.32.3.2~14.04/osutil/unlink.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/unlink.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,72 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/snapcore/snapd/osutil/sys"
+)
+
+// UnlinkMany removes multiple files from a single directory.
+//
+// If dirname is not a directory, this will fail.
+//
+// This will abort at the first removal error (but ENOENT is ignored).
+//
+// Filenames must refer to files. They don't necessarily have to be
+// relative paths to the given dirname, but if they aren't why are you
+// using this function?
+//
+// Errors are *os.PathError, for convenience
+func UnlinkMany(dirname string, filenames []string) error {
+	dirfd, err := syscall.Open(dirname, syscall.O_RDONLY|syscall.O_CLOEXEC|syscall.O_DIRECTORY|sys.O_PATH, 0)
+	if err != nil {
+		return &os.PathError{
+			Op:   "open",
+			Path: dirname,
+			Err:  err,
+		}
+	}
+	defer syscall.Close(dirfd)
+
+	return unlinkMany(dirfd, filenames)
+}
+
+func unlinkMany(dirfd int, filenames []string) error {
+	var err error
+	for _, filename := range filenames {
+		if err = sysUnlinkat(dirfd, filename); err != nil && err != syscall.ENOENT {
+			return &os.PathError{
+				Op:   "remove",
+				Path: filename,
+				Err:  err,
+			}
+		}
+	}
+	return nil
+}
+
+// UnlinkManyAt is like UnlinkMany but takes an open directory *os.File
+// instead of a dirname.
+func UnlinkManyAt(dir *os.File, filenames []string) error {
+	return unlinkMany(int(dir.Fd()), filenames)
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/unlink_linux.go snapd-2.37~rc1~14.04/osutil/unlink_linux.go
--- snapd-2.32.3.2~14.04/osutil/unlink_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/unlink_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,27 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil
+
+import (
+	"syscall"
+)
+
+// syscall.Unlinkat calls unlinkat(2) _without_ AT_REMOVEDIR, which is exactly what we want
+var sysUnlinkat = syscall.Unlinkat
diff -Nru snapd-2.32.3.2~14.04/osutil/unlink_test.go snapd-2.37~rc1~14.04/osutil/unlink_test.go
--- snapd-2.32.3.2~14.04/osutil/unlink_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/unlink_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,108 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package osutil_test
+
+import (
+	"os"
+	"path/filepath"
+	"sort"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+type unlinkSuite struct {
+	d string
+}
+
+var _ = check.Suite(&unlinkSuite{})
+
+func (s *unlinkSuite) checkDirnames(c *check.C, names []string) {
+	dir, err := os.Open(s.d)
+	c.Assert(err, check.IsNil)
+	defer dir.Close()
+	found, err := dir.Readdirnames(-1)
+	c.Assert(err, check.IsNil)
+	sort.Strings(names)
+	sort.Strings(found)
+	c.Check(found, check.DeepEquals, names)
+}
+
+func (s *unlinkSuite) SetUpTest(c *check.C) {
+	s.d = c.MkDir()
+	s.mkFixture(c)
+}
+
+func (s *unlinkSuite) mkFixture(c *check.C) {
+	for _, fname := range []string{"foo", "bar", "baz", "quux"} {
+		f, err := os.Create(filepath.Join(s.d, fname))
+		if err == nil {
+			f.Close()
+		} else if !os.IsExist(err) {
+			c.Fatal(err)
+		}
+	}
+	if err := os.Mkdir(filepath.Join(s.d, "dir"), 0700); err != nil && !os.IsExist(err) {
+		c.Fatal(err)
+	}
+}
+
+func (s *unlinkSuite) TestUnlinkMany(c *check.C) {
+	c.Assert(osutil.UnlinkMany(s.d, []string{"bar", "does-not-exist", "baz"}), check.IsNil)
+
+	s.checkDirnames(c, []string{"foo", "quux", "dir"})
+}
+
+func (s *unlinkSuite) TestUnlinkManyAt(c *check.C) {
+	d, err := os.Open(s.d)
+	c.Assert(err, check.IsNil)
+	c.Assert(osutil.UnlinkManyAt(d, []string{"bar", "does-not-exist", "baz"}), check.IsNil)
+
+	s.checkDirnames(c, []string{"foo", "quux", "dir"})
+}
+
+func (s *unlinkSuite) TestUnlinkManyFails(c *check.C) {
+	type T struct {
+		dirname   string
+		filenames []string
+		expected  string
+	}
+	tests := []T{
+		{
+			dirname:   filepath.Join(s.d, "does-not-exist"),
+			filenames: []string{"bar", "baz"},
+			expected:  `open /tmp/.*/does-not-exist: no such file or directory`,
+		}, {
+			dirname:   filepath.Join(s.d, "foo"),
+			filenames: []string{"bar", "baz"},
+			expected:  `open /tmp/.*/foo: not a directory`,
+		}, {
+			dirname:   s.d,
+			filenames: []string{"bar", "dir", "baz"},
+			expected:  `remove dir: is a directory`,
+		},
+	}
+
+	for i, test := range tests {
+		c.Check(osutil.UnlinkMany(test.dirname, test.filenames), check.ErrorMatches, test.expected, check.Commentf("%d", i))
+		s.mkFixture(c)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/osutil/user.go snapd-2.37~rc1~14.04/osutil/user.go
--- snapd-2.32.3.2~14.04/osutil/user.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/user.go	2019-01-16 08:36:51.000000000 +0000
@@ -46,18 +46,21 @@
 	SSHKeys    []string
 	// crypt(3) compatible password of the form $id$salt$hash
 	Password string
+	// force a password change by the user on login
+	ForcePasswordChange bool
 }
 
+// we check the (user)name ourselves, adduser is a bit too
+// strict (i.e. no `.`) - this regexp is in sync with that SSO
+// allows as valid usernames
+var isValidUsername = regexp.MustCompile(`^[a-z0-9][-a-z0-9+.-_]*$`).MatchString
+
 func AddUser(name string, opts *AddUserOptions) error {
 	if opts == nil {
 		opts = &AddUserOptions{}
 	}
 
-	// we check the (user)name ourselves, adduser is a bit too
-	// strict (i.e. no `.`) - this regexp is in sync with that SSO
-	// allows as valid usernames
-	validNames := regexp.MustCompile(`^[a-z0-9][-a-z0-9+.-_]*$`)
-	if !validNames.MatchString(name) {
+	if !isValidUsername(name) {
 		return fmt.Errorf("cannot add user %q: name contains invalid characters", name)
 	}
 
@@ -74,7 +77,7 @@
 
 	cmd := exec.Command(cmdStr[0], cmdStr[1:]...)
 	if output, err := cmd.CombinedOutput(); err != nil {
-		return fmt.Errorf("adduser failed with %s: %s", err, output)
+		return fmt.Errorf("adduser failed with: %s", OutputErr(output, err))
 	}
 
 	if opts.Sudoer {
@@ -96,6 +99,20 @@
 			return fmt.Errorf("setting password failed: %s", OutputErr(output, err))
 		}
 	}
+	if opts.ForcePasswordChange {
+		if opts.Password == "" {
+			return fmt.Errorf("cannot force password change when no password is provided")
+		}
+		cmdStr := []string{
+			"passwd",
+			"--expire",
+			// no --extrauser required, see LP: #1562872
+			name,
+		}
+		if output, err := exec.Command(cmdStr[0], cmdStr[1:]...).CombinedOutput(); err != nil {
+			return fmt.Errorf("cannot force password change: %s", OutputErr(output, err))
+		}
+	}
 
 	u, err := userLookup(name)
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/osutil/user_test.go snapd-2.37~rc1~14.04/osutil/user_test.go
--- snapd-2.32.3.2~14.04/osutil/user_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/osutil/user_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -40,6 +40,7 @@
 
 	mockAddUser *testutil.MockCmd
 	mockUserMod *testutil.MockCmd
+	mockPasswd  *testutil.MockCmd
 }
 
 var _ = check.Suite(&createUserSuite{})
@@ -59,12 +60,14 @@
 	})
 	s.mockAddUser = testutil.MockCommand(c, "adduser", "")
 	s.mockUserMod = testutil.MockCommand(c, "usermod", "")
+	s.mockPasswd = testutil.MockCommand(c, "passwd", "")
 }
 
 func (s *createUserSuite) TearDownTest(c *check.C) {
 	s.restorer()
 	s.mockAddUser.Restore()
 	s.mockUserMod.Restore()
+	s.mockPasswd.Restore()
 }
 
 func (s *createUserSuite) TestAddUserExtraUsersFalse(c *check.C) {
@@ -149,7 +152,41 @@
 	c.Check(s.mockUserMod.Calls(), check.DeepEquals, [][]string{
 		{"usermod", "--password", "$6$salt$hash", "karl.sagan"},
 	})
+}
+
+func (s *createUserSuite) TestAddUserWithPasswordForceChange(c *check.C) {
+	mockSudoers := c.MkDir()
+	restorer := osutil.MockSudoersDotD(mockSudoers)
+	defer restorer()
+
+	err := osutil.AddUser("karl.popper", &osutil.AddUserOptions{
+		Gecos:               "my gecos",
+		Password:            "$6$salt$hash",
+		ForcePasswordChange: true,
+	})
+	c.Assert(err, check.IsNil)
+
+	c.Check(s.mockAddUser.Calls(), check.DeepEquals, [][]string{
+		{"adduser", "--force-badname", "--gecos", "my gecos", "--disabled-password", "karl.popper"},
+	})
+	c.Check(s.mockUserMod.Calls(), check.DeepEquals, [][]string{
+		{"usermod", "--password", "$6$salt$hash", "karl.popper"},
+	})
+	c.Check(s.mockPasswd.Calls(), check.DeepEquals, [][]string{
+		{"passwd", "--expire", "karl.popper"},
+	})
+}
+
+func (s *createUserSuite) TestAddUserPasswordForceChangeUnhappy(c *check.C) {
+	mockSudoers := c.MkDir()
+	restorer := osutil.MockSudoersDotD(mockSudoers)
+	defer restorer()
 
+	err := osutil.AddUser("karl.popper", &osutil.AddUserOptions{
+		Gecos:               "my gecos",
+		ForcePasswordChange: true,
+	})
+	c.Assert(err, check.ErrorMatches, `cannot force password change when no password is provided`)
 }
 
 func (s *createUserSuite) TestRealUser(c *check.C) {
@@ -205,3 +242,12 @@
 		}
 	}
 }
+
+func (s *createUserSuite) TestAddUserUnhappy(c *check.C) {
+	mockAddUser := testutil.MockCommand(c, "adduser", "echo some error; exit 1")
+	defer mockAddUser.Restore()
+
+	err := osutil.AddUser("lakatos", nil)
+	c.Assert(err, check.ErrorMatches, "adduser failed with: some error")
+
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/assertstate/assertmgr.go snapd-2.37~rc1~14.04/overlord/assertstate/assertmgr.go
--- snapd-2.32.3.2~14.04/overlord/assertstate/assertmgr.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/assertstate/assertmgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,16 +35,12 @@
 // system states. It manipulates the observed system state to ensure
 // nothing in it violates existing assertions, or misses required
 // ones.
-type AssertManager struct {
-	runner *state.TaskRunner
-}
+type AssertManager struct{}
 
 // Manager returns a new assertion manager.
-func Manager(s *state.State) (*AssertManager, error) {
+func Manager(s *state.State, runner *state.TaskRunner) (*AssertManager, error) {
 	delayedCrossMgrInit()
 
-	runner := state.NewTaskRunner(s)
-
 	runner.AddHandler("validate-snap", doValidateSnap, nil)
 
 	db, err := sysdb.Open()
@@ -56,29 +52,14 @@
 	ReplaceDB(s, db)
 	s.Unlock()
 
-	return &AssertManager{runner: runner}, nil
-}
-
-func (m *AssertManager) KnownTaskKinds() []string {
-	return m.runner.KnownTaskKinds()
+	return &AssertManager{}, nil
 }
 
 // Ensure implements StateManager.Ensure.
 func (m *AssertManager) Ensure() error {
-	m.runner.Ensure()
 	return nil
 }
 
-// Wait implements StateManager.Wait.
-func (m *AssertManager) Wait() {
-	m.runner.Wait()
-}
-
-// Stop implements StateManager.Stop.
-func (m *AssertManager) Stop() {
-	m.runner.Stop()
-}
-
 type cachedDBKey struct{}
 
 // ReplaceDB replaces the assertion database used by the manager.
@@ -101,12 +82,13 @@
 
 // doValidateSnap fetches the relevant assertions for the snap being installed and cross checks them with the snap.
 func doValidateSnap(t *state.Task, _ *tomb.Tomb) error {
-	t.State().Lock()
-	defer t.State().Unlock()
+	st := t.State()
+	st.Lock()
+	defer st.Unlock()
 
 	snapsup, err := snapstate.TaskSnapSetup(t)
 	if err != nil {
-		return nil
+		return fmt.Errorf("internal error: cannot obtain snap setup: %s", err)
 	}
 
 	sha3_384, snapSize, err := asserts.SnapFileSHA3_384(snapsup.SnapPath)
@@ -114,22 +96,43 @@
 		return err
 	}
 
-	err = doFetch(t.State(), snapsup.UserID, func(f asserts.Fetcher) error {
-		return snapasserts.FetchSnapAssertions(f, sha3_384)
+	modelAs, err := snapstate.Model(st)
+	if err != nil {
+		return err
+	}
+
+	err = doFetch(st, snapsup.UserID, func(f asserts.Fetcher) error {
+		if err := snapasserts.FetchSnapAssertions(f, sha3_384); err != nil {
+			return err
+		}
+
+		// fetch store assertion if available
+		if modelAs.Store() != "" {
+			err := snapasserts.FetchStore(f, modelAs.Store())
+			if notFound, ok := err.(*asserts.NotFoundError); ok {
+				if notFound.Type != asserts.StoreType {
+					return err
+				}
+			} else if err != nil {
+				return err
+			}
+		}
+
+		return nil
 	})
 	if notFound, ok := err.(*asserts.NotFoundError); ok {
 		if notFound.Type == asserts.SnapRevisionType {
-			return fmt.Errorf("cannot verify snap %q, no matching signatures found", snapsup.Name())
+			return fmt.Errorf("cannot verify snap %q, no matching signatures found", snapsup.InstanceName())
 		} else {
-			return fmt.Errorf("cannot find supported signatures to verify snap %q and its hash (%v)", snapsup.Name(), notFound)
+			return fmt.Errorf("cannot find supported signatures to verify snap %q and its hash (%v)", snapsup.InstanceName(), notFound)
 		}
 	}
 	if err != nil {
 		return err
 	}
 
-	db := DB(t.State())
-	err = snapasserts.CrossCheck(snapsup.Name(), sha3_384, snapSize, snapsup.SideInfo, db)
+	db := DB(st)
+	err = snapasserts.CrossCheck(snapsup.InstanceName(), sha3_384, snapSize, snapsup.SideInfo, db)
 	if err != nil {
 		// TODO: trigger a global sanity check
 		// that will generate the changes to deal with this
diff -Nru snapd-2.32.3.2~14.04/overlord/assertstate/assertstate.go snapd-2.37~rc1~14.04/overlord/assertstate/assertstate.go
--- snapd-2.32.3.2~14.04/overlord/assertstate/assertstate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/assertstate/assertstate.go	2019-01-16 08:36:51.000000000 +0000
@@ -138,6 +138,11 @@
 
 // RefreshSnapDeclarations refetches all the current snap declarations and their prerequisites.
 func RefreshSnapDeclarations(s *state.State, userID int) error {
+	modelAs, err := snapstate.ModelPastSeeding(s)
+	if err != nil {
+		return err
+	}
+
 	snapStates, err := snapstate.All(s)
 	if err != nil {
 		return nil
@@ -152,9 +157,18 @@
 				continue
 			}
 			if err := snapasserts.FetchSnapDeclaration(f, info.SnapID); err != nil {
-				return fmt.Errorf("cannot refresh snap-declaration for %q: %v", info.Name(), err)
+				return fmt.Errorf("cannot refresh snap-declaration for %q: %v", info.InstanceName(), err)
+			}
+		}
+
+		// fetch store assertion if available
+		if modelAs.Store() != "" {
+			err := snapasserts.FetchStore(f, modelAs.Store())
+			if err != nil && !asserts.IsNotFound(err) {
+				return err
 			}
 		}
+
 		return nil
 	}
 	return doFetch(s, userID, fetching)
@@ -175,12 +189,11 @@
 	return fmt.Sprintf("refresh control errors:%s", strings.Join(l, "\n - "))
 }
 
-// ValidateRefreshes validates the refresh candidate revisions
-// represented by the snapInfos, looking for the needed refresh
-// control validation assertions, it returns a validated subset in
-// validated and a summary error if not all candidates
-// validated. ignoreValidation is a set of snap-ids that should not be
-// gated.
+// ValidateRefreshes validates the refresh candidate revisions represented by
+// the snapInfos, looking for the needed refresh control validation assertions,
+// it returns a validated subset in validated and a summary error if not all
+// candidates validated. ignoreValidation is a set of snap-instance-names that
+// should not be gated.
 func ValidateRefreshes(s *state.State, snapInfos []*snap.Info, ignoreValidation map[string]bool, userID int) (validated []*snap.Info, err error) {
 	// maps gated snap-ids to gating snap-ids
 	controlled := make(map[string][]string)
@@ -192,7 +205,7 @@
 	if err != nil {
 		return nil, err
 	}
-	for snapName, snapst := range snapStates {
+	for instanceName, snapst := range snapStates {
 		info, err := snapst.CurrentInfo()
 		if err != nil {
 			return nil, err
@@ -201,12 +214,15 @@
 			continue
 		}
 		gatingID := info.SnapID
+		if gatingNames[gatingID] != "" {
+			continue
+		}
 		a, err := db.Find(asserts.SnapDeclarationType, map[string]string{
 			"series":  release.Series,
 			"snap-id": gatingID,
 		})
 		if err != nil {
-			return nil, fmt.Errorf("internal error: cannot find snap declaration for installed snap %q: %v", snapName, err)
+			return nil, fmt.Errorf("internal error: cannot find snap declaration for installed snap %q: %v", instanceName, err)
 		}
 		decl := a.(*asserts.SnapDeclaration)
 		control := decl.RefreshControl()
@@ -215,14 +231,16 @@
 		}
 		gatingNames[gatingID] = decl.SnapName()
 		for _, gatedID := range control {
-			if !ignoreValidation[gatedID] {
-				controlled[gatedID] = append(controlled[gatedID], gatingID)
-			}
+			controlled[gatedID] = append(controlled[gatedID], gatingID)
 		}
 	}
 
 	var errs []error
 	for _, candInfo := range snapInfos {
+		if ignoreValidation[candInfo.InstanceName()] {
+			validated = append(validated, candInfo)
+			continue
+		}
 		gatedID := candInfo.SnapID
 		gating := controlled[gatedID]
 		if len(gating) == 0 { // easy case, no refresh control
@@ -251,7 +269,7 @@
 		}
 		err := doFetch(s, userID, fetching)
 		if err != nil {
-			errs = append(errs, fmt.Errorf("cannot refresh %q to revision %s: %v", candInfo.Name(), candInfo.Revision, err))
+			errs = append(errs, fmt.Errorf("cannot refresh %q to revision %s: %v", candInfo.InstanceName(), candInfo.Revision, err))
 			continue
 		}
 
@@ -267,7 +285,7 @@
 			}
 		}
 		if revoked != nil {
-			errs = append(errs, fmt.Errorf("cannot refresh %q to revision %s: validation by %q (id %q) revoked", candInfo.Name(), candInfo.Revision, gatingNames[revoked.SnapID()], revoked.SnapID()))
+			errs = append(errs, fmt.Errorf("cannot refresh %q to revision %s: validation by %q (id %q) revoked", candInfo.InstanceName(), candInfo.Revision, gatingNames[revoked.SnapID()], revoked.SnapID()))
 			continue
 		}
 
@@ -346,7 +364,7 @@
 	}
 	decl, err := SnapDeclaration(s, info.SnapID)
 	if err != nil {
-		return nil, fmt.Errorf("internal error: cannot find snap-declaration for installed snap %q: %v", info.Name(), err)
+		return nil, fmt.Errorf("internal error: cannot find snap-declaration for installed snap %q: %v", info.InstanceName(), err)
 	}
 	explicitAliases := decl.Aliases()
 	if len(explicitAliases) != 0 {
diff -Nru snapd-2.32.3.2~14.04/overlord/assertstate/assertstate_test.go snapd-2.37~rc1~14.04/overlord/assertstate/assertstate_test.go
--- snapd-2.32.3.2~14.04/overlord/assertstate/assertstate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/assertstate/assertstate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,6 @@
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
-	"sort"
 	"testing"
 	"time"
 
@@ -52,11 +51,15 @@
 type assertMgrSuite struct {
 	o     *overlord.Overlord
 	state *state.State
+	se    *overlord.StateEngine
 	mgr   *assertstate.AssertManager
 
 	storeSigning *assertstest.StoreStack
 	dev1Acct     *asserts.Account
 	dev1Signing  *assertstest.SigningDB
+	brandAcct    *asserts.Account
+	brandAcctKey *asserts.AccountKey
+	brandSigning *assertstest.SigningDB
 
 	restore func()
 }
@@ -100,13 +103,29 @@
 
 	s.dev1Signing = assertstest.NewSigningDB(s.dev1Acct.AccountID(), dev1PrivKey)
 
+	// brand
+	brandPrivKey, _ := assertstest.GenerateKey(752)
+	s.brandAcct = assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
+		"account-id":   "my-brand",
+		"verification": "verified",
+	}, "")
+	brandAcctKey := assertstest.NewAccountKey(s.storeSigning, s.brandAcct, nil, brandPrivKey.PublicKey(), "")
+	err = s.storeSigning.Add(s.brandAcct)
+	c.Assert(err, IsNil)
+	err = s.storeSigning.Add(brandAcctKey)
+	c.Assert(err, IsNil)
+	s.brandSigning = assertstest.NewSigningDB("my-brand", brandPrivKey)
+
 	s.o = overlord.Mock()
 	s.state = s.o.State()
-	mgr, err := assertstate.Manager(s.state)
+	s.se = s.o.StateEngine()
+	mgr, err := assertstate.Manager(s.state, s.o.TaskRunner())
 	c.Assert(err, IsNil)
 	s.mgr = mgr
 	s.o.AddManager(s.mgr)
 
+	s.o.AddManager(s.o.TaskRunner())
+
 	s.state.Lock()
 	snapstate.ReplaceStore(s.state, &fakeStore{
 		state: s.state,
@@ -117,6 +136,7 @@
 
 func (s *assertMgrSuite) TearDownTest(c *C) {
 	s.restore()
+	snapstate.Model = nil
 }
 
 func (s *assertMgrSuite) TestDB(c *C) {
@@ -127,12 +147,6 @@
 	c.Check(db, FitsTypeOf, (*asserts.Database)(nil))
 }
 
-func (s *assertMgrSuite) TestKnownTaskKinds(c *C) {
-	kinds := s.mgr.KnownTaskKinds()
-	sort.Strings(kinds)
-	c.Assert(kinds, DeepEquals, []string{"validate-snap"})
-}
-
 func (s *assertMgrSuite) TestAdd(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -418,6 +432,39 @@
 	c.Assert(err, IsNil)
 }
 
+func (s *assertMgrSuite) setModel(model *asserts.Model) {
+	snapstate.Model = func(*state.State) (*asserts.Model, error) {
+		return model, nil
+	}
+	s.state.Set("seeded", true)
+}
+
+func (s *assertMgrSuite) setupModelAndStore(c *C) *asserts.Store {
+	// setup a model and store assertion
+	a, err := s.brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"store":        "my-brand-store",
+		"gadget":       "gadget",
+		"kernel":       "krnl",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	s.setModel(a.(*asserts.Model))
+
+	a, err = s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
+		"authority-id": s.storeSigning.AuthorityID,
+		"operator-id":  s.storeSigning.AuthorityID,
+		"store":        "my-brand-store",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	return a.(*asserts.Store)
+}
+
 func (s *assertMgrSuite) TestValidateSnap(c *C) {
 	s.prereqSnapAssertions(c, 10)
 
@@ -429,6 +476,11 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	// have a model and the store assertion available
+	storeAs := s.setupModelAndStore(c)
+	err = s.storeSigning.Add(storeAs)
+	c.Assert(err, IsNil)
+
 	chg := s.state.NewChange("install", "...")
 	t := s.state.NewTask("validate-snap", "Fetch and check snap assertions")
 	snapsup := snapstate.SnapSetup{
@@ -444,7 +496,7 @@
 	chg.AddTask(t)
 
 	s.state.Unlock()
-	defer s.mgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -456,6 +508,77 @@
 	})
 	c.Assert(err, IsNil)
 	c.Check(snapRev.(*asserts.SnapRevision).SnapRevision(), Equals, 10)
+
+	// store assertion was also fetched
+	_, err = assertstate.DB(s.state).Find(asserts.StoreType, map[string]string{
+		"store": "my-brand-store",
+	})
+	c.Assert(err, IsNil)
+}
+
+func (s *assertMgrSuite) TestValidateSnapStoreNotFound(c *C) {
+	s.prereqSnapAssertions(c, 10)
+
+	tempdir := c.MkDir()
+	snapPath := filepath.Join(tempdir, "foo.snap")
+	err := ioutil.WriteFile(snapPath, fakeSnap(10), 0644)
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// have a model and store but store assertion is not made available
+	s.setupModelAndStore(c)
+
+	chg := s.state.NewChange("install", "...")
+	t := s.state.NewTask("validate-snap", "Fetch and check snap assertions")
+	snapsup := snapstate.SnapSetup{
+		SnapPath: snapPath,
+		UserID:   0,
+		SideInfo: &snap.SideInfo{
+			RealName: "foo",
+			SnapID:   "snap-id-1",
+			Revision: snap.R(10),
+		},
+	}
+	t.Set("snap-setup", snapsup)
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+
+	snapRev, err := assertstate.DB(s.state).Find(asserts.SnapRevisionType, map[string]string{
+		"snap-id":       "snap-id-1",
+		"snap-sha3-384": makeDigest(10),
+	})
+	c.Assert(err, IsNil)
+	c.Check(snapRev.(*asserts.SnapRevision).SnapRevision(), Equals, 10)
+
+	// store assertion was not found and ignored
+	_, err = assertstate.DB(s.state).Find(asserts.StoreType, map[string]string{
+		"store": "my-brand-store",
+	})
+	c.Assert(asserts.IsNotFound(err), Equals, true)
+}
+
+func (s *assertMgrSuite) TestValidateSnapMissingSnapSetup(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("install", "...")
+	t := s.state.NewTask("validate-snap", "Fetch and check snap assertions")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Err(), ErrorMatches, `(?s).*internal error: cannot obtain snap setup: no state entry for key.*`)
 }
 
 func (s *assertMgrSuite) TestValidateSnapNotFound(c *C) {
@@ -467,6 +590,8 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	s.setModel(sysdb.GenericClassicModel())
+
 	chg := s.state.NewChange("install", "...")
 	t := s.state.NewTask("validate-snap", "Fetch and check snap assertions")
 	snapsup := snapstate.SnapSetup{
@@ -482,7 +607,7 @@
 	chg.AddTask(t)
 
 	s.state.Unlock()
-	defer s.mgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -500,6 +625,8 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	s.setModel(sysdb.GenericClassicModel())
+
 	chg := s.state.NewChange("install", "...")
 	t := s.state.NewTask("validate-snap", "Fetch and check snap assertions")
 	snapsup := snapstate.SnapSetup{
@@ -515,11 +642,11 @@
 	chg.AddTask(t)
 
 	s.state.Unlock()
-	defer s.mgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
-	c.Assert(chg.Err(), ErrorMatches, `(?s).*cannot install snap "f" that is undergoing a rename to "foo".*`)
+	c.Assert(chg.Err(), ErrorMatches, `(?s).*cannot install "f", snap "f" is undergoing a rename to "foo".*`)
 }
 
 func (s *assertMgrSuite) TestValidateSnapSnapDeclIsTooNewFirstInstall(c *C) {
@@ -569,7 +696,7 @@
 	chg.AddTask(t)
 
 	s.state.Unlock()
-	defer s.mgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -594,27 +721,49 @@
 	return decl.(*asserts.SnapDeclaration)
 }
 
-func (s *assertMgrSuite) stateFromDecl(decl *asserts.SnapDeclaration, revno snap.Revision) {
-	name := decl.SnapName()
+func (s *assertMgrSuite) stateFromDecl(c *C, decl *asserts.SnapDeclaration, instanceName string, revno snap.Revision) {
+	snapName, instanceKey := snap.SplitInstanceName(instanceName)
+	if snapName == "" {
+		snapName = decl.SnapName()
+		instanceName = snapName
+	}
+
+	c.Assert(snapName, Equals, decl.SnapName())
+
 	snapID := decl.SnapID()
-	snapstate.Set(s.state, name, &snapstate.SnapState{
+	snapstate.Set(s.state, instanceName, &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
-			{RealName: name, SnapID: snapID, Revision: revno},
+			{RealName: snapName, SnapID: snapID, Revision: revno},
 		},
-		Current: revno,
+		Current:     revno,
+		InstanceKey: instanceKey,
 	})
 }
 
-func (s *assertMgrSuite) TestRefreshSnapDeclarations(c *C) {
+func (s *assertMgrSuite) TestRefreshSnapDeclarationsTooEarly(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	snapstate.Model = func(*state.State) (*asserts.Model, error) {
+		return nil, state.ErrNoState
+	}
+
+	err := assertstate.RefreshSnapDeclarations(s.state, 0)
+	c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
+}
+
+func (s *assertMgrSuite) TestRefreshSnapDeclarationsNoStore(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.setModel(sysdb.GenericClassicModel())
+
 	snapDeclFoo := s.snapDecl(c, "foo", nil)
 	snapDeclBar := s.snapDecl(c, "bar", nil)
 
-	s.stateFromDecl(snapDeclFoo, snap.R(7))
-	s.stateFromDecl(snapDeclBar, snap.R(3))
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
 	snapstate.Set(s.state, "local", &snapstate.SnapState{
 		Active: false,
 		Sequence: []*snap.SideInfo{
@@ -711,6 +860,105 @@
 	c.Check(a.(*asserts.SnapDeclaration).Revision(), Equals, 1)
 }
 
+func (s *assertMgrSuite) TestRefreshSnapDeclarationsWithStore(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	storeAs := s.setupModelAndStore(c)
+
+	snapDeclFoo := s.snapDecl(c, "foo", nil)
+
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+
+	// previous state
+	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, s.dev1Acct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclFoo)
+	c.Assert(err, IsNil)
+
+	// one changed assertion
+	headers := map[string]interface{}{
+		"series":       "16",
+		"snap-id":      "foo-id",
+		"snap-name":    "fo-o",
+		"publisher-id": s.dev1Acct.AccountID(),
+		"timestamp":    time.Now().Format(time.RFC3339),
+		"revision":     "1",
+	}
+	snapDeclFoo1, err := s.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
+	c.Assert(err, IsNil)
+	err = s.storeSigning.Add(snapDeclFoo1)
+	c.Assert(err, IsNil)
+
+	// store assertion is missing
+	err = assertstate.RefreshSnapDeclarations(s.state, 0)
+	c.Assert(err, IsNil)
+
+	a, err := assertstate.DB(s.state).Find(asserts.SnapDeclarationType, map[string]string{
+		"series":  "16",
+		"snap-id": "foo-id",
+	})
+	c.Assert(err, IsNil)
+	c.Check(a.(*asserts.SnapDeclaration).SnapName(), Equals, "fo-o")
+
+	// changed again
+	headers = map[string]interface{}{
+		"series":       "16",
+		"snap-id":      "foo-id",
+		"snap-name":    "f-oo",
+		"publisher-id": s.dev1Acct.AccountID(),
+		"timestamp":    time.Now().Format(time.RFC3339),
+		"revision":     "2",
+	}
+	snapDeclFoo2, err := s.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
+	c.Assert(err, IsNil)
+	err = s.storeSigning.Add(snapDeclFoo2)
+	c.Assert(err, IsNil)
+
+	// store assertion is available
+	err = s.storeSigning.Add(storeAs)
+	c.Assert(err, IsNil)
+
+	err = assertstate.RefreshSnapDeclarations(s.state, 0)
+	c.Assert(err, IsNil)
+
+	a, err = assertstate.DB(s.state).Find(asserts.SnapDeclarationType, map[string]string{
+		"series":  "16",
+		"snap-id": "foo-id",
+	})
+	c.Assert(err, IsNil)
+	c.Check(a.(*asserts.SnapDeclaration).SnapName(), Equals, "f-oo")
+
+	_, err = assertstate.DB(s.state).Find(asserts.StoreType, map[string]string{
+		"store": "my-brand-store",
+	})
+	c.Assert(err, IsNil)
+
+	// store assertion has changed
+	a, err = s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
+		"authority-id": s.storeSigning.AuthorityID,
+		"operator-id":  s.storeSigning.AuthorityID,
+		"store":        "my-brand-store",
+		"location":     "the-cloud",
+		"revision":     "1",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	storeAs = a.(*asserts.Store)
+	err = s.storeSigning.Add(storeAs)
+	c.Assert(err, IsNil)
+
+	err = assertstate.RefreshSnapDeclarations(s.state, 0)
+	c.Assert(err, IsNil)
+	a, err = assertstate.DB(s.state).Find(asserts.StoreType, map[string]string{
+		"store": "my-brand-store",
+	})
+	c.Assert(err, IsNil)
+	c.Check(a.(*asserts.Store).Location(), Equals, "the-cloud")
+}
+
 func (s *assertMgrSuite) TestValidateRefreshesNothing(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -726,8 +974,8 @@
 
 	snapDeclFoo := s.snapDecl(c, "foo", nil)
 	snapDeclBar := s.snapDecl(c, "bar", nil)
-	s.stateFromDecl(snapDeclFoo, snap.R(7))
-	s.stateFromDecl(snapDeclBar, snap.R(3))
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
 
 	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
 	c.Assert(err, IsNil)
@@ -755,8 +1003,8 @@
 	snapDeclBar := s.snapDecl(c, "bar", map[string]interface{}{
 		"refresh-control": []interface{}{"foo-id"},
 	})
-	s.stateFromDecl(snapDeclFoo, snap.R(7))
-	s.stateFromDecl(snapDeclBar, snap.R(3))
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
 
 	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
 	c.Assert(err, IsNil)
@@ -776,6 +1024,37 @@
 	c.Check(validated, HasLen, 0)
 }
 
+func (s *assertMgrSuite) TestParallelInstanceValidateRefreshesMissingValidation(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapDeclFoo := s.snapDecl(c, "foo", nil)
+	snapDeclBar := s.snapDecl(c, "bar", map[string]interface{}{
+		"refresh-control": []interface{}{"foo-id"},
+	})
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclFoo, "foo_instance", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
+
+	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, s.dev1Acct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclFoo)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclBar)
+	c.Assert(err, IsNil)
+
+	fooInstanceRefresh := &snap.Info{
+		SideInfo:    snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
+		InstanceKey: "instance",
+	}
+
+	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooInstanceRefresh}, nil, 0)
+	c.Assert(err, ErrorMatches, `cannot refresh "foo_instance" to revision 9: no validation by "bar"`)
+	c.Check(validated, HasLen, 0)
+}
+
 func (s *assertMgrSuite) TestValidateRefreshesMissingValidationButIgnore(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -784,8 +1063,8 @@
 	snapDeclBar := s.snapDecl(c, "bar", map[string]interface{}{
 		"refresh-control": []interface{}{"foo-id"},
 	})
-	s.stateFromDecl(snapDeclFoo, snap.R(7))
-	s.stateFromDecl(snapDeclBar, snap.R(3))
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
 
 	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
 	c.Assert(err, IsNil)
@@ -800,11 +1079,110 @@
 		SideInfo: snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
 	}
 
-	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooRefresh}, map[string]bool{"foo-id": true}, 0)
+	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooRefresh}, map[string]bool{"foo": true}, 0)
 	c.Assert(err, IsNil)
 	c.Check(validated, DeepEquals, []*snap.Info{fooRefresh})
 }
 
+func (s *assertMgrSuite) TestParallelInstanceValidateRefreshesMissingValidationButIgnore(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapDeclFoo := s.snapDecl(c, "foo", nil)
+	snapDeclBar := s.snapDecl(c, "bar", map[string]interface{}{
+		"refresh-control": []interface{}{"foo-id"},
+	})
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclFoo, "foo_instance", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
+
+	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, s.dev1Acct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclFoo)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclBar)
+	c.Assert(err, IsNil)
+
+	fooRefresh := &snap.Info{
+		SideInfo: snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
+	}
+	fooInstanceRefresh := &snap.Info{
+		SideInfo:    snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
+		InstanceKey: "instance",
+	}
+
+	// validation is ignore for foo_instance but not for foo
+	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooRefresh, fooInstanceRefresh}, map[string]bool{"foo_instance": true}, 0)
+	c.Assert(err, ErrorMatches, `cannot refresh "foo" to revision 9: no validation by "bar"`)
+	c.Check(validated, DeepEquals, []*snap.Info{fooInstanceRefresh})
+}
+
+func (s *assertMgrSuite) TestParallelInstanceValidateRefreshesMissingValidationButIgnoreInstanceKeyed(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapDeclFoo := s.snapDecl(c, "foo", nil)
+	snapDeclBar := s.snapDecl(c, "bar", map[string]interface{}{
+		"refresh-control": []interface{}{"foo-id"},
+	})
+	s.stateFromDecl(c, snapDeclFoo, "foo_instance", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
+
+	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, s.dev1Acct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclFoo)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclBar)
+	c.Assert(err, IsNil)
+
+	fooInstanceRefresh := &snap.Info{
+		SideInfo:    snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
+		InstanceKey: "instance",
+	}
+
+	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooInstanceRefresh}, map[string]bool{"foo_instance": true}, 0)
+	c.Assert(err, IsNil)
+	c.Check(validated, DeepEquals, []*snap.Info{fooInstanceRefresh})
+}
+
+func (s *assertMgrSuite) TestParallelInstanceValidateRefreshesMissingValidationButIgnoreBothOneIgnored(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapDeclFoo := s.snapDecl(c, "foo", nil)
+	snapDeclBar := s.snapDecl(c, "bar", map[string]interface{}{
+		"refresh-control": []interface{}{"foo-id"},
+	})
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclFoo, "foo_instance", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
+
+	err := assertstate.Add(s.state, s.storeSigning.StoreAccountKey(""))
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, s.dev1Acct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclFoo)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(s.state, snapDeclBar)
+	c.Assert(err, IsNil)
+
+	fooRefresh := &snap.Info{
+		SideInfo: snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
+	}
+	fooInstanceRefresh := &snap.Info{
+		SideInfo:    snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
+		InstanceKey: "instance",
+	}
+
+	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooRefresh, fooInstanceRefresh}, map[string]bool{"foo_instance": true}, 0)
+	c.Assert(err, ErrorMatches, `cannot refresh "foo" to revision 9: no validation by "bar"`)
+	c.Check(validated, DeepEquals, []*snap.Info{fooInstanceRefresh})
+}
+
 func (s *assertMgrSuite) TestValidateRefreshesValidationOK(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -816,9 +1194,10 @@
 	snapDeclBaz := s.snapDecl(c, "baz", map[string]interface{}{
 		"refresh-control": []interface{}{"foo-id"},
 	})
-	s.stateFromDecl(snapDeclFoo, snap.R(7))
-	s.stateFromDecl(snapDeclBar, snap.R(3))
-	s.stateFromDecl(snapDeclBaz, snap.R(1))
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclFoo, "foo_instance", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
+	s.stateFromDecl(c, snapDeclBaz, "", snap.R(1))
 	snapstate.Set(s.state, "local", &snapstate.SnapState{
 		Active: false,
 		Sequence: []*snap.SideInfo{
@@ -867,10 +1246,14 @@
 	fooRefresh := &snap.Info{
 		SideInfo: snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
 	}
+	fooInstanceRefresh := &snap.Info{
+		SideInfo:    snap.SideInfo{RealName: "foo", SnapID: "foo-id", Revision: snap.R(9)},
+		InstanceKey: "instance",
+	}
 
-	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooRefresh}, nil, 0)
+	validated, err := assertstate.ValidateRefreshes(s.state, []*snap.Info{fooRefresh, fooInstanceRefresh}, nil, 0)
 	c.Assert(err, IsNil)
-	c.Check(validated, DeepEquals, []*snap.Info{fooRefresh})
+	c.Check(validated, DeepEquals, []*snap.Info{fooRefresh, fooInstanceRefresh})
 }
 
 func (s *assertMgrSuite) TestValidateRefreshesRevokedValidation(c *C) {
@@ -884,9 +1267,9 @@
 	snapDeclBaz := s.snapDecl(c, "baz", map[string]interface{}{
 		"refresh-control": []interface{}{"foo-id"},
 	})
-	s.stateFromDecl(snapDeclFoo, snap.R(7))
-	s.stateFromDecl(snapDeclBar, snap.R(3))
-	s.stateFromDecl(snapDeclBaz, snap.R(1))
+	s.stateFromDecl(c, snapDeclFoo, "", snap.R(7))
+	s.stateFromDecl(c, snapDeclBar, "", snap.R(3))
+	s.stateFromDecl(c, snapDeclBaz, "", snap.R(1))
 	snapstate.Set(s.state, "local", &snapstate.SnapState{
 		Active: false,
 		Sequence: []*snap.SideInfo{
diff -Nru snapd-2.32.3.2~14.04/overlord/auth/auth.go snapd-2.37~rc1~14.04/overlord/auth/auth.go
--- snapd-2.32.3.2~14.04/overlord/auth/auth.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/auth/auth.go	2019-01-16 08:36:51.000000000 +0000
@@ -68,6 +68,14 @@
 	StoreDischarges []string `json:"store-discharges,omitempty"`
 }
 
+// HasStoreAuth returns true if the user has store authorization.
+func (u *UserState) HasStoreAuth() bool {
+	if u == nil {
+		return false
+	}
+	return u.StoreMacaroon != ""
+}
+
 // MacaroonSerialize returns a store-compatible serialized representation of the given macaroon
 func MacaroonSerialize(m *macaroon.Macaroon) (string, error) {
 	marshalled, err := m.MarshalBinary()
diff -Nru snapd-2.32.3.2~14.04/overlord/auth/auth_test.go snapd-2.37~rc1~14.04/overlord/auth/auth_test.go
--- snapd-2.32.3.2~14.04/overlord/auth/auth_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/auth/auth_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -303,6 +303,27 @@
 	as.state.Unlock()
 	c.Check(err, IsNil)
 	c.Check(userFromState, DeepEquals, user)
+
+	c.Check(user.HasStoreAuth(), Equals, true)
+}
+
+func (as *authSuite) TestUserHasStoreAuth(c *C) {
+	var user0 *auth.UserState
+	// nil user
+	c.Check(user0.HasStoreAuth(), Equals, false)
+
+	as.state.Lock()
+	user, err := auth.NewUser(as.state, "username", "email@test.com", "macaroon", []string{"discharge"})
+	as.state.Unlock()
+	c.Check(err, IsNil)
+	c.Check(user.HasStoreAuth(), Equals, true)
+
+	// no store auth
+	as.state.Lock()
+	user, err = auth.NewUser(as.state, "username", "email@test.com", "", nil)
+	as.state.Unlock()
+	c.Check(err, IsNil)
+	c.Check(user.HasStoreAuth(), Equals, false)
 }
 
 func (as *authSuite) TestUpdateUser(c *C) {
diff -Nru snapd-2.32.3.2~14.04/overlord/cmdstate/cmdmgr.go snapd-2.37~rc1~14.04/overlord/cmdstate/cmdmgr.go
--- snapd-2.32.3.2~14.04/overlord/cmdstate/cmdmgr.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/cmdstate/cmdmgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,50 +30,41 @@
 )
 
 // CommandManager helps running arbitrary commands as tasks.
-type CommandManager struct {
-	runner *state.TaskRunner
-}
+type CommandManager struct{}
 
 // Manager returns a new CommandManager.
-func Manager(st *state.State) *CommandManager {
-	runner := state.NewTaskRunner(st)
+func Manager(st *state.State, runner *state.TaskRunner) *CommandManager {
 	runner.AddHandler("exec-command", doExec, nil)
-	return &CommandManager{runner: runner}
-}
-
-func (m *CommandManager) KnownTaskKinds() []string {
-	return m.runner.KnownTaskKinds()
+	return &CommandManager{}
 }
 
 // Ensure is part of the overlord.StateManager interface.
 func (m *CommandManager) Ensure() error {
-	m.runner.Ensure()
 	return nil
 }
 
-// Wait is part of the overlord.StateManager interface.
-func (m *CommandManager) Wait() {
-	m.runner.Wait()
-}
-
-// Stop is part of the overlord.StateManager interface.
-func (m *CommandManager) Stop() {
-	m.runner.Stop()
-}
-
-var execTimeout = 5 * time.Second
+var defaultExecTimeout = 5 * time.Second
 
 func doExec(t *state.Task, tomb *tomb.Tomb) error {
 	var argv []string
+	var tout time.Duration
+
 	st := t.State()
 	st.Lock()
-	err := t.Get("argv", &argv)
+	err1 := t.Get("argv", &argv)
+	err2 := t.Get("timeout", &tout)
 	st.Unlock()
-	if err != nil {
-		return err
+	if err1 != nil {
+		return err1
+	}
+	if err2 != nil && err2 != state.ErrNoState {
+		return err2
+	}
+	if err2 == state.ErrNoState {
+		tout = defaultExecTimeout
 	}
 
-	if buf, err := osutil.RunAndWait(argv, nil, execTimeout, tomb); err != nil {
+	if buf, err := osutil.RunAndWait(argv, nil, tout, tomb); err != nil {
 		st.Lock()
 		t.Errorf("# %s\n%s", strings.Join(argv, " "), buf)
 		st.Unlock()
diff -Nru snapd-2.32.3.2~14.04/overlord/cmdstate/cmdstate.go snapd-2.37~rc1~14.04/overlord/cmdstate/cmdstate.go
--- snapd-2.32.3.2~14.04/overlord/cmdstate/cmdstate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/cmdstate/cmdstate.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,12 +22,16 @@
 package cmdstate
 
 import (
+	"time"
+
 	"github.com/snapcore/snapd/overlord/state"
 )
 
-// Exec creates a task that will execute the given command.
-func Exec(st *state.State, summary string, argv []string) *state.TaskSet {
+// ExecWithTimeout creates a task that will execute the given command
+// with the given timeout.
+func ExecWithTimeout(st *state.State, summary string, argv []string, timeout time.Duration) *state.TaskSet {
 	t := st.NewTask("exec-command", summary)
 	t.Set("argv", argv)
+	t.Set("timeout", timeout)
 	return state.NewTaskSet(t)
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/cmdstate/cmdstate_test.go snapd-2.37~rc1~14.04/overlord/cmdstate/cmdstate_test.go
--- snapd-2.32.3.2~14.04/overlord/cmdstate/cmdstate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/cmdstate/cmdstate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,7 +21,6 @@
 
 import (
 	"path/filepath"
-	"sort"
 	"strings"
 	"testing"
 	"time"
@@ -41,6 +40,7 @@
 type cmdSuite struct {
 	rootdir string
 	state   *state.State
+	se      *overlord.StateEngine
 	manager overlord.StateManager
 	restore func()
 }
@@ -54,8 +54,8 @@
 func (s *cmdSuite) waitfor(thing statr) {
 	s.state.Unlock()
 	for i := 0; i < 5; i++ {
-		s.manager.Ensure()
-		s.manager.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 		s.state.Lock()
 		if thing.Status().Ready() {
 			return
@@ -70,25 +70,23 @@
 	dirs.SetRootDir(d)
 	s.rootdir = d
 	s.state = state.New(nil)
-	s.manager = cmdstate.Manager(s.state)
-	s.restore = cmdstate.MockExecTimeout(time.Second / 10)
+	s.se = overlord.NewStateEngine(s.state)
+	runner := state.NewTaskRunner(s.state)
+	s.manager = cmdstate.Manager(s.state, runner)
+	s.se.AddManager(s.manager)
+	s.se.AddManager(runner)
+	s.restore = cmdstate.MockDefaultExecTimeout(time.Second / 10)
 }
 
 func (s *cmdSuite) TearDownTest(c *check.C) {
 	s.restore()
 }
 
-func (s *cmdSuite) TestKnownTaskKinds(c *check.C) {
-	kinds := s.manager.KnownTaskKinds()
-	sort.Strings(kinds)
-	c.Assert(kinds, check.DeepEquals, []string{"exec-command"})
-}
-
 func (s *cmdSuite) TestExecTask(c *check.C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 	argvIn := []string{"/bin/echo", "hello"}
-	tasks := cmdstate.Exec(s.state, "this is the summary", argvIn).Tasks()
+	tasks := cmdstate.ExecWithTimeout(s.state, "this is the summary", argvIn, time.Second/10).Tasks()
 	c.Assert(tasks, check.HasLen, 1)
 	task := tasks[0]
 	c.Check(task.Kind(), check.Equals, "exec-command")
@@ -103,7 +101,7 @@
 	defer s.state.Unlock()
 
 	fn := filepath.Join(s.rootdir, "flag")
-	ts := cmdstate.Exec(s.state, "Doing the thing", []string{"touch", fn})
+	ts := cmdstate.ExecWithTimeout(s.state, "Doing the thing", []string{"touch", fn}, time.Second/10)
 	chg := s.state.NewChange("do-the-thing", "Doing the thing")
 	chg.AddAll(ts)
 
@@ -117,7 +115,7 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	ts := cmdstate.Exec(s.state, "Doing the thing", []string{"sh", "-c", "echo hello; false"})
+	ts := cmdstate.ExecWithTimeout(s.state, "Doing the thing", []string{"sh", "-c", "echo hello; false"}, time.Second/10)
 	chg := s.state.NewChange("do-the-thing", "Doing the thing")
 	chg.AddAll(ts)
 
@@ -130,12 +128,12 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	ts := cmdstate.Exec(s.state, "Doing the thing", []string{"sleep", "1h"})
+	ts := cmdstate.ExecWithTimeout(s.state, "Doing the thing", []string{"sleep", "1h"}, time.Second/10)
 	chg := s.state.NewChange("do-the-thing", "Doing the thing")
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	s.manager.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	c.Assert(chg.Status(), check.Equals, state.DoingStatus)
@@ -152,14 +150,14 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	ts := cmdstate.Exec(s.state, "Doing the thing", []string{"sleep", "1h"})
+	ts := cmdstate.ExecWithTimeout(s.state, "Doing the thing", []string{"sleep", "1h"}, time.Second/10)
 	chg := s.state.NewChange("do-the-thing", "Doing the thing")
 	chg.AddAll(ts)
 
 	c.Assert(chg.Status(), check.Equals, state.DoStatus)
 
 	s.state.Unlock()
-	s.manager.Stop()
+	s.se.Stop()
 	s.state.Lock()
 
 	c.Check(chg.Status(), check.Equals, state.DoStatus)
@@ -170,7 +168,7 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	ts := cmdstate.Exec(s.state, "Doing the thing", []string{"sleep", "1m"})
+	ts := cmdstate.ExecWithTimeout(s.state, "Doing the thing", []string{"sleep", "1m"}, time.Second/10)
 	chg := s.state.NewChange("do-the-thing", "Doing the thing")
 	chg.AddAll(ts)
 
@@ -179,3 +177,24 @@
 	c.Check(chg.Status(), check.Equals, state.ErrorStatus)
 	c.Check(strings.Join(chg.Tasks()[0].Log(), "\n"), check.Matches, `(?s).*ERROR exceeded maximum runtime.*`)
 }
+
+func (s *cmdSuite) TestExecTimeoutMissing(c *check.C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	restore := cmdstate.MockDefaultExecTimeout(1 * time.Second)
+	defer restore()
+
+	ts := cmdstate.ExecWithTimeout(s.state, "Doing the thing", []string{"sleep", "0.3"}, time.Second/10)
+	c.Assert(len(ts.Tasks()), check.Equals, 1)
+	t := ts.Tasks()[0]
+	// no timeout means the default timeout will be used
+	t.Clear("timeout")
+	chg := s.state.NewChange("do-the-thing", "Doing the thing")
+	chg.AddAll(ts)
+
+	s.waitfor(chg)
+
+	// slept for
+	c.Check(chg.Status(), check.Equals, state.DoneStatus)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/cmdstate/export_test.go snapd-2.37~rc1~14.04/overlord/cmdstate/export_test.go
--- snapd-2.32.3.2~14.04/overlord/cmdstate/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/cmdstate/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,10 +23,10 @@
 	"time"
 )
 
-func MockExecTimeout(t time.Duration) func() {
-	ot := execTimeout
-	execTimeout = t
+func MockDefaultExecTimeout(t time.Duration) func() {
+	ot := defaultExecTimeout
+	defaultExecTimeout = t
 	return func() {
-		execTimeout = ot
+		defaultExecTimeout = ot
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/config/helpers.go snapd-2.37~rc1~14.04/overlord/configstate/config/helpers.go
--- snapd-2.32.3.2~14.04/overlord/configstate/config/helpers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/config/helpers.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,6 +26,7 @@
 	"regexp"
 	"strings"
 
+	"github.com/snapcore/snapd/features"
 	"github.com/snapcore/snapd/jsonutil"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
@@ -281,3 +282,29 @@
 	}
 	return nil
 }
+
+// Conf is an interface describing both state and transaction.
+type Conf interface {
+	Get(snapName, key string, result interface{}) error
+	Set(snapName, key string, value interface{}) error
+	Changes() []string
+	State() *state.State
+}
+
+// GetFeatureFlag returns the value of a given feature flag.
+func GetFeatureFlag(tr Conf, feature features.SnapdFeature) (bool, error) {
+	var isEnabled interface{}
+	snapName, confName := feature.ConfigOption()
+	if err := tr.Get(snapName, confName, &isEnabled); err != nil && !IsNoOption(err) {
+		return false, err
+	}
+	switch isEnabled {
+	case true, "true":
+		return true, nil
+	case false, "false":
+		return false, nil
+	case nil, "":
+		return feature.IsEnabledWhenUnset(), nil
+	}
+	return false, fmt.Errorf("%s can only be set to 'true' or 'false', got %q", feature, isEnabled)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/config/helpers_test.go snapd-2.37~rc1~14.04/overlord/configstate/config/helpers_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/config/helpers_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/config/helpers_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,6 +24,7 @@
 
 	. "gopkg.in/check.v1"
 
+	"github.com/snapcore/snapd/features"
 	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
@@ -172,3 +173,31 @@
 		c.Check(rawCfg, IsNil)
 	}
 }
+
+func (s *configHelpersSuite) TestGetFeatureFlag(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+	tr := config.NewTransaction(s.state)
+
+	// Feature flags have a value even if unset.
+	flag, err := config.GetFeatureFlag(tr, features.Layouts)
+	c.Assert(err, IsNil)
+	c.Check(flag, Equals, true)
+
+	// Feature flags can be disabled.
+	c.Assert(tr.Set("core", "experimental.layouts", "false"), IsNil)
+	flag, err = config.GetFeatureFlag(tr, features.Layouts)
+	c.Assert(err, IsNil)
+	c.Check(flag, Equals, false)
+
+	// Feature flags can be enabled.
+	c.Assert(tr.Set("core", "experimental.layouts", "true"), IsNil)
+	flag, err = config.GetFeatureFlag(tr, features.Layouts)
+	c.Assert(err, IsNil)
+	c.Check(flag, Equals, true)
+
+	// Feature flags must have a well-known value.
+	c.Assert(tr.Set("core", "experimental.layouts", "banana"), IsNil)
+	_, err = config.GetFeatureFlag(tr, features.Layouts)
+	c.Assert(err, ErrorMatches, `layouts can only be set to 'true' or 'false', got "banana"`)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/config/transaction.go snapd-2.37~rc1~14.04/overlord/configstate/config/transaction.go
--- snapd-2.32.3.2~14.04/overlord/configstate/config/transaction.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/config/transaction.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"sort"
 	"strings"
 	"sync"
 
@@ -66,6 +67,37 @@
 	return t.state
 }
 
+func changes(cfgStr string, cfg map[string]interface{}) []string {
+	var out []string
+	for k := range cfg {
+		switch subCfg := cfg[k].(type) {
+		case map[string]interface{}:
+			out = append(out, changes(cfgStr+"."+k, subCfg)...)
+		case *json.RawMessage:
+			// check if we need to dive into a sub-config
+			var configm map[string]interface{}
+			if err := jsonutil.DecodeWithNumber(bytes.NewReader(*subCfg), &configm); err == nil {
+				out = append(out, changes(cfgStr+"."+k, configm)...)
+				continue
+			}
+			out = append(out, []string{cfgStr + "." + k}...)
+		default:
+			out = append(out, []string{cfgStr + "." + k}...)
+		}
+	}
+	return out
+}
+
+// Changes returns the changing keys associated with this transaction
+func (t *Transaction) Changes() []string {
+	var out []string
+	for k := range t.changes {
+		out = append(out, changes(k, t.changes[k])...)
+	}
+	sort.Strings(out)
+	return out
+}
+
 // Set sets the provided snap's configuration key to the given value.
 // The provided key may be formed as a dotted key path through nested maps.
 // For example, the "a.b.c" key describes the {a: {b: {c: value}}} map.
@@ -74,18 +106,18 @@
 //
 // The provided value must marshal properly by encoding/json.
 // Changes are not persisted until Commit is called.
-func (t *Transaction) Set(snapName, key string, value interface{}) error {
+func (t *Transaction) Set(instanceName, key string, value interface{}) error {
 	t.mu.Lock()
 	defer t.mu.Unlock()
 
-	config, ok := t.changes[snapName]
+	config, ok := t.changes[instanceName]
 	if !ok {
 		config = make(map[string]interface{})
 	}
 
 	data, err := json.Marshal(value)
 	if err != nil {
-		return fmt.Errorf("cannot marshal snap %q option %q: %s", snapName, key, err)
+		return fmt.Errorf("cannot marshal snap %q option %q: %s", instanceName, key, err)
 	}
 	raw := json.RawMessage(data)
 
@@ -98,17 +130,17 @@
 	// would go unperceived by the configuration patching below.
 	if len(subkeys) > 1 {
 		var result interface{}
-		err = getFromPristine(snapName, subkeys, 0, t.pristine[snapName], &result)
+		err = getFromPristine(instanceName, subkeys, 0, t.pristine[instanceName], &result)
 		if err != nil && !IsNoOption(err) {
 			return err
 		}
 	}
-	_, err = PatchConfig(snapName, subkeys, 0, config, &raw)
+	_, err = PatchConfig(instanceName, subkeys, 0, config, &raw)
 	if err != nil {
 		return err
 	}
 
-	t.changes[snapName] = config
+	t.changes[instanceName] = config
 	return nil
 }
 
@@ -139,30 +171,30 @@
 // If the key does not exist, no error is returned.
 //
 // Transactions do not see updates from the current state or from other transactions.
-func (t *Transaction) GetMaybe(snapName, key string, result interface{}) error {
-	err := t.Get(snapName, key, result)
+func (t *Transaction) GetMaybe(instanceName, key string, result interface{}) error {
+	err := t.Get(instanceName, key, result)
 	if err != nil && !IsNoOption(err) {
 		return err
 	}
 	return nil
 }
 
-func getFromPristine(snapName string, subkeys []string, pos int, config map[string]*json.RawMessage, result interface{}) error {
+func getFromPristine(instanceName string, subkeys []string, pos int, config map[string]*json.RawMessage, result interface{}) error {
 	// special case - get root document
 	if len(subkeys) == 0 {
 		if len(config) == 0 {
-			return &NoOptionError{SnapName: snapName}
+			return &NoOptionError{SnapName: instanceName}
 		}
 		raw := jsonRaw(config)
 		if err := jsonutil.DecodeWithNumber(bytes.NewReader(*raw), &result); err != nil {
-			return fmt.Errorf("internal error: cannot unmarshal snap %q root document: %s", snapName, err)
+			return fmt.Errorf("internal error: cannot unmarshal snap %q root document: %s", instanceName, err)
 		}
 		return nil
 	}
 
 	raw, ok := config[subkeys[pos]]
 	if !ok {
-		return &NoOptionError{SnapName: snapName, Key: strings.Join(subkeys[:pos+1], ".")}
+		return &NoOptionError{SnapName: instanceName, Key: strings.Join(subkeys[:pos+1], ".")}
 	}
 
 	// There is a known problem with json raw messages representing nulls when they are stored in nested structures, such as
@@ -175,16 +207,16 @@
 	if pos+1 == len(subkeys) {
 		if err := jsonutil.DecodeWithNumber(bytes.NewReader(*raw), &result); err != nil {
 			key := strings.Join(subkeys, ".")
-			return fmt.Errorf("internal error: cannot unmarshal snap %q option %q into %T: %s, json: %s", snapName, key, result, err, *raw)
+			return fmt.Errorf("internal error: cannot unmarshal snap %q option %q into %T: %s, json: %s", instanceName, key, result, err, *raw)
 		}
 		return nil
 	}
 
 	var configm map[string]*json.RawMessage
 	if err := jsonutil.DecodeWithNumber(bytes.NewReader(*raw), &configm); err != nil {
-		return fmt.Errorf("snap %q option %q is not a map", snapName, strings.Join(subkeys[:pos+1], "."))
+		return fmt.Errorf("snap %q option %q is not a map", instanceName, strings.Join(subkeys[:pos+1], "."))
 	}
-	return getFromPristine(snapName, subkeys, pos+1, configm, result)
+	return getFromPristine(instanceName, subkeys, pos+1, configm, result)
 }
 
 // Commit applies to the state the configuration changes made in the transaction
@@ -208,15 +240,15 @@
 	}
 
 	// Iterate through the write cache and save each item.
-	for snapName, snapChanges := range t.changes {
-		config, ok := t.pristine[snapName]
+	for instanceName, snapChanges := range t.changes {
+		config, ok := t.pristine[instanceName]
 		if !ok {
 			config = make(map[string]*json.RawMessage)
 		}
 		for k, v := range snapChanges {
 			config[k] = commitChange(config[k], v)
 		}
-		t.pristine[snapName] = config
+		t.pristine[instanceName] = config
 	}
 
 	t.state.Set("config", t.pristine)
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/config/transaction_test.go snapd-2.37~rc1~14.04/overlord/configstate/config/transaction_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/config/transaction_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/config/transaction_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,6 +55,11 @@
 	return strings.Fields(string(op))[0]
 }
 
+func (op setGetOp) list() []string {
+	args := strings.Fields(string(op))
+	return args[1:]
+}
+
 func (op setGetOp) args() map[string]interface{} {
 	m := make(map[string]interface{})
 	args := strings.Fields(string(op))
@@ -90,10 +95,12 @@
 	`setunder three=3 big=9876543210`,
 	`get one=1 big=1234567890 two=2 three=-`,
 	`getunder one=- two=- three=3 big=9876543210`,
+	`changes core.big core.one core.two`,
 	`commit`,
 	`getunder one=1 two=2 three=3`,
 	`get one=1 two=2 three=3`,
 	`set two=22 four=4 big=1234567890`,
+	`changes core.big core.four core.two`,
 	`get one=1 two=22 three=3 four=4 big=1234567890`,
 	`getunder one=1 two=2 three=3 four=-`,
 	`commit`,
@@ -102,9 +109,11 @@
 	// Trivial full doc.
 	`set doc={"one":1,"two":2}`,
 	`get doc={"one":1,"two":2}`,
+	`changes core.doc.one core.doc.two`,
 }, {
 	// Root doc
 	`set doc={"one":1,"two":2}`,
+	`changes core.doc.one core.doc.two`,
 	`getroot ={"doc":{"one":1,"two":2}}`,
 	`commit`,
 	`getroot ={"doc":{"one":1,"two":2}}`,
@@ -112,7 +121,9 @@
 }, {
 	// Nested mutations.
 	`set one.two.three=3`,
+	`changes core.one.two.three`,
 	`set one.five=5`,
+	`changes core.one.five core.one.two.three`,
 	`setunder one={"two":{"four":4}}`,
 	`get one={"two":{"three":3},"five":5}`,
 	`get one.two={"three":3}`,
@@ -128,7 +139,9 @@
 }, {
 	// Replacement with nested mutation.
 	`set one={"two":{"three":3}}`,
+	`changes core.one.two.three`,
 	`set one.five=5`,
+	`changes core.one.five core.one.two.three`,
 	`get one={"two":{"three":3},"five":5}`,
 	`get one.two={"three":3}`,
 	`get one.two.three=3`,
@@ -139,6 +152,7 @@
 }, {
 	// Cannot go through known scalar implicitly.
 	`set one.two=2`,
+	`changes core.one.two`,
 	`set one.two.three=3 => snap "core" option "one\.two" is not a map`,
 	`get one.two.three=3 => snap "core" option "one\.two" is not a map`,
 	`get one={"two":2}`,
@@ -151,6 +165,7 @@
 	// Unknown scalars may be overwritten though.
 	`setunder one={"two":2}`,
 	`set one.two.three=3`,
+	`changes core.one.two.three`,
 	`commit`,
 	`getunder one={"two":{"three":3}}`,
 }, {
@@ -219,6 +234,11 @@
 			case "commit":
 				t.Commit()
 
+			case "changes":
+				expected := op.list()
+				obtained := t.Changes()
+				c.Check(obtained, DeepEquals, expected)
+
 			case "setunder":
 				var config map[string]map[string]interface{}
 				s.state.Get("config", &config)
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/cloud.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/cloud.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/cloud.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/cloud.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,10 +27,11 @@
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/state"
 )
 
-func alreadySeeded(tr Conf) (bool, error) {
+func alreadySeeded(tr config.Conf) (bool, error) {
 	st := tr.State()
 	st.Lock()
 	defer st.Unlock()
@@ -42,7 +43,43 @@
 	return seeded, nil
 }
 
-func setCloudInfoWhenSeeding(tr Conf) error {
+type cloudInitInstanceData struct {
+	V1 struct {
+		Region           string
+		Name             string
+		AvailabilityZone string
+	}
+}
+
+func (c *cloudInitInstanceData) UnmarshalJSON(bs []byte) error {
+	var instanceDataJSON struct {
+		V1 struct {
+			Region string `json:"region"`
+			// these fields can come with - or _ as separators
+			Name                string `json:"cloud_name"`
+			AltName             string `json:"cloud-name"`
+			AvailabilityZone    string `json:"availability_zone"`
+			AltAvailabilityZone string `json:"availability-zone"`
+		} `json:"v1"`
+	}
+
+	if err := json.Unmarshal(bs, &instanceDataJSON); err != nil {
+		return err
+	}
+
+	c.V1.Region = instanceDataJSON.V1.Region
+	switch {
+	case instanceDataJSON.V1.Name != "":
+		c.V1.Name = instanceDataJSON.V1.Name
+		c.V1.AvailabilityZone = instanceDataJSON.V1.AvailabilityZone
+	case instanceDataJSON.V1.AltName != "":
+		c.V1.Name = instanceDataJSON.V1.AltName
+		c.V1.AvailabilityZone = instanceDataJSON.V1.AltAvailabilityZone
+	}
+	return nil
+}
+
+func setCloudInfoWhenSeeding(tr config.Conf) error {
 	// if we are during seeding try to capture cloud information
 	seeded, err := alreadySeeded(tr)
 	if err != nil {
@@ -62,13 +99,8 @@
 		logger.Noticef("cannot read cloud instance information %q: %v", dirs.CloudInstanceDataFile, err)
 		return nil
 	}
-	var instanceData struct {
-		V1 struct {
-			Name             string `json:"cloud-name"`
-			Region           string `json:"region"`
-			AvailabilityZone string `json:"availability-zone"`
-		} `json:"v1"`
-	}
+
+	var instanceData cloudInitInstanceData
 	err = json.Unmarshal(data, &instanceData)
 	if err != nil {
 		logger.Noticef("cannot unmarshal cloud instance information %q: %v", dirs.CloudInstanceDataFile, err)
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/cloud_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/cloud_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/cloud_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/cloud_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -104,12 +104,68 @@
    "cloud-name": "none"
  }
 }`, "", "", ""},
+		// both _ and - are supported
+		{`{
+ "v1": {
+  "availability_zone": "nova",
+  "cloud_name": "openstack",
+  "instance-id": "b5",
+  "local-hostname": "b5",
+  "region": null
+ }
+}`, "openstack", "", "nova"},
+		{`{
+ "v1": {
+  "availability_zone": "nova",
+  "availability-zone": "nova",
+  "cloud_name": "openstack",
+  "cloud-name": "openstack",
+  "instance-id": "b5",
+  "local-hostname": "b5",
+  "region": null
+ }
+}`, "openstack", "", "nova"},
+		// cloud_name takes precedence, if set, and other fields follow
+		{`{
+ "v1": {
+  "availability_zone": "us-east-2b",
+  "availability-zone": "none",
+  "cloud_name": "aws",
+  "cloud_name": "aws",
+  "instance-id": "b5",
+  "local-hostname": "b5",
+  "region": null
+ }
+}`, "aws", "", "us-east-2b"},
+		{`{
+ "v1": {
+  "availability_zone": "nova",
+  "availability-zone": "gibberish",
+  "cloud_name": "openstack",
+  "cloud-name": "aws",
+  "instance-id": "b5",
+  "local-hostname": "b5",
+  "region": null
+ }
+}`, "openstack", "", "nova"},
+		{`{
+ "v1": {
+  "availability_zone": "gibberish",
+  "availability-zone": "nova",
+  "cloud_name": null,
+  "cloud-name": "openstack",
+  "instance-id": "b5",
+  "local-hostname": "b5",
+  "region": null
+ }
+}`, "openstack", "", "nova"},
 	}
 
 	err := os.MkdirAll(filepath.Dir(dirs.CloudInstanceDataFile), 0755)
 	c.Assert(err, IsNil)
 
-	for _, t := range tests {
+	for i, t := range tests {
+		c.Logf("tc: %v", i)
 		os.Remove(dirs.CloudInstanceDataFile)
 		if t.instData != "" {
 			err = ioutil.WriteFile(dirs.CloudInstanceDataFile, []byte(t.instData), 0600)
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/corecfg.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/corecfg.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/corecfg.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/corecfg.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,7 +24,6 @@
 	"os"
 
 	"github.com/snapcore/snapd/overlord/configstate/config"
-	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/release"
 )
 
@@ -33,13 +32,8 @@
 	Stderr = os.Stderr
 )
 
-type Conf interface {
-	Get(snapName, key string, result interface{}) error
-	Set(snapName, key string, value interface{}) error
-	State() *state.State
-}
-
-func coreCfg(tr Conf, key string) (result string, err error) {
+// coreCfg returns the configuration value for the core snap.
+func coreCfg(tr config.Conf, key string) (result string, err error) {
 	var v interface{} = ""
 	if err := tr.Get("core", key, &v); err != nil && !config.IsNoOption(err) {
 		return "", err
@@ -50,19 +44,62 @@
 	return fmt.Sprintf("%v", v), nil
 }
 
-func Run(tr Conf) error {
+// supportedConfigurations contains a set of handled configuration keys.
+// The actual values are populated by `init()` functions in each module.
+var supportedConfigurations = make(map[string]bool, 32)
+
+func validateBoolFlag(tr config.Conf, flag string) error {
+	value, err := coreCfg(tr, flag)
+	if err != nil {
+		return err
+	}
+	switch value {
+	case "", "true", "false":
+		// noop
+	default:
+		return fmt.Errorf("%s can only be set to 'true' or 'false'", flag)
+	}
+	return nil
+}
+
+func Run(tr config.Conf) error {
+	// check if the changes
+	for _, k := range tr.Changes() {
+		if !supportedConfigurations[k] {
+			return fmt.Errorf("cannot set %q: unsupported system option", k)
+		}
+	}
+
 	if err := validateProxyStore(tr); err != nil {
 		return err
 	}
 	if err := validateRefreshSchedule(tr); err != nil {
 		return err
 	}
+	if err := validateRefreshRateLimit(tr); err != nil {
+		return err
+	}
+	if err := validateExperimentalSettings(tr); err != nil {
+		return err
+	}
+	if err := validateWatchdogOptions(tr); err != nil {
+		return err
+	}
+	if err := validateNetworkSettings(tr); err != nil {
+		return err
+	}
+	// FIXME: ensure the user cannot set "core seed.loaded"
 
 	// capture cloud information
 	if err := setCloudInfoWhenSeeding(tr); err != nil {
 		return err
 	}
 
+	// Export experimental.* flags to a place easily accessible from snapd helpers.
+	if err := handleExperimentalFlags(tr); err != nil {
+		return err
+	}
+
 	// see if it makes sense to run at all
 	if release.OnClassic {
 		// nothing to do
@@ -88,6 +125,14 @@
 	if err := handleProxyConfiguration(tr); err != nil {
 		return err
 	}
+	// watchdog.{runtime-timeout,shutdown-timeout}
+	if err := handleWatchdogConfiguration(tr); err != nil {
+		return err
+	}
+	// network.disable-ipv6
+	if err := handleNetworkConfiguration(tr); err != nil {
+		return err
+	}
 
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/corecfg_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/corecfg_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/corecfg_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/corecfg_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,6 +26,8 @@
 
 	. "gopkg.in/check.v1"
 
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/overlord/configstate/configcore"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/systemd"
 )
@@ -33,19 +35,26 @@
 func Test(t *testing.T) { TestingT(t) }
 
 type mockConf struct {
-	state *state.State
-	conf  map[string]interface{}
-	err   error
+	state   *state.State
+	conf    map[string]interface{}
+	changes map[string]interface{}
+	err     error
 }
 
 func (cfg *mockConf) Get(snapName, key string, result interface{}) error {
 	if snapName != "core" {
 		return fmt.Errorf("mockConf only knows about core")
 	}
-	if cfg.conf[key] != nil {
+
+	var value interface{}
+	value = cfg.changes[key]
+	if value == nil {
+		value = cfg.conf[key]
+	}
+	if value != nil {
 		v1 := reflect.ValueOf(result)
 		v2 := reflect.Indirect(v1)
-		v2.Set(reflect.ValueOf(cfg.conf[key]))
+		v2.Set(reflect.ValueOf(value))
 	}
 	return cfg.err
 }
@@ -61,6 +70,14 @@
 	return nil
 }
 
+func (cfg *mockConf) Changes() []string {
+	out := make([]string, 0, len(cfg.changes))
+	for k := range cfg.changes {
+		out = append(out, "core."+k)
+	}
+	return out
+}
+
 func (cfg *mockConf) State() *state.State {
 	return cfg.state
 }
@@ -88,10 +105,29 @@
 }
 
 func (s *configcoreSuite) SetUpTest(c *C) {
+	dirs.SetRootDir(c.MkDir())
 	s.state = state.New(nil)
 }
 
+func (s *configcoreSuite) TearDownTest(c *C) {
+	dirs.SetRootDir("")
+}
+
 // runCfgSuite tests configcore.Run()
 type runCfgSuite struct {
 	configcoreSuite
 }
+
+var _ = Suite(&runCfgSuite{})
+
+func (r *runCfgSuite) TestConfigureUnknownOption(c *C) {
+	conf := &mockConf{
+		state: r.state,
+		changes: map[string]interface{}{
+			"unknown.option": "1",
+		},
+	}
+
+	err := configcore.Run(conf)
+	c.Check(err, ErrorMatches, `cannot set "core.unknown.option": unsupported system option`)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/experimental.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/experimental.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/experimental.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/experimental.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,72 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package configcore
+
+import (
+	"os"
+	"strings"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/features"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/config"
+)
+
+func init() {
+	for _, feature := range features.KnownFeatures() {
+		snapName, confName := feature.ConfigOption()
+		supportedConfigurations[snapName+"."+confName] = true
+	}
+}
+
+func validateExperimentalSettings(tr config.Conf) error {
+	for k := range supportedConfigurations {
+		if !strings.HasPrefix(k, "core.experimental.") {
+			continue
+		}
+		if err := validateBoolFlag(tr, strings.TrimPrefix(k, "core.")); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func handleExperimentalFlags(tr config.Conf) error {
+	dir := dirs.FeaturesDir
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return err
+	}
+	features := features.KnownFeatures()
+	content := make(map[string]*osutil.FileState, len(features))
+	for _, feature := range features {
+		if !feature.IsExported() {
+			continue
+		}
+		isEnabled, err := config.GetFeatureFlag(tr, feature)
+		if err != nil {
+			return err
+		}
+		if isEnabled {
+			content[feature.String()] = &osutil.FileState{Mode: 0644}
+		}
+	}
+	_, _, err := osutil.EnsureDirState(dir, "*", content)
+	return err
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/experimental_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/experimental_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/experimental_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/experimental_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,79 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package configcore_test
+
+import (
+	"fmt"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/features"
+	"github.com/snapcore/snapd/overlord/configstate/configcore"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type experimentalSuite struct {
+	configcoreSuite
+}
+
+var _ = Suite(&experimentalSuite{})
+
+func featureConf(feature features.SnapdFeature) string {
+	return "experimental." + feature.String()
+}
+
+func (s *experimentalSuite) TestConfigureExperimentalSettingsInvalid(c *C) {
+	for _, feature := range features.KnownFeatures() {
+		conf := &mockConf{
+			state:   s.state,
+			changes: map[string]interface{}{featureConf(feature): "foo"},
+		}
+		err := configcore.Run(conf)
+		c.Check(err, ErrorMatches, fmt.Sprintf(`%s can only be set to 'true' or 'false'`, featureConf(feature)))
+	}
+}
+
+func (s *experimentalSuite) TestConfigureExperimentalSettingsHappy(c *C) {
+	for _, feature := range features.KnownFeatures() {
+		for _, t := range []string{"true", "false"} {
+			conf := &mockConf{
+				state: s.state,
+				conf:  map[string]interface{}{featureConf(feature): t},
+			}
+			err := configcore.Run(conf)
+			c.Check(err, IsNil)
+		}
+	}
+}
+
+func (s *experimentalSuite) TestExportedFeatures(c *C) {
+	conf := &mockConf{
+		state: s.state,
+		conf:  map[string]interface{}{featureConf(features.PerUserMountNamespace): true},
+	}
+	err := configcore.Run(conf)
+	c.Assert(err, IsNil)
+	c.Check(features.PerUserMountNamespace.ControlFile(), testutil.FilePresent)
+
+	delete(conf.changes, "experimental.per-user-mount-namespace")
+	err = configcore.Run(conf)
+	c.Assert(err, IsNil)
+	c.Check(features.PerUserMountNamespace.ControlFile(), testutil.FilePresent)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/network.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/network.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/network.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/network.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,88 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package configcore
+
+import (
+	"bytes"
+	"fmt"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/config"
+)
+
+func init() {
+	// add supported configuration of this module
+	supportedConfigurations["core.network.disable-ipv6"] = true
+}
+
+func validateNetworkSettings(tr config.Conf) error {
+	return validateBoolFlag(tr, "network.disable-ipv6")
+}
+
+func handleNetworkConfiguration(tr config.Conf) error {
+	dir := filepath.Join(dirs.GlobalRootDir, "/etc/sysctl.d")
+	name := "10-snapd-network.conf"
+	content := bytes.NewBuffer(nil)
+
+	output, err := coreCfg(tr, "network.disable-ipv6")
+	if err != nil {
+		return nil
+	}
+
+	var sysctl string
+	switch output {
+	case "true":
+		sysctl = "net.ipv6.conf.all.disable_ipv6=1"
+		content.WriteString(sysctl + "\n")
+	case "false", "":
+		// Store the sysctl for the code below but don't write it to
+		// content so that the file setting this option gets removed.
+		sysctl = "net.ipv6.conf.all.disable_ipv6=0"
+	default:
+		return fmt.Errorf("unsupported disable-ipv6 option: %q", output)
+	}
+	dirContent := map[string]*osutil.FileState{}
+	if content.Len() > 0 {
+		dirContent[name] = &osutil.FileState{
+			Content: content.Bytes(),
+			Mode:    0644,
+		}
+	}
+
+	// write the new config
+	glob := name
+	changed, removed, err := osutil.EnsureDirState(dir, glob, dirContent)
+	if err != nil {
+		return err
+	}
+
+	// load the new config into the kernel
+	if len(changed) > 0 || len(removed) > 0 {
+		output, err := exec.Command("sysctl", "-w", sysctl).CombinedOutput()
+		if err != nil {
+			return osutil.OutputErr(output, err)
+		}
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/network_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/network_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/network_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/network_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,117 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package configcore_test
+
+import (
+	"os"
+	"path/filepath"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/configcore"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type networkSuite struct {
+	configcoreSuite
+
+	mockNetworkSysctlPath string
+	restores              []func()
+	mockSysctl            *testutil.MockCmd
+}
+
+var _ = Suite(&networkSuite{})
+
+func (s *networkSuite) SetUpTest(c *C) {
+	s.configcoreSuite.SetUpTest(c)
+	dirs.SetRootDir(c.MkDir())
+	s.restores = append(s.restores, release.MockOnClassic(false))
+
+	s.mockSysctl = testutil.MockCommand(c, "sysctl", "")
+	s.restores = append(s.restores, func() { s.mockSysctl.Restore() })
+
+	s.mockNetworkSysctlPath = filepath.Join(dirs.GlobalRootDir, "/etc/sysctl.d/10-snapd-network.conf")
+	c.Assert(os.MkdirAll(filepath.Dir(s.mockNetworkSysctlPath), 0755), IsNil)
+}
+
+func (s *networkSuite) TearDownTest(c *C) {
+	dirs.SetRootDir("/")
+	for _, f := range s.restores {
+		f()
+	}
+}
+
+func (s *networkSuite) TestConfigureNetworkIntegrationIPv6(c *C) {
+	// disable ipv6
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"network.disable-ipv6": true,
+		},
+	})
+	c.Assert(err, IsNil)
+
+	c.Check(s.mockNetworkSysctlPath, testutil.FileEquals, "net.ipv6.conf.all.disable_ipv6=1\n")
+	c.Check(s.mockSysctl.Calls(), DeepEquals, [][]string{
+		{"sysctl", "-w", "net.ipv6.conf.all.disable_ipv6=1"},
+	})
+	s.mockSysctl.ForgetCalls()
+
+	// enable it again
+	err = configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"network.disable-ipv6": false,
+		},
+	})
+	c.Assert(err, IsNil)
+
+	c.Check(osutil.FileExists(s.mockNetworkSysctlPath), Equals, false)
+	c.Check(s.mockSysctl.Calls(), DeepEquals, [][]string{
+		{"sysctl", "-w", "net.ipv6.conf.all.disable_ipv6=0"},
+	})
+	s.mockSysctl.ForgetCalls()
+
+	// enable it yet again, this does not trigger another syscall
+	err = configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"network.disable-ipv6": false,
+		},
+	})
+	c.Assert(err, IsNil)
+	c.Check(s.mockSysctl.Calls(), HasLen, 0)
+}
+
+func (s *networkSuite) TestConfigureNetworkIntegrationNoSetting(c *C) {
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf:  map[string]interface{}{},
+	})
+	c.Assert(err, IsNil)
+
+	// the file is not there and was not there before, nothing changed
+	// and no sysctl call is generated
+	c.Check(osutil.FileExists(s.mockNetworkSysctlPath), Equals, false)
+	c.Check(s.mockSysctl.Calls(), HasLen, 0)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/picfg.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/picfg.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/picfg.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/picfg.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,6 +27,7 @@
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 )
 
 // valid pi config keys
@@ -54,6 +55,14 @@
 	"hdmi_force_hotplug":       true,
 }
 
+func init() {
+	// add supported config keys
+	for k := range piConfigKeys {
+		s := fmt.Sprintf("core.pi-config.%s", strings.Replace(k, "_", "-", -1))
+		supportedConfigurations[s] = true
+	}
+}
+
 func updatePiConfig(path string, config map[string]string) error {
 	f, err := os.Open(path)
 	if err != nil {
@@ -80,7 +89,7 @@
 	return filepath.Join(dirs.GlobalRootDir, "/boot/uboot/config.txt")
 }
 
-func handlePiConfiguration(tr Conf) error {
+func handlePiConfiguration(tr config.Conf) error {
 	if osutil.FileExists(piConfigFile()) {
 		// snapctl can actually give us the whole dict in
 		// JSON, in a single call; use that instead of this.
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/picfg_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/picfg_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/picfg_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/picfg_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -49,6 +49,7 @@
 # and your display can output without overscan
 #disable_overscan=1
 unrelated_options=are-kept
+#gpu_mem_512=true
 `
 
 func (s *piCfgSuite) SetUpTest(c *C) {
@@ -153,5 +154,19 @@
 	c.Assert(err, IsNil)
 
 	s.checkMockConfig(c, mockConfigTxt)
+}
+
+func (s *piCfgSuite) TestConfigurePiConfigRegression(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
 
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"pi-config.gpu-mem-512": true,
+		},
+	})
+	c.Assert(err, IsNil)
+	expected := strings.Replace(mockConfigTxt, "#gpu_mem_512=true", "gpu_mem_512=true", -1)
+	s.checkMockConfig(c, expected)
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/powerbtn.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/powerbtn.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/powerbtn.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/powerbtn.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,8 +26,13 @@
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 )
 
+func init() {
+	supportedConfigurations["core.system.power-key-action"] = true
+}
+
 func powerBtnCfg() string {
 	return filepath.Join(dirs.GlobalRootDir, "/etc/systemd/logind.conf.d/00-snap-core.conf")
 }
@@ -62,7 +67,7 @@
 	return osutil.AtomicWriteFile(powerBtnCfg(), []byte(content), 0644, 0)
 }
 
-func handlePowerButtonConfiguration(tr Conf) error {
+func handlePowerButtonConfiguration(tr config.Conf) error {
 	output, err := coreCfg(tr, "system.power-key-action")
 	if err != nil {
 		return err
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/proxy.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/proxy.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/proxy.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/proxy.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,6 +29,7 @@
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/overlord/assertstate"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 )
 
 var proxyConfigKeys = map[string]bool{
@@ -38,6 +39,15 @@
 	"no_proxy":    true,
 }
 
+func init() {
+	// add supported configuration of this module
+	supportedConfigurations["core.proxy.http"] = true
+	supportedConfigurations["core.proxy.https"] = true
+	supportedConfigurations["core.proxy.ftp"] = true
+	supportedConfigurations["core.proxy.no-proxy"] = true
+	supportedConfigurations["core.proxy.store"] = true
+}
+
 func etcEnvironment() string {
 	return filepath.Join(dirs.GlobalRootDir, "/etc/environment")
 }
@@ -60,7 +70,7 @@
 	return nil
 }
 
-func handleProxyConfiguration(tr Conf) error {
+func handleProxyConfiguration(tr config.Conf) error {
 	config := map[string]string{}
 	// normal proxy settings
 	for _, key := range []string{"http", "https", "ftp"} {
@@ -84,7 +94,7 @@
 	return nil
 }
 
-func validateProxyStore(tr Conf) error {
+func validateProxyStore(tr config.Conf) error {
 	proxyStore, err := coreCfg(tr, "proxy.store")
 	if err != nil {
 		return err
@@ -97,9 +107,13 @@
 	st := tr.State()
 	st.Lock()
 	defer st.Unlock()
-	_, err = assertstate.Store(st, proxyStore)
+
+	store, err := assertstate.Store(st, proxyStore)
 	if asserts.IsNotFound(err) {
 		return fmt.Errorf("cannot set proxy.store to %q without a matching store assertion", proxyStore)
 	}
+	if err == nil && store.URL() == nil {
+		return fmt.Errorf("cannot set proxy.store to %q with a matching store assertion with url unset", proxyStore)
+	}
 	return err
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/proxy_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/proxy_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/proxy_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/proxy_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -151,10 +151,11 @@
 	s.state.Unlock()
 	c.Assert(err, IsNil)
 
-	// have a store assertion.
+	// have a store assertion
 	stoAs, err := s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
 		"store":       "foo",
 		"operator-id": operatorAcct.AccountID(),
+		"url":         "http://store.interal:9943",
 		"timestamp":   time.Now().Format(time.RFC3339),
 	}, nil, "")
 	c.Assert(err, IsNil)
@@ -166,3 +167,33 @@
 	err = configcore.Run(conf)
 	c.Check(err, IsNil)
 }
+
+func (s *proxySuite) TestConfigureProxyStoreNoURL(c *C) {
+	conf := &mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"proxy.store": "foo",
+		},
+	}
+
+	operatorAcct := assertstest.NewAccount(s.storeSigning, "foo-operator", nil, "")
+	s.state.Lock()
+	err := assertstate.Add(s.state, operatorAcct)
+	s.state.Unlock()
+	c.Assert(err, IsNil)
+
+	// have a store assertion but no url
+	stoAs, err := s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
+		"store":       "foo",
+		"operator-id": operatorAcct.AccountID(),
+		"timestamp":   time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	s.state.Lock()
+	err = assertstate.Add(s.state, stoAs)
+	s.state.Unlock()
+	c.Assert(err, IsNil)
+
+	err = configcore.Run(conf)
+	c.Check(err, ErrorMatches, `cannot set proxy.store to "foo" with a matching store assertion with url unset`)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/refresh.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/refresh.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/refresh.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/refresh.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -21,22 +21,32 @@
 
 import (
 	"fmt"
+	"strconv"
 	"time"
 
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/devicestate"
+	"github.com/snapcore/snapd/strutil"
 	"github.com/snapcore/snapd/timeutil"
 )
 
-func validateRefreshSchedule(tr Conf) error {
-	refreshTimerStr, err := coreCfg(tr, "refresh.timer")
+func init() {
+	supportedConfigurations["core.refresh.hold"] = true
+	supportedConfigurations["core.refresh.schedule"] = true
+	supportedConfigurations["core.refresh.timer"] = true
+	supportedConfigurations["core.refresh.metered"] = true
+	supportedConfigurations["core.refresh.retain"] = true
+	supportedConfigurations["core.refresh.rate-limit"] = true
+}
+
+func validateRefreshSchedule(tr config.Conf) error {
+	refreshRetainStr, err := coreCfg(tr, "refresh.retain")
 	if err != nil {
 		return err
 	}
-	if refreshTimerStr != "" {
-		// try legacy refresh.schedule setting if new-style
-		// refresh.timer is not set
-		if _, err = timeutil.ParseSchedule(refreshTimerStr); err != nil {
-			return err
+	if refreshRetainStr != "" {
+		if n, err := strconv.ParseUint(refreshRetainStr, 10, 8); err != nil || (n < 2 || n > 20) {
+			return fmt.Errorf("retain must be a number between 2 and 20, not %q", refreshRetainStr)
 		}
 	}
 
@@ -50,6 +60,41 @@
 		}
 	}
 
+	refreshOnMeteredStr, err := coreCfg(tr, "refresh.metered")
+	if err != nil {
+		return err
+	}
+	switch refreshOnMeteredStr {
+	case "", "hold":
+		// noop
+	default:
+		return fmt.Errorf("refresh.metered value %q is invalid", refreshOnMeteredStr)
+	}
+
+	// check (new) refresh.timer
+	refreshTimerStr, err := coreCfg(tr, "refresh.timer")
+	if err != nil {
+		return err
+	}
+	if refreshTimerStr == "managed" {
+		st := tr.State()
+		st.Lock()
+		defer st.Unlock()
+
+		if !devicestate.CanManageRefreshes(st) {
+			return fmt.Errorf("cannot set schedule to managed")
+		}
+		return nil
+	}
+	if refreshTimerStr != "" {
+		// try legacy refresh.schedule setting if new-style
+		// refresh.timer is not set
+		if _, err = timeutil.ParseSchedule(refreshTimerStr); err != nil {
+			return err
+		}
+	}
+
+	// check (legacy) refresh.schedule
 	refreshScheduleStr, err := coreCfg(tr, "refresh.schedule")
 	if err != nil {
 		return err
@@ -72,3 +117,18 @@
 	_, err = timeutil.ParseLegacySchedule(refreshScheduleStr)
 	return err
 }
+
+func validateRefreshRateLimit(tr config.Conf) error {
+	refreshRateLimit, err := coreCfg(tr, "refresh.rate-limit")
+	if err != nil {
+		return err
+	}
+	// reset is fine
+	if len(refreshRateLimit) == 0 {
+		return nil
+	}
+	if _, err := strutil.ParseByteSize(refreshRateLimit); err != nil {
+		return err
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/refresh_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/refresh_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/refresh_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/refresh_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -99,3 +99,71 @@
 	})
 	c.Assert(err, ErrorMatches, `refresh\.hold cannot be parsed:.*`)
 }
+
+func (s *refreshSuite) TestConfigureRefreshHoldOnMeteredInvalid(c *C) {
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"refresh.metered": "invalid",
+		},
+	})
+	c.Assert(err, ErrorMatches, `refresh\.metered value "invalid" is invalid`)
+}
+
+func (s *refreshSuite) TestConfigureRefreshHoldOnMeteredHappy(c *C) {
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"refresh.metered": "hold",
+		},
+	})
+	c.Assert(err, IsNil)
+
+	err = configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"refresh.metered": "",
+		},
+	})
+	c.Assert(err, IsNil)
+}
+
+func (s *refreshSuite) TestConfigureRefreshRetainHappy(c *C) {
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"refresh.retain": "4",
+		},
+	})
+	c.Assert(err, IsNil)
+}
+
+func (s *refreshSuite) TestConfigureRefreshRetainUnderRange(c *C) {
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"refresh.retain": "1",
+		},
+	})
+	c.Assert(err, ErrorMatches, `retain must be a number between 2 and 20, not "1"`)
+}
+
+func (s *refreshSuite) TestConfigureRefreshRetainOverRange(c *C) {
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"refresh.retain": "100",
+		},
+	})
+	c.Assert(err, ErrorMatches, `retain must be a number between 2 and 20, not "100"`)
+}
+
+func (s *refreshSuite) TestConfigureRefreshRetainInvalid(c *C) {
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"refresh.retain": "invalid",
+		},
+	})
+	c.Assert(err, ErrorMatches, `retain must be a number between 2 and 20, not "invalid"`)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/services.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/services.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/services.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/services.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,9 +27,22 @@
 	"time"
 
 	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/systemd"
 )
 
+var services = []struct{ configName, systemdName string }{
+	{"ssh", "ssh.service"},
+	{"rsyslog", "rsyslog.service"},
+}
+
+func init() {
+	for _, service := range services {
+		s := fmt.Sprintf("core.service.%s.disable", service.configName)
+		supportedConfigurations[s] = true
+	}
+}
+
 type sysdLogger struct{}
 
 func (l *sysdLogger) Notify(status string) {
@@ -96,11 +109,7 @@
 }
 
 // services that can be disabled
-func handleServiceDisableConfiguration(tr Conf) error {
-	var services = []struct{ configName, systemdName string }{
-		{"ssh", "ssh.service"},
-		{"rsyslog", "rsyslog.service"},
-	}
+func handleServiceDisableConfiguration(tr config.Conf) error {
 	for _, service := range services {
 		output, err := coreCfg(tr, fmt.Sprintf("service.%s.disable", service.configName))
 		if err != nil {
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/utils.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/utils.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/utils.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/utils.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,7 +27,7 @@
 )
 
 // first match is if it is comment, second is key, third value
-var rx = regexp.MustCompile(`^[ \t]*(#?)[ \t#]*([a-z_]+)=(.*)$`)
+var rx = regexp.MustCompile(`^[ \t]*(#?)[ \t#]*([a-z0-9_]+)=(.*)$`)
 
 // updateKeyValueStream updates simple key=value files with comments.
 // Example for such formats are: /etc/environment or /boot/uboot/config.txt
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/watchdog.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/watchdog.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/watchdog.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/watchdog.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,120 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package configcore
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/config"
+)
+
+func init() {
+	// add supported configuration of this module
+	supportedConfigurations["core.watchdog.runtime-timeout"] = true
+	supportedConfigurations["core.watchdog.shutdown-timeout"] = true
+}
+
+func updateWatchdogConfig(config map[string]uint) error {
+	dir := dirs.SnapSystemdConfDir
+	name := "10-snapd-watchdog.conf"
+	dirContent := make(map[string]*osutil.FileState, 1)
+
+	configStr := []string{}
+	for k, v := range config {
+		if v > 0 {
+			configStr = append(configStr, fmt.Sprintf("%s=%d\n", k, v))
+		}
+	}
+	if len(configStr) > 0 {
+		// We order the variables to have predictable output
+		sort.Strings(configStr)
+		content := "[Manager]\n" + strings.Join(configStr, "")
+		dirContent[name] = &osutil.FileState{
+			Content: []byte(content),
+			Mode:    0644,
+		}
+	}
+
+	glob := name
+	_, _, err := osutil.EnsureDirState(dir, glob, dirContent)
+	return err
+}
+
+func handleWatchdogConfiguration(tr config.Conf) error {
+	config := map[string]uint{}
+
+	for _, key := range []string{"runtime-timeout", "shutdown-timeout"} {
+		output, err := coreCfg(tr, "watchdog."+key)
+		if err != nil {
+			return err
+		}
+		secs, err := getSystemdConfSeconds(output)
+		if err != nil {
+			return fmt.Errorf("cannot set timer to %q: %v", output, err)
+		}
+		switch key {
+		case "runtime-timeout":
+			config["RuntimeWatchdogSec"] = secs
+		case "shutdown-timeout":
+			config["ShutdownWatchdogSec"] = secs
+		}
+	}
+
+	if err := updateWatchdogConfig(config); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func getSystemdConfSeconds(timeStr string) (uint, error) {
+	if timeStr == "" {
+		return 0, nil
+	}
+
+	dur, err := time.ParseDuration(timeStr)
+	if err != nil {
+		return 0, fmt.Errorf("cannot parse %q: %v", timeStr, err)
+	}
+	if dur < 0 {
+		return 0, fmt.Errorf("cannot use negative duration %q: %v", timeStr, err)
+	}
+
+	return uint(dur.Seconds()), nil
+}
+
+func validateWatchdogOptions(tr config.Conf) error {
+	for _, key := range []string{"runtime-timeout", "shutdown-timeout"} {
+		option, err := coreCfg(tr, "watchdog."+key)
+		if err != nil {
+			return err
+		}
+		if _, err = getSystemdConfSeconds(option); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configcore/watchdog_test.go snapd-2.37~rc1~14.04/overlord/configstate/configcore/watchdog_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configcore/watchdog_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configcore/watchdog_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,212 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package configcore_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"time"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/configcore"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type watchdogSuite struct {
+	configcoreSuite
+
+	mockEtcEnvironment string
+}
+
+var _ = Suite(&watchdogSuite{})
+
+func (s *watchdogSuite) SetUpTest(c *C) {
+	s.configcoreSuite.SetUpTest(c)
+
+	dirs.SetRootDir(c.MkDir())
+	s.mockEtcEnvironment = filepath.Join(dirs.SnapSystemdConfDir, "10-snapd-watchdog.conf")
+	err := os.MkdirAll(dirs.SnapSystemdConfDir, 0755)
+	c.Assert(err, IsNil)
+}
+
+func (s *watchdogSuite) TearDownTest(c *C) {
+	dirs.SetRootDir("/")
+}
+
+func (s *watchdogSuite) TestConfigureWatchdog(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	for option, val := range map[string]string{"runtime-timeout": "10", "shutdown-timeout": "60"} {
+
+		err := configcore.Run(&mockConf{
+			state: s.state,
+			conf: map[string]interface{}{
+				fmt.Sprintf("watchdog.%s", option): val + "s",
+			},
+		})
+		c.Assert(err, IsNil)
+
+		var systemdOption string
+		switch option {
+		case "runtime-timeout":
+			systemdOption = "RuntimeWatchdogSec"
+		case "shutdown-timeout":
+			systemdOption = "ShutdownWatchdogSec"
+		}
+		c.Check(s.mockEtcEnvironment, testutil.FileEquals,
+			fmt.Sprintf("[Manager]\n%s=%s\n", systemdOption, val))
+	}
+}
+
+func (s *watchdogSuite) TestConfigureWatchdogUnits(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	times := []int{56, 432}
+	type timeUnit struct {
+		unit  string
+		toSec int
+	}
+
+	for _, tunit := range []timeUnit{{"s", 1}, {"m", 60}, {"h", 3600}} {
+		err := configcore.Run(&mockConf{
+			state: s.state,
+			conf: map[string]interface{}{
+				"watchdog.runtime-timeout":  fmt.Sprintf("%d", times[0]) + tunit.unit,
+				"watchdog.shutdown-timeout": fmt.Sprintf("%d", times[1]) + tunit.unit,
+			},
+		})
+		c.Assert(err, IsNil)
+		c.Check(s.mockEtcEnvironment, testutil.FileEquals, "[Manager]\n"+
+			fmt.Sprintf("RuntimeWatchdogSec=%d\n", times[0]*tunit.toSec)+
+			fmt.Sprintf("ShutdownWatchdogSec=%d\n", times[1]*tunit.toSec))
+	}
+}
+
+func (s *watchdogSuite) TestConfigureWatchdogAll(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	times := []int{10, 100}
+	err := configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"watchdog.runtime-timeout":  fmt.Sprintf("%ds", times[0]),
+			"watchdog.shutdown-timeout": fmt.Sprintf("%ds", times[1]),
+		},
+	})
+	c.Assert(err, IsNil)
+	c.Check(s.mockEtcEnvironment, testutil.FileEquals, "[Manager]\n"+
+		fmt.Sprintf("RuntimeWatchdogSec=%d\n", times[0])+
+		fmt.Sprintf("ShutdownWatchdogSec=%d\n", times[1]))
+}
+
+func (s *watchdogSuite) TestConfigureWatchdogBadFormat(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	type badValErr struct {
+		val string
+		err string
+	}
+	for _, badVal := range []badValErr{{"BAD", ".*invalid duration.*"},
+		{"-5s", ".*negative duration.*"},
+		{"34k", ".*unknown unit.*"}} {
+		err := configcore.Run(&mockConf{
+			state: s.state,
+			conf: map[string]interface{}{
+				"watchdog.runtime-timeout": badVal.val,
+			},
+		})
+		c.Assert(err, ErrorMatches, badVal.err)
+	}
+}
+
+func (s *watchdogSuite) TestConfigureWatchdogNoFileUpdate(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	times := []int{10, 100}
+	content := "[Manager]\n" +
+		fmt.Sprintf("RuntimeWatchdogSec=%d\n", times[0]) +
+		fmt.Sprintf("ShutdownWatchdogSec=%d\n", times[1])
+	err := ioutil.WriteFile(s.mockEtcEnvironment, []byte(content), 0644)
+	c.Assert(err, IsNil)
+
+	info, err := os.Stat(s.mockEtcEnvironment)
+	c.Assert(err, IsNil)
+
+	fileModTime := info.ModTime()
+
+	// To make sure the times will defer if the file is newly written
+	time.Sleep(100 * time.Millisecond)
+
+	err = configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"watchdog.runtime-timeout":  fmt.Sprintf("%ds", times[0]),
+			"watchdog.shutdown-timeout": fmt.Sprintf("%ds", times[1]),
+		},
+	})
+	c.Assert(err, IsNil)
+	c.Check(s.mockEtcEnvironment, testutil.FileEquals, content)
+
+	info, err = os.Stat(s.mockEtcEnvironment)
+	c.Assert(err, IsNil)
+	c.Assert(info.ModTime(), Equals, fileModTime)
+}
+
+func (s *watchdogSuite) TestConfigureWatchdogRemovesIfEmpty(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	// add canary to ensure we don't touch other files
+	canary := filepath.Join(dirs.SnapSystemdConfDir, "05-canary.conf")
+	err := ioutil.WriteFile(canary, nil, 0644)
+	c.Assert(err, IsNil)
+
+	content := `[Manager]
+RuntimeWatchdogSec=10
+ShutdownWatchdogSec=20
+`
+	err = ioutil.WriteFile(s.mockEtcEnvironment, []byte(content), 0644)
+	c.Assert(err, IsNil)
+
+	err = configcore.Run(&mockConf{
+		state: s.state,
+		conf: map[string]interface{}{
+			"watchdog.runtime-timeout":  0,
+			"watchdog.shutdown-timeout": 0,
+		},
+	})
+	c.Assert(err, IsNil)
+
+	// ensure the file got deleted
+	c.Check(osutil.FileExists(s.mockEtcEnvironment), Equals, false)
+	// but the canary is still here
+	c.Check(osutil.FileExists(canary), Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configmgr.go snapd-2.37~rc1~14.04/overlord/configstate/configmgr.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configmgr.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configmgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,13 +22,14 @@
 import (
 	"regexp"
 
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/configstate/configcore"
 	"github.com/snapcore/snapd/overlord/hookstate"
 )
 
 var configcoreRun = configcore.Run
 
-func MockConfigcoreRun(f func(conf configcore.Conf) error) (restore func()) {
+func MockConfigcoreRun(f func(config.Conf) error) (restore func()) {
 	origConfigcoreRun := configcoreRun
 	configcoreRun = f
 	return func() {
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configstate.go snapd-2.37~rc1~14.04/overlord/configstate/configstate.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configstate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configstate.go	2019-01-16 08:36:51.000000000 +0000
@@ -47,21 +47,46 @@
 	return timeout
 }
 
+func canConfigure(st *state.State, snapName string) error {
+	// the "core" snap/pseudonym can always be configured as it
+	// is handled internally
+	if snapName == "core" {
+		return nil
+	}
+
+	var snapst snapstate.SnapState
+	err := snapstate.Get(st, snapName, &snapst)
+	if err != nil && err != state.ErrNoState {
+		return err
+	}
+
+	if !snapst.IsInstalled() {
+		return &snap.NotInstalledError{Snap: snapName}
+	}
+
+	// the "snapd" snap cannot be configured yet
+	if snapName == "snapd" {
+		return fmt.Errorf(`cannot configure the "snapd" snap, please use "system" instead`)
+	}
+
+	// bases cannot be configured for now
+	typ, err := snapst.Type()
+	if err != nil {
+		return err
+	}
+	if typ == snap.TypeBase {
+		return fmt.Errorf("cannot configure snap %q because it is of type 'base'", snapName)
+	}
+
+	return snapstate.CheckChangeConflict(st, snapName, nil)
+}
+
 // ConfigureInstalled returns a taskset to apply the given
 // configuration patch for an installed snap. It returns
 // snap.NotInstalledError if the snap is not installed.
 func ConfigureInstalled(st *state.State, snapName string, patch map[string]interface{}, flags int) (*state.TaskSet, error) {
-	// core is handled internally and can be configured before
-	// being installed
-	if snapName != "core" {
-		var snapst snapstate.SnapState
-		err := snapstate.Get(st, snapName, &snapst)
-		if err != nil && err != state.ErrNoState {
-			return nil, err
-		}
-		if !snapst.IsInstalled() {
-			return nil, &snap.NotInstalledError{Snap: snapName}
-		}
+	if err := canConfigure(st, snapName); err != nil {
+		return nil, err
 	}
 
 	taskset := Configure(st, snapName, patch, flags)
@@ -95,3 +120,19 @@
 	task := hookstate.HookTask(st, summary, hooksup, contextData)
 	return state.NewTaskSet(task)
 }
+
+// RemapSnapFromRequest renames a snap as received from an API request
+func RemapSnapFromRequest(snapName string) string {
+	if snapName == "system" {
+		return "core"
+	}
+	return snapName
+}
+
+// RemapSnapToResponse renames a snap as about to be sent from an API response
+func RemapSnapToResponse(snapName string) string {
+	if snapName == "core" {
+		return "system"
+	}
+	return snapName
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/configstate_test.go snapd-2.37~rc1~14.04/overlord/configstate/configstate_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/configstate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/configstate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,7 +27,6 @@
 	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/configstate"
 	"github.com/snapcore/snapd/overlord/configstate/config"
-	"github.com/snapcore/snapd/overlord/configstate/configcore"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
@@ -79,8 +78,9 @@
 		Sequence: []*snap.SideInfo{
 			{RealName: "test-snap", Revision: snap.R(1)},
 		},
-		Current: snap.R(1),
-		Active:  true,
+		Current:  snap.R(1),
+		Active:   true,
+		SnapType: "app",
 	})
 	s.state.Unlock()
 
@@ -123,7 +123,7 @@
 
 		context, err := hookstate.NewContext(task, task.State(), &hooksup, nil, "")
 		c.Check(err, IsNil)
-		c.Check(context.SnapName(), Equals, "test-snap")
+		c.Check(context.InstanceName(), Equals, "test-snap")
 		c.Check(context.SnapRevision(), Equals, snap.Revision{})
 		c.Check(context.HookName(), Equals, "configure")
 
@@ -144,6 +144,28 @@
 	}
 }
 
+func (s *tasksetsSuite) TestConfigureInstalledConflict(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+	snapstate.Set(s.state, "test-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "test-snap", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		Active:   true,
+		SnapType: "app",
+	})
+
+	ts, err := snapstate.Disable(s.state, "test-snap")
+	c.Assert(err, IsNil)
+	chg := s.state.NewChange("other-change", "...")
+	chg.AddAll(ts)
+
+	patch := map[string]interface{}{"foo": "bar"}
+	_, err = configstate.ConfigureInstalled(s.state, "test-snap", patch, 0)
+	c.Check(err, ErrorMatches, `snap "test-snap" has "other-change" change in progress`)
+}
+
 func (s *tasksetsSuite) TestConfigureNotInstalled(c *C) {
 	patch := map[string]interface{}{"foo": "bar"}
 	s.state.Lock()
@@ -157,6 +179,40 @@
 	c.Check(err, IsNil)
 }
 
+func (s *tasksetsSuite) TestConfigureDenyBases(c *C) {
+	patch := map[string]interface{}{"foo": "bar"}
+	s.state.Lock()
+	defer s.state.Unlock()
+	snapstate.Set(s.state, "test-base", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "test-base", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		Active:   true,
+		SnapType: "base",
+	})
+
+	_, err := configstate.ConfigureInstalled(s.state, "test-base", patch, 0)
+	c.Check(err, ErrorMatches, `cannot configure snap "test-base" because it is of type 'base'`)
+}
+
+func (s *tasksetsSuite) TestConfigureDenySnapd(c *C) {
+	patch := map[string]interface{}{"foo": "bar"}
+	s.state.Lock()
+	defer s.state.Unlock()
+	snapstate.Set(s.state, "snapd", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "snapd", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		Active:   true,
+		SnapType: "app",
+	})
+
+	_, err := configstate.ConfigureInstalled(s.state, "snapd", patch, 0)
+	c.Check(err, ErrorMatches, `cannot configure the "snapd" snap, please use "system" instead`)
+}
+
 type configcoreHijackSuite struct {
 	o     *overlord.Overlord
 	state *state.State
@@ -165,10 +221,11 @@
 func (s *configcoreHijackSuite) SetUpTest(c *C) {
 	s.o = overlord.Mock()
 	s.state = s.o.State()
-	hookMgr, err := hookstate.Manager(s.state)
+	hookMgr, err := hookstate.Manager(s.state, s.o.TaskRunner())
 	c.Assert(err, IsNil)
 	s.o.AddManager(hookMgr)
 	configstate.Init(hookMgr)
+	s.o.AddManager(s.o.TaskRunner())
 }
 
 type witnessManager struct {
@@ -176,10 +233,6 @@
 	committed bool
 }
 
-func (m *witnessManager) KnownTaskKinds() []string {
-	return nil
-}
-
 func (wm *witnessManager) Ensure() error {
 	wm.state.Lock()
 	defer wm.state.Unlock()
@@ -192,16 +245,10 @@
 	return nil
 }
 
-func (wm *witnessManager) Stop() {
-}
-
-func (wm *witnessManager) Wait() {
-}
-
 func (s *configcoreHijackSuite) TestHijack(c *C) {
 	configcoreRan := false
 	witnessCfg := false
-	witnessConfigcoreRun := func(conf configcore.Conf) error {
+	witnessConfigcoreRun := func(conf config.Conf) error {
 		// called with no state lock!
 		conf.State().Lock()
 		defer conf.State().Unlock()
@@ -245,3 +292,20 @@
 	c.Check(chg.Err(), IsNil)
 	c.Check(configcoreRan, Equals, true)
 }
+
+type miscSuite struct{}
+
+var _ = Suite(&miscSuite{})
+
+func (s *miscSuite) TestRemappingFuncs(c *C) {
+	// We don't change those.
+	c.Assert(configstate.RemapSnapFromRequest("foo"), Equals, "foo")
+	c.Assert(configstate.RemapSnapFromRequest("snapd"), Equals, "snapd")
+	c.Assert(configstate.RemapSnapFromRequest("core"), Equals, "core")
+	c.Assert(configstate.RemapSnapToResponse("foo"), Equals, "foo")
+	c.Assert(configstate.RemapSnapToResponse("snapd"), Equals, "snapd")
+
+	// This is the one we alter.
+	c.Assert(configstate.RemapSnapFromRequest("system"), Equals, "core")
+	c.Assert(configstate.RemapSnapToResponse("core"), Equals, "system")
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/handler_test.go snapd-2.37~rc1~14.04/overlord/configstate/handler_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/handler_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/handler_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -49,10 +49,29 @@
 var _ = Suite(&configureHandlerSuite{})
 
 func (s *configureHandlerSuite) SetUpTest(c *C) {
+	dirs.SetRootDir(c.MkDir())
+
 	s.state = state.New(nil)
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	coreSnapYaml := `name: core
+version: 1.0
+type: os
+`
+	snaptest.MockSnap(c, coreSnapYaml, &snap.SideInfo{
+		RealName: "core",
+		Revision: snap.R(1),
+	})
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1), SnapID: "core-snap-id"},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+
 	s.restore = snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {})
 
 	task := s.state.NewTask("test-task", "my test task")
@@ -67,6 +86,7 @@
 
 func (s *configureHandlerSuite) TearDownTest(c *C) {
 	s.restore()
+	dirs.SetRootDir("/")
 }
 
 func (s *configureHandlerSuite) TestBeforeInitializesTransaction(c *C) {
@@ -91,8 +111,6 @@
 func (s *configureHandlerSuite) TestBeforeInitializesTransactionUseDefaults(c *C) {
 	r := release.MockOnClassic(false)
 	defer r()
-	dirs.SetRootDir(c.MkDir())
-	defer dirs.SetRootDir("/")
 
 	const mockGadgetSnapYaml = `
 name: canonical-pc
@@ -100,7 +118,7 @@
 `
 	var mockGadgetYaml = []byte(`
 defaults:
-  test-snap-id:
+  test-snap-ididididididididididid:
       bar: baz
       num: 1.305
 
@@ -133,7 +151,7 @@
 	snapstate.Set(s.state, "test-snap", &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
-			{RealName: "test-snap", Revision: snap.R(11), SnapID: "test-snap-id"},
+			{RealName: "test-snap", Revision: snap.R(11), SnapID: "test-snap-ididididididididididid"},
 		},
 		Current:  snap.R(11),
 		SnapType: "app",
@@ -162,8 +180,6 @@
 func (s *configureHandlerSuite) TestBeforeUseDefaultsMissingHook(c *C) {
 	r := release.MockOnClassic(false)
 	defer r()
-	dirs.SetRootDir(c.MkDir())
-	defer dirs.SetRootDir("/")
 
 	const mockGadgetSnapYaml = `
 name: canonical-pc
@@ -171,7 +187,7 @@
 `
 	var mockGadgetYaml = []byte(`
 defaults:
-  test-snap-id:
+  test-snap-ididididididididididid:
       bar: baz
       num: 1.305
 
@@ -197,7 +213,7 @@
 	snapstate.Set(s.state, "test-snap", &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
-			{RealName: "test-snap", Revision: snap.R(11), SnapID: "test-snap-id"},
+			{RealName: "test-snap", Revision: snap.R(11), SnapID: "test-snap-ididididididididididid"},
 		},
 		Current:  snap.R(11),
 		SnapType: "app",
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/hooks.go snapd-2.37~rc1~14.04/overlord/configstate/hooks.go
--- snapd-2.32.3.2~14.04/overlord/configstate/hooks.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/hooks.go	2019-01-16 08:36:51.000000000 +0000
@@ -51,7 +51,7 @@
 
 	context.OnDone(func() error {
 		tr.Commit()
-		if context.SnapName() == "core" {
+		if context.InstanceName() == "core" {
 			// make sure the Ensure logic can process
 			// system configuration changes as soon as possible
 			context.State().EnsureBefore(0)
@@ -83,22 +83,22 @@
 		return err
 	}
 
-	snapName := h.context.SnapName()
+	instanceName := h.context.InstanceName()
 	st := h.context.State()
 	if useDefaults {
 		var err error
-		patch, err = snapstate.ConfigDefaults(st, snapName)
+		patch, err = snapstate.ConfigDefaults(st, instanceName)
 		if err != nil && err != state.ErrNoState {
 			return err
 		}
 		if len(patch) != 0 {
 			// TODO: helper on context?
-			info, err := snapstate.CurrentInfo(st, snapName)
+			info, err := snapstate.CurrentInfo(st, instanceName)
 			if err != nil {
 				return err
 			}
 			if info.Hooks["configure"] == nil {
-				return fmt.Errorf("cannot apply gadget config defaults for snap %q, no configure hook", snapName)
+				return fmt.Errorf("cannot apply gadget config defaults for snap %q, no configure hook", instanceName)
 			}
 		}
 	} else {
@@ -108,7 +108,7 @@
 	}
 
 	for key, value := range patch {
-		if err := tr.Set(snapName, key, value); err != nil {
+		if err := tr.Set(instanceName, key, value); err != nil {
 			return err
 		}
 	}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/proxyconf/proxy.go snapd-2.37~rc1~14.04/overlord/configstate/proxyconf/proxy.go
--- snapd-2.32.3.2~14.04/overlord/configstate/proxyconf/proxy.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/proxyconf/proxy.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,57 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package proxyconf
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+type ProxySettings struct {
+	st *state.State
+}
+
+func New(st *state.State) *ProxySettings {
+	return &ProxySettings{st: st}
+}
+
+func (p *ProxySettings) Conf(req *http.Request) (*url.URL, error) {
+	p.st.Lock()
+	tr := config.NewTransaction(p.st)
+	p.st.Unlock()
+
+	var proxy string
+	err := tr.Get("core", fmt.Sprintf("proxy.%s", req.URL.Scheme), &proxy)
+	if proxy == "" || config.IsNoOption(err) {
+		return http.ProxyFromEnvironment(req)
+	}
+	if err != nil {
+		return nil, err
+	}
+	url, err := url.Parse(proxy)
+	if err != nil {
+		return nil, err
+	}
+	return url, nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/proxyconf/proxy_test.go snapd-2.37~rc1~14.04/overlord/configstate/proxyconf/proxy_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/proxyconf/proxy_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/proxyconf/proxy_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,74 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package proxyconf_test
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/configstate/proxyconf"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+func TestT(t *testing.T) { TestingT(t) }
+
+type proxyconfSuite struct{}
+
+var _ = Suite(&proxyconfSuite{})
+
+func (s *proxyconfSuite) TestProxySettingsNoSetting(c *C) {
+	st := state.New(nil)
+
+	req, err := http.NewRequest("GET", "http://example.com", nil)
+	c.Assert(err, IsNil)
+
+	expected, err := http.ProxyFromEnvironment(req)
+	c.Assert(err, IsNil)
+
+	proxyConf := proxyconf.New(st)
+	proxy, err := proxyConf.Conf(req)
+	c.Assert(err, IsNil)
+	c.Check(proxy, DeepEquals, expected)
+}
+
+func (s *proxyconfSuite) TestProxySettings(c *C) {
+	st := state.New(nil)
+
+	req, err := http.NewRequest("GET", "http://example.com", nil)
+	c.Assert(err, IsNil)
+
+	st.Lock()
+	tr := config.NewTransaction(st)
+	tr.Set("core", "proxy.http", "http://some-proxy:3128")
+	tr.Commit()
+	st.Unlock()
+
+	proxyConf := proxyconf.New(st)
+	proxy, err := proxyConf.Conf(req)
+	c.Assert(err, IsNil)
+	c.Check(proxy, DeepEquals, &url.URL{
+		Scheme: "http",
+		Host:   "some-proxy:3128",
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/settings/settings.go snapd-2.37~rc1~14.04/overlord/configstate/settings/settings.go
--- snapd-2.32.3.2~14.04/overlord/configstate/settings/settings.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/settings/settings.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,41 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package settings
+
+import (
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+// ProblemReportsDisabled returns true if the problem reports are disabled
+// via the "core.problem-reports.disabled" settings.
+//
+// The state must be locked when this is called.
+func ProblemReportsDisabled(st *state.State) bool {
+	var disableProblemReports bool
+
+	tr := config.NewTransaction(st)
+	if err := tr.GetMaybe("core", "problem-reports.disabled", &disableProblemReports); err != nil {
+		logger.Noticef("cannot get problem report setting: %v", err)
+	}
+
+	return disableProblemReports
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/configstate/settings/settings_test.go snapd-2.37~rc1~14.04/overlord/configstate/settings/settings_test.go
--- snapd-2.32.3.2~14.04/overlord/configstate/settings/settings_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/configstate/settings/settings_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,60 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package settings_test
+
+import (
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/configstate/settings"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+func TestT(t *testing.T) { TestingT(t) }
+
+type settingsSuite struct {
+	state *state.State
+}
+
+var _ = Suite(&settingsSuite{})
+
+func (s *settingsSuite) SetUpTest(c *C) {
+	s.state = state.New(nil)
+}
+
+func (s *settingsSuite) TestSettingProblemReportsDisableDefault(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Check(settings.ProblemReportsDisabled(s.state), Equals, false)
+}
+
+func (s *settingsSuite) TestSettingProblemReportsDisable(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "problem-reports.disabled", true)
+	tr.Commit()
+
+	c.Check(settings.ProblemReportsDisabled(s.state), Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/crypto.go snapd-2.37~rc1~14.04/overlord/devicestate/crypto.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/crypto.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/crypto.go	2019-01-16 08:36:51.000000000 +0000
@@ -45,7 +45,7 @@
 
 	rsaKeyFile := filepath.Join(tempDir, "rsa.key")
 
-	cmd := exec.Command("ssh-keygen", "-t", "rsa", "-b", strconv.Itoa(keyLength), "-N", "", "-f", rsaKeyFile)
+	cmd := exec.Command("ssh-keygen", "-t", "rsa", "-b", strconv.Itoa(keyLength), "-N", "", "-f", rsaKeyFile, "-m", "PEM")
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return nil, osutil.OutputErr(out, err)
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/devicemgr.go snapd-2.37~rc1~14.04/overlord/devicestate/devicemgr.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/devicemgr.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/devicemgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -31,6 +31,7 @@
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
@@ -44,28 +45,33 @@
 type DeviceManager struct {
 	state      *state.State
 	keypairMgr asserts.KeypairManager
-	runner     *state.TaskRunner
 
 	bootOkRan            bool
 	bootRevisionsUpdated bool
 
+	ensureSeedInConfigRan bool
+
 	lastBecomeOperationalAttempt time.Time
 	becomeOperationalBackoff     time.Duration
+	registered                   bool
+	reg                          chan struct{}
 }
 
 // Manager returns a new device manager.
-func Manager(s *state.State, hookManager *hookstate.HookManager) (*DeviceManager, error) {
+func Manager(s *state.State, hookManager *hookstate.HookManager, runner *state.TaskRunner) (*DeviceManager, error) {
 	delayedCrossMgrInit()
 
-	runner := state.NewTaskRunner(s)
-
 	keypairMgr, err := asserts.OpenFSKeypairManager(dirs.SnapDeviceDir)
 	if err != nil {
 		return nil, err
 
 	}
 
-	m := &DeviceManager{state: s, keypairMgr: keypairMgr, runner: runner}
+	m := &DeviceManager{state: s, keypairMgr: keypairMgr, reg: make(chan struct{})}
+
+	if err := m.confirmRegistered(); err != nil {
+		return nil, err
+	}
 
 	hookManager.Register(regexp.MustCompile("^prepare-device$"), newPrepareDeviceHandler)
 
@@ -76,6 +82,37 @@
 	return m, nil
 }
 
+func (m *DeviceManager) CanStandby() bool {
+	var seeded bool
+	if err := m.state.Get("seeded", &seeded); err != nil {
+		return false
+	}
+	return seeded
+}
+
+func (m *DeviceManager) confirmRegistered() error {
+	m.state.Lock()
+	defer m.state.Unlock()
+
+	device, err := auth.Device(m.state)
+	if err != nil {
+		return err
+	}
+
+	if device.Serial != "" {
+		m.markRegistered()
+	}
+	return nil
+}
+
+func (m *DeviceManager) markRegistered() {
+	if m.registered {
+		return
+	}
+	m.registered = true
+	close(m.reg)
+}
+
 type prepareDeviceHandler struct{}
 
 func newPrepareDeviceHandler(context *hookstate.Context) hookstate.Handler {
@@ -139,6 +176,19 @@
 	return false
 }
 
+func setClassicFallbackModel(st *state.State, device *auth.DeviceState) error {
+	err := assertstate.Add(st, sysdb.GenericClassicModel())
+	if err != nil && !asserts.IsUnaccceptedUpdate(err) {
+		return fmt.Errorf(`cannot install "generic-classic" fallback model assertion: %v`, err)
+	}
+	device.Brand = "generic"
+	device.Model = "generic-classic"
+	if err := auth.SetDevice(st, device); err != nil {
+		return err
+	}
+	return nil
+}
+
 func (m *DeviceManager) ensureOperational() error {
 	m.state.Lock()
 	defer m.state.Unlock()
@@ -178,13 +228,8 @@
 		}
 		// we are on classic and seeded but there is no model:
 		// use a fallback model!
-		err = assertstate.Add(m.state, sysdb.GenericClassicModel())
-		if err != nil && !asserts.IsUnaccceptedUpdate(err) {
-			return fmt.Errorf(`cannot install "generic-classic" fallback model assertion: %v`, err)
-		}
-		device.Brand = "generic"
-		device.Model = "generic-classic"
-		if err := auth.SetDevice(m.state, device); err != nil {
+		err := setClassicFallbackModel(m.state, device)
+		if err != nil {
 			return err
 		}
 	}
@@ -218,8 +263,9 @@
 		}
 	}
 
-	// if there's a gadget specified wait for it
 	var gadgetInfo *snap.Info
+	var hasPrepareDeviceHook bool
+	// if there's a gadget specified wait for it
 	if gadget != "" {
 		var err error
 		gadgetInfo, err = snapstate.GadgetInfo(m.state)
@@ -230,6 +276,16 @@
 		if err != nil {
 			return err
 		}
+		hasPrepareDeviceHook = (gadgetInfo.Hooks["prepare-device"] != nil)
+	}
+
+	// When the prepare-device hook is used we need a fully seeded system
+	// to ensure the prepare-device hook has access to the things it
+	// needs
+	if !seeded && hasPrepareDeviceHook {
+		// this will be run again, so eventually when the system is
+		// seeded the code below runs
+		return nil
 	}
 
 	// have some backoff between full retries
@@ -246,10 +302,10 @@
 	tasks := []*state.Task{}
 
 	var prepareDevice *state.Task
-	if gadgetInfo != nil && gadgetInfo.Hooks["prepare-device"] != nil {
+	if hasPrepareDeviceHook {
 		summary := i18n.G("Run prepare-device hook")
 		hooksup := &hookstate.HookSetup{
-			Snap: gadgetInfo.Name(),
+			Snap: gadgetInfo.InstanceName(),
 			Hook: "prepare-device",
 		}
 		prepareDevice = hookstate.HookTask(m.state, summary, hooksup, nil)
@@ -342,6 +398,51 @@
 	return nil
 }
 
+func markSeededInConfig(st *state.State) error {
+	var seedDone bool
+	tr := config.NewTransaction(st)
+	if err := tr.Get("core", "seed.loaded", &seedDone); err != nil && !config.IsNoOption(err) {
+		return err
+	}
+	if !seedDone {
+		if err := tr.Set("core", "seed.loaded", true); err != nil {
+			return err
+		}
+		tr.Commit()
+	}
+	return nil
+}
+
+func (m *DeviceManager) ensureSeedInConfig() error {
+	m.state.Lock()
+	defer m.state.Unlock()
+
+	if !m.ensureSeedInConfigRan {
+		// get global seeded option
+		var seeded bool
+		if err := m.state.Get("seeded", &seeded); err != nil && err != state.ErrNoState {
+			return err
+		}
+		if !seeded {
+			// wait for ensure again, this is fine because
+			// doMarkSeeded will run "EnsureBefore(0)"
+			return nil
+		}
+
+		// Sync seeding with the configuration state. We need to
+		// do this here to ensure that old systems which did not
+		// set the configuration on seeding get the configuration
+		// update too.
+		if err := markSeededInConfig(m.state); err != nil {
+			return err
+		}
+		m.ensureSeedInConfigRan = true
+	}
+
+	return nil
+
+}
+
 type ensureError struct {
 	errs []error
 }
@@ -357,10 +458,6 @@
 	return strings.Join(parts, "\n - ")
 }
 
-func (m *DeviceManager) KnownTaskKinds() []string {
-	return m.runner.KnownTaskKinds()
-}
-
 // Ensure implements StateManager.Ensure.
 func (m *DeviceManager) Ensure() error {
 	var errs []error
@@ -376,7 +473,9 @@
 		errs = append(errs, err)
 	}
 
-	m.runner.Ensure()
+	if err := m.ensureSeedInConfig(); err != nil {
+		errs = append(errs, err)
+	}
 
 	if len(errs) > 0 {
 		return &ensureError{errs}
@@ -385,16 +484,6 @@
 	return nil
 }
 
-// Wait implements StateManager.Wait.
-func (m *DeviceManager) Wait() {
-	m.runner.Wait()
-}
-
-// Stop implements StateManager.Stop.
-func (m *DeviceManager) Stop() {
-	m.runner.Stop()
-}
-
 func (m *DeviceManager) keyPair() (asserts.PrivateKey, error) {
 	device, err := auth.Device(m.state)
 	if err != nil {
@@ -432,6 +521,11 @@
 	return Serial(m.state)
 }
 
+// Registered returns a channel that is closed when the device is known to have been registered.
+func (m *DeviceManager) Registered() <-chan struct{} {
+	return m.reg
+}
+
 // DeviceSessionRequestParams produces a device-session-request with the given nonce, together with other required parameters, the device serial and model assertions.
 func (m *DeviceManager) DeviceSessionRequestParams(nonce string) (*auth.DeviceSessionRequestParams, error) {
 	m.state.Lock()
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/devicestate.go snapd-2.37~rc1~14.04/overlord/devicestate/devicestate.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/devicestate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/devicestate.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -27,6 +27,7 @@
 
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/netutil"
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate/config"
@@ -159,14 +160,14 @@
 	if snapInfo.SnapID != "" {
 		snapDecl, err := assertstate.SnapDeclaration(st, snapInfo.SnapID)
 		if err != nil {
-			return fmt.Errorf("internal error: cannot find snap declaration for %q: %v", snapInfo.Name(), err)
+			return fmt.Errorf("internal error: cannot find snap declaration for %q: %v", snapInfo.InstanceName(), err)
 		}
 		publisher := snapDecl.PublisherID()
 		if publisher != "canonical" && publisher != model.BrandID() {
-			return fmt.Errorf("cannot install %s %q published by %q for model by %q", kind, snapInfo.Name(), publisher, model.BrandID())
+			return fmt.Errorf("cannot install %s %q published by %q for model by %q", kind, snapInfo.InstanceName(), publisher, model.BrandID())
 		}
 	} else {
-		logger.Noticef("installing unasserted %s %q", kind, snapInfo.Name())
+		logger.Noticef("installing unasserted %s %q", kind, snapInfo.InstanceName())
 	}
 
 	currentSnap, err := currentInfo(st)
@@ -184,8 +185,12 @@
 		return fmt.Errorf("cannot install %s snap on classic if not requested by the model", kind)
 	}
 
-	if snapInfo.Name() != expectedName {
-		return fmt.Errorf("cannot install %s %q, model assertion requests %q", kind, snapInfo.Name(), expectedName)
+	if snapInfo.InstanceName() != snapInfo.SnapName() {
+		return fmt.Errorf("cannot install %q, parallel installation of kernel or gadget snaps is not supported", snapInfo.InstanceName())
+	}
+
+	if snapInfo.InstanceName() != expectedName {
+		return fmt.Errorf("cannot install %s %q, model assertion requests %q", kind, snapInfo.InstanceName(), expectedName)
 	}
 
 	return nil
@@ -199,11 +204,16 @@
 	})
 	snapstate.CanAutoRefresh = canAutoRefresh
 	snapstate.CanManageRefreshes = CanManageRefreshes
+	snapstate.IsOnMeteredConnection = netutil.IsOnMeteredConnection
+	snapstate.Model = Model
 }
 
 // ProxyStore returns the store assertion for the proxy store if one is set.
 func ProxyStore(st *state.State) (*asserts.Store, error) {
-	tr := config.NewTransaction(st)
+	return proxyStore(st, config.NewTransaction(st))
+}
+
+func proxyStore(st *state.State, tr *config.Transaction) (*asserts.Store, error) {
 	var proxyStore string
 	err := tr.GetMaybe("core", "proxy.store", &proxyStore)
 	if err != nil {
@@ -235,19 +245,28 @@
 
 // CanManageRefreshes returns true if the device can be
 // switched to the "core.refresh.schedule=managed" mode.
+//
+// TODO:
+// - Move the CanManageRefreshes code into the ifstate
+// - Look at the connections and find the connection for snapd-control
+//   with the managed attribute
+// - Take the snap from this connection and look at the snapstate to see
+//   if that snap has a snap declaration (to ensure it comes from the store)
 func CanManageRefreshes(st *state.State) bool {
 	snapStates, err := snapstate.All(st)
 	if err != nil {
 		return false
 	}
 	for _, snapst := range snapStates {
-		if !snapst.Active {
-			continue
-		}
+		// Always get the current info even if the snap is currently
+		// being operated on or if its disabled.
 		info, err := snapst.CurrentInfo()
 		if err != nil {
 			continue
 		}
+		if info.Broken != "" {
+			continue
+		}
 		// The snap must have a snap declaration (implies that
 		// its from the store)
 		if _, err := assertstate.SnapDeclaration(st, info.SideInfo.SnapID); err != nil {
@@ -256,7 +275,7 @@
 
 		for _, plugInfo := range info.Plugs {
 			if plugInfo.Interface == "snapd-control" && plugInfo.Attrs["refresh-schedule"] == "managed" {
-				snapName := info.Name()
+				snapName := info.InstanceName()
 				plugName := plugInfo.Name
 				if interfaceConnected(st, snapName, plugName) {
 					return true
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/devicestate_test.go snapd-2.37~rc1~14.04/overlord/devicestate/devicestate_test.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/devicestate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/devicestate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,10 +25,11 @@
 	"fmt"
 	"io"
 	"io/ioutil"
+	"net"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
-	"sort"
 	"sync"
 	"testing"
 	"time"
@@ -45,6 +46,7 @@
 	"github.com/snapcore/snapd/httputil"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/auth"
@@ -68,6 +70,7 @@
 type deviceMgrSuite struct {
 	o       *overlord.Overlord
 	state   *state.State
+	se      *overlord.StateEngine
 	hookMgr *hookstate.HookManager
 	mgr     *devicestate.DeviceManager
 	db      *asserts.Database
@@ -121,6 +124,7 @@
 	s.storeSigning = assertstest.NewStoreStack("canonical", nil)
 	s.o = overlord.Mock()
 	s.state = s.o.State()
+	s.se = s.o.StateEngine()
 
 	s.restoreGenericClassicMod = sysdb.MockGenericClassicModel(s.storeSigning.GenericClassicModel)
 
@@ -141,9 +145,9 @@
 	err = db.Add(s.storeSigning.StoreAccountKey(""))
 	c.Assert(err, IsNil)
 
-	hookMgr, err := hookstate.Manager(s.state)
+	hookMgr, err := hookstate.Manager(s.state, s.o.TaskRunner())
 	c.Assert(err, IsNil)
-	mgr, err := devicestate.Manager(s.state, hookMgr)
+	mgr, err := devicestate.Manager(s.state, hookMgr, s.o.TaskRunner())
 	c.Assert(err, IsNil)
 
 	s.db = db
@@ -151,6 +155,7 @@
 	s.o.AddManager(s.hookMgr)
 	s.mgr = mgr
 	s.o.AddManager(s.mgr)
+	s.o.AddManager(s.o.TaskRunner())
 
 	s.state.Lock()
 	snapstate.ReplaceStore(s.state, &fakeStore{
@@ -195,7 +200,34 @@
 	var mu sync.Mutex
 	count := 0
 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		default:
+			c.Fatalf("unexpected verb %q", r.Method)
+		case "HEAD":
+			if r.URL.Path != "/" {
+				c.Fatalf("unexpected HEAD request %q", r.URL.String())
+			}
+			switch s.reqID {
+			case "REQID-42":
+				w.Header().Set("Snap-Store-Version", "6")
+			case "REQID-41":
+				w.Header().Set("Snap-Store-Version", "5")
+			default:
+				c.Fatalf("unexpected HEAD request w/reqID %q", s.reqID)
+			}
+			w.WriteHeader(200)
+			return
+		case "POST":
+			// carry on
+		}
+
+		if s.reqID == "REQID-42" {
+			c.Check(r.Header.Get("X-Snap-Device-Service-URL"), Matches, "http://[^/]*/bad/svc/")
+		}
+
 		switch r.URL.Path {
+		default:
+			c.Fatalf("unexpected POST request %q", r.URL.String())
 		case requestIDURLPath, "/svc/request-id":
 			if s.reqID == "REQID-501" {
 				w.WriteHeader(501)
@@ -209,6 +241,9 @@
 			c.Check(r.Header.Get("X-Extra-Header"), Equals, "extra")
 			fallthrough
 		case serialURLPath:
+			if s.reqID == "REQID-42" {
+				c.Check(r.Header.Get("X-Extra-Header"), Equals, "extra")
+			}
 			c.Check(r.Header.Get("User-Agent"), Equals, expectedUserAgent)
 
 			mu.Lock()
@@ -321,12 +356,6 @@
 	return nil
 }
 
-func (s *deviceMgrSuite) TestKnownTaskKinds(c *C) {
-	kinds := s.mgr.KnownTaskKinds()
-	sort.Strings(kinds)
-	c.Assert(kinds, DeepEquals, []string{"generate-device-key", "mark-seeded", "request-serial"})
-}
-
 func (s *deviceMgrSuite) TestFullDeviceRegistrationHappy(c *C) {
 	r1 := devicestate.MockKeyLength(testKeyLength)
 	defer r1()
@@ -335,18 +364,114 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	r2 := devicestate.MockRequestIDURL(mockRequestIDURL)
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer r2()
 
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	r3 := devicestate.MockSerialRequestURL(mockSerialRequestURL)
-	defer r3()
+	// setup state as will be done by first-boot
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.makeModelAssertionInState(c, "canonical", "pc", map[string]string{
+		"architecture": "amd64",
+		"kernel":       "pc-kernel",
+		"gadget":       "pc",
+	})
+
+	auth.SetDevice(s.state, &auth.DeviceState{
+		Brand: "canonical",
+		Model: "pc",
+	})
+
+	// avoid full seeding
+	s.seeding()
+
+	// not started without gadget
+	s.state.Unlock()
+	s.se.Ensure()
+	s.state.Lock()
+
+	becomeOperational := s.findBecomeOperationalChange()
+	c.Check(becomeOperational, IsNil)
+
+	s.setupGadget(c, `
+name: pc
+type: gadget
+version: gadget
+`, "")
+
+	// runs the whole device registration process
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	becomeOperational = s.findBecomeOperationalChange()
+	c.Assert(becomeOperational, NotNil)
+
+	c.Check(becomeOperational.Status().Ready(), Equals, true)
+	c.Check(becomeOperational.Err(), IsNil)
+
+	device, err := auth.Device(s.state)
+	c.Assert(err, IsNil)
+	c.Check(device.Brand, Equals, "canonical")
+	c.Check(device.Model, Equals, "pc")
+	c.Check(device.Serial, Equals, "9999")
+
+	ok := false
+	select {
+	case <-s.mgr.Registered():
+		ok = true
+	case <-time.After(5 * time.Second):
+		c.Fatal("should have been marked registered")
+	}
+	c.Check(ok, Equals, true)
+
+	a, err := s.db.Find(asserts.SerialType, map[string]string{
+		"brand-id": "canonical",
+		"model":    "pc",
+		"serial":   "9999",
+	})
+	c.Assert(err, IsNil)
+	serial := a.(*asserts.Serial)
+
+	privKey, err := devicestate.KeypairManager(s.mgr).Get(serial.DeviceKey().ID())
+	c.Assert(err, IsNil)
+	c.Check(privKey, NotNil)
+
+	c.Check(device.KeyID, Equals, privKey.PublicKey().ID())
+}
+
+func (s *deviceMgrSuite) TestFullDeviceRegistrationHappyWithProxy(c *C) {
+	r1 := devicestate.MockKeyLength(testKeyLength)
+	defer r1()
+
+	s.reqID = "REQID-1"
+	mockServer := s.mockServer(c)
+	defer mockServer.Close()
+
+	// as core.proxy.store is set, should not need to do this but just in case
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL + "/direct/baaad/")
+	defer r2()
 
 	// setup state as will be done by first-boot
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	tr := config.NewTransaction(s.state)
+	c.Assert(tr.Set("core", "proxy.store", "foo"), IsNil)
+	tr.Commit()
+	operatorAcct := assertstest.NewAccount(s.storeSigning, "foo-operator", nil, "")
+	c.Assert(assertstate.Add(s.state, operatorAcct), IsNil)
+
+	// have a store assertion.
+	stoAs, err := s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
+		"store":       "foo",
+		"url":         mockServer.URL,
+		"operator-id": operatorAcct.AccountID(),
+		"timestamp":   time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	c.Assert(assertstate.Add(s.state, stoAs), IsNil)
+
 	s.makeModelAssertionInState(c, "canonical", "pc", map[string]string{
 		"architecture": "amd64",
 		"kernel":       "pc-kernel",
@@ -363,7 +488,7 @@
 
 	// not started without gadget
 	s.state.Unlock()
-	s.mgr.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	becomeOperational := s.findBecomeOperationalChange()
@@ -392,6 +517,15 @@
 	c.Check(device.Model, Equals, "pc")
 	c.Check(device.Serial, Equals, "9999")
 
+	ok := false
+	select {
+	case <-s.mgr.Registered():
+		ok = true
+	case <-time.After(5 * time.Second):
+		c.Fatal("should have been marked registered")
+	}
+	c.Check(ok, Equals, true)
+
 	a, err := s.db.Find(asserts.SerialType, map[string]string{
 		"brand-id": "canonical",
 		"model":    "pc",
@@ -418,14 +552,9 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	r2 := devicestate.MockRequestIDURL(mockRequestIDURL)
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer r2()
 
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	r3 := devicestate.MockSerialRequestURL(mockSerialRequestURL)
-	defer r3()
-
 	// setup state as will be done by first-boot
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -486,14 +615,9 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	r2 := devicestate.MockRequestIDURL(mockRequestIDURL)
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer r2()
 
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	r3 := devicestate.MockSerialRequestURL(mockSerialRequestURL)
-	defer r3()
-
 	// setup state as will be done by first-boot
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -503,7 +627,7 @@
 
 	// not started without some installation happening or happened
 	s.state.Unlock()
-	s.mgr.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	becomeOperational := s.findBecomeOperationalChange()
@@ -569,14 +693,9 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	r2 := devicestate.MockRequestIDURL(mockRequestIDURL)
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer r2()
 
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	r3 := devicestate.MockSerialRequestURL(mockSerialRequestURL)
-	defer r3()
-
 	// setup state as will be done by first-boot
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -639,12 +758,7 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	restore := devicestate.MockRequestIDURL(mockRequestIDURL)
-	defer restore()
-
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	restore = devicestate.MockSerialRequestURL(mockSerialRequestURL)
+	restore := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer restore()
 
 	restore = devicestate.MockRepeatRequestSerial("after-add-serial")
@@ -675,8 +789,8 @@
 	s.seeding()
 
 	s.state.Unlock()
-	s.mgr.Ensure()
-	s.mgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.DoingStatus)
@@ -689,9 +803,17 @@
 	})
 	c.Assert(err, IsNil)
 
+	ok := false
+	select {
+	case <-s.mgr.Registered():
+	default:
+		ok = true
+	}
+	c.Check(ok, Equals, true)
+
 	s.state.Unlock()
-	s.mgr.Ensure()
-	s.mgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	// Repeated handler run but set original serial.
@@ -699,6 +821,15 @@
 	device, err = auth.Device(s.state)
 	c.Check(err, IsNil)
 	c.Check(device.Serial, Equals, "9999")
+
+	ok = false
+	select {
+	case <-s.mgr.Registered():
+		ok = true
+	case <-time.After(5 * time.Second):
+		c.Fatal("should have been marked registered")
+	}
+	c.Check(ok, Equals, true)
 }
 
 func (s *deviceMgrSuite) TestDoRequestSerialIdempotentAfterGotSerial(c *C) {
@@ -708,12 +839,7 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	restore := devicestate.MockRequestIDURL(mockRequestIDURL)
-	defer restore()
-
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	restore = devicestate.MockSerialRequestURL(mockSerialRequestURL)
+	restore := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer restore()
 
 	restore = devicestate.MockRepeatRequestSerial("after-got-serial")
@@ -744,8 +870,8 @@
 	s.seeding()
 
 	s.state.Unlock()
-	s.mgr.Ensure()
-	s.mgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.DoingStatus)
@@ -759,8 +885,8 @@
 	c.Assert(asserts.IsNotFound(err), Equals, true)
 
 	s.state.Unlock()
-	s.mgr.Ensure()
-	s.mgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	// Repeated handler run but set original serial.
@@ -775,16 +901,19 @@
 		c.Skip("cannot run test when http proxy is in use, the error pattern is different")
 	}
 
-	privKey, _ := assertstest.GenerateKey(testKeyLength)
+	const nonexistent_host = "nowhere.nowhere.test"
 
-	nowhere := "http://nowhere.nowhere.test"
+	// check internet access
+	_, err := net.LookupHost(nonexistent_host)
+	if netErr, ok := err.(net.Error); !ok || netErr.Temporary() {
+		c.Skip("cannot run test with no internet access, the error pattern is different")
+	}
 
-	mockRequestIDURL := nowhere + requestIDURLPath
-	restore := devicestate.MockRequestIDURL(mockRequestIDURL)
-	defer restore()
+	privKey, _ := assertstest.GenerateKey(testKeyLength)
 
-	mockSerialRequestURL := nowhere + serialURLPath
-	restore = devicestate.MockSerialRequestURL(mockSerialRequestURL)
+	nowhere := "http://" + nonexistent_host
+
+	restore := devicestate.MockBaseStoreURL(nowhere)
 	defer restore()
 
 	// setup state as done by first-boot/Ensure/doGenerateDeviceKey
@@ -812,8 +941,8 @@
 	s.seeding()
 
 	s.state.Unlock()
-	s.mgr.Ensure()
-	s.mgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.ErrorStatus)
@@ -833,12 +962,7 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	restore := devicestate.MockRequestIDURL(mockRequestIDURL)
-	defer restore()
-
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	restore = devicestate.MockSerialRequestURL(mockSerialRequestURL)
+	restore := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer restore()
 
 	restore = devicestate.MockRepeatRequestSerial("after-add-serial")
@@ -869,15 +993,15 @@
 	s.seeding()
 
 	s.state.Unlock()
-	s.mgr.Ensure()
-	s.mgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.DoingStatus)
 
 	s.state.Unlock()
-	s.mgr.Ensure()
-	s.mgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.ErrorStatus)
@@ -892,17 +1016,12 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	r2 := devicestate.MockRequestIDURL(mockRequestIDURL)
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer r2()
 
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	r3 := devicestate.MockSerialRequestURL(mockSerialRequestURL)
-	defer r3()
-
 	// immediately
-	r4 := devicestate.MockRetryInterval(0)
-	defer r4()
+	r3 := devicestate.MockRetryInterval(0)
+	defer r3()
 
 	// setup state as will be done by first-boot
 	s.state.Lock()
@@ -979,30 +1098,34 @@
 		c.Assert(ctx.HookName(), Equals, "prepare-device")
 
 		// snapctl set the registration params
-		_, _, err := ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("device-service.url=%q", mockServer.URL+"/svc/")})
+		_, _, err := ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("device-service.url=%q", mockServer.URL+"/svc/")}, 0)
 		c.Assert(err, IsNil)
 
 		h, err := json.Marshal(map[string]string{
 			"x-extra-header": "extra",
 		})
 		c.Assert(err, IsNil)
-		_, _, err = ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("device-service.headers=%s", string(h))})
+		_, _, err = ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("device-service.headers=%s", string(h))}, 0)
 		c.Assert(err, IsNil)
 
-		_, _, err = ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("registration.proposed-serial=%q", "Y9999")})
+		_, _, err = ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("registration.proposed-serial=%q", "Y9999")}, 0)
 		c.Assert(err, IsNil)
 
 		d, err := yaml.Marshal(map[string]string{
 			"mac": "00:00:00:00:ff:00",
 		})
 		c.Assert(err, IsNil)
-		_, _, err = ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("registration.body=%q", d)})
+		_, _, err = ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("registration.body=%q", d)}, 0)
 		c.Assert(err, IsNil)
 
 		return nil, nil
 	})
 	defer r2()
 
+	// as device-service.url is set, should not need to do this but just in case
+	r3 := devicestate.MockBaseStoreURL(mockServer.URL + "/direct/baad/")
+	defer r3()
+
 	// setup state as will be done by first-boot
 	// & have a gadget with a prepare-device hook
 	s.state.Lock()
@@ -1030,12 +1153,24 @@
 	// avoid full seeding
 	s.seeding()
 
-	// runs the whole device registration process
+	// runs the whole device registration process, note that the
+	// device is not seeded yet
 	s.state.Unlock()
 	s.settle(c)
 	s.state.Lock()
 
+	// without a seeded device, there is no become-operational change
 	becomeOperational := s.findBecomeOperationalChange()
+	c.Assert(becomeOperational, IsNil)
+
+	// now mark it as seeded
+	s.state.Set("seeded", true)
+	// and run the device registration again
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	becomeOperational = s.findBecomeOperationalChange()
 	c.Assert(becomeOperational, NotNil)
 
 	c.Check(becomeOperational.Status().Ready(), Equals, true)
@@ -1070,23 +1205,140 @@
 	c.Check(device.KeyID, Equals, privKey.PublicKey().ID())
 }
 
-func (s *deviceMgrSuite) TestFullDeviceRegistrationErrorBackoff(c *C) {
+func (s *deviceMgrSuite) TestFullDeviceRegistrationHappyWithHookAndNewProxy(c *C) {
+	s.testFullDeviceRegistrationHappyWithHookAndProxy(c, true)
+}
+
+func (s *deviceMgrSuite) TestFullDeviceRegistrationHappyWithHookAndOldProxy(c *C) {
+	s.testFullDeviceRegistrationHappyWithHookAndProxy(c, false)
+}
+
+func (s *deviceMgrSuite) testFullDeviceRegistrationHappyWithHookAndProxy(c *C, newEnough bool) {
 	r1 := devicestate.MockKeyLength(testKeyLength)
 	defer r1()
 
-	s.reqID = "REQID-BADREQ"
+	if newEnough {
+		s.reqID = "REQID-42"
+	} else {
+		s.reqID = "REQID-41"
+	}
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	r2 := devicestate.MockRequestIDURL(mockRequestIDURL)
+	r2 := hookstate.MockRunHook(func(ctx *hookstate.Context, _ *tomb.Tomb) ([]byte, error) {
+		c.Assert(ctx.HookName(), Equals, "prepare-device")
+
+		deviceURL := mockServer.URL + "/bad/svc/"
+		if !newEnough {
+			deviceURL = mockServer.URL + "/svc/"
+		}
+
+		// snapctl set the registration params
+		_, _, err := ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("device-service.url=%q", deviceURL)}, 0)
+		c.Assert(err, IsNil)
+
+		h, err := json.Marshal(map[string]string{
+			"x-extra-header": "extra",
+		})
+		c.Assert(err, IsNil)
+		_, _, err = ctlcmd.Run(ctx, []string{"set", fmt.Sprintf("device-service.headers=%s", string(h))}, 0)
+		c.Assert(err, IsNil)
+
+		return nil, nil
+	})
 	defer r2()
 
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	r3 := devicestate.MockSerialRequestURL(mockSerialRequestURL)
+	// as device-service.url is set, should not need to do this but just in case
+	r3 := devicestate.MockBaseStoreURL(mockServer.URL + "/direct/baad/")
 	defer r3()
 
 	// setup state as will be done by first-boot
+	// & have a gadget with a prepare-device hook
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	c.Assert(tr.Set("core", "proxy.store", "foo"), IsNil)
+	tr.Commit()
+	operatorAcct := assertstest.NewAccount(s.storeSigning, "foo-operator", nil, "")
+	c.Assert(assertstate.Add(s.state, operatorAcct), IsNil)
+
+	// have a store assertion.
+	stoAs, err := s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
+		"store":       "foo",
+		"url":         mockServer.URL,
+		"operator-id": operatorAcct.AccountID(),
+		"timestamp":   time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+	c.Assert(assertstate.Add(s.state, stoAs), IsNil)
+
+	s.makeModelAssertionInState(c, "canonical", "pc2", map[string]string{
+		"architecture": "amd64",
+		"kernel":       "pc-kernel",
+		"gadget":       "gadget",
+	})
+
+	s.setupGadget(c, `
+name: gadget
+type: gadget
+version: gadget
+hooks:
+    prepare-device:
+`, "")
+
+	auth.SetDevice(s.state, &auth.DeviceState{
+		Brand: "canonical",
+		Model: "pc2",
+	})
+
+	// mark it as seeded
+	s.state.Set("seeded", true)
+
+	// runs the whole device registration process
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	becomeOperational := s.findBecomeOperationalChange()
+	c.Assert(becomeOperational, NotNil)
+
+	c.Check(becomeOperational.Status().Ready(), Equals, true)
+	c.Check(becomeOperational.Err(), IsNil)
+
+	device, err := auth.Device(s.state)
+	c.Assert(err, IsNil)
+	c.Check(device.Brand, Equals, "canonical")
+	c.Check(device.Model, Equals, "pc2")
+	c.Check(device.Serial, Equals, "9999")
+
+	a, err := s.db.Find(asserts.SerialType, map[string]string{
+		"brand-id": "canonical",
+		"model":    "pc2",
+		"serial":   "9999",
+	})
+	c.Assert(err, IsNil)
+	serial := a.(*asserts.Serial)
+
+	privKey, err := devicestate.KeypairManager(s.mgr).Get(serial.DeviceKey().ID())
+	c.Assert(err, IsNil)
+	c.Check(privKey, NotNil)
+
+	c.Check(device.KeyID, Equals, privKey.PublicKey().ID())
+}
+
+func (s *deviceMgrSuite) TestFullDeviceRegistrationErrorBackoff(c *C) {
+	r1 := devicestate.MockKeyLength(testKeyLength)
+	defer r1()
+
+	s.reqID = "REQID-BADREQ"
+	mockServer := s.mockServer(c)
+	defer mockServer.Close()
+
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL)
+	defer r2()
+
+	// setup state as will be done by first-boot
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -1183,14 +1435,9 @@
 	mockServer := s.mockServer(c)
 	defer mockServer.Close()
 
-	mockRequestIDURL := mockServer.URL + requestIDURLPath
-	r2 := devicestate.MockRequestIDURL(mockRequestIDURL)
+	r2 := devicestate.MockBaseStoreURL(mockServer.URL)
 	defer r2()
 
-	mockSerialRequestURL := mockServer.URL + serialURLPath
-	r3 := devicestate.MockSerialRequestURL(mockSerialRequestURL)
-	defer r3()
-
 	// setup state as will be done by first-boot
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1385,6 +1632,9 @@
 }
 
 func (s *deviceMgrSuite) TestDeviceAssertionsProxyStore(c *C) {
+	mockServer := s.mockServer(c)
+	defer mockServer.Close()
+
 	// nothing in the state
 	s.state.Lock()
 	_, err := devicestate.ProxyStore(s.state)
@@ -1414,6 +1664,7 @@
 	stoAs, err := s.storeSigning.Sign(asserts.StoreType, map[string]interface{}{
 		"store":       "foo",
 		"operator-id": operatorAcct.AccountID(),
+		"url":         mockServer.URL,
 		"timestamp":   time.Now().Format(time.RFC3339),
 	}, nil, "")
 	c.Assert(err, IsNil)
@@ -1431,6 +1682,7 @@
 	s.state.Unlock()
 	c.Assert(err, IsNil)
 	c.Assert(sto.Store(), Equals, "foo")
+	c.Assert(sto.URL().String(), Equals, mockServer.URL)
 }
 
 func (s *deviceMgrSuite) TestDeviceManagerEnsureSeedYamlAlreadySeeded(c *C) {
@@ -1698,6 +1950,11 @@
 	otherGadgetInfo.SnapID = ""
 	err = devicestate.CheckGadgetOrKernel(s.state, otherGadgetInfo, nil, snapstate.Flags{})
 	c.Check(err, IsNil)
+
+	// parallel install fails
+	otherGadgetInfo.InstanceKey = "foo"
+	err = devicestate.CheckGadgetOrKernel(s.state, otherGadgetInfo, nil, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot install "gadget_foo", parallel installation of kernel or gadget snaps is not supported`)
 }
 
 func (s *deviceMgrSuite) TestCheckGadgetOnClassic(c *C) {
@@ -1865,6 +2122,11 @@
 	otherKrnlInfo.SnapID = ""
 	err = devicestate.CheckGadgetOrKernel(s.state, otherKrnlInfo, nil, snapstate.Flags{})
 	c.Check(err, IsNil)
+
+	// parallel install fails
+	otherKrnlInfo.InstanceKey = "foo"
+	err = devicestate.CheckGadgetOrKernel(s.state, otherKrnlInfo, nil, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot install "krnl_foo", parallel installation of kernel or gadget snaps is not supported`)
 }
 
 func (s *deviceMgrSuite) makeModelAssertionInState(c *C, brandID, model string, extras map[string]string) {
@@ -2085,10 +2347,10 @@
 	c.Assert(err, IsNil)
 	err = repo.AddSnap(core11)
 	c.Assert(err, IsNil)
-	err = repo.Connect(interfaces.ConnRef{
-		PlugRef: interfaces.PlugRef{Snap: info11.Name(), Name: ifname},
-		SlotRef: interfaces.SlotRef{Snap: core11.Name(), Name: ifname},
-	})
+	_, err = repo.Connect(&interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: info11.InstanceName(), Name: ifname},
+		SlotRef: interfaces.SlotRef{Snap: core11.InstanceName(), Name: ifname},
+	}, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 	conns, err := repo.Connected("snap-with-snapd-control", "snapd-control")
 	c.Assert(err, IsNil)
@@ -2099,7 +2361,7 @@
 func (s *deviceMgrSuite) makeSnapDeclaration(c *C, st *state.State, info *snap.Info) {
 	decl, err := s.storeSigning.Sign(asserts.SnapDeclarationType, map[string]interface{}{
 		"series":       "16",
-		"snap-name":    info.Name(),
+		"snap-name":    info.SnapName(),
 		"snap-id":      info.SideInfo.SnapID,
 		"publisher-id": "canonical",
 		"timestamp":    time.Now().UTC().Format(time.RFC3339),
@@ -2134,6 +2396,15 @@
 	// manage schedules
 	s.makeSnapDeclaration(c, st, info11)
 	c.Check(devicestate.CanManageRefreshes(st), Equals, true)
+
+	// works if the snap is not active as well (to fix race when a
+	// snap is refreshed)
+	var sideInfo11 snapstate.SnapState
+	err := snapstate.Get(st, "snap-with-snapd-control", &sideInfo11)
+	c.Assert(err, IsNil)
+	sideInfo11.Active = false
+	snapstate.Set(st, "snap-with-snapd-control", &sideInfo11)
+	c.Check(devicestate.CanManageRefreshes(st), Equals, true)
 }
 
 func (s *deviceMgrSuite) TestCanManageRefreshesNoRefreshScheduleManaged(c *C) {
@@ -2150,3 +2421,177 @@
 
 	c.Check(devicestate.CanManageRefreshes(st), Equals, false)
 }
+
+func (s *deviceMgrSuite) TestReloadRegistered(c *C) {
+	st := state.New(nil)
+
+	runner1 := state.NewTaskRunner(st)
+	hookMgr1, err := hookstate.Manager(st, runner1)
+	c.Assert(err, IsNil)
+	mgr1, err := devicestate.Manager(st, hookMgr1, runner1)
+	c.Assert(err, IsNil)
+
+	ok := false
+	select {
+	case <-mgr1.Registered():
+	default:
+		ok = true
+	}
+	c.Check(ok, Equals, true)
+
+	st.Lock()
+	auth.SetDevice(st, &auth.DeviceState{
+		Brand:  "canonical",
+		Model:  "pc",
+		Serial: "serial",
+	})
+	st.Unlock()
+
+	runner2 := state.NewTaskRunner(st)
+	hookMgr2, err := hookstate.Manager(st, runner2)
+	c.Assert(err, IsNil)
+	mgr2, err := devicestate.Manager(st, hookMgr2, runner2)
+	c.Assert(err, IsNil)
+
+	ok = false
+	select {
+	case <-mgr2.Registered():
+		ok = true
+	case <-time.After(5 * time.Second):
+		c.Fatal("should have been marked registered")
+	}
+	c.Check(ok, Equals, true)
+}
+
+func (s *deviceMgrSuite) TestMarkSeededInConfig(c *C) {
+	st := s.state
+	st.Lock()
+	defer st.Unlock()
+
+	// avoid device registration
+	auth.SetDevice(s.state, &auth.DeviceState{
+		Serial: "123",
+	})
+
+	// avoid full seeding
+	s.seeding()
+
+	// not seeded -> no config is set
+	s.state.Unlock()
+	s.mgr.Ensure()
+	s.state.Lock()
+
+	var seedLoaded bool
+	tr := config.NewTransaction(st)
+	tr.Get("core", "seed.loaded", &seedLoaded)
+	c.Check(seedLoaded, Equals, false)
+
+	// pretend we are seeded now
+	s.state.Set("seeded", true)
+
+	// seeded -> config got updated
+	s.state.Unlock()
+	s.mgr.Ensure()
+	s.state.Lock()
+
+	tr = config.NewTransaction(st)
+	tr.Get("core", "seed.loaded", &seedLoaded)
+	c.Check(seedLoaded, Equals, true)
+
+	// only the fake seeding change is in the state, no further
+	// changes
+	c.Check(s.state.Changes(), HasLen, 1)
+}
+
+func (s *deviceMgrSuite) TestNewEnoughProxyParse(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	log, restore := logger.MockLogger()
+	defer restore()
+	os.Setenv("SNAPD_DEBUG", "1")
+	defer os.Unsetenv("SNAPD_DEBUG")
+
+	badURL := &url.URL{Opaque: "%a"} // url.Parse(badURL.String()) needs to fail, which isn't easy :-)
+	c.Check(devicestate.NewEnoughProxy(s.state, badURL, http.DefaultClient), Equals, false)
+	c.Check(log.String(), Matches, "(?m).* DEBUG: Cannot check whether proxy store supports a custom serial vault: parse .*")
+}
+
+func (s *deviceMgrSuite) TestNewEnoughProxy(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	expectedUserAgent := httputil.UserAgent()
+	log, restore := logger.MockLogger()
+	defer restore()
+	os.Setenv("SNAPD_DEBUG", "1")
+	defer os.Unsetenv("SNAPD_DEBUG")
+
+	expecteds := []string{
+		`Head http://\S+: EOF`,
+		`Head request returned 403 Forbidden.`,
+		`Bogus Snap-Store-Version header "5pre1".`,
+		``,
+	}
+
+	n := 0
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Header.Get("User-Agent"), Equals, expectedUserAgent)
+		n++
+		switch n {
+		case 1:
+			conn, _, err := w.(http.Hijacker).Hijack()
+			c.Assert(err, IsNil)
+			conn.Close()
+		case 2:
+			w.WriteHeader(403)
+		case 3:
+			w.Header().Set("Snap-Store-Version", "5pre1")
+			w.WriteHeader(200)
+		case 4:
+			w.Header().Set("Snap-Store-Version", "5")
+			w.WriteHeader(200)
+		case 5:
+			w.Header().Set("Snap-Store-Version", "6")
+			w.WriteHeader(200)
+		default:
+			c.Errorf("expected %d results, now on %d", len(expecteds), n)
+		}
+	}))
+	defer server.Close()
+
+	u, err := url.Parse(server.URL)
+	c.Assert(err, IsNil)
+	for _, expected := range expecteds {
+		log.Reset()
+		c.Check(devicestate.NewEnoughProxy(s.state, u, http.DefaultClient), Equals, false)
+		if len(expected) > 0 {
+			expected = "(?m).* DEBUG: Cannot check whether proxy store supports a custom serial vault: " + expected
+		}
+		c.Check(log.String(), Matches, expected)
+	}
+	c.Check(n, Equals, len(expecteds))
+
+	// and success at last
+	log.Reset()
+	c.Check(devicestate.NewEnoughProxy(s.state, u, http.DefaultClient), Equals, true)
+	c.Check(log.String(), Equals, "")
+	c.Check(n, Equals, len(expecteds)+1)
+}
+
+func (s *deviceMgrSuite) TestDevicemgrCanStandby(c *C) {
+	st := state.New(nil)
+
+	runner := state.NewTaskRunner(st)
+	hookMgr, err := hookstate.Manager(st, runner)
+	c.Assert(err, IsNil)
+	mgr, err := devicestate.Manager(st, hookMgr, runner)
+	c.Assert(err, IsNil)
+
+	st.Lock()
+	defer st.Unlock()
+	c.Check(mgr.CanStandby(), Equals, false)
+
+	st.Set("seeded", true)
+	c.Check(mgr.CanStandby(), Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/export_test.go snapd-2.37~rc1~14.04/overlord/devicestate/export_test.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -38,19 +38,11 @@
 	}
 }
 
-func MockRequestIDURL(url string) (restore func()) {
-	oldURL := requestIDURL
-	requestIDURL = url
+func MockBaseStoreURL(url string) (restore func()) {
+	oldURL := baseStoreURL
+	baseStoreURL = mustParse(url).ResolveReference(authRef)
 	return func() {
-		requestIDURL = oldURL
-	}
-}
-
-func MockSerialRequestURL(url string) (restore func()) {
-	oldURL := serialRequestURL
-	serialRequestURL = url
-	return func() {
-		serialRequestURL = oldURL
+		baseStoreURL = oldURL
 	}
 }
 
@@ -120,6 +112,7 @@
 	ImportAssertionsFromSeed = importAssertionsFromSeed
 	CheckGadgetOrKernel      = checkGadgetOrKernel
 	CanAutoRefresh           = canAutoRefresh
+	NewEnoughProxy           = newEnoughProxy
 
 	IncEnsureOperationalAttempts = incEnsureOperationalAttempts
 	EnsureOperationalAttempts    = ensureOperationalAttempts
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/firstboot.go snapd-2.37~rc1~14.04/overlord/devicestate/firstboot.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/firstboot.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/firstboot.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,6 +25,7 @@
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"sort"
 
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/asserts/snapasserts"
@@ -41,7 +42,7 @@
 
 var errNothingToDo = errors.New("nothing to do")
 
-func installSeedSnap(st *state.State, sn *snap.SeedSnap, flags snapstate.Flags) (*state.TaskSet, error) {
+func installSeedSnap(st *state.State, sn *snap.SeedSnap, flags snapstate.Flags) (*state.TaskSet, *snap.Info, error) {
 	if sn.Classic {
 		flags.Classic = true
 	}
@@ -57,21 +58,22 @@
 	} else {
 		si, err := snapasserts.DeriveSideInfo(path, assertstate.DB(st))
 		if asserts.IsNotFound(err) {
-			return nil, fmt.Errorf("cannot find signatures with metadata for snap %q (%q)", sn.Name, path)
+			return nil, nil, fmt.Errorf("cannot find signatures with metadata for snap %q (%q)", sn.Name, path)
 		}
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		sideInfo = *si
 		sideInfo.Private = sn.Private
 		sideInfo.Contact = sn.Contact
 	}
 
-	return snapstate.InstallPath(st, &sideInfo, path, sn.Channel, flags)
+	return snapstate.InstallPath(st, &sideInfo, path, "", sn.Channel, flags)
 }
 
 func trivialSeeding(st *state.State, markSeeded *state.Task) []*state.TaskSet {
-	// give the internal core config a chance to run
+	// give the internal core config a chance to run (even if core is
+	// not used at all we put system configuration there)
 	configTs := snapstate.ConfigureSnap(st, "core", 0)
 	markSeeded.WaitAll(configTs)
 	return []*state.TaskSet{configTs, state.NewTaskSet(markSeeded)}
@@ -110,10 +112,10 @@
 		return nil, err
 	}
 
-	var required map[string]bool
 	reqSnaps := model.RequiredSnaps()
+	// +4 for (snapd, base, gadget, kernel)
+	required := make(map[string]bool, len(reqSnaps)+4)
 	if len(reqSnaps) > 0 {
-		required = make(map[string]bool, len(reqSnaps))
 		for _, snap := range reqSnaps {
 			required[snap] = true
 		}
@@ -128,63 +130,97 @@
 	tsAll := []*state.TaskSet{}
 	configTss := []*state.TaskSet{}
 
-	// if there are snaps to seed, core needs to be seeded too
-	if len(seed.Snaps) != 0 {
-		coreSeed := seeding["core"]
-		if coreSeed == nil {
-			return nil, fmt.Errorf("cannot proceed without seeding core")
+	baseSnap := "core"
+	if model.Base() != "" {
+		baseSnap = model.Base()
+	}
+
+	installSeedEssential := func(snapName string, last int) (*snap.Info, error) {
+		seedSnap := seeding[snapName]
+		if seedSnap == nil {
+			return nil, fmt.Errorf("cannot proceed without seeding %q", snapName)
 		}
-		ts, err := installSeedSnap(st, coreSeed, snapstate.Flags{SkipConfigure: true})
+		ts, info, err := installSeedSnap(st, seedSnap, snapstate.Flags{SkipConfigure: true, Required: true})
 		if err != nil {
 			return nil, err
 		}
+		if last >= 0 {
+			ts.WaitAll(tsAll[last])
+		}
 		tsAll = append(tsAll, ts)
-		alreadySeeded["core"] = true
+		alreadySeeded[snapName] = true
+		return info, nil
+	}
+
+	last := -1
+	// if there are snaps to seed, core/base needs to be seeded too
+	if len(seed.Snaps) != 0 {
+		// ensure "snapd" snap is installed first
+		if model.Base() != "" {
+			if _, err := installSeedEssential("snapd", last); err != nil {
+				return nil, err
+			}
+			last++
+		}
+		if _, err := installSeedEssential(baseSnap, last); err != nil {
+			return nil, err
+		}
+		// we *always* configure "core" here even if bases are used
+		// for booting. "core" if where the system config lives.
 		configTss = append(configTss, snapstate.ConfigureSnap(st, "core", snapstate.UseConfigDefaults))
+		last++
 	}
 
-	last := 0
+	lastConf := 0
 	if kernelName := model.Kernel(); kernelName != "" {
-		kernelSeed := seeding[kernelName]
-		if kernelSeed == nil {
-			return nil, fmt.Errorf("cannot find seed information for kernel snap %q", kernelName)
-		}
-		ts, err := installSeedSnap(st, kernelSeed, snapstate.Flags{SkipConfigure: true})
-		if err != nil {
+		if _, err := installSeedEssential(kernelName, last); err != nil {
 			return nil, err
 		}
-		ts.WaitAll(tsAll[last])
-		tsAll = append(tsAll, ts)
-		alreadySeeded[kernelName] = true
 		configTs := snapstate.ConfigureSnap(st, kernelName, snapstate.UseConfigDefaults)
-		configTs.WaitAll(configTss[last])
+		// wait for the previous configTss
+		configTs.WaitAll(configTss[lastConf])
 		configTss = append(configTss, configTs)
 		last++
+		lastConf++
 	}
 
+	// FIXME: ensure that any base is ordered before the gadget so that
+	//        the gadget can use bases that are not the model base
 	if gadgetName := model.Gadget(); gadgetName != "" {
-		gadgetSeed := seeding[gadgetName]
-		if gadgetSeed == nil {
-			return nil, fmt.Errorf("cannot find seed information for gadget snap %q", gadgetName)
-		}
-		ts, err := installSeedSnap(st, gadgetSeed, snapstate.Flags{SkipConfigure: true})
+		info, err := installSeedEssential(gadgetName, last)
 		if err != nil {
 			return nil, err
 		}
-		ts.WaitAll(tsAll[last])
-		tsAll = append(tsAll, ts)
-		alreadySeeded[gadgetName] = true
+		// Sanity check, note that we could support this if we have
+		// a use-case. However this requires that we do the sorting
+		// different, i.e. other bases will have to be sorted before
+		// the gadget.
+		if info.Base != model.Base() {
+			return nil, fmt.Errorf("cannot use gadget snap because its base %q is different from model base %q", info.Base, model.Base())
+		}
+
 		configTs := snapstate.ConfigureSnap(st, gadgetName, snapstate.UseConfigDefaults)
-		configTs.WaitAll(configTss[last])
+		// wait for the previous configTss
+		configTs.WaitAll(configTss[lastConf])
 		configTss = append(configTss, configTs)
 		last++
+		//If we use lastConf again we need to enable this. It is
+		//commented out because go vet complains about an ineffectual
+		// assignment.
+		//lastConf++
 	}
 
 	// chain together configuring core, kernel, and gadget after
 	// installing them so that defaults are availabble from gadget
-	configTss[0].WaitAll(tsAll[last])
-	tsAll = append(tsAll, configTss...)
-	last += len(configTss)
+	if len(configTss) > 0 {
+		configTss[0].WaitAll(tsAll[last])
+		tsAll = append(tsAll, configTss...)
+		last += len(configTss)
+	}
+
+	// ensure we install in the right order
+	infoToTs := make(map[*snap.Info]*state.TaskSet, len(seed.Snaps))
+	infos := make([]*snap.Info, 0, len(seed.Snaps))
 
 	for _, sn := range seed.Snaps {
 		if alreadySeeded[sn.Name] {
@@ -196,11 +232,19 @@
 			flags.Required = true
 		}
 
-		ts, err := installSeedSnap(st, sn, flags)
+		ts, info, err := installSeedSnap(st, sn, flags)
 		if err != nil {
 			return nil, err
 		}
+		infos = append(infos, info)
+		infoToTs[info] = ts
+	}
 
+	// now add/chain the tasksets in the right order, note that we
+	// only have tasksets that we did not already seeded
+	sort.Stable(snap.ByType(infos))
+	for _, info := range infos {
+		ts := infoToTs[info]
 		ts.WaitAll(tsAll[last])
 		tsAll = append(tsAll, ts)
 		last++
@@ -211,8 +255,18 @@
 	}
 
 	ts := tsAll[len(tsAll)-1]
+	endTs := state.NewTaskSet()
+	if model.Gadget() != "" {
+		// we have a gadget that could have interface
+		// connection instructions
+		gadgetConnect := st.NewTask("gadget-connect", "Connect plugs and slots as instructed by the gadget")
+		gadgetConnect.WaitAll(ts)
+		endTs.AddTask(gadgetConnect)
+		ts = endTs
+	}
 	markSeeded.WaitAll(ts)
-	tsAll = append(tsAll, state.NewTaskSet(markSeeded))
+	endTs.AddTask(markSeeded)
+	tsAll = append(tsAll, endTs)
 
 	return tsAll, nil
 }
@@ -237,6 +291,11 @@
 	dc, err := ioutil.ReadDir(assertSeedDir)
 	if release.OnClassic && os.IsNotExist(err) {
 		// on classic seeding is optional
+		// set the fallback model
+		err := setClassicFallbackModel(st, device)
+		if err != nil {
+			return nil, err
+		}
 		return nil, errNothingToDo
 	}
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/firstboot_test.go snapd-2.37~rc1~14.04/overlord/devicestate/firstboot_test.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/firstboot_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/firstboot_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2015 Canonical Ltd
+ * Copyright (C) 2015-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -42,7 +42,6 @@
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate"
 	"github.com/snapcore/snapd/overlord/configstate/config"
-	"github.com/snapcore/snapd/overlord/configstate/configcore"
 	"github.com/snapcore/snapd/overlord/devicestate"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/ifacestate"
@@ -52,14 +51,12 @@
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/systemd"
 	"github.com/snapcore/snapd/testutil"
 )
 
 type FirstBootTestSuite struct {
-	aa          *testutil.MockCmd
-	systemctl   *testutil.MockCmd
-	mockUdevAdm *testutil.MockCmd
-	snapSeccomp *testutil.MockCmd
+	systemctl *testutil.MockCmd
 
 	storeSigning *assertstest.StoreStack
 	restore      func()
@@ -70,6 +67,7 @@
 	overlord *overlord.Overlord
 
 	restoreOnClassic func()
+	restoreBackends  func()
 }
 
 var _ = Suite(&FirstBootTestSuite{})
@@ -88,14 +86,7 @@
 	err = os.MkdirAll(dirs.SnapServicesDir, 0755)
 	c.Assert(err, IsNil)
 	os.Setenv("SNAPPY_SQUASHFS_UNPACK_FOR_TESTS", "1")
-	s.aa = testutil.MockCommand(c, "apparmor_parser", "")
 	s.systemctl = testutil.MockCommand(c, "systemctl", "")
-	s.mockUdevAdm = testutil.MockCommand(c, "udevadm", "")
-
-	snapSeccompPath := filepath.Join(dirs.DistroLibExecDir, "snap-seccomp")
-	err = os.MkdirAll(filepath.Dir(snapSeccompPath), 0755)
-	c.Assert(err, IsNil)
-	s.snapSeccomp = testutil.MockCommand(c, snapSeccompPath, "")
 
 	err = ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), nil, 0644)
 	c.Assert(err, IsNil)
@@ -106,8 +97,11 @@
 	s.brandPrivKey, _ = assertstest.GenerateKey(752)
 	s.brandSigning = assertstest.NewSigningDB("my-brand", s.brandPrivKey)
 
+	s.restoreBackends = ifacestate.MockSecurityBackends(nil)
+
 	ovld, err := overlord.New()
 	c.Assert(err, IsNil)
+	ovld.InterfaceManager().DisableUDevMonitor()
 	s.overlord = ovld
 
 	// don't actually try to talk to the store on snapstate.Ensure
@@ -117,13 +111,11 @@
 
 func (s *FirstBootTestSuite) TearDownTest(c *C) {
 	os.Unsetenv("SNAPPY_SQUASHFS_UNPACK_FOR_TESTS")
-	s.aa.Restore()
 	s.systemctl.Restore()
-	s.mockUdevAdm.Restore()
-	s.snapSeccomp.Restore()
 
 	s.restore()
 	s.restoreOnClassic()
+	s.restoreBackends()
 	dirs.SetRootDir("/")
 }
 
@@ -144,7 +136,8 @@
 }
 
 func (s *FirstBootTestSuite) TestPopulateFromSeedOnClassicNoop(c *C) {
-	release.OnClassic = true
+	restore := release.MockOnClassic(true)
+	defer restore()
 
 	st := s.overlord.State()
 	st.Lock()
@@ -156,17 +149,36 @@
 	tsAll, err := devicestate.PopulateStateFromSeedImpl(st)
 	c.Assert(err, IsNil)
 	checkTrivialSeeding(c, tsAll)
+
+	// already set the fallback model
+
+	// verify that the model was added
+	db := assertstate.DB(st)
+	as, err := db.Find(asserts.ModelType, map[string]string{
+		"series":   "16",
+		"brand-id": "generic",
+		"model":    "generic-classic",
+	})
+	c.Assert(err, IsNil)
+	_, ok := as.(*asserts.Model)
+	c.Check(ok, Equals, true)
+
+	ds, err := auth.Device(st)
+	c.Assert(err, IsNil)
+	c.Check(ds.Brand, Equals, "generic")
+	c.Check(ds.Model, Equals, "generic-classic")
 }
 
 func (s *FirstBootTestSuite) TestPopulateFromSeedOnClassicNoSeedYaml(c *C) {
-	release.OnClassic = true
+	restore := release.MockOnClassic(true)
+	defer restore()
 
 	ovld, err := overlord.New()
 	c.Assert(err, IsNil)
 	st := ovld.State()
 
 	// add a bunch of assert files
-	assertsChain := s.makeModelAssertionChain(c, "my-model-classic")
+	assertsChain := s.makeModelAssertionChain(c, "my-model-classic", nil)
 	for i, as := range assertsChain {
 		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
 		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
@@ -189,13 +201,41 @@
 	c.Check(ds.Model, Equals, "my-model-classic")
 }
 
+func (s *FirstBootTestSuite) TestPopulateFromSeedOnClassicEmptySeedYaml(c *C) {
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	ovld, err := overlord.New()
+	c.Assert(err, IsNil)
+	st := ovld.State()
+
+	// add a bunch of assert files
+	assertsChain := s.makeModelAssertionChain(c, "my-model-classic", nil)
+	for i, as := range assertsChain {
+		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
+		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
+		c.Assert(err, IsNil)
+	}
+
+	// create an empty seed.yaml
+	err = ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), nil, 0644)
+	c.Assert(err, IsNil)
+
+	st.Lock()
+	defer st.Unlock()
+
+	_, err = devicestate.PopulateStateFromSeedImpl(st)
+	c.Assert(err, ErrorMatches, "cannot proceed, no snaps to seed")
+}
+
 func (s *FirstBootTestSuite) TestPopulateFromSeedOnClassicNoSeedYamlWithCloudInstanceData(c *C) {
-	release.OnClassic = true
+	restore := release.MockOnClassic(true)
+	defer restore()
 
 	st := s.overlord.State()
 
 	// add a bunch of assert files
-	assertsChain := s.makeModelAssertionChain(c, "my-model-classic")
+	assertsChain := s.makeModelAssertionChain(c, "my-model-classic", nil)
 	for i, as := range assertsChain {
 		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
 		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
@@ -279,7 +319,7 @@
 func (s *FirstBootTestSuite) makeAssertedSnap(c *C, snapYaml string, files [][]string, revision snap.Revision, developerID string) (snapFname string, snapDecl *asserts.SnapDeclaration, snapRev *asserts.SnapRevision) {
 	info, err := snap.InfoFromSnapYaml([]byte(snapYaml))
 	c.Assert(err, IsNil)
-	snapName := info.Name()
+	snapName := info.InstanceName()
 
 	mockSnapFile := snaptest.MakeTestSnapWithFiles(c, snapYaml, files)
 	snapFname = filepath.Base(mockSnapFile)
@@ -288,9 +328,17 @@
 	err = os.Rename(mockSnapFile, targetFile)
 	c.Assert(err, IsNil)
 
+	snapID := (snapName + "-snap-" + strings.Repeat("id", 20))[:32]
+	// FIXME: snapd is special in the interface policy code and it
+	//        identified by its snap-id. so we fake the real snap-id
+	//        here. Instead we should add a "type: snapd" for snaps.
+	if snapName == "snapd" {
+		snapID = "PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4"
+	}
+
 	declA, err := s.storeSigning.Sign(asserts.SnapDeclarationType, map[string]interface{}{
 		"series":       "16",
-		"snap-id":      snapName + "-snap-id",
+		"snap-id":      snapID,
 		"publisher-id": developerID,
 		"snap-name":    snapName,
 		"timestamp":    time.Now().UTC().Format(time.RFC3339),
@@ -303,7 +351,7 @@
 	revA, err := s.storeSigning.Sign(asserts.SnapRevisionType, map[string]interface{}{
 		"snap-sha3-384": sha3_384,
 		"snap-size":     fmt.Sprintf("%d", size),
-		"snap-id":       snapName + "-snap-id",
+		"snap-id":       snapID,
 		"developer-id":  developerID,
 		"snap-revision": revision.String(),
 		"timestamp":     time.Now().UTC().Format(time.RFC3339),
@@ -313,9 +361,25 @@
 	return snapFname, declA.(*asserts.SnapDeclaration), revA.(*asserts.SnapRevision)
 }
 
-func (s *FirstBootTestSuite) makeCoreSnaps(c *C, withConfigure bool) (coreFname, kernelFname, gadgetFname string) {
+func checkSeedTasks(c *C, tsAll []*state.TaskSet) {
+	// the tasks of the last taskset must be gadget-connect, mark-seeded
+	lastTasks := tsAll[len(tsAll)-1].Tasks()
+	c.Check(lastTasks, HasLen, 2)
+	gadgetConnectTask := lastTasks[0]
+	markSeededTask := lastTasks[1]
+	c.Check(gadgetConnectTask.Kind(), Equals, "gadget-connect")
+	c.Check(markSeededTask.Kind(), Equals, "mark-seeded")
+	// and the gadget-connect must wait for the other tasks
+	prevTasks := tsAll[len(tsAll)-2].Tasks()
+	otherTask := prevTasks[len(prevTasks)-1]
+	c.Check(gadgetConnectTask.WaitTasks(), testutil.Contains, otherTask)
+	// add the mark-seeded waits for gadget-connects
+	c.Check(markSeededTask.WaitTasks(), DeepEquals, []*state.Task{gadgetConnectTask})
+}
+
+func (s *FirstBootTestSuite) makeCoreSnaps(c *C, extraGadgetYaml string) (coreFname, kernelFname, gadgetFname string) {
 	files := [][]string{}
-	if withConfigure {
+	if strings.Contains(extraGadgetYaml, "defaults:") {
 		files = [][]string{{"meta/hooks/configure", ""}}
 	}
 
@@ -340,19 +404,7 @@
     volume-id:
         bootloader: grub
 `
-	if withConfigure {
-		gadgetYaml += `
-defaults:
-    foo-snap-id:
-       foo-cfg: foo.
-    core-snap-id:
-       core-cfg: core_cfg_defl
-    pc-kernel-snap-id:
-       pc-kernel-cfg: pc-kernel_cfg_defl
-    pc-snap-id:
-       pc-cfg: pc_cfg_defl
-`
-	}
+	gadgetYaml += extraGadgetYaml
 
 	// put gadget snap into the SnapBlobDir
 	files = append(files, []string{"meta/gadget.yaml", gadgetYaml})
@@ -368,7 +420,7 @@
 }
 
 func (s *FirstBootTestSuite) makeBecomeOperationalChange(c *C, st *state.State) *state.Change {
-	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, false)
+	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, "")
 
 	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
 		"account-id": "developerid",
@@ -399,7 +451,7 @@
 	c.Assert(err, IsNil)
 
 	// add a model assertion and its chain
-	assertsChain := s.makeModelAssertionChain(c, "my-model", "foo")
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil, "foo")
 	for i, as := range assertsChain {
 		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
 		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
@@ -432,13 +484,20 @@
 	tsAll, err := devicestate.PopulateStateFromSeedImpl(st)
 	c.Assert(err, IsNil)
 
-	// the last task of the last taskset must be mark-seeded
-	markSeededTask := tsAll[len(tsAll)-1].Tasks()[0]
-	c.Check(markSeededTask.Kind(), Equals, "mark-seeded")
-	// and the markSeededTask must wait for the other tasks
-	prevTasks := tsAll[len(tsAll)-2].Tasks()
-	otherTask := prevTasks[len(prevTasks)-1]
-	c.Check(markSeededTask.WaitTasks(), testutil.Contains, otherTask)
+	// the first taskset installs core and waits for noone
+	i := 0
+	tCore := tsAll[i].Tasks()[0]
+	c.Check(tCore.WaitTasks(), HasLen, 0)
+	// the next installs the kernel and that will wait for core
+	i++
+	tKernel := tsAll[i].Tasks()[0]
+	c.Check(tKernel.WaitTasks(), testutil.Contains, tCore)
+	// the next installs the gadget and will wait for the kernel
+	i++
+	tGadget := tsAll[i].Tasks()[0]
+	c.Check(tGadget.WaitTasks(), testutil.Contains, tKernel)
+
+	checkSeedTasks(c, tsAll)
 
 	// now run the change and check the result
 	// use the expected kind otherwise settle with start another one
@@ -495,17 +554,24 @@
 	_, err = snapstate.CurrentInfo(state, "pc")
 	c.Assert(err, IsNil)
 
+	// ensure requied flag is set on all essential snaps
+	var snapst snapstate.SnapState
+	for _, reqName := range []string{"core", "pc-kernel", "pc"} {
+		err = snapstate.Get(state, reqName, &snapst)
+		c.Assert(err, IsNil)
+		c.Assert(snapst.Required, Equals, true, Commentf("required not set for %v", reqName))
+	}
+
 	// check foo
 	info, err := snapstate.CurrentInfo(state, "foo")
 	c.Assert(err, IsNil)
-	c.Assert(info.SnapID, Equals, "foo-snap-id")
+	c.Assert(info.SnapID, Equals, "foo-snap-idididididididididididi")
 	c.Assert(info.Revision, Equals, snap.R(128))
 	c.Assert(info.Contact, Equals, "mailto:some.guy@example.com")
 	pubAcct, err := assertstate.Publisher(st, info.SnapID)
 	c.Assert(err, IsNil)
 	c.Check(pubAcct.AccountID(), Equals, "developerid")
 
-	var snapst snapstate.SnapState
 	err = snapstate.Get(state, "foo", &snapst)
 	c.Assert(err, IsNil)
 	c.Assert(snapst.DevMode, Equals, true)
@@ -545,26 +611,27 @@
 	// situation
 	o := overlord.Mock()
 	st := o.State()
-	snapmgr, err := snapstate.Manager(st)
+	snapmgr, err := snapstate.Manager(st, o.TaskRunner())
 	c.Assert(err, IsNil)
 	o.AddManager(snapmgr)
 
-	ifacemgr, err := ifacestate.Manager(st, nil, nil, nil)
+	ifacemgr, err := ifacestate.Manager(st, nil, o.TaskRunner(), nil, nil)
 	c.Assert(err, IsNil)
 	o.AddManager(ifacemgr)
 	st.Lock()
 	assertstate.ReplaceDB(st, db.(*asserts.Database))
 	st.Unlock()
 
+	o.AddManager(o.TaskRunner())
+
 	chg := s.makeBecomeOperationalChange(c, st)
 
+	se := o.StateEngine()
 	// we cannot use Settle because the Change will not become Clean
 	// under the subset of managers
 	for i := 0; i < 25 && !chg.IsReady(); i++ {
-		snapmgr.Ensure()
-		ifacemgr.Ensure()
-		snapmgr.Wait()
-		ifacemgr.Wait()
+		se.Ensure()
+		se.Wait()
 	}
 
 	st.Lock()
@@ -597,7 +664,7 @@
 		"snap_kernel": "pc-kernel_1.snap",
 	})
 
-	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, false)
+	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, "")
 
 	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
 		"account-id": "developerid",
@@ -618,7 +685,7 @@
 	writeAssertionsToFile("bar.asserts", []asserts.Assertion{devAcct, barDecl, barRev})
 
 	// add a model assertion and its chain
-	assertsChain := s.makeModelAssertionChain(c, "my-model")
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil)
 	writeAssertionsToFile("model.asserts", assertsChain)
 
 	// create a seed.yaml
@@ -679,7 +746,7 @@
 	// check foo
 	info, err := snapstate.CurrentInfo(state, "foo")
 	c.Assert(err, IsNil)
-	c.Check(info.SnapID, Equals, "foo-snap-id")
+	c.Check(info.SnapID, Equals, "foo-snap-idididididididididididi")
 	c.Check(info.Revision, Equals, snap.R(128))
 	pubAcct, err := assertstate.Publisher(st, info.SnapID)
 	c.Assert(err, IsNil)
@@ -688,14 +755,14 @@
 	// check bar
 	info, err = snapstate.CurrentInfo(state, "bar")
 	c.Assert(err, IsNil)
-	c.Check(info.SnapID, Equals, "bar-snap-id")
+	c.Check(info.SnapID, Equals, "bar-snap-idididididididididididi")
 	c.Check(info.Revision, Equals, snap.R(65))
 	pubAcct, err = assertstate.Publisher(st, info.SnapID)
 	c.Assert(err, IsNil)
 	c.Check(pubAcct.AccountID(), Equals, "developerid")
 }
 
-func (s *FirstBootTestSuite) makeModelAssertion(c *C, modelStr string, reqSnaps ...string) *asserts.Model {
+func (s *FirstBootTestSuite) makeModelAssertion(c *C, modelStr string, extraHeaders map[string]interface{}, reqSnaps ...string) *asserts.Model {
 	headers := map[string]interface{}{
 		"series":       "16",
 		"authority-id": "my-brand",
@@ -703,13 +770,16 @@
 		"model":        modelStr,
 		"architecture": "amd64",
 		"store":        "canonical",
-		"gadget":       "pc",
 		"timestamp":    time.Now().Format(time.RFC3339),
 	}
+	for k, v := range extraHeaders {
+		headers[k] = v
+	}
 	if strings.HasSuffix(modelStr, "-classic") {
 		headers["classic"] = "true"
 	} else {
 		headers["kernel"] = "pc-kernel"
+		headers["gadget"] = "pc"
 	}
 	if len(reqSnaps) != 0 {
 		reqs := make([]interface{}, len(reqSnaps))
@@ -723,19 +793,19 @@
 	return model.(*asserts.Model)
 }
 
-func (s *FirstBootTestSuite) makeModelAssertionChain(c *C, modName string, reqSnaps ...string) []asserts.Assertion {
+func (s *FirstBootTestSuite) makeModelAssertionChain(c *C, modName string, extraHeaders map[string]interface{}, reqSnaps ...string) []asserts.Assertion {
 	assertChain := []asserts.Assertion{}
 
 	brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
 		"account-id":   "my-brand",
-		"verification": "certified",
+		"verification": "verified",
 	}, "")
 	assertChain = append(assertChain, brandAcct)
 
 	brandAccKey := assertstest.NewAccountKey(s.storeSigning, brandAcct, nil, s.brandPrivKey.PublicKey(), "")
 	assertChain = append(assertChain, brandAccKey)
 
-	model := s.makeModelAssertion(c, modName, reqSnaps...)
+	model := s.makeModelAssertion(c, modName, extraHeaders, reqSnaps...)
 	assertChain = append(assertChain, model)
 
 	storeAccountKey := s.storeSigning.StoreAccountKey("")
@@ -752,7 +822,18 @@
 		"snap_kernel": "pc-kernel_1.snap",
 	})
 
-	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, true)
+	const defaultsYaml = `
+defaults:
+    foo-snap-idididididididididididi:
+       foo-cfg: foo.
+    core-snap-ididididididididididid:
+       core-cfg: core_cfg_defl
+    pc-kernel-snap-ididididididididi:
+       pc-kernel-cfg: pc-kernel_cfg_defl
+    pc-snap-idididididididididididid:
+       pc-cfg: pc_cfg_defl
+`
+	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, defaultsYaml)
 
 	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
 		"account-id": "developerid",
@@ -777,7 +858,7 @@
 	c.Assert(err, IsNil)
 
 	// add a model assertion and its chain
-	assertsChain := s.makeModelAssertionChain(c, "my-model", "foo")
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil, "foo")
 	for i, as := range assertsChain {
 		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
 		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
@@ -806,13 +887,7 @@
 	tsAll, err := devicestate.PopulateStateFromSeedImpl(st)
 	c.Assert(err, IsNil)
 
-	// the last task of the last taskset must be mark-seeded
-	markSeededTask := tsAll[len(tsAll)-1].Tasks()[0]
-	c.Check(markSeededTask.Kind(), Equals, "mark-seeded")
-	// and the markSeededTask must wait for the other tasks
-	prevTasks := tsAll[len(tsAll)-2].Tasks()
-	otherTask := prevTasks[len(prevTasks)-1]
-	c.Check(markSeededTask.WaitTasks(), testutil.Contains, otherTask)
+	checkSeedTasks(c, tsAll)
 
 	// now run the change and check the result
 	// use the expected kind otherwise settle with start another one
@@ -829,7 +904,7 @@
 		// we have a gadget at this point(s)
 		_, err := snapstate.GadgetInfo(st)
 		c.Check(err, IsNil)
-		configured = append(configured, ctx.SnapName())
+		configured = append(configured, ctx.InstanceName())
 		return nil, nil
 	}
 
@@ -837,7 +912,7 @@
 	defer rhk()
 
 	// ensure we have something that captures the core config
-	restore := configstate.MockConfigcoreRun(func(configcore.Conf) error {
+	restore := configstate.MockConfigcoreRun(func(config.Conf) error {
 		configured = append(configured, "configcore")
 		return nil
 	})
@@ -889,7 +964,7 @@
 	// check foo
 	info, err := snapstate.CurrentInfo(state, "foo")
 	c.Assert(err, IsNil)
-	c.Assert(info.SnapID, Equals, "foo-snap-id")
+	c.Assert(info.SnapID, Equals, "foo-snap-idididididididididididi")
 	c.Assert(info.Revision, Equals, snap.R(128))
 	pubAcct, err := assertstate.Publisher(st, info.SnapID)
 	c.Assert(err, IsNil)
@@ -909,15 +984,143 @@
 	c.Check(seeded, Equals, true)
 }
 
+func (s *FirstBootTestSuite) TestPopulateFromSeedGadgetConnectHappy(c *C) {
+	bootloader := boottest.NewMockBootloader("mock", c.MkDir())
+	partition.ForceBootloader(bootloader)
+	defer partition.ForceBootloader(nil)
+	bootloader.SetBootVars(map[string]string{
+		"snap_core":   "core_1.snap",
+		"snap_kernel": "pc-kernel_1.snap",
+	})
+
+	const connectionsYaml = `
+connections:
+  - plug: foo-snap-idididididididididididi:network-control
+`
+	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, connectionsYaml)
+
+	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
+		"account-id": "developerid",
+	}, "")
+
+	devAcctFn := filepath.Join(dirs.SnapSeedDir, "assertions", "developer.account")
+	err := ioutil.WriteFile(devAcctFn, asserts.Encode(devAcct), 0644)
+	c.Assert(err, IsNil)
+
+	snapYaml := `name: foo
+version: 1.0
+plugs:
+  network-control:
+`
+	fooFname, fooDecl, fooRev := s.makeAssertedSnap(c, snapYaml, nil, snap.R(128), "developerid")
+
+	declFn := filepath.Join(dirs.SnapSeedDir, "assertions", "foo.snap-declaration")
+	err = ioutil.WriteFile(declFn, asserts.Encode(fooDecl), 0644)
+	c.Assert(err, IsNil)
+
+	revFn := filepath.Join(dirs.SnapSeedDir, "assertions", "foo.snap-revision")
+	err = ioutil.WriteFile(revFn, asserts.Encode(fooRev), 0644)
+	c.Assert(err, IsNil)
+
+	// add a model assertion and its chain
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil, "foo")
+	for i, as := range assertsChain {
+		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
+		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
+		c.Assert(err, IsNil)
+	}
+
+	// create a seed.yaml
+	content := []byte(fmt.Sprintf(`
+snaps:
+ - name: core
+   file: %s
+ - name: pc-kernel
+   file: %s
+ - name: pc
+   file: %s
+ - name: foo
+   file: %s
+`, coreFname, kernelFname, gadgetFname, fooFname))
+	err = ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), content, 0644)
+	c.Assert(err, IsNil)
+
+	// run the firstboot stuff
+	st := s.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+	tsAll, err := devicestate.PopulateStateFromSeedImpl(st)
+	c.Assert(err, IsNil)
+
+	checkSeedTasks(c, tsAll)
+
+	// now run the change and check the result
+	// use the expected kind otherwise settle with start another one
+	chg := st.NewChange("seed", "run the populate from seed changes")
+	for _, ts := range tsAll {
+		chg.AddAll(ts)
+	}
+	c.Assert(st.Changes(), HasLen, 1)
+
+	// avoid device reg
+	chg1 := st.NewChange("become-operational", "init device")
+	chg1.SetStatus(state.DoingStatus)
+
+	st.Unlock()
+	err = s.overlord.Settle(settleTimeout)
+	st.Lock()
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(err, IsNil)
+
+	// and check the snap got correctly installed
+	c.Check(osutil.FileExists(filepath.Join(dirs.SnapMountDir, "foo", "128", "meta", "snap.yaml")), Equals, true)
+
+	// verify
+	r, err := os.Open(dirs.SnapStateFile)
+	c.Assert(err, IsNil)
+	state, err := state.ReadState(nil, r)
+	c.Assert(err, IsNil)
+
+	state.Lock()
+	defer state.Unlock()
+
+	// check foo
+	info, err := snapstate.CurrentInfo(state, "foo")
+	c.Assert(err, IsNil)
+	c.Assert(info.SnapID, Equals, "foo-snap-idididididididididididi")
+	c.Assert(info.Revision, Equals, snap.R(128))
+	pubAcct, err := assertstate.Publisher(st, info.SnapID)
+	c.Assert(err, IsNil)
+	c.Check(pubAcct.AccountID(), Equals, "developerid")
+
+	// check connection
+	var conns map[string]interface{}
+	err = state.Get("conns", &conns)
+	c.Assert(err, IsNil)
+	c.Check(conns, HasLen, 1)
+	c.Check(conns, DeepEquals, map[string]interface{}{
+		"foo:network-control core:network-control": map[string]interface{}{
+			"interface": "network-control", "auto": true, "by-gadget": true,
+		},
+	})
+
+	// and ensure state is now considered seeded
+	var seeded bool
+	err = state.Get("seeded", &seeded)
+	c.Assert(err, IsNil)
+	c.Check(seeded, Equals, true)
+}
+
 func (s *FirstBootTestSuite) TestImportAssertionsFromSeedClassicModelMismatch(c *C) {
-	release.OnClassic = true
+	restore := release.MockOnClassic(true)
+	defer restore()
 
 	ovld, err := overlord.New()
 	c.Assert(err, IsNil)
 	st := ovld.State()
 
 	// add a bunch of assert files
-	assertsChain := s.makeModelAssertionChain(c, "my-model")
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil)
 	for i, as := range assertsChain {
 		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
 		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
@@ -938,7 +1141,7 @@
 	st := ovld.State()
 
 	// add a bunch of assert files
-	assertsChain := s.makeModelAssertionChain(c, "my-model-classic")
+	assertsChain := s.makeModelAssertionChain(c, "my-model-classic", nil)
 	for i, as := range assertsChain {
 		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
 		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
@@ -959,7 +1162,7 @@
 	st := ovld.State()
 
 	// add a bunch of assert files
-	assertsChain := s.makeModelAssertionChain(c, "my-model")
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil)
 	for i, as := range assertsChain {
 		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
 		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
@@ -1000,7 +1203,7 @@
 	defer st.Unlock()
 
 	// write out only the model assertion
-	assertsChain := s.makeModelAssertionChain(c, "my-model")
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil)
 	for _, as := range assertsChain {
 		if as.Type() == asserts.ModelType {
 			fn := filepath.Join(dirs.SnapSeedDir, "assertions", "model")
@@ -1022,12 +1225,12 @@
 	defer st.Unlock()
 
 	// write out two model assertions
-	model := s.makeModelAssertion(c, "my-model")
+	model := s.makeModelAssertion(c, "my-model", nil)
 	fn := filepath.Join(dirs.SnapSeedDir, "assertions", "model")
 	err := ioutil.WriteFile(fn, asserts.Encode(model), 0644)
 	c.Assert(err, IsNil)
 
-	model2 := s.makeModelAssertion(c, "my-second-model")
+	model2 := s.makeModelAssertion(c, "my-second-model", nil)
 	fn = filepath.Join(dirs.SnapSeedDir, "assertions", "model2")
 	err = ioutil.WriteFile(fn, asserts.Encode(model2), 0644)
 	c.Assert(err, IsNil)
@@ -1043,7 +1246,7 @@
 	st.Lock()
 	defer st.Unlock()
 
-	assertsChain := s.makeModelAssertionChain(c, "my-model")
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil)
 	for _, as := range assertsChain {
 		if as.Type() != asserts.ModelType {
 			fn := filepath.Join(dirs.SnapSeedDir, "assertions", "model")
@@ -1058,3 +1261,416 @@
 	_, err := devicestate.ImportAssertionsFromSeed(st)
 	c.Assert(err, ErrorMatches, "need a model assertion")
 }
+
+func (s *FirstBootTestSuite) makeCore18Snaps(c *C) (core18Fn, snapdFn, kernelFn, gadgetFn string) {
+	files := [][]string{}
+
+	core18Yaml := `name: core18
+version: 1.0
+type: base`
+	core18Fname, core18Decl, core18Rev := s.makeAssertedSnap(c, core18Yaml, files, snap.R(1), "canonical")
+	writeAssertionsToFile("core18.asserts", []asserts.Assertion{core18Rev, core18Decl})
+
+	snapdYaml := `name: snapd
+version: 1.0
+`
+	snapdFname, snapdDecl, snapdRev := s.makeAssertedSnap(c, snapdYaml, nil, snap.R(2), "canonical")
+	writeAssertionsToFile("snapd.asserts", []asserts.Assertion{snapdRev, snapdDecl})
+
+	kernelYaml := `name: pc-kernel
+version: 1.0
+type: kernel`
+	kernelFname, kernelDecl, kernelRev := s.makeAssertedSnap(c, kernelYaml, files, snap.R(1), "canonical")
+
+	writeAssertionsToFile("kernel.asserts", []asserts.Assertion{kernelRev, kernelDecl})
+
+	gadgetYaml := `
+volumes:
+    volume-id:
+        bootloader: grub
+`
+	files = append(files, []string{"meta/gadget.yaml", gadgetYaml})
+	gaYaml := `name: pc
+version: 1.0
+type: gadget
+base: core18
+`
+	gadgetFname, gadgetDecl, gadgetRev := s.makeAssertedSnap(c, gaYaml, files, snap.R(1), "canonical")
+
+	writeAssertionsToFile("gadget.asserts", []asserts.Assertion{gadgetRev, gadgetDecl})
+
+	return core18Fname, snapdFname, kernelFname, gadgetFname
+}
+
+func (s *FirstBootTestSuite) TestPopulateFromSeedWithBaseHappy(c *C) {
+	var sysdLog [][]string
+	systemctlRestorer := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
+		sysdLog = append(sysdLog, cmd)
+		return []byte("ActiveState=inactive\n"), nil
+	})
+	defer systemctlRestorer()
+
+	bootloader := boottest.NewMockBootloader("mock", c.MkDir())
+	partition.ForceBootloader(bootloader)
+	defer partition.ForceBootloader(nil)
+	bootloader.SetBootVars(map[string]string{
+		"snap_core":   "core18_1.snap",
+		"snap_kernel": "pc-kernel_1.snap",
+	})
+
+	core18Fname, snapdFname, kernelFname, gadgetFname := s.makeCore18Snaps(c)
+
+	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
+		"account-id": "developerid",
+	}, "")
+
+	devAcctFn := filepath.Join(dirs.SnapSeedDir, "assertions", "developer.account")
+	err := ioutil.WriteFile(devAcctFn, asserts.Encode(devAcct), 0644)
+	c.Assert(err, IsNil)
+
+	// add a model assertion and its chain
+	assertsChain := s.makeModelAssertionChain(c, "my-model", map[string]interface{}{"base": "core18"})
+	for i, as := range assertsChain {
+		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
+		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
+		c.Assert(err, IsNil)
+	}
+
+	// create a seed.yaml
+	content := []byte(fmt.Sprintf(`
+snaps:
+ - name: snapd
+   file: %s
+ - name: core18
+   file: %s
+ - name: pc-kernel
+   file: %s
+ - name: pc
+   file: %s
+`, snapdFname, core18Fname, kernelFname, gadgetFname))
+	err = ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), content, 0644)
+	c.Assert(err, IsNil)
+
+	// run the firstboot stuff
+	st := s.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+	tsAll, err := devicestate.PopulateStateFromSeedImpl(st)
+	c.Assert(err, IsNil)
+
+	// the first taskset installs snapd and waits for noone
+	i := 0
+	tSnapd := tsAll[i].Tasks()[0]
+	c.Check(tSnapd.WaitTasks(), HasLen, 0)
+	// the next installs the core18 and that will wait for snapd
+	i++
+	tCore18 := tsAll[i].Tasks()[0]
+	c.Check(tCore18.WaitTasks(), testutil.Contains, tSnapd)
+	// the next installs the kernel and will wait for the core18
+	i++
+	tKernel := tsAll[i].Tasks()[0]
+	c.Check(tKernel.WaitTasks(), testutil.Contains, tCore18)
+	// the next installs the gadget and will wait for the kernel
+	i++
+	tGadget := tsAll[i].Tasks()[0]
+	c.Check(tGadget.WaitTasks(), testutil.Contains, tKernel)
+
+	// now run the change and check the result
+	// use the expected kind otherwise settle with start another one
+	chg := st.NewChange("seed", "run the populate from seed changes")
+	for _, ts := range tsAll {
+		chg.AddAll(ts)
+	}
+	c.Assert(st.Changes(), HasLen, 1)
+
+	c.Assert(chg.Err(), IsNil)
+
+	// avoid device reg
+	chg1 := st.NewChange("become-operational", "init device")
+	chg1.SetStatus(state.DoingStatus)
+
+	// run change until it wants to restart
+	st.Unlock()
+	err = s.overlord.Settle(settleTimeout)
+	st.Lock()
+	c.Assert(err, IsNil)
+
+	// at this point the system is "restarting", pretend the restart has
+	// happened
+	c.Assert(chg.Status(), Equals, state.DoingStatus)
+	state.MockRestarting(st, state.RestartUnset)
+	st.Unlock()
+	err = s.overlord.Settle(settleTimeout)
+	st.Lock()
+	c.Assert(err, IsNil)
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+
+	// verify
+	r, err := os.Open(dirs.SnapStateFile)
+	c.Assert(err, IsNil)
+	state, err := state.ReadState(nil, r)
+	c.Assert(err, IsNil)
+
+	state.Lock()
+	defer state.Unlock()
+	// check snapd, core18, kernel, gadget
+	_, err = snapstate.CurrentInfo(state, "snapd")
+	c.Check(err, IsNil)
+	_, err = snapstate.CurrentInfo(state, "core18")
+	c.Check(err, IsNil)
+	_, err = snapstate.CurrentInfo(state, "pc-kernel")
+	c.Check(err, IsNil)
+	_, err = snapstate.CurrentInfo(state, "pc")
+	c.Check(err, IsNil)
+
+	// ensure requied flag is set on all essential snaps
+	var snapst snapstate.SnapState
+	for _, reqName := range []string{"snapd", "core18", "pc-kernel", "pc"} {
+		err = snapstate.Get(state, reqName, &snapst)
+		c.Assert(err, IsNil)
+		c.Assert(snapst.Required, Equals, true, Commentf("required not set for %v", reqName))
+	}
+
+	// the right systemd commands were run
+	c.Check(sysdLog, testutil.DeepContains, []string{"start", "usr-lib-snapd.mount"})
+
+	// and ensure state is now considered seeded
+	var seeded bool
+	err = state.Get("seeded", &seeded)
+	c.Assert(err, IsNil)
+	c.Check(seeded, Equals, true)
+
+	// check we set seed-time
+	var seedTime time.Time
+	err = state.Get("seed-time", &seedTime)
+	c.Assert(err, IsNil)
+	c.Check(seedTime.IsZero(), Equals, false)
+}
+
+func (s *FirstBootTestSuite) TestPopulateFromSeedOrdering(c *C) {
+	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
+		"account-id": "developerid",
+	}, "")
+
+	devAcctFn := filepath.Join(dirs.SnapSeedDir, "assertions", "developer.account")
+	err := ioutil.WriteFile(devAcctFn, asserts.Encode(devAcct), 0644)
+	c.Assert(err, IsNil)
+
+	// add a model assertion and its chain
+	assertsChain := s.makeModelAssertionChain(c, "my-model", map[string]interface{}{"base": "core18"})
+	for i, as := range assertsChain {
+		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
+		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
+		c.Assert(err, IsNil)
+	}
+
+	core18Fname, snapdFname, kernelFname, gadgetFname := s.makeCore18Snaps(c)
+
+	snapYaml := `name: snap-req-other-base
+version: 1.0
+base: other-base
+`
+	snapFname, snapDecl, snapRev := s.makeAssertedSnap(c, snapYaml, nil, snap.R(128), "developerid")
+	writeAssertionsToFile("snap-req-other-base.asserts", []asserts.Assertion{devAcct, snapRev, snapDecl})
+	baseYaml := `name: other-base
+version: 1.0
+type: base
+`
+	baseFname, baseDecl, baseRev := s.makeAssertedSnap(c, baseYaml, nil, snap.R(127), "developerid")
+	writeAssertionsToFile("other-base.asserts", []asserts.Assertion{devAcct, baseRev, baseDecl})
+
+	// create a seed.yaml
+	content := []byte(fmt.Sprintf(`
+snaps:
+ - name: snapd
+   file: %s
+ - name: core18
+   file: %s
+ - name: pc-kernel
+   file: %s
+ - name: pc
+   file: %s
+ - name: snap-req-other-base
+   file: %s
+ - name: other-base
+   file: %s
+`, snapdFname, core18Fname, kernelFname, gadgetFname, snapFname, baseFname))
+	err = ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), content, 0644)
+	c.Assert(err, IsNil)
+
+	// run the firstboot stuff
+	st := s.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+	tsAll, err := devicestate.PopulateStateFromSeedImpl(st)
+	c.Assert(err, IsNil)
+
+	// the first taskset installs snapd and waits for noone
+	i := 0
+	tSnapd := tsAll[i].Tasks()[0]
+	c.Check(tSnapd.WaitTasks(), HasLen, 0)
+	// the next installs the core18 and that will wait for snapd
+	i++
+	tCore18 := tsAll[i].Tasks()[0]
+	c.Check(tCore18.WaitTasks(), testutil.Contains, tSnapd)
+	// the next installs the kernel and will wait for the core18
+	i++
+	tKernel := tsAll[i].Tasks()[0]
+	c.Check(tKernel.WaitTasks(), testutil.Contains, tCore18)
+	// the next installs the gadget and will wait for the kernel
+	i++
+	tGadget := tsAll[i].Tasks()[0]
+	c.Check(tGadget.WaitTasks(), testutil.Contains, tKernel)
+	// the next installs the base and waits for the gadget
+	i++
+	tOtherBase := tsAll[i].Tasks()[0]
+	c.Check(tOtherBase.WaitTasks(), testutil.Contains, tGadget)
+	// and finally the app
+	i++
+	tSnap := tsAll[i].Tasks()[0]
+	c.Check(tSnap.WaitTasks(), testutil.Contains, tOtherBase)
+}
+
+func (s *FirstBootTestSuite) TestFirstbootGadgetBaseModelBaseMismatch(c *C) {
+	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
+		"account-id": "developerid",
+	}, "")
+
+	devAcctFn := filepath.Join(dirs.SnapSeedDir, "assertions", "developer.account")
+	err := ioutil.WriteFile(devAcctFn, asserts.Encode(devAcct), 0644)
+	c.Assert(err, IsNil)
+
+	// add a model assertion and its chain
+	assertsChain := s.makeModelAssertionChain(c, "my-model", map[string]interface{}{"base": "core18"})
+	for i, as := range assertsChain {
+		fn := filepath.Join(dirs.SnapSeedDir, "assertions", strconv.Itoa(i))
+		err := ioutil.WriteFile(fn, asserts.Encode(as), 0644)
+		c.Assert(err, IsNil)
+	}
+
+	core18Fname, snapdFname, kernelFname, _ := s.makeCore18Snaps(c)
+	// take the gadget without "base: core18"
+	_, _, gadgetFname := s.makeCoreSnaps(c, "")
+
+	// create a seed.yaml
+	content := []byte(fmt.Sprintf(`
+snaps:
+ - name: snapd
+   file: %s
+ - name: core18
+   file: %s
+ - name: pc-kernel
+   file: %s
+ - name: pc
+   file: %s
+`, snapdFname, core18Fname, kernelFname, gadgetFname))
+	err = ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), content, 0644)
+	c.Assert(err, IsNil)
+
+	// run the firstboot stuff
+	st := s.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+
+	_, err = devicestate.PopulateStateFromSeedImpl(st)
+	c.Assert(err, ErrorMatches, `cannot use gadget snap because its base "" is different from model base "core18"`)
+}
+
+func (s *FirstBootTestSuite) TestPopulateFromSeedWrongContentProviderOrder(c *C) {
+	bootloader := boottest.NewMockBootloader("mock", c.MkDir())
+	partition.ForceBootloader(bootloader)
+	defer partition.ForceBootloader(nil)
+	bootloader.SetBootVars(map[string]string{
+		"snap_core":   "core_1.snap",
+		"snap_kernel": "pc-kernel_1.snap",
+	})
+
+	coreFname, kernelFname, gadgetFname := s.makeCoreSnaps(c, "")
+
+	devAcct := assertstest.NewAccount(s.storeSigning, "developer", map[string]interface{}{
+		"account-id": "developerid",
+	}, "")
+
+	// a snap that uses content providers
+	snapYaml := `name: gnome-calculator
+version: 1.0
+plugs:
+ gtk-3-themes:
+  interface: content
+  default-provider: gtk-common-themes
+  target: $SNAP/data-dir/themes
+`
+	calcFname, calcDecl, calcRev := s.makeAssertedSnap(c, snapYaml, nil, snap.R(128), "developerid")
+
+	writeAssertionsToFile("calc.asserts", []asserts.Assertion{devAcct, calcRev, calcDecl})
+
+	// put a 2nd firstboot snap into the SnapBlobDir
+	snapYaml = `name: gtk-common-themes
+version: 1.0
+slots:
+ gtk-3-themes:
+  interface: content
+  source:
+   read:
+    - $SNAP/share/themes/Adawaita
+`
+	themesFname, themesDecl, themesRev := s.makeAssertedSnap(c, snapYaml, nil, snap.R(65), "developerid")
+
+	writeAssertionsToFile("themes.asserts", []asserts.Assertion{devAcct, themesDecl, themesRev})
+
+	// add a model assertion and its chain
+	assertsChain := s.makeModelAssertionChain(c, "my-model", nil)
+	writeAssertionsToFile("model.asserts", assertsChain)
+
+	// create a seed.yaml
+	content := []byte(fmt.Sprintf(`
+snaps:
+ - name: core
+   file: %s
+ - name: pc-kernel
+   file: %s
+ - name: pc
+   file: %s
+ - name: gnome-calculator
+   file: %s
+ - name: gtk-common-themes
+   file: %s
+`, coreFname, kernelFname, gadgetFname, calcFname, themesFname))
+	err := ioutil.WriteFile(filepath.Join(dirs.SnapSeedDir, "seed.yaml"), content, 0644)
+	c.Assert(err, IsNil)
+
+	// run the firstboot stuff
+	st := s.overlord.State()
+	st.Lock()
+	defer st.Unlock()
+
+	tsAll, err := devicestate.PopulateStateFromSeedImpl(st)
+	c.Assert(err, IsNil)
+	// use the expected kind otherwise settle with start another one
+	chg := st.NewChange("seed", "run the populate from seed changes")
+	for _, ts := range tsAll {
+		chg.AddAll(ts)
+	}
+	c.Assert(st.Changes(), HasLen, 1)
+
+	// avoid device reg
+	chg1 := st.NewChange("become-operational", "init device")
+	chg1.SetStatus(state.DoingStatus)
+
+	st.Unlock()
+	err = s.overlord.Settle(settleTimeout)
+	st.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(err, IsNil)
+
+	// verify the result
+	var conns map[string]interface{}
+	err = st.Get("conns", &conns)
+	c.Assert(err, IsNil)
+	c.Check(conns, HasLen, 1)
+	conn, hasConn := conns["gnome-calculator:gtk-3-themes gtk-common-themes:gtk-3-themes"]
+	c.Check(hasConn, Equals, true)
+	c.Check(conn.(map[string]interface{})["auto"], Equals, true)
+	c.Check(conn.(map[string]interface{})["interface"], Equals, "content")
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/devicestate/handlers.go snapd-2.37~rc1~14.04/overlord/devicestate/handlers.go
--- snapd-2.32.3.2~14.04/overlord/devicestate/handlers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/devicestate/handlers.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,16 +26,20 @@
 	"net"
 	"net/http"
 	"net/url"
+	"strconv"
+	"strings"
 	"time"
 
 	"gopkg.in/tomb.v2"
 
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/httputil"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord/assertstate"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/configstate/proxyconf"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 )
@@ -57,22 +61,89 @@
 	return osutil.GetenvBool("SNAPPY_USE_STAGING_STORE")
 }
 
-func deviceAPIBaseURL() string {
+func baseURL() *url.URL {
 	if useStaging() {
-		return "https://api.staging.snapcraft.io/api/v1/snaps/auth/"
+		return mustParse("https://api.staging.snapcraft.io/")
 	}
-	return "https://api.snapcraft.io/api/v1/snaps/auth/"
+	return mustParse("https://api.snapcraft.io/")
+}
+
+func mustParse(s string) *url.URL {
+	u, err := url.Parse(s)
+	if err != nil {
+		panic(err)
+	}
+	return u
 }
 
 var (
-	keyLength        = 4096
-	retryInterval    = 60 * time.Second
-	maxTentatives    = 15
-	deviceAPIBase    = deviceAPIBaseURL()
-	requestIDURL     = deviceAPIBase + "request-id"
-	serialRequestURL = deviceAPIBase + "devices"
+	keyLength     = 4096
+	retryInterval = 60 * time.Second
+	maxTentatives = 15
+	baseStoreURL  = baseURL().ResolveReference(authRef)
+
+	authRef    = mustParse("api/v1/snaps/auth/") // authRef must end in / for the following refs to work
+	reqIdRef   = mustParse("request-id")
+	serialRef  = mustParse("serial")
+	devicesRef = mustParse("devices")
 )
 
+func newEnoughProxy(st *state.State, proxyURL *url.URL, client *http.Client) bool {
+	st.Unlock()
+	defer st.Lock()
+
+	const prefix = "Cannot check whether proxy store supports a custom serial vault"
+
+	req, err := http.NewRequest("HEAD", proxyURL.String(), nil)
+	if err != nil {
+		// can't really happen unless proxyURL is somehow broken
+		logger.Debugf(prefix+": %v", err)
+		return false
+	}
+	req.Header.Set("User-Agent", httputil.UserAgent())
+	resp, err := client.Do(req)
+	if err != nil {
+		// some sort of network or protocol error
+		logger.Debugf(prefix+": %v", err)
+		return false
+	}
+	resp.Body.Close()
+	if resp.StatusCode != 200 {
+		logger.Debugf(prefix+": Head request returned %s.", resp.Status)
+		return false
+	}
+	verstr := resp.Header.Get("Snap-Store-Version")
+	ver, err := strconv.Atoi(verstr)
+	if err != nil {
+		logger.Debugf(prefix+": Bogus Snap-Store-Version header %q.", verstr)
+		return false
+	}
+	return ver >= 6
+}
+
+func (cfg *serialRequestConfig) setURLs(proxyURL, svcURL *url.URL) {
+	base := baseStoreURL
+	if proxyURL != nil {
+		if svcURL != nil {
+			if cfg.headers == nil {
+				cfg.headers = make(map[string]string, 1)
+			}
+			cfg.headers["X-Snap-Device-Service-URL"] = svcURL.String()
+		}
+		base = proxyURL.ResolveReference(authRef)
+	} else if svcURL != nil {
+		base = svcURL
+	}
+
+	cfg.requestIDURL = base.ResolveReference(reqIdRef).String()
+	if svcURL != nil && proxyURL == nil {
+		// talking directly to the custom device service
+		cfg.serialRequestURL = base.ResolveReference(serialRef).String()
+	} else {
+		cfg.serialRequestURL = base.ResolveReference(devicesRef).String()
+	}
+}
+
 func (m *DeviceManager) doGenerateDeviceKey(t *state.Task, _ *tomb.Tomb) error {
 	st := t.State()
 	st.Lock()
@@ -269,7 +340,7 @@
 	return serial, nil
 }
 
-func getSerial(t *state.Task, privKey asserts.PrivateKey, device *auth.DeviceState, cfg *serialRequestConfig) (*asserts.Serial, error) {
+func getSerial(t *state.Task, privKey asserts.PrivateKey, device *auth.DeviceState) (*asserts.Serial, error) {
 	var serialSup serialSetup
 	err := t.Get("serial-setup", &serialSup)
 	if err != nil && err != state.ErrNoState {
@@ -285,11 +356,19 @@
 		return a.(*asserts.Serial), nil
 	}
 
-	client := httputil.NewHTTPClient(&httputil.ClientOpts{
+	st := t.State()
+	proxyConf := proxyconf.New(st)
+	client := httputil.NewHTTPClient(&httputil.ClientOptions{
 		Timeout:    30 * time.Second,
 		MayLogBody: true,
+		Proxy:      proxyConf.Conf,
 	})
 
+	cfg, err := getSerialRequestConfig(t, client)
+	if err != nil {
+		return nil, err
+	}
+
 	// NB: until we get at least an Accepted (202) we need to
 	// retry from scratch creating a new request-id because the
 	// previous one used could have expired
@@ -343,84 +422,87 @@
 	}
 }
 
-func getSerialRequestConfig(t *state.Task) (*serialRequestConfig, error) {
-	var svcURL string
+func getSerialRequestConfig(t *state.Task, client *http.Client) (*serialRequestConfig, error) {
+	var svcURL, proxyURL *url.URL
+
+	st := t.State()
+	tr := config.NewTransaction(st)
+	if proxyStore, err := proxyStore(st, tr); err != nil && err != state.ErrNoState {
+		return nil, err
+	} else if proxyStore != nil {
+		proxyURL = proxyStore.URL()
+	}
 
 	// gadget is optional on classic
-	model, err := Model(t.State())
+	model, err := Model(st)
 	if err != nil && err != state.ErrNoState {
 		return nil, err
 	}
 
-	var gadgetName string
-	var tr *config.Transaction
+	cfg := serialRequestConfig{}
+
 	if model != nil && model.Gadget() != "" {
 		// model specifies a gadget
-		gadgetInfo, err := snapstate.GadgetInfo(t.State())
+		gadgetInfo, err := snapstate.GadgetInfo(st)
 		if err != nil {
 			return nil, fmt.Errorf("cannot find gadget snap and its name: %v", err)
 		}
-		gadgetName = gadgetInfo.Name()
+		gadgetName := gadgetInfo.InstanceName()
 
-		tr = config.NewTransaction(t.State())
-		err = tr.GetMaybe(gadgetName, "device-service.url", &svcURL)
+		var svcURI string
+		err = tr.GetMaybe(gadgetName, "device-service.url", &svcURI)
 		if err != nil {
 			return nil, err
 		}
-	}
 
-	if svcURL == "" {
-		// no gadget or no device-service.url, use the fallback
-		// service in the store
-		return &serialRequestConfig{
-			requestIDURL:     requestIDURL,
-			serialRequestURL: serialRequestURL,
-		}, nil
-	}
+		if svcURI != "" {
+			svcURL, err = url.Parse(svcURI)
+			if err != nil {
+				return nil, fmt.Errorf("cannot parse device registration base URL %q: %v", svcURI, err)
+			}
+			if !strings.HasSuffix(svcURL.Path, "/") {
+				svcURL.Path += "/"
+			}
+		}
 
-	baseURL, err := url.Parse(svcURL)
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse device registration base URL %q: %v", svcURL, err)
-	}
+		err = tr.GetMaybe(gadgetName, "device-service.headers", &cfg.headers)
+		if err != nil {
+			return nil, err
+		}
 
-	var headers map[string]string
-	err = tr.GetMaybe(gadgetName, "device-service.headers", &headers)
-	if err != nil {
-		return nil, err
-	}
+		var bodyStr string
+		err = tr.GetMaybe(gadgetName, "registration.body", &bodyStr)
+		if err != nil {
+			return nil, err
+		}
 
-	cfg := serialRequestConfig{
-		headers: headers,
-	}
+		cfg.body = []byte(bodyStr)
 
-	reqIDURL, err := baseURL.Parse("request-id")
-	if err != nil {
-		return nil, fmt.Errorf("cannot build /request-id URL from %v: %v", baseURL, err)
+		err = tr.GetMaybe(gadgetName, "registration.proposed-serial", &cfg.proposedSerial)
+		if err != nil {
+			return nil, err
+		}
 	}
-	cfg.requestIDURL = reqIDURL.String()
 
-	var bodyStr string
-	err = tr.GetMaybe(gadgetName, "registration.body", &bodyStr)
-	if err != nil {
-		return nil, err
+	if proxyURL != nil && svcURL != nil && !newEnoughProxy(st, proxyURL, client) {
+		logger.Noticef("Proxy store does not support custom serial vault; ignoring the proxy")
+		proxyURL = nil
 	}
 
-	cfg.body = []byte(bodyStr)
+	cfg.setURLs(proxyURL, svcURL)
 
-	serialURL, err := baseURL.Parse("serial")
-	if err != nil {
-		return nil, fmt.Errorf("cannot build /serial URL from %v: %v", baseURL, err)
-	}
-	cfg.serialRequestURL = serialURL.String()
+	return &cfg, nil
+}
 
-	var proposedSerial string
-	err = tr.GetMaybe(gadgetName, "registration.proposed-serial", &proposedSerial)
+func (m *DeviceManager) finishRegistration(t *state.Task, device *auth.DeviceState, serial *asserts.Serial) error {
+	device.Serial = serial.Serial()
+	err := auth.SetDevice(t.State(), device)
 	if err != nil {
-		return nil, err
+		return err
 	}
-	cfg.proposedSerial = proposedSerial
-
-	return &cfg, nil
+	m.markRegistered()
+	t.SetStatus(state.DoneStatus)
+	return nil
 }
 
 func (m *DeviceManager) doRequestSerial(t *state.Task, _ *tomb.Tomb) error {
@@ -428,11 +510,6 @@
 	st.Lock()
 	defer st.Unlock()
 
-	cfg, err := getSerialRequestConfig(t)
-	if err != nil {
-		return err
-	}
-
 	device, err := auth.Device(st)
 	if err != nil {
 		return err
@@ -459,19 +536,13 @@
 
 	if len(serials) == 1 {
 		// means we saved the assertion but didn't get to the end of the task
-		device.Serial = serials[0].(*asserts.Serial).Serial()
-		err := auth.SetDevice(st, device)
-		if err != nil {
-			return err
-		}
-		t.SetStatus(state.DoneStatus)
-		return nil
+		return m.finishRegistration(t, device, serials[0].(*asserts.Serial))
 	}
 	if len(serials) > 1 {
 		return fmt.Errorf("internal error: multiple serial assertions for the same device key")
 	}
 
-	serial, err := getSerial(t, privKey, device, cfg)
+	serial, err := getSerial(t, privKey, device)
 	if err == errPoll {
 		t.Logf("Will poll for device serial assertion in 60 seconds")
 		return &state.Retry{After: retryInterval}
@@ -502,13 +573,7 @@
 		return &state.Retry{}
 	}
 
-	device.Serial = serial.Serial()
-	err = auth.SetDevice(st, device)
-	if err != nil {
-		return err
-	}
-	t.SetStatus(state.DoneStatus)
-	return nil
+	return m.finishRegistration(t, device, serial)
 }
 
 var repeatRequestSerial string // for tests
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/context.go snapd-2.37~rc1~14.04/overlord/hookstate/context.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/context.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/context.go	2019-01-16 08:36:51.000000000 +0000
@@ -70,8 +70,8 @@
 	}, nil
 }
 
-// SnapName returns the name of the snap containing the hook.
-func (c *Context) SnapName() string {
+// InstanceName returns the name of the snap instance containing the hook.
+func (c *Context) InstanceName() string {
 	return c.setup.Snap
 }
 
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/context_test.go snapd-2.37~rc1~14.04/overlord/hookstate/context_test.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/context_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/context_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -51,7 +51,7 @@
 
 func (s *contextSuite) TestHookSetup(c *C) {
 	c.Check(s.context.HookName(), Equals, "test-hook")
-	c.Check(s.context.SnapName(), Equals, "test-snap")
+	c.Check(s.context.InstanceName(), Equals, "test-snap")
 }
 
 func (s *contextSuite) TestSetAndGet(c *C) {
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/ctlcmd.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/ctlcmd.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/ctlcmd.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/ctlcmd.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,7 +43,7 @@
 
 func (c *baseCommand) printf(format string, a ...interface{}) {
 	if c.stdout != nil {
-		c.stdout.Write([]byte(fmt.Sprintf(format, a...)))
+		fmt.Fprintf(c.stdout, format, a...)
 	}
 }
 
@@ -53,7 +53,7 @@
 
 func (c *baseCommand) errorf(format string, a ...interface{}) {
 	if c.stderr != nil {
-		c.stderr.Write([]byte(fmt.Sprintf(format, a...)))
+		fmt.Fprintf(c.stderr, format, a...)
 	}
 }
 
@@ -91,20 +91,46 @@
 	}
 }
 
+// ForbiddenCommandError conveys that a command cannot be invoked in some context
+type ForbiddenCommandError struct {
+	Message string
+}
+
+func (f ForbiddenCommandError) Error() string {
+	return f.Message
+}
+
+// ForbiddenCommand contains information about an attempt to use a command in a context where it is not allowed.
+type ForbiddenCommand struct {
+	Uid  uint32
+	Name string
+}
+
+func (f *ForbiddenCommand) Execute(args []string) error {
+	return &ForbiddenCommandError{Message: fmt.Sprintf("cannot use %q with uid %d, try with sudo", f.Name, f.Uid)}
+}
+
 // Run runs the requested command.
-func Run(context *hookstate.Context, args []string) (stdout, stderr []byte, err error) {
+func Run(context *hookstate.Context, args []string, uid uint32) (stdout, stderr []byte, err error) {
 	parser := flags.NewParser(nil, flags.PassDoubleDash|flags.HelpFlag)
 
 	// Create stdout/stderr buffers, and make sure commands use them.
 	var stdoutBuffer bytes.Buffer
 	var stderrBuffer bytes.Buffer
 	for name, cmdInfo := range commands {
-		cmd := cmdInfo.generator()
-		cmd.setStdout(&stdoutBuffer)
-		cmd.setStderr(&stderrBuffer)
-		cmd.setContext(context)
-
-		_, err = parser.AddCommand(name, cmdInfo.shortHelp, cmdInfo.longHelp, cmd)
+		var data interface{}
+		// commands listed here will be allowed for regular users
+		// note: commands still need valid context and snaps can only access own config.
+		if uid == 0 || name == "get" || name == "services" {
+			cmd := cmdInfo.generator()
+			cmd.setStdout(&stdoutBuffer)
+			cmd.setStderr(&stderrBuffer)
+			cmd.setContext(context)
+			data = cmd
+		} else {
+			data = &ForbiddenCommand{Uid: uid, Name: name}
+		}
+		_, err = parser.AddCommand(name, cmdInfo.shortHelp, cmdInfo.longHelp, data)
 		if err != nil {
 			logger.Panicf("cannot add command %q: %s", name, err)
 		}
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/ctlcmd_test.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/ctlcmd_test.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/ctlcmd_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/ctlcmd_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -55,7 +55,7 @@
 }
 
 func (s *ctlcmdSuite) TestNonExistingCommand(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"foo"})
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"foo"}, 0)
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
 	c.Check(err, ErrorMatches, ".*[Uu]nknown command.*")
@@ -68,7 +68,7 @@
 	mockCommand.FakeStdout = "test stdout"
 	mockCommand.FakeStderr = "test stderr"
 
-	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"mock", "foo"})
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"mock", "foo"}, 0)
 	c.Check(err, IsNil)
 	c.Check(string(stdout), Equals, "test stdout")
 	c.Check(string(stderr), Equals, "test stderr")
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/export_test.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/export_test.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,7 +29,7 @@
 
 var AttributesTask = attributesTask
 
-func MockServicestateControlFunc(f func(*state.State, []*snap.AppInfo, *servicestate.Instruction, *hookstate.Context) (*state.TaskSet, error)) (restore func()) {
+func MockServicestateControlFunc(f func(*state.State, []*snap.AppInfo, *servicestate.Instruction, *hookstate.Context) ([]*state.TaskSet, error)) (restore func()) {
 	old := servicestateControl
 	servicestateControl = f
 	return func() { servicestateControl = old }
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/get.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/get.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/get.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/get.go	2019-01-16 08:36:51.000000000 +0000
@@ -175,7 +175,7 @@
 
 	return c.printValues(func(key string) (interface{}, bool, error) {
 		var value interface{}
-		err := transaction.Get(c.context().SnapName(), key, &value)
+		err := transaction.Get(c.context().InstanceName(), key, &value)
 		if err == nil {
 			return value, true, nil
 		}
@@ -194,22 +194,36 @@
 const (
 	preparePlugHook ifaceHookType = iota
 	prepareSlotHook
+	unpreparePlugHook
+	unprepareSlotHook
 	connectPlugHook
 	connectSlotHook
+	disconnectPlugHook
+	disconnectSlotHook
 	unknownHook
 )
 
 func interfaceHookType(hookName string) (ifaceHookType, error) {
-	if strings.HasPrefix(hookName, "prepare-plug-") {
+	switch {
+	case strings.HasPrefix(hookName, "prepare-plug-"):
 		return preparePlugHook, nil
-	} else if strings.HasPrefix(hookName, "connect-plug-") {
+	case strings.HasPrefix(hookName, "connect-plug-"):
 		return connectPlugHook, nil
-	} else if strings.HasPrefix(hookName, "prepare-slot-") {
+	case strings.HasPrefix(hookName, "prepare-slot-"):
 		return prepareSlotHook, nil
-	} else if strings.HasPrefix(hookName, "connect-slot-") {
+	case strings.HasPrefix(hookName, "connect-slot-"):
 		return connectSlotHook, nil
+	case strings.HasPrefix(hookName, "disconnect-plug-"):
+		return disconnectPlugHook, nil
+	case strings.HasPrefix(hookName, "disconnect-slot-"):
+		return disconnectSlotHook, nil
+	case strings.HasPrefix(hookName, "unprepare-slot-"):
+		return unprepareSlotHook, nil
+	case strings.HasPrefix(hookName, "unprepare-plug-"):
+		return unpreparePlugHook, nil
+	default:
+		return unknownHook, fmt.Errorf("unknown hook type")
 	}
-	return unknownHook, fmt.Errorf("unknown hook type")
 }
 
 func validatePlugOrSlot(attrsTask *state.Task, plugSide bool, plugOrSlot string) error {
@@ -275,31 +289,50 @@
 		return fmt.Errorf("cannot use --plug and --slot together")
 	}
 
-	isPlugSide := (hookType == preparePlugHook || hookType == connectPlugHook)
+	isPlugSide := (hookType == preparePlugHook || hookType == unpreparePlugHook || hookType == connectPlugHook || hookType == disconnectPlugHook)
 	if err = validatePlugOrSlot(attrsTask, isPlugSide, plugOrSlot); err != nil {
 		return err
 	}
 
 	var which string
 	if c.ForcePlugSide || (isPlugSide && !c.ForceSlotSide) {
-		which = "plug-attrs"
+		which = "plug"
 	} else {
-		which = "slot-attrs"
+		which = "slot"
 	}
 
 	st := context.State()
 	st.Lock()
 	defer st.Unlock()
 
-	attributes := make(map[string]interface{})
-	if err = attrsTask.Get(which, &attributes); err != nil {
+	var staticAttrs, dynamicAttrs map[string]interface{}
+	if err = attrsTask.Get(which+"-static", &staticAttrs); err != nil {
+		return fmt.Errorf(i18n.G("internal error: cannot get %s from appropriate task"), which)
+	}
+	if err = attrsTask.Get(which+"-dynamic", &dynamicAttrs); err != nil {
 		return fmt.Errorf(i18n.G("internal error: cannot get %s from appropriate task"), which)
 	}
 
 	return c.printValues(func(key string) (interface{}, bool, error) {
-		if value, ok := attributes[key]; ok {
+		subkeys, err := config.ParseKey(key)
+		if err != nil {
+			return nil, false, err
+		}
+
+		var value interface{}
+		err = config.GetFromChange(context.InstanceName(), subkeys, 0, staticAttrs, &value)
+		if err == nil {
 			return value, true, nil
 		}
-		return nil, false, fmt.Errorf(i18n.G("unknown attribute %q"), key)
+		if config.IsNoOption(err) {
+			err = config.GetFromChange(context.InstanceName(), subkeys, 0, dynamicAttrs, &value)
+			if err == nil {
+				return value, true, nil
+			}
+			if config.IsNoOption(err) {
+				return nil, false, fmt.Errorf(i18n.G("unknown attribute %q"), key)
+			}
+		}
+		return nil, false, err
 	})
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/get_test.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/get_test.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/get_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/get_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -135,7 +135,7 @@
 
 		state.Unlock()
 
-		stdout, stderr, err := ctlcmd.Run(mockContext, strings.Fields(test.args))
+		stdout, stderr, err := ctlcmd.Run(mockContext, strings.Fields(test.args), 0)
 		if test.error != "" {
 			c.Check(err, ErrorMatches, test.error)
 		} else {
@@ -146,11 +146,54 @@
 	}
 }
 
+func (s *getSuite) TestGetRegularUser(c *C) {
+	state := state.New(nil)
+	state.Lock()
+
+	task := state.NewTask("test-task", "my test task")
+	setup := &hookstate.HookSetup{Snap: "test-snap", Revision: snap.R(1), Hook: "test-hook"}
+
+	// Initialize configuration
+	tr := config.NewTransaction(state)
+	tr.Set("test-snap", "test-key1", "test-value1")
+	tr.Commit()
+
+	state.Unlock()
+
+	mockHandler := hooktest.NewMockHandler()
+	mockContext, err := hookstate.NewContext(task, task.State(), setup, mockHandler, "")
+	c.Assert(err, IsNil)
+	stdout, stderr, err := ctlcmd.Run(mockContext, []string{"get", "test-key1"}, 1000)
+	c.Assert(err, IsNil)
+	c.Assert(string(stdout), Equals, "test-value1\n")
+	c.Assert(string(stderr), Equals, "")
+}
+
 func (s *getSuite) TestCommandWithoutContext(c *C) {
-	_, _, err := ctlcmd.Run(nil, []string{"get", "foo"})
+	_, _, err := ctlcmd.Run(nil, []string{"get", "foo"}, 0)
 	c.Check(err, ErrorMatches, ".*cannot get without a context.*")
 }
 
+func (s *setSuite) TestNull(c *C) {
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"set", "foo=null"}, 0)
+	c.Check(err, IsNil)
+
+	_, _, err = ctlcmd.Run(s.mockContext, []string{"set", `bar=[null]`}, 0)
+	c.Check(err, IsNil)
+
+	// Notify the context that we're done. This should save the config.
+	s.mockContext.Lock()
+	defer s.mockContext.Unlock()
+	c.Check(s.mockContext.Done(), IsNil)
+
+	// Verify config value
+	var value interface{}
+	tr := config.NewTransaction(s.mockContext.State())
+	c.Assert(tr.Get("test-snap", "foo", &value), IsNil)
+	c.Assert(value, IsNil)
+	c.Assert(tr.Get("test-snap", "bar", &value), IsNil)
+	c.Assert(value, DeepEquals, []interface{}{nil})
+}
 func (s *getAttrSuite) SetUpTest(c *C) {
 	s.mockHandler = hooktest.NewMockHandler()
 
@@ -161,13 +204,25 @@
 	attrsTask := state.NewTask("connect-task", "my connect task")
 	attrsTask.Set("plug", &interfaces.PlugRef{Snap: "a", Name: "aplug"})
 	attrsTask.Set("slot", &interfaces.SlotRef{Snap: "b", Name: "bslot"})
-	plugAttrs := make(map[string]interface{})
-	slotAttrs := make(map[string]interface{})
-	plugAttrs["aattr"] = "foo"
-	plugAttrs["baz"] = []string{"a", "b"}
-	slotAttrs["battr"] = "bar"
-	attrsTask.Set("plug-attrs", plugAttrs)
-	attrsTask.Set("slot-attrs", slotAttrs)
+	staticPlugAttrs := map[string]interface{}{
+		"aattr":   "foo",
+		"baz":     []string{"a", "b"},
+		"mapattr": map[string]interface{}{"mapattr1": "mapval1", "mapattr2": "mapval2"},
+	}
+	dynamicPlugAttrs := map[string]interface{}{
+		"dyn-plug-attr": "c",
+	}
+	dynamicSlotAttrs := map[string]interface{}{
+		"dyn-slot-attr": "d",
+	}
+
+	staticSlotAttrs := map[string]interface{}{
+		"battr": "bar",
+	}
+	attrsTask.Set("plug-static", staticPlugAttrs)
+	attrsTask.Set("plug-dynamic", dynamicPlugAttrs)
+	attrsTask.Set("slot-static", staticSlotAttrs)
+	attrsTask.Set("slot-dynamic", dynamicSlotAttrs)
 	ch.AddTask(attrsTask)
 	state.Unlock()
 
@@ -205,115 +260,93 @@
 	ch.AddTask(slotHookTask)
 }
 
-func (s *getAttrSuite) TestGetPlugAttributesInPlugHook(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"get", ":aplug", "aattr"})
-	c.Check(err, IsNil)
-	c.Check(string(stdout), Equals, "foo\n")
-	c.Check(string(stderr), Equals, "")
-
-	stdout, stderr, err = ctlcmd.Run(s.mockPlugHookContext, []string{"get", "-d", ":aplug", "baz"})
-	c.Check(err, IsNil)
-	c.Check(string(stdout), Equals, "{\n\t\"baz\": [\n\t\t\"a\",\n\t\t\"b\"\n\t]\n}\n")
-	c.Check(string(stderr), Equals, "")
-
+var getPlugAttributesTests = []struct {
+	args, stdout, error string
+}{{
+	args:   "get :aplug aattr",
+	stdout: "foo\n",
+}, {
+	args:   "get -d :aplug baz",
+	stdout: "{\n\t\"baz\": [\n\t\t\"a\",\n\t\t\"b\"\n\t]\n}\n",
+}, {
+	args:   "get :aplug mapattr.mapattr1",
+	stdout: "mapval1\n",
+}, {
+	args:   "get -d :aplug mapattr.mapattr1",
+	stdout: "{\n\t\"mapattr.mapattr1\": \"mapval1\"\n}\n",
+}, {
+	args:   "get :aplug dyn-plug-attr",
+	stdout: "c\n",
+}, {
 	// The --plug parameter doesn't do anything if used on plug side
-	stdout, stderr, err = ctlcmd.Run(s.mockPlugHookContext, []string{"get", "--plug", ":aplug", "aattr"})
-	c.Check(err, IsNil)
-	c.Check(string(stdout), Equals, "foo\n")
-	c.Check(string(stderr), Equals, "")
-}
+	args:   "get --plug :aplug aattr",
+	stdout: "foo\n",
+}, {
+	args:   "get --slot :aplug battr",
+	stdout: "bar\n",
+}, {
+	args:  "get :aplug x",
+	error: `unknown attribute "x"`,
+}, {
+	args:  "get :bslot x",
+	error: `unknown plug or slot "bslot"`,
+}, {
+	args:  "get : foo",
+	error: "plug or slot name not provided",
+}}
+
+func (s *getAttrSuite) TestPlugHookTests(c *C) {
+	for _, test := range getPlugAttributesTests {
+		c.Logf("Test: %s", test.args)
 
-func (s *getAttrSuite) TestGetSlotAttributesInSlotHook(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockSlotHookContext, []string{"get", ":bslot", "battr"})
-	c.Check(err, IsNil)
-	c.Check(string(stdout), Equals, "bar\n")
-	c.Check(string(stderr), Equals, "")
-
-	// The --slot parameter doesn't do anything if used on slot side
-	stdout, stderr, err = ctlcmd.Run(s.mockSlotHookContext, []string{"get", "--slot", ":bslot", "battr"})
-	c.Check(err, IsNil)
-	c.Check(string(stdout), Equals, "bar\n")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestGetSlotAttributeInPlugHook(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"get", "--slot", ":aplug", "battr"})
-	c.Check(err, IsNil)
-	c.Check(string(stdout), Equals, "bar\n")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestGetPlugAttributeInSlotHook(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockSlotHookContext, []string{"get", "--plug", ":bslot", "aattr"})
-	c.Check(err, IsNil)
-	c.Check(string(stdout), Equals, "foo\n")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestUnknownPlugAttribute(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"get", ":aplug", "x"})
-	c.Check(err, NotNil)
-	c.Check(err.Error(), Equals, `unknown attribute "x"`)
-	c.Check(string(stdout), Equals, "")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestUnknownSlotAttribute(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockSlotHookContext, []string{"get", ":bslot", "x"})
-	c.Check(err, NotNil)
-	c.Check(err.Error(), Equals, `unknown attribute "x"`)
-	c.Check(string(stdout), Equals, "")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestUsingPlugNameInSlotHookFails(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockSlotHookContext, []string{"get", ":aplug", "x"})
-	c.Check(err, NotNil)
-	c.Check(err.Error(), Equals, `unknown plug or slot "aplug"`)
-	c.Check(string(stdout), Equals, "")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestUsingSlotNameInPlugHookFails(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"get", ":bslot", "x"})
-	c.Check(err, NotNil)
-	c.Check(err.Error(), Equals, `unknown plug or slot "bslot"`)
-	c.Check(string(stdout), Equals, "")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestForcePlugOrSlotMutuallyExclusive(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockSlotHookContext, []string{"get", "--slot", "--plug", ":aplug", "x"})
-	c.Check(err, NotNil)
-	c.Check(err.Error(), Equals, `cannot use --plug and --slot together`)
-	c.Check(string(stdout), Equals, "")
-	c.Check(string(stderr), Equals, "")
-}
-
-func (s *getAttrSuite) TestPlugOrSlotEmpty(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"get", ":", "foo"})
-	c.Check(err.Error(), Equals, "plug or slot name not provided")
-	c.Check(string(stdout), Equals, "")
-	c.Check(string(stderr), Equals, "")
+		stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, strings.Fields(test.args), 0)
+		if test.error != "" {
+			c.Check(err, ErrorMatches, test.error)
+		} else {
+			c.Check(err, IsNil)
+			c.Check(string(stderr), Equals, "")
+			c.Check(string(stdout), Equals, test.stdout)
+		}
+	}
 }
 
-func (s *setSuite) TestNull(c *C) {
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"set", "foo=null"})
-	c.Check(err, IsNil)
-
-	_, _, err = ctlcmd.Run(s.mockContext, []string{"set", `bar=[null]`})
-	c.Check(err, IsNil)
-
-	// Notify the context that we're done. This should save the config.
-	s.mockContext.Lock()
-	defer s.mockContext.Unlock()
-	c.Check(s.mockContext.Done(), IsNil)
+var getSlotAttributesTests = []struct {
+	args, stdout, error string
+}{{
+	args:   "get :bslot battr",
+	stdout: "bar\n",
+}, {
+	args:   "get :bslot dyn-slot-attr",
+	stdout: "d\n",
+}, {
+	// The --slot parameter doesn't do anything if used on slot side
+	args:   "get --slot :bslot battr",
+	stdout: "bar\n",
+}, {
+	args:   "get --plug :bslot aattr",
+	stdout: "foo\n",
+}, {
+	args:  "get :bslot x",
+	error: `unknown attribute "x"`,
+}, {
+	args:  "get :aplug x",
+	error: `unknown plug or slot "aplug"`,
+}, {
+	args:  "get --slot --plug :aplug x",
+	error: `cannot use --plug and --slot together`,
+}}
+
+func (s *getAttrSuite) TestSlotHookTests(c *C) {
+	for _, test := range getSlotAttributesTests {
+		c.Logf("Test: %s", test.args)
 
-	// Verify config value
-	var value interface{}
-	tr := config.NewTransaction(s.mockContext.State())
-	c.Assert(tr.Get("test-snap", "foo", &value), IsNil)
-	c.Assert(value, IsNil)
-	c.Assert(tr.Get("test-snap", "bar", &value), IsNil)
-	c.Assert(value, DeepEquals, []interface{}{nil})
+		stdout, stderr, err := ctlcmd.Run(s.mockSlotHookContext, strings.Fields(test.args), 0)
+		if test.error != "" {
+			c.Check(err, ErrorMatches, test.error)
+		} else {
+			c.Check(err, IsNil)
+			c.Check(string(stderr), Equals, "")
+			c.Check(string(stdout), Equals, test.stdout)
+		}
+	}
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/helpers.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/helpers.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/helpers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/helpers.go	2019-01-16 08:36:51.000000000 +0000
@@ -46,6 +46,10 @@
 	if err != nil {
 		return nil, err
 	}
+	if len(serviceNames) == 0 {
+		// all services
+		return info.Services(), nil
+	}
 
 	var svcs []*snap.AppInfo
 	for _, svcName := range serviceNames {
@@ -69,7 +73,7 @@
 
 var servicestateControl = servicestate.Control
 
-func queueCommand(context *hookstate.Context, ts *state.TaskSet) error {
+func queueCommand(context *hookstate.Context, tts []*state.TaskSet) error {
 	hookTask, ok := context.Task()
 	if !ok {
 		return fmt.Errorf("attempted to queue command with ephemeral context")
@@ -90,10 +94,15 @@
 		hookTaskLanes = nil
 	}
 	for _, l := range hookTaskLanes {
-		ts.JoinLane(l)
+		for _, ts := range tts {
+			ts.JoinLane(l)
+		}
+	}
+
+	for _, ts := range tts {
+		ts.WaitAll(state.NewTaskSet(tasks...))
+		change.AddAll(ts)
 	}
-	ts.WaitAll(state.NewTaskSet(tasks...))
-	change.AddAll(ts)
 	// As this can be run from what was originally the last task of a change,
 	// make sure the tasks added to the change are considered immediately.
 	st.EnsureBefore(0)
@@ -107,24 +116,26 @@
 	}
 
 	st := context.State()
-	appInfos, err := getServiceInfos(st, context.SnapName(), serviceNames)
+	appInfos, err := getServiceInfos(st, context.InstanceName(), serviceNames)
 	if err != nil {
 		return err
 	}
 
 	// passing context so we can ignore self-conflicts with the current change
-	ts, err := servicestateControl(st, appInfos, inst, context)
+	tts, err := servicestateControl(st, appInfos, inst, context)
 	if err != nil {
 		return err
 	}
 
 	if !context.IsEphemeral() && context.HookName() == "configure" {
-		return queueCommand(context, ts)
+		return queueCommand(context, tts)
 	}
 
 	st.Lock()
-	chg := st.NewChange("service-control", fmt.Sprintf("Running service command for snap %q", context.SnapName()))
-	chg.AddAll(ts)
+	chg := st.NewChange("service-control", fmt.Sprintf("Running service command for snap %q", context.InstanceName()))
+	for _, ts := range tts {
+		chg.AddAll(ts)
+	}
 	st.EnsureBefore(0)
 	st.Unlock()
 
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/services.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/services.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/services.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/services.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,97 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package ctlcmd
+
+import (
+	"errors"
+	"fmt"
+	"sort"
+	"text/tabwriter"
+
+	"github.com/snapcore/snapd/cmd"
+	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/snap"
+)
+
+var (
+	shortServicesHelp = i18n.G("Query the status of services")
+	longServicesHelp  = i18n.G(`
+The services command lists information about the services specified.
+`)
+)
+
+func init() {
+	addCommand("services", shortServicesHelp, longServicesHelp, func() command { return &servicesCommand{} })
+}
+
+type servicesCommand struct {
+	baseCommand
+	Positional struct {
+		ServiceNames []string `positional-arg-name:"<service>"`
+	} `positional-args:"yes"`
+}
+
+var errNoContextForServices = errors.New(i18n.G("cannot query services without a context"))
+
+type byApp []*snap.AppInfo
+
+func (a byApp) Len() int      { return len(a) }
+func (a byApp) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a byApp) Less(i, j int) bool {
+	return a[i].Name < a[j].Name
+}
+
+func (c *servicesCommand) Execute([]string) error {
+	context := c.context()
+	if context == nil {
+		return errNoContextForServices
+	}
+
+	st := context.State()
+	svcInfos, err := getServiceInfos(st, context.InstanceName(), c.Positional.ServiceNames)
+	if err != nil {
+		return err
+	}
+	sort.Sort(byApp(svcInfos))
+
+	services, err := cmd.ClientAppInfosFromSnapAppInfos(svcInfos)
+	if err != nil || len(services) == 0 {
+		return err
+	}
+
+	w := tabwriter.NewWriter(c.stdout, 5, 3, 2, ' ', 0)
+	defer w.Flush()
+
+	fmt.Fprintln(w, i18n.G("Service\tStartup\tCurrent\tNotes"))
+
+	for _, svc := range services {
+		startup := i18n.G("disabled")
+		if svc.Enabled {
+			startup = i18n.G("enabled")
+		}
+		current := i18n.G("inactive")
+		if svc.Active {
+			current = i18n.G("active")
+		}
+		fmt.Fprintf(w, "%s.%s\t%s\t%s\t%s\n", svc.Snap, svc.Name, startup, current, cmd.ClientAppInfoNotes(&svc))
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/services_test.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/services_test.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/services_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/services_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,6 +27,8 @@
 
 	. "gopkg.in/check.v1"
 
+	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/asserts/sysdb"
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/overlord/auth"
@@ -40,6 +42,7 @@
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/store"
 	"github.com/snapcore/snapd/store/storetest"
+	"github.com/snapcore/snapd/systemd"
 	"github.com/snapcore/snapd/testutil"
 )
 
@@ -47,32 +50,39 @@
 	storetest.Store
 }
 
-func (f *fakeStore) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
-	return &snap.Info{
-		SideInfo: snap.SideInfo{
-			RealName: spec.Name,
-			Revision: snap.R(2),
-		},
-		Publisher:     "foo",
-		Architectures: []string{"all"},
-	}, nil
-}
+func (f *fakeStore) SnapAction(_ context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
+	if actions[0].Action == "install" {
+		installs := make([]*snap.Info, 0, len(actions))
+		for _, a := range actions {
+			snapName, instanceKey := snap.SplitInstanceName(a.InstanceName)
+			if instanceKey != "" {
+				panic(fmt.Sprintf("unexpected instance name %q in snap install action", a.InstanceName))
+			}
+
+			installs = append(installs, &snap.Info{
+				SideInfo: snap.SideInfo{
+					RealName: snapName,
+					Revision: snap.R(2),
+				},
+				Architectures: []string{"all"},
+			})
+		}
+
+		return installs, nil
+	}
 
-func (f *fakeStore) ListRefresh(_ context.Context, cand []*store.RefreshCandidate, user *auth.UserState, opt *store.RefreshOptions) ([]*snap.Info, error) {
 	return []*snap.Info{{
 		SideInfo: snap.SideInfo{
 			RealName: "test-snap",
 			Revision: snap.R(2),
 			SnapID:   "test-snap-id",
 		},
-		Publisher:     "foo",
 		Architectures: []string{"all"},
 	}, {SideInfo: snap.SideInfo{
 		RealName: "other-snap",
 		Revision: snap.R(2),
 		SnapID:   "other-snap-id",
 	},
-		Publisher:     "foo",
 		Architectures: []string{"all"},
 	}}, nil
 }
@@ -97,6 +107,10 @@
   command: bin/service
   daemon: simple
   reload-command: bin/reload
+ another-service:
+  command: bin/service
+  daemon: simple
+  reload-command: bin/reload
 `
 
 const otherSnapYaml = `name: other-snap
@@ -110,7 +124,7 @@
 `
 
 func mockServiceChangeFunc(testServiceControlInputs func(appInfos []*snap.AppInfo, inst *servicestate.Instruction)) func() {
-	return ctlcmd.MockServicestateControlFunc(func(st *state.State, appInfos []*snap.AppInfo, inst *servicestate.Instruction, context *hookstate.Context) (*state.TaskSet, error) {
+	return ctlcmd.MockServicestateControlFunc(func(st *state.State, appInfos []*snap.AppInfo, inst *servicestate.Instruction, context *hookstate.Context) ([]*state.TaskSet, error) {
 		testServiceControlInputs(appInfos, inst)
 		return nil, fmt.Errorf("forced error")
 	})
@@ -137,28 +151,28 @@
 	snapstate.ReplaceStore(s.st, &s.fakeStore)
 
 	// mock installed snaps
-	info1 := snaptest.MockSnap(c, string(testSnapYaml), &snap.SideInfo{
+	info1 := snaptest.MockSnapCurrent(c, string(testSnapYaml), &snap.SideInfo{
 		Revision: snap.R(1),
 	})
-	info2 := snaptest.MockSnap(c, string(otherSnapYaml), &snap.SideInfo{
+	info2 := snaptest.MockSnapCurrent(c, string(otherSnapYaml), &snap.SideInfo{
 		Revision: snap.R(1),
 	})
-	snapstate.Set(s.st, info1.Name(), &snapstate.SnapState{
+	snapstate.Set(s.st, info1.InstanceName(), &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
 			{
-				RealName: info1.Name(),
+				RealName: info1.SnapName(),
 				Revision: info1.Revision,
 				SnapID:   "test-snap-id",
 			},
 		},
 		Current: info1.Revision,
 	})
-	snapstate.Set(s.st, info2.Name(), &snapstate.SnapState{
+	snapstate.Set(s.st, info2.InstanceName(), &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
 			{
-				RealName: info2.Name(),
+				RealName: info2.SnapName(),
 				Revision: info2.Revision,
 				SnapID:   "other-snap-id",
 			},
@@ -172,10 +186,17 @@
 	var err error
 	s.mockContext, err = hookstate.NewContext(task, task.State(), setup, s.mockHandler, "")
 	c.Assert(err, IsNil)
+
+	s.st.Set("seeded", true)
+	s.st.Set("refresh-privacy-key", "privacy-key")
+	snapstate.Model = func(*state.State) (*asserts.Model, error) {
+		return sysdb.GenericClassicModel(), nil
+	}
 }
 
 func (s *servicectlSuite) TearDownTest(c *C) {
 	s.BaseTest.TearDownTest(c)
+	snapstate.Model = nil
 }
 
 func (s *servicectlSuite) TestStopCommand(c *C) {
@@ -194,7 +215,7 @@
 		)
 	})
 	defer restore()
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"stop", "test-snap.test-service"})
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"stop", "test-snap.test-service"}, 0)
 	c.Assert(err, NotNil)
 	c.Check(err, ErrorMatches, "forced error")
 	c.Assert(serviceChangeFuncCalled, Equals, true)
@@ -206,7 +227,7 @@
 		serviceChangeFuncCalled = true
 	})
 	defer restore()
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"stop", "test-snap.fooservice"})
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"stop", "test-snap.fooservice"}, 0)
 	c.Assert(err, NotNil)
 	c.Assert(err, ErrorMatches, `unknown service: "test-snap.fooservice"`)
 	c.Assert(serviceChangeFuncCalled, Equals, false)
@@ -219,7 +240,7 @@
 	})
 	defer restore()
 	// verify that snapctl is not allowed to control services of other snaps (only the one of its hook)
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"stop", "other-snap.test-service"})
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"stop", "other-snap.test-service"}, 0)
 	c.Check(err, NotNil)
 	c.Assert(err, ErrorMatches, `unknown service: "other-snap.test-service"`)
 	c.Assert(serviceChangeFuncCalled, Equals, false)
@@ -241,7 +262,7 @@
 		)
 	})
 	defer restore()
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"start", "test-snap.test-service"})
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"start", "test-snap.test-service"}, 0)
 	c.Check(err, NotNil)
 	c.Check(err, ErrorMatches, "forced error")
 	c.Assert(serviceChangeFuncCalled, Equals, true)
@@ -263,7 +284,7 @@
 		)
 	})
 	defer restore()
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"restart", "test-snap.test-service"})
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"restart", "test-snap.test-service"}, 0)
 	c.Check(err, NotNil)
 	c.Check(err, ErrorMatches, "forced error")
 	c.Assert(serviceChangeFuncCalled, Equals, true)
@@ -284,7 +305,7 @@
 	chg.AddTask(task)
 	s.st.Unlock()
 
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"start", "test-snap.test-service"})
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"start", "test-snap.test-service"}, 0)
 	c.Check(err, NotNil)
 	c.Check(err, ErrorMatches, `snap "test-snap" has "conflicting change" change in progress`)
 }
@@ -313,11 +334,11 @@
 		context, err := hookstate.NewContext(task, task.State(), setup, s.mockHandler, "")
 		c.Assert(err, IsNil)
 
-		_, _, err = ctlcmd.Run(context, []string{"stop", "test-snap.test-service"})
+		_, _, err = ctlcmd.Run(context, []string{"stop", "test-snap.test-service"}, 0)
 		c.Check(err, IsNil)
-		_, _, err = ctlcmd.Run(context, []string{"start", "test-snap.test-service"})
+		_, _, err = ctlcmd.Run(context, []string{"start", "test-snap.test-service"}, 0)
 		c.Check(err, IsNil)
-		_, _, err = ctlcmd.Run(context, []string{"restart", "test-snap.test-service"})
+		_, _, err = ctlcmd.Run(context, []string{"restart", "test-snap.test-service"}, 0)
 		c.Check(err, IsNil)
 	}
 
@@ -344,7 +365,7 @@
 	s.st.Lock()
 
 	chg := s.st.NewChange("update many change", "update change")
-	installed, tts, err := snapstate.UpdateMany(context.TODO(), s.st, []string{"test-snap", "other-snap"}, 0)
+	installed, tts, err := snapstate.UpdateMany(context.TODO(), s.st, []string{"test-snap", "other-snap"}, 0, nil)
 	c.Assert(err, IsNil)
 	sort.Strings(installed)
 	c.Check(installed, DeepEquals, []string{"other-snap", "test-snap"})
@@ -365,11 +386,11 @@
 		context, err := hookstate.NewContext(task, task.State(), setup, s.mockHandler, "")
 		c.Assert(err, IsNil)
 
-		_, _, err = ctlcmd.Run(context, []string{"stop", "test-snap.test-service"})
+		_, _, err = ctlcmd.Run(context, []string{"stop", "test-snap.test-service"}, 0)
 		c.Check(err, IsNil)
-		_, _, err = ctlcmd.Run(context, []string{"start", "test-snap.test-service"})
+		_, _, err = ctlcmd.Run(context, []string{"start", "test-snap.test-service"}, 0)
 		c.Check(err, IsNil)
-		_, _, err = ctlcmd.Run(context, []string{"restart", "test-snap.test-service"})
+		_, _, err = ctlcmd.Run(context, []string{"restart", "test-snap.test-service"}, 0)
 		c.Check(err, IsNil)
 	}
 
@@ -405,11 +426,11 @@
 	context, err := hookstate.NewContext(task, task.State(), setup, s.mockHandler, "")
 	c.Assert(err, IsNil)
 
-	_, _, err = ctlcmd.Run(context, []string{"stop", "test-snap.test-service"})
+	_, _, err = ctlcmd.Run(context, []string{"stop", "test-snap.test-service"}, 0)
 	c.Check(err, IsNil)
-	_, _, err = ctlcmd.Run(context, []string{"start", "test-snap.test-service"})
+	_, _, err = ctlcmd.Run(context, []string{"start", "test-snap.test-service"}, 0)
 	c.Check(err, IsNil)
-	_, _, err = ctlcmd.Run(context, []string{"restart", "test-snap.test-service"})
+	_, _, err = ctlcmd.Run(context, []string{"restart", "test-snap.test-service"}, 0)
 	c.Check(err, IsNil)
 
 	s.st.Lock()
@@ -422,3 +443,46 @@
 	c.Check(laneTasks[14].Summary(), Equals, "start of [test-snap.test-service]")
 	c.Check(laneTasks[15].Summary(), Equals, "restart of [test-snap.test-service]")
 }
+
+func (s *servicectlSuite) TestTwoServices(c *C) {
+	restore := systemd.MockSystemctl(func(args ...string) (buf []byte, err error) {
+		c.Assert(args[0], Equals, "show")
+		c.Check(args[2], Matches, `snap\.test-snap\.\w+-service\.service`)
+		return []byte(fmt.Sprintf(`Id=%s
+Type=simple
+ActiveState=active
+UnitFileState=enabled
+`, args[2])), nil
+	})
+	defer restore()
+
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"services"}, 0)
+	c.Assert(err, IsNil)
+	c.Check(string(stdout), Equals, `
+Service                    Startup  Current  Notes
+test-snap.another-service  enabled  active   -
+test-snap.test-service     enabled  active   -
+`[1:])
+	c.Check(string(stderr), Equals, "")
+}
+
+func (s *servicectlSuite) TestServices(c *C) {
+	restore := systemd.MockSystemctl(func(args ...string) (buf []byte, err error) {
+		c.Assert(args[0], Equals, "show")
+		c.Check(args[2], Equals, "snap.test-snap.test-service.service")
+		return []byte(`Id=snap.test-snap.test-service.service
+Type=simple
+ActiveState=active
+UnitFileState=enabled
+`), nil
+	})
+	defer restore()
+
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"services", "test-snap.test-service"}, 0)
+	c.Assert(err, IsNil)
+	c.Check(string(stdout), Equals, `
+Service                 Startup  Current  Notes
+test-snap.test-service  enabled  active   -
+`[1:])
+	c.Check(string(stderr), Equals, "")
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/set.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/set.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/set.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/set.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,12 +20,14 @@
 package ctlcmd
 
 import (
+	"encoding/json"
 	"fmt"
 	"strings"
 
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/jsonutil"
 	"github.com/snapcore/snapd/overlord/configstate"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/hookstate"
 )
 
@@ -107,12 +109,44 @@
 			value = parts[1]
 		}
 
-		tr.Set(s.context().SnapName(), key, value)
+		tr.Set(s.context().InstanceName(), key, value)
 	}
 
 	return nil
 }
 
+func setInterfaceAttribute(context *hookstate.Context, staticAttrs map[string]interface{}, dynamicAttrs map[string]interface{}, key string, value interface{}) error {
+	data, err := json.Marshal(value)
+	if err != nil {
+		return fmt.Errorf("cannot marshal snap %q option %q: %s", context.InstanceName(), key, err)
+	}
+	raw := json.RawMessage(data)
+
+	subkeys, err := config.ParseKey(key)
+	if err != nil {
+		return err
+	}
+
+	// We're called from setInterfaceSetting, subkeys is derived from key
+	// part of key=value argument and is guaranteed to be non-empty at this
+	// point.
+	if len(subkeys) == 0 {
+		return fmt.Errorf("internal error: unexpected empty subkeys for key %q", key)
+	}
+	var existing interface{}
+	err = config.GetFromChange(context.InstanceName(), subkeys[:1], 0, staticAttrs, &existing)
+	if err == nil {
+		return fmt.Errorf(i18n.G("attribute %q cannot be overwritten"), key)
+	}
+	// we expect NoOptionError here, any other error is unexpected (a real error)
+	if !config.IsNoOption(err) {
+		return err
+	}
+
+	_, err = config.PatchConfig(context.InstanceName(), subkeys, 0, dynamicAttrs, &raw)
+	return err
+}
+
 func (s *setCommand) setInterfaceSetting(context *hookstate.Context, plugOrSlot string) error {
 	// Make sure set :<plug|slot> is only supported during the execution of prepare-[plug|slot] hooks
 	hookType, _ := interfaceHookType(context.HookName())
@@ -132,18 +166,22 @@
 
 	var which string
 	if hookType == preparePlugHook {
-		which = "plug-attrs"
+		which = "plug"
 	} else {
-		which = "slot-attrs"
+		which = "slot"
 	}
 
-	st := context.State()
-	st.Lock()
-	defer st.Unlock()
+	context.Lock()
+	defer context.Unlock()
+
+	var staticAttrs, dynamicAttrs map[string]interface{}
+	if err = attrsTask.Get(which+"-static", &staticAttrs); err != nil {
+		return fmt.Errorf(i18n.G("internal error: cannot get %s from appropriate task, %s"), which, err)
+	}
 
-	attributes := make(map[string]interface{})
-	if err := attrsTask.Get(which, &attributes); err != nil {
-		return fmt.Errorf(i18n.G("internal error: cannot get %s from appropriate task"), which)
+	dynKey := which + "-dynamic"
+	if err = attrsTask.Get(dynKey, &dynamicAttrs); err != nil {
+		return fmt.Errorf(i18n.G("internal error: cannot get %s from appropriate task, %s"), which, err)
 	}
 
 	for _, attrValue := range s.Positional.ConfValues {
@@ -157,9 +195,12 @@
 			// Not valid JSON, save the string as-is
 			value = parts[1]
 		}
-		attributes[parts[0]] = value
+		err = setInterfaceAttribute(context, staticAttrs, dynamicAttrs, parts[0], value)
+		if err != nil {
+			return fmt.Errorf(i18n.G("cannot set attribute: %v"), err)
+		}
 	}
 
-	attrsTask.Set(which, attributes)
+	attrsTask.Set(dynKey, dynamicAttrs)
 	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/set_test.go snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/set_test.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/ctlcmd/set_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/ctlcmd/set_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,6 +21,7 @@
 
 import (
 	"encoding/json"
+	"strings"
 
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/overlord/configstate/config"
@@ -63,16 +64,16 @@
 }
 
 func (s *setSuite) TestInvalidArguments(c *C) {
-	_, _, err := ctlcmd.Run(s.mockContext, []string{"set"})
+	_, _, err := ctlcmd.Run(s.mockContext, []string{"set"}, 0)
 	c.Check(err, ErrorMatches, "set which option.*")
-	_, _, err = ctlcmd.Run(s.mockContext, []string{"set", "foo", "bar"})
+	_, _, err = ctlcmd.Run(s.mockContext, []string{"set", "foo", "bar"}, 0)
 	c.Check(err, ErrorMatches, ".*invalid parameter.*want key=value.*")
-	_, _, err = ctlcmd.Run(s.mockContext, []string{"set", ":foo", "bar=baz"})
+	_, _, err = ctlcmd.Run(s.mockContext, []string{"set", ":foo", "bar=baz"}, 0)
 	c.Check(err, ErrorMatches, ".*interface attributes can only be set during the execution of prepare hooks.*")
 }
 
 func (s *setSuite) TestCommand(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "foo=bar", "baz=qux"})
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "foo=bar", "baz=qux"}, 0)
 	c.Check(err, IsNil)
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
@@ -98,8 +99,44 @@
 	c.Check(value, Equals, "qux")
 }
 
+func (s *getSuite) TestSetRegularUserForbidden(c *C) {
+	state := state.New(nil)
+	state.Lock()
+
+	task := state.NewTask("test-task", "my test task")
+	setup := &hookstate.HookSetup{Snap: "test-snap", Revision: snap.R(1), Hook: "test-hook"}
+
+	state.Unlock()
+
+	mockHandler := hooktest.NewMockHandler()
+	mockContext, err := hookstate.NewContext(task, task.State(), setup, mockHandler, "")
+	c.Assert(err, IsNil)
+	_, _, err = ctlcmd.Run(mockContext, []string{"set", "test-key1"}, 1000)
+	c.Assert(err, NotNil)
+	c.Assert(err, ErrorMatches, `cannot use "set" with uid 1000, try with sudo`)
+	forbidden, _ := err.(*ctlcmd.ForbiddenCommandError)
+	c.Assert(forbidden, NotNil)
+}
+
+func (s *getSuite) TestSetHelpRegularUserAllowed(c *C) {
+	state := state.New(nil)
+	state.Lock()
+
+	task := state.NewTask("test-task", "my test task")
+	setup := &hookstate.HookSetup{Snap: "test-snap", Revision: snap.R(1), Hook: "test-hook"}
+
+	state.Unlock()
+
+	mockHandler := hooktest.NewMockHandler()
+	mockContext, err := hookstate.NewContext(task, task.State(), setup, mockHandler, "")
+	c.Assert(err, IsNil)
+	_, _, err = ctlcmd.Run(mockContext, []string{"set", "-h"}, 1000)
+	c.Assert(err, NotNil)
+	c.Assert(strings.HasPrefix(err.Error(), "Usage:"), Equals, true)
+}
+
 func (s *setSuite) TestSetConfigOptionWithColon(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "device-service.url=192.168.0.1:5555"})
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "device-service.url=192.168.0.1:5555"}, 0)
 	c.Check(err, IsNil)
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
@@ -117,7 +154,7 @@
 }
 
 func (s *setSuite) TestSetNumbers(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "foo=1234567890", "bar=123456.7890"})
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "foo=1234567890", "bar=123456.7890"}, 0)
 	c.Check(err, IsNil)
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
@@ -146,7 +183,7 @@
 	tr.Commit()
 	s.mockContext.State().Unlock()
 
-	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "test-key2=test-value3"})
+	stdout, stderr, err := ctlcmd.Run(s.mockContext, []string{"set", "test-key2=test-value3"}, 0)
 	c.Check(err, IsNil)
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
@@ -166,7 +203,7 @@
 }
 
 func (s *setSuite) TestCommandWithoutContext(c *C) {
-	_, _, err := ctlcmd.Run(nil, []string{"set", "foo=bar"})
+	_, _, err := ctlcmd.Run(nil, []string{"set", "foo=bar"}, 0)
 	c.Check(err, ErrorMatches, ".*cannot set without a context.*")
 }
 
@@ -179,9 +216,17 @@
 	attrsTask := state.NewTask("connect-task", "my connect task")
 	attrsTask.Set("plug", &interfaces.PlugRef{Snap: "a", Name: "aplug"})
 	attrsTask.Set("slot", &interfaces.SlotRef{Snap: "b", Name: "bslot"})
-	attrs := make(map[string]interface{})
-	attrsTask.Set("plug-attrs", attrs)
-	attrsTask.Set("slot-attrs", attrs)
+	staticAttrs := map[string]interface{}{
+		"lorem": "ipsum",
+		"nested": map[string]interface{}{
+			"x": "y",
+		},
+	}
+	dynamicAttrs := make(map[string]interface{})
+	attrsTask.Set("plug-static", staticAttrs)
+	attrsTask.Set("plug-dynamic", dynamicAttrs)
+	attrsTask.Set("slot-static", staticAttrs)
+	attrsTask.Set("slot-dynamic", dynamicAttrs)
 	ch.AddTask(attrsTask)
 	state.Unlock()
 
@@ -220,7 +265,7 @@
 }
 
 func (s *setAttrSuite) TestSetPlugAttributesInPlugHook(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"set", ":aplug", "foo=bar"})
+	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"set", ":aplug", "foo=bar"}, 0)
 	c.Check(err, IsNil)
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
@@ -230,31 +275,31 @@
 	st := s.mockPlugHookContext.State()
 	st.Lock()
 	defer st.Unlock()
-	attrs := make(map[string]interface{})
-	err = attrsTask.Get("plug-attrs", &attrs)
+	dynattrs := make(map[string]interface{})
+	err = attrsTask.Get("plug-dynamic", &dynattrs)
 	c.Assert(err, IsNil)
-	c.Check(attrs["foo"], Equals, "bar")
+	c.Check(dynattrs["foo"], Equals, "bar")
 }
 
-func (s *setAttrSuite) TestSetSlotAttributesInSlotHook(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockSlotHookContext, []string{"set", ":bslot", "foo=bar"})
+func (s *setAttrSuite) TestSetPlugAttributesSupportsDottedSyntax(c *C) {
+	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"set", ":aplug", "my.attr1=foo", "my.attr2=bar"}, 0)
 	c.Check(err, IsNil)
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
 
-	attrsTask, err := ctlcmd.AttributesTask(s.mockSlotHookContext)
+	attrsTask, err := ctlcmd.AttributesTask(s.mockPlugHookContext)
 	c.Assert(err, IsNil)
-	st := s.mockSlotHookContext.State()
+	st := s.mockPlugHookContext.State()
 	st.Lock()
 	defer st.Unlock()
-	attrs := make(map[string]interface{})
-	err = attrsTask.Get("slot-attrs", &attrs)
+	dynattrs := make(map[string]interface{})
+	err = attrsTask.Get("plug-dynamic", &dynattrs)
 	c.Assert(err, IsNil)
-	c.Check(attrs["foo"], Equals, "bar")
+	c.Check(dynattrs["my"], DeepEquals, map[string]interface{}{"attr1": "foo", "attr2": "bar"})
 }
 
 func (s *setAttrSuite) TestPlugOrSlotEmpty(c *C) {
-	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"set", ":", "foo=bar"})
+	stdout, stderr, err := ctlcmd.Run(s.mockPlugHookContext, []string{"set", ":", "foo=bar"}, 0)
 	c.Check(err.Error(), Equals, "plug or slot name not provided")
 	c.Check(string(stdout), Equals, "")
 	c.Check(string(stderr), Equals, "")
@@ -273,7 +318,7 @@
 	mockContext, err = hookstate.NewContext(task, task.State(), setup, s.mockHandler, "")
 	c.Assert(err, IsNil)
 
-	stdout, stderr, err := ctlcmd.Run(mockContext, []string{"set", ":aplug", "foo=bar"})
+	stdout, stderr, err := ctlcmd.Run(mockContext, []string{"set", ":aplug", "foo=bar"}, 0)
 	c.Check(err, NotNil)
 	c.Check(err.Error(), Equals, `interface attributes can only be set during the execution of prepare hooks`)
 	c.Check(string(stdout), Equals, "")
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/hookmgr.go snapd-2.37~rc1~14.04/overlord/hookstate/hookmgr.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/hookmgr.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/hookmgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,6 +35,7 @@
 	"github.com/snapcore/snapd/errtracker"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/configstate/settings"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
@@ -48,7 +49,6 @@
 // snap. Otherwise they're skipped with no error.
 type HookManager struct {
 	state      *state.State
-	runner     *state.TaskRunner
 	repository *repository
 
 	contextsMutex sync.RWMutex
@@ -57,6 +57,7 @@
 	hijackMap map[hijackKey]hijackFunc
 
 	runningHooks int32
+	runner       *state.TaskRunner
 }
 
 // Handler is the interface a client must satify to handle hooks.
@@ -87,11 +88,9 @@
 }
 
 // Manager returns a new HookManager.
-func Manager(s *state.State) (*HookManager, error) {
-	runner := state.NewTaskRunner(s)
-
+func Manager(s *state.State, runner *state.TaskRunner) (*HookManager, error) {
 	// Make sure we only run 1 hook task for given snap at a time
-	runner.SetBlocked(func(thisTask *state.Task, running []*state.Task) bool {
+	runner.AddBlocked(func(thisTask *state.Task, running []*state.Task) bool {
 		// check if we're a hook task, probably not needed but let's take extra care
 		if thisTask.Kind() != "run-hook" {
 			return false
@@ -116,13 +115,13 @@
 
 	manager := &HookManager{
 		state:      s,
-		runner:     runner,
 		repository: newRepository(),
 		contexts:   make(map[string]*Context),
 		hijackMap:  make(map[hijackKey]hijackFunc),
+		runner:     runner,
 	}
 
-	runner.AddHandler("run-hook", manager.doRunHook, nil)
+	runner.AddHandler("run-hook", manager.doRunHook, manager.undoRunHook)
 	// Compatibility with snapd between 2.29 and 2.30 in edge only.
 	// We generated a configure-snapd task on core refreshes and
 	// for compatibility we need to handle those.
@@ -132,6 +131,8 @@
 
 	setupHooks(manager)
 
+	snapstate.AddAffectedSnapsByAttr("hook-setup", manager.hookAffectedSnaps)
+
 	return manager, nil
 }
 
@@ -141,35 +142,42 @@
 	m.repository.addHandlerGenerator(pattern, generator)
 }
 
-func (m *HookManager) KnownTaskKinds() []string {
-	return m.runner.KnownTaskKinds()
-}
-
 // Ensure implements StateManager.Ensure.
 func (m *HookManager) Ensure() error {
-	m.runner.Ensure()
 	return nil
 }
 
-// Wait implements StateManager.Wait.
-func (m *HookManager) Wait() {
-	m.runner.Wait()
+// StopHooks kills all currently running hooks and returns after
+// that's done.
+func (m *HookManager) StopHooks() {
+	m.runner.StopKinds("run-hook")
 }
 
-// Stop implements StateManager.Stop.
-func (m *HookManager) Stop() {
-	m.runner.Stop()
+func (m *HookManager) hijacked(hookName, instanceName string) hijackFunc {
+	return m.hijackMap[hijackKey{hookName, instanceName}]
 }
 
-func (m *HookManager) hijacked(hookName, snapName string) hijackFunc {
-	return m.hijackMap[hijackKey{hookName, snapName}]
+func (m *HookManager) RegisterHijack(hookName, instanceName string, f hijackFunc) {
+	if _, ok := m.hijackMap[hijackKey{hookName, instanceName}]; ok {
+		panic(fmt.Sprintf("hook %s for snap %s already hijacked", hookName, instanceName))
+	}
+	m.hijackMap[hijackKey{hookName, instanceName}] = f
 }
 
-func (m *HookManager) RegisterHijack(hookName, snapName string, f hijackFunc) {
-	if _, ok := m.hijackMap[hijackKey{hookName, snapName}]; ok {
-		panic(fmt.Sprintf("hook %s for snap %s already hijacked", hookName, snapName))
+func (m *HookManager) hookAffectedSnaps(t *state.Task) ([]string, error) {
+	var hooksup HookSetup
+	if err := t.Get("hook-setup", &hooksup); err != nil {
+		return nil, fmt.Errorf("internal error: cannot obtain hook data from task: %s", t.Summary())
+
+	}
+
+	if m.hijacked(hooksup.Hook, hooksup.Snap) != nil {
+		// assume being these internal they should not
+		// generate conflicts
+		return nil, nil
 	}
-	m.hijackMap[hijackKey{hookName, snapName}] = f
+
+	return []string{hooksup.Snap}, nil
 }
 
 func (m *HookManager) ephemeralContext(cookieID string) (context *Context, err error) {
@@ -180,9 +188,9 @@
 	if err != nil {
 		return nil, fmt.Errorf("cannot get snap cookies: %v", err)
 	}
-	if snapName, ok := contexts[cookieID]; ok {
+	if instanceName, ok := contexts[cookieID]; ok {
 		// create new ephemeral cookie
-		context, err = NewContext(nil, m.state, &HookSetup{Snap: snapName}, nil, cookieID)
+		context, err = NewContext(nil, m.state, &HookSetup{Snap: instanceName}, nil, cookieID)
 		return context, err
 	}
 	return nil, fmt.Errorf("invalid snap cookie requested")
@@ -205,11 +213,11 @@
 	return context, nil
 }
 
-func hookSetup(task *state.Task) (*HookSetup, *snapstate.SnapState, error) {
+func hookSetup(task *state.Task, key string) (*HookSetup, *snapstate.SnapState, error) {
 	var hooksup HookSetup
-	err := task.Get("hook-setup", &hooksup)
+	err := task.Get(key, &hooksup)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot extract hook setup from task: %s", err)
+		return nil, nil, err
 	}
 
 	var snapst snapstate.SnapState
@@ -246,12 +254,35 @@
 // goroutine.
 func (m *HookManager) doRunHook(task *state.Task, tomb *tomb.Tomb) error {
 	task.State().Lock()
-	hooksup, snapst, err := hookSetup(task)
+	hooksup, snapst, err := hookSetup(task, "hook-setup")
 	task.State().Unlock()
 	if err != nil {
-		return err
+		return fmt.Errorf("cannot extract hook setup from task: %s", err)
+	}
+
+	return m.runHook(task, tomb, snapst, hooksup)
+}
+
+// undoRunHook runs the undo-hook that was requested.
+//
+// Note that this method is synchronous, as the task is already running in a
+// goroutine.
+func (m *HookManager) undoRunHook(task *state.Task, tomb *tomb.Tomb) error {
+	task.State().Lock()
+	hooksup, snapst, err := hookSetup(task, "undo-hook-setup")
+	task.State().Unlock()
+	if err != nil {
+		if err == state.ErrNoState {
+			// no undo hook setup
+			return nil
+		}
+		return fmt.Errorf("cannot extract undo hook setup from task: %s", err)
 	}
 
+	return m.runHook(task, tomb, snapst, hooksup)
+}
+
+func (m *HookManager) runHook(task *state.Task, tomb *tomb.Tomb, snapst *snapstate.SnapState, hooksup *HookSetup) error {
 	mustHijack := m.hijacked(hooksup.Hook, hooksup.Snap) != nil
 	hookExists := false
 	if !mustHijack {
@@ -273,7 +304,7 @@
 
 	if hookExists || mustHijack {
 		// we will run something, not a noop
-		if task.State().Restarting() {
+		if ok, _ := task.State().Restarting(); ok {
 			// don't start running a hook if we are restarting
 			return &state.Retry{}
 		}
@@ -361,7 +392,7 @@
 }
 
 func runHookImpl(c *Context, tomb *tomb.Tomb) ([]byte, error) {
-	return runHookAndWait(c.SnapName(), c.SnapRevision(), c.HookName(), c.ID(), c.Timeout(), tomb)
+	return runHookAndWait(c.InstanceName(), c.SnapRevision(), c.HookName(), c.ID(), c.Timeout(), tomb)
 }
 
 var runHook = runHookImpl
@@ -422,18 +453,24 @@
 var errtrackerReport = errtracker.Report
 
 func trackHookError(context *Context, output []byte, err error) {
-	errmsg := fmt.Sprintf("hook %s in snap %q failed: %v", context.HookName(), context.SnapName(), osutil.OutputErr(output, err))
-	dupSig := fmt.Sprintf("hook:%s:%s:%s\n%s", context.SnapName(), context.HookName(), err, output)
+	errmsg := fmt.Sprintf("hook %s in snap %q failed: %v", context.HookName(), context.InstanceName(), osutil.OutputErr(output, err))
+	dupSig := fmt.Sprintf("hook:%s:%s:%s\n%s", context.InstanceName(), context.HookName(), err, output)
 	extra := map[string]string{
 		"HookName": context.HookName(),
 	}
 	if context.setup.IgnoreError {
 		extra["IgnoreError"] = "1"
 	}
-	oopsid, err := errtrackerReport(context.SnapName(), errmsg, dupSig, extra)
-	if err == nil {
-		logger.Noticef("Reported hook failure from %q for snap %q as %s", context.HookName(), context.SnapName(), oopsid)
-	} else {
-		logger.Debugf("Cannot report hook failure: %s", err)
+
+	context.state.Lock()
+	problemReportsDisabled := settings.ProblemReportsDisabled(context.state)
+	context.state.Unlock()
+	if !problemReportsDisabled {
+		oopsid, err := errtrackerReport(context.InstanceName(), errmsg, dupSig, extra)
+		if err == nil {
+			logger.Noticef("Reported hook failure from %q for snap %q as %s", context.HookName(), context.InstanceName(), oopsid)
+		} else {
+			logger.Debugf("Cannot report hook failure: %s", err)
+		}
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/hookstate.go snapd-2.37~rc1~14.04/overlord/hookstate/hookstate.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/hookstate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/hookstate.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,11 +25,14 @@
 	"github.com/snapcore/snapd/overlord/state"
 )
 
-// HookTask returns a task that will run the specified hook. Note that the
-// initial context must properly marshal and unmarshal with encoding/json.
-func HookTask(st *state.State, summary string, setup *HookSetup, contextData map[string]interface{}) *state.Task {
+// HookTaskWithUndo returns a task that will run the specified hook. On error the undo hook will be executed.
+// Note that the initial context must properly marshal and unmarshal with encoding/json.
+func HookTaskWithUndo(st *state.State, summary string, setup *HookSetup, undo *HookSetup, contextData map[string]interface{}) *state.Task {
 	task := st.NewTask("run-hook", summary)
 	task.Set("hook-setup", setup)
+	if undo != nil {
+		task.Set("undo-hook-setup", undo)
+	}
 
 	// Initial data for Context.Get/Set.
 	if len(contextData) > 0 {
@@ -37,3 +40,9 @@
 	}
 	return task
 }
+
+// HookTask returns a task that will run the specified hook. Note that the
+// initial context must properly marshal and unmarshal with encoding/json.
+func HookTask(st *state.State, summary string, setup *HookSetup, contextData map[string]interface{}) *state.Task {
+	return HookTaskWithUndo(st, summary, setup, nil, contextData)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/hookstate/hookstate_test.go snapd-2.37~rc1~14.04/overlord/hookstate/hookstate_test.go
--- snapd-2.32.3.2~14.04/overlord/hookstate/hookstate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/hookstate/hookstate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,6 @@
 	"os"
 	"path/filepath"
 	"regexp"
-	"sort"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -34,6 +33,7 @@
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/overlord"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/hookstate/hooktest"
 	"github.com/snapcore/snapd/overlord/snapstate"
@@ -50,6 +50,7 @@
 
 	o           *overlord.Overlord
 	state       *state.State
+	se          *overlord.StateEngine
 	manager     *hookstate.HookManager
 	context     *hookstate.Context
 	mockHandler *hooktest.MockHandler
@@ -66,6 +67,8 @@
 hooks:
     configure:
     prepare-device:
+    do-something:
+    undo-something:
 `
 
 var snapYaml1 = `
@@ -85,13 +88,19 @@
 func (s *hookManagerSuite) SetUpTest(c *C) {
 	s.BaseTest.SetUpTest(c)
 
+	hooktype1 := snap.NewHookType(regexp.MustCompile("^do-something$"))
+	hooktype2 := snap.NewHookType(regexp.MustCompile("^undo-something$"))
+	s.AddCleanup(snap.MockAppendSupportedHookTypes([]*snap.HookType{hooktype1, hooktype2}))
+
 	dirs.SetRootDir(c.MkDir())
 	s.o = overlord.Mock()
 	s.state = s.o.State()
-	manager, err := hookstate.Manager(s.state)
+	manager, err := hookstate.Manager(s.state, s.o.TaskRunner())
 	c.Assert(err, IsNil)
 	s.manager = manager
+	s.se = s.o.StateEngine()
 	s.o.AddManager(s.manager)
+	s.o.AddManager(s.o.TaskRunner())
 
 	s.AddCleanup(snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {}))
 
@@ -138,7 +147,8 @@
 func (s *hookManagerSuite) TearDownTest(c *C) {
 	s.BaseTest.TearDownTest(c)
 
-	s.manager.Stop()
+	s.manager.StopHooks()
+	s.se.Stop()
 	dirs.SetRootDir("")
 }
 
@@ -148,14 +158,8 @@
 }
 
 func (s *hookManagerSuite) TestSmoke(c *C) {
-	s.manager.Ensure()
-	s.manager.Wait()
-}
-
-func (s *hookManagerSuite) TestKnownTaskKinds(c *C) {
-	kinds := s.manager.KnownTaskKinds()
-	sort.Strings(kinds)
-	c.Assert(kinds, DeepEquals, []string{"configure-snapd", "run-hook"})
+	s.se.Ensure()
+	s.se.Wait()
 }
 
 func (s *hookManagerSuite) TestHookSetupJsonMarshal(c *C) {
@@ -206,20 +210,20 @@
 			didRun <- s.manager.GracefullyWaitRunningHooks()
 		}()
 	}
-	s.manager.Ensure()
+	s.se.Ensure()
 	select {
 	case ok := <-didRun:
 		c.Check(ok, Equals, true)
 	case <-time.After(5 * time.Second):
 		c.Fatal("hook run should have been done by now")
 	}
-	s.manager.Wait()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
 
 	c.Assert(s.context, NotNil, Commentf("Expected handler generator to be called with a valid context"))
-	c.Check(s.context.SnapName(), Equals, "test-snap")
+	c.Check(s.context.InstanceName(), Equals, "test-snap")
 	c.Check(s.context.SnapRevision(), Equals, snap.R(1))
 	c.Check(s.context.HookName(), Equals, "configure")
 
@@ -242,8 +246,8 @@
 	// we do no start new hooks runs if we are restarting
 	s.state.RequestRestart(state.RestartDaemon)
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -267,8 +271,8 @@
 	snapstate.Set(s.state, "test-snap", nil)
 	s.state.Unlock()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -288,8 +292,8 @@
 		return nil
 	})
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -298,7 +302,7 @@
 	c.Check(s.command.Calls(), HasLen, 0)
 
 	c.Assert(s.context, NotNil)
-	c.Check(s.context.SnapName(), Equals, "test-snap")
+	c.Check(s.context.InstanceName(), Equals, "test-snap")
 	c.Check(s.context.SnapRevision(), Equals, snap.R(1))
 	c.Check(s.context.HookName(), Equals, "configure")
 
@@ -316,8 +320,8 @@
 		return fmt.Errorf("not-happy-at-all")
 	})
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -325,7 +329,7 @@
 	c.Check(s.command.Calls(), HasLen, 0)
 
 	c.Assert(s.context, NotNil)
-	c.Check(s.context.SnapName(), Equals, "test-snap")
+	c.Check(s.context.InstanceName(), Equals, "test-snap")
 	c.Check(s.context.SnapRevision(), Equals, snap.R(1))
 	c.Check(s.context.HookName(), Equals, "configure")
 
@@ -347,8 +351,8 @@
 }
 
 func (s *hookManagerSuite) TestHookTaskInitializesContext(c *C) {
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	var value string
 	c.Assert(s.context, NotNil, Commentf("Expected handler generator to be called with a valid context"))
@@ -364,8 +368,8 @@
 		c, "snap", ">&2 echo 'hook failed at user request'; exit 1")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -395,8 +399,8 @@
 		c, "snap", ">&2 echo 'hook failed at user request'; exit 1")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -424,17 +428,8 @@
 	cmd := testutil.MockCommand(c, "snap", "while true; do sleep 1; done")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	completed := make(chan struct{})
-	go func() {
-		s.manager.Wait()
-		close(completed)
-	}()
-
-	s.state.Lock()
-	s.state.Unlock()
-	s.manager.Ensure()
-	<-completed
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -458,8 +453,8 @@
 	cmd := testutil.MockCommand(c, "snap", "while true; do sleep 1; done")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -489,17 +484,8 @@
 	cmd := testutil.MockCommand(c, "snap", "while true; do sleep 1; done")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	completed := make(chan struct{})
-	go func() {
-		s.manager.Wait()
-		close(completed)
-	}()
-
-	s.state.Lock()
-	s.state.Unlock()
-	s.manager.Ensure()
-	<-completed
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -520,20 +506,15 @@
 	cmd := testutil.MockCommand(c, "snap", "while true; do sleep 1; done")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	completed := make(chan struct{})
-	go func() {
-		s.manager.Wait()
-		close(completed)
-	}()
+	s.se.Ensure()
 
-	// Abort the change, which should kill the hanging hook, and wait for the
-	// task to complete.
+	// Abort the change, which should kill the hanging hook, and
+	// wait for the task to complete.
 	s.state.Lock()
 	s.change.Abort()
 	s.state.Unlock()
-	s.manager.Ensure()
-	<-completed
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -558,8 +539,8 @@
 		c, "snap", ">&2 echo \"SNAP_COOKIE=$SNAP_COOKIE\"; exit 1")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -577,8 +558,8 @@
 func (s *hookManagerSuite) TestHookTaskHandlerBeforeError(c *C) {
 	s.mockHandler.BeforeError = true
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -596,8 +577,8 @@
 func (s *hookManagerSuite) TestHookTaskHandlerDoneError(c *C) {
 	s.mockHandler.DoneError = true
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -619,8 +600,8 @@
 	cmd := testutil.MockCommand(c, "snap", "exit 1")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -635,6 +616,67 @@
 	checkTaskLogContains(c, s.task, `.*Error failed at user request.*`)
 }
 
+func (s *hookManagerSuite) TestHookUndoRunsOnError(c *C) {
+	handler := hooktest.NewMockHandler()
+	undoHandler := hooktest.NewMockHandler()
+
+	s.manager.Register(regexp.MustCompile("^do-something$"), func(context *hookstate.Context) hookstate.Handler {
+		return handler
+	})
+	s.manager.Register(regexp.MustCompile("^undo-something$"), func(context *hookstate.Context) hookstate.Handler {
+		return undoHandler
+	})
+
+	hooksup := &hookstate.HookSetup{
+		Snap:     "test-snap",
+		Hook:     "do-something",
+		Revision: snap.R(1),
+	}
+	undohooksup := &hookstate.HookSetup{
+		Snap:     "test-snap",
+		Hook:     "undo-something",
+		Revision: snap.R(1),
+	}
+
+	// use unknown hook to fail the change
+	failinghooksup := &hookstate.HookSetup{
+		Snap:     "test-snap",
+		Hook:     "unknown-hook",
+		Revision: snap.R(1),
+	}
+
+	initialContext := map[string]interface{}{}
+
+	s.state.Lock()
+	task := hookstate.HookTaskWithUndo(s.state, "test summary", hooksup, undohooksup, initialContext)
+	c.Assert(task, NotNil)
+	failtask := hookstate.HookTask(s.state, "test summary", failinghooksup, initialContext)
+	failtask.WaitFor(task)
+
+	change := s.state.NewChange("kind", "summary")
+	change.AddTask(task)
+	change.AddTask(failtask)
+	s.state.Unlock()
+
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Check(handler.BeforeCalled, Equals, true)
+	c.Check(handler.DoneCalled, Equals, true)
+	c.Check(handler.ErrorCalled, Equals, false)
+
+	c.Check(undoHandler.BeforeCalled, Equals, true)
+	c.Check(undoHandler.DoneCalled, Equals, true)
+	c.Check(undoHandler.ErrorCalled, Equals, false)
+
+	c.Check(task.Status(), Equals, state.UndoneStatus)
+	c.Check(change.Status(), Equals, state.ErrorStatus)
+
+	c.Check(s.manager.NumRunningHooks(), Equals, 0)
+}
+
 func (s *hookManagerSuite) TestHookWithoutHandlerIsError(c *C) {
 	hooksup := &hookstate.HookSetup{
 		Snap:     "test-snap",
@@ -645,8 +687,8 @@
 	s.task.Set("hook-setup", hooksup)
 	s.state.Unlock()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -663,8 +705,8 @@
 		return hooktest.NewMockHandler()
 	})
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -685,8 +727,8 @@
 	s.task.Set("hook-setup", hooksup)
 	s.state.Unlock()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -711,8 +753,8 @@
 	s.task.Set("hook-setup", hooksup)
 	s.state.Unlock()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	c.Check(s.mockHandler.BeforeCalled, Equals, true)
 	c.Check(s.mockHandler.DoneCalled, Equals, true)
@@ -740,8 +782,8 @@
 	s.task.Set("hook-setup", hooksup)
 	s.state.Unlock()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	c.Check(s.command.Calls(), IsNil)
 
@@ -780,8 +822,8 @@
 	})
 	defer r()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -816,8 +858,8 @@
 		c, "snap", ">&2 echo 'hook failed at user request'; exit 1")
 	defer cmd.Restore()
 
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -825,6 +867,35 @@
 	c.Check(errtrackerCalled, Equals, true)
 }
 
+func (s *hookManagerSuite) TestHookTaskHandlerReportsErrorDisabled(c *C) {
+	s.state.Lock()
+	var hooksup hookstate.HookSetup
+	s.task.Get("hook-setup", &hooksup)
+	hooksup.TrackError = true
+	s.task.Set("hook-setup", &hooksup)
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "problem-reports.disabled", true)
+	tr.Commit()
+	s.state.Unlock()
+
+	hookstate.MockErrtrackerReport(func(snap, errmsg, dupSig string, extra map[string]string) (string, error) {
+		c.Fatalf("no error reports should be generated")
+		return "", nil
+	})
+
+	// Force the snap command to exit 1, and print something to stderr
+	cmd := testutil.MockCommand(
+		c, "snap", ">&2 echo 'hook failed at user request'; exit 1")
+	defer cmd.Restore()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+}
+
 func (s *hookManagerSuite) TestHookTasksForSameSnapAreSerialized(c *C) {
 	var Executing int32
 	var TotalExecutions int32
@@ -942,13 +1013,13 @@
 		testSnap2HookCalls++
 	})
 	s.manager.Register(regexp.MustCompile("prepare-device"), func(context *hookstate.Context) hookstate.Handler {
-		if context.SnapName() == "test-snap-1" {
+		if context.InstanceName() == "test-snap-1" {
 			return mockHandler1
 		}
-		if context.SnapName() == "test-snap-2" {
+		if context.InstanceName() == "test-snap-2" {
 			return mockHandler2
 		}
-		c.Fatalf("unknown snap: %s", context.SnapName())
+		c.Fatalf("unknown snap: %s", context.InstanceName())
 		return nil
 	})
 
@@ -988,8 +1059,8 @@
 	chg.AddTask(task)
 
 	st.Unlock()
-	s.manager.Ensure()
-	s.manager.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	st.Lock()
 
 	c.Check(chg.Status(), Equals, state.DoneStatus)
@@ -1022,7 +1093,7 @@
 		return nil
 	})
 
-	s.manager.Ensure()
+	s.se.Ensure()
 	select {
 	case noPending := <-didRun:
 		c.Check(noPending, Equals, false)
@@ -1030,3 +1101,23 @@
 		c.Fatal("timeout should have expired")
 	}
 }
+
+func (s *hookManagerSuite) TestSnapstateOpConflict(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+	_, err := snapstate.Disable(s.state, "test-snap")
+	c.Assert(err, ErrorMatches, `snap "test-snap" has "kind" change in progress`)
+}
+
+func (s *hookManagerSuite) TestHookHijackingNoConflict(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.manager.RegisterHijack("configure", "test-snap", func(ctx *hookstate.Context) error {
+		return nil
+	})
+
+	// no conflict on hijacked hooks
+	_, err := snapstate.Disable(s.state, "test-snap")
+	c.Assert(err, IsNil)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/export_test.go snapd-2.37~rc1~14.04/overlord/ifacestate/export_test.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -18,27 +18,55 @@
 package ifacestate
 
 import (
-	"errors"
 	"time"
 
-	"gopkg.in/tomb.v2"
-
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/overlord/ifacestate/udevmonitor"
 	"github.com/snapcore/snapd/overlord/state"
 )
 
 var (
-	AddImplicitSlots          = addImplicitSlots
-	SnapsWithSecurityProfiles = snapsWithSecurityProfiles
+	AddImplicitSlots             = addImplicitSlots
+	SnapsWithSecurityProfiles    = snapsWithSecurityProfiles
+	CheckAutoconnectConflicts    = checkAutoconnectConflicts
+	FindSymmetricAutoconnectTask = findSymmetricAutoconnectTask
+	ConnectPriv                  = connect
+	DisconnectPriv               = disconnectTasks
+	GetConns                     = getConns
+	SetConns                     = setConns
+	DefaultDeviceKey             = defaultDeviceKey
+	RemoveDevice                 = removeDevice
+	MakeSlotName                 = makeSlotName
+	EnsureUniqueName             = ensureUniqueName
+	SuggestedSlotName            = suggestedSlotName
+	InSameChangeWaitChain        = inSameChangeWaitChain
+	GetHotplugAttrs              = getHotplugAttrs
+	SetHotplugAttrs              = setHotplugAttrs
+	GetHotplugSlots              = getHotplugSlots
+	SetHotplugSlots              = setHotplugSlots
+	UpdateDevice                 = updateDevice
+	FindConnsForHotplugKey       = findConnsForHotplugKey
+	CheckSystemSnapIsPresent     = checkSystemSnapIsPresent
+	SystemSnapInfo               = systemSnapInfo
+	IsHotplugChange              = isHotplugChange
+	GetHotplugChangeAttrs        = getHotplugChangeAttrs
+	SetHotplugChangeAttrs        = setHotplugChangeAttrs
+	AllocHotplugSeq              = allocHotplugSeq
+	AddHotplugSeqWaitTask        = addHotplugSeqWaitTask
 )
 
-// AddForeignTaskHandlers registers handlers for tasks handled outside of the
-// InterfaceManager.
-func AddForeignTaskHandlers(m *InterfaceManager) {
-	// Add handler to test full aborting of changes
-	erroringHandler := func(task *state.Task, _ *tomb.Tomb) error {
-		return errors.New("error out")
-	}
-	m.runner.AddHandler("error-trigger", erroringHandler, nil)
+func NewConnectOptsWithAutoSet() connectOpts {
+	return connectOpts{AutoConnect: true, ByGadget: false}
+}
+
+func NewDisconnectOptsWithByHotplugSet() disconnectOpts {
+	return disconnectOpts{ByHotplug: true}
+}
+
+func MockRemoveStaleConnections(f func(st *state.State) error) (restore func()) {
+	old := removeStaleConnections
+	removeStaleConnections = f
+	return func() { removeStaleConnections = old }
 }
 
 func MockContentLinkRetryTimeout(d time.Duration) (restore func()) {
@@ -46,3 +74,71 @@
 	contentLinkRetryTimeout = d
 	return func() { contentLinkRetryTimeout = old }
 }
+
+func MockCreateUDevMonitor(new func(udevmonitor.DeviceAddedFunc, udevmonitor.DeviceRemovedFunc, udevmonitor.EnumerationDoneFunc) udevmonitor.Interface) (restore func()) {
+	old := createUDevMonitor
+	createUDevMonitor = new
+	return func() {
+		createUDevMonitor = old
+	}
+}
+
+func MockUDevInitRetryTimeout(t time.Duration) (restore func()) {
+	old := udevInitRetryTimeout
+	udevInitRetryTimeout = t
+	return func() {
+		udevInitRetryTimeout = old
+	}
+}
+
+// UpperCaseConnState returns a canned connection state map.
+// This allows us to keep connState private and still write some tests for it.
+func UpperCaseConnState() map[string]*connState {
+	return map[string]*connState{
+		"APP:network CORE:network": {Auto: true, Interface: "network"},
+	}
+}
+
+func UpdateConnectionInConnState(conns map[string]*connState, conn *interfaces.Connection, autoConnect, byGadget bool) {
+	connRef := &interfaces.ConnRef{
+		PlugRef: *conn.Plug.Ref(),
+		SlotRef: *conn.Slot.Ref(),
+	}
+
+	conns[connRef.ID()] = &connState{
+		Interface:        conn.Interface(),
+		StaticPlugAttrs:  conn.Plug.StaticAttrs(),
+		DynamicPlugAttrs: conn.Plug.DynamicAttrs(),
+		StaticSlotAttrs:  conn.Slot.StaticAttrs(),
+		DynamicSlotAttrs: conn.Slot.DynamicAttrs(),
+		Auto:             autoConnect,
+		ByGadget:         byGadget,
+	}
+}
+
+func GetConnStateAttrs(conns map[string]*connState, connID string) (plugStatic, plugDynamic, slotStatic, SlotDynamic map[string]interface{}, ok bool) {
+	conn, ok := conns[connID]
+	if !ok {
+		return nil, nil, nil, nil, false
+	}
+	return conn.StaticPlugAttrs, conn.DynamicPlugAttrs, conn.StaticSlotAttrs, conn.DynamicSlotAttrs, true
+}
+
+// SystemSnapName returns actual name of the system snap - reimplemented by concrete mapper.
+func (m *IdentityMapper) SystemSnapName() string {
+	return "unknown"
+}
+
+// MockProfilesNeedRegeneration mocks the function checking if profiles need regeneration.
+func MockProfilesNeedRegeneration(fn func() bool) func() {
+	old := profilesNeedRegeneration
+	profilesNeedRegeneration = fn
+	return func() { profilesNeedRegeneration = old }
+}
+
+// MockWriteSystemKey mocks the function responsible for writing the system key.
+func MockWriteSystemKey(fn func() error) func() {
+	old := writeSystemKey
+	writeSystemKey = fn
+	return func() { writeSystemKey = old }
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/handlers.go snapd-2.37~rc1~14.04/overlord/ifacestate/handlers.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/handlers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/handlers.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,13 +27,10 @@
 
 	"gopkg.in/tomb.v2"
 
-	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/interfaces"
-	"github.com/snapcore/snapd/interfaces/policy"
-	"github.com/snapcore/snapd/overlord/assertstate"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
-	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 )
 
@@ -50,21 +47,23 @@
 	st := task.State()
 
 	// Setup security of the affected snaps.
-	for _, affectedSnapName := range affectedSnaps {
+	for _, affectedInstanceName := range affectedSnaps {
 		// the snap that triggered the change needs to be skipped
-		if affectedSnapName == affectingSnap {
+		if affectedInstanceName == affectingSnap {
 			continue
 		}
 		var snapst snapstate.SnapState
-		if err := snapstate.Get(st, affectedSnapName, &snapst); err != nil {
-			task.Errorf("skipping security profiles setup for snap %q when handling snap %q: %v", affectedSnapName, affectingSnap, err)
+		if err := snapstate.Get(st, affectedInstanceName, &snapst); err != nil {
+			task.Errorf("skipping security profiles setup for snap %q when handling snap %q: %v", affectedInstanceName, affectingSnap, err)
 			continue
 		}
 		affectedSnapInfo, err := snapst.CurrentInfo()
 		if err != nil {
 			return err
 		}
-		addImplicitSlots(affectedSnapInfo)
+		if err := addImplicitSlots(st, affectedSnapInfo); err != nil {
+			return err
+		}
 		opts := confinementOptions(snapst.Flags)
 		if err := m.setupSnapSecurity(task, affectedSnapInfo, opts); err != nil {
 			return err
@@ -83,63 +82,22 @@
 		return err
 	}
 
-	snapInfo, err := snap.ReadInfo(snapsup.Name(), snapsup.SideInfo)
+	snapInfo, err := snap.ReadInfo(snapsup.InstanceName(), snapsup.SideInfo)
 	if err != nil {
 		return err
 	}
 
-	// TODO: this whole bit seems maybe that it should belong (largely) to a snapstate helper
+	// We no longer do/need core-phase-2, see
+	//   https://github.com/snapcore/snapd/pull/5301
+	// This code is just here to deal with old state that may still
+	// have the 2nd setup-profiles with this flag set.
 	var corePhase2 bool
 	if err := task.Get("core-phase-2", &corePhase2); err != nil && err != state.ErrNoState {
 		return err
 	}
 	if corePhase2 {
-		if snapInfo.Type != snap.TypeOS {
-			// not core, nothing to do
-			return nil
-		}
-		if task.State().Restarting() {
-			// don't continue until we are in the restarted snapd
-			task.Logf("Waiting for restart...")
-			return &state.Retry{}
-		}
-		// if not on classic check there was no rollback
-		if !release.OnClassic {
-			// TODO: double check that we really rebooted
-			// otherwise this could be just a spurious restart
-			// of snapd
-			name, rev, err := snapstate.CurrentBootNameAndRevision(snap.TypeOS)
-			if err == snapstate.ErrBootNameAndRevisionAgain {
-				return &state.Retry{After: 5 * time.Second}
-			}
-			if err != nil {
-				return err
-			}
-			if snapsup.Name() != name || snapInfo.Revision != rev {
-				return fmt.Errorf("cannot finish core installation, there was a rollback across reboot")
-			}
-		}
-
-		// Compatibility with old snapd: check if we have auto-connect task and if not, inject it after self (setup-profiles).
-		// Inject it for core after the 2nd setup-profiles - same placement as done in doInstall.
-		// In the older snapd versions interfaces were auto-connected as part of setupProfilesForSnap.
-		var hasAutoConnect bool
-		for _, t := range task.Change().Tasks() {
-			if t.Kind() == "auto-connect" {
-				otherSnapsup, err := snapstate.TaskSnapSetup(t)
-				if err != nil {
-					return err
-				}
-				// Check if this is auto-connect task for same snap
-				if snapsup.Name() == otherSnapsup.Name() {
-					hasAutoConnect = true
-					break
-				}
-			}
-		}
-		if !hasAutoConnect {
-			snapstate.InjectAutoConnect(task, snapsup)
-		}
+		// nothing to do
+		return nil
 	}
 
 	opts := confinementOptions(snapsup.Flags)
@@ -147,8 +105,13 @@
 }
 
 func (m *InterfaceManager) setupProfilesForSnap(task *state.Task, _ *tomb.Tomb, snapInfo *snap.Info, opts interfaces.ConfinementOptions) error {
-	addImplicitSlots(snapInfo)
-	snapName := snapInfo.Name()
+	st := task.State()
+
+	if err := addImplicitSlots(task.State(), snapInfo); err != nil {
+		return err
+	}
+
+	snapName := snapInfo.InstanceName()
 
 	// The snap may have been updated so perform the following operation to
 	// ensure that we are always working on the correct state:
@@ -176,13 +139,17 @@
 		task.Logf("%s", snap.BadInterfacesSummary(snapInfo))
 	}
 
+	// Reload the connections and compute the set of affected snaps. The set
+	// affectedSet set contains name of all the affected snap instances.  The
+	// arrays affectedNames and affectedSnaps contain, arrays of snap names and
+	// snapInfo's, respectively. The arrays are sorted by name with the special
+	// exception that the snap being setup is always first. The affectedSnaps
+	// array may be shorter than the set of affected snaps in case any of the
+	// snaps cannot be found in the state.
 	reconnectedSnaps, err := m.reloadConnections(snapName)
 	if err != nil {
 		return err
 	}
-	if err := m.setupSnapSecurity(task, snapInfo, opts); err != nil {
-		return err
-	}
 	affectedSet := make(map[string]bool)
 	for _, name := range disconnectedSnaps {
 		affectedSet[name] = true
@@ -190,14 +157,43 @@
 	for _, name := range reconnectedSnaps {
 		affectedSet[name] = true
 	}
-	// The principal snap was already handled above.
-	delete(affectedSet, snapInfo.Name())
-	affectedSnaps := make([]string, 0, len(affectedSet))
+
+	// Sort the set of affected names, ensuring that the snap being setup
+	// is first regardless of the name it has.
+	affectedNames := make([]string, 0, len(affectedSet))
 	for name := range affectedSet {
-		affectedSnaps = append(affectedSnaps, name)
+		if name != snapName {
+			affectedNames = append(affectedNames, name)
+		}
+	}
+	sort.Strings(affectedNames)
+	affectedNames = append([]string{snapName}, affectedNames...)
+
+	// Obtain snap.Info for each affected snap, skipping those that cannot be
+	// found and compute the confinement options that apply to it.
+	affectedSnaps := make([]*snap.Info, 0, len(affectedSet))
+	confinementOpts := make([]interfaces.ConfinementOptions, 0, len(affectedSet))
+	// For the snap being setup we know exactly what was requested.
+	affectedSnaps = append(affectedSnaps, snapInfo)
+	confinementOpts = append(confinementOpts, opts)
+	// For remaining snaps we need to interrogate the state.
+	for _, name := range affectedNames[1:] {
+		var snapst snapstate.SnapState
+		if err := snapstate.Get(st, name, &snapst); err != nil {
+			task.Errorf("cannot obtain state of snap %s: %s", name, err)
+			continue
+		}
+		snapInfo, err := snapst.CurrentInfo()
+		if err != nil {
+			return err
+		}
+		if err := addImplicitSlots(st, snapInfo); err != nil {
+			return err
+		}
+		affectedSnaps = append(affectedSnaps, snapInfo)
+		confinementOpts = append(confinementOpts, confinementOptions(snapst.Flags))
 	}
-	sort.Strings(affectedSnaps)
-	return m.setupAffectedSnaps(task, snapName, affectedSnaps)
+	return m.setupSecurityByBackend(task, affectedSnaps, confinementOpts)
 }
 
 func (m *InterfaceManager) doRemoveProfiles(task *state.Task, tomb *tomb.Tomb) error {
@@ -210,7 +206,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapSetup.Name()
+	snapName := snapSetup.InstanceName()
 
 	return m.removeProfilesForSnap(task, tomb, snapName)
 }
@@ -260,7 +256,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 
 	// Get the name from SnapSetup and use it to find the current SideInfo
 	// about the snap, if there is one.
@@ -294,28 +290,28 @@
 		return err
 	}
 
-	snapName := snapSetup.Name()
+	instanceName := snapSetup.InstanceName()
 
 	var snapst snapstate.SnapState
-	err = snapstate.Get(st, snapName, &snapst)
+	err = snapstate.Get(st, instanceName, &snapst)
 	if err != nil && err != state.ErrNoState {
 		return err
 	}
 
 	if err == nil && len(snapst.Sequence) != 0 {
-		return fmt.Errorf("cannot discard connections for snap %q while it is present", snapName)
+		return fmt.Errorf("cannot discard connections for snap %q while it is present", instanceName)
 	}
 	conns, err := getConns(st)
 	if err != nil {
 		return err
 	}
-	removed := make(map[string]connState)
+	removed := make(map[string]*connState)
 	for id := range conns {
 		connRef, err := interfaces.ParseConnRef(id)
 		if err != nil {
 			return err
 		}
-		if connRef.PlugRef.Snap == snapName || connRef.SlotRef.Snap == snapName {
+		if connRef.PlugRef.Snap == instanceName || connRef.SlotRef.Snap == instanceName {
 			removed[id] = conns[id]
 			delete(conns, id)
 		}
@@ -330,7 +326,7 @@
 	st.Lock()
 	defer st.Unlock()
 
-	var removed map[string]connState
+	var removed map[string]*connState
 	err := task.Get("removed", &removed)
 	if err != nil && err != state.ErrNoState {
 		return err
@@ -349,6 +345,28 @@
 	return nil
 }
 
+func getDynamicHookAttributes(task *state.Task) (plugAttrs, slotAttrs map[string]interface{}, err error) {
+	if err = task.Get("plug-dynamic", &plugAttrs); err != nil && err != state.ErrNoState {
+		return nil, nil, err
+	}
+	if err = task.Get("slot-dynamic", &slotAttrs); err != nil && err != state.ErrNoState {
+		return nil, nil, err
+	}
+	if plugAttrs == nil {
+		plugAttrs = make(map[string]interface{})
+	}
+	if slotAttrs == nil {
+		slotAttrs = make(map[string]interface{})
+	}
+
+	return plugAttrs, slotAttrs, nil
+}
+
+func setDynamicHookAttributes(task *state.Task, plugAttrs, slotAttrs map[string]interface{}) {
+	task.Set("plug-dynamic", plugAttrs)
+	task.Set("slot-dynamic", slotAttrs)
+}
+
 func (m *InterfaceManager) doConnect(task *state.Task, _ *tomb.Tomb) error {
 	st := task.State()
 	st.Lock()
@@ -363,20 +381,23 @@
 	if err := task.Get("auto", &autoConnect); err != nil && err != state.ErrNoState {
 		return err
 	}
+	var byGadget bool
+	if err := task.Get("by-gadget", &byGadget); err != nil && err != state.ErrNoState {
+		return err
+	}
 
 	conns, err := getConns(st)
 	if err != nil {
 		return err
 	}
 
-	connRef := interfaces.ConnRef{PlugRef: plugRef, SlotRef: slotRef}
+	connRef := &interfaces.ConnRef{PlugRef: plugRef, SlotRef: slotRef}
 
 	var plugSnapst snapstate.SnapState
 	if err := snapstate.Get(st, plugRef.Snap, &plugSnapst); err != nil {
 		if autoConnect && err == state.ErrNoState {
-			// ignore the error if auto-connecting
-			task.Logf("snap %q is no longer available for auto-connecting", plugRef.Snap)
-			return nil
+			// conflict logic should prevent this
+			return fmt.Errorf("internal error: snap %q is no longer available for auto-connecting", plugRef.Snap)
 		}
 		return err
 	}
@@ -384,81 +405,52 @@
 	var slotSnapst snapstate.SnapState
 	if err := snapstate.Get(st, slotRef.Snap, &slotSnapst); err != nil {
 		if autoConnect && err == state.ErrNoState {
-			// ignore the error if auto-connecting
-			task.Logf("snap %q is no longer available for auto-connecting", slotRef.Snap)
-			return nil
+			// conflict logic should prevent this
+			return fmt.Errorf("internal error: snap %q is no longer available for auto-connecting", slotRef.Snap)
 		}
 		return err
 	}
 
 	plug := m.repo.Plug(connRef.PlugRef.Snap, connRef.PlugRef.Name)
 	if plug == nil {
-		if autoConnect {
-			// ignore the error if auto-connecting
-			task.Logf("snap %q no longer has %q plug", connRef.PlugRef.Snap, connRef.PlugRef.Name)
-			return nil
-		}
+		// conflict logic should prevent this
 		return fmt.Errorf("snap %q has no %q plug", connRef.PlugRef.Snap, connRef.PlugRef.Name)
 	}
 
-	var plugDecl *asserts.SnapDeclaration
-	if plug.Snap.SnapID != "" {
-		var err error
-		plugDecl, err = assertstate.SnapDeclaration(st, plug.Snap.SnapID)
-		if err != nil {
-			return fmt.Errorf("cannot find snap declaration for %q: %v", plug.Snap.Name(), err)
-		}
-	}
-
 	slot := m.repo.Slot(connRef.SlotRef.Snap, connRef.SlotRef.Name)
 	if slot == nil {
-		if autoConnect {
-			// ignore the error if auto-connecting
-			task.Logf("snap %q no longer has %q slot", connRef.SlotRef.Snap, connRef.SlotRef.Name)
-			return nil
-		}
+		// conflict logic should prevent this
 		return fmt.Errorf("snap %q has no %q slot", connRef.SlotRef.Snap, connRef.SlotRef.Name)
 	}
 
-	// FIXME: check auto connect policy when interface hooks land.
-	if !autoConnect {
-		var slotDecl *asserts.SnapDeclaration
-		if slot.Snap.SnapID != "" {
-			var err error
-			slotDecl, err = assertstate.SnapDeclaration(st, slot.Snap.SnapID)
-			if err != nil {
-				return fmt.Errorf("cannot find snap declaration for %q: %v", slot.Snap.Name(), err)
-			}
-		}
+	// attributes are always present, even if there are no hooks (they're initialized by Connect).
+	plugDynamicAttrs, slotDynamicAttrs, err := getDynamicHookAttributes(task)
+	if err != nil {
+		return fmt.Errorf("failed to get hook attributes: %s", err)
+	}
 
-		baseDecl, err := assertstate.BaseDeclaration(st)
-		if err != nil {
-			return fmt.Errorf("internal error: cannot find base declaration: %v", err)
-		}
+	var policyChecker interfaces.PolicyFunc
 
-		// check the connection against the declarations' rules
-		ic := policy.ConnectCandidate{
-			Plug:                plug,
-			PlugSnapDeclaration: plugDecl,
-			Slot:                slot,
-			SlotSnapDeclaration: slotDecl,
-			BaseDeclaration:     baseDecl,
+	// manual connections and connections by the gadget obey the
+	// policy "connection" rules, other auto-connections obey the
+	// "auto-connection" rules
+	if autoConnect && !byGadget {
+		autochecker, err := newAutoConnectChecker(st)
+		if err != nil {
+			return err
 		}
-
-		// if either of plug or slot snaps don't have a declaration it
-		// means they were installed with "dangerous", so the security
-		// check should be skipped at this point.
-		if plugDecl != nil && slotDecl != nil {
-			err = ic.Check()
-			if err != nil {
-				return err
-			}
+		policyChecker = autochecker.check
+	} else {
+		policyCheck, err := newConnectChecker(st)
+		if err != nil {
+			return err
 		}
+		policyChecker = policyCheck.check
 	}
 
-	// TODO: pass dynamic attributes from hooks
-	err = m.repo.Connect(connRef)
-	if err != nil {
+	// static attributes of the plug and slot not provided, the ones from snap infos will be used
+	conn, err := m.repo.Connect(connRef, nil, plugDynamicAttrs, nil, slotDynamicAttrs, policyChecker)
+	if err != nil || conn == nil {
 		return err
 	}
 
@@ -471,9 +463,21 @@
 		return err
 	}
 
-	conns[connRef.ID()] = connState{Interface: plug.Interface, Auto: autoConnect}
+	conns[connRef.ID()] = &connState{
+		Interface:        conn.Interface(),
+		StaticPlugAttrs:  conn.Plug.StaticAttrs(),
+		DynamicPlugAttrs: conn.Plug.DynamicAttrs(),
+		StaticSlotAttrs:  conn.Slot.StaticAttrs(),
+		DynamicSlotAttrs: conn.Slot.DynamicAttrs(),
+		Auto:             autoConnect,
+		ByGadget:         byGadget,
+		HotplugKey:       slot.HotplugKey,
+	}
 	setConns(st, conns)
 
+	// the dynamic attributes might have been updated by the interface's BeforeConnectPlug/Slot code,
+	// so we need to update the task for connect-plug- and connect-slot- hooks to see new values.
+	setDynamicHookAttributes(task, conn.Plug.DynamicAttrs(), conn.Slot.DynamicAttrs())
 	return nil
 }
 
@@ -493,14 +497,14 @@
 	}
 
 	var snapStates []snapstate.SnapState
-	for _, snapName := range []string{plugRef.Snap, slotRef.Snap} {
+	for _, instanceName := range []string{plugRef.Snap, slotRef.Snap} {
 		var snapst snapstate.SnapState
-		if err := snapstate.Get(st, snapName, &snapst); err != nil {
+		if err := snapstate.Get(st, instanceName, &snapst); err != nil {
 			if err == state.ErrNoState {
-				task.Logf("skipping disconnect operation for connection %s %s, snap %q doesn't exist", plugRef, slotRef, snapName)
+				task.Logf("skipping disconnect operation for connection %s %s, snap %q doesn't exist", plugRef, slotRef, instanceName)
 				return nil
 			}
-			task.Errorf("skipping security profiles setup for snap %q when disconnecting %s from %s: %v", snapName, plugRef, slotRef, err)
+			task.Errorf("skipping security profiles setup for snap %q when disconnecting %s from %s: %v", instanceName, plugRef, slotRef, err)
 		} else {
 			snapStates = append(snapStates, snapst)
 		}
@@ -521,9 +525,127 @@
 		}
 	}
 
-	conn := interfaces.ConnRef{PlugRef: plugRef, SlotRef: slotRef}
-	delete(conns, conn.ID())
+	cref := interfaces.ConnRef{PlugRef: plugRef, SlotRef: slotRef}
+	conn, ok := conns[cref.ID()]
+	if !ok {
+		return fmt.Errorf("internal error: connection %q not found in state", cref.ID())
+	}
+
+	// store old connection for undo
+	task.Set("old-conn", conn)
+
+	// "auto-disconnect" flag indicates it's a disconnect triggered automatically as part of snap removal;
+	// such disconnects should not set undesired flag and instead just remove the connection.
+	var autoDisconnect bool
+	if err := task.Get("auto-disconnect", &autoDisconnect); err != nil && err != state.ErrNoState {
+		return fmt.Errorf("internal error: failed to read 'auto-disconnect' flag: %s", err)
+	}
+
+	// "by-hotplug" flag indicates it's a disconnect triggered by hotplug remove event;
+	// we want to keep information of the connection and just mark it as hotplug-gone.
+	var byHotplug bool
+	if err := task.Get("by-hotplug", &byHotplug); err != nil && err != state.ErrNoState {
+		return fmt.Errorf("internal error: cannot read 'by-hotplug' flag: %s", err)
+	}
+
+	switch {
+	case byHotplug:
+		conn.HotplugGone = true
+		conns[cref.ID()] = conn
+	case conn.Auto && !autoDisconnect:
+		conn.Undesired = true
+		conn.DynamicPlugAttrs = nil
+		conn.DynamicSlotAttrs = nil
+		conn.StaticPlugAttrs = nil
+		conn.StaticSlotAttrs = nil
+		conns[cref.ID()] = conn
+	default:
+		delete(conns, cref.ID())
+	}
+	setConns(st, conns)
+
+	return nil
+}
 
+func (m *InterfaceManager) undoDisconnect(task *state.Task, _ *tomb.Tomb) error {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	var oldconn connState
+	err := task.Get("old-conn", &oldconn)
+	if err == state.ErrNoState {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	plugRef, slotRef, err := getPlugAndSlotRefs(task)
+	if err != nil {
+		return err
+	}
+
+	conns, err := getConns(st)
+	if err != nil {
+		return err
+	}
+
+	var plugSnapst snapstate.SnapState
+	if err := snapstate.Get(st, plugRef.Snap, &plugSnapst); err != nil {
+		return err
+	}
+	var slotSnapst snapstate.SnapState
+	if err := snapstate.Get(st, slotRef.Snap, &slotSnapst); err != nil {
+		return err
+	}
+
+	connRef := &interfaces.ConnRef{PlugRef: plugRef, SlotRef: slotRef}
+
+	plug := m.repo.Plug(connRef.PlugRef.Snap, connRef.PlugRef.Name)
+	if plug == nil {
+		return fmt.Errorf("snap %q has no %q plug", connRef.PlugRef.Snap, connRef.PlugRef.Name)
+	}
+	slot := m.repo.Slot(connRef.SlotRef.Snap, connRef.SlotRef.Name)
+	if slot == nil {
+		return fmt.Errorf("snap %q has no %q slot", connRef.SlotRef.Snap, connRef.SlotRef.Name)
+	}
+
+	_, err = m.repo.Connect(connRef, nil, oldconn.DynamicPlugAttrs, nil, oldconn.DynamicSlotAttrs, nil)
+	if err != nil {
+		return err
+	}
+
+	slotOpts := confinementOptions(slotSnapst.Flags)
+	if err := m.setupSnapSecurity(task, slot.Snap, slotOpts); err != nil {
+		return err
+	}
+	plugOpts := confinementOptions(plugSnapst.Flags)
+	if err := m.setupSnapSecurity(task, plug.Snap, plugOpts); err != nil {
+		return err
+	}
+
+	conns[connRef.ID()] = &oldconn
+	setConns(st, conns)
+
+	return nil
+}
+
+func (m *InterfaceManager) undoConnect(task *state.Task, _ *tomb.Tomb) error {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	plugRef, slotRef, err := getPlugAndSlotRefs(task)
+	if err != nil {
+		return err
+	}
+	connRef := interfaces.ConnRef{PlugRef: plugRef, SlotRef: slotRef}
+	conns, err := getConns(st)
+	if err != nil {
+		return err
+	}
+	delete(conns, connRef.ID())
 	setConns(st, conns)
 	return nil
 }
@@ -532,9 +654,9 @@
 var contentLinkRetryTimeout = 30 * time.Second
 
 // defaultContentProviders returns a dict of the default-providers for the
-// content plugs for the given snapName
-func (m *InterfaceManager) defaultContentProviders(snapName string) map[string]bool {
-	plugs := m.repo.Plugs(snapName)
+// content plugs for the given instanceName
+func (m *InterfaceManager) defaultContentProviders(instanceName string) map[string]bool {
+	plugs := m.repo.Plugs(instanceName)
 	defaultProviders := make(map[string]bool, len(plugs))
 	for _, plug := range plugs {
 		if plug.Interface == "content" {
@@ -550,30 +672,223 @@
 	return defaultProviders
 }
 
+func obsoleteCorePhase2SetupProfiles(kind string, task *state.Task) (bool, error) {
+	if kind != "setup-profiles" {
+		return false, nil
+	}
+
+	var corePhase2 bool
+	if err := task.Get("core-phase-2", &corePhase2); err != nil && err != state.ErrNoState {
+		return false, err
+	}
+	return corePhase2, nil
+}
+
+func checkAutoconnectConflicts(st *state.State, autoconnectTask *state.Task, plugSnap, slotSnap string) error {
+	for _, task := range st.Tasks() {
+		if task.Status().Ready() {
+			continue
+		}
+
+		k := task.Kind()
+		if k == "connect" || k == "disconnect" {
+			// retry if we found another connect/disconnect affecting same snap; note we can only encounter
+			// connects/disconnects created by doAutoDisconnect / doAutoConnect here as manual interface ops
+			// are rejected by conflict check logic in snapstate.
+			plugRef, slotRef, err := getPlugAndSlotRefs(task)
+			if err != nil {
+				return err
+			}
+			if plugRef.Snap == plugSnap {
+				return &state.Retry{After: connectRetryTimeout, Reason: fmt.Sprintf("conflicting plug snap %s, task %q", plugSnap, k)}
+			}
+			if slotRef.Snap == slotSnap {
+				return &state.Retry{After: connectRetryTimeout, Reason: fmt.Sprintf("conflicting slot snap %s, task %q", slotSnap, k)}
+			}
+			continue
+		}
+
+		snapsup, err := snapstate.TaskSnapSetup(task)
+		// e.g. hook tasks don't have task snap setup
+		if err != nil {
+			continue
+		}
+
+		otherSnapName := snapsup.InstanceName()
+
+		// different snaps - no conflict
+		if otherSnapName != plugSnap && otherSnapName != slotSnap {
+			continue
+		}
+
+		// setup-profiles core-phase-2 is now no-op, we shouldn't
+		// conflict on it; note, old snapd would create this task even
+		// for regular snaps if installed with the dangerous flag.
+		obsoleteCorePhase2, err := obsoleteCorePhase2SetupProfiles(k, task)
+		if err != nil {
+			return err
+		}
+		if obsoleteCorePhase2 {
+			continue
+		}
+
+		// other snap that affects us because of plug or slot
+		if k == "unlink-snap" || k == "link-snap" || k == "setup-profiles" || k == "discard-snap" {
+			// discard-snap is scheduled as part of garbage collection during refresh, if multiple revsions are already installed.
+			// this revision check avoids conflict with own discard tasks created as part of install/refresh.
+			if k == "discard-snap" && autoconnectTask.Change() != nil && autoconnectTask.Change().ID() == task.Change().ID() {
+				continue
+			}
+			// if snap is getting removed, we will retry but the snap will be gone and auto-connect becomes no-op
+			// if snap is getting installed/refreshed - temporary conflict, retry later
+			return &state.Retry{After: connectRetryTimeout, Reason: fmt.Sprintf("conflicting snap %s with task %q", otherSnapName, k)}
+		}
+	}
+	return nil
+}
+
+func checkDisconnectConflicts(st *state.State, disconnectingSnap, plugSnap, slotSnap string) error {
+	for _, task := range st.Tasks() {
+		if task.Status().Ready() {
+			continue
+		}
+
+		k := task.Kind()
+		if k == "connect" || k == "disconnect" {
+			// retry if we found another connect/disconnect affecting same snap; note we can only encounter
+			// connects/disconnects created by doAutoDisconnect / doAutoConnect here as manual interface ops
+			// are rejected by conflict check logic in snapstate.
+			plugRef, slotRef, err := getPlugAndSlotRefs(task)
+			if err != nil {
+				return err
+			}
+			if plugRef.Snap == plugSnap || slotRef.Snap == slotSnap {
+				return &state.Retry{After: connectRetryTimeout}
+			}
+			continue
+		}
+
+		snapsup, err := snapstate.TaskSnapSetup(task)
+		// e.g. hook tasks don't have task snap setup
+		if err != nil {
+			continue
+		}
+
+		otherSnapName := snapsup.InstanceName()
+
+		// different snaps - no conflict
+		if otherSnapName != plugSnap && otherSnapName != slotSnap {
+			continue
+		}
+
+		// another task related to same snap op (unrelated op would be blocked by snapstate conflict logic)
+		if otherSnapName == disconnectingSnap {
+			continue
+		}
+
+		// note, don't care about unlink-snap for the opposite end. This relies
+		// on the fact that auto-disconnect will create conflicting "disconnect" tasks that
+		// we will retry with the logic above.
+		if k == "link-snap" || k == "setup-profiles" {
+			// other snap is getting installed/refreshed - temporary conflict
+			return &state.Retry{After: connectRetryTimeout}
+		}
+	}
+	return nil
+}
+
+func checkHotplugDisconnectConflicts(st *state.State, plugSnap, slotSnap string) error {
+	for _, task := range st.Tasks() {
+		if task.Status().Ready() {
+			continue
+		}
+
+		k := task.Kind()
+		if k == "connect" || k == "disconnect" {
+			plugRef, slotRef, err := getPlugAndSlotRefs(task)
+			if err != nil {
+				return err
+			}
+			if plugRef.Snap == plugSnap {
+				return &state.Retry{After: connectRetryTimeout, Reason: fmt.Sprintf("conflicting plug snap %s, task %q", plugSnap, k)}
+			}
+			if slotRef.Snap == slotSnap {
+				return &state.Retry{After: connectRetryTimeout, Reason: fmt.Sprintf("conflicting slot snap %s, task %q", slotSnap, k)}
+			}
+			continue
+		}
+
+		snapsup, err := snapstate.TaskSnapSetup(task)
+		// e.g. hook tasks don't have task snap setup
+		if err != nil {
+			continue
+		}
+		otherSnapName := snapsup.InstanceName()
+
+		// different snaps - no conflict
+		if otherSnapName != plugSnap && otherSnapName != slotSnap {
+			continue
+		}
+
+		if k == "link-snap" || k == "setup-profiles" || k == "unlink-snap" {
+			// other snap is getting installed/refreshed/removed - temporary conflict
+			return &state.Retry{After: connectRetryTimeout, Reason: fmt.Sprintf("conflicting snap %s with task %q", otherSnapName, k)}
+		}
+	}
+	return nil
+}
+
+// inSameChangeWaitChains returns true if there is a wait chain so
+// that `startT` is run before `searchT` in the same state.Change.
+func inSameChangeWaitChain(startT, searchT *state.Task) bool {
+	// Trivial case, tasks in different changes (they could in theory
+	// still have cross-change waits but we don't do these today).
+	// In this case, return quickly.
+	if startT.Change() != searchT.Change() {
+		return false
+	}
+	// Do a recursive check if its in the same change
+	return waitChainSearch(startT, searchT)
+}
+
+func waitChainSearch(startT, searchT *state.Task) bool {
+	for _, cand := range startT.HaltTasks() {
+		if cand == searchT {
+			return true
+		}
+		if waitChainSearch(cand, searchT) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // doAutoConnect creates task(s) to connect the given snap to viable candidates.
 func (m *InterfaceManager) doAutoConnect(task *state.Task, _ *tomb.Tomb) error {
-	// FIXME: here we should not reconnect auto-connect plug/slot
-	// pairs that were explicitly disconnected by the user
-
 	st := task.State()
 	st.Lock()
 	defer st.Unlock()
 
-	var conns map[string]connState
-	err := st.Get("conns", &conns)
-	if err != nil && err != state.ErrNoState {
+	conns, err := getConns(st)
+	if err != nil {
 		return err
 	}
-	if conns == nil {
-		conns = make(map[string]connState)
-	}
 
 	snapsup, err := snapstate.TaskSnapSetup(task)
 	if err != nil {
 		return err
 	}
 
-	snapName := snapsup.Name()
+	// The previous task (link-snap) may have triggered a restart,
+	// if this is the case we can only procceed once the restart
+	// has happened or we may not have all the interfaces of the
+	// new core/base snap.
+	if err := snapstate.WaitRestart(task, snapsup); err != nil {
+		return err
+	}
+
+	snapName := snapsup.InstanceName()
 
 	autots := state.NewTaskSet()
 	autochecker, err := newAutoConnectChecker(st)
@@ -597,16 +912,22 @@
 				continue
 			}
 			if snapsup, err := snapstate.TaskSnapSetup(t); err == nil {
-				if defaultProviders[snapsup.Name()] {
+				// Only retry if the task that installs the
+				// content provider is not waiting for us
+				// (or this will just hang forever).
+				if defaultProviders[snapsup.InstanceName()] && !inSameChangeWaitChain(task, t) {
 					return &state.Retry{After: contentLinkRetryTimeout}
 				}
 			}
 		}
 	}
 
-	chg := task.Change()
+	plugs := m.repo.Plugs(snapName)
+	slots := m.repo.Slots(snapName)
+	newconns := make(map[string]*interfaces.ConnRef, len(plugs)+len(slots))
+
 	// Auto-connect all the plugs
-	for _, plug := range m.repo.Plugs(snapName) {
+	for _, plug := range plugs {
 		candidates := m.repo.AutoConnectCandidateSlots(snapName, plug.Name, autochecker.check)
 		if len(candidates) == 0 {
 			continue
@@ -617,9 +938,9 @@
 		// go with those from the new core snap.
 		if len(candidates) == 2 {
 			switch {
-			case candidates[0].Snap.Name() == "ubuntu-core" && candidates[1].Snap.Name() == "core":
+			case candidates[0].Snap.InstanceName() == "ubuntu-core" && candidates[1].Snap.InstanceName() == "core":
 				candidates = candidates[1:2]
-			case candidates[1].Snap.Name() == "ubuntu-core" && candidates[0].Snap.Name() == "core":
+			case candidates[1].Snap.InstanceName() == "ubuntu-core" && candidates[0].Snap.InstanceName() == "core":
 				candidates = candidates[0:1]
 			}
 		}
@@ -635,20 +956,31 @@
 		connRef := interfaces.NewConnRef(plug, slot)
 		key := connRef.ID()
 		if _, ok := conns[key]; ok {
-			// Suggested connection already exist so don't clobber it.
+			// Suggested connection already exist (or has Undesired flag set) so don't clobber it.
 			// NOTE: we don't log anything here as this is a normal and common condition.
 			continue
 		}
 
-		ts, err := AutoConnect(st, chg, task, plug.Snap.Name(), plug.Name, slot.Snap.Name(), slot.Name)
+		ignore, err := findSymmetricAutoconnectTask(st, plug.Snap.InstanceName(), slot.Snap.InstanceName(), task)
 		if err != nil {
-			task.Logf("cannot auto-connect plug %s to %s: %s", connRef.PlugRef, connRef.SlotRef, err)
+			return err
+		}
+
+		if ignore {
 			continue
 		}
-		autots.AddAll(ts)
+
+		if err := checkAutoconnectConflicts(st, task, plug.Snap.InstanceName(), slot.Snap.InstanceName()); err != nil {
+			if retry, ok := err.(*state.Retry); ok {
+				task.Logf("Waiting for conflicting change in progress: %s", retry.Reason)
+				return err // will retry
+			}
+			return fmt.Errorf("auto-connect conflict check failed: %s", err)
+		}
+		newconns[connRef.ID()] = connRef
 	}
 	// Auto-connect all the slots
-	for _, slot := range m.repo.Slots(snapName) {
+	for _, slot := range slots {
 		candidates := m.repo.AutoConnectCandidatePlugs(snapName, slot.Name, autochecker.check)
 		if len(candidates) == 0 {
 			continue
@@ -658,7 +990,7 @@
 			// make sure slot is the only viable
 			// connection for plug, same check as if we were
 			// considering auto-connections from plug
-			candSlots := m.repo.AutoConnectCandidateSlots(plug.Snap.Name(), plug.Name, autochecker.check)
+			candSlots := m.repo.AutoConnectCandidateSlots(plug.Snap.InstanceName(), plug.Name, autochecker.check)
 
 			if len(candSlots) != 1 || candSlots[0].String() != slot.String() {
 				crefs := make([]string, len(candSlots))
@@ -672,38 +1004,102 @@
 			connRef := interfaces.NewConnRef(plug, slot)
 			key := connRef.ID()
 			if _, ok := conns[key]; ok {
-				// Suggested connection already exist so don't clobber it.
+				// Suggested connection already exist (or has Undesired flag set) so don't clobber it.
 				// NOTE: we don't log anything here as this is a normal and common condition.
 				continue
 			}
-			ts, err := AutoConnect(st, chg, task, plug.Snap.Name(), plug.Name, slot.Snap.Name(), slot.Name)
+			if _, ok := newconns[key]; ok {
+				continue
+			}
+
+			ignore, err := findSymmetricAutoconnectTask(st, plug.Snap.InstanceName(), slot.Snap.InstanceName(), task)
 			if err != nil {
-				task.Logf("cannot auto-connect slot %s to %s: %s", connRef.SlotRef, connRef.PlugRef, err)
+				return err
+			}
+
+			if ignore {
 				continue
 			}
-			autots.AddAll(ts)
+
+			if err := checkAutoconnectConflicts(st, task, plug.Snap.InstanceName(), slot.Snap.InstanceName()); err != nil {
+				if retry, ok := err.(*state.Retry); ok {
+					task.Logf("Waiting for conflicting change in progress: %s", retry.Reason)
+					return err // will retry
+				}
+				return fmt.Errorf("auto-connect conflict check failed: %s", err)
+			}
+			newconns[connRef.ID()] = connRef
 		}
 	}
 
+	// Create connect tasks and interface hooks
+	for _, conn := range newconns {
+		ts, err := connect(st, conn.PlugRef.Snap, conn.PlugRef.Name, conn.SlotRef.Snap, conn.SlotRef.Name, connectOpts{AutoConnect: true})
+		if err != nil {
+			return fmt.Errorf("internal error: auto-connect of %q failed: %s", conn, err)
+		}
+		autots.AddAll(ts)
+	}
+
+	if len(autots.Tasks()) > 0 {
+		snapstate.InjectTasks(task, autots)
+
+		st.EnsureBefore(0)
+	}
+
 	task.SetStatus(state.DoneStatus)
+	return nil
+}
+
+// doAutoDisconnect creates tasks for disconnecting all interfaces of a snap and running its interface hooks.
+func (m *InterfaceManager) doAutoDisconnect(task *state.Task, _ *tomb.Tomb) error {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	snapsup, err := snapstate.TaskSnapSetup(task)
+	if err != nil {
+		return err
+	}
 
-	lanes := task.Lanes()
-	if len(lanes) == 1 && lanes[0] == 0 {
-		lanes = nil
-	}
-	ht := task.HaltTasks()
-
-	// add all connect tasks to the change of main "auto-connect" task and to the same lane.
-	for _, l := range lanes {
-		autots.JoinLane(l)
-	}
-	chg.AddAll(autots)
-	// make all halt tasks of the main 'auto-connect' task wait on connect tasks
-	for _, t := range ht {
-		t.WaitAll(autots)
+	snapName := snapsup.InstanceName()
+	connections, err := m.repo.Connections(snapName)
+	if err != nil {
+		return err
 	}
 
-	st.EnsureBefore(0)
+	// check for conflicts on all connections first before creating disconnect hooks
+	for _, connRef := range connections {
+		if err := checkDisconnectConflicts(st, snapName, connRef.PlugRef.Snap, connRef.SlotRef.Snap); err != nil {
+			if _, retry := err.(*state.Retry); retry {
+				logger.Debugf("disconnecting interfaces of snap %q will be retried because of %q - %q conflict", snapName, connRef.PlugRef.Snap, connRef.SlotRef.Snap)
+				task.Logf("Waiting for conflicting change in progress...")
+				return err // will retry
+			}
+			return fmt.Errorf("cannot check conflicts when disconnecting interfaces: %s", err)
+		}
+	}
+
+	hookTasks := state.NewTaskSet()
+	for _, connRef := range connections {
+		conn, err := m.repo.Connection(connRef)
+		if err != nil {
+			break
+		}
+		// "auto-disconnect" flag indicates it's a disconnect triggered as part of snap removal, in which
+		// case we want to skip the logic of marking auto-connections as 'undesired' and instead just remove
+		// them so they can be automatically connected if the snap is installed again.
+		ts, err := disconnectTasks(st, conn, disconnectOpts{AutoDisconnect: true})
+		if err != nil {
+			return err
+		}
+		hookTasks.AddAll(ts)
+	}
+
+	snapstate.InjectTasks(task, hookTasks)
+
+	// make sure that we add tasks and mark this task done in the same atomic write, otherwise there is a risk of re-adding tasks again
+	task.SetStatus(state.DoneStatus)
 	return nil
 }
 
@@ -784,3 +1180,232 @@
 
 	return m.transitionConnectionsCoreMigration(st, newName, oldName)
 }
+
+// doGadgetConnect creates task(s) to follow the interface connection instructions from the gadget.
+func (m *InterfaceManager) doGadgetConnect(task *state.Task, _ *tomb.Tomb) error {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	conns, err := getConns(st)
+	if err != nil {
+		return err
+	}
+
+	gconns, err := snapstate.GadgetConnections(st)
+	if err != nil {
+		return err
+	}
+
+	gconnts := state.NewTaskSet()
+	var newconns []*interfaces.ConnRef
+
+	// consider the gadget connect instructions
+	for _, gconn := range gconns {
+		plugSnapName, err := resolveSnapIDToName(st, gconn.Plug.SnapID)
+		if err != nil {
+			return err
+		}
+		plug := m.repo.Plug(plugSnapName, gconn.Plug.Plug)
+		if plug == nil {
+			task.Logf("gadget connect: ignoring missing plug %s:%s", gconn.Plug.SnapID, gconn.Plug.Plug)
+			continue
+		}
+
+		slotSnapName, err := resolveSnapIDToName(st, gconn.Slot.SnapID)
+		if err != nil {
+			return err
+		}
+		slot := m.repo.Slot(slotSnapName, gconn.Slot.Slot)
+		if slot == nil {
+			task.Logf("gadget connect: ignoring missing slot %s:%s", gconn.Slot.SnapID, gconn.Slot.Slot)
+			continue
+		}
+
+		connRef := interfaces.NewConnRef(plug, slot)
+		key := connRef.ID()
+		if _, ok := conns[key]; ok {
+			// Gadget connection already exist (or has Undesired flag set) so don't clobber it.
+			continue
+		}
+
+		if err := checkAutoconnectConflicts(st, task, plug.Snap.InstanceName(), slot.Snap.InstanceName()); err != nil {
+			if retry, ok := err.(*state.Retry); ok {
+				task.Logf("gadget connect will be retried: %s", retry.Reason)
+				return err // will retry
+			}
+			return fmt.Errorf("gadget connect conflict check failed: %s", err)
+		}
+		newconns = append(newconns, connRef)
+	}
+
+	// Create connect tasks and interface hooks
+	for _, conn := range newconns {
+		ts, err := connect(st, conn.PlugRef.Snap, conn.PlugRef.Name, conn.SlotRef.Snap, conn.SlotRef.Name, connectOpts{AutoConnect: true, ByGadget: true})
+		if err != nil {
+			return fmt.Errorf("internal error: connect of %q failed: %s", conn, err)
+		}
+		gconnts.AddAll(ts)
+	}
+
+	if len(gconnts.Tasks()) > 0 {
+		snapstate.InjectTasks(task, gconnts)
+
+		st.EnsureBefore(0)
+	}
+
+	task.SetStatus(state.DoneStatus)
+	return nil
+}
+
+// doHotplugRemoveSlot removes hotplug slot for given device from the repository in response to udev "remove" event.
+// This task must necessarily be run after all affected slot gets disconnected in the repo.
+func (m *InterfaceManager) doHotplugRemoveSlot(task *state.Task, _ *tomb.Tomb) error {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	ifaceName, hotplugKey, err := getHotplugAttrs(task)
+	if err != nil {
+		return fmt.Errorf("internal error: cannot get hotplug task attributes: %s", err)
+	}
+
+	slot, err := m.repo.SlotForHotplugKey(ifaceName, hotplugKey)
+	if err != nil {
+		return fmt.Errorf("internal error: cannot determine slots: %v", err)
+	}
+	if slot != nil {
+		if err := m.repo.RemoveSlot(slot.Snap.InstanceName(), slot.Name); err != nil {
+			return fmt.Errorf("cannot remove hotplug slot: %v", err)
+		}
+	}
+
+	stateSlots, err := getHotplugSlots(st)
+	if err != nil {
+		return fmt.Errorf("internal error: cannot obtain hotplug slots: %v", err)
+	}
+
+	// remove the slot from hotplug-slots in the state as long as there are no connections referencing it,
+	// including connection with hotplug-gone=true.
+Loop:
+	for slotName, def := range stateSlots {
+		if def.Interface != ifaceName || def.HotplugKey != hotplugKey {
+			continue
+		}
+		conns, err := getConns(st)
+		if err != nil {
+			return err
+		}
+		for _, conn := range conns {
+			if conn.Interface == def.Interface && conn.HotplugKey == def.HotplugKey {
+				// there is a connection referencing this slot, do not remove it
+				break Loop
+			}
+		}
+		delete(stateSlots, slotName)
+		setHotplugSlots(st, stateSlots)
+		break
+	}
+
+	return nil
+}
+
+// doHotplugDisconnect creates task(s) to disconnect connections and remove slots in response to hotplug "remove" event.
+func (m *InterfaceManager) doHotplugDisconnect(task *state.Task, _ *tomb.Tomb) error {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	ifaceName, hotplugKey, err := getHotplugAttrs(task)
+	if err != nil {
+		return fmt.Errorf("internal error: cannot get hotplug task attributes: %s", err)
+	}
+
+	connections, err := m.repo.ConnectionsForHotplugKey(ifaceName, hotplugKey)
+	if err != nil {
+		return err
+	}
+	if len(connections) == 0 {
+		return nil
+	}
+
+	// check for conflicts on all connections first before creating disconnect hooks
+	for _, connRef := range connections {
+		if err := checkHotplugDisconnectConflicts(st, connRef.PlugRef.Snap, connRef.SlotRef.Snap); err != nil {
+			if retry, ok := err.(*state.Retry); ok {
+				task.Logf("Waiting for conflicting change in progress: %s", retry.Reason)
+				return err // will retry
+			}
+			return fmt.Errorf("cannot check conflicts when disconnecting interfaces: %s", err)
+		}
+	}
+
+	dts := state.NewTaskSet()
+	for _, connRef := range connections {
+		conn, err := m.repo.Connection(connRef)
+		if err != nil {
+			// this should never happen since we get all connections from the repo
+			return fmt.Errorf("internal error: cannot get connection %q: %s", connRef, err)
+		}
+		// "by-hotplug" flag indicates it's a disconnect triggered as part of hotplug removal.
+		ts, err := disconnectTasks(st, conn, disconnectOpts{ByHotplug: true})
+		if err != nil {
+			return fmt.Errorf("internal error: cannot create disconnect tasks: %s", err)
+		}
+		dts.AddAll(ts)
+	}
+
+	snapstate.InjectTasks(task, dts)
+	st.EnsureBefore(0)
+
+	// make sure that we add tasks and mark this task done in the same atomic write, otherwise there is a risk of re-adding tasks again
+	task.SetStatus(state.DoneStatus)
+
+	return nil
+}
+
+// doHotplugSeqWait returns Retry error if there is another change for same hotplug key and a lower sequence number.
+// Sequence numbers control the order of execution of hotplug-related changes, which would otherwise be executed in
+// arbitrary order by task runner, leading to unexpected results if multiple events for same device are in flight
+// (e.g. plugging, followed by immediate unplugging, or snapd restart with pending hotplug changes).
+// The handler expects "hotplug-key" and "hotplug-seq" values set on own and other hotplug-related changes.
+func (m *InterfaceManager) doHotplugSeqWait(task *state.Task, _ *tomb.Tomb) error {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	chg := task.Change()
+	if chg == nil || !isHotplugChange(chg) {
+		return fmt.Errorf("internal error: task %q not in a hotplug change", task.Kind())
+	}
+
+	seq, hotplugKey, err := getHotplugChangeAttrs(chg)
+	if err != nil {
+		return err
+	}
+
+	for _, otherChg := range st.Changes() {
+		if otherChg.Status().Ready() || otherChg.ID() == chg.ID() {
+			continue
+		}
+
+		// only inspect hotplug changes
+		if !isHotplugChange(otherChg) {
+			continue
+		}
+
+		otherSeq, otherKey, err := getHotplugChangeAttrs(otherChg)
+		if err != nil {
+			return err
+		}
+
+		// conflict with retry if there another change affecting same device and has lower sequence number
+		if hotplugKey == otherKey && otherSeq < seq {
+			task.Logf("Waiting processing of earlier hotplug event change %q affecting device with hotplug key %q", otherChg.Kind(), hotplugKey)
+			return &state.Retry{}
+		}
+	}
+
+	// no conflicting change for same hotplug key found
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/handlers_test.go snapd-2.37~rc1~14.04/overlord/ifacestate/handlers_test.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/handlers_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/handlers_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,66 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package ifacestate_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/overlord/ifacestate"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+type handlersSuite struct{}
+
+var _ = Suite(&handlersSuite{})
+
+func (s *handlersSuite) TestInSameChangeWaitChain(c *C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	// no wait chain (yet)
+	startT := st.NewTask("start", "...start")
+	intermediateT := st.NewTask("intermediateT", "...intermediateT")
+	searchT := st.NewTask("searchT", "...searchT")
+	c.Check(ifacestate.InSameChangeWaitChain(startT, searchT), Equals, false)
+
+	// add (indirect) wait chain
+	searchT.WaitFor(intermediateT)
+	intermediateT.WaitFor(startT)
+	c.Check(ifacestate.InSameChangeWaitChain(startT, searchT), Equals, true)
+}
+
+func (s *handlersSuite) TestInSameChangeWaitChainDifferentChanges(c *C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	t1 := st.NewTask("t1", "...")
+	chg1 := st.NewChange("chg1", "...")
+	chg1.AddTask(t1)
+
+	t2 := st.NewTask("t2", "...")
+	chg2 := st.NewChange("chg2", "...")
+	chg2.AddTask(t2)
+
+	// add a cross change wait chain
+	t2.WaitFor(t1)
+	c.Check(ifacestate.InSameChangeWaitChain(t1, t2), Equals, false)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/helpers.go snapd-2.37~rc1~14.04/overlord/ifacestate/helpers.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/helpers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/helpers.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,15 +20,24 @@
 package ifacestate
 
 import (
+	"bytes"
+	"encoding/json"
 	"fmt"
+	"os"
+	"sort"
+	"strings"
 
 	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/backends"
 	"github.com/snapcore/snapd/interfaces/builtin"
 	"github.com/snapcore/snapd/interfaces/policy"
+	"github.com/snapcore/snapd/interfaces/utils"
+	"github.com/snapcore/snapd/jsonutil"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord/assertstate"
+	"github.com/snapcore/snapd/overlord/devicestate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
@@ -38,22 +47,36 @@
 	m.state.Lock()
 	defer m.state.Unlock()
 
+	snaps, err := snapsWithSecurityProfiles(m.state)
+	if err != nil {
+		return err
+	}
+	// Before deciding about adding implicit slots to any snap we need to scan
+	// the set of snaps we know about. If any of those is "snapd" then for the
+	// duration of this process always add implicit slots to snapd and not to
+	// any other type: os snap and use a mapper to use names core-snapd-system
+	// on state, in memory and in API responses, respectively.
+	m.selectInterfaceMapper(snaps)
+
 	if err := m.addInterfaces(extraInterfaces); err != nil {
 		return err
 	}
 	if err := m.addBackends(extraBackends); err != nil {
 		return err
 	}
-	if err := m.addSnaps(); err != nil {
+	if err := m.addSnaps(snaps); err != nil {
 		return err
 	}
 	if err := m.renameCorePlugConnection(); err != nil {
 		return err
 	}
+	if err := removeStaleConnections(m.state); err != nil {
+		return err
+	}
 	if _, err := m.reloadConnections(""); err != nil {
 		return err
 	}
-	if m.profilesNeedRegeneration() {
+	if profilesNeedRegeneration() {
 		if err := m.regenerateAllSecurityProfiles(); err != nil {
 			return err
 		}
@@ -61,6 +84,15 @@
 	return nil
 }
 
+func (m *InterfaceManager) selectInterfaceMapper(snaps []*snap.Info) {
+	for _, snapInfo := range snaps {
+		if snapInfo.SnapName() == "snapd" {
+			mapper = &CoreSnapdSystemMapper{}
+			break
+		}
+	}
+}
+
 func (m *InterfaceManager) addInterfaces(extra []interfaces.Interface) error {
 	for _, iface := range builtin.Interfaces() {
 		if err := m.repo.AddInterface(iface); err != nil {
@@ -95,21 +127,19 @@
 	return nil
 }
 
-func (m *InterfaceManager) addSnaps() error {
-	snaps, err := snapsWithSecurityProfiles(m.state)
-	if err != nil {
-		return err
-	}
+func (m *InterfaceManager) addSnaps(snaps []*snap.Info) error {
 	for _, snapInfo := range snaps {
-		addImplicitSlots(snapInfo)
+		if err := addImplicitSlots(m.state, snapInfo); err != nil {
+			return err
+		}
 		if err := m.repo.AddSnap(snapInfo); err != nil {
-			logger.Noticef("cannot add snap %q to interface repository: %s", snapInfo.Name(), err)
+			logger.Noticef("cannot add snap %q to interface repository: %s", snapInfo.InstanceName(), err)
 		}
 	}
 	return nil
 }
 
-func (m *InterfaceManager) profilesNeedRegeneration() bool {
+func profilesNeedRegenerationImpl() bool {
 	mismatch, err := interfaces.SystemKeyMismatch()
 	if err != nil {
 		logger.Noticef("error trying to compare the snap system key: %v", err)
@@ -118,6 +148,9 @@
 	return mismatch
 }
 
+var profilesNeedRegeneration = profilesNeedRegenerationImpl
+var writeSystemKey = interfaces.WriteSystemKey
+
 // regenerateAllSecurityProfiles will regenerate all security profiles.
 func (m *InterfaceManager) regenerateAllSecurityProfiles() error {
 	// Get all the security backends
@@ -128,14 +161,27 @@
 	if err != nil {
 		return err
 	}
+
 	// Add implicit slots to all snaps
 	for _, snapInfo := range snaps {
-		addImplicitSlots(snapInfo)
+		if err := addImplicitSlots(m.state, snapInfo); err != nil {
+			return err
+		}
 	}
 
+	// The reason the system key is unlinked is to prevent snapd from believing
+	// that an old system key is valid and represents security setup
+	// established in the system. If snapd is reverted following a failed
+	// startup then system key may match the system key that used to be on disk
+	// but some of the system security may have been changed by the new snapd,
+	// the one that was reverted. Unlinking avoids such possibility, forcing
+	// old snapd to re-establish proper security view.
+	shouldWriteSystemKey := true
+	os.Remove(dirs.SnapSystemKeyFile)
+
 	// For each snap:
 	for _, snapInfo := range snaps {
-		snapName := snapInfo.Name()
+		snapName := snapInfo.InstanceName()
 		// Get the state of the snap so we can compute the confinement option
 		var snapst snapstate.SnapState
 		if err := snapstate.Get(m.state, snapName, &snapst); err != nil {
@@ -152,15 +198,18 @@
 			}
 			// Refresh security of this snap and backend
 			if err := backend.Setup(snapInfo, opts, m.repo); err != nil {
-				// Let's log this but carry on
+				// Let's log this but carry on without writing the system key.
 				logger.Noticef("cannot regenerate %s profile for snap %q: %s",
 					backend.Name(), snapName, err)
+				shouldWriteSystemKey = false
 			}
 		}
 	}
 
-	if err := interfaces.WriteSystemKey(); err != nil {
-		logger.Noticef("cannot write system key: %v", err)
+	if shouldWriteSystemKey {
+		if err := writeSystemKey(); err != nil {
+			logger.Noticef("cannot write system key: %v", err)
+		}
 	}
 	return nil
 }
@@ -194,6 +243,46 @@
 	return nil
 }
 
+// removeStaleConnections removes stale connections left by some older versions of snapd.
+// Connection is considered stale if the snap on either end of the connection doesn't exist anymore.
+// XXX: this code should eventually go away.
+var removeStaleConnections = func(st *state.State) error {
+	conns, err := getConns(st)
+	if err != nil {
+		return err
+	}
+	var staleConns []string
+	for id := range conns {
+		connRef, err := interfaces.ParseConnRef(id)
+		if err != nil {
+			return err
+		}
+		var snapst snapstate.SnapState
+		if err := snapstate.Get(st, connRef.PlugRef.Snap, &snapst); err != nil {
+			if err != state.ErrNoState {
+				return err
+			}
+			staleConns = append(staleConns, id)
+			continue
+		}
+		if err := snapstate.Get(st, connRef.SlotRef.Snap, &snapst); err != nil {
+			if err != state.ErrNoState {
+				return err
+			}
+			staleConns = append(staleConns, id)
+			continue
+		}
+	}
+	if len(staleConns) > 0 {
+		for _, id := range staleConns {
+			delete(conns, id)
+		}
+		setConns(st, conns)
+		logger.Noticef("removed stale connections: %s", strings.Join(staleConns, ", "))
+	}
+	return nil
+}
+
 // reloadConnections reloads connections stored in the state in the repository.
 // Using non-empty snapName the operation can be scoped to connections
 // affecting a given snap.
@@ -205,7 +294,10 @@
 		return nil, err
 	}
 	affected := make(map[string]bool)
-	for id := range conns {
+	for id, conn := range conns {
+		if conn.Undesired || conn.HotplugGone {
+			continue
+		}
 		connRef, err := interfaces.ParseConnRef(id)
 		if err != nil {
 			return nil, err
@@ -213,11 +305,21 @@
 		if snapName != "" && connRef.PlugRef.Snap != snapName && connRef.SlotRef.Snap != snapName {
 			continue
 		}
-		if err := m.repo.Connect(connRef); err != nil {
+
+		// Note: reloaded connections are not checked against policy again, and also we don't call BeforeConnect* methods on them.
+		if _, err := m.repo.Connect(connRef, conn.StaticPlugAttrs, conn.DynamicPlugAttrs, conn.StaticSlotAttrs, conn.DynamicSlotAttrs, nil); err != nil {
+			if _, ok := err.(*interfaces.UnknownPlugSlotError); ok {
+				// Some versions of snapd may have left stray connections that
+				// don't have the corresponding plug or slot anymore. Before we
+				// choose how to deal with this data we want to silently ignore
+				// that error not to worry the users.
+				continue
+			}
 			logger.Noticef("%s", err)
+		} else {
+			affected[connRef.PlugRef.Snap] = true
+			affected[connRef.SlotRef.Snap] = true
 		}
-		affected[connRef.PlugRef.Snap] = true
-		affected[connRef.SlotRef.Snap] = true
 	}
 	result := make([]string, 0, len(affected))
 	for name := range affected {
@@ -226,30 +328,50 @@
 	return result, nil
 }
 
+func (m *InterfaceManager) setupSecurityByBackend(task *state.Task, snaps []*snap.Info, opts []interfaces.ConfinementOptions) error {
+	st := task.State()
+
+	// Setup all affected snaps, start with the most important security
+	// backend and run it for all snaps. See LP: 1802581
+	for _, backend := range m.repo.Backends() {
+		for i, snapInfo := range snaps {
+			st.Unlock()
+			err := backend.Setup(snapInfo, opts[i], m.repo)
+			st.Lock()
+			if err != nil {
+				task.Errorf("cannot setup %s for snap %q: %s", backend.Name(), snapInfo.InstanceName(), err)
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 func (m *InterfaceManager) setupSnapSecurity(task *state.Task, snapInfo *snap.Info, opts interfaces.ConfinementOptions) error {
 	st := task.State()
-	snapName := snapInfo.Name()
+	instanceName := snapInfo.InstanceName()
 
 	for _, backend := range m.repo.Backends() {
 		st.Unlock()
 		err := backend.Setup(snapInfo, opts, m.repo)
 		st.Lock()
 		if err != nil {
-			task.Errorf("cannot setup %s for snap %q: %s", backend.Name(), snapName, err)
+			task.Errorf("cannot setup %s for snap %q: %s", backend.Name(), instanceName, err)
 			return err
 		}
 	}
 	return nil
 }
 
-func (m *InterfaceManager) removeSnapSecurity(task *state.Task, snapName string) error {
+func (m *InterfaceManager) removeSnapSecurity(task *state.Task, instanceName string) error {
 	st := task.State()
 	for _, backend := range m.repo.Backends() {
 		st.Unlock()
-		err := backend.Remove(snapName)
+		err := backend.Remove(instanceName)
 		st.Lock()
 		if err != nil {
-			task.Errorf("cannot setup %s for snap %q: %s", backend.Name(), snapName, err)
+			task.Errorf("cannot setup %s for snap %q: %s", backend.Name(), instanceName, err)
 			return err
 		}
 	}
@@ -258,7 +380,22 @@
 
 type connState struct {
 	Auto      bool   `json:"auto,omitempty"`
+	ByGadget  bool   `json:"by-gadget,omitempty"`
 	Interface string `json:"interface,omitempty"`
+	// Undesired tracks connections that were manually disconnected after being auto-connected,
+	// so that they are not automatically reconnected again in the future.
+	Undesired        bool                   `json:"undesired,omitempty"`
+	StaticPlugAttrs  map[string]interface{} `json:"plug-static,omitempty"`
+	DynamicPlugAttrs map[string]interface{} `json:"plug-dynamic,omitempty"`
+	StaticSlotAttrs  map[string]interface{} `json:"slot-static,omitempty"`
+	DynamicSlotAttrs map[string]interface{} `json:"slot-dynamic,omitempty"`
+	// Hotplug-related attributes: HotplugGone indicates a connection that
+	// disappeared because the device was removed, but may potentially be
+	// restored in the future if we see the device again. HotplugKey is the
+	// key of the associated device; it's empty for connections of regular
+	// slots.
+	HotplugGone bool   `json:"hotplug-gone,omitempty"`
+	HotplugKey  string `json:"hotplug-key,omitempty"`
 }
 
 type autoConnectChecker struct {
@@ -292,37 +429,124 @@
 	return snapDecl, nil
 }
 
-func (c *autoConnectChecker) check(plug *interfaces.Plug, slot *interfaces.Slot) bool {
+func (c *autoConnectChecker) check(plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) (bool, error) {
+	modelAs, err := devicestate.Model(c.st)
+	if err != nil {
+		return false, err
+	}
+
+	var storeAs *asserts.Store
+	if modelAs.Store() != "" {
+		var err error
+		storeAs, err = assertstate.Store(c.st, modelAs.Store())
+		if err != nil && !asserts.IsNotFound(err) {
+			return false, err
+		}
+	}
+
 	var plugDecl *asserts.SnapDeclaration
-	if plug.Snap.SnapID != "" {
+	if plug.Snap().SnapID != "" {
 		var err error
-		plugDecl, err = c.snapDeclaration(plug.Snap.SnapID)
+		plugDecl, err = c.snapDeclaration(plug.Snap().SnapID)
 		if err != nil {
-			logger.Noticef("error: cannot find snap declaration for %q: %v", plug.Snap.Name(), err)
-			return false
+			logger.Noticef("error: cannot find snap declaration for %q: %v", plug.Snap().InstanceName(), err)
+			return false, nil
 		}
 	}
 
 	var slotDecl *asserts.SnapDeclaration
-	if slot.Snap.SnapID != "" {
+	if slot.Snap().SnapID != "" {
 		var err error
-		slotDecl, err = c.snapDeclaration(slot.Snap.SnapID)
+		slotDecl, err = c.snapDeclaration(slot.Snap().SnapID)
 		if err != nil {
-			logger.Noticef("error: cannot find snap declaration for %q: %v", slot.Snap.Name(), err)
-			return false
+			logger.Noticef("error: cannot find snap declaration for %q: %v", slot.Snap().InstanceName(), err)
+			return false, nil
 		}
 	}
 
 	// check the connection against the declarations' rules
 	ic := policy.ConnectCandidate{
-		Plug:                plug.PlugInfo,
+		Plug:                plug,
 		PlugSnapDeclaration: plugDecl,
-		Slot:                slot.SlotInfo,
+		Slot:                slot,
 		SlotSnapDeclaration: slotDecl,
 		BaseDeclaration:     c.baseDecl,
+		Model:               modelAs,
+		Store:               storeAs,
 	}
 
-	return ic.CheckAutoConnect() == nil
+	return ic.CheckAutoConnect() == nil, nil
+}
+
+type connectChecker struct {
+	st       *state.State
+	baseDecl *asserts.BaseDeclaration
+}
+
+func newConnectChecker(s *state.State) (*connectChecker, error) {
+	baseDecl, err := assertstate.BaseDeclaration(s)
+	if err != nil {
+		return nil, fmt.Errorf("internal error: cannot find base declaration: %v", err)
+	}
+	return &connectChecker{
+		st:       s,
+		baseDecl: baseDecl,
+	}, nil
+}
+
+func (c *connectChecker) check(plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) (bool, error) {
+	modelAs, err := devicestate.Model(c.st)
+	if err != nil {
+		return false, fmt.Errorf("cannot get model assertion: %v", err)
+	}
+
+	var storeAs *asserts.Store
+	if modelAs.Store() != "" {
+		var err error
+		storeAs, err = assertstate.Store(c.st, modelAs.Store())
+		if err != nil && !asserts.IsNotFound(err) {
+			return false, err
+		}
+	}
+
+	var plugDecl *asserts.SnapDeclaration
+	if plug.Snap().SnapID != "" {
+		var err error
+		plugDecl, err = assertstate.SnapDeclaration(c.st, plug.Snap().SnapID)
+		if err != nil {
+			return false, fmt.Errorf("cannot find snap declaration for %q: %v", plug.Snap().InstanceName(), err)
+		}
+	}
+
+	var slotDecl *asserts.SnapDeclaration
+	if slot.Snap().SnapID != "" {
+		var err error
+		slotDecl, err = assertstate.SnapDeclaration(c.st, slot.Snap().SnapID)
+		if err != nil {
+			return false, fmt.Errorf("cannot find snap declaration for %q: %v", slot.Snap().InstanceName(), err)
+		}
+	}
+
+	// check the connection against the declarations' rules
+	ic := policy.ConnectCandidate{
+		Plug:                plug,
+		PlugSnapDeclaration: plugDecl,
+		Slot:                slot,
+		SlotSnapDeclaration: slotDecl,
+		BaseDeclaration:     c.baseDecl,
+		Model:               modelAs,
+		Store:               storeAs,
+	}
+
+	// if either of plug or slot snaps don't have a declaration it
+	// means they were installed with "dangerous", so the security
+	// check should be skipped at this point.
+	if plugDecl != nil && slotDecl != nil {
+		if err := ic.Check(); err != nil {
+			return false, err
+		}
+	}
+	return true, nil
 }
 
 func getPlugAndSlotRefs(task *state.Task) (interfaces.PlugRef, interfaces.SlotRef, error) {
@@ -337,21 +561,57 @@
 	return plugRef, slotRef, nil
 }
 
-func getConns(st *state.State) (map[string]connState, error) {
-	// Get information about connections from the state
-	var conns map[string]connState
-	err := st.Get("conns", &conns)
+// getConns returns information about connections from the state.
+//
+// Connections are transparently re-mapped according to remapIncomingConnRef
+func getConns(st *state.State) (conns map[string]*connState, err error) {
+	var raw *json.RawMessage
+	err = st.Get("conns", &raw)
 	if err != nil && err != state.ErrNoState {
-		return nil, fmt.Errorf("cannot obtain data about existing connections: %s", err)
+		return nil, fmt.Errorf("cannot obtain raw data about existing connections: %s", err)
+	}
+	if raw != nil {
+		err = jsonutil.DecodeWithNumber(bytes.NewReader(*raw), &conns)
+		if err != nil {
+			return nil, fmt.Errorf("cannot decode data about existing connections: %s", err)
+		}
 	}
 	if conns == nil {
-		conns = make(map[string]connState)
+		conns = make(map[string]*connState)
+	}
+	remapped := make(map[string]*connState, len(conns))
+	for id, cstate := range conns {
+		cref, err := interfaces.ParseConnRef(id)
+		if err != nil {
+			return nil, err
+		}
+		cref.PlugRef.Snap = RemapSnapFromState(cref.PlugRef.Snap)
+		cref.SlotRef.Snap = RemapSnapFromState(cref.SlotRef.Snap)
+		cstate.StaticSlotAttrs = utils.NormalizeInterfaceAttributes(cstate.StaticSlotAttrs).(map[string]interface{})
+		cstate.DynamicSlotAttrs = utils.NormalizeInterfaceAttributes(cstate.DynamicSlotAttrs).(map[string]interface{})
+		cstate.StaticPlugAttrs = utils.NormalizeInterfaceAttributes(cstate.StaticPlugAttrs).(map[string]interface{})
+		cstate.DynamicPlugAttrs = utils.NormalizeInterfaceAttributes(cstate.DynamicPlugAttrs).(map[string]interface{})
+		remapped[cref.ID()] = cstate
 	}
-	return conns, nil
+	return remapped, nil
 }
 
-func setConns(st *state.State, conns map[string]connState) {
-	st.Set("conns", conns)
+// setConns sets information about connections in the state.
+//
+// Connections are transparently re-mapped according to remapOutgoingConnRef
+func setConns(st *state.State, conns map[string]*connState) {
+	remapped := make(map[string]*connState, len(conns))
+	for id, cstate := range conns {
+		cref, err := interfaces.ParseConnRef(id)
+		if err != nil {
+			// We cannot fail here
+			panic(err)
+		}
+		cref.PlugRef.Snap = RemapSnapToState(cref.PlugRef.Snap)
+		cref.SlotRef.Snap = RemapSnapToState(cref.SlotRef.Snap)
+		remapped[cref.ID()] = cstate
+	}
+	st.Set("conns", remapped)
 }
 
 // snapsWithSecurityProfiles returns all snaps that have active
@@ -364,7 +624,7 @@
 	}
 	seen := make(map[string]bool, len(infos))
 	for _, info := range infos {
-		seen[info.Name()] = true
+		seen[info.InstanceName()] = true
 	}
 	for _, t := range st.Tasks() {
 		if t.Kind() != "link-snap" || t.Status().Ready() {
@@ -374,8 +634,8 @@
 		if err != nil {
 			return nil, err
 		}
-		snapName := snapsup.Name()
-		if seen[snapName] {
+		instanceName := snapsup.InstanceName()
+		if seen[instanceName] {
 			continue
 		}
 
@@ -386,7 +646,7 @@
 				if err != nil {
 					return nil, err
 				}
-				if snapsup1.Name() == snapName {
+				if snapsup1.InstanceName() == instanceName {
 					doneProfiles = true
 					break
 				}
@@ -396,10 +656,10 @@
 			continue
 		}
 
-		seen[snapName] = true
-		snapInfo, err := snap.ReadInfo(snapName, snapsup.SideInfo)
+		seen[instanceName] = true
+		snapInfo, err := snap.ReadInfo(instanceName, snapsup.SideInfo)
 		if err != nil {
-			logger.Noticef("cannot retrieve info for snap %q: %s", snapName, err)
+			logger.Noticef("cannot retrieve info for snap %q: %s", instanceName, err)
 			continue
 		}
 		infos = append(infos, snapInfo)
@@ -407,3 +667,274 @@
 
 	return infos, nil
 }
+
+func resolveSnapIDToName(st *state.State, snapID string) (name string, err error) {
+	if snapID == "system" {
+		// Resolve the system nickname to a concrete snap.
+		return mapper.RemapSnapFromRequest(snapID), nil
+	}
+	decl, err := assertstate.SnapDeclaration(st, snapID)
+	if asserts.IsNotFound(err) {
+		return "", nil
+	}
+	if err != nil {
+		return "", err
+	}
+	return decl.SnapName(), nil
+}
+
+// SnapMapper offers APIs for re-mapping snap names in interfaces and the
+// configuration system. The mapper is designed to apply transformations around
+// the edges of snapd (state interactions and API interactions) to offer one
+// view on the inside of snapd and another view on the outside.
+type SnapMapper interface {
+	// re-map functions for loading and saving objects in the state.
+	RemapSnapFromState(snapName string) string
+	RemapSnapToState(snapName string) string
+	// RamapSnapFromRequest can replace snap names in API requests.
+	// There is no corresponding mapping function for API responses anymore.
+	// The API responses always reflect the real system state.
+	RemapSnapFromRequest(snapName string) string
+	// Returns actual name of the system snap.
+	SystemSnapName() string
+}
+
+// IdentityMapper implements SnapMapper and performs no transformations at all.
+type IdentityMapper struct{}
+
+// RemapSnapFromState doesn't change the snap name in any way.
+func (m *IdentityMapper) RemapSnapFromState(snapName string) string {
+	return snapName
+}
+
+// RemapSnapToState doesn't change the snap name in any way.
+func (m *IdentityMapper) RemapSnapToState(snapName string) string {
+	return snapName
+}
+
+// RemapSnapFromRequest  doesn't change the snap name in any way.
+func (m *IdentityMapper) RemapSnapFromRequest(snapName string) string {
+	return snapName
+}
+
+// CoreCoreSystemMapper implements SnapMapper and makes implicit slots
+// appear to be on "core" in the state and in memory but as "system" in the API.
+//
+// NOTE: This mapper can be used to prepare, as an intermediate step, for the
+// transition to "snapd" mapper. Using it the state and API layer will look
+// exactly the same as with the "snapd" mapper. This can be used to make any
+// necessary adjustments the test suite.
+type CoreCoreSystemMapper struct {
+	IdentityMapper // Embedding the identity mapper allows us to cut on boilerplate.
+}
+
+// RemapSnapFromRequest renames the "system" snap to the "core" snap.
+//
+// This allows us to accept connection and disconnection requests that
+// explicitly refer to "core" or using the "system" nickname.
+func (m *CoreCoreSystemMapper) RemapSnapFromRequest(snapName string) string {
+	if snapName == "system" {
+		return m.SystemSnapName()
+	}
+	return snapName
+}
+
+// SystemSnapName returns actual name of the system snap.
+func (m *CoreCoreSystemMapper) SystemSnapName() string {
+	return "core"
+}
+
+// CoreSnapdSystemMapper implements SnapMapper and makes implicit slots
+// appear to be on "core" in the state and on "system" in the API while they
+// are on "snapd" in memory.
+type CoreSnapdSystemMapper struct {
+	IdentityMapper // Embedding the identity mapper allows us to cut on boilerplate.
+}
+
+// RemapSnapFromState renames the "core" snap to the "snapd" snap.
+//
+// This allows modern snapd to load an old state that remembers connections
+// between slots on the "core" snap and other snaps. In memory we are actually
+// using "snapd" snap for hosting those slots and this lets us stay compatible.
+func (m *CoreSnapdSystemMapper) RemapSnapFromState(snapName string) string {
+	if snapName == "core" {
+		return m.SystemSnapName()
+	}
+	return snapName
+}
+
+// RemapSnapToState renames the "snapd" snap to the "core" snap.
+//
+// This allows the state to stay backwards compatible as all the connections
+// seem to refer to the "core" snap, as in pre core{16,18} days where there was
+// only one core snap.
+func (m *CoreSnapdSystemMapper) RemapSnapToState(snapName string) string {
+	if snapName == m.SystemSnapName() {
+		return "core"
+	}
+	return snapName
+}
+
+// RemapSnapFromRequest renames the "core" or "system" snaps to the "snapd" snap.
+//
+// This allows us to accept connection and disconnection requests that
+// explicitly refer to "core" or "system" even though we really want them to
+// refer to "snapd". Note that this is not fully symmetric with
+// RemapSnapToResponse as we explicitly always talk about "system" snap,
+// even if the request used "core".
+func (m *CoreSnapdSystemMapper) RemapSnapFromRequest(snapName string) string {
+	if snapName == "system" || snapName == "core" {
+		return m.SystemSnapName()
+	}
+	return snapName
+}
+
+// SystemSnapName returns actual name of the system snap.
+func (m *CoreSnapdSystemMapper) SystemSnapName() string {
+	return "snapd"
+}
+
+// mapper contains the currently active snap mapper.
+var mapper SnapMapper = &CoreCoreSystemMapper{}
+
+// MockSnapMapper mocks the currently used snap mapper.
+func MockSnapMapper(new SnapMapper) (restore func()) {
+	old := mapper
+	mapper = new
+	return func() { mapper = old }
+}
+
+// RemapSnapFromState renames a snap when loaded from state according to the current mapper.
+func RemapSnapFromState(snapName string) string {
+	return mapper.RemapSnapFromState(snapName)
+}
+
+// RemapSnapToState renames a snap when saving to state according to the current mapper.
+func RemapSnapToState(snapName string) string {
+	return mapper.RemapSnapToState(snapName)
+}
+
+// RemapSnapFromRequest renames a snap as received from an API request according to the current mapper.
+func RemapSnapFromRequest(snapName string) string {
+	return mapper.RemapSnapFromRequest(snapName)
+}
+
+// SystemSnapName returns actual name of the system snap.
+func SystemSnapName() string {
+	return mapper.SystemSnapName()
+}
+
+// systemSnapInfo returns current info for system snap.
+func systemSnapInfo(st *state.State) (*snap.Info, error) {
+	return snapstate.CurrentInfo(st, SystemSnapName())
+}
+
+func connectDisconnectAffectedSnaps(t *state.Task) ([]string, error) {
+	plugRef, slotRef, err := getPlugAndSlotRefs(t)
+	if err != nil {
+		return nil, fmt.Errorf("internal error: cannot obtain plug/slot data from task: %s", t.Summary())
+	}
+	return []string{plugRef.Snap, slotRef.Snap}, nil
+}
+
+func checkSystemSnapIsPresent(st *state.State) bool {
+	st.Lock()
+	defer st.Unlock()
+	_, err := systemSnapInfo(st)
+	return err == nil
+}
+
+func setHotplugAttrs(task *state.Task, ifaceName, hotplugKey string) {
+	task.Set("interface", ifaceName)
+	task.Set("hotplug-key", hotplugKey)
+}
+
+func getHotplugAttrs(task *state.Task) (ifaceName, hotplugKey string, err error) {
+	if err = task.Get("interface", &ifaceName); err != nil {
+		return "", "", fmt.Errorf("internal error: cannot get interface name from hotplug task: %s", err)
+	}
+	if err = task.Get("hotplug-key", &hotplugKey); err != nil {
+		return "", "", fmt.Errorf("internal error: cannot get hotplug key from hotplug task: %s", err)
+	}
+	return ifaceName, hotplugKey, err
+}
+
+func allocHotplugSeq(st *state.State) (int, error) {
+	var seq int
+	if err := st.Get("hotplug-seq", &seq); err != nil && err != state.ErrNoState {
+		return 0, err
+	}
+	seq++
+	st.Set("hotplug-seq", seq)
+	return seq, nil
+}
+
+func isHotplugChange(chg *state.Change) bool {
+	return strings.HasPrefix(chg.Kind(), "hotplug-")
+}
+
+func getHotplugChangeAttrs(chg *state.Change) (seq int, hotplugKey string, err error) {
+	if err = chg.Get("hotplug-key", &hotplugKey); err != nil {
+		return 0, "", fmt.Errorf("internal error: hotplug-key not set on change %q", chg.Kind())
+	}
+	if err = chg.Get("hotplug-seq", &seq); err != nil {
+		return 0, "", fmt.Errorf("internal error: hotplug-seq not set on change %q", chg.Kind())
+	}
+	return seq, hotplugKey, nil
+}
+
+func setHotplugChangeAttrs(chg *state.Change, seq int, hotplugKey string) {
+	chg.Set("hotplug-seq", seq)
+	chg.Set("hotplug-key", hotplugKey)
+}
+
+// addHotplugSeqWaitTask sets mandatory hotplug attributes on the hotplug change, adds "hotplug-seq-wait" task
+// and makes all existing tasks of the change wait for it.
+func addHotplugSeqWaitTask(hotplugChange *state.Change, hotplugKey string) error {
+	st := hotplugChange.State()
+	seq, err := allocHotplugSeq(st)
+	if err != nil {
+		return fmt.Errorf("internal error: cannot allocate hotplug sequence number: %s", err)
+	}
+	setHotplugChangeAttrs(hotplugChange, seq, hotplugKey)
+	seqControl := st.NewTask("hotplug-seq-wait", fmt.Sprintf("Serialize hotplug change for hotplug key %q", hotplugKey))
+	tss := state.NewTaskSet(hotplugChange.Tasks()...)
+	tss.WaitFor(seqControl)
+	hotplugChange.AddTask(seqControl)
+	return nil
+}
+
+type HotplugSlotInfo struct {
+	Name        string                 `json:"name"`
+	Interface   string                 `json:"interface"`
+	StaticAttrs map[string]interface{} `json:"static-attrs,omitempty"`
+	HotplugKey  string                 `json:"hotplug-key"`
+}
+
+func getHotplugSlots(st *state.State) (map[string]*HotplugSlotInfo, error) {
+	var slots map[string]*HotplugSlotInfo
+	err := st.Get("hotplug-slots", &slots)
+	if err != nil {
+		if err != state.ErrNoState {
+			return nil, err
+		}
+		slots = make(map[string]*HotplugSlotInfo)
+	}
+	return slots, nil
+}
+
+func setHotplugSlots(st *state.State, slots map[string]*HotplugSlotInfo) {
+	st.Set("hotplug-slots", slots)
+}
+
+func findConnsForHotplugKey(conns map[string]*connState, ifaceName, hotplugKey string) []string {
+	var connsForDevice []string
+	for id, connSt := range conns {
+		if connSt.Interface != ifaceName || connSt.HotplugKey != hotplugKey {
+			continue
+		}
+		connsForDevice = append(connsForDevice, id)
+	}
+	sort.Strings(connsForDevice)
+	return connsForDevice
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/helpers_test.go snapd-2.37~rc1~14.04/overlord/ifacestate/helpers_test.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/helpers_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/helpers_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,525 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package ifacestate_test
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/ifacetest"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord"
+	"github.com/snapcore/snapd/overlord/ifacestate"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type helpersSuite struct {
+	st *state.State
+}
+
+var _ = Suite(&helpersSuite{})
+
+func (s *helpersSuite) SetUpTest(c *C) {
+	s.st = state.New(nil)
+	dirs.SetRootDir(c.MkDir())
+}
+
+func (s *helpersSuite) TearDownTest(c *C) {
+	dirs.SetRootDir("")
+}
+
+func (s *helpersSuite) TestIdentityMapper(c *C) {
+	var m ifacestate.SnapMapper = &ifacestate.IdentityMapper{}
+
+	// Nothing is altered.
+	c.Assert(m.RemapSnapFromState("example"), Equals, "example")
+	c.Assert(m.RemapSnapToState("example"), Equals, "example")
+	c.Assert(m.RemapSnapFromRequest("example"), Equals, "example")
+
+	c.Assert(m.SystemSnapName(), Equals, "unknown")
+}
+
+func (s *helpersSuite) TestCoreCoreSystemMapper(c *C) {
+	var m ifacestate.SnapMapper = &ifacestate.CoreCoreSystemMapper{}
+
+	// Snaps are not renamed when interacting with the state.
+	c.Assert(m.RemapSnapFromState("core"), Equals, "core")
+	c.Assert(m.RemapSnapToState("core"), Equals, "core")
+
+	// The "core" snap is renamed to the "system" in API response
+	// and back in the API requests.
+	c.Assert(m.RemapSnapFromRequest("system"), Equals, "core")
+
+	// Other snap names are unchanged.
+	c.Assert(m.RemapSnapFromState("potato"), Equals, "potato")
+	c.Assert(m.RemapSnapToState("potato"), Equals, "potato")
+	c.Assert(m.RemapSnapFromRequest("potato"), Equals, "potato")
+
+	c.Assert(m.SystemSnapName(), Equals, "core")
+}
+
+func (s *helpersSuite) TestCoreSnapdSystemMapper(c *C) {
+	var m ifacestate.SnapMapper = &ifacestate.CoreSnapdSystemMapper{}
+
+	// The "snapd" snap is renamed to the "core" in when saving the state
+	// and back when loading the state.
+	c.Assert(m.RemapSnapFromState("core"), Equals, "snapd")
+	c.Assert(m.RemapSnapToState("snapd"), Equals, "core")
+
+	// The "snapd" snap is renamed to the "system" in API response and back in
+	// the API requests.
+	c.Assert(m.RemapSnapFromRequest("system"), Equals, "snapd")
+
+	// The "core" snap is also renamed to "snapd" in API requests, for
+	// compatibility.
+	c.Assert(m.RemapSnapFromRequest("core"), Equals, "snapd")
+
+	// Other snap names are unchanged.
+	c.Assert(m.RemapSnapFromState("potato"), Equals, "potato")
+	c.Assert(m.RemapSnapToState("potato"), Equals, "potato")
+	c.Assert(m.RemapSnapFromRequest("potato"), Equals, "potato")
+
+	c.Assert(m.SystemSnapName(), Equals, "snapd")
+}
+
+// caseMapper implements SnapMapper to use upper case internally and lower case externally.
+type caseMapper struct{}
+
+func (m *caseMapper) RemapSnapFromState(snapName string) string {
+	return strings.ToUpper(snapName)
+}
+
+func (m *caseMapper) RemapSnapToState(snapName string) string {
+	return strings.ToLower(snapName)
+}
+
+func (m *caseMapper) RemapSnapFromRequest(snapName string) string {
+	return strings.ToUpper(snapName)
+}
+
+func (m *caseMapper) SystemSnapName() string {
+	return "unknown"
+}
+
+func (s *helpersSuite) TestMappingFunctions(c *C) {
+	restore := ifacestate.MockSnapMapper(&caseMapper{})
+	defer restore()
+
+	c.Assert(ifacestate.RemapSnapFromState("example"), Equals, "EXAMPLE")
+	c.Assert(ifacestate.RemapSnapToState("EXAMPLE"), Equals, "example")
+	c.Assert(ifacestate.RemapSnapFromRequest("example"), Equals, "EXAMPLE")
+	c.Assert(ifacestate.SystemSnapName(), Equals, "unknown")
+}
+
+func (s *helpersSuite) TestGetConns(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+	s.st.Set("conns", map[string]interface{}{
+		"app:network core:network": map[string]interface{}{
+			"auto":      true,
+			"interface": "network",
+			"slot-static": map[string]interface{}{
+				"number": int(78),
+			},
+		},
+	})
+
+	restore := ifacestate.MockSnapMapper(&caseMapper{})
+	defer restore()
+
+	conns, err := ifacestate.GetConns(s.st)
+	c.Assert(err, IsNil)
+	for id, connState := range conns {
+		c.Assert(id, Equals, "APP:network CORE:network")
+		c.Assert(connState.Auto, Equals, true)
+		c.Assert(connState.Interface, Equals, "network")
+		c.Assert(connState.StaticSlotAttrs["number"], Equals, int64(78))
+	}
+}
+
+func (s *helpersSuite) TestSetConns(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	restore := ifacestate.MockSnapMapper(&caseMapper{})
+	defer restore()
+
+	// This has upper-case data internally, see export_test.go
+	ifacestate.SetConns(s.st, ifacestate.UpperCaseConnState())
+	var conns map[string]interface{}
+	err := s.st.Get("conns", &conns)
+	c.Assert(err, IsNil)
+	c.Assert(conns, DeepEquals, map[string]interface{}{
+		"app:network core:network": map[string]interface{}{
+			"auto":      true,
+			"interface": "network",
+		}})
+}
+
+func (s *helpersSuite) TestHotplugTaskHelpers(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	t := s.st.NewTask("foo", "")
+	_, _, err := ifacestate.GetHotplugAttrs(t)
+	c.Assert(err, ErrorMatches, `internal error: cannot get interface name from hotplug task: no state entry for key`)
+
+	t.Set("interface", "x")
+	_, _, err = ifacestate.GetHotplugAttrs(t)
+	c.Assert(err, ErrorMatches, `internal error: cannot get hotplug key from hotplug task: no state entry for key`)
+
+	ifacestate.SetHotplugAttrs(t, "iface", "key")
+
+	var key, iface string
+	c.Assert(t.Get("hotplug-key", &key), IsNil)
+	c.Assert(key, Equals, "key")
+
+	c.Assert(t.Get("interface", &iface), IsNil)
+	c.Assert(iface, Equals, "iface")
+
+	iface, key, err = ifacestate.GetHotplugAttrs(t)
+	c.Assert(err, IsNil)
+	c.Assert(key, Equals, "key")
+	c.Assert(iface, Equals, "iface")
+}
+
+func (s *helpersSuite) TestHotplugSlotInfo(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	slots, err := ifacestate.GetHotplugSlots(s.st)
+	c.Assert(err, IsNil)
+	c.Assert(slots, HasLen, 0)
+
+	defs := map[string]*ifacestate.HotplugSlotInfo{}
+	defs["foo"] = &ifacestate.HotplugSlotInfo{
+		Name:        "foo",
+		Interface:   "iface",
+		StaticAttrs: map[string]interface{}{"attr": "value"},
+		HotplugKey:  "key",
+	}
+	ifacestate.SetHotplugSlots(s.st, defs)
+
+	var data map[string]interface{}
+	c.Assert(s.st.Get("hotplug-slots", &data), IsNil)
+	c.Assert(data, DeepEquals, map[string]interface{}{
+		"foo": map[string]interface{}{
+			"name":         "foo",
+			"interface":    "iface",
+			"static-attrs": map[string]interface{}{"attr": "value"},
+			"hotplug-key":  "key",
+		}})
+
+	slots, err = ifacestate.GetHotplugSlots(s.st)
+	c.Assert(err, IsNil)
+	c.Assert(slots, DeepEquals, defs)
+}
+
+func (s *helpersSuite) TestFindConnsForHotplugKey(c *C) {
+	st := s.st
+	st.Lock()
+	defer st.Unlock()
+
+	// Set conns in the state and get them via GetConns to avoid having to
+	// know the internals of connState struct.
+	st.Set("conns", map[string]interface{}{
+		"snap1:plug1 core:slot1": map[string]interface{}{
+			"interface":   "iface1",
+			"hotplug-key": "key1",
+		},
+		"snap1:plug2 core:slot2": map[string]interface{}{
+			"interface":   "iface2",
+			"hotplug-key": "key1",
+		},
+		"snap1:plug3 core:slot3": map[string]interface{}{
+			"interface":   "iface2",
+			"hotplug-key": "key2",
+		},
+		"snap2:plug1 core:slot1": map[string]interface{}{
+			"interface":   "iface2",
+			"hotplug-key": "key2",
+		},
+	})
+
+	conns, err := ifacestate.GetConns(st)
+	c.Assert(err, IsNil)
+
+	hotplugConns := ifacestate.FindConnsForHotplugKey(conns, "iface1", "key1")
+	c.Assert(hotplugConns, DeepEquals, []string{"snap1:plug1 core:slot1"})
+
+	hotplugConns = ifacestate.FindConnsForHotplugKey(conns, "iface2", "key2")
+	c.Assert(hotplugConns, DeepEquals, []string{"snap1:plug3 core:slot3", "snap2:plug1 core:slot1"})
+
+	hotplugConns = ifacestate.FindConnsForHotplugKey(conns, "unknown", "key1")
+	c.Assert(hotplugConns, HasLen, 0)
+}
+
+func (s *helpersSuite) TestCheckIsSystemSnapPresentWithCore(c *C) {
+	restore := ifacestate.MockSnapMapper(&ifacestate.CoreCoreSystemMapper{})
+	defer restore()
+
+	// no core snap yet
+	c.Assert(ifacestate.CheckSystemSnapIsPresent(s.st), Equals, false)
+
+	s.st.Lock()
+
+	// add "core" snap
+	sideInfo := &snap.SideInfo{Revision: snap.R(1)}
+	snapInfo := snaptest.MockSnapInstance(c, "", coreSnapYaml, sideInfo)
+	sideInfo.RealName = snapInfo.SnapName()
+
+	snapstate.Set(s.st, snapInfo.InstanceName(), &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{sideInfo},
+		Current:     sideInfo.Revision,
+		SnapType:    string(snapInfo.Type),
+		InstanceKey: snapInfo.InstanceKey,
+	})
+	s.st.Unlock()
+
+	c.Assert(ifacestate.CheckSystemSnapIsPresent(s.st), Equals, true)
+}
+
+var snapdYaml = `name: snapd
+version: 1.0
+`
+
+func (s *helpersSuite) TestCheckIsSystemSnapPresentWithSnapd(c *C) {
+	restore := ifacestate.MockSnapMapper(&ifacestate.CoreSnapdSystemMapper{})
+	defer restore()
+
+	// no snapd snap yet
+	c.Assert(ifacestate.CheckSystemSnapIsPresent(s.st), Equals, false)
+
+	s.st.Lock()
+
+	// "snapd" snap
+	sideInfo := &snap.SideInfo{Revision: snap.R(1)}
+	snapInfo := snaptest.MockSnapInstance(c, "", snapdYaml, sideInfo)
+	sideInfo.RealName = snapInfo.SnapName()
+
+	snapstate.Set(s.st, snapInfo.InstanceName(), &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{sideInfo},
+		Current:     sideInfo.Revision,
+		SnapType:    string(snapInfo.Type),
+		InstanceKey: snapInfo.InstanceKey,
+	})
+
+	inf, err := ifacestate.SystemSnapInfo(s.st)
+	c.Assert(err, IsNil)
+	c.Assert(inf.InstanceName(), Equals, "snapd")
+
+	s.st.Unlock()
+
+	c.Assert(ifacestate.CheckSystemSnapIsPresent(s.st), Equals, true)
+}
+
+// Check what happens with system-key when security profile regeneration fails.
+func (s *helpersSuite) TestSystemKeyAndFailingProfileRegeneration(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	defer dirs.SetRootDir("")
+
+	// Create a fake security backend with failing Setup method and mock all
+	// security backends away so that we only use this special one. Note that
+	// the backend is given a non-empty name as the interface manager skips
+	// test backends with empty name for convenience.
+	backend := &ifacetest.TestSecurityBackend{
+		BackendName: "BROKEN",
+		SetupCallback: func(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository) error {
+			return errors.New("cannot setup security profile")
+		},
+	}
+	restore := ifacestate.MockSecurityBackends([]interfaces.SecurityBackend{backend})
+	defer restore()
+
+	// Create a mock overlord, mainly to have state.
+	ovld := overlord.Mock()
+	st := ovld.State()
+
+	// Put a fake snap in the state, we need to setup security for at least one
+	// snap to give the fake security backend a chance to fail.
+	yamlText := `
+name: test-snapd-canary
+version: 1
+apps:
+  test-snapd-canary:
+    command: bin/canary
+`
+	si := &snap.SideInfo{Revision: snap.R(1), RealName: "test-snapd-canary"}
+	snapInfo := snaptest.MockSnap(c, yamlText, si)
+	st.Lock()
+	snapst := &snapstate.SnapState{
+		SnapType: string(snap.TypeApp),
+		Sequence: []*snap.SideInfo{si},
+		Active:   true,
+		Current:  snap.R(1),
+	}
+	snapstate.Set(st, snapInfo.InstanceName(), snapst)
+	st.Unlock()
+
+	// Pretend that security profiles are out of date and mock the
+	// function that writes the new system key with one always panics.
+	restore = ifacestate.MockProfilesNeedRegeneration(func() bool { return true })
+	defer restore()
+	restore = ifacestate.MockWriteSystemKey(func() error { panic("should not attempt to write system key") })
+	defer restore()
+	// Put a fake system key in place, we just want to see that file being removed.
+	err := os.MkdirAll(filepath.Dir(dirs.SnapSystemKeyFile), 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(dirs.SnapSystemKeyFile, []byte("system-key"), 0755)
+	c.Assert(err, IsNil)
+
+	// Put up a fake logger to capture logged messages.
+	log, restore := logger.MockLogger()
+	defer restore()
+
+	// Construct the interface manager.
+	_, err = ifacestate.Manager(st, nil, ovld.TaskRunner(), nil, nil)
+	c.Assert(err, IsNil)
+
+	// Check that system key is not on disk.
+	c.Check(log.String(), testutil.Contains, `cannot regenerate BROKEN profile for snap "test-snapd-canary": cannot setup security profile`)
+	c.Check(osutil.FileExists(dirs.SnapSystemKeyFile), Equals, false)
+}
+
+func (s *helpersSuite) TestIsHotplugChange(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	chg := s.st.NewChange("foo", "")
+	c.Assert(ifacestate.IsHotplugChange(chg), Equals, false)
+
+	chg = s.st.NewChange("hotplugfoo", "")
+	c.Assert(ifacestate.IsHotplugChange(chg), Equals, false)
+
+	chg = s.st.NewChange("hotplug-foo", "")
+	c.Assert(ifacestate.IsHotplugChange(chg), Equals, true)
+}
+
+func (s *helpersSuite) TestGetHotplugChangeAttrs(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	chg := s.st.NewChange("none-set", "")
+	_, _, err := ifacestate.GetHotplugChangeAttrs(chg)
+	c.Assert(err, ErrorMatches, `internal error: hotplug-key not set on change "none-set"`)
+
+	chg = s.st.NewChange("foo", "")
+	chg.Set("hotplug-seq", 1)
+	_, _, err = ifacestate.GetHotplugChangeAttrs(chg)
+	c.Assert(err, ErrorMatches, `internal error: hotplug-key not set on change "foo"`)
+
+	chg = s.st.NewChange("bar", "")
+	chg.Set("hotplug-key", "2222")
+	_, _, err = ifacestate.GetHotplugChangeAttrs(chg)
+	c.Assert(err, ErrorMatches, `internal error: hotplug-seq not set on change "bar"`)
+
+	chg = s.st.NewChange("baz", "")
+	chg.Set("hotplug-key", "1234")
+	chg.Set("hotplug-seq", 7)
+
+	seq, key, err := ifacestate.GetHotplugChangeAttrs(chg)
+	c.Assert(err, IsNil)
+	c.Check(key, Equals, "1234")
+	c.Check(seq, Equals, 7)
+}
+
+func (s *helpersSuite) TestSetHotplugChangeAttrs(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	chg := s.st.NewChange("foo", "")
+	ifacestate.SetHotplugChangeAttrs(chg, 12, "abcd")
+
+	var seq int
+	var hotplugKey string
+	c.Assert(chg.Get("hotplug-seq", &seq), IsNil)
+	c.Assert(chg.Get("hotplug-key", &hotplugKey), IsNil)
+	c.Check(seq, Equals, 12)
+	c.Check(hotplugKey, Equals, "abcd")
+}
+
+func (s *helpersSuite) TestAllocHotplugSeq(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	var stateSeq int
+
+	// sanity
+	c.Assert(s.st.Get("hotplug-seq", &stateSeq), Equals, state.ErrNoState)
+
+	seq, err := ifacestate.AllocHotplugSeq(s.st)
+	c.Assert(err, IsNil)
+	c.Assert(seq, Equals, 1)
+
+	seq, err = ifacestate.AllocHotplugSeq(s.st)
+	c.Assert(err, IsNil)
+	c.Assert(seq, Equals, 2)
+
+	c.Assert(s.st.Get("hotplug-seq", &stateSeq), IsNil)
+	c.Check(stateSeq, Equals, 2)
+}
+
+func (s *helpersSuite) TestAddHotplugSeqWaitTask(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	chg := s.st.NewChange("foo", "")
+	t1 := s.st.NewTask("task1", "")
+	t2 := s.st.NewTask("task2", "")
+	chg.AddTask(t1)
+	chg.AddTask(t2)
+
+	c.Assert(ifacestate.AddHotplugSeqWaitTask(chg, "1234"), IsNil)
+	// hotplug change got an extra task
+	c.Assert(chg.Tasks(), HasLen, 3)
+	seq, key, err := ifacestate.GetHotplugChangeAttrs(chg)
+	c.Assert(err, IsNil)
+	c.Check(seq, Equals, 1)
+	c.Check(key, Equals, "1234")
+
+	var seqTask *state.Task
+	for _, t := range chg.Tasks() {
+		if t.Kind() == "hotplug-seq-wait" {
+			seqTask = t
+			break
+		}
+	}
+	c.Assert(seqTask, NotNil)
+
+	// existing tasks wait for the hotplug-seq-wait task
+	c.Assert(t1.WaitTasks(), HasLen, 1)
+	c.Assert(t1.WaitTasks()[0].ID(), Equals, seqTask.ID())
+	c.Assert(t2.WaitTasks(), HasLen, 1)
+	c.Assert(t2.WaitTasks()[0].ID(), Equals, seqTask.ID())
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/hooks.go snapd-2.37~rc1~14.04/overlord/ifacestate/hooks.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/hooks.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/hooks.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,50 +25,34 @@
 	"github.com/snapcore/snapd/overlord/hookstate"
 )
 
-type prepareHandler struct {
+type interfaceHookHandler struct {
 	context *hookstate.Context
 }
 
-type connectHandler struct {
-	context *hookstate.Context
-}
-
-func (h *prepareHandler) Before() error {
-	return nil
-}
-
-func (h *prepareHandler) Done() error {
-	return nil
-}
-
-func (h *prepareHandler) Error(err error) error {
+func (h *interfaceHookHandler) Before() error {
 	return nil
 }
 
-func (h *connectHandler) Before() error {
+func (h *interfaceHookHandler) Done() error {
 	return nil
 }
 
-func (h *connectHandler) Done() error {
-	return nil
-}
-
-func (h *connectHandler) Error(err error) error {
+func (h *interfaceHookHandler) Error(err error) error {
 	return nil
 }
 
 // setupHooks sets hooks of InterfaceManager up
 func setupHooks(hookMgr *hookstate.HookManager) {
-	prepareGenerator := func(context *hookstate.Context) hookstate.Handler {
-		return &prepareHandler{context: context}
-	}
-
-	connectGenerator := func(context *hookstate.Context) hookstate.Handler {
-		return &connectHandler{context: context}
+	gen := func(context *hookstate.Context) hookstate.Handler {
+		return &interfaceHookHandler{context: context}
 	}
 
-	hookMgr.Register(regexp.MustCompile("^prepare-plug-[-a-z0-9]+$"), prepareGenerator)
-	hookMgr.Register(regexp.MustCompile("^prepare-slot-[-a-z0-9]+$"), prepareGenerator)
-	hookMgr.Register(regexp.MustCompile("^connect-plug-[-a-z0-9]+$"), connectGenerator)
-	hookMgr.Register(regexp.MustCompile("^connect-slot-[-a-z0-9]+$"), connectGenerator)
+	hookMgr.Register(regexp.MustCompile("^prepare-plug-[-a-z0-9]+$"), gen)
+	hookMgr.Register(regexp.MustCompile("^prepare-slot-[-a-z0-9]+$"), gen)
+	hookMgr.Register(regexp.MustCompile("^unprepare-plug-[-a-z0-9]+$"), gen)
+	hookMgr.Register(regexp.MustCompile("^unprepare-slot-[-a-z0-9]+$"), gen)
+	hookMgr.Register(regexp.MustCompile("^connect-plug-[-a-z0-9]+$"), gen)
+	hookMgr.Register(regexp.MustCompile("^connect-slot-[-a-z0-9]+$"), gen)
+	hookMgr.Register(regexp.MustCompile("^disconnect-plug-[-a-z0-9]+$"), gen)
+	hookMgr.Register(regexp.MustCompile("^disconnect-slot-[-a-z0-9]+$"), gen)
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/hotplug.go snapd-2.37~rc1~14.04/overlord/ifacestate/hotplug.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/hotplug.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/hotplug.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,210 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package ifacestate
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"strconv"
+	"strings"
+	"unicode"
+
+	"github.com/snapcore/snapd/interfaces/hotplug"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+// List of attributes that determine the computation of default device key.
+// Attributes are grouped by similarity, the first non-empty attribute within the group goes into the key.
+// The final key is composed of 4 attributes (some of which may be empty), separated by "/".
+// Warning, any future changes to these definitions require a new key version.
+var attrGroups = [][][]string{
+	// key version 0
+	{
+		// Name
+		{"ID_V4L_PRODUCT", "NAME", "ID_NET_NAME", "PCI_SLOT_NAME"},
+		// Vendor
+		{"ID_VENDOR_ID", "ID_VENDOR", "ID_WWN", "ID_WWN_WITH_EXTENSION", "ID_VENDOR_FROM_DATABASE", "ID_VENDOR_ENC", "ID_OUI_FROM_DATABASE"},
+		// Model
+		{"ID_MODEL_ID", "ID_MODEL_ENC"},
+		// Identifier
+		{"ID_SERIAL", "ID_SERIAL_SHORT", "ID_NET_NAME_MAC", "ID_REVISION"},
+	},
+}
+
+// deviceKeyVersion is the current version number for the default keys computed by hotplug subsystem.
+// Fresh device keys always use current version format
+var deviceKeyVersion = len(attrGroups) - 1
+
+// defaultDeviceKey computes device key from the attributes of
+// HotplugDeviceInfo. Empty string is returned if too few attributes are present
+// to compute a good key. Attributes used to compute device key are defined in
+// attrGroups list above and they depend on the keyVersion passed to the
+// function.
+// The resulting key returned by the function has the following format:
+// <version><checksum> where checksum is the sha256 checksum computed over
+// select attributes of the device.
+func defaultDeviceKey(devinfo *hotplug.HotplugDeviceInfo, keyVersion int) (string, error) {
+	found := 0
+	key := sha256.New()
+	if keyVersion >= 16 || keyVersion >= len(attrGroups) {
+		return "", fmt.Errorf("internal error: invalid key version %d", keyVersion)
+	}
+	for _, group := range attrGroups[keyVersion] {
+		for _, attr := range group {
+			if val, ok := devinfo.Attribute(attr); ok && val != "" {
+				key.Write([]byte(attr))
+				key.Write([]byte{0})
+				key.Write([]byte(val))
+				key.Write([]byte{0})
+				found++
+				break
+			}
+		}
+	}
+	if found < 2 {
+		return "", nil
+	}
+	return fmt.Sprintf("%x%x", keyVersion, key.Sum(nil)), nil
+}
+
+// hotplugDeviceAdded gets called when a device is added to the system.
+func (m *InterfaceManager) hotplugDeviceAdded(devinfo *hotplug.HotplugDeviceInfo) {
+}
+
+// hotplugDeviceRemoved gets called when a device is removed from the system.
+func (m *InterfaceManager) hotplugDeviceRemoved(devinfo *hotplug.HotplugDeviceInfo) {
+}
+
+// hotplugEnumerationDone gets called when initial enumeration on startup is finished.
+func (m *InterfaceManager) hotplugEnumerationDone() {
+}
+
+// ensureUniqueName modifies proposedName so that it's unique according to isUnique predicate.
+// Uniqueness is achieved by appending a numeric suffix, or increasing existing suffix.
+func ensureUniqueName(proposedName string, isUnique func(string) bool) string {
+	// if the name is unique right away, do nothing
+	if isUnique(proposedName) {
+		return proposedName
+	}
+
+	suffixNumValue := 0
+	prefix := strings.TrimRightFunc(proposedName, unicode.IsDigit)
+	if prefix != proposedName {
+		suffixNumValue, _ = strconv.Atoi(proposedName[len(prefix):])
+	}
+
+	// increase suffix value until we have a unique name
+	for {
+		suffixNumValue++
+		proposedName = fmt.Sprintf("%s%d", prefix, suffixNumValue)
+		if isUnique(proposedName) {
+			return proposedName
+		}
+	}
+}
+
+const maxGenerateSlotNameLen = 20
+
+// makeSlotName sanitizes a string to make it a valid slot name that
+// passes validation rules implemented by ValidateSlotName (see snap/validate.go):
+// - only lowercase letter, digits and dashes are allowed
+// - must start with a letter
+// - no double dashes, cannot end with a dash.
+// In addition names are truncated not to exceed maxGenerateSlotNameLen characters.
+func makeSlotName(s string) string {
+	var out []rune
+	// the dash flag is used to prevent consecutive dashes, and the dash in the front
+	dash := true
+	for _, c := range s {
+		switch {
+		case c == '-' && !dash:
+			dash = true
+			out = append(out, '-')
+		case unicode.IsLetter(c):
+			out = append(out, unicode.ToLower(c))
+			dash = false
+		case unicode.IsDigit(c) && len(out) > 0:
+			out = append(out, c)
+			dash = false
+		default:
+			// any other character is ignored
+		}
+		if len(out) >= maxGenerateSlotNameLen {
+			break
+		}
+	}
+	// make sure the name doesn't end with a dash
+	return strings.TrimRight(string(out), "-")
+}
+
+var nameAttrs = []string{"NAME", "ID_MODEL_FROM_DATABASE", "ID_MODEL"}
+
+// suggestedSlotName returns the shortest name derived from attributes defined
+// by nameAttrs, or the fallbackName if there is no known attribute to derive
+// name from. The name created from attributes is sanitized to ensure it's a
+// valid slot name. The fallbackName is typically the name of the interface.
+func suggestedSlotName(devinfo *hotplug.HotplugDeviceInfo, fallbackName string) string {
+	var shortestName string
+	for _, attr := range nameAttrs {
+		name, ok := devinfo.Attribute(attr)
+		if ok {
+			if name := makeSlotName(name); name != "" {
+				if shortestName == "" || len(name) < len(shortestName) {
+					shortestName = name
+				}
+			}
+		}
+	}
+	if len(shortestName) == 0 {
+		return fallbackName
+	}
+	return shortestName
+}
+
+// updateDevice creates tasks to disconnect slots of given device, update the slot in the repository, then connect it back.
+func updateDevice(st *state.State, ifaceName, hotplugKey string, newAttrs map[string]interface{}) *state.TaskSet {
+	hotplugDisconnect := st.NewTask("hotplug-disconnect", fmt.Sprintf("Disable connections of interface %s, hotplug key %q", ifaceName, hotplugKey))
+	setHotplugAttrs(hotplugDisconnect, ifaceName, hotplugKey)
+
+	updateSlot := st.NewTask("hotplug-update-slot", fmt.Sprintf("Update slot of interface %s, hotplug key %q", ifaceName, hotplugKey))
+	setHotplugAttrs(updateSlot, ifaceName, hotplugKey)
+	updateSlot.Set("slot-attrs", newAttrs)
+	updateSlot.WaitFor(hotplugDisconnect)
+
+	hotplugConnect := st.NewTask("hotplug-connect", fmt.Sprintf("Recreate connections of interface %s, hotplug key %q", ifaceName, hotplugKey))
+	setHotplugAttrs(hotplugConnect, ifaceName, hotplugKey)
+	hotplugConnect.WaitFor(updateSlot)
+
+	return state.NewTaskSet(hotplugDisconnect, updateSlot, hotplugConnect)
+}
+
+// removeDevice creates tasks to disconnect slots of given device and remove affected slots.
+func removeDevice(st *state.State, ifaceName, hotplugKey string) *state.TaskSet {
+	// hotplug-disconnect task will create hooks and disconnect the slot
+	hotplugDisconnect := st.NewTask("hotplug-disconnect", fmt.Sprintf("Disable connections of interface %s, hotplug key %q", ifaceName, hotplugKey))
+	setHotplugAttrs(hotplugDisconnect, ifaceName, hotplugKey)
+
+	// hotplug-remove-slot will remove this device's slot from the repository.
+	removeSlot := st.NewTask("hotplug-remove-slot", fmt.Sprintf("Remove slot for interface %s, hotplug key %q", ifaceName, hotplugKey))
+	setHotplugAttrs(removeSlot, ifaceName, hotplugKey)
+	removeSlot.WaitFor(hotplugDisconnect)
+
+	return state.NewTaskSet(hotplugDisconnect, removeSlot)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/hotplug_test.go snapd-2.37~rc1~14.04/overlord/ifacestate/hotplug_test.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/hotplug_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/hotplug_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,394 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package ifacestate_test
+
+import (
+	"crypto/sha256"
+	"fmt"
+
+	"github.com/snapcore/snapd/interfaces/hotplug"
+	"github.com/snapcore/snapd/overlord/ifacestate"
+	"github.com/snapcore/snapd/overlord/state"
+
+	. "gopkg.in/check.v1"
+)
+
+type hotplugSuite struct{}
+
+var _ = Suite(&hotplugSuite{})
+
+func keyHelper(input string) string {
+	return fmt.Sprintf("0%x", sha256.Sum256([]byte(input)))
+}
+
+func (s *hotplugSuite) TestDefaultDeviceKey(c *C) {
+	di, err := hotplug.NewHotplugDeviceInfo(map[string]string{
+		"DEVPATH":        "a/path",
+		"ACTION":         "add",
+		"SUBSYSTEM":      "foo",
+		"ID_V4L_PRODUCT": "v4lproduct",
+		"NAME":           "name",
+		"ID_VENDOR_ID":   "vendor",
+		"ID_MODEL_ID":    "model",
+		"ID_SERIAL":      "serial",
+		"ID_REVISION":    "revision",
+	})
+	c.Assert(err, IsNil)
+	key, err := ifacestate.DefaultDeviceKey(di, 0)
+	c.Assert(err, IsNil)
+
+	// sanity check
+	c.Check(key, HasLen, 65)
+	c.Check(key, Equals, "08bcbdcda3fee3534c0288506d9b75d4e26fe3692a36a11e75d05eac9ebf5ca7d")
+	c.Assert(key, Equals, keyHelper("ID_V4L_PRODUCT\x00v4lproduct\x00ID_VENDOR_ID\x00vendor\x00ID_MODEL_ID\x00model\x00ID_SERIAL\x00serial\x00"))
+
+	di, err = hotplug.NewHotplugDeviceInfo(map[string]string{
+		"DEVPATH":      "a/path",
+		"ACTION":       "add",
+		"SUBSYSTEM":    "foo",
+		"NAME":         "name",
+		"ID_WWN":       "wnn",
+		"ID_MODEL_ENC": "modelenc",
+		"ID_REVISION":  "revision",
+	})
+	c.Assert(err, IsNil)
+	key, err = ifacestate.DefaultDeviceKey(di, 0)
+	c.Assert(err, IsNil)
+	c.Assert(key, Equals, keyHelper("NAME\x00name\x00ID_WWN\x00wnn\x00ID_MODEL_ENC\x00modelenc\x00ID_REVISION\x00revision\x00"))
+
+	di, err = hotplug.NewHotplugDeviceInfo(map[string]string{
+		"DEVPATH":       "a/path",
+		"ACTION":        "add",
+		"SUBSYSTEM":     "foo",
+		"PCI_SLOT_NAME": "pcislot",
+		"ID_MODEL_ENC":  "modelenc",
+	})
+	c.Assert(err, IsNil)
+	key, err = ifacestate.DefaultDeviceKey(di, 0)
+	c.Assert(key, Equals, keyHelper("PCI_SLOT_NAME\x00pcislot\x00ID_MODEL_ENC\x00modelenc\x00"))
+	c.Assert(err, IsNil)
+
+	// real device #1 - Lime SDR device
+	di, err = hotplug.NewHotplugDeviceInfo(map[string]string{
+		"DEVNAME":                 "/dev/bus/usb/002/002",
+		"DEVNUM":                  "002",
+		"DEVPATH":                 "/devices/pci0000:00/0000:00:14.0/usb2/2-3",
+		"DEVTYPE":                 "usb_device",
+		"DRIVER":                  "usb",
+		"ID_BUS":                  "usb",
+		"ID_MODEL":                "LimeSDR-USB",
+		"ID_MODEL_ENC":            "LimeSDR-USB",
+		"ID_MODEL_FROM_DATABASE":  "Myriad-RF LimeSDR",
+		"ID_MODEL_ID":             "6108",
+		"ID_REVISION":             "0000",
+		"ID_SERIAL":               "Myriad-RF_LimeSDR-USB_0009060B00492E2C",
+		"ID_SERIAL_SHORT":         "0009060B00492E2C",
+		"ID_USB_INTERFACES":       ":ff0000:",
+		"ID_VENDOR":               "Myriad-RF",
+		"ID_VENDOR_ENC":           "Myriad-RF",
+		"ID_VENDOR_FROM_DATABASE": "OpenMoko, Inc.",
+		"ID_VENDOR_ID":            "1d50",
+		"MAJOR":                   "189",
+		"MINOR":                   "129",
+		"PRODUCT":                 "1d50/6108/0",
+		"SUBSYSTEM":               "usb",
+		"TYPE":                    "0/0/0",
+		"USEC_INITIALIZED":        "6125378086 ",
+	})
+	c.Assert(err, IsNil)
+	key, err = ifacestate.DefaultDeviceKey(di, 0)
+	c.Assert(err, IsNil)
+	c.Assert(key, Equals, keyHelper("ID_VENDOR_ID\x001d50\x00ID_MODEL_ID\x006108\x00ID_SERIAL\x00Myriad-RF_LimeSDR-USB_0009060B00492E2C\x00"))
+
+	// real device #2 - usb-serial port adapter
+	di, err = hotplug.NewHotplugDeviceInfo(map[string]string{
+		"DEVLINKS":                       "/dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH06W0EQ-if00-port0 /dev/serial/by-path/pci-0000:00:14.0-usb-0:2:1.0-port0",
+		"DEVNAME":                        "/dev/ttyUSB0",
+		"DEVPATH":                        "/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/ttyUSB0/tty/ttyUSB0",
+		"ID_BUS":                         "usb",
+		"ID_MM_CANDIDATE":                "1",
+		"ID_MODEL_ENC":                   "FT232R\x20USB\x20UART",
+		"MODEL_FROM_DATABASE":            "FT232 Serial (UART) IC",
+		"ID_MODEL_ID":                    "6001",
+		"ID_PATH":                        "pci-0000:00:14.0-usb-0:2:1.0",
+		"ID_PATH_TAG":                    "pci-0000_00_14_0-usb-0_2_1_0",
+		"ID_PCI_CLASS_FROM_DATABASE":     "Serial bus controller",
+		"ID_PCI_INTERFACE_FROM_DATABASE": "XHCI",
+		"ID_PCI_SUBCLASS_FROM_DATABASE":  "USB controller",
+		"ID_REVISION":                    "0600",
+		"ID_SERIAL":                      "FTDI_FT232R_USB_UART_AH06W0EQ",
+		"ID_SERIAL_SHORT":                "AH06W0EQ",
+		"ID_TYPE":                        "generic",
+		"ID_USB_DRIVER":                  "ftdi_sio",
+		"ID_USB_INTERFACES":              ":ffffff:",
+		"ID_USB_INTERFACE_NUM":           "00",
+		"ID_VENDOR":                      "FTDI",
+		"ID_VENDOR_ENC":                  "FTDI",
+		"ID_VENDOR_FROM_DATABASE":        "Future Technology Devices International, Ltd",
+		"ID_VENDOR_ID":                   "0403",
+		"MAJOR":                          "188",
+		"MINOR":                          "0",
+		"SUBSYSTEM":                      "tty",
+		"TAGS":                           ":systemd:",
+		"USEC_INITIALIZED":               "6571662103",
+	})
+	c.Assert(err, IsNil)
+	key, err = ifacestate.DefaultDeviceKey(di, 0)
+	c.Assert(err, IsNil)
+	c.Assert(key, Equals, keyHelper("ID_VENDOR_ID\x000403\x00ID_MODEL_ID\x006001\x00ID_SERIAL\x00FTDI_FT232R_USB_UART_AH06W0EQ\x00"))
+
+	// real device #3 - integrated web camera
+	di, err = hotplug.NewHotplugDeviceInfo(map[string]string{
+		"COLORD_DEVICE":        "1",
+		"COLORD_KIND":          "camera",
+		"DEVLINKS":             "/dev/v4l/by-path/pci-0000:00:14.0-usb-0:11:1.0-video-index0 /dev/v4l/by-id/usb-CN0J8NNP7248766FA3H3A01_Integrated_Webcam_HD_200901010001-video-index0",
+		"DEVNAME":              "/dev/video0",
+		"DEVPATH":              "/devices/pci0000:00/0000:00:14.0/usb1/1-11/1-11:1.0/video4linux/video0",
+		"ID_BUS":               "usb",
+		"ID_FOR_SEAT":          "video4linux-pci-0000_00_14_0-usb-0_11_1_0",
+		"ID_MODEL":             "Integrated_Webcam_HD",
+		"ID_MODEL_ENC":         "Integrated_Webcam_HD",
+		"ID_MODEL_ID":          "57c3",
+		"ID_PATH":              "pci-0000:00:14.0-usb-0:11:1.0",
+		"ID_PATH_TAG":          "pci-0000_00_14_0-usb-0_11_1_0",
+		"ID_REVISION":          "5806",
+		"ID_SERIAL":            "CN0J8NNP7248766FA3H3A01_Integrated_Webcam_HD_200901010001",
+		"ID_SERIAL_SHORT":      "200901010001",
+		"ID_TYPE":              "video",
+		"ID_USB_DRIVER":        "uvcvideo",
+		"ID_USB_INTERFACES":    ":0e0100:0e0200:",
+		"ID_USB_INTERFACE_NUM": "00",
+		"ID_V4L_CAPABILITIES":  ":capture:",
+		"ID_V4L_PRODUCT":       "Integrated_Webcam_HD: Integrate",
+		"ID_V4L_VERSION":       "2",
+		"ID_VENDOR":            "CN0J8NNP7248766FA3H3A01",
+		"ID_VENDOR_ENC":        "CN0J8NNP7248766FA3H3A01",
+		"ID_VENDOR_ID":         "0bda",
+		"MAJOR":                "81",
+		"MINOR":                "0",
+		"SUBSYSTEM":            "video4linux",
+		"TAGS":                 ":uaccess:seat:",
+		"USEC_INITIALIZED":     "3411321",
+	})
+	c.Assert(err, IsNil)
+	key, err = ifacestate.DefaultDeviceKey(di, 0)
+	c.Assert(err, IsNil)
+	c.Assert(key, Equals, keyHelper("ID_V4L_PRODUCT\x00Integrated_Webcam_HD: Integrate\x00ID_VENDOR_ID\x000bda\x00ID_MODEL_ID\x0057c3\x00ID_SERIAL\x00CN0J8NNP7248766FA3H3A01_Integrated_Webcam_HD_200901010001\x00"))
+
+	// key cannot be computed - empty string
+	di, err = hotplug.NewHotplugDeviceInfo(map[string]string{
+		"DEVPATH":   "a/path",
+		"ACTION":    "add",
+		"SUBSYSTEM": "foo",
+	})
+	c.Assert(err, IsNil)
+	key, err = ifacestate.DefaultDeviceKey(di, 0)
+	c.Assert(err, IsNil)
+	c.Assert(key, Equals, "")
+}
+
+func (s *hotplugSuite) TestDefaultDeviceKeyError(c *C) {
+	di, err := hotplug.NewHotplugDeviceInfo(map[string]string{
+		"DEVPATH":      "a/path",
+		"ACTION":       "add",
+		"SUBSYSTEM":    "foo",
+		"NAME":         "name",
+		"ID_VENDOR_ID": "vendor",
+		"ID_MODEL_ID":  "model",
+		"ID_SERIAL":    "serial",
+	})
+	c.Assert(err, IsNil)
+	_, err = ifacestate.DefaultDeviceKey(di, 16)
+	c.Assert(err, ErrorMatches, "internal error: invalid key version 16")
+}
+
+func (s *hotplugSuite) TestEnsureUniqueName(c *C) {
+	fakeRepositoryLookup := func(n string) bool {
+		reserved := map[string]bool{
+			"slot1":    true,
+			"slot":     true,
+			"slot1234": true,
+			"slot-1":   true,
+			"slot-2":   true,
+			"slot3-5":  true,
+			"slot3-6":  true,
+			"11":       true,
+			"12foo":    true,
+			"slot-99":  true,
+		}
+		return !reserved[n]
+	}
+
+	names := []struct{ proposedName, resultingName string }{
+		{"foo", "foo"},
+		{"slot", "slot2"},
+		{"slot1", "slot2"},
+		{"slot1234", "slot1235"},
+		{"slot-1", "slot-3"},
+		{"slot3-5", "slot3-7"},
+		{"slot3-1", "slot3-1"},
+		{"11", "12"},
+		{"12foo", "12foo1"},
+		{"slot-99", "slot-100"},
+	}
+
+	for _, name := range names {
+		c.Assert(ifacestate.EnsureUniqueName(name.proposedName, fakeRepositoryLookup), Equals, name.resultingName)
+	}
+}
+
+func (s *hotplugSuite) TestMakeSlotName(c *C) {
+	names := []struct{ proposedName, resultingName string }{
+		{"", ""},
+		{"-", ""},
+		{"slot1", "slot1"},
+		{"-slot1", "slot1"},
+		{"a--slot-1", "a-slot-1"},
+		{"(-slot", "slot"},
+		{"(--slot", "slot"},
+		{"slot-", "slot"},
+		{"slot---", "slot"},
+		{"slot-(", "slot"},
+		{"Integrated_Webcam_HD", "integratedwebcamhd"},
+		{"Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers", "xeone3-1200v5e3-1500"},
+	}
+	for _, name := range names {
+		c.Assert(ifacestate.MakeSlotName(name.proposedName), Equals, name.resultingName)
+	}
+}
+
+func (s *hotplugSuite) TestSuggestedSlotName(c *C) {
+
+	events := []struct {
+		eventData map[string]string
+		outName   string
+	}{{
+		map[string]string{
+			"DEVPATH":                "a/path",
+			"ACTION":                 "add",
+			"SUBSYSTEM":              "foo",
+			"NAME":                   "Name",
+			"ID_MODEL":               "Longer Name",
+			"ID_MODEL_FROM_DATABASE": "Longest Name",
+		},
+		"name",
+	}, {
+		map[string]string{
+			"DEVPATH":                "a/path",
+			"ACTION":                 "add",
+			"SUBSYSTEM":              "foo",
+			"ID_MODEL":               "Longer Name",
+			"ID_MODEL_FROM_DATABASE": "Longest Name",
+		},
+		"longername",
+	}, {
+		map[string]string{
+			"DEVPATH":                "a/path",
+			"ACTION":                 "add",
+			"SUBSYSTEM":              "foo",
+			"ID_MODEL_FROM_DATABASE": "Longest Name",
+		},
+		"longestname",
+	}, {
+		map[string]string{
+			"DEVPATH":   "a/path",
+			"ACTION":    "add",
+			"SUBSYSTEM": "foo",
+		},
+		"fallbackname",
+	},
+	}
+
+	for _, data := range events {
+		di, err := hotplug.NewHotplugDeviceInfo(data.eventData)
+		c.Assert(err, IsNil)
+
+		slotName := ifacestate.SuggestedSlotName(di, "fallbackname")
+		c.Assert(slotName, Equals, data.outName)
+	}
+}
+
+func (s *hotplugSuite) TestUpdateDeviceTasks(c *C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	tss := ifacestate.UpdateDevice(st, "interface", "key", map[string]interface{}{"attr": "value"})
+	c.Assert(tss, NotNil)
+	c.Assert(tss.Tasks(), HasLen, 3)
+
+	task1 := tss.Tasks()[0]
+	c.Assert(task1.Kind(), Equals, "hotplug-disconnect")
+
+	iface, key, err := ifacestate.GetHotplugAttrs(task1)
+	c.Assert(err, IsNil)
+	c.Assert(iface, Equals, "interface")
+	c.Assert(key, Equals, "key")
+
+	task2 := tss.Tasks()[1]
+	c.Assert(task2.Kind(), Equals, "hotplug-update-slot")
+	iface, key, err = ifacestate.GetHotplugAttrs(task2)
+	c.Assert(err, IsNil)
+	c.Assert(iface, Equals, "interface")
+	c.Assert(key, Equals, "key")
+	var attrs map[string]interface{}
+	c.Assert(task2.Get("slot-attrs", &attrs), IsNil)
+	c.Assert(attrs, DeepEquals, map[string]interface{}{"attr": "value"})
+
+	wt := task2.WaitTasks()
+	c.Assert(wt, HasLen, 1)
+	c.Assert(wt[0], DeepEquals, task1)
+
+	task3 := tss.Tasks()[2]
+	c.Assert(task3.Kind(), Equals, "hotplug-connect")
+
+	wt = task3.WaitTasks()
+	c.Assert(wt, HasLen, 1)
+	c.Assert(wt[0], DeepEquals, task2)
+}
+
+func (s *hotplugSuite) TestRemoveDeviceTasks(c *C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	tss := ifacestate.RemoveDevice(st, "interface", "key")
+	c.Assert(tss, NotNil)
+	c.Assert(tss.Tasks(), HasLen, 2)
+
+	task1 := tss.Tasks()[0]
+	c.Assert(task1.Kind(), Equals, "hotplug-disconnect")
+
+	iface, key, err := ifacestate.GetHotplugAttrs(task1)
+	c.Assert(err, IsNil)
+	c.Assert(iface, Equals, "interface")
+	c.Assert(key, Equals, "key")
+
+	task2 := tss.Tasks()[1]
+	c.Assert(task2.Kind(), Equals, "hotplug-remove-slot")
+	iface, key, err = ifacestate.GetHotplugAttrs(task2)
+	c.Assert(err, IsNil)
+	c.Assert(iface, Equals, "interface")
+	c.Assert(key, Equals, "key")
+
+	wt := task2.WaitTasks()
+	c.Assert(wt, HasLen, 1)
+	c.Assert(wt[0], DeepEquals, task1)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/ifacemgr.go snapd-2.37~rc1~14.04/overlord/ifacestate/ifacemgr.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/ifacemgr.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/ifacemgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,10 +20,14 @@
 package ifacestate
 
 import (
+	"time"
+
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/backends"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/ifacestate/ifacerepo"
+	"github.com/snapcore/snapd/overlord/ifacestate/udevmonitor"
 	"github.com/snapcore/snapd/overlord/state"
 )
 
@@ -31,14 +35,17 @@
 // the system state.  It maintains interface connections, and also observes
 // installed snaps to track the current set of available plugs and slots.
 type InterfaceManager struct {
-	state  *state.State
-	runner *state.TaskRunner
-	repo   *interfaces.Repository
+	state *state.State
+	repo  *interfaces.Repository
+
+	udevMon             udevmonitor.Interface
+	udevRetryTimeout    time.Time
+	udevMonitorDisabled bool
 }
 
 // Manager returns a new InterfaceManager.
 // Extra interfaces can be provided for testing.
-func Manager(s *state.State, hookManager *hookstate.HookManager, extraInterfaces []interfaces.Interface, extraBackends []interfaces.SecurityBackend) (*InterfaceManager, error) {
+func Manager(s *state.State, hookManager *hookstate.HookManager, runner *state.TaskRunner, extraInterfaces []interfaces.Interface, extraBackends []interfaces.SecurityBackend) (*InterfaceManager, error) {
 	delayedCrossMgrInit()
 
 	// NOTE: hookManager is nil only when testing.
@@ -46,11 +53,10 @@
 		setupHooks(hookManager)
 	}
 
-	runner := state.NewTaskRunner(s)
+	// Leave udevRetryTimeout at the default value, so that udev is initialized on first Ensure run.
 	m := &InterfaceManager{
-		state:  s,
-		runner: runner,
-		repo:   interfaces.NewRepository(),
+		state: s,
+		repo:  interfaces.NewRepository(),
 	}
 
 	if err := m.initialize(extraInterfaces, extraBackends); err != nil {
@@ -61,45 +67,80 @@
 	ifacerepo.Replace(s, m.repo)
 	s.Unlock()
 
+	taskKinds := map[string]bool{}
+	addHandler := func(kind string, do, undo state.HandlerFunc) {
+		taskKinds[kind] = true
+		runner.AddHandler(kind, do, undo)
+	}
+
+	addHandler("connect", m.doConnect, m.undoConnect)
+	addHandler("disconnect", m.doDisconnect, m.undoDisconnect)
+	addHandler("setup-profiles", m.doSetupProfiles, m.undoSetupProfiles)
+	addHandler("remove-profiles", m.doRemoveProfiles, m.doSetupProfiles)
+	addHandler("discard-conns", m.doDiscardConns, m.undoDiscardConns)
+	addHandler("auto-connect", m.doAutoConnect, m.undoAutoConnect)
+	addHandler("gadget-connect", m.doGadgetConnect, nil)
+	addHandler("auto-disconnect", m.doAutoDisconnect, nil)
+	addHandler("hotplug-remove-slot", m.doHotplugRemoveSlot, nil)
+	addHandler("hotplug-disconnect", m.doHotplugDisconnect, nil)
+
+	// don't block on hotplug-seq-wait task
+	runner.AddHandler("hotplug-seq-wait", m.doHotplugSeqWait, nil)
+
+	// helper for ubuntu-core -> core
+	addHandler("transition-ubuntu-core", m.doTransitionUbuntuCore, m.undoTransitionUbuntuCore)
+
 	// interface tasks might touch more than the immediate task target snap, serialize them
-	runner.SetBlocked(func(t *state.Task, running []*state.Task) bool {
-		if t.Kind() == "auto-connect" {
+	runner.AddBlocked(func(t *state.Task, running []*state.Task) bool {
+		if !taskKinds[t.Kind()] {
 			return false
 		}
-		return len(running) != 0
-	})
 
-	runner.AddHandler("connect", m.doConnect, nil)
-	runner.AddHandler("disconnect", m.doDisconnect, nil)
-	runner.AddHandler("setup-profiles", m.doSetupProfiles, m.undoSetupProfiles)
-	runner.AddHandler("remove-profiles", m.doRemoveProfiles, m.doSetupProfiles)
-	runner.AddHandler("discard-conns", m.doDiscardConns, m.undoDiscardConns)
-	runner.AddHandler("auto-connect", m.doAutoConnect, m.undoAutoConnect)
+		for _, t := range running {
+			if taskKinds[t.Kind()] {
+				return true
+			}
+		}
 
-	// helper for ubuntu-core -> core
-	runner.AddHandler("transition-ubuntu-core", m.doTransitionUbuntuCore, m.undoTransitionUbuntuCore)
+		return false
+	})
 
 	return m, nil
 }
 
-func (m *InterfaceManager) KnownTaskKinds() []string {
-	return m.runner.KnownTaskKinds()
-}
-
 // Ensure implements StateManager.Ensure.
 func (m *InterfaceManager) Ensure() error {
-	m.runner.Ensure()
-	return nil
-}
+	if m.udevMon != nil || m.udevMonitorDisabled {
+		return nil
+	}
 
-// Wait implements StateManager.Wait.
-func (m *InterfaceManager) Wait() {
-	m.runner.Wait()
+	// don't initialize udev monitor until we have a system snap so that we
+	// can attach hotplug interfaces to it.
+	if !checkSystemSnapIsPresent(m.state) {
+		return nil
+	}
+
+	// retry udev monitor initialization every 5 minutes
+	now := time.Now()
+	if now.After(m.udevRetryTimeout) {
+		err := m.initUDevMonitor()
+		if err != nil {
+			m.udevRetryTimeout = now.Add(udevInitRetryTimeout)
+		}
+		return err
+	}
+	return nil
 }
 
-// Stop implements StateManager.Stop.
+// Stop implements StateWaiterStopper.Stop. It stops
+// the udev monitor, if running.
 func (m *InterfaceManager) Stop() {
-	m.runner.Stop()
+	if m.udevMon == nil {
+		return
+	}
+	if err := m.udevMon.Stop(); err != nil {
+		logger.Noticef("Cannot stop udev monitor: %s", err)
+	}
 }
 
 // Repository returns the interface repository used internally by the manager.
@@ -114,6 +155,36 @@
 	return m.repo
 }
 
+// DisableUDevMonitor disables the instantiation of udev monitor, but has no effect
+// if udev is already created; it should be called after creating InterfaceManager, before
+// first Ensure.
+// This method is meant for tests only.
+func (m *InterfaceManager) DisableUDevMonitor() {
+	if m.udevMon != nil {
+		logger.Noticef("UDev Monitor already created, cannot be disabled")
+		return
+	}
+	m.udevMonitorDisabled = true
+}
+
+var (
+	udevInitRetryTimeout = time.Minute * 5
+	createUDevMonitor    = udevmonitor.New
+)
+
+func (m *InterfaceManager) initUDevMonitor() error {
+	mon := createUDevMonitor(m.hotplugDeviceAdded, m.hotplugDeviceRemoved, m.hotplugEnumerationDone)
+	if err := mon.Connect(); err != nil {
+		return err
+	}
+	if err := mon.Run(); err != nil {
+		mon.Disconnect()
+		return err
+	}
+	m.udevMon = mon
+	return nil
+}
+
 // MockSecurityBackends mocks the list of security backends that are used for setting up security.
 //
 // This function is public because it is referenced in the daemon
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/ifacestate.go snapd-2.37~rc1~14.04/overlord/ifacestate/ifacestate.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/ifacestate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/ifacestate.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,97 +26,71 @@
 	"sync"
 	"time"
 
+	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/policy"
 	"github.com/snapcore/snapd/overlord/assertstate"
+	"github.com/snapcore/snapd/overlord/devicestate"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
 )
 
-var noConflictOnConnectTasks = func(task *state.Task) bool {
-	return task.Kind() != "connect" && task.Kind() != "disconnect"
-}
-
 var connectRetryTimeout = time.Second * 5
 
-func checkConnectConflicts(st *state.State, change *state.Change, plugSnap, slotSnap string, autoConnectTask *state.Task) error {
-	if autoConnectTask == nil {
-		for _, chg := range st.Changes() {
-			if chg.Kind() == "transition-ubuntu-core" {
-				return fmt.Errorf("ubuntu-core to core transition in progress, no other changes allowed until this is done")
-			}
-		}
-	}
+// ErrAlreadyConnected describes the error that occurs when attempting to connect already connected interface.
+type ErrAlreadyConnected struct {
+	Connection interfaces.ConnRef
+}
 
-	var installedSnap string
-	if autoConnectTask != nil {
-		snapsup, err := snapstate.TaskSnapSetup(autoConnectTask)
-		if err != nil {
-			return fmt.Errorf("internal error: cannot obtain snap setup from task: %s", autoConnectTask.Summary())
-		}
-		installedSnap = snapsup.Name()
+func (e ErrAlreadyConnected) Error() string {
+	return fmt.Sprintf("already connected: %q", e.Connection.ID())
+}
+
+// findSymmetricAutoconnectTask checks if there is another auto-connect task affecting same snap because of plug/slot.
+func findSymmetricAutoconnectTask(st *state.State, plugSnap, slotSnap string, installTask *state.Task) (bool, error) {
+	snapsup, err := snapstate.TaskSnapSetup(installTask)
+	if err != nil {
+		return false, fmt.Errorf("internal error: cannot obtain snap setup from task: %s", installTask.Summary())
 	}
+	installedSnap := snapsup.InstanceName()
 
+	// if we find any auto-connect task that's not ready and is affecting our snap, return true to indicate that
+	// it should be ignored (we shouldn't create connect tasks for it)
 	for _, task := range st.Tasks() {
-		if task.Status().Ready() || autoConnectTask == task {
-			continue
-		}
-
-		k := task.Kind()
-		if k == "connect" || k == "disconnect" {
-			continue
-		}
-
-		snapsup, err := snapstate.TaskSnapSetup(task)
-		// e.g. hook tasks don't have task snap setup
-		if err != nil {
-			continue
-		}
-
-		snapName := snapsup.Name()
-
-		if autoConnectTask != nil && installedSnap == snapName {
-			continue
-		}
-
-		// different snaps - no conflict
-		if snapName != plugSnap && snapName != slotSnap {
-			continue
-		}
+		if !task.Status().Ready() && task.ID() != installTask.ID() && task.Kind() == "auto-connect" {
+			snapsup, err := snapstate.TaskSnapSetup(task)
+			if err != nil {
+				return false, fmt.Errorf("internal error: cannot obtain snap setup from task: %s", task.Summary())
+			}
+			otherSnap := snapsup.InstanceName()
 
-		if k == "unlink-snap" || k == "link-snap" || k == "setup-profiles" {
-			if autoConnectTask != nil {
-				// if snap is getting removed, we will retry but the snap will be gone and auto-connect becomes no-op
-				// if snap is getting installed/refreshed - temporary conflict, retry later
-				return &state.Retry{After: connectRetryTimeout}
+			if (otherSnap == plugSnap && installedSnap == slotSnap) || (otherSnap == slotSnap && installedSnap == plugSnap) {
+				return true, nil
 			}
-			// for connect it's a conflict
-			return snapstate.ChangeConflictError(snapName, task.Change().Kind())
 		}
 	}
-	return nil
+	return false, nil
 }
 
-// AutoConnect returns a set of tasks for connecting an interface as part of snap installation
-// and auto-connect handling.
-func AutoConnect(st *state.State, change *state.Change, autoConnectTask *state.Task, plugSnap, plugName, slotSnap, slotName string) (*state.TaskSet, error) {
-	return connect(st, change, plugSnap, plugName, slotSnap, slotName, autoConnectTask)
+type connectOpts struct {
+	ByGadget    bool
+	AutoConnect bool
 }
 
 // Connect returns a set of tasks for connecting an interface.
 //
 func Connect(st *state.State, plugSnap, plugName, slotSnap, slotName string) (*state.TaskSet, error) {
-	return connect(st, nil, plugSnap, plugName, slotSnap, slotName, nil)
-}
-
-func connect(st *state.State, change *state.Change, plugSnap, plugName, slotSnap, slotName string, autoConnectTask *state.Task) (*state.TaskSet, error) {
-	if err := checkConnectConflicts(st, change, plugSnap, slotSnap, autoConnectTask); err != nil {
+	if err := snapstate.CheckChangeConflictMany(st, []string{plugSnap, slotSnap}, ""); err != nil {
 		return nil, err
 	}
 
+	return connect(st, plugSnap, plugName, slotSnap, slotName, connectOpts{})
+}
+
+func connect(st *state.State, plugSnap, plugName, slotSnap, slotName string, flags connectOpts) (*state.TaskSet, error) {
 	// TODO: Store the intent-to-connect in the state so that we automatically
 	// try to reconnect on reboot (reconnection can fail or can connect with
 	// different parameters so we cannot store the actual connection details).
@@ -127,132 +101,336 @@
 	//  - connect task
 	//  - connect-slot-<slot> hook
 	//  - connect-plug-<plug> hook
-	// The tasks run in sequence (are serialized by WaitFor).
+	// The tasks run in sequence (are serialized by WaitFor). The hooks are optional
+	// and their tasks are created when hook exists or is declared in the snap.
 	// The prepare- hooks collect attributes via snapctl set.
 	// 'snapctl set' can only modify own attributes (plug's attributes in the *-plug-* hook and
 	// slot's attributes in the *-slot-* hook).
 	// 'snapctl get' can read both slot's and plug's attributes.
-	summary := fmt.Sprintf(i18n.G("Connect %s:%s to %s:%s"),
-		plugSnap, plugName, slotSnap, slotName)
-	connectInterface := st.NewTask("connect", summary)
 
+	// check if the connection already exists
+	conns, err := getConns(st)
+	if err != nil {
+		return nil, err
+	}
+	connRef := interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: plugSnap, Name: plugName}, SlotRef: interfaces.SlotRef{Snap: slotSnap, Name: slotName}}
+	if conn, ok := conns[connRef.ID()]; ok && conn.Undesired == false && conn.HotplugGone == false {
+		return nil, &ErrAlreadyConnected{Connection: connRef}
+	}
+
+	var plugSnapst, slotSnapst snapstate.SnapState
+	if err = snapstate.Get(st, plugSnap, &plugSnapst); err != nil {
+		return nil, err
+	}
+	if err = snapstate.Get(st, slotSnap, &slotSnapst); err != nil {
+		return nil, err
+	}
+	plugSnapInfo, err := plugSnapst.CurrentInfo()
+	if err != nil {
+		return nil, err
+	}
+	slotSnapInfo, err := slotSnapst.CurrentInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	plugStatic, slotStatic, err := initialConnectAttributes(st, plugSnapInfo, plugSnap, plugName, slotSnapInfo, slotSnap, slotName)
+	if err != nil {
+		return nil, err
+	}
+
+	connectInterface := st.NewTask("connect", fmt.Sprintf(i18n.G("Connect %s:%s to %s:%s"), plugSnap, plugName, slotSnap, slotName))
 	initialContext := make(map[string]interface{})
 	initialContext["attrs-task"] = connectInterface.ID()
 
-	plugHookSetup := &hookstate.HookSetup{
-		Snap:     plugSnap,
-		Hook:     "prepare-plug-" + plugName,
-		Optional: true,
+	tasks := state.NewTaskSet()
+	var prev *state.Task
+	addTask := func(t *state.Task) {
+		if prev != nil {
+			t.WaitFor(prev)
+		}
+		tasks.AddTask(t)
 	}
 
-	summary = fmt.Sprintf(i18n.G("Run hook %s of snap %q"), plugHookSetup.Hook, plugHookSetup.Snap)
-	preparePlugConnection := hookstate.HookTask(st, summary, plugHookSetup, initialContext)
-
-	slotHookSetup := &hookstate.HookSetup{
-		Snap:     slotSnap,
-		Hook:     "prepare-slot-" + slotName,
-		Optional: true,
+	preparePlugHookName := fmt.Sprintf("prepare-plug-%s", plugName)
+	if plugSnapInfo.Hooks[preparePlugHookName] != nil {
+		plugHookSetup := &hookstate.HookSetup{
+			Snap:     plugSnap,
+			Hook:     preparePlugHookName,
+			Optional: true,
+		}
+		summary := fmt.Sprintf(i18n.G("Run hook %s of snap %q"), plugHookSetup.Hook, plugHookSetup.Snap)
+		undoPrepPlugHookSetup := &hookstate.HookSetup{
+			Snap:        plugSnap,
+			Hook:        "unprepare-plug-" + plugName,
+			Optional:    true,
+			IgnoreError: true,
+		}
+		preparePlugConnection := hookstate.HookTaskWithUndo(st, summary, plugHookSetup, undoPrepPlugHookSetup, initialContext)
+		addTask(preparePlugConnection)
+		prev = preparePlugConnection
 	}
 
-	summary = fmt.Sprintf(i18n.G("Run hook %s of snap %q"), slotHookSetup.Hook, slotHookSetup.Snap)
-	prepareSlotConnection := hookstate.HookTask(st, summary, slotHookSetup, initialContext)
-	prepareSlotConnection.WaitFor(preparePlugConnection)
+	prepareSlotHookName := fmt.Sprintf("prepare-slot-%s", slotName)
+	if slotSnapInfo.Hooks[prepareSlotHookName] != nil {
+		slotHookSetup := &hookstate.HookSetup{
+			Snap:     slotSnap,
+			Hook:     prepareSlotHookName,
+			Optional: true,
+		}
+		undoPrepSlotHookSetup := &hookstate.HookSetup{
+			Snap:        slotSnap,
+			Hook:        "unprepare-slot-" + slotName,
+			Optional:    true,
+			IgnoreError: true,
+		}
+
+		summary := fmt.Sprintf(i18n.G("Run hook %s of snap %q"), slotHookSetup.Hook, slotHookSetup.Snap)
+		prepareSlotConnection := hookstate.HookTaskWithUndo(st, summary, slotHookSetup, undoPrepSlotHookSetup, initialContext)
+		addTask(prepareSlotConnection)
+		prev = prepareSlotConnection
+	}
 
 	connectInterface.Set("slot", interfaces.SlotRef{Snap: slotSnap, Name: slotName})
 	connectInterface.Set("plug", interfaces.PlugRef{Snap: plugSnap, Name: plugName})
-	connectInterface.Set("auto", autoConnectTask != nil)
-
-	if err := setInitialConnectAttributes(connectInterface, plugSnap, plugName, slotSnap, slotName); err != nil {
-		return nil, err
+	if flags.AutoConnect {
+		connectInterface.Set("auto", true)
 	}
-	connectInterface.WaitFor(prepareSlotConnection)
-
-	connectSlotHookSetup := &hookstate.HookSetup{
-		Snap:     slotSnap,
-		Hook:     "connect-slot-" + slotName,
-		Optional: true,
+	if flags.ByGadget {
+		connectInterface.Set("by-gadget", true)
 	}
 
-	summary = fmt.Sprintf(i18n.G("Run hook %s of snap %q"), connectSlotHookSetup.Hook, connectSlotHookSetup.Snap)
-	connectSlotConnection := hookstate.HookTask(st, summary, connectSlotHookSetup, initialContext)
-	connectSlotConnection.WaitFor(connectInterface)
+	// Expose a copy of all plug and slot attributes coming from yaml to interface hooks. The hooks will be able
+	// to modify them but all attributes will be checked against assertions after the hooks are run.
+	emptyDynamicAttrs := map[string]interface{}{}
+	connectInterface.Set("plug-static", plugStatic)
+	connectInterface.Set("slot-static", slotStatic)
+	connectInterface.Set("plug-dynamic", emptyDynamicAttrs)
+	connectInterface.Set("slot-dynamic", emptyDynamicAttrs)
+
+	// The main 'connect' task should wait on prepare-slot- hook or on prepare-plug- hook (whichever is present),
+	// but not on both. While there would be no harm in waiting for both, it's not needed as prepare-slot- will
+	// wait for prepare-plug- anyway, and a simple one-to-one wait dependency makes testing easier.
+	addTask(connectInterface)
+	prev = connectInterface
+
+	connectSlotHookName := fmt.Sprintf("connect-slot-%s", slotName)
+	if slotSnapInfo.Hooks[connectSlotHookName] != nil {
+		connectSlotHookSetup := &hookstate.HookSetup{
+			Snap:     slotSnap,
+			Hook:     connectSlotHookName,
+			Optional: true,
+		}
+		undoConnectSlotHookSetup := &hookstate.HookSetup{
+			Snap:        slotSnap,
+			Hook:        "disconnect-slot-" + slotName,
+			Optional:    true,
+			IgnoreError: true,
+		}
 
-	connectPlugHookSetup := &hookstate.HookSetup{
-		Snap:     plugSnap,
-		Hook:     "connect-plug-" + plugName,
-		Optional: true,
+		summary := fmt.Sprintf(i18n.G("Run hook %s of snap %q"), connectSlotHookSetup.Hook, connectSlotHookSetup.Snap)
+		connectSlotConnection := hookstate.HookTaskWithUndo(st, summary, connectSlotHookSetup, undoConnectSlotHookSetup, initialContext)
+		addTask(connectSlotConnection)
+		prev = connectSlotConnection
 	}
 
-	summary = fmt.Sprintf(i18n.G("Run hook %s of snap %q"), connectPlugHookSetup.Hook, connectPlugHookSetup.Snap)
-	connectPlugConnection := hookstate.HookTask(st, summary, connectPlugHookSetup, initialContext)
-	connectPlugConnection.WaitFor(connectSlotConnection)
+	connectPlugHookName := fmt.Sprintf("connect-plug-%s", plugName)
+	if plugSnapInfo.Hooks[connectPlugHookName] != nil {
+		connectPlugHookSetup := &hookstate.HookSetup{
+			Snap:     plugSnap,
+			Hook:     connectPlugHookName,
+			Optional: true,
+		}
+		undoConnectPlugHookSetup := &hookstate.HookSetup{
+			Snap:        plugSnap,
+			Hook:        "disconnect-plug-" + plugName,
+			Optional:    true,
+			IgnoreError: true,
+		}
 
-	return state.NewTaskSet(preparePlugConnection, prepareSlotConnection, connectInterface, connectSlotConnection, connectPlugConnection), nil
+		summary := fmt.Sprintf(i18n.G("Run hook %s of snap %q"), connectPlugHookSetup.Hook, connectPlugHookSetup.Snap)
+		connectPlugConnection := hookstate.HookTaskWithUndo(st, summary, connectPlugHookSetup, undoConnectPlugHookSetup, initialContext)
+		addTask(connectPlugConnection)
+		prev = connectPlugConnection
+	}
+	return tasks, nil
 }
 
-func setInitialConnectAttributes(ts *state.Task, plugSnap string, plugName string, slotSnap string, slotName string) error {
-	// Set initial interface attributes for the plug and slot snaps in connect task.
-	var snapst snapstate.SnapState
-	var err error
+func initialConnectAttributes(st *state.State, plugSnapInfo *snap.Info, plugSnap string, plugName string, slotSnapInfo *snap.Info, slotSnap string, slotName string) (plugStatic, slotStatic map[string]interface{}, err error) {
+	var plugSnapst snapstate.SnapState
 
-	st := ts.State()
-	if err = snapstate.Get(st, plugSnap, &snapst); err != nil {
-		return err
-	}
-	snapInfo, err := snapst.CurrentInfo()
-	if err != nil {
-		return err
+	if err = snapstate.Get(st, plugSnap, &plugSnapst); err != nil {
+		return nil, nil, err
 	}
-	if plug, ok := snapInfo.Plugs[plugName]; ok {
-		ts.Set("plug-attrs", plug.Attrs)
-	} else {
-		return fmt.Errorf("snap %q has no plug named %q", plugSnap, plugName)
+
+	plug, ok := plugSnapInfo.Plugs[plugName]
+	if !ok {
+		return nil, nil, fmt.Errorf("snap %q has no plug named %q", plugSnap, plugName)
 	}
 
-	if err = snapstate.Get(st, slotSnap, &snapst); err != nil {
-		return err
+	var slotSnapst snapstate.SnapState
+
+	if err = snapstate.Get(st, slotSnap, &slotSnapst); err != nil {
+		return nil, nil, err
 	}
-	snapInfo, err = snapst.CurrentInfo()
-	if err != nil {
-		return err
+
+	if err := addImplicitSlots(st, slotSnapInfo); err != nil {
+		return nil, nil, err
 	}
-	addImplicitSlots(snapInfo)
-	if slot, ok := snapInfo.Slots[slotName]; ok {
-		ts.Set("slot-attrs", slot.Attrs)
-	} else {
-		return fmt.Errorf("snap %q has no slot named %q", slotSnap, slotName)
+
+	slot, ok := slotSnapInfo.Slots[slotName]
+	if !ok {
+		return nil, nil, fmt.Errorf("snap %q has no slot named %q", slotSnap, slotName)
 	}
 
-	return nil
+	return plug.Attrs, slot.Attrs, nil
 }
 
 // Disconnect returns a set of tasks for  disconnecting an interface.
-func Disconnect(st *state.State, plugSnap, plugName, slotSnap, slotName string) (*state.TaskSet, error) {
-	if err := snapstate.CheckChangeConflict(st, plugSnap, noConflictOnConnectTasks, nil); err != nil {
+func Disconnect(st *state.State, conn *interfaces.Connection) (*state.TaskSet, error) {
+	plugSnap := conn.Plug.Snap().InstanceName()
+	slotSnap := conn.Slot.Snap().InstanceName()
+	if err := snapstate.CheckChangeConflictMany(st, []string{plugSnap, slotSnap}, ""); err != nil {
+		return nil, err
+	}
+
+	return disconnectTasks(st, conn, disconnectOpts{})
+}
+
+type disconnectOpts struct {
+	AutoDisconnect bool
+	ByHotplug      bool
+}
+
+// disconnectTasks creates a set of tasks for disconnect, including hooks, but does not do any conflict checking.
+func disconnectTasks(st *state.State, conn *interfaces.Connection, flags disconnectOpts) (*state.TaskSet, error) {
+	plugSnap := conn.Plug.Snap().InstanceName()
+	slotSnap := conn.Slot.Snap().InstanceName()
+	plugName := conn.Plug.Name()
+	slotName := conn.Slot.Name()
+
+	var plugSnapst, slotSnapst snapstate.SnapState
+	if err := snapstate.Get(st, slotSnap, &slotSnapst); err != nil {
 		return nil, err
 	}
-	if err := snapstate.CheckChangeConflict(st, slotSnap, noConflictOnConnectTasks, nil); err != nil {
+	if err := snapstate.Get(st, plugSnap, &plugSnapst); err != nil {
 		return nil, err
 	}
 
 	summary := fmt.Sprintf(i18n.G("Disconnect %s:%s from %s:%s"),
 		plugSnap, plugName, slotSnap, slotName)
-	task := st.NewTask("disconnect", summary)
-	task.Set("slot", interfaces.SlotRef{Snap: slotSnap, Name: slotName})
-	task.Set("plug", interfaces.PlugRef{Snap: plugSnap, Name: plugName})
-	return state.NewTaskSet(task), nil
+	disconnectTask := st.NewTask("disconnect", summary)
+	disconnectTask.Set("slot", interfaces.SlotRef{Snap: slotSnap, Name: slotName})
+	disconnectTask.Set("plug", interfaces.PlugRef{Snap: plugSnap, Name: plugName})
+
+	disconnectTask.Set("slot-static", conn.Slot.StaticAttrs())
+	disconnectTask.Set("slot-dynamic", conn.Slot.DynamicAttrs())
+	disconnectTask.Set("plug-static", conn.Plug.StaticAttrs())
+	disconnectTask.Set("plug-dynamic", conn.Plug.DynamicAttrs())
+
+	if flags.AutoDisconnect {
+		disconnectTask.Set("auto-disconnect", true)
+	}
+	if flags.ByHotplug {
+		disconnectTask.Set("by-hotplug", true)
+	}
+
+	ts := state.NewTaskSet()
+	var prev *state.Task
+	addTask := func(t *state.Task) {
+		if prev != nil {
+			t.WaitFor(prev)
+		}
+		ts.AddTask(t)
+		prev = t
+	}
+
+	initialContext := make(map[string]interface{})
+	initialContext["attrs-task"] = disconnectTask.ID()
+
+	plugSnapInfo, err := plugSnapst.CurrentInfo()
+	if err != nil {
+		return nil, err
+	}
+	slotSnapInfo, err := slotSnapst.CurrentInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	// only run slot hooks if slotSnap is active
+	if slotSnapst.Active {
+		hookName := fmt.Sprintf("disconnect-slot-%s", slotName)
+		if slotSnapInfo.Hooks[hookName] != nil {
+			disconnectSlotHookSetup := &hookstate.HookSetup{
+				Snap:     slotSnap,
+				Hook:     hookName,
+				Optional: true,
+			}
+			undoDisconnectSlotHookSetup := &hookstate.HookSetup{
+				Snap:     slotSnap,
+				Hook:     "connect-slot-" + slotName,
+				Optional: true,
+			}
+
+			summary := fmt.Sprintf(i18n.G("Run hook %s of snap %q"), disconnectSlotHookSetup.Hook, disconnectSlotHookSetup.Snap)
+			disconnectSlot := hookstate.HookTaskWithUndo(st, summary, disconnectSlotHookSetup, undoDisconnectSlotHookSetup, initialContext)
+
+			addTask(disconnectSlot)
+		}
+	}
+
+	// only run plug hooks if plugSnap is active
+	if plugSnapst.Active {
+		hookName := fmt.Sprintf("disconnect-plug-%s", plugName)
+		if plugSnapInfo.Hooks[hookName] != nil {
+			disconnectPlugHookSetup := &hookstate.HookSetup{
+				Snap:     plugSnap,
+				Hook:     hookName,
+				Optional: true,
+			}
+			undoDisconnectPlugHookSetup := &hookstate.HookSetup{
+				Snap:     plugSnap,
+				Hook:     "connect-plug-" + plugName,
+				Optional: true,
+			}
+
+			summary := fmt.Sprintf(i18n.G("Run hook %s of snap %q"), disconnectPlugHookSetup.Hook, disconnectPlugHookSetup.Snap)
+			disconnectPlug := hookstate.HookTaskWithUndo(st, summary, disconnectPlugHookSetup, undoDisconnectPlugHookSetup, initialContext)
+
+			addTask(disconnectPlug)
+		}
+	}
+
+	addTask(disconnectTask)
+	return ts, nil
 }
 
 // CheckInterfaces checks whether plugs and slots of snap are allowed for installation.
 func CheckInterfaces(st *state.State, snapInfo *snap.Info) error {
 	// XXX: addImplicitSlots is really a brittle interface
-	addImplicitSlots(snapInfo)
+	if err := addImplicitSlots(st, snapInfo); err != nil {
+		return err
+	}
 
 	if snapInfo.SnapID == "" {
 		// no SnapID means --dangerous was given, so skip interface checks
 		return nil
 	}
 
+	modelAs, err := devicestate.Model(st)
+	if err != nil {
+		return err
+	}
+
+	var storeAs *asserts.Store
+	if modelAs.Store() != "" {
+		var err error
+		storeAs, err = assertstate.Store(st, modelAs.Store())
+		if err != nil && !asserts.IsNotFound(err) {
+			return err
+		}
+	}
+
 	baseDecl, err := assertstate.BaseDeclaration(st)
 	if err != nil {
 		return fmt.Errorf("internal error: cannot find base declaration: %v", err)
@@ -260,13 +438,15 @@
 
 	snapDecl, err := assertstate.SnapDeclaration(st, snapInfo.SnapID)
 	if err != nil {
-		return fmt.Errorf("cannot find snap declaration for %q: %v", snapInfo.Name(), err)
+		return fmt.Errorf("cannot find snap declaration for %q: %v", snapInfo.InstanceName(), err)
 	}
 
 	ic := policy.InstallCandidate{
 		Snap:            snapInfo,
 		SnapDeclaration: snapDecl,
 		BaseDeclaration: baseDecl,
+		Model:           modelAs,
+		Store:           storeAs,
 	}
 
 	return ic.Check()
@@ -275,10 +455,21 @@
 var once sync.Once
 
 func delayedCrossMgrInit() {
-	// hook interface checks into snapstate installation logic
 	once.Do(func() {
+		// hook interface checks into snapstate installation logic
+
 		snapstate.AddCheckSnapCallback(func(st *state.State, snapInfo, _ *snap.Info, _ snapstate.Flags) error {
 			return CheckInterfaces(st, snapInfo)
 		})
+
+		// hook into conflict checks mechanisms
+		snapstate.AddAffectedSnapsByKind("connect", connectDisconnectAffectedSnaps)
+		snapstate.AddAffectedSnapsByKind("disconnect", connectDisconnectAffectedSnaps)
 	})
 }
+
+func MockConnectRetryTimeout(d time.Duration) (restore func()) {
+	old := connectRetryTimeout
+	connectRetryTimeout = d
+	return func() { connectRetryTimeout = old }
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/ifacestate_test.go snapd-2.37~rc1~14.04/overlord/ifacestate/ifacestate_test.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/ifacestate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/ifacestate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,28 +20,36 @@
 package ifacestate_test
 
 import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
-	"sort"
 	"strings"
 	"testing"
 	"time"
 
 	. "gopkg.in/check.v1"
+	"gopkg.in/tomb.v2"
 
 	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/asserts/assertstest"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/ifacetest"
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/assertstate"
+	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/ifacestate"
 	"github.com/snapcore/snapd/overlord/ifacestate/ifacerepo"
+	"github.com/snapcore/snapd/overlord/ifacestate/udevmonitor"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
@@ -49,26 +57,137 @@
 
 func TestInterfaceManager(t *testing.T) { TestingT(t) }
 
+type AssertsMock struct {
+	Db           *asserts.Database
+	storeSigning *assertstest.StoreStack
+	brandSigning *assertstest.SigningDB
+	st           *state.State
+}
+
+func (am *AssertsMock) SetupAsserts(c *C, st *state.State) {
+	am.st = st
+	am.storeSigning = assertstest.NewStoreStack("canonical", nil)
+	brandPrivKey, _ := assertstest.GenerateKey(752)
+	am.brandSigning = assertstest.NewSigningDB("my-brand", brandPrivKey)
+
+	db, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
+		Backstore: asserts.NewMemoryBackstore(),
+		Trusted:   am.storeSigning.Trusted,
+	})
+	c.Assert(err, IsNil)
+	am.Db = db
+	err = db.Add(am.storeSigning.StoreAccountKey(""))
+	c.Assert(err, IsNil)
+
+	st.Lock()
+	assertstate.ReplaceDB(st, am.Db)
+
+	brandAcct := assertstest.NewAccount(am.storeSigning, "my-brand", map[string]interface{}{
+		"account-id": "my-brand",
+	}, "")
+	err = assertstate.Add(st, brandAcct)
+	c.Assert(err, IsNil)
+
+	brandPubKey, err := am.brandSigning.PublicKey("")
+	c.Assert(err, IsNil)
+	brandAccKey := assertstest.NewAccountKey(am.storeSigning, brandAcct, nil, brandPubKey, "")
+	err = assertstate.Add(st, brandAccKey)
+	c.Assert(err, IsNil)
+	st.Unlock()
+}
+
+func (am *AssertsMock) MockModel(c *C, extraHeaders map[string]interface{}) {
+	headers := map[string]interface{}{
+		"series":       "16",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"gadget":       "gadget",
+		"kernel":       "krnl",
+		"architecture": "amd64",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}
+	for k, v := range extraHeaders {
+		headers[k] = v
+	}
+	model, err := am.brandSigning.Sign(asserts.ModelType, headers, nil, "")
+	c.Assert(err, IsNil)
+	am.st.Lock()
+	defer am.st.Unlock()
+	err = assertstate.Add(am.st, model)
+	c.Assert(err, IsNil)
+	err = auth.SetDevice(am.st, &auth.DeviceState{
+		Brand: "my-brand",
+		Model: "my-model",
+	})
+	c.Assert(err, IsNil)
+}
+
+func (am *AssertsMock) MockSnapDecl(c *C, name, publisher string, extraHeaders map[string]interface{}) {
+	_, err := am.Db.Find(asserts.AccountType, map[string]string{
+		"account-id": publisher,
+	})
+	if asserts.IsNotFound(err) {
+		acct := assertstest.NewAccount(am.storeSigning, publisher, map[string]interface{}{
+			"account-id": publisher,
+		}, "")
+		err = am.Db.Add(acct)
+	}
+	c.Assert(err, IsNil)
+
+	headers := map[string]interface{}{
+		"series":       "16",
+		"snap-name":    name,
+		"publisher-id": publisher,
+		"snap-id":      (name + strings.Repeat("id", 16))[:32],
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}
+	for k, v := range extraHeaders {
+		headers[k] = v
+	}
+
+	snapDecl, err := am.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
+	c.Assert(err, IsNil)
+
+	err = am.Db.Add(snapDecl)
+	c.Assert(err, IsNil)
+}
+
+func (am *AssertsMock) MockStore(c *C, st *state.State, storeID string, extraHeaders map[string]interface{}) {
+	headers := map[string]interface{}{
+		"store":       storeID,
+		"operator-id": am.storeSigning.AuthorityID,
+		"timestamp":   time.Now().Format(time.RFC3339),
+	}
+	for k, v := range extraHeaders {
+		headers[k] = v
+	}
+	storeAs, err := am.storeSigning.Sign(asserts.StoreType, headers, nil, "")
+	c.Assert(err, IsNil)
+	st.Lock()
+	defer st.Unlock()
+	err = assertstate.Add(st, storeAs)
+	c.Assert(err, IsNil)
+}
+
 type interfaceManagerSuite struct {
 	testutil.BaseTest
+	AssertsMock
 	o              *overlord.Overlord
 	state          *state.State
-	db             *asserts.Database
+	se             *overlord.StateEngine
 	privateMgr     *ifacestate.InterfaceManager
 	privateHookMgr *hookstate.HookManager
 	extraIfaces    []interfaces.Interface
 	extraBackends  []interfaces.SecurityBackend
 	secBackend     *ifacetest.TestSecurityBackend
 	mockSnapCmd    *testutil.MockCmd
-	storeSigning   *assertstest.StoreStack
+	log            *bytes.Buffer
 }
 
 var _ = Suite(&interfaceManagerSuite{})
 
 func (s *interfaceManagerSuite) SetUpTest(c *C) {
 	s.BaseTest.SetUpTest(c)
-	s.storeSigning = assertstest.NewStoreStack("canonical", nil)
-
 	s.mockSnapCmd = testutil.MockCommand(c, "snap", "")
 
 	dirs.SetRootDir(c.MkDir())
@@ -76,20 +195,14 @@
 
 	s.o = overlord.Mock()
 	s.state = s.o.State()
-	db, err := asserts.OpenDatabase(&asserts.DatabaseConfig{
-		Backstore: asserts.NewMemoryBackstore(),
-		Trusted:   s.storeSigning.Trusted,
-	})
-	c.Assert(err, IsNil)
-	s.db = db
-	err = db.Add(s.storeSigning.StoreAccountKey(""))
-	c.Assert(err, IsNil)
+	s.se = s.o.StateEngine()
+
+	s.SetupAsserts(c, s.state)
 
 	s.BaseTest.AddCleanup(snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {}))
 
 	s.state.Lock()
-	assertstate.ReplaceDB(s.state, s.db)
-	s.state.Unlock()
+	defer s.state.Unlock()
 
 	s.privateHookMgr = nil
 	s.privateMgr = nil
@@ -100,6 +213,12 @@
 	// just load the test backend here and this is nicely integrated with
 	// extraBackends above.
 	s.BaseTest.AddCleanup(ifacestate.MockSecurityBackends([]interfaces.SecurityBackend{s.secBackend}))
+
+	buf, restore := logger.MockLogger()
+	s.BaseTest.AddCleanup(restore)
+	s.log = buf
+
+	s.BaseTest.AddCleanup(ifacestate.MockConnectRetryTimeout(0))
 }
 
 func (s *interfaceManagerSuite) TearDownTest(c *C) {
@@ -108,19 +227,30 @@
 	s.mockSnapCmd.Restore()
 
 	if s.privateMgr != nil {
-		s.privateMgr.Stop()
+		s.se.Stop()
 	}
 	dirs.SetRootDir("")
 }
 
+func addForeignTaskHandlers(runner *state.TaskRunner) {
+	// Add handler to test full aborting of changes
+	erroringHandler := func(task *state.Task, _ *tomb.Tomb) error {
+		return errors.New("error out")
+	}
+	runner.AddHandler("error-trigger", erroringHandler, nil)
+}
+
 func (s *interfaceManagerSuite) manager(c *C) *ifacestate.InterfaceManager {
 	if s.privateMgr == nil {
-		mgr, err := ifacestate.Manager(s.state, s.hookManager(c), s.extraIfaces, s.extraBackends)
+		mgr, err := ifacestate.Manager(s.state, s.hookManager(c), s.o.TaskRunner(), s.extraIfaces, s.extraBackends)
 		c.Assert(err, IsNil)
-		ifacestate.AddForeignTaskHandlers(mgr)
+		addForeignTaskHandlers(s.o.TaskRunner())
+		mgr.DisableUDevMonitor()
 		s.privateMgr = mgr
 		s.o.AddManager(mgr)
 
+		s.o.AddManager(s.o.TaskRunner())
+
 		// ensure the re-generation of security profiles did not
 		// confuse the tests
 		s.secBackend.SetupCalls = nil
@@ -130,7 +260,7 @@
 
 func (s *interfaceManagerSuite) hookManager(c *C) *hookstate.HookManager {
 	if s.privateHookMgr == nil {
-		mgr, err := hookstate.Manager(s.state)
+		mgr, err := hookstate.Manager(s.state, s.o.TaskRunner())
 		c.Assert(err, IsNil)
 		s.privateHookMgr = mgr
 		s.o.AddManager(mgr)
@@ -144,24 +274,9 @@
 }
 
 func (s *interfaceManagerSuite) TestSmoke(c *C) {
-	mgr := s.manager(c)
-	mgr.Ensure()
-	mgr.Wait()
-}
-
-func (s *interfaceManagerSuite) TestKnownTaskKinds(c *C) {
-	mgr, err := ifacestate.Manager(s.state, s.hookManager(c), nil, nil)
-	c.Assert(err, IsNil)
-	kinds := mgr.KnownTaskKinds()
-	sort.Strings(kinds)
-	c.Assert(kinds, DeepEquals, []string{
-		"auto-connect",
-		"connect",
-		"discard-conns",
-		"disconnect",
-		"remove-profiles",
-		"setup-profiles",
-		"transition-ubuntu-core"})
+	s.manager(c)
+	s.se.Ensure()
+	s.se.Wait()
 }
 
 func (s *interfaceManagerSuite) TestRepoAvailable(c *C) {
@@ -188,10 +303,251 @@
 	i := 0
 	task := ts.Tasks()[i]
 	c.Check(task.Kind(), Equals, "run-hook")
+	var hookSetup, undoHookSetup hookstate.HookSetup
+	c.Assert(task.Get("hook-setup", &hookSetup), IsNil)
+	c.Assert(hookSetup, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "prepare-plug-plug", Optional: true})
+	c.Assert(task.Get("undo-hook-setup", &undoHookSetup), IsNil)
+	c.Assert(undoHookSetup, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "unprepare-plug-plug", Optional: true, IgnoreError: true})
+	i++
+	task = ts.Tasks()[i]
+	c.Check(task.Kind(), Equals, "run-hook")
+	c.Assert(task.Get("hook-setup", &hookSetup), IsNil)
+	c.Assert(hookSetup, Equals, hookstate.HookSetup{Snap: "producer", Hook: "prepare-slot-slot", Optional: true})
+	c.Assert(task.Get("undo-hook-setup", &undoHookSetup), IsNil)
+	c.Assert(undoHookSetup, Equals, hookstate.HookSetup{Snap: "producer", Hook: "unprepare-slot-slot", Optional: true, IgnoreError: true})
+	i++
+	task = ts.Tasks()[i]
+	c.Assert(task.Kind(), Equals, "connect")
+	var plug interfaces.PlugRef
+	c.Assert(task.Get("plug", &plug), IsNil)
+	c.Assert(plug.Snap, Equals, "consumer")
+	c.Assert(plug.Name, Equals, "plug")
+	var slot interfaces.SlotRef
+	c.Assert(task.Get("slot", &slot), IsNil)
+	c.Assert(slot.Snap, Equals, "producer")
+	c.Assert(slot.Name, Equals, "slot")
+
+	var autoconnect bool
+	err = task.Get("auto", &autoconnect)
+	c.Assert(err, Equals, state.ErrNoState)
+	c.Assert(autoconnect, Equals, false)
+
+	// verify initial attributes are present in connect task
+	var plugStaticAttrs map[string]interface{}
+	var plugDynamicAttrs map[string]interface{}
+	c.Assert(task.Get("plug-static", &plugStaticAttrs), IsNil)
+	c.Assert(plugStaticAttrs, DeepEquals, map[string]interface{}{"attr1": "value1"})
+	c.Assert(task.Get("plug-dynamic", &plugDynamicAttrs), IsNil)
+	c.Assert(plugDynamicAttrs, DeepEquals, map[string]interface{}{})
+
+	var slotStaticAttrs map[string]interface{}
+	var slotDynamicAttrs map[string]interface{}
+	c.Assert(task.Get("slot-static", &slotStaticAttrs), IsNil)
+	c.Assert(slotStaticAttrs, DeepEquals, map[string]interface{}{"attr2": "value2"})
+	c.Assert(task.Get("slot-dynamic", &slotDynamicAttrs), IsNil)
+	c.Assert(slotDynamicAttrs, DeepEquals, map[string]interface{}{})
+
+	i++
+	task = ts.Tasks()[i]
+	c.Check(task.Kind(), Equals, "run-hook")
+	c.Assert(task.Get("hook-setup", &hs), IsNil)
+	c.Assert(hs, Equals, hookstate.HookSetup{Snap: "producer", Hook: "connect-slot-slot", Optional: true})
+	c.Assert(task.Get("undo-hook-setup", &undoHookSetup), IsNil)
+	c.Assert(undoHookSetup, Equals, hookstate.HookSetup{Snap: "producer", Hook: "disconnect-slot-slot", Optional: true, IgnoreError: true})
+	i++
+	task = ts.Tasks()[i]
+	c.Check(task.Kind(), Equals, "run-hook")
+	c.Assert(task.Get("hook-setup", &hs), IsNil)
+	c.Assert(hs, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "connect-plug-plug", Optional: true})
+	c.Assert(task.Get("undo-hook-setup", &undoHookSetup), IsNil)
+	c.Assert(undoHookSetup, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "disconnect-plug-plug", Optional: true, IgnoreError: true})
+}
+
+type interfaceHooksTestData struct {
+	consumer  []string
+	producer  []string
+	waitChain []string
+}
+
+func hookNameOrTaskKind(c *C, t *state.Task) string {
+	if t.Kind() == "run-hook" {
+		var hookSup hookstate.HookSetup
+		c.Assert(t.Get("hook-setup", &hookSup), IsNil)
+		return fmt.Sprintf("hook:%s", hookSup.Hook)
+	}
+	return fmt.Sprintf("task:%s", t.Kind())
+}
+
+func testInterfaceHooksTasks(c *C, tasks []*state.Task, waitChain []string, undoHooks map[string]string) {
+	for i, t := range tasks {
+		c.Assert(waitChain[i], Equals, hookNameOrTaskKind(c, t))
+		waits := t.WaitTasks()
+		if i == 0 {
+			c.Assert(waits, HasLen, 0)
+		} else {
+			c.Assert(waits, HasLen, 1)
+			waiting := hookNameOrTaskKind(c, waits[0])
+			// check that this task waits on previous one
+			c.Assert(waiting, Equals, waitChain[i-1])
+		}
+
+		// check undo hook setup if applicable
+		if t.Kind() == "run-hook" {
+			var hooksup hookstate.HookSetup
+			var undosup hookstate.HookSetup
+			c.Assert(t.Get("hook-setup", &hooksup), IsNil)
+			c.Assert(t.Get("undo-hook-setup", &undosup), IsNil)
+			c.Assert(undosup.Hook, Equals, undoHooks[hooksup.Hook], Commentf("unexpected undo hook: %s", undosup.Hook))
+		}
+	}
+
+}
+
+func (s *interfaceManagerSuite) TestConnectTaskHooksConditionals(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	hooksTests := []interfaceHooksTestData{{
+		consumer:  []string{"prepare-plug-plug"},
+		producer:  []string{"prepare-slot-slot"},
+		waitChain: []string{"hook:prepare-plug-plug", "hook:prepare-slot-slot", "task:connect"},
+	}, {
+		consumer:  []string{"prepare-plug-plug"},
+		producer:  []string{"prepare-slot-slot", "connect-slot-slot"},
+		waitChain: []string{"hook:prepare-plug-plug", "hook:prepare-slot-slot", "task:connect", "hook:connect-slot-slot"},
+	}, {
+		consumer:  []string{"prepare-plug-plug"},
+		producer:  []string{"connect-slot-slot"},
+		waitChain: []string{"hook:prepare-plug-plug", "task:connect", "hook:connect-slot-slot"},
+	}, {
+		consumer:  []string{"connect-plug-plug"},
+		producer:  []string{"prepare-slot-slot", "connect-slot-slot"},
+		waitChain: []string{"hook:prepare-slot-slot", "task:connect", "hook:connect-slot-slot", "hook:connect-plug-plug"},
+	}, {
+		consumer:  []string{"connect-plug-plug"},
+		producer:  []string{"connect-slot-slot"},
+		waitChain: []string{"task:connect", "hook:connect-slot-slot", "hook:connect-plug-plug"},
+	}, {
+		consumer:  []string{"prepare-plug-plug", "connect-plug-plug"},
+		producer:  []string{"prepare-slot-slot"},
+		waitChain: []string{"hook:prepare-plug-plug", "hook:prepare-slot-slot", "task:connect", "hook:connect-plug-plug"},
+	}, {
+		consumer:  []string{"prepare-plug-plug", "connect-plug-plug"},
+		producer:  []string{"prepare-slot-slot", "connect-slot-slot"},
+		waitChain: []string{"hook:prepare-plug-plug", "hook:prepare-slot-slot", "task:connect", "hook:connect-slot-slot", "hook:connect-plug-plug"},
+	}}
+
+	_ = s.manager(c)
+	for _, hooks := range hooksTests {
+		var hooksYaml string
+		for _, name := range hooks.consumer {
+			hooksYaml = fmt.Sprintf("%s %s:\n", hooksYaml, name)
+		}
+		consumer := fmt.Sprintf(consumerYaml3, hooksYaml)
+
+		hooksYaml = ""
+		for _, name := range hooks.producer {
+			hooksYaml = fmt.Sprintf("%s %s:\n", hooksYaml, name)
+		}
+		producer := fmt.Sprintf(producerYaml3, hooksYaml)
+
+		s.mockSnap(c, consumer)
+		s.mockSnap(c, producer)
+
+		s.state.Lock()
+
+		ts, err := ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
+		c.Assert(err, IsNil)
+		c.Assert(ts.Tasks(), HasLen, len(hooks.producer)+len(hooks.consumer)+1)
+		c.Assert(ts.Tasks(), HasLen, len(hooks.waitChain))
+
+		undoHooks := map[string]string{
+			"prepare-plug-plug": "unprepare-plug-plug",
+			"prepare-slot-slot": "unprepare-slot-slot",
+			"connect-plug-plug": "disconnect-plug-plug",
+			"connect-slot-slot": "disconnect-slot-slot",
+		}
+
+		testInterfaceHooksTasks(c, ts.Tasks(), hooks.waitChain, undoHooks)
+		s.state.Unlock()
+	}
+}
+
+func (s *interfaceManagerSuite) TestDisconnectTaskHooksConditionals(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	hooksTests := []interfaceHooksTestData{{
+		consumer:  []string{"disconnect-plug-plug"},
+		producer:  []string{"disconnect-slot-slot"},
+		waitChain: []string{"hook:disconnect-slot-slot", "hook:disconnect-plug-plug", "task:disconnect"},
+	}, {
+		producer:  []string{"disconnect-slot-slot"},
+		waitChain: []string{"hook:disconnect-slot-slot", "task:disconnect"},
+	}, {
+		consumer:  []string{"disconnect-plug-plug"},
+		waitChain: []string{"hook:disconnect-plug-plug", "task:disconnect"},
+	}, {
+		waitChain: []string{"task:disconnect"},
+	}}
+
+	_ = s.manager(c)
+	for _, hooks := range hooksTests {
+		var hooksYaml string
+		for _, name := range hooks.consumer {
+			hooksYaml = fmt.Sprintf("%s %s:\n", hooksYaml, name)
+		}
+		consumer := fmt.Sprintf(consumerYaml3, hooksYaml)
+
+		hooksYaml = ""
+		for _, name := range hooks.producer {
+			hooksYaml = fmt.Sprintf("%s %s:\n", hooksYaml, name)
+		}
+		producer := fmt.Sprintf(producerYaml3, hooksYaml)
+
+		plugSnap := s.mockSnap(c, consumer)
+		slotSnap := s.mockSnap(c, producer)
+
+		conn := &interfaces.Connection{
+			Plug: interfaces.NewConnectedPlug(plugSnap.Plugs["plug"], nil, nil),
+			Slot: interfaces.NewConnectedSlot(slotSnap.Slots["slot"], nil, nil),
+		}
+
+		s.state.Lock()
+
+		ts, err := ifacestate.Disconnect(s.state, conn)
+		c.Assert(err, IsNil)
+		c.Assert(ts.Tasks(), HasLen, len(hooks.producer)+len(hooks.consumer)+1)
+		c.Assert(ts.Tasks(), HasLen, len(hooks.waitChain))
+
+		undoHooks := map[string]string{
+			"disconnect-plug-plug": "connect-plug-plug",
+			"disconnect-slot-slot": "connect-slot-slot",
+		}
+
+		testInterfaceHooksTasks(c, ts.Tasks(), hooks.waitChain, undoHooks)
+		s.state.Unlock()
+	}
+}
+
+func (s *interfaceManagerSuite) TestParallelInstallConnectTask(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
+	s.mockSnapInstance(c, "consumer_foo", consumerYaml)
+	s.mockSnapInstance(c, "producer", producerYaml)
+	_ = s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	ts, err := ifacestate.Connect(s.state, "consumer_foo", "plug", "producer", "slot")
+	c.Assert(err, IsNil)
+
+	var hs hookstate.HookSetup
+	i := 0
+	task := ts.Tasks()[i]
+	c.Check(task.Kind(), Equals, "run-hook")
 	var hookSetup hookstate.HookSetup
 	err = task.Get("hook-setup", &hookSetup)
 	c.Assert(err, IsNil)
-	c.Assert(hookSetup, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "prepare-plug-plug", Optional: true})
+	c.Assert(hookSetup, Equals, hookstate.HookSetup{Snap: "consumer_foo", Hook: "prepare-plug-plug", Optional: true})
 	i++
 	task = ts.Tasks()[i]
 	c.Check(task.Kind(), Equals, "run-hook")
@@ -204,26 +560,38 @@
 	var plug interfaces.PlugRef
 	err = task.Get("plug", &plug)
 	c.Assert(err, IsNil)
-	c.Assert(plug.Snap, Equals, "consumer")
+	c.Assert(plug.Snap, Equals, "consumer_foo")
 	c.Assert(plug.Name, Equals, "plug")
 	var slot interfaces.SlotRef
 	err = task.Get("slot", &slot)
 	c.Assert(err, IsNil)
 	c.Assert(slot.Snap, Equals, "producer")
 	c.Assert(slot.Name, Equals, "slot")
+
 	var autoconnect bool
 	err = task.Get("auto", &autoconnect)
-	c.Assert(err, IsNil)
+	c.Assert(err, Equals, state.ErrNoState)
 	c.Assert(autoconnect, Equals, false)
 
 	// verify initial attributes are present in connect task
-	var attrs map[string]interface{}
-	err = task.Get("plug-attrs", &attrs)
+	var plugStaticAttrs map[string]interface{}
+	var plugDynamicAttrs map[string]interface{}
+	err = task.Get("plug-static", &plugStaticAttrs)
+	c.Assert(err, IsNil)
+	c.Assert(plugStaticAttrs, DeepEquals, map[string]interface{}{"attr1": "value1"})
+	err = task.Get("plug-dynamic", &plugDynamicAttrs)
 	c.Assert(err, IsNil)
-	c.Assert(attrs["attr1"], Equals, "value1")
-	err = task.Get("slot-attrs", &attrs)
+	c.Assert(plugDynamicAttrs, DeepEquals, map[string]interface{}{})
+
+	var slotStaticAttrs map[string]interface{}
+	var slotDynamicAttrs map[string]interface{}
+	err = task.Get("slot-static", &slotStaticAttrs)
+	c.Assert(err, IsNil)
+	c.Assert(slotStaticAttrs, DeepEquals, map[string]interface{}{"attr2": "value2"})
+	err = task.Get("slot-dynamic", &slotDynamicAttrs)
 	c.Assert(err, IsNil)
-	c.Assert(attrs["attr2"], Equals, "value2")
+	c.Assert(slotDynamicAttrs, DeepEquals, map[string]interface{}{})
+
 	i++
 	task = ts.Tasks()[i]
 	c.Check(task.Kind(), Equals, "run-hook")
@@ -235,7 +603,53 @@
 	c.Check(task.Kind(), Equals, "run-hook")
 	err = task.Get("hook-setup", &hs)
 	c.Assert(err, IsNil)
-	c.Assert(hs, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "connect-plug-plug", Optional: true})
+	c.Assert(hs, Equals, hookstate.HookSetup{Snap: "consumer_foo", Hook: "connect-plug-plug", Optional: true})
+}
+
+func (s *interfaceManagerSuite) TestConnectAlreadyConnected(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+	_ = s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	conns := map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{
+			"auto": false,
+		},
+	}
+	s.state.Set("conns", conns)
+
+	ts, err := ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
+	c.Assert(err, NotNil)
+	c.Assert(ts, IsNil)
+	alreadyConnected, ok := err.(*ifacestate.ErrAlreadyConnected)
+	c.Assert(ok, Equals, true)
+	c.Assert(alreadyConnected.Connection, DeepEquals, interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"}, SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}})
+	c.Assert(err, ErrorMatches, `already connected: "consumer:plug producer:slot"`)
+
+	conns = map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{
+			"auto":      true,
+			"undesired": true,
+		},
+	}
+	s.state.Set("conns", conns)
+
+	// ErrAlreadyConnected is not reported if connection exists but is undesired
+	ts, err = ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
+	c.Assert(err, IsNil)
+	c.Assert(ts, NotNil)
+
+	conns = map[string]interface{}{"consumer:plug producer:slot": map[string]interface{}{"hotplug-gone": true}}
+	s.state.Set("conns", conns)
+
+	// ErrAlreadyConnected is not reported if connection was removed by hotplug
+	ts, err = ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
+	c.Assert(err, IsNil)
+	c.Assert(ts, NotNil)
 }
 
 func (s *interfaceManagerSuite) testConnectDisconnectConflicts(c *C, f func(*state.State, string, string, string, string) (*state.TaskSet, error), snapName string, otherTaskKind string, expectedErr string) {
@@ -254,6 +668,27 @@
 	c.Assert(err, ErrorMatches, expectedErr)
 }
 
+func (s *interfaceManagerSuite) testDisconnectConflicts(c *C, snapName string, otherTaskKind string, expectedErr string) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("other-chg", "...")
+	t := s.state.NewTask(otherTaskKind, "...")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: snapName},
+	})
+	chg.AddTask(t)
+
+	conn := &interfaces.Connection{
+		Plug: interfaces.NewConnectedPlug(&snap.PlugInfo{Snap: &snap.Info{SuggestedName: "consumer"}, Name: "plug"}, nil, nil),
+		Slot: interfaces.NewConnectedSlot(&snap.SlotInfo{Snap: &snap.Info{SuggestedName: "producer"}, Name: "slot"}, nil, nil),
+	}
+
+	_, err := ifacestate.Disconnect(s.state, conn)
+	c.Assert(err, ErrorMatches, expectedErr)
+}
+
 func (s *interfaceManagerSuite) TestConnectConflictsPlugSnapOnLinkSnap(c *C) {
 	s.testConnectDisconnectConflicts(c, ifacestate.Connect, "consumer", "link-snap", `snap "consumer" has "other-chg" change in progress`)
 }
@@ -271,14 +706,14 @@
 }
 
 func (s *interfaceManagerSuite) TestDisconnectConflictsPlugSnapOnLink(c *C) {
-	s.testConnectDisconnectConflicts(c, ifacestate.Disconnect, "consumer", "link-snap", `snap "consumer" has "other-chg" change in progress`)
+	s.testDisconnectConflicts(c, "consumer", "link-snap", `snap "consumer" has "other-chg" change in progress`)
 }
 
 func (s *interfaceManagerSuite) TestDisconnectConflictsSlotSnapOnLink(c *C) {
-	s.testConnectDisconnectConflicts(c, ifacestate.Disconnect, "producer", "link-snap", `snap "producer" has "other-chg" change in progress`)
+	s.testDisconnectConflicts(c, "producer", "link-snap", `snap "producer" has "other-chg" change in progress`)
 }
 
-func (s *interfaceManagerSuite) TestConnectDoesntConflict(c *C) {
+func (s *interfaceManagerSuite) TestConnectDoesConflict(c *C) {
 	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
@@ -293,38 +728,77 @@
 	chg.AddTask(t)
 
 	_, err := ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
-	c.Assert(err, IsNil)
+	c.Assert(err, ErrorMatches, `snap "consumer" has "other-connect" change in progress`)
+
+	conn := &interfaces.Connection{
+		Plug: interfaces.NewConnectedPlug(&snap.PlugInfo{Snap: &snap.Info{SuggestedName: "consumer"}, Name: "plug"}, nil, nil),
+		Slot: interfaces.NewConnectedSlot(&snap.SlotInfo{Snap: &snap.Info{SuggestedName: "producer"}, Name: "slot"}, nil, nil),
+	}
+	_, err = ifacestate.Disconnect(s.state, conn)
+	c.Assert(err, ErrorMatches, `snap "consumer" has "other-connect" change in progress`)
+}
+
+func (s *interfaceManagerSuite) TestConnectBecomeOperationalNoConflict(c *C) {
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+
+	s.state.Lock()
+	defer s.state.Unlock()
 
-	_, err = ifacestate.Disconnect(s.state, "consumer", "plug", "producer", "slot")
+	chg := s.state.NewChange("become-operational", "...")
+	hooksup := &hookstate.HookSetup{
+		Snap: "producer",
+		Hook: "prepare-device",
+	}
+	t := hookstate.HookTask(s.state, "prep", hooksup, nil)
+	chg.AddTask(t)
+
+	_, err := ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
 	c.Assert(err, IsNil)
 }
 
-func (s *interfaceManagerSuite) TestAutoconnectDoesntConflictOnInstalledSnap(c *C) {
+func (s *interfaceManagerSuite) TestAutoconnectDoesntConflictOnInstallingDifferentSnap(c *C) {
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
 
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	sup := &snapstate.SnapSetup{
+	sup1 := &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
 			RealName: "consumer"},
 	}
+	sup2 := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "othersnap"},
+	}
 
 	chg := s.state.NewChange("install", "...")
 	t := s.state.NewTask("link-snap", "...")
-	t.Set("snap-setup", sup)
+	t.Set("snap-setup", sup2)
 	chg.AddTask(t)
 
 	t = s.state.NewTask("auto-connect", "...")
-	t.Set("snap-setup", sup)
+	t.Set("snap-setup", sup1)
 	chg.AddTask(t)
 
-	_, err := ifacestate.AutoConnect(s.state, chg, t, "consumer", "plug", "producer", "slot")
+	ignore, err := ifacestate.FindSymmetricAutoconnectTask(s.state, "consumer", "producer", t)
+	c.Assert(err, IsNil)
+	c.Assert(ignore, Equals, false)
+	c.Assert(ifacestate.CheckAutoconnectConflicts(s.state, t, "consumer", "producer"), IsNil)
+
+	ts, err := ifacestate.ConnectPriv(s.state, "consumer", "plug", "producer", "slot", ifacestate.NewConnectOptsWithAutoSet())
 	c.Assert(err, IsNil)
+	c.Assert(ts.Tasks(), HasLen, 5)
+	connectTask := ts.Tasks()[2]
+	c.Assert(connectTask.Kind(), Equals, "connect")
+	var auto bool
+	connectTask.Get("auto", &auto)
+	c.Assert(auto, Equals, true)
 }
 
-func (s *interfaceManagerSuite) testAutoConnectConflicts(c *C, conflictingKind string) {
+func (s *interfaceManagerSuite) createAutoconnectChange(c *C, conflictingTask *state.Task) error {
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
 
@@ -332,12 +806,11 @@
 	defer s.state.Unlock()
 
 	chg1 := s.state.NewChange("a change", "...")
-	t1 := s.state.NewTask(conflictingKind, "...")
-	t1.Set("snap-setup", &snapstate.SnapSetup{
+	conflictingTask.Set("snap-setup", &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
 			RealName: "consumer"},
 	})
-	chg1.AddTask(t1)
+	chg1.AddTask(conflictingTask)
 
 	chg := s.state.NewChange("other-chg", "...")
 	t2 := s.state.NewTask("auto-connect", "...")
@@ -348,20 +821,156 @@
 
 	chg.AddTask(t2)
 
-	_, err := ifacestate.AutoConnect(s.state, chg, t2, "consumer", "plug", "producer", "slot")
+	ignore, err := ifacestate.FindSymmetricAutoconnectTask(s.state, "consumer", "producer", t2)
+	c.Assert(err, IsNil)
+	c.Assert(ignore, Equals, false)
+
+	return ifacestate.CheckAutoconnectConflicts(s.state, t2, "consumer", "producer")
+}
+
+func (s *interfaceManagerSuite) testRetryError(c *C, err error) {
 	c.Assert(err, NotNil)
 	c.Assert(err, ErrorMatches, `task should be retried`)
+	rerr, ok := err.(*state.Retry)
+	c.Assert(ok, Equals, true)
+	c.Assert(rerr, NotNil)
 }
 
 func (s *interfaceManagerSuite) TestAutoconnectConflictOnUnlink(c *C) {
-	s.testAutoConnectConflicts(c, "unlink-snap")
+	s.state.Lock()
+	task := s.state.NewTask("unlink-snap", "")
+	s.state.Unlock()
+	err := s.createAutoconnectChange(c, task)
+	s.testRetryError(c, err)
 }
 
-func (s *interfaceManagerSuite) TestAutoconnectConflictOnLink(c *C) {
-	s.testAutoConnectConflicts(c, "link-snap")
+func (s *interfaceManagerSuite) TestAutoconnectConflictOnDiscardSnap(c *C) {
+	s.state.Lock()
+	task := s.state.NewTask("discard-snap", "")
+	s.state.Unlock()
+	err := s.createAutoconnectChange(c, task)
+	s.testRetryError(c, err)
+}
+
+func (s *interfaceManagerSuite) TestAutoconnectConflictOnLink(c *C) {
+	s.state.Lock()
+	task := s.state.NewTask("link-snap", "")
+	s.state.Unlock()
+	err := s.createAutoconnectChange(c, task)
+	s.testRetryError(c, err)
+}
+
+func (s *interfaceManagerSuite) TestAutoconnectConflictOnSetupProfiles(c *C) {
+	s.state.Lock()
+	task := s.state.NewTask("setup-profiles", "")
+	s.state.Unlock()
+	err := s.createAutoconnectChange(c, task)
+	s.testRetryError(c, err)
+}
+
+func (s *interfaceManagerSuite) TestSymmetricAutoconnectIgnore(c *C) {
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	sup1 := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "consumer"},
+	}
+	sup2 := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "producer"},
+	}
+
+	chg1 := s.state.NewChange("install", "...")
+	t1 := s.state.NewTask("auto-connect", "...")
+	t1.Set("snap-setup", sup1)
+	chg1.AddTask(t1)
+
+	chg2 := s.state.NewChange("install", "...")
+	t2 := s.state.NewTask("auto-connect", "...")
+	t2.Set("snap-setup", sup2)
+	chg2.AddTask(t2)
+
+	ignore, err := ifacestate.FindSymmetricAutoconnectTask(s.state, "consumer", "producer", t1)
+	c.Assert(err, IsNil)
+	c.Assert(ignore, Equals, true)
+
+	ignore, err = ifacestate.FindSymmetricAutoconnectTask(s.state, "consumer", "producer", t2)
+	c.Assert(err, IsNil)
+	c.Assert(ignore, Equals, true)
+}
+
+func (s *interfaceManagerSuite) TestAutoconnectConflictOnConnectWithAutoFlag(c *C) {
+	s.state.Lock()
+	task := s.state.NewTask("connect", "")
+	task.Set("slot", interfaces.SlotRef{Snap: "producer", Name: "slot"})
+	task.Set("plug", interfaces.PlugRef{Snap: "consumer", Name: "plug"})
+	task.Set("auto", true)
+	s.state.Unlock()
+
+	err := s.createAutoconnectChange(c, task)
+	c.Assert(err, NotNil)
+	c.Assert(err, ErrorMatches, `task should be retried`)
+}
+
+func (s *interfaceManagerSuite) TestAutoconnectRetryOnConnect(c *C) {
+	s.state.Lock()
+	task := s.state.NewTask("connect", "")
+	task.Set("slot", interfaces.SlotRef{Snap: "producer", Name: "slot"})
+	task.Set("plug", interfaces.PlugRef{Snap: "consumer", Name: "plug"})
+	task.Set("auto", false)
+	s.state.Unlock()
+
+	err := s.createAutoconnectChange(c, task)
+	c.Assert(err, ErrorMatches, `task should be retried`)
+}
+
+func (s *interfaceManagerSuite) TestAutoconnectIgnoresSetupProfilesPhase2(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+
+	_ = s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	sup := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			Revision: snap.R(1),
+			RealName: "consumer"},
+	}
+
+	chg := s.state.NewChange("install", "...")
+	t1 := s.state.NewTask("auto-connect", "...")
+	t1.Set("snap-setup", sup)
+
+	t2 := s.state.NewTask("setup-profiles", "...")
+	corePhase2 := true
+	t2.Set("core-phase-2", corePhase2)
+	t2.Set("snap-setup", sup)
+	t2.WaitFor(t1)
+	chg.AddTask(t1)
+	chg.AddTask(t2)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	// auto-connect task is done
+	c.Assert(t1.Status(), Equals, state.DoneStatus)
+	// change not finished because of hook tasks
+	c.Assert(chg.Status(), Equals, state.DoStatus)
 }
 
 func (s *interfaceManagerSuite) TestEnsureProcessesConnectTask(c *C) {
+	s.MockModel(c, nil)
+
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
@@ -405,7 +1014,9 @@
 	repo := s.manager(c).Repository()
 	ifaces := repo.Interfaces()
 	c.Assert(ifaces.Connections, HasLen, 1)
-	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
 }
 
 func (s *interfaceManagerSuite) TestConnectTaskCheckInterfaceMismatch(c *C) {
@@ -418,6 +1029,7 @@
 	change := s.state.NewChange("kind", "summary")
 	ts, err := ifacestate.Connect(s.state, "consumer", "otherplug", "producer", "slot")
 	c.Assert(err, IsNil)
+
 	c.Assert(ts.Tasks(), HasLen, 5)
 	c.Check(ts.Tasks()[2].Kind(), Equals, "connect")
 	ts.Tasks()[2].Set("snap-setup", &snapstate.SnapSetup{
@@ -466,10 +1078,12 @@
 }
 
 func (s *interfaceManagerSuite) TestConnectTaskCheckNotAllowed(c *C) {
+	s.MockModel(c, nil)
+
 	s.testConnectTaskCheck(c, func() {
-		s.mockSnapDecl(c, "consumer", "consumer-publisher", nil)
+		s.MockSnapDecl(c, "consumer", "consumer-publisher", nil)
 		s.mockSnap(c, consumerYaml)
-		s.mockSnapDecl(c, "producer", "producer-publisher", nil)
+		s.MockSnapDecl(c, "producer", "producer-publisher", nil)
 		s.mockSnap(c, producerYaml)
 	}, func(change *state.Change) {
 		c.Check(change.Err(), ErrorMatches, `(?s).*connection not allowed by slot rule of interface "test".*`)
@@ -482,6 +1096,8 @@
 }
 
 func (s *interfaceManagerSuite) TestConnectTaskCheckNotAllowedButNoDecl(c *C) {
+	s.MockModel(c, nil)
+
 	s.testConnectTaskCheck(c, func() {
 		s.mockSnap(c, consumerYaml)
 		s.mockSnap(c, producerYaml)
@@ -492,15 +1108,19 @@
 		repo := s.manager(c).Repository()
 		ifaces := repo.Interfaces()
 		c.Assert(ifaces.Connections, HasLen, 1)
-		c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+		c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+			PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+			SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
 	})
 }
 
 func (s *interfaceManagerSuite) TestConnectTaskCheckAllowed(c *C) {
+	s.MockModel(c, nil)
+
 	s.testConnectTaskCheck(c, func() {
-		s.mockSnapDecl(c, "consumer", "one-publisher", nil)
+		s.MockSnapDecl(c, "consumer", "one-publisher", nil)
 		s.mockSnap(c, consumerYaml)
-		s.mockSnapDecl(c, "producer", "one-publisher", nil)
+		s.MockSnapDecl(c, "producer", "one-publisher", nil)
 		s.mockSnap(c, producerYaml)
 	}, func(change *state.Change) {
 		c.Assert(change.Err(), IsNil)
@@ -509,7 +1129,9 @@
 		repo := s.manager(c).Repository()
 		ifaces := repo.Interfaces()
 		c.Assert(ifaces.Connections, HasLen, 1)
-		c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+		c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+			PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+			SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
 	})
 }
 
@@ -552,15 +1174,177 @@
 	check(change)
 }
 
+func (s *interfaceManagerSuite) TestConnectTaskCheckDeviceScopeNoStore(c *C) {
+	s.MockModel(c, nil)
+
+	s.testConnectTaskCheckDeviceScope(c, func(change *state.Change) {
+		c.Check(change.Err(), ErrorMatches, `(?s).*connection not allowed by plug rule of interface "test".*`)
+		c.Check(change.Status(), Equals, state.ErrorStatus)
+
+		repo := s.manager(c).Repository()
+		ifaces := repo.Interfaces()
+		c.Check(ifaces.Connections, HasLen, 0)
+	})
+}
+
+func (s *interfaceManagerSuite) TestConnectTaskCheckDeviceScopeWrongStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "other-store",
+	})
+
+	s.testConnectTaskCheckDeviceScope(c, func(change *state.Change) {
+		c.Check(change.Err(), ErrorMatches, `(?s).*connection not allowed by plug rule of interface "test".*`)
+		c.Check(change.Status(), Equals, state.ErrorStatus)
+
+		repo := s.manager(c).Repository()
+		ifaces := repo.Interfaces()
+		c.Check(ifaces.Connections, HasLen, 0)
+	})
+}
+
+func (s *interfaceManagerSuite) TestConnectTaskCheckDeviceScopeRightStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-store",
+	})
+
+	s.testConnectTaskCheckDeviceScope(c, func(change *state.Change) {
+		c.Assert(change.Err(), IsNil)
+		c.Check(change.Status(), Equals, state.DoneStatus)
+
+		repo := s.manager(c).Repository()
+		ifaces := repo.Interfaces()
+		c.Assert(ifaces.Connections, HasLen, 1)
+		c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+			PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+			SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+	})
+}
+
+func (s *interfaceManagerSuite) TestConnectTaskCheckDeviceScopeWrongFriendlyStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-substore",
+	})
+
+	s.MockStore(c, s.state, "my-substore", map[string]interface{}{
+		"friendly-stores": []interface{}{"other-store"},
+	})
+
+	s.testConnectTaskCheckDeviceScope(c, func(change *state.Change) {
+		c.Check(change.Err(), ErrorMatches, `(?s).*connection not allowed by plug rule of interface "test".*`)
+		c.Check(change.Status(), Equals, state.ErrorStatus)
+
+		repo := s.manager(c).Repository()
+		ifaces := repo.Interfaces()
+		c.Check(ifaces.Connections, HasLen, 0)
+	})
+}
+
+func (s *interfaceManagerSuite) TestConnectTaskCheckDeviceScopeRightFriendlyStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-substore",
+	})
+
+	s.MockStore(c, s.state, "my-substore", map[string]interface{}{
+		"friendly-stores": []interface{}{"my-store"},
+	})
+
+	s.testConnectTaskCheckDeviceScope(c, func(change *state.Change) {
+		c.Assert(change.Err(), IsNil)
+		c.Check(change.Status(), Equals, state.DoneStatus)
+
+		repo := s.manager(c).Repository()
+		ifaces := repo.Interfaces()
+		c.Assert(ifaces.Connections, HasLen, 1)
+		c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+			PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+			SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+	})
+}
+
+func (s *interfaceManagerSuite) testConnectTaskCheckDeviceScope(c *C, check func(*state.Change)) {
+	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
+type: base-declaration
+authority-id: canonical
+series: 16
+slots:
+  test:
+    allow-connection: false
+`))
+	defer restore()
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	s.MockSnapDecl(c, "producer", "one-publisher", nil)
+	s.mockSnap(c, producerYaml)
+	s.MockSnapDecl(c, "consumer", "one-publisher", map[string]interface{}{
+		"format": "3",
+		"plugs": map[string]interface{}{
+			"test": map[string]interface{}{
+				"allow-connection": map[string]interface{}{
+					"on-store": []interface{}{"my-store"},
+				},
+			},
+		},
+	})
+	s.mockSnap(c, consumerYaml)
+
+	s.manager(c)
+
+	s.state.Lock()
+	change := s.state.NewChange("kind", "summary")
+	ts, err := ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
+	c.Assert(err, IsNil)
+	c.Assert(ts.Tasks(), HasLen, 5)
+
+	change.AddAll(ts)
+	s.state.Unlock()
+
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	check(change)
+}
+
 func (s *interfaceManagerSuite) TestDisconnectTask(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
+	plugSnap := s.mockSnap(c, consumerYaml)
+	slotSnap := s.mockSnap(c, producerYaml)
+
+	conn := &interfaces.Connection{
+		Plug: interfaces.NewConnectedPlug(plugSnap.Plugs["plug"], nil, map[string]interface{}{"attr3": "value3"}),
+		Slot: interfaces.NewConnectedSlot(slotSnap.Slots["slot"], nil, map[string]interface{}{"attr4": "value4"}),
+	}
+
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	ts, err := ifacestate.Disconnect(s.state, "consumer", "plug", "producer", "slot")
+	ts, err := ifacestate.Disconnect(s.state, conn)
 	c.Assert(err, IsNil)
+	c.Assert(ts.Tasks(), HasLen, 3)
 
+	var hookSetup, undoHookSetup hookstate.HookSetup
 	task := ts.Tasks()[0]
+	c.Assert(task.Kind(), Equals, "run-hook")
+	c.Assert(task.Get("hook-setup", &hookSetup), IsNil)
+	c.Assert(hookSetup, Equals, hookstate.HookSetup{Snap: "producer", Hook: "disconnect-slot-slot", Optional: true, IgnoreError: false})
+	c.Assert(task.Get("undo-hook-setup", &undoHookSetup), IsNil)
+	c.Assert(undoHookSetup, Equals, hookstate.HookSetup{Snap: "producer", Hook: "connect-slot-slot", Optional: true, IgnoreError: false})
+
+	task = ts.Tasks()[1]
+	c.Assert(task.Kind(), Equals, "run-hook")
+	err = task.Get("hook-setup", &hookSetup)
+	c.Assert(err, IsNil)
+	c.Assert(hookSetup, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "disconnect-plug-plug", Optional: true})
+	c.Assert(task.Get("undo-hook-setup", &undoHookSetup), IsNil)
+	c.Assert(undoHookSetup, Equals, hookstate.HookSetup{Snap: "consumer", Hook: "connect-plug-plug", Optional: true, IgnoreError: false})
+
+	task = ts.Tasks()[2]
 	c.Assert(task.Kind(), Equals, "disconnect")
+	var autoDisconnect bool
+	c.Assert(task.Get("auto-disconnect", &autoDisconnect), Equals, state.ErrNoState)
+	c.Assert(autoDisconnect, Equals, false)
+
 	var plug interfaces.PlugRef
 	err = task.Get("plug", &plug)
 	c.Assert(err, IsNil)
@@ -571,6 +1355,19 @@
 	c.Assert(err, IsNil)
 	c.Assert(slot.Snap, Equals, "producer")
 	c.Assert(slot.Name, Equals, "slot")
+
+	// verify connection attributes are present in the disconnect task
+	var plugStaticAttrs1, plugDynamicAttrs1, slotStaticAttrs1, slotDynamicAttrs1 map[string]interface{}
+
+	c.Assert(task.Get("plug-static", &plugStaticAttrs1), IsNil)
+	c.Assert(plugStaticAttrs1, DeepEquals, map[string]interface{}{"attr1": "value1"})
+	c.Assert(task.Get("plug-dynamic", &plugDynamicAttrs1), IsNil)
+	c.Assert(plugDynamicAttrs1, DeepEquals, map[string]interface{}{"attr3": "value3"})
+
+	c.Assert(task.Get("slot-static", &slotStaticAttrs1), IsNil)
+	c.Assert(slotStaticAttrs1, DeepEquals, map[string]interface{}{"attr2": "value2"})
+	c.Assert(task.Get("slot-dynamic", &slotDynamicAttrs1), IsNil)
+	c.Assert(slotDynamicAttrs1, DeepEquals, map[string]interface{}{"attr4": "value4"})
 }
 
 // Disconnect works when both plug and slot are specified
@@ -578,6 +1375,16 @@
 	s.testDisconnect(c, "consumer", "plug", "producer", "slot")
 }
 
+func (s *interfaceManagerSuite) getConnection(c *C, plugSnap, plugName, slotSnap, slotName string) *interfaces.Connection {
+	conn, err := s.manager(c).Repository().Connection(&interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: plugSnap, Name: plugName},
+		SlotRef: interfaces.SlotRef{Snap: slotSnap, Name: slotName},
+	})
+	c.Assert(err, IsNil)
+	c.Assert(conn, NotNil)
+	return conn
+}
+
 func (s *interfaceManagerSuite) testDisconnect(c *C, plugSnap, plugName, slotSnap, slotName string) {
 	// Put two snaps in place They consumer has an plug that can be connected
 	// to slot on the producer.
@@ -596,10 +1403,12 @@
 	// Initialize the manager. This registers both snaps and reloads the connection.
 	mgr := s.manager(c)
 
+	conn := s.getConnection(c, plugSnap, plugName, slotSnap, slotName)
+
 	// Run the disconnect task and let it finish.
 	s.state.Lock()
 	change := s.state.NewChange("disconnect", "...")
-	ts, err := ifacestate.Disconnect(s.state, plugSnap, plugName, slotSnap, slotName)
+	ts, err := ifacestate.Disconnect(s.state, conn)
 	ts.Tasks()[0].Set("snap-setup", &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
 			RealName: "consumer",
@@ -609,15 +1418,16 @@
 	c.Assert(err, IsNil)
 	change.AddAll(ts)
 	s.state.Unlock()
-	mgr.Ensure()
-	mgr.Wait()
+
+	s.settle(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
 
 	// Ensure that the task succeeded.
 	c.Assert(change.Err(), IsNil)
-	task := change.Tasks()[0]
+	c.Assert(change.Tasks(), HasLen, 3)
+	task := change.Tasks()[2]
 	c.Check(task.Kind(), Equals, "disconnect")
 	c.Check(task.Status(), Equals, state.DoneStatus)
 
@@ -637,96 +1447,189 @@
 	// Ensure that the backend was used to setup security of both snaps
 	c.Assert(s.secBackend.SetupCalls, HasLen, 2)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, "consumer")
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, "producer")
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, "consumer")
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, "producer")
 
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{})
 	c.Check(s.secBackend.SetupCalls[1].Options, Equals, interfaces.ConfinementOptions{})
 }
 
-func (s *interfaceManagerSuite) mockIface(c *C, iface interfaces.Interface) {
-	s.extraIfaces = append(s.extraIfaces, iface)
-}
-
-func (s *interfaceManagerSuite) mockIfaces(c *C, ifaces ...interfaces.Interface) {
-	s.extraIfaces = append(s.extraIfaces, ifaces...)
-}
+func (s *interfaceManagerSuite) TestDisconnectUndo(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
 
-func (s *interfaceManagerSuite) mockSnapDecl(c *C, name, publisher string, extraHeaders map[string]interface{}) {
-	_, err := s.db.Find(asserts.AccountType, map[string]string{
-		"account-id": publisher,
-	})
-	if asserts.IsNotFound(err) {
-		acct := assertstest.NewAccount(s.storeSigning, publisher, map[string]interface{}{
-			"account-id": publisher,
-		}, "")
-		err = s.db.Add(acct)
+	connState := map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{
+			"interface":    "test",
+			"slot-static":  map[string]interface{}{"attr1": "value1"},
+			"slot-dynamic": map[string]interface{}{"attr2": "value2"},
+			"plug-static":  map[string]interface{}{"attr3": "value3"},
+			"plug-dynamic": map[string]interface{}{"attr4": "value4"},
+		},
 	}
-	c.Assert(err, IsNil)
 
-	headers := map[string]interface{}{
-		"series":       "16",
-		"snap-name":    name,
-		"publisher-id": publisher,
-		"snap-id":      (name + strings.Repeat("id", 16))[:32],
-		"timestamp":    time.Now().Format(time.RFC3339),
-	}
-	for k, v := range extraHeaders {
-		headers[k] = v
-	}
+	s.state.Lock()
+	s.state.Set("conns", connState)
+	s.state.Unlock()
 
-	snapDecl, err := s.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
-	c.Assert(err, IsNil)
+	// Initialize the manager. This registers both snaps and reloads the connection.
+	_ = s.manager(c)
 
-	err = s.db.Add(snapDecl)
-	c.Assert(err, IsNil)
-}
+	conn := s.getConnection(c, "consumer", "plug", "producer", "slot")
 
-func (s *interfaceManagerSuite) mockSnap(c *C, yamlText string) *snap.Info {
-	sideInfo := &snap.SideInfo{
-		Revision: snap.R(1),
-	}
-	snapInfo := snaptest.MockSnap(c, yamlText, sideInfo)
-	sideInfo.RealName = snapInfo.Name()
+	// Run the disconnect task and let it finish.
+	s.state.Lock()
+	change := s.state.NewChange("disconnect", "...")
+	ts, err := ifacestate.Disconnect(s.state, conn)
 
-	a, err := s.db.FindMany(asserts.SnapDeclarationType, map[string]string{
-		"snap-name": sideInfo.RealName,
-	})
-	if err == nil {
-		decl := a[0].(*asserts.SnapDeclaration)
-		snapInfo.SnapID = decl.SnapID()
-		sideInfo.SnapID = decl.SnapID()
-	} else if asserts.IsNotFound(err) {
-		err = nil
-	}
 	c.Assert(err, IsNil)
+	change.AddAll(ts)
+	terr := s.state.NewTask("error-trigger", "provoking total undo")
+	terr.WaitAll(ts)
+	change.AddTask(terr)
+	c.Assert(change.Tasks(), HasLen, 4)
+	s.state.Unlock()
+
+	s.settle(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	// Put a side info into the state
-	snapstate.Set(s.state, snapInfo.Name(), &snapstate.SnapState{
-		Active:   true,
-		Sequence: []*snap.SideInfo{sideInfo},
-		Current:  sideInfo.Revision,
-	})
-	return snapInfo
+	// Ensure that disconnect tasks were undone
+	for _, t := range ts.Tasks() {
+		c.Assert(t.Status(), Equals, state.UndoneStatus)
+	}
+
+	var conns map[string]interface{}
+	c.Assert(s.state.Get("conns", &conns), IsNil)
+	c.Assert(conns, DeepEquals, connState)
+
+	_ = s.getConnection(c, "consumer", "plug", "producer", "slot")
 }
 
-func (s *interfaceManagerSuite) mockUpdatedSnap(c *C, yamlText string, revision int) *snap.Info {
-	sideInfo := &snap.SideInfo{Revision: snap.R(revision)}
-	snapInfo := snaptest.MockSnap(c, yamlText, sideInfo)
-	sideInfo.RealName = snapInfo.Name()
+func (s *interfaceManagerSuite) TestStaleConnectionsIgnoredInReloadConnections(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
 
+	// Put a stray connection in the state so that it automatically gets set up
+	// when we create the manager.
 	s.state.Lock()
-	defer s.state.Unlock()
-
-	// Put the new revision (stored in SideInfo) into the state
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{"interface": "test"},
+	})
+	s.state.Unlock()
+
+	restore := ifacestate.MockRemoveStaleConnections(func(s *state.State) error { return nil })
+	defer restore()
+	mgr := s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// Ensure that nothing got connected.
+	repo := mgr.Repository()
+	ifaces := repo.Interfaces()
+	c.Assert(ifaces.Connections, HasLen, 0)
+
+	// Ensure that nothing to setup.
+	c.Assert(s.secBackend.SetupCalls, HasLen, 0)
+	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
+
+	// Ensure that nothing, crucially, got logged about that connection.
+	// We still have an error logged about the system key but this is just
+	// a bit of test mocking missing.
+	logLines := strings.Split(s.log.String(), "\n")
+	c.Assert(logLines, HasLen, 2)
+	c.Assert(logLines[0], testutil.Contains, "error trying to compare the snap system key:")
+	c.Assert(logLines[1], Equals, "")
+}
+
+func (s *interfaceManagerSuite) TestStaleConnectionsRemoved(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	s.state.Lock()
+	// Add stale connection to the state
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{"interface": "test"},
+	})
+	s.state.Unlock()
+
+	// Create the manager, this removes stale connections
+	mgr := s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// Ensure that nothing got connected and connection was removed
+	var conns map[string]interface{}
+	err := s.state.Get("conns", &conns)
+	c.Assert(err, IsNil)
+	c.Check(conns, HasLen, 0)
+
+	repo := mgr.Repository()
+	ifaces := repo.Interfaces()
+	c.Assert(ifaces.Connections, HasLen, 0)
+}
+
+func (s *interfaceManagerSuite) mockIface(c *C, iface interfaces.Interface) {
+	s.extraIfaces = append(s.extraIfaces, iface)
+}
+
+func (s *interfaceManagerSuite) mockIfaces(c *C, ifaces ...interfaces.Interface) {
+	s.extraIfaces = append(s.extraIfaces, ifaces...)
+}
+
+func (s *interfaceManagerSuite) mockSnap(c *C, yamlText string) *snap.Info {
+	return s.mockSnapInstance(c, "", yamlText)
+}
+
+func (s *interfaceManagerSuite) mockSnapInstance(c *C, instanceName, yamlText string) *snap.Info {
+	sideInfo := &snap.SideInfo{
+		Revision: snap.R(1),
+	}
+	snapInfo := snaptest.MockSnapInstance(c, instanceName, yamlText, sideInfo)
+	sideInfo.RealName = snapInfo.SnapName()
+
+	a, err := s.Db.FindMany(asserts.SnapDeclarationType, map[string]string{
+		"snap-name": sideInfo.RealName,
+	})
+	if err == nil {
+		decl := a[0].(*asserts.SnapDeclaration)
+		snapInfo.SnapID = decl.SnapID()
+		sideInfo.SnapID = decl.SnapID()
+	} else if asserts.IsNotFound(err) {
+		err = nil
+	}
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// Put a side info into the state
+	snapstate.Set(s.state, snapInfo.InstanceName(), &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{sideInfo},
+		Current:     sideInfo.Revision,
+		SnapType:    string(snapInfo.Type),
+		InstanceKey: snapInfo.InstanceKey,
+	})
+	return snapInfo
+}
+
+func (s *interfaceManagerSuite) mockUpdatedSnap(c *C, yamlText string, revision int) *snap.Info {
+	sideInfo := &snap.SideInfo{Revision: snap.R(revision)}
+	snapInfo := snaptest.MockSnap(c, yamlText, sideInfo)
+	sideInfo.RealName = snapInfo.SnapName()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// Put the new revision (stored in SideInfo) into the state
 	var snapst snapstate.SnapState
-	err := snapstate.Get(s.state, snapInfo.Name(), &snapst)
+	err := snapstate.Get(s.state, snapInfo.InstanceName(), &snapst)
 	c.Assert(err, IsNil)
 	snapst.Sequence = append(snapst.Sequence, sideInfo)
-	snapstate.Set(s.state, snapInfo.Name(), &snapst)
+	snapstate.Set(s.state, snapInfo.InstanceName(), &snapst)
 
 	return snapInfo
 }
@@ -766,7 +1669,7 @@
 	return change
 }
 
-func (s *interfaceManagerSuite) addDiscardConnsChange(c *C, snapName string) *state.Change {
+func (s *interfaceManagerSuite) addDiscardConnsChange(c *C, snapName string) (*state.Change, *state.Task) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -780,7 +1683,7 @@
 	taskset := state.NewTaskSet(task)
 	change := s.state.NewChange("test", "")
 	change.AddAll(taskset)
-	return change
+	return change, task
 }
 
 var ubuntuCoreSnapYaml = `
@@ -815,6 +1718,15 @@
   attr1: value1
  otherplug:
   interface: test2
+hooks:
+ prepare-plug-plug:
+ unprepare-plug-plug:
+ connect-plug-plug:
+ disconnect-plug-plug:
+ prepare-plug-otherplug:
+ unprepare-plug-otherplug:
+ connect-plug-otherplug:
+ disconnect-plug-otherplug:
 `
 
 var consumer2Yaml = `
@@ -826,6 +1738,16 @@
   attr1: value1
 `
 
+var consumerYaml3 = `
+name: consumer
+version: 1
+plugs:
+ plug:
+  interface: test
+hooks:
+%s
+`
+
 var producerYaml = `
 name: producer
 version: 1
@@ -833,6 +1755,11 @@
  slot:
   interface: test
   attr2: value2
+hooks:
+  prepare-slot-slot:
+  unprepare-slot-slot:
+  connect-slot-slot:
+  disconnect-slot-slot:
 `
 
 var producer2Yaml = `
@@ -842,6 +1769,17 @@
  slot:
   interface: test
   attr2: value2
+  number: 1
+`
+
+var producerYaml3 = `
+name: producer
+version: 1
+slots:
+ slot:
+  interface: test
+hooks:
+%s
 `
 
 var httpdSnapYaml = `name: httpd
@@ -851,10 +1789,37 @@
   interface: network
 `
 
-// The setup-profiles task will not auto-connect an plug that was previously
+var selfconnectSnapYaml = `
+name: producerconsumer
+version: 1
+slots:
+ slot:
+  interface: test
+plugs:
+ plug:
+  interface: test
+hooks:
+ prepare-plug-plug:
+ unprepare-plug-plug:
+ connect-plug-plug:
+ disconnect-plug-plug:
+ prepare-slot-slot:
+ unprepare-slot-slot:
+ connect-slot-slot:
+ disconnect-slot-slot:
+`
+
+// The auto-connect task will not auto-connect a plug that was previously
 // explicitly disconnected by the user.
-func (s *interfaceManagerSuite) TestDoSetupSnapSecurityHonorsDisconnect(c *C) {
-	c.Skip("feature disabled until redesign/reimpl")
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityHonorsUndesiredFlag(c *C) {
+	s.state.Lock()
+	s.state.Set("conns", map[string]interface{}{
+		"snap:network ubuntu-core:network": map[string]interface{}{
+			"undesired": true,
+		},
+	})
+	s.state.Unlock()
+
 	// Add an OS snap as well as a sample snap with a "network" plug.
 	// The plug is normally auto-connected.
 	s.mockSnap(c, ubuntuCoreSnapYaml)
@@ -866,13 +1831,12 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
-	mgr.Ensure()
-	mgr.Wait()
-	mgr.Stop()
+
+	s.settle(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -880,13 +1844,16 @@
 	// Ensure that the task succeeded
 	c.Assert(change.Status(), Equals, state.DoneStatus)
 
-	// Ensure that "network" is not saved in the state as auto-connected.
 	var conns map[string]interface{}
 	err := s.state.Get("conns", &conns)
 	c.Assert(err, IsNil)
-	c.Check(conns, HasLen, 0)
+	c.Check(conns, DeepEquals, map[string]interface{}{
+		"snap:network ubuntu-core:network": map[string]interface{}{
+			"undesired": true,
+		},
+	})
 
-	// Ensure that "network" is really disconnected.
+	// Ensure that "network" is not connected
 	repo := mgr.Repository()
 	plug := repo.Plug("snap", "network")
 	c.Assert(plug, Not(IsNil))
@@ -894,8 +1861,10 @@
 	c.Assert(ifaces.Connections, HasLen, 0)
 }
 
-// The setup-profiles task will auto-connect plugs with viable candidates.
+// The auto-connect task will auto-connect plugs with viable candidates.
 func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsPlugs(c *C) {
+	s.MockModel(c, nil)
+
 	// Add an OS snap.
 	s.mockSnap(c, ubuntuCoreSnapYaml)
 
@@ -908,7 +1877,7 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -938,8 +1907,10 @@
 	c.Assert(ifaces.Connections, HasLen, 1) //FIXME add deep eq
 }
 
-// The setup-profiles task will auto-connect slots with viable candidates.
+// The auto-connect task will auto-connect slots with viable candidates.
 func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsSlots(c *C) {
+	s.MockModel(c, nil)
+
 	// Mock the interface that will be used by the test
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	// Add an OS snap.
@@ -956,7 +1927,7 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -975,6 +1946,8 @@
 	c.Check(conns, DeepEquals, map[string]interface{}{
 		"consumer:plug producer:slot": map[string]interface{}{
 			"interface": "test", "auto": true,
+			"plug-static": map[string]interface{}{"attr1": "value1"},
+			"slot-static": map[string]interface{}{"attr2": "value2"},
 		},
 	})
 
@@ -984,11 +1957,15 @@
 	c.Assert(slot, Not(IsNil))
 	ifaces := repo.Interfaces()
 	c.Assert(ifaces.Connections, HasLen, 1)
-	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
 }
 
-// The setup-profiles task will auto-connect slots with viable multiple candidates.
+// The auto-connect task will auto-connect slots with viable multiple candidates.
 func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsSlotsMultiplePlugs(c *C) {
+	s.MockModel(c, nil)
+
 	// Mock the interface that will be used by the test
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	// Add an OS snap.
@@ -1007,7 +1984,7 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -1026,9 +2003,13 @@
 	c.Check(conns, DeepEquals, map[string]interface{}{
 		"consumer:plug producer:slot": map[string]interface{}{
 			"interface": "test", "auto": true,
+			"plug-static": map[string]interface{}{"attr1": "value1"},
+			"slot-static": map[string]interface{}{"attr2": "value2"},
 		},
 		"consumer2:plug producer:slot": map[string]interface{}{
 			"interface": "test", "auto": true,
+			"plug-static": map[string]interface{}{"attr1": "value1"},
+			"slot-static": map[string]interface{}{"attr2": "value2"},
 		},
 	})
 
@@ -1039,12 +2020,12 @@
 	ifaces := repo.Interfaces()
 	c.Assert(ifaces.Connections, HasLen, 2)
 	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{
-		{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}},
-		{interfaces.PlugRef{Snap: "consumer2", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}},
+		{PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"}, SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}},
+		{PlugRef: interfaces.PlugRef{Snap: "consumer2", Name: "plug"}, SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}},
 	})
 }
 
-// The setup-profiles task will not auto-connect slots if viable alternative slots are present.
+// The auto-connect task will not auto-connect slots if viable alternative slots are present.
 func (s *interfaceManagerSuite) TestDoSetupSnapSecurityNoAutoConnectSlotsIfAlternative(c *C) {
 	// Mock the interface that will be used by the test
 	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
@@ -1065,7 +2046,7 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -1084,19 +2065,23 @@
 	c.Check(conns, HasLen, 0)
 }
 
-// The setup-profiles task will auto-connect plugs with viable candidates also condidering snap declarations.
+// The auto-connect task will auto-connect plugs with viable candidates also condidering snap declarations.
 func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsDeclBased(c *C) {
+	s.MockModel(c, nil)
+
 	s.testDoSetupSnapSecurityAutoConnectsDeclBased(c, true, func(conns map[string]interface{}, repoConns []*interfaces.ConnRef) {
 		// Ensure that "test" plug is now saved in the state as auto-connected.
 		c.Check(conns, DeepEquals, map[string]interface{}{
-			"consumer:plug producer:slot": map[string]interface{}{"auto": true, "interface": "test"},
-		})
+			"consumer:plug producer:slot": map[string]interface{}{"auto": true, "interface": "test",
+				"plug-static": map[string]interface{}{"attr1": "value1"},
+				"slot-static": map[string]interface{}{"attr2": "value2"},
+			}})
 		// Ensure that "test" is really connected.
 		c.Check(repoConns, HasLen, 1)
 	})
 }
 
-// The setup-profiles task will *not* auto-connect plugs with viable candidates when snap declarations are missing.
+// The auto-connect task will *not* auto-connect plugs with viable candidates when snap declarations are missing.
 func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsDeclBasedWhenMissingDecl(c *C) {
 	s.testDoSetupSnapSecurityAutoConnectsDeclBased(c, false, func(conns map[string]interface{}, repoConns []*interfaces.ConnRef) {
 		// Ensure nothing is connected.
@@ -1119,7 +2104,7 @@
 	defer restore()
 	// Add the producer snap
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
-	s.mockSnapDecl(c, "producer", "one-publisher", nil)
+	s.MockSnapDecl(c, "producer", "one-publisher", nil)
 	s.mockSnap(c, producerYaml)
 
 	// Initialize the manager. This registers the producer snap.
@@ -1127,14 +2112,168 @@
 
 	// Add a sample snap with a plug with the "test" interface which should be auto-connected.
 	if withDecl {
-		s.mockSnapDecl(c, "consumer", "one-publisher", nil)
+		s.MockSnapDecl(c, "consumer", "one-publisher", nil)
 	}
 	snapInfo := s.mockSnap(c, consumerYaml)
 
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
+			SnapID:   snapInfo.SnapID,
+			Revision: snapInfo.Revision,
+		},
+	})
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// Ensure that the task succeeded.
+	c.Assert(change.Status(), Equals, state.DoneStatus)
+
+	var conns map[string]interface{}
+	_ = s.state.Get("conns", &conns)
+
+	repo := mgr.Repository()
+	plug := repo.Plug("consumer", "plug")
+	c.Assert(plug, Not(IsNil))
+
+	check(conns, repo.Interfaces().Connections)
+}
+
+// The auto-connect task will check snap declarations providing the
+// model assertion to fulfill device scope constraints: here no store
+// in the model assertion fails an on-store constraint.
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScopeNoStore(c *C) {
+
+	s.MockModel(c, nil)
+
+	s.testDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScope(c, func(conns map[string]interface{}, repoConns []*interfaces.ConnRef) {
+		// Ensure nothing is connected.
+		c.Check(conns, HasLen, 0)
+		c.Check(repoConns, HasLen, 0)
+	})
+}
+
+// The auto-connect task will check snap declarations providing the
+// model assertion to fulfill device scope constraints: here the wrong
+// store in the model assertion fails an on-store constraint.
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScopeWrongStore(c *C) {
+
+	s.MockModel(c, map[string]interface{}{
+		"store": "other-store",
+	})
+
+	s.testDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScope(c, func(conns map[string]interface{}, repoConns []*interfaces.ConnRef) {
+		// Ensure nothing is connected.
+		c.Check(conns, HasLen, 0)
+		c.Check(repoConns, HasLen, 0)
+	})
+}
+
+// The auto-connect task will check snap declarations providing the
+// model assertion to fulfill device scope constraints: here the right
+// store in the model assertion passes an on-store constraint.
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScopeRightStore(c *C) {
+
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-store",
+	})
+
+	s.testDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScope(c, func(conns map[string]interface{}, repoConns []*interfaces.ConnRef) {
+		// Ensure that "test" plug is now saved in the state as auto-connected.
+		c.Check(conns, DeepEquals, map[string]interface{}{
+			"consumer:plug producer:slot": map[string]interface{}{"auto": true, "interface": "test",
+				"plug-static": map[string]interface{}{"attr1": "value1"},
+				"slot-static": map[string]interface{}{"attr2": "value2"},
+			}})
+		// Ensure that "test" is really connected.
+		c.Check(repoConns, HasLen, 1)
+	})
+}
+
+// The auto-connect task will check snap declarations providing the
+// model assertion to fulfill device scope constraints: here the
+// wrong "friendly store"s of the store in the model assertion fail an
+// on-store constraint.
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScopeWrongFriendlyStore(c *C) {
+
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-substore",
+	})
+
+	s.MockStore(c, s.state, "my-substore", map[string]interface{}{
+		"friendly-stores": []interface{}{"other-store"},
+	})
+
+	s.testDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScope(c, func(conns map[string]interface{}, repoConns []*interfaces.ConnRef) {
+		// Ensure nothing is connected.
+		c.Check(conns, HasLen, 0)
+		c.Check(repoConns, HasLen, 0)
+	})
+}
+
+// The auto-connect task will check snap declarations providing the
+// model assertion to fulfill device scope constraints: here a
+// "friendly store" of the store in the model assertion passes an
+// on-store constraint.
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScopeFriendlyStore(c *C) {
+
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-substore",
+	})
+
+	s.MockStore(c, s.state, "my-substore", map[string]interface{}{
+		"friendly-stores": []interface{}{"my-store"},
+	})
+
+	s.testDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScope(c, func(conns map[string]interface{}, repoConns []*interfaces.ConnRef) {
+		// Ensure that "test" plug is now saved in the state as auto-connected.
+		c.Check(conns, DeepEquals, map[string]interface{}{
+			"consumer:plug producer:slot": map[string]interface{}{"auto": true, "interface": "test",
+				"plug-static": map[string]interface{}{"attr1": "value1"},
+				"slot-static": map[string]interface{}{"attr2": "value2"},
+			}})
+		// Ensure that "test" is really connected.
+		c.Check(repoConns, HasLen, 1)
+	})
+}
+
+func (s *interfaceManagerSuite) testDoSetupSnapSecurityAutoConnectsDeclBasedDeviceScope(c *C, check func(map[string]interface{}, []*interfaces.ConnRef)) {
+	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
+type: base-declaration
+authority-id: canonical
+series: 16
+slots:
+  test:
+    allow-auto-connection: false
+`))
+	defer restore()
+	// Add the producer snap
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.MockSnapDecl(c, "producer", "one-publisher", nil)
+	s.mockSnap(c, producerYaml)
+
+	// Initialize the manager. This registers the producer snap.
+	mgr := s.manager(c)
+
+	s.MockSnapDecl(c, "consumer", "one-publisher", map[string]interface{}{
+		"format": "3",
+		"plugs": map[string]interface{}{
+			"test": map[string]interface{}{
+				"allow-auto-connection": map[string]interface{}{
+					"on-store": []interface{}{"my-store"},
+				},
+			},
+		},
+	})
+	snapInfo := s.mockSnap(c, consumerYaml)
+
+	// Run the setup-snap-security task and let it finish.
+	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: snapInfo.SnapName(),
 			SnapID:   snapInfo.SnapID,
 			Revision: snapInfo.Revision,
 		},
@@ -1159,7 +2298,9 @@
 
 // The setup-profiles task will only touch connection state for the task it
 // operates on or auto-connects to and will leave other state intact.
-func (s *interfaceManagerSuite) TestDoSetupSnapSecuirtyKeepsExistingConnectionState(c *C) {
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityKeepsExistingConnectionState(c *C) {
+	s.MockModel(c, nil)
+
 	// Add an OS snap in place.
 	s.mockSnap(c, ubuntuCoreSnapYaml)
 
@@ -1181,7 +2322,7 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -1209,6 +2350,42 @@
 	})
 }
 
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityIgnoresStrayConnection(c *C) {
+	// Add an OS snap
+	snapInfo := s.mockSnap(c, ubuntuCoreSnapYaml)
+
+	_ = s.manager(c)
+
+	// Put fake information about connections for another snap into the state.
+	s.state.Lock()
+	s.state.Set("conns", map[string]interface{}{
+		"removed-snap:network ubuntu-core:network": map[string]interface{}{
+			"interface": "network",
+		},
+	})
+	s.state.Unlock()
+
+	// Run the setup-snap-security task and let it finish.
+	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: snapInfo.SnapName(),
+			Revision: snapInfo.Revision,
+		},
+	})
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// Ensure that the task succeeded.
+	c.Assert(change.Status(), Equals, state.DoneStatus)
+
+	// Ensure that the tasks don't report errors caused by bad connections
+	for _, t := range change.Tasks() {
+		c.Assert(t.Log(), HasLen, 0)
+	}
+}
+
 // The setup-profiles task will add implicit slots necessary for the OS snap.
 func (s *interfaceManagerSuite) TestDoSetupProfilesAddsImplicitSlots(c *C) {
 	// Initialize the manager.
@@ -1220,7 +2397,7 @@
 	// Run the setup-profiles task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -1234,46 +2411,46 @@
 
 	// Ensure that we have slots on the OS snap.
 	repo := mgr.Repository()
-	slots := repo.Slots(snapInfo.Name())
+	slots := repo.Slots(snapInfo.InstanceName())
 	// NOTE: This is not an exact test as it duplicates functionality elsewhere
 	// and is was a pain to update each time. This is correctly handled by the
 	// implicit slot tests in snap/implicit_test.go
 	c.Assert(len(slots) > 18, Equals, true)
 }
 
-func (s *interfaceManagerSuite) TestDoSetupSnapSecuirtyReloadsConnectionsWhenInvokedOnPlugSide(c *C) {
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityReloadsConnectionsWhenInvokedOnPlugSide(c *C) {
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	snapInfo := s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
-	s.testDoSetupSnapSecuirtyReloadsConnectionsWhenInvokedOn(c, snapInfo.Name(), snapInfo.Revision)
+	s.testDoSetupSnapSecurityReloadsConnectionsWhenInvokedOn(c, snapInfo.InstanceName(), snapInfo.Revision)
 
 	// Ensure that the backend was used to setup security of both snaps
 	c.Assert(s.secBackend.SetupCalls, HasLen, 2)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, "consumer")
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, "producer")
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, "consumer")
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, "producer")
 
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{})
 	c.Check(s.secBackend.SetupCalls[1].Options, Equals, interfaces.ConfinementOptions{})
 }
 
-func (s *interfaceManagerSuite) TestDoSetupSnapSecuirtyReloadsConnectionsWhenInvokedOnSlotSide(c *C) {
+func (s *interfaceManagerSuite) TestDoSetupSnapSecurityReloadsConnectionsWhenInvokedOnSlotSide(c *C) {
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	s.mockSnap(c, consumerYaml)
 	snapInfo := s.mockSnap(c, producerYaml)
-	s.testDoSetupSnapSecuirtyReloadsConnectionsWhenInvokedOn(c, snapInfo.Name(), snapInfo.Revision)
+	s.testDoSetupSnapSecurityReloadsConnectionsWhenInvokedOn(c, snapInfo.InstanceName(), snapInfo.Revision)
 
 	// Ensure that the backend was used to setup security of both snaps
 	c.Assert(s.secBackend.SetupCalls, HasLen, 2)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, "producer")
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, "consumer")
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, "producer")
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, "consumer")
 
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{})
 	c.Check(s.secBackend.SetupCalls[1].Options, Equals, interfaces.ConfinementOptions{})
 }
 
-func (s *interfaceManagerSuite) testDoSetupSnapSecuirtyReloadsConnectionsWhenInvokedOn(c *C, snapName string, revision snap.Revision) {
+func (s *interfaceManagerSuite) testDoSetupSnapSecurityReloadsConnectionsWhenInvokedOn(c *C, snapName string, revision snap.Revision) {
 	s.state.Lock()
 	s.state.Set("conns", map[string]interface{}{
 		"consumer:plug producer:slot": map[string]interface{}{"interface": "test"},
@@ -1301,7 +2478,9 @@
 	// Repository shows the connection
 	ifaces := repo.Interfaces()
 	c.Assert(ifaces.Connections, HasLen, 1)
-	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
 }
 
 // The setup-profiles task will honor snapstate.DevMode flag by storing it
@@ -1319,7 +2498,7 @@
 	// Note that the task will see SnapSetup.Flags equal to DeveloperMode.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 		Flags: snapstate.Flags{DevMode: true},
@@ -1335,7 +2514,7 @@
 	// The snap was setup with DevModeConfinement
 	c.Assert(s.secBackend.SetupCalls, HasLen, 1)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, "snap")
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, "snap")
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{DevMode: true})
 }
 
@@ -1370,7 +2549,7 @@
 	// Run the setup-profiles task for the new revision and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: newSnapInfo.Name(),
+			RealName: newSnapInfo.SnapName(),
 			Revision: newSnapInfo.Revision,
 		},
 	})
@@ -1387,15 +2566,17 @@
 	c.Assert(s.secBackend.SetupCalls, HasLen, 2)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
 	// The sample snap was setup, with the correct new revision.
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, newSnapInfo.Name())
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, newSnapInfo.InstanceName())
 	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Revision, Equals, newSnapInfo.Revision)
 	// The OS snap was setup (because it was affected).
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, coreSnapInfo.Name())
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, coreSnapInfo.InstanceName())
 	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Revision, Equals, coreSnapInfo.Revision)
 }
 
-// setup-profiles needs to setup security for connected slots after autoconnection
+// auto-connect needs to setup security for connected slots after autoconnection
 func (s *interfaceManagerSuite) TestAutoConnectSetupSecurityForConnectedSlots(c *C) {
+	s.MockModel(c, nil)
+
 	// Add an OS snap.
 	coreSnapInfo := s.mockSnap(c, ubuntuCoreSnapYaml)
 
@@ -1408,7 +2589,7 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -1425,49 +2606,61 @@
 	c.Assert(s.secBackend.SetupCalls, HasLen, 3)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
 	// The sample snap was setup, with the correct new revision.
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, snapInfo.Name())
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, snapInfo.InstanceName())
 	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Revision, Equals, snapInfo.Revision)
 	// The OS snap was setup (because its connected to sample snap).
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, coreSnapInfo.Name())
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, coreSnapInfo.InstanceName())
 	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Revision, Equals, coreSnapInfo.Revision)
 }
 
 func (s *interfaceManagerSuite) TestDoDiscardConnsPlug(c *C) {
-	s.testDoDicardConns(c, "consumer")
+	s.testDoDiscardConns(c, "consumer")
 }
 
 func (s *interfaceManagerSuite) TestDoDiscardConnsSlot(c *C) {
-	s.testDoDicardConns(c, "producer")
+	s.testDoDiscardConns(c, "producer")
 }
 
 func (s *interfaceManagerSuite) TestUndoDiscardConnsPlug(c *C) {
-	s.testUndoDicardConns(c, "consumer")
+	s.testUndoDiscardConns(c, "consumer")
 }
 
 func (s *interfaceManagerSuite) TestUndoDiscardConnsSlot(c *C) {
-	s.testUndoDicardConns(c, "producer")
+	s.testUndoDiscardConns(c, "producer")
 }
 
-func (s *interfaceManagerSuite) testDoDicardConns(c *C, snapName string) {
+func (s *interfaceManagerSuite) testDoDiscardConns(c *C, snapName string) {
 	s.state.Lock()
 	// Store information about a connection in the state.
 	s.state.Set("conns", map[string]interface{}{
-		"consumer:plug producer:slot": map[string]interface{}{"interface": "test"},
-	})
+		"consumer:plug producer:slot": map[string]interface{}{
+			"interface": "test",
+		},
+	})
+
 	// Store empty snap state. This snap has an empty sequence now.
-	snapstate.Set(s.state, snapName, &snapstate.SnapState{})
 	s.state.Unlock()
 
-	mgr := s.manager(c)
+	// mock the snaps or otherwise the manager will remove stale connections
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+
+	s.manager(c)
+
+	s.state.Lock()
+	// remove the snaps so that discard-conns doesn't complain about snaps still installed
+	snapstate.Set(s.state, "producer", nil)
+	snapstate.Set(s.state, "consumer", nil)
+	s.state.Unlock()
 
 	// Run the discard-conns task and let it finish
-	change := s.addDiscardConnsChange(c, snapName)
-	mgr.Ensure()
-	mgr.Wait()
-	mgr.Stop()
+	change, _ := s.addDiscardConnsChange(c, snapName)
+
+	s.settle(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
+
 	c.Check(change.Status(), Equals, state.DoneStatus)
 
 	// Information about the connection was removed
@@ -1485,42 +2678,33 @@
 	})
 }
 
-func (s *interfaceManagerSuite) testUndoDicardConns(c *C, snapName string) {
+func (s *interfaceManagerSuite) testUndoDiscardConns(c *C, snapName string) {
+	s.manager(c)
+
 	s.state.Lock()
 	// Store information about a connection in the state.
 	s.state.Set("conns", map[string]interface{}{
 		"consumer:plug producer:slot": map[string]interface{}{"interface": "test"},
 	})
+
 	// Store empty snap state. This snap has an empty sequence now.
 	snapstate.Set(s.state, snapName, &snapstate.SnapState{})
 	s.state.Unlock()
 
-	mgr := s.manager(c)
-
 	// Run the discard-conns task and let it finish
-	change := s.addDiscardConnsChange(c, snapName)
-
-	// Add a dummy task just to hold the change not ready.
+	change, t := s.addDiscardConnsChange(c, snapName)
 	s.state.Lock()
-	dummy := s.state.NewTask("dummy", "")
-	change.AddTask(dummy)
-	s.state.Unlock()
-
-	mgr.Ensure()
-	mgr.Wait()
-
-	s.state.Lock()
-	c.Check(change.Status(), Equals, state.DoStatus)
-	change.Abort()
+	terr := s.state.NewTask("error-trigger", "provoking undo")
+	terr.WaitFor(t)
+	change.AddTask(terr)
 	s.state.Unlock()
 
-	mgr.Ensure()
-	mgr.Wait()
-	mgr.Stop()
+	s.settle(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
-	c.Assert(change.Status(), Equals, state.UndoneStatus)
+	c.Assert(change.Status().Ready(), Equals, true)
+	c.Assert(t.Status(), Equals, state.UndoneStatus)
 
 	// Information about the connection is intact
 	var conns map[string]interface{}
@@ -1550,9 +2734,9 @@
 
 	// Run the remove-security task
 	change := s.addRemoveSnapSecurityChange(c, "consumer")
-	mgr.Ensure()
-	mgr.Wait()
-	mgr.Stop()
+	s.se.Ensure()
+	s.se.Wait()
+	s.se.Stop()
 
 	// Change succeeds
 	s.state.Lock()
@@ -1569,7 +2753,7 @@
 
 	// Security of the related snap was configured
 	c.Check(s.secBackend.SetupCalls, HasLen, 1)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, "producer")
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, "producer")
 
 	// Connection state was left intact
 	var conns map[string]interface{}
@@ -1581,6 +2765,8 @@
 }
 
 func (s *interfaceManagerSuite) TestConnectTracksConnectionsInState(c *C) {
+	s.MockModel(c, nil)
+
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	s.mockSnap(c, consumerYaml)
 	s.mockSnap(c, producerYaml)
@@ -1588,6 +2774,7 @@
 	_ = s.manager(c)
 
 	s.state.Lock()
+
 	ts, err := ifacestate.Connect(s.state, "consumer", "plug", "producer", "slot")
 	c.Assert(err, IsNil)
 	c.Assert(ts.Tasks(), HasLen, 5)
@@ -1614,12 +2801,16 @@
 	c.Assert(err, IsNil)
 	c.Check(conns, DeepEquals, map[string]interface{}{
 		"consumer:plug producer:slot": map[string]interface{}{
-			"interface": "test",
+			"interface":   "test",
+			"plug-static": map[string]interface{}{"attr1": "value1"},
+			"slot-static": map[string]interface{}{"attr2": "value2"},
 		},
 	})
 }
 
 func (s *interfaceManagerSuite) TestConnectSetsUpSecurity(c *C) {
+	s.MockModel(c, nil)
+
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 
 	s.mockSnap(c, consumerYaml)
@@ -1649,13 +2840,59 @@
 
 	c.Assert(s.secBackend.SetupCalls, HasLen, 2)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, "producer")
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, "consumer")
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, "producer")
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, "consumer")
 
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{})
 	c.Check(s.secBackend.SetupCalls[1].Options, Equals, interfaces.ConfinementOptions{})
 }
 
+func (s *interfaceManagerSuite) TestConnectSetsHotplugKeyFromTheSlot(c *C) {
+	s.MockModel(c, nil)
+
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.mockSnap(c, consumer2Yaml)
+	s.mockSnap(c, coreSnapYaml)
+
+	s.state.Lock()
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"slot": map[string]interface{}{
+			"name":         "slot",
+			"interface":    "test",
+			"hotplug-key":  "1234",
+			"static-attrs": map[string]interface{}{"attr2": "value2"}}})
+	s.state.Unlock()
+
+	_ = s.manager(c)
+
+	s.state.Lock()
+	ts, err := ifacestate.Connect(s.state, "consumer2", "plug", "core", "slot")
+	c.Assert(err, IsNil)
+
+	change := s.state.NewChange("connect", "")
+	change.AddAll(ts)
+	s.state.Unlock()
+
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Assert(change.Err(), IsNil)
+	c.Check(change.Status(), Equals, state.DoneStatus)
+
+	var conns map[string]interface{}
+	c.Assert(s.state.Get("conns", &conns), IsNil)
+	c.Check(conns, DeepEquals, map[string]interface{}{
+		"consumer2:plug core:slot": map[string]interface{}{
+			"interface":   "test",
+			"hotplug-key": "1234",
+			"plug-static": map[string]interface{}{"attr1": "value1"},
+			"slot-static": map[string]interface{}{"attr2": "value2"},
+		},
+	})
+}
+
 func (s *interfaceManagerSuite) TestDisconnectSetsUpSecurity(c *C) {
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	s.mockSnap(c, consumerYaml)
@@ -1667,10 +2904,11 @@
 	})
 	s.state.Unlock()
 
-	mgr := s.manager(c)
+	s.manager(c)
+	conn := s.getConnection(c, "consumer", "plug", "producer", "slot")
 
 	s.state.Lock()
-	ts, err := ifacestate.Disconnect(s.state, "consumer", "plug", "producer", "slot")
+	ts, err := ifacestate.Disconnect(s.state, conn)
 	c.Assert(err, IsNil)
 	ts.Tasks()[0].Set("snap-setup", &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
@@ -1682,9 +2920,7 @@
 	change.AddAll(ts)
 	s.state.Unlock()
 
-	mgr.Ensure()
-	mgr.Wait()
-	mgr.Stop()
+	s.settle(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1694,8 +2930,8 @@
 
 	c.Assert(s.secBackend.SetupCalls, HasLen, 2)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, "consumer")
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, "producer")
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, "consumer")
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, "producer")
 
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{})
 	c.Check(s.secBackend.SetupCalls[1].Options, Equals, interfaces.ConfinementOptions{})
@@ -1711,10 +2947,11 @@
 	})
 	s.state.Unlock()
 
-	mgr := s.manager(c)
+	s.manager(c)
 
+	conn := s.getConnection(c, "consumer", "plug", "producer", "slot")
 	s.state.Lock()
-	ts, err := ifacestate.Disconnect(s.state, "consumer", "plug", "producer", "slot")
+	ts, err := ifacestate.Disconnect(s.state, conn)
 	c.Assert(err, IsNil)
 	ts.Tasks()[0].Set("snap-setup", &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
@@ -1726,9 +2963,7 @@
 	change.AddAll(ts)
 	s.state.Unlock()
 
-	mgr.Ensure()
-	mgr.Wait()
-	mgr.Stop()
+	s.settle(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1741,6 +2976,101 @@
 	c.Check(conns, DeepEquals, map[string]interface{}{})
 }
 
+func (s *interfaceManagerSuite) TestDisconnectDisablesAutoConnect(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+	s.state.Lock()
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{"interface": "test", "auto": true},
+	})
+	s.state.Unlock()
+
+	s.manager(c)
+
+	s.state.Lock()
+	conn := &interfaces.Connection{
+		Plug: interfaces.NewConnectedPlug(&snap.PlugInfo{Snap: &snap.Info{SuggestedName: "consumer"}, Name: "plug"}, nil, nil),
+		Slot: interfaces.NewConnectedSlot(&snap.SlotInfo{Snap: &snap.Info{SuggestedName: "producer"}, Name: "slot"}, nil, nil),
+	}
+
+	ts, err := ifacestate.Disconnect(s.state, conn)
+	c.Assert(err, IsNil)
+	ts.Tasks()[0].Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "consumer",
+		},
+	})
+
+	change := s.state.NewChange("disconnect", "")
+	change.AddAll(ts)
+	s.state.Unlock()
+
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Assert(change.Err(), IsNil)
+	c.Check(change.Status(), Equals, state.DoneStatus)
+	var conns map[string]interface{}
+	err = s.state.Get("conns", &conns)
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{"interface": "test", "auto": true, "undesired": true},
+	})
+}
+
+func (s *interfaceManagerSuite) TestDisconnectByHotplug(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	consumerInfo := s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, coreSnapYaml)
+
+	s.state.Lock()
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug core:slot":  map[string]interface{}{"interface": "test"},
+		"consumer:plug core:slot2": map[string]interface{}{"interface": "test"},
+	})
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"slot": map[string]interface{}{
+			"name":        "slot",
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	s.state.Unlock()
+
+	s.manager(c)
+
+	s.state.Lock()
+	conn := &interfaces.Connection{
+		Plug: interfaces.NewConnectedPlug(consumerInfo.Plugs["plug"], nil, nil),
+		Slot: interfaces.NewConnectedSlot(&snap.SlotInfo{Snap: &snap.Info{SuggestedName: "core"}, Name: "slot"}, nil, nil),
+	}
+
+	ts, err := ifacestate.DisconnectPriv(s.state, conn, ifacestate.NewDisconnectOptsWithByHotplugSet())
+	c.Assert(err, IsNil)
+
+	change := s.state.NewChange("disconnect", "")
+	change.AddAll(ts)
+	s.state.Unlock()
+
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Assert(change.Err(), IsNil)
+	c.Check(change.Status(), Equals, state.DoneStatus)
+
+	var conns map[string]interface{}
+	err = s.state.Get("conns", &conns)
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, map[string]interface{}{
+		"consumer:plug core:slot":  map[string]interface{}{"interface": "test", "hotplug-gone": true},
+		"consumer:plug core:slot2": map[string]interface{}{"interface": "test"},
+	})
+}
+
 func (s *interfaceManagerSuite) TestManagerReloadsConnections(c *C) {
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
 	s.mockSnap(c, consumerYaml)
@@ -1748,7 +3078,17 @@
 
 	s.state.Lock()
 	s.state.Set("conns", map[string]interface{}{
-		"consumer:plug producer:slot": map[string]interface{}{"interface": "test"},
+		"consumer:plug producer:slot": map[string]interface{}{
+			"interface": "test",
+			"plug-static": map[string]interface{}{
+				"attr1": "value2",
+				"attr3": "value3",
+			},
+			"slot-static": map[string]interface{}{
+				"attr2": "value4",
+				"attr4": "value6",
+			},
+		},
 	})
 	s.state.Unlock()
 
@@ -1757,7 +3097,91 @@
 
 	ifaces := repo.Interfaces()
 	c.Assert(ifaces.Connections, HasLen, 1)
-	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "consumer", Name: "plug"}, interfaces.SlotRef{Snap: "producer", Name: "slot"}}})
+	cref := &interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"}, SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"}}
+	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{cref})
+
+	conn, err := repo.Connection(cref)
+	c.Assert(err, IsNil)
+	c.Assert(conn.Plug.Name(), Equals, "plug")
+	c.Assert(conn.Plug.StaticAttrs(), DeepEquals, map[string]interface{}{
+		"attr1": "value2",
+		"attr3": "value3",
+	})
+	c.Assert(conn.Slot.Name(), Equals, "slot")
+	c.Assert(conn.Slot.StaticAttrs(), DeepEquals, map[string]interface{}{
+		"attr2": "value4",
+		"attr4": "value6",
+	})
+}
+
+func (s *interfaceManagerSuite) TestManagerDoesntReloadUndesiredAutoconnections(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"}, &ifacetest.TestInterface{InterfaceName: "test2"})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, producerYaml)
+
+	s.state.Lock()
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{
+			"interface": "test",
+			"auto":      true,
+			"undesired": true,
+		},
+	})
+	s.state.Unlock()
+
+	mgr := s.manager(c)
+	c.Assert(mgr.Repository().Interfaces().Connections, HasLen, 0)
+}
+
+func (s *interfaceManagerSuite) setupHotplugSlot(c *C) {
+	s.mockIfaces(c, &ifacetest.TestHotplugInterface{TestInterface: ifacetest.TestInterface{InterfaceName: "test"}})
+	s.mockSnap(c, consumerYaml)
+	s.mockSnap(c, coreSnapYaml)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"slot": map[string]interface{}{
+			"name":        "slot",
+			"interface":   "test",
+			"hotplug-key": "abcd",
+		}})
+}
+
+func (s *interfaceManagerSuite) TestManagerDoesntReloadHotlugGoneConnection(c *C) {
+	s.setupHotplugSlot(c)
+
+	s.state.Lock()
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug core:slot": map[string]interface{}{
+			"interface":    "test",
+			"hotplug-gone": true,
+		}})
+	s.state.Unlock()
+
+	mgr := s.manager(c)
+	c.Assert(mgr.Repository().Interfaces().Connections, HasLen, 0)
+}
+
+func (s *interfaceManagerSuite) TestManagerReloadsHotlugConnection(c *C) {
+	s.setupHotplugSlot(c)
+
+	s.state.Lock()
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug core:slot": map[string]interface{}{
+			"interface":    "test",
+			"hotplug-gone": false,
+		}})
+	s.state.Unlock()
+
+	mgr := s.manager(c)
+	repo := mgr.Repository()
+	c.Assert(repo.Interfaces().Connections, HasLen, 1)
+	cref := &interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"}, SlotRef: interfaces.SlotRef{Snap: "core", Name: "slot"}}
+	conn, err := repo.Connection(cref)
+	c.Assert(err, IsNil)
+	c.Assert(conn, NotNil)
 }
 
 func (s *interfaceManagerSuite) TestSetupProfilesDevModeMultiple(c *C) {
@@ -1788,16 +3212,16 @@
 		Interface: "test",
 	})
 	c.Assert(err, IsNil)
-	connRef := interfaces.ConnRef{
-		PlugRef: interfaces.PlugRef{Snap: siP.Name(), Name: "plug"},
-		SlotRef: interfaces.SlotRef{Snap: siC.Name(), Name: "slot"},
+	connRef := &interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: siP.InstanceName(), Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: siC.InstanceName(), Name: "slot"},
 	}
-	err = repo.Connect(connRef)
+	_, err = repo.Connect(connRef, nil, nil, nil, nil, nil)
 	c.Assert(err, IsNil)
 
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: siC.Name(),
+			RealName: siC.SnapName(),
 			Revision: siC.Revision,
 		},
 		Flags: snapstate.Flags{DevMode: true},
@@ -1814,13 +3238,15 @@
 	// The first snap is setup in devmode, the second is not
 	c.Assert(s.secBackend.SetupCalls, HasLen, 2)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, siC.Name())
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, siC.InstanceName())
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{DevMode: true})
-	c.Check(s.secBackend.SetupCalls[1].SnapInfo.Name(), Equals, siP.Name())
+	c.Check(s.secBackend.SetupCalls[1].SnapInfo.InstanceName(), Equals, siP.InstanceName())
 	c.Check(s.secBackend.SetupCalls[1].Options, Equals, interfaces.ConfinementOptions{})
 }
 
 func (s *interfaceManagerSuite) TestCheckInterfacesDeny(c *C) {
+	s.MockModel(c, nil)
+
 	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
 type: base-declaration
 authority-id: canonical
@@ -1832,7 +3258,7 @@
 	defer restore()
 	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
 
-	s.mockSnapDecl(c, "producer", "producer-publisher", nil)
+	s.MockSnapDecl(c, "producer", "producer-publisher", nil)
 	snapInfo := s.mockSnap(c, producerYaml)
 
 	s.state.Lock()
@@ -1861,6 +3287,8 @@
 }
 
 func (s *interfaceManagerSuite) TestCheckInterfacesAllow(c *C) {
+	s.MockModel(c, nil)
+
 	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
 type: base-declaration
 authority-id: canonical
@@ -1872,7 +3300,7 @@
 	defer restore()
 	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
 
-	s.mockSnapDecl(c, "producer", "producer-publisher", map[string]interface{}{
+	s.MockSnapDecl(c, "producer", "producer-publisher", map[string]interface{}{
 		"format": "1",
 		"slots": map[string]interface{}{
 			"test": "true",
@@ -1885,49 +3313,220 @@
 	c.Check(ifacestate.CheckInterfaces(s.state, snapInfo), IsNil)
 }
 
-func (s *interfaceManagerSuite) TestCheckInterfacesConsidersImplicitSlots(c *C) {
-	snapInfo := s.mockSnap(c, ubuntuCoreSnapYaml)
+func (s *interfaceManagerSuite) TestCheckInterfacesDeviceScopeRightStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-store",
+	})
+
+	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
+type: base-declaration
+authority-id: canonical
+series: 16
+slots:
+  test:
+    deny-installation: true
+`))
+	defer restore()
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	s.MockSnapDecl(c, "producer", "producer-publisher", map[string]interface{}{
+		"format": "3",
+		"slots": map[string]interface{}{
+			"test": map[string]interface{}{
+				"allow-installation": map[string]interface{}{
+					"on-store": []interface{}{"my-store"},
+				},
+			},
+		},
+	})
+	snapInfo := s.mockSnap(c, producerYaml)
 
 	s.state.Lock()
 	defer s.state.Unlock()
 	c.Check(ifacestate.CheckInterfaces(s.state, snapInfo), IsNil)
-	c.Check(snapInfo.Slots["home"], NotNil)
 }
 
-// Test that setup-snap-security gets undone correctly when a snap is installed
-// but the installation fails (the security profiles are removed).
-func (s *interfaceManagerSuite) TestUndoSetupProfilesOnInstall(c *C) {
-	// Create the interface manager
-	_ = s.manager(c)
+func (s *interfaceManagerSuite) TestCheckInterfacesDeviceScopeNoStore(c *C) {
+	s.MockModel(c, nil)
 
-	// Mock a snap and remove the side info from the state (it is implicitly
-	// added by mockSnap) so that we can emulate a undo during a fresh
-	// install.
-	snapInfo := s.mockSnap(c, sampleSnapYaml)
-	s.state.Lock()
-	snapstate.Set(s.state, snapInfo.Name(), nil)
-	s.state.Unlock()
+	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
+type: base-declaration
+authority-id: canonical
+series: 16
+slots:
+  test:
+    deny-installation: true
+`))
+	defer restore()
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
 
-	// Add a change that undoes "setup-snap-security"
-	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
-		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
-			Revision: snapInfo.Revision,
+	s.MockSnapDecl(c, "producer", "producer-publisher", map[string]interface{}{
+		"format": "3",
+		"slots": map[string]interface{}{
+			"test": map[string]interface{}{
+				"allow-installation": map[string]interface{}{
+					"on-store": []interface{}{"my-store"},
+				},
+			},
 		},
 	})
-	s.state.Lock()
-	c.Assert(change.Tasks(), HasLen, 2)
-	change.Tasks()[0].SetStatus(state.UndoStatus)
-	change.Tasks()[1].SetStatus(state.UndoneStatus)
-	s.state.Unlock()
-
-	// Turn the crank
-	s.settle(c)
+	snapInfo := s.mockSnap(c, producerYaml)
 
 	s.state.Lock()
 	defer s.state.Unlock()
+	c.Check(ifacestate.CheckInterfaces(s.state, snapInfo), ErrorMatches, `installation not allowed.*`)
+}
 
-	// Ensure that the change got undone.
+func (s *interfaceManagerSuite) TestCheckInterfacesDeviceScopeWrongStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "other-store",
+	})
+
+	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
+type: base-declaration
+authority-id: canonical
+series: 16
+slots:
+  test:
+    deny-installation: true
+`))
+	defer restore()
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	s.MockSnapDecl(c, "producer", "producer-publisher", map[string]interface{}{
+		"format": "3",
+		"slots": map[string]interface{}{
+			"test": map[string]interface{}{
+				"allow-installation": map[string]interface{}{
+					"on-store": []interface{}{"my-store"},
+				},
+			},
+		},
+	})
+	snapInfo := s.mockSnap(c, producerYaml)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	c.Check(ifacestate.CheckInterfaces(s.state, snapInfo), ErrorMatches, `installation not allowed.*`)
+}
+
+func (s *interfaceManagerSuite) TestCheckInterfacesDeviceScopeRightFriendlyStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-substore",
+	})
+
+	s.MockStore(c, s.state, "my-substore", map[string]interface{}{
+		"friendly-stores": []interface{}{"my-store"},
+	})
+
+	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
+type: base-declaration
+authority-id: canonical
+series: 16
+slots:
+  test:
+    deny-installation: true
+`))
+	defer restore()
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	s.MockSnapDecl(c, "producer", "producer-publisher", map[string]interface{}{
+		"format": "3",
+		"slots": map[string]interface{}{
+			"test": map[string]interface{}{
+				"allow-installation": map[string]interface{}{
+					"on-store": []interface{}{"my-store"},
+				},
+			},
+		},
+	})
+	snapInfo := s.mockSnap(c, producerYaml)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	c.Check(ifacestate.CheckInterfaces(s.state, snapInfo), IsNil)
+}
+
+func (s *interfaceManagerSuite) TestCheckInterfacesDeviceScopeWrongFriendlyStore(c *C) {
+	s.MockModel(c, map[string]interface{}{
+		"store": "my-substore",
+	})
+
+	s.MockStore(c, s.state, "my-substore", map[string]interface{}{
+		"friendly-stores": []interface{}{"other-store"},
+	})
+
+	restore := assertstest.MockBuiltinBaseDeclaration([]byte(`
+type: base-declaration
+authority-id: canonical
+series: 16
+slots:
+  test:
+    deny-installation: true
+`))
+	defer restore()
+	s.mockIface(c, &ifacetest.TestInterface{InterfaceName: "test"})
+
+	s.MockSnapDecl(c, "producer", "producer-publisher", map[string]interface{}{
+		"format": "3",
+		"slots": map[string]interface{}{
+			"test": map[string]interface{}{
+				"allow-installation": map[string]interface{}{
+					"on-store": []interface{}{"my-store"},
+				},
+			},
+		},
+	})
+	snapInfo := s.mockSnap(c, producerYaml)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	c.Check(ifacestate.CheckInterfaces(s.state, snapInfo), ErrorMatches, `installation not allowed.*`)
+}
+
+func (s *interfaceManagerSuite) TestCheckInterfacesConsidersImplicitSlots(c *C) {
+	snapInfo := s.mockSnap(c, ubuntuCoreSnapYaml)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	c.Check(ifacestate.CheckInterfaces(s.state, snapInfo), IsNil)
+	c.Check(snapInfo.Slots["home"], NotNil)
+}
+
+// Test that setup-snap-security gets undone correctly when a snap is installed
+// but the installation fails (the security profiles are removed).
+func (s *interfaceManagerSuite) TestUndoSetupProfilesOnInstall(c *C) {
+	// Create the interface manager
+	_ = s.manager(c)
+
+	// Mock a snap and remove the side info from the state (it is implicitly
+	// added by mockSnap) so that we can emulate a undo during a fresh
+	// install.
+	snapInfo := s.mockSnap(c, sampleSnapYaml)
+	s.state.Lock()
+	snapstate.Set(s.state, snapInfo.InstanceName(), nil)
+	s.state.Unlock()
+
+	// Add a change that undoes "setup-snap-security"
+	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: snapInfo.SnapName(),
+			Revision: snapInfo.Revision,
+		},
+	})
+	s.state.Lock()
+	c.Assert(change.Tasks(), HasLen, 2)
+	change.Tasks()[0].SetStatus(state.UndoStatus)
+	change.Tasks()[1].SetStatus(state.UndoneStatus)
+	s.state.Unlock()
+
+	// Turn the crank
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// Ensure that the change got undone.
 	c.Assert(change.Err(), IsNil)
 	c.Check(change.Status(), Equals, state.UndoneStatus)
 
@@ -1935,7 +3534,7 @@
 	// undo task removed the security profile from the system.
 	c.Assert(s.secBackend.SetupCalls, HasLen, 0)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 1)
-	c.Check(s.secBackend.RemoveCalls, DeepEquals, []string{snapInfo.Name()})
+	c.Check(s.secBackend.RemoveCalls, DeepEquals, []string{snapInfo.InstanceName()})
 }
 
 // Test that setup-snap-security gets undone correctly when a snap is refreshed
@@ -1951,7 +3550,7 @@
 	// Add a change that undoes "setup-snap-security"
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -1974,7 +3573,7 @@
 	// setup the security of the snap we had in the state.
 	c.Assert(s.secBackend.SetupCalls, HasLen, 1)
 	c.Assert(s.secBackend.RemoveCalls, HasLen, 0)
-	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Name(), Equals, snapInfo.Name())
+	c.Check(s.secBackend.SetupCalls[0].SnapInfo.InstanceName(), Equals, snapInfo.InstanceName())
 	c.Check(s.secBackend.SetupCalls[0].SnapInfo.Revision, Equals, snapInfo.Revision)
 	c.Check(s.secBackend.SetupCalls[0].Options, Equals, interfaces.ConfinementOptions{})
 }
@@ -1984,7 +3583,7 @@
 	s.mockSnap(c, coreSnapYaml)
 	s.mockSnap(c, httpdSnapYaml)
 
-	mgr := s.manager(c)
+	s.manager(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -2001,9 +3600,9 @@
 	change.AddTask(task)
 
 	s.state.Unlock()
-	mgr.Ensure()
-	mgr.Wait()
-	mgr.Stop()
+	s.se.Ensure()
+	s.se.Wait()
+	s.se.Stop()
 	s.state.Lock()
 
 	c.Assert(change.Status(), Equals, state.DoneStatus)
@@ -2023,7 +3622,7 @@
 	s.mockSnap(c, coreSnapYaml)
 	s.mockSnap(c, httpdSnapYaml)
 
-	mgr := s.manager(c)
+	s.manager(c)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -2044,10 +3643,10 @@
 
 	s.state.Unlock()
 	for i := 0; i < 10; i++ {
-		mgr.Ensure()
-		mgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
-	mgr.Stop()
+	s.se.Stop()
 	s.state.Lock()
 
 	c.Assert(change.Status(), Equals, state.ErrorStatus)
@@ -2079,6 +3678,10 @@
 	})
 	s.state.Unlock()
 
+	// mock both snaps, otherwise the manager will remove stale connections
+	s.mockSnap(c, coreSnapYaml)
+	s.mockSnap(c, sampleSnapYaml)
+
 	// Start the manager, this is where renames happen.
 	s.manager(c)
 
@@ -2121,6 +3724,8 @@
 }
 
 func (s *interfaceManagerSuite) TestAutoConnectDuringCoreTransition(c *C) {
+	s.MockModel(c, nil)
+
 	// Add both the old and new core snaps
 	s.mockSnap(c, ubuntuCoreSnapYaml)
 	s.mockSnap(c, coreSnapYaml)
@@ -2137,7 +3742,7 @@
 	// Run the setup-snap-security task and let it finish.
 	change := s.addSetupSnapSecurityChange(c, &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: snapInfo.Name(),
+			RealName: snapInfo.SnapName(),
 			Revision: snapInfo.Revision,
 		},
 	})
@@ -2168,29 +3773,111 @@
 	c.Assert(plug, Not(IsNil))
 	ifaces := repo.Interfaces()
 	c.Assert(ifaces.Connections, HasLen, 1)
-	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{interfaces.PlugRef{Snap: "snap", Name: "network"}, interfaces.SlotRef{Snap: "core", Name: "network"}}})
+	c.Check(ifaces.Connections, DeepEquals, []*interfaces.ConnRef{{
+		PlugRef: interfaces.PlugRef{Snap: "snap", Name: "network"},
+		SlotRef: interfaces.SlotRef{Snap: "core", Name: "network"}}})
 }
 
 func makeAutoConnectChange(st *state.State, plugSnap, plug, slotSnap, slot string) *state.Change {
 	chg := st.NewChange("connect...", "...")
 
 	t := st.NewTask("connect", "other connect task")
-	t.Set("slot", interfaces.SlotRef{Snap: "producer", Name: "slot"})
-	t.Set("plug", interfaces.PlugRef{Snap: "consumer", Name: "plug"})
+	t.Set("slot", interfaces.SlotRef{Snap: slotSnap, Name: slot})
+	t.Set("plug", interfaces.PlugRef{Snap: plugSnap, Name: plug})
+	var plugAttrs, slotAttrs map[string]interface{}
+	t.Set("plug-dynamic", plugAttrs)
+	t.Set("slot-dynamic", slotAttrs)
 	t.Set("auto", true)
+
+	// two fake tasks for connect-plug-/slot- hooks
+	hs1 := hookstate.HookSetup{
+		Snap:     slotSnap,
+		Optional: true,
+		Hook:     "connect-slot-" + slot,
+	}
+	ht1 := hookstate.HookTask(st, "connect-slot hook", &hs1, nil)
+	ht1.WaitFor(t)
+	hs2 := hookstate.HookSetup{
+		Snap:     plugSnap,
+		Optional: true,
+		Hook:     "connect-plug-" + plug,
+	}
+	ht2 := hookstate.HookTask(st, "connect-plug hook", &hs2, nil)
+	ht2.WaitFor(ht1)
+
 	chg.AddTask(t)
+	chg.AddTask(ht1)
+	chg.AddTask(ht2)
 
 	return chg
 }
 
-func (s *interfaceManagerSuite) TestConnectIgnoresMissingSlotSnapOnAutoConnect(c *C) {
+func (s *interfaceManagerSuite) TestUndoConnect(c *C) {
+	s.MockModel(c, nil)
+
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.manager(c)
+	producer := s.mockSnap(c, producerYaml)
+	consumer := s.mockSnap(c, consumerYaml)
+
+	repo := s.manager(c).Repository()
+	err := repo.AddPlug(&snap.PlugInfo{
+		Snap:      consumer,
+		Name:      "plug",
+		Interface: "test",
+	})
+	c.Assert(err, IsNil)
+	err = repo.AddSlot(&snap.SlotInfo{
+		Snap:      producer,
+		Name:      "slot",
+		Interface: "test",
+	})
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+
+	// "consumer:plug producer:slot" wouldn't normally be present in conns when connecting because
+	// ifacestate.Connect() checks for existing connection; it's used here to test removal on undo.
+	s.state.Set("conns", map[string]interface{}{
+		"snap1:plug snap2:slot":       map[string]interface{}{},
+		"consumer:plug producer:slot": map[string]interface{}{},
+	})
+
+	chg := makeAutoConnectChange(s.state, "consumer", "plug", "producer", "slot")
+	terr := s.state.NewTask("error-trigger", "provoking undo")
+	connTasks := chg.Tasks()
+	terr.WaitAll(state.NewTaskSet(connTasks...))
+	chg.AddTask(terr)
+
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Assert(chg.Status().Ready(), Equals, true)
+	for _, t := range connTasks {
+		c.Assert(t.Status(), Equals, state.UndoneStatus)
+	}
+
+	// connection is removed from conns, other connection is left intact
+	var conns map[string]interface{}
+	c.Assert(s.state.Get("conns", &conns), IsNil)
+	c.Check(conns, DeepEquals, map[string]interface{}{
+		"snap1:plug snap2:slot": map[string]interface{}{},
+	})
+}
+
+func (s *interfaceManagerSuite) TestConnectErrorMissingSlotSnapOnAutoConnect(c *C) {
 	_ = s.manager(c)
+	s.mockSnap(c, producerYaml)
 	s.mockSnap(c, consumerYaml)
-	// no producer snap in the state, doConnect should complain
 
 	s.state.Lock()
 
 	chg := makeAutoConnectChange(s.state, "consumer", "plug", "producer", "slot")
+	// remove producer snap from the state, doConnect should complain
+	snapstate.Set(s.state, "producer", nil)
+
 	s.state.Unlock()
 
 	s.settle(c)
@@ -2198,22 +3885,23 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	task := chg.Tasks()[0]
-	c.Assert(task.Status(), Equals, state.DoneStatus)
-	c.Assert(strings.Join(task.Log(), ""), Matches, `.*snap "producer" is no longer available for auto-connecting.*`)
+	c.Check(chg.Status(), Equals, state.ErrorStatus)
+	c.Assert(chg.Err(), ErrorMatches, `cannot perform the following tasks:\n.*snap "producer" is no longer available for auto-connecting.*`)
 
 	var conns map[string]interface{}
 	c.Assert(s.state.Get("conns", &conns), Equals, state.ErrNoState)
 }
 
-func (s *interfaceManagerSuite) TestConnectIgnoresMissingPlugSnapOnAutoConnect(c *C) {
+func (s *interfaceManagerSuite) TestConnectErrorMissingPlugSnapOnAutoConnect(c *C) {
 	_ = s.manager(c)
 	s.mockSnap(c, producerYaml)
-	// no consumer snap in the state, doConnect should complain
+	s.mockSnap(c, consumerYaml)
 
 	s.state.Lock()
-
 	chg := makeAutoConnectChange(s.state, "consumer", "plug", "producer", "slot")
+	// remove consumer snap from the state, doConnect should complain
+	snapstate.Set(s.state, "consumer", nil)
+
 	s.state.Unlock()
 
 	s.settle(c)
@@ -2221,15 +3909,14 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	task := chg.Tasks()[0]
-	c.Assert(task.Status(), Equals, state.DoneStatus)
-	c.Assert(strings.Join(task.Log(), ""), Matches, `.*snap "consumer" is no longer available for auto-connecting.*`)
+	c.Assert(chg.Status(), Equals, state.ErrorStatus)
+	c.Assert(chg.Err(), ErrorMatches, `cannot perform the following tasks:\n.*snap "consumer" is no longer available for auto-connecting.*`)
 
 	var conns map[string]interface{}
 	c.Assert(s.state.Get("conns", &conns), Equals, state.ErrNoState)
 }
 
-func (s *interfaceManagerSuite) TestConnectIgnoresMissingPlugOnAutoConnect(c *C) {
+func (s *interfaceManagerSuite) TestConnectErrorMissingPlugOnAutoConnect(c *C) {
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
 	_ = s.manager(c)
 	producer := s.mockSnap(c, producerYaml)
@@ -2254,16 +3941,15 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	task := chg.Tasks()[0]
-	c.Assert(task.Status(), Equals, state.DoneStatus)
-	c.Assert(strings.Join(task.Log(), ""), Matches, `.*snap "consumer" no longer has "plug" plug`)
+	c.Assert(chg.Status(), Equals, state.ErrorStatus)
+	c.Assert(chg.Err(), ErrorMatches, `cannot perform the following tasks:\n.*snap "consumer" has no "plug" plug.*`)
 
 	var conns map[string]interface{}
 	err = s.state.Get("conns", &conns)
 	c.Assert(err, Equals, state.ErrNoState)
 }
 
-func (s *interfaceManagerSuite) TestConnectIgnoresMissingSlotOnAutoConnect(c *C) {
+func (s *interfaceManagerSuite) TestConnectErrorMissingSlotOnAutoConnect(c *C) {
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
 	_ = s.manager(c)
 	// producer snap has no slot, doConnect should complain
@@ -2288,9 +3974,8 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	task := chg.Tasks()[0]
-	c.Assert(task.Status(), Equals, state.DoneStatus)
-	c.Assert(strings.Join(task.Log(), ""), Matches, `.*snap "producer" no longer has "slot" slot`)
+	c.Assert(chg.Status(), Equals, state.ErrorStatus)
+	c.Assert(chg.Err(), ErrorMatches, `cannot perform the following tasks:\n.*snap "producer" has no "slot" slot.*`)
 
 	var conns map[string]interface{}
 	err = s.state.Get("conns", &conns)
@@ -2298,6 +3983,8 @@
 }
 
 func (s *interfaceManagerSuite) TestConnectHandlesAutoconnect(c *C) {
+	s.MockModel(c, nil)
+
 	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
 	_ = s.manager(c)
 	producer := s.mockSnap(c, producerYaml)
@@ -2365,6 +4052,50 @@
 	c.Check(stat.ModTime(), DeepEquals, stat2.ModTime())
 }
 
+func (s *interfaceManagerSuite) TestAutoconnectSelf(c *C) {
+	s.MockModel(c, nil)
+
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.mockSnap(c, selfconnectSnapYaml)
+	repo := s.manager(c).Repository()
+	c.Assert(repo.Slots("producerconsumer"), HasLen, 1)
+
+	s.state.Lock()
+
+	sup := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			Revision: snap.R(1),
+			RealName: "producerconsumer"},
+	}
+
+	chg := s.state.NewChange("install", "...")
+	t := s.state.NewTask("auto-connect", "...")
+	t.Set("snap-setup", sup)
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	s.settle(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	hooktypes := make(map[string]int)
+	for _, t := range s.state.Tasks() {
+		if t.Kind() == "run-hook" {
+			var hsup hookstate.HookSetup
+			c.Assert(t.Get("hook-setup", &hsup), IsNil)
+			count := hooktypes[hsup.Hook]
+			hooktypes[hsup.Hook] = count + 1
+		}
+	}
+
+	// verify that every hook was run once
+	for _, ht := range []string{"prepare-plug-plug", "prepare-slot-slot", "connect-slot-slot", "connect-plug-plug"} {
+		c.Assert(hooktypes[ht], Equals, 1)
+	}
+}
+
 func (s *interfaceManagerSuite) TestAutoconnectForDefaultContentProvider(c *C) {
 	restore := ifacestate.MockContentLinkRetryTimeout(5 * time.Millisecond)
 	defer restore()
@@ -2384,16 +4115,18 @@
   interface: content
   content: shared-content
 `)
-	mgr := s.manager(c)
+	s.manager(c)
 
 	s.state.Lock()
 
 	supContentPlug := &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
+			Revision: snap.R(1),
 			RealName: "snap-content-plug"},
 	}
 	supContentSlot := &snapstate.SnapSetup{
 		SideInfo: &snap.SideInfo{
+			Revision: snap.R(1),
 			RealName: "snap-content-slot"},
 	}
 	chg := s.state.NewChange("install", "...")
@@ -2417,15 +4150,15 @@
 	// run the change
 	s.state.Unlock()
 	for i := 0; i < 5; i++ {
-		mgr.Ensure()
-		mgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	// change did a retry
 	s.state.Lock()
 	c.Check(tConnectPlug.Status(), Equals, state.DoingStatus)
 
-	// pretent install of content slot is done
+	// pretend install of content slot is done
 	tInstSlot.SetStatus(state.DoneStatus)
 	// wait for contentLinkRetryTimeout
 	time.Sleep(10 * time.Millisecond)
@@ -2434,8 +4167,8 @@
 
 	// run again
 	for i := 0; i < 5; i++ {
-		mgr.Ensure()
-		mgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	// check that the connect plug task is now in done state
@@ -2444,118 +4177,97 @@
 	c.Check(tConnectPlug.Status(), Equals, state.DoneStatus)
 }
 
-/*
-func (s *interfaceManagerSuite) TestSetupProfilesInjectsAutoConnectIfMissing(c *C) {
-	mgr := s.manager(c)
+func (s *interfaceManagerSuite) TestAutoconnectForDefaultContentProviderWrongOrderWaitChain(c *C) {
+	restore := ifacestate.MockContentLinkRetryTimeout(5 * time.Millisecond)
+	defer restore()
 
-	si1 := &snap.SideInfo{
-		RealName: "snap1",
-		Revision: snap.R(1),
-	}
-	sup1 := &snapstate.SnapSetup{SideInfo: si1}
-	_ = snaptest.MockSnap(c, sampleSnapYaml, si1)
+	s.mockSnap(c, `name: snap-content-plug
+version: 1
+plugs:
+ shared-content-plug:
+  interface: content
+  default-provider: snap-content-slot
+  content: shared-content
+`)
+	s.mockSnap(c, `name: snap-content-slot
+version: 1
+slots:
+ shared-content-slot:
+  interface: content
+  content: shared-content
+`)
+	s.manager(c)
 
-	si2 := &snap.SideInfo{
-		RealName: "snap2",
-		Revision: snap.R(1),
+	s.state.Lock()
+
+	supContentPlug := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			Revision: snap.R(1),
+			RealName: "snap-content-plug"},
+	}
+	supContentSlot := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			Revision: snap.R(1),
+			RealName: "snap-content-slot"},
 	}
-	sup2 := &snapstate.SnapSetup{SideInfo: si2}
-	_ = snaptest.MockSnap(c, consumerYaml, si2)
+	chg := s.state.NewChange("install", "...")
 
-	s.state.Lock()
-	defer s.state.Unlock()
+	// Setup a wait chain in the "wrong" order, i.e. pretend we seed
+	// the consumer of the content interface before we seed the producer
+	// (see LP:#1772844) for a real world example of this).
+	tInstPlug := s.state.NewTask("link-snap", "Install snap-content-plug")
+	tInstPlug.Set("snap-setup", supContentPlug)
+	chg.AddTask(tInstPlug)
 
-	task1 := s.state.NewTask("setup-profiles", "")
-	task1.Set("snap-setup", sup1)
+	tConnectPlug := s.state.NewTask("auto-connect", "...plug")
+	tConnectPlug.Set("snap-setup", supContentPlug)
+	tConnectPlug.WaitFor(tInstPlug)
+	chg.AddTask(tConnectPlug)
 
-	task2 := s.state.NewTask("setup-profiles", "")
-	task2.Set("snap-setup", sup2)
+	tInstSlot := s.state.NewTask("link-snap", "Install snap-content-slot")
+	tInstSlot.Set("snap-setup", supContentSlot)
+	tInstSlot.WaitFor(tInstPlug)
+	tInstSlot.WaitFor(tConnectPlug)
+	chg.AddTask(tInstSlot)
 
-	chg := s.state.NewChange("test", "")
-	chg.AddTask(task1)
-	task2.WaitFor(task1)
-	chg.AddTask(task2)
+	tConnectSlot := s.state.NewTask("auto-connect", "...slot")
+	tConnectSlot.Set("snap-setup", supContentSlot)
+	tConnectSlot.WaitFor(tInstPlug)
+	tConnectSlot.WaitFor(tInstSlot)
+	tConnectSlot.WaitFor(tConnectPlug)
+	chg.AddTask(tConnectSlot)
 
-	s.state.Unlock()
+	// pretend plug install was done by snapstate
+	tInstPlug.SetStatus(state.DoneStatus)
 
-	defer mgr.Stop()
-	s.settle(c)
-	s.state.Lock()
-
-	// ensure all our tasks ran
-	c.Assert(chg.Err(), IsNil)
-	c.Assert(chg.Tasks(), HasLen, 4)
-
-	// sanity checks
-	t := chg.Tasks()[0]
-	c.Assert(t.Kind(), Equals, "setup-profiles")
-	t = chg.Tasks()[1]
-	c.Assert(t.Kind(), Equals, "setup-profiles")
-
-	// check that auto-connect tasks were added and have snap-setup
-	var autoconnectSup snapstate.SnapSetup
-	t = chg.Tasks()[2]
-	c.Assert(t.Kind(), Equals, "auto-connect")
-	c.Assert(t.Get("snap-setup", &autoconnectSup), IsNil)
-	c.Assert(autoconnectSup.Name(), Equals, "snap1")
-
-	t = chg.Tasks()[3]
-	c.Assert(t.Kind(), Equals, "auto-connect")
-	c.Assert(t.Get("snap-setup", &autoconnectSup), IsNil)
-	c.Assert(autoconnectSup.Name(), Equals, "snap2")
-}
-*/
-
-func (s *interfaceManagerSuite) TestSetupProfilesInjectsAutoConnectIfCore(c *C) {
-	mgr := s.manager(c)
-
-	si1 := &snap.SideInfo{
-		RealName: "core",
-		Revision: snap.R(1),
+	// run the change, this will trigger the auto-connect of the plug
+	s.state.Unlock()
+	for i := 0; i < 5; i++ {
+		s.se.Ensure()
+		s.se.Wait()
 	}
-	sup1 := &snapstate.SnapSetup{SideInfo: si1}
-	_ = snaptest.MockSnap(c, ubuntuCoreSnapYaml, si1)
 
+	// check that auto-connect did finish and not hang
 	s.state.Lock()
-	defer s.state.Unlock()
-
-	task1 := s.state.NewTask("setup-profiles", "")
-	task1.Set("snap-setup", sup1)
-
-	task2 := s.state.NewTask("setup-profiles", "")
-	task2.Set("snap-setup", sup1)
-	task2.Set("core-phase-2", true)
-	task2.WaitFor(task1)
+	c.Check(tConnectPlug.Status(), Equals, state.DoneStatus)
+	c.Check(tInstSlot.Status(), Equals, state.DoStatus)
+	c.Check(tConnectSlot.Status(), Equals, state.DoStatus)
 
-	chg := s.state.NewChange("test", "")
-	chg.AddTask(task1)
-	chg.AddTask(task2)
+	// pretend snapstate finished installing the slot
+	tInstSlot.SetStatus(state.DoneStatus)
 
 	s.state.Unlock()
 
-	defer mgr.Stop()
-	s.settle(c)
-	s.state.Lock()
-
-	// ensure all our tasks ran
-	c.Assert(chg.Err(), IsNil)
-	c.Assert(chg.Tasks(), HasLen, 3)
+	// run again
+	for i := 0; i < 5; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
 
-	// sanity checks
-	t := chg.Tasks()[0]
-	c.Assert(t.Kind(), Equals, "setup-profiles")
-	t = chg.Tasks()[1]
-	c.Assert(t.Kind(), Equals, "setup-profiles")
-	var phase2 bool
-	c.Assert(t.Get("core-phase-2", &phase2), IsNil)
-	c.Assert(t.HaltTasks(), HasLen, 1)
-
-	// check that auto-connect task was added after phase2
-	var autoconnectSup snapstate.SnapSetup
-	t = chg.Tasks()[2]
-	c.Assert(t.Kind(), Equals, "auto-connect")
-	c.Assert(t.Get("snap-setup", &autoconnectSup), IsNil)
-	c.Assert(autoconnectSup.Name(), Equals, "core")
+	// and now the slot side auto-connected
+	s.state.Lock()
+	defer s.state.Unlock()
+	c.Check(tConnectSlot.Status(), Equals, state.DoneStatus)
 }
 
 func (s *interfaceManagerSuite) TestSnapsWithSecurityProfiles(c *C) {
@@ -2618,7 +4330,7 @@
 	c.Check(infos, HasLen, 3)
 	got := make(map[string]snap.Revision)
 	for _, info := range infos {
-		got[info.Name()] = info.Revision
+		got[info.InstanceName()] = info.Revision
 	}
 	c.Check(got, DeepEquals, map[string]snap.Revision{
 		"snap0": snap.R(10),
@@ -2626,3 +4338,1074 @@
 		"snap3": snap.R(3),
 	})
 }
+
+func (s *interfaceManagerSuite) TestDisconnectInterfaces(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	_ = s.manager(c)
+
+	consumerInfo := s.mockSnap(c, consumerYaml)
+	producerInfo := s.mockSnap(c, producerYaml)
+
+	s.state.Lock()
+
+	sup := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "consumer"},
+	}
+
+	repo := s.manager(c).Repository()
+	c.Assert(repo.AddSnap(consumerInfo), IsNil)
+	c.Assert(repo.AddSnap(producerInfo), IsNil)
+
+	plugDynAttrs := map[string]interface{}{
+		"attr3": "value3",
+	}
+	slotDynAttrs := map[string]interface{}{
+		"attr4": "value4",
+	}
+	repo.Connect(&interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"},
+	}, nil, plugDynAttrs, nil, slotDynAttrs, nil)
+
+	chg := s.state.NewChange("install", "")
+	t := s.state.NewTask("auto-disconnect", "")
+	t.Set("snap-setup", sup)
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	ht := t.HaltTasks()
+	c.Assert(ht, HasLen, 3)
+
+	c.Assert(ht[2].Kind(), Equals, "disconnect")
+	var autoDisconnect bool
+	c.Assert(ht[2].Get("auto-disconnect", &autoDisconnect), IsNil)
+	c.Assert(autoDisconnect, Equals, true)
+	var plugDynamic, slotDynamic, plugStatic, slotStatic map[string]interface{}
+	c.Assert(ht[2].Get("plug-static", &plugStatic), IsNil)
+	c.Assert(ht[2].Get("plug-dynamic", &plugDynamic), IsNil)
+	c.Assert(ht[2].Get("slot-static", &slotStatic), IsNil)
+	c.Assert(ht[2].Get("slot-dynamic", &slotDynamic), IsNil)
+
+	c.Assert(plugStatic, DeepEquals, map[string]interface{}{"attr1": "value1"})
+	c.Assert(slotStatic, DeepEquals, map[string]interface{}{"attr2": "value2"})
+	c.Assert(plugDynamic, DeepEquals, map[string]interface{}{"attr3": "value3"})
+	c.Assert(slotDynamic, DeepEquals, map[string]interface{}{"attr4": "value4"})
+
+	var expectedHooks = []struct{ snap, hook string }{
+		{snap: "producer", hook: "disconnect-slot-slot"},
+		{snap: "consumer", hook: "disconnect-plug-plug"},
+	}
+
+	for i := 0; i < 2; i++ {
+		var hsup hookstate.HookSetup
+		c.Assert(ht[i].Kind(), Equals, "run-hook")
+		c.Assert(ht[i].Get("hook-setup", &hsup), IsNil)
+
+		c.Assert(hsup.Snap, Equals, expectedHooks[i].snap)
+		c.Assert(hsup.Hook, Equals, expectedHooks[i].hook)
+	}
+}
+
+func (s *interfaceManagerSuite) testDisconnectInterfacesRetry(c *C, conflictingKind string) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	_ = s.manager(c)
+
+	consumerInfo := s.mockSnap(c, consumerYaml)
+	producerInfo := s.mockSnap(c, producerYaml)
+
+	supprod := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "producer"},
+	}
+
+	s.state.Lock()
+
+	repo := s.manager(c).Repository()
+	c.Assert(repo.AddSnap(consumerInfo), IsNil)
+	c.Assert(repo.AddSnap(producerInfo), IsNil)
+
+	repo.Connect(&interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "producer", Name: "slot"},
+	}, nil, nil, nil, nil, nil)
+
+	sup := &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "consumer"},
+	}
+
+	chg2 := s.state.NewChange("remove", "")
+	t2 := s.state.NewTask("auto-disconnect", "")
+	t2.Set("snap-setup", sup)
+	chg2.AddTask(t2)
+
+	// create conflicting task
+	chg1 := s.state.NewChange("conflicting change", "")
+	t1 := s.state.NewTask(conflictingKind, "")
+	t1.Set("snap-setup", supprod)
+	chg1.AddTask(t1)
+	t3 := s.state.NewTask("other", "")
+	t1.WaitFor(t3)
+	chg1.AddTask(t3)
+	t3.SetStatus(state.HoldStatus)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Assert(strings.Join(t2.Log(), ""), Matches, `.*Waiting for conflicting change in progress...`)
+	c.Assert(t2.Status(), Equals, state.DoingStatus)
+}
+
+func (s *interfaceManagerSuite) TestDisconnectInterfacesRetryLink(c *C) {
+	s.testDisconnectInterfacesRetry(c, "link-snap")
+}
+
+func (s *interfaceManagerSuite) TestDisconnectInterfacesRetrySetupProfiles(c *C) {
+	s.testDisconnectInterfacesRetry(c, "setup-profiles")
+}
+
+func (s *interfaceManagerSuite) setupGadgetConnect(c *C) {
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.MockSnapDecl(c, "consumer", "publisher1", nil)
+	s.mockSnap(c, consumerYaml)
+	s.MockSnapDecl(c, "producer", "publisher2", nil)
+	s.mockSnap(c, producerYaml)
+
+	gadgetInfo := s.mockSnap(c, `name: gadget
+type: gadget
+`)
+
+	gadgetYaml := []byte(`
+connections:
+   - plug: consumeridididididididididididid:plug
+     slot: produceridididididididididididid:slot
+
+volumes:
+    volume-id:
+        bootloader: grub
+`)
+
+	err := ioutil.WriteFile(filepath.Join(gadgetInfo.MountDir(), "meta", "gadget.yaml"), gadgetYaml, 0644)
+	c.Assert(err, IsNil)
+
+}
+
+func (s *interfaceManagerSuite) TestGadgetConnect(c *C) {
+	r1 := release.MockOnClassic(false)
+	defer r1()
+
+	s.setupGadgetConnect(c)
+	s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("setting-up", "...")
+	t := s.state.NewTask("gadget-connect", "gadget connections")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	tasks := chg.Tasks()
+	c.Assert(tasks, HasLen, 6)
+
+	gotConnect := false
+	for _, t := range tasks {
+		switch t.Kind() {
+		default:
+			c.Fatalf("unexpected task kind: %s", t.Kind())
+		case "gadget-connect":
+		case "run-hook":
+		case "connect":
+			gotConnect = true
+			var autoConnect, byGadget bool
+			err := t.Get("auto", &autoConnect)
+			c.Assert(err, IsNil)
+			err = t.Get("by-gadget", &byGadget)
+			c.Assert(err, IsNil)
+			c.Check(autoConnect, Equals, true)
+			c.Check(byGadget, Equals, true)
+
+			var plug interfaces.PlugRef
+			err = t.Get("plug", &plug)
+			c.Assert(err, IsNil)
+			c.Assert(plug.Snap, Equals, "consumer")
+			c.Assert(plug.Name, Equals, "plug")
+			var slot interfaces.SlotRef
+			err = t.Get("slot", &slot)
+			c.Assert(err, IsNil)
+			c.Assert(slot.Snap, Equals, "producer")
+			c.Assert(slot.Name, Equals, "slot")
+		}
+	}
+
+	c.Assert(gotConnect, Equals, true)
+}
+
+func (s *interfaceManagerSuite) TestGadgetConnectAlreadyConnected(c *C) {
+	r1 := release.MockOnClassic(false)
+	defer r1()
+
+	s.setupGadgetConnect(c)
+	s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug producer:slot": map[string]interface{}{
+			"interface": "test", "auto": true,
+		},
+	})
+
+	chg := s.state.NewChange("setting-up", "...")
+	t := s.state.NewTask("gadget-connect", "gadget connections")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	c.Check(chg.Status().Ready(), Equals, true)
+	tasks := chg.Tasks()
+	c.Assert(tasks, HasLen, 1)
+}
+
+func (s *interfaceManagerSuite) TestGadgetConnectConflictRetry(c *C) {
+	r1 := release.MockOnClassic(false)
+	defer r1()
+
+	s.setupGadgetConnect(c)
+	s.manager(c)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	otherChg := s.state.NewChange("other-chg", "...")
+	t := s.state.NewTask("link-snap", "...")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "producer"},
+	})
+	otherChg.AddTask(t)
+
+	chg := s.state.NewChange("setting-up", "...")
+	t = s.state.NewTask("gadget-connect", "gadget connections")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	c.Check(chg.Status().Ready(), Equals, false)
+	tasks := chg.Tasks()
+	c.Assert(tasks, HasLen, 1)
+
+	c.Check(t.Status(), Equals, state.DoingStatus)
+	c.Check(t.Log()[0], Matches, `.*gadget connect will be retried: conflicting snap producer with task "link-snap"`)
+}
+
+func (s *interfaceManagerSuite) TestGadgetConnectSkipUnknown(c *C) {
+	r1 := release.MockOnClassic(false)
+	defer r1()
+
+	s.mockIfaces(c, &ifacetest.TestInterface{InterfaceName: "test"})
+	s.MockSnapDecl(c, "consumer", "publisher1", nil)
+	s.mockSnap(c, consumerYaml)
+	s.MockSnapDecl(c, "producer", "publisher2", nil)
+	s.mockSnap(c, producerYaml)
+
+	s.manager(c)
+
+	gadgetInfo := s.mockSnap(c, `name: gadget
+type: gadget
+`)
+
+	gadgetYaml := []byte(`
+connections:
+   - plug: consumeridididididididididididid:plug
+     slot: produceridididididididididididid:unknown
+   - plug: unknownididididididididididididi:plug
+     slot: produceridididididididididididid:slot
+
+volumes:
+    volume-id:
+        bootloader: grub
+`)
+
+	err := ioutil.WriteFile(filepath.Join(gadgetInfo.MountDir(), "meta", "gadget.yaml"), gadgetYaml, 0644)
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("setting-up", "...")
+	t := s.state.NewTask("gadget-connect", "gadget connections")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	tasks := chg.Tasks()
+	c.Assert(tasks, HasLen, 1)
+
+	logs := t.Log()
+	c.Check(logs, HasLen, 2)
+	c.Check(logs[0], Matches, `.*ignoring missing slot produceridididididididididididid:unknown`)
+	c.Check(logs[1], Matches, `.* ignoring missing plug unknownididididididididididididi:plug`)
+}
+
+func (s *interfaceManagerSuite) TestGadgetConnectHappyPolicyChecks(c *C) {
+	// network-control does not auto-connect so this test also
+	// checks that the right policy checker (for "*-connection"
+	// rules) is used for gadget connections
+	r1 := release.MockOnClassic(false)
+	defer r1()
+
+	s.MockModel(c, nil)
+
+	s.mockSnap(c, coreSnapYaml)
+
+	s.MockSnapDecl(c, "foo", "publisher1", nil)
+	s.mockSnap(c, `name: foo
+version: 1.0
+plugs:
+  network-control:
+`)
+
+	s.manager(c)
+
+	gadgetInfo := s.mockSnap(c, `name: gadget
+type: gadget
+`)
+
+	gadgetYaml := []byte(`
+connections:
+   - plug: fooididididididididididididididi:network-control
+
+volumes:
+    volume-id:
+        bootloader: grub
+`)
+
+	err := ioutil.WriteFile(filepath.Join(gadgetInfo.MountDir(), "meta", "gadget.yaml"), gadgetYaml, 0644)
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("setting-up", "...")
+	t := s.state.NewTask("gadget-connect", "gadget connections")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	tasks := chg.Tasks()
+	c.Assert(tasks, HasLen, 2)
+	c.Assert(tasks[0].Kind(), Equals, "gadget-connect")
+	c.Assert(tasks[1].Kind(), Equals, "connect")
+
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.Status().Ready(), Equals, true)
+
+	// check connection
+	var conns map[string]interface{}
+	err = s.state.Get("conns", &conns)
+	c.Assert(err, IsNil)
+	c.Check(conns, HasLen, 1)
+	c.Check(conns, DeepEquals, map[string]interface{}{
+		"foo:network-control core:network-control": map[string]interface{}{
+			"interface": "network-control", "auto": true, "by-gadget": true,
+		},
+	})
+}
+
+func (s *interfaceManagerSuite) testChangeConflict(c *C, kind string) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "producer", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{{RealName: "producer", SnapID: "producer-id", Revision: snap.R(1)}},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "consumer", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{{RealName: "consumer", SnapID: "consumer-id", Revision: snap.R(1)}},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	chg := s.state.NewChange("another change", "...")
+	t := s.state.NewTask(kind, "...")
+	t.Set("slot", interfaces.SlotRef{Snap: "producer", Name: "slot"})
+	t.Set("plug", interfaces.PlugRef{Snap: "consumer", Name: "plug"})
+	chg.AddTask(t)
+
+	_, err := snapstate.Disable(s.state, "producer")
+	c.Assert(err, ErrorMatches, `snap "producer" has "another change" change in progress`)
+
+	_, err = snapstate.Disable(s.state, "consumer")
+	c.Assert(err, ErrorMatches, `snap "consumer" has "another change" change in progress`)
+}
+
+func (s *interfaceManagerSuite) TestSnapstateOpConflictWithConnect(c *C) {
+	s.testChangeConflict(c, "connect")
+}
+
+func (s *interfaceManagerSuite) TestSnapstateOpConflictWithDisconnect(c *C) {
+	s.testChangeConflict(c, "disconnect")
+}
+
+type udevMonitorMock struct {
+	ConnectError, RunError                             error
+	ConnectCalls, RunCalls, StopCalls, DisconnectCalls int
+}
+
+func (u *udevMonitorMock) Connect() error {
+	u.ConnectCalls++
+	return u.ConnectError
+}
+
+func (u *udevMonitorMock) Disconnect() error {
+	u.DisconnectCalls++
+	return nil
+}
+
+func (u *udevMonitorMock) Run() error {
+	u.RunCalls++
+	return u.RunError
+}
+
+func (u *udevMonitorMock) Stop() error {
+	u.StopCalls++
+	return nil
+}
+
+func (s *interfaceManagerSuite) TestUDevMonitorInit(c *C) {
+	u := udevMonitorMock{}
+	st := s.state
+	st.Lock()
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+	st.Unlock()
+
+	restoreTimeout := ifacestate.MockUDevInitRetryTimeout(0 * time.Second)
+	defer restoreTimeout()
+
+	restoreCreate := ifacestate.MockCreateUDevMonitor(func(udevmonitor.DeviceAddedFunc, udevmonitor.DeviceRemovedFunc, udevmonitor.EnumerationDoneFunc) udevmonitor.Interface {
+		return &u
+	})
+	defer restoreCreate()
+
+	mgr, err := ifacestate.Manager(s.state, nil, s.o.TaskRunner(), nil, nil)
+	c.Assert(err, IsNil)
+
+	// succesfull initialization should result in exactly 1 connect and run call
+	for i := 0; i < 5; i++ {
+		c.Assert(mgr.Ensure(), IsNil)
+	}
+	mgr.Stop()
+
+	c.Assert(u.ConnectCalls, Equals, 1)
+	c.Assert(u.RunCalls, Equals, 1)
+	c.Assert(u.StopCalls, Equals, 1)
+}
+
+func (s *interfaceManagerSuite) TestUDevMonitorInitErrors(c *C) {
+	u := udevMonitorMock{
+		ConnectError: fmt.Errorf("Connect failed"),
+	}
+	st := s.state
+	st.Lock()
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+	st.Unlock()
+
+	restoreTimeout := ifacestate.MockUDevInitRetryTimeout(0 * time.Second)
+	defer restoreTimeout()
+
+	restoreCreate := ifacestate.MockCreateUDevMonitor(func(udevmonitor.DeviceAddedFunc, udevmonitor.DeviceRemovedFunc, udevmonitor.EnumerationDoneFunc) udevmonitor.Interface {
+		return &u
+	})
+	defer restoreCreate()
+
+	mgr, err := ifacestate.Manager(s.state, nil, s.o.TaskRunner(), nil, nil)
+	c.Assert(err, IsNil)
+
+	c.Assert(mgr.Ensure(), ErrorMatches, "Connect failed")
+	c.Assert(u.ConnectCalls, Equals, 1)
+	c.Assert(u.RunCalls, Equals, 0)
+	c.Assert(u.StopCalls, Equals, 0)
+
+	u.ConnectError = nil
+	u.RunError = fmt.Errorf("Run failed")
+	c.Assert(mgr.Ensure(), ErrorMatches, "Run failed")
+	c.Assert(u.ConnectCalls, Equals, 2)
+	c.Assert(u.RunCalls, Equals, 1)
+	c.Assert(u.StopCalls, Equals, 0)
+	c.Assert(u.DisconnectCalls, Equals, 1)
+
+	u.RunError = nil
+	c.Assert(mgr.Ensure(), IsNil)
+
+	mgr.Stop()
+
+	c.Assert(u.StopCalls, Equals, 1)
+}
+
+func (s *interfaceManagerSuite) TestUDevMonitorInitWaitsForCore(c *C) {
+	restoreTimeout := ifacestate.MockUDevInitRetryTimeout(0 * time.Second)
+	defer restoreTimeout()
+
+	var udevMonitorCreated bool
+	restoreCreate := ifacestate.MockCreateUDevMonitor(func(udevmonitor.DeviceAddedFunc, udevmonitor.DeviceRemovedFunc, udevmonitor.EnumerationDoneFunc) udevmonitor.Interface {
+		udevMonitorCreated = true
+		return &udevMonitorMock{}
+	})
+	defer restoreCreate()
+
+	mgr, err := ifacestate.Manager(s.state, nil, s.o.TaskRunner(), nil, nil)
+	c.Assert(err, IsNil)
+
+	for i := 0; i < 5; i++ {
+		c.Assert(mgr.Ensure(), IsNil)
+		c.Assert(udevMonitorCreated, Equals, false)
+	}
+
+	// core snap appears in the system
+	st := s.state
+	st.Lock()
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+	st.Unlock()
+
+	// and udev monitor is now created
+	c.Assert(mgr.Ensure(), IsNil)
+	c.Assert(udevMonitorCreated, Equals, true)
+}
+
+func (s *interfaceManagerSuite) TestAttributesRestoredFromConns(c *C) {
+	slotSnap := s.mockSnap(c, producer2Yaml)
+	plugSnap := s.mockSnap(c, consumerYaml)
+
+	slot := slotSnap.Slots["slot"]
+	c.Assert(slot, NotNil)
+	plug := plugSnap.Plugs["plug"]
+	c.Assert(plug, NotNil)
+
+	st := s.st
+	st.Lock()
+	defer st.Unlock()
+
+	conns, err := ifacestate.GetConns(st)
+	c.Assert(err, IsNil)
+
+	// create connection in conns state
+	dynamicAttrs := map[string]interface{}{"dynamic-number": 7}
+	conn := &interfaces.Connection{
+		Plug: interfaces.NewConnectedPlug(plug, nil, nil),
+		Slot: interfaces.NewConnectedSlot(slot, nil, dynamicAttrs),
+	}
+
+	var number, dynnumber int64
+	c.Check(conn.Slot.Attr("number", &number), IsNil)
+	c.Check(number, Equals, int64(1))
+
+	ifacestate.UpdateConnectionInConnState(conns, conn, false, false)
+	ifacestate.SetConns(st, conns)
+
+	// restore connection from conns state
+	newConns, err := ifacestate.GetConns(st)
+	c.Assert(err, IsNil)
+
+	_, _, slotStaticAttrs, slotDynamicAttrs, ok := ifacestate.GetConnStateAttrs(newConns, "consumer:plug producer2:slot")
+	c.Assert(ok, Equals, true)
+
+	restoredSlot := interfaces.NewConnectedSlot(slot, slotStaticAttrs, slotDynamicAttrs)
+	c.Check(restoredSlot.Attr("number", &number), IsNil)
+	c.Check(number, Equals, int64(1))
+	c.Check(restoredSlot.Attr("dynamic-number", &dynnumber), IsNil)
+}
+
+func (s *interfaceManagerSuite) TestHotplugDisconnect(c *C) {
+	coreInfo := s.mockSnap(c, coreSnapYaml)
+	repo := s.manager(c).Repository()
+	err := repo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName: "test",
+	})
+	c.Assert(err, IsNil)
+	err = repo.AddSlot(&snap.SlotInfo{
+		Snap:       coreInfo,
+		Name:       "hotplugslot",
+		Interface:  "test",
+		HotplugKey: "1234",
+	})
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// mock the consumer
+	si := &snap.SideInfo{RealName: "consumer", Revision: snap.R(1)}
+	testSnap := snaptest.MockSnapInstance(c, "", consumerYaml, si)
+	c.Assert(testSnap.Plugs["plug"], NotNil)
+	c.Assert(repo.AddPlug(testSnap.Plugs["plug"]), IsNil)
+	snapstate.Set(s.state, "consumer", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"hotplugslot": map[string]interface{}{
+			"name":        "hotplugslot",
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug core:hotplugslot": map[string]interface{}{
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	_, err = repo.Connect(&interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "core", Name: "hotplugslot"}},
+		nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	chg := s.state.NewChange("hotplug change", "")
+	t := s.state.NewTask("hotplug-disconnect", "")
+	t.Set("hotplug-key", "1234")
+	t.Set("interface", "test")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+	s.state.Lock()
+	c.Assert(chg.Err(), IsNil)
+
+	var byHotplug bool
+	for _, t := range s.state.Tasks() {
+		// the 'disconnect' task created by hotplug-disconnect should have by-hotplug flag set
+		if t.Kind() == "disconnect" {
+			c.Assert(t.Get("by-hotplug", &byHotplug), IsNil)
+		}
+	}
+	c.Assert(byHotplug, Equals, true)
+
+	// hotplug-gone flag on the connection is set
+	var conns map[string]interface{}
+	c.Assert(s.state.Get("conns", &conns), IsNil)
+	c.Assert(conns, DeepEquals, map[string]interface{}{
+		"consumer:plug core:hotplugslot": map[string]interface{}{
+			"interface":    "test",
+			"hotplug-key":  "1234",
+			"hotplug-gone": true,
+		}})
+}
+
+func (s *interfaceManagerSuite) testHotplugDisconnectWaitsForCoreRefresh(c *C, taskKind string) {
+	coreInfo := s.mockSnap(c, coreSnapYaml)
+
+	repo := s.manager(c).Repository()
+	err := repo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName: "test",
+	})
+	c.Assert(err, IsNil)
+	err = repo.AddSlot(&snap.SlotInfo{
+		Snap:       coreInfo,
+		Name:       "hotplugslot",
+		Interface:  "test",
+		HotplugKey: "1234",
+	})
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// mock the consumer
+	si := &snap.SideInfo{RealName: "consumer", Revision: snap.R(1)}
+	testSnap := snaptest.MockSnapInstance(c, "", consumerYaml, si)
+	c.Assert(testSnap.Plugs["plug"], NotNil)
+	c.Assert(repo.AddPlug(testSnap.Plugs["plug"]), IsNil)
+	snapstate.Set(s.state, "consumer", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"hotplugslot": map[string]interface{}{
+			"name":        "hotplugslot",
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug core:hotplugslot": map[string]interface{}{
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	_, err = repo.Connect(&interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "core", Name: "hotplugslot"}},
+		nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	chg := s.state.NewChange("hotplug change", "")
+	t := s.state.NewTask("hotplug-disconnect", "")
+	ifacestate.SetHotplugAttrs(t, "test", "1234")
+	chg.AddTask(t)
+
+	chg2 := s.state.NewChange("other-chg", "...")
+	t2 := s.state.NewTask(taskKind, "...")
+	t2.Set("snap-setup", &snapstate.SnapSetup{SideInfo: &snap.SideInfo{RealName: "core"}})
+	chg2.AddTask(t2)
+	t3 := s.state.NewTask("other", "")
+	t2.WaitFor(t3)
+	t3.SetStatus(state.HoldStatus)
+	chg2.AddTask(t3)
+
+	s.state.Unlock()
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+	s.state.Lock()
+	c.Assert(chg.Err(), IsNil)
+
+	c.Assert(strings.Join(t.Log(), ""), Matches, `.*Waiting for conflicting change in progress:.*`)
+	c.Assert(chg.Status(), Equals, state.DoingStatus)
+
+	t2.SetStatus(state.DoneStatus)
+	t3.SetStatus(state.DoneStatus)
+
+	s.state.Unlock()
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+}
+
+func (s *interfaceManagerSuite) TestHotplugDisconnectWaitsForCoreSetupProfiles(c *C) {
+	s.testHotplugDisconnectWaitsForCoreRefresh(c, "setup-profiles")
+}
+
+func (s *interfaceManagerSuite) TestHotplugDisconnectWaitsForCoreLnkSnap(c *C) {
+	s.testHotplugDisconnectWaitsForCoreRefresh(c, "link-snap")
+}
+
+func (s *interfaceManagerSuite) TestHotplugDisconnectWaitsForCoreUnlinkSnap(c *C) {
+	s.testHotplugDisconnectWaitsForCoreRefresh(c, "unlink-snap")
+}
+
+func (s *interfaceManagerSuite) TestHotplugDisconnectWaitsForDisconnectPlug(c *C) {
+	coreInfo := s.mockSnap(c, coreSnapYaml)
+
+	repo := s.manager(c).Repository()
+	err := repo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName: "test",
+	})
+	c.Assert(err, IsNil)
+	err = repo.AddSlot(&snap.SlotInfo{
+		Snap:       coreInfo,
+		Name:       "hotplugslot",
+		Interface:  "test",
+		HotplugKey: "1234",
+	})
+	c.Assert(err, IsNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// mock the consumer
+	si := &snap.SideInfo{RealName: "consumer", Revision: snap.R(1)}
+	testSnap := snaptest.MockSnapInstance(c, "", consumerYaml, si)
+	c.Assert(testSnap.Plugs["plug"], NotNil)
+	c.Assert(repo.AddPlug(testSnap.Plugs["plug"]), IsNil)
+	snapstate.Set(s.state, "consumer", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"hotplugslot": map[string]interface{}{
+			"name":        "hotplugslot",
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug core:hotplugslot": map[string]interface{}{
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	conn, err := repo.Connect(&interfaces.ConnRef{PlugRef: interfaces.PlugRef{Snap: "consumer", Name: "plug"},
+		SlotRef: interfaces.SlotRef{Snap: "core", Name: "hotplugslot"}},
+		nil, nil, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	hotplugChg := s.state.NewChange("hotplug change", "")
+	hotplugDisconnect := s.state.NewTask("hotplug-disconnect", "")
+	ifacestate.SetHotplugAttrs(hotplugDisconnect, "test", "1234")
+	hotplugChg.AddTask(hotplugDisconnect)
+
+	disconnectChg := s.state.NewChange("disconnect change", "...")
+	disconnectTs, err := ifacestate.Disconnect(s.state, conn)
+	c.Assert(err, IsNil)
+	disconnectChg.AddAll(disconnectTs)
+
+	holdingTask := s.state.NewTask("other", "")
+	disconnectTs.WaitFor(holdingTask)
+	holdingTask.SetStatus(state.HoldStatus)
+	disconnectChg.AddTask(holdingTask)
+
+	s.state.Unlock()
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+	s.state.Lock()
+	c.Assert(hotplugChg.Err(), IsNil)
+
+	c.Assert(strings.Join(hotplugDisconnect.Log(), ""), Matches, `.*Waiting for conflicting change in progress: conflicting plug snap consumer.*`)
+	c.Assert(hotplugChg.Status(), Equals, state.DoingStatus)
+
+	for _, t := range disconnectTs.Tasks() {
+		t.SetStatus(state.DoneStatus)
+	}
+	holdingTask.SetStatus(state.DoneStatus)
+
+	s.state.Unlock()
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+	s.state.Lock()
+
+	c.Assert(hotplugChg.Err(), IsNil)
+	c.Assert(hotplugChg.Status(), Equals, state.DoneStatus)
+}
+
+func (s *interfaceManagerSuite) TestHotplugRemoveSlot(c *C) {
+	coreInfo := s.mockSnap(c, coreSnapYaml)
+	repo := s.manager(c).Repository()
+	err := repo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName: "test",
+	})
+	c.Assert(err, IsNil)
+	err = repo.AddSlot(&snap.SlotInfo{
+		Snap:       coreInfo,
+		Name:       "hotplugslot",
+		Interface:  "test",
+		HotplugKey: "1234",
+	})
+	c.Assert(err, IsNil)
+
+	// sanity check
+	c.Assert(repo.Slot("core", "hotplugslot"), NotNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"hotplugslot": map[string]interface{}{
+			"name":        "hotplugslot",
+			"interface":   "test",
+			"hotplug-key": "1234",
+		},
+		"otherslot": map[string]interface{}{
+			"name":        "otherslot",
+			"interface":   "test",
+			"hotplug-key": "5678",
+		}})
+
+	chg := s.state.NewChange("hotplug change", "")
+	t := s.state.NewTask("hotplug-remove-slot", "")
+	t.Set("hotplug-key", "1234")
+	t.Set("interface", "test")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+
+	// hotplugslot is removed from the repository and from the state
+	c.Assert(repo.Slot("core", "hotplugslot"), IsNil)
+	slot, err := repo.SlotForHotplugKey("test", "1234")
+	c.Assert(err, IsNil)
+	c.Assert(slot, IsNil)
+
+	var hotplugSlots map[string]interface{}
+	c.Assert(s.state.Get("hotplug-slots", &hotplugSlots), IsNil)
+	c.Assert(hotplugSlots, DeepEquals, map[string]interface{}{
+		"otherslot": map[string]interface{}{
+			"name":        "otherslot",
+			"interface":   "test",
+			"hotplug-key": "5678",
+		}})
+}
+
+func (s *interfaceManagerSuite) TestHotplugRemoveSlotWhenConnected(c *C) {
+	coreInfo := s.mockSnap(c, coreSnapYaml)
+	repo := s.manager(c).Repository()
+	err := repo.AddInterface(&ifacetest.TestInterface{
+		InterfaceName: "test",
+	})
+	c.Assert(err, IsNil)
+	err = repo.AddSlot(&snap.SlotInfo{
+		Snap:       coreInfo,
+		Name:       "hotplugslot",
+		Interface:  "test",
+		HotplugKey: "1234",
+	})
+	c.Assert(err, IsNil)
+
+	// sanity check
+	c.Assert(repo.Slot("core", "hotplugslot"), NotNil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.state.Set("hotplug-slots", map[string]interface{}{
+		"hotplugslot": map[string]interface{}{
+			"name":        "hotplugslot",
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+	s.state.Set("conns", map[string]interface{}{
+		"consumer:plug core:hotplugslot": map[string]interface{}{
+			"interface":    "test",
+			"hotplug-key":  "1234",
+			"hotplug-gone": true,
+		}})
+
+	chg := s.state.NewChange("hotplug change", "")
+	t := s.state.NewTask("hotplug-remove-slot", "")
+	t.Set("hotplug-key", "1234")
+	t.Set("interface", "test")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Assert(chg.Err(), IsNil)
+
+	// hotplugslot is removed from the repository but not from the state, because of existing connection
+	c.Assert(repo.Slot("core", "hotplugslot"), IsNil)
+	slot, err := repo.SlotForHotplugKey("test", "1234")
+	c.Assert(err, IsNil)
+	c.Assert(slot, IsNil)
+
+	var hotplugSlots map[string]interface{}
+	c.Assert(s.state.Get("hotplug-slots", &hotplugSlots), IsNil)
+	c.Assert(hotplugSlots, DeepEquals, map[string]interface{}{
+		"hotplugslot": map[string]interface{}{
+			"name":        "hotplugslot",
+			"interface":   "test",
+			"hotplug-key": "1234",
+		}})
+}
+
+func (s *interfaceManagerSuite) TestHotplugSeqWaitTasks(c *C) {
+	var order []int
+	_ = s.manager(c)
+	s.o.TaskRunner().AddHandler("witness", func(task *state.Task, tomb *tomb.Tomb) error {
+		task.State().Lock()
+		defer task.State().Unlock()
+		var seq int
+		c.Assert(task.Get("seq", &seq), IsNil)
+		order = append(order, seq)
+		return nil
+	}, nil)
+	s.st.Lock()
+
+	// create hotplug changes with witness task to track execution order
+	for i := 10; i >= 1; i-- {
+		chg := s.st.NewChange("hotplug-change", "")
+		chg.Set("hotplug-key", "1234")
+		chg.Set("hotplug-seq", i)
+		t := s.st.NewTask("hotplug-seq-wait", "")
+		witness := s.st.NewTask("witness", "")
+		witness.Set("seq", i)
+		witness.WaitFor(t)
+		chg.AddTask(t)
+		chg.AddTask(witness)
+	}
+
+	s.st.Unlock()
+
+	s.settle(c)
+
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	c.Assert(order, DeepEquals, []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10})
+
+	for _, chg := range s.st.Changes() {
+		c.Assert(chg.Status(), Equals, state.DoneStatus)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/implicit.go snapd-2.37~rc1~14.04/overlord/ifacestate/implicit.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/implicit.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/implicit.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,23 +20,46 @@
 package ifacestate
 
 import (
+	"fmt"
+
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 )
 
-// addImplicitSlots adds implicitly defined slots to a given snap.
+func shouldSnapdHostImplicitSlots(mapper SnapMapper) bool {
+	_, ok := mapper.(*CoreSnapdSystemMapper)
+	return ok
+}
+
+// addImplicitSlots adds implicitly defined slots and hotplug slots to a given snap.
 //
-// Only the OS snap has implicit slots.
+// Only the OS snap has implicit and hotplug slots.
 //
 // It is assumed that slots have names matching the interface name. Existing
 // slots are not changed, only missing slots are added.
-func addImplicitSlots(snapInfo *snap.Info) {
-	if snapInfo.Type != snap.TypeOS {
-		return
+func addImplicitSlots(st *state.State, snapInfo *snap.Info) error {
+	// Implicit slots can be added to the special "snapd" snap or to snaps with
+	// type "os". Currently there are no other snaps that gain implicit
+	// interfaces.
+	if snapInfo.Type != snap.TypeOS && snapInfo.InstanceName() != "snapd" {
+		return nil
+	}
+
+	// If the manager has chosen to put implicit slots on the "snapd" snap
+	// then stop adding them to any other core snaps.
+	if shouldSnapdHostImplicitSlots(mapper) && snapInfo.InstanceName() != "snapd" {
+		return nil
+	}
+
+	hotplugSlots, err := getHotplugSlots(st)
+	if err != nil {
+		return err
 	}
-	// Ask each interface if it wants to be implcitly added.
+
+	// Ask each interface if it wants to be implicitly added.
 	for _, iface := range builtin.Interfaces() {
 		si := interfaces.StaticInfoOf(iface)
 		if (release.OnClassic && si.ImplicitOnClassic) || (!release.OnClassic && si.ImplicitOnCore) {
@@ -46,6 +69,22 @@
 			}
 		}
 	}
+
+	// Add hotplug slots
+	for _, hslotInfo := range hotplugSlots {
+		if _, ok := snapInfo.Slots[hslotInfo.Name]; ok {
+			return fmt.Errorf("cannot add hotplug slot %s: slot already exists", hslotInfo.Name)
+		}
+		snapInfo.Slots[hslotInfo.Name] = &snap.SlotInfo{
+			Name:       hslotInfo.Name,
+			Snap:       snapInfo,
+			Interface:  hslotInfo.Interface,
+			Attrs:      hslotInfo.StaticAttrs,
+			HotplugKey: hslotInfo.HotplugKey,
+		}
+	}
+
+	return nil
 }
 
 func makeImplicitSlot(snapInfo *snap.Info, ifaceName string) *snap.SlotInfo {
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/implicit_test.go snapd-2.37~rc1~14.04/overlord/ifacestate/implicit_test.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/implicit_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/implicit_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,6 +21,7 @@
 
 import (
 	"github.com/snapcore/snapd/overlord/ifacestate"
+	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap/snaptest"
 
@@ -35,8 +36,20 @@
 	restore := release.MockOnClassic(false)
 	defer restore()
 
+	st := state.New(nil)
+	hotplugSlots := map[string]*ifacestate.HotplugSlotInfo{
+		"foo": {
+			Name:        "foo",
+			Interface:   "dummy",
+			StaticAttrs: map[string]interface{}{"attr": "value"},
+			HotplugKey:  "1234",
+		}}
+	st.Lock()
+	defer st.Unlock()
+	st.Set("hotplug-slots", hotplugSlots)
+
 	info := snaptest.MockInfo(c, "{name: core, type: os, version: 0}", nil)
-	ifacestate.AddImplicitSlots(info)
+	c.Assert(ifacestate.AddImplicitSlots(st, info), IsNil)
 	// Ensure that some slots that exist in core systems are present.
 	for _, name := range []string{"network"} {
 		slot := info.Slots[name]
@@ -51,6 +64,13 @@
 
 	// Ensure that we have *some* implicit slots
 	c.Assert(len(info.Slots) > 10, Equals, true)
+
+	// Ensure hotplug slots were added
+	slot := info.Slots["foo"]
+	c.Assert(slot, NotNil)
+	c.Assert(slot.Interface, Equals, "dummy")
+	c.Assert(slot.Attrs, DeepEquals, map[string]interface{}{"attr": "value"})
+	c.Assert(slot.HotplugKey, Equals, "1234")
 }
 
 func (implicitSuite) TestAddImplicitSlotsOnClassic(c *C) {
@@ -58,7 +78,12 @@
 	defer restore()
 
 	info := snaptest.MockInfo(c, "{name: core, type: os, version: 0}", nil)
-	ifacestate.AddImplicitSlots(info)
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	c.Assert(ifacestate.AddImplicitSlots(st, info), IsNil)
 	// Ensure that some slots that exist in classic systems are present.
 	for _, name := range []string{"network", "unity7"} {
 		slot := info.Slots[name]
@@ -69,3 +94,23 @@
 	// Ensure that we have *some* implicit slots
 	c.Assert(len(info.Slots) > 10, Equals, true)
 }
+
+func (implicitSuite) TestAddImplicitSlotsErrorSlotExists(c *C) {
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	info := snaptest.MockInfo(c, "{name: core, type: os, version: 0}", nil)
+
+	st := state.New(nil)
+	hotplugSlots := map[string]*ifacestate.HotplugSlotInfo{
+		"unity7": {
+			Name:       "unity7",
+			Interface:  "unity7",
+			HotplugKey: "1234",
+		}}
+	st.Lock()
+	defer st.Unlock()
+	st.Set("hotplug-slots", hotplugSlots)
+
+	c.Assert(ifacestate.AddImplicitSlots(st, info), ErrorMatches, `cannot add hotplug slot unity7: slot already exists`)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/udevmonitor/udevmon.go snapd-2.37~rc1~14.04/overlord/ifacestate/udevmonitor/udevmon.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/udevmonitor/udevmon.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/udevmonitor/udevmon.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,197 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package udevmonitor
+
+import (
+	"fmt"
+
+	"gopkg.in/tomb.v2"
+
+	"github.com/snapcore/snapd/interfaces/hotplug"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil/udev/netlink"
+)
+
+type Interface interface {
+	Connect() error
+	Disconnect() error
+	Run() error
+	Stop() error
+}
+
+type DeviceAddedFunc func(device *hotplug.HotplugDeviceInfo)
+type DeviceRemovedFunc func(device *hotplug.HotplugDeviceInfo)
+type EnumerationDoneFunc func()
+
+// Monitor monitors kernel uevents making it possible to find hotpluggable devices.
+type Monitor struct {
+	tomb            tomb.Tomb
+	deviceAdded     DeviceAddedFunc
+	deviceRemoved   DeviceRemovedFunc
+	enumerationDone func()
+	netlinkConn     *netlink.UEventConn
+	// channels used by netlink connection and monitor
+	monitorStop   chan struct{}
+	netlinkErrors chan error
+	netlinkEvents chan netlink.UEvent
+
+	// seen keeps track of all observed devices to know when to
+	// ignore a spurious event (in case it happens, e.g. when
+	// device gets reported by both the enumeration and monitor on
+	// startup).  the keys are based on device paths which are
+	// guaranteed to be unique and stable till device gets
+	// removed.  the lookup is not persisted and gets populated
+	// and updated in response to enumeration and hotplug events.
+	seen map[string]bool
+}
+
+func New(added DeviceAddedFunc, removed DeviceRemovedFunc, enumerationDone EnumerationDoneFunc) Interface {
+	m := &Monitor{
+		deviceAdded:     added,
+		deviceRemoved:   removed,
+		enumerationDone: enumerationDone,
+		netlinkConn:     &netlink.UEventConn{},
+		seen:            make(map[string]bool),
+	}
+
+	m.netlinkEvents = make(chan netlink.UEvent)
+	m.netlinkErrors = make(chan error)
+
+	return m
+}
+
+func (m *Monitor) EventsChannel() chan netlink.UEvent {
+	return m.netlinkEvents
+}
+
+func (m *Monitor) Connect() error {
+	if m.netlinkConn == nil || m.netlinkConn.Fd != 0 {
+		// this cannot happen in real code but may happen in tests
+		return fmt.Errorf("cannot connect: already connected")
+	}
+
+	if err := m.netlinkConn.Connect(netlink.UdevEvent); err != nil {
+		return fmt.Errorf("cannot start udev monitor: %s", err)
+	}
+
+	// TODO: consider passing a device filter to reduce noise from irrelevant devices.
+	m.monitorStop = m.netlinkConn.Monitor(m.netlinkEvents, m.netlinkErrors, nil)
+
+	return nil
+}
+
+func (m *Monitor) Disconnect() error {
+	select {
+	case m.monitorStop <- struct{}{}:
+	default:
+	}
+	return m.netlinkConn.Close()
+}
+
+// Run enumerates existing USB devices and starts a new goroutine that
+// handles hotplug events (devices added or removed). It returns immediately.
+// The goroutine must be stopped by calling Stop() method.
+func (m *Monitor) Run() error {
+	// Gather devices from udevadm info output (enumeration on startup).
+	devices, parseErrors, err := hotplug.EnumerateExistingDevices()
+	if err != nil {
+		return fmt.Errorf("cannot enumerate existing devices: %s", err)
+	}
+	m.tomb.Go(func() error {
+		for _, perr := range parseErrors {
+			logger.Noticef("udev enumeration error: %s", perr)
+		}
+		for _, dev := range devices {
+			devPath := dev.DevicePath()
+			if m.seen[devPath] {
+				continue
+			}
+			m.seen[devPath] = true
+			if m.deviceAdded != nil {
+				m.deviceAdded(dev)
+			}
+		}
+		if m.enumerationDone != nil {
+			m.enumerationDone()
+		}
+
+		// Process hotplug events reported by udev monitor.
+		for {
+			select {
+			case err := <-m.netlinkErrors:
+				logger.Noticef("udev event error: %s", err)
+			case ev := <-m.netlinkEvents:
+				m.udevEvent(&ev)
+			case <-m.tomb.Dying():
+				return m.Disconnect()
+			}
+		}
+	})
+
+	return nil
+}
+
+func (m *Monitor) Stop() error {
+	m.tomb.Kill(nil)
+	err := m.tomb.Wait()
+	m.netlinkConn = nil
+	return err
+}
+
+func (m *Monitor) udevEvent(ev *netlink.UEvent) {
+	switch ev.Action {
+	case netlink.ADD:
+		m.addDevice(ev.KObj, ev.Env)
+	case netlink.REMOVE:
+		m.removeDevice(ev.KObj, ev.Env)
+	default:
+	}
+}
+
+func (m *Monitor) addDevice(kobj string, env map[string]string) {
+	dev, err := hotplug.NewHotplugDeviceInfo(env)
+	if err != nil {
+		return
+	}
+	devPath := dev.DevicePath()
+	if m.seen[devPath] {
+		return
+	}
+	m.seen[devPath] = true
+	if m.deviceAdded != nil {
+		m.deviceAdded(dev)
+	}
+}
+
+func (m *Monitor) removeDevice(kobj string, env map[string]string) {
+	dev, err := hotplug.NewHotplugDeviceInfo(env)
+	if err != nil {
+		return
+	}
+	devPath := dev.DevicePath()
+	if !m.seen[devPath] {
+		logger.Noticef("udev monitor observed remove event for unknown device %q", dev.DevicePath())
+		return
+	}
+	delete(m.seen, devPath)
+	if m.deviceRemoved != nil {
+		m.deviceRemoved(dev)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/ifacestate/udevmonitor/udevmon_test.go snapd-2.37~rc1~14.04/overlord/ifacestate/udevmonitor/udevmon_test.go
--- snapd-2.32.3.2~14.04/overlord/ifacestate/udevmonitor/udevmon_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/ifacestate/udevmonitor/udevmon_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,182 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package udevmonitor_test
+
+import (
+	"testing"
+	"time"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/interfaces/hotplug"
+	"github.com/snapcore/snapd/osutil/udev/netlink"
+	"github.com/snapcore/snapd/overlord/ifacestate/udevmonitor"
+	"github.com/snapcore/snapd/testutil"
+)
+
+func TestHotplug(t *testing.T) { TestingT(t) }
+
+type udevMonitorSuite struct{}
+
+var _ = Suite(&udevMonitorSuite{})
+
+func (s *udevMonitorSuite) TestSmoke(c *C) {
+	mon := udevmonitor.New(nil, nil, nil)
+	c.Assert(mon, NotNil)
+	c.Assert(mon.Connect(), IsNil)
+	c.Assert(mon.Run(), IsNil)
+	c.Assert(mon.Stop(), IsNil)
+}
+
+func (s *udevMonitorSuite) TestDiscovery(c *C) {
+	var addInfos []*hotplug.HotplugDeviceInfo
+	var remInfo *hotplug.HotplugDeviceInfo
+	var enumerationDone bool
+
+	callbackChannel := make(chan struct{})
+	defer close(callbackChannel)
+
+	added := func(inf *hotplug.HotplugDeviceInfo) {
+		addInfos = append(addInfos, inf)
+		callbackChannel <- struct{}{}
+	}
+	removed := func(inf *hotplug.HotplugDeviceInfo) {
+		remInfo = inf
+		callbackChannel <- struct{}{}
+	}
+	enumerationFinished := func() {
+		// enumerationDone is signalled after udevadm parsing ends and before other devices are reported
+		c.Assert(addInfos, HasLen, 2)
+		c.Check(addInfos[0].DevicePath(), Equals, "/sys/a/path")
+		c.Check(addInfos[1].DevicePath(), Equals, "/sys/def")
+
+		enumerationDone = true
+		callbackChannel <- struct{}{}
+	}
+
+	cmd := testutil.MockCommand(c, "udevadm", `#!/bin/sh
+cat << __END__
+P: /a/path
+N: name
+E: DEVNAME=name
+E: foo=bar
+E: DEVPATH=/a/path
+E: SUBSYSTEM=tty
+
+P: def
+N: bar
+E: DEVPATH=def
+E: SUBSYSTEM=tty
+E: MINOR=3
+E: MAJOR=0
+E: DEVNAME=ghi
+E: DEVTYPE=bzz
+`)
+	defer cmd.Restore()
+
+	udevmon := udevmonitor.New(added, removed, enumerationFinished).(*udevmonitor.Monitor)
+	events := udevmon.EventsChannel()
+
+	c.Assert(udevmon.Run(), IsNil)
+
+	go func() {
+		events <- netlink.UEvent{
+			Action: netlink.ADD,
+			KObj:   "foo",
+			Env: map[string]string{
+				"DEVPATH":   "abc",
+				"SUBSYSTEM": "tty",
+				"MINOR":     "1",
+				"MAJOR":     "2",
+				"DEVNAME":   "def",
+				"DEVTYPE":   "boo",
+			},
+		}
+		// the 2nd device will be ignored by de-duplication logic since it's also reported by udevadm mock.
+		events <- netlink.UEvent{
+			Action: netlink.ADD,
+			KObj:   "foo",
+			Env: map[string]string{
+				"DEVPATH":   "/a/path",
+				"SUBSYSTEM": "tty",
+				"DEVNAME":   "name",
+			},
+		}
+		events <- netlink.UEvent{
+			Action: netlink.REMOVE,
+			KObj:   "bar",
+			Env: map[string]string{
+				"DEVPATH":   "def",
+				"SUBSYSTEM": "tty",
+				"MINOR":     "3",
+				"MAJOR":     "0",
+				"DEVNAME":   "ghi",
+				"DEVTYPE":   "bzz",
+			},
+		}
+	}()
+
+	// expect three add events - one from udev event, two from enumeration.
+	const numExpectedDevices = 3
+Loop:
+	for {
+		select {
+		case <-callbackChannel:
+			if len(addInfos) == numExpectedDevices && remInfo != nil && enumerationDone {
+				break Loop
+			}
+		case <-time.After(3 * time.Second):
+			c.Error("Did not receive expected devices before timeout")
+			break Loop
+		default:
+		}
+	}
+
+	c.Assert(remInfo, NotNil)
+	c.Assert(addInfos, HasLen, numExpectedDevices)
+	c.Assert(enumerationDone, Equals, true)
+
+	c.Assert(udevmon.Stop(), IsNil)
+
+	addInfo := addInfos[0]
+	c.Assert(addInfo.DeviceName(), Equals, "name")
+	c.Assert(addInfo.DevicePath(), Equals, "/sys/a/path")
+	c.Assert(addInfo.Subsystem(), Equals, "tty")
+
+	addInfo = addInfos[1]
+	c.Assert(addInfo.DeviceName(), Equals, "ghi")
+	c.Assert(addInfo.DevicePath(), Equals, "/sys/def")
+	c.Assert(addInfo.Subsystem(), Equals, "tty")
+
+	addInfo = addInfos[2]
+	c.Assert(addInfo.DeviceName(), Equals, "def")
+	c.Assert(addInfo.DeviceType(), Equals, "boo")
+	c.Assert(addInfo.Subsystem(), Equals, "tty")
+	c.Assert(addInfo.DevicePath(), Equals, "/sys/abc")
+	c.Assert(addInfo.Major(), Equals, "2")
+	c.Assert(addInfo.Minor(), Equals, "1")
+
+	c.Assert(remInfo.DeviceName(), Equals, "ghi")
+	c.Assert(remInfo.DeviceType(), Equals, "bzz")
+	c.Assert(remInfo.Subsystem(), Equals, "tty")
+	c.Assert(remInfo.DevicePath(), Equals, "/sys/def")
+	c.Assert(remInfo.Major(), Equals, "0")
+	c.Assert(remInfo.Minor(), Equals, "3")
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/managers_test.go snapd-2.37~rc1~14.04/overlord/managers_test.go
--- snapd-2.32.3.2~14.04/overlord/managers_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/managers_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -50,6 +50,7 @@
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/hookstate"
+	"github.com/snapcore/snapd/overlord/ifacestate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/partition"
@@ -66,16 +67,11 @@
 
 	restore func()
 
-	aa               *testutil.MockCmd
-	udev             *testutil.MockCmd
-	umount           *testutil.MockCmd
 	restoreSystemctl func()
 
-	snapDiscardNs *testutil.MockCmd
-	snapSeccomp   *testutil.MockCmd
-
 	storeSigning   *assertstest.StoreStack
 	restoreTrusted func()
+	mockSnapCmd    *testutil.MockCmd
 
 	devAcct *asserts.Account
 
@@ -86,6 +82,8 @@
 	hijackServeSnap func(http.ResponseWriter)
 
 	o *overlord.Overlord
+
+	restoreBackends func()
 }
 
 var (
@@ -101,20 +99,31 @@
 	deviceKey, _ = assertstest.GenerateKey(752)
 )
 
+const (
+	aggressiveSettleTimeout = 50 * time.Millisecond
+	connectRetryTimeout     = 70 * time.Millisecond
+)
+
 func (ms *mgrsSuite) SetUpTest(c *C) {
 	ms.tempdir = c.MkDir()
 	dirs.SetRootDir(ms.tempdir)
 	err := os.MkdirAll(filepath.Dir(dirs.SnapStateFile), 0755)
 	c.Assert(err, IsNil)
 
+	// needed by hooks
+	ms.mockSnapCmd = testutil.MockCommand(c, "snap", "")
+
 	oldSetupInstallHook := snapstate.SetupInstallHook
 	oldSetupRemoveHook := snapstate.SetupRemoveHook
 	snapstate.SetupRemoveHook = hookstate.SetupRemoveHook
 	snapstate.SetupInstallHook = hookstate.SetupInstallHook
 
+	restoreConnectRetryTimeout := ifacestate.MockConnectRetryTimeout(connectRetryTimeout)
+
 	ms.restore = func() {
 		snapstate.SetupRemoveHook = oldSetupRemoveHook
 		snapstate.SetupInstallHook = oldSetupInstallHook
+		restoreConnectRetryTimeout()
 	}
 
 	os.Setenv("SNAPPY_SQUASHFS_UNPACK_FOR_TESTS", "1")
@@ -126,12 +135,6 @@
 		return []byte("ActiveState=inactive\n"), nil
 	})
 
-	ms.aa = testutil.MockCommand(c, "apparmor_parser", "")
-	ms.udev = testutil.MockCommand(c, "udevadm", "")
-	ms.umount = testutil.MockCommand(c, "umount", "")
-	ms.snapDiscardNs = testutil.MockCommand(c, "snap-discard-ns", "")
-	dirs.DistroLibExecDir = ms.snapDiscardNs.BinDir()
-
 	ms.storeSigning = assertstest.NewStoreStack("can0nical", nil)
 	ms.restoreTrusted = sysdb.InjectTrusted(ms.storeSigning.Trusted)
 
@@ -144,20 +147,21 @@
 	ms.serveIDtoName = make(map[string]string)
 	ms.serveSnapPath = make(map[string]string)
 	ms.serveRevision = make(map[string]string)
+	ms.hijackServeSnap = nil
 
-	snapSeccompPath := filepath.Join(dirs.DistroLibExecDir, "snap-seccomp")
-	err = os.MkdirAll(filepath.Dir(snapSeccompPath), 0755)
-	c.Assert(err, IsNil)
-	ms.snapSeccomp = testutil.MockCommand(c, snapSeccompPath, "")
+	ms.restoreBackends = ifacestate.MockSecurityBackends(nil)
 
 	o, err := overlord.New()
 	c.Assert(err, IsNil)
+	o.InterfaceManager().DisableUDevMonitor()
 	ms.o = o
 	st := ms.o.State()
 	st.Lock()
 	defer st.Unlock()
 	st.Set("seeded", true)
 	// registered
+	err = assertstate.Add(st, sysdb.GenericClassicModel())
+	c.Assert(err, IsNil)
 	auth.SetDevice(st, &auth.DeviceState{
 		Brand:  "generic",
 		Model:  "generic-classic",
@@ -209,6 +213,32 @@
 	c.Assert(assertstate.Add(st, a3), IsNil)
 	c.Assert(ms.storeSigning.Add(a3), IsNil)
 
+	// add "some-snap" snap declaration
+	headers = map[string]interface{}{
+		"series":       "16",
+		"snap-name":    "some-snap",
+		"publisher-id": "can0nical",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}
+	headers["snap-id"] = fakeSnapID(headers["snap-name"].(string))
+	a4, err := ms.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
+	c.Assert(err, IsNil)
+	c.Assert(assertstate.Add(st, a4), IsNil)
+	c.Assert(ms.storeSigning.Add(a4), IsNil)
+
+	// add "other-snap" snap declaration
+	headers = map[string]interface{}{
+		"series":       "16",
+		"snap-name":    "other-snap",
+		"publisher-id": "can0nical",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}
+	headers["snap-id"] = fakeSnapID(headers["snap-name"].(string))
+	a5, err := ms.storeSigning.Sign(asserts.SnapDeclarationType, headers, nil, "")
+	c.Assert(err, IsNil)
+	c.Assert(assertstate.Add(st, a5), IsNil)
+	c.Assert(ms.storeSigning.Add(a5), IsNil)
+
 	// add core itself
 	snapstate.Set(st, "core", &snapstate.SnapState{
 		Active: true,
@@ -221,6 +251,8 @@
 	// don't actually try to talk to the store on snapstate.Ensure
 	// needs doing after the call to devicestate.Manager (which happens in overlord.New)
 	snapstate.CanAutoRefresh = nil
+
+	st.Set("refresh-privacy-key", "privacy-key")
 }
 
 func (ms *mgrsSuite) TearDownTest(c *C) {
@@ -228,12 +260,9 @@
 	ms.restoreTrusted()
 	ms.restore()
 	ms.restoreSystemctl()
+	ms.mockSnapCmd.Restore()
 	os.Unsetenv("SNAPPY_SQUASHFS_UNPACK_FOR_TESTS")
-	ms.udev.Restore()
-	ms.aa.Restore()
-	ms.umount.Restore()
-	ms.snapDiscardNs.Restore()
-	ms.snapSeccomp.Restore()
+	ms.restoreBackends()
 }
 
 var settleTimeout = 15 * time.Second
@@ -263,7 +292,7 @@
 	st.Lock()
 	defer st.Unlock()
 
-	ts, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "foo"}, snapPath, "", snapstate.Flags{DevMode: true})
+	ts, _, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "foo"}, snapPath, "", "", snapstate.Flags{DevMode: true})
 	c.Assert(err, IsNil)
 	chg := st.NewChange("install-snap", "...")
 	chg.AddAll(ts)
@@ -360,6 +389,29 @@
 	"summary": "Foo",
 	"version": "@VERSION@"
 }`
+
+	snapV2 = `{
+	"architectures": [
+	    "all"
+	],
+        "download": {
+            "url": "@URL@"
+        },
+        "type": "@TYPE@",
+	"name": "@NAME@",
+	"revision": @REVISION@,
+	"snap-id": "@SNAPID@",
+	"summary": "Foo",
+	"description": "this is a description",
+	"version": "@VERSION@",
+        "publisher": {
+           "id": "devdevdev",
+           "name": "bar"
+         },
+         "media": [
+            {"type": "icon", "url": "@ICON@"}
+         ]
+}`
 )
 
 var fooSnapID = fakeSnapID("foo")
@@ -399,7 +451,7 @@
 	c.Assert(err, IsNil)
 
 	headers := map[string]interface{}{
-		"snap-id":       fakeSnapID(info.Name()),
+		"snap-id":       fakeSnapID(info.SnapName()),
 		"snap-sha3-384": snapDigest,
 		"snap-size":     fmt.Sprintf("%d", size),
 		"snap-revision": revno,
@@ -416,7 +468,7 @@
 
 func (ms *mgrsSuite) mockStore(c *C) *httptest.Server {
 	var baseURL *url.URL
-	fillHit := func(name string) string {
+	fillHit := func(hitTemplate, name string) string {
 		snapf, err := snap.Open(ms.serveSnapPath[name])
 		if err != nil {
 			panic(err)
@@ -425,23 +477,36 @@
 		if err != nil {
 			panic(err)
 		}
-		hit := strings.Replace(searchHit, "@URL@", baseURL.String()+"/api/v1/snaps/download/"+name, -1)
+		hit := strings.Replace(hitTemplate, "@URL@", baseURL.String()+"/api/v1/snaps/download/"+name, -1)
 		hit = strings.Replace(hit, "@NAME@", name, -1)
 		hit = strings.Replace(hit, "@SNAPID@", fakeSnapID(name), -1)
 		hit = strings.Replace(hit, "@ICON@", baseURL.String()+"/icon", -1)
 		hit = strings.Replace(hit, "@VERSION@", info.Version, -1)
 		hit = strings.Replace(hit, "@REVISION@", ms.serveRevision[name], -1)
+		hit = strings.Replace(hit, `@TYPE@`, string(info.Type), -1)
 		return hit
 	}
 
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// all URLS are /api/v1/snaps/... so check the url is sane and discard
-		// the common prefix to simplify indexing into the comps slice.
+		// all URLS are /api/v1/snaps/... or /v2/snaps/... so
+		// check the url is sane and discard the common prefix
+		// to simplify indexing into the comps slice.
 		comps := strings.Split(r.URL.Path, "/")
-		if len(comps) <= 4 {
+		if len(comps) < 2 {
 			panic("unexpected url path: " + r.URL.Path)
 		}
-		comps = comps[4:]
+		if comps[1] == "api" { //v1
+			if len(comps) <= 4 {
+				panic("unexpected url path: " + r.URL.Path)
+			}
+			comps = comps[4:]
+		} else { // v2
+			if len(comps) <= 3 {
+				panic("unexpected url path: " + r.URL.Path)
+			}
+			comps = comps[3:]
+			comps[0] = "v2:" + comps[0]
+		}
 
 		switch comps[0] {
 		case "assertions":
@@ -465,7 +530,7 @@
 			return
 		case "details":
 			w.WriteHeader(200)
-			io.WriteString(w, fillHit(comps[1]))
+			io.WriteString(w, fillHit(searchHit, comps[1]))
 		case "metadata":
 			dec := json.NewDecoder(r.Body)
 			var input struct {
@@ -484,7 +549,7 @@
 				if snap.R(s.Revision) == snap.R(ms.serveRevision[name]) {
 					continue
 				}
-				hits = append(hits, json.RawMessage(fillHit(name)))
+				hits = append(hits, json.RawMessage(fillHit(searchHit, name)))
 			}
 			w.WriteHeader(200)
 			output, err := json.Marshal(map[string]interface{}{
@@ -506,6 +571,53 @@
 				panic(err)
 			}
 			io.Copy(w, snapR)
+		case "v2:refresh":
+			dec := json.NewDecoder(r.Body)
+			var input struct {
+				Actions []struct {
+					Action      string `json:"action"`
+					SnapID      string `json:"snap-id"`
+					Name        string `json:"name"`
+					InstanceKey string `json:"instance-key"`
+				} `json:"actions"`
+			}
+			if err := dec.Decode(&input); err != nil {
+				panic(err)
+			}
+			type resultJSON struct {
+				Result      string          `json:"result"`
+				SnapID      string          `json:"snap-id"`
+				Name        string          `json:"name"`
+				Snap        json.RawMessage `json:"snap"`
+				InstanceKey string          `json:"instance-key"`
+			}
+			var results []resultJSON
+			for _, a := range input.Actions {
+				name := ms.serveIDtoName[a.SnapID]
+				if a.Action == "install" {
+					name = a.Name
+				}
+				if ms.serveSnapPath[name] == "" {
+					// no match
+					continue
+				}
+				results = append(results, resultJSON{
+					Result:      a.Action,
+					SnapID:      a.SnapID,
+					InstanceKey: a.InstanceKey,
+					Name:        name,
+					Snap:        json.RawMessage(fillHit(snapV2, name)),
+				})
+			}
+			w.WriteHeader(200)
+			output, err := json.Marshal(map[string]interface{}{
+				"results": results,
+			})
+			if err != nil {
+				panic(err)
+			}
+			w.Write(output)
+
 		default:
 			panic("unexpected url path: " + r.URL.Path)
 		}
@@ -535,7 +647,7 @@
 	if err != nil {
 		panic(err)
 	}
-	name := info.Name()
+	name := info.SnapName()
 	ms.serveIDtoName[fakeSnapID(name)] = name
 	ms.serveSnapPath[name] = snapPath
 	ms.serveRevision[name] = revno
@@ -681,7 +793,7 @@
 	err = assertstate.Add(st, snapDecl)
 	c.Assert(err, IsNil)
 
-	ts, err := snapstate.InstallPath(st, si, snapPath, "", snapstate.Flags{DevMode: true})
+	ts, _, err := snapstate.InstallPath(st, si, snapPath, "", "", snapstate.Flags{DevMode: true})
 	c.Assert(err, IsNil)
 	chg := st.NewChange("install-snap", "...")
 	chg.AddAll(ts)
@@ -719,6 +831,66 @@
 	c.Assert(mup, testutil.FileMatches, "(?ms).*^What=/var/lib/snapd/snaps/foo_55.snap")
 }
 
+func (ms *mgrsSuite) TestParallelInstanceLocalInstallSnapNameMismatch(c *C) {
+	snapDecl := ms.prereqSnapAssertions(c)
+
+	snapYamlContent := `name: foo
+apps:
+ bar:
+  command: bin/bar
+`
+	snapPath := makeTestSnap(c, snapYamlContent+"version: 1.5")
+
+	si := &snap.SideInfo{
+		RealName: "foo",
+		SnapID:   fooSnapID,
+		Revision: snap.R(55),
+	}
+
+	st := ms.o.State()
+	st.Lock()
+	defer st.Unlock()
+
+	// have the snap-declaration in the system db
+	err := assertstate.Add(st, ms.devAcct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(st, snapDecl)
+	c.Assert(err, IsNil)
+
+	_, _, err = snapstate.InstallPath(st, si, snapPath, "bar_instance", "", snapstate.Flags{DevMode: true})
+	c.Assert(err, ErrorMatches, `cannot install snap "bar_instance", the name does not match the metadata "foo"`)
+}
+
+func (ms *mgrsSuite) TestParallelInstanceLocalInstallInvalidInstanceName(c *C) {
+	snapDecl := ms.prereqSnapAssertions(c)
+
+	snapYamlContent := `name: foo
+apps:
+ bar:
+  command: bin/bar
+`
+	snapPath := makeTestSnap(c, snapYamlContent+"version: 1.5")
+
+	si := &snap.SideInfo{
+		RealName: "foo",
+		SnapID:   fooSnapID,
+		Revision: snap.R(55),
+	}
+
+	st := ms.o.State()
+	st.Lock()
+	defer st.Unlock()
+
+	// have the snap-declaration in the system db
+	err := assertstate.Add(st, ms.devAcct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(st, snapDecl)
+	c.Assert(err, IsNil)
+
+	_, _, err = snapstate.InstallPath(st, si, snapPath, "bar_invalid_instance_name", "", snapstate.Flags{DevMode: true})
+	c.Assert(err, ErrorMatches, `invalid instance key: "invalid_instance_name"`)
+}
+
 func (ms *mgrsSuite) TestCheckInterfaces(c *C) {
 	snapDecl := ms.prereqSnapAssertions(c)
 
@@ -751,7 +923,7 @@
 	restoreSanitize := snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {})
 	defer restoreSanitize()
 
-	ts, err := snapstate.InstallPath(st, si, snapPath, "", snapstate.Flags{DevMode: true})
+	ts, _, err := snapstate.InstallPath(st, si, snapPath, "", "", snapstate.Flags{DevMode: true})
 	c.Assert(err, IsNil)
 	chg := st.NewChange("install-snap", "...")
 	chg.AddAll(ts)
@@ -844,7 +1016,7 @@
 	snapPath, _ = ms.makeStoreTestSnap(c, strings.Replace(snapYamlContent, "@VERSION@", ver, -1), revno)
 	ms.serveSnap(snapPath, revno)
 
-	updated, tss, err := snapstate.UpdateMany(context.TODO(), st, []string{"foo"}, 0)
+	updated, tss, err := snapstate.UpdateMany(context.TODO(), st, []string{"foo"}, 0, nil)
 	c.Check(updated, IsNil)
 	c.Check(tss, IsNil)
 	// no validation we, get an error
@@ -864,7 +1036,7 @@
 	c.Assert(err, IsNil)
 
 	// ... and try again
-	updated, tss, err = snapstate.UpdateMany(context.TODO(), st, []string{"foo"}, 0)
+	updated, tss, err = snapstate.UpdateMany(context.TODO(), st, []string{"foo"}, 0, nil)
 	c.Assert(err, IsNil)
 	c.Assert(updated, DeepEquals, []string{"foo"})
 	c.Assert(tss, HasLen, 1)
@@ -895,6 +1067,26 @@
 	restore := release.MockOnClassic(false)
 	defer restore()
 
+	brandAcct := assertstest.NewAccount(ms.storeSigning, "my-brand", map[string]interface{}{
+		"account-id":   "my-brand",
+		"verification": "verified",
+	}, "")
+	brandAccKey := assertstest.NewAccountKey(ms.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
+
+	brandSigning := assertstest.NewSigningDB("my-brand", brandPrivKey)
+	model, err := brandSigning.Sign(asserts.ModelType, map[string]interface{}{
+		"series":       "16",
+		"authority-id": "my-brand",
+		"brand-id":     "my-brand",
+		"model":        "my-model",
+		"architecture": "amd64",
+		"store":        "my-brand-store-id",
+		"gadget":       "gadget",
+		"kernel":       "krnl",
+		"timestamp":    time.Now().Format(time.RFC3339),
+	}, nil, "")
+	c.Assert(err, IsNil)
+
 	const packageOS = `
 name: core
 version: 16.04-1
@@ -906,7 +1098,19 @@
 	st.Lock()
 	defer st.Unlock()
 
-	ts, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "core"}, snapPath, "", snapstate.Flags{})
+	// setup model assertion
+	err = assertstate.Add(st, brandAcct)
+	c.Assert(err, IsNil)
+	err = assertstate.Add(st, brandAccKey)
+	c.Assert(err, IsNil)
+	auth.SetDevice(st, &auth.DeviceState{
+		Brand: "my-brand",
+		Model: "my-model",
+	})
+	err = assertstate.Add(st, model)
+	c.Assert(err, IsNil)
+
+	ts, _, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "core"}, snapPath, "", "", snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg := st.NewChange("install-snap", "...")
 	chg.AddAll(ts)
@@ -917,8 +1121,21 @@
 	c.Assert(err, IsNil)
 
 	// final steps will are post poned until we are in the restarted snapd
-	c.Assert(st.Restarting(), Equals, true)
-	c.Assert(chg.Status(), Equals, state.DoingStatus, Commentf("install-snap change failed with: %v", chg.Err()))
+	ok, rst := st.Restarting()
+	c.Assert(ok, Equals, true)
+	c.Assert(rst, Equals, state.RestartSystem)
+
+	findKind := func(chg *state.Change, kind string) *state.Task {
+		for _, t := range chg.Tasks() {
+			if t.Kind() == kind {
+				return t
+			}
+		}
+		return nil
+	}
+	t := findKind(chg, "auto-connect")
+	c.Assert(t, NotNil)
+	c.Assert(t.Status(), Equals, state.DoingStatus, Commentf("install-snap change failed with: %v", chg.Err()))
 
 	// this is already set
 	c.Assert(bootloader.BootVars, DeepEquals, map[string]string{
@@ -927,7 +1144,7 @@
 	})
 
 	// simulate successful restart happened
-	state.MockRestarting(st, false)
+	state.MockRestarting(st, state.RestartUnset)
 	bootloader.BootVars["snap_mode"] = ""
 	bootloader.BootVars["snap_core"] = "core_x1.snap"
 
@@ -950,7 +1167,7 @@
 
 	brandAcct := assertstest.NewAccount(ms.storeSigning, "my-brand", map[string]interface{}{
 		"account-id":   "my-brand",
-		"verification": "certified",
+		"verification": "verified",
 	}, "")
 	brandAccKey := assertstest.NewAccountKey(ms.storeSigning, brandAcct, nil, brandPrivKey.PublicKey(), "")
 
@@ -996,11 +1213,24 @@
 	err = assertstate.Add(st, model)
 	c.Assert(err, IsNil)
 
-	ts, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "krnl"}, snapPath, "", snapstate.Flags{})
+	ts, _, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "krnl"}, snapPath, "", "", snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg := st.NewChange("install-snap", "...")
 	chg.AddAll(ts)
 
+	// run, this will trigger a wait for the restart
+	st.Unlock()
+	err = ms.o.Settle(settleTimeout)
+	st.Lock()
+	c.Assert(err, IsNil)
+
+	// we are in restarting state and the change is not done yet
+	restarting, _ := st.Restarting()
+	c.Check(restarting, Equals, true)
+	c.Check(chg.Status(), Equals, state.DoingStatus)
+	// pretend we restarted
+	state.MockRestarting(st, state.RestartUnset)
+
 	st.Unlock()
 	err = ms.o.Settle(settleTimeout)
 	st.Lock()
@@ -1024,11 +1254,11 @@
 	c.Assert(err, IsNil)
 
 	// store current state
-	snapName := info.Name()
+	snapName := info.InstanceName()
 	var snapst snapstate.SnapState
 	snapstate.Get(st, snapName, &snapst)
 
-	ts, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: snapName}, snapPath, "", snapstate.Flags{DevMode: true})
+	ts, _, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: snapName}, snapPath, "", "", snapstate.Flags{DevMode: true})
 	c.Assert(err, IsNil)
 	chg := st.NewChange("install-snap", "...")
 	chg.AddAll(ts)
@@ -1353,7 +1583,7 @@
 	ms.serveSnap(fooPath, "15")
 
 	// refresh all
-	updated, tss, err := snapstate.UpdateMany(context.TODO(), st, nil, 0)
+	updated, tss, err := snapstate.UpdateMany(context.TODO(), st, nil, 0, nil)
 	c.Assert(err, IsNil)
 	c.Assert(updated, DeepEquals, []string{"foo"})
 	c.Assert(tss, HasLen, 1)
@@ -1599,7 +1829,7 @@
 	err = assertstate.RefreshSnapDeclarations(st, 0)
 	c.Assert(err, IsNil)
 
-	updated, tss, err := snapstate.UpdateMany(context.TODO(), st, nil, 0)
+	updated, tss, err := snapstate.UpdateMany(context.TODO(), st, nil, 0, nil)
 	c.Assert(err, IsNil)
 	sort.Strings(updated)
 	c.Assert(updated, DeepEquals, []string{"bar", "foo"})
@@ -1741,6 +1971,8 @@
 
 	model  *asserts.Model
 	serial *asserts.Serial
+
+	restoreBackends func()
 }
 
 func (s *authContextSetupSuite) SetUpTest(c *C) {
@@ -1763,7 +1995,7 @@
 
 	brandAcct := assertstest.NewAccount(s.storeSigning, "my-brand", map[string]interface{}{
 		"account-id":   "my-brand",
-		"verification": "certified",
+		"verification": "verified",
 	}, "")
 	s.storeSigning.Add(brandAcct)
 
@@ -1798,8 +2030,11 @@
 	c.Assert(err, IsNil)
 	s.serial = serial.(*asserts.Serial)
 
+	s.restoreBackends = ifacestate.MockSecurityBackends(nil)
+
 	o, err := overlord.New()
 	c.Assert(err, IsNil)
+	o.InterfaceManager().DisableUDevMonitor()
 	s.o = o
 
 	st := o.State()
@@ -1815,6 +2050,7 @@
 
 func (s *authContextSetupSuite) TearDownTest(c *C) {
 	dirs.SetRootDir("")
+	s.restoreBackends()
 	s.restoreTrusted()
 }
 
@@ -1955,12 +2191,12 @@
 	st.Lock()
 	defer st.Unlock()
 
-	ts1, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: snapName1, SnapID: fakeSnapID(snapName1), Revision: snap.R(3)}, snapPath1, "", snapstate.Flags{DevMode: true})
+	ts1, _, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: snapName1, SnapID: fakeSnapID(snapName1), Revision: snap.R(3)}, snapPath1, "", "", snapstate.Flags{DevMode: true})
 	c.Assert(err, IsNil)
 	chg := st.NewChange("install-snap", "...")
 	chg.AddAll(ts1)
 
-	ts2, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: snapName2, SnapID: fakeSnapID(snapName2), Revision: snap.R(3)}, snapPath2, "", snapstate.Flags{DevMode: true})
+	ts2, _, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: snapName2, SnapID: fakeSnapID(snapName2), Revision: snap.R(3)}, snapPath2, "", "", snapstate.Flags{DevMode: true})
 	c.Assert(err, IsNil)
 
 	ts2.WaitAll(ts1)
@@ -1974,7 +2210,7 @@
 	c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("install-snap change failed with: %v", chg.Err()))
 
 	tasks := chg.Tasks()
-	connectTask := tasks[len(tasks)-3]
+	connectTask := tasks[len(tasks)-1]
 	c.Assert(connectTask.Kind(), Equals, "connect")
 
 	// verify connect task data
@@ -1996,7 +2232,7 @@
 	cn, err := repo.Connected("snap1", "shared-data-plug")
 	c.Assert(err, IsNil)
 	c.Assert(cn, HasLen, 1)
-	c.Assert(cn, DeepEquals, []interfaces.ConnRef{{
+	c.Assert(cn, DeepEquals, []*interfaces.ConnRef{{
 		PlugRef: interfaces.PlugRef{Snap: "snap1", Name: "shared-data-plug"},
 		SlotRef: interfaces.SlotRef{Snap: "snap2", Name: "shared-data-slot"},
 	}})
@@ -2024,7 +2260,7 @@
 
 	snapPath := makeTestSnap(c, snapYamlContent2+"version: 1.0")
 	chg2 := st.NewChange("install-snap", "...")
-	ts2, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "snap2", SnapID: fakeSnapID("snap2"), Revision: snap.R(3)}, snapPath, "", snapstate.Flags{DevMode: true})
+	ts2, _, err := snapstate.InstallPath(st, &snap.SideInfo{RealName: "snap2", SnapID: fakeSnapID("snap2"), Revision: snap.R(3)}, snapPath, "", "", snapstate.Flags{DevMode: true})
 	chg2.AddAll(ts2)
 	c.Assert(err, IsNil)
 
@@ -2036,3 +2272,501 @@
 	c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("remove-snap change failed with: %v", chg.Err()))
 	c.Assert(chg2.Status(), Equals, state.DoneStatus, Commentf("install-snap change failed with: %v", chg.Err()))
 }
+
+const otherSnapYaml = `name: other-snap
+version: 1.0
+apps:
+   baz:
+        command: bin/bar
+        plugs: [media-hub]
+`
+
+func (ms *mgrsSuite) TestUpdateManyWithAutoconnect(c *C) {
+	const someSnapYaml = `name: some-snap
+version: 1.0
+apps:
+   foo:
+        command: bin/bar
+        plugs: [network,home]
+        slots: [media-hub]
+`
+
+	const coreSnapYaml = `name: core
+type: os
+version: @VERSION@`
+
+	snapPath, _ := ms.makeStoreTestSnap(c, someSnapYaml, "40")
+	ms.serveSnap(snapPath, "40")
+
+	snapPath, _ = ms.makeStoreTestSnap(c, otherSnapYaml, "50")
+	ms.serveSnap(snapPath, "50")
+
+	corePath, _ := ms.makeStoreTestSnap(c, strings.Replace(coreSnapYaml, "@VERSION@", "30", -1), "30")
+	ms.serveSnap(corePath, "30")
+
+	mockServer := ms.mockStore(c)
+	defer mockServer.Close()
+
+	st := ms.o.State()
+	st.Lock()
+	defer st.Unlock()
+
+	st.Set("conns", map[string]interface{}{})
+
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: fakeSnapID("some-snap"), Revision: snap.R(1)}
+	snapInfo := snaptest.MockSnap(c, someSnapYaml, si)
+	c.Assert(snapInfo.Plugs, HasLen, 2)
+
+	oi := &snap.SideInfo{RealName: "other-snap", SnapID: fakeSnapID("other-snap"), Revision: snap.R(1)}
+	otherInfo := snaptest.MockSnap(c, otherSnapYaml, oi)
+	c.Assert(otherInfo.Plugs, HasLen, 1)
+
+	csi := &snap.SideInfo{RealName: "core", SnapID: fakeSnapID("core"), Revision: snap.R(1)}
+	coreInfo := snaptest.MockSnap(c, strings.Replace(coreSnapYaml, "@VERSION@", "1", -1), csi)
+
+	// add implicit slots
+	coreInfo.Slots["network"] = &snap.SlotInfo{
+		Name:      "network",
+		Snap:      coreInfo,
+		Interface: "network",
+	}
+	coreInfo.Slots["home"] = &snap.SlotInfo{
+		Name:      "home",
+		Snap:      coreInfo,
+		Interface: "home",
+	}
+
+	snapstate.Set(st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(st, "other-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{oi},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	repo := ms.o.InterfaceManager().Repository()
+
+	// add snaps to the repo to have plugs/slots
+	c.Assert(repo.AddSnap(snapInfo), IsNil)
+	c.Assert(repo.AddSnap(otherInfo), IsNil)
+	c.Assert(repo.AddSnap(coreInfo), IsNil)
+
+	// refresh all
+	err := assertstate.RefreshSnapDeclarations(st, 0)
+	c.Assert(err, IsNil)
+
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), st, []string{"core", "some-snap", "other-snap"}, 0, nil)
+	c.Assert(err, IsNil)
+	c.Check(updates, HasLen, 3)
+	c.Assert(tts, HasLen, 3)
+
+	// to make TaskSnapSetup work
+	chg := st.NewChange("refresh", "...")
+	for _, ts := range tts {
+		chg.AddAll(ts)
+	}
+
+	// force hold state to hit ignore status of findSymmetricAutoconnect
+	tts[2].Tasks()[0].SetStatus(state.HoldStatus)
+
+	st.Unlock()
+	err = ms.o.Settle(3 * time.Second)
+	st.Lock()
+	c.Assert(err, IsNil)
+
+	// simulate successful restart happened
+	state.MockRestarting(st, state.RestartUnset)
+	tts[2].Tasks()[0].SetStatus(state.DefaultStatus)
+	st.Unlock()
+
+	err = ms.o.Settle(settleTimeout)
+	st.Lock()
+
+	c.Assert(err, IsNil)
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+
+	// check connections
+	var conns map[string]interface{}
+	st.Get("conns", &conns)
+	c.Assert(conns, DeepEquals, map[string]interface{}{
+		"some-snap:home core:home":                 map[string]interface{}{"interface": "home", "auto": true},
+		"some-snap:network core:network":           map[string]interface{}{"interface": "network", "auto": true},
+		"other-snap:media-hub some-snap:media-hub": map[string]interface{}{"interface": "media-hub", "auto": true},
+	})
+
+	connections, err := repo.Connections("some-snap")
+	c.Assert(err, IsNil)
+	c.Assert(connections, HasLen, 3)
+}
+
+func (ms *mgrsSuite) TestUpdateWithAutoconnectAndInactiveRevisions(c *C) {
+	const someSnapYaml = `name: some-snap
+version: 1.0
+apps:
+   foo:
+        command: bin/bar
+        plugs: [network]
+`
+	const coreSnapYaml = `name: core
+type: os
+version: 1`
+
+	snapPath, _ := ms.makeStoreTestSnap(c, someSnapYaml, "40")
+	ms.serveSnap(snapPath, "40")
+
+	mockServer := ms.mockStore(c)
+	defer mockServer.Close()
+
+	st := ms.o.State()
+	st.Lock()
+	defer st.Unlock()
+
+	si1 := &snap.SideInfo{RealName: "some-snap", SnapID: fakeSnapID("some-snap"), Revision: snap.R(1)}
+	snapInfo := snaptest.MockSnap(c, someSnapYaml, si1)
+	c.Assert(snapInfo.Plugs, HasLen, 1)
+
+	csi := &snap.SideInfo{RealName: "core", SnapID: fakeSnapID("core"), Revision: snap.R(1)}
+	coreInfo := snaptest.MockSnap(c, coreSnapYaml, csi)
+
+	// add implicit slots
+	coreInfo.Slots["network"] = &snap.SlotInfo{
+		Name:      "network",
+		Snap:      coreInfo,
+		Interface: "network",
+	}
+
+	// some-snap has inactive revisions
+	si0 := &snap.SideInfo{RealName: "some-snap", SnapID: fakeSnapID("some-snap"), Revision: snap.R(0)}
+	si2 := &snap.SideInfo{RealName: "some-snap", SnapID: fakeSnapID("some-snap"), Revision: snap.R(2)}
+	snapstate.Set(st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si0, si1, si2},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	repo := ms.o.InterfaceManager().Repository()
+
+	// add snaps to the repo to have plugs/slots
+	c.Assert(repo.AddSnap(snapInfo), IsNil)
+	c.Assert(repo.AddSnap(coreInfo), IsNil)
+
+	// refresh all
+	err := assertstate.RefreshSnapDeclarations(st, 0)
+	c.Assert(err, IsNil)
+
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), st, []string{"some-snap"}, 0, nil)
+	c.Assert(err, IsNil)
+	c.Check(updates, HasLen, 1)
+	c.Assert(tts, HasLen, 1)
+
+	// to make TaskSnapSetup work
+	chg := st.NewChange("refresh", "...")
+	for _, ts := range tts {
+		chg.AddAll(ts)
+	}
+
+	st.Unlock()
+	err = ms.o.Settle(settleTimeout)
+	st.Lock()
+
+	c.Assert(err, IsNil)
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+
+	// check connections
+	var conns map[string]interface{}
+	st.Get("conns", &conns)
+	c.Assert(conns, DeepEquals, map[string]interface{}{
+		"some-snap:network core:network": map[string]interface{}{"interface": "network", "auto": true},
+	})
+}
+
+const someSnapYaml = `name: some-snap
+version: 1.0
+apps:
+   foo:
+        command: bin/bar
+        slots: [media-hub]
+`
+
+func (ms *mgrsSuite) testUpdateWithAutoconnectRetry(c *C, updateSnapName, removeSnapName string) {
+	snapPath, _ := ms.makeStoreTestSnap(c, someSnapYaml, "40")
+	ms.serveSnap(snapPath, "40")
+
+	snapPath, _ = ms.makeStoreTestSnap(c, otherSnapYaml, "50")
+	ms.serveSnap(snapPath, "50")
+
+	mockServer := ms.mockStore(c)
+	defer mockServer.Close()
+
+	st := ms.o.State()
+	st.Lock()
+	defer st.Unlock()
+
+	st.Set("conns", map[string]interface{}{})
+
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: fakeSnapID("some-snap"), Revision: snap.R(1)}
+	snapInfo := snaptest.MockSnap(c, someSnapYaml, si)
+	c.Assert(snapInfo.Slots, HasLen, 1)
+
+	oi := &snap.SideInfo{RealName: "other-snap", SnapID: fakeSnapID("other-snap"), Revision: snap.R(1)}
+	otherInfo := snaptest.MockSnap(c, otherSnapYaml, oi)
+	c.Assert(otherInfo.Plugs, HasLen, 1)
+
+	snapstate.Set(st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(st, "other-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{oi},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	repo := ms.o.InterfaceManager().Repository()
+
+	// add snaps to the repo to have plugs/slots
+	c.Assert(repo.AddSnap(snapInfo), IsNil)
+	c.Assert(repo.AddSnap(otherInfo), IsNil)
+
+	// refresh all
+	err := assertstate.RefreshSnapDeclarations(st, 0)
+	c.Assert(err, IsNil)
+
+	ts, err := snapstate.Update(st, updateSnapName, "stable", snap.R(0), 0, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+	// to make TaskSnapSetup work
+	chg := st.NewChange("refresh", "...")
+	chg.AddAll(ts)
+
+	// remove other-snap
+	ts2, err := snapstate.Remove(st, removeSnapName, snap.R(0))
+	c.Assert(err, IsNil)
+	chg2 := st.NewChange("remove-snap", "...")
+	chg2.AddAll(ts2)
+
+	// force hold state on first removal task to hit Retry error
+	ts2.Tasks()[0].SetStatus(state.HoldStatus)
+
+	// Settle is not converging here because of the task in Hold status, therefore
+	// it always hits given timeout before we carry on with the test. We're
+	// interested in hitting the retry condition on auto-connect task, so
+	// instead of passing a generous timeout to Settle(), repeat Settle() a number
+	// of times with an aggressive timeout and break as soon as we reach the desired
+	// state of auto-connect task.
+	var retryCheck bool
+	var autoconnectLog string
+	for i := 0; i < 50 && !retryCheck; i++ {
+		st.Unlock()
+		ms.o.Settle(aggressiveSettleTimeout)
+		st.Lock()
+
+		for _, t := range st.Tasks() {
+			if t.Kind() == "auto-connect" && t.Status() == state.DoingStatus && strings.Contains(strings.Join(t.Log(), ""), "Waiting") {
+				autoconnectLog = strings.Join(t.Log(), "")
+				retryCheck = true
+				break
+			}
+		}
+	}
+
+	c.Check(retryCheck, Equals, true)
+	c.Assert(autoconnectLog, Matches, `.*Waiting for conflicting change in progress: conflicting snap.*`)
+
+	// back to default state, that will unblock autoconnect
+	ts2.Tasks()[0].SetStatus(state.DefaultStatus)
+	st.Unlock()
+	err = ms.o.Settle(settleTimeout)
+	st.Lock()
+	c.Assert(err, IsNil)
+
+	c.Check(chg.Err(), IsNil)
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+
+	// check connections
+	var conns map[string]interface{}
+	st.Get("conns", &conns)
+	c.Assert(conns, HasLen, 0)
+}
+
+func (ms *mgrsSuite) TestUpdateWithAutoconnectRetrySlotSide(c *C) {
+	ms.testUpdateWithAutoconnectRetry(c, "some-snap", "other-snap")
+}
+
+func (ms *mgrsSuite) TestUpdateWithAutoconnectRetryPlugSide(c *C) {
+	ms.testUpdateWithAutoconnectRetry(c, "other-snap", "some-snap")
+}
+
+func (ms *mgrsSuite) TestDisconnectIgnoredOnSymmetricRemove(c *C) {
+	const someSnapYaml = `name: some-snap
+version: 1.0
+apps:
+   foo:
+        command: bin/bar
+        slots: [media-hub]
+hooks:
+   disconnect-slot-media-hub:
+`
+	const otherSnapYaml = `name: other-snap
+version: 1.0
+apps:
+   baz:
+        command: bin/bar
+        plugs: [media-hub]
+hooks:
+   disconnect-plug-media-hub:
+`
+	st := ms.o.State()
+	st.Lock()
+	defer st.Unlock()
+
+	st.Set("conns", map[string]interface{}{
+		"other-snap:media-hub some-snap:media-hub": map[string]interface{}{"interface": "media-hub", "auto": false},
+	})
+
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: fakeSnapID("some-snap"), Revision: snap.R(1)}
+	snapInfo := snaptest.MockSnap(c, someSnapYaml, si)
+	c.Assert(snapInfo.Slots, HasLen, 1)
+
+	oi := &snap.SideInfo{RealName: "other-snap", SnapID: fakeSnapID("other-snap"), Revision: snap.R(1)}
+	otherInfo := snaptest.MockSnap(c, otherSnapYaml, oi)
+	c.Assert(otherInfo.Plugs, HasLen, 1)
+
+	snapstate.Set(st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(st, "other-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{oi},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	repo := ms.o.InterfaceManager().Repository()
+
+	// add snaps to the repo to have plugs/slots
+	c.Assert(repo.AddSnap(snapInfo), IsNil)
+	c.Assert(repo.AddSnap(otherInfo), IsNil)
+	repo.Connect(&interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: "other-snap", Name: "media-hub"},
+		SlotRef: interfaces.SlotRef{Snap: "some-snap", Name: "media-hub"},
+	}, nil, nil, nil, nil, nil)
+
+	ts, err := snapstate.Remove(st, "some-snap", snap.R(0))
+	c.Assert(err, IsNil)
+	chg := st.NewChange("uninstall", "...")
+	chg.AddAll(ts)
+
+	// remove other-snap
+	ts2, err := snapstate.Remove(st, "other-snap", snap.R(0))
+	c.Assert(err, IsNil)
+	chg2 := st.NewChange("uninstall", "...")
+	chg2.AddAll(ts2)
+
+	st.Unlock()
+	err = ms.o.Settle(settleTimeout)
+	st.Lock()
+	c.Assert(err, IsNil)
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+
+	// check connections
+	var conns map[string]interface{}
+	st.Get("conns", &conns)
+	c.Assert(conns, HasLen, 0)
+
+	var disconnectInterfacesCount, slotHookCount, plugHookCount int
+	for _, t := range st.Tasks() {
+		if t.Kind() == "auto-disconnect" {
+			disconnectInterfacesCount++
+		}
+		if t.Kind() == "run-hook" {
+			var hsup hookstate.HookSetup
+			c.Assert(t.Get("hook-setup", &hsup), IsNil)
+			if hsup.Hook == "disconnect-plug-media-hub" {
+				plugHookCount++
+			}
+			if hsup.Hook == "disconnect-slot-media-hub" {
+				slotHookCount++
+			}
+		}
+	}
+	c.Assert(plugHookCount, Equals, 1)
+	c.Assert(slotHookCount, Equals, 1)
+	c.Assert(disconnectInterfacesCount, Equals, 2)
+
+	var snst snapstate.SnapState
+	err = snapstate.Get(st, "other-snap", &snst)
+	c.Assert(err, Equals, state.ErrNoState)
+	_, err = repo.Connected("other-snap", "media-hub")
+	c.Assert(err, ErrorMatches, `snap "other-snap" has no plug or slot named "media-hub"`)
+}
+
+func (ms *mgrsSuite) TestDisconnectOnUninstallRemovesAutoconnection(c *C) {
+	st := ms.o.State()
+	st.Lock()
+	defer st.Unlock()
+
+	st.Set("conns", map[string]interface{}{
+		"other-snap:media-hub some-snap:media-hub": map[string]interface{}{"interface": "media-hub", "auto": true},
+	})
+
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: fakeSnapID("some-snap"), Revision: snap.R(1)}
+	snapInfo := snaptest.MockSnap(c, someSnapYaml, si)
+
+	oi := &snap.SideInfo{RealName: "other-snap", SnapID: fakeSnapID("other-snap"), Revision: snap.R(1)}
+	otherInfo := snaptest.MockSnap(c, otherSnapYaml, oi)
+
+	snapstate.Set(st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(st, "other-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{oi},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	repo := ms.o.InterfaceManager().Repository()
+
+	// add snaps to the repo to have plugs/slots
+	c.Assert(repo.AddSnap(snapInfo), IsNil)
+	c.Assert(repo.AddSnap(otherInfo), IsNil)
+	repo.Connect(&interfaces.ConnRef{
+		PlugRef: interfaces.PlugRef{Snap: "other-snap", Name: "media-hub"},
+		SlotRef: interfaces.SlotRef{Snap: "some-snap", Name: "media-hub"},
+	}, nil, nil, nil, nil, nil)
+
+	ts, err := snapstate.Remove(st, "some-snap", snap.R(0))
+	c.Assert(err, IsNil)
+	chg := st.NewChange("uninstall", "...")
+	chg.AddAll(ts)
+
+	st.Unlock()
+	err = ms.o.Settle(settleTimeout)
+	st.Lock()
+	c.Assert(err, IsNil)
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+
+	// check connections; auto-connection should be removed completely from conns on uninstall.
+	var conns map[string]interface{}
+	st.Get("conns", &conns)
+	c.Assert(conns, HasLen, 0)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/overlord.go snapd-2.37~rc1~14.04/overlord/overlord.go
--- snapd-2.32.3.2~14.04/overlord/overlord.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/overlord.go	2019-01-16 08:36:51.000000000 +0000
@@ -37,10 +37,12 @@
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/cmdstate"
 	"github.com/snapcore/snapd/overlord/configstate"
+	"github.com/snapcore/snapd/overlord/configstate/proxyconf"
 	"github.com/snapcore/snapd/overlord/devicestate"
 	"github.com/snapcore/snapd/overlord/hookstate"
 	"github.com/snapcore/snapd/overlord/ifacestate"
 	"github.com/snapcore/snapd/overlord/patch"
+	"github.com/snapcore/snapd/overlord/snapshotstate"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/store"
@@ -69,17 +71,19 @@
 	ensureTimer *time.Timer
 	ensureNext  time.Time
 	pruneTicker *time.Ticker
+	numEnsure   uint64
 	// restarts
 	restartHandler func(t state.RestartType)
 	// managers
-	inited     bool
-	snapMgr    *snapstate.SnapManager
-	assertMgr  *assertstate.AssertManager
-	ifaceMgr   *ifacestate.InterfaceManager
-	hookMgr    *hookstate.HookManager
-	deviceMgr  *devicestate.DeviceManager
-	cmdMgr     *cmdstate.CommandManager
-	unknownMgr *UnknownTaskManager
+	inited    bool
+	runner    *state.TaskRunner
+	snapMgr   *snapstate.SnapManager
+	assertMgr *assertstate.AssertManager
+	ifaceMgr  *ifacestate.InterfaceManager
+	hookMgr   *hookstate.HookManager
+	deviceMgr *devicestate.DeviceManager
+	cmdMgr    *cmdstate.CommandManager
+	shotMgr   *snapshotstate.SnapshotManager
 }
 
 var storeNew = store.New
@@ -102,48 +106,60 @@
 	}
 
 	o.stateEng = NewStateEngine(s)
-	o.unknownMgr = NewUnknownTaskManager(s)
-	o.stateEng.AddManager(o.unknownMgr)
+	o.runner = state.NewTaskRunner(s)
 
-	hookMgr, err := hookstate.Manager(s)
+	// any unknown task should be ignored and succeed
+	matchAnyUnknownTask := func(_ *state.Task) bool {
+		return true
+	}
+	o.runner.AddOptionalHandler(matchAnyUnknownTask, handleUnknownTask, nil)
+
+	hookMgr, err := hookstate.Manager(s, o.runner)
 	if err != nil {
 		return nil, err
 	}
 	o.addManager(hookMgr)
 
-	snapMgr, err := snapstate.Manager(s)
+	snapMgr, err := snapstate.Manager(s, o.runner)
 	if err != nil {
 		return nil, err
 	}
 	o.addManager(snapMgr)
 
-	assertMgr, err := assertstate.Manager(s)
+	assertMgr, err := assertstate.Manager(s, o.runner)
 	if err != nil {
 		return nil, err
 	}
 	o.addManager(assertMgr)
 
-	ifaceMgr, err := ifacestate.Manager(s, hookMgr, nil, nil)
+	ifaceMgr, err := ifacestate.Manager(s, hookMgr, o.runner, nil, nil)
 	if err != nil {
 		return nil, err
 	}
 	o.addManager(ifaceMgr)
 
-	deviceMgr, err := devicestate.Manager(s, hookMgr)
+	deviceMgr, err := devicestate.Manager(s, hookMgr, o.runner)
 	if err != nil {
 		return nil, err
 	}
 	o.addManager(deviceMgr)
 
-	o.addManager(cmdstate.Manager(s))
+	o.addManager(cmdstate.Manager(s, o.runner))
+	o.addManager(snapshotstate.Manager(s, o.runner))
 
 	configstateInit(hookMgr)
 
+	// the shared task runner should be added last!
+	o.stateEng.AddManager(o.runner)
+
 	s.Lock()
 	defer s.Unlock()
 	// setting up the store
+	proxyConf := proxyconf.New(s)
 	authContext := auth.NewAuthContext(s, o.deviceMgr)
-	sto := storeNew(nil, authContext)
+	cfg := store.DefaultConfig()
+	cfg.Proxy = proxyConf.Conf
+	sto := storeNew(cfg, authContext)
 	sto.SetCacheDownloads(defaultCachedDownloads)
 
 	snapstate.ReplaceStore(s, sto)
@@ -169,9 +185,10 @@
 		o.deviceMgr = x
 	case *cmdstate.CommandManager:
 		o.cmdMgr = x
+	case *snapshotstate.SnapshotManager:
+		o.shotMgr = x
 	}
 	o.stateEng.AddManager(mgr)
-	o.unknownMgr.Ignore(mgr.KnownTaskKinds())
 }
 
 func loadState(backend state.Backend) (*state.State, error) {
@@ -260,6 +277,7 @@
 			// in case of errors engine logs them,
 			// continue to the next Ensure() try for now
 			o.stateEng.Ensure()
+			o.numEnsure++
 			select {
 			case <-o.loopTomb.Dying():
 				return nil
@@ -274,12 +292,16 @@
 	})
 }
 
+func (o *Overlord) CanStandby() bool {
+	return o.numEnsure > 0
+}
+
 // Stop stops the ensure loop and the managers under the StateEngine.
 func (o *Overlord) Stop() error {
 	o.loopTomb.Kill(nil)
-	err1 := o.loopTomb.Wait()
+	err := o.loopTomb.Wait()
 	o.stateEng.Stop()
-	return err1
+	return err
 }
 
 func (o *Overlord) settle(timeout time.Duration, beforeCleanups func()) error {
@@ -374,6 +396,17 @@
 	return o.stateEng.State()
 }
 
+// StateEngine returns the stage engine used by overlord.
+func (o *Overlord) StateEngine() *StateEngine {
+	return o.stateEng
+}
+
+// TaskRunner returns the shared task runner responsible for running
+// tasks for all managers under the overlord.
+func (o *Overlord) TaskRunner() *state.TaskRunner {
+	return o.runner
+}
+
 // SnapManager returns the snap manager responsible for snaps under
 // the overlord.
 func (o *Overlord) SnapManager() *snapstate.SnapManager {
@@ -410,10 +443,9 @@
 	return o.cmdMgr
 }
 
-// UnknownTaskManager returns the manager responsible for handling of
-// unknown tasks.
-func (o *Overlord) UnknownTaskManager() *UnknownTaskManager {
-	return o.unknownMgr
+// SnapshotManager returns the manager responsible for snapshots.
+func (o *Overlord) SnapshotManager() *snapshotstate.SnapshotManager {
+	return o.shotMgr
 }
 
 // Mock creates an Overlord without any managers and with a backend
@@ -423,9 +455,9 @@
 		loopTomb: new(tomb.Tomb),
 		inited:   false,
 	}
-	o.stateEng = NewStateEngine(state.New(mockBackend{o: o}))
-	o.unknownMgr = NewUnknownTaskManager(o.stateEng.State())
-	o.stateEng.AddManager(o.unknownMgr)
+	s := state.New(mockBackend{o: o})
+	o.stateEng = NewStateEngine(s)
+	o.runner = state.NewTaskRunner(s)
 
 	return o
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/overlord_test.go snapd-2.37~rc1~14.04/overlord/overlord_test.go
--- snapd-2.32.3.2~14.04/overlord/overlord_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/overlord_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -36,6 +36,7 @@
 	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/hookstate"
+	"github.com/snapcore/snapd/overlord/ifacestate"
 	"github.com/snapcore/snapd/overlord/patch"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
@@ -45,7 +46,9 @@
 
 func TestOverlord(t *testing.T) { TestingT(t) }
 
-type overlordSuite struct{}
+type overlordSuite struct {
+	restoreBackends func()
+}
 
 var _ = Suite(&overlordSuite{})
 
@@ -54,14 +57,16 @@
 	dirs.SetRootDir(tmpdir)
 	dirs.SnapStateFile = filepath.Join(tmpdir, "test.json")
 	snapstate.CanAutoRefresh = nil
+	ovs.restoreBackends = ifacestate.MockSecurityBackends(nil)
 }
 
 func (ovs *overlordSuite) TearDownTest(c *C) {
 	dirs.SetRootDir("/")
+	ovs.restoreBackends()
 }
 
 func (ovs *overlordSuite) TestNew(c *C) {
-	restore := patch.Mock(42, nil)
+	restore := patch.Mock(42, 2, nil)
 	defer restore()
 
 	var configstateInitCalled bool
@@ -73,23 +78,33 @@
 	c.Assert(err, IsNil)
 	c.Check(o, NotNil)
 
+	c.Check(o.StateEngine(), NotNil)
+	c.Check(o.TaskRunner(), NotNil)
 	c.Check(o.SnapManager(), NotNil)
 	c.Check(o.AssertManager(), NotNil)
 	c.Check(o.InterfaceManager(), NotNil)
 	c.Check(o.HookManager(), NotNil)
 	c.Check(o.DeviceManager(), NotNil)
 	c.Check(o.CommandManager(), NotNil)
+	c.Check(o.SnapshotManager(), NotNil)
 	c.Check(configstateInitCalled, Equals, true)
 
+	o.InterfaceManager().DisableUDevMonitor()
+
 	s := o.State()
 	c.Check(s, NotNil)
 	c.Check(o.Engine().State(), Equals, s)
 
 	s.Lock()
 	defer s.Unlock()
-	var patchLevel int
+	var patchLevel, patchSublevel int
 	s.Get("patch-level", &patchLevel)
 	c.Check(patchLevel, Equals, 42)
+	s.Get("patch-sublevel", &patchSublevel)
+	c.Check(patchSublevel, Equals, 2)
+	var refreshPrivacyKey string
+	s.Get("refresh-privacy-key", &refreshPrivacyKey)
+	c.Check(refreshPrivacyKey, HasLen, 16)
 
 	// store is setup
 	sto := snapstate.Store(s)
@@ -98,7 +113,7 @@
 }
 
 func (ovs *overlordSuite) TestNewWithGoodState(c *C) {
-	fakeState := []byte(fmt.Sprintf(`{"data":{"patch-level":%d,"some":"data"},"changes":null,"tasks":null,"last-change-id":0,"last-task-id":0,"last-lane-id":0}`, patch.Level))
+	fakeState := []byte(fmt.Sprintf(`{"data":{"patch-level":%d,"patch-sublevel":%d,"some":"data","refresh-privacy-key":"0123456789ABCDEF"},"changes":null,"tasks":null,"last-change-id":0,"last-task-id":0,"last-lane-id":0}`, patch.Level, patch.Sublevel))
 	err := ioutil.WriteFile(dirs.SnapStateFile, fakeState, 0600)
 	c.Assert(err, IsNil)
 
@@ -122,6 +137,24 @@
 	c.Check(got, DeepEquals, expected)
 }
 
+func (ovs *overlordSuite) TestNewWithStateSnapmgrUpdate(c *C) {
+	fakeState := []byte(fmt.Sprintf(`{"data":{"patch-level":%d,"some":"data"},"changes":null,"tasks":null,"last-change-id":0,"last-task-id":0,"last-lane-id":0}`, patch.Level))
+	err := ioutil.WriteFile(dirs.SnapStateFile, fakeState, 0600)
+	c.Assert(err, IsNil)
+
+	o, err := overlord.New()
+	c.Assert(err, IsNil)
+
+	state := o.State()
+	c.Assert(err, IsNil)
+	state.Lock()
+	defer state.Unlock()
+
+	var refreshPrivacyKey string
+	state.Get("refresh-privacy-key", &refreshPrivacyKey)
+	c.Check(refreshPrivacyKey, HasLen, 16)
+}
+
 func (ovs *overlordSuite) TestNewWithInvalidState(c *C) {
 	fakeState := []byte(``)
 	err := ioutil.WriteFile(dirs.SnapStateFile, fakeState, 0600)
@@ -136,9 +169,13 @@
 		s.Set("patched", true)
 		return nil
 	}
-	patch.Mock(1, map[int]func(*state.State) error{1: p})
+	sp := func(s *state.State) error {
+		s.Set("patched2", true)
+		return nil
+	}
+	patch.Mock(1, 1, map[int][]patch.PatchFunc{1: {p, sp}})
 
-	fakeState := []byte(fmt.Sprintf(`{"data":{"patch-level":0}}`))
+	fakeState := []byte(fmt.Sprintf(`{"data":{"patch-level":0, "patch-sublevel":0}}`))
 	err := ioutil.WriteFile(dirs.SnapStateFile, fakeState, 0600)
 	c.Assert(err, IsNil)
 
@@ -155,10 +192,17 @@
 	c.Assert(err, IsNil)
 	c.Check(level, Equals, 1)
 
+	var sublevel int
+	c.Assert(state.Get("patch-sublevel", &sublevel), IsNil)
+	c.Check(sublevel, Equals, 1)
+
 	var b bool
 	err = state.Get("patched", &b)
 	c.Assert(err, IsNil)
 	c.Check(b, Equals, true)
+
+	c.Assert(state.Get("patched2", &b), IsNil)
+	c.Check(b, Equals, true)
 }
 
 type witnessManager struct {
@@ -168,10 +212,6 @@
 	ensureCallback func(s *state.State) error
 }
 
-func (m *witnessManager) KnownTaskKinds() []string {
-	return []string{"foo"}
-}
-
 func (wm *witnessManager) Ensure() error {
 	if wm.expectedEnsure--; wm.expectedEnsure == 0 {
 		close(wm.ensureCalled)
@@ -183,12 +223,6 @@
 	return nil
 }
 
-func (wm *witnessManager) Stop() {
-}
-
-func (wm *witnessManager) Wait() {
-}
-
 // markSeeded flags the state under the overlord as seeded to avoid running the seeding code in these tests
 func markSeeded(o *overlord.Overlord) {
 	st := o.State()
@@ -216,6 +250,31 @@
 	c.Assert(err, IsNil)
 }
 
+func (ovs *overlordSuite) TestUnknownTasks(c *C) {
+	o, err := overlord.New()
+	c.Assert(err, IsNil)
+	o.InterfaceManager().DisableUDevMonitor()
+
+	markSeeded(o)
+	// make sure we don't try to talk to the store
+	snapstate.CanAutoRefresh = nil
+
+	// unknown tasks are ignored and succeed
+	st := o.State()
+	st.Lock()
+	defer st.Unlock()
+	t := st.NewTask("unknown", "...")
+	chg := st.NewChange("change-w-unknown", "...")
+	chg.AddTask(t)
+
+	st.Unlock()
+	err = o.Settle(1 * time.Second)
+	st.Lock()
+	c.Assert(err, IsNil)
+
+	c.Check(chg.Status(), Equals, state.DoneStatus)
+}
+
 func (ovs *overlordSuite) TestEnsureLoopRunAndStop(c *C) {
 	restoreIntv := overlord.MockEnsureInterval(10 * time.Millisecond)
 	defer restoreIntv()
@@ -427,7 +486,6 @@
 	restoreIntv := overlord.MockPruneInterval(100*time.Millisecond, 1000*time.Millisecond, 1*time.Hour)
 	defer restoreIntv()
 	o := overlord.Mock()
-	o.UnknownTaskManager().Ignore([]string{"foo"})
 
 	// create two changes, one that can be pruned now, one in progress
 	st := o.State()
@@ -485,52 +543,49 @@
 	c.Check(dirs.SnapStateFile, testutil.FileContains, `"mark":1`)
 }
 
-type runnerManager struct {
-	runner         *state.TaskRunner
+type sampleManager struct {
 	ensureCallback func()
 }
 
-func newRunnerManager(s *state.State) *runnerManager {
-	rm := &runnerManager{
-		runner: state.NewTaskRunner(s),
-	}
+func newSampleManager(s *state.State, runner *state.TaskRunner) *sampleManager {
+	sm := &sampleManager{}
 
-	rm.runner.AddHandler("runMgr1", func(t *state.Task, _ *tomb.Tomb) error {
+	runner.AddHandler("runMgr1", func(t *state.Task, _ *tomb.Tomb) error {
 		s := t.State()
 		s.Lock()
 		defer s.Unlock()
 		s.Set("runMgr1Mark", 1)
 		return nil
 	}, nil)
-	rm.runner.AddHandler("runMgr2", func(t *state.Task, _ *tomb.Tomb) error {
+	runner.AddHandler("runMgr2", func(t *state.Task, _ *tomb.Tomb) error {
 		s := t.State()
 		s.Lock()
 		defer s.Unlock()
 		s.Set("runMgr2Mark", 1)
 		return nil
 	}, nil)
-	rm.runner.AddHandler("runMgrEnsureBefore", func(t *state.Task, _ *tomb.Tomb) error {
+	runner.AddHandler("runMgrEnsureBefore", func(t *state.Task, _ *tomb.Tomb) error {
 		s := t.State()
 		s.Lock()
 		defer s.Unlock()
 		s.EnsureBefore(20 * time.Millisecond)
 		return nil
 	}, nil)
-	rm.runner.AddHandler("runMgrForever", func(t *state.Task, _ *tomb.Tomb) error {
+	runner.AddHandler("runMgrForever", func(t *state.Task, _ *tomb.Tomb) error {
 		s := t.State()
 		s.Lock()
 		defer s.Unlock()
 		s.EnsureBefore(20 * time.Millisecond)
 		return &state.Retry{}
 	}, nil)
-	rm.runner.AddHandler("runMgrWCleanup", func(t *state.Task, _ *tomb.Tomb) error {
+	runner.AddHandler("runMgrWCleanup", func(t *state.Task, _ *tomb.Tomb) error {
 		s := t.State()
 		s.Lock()
 		defer s.Unlock()
 		s.Set("runMgrWCleanupMark", 1)
 		return nil
 	}, nil)
-	rm.runner.AddCleanup("runMgrWCleanup", func(t *state.Task, _ *tomb.Tomb) error {
+	runner.AddCleanup("runMgrWCleanup", func(t *state.Task, _ *tomb.Tomb) error {
 		s := t.State()
 		s.Lock()
 		defer s.Unlock()
@@ -538,37 +593,25 @@
 		return nil
 	})
 
-	return rm
+	return sm
 }
 
-func (rm *runnerManager) KnownTaskKinds() []string {
-	return rm.runner.KnownTaskKinds()
-}
-
-func (rm *runnerManager) Ensure() error {
-	if rm.ensureCallback != nil {
-		rm.ensureCallback()
+func (sm *sampleManager) Ensure() error {
+	if sm.ensureCallback != nil {
+		sm.ensureCallback()
 	}
-	rm.runner.Ensure()
 	return nil
 }
 
-func (rm *runnerManager) Stop() {
-	rm.runner.Stop()
-}
-
-func (rm *runnerManager) Wait() {
-	rm.runner.Wait()
-}
-
 func (ovs *overlordSuite) TestTrivialSettle(c *C) {
 	restoreIntv := overlord.MockEnsureInterval(1 * time.Minute)
 	defer restoreIntv()
 	o := overlord.Mock()
 
 	s := o.State()
-	rm1 := newRunnerManager(s)
-	o.AddManager(rm1)
+	sm1 := newSampleManager(s, o.TaskRunner())
+	o.AddManager(sm1)
+	o.AddManager(o.TaskRunner())
 
 	defer o.Engine().Stop()
 
@@ -595,8 +638,9 @@
 	o := overlord.Mock()
 
 	s := o.State()
-	rm1 := newRunnerManager(s)
-	o.AddManager(rm1)
+	sm1 := newSampleManager(s, o.TaskRunner())
+	o.AddManager(sm1)
+	o.AddManager(o.TaskRunner())
 
 	defer o.Engine().Stop()
 
@@ -621,8 +665,9 @@
 	o := overlord.Mock()
 
 	s := o.State()
-	rm1 := newRunnerManager(s)
-	o.AddManager(rm1)
+	sm1 := newSampleManager(s, o.TaskRunner())
+	o.AddManager(sm1)
+	o.AddManager(o.TaskRunner())
 
 	defer o.Engine().Stop()
 
@@ -654,8 +699,9 @@
 	o := overlord.Mock()
 
 	s := o.State()
-	rm1 := newRunnerManager(s)
-	o.AddManager(rm1)
+	sm1 := newSampleManager(s, o.TaskRunner())
+	o.AddManager(sm1)
+	o.AddManager(o.TaskRunner())
 
 	defer o.Engine().Stop()
 
@@ -690,8 +736,8 @@
 	o := overlord.Mock()
 
 	s := o.State()
-	rm1 := newRunnerManager(s)
-	rm1.ensureCallback = func() {
+	sm1 := newSampleManager(s, o.TaskRunner())
+	sm1.ensureCallback = func() {
 		s.Lock()
 		defer s.Unlock()
 		v := 0
@@ -699,7 +745,8 @@
 		s.Set("ensureCount", v+1)
 	}
 
-	o.AddManager(rm1)
+	o.AddManager(sm1)
+	o.AddManager(o.TaskRunner())
 
 	defer o.Engine().Stop()
 
@@ -742,3 +789,29 @@
 
 	c.Check(restartRequested, Equals, true)
 }
+
+func (ovs *overlordSuite) TestOverlordCanStandby(c *C) {
+	restoreIntv := overlord.MockEnsureInterval(10 * time.Millisecond)
+	defer restoreIntv()
+	o := overlord.Mock()
+	witness := &witnessManager{
+		state:          o.State(),
+		expectedEnsure: 3,
+		ensureCalled:   make(chan struct{}),
+	}
+	o.AddManager(witness)
+
+	// can only standby after loop ran once
+	c.Assert(o.CanStandby(), Equals, false)
+
+	o.Loop()
+	defer o.Stop()
+
+	select {
+	case <-witness.ensureCalled:
+	case <-time.After(2 * time.Second):
+		c.Fatal("Ensure calls not happening")
+	}
+
+	c.Assert(o.CanStandby(), Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/export_test.go snapd-2.37~rc1~14.04/overlord/patch/export_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,7 @@
 )
 
 // PatchesForTest returns the registered set of patches for testing purposes.
-func PatchesForTest() map[int]func(*state.State) error {
+func PatchesForTest() map[int][]PatchFunc {
 	return patches
 }
 
@@ -37,10 +37,15 @@
 }
 
 // MockLevel replaces the current implemented patch level
-func MockLevel(lv int) (restorer func()) {
+func MockLevel(lv, sublvl int) (restorer func()) {
 	old := Level
 	Level = lv
-	return func() { Level = old }
+	oldSublvl := Sublevel
+	Sublevel = sublvl
+	return func() {
+		Level = old
+		Sublevel = oldSublvl
+	}
 }
 
 func Patch4TaskSnapSetup(task *state.Task) (*patch4SnapSetup, error) {
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch1.go snapd-2.37~rc1~14.04/overlord/patch/patch1.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch1.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch1.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,7 +29,7 @@
 )
 
 func init() {
-	patches[1] = patch1
+	patches[1] = []PatchFunc{patch1}
 }
 
 type patch1SideInfo struct {
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch1_test.go snapd-2.37~rc1~14.04/overlord/patch/patch1_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch1_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch1_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -107,7 +107,7 @@
 	c.Assert(err, IsNil)
 
 	// go from patch-level 0 to patch-level 1
-	restorer := patch.MockLevel(1)
+	restorer := patch.MockLevel(1, 1)
 	defer restorer()
 
 	err = patch.Apply(st)
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch2.go snapd-2.37~rc1~14.04/overlord/patch/patch2.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch2.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch2.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,7 @@
 )
 
 func init() {
-	patches[2] = patch2
+	patches[2] = []PatchFunc{patch2}
 }
 
 type patch2SideInfo struct {
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch2_test.go snapd-2.37~rc1~14.04/overlord/patch/patch2_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch2_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch2_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -124,7 +124,7 @@
 }
 
 func (s *patch2Suite) TestPatch2(c *C) {
-	restorer := patch.MockLevel(2)
+	restorer := patch.MockLevel(2, 1)
 	defer restorer()
 
 	r, err := os.Open(dirs.SnapStateFile)
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch3.go snapd-2.37~rc1~14.04/overlord/patch/patch3.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch3.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch3.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,14 +20,12 @@
 package patch
 
 import (
-	"fmt"
-
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/overlord/state"
 )
 
 func init() {
-	patches[3] = patch3
+	patches[3] = []PatchFunc{patch3}
 }
 
 // patch3:
@@ -41,7 +39,7 @@
 		}
 
 		if t.Kind() == "link-snap" {
-			startSnapServices := s.NewTask("start-snap-services", fmt.Sprintf(i18n.G("Start snap services")))
+			startSnapServices := s.NewTask("start-snap-services", i18n.G("Start snap services"))
 			startSnapServices.Set("snap-setup-task", t.ID())
 			startSnapServices.WaitFor(t)
 
@@ -50,7 +48,7 @@
 		}
 
 		if t.Kind() == "unlink-snap" || t.Kind() == "unlink-current-snap" {
-			stopSnapServices := s.NewTask("stop-snap-services", fmt.Sprintf(i18n.G("Stop snap services")))
+			stopSnapServices := s.NewTask("stop-snap-services", i18n.G("Stop snap services"))
 			stopSnapServices.Set("snap-setup-task", t.ID())
 			t.WaitFor(stopSnapServices)
 
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch3_test.go snapd-2.37~rc1~14.04/overlord/patch/patch3_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch3_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch3_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -107,7 +107,7 @@
 }
 
 func (s *patch3Suite) TestPatch3(c *C) {
-	restorer := patch.MockLevel(3)
+	restorer := patch.MockLevel(3, 1)
 	defer restorer()
 
 	r, err := os.Open(dirs.SnapStateFile)
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch4.go snapd-2.37~rc1~14.04/overlord/patch/patch4.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch4.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch4.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,7 +29,7 @@
 )
 
 func init() {
-	patches[4] = patch4
+	patches[4] = []PatchFunc{patch4}
 }
 
 type patch4Flags int
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch4_test.go snapd-2.37~rc1~14.04/overlord/patch/patch4_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch4_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch4_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -233,7 +233,7 @@
 }
 
 func (s *patch4Suite) TestPatch4OnReverts(c *C) {
-	restorer := patch.MockLevel(4)
+	restorer := patch.MockLevel(4, 1)
 	defer restorer()
 
 	r, err := os.Open(dirs.SnapStateFile)
@@ -287,7 +287,7 @@
 }
 
 func (s *patch4Suite) TestPatch4OnRevertsNoCandidateYet(c *C) {
-	restorer := patch.MockLevel(4)
+	restorer := patch.MockLevel(4, 1)
 	defer restorer()
 
 	r, err := os.Open(dirs.SnapStateFile)
@@ -340,7 +340,7 @@
 }
 
 func (s *patch4Suite) TestPatch4OnRefreshes(c *C) {
-	restorer := patch.MockLevel(4)
+	restorer := patch.MockLevel(4, 1)
 	defer restorer()
 
 	r, err := os.Open(dirs.SnapStateFile)
@@ -397,7 +397,7 @@
 // This test simulates a link-snap task that is scheduled but has not
 // run yet. It has no "had-candidate" data set yet.
 func (s *patch4Suite) TestPatch4OnRefreshesNoHadCandidateYet(c *C) {
-	restorer := patch.MockLevel(4)
+	restorer := patch.MockLevel(4, 1)
 	defer restorer()
 
 	r, err := os.Open(dirs.SnapStateFile)
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch5.go snapd-2.37~rc1~14.04/overlord/patch/patch5.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch5.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch5.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,7 +28,7 @@
 )
 
 func init() {
-	patches[5] = patch5
+	patches[5] = []PatchFunc{patch5}
 }
 
 type log struct{}
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch6_1.go snapd-2.37~rc1~14.04/overlord/patch/patch6_1.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch6_1.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch6_1.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,149 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package patch
+
+import (
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+)
+
+type connStatePatch6_1 struct {
+	Auto             bool                   `json:"auto,omitempty"`
+	ByGadget         bool                   `json:"by-gadget,omitempty"`
+	Interface        string                 `json:"interface,omitempty"`
+	Undesired        bool                   `json:"undesired,omitempty"`
+	StaticPlugAttrs  map[string]interface{} `json:"plug-static,omitempty"`
+	DynamicPlugAttrs map[string]interface{} `json:"plug-dynamic,omitempty"`
+	StaticSlotAttrs  map[string]interface{} `json:"slot-static,omitempty"`
+	DynamicSlotAttrs map[string]interface{} `json:"slot-dynamic,omitempty"`
+}
+
+// processConns updates conns map and augments it with plug-static and slot-static attributes from current snap info.
+// NOTE: missing snap or missing plugs/slots are ignored and not reported as errors as we might have stale connections
+// and ifacemgr deals with them (i.e. discards) on startup; we want to process all good slots and plugs here.
+func processConns(conns map[string]connStatePatch6_1, infos map[string]*snap.Info) (bool, error) {
+	var updated bool
+	for id, conn := range conns {
+		// static attributes already present
+		if len(conn.StaticPlugAttrs) > 0 || len(conn.StaticSlotAttrs) > 0 {
+			continue
+		}
+
+		// undesired connections have all their attributes dropped, so don't set them
+		if conn.Undesired {
+			continue
+		}
+
+		connRef, err := interfaces.ParseConnRef(id)
+		if err != nil {
+			return false, err
+		}
+
+		var ok bool
+		var plugSnapInfo, slotSnapInfo *snap.Info
+
+		// read current snap info from disk and keep it around in infos map
+		if plugSnapInfo, ok = infos[connRef.PlugRef.Snap]; !ok {
+			plugSnapInfo, err = snap.ReadCurrentInfo(connRef.PlugRef.Snap)
+			if err == nil {
+				infos[connRef.PlugRef.Snap] = plugSnapInfo
+			}
+		}
+		if slotSnapInfo, ok = infos[connRef.SlotRef.Snap]; !ok {
+			slotSnapInfo, err = snap.ReadCurrentInfo(connRef.SlotRef.Snap)
+			if err == nil {
+				infos[connRef.SlotRef.Snap] = slotSnapInfo
+			}
+		}
+
+		if slotSnapInfo != nil {
+			if slot, ok := slotSnapInfo.Slots[connRef.SlotRef.Name]; ok && slot.Attrs != nil {
+				conn.StaticSlotAttrs = slot.Attrs
+				updated = true
+			}
+		}
+
+		if plugSnapInfo != nil {
+			if plug, ok := plugSnapInfo.Plugs[connRef.PlugRef.Name]; ok && plug.Attrs != nil {
+				conn.StaticPlugAttrs = plug.Attrs
+				updated = true
+			}
+		}
+
+		conns[id] = conn
+	}
+
+	return updated, nil
+}
+
+// patch6_1:
+//  - add static plug and slot attributes to connections that miss them. Attributes are read from current snap info.
+func patch6_1(st *state.State) error {
+	infos := make(map[string]*snap.Info)
+
+	// update all pending "discard-conns" tasks as they may keep connection data in "removed".
+	for _, task := range st.Tasks() {
+		if task.Change().Status().Ready() {
+			continue
+		}
+
+		var removed map[string]connStatePatch6_1
+		if task.Kind() == "discard-conns" {
+			err := task.Get("removed", &removed)
+			if err == state.ErrNoState {
+				continue
+			}
+			if err != nil {
+				return err
+			}
+		}
+
+		updated, err := processConns(removed, infos)
+		if err != nil {
+			return err
+		}
+
+		if updated {
+			task.Set("removed", removed)
+		}
+	}
+
+	// update conns
+	var conns map[string]connStatePatch6_1
+	err := st.Get("conns", &conns)
+	if err == state.ErrNoState {
+		// no connections to process
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	updated, err := processConns(conns, infos)
+	if err != nil {
+		return err
+	}
+	if updated {
+		st.Set("conns", conns)
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch6_1_test.go snapd-2.37~rc1~14.04/overlord/patch/patch6_1_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch6_1_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch6_1_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,284 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package patch_test
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/overlord/patch"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+)
+
+type patch61Suite struct{}
+
+var _ = Suite(&patch61Suite{})
+
+var statePatch6_1JSON = []byte(`
+{
+	"last-task-id": 999,
+	"last-change-id": 99,
+
+	"data": {
+		"patch-level": 6,
+		"snaps": {
+			"core": {
+				"sequence": [{"name": "core", "revision": "2"}],
+        "flags": 1,
+				"current": "2"}
+			},
+	  "conns": {
+	    "gnome-calculator:icon-themes gtk-common-themes:icon-themes": {
+				"auto": true,
+				"interface": "content",
+				"plug-static": {
+					"content": "icon-themes",
+					"default-provider": "gtk-common-themes",
+					"target": "$SNAP/data-dir/icons"
+				},
+				"slot-static": {
+					"content": "icon-themes",
+					"source": {
+						"read": ["$SNAP/share/icons/Adwaita"]
+					}
+				}
+			},
+			"foobar:fooplug gtk-common-themes:icon-themes": {
+				"auto": true,
+				"interface": "content"
+			},
+			"gnome-calculator:network core:network": {
+				"auto": true,
+				"interface": "network"
+			},
+			"other-snap:icon-themes gtk-common-themes:icon-themes": {
+				"auto": true,
+				"interface": "content",
+				"undesired":true
+			}
+		}
+	},
+		"changes": {
+			"1": {
+				"id": "1",
+				"kind": "install-snap",
+				"summary": "install a snap",
+				"status": 0,
+				"data": {"snap-names": ["foobar"]},
+				"task-ids": ["11"]
+			}
+	},
+	"tasks": {
+		"11": {
+				"id": "11",
+				"change": "1",
+				"kind": "discard-conns",
+				"summary": "",
+				"status": 0,
+				"data": {"snap-setup": {
+								"channel": "edge",
+								"flags": 1
+				},
+				"removed": {
+				    "foobar:fooplug gtk-common-themes:icon-themes": {
+				      "auto": true,
+				      "interface": "content"
+				    }
+				}
+			},
+  		"halt-tasks": []
+    }
+	}
+}`)
+
+var mockSnap1Yaml = `
+name: gnome-calculator
+version: 3.28.2
+summary: GNOME Calculator
+grade: stable
+plugs:
+  icon-themes:
+    default-provider: gtk-common-themes
+    interface: content
+    target: $SNAP/data-dir/icons
+  sound-themes:
+    default-provider: gtk-common-themes
+    interface: content
+    target: $SNAP/data-dir/sounds
+slots:
+  gnome-calculator:
+    bus: session
+    interface: dbus
+    name: org.gnome.Calculator
+apps:
+  gnome-calculator:
+    command: command-gnome-calculator.wrapper
+`
+
+var mockSnap2Yaml = `
+name: foobar
+version: 1
+summary: FooBar snap
+plugs:
+  fooplug:
+    interface: content
+    target: $SNAP/foo-dir/icons
+slots:
+  fooslot:
+    bus: session
+    interface: dbus
+    name: org.gnome.Calculator
+apps:
+  foo:
+    command: bar
+`
+
+var mockSnap3Yaml = `
+name: gtk-common-themes
+version: 1
+summary: gtk common themes snap
+slots:
+  icon-themes:
+    bus: session
+    interface: dbus
+    name: org.gnome.Calculator
+apps:
+  foo:
+    command: bar
+`
+
+var mockSnap4Yaml = `
+name: other-snap
+version: 1.1
+plugs:
+  icon-themes:
+    default-provider: gtk-common-themes
+    interface: content
+    target: $SNAP/data-dir/icons
+apps:
+  foo:
+    command: bar
+`
+
+func (s *patch61Suite) SetUpTest(c *C) {
+	dirs.SetRootDir(c.MkDir())
+
+	err := os.MkdirAll(filepath.Dir(dirs.SnapStateFile), 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(dirs.SnapStateFile, statePatch6_1JSON, 0644)
+	c.Assert(err, IsNil)
+
+	snap.MockSanitizePlugsSlots(func(*snap.Info) {})
+
+	snaptest.MockSnapCurrent(c, mockSnap1Yaml, &snap.SideInfo{Revision: snap.R("x1")})
+	snaptest.MockSnapCurrent(c, mockSnap2Yaml, &snap.SideInfo{Revision: snap.R("x1")})
+	snaptest.MockSnapCurrent(c, mockSnap3Yaml, &snap.SideInfo{Revision: snap.R("x1")})
+	snaptest.MockSnapCurrent(c, mockSnap4Yaml, &snap.SideInfo{Revision: snap.R("x1")})
+}
+
+func (s *patch61Suite) TestPatch61(c *C) {
+	restore := patch.MockLevel(6, 1)
+	defer restore()
+
+	r, err := os.Open(dirs.SnapStateFile)
+	c.Assert(err, IsNil)
+	defer r.Close()
+	st, err := state.ReadState(nil, r)
+	c.Assert(err, IsNil)
+
+	// repeat the patch a few times to ensure it's idempotent
+	for i := 0; i < 3; i++ {
+		st.Lock()
+		sublevel := 0
+		st.Set("patch-sublevel", sublevel)
+		st.Unlock()
+
+		c.Assert(patch.Apply(st), IsNil)
+		st.Lock()
+
+		st.Get("patch-sublevel", &sublevel)
+		c.Assert(sublevel, Equals, 1)
+
+		var conns map[string]interface{}
+		c.Assert(st.Get("conns", &conns), IsNil)
+		c.Assert(conns, DeepEquals, map[string]interface{}{
+			"gnome-calculator:icon-themes gtk-common-themes:icon-themes": map[string]interface{}{
+				"auto":      true,
+				"interface": "content",
+				"plug-static": map[string]interface{}{
+					"content":          "icon-themes",
+					"default-provider": "gtk-common-themes",
+					"target":           "$SNAP/data-dir/icons",
+				},
+				"slot-static": map[string]interface{}{
+					"content": "icon-themes",
+					"source": map[string]interface{}{
+						"read": []interface{}{"$SNAP/share/icons/Adwaita"},
+					},
+				},
+			},
+			"foobar:fooplug gtk-common-themes:icon-themes": map[string]interface{}{
+				"auto":      true,
+				"interface": "content",
+				"plug-static": map[string]interface{}{
+					"target": "$SNAP/foo-dir/icons",
+				},
+				"slot-static": map[string]interface{}{
+					"bus":  "session",
+					"name": "org.gnome.Calculator",
+				},
+			},
+			"gnome-calculator:network core:network": map[string]interface{}{
+				"auto":      true,
+				"interface": "network",
+			},
+			"other-snap:icon-themes gtk-common-themes:icon-themes": map[string]interface{}{
+				"undesired": true,
+				"auto":      true,
+				"interface": "content",
+			},
+		})
+
+		var removed map[string]interface{}
+		task := st.Task("11")
+		c.Assert(task, NotNil)
+		c.Assert(task.Get("removed", &removed), IsNil)
+		c.Assert(removed, DeepEquals, map[string]interface{}{
+			"foobar:fooplug gtk-common-themes:icon-themes": map[string]interface{}{
+				"auto":      true,
+				"interface": "content",
+				"plug-static": map[string]interface{}{
+					"target": "$SNAP/foo-dir/icons",
+				},
+				"slot-static": map[string]interface{}{
+					"bus":  "session",
+					"name": "org.gnome.Calculator",
+				},
+			},
+		})
+		st.Unlock()
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch6.go snapd-2.37~rc1~14.04/overlord/patch/patch6.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch6.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch6.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,7 +25,7 @@
 )
 
 func init() {
-	patches[6] = patch6
+	patches[6] = []PatchFunc{patch6, patch6_1}
 }
 
 type patch6Flags struct {
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch6_test.go snapd-2.37~rc1~14.04/overlord/patch/patch6_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch6_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch6_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -137,7 +137,7 @@
 }
 
 func (s *patch6Suite) TestPatch6(c *C) {
-	restorer := patch.MockLevel(6)
+	restorer := patch.MockLevel(6, 1)
 	defer restorer()
 
 	r, err := os.Open(dirs.SnapStateFile)
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch.go snapd-2.37~rc1~14.04/overlord/patch/patch.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -20,17 +20,30 @@
 package patch
 
 import (
+	"encoding/json"
 	"fmt"
+	"os"
+	"path/filepath"
+	"time"
 
+	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
 )
 
 // Level is the current implemented patch level of the state format and content.
 var Level = 6
 
-// patches maps from patch level L to the function that moves from L-1 to L.
-var patches = make(map[int]func(s *state.State) error)
+// Sublevel is the current implemented sublevel for the Level.
+// Sublevel 0 is the first patch for the new Level, rollback below x.0 is not possible.
+// Sublevel patches > 0 do not prevent rollbacks.
+var Sublevel = 1
+
+type PatchFunc func(s *state.State) error
+
+// patches maps from patch level L to the list of sublevel patches.
+var patches = make(map[int][]PatchFunc)
 
 // Init initializes an empty state to the current implemented patch level.
 func Init(s *state.State) {
@@ -40,45 +53,191 @@
 		panic("internal error: expected empty state, attempting to override patch-level without actual patching")
 	}
 	s.Set("patch-level", Level)
+
+	if s.Get("patch-sublevel", new(int)) != state.ErrNoState {
+		panic("internal error: expected empty state, attempting to override patch-sublevel without actual patching")
+	}
+	s.Set("patch-sublevel", Sublevel)
+}
+
+// applySublevelPatches applies all sublevel patches for given level, starting
+// from firstSublevel index.
+func applySublevelPatches(level, firstSublevel int, s *state.State) error {
+	for sublevel := firstSublevel; sublevel < len(patches[level]); sublevel++ {
+		if sublevel > 0 {
+			logger.Noticef("Patching system state level %d to sublevel %d...", level, sublevel)
+		}
+		err := applyOne(patches[level][sublevel], s, level, sublevel)
+		if err != nil {
+			logger.Noticef("Cannot patch: %v", err)
+			return fmt.Errorf("cannot patch system state to level %d, sublevel %d: %v", level, sublevel, err)
+		}
+	}
+	return nil
+}
+
+type patchSnapState struct {
+	Sequence []*patchSideInfo `json:"sequence"`
+	Current  snap.Revision    `json:"current"`
+}
+
+type patchSideInfo struct {
+	Revision snap.Revision `json:"revision"`
+}
+
+// lastIndex returns the last index of the given revision in the
+// snapst.Sequence
+func (snapst *patchSnapState) lastIndex(revision snap.Revision) int {
+	for i := len(snapst.Sequence) - 1; i >= 0; i-- {
+		if snapst.Sequence[i].Revision == revision {
+			return i
+		}
+	}
+	return -1
+}
+
+// maybeResetSublevelForLevel60 checks if the previously installed core revision was a patch 6 sublevel 0
+// i.e. unaware of sublevels and the need for resetting sublevel state and if so, resets sublevel to 0
+// to re-apply sublevel patches.
+func maybeResetSublevelForLevel60(s *state.State, sublevel *int) error {
+	s.Lock()
+	defer s.Unlock()
+
+	var snaps map[string]*json.RawMessage
+	err := s.Get("snaps", &snaps)
+	if err == state.ErrNoState {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	raw, ok := snaps["core"]
+	if !ok {
+		// no core snap - nothing to do.
+		return nil
+	}
+
+	var snapst patchSnapState
+	if err := json.Unmarshal([]byte(*raw), &snapst); err != nil {
+		return fmt.Errorf("cannot unmarshal snap state: %v", err)
+	}
+
+	seqlen := len(snapst.Sequence)
+	if seqlen < 2 {
+		return nil
+	}
+	current := snapst.lastIndex(snapst.Current)
+	if current < 0 {
+		return fmt.Errorf("internal error: couldn't find current core revision in the snap sequence")
+	}
+
+	// check if core revision is for patch level 6.0.
+	// the revision number here is the highest rev number from candidate channels of all architectures;
+	// we check previous and next revision in the snap sequence to support refresh and revert cases.
+	var lvl60rev bool
+	if current > 0 && snapst.Sequence[current-1].Revision.N <= 5332 {
+		lvl60rev = true
+	}
+	if current < seqlen-1 && snapst.Sequence[current+1].Revision.N <= 5332 {
+		lvl60rev = true
+	}
+	if !lvl60rev {
+		return nil
+	}
+
+	var sublevelResetTime time.Time
+	lastRefresh, err := getCoreRefreshTime()
+	if err != nil {
+		return fmt.Errorf("cannot determine core refresh time: %s", err)
+	}
+
+	err = s.Get("patch-sublevel-reset", &sublevelResetTime)
+	if err != nil && err != state.ErrNoState {
+		return fmt.Errorf("cannot read patch-sublevel-reset: %s", err)
+	}
+	if !sublevelResetTime.Equal(lastRefresh) || err == state.ErrNoState {
+		*sublevel = 0
+		s.Set("patch-sublevel", *sublevel)
+		s.Set("patch-sublevel-reset", lastRefresh)
+	}
+
+	return nil
+}
+
+func getCoreRefreshTime() (time.Time, error) {
+	path := filepath.Join(dirs.SnapMountDir, "core", "current")
+	info, err := os.Lstat(path)
+	if err != nil {
+		return time.Time{}, err
+	}
+	return info.ModTime(), nil
 }
 
 // Apply applies any necessary patches to update the provided state to
 // conventions required by the current patch level of the system.
 func Apply(s *state.State) error {
-	var stateLevel int
+	var stateLevel, stateSublevel int
 	s.Lock()
 	err := s.Get("patch-level", &stateLevel)
+	if err == nil || err == state.ErrNoState {
+		err = s.Get("patch-sublevel", &stateSublevel)
+	}
 	s.Unlock()
+
 	if err != nil && err != state.ErrNoState {
 		return err
 	}
-	if stateLevel == Level {
-		// already at right level, nothing to do
-		return nil
-	}
+
 	if stateLevel > Level {
 		return fmt.Errorf("cannot downgrade: snapd is too old for the current system state (patch level %d)", stateLevel)
 	}
 
-	level := stateLevel
-	for level < Level {
-		logger.Noticef("Patching system state from level %d to %d", level, level+1)
-		patch := patches[level+1]
-		if patch == nil {
-			return fmt.Errorf("cannot upgrade: snapd is too new for the current system state (patch level %d)", level)
+	// check if we refreshed from 6.0 which was not aware of sublevels
+	if stateLevel == 6 && stateSublevel > 0 {
+		if err := maybeResetSublevelForLevel60(s, &stateSublevel); err != nil {
+			return err
 		}
-		err := applyOne(patch, s, level)
-		if err != nil {
-			logger.Noticef("Cannot patch: %v", err)
-			return fmt.Errorf("cannot patch system state from level %d to %d: %v", level, level+1, err)
+	}
+
+	if stateLevel == Level && stateSublevel == Sublevel {
+		return nil
+	}
+
+	// downgrade within same level; update sublevel in the state so that sublevel patches
+	// are re-applied if the user refreshes to a newer patch sublevel again.
+	if stateLevel == Level && stateSublevel > Sublevel {
+		s.Lock()
+		s.Set("patch-sublevel", Sublevel)
+		s.Unlock()
+		return nil
+	}
+
+	// apply any missing sublevel patches for current state level before upgrading to new levels.
+	// the 0th sublevel patch is a patch for major level update (e.g. 7.0),
+	// therefore there is +1 for the indices.
+	if stateSublevel+1 < len(patches[stateLevel]) {
+		if err := applySublevelPatches(stateLevel, stateSublevel+1, s); err != nil {
+			return err
+		}
+	}
+
+	// at the lower Level - apply all new level and sublevel patches
+	for level := stateLevel + 1; level <= Level; level++ {
+		sublevels := patches[level]
+		logger.Noticef("Patching system state from level %d to %d", level-1, level)
+		if sublevels == nil {
+			return fmt.Errorf("cannot upgrade: snapd is too new for the current system state (patch level %d)", level-1)
+		}
+		if err := applySublevelPatches(level, 0, s); err != nil {
+			return err
 		}
-		level++
 	}
 
 	return nil
 }
 
-func applyOne(patch func(s *state.State) error, s *state.State, level int) error {
+func applyOne(patch func(s *state.State) error, s *state.State, newLevel, newSublevel int) error {
 	s.Lock()
 	defer s.Unlock()
 
@@ -87,18 +246,24 @@
 		return err
 	}
 
-	s.Set("patch-level", level+1)
+	s.Set("patch-level", newLevel)
+	s.Set("patch-sublevel", newSublevel)
 	return nil
 }
 
 // Mock mocks the current patch level and available patches.
-func Mock(level int, p map[int]func(*state.State) error) (restore func()) {
+func Mock(level int, sublevel int, p map[int][]PatchFunc) (restore func()) {
 	oldLevel := Level
 	oldPatches := patches
 	Level = level
 	patches = p
+
+	oldSublevel := Sublevel
+	Sublevel = sublevel
+
 	return func() {
 		Level = oldLevel
 		patches = oldPatches
+		Sublevel = oldSublevel
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/patch/patch_test.go snapd-2.37~rc1~14.04/overlord/patch/patch_test.go
--- snapd-2.32.3.2~14.04/overlord/patch/patch_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/patch/patch_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,23 +21,40 @@
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
 	"sort"
 	"testing"
+	"time"
 
+	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/overlord/patch"
+	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
 
 	. "gopkg.in/check.v1"
 )
 
 func Test(t *testing.T) { TestingT(t) }
 
-type patchSuite struct{}
+type patchSuite struct {
+	restoreSanitize func()
+}
 
 var _ = Suite(&patchSuite{})
 
+func (s *patchSuite) SetUpTest(c *C) {
+	s.restoreSanitize = snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {})
+}
+
+func (s *patchSuite) TearDownTest(c *C) {
+	s.restoreSanitize()
+}
+
 func (s *patchSuite) TestInit(c *C) {
-	restore := patch.Mock(2, nil)
+	restore := patch.Mock(2, 1, nil)
 	defer restore()
 
 	st := state.New(nil)
@@ -49,10 +66,14 @@
 	err := st.Get("patch-level", &patchLevel)
 	c.Assert(err, IsNil)
 	c.Check(patchLevel, Equals, 2)
+
+	var patchSublevel int
+	c.Assert(st.Get("patch-sublevel", &patchSublevel), IsNil)
+	c.Check(patchSublevel, Equals, 1)
 }
 
 func (s *patchSuite) TestNothingToDo(c *C) {
-	restore := patch.Mock(2, nil)
+	restore := patch.Mock(2, 1, nil)
 	defer restore()
 
 	st := state.New(nil)
@@ -64,7 +85,7 @@
 }
 
 func (s *patchSuite) TestNoDowngrade(c *C) {
-	restore := patch.Mock(2, nil)
+	restore := patch.Mock(2, 0, nil)
 	defer restore()
 
 	st := state.New(nil)
@@ -82,15 +103,23 @@
 		st.Set("n", n+1)
 		return nil
 	}
+	p121 := func(st *state.State) error {
+		var o int
+		st.Get("o", &o)
+		st.Set("o", o+1)
+		return nil
+	}
 	p23 := func(st *state.State) error {
 		var n int
 		st.Get("n", &n)
 		st.Set("n", n*10)
 		return nil
 	}
-	restore := patch.Mock(3, map[int]func(*state.State) error{
-		2: p12,
-		3: p23,
+
+	// patch level 3, sublevel 1
+	restore := patch.Mock(3, 1, map[int][]patch.PatchFunc{
+		2: {p12, p121},
+		3: {p23},
 	})
 	defer restore()
 
@@ -109,15 +138,105 @@
 	c.Assert(err, IsNil)
 	c.Check(level, Equals, 3)
 
-	var n int
+	var sublevel int
+	c.Assert(st.Get("patch-sublevel", &sublevel), IsNil)
+	c.Check(sublevel, Equals, 0)
+
+	var n, o int
 	err = st.Get("n", &n)
 	c.Assert(err, IsNil)
 	c.Check(n, Equals, 10)
+
+	c.Assert(st.Get("o", &o), IsNil)
+	c.Assert(o, Equals, 1)
+}
+
+func (s *patchSuite) TestApplyLevel6(c *C) {
+	var sequence []int
+	p50 := generatePatchFunc(50, &sequence)
+	p60 := generatePatchFunc(60, &sequence)
+	p61 := generatePatchFunc(61, &sequence)
+
+	restore := patch.Mock(6, 1, map[int][]patch.PatchFunc{
+		5: {p50},
+		6: {p60, p61},
+	})
+	defer restore()
+
+	// simulate the special case where sublevel is introduced for system that's already on patch level 6.
+	// only p61 patch should be applied.
+	st := state.New(nil)
+	st.Lock()
+	st.Set("patch-level", 6)
+	st.Unlock()
+	c.Assert(patch.Apply(st), IsNil)
+
+	st.Lock()
+	defer st.Unlock()
+
+	var level, sublevel int
+	c.Assert(sequence, DeepEquals, []int{61})
+	c.Assert(st.Get("patch-level", &level), IsNil)
+	c.Assert(st.Get("patch-sublevel", &sublevel), IsNil)
+	c.Check(level, Equals, 6)
+	c.Check(sublevel, Equals, 1)
+}
+
+func (s *patchSuite) TestApplyFromSublevel(c *C) {
+	var sequence []int
+	p60 := generatePatchFunc(60, &sequence)
+	p61 := generatePatchFunc(61, &sequence)
+	p62 := generatePatchFunc(62, &sequence)
+	p70 := generatePatchFunc(70, &sequence)
+	p71 := generatePatchFunc(71, &sequence)
+
+	restore := patch.Mock(7, 1, map[int][]patch.PatchFunc{
+		6: {p60, p61, p62},
+		7: {p70, p71},
+	})
+	defer restore()
+
+	// we'll be patching from 6.0 -> 7.1
+	st := state.New(nil)
+	st.Lock()
+	st.Set("patch-level", 6)
+	st.Set("patch-sublevel", 0)
+	st.Unlock()
+	c.Assert(patch.Apply(st), IsNil)
+
+	st.Lock()
+
+	var level, sublevel int
+	c.Assert(st.Get("patch-level", &level), IsNil)
+	c.Assert(st.Get("patch-sublevel", &sublevel), IsNil)
+	c.Check(level, Equals, 7)
+	c.Check(sublevel, Equals, 1)
+	c.Assert(sequence, DeepEquals, []int{61, 62, 70, 71})
+
+	// now patching from 7.1 -> 7.2
+	sequence = []int{}
+	p72 := generatePatchFunc(72, &sequence)
+	patch.Mock(7, 2, map[int][]patch.PatchFunc{
+		6: {p60, p61, p62},
+		7: {p70, p71, p72},
+	})
+
+	st.Unlock()
+	c.Assert(patch.Apply(st), IsNil)
+	c.Assert(sequence, DeepEquals, []int{72})
+
+	st.Lock()
+	defer st.Unlock()
+
+	c.Assert(st.Get("patch-level", &level), IsNil)
+	c.Assert(st.Get("patch-sublevel", &sublevel), IsNil)
+	c.Check(level, Equals, 7)
+	c.Check(sublevel, Equals, 2)
 }
 
 func (s *patchSuite) TestMissing(c *C) {
-	restore := patch.Mock(3, map[int]func(*state.State) error{
-		3: func(s *state.State) error { return nil },
+	restore := patch.Mock(3, 0, map[int][]patch.PatchFunc{
+		3: {func(s *state.State) error { return nil }},
 	})
 	defer restore()
 
@@ -129,6 +248,30 @@
 	c.Assert(err, ErrorMatches, `cannot upgrade: snapd is too new for the current system state \(patch level 1\)`)
 }
 
+func (s *patchSuite) TestDowngradeSublevel(c *C) {
+	restore := patch.Mock(3, 1, map[int][]patch.PatchFunc{
+		3: {func(s *state.State) error { return nil }},
+	})
+	defer restore()
+
+	st := state.New(nil)
+	st.Lock()
+	st.Set("patch-level", 3)
+	st.Set("patch-sublevel", 6)
+	st.Unlock()
+
+	// we're at patch level 3, sublevel 6 according to state, but the implemented level is 3,1
+	c.Assert(patch.Apply(st), IsNil)
+
+	st.Lock()
+	defer st.Unlock()
+	var level, sublevel int
+	c.Assert(st.Get("patch-level", &level), IsNil)
+	c.Assert(st.Get("patch-sublevel", &sublevel), IsNil)
+	c.Check(level, Equals, 3)
+	c.Check(sublevel, Equals, 1)
+}
+
 func (s *patchSuite) TestError(c *C) {
 	p12 := func(st *state.State) error {
 		var n int
@@ -148,10 +291,10 @@
 		st.Set("n", n*100)
 		return nil
 	}
-	restore := patch.Mock(3, map[int]func(*state.State) error{
-		2: p12,
-		3: p23,
-		4: p34,
+	restore := patch.Mock(3, 0, map[int][]patch.PatchFunc{
+		2: {p12},
+		3: {p23},
+		4: {p34},
 	})
 	defer restore()
 
@@ -160,7 +303,7 @@
 	st.Set("patch-level", 1)
 	st.Unlock()
 	err := patch.Apply(st)
-	c.Assert(err, ErrorMatches, `cannot patch system state from level 2 to 3: boom`)
+	c.Assert(err, ErrorMatches, `cannot patch system state to level 3, sublevel 0: boom`)
 
 	st.Lock()
 	defer st.Unlock()
@@ -176,6 +319,119 @@
 	c.Check(n, Equals, 10)
 }
 
+const coreYaml = `name: core
+version: 1
+type: os
+`
+
+func (s *patchSuite) TestRefreshBackFromLevel60(c *C) {
+	var sequence []int
+
+	p60 := generatePatchFunc(60, &sequence)
+	p61 := generatePatchFunc(61, &sequence)
+	p62 := generatePatchFunc(62, &sequence)
+
+	currentPath := filepath.Join(dirs.SnapMountDir, "core", "current")
+	for _, coreRev := range []struct{ current, first, second int }{
+		{5500, 5142, 5500},
+		{5555, 5555, 5142},
+	} {
+		restore := patch.Mock(6, 2, map[int][]patch.PatchFunc{
+			6: {p60, p61, p62},
+		})
+		defer restore()
+
+		sequence = []int{}
+		st := state.New(nil)
+		st.Lock()
+
+		// simulate the situation where core was refreshed
+		// from a revision with patch level 6 that's not sublevel-aware back to 6.2.
+		st.Set("patch-level", 6)
+		st.Set("patch-sublevel", 2)
+
+		siCore1 := &snap.SideInfo{RealName: "core", Revision: snap.R(coreRev.first)}
+		siCore2 := &snap.SideInfo{RealName: "core", Revision: snap.R(coreRev.second)}
+		if coreRev.current == coreRev.first {
+			snaptest.MockSnapCurrent(c, coreYaml, siCore1)
+		} else {
+			snaptest.MockSnapCurrent(c, coreYaml, siCore2)
+		}
+
+		snapstate.Set(st, "core", &snapstate.SnapState{
+			SnapType: "os",
+			Active:   true,
+			Sequence: []*snap.SideInfo{siCore1, siCore2},
+			Current:  snap.R(coreRev.current),
+		})
+		pastTime := time.Now().Add(-23 * time.Hour)
+		c.Assert(os.Chtimes(currentPath, pastTime, pastTime), IsNil)
+		st.Unlock()
+
+		c.Assert(patch.Apply(st), IsNil)
+		c.Assert(sequence, DeepEquals, []int{61, 62})
+
+		// the patches shouldn't be applied again
+		sequence = []int{}
+		c.Assert(patch.Apply(st), IsNil)
+		c.Assert(sequence, HasLen, 0)
+
+		// new sublevel patch 6.3 gets implemented, and is applied
+		p63 := generatePatchFunc(63, &sequence)
+		patch.Mock(6, 3, map[int][]patch.PatchFunc{
+			6: {p60, p61, p62, p63},
+		})
+
+		c.Assert(patch.Apply(st), IsNil)
+		c.Assert(sequence, DeepEquals, []int{63})
+
+		os.Remove(currentPath)
+	}
+}
+
+func (s *patchSuite) TestRefreshBackFromLevel60ShortSequence(c *C) {
+	var sequence []int
+
+	p60 := generatePatchFunc(60, &sequence)
+	p61 := generatePatchFunc(61, &sequence)
+	p62 := generatePatchFunc(62, &sequence)
+
+	restore := patch.Mock(6, 2, map[int][]patch.PatchFunc{
+		6: {p60, p61, p62},
+	})
+
+	defer restore()
+
+	st := state.New(nil)
+	st.Lock()
+
+	// simulate the situation where core was refreshed
+	// from a revision with patch level 6 that's not sublevel-aware back to 6.2,
+	// but sequence for core is missing.
+	st.Set("patch-level", 6)
+	st.Set("patch-sublevel", 2)
+
+	siCore := &snap.SideInfo{RealName: "core", Revision: snap.R(5500)}
+	snapstate.Set(st, "core", &snapstate.SnapState{
+		SnapType: "os",
+		Active:   true,
+		Sequence: []*snap.SideInfo{siCore},
+		Current:  siCore.Revision,
+	})
+	st.Unlock()
+
+	c.Assert(patch.Apply(st), IsNil)
+	c.Assert(sequence, HasLen, 0)
+
+	st.Lock()
+	defer st.Unlock()
+	var level, sublevel int
+	c.Assert(st.Get("patch-level", &level), IsNil)
+	c.Assert(st.Get("patch-sublevel", &sublevel), IsNil)
+	c.Check(level, Equals, 6)
+	c.Check(sublevel, Equals, 2)
+}
+
 func (s *patchSuite) TestSanity(c *C) {
 	patches := patch.PatchesForTest()
 	levels := make([]int, 0, len(patches))
@@ -189,4 +445,14 @@
 	}
 	// ends at implemented patch level
 	c.Check(levels[len(levels)-1], Equals, patch.Level)
+
+	// Sublevel matches the number of patches for last Level.
+	c.Check(len(patches[patch.Level])-1, Equals, patch.Sublevel)
+}
+
+func generatePatchFunc(testValue int, sequence *[]int) patch.PatchFunc {
+	return func(st *state.State) error {
+		*sequence = append(*sequence, testValue)
+		return nil
+	}
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/servicestate/servicestate.go snapd-2.37~rc1~14.04/overlord/servicestate/servicestate.go
--- snapd-2.32.3.2~14.04/overlord/servicestate/servicestate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/servicestate/servicestate.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,6 +21,7 @@
 
 import (
 	"fmt"
+	"time"
 
 	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/overlord/cmdstate"
@@ -44,39 +45,41 @@
 // The appInfos and inst define the services and the command to execute.
 // Context is used to determine change conflicts - we will not conflict with
 // tasks from same change as that of context's.
-func Control(st *state.State, appInfos []*snap.AppInfo, inst *Instruction, context *hookstate.Context) (*state.TaskSet, error) {
-	// the argv to call systemctl will need at most one entry per appInfo,
-	// plus one for "systemctl", one for the action, and sometimes one for
-	// an option. That's a maximum of 3+len(appInfos).
-	argv := make([]string, 2, 3+len(appInfos))
-	argv[0] = "systemctl"
-
-	argv[1] = inst.Action
-	switch inst.Action {
-	case "start":
+func Control(st *state.State, appInfos []*snap.AppInfo, inst *Instruction, context *hookstate.Context) ([]*state.TaskSet, error) {
+	var tts []*state.TaskSet
+
+	var ctlcmds []string
+	switch {
+	case inst.Action == "start":
 		if inst.Enable {
-			argv[1] = "enable"
-			argv = append(argv, "--now")
+			ctlcmds = []string{"enable"}
 		}
-	case "stop":
+		ctlcmds = append(ctlcmds, "start")
+	case inst.Action == "stop":
 		if inst.Disable {
-			argv[1] = "disable"
-			argv = append(argv, "--now")
+			ctlcmds = []string{"disable"}
 		}
-	case "restart":
+		ctlcmds = append(ctlcmds, "stop")
+	case inst.Action == "restart":
 		if inst.Reload {
-			argv[1] = "reload-or-restart"
+			ctlcmds = []string{"reload-or-restart"}
+		} else {
+			ctlcmds = []string{"restart"}
 		}
 	default:
 		return nil, fmt.Errorf("unknown action %q", inst.Action)
 	}
 
+	st.Lock()
+	defer st.Unlock()
+
+	svcs := make([]string, 0, len(appInfos))
 	snapNames := make([]string, 0, len(appInfos))
 	lastName := ""
 	names := make([]string, len(appInfos))
 	for i, svc := range appInfos {
-		argv = append(argv, svc.ServiceName())
-		snapName := svc.Snap.Name()
+		svcs = append(svcs, svc.ServiceName())
+		snapName := svc.Snap.InstanceName()
 		names[i] = snapName + "." + svc.Name
 		if snapName != lastName {
 			snapNames = append(snapNames, snapName)
@@ -84,28 +87,35 @@
 		}
 	}
 
-	desc := fmt.Sprintf("%s of %v", inst.Action, names)
-
-	st.Lock()
-	defer st.Unlock()
-
-	var checkConflict func(otherTask *state.Task) bool
+	var ignoreChangeID string
 	if context != nil && !context.IsEphemeral() {
 		if task, ok := context.Task(); ok {
-			chg := task.Change()
-			checkConflict = func(otherTask *state.Task) bool {
-				if chg != nil && otherTask.Change() != nil {
-					// if same change, then return false (no conflict)
-					return chg.ID() != otherTask.Change().ID()
-				}
-				return true
+			if chg := task.Change(); chg != nil {
+				ignoreChangeID = chg.ID()
 			}
 		}
 	}
 
-	if err := snapstate.CheckChangeConflictMany(st, snapNames, checkConflict); err != nil {
+	if err := snapstate.CheckChangeConflictMany(st, snapNames, ignoreChangeID); err != nil {
 		return nil, &ServiceActionConflictError{err}
 	}
 
-	return cmdstate.Exec(st, desc, argv), nil
+	for _, cmd := range ctlcmds {
+		argv := append([]string{"systemctl", cmd}, svcs...)
+		desc := fmt.Sprintf("%s of %v", cmd, names)
+		// Give the systemctl a maximum time of 61 for now.
+		//
+		// Longer term we need to refactor this code and
+		// reuse the snapd/systemd and snapd/wrapper packages
+		// to control the timeout in a single place.
+		ts := cmdstate.ExecWithTimeout(st, desc, argv, 61*time.Second)
+		tts = append(tts, ts)
+	}
+
+	// make a taskset wait for its predecessor
+	for i := 1; i < len(tts); i++ {
+		tts[i].WaitAll(tts[i-1])
+	}
+
+	return tts, nil
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/backend.go snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/backend.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/backend.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,314 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend
+
+import (
+	"archive/zip"
+	"crypto"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"sort"
+	"time"
+
+	"golang.org/x/net/context"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
+)
+
+const (
+	archiveName  = "archive.tgz"
+	metadataName = "meta.json"
+	metaHashName = "meta.sha3_384"
+
+	userArchivePrefix = "user/"
+	userArchiveSuffix = ".tgz"
+)
+
+var (
+	// Stop is used to ask Iter to stop iteration, without it being an error.
+	Stop = errors.New("stop iteration")
+
+	osOpen      = os.Open
+	dirNames    = (*os.File).Readdirnames
+	backendOpen = Open
+)
+
+// Iter loops over all snapshots in the snapshots directory, applying the given
+// function to each. The snapshot will be closed after the function returns. If
+// the function returns an error, iteration is stopped (and if the error isn't
+// Stop, it's returned as the error of the iterator).
+func Iter(ctx context.Context, f func(*Reader) error) error {
+	if err := ctx.Err(); err != nil {
+		return err
+	}
+
+	dir, err := osOpen(dirs.SnapshotsDir)
+	if err != nil {
+		if osutil.IsDirNotExist(err) {
+			// no dir -> no snapshots
+			return nil
+		}
+		return fmt.Errorf("cannot open snapshots directory: %v", err)
+	}
+	defer dir.Close()
+
+	var names []string
+	var readErr error
+	for readErr == nil && err == nil {
+		names, readErr = dirNames(dir, 100)
+		// note os.Readdirnames can return a non-empty names and a non-nil err
+		for _, name := range names {
+			if err = ctx.Err(); err != nil {
+				break
+			}
+
+			filename := filepath.Join(dirs.SnapshotsDir, name)
+			reader, openError := backendOpen(filename)
+			// reader can be non-nil even when openError is not nil (in
+			// which case reader.Broken will have a reason). f can
+			// check and either ignore or return an error when
+			// finding a broken snapshot.
+			if reader != nil {
+				err = f(reader)
+			} else {
+				// TODO: use warnings instead
+				logger.Noticef("Cannot open snapshot %q: %v.", name, openError)
+			}
+			if openError == nil {
+				// if openError was nil the snapshot was opened and needs closing
+				if closeError := reader.Close(); err == nil {
+					err = closeError
+				}
+			}
+			if err != nil {
+				break
+			}
+		}
+	}
+
+	if readErr != nil && readErr != io.EOF {
+		return readErr
+	}
+
+	if err == Stop {
+		err = nil
+	}
+
+	return err
+}
+
+// List valid snapshots sets.
+func List(ctx context.Context, setID uint64, snapNames []string) ([]client.SnapshotSet, error) {
+	setshots := map[uint64][]*client.Snapshot{}
+	err := Iter(ctx, func(reader *Reader) error {
+		if setID == 0 || reader.SetID == setID {
+			if len(snapNames) == 0 || strutil.ListContains(snapNames, reader.Snap) {
+				setshots[reader.SetID] = append(setshots[reader.SetID], &reader.Snapshot)
+			}
+		}
+		return nil
+	})
+
+	sets := make([]client.SnapshotSet, 0, len(setshots))
+	for id, shots := range setshots {
+		sort.Sort(bySnap(shots))
+		sets = append(sets, client.SnapshotSet{ID: id, Snapshots: shots})
+	}
+
+	sort.Sort(byID(sets))
+
+	return sets, err
+}
+
+// Filename of the given client.Snapshot in this backend.
+func Filename(snapshot *client.Snapshot) string {
+	// this _needs_ the snap name and version to be valid
+	return filepath.Join(dirs.SnapshotsDir, fmt.Sprintf("%d_%s_%s_%s.zip", snapshot.SetID, snapshot.Snap, snapshot.Version, snapshot.Revision))
+}
+
+// Save a snapshot
+func Save(ctx context.Context, id uint64, si *snap.Info, cfg map[string]interface{}, usernames []string) (*client.Snapshot, error) {
+	if err := os.MkdirAll(dirs.SnapshotsDir, 0700); err != nil {
+		return nil, err
+	}
+
+	snapshot := &client.Snapshot{
+		SetID:    id,
+		Snap:     si.InstanceName(),
+		SnapID:   si.SnapID,
+		Revision: si.Revision,
+		Version:  si.Version,
+		Epoch:    si.Epoch,
+		Time:     time.Now(),
+		SHA3_384: make(map[string]string),
+		Size:     0,
+		Conf:     cfg,
+	}
+
+	aw, err := osutil.NewAtomicFile(Filename(snapshot), 0600, 0, osutil.NoChown, osutil.NoChown)
+	if err != nil {
+		return nil, err
+	}
+	// if things worked, we'll commit (and Cancel becomes a NOP)
+	defer aw.Cancel()
+
+	w := zip.NewWriter(aw)
+	defer w.Close() // note this does not close the file descriptor (that's done by hand on the atomic writer, above)
+	if err := addDirToZip(ctx, snapshot, w, "root", archiveName, si.DataDir()); err != nil {
+		return nil, err
+	}
+
+	users, err := usersForUsernames(usernames)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, usr := range users {
+		if err := addDirToZip(ctx, snapshot, w, usr.Username, userArchiveName(usr), si.UserDataDir(usr.HomeDir)); err != nil {
+			return nil, err
+		}
+	}
+
+	metaWriter, err := w.Create(metadataName)
+	if err != nil {
+		return nil, err
+	}
+
+	hasher := crypto.SHA3_384.New()
+	enc := json.NewEncoder(io.MultiWriter(metaWriter, hasher))
+	if err := enc.Encode(snapshot); err != nil {
+		return nil, err
+	}
+
+	hashWriter, err := w.Create(metaHashName)
+	if err != nil {
+		return nil, err
+	}
+	fmt.Fprintf(hashWriter, "%x\n", hasher.Sum(nil))
+	if err := w.Close(); err != nil {
+		return nil, err
+	}
+
+	if err := ctx.Err(); err != nil {
+		return nil, err
+	}
+
+	if err := aw.Commit(); err != nil {
+		return nil, err
+	}
+
+	return snapshot, nil
+}
+
+var isTesting = osutil.GetenvBool("SNAPPY_TESTING")
+
+func addDirToZip(ctx context.Context, snapshot *client.Snapshot, w *zip.Writer, username string, entry, dir string) error {
+	parent, revdir := filepath.Split(dir)
+	exists, isDir, err := osutil.DirExists(parent)
+	if err != nil {
+		return err
+	}
+	if exists && !isDir {
+		logger.Noticef("Not saving directories under %q in snapshot #%d of %q as it is not a directory.", parent, snapshot.SetID, snapshot.Snap)
+		return nil
+	}
+	if !exists {
+		logger.Debugf("Not saving directories under %q in snapshot #%d of %q as it is does not exist.", parent, snapshot.SetID, snapshot.Snap)
+		return nil
+	}
+	tarArgs := []string{
+		"--create",
+		"--sparse", "--gzip",
+		"--directory", parent,
+	}
+
+	noRev, noCommon := true, true
+
+	exists, isDir, err = osutil.DirExists(dir)
+	if err != nil {
+		return err
+	}
+	switch {
+	case exists && isDir:
+		tarArgs = append(tarArgs, revdir)
+		noRev = false
+	case exists && !isDir:
+		logger.Noticef("Not saving %q in snapshot #%d of %q as it is not a directory.", dir, snapshot.SetID, snapshot.Snap)
+	case !exists:
+		logger.Debugf("Not saving %q in snapshot #%d of %q as it is does not exist.", dir, snapshot.SetID, snapshot.Snap)
+	}
+
+	common := filepath.Join(parent, "common")
+	exists, isDir, err = osutil.DirExists(common)
+	if err != nil {
+		return err
+	}
+	switch {
+	case exists && isDir:
+		tarArgs = append(tarArgs, "common")
+		noCommon = false
+	case exists && !isDir:
+		logger.Noticef("Not saving %q in snapshot #%d of %q as it is not a directory.", common, snapshot.SetID, snapshot.Snap)
+	case !exists:
+		logger.Debugf("Not saving %q in snapshot #%d of %q as it is does not exist.", common, snapshot.SetID, snapshot.Snap)
+	}
+
+	if noCommon && noRev {
+		return nil
+	}
+
+	archiveWriter, err := w.CreateHeader(&zip.FileHeader{Name: entry})
+	if err != nil {
+		return err
+	}
+
+	var sz sizer
+	hasher := crypto.SHA3_384.New()
+
+	cmd := tarAsUser(username, tarArgs...)
+	cmd.Stdout = io.MultiWriter(archiveWriter, hasher, &sz)
+	matchCounter := &strutil.MatchCounter{N: 1}
+	cmd.Stderr = matchCounter
+	if isTesting {
+		matchCounter.N = -1
+		cmd.Stderr = io.MultiWriter(os.Stderr, matchCounter)
+	}
+	if err := osutil.RunWithContext(ctx, cmd); err != nil {
+		matches, count := matchCounter.Matches()
+		if count > 0 {
+			return fmt.Errorf("cannot create archive: %s (and %d more)", matches[0], count-1)
+		}
+		return fmt.Errorf("tar failed: %v", err)
+	}
+
+	snapshot.SHA3_384[entry] = fmt.Sprintf("%x", hasher.Sum(nil))
+	snapshot.Size += sz.size
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/backend_test.go snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/backend_test.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/backend_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,714 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend_test
+
+import (
+	"archive/zip"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"sort"
+	"strings"
+	"testing"
+
+	"golang.org/x/net/context"
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil/sys"
+	"github.com/snapcore/snapd/overlord/snapshotstate/backend"
+	"github.com/snapcore/snapd/snap"
+)
+
+type snapshotSuite struct {
+	root      string
+	restore   []func()
+	tarPath   string
+	isTesting bool
+}
+
+// silly wrappers to get better failure messages
+type isTestingSuite struct{ snapshotSuite }
+type noTestingSuite struct{ snapshotSuite }
+
+var _ = check.Suite(&isTestingSuite{snapshotSuite{isTesting: true}})
+var _ = check.Suite(&noTestingSuite{snapshotSuite{isTesting: false}})
+
+// tie gocheck into testing
+func TestSnapshot(t *testing.T) { check.TestingT(t) }
+
+type tableT struct {
+	dir     string
+	name    string
+	content string
+}
+
+func table(si snap.PlaceInfo, homeDir string) []tableT {
+	return []tableT{
+		{
+			dir:     si.DataDir(),
+			name:    "foo",
+			content: "versioned system canary\n",
+		}, {
+			dir:     si.CommonDataDir(),
+			name:    "bar",
+			content: "common system canary\n",
+		}, {
+			dir:     si.UserDataDir(homeDir),
+			name:    "ufoo",
+			content: "versioned user canary\n",
+		}, {
+			dir:     si.UserCommonDataDir(homeDir),
+			name:    "ubar",
+			content: "common user canary\n",
+		},
+	}
+}
+
+func (s *snapshotSuite) SetUpTest(c *check.C) {
+	s.root = c.MkDir()
+
+	dirs.SetRootDir(s.root)
+
+	si := snap.MinimalPlaceInfo("hello-snap", snap.R(42))
+
+	for _, t := range table(si, filepath.Join(dirs.GlobalRootDir, "home/snapuser")) {
+		c.Check(os.MkdirAll(t.dir, 0755), check.IsNil)
+		c.Check(ioutil.WriteFile(filepath.Join(t.dir, t.name), []byte(t.content), 0644), check.IsNil)
+	}
+
+	cur, err := user.Current()
+	c.Assert(err, check.IsNil)
+
+	s.restore = append(s.restore, backend.MockUserLookup(func(username string) (*user.User, error) {
+		if username != "snapuser" {
+			return nil, user.UnknownUserError(username)
+		}
+		rv := *cur
+		rv.Username = username
+		rv.HomeDir = filepath.Join(dirs.GlobalRootDir, "home/snapuser")
+		return &rv, nil
+	}),
+		backend.MockIsTesting(s.isTesting),
+	)
+
+	s.tarPath, err = exec.LookPath("tar")
+	c.Assert(err, check.IsNil)
+}
+
+func (s *snapshotSuite) TearDownTest(c *check.C) {
+	dirs.SetRootDir("")
+	for _, restore := range s.restore {
+		restore()
+	}
+}
+
+func hashkeys(snapshot *client.Snapshot) (keys []string) {
+	for k := range snapshot.SHA3_384 {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	return keys
+}
+
+func (s *snapshotSuite) TestIterBailsIfContextDone(c *check.C) {
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+	triedToOpenDir := false
+	defer backend.MockOsOpen(func(string) (*os.File, error) {
+		triedToOpenDir = true
+		return nil, nil // deal with it
+	})()
+
+	err := backend.Iter(ctx, nil)
+	c.Check(err, check.Equals, context.Canceled)
+	c.Check(triedToOpenDir, check.Equals, false)
+}
+
+func (s *snapshotSuite) TestIterBailsIfContextDoneMidway(c *check.C) {
+	ctx, cancel := context.WithCancel(context.Background())
+	triedToOpenDir := false
+	defer backend.MockOsOpen(func(string) (*os.File, error) {
+		triedToOpenDir = true
+		return os.Open(os.DevNull)
+	})()
+	readNames := 0
+	defer backend.MockDirNames(func(*os.File, int) ([]string, error) {
+		readNames++
+		cancel()
+		return []string{"hello"}, nil
+	})()
+	triedToOpenSnapshot := false
+	defer backend.MockOpen(func(string) (*backend.Reader, error) {
+		triedToOpenSnapshot = true
+		return nil, nil
+	})()
+
+	err := backend.Iter(ctx, nil)
+	c.Check(err, check.Equals, context.Canceled)
+	c.Check(triedToOpenDir, check.Equals, true)
+	// bails as soon as
+	c.Check(readNames, check.Equals, 1)
+	c.Check(triedToOpenSnapshot, check.Equals, false)
+}
+
+func (s *snapshotSuite) TestIterReturnsOkIfSnapshotsDirNonexistent(c *check.C) {
+	triedToOpenDir := false
+	defer backend.MockOsOpen(func(string) (*os.File, error) {
+		triedToOpenDir = true
+		return nil, os.ErrNotExist
+	})()
+
+	err := backend.Iter(context.Background(), nil)
+	c.Check(err, check.IsNil)
+	c.Check(triedToOpenDir, check.Equals, true)
+}
+
+func (s *snapshotSuite) TestIterBailsIfSnapshotsDirFails(c *check.C) {
+	triedToOpenDir := false
+	defer backend.MockOsOpen(func(string) (*os.File, error) {
+		triedToOpenDir = true
+		return nil, os.ErrInvalid
+	})()
+
+	err := backend.Iter(context.Background(), nil)
+	c.Check(err, check.ErrorMatches, "cannot open snapshots directory: invalid argument")
+	c.Check(triedToOpenDir, check.Equals, true)
+}
+
+func (s *snapshotSuite) TestIterWarnsOnOpenErrorIfSnapshotNil(c *check.C) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+	triedToOpenDir := false
+	defer backend.MockOsOpen(func(string) (*os.File, error) {
+		triedToOpenDir = true
+		return new(os.File), nil
+	})()
+	readNames := 0
+	defer backend.MockDirNames(func(*os.File, int) ([]string, error) {
+		readNames++
+		if readNames > 1 {
+			return nil, io.EOF
+		}
+		return []string{"hello"}, nil
+	})()
+	triedToOpenSnapshot := false
+	defer backend.MockOpen(func(string) (*backend.Reader, error) {
+		triedToOpenSnapshot = true
+		return nil, os.ErrInvalid
+	})()
+
+	calledF := false
+	f := func(snapshot *backend.Reader) error {
+		calledF = true
+		return nil
+	}
+
+	err := backend.Iter(context.Background(), f)
+	// snapshot open errors are not failures:
+	c.Check(err, check.IsNil)
+	c.Check(triedToOpenDir, check.Equals, true)
+	c.Check(readNames, check.Equals, 2)
+	c.Check(triedToOpenSnapshot, check.Equals, true)
+	c.Check(logbuf.String(), check.Matches, `(?m).* Cannot open snapshot "hello": invalid argument.`)
+	c.Check(calledF, check.Equals, false)
+}
+
+func (s *snapshotSuite) TestIterCallsFuncIfSnapshotNotNil(c *check.C) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+	triedToOpenDir := false
+	defer backend.MockOsOpen(func(string) (*os.File, error) {
+		triedToOpenDir = true
+		return new(os.File), nil
+	})()
+	readNames := 0
+	defer backend.MockDirNames(func(*os.File, int) ([]string, error) {
+		readNames++
+		if readNames > 1 {
+			return nil, io.EOF
+		}
+		return []string{"hello"}, nil
+	})()
+	triedToOpenSnapshot := false
+	defer backend.MockOpen(func(string) (*backend.Reader, error) {
+		triedToOpenSnapshot = true
+		// NOTE non-nil reader, and error, returned
+		r := backend.Reader{}
+		r.Broken = "xyzzy"
+		return &r, os.ErrInvalid
+	})()
+
+	calledF := false
+	f := func(snapshot *backend.Reader) error {
+		c.Check(snapshot.Broken, check.Equals, "xyzzy")
+		calledF = true
+		return nil
+	}
+
+	err := backend.Iter(context.Background(), f)
+	// snapshot open errors are not failures:
+	c.Check(err, check.IsNil)
+	c.Check(triedToOpenDir, check.Equals, true)
+	c.Check(readNames, check.Equals, 2)
+	c.Check(triedToOpenSnapshot, check.Equals, true)
+	c.Check(logbuf.String(), check.Equals, "")
+	c.Check(calledF, check.Equals, true)
+}
+
+func (s *snapshotSuite) TestIterReportsCloseError(c *check.C) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+	triedToOpenDir := false
+	defer backend.MockOsOpen(func(string) (*os.File, error) {
+		triedToOpenDir = true
+		return new(os.File), nil
+	})()
+	readNames := 0
+	defer backend.MockDirNames(func(*os.File, int) ([]string, error) {
+		readNames++
+		if readNames > 1 {
+			return nil, io.EOF
+		}
+		return []string{"hello"}, nil
+	})()
+	triedToOpenSnapshot := false
+	defer backend.MockOpen(func(string) (*backend.Reader, error) {
+		triedToOpenSnapshot = true
+		r := backend.Reader{}
+		r.SetID = 42
+		return &r, nil
+	})()
+
+	calledF := false
+	f := func(snapshot *backend.Reader) error {
+		c.Check(snapshot.SetID, check.Equals, uint64(42))
+		calledF = true
+		return nil
+	}
+
+	err := backend.Iter(context.Background(), f)
+	// snapshot close errors _are_ failures (because they're completely unexpected):
+	c.Check(err, check.Equals, os.ErrInvalid)
+	c.Check(triedToOpenDir, check.Equals, true)
+	c.Check(readNames, check.Equals, 1) // never gets to read another one
+	c.Check(triedToOpenSnapshot, check.Equals, true)
+	c.Check(logbuf.String(), check.Equals, "")
+	c.Check(calledF, check.Equals, true)
+}
+
+func (s *snapshotSuite) TestList(c *check.C) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+	defer backend.MockOsOpen(func(string) (*os.File, error) { return new(os.File), nil })()
+	readNames := 0
+	defer backend.MockDirNames(func(*os.File, int) ([]string, error) {
+		readNames++
+		if readNames > 4 {
+			return nil, io.EOF
+		}
+		return []string{
+			fmt.Sprintf("%d_foo", readNames),
+			fmt.Sprintf("%d_bar", readNames),
+			fmt.Sprintf("%d_baz", readNames),
+		}, nil
+	})()
+	defer backend.MockOpen(func(fn string) (*backend.Reader, error) {
+		var id uint64
+		var snapname string
+		fn = filepath.Base(fn)
+		_, err := fmt.Sscanf(fn, "%d_%s", &id, &snapname)
+		c.Assert(err, check.IsNil, check.Commentf(fn))
+		f, err := os.Open(os.DevNull)
+		c.Assert(err, check.IsNil, check.Commentf(fn))
+		return &backend.Reader{
+			File: f,
+			Snapshot: client.Snapshot{
+				SetID:    id,
+				Snap:     snapname,
+				SnapID:   "id-for-" + snapname,
+				Version:  "v1.0-" + snapname,
+				Revision: snap.R(int(id)),
+			},
+		}, nil
+	})()
+
+	type tableT struct {
+		setID     uint64
+		snapnames []string
+		numSets   int
+		numShots  int
+		predicate func(*client.Snapshot) bool
+	}
+	table := []tableT{
+		{0, nil, 4, 12, nil},
+		{0, []string{"foo"}, 4, 4, func(snapshot *client.Snapshot) bool { return snapshot.Snap == "foo" }},
+		{1, nil, 1, 3, func(snapshot *client.Snapshot) bool { return snapshot.SetID == 1 }},
+		{2, []string{"bar"}, 1, 1, func(snapshot *client.Snapshot) bool { return snapshot.Snap == "bar" && snapshot.SetID == 2 }},
+		{0, []string{"foo", "bar"}, 4, 8, func(snapshot *client.Snapshot) bool { return snapshot.Snap == "foo" || snapshot.Snap == "bar" }},
+	}
+
+	for i, t := range table {
+		comm := check.Commentf("%d: %d/%v", i, t.setID, t.snapnames)
+		// reset
+		readNames = 0
+		logbuf.Reset()
+
+		sets, err := backend.List(context.Background(), t.setID, t.snapnames)
+		c.Check(err, check.IsNil, comm)
+		c.Check(readNames, check.Equals, 5, comm)
+		c.Check(logbuf.String(), check.Equals, "", comm)
+		c.Check(sets, check.HasLen, t.numSets, comm)
+		nShots := 0
+		fnTpl := filepath.Join(dirs.SnapshotsDir, "%d_%s_%s_%s.zip")
+		for j, ss := range sets {
+			for k, snapshot := range ss.Snapshots {
+				comm := check.Commentf("%d: %d/%v #%d/%d", i, t.setID, t.snapnames, j, k)
+				if t.predicate != nil {
+					c.Check(t.predicate(snapshot), check.Equals, true, comm)
+				}
+				nShots++
+				fn := fmt.Sprintf(fnTpl, snapshot.SetID, snapshot.Snap, snapshot.Version, snapshot.Revision)
+				c.Check(backend.Filename(snapshot), check.Equals, fn, comm)
+				c.Check(snapshot.SnapID, check.Equals, "id-for-"+snapshot.Snap)
+			}
+		}
+		c.Check(nShots, check.Equals, t.numShots)
+	}
+}
+
+func (s *snapshotSuite) TestAddDirToZipBails(c *check.C) {
+	snapshot := &client.Snapshot{SetID: 42, Snap: "a-snap"}
+	buf, restore := logger.MockLogger()
+	defer restore()
+	// note as the zip is nil this would panic if it didn't bail
+	c.Check(backend.AddDirToZip(nil, snapshot, nil, "", "an/entry", filepath.Join(s.root, "nonexistent")), check.IsNil)
+	// no log for the non-existent case
+	c.Check(buf.String(), check.Equals, "")
+	buf.Reset()
+	c.Check(backend.AddDirToZip(nil, snapshot, nil, "", "an/entry", "/etc/passwd"), check.IsNil)
+	c.Check(buf.String(), check.Matches, "(?m).* is not a directory.")
+}
+
+func (s *snapshotSuite) TestAddDirToZipTarFails(c *check.C) {
+	d := filepath.Join(s.root, "foo")
+	c.Assert(os.MkdirAll(filepath.Join(d, "bar"), 0755), check.IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(s.root, "common"), 0755), check.IsNil)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	var buf bytes.Buffer
+	z := zip.NewWriter(&buf)
+	c.Assert(backend.AddDirToZip(ctx, nil, z, "", "an/entry", d), check.ErrorMatches, ".* context canceled")
+}
+
+func (s *snapshotSuite) TestAddDirToZip(c *check.C) {
+	d := filepath.Join(s.root, "foo")
+	c.Assert(os.MkdirAll(filepath.Join(d, "bar"), 0755), check.IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(s.root, "common"), 0755), check.IsNil)
+	c.Assert(ioutil.WriteFile(filepath.Join(d, "bar", "baz"), []byte("hello\n"), 0644), check.IsNil)
+
+	var buf bytes.Buffer
+	z := zip.NewWriter(&buf)
+	snapshot := &client.Snapshot{
+		SHA3_384: map[string]string{},
+	}
+	c.Assert(backend.AddDirToZip(context.Background(), snapshot, z, "", "an/entry", d), check.IsNil)
+	z.Close() // write out the central directory
+
+	c.Check(snapshot.SHA3_384, check.HasLen, 1)
+	c.Check(snapshot.SHA3_384["an/entry"], check.HasLen, 96)
+	c.Check(snapshot.Size > 0, check.Equals, true) // actual size most likely system-dependent
+	br := bytes.NewReader(buf.Bytes())
+	r, err := zip.NewReader(br, int64(br.Len()))
+	c.Assert(err, check.IsNil)
+	c.Check(r.File, check.HasLen, 1)
+	c.Check(r.File[0].Name, check.Equals, "an/entry")
+}
+
+func (s *snapshotSuite) TestHappyRoundtrip(c *check.C) {
+	s.testHappyRoundtrip(c, "marker")
+}
+
+func (s *snapshotSuite) TestHappyRoundtripNoCommon(c *check.C) {
+	for _, t := range table(snap.MinimalPlaceInfo("hello-snap", snap.R(42)), filepath.Join(dirs.GlobalRootDir, "home/snapuser")) {
+		if _, d := filepath.Split(t.dir); d == "common" {
+			c.Assert(os.RemoveAll(t.dir), check.IsNil)
+		}
+	}
+	s.testHappyRoundtrip(c, "marker")
+}
+
+func (s *snapshotSuite) TestHappyRoundtripNoRev(c *check.C) {
+	for _, t := range table(snap.MinimalPlaceInfo("hello-snap", snap.R(42)), filepath.Join(dirs.GlobalRootDir, "home/snapuser")) {
+		if _, d := filepath.Split(t.dir); d == "42" {
+			c.Assert(os.RemoveAll(t.dir), check.IsNil)
+		}
+	}
+	s.testHappyRoundtrip(c, "../common/marker")
+}
+
+func (s *snapshotSuite) testHappyRoundtrip(c *check.C, marker string) {
+	if os.Geteuid() == 0 {
+		c.Skip("this test cannot run as root (runuser will fail)")
+	}
+	logger.SimpleSetup()
+
+	epoch := snap.E("42*")
+	info := &snap.Info{SideInfo: snap.SideInfo{RealName: "hello-snap", Revision: snap.R(42), SnapID: "hello-id"}, Version: "v1.33", Epoch: epoch}
+	cfg := map[string]interface{}{"some-setting": false}
+	shID := uint64(12)
+
+	shw, err := backend.Save(context.TODO(), shID, info, cfg, []string{"snapuser"})
+	c.Assert(err, check.IsNil)
+	c.Check(shw.SetID, check.Equals, shID)
+	c.Check(shw.Snap, check.Equals, info.InstanceName())
+	c.Check(shw.SnapID, check.Equals, info.SnapID)
+	c.Check(shw.Version, check.Equals, info.Version)
+	c.Check(shw.Epoch, check.DeepEquals, epoch)
+	c.Check(shw.Revision, check.Equals, info.Revision)
+	c.Check(shw.Conf, check.DeepEquals, cfg)
+	c.Check(backend.Filename(shw), check.Equals, filepath.Join(dirs.SnapshotsDir, "12_hello-snap_v1.33_42.zip"))
+	c.Check(hashkeys(shw), check.DeepEquals, []string{"archive.tgz", "user/snapuser.tgz"})
+
+	shs, err := backend.List(context.TODO(), 0, nil)
+	c.Assert(err, check.IsNil)
+	c.Assert(shs, check.HasLen, 1)
+	c.Assert(shs[0].Snapshots, check.HasLen, 1)
+
+	shr, err := backend.Open(backend.Filename(shw))
+	c.Assert(err, check.IsNil)
+	defer shr.Close()
+
+	for label, sh := range map[string]*client.Snapshot{"open": &shr.Snapshot, "list": shs[0].Snapshots[0]} {
+		comm := check.Commentf("%q", label)
+		c.Check(sh.SetID, check.Equals, shID, comm)
+		c.Check(sh.Snap, check.Equals, info.InstanceName(), comm)
+		c.Check(sh.SnapID, check.Equals, info.SnapID, comm)
+		c.Check(sh.Version, check.Equals, info.Version, comm)
+		c.Check(sh.Epoch, check.DeepEquals, epoch)
+		c.Check(sh.Revision, check.Equals, info.Revision, comm)
+		c.Check(sh.Conf, check.DeepEquals, cfg, comm)
+		c.Check(sh.SHA3_384, check.DeepEquals, shw.SHA3_384, comm)
+	}
+	c.Check(shr.Name(), check.Equals, filepath.Join(dirs.SnapshotsDir, "12_hello-snap_v1.33_42.zip"))
+	c.Check(shr.Check(context.TODO(), nil), check.IsNil)
+
+	newroot := c.MkDir()
+	c.Assert(os.MkdirAll(filepath.Join(newroot, "home/snapuser"), 0755), check.IsNil)
+	dirs.SetRootDir(newroot)
+
+	var diff = func() *exec.Cmd {
+		cmd := exec.Command("diff", "-urN", "-x*.zip", s.root, newroot)
+		// cmd.Stdout = os.Stdout
+		// cmd.Stderr = os.Stderr
+		return cmd
+	}
+
+	for i := 0; i < 3; i++ {
+		comm := check.Commentf("%d", i)
+		// sanity check
+		c.Check(diff().Run(), check.NotNil, comm)
+
+		// restore leaves things like they were (again and again)
+		rs, err := shr.Restore(context.TODO(), snap.R(0), nil, logger.Debugf)
+		c.Assert(err, check.IsNil, comm)
+		rs.Cleanup()
+		c.Check(diff().Run(), check.IsNil, comm)
+
+		// dirty it -> no longer like it was
+		c.Check(ioutil.WriteFile(filepath.Join(info.DataDir(), marker), []byte("scribble\n"), 0644), check.IsNil, comm)
+	}
+}
+
+func (s *snapshotSuite) TestRestoreRoundtripDifferentRevision(c *check.C) {
+	if os.Geteuid() == 0 {
+		c.Skip("this test cannot run as root (runuser will fail)")
+	}
+	logger.SimpleSetup()
+
+	epoch := snap.E("42*")
+	info := &snap.Info{SideInfo: snap.SideInfo{RealName: "hello-snap", Revision: snap.R(42), SnapID: "hello-id"}, Version: "v1.33", Epoch: epoch}
+	shID := uint64(12)
+
+	shw, err := backend.Save(context.TODO(), shID, info, nil, []string{"snapuser"})
+	c.Assert(err, check.IsNil)
+	c.Check(shw.Revision, check.Equals, info.Revision)
+
+	shr, err := backend.Open(backend.Filename(shw))
+	c.Assert(err, check.IsNil)
+	defer shr.Close()
+
+	c.Check(shr.Revision, check.Equals, info.Revision)
+	c.Check(shr.Name(), check.Equals, filepath.Join(dirs.SnapshotsDir, "12_hello-snap_v1.33_42.zip"))
+
+	// move the expected data to its expected place
+	for _, dir := range []string{
+		filepath.Join(s.root, "home", "snapuser", "snap", "hello-snap"),
+		filepath.Join(dirs.SnapDataDir, "hello-snap"),
+	} {
+		c.Check(os.Rename(filepath.Join(dir, "42"), filepath.Join(dir, "17")), check.IsNil)
+	}
+
+	newroot := c.MkDir()
+	c.Assert(os.MkdirAll(filepath.Join(newroot, "home", "snapuser"), 0755), check.IsNil)
+	dirs.SetRootDir(newroot)
+
+	var diff = func() *exec.Cmd {
+		cmd := exec.Command("diff", "-urN", "-x*.zip", s.root, newroot)
+		// cmd.Stdout = os.Stdout
+		// cmd.Stderr = os.Stderr
+		return cmd
+	}
+
+	// sanity check
+	c.Check(diff().Run(), check.NotNil)
+
+	// restore leaves things like they were, but in the new dir
+	rs, err := shr.Restore(context.TODO(), snap.R("17"), nil, logger.Debugf)
+	c.Assert(err, check.IsNil)
+	rs.Cleanup()
+	c.Check(diff().Run(), check.IsNil)
+}
+
+func (s *snapshotSuite) TestPickUserWrapperRunuser(c *check.C) {
+	n := 0
+	defer backend.MockExecLookPath(func(s string) (string, error) {
+		n++
+		if s != "runuser" {
+			c.Fatalf(`expected to get "runuser", got %q`, s)
+		}
+		return "/sbin/runuser", nil
+	})()
+
+	c.Check(backend.PickUserWrapper(), check.Equals, "/sbin/runuser")
+	c.Check(n, check.Equals, 1)
+}
+
+func (s *snapshotSuite) TestPickUserWrapperSudo(c *check.C) {
+	n := 0
+	defer backend.MockExecLookPath(func(s string) (string, error) {
+		n++
+		if n == 1 {
+			if s != "runuser" {
+				c.Fatalf(`expected to get "runuser" first, got %q`, s)
+			}
+			return "", errors.New("no such thing")
+		}
+		if s != "sudo" {
+			c.Fatalf(`expected to get "sudo" next, got %q`, s)
+		}
+		return "/usr/bin/sudo", nil
+	})()
+
+	c.Check(backend.PickUserWrapper(), check.Equals, "/usr/bin/sudo")
+	c.Check(n, check.Equals, 2)
+}
+
+func (s *snapshotSuite) TestPickUserWrapperNothing(c *check.C) {
+	n := 0
+	defer backend.MockExecLookPath(func(s string) (string, error) {
+		n++
+		return "", errors.New("no such thing")
+	})()
+
+	c.Check(backend.PickUserWrapper(), check.Equals, "")
+	c.Check(n, check.Equals, 2)
+}
+
+func (s *snapshotSuite) TestMaybeRunuserHappyRunuser(c *check.C) {
+	uid := sys.UserID(0)
+	defer backend.MockSysGeteuid(func() sys.UserID { return uid })()
+	defer backend.SetUserWrapper("/sbin/runuser")()
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
+	c.Check(backend.TarAsUser("test", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: "/sbin/runuser",
+		Args: []string{"/sbin/runuser", "-u", "test", "--", "tar", "--bar"},
+	})
+	c.Check(backend.TarAsUser("root", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: s.tarPath,
+		Args: []string{"tar", "--bar"},
+	})
+	uid = 42
+	c.Check(backend.TarAsUser("test", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: s.tarPath,
+		Args: []string{"tar", "--bar"},
+	})
+	c.Check(logbuf.String(), check.Equals, "")
+}
+
+func (s *snapshotSuite) TestMaybeRunuserHappySudo(c *check.C) {
+	uid := sys.UserID(0)
+	defer backend.MockSysGeteuid(func() sys.UserID { return uid })()
+	defer backend.SetUserWrapper("/usr/bin/sudo")()
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
+	cmd := backend.TarAsUser("test", "--bar")
+	c.Check(cmd, check.DeepEquals, &exec.Cmd{
+		Path: "/usr/bin/sudo",
+		Args: []string{"/usr/bin/sudo", "-u", "test", "--", "tar", "--bar"},
+	})
+	c.Check(backend.TarAsUser("root", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: s.tarPath,
+		Args: []string{"tar", "--bar"},
+	})
+	uid = 42
+	c.Check(backend.TarAsUser("test", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: s.tarPath,
+		Args: []string{"tar", "--bar"},
+	})
+	c.Check(logbuf.String(), check.Equals, "")
+}
+
+func (s *snapshotSuite) TestMaybeRunuserNoHappy(c *check.C) {
+	uid := sys.UserID(0)
+	defer backend.MockSysGeteuid(func() sys.UserID { return uid })()
+	defer backend.SetUserWrapper("")()
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
+	c.Check(backend.TarAsUser("test", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: s.tarPath,
+		Args: []string{"tar", "--bar"},
+	})
+	c.Check(backend.TarAsUser("root", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: s.tarPath,
+		Args: []string{"tar", "--bar"},
+	})
+	uid = 42
+	c.Check(backend.TarAsUser("test", "--bar"), check.DeepEquals, &exec.Cmd{
+		Path: s.tarPath,
+		Args: []string{"tar", "--bar"},
+	})
+	c.Check(strings.TrimSpace(logbuf.String()), check.Matches, ".* No user wrapper found.*")
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/export_test.go snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/export_test.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,97 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend
+
+import (
+	"os"
+	"os/user"
+
+	"github.com/snapcore/snapd/osutil/sys"
+)
+
+var (
+	AddDirToZip     = addDirToZip
+	TarAsUser       = tarAsUser
+	PickUserWrapper = pickUserWrapper
+)
+
+func MockIsTesting(newIsTesting bool) func() {
+	oldIsTesting := isTesting
+	isTesting = newIsTesting
+	return func() {
+		isTesting = oldIsTesting
+	}
+}
+
+func MockUserLookupId(newLookupId func(string) (*user.User, error)) func() {
+	oldLookupId := userLookupId
+	userLookupId = newLookupId
+	return func() {
+		userLookupId = oldLookupId
+	}
+}
+
+func MockOsOpen(newOsOpen func(string) (*os.File, error)) func() {
+	oldOsOpen := osOpen
+	osOpen = newOsOpen
+	return func() {
+		osOpen = oldOsOpen
+	}
+}
+
+func MockDirNames(newDirNames func(*os.File, int) ([]string, error)) func() {
+	oldDirNames := dirNames
+	dirNames = newDirNames
+	return func() {
+		dirNames = oldDirNames
+	}
+}
+
+func MockOpen(newOpen func(string) (*Reader, error)) func() {
+	oldOpen := backendOpen
+	backendOpen = newOpen
+	return func() {
+		backendOpen = oldOpen
+	}
+}
+
+func MockSysGeteuid(newGeteuid func() sys.UserID) (restore func()) {
+	oldGeteuid := sysGeteuid
+	sysGeteuid = newGeteuid
+	return func() {
+		sysGeteuid = oldGeteuid
+	}
+}
+
+func MockExecLookPath(newLookPath func(string) (string, error)) (restore func()) {
+	oldLookPath := execLookPath
+	execLookPath = newLookPath
+	return func() {
+		execLookPath = oldLookPath
+	}
+}
+
+func SetUserWrapper(newUserWrapper string) (restore func()) {
+	oldUserWrapper := userWrapper
+	userWrapper = newUserWrapper
+	return func() {
+		userWrapper = oldUserWrapper
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/helpers.go snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/helpers.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/helpers.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/helpers.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,229 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend
+
+import (
+	"archive/zip"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil/sys"
+)
+
+func zipMember(f *os.File, member string) (r io.ReadCloser, sz int64, err error) {
+	// rewind the file
+	// (shouldn't be needed, but doesn't hurt too much)
+	if _, err := f.Seek(0, 0); err != nil {
+		return nil, -1, err
+	}
+
+	fi, err := f.Stat()
+	if err != nil {
+		return nil, -1, err
+	}
+
+	arch, err := zip.NewReader(f, fi.Size())
+	if err != nil {
+		return nil, -1, err
+	}
+
+	for _, fh := range arch.File {
+		if fh.Name == member {
+			r, err = fh.Open()
+			return r, int64(fh.UncompressedSize64), err
+		}
+	}
+
+	return nil, -1, fmt.Errorf("missing archive member %q", member)
+}
+
+func userArchiveName(usr *user.User) string {
+	return filepath.Join(userArchivePrefix, usr.Username+userArchiveSuffix)
+}
+
+func isUserArchive(entry string) bool {
+	return strings.HasPrefix(entry, userArchivePrefix) && strings.HasSuffix(entry, userArchiveSuffix)
+}
+
+func entryUsername(entry string) string {
+	// this _will_ panic if !isUserArchive(entry)
+	return entry[len(userArchivePrefix) : len(entry)-len(userArchiveSuffix)]
+}
+
+type bySnap []*client.Snapshot
+
+func (a bySnap) Len() int           { return len(a) }
+func (a bySnap) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a bySnap) Less(i, j int) bool { return a[i].Snap < a[j].Snap }
+
+type byID []client.SnapshotSet
+
+func (a byID) Len() int           { return len(a) }
+func (a byID) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byID) Less(i, j int) bool { return a[i].ID < a[j].ID }
+
+var (
+	userLookup   = user.Lookup
+	userLookupId = user.LookupId
+)
+
+func isUnknownUser(err error) bool {
+	switch err.(type) {
+	case user.UnknownUserError, user.UnknownUserIdError:
+		return true
+	default:
+		return false
+	}
+}
+
+func usersForUsernames(usernames []string) ([]*user.User, error) {
+	if len(usernames) == 0 {
+		return allUsers()
+	}
+	users := make([]*user.User, 0, len(usernames))
+	for _, username := range usernames {
+		usr, err := userLookup(username)
+		if err != nil {
+			if !isUnknownUser(err) {
+				return nil, err
+			}
+			u, e := userLookupId(username)
+			if e != nil {
+				// return first error, as it's usually clearer
+				return nil, err
+			}
+			usr = u
+		}
+		users = append(users, usr)
+
+	}
+	return users, nil
+}
+
+func allUsers() ([]*user.User, error) {
+	ds, err := filepath.Glob(dirs.SnapDataHomeGlob)
+	if err != nil {
+		// can't happen?
+		return nil, err
+	}
+
+	users := make([]*user.User, 1, len(ds)+1)
+	root, err := user.LookupId("0")
+	if err != nil {
+		return nil, err
+	}
+	users[0] = root
+	seen := make(map[uint32]bool, len(ds)+1)
+	seen[0] = true
+	var st syscall.Stat_t
+	for _, d := range ds {
+		err := syscall.Stat(d, &st)
+		if err != nil {
+			continue
+		}
+		if seen[st.Uid] {
+			continue
+		}
+		seen[st.Uid] = true
+		usr, err := userLookupId(strconv.FormatUint(uint64(st.Uid), 10))
+		if err != nil {
+			if !isUnknownUser(err) {
+				return nil, err
+			}
+		} else {
+			users = append(users, usr)
+		}
+	}
+
+	return users, nil
+}
+
+var (
+	sysGeteuid   = sys.Geteuid
+	execLookPath = exec.LookPath
+)
+
+func pickUserWrapper() string {
+	// runuser and sudo happen to work the same way in this case.  The main
+	// reason to prefer runuser over sudo is that runuser is part of
+	// util-linux, which is considered essential, whereas sudo is an addon
+	// which could be removed.  However util-linux < 2.23 does not have
+	// runuser, and we support some distros that ship things older than that
+	// (e.g. Ubuntu 14.04)
+	for _, cmd := range []string{"runuser", "sudo"} {
+		if lp, err := execLookPath(cmd); err == nil {
+			return lp
+		}
+	}
+	return ""
+}
+
+var userWrapper = pickUserWrapper()
+
+// tarAsUser returns an exec.Cmd that will, if the current effective user id is
+// 0 and username is not "root", and if either runuser(1) or sudo(8) are found
+// on the PATH, run tar as the given user.
+//
+// If the effective user id is not 0, or username is "root", exec.Command is
+// used directly; changing the user id would fail (in the first case) or be a
+// no-op (in the second).
+//
+// If neither runuser nor sudo are found on the path, exec.Command is also used
+// directly. This will result in tar running as root in this situation (so it
+// will fail if on NFS; I don't think there's an attack vector though).
+func tarAsUser(username string, args ...string) *exec.Cmd {
+	if sysGeteuid() == 0 && username != "root" {
+		if userWrapper != "" {
+			uwArgs := make([]string, len(args)+5)
+			uwArgs[0] = userWrapper
+			uwArgs[1] = "-u"
+			uwArgs[2] = username
+			uwArgs[3] = "--"
+			uwArgs[4] = "tar"
+			copy(uwArgs[5:], args)
+			return &exec.Cmd{
+				Path: userWrapper,
+				Args: uwArgs,
+			}
+		}
+		// TODO: use warnings instead
+		logger.Noticef("No user wrapper found; running tar for user data as root. Please make sure 'sudo' or 'runuser' (from util-linux) is on $PATH to avoid this.")
+	}
+
+	return exec.Command("tar", args...)
+}
+
+func MockUserLookup(newLookup func(string) (*user.User, error)) func() {
+	oldLookup := userLookup
+	userLookup = newLookup
+	return func() {
+		userLookup = oldLookup
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/reader.go snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/reader.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/reader.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/reader.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,378 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend
+
+import (
+	"bytes"
+	"crypto"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sort"
+	"syscall"
+
+	"golang.org/x/net/context"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/jsonutil"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/sys"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
+)
+
+// A Reader is a snapshot that's been opened for reading.
+type Reader struct {
+	*os.File
+	client.Snapshot
+}
+
+// Open a Snapshot given its full filename.
+//
+// If the returned error is nil, the caller must close the reader (or
+// its file) when done with it.
+//
+// If the returned error is non-nil, the returned Reader will be nil,
+// *or* have a non-empty Broken; in the latter case its file will be
+// closed.
+func Open(fn string) (reader *Reader, e error) {
+	f, err := os.Open(fn)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if e != nil && f != nil {
+			f.Close()
+		}
+	}()
+
+	reader = &Reader{
+		File: f,
+	}
+
+	// first try to load the metadata itself
+	var sz sizer
+	hasher := crypto.SHA3_384.New()
+	metaReader, metaSize, err := zipMember(f, metadataName)
+	if err != nil {
+		// no metadata file -> nothing to do :-(
+		return nil, err
+	}
+
+	if err := jsonutil.DecodeWithNumber(io.TeeReader(metaReader, io.MultiWriter(hasher, &sz)), &reader.Snapshot); err != nil {
+		return nil, err
+	}
+
+	// OK, from here on we have a Snapshot
+
+	if !reader.IsValid() {
+		reader.Broken = "invalid snapshot"
+		return reader, errors.New(reader.Broken)
+	}
+
+	if sz.size != metaSize {
+		reader.Broken = fmt.Sprintf("declared metadata size (%d) does not match actual (%d)", metaSize, sz.size)
+		return reader, errors.New(reader.Broken)
+	}
+
+	actualMetaHash := fmt.Sprintf("%x", hasher.Sum(nil))
+
+	// grab the metadata hash
+	sz.Reset()
+	metaHashReader, metaHashSize, err := zipMember(f, metaHashName)
+	if err != nil {
+		reader.Broken = err.Error()
+		return reader, err
+	}
+	metaHashBuf, err := ioutil.ReadAll(io.TeeReader(metaHashReader, &sz))
+	if err != nil {
+		reader.Broken = err.Error()
+		return reader, err
+	}
+	if sz.size != metaHashSize {
+		reader.Broken = fmt.Sprintf("declared hash size (%d) does not match actual (%d)", metaHashSize, sz.size)
+		return reader, errors.New(reader.Broken)
+	}
+	if expectedMetaHash := string(bytes.TrimSpace(metaHashBuf)); actualMetaHash != expectedMetaHash {
+		reader.Broken = fmt.Sprintf("declared hash (%.7s…) does not match actual (%.7s…)", expectedMetaHash, actualMetaHash)
+		return reader, errors.New(reader.Broken)
+	}
+
+	return reader, nil
+}
+
+func (r *Reader) checkOne(ctx context.Context, entry string, hasher hash.Hash) error {
+	body, reportedSize, err := zipMember(r.File, entry)
+	if err != nil {
+		return err
+	}
+	defer body.Close()
+
+	expectedHash := r.SHA3_384[entry]
+	readSize, err := io.Copy(io.MultiWriter(osutil.ContextWriter(ctx), hasher), body)
+	if err != nil {
+		return err
+	}
+
+	if readSize != reportedSize {
+		return fmt.Errorf("snapshot entry %q size (%d) different from actual (%d)", entry, reportedSize, readSize)
+	}
+
+	if actualHash := fmt.Sprintf("%x", hasher.Sum(nil)); actualHash != expectedHash {
+		return fmt.Errorf("snapshot entry %q expected hash (%.7s…) does not match actual (%.7s…)", entry, expectedHash, actualHash)
+	}
+	return nil
+}
+
+// Check that the data contained in the snapshot matches its hashsums.
+func (r *Reader) Check(ctx context.Context, usernames []string) error {
+	sort.Strings(usernames)
+
+	hasher := crypto.SHA3_384.New()
+	for entry := range r.SHA3_384 {
+		if len(usernames) > 0 && isUserArchive(entry) {
+			username := entryUsername(entry)
+			if !strutil.SortedListContains(usernames, username) {
+				logger.Debugf("In checking snapshot %q, skipping entry %q by user request.", r.Name(), username)
+				continue
+			}
+		}
+
+		if err := r.checkOne(ctx, entry, hasher); err != nil {
+			return err
+		}
+		hasher.Reset()
+	}
+
+	return nil
+}
+
+// Logf is the type implemented by logging functions.
+type Logf func(format string, args ...interface{})
+
+// Restore the data from the snapshot.
+//
+// If successful this will replace the existing data (for the given revision,
+// or the one in the snapshot) with that contained in the snapshot. It keeps
+// track of the old data in the task so it can be undone (or cleaned up).
+func (r *Reader) Restore(ctx context.Context, current snap.Revision, usernames []string, logf Logf) (rs *RestoreState, e error) {
+	rs = &RestoreState{}
+	defer func() {
+		if e != nil {
+			logger.Noticef("Restore of snapshot %q failed (%v); undoing.", r.Name(), e)
+			rs.Revert()
+			rs = nil
+		}
+	}()
+
+	sort.Strings(usernames)
+	isRoot := sys.Geteuid() == 0
+	si := snap.MinimalPlaceInfo(r.Snap, r.Revision)
+	hasher := crypto.SHA3_384.New()
+	var sz sizer
+
+	var curdir string
+	if !current.Unset() {
+		curdir = current.String()
+	}
+
+	for entry := range r.SHA3_384 {
+		if err := ctx.Err(); err != nil {
+			return rs, err
+		}
+
+		var dest string
+		isUser := isUserArchive(entry)
+		username := "root"
+		uid := sys.UserID(osutil.NoChown)
+		gid := sys.GroupID(osutil.NoChown)
+
+		if !isUser {
+			if entry != archiveName {
+				// hmmm
+				logf("Skipping restore of unknown entry %q.", entry)
+				continue
+			}
+			dest = si.DataDir()
+		} else {
+			username = entryUsername(entry)
+			if len(usernames) > 0 && !strutil.SortedListContains(usernames, username) {
+				logger.Debugf("In restoring snapshot %q, skipping entry %q by user request.", r.Name(), username)
+				continue
+			}
+			usr, err := userLookup(username)
+			if err != nil {
+				logf("Skipping restore of user %q: %v.", username, err)
+				continue
+			}
+
+			dest = si.UserDataDir(usr.HomeDir)
+			fi, err := os.Stat(usr.HomeDir)
+			if err != nil {
+				if osutil.IsDirNotExist(err) {
+					logf("Skipping restore of %q as %q doesn't exist.", dest, usr.HomeDir)
+				} else {
+					logf("Skipping restore of %q: %v.", dest, err)
+				}
+				continue
+			}
+
+			if !fi.IsDir() {
+				logf("Skipping restore of %q as %q is not a directory.", dest, usr.HomeDir)
+				continue
+			}
+
+			if st, ok := fi.Sys().(*syscall.Stat_t); ok && isRoot {
+				// the mkdir below will use the uid/gid of usr.HomeDir
+				if st.Uid > 0 {
+					uid = sys.UserID(st.Uid)
+				}
+				if st.Gid > 0 {
+					gid = sys.GroupID(st.Gid)
+				}
+			}
+		}
+		parent, revdir := filepath.Split(dest)
+
+		exists, isDir, err := osutil.DirExists(parent)
+		if err != nil {
+			return rs, err
+		}
+		if !exists {
+			// NOTE that the chown won't happen (it'll be NoChown)
+			// for the system path, and we won't be creating the
+			// user's home (as we skip restore in that case).
+			// Also no chown happens for root/root.
+			if err := osutil.MkdirAllChown(parent, 0755, uid, gid); err != nil {
+				return rs, err
+			}
+			rs.Created = append(rs.Created, parent)
+		} else if !isDir {
+			return rs, fmt.Errorf("Cannot restore snapshot into %q: not a directory.", parent)
+		}
+
+		// TODO: have something more atomic in osutil
+		tempdir, err := ioutil.TempDir(parent, ".snapshot")
+		if err != nil {
+			return rs, err
+		}
+		if err := sys.ChownPath(tempdir, uid, gid); err != nil {
+			return rs, err
+		}
+
+		// one way or another we want tempdir gone
+		defer func() {
+			if err := os.RemoveAll(tempdir); err != nil {
+				logf("Cannot clean up temporary directory %q: %v.", tempdir, err)
+			}
+		}()
+
+		logger.Debugf("Restoring %q from %q into %q.", entry, r.Name(), tempdir)
+
+		body, expectedSize, err := zipMember(r.File, entry)
+		if err != nil {
+			return rs, err
+		}
+
+		expectedHash := r.SHA3_384[entry]
+
+		tr := io.TeeReader(body, io.MultiWriter(hasher, &sz))
+
+		// resist the temptation of using archive/tar unless it's proven
+		// that calling out to tar has issues -- there are a lot of
+		// special cases we'd need to consider otherwise
+		cmd := tarAsUser(username,
+			"--extract",
+			"--preserve-permissions", "--preserve-order", "--gunzip",
+			"--directory", tempdir)
+		cmd.Env = []string{}
+		cmd.Stdin = tr
+		matchCounter := &strutil.MatchCounter{N: 1}
+		cmd.Stderr = matchCounter
+		cmd.Stdout = os.Stderr
+		if isTesting {
+			matchCounter.N = -1
+			cmd.Stderr = io.MultiWriter(os.Stderr, matchCounter)
+		}
+
+		if err = osutil.RunWithContext(ctx, cmd); err != nil {
+			matches, count := matchCounter.Matches()
+			if count > 0 {
+				return rs, fmt.Errorf("cannot unpack archive: %s (and %d more)", matches[0], count-1)
+			}
+			return rs, fmt.Errorf("tar failed: %v", err)
+		}
+
+		if sz.size != expectedSize {
+			return rs, fmt.Errorf("snapshot %q entry %q expected size (%d) does not match actual (%d)",
+				r.Name(), entry, expectedSize, sz.size)
+		}
+
+		if actualHash := fmt.Sprintf("%x", hasher.Sum(nil)); actualHash != expectedHash {
+			return rs, fmt.Errorf("snapshot %q entry %q expected hash (%.7s…) does not match actual (%.7s…)",
+				r.Name(), entry, expectedHash, actualHash)
+		}
+
+		if curdir != "" && curdir != revdir {
+			// rename it in tempdir
+			// this is where we assume the current revision can read the snapshot revision's data
+			if err := os.Rename(filepath.Join(tempdir, revdir), filepath.Join(tempdir, curdir)); err != nil {
+				return rs, err
+			}
+			revdir = curdir
+		}
+
+		for _, dir := range []string{"common", revdir} {
+			source := filepath.Join(tempdir, dir)
+			if exists, _, err := osutil.DirExists(source); err != nil {
+				return rs, err
+			} else if !exists {
+				continue
+			}
+			target := filepath.Join(parent, dir)
+			exists, _, err := osutil.DirExists(target)
+			if err != nil {
+				return rs, err
+			}
+			if exists {
+				rsfn := restoreStateFilename(target)
+				if err := os.Rename(target, rsfn); err != nil {
+					return rs, err
+				}
+				rs.Moved = append(rs.Moved, rsfn)
+			}
+
+			if err := os.Rename(source, target); err != nil {
+				return rs, err
+			}
+			rs.Created = append(rs.Created, target)
+		}
+
+		sz.Reset()
+		hasher.Reset()
+	}
+
+	return rs, nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/restorestate.go snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/restorestate.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/restorestate.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/restorestate.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,96 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/strutil"
+)
+
+// RestoreState stores information that can be used to cleanly revert (or finish
+// cleaning up) a snapshot Restore.
+//
+// This is useful when a Restore is part of a chain of operations, and a later
+// one failing necessitates undoing the Restore.
+type RestoreState struct {
+	Done    bool     `json:"done,omitempty"`
+	Created []string `json:"created,omitempty"`
+	Moved   []string `json:"moved,omitempty"`
+	// Config is here for convenience; this package doesn't touch it
+	Config map[string]interface{} `json:"config,omitempty"`
+}
+
+// Cleanup the backed up data from disk.
+func (rs *RestoreState) Cleanup() {
+	if rs.Done {
+		logger.Noticef("Internal error: attempting to clean up a snapshot.RestoreState twice.")
+		return
+	}
+	rs.Done = true
+	for _, dir := range rs.Moved {
+		if err := os.RemoveAll(dir); err != nil {
+			logger.Noticef("Cannot remove directory tree rooted at %q: %v.", dir, err)
+		}
+	}
+}
+
+func restoreStateFilename(fn string) string {
+	return fmt.Sprintf("%s.~%s~", fn, strutil.MakeRandomString(9))
+}
+
+var restoreStateRx = regexp.MustCompile(`\.~[a-zA-Z0-9]{9}~$`)
+
+func restoreState2orig(fn string) string {
+	if idx := restoreStateRx.FindStringIndex(fn); len(idx) > 0 {
+		return fn[:idx[0]]
+	}
+	return ""
+}
+
+// Revert the backed up data: remove what was added, move back what was moved aside.
+func (rs *RestoreState) Revert() {
+	if rs.Done {
+		logger.Noticef("Internal error: attempting to revert a snapshot.RestoreState twice.")
+		return
+	}
+	rs.Done = true
+	for _, dir := range rs.Created {
+		logger.Debugf("Removing %q.", dir)
+		if err := os.RemoveAll(dir); err != nil {
+			logger.Noticef("While undoing changes because of a previous error: cannot remove %q: %v.", dir, err)
+		}
+	}
+	for _, dir := range rs.Moved {
+		orig := restoreState2orig(dir)
+		if orig == "" {
+			// dir is not restore state?!?
+			logger.Debugf("Skipping restore of %q: unrecognised filename.", dir)
+			continue
+		}
+		logger.Debugf("Restoring %q to %q.", dir, orig)
+		if err := os.Rename(dir, orig); err != nil {
+			logger.Noticef("While undoing changes because of a previous error: cannot restore %q to %q: %v.", dir, orig, err)
+		}
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/sizer.go snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/sizer.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/backend/sizer.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/backend/sizer.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,34 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend
+
+type sizer struct {
+	size int64
+}
+
+func (sz *sizer) Write(data []byte) (n int, err error) {
+	n = len(data)
+	sz.size += int64(n)
+	return
+}
+
+func (sz *sizer) Reset() {
+	sz.size = 0
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/export_test.go snapd-2.37~rc1~14.04/overlord/snapshotstate/export_test.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,163 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snapshotstate
+
+import (
+	"encoding/json"
+
+	"golang.org/x/net/context"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/overlord/snapshotstate/backend"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+)
+
+var (
+	NewSnapshotSetID           = newSnapshotSetID
+	AllActiveSnapNames         = allActiveSnapNames
+	SnapSummariesInSnapshotSet = snapSummariesInSnapshotSet
+	CheckSnapshotTaskConflict  = checkSnapshotTaskConflict
+	Filename                   = filename
+	DoSave                     = doSave
+	DoRestore                  = doRestore
+	UndoRestore                = undoRestore
+	CleanupRestore             = cleanupRestore
+	DoCheck                    = doCheck
+	DoForget                   = doForget
+)
+
+func (summaries snapshotSnapSummaries) AsMaps() []map[string]string {
+	out := make([]map[string]string, len(summaries))
+	for i, summary := range summaries {
+		out[i] = map[string]string{
+			"snap":     summary.snap,
+			"snapID":   summary.snapID,
+			"filename": summary.filename,
+			"epoch":    summary.epoch.String(),
+		}
+	}
+	return out
+}
+
+func MockOsRemove(f func(string) error) (restore func()) {
+	old := osRemove
+	osRemove = f
+	return func() {
+		osRemove = old
+	}
+}
+
+func MockSnapstateAll(f func(*state.State) (map[string]*snapstate.SnapState, error)) (restore func()) {
+	old := snapstateAll
+	snapstateAll = f
+	return func() {
+		snapstateAll = old
+	}
+}
+
+func MockSnapstateCurrentInfo(f func(*state.State, string) (*snap.Info, error)) (restore func()) {
+	old := snapstateCurrentInfo
+	snapstateCurrentInfo = f
+	return func() {
+		snapstateCurrentInfo = old
+	}
+}
+
+func MockSnapstateCheckChangeConflictMany(f func(*state.State, []string, string) error) (restore func()) {
+	old := snapstateCheckChangeConflictMany
+	snapstateCheckChangeConflictMany = f
+	return func() {
+		snapstateCheckChangeConflictMany = old
+	}
+}
+
+func MockBackendIter(f func(context.Context, func(*backend.Reader) error) error) (restore func()) {
+	old := backendIter
+	backendIter = f
+	return func() {
+		backendIter = old
+	}
+}
+
+func MockBackendSave(f func(context.Context, uint64, *snap.Info, map[string]interface{}, []string) (*client.Snapshot, error)) (restore func()) {
+	old := backendSave
+	backendSave = f
+	return func() {
+		backendSave = old
+	}
+}
+
+func MockBackendOpen(f func(string) (*backend.Reader, error)) (restore func()) {
+	old := backendOpen
+	backendOpen = f
+	return func() {
+		backendOpen = old
+	}
+}
+
+func MockBackendRestore(f func(*backend.Reader, context.Context, snap.Revision, []string, backend.Logf) (*backend.RestoreState, error)) (restore func()) {
+	old := backendRestore
+	backendRestore = f
+	return func() {
+		backendRestore = old
+	}
+}
+
+func MockBackendCheck(f func(*backend.Reader, context.Context, []string) error) (restore func()) {
+	old := backendCheck
+	backendCheck = f
+	return func() {
+		backendCheck = old
+	}
+}
+
+func MockBackendRevert(f func(*backend.RestoreState)) (restore func()) {
+	old := backendRevert
+	backendRevert = f
+	return func() {
+		backendRevert = old
+	}
+}
+
+func MockBackendCleanup(f func(*backend.RestoreState)) (restore func()) {
+	old := backendCleanup
+	backendCleanup = f
+	return func() {
+		backendCleanup = old
+	}
+}
+
+func MockConfigGetSnapConfig(f func(*state.State, string) (*json.RawMessage, error)) (restore func()) {
+	old := configGetSnapConfig
+	configGetSnapConfig = f
+	return func() {
+		configGetSnapConfig = old
+	}
+}
+
+func MockConfigSetSnapConfig(f func(*state.State, string, *json.RawMessage) error) (restore func()) {
+	old := configSetSnapConfig
+	configSetSnapConfig = f
+	return func() {
+		configSetSnapConfig = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotmgr.go snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotmgr.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotmgr.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotmgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,307 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snapshotstate
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"gopkg.in/tomb.v2"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/snapshotstate/backend"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+)
+
+var (
+	osRemove             = os.Remove
+	snapstateCurrentInfo = snapstate.CurrentInfo
+	configGetSnapConfig  = config.GetSnapConfig
+	configSetSnapConfig  = config.SetSnapConfig
+	backendOpen          = backend.Open
+	backendSave          = backend.Save
+	backendRestore       = (*backend.Reader).Restore // TODO: look into using an interface instead
+	backendCheck         = (*backend.Reader).Check
+	backendRevert        = (*backend.RestoreState).Revert // ditto
+	backendCleanup       = (*backend.RestoreState).Cleanup
+)
+
+// SnapshotManager takes snapshots of active snaps
+type SnapshotManager struct{}
+
+// Manager returns a new SnapshotManager
+func Manager(st *state.State, runner *state.TaskRunner) *SnapshotManager {
+	runner.AddHandler("save-snapshot", doSave, doForget)
+	runner.AddHandler("forget-snapshot", doForget, nil)
+	runner.AddHandler("check-snapshot", doCheck, nil)
+	runner.AddHandler("restore-snapshot", doRestore, undoRestore)
+	runner.AddCleanup("restore-snapshot", cleanupRestore)
+
+	manager := &SnapshotManager{}
+	snapstate.AddAffectedSnapsByAttr("snapshot-setup", manager.affectedSnaps)
+
+	return manager
+}
+
+// Ensure is part of the overlord.StateManager interface.
+func (SnapshotManager) Ensure() error { return nil }
+
+func (SnapshotManager) affectedSnaps(t *state.Task) ([]string, error) {
+	if k := t.Kind(); k == "check-snapshot" || k == "forget-snapshot" {
+		// check and forget don't affect snaps
+		// (this could also be written k != save && k != restore, but it's safer this way around)
+		return nil, nil
+	}
+	var snapshot snapshotSetup
+	if err := t.Get("snapshot-setup", &snapshot); err != nil {
+		return nil, taskGetErrMsg(t, err, "snapshot")
+	}
+
+	return []string{snapshot.Snap}, nil
+}
+
+type snapshotSetup struct {
+	SetID    uint64        `json:"set-id"`
+	Snap     string        `json:"snap"`
+	Users    []string      `json:"users,omitempty"`
+	Filename string        `json:"filename,omitempty"`
+	Current  snap.Revision `json:"current"`
+}
+
+func filename(setID uint64, si *snap.Info) string {
+	skel := &client.Snapshot{
+		SetID:    setID,
+		Snap:     si.InstanceName(),
+		Revision: si.Revision,
+		Version:  si.Version,
+	}
+	return backend.Filename(skel)
+}
+
+// prepareSave does all the steps of doSave that require the state lock;
+// it has no real significance beyond making the lock handling simpler
+func prepareSave(task *state.Task) (snapshot *snapshotSetup, cur *snap.Info, cfg map[string]interface{}, err error) {
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	if err := task.Get("snapshot-setup", &snapshot); err != nil {
+		return nil, nil, nil, taskGetErrMsg(task, err, "snapshot")
+	}
+	cur, err = snapstateCurrentInfo(st, snapshot.Snap)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	// updating snapshot-setup with the filename, for use in undo
+	snapshot.Filename = filename(snapshot.SetID, cur)
+	task.Set("snapshot-setup", &snapshot)
+
+	rawCfg, err := configGetSnapConfig(st, snapshot.Snap)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	if rawCfg != nil {
+		if err := json.Unmarshal(*rawCfg, &cfg); err != nil {
+			return nil, nil, nil, err
+		}
+	}
+
+	return snapshot, cur, cfg, nil
+}
+
+func doSave(task *state.Task, tomb *tomb.Tomb) error {
+	snapshot, cur, cfg, err := prepareSave(task)
+	if err != nil {
+		return err
+	}
+	_, err = backendSave(tomb.Context(nil), snapshot.SetID, cur, cfg, snapshot.Users)
+	return err
+}
+
+// prepareRestore does the steps of doRestore that require the state lock
+// before the backend Restore call.
+func prepareRestore(task *state.Task) (snapshot *snapshotSetup, oldCfg map[string]interface{}, reader *backend.Reader, err error) {
+	st := task.State()
+
+	st.Lock()
+	defer st.Unlock()
+
+	if err := task.Get("snapshot-setup", &snapshot); err != nil {
+		return nil, nil, nil, taskGetErrMsg(task, err, "snapshot")
+	}
+
+	rawCfg, err := configGetSnapConfig(st, snapshot.Snap)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("internal error: cannot obtain current snap config for snapshot restore: %v", err)
+	}
+
+	if rawCfg != nil {
+		if err := json.Unmarshal(*rawCfg, &oldCfg); err != nil {
+			return nil, nil, nil, fmt.Errorf("internal error: cannot decode current snap config: %v", err)
+		}
+	}
+
+	reader, err = backendOpen(snapshot.Filename)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("cannot open snapshot: %v", err)
+	}
+	// note given the Open succeeded, caller needs to close it when done
+
+	return snapshot, oldCfg, reader, nil
+}
+
+func doRestore(task *state.Task, tomb *tomb.Tomb) error {
+	snapshot, oldCfg, reader, err := prepareRestore(task)
+	if err != nil {
+		return err
+	}
+	defer reader.Close()
+
+	st := task.State()
+	logf := func(format string, args ...interface{}) {
+		st.Lock()
+		defer st.Unlock()
+		task.Logf(format, args...)
+	}
+
+	restoreState, err := backendRestore(reader, tomb.Context(nil), snapshot.Current, snapshot.Users, logf)
+	if err != nil {
+		return err
+	}
+
+	buf, err := json.Marshal(reader.Conf)
+	if err != nil {
+		backendRevert(restoreState)
+		return fmt.Errorf("cannot marshal saved config: %v", err)
+	}
+
+	st.Lock()
+	defer st.Unlock()
+
+	if err := configSetSnapConfig(st, snapshot.Snap, (*json.RawMessage)(&buf)); err != nil {
+		backendRevert(restoreState)
+		return fmt.Errorf("cannot set snap config: %v", err)
+	}
+
+	restoreState.Config = oldCfg
+	task.Set("restore-state", restoreState)
+
+	return nil
+}
+
+func undoRestore(task *state.Task, _ *tomb.Tomb) error {
+	var restoreState backend.RestoreState
+	var snapshot snapshotSetup
+
+	st := task.State()
+	st.Lock()
+	defer st.Unlock()
+
+	if err := task.Get("restore-state", &restoreState); err != nil {
+		return taskGetErrMsg(task, err, "snapshot restore")
+	}
+	if err := task.Get("snapshot-setup", &snapshot); err != nil {
+		return taskGetErrMsg(task, err, "snapshot")
+	}
+
+	buf, err := json.Marshal(restoreState.Config)
+	if err != nil {
+		return fmt.Errorf("cannot marshal saved config: %v", err)
+	}
+
+	if err := configSetSnapConfig(st, snapshot.Snap, (*json.RawMessage)(&buf)); err != nil {
+		return fmt.Errorf("cannot restore saved config: %v", err)
+	}
+
+	backendRevert(&restoreState)
+
+	return nil
+}
+
+func cleanupRestore(task *state.Task, _ *tomb.Tomb) error {
+	var restoreState backend.RestoreState
+
+	st := task.State()
+	st.Lock()
+	status := task.Status()
+	err := task.Get("restore-state", &restoreState)
+	st.Unlock()
+
+	if status != state.DoneStatus {
+		// only need to clean up restores that worked
+		return nil
+	}
+
+	if err != nil {
+		// this is bad: we somehow lost the information to restore things
+		// but if we return the error we'll just get called again :-(
+		// TODO: use warnings :-)
+		logger.Noticef("%v", taskGetErrMsg(task, err, "snapshot restore"))
+		return nil
+	}
+
+	backendCleanup(&restoreState)
+
+	return nil
+}
+
+func doCheck(task *state.Task, tomb *tomb.Tomb) error {
+	var snapshot snapshotSetup
+
+	st := task.State()
+	st.Lock()
+	err := task.Get("snapshot-setup", &snapshot)
+	st.Unlock()
+	if err != nil {
+		return taskGetErrMsg(task, err, "snapshot")
+	}
+
+	reader, err := backendOpen(snapshot.Filename)
+	if err != nil {
+		return fmt.Errorf("cannot open snapshot: %v", err)
+	}
+	defer reader.Close()
+
+	return backendCheck(reader, tomb.Context(nil), snapshot.Users)
+}
+
+func doForget(task *state.Task, _ *tomb.Tomb) error {
+	// note this is also undoSave
+	st := task.State()
+	st.Lock()
+
+	var snapshot snapshotSetup
+	err := task.Get("snapshot-setup", &snapshot)
+	st.Unlock()
+	if err != nil {
+		return taskGetErrMsg(task, err, "snapshot")
+	}
+
+	if snapshot.Filename == "" {
+		return fmt.Errorf("internal error: task %s (%s) snapshot info is missing the filename", task.ID(), task.Kind())
+	}
+
+	return osRemove(snapshot.Filename)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotmgr_test.go snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotmgr_test.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotmgr_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotmgr_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,481 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snapshotstate_test
+
+import (
+	"encoding/json"
+	"errors"
+	"path/filepath"
+	"sort"
+
+	"golang.org/x/net/context"
+	"gopkg.in/check.v1"
+	"gopkg.in/tomb.v2"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/overlord/snapshotstate"
+	"github.com/snapcore/snapd/overlord/snapshotstate/backend"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+)
+
+func (snapshotSuite) TestManager(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	runner := state.NewTaskRunner(st)
+	mgr := snapshotstate.Manager(st, runner)
+	c.Assert(mgr, check.NotNil)
+	kinds := runner.KnownTaskKinds()
+	sort.Strings(kinds)
+	c.Check(kinds, check.DeepEquals, []string{
+		"check-snapshot",
+		"forget-snapshot",
+		"restore-snapshot",
+		"save-snapshot",
+	})
+}
+
+func (snapshotSuite) TestFilename(c *check.C) {
+	si := &snap.Info{
+		SideInfo: snap.SideInfo{
+			RealName: "a-snap",
+			Revision: snap.R(-1),
+		},
+		Version: "1.33",
+	}
+	filename := snapshotstate.Filename(42, si)
+	c.Check(filepath.Dir(filename), check.Equals, dirs.SnapshotsDir)
+	c.Check(filepath.Base(filename), check.Equals, "42_a-snap_1.33_x1.zip")
+}
+
+func (snapshotSuite) TestDoSave(c *check.C) {
+	snapInfo := snap.Info{
+		SideInfo: snap.SideInfo{
+			RealName: "a-snap",
+			Revision: snap.R(-1),
+		},
+		Version: "1.33",
+	}
+	defer snapshotstate.MockSnapstateCurrentInfo(func(_ *state.State, snapname string) (*snap.Info, error) {
+		c.Check(snapname, check.Equals, "a-snap")
+		return &snapInfo, nil
+	})()
+	defer snapshotstate.MockConfigGetSnapConfig(func(_ *state.State, snapname string) (*json.RawMessage, error) {
+		c.Check(snapname, check.Equals, "a-snap")
+		buf := json.RawMessage(`{"hello": "there"}`)
+		return &buf, nil
+	})()
+	defer snapshotstate.MockBackendSave(func(_ context.Context, id uint64, si *snap.Info, cfg map[string]interface{}, usernames []string) (*client.Snapshot, error) {
+		c.Check(id, check.Equals, uint64(42))
+		c.Check(si, check.DeepEquals, &snapInfo)
+		c.Check(cfg, check.DeepEquals, map[string]interface{}{"hello": "there"})
+		c.Check(usernames, check.DeepEquals, []string{"a-user", "b-user"})
+		return nil, nil
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	task := st.NewTask("save-snapshot", "...")
+	task.Set("snapshot-setup", map[string]interface{}{
+		"set-id": 42,
+		"snap":   "a-snap",
+		"users":  []string{"a-user", "b-user"},
+	})
+	st.Unlock()
+	err := snapshotstate.DoSave(task, &tomb.Tomb{})
+	c.Assert(err, check.IsNil)
+}
+
+func (snapshotSuite) TestDoSaveFailsWithNoSnap(c *check.C) {
+	defer snapshotstate.MockSnapstateCurrentInfo(func(*state.State, string) (*snap.Info, error) {
+		return nil, errors.New("bzzt")
+	})()
+	defer snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) { return nil, nil })()
+	defer snapshotstate.MockBackendSave(func(_ context.Context, id uint64, si *snap.Info, cfg map[string]interface{}, usernames []string) (*client.Snapshot, error) {
+		return nil, nil
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	task := st.NewTask("save-snapshot", "...")
+	task.Set("snapshot-setup", map[string]interface{}{
+		"set-id": 42,
+		"snap":   "a-snap",
+		"users":  []string{"a-user", "b-user"},
+	})
+	st.Unlock()
+	err := snapshotstate.DoSave(task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "bzzt")
+}
+
+func (snapshotSuite) TestDoSaveFailsWithNoSnapshot(c *check.C) {
+	snapInfo := snap.Info{
+		SideInfo: snap.SideInfo{
+			RealName: "a-snap",
+			Revision: snap.R(-1),
+		},
+		Version: "1.33",
+	}
+	defer snapshotstate.MockSnapstateCurrentInfo(func(*state.State, string) (*snap.Info, error) { return &snapInfo, nil })()
+	defer snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) { return nil, nil })()
+	defer snapshotstate.MockBackendSave(func(_ context.Context, id uint64, si *snap.Info, cfg map[string]interface{}, usernames []string) (*client.Snapshot, error) {
+		return nil, nil
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	task := st.NewTask("save-snapshot", "...")
+	// NOTE no task.Set("snapshot-setup", ...)
+	st.Unlock()
+	err := snapshotstate.DoSave(task, &tomb.Tomb{})
+	c.Assert(err, check.NotNil)
+	c.Assert(err.Error(), check.Equals, "internal error: task 1 (save-snapshot) is missing snapshot information")
+}
+
+func (snapshotSuite) TestDoSaveFailsBackendError(c *check.C) {
+	snapInfo := snap.Info{
+		SideInfo: snap.SideInfo{
+			RealName: "a-snap",
+			Revision: snap.R(-1),
+		},
+		Version: "1.33",
+	}
+	defer snapshotstate.MockSnapstateCurrentInfo(func(*state.State, string) (*snap.Info, error) { return &snapInfo, nil })()
+	defer snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) { return nil, nil })()
+	defer snapshotstate.MockBackendSave(func(_ context.Context, id uint64, si *snap.Info, cfg map[string]interface{}, usernames []string) (*client.Snapshot, error) {
+		return nil, errors.New("bzzt")
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	task := st.NewTask("save-snapshot", "...")
+	task.Set("snapshot-setup", map[string]interface{}{
+		"set-id": 42,
+		"snap":   "a-snap",
+		"users":  []string{"a-user", "b-user"},
+	})
+	st.Unlock()
+	err := snapshotstate.DoSave(task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "bzzt")
+}
+
+func (snapshotSuite) TestDoSaveFailsConfigError(c *check.C) {
+	snapInfo := snap.Info{
+		SideInfo: snap.SideInfo{
+			RealName: "a-snap",
+			Revision: snap.R(-1),
+		},
+		Version: "1.33",
+	}
+	defer snapshotstate.MockSnapstateCurrentInfo(func(*state.State, string) (*snap.Info, error) { return &snapInfo, nil })()
+	defer snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) {
+		return nil, errors.New("bzzt")
+	})()
+	defer snapshotstate.MockBackendSave(func(_ context.Context, id uint64, si *snap.Info, cfg map[string]interface{}, usernames []string) (*client.Snapshot, error) {
+		return nil, nil
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	task := st.NewTask("save-snapshot", "...")
+	task.Set("snapshot-setup", map[string]interface{}{
+		"set-id": 42,
+		"snap":   "a-snap",
+		"users":  []string{"a-user", "b-user"},
+	})
+	st.Unlock()
+	err := snapshotstate.DoSave(task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "bzzt")
+}
+
+func (snapshotSuite) TestDoSaveFailsBadConfig(c *check.C) {
+	snapInfo := snap.Info{
+		SideInfo: snap.SideInfo{
+			RealName: "a-snap",
+			Revision: snap.R(-1),
+		},
+		Version: "1.33",
+	}
+	defer snapshotstate.MockSnapstateCurrentInfo(func(*state.State, string) (*snap.Info, error) { return &snapInfo, nil })()
+	defer snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) {
+		// returns something that's not a JSON object
+		buf := json.RawMessage(`"hello-there"`)
+		return &buf, nil
+	})()
+	defer snapshotstate.MockBackendSave(func(_ context.Context, id uint64, si *snap.Info, cfg map[string]interface{}, usernames []string) (*client.Snapshot, error) {
+		return nil, nil
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	task := st.NewTask("save-snapshot", "...")
+	task.Set("snapshot-setup", map[string]interface{}{
+		"set-id": 42,
+		"snap":   "a-snap",
+		"users":  []string{"a-user", "b-user"},
+	})
+	st.Unlock()
+	err := snapshotstate.DoSave(task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, ".* cannot unmarshal .*")
+}
+
+type readerSuite struct {
+	task     *state.Task
+	calls    []string
+	restores []func()
+}
+
+var _ = check.Suite(&readerSuite{})
+
+func (rs *readerSuite) SetUpTest(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	rs.task = st.NewTask("restore-snapshot", "...")
+	rs.task.Set("snapshot-setup", map[string]interface{}{
+		// interestingly restore doesn't use the set-id
+		"snap":     "a-snap",
+		"filename": "/some/file.zip",
+		"users":    []string{"a-user", "b-user"},
+	})
+	st.Unlock()
+
+	rs.calls = nil
+	rs.restores = []func(){
+		snapshotstate.MockOsRemove(func(string) error {
+			rs.calls = append(rs.calls, "remove")
+			return nil
+		}),
+		snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) {
+			rs.calls = append(rs.calls, "get config")
+			return nil, nil
+		}),
+		snapshotstate.MockConfigSetSnapConfig(func(*state.State, string, *json.RawMessage) error {
+			rs.calls = append(rs.calls, "set config")
+			return nil
+		}),
+		snapshotstate.MockBackendOpen(func(string) (*backend.Reader, error) {
+			rs.calls = append(rs.calls, "open")
+			return &backend.Reader{}, nil
+		}),
+		snapshotstate.MockBackendRestore(func(*backend.Reader, context.Context, snap.Revision, []string, backend.Logf) (*backend.RestoreState, error) {
+			rs.calls = append(rs.calls, "restore")
+			return &backend.RestoreState{}, nil
+		}),
+		snapshotstate.MockBackendCheck(func(*backend.Reader, context.Context, []string) error {
+			rs.calls = append(rs.calls, "check")
+			return nil
+		}),
+		snapshotstate.MockBackendRevert(func(*backend.RestoreState) {
+			rs.calls = append(rs.calls, "revert")
+		}),
+		snapshotstate.MockBackendCleanup(func(*backend.RestoreState) {
+			rs.calls = append(rs.calls, "cleanup")
+		}),
+	}
+}
+
+func (rs *readerSuite) TearDownTest(c *check.C) {
+	for _, restore := range rs.restores {
+		restore()
+	}
+}
+
+func (rs *readerSuite) TestDoRestore(c *check.C) {
+	defer snapshotstate.MockConfigGetSnapConfig(func(_ *state.State, snapname string) (*json.RawMessage, error) {
+		rs.calls = append(rs.calls, "get config")
+		c.Check(snapname, check.Equals, "a-snap")
+		buf := json.RawMessage(`{"old": "conf"}`)
+		return &buf, nil
+	})()
+	defer snapshotstate.MockBackendOpen(func(filename string) (*backend.Reader, error) {
+		rs.calls = append(rs.calls, "open")
+		c.Check(filename, check.Equals, "/some/file.zip")
+		return &backend.Reader{
+			Snapshot: client.Snapshot{Conf: map[string]interface{}{"hello": "there"}},
+		}, nil
+	})()
+	defer snapshotstate.MockBackendRestore(func(_ *backend.Reader, _ context.Context, _ snap.Revision, users []string, _ backend.Logf) (*backend.RestoreState, error) {
+		rs.calls = append(rs.calls, "restore")
+		c.Check(users, check.DeepEquals, []string{"a-user", "b-user"})
+		return &backend.RestoreState{}, nil
+	})()
+	defer snapshotstate.MockConfigSetSnapConfig(func(_ *state.State, snapname string, conf *json.RawMessage) error {
+		rs.calls = append(rs.calls, "set config")
+		c.Check(snapname, check.Equals, "a-snap")
+		c.Check(string(*conf), check.Equals, `{"hello":"there"}`)
+		return nil
+	})()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.IsNil)
+	c.Check(rs.calls, check.DeepEquals, []string{"get config", "open", "restore", "set config"})
+
+	st := rs.task.State()
+	st.Lock()
+	var v map[string]interface{}
+	rs.task.Get("restore-state", &v)
+	st.Unlock()
+	c.Check(v, check.DeepEquals, map[string]interface{}{"config": map[string]interface{}{"old": "conf"}})
+}
+
+func (rs *readerSuite) TestDoRestoreFailsNoTaskSnapshot(c *check.C) {
+	rs.task.State().Lock()
+	rs.task.Clear("snapshot-setup")
+	rs.task.State().Unlock()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.NotNil)
+	c.Assert(err.Error(), check.Equals, "internal error: task 1 (restore-snapshot) is missing snapshot information")
+	c.Check(rs.calls, check.HasLen, 0)
+}
+
+func (rs *readerSuite) TestDoRestoreFailsOnGetConfigError(c *check.C) {
+	defer snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) {
+		rs.calls = append(rs.calls, "get config")
+		return nil, errors.New("bzzt")
+	})()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "internal error: cannot obtain current snap config for snapshot restore: bzzt")
+	c.Check(rs.calls, check.DeepEquals, []string{"get config"})
+}
+
+func (rs *readerSuite) TestDoRestoreFailsOnBadConfig(c *check.C) {
+	defer snapshotstate.MockConfigGetSnapConfig(func(*state.State, string) (*json.RawMessage, error) {
+		rs.calls = append(rs.calls, "get config")
+		buf := json.RawMessage(`42`)
+		return &buf, nil
+	})()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, ".* cannot unmarshal .*")
+	c.Check(rs.calls, check.DeepEquals, []string{"get config"})
+}
+
+func (rs *readerSuite) TestDoRestoreFailsOpenError(c *check.C) {
+	defer snapshotstate.MockBackendOpen(func(string) (*backend.Reader, error) {
+		rs.calls = append(rs.calls, "open")
+		return nil, errors.New("bzzt")
+	})()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "cannot open snapshot: bzzt")
+	c.Check(rs.calls, check.DeepEquals, []string{"get config", "open"})
+}
+
+func (rs *readerSuite) TestDoRestoreFailsUnserialisableSnapshotConfigError(c *check.C) {
+	defer snapshotstate.MockBackendOpen(func(string) (*backend.Reader, error) {
+		rs.calls = append(rs.calls, "open")
+		return &backend.Reader{
+			Snapshot: client.Snapshot{Conf: map[string]interface{}{"hello": func() {}}},
+		}, nil
+	})()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "cannot marshal saved config: json.*")
+	c.Check(rs.calls, check.DeepEquals, []string{"get config", "open", "restore", "revert"})
+}
+
+func (rs *readerSuite) TestDoRestoreFailsOnRestoreError(c *check.C) {
+	defer snapshotstate.MockBackendRestore(func(*backend.Reader, context.Context, snap.Revision, []string, backend.Logf) (*backend.RestoreState, error) {
+		rs.calls = append(rs.calls, "restore")
+		return nil, errors.New("bzzt")
+	})()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "bzzt")
+	c.Check(rs.calls, check.DeepEquals, []string{"get config", "open", "restore"})
+}
+
+func (rs *readerSuite) TestDoRestoreFailsAndRevertsOnSetConfigError(c *check.C) {
+	defer snapshotstate.MockConfigSetSnapConfig(func(*state.State, string, *json.RawMessage) error {
+		rs.calls = append(rs.calls, "set config")
+		return errors.New("bzzt")
+	})()
+
+	err := snapshotstate.DoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.ErrorMatches, "cannot set snap config: bzzt")
+	c.Check(rs.calls, check.DeepEquals, []string{"get config", "open", "restore", "set config", "revert"})
+}
+
+func (rs *readerSuite) TestUndoRestore(c *check.C) {
+	st := rs.task.State()
+	st.Lock()
+	var v map[string]interface{}
+	rs.task.Set("restore-state", &v)
+	st.Unlock()
+
+	err := snapshotstate.UndoRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.IsNil)
+	c.Check(rs.calls, check.DeepEquals, []string{"set config", "revert"})
+}
+
+func (rs *readerSuite) TestCleanupRestore(c *check.C) {
+	st := rs.task.State()
+	st.Lock()
+	var v map[string]interface{}
+	rs.task.Set("restore-state", &v)
+	st.Unlock()
+
+	err := snapshotstate.CleanupRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.IsNil)
+	c.Check(rs.calls, check.HasLen, 0)
+
+	st.Lock()
+	rs.task.SetStatus(state.DoneStatus)
+	st.Unlock()
+
+	err = snapshotstate.CleanupRestore(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.IsNil)
+	c.Check(rs.calls, check.DeepEquals, []string{"cleanup"})
+}
+
+func (rs *readerSuite) TestDoCheck(c *check.C) {
+	defer snapshotstate.MockBackendOpen(func(filename string) (*backend.Reader, error) {
+		rs.calls = append(rs.calls, "open")
+		c.Check(filename, check.Equals, "/some/file.zip")
+		return &backend.Reader{
+			Snapshot: client.Snapshot{Conf: map[string]interface{}{"hello": "there"}},
+		}, nil
+	})()
+	defer snapshotstate.MockBackendCheck(func(_ *backend.Reader, _ context.Context, users []string) error {
+		rs.calls = append(rs.calls, "check")
+		c.Check(users, check.DeepEquals, []string{"a-user", "b-user"})
+		return nil
+	})()
+
+	err := snapshotstate.DoCheck(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.IsNil)
+	c.Check(rs.calls, check.DeepEquals, []string{"open", "check"})
+
+}
+
+func (rs *readerSuite) TestDoRemove(c *check.C) {
+	defer snapshotstate.MockOsRemove(func(filename string) error {
+		c.Check(filename, check.Equals, "/some/file.zip")
+		rs.calls = append(rs.calls, "remove")
+		return nil
+	})()
+	err := snapshotstate.DoForget(rs.task, &tomb.Tomb{})
+	c.Assert(err, check.IsNil)
+	c.Check(rs.calls, check.DeepEquals, []string{"remove"})
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotstate.go snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotstate.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotstate.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotstate.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,326 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snapshotstate
+
+import (
+	"fmt"
+	"sort"
+
+	"golang.org/x/net/context"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/overlord/snapshotstate/backend"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
+)
+
+var (
+	snapstateAll                     = snapstate.All
+	snapstateCheckChangeConflictMany = snapstate.CheckChangeConflictMany
+	backendIter                      = backend.Iter
+)
+
+func newSnapshotSetID(st *state.State) (uint64, error) {
+	var lastSetID uint64
+
+	err := st.Get("last-snapshot-set-id", &lastSetID)
+	if err != nil && err != state.ErrNoState {
+		return 0, err
+	}
+
+	lastSetID++
+	st.Set("last-snapshot-set-id", lastSetID)
+
+	return lastSetID, nil
+}
+
+func allActiveSnapNames(st *state.State) ([]string, error) {
+	all, err := snapstateAll(st)
+	if err != nil {
+		return nil, err
+	}
+	names := make([]string, 0, len(all))
+	for name, snapst := range all {
+		if snapst.Active {
+			names = append(names, name)
+		}
+	}
+
+	sort.Strings(names)
+
+	return names, nil
+}
+
+// snapshotSnapSummaries are used internally to get useful data from a
+// snapshot set when deciding whether to check/forget/restore it.
+type snapshotSnapSummaries []*snapshotSnapSummary
+
+func (summaries snapshotSnapSummaries) snapNames() []string {
+	names := make([]string, len(summaries))
+	for i, summary := range summaries {
+		names[i] = summary.snap
+	}
+	return names
+}
+
+type snapshotSnapSummary struct {
+	snap     string
+	snapID   string
+	filename string
+	epoch    snap.Epoch
+}
+
+// snapSummariesInSnapshotSet goes looking for the requested snaps in the
+// given snap set, and returns summaries of the matching snaps in the set.
+func snapSummariesInSnapshotSet(setID uint64, requested []string) (summaries snapshotSnapSummaries, err error) {
+	sort.Strings(requested)
+	found := false
+	err = backendIter(context.TODO(), func(r *backend.Reader) error {
+		if r.SetID == setID {
+			found = true
+			if len(requested) == 0 || strutil.SortedListContains(requested, r.Snap) {
+				summaries = append(summaries, &snapshotSnapSummary{
+					filename: r.Name(),
+					snap:     r.Snap,
+					snapID:   r.SnapID,
+					epoch:    r.Epoch,
+				})
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	if !found {
+		return nil, client.ErrSnapshotSetNotFound
+	}
+	if len(summaries) == 0 {
+		return nil, client.ErrSnapshotSnapsNotFound
+	}
+
+	return summaries, nil
+}
+
+func taskGetErrMsg(task *state.Task, err error, what string) error {
+	if err == state.ErrNoState {
+		return fmt.Errorf("internal error: task %s (%s) is missing %s information", task.ID(), task.Kind(), what)
+	}
+	return fmt.Errorf("internal error: retrieving %s information from task %s (%s): %v", what, task.ID(), task.Kind(), err)
+}
+
+// checkSnapshotTaskConflict checks whether there's an in-progress task for snapshots with the given set id.
+func checkSnapshotTaskConflict(st *state.State, setID uint64, conflictingKinds ...string) error {
+	for _, task := range st.Tasks() {
+		if task.Change().Status().Ready() {
+			continue
+		}
+		if !strutil.ListContains(conflictingKinds, task.Kind()) {
+			continue
+		}
+
+		var snapshot snapshotSetup
+		if err := task.Get("snapshot-setup", &snapshot); err != nil {
+			return taskGetErrMsg(task, err, "snapshot")
+		}
+
+		if snapshot.SetID == setID {
+			return fmt.Errorf("cannot operate on snapshot set #%d while change %q is in progress", setID, task.Change().ID())
+		}
+	}
+
+	return nil
+}
+
+// List valid snapshots.
+// Note that the state must be locked by the caller.
+var List = backend.List
+
+// Save creates a taskset for taking snapshots of snaps' data.
+// Note that the state must be locked by the caller.
+func Save(st *state.State, instanceNames []string, users []string) (setID uint64, snapsSaved []string, ts *state.TaskSet, err error) {
+	if len(instanceNames) == 0 {
+		instanceNames, err = allActiveSnapNames(st)
+		if err != nil {
+			return 0, nil, nil, err
+		}
+	}
+
+	// Make sure we do not snapshot if anything like install/remove/refresh is in progress
+	if err := snapstateCheckChangeConflictMany(st, instanceNames, ""); err != nil {
+		return 0, nil, nil, err
+	}
+
+	setID, err = newSnapshotSetID(st)
+	if err != nil {
+		return 0, nil, nil, err
+	}
+
+	ts = state.NewTaskSet()
+
+	for _, name := range instanceNames {
+		desc := fmt.Sprintf("Save data of snap %q in snapshot set #%d", name, setID)
+		task := st.NewTask("save-snapshot", desc)
+		snapshot := snapshotSetup{
+			SetID: setID,
+			Snap:  name,
+			Users: users,
+		}
+		task.Set("snapshot-setup", &snapshot)
+		// Here, note that a snapshot set behaves as a unit: it either
+		// succeeds, or fails, as a whole; we don't use lanes, to have
+		// some snaps' snapshot succeed and not others in a single set.
+		// In practice: either the snapshot will be automatic and only
+		// for one snap (already in a lane via refresh), or it will be
+		// done by hand and the user can remove failing snaps (or find
+		// the cause of the failure). A snapshot failure can happen if
+		// a user has dropped files they can't read in their directory,
+		// for example.
+		// Also note we aren't promising this behaviour; we can change
+		// it if we find it to be wrong.
+		ts.AddTask(task)
+	}
+
+	return setID, instanceNames, ts, nil
+}
+
+// Restore creates a taskset for restoring a snapshot's data.
+// Note that the state must be locked by the caller.
+func Restore(st *state.State, setID uint64, snapNames []string, users []string) (snapsFound []string, ts *state.TaskSet, err error) {
+	summaries, err := snapSummariesInSnapshotSet(setID, snapNames)
+	if err != nil {
+		return nil, nil, err
+	}
+	all, err := snapstateAll(st)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	snapsFound = summaries.snapNames()
+
+	if err := snapstateCheckChangeConflictMany(st, snapsFound, ""); err != nil {
+		return nil, nil, err
+	}
+
+	// restore needs to conflict with forget of itself
+	if err := checkSnapshotTaskConflict(st, setID, "forget-snapshot"); err != nil {
+		return nil, nil, err
+	}
+
+	ts = state.NewTaskSet()
+
+	for _, summary := range summaries {
+		var current snap.Revision
+		if snapst, ok := all[summary.snap]; ok {
+			info, err := snapst.CurrentInfo()
+			if err != nil {
+				// how?
+				return nil, nil, fmt.Errorf("unexpected error while reading snap info: %v", err)
+			}
+			if !info.Epoch.CanRead(summary.epoch) {
+				const tpl = "cannot restore snapshot for %q: current snap (epoch %s) cannot read snapshot data (epoch %s)"
+				return nil, nil, fmt.Errorf(tpl, summary.snap, &info.Epoch, &summary.epoch)
+			}
+			if summary.snapID != "" && info.SnapID != "" && info.SnapID != summary.snapID {
+				const tpl = "cannot restore snapshot for %q: current snap (ID %.7s…) does not match snapshot (ID %.7s…)"
+				return nil, nil, fmt.Errorf(tpl, summary.snap, info.SnapID, summary.snapID)
+			}
+			current = snapst.Current
+		}
+
+		desc := fmt.Sprintf("Restore data of snap %q from snapshot set #%d", summary.snap, setID)
+		task := st.NewTask("restore-snapshot", desc)
+		snapshot := snapshotSetup{
+			SetID:    setID,
+			Snap:     summary.snap,
+			Users:    users,
+			Filename: summary.filename,
+			Current:  current,
+		}
+		task.Set("snapshot-setup", &snapshot)
+		// see the note about snapshots not using lanes, above.
+		ts.AddTask(task)
+	}
+
+	return snapsFound, ts, nil
+}
+
+// Check creates a taskset for checking a snapshot's data.
+// Note that the state must be locked by the caller.
+func Check(st *state.State, setID uint64, snapNames []string, users []string) (snapsFound []string, ts *state.TaskSet, err error) {
+	// check needs to conflict with forget of itself
+	if err := checkSnapshotTaskConflict(st, setID, "forget-snapshot"); err != nil {
+		return nil, nil, err
+	}
+
+	summaries, err := snapSummariesInSnapshotSet(setID, snapNames)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	ts = state.NewTaskSet()
+
+	for _, summary := range summaries {
+		desc := fmt.Sprintf("Check data of snap %q in snapshot set #%d", summary.snap, setID)
+		task := st.NewTask("check-snapshot", desc)
+		snapshot := snapshotSetup{
+			SetID:    setID,
+			Snap:     summary.snap,
+			Users:    users,
+			Filename: summary.filename,
+		}
+		task.Set("snapshot-setup", &snapshot)
+		ts.AddTask(task)
+	}
+
+	return summaries.snapNames(), ts, nil
+}
+
+// Forget creates a taskset for deletinig a snapshot.
+// Note that the state must be locked by the caller.
+func Forget(st *state.State, setID uint64, snapNames []string) (snapsFound []string, ts *state.TaskSet, err error) {
+	// forget needs to conflict with check and restore
+	if err := checkSnapshotTaskConflict(st, setID, "check-snapshot", "restore-snapshot"); err != nil {
+		return nil, nil, err
+	}
+
+	summaries, err := snapSummariesInSnapshotSet(setID, snapNames)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	ts = state.NewTaskSet()
+	for _, summary := range summaries {
+		desc := fmt.Sprintf("Drop data of snap %q from snapshot set #%d", summary.snap, setID)
+		task := st.NewTask("forget-snapshot", desc)
+		snapshot := snapshotSetup{
+			SetID:    setID,
+			Snap:     summary.snap,
+			Filename: summary.filename,
+		}
+		task.Set("snapshot-setup", &snapshot)
+		ts.AddTask(task)
+	}
+
+	return summaries.snapNames(), ts, nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotstate_test.go snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotstate_test.go
--- snapd-2.32.3.2~14.04/overlord/snapshotstate/snapshotstate_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapshotstate/snapshotstate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,1343 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snapshotstate_test
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"sort"
+	"strings"
+	"testing"
+	"time"
+
+	"golang.org/x/net/context"
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/client"
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil/sys"
+	"github.com/snapcore/snapd/overlord"
+	"github.com/snapcore/snapd/overlord/snapshotstate"
+	"github.com/snapcore/snapd/overlord/snapshotstate/backend"
+	"github.com/snapcore/snapd/overlord/snapstate"
+	"github.com/snapcore/snapd/overlord/state"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type snapshotSuite struct{}
+
+var _ = check.Suite(&snapshotSuite{})
+
+// tie gocheck into testing
+func TestSnapshot(t *testing.T) { check.TestingT(t) }
+
+func (snapshotSuite) SetUpTest(c *check.C) {
+	dirs.SetRootDir(c.MkDir())
+}
+
+func (snapshotSuite) TearDownTest(c *check.C) {
+	dirs.SetRootDir("/")
+}
+
+func (snapshotSuite) TestNewSnapshotSetID(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	sid, err := snapshotstate.NewSnapshotSetID(st)
+	c.Assert(err, check.IsNil)
+	c.Check(sid, check.Equals, uint64(1))
+
+	sid, err = snapshotstate.NewSnapshotSetID(st)
+	c.Assert(err, check.IsNil)
+	c.Check(sid, check.Equals, uint64(2))
+}
+
+func (snapshotSuite) TestAllActiveSnapNames(c *check.C) {
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return map[string]*snapstate.SnapState{
+			"a-snap": {Active: true},
+			"b-snap": {},
+			"c-snap": {Active: true},
+		}, nil
+	}
+
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+
+	// loop to check sortedness
+	for i := 0; i < 100; i++ {
+		names, err := snapshotstate.AllActiveSnapNames(nil)
+		c.Assert(err, check.IsNil)
+		c.Check(names, check.DeepEquals, []string{"a-snap", "c-snap"})
+	}
+}
+
+func (snapshotSuite) TestAllActiveSnapNamesError(c *check.C) {
+	errBad := errors.New("bad")
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return nil, errBad
+	}
+
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+
+	names, err := snapshotstate.AllActiveSnapNames(nil)
+	c.Check(err, check.Equals, errBad)
+	c.Check(names, check.IsNil)
+}
+
+func (snapshotSuite) TestSnapSummariesInSnapshotSet(c *check.C) {
+	shotfileA, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfileA.Close()
+	shotfileB, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfileB.Close()
+
+	setID := uint64(42)
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// wanted
+			Snapshot: client.Snapshot{SetID: setID, Snap: "a-snap", SnapID: "a-id", Epoch: snap.Epoch{Read: []uint32{42}, Write: []uint32{17}}},
+			File:     shotfileA,
+		}), check.IsNil)
+		c.Assert(f(&backend.Reader{
+			// not wanted (bad set id)
+			Snapshot: client.Snapshot{SetID: setID + 1, Snap: "a-snap", SnapID: "a-id"},
+			File:     shotfileA,
+		}), check.IsNil)
+		c.Assert(f(&backend.Reader{
+			// wanted
+			Snapshot: client.Snapshot{SetID: setID, Snap: "b-snap", SnapID: "b-id"},
+			File:     shotfileB,
+		}), check.IsNil)
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	summaries, err := snapshotstate.SnapSummariesInSnapshotSet(setID, nil)
+	c.Assert(err, check.IsNil)
+	c.Assert(summaries.AsMaps(), check.DeepEquals, []map[string]string{
+		{"snap": "a-snap", "snapID": "a-id", "filename": shotfileA.Name(), "epoch": `{"read":[42],"write":[17]}`},
+		{"snap": "b-snap", "snapID": "b-id", "filename": shotfileB.Name(), "epoch": "0"},
+	})
+}
+
+func (snapshotSuite) TestSnapSummariesInSnapshotSetSnaps(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	setID := uint64(42)
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// wanted
+			Snapshot: client.Snapshot{SetID: setID, Snap: "a-snap", SnapID: "a-id"},
+			File:     shotfile,
+		}), check.IsNil)
+		c.Assert(f(&backend.Reader{
+			// not wanted (bad set id)
+			Snapshot: client.Snapshot{SetID: setID + 1, Snap: "a-snap", SnapID: "a-id"},
+			File:     shotfile,
+		}), check.IsNil)
+		c.Assert(f(&backend.Reader{
+			// not wanted (bad snap name)
+			Snapshot: client.Snapshot{SetID: setID, Snap: "c-snap", SnapID: "c-id"},
+			File:     shotfile,
+		}), check.IsNil)
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	summaries, err := snapshotstate.SnapSummariesInSnapshotSet(setID, []string{"a-snap"})
+	c.Assert(err, check.IsNil)
+	c.Check(summaries.AsMaps(), check.DeepEquals, []map[string]string{
+		{"snap": "a-snap", "snapID": "a-id", "filename": shotfile.Name(), "epoch": "0"},
+	})
+}
+
+func (snapshotSuite) TestSnapSummariesInSnapshotSetErrors(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	setID := uint64(42)
+	errBad := errors.New("bad")
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// wanted
+			Snapshot: client.Snapshot{SetID: setID, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return errBad
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	summaries, err := snapshotstate.SnapSummariesInSnapshotSet(setID, nil)
+	c.Assert(err, check.Equals, errBad)
+	c.Check(summaries, check.IsNil)
+}
+
+func (snapshotSuite) TestSnapSummariesInSnapshotSetNotFound(c *check.C) {
+	setID := uint64(42)
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: setID - 1, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	summaries, err := snapshotstate.SnapSummariesInSnapshotSet(setID, nil)
+	c.Assert(err, check.Equals, client.ErrSnapshotSetNotFound)
+	c.Check(summaries, check.IsNil)
+}
+
+func (snapshotSuite) TestSnapSummariesInSnapshotSetEmptyNotFound(c *check.C) {
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error { return nil }
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	summaries, err := snapshotstate.SnapSummariesInSnapshotSet(42, nil)
+	c.Assert(err, check.Equals, client.ErrSnapshotSetNotFound)
+	c.Check(summaries, check.IsNil)
+}
+
+func (snapshotSuite) TestSnapSummariesInSnapshotSetSnapNotFound(c *check.C) {
+	setID := uint64(42)
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: setID, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	summaries, err := snapshotstate.SnapSummariesInSnapshotSet(setID, []string{"b-snap"})
+	c.Assert(err, check.Equals, client.ErrSnapshotSnapsNotFound)
+	c.Check(summaries, check.IsNil)
+}
+
+func (snapshotSuite) TestCheckConflict(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	chg := st.NewChange("some-change", "...")
+	tsk := st.NewTask("some-task", "...")
+	tsk.SetStatus(state.DoingStatus)
+	chg.AddTask(tsk)
+
+	// no snapshot state
+	err := snapshotstate.CheckSnapshotTaskConflict(st, 42, "some-task")
+	c.Assert(err, check.ErrorMatches, "internal error: task 1 .some-task. is missing snapshot information")
+
+	// wrong snapshot state
+	tsk.Set("snapshot-setup", "hello")
+	err = snapshotstate.CheckSnapshotTaskConflict(st, 42, "some-task")
+	c.Assert(err, check.ErrorMatches, "internal error.* could not unmarshal.*")
+
+	tsk.Set("snapshot-setup", map[string]int{"set-id": 42})
+
+	err = snapshotstate.CheckSnapshotTaskConflict(st, 42, "some-task")
+	c.Assert(err, check.ErrorMatches, "cannot operate on snapshot set #42 while change \"1\" is in progress")
+
+	// no change with that label
+	c.Assert(snapshotstate.CheckSnapshotTaskConflict(st, 42, "some-other-task"), check.IsNil)
+
+	// no change with that snapshot id
+	c.Assert(snapshotstate.CheckSnapshotTaskConflict(st, 43, "some-task"), check.IsNil)
+
+	// no non-ready change
+	tsk.SetStatus(state.DoneStatus)
+	c.Assert(snapshotstate.CheckSnapshotTaskConflict(st, 42, "some-task"), check.IsNil)
+}
+
+func (snapshotSuite) TestSaveChecksSnapnamesError(c *check.C) {
+	defer snapshotstate.MockSnapstateAll(func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return nil, errors.New("bzzt")
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	_, _, _, err := snapshotstate.Save(st, nil, nil)
+	c.Check(err, check.ErrorMatches, "bzzt")
+}
+
+func (snapshotSuite) createConflictingChange(c *check.C) (st *state.State, restore func()) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	shotfile.Close()
+
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			Snapshot: client.Snapshot{SetID: 42, Snap: "foo"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	restoreIter := snapshotstate.MockBackendIter(fakeIter)
+
+	o := overlord.Mock()
+	st = o.State()
+
+	stmgr, err := snapstate.Manager(st, o.TaskRunner())
+	c.Assert(err, check.IsNil)
+	o.AddManager(stmgr)
+	shmgr := snapshotstate.Manager(st, o.TaskRunner())
+	o.AddManager(shmgr)
+
+	st.Lock()
+	defer func() {
+		if c.Failed() {
+			// something went wrong
+			st.Unlock()
+		}
+	}()
+
+	snapstate.Set(st, "foo", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "foo", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	chg := st.NewChange("rm foo", "...")
+	rmTasks, err := snapstate.Remove(st, "foo", snap.R(0))
+	c.Assert(err, check.IsNil)
+	c.Assert(rmTasks, check.NotNil)
+	chg.AddAll(rmTasks)
+
+	return st, func() {
+		shotfile.Close()
+		st.Unlock()
+		restoreIter()
+	}
+}
+
+func (s snapshotSuite) TestSaveChecksSnapstateConflict(c *check.C) {
+	st, restore := s.createConflictingChange(c)
+	defer restore()
+
+	_, _, _, err := snapshotstate.Save(st, []string{"foo"}, nil)
+	c.Assert(err, check.NotNil)
+	c.Check(err, check.FitsTypeOf, &snapstate.ChangeConflictError{})
+}
+
+func (snapshotSuite) TestSaveConflictsWithSnapstate(c *check.C) {
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return map[string]*snapstate.SnapState{
+			"foo": {Active: true},
+		}, nil
+	}
+
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+
+	o := overlord.Mock()
+	st := o.State()
+
+	stmgr, err := snapstate.Manager(st, o.TaskRunner())
+	c.Assert(err, check.IsNil)
+	o.AddManager(stmgr)
+	shmgr := snapshotstate.Manager(st, o.TaskRunner())
+	o.AddManager(shmgr)
+
+	st.Lock()
+	defer st.Unlock()
+
+	snapstate.Set(st, "foo", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "foo", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	chg := st.NewChange("snapshot-save", "...")
+	_, _, saveTasks, err := snapshotstate.Save(st, nil, nil)
+	c.Assert(err, check.IsNil)
+	chg.AddAll(saveTasks)
+
+	_, err = snapstate.Disable(st, "foo")
+	c.Assert(err, check.ErrorMatches, `snap "foo" has "snapshot-save" change in progress`)
+}
+
+func (snapshotSuite) TestSaveChecksSnapstateConflictError(c *check.C) {
+	defer snapshotstate.MockSnapstateCheckChangeConflictMany(func(*state.State, []string, string) error {
+		return errors.New("bzzt")
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	_, _, _, err := snapshotstate.Save(st, nil, nil)
+	c.Check(err, check.ErrorMatches, "bzzt")
+}
+
+func (snapshotSuite) TestSaveChecksSetIDError(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	st.Set("last-snapshot-set-id", "3/4")
+
+	_, _, _, err := snapshotstate.Save(st, nil, nil)
+	c.Check(err, check.ErrorMatches, ".* could not unmarshal .*")
+}
+
+func (snapshotSuite) TestSaveNoSnapsInState(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	setID, saved, taskset, err := snapshotstate.Save(st, nil, nil)
+	c.Assert(err, check.IsNil)
+	c.Check(setID, check.Equals, uint64(1))
+	c.Check(saved, check.HasLen, 0)
+	c.Check(taskset.Tasks(), check.HasLen, 0)
+}
+
+func (snapshotSuite) TestSaveSomeSnaps(c *check.C) {
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return map[string]*snapstate.SnapState{
+			"a-snap": {Active: true},
+			"b-snap": {},
+			"c-snap": {Active: true},
+		}, nil
+	}
+
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	setID, saved, taskset, err := snapshotstate.Save(st, nil, nil)
+	c.Assert(err, check.IsNil)
+	c.Check(setID, check.Equals, uint64(1))
+	c.Check(saved, check.DeepEquals, []string{"a-snap", "c-snap"})
+	tasks := taskset.Tasks()
+	c.Assert(tasks, check.HasLen, 2)
+	c.Check(tasks[0].Kind(), check.Equals, "save-snapshot")
+	c.Check(tasks[0].Summary(), check.Equals, `Save data of snap "a-snap" in snapshot set #1`)
+	c.Check(tasks[1].Kind(), check.Equals, "save-snapshot")
+	c.Check(tasks[1].Summary(), check.Equals, `Save data of snap "c-snap" in snapshot set #1`)
+}
+
+func (snapshotSuite) TestSaveOneSnap(c *check.C) {
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		// snapstate.All isn't called when a snap name is passed in
+		return nil, errors.New("bzzt")
+	}
+
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	setID, saved, taskset, err := snapshotstate.Save(st, []string{"a-snap"}, []string{"a-user"})
+	c.Assert(err, check.IsNil)
+	c.Check(setID, check.Equals, uint64(1))
+	c.Check(saved, check.DeepEquals, []string{"a-snap"})
+	tasks := taskset.Tasks()
+	c.Assert(tasks, check.HasLen, 1)
+	c.Check(tasks[0].Kind(), check.Equals, "save-snapshot")
+	c.Check(tasks[0].Summary(), check.Equals, `Save data of snap "a-snap" in snapshot set #1`)
+	var snapshot map[string]interface{}
+	c.Check(tasks[0].Get("snapshot-setup", &snapshot), check.IsNil)
+	c.Check(snapshot, check.DeepEquals, map[string]interface{}{
+		"set-id":  1.,
+		"snap":    "a-snap",
+		"users":   []interface{}{"a-user"},
+		"current": "unset",
+	})
+}
+
+func (snapshotSuite) TestSaveIntegration(c *check.C) {
+	if os.Geteuid() == 0 {
+		c.Skip("this test cannot run as root (runuser will fail)")
+	}
+
+	c.Assert(os.MkdirAll(dirs.SnapshotsDir, 0755), check.IsNil)
+	homedir := filepath.Join(dirs.GlobalRootDir, "home", "a-user")
+
+	defer backend.MockUserLookup(func(username string) (*user.User, error) {
+		if username != "a-user" {
+			c.Fatalf("unexpected user %q", username)
+		}
+		return &user.User{
+			Uid:      fmt.Sprint(sys.Geteuid()),
+			Username: username,
+			HomeDir:  homedir,
+		}, nil
+	})()
+
+	o := overlord.Mock()
+	st := o.State()
+
+	stmgr, err := snapstate.Manager(st, o.TaskRunner())
+	c.Assert(err, check.IsNil)
+	o.AddManager(stmgr)
+	shmgr := snapshotstate.Manager(st, o.TaskRunner())
+	o.AddManager(shmgr)
+	o.AddManager(o.TaskRunner())
+
+	st.Lock()
+	defer st.Unlock()
+
+	snapshots := make(map[string]*client.Snapshot, 3)
+	for i, name := range []string{"one-snap", "too-snap", "tri-snap"} {
+		sideInfo := &snap.SideInfo{RealName: name, Revision: snap.R(i + 1)}
+		snapstate.Set(st, name, &snapstate.SnapState{
+			Active:   true,
+			Sequence: []*snap.SideInfo{sideInfo},
+			Current:  sideInfo.Revision,
+			SnapType: "app",
+		})
+		snaptest.MockSnap(c, fmt.Sprintf("{name: %s, version: v1}", name), sideInfo)
+
+		c.Assert(os.MkdirAll(filepath.Join(homedir, "snap", name, fmt.Sprint(i+1), "canary-"+name), 0755), check.IsNil)
+		c.Assert(os.MkdirAll(filepath.Join(homedir, "snap", name, "common", "common-"+name), 0755), check.IsNil)
+
+		snapshots[name] = &client.Snapshot{
+			SetID:    1,
+			Snap:     name,
+			Version:  "v1",
+			Revision: sideInfo.Revision,
+			Epoch:    snap.E("0"),
+		}
+	}
+
+	setID, saved, taskset, err := snapshotstate.Save(st, nil, []string{"a-user"})
+	c.Assert(err, check.IsNil)
+	c.Check(setID, check.Equals, uint64(1))
+	c.Check(saved, check.DeepEquals, []string{"one-snap", "too-snap", "tri-snap"})
+
+	change := st.NewChange("save-snapshot", "...")
+	change.AddAll(taskset)
+
+	t0 := time.Now()
+
+	st.Unlock()
+	c.Assert(o.Settle(5*time.Second), check.IsNil)
+	st.Lock()
+	c.Check(change.Err(), check.IsNil)
+
+	tf := time.Now()
+	c.Assert(backend.Iter(context.TODO(), func(r *backend.Reader) error {
+		c.Check(r.Check(context.TODO(), nil), check.IsNil)
+
+		// check the unknowables, and zero them out
+		c.Check(r.Snapshot.Time.After(t0), check.Equals, true)
+		c.Check(r.Snapshot.Time.Before(tf), check.Equals, true)
+		c.Check(r.Snapshot.Size > 0, check.Equals, true)
+		c.Assert(r.Snapshot.SHA3_384, check.HasLen, 1)
+		c.Check(r.Snapshot.SHA3_384["user/a-user.tgz"], check.HasLen, 96)
+
+		r.Snapshot.Time = time.Time{}
+		r.Snapshot.Size = 0
+		r.Snapshot.SHA3_384 = nil
+
+		c.Check(&r.Snapshot, check.DeepEquals, snapshots[r.Snapshot.Snap])
+		return nil
+	}), check.IsNil)
+}
+
+func (snapshotSuite) TestSaveIntegrationFails(c *check.C) {
+	if os.Geteuid() == 0 {
+		c.Skip("this test cannot run as root (runuser will fail)")
+	}
+	c.Assert(os.MkdirAll(dirs.SnapshotsDir, 0755), check.IsNil)
+	// sanity check: no files in snapshot dir
+	out, err := exec.Command("find", dirs.SnapshotsDir, "-type", "f").CombinedOutput()
+	c.Assert(err, check.IsNil)
+	c.Check(string(out), check.Equals, "")
+
+	homedir := filepath.Join(dirs.GlobalRootDir, "home", "a-user")
+
+	// Mock "tar" so that the tars finish in the expected order.
+	// Locally .01s and .02s do the trick with count=1000;
+	// padded a lot bigger for slower systems.
+	mocktar := testutil.MockCommand(c, "tar", `
+case "$*" in
+*/too-snap/*)
+    sleep .5
+    ;;
+*/tri-snap/*)
+    sleep 1
+    ;;
+esac
+exec /bin/tar "$@"
+`)
+	defer mocktar.Restore()
+
+	defer backend.MockUserLookup(func(username string) (*user.User, error) {
+		if username != "a-user" {
+			c.Fatalf("unexpected user %q", username)
+		}
+		return &user.User{
+			Uid:      fmt.Sprint(sys.Geteuid()),
+			Username: username,
+			HomeDir:  homedir,
+		}, nil
+	})()
+
+	o := overlord.Mock()
+	st := o.State()
+
+	stmgr, err := snapstate.Manager(st, o.TaskRunner())
+	c.Assert(err, check.IsNil)
+	o.AddManager(stmgr)
+	shmgr := snapshotstate.Manager(st, o.TaskRunner())
+	o.AddManager(shmgr)
+	o.AddManager(o.TaskRunner())
+
+	st.Lock()
+	defer st.Unlock()
+
+	for i, name := range []string{"one-snap", "too-snap", "tri-snap"} {
+		sideInfo := &snap.SideInfo{RealName: name, Revision: snap.R(i + 1)}
+		snapstate.Set(st, name, &snapstate.SnapState{
+			Active:   true,
+			Sequence: []*snap.SideInfo{sideInfo},
+			Current:  sideInfo.Revision,
+			SnapType: "app",
+		})
+		snaptest.MockSnap(c, fmt.Sprintf("{name: %s, version: v1}", name), sideInfo)
+
+		c.Assert(os.MkdirAll(filepath.Join(homedir, "snap", name, fmt.Sprint(i+1), "canary-"+name), 0755), check.IsNil)
+		c.Assert(os.MkdirAll(filepath.Join(homedir, "snap", name, "common"), 0755), check.IsNil)
+		mode := os.FileMode(0755)
+		if i == 1 {
+			mode = 0
+		}
+		c.Assert(os.Mkdir(filepath.Join(homedir, "snap", name, "common", "common-"+name), mode), check.IsNil)
+	}
+
+	setID, saved, taskset, err := snapshotstate.Save(st, nil, []string{"a-user"})
+	c.Assert(err, check.IsNil)
+	c.Check(setID, check.Equals, uint64(1))
+	c.Check(saved, check.DeepEquals, []string{"one-snap", "too-snap", "tri-snap"})
+
+	change := st.NewChange("save-snapshot", "...")
+	change.AddAll(taskset)
+
+	st.Unlock()
+	c.Assert(o.Settle(5*time.Second), check.IsNil)
+	st.Lock()
+	c.Check(change.Err(), check.NotNil)
+	tasks := change.Tasks()
+	c.Assert(tasks, check.HasLen, 3)
+
+	// task 0 (for "one-snap") will have been undone
+	c.Check(tasks[0].Summary(), testutil.Contains, `"one-snap"`) // sanity check: task 0 is one-snap's
+	c.Check(tasks[0].Status(), check.Equals, state.UndoneStatus)
+
+	// task 1 (for "too-snap") will have errored
+	c.Check(tasks[1].Summary(), testutil.Contains, `"too-snap"`) // sanity check: task 1 is too-snap's
+	c.Check(tasks[1].Status(), check.Equals, state.ErrorStatus)
+	c.Check(strings.Join(tasks[1].Log(), "\n"), check.Matches, `\S+ ERROR cannot create archive: .* Permission denied .and \d+ more.`)
+
+	// task 2 (for "tri-snap") will have errored as well, hopefully, but it's a race (see the "tar" comment above)
+	c.Check(tasks[2].Summary(), testutil.Contains, `"tri-snap"`) // sanity check: task 2 is tri-snap's
+	c.Check(tasks[2].Status(), check.Equals, state.ErrorStatus, check.Commentf("if this ever fails, duplicate the fake tar sleeps please"))
+	// sometimes you'll get one, sometimes you'll get the other (depending on ordering of events)
+	c.Check(strings.Join(tasks[2].Log(), "\n"), check.Matches, `\S+ ERROR( tar failed:)? context canceled`)
+
+	// no zips left behind, not for errors, not for undos \o/
+	out, err = exec.Command("find", dirs.SnapshotsDir, "-type", "f").CombinedOutput()
+	c.Assert(err, check.IsNil)
+	c.Check(string(out), check.Equals, "")
+}
+
+func (snapshotSuite) TestRestoreChecksIterError(c *check.C) {
+	defer snapshotstate.MockBackendIter(func(context.Context, func(*backend.Reader) error) error {
+		return errors.New("bzzt")
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	_, _, err := snapshotstate.Restore(st, 42, nil, nil)
+	c.Assert(err, check.ErrorMatches, "bzzt")
+}
+
+func (s snapshotSuite) TestRestoreChecksSnapstateConflicts(c *check.C) {
+	st, restore := s.createConflictingChange(c)
+	defer restore()
+
+	_, _, err := snapshotstate.Restore(st, 42, nil, nil)
+	c.Assert(err, check.NotNil)
+	c.Check(err, check.FitsTypeOf, &snapstate.ChangeConflictError{})
+
+}
+
+func (snapshotSuite) TestRestoreConflictsWithSnapstate(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "foo.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+
+	sideInfo := &snap.SideInfo{RealName: "foo", Revision: snap.R(1)}
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return map[string]*snapstate.SnapState{
+			"foo": {
+				Active:   true,
+				Sequence: []*snap.SideInfo{sideInfo},
+				Current:  sideInfo.Revision,
+			},
+		}, nil
+	}
+	snaptest.MockSnap(c, "{name: foo, version: v1}", sideInfo)
+
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			Snapshot: client.Snapshot{SetID: 42, Snap: "foo"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	o := overlord.Mock()
+	st := o.State()
+
+	stmgr, err := snapstate.Manager(st, o.TaskRunner())
+	c.Assert(err, check.IsNil)
+	o.AddManager(stmgr)
+	shmgr := snapshotstate.Manager(st, o.TaskRunner())
+	o.AddManager(shmgr)
+
+	st.Lock()
+	defer st.Unlock()
+
+	snapstate.Set(st, "foo", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "foo", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	chg := st.NewChange("snapshot-restore", "...")
+	_, restoreTasks, err := snapshotstate.Restore(st, 42, nil, nil)
+	c.Assert(err, check.IsNil)
+	chg.AddAll(restoreTasks)
+
+	_, err = snapstate.Disable(st, "foo")
+	c.Assert(err, check.ErrorMatches, `snap "foo" has "snapshot-restore" change in progress`)
+}
+
+func (snapshotSuite) TestRestoreChecksForgetConflicts(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	chg := st.NewChange("forget-snapshot-change", "...")
+	tsk := st.NewTask("forget-snapshot", "...")
+	tsk.SetStatus(state.DoingStatus)
+	tsk.Set("snapshot-setup", map[string]int{"set-id": 42})
+	chg.AddTask(tsk)
+
+	_, _, err = snapshotstate.Restore(st, 42, nil, nil)
+	c.Assert(err, check.ErrorMatches, `cannot operate on snapshot set #42 while change \"1\" is in progress`)
+}
+
+func (snapshotSuite) TestRestoreChecksChangesToSnapID(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return map[string]*snapstate.SnapState{
+			"a-snap": {
+				Active: true,
+				Sequence: []*snap.SideInfo{
+					{RealName: "a-snap", Revision: snap.R(1), SnapID: "1234567890"},
+				},
+				Current: snap.R(1),
+			},
+		}, nil
+	}
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap", SnapID: "0987654321"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	_, _, err = snapshotstate.Restore(st, 42, nil, nil)
+	c.Assert(err, check.ErrorMatches, `cannot restore snapshot for "a-snap": current snap \(ID 1234567…\) does not match snapshot \(ID 0987654…\)`)
+}
+
+func (snapshotSuite) TestRestoreChecksChangesToEpoch(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+
+	sideInfo := &snap.SideInfo{RealName: "a-snap", Revision: snap.R(1)}
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return map[string]*snapstate.SnapState{
+			"a-snap": {
+				Active:   true,
+				Sequence: []*snap.SideInfo{sideInfo},
+				Current:  sideInfo.Revision,
+			},
+		}, nil
+	}
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+	snaptest.MockSnap(c, "{name: a-snap, version: v1, epoch: 17}", sideInfo)
+
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{
+				SetID: 42,
+				Snap:  "a-snap",
+				Epoch: snap.E("42"),
+			},
+			File: shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	_, _, err = snapshotstate.Restore(st, 42, nil, nil)
+	c.Assert(err, check.ErrorMatches, `cannot restore snapshot for "a-snap": current snap \(epoch 17\) cannot read snapshot data \(epoch 42\)`)
+}
+
+func (snapshotSuite) TestRestoreWorksWithCompatibleEpoch(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+
+	sideInfo := &snap.SideInfo{RealName: "a-snap", Revision: snap.R(1)}
+	fakeSnapstateAll := func(*state.State) (map[string]*snapstate.SnapState, error) {
+		return map[string]*snapstate.SnapState{
+			"a-snap": {
+				Active:   true,
+				Sequence: []*snap.SideInfo{sideInfo},
+				Current:  sideInfo.Revision,
+			},
+		}, nil
+	}
+	defer snapshotstate.MockSnapstateAll(fakeSnapstateAll)()
+	snaptest.MockSnap(c, "{name: a-snap, version: v1, epoch: {read: [17, 42], write: [42]}}", sideInfo)
+
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{
+				SetID: 42,
+				Snap:  "a-snap",
+				Epoch: snap.E("17"),
+			},
+			File: shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	found, taskset, err := snapshotstate.Restore(st, 42, nil, nil)
+	c.Assert(err, check.IsNil)
+	c.Check(found, check.DeepEquals, []string{"a-snap"})
+	tasks := taskset.Tasks()
+	c.Assert(tasks, check.HasLen, 1)
+	c.Check(tasks[0].Kind(), check.Equals, "restore-snapshot")
+	c.Check(tasks[0].Summary(), check.Equals, `Restore data of snap "a-snap" from snapshot set #42`)
+	var snapshot map[string]interface{}
+	c.Check(tasks[0].Get("snapshot-setup", &snapshot), check.IsNil)
+	c.Check(snapshot, check.DeepEquals, map[string]interface{}{
+		"set-id":   42.,
+		"snap":     "a-snap",
+		"filename": shotfile.Name(),
+		"current":  "1",
+	})
+}
+
+func (snapshotSuite) TestRestore(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	found, taskset, err := snapshotstate.Restore(st, 42, []string{"a-snap", "b-snap"}, []string{"a-user"})
+	c.Assert(err, check.IsNil)
+	c.Check(found, check.DeepEquals, []string{"a-snap"})
+	tasks := taskset.Tasks()
+	c.Assert(tasks, check.HasLen, 1)
+	c.Check(tasks[0].Kind(), check.Equals, "restore-snapshot")
+	c.Check(tasks[0].Summary(), check.Equals, `Restore data of snap "a-snap" from snapshot set #42`)
+	var snapshot map[string]interface{}
+	c.Check(tasks[0].Get("snapshot-setup", &snapshot), check.IsNil)
+	c.Check(snapshot, check.DeepEquals, map[string]interface{}{
+		"set-id":   42.,
+		"snap":     "a-snap",
+		"filename": shotfile.Name(),
+		"users":    []interface{}{"a-user"},
+		"current":  "unset",
+	})
+}
+
+func (snapshotSuite) TestRestoreIntegration(c *check.C) {
+	if os.Geteuid() == 0 {
+		c.Skip("this test cannot run as root (runuser will fail)")
+	}
+
+	c.Assert(os.MkdirAll(dirs.SnapshotsDir, 0755), check.IsNil)
+	homedirA := filepath.Join(dirs.GlobalRootDir, "home", "a-user")
+	homedirB := filepath.Join(dirs.GlobalRootDir, "home", "b-user")
+
+	defer backend.MockUserLookup(func(username string) (*user.User, error) {
+		if username != "a-user" && username != "b-user" {
+			c.Fatalf("unexpected user %q", username)
+			return nil, user.UnknownUserError(username)
+		}
+		return &user.User{
+			Uid:      fmt.Sprint(sys.Geteuid()),
+			Username: username,
+			HomeDir:  filepath.Join(dirs.GlobalRootDir, "home", username),
+		}, nil
+
+	})()
+
+	o := overlord.Mock()
+	st := o.State()
+
+	stmgr, err := snapstate.Manager(st, o.TaskRunner())
+	c.Assert(err, check.IsNil)
+	o.AddManager(stmgr)
+	shmgr := snapshotstate.Manager(st, o.TaskRunner())
+	o.AddManager(shmgr)
+	o.AddManager(o.TaskRunner())
+
+	st.Lock()
+	defer st.Unlock()
+
+	for i, name := range []string{"one-snap", "too-snap", "tri-snap"} {
+		sideInfo := &snap.SideInfo{RealName: name, Revision: snap.R(i + 1)}
+		snapstate.Set(st, name, &snapstate.SnapState{
+			Active:   true,
+			Sequence: []*snap.SideInfo{sideInfo},
+			Current:  sideInfo.Revision,
+			SnapType: "app",
+		})
+		snapInfo := snaptest.MockSnap(c, fmt.Sprintf("{name: %s, version: v1}", name), sideInfo)
+
+		for _, home := range []string{homedirA, homedirB} {
+			c.Assert(os.MkdirAll(filepath.Join(home, "snap", name, fmt.Sprint(i+1), "canary-"+name), 0755), check.IsNil)
+			c.Assert(os.MkdirAll(filepath.Join(home, "snap", name, "common", "common-"+name), 0755), check.IsNil)
+		}
+
+		_, err := backend.Save(context.TODO(), 42, snapInfo, nil, []string{"a-user", "b-user"})
+		c.Assert(err, check.IsNil)
+	}
+
+	// move the old away
+	c.Assert(os.Rename(filepath.Join(homedirA, "snap"), filepath.Join(homedirA, "snap.old")), check.IsNil)
+	// remove b-user's home
+	c.Assert(os.RemoveAll(homedirB), check.IsNil)
+
+	found, taskset, err := snapshotstate.Restore(st, 42, nil, []string{"a-user", "b-user"})
+	c.Assert(err, check.IsNil)
+	sort.Strings(found)
+	c.Check(found, check.DeepEquals, []string{"one-snap", "too-snap", "tri-snap"})
+
+	change := st.NewChange("restore-snapshot", "...")
+	change.AddAll(taskset)
+
+	st.Unlock()
+	c.Assert(o.Settle(5*time.Second), check.IsNil)
+	st.Lock()
+	c.Check(change.Err(), check.IsNil)
+
+	// the three restores warn about the missing home (but no errors, no panics)
+	for _, task := range change.Tasks() {
+		c.Check(strings.Join(task.Log(), "\n"), check.Matches, `.* Skipping restore of "[^"]+/home/b-user/[^"]+" as "[^"]+/home/b-user" doesn't exist.`)
+	}
+
+	// check it was all brought back \o/
+	out, err := exec.Command("diff", "-rN", filepath.Join(homedirA, "snap"), filepath.Join("snap.old")).CombinedOutput()
+	c.Assert(err, check.IsNil)
+	c.Check(string(out), check.Equals, "")
+}
+
+func (snapshotSuite) TestRestoreIntegrationFails(c *check.C) {
+	if os.Geteuid() == 0 {
+		c.Skip("this test cannot run as root (runuser will fail)")
+	}
+	c.Assert(os.MkdirAll(dirs.SnapshotsDir, 0755), check.IsNil)
+	homedir := filepath.Join(dirs.GlobalRootDir, "home", "a-user")
+
+	defer backend.MockUserLookup(func(username string) (*user.User, error) {
+		if username != "a-user" {
+			c.Fatalf("unexpected user %q", username)
+		}
+		return &user.User{
+			Uid:      fmt.Sprint(sys.Geteuid()),
+			Username: username,
+			HomeDir:  homedir,
+		}, nil
+	})()
+
+	o := overlord.Mock()
+	st := o.State()
+
+	stmgr, err := snapstate.Manager(st, o.TaskRunner())
+	c.Assert(err, check.IsNil)
+	o.AddManager(stmgr)
+	shmgr := snapshotstate.Manager(st, o.TaskRunner())
+	o.AddManager(shmgr)
+	o.AddManager(o.TaskRunner())
+
+	st.Lock()
+	defer st.Unlock()
+
+	for i, name := range []string{"one-snap", "too-snap", "tri-snap"} {
+		sideInfo := &snap.SideInfo{RealName: name, Revision: snap.R(i + 1)}
+		snapstate.Set(st, name, &snapstate.SnapState{
+			Active:   true,
+			Sequence: []*snap.SideInfo{sideInfo},
+			Current:  sideInfo.Revision,
+			SnapType: "app",
+		})
+		snapInfo := snaptest.MockSnap(c, fmt.Sprintf("{name: %s, version: vv1}", name), sideInfo)
+
+		c.Assert(os.MkdirAll(filepath.Join(homedir, "snap", name, fmt.Sprint(i+1), "canary-"+name), 0755), check.IsNil)
+		c.Assert(os.MkdirAll(filepath.Join(homedir, "snap", name, "common", "common-"+name), 0755), check.IsNil)
+
+		_, err := backend.Save(context.TODO(), 42, snapInfo, nil, []string{"a-user"})
+		c.Assert(err, check.IsNil)
+	}
+
+	// move the old away
+	c.Assert(os.Rename(filepath.Join(homedir, "snap"), filepath.Join(homedir, "snap.old")), check.IsNil)
+	// but poison the well
+	c.Assert(os.MkdirAll(filepath.Join(homedir, "snap"), 0755), check.IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(homedir, "snap", "too-snap"), 0), check.IsNil)
+
+	found, taskset, err := snapshotstate.Restore(st, 42, nil, []string{"a-user"})
+	c.Assert(err, check.IsNil)
+	sort.Strings(found)
+	c.Check(found, check.DeepEquals, []string{"one-snap", "too-snap", "tri-snap"})
+
+	change := st.NewChange("restore-snapshot", "...")
+	change.AddAll(taskset)
+
+	st.Unlock()
+	c.Assert(o.Settle(5*time.Second), check.IsNil)
+	st.Lock()
+	c.Check(change.Err(), check.NotNil)
+
+	tasks := change.Tasks()
+	c.Check(tasks, check.HasLen, 3)
+	for _, task := range tasks {
+		if strings.Contains(task.Summary(), `"too-snap"`) {
+			// too-snap was set up to fail, should always fail with
+			// 'permission denied' (see the mkdirall w/mode 0 above)
+			c.Check(task.Status(), check.Equals, state.ErrorStatus)
+			c.Check(strings.Join(task.Log(), "\n"), check.Matches, `\S+ ERROR mkdir \S+: permission denied`)
+		} else {
+			// the other two might fail (ErrorStatus) if they're
+			// still running when too-snap fails, or they might have
+			// finished and needed to be undone (UndoneStatus); it's
+			// a race, but either is fine.
+			if task.Status() == state.ErrorStatus {
+				c.Check(strings.Join(task.Log(), "\n"), check.Matches, `\S+ ERROR.* context canceled`)
+			} else {
+				c.Check(task.Status(), check.Equals, state.UndoneStatus)
+			}
+		}
+	}
+
+	// remove the poison
+	c.Assert(os.Remove(filepath.Join(homedir, "snap", "too-snap")), check.IsNil)
+
+	// check that nothing else was put there
+	out, err := exec.Command("find", filepath.Join(homedir, "snap")).CombinedOutput()
+	c.Assert(err, check.IsNil)
+	c.Check(strings.TrimSpace(string(out)), check.Equals, filepath.Join(homedir, "snap"))
+}
+
+func (snapshotSuite) TestCheckChecksIterError(c *check.C) {
+	defer snapshotstate.MockBackendIter(func(context.Context, func(*backend.Reader) error) error {
+		return errors.New("bzzt")
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	_, _, err := snapshotstate.Check(st, 42, nil, nil)
+	c.Assert(err, check.ErrorMatches, "bzzt")
+}
+
+func (s snapshotSuite) TestCheckDoesNotTriggerSnapstateConflict(c *check.C) {
+	st, restore := s.createConflictingChange(c)
+	defer restore()
+
+	_, _, err := snapshotstate.Check(st, 42, nil, nil)
+	c.Assert(err, check.IsNil)
+}
+
+func (snapshotSuite) TestCheckChecksForgetConflicts(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	chg := st.NewChange("forget-snapshot-change", "...")
+	tsk := st.NewTask("forget-snapshot", "...")
+	tsk.SetStatus(state.DoingStatus)
+	tsk.Set("snapshot-setup", map[string]int{"set-id": 42})
+	chg.AddTask(tsk)
+
+	_, _, err = snapshotstate.Check(st, 42, nil, nil)
+	c.Assert(err, check.ErrorMatches, `cannot operate on snapshot set #42 while change \"1\" is in progress`)
+}
+
+func (snapshotSuite) TestCheck(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	found, taskset, err := snapshotstate.Check(st, 42, []string{"a-snap", "b-snap"}, []string{"a-user"})
+	c.Assert(err, check.IsNil)
+	c.Check(found, check.DeepEquals, []string{"a-snap"})
+	tasks := taskset.Tasks()
+	c.Assert(tasks, check.HasLen, 1)
+	c.Check(tasks[0].Kind(), check.Equals, "check-snapshot")
+	c.Check(tasks[0].Summary(), check.Equals, `Check data of snap "a-snap" in snapshot set #42`)
+	var snapshot map[string]interface{}
+	c.Check(tasks[0].Get("snapshot-setup", &snapshot), check.IsNil)
+	c.Check(snapshot, check.DeepEquals, map[string]interface{}{
+		"set-id":   42.,
+		"snap":     "a-snap",
+		"filename": shotfile.Name(),
+		"users":    []interface{}{"a-user"},
+		"current":  "unset",
+	})
+}
+
+func (snapshotSuite) TestForgetChecksIterError(c *check.C) {
+	defer snapshotstate.MockBackendIter(func(context.Context, func(*backend.Reader) error) error {
+		return errors.New("bzzt")
+	})()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	_, _, err := snapshotstate.Forget(st, 42, nil)
+	c.Assert(err, check.ErrorMatches, "bzzt")
+}
+
+func (s snapshotSuite) TestForgetDoesNotTriggerSnapstateConflict(c *check.C) {
+	st, restore := s.createConflictingChange(c)
+	defer restore()
+
+	_, _, err := snapshotstate.Forget(st, 42, nil)
+	c.Assert(err, check.IsNil)
+}
+
+func (snapshotSuite) TestForgetChecksCheckConflicts(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	chg := st.NewChange("check-snapshot-change", "...")
+	tsk := st.NewTask("check-snapshot", "...")
+	tsk.SetStatus(state.DoingStatus)
+	tsk.Set("snapshot-setup", map[string]int{"set-id": 42})
+	chg.AddTask(tsk)
+
+	_, _, err = snapshotstate.Forget(st, 42, nil)
+	c.Assert(err, check.ErrorMatches, `cannot operate on snapshot set #42 while change \"1\" is in progress`)
+}
+
+func (snapshotSuite) TestForgetChecksRestoreConflicts(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	chg := st.NewChange("restore-snapshot-change", "...")
+	tsk := st.NewTask("restore-snapshot", "...")
+	tsk.SetStatus(state.DoingStatus)
+	tsk.Set("snapshot-setup", map[string]int{"set-id": 42})
+	chg.AddTask(tsk)
+
+	_, _, err = snapshotstate.Forget(st, 42, nil)
+	c.Assert(err, check.ErrorMatches, `cannot operate on snapshot set #42 while change \"1\" is in progress`)
+}
+
+func (snapshotSuite) TestForget(c *check.C) {
+	shotfile, err := os.Create(filepath.Join(c.MkDir(), "yadda.zip"))
+	c.Assert(err, check.IsNil)
+	defer shotfile.Close()
+	fakeIter := func(_ context.Context, f func(*backend.Reader) error) error {
+		c.Assert(f(&backend.Reader{
+			// not wanted
+			Snapshot: client.Snapshot{SetID: 42, Snap: "a-snap"},
+			File:     shotfile,
+		}), check.IsNil)
+
+		return nil
+	}
+	defer snapshotstate.MockBackendIter(fakeIter)()
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	found, taskset, err := snapshotstate.Forget(st, 42, []string{"a-snap", "b-snap"})
+	c.Assert(err, check.IsNil)
+	c.Check(found, check.DeepEquals, []string{"a-snap"})
+	tasks := taskset.Tasks()
+	c.Assert(tasks, check.HasLen, 1)
+	c.Check(tasks[0].Kind(), check.Equals, "forget-snapshot")
+	c.Check(tasks[0].Summary(), check.Equals, `Drop data of snap "a-snap" from snapshot set #42`)
+	var snapshot map[string]interface{}
+	c.Check(tasks[0].Get("snapshot-setup", &snapshot), check.IsNil)
+	c.Check(snapshot, check.DeepEquals, map[string]interface{}{
+		"set-id":   42.,
+		"snap":     "a-snap",
+		"filename": shotfile.Name(),
+		"current":  "unset",
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/aliasesv2.go snapd-2.37~rc1~14.04/overlord/snapstate/aliasesv2.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/aliasesv2.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/aliasesv2.go	2019-01-16 08:36:51.000000000 +0000
@@ -170,7 +170,7 @@
 	var firstErr error
 	changed = make(map[string][]string)
 	dropped = make(map[string][]string)
-	for snapName, snapst := range snapStates {
+	for instanceName, snapst := range snapStates {
 		aliases := snapst.Aliases
 		info, err := snapst.CurrentInfo()
 		if err != nil {
@@ -189,12 +189,12 @@
 		for alias, target := range autoAliases {
 			curTarget := aliases[alias]
 			if curTarget == nil || curTarget.Auto != target {
-				changed[snapName] = append(changed[snapName], alias)
+				changed[instanceName] = append(changed[instanceName], alias)
 			}
 		}
 		for alias, target := range aliases {
 			if target.Auto != "" && autoAliases[alias] == "" {
-				dropped[snapName] = append(dropped[snapName], alias)
+				dropped[instanceName] = append(dropped[instanceName], alias)
 			}
 		}
 	}
@@ -251,7 +251,7 @@
 	if len(e.Conflicts) != 0 {
 		errParts := []string{"cannot enable"}
 		first := true
-		for snapName, aliases := range e.Conflicts {
+		for instanceName, aliases := range e.Conflicts {
 			if !first {
 				errParts = append(errParts, "nor")
 			}
@@ -264,7 +264,7 @@
 				errParts = append(errParts, fmt.Sprintf("for %q,", e.Snap))
 				first = false
 			}
-			errParts = append(errParts, fmt.Sprintf("already enabled for %q", snapName))
+			errParts = append(errParts, fmt.Sprintf("already enabled for %q", instanceName))
 		}
 		// TODO: add recommendation about what to do next
 		return strings.Join(errParts, " ")
@@ -352,10 +352,10 @@
 	return nil, nil
 }
 
-// checkSnapAliasConflict checks whether snapName and its command
+// checkSnapAliasConflict checks whether instanceName and its command
 // namepsace conflicts against installed snap aliases.
-func checkSnapAliasConflict(st *state.State, snapName string) error {
-	prefix := fmt.Sprintf("%s.", snapName)
+func checkSnapAliasConflict(st *state.State, instanceName string) error {
+	prefix := fmt.Sprintf("%s.", instanceName)
 	snapStates, err := All(st)
 	if err != nil {
 		return err
@@ -363,9 +363,9 @@
 	for otherSnap, snapst := range snapStates {
 		autoDisabled := snapst.AutoAliasesDisabled
 		for alias, target := range snapst.Aliases {
-			if alias == snapName || strings.HasPrefix(alias, prefix) {
+			if alias == instanceName || strings.HasPrefix(alias, prefix) {
 				if target.Effective(autoDisabled) != "" {
-					return fmt.Errorf("snap %q command namespace conflicts with alias %q for %q snap", snapName, alias, otherSnap)
+					return fmt.Errorf("snap %q command namespace conflicts with alias %q for %q snap", instanceName, alias, otherSnap)
 				}
 			}
 		}
@@ -483,27 +483,27 @@
 	}
 
 	withAliases := make(map[string]*SnapState, len(snapStates))
-	for snapName, snapst := range snapStates {
-		err := m.backend.RemoveSnapAliases(snapName)
+	for instanceName, snapst := range snapStates {
+		err := m.backend.RemoveSnapAliases(instanceName)
 		if err != nil {
-			logger.Noticef("cannot cleanup aliases for %q: %v", snapName, err)
+			logger.Noticef("cannot cleanup aliases for %q: %v", instanceName, err)
 			continue
 		}
 
 		info, err := snapst.CurrentInfo()
 		if err != nil {
-			logger.Noticef("cannot get info for %q: %v", snapName, err)
+			logger.Noticef("cannot get info for %q: %v", instanceName, err)
 			continue
 		}
 		newAliases, err := refreshAliases(m.state, info, nil)
 		if err != nil {
-			logger.Noticef("cannot get automatic aliases for %q: %v", snapName, err)
+			logger.Noticef("cannot get automatic aliases for %q: %v", instanceName, err)
 			continue
 		}
 		// TODO: check for conflicts
 		if len(newAliases) != 0 {
 			snapst.Aliases = newAliases
-			withAliases[snapName] = snapst
+			withAliases[instanceName] = snapst
 		}
 		snapst.AutoAliasesDisabled = false
 		if !snapst.Active {
@@ -511,17 +511,17 @@
 		}
 	}
 
-	for snapName, snapst := range withAliases {
+	for instanceName, snapst := range withAliases {
 		if !snapst.AliasesPending {
-			_, _, err := applyAliasesChange(snapName, autoDis, nil, autoEn, snapst.Aliases, m.backend, doApply)
+			_, _, err := applyAliasesChange(instanceName, autoDis, nil, autoEn, snapst.Aliases, m.backend, doApply)
 			if err != nil {
 				// try to clean up and disable
-				logger.Noticef("cannot create automatic aliases for %q: %v", snapName, err)
-				m.backend.RemoveSnapAliases(snapName)
+				logger.Noticef("cannot create automatic aliases for %q: %v", instanceName, err)
+				m.backend.RemoveSnapAliases(instanceName)
 				snapst.AutoAliasesDisabled = true
 			}
 		}
-		Set(m.state, snapName, snapst)
+		Set(m.state, instanceName, snapst)
 	}
 
 	m.state.Set("aliases", nil)
@@ -529,28 +529,30 @@
 }
 
 // Alias sets up a manual alias from alias to app in snapName.
-func Alias(st *state.State, snapName, app, alias string) (*state.TaskSet, error) {
+func Alias(st *state.State, instanceName, app, alias string) (*state.TaskSet, error) {
 	if err := snap.ValidateAlias(alias); err != nil {
 		return nil, err
 	}
 
 	var snapst SnapState
-	err := Get(st, snapName, &snapst)
+	err := Get(st, instanceName, &snapst)
 	if err == state.ErrNoState {
-		return nil, &snap.NotInstalledError{Snap: snapName}
+		return nil, &snap.NotInstalledError{Snap: instanceName}
 	}
 	if err != nil {
 		return nil, err
 	}
-	if err := CheckChangeConflict(st, snapName, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, instanceName, nil); err != nil {
 		return nil, err
 	}
 
+	snapName, instanceKey := snap.SplitInstanceName(instanceName)
 	snapsup := &SnapSetup{
-		SideInfo: &snap.SideInfo{RealName: snapName},
+		SideInfo:    &snap.SideInfo{RealName: snapName},
+		InstanceKey: instanceKey,
 	}
 
-	manualAlias := st.NewTask("alias", fmt.Sprintf(i18n.G("Setup manual alias %q => %q for snap %q"), alias, app, snapsup.Name()))
+	manualAlias := st.NewTask("alias", fmt.Sprintf(i18n.G("Setup manual alias %q => %q for snap %q"), alias, app, snapsup.InstanceName()))
 	manualAlias.Set("alias", alias)
 	manualAlias.Set("target", app)
 	manualAlias.Set("snap-setup", &snapsup)
@@ -568,7 +570,7 @@
 		} else {
 			reason = fmt.Sprintf("target application %q is a daemon", target)
 		}
-		return nil, fmt.Errorf("cannot enable alias %q for %q, %s", alias, info.Name(), reason)
+		return nil, fmt.Errorf("cannot enable alias %q for %q, %s", alias, info.InstanceName(), reason)
 	}
 	newAliases = make(map[string]*AliasTarget, len(curAliases))
 	for alias, aliasTarget := range curAliases {
@@ -588,50 +590,54 @@
 }
 
 // DisableAllAliases disables all aliases of a snap, removing all manual ones.
-func DisableAllAliases(st *state.State, snapName string) (*state.TaskSet, error) {
+func DisableAllAliases(st *state.State, instanceName string) (*state.TaskSet, error) {
 	var snapst SnapState
-	err := Get(st, snapName, &snapst)
+	err := Get(st, instanceName, &snapst)
 	if err == state.ErrNoState {
-		return nil, &snap.NotInstalledError{Snap: snapName}
+		return nil, &snap.NotInstalledError{Snap: instanceName}
 	}
 	if err != nil {
 		return nil, err
 	}
 
-	if err := CheckChangeConflict(st, snapName, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, instanceName, nil); err != nil {
 		return nil, err
 	}
 
+	snapName, instanceKey := snap.SplitInstanceName(instanceName)
 	snapsup := &SnapSetup{
-		SideInfo: &snap.SideInfo{RealName: snapName},
+		SideInfo:    &snap.SideInfo{RealName: snapName},
+		InstanceKey: instanceKey,
 	}
 
-	disableAll := st.NewTask("disable-aliases", fmt.Sprintf(i18n.G("Disable aliases for snap %q"), snapName))
+	disableAll := st.NewTask("disable-aliases", fmt.Sprintf(i18n.G("Disable aliases for snap %q"), instanceName))
 	disableAll.Set("snap-setup", &snapsup)
 
 	return state.NewTaskSet(disableAll), nil
 }
 
 // RemoveManualAlias removes a manual alias.
-func RemoveManualAlias(st *state.State, alias string) (ts *state.TaskSet, snapName string, err error) {
-	snapName, err = findSnapOfManualAlias(st, alias)
+func RemoveManualAlias(st *state.State, alias string) (ts *state.TaskSet, instanceName string, err error) {
+	instanceName, err = findSnapOfManualAlias(st, alias)
 	if err != nil {
 		return nil, "", err
 	}
 
-	if err := CheckChangeConflict(st, snapName, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, instanceName, nil); err != nil {
 		return nil, "", err
 	}
 
+	snapName, instanceKey := snap.SplitInstanceName(instanceName)
 	snapsup := &SnapSetup{
-		SideInfo: &snap.SideInfo{RealName: snapName},
+		SideInfo:    &snap.SideInfo{RealName: snapName},
+		InstanceKey: instanceKey,
 	}
 
-	unalias := st.NewTask("unalias", fmt.Sprintf(i18n.G("Remove manual alias %q for snap %q"), alias, snapName))
+	unalias := st.NewTask("unalias", fmt.Sprintf(i18n.G("Remove manual alias %q for snap %q"), alias, instanceName))
 	unalias.Set("alias", alias)
 	unalias.Set("snap-setup", &snapsup)
 
-	return state.NewTaskSet(unalias), snapName, nil
+	return state.NewTaskSet(unalias), instanceName, nil
 }
 
 func findSnapOfManualAlias(st *state.State, alias string) (snapName string, err error) {
@@ -639,10 +645,10 @@
 	if err != nil {
 		return "", err
 	}
-	for snapName, snapst := range snapStates {
+	for instanceName, snapst := range snapStates {
 		target := snapst.Aliases[alias]
 		if target != nil && target.Manual != "" {
-			return snapName, nil
+			return instanceName, nil
 		}
 	}
 	return "", fmt.Errorf("cannot find manual alias %q in any snap", alias)
@@ -681,12 +687,14 @@
 		return nil, err
 	}
 
-	if err := CheckChangeConflict(st, name, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, name, nil); err != nil {
 		return nil, err
 	}
 
+	snapName, instanceKey := snap.SplitInstanceName(name)
 	snapsup := &SnapSetup{
-		SideInfo: &snap.SideInfo{RealName: name},
+		SideInfo:    &snap.SideInfo{RealName: snapName},
+		InstanceKey: instanceKey,
 	}
 
 	prefer := st.NewTask("prefer-aliases", fmt.Sprintf(i18n.G("Prefer aliases for snap %q"), name))
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/aliasesv2_test.go snapd-2.37~rc1~14.04/overlord/snapstate/aliasesv2_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/aliasesv2_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/aliasesv2_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -93,11 +93,11 @@
 
 		var add, rm []*backend.Alias
 		if strings.Contains(scenario.ops, "rm") {
-			rm = []*backend.Alias{{"myalias", fmt.Sprintf("alias-snap1.%s", target(scenario.target))}}
+			rm = []*backend.Alias{{Name: "myalias", Target: fmt.Sprintf("alias-snap1.%s", target(scenario.target))}}
 		}
 
 		if strings.Contains(scenario.ops, "add") {
-			add = []*backend.Alias{{"myalias", fmt.Sprintf("alias-snap1.%s", target(scenario.newTarget))}}
+			add = []*backend.Alias{{Name: "myalias", Target: fmt.Sprintf("alias-snap1.%s", target(scenario.newTarget))}}
 		}
 
 		expected := fakeOps{
@@ -133,8 +133,8 @@
 	expected := fakeOps{
 		{
 			op:        "update-aliases",
-			rmAliases: []*backend.Alias{{"myalias0", "alias-snap1.cmd0"}},
-			aliases:   []*backend.Alias{{"myalias1", "alias-snap1"}},
+			rmAliases: []*backend.Alias{{Name: "myalias0", Target: "alias-snap1.cmd0"}},
+			aliases:   []*backend.Alias{{Name: "myalias1", Target: "alias-snap1"}},
 		},
 	}
 
@@ -145,7 +145,7 @@
 
 func (s *snapmgrTestSuite) TestAutoAliasesDelta(c *C) {
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -188,8 +188,8 @@
 func (s *snapmgrTestSuite) TestAutoAliasesDeltaAll(c *C) {
 	seen := make(map[string]bool)
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		seen[info.Name()] = true
-		if info.Name() == "alias-snap" {
+		seen[info.InstanceName()] = true
+		if info.InstanceName() == "alias-snap" {
 			return map[string]string{
 				"alias1": "cmd1",
 				"alias2": "cmd2",
@@ -237,7 +237,7 @@
 
 func (s *snapmgrTestSuite) TestAutoAliasesDeltaOverManual(c *C) {
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -274,7 +274,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -514,6 +514,14 @@
 		Current: snap.R(11),
 		Active:  true,
 	})
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", Revision: snap.R(11)},
+		},
+		Current:     snap.R(11),
+		Active:      true,
+		InstanceKey: "instance",
+	})
 
 	ts, err := snapstate.Alias(s.state, "some-snap", "cmd1", "alias1")
 	c.Assert(err, IsNil)
@@ -522,6 +530,22 @@
 	c.Assert(taskKinds(ts.Tasks()), DeepEquals, []string{
 		"alias",
 	})
+
+	ts, err = snapstate.Alias(s.state, "some-snap_instance", "cmd1", "alias1")
+	c.Assert(err, IsNil)
+
+	c.Assert(s.state.TaskCount(), Equals, 2)
+	c.Assert(taskKinds(ts.Tasks()), DeepEquals, []string{
+		"alias",
+	})
+
+	var snapsup snapstate.SnapSetup
+	tasks := ts.Tasks()
+	c.Assert(tasks, HasLen, 1)
+	err = tasks[0].Get("snap-setup", &snapsup)
+	c.Assert(err, IsNil)
+	c.Check(snapsup.InstanceKey, Equals, "instance")
+	c.Check(snapsup.InstanceName(), Equals, "some-snap_instance")
 }
 
 type changedAlias struct {
@@ -553,7 +577,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -561,7 +585,7 @@
 	expected := fakeOps{
 		{
 			op:      "update-aliases",
-			aliases: []*backend.Alias{{"alias1", "alias-snap.cmd1"}},
+			aliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd1"}},
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -586,6 +610,70 @@
 	})
 }
 
+func (s *snapmgrTestSuite) TestParallelInstanceAliasRunThrough(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "alias-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current: snap.R(11),
+		Active:  true,
+	})
+	snapstate.Set(s.state, "alias-snap_foo", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current:     snap.R(11),
+		Active:      true,
+		InstanceKey: "foo",
+	})
+
+	chg := s.state.NewChange("alias", "manual alias")
+	ts, err := snapstate.Alias(s.state, "alias-snap_foo", "cmd1", "alias1")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("%v", chg.Err()))
+	expected := fakeOps{
+		{
+			op:      "update-aliases",
+			aliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap_foo.cmd1"}},
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "alias-snap_foo", &snapst)
+	c.Assert(err, IsNil)
+
+	c.Check(snapst.AutoAliasesDisabled, Equals, false)
+	c.Check(snapst.AliasesPending, Equals, false)
+	c.Check(snapst.Aliases, DeepEquals, map[string]*snapstate.AliasTarget{
+		"alias1": {Manual: "cmd1"},
+	})
+
+	// snap without instance key is unchanged
+	err = snapstate.Get(s.state, "alias-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.Aliases, HasLen, 0)
+
+	var trace traceData
+	err = chg.Get("api-data", &trace)
+	c.Assert(err, IsNil)
+	c.Check(trace, DeepEquals, traceData{
+		Added: []*changedAlias{{Snap: "alias-snap_foo", App: "cmd1", Alias: "alias1"}},
+	})
+}
+
 func (s *snapmgrTestSuite) TestAliasNoTarget(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -604,8 +692,8 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.ErrorStatus)
@@ -630,8 +718,8 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.ErrorStatus)
@@ -668,7 +756,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -676,8 +764,8 @@
 	expected := fakeOps{
 		{
 			op:        "update-aliases",
-			rmAliases: []*backend.Alias{{"alias1", "alias-snap.cmd1"}},
-			aliases:   []*backend.Alias{{"alias1", "alias-snap.cmd5"}},
+			rmAliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd1"}},
+			aliases:   []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd5"}},
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -764,14 +852,69 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 
 	c.Check(chg.Status(), Equals, state.ErrorStatus)
 	c.Check(chg.Err(), ErrorMatches, `(?s).*cannot enable alias "alias1" for "alias-snap", already enabled for "other-snap".*`)
 }
 
+func (s *snapmgrTestSuite) TestParallelInstanceAliasConflict(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "alias-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current: snap.R(11),
+		Active:  true,
+		Aliases: map[string]*snapstate.AliasTarget{
+			"alias2": {Auto: "cmd2"},
+		},
+	})
+	snapstate.Set(s.state, "alias-snap_foo", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current:     snap.R(11),
+		Active:      true,
+		InstanceKey: "foo",
+		Aliases: map[string]*snapstate.AliasTarget{
+			"alias1": {Auto: "cmd1"},
+		},
+	})
+
+	chg := s.state.NewChange("alias", "alias")
+	// conflicts with aliases of alias-snap_foo
+	ts, err := snapstate.Alias(s.state, "alias-snap", "cmd5", "alias1")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Check(chg.Status(), Equals, state.ErrorStatus)
+	c.Check(chg.Err(), ErrorMatches, `(?s).*cannot enable alias "alias1" for "alias-snap", already enabled for "alias-snap_foo".*`)
+
+	chg = s.state.NewChange("alias", "alias")
+	// conflicts with aliases of alias-snap
+	ts, err = snapstate.Alias(s.state, "alias-snap_foo", "cmd5", "alias2")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	s.se.Ensure()
+	s.se.Wait()
+	s.state.Lock()
+
+	c.Check(chg.Status(), Equals, state.ErrorStatus)
+	c.Check(chg.Err(), ErrorMatches, `(?s).*cannot enable alias "alias2" for "alias-snap_foo", already enabled for "alias-snap".*`)
+}
+
 func (s *snapmgrTestSuite) TestDisableAllAliasesTasks(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -816,7 +959,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -825,9 +968,9 @@
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd5"},
-				{"alias2", "alias-snap.cmd2"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias1", Target: "alias-snap.cmd5"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 		},
 	}
@@ -853,6 +996,87 @@
 	c.Check(trace.Removed, HasLen, 3)
 }
 
+func (s *snapmgrTestSuite) TestParallelInstanceDisableAllAliasesRunThrough(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "alias-snap_instance", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current: snap.R(11),
+		Active:  true,
+		Aliases: map[string]*snapstate.AliasTarget{
+			"alias1": {Auto: "cmd1"},
+			"alias2": {Auto: "cmd2"},
+			"alias3": {Manual: "cmd3"},
+		},
+		InstanceKey: "instance",
+	})
+	snapstate.Set(s.state, "alias-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current: snap.R(11),
+		Active:  true,
+		Aliases: map[string]*snapstate.AliasTarget{
+			"alias1": {Manual: "cmd6"},
+			"alias2": {Manual: "cmd7"},
+		},
+	})
+
+	chg := s.state.NewChange("unalias", "unalias")
+	ts, err := snapstate.DisableAllAliases(s.state, "alias-snap_instance")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("%v", chg.Err()))
+	expected := fakeOps{
+		{
+			op: "update-aliases",
+			rmAliases: []*backend.Alias{
+				{Name: "alias1", Target: "alias-snap_instance.cmd1"},
+				{Name: "alias2", Target: "alias-snap_instance.cmd2"},
+				{Name: "alias3", Target: "alias-snap_instance.cmd3"},
+			},
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "alias-snap_instance", &snapst)
+	c.Assert(err, IsNil)
+
+	c.Check(snapst.AutoAliasesDisabled, Equals, true)
+	c.Check(snapst.AliasesPending, Equals, false)
+	c.Check(snapst.Aliases, DeepEquals, map[string]*snapstate.AliasTarget{
+		"alias1": {Auto: "cmd1"},
+		"alias2": {Auto: "cmd2"},
+	})
+
+	var trace traceData
+	err = chg.Get("api-data", &trace)
+	c.Assert(err, IsNil)
+	c.Check(trace.Added, HasLen, 0)
+	c.Check(trace.Removed, HasLen, 3)
+
+	// non _instance instance is unchanged
+	err = snapstate.Get(s.state, "alias-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.AutoAliasesDisabled, Equals, false)
+	c.Check(snapst.Aliases, DeepEquals, map[string]*snapstate.AliasTarget{
+		"alias1": {Manual: "cmd6"},
+		"alias2": {Manual: "cmd7"},
+	})
+}
+
 func (s *snapmgrTestSuite) TestRemoveManualAliasTasks(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -904,7 +1128,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -912,7 +1136,7 @@
 	expected := fakeOps{
 		{
 			op:        "update-aliases",
-			rmAliases: []*backend.Alias{{"alias1", "alias-snap.cmd5"}},
+			rmAliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd5"}},
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -956,7 +1180,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -964,8 +1188,8 @@
 	expected := fakeOps{
 		{
 			op:        "update-aliases",
-			rmAliases: []*backend.Alias{{"alias1", "alias-snap.cmd5"}},
-			aliases:   []*backend.Alias{{"alias1", "alias-snap.cmd1"}},
+			rmAliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd5"}},
+			aliases:   []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd1"}},
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -983,6 +1207,55 @@
 	})
 }
 
+func (s *snapmgrTestSuite) TestParallelInstanceRemoveManualAliasRunThrough(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "alias-snap_instance", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current: snap.R(11),
+		Active:  true,
+		Aliases: map[string]*snapstate.AliasTarget{
+			"alias1": {Manual: "cmd2", Auto: "cmd1"},
+		},
+		InstanceKey: "instance",
+	})
+
+	chg := s.state.NewChange("alias", "manual alias")
+	ts, _, err := snapstate.RemoveManualAlias(s.state, "alias1")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("%v", chg.Err()))
+	expected := fakeOps{
+		{
+			op:        "update-aliases",
+			rmAliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap_instance.cmd2"}},
+			aliases:   []*backend.Alias{{Name: "alias1", Target: "alias-snap_instance.cmd1"}},
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "alias-snap_instance", &snapst)
+	c.Assert(err, IsNil)
+
+	c.Check(snapst.AutoAliasesDisabled, Equals, false)
+	c.Check(snapst.AliasesPending, Equals, false)
+	c.Check(snapst.Aliases, DeepEquals, map[string]*snapstate.AliasTarget{
+		"alias1": {Auto: "cmd1"},
+	})
+}
+
 func (s *snapmgrTestSuite) TestRemoveManualAliasNoAlias(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1124,7 +1397,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -1133,8 +1406,8 @@
 		{
 			op: "update-aliases",
 			aliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd1"},
-				{"alias2", "alias-snap.cmd2"},
+				{Name: "alias1", Target: "alias-snap.cmd1"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
 			},
 		},
 	}
@@ -1154,6 +1427,87 @@
 	})
 }
 
+func (s *snapmgrTestSuite) TestParallelInstancePreferRunThrough(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "alias-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current: snap.R(11),
+		Active:  true,
+		Aliases: map[string]*snapstate.AliasTarget{
+			"alias1": {Auto: "cmd1"},
+			"alias2": {Auto: "cmd2"},
+		},
+	})
+	snapstate.Set(s.state, "alias-snap_instance", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "alias-snap", Revision: snap.R(11)},
+		},
+		Current:             snap.R(11),
+		Active:              true,
+		AutoAliasesDisabled: true,
+		Aliases: map[string]*snapstate.AliasTarget{
+			"alias1": {Auto: "cmd1"},
+			"alias2": {Auto: "cmd2"},
+		},
+	})
+
+	chg := s.state.NewChange("prefer", "prefer")
+	ts, err := snapstate.Prefer(s.state, "alias-snap_instance")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus, Commentf("%v", chg.Err()))
+	expected := fakeOps{
+		{
+			op: "update-aliases",
+			rmAliases: []*backend.Alias{
+				{Name: "alias1", Target: "alias-snap.cmd1"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+			},
+		},
+		{
+			op: "update-aliases",
+			aliases: []*backend.Alias{
+				{Name: "alias1", Target: "alias-snap_instance.cmd1"},
+				{Name: "alias2", Target: "alias-snap_instance.cmd2"},
+			},
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "alias-snap_instance", &snapst)
+	c.Assert(err, IsNil)
+	// _instance aliases are preferred now
+	c.Check(snapst.AutoAliasesDisabled, Equals, false)
+	c.Check(snapst.AliasesPending, Equals, false)
+	c.Check(snapst.Aliases, DeepEquals, map[string]*snapstate.AliasTarget{
+		"alias1": {Auto: "cmd1"},
+		"alias2": {Auto: "cmd2"},
+	})
+
+	err = snapstate.Get(s.state, "alias-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.AutoAliasesDisabled, Equals, true)
+	c.Check(snapst.AliasesPending, Equals, false)
+	c.Check(snapst.Aliases, DeepEquals, map[string]*snapstate.AliasTarget{
+		"alias1": {Auto: "cmd1"},
+		"alias2": {Auto: "cmd2"},
+	})
+
+}
+
 func (s *snapmgrTestSuite) TestUpdatePreferChangeConflict(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/autorefresh.go snapd-2.37~rc1~14.04/overlord/snapstate/autorefresh.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/autorefresh.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/autorefresh.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,8 +43,9 @@
 
 // hooks setup by devicestate
 var (
-	CanAutoRefresh     func(st *state.State) (bool, error)
-	CanManageRefreshes func(st *state.State) bool
+	CanAutoRefresh        func(st *state.State) (bool, error)
+	CanManageRefreshes    func(st *state.State) bool
+	IsOnMeteredConnection func() (bool, error)
 )
 
 // refreshRetryDelay specified the minimum time to retry failed refreshes
@@ -149,6 +150,44 @@
 	return nil
 }
 
+func canRefreshOnMeteredConnection(st *state.State) (bool, error) {
+	tr := config.NewTransaction(st)
+	var onMetered string
+	err := tr.GetMaybe("core", "refresh.metered", &onMetered)
+	if err != nil && err != state.ErrNoState {
+		return false, err
+	}
+
+	return onMetered != "hold", nil
+}
+
+func (m *autoRefresh) canRefreshRespectingMetered(now, lastRefresh time.Time) (can bool, err error) {
+	can, err = canRefreshOnMeteredConnection(m.state)
+	if err != nil {
+		return false, err
+	}
+	if can {
+		return true, nil
+	}
+
+	// ignore any errors that occurred while checking if we are on a metered
+	// connection
+	metered, _ := IsOnMeteredConnection()
+	if !metered {
+		return true, nil
+	}
+
+	if now.Sub(lastRefresh) >= maxPostponement {
+		// TODO use warnings when the infra becomes available
+		logger.Noticef("Auto refresh disabled while on metered connections, but pending for too long (%d days). Trying to refresh now.", int(maxPostponement.Hours()/24))
+		return true, nil
+	}
+
+	logger.Debugf("Auto refresh disabled on metered connections")
+
+	return false, nil
+}
+
 // Ensure ensures that we refresh all installed snaps periodically
 func (m *autoRefresh) Ensure() error {
 	m.state.Lock()
@@ -237,6 +276,17 @@
 
 	// do refresh attempt (if needed)
 	if !m.nextRefresh.After(now) {
+		var can bool
+		can, err = m.canRefreshRespectingMetered(now, lastRefresh)
+		if err != nil {
+			return err
+		}
+		if !can {
+			// clear nextRefresh so that another refresh time is calculated
+			m.nextRefresh = time.Time{}
+			return nil
+		}
+
 		err = m.launchAutoRefresh()
 		// clear nextRefresh only if the refresh worked. There is
 		// still the lastRefreshAttempt rate limit so things will
@@ -277,16 +327,15 @@
 // TODO: we can remove the refreshSchedule reset because we have validation
 //       of the schedule now.
 func (m *autoRefresh) refreshScheduleWithDefaultsFallback() (ts []*timeutil.Schedule, scheduleAsStr string, legacy bool, err error) {
-	if refreshScheduleManaged(m.state) {
+	if managed, legacy := refreshScheduleManaged(m.state); managed {
 		if m.lastRefreshSchedule != "managed" {
-			logger.Noticef("refresh.schedule is managed via the snapd-control interface")
+			logger.Noticef("refresh is managed via the snapd-control interface")
 			m.lastRefreshSchedule = "managed"
 		}
-		return nil, "managed", true, nil
+		return nil, "managed", legacy, nil
 	}
 
 	tr := config.NewTransaction(m.state)
-
 	// try the new refresh.timer config option first
 	err = tr.Get("core", "refresh.timer", &scheduleAsStr)
 	if err != nil && !config.IsNoOption(err) {
@@ -377,24 +426,32 @@
 
 // refreshScheduleManaged returns true if the refresh schedule of the
 // device is managed by an external snap
-func refreshScheduleManaged(st *state.State) bool {
-	var refreshScheduleStr string
+func refreshScheduleManaged(st *state.State) (managed bool, legacy bool) {
+	var confStr string
 
 	// this will only be "nil" if running in tests
 	if CanManageRefreshes == nil {
-		return false
+		return false, legacy
 	}
 
+	// check new style timer first
 	tr := config.NewTransaction(st)
-	err := tr.Get("core", "refresh.schedule", &refreshScheduleStr)
-	if err != nil {
-		return false
+	err := tr.Get("core", "refresh.timer", &confStr)
+	if err != nil && !config.IsNoOption(err) {
+		return false, legacy
 	}
-	if refreshScheduleStr != "managed" {
-		return false
+	// if not set, fallback to refresh.schedule
+	if confStr == "" {
+		if err := tr.Get("core", "refresh.schedule", &confStr); err != nil {
+			return false, legacy
+		}
+		legacy = true
 	}
 
-	return CanManageRefreshes(st)
+	if confStr != "managed" {
+		return false, legacy
+	}
+	return CanManageRefreshes(st), legacy
 }
 
 // getTime retrieves a time from a state value.
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/autorefresh_test.go snapd-2.37~rc1~14.04/overlord/snapstate/autorefresh_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/autorefresh_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/autorefresh_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -38,6 +38,7 @@
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/store"
 	"github.com/snapcore/snapd/store/storetest"
+	"github.com/snapcore/snapd/timeutil"
 )
 
 type autoRefreshStore struct {
@@ -45,15 +46,23 @@
 
 	ops []string
 
-	listRefreshErr error
+	err error
 }
 
-func (r *autoRefreshStore) ListRefresh(ctx context.Context, cands []*store.RefreshCandidate, _ *auth.UserState, flags *store.RefreshOptions) ([]*snap.Info, error) {
+func (r *autoRefreshStore) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
 	if ctx == nil || !auth.IsEnsureContext(ctx) {
 		panic("Ensure marked context required")
 	}
+	if len(currentSnaps) != len(actions) || len(currentSnaps) == 0 {
+		panic("expected in test one action for each current snaps, and at least one snap")
+	}
+	for _, a := range actions {
+		if a.Action != "refresh" {
+			panic("expected refresh actions")
+		}
+	}
 	r.ops = append(r.ops, "list-refresh")
-	return nil, r.listRefreshErr
+	return nil, r.err
 }
 
 type autoRefreshTestSuite struct {
@@ -89,13 +98,18 @@
 	snapstate.AutoAliases = func(*state.State, *snap.Info) (map[string]string, error) {
 		return nil, nil
 	}
+	snapstate.IsOnMeteredConnection = func() (bool, error) { return false, nil }
 
+	s.state.Set("seeded", true)
 	s.state.Set("seed-time", time.Now())
+	s.state.Set("refresh-privacy-key", "privacy-key")
+	snapstate.SetDefaultModel()
 }
 
 func (s *autoRefreshTestSuite) TearDownTest(c *C) {
 	snapstate.CanAutoRefresh = nil
 	snapstate.AutoAliases = nil
+	snapstate.Model = nil
 	dirs.SetRootDir("")
 }
 
@@ -123,7 +137,49 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	for _, t := range []struct {
+		conf   string
+		legacy bool
+	}{
+		{"refresh.timer", false},
+		{"refresh.schedule", true},
+	} {
+		tr := config.NewTransaction(s.state)
+		tr.Set("core", t.conf, "managed")
+		tr.Commit()
+
+		af := snapstate.NewAutoRefresh(s.state)
+		s.state.Unlock()
+		err := af.Ensure()
+		s.state.Lock()
+		c.Check(err, IsNil)
+		c.Check(s.store.ops, HasLen, 0)
+
+		refreshScheduleStr, legacy, err := af.RefreshSchedule()
+		c.Check(refreshScheduleStr, Equals, "managed")
+		c.Check(legacy, Equals, t.legacy)
+		c.Check(err, IsNil)
+
+		c.Check(af.NextRefresh(), DeepEquals, time.Time{})
+
+		// ensure clean config for the next run
+		s.state.Set("config", nil)
+	}
+}
+
+func (s *autoRefreshTestSuite) TestRefreshManagedTimerWins(c *C) {
+	snapstate.CanManageRefreshes = func(st *state.State) bool {
+		return true
+	}
+	defer func() { snapstate.CanManageRefreshes = nil }()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
 	tr := config.NewTransaction(s.state)
+	// the "refresh.timer" setting always takes precedence over
+	// refresh.schedule
+	tr.Set("core", "refresh.timer", "00:00-12:00")
 	tr.Set("core", "refresh.schedule", "managed")
 	tr.Commit()
 
@@ -132,14 +188,12 @@
 	err := af.Ensure()
 	s.state.Lock()
 	c.Check(err, IsNil)
-	c.Check(s.store.ops, HasLen, 0)
+	c.Check(s.store.ops, DeepEquals, []string{"list-refresh"})
 
 	refreshScheduleStr, legacy, err := af.RefreshSchedule()
-	c.Check(refreshScheduleStr, Equals, "managed")
-	c.Check(legacy, Equals, true)
+	c.Check(refreshScheduleStr, Equals, "00:00-12:00")
+	c.Check(legacy, Equals, false)
 	c.Check(err, IsNil)
-
-	c.Check(af.NextRefresh(), DeepEquals, time.Time{})
 }
 
 func (s *autoRefreshTestSuite) TestLastRefreshNoRefreshNeeded(c *C) {
@@ -154,7 +208,7 @@
 }
 
 func (s *autoRefreshTestSuite) TestRefreshBackoff(c *C) {
-	s.store.listRefreshErr = fmt.Errorf("random store error")
+	s.store.err = fmt.Errorf("random store error")
 	af := snapstate.NewAutoRefresh(s.state)
 	err := af.Ensure()
 	c.Check(err, ErrorMatches, "random store error")
@@ -177,6 +231,20 @@
 	c.Check(s.store.ops, HasLen, 2)
 }
 
+func (s *autoRefreshTestSuite) TestDefaultScheduleIsRandomized(c *C) {
+	schedule, err := timeutil.ParseSchedule(snapstate.DefaultRefreshSchedule)
+	c.Assert(err, IsNil)
+
+	for _, sched := range schedule {
+		for _, span := range sched.ClockSpans {
+			c.Check(span.Start == span.End, Equals, false,
+				Commentf("clock span %v is a single time, expected an actual span", span))
+			c.Check(span.Spread, Equals, true,
+				Commentf("clock span %v is not randomized", span))
+		}
+	}
+}
+
 func (s *autoRefreshTestSuite) TestLastRefreshRefreshHold(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -421,3 +489,92 @@
 	c.Check(err, IsNil)
 	c.Check(t1.Equal(t2), Equals, true)
 }
+
+func (s *autoRefreshTestSuite) TestCanRefreshOnMetered(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	can, err := snapstate.CanRefreshOnMeteredConnection(s.state)
+	c.Assert(can, Equals, true)
+	c.Assert(err, Equals, nil)
+
+	// enable holding refreshes when on metered connection
+	tr := config.NewTransaction(s.state)
+	err = tr.Set("core", "refresh.metered", "hold")
+	c.Assert(err, IsNil)
+	tr.Commit()
+
+	can, err = snapstate.CanRefreshOnMeteredConnection(s.state)
+	c.Assert(can, Equals, false)
+	c.Assert(err, Equals, nil)
+
+	// explicitly disable holding refreshes when on metered connection
+	tr = config.NewTransaction(s.state)
+	err = tr.Set("core", "refresh.metered", "")
+	c.Assert(err, IsNil)
+	tr.Commit()
+
+	can, err = snapstate.CanRefreshOnMeteredConnection(s.state)
+	c.Assert(can, Equals, true)
+	c.Assert(err, Equals, nil)
+}
+
+func (s *autoRefreshTestSuite) TestRefreshOnMeteredConnIsMetered(c *C) {
+	// pretend we're on metered connection
+	revert := snapstate.MockIsOnMeteredConnection(func() (bool, error) {
+		return true, nil
+	})
+	defer revert()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "refresh.metered", "hold")
+	tr.Commit()
+
+	af := snapstate.NewAutoRefresh(s.state)
+
+	s.state.Set("last-refresh", time.Now().Add(-5*24*time.Hour))
+	s.state.Unlock()
+	err := af.Ensure()
+	s.state.Lock()
+	c.Check(err, IsNil)
+	// no refresh
+	c.Check(s.store.ops, HasLen, 0)
+
+	c.Check(af.NextRefresh(), DeepEquals, time.Time{})
+
+	// last refresh over 60 days ago, new one is launched regardless of
+	// connection being metered
+	s.state.Set("last-refresh", time.Now().Add(-61*24*time.Hour))
+	s.state.Unlock()
+	err = af.Ensure()
+	s.state.Lock()
+	c.Check(err, IsNil)
+	c.Check(s.store.ops, DeepEquals, []string{"list-refresh"})
+}
+
+func (s *autoRefreshTestSuite) TestRefreshOnMeteredConnNotMetered(c *C) {
+	// pretend we're on non-metered connection
+	revert := snapstate.MockIsOnMeteredConnection(func() (bool, error) {
+		return false, nil
+	})
+	defer revert()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "refresh.metered", "hold")
+	tr.Commit()
+
+	af := snapstate.NewAutoRefresh(s.state)
+
+	s.state.Set("last-refresh", time.Now().Add(-5*24*time.Hour))
+	s.state.Unlock()
+	err := af.Ensure()
+	s.state.Lock()
+	c.Check(err, IsNil)
+	c.Check(s.store.ops, DeepEquals, []string{"list-refresh"})
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/aliases.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/aliases.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/aliases.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/aliases.go	2019-01-16 08:36:51.000000000 +0000
@@ -68,8 +68,7 @@
 			return fmt.Errorf("cannot create alias symlink: %v", err)
 		}
 
-		target, err := os.Readlink(filepath.Join(dirs.CompletersDir, alias.Target))
-		if err == nil && target == dirs.CompleteSh {
+		if dirs.IsCompleteShSymlink(filepath.Join(dirs.CompletersDir, alias.Target)) {
 			os.Symlink(alias.Target, filepath.Join(dirs.CompletersDir, alias.Name))
 		}
 	}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/aliases_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/aliases_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/aliases_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/aliases_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,18 +32,29 @@
 )
 
 type aliasesSuite struct {
-	be backend.Backend
+	be   backend.Backend
+	base string
 }
 
-var _ = Suite(&aliasesSuite{})
+// silly wrappers to get better failure messages
+type noBaseAliasesSuite struct{ aliasesSuite }
+type withBaseAliasesSuite struct{ aliasesSuite }
+type withSnapdAliasesSuite struct{ aliasesSuite }
+
+var _ = Suite(&noBaseAliasesSuite{})
+var _ = Suite(&withBaseAliasesSuite{aliasesSuite{base: "core99"}})
+var _ = Suite(&withSnapdAliasesSuite{aliasesSuite{base: "core-with-snapd"}})
 
 func (s *aliasesSuite) SetUpTest(c *C) {
 	dirs.SetRootDir(c.MkDir())
+	if s.base == "core-with-snapd" {
+		c.Check(os.MkdirAll(filepath.Join(dirs.SnapMountDir, "snapd/current/usr/lib/snapd"), 0755), IsNil)
+	}
 	err := os.MkdirAll(dirs.SnapBinariesDir, 0755)
 	c.Assert(err, IsNil)
 	c.Assert(os.MkdirAll(dirs.CompletersDir, 0755), IsNil)
-	c.Assert(os.MkdirAll(filepath.Dir(dirs.CompleteSh), 0755), IsNil)
-	c.Assert(ioutil.WriteFile(dirs.CompleteSh, nil, 0644), IsNil)
+	c.Assert(os.MkdirAll(filepath.Dir(dirs.CompleteShPath(s.base)), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(dirs.CompleteShPath(s.base), nil, 0644), IsNil)
 }
 
 func (s *aliasesSuite) TearDownTest(c *C) {
@@ -76,10 +87,10 @@
 	c.Assert(err, IsNil)
 	c.Assert(os.Symlink("x.a", filepath.Join(dirs.CompletersDir, "a")), IsNil)
 
-	missingAs, missingCs, err := missingAliases([]*backend.Alias{{"a", "x.a"}, {"foo", "x.foo"}})
+	missingAs, missingCs, err := missingAliases([]*backend.Alias{{Name: "a", Target: "x.a"}, {Name: "foo", Target: "x.foo"}})
 	c.Assert(err, IsNil)
-	c.Check(missingAs, DeepEquals, []*backend.Alias{{"a", "x.a"}})
-	c.Check(missingCs, DeepEquals, []*backend.Alias{{"foo", "x.foo"}})
+	c.Check(missingAs, DeepEquals, []*backend.Alias{{Name: "a", Target: "x.a"}})
+	c.Check(missingCs, DeepEquals, []*backend.Alias{{Name: "foo", Target: "x.foo"}})
 }
 
 func matchingAliases(aliases []*backend.Alias) (matchingAs, matchingCs []*backend.Alias, err error) {
@@ -113,14 +124,14 @@
 	c.Assert(os.Symlink("y.foo", filepath.Join(dirs.CompletersDir, "foo")), IsNil)
 	c.Assert(os.Symlink("x.bar", filepath.Join(dirs.CompletersDir, "bar")), IsNil)
 
-	matchingAs, matchingCs, err := matchingAliases([]*backend.Alias{{"a", "x.a"}, {"foo", "x.foo"}, {"bar", "x.bar"}})
+	matchingAs, matchingCs, err := matchingAliases([]*backend.Alias{{Name: "a", Target: "x.a"}, {Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}})
 	c.Assert(err, IsNil)
-	c.Check(matchingAs, DeepEquals, []*backend.Alias{{"foo", "x.foo"}})
-	c.Check(matchingCs, DeepEquals, []*backend.Alias{{"bar", "x.bar"}})
+	c.Check(matchingAs, DeepEquals, []*backend.Alias{{Name: "foo", Target: "x.foo"}})
+	c.Check(matchingCs, DeepEquals, []*backend.Alias{{Name: "bar", Target: "x.bar"}})
 }
 
 func (s *aliasesSuite) TestUpdateAliasesAdd(c *C) {
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -131,15 +142,15 @@
 	c.Check(matchingCs, HasLen, 0)
 }
 
-func mkCompleters(c *C, apps ...string) {
+func mkCompleters(c *C, base string, apps ...string) {
 	for _, app := range apps {
-		c.Assert(os.Symlink(dirs.CompleteSh, filepath.Join(dirs.CompletersDir, app)), IsNil)
+		c.Assert(os.Symlink(dirs.CompleteShPath(base), filepath.Join(dirs.CompletersDir, app)), IsNil)
 	}
 }
 
 func (s *aliasesSuite) TestUpdateAliasesAddWithCompleter(c *C) {
-	mkCompleters(c, "x.bar", "x.foo")
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	mkCompleters(c, s.base, "x.bar", "x.foo")
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -151,7 +162,7 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesAddIdempot(c *C) {
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -166,8 +177,8 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesAddWithCompleterIdempot(c *C) {
-	mkCompleters(c, "x.foo", "x.bar")
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	mkCompleters(c, s.base, "x.foo", "x.bar")
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -182,7 +193,7 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesRemove(c *C) {
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -207,8 +218,8 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesWithCompleterRemove(c *C) {
-	mkCompleters(c, "x.foo", "x.bar")
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	mkCompleters(c, s.base, "x.foo", "x.bar")
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -233,7 +244,7 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesRemoveIdempot(c *C) {
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -256,8 +267,8 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesWithCompleterRemoveIdempot(c *C) {
-	mkCompleters(c, "x.foo", "x.bar")
-	aliases := []*backend.Alias{{"foo", "x.foo"}, {"bar", "x.bar"}}
+	mkCompleters(c, s.base, "x.foo", "x.bar")
+	aliases := []*backend.Alias{{Name: "foo", Target: "x.foo"}, {Name: "bar", Target: "x.bar"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -280,8 +291,8 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesAddRemoveOverlap(c *C) {
-	before := []*backend.Alias{{"bar", "x.bar"}}
-	after := []*backend.Alias{{"bar", "x.baz"}}
+	before := []*backend.Alias{{Name: "bar", Target: "x.bar"}}
+	after := []*backend.Alias{{Name: "bar", Target: "x.baz"}}
 
 	err := s.be.UpdateAliases(before, nil)
 	c.Assert(err, IsNil)
@@ -300,9 +311,9 @@
 }
 
 func (s *aliasesSuite) TestUpdateAliasesWithCompleterAddRemoveOverlap(c *C) {
-	mkCompleters(c, "x.baz", "x.bar")
-	before := []*backend.Alias{{"bar", "x.bar"}}
-	after := []*backend.Alias{{"bar", "x.baz"}}
+	mkCompleters(c, s.base, "x.baz", "x.bar")
+	before := []*backend.Alias{{Name: "bar", Target: "x.bar"}}
+	after := []*backend.Alias{{Name: "bar", Target: "x.baz"}}
 
 	err := s.be.UpdateAliases(before, nil)
 	c.Assert(err, IsNil)
@@ -321,7 +332,7 @@
 }
 
 func (s *aliasesSuite) TestRemoveSnapAliases(c *C) {
-	aliases := []*backend.Alias{{"bar", "x.bar"}, {"baz", "y.baz"}}
+	aliases := []*backend.Alias{{Name: "bar", Target: "x.bar"}, {Name: "baz", Target: "y.baz"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -331,14 +342,18 @@
 
 	matchingAs, matchingCs, err := matchingAliases(aliases)
 	c.Assert(err, IsNil)
-	c.Check(matchingAs, DeepEquals, []*backend.Alias{{"baz", "y.baz"}})
+	c.Check(matchingAs, DeepEquals, []*backend.Alias{{Name: "baz", Target: "y.baz"}})
 	// no completion for the commands -> no completion for the aliases
 	c.Check(matchingCs, HasLen, 0)
 }
 
 func (s *aliasesSuite) TestRemoveSnapAliasesWithCompleter(c *C) {
-	mkCompleters(c, "x", "x.bar", "y", "y.baz")
-	aliases := []*backend.Alias{{"xx", "x"}, {"bar", "x.bar"}, {"baz", "y.baz"}, {"yy", "y"}}
+	mkCompleters(c, s.base, "x", "x.bar", "y", "y.baz")
+	aliases := []*backend.Alias{
+		{Name: "xx", Target: "x"},
+		{Name: "bar", Target: "x.bar"},
+		{Name: "baz", Target: "y.baz"},
+		{Name: "yy", Target: "y"}}
 
 	err := s.be.UpdateAliases(aliases, nil)
 	c.Assert(err, IsNil)
@@ -348,6 +363,6 @@
 
 	matchingAs, matchingCs, err := matchingAliases(aliases)
 	c.Assert(err, IsNil)
-	c.Check(matchingAs, DeepEquals, []*backend.Alias{{"baz", "y.baz"}, {"yy", "y"}})
-	c.Check(matchingCs, DeepEquals, []*backend.Alias{{"baz", "y.baz"}, {"yy", "y"}})
+	c.Check(matchingAs, DeepEquals, []*backend.Alias{{Name: "baz", Target: "y.baz"}, {Name: "yy", Target: "y"}})
+	c.Check(matchingCs, DeepEquals, []*backend.Alias{{Name: "baz", Target: "y.baz"}, {Name: "yy", Target: "y"}})
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/backend_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/backend_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -72,7 +72,7 @@
 	c.Assert(err, IsNil)
 
 	c.Assert(snapf, FitsTypeOf, &squashfs.Snap{})
-	c.Check(info.Name(), Equals, "hello")
+	c.Check(info.InstanceName(), Equals, "hello")
 }
 
 func (s *backendSuite) TestOpenSnapFilebSideInfo(c *C) {
@@ -93,7 +93,7 @@
 	c.Assert(err, IsNil)
 
 	// check side info
-	c.Check(info.Name(), Equals, "blessed")
+	c.Check(info.InstanceName(), Equals, "blessed")
 	c.Check(info.Revision, Equals, snap.R(42))
 
 	c.Check(info.SideInfo, DeepEquals, si)
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/copydata.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/copydata.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/copydata.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/copydata.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,6 +32,14 @@
 	// deal with the old data or
 	// otherwise just create a empty data dir
 
+	// Make sure the base data directory exists for instance snaps
+	if newSnap.InstanceKey != "" {
+		err := os.MkdirAll(snap.BaseDataDir(newSnap.SnapName()), 0755)
+		if err != nil && !os.IsExist(err) {
+			return err
+		}
+	}
+
 	// Make sure the common data directory exists, even if this isn't a new
 	// install.
 	if err := os.MkdirAll(newSnap.CommonDataDir(), 0755); err != nil {
@@ -56,7 +64,7 @@
 	}
 	err1 := b.RemoveSnapData(newInfo)
 	if err1 != nil {
-		logger.Noticef("Cannot remove data directories for %q: %v", newInfo.Name(), err1)
+		logger.Noticef("Cannot remove data directories for %q: %v", newInfo.InstanceName(), err1)
 	}
 
 	var err2 error
@@ -64,12 +72,12 @@
 		// first install, remove created common data dir
 		err2 = b.RemoveSnapCommonData(newInfo)
 		if err2 != nil {
-			logger.Noticef("Cannot remove common data directories for %q: %v", newInfo.Name(), err2)
+			logger.Noticef("Cannot remove common data directories for %q: %v", newInfo.InstanceName(), err2)
 		}
 	} else {
 		err2 = b.untrashData(newInfo)
 		if err2 != nil {
-			logger.Noticef("Cannot restore original data for %q while undoing: %v", newInfo.Name(), err2)
+			logger.Noticef("Cannot restore original data for %q while undoing: %v", newInfo.InstanceName(), err2)
 		}
 	}
 
@@ -80,7 +88,7 @@
 func (b Backend) ClearTrashedData(oldSnap *snap.Info) {
 	dirs, err := snapDataDirs(oldSnap)
 	if err != nil {
-		logger.Noticef("Cannot remove previous data for %q: %v", oldSnap.Name(), err)
+		logger.Noticef("Cannot remove previous data for %q: %v", oldSnap.InstanceName(), err)
 		return
 	}
 
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/export_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/export_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,3 +23,11 @@
 	AddMountUnit    = addMountUnit
 	RemoveMountUnit = removeMountUnit
 )
+
+func MockUpdateFontconfigCaches(f func() error) (restore func()) {
+	oldUpdateFontconfigCaches := updateFontconfigCaches
+	updateFontconfigCaches = f
+	return func() {
+		updateFontconfigCaches = oldUpdateFontconfigCaches
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/fontconfig.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/fontconfig.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/fontconfig.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/fontconfig.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,44 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend
+
+import (
+	"fmt"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+)
+
+var updateFontconfigCaches = updateFontconfigCachesImpl
+
+// updateFontconfigCaches always update the fontconfig caches
+func updateFontconfigCachesImpl() error {
+	for _, fc := range []string{"fc-cache-v6", "fc-cache-v7"} {
+		// FIXME: also use the snapd snap if available
+		cmd, err := osutil.CommandFromCore(dirs.SnapMountDir, "/bin/"+fc)
+		if err != nil {
+			return fmt.Errorf("cannot get %s from core: %v", fc, err)
+		}
+		if output, err := cmd.CombinedOutput(); err != nil {
+			return fmt.Errorf("cannot run %s on core: %v", fc, osutil.OutputErr(output, err))
+		}
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/link.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/link.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/link.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/link.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,9 +24,11 @@
 	"os"
 	"path/filepath"
 
+	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/boot"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/progress"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/wrappers"
 )
@@ -57,18 +59,35 @@
 }
 
 // LinkSnap makes the snap available by generating wrappers and setting the current symlinks.
-func (b Backend) LinkSnap(info *snap.Info) error {
+func (b Backend) LinkSnap(info *snap.Info, model *asserts.Model) error {
 	if info.Revision.Unset() {
-		return fmt.Errorf("cannot link snap %q with unset revision", info.Name())
+		return fmt.Errorf("cannot link snap %q with unset revision", info.InstanceName())
 	}
 
 	if err := generateWrappers(info); err != nil {
 		return err
 	}
 
+	// fontconfig is only relevant on classic
+	// TODO: consider moving this to a less hidden place
+	if release.OnClassic {
+		if err := updateFontconfigCaches(); err != nil {
+			logger.Noticef("cannot update fontconfig cache: %v", err)
+		}
+	}
+
 	// XXX/TODO: this needs to be a task with proper undo and tests!
-	if err := boot.SetNextBoot(info); err != nil {
-		return err
+	if model != nil && !release.OnClassic {
+		bootBase := "core"
+		if model.Base() != "" {
+			bootBase = model.Base()
+		}
+		switch info.InstanceName() {
+		case model.Kernel(), bootBase:
+			if err := boot.SetNextBoot(info); err != nil {
+				return err
+			}
+		}
 	}
 
 	return updateCurrentSymlinks(info)
@@ -105,17 +124,17 @@
 func removeGeneratedWrappers(s *snap.Info, meter progress.Meter) error {
 	err1 := wrappers.RemoveSnapBinaries(s)
 	if err1 != nil {
-		logger.Noticef("Cannot remove binaries for %q: %v", s.Name(), err1)
+		logger.Noticef("Cannot remove binaries for %q: %v", s.InstanceName(), err1)
 	}
 
 	err2 := wrappers.RemoveSnapServices(s, meter)
 	if err2 != nil {
-		logger.Noticef("Cannot remove services for %q: %v", s.Name(), err2)
+		logger.Noticef("Cannot remove services for %q: %v", s.InstanceName(), err2)
 	}
 
 	err3 := wrappers.RemoveSnapDesktopFiles(s)
 	if err3 != nil {
-		logger.Noticef("Cannot remove desktop files for %q: %v", s.Name(), err3)
+		logger.Noticef("Cannot remove desktop files for %q: %v", s.InstanceName(), err3)
 	}
 
 	return firstErr(err1, err2, err3)
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/link_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/link_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/link_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/link_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,6 +30,7 @@
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/progress"
+	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/systemd"
@@ -73,7 +74,7 @@
 `
 	info := snaptest.MockSnap(c, yaml, &snap.SideInfo{Revision: snap.R(11)})
 
-	err := s.be.LinkSnap(info)
+	err := s.be.LinkSnap(info, nil)
 	c.Assert(err, IsNil)
 
 	l, err := filepath.Glob(filepath.Join(dirs.SnapBinariesDir, "*"))
@@ -103,7 +104,7 @@
 
 	info := snaptest.MockSnap(c, yaml, &snap.SideInfo{Revision: snap.R(11)})
 
-	err := s.be.LinkSnap(info)
+	err := s.be.LinkSnap(info, nil)
 	c.Assert(err, IsNil)
 
 	mountDir := info.MountDir()
@@ -145,10 +146,10 @@
 
 	info := snaptest.MockSnap(c, yaml, &snap.SideInfo{Revision: snap.R(11)})
 
-	err := s.be.LinkSnap(info)
+	err := s.be.LinkSnap(info, nil)
 	c.Assert(err, IsNil)
 
-	err = s.be.LinkSnap(info)
+	err = s.be.LinkSnap(info, nil)
 	c.Assert(err, IsNil)
 
 	l, err := filepath.Glob(filepath.Join(dirs.SnapBinariesDir, "*"))
@@ -187,7 +188,7 @@
 
 	info := snaptest.MockSnap(c, yaml, &snap.SideInfo{Revision: snap.R(11)})
 
-	err := s.be.LinkSnap(info)
+	err := s.be.LinkSnap(info, nil)
 	c.Assert(err, IsNil)
 
 	err = s.be.UnlinkSnap(info, progress.Null)
@@ -215,7 +216,7 @@
 	info := &snap.Info{
 		SuggestedName: "foo",
 	}
-	err := s.be.LinkSnap(info)
+	err := s.be.LinkSnap(info, nil)
 	c.Assert(err, ErrorMatches, `cannot link snap "foo" with unset revision`)
 }
 
@@ -272,7 +273,7 @@
 	c.Assert(os.Chmod(dir, 0), IsNil)
 	defer os.Chmod(dir, 0755)
 
-	err := s.be.LinkSnap(s.info)
+	err := s.be.LinkSnap(s.info, nil)
 	c.Assert(err, NotNil)
 	c.Assert(err, FitsTypeOf, &os.PathError{})
 
@@ -303,7 +304,7 @@
 	})
 	defer r()
 
-	err := s.be.LinkSnap(s.info)
+	err := s.be.LinkSnap(s.info, nil)
 	c.Assert(err, ErrorMatches, "ouchie")
 
 	for _, d := range []string{dirs.SnapBinariesDir, dirs.SnapDesktopFilesDir, dirs.SnapServicesDir} {
@@ -311,5 +312,27 @@
 		c.Check(err, IsNil, Commentf(d))
 		c.Check(l, HasLen, 0, Commentf(d))
 	}
+}
+
+func (s *linkCleanupSuite) TestLinkRunsUpdateFontconfigCachesClassic(c *C) {
+	for _, onClassic := range []bool{false, true} {
 
+		restore := release.MockOnClassic(onClassic)
+		defer restore()
+
+		var updateFontconfigCaches int
+		restore = backend.MockUpdateFontconfigCaches(func() error {
+			updateFontconfigCaches += 1
+			return nil
+		})
+		defer restore()
+
+		err := s.be.LinkSnap(s.info, nil)
+		c.Assert(err, IsNil)
+		if onClassic {
+			c.Assert(updateFontconfigCaches, Equals, 1)
+		} else {
+			c.Assert(updateFontconfigCaches, Equals, 0)
+		}
+	}
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/mountunit.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/mountunit.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/mountunit.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/mountunit.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,13 +20,7 @@
 package backend
 
 import (
-	"os"
-	"os/exec"
-	"path/filepath"
-	"time"
-
 	"github.com/snapcore/snapd/dirs"
-	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/progress"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/systemd"
@@ -37,57 +31,11 @@
 	whereDir := dirs.StripRootDir(s.MountDir())
 
 	sysd := systemd.New(dirs.GlobalRootDir, meter)
-	mountUnitName, err := sysd.WriteMountUnitFile(s.Name(), squashfsPath, whereDir, "squashfs")
-	if err != nil {
-		return err
-	}
-
-	// we need to do a daemon-reload here to ensure that systemd really
-	// knows about this new mount unit file
-	if err := sysd.DaemonReload(); err != nil {
-		return err
-	}
-
-	if err := sysd.Enable(mountUnitName); err != nil {
-		return err
-	}
-
-	return sysd.Start(mountUnitName)
+	_, err := sysd.AddMountUnitFile(s.InstanceName(), s.Revision.String(), squashfsPath, whereDir, "squashfs")
+	return err
 }
 
-func removeMountUnit(baseDir string, meter progress.Meter) error {
+func removeMountUnit(mountDir string, meter progress.Meter) error {
 	sysd := systemd.New(dirs.GlobalRootDir, meter)
-	unit := systemd.MountUnitPath(dirs.StripRootDir(baseDir))
-	if osutil.FileExists(unit) {
-		// use umount -d (cleanup loopback devices) -l (lazy) to ensure that even busy mount points
-		// can be unmounted.
-		// note that the long option --lazy is not supported on trusty.
-		// the explicit -d is only needed on trusty.
-		isMounted, err := osutil.IsMounted(baseDir)
-		if err != nil {
-			return err
-		}
-		if isMounted {
-			if output, err := exec.Command("umount", "-d", "-l", baseDir).CombinedOutput(); err != nil {
-				return osutil.OutputErr(output, err)
-			}
-
-			if err := sysd.Stop(filepath.Base(unit), time.Duration(1*time.Second)); err != nil {
-				return err
-			}
-		}
-		if err := sysd.Disable(filepath.Base(unit)); err != nil {
-			return err
-		}
-		if err := os.Remove(unit); err != nil {
-			return err
-		}
-		// daemon-reload to ensure that systemd actually really
-		// forgets about this mount unit
-		if err := sysd.DaemonReload(); err != nil {
-			return err
-		}
-	}
-
-	return nil
+	return sysd.RemoveMountUnitFile(mountDir)
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/mountunit_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/mountunit_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/mountunit_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/mountunit_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,6 +28,7 @@
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/squashfs"
 	"github.com/snapcore/snapd/overlord/snapstate/backend"
 	"github.com/snapcore/snapd/progress"
 	"github.com/snapcore/snapd/snap"
@@ -62,6 +63,9 @@
 }
 
 func (s *mountunitSuite) TestAddMountUnit(c *C) {
+	restore := squashfs.MockUseFuse(false)
+	defer restore()
+
 	info := &snap.Info{
 		SideInfo: snap.SideInfo{
 			RealName: "foo",
@@ -77,7 +81,7 @@
 	un := fmt.Sprintf("%s.mount", systemd.EscapeUnitNamePath(filepath.Join(dirs.StripRootDir(dirs.SnapMountDir), "foo", "13")))
 	c.Assert(filepath.Join(dirs.SnapServicesDir, un), testutil.FileEquals, fmt.Sprintf(`
 [Unit]
-Description=Mount unit for foo
+Description=Mount unit for foo, revision 13
 Before=snapd.service
 
 [Mount]
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/setup.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/setup.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/setup.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/setup.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,13 +30,17 @@
 )
 
 // SetupSnap does prepare and mount the snap for further processing.
-func (b Backend) SetupSnap(snapFilePath string, sideInfo *snap.SideInfo, meter progress.Meter) (err error) {
+func (b Backend) SetupSnap(snapFilePath, instanceName string, sideInfo *snap.SideInfo, meter progress.Meter) (snapType snap.Type, err error) {
 	// This assumes that the snap was already verified or --dangerous was used.
 
 	s, snapf, oErr := OpenSnapFile(snapFilePath, sideInfo)
 	if oErr != nil {
-		return oErr
+		return snapType, oErr
 	}
+
+	// update instance key to what was requested
+	_, s.InstanceKey = snap.SplitInstanceName(instanceName)
+
 	instdir := s.MountDir()
 
 	defer func() {
@@ -50,25 +54,32 @@
 	}()
 
 	if err := os.MkdirAll(instdir, 0755); err != nil {
-		return err
+		return snapType, err
+	}
+
+	if s.InstanceKey != "" {
+		err := os.MkdirAll(snap.BaseDir(s.SnapName()), 0755)
+		if err != nil && !os.IsExist(err) {
+			return snapType, err
+		}
 	}
 
 	if err := snapf.Install(s.MountFile(), instdir); err != nil {
-		return err
+		return snapType, err
 	}
 
 	// generate the mount unit for the squashfs
 	if err := addMountUnit(s, meter); err != nil {
-		return err
+		return snapType, err
 	}
 
 	if s.Type == snap.TypeKernel {
 		if err := boot.ExtractKernelAssets(s, snapf); err != nil {
-			return fmt.Errorf("cannot install kernel: %s", err)
+			return snapType, fmt.Errorf("cannot install kernel: %s", err)
 		}
 	}
 
-	return err
+	return s.Type, err
 }
 
 // RemoveSnapFiles removes the snap files from the disk after unmounting the snap.
@@ -84,10 +95,6 @@
 		return err
 	}
 
-	// try to remove parent dir, failure is ok, means some other
-	// revisions are still in there
-	os.Remove(filepath.Dir(mountDir))
-
 	// snapPath may either be a file or a (broken) symlink to a dir
 	snapPath := s.MountFile()
 	if _, err := os.Lstat(snapPath); err == nil {
@@ -107,6 +114,23 @@
 	return nil
 }
 
+func (b Backend) RemoveSnapDir(s snap.PlaceInfo, hasOtherInstances bool) error {
+	mountDir := s.MountDir()
+
+	snapName, instanceKey := snap.SplitInstanceName(s.InstanceName())
+	if instanceKey != "" {
+		// always ok to remove instance specific one, failure to remove
+		// is ok, there may be other revisions
+		os.Remove(filepath.Dir(mountDir))
+	}
+	if !hasOtherInstances {
+		// remove only if not used by other instances of the same snap,
+		// failure to remove is ok, there may be other revisions
+		os.Remove(snap.BaseDir(snapName))
+	}
+	return nil
+}
+
 // UndoSetupSnap undoes the work of SetupSnap using RemoveSnapFiles.
 func (b Backend) UndoSetupSnap(s snap.PlaceInfo, typ snap.Type, meter progress.Meter) error {
 	return b.RemoveSnapFiles(s, typ, meter)
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/setup_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/setup_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/setup_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/setup_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -80,8 +80,9 @@
 		Revision: snap.R(14),
 	}
 
-	err := s.be.SetupSnap(snapPath, &si, progress.Null)
+	snapType, err := s.be.SetupSnap(snapPath, "hello", &si, progress.Null)
 	c.Assert(err, IsNil)
+	c.Check(snapType, Equals, snap.TypeApp)
 
 	// after setup the snap file is in the right dir
 	c.Assert(osutil.FileExists(filepath.Join(dirs.SnapBlobDir, "hello_14.snap")), Equals, true)
@@ -107,6 +108,41 @@
 
 }
 
+func (s *setupSuite) TestSetupDoUndoInstance(c *C) {
+	snapPath := makeTestSnap(c, helloYaml1)
+
+	si := snap.SideInfo{
+		RealName: "hello",
+		Revision: snap.R(14),
+	}
+
+	snapType, err := s.be.SetupSnap(snapPath, "hello_instance", &si, progress.Null)
+	c.Assert(err, IsNil)
+	c.Check(snapType, Equals, snap.TypeApp)
+
+	// after setup the snap file is in the right dir
+	c.Assert(osutil.FileExists(filepath.Join(dirs.SnapBlobDir, "hello_instance_14.snap")), Equals, true)
+
+	// ensure the right unit is created
+	mup := systemd.MountUnitPath(filepath.Join(dirs.StripRootDir(dirs.SnapMountDir), "hello_instance/14"))
+	c.Assert(mup, testutil.FileMatches, fmt.Sprintf("(?ms).*^Where=%s", filepath.Join(dirs.StripRootDir(dirs.SnapMountDir), "hello_instance/14")))
+	c.Assert(mup, testutil.FileMatches, "(?ms).*^What=/var/lib/snapd/snaps/hello_instance_14.snap")
+
+	minInfo := snap.MinimalPlaceInfo("hello_instance", snap.R(14))
+	// mount dir was created
+	c.Assert(osutil.FileExists(minInfo.MountDir()), Equals, true)
+
+	// undo undoes the mount unit and the instdir creation
+	err = s.be.UndoSetupSnap(minInfo, "app", progress.Null)
+	c.Assert(err, IsNil)
+
+	l, _ := filepath.Glob(filepath.Join(dirs.SnapServicesDir, "*.mount"))
+	c.Assert(l, HasLen, 0)
+	c.Assert(osutil.FileExists(minInfo.MountDir()), Equals, false)
+
+	c.Assert(osutil.FileExists(minInfo.MountFile()), Equals, false)
+}
+
 func (s *setupSuite) TestSetupDoUndoKernelUboot(c *C) {
 	bootloader := boottest.NewMockBootloader("mock", c.MkDir())
 	partition.ForceBootloader(bootloader)
@@ -131,8 +167,9 @@
 		Revision: snap.R(140),
 	}
 
-	err := s.be.SetupSnap(snapPath, &si, progress.Null)
+	snapType, err := s.be.SetupSnap(snapPath, "kernel", &si, progress.Null)
 	c.Assert(err, IsNil)
+	c.Check(snapType, Equals, snap.TypeKernel)
 	l, _ := filepath.Glob(filepath.Join(bootloader.Dir(), "*"))
 	c.Assert(l, HasLen, 1)
 
@@ -175,11 +212,11 @@
 		Revision: snap.R(140),
 	}
 
-	err := s.be.SetupSnap(snapPath, &si, progress.Null)
+	_, err := s.be.SetupSnap(snapPath, "kernel", &si, progress.Null)
 	c.Assert(err, IsNil)
 
 	// retry run
-	err = s.be.SetupSnap(snapPath, &si, progress.Null)
+	_, err = s.be.SetupSnap(snapPath, "kernel", &si, progress.Null)
 	c.Assert(err, IsNil)
 
 	minInfo := snap.MinimalPlaceInfo("kernel", snap.R(140))
@@ -224,7 +261,7 @@
 		Revision: snap.R(140),
 	}
 
-	err := s.be.SetupSnap(snapPath, &si, progress.Null)
+	_, err := s.be.SetupSnap(snapPath, "kernel", &si, progress.Null)
 	c.Assert(err, IsNil)
 
 	minInfo := snap.MinimalPlaceInfo("kernel", snap.R(140))
@@ -264,7 +301,7 @@
 	})
 	defer r()
 
-	err := s.be.SetupSnap(snapPath, &si, progress.Null)
+	_, err := s.be.SetupSnap(snapPath, "hello", &si, progress.Null)
 	c.Assert(err, ErrorMatches, "failed")
 
 	// everything is gone
@@ -276,3 +313,41 @@
 	c.Check(osutil.FileExists(minInfo.MountFile()), Equals, false)
 	c.Check(osutil.FileExists(filepath.Join(dirs.SnapBlobDir, "hello_14.snap")), Equals, false)
 }
+
+func (s *setupSuite) TestRemoveSnapFilesDir(c *C) {
+	snapPath := makeTestSnap(c, helloYaml1)
+
+	si := snap.SideInfo{
+		RealName: "hello",
+		Revision: snap.R(14),
+	}
+
+	snapType, err := s.be.SetupSnap(snapPath, "hello_instance", &si, progress.Null)
+	c.Assert(err, IsNil)
+	c.Check(snapType, Equals, snap.TypeApp)
+
+	minInfo := snap.MinimalPlaceInfo("hello_instance", snap.R(14))
+	// mount dir was created
+	c.Assert(osutil.FileExists(minInfo.MountDir()), Equals, true)
+
+	s.be.RemoveSnapFiles(minInfo, snapType, progress.Null)
+	c.Assert(err, IsNil)
+
+	l, _ := filepath.Glob(filepath.Join(dirs.SnapServicesDir, "*.mount"))
+	c.Assert(l, HasLen, 0)
+	c.Assert(osutil.FileExists(minInfo.MountDir()), Equals, false)
+	c.Assert(osutil.FileExists(minInfo.MountFile()), Equals, false)
+	c.Assert(osutil.FileExists(snap.BaseDir(minInfo.InstanceName())), Equals, true)
+	c.Assert(osutil.FileExists(snap.BaseDir(minInfo.SnapName())), Equals, true)
+
+	// /snap/hello is kept as other instances exist
+	err = s.be.RemoveSnapDir(minInfo, true)
+	c.Assert(err, IsNil)
+	c.Assert(osutil.FileExists(snap.BaseDir(minInfo.InstanceName())), Equals, false)
+	c.Assert(osutil.FileExists(snap.BaseDir(minInfo.SnapName())), Equals, true)
+
+	// /snap/hello is removed when there are no more instances
+	err = s.be.RemoveSnapDir(minInfo, false)
+	c.Assert(err, IsNil)
+	c.Assert(osutil.FileExists(snap.BaseDir(minInfo.SnapName())), Equals, false)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/snapdata.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/snapdata.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/snapdata.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/snapdata.go	2019-01-16 08:36:51.000000000 +0000
@@ -52,6 +52,26 @@
 	return removeDirs(dirs)
 }
 
+// RemoveSnapDataDir removes base snap data directory
+func (b Backend) RemoveSnapDataDir(info *snap.Info, hasOtherInstances bool) error {
+	if info.InstanceKey != "" {
+		// data directories of snaps with instance key are never used by
+		// other instances
+		if err := os.Remove(snap.BaseDataDir(info.InstanceName())); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("failed to remove snap %q base directory: %v", info.InstanceName(), err)
+		}
+	}
+	if !hasOtherInstances {
+		// remove the snap base directory only if there are no other
+		// snap instances using it
+		if err := os.Remove(snap.BaseDataDir(info.SnapName())); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("failed to remove snap %q base directory: %v", info.SnapName(), err)
+		}
+	}
+
+	return nil
+}
+
 func (b Backend) untrashData(snap *snap.Info) error {
 	dirs, err := snapDataDirs(snap)
 	if err != nil {
@@ -72,9 +92,6 @@
 		if err := os.RemoveAll(dir); err != nil {
 			return err
 		}
-
-		// Attempt to remove the parent directory as well (ignore any failure)
-		os.Remove(filepath.Dir(dir))
 	}
 
 	return nil
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend/snapdata_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend/snapdata_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend/snapdata_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend/snapdata_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,120 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package backend_test
+
+import (
+	"os"
+	"path/filepath"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+
+	"github.com/snapcore/snapd/overlord/snapstate/backend"
+)
+
+type snapdataSuite struct {
+	be      backend.Backend
+	tempdir string
+}
+
+var _ = Suite(&snapdataSuite{})
+
+func (s *snapdataSuite) SetUpTest(c *C) {
+	s.tempdir = c.MkDir()
+	dirs.SetRootDir(s.tempdir)
+}
+
+func (s *snapdataSuite) TearDownTest(c *C) {
+	dirs.SetRootDir("")
+}
+
+func (s *snapdataSuite) TestRemoveSnapData(c *C) {
+	homedir := filepath.Join(s.tempdir, "home", "user1", "snap")
+	homeData := filepath.Join(homedir, "hello/10")
+	err := os.MkdirAll(homeData, 0755)
+	c.Assert(err, IsNil)
+	varData := filepath.Join(dirs.SnapDataDir, "hello/10")
+	err = os.MkdirAll(varData, 0755)
+	c.Assert(err, IsNil)
+
+	info := snaptest.MockSnap(c, helloYaml1, &snap.SideInfo{Revision: snap.R(10)})
+	err = s.be.RemoveSnapData(info)
+
+	c.Assert(err, IsNil)
+	c.Assert(osutil.FileExists(homeData), Equals, false)
+	c.Assert(osutil.FileExists(filepath.Dir(homeData)), Equals, true)
+	c.Assert(osutil.FileExists(varData), Equals, false)
+	c.Assert(osutil.FileExists(filepath.Dir(varData)), Equals, true)
+}
+
+func (s *snapdataSuite) TestRemoveSnapCommonData(c *C) {
+	homedir := filepath.Join(s.tempdir, "home", "user1", "snap")
+	homeCommonData := filepath.Join(homedir, "hello/common")
+	err := os.MkdirAll(homeCommonData, 0755)
+	c.Assert(err, IsNil)
+	varCommonData := filepath.Join(dirs.SnapDataDir, "hello/common")
+	err = os.MkdirAll(varCommonData, 0755)
+	c.Assert(err, IsNil)
+
+	info := snaptest.MockSnap(c, helloYaml1, &snap.SideInfo{Revision: snap.R(10)})
+
+	err = s.be.RemoveSnapCommonData(info)
+	c.Assert(err, IsNil)
+	c.Assert(osutil.FileExists(homeCommonData), Equals, false)
+	c.Assert(osutil.FileExists(filepath.Dir(homeCommonData)), Equals, true)
+	c.Assert(osutil.FileExists(varCommonData), Equals, false)
+	c.Assert(osutil.FileExists(filepath.Dir(varCommonData)), Equals, true)
+}
+
+func (s *snapdataSuite) TestRemoveSnapDataDir(c *C) {
+	varBaseData := filepath.Join(dirs.SnapDataDir, "hello")
+	err := os.MkdirAll(varBaseData, 0755)
+	c.Assert(err, IsNil)
+	varBaseDataInstance := filepath.Join(dirs.SnapDataDir, "hello_instance")
+	err = os.MkdirAll(varBaseDataInstance, 0755)
+	c.Assert(err, IsNil)
+
+	info := snaptest.MockSnap(c, helloYaml1, &snap.SideInfo{Revision: snap.R(10)})
+
+	err = s.be.RemoveSnapDataDir(info, true)
+	c.Assert(err, IsNil)
+	c.Assert(osutil.FileExists(varBaseData), Equals, true)
+	c.Assert(osutil.FileExists(varBaseDataInstance), Equals, true)
+
+	// now with instance key
+	info.InstanceKey = "instance"
+	err = s.be.RemoveSnapDataDir(info, true)
+	c.Assert(err, IsNil)
+	// instance directory is gone
+	c.Assert(osutil.FileExists(varBaseDataInstance), Equals, false)
+	// but the snap-name one is still around
+	c.Assert(osutil.FileExists(varBaseData), Equals, true)
+
+	// back to no instance key
+	info.InstanceKey = ""
+	err = s.be.RemoveSnapDataDir(info, false)
+	c.Assert(err, IsNil)
+	// the snap-name directory is gone now too
+	c.Assert(osutil.FileExists(varBaseData), Equals, false)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend.go snapd-2.37~rc1~14.04/overlord/snapstate/backend.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,6 +25,7 @@
 	"golang.org/x/net/context"
 
 	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/snapstate/backend"
 	"github.com/snapcore/snapd/progress"
@@ -36,24 +37,30 @@
 type StoreService interface {
 	SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error)
 	Find(search *store.Search, user *auth.UserState) ([]*snap.Info, error)
-	LookupRefresh(*store.RefreshCandidate, *auth.UserState) (*snap.Info, error)
-	ListRefresh(context.Context, []*store.RefreshCandidate, *auth.UserState, *store.RefreshOptions) ([]*snap.Info, error)
+
+	SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error)
+
 	Sections(ctx context.Context, user *auth.UserState) ([]string, error)
 	WriteCatalogs(ctx context.Context, names io.Writer, adder store.SnapAdder) error
-	Download(context.Context, string, string, *snap.DownloadInfo, progress.Meter, *auth.UserState) error
+
+	Download(context.Context, string, string, *snap.DownloadInfo, progress.Meter, *auth.UserState, *store.DownloadOptions) error
 
 	Assertion(assertType *asserts.AssertionType, primaryKey []string, user *auth.UserState) (asserts.Assertion, error)
 
 	SuggestedCurrency() string
-	Buy(options *store.BuyOptions, user *auth.UserState) (*store.BuyResult, error)
+	Buy(options *client.BuyOptions, user *auth.UserState) (*client.BuyResult, error)
 	ReadyToBuy(*auth.UserState) error
+	ConnectivityCheck() (map[string]bool, error)
+
+	LoginUser(username, password, otp string) (string, string, error)
+	UserInfo(email string) (userinfo *store.User, err error)
 }
 
 type managerBackend interface {
 	// install releated
-	SetupSnap(snapFilePath string, si *snap.SideInfo, meter progress.Meter) error
+	SetupSnap(snapFilePath, instanceName string, si *snap.SideInfo, meter progress.Meter) (snap.Type, error)
 	CopySnapData(newSnap, oldSnap *snap.Info, meter progress.Meter) error
-	LinkSnap(info *snap.Info) error
+	LinkSnap(info *snap.Info, model *asserts.Model) error
 	StartServices(svcs []*snap.AppInfo, meter progress.Meter) error
 	StopServices(svcs []*snap.AppInfo, reason snap.ServiceStopReason, meter progress.Meter) error
 
@@ -66,8 +73,10 @@
 	// remove related
 	UnlinkSnap(info *snap.Info, meter progress.Meter) error
 	RemoveSnapFiles(s snap.PlaceInfo, typ snap.Type, meter progress.Meter) error
+	RemoveSnapDir(s snap.PlaceInfo, hasOtherInstances bool) error
 	RemoveSnapData(info *snap.Info) error
 	RemoveSnapCommonData(info *snap.Info) error
+	RemoveSnapDataDir(info *snap.Info, hasOtherInstances bool) error
 	DiscardSnapNamespace(snapName string) error
 
 	// alias related
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/backend_test.go snapd-2.37~rc1~14.04/overlord/snapstate/backend_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/backend_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/backend_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -26,9 +26,12 @@
 	"path/filepath"
 	"sort"
 	"strings"
+	"sync"
 
 	"golang.org/x/net/context"
 
+	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/snapstate/backend"
@@ -44,10 +47,13 @@
 
 	name    string
 	channel string
+	path    string
 	revno   snap.Revision
 	sinfo   snap.SideInfo
 	stype   snap.Type
-	cand    store.RefreshCandidate
+
+	curSnaps []store.CurrentSnap
+	action   store.SnapAction
 
 	old string
 
@@ -55,6 +61,10 @@
 	rmAliases []*backend.Alias
 
 	userID int
+
+	otherInstances bool
+
+	services []string
 }
 
 type fakeOps []fakeOp
@@ -91,6 +101,31 @@
 type fakeDownload struct {
 	name     string
 	macaroon string
+	target   string
+	opts     *store.DownloadOptions
+}
+
+type byName []store.CurrentSnap
+
+func (bna byName) Len() int      { return len(bna) }
+func (bna byName) Swap(i, j int) { bna[i], bna[j] = bna[j], bna[i] }
+func (bna byName) Less(i, j int) bool {
+	return bna[i].InstanceName < bna[j].InstanceName
+}
+
+type byAction []*store.SnapAction
+
+func (ba byAction) Len() int      { return len(ba) }
+func (ba byAction) Swap(i, j int) { ba[i], ba[j] = ba[j], ba[i] }
+func (ba byAction) Less(i, j int) bool {
+	if ba[i].Action == ba[j].Action {
+		if ba[i].Action == "refresh" {
+			return ba[i].SnapID < ba[j].SnapID
+		} else {
+			return ba[i].InstanceName < ba[j].InstanceName
+		}
+	}
+	return ba[i].Action < ba[j].Action
 }
 
 type fakeStore struct {
@@ -102,6 +137,7 @@
 	fakeCurrentProgress int
 	fakeTotalProgress   int
 	state               *state.State
+	seenPrivacyKeys     map[string]bool
 }
 
 func (f *fakeStore) pokeStateLock() {
@@ -114,6 +150,31 @@
 func (f *fakeStore) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
 	f.pokeStateLock()
 
+	_, instanceKey := snap.SplitInstanceName(spec.Name)
+	if instanceKey != "" {
+		return nil, fmt.Errorf("internal error: unexpected instance name: %q", spec.Name)
+	}
+	sspec := snapSpec{
+		Name: spec.Name,
+	}
+	info, err := f.snap(sspec, user)
+
+	userID := 0
+	if user != nil {
+		userID = user.ID
+	}
+	f.fakeBackend.appendOp(&fakeOp{op: "storesvc-snap", name: spec.Name, revno: info.Revision, userID: userID})
+
+	return info, err
+}
+
+type snapSpec struct {
+	Name     string
+	Channel  string
+	Revision snap.Revision
+}
+
+func (f *fakeStore) snap(spec snapSpec, user *auth.UserState) (*snap.Info, error) {
 	if spec.Revision.Unset() {
 		spec.Revision = snap.R(11)
 		if spec.Channel == "channel-for-7" {
@@ -124,8 +185,26 @@
 	confinement := snap.StrictConfinement
 
 	typ := snap.TypeApp
-	if spec.Name == "some-core" {
+	epoch := snap.E("1*")
+	switch spec.Name {
+	case "core", "ubuntu-core", "some-core":
 		typ = snap.TypeOS
+	case "some-base":
+		typ = snap.TypeBase
+	case "some-kernel":
+		typ = snap.TypeKernel
+	case "some-gadget":
+		typ = snap.TypeGadget
+	case "some-snapd":
+		typ = snap.TypeSnapd
+	case "some-snap-now-classic":
+		confinement = "classic"
+	case "some-epoch-snap":
+		epoch = snap.E("42")
+	}
+
+	if spec.Name == "snap-unknown" {
+		return nil, store.ErrSnapNotFound
 	}
 
 	info := &snap.Info{
@@ -142,6 +221,7 @@
 		},
 		Confinement: confinement,
 		Type:        typ,
+		Epoch:       epoch,
 	}
 	switch spec.Channel {
 	case "channel-for-devmode":
@@ -163,27 +243,25 @@
 		}
 	}
 
-	userID := 0
-	if user != nil {
-		userID = user.ID
-	}
-	f.fakeBackend.ops = append(f.fakeBackend.ops, fakeOp{op: "storesvc-snap", name: spec.Name, revno: spec.Revision, userID: userID})
-
 	return info, nil
 }
 
-func (f *fakeStore) LookupRefresh(cand *store.RefreshCandidate, user *auth.UserState) (*snap.Info, error) {
-	f.pokeStateLock()
-
-	if cand == nil {
-		panic("LookupRefresh called with no candidate")
-	}
+type refreshCand struct {
+	snapID           string
+	channel          string
+	revision         snap.Revision
+	block            []snap.Revision
+	ignoreValidation bool
+}
 
+func (f *fakeStore) lookupRefresh(cand refreshCand) (*snap.Info, error) {
 	var name string
 
-	switch cand.SnapID {
+	typ := snap.TypeApp
+	epoch := snap.E("1*")
+	switch cand.snapID {
 	case "":
-		return nil, store.ErrLocalSnap
+		panic("store refresh APIs expect snap-ids")
 	case "other-snap-id":
 		return nil, store.ErrNoUpdateAvailable
 	case "fakestore-please-error-on-refresh":
@@ -192,20 +270,48 @@
 		name = "services-snap"
 	case "some-snap-id":
 		name = "some-snap"
+	case "some-epoch-snap-id":
+		name = "some-epoch-snap"
+		epoch = snap.E("42")
+	case "some-snap-now-classic-id":
+		name = "some-snap-now-classic"
+	case "some-snap-was-classic-id":
+		name = "some-snap-was-classic"
 	case "core-snap-id":
 		name = "core"
+		typ = snap.TypeOS
+	case "core18-snap-id":
+		name = "core18"
+		typ = snap.TypeBase
 	case "snap-with-snapd-control-id":
 		name = "snap-with-snapd-control"
+	case "producer-id":
+		name = "producer"
+	case "consumer-id":
+		name = "consumer"
+	case "some-base-id":
+		name = "some-base"
+		typ = snap.TypeBase
+	case "snap-content-plug-id":
+		name = "snap-content-plug"
+	case "snapd-id":
+		name = "snapd"
+	case "kernel-id":
+		name = "kernel"
+		typ = snap.TypeKernel
+	case "brand-gadget-id":
+		name = "brand-gadget"
+		typ = snap.TypeGadget
 	default:
-		panic(fmt.Sprintf("ListRefresh: unknown snap-id: %s", cand.SnapID))
+		panic(fmt.Sprintf("refresh: unknown snap-id: %s", cand.snapID))
 	}
 
 	revno := snap.R(11)
-	if r := f.refreshRevnos[cand.SnapID]; !r.Unset() {
+	if r := f.refreshRevnos[cand.snapID]; !r.Unset() {
 		revno = r
 	}
 	confinement := snap.StrictConfinement
-	switch cand.Channel {
+	switch cand.channel {
 	case "channel-for-7":
 		revno = snap.R(7)
 	case "channel-for-classic":
@@ -213,12 +319,16 @@
 	case "channel-for-devmode":
 		confinement = snap.DevModeConfinement
 	}
+	if name == "some-snap-now-classic" {
+		confinement = "classic"
+	}
 
 	info := &snap.Info{
+		Type: typ,
 		SideInfo: snap.SideInfo{
 			RealName: name,
-			Channel:  cand.Channel,
-			SnapID:   cand.SnapID,
+			Channel:  cand.channel,
+			SnapID:   cand.snapID,
 			Revision: revno,
 		},
 		Version: name,
@@ -227,8 +337,9 @@
 		},
 		Confinement:   confinement,
 		Architectures: []string{"all"},
+		Epoch:         epoch,
 	}
-	switch cand.Channel {
+	switch cand.channel {
 	case "channel-for-layout":
 		info.Layout = map[string]*snap.Layout{
 			"/usr": {
@@ -237,26 +348,21 @@
 				Symlink: "$SNAP/usr",
 			},
 		}
+	case "channel-for-base":
+		info.Base = "some-base"
 	}
 
 	var hit snap.Revision
-	if cand.Revision != revno {
+	if cand.revision != revno {
 		hit = revno
 	}
-	for _, blocked := range cand.Block {
+	for _, blocked := range cand.block {
 		if blocked == revno {
 			hit = snap.Revision{}
 			break
 		}
 	}
 
-	userID := 0
-	if user != nil {
-		userID = user.ID
-	}
-	// TODO: move this back to ListRefresh
-	f.fakeBackend.ops = append(f.fakeBackend.ops, fakeOp{op: "storesvc-list-refresh", cand: *cand, revno: hit, userID: userID})
-
 	if !hit.Unset() {
 		return info, nil
 	}
@@ -264,28 +370,158 @@
 	return nil, store.ErrNoUpdateAvailable
 }
 
-func (f *fakeStore) ListRefresh(ctx context.Context, cands []*store.RefreshCandidate, user *auth.UserState, flags *store.RefreshOptions) ([]*snap.Info, error) {
+func (f *fakeStore) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
 	if ctx == nil {
 		panic("context required")
 	}
 	f.pokeStateLock()
 
-	if len(cands) == 0 {
+	if len(currentSnaps) == 0 && len(actions) == 0 {
 		return nil, nil
 	}
-	if len(cands) > 3 {
-		panic("fake ListRefresh unexpectedly called with more than 3 candidates")
+	if len(actions) > 4 {
+		panic("fake SnapAction unexpectedly called with more than 3 actions")
+	}
+
+	curByInstanceName := make(map[string]*store.CurrentSnap, len(currentSnaps))
+	curSnaps := make(byName, len(currentSnaps))
+	for i, cur := range currentSnaps {
+		if cur.InstanceName == "" || cur.SnapID == "" || cur.Revision.Unset() {
+			return nil, fmt.Errorf("internal error: incomplete current snap info")
+		}
+		curByInstanceName[cur.InstanceName] = cur
+		curSnaps[i] = *cur
+	}
+	sort.Sort(curSnaps)
+
+	userID := 0
+	if user != nil {
+		userID = user.ID
+	}
+	if len(curSnaps) == 0 {
+		curSnaps = nil
 	}
+	f.fakeBackend.appendOp(&fakeOp{
+		op:       "storesvc-snap-action",
+		curSnaps: curSnaps,
+		userID:   userID,
+	})
+
+	if f.seenPrivacyKeys == nil {
+		// so that checks don't topple over this being uninitialized
+		f.seenPrivacyKeys = make(map[string]bool)
+	}
+	if opts != nil && opts.PrivacyKey != "" {
+		f.seenPrivacyKeys[opts.PrivacyKey] = true
+	}
+
+	sorted := make(byAction, len(actions))
+	copy(sorted, actions)
+	sort.Sort(sorted)
 
+	refreshErrors := make(map[string]error)
+	installErrors := make(map[string]error)
 	var res []*snap.Info
-	for _, cand := range cands {
-		info, err := f.LookupRefresh(cand, user)
-		if err == store.ErrLocalSnap || err == store.ErrNoUpdateAvailable {
+	for _, a := range sorted {
+		if a.Action != "install" && a.Action != "refresh" {
+			panic("not supported")
+		}
+		if a.InstanceName == "" {
+			return nil, fmt.Errorf("internal error: action without instance name")
+		}
+
+		snapName, instanceKey := snap.SplitInstanceName(a.InstanceName)
+
+		if a.Action == "install" {
+			spec := snapSpec{
+				Name:     snapName,
+				Channel:  a.Channel,
+				Revision: a.Revision,
+			}
+			info, err := f.snap(spec, user)
+			if err != nil {
+				installErrors[a.InstanceName] = err
+				continue
+			}
+			f.fakeBackend.appendOp(&fakeOp{
+				op:     "storesvc-snap-action:action",
+				action: *a,
+				revno:  info.Revision,
+				userID: userID,
+			})
+			if !a.Revision.Unset() {
+				info.Channel = ""
+			}
+			info.InstanceKey = instanceKey
+			res = append(res, info)
+			continue
+		}
+
+		// refresh
+
+		cur := curByInstanceName[a.InstanceName]
+		if cur == nil {
+			return nil, fmt.Errorf("internal error: no matching current snap for %q", a.InstanceName)
+		}
+		channel := a.Channel
+		if channel == "" {
+			channel = cur.TrackingChannel
+		}
+		ignoreValidation := cur.IgnoreValidation
+		if a.Flags&store.SnapActionIgnoreValidation != 0 {
+			ignoreValidation = true
+		} else if a.Flags&store.SnapActionEnforceValidation != 0 {
+			ignoreValidation = false
+		}
+		cand := refreshCand{
+			snapID:           a.SnapID,
+			channel:          channel,
+			revision:         cur.Revision,
+			block:            cur.Block,
+			ignoreValidation: ignoreValidation,
+		}
+		info, err := f.lookupRefresh(cand)
+		var hit snap.Revision
+		if info != nil {
+			if !a.Revision.Unset() {
+				info.Revision = a.Revision
+			}
+			hit = info.Revision
+		}
+		f.fakeBackend.ops = append(f.fakeBackend.ops, fakeOp{
+			op:     "storesvc-snap-action:action",
+			action: *a,
+			revno:  hit,
+			userID: userID,
+		})
+		if err == store.ErrNoUpdateAvailable {
+			refreshErrors[cur.InstanceName] = err
 			continue
 		}
+		if err != nil {
+			return nil, err
+		}
+		if !a.Revision.Unset() {
+			info.Channel = ""
+		}
+		info.InstanceKey = instanceKey
 		res = append(res, info)
 	}
 
+	if len(refreshErrors)+len(installErrors) > 0 || len(res) == 0 {
+		if len(refreshErrors) == 0 {
+			refreshErrors = nil
+		}
+		if len(installErrors) == 0 {
+			installErrors = nil
+		}
+		return res, &store.SnapActionError{
+			NoResults: len(refreshErrors)+len(installErrors)+len(res) == 0,
+			Refresh:   refreshErrors,
+			Install:   installErrors,
+		}
+	}
+
 	return res, nil
 }
 
@@ -295,18 +531,27 @@
 	return "XTS"
 }
 
-func (f *fakeStore) Download(ctx context.Context, name, targetFn string, snapInfo *snap.DownloadInfo, pb progress.Meter, user *auth.UserState) error {
+func (f *fakeStore) Download(ctx context.Context, name, targetFn string, snapInfo *snap.DownloadInfo, pb progress.Meter, user *auth.UserState, dlOpts *store.DownloadOptions) error {
 	f.pokeStateLock()
 
+	if _, key := snap.SplitInstanceName(name); key != "" {
+		return fmt.Errorf("internal error: unsupported download with instance name %q", name)
+	}
 	var macaroon string
 	if user != nil {
 		macaroon = user.StoreMacaroon
 	}
+	// only add the options if they contain anything interessting
+	if *dlOpts == (store.DownloadOptions{}) {
+		dlOpts = nil
+	}
 	f.downloads = append(f.downloads, fakeDownload{
 		macaroon: macaroon,
 		name:     name,
+		target:   targetFn,
+		opts:     dlOpts,
 	})
-	f.fakeBackend.ops = append(f.fakeBackend.ops, fakeOp{op: "storesvc-download", name: name})
+	f.fakeBackend.appendOp(&fakeOp{op: "storesvc-download", name: name})
 
 	pb.SetTotal(float64(f.fakeTotalProgress))
 	pb.Set(float64(f.fakeCurrentProgress))
@@ -319,7 +564,8 @@
 		panic("context required")
 	}
 	f.pokeStateLock()
-	f.fakeBackend.ops = append(f.fakeBackend.ops, fakeOp{
+
+	f.fakeBackend.appendOp(&fakeOp{
 		op: "x-commands",
 	})
 
@@ -331,7 +577,8 @@
 		panic("context required")
 	}
 	f.pokeStateLock()
-	f.fakeBackend.ops = append(f.fakeBackend.ops, fakeOp{
+
+	f.fakeBackend.appendOp(&fakeOp{
 		op: "x-sections",
 	})
 
@@ -340,6 +587,10 @@
 
 type fakeSnappyBackend struct {
 	ops fakeOps
+	mu  sync.Mutex
+
+	linkSnapWaitCh      chan int
+	linkSnapWaitTrigger string
 
 	linkSnapFailTrigger     string
 	copySnapDataFailTrigger string
@@ -349,63 +600,122 @@
 func (f *fakeSnappyBackend) OpenSnapFile(snapFilePath string, si *snap.SideInfo) (*snap.Info, snap.Container, error) {
 	op := fakeOp{
 		op:   "open-snap-file",
-		name: snapFilePath,
+		path: snapFilePath,
 	}
 
 	if si != nil {
 		op.sinfo = *si
 	}
 
-	name := filepath.Base(snapFilePath)
-	if idx := strings.IndexByte(name, '_'); idx > -1 {
-		name = name[:idx]
+	var info *snap.Info
+	if !osutil.IsDirectory(snapFilePath) {
+		name := filepath.Base(snapFilePath)
+		split := strings.Split(name, "_")
+		if len(split) >= 2 {
+			// <snap>_<rev>.snap
+			// <snap>_<instance-key>_<rev>.snap
+			name = split[0]
+		}
+
+		info = &snap.Info{SuggestedName: name, Architectures: []string{"all"}}
+		if name == "some-snap-now-classic" {
+			info.Confinement = "classic"
+		}
+		if name == "some-epoch-snap" {
+			info.Epoch = snap.E("42")
+		} else {
+			info.Epoch = snap.E("1*")
+		}
+	} else {
+		// for snap try only
+		snapf, err := snap.Open(snapFilePath)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		info, err = snap.ReadInfoFromSnapFile(snapf, si)
+		if err != nil {
+			return nil, nil, err
+		}
 	}
 
-	f.ops = append(f.ops, op)
-	return &snap.Info{SuggestedName: name, Architectures: []string{"all"}}, f.emptyContainer, nil
+	if info == nil {
+		return nil, nil, fmt.Errorf("internal error: no mocked snap for %q", snapFilePath)
+	}
+	f.appendOp(&op)
+	return info, f.emptyContainer, nil
 }
 
-func (f *fakeSnappyBackend) SetupSnap(snapFilePath string, si *snap.SideInfo, p progress.Meter) error {
+func (f *fakeSnappyBackend) SetupSnap(snapFilePath, instanceName string, si *snap.SideInfo, p progress.Meter) (snap.Type, error) {
 	p.Notify("setup-snap")
 	revno := snap.R(0)
 	if si != nil {
 		revno = si.Revision
 	}
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:    "setup-snap",
-		name:  snapFilePath,
+		name:  instanceName,
+		path:  snapFilePath,
 		revno: revno,
 	})
-	return nil
+	snapType := snap.TypeApp
+	switch si.RealName {
+	case "core":
+		snapType = snap.TypeOS
+	case "gadget":
+		snapType = snap.TypeGadget
+	}
+	if instanceName == "borken-in-setup" {
+		return snapType, fmt.Errorf("cannot install snap %q", instanceName)
+	}
+	return snapType, nil
 }
 
 func (f *fakeSnappyBackend) ReadInfo(name string, si *snap.SideInfo) (*snap.Info, error) {
-	if name == "borken" {
+	if name == "borken" && si.Revision == snap.R(2) {
 		return nil, errors.New(`cannot read info for "borken" snap`)
 	}
+	if name == "borken-undo-setup" && si.Revision == snap.R(2) {
+		return nil, errors.New(`cannot read info for "borken-undo-setup" snap`)
+	}
+	if name == "not-there" && si.Revision == snap.R(2) {
+		return nil, &snap.NotFoundError{Snap: name, Revision: si.Revision}
+	}
+	snapName, instanceKey := snap.SplitInstanceName(name)
 	// naive emulation for now, always works
 	info := &snap.Info{
-		SuggestedName: name,
+		SuggestedName: snapName,
 		SideInfo:      *si,
 		Architectures: []string{"all"},
 		Type:          snap.TypeApp,
+		Epoch:         snap.E("1*"),
 	}
-	if strings.Contains(name, "alias-snap") {
-		name = "alias-snap"
-	}
-	switch name {
+	if strings.Contains(snapName, "alias-snap") {
+		// only for the switch below
+		snapName = "alias-snap"
+	}
+	switch snapName {
+	case "some-epoch-snap":
+		info.Epoch = snap.E("13")
 	case "gadget":
 		info.Type = snap.TypeGadget
 	case "core":
 		info.Type = snap.TypeOS
 	case "services-snap":
 		var err error
+		// fix services after/before so that there is only one solution
+		// to dependency ordering
 		info, err = snap.InfoFromSnapYaml([]byte(`name: services-snap
 apps:
   svc1:
     daemon: simple
+    before: [svc3]
   svc2:
     daemon: simple
+    after: [svc1]
+  svc3:
+    daemon: simple
+    before: [svc2]
 `))
 		if err != nil {
 			panic(err)
@@ -429,13 +739,14 @@
 		info.SideInfo = *si
 	}
 
+	info.InstanceKey = instanceKey
 	return info, nil
 }
 
 func (f *fakeSnappyBackend) ClearTrashedData(si *snap.Info) {
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:    "cleanup-trash",
-		name:  si.Name(),
+		name:  si.InstanceName(),
 		revno: si.Revision,
 	})
 }
@@ -454,34 +765,39 @@
 	}
 
 	if newInfo.MountDir() == f.copySnapDataFailTrigger {
-		f.ops = append(f.ops, fakeOp{
+		f.appendOp(&fakeOp{
 			op:   "copy-data.failed",
-			name: newInfo.MountDir(),
+			path: newInfo.MountDir(),
 			old:  old,
 		})
 		return errors.New("fail")
 	}
 
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   "copy-data",
-		name: newInfo.MountDir(),
+		path: newInfo.MountDir(),
 		old:  old,
 	})
 	return nil
 }
 
-func (f *fakeSnappyBackend) LinkSnap(info *snap.Info) error {
+func (f *fakeSnappyBackend) LinkSnap(info *snap.Info, model *asserts.Model) error {
+	if info.MountDir() == f.linkSnapWaitTrigger {
+		f.linkSnapWaitCh <- 1
+		<-f.linkSnapWaitCh
+	}
+
 	if info.MountDir() == f.linkSnapFailTrigger {
 		f.ops = append(f.ops, fakeOp{
 			op:   "link-snap.failed",
-			name: info.MountDir(),
+			path: info.MountDir(),
 		})
 		return errors.New("fail")
 	}
 
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   "link-snap",
-		name: info.MountDir(),
+		path: info.MountDir(),
 	})
 	return nil
 }
@@ -497,28 +813,37 @@
 }
 
 func (f *fakeSnappyBackend) StartServices(svcs []*snap.AppInfo, meter progress.Meter) error {
-	f.ops = append(f.ops, fakeOp{
-		op:   "start-snap-services",
-		name: svcSnapMountDir(svcs),
+	services := make([]string, 0, len(svcs))
+	for _, svc := range svcs {
+		services = append(services, svc.Name)
+	}
+	f.appendOp(&fakeOp{
+		op:       "start-snap-services",
+		path:     svcSnapMountDir(svcs),
+		services: services,
 	})
 	return nil
 }
 
 func (f *fakeSnappyBackend) StopServices(svcs []*snap.AppInfo, reason snap.ServiceStopReason, meter progress.Meter) error {
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   fmt.Sprintf("stop-snap-services:%s", reason),
-		name: svcSnapMountDir(svcs),
+		path: svcSnapMountDir(svcs),
 	})
 	return nil
 }
 
 func (f *fakeSnappyBackend) UndoSetupSnap(s snap.PlaceInfo, typ snap.Type, p progress.Meter) error {
 	p.Notify("setup-snap")
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:    "undo-setup-snap",
-		name:  s.MountDir(),
+		name:  s.InstanceName(),
+		path:  s.MountDir(),
 		stype: typ,
 	})
+	if s.InstanceName() == "borken-undo-setup" {
+		return errors.New(`cannot undo setup of "borken-undo-setup" snap`)
+	}
 	return nil
 }
 
@@ -528,9 +853,9 @@
 	if oldInfo != nil {
 		old = oldInfo.MountDir()
 	}
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   "undo-copy-snap-data",
-		name: newInfo.MountDir(),
+		path: newInfo.MountDir(),
 		old:  old,
 	})
 	return nil
@@ -538,41 +863,61 @@
 
 func (f *fakeSnappyBackend) UnlinkSnap(info *snap.Info, meter progress.Meter) error {
 	meter.Notify("unlink")
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   "unlink-snap",
-		name: info.MountDir(),
+		path: info.MountDir(),
 	})
 	return nil
 }
 
 func (f *fakeSnappyBackend) RemoveSnapFiles(s snap.PlaceInfo, typ snap.Type, meter progress.Meter) error {
 	meter.Notify("remove-snap-files")
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:    "remove-snap-files",
-		name:  s.MountDir(),
+		path:  s.MountDir(),
 		stype: typ,
 	})
 	return nil
 }
 
 func (f *fakeSnappyBackend) RemoveSnapData(info *snap.Info) error {
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   "remove-snap-data",
-		name: info.MountDir(),
+		path: info.MountDir(),
 	})
 	return nil
 }
 
 func (f *fakeSnappyBackend) RemoveSnapCommonData(info *snap.Info) error {
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   "remove-snap-common-data",
-		name: info.MountDir(),
+		path: info.MountDir(),
 	})
 	return nil
 }
 
-func (f *fakeSnappyBackend) DiscardSnapNamespace(snapName string) error {
+func (f *fakeSnappyBackend) RemoveSnapDataDir(info *snap.Info, otherInstances bool) error {
 	f.ops = append(f.ops, fakeOp{
+		op:             "remove-snap-data-dir",
+		name:           info.InstanceName(),
+		path:           snap.BaseDataDir(info.SnapName()),
+		otherInstances: otherInstances,
+	})
+	return nil
+}
+
+func (f *fakeSnappyBackend) RemoveSnapDir(s snap.PlaceInfo, otherInstances bool) error {
+	f.ops = append(f.ops, fakeOp{
+		op:             "remove-snap-dir",
+		name:           s.InstanceName(),
+		path:           snap.BaseDir(s.SnapName()),
+		otherInstances: otherInstances,
+	})
+	return nil
+}
+
+func (f *fakeSnappyBackend) DiscardSnapNamespace(snapName string) error {
+	f.appendOp(&fakeOp{
 		op:   "discard-namespace",
 		name: snapName,
 	})
@@ -584,7 +929,7 @@
 	if sideInfo != nil {
 		sinfo = *sideInfo
 	}
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:    "candidate",
 		sinfo: sinfo,
 	})
@@ -595,16 +940,16 @@
 	if curInfo != nil {
 		old = curInfo.MountDir()
 	}
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:  "current",
 		old: old,
 	})
 }
 
 func (f *fakeSnappyBackend) ForeignTask(kind string, status state.Status, snapsup *snapstate.SnapSetup) {
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:    kind + ":" + status.String(),
-		name:  snapsup.Name(),
+		name:  snapsup.InstanceName(),
 		revno: snapsup.Revision(),
 	})
 }
@@ -626,7 +971,7 @@
 		remove = append([]*backend.Alias(nil), remove...)
 		sort.Sort(byAlias(remove))
 	}
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:        "update-aliases",
 		aliases:   add,
 		rmAliases: remove,
@@ -635,9 +980,15 @@
 }
 
 func (f *fakeSnappyBackend) RemoveSnapAliases(snapName string) error {
-	f.ops = append(f.ops, fakeOp{
+	f.appendOp(&fakeOp{
 		op:   "remove-snap-aliases",
 		name: snapName,
 	})
 	return nil
 }
+
+func (f *fakeSnappyBackend) appendOp(op *fakeOp) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.ops = append(f.ops, *op)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/booted.go snapd-2.37~rc1~14.04/overlord/snapstate/booted.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/booted.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/booted.go	2019-01-16 08:36:51.000000000 +0000
@@ -133,6 +133,9 @@
 	case snap.TypeOS:
 		kind = "core"
 		bootVar = "snap_core"
+	case snap.TypeBase:
+		kind = "base"
+		bootVar = "snap_core"
 	default:
 		return "", snap.Revision{}, fmt.Errorf("cannot find boot revision for anything but core and kernel")
 	}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/booted_test.go snapd-2.37~rc1~14.04/overlord/snapstate/booted_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/booted_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/booted_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -19,7 +19,7 @@
 
 package snapstate_test
 
-// test the boot releated code
+// test the boot related code
 
 import (
 	"os"
@@ -73,21 +73,25 @@
 	bs.fakeBackend = &fakeSnappyBackend{}
 	bs.o = overlord.Mock()
 	bs.state = bs.o.State()
-	bs.snapmgr, err = snapstate.Manager(bs.state)
+	bs.snapmgr, err = snapstate.Manager(bs.state, bs.o.TaskRunner())
 	c.Assert(err, IsNil)
-	bs.snapmgr.AddForeignTaskHandlers(bs.fakeBackend)
+
+	AddForeignTaskHandlers(bs.o.TaskRunner(), bs.fakeBackend)
 
 	bs.o.AddManager(bs.snapmgr)
+	bs.o.AddManager(bs.o.TaskRunner())
 
 	snapstate.SetSnapManagerBackend(bs.snapmgr, bs.fakeBackend)
 	snapstate.AutoAliases = func(*state.State, *snap.Info) (map[string]string, error) {
 		return nil, nil
 	}
+	snapstate.SetDefaultModel()
 }
 
 func (bs *bootedSuite) TearDownTest(c *C) {
 	bs.BaseTest.TearDownTest(c)
 	snapstate.AutoAliases = nil
+	snapstate.Model = nil
 	release.MockOnClassic(true)
 	dirs.SetRootDir("")
 	partition.ForceBootloader(nil)
@@ -280,9 +284,113 @@
 	bs.bootloader.BootVars["snap_mode"] = "trying"
 	_, _, err = snapstate.CurrentBootNameAndRevision(snap.TypeKernel)
 	c.Check(err, Equals, snapstate.ErrBootNameAndRevisionAgain)
+}
 
-	bs.bootloader.BootVars["snap_mode"] = ""
+func (bs *bootedSuite) TestCurrentBootNameAndRevisionUnhappy(c *C) {
 	delete(bs.bootloader.BootVars, "snap_kernel")
-	_, _, err = snapstate.CurrentBootNameAndRevision(snap.TypeKernel)
+	_, _, err := snapstate.CurrentBootNameAndRevision(snap.TypeKernel)
 	c.Check(err, ErrorMatches, "cannot retrieve boot revision for kernel: unset")
+
+	delete(bs.bootloader.BootVars, "snap_core")
+	_, _, err = snapstate.CurrentBootNameAndRevision(snap.TypeOS)
+	c.Check(err, ErrorMatches, "cannot retrieve boot revision for core: unset")
+
+	delete(bs.bootloader.BootVars, "snap_core")
+	_, _, err = snapstate.CurrentBootNameAndRevision(snap.TypeBase)
+	c.Check(err, ErrorMatches, "cannot retrieve boot revision for base: unset")
+
+}
+
+func (bs *bootedSuite) TestWaitRestartCore(c *C) {
+	st := bs.state
+	st.Lock()
+	defer st.Unlock()
+
+	task := st.NewTask("auto-connect", "...")
+
+	// not core snap
+	si := &snap.SideInfo{RealName: "some-app"}
+	snaptest.MockSnap(c, "name: some-app\nversion: 1", si)
+	err := snapstate.WaitRestart(task, &snapstate.SnapSetup{SideInfo: si})
+	c.Check(err, IsNil)
+
+	si = &snap.SideInfo{RealName: "core"}
+	snapsup := &snapstate.SnapSetup{SideInfo: si}
+
+	// core snap, restarting ... wait
+	state.MockRestarting(st, state.RestartSystem)
+	snaptest.MockSnap(c, "name: core\ntype: os\nversion: 1", si)
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, FitsTypeOf, &state.Retry{})
+
+	// core snap, restarted, waiting for current core revision
+	state.MockRestarting(st, state.RestartUnset)
+	bs.bootloader.BootVars["snap_mode"] = "trying"
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, DeepEquals, &state.Retry{After: 5 * time.Second})
+
+	// core snap udated
+	si.Revision = snap.R(2)
+	snaptest.MockSnap(c, "name: core\ntype: os\nversion: 2", si)
+
+	// core snap, restarted, right core revision, no rollback
+	bs.bootloader.BootVars["snap_mode"] = ""
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, IsNil)
+
+	// core snap, restarted, wrong core revision, rollback!
+	bs.bootloader.BootVars["snap_core"] = "core_1.snap"
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, ErrorMatches, `cannot finish core installation, there was a rollback across reboot`)
+}
+
+func (bs *bootedSuite) TestWaitRestartBootableBase(c *C) {
+	snapstate.SetModelWithBase("core18")
+
+	st := bs.state
+	st.Lock()
+	defer st.Unlock()
+
+	task := st.NewTask("auto-connect", "...")
+
+	// not core snap
+	si := &snap.SideInfo{RealName: "some-app", Revision: snap.R(1)}
+	snaptest.MockSnap(c, "name: some-app\nversion: 1", si)
+	err := snapstate.WaitRestart(task, &snapstate.SnapSetup{SideInfo: si})
+	c.Check(err, IsNil)
+
+	// core snap but we are on a model with a different base
+	si = &snap.SideInfo{RealName: "core"}
+	snaptest.MockSnap(c, "name: core\ntype: os\nversion: 1", si)
+	err = snapstate.WaitRestart(task, &snapstate.SnapSetup{SideInfo: si})
+	c.Check(err, IsNil)
+
+	si = &snap.SideInfo{RealName: "core18"}
+	snapsup := &snapstate.SnapSetup{SideInfo: si}
+	snaptest.MockSnap(c, "name: core18\ntype: base\nversion: 1", si)
+	// core snap, restarting ... wait
+	state.MockRestarting(st, state.RestartSystem)
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, FitsTypeOf, &state.Retry{})
+
+	// core snap, restarted, waiting for current core revision
+	state.MockRestarting(st, state.RestartUnset)
+	bs.bootloader.BootVars["snap_mode"] = "trying"
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, DeepEquals, &state.Retry{After: 5 * time.Second})
+
+	// core18 snap udated
+	si.Revision = snap.R(2)
+	snaptest.MockSnap(c, "name: core18\ntype: base\nversion: 2", si)
+
+	// core snap, restarted, right core revision, no rollback
+	bs.bootloader.BootVars["snap_mode"] = ""
+	bs.bootloader.BootVars["snap_core"] = "core18_2.snap"
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, IsNil)
+
+	// core snap, restarted, wrong core revision, rollback!
+	bs.bootloader.BootVars["snap_core"] = "core18_1.snap"
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, ErrorMatches, `cannot finish core18 installation, there was a rollback across reboot`)
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/catalogrefresh.go snapd-2.37~rc1~14.04/overlord/snapstate/catalogrefresh.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/catalogrefresh.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/catalogrefresh.go	2019-01-16 08:36:51.000000000 +0000
@@ -56,8 +56,15 @@
 		return nil
 	}
 
-	theStore := Store(r.state)
 	now := time.Now()
+	if r.nextCatalogRefresh.IsZero() {
+		// try to use the timestamp on the sections file
+		if st, err := os.Stat(dirs.SnapSectionsFile); err == nil && st.ModTime().Before(now) {
+			r.nextCatalogRefresh = st.ModTime().Add(catalogRefreshDelay)
+		}
+	}
+
+	theStore := Store(r.state)
 	needsRefresh := r.nextCatalogRefresh.IsZero() || r.nextCatalogRefresh.Before(now)
 
 	if !needsRefresh {
@@ -70,7 +77,13 @@
 
 	logger.Debugf("Catalog refresh starting now; next scheduled for %s.", next)
 
-	return refreshCatalogs(r.state, theStore)
+	err := refreshCatalogs(r.state, theStore)
+	if err == nil {
+		logger.Debugf("Catalog refresh succeeded.")
+	} else {
+		logger.Debugf("Catalog refresh failed: %v.", err)
+	}
+	return err
 }
 
 var newCmdDB = advisor.Create
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/catalogrefresh_test.go snapd-2.37~rc1~14.04/overlord/snapstate/catalogrefresh_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/catalogrefresh_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/catalogrefresh_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -21,6 +21,9 @@
 
 import (
 	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"time"
 
 	"golang.org/x/net/context"
@@ -50,8 +53,8 @@
 	}
 	r.ops = append(r.ops, "write-catalog")
 	w.Write([]byte("pkg1\npkg2"))
-	a.AddSnap("foo", "foo summary", []string{"foo", "meh"})
-	a.AddSnap("bar", "bar summray", []string{"bar", "meh"})
+	a.AddSnap("foo", "1.0", "foo summary", []string{"foo", "meh"})
+	a.AddSnap("bar", "2.0", "bar summray", []string{"bar", "meh"})
 	return nil
 }
 
@@ -105,10 +108,10 @@
 	c.Check(osutil.FileExists(dirs.SnapCommandsDB), Equals, true)
 	dump, err := advisor.DumpCommands()
 	c.Assert(err, IsNil)
-	c.Check(dump, DeepEquals, map[string][]string{
-		"foo": {"foo"},
-		"bar": {"bar"},
-		"meh": {"foo", "bar"},
+	c.Check(dump, DeepEquals, map[string]string{
+		"foo": `[{"snap":"foo","version":"1.0"}]`,
+		"bar": `[{"snap":"bar","version":"2.0"}]`,
+		"meh": `[{"snap":"foo","version":"1.0"},{"snap":"bar","version":"2.0"}]`,
 	})
 }
 
@@ -121,3 +124,28 @@
 	c.Check(osutil.FileExists(dirs.SnapSectionsFile), Equals, false)
 	c.Check(osutil.FileExists(dirs.SnapNamesFile), Equals, false)
 }
+
+func (s *catalogRefreshTestSuite) TestCatalogRefreshNewEnough(c *C) {
+	// write a fake sections file just to have it
+	c.Assert(os.MkdirAll(filepath.Dir(dirs.SnapSectionsFile), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(dirs.SnapSectionsFile, nil, 0644), IsNil)
+
+	cr7 := snapstate.NewCatalogRefresh(s.state)
+	err := cr7.Ensure()
+	c.Check(err, IsNil)
+	c.Check(s.store.ops, HasLen, 0)
+}
+
+func (s *catalogRefreshTestSuite) TestCatalogRefreshTooNew(c *C) {
+	// write a fake sections file just to have it
+	c.Assert(os.MkdirAll(filepath.Dir(dirs.SnapSectionsFile), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(dirs.SnapSectionsFile, nil, 0644), IsNil)
+	// but set the timestamp in the future
+	t := time.Now().Add(time.Hour)
+	c.Assert(os.Chtimes(dirs.SnapSectionsFile, t, t), IsNil)
+
+	cr7 := snapstate.NewCatalogRefresh(s.state)
+	err := cr7.Ensure()
+	c.Check(err, IsNil)
+	c.Check(s.store.ops, DeepEquals, []string{"sections", "write-catalog"})
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/check_snap.go snapd-2.37~rc1~14.04/overlord/snapstate/check_snap.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/check_snap.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/check_snap.go	2019-01-16 08:36:51.000000000 +0000
@@ -41,6 +41,8 @@
 	"common-data-dir": true,
 	// Support for the "Environment:" feature in snap.yaml
 	"snap-env": true,
+	// Support for the "command-chain" feature for apps and hooks in snap.yaml
+	"command-chain": true,
 }
 
 func checkAssumes(si *snap.Info) error {
@@ -58,7 +60,7 @@
 		if release.OnClassic {
 			hint = "try to update snapd and refresh the core snap"
 		}
-		return fmt.Errorf("snap %q assumes unsupported features: %s (%s)", si.Name(), strings.Join(missing, ", "), hint)
+		return fmt.Errorf("snap %q assumes unsupported features: %s (%s)", si.InstanceName(), strings.Join(missing, ", "), hint)
 	}
 	return nil
 }
@@ -124,9 +126,21 @@
 	return fmt.Sprintf("snap %q requires classic confinement which is only available on classic systems", e.Snap)
 }
 
+type SnapNotClassicError struct {
+	Snap string
+}
+
+func (e *SnapNotClassicError) Error() string {
+	return fmt.Sprintf("snap %q is not a classic confined snap", e.Snap)
+}
+
 // determine whether the flags (and system overrides thereof) are
 // compatible with the given *snap.Info
 func validateFlagsForInfo(info *snap.Info, snapst *SnapState, flags Flags) error {
+	if flags.Classic && !info.NeedsClassic() {
+		return &SnapNotClassicError{Snap: info.InstanceName()}
+	}
+
 	switch c := info.Confinement; c {
 	case snap.StrictConfinement, "":
 		// strict is always fine
@@ -137,11 +151,11 @@
 			return nil
 		}
 		return &SnapNeedsDevModeError{
-			Snap: info.Name(),
+			Snap: info.InstanceName(),
 		}
 	case snap.ClassicConfinement:
 		if !release.OnClassic {
-			return &SnapNeedsClassicSystemError{Snap: info.Name()}
+			return &SnapNeedsClassicSystemError{Snap: info.InstanceName()}
 		}
 
 		if flags.Classic {
@@ -153,7 +167,7 @@
 		}
 
 		return &SnapNeedsClassicError{
-			Snap: info.Name(),
+			Snap: info.InstanceName(),
 		}
 	default:
 		return fmt.Errorf("unknown confinement %q", c)
@@ -170,7 +184,7 @@
 
 	// verify we have a valid architecture
 	if !arch.IsSupportedArchitecture(info.Architectures) {
-		return fmt.Errorf("snap %q supported architectures (%s) are incompatible with this system (%s)", info.Name(), strings.Join(info.Architectures, ", "), arch.UbuntuArchitecture())
+		return fmt.Errorf("snap %q supported architectures (%s) are incompatible with this system (%s)", info.InstanceName(), strings.Join(info.Architectures, ", "), arch.UbuntuArchitecture())
 	}
 
 	// check assumes
@@ -192,7 +206,7 @@
 }
 
 // checkSnap ensures that the snap can be installed.
-func checkSnap(st *state.State, snapFilePath string, si *snap.SideInfo, curInfo *snap.Info, flags Flags) error {
+func checkSnap(st *state.State, snapFilePath, instanceName string, si *snap.SideInfo, curInfo *snap.Info, flags Flags) error {
 	// This assumes that the snap was already verified or --dangerous was used.
 
 	s, c, err := openSnapFile(snapFilePath, si)
@@ -208,9 +222,15 @@
 		return err
 	}
 
+	snapName, instanceKey := snap.SplitInstanceName(instanceName)
+	// update instance key to what was requested
+	s.InstanceKey = instanceKey
+
 	st.Lock()
 	defer st.Unlock()
 
+	// allow registered checks to run first as they may produce more
+	// precise errors
 	for _, check := range checkSnapCallbacks {
 		err := check(st, s, curInfo, flags)
 		if err != nil {
@@ -218,6 +238,10 @@
 		}
 	}
 
+	if snapName != s.SnapName() {
+		return fmt.Errorf("cannot install snap %q using instance name %q", s.SnapName(), instanceName)
+	}
+
 	return nil
 }
 
@@ -263,13 +287,13 @@
 	// transition we will end up with not connected interface
 	// connections in the "core" snap. But the transition will
 	// kick in automatically quickly so an extra flag is overkill.
-	if snapInfo.Name() == "core" && core.Name() == "ubuntu-core" {
+	if snapInfo.InstanceName() == "core" && core.InstanceName() == "ubuntu-core" {
 		return nil
 	}
 
 	// but generally do not allow to have two cores installed
-	if core.Name() != snapInfo.Name() {
-		return fmt.Errorf("cannot install core snap %q when core snap %q is already present", snapInfo.Name(), core.Name())
+	if core.InstanceName() != snapInfo.InstanceName() {
+		return fmt.Errorf("cannot install core snap %q when core snap %q is already present", snapInfo.InstanceName(), core.InstanceName())
 	}
 
 	return nil
@@ -312,7 +336,7 @@
 		return fmt.Errorf("cannot replace signed %s snap with an unasserted one", kind)
 	}
 
-	if currentSnap.Name() != snapInfo.Name() {
+	if currentSnap.InstanceName() != snapInfo.InstanceName() {
 		return fmt.Errorf("cannot replace %s snap with a different one", kind)
 	}
 
@@ -345,8 +369,43 @@
 	return fmt.Errorf("cannot find required base %q", snapInfo.Base)
 }
 
+func checkEpochs(_ *state.State, snapInfo, curInfo *snap.Info, _ Flags) error {
+	if curInfo == nil {
+		return nil
+	}
+	if snapInfo.Epoch.CanRead(curInfo.Epoch) {
+		return nil
+	}
+	desc := "local snap"
+	if snapInfo.SideInfo.Revision.Store() {
+		desc = fmt.Sprintf("new revision %s", snapInfo.SideInfo.Revision)
+	}
+
+	return fmt.Errorf("cannot refresh %q to %s with epoch %s, because it can't read the current epoch of %s", snapInfo.InstanceName(), desc, snapInfo.Epoch, curInfo.Epoch)
+}
+
+// check that the snap installed in the system (via snapst) can be
+// upgraded to info (i.e. that info's epoch can read sanpst's epoch)
+func earlyEpochCheck(info *snap.Info, snapst *SnapState) error {
+	if snapst == nil {
+		// no snapst, no problem
+		return nil
+	}
+	cur, err := snapst.CurrentInfo()
+	if err == ErrNoCurrent {
+		// refreshing a disabled snap (maybe via InstallPath)
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	return checkEpochs(nil, info, cur, Flags{})
+}
+
 func init() {
 	AddCheckSnapCallback(checkCoreName)
 	AddCheckSnapCallback(checkGadgetOrKernel)
 	AddCheckSnapCallback(checkBases)
+	AddCheckSnapCallback(checkEpochs)
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/check_snap_test.go snapd-2.37~rc1~14.04/overlord/snapstate/check_snap_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/check_snap_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/check_snap_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -78,7 +78,7 @@
 	restore := snapstate.MockOpenSnapFile(openSnapFile)
 	defer restore()
 
-	err = snapstate.CheckSnap(s.st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(s.st, "snap-path", "hello", nil, nil, snapstate.Flags{})
 
 	errorMsg := fmt.Sprintf(`snap "hello" supported architectures (yadayada, blahblah) are incompatible with this system (%s)`, arch.UbuntuArchitecture())
 	c.Assert(err.Error(), Equals, errorMsg)
@@ -142,6 +142,8 @@
 	assumes: "[snapd2.15.1]",
 	version: "2.15.0",
 	error:   `.* unsupported features: snapd2\.15\.1 .*`,
+}, {
+	assumes: "[command-chain]",
 }}
 
 func (s *checkSnapSuite) TestCheckSnapAssumes(c *C) {
@@ -168,7 +170,7 @@
 		}
 		restore := snapstate.MockOpenSnapFile(openSnapFile)
 		defer restore()
-		err = snapstate.CheckSnap(s.st, "snap-path", nil, nil, snapstate.Flags{})
+		err = snapstate.CheckSnap(s.st, "snap-path", "foo", nil, nil, snapstate.Flags{})
 		if test.error != "" {
 			c.Check(err, ErrorMatches, test.error)
 		} else {
@@ -194,7 +196,7 @@
 
 	checkCbCalled := false
 	checkCb := func(st *state.State, s, cur *snap.Info, flags snapstate.Flags) error {
-		c.Assert(s.Name(), Equals, "foo")
+		c.Assert(s.InstanceName(), Equals, "foo")
 		c.Assert(s.SnapID, Equals, "snap-id")
 		checkCbCalled = true
 		return nil
@@ -202,7 +204,7 @@
 	r2 := snapstate.MockCheckSnapCallbacks([]snapstate.CheckSnapCallback{checkCb})
 	defer r2()
 
-	err := snapstate.CheckSnap(s.st, "snap-path", si, nil, snapstate.Flags{})
+	err := snapstate.CheckSnap(s.st, "snap-path", "foo", si, nil, snapstate.Flags{})
 	c.Check(err, IsNil)
 
 	c.Check(checkCbCalled, Equals, true)
@@ -229,7 +231,7 @@
 	defer r2()
 	snapstate.AddCheckSnapCallback(checkCb)
 
-	err = snapstate.CheckSnap(s.st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(s.st, "snap-path", "foo", nil, nil, snapstate.Flags{})
 	c.Check(err, Equals, fail)
 }
 
@@ -270,7 +272,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "gadget", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, IsNil)
 }
@@ -312,7 +314,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "gadget", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, IsNil)
 }
@@ -353,7 +355,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "gadget", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, ErrorMatches, `cannot replace signed gadget snap with an unasserted one`)
 }
@@ -394,7 +396,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "gadget", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, ErrorMatches, "cannot replace gadget snap with a different one")
 }
@@ -436,7 +438,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "gadget", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, ErrorMatches, "cannot replace gadget snap with a different one")
 }
@@ -464,7 +466,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "gadget", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, IsNil)
 }
@@ -485,7 +487,7 @@
 	restore := snapstate.MockOpenSnapFile(openSnapFile)
 	defer restore()
 
-	err = snapstate.CheckSnap(s.st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(s.st, "snap-path", "hello", nil, nil, snapstate.Flags{})
 
 	c.Assert(err, ErrorMatches, ".* requires devmode or confinement override")
 }
@@ -509,7 +511,7 @@
 	restore = release.MockOnClassic(true)
 	defer restore()
 
-	err = snapstate.CheckSnap(s.st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(s.st, "snap-path", "hello", nil, nil, snapstate.Flags{})
 
 	c.Assert(err, ErrorMatches, ".* requires classic confinement")
 }
@@ -533,11 +535,32 @@
 	restore = release.MockOnClassic(false)
 	defer restore()
 
-	err = snapstate.CheckSnap(s.st, "snap-path", nil, nil, snapstate.Flags{Classic: true})
+	err = snapstate.CheckSnap(s.st, "snap-path", "hello", nil, nil, snapstate.Flags{Classic: true})
 
 	c.Assert(err, ErrorMatches, ".* requires classic confinement which is only available on classic systems")
 }
 
+func (s *checkSnapSuite) TestCheckSnapErrorClassicModeForStrictOrDevmode(c *C) {
+	const yaml = `name: hello
+version: 1.10
+confinement: strict
+`
+	info, err := snap.InfoFromSnapYaml([]byte(yaml))
+	c.Assert(err, IsNil)
+
+	var openSnapFile = func(path string, si *snap.SideInfo) (*snap.Info, snap.Container, error) {
+		c.Check(path, Equals, "snap-path")
+		c.Check(si, IsNil)
+		return info, emptyContainer(c), nil
+	}
+	restore := snapstate.MockOpenSnapFile(openSnapFile)
+	defer restore()
+
+	err = snapstate.CheckSnap(s.st, "snap-path", "hello", nil, nil, snapstate.Flags{Classic: true})
+
+	c.Assert(err, ErrorMatches, `snap "hello" is not a classic confined snap`)
+}
+
 func (s *checkSnapSuite) TestCheckSnapKernelUpdate(c *C) {
 	reset := release.MockOnClassic(false)
 	defer reset()
@@ -575,7 +598,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "kernel", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, IsNil)
 }
@@ -617,7 +640,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "kernel", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, ErrorMatches, "cannot replace kernel snap with a different one")
 }
@@ -642,7 +665,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "requires-base", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, ErrorMatches, "cannot find required base \"some-base\"")
 }
@@ -680,7 +703,7 @@
 	defer restore()
 
 	st.Unlock()
-	err = snapstate.CheckSnap(st, "snap-path", nil, nil, snapstate.Flags{})
+	err = snapstate.CheckSnap(st, "snap-path", "requires-base", nil, nil, snapstate.Flags{})
 	st.Lock()
 	c.Check(err, IsNil)
 }
@@ -695,3 +718,106 @@
 	c.Assert(ioutil.WriteFile(filepath.Join(d, "meta", "snap.yaml"), nil, 0444), IsNil)
 	return snapdir.New(d)
 }
+
+func (s *checkSnapSuite) TestCheckSnapInstanceName(c *C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	si := &snap.SideInfo{RealName: "foo", Revision: snap.R(1), SnapID: "some-base-id"}
+	info := snaptest.MockSnap(c, `
+name: foo
+version: 1
+`, si)
+	snapstate.Set(st, "foo", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  si.Revision,
+	})
+
+	var openSnapFile = func(path string, si *snap.SideInfo) (*snap.Info, snap.Container, error) {
+		return info, emptyContainer(c), nil
+	}
+	restore := snapstate.MockOpenSnapFile(openSnapFile)
+	defer restore()
+
+	st.Unlock()
+	err := snapstate.CheckSnap(st, "snap-path", "foo_instance", nil, nil, snapstate.Flags{})
+	st.Lock()
+	c.Check(err, IsNil)
+
+	st.Unlock()
+	err = snapstate.CheckSnap(st, "snap-path", "bar_instance", nil, nil, snapstate.Flags{})
+	st.Lock()
+	c.Check(err, ErrorMatches, `cannot install snap "foo" using instance name "bar_instance"`)
+
+	st.Unlock()
+	err = snapstate.CheckSnap(st, "snap-path", "other-name", nil, nil, snapstate.Flags{})
+	st.Lock()
+	c.Check(err, ErrorMatches, `cannot install snap "foo" using instance name "other-name"`)
+}
+
+func (s *checkSnapSuite) TestCheckSnapCheckCallInstanceKeySet(c *C) {
+	const yaml = `name: foo
+version: 1.0`
+
+	si := &snap.SideInfo{
+		SnapID: "snap-id",
+	}
+
+	var openSnapFile = func(path string, si *snap.SideInfo) (*snap.Info, snap.Container, error) {
+		info := snaptest.MockInfo(c, yaml, si)
+		return info, emptyContainer(c), nil
+	}
+	r1 := snapstate.MockOpenSnapFile(openSnapFile)
+	defer r1()
+
+	checkCbCalled := false
+	checkCb := func(st *state.State, s, cur *snap.Info, flags snapstate.Flags) error {
+		c.Assert(s.InstanceName(), Equals, "foo_instance")
+		c.Assert(s.SnapName(), Equals, "foo")
+		c.Assert(s.SnapID, Equals, "snap-id")
+		checkCbCalled = true
+		return nil
+	}
+	r2 := snapstate.MockCheckSnapCallbacks([]snapstate.CheckSnapCallback{checkCb})
+	defer r2()
+
+	err := snapstate.CheckSnap(s.st, "snap-path", "foo_instance", si, nil, snapstate.Flags{})
+	c.Check(err, IsNil)
+
+	c.Check(checkCbCalled, Equals, true)
+}
+
+func (s *checkSnapSuite) TestCheckSnapCheckEpochLocal(c *C) {
+	si := &snap.SideInfo{
+		SnapID: "snap-id",
+	}
+
+	var openSnapFile = func(path string, si *snap.SideInfo) (*snap.Info, snap.Container, error) {
+		info := snaptest.MockInfo(c, "{name: foo, version: 1.0, epoch: 13}", si)
+		return info, emptyContainer(c), nil
+	}
+	r1 := snapstate.MockOpenSnapFile(openSnapFile)
+	defer r1()
+
+	err := snapstate.CheckSnap(s.st, "snap-path", "foo", si, &snap.Info{}, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot refresh "foo" to local snap with epoch 13, because it can't read the current epoch of 0`)
+}
+
+func (s *checkSnapSuite) TestCheckSnapCheckEpochNonLocal(c *C) {
+	si := &snap.SideInfo{
+		SnapID:   "snap-id",
+		Revision: snap.R(42),
+	}
+
+	var openSnapFile = func(path string, si *snap.SideInfo) (*snap.Info, snap.Container, error) {
+		info := snaptest.MockInfo(c, "{name: foo, version: 1.0, epoch: 13}", si)
+		return info, emptyContainer(c), nil
+	}
+	r1 := snapstate.MockOpenSnapFile(openSnapFile)
+	defer r1()
+
+	err := snapstate.CheckSnap(s.st, "snap-path", "foo", si, &snap.Info{}, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot refresh "foo" to new revision 42 with epoch 13, because it can't read the current epoch of 0`)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/conflict.go snapd-2.37~rc1~14.04/overlord/snapstate/conflict.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/conflict.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/conflict.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,169 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2016-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snapstate
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+// ChangeConflictError represents an error because of snap conflicts between changes.
+type ChangeConflictError struct {
+	Snap       string
+	ChangeKind string
+	// a Message is optional, otherwise one is composed from the other information
+	Message string
+}
+
+func (e *ChangeConflictError) Error() string {
+	if e.Message != "" {
+		return e.Message
+	}
+	if e.ChangeKind != "" {
+		return fmt.Sprintf("snap %q has %q change in progress", e.Snap, e.ChangeKind)
+	}
+	return fmt.Sprintf("snap %q has changes in progress", e.Snap)
+}
+
+// An AffectedSnapsFunc returns a list of affected snap names for the given supported task.
+type AffectedSnapsFunc func(*state.Task) ([]string, error)
+
+var (
+	affectedSnapsByAttr = make(map[string]AffectedSnapsFunc)
+	affectedSnapsByKind = make(map[string]AffectedSnapsFunc)
+)
+
+// AddAffectedSnapsByAttrs registers an AffectedSnapsFunc for returning the affected snaps for tasks sporting the given identifying attribute, to use in conflicts detection.
+func AddAffectedSnapsByAttr(attr string, f AffectedSnapsFunc) {
+	affectedSnapsByAttr[attr] = f
+}
+
+// AddAffectedSnapsByKind registers an AffectedSnapsFunc for returning the affected snaps for tasks of the given kind, to use in conflicts detection. Whenever possible using AddAffectedSnapsByAttr should be preferred.
+func AddAffectedSnapsByKind(kind string, f AffectedSnapsFunc) {
+	affectedSnapsByKind[kind] = f
+}
+
+func affectedSnaps(t *state.Task) ([]string, error) {
+	// snapstate's own styled tasks
+	if t.Has("snap-setup") || t.Has("snap-setup-task") {
+		snapsup, err := TaskSnapSetup(t)
+		if err != nil {
+			return nil, fmt.Errorf("internal error: cannot obtain snap setup from task: %s", t.Summary())
+		}
+		return []string{snapsup.InstanceName()}, nil
+	}
+
+	if f := affectedSnapsByKind[t.Kind()]; f != nil {
+		return f(t)
+	}
+
+	for attrKey, f := range affectedSnapsByAttr {
+		if t.Has(attrKey) {
+			return f(t)
+		}
+	}
+
+	return nil, nil
+}
+
+// CheckChangeConflictMany ensures that for the given instanceNames no other
+// changes that alters the snaps (like remove, install, refresh) are in
+// progress. If a conflict is detected an error is returned.
+//
+// It's like CheckChangeConflict, but for multiple snaps, and does not
+// check snapst.
+func CheckChangeConflictMany(st *state.State, instanceNames []string, ignoreChangeID string) error {
+	snapMap := make(map[string]bool, len(instanceNames))
+	for _, k := range instanceNames {
+		snapMap[k] = true
+	}
+
+	for _, chg := range st.Changes() {
+		if chg.Status().Ready() {
+			continue
+		}
+		if chg.Kind() == "transition-ubuntu-core" {
+			return &ChangeConflictError{Message: "ubuntu-core to core transition in progress, no other changes allowed until this is done", ChangeKind: "transition-ubuntu-core"}
+		}
+	}
+
+	for _, task := range st.Tasks() {
+		chg := task.Change()
+		if chg == nil || chg.Status().Ready() {
+			continue
+		}
+		if ignoreChangeID != "" && chg.ID() == ignoreChangeID {
+			continue
+		}
+		if chg.Kind() == "become-operational" {
+			// become-operational will be retried until success
+			// and on its own just runs a hook on gadget:
+			// do not make it interfere with user requests
+			// TODO: consider a use vs change modeling of
+			// conflicts
+			continue
+		}
+
+		snaps, err := affectedSnaps(task)
+		if err != nil {
+			return err
+		}
+
+		for _, snap := range snaps {
+			if snapMap[snap] {
+				return &ChangeConflictError{Snap: snap, ChangeKind: chg.Kind()}
+			}
+		}
+	}
+
+	return nil
+}
+
+// CheckChangeConflict ensures that for the given instanceName no other
+// changes that alters the snap (like remove, install, refresh) are in
+// progress. It also ensures that snapst (if not nil) did not get
+// modified. If a conflict is detected an error is returned.
+func CheckChangeConflict(st *state.State, instanceName string, snapst *SnapState) error {
+	if err := CheckChangeConflictMany(st, []string{instanceName}, ""); err != nil {
+		return err
+	}
+
+	if snapst != nil {
+		// caller wants us to also make sure the SnapState in state
+		// matches the one they provided. Necessary because we need to
+		// unlock while talking to the store, during which a change can
+		// sneak in (if it's before the taskset is created) (e.g. for
+		// install, while getting the snap info; for refresh, when
+		// getting what needs refreshing).
+		var cursnapst SnapState
+		if err := Get(st, instanceName, &cursnapst); err != nil && err != state.ErrNoState {
+			return err
+		}
+
+		// TODO: implement the rather-boring-but-more-performant SnapState.Equals
+		if !reflect.DeepEqual(snapst, &cursnapst) {
+			return &ChangeConflictError{Snap: instanceName}
+		}
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/cookies.go snapd-2.37~rc1~14.04/overlord/snapstate/cookies.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/cookies.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/cookies.go	2019-01-16 08:36:51.000000000 +0000
@@ -47,8 +47,8 @@
 // from snap-confine).
 // It is the caller's responsibility to lock state before calling this function.
 func (m *SnapManager) SyncCookies(st *state.State) error {
-	var snapNames map[string]*json.RawMessage
-	if err := st.Get("snaps", &snapNames); err != nil && err != state.ErrNoState {
+	var instanceNames map[string]*json.RawMessage
+	if err := st.Get("snaps", &instanceNames); err != nil && err != state.ErrNoState {
 		return err
 	}
 
@@ -60,7 +60,7 @@
 	snapsWithCookies := make(map[string]bool)
 	for _, snap := range snapCookies {
 		// check if we have a cookie for non-installed snap or if we have a duplicated cookie
-		if _, ok := snapNames[snap]; !ok || snapsWithCookies[snap] {
+		if _, ok := instanceNames[snap]; !ok || snapsWithCookies[snap] {
 			// there is no point in checking all cookies if we found a bad one - recreate them all
 			snapCookies = make(map[string]string)
 			snapsWithCookies = make(map[string]bool)
@@ -72,7 +72,7 @@
 	var changed bool
 
 	// make sure every snap has a cookie, generate one if necessary
-	for snap := range snapNames {
+	for snap := range instanceNames {
 		if _, ok := snapsWithCookies[snap]; !ok {
 			cookie := makeCookie()
 			snapCookies[cookie] = snap
@@ -97,7 +97,7 @@
 	return nil
 }
 
-func (m *SnapManager) createSnapCookie(st *state.State, snapName string) error {
+func (m *SnapManager) createSnapCookie(st *state.State, instanceName string) error {
 	snapCookies, err := cookies(st)
 	if err != nil {
 		return err
@@ -105,23 +105,23 @@
 
 	// make sure we don't create cookie if it already exists
 	for _, snap := range snapCookies {
-		if snapName == snap {
+		if instanceName == snap {
 			return nil
 		}
 	}
 
-	cookieID, err := createCookieFile(snapName)
+	cookieID, err := createCookieFile(instanceName)
 	if err != nil {
 		return err
 	}
 
-	snapCookies[cookieID] = snapName
+	snapCookies[cookieID] = instanceName
 	st.Set("snap-cookies", &snapCookies)
 	return nil
 }
 
-func (m *SnapManager) removeSnapCookie(st *state.State, snapName string) error {
-	if err := removeCookieFile(snapName); err != nil {
+func (m *SnapManager) removeSnapCookie(st *state.State, instanceName string) error {
+	if err := removeCookieFile(instanceName); err != nil {
 		return err
 	}
 
@@ -136,7 +136,7 @@
 	}
 
 	for cookieID, snap := range snapCookies {
-		if snapName == snap {
+		if instanceName == snap {
 			delete(snapCookies, cookieID)
 			st.Set("snap-cookies", snapCookies)
 			return nil
@@ -149,9 +149,9 @@
 	return strutil.MakeRandomString(44)
 }
 
-func createCookieFile(snapName string) (cookieID string, err error) {
+func createCookieFile(instanceName string) (cookieID string, err error) {
 	cookieID = makeCookie()
-	path := filepath.Join(dirs.SnapCookieDir, fmt.Sprintf("snap.%s", snapName))
+	path := filepath.Join(dirs.SnapCookieDir, fmt.Sprintf("snap.%s", instanceName))
 	err = osutil.AtomicWriteFile(path, []byte(cookieID), 0600, 0)
 	if err != nil {
 		return "", fmt.Errorf("Failed to create cookie file %q: %s", path, err)
@@ -159,8 +159,8 @@
 	return cookieID, nil
 }
 
-func removeCookieFile(snapName string) error {
-	path := filepath.Join(dirs.SnapCookieDir, fmt.Sprintf("snap.%s", snapName))
+func removeCookieFile(instanceName string) error {
+	path := filepath.Join(dirs.SnapCookieDir, fmt.Sprintf("snap.%s", instanceName))
 	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("Failed to remove cookie file %q: %s", path, err)
 	}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/cookies_test.go snapd-2.37~rc1~14.04/overlord/snapstate/cookies_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/cookies_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/cookies_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -45,7 +45,7 @@
 	s.BaseTest.SetUpTest(c)
 	dirs.SetRootDir(c.MkDir())
 	s.st = state.New(nil)
-	s.snapmgr, _ = Manager(s.st)
+	s.snapmgr, _ = Manager(s.st, state.NewTaskRunner(s.st))
 }
 
 func (s *cookiesSuite) TearDownTest(c *C) {
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/export_test.go snapd-2.37~rc1~14.04/overlord/snapstate/export_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,11 +20,9 @@
 package snapstate
 
 import (
-	"errors"
 	"time"
 
-	"gopkg.in/tomb.v2"
-
+	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
 )
@@ -35,58 +33,25 @@
 	s.backend = b
 }
 
-type ForeignTaskTracker interface {
-	ForeignTask(kind string, status state.Status, snapsup *SnapSetup)
-}
-
-// AddForeignTaskHandlers registers handlers for tasks handled outside of the snap manager.
-func (m *SnapManager) AddForeignTaskHandlers(tracker ForeignTaskTracker) {
-	// Add fake handlers for tasks handled by interfaces manager
-	fakeHandler := func(task *state.Task, _ *tomb.Tomb) error {
-		task.State().Lock()
-		kind := task.Kind()
-		status := task.Status()
-		snapsup, err := TaskSnapSetup(task)
-		task.State().Unlock()
-		if err != nil {
-			return err
-		}
-
-		tracker.ForeignTask(kind, status, snapsup)
-
-		return nil
-	}
-	m.runner.AddHandler("setup-profiles", fakeHandler, fakeHandler)
-	m.runner.AddHandler("auto-connect", fakeHandler, nil)
-	m.runner.AddHandler("remove-profiles", fakeHandler, fakeHandler)
-	m.runner.AddHandler("discard-conns", fakeHandler, fakeHandler)
-	m.runner.AddHandler("validate-snap", fakeHandler, nil)
-	m.runner.AddHandler("transition-ubuntu-core", fakeHandler, nil)
-
-	// Add handler to test full aborting of changes
-	erroringHandler := func(task *state.Task, _ *tomb.Tomb) error {
-		return errors.New("error out")
-	}
-	m.runner.AddHandler("error-trigger", erroringHandler, nil)
-
-	m.runner.AddHandler("run-hook", func(task *state.Task, _ *tomb.Tomb) error {
-		return nil
-	}, nil)
-	m.runner.AddHandler("configure-snapd", func(t *state.Task, _ *tomb.Tomb) error {
-		return nil
-	}, nil)
-
-}
-
-// AddAdhocTaskHandlers registers handlers for ad hoc test handler
-func (m *SnapManager) AddAdhocTaskHandler(adhoc string, do, undo func(*state.Task, *tomb.Tomb) error) {
-	m.runner.AddHandler(adhoc, do, undo)
-}
-
-func MockReadInfo(mock func(name string, si *snap.SideInfo) (*snap.Info, error)) (restore func()) {
-	old := readInfo
-	readInfo = mock
-	return func() { readInfo = old }
+func MockSnapReadInfo(mock func(name string, si *snap.SideInfo) (*snap.Info, error)) (restore func()) {
+	old := snapReadInfo
+	snapReadInfo = mock
+	return func() { snapReadInfo = old }
+}
+
+func MockMountPollInterval(intv time.Duration) (restore func()) {
+	old := mountPollInterval
+	mountPollInterval = intv
+	return func() { mountPollInterval = old }
+}
+
+func MockRevisionDate(mock func(info *snap.Info) time.Time) (restore func()) {
+	old := revisionDate
+	if mock == nil {
+		mock = revisionDateImpl
+	}
+	revisionDate = mock
+	return func() { revisionDate = old }
 }
 
 func MockOpenSnapFile(mock func(path string, si *snap.SideInfo) (*snap.Info, snap.Container, error)) (restore func()) {
@@ -116,6 +81,11 @@
 	NameAndRevnoFromSnap   = nameAndRevnoFromSnap
 	DoInstall              = doInstall
 	UserFromUserID         = userFromUserID
+	ValidateFeatureFlags   = validateFeatureFlags
+
+	DefaultContentPlugProviders = defaultContentPlugProviders
+
+	HasOtherInstances = hasOtherInstances
 )
 
 func PreviousSideInfo(snapst *SnapState) *snap.SideInfo {
@@ -139,9 +109,10 @@
 
 // refreshes
 var (
-	NewAutoRefresh    = newAutoRefresh
-	NewRefreshHints   = newRefreshHints
-	NewCatalogRefresh = newCatalogRefresh
+	NewAutoRefresh                = newAutoRefresh
+	NewRefreshHints               = newRefreshHints
+	NewCatalogRefresh             = newCatalogRefresh
+	CanRefreshOnMeteredConnection = canRefreshOnMeteredConnection
 )
 
 func MockNextRefresh(ar *autoRefresh, when time.Time) {
@@ -163,3 +134,70 @@
 		refreshRetryDelay = origRefreshRetryDelay
 	}
 }
+
+func MockIsOnMeteredConnection(mock func() (bool, error)) func() {
+	old := IsOnMeteredConnection
+	IsOnMeteredConnection = mock
+	return func() {
+		IsOnMeteredConnection = old
+	}
+}
+
+func MockLocalInstallCleanupWait(d time.Duration) (restore func()) {
+	old := localInstallCleanupWait
+	localInstallCleanupWait = d
+	return func() {
+		localInstallCleanupWait = old
+	}
+}
+
+func MockLocalInstallLastCleanup(t time.Time) (restore func()) {
+	old := localInstallLastCleanup
+	localInstallLastCleanup = t
+	return func() {
+		localInstallLastCleanup = old
+	}
+}
+
+func SetModelWithBase(baseName string) {
+	setModel(map[string]string{"base": baseName})
+}
+
+func SetModelWithKernelTrack(kernelTrack string) {
+	setModel(map[string]string{"kernel": "kernel=" + kernelTrack})
+}
+
+func SetModelWithGadgetTrack(gadgetTrack string) {
+	setModel(map[string]string{"gadget": "brand-gadget=" + gadgetTrack})
+}
+
+func SetDefaultModel() {
+	setModel(nil)
+}
+
+func setModel(override map[string]string) {
+	model := map[string]interface{}{
+		"type":              "model",
+		"authority-id":      "brand",
+		"series":            "16",
+		"brand-id":          "brand",
+		"model":             "baz-3000",
+		"architecture":      "armhf",
+		"gadget":            "brand-gadget",
+		"kernel":            "kernel",
+		"timestamp":         "2018-01-01T08:00:00+00:00",
+		"sign-key-sha3-384": "Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij",
+	}
+	for k, v := range override {
+		model[k] = v
+	}
+
+	a, err := asserts.Assemble(model, nil, nil, []byte("AXNpZw=="))
+	if err != nil {
+		panic(err)
+	}
+
+	Model = func(*state.State) (*asserts.Model, error) {
+		return a.(*asserts.Model), nil
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/flags.go snapd-2.37~rc1~14.04/overlord/snapstate/flags.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/flags.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/flags.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,6 +57,9 @@
 	// Amend allows refreshing out of a snap unknown to the store
 	// and into one that is known.
 	Amend bool `json:"amend,omitempty"`
+
+	// IsAutoRefresh is true if the snap is currently auto-refreshed
+	IsAutoRefresh bool `json:"is-auto-refresh,omitempty"`
 }
 
 // DevModeAllowed returns whether a snap can be installed with devmode confinement (either set or overridden)
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers_aliasesv2_test.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers_aliasesv2_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers_aliasesv2_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers_aliasesv2_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -34,7 +34,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -66,8 +66,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -89,7 +89,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -114,8 +114,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -139,7 +139,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -175,8 +175,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -200,7 +200,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -242,8 +242,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -256,7 +256,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -304,7 +304,8 @@
 
 		return nil
 	}
-	s.snapmgr.AddAdhocTaskHandler("grab-alias3", grabAlias3, nil)
+
+	s.o.TaskRunner().AddHandler("grab-alias3", grabAlias3, nil)
 
 	t := s.state.NewTask("set-auto-aliases", "test")
 	t.Set("snap-setup", &snapstate.SnapSetup{
@@ -324,8 +325,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 5; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -353,7 +354,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -379,8 +380,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -404,7 +405,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -435,8 +436,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -478,8 +479,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -487,7 +488,7 @@
 	expected := fakeOps{
 		{
 			op:      "update-aliases",
-			aliases: []*backend.Alias{{"manual1", "alias-snap.cmd1"}},
+			aliases: []*backend.Alias{{Name: "manual1", Target: "alias-snap.cmd1"}},
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -533,8 +534,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -543,7 +544,7 @@
 	expected := fakeOps{
 		{
 			op:      "update-aliases",
-			aliases: []*backend.Alias{{"manual1", "alias-snap.cmd1"}},
+			aliases: []*backend.Alias{{Name: "manual1", Target: "alias-snap.cmd1"}},
 		},
 		{
 			op:   "remove-snap-aliases",
@@ -588,8 +589,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -597,7 +598,7 @@
 	expected := fakeOps{
 		{
 			op:      "update-aliases",
-			aliases: []*backend.Alias{{"alias1", "alias-snap.cmd1"}},
+			aliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd1"}},
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -643,8 +644,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -653,7 +654,7 @@
 	expected := fakeOps{
 		{
 			op:      "update-aliases",
-			aliases: []*backend.Alias{{"alias1", "alias-snap.cmd1"}},
+			aliases: []*backend.Alias{{Name: "alias1", Target: "alias-snap.cmd1"}},
 		},
 		{
 			op:   "remove-snap-aliases",
@@ -694,8 +695,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -744,8 +745,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -800,8 +801,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -811,8 +812,8 @@
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 		},
 	}
@@ -857,8 +858,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -906,8 +907,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -938,7 +939,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -969,8 +970,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -980,12 +981,12 @@
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2x"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias2", Target: "alias-snap.cmd2x"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 			aliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2"},
-				{"alias4", "alias-snap.cmd4"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias4", Target: "alias-snap.cmd4"},
 			},
 		},
 	}
@@ -1011,7 +1012,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -1047,8 +1048,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -1059,23 +1060,23 @@
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2x"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias2", Target: "alias-snap.cmd2x"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 			aliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2"},
-				{"alias4", "alias-snap.cmd4"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias4", Target: "alias-snap.cmd4"},
 			},
 		},
 		{
 			op: "update-aliases",
 			aliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2x"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias2", Target: "alias-snap.cmd2x"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 			rmAliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2"},
-				{"alias4", "alias-snap.cmd4"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias4", Target: "alias-snap.cmd4"},
 			},
 		},
 	}
@@ -1101,7 +1102,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -1132,8 +1133,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -1144,17 +1145,17 @@
 		{
 			op: "update-aliases",
 			aliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd1"},
-				{"alias2", "alias-snap.cmd2"},
-				{"alias4", "alias-snap.cmd4"},
+				{Name: "alias1", Target: "alias-snap.cmd1"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias4", Target: "alias-snap.cmd4"},
 			},
 		},
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd1"},
-				{"alias2", "alias-snap.cmd2"},
-				{"alias4", "alias-snap.cmd4"},
+				{Name: "alias1", Target: "alias-snap.cmd1"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias4", Target: "alias-snap.cmd4"},
 			},
 		},
 	}
@@ -1176,7 +1177,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -1207,8 +1208,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -1235,7 +1236,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -1271,8 +1272,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -1300,7 +1301,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -1340,8 +1341,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -1354,7 +1355,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		c.Check(info.Name(), Equals, "alias-snap")
+		c.Check(info.InstanceName(), Equals, "alias-snap")
 		return map[string]string{
 			"alias1": "cmd1",
 			"alias2": "cmd2",
@@ -1396,7 +1397,7 @@
 		return nil
 	}
 
-	s.snapmgr.AddAdhocTaskHandler("grab-alias3", grabAlias3, nil)
+	s.o.TaskRunner().AddHandler("grab-alias3", grabAlias3, nil)
 
 	t := s.state.NewTask("refresh-aliases", "test")
 	t.Set("snap-setup", &snapstate.SnapSetup{
@@ -1416,8 +1417,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 5; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -1428,20 +1429,20 @@
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2x"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias2", Target: "alias-snap.cmd2x"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 			aliases: []*backend.Alias{
-				{"alias2", "alias-snap.cmd2"},
-				{"alias4", "alias-snap.cmd4"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias4", Target: "alias-snap.cmd4"},
 			},
 		},
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd1"},
-				{"alias2", "alias-snap.cmd2"},
-				{"alias4", "alias-snap.cmd4"},
+				{Name: "alias1", Target: "alias-snap.cmd1"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias4", Target: "alias-snap.cmd4"},
 			},
 		},
 	}
@@ -1504,8 +1505,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -1515,17 +1516,17 @@
 		{
 			op: "update-aliases",
 			rmAliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd5"},
-				{"alias2", "alias-snap.cmd2"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias1", Target: "alias-snap.cmd5"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 		},
 		{
 			op: "update-aliases",
 			aliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd5"},
-				{"alias2", "alias-snap.cmd2"},
-				{"alias3", "alias-snap.cmd3"},
+				{Name: "alias1", Target: "alias-snap.cmd5"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
+				{Name: "alias3", Target: "alias-snap.cmd3"},
 			},
 		},
 	}
@@ -1605,8 +1606,8 @@
 
 	s.state.Unlock()
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 	s.state.Lock()
 	c.Check(t.Status(), Equals, state.DoneStatus, Commentf("%v", chg.Err()))
@@ -1620,9 +1621,9 @@
 	c.Assert(s.fakeBackend.ops[2], DeepEquals, fakeOp{
 		op: "update-aliases",
 		aliases: []*backend.Alias{
-			{"alias1", "alias-snap.cmd1"},
-			{"alias2", "alias-snap.cmd2"},
-			{"alias3", "alias-snap.cmd3"},
+			{Name: "alias1", Target: "alias-snap.cmd1"},
+			{Name: "alias2", Target: "alias-snap.cmd2"},
+			{Name: "alias3", Target: "alias-snap.cmd3"},
 		},
 	})
 
@@ -1733,8 +1734,8 @@
 
 	s.state.Unlock()
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 	s.state.Lock()
 	c.Check(t.Status(), Equals, state.UndoneStatus, Commentf("%v", chg.Err()))
@@ -1744,9 +1745,9 @@
 	c.Assert(s.fakeBackend.ops[3], DeepEquals, fakeOp{
 		op: "update-aliases",
 		rmAliases: []*backend.Alias{
-			{"alias1", "alias-snap.cmd1"},
-			{"alias2", "alias-snap.cmd2"},
-			{"alias3", "alias-snap.cmd3"},
+			{Name: "alias1", Target: "alias-snap.cmd1"},
+			{Name: "alias2", Target: "alias-snap.cmd2"},
+			{Name: "alias3", Target: "alias-snap.cmd3"},
 		},
 	})
 	c.Assert(s.fakeBackend.ops[4].aliases, HasLen, 1)
@@ -1867,7 +1868,7 @@
 		return nil
 	}
 
-	s.snapmgr.AddAdhocTaskHandler("conflict-alias5", conflictAlias5, nil)
+	s.o.TaskRunner().AddHandler("conflict-alias5", conflictAlias5, nil)
 
 	t := s.state.NewTask("prefer-aliases", "test")
 	t.Set("snap-setup", &snapstate.SnapSetup{
@@ -1886,8 +1887,8 @@
 
 	s.state.Unlock()
 	for i := 0; i < 5; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 	s.state.Lock()
 	c.Check(t.Status(), Equals, state.UndoneStatus, Commentf("%v", chg.Err()))
@@ -1897,15 +1898,15 @@
 	c.Assert(s.fakeBackend.ops[3], DeepEquals, fakeOp{
 		op: "update-aliases",
 		rmAliases: []*backend.Alias{
-			{"alias1", "alias-snap.cmd1"},
-			{"alias2", "alias-snap.cmd2"},
-			{"alias3", "alias-snap.cmd3"},
+			{Name: "alias1", Target: "alias-snap.cmd1"},
+			{Name: "alias2", Target: "alias-snap.cmd2"},
+			{Name: "alias3", Target: "alias-snap.cmd3"},
 		},
 	})
 	c.Assert(s.fakeBackend.ops[4], DeepEquals, fakeOp{
 		op: "update-aliases",
 		aliases: []*backend.Alias{
-			{"alias3", "other-alias-snap3.cmd5"},
+			{Name: "alias3", Target: "other-alias-snap3.cmd5"},
 		},
 	})
 
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers_discard_test.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers_discard_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers_discard_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers_discard_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,44 +22,17 @@
 import (
 	. "gopkg.in/check.v1"
 
-	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
 )
 
 type discardSnapSuite struct {
-	state   *state.State
-	snapmgr *snapstate.SnapManager
-
-	fakeBackend *fakeSnappyBackend
-
-	reset func()
+	baseHandlerSuite
 }
 
 var _ = Suite(&discardSnapSuite{})
 
-func (s *discardSnapSuite) SetUpTest(c *C) {
-	// use fake root
-	dirs.SetRootDir(c.MkDir())
-
-	s.fakeBackend = &fakeSnappyBackend{}
-	s.state = state.New(nil)
-
-	var err error
-	s.snapmgr, err = snapstate.Manager(s.state)
-	c.Assert(err, IsNil)
-	s.snapmgr.AddForeignTaskHandlers(s.fakeBackend)
-
-	snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
-
-	s.reset = snapstate.MockReadInfo(s.fakeBackend.ReadInfo)
-}
-
-func (s *discardSnapSuite) TearDownTest(c *C) {
-	s.reset()
-}
-
 func (s *discardSnapSuite) TestDoDiscardSnapSuccess(c *C) {
 	s.state.Lock()
 	snapstate.Set(s.state, "foo", &snapstate.SnapState{
@@ -81,8 +54,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -115,8 +88,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -147,8 +120,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -180,8 +153,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers_download_test.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers_download_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers_download_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers_download_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,49 +20,37 @@
 package snapstate_test
 
 import (
+	"path/filepath"
+
 	. "gopkg.in/check.v1"
 
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/overlord/configstate/config"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/store"
 )
 
 type downloadSnapSuite struct {
-	state     *state.State
-	snapmgr   *snapstate.SnapManager
-	fakeStore *fakeStore
-
-	fakeBackend *fakeSnappyBackend
+	baseHandlerSuite
 
-	reset func()
+	fakeStore *fakeStore
 }
 
 var _ = Suite(&downloadSnapSuite{})
 
 func (s *downloadSnapSuite) SetUpTest(c *C) {
-	s.fakeBackend = &fakeSnappyBackend{}
-	s.state = state.New(nil)
-	s.state.Lock()
-	defer s.state.Unlock()
+	s.setup(c, nil)
 
 	s.fakeStore = &fakeStore{
 		state:       s.state,
 		fakeBackend: s.fakeBackend,
 	}
+	s.state.Lock()
+	defer s.state.Unlock()
 	snapstate.ReplaceStore(s.state, s.fakeStore)
-
-	var err error
-	s.snapmgr, err = snapstate.Manager(s.state)
-	c.Assert(err, IsNil)
-	s.snapmgr.AddForeignTaskHandlers(s.fakeBackend)
-
-	snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
-
-	s.reset = snapstate.MockReadInfo(s.fakeBackend.ReadInfo)
-}
-
-func (s *downloadSnapSuite) TearDownTest(c *C) {
-	s.reset()
+	s.state.Set("refresh-privacy-key", "privacy-key")
 }
 
 func (s *downloadSnapSuite) TestDoDownloadSnapCompatbility(c *C) {
@@ -84,14 +72,21 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	// the compat code called the store "Snap" endpoint
 	c.Assert(s.fakeBackend.ops, DeepEquals, fakeOps{
 		{
-			op:    "storesvc-snap",
-			name:  "foo",
+			op: "storesvc-snap-action",
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "foo",
+				Channel:      "some-channel",
+			},
 			revno: snap.R(11),
 		},
 		{
@@ -137,8 +132,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	// only the download endpoint of the store was hit
 	c.Assert(s.fakeBackend.ops, DeepEquals, fakeOps{
@@ -180,8 +175,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -196,3 +191,47 @@
 	c.Assert(err, Equals, state.ErrNoState)
 
 }
+
+func (s *downloadSnapSuite) TestDoDownloadRateLimitedIntegration(c *C) {
+	s.state.Lock()
+
+	// set auto-refresh rate-limit
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "refresh.rate-limit", "1234B")
+	tr.Commit()
+
+	// setup fake auto-refresh download
+	si := &snap.SideInfo{
+		RealName: "foo",
+		SnapID:   "foo-id",
+		Revision: snap.R(11),
+	}
+	t := s.state.NewTask("download-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si,
+		DownloadInfo: &snap.DownloadInfo{
+			DownloadURL: "http://some-url.com/snap",
+		},
+		Flags: snapstate.Flags{
+			IsAutoRefresh: true,
+		},
+	})
+	s.state.NewChange("dummy", "...").AddTask(t)
+
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	// ensure that rate limit was honored
+	c.Assert(s.fakeStore.downloads, DeepEquals, []fakeDownload{
+		{
+			name:   "foo",
+			target: filepath.Join(dirs.SnapBlobDir, "foo_11.snap"),
+			opts: &store.DownloadOptions{
+				RateLimit: 1234,
+			},
+		},
+	})
+
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,8 +20,10 @@
 package snapstate
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -29,15 +31,19 @@
 	"gopkg.in/tomb.v2"
 
 	"github.com/snapcore/snapd/boot"
+	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/configstate/config"
+	"github.com/snapcore/snapd/overlord/configstate/settings"
 	"github.com/snapcore/snapd/overlord/snapstate/backend"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/store"
+	"github.com/snapcore/snapd/strutil"
 )
 
 // TaskSnapSetup returns the SnapSetup with task params hold by or referred to by the the task.
@@ -59,6 +65,9 @@
 	}
 
 	ts := t.State().Task(id)
+	if ts == nil {
+		return nil, fmt.Errorf("internal error: tasks are being pruned")
+	}
 	if err := ts.Get("snap-setup", &snapsup); err != nil {
 		return nil, err
 	}
@@ -71,7 +80,7 @@
 		return nil, nil, err
 	}
 	var snapst SnapState
-	err = Get(t.State(), snapsup.Name(), &snapst)
+	err = Get(t.State(), snapsup.InstanceName(), &snapst)
 	if err != nil && err != state.ErrNoState {
 		return nil, nil, err
 	}
@@ -114,7 +123,22 @@
 */
 
 const defaultCoreSnapName = "core"
-const defaultBaseSnapsChannel = "stable"
+
+func defaultBaseSnapsChannel() string {
+	channel := os.Getenv("SNAPD_BASES_CHANNEL")
+	if channel == "" {
+		return "stable"
+	}
+	return channel
+}
+
+func defaultPrereqSnapsChannel() string {
+	channel := os.Getenv("SNAPD_PREREQS_CHANNEL")
+	if channel == "" {
+		return "stable"
+	}
+	return channel
+}
 
 func linkSnapInFlight(st *state.State, snapName string) (bool, error) {
 	for _, chg := range st.Changes() {
@@ -130,7 +154,7 @@
 				if err != nil {
 					return false, err
 				}
-				if snapsup.Name() == snapName {
+				if snapsup.InstanceName() == snapName {
 					return true, nil
 				}
 			}
@@ -163,9 +187,14 @@
 		return err
 	}
 
-	// core/ubuntu-core can not have prerequisites
-	snapName := snapsup.Name()
-	if snapName == defaultCoreSnapName || snapName == "ubuntu-core" {
+	// os/base/kernel/gadget cannot have prerequisites other
+	// than the models default base (or core) which is installed anyway
+	switch snapsup.Type {
+	case snap.TypeOS, snap.TypeBase, snap.TypeKernel, snap.TypeGadget:
+		return nil
+	}
+	// snapd is special and has no prereqs
+	if snapsup.InstanceName() == "snapd" {
 		return nil
 	}
 
@@ -183,7 +212,7 @@
 	return nil
 }
 
-func (m *SnapManager) installOneBaseOrRequired(st *state.State, snapName string, onInFlight error, userID int) (*state.TaskSet, error) {
+func (m *SnapManager) installOneBaseOrRequired(st *state.State, snapName, channel string, onInFlight error, userID int) (*state.TaskSet, error) {
 	// installed already?
 	isInstalled, err := isInstalled(st, snapName)
 	if err != nil {
@@ -202,14 +231,11 @@
 	}
 
 	// not installed, nor queued for install -> install it
-	ts, err := Install(st, snapName, defaultBaseSnapsChannel, snap.R(0), userID, Flags{})
+	ts, err := Install(st, snapName, channel, snap.R(0), userID, Flags{})
 	// something might have triggered an explicit install while
 	// the state was unlocked -> deal with that here by simply
 	// retrying the operation.
-	if _, ok := err.(changeDuringInstallError); ok {
-		return nil, &state.Retry{After: prerequisitesRetryTimeout}
-	}
-	if _, ok := err.(changeConflictError); ok {
+	if _, ok := err.(*ChangeConflictError); ok {
 		return nil, &state.Retry{After: prerequisitesRetryTimeout}
 	}
 	return ts, err
@@ -224,7 +250,7 @@
 	var tss []*state.TaskSet
 	for _, prereqName := range prereq {
 		var onInFlightErr error = nil
-		ts, err := m.installOneBaseOrRequired(st, prereqName, onInFlightErr, userID)
+		ts, err := m.installOneBaseOrRequired(st, prereqName, defaultPrereqSnapsChannel(), onInFlightErr, userID)
 		if err != nil {
 			return err
 		}
@@ -237,7 +263,7 @@
 	// for base snaps we need to wait until the change is done
 	// (either finished or failed)
 	onInFlightErr := &state.Retry{After: prerequisitesRetryTimeout}
-	tsBase, err := m.installOneBaseOrRequired(st, base, onInFlightErr, userID)
+	tsBase, err := m.installOneBaseOrRequired(st, base, defaultBaseSnapsChannel(), onInFlightErr, userID)
 	if err != nil {
 		return err
 	}
@@ -351,18 +377,52 @@
 		extra["UbuntuCoreTransitionCount"] = strconv.Itoa(ubuntuCoreTransitionCount)
 	}
 
-	st.Unlock()
-	oopsid, err := errtrackerReport(snapsup.SideInfo.RealName, strings.Join(logMsg, "\n"), strings.Join(dupSig, "\n"), extra)
-	st.Lock()
-	if err == nil {
-		logger.Noticef("Reported install problem for %q as %s", snapsup.SideInfo.RealName, oopsid)
-	} else {
-		logger.Debugf("Cannot report problem: %s", err)
+	// Only report and error if there is an actual error in the change,
+	// we could undo things because the user canceled the change.
+	var isErr bool
+	for _, tt := range t.Change().Tasks() {
+		if tt.Status() == state.ErrorStatus {
+			isErr = true
+			break
+		}
+	}
+	if isErr && !settings.ProblemReportsDisabled(st) {
+		st.Unlock()
+		oopsid, err := errtrackerReport(snapsup.SideInfo.RealName, strings.Join(logMsg, "\n"), strings.Join(dupSig, "\n"), extra)
+		st.Lock()
+		if err == nil {
+			logger.Noticef("Reported install problem for %q as %s", snapsup.SideInfo.RealName, oopsid)
+		} else {
+			logger.Debugf("Cannot report problem: %s", err)
+		}
 	}
 
 	return nil
 }
 
+func installInfoUnlocked(st *state.State, snapsup *SnapSetup) (*snap.Info, error) {
+	st.Lock()
+	defer st.Unlock()
+	return installInfo(st, snapsup.InstanceName(), snapsup.Channel, snapsup.Revision(), snapsup.UserID)
+}
+
+// autoRefreshRateLimited returns the rate limit of auto-refreshes or 0 if
+// there is no limit.
+func autoRefreshRateLimited(st *state.State) (rate int64) {
+	tr := config.NewTransaction(st)
+
+	var rateLimit string
+	err := tr.Get("core", "refresh.rate-limit", &rateLimit)
+	if err != nil {
+		return 0
+	}
+	val, err := strutil.ParseByteSize(rateLimit)
+	if err != nil {
+		return 0
+	}
+	return val
+}
+
 func (m *SnapManager) doDownloadSnap(t *state.Task, tomb *tomb.Tomb) error {
 	st := t.State()
 	st.Lock()
@@ -374,6 +434,7 @@
 
 	st.Lock()
 	theStore := Store(st)
+	rate := autoRefreshRateLimited(st)
 	user, err := userFromUserID(st, snapsup.UserID)
 	st.Unlock()
 	if err != nil {
@@ -382,24 +443,24 @@
 
 	meter := NewTaskProgressAdapterUnlocked(t)
 	targetFn := snapsup.MountFile()
+
+	dlOpts := &store.DownloadOptions{}
+	if snapsup.IsAutoRefresh && rate > 0 {
+		dlOpts.RateLimit = rate
+	}
 	if snapsup.DownloadInfo == nil {
 		var storeInfo *snap.Info
 		// COMPATIBILITY - this task was created from an older version
 		// of snapd that did not store the DownloadInfo in the state
 		// yet.
-		spec := store.SnapSpec{
-			Name:     snapsup.Name(),
-			Channel:  snapsup.Channel,
-			Revision: snapsup.Revision(),
-		}
-		storeInfo, err = theStore.SnapInfo(spec, user)
+		storeInfo, err = installInfoUnlocked(st, snapsup)
 		if err != nil {
 			return err
 		}
-		err = theStore.Download(tomb.Context(nil), snapsup.Name(), targetFn, &storeInfo.DownloadInfo, meter, user)
+		err = theStore.Download(tomb.Context(nil), snapsup.SnapName(), targetFn, &storeInfo.DownloadInfo, meter, user, dlOpts)
 		snapsup.SideInfo = &storeInfo.SideInfo
 	} else {
-		err = theStore.Download(tomb.Context(nil), snapsup.Name(), targetFn, snapsup.DownloadInfo, meter, user)
+		err = theStore.Download(tomb.Context(nil), snapsup.SnapName(), targetFn, snapsup.DownloadInfo, meter, user, dlOpts)
 	}
 	if err != nil {
 		return err
@@ -415,10 +476,34 @@
 	return nil
 }
 
+var (
+	mountPollInterval = 1 * time.Second
+)
+
+// hasOtherInstances checks whether there are other instances of the snap, be it
+// instance keyed or not
+func hasOtherInstances(st *state.State, instanceName string) (bool, error) {
+	snapName, _ := snap.SplitInstanceName(instanceName)
+	var all map[string]*json.RawMessage
+	if err := st.Get("snaps", &all); err != nil && err != state.ErrNoState {
+		return false, err
+	}
+	for otherName := range all {
+		if otherName == instanceName {
+			continue
+		}
+		if otherSnapName, _ := snap.SplitInstanceName(otherName); otherSnapName == snapName {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 func (m *SnapManager) doMountSnap(t *state.Task, _ *tomb.Tomb) error {
-	t.State().Lock()
+	st := t.State()
+	st.Lock()
 	snapsup, snapst, err := snapSetupAndState(t)
-	t.State().Unlock()
+	st.Unlock()
 	if err != nil {
 		return err
 	}
@@ -429,26 +514,69 @@
 
 	m.backend.CurrentInfo(curInfo)
 
-	if err := checkSnap(t.State(), snapsup.SnapPath, snapsup.SideInfo, curInfo, snapsup.Flags); err != nil {
+	if err := checkSnap(st, snapsup.SnapPath, snapsup.InstanceName(), snapsup.SideInfo, curInfo, snapsup.Flags); err != nil {
 		return err
 	}
 
+	cleanup := func() {
+		st.Lock()
+		defer st.Unlock()
+
+		otherInstances, err := hasOtherInstances(st, snapsup.InstanceName())
+		if err != nil {
+			t.Errorf("cannot cleanup partial setup snap %q: %v", snapsup.InstanceName(), err)
+			return
+		}
+
+		// remove snap dir is idempotent so it's ok to always call it in the cleanup path
+		if err := m.backend.RemoveSnapDir(snapsup.placeInfo(), otherInstances); err != nil {
+			t.Errorf("cannot cleanup partial setup snap %q: %v", snapsup.InstanceName(), err)
+		}
+
+	}
+
 	pb := NewTaskProgressAdapterUnlocked(t)
 	// TODO Use snapsup.Revision() to obtain the right info to mount
 	//      instead of assuming the candidate is the right one.
-	if err := m.backend.SetupSnap(snapsup.SnapPath, snapsup.SideInfo, pb); err != nil {
+	snapType, err := m.backend.SetupSnap(snapsup.SnapPath, snapsup.InstanceName(), snapsup.SideInfo, pb)
+	if err != nil {
+		cleanup()
 		return err
 	}
 
-	// set snapst type for undoMountSnap
-	newInfo, err := readInfo(snapsup.Name(), snapsup.SideInfo)
-	if err != nil {
-		return err
+	// double check that the snap is mounted
+	var readInfoErr error
+	for i := 0; i < 10; i++ {
+		_, readInfoErr = readInfo(snapsup.InstanceName(), snapsup.SideInfo, errorOnBroken)
+		if readInfoErr == nil {
+			break
+		}
+		if _, ok := readInfoErr.(*snap.NotFoundError); !ok {
+			break
+		}
+		// snap not found, seems is not mounted yet
+		msg := fmt.Sprintf("expected snap %q revision %v to be mounted but is not", snapsup.InstanceName(), snapsup.Revision())
+		readInfoErr = fmt.Errorf("cannot proceed, %s", msg)
+		if i == 0 {
+			logger.Noticef(msg)
+		}
+		time.Sleep(mountPollInterval)
+	}
+	if readInfoErr != nil {
+		if err := m.backend.UndoSetupSnap(snapsup.placeInfo(), snapType, pb); err != nil {
+			st.Lock()
+			t.Errorf("cannot undo partial setup snap %q: %v", snapsup.InstanceName(), err)
+			st.Unlock()
+		}
+
+		cleanup()
+		return readInfoErr
 	}
 
-	t.State().Lock()
-	t.Set("snap-type", newInfo.Type)
-	t.State().Unlock()
+	st.Lock()
+	// set snapst type for undoMountSnap
+	t.Set("snap-type", snapType)
+	st.Unlock()
 
 	if snapsup.Flags.RemoveSnapPath {
 		if err := os.Remove(snapsup.SnapPath); err != nil {
@@ -460,17 +588,18 @@
 }
 
 func (m *SnapManager) undoMountSnap(t *state.Task, _ *tomb.Tomb) error {
-	t.State().Lock()
+	st := t.State()
+	st.Lock()
 	snapsup, err := TaskSnapSetup(t)
-	t.State().Unlock()
+	st.Unlock()
 	if err != nil {
 		return err
 	}
 
-	t.State().Lock()
+	st.Lock()
 	var typ snap.Type
 	err = t.Get("snap-type", &typ)
-	t.State().Unlock()
+	st.Unlock()
 	// backward compatibility
 	if err == state.ErrNoState {
 		typ = "app"
@@ -479,7 +608,19 @@
 	}
 
 	pb := NewTaskProgressAdapterUnlocked(t)
-	return m.backend.UndoSetupSnap(snapsup.placeInfo(), typ, pb)
+	if err := m.backend.UndoSetupSnap(snapsup.placeInfo(), typ, pb); err != nil {
+		return err
+	}
+
+	st.Lock()
+	defer st.Unlock()
+
+	otherInstances, err := hasOtherInstances(st, snapsup.InstanceName())
+	if err != nil {
+		return err
+	}
+
+	return m.backend.RemoveSnapDir(snapsup.placeInfo(), otherInstances)
 }
 
 func (m *SnapManager) doUnlinkCurrentSnap(t *state.Task, _ *tomb.Tomb) error {
@@ -498,7 +639,7 @@
 	}
 
 	// Make a copy of configuration of given snap revision
-	if err = config.SaveRevisionConfig(st, snapsup.Name(), snapst.Current); err != nil {
+	if err = config.SaveRevisionConfig(st, snapsup.InstanceName(), snapst.Current); err != nil {
 		return err
 	}
 
@@ -511,7 +652,7 @@
 	}
 
 	// mark as inactive
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
 	return nil
 }
 
@@ -530,14 +671,19 @@
 		return err
 	}
 
+	model, err := Model(st)
+	if err != nil && err != state.ErrNoState {
+		return err
+	}
+
 	snapst.Active = true
-	err = m.backend.LinkSnap(oldInfo)
+	err = m.backend.LinkSnap(oldInfo, model)
 	if err != nil {
 		return err
 	}
 
 	// mark as active again
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
 
 	// if we just put back a previous a core snap, request a restart
 	// so that we switch executing its snapd
@@ -547,14 +693,15 @@
 }
 
 func (m *SnapManager) doCopySnapData(t *state.Task, _ *tomb.Tomb) error {
-	t.State().Lock()
+	st := t.State()
+	st.Lock()
 	snapsup, snapst, err := snapSetupAndState(t)
-	t.State().Unlock()
+	st.Unlock()
 	if err != nil {
 		return err
 	}
 
-	newInfo, err := readInfo(snapsup.Name(), snapsup.SideInfo)
+	newInfo, err := readInfo(snapsup.InstanceName(), snapsup.SideInfo, 0)
 	if err != nil {
 		return err
 	}
@@ -565,18 +712,42 @@
 	}
 
 	pb := NewTaskProgressAdapterUnlocked(t)
-	return m.backend.CopySnapData(newInfo, oldInfo, pb)
+	if copyDataErr := m.backend.CopySnapData(newInfo, oldInfo, pb); copyDataErr != nil {
+		if oldInfo != nil {
+			// there is another revision of the snap, cannot remove
+			// shared data directory
+			return copyDataErr
+		}
+
+		// cleanup shared snap data directory
+		st.Lock()
+		defer st.Unlock()
+
+		otherInstances, err := hasOtherInstances(st, snapsup.InstanceName())
+		if err != nil {
+			t.Errorf("cannot undo partial snap %q data copy: %v", snapsup.InstanceName(), err)
+			return copyDataErr
+		}
+		// no other instances of this snap, shared data directory can be
+		// removed now too
+		if err := m.backend.RemoveSnapDataDir(newInfo, otherInstances); err != nil {
+			t.Errorf("cannot undo partial snap %q data copy, failed removing shared directory: %v", snapsup.InstanceName(), err)
+		}
+		return copyDataErr
+	}
+	return nil
 }
 
 func (m *SnapManager) undoCopySnapData(t *state.Task, _ *tomb.Tomb) error {
-	t.State().Lock()
+	st := t.State()
+	st.Lock()
 	snapsup, snapst, err := snapSetupAndState(t)
-	t.State().Unlock()
+	st.Unlock()
 	if err != nil {
 		return err
 	}
 
-	newInfo, err := readInfo(snapsup.Name(), snapsup.SideInfo)
+	newInfo, err := readInfo(snapsup.InstanceName(), snapsup.SideInfo, 0)
 	if err != nil {
 		return err
 	}
@@ -587,7 +758,29 @@
 	}
 
 	pb := NewTaskProgressAdapterUnlocked(t)
-	return m.backend.UndoCopySnapData(newInfo, oldInfo, pb)
+	if err := m.backend.UndoCopySnapData(newInfo, oldInfo, pb); err != nil {
+		return err
+	}
+
+	if oldInfo != nil {
+		// there is other revision of this snap, cannot remove shared
+		// directory anyway
+		return nil
+	}
+
+	st.Lock()
+	defer st.Unlock()
+
+	otherInstances, err := hasOtherInstances(st, snapsup.InstanceName())
+	if err != nil {
+		return err
+	}
+	// no other instances of this snap and no other revisions, shared data
+	// directory can be removed
+	if err := m.backend.RemoveSnapDataDir(newInfo, otherInstances); err != nil {
+		return err
+	}
+	return nil
 }
 
 func (m *SnapManager) cleanupCopySnapData(t *state.Task, _ *tomb.Tomb) error {
@@ -615,6 +808,27 @@
 	return nil
 }
 
+// writeSeqFile writes the sequence file for failover handling
+func writeSeqFile(name string, snapst *SnapState) error {
+	p := filepath.Join(dirs.SnapSeqDir, name+".json")
+	if err := os.MkdirAll(filepath.Dir(p), 0755); err != nil {
+		return err
+	}
+
+	b, err := json.Marshal(&struct {
+		Sequence []*snap.SideInfo `json:"sequence"`
+		Current  string           `json:"current"`
+	}{
+		Sequence: snapst.Sequence,
+		Current:  snapst.Current.String(),
+	})
+	if err != nil {
+		return err
+	}
+
+	return osutil.AtomicWriteFile(p, b, 0644, 0)
+}
+
 func (m *SnapManager) doLinkSnap(t *state.Task, _ *tomb.Tomb) error {
 	st := t.State()
 	st.Lock()
@@ -675,8 +889,10 @@
 			snapst.UserID = snapsup.UserID
 		}
 	}
+	// keep instance key
+	snapst.InstanceKey = snapsup.InstanceKey
 
-	newInfo, err := readInfo(snapsup.Name(), cand)
+	newInfo, err := readInfo(snapsup.InstanceName(), cand, 0)
 	if err != nil {
 		return err
 	}
@@ -685,12 +901,13 @@
 	snapst.SetType(newInfo.Type)
 
 	// XXX: this block is slightly ugly, find a pattern when we have more examples
-	err = m.backend.LinkSnap(newInfo)
+	model, _ := Model(st)
+	err = m.backend.LinkSnap(newInfo, model)
 	if err != nil {
 		pb := NewTaskProgressAdapterLocked(t)
 		err := m.backend.UnlinkSnap(newInfo, pb)
 		if err != nil {
-			t.Errorf("cannot cleanup failed attempt at making snap %q available to the system: %v", snapsup.Name(), err)
+			t.Errorf("cannot cleanup failed attempt at making snap %q available to the system: %v", snapsup.InstanceName(), err)
 		}
 	}
 	if err != nil {
@@ -699,13 +916,13 @@
 
 	// Restore configuration of the target revision (if available) on revert
 	if snapsup.Revert {
-		if err = config.RestoreRevisionConfig(st, snapsup.Name(), snapsup.Revision()); err != nil {
+		if err = config.RestoreRevisionConfig(st, snapsup.InstanceName(), snapsup.Revision()); err != nil {
 			return err
 		}
 	}
 
 	if len(snapst.Sequence) == 1 {
-		if err := m.createSnapCookie(st, snapsup.Name()); err != nil {
+		if err := m.createSnapCookie(st, snapsup.InstanceName()); err != nil {
 			return fmt.Errorf("cannot create snap cookie: %v", err)
 		}
 	}
@@ -719,7 +936,11 @@
 	t.Set("old-current", oldCurrent)
 	t.Set("old-candidate-index", oldCandidateIndex)
 	// Do at the end so we only preserve the new state if it worked.
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
+	// write sequence file for failover helpers
+	if err := writeSeqFile(snapsup.InstanceName(), snapst); err != nil {
+		return err
+	}
 
 	// Compatibility with old snapd: check if we have auto-connect task and
 	// if not, inject it after self (link-snap) for snaps that are not core
@@ -732,7 +953,7 @@
 				if err != nil {
 					return err
 				}
-				if snapsup.Name() == otherSnapsup.Name() {
+				if snapsup.InstanceName() == otherSnapsup.InstanceName() {
 					if other.Kind() == "auto-connect" {
 						hasAutoConnect = true
 					} else {
@@ -756,17 +977,39 @@
 	return nil
 }
 
-// maybeRestart will schedule a reboot or restart as needed for the just linked
-// snap with info if it's a core or kernel snap.
+// maybeRestart will schedule a reboot or restart as needed for the
+// just linked snap with info if it's a core or snapd or kernel snap.
 func maybeRestart(t *state.Task, info *snap.Info) {
 	st := t.State()
-	if release.OnClassic && info.Type == snap.TypeOS {
-		t.Logf("Requested daemon restart.")
-		st.RequestRestart(state.RestartDaemon)
+
+	// TODO: once classic uses the snapd snap we need to restart
+	//       here too
+	if release.OnClassic {
+		if info.Type == snap.TypeOS {
+			t.Logf("Requested daemon restart.")
+			st.RequestRestart(state.RestartDaemon)
+		}
+		return
 	}
-	if !release.OnClassic && boot.KernelOrOsRebootRequired(info) {
+
+	// On a core system we may need a full reboot if
+	// core/base or the kernel changes.
+	if boot.ChangeRequiresReboot(info) {
 		t.Logf("Requested system restart.")
 		st.RequestRestart(state.RestartSystem)
+		return
+	}
+
+	// On core systems that use a base snap we need to restart
+	// snapd when the snapd snap changes.
+	model, err := Model(st)
+	if err != nil {
+		logger.Noticef("cannot get model assertion: %v", model)
+		return
+	}
+	if model.Base() != "" && info.InstanceName() == "snapd" {
+		t.Logf("Requested daemon restart (snapd snap).")
+		st.RequestRestart(state.RestartDaemon)
 	}
 }
 
@@ -821,7 +1064,7 @@
 	}
 
 	if len(snapst.Sequence) == 1 {
-		if err := m.removeSnapCookie(st, snapsup.Name()); err != nil {
+		if err := m.removeSnapCookie(st, snapsup.InstanceName()); err != nil {
 			return fmt.Errorf("cannot remove snap cookie: %v", err)
 		}
 	}
@@ -850,13 +1093,13 @@
 	snapst.JailMode = oldJailMode
 	snapst.Classic = oldClassic
 
-	newInfo, err := readInfo(snapsup.Name(), snapsup.SideInfo)
+	newInfo, err := readInfo(snapsup.InstanceName(), snapsup.SideInfo, 0)
 	if err != nil {
 		return err
 	}
 
 	if len(snapst.Sequence) == 1 {
-		if err = config.RestoreRevisionConfig(st, snapsup.Name(), oldCurrent); err != nil {
+		if err = config.RestoreRevisionConfig(st, snapsup.InstanceName(), oldCurrent); err != nil {
 			return err
 		}
 	}
@@ -867,7 +1110,11 @@
 	}
 
 	// mark as inactive
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
+	// write sequence file for failover helpers
+	if err := writeSeqFile(snapsup.InstanceName(), snapst); err != nil {
+		return err
+	}
 	// Make sure if state commits and snapst is mutated we won't be rerun
 	t.SetStatus(state.UndoneStatus)
 
@@ -902,7 +1149,7 @@
 		snapst.CurrentSideInfo().Channel = snapsup.Channel
 	}
 
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
 	return nil
 }
 
@@ -917,7 +1164,7 @@
 	}
 	snapst.Channel = snapsup.Channel
 
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
 	return nil
 }
 
@@ -934,7 +1181,7 @@
 	// for now we support toggling only ignore-validation
 	snapst.IgnoreValidation = snapsup.IgnoreValidation
 
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
 	return nil
 }
 
@@ -957,9 +1204,14 @@
 		return nil
 	}
 
+	startupOrdered, err := snap.SortServices(svcs)
+	if err != nil {
+		return err
+	}
+
 	pb := NewTaskProgressAdapterUnlocked(t)
 	st.Unlock()
-	err = m.backend.StartServices(svcs, pb)
+	err = m.backend.StartServices(startupOrdered, pb)
 	st.Lock()
 	return err
 }
@@ -1006,7 +1258,7 @@
 		return err
 	}
 
-	info, err := Info(t.State(), snapsup.Name(), snapsup.Revision())
+	info, err := Info(t.State(), snapsup.InstanceName(), snapsup.Revision())
 	if err != nil {
 		return err
 	}
@@ -1019,22 +1271,23 @@
 
 	// mark as inactive
 	snapst.Active = false
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
 
 	return err
 }
 
 func (m *SnapManager) doClearSnapData(t *state.Task, _ *tomb.Tomb) error {
-	t.State().Lock()
+	st := t.State()
+	st.Lock()
 	snapsup, snapst, err := snapSetupAndState(t)
-	t.State().Unlock()
+	st.Unlock()
 	if err != nil {
 		return err
 	}
 
-	t.State().Lock()
-	info, err := Info(t.State(), snapsup.Name(), snapsup.Revision())
-	t.State().Unlock()
+	st.Lock()
+	info, err := Info(t.State(), snapsup.InstanceName(), snapsup.Revision())
+	st.Unlock()
 	if err != nil {
 		return err
 	}
@@ -1043,11 +1296,23 @@
 		return err
 	}
 
-	// Only remove data common between versions if this is the last version
 	if len(snapst.Sequence) == 1 {
+		// Only remove data common between versions if this is the last version
 		if err = m.backend.RemoveSnapCommonData(info); err != nil {
 			return err
 		}
+
+		st.Lock()
+		defer st.Unlock()
+
+		otherInstances, err := hasOtherInstances(st, snapsup.InstanceName())
+		if err != nil {
+			return err
+		}
+		// Snap data directory can be removed now too
+		if err := m.backend.RemoveSnapDataDir(info, otherInstances); err != nil {
+			return err
+		}
 	}
 
 	return nil
@@ -1064,7 +1329,7 @@
 	}
 
 	if snapst.Current == snapsup.Revision() && snapst.Active {
-		return fmt.Errorf("internal error: cannot discard snap %q: still active", snapsup.Name())
+		return fmt.Errorf("internal error: cannot discard snap %q: still active", snapsup.InstanceName())
 	}
 
 	if len(snapst.Sequence) == 1 {
@@ -1092,28 +1357,37 @@
 	}
 	err = m.backend.RemoveSnapFiles(snapsup.placeInfo(), typ, pb)
 	if err != nil {
-		t.Errorf("cannot remove snap file %q, will retry in 3 mins: %s", snapsup.Name(), err)
+		t.Errorf("cannot remove snap file %q, will retry in 3 mins: %s", snapsup.InstanceName(), err)
 		return &state.Retry{After: 3 * time.Minute}
 	}
 	if len(snapst.Sequence) == 0 {
 		// Remove configuration associated with this snap.
-		err = config.DeleteSnapConfig(st, snapsup.Name())
+		err = config.DeleteSnapConfig(st, snapsup.InstanceName())
 		if err != nil {
 			return err
 		}
-		err = m.backend.DiscardSnapNamespace(snapsup.Name())
+		err = m.backend.DiscardSnapNamespace(snapsup.InstanceName())
 		if err != nil {
-			t.Errorf("cannot discard snap namespace %q, will retry in 3 mins: %s", snapsup.Name(), err)
+			t.Errorf("cannot discard snap namespace %q, will retry in 3 mins: %s", snapsup.InstanceName(), err)
 			return &state.Retry{After: 3 * time.Minute}
 		}
-		if err := m.removeSnapCookie(st, snapsup.Name()); err != nil {
+		if err := m.removeSnapCookie(st, snapsup.InstanceName()); err != nil {
 			return fmt.Errorf("cannot remove snap cookie: %v", err)
 		}
+
+		otherInstances, err := hasOtherInstances(st, snapsup.InstanceName())
+		if err != nil {
+			return err
+		}
+
+		if err := m.backend.RemoveSnapDir(snapsup.placeInfo(), otherInstances); err != nil {
+			return fmt.Errorf("cannot remove snap directory: %v", err)
+		}
 	}
-	if err = config.DiscardRevisionConfig(st, snapsup.Name(), snapsup.Revision()); err != nil {
+	if err = config.DiscardRevisionConfig(st, snapsup.InstanceName(), snapsup.Revision()); err != nil {
 		return err
 	}
-	Set(st, snapsup.Name(), snapst)
+	Set(st, snapsup.InstanceName(), snapst)
 	return nil
 }
 
@@ -1163,7 +1437,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 	curInfo, err := snapst.CurrentInfo()
 	if err != nil {
 		return err
@@ -1202,7 +1476,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 
 	err = m.backend.RemoveSnapAliases(snapName)
 	if err != nil {
@@ -1222,7 +1496,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 	curAliases := snapst.Aliases
 
 	_, _, err = applyAliasesChange(snapName, autoDis, nil, snapst.AutoAliasesDisabled, curAliases, m.backend, doApply)
@@ -1243,7 +1517,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 	curInfo, err := snapst.CurrentInfo()
 	if err != nil {
 		return err
@@ -1289,7 +1563,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 	curAutoDisabled := snapst.AutoAliasesDisabled
 	autoDisabled := curAutoDisabled
 	if err = t.Get("old-auto-aliases-disabled", &autoDisabled); err != nil && err != state.ErrNoState {
@@ -1378,12 +1652,12 @@
 		}
 	}
 
-	for snapName, snapst := range newSnapStates {
-		if conflicting[snapName] {
+	for instanceName, snapst := range newSnapStates {
+		if conflicting[instanceName] {
 			// keep as it was
 			continue
 		}
-		Set(st, snapName, snapst)
+		Set(st, instanceName, snapst)
 	}
 	return nil
 }
@@ -1401,7 +1675,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 	autoDisabled := snapst.AutoAliasesDisabled
 	curAliases := snapst.Aliases
 
@@ -1480,7 +1754,7 @@
 		return err
 	}
 
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 	curInfo, err := snapst.CurrentInfo()
 	if err != nil {
 		return err
@@ -1519,7 +1793,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 
 	oldAutoDisabled := snapst.AutoAliasesDisabled
 	oldAliases := snapst.Aliases
@@ -1554,7 +1828,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	snapName := snapsup.InstanceName()
 
 	autoDisabled := snapst.AutoAliasesDisabled
 	oldAliases := snapst.Aliases
@@ -1595,7 +1869,7 @@
 	if err != nil {
 		return err
 	}
-	snapName := snapsup.Name()
+	instanceName := snapsup.InstanceName()
 
 	if !snapst.AutoAliasesDisabled {
 		// already enabled, nothing to do
@@ -1603,7 +1877,7 @@
 	}
 
 	curAliases := snapst.Aliases
-	aliasConflicts, err := checkAliasesConflicts(st, snapName, autoEn, curAliases, nil)
+	aliasConflicts, err := checkAliasesConflicts(st, instanceName, autoEn, curAliases, nil)
 	conflErr, isConflErr := err.(*AliasConflictError)
 	if err != nil && !isConflErr {
 		return err
@@ -1613,7 +1887,7 @@
 		return conflErr
 	}
 	// proceed to disable conflicting aliases as needed
-	// before re-enabling snapName aliases
+	// before re-enabling instanceName aliases
 
 	otherSnapStates := make(map[string]*SnapState, len(aliasConflicts))
 	otherSnapDisabled := make(map[string]*otherDisabledAliases, len(aliasConflicts))
@@ -1647,7 +1921,7 @@
 		otherSnapStates[otherSnap] = &otherSnapState
 	}
 
-	added, removed, err := applyAliasesChange(snapName, autoDis, curAliases, autoEn, curAliases, m.backend, snapst.AliasesPending)
+	added, removed, err := applyAliasesChange(instanceName, autoDis, curAliases, autoEn, curAliases, m.backend, snapst.AliasesPending)
 	if err != nil {
 		return err
 	}
@@ -1664,7 +1938,7 @@
 	t.Set("old-auto-aliases-disabled", true)
 	t.Set("old-aliases-v2", curAliases)
 	snapst.AutoAliasesDisabled = false
-	Set(st, snapName, snapst)
+	Set(st, instanceName, snapst)
 	return nil
 }
 
@@ -1698,7 +1972,7 @@
 
 func InjectAutoConnect(mainTask *state.Task, snapsup *SnapSetup) {
 	st := mainTask.State()
-	autoConnect := st.NewTask("auto-connect", fmt.Sprintf(i18n.G("Automatically connect eligible plugs and slots of snap %q"), snapsup.Name()))
+	autoConnect := st.NewTask("auto-connect", fmt.Sprintf(i18n.G("Automatically connect eligible plugs and slots of snap %q"), snapsup.InstanceName()))
 	autoConnect.Set("snap-setup", snapsup)
 	InjectTasks(mainTask, state.NewTaskSet(autoConnect))
 	mainTask.Logf("added auto-connect task")
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers_link_test.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers_link_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers_link_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers_link_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"path/filepath"
 	"time"
 
@@ -37,14 +38,9 @@
 )
 
 type linkSnapSuite struct {
-	state   *state.State
-	snapmgr *snapstate.SnapManager
-
-	fakeBackend *fakeSnappyBackend
+	baseHandlerSuite
 
 	stateBackend *witnessRestartReqStateBackend
-
-	reset func()
 }
 
 var _ = Suite(&linkSnapSuite{})
@@ -64,42 +60,30 @@
 func (b *witnessRestartReqStateBackend) EnsureBefore(time.Duration) {}
 
 func (s *linkSnapSuite) SetUpTest(c *C) {
-	dirs.SetRootDir(c.MkDir())
-
 	s.stateBackend = &witnessRestartReqStateBackend{}
-	s.fakeBackend = &fakeSnappyBackend{}
-	s.state = state.New(s.stateBackend)
-
-	var err error
-	s.snapmgr, err = snapstate.Manager(s.state)
-	c.Assert(err, IsNil)
-	s.snapmgr.AddForeignTaskHandlers(s.fakeBackend)
 
-	snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
+	s.setup(c, s.stateBackend)
 
-	resetReadInfo := snapstate.MockReadInfo(s.fakeBackend.ReadInfo)
-	s.reset = func() {
-		resetReadInfo()
-		dirs.SetRootDir("/")
-	}
+	snapstate.SetDefaultModel()
 }
 
 func (s *linkSnapSuite) TearDownTest(c *C) {
-	s.reset()
+	s.baseHandlerSuite.TearDownTest(c)
+	snapstate.Model = nil
 }
 
-func checkHasCookieForSnap(c *C, st *state.State, snapName string) {
+func checkHasCookieForSnap(c *C, st *state.State, instanceName string) {
 	var contexts map[string]interface{}
 	err := st.Get("snap-cookies", &contexts)
 	c.Assert(err, IsNil)
 	c.Check(contexts, HasLen, 1)
 
 	for _, snap := range contexts {
-		if snapName == snap {
+		if instanceName == snap {
 			return
 		}
 	}
-	panic(fmt.Sprintf("Cookie missing for snap %q", snapName))
+	panic(fmt.Sprintf("Cookie missing for snap %q", instanceName))
 }
 
 func (s *linkSnapSuite) TestDoLinkSnapSuccess(c *C) {
@@ -117,8 +101,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -154,8 +138,8 @@
 	s.state.NewChange("dummy", "...").AddTask(t)
 
 	s.state.Unlock()
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -198,8 +182,8 @@
 	s.state.NewChange("dummy", "...").AddTask(t)
 
 	s.state.Unlock()
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -232,8 +216,8 @@
 	s.state.NewChange("dummy", "...").AddTask(t)
 
 	s.state.Unlock()
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -245,6 +229,44 @@
 	c.Check(snapst.UserID, Equals, 2)
 }
 
+func (s *linkSnapSuite) TestDoLinkSnapSeqFile(c *C) {
+	s.state.Lock()
+	// pretend we have an installed snap
+	si11 := &snap.SideInfo{
+		RealName: "foo",
+		Revision: snap.R(11),
+	}
+	snapstate.Set(s.state, "foo", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{si11},
+		Current:  si11.Revision,
+	})
+	// add a new one
+	t := s.state.NewTask("link-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "foo",
+			Revision: snap.R(33),
+		},
+		Channel: "beta",
+	})
+	s.state.NewChange("dummy", "...").AddTask(t)
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	var snapst snapstate.SnapState
+	err := snapstate.Get(s.state, "foo", &snapst)
+	c.Assert(err, IsNil)
+
+	// and check that the sequence file got updated
+	seqContent, err := ioutil.ReadFile(filepath.Join(dirs.SnapSeqDir, "foo.json"))
+	c.Assert(err, IsNil)
+	c.Check(string(seqContent), Equals, `{"sequence":[{"name":"foo","snap-id":"","revision":"11"},{"name":"foo","snap-id":"","revision":"33"}],"current":"33"}`)
+}
+
 func (s *linkSnapSuite) TestDoUndoLinkSnap(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -267,8 +289,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 6; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -276,6 +298,11 @@
 	err := snapstate.Get(s.state, "foo", &snapst)
 	c.Assert(err, Equals, state.ErrNoState)
 	c.Check(t.Status(), Equals, state.UndoneStatus)
+
+	// and check that the sequence file got updated
+	seqContent, err := ioutil.ReadFile(filepath.Join(dirs.SnapSeqDir, "foo.json"))
+	c.Assert(err, IsNil)
+	c.Check(string(seqContent), Equals, `{"sequence":[],"current":"unset"}`)
 }
 
 func (s *linkSnapSuite) TestDoLinkSnapTryToCleanupOnError(c *C) {
@@ -295,8 +322,8 @@
 	s.state.NewChange("dummy", "...").AddTask(t)
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 
@@ -313,11 +340,11 @@
 		},
 		{
 			op:   "link-snap.failed",
-			name: filepath.Join(dirs.SnapMountDir, "foo/35"),
+			path: filepath.Join(dirs.SnapMountDir, "foo/35"),
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "foo/35"),
+			path: filepath.Join(dirs.SnapMountDir, "foo/35"),
 		},
 	})
 }
@@ -339,8 +366,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -359,6 +386,117 @@
 	c.Check(t.Log()[0], Matches, `.*INFO Requested daemon restart\.`)
 }
 
+func (s *linkSnapSuite) TestDoLinkSnapSuccessSnapdRestartsOnCoreWithBase(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	snapstate.SetModelWithBase("core18")
+
+	s.state.Lock()
+	si := &snap.SideInfo{
+		RealName: "snapd",
+		Revision: snap.R(22),
+	}
+	t := s.state.NewTask("link-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si,
+	})
+	s.state.NewChange("dummy", "...").AddTask(t)
+
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	var snapst snapstate.SnapState
+	err := snapstate.Get(s.state, "snapd", &snapst)
+	c.Assert(err, IsNil)
+
+	typ, err := snapst.Type()
+	c.Check(err, IsNil)
+	c.Check(typ, Equals, snap.TypeApp)
+
+	c.Check(t.Status(), Equals, state.DoneStatus)
+	c.Check(s.stateBackend.restartRequested, DeepEquals, []state.RestartType{state.RestartDaemon})
+	c.Check(t.Log(), HasLen, 1)
+	c.Check(t.Log()[0], Matches, `.*INFO Requested daemon restart \(snapd snap\)\.`)
+}
+
+func (s *linkSnapSuite) TestDoLinkSnapSuccessSnapdNoRestartWithoutBase(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	s.state.Lock()
+	si := &snap.SideInfo{
+		RealName: "snapd",
+		Revision: snap.R(22),
+	}
+	t := s.state.NewTask("link-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si,
+	})
+	s.state.NewChange("dummy", "...").AddTask(t)
+
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	var snapst snapstate.SnapState
+	err := snapstate.Get(s.state, "snapd", &snapst)
+	c.Assert(err, IsNil)
+
+	typ, err := snapst.Type()
+	c.Check(err, IsNil)
+	c.Check(typ, Equals, snap.TypeApp)
+
+	c.Check(t.Status(), Equals, state.DoneStatus)
+	c.Check(s.stateBackend.restartRequested, IsNil)
+	c.Check(t.Log(), HasLen, 0)
+}
+
+func (s *linkSnapSuite) TestDoLinkSnapSuccessSnapdNoRestartOnClassic(c *C) {
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	s.state.Lock()
+	si := &snap.SideInfo{
+		RealName: "snapd",
+		Revision: snap.R(22),
+	}
+	t := s.state.NewTask("link-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si,
+	})
+	s.state.NewChange("dummy", "...").AddTask(t)
+
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	var snapst snapstate.SnapState
+	err := snapstate.Get(s.state, "snapd", &snapst)
+	c.Assert(err, IsNil)
+
+	typ, err := snapst.Type()
+	c.Check(err, IsNil)
+	c.Check(typ, Equals, snap.TypeApp)
+
+	c.Check(t.Status(), Equals, state.DoneStatus)
+	c.Check(s.stateBackend.restartRequested, IsNil)
+	c.Check(t.Log(), HasLen, 0)
+}
+
 func (s *linkSnapSuite) TestDoUndoLinkSnapSequenceDidNotHaveCandidate(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -389,8 +527,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 6; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -433,8 +571,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 6; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -481,8 +619,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -525,8 +663,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -576,8 +714,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 10; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -597,10 +735,10 @@
 	t = chg.Tasks()[4]
 	c.Assert(t.Kind(), Equals, "auto-connect")
 	c.Assert(t.Get("snap-setup", &autoconnectSup), IsNil)
-	c.Assert(autoconnectSup.Name(), Equals, "snap1")
+	c.Assert(autoconnectSup.InstanceName(), Equals, "snap1")
 
 	t = chg.Tasks()[5]
 	c.Assert(t.Kind(), Equals, "auto-connect")
 	c.Assert(t.Get("snap-setup", &autoconnectSup), IsNil)
-	c.Assert(autoconnectSup.Name(), Equals, "snap2")
+	c.Assert(autoconnectSup.InstanceName(), Equals, "snap2")
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers_mount_test.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers_mount_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers_mount_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers_mount_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,53 +21,23 @@
 
 import (
 	"path/filepath"
+	"time"
 
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord/snapstate"
-	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 )
 
 type mountSnapSuite struct {
-	state   *state.State
-	snapmgr *snapstate.SnapManager
-
-	fakeBackend *fakeSnappyBackend
-
-	reset func()
+	baseHandlerSuite
 }
 
 var _ = Suite(&mountSnapSuite{})
 
-func (s *mountSnapSuite) SetUpTest(c *C) {
-	oldDir := dirs.GlobalRootDir
-	dirs.SetRootDir(c.MkDir())
-
-	s.fakeBackend = &fakeSnappyBackend{}
-	s.state = state.New(nil)
-
-	var err error
-	s.snapmgr, err = snapstate.Manager(s.state)
-	c.Assert(err, IsNil)
-	s.snapmgr.AddForeignTaskHandlers(s.fakeBackend)
-
-	snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
-
-	reset1 := snapstate.MockReadInfo(s.fakeBackend.ReadInfo)
-	s.reset = func() {
-		reset1()
-		dirs.SetRootDir(oldDir)
-	}
-}
-
-func (s *mountSnapSuite) TearDownTest(c *C) {
-	s.reset()
-}
-
 func (s *mountSnapSuite) TestDoMountSnapDoesNotRemovesSnaps(c *C) {
 	v1 := "name: mock\nversion: 1.0\n"
 	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
@@ -87,14 +57,14 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	c.Assert(osutil.FileExists(testSnap), Equals, true)
 }
 
 func (s *mountSnapSuite) TestDoUndoMountSnap(c *C) {
-	v1 := "name: core\nversion: 1.0\n"
+	v1 := "name: core\nversion: 1.0\nepoch: 1\n"
 	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
 
 	s.state.Lock()
@@ -128,8 +98,8 @@
 	s.state.Unlock()
 
 	for i := 0; i < 3; i++ {
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 	}
 
 	s.state.Lock()
@@ -142,14 +112,381 @@
 		},
 		{
 			op:    "setup-snap",
-			name:  testSnap,
+			name:  "core",
+			path:  testSnap,
 			revno: snap.R(2),
 		},
 		{
 			op:    "undo-setup-snap",
-			name:  filepath.Join(dirs.SnapMountDir, "core/2"),
+			name:  "core",
+			path:  filepath.Join(dirs.SnapMountDir, "core/2"),
 			stype: "os",
 		},
+		{
+			op:   "remove-snap-dir",
+			name: "core",
+			path: filepath.Join(dirs.SnapMountDir, "core"),
+		},
+	})
+
+}
+
+func (s *mountSnapSuite) TestDoMountSnapErrorReadInfo(c *C) {
+	v1 := "name: borken\nversion: 1.0\nepoch: 1\n"
+	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	si1 := &snap.SideInfo{
+		RealName: "borken",
+		Revision: snap.R(1),
+	}
+	si2 := &snap.SideInfo{
+		RealName: "borken",
+		Revision: snap.R(2),
+	}
+	snapstate.Set(s.state, "borken", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{si1},
+		Current:  si1.Revision,
+		SnapType: "app",
+	})
+
+	t := s.state.NewTask("mount-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si2,
+		SnapPath: testSnap,
+	})
+	chg := s.state.NewChange("dummy", "...")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+
+	s.state.Lock()
+
+	c.Check(chg.Err(), ErrorMatches, `(?s).*cannot read info for "borken" snap.*`)
+
+	c.Check(s.fakeBackend.ops, DeepEquals, fakeOps{
+		{
+			op:  "current",
+			old: filepath.Join(dirs.SnapMountDir, "borken/1"),
+		},
+		{
+			op:    "setup-snap",
+			name:  "borken",
+			path:  testSnap,
+			revno: snap.R(2),
+		},
+		{
+			op:    "undo-setup-snap",
+			name:  "borken",
+			path:  filepath.Join(dirs.SnapMountDir, "borken/2"),
+			stype: "app",
+		},
+		{
+			op:   "remove-snap-dir",
+			name: "borken",
+			path: filepath.Join(dirs.SnapMountDir, "borken"),
+		},
+	})
+}
+
+func (s *mountSnapSuite) TestDoMountSnapEpochError(c *C) {
+	v1 := "name: some-snap\nversion: 1.0\nepoch: 13\n"
+	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	si1 := &snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(1),
+	}
+	si2 := &snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(2),
+	}
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{si1},
+		Current:  si1.Revision,
+		SnapType: "app",
+	})
+
+	t := s.state.NewTask("mount-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si2,
+		SnapPath: testSnap,
+	})
+	chg := s.state.NewChange("dummy", "...")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+
+	s.state.Lock()
+
+	c.Check(chg.Err(), ErrorMatches, `(?s).* new revision 2 with epoch .* can't read the current epoch of [^ ]*`)
+	c.Check(s.fakeBackend.ops, DeepEquals, fakeOps{
+		{
+			op:  "current",
+			old: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+		},
 	})
+}
+
+func (s *mountSnapSuite) TestDoMountSnapErrorSetupSnap(c *C) {
+	v1 := "name: borken\nversion: 1.0\n"
+	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	si := &snap.SideInfo{
+		RealName: "borken-in-setup",
+		Revision: snap.R(2),
+	}
+
+	t := s.state.NewTask("mount-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si,
+		SnapPath: testSnap,
+	})
+	chg := s.state.NewChange("dummy", "...")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+
+	s.state.Lock()
+
+	c.Check(chg.Err(), ErrorMatches, `(?s).*cannot install snap "borken-in-setup".*`)
+
+	c.Check(s.fakeBackend.ops, DeepEquals, fakeOps{
+		{
+			op:  "current",
+			old: "<no-current>",
+		},
+		{
+			op:    "setup-snap",
+			name:  "borken-in-setup",
+			path:  testSnap,
+			revno: snap.R(2),
+		},
+		{
+			op:   "remove-snap-dir",
+			name: "borken-in-setup",
+			path: filepath.Join(dirs.SnapMountDir, "borken-in-setup"),
+		},
+	})
+}
+
+func (s *mountSnapSuite) TestDoMountSnapUndoError(c *C) {
+	v1 := "name: borken-undo-setup\nversion: 1.0\nepoch: 1\n"
+	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
 
+	s.state.Lock()
+	defer s.state.Unlock()
+	si1 := &snap.SideInfo{
+		RealName: "borken-undo-setup",
+		Revision: snap.R(1),
+	}
+	si2 := &snap.SideInfo{
+		RealName: "borken-undo-setup",
+		Revision: snap.R(2),
+	}
+	snapstate.Set(s.state, "borken-undo-setup", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{si1},
+		Current:  si1.Revision,
+		SnapType: "app",
+	})
+
+	t := s.state.NewTask("mount-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si2,
+		SnapPath: testSnap,
+	})
+	chg := s.state.NewChange("dummy", "...")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+
+	s.state.Lock()
+
+	c.Check(chg.Err(), ErrorMatches, `(?s).*cannot undo partial setup snap "borken-undo-setup": cannot undo setup of "borken-undo-setup" snap.*cannot read info for "borken-undo-setup" snap.*`)
+
+	c.Check(s.fakeBackend.ops, DeepEquals, fakeOps{
+		{
+			op:  "current",
+			old: filepath.Join(dirs.SnapMountDir, "borken-undo-setup/1"),
+		},
+		{
+			op:    "setup-snap",
+			name:  "borken-undo-setup",
+			path:  testSnap,
+			revno: snap.R(2),
+		},
+		{
+			op:    "undo-setup-snap",
+			name:  "borken-undo-setup",
+			path:  filepath.Join(dirs.SnapMountDir, "borken-undo-setup/2"),
+			stype: "app",
+		},
+		{
+			op:   "remove-snap-dir",
+			name: "borken-undo-setup",
+			path: filepath.Join(dirs.SnapMountDir, "borken-undo-setup"),
+		},
+	})
+}
+
+func (s *mountSnapSuite) TestDoMountSnapErrorNotFound(c *C) {
+	r := snapstate.MockMountPollInterval(10 * time.Millisecond)
+	defer r()
+
+	v1 := "name: not-there\nversion: 1.0\nepoch: 1\n"
+	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	si1 := &snap.SideInfo{
+		RealName: "not-there",
+		Revision: snap.R(1),
+	}
+	si2 := &snap.SideInfo{
+		RealName: "not-there",
+		Revision: snap.R(2),
+	}
+	snapstate.Set(s.state, "not-there", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{si1},
+		Current:  si1.Revision,
+		SnapType: "app",
+	})
+
+	t := s.state.NewTask("mount-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si2,
+		SnapPath: testSnap,
+	})
+	chg := s.state.NewChange("dummy", "...")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+
+	s.state.Lock()
+
+	c.Check(chg.Err(), ErrorMatches, `(?s).*cannot proceed, expected snap "not-there" revision 2 to be mounted but is not.*`)
+
+	c.Check(s.fakeBackend.ops, DeepEquals, fakeOps{
+		{
+			op:  "current",
+			old: filepath.Join(dirs.SnapMountDir, "not-there/1"),
+		},
+		{
+			op:    "setup-snap",
+			name:  "not-there",
+			path:  testSnap,
+			revno: snap.R(2),
+		},
+		{
+			op:    "undo-setup-snap",
+			name:  "not-there",
+			path:  filepath.Join(dirs.SnapMountDir, "not-there/2"),
+			stype: "app",
+		},
+		{
+			op:   "remove-snap-dir",
+			name: "not-there",
+			path: filepath.Join(dirs.SnapMountDir, "not-there"),
+		},
+	})
+}
+
+func (s *mountSnapSuite) TestDoMountNotMountedRetryRetry(c *C) {
+	r := snapstate.MockMountPollInterval(10 * time.Millisecond)
+	defer r()
+	n := 0
+	slowMountedReadInfo := func(name string, si *snap.SideInfo) (*snap.Info, error) {
+		n++
+		if n < 3 {
+			return nil, &snap.NotFoundError{Snap: "not-there", Revision: si.Revision}
+		}
+		return &snap.Info{
+			SideInfo: *si,
+		}, nil
+	}
+
+	r1 := snapstate.MockSnapReadInfo(slowMountedReadInfo)
+	defer r1()
+
+	v1 := "name: not-there\nversion: 1.0\n"
+	testSnap := snaptest.MakeTestSnapWithFiles(c, v1, nil)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+	si1 := &snap.SideInfo{
+		RealName: "not-there",
+		Revision: snap.R(1),
+	}
+	si2 := &snap.SideInfo{
+		RealName: "not-there",
+		Revision: snap.R(2),
+	}
+	snapstate.Set(s.state, "not-there", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{si1},
+		Current:  si1.Revision,
+		SnapType: "app",
+	})
+
+	t := s.state.NewTask("mount-snap", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: si2,
+		SnapPath: testSnap,
+	})
+	chg := s.state.NewChange("dummy", "...")
+	chg.AddTask(t)
+
+	s.state.Unlock()
+
+	for i := 0; i < 3; i++ {
+		s.se.Ensure()
+		s.se.Wait()
+	}
+
+	s.state.Lock()
+
+	c.Check(chg.IsReady(), Equals, true)
+	c.Check(chg.Err(), IsNil)
+
+	c.Check(s.fakeBackend.ops, DeepEquals, fakeOps{
+		{
+			op:  "current",
+			old: filepath.Join(dirs.SnapMountDir, "not-there/1"),
+		},
+		{
+			op:    "setup-snap",
+			name:  "not-there",
+			path:  testSnap,
+			revno: snap.R(2),
+		},
+	})
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers_prepare_test.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers_prepare_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers_prepare_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers_prepare_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,13 +23,16 @@
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/overlord"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
 )
 
-type prepareSnapSuite struct {
+type baseHandlerSuite struct {
 	state   *state.State
+	runner  *state.TaskRunner
+	se      *overlord.StateEngine
 	snapmgr *snapstate.SnapManager
 
 	fakeBackend *fakeSnappyBackend
@@ -37,32 +40,46 @@
 	reset func()
 }
 
-var _ = Suite(&prepareSnapSuite{})
-
-func (s *prepareSnapSuite) SetUpTest(c *C) {
+func (s *baseHandlerSuite) setup(c *C, b state.Backend) {
 	dirs.SetRootDir(c.MkDir())
 
 	s.fakeBackend = &fakeSnappyBackend{}
-	s.state = state.New(nil)
+	s.state = state.New(b)
+	s.runner = state.NewTaskRunner(s.state)
 
 	var err error
-	s.snapmgr, err = snapstate.Manager(s.state)
+	s.snapmgr, err = snapstate.Manager(s.state, s.runner)
 	c.Assert(err, IsNil)
-	s.snapmgr.AddForeignTaskHandlers(s.fakeBackend)
+
+	s.se = overlord.NewStateEngine(s.state)
+	s.se.AddManager(s.snapmgr)
+	s.se.AddManager(s.runner)
+
+	AddForeignTaskHandlers(s.runner, s.fakeBackend)
 
 	snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
 
-	reset1 := snapstate.MockReadInfo(s.fakeBackend.ReadInfo)
+	reset1 := snapstate.MockSnapReadInfo(s.fakeBackend.ReadInfo)
 	s.reset = func() {
 		dirs.SetRootDir("/")
 		reset1()
 	}
 }
 
-func (s *prepareSnapSuite) TearDownTest(c *C) {
+func (s *baseHandlerSuite) SetUpTest(c *C) {
+	s.setup(c, nil)
+}
+
+func (s *baseHandlerSuite) TearDownTest(c *C) {
 	s.reset()
 }
 
+type prepareSnapSuite struct {
+	baseHandlerSuite
+}
+
+var _ = Suite(&prepareSnapSuite{})
+
 func (s *prepareSnapSuite) TestDoPrepareSnapSimple(c *C) {
 	s.state.Lock()
 	t := s.state.NewTask("prepare-snap", "test")
@@ -75,8 +92,8 @@
 
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/handlers_prereq_test.go snapd-2.37~rc1~14.04/overlord/snapstate/handlers_prereq_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/handlers_prereq_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/handlers_prereq_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,53 +20,46 @@
 package snapstate_test
 
 import (
+	"fmt"
+	"os"
 	"time"
 
 	. "gopkg.in/check.v1"
 	"gopkg.in/tomb.v2"
 
-	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/store"
 )
 
 type prereqSuite struct {
-	state     *state.State
-	snapmgr   *snapstate.SnapManager
-	fakeStore *fakeStore
-
-	fakeBackend *fakeSnappyBackend
+	baseHandlerSuite
 
-	reset func()
+	fakeStore *fakeStore
 }
 
 var _ = Suite(&prereqSuite{})
 
 func (s *prereqSuite) SetUpTest(c *C) {
-	dirs.SetRootDir(c.MkDir())
-	s.fakeBackend = &fakeSnappyBackend{}
-	s.state = state.New(nil)
-	s.state.Lock()
-	defer s.state.Unlock()
+	s.setup(c, nil)
 
 	s.fakeStore = &fakeStore{
 		state:       s.state,
 		fakeBackend: s.fakeBackend,
 	}
+	s.state.Lock()
+	defer s.state.Unlock()
 	snapstate.ReplaceStore(s.state, s.fakeStore)
 
-	var err error
-	s.snapmgr, err = snapstate.Manager(s.state)
-	c.Assert(err, IsNil)
-	s.snapmgr.AddForeignTaskHandlers(s.fakeBackend)
-	snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
-
-	s.reset = snapstate.MockReadInfo(s.fakeBackend.ReadInfo)
+	s.state.Set("seeded", true)
+	s.state.Set("refresh-privacy-key", "privacy-key")
+	snapstate.SetDefaultModel()
 }
 
 func (s *prereqSuite) TearDownTest(c *C) {
 	s.reset()
+	snapstate.Model = nil
 }
 
 func (s *prereqSuite) TestDoPrereqNothingToDo(c *C) {
@@ -91,8 +84,8 @@
 	s.state.NewChange("dummy", "...").AddTask(t)
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -116,25 +109,46 @@
 	chg.AddTask(t)
 	s.state.Unlock()
 
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	s.state.Lock()
 	defer s.state.Unlock()
 	c.Assert(s.fakeBackend.ops, DeepEquals, fakeOps{
 		{
-			op:    "storesvc-snap",
-			name:  "prereq1",
+			op: "storesvc-snap-action",
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "prereq1",
+				Channel:      "stable",
+			},
 			revno: snap.R(11),
 		},
 		{
-			op:    "storesvc-snap",
-			name:  "prereq2",
+			op: "storesvc-snap-action",
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "prereq2",
+				Channel:      "stable",
+			},
 			revno: snap.R(11),
 		},
 		{
-			op:    "storesvc-snap",
-			name:  "some-base",
+			op: "storesvc-snap-action",
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-base",
+				Channel:      "stable",
+			},
 			revno: snap.R(11),
 		},
 	})
@@ -147,7 +161,7 @@
 		if t.Kind() == "link-snap" {
 			snapsup, err := snapstate.TaskSnapSetup(t)
 			c.Assert(err, IsNil)
-			linkedSnaps = append(linkedSnaps, snapsup.Name())
+			linkedSnaps = append(linkedSnaps, snapsup.InstanceName())
 		}
 	}
 	c.Check(linkedSnaps, DeepEquals, expectedLinkedSnaps)
@@ -158,7 +172,7 @@
 	defer restore()
 
 	calls := 0
-	s.snapmgr.AddAdhocTaskHandler("link-snap",
+	s.runner.AddHandler("link-snap",
 		func(task *state.Task, _ *tomb.Tomb) error {
 			if calls == 0 {
 				// retry again later, this forces ordering of
@@ -174,10 +188,10 @@
 			defer st.Unlock()
 			snapsup, _ := snapstate.TaskSnapSetup(task)
 			var snapst snapstate.SnapState
-			snapstate.Get(st, snapsup.Name(), &snapst)
+			snapstate.Get(st, snapsup.InstanceName(), &snapst)
 			snapst.Current = snapsup.Revision()
 			snapst.Sequence = append(snapst.Sequence, snapsup.SideInfo)
-			snapstate.Set(st, snapsup.Name(), &snapst)
+			snapstate.Set(st, snapsup.InstanceName(), &snapst)
 			return nil
 		},
 		func(*state.Task, *tomb.Tomb) error {
@@ -212,8 +226,8 @@
 	for i := 0; i < 10; i++ {
 		time.Sleep(1 * time.Millisecond)
 		s.state.Unlock()
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.se.Ensure()
+		s.se.Wait()
 		s.state.Lock()
 		if tCore.Status() == state.DoneStatus {
 			break
@@ -224,15 +238,134 @@
 	c.Check(t.Status(), Equals, state.DoingStatus)
 	c.Check(tCore.Status(), Equals, state.DoneStatus)
 
-	s.state.Unlock()
-	// wait the prereq-retry-timeout
-	for i := 0; i < 10; i++ {
+	// wait, we will hit prereq-retry-timeout eventually
+	// (this can take a while on very slow machines)
+	for i := 0; i < 50; i++ {
 		time.Sleep(10 * time.Millisecond)
-		s.snapmgr.Ensure()
-		s.snapmgr.Wait()
+		s.state.Unlock()
+		s.se.Ensure()
+		s.se.Wait()
+		s.state.Lock()
+		if t.Status() == state.DoneStatus {
+			break
+		}
 	}
+	c.Check(t.Status(), Equals, state.DoneStatus)
+}
+
+func (s *prereqSuite) TestDoPrereqChannelEnvvars(c *C) {
+	os.Setenv("SNAPD_BASES_CHANNEL", "edge")
+	defer os.Unsetenv("SNAPD_BASES_CHANNEL")
+	os.Setenv("SNAPD_PREREQS_CHANNEL", "candidate")
+	defer os.Unsetenv("SNAPD_PREREQS_CHANNEL")
+	s.state.Lock()
+	t := s.state.NewTask("prerequisites", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "foo",
+			Revision: snap.R(33),
+		},
+		Channel: "beta",
+		Base:    "some-base",
+		Prereq:  []string{"prereq1", "prereq2"},
+	})
+	chg := s.state.NewChange("dummy", "...")
+	chg.AddTask(t)
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
 	s.state.Lock()
 	defer s.state.Unlock()
+	c.Assert(s.fakeBackend.ops, DeepEquals, fakeOps{
+		{
+			op: "storesvc-snap-action",
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "prereq1",
+				Channel:      "candidate",
+			},
+			revno: snap.R(11),
+		},
+		{
+			op: "storesvc-snap-action",
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "prereq2",
+				Channel:      "candidate",
+			},
+			revno: snap.R(11),
+		},
+		{
+			op: "storesvc-snap-action",
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-base",
+				Channel:      "edge",
+			},
+			revno: snap.R(11),
+		},
+	})
+	c.Check(t.Status(), Equals, state.DoneStatus)
+}
+
+func (s *prereqSuite) TestDoPrereqNothingToDoForBase(c *C) {
+	for _, typ := range []snap.Type{
+		snap.TypeOS,
+		snap.TypeGadget,
+		snap.TypeKernel,
+		snap.TypeBase,
+	} {
 
+		s.state.Lock()
+		t := s.state.NewTask("prerequisites", "test")
+		t.Set("snap-setup", &snapstate.SnapSetup{
+			SideInfo: &snap.SideInfo{
+				RealName: fmt.Sprintf("foo-%s", typ),
+				Revision: snap.R(1),
+			},
+			Type: typ,
+		})
+		s.state.NewChange("dummy", "...").AddTask(t)
+		s.state.Unlock()
+
+		s.se.Ensure()
+		s.se.Wait()
+
+		s.state.Lock()
+		c.Assert(s.fakeBackend.ops, HasLen, 0)
+		c.Check(t.Status(), Equals, state.DoneStatus)
+		s.state.Unlock()
+	}
+}
+
+func (s *prereqSuite) TestDoPrereqNothingToDoForSnapdSnap(c *C) {
+	s.state.Lock()
+	t := s.state.NewTask("prerequisites", "test")
+	t.Set("snap-setup", &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "snapd",
+			Revision: snap.R(1),
+		},
+	})
+	s.state.NewChange("dummy", "...").AddTask(t)
+	s.state.Unlock()
+
+	s.se.Ensure()
+	s.se.Wait()
+
+	s.state.Lock()
+	c.Assert(s.fakeBackend.ops, HasLen, 0)
 	c.Check(t.Status(), Equals, state.DoneStatus)
+	s.state.Unlock()
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/refreshhints.go snapd-2.37~rc1~14.04/overlord/snapstate/refreshhints.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/refreshhints.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/refreshhints.go	2019-01-16 08:36:51.000000000 +0000
@@ -64,7 +64,7 @@
 
 func (r *refreshHints) refresh() error {
 	var refreshManaged bool
-	refreshManaged = refreshScheduleManaged(r.state)
+	refreshManaged, _ = refreshScheduleManaged(r.state)
 
 	_, _, _, err := refreshCandidates(auth.EnsureContextTODO(), r.state, nil, nil, &store.RefreshOptions{RefreshManaged: refreshManaged})
 	// TODO: we currently set last-refresh-hints even when there was an
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/refreshhints_test.go snapd-2.37~rc1~14.04/overlord/snapstate/refreshhints_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/refreshhints_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/refreshhints_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2017 Canonical Ltd
+ * Copyright (C) 2017-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -41,10 +41,18 @@
 	ops []string
 }
 
-func (r *recordingStore) ListRefresh(ctx context.Context, cands []*store.RefreshCandidate, _ *auth.UserState, flags *store.RefreshOptions) ([]*snap.Info, error) {
+func (r *recordingStore) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
 	if ctx == nil || !auth.IsEnsureContext(ctx) {
 		panic("Ensure marked context required")
 	}
+	if len(currentSnaps) != len(actions) || len(currentSnaps) == 0 {
+		panic("expected in test one action for each current snaps, and at least one snap")
+	}
+	for _, a := range actions {
+		if a.Action != "refresh" {
+			panic("expected refresh actions")
+		}
+	}
 	r.ops = append(r.ops, "list-refresh")
 	return nil, nil
 }
@@ -79,6 +87,8 @@
 	snapstate.AutoAliases = func(*state.State, *snap.Info) (map[string]string, error) {
 		return nil, nil
 	}
+
+	s.state.Set("refresh-privacy-key", "privacy-key")
 }
 
 func (s *refreshHintsTestSuite) TearDownTest(c *C) {
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/snapmgr.go snapd-2.37~rc1~14.04/overlord/snapstate/snapmgr.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/snapmgr.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/snapmgr.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,7 +22,9 @@
 import (
 	"errors"
 	"fmt"
+	"io"
 	"os"
+	"strings"
 	"time"
 
 	"gopkg.in/tomb.v2"
@@ -31,11 +33,13 @@
 	"github.com/snapcore/snapd/errtracker"
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord/snapstate/backend"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/store"
+	"github.com/snapcore/snapd/strutil"
 )
 
 // overridden in the tests
@@ -51,16 +55,19 @@
 	catalogRefresh *catalogRefresh
 
 	lastUbuntuCoreTransitionAttempt time.Time
-
-	runner *state.TaskRunner
 }
 
 // SnapSetup holds the necessary snap details to perform most snap manager tasks.
 type SnapSetup struct {
 	// FIXME: rename to RequestedChannel to convey the meaning better
-	Channel string `json:"channel,omitempty"`
-	UserID  int    `json:"user-id,omitempty"`
-	Base    string `json:"base,omitempty"`
+	Channel string    `json:"channel,omitempty"`
+	UserID  int       `json:"user-id,omitempty"`
+	Base    string    `json:"base,omitempty"`
+	Type    snap.Type `json:"type,omitempty"`
+	// PlugsOnly indicates whether the relevant revisions for the
+	// operation have only plugs (#plugs >= 0), and absolutely no
+	// slots (#slots == 0).
+	PlugsOnly bool `json:"plugs-only,omitempty"`
 
 	// FIXME: implement rename of this as suggested in
 	//  https://github.com/snapcore/snapd/pull/4103#discussion_r169569717
@@ -76,9 +83,17 @@
 
 	DownloadInfo *snap.DownloadInfo `json:"download-info,omitempty"`
 	SideInfo     *snap.SideInfo     `json:"side-info,omitempty"`
+
+	// InstanceKey is set by the user during installation and differs for
+	// each instance of given snap
+	InstanceKey string `json:"instance-key,omitempty"`
+}
+
+func (snapsup *SnapSetup) InstanceName() string {
+	return snap.InstanceName(snapsup.SnapName(), snapsup.InstanceKey)
 }
 
-func (snapsup *SnapSetup) Name() string {
+func (snapsup *SnapSetup) SnapName() string {
 	if snapsup.SideInfo.RealName == "" {
 		panic("SnapSetup.SideInfo.RealName not set")
 	}
@@ -90,15 +105,15 @@
 }
 
 func (snapsup *SnapSetup) placeInfo() snap.PlaceInfo {
-	return snap.MinimalPlaceInfo(snapsup.Name(), snapsup.Revision())
+	return snap.MinimalPlaceInfo(snapsup.InstanceName(), snapsup.Revision())
 }
 
 func (snapsup *SnapSetup) MountDir() string {
-	return snap.MountDir(snapsup.Name(), snapsup.Revision())
+	return snap.MountDir(snapsup.InstanceName(), snapsup.Revision())
 }
 
 func (snapsup *SnapSetup) MountFile() string {
-	return snap.MountFile(snapsup.Name(), snapsup.Revision())
+	return snap.MountFile(snapsup.InstanceName(), snapsup.Revision())
 }
 
 // SnapState holds the state for a snap installed in the system.
@@ -119,6 +134,10 @@
 
 	// UserID of the user requesting the install
 	UserID int `json:"user-id,omitempty"`
+
+	// InstanceKey is set by the user during installation and differs for
+	// each instance of given snap
+	InstanceKey string `json:"instance-key,omitempty"`
 }
 
 // Type returns the type of the snap or an error.
@@ -212,18 +231,27 @@
 var ErrNoCurrent = errors.New("snap has no current revision")
 
 // Retrieval functions
-var readInfo = readInfoAnyway
 
-func readInfoAnyway(name string, si *snap.SideInfo) (*snap.Info, error) {
-	info, err := snap.ReadInfo(name, si)
+const (
+	errorOnBroken = 1 << iota
+)
+
+var snapReadInfo = snap.ReadInfo
+
+func readInfo(name string, si *snap.SideInfo, flags int) (*snap.Info, error) {
+	info, err := snapReadInfo(name, si)
+	if err != nil && flags&errorOnBroken != 0 {
+		return nil, err
+	}
 	if err != nil {
 		logger.Noticef("cannot read snap info of snap %q at revision %s: %s", name, si.Revision, err)
 	}
-	if _, ok := err.(*snap.NotFoundError); ok {
-		reason := fmt.Sprintf("cannot read snap %q: %s", name, err)
+	if bse, ok := err.(snap.BrokenSnapError); ok {
+		_, instanceKey := snap.SplitInstanceName(name)
 		info := &snap.Info{
 			SuggestedName: name,
-			Broken:        reason,
+			Broken:        bse.Broken(),
+			InstanceKey:   instanceKey,
 		}
 		info.Apps = snap.GuessAppsForBroken(info)
 		if si != nil {
@@ -234,13 +262,26 @@
 	return info, err
 }
 
+var revisionDate = revisionDateImpl
+
+// revisionDate returns a good approximation of when a revision reached the system.
+func revisionDateImpl(info *snap.Info) time.Time {
+	fi, err := os.Lstat(info.MountFile())
+	if err != nil {
+		return time.Time{}
+	}
+	return fi.ModTime()
+}
+
 // CurrentInfo returns the information about the current active revision or the last active revision (if the snap is inactive). It returns the ErrNoCurrent error if snapst.Current is unset.
 func (snapst *SnapState) CurrentInfo() (*snap.Info, error) {
 	cur := snapst.CurrentSideInfo()
 	if cur == nil {
 		return nil, ErrNoCurrent
 	}
-	return readInfo(cur.RealName, cur)
+
+	name := snap.InstanceName(cur.RealName, snapst.InstanceKey)
+	return readInfo(name, cur, 0)
 }
 
 func revisionInSequence(snapst *SnapState, needle snap.Revision) bool {
@@ -279,13 +320,10 @@
 }
 
 // Manager returns a new snap manager.
-func Manager(st *state.State) (*SnapManager, error) {
-	runner := state.NewTaskRunner(st)
-
+func Manager(st *state.State, runner *state.TaskRunner) (*SnapManager, error) {
 	m := &SnapManager{
 		state:          st,
 		backend:        backend.Backend{},
-		runner:         runner,
 		autoRefresh:    newAutoRefresh(st),
 		refreshHints:   newRefreshHints(st),
 		catalogRefresh: newCatalogRefresh(st),
@@ -295,6 +333,10 @@
 		return nil, fmt.Errorf("cannot create directory %q: %v", dirs.SnapCookieDir, err)
 	}
 
+	if err := genRefreshRequestSalt(st); err != nil {
+		return nil, fmt.Errorf("cannot generate request salt: %v", err)
+	}
+
 	// this handler does nothing
 	runner.AddHandler("nop", func(t *state.Task, _ *tomb.Tomb) error {
 		return nil
@@ -343,13 +385,40 @@
 	runner.AddHandler("switch-snap", m.doSwitchSnap, nil)
 
 	// control serialisation
-	runner.SetBlocked(m.blockedTask)
+	runner.AddBlocked(m.blockedTask)
 
 	writeSnapReadme()
 
 	return m, nil
 }
 
+func (m *SnapManager) CanStandby() bool {
+	if n, err := NumSnaps(m.state); err == nil && n == 0 {
+		return true
+	}
+	return false
+}
+
+func genRefreshRequestSalt(st *state.State) error {
+	var refreshPrivacyKey string
+
+	st.Lock()
+	defer st.Unlock()
+
+	if err := st.Get("refresh-privacy-key", &refreshPrivacyKey); err != nil && err != state.ErrNoState {
+		return err
+	}
+	if refreshPrivacyKey != "" {
+		// nothing to do
+		return nil
+	}
+
+	refreshPrivacyKey = strutil.MakeRandomString(16)
+	st.Set("refresh-privacy-key", refreshPrivacyKey)
+
+	return nil
+}
+
 func (m *SnapManager) blockedTask(cand *state.Task, running []*state.Task) bool {
 	// Serialize "prerequisites", the state lock is not enough as
 	// Install() inside doPrerequisites() will unlock to talk to
@@ -481,7 +550,7 @@
 		return err
 	}
 
-	msg := fmt.Sprintf(i18n.G("Transition ubuntu-core to core"))
+	msg := i18n.G("Transition ubuntu-core to core")
 	chg := m.state.NewChange("transition-ubuntu-core", msg)
 	for _, ts := range tss {
 		chg.AddAll(ts)
@@ -509,6 +578,62 @@
 	return nil
 }
 
+var (
+	localInstallCleanupWait = time.Duration(24 * time.Hour)
+	localInstallLastCleanup time.Time
+)
+
+// localInstallCleanup removes files that might've been left behind by an
+// old aborted local install.
+//
+// They're usually cleaned up, but if they're created and then snapd
+// stops before writing the change to disk (killed, light cut, etc)
+// it'll be left behind.
+//
+// The code that creates the files is in daemon/api.go's postSnaps
+func (m *SnapManager) localInstallCleanup() error {
+	m.state.Lock()
+	defer m.state.Unlock()
+
+	now := time.Now()
+	cutoff := now.Add(-localInstallCleanupWait)
+	if localInstallLastCleanup.After(cutoff) {
+		return nil
+	}
+	localInstallLastCleanup = now
+
+	d, err := os.Open(dirs.SnapBlobDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+	defer d.Close()
+
+	var filenames []string
+	var fis []os.FileInfo
+	for err == nil {
+		// TODO: if we had fstatat we could avoid a bunch of stats
+		fis, err = d.Readdir(100)
+		// fis is nil if err isn't
+		for _, fi := range fis {
+			name := fi.Name()
+			if !strings.HasPrefix(name, dirs.LocalInstallBlobTempPrefix) {
+				continue
+			}
+			if fi.ModTime().After(cutoff) {
+				continue
+			}
+			filenames = append(filenames, name)
+		}
+	}
+	if err != io.EOF {
+		return err
+	}
+	return osutil.UnlinkManyAt(d, filenames)
+}
+
 // Ensure implements StateManager.Ensure.
 func (m *SnapManager) Ensure() error {
 	// do not exit right away on error
@@ -522,10 +647,9 @@
 		m.autoRefresh.Ensure(),
 		m.refreshHints.Ensure(),
 		m.catalogRefresh.Ensure(),
+		m.localInstallCleanup(),
 	}
 
-	m.runner.Ensure()
-
 	//FIXME: use firstErr helper
 	for _, e := range errs {
 		if e != nil {
@@ -535,17 +659,3 @@
 
 	return nil
 }
-
-func (m *SnapManager) KnownTaskKinds() []string {
-	return m.runner.KnownTaskKinds()
-}
-
-// Wait implements StateManager.Wait.
-func (m *SnapManager) Wait() {
-	m.runner.Wait()
-}
-
-// Stop implements StateManager.Stop.
-func (m *SnapManager) Stop() {
-	m.runner.Stop()
-}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/snapstate.go snapd-2.37~rc1~14.04/overlord/snapstate/snapstate.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/snapstate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/snapstate.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -23,13 +23,17 @@
 import (
 	"encoding/json"
 	"fmt"
-	"reflect"
+	"os"
+	"sort"
 	"strings"
+	"time"
 
 	"golang.org/x/net/context"
 
+	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/boot"
 	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/features"
 	"github.com/snapcore/snapd/i18n"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/logger"
@@ -45,8 +49,7 @@
 
 // control flags for doInstall
 const (
-	maybeCore = 1 << iota
-	skipConfigure
+	skipConfigure = 1 << iota
 )
 
 // control flags for "Configure()"
@@ -56,16 +59,38 @@
 	UseConfigDefaults
 )
 
-func needsMaybeCore(typ snap.Type) int {
-	if typ == snap.TypeOS {
-		return maybeCore
+func isParallelInstallable(snapsup *SnapSetup) error {
+	if snapsup.InstanceKey == "" {
+		return nil
+	}
+	if snapsup.Type == snap.TypeApp {
+		return nil
 	}
-	return 0
+	return fmt.Errorf("cannot install snap of type %v as %q", snapsup.Type, snapsup.InstanceName())
 }
 
 func doInstall(st *state.State, snapst *SnapState, snapsup *SnapSetup, flags int) (*state.TaskSet, error) {
+	if snapsup.InstanceName() == "system" {
+		return nil, fmt.Errorf("cannot install reserved snap name 'system'")
+	}
+	if snapsup.InstanceName() == "snapd" {
+		model, err := Model(st)
+		if err != nil && err != state.ErrNoState {
+			return nil, err
+		}
+		if model == nil || model.Base() == "" {
+			tr := config.NewTransaction(st)
+			experimentalAllowSnapd, err := config.GetFeatureFlag(tr, features.SnapdSnap)
+			if err != nil && !config.IsNoOption(err) {
+				return nil, err
+			}
+			if !experimentalAllowSnapd {
+				return nil, fmt.Errorf("cannot install snapd snap on a model without a base snap yet")
+			}
+		}
+	}
 	if snapst.IsInstalled() && !snapst.Active {
-		return nil, fmt.Errorf("cannot update disabled snap %q", snapsup.Name())
+		return nil, fmt.Errorf("cannot update disabled snap %q", snapsup.InstanceName())
 	}
 
 	if snapsup.Flags.Classic {
@@ -77,17 +102,28 @@
 	}
 	if !snapst.IsInstalled() { // install?
 		// check that the snap command namespace doesn't conflict with an enabled alias
-		if err := checkSnapAliasConflict(st, snapsup.Name()); err != nil {
+		if err := checkSnapAliasConflict(st, snapsup.InstanceName()); err != nil {
 			return nil, err
 		}
 	}
 
-	if err := CheckChangeConflict(st, snapsup.Name(), nil, snapst); err != nil {
+	if err := isParallelInstallable(snapsup); err != nil {
 		return nil, err
 	}
 
-	// ensure core gets installed. if it is already installed return
-	// an empty task set
+	if err := CheckChangeConflict(st, snapsup.InstanceName(), snapst); err != nil {
+		return nil, err
+	}
+
+	if snapst.IsInstalled() {
+		// consider also the current revision to set plugs-only hint
+		info, err := snapst.CurrentInfo()
+		if err != nil {
+			return nil, err
+		}
+		snapsup.PlugsOnly = snapsup.PlugsOnly && (len(info.Slots) == 0)
+	}
+
 	ts := state.NewTaskSet()
 
 	targetRevision := snapsup.Revision()
@@ -99,7 +135,7 @@
 	// check if we already have the revision locally (alters tasks)
 	revisionIsLocal := snapst.LastIndex(targetRevision) >= 0
 
-	prereq := st.NewTask("prerequisites", fmt.Sprintf(i18n.G("Ensure prerequisites for %q are available"), snapsup.Name()))
+	prereq := st.NewTask("prerequisites", fmt.Sprintf(i18n.G("Ensure prerequisites for %q are available"), snapsup.InstanceName()))
 	prereq.Set("snap-setup", snapsup)
 
 	var prepare, prev *state.Task
@@ -109,7 +145,7 @@
 		prepare = st.NewTask("prepare-snap", fmt.Sprintf(i18n.G("Prepare snap %q%s"), snapsup.SnapPath, revisionStr))
 	} else {
 		fromStore = true
-		prepare = st.NewTask("download-snap", fmt.Sprintf(i18n.G("Download snap %q%s from channel %q"), snapsup.Name(), revisionStr, snapsup.Channel))
+		prepare = st.NewTask("download-snap", fmt.Sprintf(i18n.G("Download snap %q%s from channel %q"), snapsup.InstanceName(), revisionStr, snapsup.Channel))
 	}
 	prepare.Set("snap-setup", snapsup)
 	prepare.WaitFor(prereq)
@@ -124,14 +160,14 @@
 
 	if fromStore {
 		// fetch and check assertions
-		checkAsserts := st.NewTask("validate-snap", fmt.Sprintf(i18n.G("Fetch and check assertions for snap %q%s"), snapsup.Name(), revisionStr))
+		checkAsserts := st.NewTask("validate-snap", fmt.Sprintf(i18n.G("Fetch and check assertions for snap %q%s"), snapsup.InstanceName(), revisionStr))
 		addTask(checkAsserts)
 		prev = checkAsserts
 	}
 
 	// mount
 	if !revisionIsLocal {
-		mount := st.NewTask("mount-snap", fmt.Sprintf(i18n.G("Mount snap %q%s"), snapsup.Name(), revisionStr))
+		mount := st.NewTask("mount-snap", fmt.Sprintf(i18n.G("Mount snap %q%s"), snapsup.InstanceName(), revisionStr))
 		addTask(mount)
 		prev = mount
 	}
@@ -139,86 +175,84 @@
 	// run refresh hooks when updating existing snap, otherwise run install hook further down.
 	runRefreshHooks := (snapst.IsInstalled() && !snapsup.Flags.Revert)
 	if runRefreshHooks {
-		preRefreshHook := SetupPreRefreshHook(st, snapsup.Name())
+		preRefreshHook := SetupPreRefreshHook(st, snapsup.InstanceName())
 		addTask(preRefreshHook)
 		prev = preRefreshHook
 	}
 
 	if snapst.IsInstalled() {
 		// unlink-current-snap (will stop services for copy-data)
-		stop := st.NewTask("stop-snap-services", fmt.Sprintf(i18n.G("Stop snap %q services"), snapsup.Name()))
+		stop := st.NewTask("stop-snap-services", fmt.Sprintf(i18n.G("Stop snap %q services"), snapsup.InstanceName()))
 		stop.Set("stop-reason", snap.StopReasonRefresh)
 		addTask(stop)
 		prev = stop
 
-		removeAliases := st.NewTask("remove-aliases", fmt.Sprintf(i18n.G("Remove aliases for snap %q"), snapsup.Name()))
+		removeAliases := st.NewTask("remove-aliases", fmt.Sprintf(i18n.G("Remove aliases for snap %q"), snapsup.InstanceName()))
 		addTask(removeAliases)
 		prev = removeAliases
 
-		unlink := st.NewTask("unlink-current-snap", fmt.Sprintf(i18n.G("Make current revision for snap %q unavailable"), snapsup.Name()))
+		unlink := st.NewTask("unlink-current-snap", fmt.Sprintf(i18n.G("Make current revision for snap %q unavailable"), snapsup.InstanceName()))
 		addTask(unlink)
 		prev = unlink
 	}
 
 	// copy-data (needs stopped services by unlink)
 	if !snapsup.Flags.Revert {
-		copyData := st.NewTask("copy-snap-data", fmt.Sprintf(i18n.G("Copy snap %q data"), snapsup.Name()))
+		copyData := st.NewTask("copy-snap-data", fmt.Sprintf(i18n.G("Copy snap %q data"), snapsup.InstanceName()))
 		addTask(copyData)
 		prev = copyData
 	}
 
 	// security
-	setupSecurity := st.NewTask("setup-profiles", fmt.Sprintf(i18n.G("Setup snap %q%s security profiles"), snapsup.Name(), revisionStr))
+	setupSecurity := st.NewTask("setup-profiles", fmt.Sprintf(i18n.G("Setup snap %q%s security profiles"), snapsup.InstanceName(), revisionStr))
 	addTask(setupSecurity)
 	prev = setupSecurity
 
 	// finalize (wrappers+current symlink)
-	linkSnap := st.NewTask("link-snap", fmt.Sprintf(i18n.G("Make snap %q%s available to the system"), snapsup.Name(), revisionStr))
+	linkSnap := st.NewTask("link-snap", fmt.Sprintf(i18n.G("Make snap %q%s available to the system"), snapsup.InstanceName(), revisionStr))
 	addTask(linkSnap)
 	prev = linkSnap
 
-	// security: phase 2, no-op unless core
-	if flags&maybeCore != 0 {
-		setupSecurityPhase2 := st.NewTask("setup-profiles", fmt.Sprintf(i18n.G("Setup snap %q%s security profiles (phase 2)"), snapsup.Name(), revisionStr))
-		setupSecurityPhase2.Set("core-phase-2", true)
-		addTask(setupSecurityPhase2)
-		prev = setupSecurityPhase2
-	}
-
 	// auto-connections
-	autoConnect := st.NewTask("auto-connect", fmt.Sprintf(i18n.G("Automatically connect eligible plugs and slots of snap %q"), snapsup.Name()))
+	autoConnect := st.NewTask("auto-connect", fmt.Sprintf(i18n.G("Automatically connect eligible plugs and slots of snap %q"), snapsup.InstanceName()))
 	addTask(autoConnect)
 	prev = autoConnect
 
 	// setup aliases
-	setAutoAliases := st.NewTask("set-auto-aliases", fmt.Sprintf(i18n.G("Set automatic aliases for snap %q"), snapsup.Name()))
+	setAutoAliases := st.NewTask("set-auto-aliases", fmt.Sprintf(i18n.G("Set automatic aliases for snap %q"), snapsup.InstanceName()))
 	addTask(setAutoAliases)
 	prev = setAutoAliases
 
-	setupAliases := st.NewTask("setup-aliases", fmt.Sprintf(i18n.G("Setup snap %q aliases"), snapsup.Name()))
+	setupAliases := st.NewTask("setup-aliases", fmt.Sprintf(i18n.G("Setup snap %q aliases"), snapsup.InstanceName()))
 	addTask(setupAliases)
 	prev = setupAliases
 
 	if runRefreshHooks {
-		postRefreshHook := SetupPostRefreshHook(st, snapsup.Name())
+		postRefreshHook := SetupPostRefreshHook(st, snapsup.InstanceName())
 		addTask(postRefreshHook)
 		prev = postRefreshHook
 	}
 
 	// only run install hook if installing the snap for the first time
 	if !snapst.IsInstalled() {
-		installHook := SetupInstallHook(st, snapsup.Name())
+		installHook := SetupInstallHook(st, snapsup.InstanceName())
 		addTask(installHook)
 		prev = installHook
 	}
 
 	// run new serices
-	startSnapServices := st.NewTask("start-snap-services", fmt.Sprintf(i18n.G("Start snap %q%s services"), snapsup.Name(), revisionStr))
+	startSnapServices := st.NewTask("start-snap-services", fmt.Sprintf(i18n.G("Start snap %q%s services"), snapsup.InstanceName(), revisionStr))
 	addTask(startSnapServices)
 	prev = startSnapServices
 
 	// Do not do that if we are reverting to a local revision
 	if snapst.IsInstalled() && !snapsup.Flags.Revert {
+		var retain int
+		if err := config.NewTransaction(st).Get("core", "refresh.retain", &retain); err != nil {
+			retain = 3
+		}
+		retain-- //  we're adding one
+
 		seq := snapst.Sequence
 		currentIndex := snapst.LastIndex(snapst.Current)
 
@@ -230,7 +264,7 @@
 				// but don't discard this one; its' the thing we're switching to!
 				continue
 			}
-			ts := removeInactiveRevision(st, snapsup.Name(), si.Revision)
+			ts := removeInactiveRevision(st, snapsup.InstanceName(), si.Revision)
 			ts.WaitFor(prev)
 			tasks = append(tasks, ts.Tasks()...)
 			prev = tasks[len(tasks)-1]
@@ -250,18 +284,18 @@
 		}
 
 		// normal garbage collect
-		for i := 0; i <= currentIndex-2; i++ {
+		for i := 0; i <= currentIndex-retain; i++ {
 			si := seq[i]
-			if boot.InUse(snapsup.Name(), si.Revision) {
+			if boot.InUse(snapsup.InstanceName(), si.Revision) {
 				continue
 			}
-			ts := removeInactiveRevision(st, snapsup.Name(), si.Revision)
+			ts := removeInactiveRevision(st, snapsup.InstanceName(), si.Revision)
 			ts.WaitFor(prev)
 			tasks = append(tasks, ts.Tasks()...)
 			prev = tasks[len(tasks)-1]
 		}
 
-		addTask(st.NewTask("cleanup", fmt.Sprintf("Clean up %q%s install", snapsup.Name(), revisionStr)))
+		addTask(st.NewTask("cleanup", fmt.Sprintf("Clean up %q%s install", snapsup.InstanceName(), revisionStr)))
 	}
 
 	installSet := state.NewTaskSet(tasks...)
@@ -279,9 +313,12 @@
 		confFlags |= UseConfigDefaults
 	}
 
-	configSet := ConfigureSnap(st, snapsup.Name(), confFlags)
-	configSet.WaitAll(ts)
-	ts.AddAll(configSet)
+	// we do not support configuration for bases or the "snapd" snap yet
+	if snapsup.Type != snap.TypeBase && snapsup.InstanceName() != "snapd" {
+		configSet := ConfigureSnap(st, snapsup.InstanceName(), confFlags)
+		configSet.WaitAll(ts)
+		ts.AddAll(configSet)
+	}
 
 	return ts, nil
 }
@@ -318,142 +355,65 @@
 	panic("internal error: snapstate.SetupRemoveHook is unset")
 }
 
-// snapTopicalTasks are tasks that characterize changes on a snap that
-// cannot be run concurrently and should conflict with each other.
-var snapTopicalTasks = map[string]bool{
-	"link-snap":           true,
-	"unlink-snap":         true,
-	"switch-snap":         true,
-	"switch-snap-channel": true,
-	"toggle-snap-flags":   true,
-	"refresh-aliases":     true,
-	"prune-auto-aliases":  true,
-	"alias":               true,
-	"unalias":             true,
-	"disable-aliases":     true,
-	"prefer-aliases":      true,
-	"connect":             true,
-	"disconnect":          true,
-}
-
-func getPlugAndSlotRefs(task *state.Task) (*interfaces.PlugRef, *interfaces.SlotRef, error) {
-	var plugRef interfaces.PlugRef
-	var slotRef interfaces.SlotRef
-	if err := task.Get("plug", &plugRef); err != nil {
-		return nil, nil, err
-	}
-	if err := task.Get("slot", &slotRef); err != nil {
-		return nil, nil, err
+// WaitRestart will return a Retry error if there is a pending restart
+// and a real error if anything went wrong (like a rollback across
+// restarts)
+func WaitRestart(task *state.Task, snapsup *SnapSetup) (err error) {
+	if ok, _ := task.State().Restarting(); ok {
+		// don't continue until we are in the restarted snapd
+		task.Logf("Waiting for restart...")
+		return &state.Retry{}
 	}
-	return &plugRef, &slotRef, nil
-}
 
-func ChangeConflictError(snapName, kind string) *changeConflictError {
-	return &changeConflictError{
-		snapName:   snapName,
-		changeKind: kind,
+	snapInfo, err := snap.ReadInfo(snapsup.InstanceName(), snapsup.SideInfo)
+	if err != nil {
+		return err
 	}
-}
 
-type changeConflictError struct {
-	snapName   string
-	changeKind string
-}
-
-func (e changeConflictError) Error() string {
-	if e.changeKind != "" {
-		return fmt.Sprintf("snap %q has %q change in progress", e.snapName, e.changeKind)
+	if snapsup.InstanceName() == "snapd" && os.Getenv("SNAPD_REVERT_TO_REV") != "" {
+		return fmt.Errorf("there was a snapd rollback across the restart")
 	}
-	return fmt.Sprintf("snap %q has changes in progress", e.snapName)
-}
 
-// CheckChangeConflictMany ensures that for the given snapNames no other
-// changes that alters the snaps (like remove, install, refresh) are in
-// progress. If a conflict is detected an error is returned.
-//
-// It's like CheckChangeConflict, but for multiple snaps, and does not
-// check snapst.
-func CheckChangeConflictMany(st *state.State, snapNames []string, checkConflictPredicate func(task *state.Task) bool) error {
-	snapMap := make(map[string]bool, len(snapNames))
-	for _, k := range snapNames {
-		snapMap[k] = true
-	}
+	// If not on classic check there was no rollback. A reboot
+	// can be triggered by:
+	// - core (old core16 world, system-reboot)
+	// - bootable base snap (new core18 world, system-reboot)
+	//
+	// TODO: Detect "snapd" snap daemon-restarts here that
+	//       fallback into the old version (once we have
+	//       better snapd rollback support in core18).
+	if !release.OnClassic {
+		// TODO: double check that we really rebooted
+		// otherwise this could be just a spurious restart
+		// of snapd
 
-	for _, chg := range st.Changes() {
-		if chg.Status().Ready() {
-			continue
+		model, err := Model(task.State())
+		if err != nil {
+			return err
 		}
-		if chg.Kind() == "transition-ubuntu-core" {
-			return fmt.Errorf("ubuntu-core to core transition in progress, no other changes allowed until this is done")
+		bootName := "core"
+		typ := snap.TypeOS
+		if model.Base() != "" {
+			bootName = model.Base()
+			typ = snap.TypeBase
+		}
+		// if it is not a bootable snap we are not interested
+		if snapsup.InstanceName() != bootName {
+			return nil
 		}
-	}
 
-	for _, task := range st.Tasks() {
-		k := task.Kind()
-		chg := task.Change()
-		if snapTopicalTasks[k] && (chg == nil || !chg.Status().Ready()) {
-			if k == "connect" || k == "disconnect" {
-				plugRef, slotRef, err := getPlugAndSlotRefs(task)
-				if err != nil {
-					return fmt.Errorf("internal error: cannot obtain plug/slot data from task: %s", task.Summary())
-				}
-				if (snapMap[plugRef.Snap] || snapMap[slotRef.Snap]) && (checkConflictPredicate == nil || checkConflictPredicate(task)) {
-					var snapName string
-					if snapMap[plugRef.Snap] {
-						snapName = plugRef.Snap
-					} else {
-						snapName = slotRef.Snap
-					}
-					return changeConflictError{snapName, chg.Kind()}
-				}
-			} else {
-				snapsup, err := TaskSnapSetup(task)
-				if err != nil {
-					return fmt.Errorf("internal error: cannot obtain snap setup from task: %s", task.Summary())
-				}
-				snapName := snapsup.Name()
-				if (snapMap[snapName]) && (checkConflictPredicate == nil || checkConflictPredicate(task)) {
-					return changeConflictError{snapName, chg.Kind()}
-				}
-			}
+		name, rev, err := CurrentBootNameAndRevision(typ)
+		if err == ErrBootNameAndRevisionAgain {
+			return &state.Retry{After: 5 * time.Second}
 		}
-	}
-
-	return nil
-}
-
-type changeDuringInstallError struct {
-	snapName string
-}
-
-func (c changeDuringInstallError) Error() string {
-	return fmt.Sprintf("snap %q state changed during install preparations", c.snapName)
-}
-
-// CheckChangeConflict ensures that for the given snapName no other
-// changes that alters the snap (like remove, install, refresh) are in
-// progress. It also ensures that snapst (if not nil) did not get
-// modified. If a conflict is detected an error is returned.
-func CheckChangeConflict(st *state.State, snapName string, checkConflictPredicate func(task *state.Task) bool, snapst *SnapState) error {
-	if err := CheckChangeConflictMany(st, []string{snapName}, checkConflictPredicate); err != nil {
-		return err
-	}
-
-	if snapst != nil {
-		// caller wants us to also make sure the SnapState in state
-		// matches the one they provided. Necessary because we need to
-		// unlock while talking to the store, during which a change can
-		// sneak in (if it's before the taskset is created) (e.g. for
-		// install, while getting the snap info; for refresh, when
-		// getting what needs refreshing).
-		var cursnapst SnapState
-		if err := Get(st, snapName, &cursnapst); err != nil && err != state.ErrNoState {
+		if err != nil {
 			return err
 		}
 
-		// TODO: implement the rather-boring-but-more-performant SnapState.Equals
-		if !reflect.DeepEqual(snapst, &cursnapst) {
-			return changeDuringInstallError{snapName: snapName}
+		if snapsup.InstanceName() != name || snapInfo.Revision != rev {
+			// TODO: make sure this revision gets ignored for
+			//       automatic refreshes
+			return fmt.Errorf("cannot finish %s installation, there was a rollback across reboot", snapsup.InstanceName())
 		}
 	}
 
@@ -486,6 +446,7 @@
 // default providers there are.
 func defaultContentPlugProviders(st *state.State, info *snap.Info) []string {
 	out := []string{}
+	seen := map[string]bool{}
 	for _, plug := range info.Plugs {
 		if plug.Interface == "content" {
 			if contentAttr(plug) == "" {
@@ -501,7 +462,10 @@
 				// documentation said it is "snapname:ifname",
 				// we deal with this gracefully by just
 				// stripping of the part after the ":"
-				out = append(out, strings.Split(dprovider, ":")[0])
+				if name := strings.SplitN(dprovider, ":", 2)[0]; !seen[name] {
+					out = append(out, name)
+					seen[name] = true
+				}
 			}
 		}
 	}
@@ -511,46 +475,74 @@
 // validateFeatureFlags validates the given snap only uses experimental
 // features that are enabled by the user.
 func validateFeatureFlags(st *state.State, info *snap.Info) error {
-	if len(info.Layout) == 0 {
-		return nil
+	tr := config.NewTransaction(st)
+
+	if len(info.Layout) > 0 {
+		flag, err := config.GetFeatureFlag(tr, features.Layouts)
+		if err != nil {
+			return err
+		}
+		if !flag {
+			return fmt.Errorf("experimental feature disabled - test it by setting 'experimental.layouts' to true")
+		}
 	}
 
-	tr := config.NewTransaction(st)
-	var featureFlagLayouts bool
-	if err := tr.GetMaybe("core", "experimental.layouts", &featureFlagLayouts); err != nil {
+	if info.InstanceKey != "" {
+		flag, err := config.GetFeatureFlag(tr, features.ParallelInstances)
+		if err != nil {
+			return err
+		}
+		if !flag {
+			return fmt.Errorf("experimental feature disabled - test it by setting 'experimental.parallel-instances' to true")
+		}
+	}
+
+	return nil
+}
+
+func checkInstallPreconditions(st *state.State, info *snap.Info, flags Flags, snapst *SnapState) error {
+	if err := validateInfoAndFlags(info, snapst, flags); err != nil {
 		return err
 	}
-	if featureFlagLayouts {
-		return nil
+	if err := validateFeatureFlags(st, info); err != nil {
+		return err
 	}
-
-	return fmt.Errorf("cannot use experimental 'layouts' feature, set option 'experimental.layouts' to true and try again")
+	return nil
 }
 
-// InstallPath returns a set of tasks for installing snap from a file path.
+// InstallPath returns a set of tasks for installing a snap from a file path
+// and the snap.Info for the given snap.
+//
 // Note that the state must be locked by the caller.
 // The provided SideInfo can contain just a name which results in a
 // local revision and sideloading, or full metadata in which case it
 // the snap will appear as installed from the store.
-func InstallPath(st *state.State, si *snap.SideInfo, path, channel string, flags Flags) (*state.TaskSet, error) {
-	name := si.RealName
-	if name == "" {
-		return nil, fmt.Errorf("internal error: snap name to install %q not provided", path)
+func InstallPath(st *state.State, si *snap.SideInfo, path, instanceName, channel string, flags Flags) (*state.TaskSet, *snap.Info, error) {
+	if si.RealName == "" {
+		return nil, nil, fmt.Errorf("internal error: snap name to install %q not provided", path)
+	}
+
+	if instanceName == "" {
+		instanceName = si.RealName
 	}
 
 	var snapst SnapState
-	err := Get(st, name, &snapst)
+	err := Get(st, instanceName, &snapst)
 	if err != nil && err != state.ErrNoState {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if si.SnapID != "" {
 		if si.Revision.Unset() {
-			return nil, fmt.Errorf("internal error: snap id set to install %q but revision is unset", path)
+			return nil, nil, fmt.Errorf("internal error: snap id set to install %q but revision is unset", path)
 		}
 	}
 
-	instFlags := maybeCore
+	if err := canSwitchChannel(st, instanceName, channel); err != nil {
+		return nil, nil, err
+	}
+
+	var instFlags int
 	if flags.SkipConfigure {
 		// extract it as a doInstall flag, this is not passed
 		// into SnapSetup
@@ -561,26 +553,44 @@
 	// have side info or the user passed --dangerous
 	info, container, err := backend.OpenSnapFile(path, si)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if err := validateContainer(container, info, logger.Noticef); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
-	if err := validateFeatureFlags(st, info); err != nil {
-		return nil, err
+	if err := snap.ValidateInstanceName(instanceName); err != nil {
+		return nil, nil, err
+	}
+
+	snapName, instanceKey := snap.SplitInstanceName(instanceName)
+	if info.SnapName() != snapName {
+		return nil, nil, fmt.Errorf("cannot install snap %q, the name does not match the metadata %q", instanceName, info.SnapName())
+	}
+	info.InstanceKey = instanceKey
+
+	if err := checkInstallPreconditions(st, info, flags, &snapst); err != nil {
+		return nil, nil, err
+	}
+	// this might be a refresh; check the epoch before proceeding
+	if err := earlyEpochCheck(info, &snapst); err != nil {
+		return nil, nil, err
 	}
 
 	snapsup := &SnapSetup{
-		Base:     info.Base,
-		Prereq:   defaultContentPlugProviders(st, info),
-		SideInfo: si,
-		SnapPath: path,
-		Channel:  channel,
-		Flags:    flags.ForSnapSetup(),
+		Base:        info.Base,
+		Prereq:      defaultContentPlugProviders(st, info),
+		SideInfo:    si,
+		SnapPath:    path,
+		Channel:     channel,
+		Flags:       flags.ForSnapSetup(),
+		Type:        info.Type,
+		PlugsOnly:   len(info.Slots) == 0,
+		InstanceKey: info.InstanceKey,
 	}
 
-	return doInstall(st, &snapst, snapsup, instFlags)
+	ts, err := doInstall(st, &snapst, snapsup, instFlags)
+	return ts, info, err
 }
 
 // TryPath returns a set of tasks for trying a snap from a file path.
@@ -588,7 +598,8 @@
 func TryPath(st *state.State, name, path string, flags Flags) (*state.TaskSet, error) {
 	flags.TryMode = true
 
-	return InstallPath(st, &snap.SideInfo{RealName: name}, path, "", flags)
+	ts, _, err := InstallPath(st, &snap.SideInfo{RealName: name}, path, "", "", flags)
+	return ts, err
 }
 
 // Install returns a set of tasks for installing snap.
@@ -607,15 +618,17 @@
 		return nil, &snap.AlreadyInstalledError{Snap: name}
 	}
 
-	info, err := snapInfo(st, name, channel, revision, userID)
-	if err != nil {
+	// need to have a model set before trying to talk the store
+	if _, err := ModelPastSeeding(st); err != nil {
 		return nil, err
 	}
 
-	if err := validateInfoAndFlags(info, &snapst, flags); err != nil {
+	info, err := installInfo(st, name, channel, revision, userID)
+	if err != nil {
 		return nil, err
 	}
-	if err := validateFeatureFlags(st, info); err != nil {
+
+	if err := checkInstallPreconditions(st, info, flags, &snapst); err != nil {
 		return nil, err
 	}
 
@@ -627,31 +640,71 @@
 		Flags:        flags.ForSnapSetup(),
 		DownloadInfo: &info.DownloadInfo,
 		SideInfo:     &info.SideInfo,
+		Type:         info.Type,
+		PlugsOnly:    len(info.Slots) == 0,
+		InstanceKey:  info.InstanceKey,
 	}
 
-	return doInstall(st, &snapst, snapsup, needsMaybeCore(info.Type))
+	return doInstall(st, &snapst, snapsup, 0)
 }
 
 // InstallMany installs everything from the given list of names.
 // Note that the state must be locked by the caller.
 func InstallMany(st *state.State, names []string, userID int) ([]string, []*state.TaskSet, error) {
-	installed := make([]string, 0, len(names))
-	tasksets := make([]*state.TaskSet, 0, len(names))
+	toInstall := make([]string, 0, len(names))
 	for _, name := range names {
-		ts, err := Install(st, name, "", snap.R(0), userID, Flags{})
-		// FIXME: is this expected behavior?
-		if _, ok := err.(*snap.AlreadyInstalledError); ok {
+		var snapst SnapState
+		err := Get(st, name, &snapst)
+		if err != nil && err != state.ErrNoState {
+			return nil, nil, err
+		}
+		if snapst.IsInstalled() {
 			continue
 		}
+		toInstall = append(toInstall, name)
+	}
+
+	user, err := userFromUserID(st, userID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	installs, err := installCandidates(st, toInstall, "stable", user)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	tasksets := make([]*state.TaskSet, 0, len(installs))
+	for _, info := range installs {
+		var snapst SnapState
+		var flags Flags
+
+		if err := checkInstallPreconditions(st, info, flags, &snapst); err != nil {
+			return nil, nil, err
+		}
+
+		snapsup := &SnapSetup{
+			Channel:      "stable",
+			Base:         info.Base,
+			Prereq:       defaultContentPlugProviders(st, info),
+			UserID:       userID,
+			Flags:        flags.ForSnapSetup(),
+			DownloadInfo: &info.DownloadInfo,
+			SideInfo:     &info.SideInfo,
+			Type:         info.Type,
+			PlugsOnly:    len(info.Slots) == 0,
+			InstanceKey:  info.InstanceKey,
+		}
+
+		ts, err := doInstall(st, &snapst, snapsup, 0)
 		if err != nil {
 			return nil, nil, err
 		}
-		installed = append(installed, name)
 		ts.JoinLane(st.NewLane())
 		tasksets = append(tasksets, ts)
 	}
 
-	return installed, tasksets, nil
+	return toInstall, tasksets, nil
 }
 
 // RefreshCandidates gets a list of candidates for update
@@ -667,13 +720,21 @@
 // UpdateMany updates everything from the given list of names that the
 // store says is updateable. If the list is empty, update everything.
 // Note that the state must be locked by the caller.
-func UpdateMany(ctx context.Context, st *state.State, names []string, userID int) ([]string, []*state.TaskSet, error) {
+func UpdateMany(ctx context.Context, st *state.State, names []string, userID int, flags *Flags) ([]string, []*state.TaskSet, error) {
+	if flags == nil {
+		flags = &Flags{}
+	}
 	user, err := userFromUserID(st, userID)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	updates, stateByID, ignoreValidation, err := refreshCandidates(ctx, st, names, user, nil)
+	// need to have a model set before trying to talk the store
+	if _, err := ModelPastSeeding(st); err != nil {
+		return nil, nil, err
+	}
+
+	updates, stateByInstanceName, ignoreValidation, err := refreshCandidates(ctx, st, names, user, nil)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -691,15 +752,24 @@
 	}
 
 	params := func(update *snap.Info) (string, Flags, *SnapState) {
-		snapst := stateByID[update.SnapID]
+		snapst := stateByInstanceName[update.InstanceName()]
+		updateFlags := snapst.Flags
+		if !update.NeedsClassic() && updateFlags.Classic {
+			// allow updating from classic to strict
+			updateFlags.Classic = false
+		}
 		return snapst.Channel, snapst.Flags, snapst
 
 	}
 
-	return doUpdate(st, names, updates, params, userID)
+	return doUpdate(ctx, st, names, updates, params, userID, flags)
 }
 
-func doUpdate(st *state.State, names []string, updates []*snap.Info, params func(*snap.Info) (channel string, flags Flags, snapst *SnapState), userID int) ([]string, []*state.TaskSet, error) {
+func doUpdate(ctx context.Context, st *state.State, names []string, updates []*snap.Info, params func(*snap.Info) (channel string, flags Flags, snapst *SnapState), userID int, globalFlags *Flags) ([]string, []*state.TaskSet, error) {
+	if globalFlags == nil {
+		globalFlags = &Flags{}
+	}
+
 	tasksets := make([]*state.TaskSet, 0, len(updates))
 
 	refreshAll := len(names) == 0
@@ -740,19 +810,32 @@
 		reportUpdated[snapName] = true
 	}
 
+	// first snapd, core, bases, then rest
+	sort.Stable(snap.ByType(updates))
+	prereqs := make(map[string]*state.TaskSet)
+	waitPrereq := func(ts *state.TaskSet, prereqName string) {
+		preTs := prereqs[prereqName]
+		if preTs != nil {
+			ts.WaitAll(preTs)
+		}
+	}
+
+	// updates is sorted by kind so this will process first core
+	// and bases and then other snaps
 	for _, update := range updates {
 		channel, flags, snapst := params(update)
+		flags.IsAutoRefresh = globalFlags.IsAutoRefresh
 
-		if err := validateInfoAndFlags(update, snapst, flags); err != nil {
+		if err := checkInstallPreconditions(st, update, flags, snapst); err != nil {
 			if refreshAll {
-				logger.Noticef("cannot update %q: %v", update.Name(), err)
+				logger.Noticef("cannot update %q: %v", update.InstanceName(), err)
 				continue
 			}
 			return nil, nil, err
 		}
-		if err := validateFeatureFlags(st, update); err != nil {
+		if err := earlyEpochCheck(update, snapst); err != nil {
 			if refreshAll {
-				logger.Noticef("cannot update %q: %v", update.Name(), err)
+				logger.Noticef("cannot update %q: %v", update.InstanceName(), err)
 				continue
 			}
 			return nil, nil, err
@@ -764,25 +847,49 @@
 		}
 
 		snapsup := &SnapSetup{
+			Base:         update.Base,
+			Prereq:       defaultContentPlugProviders(st, update),
 			Channel:      channel,
 			UserID:       snapUserID,
 			Flags:        flags.ForSnapSetup(),
 			DownloadInfo: &update.DownloadInfo,
 			SideInfo:     &update.SideInfo,
+			Type:         update.Type,
+			PlugsOnly:    len(update.Slots) == 0,
+			InstanceKey:  update.InstanceKey,
 		}
 
-		ts, err := doInstall(st, snapst, snapsup, needsMaybeCore(update.Type))
+		ts, err := doInstall(st, snapst, snapsup, 0)
 		if err != nil {
 			if refreshAll {
 				// doing "refresh all", just skip this snap
-				logger.Noticef("cannot refresh snap %q: %v", update.Name(), err)
+				logger.Noticef("cannot refresh snap %q: %v", update.InstanceName(), err)
 				continue
 			}
 			return nil, nil, err
 		}
 		ts.JoinLane(st.NewLane())
 
-		scheduleUpdate(update.Name(), ts)
+		// because of the sorting of updates we fill prereqs
+		// first (if branch) and only then use it to setup
+		// waits (else branch)
+		if update.Type == snap.TypeOS || update.Type == snap.TypeBase || update.InstanceName() == "snapd" {
+			// prereq types come first in updates, we
+			// also assume bases don't have hooks, otherwise
+			// they would need to wait on core or snapd
+			prereqs[update.InstanceName()] = ts
+		} else {
+			// prereqs were processed already, wait for
+			// them as necessary for the other kind of
+			// snaps
+			waitPrereq(ts, defaultCoreSnapName)
+			waitPrereq(ts, "snapd")
+			if update.Base != "" {
+				waitPrereq(ts, update.Base)
+			}
+		}
+
+		scheduleUpdate(update.InstanceName(), ts)
 		tasksets = append(tasksets, ts)
 	}
 
@@ -802,7 +909,7 @@
 	return updated, tasksets, nil
 }
 
-func applyAutoAliasesDelta(st *state.State, delta map[string][]string, op string, refreshAll bool, linkTs func(snapName string, ts *state.TaskSet)) (*state.TaskSet, error) {
+func applyAutoAliasesDelta(st *state.State, delta map[string][]string, op string, refreshAll bool, linkTs func(instanceName string, ts *state.TaskSet)) (*state.TaskSet, error) {
 	applyTs := state.NewTaskSet()
 	kind := "refresh-aliases"
 	msg := i18n.G("Refresh aliases for snap %q")
@@ -810,26 +917,28 @@
 		kind = "prune-auto-aliases"
 		msg = i18n.G("Prune automatic aliases for snap %q")
 	}
-	for snapName, aliases := range delta {
-		if err := CheckChangeConflict(st, snapName, nil, nil); err != nil {
+	for instanceName, aliases := range delta {
+		if err := CheckChangeConflict(st, instanceName, nil); err != nil {
 			if refreshAll {
 				// doing "refresh all", just skip this snap
-				logger.Noticef("cannot %s automatic aliases for snap %q: %v", op, snapName, err)
+				logger.Noticef("cannot %s automatic aliases for snap %q: %v", op, instanceName, err)
 				continue
 			}
 			return nil, err
 		}
 
+		snapName, instanceKey := snap.SplitInstanceName(instanceName)
 		snapsup := &SnapSetup{
-			SideInfo: &snap.SideInfo{RealName: snapName},
+			SideInfo:    &snap.SideInfo{RealName: snapName},
+			InstanceKey: instanceKey,
 		}
-		alias := st.NewTask(kind, fmt.Sprintf(msg, snapsup.Name()))
+		alias := st.NewTask(kind, fmt.Sprintf(msg, snapsup.InstanceName()))
 		alias.Set("snap-setup", &snapsup)
 		if op == "prune" {
 			alias.Set("aliases", aliases)
 		}
 		ts := state.NewTaskSet(alias)
-		linkTs(snapName, ts)
+		linkTs(instanceName, ts)
 		applyTs.AddAll(ts)
 	}
 	return applyTs, nil
@@ -850,9 +959,9 @@
 
 	// dropped alias -> snapName
 	droppedAliases := make(map[string][]string, len(dropped))
-	for snapName, aliases := range dropped {
+	for instanceName, aliases := range dropped {
 		for _, alias := range aliases {
-			droppedAliases[alias] = append(droppedAliases[alias], snapName)
+			droppedAliases[alias] = append(droppedAliases[alias], instanceName)
 		}
 	}
 
@@ -871,10 +980,10 @@
 	// mark snaps that are sources or target of transfers
 	transferSources := make(map[string]bool, len(dropped))
 	transferTargets = make(map[string]bool, len(changed))
-	for snapName, aliases := range changed {
+	for instanceName, aliases := range changed {
 		for _, alias := range aliases {
 			if sources := droppedAliases[alias]; len(sources) != 0 {
-				transferTargets[snapName] = true
+				transferTargets[instanceName] = true
 				for _, source := range sources {
 					transferSources[source] = true
 				}
@@ -885,26 +994,26 @@
 	// snaps with updates
 	updating := make(map[string]bool, len(updates))
 	for _, info := range updates {
-		updating[info.Name()] = true
+		updating[info.InstanceName()] = true
 	}
 
 	// add explicitly auto-aliases only for snaps that are not updated
-	for snapName := range changed {
-		if updating[snapName] {
-			delete(changed, snapName)
+	for instanceName := range changed {
+		if updating[instanceName] {
+			delete(changed, instanceName)
 		}
 	}
 
 	// prune explicitly auto-aliases only for snaps that are mentioned
 	// and not updated OR the source of transfers
 	mustPrune = make(map[string][]string, len(dropped))
-	for snapName := range transferSources {
-		mustPrune[snapName] = dropped[snapName]
+	for instanceName := range transferSources {
+		mustPrune[instanceName] = dropped[instanceName]
 	}
 	if refreshAll {
-		for snapName, aliases := range dropped {
-			if !updating[snapName] {
-				mustPrune[snapName] = aliases
+		for instanceName, aliases := range dropped {
+			if !updating[instanceName] {
+				mustPrune[instanceName] = aliases
 			}
 		}
 	} else {
@@ -918,6 +1027,45 @@
 	return changed, mustPrune, transferTargets, nil
 }
 
+// canSwitchChannel returns an error if switching to newChannel for snap is
+// forbidden.
+func canSwitchChannel(st *state.State, snapName, newChannel string) error {
+	// nothing to do
+	if newChannel == "" {
+		return nil
+	}
+
+	// ensure we do not switch away from the kernel-track in the model
+	model, err := Model(st)
+	if err != nil && err != state.ErrNoState {
+		return err
+	}
+	if model == nil {
+		return nil
+	}
+
+	if snapName == model.Kernel() && model.KernelTrack() != "" {
+		nch, err := snap.ParseChannel(newChannel, "")
+		if err != nil {
+			return err
+		}
+		if nch.Track != model.KernelTrack() {
+			return fmt.Errorf("cannot switch from kernel track %q as specified for the (device) model to %q", model.KernelTrack(), nch.String())
+		}
+	}
+	if snapName == model.Gadget() && model.GadgetTrack() != "" {
+		nch, err := snap.ParseChannel(newChannel, "")
+		if err != nil {
+			return err
+		}
+		if nch.Track != model.GadgetTrack() {
+			return fmt.Errorf("cannot switch from gadget track %q as specified for the (device) model to %q", model.GadgetTrack(), nch.String())
+		}
+	}
+
+	return nil
+}
+
 // Switch switches a snap to a new channel
 func Switch(st *state.State, name, channel string) (*state.TaskSet, error) {
 	var snapst SnapState
@@ -929,16 +1077,21 @@
 		return nil, &snap.NotInstalledError{Snap: name}
 	}
 
-	if err := CheckChangeConflict(st, name, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, name, nil); err != nil {
+		return nil, err
+	}
+
+	if err := canSwitchChannel(st, name, channel); err != nil {
 		return nil, err
 	}
 
 	snapsup := &SnapSetup{
-		SideInfo: snapst.CurrentSideInfo(),
-		Channel:  channel,
+		SideInfo:    snapst.CurrentSideInfo(),
+		Channel:     channel,
+		InstanceKey: snapst.InstanceKey,
 	}
 
-	switchSnap := st.NewTask("switch-snap", fmt.Sprintf(i18n.G("Switch snap %q to %s"), snapsup.Name(), snapsup.Channel))
+	switchSnap := st.NewTask("switch-snap", fmt.Sprintf(i18n.G("Switch snap %q to %s"), snapsup.InstanceName(), snapsup.Channel))
 	switchSnap.Set("snap-setup", &snapsup)
 
 	return state.NewTaskSet(switchSnap), nil
@@ -962,6 +1115,15 @@
 		return nil, fmt.Errorf("refreshing disabled snap %q not supported", name)
 	}
 
+	// need to have a model set before trying to talk the store
+	if _, err := ModelPastSeeding(st); err != nil {
+		return nil, err
+	}
+
+	if err := canSwitchChannel(st, name, channel); err != nil {
+		return nil, err
+	}
+
 	if channel == "" {
 		channel = snapst.Channel
 	}
@@ -984,23 +1146,29 @@
 	}
 
 	params := func(update *snap.Info) (string, Flags, *SnapState) {
-		return channel, flags, &snapst
+		updateFlags := flags
+		if !update.NeedsClassic() && updateFlags.Classic {
+			// allow updating from classic to strict
+			updateFlags.Classic = false
+		}
+		return channel, updateFlags, &snapst
 	}
 
-	_, tts, err := doUpdate(st, []string{name}, updates, params, userID)
+	_, tts, err := doUpdate(context.TODO(), st, []string{name}, updates, params, userID, &flags)
 	if err != nil {
 		return nil, err
 	}
 
 	// see if we need to update the channel or toggle ignore-validation
 	if infoErr == store.ErrNoUpdateAvailable && (snapst.Channel != channel || snapst.IgnoreValidation != flags.IgnoreValidation) {
-		if err := CheckChangeConflict(st, name, nil, nil); err != nil {
+		if err := CheckChangeConflict(st, name, nil); err != nil {
 			return nil, err
 		}
 
 		snapsup := &SnapSetup{
-			SideInfo: snapst.CurrentSideInfo(),
-			Flags:    snapst.Flags.ForSnapSetup(),
+			SideInfo:    snapst.CurrentSideInfo(),
+			Flags:       snapst.Flags.ForSnapSetup(),
+			InstanceKey: snapst.InstanceKey,
 		}
 
 		if snapst.Channel != channel {
@@ -1010,7 +1178,7 @@
 			// the UI displays the right values.
 			snapsup.SideInfo.Channel = channel
 
-			switchSnap := st.NewTask("switch-snap-channel", fmt.Sprintf(i18n.G("Switch snap %q from %s to %s"), snapsup.Name(), snapst.Channel, channel))
+			switchSnap := st.NewTask("switch-snap-channel", fmt.Sprintf(i18n.G("Switch snap %q from %s to %s"), snapsup.InstanceName(), snapst.Channel, channel))
 			switchSnap.Set("snap-setup", &snapsup)
 
 			switchSnapTs := state.NewTaskSet(switchSnap)
@@ -1023,7 +1191,7 @@
 		if snapst.IgnoreValidation != flags.IgnoreValidation {
 			// toggle ignore validation
 			snapsup.IgnoreValidation = flags.IgnoreValidation
-			toggle := st.NewTask("toggle-snap-flags", fmt.Sprintf(i18n.G("Toggle snap %q flags"), snapsup.Name()))
+			toggle := st.NewTask("toggle-snap-flags", fmt.Sprintf(i18n.G("Toggle snap %q flags"), snapsup.InstanceName()))
 			toggle.Set("snap-setup", &snapsup)
 
 			toggleTs := state.NewTaskSet(toggle)
@@ -1057,9 +1225,6 @@
 		if err != nil {
 			return nil, err
 		}
-		if err := validateInfoAndFlags(info, snapst, flags); err != nil {
-			return nil, err
-		}
 		if ValidateRefreshes != nil && !flags.IgnoreValidation {
 			_, err := ValidateRefreshes(st, []*snap.Info{info}, nil, userID)
 			if err != nil {
@@ -1077,11 +1242,11 @@
 	}
 	if sideInfo == nil {
 		// refresh from given revision from store
-		return updateToRevisionInfo(st, snapst, channel, revision, userID)
+		return updateToRevisionInfo(st, snapst, revision, userID)
 	}
 
-	// refresh-to-local
-	return readInfo(name, sideInfo)
+	// refresh-to-local, this assumes the snap revision is mounted
+	return readInfo(name, sideInfo, errorOnBroken)
 }
 
 // AutoRefreshAssertions allows to hook fetching of important assertions
@@ -1100,7 +1265,7 @@
 		}
 	}
 
-	return UpdateMany(ctx, st, nil, userID)
+	return UpdateMany(ctx, st, nil, userID, &Flags{IsAutoRefresh: true})
 }
 
 // Enable sets a snap to the active state
@@ -1118,32 +1283,40 @@
 		return nil, fmt.Errorf("snap %q already enabled", name)
 	}
 
-	if err := CheckChangeConflict(st, name, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, name, nil); err != nil {
+		return nil, err
+	}
+
+	info, err := snapst.CurrentInfo()
+	if err != nil {
 		return nil, err
 	}
 
 	snapsup := &SnapSetup{
-		SideInfo: snapst.CurrentSideInfo(),
-		Flags:    snapst.Flags.ForSnapSetup(),
+		SideInfo:    snapst.CurrentSideInfo(),
+		Flags:       snapst.Flags.ForSnapSetup(),
+		Type:        info.Type,
+		PlugsOnly:   len(info.Slots) == 0,
+		InstanceKey: snapst.InstanceKey,
 	}
 
-	prepareSnap := st.NewTask("prepare-snap", fmt.Sprintf(i18n.G("Prepare snap %q (%s)"), snapsup.Name(), snapst.Current))
+	prepareSnap := st.NewTask("prepare-snap", fmt.Sprintf(i18n.G("Prepare snap %q (%s)"), snapsup.InstanceName(), snapst.Current))
 	prepareSnap.Set("snap-setup", &snapsup)
 
-	setupProfiles := st.NewTask("setup-profiles", fmt.Sprintf(i18n.G("Setup snap %q (%s) security profiles"), snapsup.Name(), snapst.Current))
+	setupProfiles := st.NewTask("setup-profiles", fmt.Sprintf(i18n.G("Setup snap %q (%s) security profiles"), snapsup.InstanceName(), snapst.Current))
 	setupProfiles.Set("snap-setup-task", prepareSnap.ID())
 	setupProfiles.WaitFor(prepareSnap)
 
-	linkSnap := st.NewTask("link-snap", fmt.Sprintf(i18n.G("Make snap %q (%s) available to the system"), snapsup.Name(), snapst.Current))
+	linkSnap := st.NewTask("link-snap", fmt.Sprintf(i18n.G("Make snap %q (%s) available to the system"), snapsup.InstanceName(), snapst.Current))
 	linkSnap.Set("snap-setup-task", prepareSnap.ID())
 	linkSnap.WaitFor(setupProfiles)
 
 	// setup aliases
-	setupAliases := st.NewTask("setup-aliases", fmt.Sprintf(i18n.G("Setup snap %q aliases"), snapsup.Name()))
+	setupAliases := st.NewTask("setup-aliases", fmt.Sprintf(i18n.G("Setup snap %q aliases"), snapsup.InstanceName()))
 	setupAliases.Set("snap-setup-task", prepareSnap.ID())
 	setupAliases.WaitFor(linkSnap)
 
-	startSnapServices := st.NewTask("start-snap-services", fmt.Sprintf(i18n.G("Start snap %q (%s) services"), snapsup.Name(), snapst.Current))
+	startSnapServices := st.NewTask("start-snap-services", fmt.Sprintf(i18n.G("Start snap %q (%s) services"), snapsup.InstanceName(), snapst.Current))
 	startSnapServices.Set("snap-setup-task", prepareSnap.ID())
 	startSnapServices.WaitFor(setupAliases)
 
@@ -1172,30 +1345,33 @@
 		return nil, fmt.Errorf("snap %q cannot be disabled", name)
 	}
 
-	if err := CheckChangeConflict(st, name, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, name, nil); err != nil {
 		return nil, err
 	}
 
 	snapsup := &SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: name,
+			RealName: snap.InstanceSnap(name),
 			Revision: snapst.Current,
 		},
+		Type:        info.Type,
+		PlugsOnly:   len(info.Slots) == 0,
+		InstanceKey: snapst.InstanceKey,
 	}
 
-	stopSnapServices := st.NewTask("stop-snap-services", fmt.Sprintf(i18n.G("Stop snap %q (%s) services"), snapsup.Name(), snapst.Current))
+	stopSnapServices := st.NewTask("stop-snap-services", fmt.Sprintf(i18n.G("Stop snap %q (%s) services"), snapsup.InstanceName(), snapst.Current))
 	stopSnapServices.Set("snap-setup", &snapsup)
 	stopSnapServices.Set("stop-reason", snap.StopReasonDisable)
 
-	removeAliases := st.NewTask("remove-aliases", fmt.Sprintf(i18n.G("Remove aliases for snap %q"), snapsup.Name()))
+	removeAliases := st.NewTask("remove-aliases", fmt.Sprintf(i18n.G("Remove aliases for snap %q"), snapsup.InstanceName()))
 	removeAliases.Set("snap-setup-task", stopSnapServices.ID())
 	removeAliases.WaitFor(stopSnapServices)
 
-	unlinkSnap := st.NewTask("unlink-snap", fmt.Sprintf(i18n.G("Make snap %q (%s) unavailable to the system"), snapsup.Name(), snapst.Current))
+	unlinkSnap := st.NewTask("unlink-snap", fmt.Sprintf(i18n.G("Make snap %q (%s) unavailable to the system"), snapsup.InstanceName(), snapst.Current))
 	unlinkSnap.Set("snap-setup-task", stopSnapServices.ID())
 	unlinkSnap.WaitFor(removeAliases)
 
-	removeProfiles := st.NewTask("remove-profiles", fmt.Sprintf(i18n.G("Remove security profiles of snap %q"), snapsup.Name()))
+	removeProfiles := st.NewTask("remove-profiles", fmt.Sprintf(i18n.G("Remove security profiles of snap %q"), snapsup.InstanceName()))
 	removeProfiles.Set("snap-setup-task", stopSnapServices.ID())
 	removeProfiles.WaitFor(unlinkSnap)
 
@@ -1213,8 +1389,54 @@
 	return true
 }
 
+// baseInUse returns true if the given base is needed by another snap
+func baseInUse(st *state.State, base *snap.Info) bool {
+	snapStates, err := All(st)
+	if err != nil {
+		return false
+	}
+	for name, snapst := range snapStates {
+		for _, si := range snapst.Sequence {
+			if snapInfo, err := snap.ReadInfo(name, si); err == nil {
+				if snapInfo.Type != snap.TypeApp {
+					continue
+				}
+				if snapInfo.Base == base.SnapName() {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+// coreInUse returns true if any snap uses "core" (i.e. does not
+// declare a base
+func coreInUse(st *state.State) bool {
+	snapStates, err := All(st)
+	if err != nil {
+		return false
+	}
+	for name, snapst := range snapStates {
+		for _, si := range snapst.Sequence {
+			if snapInfo, err := snap.ReadInfo(name, si); err == nil {
+				if snapInfo.Type != snap.TypeApp || snapInfo.SnapName() == "snapd" {
+					continue
+				}
+				if snapInfo.Base == "" {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
 // canRemove verifies that a snap can be removed.
-func canRemove(si *snap.Info, snapst *SnapState, removeAll bool) bool {
+//
+// TODO: canRemove should also return the reason why the snap cannot
+//       be removed to the user
+func canRemove(st *state.State, si *snap.Info, snapst *SnapState, removeAll bool) bool {
 	// removing single revisions is generally allowed
 	if !removeAll {
 		return true
@@ -1244,10 +1466,27 @@
 	//
 	// Once the ubuntu-core -> core transition has landed for some
 	// time we can remove the two lines below.
-	if si.Name() == "ubuntu-core" && si.Type == snap.TypeOS {
+	if si.InstanceName() == "ubuntu-core" && si.Type == snap.TypeOS {
 		return true
 	}
 
+	// do not allow removal of bases that are in use
+	if si.Type == snap.TypeBase && baseInUse(st, si) {
+		return false
+	}
+
+	// Allow snap.TypeOS removals if a different base is in use
+	//
+	// Note that removal of the boot base itself is prevented
+	// via the snapst.Required flag that is set on firstboot.
+	if si.Type == snap.TypeOS {
+		if model, err := Model(st); err == nil {
+			if model.Base() != "" && !coreInUse(st) {
+				return true
+			}
+		}
+	}
+
 	// You never want to remove a kernel or OS. Do not remove their
 	// last revision left.
 	if si.Type == snap.TypeKernel || si.Type == snap.TypeOS {
@@ -1257,7 +1496,7 @@
 	// TODO: on classic likely let remove core even if active if it's only snap left.
 
 	// never remove anything that is used for booting
-	if boot.InUse(si.Name(), si.Revision) {
+	if boot.InUse(si.InstanceName(), si.Revision) {
 		return false
 	}
 
@@ -1277,7 +1516,7 @@
 		return nil, &snap.NotInstalledError{Snap: name, Rev: snap.R(0)}
 	}
 
-	if err := CheckChangeConflict(st, name, nil, nil); err != nil {
+	if err := CheckChangeConflict(st, name, nil); err != nil {
 		return nil, err
 	}
 
@@ -1311,16 +1550,19 @@
 	}
 
 	// check if this is something that can be removed
-	if !canRemove(info, &snapst, removeAll) {
+	if !canRemove(st, info, &snapst, removeAll) {
 		return nil, fmt.Errorf("snap %q is not removable", name)
 	}
 
 	// main/current SnapSetup
 	snapsup := SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: name,
+			RealName: snap.InstanceSnap(name),
 			Revision: revision,
 		},
+		Type:        info.Type,
+		PlugsOnly:   len(info.Slots) == 0,
+		InstanceKey: snapst.InstanceKey,
 	}
 
 	// trigger remove
@@ -1336,26 +1578,36 @@
 		chain = ts
 	}
 
-	var removeHook *state.Task
-	// only run remove hook if uninstalling the snap completely
-	if removeAll {
-		removeHook = SetupRemoveHook(st, snapsup.Name())
-	}
-
-	if active { // unlink
-		var prev *state.Task
-
-		stopSnapServices := st.NewTask("stop-snap-services", fmt.Sprintf(i18n.G("Stop snap %q services"), name))
+	var prev *state.Task
+	var stopSnapServices *state.Task
+	if active {
+		stopSnapServices = st.NewTask("stop-snap-services", fmt.Sprintf(i18n.G("Stop snap %q services"), name))
 		stopSnapServices.Set("snap-setup", snapsup)
 		stopSnapServices.Set("stop-reason", snap.StopReasonRemove)
+		addNext(state.NewTaskSet(stopSnapServices))
 		prev = stopSnapServices
+	}
 
-		tasks := []*state.Task{stopSnapServices}
-		if removeHook != nil {
-			tasks = append(tasks, removeHook)
-			removeHook.WaitFor(prev)
-			prev = removeHook
+	// only run remove hook if uninstalling the snap completely
+	if removeAll {
+		removeHook := SetupRemoveHook(st, snapsup.InstanceName())
+		addNext(state.NewTaskSet(removeHook))
+		prev = removeHook
+	}
+
+	if removeAll {
+		// run disconnect hooks
+		disconnect := st.NewTask("auto-disconnect", fmt.Sprintf(i18n.G("Disconnect interfaces of snap %q"), snapsup.InstanceName()))
+		disconnect.Set("snap-setup", snapsup)
+		if prev != nil {
+			disconnect.WaitFor(prev)
 		}
+		addNext(state.NewTaskSet(disconnect))
+		prev = disconnect
+	}
+
+	if active { // unlink
+		var tasks []*state.Task
 
 		removeAliases := st.NewTask("remove-aliases", fmt.Sprintf(i18n.G("Remove aliases for snap %q"), name))
 		removeAliases.WaitFor(prev)
@@ -1371,8 +1623,6 @@
 
 		tasks = append(tasks, removeAliases, unlink, removeSecurity)
 		addNext(state.NewTaskSet(tasks...))
-	} else if removeHook != nil {
-		addNext(state.NewTaskSet(removeHook))
 	}
 
 	if removeAll {
@@ -1381,14 +1631,6 @@
 			si := seq[i]
 			addNext(removeInactiveRevision(st, name, si.Revision))
 		}
-
-		discardConns := st.NewTask("discard-conns", fmt.Sprintf(i18n.G("Discard interface connections for snap %q (%s)"), name, revision))
-		discardConns.Set("snap-setup", &SnapSetup{
-			SideInfo: &snap.SideInfo{
-				RealName: name,
-			},
-		})
-		addNext(state.NewTaskSet(discardConns))
 	} else {
 		addNext(removeInactiveRevision(st, name, revision))
 	}
@@ -1397,11 +1639,13 @@
 }
 
 func removeInactiveRevision(st *state.State, name string, revision snap.Revision) *state.TaskSet {
+	snapName, instanceKey := snap.SplitInstanceName(name)
 	snapsup := SnapSetup{
 		SideInfo: &snap.SideInfo{
-			RealName: name,
+			RealName: snapName,
 			Revision: revision,
 		},
+		InstanceKey: instanceKey,
 	}
 
 	clearData := st.NewTask("clear-snap", fmt.Sprintf(i18n.G("Remove data for snap %q (%s)"), name, revision))
@@ -1429,6 +1673,7 @@
 			return nil, nil, err
 		}
 		removed = append(removed, name)
+		ts.JoinLane(st.NewLane())
 		tasksets = append(tasksets, ts)
 	}
 
@@ -1470,10 +1715,6 @@
 	if i < 0 {
 		return nil, fmt.Errorf("cannot find revision %s for snap %q", rev, name)
 	}
-	typ, err := snapst.Type()
-	if err != nil {
-		return nil, err
-	}
 	flags.Revert = true
 	// TODO: make flags be per revision to avoid this logic (that
 	//       leaves corner cases all over the place)
@@ -1488,11 +1729,20 @@
 			flags.Classic = true
 		}
 	}
+
+	info, err := Info(st, name, rev)
+	if err != nil {
+		return nil, err
+	}
+
 	snapsup := &SnapSetup{
-		SideInfo: snapst.Sequence[i],
-		Flags:    flags.ForSnapSetup(),
+		SideInfo:    snapst.Sequence[i],
+		Flags:       flags.ForSnapSetup(),
+		Type:        info.Type,
+		PlugsOnly:   len(info.Slots) == 0,
+		InstanceKey: snapst.InstanceKey,
 	}
-	return doInstall(st, &snapst, snapsup, needsMaybeCore(typ))
+	return doInstall(st, &snapst, snapsup, 0)
 }
 
 // TransitionCore transitions from an old core snap name to a new core
@@ -1514,12 +1764,6 @@
 		return nil, fmt.Errorf("cannot transition snap %q: not installed", oldName)
 	}
 
-	var userID int
-	newInfo, err := snapInfo(st, newName, oldSnapst.Channel, snap.R(0), userID)
-	if err != nil {
-		return nil, err
-	}
-
 	var all []*state.TaskSet
 	// install new core (if not already installed)
 	err = Get(st, newName, &newSnapst)
@@ -1527,12 +1771,19 @@
 		return nil, err
 	}
 	if !newSnapst.IsInstalled() {
+		var userID int
+		newInfo, err := installInfo(st, newName, oldSnapst.Channel, snap.R(0), userID)
+		if err != nil {
+			return nil, err
+		}
+
 		// start by instaling the new snap
 		tsInst, err := doInstall(st, &newSnapst, &SnapSetup{
 			Channel:      oldSnapst.Channel,
 			DownloadInfo: &newInfo.DownloadInfo,
 			SideInfo:     &newInfo.SideInfo,
-		}, maybeCore)
+			Type:         newInfo.Type,
+		}, 0)
 		if err != nil {
 			return nil, err
 		}
@@ -1595,7 +1846,7 @@
 
 	for i := len(snapst.Sequence) - 1; i >= 0; i-- {
 		if si := snapst.Sequence[i]; si.Revision == revision {
-			return readInfo(name, si)
+			return readInfo(name, si, 0)
 		}
 	}
 
@@ -1618,6 +1869,17 @@
 
 // Get retrieves the SnapState of the given snap.
 func Get(st *state.State, name string, snapst *SnapState) error {
+	if snapst == nil {
+		return fmt.Errorf("internal error: snapst is nil")
+	}
+	// SnapState is (un-)marshalled from/to JSON, fields having omitempty
+	// tag will not appear in the output (if empty) and subsequently will
+	// not be unmarshalled to (or cleared); if the caller reuses the same
+	// struct though subsequent calls, it is possible that they end up with
+	// garbage inside, clear the destination struct so that we always
+	// unmarshal to a clean state
+	*snapst = SnapState{}
+
 	var snaps map[string]*json.RawMessage
 	err := st.Get("snaps", &snaps)
 	if err != nil {
@@ -1643,8 +1905,8 @@
 		return nil, err
 	}
 	curStates := make(map[string]*SnapState, len(stateMap))
-	for snapName, snapst := range stateMap {
-		curStates[snapName] = snapst
+	for instanceName, snapst := range stateMap {
+		curStates[instanceName] = snapst
 	}
 	return curStates, nil
 }
@@ -1688,13 +1950,13 @@
 	if err := st.Get("snaps", &stateMap); err != nil && err != state.ErrNoState {
 		return nil, err
 	}
-	for snapName, snapst := range stateMap {
+	for instanceName, snapst := range stateMap {
 		if !snapst.Active {
 			continue
 		}
 		snapInfo, err := snapst.CurrentInfo()
 		if err != nil {
-			logger.Noticef("cannot retrieve info for snap %q: %s", snapName, err)
+			logger.Noticef("cannot retrieve info for snap %q: %s", instanceName, err)
 			continue
 		}
 		infos = append(infos, snapInfo)
@@ -1774,19 +2036,21 @@
 	// some systems have two cores: ubuntu-core/core
 	// we always return "core" in this case
 	if len(res) == 2 {
-		if res[0].Name() == defaultCoreSnapName && res[1].Name() == "ubuntu-core" {
+		if res[0].InstanceName() == defaultCoreSnapName && res[1].InstanceName() == "ubuntu-core" {
 			return res[0], nil
 		}
-		if res[0].Name() == "ubuntu-core" && res[1].Name() == defaultCoreSnapName {
+		if res[0].InstanceName() == "ubuntu-core" && res[1].InstanceName() == defaultCoreSnapName {
 			return res[1], nil
 		}
-		return nil, fmt.Errorf("unexpected cores %q and %q", res[0].Name(), res[1].Name())
+		return nil, fmt.Errorf("unexpected cores %q and %q", res[0].InstanceName(), res[1].InstanceName())
 	}
 
 	return nil, fmt.Errorf("unexpected number of cores, got %d", len(res))
 }
 
-// ConfigDefaults returns the configuration defaults for the snap specified in the gadget. If gadget is absent or the snap has no snap-id it returns ErrNoState.
+// ConfigDefaults returns the configuration defaults for the snap specified in
+// the gadget. If gadget is absent or the snap has no snap-id it returns
+// ErrNoState.
 func ConfigDefaults(st *state.State, snapName string) (map[string]interface{}, error) {
 	gadget, err := GadgetInfo(st)
 	if err != nil {
@@ -1798,8 +2062,17 @@
 		return nil, err
 	}
 
+	core, err := CoreInfo(st)
+	if err != nil {
+		return nil, err
+	}
+	isCoreDefaults := core.InstanceName() == snapName
+
 	si := snapst.CurrentSideInfo()
-	if si.SnapID == "" {
+	// core snaps can be addressed even without a snap-id via the special
+	// "system" value in the config; first-boot always configures the core
+	// snap with UseConfigDefaults
+	if si.SnapID == "" && !isCoreDefaults {
 		return nil, state.ErrNoState
 	}
 
@@ -1808,6 +2081,17 @@
 		return nil, err
 	}
 
+	// we support setting core defaults via "system"
+	if isCoreDefaults {
+		if defaults, ok := gadgetInfo.Defaults["system"]; ok {
+			if _, ok := gadgetInfo.Defaults[si.SnapID]; ok && si.SnapID != "" {
+				logger.Noticef("core snap configuration defaults found under both 'system' key and core-snap-id, preferring 'system'")
+			}
+
+			return defaults, nil
+		}
+	}
+
 	defaults, ok := gadgetInfo.Defaults[si.SnapID]
 	if !ok {
 		return nil, state.ErrNoState
@@ -1815,3 +2099,52 @@
 
 	return defaults, nil
 }
+
+// GadgetConnections returns the interface connection instructions
+// specified in the gadget. If gadget is absent it returns ErrNoState.
+func GadgetConnections(st *state.State) ([]snap.GadgetConnection, error) {
+	gadget, err := GadgetInfo(st)
+	if err != nil {
+		return nil, err
+	}
+
+	gadgetInfo, err := snap.ReadGadgetInfo(gadget, release.OnClassic)
+	if err != nil {
+		return nil, err
+	}
+
+	return gadgetInfo.Connections, nil
+}
+
+// hook setup by devicestate
+var (
+	Model func(st *state.State) (*asserts.Model, error)
+)
+
+// ModelPastSeeding returns the device model assertion if available and
+// the device is seeded, at that point the device store is known
+// and seeding done. Otherwise it returns a ChangeConflictError
+// about being too early.
+func ModelPastSeeding(st *state.State) (*asserts.Model, error) {
+	var seeded bool
+	err := st.Get("seeded", &seeded)
+	if err != nil && err != state.ErrNoState {
+		return nil, err
+	}
+	modelAs, err := Model(st)
+	if err != nil && err != state.ErrNoState {
+		return nil, err
+	}
+	// when seeded modelAs should not be nil except in the rare
+	// case of upgrades from a snapd before the introduction of
+	// the fallback generic/generic-classic model
+	if !seeded || modelAs == nil {
+		return nil, &ChangeConflictError{
+			Message: "too early for operation, device not yet" +
+				" seeded or device model not acknowledged",
+			ChangeKind: "seed",
+		}
+	}
+
+	return modelAs, nil
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/snapstate_test.go snapd-2.37~rc1~14.04/overlord/snapstate/snapstate_test.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/snapstate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/snapstate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -20,6 +20,7 @@
 package snapstate_test
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -27,13 +28,16 @@
 	"os"
 	"path/filepath"
 	"sort"
+	"strings"
 	"testing"
 	"time"
 
 	"golang.org/x/net/context"
 
 	. "gopkg.in/check.v1"
+	"gopkg.in/tomb.v2"
 
+	"github.com/snapcore/snapd/asserts"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/logger"
@@ -62,6 +66,7 @@
 	testutil.BaseTest
 	o       *overlord.Overlord
 	state   *state.State
+	se      *overlord.StateEngine
 	snapmgr *snapstate.SnapManager
 
 	fakeBackend *fakeSnappyBackend
@@ -69,6 +74,7 @@
 
 	user  *auth.UserState
 	user2 *auth.UserState
+	user3 *auth.UserState
 }
 
 func (s *snapmgrTestSuite) settle(c *C) {
@@ -78,6 +84,8 @@
 
 var _ = Suite(&snapmgrTestSuite{})
 
+var fakeRevDateEpoch = time.Date(2018, 1, 0, 0, 0, 0, 0, time.UTC)
+
 func (s *snapmgrTestSuite) SetUpTest(c *C) {
 	s.BaseTest.SetUpTest(c)
 	dirs.SetRootDir(c.MkDir())
@@ -106,16 +114,27 @@
 	snapstate.SetupRemoveHook = hookstate.SetupRemoveHook
 
 	var err error
-	s.snapmgr, err = snapstate.Manager(s.state)
+	s.snapmgr, err = snapstate.Manager(s.state, s.o.TaskRunner())
 	c.Assert(err, IsNil)
-	s.snapmgr.AddForeignTaskHandlers(s.fakeBackend)
+
+	AddForeignTaskHandlers(s.o.TaskRunner(), s.fakeBackend)
 
 	snapstate.SetSnapManagerBackend(s.snapmgr, s.fakeBackend)
 
 	s.o.AddManager(s.snapmgr)
+	s.o.AddManager(s.o.TaskRunner())
+	s.se = s.o.StateEngine()
 
-	s.BaseTest.AddCleanup(snapstate.MockReadInfo(s.fakeBackend.ReadInfo))
+	s.BaseTest.AddCleanup(snapstate.MockSnapReadInfo(s.fakeBackend.ReadInfo))
 	s.BaseTest.AddCleanup(snapstate.MockOpenSnapFile(s.fakeBackend.OpenSnapFile))
+	revDate := func(info *snap.Info) time.Time {
+		if info.Revision.Local() {
+			panic("no local revision should reach revisionDate")
+		}
+		// for convenience a date derived from the revision
+		return fakeRevDateEpoch.AddDate(0, 0, info.Revision.N)
+	}
+	s.BaseTest.AddCleanup(snapstate.MockRevisionDate(revDate))
 
 	s.BaseTest.AddCleanup(func() {
 		snapstate.SetupInstallHook = oldSetupInstallHook
@@ -132,8 +151,15 @@
 	c.Assert(err, IsNil)
 	s.user2, err = auth.NewUser(s.state, "username2", "email2@test.com", "macaroon2", []string{"discharge2"})
 	c.Assert(err, IsNil)
+	// 3 has no store auth
+	s.user3, err = auth.NewUser(s.state, "username3", "email2@test.com", "", nil)
+	c.Assert(err, IsNil)
 
+	s.state.Set("seeded", true)
 	s.state.Set("seed-time", time.Now())
+	snapstate.SetDefaultModel()
+
+	s.state.Set("refresh-privacy-key", "privacy-key")
 	snapstate.Set(s.state, "core", &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
@@ -154,48 +180,86 @@
 	snapstate.ValidateRefreshes = nil
 	snapstate.AutoAliases = nil
 	snapstate.CanAutoRefresh = nil
+	snapstate.Model = nil
 }
 
-func (s *snapmgrTestSuite) TestKnownTaskKinds(c *C) {
-	kinds := s.snapmgr.KnownTaskKinds()
-	sort.Strings(kinds)
-	c.Assert(kinds, DeepEquals, []string{
-		"alias",
-		"auto-connect",
-		"cleanup",
-		"clear-aliases",
-		"clear-snap",
-		"configure-snapd",
-		"copy-snap-data",
-		"disable-aliases",
-		"discard-conns",
-		"discard-snap",
-		"download-snap",
-		"error-trigger",
-		"link-snap",
-		"mount-snap",
-		"nop",
-		"prefer-aliases",
-		"prepare-snap",
-		"prerequisites",
-		"prune-auto-aliases",
-		"refresh-aliases",
-		"remove-aliases",
-		"remove-profiles",
-		"run-hook",
-		"set-auto-aliases",
-		"setup-aliases",
-		"setup-profiles",
-		"start-snap-services",
-		"stop-snap-services",
-		"switch-snap",
-		"switch-snap-channel",
-		"toggle-snap-flags",
-		"transition-ubuntu-core",
-		"unalias",
-		"unlink-current-snap",
-		"unlink-snap",
-		"validate-snap"})
+type ForeignTaskTracker interface {
+	ForeignTask(kind string, status state.Status, snapsup *snapstate.SnapSetup)
+}
+
+func AddForeignTaskHandlers(runner *state.TaskRunner, tracker ForeignTaskTracker) {
+	// Add fake handlers for tasks handled by interfaces manager
+	fakeHandler := func(task *state.Task, _ *tomb.Tomb) error {
+		task.State().Lock()
+		kind := task.Kind()
+		status := task.Status()
+		snapsup, err := snapstate.TaskSnapSetup(task)
+		task.State().Unlock()
+		if err != nil {
+			return err
+		}
+
+		tracker.ForeignTask(kind, status, snapsup)
+
+		return nil
+	}
+	runner.AddHandler("setup-profiles", fakeHandler, fakeHandler)
+	runner.AddHandler("auto-connect", fakeHandler, nil)
+	runner.AddHandler("auto-disconnect", fakeHandler, nil)
+	runner.AddHandler("remove-profiles", fakeHandler, fakeHandler)
+	runner.AddHandler("discard-conns", fakeHandler, fakeHandler)
+	runner.AddHandler("validate-snap", fakeHandler, nil)
+	runner.AddHandler("transition-ubuntu-core", fakeHandler, nil)
+
+	// Add handler to test full aborting of changes
+	erroringHandler := func(task *state.Task, _ *tomb.Tomb) error {
+		return errors.New("error out")
+	}
+	runner.AddHandler("error-trigger", erroringHandler, nil)
+
+	runner.AddHandler("run-hook", func(task *state.Task, _ *tomb.Tomb) error {
+		return nil
+	}, nil)
+	runner.AddHandler("configure-snapd", func(t *state.Task, _ *tomb.Tomb) error {
+		return nil
+	}, nil)
+
+}
+
+func (s *snapmgrTestSuite) TestCleanSnapStateGet(c *C) {
+	snapst := snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "foo", Revision: snap.R(1)},
+		},
+		Current:     snap.R(1),
+		SnapType:    "os",
+		Channel:     "foo",
+		InstanceKey: "bar",
+	}
+
+	s.state.Lock()
+
+	defer s.state.Unlock()
+	snapstate.Set(s.state, "no-instance-key", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	err := snapstate.Get(s.state, "bar", nil)
+	c.Assert(err, ErrorMatches, "internal error: snapst is nil")
+
+	err = snapstate.Get(s.state, "no-instance-key", &snapst)
+	c.Assert(err, IsNil)
+	c.Assert(snapst, DeepEquals, snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
 }
 
 func (s *snapmgrTestSuite) TestStore(c *C) {
@@ -285,11 +349,6 @@
 		"setup-profiles",
 		"link-snap",
 	)
-	if opts&maybeCore != 0 {
-		expected = append(expected,
-			"setup-profiles",
-		)
-	}
 	expected = append(expected,
 		"auto-connect",
 		"set-auto-aliases",
@@ -373,16 +432,29 @@
 	c.Assert(taskKinds(ts.Tasks()), DeepEquals, []string{
 		"stop-snap-services",
 		"run-hook[remove]",
+		"auto-disconnect",
 		"remove-aliases",
 		"unlink-snap",
 		"remove-profiles",
 		"clear-snap",
 		"discard-snap",
-		"discard-conns",
 	})
 	verifyStopReason(c, ts, "remove")
 }
 
+func checkIsAutoRefresh(c *C, tasks []*state.Task, expected bool) {
+	for _, t := range tasks {
+		if t.Kind() == "download-snap" {
+			var snapsup snapstate.SnapSetup
+			err := t.Get("snap-setup", &snapsup)
+			c.Assert(err, IsNil)
+			c.Check(snapsup.IsAutoRefresh, Equals, expected)
+			return
+		}
+	}
+	c.Fatalf("cannot find download-snap task in %v", tasks)
+}
+
 func (s *snapmgrTestSuite) TestLastIndexFindsLast(c *C) {
 	snapst := &snapstate.SnapState{Sequence: []*snap.SideInfo{
 		{Revision: snap.R(7)},
@@ -409,11 +481,25 @@
 	c.Assert(err, IsNil)
 }
 
-func (s *snapmgrTestSuite) TestInstallClassicConfinementFiltering(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
+func maybeMockClassicSupport(c *C) (restore func()) {
+	if dirs.SupportsClassicConfinement() {
+		return func() {}
 	}
 
+	d := filepath.Join(dirs.GlobalRootDir, "/var/lib/snapd/snap")
+	err := os.MkdirAll(d, 0755)
+	c.Assert(err, IsNil)
+	snapSymlink := filepath.Join(dirs.GlobalRootDir, "snap")
+	err = os.Symlink(d, snapSymlink)
+	c.Assert(err, IsNil)
+
+	return func() { os.Remove(snapSymlink) }
+}
+
+func (s *snapmgrTestSuite) TestInstallClassicConfinementFiltering(c *C) {
+	restore := maybeMockClassicSupport(c)
+	defer restore()
+
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -425,9 +511,10 @@
 	_, err = snapstate.Install(s.state, "some-snap", "channel-for-classic", snap.R(0), s.user.ID, snapstate.Flags{Classic: true})
 	c.Assert(err, IsNil)
 
-	// if a snap is *not* classic, you can still install it with --classic
+	// if a snap is *not* classic, you cannot install it with --classic
 	_, err = snapstate.Install(s.state, "some-snap", "channel-for-strict", snap.R(0), s.user.ID, snapstate.Flags{Classic: true})
-	c.Assert(err, IsNil)
+	c.Assert(err, ErrorMatches, `snap "some-snap" is not a classic confined snap`)
+	c.Check(err, FitsTypeOf, &snapstate.SnapNotClassicError{})
 }
 
 func (s *snapmgrTestSuite) TestInstallFailsWhenClassicSnapsAreNotSupported(c *C) {
@@ -471,8 +558,10 @@
 	})
 
 	mockSnap := makeTestSnap(c, `name: some-snap
-version: 1.0`)
-	ts, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(8)}, mockSnap, "", snapstate.Flags{})
+version: 1.0
+epoch: 1*
+`)
+	ts, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(8)}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, IsNil)
 
 	runHooks := tasksWithKind(ts, "run-hook")
@@ -483,28 +572,6 @@
 	c.Assert(runHooks[2].Summary(), Equals, `Run configure hook of "some-snap" snap if present`)
 }
 
-func (s *snapmgrTestSuite) TestCoreInstallTasks(c *C) {
-	s.state.Lock()
-	defer s.state.Unlock()
-
-	ts, err := snapstate.Install(s.state, "some-core", "some-channel", snap.R(0), 0, snapstate.Flags{})
-	c.Assert(err, IsNil)
-
-	verifyInstallTasks(c, maybeCore, 0, ts, s.state)
-	c.Assert(s.state.TaskCount(), Equals, len(ts.Tasks()))
-	var phase2 *state.Task
-	for _, t := range ts.Tasks() {
-		if t.Kind() == "setup-profiles" {
-			phase2 = t
-		}
-	}
-	c.Assert(phase2, NotNil)
-	var flag bool
-	err = phase2.Get("core-phase-2", &flag)
-	c.Assert(err, IsNil)
-	c.Check(flag, Equals, true)
-}
-
 type fullFlags struct{ before, change, after, setup snapstate.Flags }
 
 func (s *snapmgrTestSuite) testRevertTasksFullFlags(flags fullFlags, c *C) {
@@ -548,12 +615,13 @@
 	c.Assert(err, IsNil)
 	flags.setup.Revert = true
 	c.Check(snapsup.Flags, Equals, flags.setup)
+	c.Check(snapsup.Type, Equals, snap.TypeApp)
 
 	chg := s.state.NewChange("revert", "revert snap")
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -592,9 +660,8 @@
 }
 
 func (s *snapmgrTestSuite) TestRevertTasksFromClassic(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 
 	// the snap is installed in classic, but the request to revert does not specify classic
 	s.testRevertTasksFullFlags(fullFlags{
@@ -614,9 +681,9 @@
 }
 
 func (s *snapmgrTestSuite) TestRevertTasksClassic(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
+
 	s.testRevertTasks(snapstate.Flags{Classic: true}, c)
 }
 
@@ -657,6 +724,13 @@
 	c.Assert(err, ErrorMatches, `cannot update disabled snap "some-snap"`)
 }
 
+func (s snapmgrTestSuite) TestInstallFailsOnSystem(c *C) {
+	snapsup := &snapstate.SnapSetup{SideInfo: &snap.SideInfo{RealName: "system", SnapID: "some-snap-id", Revision: snap.R(1)}}
+	_, err := snapstate.DoInstall(s.state, nil, snapsup, 0)
+	c.Assert(err, NotNil)
+	c.Assert(err, ErrorMatches, `cannot install reserved snap name 'system'`)
+}
+
 func (s *snapmgrTestSuite) TestUpdateCreatesDiscardAfterCurrentTasks(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -680,6 +754,24 @@
 	c.Assert(s.state.TaskCount(), Equals, len(ts.Tasks()))
 }
 
+func (s *snapmgrTestSuite) TestUpdateManyTooEarly(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.state.Set("seeded", nil)
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(7)}},
+		Current:  snap.R(7),
+		SnapType: "app",
+	})
+
+	_, _, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
+	c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
+	c.Assert(err, ErrorMatches, `too early for operation, device not yet seeded or device model not acknowledged`)
+}
+
 func (s *snapmgrTestSuite) TestUpdateMany(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -696,7 +788,7 @@
 		SnapType: "app",
 	})
 
-	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0)
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
 	c.Assert(err, IsNil)
 	c.Assert(tts, HasLen, 1)
 	c.Check(updates, DeepEquals, []string{"some-snap"})
@@ -709,6 +801,69 @@
 		c.Assert(t.Lanes(), DeepEquals, []int{1})
 	}
 	c.Assert(s.state.TaskCount(), Equals, len(ts.Tasks()))
+
+	checkIsAutoRefresh(c, ts.Tasks(), false)
+}
+
+func (s *snapmgrTestSuite) TestParallelInstanceUpdateMany(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(2)},
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(3)},
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(4)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(2)},
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(3)},
+		},
+		Current:     snap.R(3),
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
+
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
+	c.Assert(err, IsNil)
+	c.Assert(tts, HasLen, 2)
+	// ensure stable ordering of updates list
+	if updates[0] != "some-snap" {
+		updates[1], updates[0] = updates[0], updates[1]
+	}
+
+	c.Check(updates, DeepEquals, []string{"some-snap", "some-snap_instance"})
+
+	var snapsup, snapsupInstance *snapstate.SnapSetup
+
+	// ensure stable ordering of task sets list
+	snapsup, err = snapstate.TaskSnapSetup(tts[0].Tasks()[0])
+	c.Assert(err, IsNil)
+	if snapsup.InstanceName() != "some-snap" {
+		tts[0], tts[1] = tts[1], tts[0]
+		snapsup, err = snapstate.TaskSnapSetup(tts[0].Tasks()[0])
+		c.Assert(err, IsNil)
+	}
+	snapsupInstance, err = snapstate.TaskSnapSetup(tts[1].Tasks()[0])
+	c.Assert(err, IsNil)
+
+	c.Assert(snapsup.InstanceName(), Equals, "some-snap")
+	c.Assert(snapsupInstance.InstanceName(), Equals, "some-snap_instance")
+
+	verifyUpdateTasks(c, unlinkBefore|cleanupAfter, 3, tts[0], s.state)
+	verifyUpdateTasks(c, unlinkBefore|cleanupAfter, 1, tts[1], s.state)
 }
 
 func (s *snapmgrTestSuite) TestUpdateManyDevModeConfinementFiltering(c *C) {
@@ -724,15 +879,14 @@
 	})
 
 	// updated snap is devmode, updatemany doesn't update it
-	_, tts, _ := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID)
+	_, tts, _ := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID, nil)
 	// FIXME: UpdateMany will not error out in this case (daemon catches this case, with a weird error)
 	c.Assert(tts, HasLen, 0)
 }
 
 func (s *snapmgrTestSuite) TestUpdateManyClassicConfinementFiltering(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -746,15 +900,14 @@
 	})
 
 	// if a snap installed without --classic gets a classic update it isn't installed
-	_, tts, _ := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID)
+	_, tts, _ := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID, nil)
 	// FIXME: UpdateMany will not error out in this case (daemon catches this case, with a weird error)
 	c.Assert(tts, HasLen, 0)
 }
 
 func (s *snapmgrTestSuite) TestUpdateManyClassic(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -769,7 +922,7 @@
 	})
 
 	// snap installed with classic: refresh gets classic
-	_, tts, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID)
+	_, tts, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID, nil)
 	c.Assert(err, IsNil)
 	c.Assert(tts, HasLen, 1)
 }
@@ -788,7 +941,7 @@
 		SnapType: "app",
 	})
 
-	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, 0)
+	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, 0, nil)
 	c.Assert(err, IsNil)
 	c.Check(updates, HasLen, 1)
 }
@@ -807,11 +960,160 @@
 		SnapType: "app",
 	})
 
-	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0)
+	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
 	c.Assert(err, IsNil)
 	c.Check(updates, HasLen, 0)
 }
 
+func (s *snapmgrTestSuite) TestUpdateManyWaitForBasesUC16(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", SnapID: "core-snap-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+
+	snapstate.Set(s.state, "some-base", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-base", SnapID: "some-base-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "base",
+	})
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+		Channel:  "channel-for-base",
+	})
+
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap", "core", "some-base"}, 0, nil)
+	c.Assert(err, IsNil)
+	c.Assert(tts, HasLen, 3)
+	c.Check(updates, HasLen, 3)
+
+	// to make TaskSnapSetup work
+	chg := s.state.NewChange("refresh", "...")
+	for _, ts := range tts {
+		chg.AddAll(ts)
+	}
+
+	prereqTotal := len(tts[0].Tasks()) + len(tts[1].Tasks())
+	prereqs := map[string]bool{}
+	for i, task := range tts[2].Tasks() {
+		waitTasks := task.WaitTasks()
+		if i == 0 {
+			c.Check(len(waitTasks), Equals, prereqTotal)
+		} else if task.Kind() == "link-snap" {
+			c.Check(len(waitTasks), Equals, prereqTotal+1)
+			for _, pre := range waitTasks {
+				if pre.Kind() == "link-snap" {
+					snapsup, err := snapstate.TaskSnapSetup(pre)
+					c.Assert(err, IsNil)
+					prereqs[snapsup.InstanceName()] = true
+				}
+			}
+		}
+	}
+
+	c.Check(prereqs, DeepEquals, map[string]bool{
+		"core":      true,
+		"some-base": true,
+	})
+}
+
+func (s *snapmgrTestSuite) TestUpdateManyWaitForBasesUC18(c *C) {
+	snapstate.SetModelWithBase("core18")
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "core18", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core18", SnapID: "core18-snap-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "base",
+	})
+
+	snapstate.Set(s.state, "some-base", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-base", SnapID: "some-base-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "base",
+	})
+
+	snapstate.Set(s.state, "snapd", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "snapd", SnapID: "snapd-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+		Channel:  "channel-for-base",
+	})
+
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap", "core18", "some-base", "snapd"}, 0, nil)
+	c.Assert(err, IsNil)
+	c.Assert(tts, HasLen, 4)
+	c.Check(updates, HasLen, 4)
+
+	// to make TaskSnapSetup work
+	chg := s.state.NewChange("refresh", "...")
+	for _, ts := range tts {
+		chg.AddAll(ts)
+	}
+
+	// Note that some-app only waits for snapd+some-base. The core18
+	// base is not special to this snap and not waited for
+	prereqTotal := len(tts[0].Tasks()) + len(tts[1].Tasks())
+	prereqs := map[string]bool{}
+	for i, task := range tts[3].Tasks() {
+		waitTasks := task.WaitTasks()
+		if i == 0 {
+			c.Check(len(waitTasks), Equals, prereqTotal)
+		} else if task.Kind() == "link-snap" {
+			c.Check(len(waitTasks), Equals, prereqTotal+1)
+			for _, pre := range waitTasks {
+				if pre.Kind() == "link-snap" {
+					snapsup, err := snapstate.TaskSnapSetup(pre)
+					c.Assert(err, IsNil)
+					prereqs[snapsup.InstanceName()] = true
+				}
+			}
+		}
+	}
+
+	// Note that "core18" is not part of the prereqs for some-app
+	// as it does not use this base.
+	c.Check(prereqs, DeepEquals, map[string]bool{
+		"some-base": true,
+		"snapd":     true,
+	})
+}
+
 func (s *snapmgrTestSuite) TestUpdateManyValidateRefreshes(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -829,6 +1131,7 @@
 	validateRefreshes := func(st *state.State, refreshes []*snap.Info, ignoreValidation map[string]bool, userID int) ([]*snap.Info, error) {
 		validateCalled = true
 		c.Check(refreshes, HasLen, 1)
+		c.Check(refreshes[0].InstanceName(), Equals, "some-snap")
 		c.Check(refreshes[0].SnapID, Equals, "some-snap-id")
 		c.Check(refreshes[0].Revision, Equals, snap.R(11))
 		c.Check(ignoreValidation, HasLen, 0)
@@ -837,7 +1140,7 @@
 	// hook it up
 	snapstate.ValidateRefreshes = validateRefreshes
 
-	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0)
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
 	c.Assert(err, IsNil)
 	c.Assert(tts, HasLen, 1)
 	c.Check(updates, DeepEquals, []string{"some-snap"})
@@ -846,16 +1149,74 @@
 	c.Check(validateCalled, Equals, true)
 }
 
-func (s *snapmgrTestSuite) TestUpdateManyValidateRefreshesUnhappy(c *C) {
+func (s *snapmgrTestSuite) TestParallelInstanceUpdateManyValidateRefreshes(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
 			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
 		},
-		Current: snap.R(1),
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
+		},
+		Current:     snap.R(1),
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
+
+	validateCalled := false
+	validateRefreshes := func(st *state.State, refreshes []*snap.Info, ignoreValidation map[string]bool, userID int) ([]*snap.Info, error) {
+		validateCalled = true
+		c.Check(refreshes, HasLen, 2)
+		instanceIdx := 0
+		someIdx := 1
+		if refreshes[0].InstanceName() != "some-snap_instance" {
+			instanceIdx = 1
+			someIdx = 0
+		}
+		c.Check(refreshes[someIdx].InstanceName(), Equals, "some-snap")
+		c.Check(refreshes[instanceIdx].InstanceName(), Equals, "some-snap_instance")
+		c.Check(refreshes[0].SnapID, Equals, "some-snap-id")
+		c.Check(refreshes[0].Revision, Equals, snap.R(11))
+		c.Check(refreshes[1].SnapID, Equals, "some-snap-id")
+		c.Check(refreshes[1].Revision, Equals, snap.R(11))
+		c.Check(ignoreValidation, HasLen, 0)
+		return refreshes, nil
+	}
+	// hook it up
+	snapstate.ValidateRefreshes = validateRefreshes
+
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
+	c.Assert(err, IsNil)
+	c.Assert(tts, HasLen, 2)
+	sort.Strings(updates)
+	c.Check(updates, DeepEquals, []string{"some-snap", "some-snap_instance"})
+	verifyUpdateTasks(c, unlinkBefore|cleanupAfter, 0, tts[0], s.state)
+
+	c.Check(validateCalled, Equals, true)
+}
+
+func (s *snapmgrTestSuite) TestUpdateManyValidateRefreshesUnhappy(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
+		},
+		Current: snap.R(1),
 	})
 
 	validateErr := errors.New("refresh control error")
@@ -870,13 +1231,13 @@
 	snapstate.ValidateRefreshes = validateRefreshes
 
 	// refresh all => no error
-	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0)
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
 	c.Assert(err, IsNil)
 	c.Check(tts, HasLen, 0)
 	c.Check(updates, HasLen, 0)
 
 	// refresh some-snap => report error
-	updates, tts, err = snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, 0)
+	updates, tts, err = snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, 0, nil)
 	c.Assert(err, Equals, validateErr)
 	c.Check(tts, HasLen, 0)
 	c.Check(updates, HasLen, 0)
@@ -993,6 +1354,78 @@
 	c.Assert(err, ErrorMatches, `snap "non-existing-snap" is not installed`)
 }
 
+func (s *snapmgrTestSuite) TestSwitchKernelTrackForbidden(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.SetModelWithKernelTrack("18")
+	snapstate.Set(s.state, "kernel", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "kernel", Revision: snap.R(11)},
+		},
+		Channel: "18/stable",
+		Current: snap.R(11),
+		Active:  true,
+	})
+
+	_, err := snapstate.Switch(s.state, "kernel", "new-channel")
+	c.Assert(err, ErrorMatches, `cannot switch from kernel track "18" as specified for the \(device\) model to "new-channel/stable"`)
+}
+
+func (s *snapmgrTestSuite) TestSwitchKernelTrackRiskOnlyIsOK(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.SetModelWithKernelTrack("18")
+	snapstate.Set(s.state, "kernel", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "kernel", Revision: snap.R(11)},
+		},
+		Channel: "18/stable",
+		Current: snap.R(11),
+		Active:  true,
+	})
+
+	_, err := snapstate.Switch(s.state, "kernel", "18/beta")
+	c.Assert(err, IsNil)
+}
+
+func (s *snapmgrTestSuite) TestSwitchGadgetTrackForbidden(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.SetModelWithGadgetTrack("18")
+	snapstate.Set(s.state, "brand-gadget", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "brand-gadget", Revision: snap.R(11)},
+		},
+		Channel: "18/stable",
+		Current: snap.R(11),
+		Active:  true,
+	})
+
+	_, err := snapstate.Switch(s.state, "brand-gadget", "new-channel")
+	c.Assert(err, ErrorMatches, `cannot switch from gadget track "18" as specified for the \(device\) model to "new-channel/stable"`)
+}
+
+func (s *snapmgrTestSuite) TestSwitchGadgetTrackRiskOnlyIsOK(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.SetModelWithGadgetTrack("18")
+	snapstate.Set(s.state, "brand-gadget", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "brand-gadget", Revision: snap.R(11)},
+		},
+		Channel: "18/stable",
+		Current: snap.R(11),
+		Active:  true,
+	})
+
+	_, err := snapstate.Switch(s.state, "brand-gadget", "18/beta")
+	c.Assert(err, IsNil)
+}
+
 func (s *snapmgrTestSuite) TestDisableTasks(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1060,6 +1493,67 @@
 	c.Assert(err, ErrorMatches, `snap "some-snap" has "install" change in progress`)
 }
 
+func (s *snapmgrTestSuite) TestDoInstallWithSlots(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.ReplaceStore(s.state, contentStore{fakeStore: s.fakeStore, state: s.state})
+
+	ts, err := snapstate.Install(s.state, "snap-content-slot", "", snap.R(0), 0, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+	var snapsup snapstate.SnapSetup
+	err = ts.Tasks()[0].Get("snap-setup", &snapsup)
+	c.Assert(err, IsNil)
+
+	c.Check(snapsup.PlugsOnly, Equals, false)
+}
+
+func (s *snapmgrTestSuite) TestDoUpdateHadSlots(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(4)},
+		},
+		Current:  snap.R(4),
+		SnapType: "app",
+	})
+
+	snapstate.MockSnapReadInfo(func(name string, si *snap.SideInfo) (*snap.Info, error) {
+		if name != "some-snap" {
+			return s.fakeBackend.ReadInfo(name, si)
+		}
+
+		info := &snap.Info{
+			SideInfo: *si,
+			Type:     snap.TypeApp,
+		}
+		info.Slots = map[string]*snap.SlotInfo{
+			"some-slot": {
+				Snap:      info,
+				Name:      "shared-content",
+				Interface: "content",
+				Attrs: map[string]interface{}{
+					"content": "shared-content",
+				},
+			},
+		}
+		return info, nil
+	})
+
+	ts, err := snapstate.Update(s.state, "some-snap", "", snap.R(0), 0, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+	var snapsup snapstate.SnapSetup
+	err = ts.Tasks()[0].Get("snap-setup", &snapsup)
+	c.Assert(err, IsNil)
+
+	c.Check(snapsup.PlugsOnly, Equals, false)
+}
+
 func (s *snapmgrTestSuite) TestDoInstallChannelDefault(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1088,6 +1582,17 @@
 	c.Check(snapsup.Revision(), Equals, snap.R(7))
 }
 
+func (s *snapmgrTestSuite) TestInstallTooEarly(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.state.Set("seeded", nil)
+
+	_, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), 0, snapstate.Flags{})
+	c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
+	c.Assert(err, ErrorMatches, `too early for operation, device not yet seeded or device model not acknowledged`)
+}
+
 func (s *snapmgrTestSuite) TestInstallConflict(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1098,6 +1603,7 @@
 	s.state.NewChange("install", "...").AddAll(ts)
 
 	_, err = snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), 0, snapstate.Flags{})
+	c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
 	c.Assert(err, ErrorMatches, `snap "some-snap" has "install" change in progress`)
 }
 
@@ -1127,7 +1633,7 @@
 	state *state.State
 }
 
-func (s sneakyStore) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
+func (s sneakyStore) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
 	s.state.Lock()
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active:   true,
@@ -1137,7 +1643,7 @@
 		SnapType: "app",
 	})
 	s.state.Unlock()
-	return s.fakeStore.SnapInfo(spec, user)
+	return s.fakeStore.SnapAction(ctx, currentSnaps, actions, user, opts)
 }
 
 func (s *snapmgrTestSuite) TestInstallStateConflict(c *C) {
@@ -1147,7 +1653,8 @@
 	snapstate.ReplaceStore(s.state, sneakyStore{fakeStore: s.fakeStore, state: s.state})
 
 	_, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), 0, snapstate.Flags{})
-	c.Assert(err, ErrorMatches, `snap "some-snap" state changed during install preparations`)
+	c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
+	c.Assert(err, ErrorMatches, `snap "some-snap" has changes in progress`)
 }
 
 func (s *snapmgrTestSuite) TestInstallPathConflict(c *C) {
@@ -1160,7 +1667,7 @@
 	s.state.NewChange("install", "...").AddAll(ts)
 
 	mockSnap := makeTestSnap(c, "name: some-snap\nversion: 1.0")
-	_, err = snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap"}, mockSnap, "", snapstate.Flags{})
+	_, _, err = snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap"}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, ErrorMatches, `snap "some-snap" has "install" change in progress`)
 }
 
@@ -1169,7 +1676,7 @@
 	defer s.state.Unlock()
 
 	mockSnap := makeTestSnap(c, "name: some-snap\nversion: 1.0")
-	_, err := snapstate.InstallPath(s.state, &snap.SideInfo{}, mockSnap, "", snapstate.Flags{})
+	_, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, ErrorMatches, fmt.Sprintf(`internal error: snap name to install %q not provided`, mockSnap))
 }
 
@@ -1178,10 +1685,66 @@
 	defer s.state.Unlock()
 
 	mockSnap := makeTestSnap(c, "name: some-snap\nversion: 1.0")
-	_, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "snapididid"}, mockSnap, "", snapstate.Flags{})
+	_, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "snapididid"}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, ErrorMatches, fmt.Sprintf(`internal error: snap id set to install %q but revision is unset`, mockSnap))
 }
 
+func (s *snapmgrTestSuite) TestInstallPathValidateFlags(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	mockSnap := makeTestSnap(c, `name: some-snap
+version: 1.0
+confinement: devmode
+`)
+	_, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap"}, mockSnap, "", "", snapstate.Flags{})
+	c.Assert(err, ErrorMatches, `.* requires devmode or confinement override`)
+}
+
+func (s *snapmgrTestSuite) TestParallelInstanceInstallNotAllowed(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.ReplaceStore(s.state, sneakyStore{fakeStore: s.fakeStore, state: s.state})
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
+	_, err := snapstate.Install(s.state, "core_foo", "", snap.R(0), 0, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot install snap of type os as "core_foo"`)
+
+	_, err = snapstate.Install(s.state, "some-base_foo", "", snap.R(0), 0, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot install snap of type base as "some-base_foo"`)
+
+	_, err = snapstate.Install(s.state, "some-gadget_foo", "", snap.R(0), 0, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot install snap of type gadget as "some-gadget_foo"`)
+
+	_, err = snapstate.Install(s.state, "some-kernel_foo", "", snap.R(0), 0, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot install snap of type kernel as "some-kernel_foo"`)
+
+	_, err = snapstate.Install(s.state, "some-snapd_foo", "", snap.R(0), 0, snapstate.Flags{})
+	c.Check(err, ErrorMatches, `cannot install snap of type snapd as "some-snapd_foo"`)
+}
+
+func (s *snapmgrTestSuite) TestInstallPathFailsEarlyOnEpochMismatch(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// have epoch 1* installed
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Channel:  "edge",
+		Sequence: []*snap.SideInfo{{RealName: "some-snap", Revision: snap.R(7)}},
+		Current:  snap.R(7),
+	})
+
+	// try to install epoch 42
+	mockSnap := makeTestSnap(c, "name: some-snap\nversion: 1.0\nepoch: 42\n")
+	_, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap"}, mockSnap, "", "", snapstate.Flags{})
+	c.Assert(err, ErrorMatches, `cannot refresh "some-snap" to local snap with epoch 42, because it can't read the current epoch of 1\*`)
+}
+
 func (s *snapmgrTestSuite) TestUpdateTasksPropagatesErrors(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1260,9 +1823,8 @@
 }
 
 func (s *snapmgrTestSuite) TestUpdateDevModeConfinementFiltering(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1286,49 +1848,49 @@
 }
 
 func (s *snapmgrTestSuite) TestUpdateClassicConfinementFiltering(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+	snapstate.Set(s.state, "some-snap-now-classic", &snapstate.SnapState{
 		Active:   true,
-		Channel:  "channel-for-classic",
-		Sequence: []*snap.SideInfo{{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(7)}},
+		Sequence: []*snap.SideInfo{{RealName: "some-snap-now-classic", SnapID: "some-snap-now-classic-id", Revision: snap.R(7)}},
 		Current:  snap.R(7),
 		SnapType: "app",
 	})
 
 	// updated snap is classic, refresh without --classic, do nothing
 	// TODO: better error message here
-	_, err := snapstate.Update(s.state, "some-snap", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	_, err := snapstate.Update(s.state, "some-snap-now-classic", "", snap.R(0), s.user.ID, snapstate.Flags{})
 	c.Assert(err, ErrorMatches, `.* requires classic confinement`)
 
 	// updated snap is classic, refresh with --classic
-	ts, err := snapstate.Update(s.state, "some-snap", "", snap.R(0), s.user.ID, snapstate.Flags{Classic: true})
+	ts, err := snapstate.Update(s.state, "some-snap-now-classic", "", snap.R(0), s.user.ID, snapstate.Flags{Classic: true})
 	c.Assert(err, IsNil)
 
 	chg := s.state.NewChange("refresh", "refresh snap")
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.IsReady(), Equals, true)
+
 	// verify snap is in classic
 	var snapst snapstate.SnapState
-	err = snapstate.Get(s.state, "some-snap", &snapst)
+	err = snapstate.Get(s.state, "some-snap-now-classic", &snapst)
 	c.Assert(err, IsNil)
 	c.Check(snapst.Classic, Equals, true)
 }
 
 func (s *snapmgrTestSuite) TestUpdateClassicFromClassic(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1386,7 +1948,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -1398,28 +1960,27 @@
 }
 
 func (s *snapmgrTestSuite) TestUpdateStrictFromClassic(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+	snapstate.Set(s.state, "some-snap-was-classic", &snapstate.SnapState{
 		Active:   true,
 		Channel:  "channel",
-		Sequence: []*snap.SideInfo{{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(7)}},
+		Sequence: []*snap.SideInfo{{RealName: "some-snap-was-classic", SnapID: "some-snap-was-classic-id", Revision: snap.R(7)}},
 		Current:  snap.R(7),
 		SnapType: "app",
 		Flags:    snapstate.Flags{Classic: true},
 	})
 
 	// snap installed with --classic, update does not need classic, refresh works without --classic
-	_, err := snapstate.Update(s.state, "some-snap", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	_, err := snapstate.Update(s.state, "some-snap-was-classic", "", snap.R(0), s.user.ID, snapstate.Flags{})
 	c.Assert(err, IsNil)
 
 	// snap installed with --classic, update does not need classic, refresh works with --classic
-	_, err = snapstate.Update(s.state, "some-snap", "", snap.R(0), s.user.ID, snapstate.Flags{Classic: true})
+	_, err = snapstate.Update(s.state, "some-snap-was-classic", "", snap.R(0), s.user.ID, snapstate.Flags{Classic: true})
 	c.Assert(err, IsNil)
 }
 
@@ -1445,10 +2006,12 @@
 	c.Check(snapsup.Channel, Equals, "edge")
 }
 
-func (s *snapmgrTestSuite) TestUpdateConflict(c *C) {
+func (s *snapmgrTestSuite) TestUpdateTooEarly(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	s.state.Set("seeded", nil)
+
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active:   true,
 		Sequence: []*snap.SideInfo{{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(7)}},
@@ -1456,51 +2019,29 @@
 		SnapType: "app",
 	})
 
-	ts, err := snapstate.Update(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
-	c.Assert(err, IsNil)
-	// need a change to make the tasks visible
-	s.state.NewChange("refresh", "...").AddAll(ts)
-
-	_, err = snapstate.Update(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
-	c.Assert(err, ErrorMatches, `snap "some-snap" has "refresh" change in progress`)
+	_, err := snapstate.Update(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
+	c.Assert(err, ErrorMatches, `too early for operation, device not yet seeded or device model not acknowledged`)
 }
 
-func (s *snapmgrTestSuite) testChangeConflict(c *C, kind string) {
+func (s *snapmgrTestSuite) TestUpdateConflict(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	snapstate.Set(s.state, "producer", &snapstate.SnapState{
-		Active:   true,
-		Sequence: []*snap.SideInfo{{RealName: "producer", SnapID: "producer-id", Revision: snap.R(1)}},
-		Current:  snap.R(1),
-		SnapType: "app",
-	})
-	snapstate.Set(s.state, "consumer", &snapstate.SnapState{
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active:   true,
-		Sequence: []*snap.SideInfo{{RealName: "consumer", SnapID: "consumer-id", Revision: snap.R(1)}},
-		Current:  snap.R(1),
+		Sequence: []*snap.SideInfo{{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(7)}},
+		Current:  snap.R(7),
 		SnapType: "app",
 	})
 
-	chg := s.state.NewChange("another change", "...")
-	t := s.state.NewTask(kind, "...")
-	t.Set("slot", interfaces.SlotRef{Snap: "producer", Name: "slot"})
-	t.Set("plug", interfaces.PlugRef{Snap: "consumer", Name: "plug"})
-	chg.AddTask(t)
-
-	_, err := snapstate.Update(s.state, "producer", "some-channel", snap.R(2), s.user.ID, snapstate.Flags{})
-	c.Assert(err, ErrorMatches, `snap "producer" has "another change" change in progress`)
-
-	_, err = snapstate.Update(s.state, "consumer", "some-channel", snap.R(2), s.user.ID, snapstate.Flags{})
-	c.Assert(err, ErrorMatches, `snap "consumer" has "another change" change in progress`)
-}
-
-func (s *snapmgrTestSuite) TestUpdateConflictWithConnect(c *C) {
-	s.testChangeConflict(c, "connect")
-}
+	ts, err := snapstate.Update(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	// need a change to make the tasks visible
+	s.state.NewChange("refresh", "...").AddAll(ts)
 
-func (s *snapmgrTestSuite) TestUpdateConflictWithDisconnect(c *C) {
-	s.testChangeConflict(c, "disconnect")
+	_, err = snapstate.Update(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, ErrorMatches, `snap "some-snap" has "refresh" change in progress`)
 }
 
 func (s *snapmgrTestSuite) TestRemoveTasks(c *C) {
@@ -1512,7 +2053,8 @@
 		Sequence: []*snap.SideInfo{
 			{RealName: "foo", Revision: snap.R(11)},
 		},
-		Current: snap.R(11),
+		Current:  snap.R(11),
+		SnapType: "app",
 	})
 
 	ts, err := snapstate.Remove(s.state, "foo", snap.R(0))
@@ -1567,12 +2109,12 @@
 	defer s.state.Unlock()
 
 	chg := s.state.NewChange("install", "install a snap")
-	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(42), s.user.ID, snapstate.Flags{})
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -1583,12 +2125,22 @@
 	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
 		macaroon: s.user.StoreMacaroon,
 		name:     "some-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 	}})
+	c.Check(s.fakeStore.seenPrivacyKeys["privacy-key"], Equals, true, Commentf("salts seen: %v", s.fakeStore.seenPrivacyKeys))
 	expected := fakeOps{
 		{
-			op:     "storesvc-snap",
-			name:   "some-snap",
-			revno:  snap.R(42),
+			op:     "storesvc-snap-action",
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-snap",
+				Channel:      "some-channel",
+			},
+			revno:  snap.R(11),
 			userID: 1,
 		},
 		{
@@ -1598,7 +2150,7 @@
 		{
 			op:    "validate-snap:Doing",
 			name:  "some-snap",
-			revno: snap.R(42),
+			revno: snap.R(11),
 		},
 		{
 			op:  "current",
@@ -1606,46 +2158,47 @@
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "some-snap",
-				Channel:  "some-channel",
 				SnapID:   "some-snap-id",
-				Revision: snap.R(42),
+				Channel:  "some-channel",
+				Revision: snap.R(11),
 			},
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
-			revno: snap.R(42),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			revno: snap.R(11),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			old:  "<no-old>",
 		},
 		{
 			op:    "setup-profiles:Doing",
 			name:  "some-snap",
-			revno: snap.R(42),
+			revno: snap.R(11),
 		},
 		{
 			op: "candidate",
 			sinfo: snap.SideInfo{
 				RealName: "some-snap",
-				Channel:  "some-channel",
 				SnapID:   "some-snap-id",
-				Revision: snap.R(42),
+				Channel:  "some-channel",
+				Revision: snap.R(11),
 			},
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
 			op:    "auto-connect:Doing",
 			name:  "some-snap",
-			revno: snap.R(42),
+			revno: snap.R(11),
 		},
 		{
 			op: "update-aliases",
@@ -1653,7 +2206,7 @@
 		{
 			op:    "cleanup-trash",
 			name:  "some-snap",
-			revno: snap.R(42),
+			revno: snap.R(11),
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -1666,13 +2219,485 @@
 	_, cur, total := task.Progress()
 	c.Assert(cur, Equals, s.fakeStore.fakeCurrentProgress)
 	c.Assert(total, Equals, s.fakeStore.fakeTotalProgress)
-	c.Check(task.Summary(), Equals, `Download snap "some-snap" (42) from channel "some-channel"`)
+	c.Check(task.Summary(), Equals, `Download snap "some-snap" (11) from channel "some-channel"`)
 
 	// check link/start snap summary
 	linkTask := ta[len(ta)-7]
-	c.Check(linkTask.Summary(), Equals, `Make snap "some-snap" (42) available to the system`)
+	c.Check(linkTask.Summary(), Equals, `Make snap "some-snap" (11) available to the system`)
 	startTask := ta[len(ta)-2]
-	c.Check(startTask.Summary(), Equals, `Start snap "some-snap" (42) services`)
+	c.Check(startTask.Summary(), Equals, `Start snap "some-snap" (11) services`)
+
+	// verify snap-setup in the task state
+	var snapsup snapstate.SnapSetup
+	err = task.Get("snap-setup", &snapsup)
+	c.Assert(err, IsNil)
+	c.Assert(snapsup, DeepEquals, snapstate.SnapSetup{
+		Channel:  "some-channel",
+		UserID:   s.user.ID,
+		SnapPath: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+		DownloadInfo: &snap.DownloadInfo{
+			DownloadURL: "https://some-server.com/some/path.snap",
+		},
+		SideInfo:  snapsup.SideInfo,
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
+	})
+	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		Channel:  "some-channel",
+		Revision: snap.R(11),
+		SnapID:   "some-snap-id",
+	})
+
+	// verify snaps in the system state
+	var snaps map[string]*snapstate.SnapState
+	err = s.state.Get("snaps", &snaps)
+	c.Assert(err, IsNil)
+
+	snapst := snaps["some-snap"]
+	c.Assert(snapst, NotNil)
+	c.Assert(snapst.Active, Equals, true)
+	c.Assert(snapst.Channel, Equals, "some-channel")
+	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		SnapID:   "some-snap-id",
+		Channel:  "some-channel",
+		Revision: snap.R(11),
+	})
+	c.Assert(snapst.Required, Equals, false)
+}
+
+func (s *snapmgrTestSuite) TestParallelInstanceInstallRunThrough(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "some-snap_instance", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	// ensure all our tasks ran
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.IsReady(), Equals, true)
+	c.Check(snapstate.Installing(s.state), Equals, false)
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
+		macaroon: s.user.StoreMacaroon,
+		name:     "some-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "some-snap_instance_11.snap"),
+	}})
+	c.Check(s.fakeStore.seenPrivacyKeys["privacy-key"], Equals, true, Commentf("salts seen: %v", s.fakeStore.seenPrivacyKeys))
+	expected := fakeOps{
+		{
+			op:     "storesvc-snap-action",
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-snap_instance",
+				Channel:      "some-channel",
+			},
+			revno:  snap.R(11),
+			userID: 1,
+		},
+		{
+			op:   "storesvc-download",
+			name: "some-snap",
+		},
+		{
+			op:    "validate-snap:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(11),
+		},
+		{
+			op:  "current",
+			old: "<no-current>",
+		},
+		{
+			op:   "open-snap-file",
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_instance_11.snap"),
+			sinfo: snap.SideInfo{
+				RealName: "some-snap",
+				SnapID:   "some-snap-id",
+				Channel:  "some-channel",
+				Revision: snap.R(11),
+			},
+		},
+		{
+			op:    "setup-snap",
+			name:  "some-snap_instance",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_instance_11.snap"),
+			revno: snap.R(11),
+		},
+		{
+			op:   "copy-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/11"),
+			old:  "<no-old>",
+		},
+		{
+			op:    "setup-profiles:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(11),
+		},
+		{
+			op: "candidate",
+			sinfo: snap.SideInfo{
+				RealName: "some-snap",
+				SnapID:   "some-snap-id",
+				Channel:  "some-channel",
+				Revision: snap.R(11),
+			},
+		},
+		{
+			op:   "link-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/11"),
+		},
+		{
+			op:    "auto-connect:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(11),
+		},
+		{
+			op: "update-aliases",
+		},
+		{
+			op:    "cleanup-trash",
+			name:  "some-snap_instance",
+			revno: snap.R(11),
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	// check progress
+	ta := ts.Tasks()
+	task := ta[1]
+	_, cur, total := task.Progress()
+	c.Assert(cur, Equals, s.fakeStore.fakeCurrentProgress)
+	c.Assert(total, Equals, s.fakeStore.fakeTotalProgress)
+	c.Check(task.Summary(), Equals, `Download snap "some-snap_instance" (11) from channel "some-channel"`)
+
+	// check link/start snap summary
+	linkTask := ta[len(ta)-7]
+	c.Check(linkTask.Summary(), Equals, `Make snap "some-snap_instance" (11) available to the system`)
+	startTask := ta[len(ta)-2]
+	c.Check(startTask.Summary(), Equals, `Start snap "some-snap_instance" (11) services`)
+
+	// verify snap-setup in the task state
+	var snapsup snapstate.SnapSetup
+	err = task.Get("snap-setup", &snapsup)
+	c.Assert(err, IsNil)
+	c.Assert(snapsup, DeepEquals, snapstate.SnapSetup{
+		Channel:  "some-channel",
+		UserID:   s.user.ID,
+		SnapPath: filepath.Join(dirs.SnapBlobDir, "some-snap_instance_11.snap"),
+		DownloadInfo: &snap.DownloadInfo{
+			DownloadURL: "https://some-server.com/some/path.snap",
+		},
+		SideInfo:    snapsup.SideInfo,
+		Type:        snap.TypeApp,
+		PlugsOnly:   true,
+		InstanceKey: "instance",
+	})
+	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		Channel:  "some-channel",
+		Revision: snap.R(11),
+		SnapID:   "some-snap-id",
+	})
+
+	// verify snaps in the system state
+	var snaps map[string]*snapstate.SnapState
+	err = s.state.Get("snaps", &snaps)
+	c.Assert(err, IsNil)
+
+	snapst := snaps["some-snap_instance"]
+	c.Assert(snapst, NotNil)
+	c.Assert(snapst.Active, Equals, true)
+	c.Assert(snapst.Channel, Equals, "some-channel")
+	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		SnapID:   "some-snap-id",
+		Channel:  "some-channel",
+		Revision: snap.R(11),
+	})
+	c.Assert(snapst.Required, Equals, false)
+	c.Assert(snapst.InstanceKey, Equals, "instance")
+}
+
+func (s *snapmgrTestSuite) TestInstallUndoRunThroughJustOneSnap(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	tasks := ts.Tasks()
+	last := tasks[len(tasks)-1]
+	// sanity
+	c.Assert(last.Lanes(), HasLen, 1)
+	terr := s.state.NewTask("error-trigger", "provoking total undo")
+	terr.WaitFor(last)
+	terr.JoinLane(last.Lanes()[0])
+	chg.AddTask(terr)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	// ensure all our tasks ran
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
+		macaroon: s.user.StoreMacaroon,
+		name:     "some-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+	}})
+	expected := fakeOps{
+		{
+			op:     "storesvc-snap-action",
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-snap",
+				Channel:      "some-channel",
+			},
+			revno:  snap.R(11),
+			userID: 1,
+		},
+		{
+			op:   "storesvc-download",
+			name: "some-snap",
+		},
+		{
+			op:    "validate-snap:Doing",
+			name:  "some-snap",
+			revno: snap.R(11),
+		},
+		{
+			op:  "current",
+			old: "<no-current>",
+		},
+		{
+			op:   "open-snap-file",
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			sinfo: snap.SideInfo{
+				RealName: "some-snap",
+				SnapID:   "some-snap-id",
+				Channel:  "some-channel",
+				Revision: snap.R(11),
+			},
+		},
+		{
+			op:    "setup-snap",
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			revno: snap.R(11),
+		},
+		{
+			op:   "copy-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			old:  "<no-old>",
+		},
+		{
+			op:    "setup-profiles:Doing",
+			name:  "some-snap",
+			revno: snap.R(11),
+		},
+		{
+			op: "candidate",
+			sinfo: snap.SideInfo{
+				RealName: "some-snap",
+				SnapID:   "some-snap-id",
+				Channel:  "some-channel",
+				Revision: snap.R(11),
+			},
+		},
+		{
+			op:   "link-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+		},
+		{
+			op:    "auto-connect:Doing",
+			name:  "some-snap",
+			revno: snap.R(11),
+		},
+		{
+			op: "update-aliases",
+		},
+		{
+			op:   "remove-snap-aliases",
+			name: "some-snap",
+		},
+		{
+			op:   "unlink-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+		},
+		{
+			op:    "setup-profiles:Undoing",
+			name:  "some-snap",
+			revno: snap.R(11),
+		},
+		{
+			op:   "undo-copy-snap-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			old:  "<no-old>",
+		},
+		{
+			op:   "remove-snap-data-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapDataDir, "some-snap"),
+		},
+		{
+			op:    "undo-setup-snap",
+			name:  "some-snap",
+			stype: "app",
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+		},
+		{
+			op:   "remove-snap-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap"),
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+}
+
+func (s *snapmgrTestSuite) TestInstallWithRevisionRunThrough(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(42), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	// ensure all our tasks ran
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.IsReady(), Equals, true)
+	c.Check(snapstate.Installing(s.state), Equals, false)
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
+		macaroon: s.user.StoreMacaroon,
+		name:     "some-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
+	}})
+	expected := fakeOps{
+		{
+			op:     "storesvc-snap-action",
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-snap",
+				Revision:     snap.R(42),
+			},
+			revno:  snap.R(42),
+			userID: 1,
+		},
+		{
+			op:   "storesvc-download",
+			name: "some-snap",
+		},
+		{
+			op:    "validate-snap:Doing",
+			name:  "some-snap",
+			revno: snap.R(42),
+		},
+		{
+			op:  "current",
+			old: "<no-current>",
+		},
+		{
+			op:   "open-snap-file",
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
+			sinfo: snap.SideInfo{
+				RealName: "some-snap",
+				SnapID:   "some-snap-id",
+				Revision: snap.R(42),
+			},
+		},
+		{
+			op:    "setup-snap",
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
+			revno: snap.R(42),
+		},
+		{
+			op:   "copy-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
+			old:  "<no-old>",
+		},
+		{
+			op:    "setup-profiles:Doing",
+			name:  "some-snap",
+			revno: snap.R(42),
+		},
+		{
+			op: "candidate",
+			sinfo: snap.SideInfo{
+				RealName: "some-snap",
+				SnapID:   "some-snap-id",
+				Revision: snap.R(42),
+			},
+		},
+		{
+			op:   "link-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
+		},
+		{
+			op:    "auto-connect:Doing",
+			name:  "some-snap",
+			revno: snap.R(42),
+		},
+		{
+			op: "update-aliases",
+		},
+		{
+			op:    "cleanup-trash",
+			name:  "some-snap",
+			revno: snap.R(42),
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	// check progress
+	ta := ts.Tasks()
+	task := ta[1]
+	_, cur, total := task.Progress()
+	c.Assert(cur, Equals, s.fakeStore.fakeCurrentProgress)
+	c.Assert(total, Equals, s.fakeStore.fakeTotalProgress)
+	c.Check(task.Summary(), Equals, `Download snap "some-snap" (42) from channel "some-channel"`)
+
+	// check link/start snap summary
+	linkTask := ta[len(ta)-7]
+	c.Check(linkTask.Summary(), Equals, `Make snap "some-snap" (42) available to the system`)
+	startTask := ta[len(ta)-2]
+	c.Check(startTask.Summary(), Equals, `Start snap "some-snap" (42) services`)
 
 	// verify snap-setup in the task state
 	var snapsup snapstate.SnapSetup
@@ -1685,81 +2710,469 @@
 		DownloadInfo: &snap.DownloadInfo{
 			DownloadURL: "https://some-server.com/some/path.snap",
 		},
-		SideInfo: snapsup.SideInfo,
+		SideInfo:  snapsup.SideInfo,
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
+	})
+	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(42),
+		SnapID:   "some-snap-id",
+	})
+
+	// verify snaps in the system state
+	var snaps map[string]*snapstate.SnapState
+	err = s.state.Get("snaps", &snaps)
+	c.Assert(err, IsNil)
+
+	snapst := snaps["some-snap"]
+	c.Assert(snapst, NotNil)
+	c.Assert(snapst.Active, Equals, true)
+	c.Assert(snapst.Channel, Equals, "some-channel")
+	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		SnapID:   "some-snap-id",
+		Revision: snap.R(42),
+	})
+	c.Assert(snapst.Required, Equals, false)
+}
+func (s *snapmgrTestSuite) TestInstallStartOrder(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "services-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	// ensure all our tasks ran
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.IsReady(), Equals, true)
+	c.Check(snapstate.Installing(s.state), Equals, false)
+	op := s.fakeBackend.ops.First("start-snap-services")
+	c.Assert(op, NotNil)
+	c.Assert(op, DeepEquals, &fakeOp{
+		op:   "start-snap-services",
+		path: filepath.Join(dirs.SnapMountDir, "services-snap/11"),
+		// ordered to preserve after/before relation
+		services: []string{"svc1", "svc3", "svc2"},
+	})
+}
+
+func (s *snapmgrTestSuite) TestInstalling(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	c.Check(snapstate.Installing(s.state), Equals, false)
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(42), 0, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	c.Check(snapstate.Installing(s.state), Equals, true)
+}
+
+func (s *snapmgrTestSuite) TestUpdateAmendRunThrough(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(-42),
+	}
+	snaptest.MockSnap(c, `name: some-snap`, &si)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		SnapType: "app",
+		Channel:  "stable",
+	})
+
+	chg := s.state.NewChange("refresh", "refresh a snap")
+	ts, err := snapstate.Update(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{Amend: true})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	// ensure all our tasks ran
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
+		macaroon: s.user.StoreMacaroon,
+		name:     "some-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+	}})
+	c.Check(s.fakeStore.seenPrivacyKeys["privacy-key"], Equals, true, Commentf("salts seen: %v", s.fakeStore.seenPrivacyKeys))
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, []string{
+		"storesvc-snap-action",
+		"storesvc-snap-action:action",
+		"storesvc-download",
+		"validate-snap:Doing",
+		"current",
+		"open-snap-file",
+		"setup-snap",
+		"remove-snap-aliases",
+		"unlink-snap",
+		"copy-data",
+		"setup-profiles:Doing",
+		"candidate",
+		"link-snap",
+		"auto-connect:Doing",
+		"update-aliases",
+		"cleanup-trash",
+	})
+	// just check the interesting op
+	c.Check(s.fakeBackend.ops[1], DeepEquals, fakeOp{
+		op: "storesvc-snap-action:action",
+		action: store.SnapAction{
+			Action:       "install", // we asked for an Update, but an amend is actually an Install
+			InstanceName: "some-snap",
+			Channel:      "some-channel",
+			Epoch:        snap.E("1*"), // in amend, epoch in the action is not nil!
+			Flags:        store.SnapActionEnforceValidation,
+		},
+		revno:  snap.R(11),
+		userID: 1,
+	})
+
+	task := ts.Tasks()[1]
+	// verify snapSetup info
+	var snapsup snapstate.SnapSetup
+	err = task.Get("snap-setup", &snapsup)
+	c.Assert(err, IsNil)
+	c.Assert(snapsup, DeepEquals, snapstate.SnapSetup{
+		Channel: "some-channel",
+		UserID:  s.user.ID,
+
+		SnapPath: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+		DownloadInfo: &snap.DownloadInfo{
+			DownloadURL: "https://some-server.com/some/path.snap",
+		},
+		SideInfo:  snapsup.SideInfo,
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
+		Flags:     snapstate.Flags{Amend: true},
 	})
 	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
 		RealName: "some-snap",
-		Revision: snap.R(42),
+		Revision: snap.R(11),
+		Channel:  "some-channel",
+		SnapID:   "some-snap-id",
+	})
+
+	// verify services stop reason
+	verifyStopReason(c, ts, "refresh")
+
+	// check post-refresh hook
+	task = ts.Tasks()[14]
+	c.Assert(task.Kind(), Equals, "run-hook")
+	c.Assert(task.Summary(), Matches, `Run post-refresh hook of "some-snap" snap if present`)
+
+	// verify snaps in the system state
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+
+	c.Assert(snapst.Active, Equals, true)
+	c.Assert(snapst.Sequence, HasLen, 2)
+	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		Channel:  "",
+		Revision: snap.R(-42),
+	})
+	c.Assert(snapst.Sequence[1], DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
 		Channel:  "some-channel",
 		SnapID:   "some-snap-id",
+		Revision: snap.R(11),
+	})
+}
+
+func (s *snapmgrTestSuite) TestUpdateRunThrough(c *C) {
+	// use services-snap here to make sure services would be stopped/started appropriately
+	si := snap.SideInfo{
+		RealName: "services-snap",
+		Revision: snap.R(7),
+		SnapID:   "services-snap-id",
+	}
+	snaptest.MockSnap(c, `name: services-snap`, &si)
+	fi, err := os.Stat(snap.MountFile("services-snap", si.Revision))
+	c.Assert(err, IsNil)
+	refreshedDate := fi.ModTime()
+	// look at disk
+	r := snapstate.MockRevisionDate(nil)
+	defer r()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "services-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		SnapType: "app",
+		Channel:  "stable",
+	})
+
+	chg := s.state.NewChange("refresh", "refresh a snap")
+	ts, err := snapstate.Update(s.state, "services-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	expected := fakeOps{
+		{
+			op: "storesvc-snap-action",
+			curSnaps: []store.CurrentSnap{{
+				InstanceName:    "services-snap",
+				SnapID:          "services-snap-id",
+				Revision:        snap.R(7),
+				TrackingChannel: "stable",
+				RefreshedDate:   refreshedDate,
+				Epoch:           snap.E("0"),
+			}},
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "refresh",
+				InstanceName: "services-snap",
+				SnapID:       "services-snap-id",
+				Channel:      "some-channel",
+				Flags:        store.SnapActionEnforceValidation,
+			},
+			revno:  snap.R(11),
+			userID: 1,
+		},
+		{
+			op:   "storesvc-download",
+			name: "services-snap",
+		},
+		{
+			op:    "validate-snap:Doing",
+			name:  "services-snap",
+			revno: snap.R(11),
+		},
+		{
+			op:  "current",
+			old: filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+		},
+		{
+			op:   "open-snap-file",
+			path: filepath.Join(dirs.SnapBlobDir, "services-snap_11.snap"),
+			sinfo: snap.SideInfo{
+				RealName: "services-snap",
+				SnapID:   "services-snap-id",
+				Channel:  "some-channel",
+				Revision: snap.R(11),
+			},
+		},
+		{
+			op:    "setup-snap",
+			name:  "services-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "services-snap_11.snap"),
+			revno: snap.R(11),
+		},
+		{
+			op:   "stop-snap-services:refresh",
+			path: filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+		},
+		{
+			op:   "remove-snap-aliases",
+			name: "services-snap",
+		},
+		{
+			op:   "unlink-snap",
+			path: filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+		},
+		{
+			op:   "copy-data",
+			path: filepath.Join(dirs.SnapMountDir, "services-snap/11"),
+			old:  filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+		},
+		{
+			op:    "setup-profiles:Doing",
+			name:  "services-snap",
+			revno: snap.R(11),
+		},
+		{
+			op: "candidate",
+			sinfo: snap.SideInfo{
+				RealName: "services-snap",
+				SnapID:   "services-snap-id",
+				Channel:  "some-channel",
+				Revision: snap.R(11),
+			},
+		},
+		{
+			op:   "link-snap",
+			path: filepath.Join(dirs.SnapMountDir, "services-snap/11"),
+		},
+		{
+			op:    "auto-connect:Doing",
+			name:  "services-snap",
+			revno: snap.R(11),
+		},
+		{
+			op: "update-aliases",
+		},
+		{
+			op:       "start-snap-services",
+			path:     filepath.Join(dirs.SnapMountDir, "services-snap/11"),
+			services: []string{"svc1", "svc3", "svc2"},
+		},
+		{
+			op:    "cleanup-trash",
+			name:  "services-snap",
+			revno: snap.R(11),
+		},
+	}
+
+	// ensure all our tasks ran
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
+		macaroon: s.user.StoreMacaroon,
+		name:     "services-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "services-snap_11.snap"),
+	}})
+	c.Check(s.fakeStore.seenPrivacyKeys["privacy-key"], Equals, true, Commentf("salts seen: %v", s.fakeStore.seenPrivacyKeys))
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	// check progress
+	task := ts.Tasks()[1]
+	_, cur, total := task.Progress()
+	c.Assert(cur, Equals, s.fakeStore.fakeCurrentProgress)
+	c.Assert(total, Equals, s.fakeStore.fakeTotalProgress)
+
+	// verify snapSetup info
+	var snapsup snapstate.SnapSetup
+	err = task.Get("snap-setup", &snapsup)
+	c.Assert(err, IsNil)
+	c.Assert(snapsup, DeepEquals, snapstate.SnapSetup{
+		Channel: "some-channel",
+		UserID:  s.user.ID,
+
+		SnapPath: filepath.Join(dirs.SnapBlobDir, "services-snap_11.snap"),
+		DownloadInfo: &snap.DownloadInfo{
+			DownloadURL: "https://some-server.com/some/path.snap",
+		},
+		SideInfo:  snapsup.SideInfo,
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
+	})
+	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
+		RealName: "services-snap",
+		Revision: snap.R(11),
+		Channel:  "some-channel",
+		SnapID:   "services-snap-id",
 	})
 
+	// verify services stop reason
+	verifyStopReason(c, ts, "refresh")
+
+	// check post-refresh hook
+	task = ts.Tasks()[14]
+	c.Assert(task.Kind(), Equals, "run-hook")
+	c.Assert(task.Summary(), Matches, `Run post-refresh hook of "services-snap" snap if present`)
+
 	// verify snaps in the system state
-	var snaps map[string]*snapstate.SnapState
-	err = s.state.Get("snaps", &snaps)
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "services-snap", &snapst)
 	c.Assert(err, IsNil)
 
-	snapst := snaps["some-snap"]
 	c.Assert(snapst.Active, Equals, true)
-	c.Assert(snapst.Channel, Equals, "some-channel")
+	c.Assert(snapst.Sequence, HasLen, 2)
 	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
-		RealName: "some-snap",
+		RealName: "services-snap",
+		SnapID:   "services-snap-id",
+		Channel:  "",
+		Revision: snap.R(7),
+	})
+	c.Assert(snapst.Sequence[1], DeepEquals, &snap.SideInfo{
+		RealName: "services-snap",
 		Channel:  "some-channel",
-		SnapID:   "some-snap-id",
-		Revision: snap.R(42),
+		SnapID:   "services-snap-id",
+		Revision: snap.R(11),
 	})
-	c.Assert(snapst.Required, Equals, false)
-}
-
-func (s *snapmgrTestSuite) TestInstalling(c *C) {
-	s.state.Lock()
-	defer s.state.Unlock()
-
-	c.Check(snapstate.Installing(s.state), Equals, false)
-
-	chg := s.state.NewChange("install", "install a snap")
-	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(42), 0, snapstate.Flags{})
-	c.Assert(err, IsNil)
-	chg.AddAll(ts)
-
-	c.Check(snapstate.Installing(s.state), Equals, true)
 }
 
-func (s *snapmgrTestSuite) TestUpdateRunThrough(c *C) {
+func (s *snapmgrTestSuite) TestParallelInstanceUpdateRunThrough(c *C) {
 	// use services-snap here to make sure services would be stopped/started appropriately
 	si := snap.SideInfo{
 		RealName: "services-snap",
 		Revision: snap.R(7),
 		SnapID:   "services-snap-id",
 	}
+	snaptest.MockSnapInstance(c, "services-snap_instance", `name: services-snap`, &si)
+	fi, err := os.Stat(snap.MountFile("services-snap_instance", si.Revision))
+	c.Assert(err, IsNil)
+	refreshedDate := fi.ModTime()
+	// look at disk
+	r := snapstate.MockRevisionDate(nil)
+	defer r()
 
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	snapstate.Set(s.state, "services-snap", &snapstate.SnapState{
-		Active:   true,
-		Sequence: []*snap.SideInfo{&si},
-		Current:  si.Revision,
-		SnapType: "app",
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
+	snapstate.Set(s.state, "services-snap_instance", &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		SnapType:    "app",
+		Channel:     "stable",
+		InstanceKey: "instance",
 	})
 
 	chg := s.state.NewChange("refresh", "refresh a snap")
-	ts, err := snapstate.Update(s.state, "services-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	ts, err := snapstate.Update(s.state, "services-snap_instance", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
-			op: "storesvc-list-refresh",
-			cand: store.RefreshCandidate{
-				Channel:  "some-channel",
-				SnapID:   "services-snap-id",
-				Revision: snap.R(7),
+			op: "storesvc-snap-action",
+			curSnaps: []store.CurrentSnap{{
+				InstanceName:    "services-snap_instance",
+				SnapID:          "services-snap-id",
+				Revision:        snap.R(7),
+				TrackingChannel: "stable",
+				RefreshedDate:   refreshedDate,
+				Epoch:           snap.E("0"),
+			}},
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "refresh",
+				SnapID:       "services-snap-id",
+				InstanceName: "services-snap_instance",
+				Channel:      "some-channel",
+				Flags:        store.SnapActionEnforceValidation,
 			},
 			revno:  snap.R(11),
 			userID: 1,
@@ -1770,16 +3183,16 @@
 		},
 		{
 			op:    "validate-snap:Doing",
-			name:  "services-snap",
+			name:  "services-snap_instance",
 			revno: snap.R(11),
 		},
 		{
 			op:  "current",
-			old: filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+			old: filepath.Join(dirs.SnapMountDir, "services-snap_instance/7"),
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "services-snap_11.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "services-snap_instance_11.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "services-snap",
 				SnapID:   "services-snap-id",
@@ -1789,29 +3202,30 @@
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "services-snap_11.snap"),
+			name:  "services-snap_instance",
+			path:  filepath.Join(dirs.SnapBlobDir, "services-snap_instance_11.snap"),
 			revno: snap.R(11),
 		},
 		{
 			op:   "stop-snap-services:refresh",
-			name: filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "services-snap_instance/7"),
 		},
 		{
 			op:   "remove-snap-aliases",
-			name: "services-snap",
+			name: "services-snap_instance",
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "services-snap_instance/7"),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "services-snap/11"),
-			old:  filepath.Join(dirs.SnapMountDir, "services-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "services-snap_instance/11"),
+			old:  filepath.Join(dirs.SnapMountDir, "services-snap_instance/7"),
 		},
 		{
 			op:    "setup-profiles:Doing",
-			name:  "services-snap",
+			name:  "services-snap_instance",
 			revno: snap.R(11),
 		},
 		{
@@ -1825,23 +3239,24 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "services-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "services-snap_instance/11"),
 		},
 		{
 			op:    "auto-connect:Doing",
-			name:  "services-snap",
+			name:  "services-snap_instance",
 			revno: snap.R(11),
 		},
 		{
 			op: "update-aliases",
 		},
 		{
-			op:   "start-snap-services",
-			name: filepath.Join(dirs.SnapMountDir, "services-snap/11"),
+			op:       "start-snap-services",
+			path:     filepath.Join(dirs.SnapMountDir, "services-snap_instance/11"),
+			services: []string{"svc1", "svc3", "svc2"},
 		},
 		{
 			op:    "cleanup-trash",
-			name:  "services-snap",
+			name:  "services-snap_instance",
 			revno: snap.R(11),
 		},
 	}
@@ -1850,7 +3265,9 @@
 	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
 		macaroon: s.user.StoreMacaroon,
 		name:     "services-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "services-snap_instance_11.snap"),
 	}})
+	c.Check(s.fakeStore.seenPrivacyKeys["privacy-key"], Equals, true, Commentf("salts seen: %v", s.fakeStore.seenPrivacyKeys))
 	// start with an easier-to-read error if this fails:
 	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
 	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
@@ -1869,11 +3286,14 @@
 		Channel: "some-channel",
 		UserID:  s.user.ID,
 
-		SnapPath: filepath.Join(dirs.SnapBlobDir, "services-snap_11.snap"),
+		SnapPath: filepath.Join(dirs.SnapBlobDir, "services-snap_instance_11.snap"),
 		DownloadInfo: &snap.DownloadInfo{
 			DownloadURL: "https://some-server.com/some/path.snap",
 		},
-		SideInfo: snapsup.SideInfo,
+		SideInfo:    snapsup.SideInfo,
+		Type:        snap.TypeApp,
+		PlugsOnly:   true,
+		InstanceKey: "instance",
 	})
 	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
 		RealName: "services-snap",
@@ -1888,13 +3308,14 @@
 	// check post-refresh hook
 	task = ts.Tasks()[14]
 	c.Assert(task.Kind(), Equals, "run-hook")
-	c.Assert(task.Summary(), Matches, `Run post-refresh hook of "services-snap" snap if present`)
+	c.Assert(task.Summary(), Matches, `Run post-refresh hook of "services-snap_instance" snap if present`)
 
 	// verify snaps in the system state
 	var snapst snapstate.SnapState
-	err = snapstate.Get(s.state, "services-snap", &snapst)
+	err = snapstate.Get(s.state, "services-snap_instance", &snapst)
 	c.Assert(err, IsNil)
 
+	c.Assert(snapst.InstanceKey, Equals, "instance")
 	c.Assert(snapst.Active, Equals, true)
 	c.Assert(snapst.Sequence, HasLen, 2)
 	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
@@ -1911,6 +3332,172 @@
 	})
 }
 
+func (s *snapmgrTestSuite) TestUpdateWithNewBase(c *C) {
+	si := &snap.SideInfo{
+		RealName: "some-snap",
+		SnapID:   "some-snap-id",
+		Revision: snap.R(7),
+	}
+	snaptest.MockSnap(c, `name: some-snap`, si)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Channel:  "edge",
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(7),
+		SnapType: "app",
+	})
+
+	chg := s.state.NewChange("refresh", "refresh a snap")
+	ts, err := snapstate.Update(s.state, "some-snap", "channel-for-base", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{
+		{macaroon: s.user.StoreMacaroon, name: "some-base", target: filepath.Join(dirs.SnapBlobDir, "some-base_11.snap")},
+		{macaroon: s.user.StoreMacaroon, name: "some-snap", target: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap")},
+	})
+}
+
+func (s *snapmgrTestSuite) TestUpdateWithAlreadyInstalledBase(c *C) {
+	si := &snap.SideInfo{
+		RealName: "some-snap",
+		SnapID:   "some-snap-id",
+		Revision: snap.R(7),
+	}
+	snaptest.MockSnap(c, `name: some-snap`, si)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Channel:  "edge",
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(7),
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "some-base", &snapstate.SnapState{
+		Active:  true,
+		Channel: "stable",
+		Sequence: []*snap.SideInfo{{
+			RealName: "some-base",
+			SnapID:   "some-base-id",
+			Revision: snap.R(1),
+		}},
+		Current:  snap.R(1),
+		SnapType: "base",
+	})
+
+	chg := s.state.NewChange("refresh", "refresh a snap")
+	ts, err := snapstate.Update(s.state, "some-snap", "channel-for-base", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{
+		{macaroon: s.user.StoreMacaroon, name: "some-snap", target: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap")},
+	})
+}
+
+func (s *snapmgrTestSuite) TestUpdateWithNewDefaultProvider(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.ReplaceStore(s.state, contentStore{fakeStore: s.fakeStore, state: s.state})
+	repo := interfaces.NewRepository()
+	ifacerepo.Replace(s.state, repo)
+
+	si := &snap.SideInfo{
+		RealName: "snap-content-plug",
+		SnapID:   "snap-content-plug-id",
+		Revision: snap.R(7),
+	}
+	snaptest.MockSnap(c, `name: snap-content-plug`, si)
+	snapstate.Set(s.state, "snap-content-plug", &snapstate.SnapState{
+		Active:   true,
+		Channel:  "edge",
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(7),
+		SnapType: "app",
+	})
+
+	chg := s.state.NewChange("refresh", "refresh a snap")
+	ts, err := snapstate.Update(s.state, "snap-content-plug", "stable", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{
+		{macaroon: s.user.StoreMacaroon, name: "snap-content-plug", target: filepath.Join(dirs.SnapBlobDir, "snap-content-plug_11.snap")},
+		{macaroon: s.user.StoreMacaroon, name: "snap-content-slot", target: filepath.Join(dirs.SnapBlobDir, "snap-content-slot_11.snap")},
+	})
+}
+
+func (s *snapmgrTestSuite) TestUpdateWithInstalledDefaultProvider(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.ReplaceStore(s.state, contentStore{fakeStore: s.fakeStore, state: s.state})
+	repo := interfaces.NewRepository()
+	ifacerepo.Replace(s.state, repo)
+
+	si := &snap.SideInfo{
+		RealName: "snap-content-plug",
+		SnapID:   "snap-content-plug-id",
+		Revision: snap.R(7),
+	}
+	snaptest.MockSnap(c, `name: snap-content-plug`, si)
+	snapstate.Set(s.state, "snap-content-plug", &snapstate.SnapState{
+		Active:   true,
+		Channel:  "edge",
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(7),
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "snap-content-slot", &snapstate.SnapState{
+		Active:  true,
+		Channel: "stable",
+		Sequence: []*snap.SideInfo{{
+			RealName: "snap-content-slot",
+			SnapID:   "snap-content-slot-id",
+			Revision: snap.R(1),
+		}},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	chg := s.state.NewChange("refresh", "refresh a snap")
+	ts, err := snapstate.Update(s.state, "snap-content-plug", "stable", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{
+		{macaroon: s.user.StoreMacaroon, name: "snap-content-plug", target: filepath.Join(dirs.SnapBlobDir, "snap-content-plug_11.snap")},
+	})
+}
+
 func (s *snapmgrTestSuite) TestUpdateRememberedUserRunThrough(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -1931,7 +3518,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -1940,13 +3527,14 @@
 
 	for _, op := range s.fakeBackend.ops {
 		switch op.op {
-		case "storesvc-list-refresh":
+		case "storesvc-snap-action":
 			c.Check(op.userID, Equals, 1)
 		case "storesvc-download":
 			snapName := op.name
 			c.Check(s.fakeStore.downloads[0], DeepEquals, fakeDownload{
 				macaroon: "macaroon",
 				name:     "some-snap",
+				target:   filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			}, Commentf(snapName))
 		}
 	}
@@ -1972,7 +3560,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -1981,19 +3569,128 @@
 
 	for _, op := range s.fakeBackend.ops {
 		switch op.op {
-		case "storesvc-snap":
+		case "storesvc-snap-action:action":
 			c.Check(op.userID, Equals, 1)
 		case "storesvc-download":
 			snapName := op.name
 			c.Check(s.fakeStore.downloads[0], DeepEquals, fakeDownload{
 				macaroon: "macaroon",
 				name:     "some-snap",
+				target:   filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			}, Commentf(snapName))
+		}
+	}
+}
+
+func (s *snapmgrTestSuite) TestUpdateManyMultipleCredsNoUserRunThrough(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1), SnapID: "core-snap-id"},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", Revision: snap.R(5), SnapID: "some-snap-id"},
+		},
+		Current:  snap.R(5),
+		SnapType: "app",
+		UserID:   1,
+	})
+	snapstate.Set(s.state, "services-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "services-snap", Revision: snap.R(2), SnapID: "services-snap-id"},
+		},
+		Current:  snap.R(2),
+		SnapType: "app",
+		UserID:   2,
+	})
+
+	chg := s.state.NewChange("refresh", "refresh all snaps")
+	// no user is passed to use for UpdateMany
+	updated, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
+	c.Assert(err, IsNil)
+	for _, ts := range tts {
+		chg.AddAll(ts)
+	}
+	c.Check(updated, HasLen, 3)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+	c.Assert(chg.Err(), IsNil)
+
+	macaroonMap := map[string]string{
+		"core":          "",
+		"some-snap":     "macaroon",
+		"services-snap": "macaroon2",
+	}
+
+	seen := make(map[string]int)
+	ir := 0
+	di := 0
+	for _, op := range s.fakeBackend.ops {
+		switch op.op {
+		case "storesvc-snap-action":
+			ir++
+			c.Check(op.curSnaps, DeepEquals, []store.CurrentSnap{
+				{
+					InstanceName:  "core",
+					SnapID:        "core-snap-id",
+					Revision:      snap.R(1),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 1),
+					Epoch:         snap.E("1*"),
+				},
+				{
+					InstanceName:  "services-snap",
+					SnapID:        "services-snap-id",
+					Revision:      snap.R(2),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 2),
+					Epoch:         snap.E("0"),
+				},
+				{
+					InstanceName:  "some-snap",
+					SnapID:        "some-snap-id",
+					Revision:      snap.R(5),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 5),
+					Epoch:         snap.E("1*"),
+				},
+			})
+		case "storesvc-snap-action:action":
+			snapID := op.action.SnapID
+			seen[snapID] = op.userID
+		case "storesvc-download":
+			snapName := op.name
+			fakeDl := s.fakeStore.downloads[di]
+			// check target path separately and clear it
+			c.Check(fakeDl.target, Matches, filepath.Join(dirs.SnapBlobDir, fmt.Sprintf("%s_[0-9]+.snap", snapName)))
+			fakeDl.target = ""
+			c.Check(fakeDl, DeepEquals, fakeDownload{
+				macaroon: macaroonMap[snapName],
+				name:     snapName,
 			}, Commentf(snapName))
+			di++
 		}
 	}
+	c.Check(ir, Equals, 2)
+	// we check all snaps with each user
+	c.Check(seen["some-snap-id"], Equals, 1)
+	c.Check(seen["services-snap-id"], Equals, 2)
+	// coalesced with one of the others
+	c.Check(seen["core-snap-id"] > 0, Equals, true)
 }
 
-func (s *snapmgrTestSuite) TestUpdateManyMultipleCredsNoUserRunThrough(c *C) {
+func (s *snapmgrTestSuite) TestUpdateManyMultipleCredsUserRunThrough(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -2025,8 +3722,8 @@
 	})
 
 	chg := s.state.NewChange("refresh", "refresh all snaps")
-	// no user is passed to use for UpdateMany
-	updated, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0)
+	// do UpdateMany using user 2 as fallback
+	updated, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 2, nil)
 	c.Assert(err, IsNil)
 	for _, ts := range tts {
 		chg.AddAll(ts)
@@ -2034,7 +3731,7 @@
 	c.Check(updated, HasLen, 3)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -2042,7 +3739,7 @@
 	c.Assert(chg.Err(), IsNil)
 
 	macaroonMap := map[string]string{
-		"core":          "",
+		"core":          "macaroon2",
 		"some-snap":     "macaroon",
 		"services-snap": "macaroon2",
 	}
@@ -2052,33 +3749,75 @@
 		userID int
 	}
 	seen := make(map[snapIDuserID]bool)
+	ir := 0
 	di := 0
 	for _, op := range s.fakeBackend.ops {
 		switch op.op {
-		case "storesvc-list-refresh":
-			snapID := op.cand.SnapID
+		case "storesvc-snap-action":
+			ir++
+			c.Check(op.curSnaps, DeepEquals, []store.CurrentSnap{
+				{
+					InstanceName:  "core",
+					SnapID:        "core-snap-id",
+					Revision:      snap.R(1),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 1),
+					Epoch:         snap.E("1*"),
+				},
+				{
+					InstanceName:  "services-snap",
+					SnapID:        "services-snap-id",
+					Revision:      snap.R(2),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 2),
+					Epoch:         snap.E("0"),
+				},
+				{
+					InstanceName:  "some-snap",
+					SnapID:        "some-snap-id",
+					Revision:      snap.R(5),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 5),
+					Epoch:         snap.E("1*"),
+				},
+			})
+		case "storesvc-snap-action:action":
+			snapID := op.action.SnapID
 			seen[snapIDuserID{snapID: snapID, userID: op.userID}] = true
 		case "storesvc-download":
 			snapName := op.name
-			c.Check(s.fakeStore.downloads[di], DeepEquals, fakeDownload{
+			fakeDl := s.fakeStore.downloads[di]
+			// check target path separately and clear it
+			c.Check(fakeDl.target, Matches, filepath.Join(dirs.SnapBlobDir, fmt.Sprintf("%s_[0-9]+.snap", snapName)))
+			fakeDl.target = ""
+			c.Check(fakeDl, DeepEquals, fakeDownload{
 				macaroon: macaroonMap[snapName],
 				name:     snapName,
 			}, Commentf(snapName))
 			di++
 		}
 	}
+	c.Check(ir, Equals, 2)
 	// we check all snaps with each user
 	c.Check(seen, DeepEquals, map[snapIDuserID]bool{
-		{snapID: "core-snap-id", userID: 1}:     true,
-		{snapID: "some-snap-id", userID: 1}:     true,
-		{snapID: "services-snap-id", userID: 1}: true,
 		{snapID: "core-snap-id", userID: 2}:     true,
-		{snapID: "some-snap-id", userID: 2}:     true,
+		{snapID: "some-snap-id", userID: 1}:     true,
 		{snapID: "services-snap-id", userID: 2}: true,
 	})
+
+	var coreState, snapState snapstate.SnapState
+	// user in SnapState was preserved
+	err = snapstate.Get(s.state, "some-snap", &snapState)
+	c.Assert(err, IsNil)
+	c.Check(snapState.UserID, Equals, 1)
+	c.Check(snapState.Current, DeepEquals, snap.R(11))
+
+	// user in SnapState was set
+	err = snapstate.Get(s.state, "core", &coreState)
+	c.Assert(err, IsNil)
+	c.Check(coreState.UserID, Equals, 2)
+	c.Check(coreState.Current, DeepEquals, snap.R(11))
+
 }
 
-func (s *snapmgrTestSuite) TestUpdateManyMultipleCredsUserRunThrough(c *C) {
+func (s *snapmgrTestSuite) TestUpdateManyMultipleCredsUserWithNoStoreAuthRunThrough(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -2106,12 +3845,12 @@
 		},
 		Current:  snap.R(2),
 		SnapType: "app",
-		UserID:   2,
+		UserID:   3,
 	})
 
 	chg := s.state.NewChange("refresh", "refresh all snaps")
-	// do UpdateMany using user 2 as fallback
-	updated, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 2)
+	// no user is passed to use for UpdateMany
+	updated, tts, err := snapstate.UpdateMany(context.TODO(), s.state, nil, 0, nil)
 	c.Assert(err, IsNil)
 	for _, ts := range tts {
 		chg.AddAll(ts)
@@ -2119,7 +3858,7 @@
 	c.Check(updated, HasLen, 3)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -2127,54 +3866,63 @@
 	c.Assert(chg.Err(), IsNil)
 
 	macaroonMap := map[string]string{
-		"core":          "macaroon2",
+		"core":          "",
 		"some-snap":     "macaroon",
-		"services-snap": "macaroon2",
+		"services-snap": "",
 	}
 
-	type snapIDuserID struct {
-		snapID string
-		userID int
-	}
-	seen := make(map[snapIDuserID]bool)
+	seen := make(map[string]int)
+	ir := 0
 	di := 0
 	for _, op := range s.fakeBackend.ops {
 		switch op.op {
-		case "storesvc-list-refresh":
-			snapID := op.cand.SnapID
-			seen[snapIDuserID{snapID: snapID, userID: op.userID}] = true
+		case "storesvc-snap-action":
+			ir++
+			c.Check(op.curSnaps, DeepEquals, []store.CurrentSnap{
+				{
+					InstanceName:  "core",
+					SnapID:        "core-snap-id",
+					Revision:      snap.R(1),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 1),
+					Epoch:         snap.E("1*"),
+				},
+				{
+					InstanceName:  "services-snap",
+					SnapID:        "services-snap-id",
+					Revision:      snap.R(2),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 2),
+					Epoch:         snap.E("0"),
+				},
+				{
+					InstanceName:  "some-snap",
+					SnapID:        "some-snap-id",
+					Revision:      snap.R(5),
+					RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 5),
+					Epoch:         snap.E("1*"),
+				},
+			})
+		case "storesvc-snap-action:action":
+			snapID := op.action.SnapID
+			seen[snapID] = op.userID
 		case "storesvc-download":
 			snapName := op.name
-			c.Check(s.fakeStore.downloads[di], DeepEquals, fakeDownload{
+			fakeDl := s.fakeStore.downloads[di]
+			// check target path separately and clear it
+			c.Check(fakeDl.target, Matches, filepath.Join(dirs.SnapBlobDir, fmt.Sprintf("%s_[0-9]+.snap", snapName)))
+			fakeDl.target = ""
+			c.Check(fakeDl, DeepEquals, fakeDownload{
 				macaroon: macaroonMap[snapName],
 				name:     snapName,
 			}, Commentf(snapName))
 			di++
 		}
 	}
+	c.Check(ir, Equals, 1)
 	// we check all snaps with each user
-	c.Check(seen, DeepEquals, map[snapIDuserID]bool{
-		{snapID: "core-snap-id", userID: 1}:     true,
-		{snapID: "some-snap-id", userID: 1}:     true,
-		{snapID: "services-snap-id", userID: 1}: true,
-		{snapID: "core-snap-id", userID: 2}:     true,
-		{snapID: "some-snap-id", userID: 2}:     true,
-		{snapID: "services-snap-id", userID: 2}: true,
-	})
-
-	var coreState, snapState snapstate.SnapState
-	// user in SnapState was preserved
-	err = snapstate.Get(s.state, "some-snap", &snapState)
-	c.Assert(err, IsNil)
-	c.Check(snapState.UserID, Equals, 1)
-	c.Check(snapState.Current, DeepEquals, snap.R(11))
-
-	// user in SnapState was set
-	err = snapstate.Get(s.state, "core", &coreState)
-	c.Assert(err, IsNil)
-	c.Check(coreState.UserID, Equals, 2)
-	c.Check(coreState.Current, DeepEquals, snap.R(11))
-
+	c.Check(seen["some-snap-id"], Equals, 1)
+	// coalesced with request for 1
+	c.Check(seen["services-snap-id"], Equals, 1)
+	c.Check(seen["core-snap-id"], Equals, 1)
 }
 
 func (s *snapmgrTestSuite) TestUpdateUndoRunThrough(c *C) {
@@ -2202,17 +3950,30 @@
 	s.fakeBackend.linkSnapFailTrigger = filepath.Join(dirs.SnapMountDir, "/some-snap/11")
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
-			op: "storesvc-list-refresh",
-			cand: store.RefreshCandidate{
-				Channel:  "some-channel",
-				SnapID:   "some-snap-id",
-				Revision: snap.R(7),
+			op: "storesvc-snap-action",
+			curSnaps: []store.CurrentSnap{{
+				InstanceName:  "some-snap",
+				SnapID:        "some-snap-id",
+				Revision:      snap.R(7),
+				RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 7),
+				Epoch:         snap.E("1*"),
+			}},
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "refresh",
+				InstanceName: "some-snap",
+				SnapID:       "some-snap-id",
+				Channel:      "some-channel",
+				Flags:        store.SnapActionEnforceValidation,
 			},
 			revno:  snap.R(11),
 			userID: 1,
@@ -2232,7 +3993,7 @@
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "some-snap",
 				SnapID:   "some-snap-id",
@@ -2242,7 +4003,8 @@
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			revno: snap.R(11),
 		},
 		{
@@ -2251,11 +4013,11 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			old:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
@@ -2274,11 +4036,11 @@
 		},
 		{
 			op:   "link-snap.failed",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
 			op:    "setup-profiles:Undoing",
@@ -2287,27 +4049,34 @@
 		},
 		{
 			op:   "undo-copy-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			old:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op: "update-aliases",
 		},
 		{
 			op:    "undo-setup-snap",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			stype: "app",
 		},
+		{
+			op:   "remove-snap-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap"),
+		},
 	}
 
 	// ensure all our tasks ran
 	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
 		macaroon: s.user.StoreMacaroon,
 		name:     "some-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 	}})
 	// start with an easier-to-read error if this fails:
 	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
@@ -2362,17 +4131,31 @@
 	chg.AddTask(terr)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
-			op: "storesvc-list-refresh",
-			cand: store.RefreshCandidate{
-				Channel:  "some-channel",
-				SnapID:   "some-snap-id",
-				Revision: snap.R(7),
+			op: "storesvc-snap-action",
+			curSnaps: []store.CurrentSnap{{
+				InstanceName:    "some-snap",
+				SnapID:          "some-snap-id",
+				Revision:        snap.R(7),
+				TrackingChannel: "stable",
+				RefreshedDate:   fakeRevDateEpoch.AddDate(0, 0, 7),
+				Epoch:           snap.E("1*"),
+			}},
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "refresh",
+				InstanceName: "some-snap",
+				SnapID:       "some-snap-id",
+				Channel:      "some-channel",
+				Flags:        store.SnapActionEnforceValidation,
 			},
 			revno:  snap.R(11),
 			userID: 1,
@@ -2392,7 +4175,7 @@
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "some-snap",
 				SnapID:   "some-snap-id",
@@ -2402,7 +4185,8 @@
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			revno: snap.R(11),
 		},
 		{
@@ -2411,11 +4195,11 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			old:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
@@ -2434,7 +4218,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -2451,7 +4235,7 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
 			op:    "setup-profiles:Undoing",
@@ -2460,27 +4244,34 @@
 		},
 		{
 			op:   "undo-copy-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			old:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op: "update-aliases",
 		},
 		{
 			op:    "undo-setup-snap",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			stype: "app",
 		},
+		{
+			op:   "remove-snap-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap"),
+		},
 	}
 
 	// ensure all our tasks ran
 	c.Check(s.fakeStore.downloads, DeepEquals, []fakeDownload{{
 		macaroon: s.user.StoreMacaroon,
 		name:     "some-snap",
+		target:   filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 	}})
 	// friendlier failure first
 	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
@@ -2523,6 +4314,41 @@
 	c.Assert(err, Equals, store.ErrNoUpdateAvailable)
 }
 
+// A noResultsStore returns no results for install/refresh requests
+type noResultsStore struct {
+	*fakeStore
+}
+
+func (n noResultsStore) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
+	return nil, &store.SnapActionError{NoResults: true}
+}
+
+func (s *snapmgrTestSuite) TestUpdateNoStoreResults(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.ReplaceStore(s.state, noResultsStore{fakeStore: s.fakeStore})
+
+	// this is an atypical case in which the store didn't return
+	// an error nor a result, we are defensive and return
+	// a reasonable error
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		SnapID:   "some-snap-id",
+		Revision: snap.R(7),
+	}
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Channel:  "channel-for-7",
+		Current:  si.Revision,
+	})
+
+	_, err := snapstate.Update(s.state, "some-snap", "channel-for-7", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, Equals, store.ErrNoUpdateAvailable)
+}
+
 func (s *snapmgrTestSuite) TestUpdateSameRevisionSwitchesChannel(c *C) {
 	si := snap.SideInfo{
 		RealName: "some-snap",
@@ -2596,20 +4422,35 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
-		// we just expect the "storesvc-list-refresh" op, we
+		// we just expect the "storesvc-snap-action" ops, we
 		// don't have a fakeOp for switchChannel because it has
 		// not a backend method, it just manipulates the state
 		{
-			op: "storesvc-list-refresh",
-			cand: store.RefreshCandidate{
-				Channel:  "channel-for-7",
-				SnapID:   "some-snap-id",
-				Revision: snap.R(7),
+			op: "storesvc-snap-action",
+			curSnaps: []store.CurrentSnap{{
+				InstanceName:    "some-snap",
+				SnapID:          "some-snap-id",
+				Revision:        snap.R(7),
+				TrackingChannel: "other-channel",
+				RefreshedDate:   fakeRevDateEpoch.AddDate(0, 0, 7),
+				Epoch:           snap.E("1*"),
+			}},
+			userID: 1,
+		},
+
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "refresh",
+				InstanceName: "some-snap",
+				SnapID:       "some-snap-id",
+				Channel:      "channel-for-7",
+				Flags:        store.SnapActionEnforceValidation,
 			},
 			userID: 1,
 		},
@@ -2725,7 +4566,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -2852,7 +4693,7 @@
 			return nil, validateErr
 		}
 		c.Check(ignoreValidation, DeepEquals, map[string]bool{
-			"some-snap-id": true,
+			"some-snap": true,
 		})
 		return refreshes, nil
 	}
@@ -2864,13 +4705,26 @@
 	c.Assert(err, IsNil)
 
 	c.Check(s.fakeBackend.ops[0], DeepEquals, fakeOp{
-		op:    "storesvc-list-refresh",
-		revno: snap.R(11),
-		cand: store.RefreshCandidate{
+		op: "storesvc-snap-action",
+		curSnaps: []store.CurrentSnap{{
+			InstanceName:     "some-snap",
 			SnapID:           "some-snap-id",
 			Revision:         snap.R(7),
-			Channel:          "stable",
-			IgnoreValidation: true,
+			IgnoreValidation: false,
+			RefreshedDate:    fakeRevDateEpoch.AddDate(0, 0, 7),
+			Epoch:            snap.E("1*"),
+		}},
+		userID: 1,
+	})
+	c.Check(s.fakeBackend.ops[1], DeepEquals, fakeOp{
+		op:    "storesvc-snap-action:action",
+		revno: snap.R(11),
+		action: store.SnapAction{
+			Action:       "refresh",
+			InstanceName: "some-snap",
+			SnapID:       "some-snap-id",
+			Channel:      "stable",
+			Flags:        store.SnapActionIgnoreValidation,
 		},
 		userID: 1,
 	})
@@ -2879,7 +4733,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -2894,18 +4748,31 @@
 	s.fakeStore.refreshRevnos = map[string]snap.Revision{
 		"some-snap-id": snap.R(12),
 	}
-	_, tts, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID)
+	_, tts, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID, nil)
 	c.Assert(err, IsNil)
 	c.Check(tts, HasLen, 1)
 
 	c.Check(s.fakeBackend.ops[0], DeepEquals, fakeOp{
-		op:    "storesvc-list-refresh",
-		revno: snap.R(12),
-		cand: store.RefreshCandidate{
+		op: "storesvc-snap-action",
+		curSnaps: []store.CurrentSnap{{
+			InstanceName:     "some-snap",
 			SnapID:           "some-snap-id",
 			Revision:         snap.R(11),
-			Channel:          "stable",
+			TrackingChannel:  "stable",
 			IgnoreValidation: true,
+			RefreshedDate:    fakeRevDateEpoch.AddDate(0, 0, 11),
+			Epoch:            snap.E("1*"),
+		}},
+		userID: 1,
+	})
+	c.Check(s.fakeBackend.ops[1], DeepEquals, fakeOp{
+		op:    "storesvc-snap-action:action",
+		revno: snap.R(12),
+		action: store.SnapAction{
+			Action:       "refresh",
+			InstanceName: "some-snap",
+			SnapID:       "some-snap-id",
+			Flags:        0,
 		},
 		userID: 1,
 	})
@@ -2914,7 +4781,7 @@
 	chg.AddAll(tts[0])
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -2939,13 +4806,27 @@
 	c.Assert(err, IsNil)
 
 	c.Check(s.fakeBackend.ops[0], DeepEquals, fakeOp{
-		op:    "storesvc-list-refresh",
-		revno: snap.R(11),
-		cand: store.RefreshCandidate{
+		op: "storesvc-snap-action",
+		curSnaps: []store.CurrentSnap{{
+			InstanceName:     "some-snap",
 			SnapID:           "some-snap-id",
 			Revision:         snap.R(12),
-			Channel:          "stable",
-			IgnoreValidation: false,
+			TrackingChannel:  "stable",
+			IgnoreValidation: true,
+			RefreshedDate:    fakeRevDateEpoch.AddDate(0, 0, 12),
+			Epoch:            snap.E("1*"),
+		}},
+		userID: 1,
+	})
+	c.Check(s.fakeBackend.ops[1], DeepEquals, fakeOp{
+		op:    "storesvc-snap-action:action",
+		revno: snap.R(11),
+		action: store.SnapAction{
+			Action:       "refresh",
+			InstanceName: "some-snap",
+			SnapID:       "some-snap-id",
+			Channel:      "stable",
+			Flags:        store.SnapActionEnforceValidation,
 		},
 		userID: 1,
 	})
@@ -2954,7 +4835,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -2965,6 +4846,202 @@
 	c.Check(snapst.Current, Equals, snap.R(11))
 }
 
+func (s *snapmgrTestSuite) TestParallelInstanceUpdateIgnoreValidationSticky(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		SnapID:   "some-snap-id",
+		Revision: snap.R(7),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
+
+	validateErr := errors.New("refresh control error")
+	validateRefreshesFail := func(st *state.State, refreshes []*snap.Info, ignoreValidation map[string]bool, userID int) ([]*snap.Info, error) {
+		c.Check(refreshes, HasLen, 2)
+		if len(ignoreValidation) == 0 {
+			return nil, validateErr
+		}
+		c.Check(ignoreValidation, DeepEquals, map[string]bool{
+			"some-snap_instance": true,
+		})
+		return refreshes, nil
+	}
+	// hook it up
+	snapstate.ValidateRefreshes = validateRefreshesFail
+
+	flags := snapstate.Flags{IgnoreValidation: true}
+	ts, err := snapstate.Update(s.state, "some-snap_instance", "stable", snap.R(0), s.user.ID, flags)
+	c.Assert(err, IsNil)
+
+	c.Check(s.fakeBackend.ops[0], DeepEquals, fakeOp{
+		op: "storesvc-snap-action",
+		curSnaps: []store.CurrentSnap{{
+			InstanceName:     "some-snap",
+			SnapID:           "some-snap-id",
+			Revision:         snap.R(7),
+			IgnoreValidation: false,
+			RefreshedDate:    fakeRevDateEpoch.AddDate(0, 0, 7),
+			Epoch:            snap.E("1*"),
+		}, {
+			InstanceName:     "some-snap_instance",
+			SnapID:           "some-snap-id",
+			Revision:         snap.R(7),
+			IgnoreValidation: false,
+			RefreshedDate:    fakeRevDateEpoch.AddDate(0, 0, 7),
+			Epoch:            snap.E("1*"),
+		}},
+		userID: 1,
+	})
+	c.Check(s.fakeBackend.ops[1], DeepEquals, fakeOp{
+		op:    "storesvc-snap-action:action",
+		revno: snap.R(11),
+		action: store.SnapAction{
+			Action:       "refresh",
+			InstanceName: "some-snap_instance",
+			SnapID:       "some-snap-id",
+			Channel:      "stable",
+			Flags:        store.SnapActionIgnoreValidation,
+		},
+		userID: 1,
+	})
+
+	chg := s.state.NewChange("refresh", "refresh snaps")
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	// ensure all our tasks ran
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.IsReady(), Equals, true)
+
+	// verify snap 'instance' has IgnoreValidation set and the snap was
+	// updated
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.IgnoreValidation, Equals, true)
+	c.Check(snapst.Current, Equals, snap.R(11))
+	// and the other snap does not
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.Current, Equals, snap.R(7))
+	c.Check(snapst.IgnoreValidation, Equals, false)
+
+	s.fakeBackend.ops = nil
+	s.fakeStore.refreshRevnos = map[string]snap.Revision{
+		"some-snap-id": snap.R(12),
+	}
+	updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap", "some-snap_instance"}, s.user.ID, nil)
+	c.Assert(err, IsNil)
+	c.Check(tts, HasLen, 2)
+	sort.Strings(updates)
+	c.Check(updates, DeepEquals, []string{"some-snap", "some-snap_instance"})
+
+	chg = s.state.NewChange("refresh", "refresh snaps")
+	for _, ts := range tts {
+		chg.AddAll(ts)
+	}
+
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	// ensure all our tasks ran
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.IsReady(), Equals, true)
+
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.IgnoreValidation, Equals, false)
+	c.Check(snapst.Current, Equals, snap.R(12))
+
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.IgnoreValidation, Equals, true)
+	c.Check(snapst.Current, Equals, snap.R(12))
+
+	for i := 0; i < 2; i++ {
+		op := s.fakeBackend.ops[i]
+		switch op.op {
+		case "storesvc-snap-action":
+			c.Check(op, DeepEquals, fakeOp{
+				op: "storesvc-snap-action",
+				curSnaps: []store.CurrentSnap{{
+					InstanceName:     "some-snap",
+					SnapID:           "some-snap-id",
+					Revision:         snap.R(7),
+					IgnoreValidation: false,
+					RefreshedDate:    fakeRevDateEpoch.AddDate(0, 0, 7),
+					Epoch:            snap.E("1*"),
+				}, {
+					InstanceName:     "some-snap_instance",
+					SnapID:           "some-snap-id",
+					Revision:         snap.R(11),
+					TrackingChannel:  "stable",
+					IgnoreValidation: true,
+					RefreshedDate:    fakeRevDateEpoch.AddDate(0, 0, 11),
+					Epoch:            snap.E("1*"),
+				}},
+				userID: 1,
+			})
+		case "storesvc-snap-action:action":
+			switch op.action.InstanceName {
+			case "some-snap":
+				c.Check(op, DeepEquals, fakeOp{
+					op:    "storesvc-snap-action:action",
+					revno: snap.R(12),
+					action: store.SnapAction{
+						Action:       "refresh",
+						InstanceName: "some-snap",
+						SnapID:       "some-snap-id",
+						Flags:        0,
+					},
+					userID: 1,
+				})
+			case "some-snap_instance":
+				c.Check(op, DeepEquals, fakeOp{
+					op:    "storesvc-snap-action:action",
+					revno: snap.R(12),
+					action: store.SnapAction{
+						Action:       "refresh",
+						InstanceName: "some-snap_instance",
+						SnapID:       "some-snap-id",
+						Flags:        0,
+					},
+					userID: 1,
+				})
+			default:
+				c.Fatalf("unexpected instance name %q", op.action.InstanceName)
+			}
+		default:
+			c.Fatalf("unexpected action %q", op.op)
+		}
+	}
+
+}
+
 func (s *snapmgrTestSuite) TestUpdateFromLocal(c *C) {
 	si := snap.SideInfo{
 		RealName: "some-snap",
@@ -3012,7 +5089,26 @@
 	err = tasks[1].Get("snap-setup", &snapsup)
 	c.Assert(err, IsNil)
 	c.Check(snapsup.Revision(), Equals, snap.R(7))
+}
+
+func (s *snapmgrTestSuite) TestUpdateAmendSnapNotFound(c *C) {
+	si := snap.SideInfo{
+		RealName: "snap-unknown",
+		Revision: snap.R("x1"),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "snap-unknown", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Channel:  "stable",
+		Current:  si.Revision,
+	})
 
+	_, err := snapstate.Update(s.state, "snap-unknown", "stable", snap.R(0), s.user.ID, snapstate.Flags{Amend: true})
+	c.Assert(err, Equals, store.ErrSnapNotFound)
 }
 
 func (s *snapmgrTestSuite) TestSingleUpdateBlockedRevision(c *C) {
@@ -3041,18 +5137,18 @@
 	_, err := snapstate.Update(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
 	c.Assert(err, IsNil)
 
-	c.Assert(s.fakeBackend.ops, HasLen, 1)
+	c.Assert(s.fakeBackend.ops, HasLen, 2)
 	c.Check(s.fakeBackend.ops[0], DeepEquals, fakeOp{
-		op:    "storesvc-list-refresh",
-		revno: snap.R(11),
-		cand: store.RefreshCandidate{
-			SnapID:   "some-snap-id",
-			Revision: snap.R(7),
-			Channel:  "some-channel",
-		},
+		op: "storesvc-snap-action",
+		curSnaps: []store.CurrentSnap{{
+			InstanceName:  "some-snap",
+			SnapID:        "some-snap-id",
+			Revision:      snap.R(7),
+			RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 7),
+			Epoch:         snap.E("1*"),
+		}},
 		userID: 1,
 	})
-
 }
 
 func (s *snapmgrTestSuite) TestMultiUpdateBlockedRevision(c *C) {
@@ -3078,21 +5174,22 @@
 		SnapType: "app",
 	})
 
-	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID)
+	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID, nil)
 	c.Assert(err, IsNil)
 	c.Check(updates, DeepEquals, []string{"some-snap"})
 
-	c.Assert(s.fakeBackend.ops, HasLen, 1)
+	c.Assert(s.fakeBackend.ops, HasLen, 2)
 	c.Check(s.fakeBackend.ops[0], DeepEquals, fakeOp{
-		op:    "storesvc-list-refresh",
-		revno: snap.R(11),
-		cand: store.RefreshCandidate{
-			SnapID:   "some-snap-id",
-			Revision: snap.R(7),
-		},
+		op: "storesvc-snap-action",
+		curSnaps: []store.CurrentSnap{{
+			InstanceName:  "some-snap",
+			SnapID:        "some-snap-id",
+			Revision:      snap.R(7),
+			RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 7),
+			Epoch:         snap.E("1*"),
+		}},
 		userID: 1,
 	})
-
 }
 
 func (s *snapmgrTestSuite) TestAllUpdateBlockedRevision(c *C) {
@@ -3117,21 +5214,23 @@
 		Current:  si7.Revision,
 	})
 
-	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, nil, s.user.ID)
+	updates, _, err := snapstate.UpdateMany(context.TODO(), s.state, nil, s.user.ID, nil)
 	c.Check(err, IsNil)
 	c.Check(updates, HasLen, 0)
 
-	c.Assert(s.fakeBackend.ops, HasLen, 1)
+	c.Assert(s.fakeBackend.ops, HasLen, 2)
 	c.Check(s.fakeBackend.ops[0], DeepEquals, fakeOp{
-		op: "storesvc-list-refresh",
-		cand: store.RefreshCandidate{
-			SnapID:   "some-snap-id",
-			Revision: snap.R(7),
-			Block:    []snap.Revision{snap.R(11)},
-		},
+		op: "storesvc-snap-action",
+		curSnaps: []store.CurrentSnap{{
+			InstanceName:  "some-snap",
+			SnapID:        "some-snap-id",
+			Revision:      snap.R(7),
+			RefreshedDate: fakeRevDateEpoch.AddDate(0, 0, 7),
+			Block:         []snap.Revision{snap.R(11)},
+			Epoch:         snap.E("1*"),
+		}},
 		userID: 1,
 	})
-
 }
 
 var orthogonalAutoAliasesScenarios = []struct {
@@ -3176,7 +5275,7 @@
 	})
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		switch info.Name() {
+		switch info.InstanceName() {
 		case "some-snap":
 			return map[string]string{"aliasA": "cmdA"}, nil
 		case "other-snap":
@@ -3203,13 +5302,13 @@
 	}
 
 	for _, scenario := range orthogonalAutoAliasesScenarios {
-		for _, snapName := range []string{"some-snap", "other-snap"} {
+		for _, instanceName := range []string{"some-snap", "other-snap"} {
 			var snapst snapstate.SnapState
-			err := snapstate.Get(s.state, snapName, &snapst)
+			err := snapstate.Get(s.state, instanceName, &snapst)
 			c.Assert(err, IsNil)
 			snapst.Aliases = nil
 			snapst.AutoAliasesDisabled = false
-			if autoAliases := scenario.aliasesBefore[snapName]; autoAliases != nil {
+			if autoAliases := scenario.aliasesBefore[instanceName]; autoAliases != nil {
 				targets := make(map[string]*snapstate.AliasTarget)
 				for _, alias := range autoAliases {
 					targets[alias] = &snapstate.AliasTarget{Auto: "cmd" + alias[len(alias)-1:]}
@@ -3217,10 +5316,10 @@
 
 				snapst.Aliases = targets
 			}
-			snapstate.Set(s.state, snapName, &snapst)
+			snapstate.Set(s.state, instanceName, &snapst)
 		}
 
-		updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, scenario.names, s.user.ID)
+		updates, tts, err := snapstate.UpdateMany(context.TODO(), s.state, scenario.names, s.user.ID, nil)
 		c.Check(err, IsNil)
 
 		_, dropped, err := snapstate.AutoAliasesDelta(s.state, []string{"some-snap", "other-snap"})
@@ -3241,12 +5340,12 @@
 				c.Assert(err, IsNil)
 				snapsup, err := snapstate.TaskSnapSetup(aliasTask)
 				c.Assert(err, IsNil)
-				taskAliases[snapsup.Name()] = expectedSet(aliases)
+				taskAliases[snapsup.InstanceName()] = expectedSet(aliases)
 			}
 			expectedPruned = make(map[string]map[string]bool)
-			for _, snapName := range scenario.prune {
-				expectedPruned[snapName] = expectedSet(dropped[snapName])
-				if snapName == "other-snap" && !scenario.new && !scenario.update {
+			for _, instanceName := range scenario.prune {
+				expectedPruned[instanceName] = expectedSet(dropped[instanceName])
+				if instanceName == "other-snap" && !scenario.new && !scenario.update {
 					expectedUpdatesSet["other-snap"] = true
 				}
 			}
@@ -3319,7 +5418,7 @@
 	})
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		switch info.Name() {
+		switch info.InstanceName() {
 		case "some-snap":
 			return map[string]string{"aliasA": "cmdA"}, nil
 		case "other-snap":
@@ -3350,13 +5449,13 @@
 			continue
 		}
 
-		for _, snapName := range []string{"some-snap", "other-snap"} {
+		for _, instanceName := range []string{"some-snap", "other-snap"} {
 			var snapst snapstate.SnapState
-			err := snapstate.Get(s.state, snapName, &snapst)
+			err := snapstate.Get(s.state, instanceName, &snapst)
 			c.Assert(err, IsNil)
 			snapst.Aliases = nil
 			snapst.AutoAliasesDisabled = false
-			if autoAliases := scenario.aliasesBefore[snapName]; autoAliases != nil {
+			if autoAliases := scenario.aliasesBefore[instanceName]; autoAliases != nil {
 				targets := make(map[string]*snapstate.AliasTarget)
 				for _, alias := range autoAliases {
 					targets[alias] = &snapstate.AliasTarget{Auto: "cmd" + alias[len(alias)-1:]}
@@ -3364,7 +5463,7 @@
 
 				snapst.Aliases = targets
 			}
-			snapstate.Set(s.state, snapName, &snapst)
+			snapstate.Set(s.state, instanceName, &snapst)
 		}
 
 		ts, err := snapstate.Update(s.state, scenario.names[0], "", snap.R(0), s.user.ID, snapstate.Flags{})
@@ -3388,11 +5487,11 @@
 				c.Assert(err, IsNil)
 				snapsup, err := snapstate.TaskSnapSetup(aliasTask)
 				c.Assert(err, IsNil)
-				taskAliases[snapsup.Name()] = expectedSet(aliases)
+				taskAliases[snapsup.InstanceName()] = expectedSet(aliases)
 			}
 			expectedPruned = make(map[string]map[string]bool)
-			for _, snapName := range scenario.prune {
-				expectedPruned[snapName] = expectedSet(dropped[snapName])
+			for _, instanceName := range scenario.prune {
+				expectedPruned[instanceName] = expectedSet(dropped[instanceName])
 			}
 			c.Check(taskAliases, DeepEquals, expectedPruned)
 		}
@@ -3433,7 +5532,7 @@
 		// conflict checks are triggered
 		chg := s.state.NewChange("update", "...")
 		chg.AddAll(ts)
-		err = snapstate.CheckChangeConflict(s.state, scenario.names[0], nil, nil)
+		err = snapstate.CheckChangeConflict(s.state, scenario.names[0], nil)
 		c.Check(err, ErrorMatches, `.* has "update" change in progress`)
 		chg.SetStatus(state.DoneStatus)
 	}
@@ -3478,6 +5577,70 @@
 	c.Assert(err, ErrorMatches, `refreshing disabled snap "some-snap" not supported`)
 }
 
+func (s *snapmgrTestSuite) TestUpdateKernelTrackChecksSwitchingTracks(c *C) {
+	si := snap.SideInfo{
+		RealName: "kernel",
+		SnapID:   "kernel-id",
+		Revision: snap.R(7),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.SetModelWithKernelTrack("18")
+	snapstate.Set(s.state, "kernel", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		Channel:  "18/stable",
+	})
+
+	// switching tracks is not ok
+	_, err := snapstate.Update(s.state, "kernel", "new-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, ErrorMatches, `cannot switch from kernel track "18" as specified for the \(device\) model to "new-channel/stable"`)
+
+	// no change to the channel is ok
+	_, err = snapstate.Update(s.state, "kernel", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+	// switching risk level is ok
+	_, err = snapstate.Update(s.state, "kernel", "18/beta", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+}
+
+func (s *snapmgrTestSuite) TestUpdateGadgetTrackChecksSwitchingTracks(c *C) {
+	si := snap.SideInfo{
+		RealName: "brand-gadget",
+		SnapID:   "brand-gadget-id",
+		Revision: snap.R(7),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.SetModelWithGadgetTrack("18")
+	snapstate.Set(s.state, "brand-gadget", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		Channel:  "18/stable",
+	})
+
+	// switching tracks is not ok
+	_, err := snapstate.Update(s.state, "brand-gadget", "new-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, ErrorMatches, `cannot switch from gadget track "18" as specified for the \(device\) model to "new-channel/stable"`)
+
+	// no change to the channel is ok
+	_, err = snapstate.Update(s.state, "brand-gadget", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+	// switching risk level is ok
+	_, err = snapstate.Update(s.state, "brand-gadget", "18/beta", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+}
+
 func makeTestSnap(c *C, snapYamlContent string) (snapFilePath string) {
 	return snaptest.MakeTestSnapWithFiles(c, snapYamlContent, nil)
 }
@@ -3492,12 +5655,16 @@
 	mockSnap := makeTestSnap(c, `name: mock
 version: 1.0`)
 	chg := s.state.NewChange("install", "install a local snap")
-	ts, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "mock"}, mockSnap, "", snapstate.Flags{})
+	ts, info, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "mock"}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
+	// ensure the returned info is correct
+	c.Check(info.SideInfo.RealName, Equals, "mock")
+	c.Check(info.Version, Equals, "1.0")
+
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -3510,12 +5677,13 @@
 		{
 			// and setup-snap
 			op:    "setup-snap",
-			name:  mockSnap,
+			name:  "mock",
+			path:  mockSnap,
 			revno: snap.R("x1"),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "mock/x1"),
+			path: filepath.Join(dirs.SnapMountDir, "mock/x1"),
 			old:  "<no-old>",
 		},
 		{
@@ -3532,12 +5700,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "mock/x1"),
-		},
-		{
-			op:    "setup-profiles:Doing", // core phase 2
-			name:  "mock",
-			revno: snap.R("x1"),
+			path: filepath.Join(dirs.SnapMountDir, "mock/x1"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -3563,8 +5726,10 @@
 	err = task.Get("snap-setup", &snapsup)
 	c.Assert(err, IsNil)
 	c.Assert(snapsup, DeepEquals, snapstate.SnapSetup{
-		SnapPath: mockSnap,
-		SideInfo: snapsup.SideInfo,
+		SnapPath:  mockSnap,
+		SideInfo:  snapsup.SideInfo,
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
 	})
 	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
 		RealName: "mock",
@@ -3602,25 +5767,28 @@
 	})
 
 	mockSnap := makeTestSnap(c, `name: mock
-version: 1.0`)
+version: 1.0
+epoch: 1*
+`)
 	chg := s.state.NewChange("install", "install a local snap")
-	ts, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "mock"}, mockSnap, "", snapstate.Flags{})
+	ts, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "mock"}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	ops := s.fakeBackend.ops
 	// ensure only local install was run, i.e. first action is pseudo-action current
-	c.Assert(ops.Ops(), HasLen, 12)
+	c.Assert(ops.Ops(), HasLen, 11)
 	c.Check(ops[0].op, Equals, "current")
 	c.Check(ops[0].old, Equals, filepath.Join(dirs.SnapMountDir, "mock/x2"))
 	// and setup-snap
 	c.Check(ops[1].op, Equals, "setup-snap")
-	c.Check(ops[1].name, Matches, `.*/mock_1.0_all.snap`)
+	c.Check(ops[1].name, Matches, "mock")
+	c.Check(ops[1].path, Matches, `.*/mock_1.0_all.snap`)
 	c.Check(ops[1].revno, Equals, snap.R("x3"))
 	// and cleanup
 	c.Check(ops[len(ops)-1], DeepEquals, fakeOp{
@@ -3630,10 +5798,10 @@
 	})
 
 	c.Check(ops[3].op, Equals, "unlink-snap")
-	c.Check(ops[3].name, Equals, filepath.Join(dirs.SnapMountDir, "mock/x2"))
+	c.Check(ops[3].path, Equals, filepath.Join(dirs.SnapMountDir, "mock/x2"))
 
 	c.Check(ops[4].op, Equals, "copy-data")
-	c.Check(ops[4].name, Equals, filepath.Join(dirs.SnapMountDir, "mock/x3"))
+	c.Check(ops[4].path, Equals, filepath.Join(dirs.SnapMountDir, "mock/x3"))
 	c.Check(ops[4].old, Equals, filepath.Join(dirs.SnapMountDir, "mock/x2"))
 
 	c.Check(ops[5].op, Equals, "setup-profiles:Doing")
@@ -3646,8 +5814,7 @@
 		Revision: snap.R(-3),
 	})
 	c.Check(ops[7].op, Equals, "link-snap")
-	c.Check(ops[7].name, Equals, filepath.Join(dirs.SnapMountDir, "mock/x3"))
-	c.Check(ops[8].op, Equals, "setup-profiles:Doing") // core phase 2
+	c.Check(ops[7].path, Equals, filepath.Join(dirs.SnapMountDir, "mock/x3"))
 
 	// verify snapSetup info
 	var snapsup snapstate.SnapSetup
@@ -3655,8 +5822,10 @@
 	err = task.Get("snap-setup", &snapsup)
 	c.Assert(err, IsNil)
 	c.Assert(snapsup, DeepEquals, snapstate.SnapSetup{
-		SnapPath: mockSnap,
-		SideInfo: snapsup.SideInfo,
+		SnapPath:  mockSnap,
+		SideInfo:  snapsup.SideInfo,
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
 	})
 	c.Assert(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
 		RealName: "mock",
@@ -3695,14 +5864,16 @@
 	})
 
 	mockSnap := makeTestSnap(c, `name: mock
-version: 1.0`)
+version: 1.0
+epoch: 1*
+`)
 	chg := s.state.NewChange("install", "install a local snap")
-	ts, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "mock"}, mockSnap, "", snapstate.Flags{})
+	ts, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "mock"}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -3715,7 +5886,8 @@
 		{
 			// and setup-snap
 			op:    "setup-snap",
-			name:  mockSnap,
+			name:  "mock",
+			path:  mockSnap,
 			revno: snap.R("x1"),
 		},
 		{
@@ -3724,11 +5896,11 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "mock/100001"),
+			path: filepath.Join(dirs.SnapMountDir, "mock/100001"),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "mock/x1"),
+			path: filepath.Join(dirs.SnapMountDir, "mock/x1"),
 			old:  filepath.Join(dirs.SnapMountDir, "mock/100001"),
 		},
 		{
@@ -3745,12 +5917,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "mock/x1"),
-		},
-		{
-			op:    "setup-profiles:Doing",
-			name:  "mock",
-			revno: snap.R("x1"),
+			path: filepath.Join(dirs.SnapMountDir, "mock/x1"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -3800,28 +5967,29 @@
 		SnapID:   "some-snap-id",
 		Revision: snap.R(42),
 	}
-	ts, err := snapstate.InstallPath(s.state, si, someSnap, "", snapstate.Flags{Required: true})
+	ts, _, err := snapstate.InstallPath(s.state, si, someSnap, "", "", snapstate.Flags{Required: true})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	// ensure only local install was run, i.e. first actions are pseudo-action current
-	c.Assert(s.fakeBackend.ops.Ops(), HasLen, 10)
+	c.Assert(s.fakeBackend.ops.Ops(), HasLen, 9)
 	c.Check(s.fakeBackend.ops[0].op, Equals, "current")
 	c.Check(s.fakeBackend.ops[0].old, Equals, "<no-current>")
 	// and setup-snap
 	c.Check(s.fakeBackend.ops[1].op, Equals, "setup-snap")
-	c.Check(s.fakeBackend.ops[1].name, Matches, `.*/orig-name_1.0_all.snap`)
+	c.Check(s.fakeBackend.ops[1].name, Equals, "some-snap")
+	c.Check(s.fakeBackend.ops[1].path, Matches, `.*/orig-name_1.0_all.snap`)
 	c.Check(s.fakeBackend.ops[1].revno, Equals, snap.R(42))
 
 	c.Check(s.fakeBackend.ops[4].op, Equals, "candidate")
 	c.Check(s.fakeBackend.ops[4].sinfo, DeepEquals, *si)
 	c.Check(s.fakeBackend.ops[5].op, Equals, "link-snap")
-	c.Check(s.fakeBackend.ops[5].name, Equals, filepath.Join(dirs.SnapMountDir, "some-snap/42"))
+	c.Check(s.fakeBackend.ops[5].path, Equals, filepath.Join(dirs.SnapMountDir, "some-snap/42"))
 
 	// verify snapSetup info
 	var snapsup snapstate.SnapSetup
@@ -3834,6 +6002,8 @@
 		Flags: snapstate.Flags{
 			Required: true,
 		},
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
 	})
 	c.Assert(snapsup.SideInfo, DeepEquals, si)
 
@@ -3871,18 +6041,23 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
+			op:    "auto-disconnect:Doing",
+			name:  "some-snap",
+			revno: snap.R(7),
+		},
+		{
 			op:   "remove-snap-aliases",
 			name: "some-snap",
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:    "remove-profiles:Doing",
@@ -3891,15 +6066,20 @@
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:   "remove-snap-common-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+		},
+		{
+			op:   "remove-snap-data-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapDataDir, "some-snap"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 			stype: "app",
 		},
 		{
@@ -3907,8 +6087,9 @@
 			name: "some-snap",
 		},
 		{
-			op:   "discard-conns:Doing",
+			op:   "remove-snap-dir",
 			name: "some-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap"),
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -3926,27 +6107,276 @@
 		c.Assert(err, IsNil)
 
 		var expSnapSetup *snapstate.SnapSetup
-		if t.Kind() == "discard-conns" {
+		switch t.Kind() {
+		case "discard-conns":
 			expSnapSetup = &snapstate.SnapSetup{
 				SideInfo: &snap.SideInfo{
 					RealName: "some-snap",
 				},
 			}
-		} else {
+		case "clear-snap", "discard-snap":
+			expSnapSetup = &snapstate.SnapSetup{
+				SideInfo: &snap.SideInfo{
+					RealName: "some-snap",
+					Revision: snap.R(7),
+				},
+			}
+		default:
+			expSnapSetup = &snapstate.SnapSetup{
+				SideInfo: &snap.SideInfo{
+					RealName: "some-snap",
+					Revision: snap.R(7),
+				},
+				Type:      snap.TypeApp,
+				PlugsOnly: true,
+			}
+
+		}
+
+		c.Check(snapsup, DeepEquals, expSnapSetup, Commentf(t.Kind()))
+	}
+
+	// verify snaps in the system state
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, Equals, state.ErrNoState)
+}
+
+func (s *snapmgrTestSuite) TestParallelInstanceRemoveRunThrough(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(7),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// pretend we have both a regular snap and a parallel instance
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		SnapType: "app",
+	})
+
+	chg := s.state.NewChange("remove", "remove a snap")
+	ts, err := snapstate.Remove(s.state, "some-snap_instance", snap.R(0))
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	expected := fakeOps{
+		{
+			op:    "auto-disconnect:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(7),
+		},
+		{
+			op:   "remove-snap-aliases",
+			name: "some-snap_instance",
+		},
+		{
+			op:   "unlink-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+		},
+		{
+			op:    "remove-profiles:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(7),
+		},
+		{
+			op:   "remove-snap-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+		},
+		{
+			op:   "remove-snap-common-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+		},
+		{
+			op:             "remove-snap-data-dir",
+			name:           "some-snap_instance",
+			path:           filepath.Join(dirs.SnapDataDir, "some-snap"),
+			otherInstances: true,
+		},
+		{
+			op:    "remove-snap-files",
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+			stype: "app",
+		},
+		{
+			op:   "discard-namespace",
+			name: "some-snap_instance",
+		},
+		{
+			op:             "remove-snap-dir",
+			name:           "some-snap_instance",
+			path:           filepath.Join(dirs.SnapMountDir, "some-snap"),
+			otherInstances: true,
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Check(len(s.fakeBackend.ops), Equals, len(expected))
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Check(s.fakeBackend.ops, DeepEquals, expected)
+
+	// verify snapSetup info
+	tasks := ts.Tasks()
+	for _, t := range tasks {
+		if t.Kind() == "run-hook" {
+			continue
+		}
+		snapsup, err := snapstate.TaskSnapSetup(t)
+		c.Assert(err, IsNil)
+
+		var expSnapSetup *snapstate.SnapSetup
+		switch t.Kind() {
+		case "discard-conns":
+			expSnapSetup = &snapstate.SnapSetup{
+				SideInfo: &snap.SideInfo{
+					RealName: "some-snap",
+				},
+				InstanceKey: "instance",
+			}
+		case "clear-snap", "discard-snap":
+			expSnapSetup = &snapstate.SnapSetup{
+				SideInfo: &snap.SideInfo{
+					RealName: "some-snap",
+					Revision: snap.R(7),
+				},
+				InstanceKey: "instance",
+			}
+		default:
 			expSnapSetup = &snapstate.SnapSetup{
 				SideInfo: &snap.SideInfo{
 					RealName: "some-snap",
 					Revision: snap.R(7),
 				},
+				Type:        snap.TypeApp,
+				PlugsOnly:   true,
+				InstanceKey: "instance",
 			}
+
 		}
+
 		c.Check(snapsup, DeepEquals, expSnapSetup, Commentf(t.Kind()))
 	}
 
 	// verify snaps in the system state
 	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
+	c.Assert(err, Equals, state.ErrNoState)
+
+	// the non-instance snap is still there
 	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+}
+
+func (s *snapmgrTestSuite) TestParallelInstanceRemoveRunThroughOtherInstances(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(7),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// pretend we have both a regular snap and a parallel instance
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
+	snapstate.Set(s.state, "some-snap_other", &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		SnapType:    "app",
+		InstanceKey: "other",
+	})
+
+	chg := s.state.NewChange("remove", "remove a snap")
+	ts, err := snapstate.Remove(s.state, "some-snap_instance", snap.R(0))
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	s.settle(c)
+	s.state.Lock()
+
+	expected := fakeOps{
+		{
+			op:    "auto-disconnect:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(7),
+		},
+		{
+			op:   "remove-snap-aliases",
+			name: "some-snap_instance",
+		},
+		{
+			op:   "unlink-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+		},
+		{
+			op:    "remove-profiles:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(7),
+		},
+		{
+			op:   "remove-snap-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+		},
+		{
+			op:   "remove-snap-common-data",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+		},
+		{
+			op:             "remove-snap-data-dir",
+			name:           "some-snap_instance",
+			path:           filepath.Join(dirs.SnapDataDir, "some-snap"),
+			otherInstances: true,
+		},
+		{
+			op:    "remove-snap-files",
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+			stype: "app",
+		},
+		{
+			op:   "discard-namespace",
+			name: "some-snap_instance",
+		},
+		{
+			op:             "remove-snap-dir",
+			name:           "some-snap_instance",
+			path:           filepath.Join(dirs.SnapMountDir, "some-snap"),
+			otherInstances: true,
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Check(len(s.fakeBackend.ops), Equals, len(expected))
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Check(s.fakeBackend.ops, DeepEquals, expected)
+
+	// verify snaps in the system state
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
 	c.Assert(err, Equals, state.ErrNoState)
+
+	// the other instance is still there
+	err = snapstate.Get(s.state, "some-snap_other", &snapst)
+	c.Assert(err, IsNil)
 }
 
 func (s *snapmgrTestSuite) TestRemoveWithManyRevisionsRunThrough(c *C) {
@@ -3981,18 +6411,23 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
+			op:    "auto-disconnect:Doing",
+			name:  "some-snap",
+			revno: snap.R(7),
+		},
+		{
 			op:   "remove-snap-aliases",
 			name: "some-snap",
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:    "remove-profiles:Doing",
@@ -4001,33 +6436,38 @@
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 			stype: "app",
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/3"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/3"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/3"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/3"),
 			stype: "app",
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/5"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/5"),
 		},
 		{
 			op:   "remove-snap-common-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/5"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/5"),
+		},
+		{
+			op:   "remove-snap-data-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapDataDir, "some-snap"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/5"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/5"),
 			stype: "app",
 		},
 		{
@@ -4035,8 +6475,9 @@
 			name: "some-snap",
 		},
 		{
-			op:   "discard-conns:Doing",
+			op:   "remove-snap-dir",
 			name: "some-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap"),
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -4055,19 +6496,30 @@
 		c.Assert(err, IsNil)
 
 		var expSnapSetup *snapstate.SnapSetup
-		if t.Kind() == "discard-conns" {
+		switch t.Kind() {
+		case "discard-conns":
+			expSnapSetup = &snapstate.SnapSetup{
+				SideInfo: &snap.SideInfo{
+					RealName: "some-snap",
+				},
+			}
+		case "clear-snap", "discard-snap":
 			expSnapSetup = &snapstate.SnapSetup{
 				SideInfo: &snap.SideInfo{
 					RealName: "some-snap",
+					Revision: revnos[whichRevno],
 				},
 			}
-		} else {
+		default:
 			expSnapSetup = &snapstate.SnapSetup{
 				SideInfo: &snap.SideInfo{
 					RealName: "some-snap",
-					Revision: revnos[whichRevno],
+					Revision: snap.R(7),
 				},
+				Type:      snap.TypeApp,
+				PlugsOnly: true,
 			}
+
 		}
 
 		c.Check(snapsup, DeepEquals, expSnapSetup, Commentf(t.Kind()))
@@ -4115,7 +6567,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4123,11 +6575,11 @@
 	expected := fakeOps{
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/3"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/3"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/3"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/3"),
 			stype: "app",
 		},
 	}
@@ -4180,23 +6632,33 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
-	c.Check(len(s.fakeBackend.ops), Equals, 5)
+	c.Check(len(s.fakeBackend.ops), Equals, 7)
 	expected := fakeOps{
 		{
+			op:    "auto-disconnect:Doing",
+			name:  "some-snap",
+			revno: snap.R(2),
+		},
+		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 		},
 		{
 			op:   "remove-snap-common-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+		},
+		{
+			op:   "remove-snap-data-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapDataDir, "some-snap"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 			stype: "app",
 		},
 		{
@@ -4204,8 +6666,9 @@
 			name: "some-snap",
 		},
 		{
-			op:   "discard-conns:Doing",
+			op:   "remove-snap-dir",
 			name: "some-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap"),
 		},
 	}
 	// start with an easier-to-read error if this fails:
@@ -4229,6 +6692,10 @@
 		if t.Kind() != "discard-conns" {
 			expSnapSetup.SideInfo.Revision = snap.R(2)
 		}
+		if t.Kind() == "auto-disconnect" {
+			expSnapSetup.PlugsOnly = true
+			expSnapSetup.Type = "app"
+		}
 
 		c.Check(snapsup, DeepEquals, expSnapSetup, Commentf(t.Kind()))
 	}
@@ -4387,7 +6854,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4440,7 +6907,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4481,7 +6948,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 
 	s.state.Lock()
@@ -4528,7 +6995,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 
 	s.state.Lock()
@@ -4569,7 +7036,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4577,7 +7044,7 @@
 	expectedTail := fakeOps{
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -4589,20 +7056,20 @@
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/1"),
 			stype: "app",
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 			stype: "app",
 		},
 		{
@@ -4736,7 +7203,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4747,7 +7214,7 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:    "setup-profiles:Doing",
@@ -4763,7 +7230,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -4799,6 +7266,112 @@
 	c.Assert(snapst.Block(), DeepEquals, []snap.Revision{snap.R(7)})
 }
 
+func (s *snapmgrTestSuite) TestParallelInstanceRevertRunThrough(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(7),
+	}
+	siOld := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(2),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Active:      true,
+		SnapType:    "app",
+		Sequence:    []*snap.SideInfo{&siOld, &si},
+		Current:     si.Revision,
+		InstanceKey: "instance",
+	})
+
+	// another snap withouth instance key
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		SnapType: "app",
+		Sequence: []*snap.SideInfo{&siOld, &si},
+		Current:  si.Revision,
+	})
+
+	chg := s.state.NewChange("revert", "revert a snap backwards")
+	ts, err := snapstate.Revert(s.state, "some-snap_instance", snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	expected := fakeOps{
+		{
+			op:   "remove-snap-aliases",
+			name: "some-snap_instance",
+		},
+		{
+			op:   "unlink-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
+		},
+		{
+			op:    "setup-profiles:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(2),
+		},
+		{
+			op: "candidate",
+			sinfo: snap.SideInfo{
+				RealName: "some-snap",
+				Revision: snap.R(2),
+			},
+		},
+		{
+			op:   "link-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/2"),
+		},
+		{
+			op:    "auto-connect:Doing",
+			name:  "some-snap_instance",
+			revno: snap.R(2),
+		},
+		{
+			op: "update-aliases",
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	// verify that the R(2) version is active now and R(7) is still there
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
+	c.Assert(err, IsNil)
+
+	c.Assert(snapst.Active, Equals, true)
+	c.Assert(snapst.Current, Equals, snap.R(2))
+	c.Assert(snapst.InstanceKey, Equals, "instance")
+	c.Assert(snapst.Sequence, HasLen, 2)
+	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		Channel:  "",
+		Revision: snap.R(2),
+	})
+	c.Assert(snapst.Sequence[1], DeepEquals, &snap.SideInfo{
+		RealName: "some-snap",
+		Channel:  "",
+		Revision: snap.R(7),
+	})
+	c.Assert(snapst.Block(), DeepEquals, []snap.Revision{snap.R(7)})
+
+	// non instance snap is not affected
+	var nonInstanceSnapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap", &nonInstanceSnapst)
+	c.Assert(err, IsNil)
+	c.Assert(nonInstanceSnapst.Current, Equals, snap.R(7))
+
+}
+
 func (s *snapmgrTestSuite) TestRevertWithLocalRevisionRunThrough(c *C) {
 	si := snap.SideInfo{
 		RealName: "some-snap",
@@ -4825,7 +7398,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4869,7 +7442,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4880,7 +7453,7 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 		},
 		{
 			op:    "setup-profiles:Doing",
@@ -4893,7 +7466,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -4955,7 +7528,7 @@
 	chg.AddTask(terr)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -4966,7 +7539,7 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 		},
 		{
 			op:    "setup-profiles:Doing",
@@ -4982,7 +7555,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -4999,7 +7572,7 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
 		},
 		{
 			op:    "setup-profiles:Undoing",
@@ -5008,7 +7581,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 		},
 		{
 			op: "update-aliases",
@@ -5056,7 +7629,7 @@
 	s.fakeBackend.linkSnapFailTrigger = filepath.Join(dirs.SnapMountDir, "some-snap/1")
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -5067,7 +7640,7 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
 		},
 		{
 			op:    "setup-profiles:Doing",
@@ -5082,64 +7655,219 @@
 			},
 		},
 		{
-			op:   "link-snap.failed",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+			op:   "link-snap.failed",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+		},
+		// undo stuff here
+		{
+			op:   "unlink-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+		},
+		{
+			op:    "setup-profiles:Undoing",
+			name:  "some-snap",
+			revno: snap.R(1),
+		},
+		{
+			op:   "link-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
+		},
+		{
+			op: "update-aliases",
+		},
+	}
+
+	// ensure all our tasks ran
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	// verify snaps in the system state
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+
+	c.Assert(snapst.Active, Equals, true)
+	c.Assert(snapst.Sequence, HasLen, 2)
+	c.Assert(snapst.Current, Equals, snap.R(2))
+}
+
+func (s *snapmgrTestSuite) TestEnableDoesNotEnableAgain(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(7),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{&si},
+		Current:  snap.R(7),
+		Active:   true,
+	})
+
+	ts, err := snapstate.Enable(s.state, "some-snap")
+	c.Assert(err, ErrorMatches, `snap "some-snap" already enabled`)
+	c.Assert(ts, IsNil)
+}
+
+func (s *snapmgrTestSuite) TestEnableRunThrough(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(7),
+		Channel:  "edge",
+		SnapID:   "foo",
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	flags := snapstate.Flags{
+		DevMode:  true,
+		JailMode: true,
+		Classic:  true,
+		TryMode:  true,
+		Required: true,
+	}
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Sequence:            []*snap.SideInfo{&si},
+		Current:             si.Revision,
+		Active:              false,
+		Channel:             "edge",
+		Flags:               flags,
+		AliasesPending:      true,
+		AutoAliasesDisabled: true,
+	})
+
+	chg := s.state.NewChange("enable", "enable a snap")
+	ts, err := snapstate.Enable(s.state, "some-snap")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	expected := fakeOps{
+		{
+			op:    "setup-profiles:Doing",
+			name:  "some-snap",
+			revno: snap.R(7),
+		},
+		{
+			op:    "candidate",
+			sinfo: si,
+		},
+		{
+			op:   "link-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+		},
+		{
+			op:    "auto-connect:Doing",
+			name:  "some-snap",
+			revno: snap.R(7),
+		},
+		{
+			op: "update-aliases",
+		},
+	}
+	// start with an easier-to-read error if this fails:
+	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
+	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
+
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Check(snapst.Flags, DeepEquals, flags)
+
+	c.Assert(snapst.Active, Equals, true)
+	c.Assert(snapst.AliasesPending, Equals, false)
+	c.Assert(snapst.AutoAliasesDisabled, Equals, true)
+
+	info, err := snapst.CurrentInfo()
+	c.Assert(err, IsNil)
+	c.Assert(info.Channel, Equals, "edge")
+	c.Assert(info.SnapID, Equals, "foo")
+
+	first := ts.Tasks()[0]
+	snapsup, err := snapstate.TaskSnapSetup(first)
+	c.Assert(err, IsNil)
+	c.Check(snapsup, DeepEquals, &snapstate.SnapSetup{
+		SideInfo:  &si,
+		Flags:     flags,
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
+	})
+}
+
+func (s *snapmgrTestSuite) TestDisableRunThrough(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(7),
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		Active:   true,
+		SnapType: "app",
+	})
+
+	chg := s.state.NewChange("disable", "disable a snap")
+	ts, err := snapstate.Disable(s.state, "some-snap")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	expected := fakeOps{
+		{
+			op:   "remove-snap-aliases",
+			name: "some-snap",
 		},
-		// undo stuff here
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/1"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
-			op:    "setup-profiles:Undoing",
+			op:    "remove-profiles:Doing",
 			name:  "some-snap",
-			revno: snap.R(1),
-		},
-		{
-			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/2"),
-		},
-		{
-			op: "update-aliases",
+			revno: snap.R(7),
 		},
 	}
-
-	// ensure all our tasks ran
 	// start with an easier-to-read error if this fails:
 	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
 	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
 
-	// verify snaps in the system state
 	var snapst snapstate.SnapState
 	err = snapstate.Get(s.state, "some-snap", &snapst)
 	c.Assert(err, IsNil)
 
-	c.Assert(snapst.Active, Equals, true)
-	c.Assert(snapst.Sequence, HasLen, 2)
-	c.Assert(snapst.Current, Equals, snap.R(2))
-}
-
-func (s *snapmgrTestSuite) TestEnableDoesNotEnableAgain(c *C) {
-	si := snap.SideInfo{
-		RealName: "some-snap",
-		Revision: snap.R(7),
-	}
-
-	s.state.Lock()
-	defer s.state.Unlock()
+	c.Assert(snapst.Active, Equals, false)
+	c.Assert(snapst.AliasesPending, Equals, true)
 
-	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
-		Sequence: []*snap.SideInfo{&si},
-		Current:  snap.R(7),
-		Active:   true,
+	first := ts.Tasks()[0]
+	snapsup, err := snapstate.TaskSnapSetup(first)
+	c.Assert(err, IsNil)
+	c.Check(snapsup, DeepEquals, &snapstate.SnapSetup{
+		SideInfo: &snap.SideInfo{
+			RealName: "some-snap",
+			Revision: snap.R(7),
+		},
+		Type:      snap.TypeApp,
+		PlugsOnly: true,
 	})
-
-	ts, err := snapstate.Enable(s.state, "some-snap")
-	c.Assert(err, ErrorMatches, `snap "some-snap" already enabled`)
-	c.Assert(ts, IsNil)
 }
 
-func (s *snapmgrTestSuite) TestEnableRunThrough(c *C) {
+func (s *snapmgrTestSuite) TestParallelInstanceEnableRunThrough(c *C) {
 	si := snap.SideInfo{
 		RealName: "some-snap",
 		Revision: snap.R(7),
@@ -5157,6 +7885,16 @@
 		TryMode:  true,
 		Required: true,
 	}
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Sequence:            []*snap.SideInfo{&si},
+		Current:             si.Revision,
+		Active:              false,
+		Channel:             "edge",
+		Flags:               flags,
+		AliasesPending:      true,
+		AutoAliasesDisabled: true,
+		InstanceKey:         "instance",
+	})
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Sequence:            []*snap.SideInfo{&si},
 		Current:             si.Revision,
@@ -5168,19 +7906,18 @@
 	})
 
 	chg := s.state.NewChange("enable", "enable a snap")
-	ts, err := snapstate.Enable(s.state, "some-snap")
+	ts, err := snapstate.Enable(s.state, "some-snap_instance")
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
 			op:    "setup-profiles:Doing",
-			name:  "some-snap",
+			name:  "some-snap_instance",
 			revno: snap.R(7),
 		},
 		{
@@ -5189,11 +7926,11 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
 		},
 		{
 			op:    "auto-connect:Doing",
-			name:  "some-snap",
+			name:  "some-snap_instance",
 			revno: snap.R(7),
 		},
 		{
@@ -5205,10 +7942,11 @@
 	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
 
 	var snapst snapstate.SnapState
-	err = snapstate.Get(s.state, "some-snap", &snapst)
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
 	c.Assert(err, IsNil)
 	c.Check(snapst.Flags, DeepEquals, flags)
 
+	c.Assert(snapst.InstanceKey, Equals, "instance")
 	c.Assert(snapst.Active, Equals, true)
 	c.Assert(snapst.AliasesPending, Equals, false)
 	c.Assert(snapst.AutoAliasesDisabled, Equals, true)
@@ -5217,9 +7955,16 @@
 	c.Assert(err, IsNil)
 	c.Assert(info.Channel, Equals, "edge")
 	c.Assert(info.SnapID, Equals, "foo")
+
+	// the non-parallel instance is still disabled
+	snapst = snapstate.SnapState{}
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Assert(snapst.InstanceKey, Equals, "")
+	c.Assert(snapst.Active, Equals, false)
 }
 
-func (s *snapmgrTestSuite) TestDisableRunThrough(c *C) {
+func (s *snapmgrTestSuite) TestParallelInstanceDisableRunThrough(c *C) {
 	si := snap.SideInfo{
 		RealName: "some-snap",
 		Revision: snap.R(7),
@@ -5233,29 +7978,34 @@
 		Current:  si.Revision,
 		Active:   true,
 	})
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		Active:      true,
+		InstanceKey: "instance",
+	})
 
 	chg := s.state.NewChange("disable", "disable a snap")
-	ts, err := snapstate.Disable(s.state, "some-snap")
+	ts, err := snapstate.Disable(s.state, "some-snap_instance")
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
 			op:   "remove-snap-aliases",
-			name: "some-snap",
+			name: "some-snap_instance",
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap_instance/7"),
 		},
 		{
 			op:    "remove-profiles:Doing",
-			name:  "some-snap",
+			name:  "some-snap_instance",
 			revno: snap.R(7),
 		},
 	}
@@ -5264,11 +8014,18 @@
 	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
 
 	var snapst snapstate.SnapState
-	err = snapstate.Get(s.state, "some-snap", &snapst)
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
 	c.Assert(err, IsNil)
-
+	c.Assert(snapst.InstanceKey, Equals, "instance")
 	c.Assert(snapst.Active, Equals, false)
 	c.Assert(snapst.AliasesPending, Equals, true)
+
+	// the non-parallel instance is still active
+	snapst = snapstate.SnapState{}
+	err = snapstate.Get(s.state, "some-snap", &snapst)
+	c.Assert(err, IsNil)
+	c.Assert(snapst.InstanceKey, Equals, "")
+	c.Assert(snapst.Active, Equals, true)
 }
 
 func (s *snapmgrTestSuite) TestSwitchRunThrough(c *C) {
@@ -5294,7 +8051,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -5313,6 +8070,61 @@
 	c.Assert(info.Channel, Equals, "edge")
 }
 
+func (s *snapmgrTestSuite) TestParallelInstallSwitchRunThrough(c *C) {
+	si := snap.SideInfo{
+		RealName: "some-snap",
+		Revision: snap.R(7),
+		Channel:  "edge",
+		SnapID:   "foo",
+	}
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		Channel:  "edge",
+	})
+
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		Channel:     "edge",
+		InstanceKey: "instance",
+	})
+
+	chg := s.state.NewChange("switch-snap", "switch snap to some-channel")
+	ts, err := snapstate.Switch(s.state, "some-snap_instance", "some-channel")
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	// switch is not really really doing anything backend related
+	c.Assert(s.fakeBackend.ops, HasLen, 0)
+
+	// ensure the desired channel has changed
+	var snapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap_instance", &snapst)
+	c.Assert(err, IsNil)
+	c.Assert(snapst.Channel, Equals, "some-channel")
+
+	// ensure the current info has not changed
+	info, err := snapst.CurrentInfo()
+	c.Assert(err, IsNil)
+	c.Assert(info.Channel, Equals, "edge")
+
+	// Ensure that the non-intance snap is unchanged
+	var nonInstanceSnapst snapstate.SnapState
+	err = snapstate.Get(s.state, "some-snap", &nonInstanceSnapst)
+	c.Assert(err, IsNil)
+	c.Assert(nonInstanceSnapst.Channel, Equals, "edge")
+}
+
 func (s *snapmgrTestSuite) TestDisableDoesNotEnableAgain(c *C) {
 	si := snap.SideInfo{
 		RealName: "some-snap",
@@ -5345,14 +8157,22 @@
 	s.fakeBackend.copySnapDataFailTrigger = filepath.Join(dirs.SnapMountDir, "some-snap/11")
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
 	expected := fakeOps{
 		{
-			op:     "storesvc-snap",
-			name:   "some-snap",
+			op:     "storesvc-snap-action",
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-snap",
+				Channel:      "some-channel",
+			},
 			revno:  snap.R(11),
 			userID: 1,
 		},
@@ -5371,7 +8191,7 @@
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "some-snap",
 				SnapID:   "some-snap-id",
@@ -5381,19 +8201,31 @@
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_11.snap"),
 			revno: snap.R(11),
 		},
 		{
 			op:   "copy-data.failed",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			old:  "<no-old>",
 		},
 		{
+			op:   "remove-snap-data-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapDataDir, "some-snap"),
+		},
+		{
 			op:    "undo-setup-snap",
-			name:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 			stype: "app",
 		},
+		{
+			op:   "remove-snap-dir",
+			name: "some-snap",
+			path: filepath.Join(dirs.SnapMountDir, "some-snap"),
+		},
 	}
 	// start with an easier-to-read error if this fails:
 	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
@@ -5439,7 +8271,7 @@
 	s.fakeBackend.linkSnapFailTrigger = filepath.Join(dirs.SnapMountDir, "some-snap/11")
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -5491,7 +8323,7 @@
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 	// verify that we excluded this field from the bugreport
@@ -5503,14 +8335,80 @@
 
 }
 
+func (s *snapmgrTestSuite) TestAbortCausesNoErrReport(c *C) {
+	errReported := 0
+	restore := snapstate.MockErrtrackerReport(func(aSnap, aErrMsg, aDupSig string, extra map[string]string) (string, error) {
+		errReported++
+		return "oops-id", nil
+	})
+	defer restore()
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+	s.fakeBackend.linkSnapWaitCh = make(chan int)
+	s.fakeBackend.linkSnapWaitTrigger = filepath.Join(dirs.SnapMountDir, "some-snap/11")
+	go func() {
+		<-s.fakeBackend.linkSnapWaitCh
+		chg.Abort()
+		s.fakeBackend.linkSnapWaitCh <- 1
+	}()
+
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Check(chg.Status(), Equals, state.UndoneStatus)
+	c.Assert(errReported, Equals, 0)
+}
+
+func (s *snapmgrTestSuite) TestErrreportDisable(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "problem-reports.disabled", true)
+	tr.Commit()
+
+	restore := snapstate.MockErrtrackerReport(func(aSnap, aErrMsg, aDupSig string, extra map[string]string) (string, error) {
+		c.Fatalf("this should not be reached")
+		return "", nil
+	})
+	defer restore()
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+	s.fakeBackend.linkSnapFailTrigger = filepath.Join(dirs.SnapMountDir, "some-snap/11")
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	// no failure report was generated
+}
+
 func (s *snapmgrTestSuite) TestEnsureRefreshesAtSeedPolicy(c *C) {
 	// special policy only on classic
 	r := release.MockOnClassic(true)
 	defer r()
+	// set at not seeded yet
+	st := s.state
+	st.Lock()
+	st.Set("seeded", nil)
+	st.Unlock()
 
 	s.snapmgr.Ensure()
 
-	st := s.state
 	st.Lock()
 	defer st.Unlock()
 
@@ -5523,6 +8421,56 @@
 	c.Check(err, IsNil)
 }
 
+func (s *snapmgrTestSuite) TestEsnureCleansOldSideloads(c *C) {
+	filenames := func() []string {
+		filenames, _ := filepath.Glob(filepath.Join(dirs.SnapBlobDir, "*"))
+		return filenames
+	}
+
+	defer snapstate.MockLocalInstallCleanupWait(200 * time.Millisecond)()
+	c.Assert(os.MkdirAll(dirs.SnapBlobDir, 0700), IsNil)
+	// sanity check; note * in go glob matches .foo
+	c.Assert(filenames(), HasLen, 0)
+
+	s0 := filepath.Join(dirs.SnapBlobDir, "some.snap")
+	s1 := filepath.Join(dirs.SnapBlobDir, dirs.LocalInstallBlobTempPrefix+"-12345")
+	s2 := filepath.Join(dirs.SnapBlobDir, dirs.LocalInstallBlobTempPrefix+"-67890")
+
+	c.Assert(ioutil.WriteFile(s0, nil, 0600), IsNil)
+	c.Assert(ioutil.WriteFile(s1, nil, 0600), IsNil)
+	c.Assert(ioutil.WriteFile(s2, nil, 0600), IsNil)
+
+	t1 := time.Now()
+	t0 := t1.Add(-time.Hour)
+
+	c.Assert(os.Chtimes(s0, t0, t0), IsNil)
+	c.Assert(os.Chtimes(s1, t0, t0), IsNil)
+	c.Assert(os.Chtimes(s2, t1, t1), IsNil)
+
+	// all there
+	c.Assert(filenames(), DeepEquals, []string{s1, s2, s0})
+
+	// set last cleanup in the future
+	defer snapstate.MockLocalInstallLastCleanup(t1.Add(time.Minute))()
+	s.snapmgr.Ensure()
+	// all there ( -> cleanup not done)
+	c.Assert(filenames(), DeepEquals, []string{s1, s2, s0})
+
+	// set last cleanup to epoch
+	snapstate.MockLocalInstallLastCleanup(time.Time{})
+
+	s.snapmgr.Ensure()
+	// oldest sideload gone
+	c.Assert(filenames(), DeepEquals, []string{s2, s0})
+
+	time.Sleep(200 * time.Millisecond)
+
+	s.snapmgr.Ensure()
+	// all sideloads gone
+	c.Assert(filenames(), DeepEquals, []string{s0})
+
+}
+
 func (s *snapmgrTestSuite) verifyRefreshLast(c *C) {
 	var lastRefresh time.Time
 
@@ -5532,7 +8480,6 @@
 
 func makeTestRefreshConfig(st *state.State) {
 	// avoid special at seed policy
-	st.Set("seeded", true)
 	now := time.Now()
 	st.Set("last-refresh", time.Date(2009, 8, 13, 8, 0, 5, 0, now.Location()))
 
@@ -5557,7 +8504,7 @@
 
 	// Ensure() also runs ensureRefreshes()
 	s.state.Unlock()
-	s.snapmgr.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	c.Check(logbuf.String(), testutil.Contains, `cannot use refresh.schedule configuration: cannot parse "mon@12:00": not a valid time`)
@@ -5589,7 +8536,7 @@
 
 	// Ensure() also runs ensureRefreshes()
 	s.state.Unlock()
-	s.snapmgr.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	// expecting new refresh.timer to have been used, fallback to legacy was
@@ -5613,7 +8560,7 @@
 
 	// Ensure() also runs ensureRefreshes()
 	s.state.Unlock()
-	s.snapmgr.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	// refresh.timer is unset, triggering automatic fallback to legacy
@@ -5636,7 +8583,7 @@
 
 	// Ensure() also runs ensureRefreshes()
 	s.state.Unlock()
-	s.snapmgr.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	// automatic fallback to default schedule if refresh.timer is set but
@@ -5667,7 +8614,7 @@
 
 	// Ensure() also runs ensureRefreshes()
 	s.state.Unlock()
-	s.snapmgr.Ensure()
+	s.se.Ensure()
 	s.state.Lock()
 
 	// automatic fallback to default schedule if neither refresh.timer nor
@@ -5776,6 +8723,8 @@
 	c.Check(chg.Kind(), Equals, "auto-refresh")
 	c.Check(chg.IsReady(), Equals, false)
 	s.verifyRefreshLast(c)
+
+	checkIsAutoRefresh(c, chg.Tasks(), true)
 }
 
 func (s *snapmgrTestSuite) TestEnsureRefreshesImmediateWithUpdate(c *C) {
@@ -5893,7 +8842,6 @@
 	snapstate.CanAutoRefresh = func(*state.State) (bool, error) { return true, nil }
 
 	// avoid special at seed policy
-	s.state.Set("seeded", true)
 	s.state.Set("last-refresh", time.Time{})
 	autoRefreshAssertionsCalled := 0
 	restore := mockAutoRefreshAssertions(func(st *state.State, userID int) error {
@@ -5920,7 +8868,7 @@
 	c.Check(autoRefreshAssertionsCalled, Equals, 1)
 }
 
-func (s *snapmgrTestSuite) TestEnsureRefreshesDisabledViaSnapdControl(c *C) {
+func (s *snapmgrTestSuite) testEnsureRefreshesDisabledViaSnapdControl(c *C, confSet func(*config.Transaction)) {
 	st := s.state
 	st.Lock()
 	defer st.Unlock()
@@ -5951,8 +8899,9 @@
 		return true
 	}
 	defer func() { snapstate.CanManageRefreshes = oldCanManageRefreshes }()
+
 	tr := config.NewTransaction(st)
-	tr.Set("core", "refresh.schedule", "managed")
+	confSet(tr)
 	tr.Commit()
 
 	// Ensure() also runs ensureRefreshes()
@@ -5974,12 +8923,60 @@
 	c.Check(lastRefreshHints.Year(), Equals, time.Now().Year())
 }
 
+func (s *snapmgrTestSuite) TestEnsureRefreshDisableLegacy(c *C) {
+	f := func(tr *config.Transaction) {
+		tr.Set("core", "refresh.timer", "")
+		tr.Set("core", "refresh.schedule", "managed")
+	}
+	s.testEnsureRefreshesDisabledViaSnapdControl(c, f)
+}
+
+func (s *snapmgrTestSuite) TestEnsureRefreshDisableNew(c *C) {
+	f := func(tr *config.Transaction) {
+		tr.Set("core", "refresh.timer", "managed")
+		tr.Set("core", "refresh.schedule", "")
+	}
+	s.testEnsureRefreshesDisabledViaSnapdControl(c, f)
+}
+
+func (s *snapmgrTestSuite) TestEnsureRefreshDisableNewTrumpsOld(c *C) {
+	f := func(tr *config.Transaction) {
+		tr.Set("core", "refresh.timer", "managed")
+		tr.Set("core", "refresh.schedule", "00:00-12:00")
+	}
+	s.testEnsureRefreshesDisabledViaSnapdControl(c, f)
+}
+
 func (s *snapmgrTestSuite) TestDefaultRefreshScheduleParsing(c *C) {
 	l, err := timeutil.ParseSchedule(snapstate.DefaultRefreshSchedule)
 	c.Assert(err, IsNil)
 	c.Assert(l, HasLen, 1)
 }
 
+func (s *snapmgrTestSuite) TestWaitRestartBasics(c *C) {
+	r := release.MockOnClassic(true)
+	defer r()
+
+	st := s.state
+	st.Lock()
+	defer st.Unlock()
+
+	task := st.NewTask("auto-connect", "...")
+
+	// not restarting
+	state.MockRestarting(st, state.RestartUnset)
+	si := &snap.SideInfo{RealName: "some-app"}
+	snaptest.MockSnap(c, "name: some-app\nversion: 1", si)
+	snapsup := &snapstate.SnapSetup{SideInfo: si}
+	err := snapstate.WaitRestart(task, snapsup)
+	c.Check(err, IsNil)
+
+	// restarting ... we always wait
+	state.MockRestarting(st, state.RestartDaemon)
+	err = snapstate.WaitRestart(task, snapsup)
+	c.Check(err, FitsTypeOf, &state.Retry{})
+}
+
 type snapmgrQuerySuite struct {
 	st      *state.State
 	restore func()
@@ -6004,6 +9001,7 @@
 	// Write a snap.yaml with fake name
 	sideInfo11 := &snap.SideInfo{RealName: "name1", Revision: snap.R(11), EditedSummary: "s11"}
 	sideInfo12 := &snap.SideInfo{RealName: "name1", Revision: snap.R(12), EditedSummary: "s12"}
+	instanceSideInfo13 := &snap.SideInfo{RealName: "name1", Revision: snap.R(13), EditedSummary: "s13 instance"}
 	snaptest.MockSnap(c, `
 name: name0
 version: 1.1
@@ -6014,12 +9012,24 @@
 version: 1.2
 description: |
     Lots of text`, sideInfo12)
+	snaptest.MockSnapInstance(c, "name1_instance", `
+name: name0
+version: 1.3
+description: |
+    Lots of text`, instanceSideInfo13)
 	snapstate.Set(st, "name1", &snapstate.SnapState{
 		Active:   true,
 		Sequence: []*snap.SideInfo{sideInfo11, sideInfo12},
 		Current:  sideInfo12.Revision,
 		SnapType: "app",
 	})
+	snapstate.Set(st, "name1_instance", &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{instanceSideInfo13},
+		Current:     instanceSideInfo13.Revision,
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
 
 	// have also a snap being installed
 	/*
@@ -6042,7 +9052,7 @@
 	info, err := snapstate.Info(st, "name1", snap.R(11))
 	c.Assert(err, IsNil)
 
-	c.Check(info.Name(), Equals, "name1")
+	c.Check(info.InstanceName(), Equals, "name1")
 	c.Check(info.Revision, Equals, snap.R(11))
 	c.Check(info.Summary(), Equals, "s11")
 	c.Check(info.Version, Equals, "1.1")
@@ -6061,13 +9071,32 @@
 	info, err := snapst.CurrentInfo()
 	c.Assert(err, IsNil)
 
-	c.Check(info.Name(), Equals, "name1")
+	c.Check(info.InstanceName(), Equals, "name1")
 	c.Check(info.Revision, Equals, snap.R(12))
 	c.Check(info.Summary(), Equals, "s12")
 	c.Check(info.Version, Equals, "1.2")
 	c.Check(info.Description(), Equals, "Lots of text")
 }
 
+func (s *snapmgrQuerySuite) TestSnapStateCurrentInfoParallelInstall(c *C) {
+	st := s.st
+	st.Lock()
+	defer st.Unlock()
+
+	var snapst snapstate.SnapState
+	err := snapstate.Get(st, "name1_instance", &snapst)
+	c.Assert(err, IsNil)
+
+	info, err := snapst.CurrentInfo()
+	c.Assert(err, IsNil)
+
+	c.Check(info.InstanceName(), Equals, "name1_instance")
+	c.Check(info.Revision, Equals, snap.R(13))
+	c.Check(info.Summary(), Equals, "s13 instance")
+	c.Check(info.Version, Equals, "1.3")
+	c.Check(info.Description(), Equals, "Lots of text")
+}
+
 func (s *snapmgrQuerySuite) TestSnapStateCurrentInfoErrNoCurrent(c *C) {
 	snapst := new(snapstate.SnapState)
 	_, err := snapst.CurrentInfo()
@@ -6083,7 +9112,7 @@
 	info, err := snapstate.CurrentInfo(st, "name1")
 	c.Assert(err, IsNil)
 
-	c.Check(info.Name(), Equals, "name1")
+	c.Check(info.InstanceName(), Equals, "name1")
 	c.Check(info.Revision, Equals, snap.R(12))
 }
 
@@ -6104,13 +9133,28 @@
 	infos, err := snapstate.ActiveInfos(st)
 	c.Assert(err, IsNil)
 
-	c.Check(infos, HasLen, 1)
+	c.Check(infos, HasLen, 2)
+
+	instanceName := "name1_instance"
+	if infos[0].InstanceName() != instanceName && infos[1].InstanceName() != instanceName {
+		c.Fail()
+	}
+	// need stable ordering
+	if infos[0].InstanceName() == instanceName {
+		infos[1], infos[0] = infos[0], infos[1]
+	}
 
-	c.Check(infos[0].Name(), Equals, "name1")
+	c.Check(infos[0].InstanceName(), Equals, "name1")
 	c.Check(infos[0].Revision, Equals, snap.R(12))
 	c.Check(infos[0].Summary(), Equals, "s12")
 	c.Check(infos[0].Version, Equals, "1.2")
 	c.Check(infos[0].Description(), Equals, "Lots of text")
+
+	c.Check(infos[1].InstanceName(), Equals, "name1_instance")
+	c.Check(infos[1].Revision, Equals, snap.R(13))
+	c.Check(infos[1].Summary(), Equals, "s13 instance")
+	c.Check(infos[1].Version, Equals, "1.3")
+	c.Check(infos[1].Description(), Equals, "Lots of text")
 }
 
 func (s *snapmgrQuerySuite) TestTypeInfo(c *C) {
@@ -6157,7 +9201,7 @@
 		info, err := x.getInfo(st)
 		c.Assert(err, IsNil)
 
-		c.Check(info.Name(), Equals, x.snapName)
+		c.Check(info.InstanceName(), Equals, x.snapName)
 		c.Check(info.Revision, Equals, snap.R(2))
 		c.Check(info.Version, Equals, x.snapName)
 		c.Check(info.Type, Equals, x.snapType)
@@ -6217,7 +9261,7 @@
 			c.Assert(err, ErrorMatches, t.errMatcher)
 		} else {
 			c.Assert(info, NotNil)
-			c.Check(info.Name(), Equals, t.expectedSnap, Commentf("(%d) test %q %v", testNr, t.expectedSnap, t.snapNames))
+			c.Check(info.InstanceName(), Equals, t.expectedSnap, Commentf("(%d) test %q %v", testNr, t.expectedSnap, t.snapNames))
 			c.Check(info.Type, Equals, snap.TypeOS)
 		}
 	}
@@ -6253,11 +9297,11 @@
 
 	snapStates, err := snapstate.All(st)
 	c.Assert(err, IsNil)
-	c.Assert(snapStates, HasLen, 1)
+	c.Assert(snapStates, HasLen, 2)
 
 	n, err := snapstate.NumSnaps(st)
 	c.Assert(err, IsNil)
-	c.Check(n, Equals, 1)
+	c.Check(n, Equals, 2)
 
 	snapst := snapStates["name1"]
 	c.Assert(snapst, NotNil)
@@ -6268,7 +9312,7 @@
 	info12, err := snap.ReadInfo("name1", snapst.CurrentSideInfo())
 	c.Assert(err, IsNil)
 
-	c.Check(info12.Name(), Equals, "name1")
+	c.Check(info12.InstanceName(), Equals, "name1")
 	c.Check(info12.Revision, Equals, snap.R(12))
 	c.Check(info12.Summary(), Equals, "s12")
 	c.Check(info12.Version, Equals, "1.2")
@@ -6277,9 +9321,29 @@
 	info11, err := snap.ReadInfo("name1", snapst.Sequence[0])
 	c.Assert(err, IsNil)
 
-	c.Check(info11.Name(), Equals, "name1")
+	c.Check(info11.InstanceName(), Equals, "name1")
 	c.Check(info11.Revision, Equals, snap.R(11))
 	c.Check(info11.Version, Equals, "1.1")
+
+	instance := snapStates["name1_instance"]
+	c.Assert(instance, NotNil)
+
+	c.Check(instance.Active, Equals, true)
+	c.Check(instance.CurrentSideInfo(), NotNil)
+
+	info13, err := snap.ReadInfo("name1_instance", instance.CurrentSideInfo())
+	c.Assert(err, IsNil)
+
+	c.Check(info13.InstanceName(), Equals, "name1_instance")
+	c.Check(info13.SnapName(), Equals, "name1")
+	c.Check(info13.Revision, Equals, snap.R(13))
+	c.Check(info13.Summary(), Equals, "s13 instance")
+	c.Check(info13.Version, Equals, "1.3")
+	c.Check(info13.Description(), Equals, "Lots of text")
+
+	info13other, err := snap.ReadInfo("name1_instance", instance.Sequence[0])
+	c.Assert(err, IsNil)
+	c.Check(info13, DeepEquals, info13other)
 }
 
 func (s *snapmgrQuerySuite) TestAllEmptyAndEmptyNormalisation(c *C) {
@@ -6327,13 +9391,13 @@
 	s.testTrySetsTryMode(snapstate.Flags{JailMode: true}, c)
 }
 func (s *snapmgrTestSuite) TestTrySetsTryModeClassic(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
-	s.testTrySetsTryMode(snapstate.Flags{Classic: true}, c)
+	restore := maybeMockClassicSupport(c)
+	defer restore()
+
+	s.testTrySetsTryMode(snapstate.Flags{Classic: true}, c, "confinement: classic\n")
 }
 
-func (s *snapmgrTestSuite) testTrySetsTryMode(flags snapstate.Flags, c *C) {
+func (s *snapmgrTestSuite) testTrySetsTryMode(flags snapstate.Flags, c *C, extraYaml ...string) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
@@ -6343,7 +9407,14 @@
 	tryYaml := filepath.Join(d, "meta", "snap.yaml")
 	err := os.MkdirAll(filepath.Dir(tryYaml), 0755)
 	c.Assert(err, IsNil)
-	err = ioutil.WriteFile(tryYaml, []byte("name: foo\nversion: 1.0"), 0644)
+	buf := bytes.Buffer{}
+	buf.WriteString("name: foo\nversion: 1.0\n")
+	if len(extraYaml) > 0 {
+		for _, extra := range extraYaml {
+			buf.WriteString(extra)
+		}
+	}
+	err = ioutil.WriteFile(tryYaml, buf.Bytes(), 0644)
 	c.Assert(err, IsNil)
 
 	chg := s.state.NewChange("try", "try snap")
@@ -6352,10 +9423,13 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
+	c.Assert(chg.Err(), IsNil)
+	c.Assert(chg.IsReady(), Equals, true)
+
 	// verify snap is in TryMode
 	var snapst snapstate.SnapState
 	err = snapstate.Get(s.state, "foo", &snapst)
@@ -6372,7 +9446,6 @@
 		"copy-snap-data",
 		"setup-profiles",
 		"link-snap",
-		"setup-profiles",
 		"auto-connect",
 		"set-auto-aliases",
 		"setup-aliases",
@@ -6384,9 +9457,8 @@
 }
 
 func (s *snapmgrTestSuite) TestTryUndoRemovesTryFlag(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
+	restore := maybeMockClassicSupport(c)
+	defer restore()
 	s.testTrySetsTryMode(snapstate.Flags{}, c)
 }
 
@@ -6397,10 +9469,9 @@
 	s.testTrySetsTryMode(snapstate.Flags{JailMode: true}, c)
 }
 func (s *snapmgrTestSuite) TestTryUndoRemovesTryFlagLeavesClassic(c *C) {
-	if !dirs.SupportsClassicConfinement() {
-		c.Skip("no support for classic")
-	}
-	s.testTrySetsTryMode(snapstate.Flags{Classic: true}, c)
+	restore := maybeMockClassicSupport(c)
+	defer restore()
+	s.testTrySetsTryMode(snapstate.Flags{Classic: true}, c, "confinement: classic\n")
 }
 
 func (s *snapmgrTestSuite) testTryUndoRemovesTryFlag(flags snapstate.Flags, c *C) {
@@ -6431,7 +9502,7 @@
 	chg.AddTask(terr)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -6512,22 +9583,72 @@
 	c.Check(func() { snapst.CurrentSideInfo() }, PanicMatches, `cannot find snapst.Current in the snapst.Sequence`)
 }
 
+func (snapStateSuite) TestDefaultContentPlugProviders(c *C) {
+	info := &snap.Info{
+		Plugs: map[string]*snap.PlugInfo{},
+	}
+
+	info.Plugs["foo"] = &snap.PlugInfo{
+		Snap:      info,
+		Name:      "sound-themes",
+		Interface: "content",
+		Attrs:     map[string]interface{}{"default-provider": "common-themes", "content": "foo"},
+	}
+	info.Plugs["bar"] = &snap.PlugInfo{
+		Snap:      info,
+		Name:      "visual-themes",
+		Interface: "content",
+		Attrs:     map[string]interface{}{"default-provider": "common-themes", "content": "bar"},
+	}
+	info.Plugs["baz"] = &snap.PlugInfo{
+		Snap:      info,
+		Name:      "not-themes",
+		Interface: "content",
+		Attrs:     map[string]interface{}{"default-provider": "some-snap", "content": "baz"},
+	}
+	info.Plugs["qux"] = &snap.PlugInfo{Snap: info, Interface: "not-content"}
+
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	repo := interfaces.NewRepository()
+	ifacerepo.Replace(st, repo)
+
+	providers := snapstate.DefaultContentPlugProviders(st, info)
+	sort.Strings(providers)
+	c.Check(providers, DeepEquals, []string{"common-themes", "some-snap"})
+}
+
 type snapSetupSuite struct{}
 
 var _ = Suite(&snapSetupSuite{})
 
-type canRemoveSuite struct{}
+type canRemoveSuite struct {
+	st *state.State
+}
 
 var _ = Suite(&canRemoveSuite{})
 
+func (s *canRemoveSuite) SetUpTest(c *C) {
+	dirs.SetRootDir(c.MkDir())
+	s.st = state.New(nil)
+	snapstate.SetDefaultModel()
+}
+
+func (s *canRemoveSuite) TearDownTest(c *C) {
+	dirs.SetRootDir("/")
+	snapstate.Model = nil
+}
+
 func (s *canRemoveSuite) TestAppAreAlwaysOKToRemove(c *C) {
 	info := &snap.Info{
 		Type: snap.TypeApp,
 	}
 	info.RealName = "foo"
 
-	c.Check(snapstate.CanRemove(info, &snapstate.SnapState{Active: true}, false), Equals, true)
-	c.Check(snapstate.CanRemove(info, &snapstate.SnapState{Active: true}, true), Equals, true)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true}, false), Equals, true)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true}, true), Equals, true)
 }
 
 func (s *canRemoveSuite) TestLastGadgetsAreNotOK(c *C) {
@@ -6536,7 +9657,7 @@
 	}
 	info.RealName = "foo"
 
-	c.Check(snapstate.CanRemove(info, &snapstate.SnapState{}, true), Equals, false)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{}, true), Equals, false)
 }
 
 func (s *canRemoveSuite) TestLastOSAndKernelAreNotOK(c *C) {
@@ -6549,9 +9670,46 @@
 	}
 	kernel.RealName = "krnl"
 
-	c.Check(snapstate.CanRemove(os, &snapstate.SnapState{}, true), Equals, false)
+	c.Check(snapstate.CanRemove(s.st, os, &snapstate.SnapState{}, true), Equals, false)
+
+	c.Check(snapstate.CanRemove(s.st, kernel, &snapstate.SnapState{}, true), Equals, false)
+}
+
+func (s *canRemoveSuite) TestLastOSWithModelBaseIsOk(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	snapstate.SetModelWithBase("core18")
+	os := &snap.Info{
+		Type: snap.TypeOS,
+	}
+	os.RealName = "os"
+
+	c.Check(snapstate.CanRemove(s.st, os, &snapstate.SnapState{}, true), Equals, true)
+}
+
+func (s *canRemoveSuite) TestLastOSWithModelBaseButOsInUse(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	snapstate.SetModelWithBase("core18")
+
+	// pretend we have a snap installed that has no base (which means
+	// it needs core)
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)}
+	snaptest.MockSnap(c, "name: some-snap\nversion: 1.0", si)
+	snapstate.Set(s.st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+	})
 
-	c.Check(snapstate.CanRemove(kernel, &snapstate.SnapState{}, true), Equals, false)
+	// now pretend we want to remove the core snap
+	os := &snap.Info{
+		Type: snap.TypeOS,
+	}
+	os.RealName = "core"
+	c.Check(snapstate.CanRemove(s.st, os, &snapstate.SnapState{}, true), Equals, false)
 }
 
 func (s *canRemoveSuite) TestOneRevisionIsOK(c *C) {
@@ -6560,7 +9718,7 @@
 	}
 	info.RealName = "foo"
 
-	c.Check(snapstate.CanRemove(info, &snapstate.SnapState{Active: true}, false), Equals, true)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true}, false), Equals, true)
 }
 
 func (s *canRemoveSuite) TestRequiredIsNotOK(c *C) {
@@ -6569,9 +9727,77 @@
 	}
 	info.RealName = "foo"
 
-	c.Check(snapstate.CanRemove(info, &snapstate.SnapState{Active: false, Flags: snapstate.Flags{Required: true}}, true), Equals, false)
-	c.Check(snapstate.CanRemove(info, &snapstate.SnapState{Active: true, Flags: snapstate.Flags{Required: true}}, true), Equals, false)
-	c.Check(snapstate.CanRemove(info, &snapstate.SnapState{Active: true, Flags: snapstate.Flags{Required: true}}, false), Equals, true)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: false, Flags: snapstate.Flags{Required: true}}, true), Equals, false)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true, Flags: snapstate.Flags{Required: true}}, true), Equals, false)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true, Flags: snapstate.Flags{Required: true}}, false), Equals, true)
+}
+
+func (s *canRemoveSuite) TestBaseUnused(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	info := &snap.Info{
+		Type: snap.TypeBase,
+	}
+	info.RealName = "some-base"
+
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true}, false), Equals, true)
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true}, true), Equals, true)
+}
+
+func (s *canRemoveSuite) TestBaseInUse(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	// pretend we have a snap installed that uses "some-base"
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)}
+	snaptest.MockSnap(c, "name: some-snap\nversion: 1.0\nbase: some-base", si)
+	snapstate.Set(s.st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si},
+		Current:  snap.R(1),
+	})
+
+	// pretend now we want to remove "some-base"
+	info := &snap.Info{
+		Type: snap.TypeBase,
+	}
+	info.RealName = "some-base"
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true}, true), Equals, false)
+}
+
+func (s *canRemoveSuite) TestBaseInUseOtherRevision(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	// pretend we have a snap installed that uses "some-base"
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)}
+	si2 := &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(2)}
+	// older revision uses base
+	snaptest.MockSnap(c, "name: some-snap\nversion: 1.0\nbase: some-base", si)
+	// new one does not
+	snaptest.MockSnap(c, "name: some-snap\nversion: 1.0\n", si2)
+	snapstate.Set(s.st, "some-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{si, si2},
+		Current:  snap.R(2),
+	})
+
+	// pretend now we want to remove "some-base"
+	info := &snap.Info{
+		Type: snap.TypeBase,
+	}
+	info.RealName = "some-base"
+	// revision 1 requires some-base
+	c.Check(snapstate.CanRemove(s.st, info, &snapstate.SnapState{Active: true}, true), Equals, false)
+
+	// now pretend we want to remove the core snap
+	os := &snap.Info{
+		Type: snap.TypeOS,
+	}
+	os.RealName = "core"
+	// but revision 2 requires core
+	c.Check(snapstate.CanRemove(s.st, os, &snapstate.SnapState{}, true), Equals, false)
 }
 
 func revs(seq []*snap.SideInfo) []int {
@@ -6639,7 +9865,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -6661,7 +9887,7 @@
 	c.Check(s.fakeBackend.ops.Count("copy-data"), Equals, 1)
 	c.Check(s.fakeBackend.ops.First("copy-data"), DeepEquals, &fakeOp{
 		op:   "copy-data",
-		name: fmt.Sprintf(filepath.Join(dirs.SnapMountDir, "some-snap/%d"), opts.via),
+		path: fmt.Sprintf(filepath.Join(dirs.SnapMountDir, "some-snap/%d"), opts.via),
 		old:  fmt.Sprintf(filepath.Join(dirs.SnapMountDir, "some-snap/%d"), opts.current),
 	})
 
@@ -6875,6 +10101,23 @@
 	// gets nuked after all tasks succeeded).
 }
 
+func (s *snapmgrTestSuite) TestSeqRetainConf(c *C) {
+	revseq := []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
+
+	for i := 2; i <= 10; i++ {
+		// wot, me, hacky?
+		s.TearDownTest(c)
+		s.SetUpTest(c)
+		s.state.Lock()
+		tr := config.NewTransaction(s.state)
+		tr.Set("core", "refresh.retain", i)
+		tr.Commit()
+		s.state.Unlock()
+
+		s.testUpdateSequence(c, &opSeqOpts{before: revseq[:9], current: 9, via: 10, after: revseq[10-i:]})
+	}
+}
+
 func (s *snapmgrTestSuite) TestUpdateTasksWithOldCurrent(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -6943,7 +10186,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 	expected := fakeOps{
@@ -6953,11 +10196,11 @@
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 			old:  filepath.Join(dirs.SnapMountDir, "some-snap/11"),
 		},
 		{
@@ -6976,7 +10219,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/7"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -7034,6 +10277,8 @@
 	c.Assert(tts, HasLen, 2)
 	c.Check(installed, DeepEquals, []string{"one", "two"})
 
+	c.Check(s.fakeStore.seenPrivacyKeys["privacy-key"], Equals, true)
+
 	for i, ts := range tts {
 		verifyInstallTasks(c, 0, 0, ts, s.state)
 		// check that tasksets are in separate lanes
@@ -7043,6 +10288,18 @@
 	}
 }
 
+func (s *snapmgrTestSuite) TestInstallManyChecksPreconditions(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	_, _, err := snapstate.InstallMany(s.state, []string{"some-snap-now-classic"}, 0)
+	c.Assert(err, NotNil)
+	c.Check(err, DeepEquals, &snapstate.SnapNeedsClassicError{Snap: "some-snap-now-classic"})
+
+	_, _, err = snapstate.InstallMany(s.state, []string{"some-snap_foo"}, 0)
+	c.Assert(err, ErrorMatches, "experimental feature disabled - test it by setting 'experimental.parallel-instances' to true")
+}
+
 func verifyStopReason(c *C, ts *state.TaskSet, reason string) {
 	tl := tasksWithKind(ts, "stop-snap-services")
 	c.Check(tl, HasLen, 1)
@@ -7079,18 +10336,23 @@
 	c.Check(removed, DeepEquals, []string{"one", "two"})
 
 	c.Assert(s.state.TaskCount(), Equals, 8*2)
-	for _, ts := range tts {
+	for i, ts := range tts {
 		c.Assert(taskKinds(ts.Tasks()), DeepEquals, []string{
 			"stop-snap-services",
 			"run-hook[remove]",
+			"auto-disconnect",
 			"remove-aliases",
 			"unlink-snap",
 			"remove-profiles",
 			"clear-snap",
 			"discard-snap",
-			"discard-conns",
 		})
 		verifyStopReason(c, ts, "remove")
+		// check that tasksets are in separate lanes
+		for _, t := range ts.Tasks() {
+			c.Assert(t.Lanes(), DeepEquals, []int{i + 1})
+		}
+
 	}
 }
 
@@ -7106,7 +10368,7 @@
 
 var gadgetYaml = `
 defaults:
-    some-snap-id:
+    some-snap-ididididididididididid:
         key: value
 
 volumes:
@@ -7114,7 +10376,7 @@
         bootloader: grub
 `
 
-func (s *snapmgrTestSuite) prepareGadget(c *C) {
+func (s *snapmgrTestSuite) prepareGadget(c *C, extraGadgetYaml ...string) {
 	gadgetSideInfo := &snap.SideInfo{RealName: "the-gadget", SnapID: "the-gadget-id", Revision: snap.R(1)}
 	gadgetInfo := snaptest.MockSnap(c, `
 name: the-gadget
@@ -7122,7 +10384,8 @@
 version: 1.0
 `, gadgetSideInfo)
 
-	err := ioutil.WriteFile(filepath.Join(gadgetInfo.MountDir(), "meta/gadget.yaml"), []byte(gadgetYaml), 0600)
+	gadgetYamlWhole := strings.Join(append([]string{gadgetYaml}, extraGadgetYaml...), "")
+	err := ioutil.WriteFile(filepath.Join(gadgetInfo.MountDir(), "meta/gadget.yaml"), []byte(gadgetYamlWhole), 0600)
 	c.Assert(err, IsNil)
 
 	snapstate.Set(s.state, "the-gadget", &snapstate.SnapState{
@@ -7138,7 +10401,7 @@
 	defer r()
 
 	// using MockSnap, we want to read the bits on disk
-	snapstate.MockReadInfo(snap.ReadInfo)
+	snapstate.MockSnapReadInfo(snap.ReadInfo)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -7148,11 +10411,12 @@
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
-			{RealName: "some-snap", Revision: snap.R(11), SnapID: "some-snap-id"},
+			{RealName: "some-snap", Revision: snap.R(11), SnapID: "some-snap-ididididididididididid"},
 		},
 		Current:  snap.R(11),
 		SnapType: "app",
 	})
+	makeInstalledMockCoreSnap(c)
 
 	defls, err := snapstate.ConfigDefaults(s.state, "some-snap")
 	c.Assert(err, IsNil)
@@ -7170,6 +10434,65 @@
 	c.Assert(err, Equals, state.ErrNoState)
 }
 
+func (s *snapmgrTestSuite) TestConfigDefaultsSystem(c *C) {
+	r := release.MockOnClassic(false)
+	defer r()
+
+	// using MockSnapReadInfo, we want to read the bits on disk
+	snapstate.MockSnapReadInfo(snap.ReadInfo)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.prepareGadget(c, `
+defaults:
+    system:
+        foo: bar
+`)
+
+	makeInstalledMockCoreSnap(c)
+
+	defls, err := snapstate.ConfigDefaults(s.state, "core")
+	c.Assert(err, IsNil)
+	c.Assert(defls, DeepEquals, map[string]interface{}{"foo": "bar"})
+}
+
+func (s *snapmgrTestSuite) TestConfigDefaultsSystemConflictsCoreSnapId(c *C) {
+	r := release.MockOnClassic(false)
+	defer r()
+
+	// using MockSnapReadInfo, we want to read the bits on disk
+	snapstate.MockSnapReadInfo(snap.ReadInfo)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	s.prepareGadget(c, `
+defaults:
+    system:
+        foo: bar
+    the-core-snapidididididididididi:
+        foo: other-bar
+        other-key: other-key-default
+`)
+
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", SnapID: "the-core-snapidididididididididi", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+
+	makeInstalledMockCoreSnap(c)
+
+	// 'system' key defaults take precedence over snap-id ones
+	defls, err := snapstate.ConfigDefaults(s.state, "core")
+	c.Assert(err, IsNil)
+	c.Assert(defls, DeepEquals, map[string]interface{}{"foo": "bar"})
+}
+
 func (s *snapmgrTestSuite) TestGadgetDefaultsAreNormalizedForConfigHook(c *C) {
 	var mockGadgetSnapYaml = `
 name: canonical-pc
@@ -7177,7 +10500,7 @@
 `
 	var mockGadgetYaml = []byte(`
 defaults:
-  other:
+  otheridididididididididididididi:
     foo:
       bar: baz
       num: 1.305
@@ -7230,7 +10553,7 @@
 	makeInstalledMockCoreSnap(c)
 
 	// using MockSnap, we want to read the bits on disk
-	snapstate.MockReadInfo(snap.ReadInfo)
+	snapstate.MockSnapReadInfo(snap.ReadInfo)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -7239,7 +10562,7 @@
 
 	snapPath := makeTestSnap(c, "name: some-snap\nversion: 1.0")
 
-	ts, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)}, snapPath, "edge", snapstate.Flags{})
+	ts, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)}, snapPath, "", "edge", snapstate.Flags{})
 	c.Assert(err, IsNil)
 
 	var m map[string]interface{}
@@ -7260,7 +10583,7 @@
 	makeInstalledMockCoreSnap(c)
 
 	// using MockSnap, we want to read the bits on disk
-	snapstate.MockReadInfo(snap.ReadInfo)
+	snapstate.MockSnapReadInfo(snap.ReadInfo)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -7269,7 +10592,7 @@
 
 	snapPath := makeTestSnap(c, "name: some-snap\nversion: 1.0")
 
-	ts, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)}, snapPath, "edge", snapstate.Flags{SkipConfigure: true})
+	ts, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)}, snapPath, "", "edge", snapstate.Flags{SkipConfigure: true})
 	c.Assert(err, IsNil)
 
 	snapsup, err := snapstate.TaskSnapSetup(ts.Tasks()[0])
@@ -7283,7 +10606,7 @@
 	makeInstalledMockCoreSnap(c)
 
 	// using MockSnap, we want to read the bits on disk
-	snapstate.MockReadInfo(snap.ReadInfo)
+	snapstate.MockSnapReadInfo(snap.ReadInfo)
 
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -7299,7 +10622,7 @@
 
 	snapPath := makeTestSnap(c, "name: some-snap\nversion: 1.0")
 
-	ts, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(2)}, snapPath, "edge", snapstate.Flags{})
+	ts, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(2)}, snapPath, "", "edge", snapstate.Flags{})
 	c.Assert(err, IsNil)
 
 	var m map[string]interface{}
@@ -7402,6 +10725,7 @@
 		Sequence: []*snap.SideInfo{{RealName: "ubuntu-core", SnapID: "ubuntu-core-snap-id", Revision: snap.R(1)}},
 		Current:  snap.R(1),
 		SnapType: "os",
+		Channel:  "beta",
 	})
 
 	chg := s.state.NewChange("transition-ubuntu-core", "...")
@@ -7412,7 +10736,7 @@
 	}
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -7423,11 +10747,29 @@
 		name: "core",
 		// the transition has no user associcated with it
 		macaroon: "",
+		target:   filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
 	}})
 	expected := fakeOps{
 		{
-			op:    "storesvc-snap",
-			name:  "core",
+			op: "storesvc-snap-action",
+			curSnaps: []store.CurrentSnap{
+				{
+					InstanceName:    "ubuntu-core",
+					SnapID:          "ubuntu-core-snap-id",
+					Revision:        snap.R(1),
+					TrackingChannel: "beta",
+					RefreshedDate:   fakeRevDateEpoch.AddDate(0, 0, 1),
+					Epoch:           snap.E("1*"),
+				},
+			},
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "core",
+				Channel:      "beta",
+			},
 			revno: snap.R(11),
 		},
 		{
@@ -7445,21 +10787,23 @@
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "core",
 				SnapID:   "core-id",
+				Channel:  "beta",
 				Revision: snap.R(11),
 			},
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
+			name:  "core",
+			path:  filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
 			revno: snap.R(11),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "core/11"),
+			path: filepath.Join(dirs.SnapMountDir, "core/11"),
 			old:  "<no-old>",
 		},
 		{
@@ -7472,17 +10816,13 @@
 			sinfo: snap.SideInfo{
 				RealName: "core",
 				SnapID:   "core-id",
+				Channel:  "beta",
 				Revision: snap.R(11),
 			},
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "core/11"),
-		},
-		{
-			op:    "setup-profiles:Doing",
-			name:  "core",
-			revno: snap.R(11),
+			path: filepath.Join(dirs.SnapMountDir, "core/11"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -7497,12 +10837,17 @@
 			name: "ubuntu-core",
 		},
 		{
+			op:    "auto-disconnect:Doing",
+			name:  "ubuntu-core",
+			revno: snap.R(1),
+		},
+		{
 			op:   "remove-snap-aliases",
 			name: "ubuntu-core",
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
 		},
 		{
 			op:    "remove-profiles:Doing",
@@ -7511,15 +10856,20 @@
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
 		},
 		{
 			op:   "remove-snap-common-data",
-			name: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+		},
+		{
+			op:   "remove-snap-data-dir",
+			name: "ubuntu-core",
+			path: filepath.Join(dirs.SnapDataDir, "ubuntu-core"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path:  filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
 			stype: "os",
 		},
 		{
@@ -7527,8 +10877,9 @@
 			name: "ubuntu-core",
 		},
 		{
-			op:   "discard-conns:Doing",
+			op:   "remove-snap-dir",
 			name: "ubuntu-core",
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core"),
 		},
 		{
 			op:    "cleanup-trash",
@@ -7540,6 +10891,7 @@
 	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
 	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
 }
+
 func (s *snapmgrTestSuite) TestTransitionCoreRunThroughWithCore(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -7549,12 +10901,14 @@
 		Sequence: []*snap.SideInfo{{RealName: "ubuntu-core", SnapID: "ubuntu-core-snap-id", Revision: snap.R(1)}},
 		Current:  snap.R(1),
 		SnapType: "os",
+		Channel:  "stable",
 	})
 	snapstate.Set(s.state, "core", &snapstate.SnapState{
 		Active:   true,
 		Sequence: []*snap.SideInfo{{RealName: "core", SnapID: "core-snap-id", Revision: snap.R(1)}},
 		Current:  snap.R(1),
 		SnapType: "os",
+		Channel:  "stable",
 	})
 
 	chg := s.state.NewChange("transition-ubuntu-core", "...")
@@ -7565,7 +10919,7 @@
 	}
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -7575,21 +10929,21 @@
 	c.Check(s.fakeStore.downloads, HasLen, 0)
 	expected := fakeOps{
 		{
-			op:    "storesvc-snap",
-			name:  "core",
-			revno: snap.R(11),
-		},
-		{
 			op:   "transition-ubuntu-core:Doing",
 			name: "ubuntu-core",
 		},
 		{
+			op:    "auto-disconnect:Doing",
+			name:  "ubuntu-core",
+			revno: snap.R(1),
+		},
+		{
 			op:   "remove-snap-aliases",
 			name: "ubuntu-core",
 		},
 		{
 			op:   "unlink-snap",
-			name: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
 		},
 		{
 			op:    "remove-profiles:Doing",
@@ -7598,15 +10952,20 @@
 		},
 		{
 			op:   "remove-snap-data",
-			name: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
 		},
 		{
 			op:   "remove-snap-common-data",
-			name: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+		},
+		{
+			op:   "remove-snap-data-dir",
+			name: "ubuntu-core",
+			path: filepath.Join(dirs.SnapDataDir, "ubuntu-core"),
 		},
 		{
 			op:    "remove-snap-files",
-			name:  filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
+			path:  filepath.Join(dirs.SnapMountDir, "ubuntu-core/1"),
 			stype: "os",
 		},
 		{
@@ -7614,14 +10973,14 @@
 			name: "ubuntu-core",
 		},
 		{
-			op:   "discard-conns:Doing",
+			op:   "remove-snap-dir",
 			name: "ubuntu-core",
+			path: filepath.Join(dirs.SnapMountDir, "ubuntu-core"),
 		},
 	}
 	// start with an easier-to-read error if this fails:
 	c.Assert(s.fakeBackend.ops.Ops(), DeepEquals, expected.Ops())
 	c.Assert(s.fakeBackend.ops, DeepEquals, expected)
-
 }
 
 func (s *snapmgrTestSuite) TestTransitionCoreStartsAutomatically(c *C) {
@@ -7636,7 +10995,7 @@
 	})
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -7659,7 +11018,7 @@
 	s.state.Set("ubuntu-core-transition-last-retry-time", time.Now().Add(-3*time.Hour))
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -7669,7 +11028,7 @@
 	s.state.Set("ubuntu-core-transition-last-retry-time", time.Now().Add(-7*time.Hour))
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 	c.Check(s.state.Changes(), HasLen, 1)
@@ -7693,7 +11052,7 @@
 	chg.SetStatus(state.DoStatus)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -7711,6 +11070,7 @@
 
 	// other tasks block until the transition is done
 	_, err := snapstate.Install(s.state, "some-snap", "stable", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
 	c.Check(err, ErrorMatches, "ubuntu-core to core transition in progress, no other changes allowed until this is done")
 
 	// and when the transition is done, other tasks run
@@ -7757,7 +11117,7 @@
 	c.Assert(snapst1.DevMode, Equals, true)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -7776,7 +11136,7 @@
 	defer r()
 	c.Assert(release.ReleaseInfo.ForceDevMode(), Equals, true)
 
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -7811,7 +11171,7 @@
 	c.Assert(snapst1.DevMode, Equals, true)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -7832,7 +11192,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		switch info.Name() {
+		switch info.InstanceName() {
 		case "alias-snap":
 			return map[string]string{
 				"alias1": "cmd1",
@@ -7885,8 +11245,8 @@
 		{
 			op: "update-aliases",
 			aliases: []*backend.Alias{
-				{"alias1", "alias-snap.cmd1"},
-				{"alias2", "alias-snap.cmd2"},
+				{Name: "alias1", Target: "alias-snap.cmd1"},
+				{Name: "alias2", Target: "alias-snap.cmd2"},
 			},
 		},
 	}
@@ -7900,7 +11260,7 @@
 	defer s.state.Unlock()
 
 	snapstate.AutoAliases = func(st *state.State, info *snap.Info) (map[string]string, error) {
-		switch info.Name() {
+		switch info.InstanceName() {
 		case "alias-snap":
 			return map[string]string{
 				"alias1": "cmd1",
@@ -7986,16 +11346,16 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
-	for _, snapName := range []string{"a-snap", "b-snap"} {
-		snapstate.Set(s.state, snapName, &snapstate.SnapState{
+	for _, instanceName := range []string{"a-snap", "b-snap"} {
+		snapstate.Set(s.state, instanceName, &snapstate.SnapState{
 			Sequence: []*snap.SideInfo{
-				{RealName: snapName, Revision: snap.R(11)},
+				{RealName: instanceName, Revision: snap.R(11)},
 			},
 			Current: snap.R(11),
 			Active:  false,
 		})
 
-		ts, err := snapstate.Enable(s.state, snapName)
+		ts, err := snapstate.Enable(s.state, instanceName)
 		c.Assert(err, IsNil)
 		// need a change to make the tasks visible
 		s.state.NewChange("enable", "...").AddAll(ts)
@@ -8007,7 +11367,7 @@
 		{"c-snap"},
 		{"c-snap", "d-snap", "e-snap", "f-snap"},
 	} {
-		c.Check(snapstate.CheckChangeConflictMany(s.state, m, nil), IsNil)
+		c.Check(snapstate.CheckChangeConflictMany(s.state, m, ""), IsNil)
 	}
 
 	// things that should not be ok:
@@ -8017,7 +11377,9 @@
 		{"a-snap", "c-snap"},
 		{"b-snap", "c-snap"},
 	} {
-		c.Check(snapstate.CheckChangeConflictMany(s.state, m, nil), ErrorMatches, `snap "[^"]*" has "enable" change in progress`)
+		err := snapstate.CheckChangeConflictMany(s.state, m, "")
+		c.Check(err, FitsTypeOf, &snapstate.ChangeConflictError{})
+		c.Check(err, ErrorMatches, `snap "[^"]*" has "enable" change in progress`)
 	}
 }
 
@@ -8034,7 +11396,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -8045,24 +11407,42 @@
 		{
 			macaroon: s.user.StoreMacaroon,
 			name:     "core",
+			target:   filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
 		},
 		{
 			macaroon: s.user.StoreMacaroon,
 			name:     "some-snap",
+			target:   filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
 		}})
 	expected := fakeOps{
 		// we check the snap
 		{
-			op:     "storesvc-snap",
-			name:   "some-snap",
+			op:     "storesvc-snap-action",
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "some-snap",
+				Revision:     snap.R(42),
+			},
 			revno:  snap.R(42),
 			userID: 1,
 		},
 		// then we check core because its not installed already
 		// and continue with that
 		{
-			op:     "storesvc-snap",
-			name:   "core",
+			op:     "storesvc-snap-action",
+			userID: 1,
+		},
+		{
+			op: "storesvc-snap-action:action",
+			action: store.SnapAction{
+				Action:       "install",
+				InstanceName: "core",
+				Channel:      "stable",
+			},
 			revno:  snap.R(11),
 			userID: 1,
 		},
@@ -8081,7 +11461,7 @@
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "core",
 				Channel:  "stable",
@@ -8091,12 +11471,13 @@
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
+			name:  "core",
+			path:  filepath.Join(dirs.SnapBlobDir, "core_11.snap"),
 			revno: snap.R(11),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "core/11"),
+			path: filepath.Join(dirs.SnapMountDir, "core/11"),
 			old:  "<no-old>",
 		},
 		{
@@ -8115,7 +11496,7 @@
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "core/11"),
+			path: filepath.Join(dirs.SnapMountDir, "core/11"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -8141,22 +11522,22 @@
 		},
 		{
 			op:   "open-snap-file",
-			name: filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
+			path: filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
 			sinfo: snap.SideInfo{
 				RealName: "some-snap",
-				Channel:  "some-channel",
 				SnapID:   "some-snap-id",
 				Revision: snap.R(42),
 			},
 		},
 		{
 			op:    "setup-snap",
-			name:  filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
+			name:  "some-snap",
+			path:  filepath.Join(dirs.SnapBlobDir, "some-snap_42.snap"),
 			revno: snap.R(42),
 		},
 		{
 			op:   "copy-data",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
 			old:  "<no-old>",
 		},
 		{
@@ -8168,14 +11549,13 @@
 			op: "candidate",
 			sinfo: snap.SideInfo{
 				RealName: "some-snap",
-				Channel:  "some-channel",
 				SnapID:   "some-snap-id",
 				Revision: snap.R(42),
 			},
 		},
 		{
 			op:   "link-snap",
-			name: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
+			path: filepath.Join(dirs.SnapMountDir, "some-snap/42"),
 		},
 		{
 			op:    "auto-connect:Doing",
@@ -8189,7 +11569,7 @@
 		{
 			op:    "cleanup-trash",
 			name:  "core",
-			revno: snap.R(11),
+			revno: snap.R(42),
 		},
 		{
 			op:    "cleanup-trash",
@@ -8210,6 +11590,7 @@
 	c.Assert(err, IsNil)
 
 	snapst := snaps["core"]
+	c.Assert(snapst, NotNil)
 	c.Assert(snapst.Active, Equals, true)
 	c.Assert(snapst.Channel, Equals, "stable")
 	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
@@ -8241,7 +11622,7 @@
 	chg2.AddAll(ts2)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -8276,7 +11657,7 @@
 	restore := snapstate.MockPrerequisitesRetryTimeout(40 * time.Millisecond)
 	defer restore()
 
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	// Two changes are created, the first will fails, the second will
 	// be fine. The order of what change runs first is random, the
 	// first change will also install core in its own lane. This test
@@ -8320,7 +11701,6 @@
 
 		// ensure we have both core and snap2
 		var snapst snapstate.SnapState
-
 		err = snapstate.Get(s.state, "core", &snapst)
 		c.Assert(err, IsNil)
 		c.Assert(snapst.Active, Equals, true)
@@ -8332,14 +11712,15 @@
 			Revision: snap.R(11),
 		})
 
-		err = snapstate.Get(s.state, "snap2", &snapst)
+		var snapst2 snapstate.SnapState
+		err = snapstate.Get(s.state, "snap2", &snapst2)
 		c.Assert(err, IsNil)
-		c.Assert(snapst.Active, Equals, true)
-		c.Assert(snapst.Sequence, HasLen, 1)
-		c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
+		c.Assert(snapst2.Active, Equals, true)
+		c.Assert(snapst2.Sequence, HasLen, 1)
+		c.Assert(snapst2.Sequence[0], DeepEquals, &snap.SideInfo{
 			RealName: "snap2",
 			SnapID:   "snap2-id",
-			Channel:  "some-other-channel",
+			Channel:  "",
 			Revision: snap.R(21),
 		})
 
@@ -8355,8 +11736,8 @@
 	chg                  *state.Change
 }
 
-func (s behindYourBackStore) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
-	if spec.Name == "core" {
+func (s behindYourBackStore) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
+	if len(actions) == 1 && actions[0].Action == "install" && actions[0].InstanceName == "core" {
 		s.state.Lock()
 		if !s.coreInstallRequested {
 			s.coreInstallRequested = true
@@ -8390,7 +11771,7 @@
 		s.state.Unlock()
 	}
 
-	return s.fakeStore.SnapInfo(spec, user)
+	return s.fakeStore.SnapAction(ctx, currentSnaps, actions, user, opts)
 }
 
 // this test the scenario that some-snap gets installed and during the
@@ -8412,7 +11793,7 @@
 
 	// now install a snap that will pull in core
 	chg := s.state.NewChange("install", "install a snap on a system without core")
-	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(42), s.user.ID, snapstate.Flags{})
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
@@ -8421,14 +11802,14 @@
 	c.Check(prereq.AtTime().IsZero(), Equals, true)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 
 	// start running the change, this will trigger the
 	// prerequisites task, which will trigger the install of core
 	// and also call our mock store which will generate a parallel
 	// change
-	s.snapmgr.Ensure()
-	s.snapmgr.Wait()
+	s.se.Ensure()
+	s.se.Wait()
 
 	// change is not ready yet, because the prerequists triggered
 	// a state.Retry{} because of the conflicting change
@@ -8457,6 +11838,7 @@
 	c.Assert(err, IsNil)
 
 	snapst := snaps["core"]
+	c.Assert(snapst, NotNil)
 	c.Assert(snapst.Active, Equals, true)
 	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
 		RealName: "core",
@@ -8464,12 +11846,13 @@
 	})
 
 	snapst = snaps["some-snap"]
+	c.Assert(snapst, NotNil)
 	c.Assert(snapst.Active, Equals, true)
 	c.Assert(snapst.Sequence[0], DeepEquals, &snap.SideInfo{
 		RealName: "some-snap",
 		SnapID:   "some-snap-id",
 		Channel:  "some-channel",
-		Revision: snap.R(42),
+		Revision: snap.R(11),
 	})
 }
 
@@ -8478,9 +11861,13 @@
 	state *state.State
 }
 
-func (s contentStore) SnapInfo(spec store.SnapSpec, user *auth.UserState) (*snap.Info, error) {
-	info, err := s.fakeStore.SnapInfo(spec, user)
-	switch spec.Name {
+func (s contentStore) SnapAction(ctx context.Context, currentSnaps []*store.CurrentSnap, actions []*store.SnapAction, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, error) {
+	snaps, err := s.fakeStore.SnapAction(ctx, currentSnaps, actions, user, opts)
+	if len(snaps) != 1 {
+		panic("expected to be queried for install of only one snap at a time")
+	}
+	info := snaps[0]
+	switch info.InstanceName() {
 	case "snap-content-plug":
 		info.Plugs = map[string]*snap.PlugInfo{
 			"some-plug": {
@@ -8562,7 +11949,7 @@
 		}
 	}
 
-	return info, err
+	return []*snap.Info{info}, err
 }
 
 func (s *snapmgrTestSuite) TestInstallDefaultProviderRunThrough(c *C) {
@@ -8575,12 +11962,12 @@
 	ifacerepo.Replace(s.state, repo)
 
 	chg := s.state.NewChange("install", "install a snap")
-	ts, err := snapstate.Install(s.state, "snap-content-plug", "some-channel", snap.R(42), s.user.ID, snapstate.Flags{})
+	ts, err := snapstate.Install(s.state, "snap-content-plug", "stable", snap.R(42), s.user.ID, snapstate.Flags{})
 	c.Assert(err, IsNil)
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -8588,13 +11975,27 @@
 	c.Assert(chg.Err(), IsNil)
 	c.Assert(chg.IsReady(), Equals, true)
 	expected := fakeOps{{
-		op:     "storesvc-snap",
-		name:   "snap-content-plug",
+		op:     "storesvc-snap-action",
+		userID: 1,
+	}, {
+		op: "storesvc-snap-action:action",
+		action: store.SnapAction{
+			Action:       "install",
+			InstanceName: "snap-content-plug",
+			Revision:     snap.R(42),
+		},
 		revno:  snap.R(42),
 		userID: 1,
 	}, {
-		op:     "storesvc-snap",
-		name:   "snap-content-slot",
+		op:     "storesvc-snap-action",
+		userID: 1,
+	}, {
+		op: "storesvc-snap-action:action",
+		action: store.SnapAction{
+			Action:       "install",
+			InstanceName: "snap-content-slot",
+			Channel:      "stable",
+		},
 		revno:  snap.R(11),
 		userID: 1,
 	}, {
@@ -8609,7 +12010,7 @@
 		old: "<no-current>",
 	}, {
 		op:   "open-snap-file",
-		name: filepath.Join(dirs.SnapBlobDir, "snap-content-slot_11.snap"),
+		path: filepath.Join(dirs.SnapBlobDir, "snap-content-slot_11.snap"),
 		sinfo: snap.SideInfo{
 			RealName: "snap-content-slot",
 			Channel:  "stable",
@@ -8618,11 +12019,12 @@
 		},
 	}, {
 		op:    "setup-snap",
-		name:  filepath.Join(dirs.SnapBlobDir, "snap-content-slot_11.snap"),
+		name:  "snap-content-slot",
+		path:  filepath.Join(dirs.SnapBlobDir, "snap-content-slot_11.snap"),
 		revno: snap.R(11),
 	}, {
 		op:   "copy-data",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-slot/11"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-slot/11"),
 		old:  "<no-old>",
 	}, {
 		op:    "setup-profiles:Doing",
@@ -8638,7 +12040,7 @@
 		},
 	}, {
 		op:   "link-snap",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-slot/11"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-slot/11"),
 	}, {
 		op:    "auto-connect:Doing",
 		name:  "snap-content-slot",
@@ -8657,20 +12059,20 @@
 		old: "<no-current>",
 	}, {
 		op:   "open-snap-file",
-		name: filepath.Join(dirs.SnapBlobDir, "snap-content-plug_42.snap"),
+		path: filepath.Join(dirs.SnapBlobDir, "snap-content-plug_42.snap"),
 		sinfo: snap.SideInfo{
 			RealName: "snap-content-plug",
-			Channel:  "some-channel",
 			SnapID:   "snap-content-plug-id",
 			Revision: snap.R(42),
 		},
 	}, {
 		op:    "setup-snap",
-		name:  filepath.Join(dirs.SnapBlobDir, "snap-content-plug_42.snap"),
+		name:  "snap-content-plug",
+		path:  filepath.Join(dirs.SnapBlobDir, "snap-content-plug_42.snap"),
 		revno: snap.R(42),
 	}, {
 		op:   "copy-data",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-plug/42"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-plug/42"),
 		old:  "<no-old>",
 	}, {
 		op:    "setup-profiles:Doing",
@@ -8680,13 +12082,12 @@
 		op: "candidate",
 		sinfo: snap.SideInfo{
 			RealName: "snap-content-plug",
-			Channel:  "some-channel",
 			SnapID:   "snap-content-plug-id",
 			Revision: snap.R(42),
 		},
 	}, {
 		op:   "link-snap",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-plug/42"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-plug/42"),
 	}, {
 		op:    "auto-connect:Doing",
 		name:  "snap-content-plug",
@@ -8707,7 +12108,7 @@
 	// do a simple c.Check(ops, DeepEquals, fakeOps{...})
 	c.Check(len(s.fakeBackend.ops), Equals, len(expected))
 	for _, op := range expected {
-		c.Check(s.fakeBackend.ops, testutil.DeepContains, op)
+		c.Assert(s.fakeBackend.ops, testutil.DeepContains, op)
 	}
 }
 
@@ -8726,7 +12127,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -8736,11 +12137,11 @@
 	// and both circular snaps got linked
 	c.Check(s.fakeBackend.ops, testutil.DeepContains, fakeOp{
 		op:   "link-snap",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-circular1/42"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-circular1/42"),
 	})
 	c.Check(s.fakeBackend.ops, testutil.DeepContains, fakeOp{
 		op:   "link-snap",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-circular2/11"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-circular2/11"),
 	})
 }
 
@@ -8759,7 +12160,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -8769,11 +12170,11 @@
 	// and both circular snaps got linked
 	c.Check(s.fakeBackend.ops, testutil.DeepContains, fakeOp{
 		op:   "link-snap",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-plug-compat/42"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-plug-compat/42"),
 	})
 	c.Check(s.fakeBackend.ops, testutil.DeepContains, fakeOp{
 		op:   "link-snap",
-		name: filepath.Join(dirs.SnapMountDir, "snap-content-slot/11"),
+		path: filepath.Join(dirs.SnapMountDir, "snap-content-slot/11"),
 	})
 }
 
@@ -8843,7 +12244,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -8865,7 +12266,7 @@
 	chg.AddAll(ts)
 
 	s.state.Unlock()
-	defer s.snapmgr.Stop()
+	defer s.se.Stop()
 	s.settle(c)
 	s.state.Lock()
 
@@ -8881,44 +12282,136 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	// When layouts are disabled we cannot install a local snap depending on the feature.
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.layouts", false)
+	tr.Commit()
+
 	mockSnap := makeTestSnap(c, `name: some-snap
 version: 1.0
 layout:
  /usr:
   bind: $SNAP/usr
 `)
-	_, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(8)}, mockSnap, "", snapstate.Flags{})
-	c.Assert(err, ErrorMatches, "cannot use experimental 'layouts' feature.*")
+	_, _, err := snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(8)}, mockSnap, "", "", snapstate.Flags{})
+	c.Assert(err, ErrorMatches, "experimental feature disabled - test it by setting 'experimental.layouts' to true")
 
-	// enable layouts
-	tr := config.NewTransaction(s.state)
+	// When layouts are enabled we can install a local snap depending on the feature.
+	tr = config.NewTransaction(s.state)
 	tr.Set("core", "experimental.layouts", true)
 	tr.Commit()
 
-	_, err = snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(8)}, mockSnap, "", snapstate.Flags{})
+	_, _, err = snapstate.InstallPath(s.state, &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(8)}, mockSnap, "", "", snapstate.Flags{})
 	c.Assert(err, IsNil)
 }
 
+func (s *snapmgrTestSuite) TestInstallPathWithMetadataChannelSwitchKernel(c *C) {
+	// use the real thing for this one
+	snapstate.MockOpenSnapFile(backend.OpenSnapFile)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// snapd cannot be installed unless the model uses a base snap
+	snapstate.SetModelWithKernelTrack("18")
+	snapstate.Set(s.state, "kernel", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "kernel", Revision: snap.R(11)},
+		},
+		Channel: "18/stable",
+		Current: snap.R(11),
+		Active:  true,
+	})
+
+	someSnap := makeTestSnap(c, `name: kernel
+version: 1.0`)
+	si := &snap.SideInfo{
+		RealName: "kernel",
+		SnapID:   "kernel-id",
+		Revision: snap.R(42),
+		Channel:  "some-channel",
+	}
+	_, _, err := snapstate.InstallPath(s.state, si, someSnap, "", "some-channel", snapstate.Flags{Required: true})
+	c.Assert(err, ErrorMatches, `cannot switch from kernel track "18" as specified for the \(device\) model to "some-channel/stable"`)
+}
+
+func (s *snapmgrTestSuite) TestInstallPathWithMetadataChannelSwitchGadget(c *C) {
+	// use the real thing for this one
+	snapstate.MockOpenSnapFile(backend.OpenSnapFile)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// snapd cannot be installed unless the model uses a base snap
+	snapstate.SetModelWithGadgetTrack("18")
+	snapstate.Set(s.state, "brand-gadget", &snapstate.SnapState{
+		Sequence: []*snap.SideInfo{
+			{RealName: "brand-gadget", Revision: snap.R(11)},
+		},
+		Channel: "18/stable",
+		Current: snap.R(11),
+		Active:  true,
+	})
+
+	someSnap := makeTestSnap(c, `name: brand-gadget
+version: 1.0`)
+	si := &snap.SideInfo{
+		RealName: "brand-gadget",
+		SnapID:   "brand-gadget-id",
+		Revision: snap.R(42),
+		Channel:  "some-channel",
+	}
+	_, _, err := snapstate.InstallPath(s.state, si, someSnap, "", "some-channel", snapstate.Flags{Required: true})
+	c.Assert(err, ErrorMatches, `cannot switch from gadget track "18" as specified for the \(device\) model to "some-channel/stable"`)
+}
+
 func (s *snapmgrTestSuite) TestInstallLayoutsChecksFeatureFlag(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	// Layouts are now enabled by default.
 	_, err := snapstate.Install(s.state, "some-snap", "channel-for-layout", snap.R(0), s.user.ID, snapstate.Flags{})
-	c.Assert(err, ErrorMatches, "cannot use experimental 'layouts' feature.*")
+	c.Assert(err, IsNil)
+
+	// Layouts can be explicitly disabled.
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.layouts", false)
+	tr.Commit()
+	_, err = snapstate.Install(s.state, "some-snap", "channel-for-layout", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, ErrorMatches, "experimental feature disabled - test it by setting 'experimental.layouts' to true")
 
-	// enable layouts
-	tr := config.NewTransaction(s.state)
+	// Layouts can be explicitly enabled.
+	tr = config.NewTransaction(s.state)
 	tr.Set("core", "experimental.layouts", true)
 	tr.Commit()
+	_, err = snapstate.Install(s.state, "some-snap", "channel-for-layout", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+
+	// The default empty value now means "enabled".
+	tr = config.NewTransaction(s.state)
+	tr.Set("core", "experimental.layouts", "")
+	tr.Commit()
+	_, err = snapstate.Install(s.state, "some-snap", "channel-for-layout", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
 
+	// Layouts are enabled when the controlling flag is reset to nil.
+	tr = config.NewTransaction(s.state)
+	tr.Set("core", "experimental.layouts", nil)
+	tr.Commit()
 	_, err = snapstate.Install(s.state, "some-snap", "channel-for-layout", snap.R(0), s.user.ID, snapstate.Flags{})
 	c.Assert(err, IsNil)
+
 }
 
 func (s *snapmgrTestSuite) TestUpdateLayoutsChecksFeatureFlag(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	// When layouts are disabled we cannot refresh to a snap depending on the feature.
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.layouts", false)
+	tr.Commit()
+
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active: true,
 		Sequence: []*snap.SideInfo{
@@ -8929,10 +12422,10 @@
 	})
 
 	_, err := snapstate.Update(s.state, "some-snap", "channel-for-layout", snap.R(0), s.user.ID, snapstate.Flags{})
-	c.Assert(err, ErrorMatches, "cannot use experimental 'layouts' feature.*")
+	c.Assert(err, ErrorMatches, "experimental feature disabled - test it by setting 'experimental.layouts' to true")
 
-	// enable layouts
-	tr := config.NewTransaction(s.state)
+	// When layouts are enabled we can refresh to a snap depending on the feature.
+	tr = config.NewTransaction(s.state)
 	tr.Set("core", "experimental.layouts", true)
 	tr.Commit()
 
@@ -8944,6 +12437,11 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	// When layouts are disabled we cannot refresh multiple snaps if one of them depends on the feature.
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.layouts", false)
+	tr.Commit()
+
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active:  true,
 		Channel: "channel-for-layout",
@@ -8954,15 +12452,15 @@
 		SnapType: "app",
 	})
 
-	_, _, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID)
-	c.Assert(err, ErrorMatches, "cannot use experimental 'layouts' feature.*")
+	_, _, err := snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID, nil)
+	c.Assert(err, ErrorMatches, "experimental feature disabled - test it by setting 'experimental.layouts' to true")
 
-	// enable layouts
-	tr := config.NewTransaction(s.state)
+	// When layouts are enabled we can refresh multiple snaps if one of them depends on the feature.
+	tr = config.NewTransaction(s.state)
 	tr.Set("core", "experimental.layouts", true)
 	tr.Commit()
 
-	_, _, err = snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID)
+	_, _, err = snapstate.UpdateMany(context.TODO(), s.state, []string{"some-snap"}, s.user.ID, nil)
 	c.Assert(err, IsNil)
 }
 
@@ -8970,6 +12468,11 @@
 	s.state.Lock()
 	defer s.state.Unlock()
 
+	// When layouts are disabled we cannot refresh multiple snaps if one of them depends on the feature.
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.layouts", false)
+	tr.Commit()
+
 	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
 		Active:  true,
 		Channel: "channel-for-layout",
@@ -8980,20 +12483,106 @@
 		SnapType: "app",
 	})
 
-	refreshes, _, err := snapstate.UpdateMany(context.TODO(), s.state, nil, s.user.ID)
+	refreshes, _, err := snapstate.UpdateMany(context.TODO(), s.state, nil, s.user.ID, nil)
 	c.Assert(err, IsNil)
 	c.Assert(refreshes, HasLen, 0)
 
-	// enable layouts
-	tr := config.NewTransaction(s.state)
+	// When layouts are enabled we can refresh multiple snaps if one of them depends on the feature.
+	tr = config.NewTransaction(s.state)
 	tr.Set("core", "experimental.layouts", true)
 	tr.Commit()
 
-	refreshes, _, err = snapstate.UpdateMany(context.TODO(), s.state, nil, s.user.ID)
+	refreshes, _, err = snapstate.UpdateMany(context.TODO(), s.state, nil, s.user.ID, nil)
 	c.Assert(err, IsNil)
 	c.Assert(refreshes, DeepEquals, []string{"some-snap"})
 }
 
+func (s *snapmgrTestSuite) TestUpdateFailsEarlyOnEpochMismatch(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-epoch-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-epoch-snap", SnapID: "some-epoch-snap-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	_, err := snapstate.Update(s.state, "some-epoch-snap", "", snap.R(0), 0, snapstate.Flags{})
+	c.Assert(err, ErrorMatches, `cannot refresh "some-epoch-snap" to new revision 11 with epoch 42, because it can't read the current epoch of 13`)
+}
+
+func (s *snapmgrTestSuite) TestParallelInstallValidateFeatureFlag(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	info := &snap.Info{
+		InstanceKey: "foo",
+	}
+
+	err := snapstate.ValidateFeatureFlags(s.state, info)
+	c.Assert(err, ErrorMatches, `experimental feature disabled - test it by setting 'experimental.parallel-instances' to true`)
+
+	// various forms of disabling
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", false)
+	tr.Commit()
+
+	err = snapstate.ValidateFeatureFlags(s.state, info)
+	c.Assert(err, ErrorMatches, `experimental feature disabled - test it by setting 'experimental.parallel-instances' to true`)
+
+	tr = config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", "")
+	tr.Commit()
+
+	err = snapstate.ValidateFeatureFlags(s.state, info)
+	c.Assert(err, ErrorMatches, `experimental feature disabled - test it by setting 'experimental.parallel-instances' to true`)
+
+	tr = config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", nil)
+	tr.Commit()
+
+	err = snapstate.ValidateFeatureFlags(s.state, info)
+	c.Assert(err, ErrorMatches, `experimental feature disabled - test it by setting 'experimental.parallel-instances' to true`)
+
+	tr = config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", "veryfalse")
+	tr.Commit()
+
+	err = snapstate.ValidateFeatureFlags(s.state, info)
+	c.Assert(err, ErrorMatches, `parallel-instances can only be set to 'true' or 'false', got "veryfalse"`)
+
+	// enable parallel instances
+	tr = config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
+	err = snapstate.ValidateFeatureFlags(s.state, info)
+	c.Assert(err, IsNil)
+}
+
+func (s *snapmgrTestSuite) TestParallelInstallInstallPathExperimentalSwitch(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	mockSnap := makeTestSnap(c, `name: some-snap
+version: 1.0
+`)
+	si := &snap.SideInfo{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(8)}
+	_, _, err := snapstate.InstallPath(s.state, si, mockSnap, "some-snap_foo", "", snapstate.Flags{})
+	c.Assert(err, ErrorMatches, "experimental feature disabled - test it by setting 'experimental.parallel-instances' to true")
+
+	// enable parallel instances
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.parallel-instances", true)
+	tr.Commit()
+
+	_, _, err = snapstate.InstallPath(s.state, si, mockSnap, "some-snap_foo", "", snapstate.Flags{})
+	c.Assert(err, IsNil)
+}
+
 func (s *snapmgrTestSuite) TestInjectTasks(c *C) {
 	s.state.Lock()
 	defer s.state.Unlock()
@@ -9064,6 +12653,234 @@
 	c.Assert(t1.HaltTasks()[0].Kind(), Equals, "task1-1")
 }
 
+func hasConfigureTask(ts *state.TaskSet) bool {
+	for _, tk := range taskKinds(ts.Tasks()) {
+		if tk == "run-hook[configure]" {
+			return true
+		}
+	}
+	return false
+}
+
+func (s *snapmgrTestSuite) TestNoConfigureForBasesTask(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// normal snaps get a configure task
+	ts, err := snapstate.Install(s.state, "some-snap", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	c.Check(hasConfigureTask(ts), Equals, true)
+
+	// but bases do not for install
+	ts, err = snapstate.Install(s.state, "some-base", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	c.Check(hasConfigureTask(ts), Equals, false)
+
+	// or for refresh
+	snapstate.Set(s.state, "some-base", &snapstate.SnapState{
+		Active:   true,
+		Channel:  "edge",
+		Sequence: []*snap.SideInfo{{RealName: "some-base", SnapID: "some-base-id", Revision: snap.R(1)}},
+		Current:  snap.R(1),
+		SnapType: "base",
+	})
+	ts, err = snapstate.Update(s.state, "some-base", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	c.Check(hasConfigureTask(ts), Equals, false)
+}
+
+func (s *snapmgrTestSuite) TestNoSnapdSnapOnSystemsWithoutBase(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// but snapd do not for install
+	_, err := snapstate.Install(s.state, "snapd", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, ErrorMatches, "cannot install snapd snap on a model without a base snap yet")
+}
+
+func (s *snapmgrTestSuite) TestNoSnapdSnapOnSystemsWithoutBaseButOption(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	tr := config.NewTransaction(s.state)
+	tr.Set("core", "experimental.snapd-snap", true)
+	tr.Commit()
+
+	_, err := snapstate.Install(s.state, "snapd", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+}
+
+func (s *snapmgrTestSuite) TestNoConfigureForSnapdSnap(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// snapd cannot be installed unless the model uses a base snap
+	snapstate.SetModelWithBase("core18")
+
+	// but snapd do not for install
+	ts, err := snapstate.Install(s.state, "snapd", "some-channel", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	c.Check(hasConfigureTask(ts), Equals, false)
+
+	// or for refresh
+	snapstate.Set(s.state, "snapd", &snapstate.SnapState{
+		Active:   true,
+		Channel:  "edge",
+		Sequence: []*snap.SideInfo{{RealName: "snapd", SnapID: "snapd-id", Revision: snap.R(1)}},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	ts, err = snapstate.Update(s.state, "snapd", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	c.Check(hasConfigureTask(ts), Equals, false)
+
+}
+
+func (s snapmgrTestSuite) TestCanLoadOldSnapSetupWithoutType(c *C) {
+	// ensure we don't crash when loading a SnapSetup json without
+	// a type set
+	oldSnapSetup := []byte(`{
+ "snap-path":"/some/path",
+ "side-info": {
+    "channel": "edge",
+    "name": "some-snap",
+    "revision": "1",
+    "snap-id": "some-snap-id"
+ }
+}`)
+	var snapsup snapstate.SnapSetup
+	err := json.Unmarshal(oldSnapSetup, &snapsup)
+	c.Assert(err, IsNil)
+	c.Check(snapsup.SnapPath, Equals, "/some/path")
+	c.Check(snapsup.SideInfo, DeepEquals, &snap.SideInfo{
+		Channel:  "edge",
+		RealName: "some-snap",
+		Revision: snap.R(1),
+		SnapID:   "some-snap-id",
+	})
+	c.Check(snapsup.Type, Equals, snap.Type(""))
+}
+
+func (s snapmgrTestSuite) TestHasOtherInstances(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "some-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "some-snap_instance", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(3)},
+		},
+		Current:     snap.R(3),
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
+	snapstate.Set(s.state, "some-other-snap", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-other-snap", SnapID: "some-other-snap-id", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "app",
+	})
+
+	other, err := snapstate.HasOtherInstances(s.state, "some-snap")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, true)
+	other, err = snapstate.HasOtherInstances(s.state, "some-snap_instance")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, true)
+	other, err = snapstate.HasOtherInstances(s.state, "some-other-snap")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, false)
+	// other snaps like only looks at the name of the refence snap
+	other, err = snapstate.HasOtherInstances(s.state, "some-other-snap_instance")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, true)
+
+	// remove the snap without instance key
+	snapstate.Set(s.state, "some-snap", nil)
+	// some-snap_instance is like some-snap
+	other, err = snapstate.HasOtherInstances(s.state, "some-snap")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, true)
+	other, err = snapstate.HasOtherInstances(s.state, "some-snap_instance")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, false)
+
+	// add another snap with instance key
+	snapstate.Set(s.state, "some-snap_other", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "some-snap", SnapID: "some-snap-id", Revision: snap.R(3)},
+		},
+		Current:     snap.R(3),
+		SnapType:    "app",
+		InstanceKey: "other",
+	})
+	other, err = snapstate.HasOtherInstances(s.state, "some-snap")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, true)
+	other, err = snapstate.HasOtherInstances(s.state, "some-snap_instance")
+	c.Assert(err, IsNil)
+	c.Assert(other, Equals, true)
+}
+
+func (s *snapmgrTestSuite) TestRequestSalt(c *C) {
+	si := snap.SideInfo{
+		RealName: "other-snap",
+		Revision: snap.R(7),
+		SnapID:   "other-snap-id",
+	}
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	snapstate.Set(s.state, "other-snap", &snapstate.SnapState{
+		Active:   true,
+		Sequence: []*snap.SideInfo{&si},
+		Current:  si.Revision,
+		SnapType: "app",
+	})
+	snapstate.Set(s.state, "other-snap_instance", &snapstate.SnapState{
+		Active:      true,
+		Sequence:    []*snap.SideInfo{&si},
+		Current:     si.Revision,
+		SnapType:    "app",
+		InstanceKey: "instance",
+	})
+
+	// clear request-salt to have it generated
+	s.state.Set("refresh-privacy-key", nil)
+
+	_, err := snapstate.Install(s.state, "some-snap", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, ErrorMatches, "internal error: request salt is unset")
+
+	s.state.Set("refresh-privacy-key", "privacy-key")
+
+	chg := s.state.NewChange("install", "install a snap")
+	ts, err := snapstate.Install(s.state, "some-snap", "", snap.R(0), s.user.ID, snapstate.Flags{})
+	c.Assert(err, IsNil)
+	chg.AddAll(ts)
+
+	s.state.Unlock()
+	defer s.se.Stop()
+	s.settle(c)
+	s.state.Lock()
+
+	c.Assert(len(s.fakeBackend.ops) >= 1, Equals, true)
+	storeAction := s.fakeBackend.ops[0]
+	c.Assert(storeAction.op, Equals, "storesvc-snap-action")
+	c.Assert(storeAction.curSnaps, HasLen, 2)
+	c.Assert(s.fakeStore.seenPrivacyKeys["privacy-key"], Equals, true)
+}
+
 type canDisableSuite struct{}
 
 var _ = Suite(&canDisableSuite{})
@@ -9082,3 +12899,100 @@
 		c.Check(snapstate.CanDisable(info), Equals, tt.canDisable)
 	}
 }
+
+func (s *snapmgrTestSuite) TestGadgetConnections(c *C) {
+	r := release.MockOnClassic(false)
+	defer r()
+
+	// using MockSnap, we want to read the bits on disk
+	snapstate.MockSnapReadInfo(snap.ReadInfo)
+
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	_, err := snapstate.GadgetConnections(s.state)
+	c.Assert(err, Equals, state.ErrNoState)
+
+	s.prepareGadget(c, `
+connections:
+  - plug: snap1idididididididididididididi:plug
+    slot: snap2idididididididididididididi:slot
+`)
+
+	conns, err := snapstate.GadgetConnections(s.state)
+	c.Assert(err, IsNil)
+	c.Check(conns, DeepEquals, []snap.GadgetConnection{
+		{Plug: snap.GadgetConnectionPlug{SnapID: "snap1idididididididididididididi", Plug: "plug"}, Slot: snap.GadgetConnectionSlot{SnapID: "snap2idididididididididididididi", Slot: "slot"}}})
+}
+
+func (s *snapmgrTestSuite) TestSnapManagerCanStandby(c *C) {
+	s.state.Lock()
+	defer s.state.Unlock()
+
+	// no snaps -> can standby
+	s.state.Set("snaps", nil)
+	c.Assert(s.snapmgr.CanStandby(), Equals, true)
+
+	// snaps installed -> can *not* standby
+	snapstate.Set(s.state, "core", &snapstate.SnapState{
+		Active: true,
+		Sequence: []*snap.SideInfo{
+			{RealName: "core", Revision: snap.R(1)},
+		},
+		Current:  snap.R(1),
+		SnapType: "os",
+	})
+	c.Assert(s.snapmgr.CanStandby(), Equals, false)
+}
+
+type modelPastSeedSuite struct {
+	st *state.State
+}
+
+var _ = Suite(&modelPastSeedSuite{})
+
+func (s *modelPastSeedSuite) SetUpTest(c *C) {
+	s.st = state.New(nil)
+}
+
+func (s *modelPastSeedSuite) TearDownTest(c *C) {
+	snapstate.Model = nil
+}
+
+func (s *modelPastSeedSuite) TestTooEarly(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	snapstate.Model = func(*state.State) (*asserts.Model, error) {
+		return nil, state.ErrNoState
+	}
+
+	expectedErr := &snapstate.ChangeConflictError{
+		Message: "too early for operation, device not yet seeded or" +
+			" device model not acknowledged",
+		ChangeKind: "seed",
+	}
+
+	// not seeded, no model assertion
+	_, err := snapstate.ModelPastSeeding(s.st)
+	c.Assert(err, DeepEquals, expectedErr)
+
+	// seeded, no model assertion
+	s.st.Set("seeded", true)
+	_, err = snapstate.ModelPastSeeding(s.st)
+	c.Assert(err, DeepEquals, expectedErr)
+}
+
+func (s *modelPastSeedSuite) TestReady(c *C) {
+	s.st.Lock()
+	defer s.st.Unlock()
+
+	// seeded and model assertion
+	s.st.Set("seeded", true)
+
+	snapstate.SetDefaultModel()
+
+	modelAs, err := snapstate.ModelPastSeeding(s.st)
+	c.Assert(err, IsNil)
+	c.Check(modelAs.Model(), Equals, "baz-3000")
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/snapstate/storehelpers.go snapd-2.37~rc1~14.04/overlord/snapstate/storehelpers.go
--- snapd-2.32.3.2~14.04/overlord/snapstate/storehelpers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/snapstate/storehelpers.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016-2017 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,6 +25,7 @@
 
 	"golang.org/x/net/context"
 
+	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/snap"
@@ -38,13 +39,6 @@
 	amend            bool
 }
 
-func idForUser(user *auth.UserState) int {
-	if user == nil {
-		return 0
-	}
-	return user.ID
-}
-
 func userIDForSnap(st *state.State, snapst *SnapState, fallbackUserID int) (int, error) {
 	userID := snapst.UserID
 	_, err := auth.User(st, userID)
@@ -75,44 +69,64 @@
 	return user, err
 }
 
-// userFromUserIDOrFallback returns the user corresponding to userID
-// if valid or otherwise the fallbackUser.
-func userFromUserIDOrFallback(st *state.State, userID int, fallbackUser *auth.UserState) (*auth.UserState, error) {
-	if userID != 0 {
-		u, err := auth.User(st, userID)
-		if err != nil && err != auth.ErrInvalidUser {
-			return nil, err
-		}
-		if err == nil {
-			return u, nil
+func refreshOptions(st *state.State, origOpts *store.RefreshOptions) (*store.RefreshOptions, error) {
+	var opts store.RefreshOptions
+
+	if origOpts != nil {
+		if origOpts.PrivacyKey != "" {
+			// nothing to add
+			return origOpts, nil
 		}
+		opts = *origOpts
 	}
-	return fallbackUser, nil
-}
 
-func snapNameToID(st *state.State, name string, user *auth.UserState) (string, error) {
-	theStore := Store(st)
-	st.Unlock()
-	info, err := theStore.SnapInfo(store.SnapSpec{Name: name}, user)
-	st.Lock()
-	return info.SnapID, err
+	if err := st.Get("refresh-privacy-key", &opts.PrivacyKey); err != nil && err != state.ErrNoState {
+		return nil, fmt.Errorf("cannot obtain store request salt: %v", err)
+	}
+	if opts.PrivacyKey == "" {
+		return nil, fmt.Errorf("internal error: request salt is unset")
+	}
+	return &opts, nil
 }
 
-func snapInfo(st *state.State, name, channel string, revision snap.Revision, userID int) (*snap.Info, error) {
+func installInfo(st *state.State, name, channel string, revision snap.Revision, userID int) (*snap.Info, error) {
+	// TODO: support ignore-validation?
+
+	curSnaps, err := currentSnaps(st)
+	if err != nil {
+		return nil, err
+	}
+
 	user, err := userFromUserID(st, userID)
 	if err != nil {
 		return nil, err
 	}
-	theStore := Store(st)
-	st.Unlock() // calls to the store should be done without holding the state lock
-	spec := store.SnapSpec{
-		Name:     name,
-		Channel:  channel,
+
+	// cannot specify both with the API
+	if !revision.Unset() {
+		channel = ""
+	}
+
+	opts, err := refreshOptions(st, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	action := &store.SnapAction{
+		Action:       "install",
+		InstanceName: name,
+		// the desired channel
+		Channel: channel,
+		// the desired revision
 		Revision: revision,
 	}
-	snap, err := theStore.SnapInfo(spec, user)
+
+	theStore := Store(st)
+	st.Unlock() // calls to the store should be done without holding the state lock
+	res, err := theStore.SnapAction(context.TODO(), curSnaps, []*store.SnapAction{action}, user, opts)
 	st.Lock()
-	return snap, err
+
+	return singleActionResult(name, action.Action, res, err)
 }
 
 func updateInfo(st *state.State, snapst *SnapState, opts *updateInfoOpts, userID int) (*snap.Info, error) {
@@ -120,26 +134,48 @@
 		opts = &updateInfoOpts{}
 	}
 
+	curSnaps, err := currentSnaps(st)
+	if err != nil {
+		return nil, err
+	}
+
+	refreshOpts, err := refreshOptions(st, nil)
+	if err != nil {
+		return nil, err
+	}
+
 	curInfo, user, err := preUpdateInfo(st, snapst, opts.amend, userID)
 	if err != nil {
 		return nil, err
 	}
 
-	refreshCand := &store.RefreshCandidate{
+	var flags store.SnapActionFlags
+	if opts.ignoreValidation {
+		flags = store.SnapActionIgnoreValidation
+	} else {
+		flags = store.SnapActionEnforceValidation
+	}
+
+	action := &store.SnapAction{
+		Action:       "refresh",
+		InstanceName: curInfo.InstanceName(),
+		SnapID:       curInfo.SnapID,
 		// the desired channel
-		Channel:          opts.channel,
-		SnapID:           curInfo.SnapID,
-		Revision:         curInfo.Revision,
-		Epoch:            curInfo.Epoch,
-		IgnoreValidation: opts.ignoreValidation,
-		Amend:            opts.amend,
+		Channel: opts.channel,
+		Flags:   flags,
+	}
+
+	if curInfo.SnapID == "" { // amend
+		action.Action = "install"
+		action.Epoch = curInfo.Epoch
 	}
 
 	theStore := Store(st)
 	st.Unlock() // calls to the store should be done without holding the state lock
-	res, err := theStore.LookupRefresh(refreshCand, user)
+	res, err := theStore.SnapAction(context.TODO(), curSnaps, []*store.SnapAction{action}, user, refreshOpts)
 	st.Lock()
-	return res, err
+
+	return singleActionResult(curInfo.InstanceName(), action.Action, res, err)
 }
 
 func preUpdateInfo(st *state.State, snapst *SnapState, amend bool, userID int) (*snap.Info, *auth.UserState, error) {
@@ -157,151 +193,287 @@
 		if !amend {
 			return nil, nil, store.ErrLocalSnap
 		}
+	}
 
-		// in amend mode we need to move to the store rev
-		id, err := snapNameToID(st, curInfo.Name(), user)
-		if err != nil {
-			return nil, nil, fmt.Errorf("cannot get snap ID for %q: %v", curInfo.Name(), err)
+	return curInfo, user, nil
+}
+
+func singleActionResult(name, action string, results []*snap.Info, e error) (info *snap.Info, err error) {
+	if len(results) > 1 {
+		return nil, fmt.Errorf("internal error: multiple store results for a single snap op")
+	}
+	if len(results) > 0 {
+		// TODO: if we also have an error log/warn about it
+		return results[0], nil
+	}
+
+	if saErr, ok := e.(*store.SnapActionError); ok {
+		if len(saErr.Other) != 0 {
+			return nil, saErr
+		}
+
+		var snapErr error
+		switch action {
+		case "refresh":
+			snapErr = saErr.Refresh[name]
+		case "install":
+			snapErr = saErr.Install[name]
+		}
+		if snapErr != nil {
+			return nil, snapErr
+		}
+
+		// no result, atypical case
+		if saErr.NoResults {
+			switch action {
+			case "refresh":
+				return nil, store.ErrNoUpdateAvailable
+			case "install":
+				return nil, store.ErrSnapNotFound
+			}
 		}
-		curInfo.SnapID = id
-		// set revision to "unknown"
-		curInfo.Revision = snap.R(0)
 	}
 
-	return curInfo, user, nil
+	return nil, e
 }
 
-func updateToRevisionInfo(st *state.State, snapst *SnapState, channel string, revision snap.Revision, userID int) (*snap.Info, error) {
+func updateToRevisionInfo(st *state.State, snapst *SnapState, revision snap.Revision, userID int) (*snap.Info, error) {
+	// TODO: support ignore-validation?
+
+	curSnaps, err := currentSnaps(st)
+	if err != nil {
+		return nil, err
+	}
+
 	curInfo, user, err := preUpdateInfo(st, snapst, false, userID)
 	if err != nil {
 		return nil, err
 	}
 
-	theStore := Store(st)
-	st.Unlock() // calls to the store should be done without holding the state lock
-	spec := store.SnapSpec{
-		Name:     curInfo.Name(),
-		Channel:  channel,
+	opts, err := refreshOptions(st, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	action := &store.SnapAction{
+		Action:       "refresh",
+		SnapID:       curInfo.SnapID,
+		InstanceName: curInfo.InstanceName(),
+		// the desired revision
 		Revision: revision,
 	}
-	snap, err := theStore.SnapInfo(spec, user)
+
+	theStore := Store(st)
+	st.Unlock() // calls to the store should be done without holding the state lock
+	res, err := theStore.SnapAction(context.TODO(), curSnaps, []*store.SnapAction{action}, user, opts)
 	st.Lock()
-	return snap, err
+
+	return singleActionResult(curInfo.InstanceName(), action.Action, res, err)
 }
 
-func refreshCandidates(ctx context.Context, st *state.State, names []string, user *auth.UserState, flags *store.RefreshOptions) ([]*snap.Info, map[string]*SnapState, map[string]bool, error) {
+func currentSnaps(st *state.State) ([]*store.CurrentSnap, error) {
 	snapStates, err := All(st)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, err
 	}
 
-	// check if we have this name at all
-	for _, name := range names {
-		if _, ok := snapStates[name]; !ok {
-			return nil, nil, nil, snap.NotInstalledError{Snap: name}
-		}
+	if len(snapStates) == 0 {
+		// no snaps installed, do not bother any further
+		return nil, nil
 	}
 
-	sort.Strings(names)
+	curSnaps := collectCurrentSnaps(snapStates, nil)
+	return curSnaps, nil
+}
 
-	stateByID := make(map[string]*SnapState, len(snapStates))
-	candidatesInfo := make([]*store.RefreshCandidate, 0, len(snapStates))
-	ignoreValidation := make(map[string]bool)
-	userIDs := make(map[int]bool)
-	for _, snapst := range snapStates {
-		if len(names) == 0 && (snapst.TryMode || snapst.DevMode) {
-			// no auto-refresh for trymode nor devmode
-			continue
-		}
+func collectCurrentSnaps(snapStates map[string]*SnapState, consider func(*store.CurrentSnap, *SnapState)) (curSnaps []*store.CurrentSnap) {
+	curSnaps = make([]*store.CurrentSnap, 0, len(snapStates))
 
-		// FIXME: snaps that are not active are skipped for now
-		//        until we know what we want to do
-		if !snapst.Active {
+	for _, snapst := range snapStates {
+		if snapst.TryMode {
+			// try mode snaps are completely local and
+			// irrelevant for the operation
 			continue
 		}
 
 		snapInfo, err := snapst.CurrentInfo()
 		if err != nil {
-			// log something maybe?
 			continue
 		}
 
 		if snapInfo.SnapID == "" {
-			// no refresh for sideloaded
+			// the store won't be able to tell what this
+			// is and so cannot include it in the
+			// operation
 			continue
 		}
 
-		if len(names) > 0 && !strutil.SortedListContains(names, snapInfo.Name()) {
-			continue
+		installed := &store.CurrentSnap{
+			InstanceName: snapInfo.InstanceName(),
+			SnapID:       snapInfo.SnapID,
+			// the desired channel (not snapInfo.Channel!)
+			TrackingChannel:  snapst.Channel,
+			Revision:         snapInfo.Revision,
+			RefreshedDate:    revisionDate(snapInfo),
+			IgnoreValidation: snapst.IgnoreValidation,
+			Epoch:            snapInfo.Epoch,
 		}
+		curSnaps = append(curSnaps, installed)
 
-		stateByID[snapInfo.SnapID] = snapst
+		if consider != nil {
+			consider(installed, snapst)
+		}
+	}
 
-		// get confinement preference from the snapstate
-		candidateInfo := &store.RefreshCandidate{
-			// the desired channel (not info.Channel!)
-			Channel:          snapst.Channel,
-			SnapID:           snapInfo.SnapID,
-			Revision:         snapInfo.Revision,
-			Epoch:            snapInfo.Epoch,
-			IgnoreValidation: snapst.IgnoreValidation,
+	return curSnaps
+}
+
+func refreshCandidates(ctx context.Context, st *state.State, names []string, user *auth.UserState, opts *store.RefreshOptions) ([]*snap.Info, map[string]*SnapState, map[string]bool, error) {
+	snapStates, err := All(st)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	opts, err = refreshOptions(st, opts)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	// check if we have this name at all
+	for _, name := range names {
+		if _, ok := snapStates[name]; !ok {
+			return nil, nil, nil, snap.NotInstalledError{Snap: name}
+		}
+	}
+
+	sort.Strings(names)
+
+	var fallbackID int
+	// normalize fallback user
+	if !user.HasStoreAuth() {
+		user = nil
+	} else {
+		fallbackID = user.ID
+	}
+
+	actionsByUserID := make(map[int][]*store.SnapAction)
+	stateByInstanceName := make(map[string]*SnapState, len(snapStates))
+	ignoreValidationByInstanceName := make(map[string]bool)
+	nCands := 0
+
+	addCand := func(installed *store.CurrentSnap, snapst *SnapState) {
+		// FIXME: snaps that are not active are skipped for now
+		//        until we know what we want to do
+		if !snapst.Active {
+			return
+		}
+
+		if len(names) == 0 && snapst.DevMode {
+			// no auto-refresh for devmode
+			return
+		}
+
+		if len(names) > 0 && !strutil.SortedListContains(names, installed.InstanceName) {
+			return
 		}
 
+		stateByInstanceName[installed.InstanceName] = snapst
+
 		if len(names) == 0 {
-			candidateInfo.Block = snapst.Block()
+			installed.Block = snapst.Block()
 		}
 
-		candidatesInfo = append(candidatesInfo, candidateInfo)
-		if snapst.UserID != 0 {
-			userIDs[snapst.UserID] = true
+		userID := snapst.UserID
+		if userID == 0 {
+			userID = fallbackID
 		}
+		actionsByUserID[userID] = append(actionsByUserID[userID], &store.SnapAction{
+			Action:       "refresh",
+			SnapID:       installed.SnapID,
+			InstanceName: installed.InstanceName,
+		})
 		if snapst.IgnoreValidation {
-			ignoreValidation[snapInfo.SnapID] = true
+			ignoreValidationByInstanceName[installed.InstanceName] = true
 		}
+		nCands++
 	}
+	// determine current snaps and collect candidates for refresh
+	curSnaps := collectCurrentSnaps(snapStates, addCand)
 
-	theStore := Store(st)
-
-	// TODO: we query for all snaps for each user so that the
-	// store can take into account validation constraints, we can
-	// do better with coming APIs
-	updatesInfo := make(map[string]*snap.Info, len(candidatesInfo))
-	fallbackUsed := false
-	fallbackID := idForUser(user)
-	if len(userIDs) == 0 {
-		// none of the snaps had an installed user set, just
-		// use the fallbackID
-		userIDs[fallbackID] = true
-	}
-	for userID := range userIDs {
-		u, err := userFromUserIDOrFallback(st, userID, user)
+	actionsForUser := make(map[*auth.UserState][]*store.SnapAction, len(actionsByUserID))
+	noUserActions := actionsByUserID[0]
+	for userID, actions := range actionsByUserID {
+		if userID == 0 {
+			continue
+		}
+		u, err := userFromUserID(st, userID, 0)
 		if err != nil {
 			return nil, nil, nil, err
 		}
-		// consider the fallback user at most once
-		if idForUser(u) == fallbackID {
-			if fallbackUsed {
-				continue
+		if u.HasStoreAuth() {
+			actionsForUser[u] = actions
+		} else {
+			noUserActions = append(noUserActions, actions...)
+		}
+	}
+	// coalesce if possible
+	if len(noUserActions) != 0 {
+		if len(actionsForUser) == 0 {
+			actionsForUser[nil] = noUserActions
+		} else {
+			// coalesce no user actions with one other user's
+			for u1, actions := range actionsForUser {
+				actionsForUser[u1] = append(actions, noUserActions...)
+				break
 			}
-			fallbackUsed = true
 		}
+	}
 
+	theStore := Store(st)
+
+	updates := make([]*snap.Info, 0, nCands)
+	for u, actions := range actionsForUser {
 		st.Unlock()
-		updatesForUser, err := theStore.ListRefresh(ctx, candidatesInfo, u, flags)
+		updatesForUser, err := theStore.SnapAction(ctx, curSnaps, actions, u, opts)
 		st.Lock()
 		if err != nil {
-			return nil, nil, nil, err
+			saErr, ok := err.(*store.SnapActionError)
+			if !ok {
+				return nil, nil, nil, err
+			}
+			// TODO: use the warning infra here when we have it
+			logger.Noticef("%v", saErr)
 		}
 
-		for _, snapInfo := range updatesForUser {
-			updatesInfo[snapInfo.SnapID] = snapInfo
-		}
+		updates = append(updates, updatesForUser...)
+	}
+
+	return updates, stateByInstanceName, ignoreValidationByInstanceName, nil
+}
+
+func installCandidates(st *state.State, names []string, channel string, user *auth.UserState) ([]*snap.Info, error) {
+	curSnaps, err := currentSnaps(st)
+	if err != nil {
+		return nil, err
 	}
 
-	updates := make([]*snap.Info, 0, len(updatesInfo))
-	for _, snapInfo := range updatesInfo {
-		updates = append(updates, snapInfo)
+	opts, err := refreshOptions(st, nil)
+	if err != nil {
+		return nil, err
 	}
 
-	return updates, stateByID, ignoreValidation, nil
+	actions := make([]*store.SnapAction, len(names))
+	for i, name := range names {
+		actions[i] = &store.SnapAction{
+			Action:       "install",
+			InstanceName: name,
+			// the desired channel
+			Channel: channel,
+		}
+	}
+
+	theStore := Store(st)
+	st.Unlock() // calls to the store should be done without holding the state lock
+	defer st.Lock()
+	return theStore.SnapAction(context.TODO(), curSnaps, actions, user, opts)
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/standby/export_test.go snapd-2.37~rc1~14.04/overlord/standby/export_test.go
--- snapd-2.32.3.2~14.04/overlord/standby/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/standby/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,37 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package standby
+
+import (
+	"time"
+
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+func (m *StandbyOpinions) SetStartTime(t time.Time) {
+	m.startTime = t
+}
+
+func MockStateRequestRestart(newStateRequestRestart func(*state.State, state.RestartType)) (restore func()) {
+	oldStateRequestRestart := stateRequestRestart
+	stateRequestRestart = newStateRequestRestart
+	return func() {
+		stateRequestRestart = oldStateRequestRestart
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/standby/standby.go snapd-2.37~rc1~14.04/overlord/standby/standby.go
--- snapd-2.32.3.2~14.04/overlord/standby/standby.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/standby/standby.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,130 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package standby
+
+import (
+	"time"
+
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+var standbyWait = 5 * time.Second
+var maxWait = 5 * time.Minute
+
+var stateRequestRestart = (*state.State).RequestRestart
+
+type Opinionator interface {
+	CanStandby() bool
+}
+
+// StandbyOpinions tracks if snapd can go into socket activation mode
+type StandbyOpinions struct {
+	state     *state.State
+	startTime time.Time
+	opinions  []Opinionator
+
+	stoppingCh chan struct{}
+	stoppedCh  chan struct{}
+}
+
+// CanStandby returns true if the main ensure loop can go into
+// "socket-activation" mode. This is only possible once seeding is done
+// and there are no snaps on the system. This is to reduce the memory
+// footprint on e.g. containers.
+func (m *StandbyOpinions) CanStandby() bool {
+	st := m.state
+	st.Lock()
+	defer st.Unlock()
+
+	// check if enough time has passed
+	if m.startTime.Add(standbyWait).After(time.Now()) {
+		return false
+	}
+	// check if there are any changes in flight
+	for _, chg := range st.Changes() {
+		if !chg.Status().Ready() || !chg.IsClean() {
+			return false
+		}
+	}
+	// check the voice of the crowd
+	for _, ct := range m.opinions {
+		if !ct.CanStandby() {
+			return false
+		}
+	}
+	return true
+}
+
+func New(st *state.State) *StandbyOpinions {
+	return &StandbyOpinions{
+		state:      st,
+		startTime:  time.Now(),
+		stoppingCh: make(chan struct{}),
+		stoppedCh:  make(chan struct{}),
+	}
+}
+
+func (m *StandbyOpinions) Start() {
+	go func() {
+		wait := standbyWait
+		timer := time.NewTimer(wait)
+		for {
+			if m.CanStandby() {
+				stateRequestRestart(m.state, state.RestartSocket)
+			}
+			select {
+			case <-timer.C:
+				if wait < maxWait {
+					wait *= 2
+				}
+			case <-m.stoppingCh:
+				close(m.stoppedCh)
+				return
+			}
+			timer.Reset(wait)
+		}
+	}()
+}
+
+func (m *StandbyOpinions) Stop() {
+	select {
+	case <-m.stoppedCh:
+		// nothing left to do
+		return
+	case <-m.stoppingCh:
+		// nearly nothing to do
+	default:
+		close(m.stoppingCh)
+	}
+	<-m.stoppedCh
+}
+
+func (m *StandbyOpinions) AddOpinion(opi Opinionator) {
+	if opi != nil {
+		m.opinions = append(m.opinions, opi)
+	}
+}
+
+func MockStandbyWait(d time.Duration) (restore func()) {
+	oldStandbyWait := standbyWait
+	standbyWait = d
+	return func() {
+		standbyWait = oldStandbyWait
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/standby/standby_test.go snapd-2.37~rc1~14.04/overlord/standby/standby_test.go
--- snapd-2.32.3.2~14.04/overlord/standby/standby_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/standby/standby_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,205 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package standby_test
+
+import (
+	"testing"
+	"time"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/overlord/standby"
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+// Hook up v1 into the "go test" runner
+func Test(t *testing.T) { TestingT(t) }
+
+type standbySuite struct {
+	state *state.State
+
+	canStandby bool
+}
+
+var _ = Suite(&standbySuite{})
+
+func (s *standbySuite) SetUpTest(c *C) {
+	s.state = state.New(nil)
+}
+
+func (s *standbySuite) TestCanStandbyNoChanges(c *C) {
+	m := standby.New(s.state)
+	c.Check(m.CanStandby(), Equals, false)
+
+	m.SetStartTime(time.Time{})
+	c.Check(m.CanStandby(), Equals, true)
+}
+
+func (s *standbySuite) TestCanStandbyPendingChanges(c *C) {
+	st := s.state
+	st.Lock()
+	chg := st.NewChange("foo", "fake change")
+	chg.AddTask(st.NewTask("bar", "fake task"))
+	c.Assert(chg.Status(), Equals, state.DoStatus)
+	st.Unlock()
+
+	m := standby.New(s.state)
+	m.SetStartTime(time.Time{})
+	c.Check(m.CanStandby(), Equals, false)
+}
+
+func (s *standbySuite) TestCanStandbyPendingClean(c *C) {
+	st := s.state
+	st.Lock()
+	t := st.NewTask("bar", "fake task")
+	chg := st.NewChange("foo", "fake change")
+	chg.AddTask(t)
+	t.SetStatus(state.DoneStatus)
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+	c.Assert(t.IsClean(), Equals, false)
+	st.Unlock()
+
+	m := standby.New(s.state)
+	m.SetStartTime(time.Time{})
+	c.Check(m.CanStandby(), Equals, false)
+}
+
+func (s *standbySuite) TestCanStandbyOnlyDonePendingChanges(c *C) {
+	st := s.state
+	st.Lock()
+	t := st.NewTask("bar", "fake task")
+	chg := st.NewChange("foo", "fake change")
+	chg.AddTask(t)
+	t.SetStatus(state.DoneStatus)
+	t.SetClean()
+	c.Assert(chg.Status(), Equals, state.DoneStatus)
+	c.Assert(t.IsClean(), Equals, true)
+	st.Unlock()
+
+	m := standby.New(s.state)
+	m.SetStartTime(time.Time{})
+	c.Check(m.CanStandby(), Equals, true)
+}
+
+func (s *standbySuite) CanStandby() bool {
+	return s.canStandby
+}
+
+func (s *standbySuite) TestCanStandbyWithOpinion(c *C) {
+	m := standby.New(s.state)
+	m.AddOpinion(s)
+	m.SetStartTime(time.Time{})
+
+	s.canStandby = true
+	c.Check(m.CanStandby(), Equals, true)
+
+	s.canStandby = false
+	c.Check(m.CanStandby(), Equals, false)
+}
+
+type opine func() bool
+
+func (f opine) CanStandby() bool {
+	return f()
+}
+
+func (s *standbySuite) TestStartChecks(c *C) {
+	n := 0
+	ch1 := make(chan struct{})
+	ch2 := make(chan struct{})
+
+	defer standby.MockStandbyWait(time.Millisecond)()
+	defer standby.MockStateRequestRestart(func(_ *state.State, t state.RestartType) {
+		c.Check(t, Equals, state.RestartSocket)
+		n++
+		<-ch2
+	})()
+
+	opinion := false
+	m := standby.New(s.state)
+	m.AddOpinion(opine(func() bool {
+		<-ch1
+		return opinion
+	}))
+
+	m.Start()
+	ch1 <- struct{}{}
+	c.Check(n, Equals, 0)
+	ch1 <- struct{}{}
+	c.Check(n, Equals, 0)
+
+	opinion = true
+	ch1 <- struct{}{}
+	ch2 <- struct{}{}
+	c.Check(n, Equals, 1)
+
+	m.Stop()
+}
+
+func (s *standbySuite) TestStopWaits(c *C) {
+	defer standby.MockStandbyWait(time.Millisecond)()
+	defer standby.MockStateRequestRestart(func(*state.State, state.RestartType) {
+		c.Fatal("request restart should have not been called")
+	})()
+
+	ch := make(chan struct{})
+	opineReady := make(chan struct{})
+	done := make(chan struct{})
+	m := standby.New(s.state)
+	synced := false
+	m.AddOpinion(opine(func() bool {
+		if !synced {
+			// synchronize with the main goroutine only at the
+			// beginning
+			close(opineReady)
+			synced = true
+		}
+		select {
+		case <-time.After(200 * time.Millisecond):
+		case <-done:
+		}
+		return false
+	}))
+
+	m.Start()
+
+	// let the opinionator start its delay
+	<-opineReady
+	go func() {
+		// this will block until standby stops
+		m.Stop()
+		close(ch)
+	}()
+
+	select {
+	case <-time.After(100 * time.Millisecond):
+		// wheee
+	case <-ch:
+		c.Fatal("stop should have blocked and didn't")
+	}
+
+	close(done)
+
+	// wait for Stop to complete now
+	select {
+	case <-ch:
+		// nothing to do here
+	case <-time.After(10 * time.Second):
+		c.Fatal("stop did not complete")
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/state/export_test.go snapd-2.37~rc1~14.04/overlord/state/export_test.go
--- snapd-2.32.3.2~14.04/overlord/state/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -44,3 +44,24 @@
 	t.spawnTime = spawnTime
 	t.readyTime = readyTime
 }
+
+func (s *State) AddWarning(message string, lastAdded, lastShown time.Time, expireAfter, repeatAfter time.Duration) {
+	s.addWarning(Warning{
+		message:     message,
+		lastShown:   lastShown,
+		expireAfter: expireAfter,
+		repeatAfter: repeatAfter,
+	}, lastAdded)
+}
+
+func (w Warning) LastAdded() time.Time {
+	return w.lastAdded
+}
+
+var (
+	ErrNoWarningMessage     = errNoWarningMessage
+	ErrBadWarningMessage    = errBadWarningMessage
+	ErrNoWarningFirstAdded  = errNoWarningFirstAdded
+	ErrNoWarningExpireAfter = errNoWarningExpireAfter
+	ErrNoWarningRepeatAfter = errNoWarningRepeatAfter
+)
diff -Nru snapd-2.32.3.2~14.04/overlord/state/state.go snapd-2.37~rc1~14.04/overlord/state/state.go
--- snapd-2.32.3.2~14.04/overlord/state/state.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/state.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,6 +57,10 @@
 	return nil
 }
 
+func (data customData) has(key string) bool {
+	return data[key] != nil
+}
+
 func (data customData) set(key string, value interface{}) {
 	if value == nil {
 		delete(data, key)
@@ -76,6 +80,9 @@
 	RestartUnset RestartType = iota
 	RestartDaemon
 	RestartSystem
+	// RestartSocket will restart the daemon so that it goes into
+	// socket activation mode.
+	RestartSocket
 )
 
 // State represents an evolving system state that persists across restarts.
@@ -94,16 +101,17 @@
 	lastChangeId int
 	lastLaneId   int
 
-	backend Backend
-	data    customData
-	changes map[string]*Change
-	tasks   map[string]*Task
+	backend  Backend
+	data     customData
+	changes  map[string]*Change
+	tasks    map[string]*Task
+	warnings map[string]*Warning
 
 	modified bool
 
 	cache map[interface{}]interface{}
 
-	restarting bool
+	restarting RestartType
 	restartLck sync.Mutex
 }
 
@@ -114,6 +122,7 @@
 		data:     make(customData),
 		changes:  make(map[string]*Change),
 		tasks:    make(map[string]*Task),
+		warnings: make(map[string]*Warning),
 		modified: true,
 		cache:    make(map[interface{}]interface{}),
 	}
@@ -149,9 +158,10 @@
 }
 
 type marshalledState struct {
-	Data    map[string]*json.RawMessage `json:"data"`
-	Changes map[string]*Change          `json:"changes"`
-	Tasks   map[string]*Task            `json:"tasks"`
+	Data     map[string]*json.RawMessage `json:"data"`
+	Changes  map[string]*Change          `json:"changes"`
+	Tasks    map[string]*Task            `json:"tasks"`
+	Warnings []*Warning                  `json:"warnings,omitempty"`
 
 	LastChangeId int `json:"last-change-id"`
 	LastTaskId   int `json:"last-task-id"`
@@ -162,9 +172,10 @@
 func (s *State) MarshalJSON() ([]byte, error) {
 	s.reading()
 	return json.Marshal(marshalledState{
-		Data:    s.data,
-		Changes: s.changes,
-		Tasks:   s.tasks,
+		Data:     s.data,
+		Changes:  s.changes,
+		Tasks:    s.tasks,
+		Warnings: s.flattenWarnings(),
 
 		LastTaskId:   s.lastTaskId,
 		LastChangeId: s.lastChangeId,
@@ -183,6 +194,7 @@
 	s.data = unmarshalled.Data
 	s.changes = unmarshalled.Changes
 	s.tasks = unmarshalled.Tasks
+	s.unflattenWarnings(unmarshalled.Warnings)
 	s.lastChangeId = unmarshalled.LastChangeId
 	s.lastTaskId = unmarshalled.LastTaskId
 	s.lastLaneId = unmarshalled.LastLaneId
@@ -245,21 +257,21 @@
 // RequestRestart asks for a restart of the managing process.
 func (s *State) RequestRestart(t RestartType) {
 	if s.backend != nil {
-		s.backend.RequestRestart(t)
 		s.restartLck.Lock()
-		s.restarting = true
+		s.restarting = t
 		s.restartLck.Unlock()
+		s.backend.RequestRestart(t)
 	}
 }
 
-// Restarting returns whether a restart was requested with RequestRestart
-func (s *State) Restarting() bool {
+// Restarting returns whether a restart was requested with RequestRestart and of which type.
+func (s *State) Restarting() (bool, RestartType) {
 	s.restartLck.Lock()
 	defer s.restartLck.Unlock()
-	return s.restarting
+	return s.restarting != RestartUnset, s.restarting
 }
 
-func MockRestarting(s *State, restarting bool) bool {
+func MockRestarting(s *State, restarting RestartType) RestartType {
 	s.restartLck.Lock()
 	defer s.restartLck.Unlock()
 	old := s.restarting
@@ -386,12 +398,16 @@
 	return res
 }
 
-// Prune removes changes that became ready for more than pruneWait
-// and aborts tasks spawned for more than abortWait.
-// It also removes tasks unlinked to changes after pruneWait. When
-// there are more changes than the limit set via "maxReadyChanges"
-// those changes in ready state will also removed even if they are below
-// the pruneWait duration.
+// Prune does several cleanup tasks to the in-memory state:
+//
+//  * it removes changes that became ready for more than pruneWait and aborts
+//    tasks spawned for more than abortWait.
+//
+//  * it removes tasks unlinked to changes after pruneWait. When there are more
+//    changes than the limit set via "maxReadyChanges" those changes in ready
+//    state will also removed even if they are below the pruneWait duration.
+//
+//  * it removes expired warnings.
 func (s *State) Prune(pruneWait, abortWait time.Duration, maxReadyChanges int) {
 	now := time.Now()
 	pruneLimit := now.Add(-pruneWait)
@@ -413,6 +429,12 @@
 		readyChangesCount++
 	}
 
+	for k, w := range s.warnings {
+		if w.ExpiredBefore(now) {
+			delete(s.warnings, k)
+		}
+	}
+
 	for _, chg := range changes {
 		spawnTime := chg.SpawnTime()
 		readyTime := chg.ReadyTime()
diff -Nru snapd-2.32.3.2~14.04/overlord/state/state_test.go snapd-2.37~rc1~14.04/overlord/state/state_test.go
--- snapd-2.32.3.2~14.04/overlord/state/state_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/state_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -693,6 +693,9 @@
 		func() { st.NewTask("download", "...") },
 		func() { st.UnmarshalJSON(nil) },
 		func() { st.NewLane() },
+		func() { st.Warnf("hello") },
+		func() { st.OkayWarnings(time.Time{}) },
+		func() { st.UnshowAllWarnings() },
 	}
 
 	reads := []func(){
@@ -706,6 +709,9 @@
 		func() { st.MarshalJSON() },
 		func() { st.Prune(time.Hour, time.Hour, 100) },
 		func() { st.TaskCount() },
+		func() { st.AllWarnings() },
+		func() { st.PendingWarnings() },
+		func() { st.WarningsSummary() },
 	}
 
 	for i, f := range reads {
@@ -763,6 +769,10 @@
 	c.Check(st.Task(t5.ID()), IsNil)
 	state.MockTaskTimes(t5, now.Add(-pruneWait), now.Add(-pruneWait))
 
+	// two warnings, one expired
+	st.AddWarning("hello", now, never, time.Nanosecond, state.DefaultRepeatAfter)
+	st.Warnf("hello again")
+
 	st.Prune(pruneWait, abortWait, 100)
 
 	c.Assert(st.Change(chg1.ID()), Equals, chg1)
@@ -784,6 +794,8 @@
 	c.Assert(t4.Status(), Equals, state.DoStatus)
 
 	c.Check(st.TaskCount(), Equals, 3)
+
+	c.Check(st.AllWarnings(), HasLen, 1)
 }
 
 func (ss *stateSuite) TestPruneEmptyChange(c *C) {
@@ -917,13 +929,17 @@
 	b := new(fakeStateBackend)
 	st := state.New(b)
 
-	c.Check(st.Restarting(), Equals, false)
+	ok, t := st.Restarting()
+	c.Check(ok, Equals, false)
+	c.Check(t, Equals, state.RestartUnset)
 
 	st.RequestRestart(state.RestartDaemon)
 
 	c.Check(b.restartRequested, Equals, true)
 
-	c.Check(st.Restarting(), Equals, true)
+	ok, t = st.Restarting()
+	c.Check(ok, Equals, true)
+	c.Check(t, Equals, state.RestartDaemon)
 }
 
 func (ss *stateSuite) TestReadStateInitsCache(c *C) {
diff -Nru snapd-2.32.3.2~14.04/overlord/state/task.go snapd-2.37~rc1~14.04/overlord/state/task.go
--- snapd-2.32.3.2~14.04/overlord/state/task.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/task.go	2019-01-16 08:36:51.000000000 +0000
@@ -345,6 +345,12 @@
 	return t.data.get(key, value)
 }
 
+// Has returns whether the provided key has an associated value.
+func (t *Task) Has(key string) bool {
+	t.state.reading()
+	return t.data.has(key)
+}
+
 // Clear disassociates the value from key.
 func (t *Task) Clear(key string) {
 	t.state.writing()
diff -Nru snapd-2.32.3.2~14.04/overlord/state/taskrunner.go snapd-2.37~rc1~14.04/overlord/state/taskrunner.go
--- snapd-2.32.3.2~14.04/overlord/state/taskrunner.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/taskrunner.go	2019-01-16 08:36:51.000000000 +0000
@@ -36,14 +36,18 @@
 // is asked to stop through its tomb. After can be used to indicate
 // how much to postpone the retry, 0 (the default) means at the next
 // ensure pass and is what should be used if stopped through its tomb.
+// Reason is an optional explanation of the conflict.
 type Retry struct {
-	After time.Duration
+	After  time.Duration
+	Reason string
 }
 
 func (r *Retry) Error() string {
 	return "task should be retried"
 }
 
+type blockedFunc func(t *Task, running []*Task) bool
+
 // TaskRunner controls the running of goroutines to execute known task kinds.
 type TaskRunner struct {
 	state *State
@@ -55,7 +59,7 @@
 	cleanups map[string]HandlerFunc
 	stopped  bool
 
-	blocked     func(t *Task, running []*Task) bool
+	blocked     []blockedFunc
 	someBlocked bool
 
 	// go-routines lifecycle
@@ -143,7 +147,15 @@
 	r.mu.Lock()
 	defer r.mu.Unlock()
 
-	r.blocked = pred
+	r.blocked = []blockedFunc{pred}
+}
+
+// AddBlocked adds a predicate function to decide whether to block a task from running based on the current running tasks. It can be used to control task serialisation. All added predicates are considered in turn until one returns true, or none.
+func (r *TaskRunner) AddBlocked(pred func(t *Task, running []*Task) bool) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	r.blocked = append(r.blocked, pred)
 }
 
 // run must be called with the state lock in place
@@ -316,13 +328,13 @@
 // Ensure starts new goroutines for all known tasks with no pending
 // dependencies.
 // Note that Ensure will lock the state.
-func (r *TaskRunner) Ensure() {
+func (r *TaskRunner) Ensure() error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 
 	if r.stopped {
 		// we are stopping, don't run another ensure
-		return
+		return nil
 	}
 
 	// Locks must be acquired in the same order everywhere.
@@ -340,6 +352,7 @@
 
 	ensureTime := timeNow()
 	nextTaskTime := time.Time{}
+ConsiderTasks:
 	for _, t := range r.state.Tasks() {
 		handlers := r.handlerPair(t)
 		if handlers.do == nil {
@@ -395,9 +408,13 @@
 			continue
 		}
 
-		if r.blocked != nil && r.blocked(t, running) {
-			r.someBlocked = true
-			continue
+		// check if any of the blocked predicates returns true
+		// and skip the task if so
+		for _, blocked := range r.blocked {
+			if blocked(t, running) {
+				r.someBlocked = true
+				continue ConsiderTasks
+			}
 		}
 
 		logger.Debugf("Running task %s on %s: %s", t.ID(), t.Status(), t.Summary())
@@ -410,6 +427,8 @@
 	if !nextTaskTime.IsZero() {
 		r.state.EnsureBefore(nextTaskTime.Sub(ensureTime))
 	}
+
+	return nil
 }
 
 // mustWait returns whether task t must wait for other tasks to be done.
@@ -464,3 +483,35 @@
 
 	r.wait()
 }
+
+// StopKinds kills all concurrent tasks of the given kinds and returns
+// after that's done.
+func (r *TaskRunner) StopKinds(kind ...string) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	kinds := make(map[string]bool, len(kind))
+	for _, k := range kind {
+		kinds[k] = true
+	}
+
+	var tombs []*tomb.Tomb
+	// Locks must be acquired in the same order everywhere:
+	// r.mu, r.state
+	r.state.Lock()
+	for tid, tb := range r.tombs {
+		task := r.state.Task(tid)
+		if task == nil || !kinds[task.Kind()] {
+			continue
+		}
+		tombs = append(tombs, tb)
+		tb.Kill(nil)
+	}
+	r.state.Unlock()
+
+	for _, tb := range tombs {
+		r.mu.Unlock()
+		tb.Wait()
+		r.mu.Lock()
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/state/taskrunner_test.go snapd-2.37~rc1~14.04/overlord/state/taskrunner_test.go
--- snapd-2.32.3.2~14.04/overlord/state/taskrunner_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/taskrunner_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -400,6 +400,51 @@
 	c.Check(t.Status(), Equals, state.DoneStatus)
 }
 
+func (ts *taskRunnerSuite) TestStopKinds(c *C) {
+	sb := &stateBackend{}
+	st := state.New(sb)
+	r := state.NewTaskRunner(st)
+	defer r.Stop()
+
+	ch1 := make(chan bool)
+	ch2 := make(chan bool)
+	r.AddHandler("just-finish1", func(t *state.Task, tb *tomb.Tomb) error {
+		ch1 <- true
+		<-tb.Dying()
+		// just ignore and actually finishes
+		return nil
+	}, nil)
+	r.AddHandler("just-finish2", func(t *state.Task, tb *tomb.Tomb) error {
+		ch2 <- true
+		<-tb.Dying()
+		// just ignore and actually finishes
+		return nil
+	}, nil)
+
+	st.Lock()
+	chg := st.NewChange("install", "...")
+	t1 := st.NewTask("just-finish1", "...")
+	t2 := st.NewTask("just-finish2", "...")
+	chg.AddTask(t1)
+	chg.AddTask(t2)
+	st.Unlock()
+
+	r.Ensure()
+	<-ch1
+	<-ch2
+	r.StopKinds("just-finish1")
+
+	st.Lock()
+	defer st.Unlock()
+	c.Check(t1.Status(), Equals, state.DoneStatus)
+	c.Check(t2.Status(), Equals, state.DoingStatus)
+
+	st.Unlock()
+	r.Stop()
+	st.Lock()
+	c.Check(t2.Status(), Equals, state.DoneStatus)
+}
+
 func (ts *taskRunnerSuite) TestErrorsOnStopAreRetried(c *C) {
 	sb := &stateBackend{}
 	st := state.New(sb)
@@ -537,7 +582,7 @@
 	c.Check(t.AtTime().IsZero(), Equals, true)
 }
 
-func (ts *taskRunnerSuite) TestTaskSerialization(c *C) {
+func (ts *taskRunnerSuite) testTaskSerialization(c *C, setupBlocked func(r *state.TaskRunner)) {
 	ensureBeforeTick := make(chan bool, 1)
 	sb := &stateBackend{
 		ensureBefore:     time.Hour,
@@ -559,17 +604,8 @@
 		return nil
 	}, nil)
 
-	// start first do1, and then do2 when nothing else is running
-	startedDo1 := false
-	r.SetBlocked(func(t *state.Task, running []*state.Task) bool {
-		if t.Kind() == "do2" && (len(running) != 0 || !startedDo1) {
-			return true
-		}
-		if t.Kind() == "do1" {
-			startedDo1 = true
-		}
-		return false
-	})
+	// setup blocked predicates
+	setupBlocked(r)
 
 	st.Lock()
 	chg := st.NewChange("install", "...")
@@ -622,6 +658,41 @@
 	c.Check(ensureBeforeTick, HasLen, 0)
 }
 
+func (ts *taskRunnerSuite) TestTaskSerializationSetBlocked(c *C) {
+	// start first do1, and then do2 when nothing else is running
+	startedDo1 := false
+	ts.testTaskSerialization(c, func(r *state.TaskRunner) {
+		r.SetBlocked(func(t *state.Task, running []*state.Task) bool {
+			if t.Kind() == "do2" && (len(running) != 0 || !startedDo1) {
+				return true
+			}
+			if t.Kind() == "do1" {
+				startedDo1 = true
+			}
+			return false
+		})
+	})
+}
+
+func (ts *taskRunnerSuite) TestTaskSerializationAddBlocked(c *C) {
+	// start first do1, and then do2 when nothing else is running
+	startedDo1 := false
+	ts.testTaskSerialization(c, func(r *state.TaskRunner) {
+		r.AddBlocked(func(t *state.Task, running []*state.Task) bool {
+			if t.Kind() == "do2" && (len(running) != 0 || !startedDo1) {
+				return true
+			}
+			return false
+		})
+		r.AddBlocked(func(t *state.Task, running []*state.Task) bool {
+			if t.Kind() == "do1" {
+				startedDo1 = true
+			}
+			return false
+		})
+	})
+}
+
 func (ts *taskRunnerSuite) TestPrematureChangeReady(c *C) {
 	sb := &stateBackend{}
 	st := state.New(sb)
diff -Nru snapd-2.32.3.2~14.04/overlord/state/task_test.go snapd-2.37~rc1~14.04/overlord/state/task_test.go
--- snapd-2.32.3.2~14.04/overlord/state/task_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/task_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -82,6 +82,21 @@
 	c.Check(v, Equals, 1)
 }
 
+func (ts *taskSuite) TestHas(c *C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	t := st.NewTask("download", "1...")
+	c.Check(t.Has("a"), Equals, false)
+
+	t.Set("a", 1)
+	c.Check(t.Has("a"), Equals, true)
+
+	t.Set("a", nil)
+	c.Check(t.Has("a"), Equals, false)
+}
+
 func (ts *taskSuite) TestClear(c *C) {
 	st := state.New(nil)
 	st.Lock()
diff -Nru snapd-2.32.3.2~14.04/overlord/state/warning.go snapd-2.37~rc1~14.04/overlord/state/warning.go
--- snapd-2.32.3.2~14.04/overlord/state/warning.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/warning.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,292 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package state
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/snapcore/snapd/logger"
+)
+
+var (
+	DefaultRepeatAfter = time.Hour * 24
+	DefaultExpireAfter = time.Hour * 24 * 28
+
+	errNoWarningMessage     = errors.New("warning has no message")
+	errBadWarningMessage    = errors.New("malformed warning message")
+	errNoWarningFirstAdded  = errors.New("warning has no first-added timestamp")
+	errNoWarningExpireAfter = errors.New("warning has no expire-after duration")
+	errNoWarningRepeatAfter = errors.New("warning has no repeat-after duration")
+)
+
+type jsonWarning struct {
+	Message     string     `json:"message"`
+	FirstAdded  time.Time  `json:"first-added"`
+	LastAdded   time.Time  `json:"last-added"`
+	LastShown   *time.Time `json:"last-shown,omitempty"`
+	ExpireAfter string     `json:"expire-after,omitempty"`
+	RepeatAfter string     `json:"repeat-after,omitempty"`
+}
+
+type Warning struct {
+	// the warning text itself. Only one of these in the system at a time.
+	message string
+	// the first time one of these messages was created
+	firstAdded time.Time
+	// the last time one of these was created
+	lastAdded time.Time
+	// the last time one of these was shown to the user
+	lastShown time.Time
+	// how much time since one of these was last added should we drop the message
+	expireAfter time.Duration
+	// how much time since one of these was last shown should we repeat it
+	repeatAfter time.Duration
+}
+
+func (w *Warning) String() string {
+	return w.message
+}
+
+func (w *Warning) MarshalJSON() ([]byte, error) {
+	jw := jsonWarning{
+		Message:     w.message,
+		FirstAdded:  w.firstAdded,
+		LastAdded:   w.lastAdded,
+		ExpireAfter: w.expireAfter.String(),
+		RepeatAfter: w.repeatAfter.String(),
+	}
+	if !w.lastShown.IsZero() {
+		jw.LastShown = &w.lastShown
+	}
+
+	return json.Marshal(jw)
+}
+
+func (w *Warning) UnmarshalJSON(data []byte) error {
+	var jw jsonWarning
+	err := json.Unmarshal(data, &jw)
+	if err != nil {
+		return err
+	}
+	w.message = jw.Message
+	w.firstAdded = jw.FirstAdded
+	w.lastAdded = jw.LastAdded
+	if jw.LastShown != nil {
+		w.lastShown = *jw.LastShown
+	}
+	if jw.ExpireAfter != "" {
+		w.expireAfter, err = time.ParseDuration(jw.ExpireAfter)
+		if err != nil {
+			return err
+		}
+	}
+	if jw.RepeatAfter != "" {
+		w.repeatAfter, err = time.ParseDuration(jw.RepeatAfter)
+		if err != nil {
+			return err
+		}
+	}
+
+	return w.validate()
+}
+
+func (w *Warning) validate() (e error) {
+	if w.message == "" {
+		return errNoWarningMessage
+	}
+	if strings.TrimSpace(w.message) != w.message {
+		return errBadWarningMessage
+	}
+	if w.firstAdded.IsZero() {
+		return errNoWarningFirstAdded
+	}
+	if w.expireAfter == 0 {
+		return errNoWarningExpireAfter
+	}
+	if w.repeatAfter == 0 {
+		return errNoWarningRepeatAfter
+	}
+	return nil
+}
+
+func (w *Warning) ExpiredBefore(now time.Time) bool {
+	return w.lastAdded.Add(w.expireAfter).Before(now)
+}
+
+func (w *Warning) ShowAfter(t time.Time) bool {
+	if w.lastShown.IsZero() {
+		// warning was never shown before; was it added after the cutoff?
+		return !w.firstAdded.After(t)
+	}
+
+	return w.lastShown.Add(w.repeatAfter).Before(t)
+}
+
+// flattenWarning loops over the warnings map, and returns all
+// non-expired warnings therein as a flat list, for serialising.
+// Call with the lock held.
+func (s *State) flattenWarnings() []*Warning {
+	now := time.Now()
+	flat := make([]*Warning, 0, len(s.warnings))
+	for _, w := range s.warnings {
+		if w.ExpiredBefore(now) {
+			continue
+		}
+		flat = append(flat, w)
+	}
+	return flat
+}
+
+// unflattenWarnings takes a flat list of warnings and replaces the
+// warning map with them, ignoring expired warnings in the process.
+// Call with the lock held.
+func (s *State) unflattenWarnings(flat []*Warning) {
+	now := time.Now()
+	s.warnings = make(map[string]*Warning, len(flat))
+	for _, w := range flat {
+		if w.ExpiredBefore(now) {
+			continue
+		}
+		s.warnings[w.message] = w
+	}
+}
+
+// Warnf records a warning: if it's the first Warning with this
+// message it'll be added (with its firstAdded and lastAdded set to the
+// current time), otherwise the existing one will have its lastAdded
+// updated.
+func (s *State) Warnf(template string, args ...interface{}) {
+	var message string
+	if len(args) > 0 {
+		message = fmt.Sprintf(template, args...)
+	} else {
+		message = template
+	}
+	s.addWarning(Warning{
+		message:     message,
+		expireAfter: DefaultExpireAfter,
+		repeatAfter: DefaultRepeatAfter,
+	}, time.Now().UTC())
+}
+
+func (s *State) addWarning(w Warning, t time.Time) {
+	s.writing()
+
+	if s.warnings[w.message] == nil {
+		w.firstAdded = t
+		if err := w.validate(); err != nil {
+			// programming error!
+			logger.Panicf("internal error, please report: attempted to add invalid warning: %v", err)
+			return
+		}
+		s.warnings[w.message] = &w
+	}
+	s.warnings[w.message].lastAdded = t
+}
+
+type byLastAdded []*Warning
+
+func (a byLastAdded) Len() int           { return len(a) }
+func (a byLastAdded) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byLastAdded) Less(i, j int) bool { return a[i].lastAdded.Before(a[j].lastAdded) }
+
+// AllWarnings returns all the warnings in the system, whether they're
+// due to be shown or not. They'll be sorted by lastAdded.
+func (s *State) AllWarnings() []*Warning {
+	s.reading()
+
+	all := s.flattenWarnings()
+	sort.Sort(byLastAdded(all))
+
+	return all
+}
+
+// OkayWarnings marks warnings that were showable at the given time as shown.
+func (s *State) OkayWarnings(t time.Time) int {
+	t = t.UTC()
+	s.writing()
+
+	n := 0
+	for _, w := range s.warnings {
+		if w.ShowAfter(t) {
+			w.lastShown = t
+			n++
+		}
+	}
+
+	return n
+}
+
+// PendingWarnings returns the list of warnings to show the user, sorted by
+// lastAdded, and a timestamp than can be used to refer to these warnings.
+//
+// Warnings to show to the user are those that have not been shown before,
+// or that have been shown earlier than repeatAfter ago.
+func (s *State) PendingWarnings() ([]*Warning, time.Time) {
+	s.reading()
+	now := time.Now().UTC()
+
+	var toShow []*Warning
+	for _, w := range s.warnings {
+		if !w.ShowAfter(now) {
+			continue
+		}
+		toShow = append(toShow, w)
+	}
+
+	sort.Sort(byLastAdded(toShow))
+	return toShow, now
+}
+
+// WarningsSummary returns the number of warnings that are ready to be
+// shown to the user, and the timestamp of the most recently added
+// warning (useful for silencing the warning alerts, and OKing the
+// returned warnings).
+func (s *State) WarningsSummary() (int, time.Time) {
+	s.reading()
+	now := time.Now().UTC()
+	var last time.Time
+
+	var n int
+	for _, w := range s.warnings {
+		if w.ShowAfter(now) {
+			n++
+			if w.lastAdded.After(last) {
+				last = w.lastAdded
+			}
+		}
+	}
+
+	return n, last
+}
+
+// UnshowAllWarnings clears the lastShown timestamp from all the
+// warnings. For use in debugging.
+func (s *State) UnshowAllWarnings() {
+	s.writing()
+	for _, w := range s.warnings {
+		w.lastShown = time.Time{}
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/state/warning_test.go snapd-2.37~rc1~14.04/overlord/state/warning_test.go
--- snapd-2.32.3.2~14.04/overlord/state/warning_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/state/warning_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,267 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package state_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/overlord/state"
+)
+
+var never time.Time
+
+func (stateSuite) testMarshalWarning(shown bool, c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+
+	st.Warnf("hello")
+	now := time.Now()
+
+	expectedNumKeys := 5
+	if shown {
+		expectedNumKeys++ // last-shown
+		st.OkayWarnings(now)
+	}
+
+	ws := st.AllWarnings()
+	c.Assert(ws, check.HasLen, 1)
+	c.Check(ws[0].String(), check.Equals, "hello")
+	buf, err := json.Marshal(ws)
+	c.Assert(err, check.IsNil)
+
+	var v []map[string]string
+	c.Assert(json.Unmarshal(buf, &v), check.IsNil)
+	c.Assert(v, check.HasLen, 1)
+	c.Check(v[0], check.HasLen, expectedNumKeys)
+	c.Check(v[0]["message"], check.DeepEquals, "hello")
+	c.Check(v[0]["expire-after"], check.Equals, state.DefaultExpireAfter.String())
+	c.Check(v[0]["repeat-after"], check.Equals, state.DefaultRepeatAfter.String())
+	c.Check(v[0]["first-added"], check.Equals, v[0]["last-added"])
+	t, err := time.Parse(time.RFC3339, v[0]["first-added"])
+	c.Assert(err, check.IsNil)
+	dt := t.Sub(now)
+	// 'now' was just *after* creating the warning
+	c.Check(dt <= 0, check.Equals, true)
+	c.Check(-time.Minute < dt, check.Equals, true)
+	if shown {
+		t, err := time.Parse(time.RFC3339, v[0]["last-shown"])
+		c.Assert(err, check.IsNil)
+		dt := t.Sub(now)
+		// 'now' was just *before* marking the warning as shown
+		c.Check(0 <= dt, check.Equals, true)
+		c.Check(dt < time.Minute, check.Equals, true)
+	}
+
+	var ws2 []*state.Warning
+	c.Assert(json.Unmarshal(buf, &ws2), check.IsNil)
+	c.Assert(ws2, check.HasLen, 1)
+	c.Check(ws2[0], check.DeepEquals, ws[0])
+}
+
+func (s stateSuite) TestMarshalWarning(c *check.C) {
+	s.testMarshalWarning(false, c)
+}
+
+func (s stateSuite) TestMarshalShownWarning(c *check.C) {
+	s.testMarshalWarning(true, c)
+}
+
+func (stateSuite) TestUnmarshalErrors(c *check.C) {
+	var w state.Warning
+	c.Check(json.Unmarshal([]byte(`42`), &w), check.ErrorMatches, ".* cannot unmarshal .*")
+
+	type T1 struct {
+		b string
+		e error
+	}
+
+	for _, t := range []T1{
+		// sanity check
+		{`{"message": "x", "first-added": "2006-01-02T15:04:05Z", "expire-after": "1h", "repeat-after": "1h"}`, nil},
+		// remove one field at a time:
+		{`{                "first-added": "2006-01-02T15:04:05Z", "expire-after": "1h", "repeat-after": "1h"}`, state.ErrNoWarningMessage},
+		{`{"message": "x",                                        "expire-after": "1h", "repeat-after": "1h"}`, state.ErrNoWarningFirstAdded},
+		{`{"message": "x", "first-added": "2006-01-02T15:04:05Z",                       "repeat-after": "1h"}`, state.ErrNoWarningExpireAfter},
+		{`{"message": "x", "first-added": "2006-01-02T15:04:05Z", "expire-after": "1h"                      }`, state.ErrNoWarningRepeatAfter},
+	} {
+		var w state.Warning
+		c.Check(json.Unmarshal([]byte(t.b), &w), check.Equals, t.e)
+	}
+
+	type T2 struct{ b, e string }
+
+	for _, t := range []T2{
+		// some bogus values
+		{`{"message": " ", "first-added": "2006-01-02T15:04:05Z", "expire-after": "1h", "repeat-after": "1h"}`, "malformed warning message"},
+		{`{"message": "x", "first-added": "2006",                 "expire-after": "1h", "repeat-after": "1h"}`, "parsing time .* cannot parse .*"},
+		{`{"message": "x", "first-added": "2006-01-02T15:04:05Z", "expire-after": "1d", "repeat-after": "1h"}`, ".* unknown unit d .*"},
+		{`{"message": "x", "first-added": "2006-01-02T15:04:05Z", "expire-after": "1h", "repeat-after": "1d"}`, ".* unknown unit d .*"},
+	} {
+		var w state.Warning
+		c.Check(json.Unmarshal([]byte(t.b), &w), check.ErrorMatches, t.e)
+	}
+}
+
+func (stateSuite) TestEmptyStateWarnings(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	ws := st.AllWarnings()
+	c.Check(ws, check.HasLen, 0)
+}
+
+func (stateSuite) TestDeleteExpired(c *check.C) {
+	const dt = 20 * time.Millisecond
+	oldTime := time.Now()
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	st.Warnf("hello again") // adding this twice to trigger the swap in sort
+	st.AddWarning("hello", oldTime, never, dt, state.DefaultRepeatAfter)
+	st.Warnf("hello again")
+
+	allWs := st.AllWarnings()
+	c.Assert(allWs, check.HasLen, 2)
+
+	time.Sleep(2 * dt)
+	now := time.Now()
+
+	c.Assert(allWs, check.HasLen, 2)
+	c.Check(fmt.Sprintf("%q", allWs), check.Equals, `["hello" "hello again"]`)
+	c.Check(allWs[0].ExpiredBefore(now), check.Equals, true)
+	c.Check(allWs[0].ShowAfter(now), check.Equals, true)
+	c.Check(allWs[1].ExpiredBefore(now), check.Equals, false)
+	c.Check(allWs[1].ShowAfter(now), check.Equals, true)
+
+	allWs = st.AllWarnings()
+	c.Check(allWs, check.HasLen, 1)
+	c.Check(fmt.Sprintf("%q", allWs), check.Equals, `["hello again"]`)
+}
+
+func (stateSuite) TestOldRepeatedWarning(c *check.C) {
+	now := time.Now()
+	oldTime := now.UTC().Add(-2 * state.DefaultExpireAfter)
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	st.AddWarning("hello", oldTime, never, state.DefaultExpireAfter, state.DefaultRepeatAfter)
+	st.Warnf("hello")
+
+	allWs := st.AllWarnings()
+	c.Assert(allWs, check.HasLen, 1)
+	w := allWs[0]
+	c.Check(w.ExpiredBefore(now), check.Equals, false)
+	c.Check(w.ShowAfter(now), check.Equals, true)
+}
+
+func (stateSuite) TestCheckpoint(c *check.C) {
+	b := &fakeStateBackend{}
+	st := state.New(b)
+	st.Lock()
+	st.Warnf("hello")
+	st.Unlock()
+	c.Assert(b.checkpoints, check.HasLen, 1)
+
+	st2, err := state.ReadState(nil, bytes.NewReader(b.checkpoints[0]))
+	c.Assert(err, check.IsNil)
+	st2.Lock()
+	defer st2.Unlock()
+	ws := st2.AllWarnings()
+	c.Assert(ws, check.HasLen, 1)
+	c.Check(fmt.Sprintf("%q", ws), check.Equals, `["hello"]`)
+}
+
+func (stateSuite) TestWarningsSummaryReturnsLastLastAdded(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	t0 := time.Now().Add(-100 * time.Hour)
+	st.AddWarning("hello", t0, never, state.DefaultExpireAfter, state.DefaultRepeatAfter)
+	n, t := st.WarningsSummary()
+	c.Check(n, check.Equals, 1)
+	c.Check(t, check.DeepEquals, t0)
+}
+
+func (stateSuite) TestShowAndOkay(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	st.Warnf("number one")
+	n, _ := st.WarningsSummary()
+	c.Check(n, check.Equals, 1)
+	ws1, t1 := st.PendingWarnings()
+	c.Assert(ws1, check.HasLen, 1)
+	c.Check(fmt.Sprintf("%q", ws1), check.Equals, `["number one"]`)
+
+	st.Warnf("number two")
+	ws2, t2 := st.PendingWarnings()
+	c.Assert(ws2, check.HasLen, 2)
+	c.Check(fmt.Sprintf("%q", ws2), check.Equals, `["number one" "number two"]`)
+	c.Assert(t2.After(t1), check.Equals, true)
+
+	n = st.OkayWarnings(t1)
+	c.Check(n, check.Equals, 1)
+
+	ws, _ := st.PendingWarnings()
+	c.Assert(ws, check.HasLen, 1)
+	c.Check(fmt.Sprintf("%q", ws), check.Equals, `["number two"]`)
+
+	n = st.OkayWarnings(t2)
+	c.Check(n, check.Equals, 1)
+
+	ws, _ = st.PendingWarnings()
+	c.Check(ws, check.HasLen, 0)
+
+	st.UnshowAllWarnings()
+	ws, _ = st.PendingWarnings()
+	c.Check(ws, check.HasLen, 2)
+}
+
+func (stateSuite) TestShowAndOkayWithRepeats(c *check.C) {
+	st := state.New(nil)
+	st.Lock()
+	defer st.Unlock()
+	const myRepeatAfter = 2 * time.Second
+	t0 := time.Now()
+	st.AddWarning("hello", t0, never, state.DefaultExpireAfter, myRepeatAfter)
+	ws, t1 := st.PendingWarnings()
+	c.Assert(ws, check.HasLen, 1)
+	c.Check(fmt.Sprintf("%q", ws), check.Equals, `["hello"]`)
+
+	n := st.OkayWarnings(t1)
+	c.Check(n, check.Equals, 1)
+
+	st.Warnf("hello")
+
+	ws, _ = st.PendingWarnings()
+	c.Check(ws, check.HasLen, 0) // not enough time has passed
+
+	time.Sleep(myRepeatAfter)
+
+	ws, _ = st.PendingWarnings()
+	c.Check(ws, check.HasLen, 1)
+	c.Check(fmt.Sprintf("%q", ws), check.Equals, `["hello"]`)
+}
diff -Nru snapd-2.32.3.2~14.04/overlord/stateengine.go snapd-2.37~rc1~14.04/overlord/stateengine.go
--- snapd-2.32.3.2~14.04/overlord/stateengine.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/stateengine.go	2019-01-16 08:36:51.000000000 +0000
@@ -34,16 +34,17 @@
 	// Ensure forces a complete evaluation of the current state.
 	// See StateEngine.Ensure for more details.
 	Ensure() error
+}
 
+// StateWaiterStopper is implemented by StateManagers that have
+// running activities that can be waited or terminated.
+type StateWaiterStopper interface {
 	// Wait asks manager to wait for all running activities to finish.
 	Wait()
 
 	// Stop asks the manager to terminate all activities running concurrently.
 	// It must not return before these activities are finished.
 	Stop()
-
-	// KnownTaskKinds returns all task kinds handled by this manager.
-	KnownTaskKinds() []string
 }
 
 // StateEngine controls the dispatching of state changes to state managers.
@@ -123,7 +124,9 @@
 		return
 	}
 	for _, m := range se.managers {
-		m.Wait()
+		if waiter, ok := m.(StateWaiterStopper); ok {
+			waiter.Wait()
+		}
 	}
 }
 
@@ -135,7 +138,9 @@
 		return
 	}
 	for _, m := range se.managers {
-		m.Stop()
+		if stopper, ok := m.(StateWaiterStopper); ok {
+			stopper.Stop()
+		}
 	}
 	se.stopped = true
 }
diff -Nru snapd-2.32.3.2~14.04/overlord/stateengine_test.go snapd-2.37~rc1~14.04/overlord/stateengine_test.go
--- snapd-2.32.3.2~14.04/overlord/stateengine_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/stateengine_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -45,10 +45,6 @@
 	ensureError, stopError error
 }
 
-func (m *fakeManager) KnownTaskKinds() []string {
-	return []string{}
-}
-
 func (fm *fakeManager) Ensure() error {
 	*fm.calls = append(*fm.calls, "ensure:"+fm.name)
 	return fm.ensureError
diff -Nru snapd-2.32.3.2~14.04/overlord/unknowntask.go snapd-2.37~rc1~14.04/overlord/unknowntask.go
--- snapd-2.32.3.2~14.04/overlord/unknowntask.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/overlord/unknowntask.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,34 +25,6 @@
 	"github.com/snapcore/snapd/overlord/state"
 )
 
-type UnknownTaskManager struct {
-	state          *state.State
-	runner         *state.TaskRunner
-	knownTaskKinds map[string]bool
-}
-
-func NewUnknownTaskManager(s *state.State) *UnknownTaskManager {
-	runner := state.NewTaskRunner(s)
-	mgr := &UnknownTaskManager{
-		state:          s,
-		runner:         runner,
-		knownTaskKinds: make(map[string]bool),
-	}
-
-	runner.AddOptionalHandler(mgr.matchUnknownTasks, handleUnknownTask, nil)
-	return mgr
-}
-
-func (m *UnknownTaskManager) Ignore(taskKinds []string) {
-	for _, k := range taskKinds {
-		m.knownTaskKinds[k] = true
-	}
-}
-
-func (m *UnknownTaskManager) matchUnknownTasks(task *state.Task) bool {
-	return !m.knownTaskKinds[task.Kind()]
-}
-
 func handleUnknownTask(task *state.Task, tomb *tomb.Tomb) error {
 	st := task.State()
 	st.Lock()
@@ -60,23 +32,3 @@
 	task.Logf("no handler for task %q, task ignored", task.Kind())
 	return nil
 }
-
-// Ensure implements StateManager.Ensure.
-func (m *UnknownTaskManager) Ensure() error {
-	m.runner.Ensure()
-	return nil
-}
-
-// Wait implements StateManager.Wait.
-func (m *UnknownTaskManager) Wait() {
-	m.runner.Wait()
-}
-
-// Stop implements StateManager.Stop.
-func (m *UnknownTaskManager) Stop() {
-	m.runner.Stop()
-}
-
-func (mgr *UnknownTaskManager) KnownTaskKinds() []string {
-	return nil
-}
diff -Nru snapd-2.32.3.2~14.04/packaging/amzn-2/snapd.spec snapd-2.37~rc1~14.04/packaging/amzn-2/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/amzn-2/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/amzn-2/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4448 @@
+# With Fedora, nothing is bundled. For everything else, bundling is used.
+# To use bundled stuff, use "--with vendorized" on rpmbuild
+%if 0%{?fedora}
+%bcond_with vendorized
+%else
+%bcond_without vendorized
+%endif
+
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
+# A switch to allow building the package with support for testkeys which
+# are used for the spread test suite of snapd.
+%bcond_with testkeys
+
+%global with_devel 1
+%global with_debug 1
+%global with_check 0
+%global with_unit_test 0
+%global with_test_keys 0
+%global with_selinux 1
+
+# For the moment, we don't support all golang arches...
+%global with_goarches 0
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%if ! %{with vendorized}
+%global with_bundled 0
+%else
+%global with_bundled 1
+%endif
+
+%if ! %{with testkeys}
+%global with_test_keys 0
+%else
+%global with_test_keys 1
+%endif
+
+%if 0%{?with_debug}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package   %{nil}
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+# https://github.com/snapcore/snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
+
+# Until we have a way to add more extldflags to gobuild macro...
+%if 0%{?fedora} >= 26
+%define gobuild_static(o:) go build -buildmode pie -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+%if 0%{?fedora} == 25
+%define gobuild_static(o:) go build -compiler gc -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-static'" -a -v -x %{?**};
+%endif
+%if 0%{?rhel} == 7
+%define gobuild_static(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+
+# These macros are not defined in RHEL 7
+%if 0%{?rhel} == 7
+%define gobuild(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
+%endif
+
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
+Name:           snapd
+Version:        2.37
+Release:        0%{?dist}
+Summary:        A transactional software package manager
+Group:          System Environment/Base
+License:        GPLv3
+URL:            https://%{provider_prefix}
+Source0:        https://%{provider_prefix}/archive/%{version}/%{name}-%{version}.tar.gz
+%if 0%{?with_bundled}
+Source1:        https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.only-vendor.tar.xz
+%endif
+
+%if 0%{?with_goarches}
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+%else
+# Verified arches from snapd upstream
+ExclusiveArch:  %{ix86} x86_64 %{arm} aarch64 ppc64le s390x
+%endif
+
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
+BuildRequires:  systemd
+%{?systemd_requires}
+
+Requires:       snap-confine%{?_isa} = %{version}-%{release}
+Requires:       squashfs-tools
+
+%if 0%{?fedora} >= 26 || 0%{?rhel} >= 8
+# snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
+Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
+%else
+%if ! 0%{?amzn2}
+# Rich dependencies not available, always pull in squashfuse
+# snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
+Requires:       squashfuse
+Requires:       fuse
+%endif
+%endif
+
+# bash-completion owns /usr/share/bash-completion/completions
+Requires:       bash-completion
+
+%if 0%{?with_selinux}
+# Force the SELinux module to be installed
+Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
+
+%if ! 0%{?with_bundled}
+BuildRequires: golang(github.com/boltdb/bolt)
+BuildRequires: golang(github.com/cheggaaa/pb)
+BuildRequires: golang(github.com/coreos/go-systemd/activation)
+BuildRequires: golang(github.com/godbus/dbus)
+BuildRequires: golang(github.com/godbus/dbus/introspect)
+BuildRequires: golang(github.com/gorilla/mux)
+BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
+BuildRequires: golang(github.com/mvo5/goconfigparser)
+BuildRequires: golang(github.com/ojii/gettext.go)
+BuildRequires: golang(github.com/seccomp/libseccomp-golang)
+BuildRequires: golang(golang.org/x/crypto/openpgp/armor)
+BuildRequires: golang(golang.org/x/crypto/openpgp/packet)
+BuildRequires: golang(golang.org/x/crypto/sha3)
+BuildRequires: golang(golang.org/x/crypto/ssh/terminal)
+BuildRequires: golang(golang.org/x/net/context)
+BuildRequires: golang(golang.org/x/net/context/ctxhttp)
+BuildRequires: golang(gopkg.in/check.v1)
+BuildRequires: golang(gopkg.in/macaroon.v1)
+BuildRequires: golang(gopkg.in/mgo.v2/bson)
+BuildRequires: golang(gopkg.in/retry.v1)
+BuildRequires: golang(gopkg.in/tomb.v2)
+BuildRequires: golang(gopkg.in/yaml.v2)
+%endif
+
+%description
+Snappy is a modern, cross-distribution, transactional package manager
+designed for working with self-contained, immutable packages.
+
+%package -n snap-confine
+Summary:        Confinement system for snap applications
+License:        GPLv3
+Group:          System Environment/Base
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  gcc
+BuildRequires:  gettext
+BuildRequires:  gnupg
+BuildRequires:  indent
+BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(libcap)
+BuildRequires:  pkgconfig(libseccomp)
+BuildRequires:  pkgconfig(libudev)
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  pkgconfig(udev)
+BuildRequires:  xfsprogs-devel
+BuildRequires:  glibc-static
+%if ! 0%{?rhel}
+BuildRequires:  libseccomp-static
+%endif
+BuildRequires:  valgrind
+BuildRequires:  %{_bindir}/rst2man
+%if 0%{?fedora} >= 25
+# ShellCheck in F24 and older doesn't work
+BuildRequires:  %{_bindir}/shellcheck
+%endif
+
+# Ensures older version from split packaging is replaced
+Obsoletes:      snap-confine < 2.19
+
+%description -n snap-confine
+This package is used internally by snapd to apply confinement to
+the started snap applications.
+
+%if 0%{?with_selinux}
+%package selinux
+Summary:        SELinux module for snapd
+Group:          System Environment/Base
+License:        GPLv2+
+BuildArch:      noarch
+BuildRequires:  selinux-policy, selinux-policy-devel
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
+Requires(post): policycoreutils-python-utils
+%endif
+Requires(pre):  libselinux-utils
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure snapd
+runs properly under an environment with SELinux enabled.
+%endif
+
+%if 0%{?with_devel}
+%package devel
+Summary:       Development files for %{name}
+BuildArch:     noarch
+
+%if 0%{?with_check} && ! 0%{?with_bundled}
+%endif
+
+%if ! 0%{?with_bundled}
+Requires:      golang(github.com/boltdb/bolt)
+Requires:      golang(github.com/cheggaaa/pb)
+Requires:      golang(github.com/coreos/go-systemd/activation)
+Requires:      golang(github.com/godbus/dbus)
+Requires:      golang(github.com/godbus/dbus/introspect)
+Requires:      golang(github.com/gorilla/mux)
+Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
+Requires:      golang(github.com/mvo5/goconfigparser)
+Requires:      golang(github.com/ojii/gettext.go)
+Requires:      golang(github.com/seccomp/libseccomp-golang)
+Requires:      golang(golang.org/x/crypto/openpgp/armor)
+Requires:      golang(golang.org/x/crypto/openpgp/packet)
+Requires:      golang(golang.org/x/crypto/sha3)
+Requires:      golang(golang.org/x/crypto/ssh/terminal)
+Requires:      golang(golang.org/x/net/context)
+Requires:      golang(golang.org/x/net/context/ctxhttp)
+Requires:      golang(gopkg.in/check.v1)
+Requires:      golang(gopkg.in/macaroon.v1)
+Requires:      golang(gopkg.in/mgo.v2/bson)
+Requires:      golang(gopkg.in/retry.v1)
+Requires:      golang(gopkg.in/tomb.v2)
+Requires:      golang(gopkg.in/yaml.v2)
+%else
+# These Provides are unversioned because the sources in
+# the bundled tarball are unversioned (they go by git commit)
+# *sigh*... I hate golang...
+Provides:      bundled(golang(github.com/snapcore/bolt))
+Provides:      bundled(golang(github.com/cheggaaa/pb))
+Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
+Provides:      bundled(golang(github.com/godbus/dbus))
+Provides:      bundled(golang(github.com/godbus/dbus/introspect))
+Provides:      bundled(golang(github.com/gorilla/mux))
+Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
+Provides:      bundled(golang(github.com/mvo5/goconfigparser))
+Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
+Provides:      bundled(golang(github.com/ojii/gettext.go))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/armor))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/packet))
+Provides:      bundled(golang(golang.org/x/crypto/sha3))
+Provides:      bundled(golang(golang.org/x/crypto/ssh/terminal))
+Provides:      bundled(golang(golang.org/x/net/context))
+Provides:      bundled(golang(golang.org/x/net/context/ctxhttp))
+Provides:      bundled(golang(gopkg.in/check.v1))
+Provides:      bundled(golang(gopkg.in/macaroon.v1))
+Provides:      bundled(golang(gopkg.in/mgo.v2/bson))
+Provides:      bundled(golang(gopkg.in/retry.v1))
+Provides:      bundled(golang(gopkg.in/tomb.v2))
+Provides:      bundled(golang(gopkg.in/yaml.v2))
+%endif
+
+# Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
+Provides:      golang(%{import_path}/arch) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/signtool) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/snapasserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/sysdb) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/systestkeys) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot/boottest) = %{version}-%{release}
+Provides:      golang(%{import_path}/client) = %{version}-%{release}
+Provides:      golang(%{import_path}/cmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/daemon) = %{version}-%{release}
+Provides:      golang(%{import_path}/dirs) = %{version}-%{release}
+Provides:      golang(%{import_path}/errtracker) = %{version}-%{release}
+Provides:      golang(%{import_path}/httputil) = %{version}-%{release}
+Provides:      golang(%{import_path}/i18n) = %{version}-%{release}
+Provides:      golang(%{import_path}/image) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/apparmor) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/policy) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
+Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/cmdstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/ubootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/polkit) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snaptest) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/spdx) = %{version}-%{release}
+Provides:      golang(%{import_path}/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
+Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/testutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
+Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
+Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
+
+%description devel
+This package contains library source intended for
+building other packages which use import path with
+%{import_path} prefix.
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%package unit-test-devel
+Summary:         Unit tests for %{name} package
+
+%if 0%{?with_check}
+#Here comes all BuildRequires: PACKAGE the unit tests
+#in %%check section need for running
+%endif
+
+# test subpackage tests code from devel subpackage
+Requires:        %{name}-devel = %{version}-%{release}
+
+%description unit-test-devel
+This package contains unit tests for project
+providing packages with %{import_path} prefix.
+%endif
+
+%prep
+%if ! 0%{?with_bundled}
+%setup -q
+# Ensure there's no bundled stuff accidentally leaking in...
+rm -rf vendor/*
+%else
+# Extract each tarball properly
+%setup -q -D -b 1
+%endif
+
+%build
+# Generate version files
+./mkversion.sh "%{version}-%{release}"
+
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
+sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
+
+# Build snapd
+mkdir -p src/github.com/snapcore
+ln -s ../../../ src/github.com/snapcore/snapd
+
+%if ! 0%{?with_bundled}
+export GOPATH=$(pwd):%{gopath}
+%else
+export GOPATH=$(pwd):$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+
+GOFLAGS=
+%if 0%{?with_test_keys}
+GOFLAGS="$GOFLAGS -tags withtestkeys"
+%endif
+
+%if ! 0%{?with_bundled}
+# We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
+sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
+# We don't need the snapcore fork for bolt - it is just a fix on ppc
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
+%endif
+
+# We have to build snapd first to prevent the build from
+# building various things from the tree without additional
+# set tags.
+%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
+%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
+%gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
+
+# To ensure things work correctly with base snaps,
+# snap-exec and snap-update-ns need to be built statically
+%gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec
+%gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns
+
+%if 0%{?rhel}
+# There's no static link library for libseccomp in RHEL/CentOS...
+sed -e "s/-Bstatic -lseccomp/-Bstatic/g" -i cmd/snap-seccomp/*.go
+%endif
+%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
+
+%if 0%{?with_selinux}
+# Build SELinux module
+pushd ./data/selinux
+make SHARE="%{_datadir}" TARGETS="snappy"
+popd
+%endif
+
+# Build snap-confine
+pushd ./cmd
+# FIXME This is a hack to get rid of a patch we have to ship for the
+# Fedora package at the moment as /usr/lib/rpm/redhat/redhat-hardened-ld
+# accidentially adds -pie for static executables. See
+# https://bugzilla.redhat.com/show_bug.cgi?id=1343892 for a few more
+# details. To prevent this from happening we drop the linker
+# script and define our LDFLAGS manually for now.
+export LDFLAGS="-Wl,-z,relro -z now"
+autoreconf --force --install --verbose
+# selinux support is not yet available, for now just disable apparmor
+# FIXME: add --enable-caps-over-setuid as soon as possible (setuid discouraged!)
+%configure \
+    --disable-apparmor \
+    --libexecdir=%{_libexecdir}/snapd/ \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
+    --enable-merged-usr
+
+%make_build
+popd
+
+# Build systemd units, dbus services, and env files
+pushd ./data
+make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+     SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+     SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+     SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%install
+install -d -p %{buildroot}%{_bindir}
+install -d -p %{buildroot}%{_libexecdir}/snapd
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
+install -d -p %{buildroot}%{_unitdir}
+install -d -p %{buildroot}%{_sysconfdir}/profile.d
+install -d -p %{buildroot}%{_sysconfdir}/sysconfig
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
+install -d -p %{buildroot}%{_localstatedir}/snap
+install -d -p %{buildroot}%{_localstatedir}/cache/snapd
+install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap and snapd
+install -p -m 0755 bin/snap %{buildroot}%{_bindir}
+install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+
+%if 0%{?with_selinux}
+# Install SELinux module
+install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+
+# Install the "info" data file with snapd version
+install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
+
+# Install bash completion for "snap"
+install -m 644 -D data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Install snap-confine
+pushd ./cmd
+%make_install
+# Undo the 0000 permissions, they are restored in the files section
+chmod 0755 %{buildroot}%{_sharedstatedir}/snapd/void
+# We don't use AppArmor
+rm -rfv %{buildroot}%{_sysconfdir}/apparmor.d
+# ubuntu-core-launcher is dead
+rm -fv %{buildroot}%{_bindir}/ubuntu-core-launcher
+popd
+
+# Install all systemd and dbus units, and env files
+pushd ./data
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
+# Remove snappy core specific units
+rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
+rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
+rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
+
+# Remove snappy core specific scripts
+rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
+# Install Polkit configuration
+install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# Disable re-exec by default
+echo 'SNAP_REEXEC=0' > %{buildroot}%{_sysconfdir}/sysconfig/snapd
+
+# Create state.json and the README file to be ghosted
+touch %{buildroot}%{_sharedstatedir}/snapd/state.json
+touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
+
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
+# source codes for building projects
+%if 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+echo "%%dir %%{gopath}/src/%%{import_path}/." >> devel.file-list
+# find all *.go but no *_test.go files and generate devel.file-list
+for file in $(find . -iname "*.go" -o -iname "*.s" \! -iname "*_test.go") ; do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list
+done
+%endif
+
+# testing files for this project
+%if 0%{?with_unit_test} && 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+# find all *_test.go files and generate unit-test.file-list
+for file in $(find . -iname "*_test.go"); do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> unit-test-devel.file-list
+done
+
+# Install additional testdata
+install -d %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+cp -pav cmd/snap/test-data/* %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+echo "%%{gopath}/src/%%{import_path}/cmd/snap/test-data" >> unit-test-devel.file-list
+%endif
+
+%if 0%{?with_devel}
+sort -u -o devel.file-list devel.file-list
+%endif
+
+%check
+# snapd tests
+%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel}
+%if ! 0%{?with_bundled}
+export GOPATH=%{buildroot}/%{gopath}:%{gopath}
+%else
+export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+%gotest %{import_path}/...
+%endif
+
+# snap-confine tests (these always run!)
+pushd ./cmd
+make check
+popd
+
+%files
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+%license COPYING
+%doc README.md docs/*
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
+%dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-mgmt
+%{_mandir}/man8/snap.8*
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
+%{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+%config(noreplace) %{_sysconfdir}/sysconfig/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/snap
+%ghost %dir %{_sharedstatedir}/snapd/snap/bin
+%dir %{_localstatedir}/cache/snapd
+%dir %{_localstatedir}/snap
+%ghost %{_sharedstatedir}/snapd/state.json
+%ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
+
+%files -n snap-confine
+%doc cmd/snap-confine/PORTING
+%license COPYING
+%dir %{_libexecdir}/snapd
+# For now, we can't use caps
+# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
+%attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/system-shutdown
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
+%attr(0000,root,root) %{_sharedstatedir}/snapd/void
+
+%if 0%{?with_selinux}
+%files selinux
+%license data/selinux/COPYING
+%doc data/selinux/README.md
+%{_datadir}/selinux/packages/snappy.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
+
+%if 0%{?with_devel}
+%files devel -f devel.file-list
+%license COPYING
+%doc README.md
+%dir %{gopath}/src/%{provider}.%{provider_tld}/%{project}
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%files unit-test-devel -f unit-test-devel.file-list
+%license COPYING
+%doc README.md
+%endif
+
+%post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
+%systemd_post %{snappy_svcs}
+# If install, test if snapd socket and timer are enabled.
+# If enabled, then attempt to start them. This will silently fail
+# in chroots or other environments where services aren't expected
+# to be started.
+if [ $1 -eq 1 ] ; then
+   if systemctl -q is-enabled snapd.socket > /dev/null 2>&1 ; then
+      systemctl start snapd.socket > /dev/null 2>&1 || :
+   fi
+fi
+
+%preun
+%systemd_preun %{snappy_svcs}
+
+# Remove all Snappy content if snapd is being fully uninstalled
+if [ $1 -eq 0 ]; then
+   %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+
+%postun
+%systemd_postun_with_restart %{snappy_svcs}
+
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/snappy.pp.bz2
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall snappy
+if [ $1 -eq 0 ]; then
+    %selinux_relabel_post
+fi
+%endif
+
+%changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.2
+ - errtracker: make TestJournalErrorSilentError work on
+   gccgo
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.1
+ - debian: add gbp.conf script to build snapd via `gbp
+   buildpackage`
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - data/selinux: Give snapd access to more aspects of the system
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - overlord: test fix, address corner case
+
+* Thu Apr 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate: inject autoconnect tasks in doLinkSnap for regular
+   snaps
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - osutil: fix fstab parser to allow for # in field values
+
+* Sat Mar 31 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.2
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - tests: adjust canonical-livepatch test on GCE
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc
+ - spread.yaml: switch Fedora 27 tests to manual
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses arch
+   triplets
+ - vendor: update gopkg.in/yaml.v2 to the latest version (#4945)
+
+* Mon Mar 26 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.1
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - tests: disentangle etc vs extrausers in core tests
+ - packaging: fix changelogs' typo
+
+* Sat Mar 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32
+ - snap: make `snap run` look at the system-key for security profiles
+ - overlord/configstate: change how ssh is stopped/started
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: deal with missing commands.db file
+ - interfaces,release: probe seccomp features lazily
+ - interfaces: harden snap-update-ns profile
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: change debug for layout test
+ - cmd/snap-confine: don't use per-snap s-u-n profile
+ - many: backported fixes for layouts and symlinks
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - cmd/snap-confine: fix ptrace rule with snap-confine peer
+ - tests: update tests to deal with s390x quirks
+ - snapstate: add compat mode for default-provider"snapname:ifname"
+ - snap-confine: fallback to /lib/udev/snappy-app-dev if the core is
+   older
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - debian: undo snap.mount system unit removal
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - tests: add workaround for s390x failure
+ - tests: make autopkgtest tests more targeted
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - store: cleanup test naming, dropping remoteRepo and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+ - tests: autopkgtest may have non edge core too
+ - data: translate polkit strings
+ - snapstate: put layout feature behind feature flag
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate: hold refreshes for 2h after seeding on classic
+ - many: cherry-pick relevant `go vet` 1.10 fixes to 2.32
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: generate and use per-snap snap-update-ns profile
+ - many: support holding refreshes by setting refresh.hold
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - many: remove snapd.refresh.{timer,service}
+ - many: add the snapd-generator
+ - polkit: do not shadow dbus errors, avoid panic in case of errors
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - asserts:  use a timestamp for the assertion after the signing key
+   has been created
+ - ifacestate: be consistent passing Retry.After as named field
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+   interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - osutil: handle file being matched by multiple patterns
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - interfaces/network-status: fix use of '/' in interface in DBus
+   rule
+ - interfaces/screen-inhibit-control: fix use of '.' in path in DBus
+   rule
+ - overlord/snapstate: fix task iteration order in
+   TestDoPrereqRetryWhenBaseInFlight
+ - interfaces: add an interface for gnome-online-accounts D-Bus
+   service
+ - snap: pass full timer spec in `snap run --timer`
+ - cmd/snap: introduce `snap run --timer`
+ - snapstate: auto install default-providers for content snaps
+ - hooks/strutil: limit the number of data read from the hooks to
+   avoid oom
+ - osutil: aggregate mockable symbols
+ - tests: make sure snapd is running before attempting to remove
+   leftover snaps
+ - timeutil: account for 24h wrap when flattening clock spans
+ - many: send  new Snap-CDN header with none or with cloud instance
+   placement info as needed
+ - cmd/snap-update-ns,testutil: move syscall testing helpers
+ - tests: disable interfaces-location-control on s390x
+ - tests: new spread test for gpio-memory-control interface
+ - tests: spread test for broadcom-asic-control interface
+ - tests: make restore of interfaces-password-manager-service more
+   robust
+ - tests/lib/prepare-restore: sync journal before rotating and
+   vacuuming
+ - overlord/snapstate: use spread in the default refresh schedule
+ - tests: fixes for autopkgtest in bionic
+ - timeutil: introduce helpers for checking it time falls inside the
+   schedule
+ - cmd/snap-repair,httputil: set snap-repair User-Agent on requests
+ - vendor: resync formatting of vendor.json
+ - snapstate/ifacestate: auto-connect tasks
+ - cmd/snap: also include tracking channel in list output.
+ - interfaces/apparmor: use snap revision with surrounding '.' when
+   replacing in glob
+ - debian,vendor: import github.com/snapcore/squashfs and use
+ - many: implement "refresh-mode: {restart,endure,...}" for services
+ - daemon: make the ast-inspecting test smarter; drop 'exceptions'
+ - tests: new spread test for kvm interface
+ - cmd/snap: tweaks to 'snap info' output
+ - snap: remove underscore from version validator regexp
+ - testutil: add File{Matches,Equals,Contains} checkers.
+ - snap: improve the version validator's error messages.
+ - osutil: refactor EnsureFileState to separate out the comparator
+ - timeutil: fix scheduling on nth weekday of the month
+ - cmd/snap-update-ns: small refactor for upcoming per-user mounts
+ - many: rename snappy-app-dev to snap-device-helper
+ - systemd: add default target for timers
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: linter cleanups
+ - interfaces/mount: generate per-user mount profiles
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - packaging: provide a compat symlink for snappy-app-dev
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - tests: adding new test to validate the raw-usb interface
+ - snap: add support for `snap run --gdb`
+ - interfaces/builtin: allow MM to access login1
+ - packaging: fix build on sbuild
+ - store: revert PR#4532 and do not display displayname
+ - interfaces/mount: add support for per-user mount entries
+ - cmd/system-shutdown: move sync to be even more pessimistic
+ - osutil: reimplement IsMounted with LoadMountInfo
+ - tests/main/ubuntu-core-services: enable snapd.refresh.timer for
+   the test
+ - many: don't allow layout construction to silently fail
+ - interfaces/apparmor: ensure snap-confine profile for reexec is
+   current
+ - interfaces/apparmor: generalize apparmor load and unload helpers
+ - tests: removing packages which are not needed anymore to generate
+   random data
+ - snap: improve `snap run` comments/naming
+ - snap: allow options for --strace, e.g. `snap run --strace="-tt"`
+ - tests: fix spread test failures on 18.04
+ - systemd: update comment on SocketsTarget
+ - osutil: add and update docstrings
+ - osutil: parse mount entries without options field
+ - interfaces: mock away real mountinfo/fstab
+ - many: move /lib/udev/snappy-app-dev to /usr/lib/snapd/snappy-app-
+   dev
+ - overlord/snapstate/backend: perform cleanup if snap setup fails
+ - tests/lib/prepare: disable snapd.refresh.timer
+ - daemon: remove redundant UserOK markings from api commands
+ - snap: introduce  timer service data types and validation
+ - cmd/snap: fix UX of snap services
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - all: snap versions are now validated
+ - many: add nfs-home flag to system-key
+ - snap: disallow layouts in various special directories
+ - cmd/snap: add help for service commands.
+ - devicestate: fix autopkgtest failure in
+   TestDoRequestSerialErrorsOnNoHost
+ - snap,interfaces: allow using bind-file layouts
+ - many: move mount code to osutil
+ - snap: understand directories in layout blacklist
+ - snap: use custom unsquashfsStderrWriter for unsquashfs error
+   detection
+ - tests/main/user-data-handling: get rid of ordering bug
+ - snap: exclude `gettimeofday` from `snap run --strace`
+ - tests: check if snapd.socket is active before stoping it
+ - snap: sort layout elements before validating
+ - strutil: introducing MatchCounter
+ - snap: detect unsquashfs write failures
+ - spread: add missing ubuntu-18.04-arm64 to available autopkgtest
+   machines
+ - cmd/snap-confine: allow mounting anywhere, effectively
+ - daemon: improve ucrednet code for the snap.socket
+ - release, interfaces: add new release.AppArmorFeatures helper
+ - snap: apply some golint suggestions
+ - many: add interfaces.SystemKey() helper
+ - tests: new snaps to test installs nightly
+ - tests: skip alsa interface test when the system does not have any
+   audio devices
+ - debian/rules: workaround for
+   https://github.com/golang/go/issues/23721
+ - interfaces/apparmor: early support for snap-update-ns snippets
+ - wrappers: cleanup enabled service sockets
+ - cmd/snap-update-ns: large refactor / update of unit tests
+ - interfaces/apparmor: remove leaked future layout code
+ - many: allow constructing layouts (phase 1)
+ - data/systemd: for debugging/testing use /etc/environment also for
+   snap-repair runs
+ - cmd/snap-confine: create lib/{gl,gl32,vulkan} under /var/lib/snapd
+   and chown as root:root
+ - overlord/configstate/config: make [GS]etSnapConfig use *RawMessage
+ - daemon: refactor snapFooMany helpers a little
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - interfaces/apparmor: use a helper to set the scope
+ - overlord/configstate/config: make SetSnapConfig delete on empty
+ - osutil: make MkdirAllChown clean the path passed in
+ - many: at seeding try to capture cloud information into core config
+   under "cloud"
+ - cmd/snap: add completion conversion helper to increase DRY
+ - many: remove "content" argument from snaptest.MockSnap()
+ - osutil: allow using many globs in EnsureDirState
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - tests: use root path to /home/test/tmp to avoid lack of space
+   issue
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - tests: update kill-timeout focused on making tests pass on boards
+ - advisor: ensure commands.db has mode 0644 and add test
+ - snap: improve validation of snap layouts
+ - tests: ensure disabled services are masked
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - systemd, wrappers: start all snap services in one systemctl call
+ - mir: software clients need access to shared memory /dev/shm/#*
+ - snap: add support for `snap advise-snap pkgName`
+ - snap: fix command-not-found on core devices
+ - tests: new spead test for openvswitch-support interface
+ - tests: add integration for local snap licenses
+ - config: add (Get|Set)SnapConfig to do bulk config e.g. from
+   snapshots
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - osutil: add ContextWriter and RunWithContext helpers.
+ - osutil: add DirExists and IsDirNotExist
+
+* Fri Mar 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.2
+ - many: add the snapd-generator
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - many: remove snapd.refresh.{timer,service}
+ - interfaces/builtin: allow MM to access login1
+ - timeutil: account for 24h wrap when flattening clock spans
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - systemd, wrappers: start all snap services in one systemctl
+   call
+ - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
+* Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.1
+ - tests: multiple autopkgtest related fixes for 18.04
+ - overlord/snapstate: use spread in the default refresh schedule
+ - timeutil: fix scheduling on nth weekday of the month
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - rules: do not static link on powerpc
+ - packaging: revert LDFLAGS rewrite again after building snap-
+   seccomp
+ - store: revert PR#4532 and do not display displayname
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - daemon: improve ucrednet code for the snap.socket
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - advisor: ensure commands.db has mode 0644 and add test
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - snap: improve validation of snap layoutsRules for validating
+   layouts:
+ - snap: fix command-not-found on core devices
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - userd: add support for a simple UI that can be used from userd
+ - snap-confine/nvidia: Support legacy biarch trees for GLVND systems
+ - tests: generic detection of gadget and kernel snaps
+ - cmd/snap-update-ns: refactor and improve Change.Perform to handle
+   EROFS
+ - cmd/snap: improve output when snaps were found in a section or the
+   section is invalid
+ - cmd/snap-confine,tests: hide message about stale base snap
+ - cmd/snap-mgmt: fix out of source tree build
+ - strutil/quantity: new package that exports formatFoo (from
+   progress)
+ - cmd/snap: snap refresh --time with new and legacy schedules
+ - state: unknown tasks handler
+ - cmd/snap-confine,data/systemd: fix removal of snaps inside LXD
+ - snap: add io.snapcraft.Settings to `snap userd`
+ - spread: remove more EOLed releases
+ - snap: tidy up top-level help output
+ - snap: fix race in `snap run --strace`
+ - tests: update "searching" test to match store changes
+ - store: use the "publisher" when populating the "publisher" field
+ - snap: make `snap find --section` show all sections
+ - tests: new test to validate location control interface
+ - many: add new `snap refresh --amend <snap>` command
+ - tests/main/kernel-snap-refresh-on-core: skip the whole test if
+   edge and stable are the same version
+ - tests: set test kernel-snap-refresh-on-core to manual
+ - tests: new spread test for interface gpg-keys
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - interfaces: miscellaneous policy updates
+ - interfaces/builtin: Replace Solus support with GLVND support
+ - tests/main/kernel-snap-refresh-on-core: do not fail if edge and
+   stable kernels are the same version
+ - snap: add `snap run --strace` to be able to strace snap apps
+ - tests: new spread test for ssh-keys interface
+ - errtracker: include detected virtualisation
+ - tests: add new kernel refresh/revert test for spread-cron
+ - interfaces/builtin: blacklist zigbee dongle
+ - cmd/snap-confine: discard stale mount namespaces
+ - cmd: remove unused execArg0/execEnv
+ - snap,interfaces/mount: disallow nobody/nogroup
+ - cmd/snap: improve `snap aliases` output when no aliases are
+   defined
+ - tests/lib/snaps/test-snapd-service: refactor service reload
+ - tests: new spread test for gpg-public-keys interface
+ - tests: new spread test for ssh-public-keys interface
+ - spread: setup machine creation on Linode
+ - interfaces/builtin: allow introspecting UDisks2
+ - interfaces/builtin: add support for content "source" section
+ - tests: new spread test for netlink-audit interface
+ - daemon: avoid panic'ing building an error response w/no snaps
+   given
+ - interfaces/mount,snap: early support for snap layouts
+ - daemon: unlock state even if RefreshSchedule() fails
+ - arch: add "armv8l" to ubuntuArchFromKernelArch table
+ - tests: fix for test interface-netlink-connector
+ - data/dbus: add AssumedAppArmorLabel=unconfined
+ - advisor: use forked bolt to make it work on ppc
+ - overlord/snapstate: record the 'kind' of conflicting change
+ - dirs: fix snap mount dir on Manjaro
+ - overlord/{snapstate,configstate}, daemon: introduce refresh.timer,
+   fallback to refresh.schedule
+ - config: add support for `snap set core proxy.no_proxy=...`
+ - snap-mgmt: extend spread tests, stop, disable and cleanup snap
+   services
+ - spread.yaml: add fedora 27
+ - cmd/snap-confine: allow snap-update-ns to poke writable holes in
+   $SNAP
+ - packaging/14.04: move linux-generic-lts-xenial to recommends
+ - osutil/sys: ppc has 32-bit getuid already
+ - snapstate: make no autorefresh message clearer
+ - spread: try to enable Fedora once more
+ - overlord/snapstate: do a minimal sanity check on containers
+ - configcore: ensure config.txt has a final newline
+ - cmd/libsnap-confine-private: print failed mount/umount regardless
+   of SNAP_CONFINE_DEBUG
+ - debian/tests: add missing autopkgtest test dependencies for debian
+ - image: port ini handling to goconfigparser
+ - tests/main/snap-service-after-before: add test for after/before
+   service ordering
+ - tests: enabling opensuse for tests
+ - tests: update auto-refresh-private to match messages from current
+   master
+ - dirs: check if distro 'is like' fedora when picking path to
+   libexecdir
+ - tests: fix "job canceled" issue and improve cleanup for snaps
+ - cmd/libsnap-confine-private: add debug build of libsnap-confine-
+   private.a, link it into snap-confine-debug
+ - vendor: remove x/sys/unix to fix builds on arm64 and powerpc
+ - image: let consume snapcraft export-login files from tooling
+ - interfaces/mir: allow Wayland socket and non-root sockets
+ - interfaces/builtin: use snap.{Plug,Slot}Info over
+   interfaces.{Plug,Slot}
+ - tests: add simple snap-mgmt test
+ - wrappers: autogenerate After/Before in systemd's service files for
+   apps
+ - snap: add usage hints in `snap download`
+ - snap: provide more meaningful errors for installMany and friends
+ - cmd/snap: show header/footer when `snap find` is used without
+   arguments
+ - overlord/snapstate: for Enable's tasks refer to the first task
+   with snap-setup, do not duplicate
+ - tests: add hard-coded fully expired macaroons to run related tests
+ - cmd/snap-update-ns: new test features
+ - cmd/snap-update-ns: we don't want to bind mount symlinks
+ - interfaces/mount: test OptsToCommonFlags, filter out x-snapd.
+   options
+ - cmd/snap-update-ns: untangle upcoming cyclic initialization
+ - client, daemon: update user's email when logging in with new
+   account
+ - tests: ensure snap-confine apparmor profile is parsable
+ - snap: do not leak internal errors on install/refresh etc
+ - snap: fix missing error check when multiple snaps are refreshed
+ - spread: trying to re-enable tests on Fedora
+ - snap: fix gadget.yaml parsing for multi volume gadgets
+ - snap: give the snap.Container interface a Walk method
+ - snap: rename `snap advise-command` to `snap advise-snap --command`
+ - overlord/snapstate: no refresh just for hints if there was a
+   recent regular full refresh
+ - progress: switch ansimeter's Spin() to use a spinner
+ - snap: support `command-not-found` symlink for `snap advise-
+   command`
+ - daemon: store email, ID and macaroon when creating a new user
+ - snap: app startup after/before validation
+ - timeutil: refresh timer take 2
+ - store, daemon/api: Rename MyAppsServer, point to
+   dashboard.snapcraft.io instead
+ - tests: use "quiet" helper instead of "dnf -q" to get errors on
+   failures
+ - cmd/snap-update-ns: improve mocking for tests
+ - many: implement the advisor backend, populate it from the store
+ - tests: make less calls to the package manager
+ - tests/main/confinement-classic: enable the test on Fedora
+ - snap: do not leak internal network errors to the user
+ - snap: use stdout instead of stderr for "fetching" message
+ - tests: fix test whoami, share successful_login.exp
+ - many: refresh with appropriate creds
+ - snap: add new `snap advice-command` skeleton
+ - tests: add test that ensures we never parse versions as numbers
+ - overlord/snapstate: override Snapstate.UserID in refresh if the
+   installing user is gone
+ - interfaces: allow socket "shutdown" syscall in default profile
+ - snap: print friendly message if `snap keys` is empty
+ - cmd/snap-update-ns: add execWritableMimic
+ - snap: make `snap info invalid-snap` output more user friendly
+ - cmd/snap,  tests/main/classic-confinement: fix snap-exec path when
+   running under classic confinement
+ - overlord/ifacestate: fix disable/enable cycle to setup security
+ - snap: fix snap find " " output
+ - daemon: add new polkit action to manage interfaces
+ - packaging/arch: disable services when removing
+ - asserts/signtool: support for building tools on top that fill-
+   in/compute some headers
+ - cmd: clarify "This leaves %s tracking %s." message
+ - daemon: return "bad-query" error kind for store.ErrBadQuery
+ - taskrunner/many: KnownTaskKinds helper
+ - tests/main/interfaces-fuse_support: fix confinement, allow
+   unmount, fix spread tests
+ - snap: use the -no-fragments mksquashfs option
+ - data/selinux: allow messages from policykit
+ - tests: fix catalog-update wait loop
+ - tests/lib/prepare-restore: disable rate limiting in journald
+ - tests: change interfaces-fuse_support to be debug friendly
+ - tests/main/postrm-purge: stop snapd before purge
+ - This is an example of test log:https://paste.ubuntu.com/26215170/
+ - tests/main/interfaces-fuse_support: dump more debugging
+   information
+ - interfaces/dbus: adjust slot policy for listen, accept and accept4
+   syscalls
+ - tests: save the snapd-state without compression
+ - tests/main/searching: handle changes in featured snaps list
+ - overlord/snapstate: fix auto-refresh summary for 2 snaps
+ - overlord/auth,daemon: introduce an explicit auth.ErrInvalidUser
+ - interfaces: add /proc/partitions to system-observe (This addresses
+   LP#1708527.)
+ - tests/lib: introduce helpers for setting up /dev/random using
+   /dev/urandom in project prepare
+ - tests: new test for interface network status
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - tests: fix security-device-cgroups-serial-port test for rpi and db
+ - cmd/snap-mgmt: add more directories for cleanup and refactor
+   purge() code
+ - snap: YAML and data structures for app before/after ordering
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - packaging/arch: install snap-mgmt tool
+ - tests: add support on tests for cm3 gadget
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 2)
+ - interfaces: rename sanitize methods
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces: added Ref() helpers, restored more detailed error
+   message on spi iface
+ - debian: make "gnupg" a recommends
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - interfaces: PlugInfo/SlotInfo/ConnectedPlug/ConnectedSlot
+   attribute helpers
+ - interfaces: update fixme comments
+ - tests: make interfaces-snapd-control-with-manage more robust
+ - userd: generalize dbusInterface
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 1)
+ - hookstate: add compat "configure-snapd" task.
+ - config, overlord/snapstate, timeutil: rename ParseSchedule to
+   ParseLegacySchedule
+ - tests: adding tests for time*-control interfaces
+ - tests: new test to check interfaces after reboot the system
+ - cmd/snap-mgmt: fixes
+ - packaging/opensuse-42.2: package and use snap-mgmt
+ - corecfg: also "mask" services when disabling them
+ - cmd/snap-mgmt: introduce snap-mgmt tool
+ - configstate: simplify ConfigManager
+ - interfaces: add gpio-memory-control interface
+ - cmd: disable check-syntax-c
+ - packaging/arch: add bash-completion as optional dependency
+ - corecfg: rename package to overlord/configstate/configcore
+ - wrappers: fix unit tests to use dirs.SnapMountDir
+ - osutil/sys: reimplement getuid and chown with the right int type
+ - interfaces-netlink-connector: fix sourcing snaps.sh
+
+* Thu Jan 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.30-1
+- Release 2.30 to Fedora (RH#1527519)
+- Backport fix to correctly locate snapd libexecdir on Fedora derivatives (RH#1536895)
+- Refresh SELinux policy fix patches with upstream backport version
+
+* Mon Dec 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.30
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - devicestate: use a different nowhere domain
+ - interfaces: add ssh-keys, ssh-public-keys, gpg-keys and gpg-public
+   keys interfaces
+ - interfaces/many: misc updates for default, browser-support, opengl,
+   desktop, unity7, x11
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - corecfg: also "mask" services when disabling them
+ - tests: add support for autopkgtests on s390x
+ - snapstate: support for pre-refresh hook
+ - many: allow to configure core before it is installed
+ - devicestate: fix unkeyed fields error
+ - snap-confine: create mount target for lib32,vulkan on demand
+ - snapstate: add support for refresh.schedule=managed
+ - cmd/snap-update-ns: teach update logic to handle synthetic changes
+ - many: remove configure-snapd task again and handle internally
+ - snap: fix TestDirAndFileMethods() test to work with gccgo
+ - debian: ensure /var/lib/snapd/lib/vulkan is available
+ - cmd/snap-confine: use #include instead of bare include
+ - snapstate: store userID in snapstate
+ - snapd.dirs: add var/lib/snapd/lib/gl32
+ - timeutil, overlod/snapstate: cleanup remaining pieces of timeutil
+   weekday support
+ - packaging/arch: install missing directories, manpages and version
+   info
+ - snapstate,store: store if a snap is a paid snap in the sideinfo
+ - packaging/arch: pre-create snapd directories when packaging
+ - tests/main/manpages: set LC_ALL=C as man may complain if the
+   locale is unset or unsupported
+ - repo: ConnectedPlug and ConnectedSlot types
+ - snapd: fix handling of undo in the taskrunner
+ - store: fix download caching and add integration test
+ - snapstate: move autorefresh code into autoRefresh helper
+ - snapctl: don't error out on start/stop/restart from configure hook
+   during install or refresh
+ - cmd/snap-update-ns: add planWritableMimic
+ - deamon: don't omit responses, even if null
+ - tests: add test for frame buffer interface
+ - tests/lib: fix shellcheck errors
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - tests: remove obsolete workaround
+ - snap: use existing files in `snap download` if digest/size matches
+ - tests: merge pepare-project.sh into prepare-restore.sh
+ - tests: cache snaps to $TESTSLIB/cache
+ - tests: set -e, -o pipefail in prepare-restore.sh
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - cmd/snap-seccomp: fix uid/gid restrictions tests on Arch
+ - tests: document and slightly refactor prepare/restore code
+ - snapstate: ensure RefreshSchedule() gives accurate results
+ - snapstate: add new refresh-hints helper and use it
+ - spread.yaml,tests: move most of project-wide prepare/restore to
+   separate file
+ - timeutil: introduce helpers for weekdays and TimeOfDay
+ - tests: adding new test for uhid interface
+ - cmd/libsnap: fix parsing of empty mountinfo fields
+ - overlord/devicestate:  best effort to go to early full retries for
+   registration on the like of DNS no host
+ - spread.yaml: bump delta ref to 2.29
+ - tests: adding test to test physical memory observe interface
+ - cmd, errtracker: get rid of SNAP_DID_REEXEC environment
+ - timeutil: remove support to parse weekday schedules
+ - snap-confine: add workaround for snap-confine on 4.13/upstream
+ - store: do not log the http body for catalog updates
+ - snapstate: move catalogRefresh into its own helper
+ - spread.yaml: fix shellcheck issues and trivial refactor
+ - spread.yaml: move prepare-each closer to restore-each
+ - spread.yaml: increase workers for opensuse to 3
+ - tests: force delete when tests are restore to avoid suite failure
+ - test: ignore /snap/README
+ - interfaces/opengl: also allow read on 'revision' in
+   /sys/devices/pci...
+ - interfaces/screen-inhibit-control: fix case in screen inhibit
+   control
+ - asserts/sysdb: panic early if pointed to staging but staging keys
+   are not compiled-in
+ - interfaces: allow /bin/chown and fchownat to root:root
+ - timeutil: include test input in error message in
+   TestParseSchedule()
+ - interfaces/browser-support: adjust base declaration for auto-
+   connection
+ - snap-confine: fix snap-confine under lxd
+ - store: bit less aggressive retry strategy
+ - tests: add new `fakestore new-snap-{declaration,revision}` helpers
+ - cmd/snap-update-ns: add secureMkfileAll
+ - snap: use field names when initializing composite literals
+ - HACKING: fix path in snap install
+ - store: add support for flags in ListRefresh()
+ - interfaces: remove invalid plugs/slots from SnapInfo on
+   sanitization.
+ - debian: add missing udev dependency
+ - snap/validate: extend socket validation tests
+ - interfaces: add "refresh-schedule" attribute to snapd-control
+ - interfaces/builtin/account_control: use gid owning /etc/shadow to
+   setup seccomp rules
+ - cmd/snap-update-ns: tweak changePerform
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - tests: disable interfaces-network-control-tuntap
+ - cmd: use a preinit_array function rather than parsing
+   /proc/self/cmdline
+ - interfaces/time*_control: explicitly deny noisy read on
+   /proc/1/environ
+ - cmd/snap-update-ns: misc cleanups
+ - snapd: allow hooks to have slots
+ - fakestore: add go-flags to prepare for `new-snap-declaration` cmd
+ - interfaces/browser-support: add shm path for nwjs
+ - many: add magic /snap/README file
+ - overlord/snapstate: support completion for command aliases
+ - tests: re-enable tun/tap test on Debian
+ - snap,wrappers: add support for socket activation
+ - repo: use PlugInfo and SlotInfo for permanent plugs/slots
+ - tests/interfaces-network-control-tuntap: disable on debian-
+   unstable for now
+ - cmd/snap-confine: Loosen the NVIDIA Vulkan ICD glob
+ - cmd/snap-update-ns: detect and report read-only filesystems
+ - cmd/snap-update-ns: re-factor secureMkdirAll into
+   secureMk{Prefix,Dir}
+ - run-checks, tests/lib/snaps/: shellcheck fixes
+ - corecfg: validate refresh.schedule when it is applied
+ - tests: adjust test to match stderr
+ - snapd: fix snap cookie bugs
+ - packaging/arch: do not quote MAKEFLAGS
+ - state: add change.LaneTasks helper
+ - cmd/snap-update-ns: do not assume 'nogroup' exists
+ - tests/lib: handle distro specific grub-editenv naming
+ - cmd/snap-confine: Add missing bi-arch NVIDIA filesthe
+   `/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl/vdpau` paths within
+ - cmd: Support exposing NVIDIA Vulkan ICD files to the snaps
+ - cmd/snap-confine: Implement full 32-bit NVIDIA driver support
+ - packaging/arch: packaging update
+ - cmd/snap-confine: Support bash as base runtime entry
+ - wrappers: do not error on incorrect Exec= lines
+ - interfaces: fix udev tagging for hooks
+ - tests/set-proxy-store: exclude ubuntu-core-16 via systems: key
+ - tests: new tests for network setup control and observe interfaces
+ - osutil: add helper for obtaining group ID of given file path
+ - daemon,overlord/snapstate: return snap-not-installed error in more
+   cases
+ - interfaces/builtin/lxd_support: allow discovering of host's os-
+   release
+ - configstate: add support for configure-snapd for
+   snapstate.IgnoreHookError
+ - tests:  add a spread test for proxy.store setting together with
+   store assertion
+ - cmd/snap-seccomp: do not use group 'shadow' in tests
+ - asserts/assertstest:  fix use of hardcoded value when the passed
+   or default keys should be used
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - tests: fix xdg-open-compat
+ - daemon: for /v2/logs, 404 when no services are found
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - cmd/snap-update-ns: add new helpers for mount entries
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - cmd: fix re-exec bug with classic confinement for host snapd <
+   2.28
+ - interfaces/kmod: simplify loadModules now that errors are ignored
+ - tests: disable xdg-open-compat test
+ - tests: add test that checks core reverts on core devices
+ - dirs: use alt root when checking classic confinement support
+   without …
+ - interfaces/kmod: treat failure to load module as non-fatal
+ - cmd/snap-update-ns: fix golint and some stale comments
+ - corecfg:  support setting proxy.store if there's a matching store
+   assertion
+ - overlord/snapstate: toggle ignore-validation as needed as we do
+   for channel
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - interfaces: add USB interface number attribute in udev rule for
+   serial-port interface
+ - overlord/devicestate: switch to the new endpoints for registration
+ - snap-update-ns: add missing unit test for desired/current profile
+   handling
+ - cmd/{snap-confine,libsnap-confine-private,snap-shutdown}: cleanup
+   low-level C bits
+ - ifacestate: make interfaces.Repository available via state cache
+ - overlord/snapstate: cleanups around switch-snap*
+ - cmd/snapd,client,daemon: display ignore-validation flag through
+   the notes mechanism
+ - cmd/snap-update-ns: add logging to snap-update-ns
+ - many: have a timestamp on store assertions
+ - many: lookup and use the URL from a store assertion if one is set
+   for use
+ - tests/test-snapd-service: fix shellcheck issues
+ - tests: new test for hardware-random-control interface
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - repo, daemon: use PlugInfo, SlotInfo
+ - many: handle core configuration internally instead of using the
+   core configure hook
+ - tests: refactor and expand content interface test
+ - snap-seccomp: skip in-kernel bpf tests for socket() in trusty/i386
+ - cmd/snap-update-ns: allow Change.Perform to return changes
+ - snap-confine: Support biarch Linux distribution confinement
+ - partition/ubootenv: don't panic when uboot.env is missing the eof
+   marker
+ - cmd/snap-update-ns: allow fault injection to provide dynamic
+   result
+ - interfaces/mount: exspose mount.{Escape,Unescape}
+ - snapctl: added long help to stop/start/restart command
+ - cmd/snap-update-ns: create missing mount points automatically.
+ - cmd: downgrade log message in InternalToolPath to Debugf()
+ - tests: wait for service status change & file update in the test to
+   avoid races
+ - daemon, store: forward SSO invalid credentials errors as 401
+   Unauthorized responses
+ - spdx: fix for WITH syntax, require a license name before the
+   operator
+ - many: reorg things in preparation to make handling of the base url
+   in store dynamic
+ - hooks/configure: queue service restarts
+ - cmd/snap: warn when a snap is not from the tracking channel
+ - interfaces/mount: add support for parsing x-snapd.{mode,uid,gid}=
+ - cmd/snap-confine: add detection of stale mount namespace
+ - interfaces: add plugRef/slotRef helpers for PlugInfo/SlotInfo
+ - tests: check for invalid udev files during all tests
+ - daemon: use newChange() in changeAliases for consistency
+ - servicestate: use taskset
+ - many: add support for /home on NFS
+ - packaging,spread: fix and re-enable opensuse builds
+
+* Sun Dec 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-3
+- Add patch to SELinux policy to allow snapd to receive replies from polkit
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-2
+- Add missing bash completion files and cache directory
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-1
+- Release 2.29.4 to Fedora (RH#1508433)
+- Install Polkit configuration (RH#1509586)
+- Drop changes to revert cheggaaa/pb import path used
+
+* Fri Nov 17 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.4
+ - snap-confine: fix snap-confine under lxd
+ - tests: disable classic-ubuntu-core-transition on i386 temporarily
+ - many: reject bad plugs/slots
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - store: enable "base" field from the store
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+
+* Thu Nov 09 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.3
+ - daemon: cherry-picked /v2/logs fixes
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - interfaces: fix udev tagging for hooks
+ - cmd: fix re-exec bug with classic confinement for host snapd
+ - tests: disable xdg-open-compat test
+ - cmd/snap-confine: add slave PTYs and let devpts newinstance
+   perform mediation
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.2
+  - snapctl: disable stop/start/restart (2.29)
+  - cmd/snap-update-ns: fix collection of changes made
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.1
+ - interfaces: fix incorrect signature of ofono DBusPermanentSlot
+ - interfaces/serial-port: udev tag plugged slots that have just
+   'path' via KERNEL
+ - interfaces/hidraw: udev tag plugged slots that have just 'path'
+   via KERNEL
+ - interfaces/uhid: unconditionally add existing uhid device to the
+   device cgroup
+ - cmd/snap-update-ns: fix mount rules for font sharing
+ - tests: disable refresh-undo test on trusty for now
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - Revert " wrappers: fail install if exec-line cannot be re-written
+ - interfaces: don't udev tag devmode or classic snaps
+ - many: make ignore-validation sticky and send the flag with refresh
+   requests
+
+* Mon Oct 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29
+ - interfaces/many: miscellaneous updates based on feedback from the
+   field
+ - snap-confine: allow reading uevents from any where in /sys
+ - spread: add bionic beaver
+ - debian: make packaging/ubuntu-14.04/copyright a real file again
+ - tests: cherry pick the fix for services test into 2.29
+ - cmd/snap-update-ns: initialize logger
+ - hooks/configure: queue service restarts
+ - snap-{confine,seccomp}: make @unrestricted fully unrestricted
+ - interfaces: clean system apparmor cache on core device
+ - debian: do not build static snap-exec on powerpc
+ - snap-confine: increase sanity_timeout to 6s
+ - snapctl: cherry pick service commands changes
+ - cmd/snap: tell translators about arg names and descs req's
+ - systemd: run all mount units before snapd.service to avoid race
+ - store: add a test to show auth failures are forwarded by doRequest
+ - daemon: convert ErrInvalidCredentials to a 401 Unauthorized error.
+ - store: forward on INVALID_CREDENTIALS error as
+   ErrInvalidCredentials
+ - daemon: generate a forbidden response message if polkit dialog is
+   dismissed
+ - daemon: Allow Polkit authorization to cancel changes.
+ - travis: switch to container based test runs
+ - interfaces: reduce duplicated code in interface tests mocks
+ - tests: improve revert related testing
+ - interfaces: sanitize plugs and slots early in ReadInfo
+ - store: add download caching
+ - preserve TMPDIR and HOSTALIASES across snap-confine invocation
+ - snap-confine: init all arrays with `= {0,}`
+ - tests: adding test for network-manager interface
+ - interfaces/mount: don't generate legacy per-hook/per-app mount
+   profiles
+ - snap: introduce structured epochs
+ - tests: fix interfaces-cups-control test for cups-2.2.5
+ - snap-confine: cleanup incorrectly created nvidia udev tags
+ - cmd/snap-confine: update valid security tag regexp
+ - cmd/libsnap: enable two stranded tests
+ - cmd,packaging: enable apparmor on openSUSE
+ - overlord/ifacestate: refresh all security backends on startup
+ - interfaces/dbus: drop unneeded check for
+   release.ReleaseInfo.ForceDevMode
+ - dbus: ensure io.snapcraft.Launcher.service is created on re-
+   exec
+ - overlord/auth: continue for now supporting UBUNTU_STORE_ID if the
+   model is generic-classic
+ - snap-confine: add support for handling /dev/nvidia-modeset
+ - interfaces/network-control: remove incorrect rules for tun
+ - spread: allow setting SPREAD_DEBUG_EACH=0 to disable debug-each
+   section
+ - packaging: remove .mnt files on removal
+ - tests: fix econnreset scenario when the iptables rule was not
+   created
+ - tests: add test for lxd interface
+ - run-checks: use nakedret static checker to check for naked
+   returns on long functions
+ - progress: be more flexible in testing ansimeter
+ - interfaces: fix udev rules for tun
+ - many: implement our own ANSI-escape-using progress indicator
+ - snap-exec: update tests to follow main_test pattern
+ - snap: support "command: foo $ENV_STRING"
+ - packaging: update nvidia configure options
+ - snap: add new `snap pack` and use in tests
+ - cmd: correctly name the "Ubuntu" and "Arch" NVIDIA methods
+ - cmd: add autogen case for solus
+ - tests: do not use http://canihazip.com/ which appears to be down
+ - hooks: commands for controlling own services from snapctl
+ - snap: refactor cmdGet.Execute()
+ - interfaces/mount: make Change.Perform testable and test it
+ - interfaces/mount,cmd/snap-update-ns: move change code
+ - snap-confine: is_running_on_classic_distribution() looks into os-
+   release
+ - interfaces: misc updates for default, browser-support, home and
+   system-observe
+ - interfaces: deny lttng by default
+ - interfaces/lxd: lxd slot implementation can also be an app snap
+ - release,cmd,dirs: Redo the distro checks to take into account
+   distribution families
+ - cmd/snap: completion for alias and unalias
+ - snap-confine: add new SC_CLEANUP and use it
+ - snap: refrain from running filepath.Base on random strings
+ - cmd/snap-confine: put processes into freezer hierarchy
+ - wrappers: fail install if exec-line cannot be re-written
+ - cmd/snap-seccomp,osutil: make user/group lookup functions public
+ - snapstate: deal with snap user data in the /root/ directory
+ - interfaces: Enhance full-confinement support for biarch
+   distributions
+ - snap-confine: Only attempt to copy/mount NVIDIA libs when NVIDIA
+   is used
+ - packaging/fedora: Add Fedora 26, 27, and Rawhide symlinks
+ - overlord/snapstate: prefer a smaller corner case for doing the
+   wrong thing
+ - cmd/snap-repair:  set user agent for snap-repair http requests
+ - packaging: bring down the delta between 14.04 and 16.04
+ - snap-confine: Ensure lib64 biarch directory is respected
+ - snap-confine: update apparmor rules for fedora based base snaps
+ - tests: Increase SNAPD_CONFIGURE_HOOK_TIMEOUT to 3 minutes to
+   install real snaps
+ - daemon: use client.Snap instead of map[string]interface{} for
+   snaps.
+ - hooks: rename refresh hook to post-refresh
+ - git: make the .gitingore file a bit more targeted
+ - interfaces/opengl: don't udev tag nvidia devices and use snap-
+   confine instead
+ - cmd/snap-{confine,update-ns}: apply mount profiles using snap-
+   update-ns
+ - cmd: update "make hack"
+ - interfaces/system-observe: allow clients to enumerate DBus
+   connection names
+ - snap-repair: implement `snap-repair {list,show}`
+ - dirs,interfaces: create snap-confine.d on demand when re-executing
+ - snap-confine: fix base snaps on core
+ - cmd/snap-repair: fix tests when running as root
+ - interfaces: add Connection type
+ - cmd/snap-repair: skip disabled repairs
+ - cmd/snap-repair: prefer leaking unmanaged fds on test failure over
+   closing random ones
+ - snap-repair: make `repair` binary available for repair scripts
+ - snap-repair: fix missing Close() in TestStatusHappy
+ - cmd/snap-confine,packaging: import snapd-generated policy
+ - cmd/snap: return empty document if snap has no configuration
+ - snap-seccomp: run secondary-arch tests via gcc-multilib
+ - snap: implement `snap {repair,repairs}` and pass-through to snap-
+   repair
+ - interfaces/builtin: allow receiving dbus messages
+ - snap-repair: implement `snap-repair {done,skip,retry}`
+ - data/completion: small tweak to snap completion snippet
+ - dirs: fix classic support detection
+ - cmd/snap-repair: integrate root public keys for repairs
+ - tests: fix ubuntu core services
+ - tests: add new test that checks that the compat snapd-xdg-open
+   works
+ - snap-confine: improve error message if core/u-core cannot be found
+ - tests: only run tests/regression/nmcli on amd64
+ - interfaces: mount host system fonts in desktop interface
+ - interfaces: enable partial apparmor support
+ - snapstate: auto-install missing base snaps
+ - spread: work around temporary packaging issue in debian sid
+ - asserts,cmd/snap-repair: introduce a mandatory summary for repairs
+ - asserts,cmd/snap-repair: represent RepairID internally as an int
+ - tests: test the real "xdg-open" from the core snap
+ - many: implement fetching sections and package names periodically.
+ - interfaces/network: allow using netcat as client
+ - snap-seccomp, osutil: use osutil.AtomicFile in snap-seccomp
+ - snap-seccomp: skip mknod syscall on arm64
+ - tests: add trivial canonical-livepatch test
+ - tests: add test that ensures that all core services are working
+ - many: add logger.MockLogger() and use it in the tests
+ - snap-repair: fix test failure in TestRepairHitsTimeout
+ - asserts: add empty values check in HeadersFromPrimaryKey
+ - daemon: remove unused installSnap var in test
+ - daemon: reach for Overlord.Loop less thanks to overlord.Mock
+ - snap-seccomp: manually resolve socket() call in tests
+ - tests: change regex used to validate installed ubuntu core snap
+ - cmd/snapctl: allow snapctl -h without a context (regression fix).
+ - many: use snapcore/snapd/i18n instead of i18n/dumb
+ - many: introduce asserts.NotFoundError replacing both ErrNotFound
+   and store.AssertionNotFoundError
+ - packaging: don't include any marcos in comments
+ - overlord: use overlord.Mock in more tests, make sure we check the
+   outcome of Settle
+ - tests: try to fix staging tests
+ - store: simplify api base url config
+ - systemd: add systemd.MockJournalctl()
+ - many: provide systemd.MockSystemctl() helper
+ - tests: improve the listing test to not fail for e.g. 2.28~rc2
+ - snapstate: give snapmgrTestSuite.settle() more time to settle
+ - tests: fix regex to check core version on snap list
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces: add udev netlink support to hardware-observe
+ - overlord: introduce Mock which enables to use Overlord.Settle for
+   settle in many more places
+ - snap-repair: execute the repair and capture logs/status
+ - tests: run the tests/unit/go everywhere
+ - daemon, snapstate: move ensureCore from daemon/api.go into
+   snapstate.go
+ - cmd/snap: get keys or root document
+ - spread.yaml: turn suse to manual given that it's breaking master
+ - many: configure store from state, reconfigure store at runtime
+ - osutil: AtomicWriter (an io.Writer), and io.Reader versions of
+   AtomicWrite*
+ - tests: check for negative syscalls in runBpf() and skip those
+   tests
+ - docs: use abolute path in PULL_REQUEST_TEMPLATE.md
+ - store: move device auth endpoint uris to config (#3831)
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-2
+- Properly fix the build for Fedora 25
+- Incorporate misc build fixes
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-1
+- Release 2.28.5 to Fedora (RH#1502186)
+- Build snap-exec and snap-update-ns statically to support base snaps
+
+* Fri Oct 13 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.5
+  - snap-confine: cleanup broken nvidia udev tags
+  - cmd/snap-confine: update valid security tag regexp
+  - overlord/ifacestate: refresh udev backend on startup
+  - dbus: ensure io.snapcraft.Launcher.service is created on re-
+    exec
+  - snap-confine: add support for handling /dev/nvidia-modeset
+  - interfaces/network-control: remove incorrect rules for tun
+
+* Thu Oct 12 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.4-1
+- Release 2.28.4 to Fedora (RH#1501141)
+- Drop distro check backport patches (released with 2.28.2)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.4
+  - interfaces/opengl: don't udev tag nvidia devices and use snap-
+    confine instead
+  - debian: fix replaces/breaks for snap-xdg-open (thanks to apw!)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.3
+  - interfaces/lxd: lxd slot implementation can also be an app
+    snap
+
+* Tue Oct 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.2
+  - interfaces: fix udev rules for tun
+  - release,cmd,dirs: Redo the distro checks to take into account
+    distribution families
+
+* Sun Oct 08 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.1-1
+- Release 2.28.1 to Fedora (RH#1495852)
+- Drop userd backport patches, they are part of 2.28 release
+- Backport changes to rework distro checks to fix derivative distro usage of snapd
+- Revert import path change for cheggaaa/pb as it breaks build on Fedora
+- Add a posttrans relabel to snapd-selinux to ensure everything is labeled correctly
+
+* Wed Sep 27 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.1
+  - snap-confine: update apparmor rules for fedora based basesnaps
+  - snapstate: rename refresh hook to post-refresh for consistency
+
+* Mon Sep 25 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28
+ - hooks: rename refresh to after-refresh
+ - snap-confine: bind mount /usr/lib/snapd relative to snap-confine
+ - cmd,dirs: treat "liri" the same way as "arch"
+ - snap-confine: fix base snaps on core
+ - hooks: substitute env vars when executing hooks
+ - interfaces: updates for default, browser-support, desktop, opengl,
+   upower and stub-resolv.conf
+ - cmd,dirs: treat manjaro the same as arch
+ - systemd: do not run auto-import and repair services on classic
+ - packaging/fedora: Ensure vendor/ is empty for builds and fix spec
+   to build current master
+ - many: fix TestSetConfNumber missing an Unlock and other fragility
+   improvements
+ - osutil: adjust StreamCommand tests for golang 1.9
+ - daemon: allow polkit authorisation to install/remove snaps
+ - tests: make TestCmdWatch more robust
+ - debian: improve package description
+ - interfaces: add netlink kobject uevent to hardware observe
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces/network-{control,observe}: allow receiving
+   kobject_uevent() messages
+ - tests: fix lxd test for external backend
+ - snap-confine,snap-update-ns: add -no-pie to fix FTBFS on
+   go1.7,ppc64
+ - corecfg: mock "systemctl" in all corecfg tests
+ - tests: fix unit tests on Ubuntu 14.04
+ - debian: add missing flags when building static snap-exec
+ - many: end-to-end support for the bare base snap
+ - overlord/snapstate: SetRootDir from SetUpTest, not in just some
+   tests
+ - store: have an ad-hoc method on cfg to get its list of uris for
+   tests
+ - daemon: let client decide whether to allow interactive auth via
+   polkit
+ - client,daemon,snap,store: add license field
+ - overlord/snapstate: rename HasCurrent to IsInstalled, remove
+   superfluous/misleading check from All
+ - cmd/snap: SetRootDir from SetUpTest, not in just some individual
+   tests.
+ - systemd: rename snap-repair.{service,timer} to snapd.snap-
+   repair.{service,timer}
+ - snap-seccomp: remove use of x/net/bpf from tests
+ - httputil: more naive per go version way to recreate a default
+   transport for tls reconfig
+ - cmd/snap-seccomp/main_test.go: add one more syscall for arm64
+ - interfaces/opengl: use == to compare, not =
+ - cmd/snap-seccomp/main_test.go: add syscalls for armhf and arm64
+ - cmd/snap-repair: track and use a lower bound for the time for
+   TLS checks
+ - interfaces: expose bluez interface on classic OS
+ - snap-seccomp: add in-kernel bpf tests
+ - overlord: always try to get a serial, lazily on classic
+ - tests: add nmcli regression test
+ - tests: deal with __PNR_chown on aarch64 to fix FTBFS on arm64
+ - tests: add autopilot-introspection interface test
+ - vendor: fix artifact from manually editing vendor/vendor.json
+ - tests: rename complexion to test-snapd-complexion
+ - interfaces: add desktop and desktop-legacy
+   interfaces/desktop: add new 'desktop' interface for modern DEs*
+   interfaces/builtin/desktop_test.go: use modern testing techniques*
+   interfaces/wayland: allow read on /etc/drirc for Plasma desktop*
+   interfaces/desktop-legacy: add new 'legacy' interface (currently
+   for a11y and input)
+ - tests: fix race in snap userd test
+ - devices/iio: add read/write for missing sysfs entries
+ - spread: don't set HTTPS?_PROXY for linode
+ - cmd/snap-repair: check signatures of repairs from Next
+ - env: set XDG_DATA_DIRS for wayland et.al.
+ - interfaces/{default,account-control}: Use username/group instead
+   of uid/gid
+ - interfaces/builtin: use udev tagging more broadly
+ - tests: add basic lxd test
+ - wrappers: ensure bash completion snaps install on core
+ - vendor: use old golang.org/x/crypto/ssh/terminal to build on
+   powerpc again
+ - docs: add PULL_REQUEST_TEMPLATE.md
+ - interfaces: fix network-manager plug
+ - hooks: do not error out when hook is optional and no hook handler
+   is registered
+ - cmd/snap: add userd command to replace snapd-xdg-open
+ - tests: new regex used to validate the core version on extra snaps
+   ass...
+ - snap: add new `snap switch` command
+ - tests: wait more and more debug info about fakestore start issues
+ - apparmor,release: add better apparmor detection/mocking code
+ - interfaces/i2c: adjust sysfs rule for alternate paths
+ - interfaces/apparmor: add missing call to dirs.SetRootDir
+ - cmd: "make hack" now also installs snap-update-ns
+ - tests: copy files with less verbosity
+ - cmd/snap-confine: allow using additional libraries required by
+   openSUSE
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapstate: improve the error message when classic confinement is
+   not supported
+ - tests: add test to ensure amd64 can run i386 syscall binaries
+ - tests: adding extra info for fakestore when fails to start
+ - tests: install most important snaps
+ - cmd/snap-repair: more test coverage of filtering
+ - squashfs: remove runCommand/runCommandWithOutput as we do not need
+   it
+ - cmd/snap-repair: ignore superseded revisions, filter on arch and
+   models
+ - hooks: support for refresh hook
+ - Partial revert "overlord/devicestate, store: update device auth
+   endpoints URLs"
+ - cmd/snap-confine: allow reading /proc/filesystems
+ - cmd/snap-confine: genearlize apparmor profile for various lib
+   layout
+ - corecfg: fix proxy.* writing and add integration test
+ - corecfg: deal with system.power-key-action="" correctly
+ - vendor: update vendor.json after (presumed) manual edits
+ - cmd/snap: in `snap info`, don't print a newline between tracks
+ - daemon: add polkit support to /v2/login
+ - snapd,snapctl: decode json using Number
+ - client: fix go vet 1.7 errors
+ - tests: make 17.04 shellcheck clean
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - snapstate: undo a daemon restart on classic if needed
+ - cmd/snap-repair: recover brand/model from
+   /var/lib/snapd/seed/assertions checking signatures and brand
+   account
+ - spread: opt into unsafe IO during spread tests
+ - snap-repair: update snap-repair/runner_test.go for API change in
+   makeMockServer
+ - cmd/snap-repair: skeleton code around actually running a repair
+ - tests: wait until the port is listening after start the fake store
+ - corecfg: fix typo in tests
+ - cmd/snap-repair: test that redirects works during fetching
+ - osutil: honor SNAPD_UNSAFE_IO for testing
+ - vendor: explode and make more precise our golang.go/x/crypto deps,
+   use same version as Debian unstable
+ - many: sanitize NewStoreStack signature, have shared default store
+   test private keys
+ - systemd: disable `Nice=-5` to fix error when running inside lxd
+ - spread.yaml: update delta ref to 2.27
+ - cmd/snap-repair: use E-Tags when refetching a repair to retry
+ - interfaces/many: updates based on chromium and mrrescue denials
+ - cmd/snap-repair: implement most logic to get the next repair to
+   run/retry in a brand sequence
+ - asserts/assertstest: copy headers in SigningDB.Sign
+ - interfaces: convert uhid to common interface and test cases
+   improvement for time_control and opengl
+ - many tests: move all panicing fake store methods to a common place
+ - asserts: add store assertion type
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - wrappers: symlink completion snippets when symlinking binaries
+ - tests: adding more debug information for the interfaces-cups-
+   control …
+ - apparmor: pass --quiet to parser on load unless SNAPD_DEBUG is set
+ - many: allow and support serials signed by the 'generic' authority
+   instead of the brand
+ - corecfg: add proxy configuration via `snap set core
+   proxy.{http,https,ftp}=...`
+ - interfaces: a bunch of interfaces test improvement
+ - tests: enable regression and completion suites for opensuse
+ - tests: installing snapd for nested test suite
+ - interfaces: convert lxd_support to common iface
+ - interfaces: add missing test for camera interface.
+ - snap: add support for parsing snap layout section
+ - cmd/snap-repair: like for downloads we cannot have a timeout (at
+   least for now), less aggressive retry strategies
+ - overlord: rely on more conservative ensure interval
+ - overlord,store: no piles of return args for methods gathering
+   device session request params
+ - overlord,store: send model assertion when setting up device
+   sessions
+ - interfaces/misc: updates for unity7/x11, browser-
+   support, network-control and mount-observe
+   interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+   interfaces/browser-support: update sysfs reads for
+   newer browser versions, interfaces/network-control: rw for
+   ieee80211 advanced wireless interfaces/mount-observe: allow read
+   on sysfs entries for block devices
+ - tests: use dnf --refresh install to avert stale cache
+ - osutil: ensure TestLockUnlockWorks uses supported flock
+ - interfaces: convert lxd to common iface
+ - tests: restart snapd to ensure re-exec settings are applied
+ - tests: fix interfaces-cups-control test
+ - interfaces: improve and tweak bunch of interfaces test cases.
+ - tests: adding extra worker for fedora
+ - asserts,overlord/devicestate: support predefined assertions that
+   don't establish foundational trust
+ - interfaces: convert two hardware_random interfaces to common iface
+ - interfaces: convert io_ports_control to common iface
+ - tests: fix for  upgrade test on fedora
+ - daemon, client, cmd/snap: implement snap start/stop/restart
+ - cmd/snap-confine: set _FILE_OFFSET_BITS to 64
+ - interfaces: covert framebuffer to commonInterface
+ - interfaces: convert joystick to common iface
+ - interfaces/builtin: add the spi interface
+ - wrappers, overlord/snapstate/backend: make link-snap clean up on
+   failure.
+ - interfaces/wayland: add wayland interface
+ - interfaces: convert kvm to common iface
+ - tests: extend upower-observe test to cover snaps providing slots
+ - tests: enable main suite for opensuse
+ - interfaces: convert physical_memory_observe to common iface
+ - interfaces: add missing test for optical_drive interface.
+ - interfaces: convert physical_memory_control to common iface
+ - interfaces: convert ppp to common iface
+ - interfaces: convert time-control to common iface
+ - tests: fix failover test
+ - interfaces/builtin: rework for avahi interface
+ - interfaces: convert broadcom-asic-control to common iface
+ - snap/snapenv: document the use of CoreSnapMountDir for SNAP
+ - packaging/arch: drop patches merged into master
+ - cmd: fix mustUnsetenv docstring (thanks to Chipaca)
+ - release: remove default from VERSION_ID
+ - tests: enable regression, upgrade and completion test suites for
+   fedora 
+ - tests: restore interfaces-account-control properly
+ - overlord/devicestate, store: update device auth endpoints URLs
+ - tests: fix install-hook test failure
+ - tests: download core and ubuntu-core at most once
+ - interfaces: add common support for udev
+ - overlord/devicestate: fix, don't assume that the serial is backed
+   by a 1-key chain
+ - cmd/snap-confine: don't share /etc/nsswitch from host
+ - store: do not resume a download when we already have the whole
+   thing
+ - many: implement "snap logs"
+ - store: don't call useDeltas() twice in quick succession
+ - interfaces/builtin: add kvm interface
+ - snap/snapenv: always expect /snap for $SNAP
+ - cmd: mark arch as non-reexecing distro
+ - cmd: fix tests that assume /snap mount
+ - gitignore: ignore more build artefacts
+ - packaging: add current arch packaging
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/builtin: implement broadcom-asic-control interface
+ - interfaces/builtin: reduce duplication and remove cruft in
+   Sanitize{Plug,Slot}
+ - tests: apply underscore convention for SNAPMOUNTDIR variable
+ - interfaces/greengrass-support: adjust accesses now that have
+   working snap
+ - daemon, client, cmd/snap: implement "snap services"
+ - tests: fix refresh tests not stopping fake store for fedora
+ - many: add the interface command
+ - overlord/snapstate/backend: some copydata improvements
+ - many: support querying and completing assertion type names
+ - interfaces/builtin: discard empty Validate{Plug,Slot}
+ - cmd/snap-repair:  start of Runner, implement first pass of Peek
+   and Fetch
+ - tests: enable main suite on fedora
+ - snap: do not always quote the snap info summary
+ - vendor: update go-flags to address crash in "snap debug"
+ - interfaces: opengl support pci device and vendor
+ - many: start implenting "base" snap type on the snapd side
+ - arch,release: map armv6 correctly
+ - many: expose service status in 'snap info'
+ - tests: add browser-support interface test
+ - tests: disable snapd-notify for the external backend
+ - interfaces: Add /run/uuid/request to openvswitch
+ - interfaces: add password-manager-service implicit classic
+   interface
+ - cmd: rework reexec detection
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: dependency packages installed during prepare-project
+ - tests: remove unneeded check for re-exec in InternalToolPath()
+ - cmd,tests: fix classic confinement confusing re-execution code
+ - store: configurable base api
+ - tests: fix how package lists are updated for opensuse and fedora
+
+* Sun Sep 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.6-1
+- Release 2.27.6 to Fedora (RH#1489437)
+
+* Thu Sep 07 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.6
+  - interfaces: add udev netlink support to hardware-observe
+  - interfaces/network-{control,observe}: allow receiving
+    kobject_uevent() messages
+
+* Mon Sep 04 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.5-1
+- Release 2.27.5 to Fedora (RH#1483177)
+- Backport userd from upstream to support xdg-open
+
+* Wed Aug 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.5
+  - interfaces: fix network-manager plug regression
+  - hooks: do not error when hook handler is not registered
+  - interfaces/alsa,pulseaudio: allow read on udev data for sound
+  - interfaces/optical-drive: read access to udev data for /dev/scd*
+  - interfaces/browser-support: read on /proc/vmstat and misc udev
+    data
+
+* Thu Aug 24 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.4
+  - snap-seccomp: add secondary arch for unrestricted snaps as well
+
+* Fri Aug 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.3
+  - systemd: disable `Nice=-5` to fix error when running inside lxdSee
+    https://bugs.launchpad.net/snapd/+bug/1709536
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-2
+- Bump to rebuild for F27 and Rawhide
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-1
+- Release 2.27.2 to Fedora (RH#1482173)
+
+* Wed Aug 16 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.2
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - interfaces: backport broadcom-asic-control interface
+ - interfaces: allow /usr/bin/xdg-open in unity7
+ - store: do not resume a download when we already have the whole
+   thing
+
+* Mon Aug 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.1-1
+- Release 2.27.1 to Fedora (RH#1481247)
+
+* Mon Aug 14 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.1
+ - tests: use dnf --refresh install to avert stale cache
+ - tests: fix test failure on 14.04 due to old version of
+   flock
+ - updates for unity7/x11, browser-support, network-control,
+   mount-observe
+ - interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+ - interfaces/browser-support: update sysfs reads for
+   newer browser versions
+ - interfaces/network-control: rw for ieee80211 advanced wireless
+ - interfaces/mount-observe: allow read on sysfs entries for block
+   devices
+
+* Thu Aug 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27-1
+- Release 2.27 to Fedora (RH#1458086)
+
+* Thu Aug 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27
+ - fix build failure on 32bit fedora
+ - interfaces: add password-manager-service implicit classic interface
+ - interfaces/greengrass-support: adjust accesses now that have working
+   snap
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: restore interfaces-account-control properly
+ - cmd: fix tests that assume /snap mount
+ - cmd: mark arch as non-reexecing distro
+ - snap-confine: don't share /etc/nsswitch from host
+ - store: talk to api.snapcraft.io for purchases
+ - hooks: support for install and remove hooks
+ - packaging: fix Fedora support
+ - tests: add bluetooth-control interface test
+ - store: talk to api.snapcraft.io for assertions
+ - tests: remove snapd before building from branch
+ - tests: add avahi-observe interface test
+ - store: orders API now checks if customer is ready
+ - cmd/snap: snap find only searches stable
+ - interfaces: updates default, mir, optical-observe, system-observe,
+   screen-inhibit-control and unity7
+ - tests: speedup prepare statement part 1
+ - store: do not send empty refresh requests
+ - asserts: fix error handling in snap-developer consistency check
+ - systemd: add explicit sync to snapd.core-fixup.sh
+ - snapd: generate snap cookies on startup
+ - cmd,client,daemon: expose "force devmode" in sysinfo
+ - many: introduce and use strutil.ListContains and also
+   strutil.SortedListContains
+ - assserts,overlord/assertstate: test we don't accept chains of
+   assertions founded on a self-signed key coming externally
+ - interfaces: enable access to bridge settings
+ - interfaces: fix copy-pasted iio vs io in io-ports-control
+ - cmd/snap-confine: various small fixes and tweaks to seccomp
+   support code
+ - interfaces: bring back seccomp argument filtering
+ - systemd, osutil: rework systemd logs in preparation for services
+   commands
+ - tests: store /etc/systemd/system/snap-*core*.mount in snapd-
+   state.tar.gz
+ - tests: shellcheck improvements for tests/main tasks - first set of
+   tests
+ - cmd/snap: `--last` for abort and watch, and aliases
+   (search→find, change→tasks)
+ - tests: shellcheck improvements for tests/lib scripts
+ - tests: create ramdisk if it's not present
+ - tests: shellcheck improvements for nightly upgrade and regressions
+   tests
+ - snapd: fix for snapctl get panic on null config values.
+ - tests: fix for rng-tools service not restarting
+ - systemd: add snapd.core-fixup.service unit
+ - cmd: avoid using current symlink in InternalToolPath
+ - tests: fix timeout issue for test refresh core with hanging …
+ - intefaces: control bridged vlan/ppoe-tagged traffic
+ - cmd/snap: include snap type in notes
+ - overlord/state: Abort() only visits each task once
+ - tests: extend find-private test to cover more cases
+ - snap-seccomp: skip socket() tests on systems that use socketcall()
+   instead of socket()
+ - many: support snap title as localized/title-cased name
+ - snap-seccomp: deal with mknod on aarch64 in the seccomp tests
+ - interfaces: put base policy fragments inside each interface
+ - asserts: introduce NewDecoderWithTypeMaxBodySize
+ - tests: fix snapd-notify when it takes more time to restart
+ - snap-seccomp: fix snap-seccomp tests in artful
+ - tests: fix for create-key task to avoid rng-tools service ramains
+   alive
+ - snap-seccomp: make sure snap-seccomp writes the bpf file
+   atomically
+ - tests: do not disable ipv6 on core systems
+ - arch: the kernel architecture name is armv7l instead of armv7
+ - snap-confine: ensure snap-confine waits some seconds for seccomp
+   security profiles
+ - tests: shellcheck improvements for tests/nested tasks
+ - wrappers: add SyslogIdentifier to the service unit files.
+ - tests: shellcheck improvements for unit tasks
+ - asserts: implement FindManyTrusted as well
+ - asserts: open up and optimize Encoder to help avoiding unnecessary
+   copying
+ - interfaces: simplify snap-confine by just loading pre-generated
+   bpf code
+ - tests: restart rng-tools services after few seconds
+ - interfaces, tests: add mising dbus abstraction to system-observe
+   and extend spread test
+ - store: change main store host to api.snapcraft.io
+ - overlord/cmdstate: new package for running commands as tasks.
+ - spread: help libapt resolve installing libudev-dev
+ - tests: show the IP from .travis.yaml
+ - tests/main: use pkgdb function in more test cases
+ - cmd,daemon: add debug command for displaying the base policy
+ - tests: prevent quoting error on opensuse
+ - tests: fix nightly suite
+ - tests: add linode-sru backend
+ - snap-confine: validate SNAP_NAME against security tag
+ - tests: fix ipv6 disable for ubuntu-core
+ - tests: extend core-revert test to cover bluez issues
+ - interfaces/greengrass-support: add support for Amazon Greengrass
+   as a snap
+ - asserts: support timestamp and optional disabled header on repair
+ - tests: reboot after upgrading to snapd on the -proposed pocket
+ - many: fix test cases to work with different DistroLibExecDir
+ - tests: reenable help test on ubuntu and debian systems
+ - packaging/{opensuse,fedora}: allow package build with testkeys
+   included
+ - tests/lib: generalize RPM build support
+ - interfaces/builtin: sync connected slot and permanent slot snippet
+ - tests: fix snap create-key by restarting automatically rng-tools
+ - many: switch to use http numeric statuses as agreed
+ - debian: add missing  Type=notify in 14.04 packaging
+ - tests: mark interfaces-openvswitch as manual due to prepare errors
+ - debian: unify built_using between the 14.04 and 16.04 packaging
+   branch
+ - tests: pull from urandom when real entropy is not enough
+ - tests/main/manpages: install missing man package
+ - tests: add refresh --time output check
+ - debian: add missing "make -C data/systemd clean"
+ - tests: fix for upgrade test when it is repeated
+ - tests/main: use dir abstraction in a few more test cases
+ - tests/main: check for confinement in a few more interface tests
+ - spread: add fedora snap bin dir to global PATH
+ - tests: check that locale-control is not present on core
+ - many: snapctl outside hooks
+ - tests: add whoami check
+ - interfaces: compose the base declaration from interfaces
+ - tests: fix spread flaky tests linode
+ - tests,packaging: add package build support for openSUSE
+ - many: slight improvement of some snap error messaging
+ - errtracker: Include /etc/apparmor.d/usr.lib.snap-confine md5sum in
+   err reports
+ - tests: fix for the test postrm-purge
+ - tests: restoring the /etc/environment and service units config for
+   each test
+ - daemon: make snapd a "Type=notify" daemon and notify when startup
+   is done
+ - cmd/snap-confine: add support for --base snap
+ - many: derive implicit slots from interface meta-data
+ - tests: add core revert test
+ - tests,packaging: add package build support for Fedora for our
+   spread setup
+ - interfaces: move base declaration to the policy sub-package
+ - tests: fix for snapd-reexec test cheking for restart info on debug
+   log
+ - tests: show available entropy on error
+ - tests: clean journalctl logs on trusty
+ - tests: fix econnreset on staging
+ - tests: modify core before calling set
+ - tests: add snap-confine privilege test
+ - tests: add staging snap-id
+ - interfaces/builtin: silence ptrace denial for network-manager
+ - tests: add alsa interface spread test
+ - tests: prefer ipv4 over ipv6
+ - tests: fix for econnreset test checking that the download already
+   started
+ - httputil,store: extract retry code to httputil, reorg usages
+ - errtracker: report if snapd did re-execute itself
+ - errtracker: include bits of snap-confine apparmor profile
+ - tests: take into account staging snap-ids for snap-info
+ - cmd: add stub new snap-repair command and add timer
+ - many: stop "snap refresh $x --channel invalid" from working
+ - interfaces: revert "interfaces: re-add reverted ioctl and quotactl
+ - snapstate: consider connect/disconnect tasks in
+   CheckChangeConflict.
+ - interfaces: disable "mknod |N" in the default seccomp template
+   again
+ - interfaces,overlord/ifacestate: make sure installing slots after
+   plugs works similarly to plugs after slots
+ - interfaces/seccomp: add bind() syscall for forced-devmode systems
+ - packaging/fedora: Sync packaging from Fedora Dist-Git
+ - tests: move static and unit tests to spread task
+ - many: error types should be called FooError, not ErrFoo.
+ - partition: add directory sync to the save uboot.env file code
+ - cmd: test everything (100% coverage \o/)
+ - many: make shell scripts shellcheck-clean
+ - tests: remove additional setup for docker on core
+ - interfaces: add summary to each interface
+ - many: remove interface meta-data from list of connections
+ - logger (& many more, to accommodate): drop explicit syslog.
+ - packaging: import packaging bits for opensuse
+ - snapstate,many: implement snap install --unaliased
+ - tests/lib: abstract build dependency installation a bit more
+ - interfaces, osutil: move flock code from interfaces/mount to
+   osutil
+ - cmd: auto import assertions only from ext4,vfat file systems
+ - many: refactor in preparation for 'snap start'
+ - overlord/snapstate: have an explicit code path last-refresh
+   unset/zero => immediately refresh try
+ - tests: fixes for executions using the staging store
+ - tests: use pollinate to seed the rng
+ - cmd/snap,tests: show the sha3-384 of the snap for snap info
+   --verbose SNAP-FILE
+ - asserts: simplify and adjust repair assertion definition
+ - cmd/snap,tests: show the snap id if available in snap info
+ - daemon,overlord/auth: store from model assertion wins
+ - cmd/snap,tests/main: add confinement switch instead of spread
+   system blacklisting
+ - many: cleanup MockCommands and don't leave a process around after
+   hookstate tests
+ - tests: update listing test to the core version number schema
+ - interfaces: allow snaps to use the timedatectl utility
+ - packaging: Add Fedora packaging files
+ - tests/libs: add distro_auto_remove_packages function
+ - cmd/snap: correct devmode note for anomalous state
+ - tests/main/snap-info: use proper pkgdb functions to install distro
+   packages
+ - tests/lib: use mktemp instead of tempfile to work cross-distro
+ - tests: abstract common dirs which differ on distributions
+ - many: model and expose interface meta-data.
+ - overlord: make config defaults from gadget work also at first boot
+ - interfaces/log-observe: allow using journalctl from hostfs for
+   classic distro
+ - partition,snap: add support for android boot
+ - errtracker: small simplification around readMachineID
+ - snap-confine: move rm_rf_tmp to test-utils.
+ - tests/lib: introduce pkgdb helper library
+ - errtracker: try multiple paths to read machine-id
+ - overlord/hooks: make sure only one hook for given snap is executed
+   at a time.
+ - cmd/snap-confine: use SNAP_MOUNT_DIR to setup /snap inside the
+   confinement env
+ - tests: bump kill-timeout and remove quiet call on build
+ - tests/lib/snaps: add a test store snap with a passthrough
+   configure hook
+ - daemon: teach the daemon to wait on active connections when
+   shutting down
+ - tests: remove unit tests task
+ - tests/main/completion: source from /usr/share/bash-completion
+ - assertions: add "repair" assertion
+ - interfaces/seccomp: document Backend.NewSpecification
+ - wrappers: make StartSnapServices cleanup any services that were
+   added if a later one fails
+ - overlord/snapstate: avoid creating command aliases for daemons
+ - vendor: remove unused packages
+ - vendor,partition: fix panics from uenv
+ - cmd,interfaces/mount: run snap-update-ns and snap-discard-ns from
+   core if possible
+ - daemon: do not allow to install ubuntu-core anymore
+ - wrappers: service start/stop were inconsistent
+ - tests: fix failing tests (snap core version, syslog changes)
+ - cmd/snap-update-ns: add actual implementation
+ - tests: improve entropy also for ubuntu
+ - cmd/snap-confine: use /etc/ssl from the core snap
+ - wrappers: don't convert between []byte and string needlessly.
+ - hooks: default timeout
+ - overlord/snapstate: Enable() was ignoring the flags from the
+   snap's state, resulting in losing "devmode" on disable/enable.
+ - difs,interfaces/mount: add support for locking namespaces
+ - interfaces/mount: keep track of kept mount entries
+ - tests/main: move a bunch of greps over to MATCH
+ - interfaces/builtin: make all interfaces private
+ - interfaces/mount: spell unmount correctly
+ - tests: allow 16-X.Y.Z version of core snap
+ - the timezone_control interface only allows changing /etc/timezone
+   and /etc/writable/timezone. systemd-timedated also updated the
+   link of /etc/localtime and /etc/writable/localtime ... allow
+   access to this file too
+ - cmd/snap-confine: aggregate operations holding global lock
+ - api, ifacestate: resolve disconnect early
+ - interfaces/builtin: ensure we don't register interfaces twice
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu May 25 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-3
+- Cover even more stuff for proper erasure on final uninstall (RH#1444422)
+
+* Sun May 21 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-2
+- Fix error in script for removing Snappy content (RH#1444422)
+- Adjust changelog bug references to be specific on origin
+
+* Wed May 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-1
+- Update to snapd 2.26.3
+- Drop merged and unused patches
+- Cover more Snappy content for proper erasure on final uninstall (RH#1444422)
+- Add temporary fix to ensure generated seccomp profiles don't break snapctl
+
+* Mon May 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.25-1
+- Update to snapd 2.25
+- Ensure all Snappy content is gone on final uninstall (RH#1444422)
+
+* Tue Apr 11 2017 Neal Gompa <ngompa13@gmail.com> - 2.24-1
+- Update to snapd 2.24
+- Drop merged patches
+- Install snap bash completion and snapd info file
+
+* Wed Apr 05 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-4
+- Test if snapd socket and timer enabled and start them if enabled on install
+
+* Sat Apr 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-3
+- Fix profile.d generation so that vars aren't expanded in package build
+
+* Fri Mar 31 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-2
+- Fix the overlapping file conflicts between snapd and snap-confine
+- Rework package descriptions slightly
+
+* Thu Mar 30 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-1
+- Rebase to snapd 2.23.6
+- Rediff patches
+- Re-enable seccomp
+- Fix building snap-confine on 32-bit arches
+- Set ExclusiveArch based on upstream supported arch list
+
+* Wed Mar 29 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.5-1
+- Rebase to snapd 2.23.5
+- Disable seccomp temporarily avoid snap-confine bugs (LP#1674193)
+- Use vendorized build for non-Fedora
+
+* Mon Mar 13 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.1-1
+- Rebase to snapd 2.23.1
+- Add support for vendored tarball for non-Fedora targets
+- Use merged in SELinux policy module
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 19 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.16-1
+- New upstream release
+
+* Tue Oct 18 2016 Neal Gompa <ngompa13@gmail.com> - 2.14-2
+- Add SELinux policy module subpackage
+
+* Tue Aug 30 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.14-1
+- New upstream release
+
+* Tue Aug 23 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.13-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-2
+- Correct license identifier
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-8
+- Add %%dir entries for various snapd directories
+- Tweak Source0 URL
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-7
+- Disable snapd re-exec feature by default
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-6
+- Don't auto-start snapd.socket and snapd.refresh.timer
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-5
+- Don't touch snapd state on removal
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-4
+- Use ExecStartPre to load squashfs.ko before snapd starts
+- Use dedicated systemd units for Fedora
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-3
+- Remove systemd preset (will be requested separately according to distribution
+  standards).
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-2
+- Use Requires: kmod(squashfs.ko) instead of Requires: kernel-modules
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-1
+- New upstream release
+- Move private executables to /usr/libexec/snapd/
+
+* Fri Jun 24 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9-2
+- Depend on kernel-modules to ensure that squashfs can be loaded. Load it afer
+  installing the package. This hopefully fixes
+  https://github.com/zyga/snapcore-fedora/issues/2
+
+* Fri Jun 17 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9
+- New upstream release
+  https://github.com/snapcore/snapd/releases/tag/2.0.9
+
+* Tue Jun 14 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8.1
+- New upstream release
+
+* Fri Jun 10 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8
+- First package for Fedora
diff -Nru snapd-2.32.3.2~14.04/packaging/arch/PKGBUILD snapd-2.37~rc1~14.04/packaging/arch/PKGBUILD
--- snapd-2.32.3.2~14.04/packaging/arch/PKGBUILD	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/arch/PKGBUILD	2019-01-16 08:36:51.000000000 +0000
@@ -1,30 +1,29 @@
-# $Id$
-# Maintainer: Timothy Redaelli <timothy.redaelli@gmail.com>
+# Maintainer: aimileus <me at aimileus dot nl>
+# Maintainer: Maciej Borzecki <maciek.borzecki@gmail.com>
+# Contributor: Timothy Redaelli <timothy.redaelli@gmail.com>
 # Contributor: Zygmunt Krynicki <me at zygoon dot pl>
-# Contributor: Maciej Borzecki <maciek.borzecki@gmail.com>
+#
+# Environment variables that can set by CI:
+# - WITH_TEST_KEYS=1 - enable use of testing keys
 
-pkgbase=snapd
-pkgname=snapd-git
-pkgver=2.32.3.2
+pkgname=snapd
+pkgdesc="Service and tools for management of snap packages."
+depends=('squashfs-tools' 'libseccomp' 'libsystemd')
+optdepends=('bash-completion: bash completion support')
+pkgver=2.37
 pkgrel=1
-arch=('i686' 'x86_64')
+arch=('x86_64')
 url="https://github.com/snapcore/snapd"
 license=('GPL3')
-makedepends=('git' 'go' 'go-tools' 'libseccomp' 'libcap' 'python-docutils' 'systemd' 'xfsprogs' 'libseccomp')
-checkdepends=('python' 'squashfs-tools' 'indent' 'shellcheck')
-
+makedepends=('git' 'go' 'go-tools' 'libseccomp' 'libcap' 'systemd' 'xfsprogs' 'python-docutils' 'apparmor')
+# the following checkdepends are only required for static checks and unit tests,
+# unit tests are currently enabled
+checkdepends=('python' 'squashfs-tools' 'shellcheck')
+conflicts=('snap-confine')
 options=('!strip' 'emptydirs')
 install=snapd.install
-source=("git+https://github.com/snapcore/$pkgbase.git")
-md5sums=('SKIP')
-
-pkgdesc="Service and tools for management of snap packages."
-depends=('squashfs-tools' 'libseccomp' 'libsystemd')
-optdepends=('bash-completion: bash completion support')
-provides=($pkgbase)
-# Community package is split into snapd and snap-confine, make sure we replace
-# both bits
-conflicts=($pkgbase 'snap-confine')
+source=("git+https://github.com/snapcore/$pkgname.git")
+sha256sums=('SKIP')
 
 _gourl=github.com/snapcore/snapd
 
@@ -34,31 +33,52 @@
 }
 
 prepare() {
-  cd "$pkgbase"
+  cd "$pkgname"
 
-  # Use $srcdir/go as our GOPATH
   export GOPATH="$srcdir/go"
-  mkdir -p "$GOPATH"
-  # Have snapd checkout appear in a place suitable for subsequent GOPATH This
+
+  # Have snapd checkout appear in a place suitable for subsequent GOPATH. This
   # way we don't have to go get it again and it is exactly what the tag/hash
   # above describes.
-  mkdir -p "$(dirname "$GOPATH/src/${_gourl}")"
-  ln --no-target-directory -fs "$srcdir/$pkgbase" "$GOPATH/src/${_gourl}"
-  # Patch snap-seccomp build flags not to link libseccomp statically.
-  sed -i -e 's/-Wl,-Bstatic -lseccomp -Wl,-Bdynamic/-lseccomp/' "$srcdir/$pkgbase/cmd/snap-seccomp/main.go"
+  mkdir -p "$(dirname "$srcdir/go/src/${_gourl}")"
+  ln --no-target-directory -fs "$srcdir/$pkgname" "$srcdir/go/src/${_gourl}"
 }
 
 build() {
+  cd "$pkgname"
   export GOPATH="$srcdir/go"
-  # Use get-deps.sh provided by upstream to fetch go dependencies using the
-  # godeps tool and dependencies.tsv (maintained upstream).
-  cd "$GOPATH/src/${_gourl}"
-  # Generate version
+
+  # GOFLAGS may be modified by CI tools
+  GOFLAGS=""
+  if [[ "$WITH_TEST_KEYS" == 1 ]]; then
+      GOFLAGS="$GOFLAGS -tags withtestkeys"
+  fi
+
+  export CGO_ENABLED="1"
+  export CGO_CFLAGS="${CFLAGS}"
+  export CGO_CPPFLAGS="${CPPFLAGS}"
+  export CGO_CXXFLAGS="${CXXFLAGS}"
+  export CGO_LDFLAGS="${LDFLAGS}"
+
   ./mkversion.sh $pkgver-$pkgrel
 
-  # Get golang dependencies
+  # Use get-deps.sh provided by upstream to fetch go dependencies using the
+  # godeps tool and dependencies.tsv (maintained upstream).
+  cd "$srcdir/go/src/${_gourl}"
   XDG_CONFIG_HOME="$srcdir" ./get-deps.sh
 
+  gobuild="go build -x -v -buildmode=pie"
+  gobuild_static="go build -x -v -buildmode=pie -ldflags=-extldflags=-static"
+  # Build/install snap and snapd
+  $gobuild -o $srcdir/go/bin/snap $GOFLAGS "${_gourl}/cmd/snap"
+  $gobuild -o $srcdir/go/bin/snapctl $GOFLAGS "${_gourl}/cmd/snapctl"
+  $gobuild -o $srcdir/go/bin/snapd $GOFLAGS "${_gourl}/cmd/snapd"
+  $gobuild -o $srcdir/go/bin/snap-seccomp $GOFLAGS "${_gourl}/cmd/snap-seccomp"
+  $gobuild -o $srcdir/go/bin/snap-failure $GOFLAGS "${_gourl}/cmd/snap-failure"
+  # build snap-exec and snap-update-ns completely static for base snaps
+  $gobuild_static -o $srcdir/go/bin/snap-update-ns $GOFLAGS "${_gourl}/cmd/snap-update-ns"
+  $gobuild_static -o $srcdir/go/bin/snap-exec $GOFLAGS "${_gourl}/cmd/snap-exec"
+
   # Generate data files such as real systemd units, dbus service, environment
   # setup helpers out of the available templates
   make -C data \
@@ -68,94 +88,97 @@
        SNAP_MOUNT_DIR=/var/lib/snapd/snap \
        SNAPD_ENVIRONMENT_FILE=/etc/default/snapd
 
-  export CGO_ENABLED="1"
-  export CGO_CFLAGS="${CFLAGS}"
-  export CGO_CPPFLAGS="${CPPFLAGS}"
-  export CGO_CXXFLAGS="${CXXFLAGS}"
-  export CGO_LDFLAGS="${LDFLAGS}"
-
-  # gobuild="go build -pkgdir $GOPATH/pkg -x -v"
-  gobuild="go build -x -v"
-  # Build/install snap and snapd
-  $gobuild -o $GOPATH/bin/snap "${_gourl}/cmd/snap"
-  $gobuild -o $GOPATH/bin/snapctl "${_gourl}/cmd/snapctl"
-  $gobuild -o $GOPATH/bin/snapd "${_gourl}/cmd/snapd"
-  $gobuild -o $GOPATH/bin/snap-seccomp "${_gourl}/cmd/snap-seccomp"
-  # build snap-exec and snap-update-ns completely static for base snaps
-  $gobuild -o $GOPATH/bin/snap-update-ns -ldflags '-extldflags "-static"' "${_gourl}/cmd/snap-update-ns"
-  CGO_ENABLED=0 $gobuild -o $GOPATH/bin/snap-exec "${_gourl}/cmd/snap-exec"
-
-  # Build snap-confine
   cd cmd
-  # Sync actual parameters with cmd/autogen.sh
   autoreconf -i -f
   ./configure \
     --prefix=/usr \
     --libexecdir=/usr/lib/snapd \
     --with-snap-mount-dir=/var/lib/snapd/snap \
-    --disable-apparmor \
+    --enable-apparmor \
     --enable-nvidia-biarch \
     --enable-merged-usr
   make $MAKEFLAGS
-
-  # generate man-pages for snap
-  $GOPATH/bin/snap help --man > "$srcdir/snap.1"
 }
 
 check() {
   export GOPATH="$srcdir/go"
-  cd "$GOPATH/src/${_gourl}"
-
-  # XXX: Those files are unknown to gitignore but are checked by run-checks
-  # --static. Before gitignore is updated we just remove the junk one and move
-  # the valuable one aside.
-  rm -f cmd/snap-confine/snap-confine-debug
-  mv data/info $srcdir/xxx-info
+  cd "$srcdir/go/src/${_gourl}"
 
-  ./run-checks --unit
+  SKIP_UNCLEAN=1 ./run-checks --unit
   # XXX: Static checks choke on autotools generated cruft. Let's not run them
   # here as they are designed to pass on a clean tree, before anything else is
   # done, not after building the tree.
   # ./run-checks --static
-  make -C cmd -k check
+  TMPDIR=/tmp make -C cmd -k check
 
   mv $srcdir/xxx-info data/info
 }
 
-package_snapd-git() {
+package() {
+  cd "$pkgname"
   export GOPATH="$srcdir/go"
 
-  # Install snap, snapctl, snap-update-ns, snap-seccomp, snap-exec and snapd
-  # executables
-  install -d -m 755 "$pkgdir/usr/bin/"
-  install -m 755 -t "$pkgdir/usr/bin" \
-          "$GOPATH/bin/snap" \
-          "$GOPATH/bin/snapctl"
-
-  install -d -m 755 "$pkgdir/usr/lib/snapd"
-  install -m 755 -t "$pkgdir/usr/lib/snapd" \
-          "$GOPATH/bin/snap-update-ns" \
-          "$GOPATH/bin/snap-exec" \
-          "$GOPATH/bin/snap-seccomp" \
-          "$GOPATH/bin/snapd"
-
-  # Install snap-confine
-  make -C "$srcdir/$pkgbase/cmd" install DESTDIR="$pkgdir"
-
-  # Install script to export binaries paths of snaps and XDG_DATA_DIRS for their
-  # .desktop files
-  make -C "$srcdir/$pkgbase/data/env" install DESTDIR="$pkgdir"
-
-  # Install D-Bus service files
-  make -C "$srcdir/$pkgbase/data/dbus" install \
-       DBUSSERVICESDIR=/usr/share/dbus-1/services \
-       DESTDIR="$pkgdir"
+  # Install bash completion
+  install -Dm644 data/completion/snap \
+    "$pkgdir/usr/share/bash-completion/completions/snap"
+  install -Dm644 data/completion/complete.sh \
+    "$pkgdir/usr/lib/snapd/complete.sh"
+  install -Dm644 data/completion/etelpmoc.sh \
+    "$pkgdir/usr/lib/snapd/etelpmoc.sh"
+
+  # Install systemd units, dbus services and a script for environment variables
+  make -C data/ install \
+     DBUSSERVICESDIR=/usr/share/dbus-1/services \
+     BINDIR=/usr/bin \
+     SYSTEMDSYSTEMUNITDIR=/usr/lib/systemd/system \
+     SNAP_MOUNT_DIR=/var/lib/snapd/snap \
+     DESTDIR="$pkgdir"
+
+  # Install polkit policy
+  install -Dm644 data/polkit/io.snapcraft.snapd.policy \
+    "$pkgdir/usr/share/polkit-1/actions/io.snapcraft.snapd.policy"
+
+  # Install executables
+  install -Dm755 "$srcdir/go/bin/snap" "$pkgdir/usr/bin/snap"
+  install -Dm755 "$srcdir/go/bin/snapd" "$pkgdir/usr/lib/snapd/snapd"
+  install -Dm755 "$srcdir/go/bin/snap-seccomp" "$pkgdir/usr/lib/snapd/snap-seccomp"
+  install -Dm755 "$srcdir/go/bin/snap-failure" "$pkgdir/usr/lib/snapd/snap-failure"
+  install -Dm755 "$srcdir/go/bin/snap-update-ns" "$pkgdir/usr/lib/snapd/snap-update-ns"
+  install -Dm755 "$srcdir/go/bin/snap-exec" "$pkgdir/usr/lib/snapd/snap-exec"
+  # Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+  install -Dm755 "$srcdir/go/bin/snapctl" "$pkgdir/usr/lib/snapd/snapctl"
+  ln -s  ../lib/snapd/snapctl  "$pkgdir/usr/bin/snapctl"
 
-  # Install systemd units
-  make -C "$srcdir/$pkgbase/data/systemd" install \
-       BINDIR=/bin \
-       SYSTEMDSYSTEMUNITDIR=/usr/lib/systemd/system \
-       DESTDIR="$pkgdir"
+  # pre-create directories
+  install -dm755 "$pkgdir/var/lib/snapd/snap"
+  install -dm755 "$pkgdir/var/cache/snapd"
+  install -dm755 "$pkgdir/var/lib/snapd/apparmor"
+  install -dm755 "$pkgdir/var/lib/snapd/assertions"
+  install -dm755 "$pkgdir/var/lib/snapd/desktop/applications"
+  install -dm755 "$pkgdir/var/lib/snapd/device"
+  install -dm755 "$pkgdir/var/lib/snapd/hostfs"
+  install -dm755 "$pkgdir/var/lib/snapd/mount"
+  install -dm755 "$pkgdir/var/lib/snapd/seccomp/bpf"
+  install -dm755 "$pkgdir/var/lib/snapd/snap/bin"
+  install -dm755 "$pkgdir/var/lib/snapd/snaps"
+  install -dm755 "$pkgdir/var/lib/snapd/lib/gl"
+  install -dm755 "$pkgdir/var/lib/snapd/lib/gl32"
+  install -dm755 "$pkgdir/var/lib/snapd/lib/vulkan"
+  install -dm755 "$pkgdir/var/lib/snapd/lib/glvnd"
+  # these dirs have special permissions
+  install -dm000 "$pkgdir/var/lib/snapd/void"
+  install -dm700 "$pkgdir/var/lib/snapd/cookie"
+  install -dm700 "$pkgdir/var/lib/snapd/cache"
+
+  make -C cmd install DESTDIR="$pkgdir/"
+
+  # Install man file
+  mkdir -p "$pkgdir/usr/share/man/man8"
+  "$srcdir/go/bin/snap" help --man > "$pkgdir/usr/share/man/man8/snap.8"
+
+  # Install the "info" data file with snapd version
+  install -m 644 -D "$srcdir/go/src/${_gourl}/data/info" \
+          "$pkgdir/usr/lib/snapd/info"
 
   # Remove snappy core specific units
   rm -fv "$pkgdir/usr/lib/systemd/system/snapd.system-shutdown.service"
@@ -166,46 +189,4 @@
   rm -fv "$pkgdir/usr/lib/snapd/snapd.core-fixup.sh"
   rm -fv "$pkgdir/usr/bin/ubuntu-core-launcher"
   rm -fv "$pkgdir/usr/lib/snapd/system-shutdown"
-
-
-  # Install the bash tab completion files
-  install -Dm 755 \
-          "$GOPATH/src/${_gourl}/data/completion/snap" \
-          "$pkgdir/usr/share/bash-completion/completions/snap"
-
-  install -D -m 755 -t "$pkgdir/usr/lib/snapd" \
-          "$GOPATH/src/${_gourl}/data/completion/complete.sh" \
-          "$GOPATH/src/${_gourl}/data/completion/etelpmoc.sh"
-
-  # Symlink /var/lib/snapd/snap to /snap so that --classic snaps work
-  ln -s var/lib/snapd/snap "$pkgdir/snap"
-  # and make sure that target exists so that we don't have dangling symlinks
-  # after installing the package
-  install -d -m 755 "$pkgdir/var/lib/snapd/snap"
-
-  # pre-create directories
-  install -d -m 755 "$pkgdir/var/cache/snapd"
-  install -d -m 755 "$pkgdir/var/lib/snapd/assertions"
-  install -d -m 755 "$pkgdir/var/lib/snapd/desktop/applications"
-  install -d -m 755 "$pkgdir/var/lib/snapd/device"
-  install -d -m 755 "$pkgdir/var/lib/snapd/hostfs"
-  install -d -m 755 "$pkgdir/var/lib/snapd/mount"
-  install -d -m 755 "$pkgdir/var/lib/snapd/seccomp/bpf"
-  install -d -m 755 "$pkgdir/var/lib/snapd/snap/bin"
-  install -d -m 755 "$pkgdir/var/lib/snapd/snaps"
-  install -d -m 755 "$pkgdir/var/lib/snapd/lib/gl"
-  install -d -m 755 "$pkgdir/var/lib/snapd/lib/gl32"
-  install -d -m 755 "$pkgdir/var/lib/snapd/lib/vulkan"
-  # these dirs have special permissions
-  install -d -m 000 "$pkgdir/var/lib/snapd/void"
-  install -d -m 700 "$pkgdir/var/lib/snapd/cookie"
-  install -d -m 700 "$pkgdir/var/lib/snapd/cache"
-
-  # Install snap(1) man page
-  install -m 644 -D "$srcdir/snap.1" \
-          "$pkgdir/usr/share/man/man1/snap.1"
-
-  # Install the "info" data file with snapd version
-  install -m 644 -D "$GOPATH/src/${_gourl}/data/info" \
-          "$pkgdir/usr/lib/snapd/info"
 }
diff -Nru snapd-2.32.3.2~14.04/packaging/build-tools/go snapd-2.37~rc1~14.04/packaging/build-tools/go
--- snapd-2.32.3.2~14.04/packaging/build-tools/go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/build-tools/go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,16 @@
+#!/usr/bin/python3
+# This wrapper is put in $PATH, ahead of the real "go" tool to work around
+# some, er, curious, choices done by the Debian packaging helper scripts that
+# pass verbose flag to "go generate" which in turns prints every single file in
+# the source tree on a separate line. This easily dominates the build log,
+# possibly exceeding the 4MB mark that travis chooses to keep by default.
+
+# The real go is passed as an environment variable SNAPD_VANILLA_GO.
+
+import sys 
+import os
+
+if __name__ == "__main__":
+    go = os.getenv("SNAPD_VANILLA_GO")
+    args = [arg for arg in sys.argv if arg != "-v"]
+    os.execl(go, *args)
diff -Nru snapd-2.32.3.2~14.04/packaging/centos-7/snapd.spec snapd-2.37~rc1~14.04/packaging/centos-7/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/centos-7/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/centos-7/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4448 @@
+# With Fedora, nothing is bundled. For everything else, bundling is used.
+# To use bundled stuff, use "--with vendorized" on rpmbuild
+%if 0%{?fedora}
+%bcond_with vendorized
+%else
+%bcond_without vendorized
+%endif
+
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
+# A switch to allow building the package with support for testkeys which
+# are used for the spread test suite of snapd.
+%bcond_with testkeys
+
+%global with_devel 1
+%global with_debug 1
+%global with_check 0
+%global with_unit_test 0
+%global with_test_keys 0
+%global with_selinux 1
+
+# For the moment, we don't support all golang arches...
+%global with_goarches 0
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%if ! %{with vendorized}
+%global with_bundled 0
+%else
+%global with_bundled 1
+%endif
+
+%if ! %{with testkeys}
+%global with_test_keys 0
+%else
+%global with_test_keys 1
+%endif
+
+%if 0%{?with_debug}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package   %{nil}
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+# https://github.com/snapcore/snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
+
+# Until we have a way to add more extldflags to gobuild macro...
+%if 0%{?fedora} >= 26
+%define gobuild_static(o:) go build -buildmode pie -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+%if 0%{?fedora} == 25
+%define gobuild_static(o:) go build -compiler gc -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-static'" -a -v -x %{?**};
+%endif
+%if 0%{?rhel} == 7
+%define gobuild_static(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+
+# These macros are not defined in RHEL 7
+%if 0%{?rhel} == 7
+%define gobuild(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
+%endif
+
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
+Name:           snapd
+Version:        2.37
+Release:        0%{?dist}
+Summary:        A transactional software package manager
+Group:          System Environment/Base
+License:        GPLv3
+URL:            https://%{provider_prefix}
+Source0:        https://%{provider_prefix}/archive/%{version}/%{name}-%{version}.tar.gz
+%if 0%{?with_bundled}
+Source1:        https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.only-vendor.tar.xz
+%endif
+
+%if 0%{?with_goarches}
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+%else
+# Verified arches from snapd upstream
+ExclusiveArch:  %{ix86} x86_64 %{arm} aarch64 ppc64le s390x
+%endif
+
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
+BuildRequires:  systemd
+%{?systemd_requires}
+
+Requires:       snap-confine%{?_isa} = %{version}-%{release}
+Requires:       squashfs-tools
+
+%if 0%{?fedora} >= 26 || 0%{?rhel} >= 8
+# snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
+Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
+%else
+%if ! 0%{?amzn2}
+# Rich dependencies not available, always pull in squashfuse
+# snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
+Requires:       squashfuse
+Requires:       fuse
+%endif
+%endif
+
+# bash-completion owns /usr/share/bash-completion/completions
+Requires:       bash-completion
+
+%if 0%{?with_selinux}
+# Force the SELinux module to be installed
+Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
+
+%if ! 0%{?with_bundled}
+BuildRequires: golang(github.com/boltdb/bolt)
+BuildRequires: golang(github.com/cheggaaa/pb)
+BuildRequires: golang(github.com/coreos/go-systemd/activation)
+BuildRequires: golang(github.com/godbus/dbus)
+BuildRequires: golang(github.com/godbus/dbus/introspect)
+BuildRequires: golang(github.com/gorilla/mux)
+BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
+BuildRequires: golang(github.com/mvo5/goconfigparser)
+BuildRequires: golang(github.com/ojii/gettext.go)
+BuildRequires: golang(github.com/seccomp/libseccomp-golang)
+BuildRequires: golang(golang.org/x/crypto/openpgp/armor)
+BuildRequires: golang(golang.org/x/crypto/openpgp/packet)
+BuildRequires: golang(golang.org/x/crypto/sha3)
+BuildRequires: golang(golang.org/x/crypto/ssh/terminal)
+BuildRequires: golang(golang.org/x/net/context)
+BuildRequires: golang(golang.org/x/net/context/ctxhttp)
+BuildRequires: golang(gopkg.in/check.v1)
+BuildRequires: golang(gopkg.in/macaroon.v1)
+BuildRequires: golang(gopkg.in/mgo.v2/bson)
+BuildRequires: golang(gopkg.in/retry.v1)
+BuildRequires: golang(gopkg.in/tomb.v2)
+BuildRequires: golang(gopkg.in/yaml.v2)
+%endif
+
+%description
+Snappy is a modern, cross-distribution, transactional package manager
+designed for working with self-contained, immutable packages.
+
+%package -n snap-confine
+Summary:        Confinement system for snap applications
+License:        GPLv3
+Group:          System Environment/Base
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  gcc
+BuildRequires:  gettext
+BuildRequires:  gnupg
+BuildRequires:  indent
+BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(libcap)
+BuildRequires:  pkgconfig(libseccomp)
+BuildRequires:  pkgconfig(libudev)
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  pkgconfig(udev)
+BuildRequires:  xfsprogs-devel
+BuildRequires:  glibc-static
+%if ! 0%{?rhel}
+BuildRequires:  libseccomp-static
+%endif
+BuildRequires:  valgrind
+BuildRequires:  %{_bindir}/rst2man
+%if 0%{?fedora} >= 25
+# ShellCheck in F24 and older doesn't work
+BuildRequires:  %{_bindir}/shellcheck
+%endif
+
+# Ensures older version from split packaging is replaced
+Obsoletes:      snap-confine < 2.19
+
+%description -n snap-confine
+This package is used internally by snapd to apply confinement to
+the started snap applications.
+
+%if 0%{?with_selinux}
+%package selinux
+Summary:        SELinux module for snapd
+Group:          System Environment/Base
+License:        GPLv2+
+BuildArch:      noarch
+BuildRequires:  selinux-policy, selinux-policy-devel
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
+Requires(post): policycoreutils-python-utils
+%endif
+Requires(pre):  libselinux-utils
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure snapd
+runs properly under an environment with SELinux enabled.
+%endif
+
+%if 0%{?with_devel}
+%package devel
+Summary:       Development files for %{name}
+BuildArch:     noarch
+
+%if 0%{?with_check} && ! 0%{?with_bundled}
+%endif
+
+%if ! 0%{?with_bundled}
+Requires:      golang(github.com/boltdb/bolt)
+Requires:      golang(github.com/cheggaaa/pb)
+Requires:      golang(github.com/coreos/go-systemd/activation)
+Requires:      golang(github.com/godbus/dbus)
+Requires:      golang(github.com/godbus/dbus/introspect)
+Requires:      golang(github.com/gorilla/mux)
+Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
+Requires:      golang(github.com/mvo5/goconfigparser)
+Requires:      golang(github.com/ojii/gettext.go)
+Requires:      golang(github.com/seccomp/libseccomp-golang)
+Requires:      golang(golang.org/x/crypto/openpgp/armor)
+Requires:      golang(golang.org/x/crypto/openpgp/packet)
+Requires:      golang(golang.org/x/crypto/sha3)
+Requires:      golang(golang.org/x/crypto/ssh/terminal)
+Requires:      golang(golang.org/x/net/context)
+Requires:      golang(golang.org/x/net/context/ctxhttp)
+Requires:      golang(gopkg.in/check.v1)
+Requires:      golang(gopkg.in/macaroon.v1)
+Requires:      golang(gopkg.in/mgo.v2/bson)
+Requires:      golang(gopkg.in/retry.v1)
+Requires:      golang(gopkg.in/tomb.v2)
+Requires:      golang(gopkg.in/yaml.v2)
+%else
+# These Provides are unversioned because the sources in
+# the bundled tarball are unversioned (they go by git commit)
+# *sigh*... I hate golang...
+Provides:      bundled(golang(github.com/snapcore/bolt))
+Provides:      bundled(golang(github.com/cheggaaa/pb))
+Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
+Provides:      bundled(golang(github.com/godbus/dbus))
+Provides:      bundled(golang(github.com/godbus/dbus/introspect))
+Provides:      bundled(golang(github.com/gorilla/mux))
+Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
+Provides:      bundled(golang(github.com/mvo5/goconfigparser))
+Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
+Provides:      bundled(golang(github.com/ojii/gettext.go))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/armor))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/packet))
+Provides:      bundled(golang(golang.org/x/crypto/sha3))
+Provides:      bundled(golang(golang.org/x/crypto/ssh/terminal))
+Provides:      bundled(golang(golang.org/x/net/context))
+Provides:      bundled(golang(golang.org/x/net/context/ctxhttp))
+Provides:      bundled(golang(gopkg.in/check.v1))
+Provides:      bundled(golang(gopkg.in/macaroon.v1))
+Provides:      bundled(golang(gopkg.in/mgo.v2/bson))
+Provides:      bundled(golang(gopkg.in/retry.v1))
+Provides:      bundled(golang(gopkg.in/tomb.v2))
+Provides:      bundled(golang(gopkg.in/yaml.v2))
+%endif
+
+# Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
+Provides:      golang(%{import_path}/arch) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/signtool) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/snapasserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/sysdb) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/systestkeys) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot/boottest) = %{version}-%{release}
+Provides:      golang(%{import_path}/client) = %{version}-%{release}
+Provides:      golang(%{import_path}/cmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/daemon) = %{version}-%{release}
+Provides:      golang(%{import_path}/dirs) = %{version}-%{release}
+Provides:      golang(%{import_path}/errtracker) = %{version}-%{release}
+Provides:      golang(%{import_path}/httputil) = %{version}-%{release}
+Provides:      golang(%{import_path}/i18n) = %{version}-%{release}
+Provides:      golang(%{import_path}/image) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/apparmor) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/policy) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
+Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/cmdstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/ubootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/polkit) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snaptest) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/spdx) = %{version}-%{release}
+Provides:      golang(%{import_path}/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
+Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/testutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
+Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
+Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
+
+%description devel
+This package contains library source intended for
+building other packages which use import path with
+%{import_path} prefix.
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%package unit-test-devel
+Summary:         Unit tests for %{name} package
+
+%if 0%{?with_check}
+#Here comes all BuildRequires: PACKAGE the unit tests
+#in %%check section need for running
+%endif
+
+# test subpackage tests code from devel subpackage
+Requires:        %{name}-devel = %{version}-%{release}
+
+%description unit-test-devel
+This package contains unit tests for project
+providing packages with %{import_path} prefix.
+%endif
+
+%prep
+%if ! 0%{?with_bundled}
+%setup -q
+# Ensure there's no bundled stuff accidentally leaking in...
+rm -rf vendor/*
+%else
+# Extract each tarball properly
+%setup -q -D -b 1
+%endif
+
+%build
+# Generate version files
+./mkversion.sh "%{version}-%{release}"
+
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
+sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
+
+# Build snapd
+mkdir -p src/github.com/snapcore
+ln -s ../../../ src/github.com/snapcore/snapd
+
+%if ! 0%{?with_bundled}
+export GOPATH=$(pwd):%{gopath}
+%else
+export GOPATH=$(pwd):$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+
+GOFLAGS=
+%if 0%{?with_test_keys}
+GOFLAGS="$GOFLAGS -tags withtestkeys"
+%endif
+
+%if ! 0%{?with_bundled}
+# We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
+sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
+# We don't need the snapcore fork for bolt - it is just a fix on ppc
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
+%endif
+
+# We have to build snapd first to prevent the build from
+# building various things from the tree without additional
+# set tags.
+%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
+%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
+%gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
+
+# To ensure things work correctly with base snaps,
+# snap-exec and snap-update-ns need to be built statically
+%gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec
+%gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns
+
+%if 0%{?rhel}
+# There's no static link library for libseccomp in RHEL/CentOS...
+sed -e "s/-Bstatic -lseccomp/-Bstatic/g" -i cmd/snap-seccomp/*.go
+%endif
+%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
+
+%if 0%{?with_selinux}
+# Build SELinux module
+pushd ./data/selinux
+make SHARE="%{_datadir}" TARGETS="snappy"
+popd
+%endif
+
+# Build snap-confine
+pushd ./cmd
+# FIXME This is a hack to get rid of a patch we have to ship for the
+# Fedora package at the moment as /usr/lib/rpm/redhat/redhat-hardened-ld
+# accidentially adds -pie for static executables. See
+# https://bugzilla.redhat.com/show_bug.cgi?id=1343892 for a few more
+# details. To prevent this from happening we drop the linker
+# script and define our LDFLAGS manually for now.
+export LDFLAGS="-Wl,-z,relro -z now"
+autoreconf --force --install --verbose
+# selinux support is not yet available, for now just disable apparmor
+# FIXME: add --enable-caps-over-setuid as soon as possible (setuid discouraged!)
+%configure \
+    --disable-apparmor \
+    --libexecdir=%{_libexecdir}/snapd/ \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
+    --enable-merged-usr
+
+%make_build
+popd
+
+# Build systemd units, dbus services, and env files
+pushd ./data
+make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+     SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+     SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+     SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%install
+install -d -p %{buildroot}%{_bindir}
+install -d -p %{buildroot}%{_libexecdir}/snapd
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
+install -d -p %{buildroot}%{_unitdir}
+install -d -p %{buildroot}%{_sysconfdir}/profile.d
+install -d -p %{buildroot}%{_sysconfdir}/sysconfig
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
+install -d -p %{buildroot}%{_localstatedir}/snap
+install -d -p %{buildroot}%{_localstatedir}/cache/snapd
+install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap and snapd
+install -p -m 0755 bin/snap %{buildroot}%{_bindir}
+install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+
+%if 0%{?with_selinux}
+# Install SELinux module
+install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+
+# Install the "info" data file with snapd version
+install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
+
+# Install bash completion for "snap"
+install -m 644 -D data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Install snap-confine
+pushd ./cmd
+%make_install
+# Undo the 0000 permissions, they are restored in the files section
+chmod 0755 %{buildroot}%{_sharedstatedir}/snapd/void
+# We don't use AppArmor
+rm -rfv %{buildroot}%{_sysconfdir}/apparmor.d
+# ubuntu-core-launcher is dead
+rm -fv %{buildroot}%{_bindir}/ubuntu-core-launcher
+popd
+
+# Install all systemd and dbus units, and env files
+pushd ./data
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
+# Remove snappy core specific units
+rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
+rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
+rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
+
+# Remove snappy core specific scripts
+rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
+# Install Polkit configuration
+install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# Disable re-exec by default
+echo 'SNAP_REEXEC=0' > %{buildroot}%{_sysconfdir}/sysconfig/snapd
+
+# Create state.json and the README file to be ghosted
+touch %{buildroot}%{_sharedstatedir}/snapd/state.json
+touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
+
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
+# source codes for building projects
+%if 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+echo "%%dir %%{gopath}/src/%%{import_path}/." >> devel.file-list
+# find all *.go but no *_test.go files and generate devel.file-list
+for file in $(find . -iname "*.go" -o -iname "*.s" \! -iname "*_test.go") ; do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list
+done
+%endif
+
+# testing files for this project
+%if 0%{?with_unit_test} && 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+# find all *_test.go files and generate unit-test.file-list
+for file in $(find . -iname "*_test.go"); do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> unit-test-devel.file-list
+done
+
+# Install additional testdata
+install -d %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+cp -pav cmd/snap/test-data/* %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+echo "%%{gopath}/src/%%{import_path}/cmd/snap/test-data" >> unit-test-devel.file-list
+%endif
+
+%if 0%{?with_devel}
+sort -u -o devel.file-list devel.file-list
+%endif
+
+%check
+# snapd tests
+%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel}
+%if ! 0%{?with_bundled}
+export GOPATH=%{buildroot}/%{gopath}:%{gopath}
+%else
+export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+%gotest %{import_path}/...
+%endif
+
+# snap-confine tests (these always run!)
+pushd ./cmd
+make check
+popd
+
+%files
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+%license COPYING
+%doc README.md docs/*
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
+%dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-mgmt
+%{_mandir}/man8/snap.8*
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
+%{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+%config(noreplace) %{_sysconfdir}/sysconfig/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/snap
+%ghost %dir %{_sharedstatedir}/snapd/snap/bin
+%dir %{_localstatedir}/cache/snapd
+%dir %{_localstatedir}/snap
+%ghost %{_sharedstatedir}/snapd/state.json
+%ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
+
+%files -n snap-confine
+%doc cmd/snap-confine/PORTING
+%license COPYING
+%dir %{_libexecdir}/snapd
+# For now, we can't use caps
+# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
+%attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/system-shutdown
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
+%attr(0000,root,root) %{_sharedstatedir}/snapd/void
+
+%if 0%{?with_selinux}
+%files selinux
+%license data/selinux/COPYING
+%doc data/selinux/README.md
+%{_datadir}/selinux/packages/snappy.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
+
+%if 0%{?with_devel}
+%files devel -f devel.file-list
+%license COPYING
+%doc README.md
+%dir %{gopath}/src/%{provider}.%{provider_tld}/%{project}
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%files unit-test-devel -f unit-test-devel.file-list
+%license COPYING
+%doc README.md
+%endif
+
+%post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
+%systemd_post %{snappy_svcs}
+# If install, test if snapd socket and timer are enabled.
+# If enabled, then attempt to start them. This will silently fail
+# in chroots or other environments where services aren't expected
+# to be started.
+if [ $1 -eq 1 ] ; then
+   if systemctl -q is-enabled snapd.socket > /dev/null 2>&1 ; then
+      systemctl start snapd.socket > /dev/null 2>&1 || :
+   fi
+fi
+
+%preun
+%systemd_preun %{snappy_svcs}
+
+# Remove all Snappy content if snapd is being fully uninstalled
+if [ $1 -eq 0 ]; then
+   %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+
+%postun
+%systemd_postun_with_restart %{snappy_svcs}
+
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/snappy.pp.bz2
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall snappy
+if [ $1 -eq 0 ]; then
+    %selinux_relabel_post
+fi
+%endif
+
+%changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.2
+ - errtracker: make TestJournalErrorSilentError work on
+   gccgo
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.1
+ - debian: add gbp.conf script to build snapd via `gbp
+   buildpackage`
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - data/selinux: Give snapd access to more aspects of the system
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - overlord: test fix, address corner case
+
+* Thu Apr 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate: inject autoconnect tasks in doLinkSnap for regular
+   snaps
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - osutil: fix fstab parser to allow for # in field values
+
+* Sat Mar 31 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.2
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - tests: adjust canonical-livepatch test on GCE
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc
+ - spread.yaml: switch Fedora 27 tests to manual
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses arch
+   triplets
+ - vendor: update gopkg.in/yaml.v2 to the latest version (#4945)
+
+* Mon Mar 26 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.1
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - tests: disentangle etc vs extrausers in core tests
+ - packaging: fix changelogs' typo
+
+* Sat Mar 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32
+ - snap: make `snap run` look at the system-key for security profiles
+ - overlord/configstate: change how ssh is stopped/started
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: deal with missing commands.db file
+ - interfaces,release: probe seccomp features lazily
+ - interfaces: harden snap-update-ns profile
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: change debug for layout test
+ - cmd/snap-confine: don't use per-snap s-u-n profile
+ - many: backported fixes for layouts and symlinks
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - cmd/snap-confine: fix ptrace rule with snap-confine peer
+ - tests: update tests to deal with s390x quirks
+ - snapstate: add compat mode for default-provider"snapname:ifname"
+ - snap-confine: fallback to /lib/udev/snappy-app-dev if the core is
+   older
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - debian: undo snap.mount system unit removal
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - tests: add workaround for s390x failure
+ - tests: make autopkgtest tests more targeted
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - store: cleanup test naming, dropping remoteRepo and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+ - tests: autopkgtest may have non edge core too
+ - data: translate polkit strings
+ - snapstate: put layout feature behind feature flag
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate: hold refreshes for 2h after seeding on classic
+ - many: cherry-pick relevant `go vet` 1.10 fixes to 2.32
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: generate and use per-snap snap-update-ns profile
+ - many: support holding refreshes by setting refresh.hold
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - many: remove snapd.refresh.{timer,service}
+ - many: add the snapd-generator
+ - polkit: do not shadow dbus errors, avoid panic in case of errors
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - asserts:  use a timestamp for the assertion after the signing key
+   has been created
+ - ifacestate: be consistent passing Retry.After as named field
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+   interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - osutil: handle file being matched by multiple patterns
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - interfaces/network-status: fix use of '/' in interface in DBus
+   rule
+ - interfaces/screen-inhibit-control: fix use of '.' in path in DBus
+   rule
+ - overlord/snapstate: fix task iteration order in
+   TestDoPrereqRetryWhenBaseInFlight
+ - interfaces: add an interface for gnome-online-accounts D-Bus
+   service
+ - snap: pass full timer spec in `snap run --timer`
+ - cmd/snap: introduce `snap run --timer`
+ - snapstate: auto install default-providers for content snaps
+ - hooks/strutil: limit the number of data read from the hooks to
+   avoid oom
+ - osutil: aggregate mockable symbols
+ - tests: make sure snapd is running before attempting to remove
+   leftover snaps
+ - timeutil: account for 24h wrap when flattening clock spans
+ - many: send  new Snap-CDN header with none or with cloud instance
+   placement info as needed
+ - cmd/snap-update-ns,testutil: move syscall testing helpers
+ - tests: disable interfaces-location-control on s390x
+ - tests: new spread test for gpio-memory-control interface
+ - tests: spread test for broadcom-asic-control interface
+ - tests: make restore of interfaces-password-manager-service more
+   robust
+ - tests/lib/prepare-restore: sync journal before rotating and
+   vacuuming
+ - overlord/snapstate: use spread in the default refresh schedule
+ - tests: fixes for autopkgtest in bionic
+ - timeutil: introduce helpers for checking it time falls inside the
+   schedule
+ - cmd/snap-repair,httputil: set snap-repair User-Agent on requests
+ - vendor: resync formatting of vendor.json
+ - snapstate/ifacestate: auto-connect tasks
+ - cmd/snap: also include tracking channel in list output.
+ - interfaces/apparmor: use snap revision with surrounding '.' when
+   replacing in glob
+ - debian,vendor: import github.com/snapcore/squashfs and use
+ - many: implement "refresh-mode: {restart,endure,...}" for services
+ - daemon: make the ast-inspecting test smarter; drop 'exceptions'
+ - tests: new spread test for kvm interface
+ - cmd/snap: tweaks to 'snap info' output
+ - snap: remove underscore from version validator regexp
+ - testutil: add File{Matches,Equals,Contains} checkers.
+ - snap: improve the version validator's error messages.
+ - osutil: refactor EnsureFileState to separate out the comparator
+ - timeutil: fix scheduling on nth weekday of the month
+ - cmd/snap-update-ns: small refactor for upcoming per-user mounts
+ - many: rename snappy-app-dev to snap-device-helper
+ - systemd: add default target for timers
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: linter cleanups
+ - interfaces/mount: generate per-user mount profiles
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - packaging: provide a compat symlink for snappy-app-dev
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - tests: adding new test to validate the raw-usb interface
+ - snap: add support for `snap run --gdb`
+ - interfaces/builtin: allow MM to access login1
+ - packaging: fix build on sbuild
+ - store: revert PR#4532 and do not display displayname
+ - interfaces/mount: add support for per-user mount entries
+ - cmd/system-shutdown: move sync to be even more pessimistic
+ - osutil: reimplement IsMounted with LoadMountInfo
+ - tests/main/ubuntu-core-services: enable snapd.refresh.timer for
+   the test
+ - many: don't allow layout construction to silently fail
+ - interfaces/apparmor: ensure snap-confine profile for reexec is
+   current
+ - interfaces/apparmor: generalize apparmor load and unload helpers
+ - tests: removing packages which are not needed anymore to generate
+   random data
+ - snap: improve `snap run` comments/naming
+ - snap: allow options for --strace, e.g. `snap run --strace="-tt"`
+ - tests: fix spread test failures on 18.04
+ - systemd: update comment on SocketsTarget
+ - osutil: add and update docstrings
+ - osutil: parse mount entries without options field
+ - interfaces: mock away real mountinfo/fstab
+ - many: move /lib/udev/snappy-app-dev to /usr/lib/snapd/snappy-app-
+   dev
+ - overlord/snapstate/backend: perform cleanup if snap setup fails
+ - tests/lib/prepare: disable snapd.refresh.timer
+ - daemon: remove redundant UserOK markings from api commands
+ - snap: introduce  timer service data types and validation
+ - cmd/snap: fix UX of snap services
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - all: snap versions are now validated
+ - many: add nfs-home flag to system-key
+ - snap: disallow layouts in various special directories
+ - cmd/snap: add help for service commands.
+ - devicestate: fix autopkgtest failure in
+   TestDoRequestSerialErrorsOnNoHost
+ - snap,interfaces: allow using bind-file layouts
+ - many: move mount code to osutil
+ - snap: understand directories in layout blacklist
+ - snap: use custom unsquashfsStderrWriter for unsquashfs error
+   detection
+ - tests/main/user-data-handling: get rid of ordering bug
+ - snap: exclude `gettimeofday` from `snap run --strace`
+ - tests: check if snapd.socket is active before stoping it
+ - snap: sort layout elements before validating
+ - strutil: introducing MatchCounter
+ - snap: detect unsquashfs write failures
+ - spread: add missing ubuntu-18.04-arm64 to available autopkgtest
+   machines
+ - cmd/snap-confine: allow mounting anywhere, effectively
+ - daemon: improve ucrednet code for the snap.socket
+ - release, interfaces: add new release.AppArmorFeatures helper
+ - snap: apply some golint suggestions
+ - many: add interfaces.SystemKey() helper
+ - tests: new snaps to test installs nightly
+ - tests: skip alsa interface test when the system does not have any
+   audio devices
+ - debian/rules: workaround for
+   https://github.com/golang/go/issues/23721
+ - interfaces/apparmor: early support for snap-update-ns snippets
+ - wrappers: cleanup enabled service sockets
+ - cmd/snap-update-ns: large refactor / update of unit tests
+ - interfaces/apparmor: remove leaked future layout code
+ - many: allow constructing layouts (phase 1)
+ - data/systemd: for debugging/testing use /etc/environment also for
+   snap-repair runs
+ - cmd/snap-confine: create lib/{gl,gl32,vulkan} under /var/lib/snapd
+   and chown as root:root
+ - overlord/configstate/config: make [GS]etSnapConfig use *RawMessage
+ - daemon: refactor snapFooMany helpers a little
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - interfaces/apparmor: use a helper to set the scope
+ - overlord/configstate/config: make SetSnapConfig delete on empty
+ - osutil: make MkdirAllChown clean the path passed in
+ - many: at seeding try to capture cloud information into core config
+   under "cloud"
+ - cmd/snap: add completion conversion helper to increase DRY
+ - many: remove "content" argument from snaptest.MockSnap()
+ - osutil: allow using many globs in EnsureDirState
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - tests: use root path to /home/test/tmp to avoid lack of space
+   issue
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - tests: update kill-timeout focused on making tests pass on boards
+ - advisor: ensure commands.db has mode 0644 and add test
+ - snap: improve validation of snap layouts
+ - tests: ensure disabled services are masked
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - systemd, wrappers: start all snap services in one systemctl call
+ - mir: software clients need access to shared memory /dev/shm/#*
+ - snap: add support for `snap advise-snap pkgName`
+ - snap: fix command-not-found on core devices
+ - tests: new spead test for openvswitch-support interface
+ - tests: add integration for local snap licenses
+ - config: add (Get|Set)SnapConfig to do bulk config e.g. from
+   snapshots
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - osutil: add ContextWriter and RunWithContext helpers.
+ - osutil: add DirExists and IsDirNotExist
+
+* Fri Mar 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.2
+ - many: add the snapd-generator
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - many: remove snapd.refresh.{timer,service}
+ - interfaces/builtin: allow MM to access login1
+ - timeutil: account for 24h wrap when flattening clock spans
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - systemd, wrappers: start all snap services in one systemctl
+   call
+ - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
+* Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.1
+ - tests: multiple autopkgtest related fixes for 18.04
+ - overlord/snapstate: use spread in the default refresh schedule
+ - timeutil: fix scheduling on nth weekday of the month
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - rules: do not static link on powerpc
+ - packaging: revert LDFLAGS rewrite again after building snap-
+   seccomp
+ - store: revert PR#4532 and do not display displayname
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - daemon: improve ucrednet code for the snap.socket
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - advisor: ensure commands.db has mode 0644 and add test
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - snap: improve validation of snap layoutsRules for validating
+   layouts:
+ - snap: fix command-not-found on core devices
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - userd: add support for a simple UI that can be used from userd
+ - snap-confine/nvidia: Support legacy biarch trees for GLVND systems
+ - tests: generic detection of gadget and kernel snaps
+ - cmd/snap-update-ns: refactor and improve Change.Perform to handle
+   EROFS
+ - cmd/snap: improve output when snaps were found in a section or the
+   section is invalid
+ - cmd/snap-confine,tests: hide message about stale base snap
+ - cmd/snap-mgmt: fix out of source tree build
+ - strutil/quantity: new package that exports formatFoo (from
+   progress)
+ - cmd/snap: snap refresh --time with new and legacy schedules
+ - state: unknown tasks handler
+ - cmd/snap-confine,data/systemd: fix removal of snaps inside LXD
+ - snap: add io.snapcraft.Settings to `snap userd`
+ - spread: remove more EOLed releases
+ - snap: tidy up top-level help output
+ - snap: fix race in `snap run --strace`
+ - tests: update "searching" test to match store changes
+ - store: use the "publisher" when populating the "publisher" field
+ - snap: make `snap find --section` show all sections
+ - tests: new test to validate location control interface
+ - many: add new `snap refresh --amend <snap>` command
+ - tests/main/kernel-snap-refresh-on-core: skip the whole test if
+   edge and stable are the same version
+ - tests: set test kernel-snap-refresh-on-core to manual
+ - tests: new spread test for interface gpg-keys
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - interfaces: miscellaneous policy updates
+ - interfaces/builtin: Replace Solus support with GLVND support
+ - tests/main/kernel-snap-refresh-on-core: do not fail if edge and
+   stable kernels are the same version
+ - snap: add `snap run --strace` to be able to strace snap apps
+ - tests: new spread test for ssh-keys interface
+ - errtracker: include detected virtualisation
+ - tests: add new kernel refresh/revert test for spread-cron
+ - interfaces/builtin: blacklist zigbee dongle
+ - cmd/snap-confine: discard stale mount namespaces
+ - cmd: remove unused execArg0/execEnv
+ - snap,interfaces/mount: disallow nobody/nogroup
+ - cmd/snap: improve `snap aliases` output when no aliases are
+   defined
+ - tests/lib/snaps/test-snapd-service: refactor service reload
+ - tests: new spread test for gpg-public-keys interface
+ - tests: new spread test for ssh-public-keys interface
+ - spread: setup machine creation on Linode
+ - interfaces/builtin: allow introspecting UDisks2
+ - interfaces/builtin: add support for content "source" section
+ - tests: new spread test for netlink-audit interface
+ - daemon: avoid panic'ing building an error response w/no snaps
+   given
+ - interfaces/mount,snap: early support for snap layouts
+ - daemon: unlock state even if RefreshSchedule() fails
+ - arch: add "armv8l" to ubuntuArchFromKernelArch table
+ - tests: fix for test interface-netlink-connector
+ - data/dbus: add AssumedAppArmorLabel=unconfined
+ - advisor: use forked bolt to make it work on ppc
+ - overlord/snapstate: record the 'kind' of conflicting change
+ - dirs: fix snap mount dir on Manjaro
+ - overlord/{snapstate,configstate}, daemon: introduce refresh.timer,
+   fallback to refresh.schedule
+ - config: add support for `snap set core proxy.no_proxy=...`
+ - snap-mgmt: extend spread tests, stop, disable and cleanup snap
+   services
+ - spread.yaml: add fedora 27
+ - cmd/snap-confine: allow snap-update-ns to poke writable holes in
+   $SNAP
+ - packaging/14.04: move linux-generic-lts-xenial to recommends
+ - osutil/sys: ppc has 32-bit getuid already
+ - snapstate: make no autorefresh message clearer
+ - spread: try to enable Fedora once more
+ - overlord/snapstate: do a minimal sanity check on containers
+ - configcore: ensure config.txt has a final newline
+ - cmd/libsnap-confine-private: print failed mount/umount regardless
+   of SNAP_CONFINE_DEBUG
+ - debian/tests: add missing autopkgtest test dependencies for debian
+ - image: port ini handling to goconfigparser
+ - tests/main/snap-service-after-before: add test for after/before
+   service ordering
+ - tests: enabling opensuse for tests
+ - tests: update auto-refresh-private to match messages from current
+   master
+ - dirs: check if distro 'is like' fedora when picking path to
+   libexecdir
+ - tests: fix "job canceled" issue and improve cleanup for snaps
+ - cmd/libsnap-confine-private: add debug build of libsnap-confine-
+   private.a, link it into snap-confine-debug
+ - vendor: remove x/sys/unix to fix builds on arm64 and powerpc
+ - image: let consume snapcraft export-login files from tooling
+ - interfaces/mir: allow Wayland socket and non-root sockets
+ - interfaces/builtin: use snap.{Plug,Slot}Info over
+   interfaces.{Plug,Slot}
+ - tests: add simple snap-mgmt test
+ - wrappers: autogenerate After/Before in systemd's service files for
+   apps
+ - snap: add usage hints in `snap download`
+ - snap: provide more meaningful errors for installMany and friends
+ - cmd/snap: show header/footer when `snap find` is used without
+   arguments
+ - overlord/snapstate: for Enable's tasks refer to the first task
+   with snap-setup, do not duplicate
+ - tests: add hard-coded fully expired macaroons to run related tests
+ - cmd/snap-update-ns: new test features
+ - cmd/snap-update-ns: we don't want to bind mount symlinks
+ - interfaces/mount: test OptsToCommonFlags, filter out x-snapd.
+   options
+ - cmd/snap-update-ns: untangle upcoming cyclic initialization
+ - client, daemon: update user's email when logging in with new
+   account
+ - tests: ensure snap-confine apparmor profile is parsable
+ - snap: do not leak internal errors on install/refresh etc
+ - snap: fix missing error check when multiple snaps are refreshed
+ - spread: trying to re-enable tests on Fedora
+ - snap: fix gadget.yaml parsing for multi volume gadgets
+ - snap: give the snap.Container interface a Walk method
+ - snap: rename `snap advise-command` to `snap advise-snap --command`
+ - overlord/snapstate: no refresh just for hints if there was a
+   recent regular full refresh
+ - progress: switch ansimeter's Spin() to use a spinner
+ - snap: support `command-not-found` symlink for `snap advise-
+   command`
+ - daemon: store email, ID and macaroon when creating a new user
+ - snap: app startup after/before validation
+ - timeutil: refresh timer take 2
+ - store, daemon/api: Rename MyAppsServer, point to
+   dashboard.snapcraft.io instead
+ - tests: use "quiet" helper instead of "dnf -q" to get errors on
+   failures
+ - cmd/snap-update-ns: improve mocking for tests
+ - many: implement the advisor backend, populate it from the store
+ - tests: make less calls to the package manager
+ - tests/main/confinement-classic: enable the test on Fedora
+ - snap: do not leak internal network errors to the user
+ - snap: use stdout instead of stderr for "fetching" message
+ - tests: fix test whoami, share successful_login.exp
+ - many: refresh with appropriate creds
+ - snap: add new `snap advice-command` skeleton
+ - tests: add test that ensures we never parse versions as numbers
+ - overlord/snapstate: override Snapstate.UserID in refresh if the
+   installing user is gone
+ - interfaces: allow socket "shutdown" syscall in default profile
+ - snap: print friendly message if `snap keys` is empty
+ - cmd/snap-update-ns: add execWritableMimic
+ - snap: make `snap info invalid-snap` output more user friendly
+ - cmd/snap,  tests/main/classic-confinement: fix snap-exec path when
+   running under classic confinement
+ - overlord/ifacestate: fix disable/enable cycle to setup security
+ - snap: fix snap find " " output
+ - daemon: add new polkit action to manage interfaces
+ - packaging/arch: disable services when removing
+ - asserts/signtool: support for building tools on top that fill-
+   in/compute some headers
+ - cmd: clarify "This leaves %s tracking %s." message
+ - daemon: return "bad-query" error kind for store.ErrBadQuery
+ - taskrunner/many: KnownTaskKinds helper
+ - tests/main/interfaces-fuse_support: fix confinement, allow
+   unmount, fix spread tests
+ - snap: use the -no-fragments mksquashfs option
+ - data/selinux: allow messages from policykit
+ - tests: fix catalog-update wait loop
+ - tests/lib/prepare-restore: disable rate limiting in journald
+ - tests: change interfaces-fuse_support to be debug friendly
+ - tests/main/postrm-purge: stop snapd before purge
+ - This is an example of test log:https://paste.ubuntu.com/26215170/
+ - tests/main/interfaces-fuse_support: dump more debugging
+   information
+ - interfaces/dbus: adjust slot policy for listen, accept and accept4
+   syscalls
+ - tests: save the snapd-state without compression
+ - tests/main/searching: handle changes in featured snaps list
+ - overlord/snapstate: fix auto-refresh summary for 2 snaps
+ - overlord/auth,daemon: introduce an explicit auth.ErrInvalidUser
+ - interfaces: add /proc/partitions to system-observe (This addresses
+   LP#1708527.)
+ - tests/lib: introduce helpers for setting up /dev/random using
+   /dev/urandom in project prepare
+ - tests: new test for interface network status
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - tests: fix security-device-cgroups-serial-port test for rpi and db
+ - cmd/snap-mgmt: add more directories for cleanup and refactor
+   purge() code
+ - snap: YAML and data structures for app before/after ordering
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - packaging/arch: install snap-mgmt tool
+ - tests: add support on tests for cm3 gadget
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 2)
+ - interfaces: rename sanitize methods
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces: added Ref() helpers, restored more detailed error
+   message on spi iface
+ - debian: make "gnupg" a recommends
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - interfaces: PlugInfo/SlotInfo/ConnectedPlug/ConnectedSlot
+   attribute helpers
+ - interfaces: update fixme comments
+ - tests: make interfaces-snapd-control-with-manage more robust
+ - userd: generalize dbusInterface
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 1)
+ - hookstate: add compat "configure-snapd" task.
+ - config, overlord/snapstate, timeutil: rename ParseSchedule to
+   ParseLegacySchedule
+ - tests: adding tests for time*-control interfaces
+ - tests: new test to check interfaces after reboot the system
+ - cmd/snap-mgmt: fixes
+ - packaging/opensuse-42.2: package and use snap-mgmt
+ - corecfg: also "mask" services when disabling them
+ - cmd/snap-mgmt: introduce snap-mgmt tool
+ - configstate: simplify ConfigManager
+ - interfaces: add gpio-memory-control interface
+ - cmd: disable check-syntax-c
+ - packaging/arch: add bash-completion as optional dependency
+ - corecfg: rename package to overlord/configstate/configcore
+ - wrappers: fix unit tests to use dirs.SnapMountDir
+ - osutil/sys: reimplement getuid and chown with the right int type
+ - interfaces-netlink-connector: fix sourcing snaps.sh
+
+* Thu Jan 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.30-1
+- Release 2.30 to Fedora (RH#1527519)
+- Backport fix to correctly locate snapd libexecdir on Fedora derivatives (RH#1536895)
+- Refresh SELinux policy fix patches with upstream backport version
+
+* Mon Dec 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.30
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - devicestate: use a different nowhere domain
+ - interfaces: add ssh-keys, ssh-public-keys, gpg-keys and gpg-public
+   keys interfaces
+ - interfaces/many: misc updates for default, browser-support, opengl,
+   desktop, unity7, x11
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - corecfg: also "mask" services when disabling them
+ - tests: add support for autopkgtests on s390x
+ - snapstate: support for pre-refresh hook
+ - many: allow to configure core before it is installed
+ - devicestate: fix unkeyed fields error
+ - snap-confine: create mount target for lib32,vulkan on demand
+ - snapstate: add support for refresh.schedule=managed
+ - cmd/snap-update-ns: teach update logic to handle synthetic changes
+ - many: remove configure-snapd task again and handle internally
+ - snap: fix TestDirAndFileMethods() test to work with gccgo
+ - debian: ensure /var/lib/snapd/lib/vulkan is available
+ - cmd/snap-confine: use #include instead of bare include
+ - snapstate: store userID in snapstate
+ - snapd.dirs: add var/lib/snapd/lib/gl32
+ - timeutil, overlod/snapstate: cleanup remaining pieces of timeutil
+   weekday support
+ - packaging/arch: install missing directories, manpages and version
+   info
+ - snapstate,store: store if a snap is a paid snap in the sideinfo
+ - packaging/arch: pre-create snapd directories when packaging
+ - tests/main/manpages: set LC_ALL=C as man may complain if the
+   locale is unset or unsupported
+ - repo: ConnectedPlug and ConnectedSlot types
+ - snapd: fix handling of undo in the taskrunner
+ - store: fix download caching and add integration test
+ - snapstate: move autorefresh code into autoRefresh helper
+ - snapctl: don't error out on start/stop/restart from configure hook
+   during install or refresh
+ - cmd/snap-update-ns: add planWritableMimic
+ - deamon: don't omit responses, even if null
+ - tests: add test for frame buffer interface
+ - tests/lib: fix shellcheck errors
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - tests: remove obsolete workaround
+ - snap: use existing files in `snap download` if digest/size matches
+ - tests: merge pepare-project.sh into prepare-restore.sh
+ - tests: cache snaps to $TESTSLIB/cache
+ - tests: set -e, -o pipefail in prepare-restore.sh
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - cmd/snap-seccomp: fix uid/gid restrictions tests on Arch
+ - tests: document and slightly refactor prepare/restore code
+ - snapstate: ensure RefreshSchedule() gives accurate results
+ - snapstate: add new refresh-hints helper and use it
+ - spread.yaml,tests: move most of project-wide prepare/restore to
+   separate file
+ - timeutil: introduce helpers for weekdays and TimeOfDay
+ - tests: adding new test for uhid interface
+ - cmd/libsnap: fix parsing of empty mountinfo fields
+ - overlord/devicestate:  best effort to go to early full retries for
+   registration on the like of DNS no host
+ - spread.yaml: bump delta ref to 2.29
+ - tests: adding test to test physical memory observe interface
+ - cmd, errtracker: get rid of SNAP_DID_REEXEC environment
+ - timeutil: remove support to parse weekday schedules
+ - snap-confine: add workaround for snap-confine on 4.13/upstream
+ - store: do not log the http body for catalog updates
+ - snapstate: move catalogRefresh into its own helper
+ - spread.yaml: fix shellcheck issues and trivial refactor
+ - spread.yaml: move prepare-each closer to restore-each
+ - spread.yaml: increase workers for opensuse to 3
+ - tests: force delete when tests are restore to avoid suite failure
+ - test: ignore /snap/README
+ - interfaces/opengl: also allow read on 'revision' in
+   /sys/devices/pci...
+ - interfaces/screen-inhibit-control: fix case in screen inhibit
+   control
+ - asserts/sysdb: panic early if pointed to staging but staging keys
+   are not compiled-in
+ - interfaces: allow /bin/chown and fchownat to root:root
+ - timeutil: include test input in error message in
+   TestParseSchedule()
+ - interfaces/browser-support: adjust base declaration for auto-
+   connection
+ - snap-confine: fix snap-confine under lxd
+ - store: bit less aggressive retry strategy
+ - tests: add new `fakestore new-snap-{declaration,revision}` helpers
+ - cmd/snap-update-ns: add secureMkfileAll
+ - snap: use field names when initializing composite literals
+ - HACKING: fix path in snap install
+ - store: add support for flags in ListRefresh()
+ - interfaces: remove invalid plugs/slots from SnapInfo on
+   sanitization.
+ - debian: add missing udev dependency
+ - snap/validate: extend socket validation tests
+ - interfaces: add "refresh-schedule" attribute to snapd-control
+ - interfaces/builtin/account_control: use gid owning /etc/shadow to
+   setup seccomp rules
+ - cmd/snap-update-ns: tweak changePerform
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - tests: disable interfaces-network-control-tuntap
+ - cmd: use a preinit_array function rather than parsing
+   /proc/self/cmdline
+ - interfaces/time*_control: explicitly deny noisy read on
+   /proc/1/environ
+ - cmd/snap-update-ns: misc cleanups
+ - snapd: allow hooks to have slots
+ - fakestore: add go-flags to prepare for `new-snap-declaration` cmd
+ - interfaces/browser-support: add shm path for nwjs
+ - many: add magic /snap/README file
+ - overlord/snapstate: support completion for command aliases
+ - tests: re-enable tun/tap test on Debian
+ - snap,wrappers: add support for socket activation
+ - repo: use PlugInfo and SlotInfo for permanent plugs/slots
+ - tests/interfaces-network-control-tuntap: disable on debian-
+   unstable for now
+ - cmd/snap-confine: Loosen the NVIDIA Vulkan ICD glob
+ - cmd/snap-update-ns: detect and report read-only filesystems
+ - cmd/snap-update-ns: re-factor secureMkdirAll into
+   secureMk{Prefix,Dir}
+ - run-checks, tests/lib/snaps/: shellcheck fixes
+ - corecfg: validate refresh.schedule when it is applied
+ - tests: adjust test to match stderr
+ - snapd: fix snap cookie bugs
+ - packaging/arch: do not quote MAKEFLAGS
+ - state: add change.LaneTasks helper
+ - cmd/snap-update-ns: do not assume 'nogroup' exists
+ - tests/lib: handle distro specific grub-editenv naming
+ - cmd/snap-confine: Add missing bi-arch NVIDIA filesthe
+   `/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl/vdpau` paths within
+ - cmd: Support exposing NVIDIA Vulkan ICD files to the snaps
+ - cmd/snap-confine: Implement full 32-bit NVIDIA driver support
+ - packaging/arch: packaging update
+ - cmd/snap-confine: Support bash as base runtime entry
+ - wrappers: do not error on incorrect Exec= lines
+ - interfaces: fix udev tagging for hooks
+ - tests/set-proxy-store: exclude ubuntu-core-16 via systems: key
+ - tests: new tests for network setup control and observe interfaces
+ - osutil: add helper for obtaining group ID of given file path
+ - daemon,overlord/snapstate: return snap-not-installed error in more
+   cases
+ - interfaces/builtin/lxd_support: allow discovering of host's os-
+   release
+ - configstate: add support for configure-snapd for
+   snapstate.IgnoreHookError
+ - tests:  add a spread test for proxy.store setting together with
+   store assertion
+ - cmd/snap-seccomp: do not use group 'shadow' in tests
+ - asserts/assertstest:  fix use of hardcoded value when the passed
+   or default keys should be used
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - tests: fix xdg-open-compat
+ - daemon: for /v2/logs, 404 when no services are found
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - cmd/snap-update-ns: add new helpers for mount entries
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - cmd: fix re-exec bug with classic confinement for host snapd <
+   2.28
+ - interfaces/kmod: simplify loadModules now that errors are ignored
+ - tests: disable xdg-open-compat test
+ - tests: add test that checks core reverts on core devices
+ - dirs: use alt root when checking classic confinement support
+   without …
+ - interfaces/kmod: treat failure to load module as non-fatal
+ - cmd/snap-update-ns: fix golint and some stale comments
+ - corecfg:  support setting proxy.store if there's a matching store
+   assertion
+ - overlord/snapstate: toggle ignore-validation as needed as we do
+   for channel
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - interfaces: add USB interface number attribute in udev rule for
+   serial-port interface
+ - overlord/devicestate: switch to the new endpoints for registration
+ - snap-update-ns: add missing unit test for desired/current profile
+   handling
+ - cmd/{snap-confine,libsnap-confine-private,snap-shutdown}: cleanup
+   low-level C bits
+ - ifacestate: make interfaces.Repository available via state cache
+ - overlord/snapstate: cleanups around switch-snap*
+ - cmd/snapd,client,daemon: display ignore-validation flag through
+   the notes mechanism
+ - cmd/snap-update-ns: add logging to snap-update-ns
+ - many: have a timestamp on store assertions
+ - many: lookup and use the URL from a store assertion if one is set
+   for use
+ - tests/test-snapd-service: fix shellcheck issues
+ - tests: new test for hardware-random-control interface
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - repo, daemon: use PlugInfo, SlotInfo
+ - many: handle core configuration internally instead of using the
+   core configure hook
+ - tests: refactor and expand content interface test
+ - snap-seccomp: skip in-kernel bpf tests for socket() in trusty/i386
+ - cmd/snap-update-ns: allow Change.Perform to return changes
+ - snap-confine: Support biarch Linux distribution confinement
+ - partition/ubootenv: don't panic when uboot.env is missing the eof
+   marker
+ - cmd/snap-update-ns: allow fault injection to provide dynamic
+   result
+ - interfaces/mount: exspose mount.{Escape,Unescape}
+ - snapctl: added long help to stop/start/restart command
+ - cmd/snap-update-ns: create missing mount points automatically.
+ - cmd: downgrade log message in InternalToolPath to Debugf()
+ - tests: wait for service status change & file update in the test to
+   avoid races
+ - daemon, store: forward SSO invalid credentials errors as 401
+   Unauthorized responses
+ - spdx: fix for WITH syntax, require a license name before the
+   operator
+ - many: reorg things in preparation to make handling of the base url
+   in store dynamic
+ - hooks/configure: queue service restarts
+ - cmd/snap: warn when a snap is not from the tracking channel
+ - interfaces/mount: add support for parsing x-snapd.{mode,uid,gid}=
+ - cmd/snap-confine: add detection of stale mount namespace
+ - interfaces: add plugRef/slotRef helpers for PlugInfo/SlotInfo
+ - tests: check for invalid udev files during all tests
+ - daemon: use newChange() in changeAliases for consistency
+ - servicestate: use taskset
+ - many: add support for /home on NFS
+ - packaging,spread: fix and re-enable opensuse builds
+
+* Sun Dec 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-3
+- Add patch to SELinux policy to allow snapd to receive replies from polkit
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-2
+- Add missing bash completion files and cache directory
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-1
+- Release 2.29.4 to Fedora (RH#1508433)
+- Install Polkit configuration (RH#1509586)
+- Drop changes to revert cheggaaa/pb import path used
+
+* Fri Nov 17 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.4
+ - snap-confine: fix snap-confine under lxd
+ - tests: disable classic-ubuntu-core-transition on i386 temporarily
+ - many: reject bad plugs/slots
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - store: enable "base" field from the store
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+
+* Thu Nov 09 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.3
+ - daemon: cherry-picked /v2/logs fixes
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - interfaces: fix udev tagging for hooks
+ - cmd: fix re-exec bug with classic confinement for host snapd
+ - tests: disable xdg-open-compat test
+ - cmd/snap-confine: add slave PTYs and let devpts newinstance
+   perform mediation
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.2
+  - snapctl: disable stop/start/restart (2.29)
+  - cmd/snap-update-ns: fix collection of changes made
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.1
+ - interfaces: fix incorrect signature of ofono DBusPermanentSlot
+ - interfaces/serial-port: udev tag plugged slots that have just
+   'path' via KERNEL
+ - interfaces/hidraw: udev tag plugged slots that have just 'path'
+   via KERNEL
+ - interfaces/uhid: unconditionally add existing uhid device to the
+   device cgroup
+ - cmd/snap-update-ns: fix mount rules for font sharing
+ - tests: disable refresh-undo test on trusty for now
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - Revert " wrappers: fail install if exec-line cannot be re-written
+ - interfaces: don't udev tag devmode or classic snaps
+ - many: make ignore-validation sticky and send the flag with refresh
+   requests
+
+* Mon Oct 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29
+ - interfaces/many: miscellaneous updates based on feedback from the
+   field
+ - snap-confine: allow reading uevents from any where in /sys
+ - spread: add bionic beaver
+ - debian: make packaging/ubuntu-14.04/copyright a real file again
+ - tests: cherry pick the fix for services test into 2.29
+ - cmd/snap-update-ns: initialize logger
+ - hooks/configure: queue service restarts
+ - snap-{confine,seccomp}: make @unrestricted fully unrestricted
+ - interfaces: clean system apparmor cache on core device
+ - debian: do not build static snap-exec on powerpc
+ - snap-confine: increase sanity_timeout to 6s
+ - snapctl: cherry pick service commands changes
+ - cmd/snap: tell translators about arg names and descs req's
+ - systemd: run all mount units before snapd.service to avoid race
+ - store: add a test to show auth failures are forwarded by doRequest
+ - daemon: convert ErrInvalidCredentials to a 401 Unauthorized error.
+ - store: forward on INVALID_CREDENTIALS error as
+   ErrInvalidCredentials
+ - daemon: generate a forbidden response message if polkit dialog is
+   dismissed
+ - daemon: Allow Polkit authorization to cancel changes.
+ - travis: switch to container based test runs
+ - interfaces: reduce duplicated code in interface tests mocks
+ - tests: improve revert related testing
+ - interfaces: sanitize plugs and slots early in ReadInfo
+ - store: add download caching
+ - preserve TMPDIR and HOSTALIASES across snap-confine invocation
+ - snap-confine: init all arrays with `= {0,}`
+ - tests: adding test for network-manager interface
+ - interfaces/mount: don't generate legacy per-hook/per-app mount
+   profiles
+ - snap: introduce structured epochs
+ - tests: fix interfaces-cups-control test for cups-2.2.5
+ - snap-confine: cleanup incorrectly created nvidia udev tags
+ - cmd/snap-confine: update valid security tag regexp
+ - cmd/libsnap: enable two stranded tests
+ - cmd,packaging: enable apparmor on openSUSE
+ - overlord/ifacestate: refresh all security backends on startup
+ - interfaces/dbus: drop unneeded check for
+   release.ReleaseInfo.ForceDevMode
+ - dbus: ensure io.snapcraft.Launcher.service is created on re-
+   exec
+ - overlord/auth: continue for now supporting UBUNTU_STORE_ID if the
+   model is generic-classic
+ - snap-confine: add support for handling /dev/nvidia-modeset
+ - interfaces/network-control: remove incorrect rules for tun
+ - spread: allow setting SPREAD_DEBUG_EACH=0 to disable debug-each
+   section
+ - packaging: remove .mnt files on removal
+ - tests: fix econnreset scenario when the iptables rule was not
+   created
+ - tests: add test for lxd interface
+ - run-checks: use nakedret static checker to check for naked
+   returns on long functions
+ - progress: be more flexible in testing ansimeter
+ - interfaces: fix udev rules for tun
+ - many: implement our own ANSI-escape-using progress indicator
+ - snap-exec: update tests to follow main_test pattern
+ - snap: support "command: foo $ENV_STRING"
+ - packaging: update nvidia configure options
+ - snap: add new `snap pack` and use in tests
+ - cmd: correctly name the "Ubuntu" and "Arch" NVIDIA methods
+ - cmd: add autogen case for solus
+ - tests: do not use http://canihazip.com/ which appears to be down
+ - hooks: commands for controlling own services from snapctl
+ - snap: refactor cmdGet.Execute()
+ - interfaces/mount: make Change.Perform testable and test it
+ - interfaces/mount,cmd/snap-update-ns: move change code
+ - snap-confine: is_running_on_classic_distribution() looks into os-
+   release
+ - interfaces: misc updates for default, browser-support, home and
+   system-observe
+ - interfaces: deny lttng by default
+ - interfaces/lxd: lxd slot implementation can also be an app snap
+ - release,cmd,dirs: Redo the distro checks to take into account
+   distribution families
+ - cmd/snap: completion for alias and unalias
+ - snap-confine: add new SC_CLEANUP and use it
+ - snap: refrain from running filepath.Base on random strings
+ - cmd/snap-confine: put processes into freezer hierarchy
+ - wrappers: fail install if exec-line cannot be re-written
+ - cmd/snap-seccomp,osutil: make user/group lookup functions public
+ - snapstate: deal with snap user data in the /root/ directory
+ - interfaces: Enhance full-confinement support for biarch
+   distributions
+ - snap-confine: Only attempt to copy/mount NVIDIA libs when NVIDIA
+   is used
+ - packaging/fedora: Add Fedora 26, 27, and Rawhide symlinks
+ - overlord/snapstate: prefer a smaller corner case for doing the
+   wrong thing
+ - cmd/snap-repair:  set user agent for snap-repair http requests
+ - packaging: bring down the delta between 14.04 and 16.04
+ - snap-confine: Ensure lib64 biarch directory is respected
+ - snap-confine: update apparmor rules for fedora based base snaps
+ - tests: Increase SNAPD_CONFIGURE_HOOK_TIMEOUT to 3 minutes to
+   install real snaps
+ - daemon: use client.Snap instead of map[string]interface{} for
+   snaps.
+ - hooks: rename refresh hook to post-refresh
+ - git: make the .gitingore file a bit more targeted
+ - interfaces/opengl: don't udev tag nvidia devices and use snap-
+   confine instead
+ - cmd/snap-{confine,update-ns}: apply mount profiles using snap-
+   update-ns
+ - cmd: update "make hack"
+ - interfaces/system-observe: allow clients to enumerate DBus
+   connection names
+ - snap-repair: implement `snap-repair {list,show}`
+ - dirs,interfaces: create snap-confine.d on demand when re-executing
+ - snap-confine: fix base snaps on core
+ - cmd/snap-repair: fix tests when running as root
+ - interfaces: add Connection type
+ - cmd/snap-repair: skip disabled repairs
+ - cmd/snap-repair: prefer leaking unmanaged fds on test failure over
+   closing random ones
+ - snap-repair: make `repair` binary available for repair scripts
+ - snap-repair: fix missing Close() in TestStatusHappy
+ - cmd/snap-confine,packaging: import snapd-generated policy
+ - cmd/snap: return empty document if snap has no configuration
+ - snap-seccomp: run secondary-arch tests via gcc-multilib
+ - snap: implement `snap {repair,repairs}` and pass-through to snap-
+   repair
+ - interfaces/builtin: allow receiving dbus messages
+ - snap-repair: implement `snap-repair {done,skip,retry}`
+ - data/completion: small tweak to snap completion snippet
+ - dirs: fix classic support detection
+ - cmd/snap-repair: integrate root public keys for repairs
+ - tests: fix ubuntu core services
+ - tests: add new test that checks that the compat snapd-xdg-open
+   works
+ - snap-confine: improve error message if core/u-core cannot be found
+ - tests: only run tests/regression/nmcli on amd64
+ - interfaces: mount host system fonts in desktop interface
+ - interfaces: enable partial apparmor support
+ - snapstate: auto-install missing base snaps
+ - spread: work around temporary packaging issue in debian sid
+ - asserts,cmd/snap-repair: introduce a mandatory summary for repairs
+ - asserts,cmd/snap-repair: represent RepairID internally as an int
+ - tests: test the real "xdg-open" from the core snap
+ - many: implement fetching sections and package names periodically.
+ - interfaces/network: allow using netcat as client
+ - snap-seccomp, osutil: use osutil.AtomicFile in snap-seccomp
+ - snap-seccomp: skip mknod syscall on arm64
+ - tests: add trivial canonical-livepatch test
+ - tests: add test that ensures that all core services are working
+ - many: add logger.MockLogger() and use it in the tests
+ - snap-repair: fix test failure in TestRepairHitsTimeout
+ - asserts: add empty values check in HeadersFromPrimaryKey
+ - daemon: remove unused installSnap var in test
+ - daemon: reach for Overlord.Loop less thanks to overlord.Mock
+ - snap-seccomp: manually resolve socket() call in tests
+ - tests: change regex used to validate installed ubuntu core snap
+ - cmd/snapctl: allow snapctl -h without a context (regression fix).
+ - many: use snapcore/snapd/i18n instead of i18n/dumb
+ - many: introduce asserts.NotFoundError replacing both ErrNotFound
+   and store.AssertionNotFoundError
+ - packaging: don't include any marcos in comments
+ - overlord: use overlord.Mock in more tests, make sure we check the
+   outcome of Settle
+ - tests: try to fix staging tests
+ - store: simplify api base url config
+ - systemd: add systemd.MockJournalctl()
+ - many: provide systemd.MockSystemctl() helper
+ - tests: improve the listing test to not fail for e.g. 2.28~rc2
+ - snapstate: give snapmgrTestSuite.settle() more time to settle
+ - tests: fix regex to check core version on snap list
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces: add udev netlink support to hardware-observe
+ - overlord: introduce Mock which enables to use Overlord.Settle for
+   settle in many more places
+ - snap-repair: execute the repair and capture logs/status
+ - tests: run the tests/unit/go everywhere
+ - daemon, snapstate: move ensureCore from daemon/api.go into
+   snapstate.go
+ - cmd/snap: get keys or root document
+ - spread.yaml: turn suse to manual given that it's breaking master
+ - many: configure store from state, reconfigure store at runtime
+ - osutil: AtomicWriter (an io.Writer), and io.Reader versions of
+   AtomicWrite*
+ - tests: check for negative syscalls in runBpf() and skip those
+   tests
+ - docs: use abolute path in PULL_REQUEST_TEMPLATE.md
+ - store: move device auth endpoint uris to config (#3831)
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-2
+- Properly fix the build for Fedora 25
+- Incorporate misc build fixes
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-1
+- Release 2.28.5 to Fedora (RH#1502186)
+- Build snap-exec and snap-update-ns statically to support base snaps
+
+* Fri Oct 13 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.5
+  - snap-confine: cleanup broken nvidia udev tags
+  - cmd/snap-confine: update valid security tag regexp
+  - overlord/ifacestate: refresh udev backend on startup
+  - dbus: ensure io.snapcraft.Launcher.service is created on re-
+    exec
+  - snap-confine: add support for handling /dev/nvidia-modeset
+  - interfaces/network-control: remove incorrect rules for tun
+
+* Thu Oct 12 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.4-1
+- Release 2.28.4 to Fedora (RH#1501141)
+- Drop distro check backport patches (released with 2.28.2)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.4
+  - interfaces/opengl: don't udev tag nvidia devices and use snap-
+    confine instead
+  - debian: fix replaces/breaks for snap-xdg-open (thanks to apw!)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.3
+  - interfaces/lxd: lxd slot implementation can also be an app
+    snap
+
+* Tue Oct 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.2
+  - interfaces: fix udev rules for tun
+  - release,cmd,dirs: Redo the distro checks to take into account
+    distribution families
+
+* Sun Oct 08 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.1-1
+- Release 2.28.1 to Fedora (RH#1495852)
+- Drop userd backport patches, they are part of 2.28 release
+- Backport changes to rework distro checks to fix derivative distro usage of snapd
+- Revert import path change for cheggaaa/pb as it breaks build on Fedora
+- Add a posttrans relabel to snapd-selinux to ensure everything is labeled correctly
+
+* Wed Sep 27 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.1
+  - snap-confine: update apparmor rules for fedora based basesnaps
+  - snapstate: rename refresh hook to post-refresh for consistency
+
+* Mon Sep 25 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28
+ - hooks: rename refresh to after-refresh
+ - snap-confine: bind mount /usr/lib/snapd relative to snap-confine
+ - cmd,dirs: treat "liri" the same way as "arch"
+ - snap-confine: fix base snaps on core
+ - hooks: substitute env vars when executing hooks
+ - interfaces: updates for default, browser-support, desktop, opengl,
+   upower and stub-resolv.conf
+ - cmd,dirs: treat manjaro the same as arch
+ - systemd: do not run auto-import and repair services on classic
+ - packaging/fedora: Ensure vendor/ is empty for builds and fix spec
+   to build current master
+ - many: fix TestSetConfNumber missing an Unlock and other fragility
+   improvements
+ - osutil: adjust StreamCommand tests for golang 1.9
+ - daemon: allow polkit authorisation to install/remove snaps
+ - tests: make TestCmdWatch more robust
+ - debian: improve package description
+ - interfaces: add netlink kobject uevent to hardware observe
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces/network-{control,observe}: allow receiving
+   kobject_uevent() messages
+ - tests: fix lxd test for external backend
+ - snap-confine,snap-update-ns: add -no-pie to fix FTBFS on
+   go1.7,ppc64
+ - corecfg: mock "systemctl" in all corecfg tests
+ - tests: fix unit tests on Ubuntu 14.04
+ - debian: add missing flags when building static snap-exec
+ - many: end-to-end support for the bare base snap
+ - overlord/snapstate: SetRootDir from SetUpTest, not in just some
+   tests
+ - store: have an ad-hoc method on cfg to get its list of uris for
+   tests
+ - daemon: let client decide whether to allow interactive auth via
+   polkit
+ - client,daemon,snap,store: add license field
+ - overlord/snapstate: rename HasCurrent to IsInstalled, remove
+   superfluous/misleading check from All
+ - cmd/snap: SetRootDir from SetUpTest, not in just some individual
+   tests.
+ - systemd: rename snap-repair.{service,timer} to snapd.snap-
+   repair.{service,timer}
+ - snap-seccomp: remove use of x/net/bpf from tests
+ - httputil: more naive per go version way to recreate a default
+   transport for tls reconfig
+ - cmd/snap-seccomp/main_test.go: add one more syscall for arm64
+ - interfaces/opengl: use == to compare, not =
+ - cmd/snap-seccomp/main_test.go: add syscalls for armhf and arm64
+ - cmd/snap-repair: track and use a lower bound for the time for
+   TLS checks
+ - interfaces: expose bluez interface on classic OS
+ - snap-seccomp: add in-kernel bpf tests
+ - overlord: always try to get a serial, lazily on classic
+ - tests: add nmcli regression test
+ - tests: deal with __PNR_chown on aarch64 to fix FTBFS on arm64
+ - tests: add autopilot-introspection interface test
+ - vendor: fix artifact from manually editing vendor/vendor.json
+ - tests: rename complexion to test-snapd-complexion
+ - interfaces: add desktop and desktop-legacy
+   interfaces/desktop: add new 'desktop' interface for modern DEs*
+   interfaces/builtin/desktop_test.go: use modern testing techniques*
+   interfaces/wayland: allow read on /etc/drirc for Plasma desktop*
+   interfaces/desktop-legacy: add new 'legacy' interface (currently
+   for a11y and input)
+ - tests: fix race in snap userd test
+ - devices/iio: add read/write for missing sysfs entries
+ - spread: don't set HTTPS?_PROXY for linode
+ - cmd/snap-repair: check signatures of repairs from Next
+ - env: set XDG_DATA_DIRS for wayland et.al.
+ - interfaces/{default,account-control}: Use username/group instead
+   of uid/gid
+ - interfaces/builtin: use udev tagging more broadly
+ - tests: add basic lxd test
+ - wrappers: ensure bash completion snaps install on core
+ - vendor: use old golang.org/x/crypto/ssh/terminal to build on
+   powerpc again
+ - docs: add PULL_REQUEST_TEMPLATE.md
+ - interfaces: fix network-manager plug
+ - hooks: do not error out when hook is optional and no hook handler
+   is registered
+ - cmd/snap: add userd command to replace snapd-xdg-open
+ - tests: new regex used to validate the core version on extra snaps
+   ass...
+ - snap: add new `snap switch` command
+ - tests: wait more and more debug info about fakestore start issues
+ - apparmor,release: add better apparmor detection/mocking code
+ - interfaces/i2c: adjust sysfs rule for alternate paths
+ - interfaces/apparmor: add missing call to dirs.SetRootDir
+ - cmd: "make hack" now also installs snap-update-ns
+ - tests: copy files with less verbosity
+ - cmd/snap-confine: allow using additional libraries required by
+   openSUSE
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapstate: improve the error message when classic confinement is
+   not supported
+ - tests: add test to ensure amd64 can run i386 syscall binaries
+ - tests: adding extra info for fakestore when fails to start
+ - tests: install most important snaps
+ - cmd/snap-repair: more test coverage of filtering
+ - squashfs: remove runCommand/runCommandWithOutput as we do not need
+   it
+ - cmd/snap-repair: ignore superseded revisions, filter on arch and
+   models
+ - hooks: support for refresh hook
+ - Partial revert "overlord/devicestate, store: update device auth
+   endpoints URLs"
+ - cmd/snap-confine: allow reading /proc/filesystems
+ - cmd/snap-confine: genearlize apparmor profile for various lib
+   layout
+ - corecfg: fix proxy.* writing and add integration test
+ - corecfg: deal with system.power-key-action="" correctly
+ - vendor: update vendor.json after (presumed) manual edits
+ - cmd/snap: in `snap info`, don't print a newline between tracks
+ - daemon: add polkit support to /v2/login
+ - snapd,snapctl: decode json using Number
+ - client: fix go vet 1.7 errors
+ - tests: make 17.04 shellcheck clean
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - snapstate: undo a daemon restart on classic if needed
+ - cmd/snap-repair: recover brand/model from
+   /var/lib/snapd/seed/assertions checking signatures and brand
+   account
+ - spread: opt into unsafe IO during spread tests
+ - snap-repair: update snap-repair/runner_test.go for API change in
+   makeMockServer
+ - cmd/snap-repair: skeleton code around actually running a repair
+ - tests: wait until the port is listening after start the fake store
+ - corecfg: fix typo in tests
+ - cmd/snap-repair: test that redirects works during fetching
+ - osutil: honor SNAPD_UNSAFE_IO for testing
+ - vendor: explode and make more precise our golang.go/x/crypto deps,
+   use same version as Debian unstable
+ - many: sanitize NewStoreStack signature, have shared default store
+   test private keys
+ - systemd: disable `Nice=-5` to fix error when running inside lxd
+ - spread.yaml: update delta ref to 2.27
+ - cmd/snap-repair: use E-Tags when refetching a repair to retry
+ - interfaces/many: updates based on chromium and mrrescue denials
+ - cmd/snap-repair: implement most logic to get the next repair to
+   run/retry in a brand sequence
+ - asserts/assertstest: copy headers in SigningDB.Sign
+ - interfaces: convert uhid to common interface and test cases
+   improvement for time_control and opengl
+ - many tests: move all panicing fake store methods to a common place
+ - asserts: add store assertion type
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - wrappers: symlink completion snippets when symlinking binaries
+ - tests: adding more debug information for the interfaces-cups-
+   control …
+ - apparmor: pass --quiet to parser on load unless SNAPD_DEBUG is set
+ - many: allow and support serials signed by the 'generic' authority
+   instead of the brand
+ - corecfg: add proxy configuration via `snap set core
+   proxy.{http,https,ftp}=...`
+ - interfaces: a bunch of interfaces test improvement
+ - tests: enable regression and completion suites for opensuse
+ - tests: installing snapd for nested test suite
+ - interfaces: convert lxd_support to common iface
+ - interfaces: add missing test for camera interface.
+ - snap: add support for parsing snap layout section
+ - cmd/snap-repair: like for downloads we cannot have a timeout (at
+   least for now), less aggressive retry strategies
+ - overlord: rely on more conservative ensure interval
+ - overlord,store: no piles of return args for methods gathering
+   device session request params
+ - overlord,store: send model assertion when setting up device
+   sessions
+ - interfaces/misc: updates for unity7/x11, browser-
+   support, network-control and mount-observe
+   interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+   interfaces/browser-support: update sysfs reads for
+   newer browser versions, interfaces/network-control: rw for
+   ieee80211 advanced wireless interfaces/mount-observe: allow read
+   on sysfs entries for block devices
+ - tests: use dnf --refresh install to avert stale cache
+ - osutil: ensure TestLockUnlockWorks uses supported flock
+ - interfaces: convert lxd to common iface
+ - tests: restart snapd to ensure re-exec settings are applied
+ - tests: fix interfaces-cups-control test
+ - interfaces: improve and tweak bunch of interfaces test cases.
+ - tests: adding extra worker for fedora
+ - asserts,overlord/devicestate: support predefined assertions that
+   don't establish foundational trust
+ - interfaces: convert two hardware_random interfaces to common iface
+ - interfaces: convert io_ports_control to common iface
+ - tests: fix for  upgrade test on fedora
+ - daemon, client, cmd/snap: implement snap start/stop/restart
+ - cmd/snap-confine: set _FILE_OFFSET_BITS to 64
+ - interfaces: covert framebuffer to commonInterface
+ - interfaces: convert joystick to common iface
+ - interfaces/builtin: add the spi interface
+ - wrappers, overlord/snapstate/backend: make link-snap clean up on
+   failure.
+ - interfaces/wayland: add wayland interface
+ - interfaces: convert kvm to common iface
+ - tests: extend upower-observe test to cover snaps providing slots
+ - tests: enable main suite for opensuse
+ - interfaces: convert physical_memory_observe to common iface
+ - interfaces: add missing test for optical_drive interface.
+ - interfaces: convert physical_memory_control to common iface
+ - interfaces: convert ppp to common iface
+ - interfaces: convert time-control to common iface
+ - tests: fix failover test
+ - interfaces/builtin: rework for avahi interface
+ - interfaces: convert broadcom-asic-control to common iface
+ - snap/snapenv: document the use of CoreSnapMountDir for SNAP
+ - packaging/arch: drop patches merged into master
+ - cmd: fix mustUnsetenv docstring (thanks to Chipaca)
+ - release: remove default from VERSION_ID
+ - tests: enable regression, upgrade and completion test suites for
+   fedora 
+ - tests: restore interfaces-account-control properly
+ - overlord/devicestate, store: update device auth endpoints URLs
+ - tests: fix install-hook test failure
+ - tests: download core and ubuntu-core at most once
+ - interfaces: add common support for udev
+ - overlord/devicestate: fix, don't assume that the serial is backed
+   by a 1-key chain
+ - cmd/snap-confine: don't share /etc/nsswitch from host
+ - store: do not resume a download when we already have the whole
+   thing
+ - many: implement "snap logs"
+ - store: don't call useDeltas() twice in quick succession
+ - interfaces/builtin: add kvm interface
+ - snap/snapenv: always expect /snap for $SNAP
+ - cmd: mark arch as non-reexecing distro
+ - cmd: fix tests that assume /snap mount
+ - gitignore: ignore more build artefacts
+ - packaging: add current arch packaging
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/builtin: implement broadcom-asic-control interface
+ - interfaces/builtin: reduce duplication and remove cruft in
+   Sanitize{Plug,Slot}
+ - tests: apply underscore convention for SNAPMOUNTDIR variable
+ - interfaces/greengrass-support: adjust accesses now that have
+   working snap
+ - daemon, client, cmd/snap: implement "snap services"
+ - tests: fix refresh tests not stopping fake store for fedora
+ - many: add the interface command
+ - overlord/snapstate/backend: some copydata improvements
+ - many: support querying and completing assertion type names
+ - interfaces/builtin: discard empty Validate{Plug,Slot}
+ - cmd/snap-repair:  start of Runner, implement first pass of Peek
+   and Fetch
+ - tests: enable main suite on fedora
+ - snap: do not always quote the snap info summary
+ - vendor: update go-flags to address crash in "snap debug"
+ - interfaces: opengl support pci device and vendor
+ - many: start implenting "base" snap type on the snapd side
+ - arch,release: map armv6 correctly
+ - many: expose service status in 'snap info'
+ - tests: add browser-support interface test
+ - tests: disable snapd-notify for the external backend
+ - interfaces: Add /run/uuid/request to openvswitch
+ - interfaces: add password-manager-service implicit classic
+   interface
+ - cmd: rework reexec detection
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: dependency packages installed during prepare-project
+ - tests: remove unneeded check for re-exec in InternalToolPath()
+ - cmd,tests: fix classic confinement confusing re-execution code
+ - store: configurable base api
+ - tests: fix how package lists are updated for opensuse and fedora
+
+* Sun Sep 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.6-1
+- Release 2.27.6 to Fedora (RH#1489437)
+
+* Thu Sep 07 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.6
+  - interfaces: add udev netlink support to hardware-observe
+  - interfaces/network-{control,observe}: allow receiving
+    kobject_uevent() messages
+
+* Mon Sep 04 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.5-1
+- Release 2.27.5 to Fedora (RH#1483177)
+- Backport userd from upstream to support xdg-open
+
+* Wed Aug 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.5
+  - interfaces: fix network-manager plug regression
+  - hooks: do not error when hook handler is not registered
+  - interfaces/alsa,pulseaudio: allow read on udev data for sound
+  - interfaces/optical-drive: read access to udev data for /dev/scd*
+  - interfaces/browser-support: read on /proc/vmstat and misc udev
+    data
+
+* Thu Aug 24 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.4
+  - snap-seccomp: add secondary arch for unrestricted snaps as well
+
+* Fri Aug 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.3
+  - systemd: disable `Nice=-5` to fix error when running inside lxdSee
+    https://bugs.launchpad.net/snapd/+bug/1709536
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-2
+- Bump to rebuild for F27 and Rawhide
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-1
+- Release 2.27.2 to Fedora (RH#1482173)
+
+* Wed Aug 16 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.2
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - interfaces: backport broadcom-asic-control interface
+ - interfaces: allow /usr/bin/xdg-open in unity7
+ - store: do not resume a download when we already have the whole
+   thing
+
+* Mon Aug 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.1-1
+- Release 2.27.1 to Fedora (RH#1481247)
+
+* Mon Aug 14 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.1
+ - tests: use dnf --refresh install to avert stale cache
+ - tests: fix test failure on 14.04 due to old version of
+   flock
+ - updates for unity7/x11, browser-support, network-control,
+   mount-observe
+ - interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+ - interfaces/browser-support: update sysfs reads for
+   newer browser versions
+ - interfaces/network-control: rw for ieee80211 advanced wireless
+ - interfaces/mount-observe: allow read on sysfs entries for block
+   devices
+
+* Thu Aug 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27-1
+- Release 2.27 to Fedora (RH#1458086)
+
+* Thu Aug 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27
+ - fix build failure on 32bit fedora
+ - interfaces: add password-manager-service implicit classic interface
+ - interfaces/greengrass-support: adjust accesses now that have working
+   snap
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: restore interfaces-account-control properly
+ - cmd: fix tests that assume /snap mount
+ - cmd: mark arch as non-reexecing distro
+ - snap-confine: don't share /etc/nsswitch from host
+ - store: talk to api.snapcraft.io for purchases
+ - hooks: support for install and remove hooks
+ - packaging: fix Fedora support
+ - tests: add bluetooth-control interface test
+ - store: talk to api.snapcraft.io for assertions
+ - tests: remove snapd before building from branch
+ - tests: add avahi-observe interface test
+ - store: orders API now checks if customer is ready
+ - cmd/snap: snap find only searches stable
+ - interfaces: updates default, mir, optical-observe, system-observe,
+   screen-inhibit-control and unity7
+ - tests: speedup prepare statement part 1
+ - store: do not send empty refresh requests
+ - asserts: fix error handling in snap-developer consistency check
+ - systemd: add explicit sync to snapd.core-fixup.sh
+ - snapd: generate snap cookies on startup
+ - cmd,client,daemon: expose "force devmode" in sysinfo
+ - many: introduce and use strutil.ListContains and also
+   strutil.SortedListContains
+ - assserts,overlord/assertstate: test we don't accept chains of
+   assertions founded on a self-signed key coming externally
+ - interfaces: enable access to bridge settings
+ - interfaces: fix copy-pasted iio vs io in io-ports-control
+ - cmd/snap-confine: various small fixes and tweaks to seccomp
+   support code
+ - interfaces: bring back seccomp argument filtering
+ - systemd, osutil: rework systemd logs in preparation for services
+   commands
+ - tests: store /etc/systemd/system/snap-*core*.mount in snapd-
+   state.tar.gz
+ - tests: shellcheck improvements for tests/main tasks - first set of
+   tests
+ - cmd/snap: `--last` for abort and watch, and aliases
+   (search→find, change→tasks)
+ - tests: shellcheck improvements for tests/lib scripts
+ - tests: create ramdisk if it's not present
+ - tests: shellcheck improvements for nightly upgrade and regressions
+   tests
+ - snapd: fix for snapctl get panic on null config values.
+ - tests: fix for rng-tools service not restarting
+ - systemd: add snapd.core-fixup.service unit
+ - cmd: avoid using current symlink in InternalToolPath
+ - tests: fix timeout issue for test refresh core with hanging …
+ - intefaces: control bridged vlan/ppoe-tagged traffic
+ - cmd/snap: include snap type in notes
+ - overlord/state: Abort() only visits each task once
+ - tests: extend find-private test to cover more cases
+ - snap-seccomp: skip socket() tests on systems that use socketcall()
+   instead of socket()
+ - many: support snap title as localized/title-cased name
+ - snap-seccomp: deal with mknod on aarch64 in the seccomp tests
+ - interfaces: put base policy fragments inside each interface
+ - asserts: introduce NewDecoderWithTypeMaxBodySize
+ - tests: fix snapd-notify when it takes more time to restart
+ - snap-seccomp: fix snap-seccomp tests in artful
+ - tests: fix for create-key task to avoid rng-tools service ramains
+   alive
+ - snap-seccomp: make sure snap-seccomp writes the bpf file
+   atomically
+ - tests: do not disable ipv6 on core systems
+ - arch: the kernel architecture name is armv7l instead of armv7
+ - snap-confine: ensure snap-confine waits some seconds for seccomp
+   security profiles
+ - tests: shellcheck improvements for tests/nested tasks
+ - wrappers: add SyslogIdentifier to the service unit files.
+ - tests: shellcheck improvements for unit tasks
+ - asserts: implement FindManyTrusted as well
+ - asserts: open up and optimize Encoder to help avoiding unnecessary
+   copying
+ - interfaces: simplify snap-confine by just loading pre-generated
+   bpf code
+ - tests: restart rng-tools services after few seconds
+ - interfaces, tests: add mising dbus abstraction to system-observe
+   and extend spread test
+ - store: change main store host to api.snapcraft.io
+ - overlord/cmdstate: new package for running commands as tasks.
+ - spread: help libapt resolve installing libudev-dev
+ - tests: show the IP from .travis.yaml
+ - tests/main: use pkgdb function in more test cases
+ - cmd,daemon: add debug command for displaying the base policy
+ - tests: prevent quoting error on opensuse
+ - tests: fix nightly suite
+ - tests: add linode-sru backend
+ - snap-confine: validate SNAP_NAME against security tag
+ - tests: fix ipv6 disable for ubuntu-core
+ - tests: extend core-revert test to cover bluez issues
+ - interfaces/greengrass-support: add support for Amazon Greengrass
+   as a snap
+ - asserts: support timestamp and optional disabled header on repair
+ - tests: reboot after upgrading to snapd on the -proposed pocket
+ - many: fix test cases to work with different DistroLibExecDir
+ - tests: reenable help test on ubuntu and debian systems
+ - packaging/{opensuse,fedora}: allow package build with testkeys
+   included
+ - tests/lib: generalize RPM build support
+ - interfaces/builtin: sync connected slot and permanent slot snippet
+ - tests: fix snap create-key by restarting automatically rng-tools
+ - many: switch to use http numeric statuses as agreed
+ - debian: add missing  Type=notify in 14.04 packaging
+ - tests: mark interfaces-openvswitch as manual due to prepare errors
+ - debian: unify built_using between the 14.04 and 16.04 packaging
+   branch
+ - tests: pull from urandom when real entropy is not enough
+ - tests/main/manpages: install missing man package
+ - tests: add refresh --time output check
+ - debian: add missing "make -C data/systemd clean"
+ - tests: fix for upgrade test when it is repeated
+ - tests/main: use dir abstraction in a few more test cases
+ - tests/main: check for confinement in a few more interface tests
+ - spread: add fedora snap bin dir to global PATH
+ - tests: check that locale-control is not present on core
+ - many: snapctl outside hooks
+ - tests: add whoami check
+ - interfaces: compose the base declaration from interfaces
+ - tests: fix spread flaky tests linode
+ - tests,packaging: add package build support for openSUSE
+ - many: slight improvement of some snap error messaging
+ - errtracker: Include /etc/apparmor.d/usr.lib.snap-confine md5sum in
+   err reports
+ - tests: fix for the test postrm-purge
+ - tests: restoring the /etc/environment and service units config for
+   each test
+ - daemon: make snapd a "Type=notify" daemon and notify when startup
+   is done
+ - cmd/snap-confine: add support for --base snap
+ - many: derive implicit slots from interface meta-data
+ - tests: add core revert test
+ - tests,packaging: add package build support for Fedora for our
+   spread setup
+ - interfaces: move base declaration to the policy sub-package
+ - tests: fix for snapd-reexec test cheking for restart info on debug
+   log
+ - tests: show available entropy on error
+ - tests: clean journalctl logs on trusty
+ - tests: fix econnreset on staging
+ - tests: modify core before calling set
+ - tests: add snap-confine privilege test
+ - tests: add staging snap-id
+ - interfaces/builtin: silence ptrace denial for network-manager
+ - tests: add alsa interface spread test
+ - tests: prefer ipv4 over ipv6
+ - tests: fix for econnreset test checking that the download already
+   started
+ - httputil,store: extract retry code to httputil, reorg usages
+ - errtracker: report if snapd did re-execute itself
+ - errtracker: include bits of snap-confine apparmor profile
+ - tests: take into account staging snap-ids for snap-info
+ - cmd: add stub new snap-repair command and add timer
+ - many: stop "snap refresh $x --channel invalid" from working
+ - interfaces: revert "interfaces: re-add reverted ioctl and quotactl
+ - snapstate: consider connect/disconnect tasks in
+   CheckChangeConflict.
+ - interfaces: disable "mknod |N" in the default seccomp template
+   again
+ - interfaces,overlord/ifacestate: make sure installing slots after
+   plugs works similarly to plugs after slots
+ - interfaces/seccomp: add bind() syscall for forced-devmode systems
+ - packaging/fedora: Sync packaging from Fedora Dist-Git
+ - tests: move static and unit tests to spread task
+ - many: error types should be called FooError, not ErrFoo.
+ - partition: add directory sync to the save uboot.env file code
+ - cmd: test everything (100% coverage \o/)
+ - many: make shell scripts shellcheck-clean
+ - tests: remove additional setup for docker on core
+ - interfaces: add summary to each interface
+ - many: remove interface meta-data from list of connections
+ - logger (& many more, to accommodate): drop explicit syslog.
+ - packaging: import packaging bits for opensuse
+ - snapstate,many: implement snap install --unaliased
+ - tests/lib: abstract build dependency installation a bit more
+ - interfaces, osutil: move flock code from interfaces/mount to
+   osutil
+ - cmd: auto import assertions only from ext4,vfat file systems
+ - many: refactor in preparation for 'snap start'
+ - overlord/snapstate: have an explicit code path last-refresh
+   unset/zero => immediately refresh try
+ - tests: fixes for executions using the staging store
+ - tests: use pollinate to seed the rng
+ - cmd/snap,tests: show the sha3-384 of the snap for snap info
+   --verbose SNAP-FILE
+ - asserts: simplify and adjust repair assertion definition
+ - cmd/snap,tests: show the snap id if available in snap info
+ - daemon,overlord/auth: store from model assertion wins
+ - cmd/snap,tests/main: add confinement switch instead of spread
+   system blacklisting
+ - many: cleanup MockCommands and don't leave a process around after
+   hookstate tests
+ - tests: update listing test to the core version number schema
+ - interfaces: allow snaps to use the timedatectl utility
+ - packaging: Add Fedora packaging files
+ - tests/libs: add distro_auto_remove_packages function
+ - cmd/snap: correct devmode note for anomalous state
+ - tests/main/snap-info: use proper pkgdb functions to install distro
+   packages
+ - tests/lib: use mktemp instead of tempfile to work cross-distro
+ - tests: abstract common dirs which differ on distributions
+ - many: model and expose interface meta-data.
+ - overlord: make config defaults from gadget work also at first boot
+ - interfaces/log-observe: allow using journalctl from hostfs for
+   classic distro
+ - partition,snap: add support for android boot
+ - errtracker: small simplification around readMachineID
+ - snap-confine: move rm_rf_tmp to test-utils.
+ - tests/lib: introduce pkgdb helper library
+ - errtracker: try multiple paths to read machine-id
+ - overlord/hooks: make sure only one hook for given snap is executed
+   at a time.
+ - cmd/snap-confine: use SNAP_MOUNT_DIR to setup /snap inside the
+   confinement env
+ - tests: bump kill-timeout and remove quiet call on build
+ - tests/lib/snaps: add a test store snap with a passthrough
+   configure hook
+ - daemon: teach the daemon to wait on active connections when
+   shutting down
+ - tests: remove unit tests task
+ - tests/main/completion: source from /usr/share/bash-completion
+ - assertions: add "repair" assertion
+ - interfaces/seccomp: document Backend.NewSpecification
+ - wrappers: make StartSnapServices cleanup any services that were
+   added if a later one fails
+ - overlord/snapstate: avoid creating command aliases for daemons
+ - vendor: remove unused packages
+ - vendor,partition: fix panics from uenv
+ - cmd,interfaces/mount: run snap-update-ns and snap-discard-ns from
+   core if possible
+ - daemon: do not allow to install ubuntu-core anymore
+ - wrappers: service start/stop were inconsistent
+ - tests: fix failing tests (snap core version, syslog changes)
+ - cmd/snap-update-ns: add actual implementation
+ - tests: improve entropy also for ubuntu
+ - cmd/snap-confine: use /etc/ssl from the core snap
+ - wrappers: don't convert between []byte and string needlessly.
+ - hooks: default timeout
+ - overlord/snapstate: Enable() was ignoring the flags from the
+   snap's state, resulting in losing "devmode" on disable/enable.
+ - difs,interfaces/mount: add support for locking namespaces
+ - interfaces/mount: keep track of kept mount entries
+ - tests/main: move a bunch of greps over to MATCH
+ - interfaces/builtin: make all interfaces private
+ - interfaces/mount: spell unmount correctly
+ - tests: allow 16-X.Y.Z version of core snap
+ - the timezone_control interface only allows changing /etc/timezone
+   and /etc/writable/timezone. systemd-timedated also updated the
+   link of /etc/localtime and /etc/writable/localtime ... allow
+   access to this file too
+ - cmd/snap-confine: aggregate operations holding global lock
+ - api, ifacestate: resolve disconnect early
+ - interfaces/builtin: ensure we don't register interfaces twice
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu May 25 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-3
+- Cover even more stuff for proper erasure on final uninstall (RH#1444422)
+
+* Sun May 21 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-2
+- Fix error in script for removing Snappy content (RH#1444422)
+- Adjust changelog bug references to be specific on origin
+
+* Wed May 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-1
+- Update to snapd 2.26.3
+- Drop merged and unused patches
+- Cover more Snappy content for proper erasure on final uninstall (RH#1444422)
+- Add temporary fix to ensure generated seccomp profiles don't break snapctl
+
+* Mon May 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.25-1
+- Update to snapd 2.25
+- Ensure all Snappy content is gone on final uninstall (RH#1444422)
+
+* Tue Apr 11 2017 Neal Gompa <ngompa13@gmail.com> - 2.24-1
+- Update to snapd 2.24
+- Drop merged patches
+- Install snap bash completion and snapd info file
+
+* Wed Apr 05 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-4
+- Test if snapd socket and timer enabled and start them if enabled on install
+
+* Sat Apr 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-3
+- Fix profile.d generation so that vars aren't expanded in package build
+
+* Fri Mar 31 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-2
+- Fix the overlapping file conflicts between snapd and snap-confine
+- Rework package descriptions slightly
+
+* Thu Mar 30 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-1
+- Rebase to snapd 2.23.6
+- Rediff patches
+- Re-enable seccomp
+- Fix building snap-confine on 32-bit arches
+- Set ExclusiveArch based on upstream supported arch list
+
+* Wed Mar 29 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.5-1
+- Rebase to snapd 2.23.5
+- Disable seccomp temporarily avoid snap-confine bugs (LP#1674193)
+- Use vendorized build for non-Fedora
+
+* Mon Mar 13 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.1-1
+- Rebase to snapd 2.23.1
+- Add support for vendored tarball for non-Fedora targets
+- Use merged in SELinux policy module
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 19 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.16-1
+- New upstream release
+
+* Tue Oct 18 2016 Neal Gompa <ngompa13@gmail.com> - 2.14-2
+- Add SELinux policy module subpackage
+
+* Tue Aug 30 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.14-1
+- New upstream release
+
+* Tue Aug 23 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.13-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-2
+- Correct license identifier
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-8
+- Add %%dir entries for various snapd directories
+- Tweak Source0 URL
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-7
+- Disable snapd re-exec feature by default
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-6
+- Don't auto-start snapd.socket and snapd.refresh.timer
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-5
+- Don't touch snapd state on removal
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-4
+- Use ExecStartPre to load squashfs.ko before snapd starts
+- Use dedicated systemd units for Fedora
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-3
+- Remove systemd preset (will be requested separately according to distribution
+  standards).
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-2
+- Use Requires: kmod(squashfs.ko) instead of Requires: kernel-modules
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-1
+- New upstream release
+- Move private executables to /usr/libexec/snapd/
+
+* Fri Jun 24 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9-2
+- Depend on kernel-modules to ensure that squashfs can be loaded. Load it afer
+  installing the package. This hopefully fixes
+  https://github.com/zyga/snapcore-fedora/issues/2
+
+* Fri Jun 17 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9
+- New upstream release
+  https://github.com/snapcore/snapd/releases/tag/2.0.9
+
+* Tue Jun 14 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8.1
+- New upstream release
+
+* Fri Jun 10 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8
+- First package for Fedora
diff -Nru snapd-2.32.3.2~14.04/packaging/fedora/snapd.spec snapd-2.37~rc1~14.04/packaging/fedora/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/fedora/snapd.spec	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/fedora/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -6,6 +6,14 @@
 %bcond_without vendorized
 %endif
 
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
 # A switch to allow building the package with support for testkeys which
 # are used for the spread test suite of snapd.
 %bcond_with testkeys
@@ -15,6 +23,7 @@
 %global with_check 0
 %global with_unit_test 0
 %global with_test_keys 0
+%global with_selinux 1
 
 # For the moment, we don't support all golang arches...
 %global with_goarches 0
@@ -50,7 +59,7 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 
-%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
 
 # Until we have a way to add more extldflags to gobuild macro...
 %if 0%{?fedora} >= 26
@@ -69,8 +78,21 @@
 %define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
 %endif
 
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
 Name:           snapd
-Version:        2.32.3.2
+Version:        2.37
 Release:        0%{?dist}
 Summary:        A transactional software package manager
 Group:          System Environment/Base
@@ -101,17 +123,28 @@
 # snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
 Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
 %else
+%if ! 0%{?amzn2}
 # Rich dependencies not available, always pull in squashfuse
 # snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
 Requires:       squashfuse
 Requires:       fuse
 %endif
+%endif
 
 # bash-completion owns /usr/share/bash-completion/completions
 Requires:       bash-completion
 
+%if 0%{?with_selinux}
 # Force the SELinux module to be installed
 Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
 
 %if ! 0%{?with_bundled}
 BuildRequires: golang(github.com/boltdb/bolt)
@@ -121,6 +154,9 @@
 BuildRequires: golang(github.com/godbus/dbus/introspect)
 BuildRequires: golang(github.com/gorilla/mux)
 BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
 BuildRequires: golang(github.com/mvo5/goconfigparser)
 BuildRequires: golang(github.com/ojii/gettext.go)
 BuildRequires: golang(github.com/seccomp/libseccomp-golang)
@@ -178,6 +214,7 @@
 This package is used internally by snapd to apply confinement to
 the started snap applications.
 
+%if 0%{?with_selinux}
 %package selinux
 Summary:        SELinux module for snapd
 Group:          System Environment/Base
@@ -186,18 +223,22 @@
 BuildRequires:  selinux-policy, selinux-policy-devel
 Requires(post): selinux-policy-base >= %{_selinux_policy_version}
 Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
 Requires(post): policycoreutils-python-utils
+%endif
 Requires(pre):  libselinux-utils
 Requires(post): libselinux-utils
 
 %description selinux
 This package provides the SELinux policy module to ensure snapd
 runs properly under an environment with SELinux enabled.
-
+%endif
 
 %if 0%{?with_devel}
 %package devel
-Summary:       %{summary}
+Summary:       Development files for %{name}
 BuildArch:     noarch
 
 %if 0%{?with_check} && ! 0%{?with_bundled}
@@ -211,6 +252,9 @@
 Requires:      golang(github.com/godbus/dbus/introspect)
 Requires:      golang(github.com/gorilla/mux)
 Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
 Requires:      golang(github.com/mvo5/goconfigparser)
 Requires:      golang(github.com/ojii/gettext.go)
 Requires:      golang(github.com/seccomp/libseccomp-golang)
@@ -230,13 +274,16 @@
 # These Provides are unversioned because the sources in
 # the bundled tarball are unversioned (they go by git commit)
 # *sigh*... I hate golang...
-Provides:      bundled(golang(github.com/boltdb/bolt))
+Provides:      bundled(golang(github.com/snapcore/bolt))
 Provides:      bundled(golang(github.com/cheggaaa/pb))
 Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
 Provides:      bundled(golang(github.com/godbus/dbus))
 Provides:      bundled(golang(github.com/godbus/dbus/introspect))
 Provides:      bundled(golang(github.com/gorilla/mux))
 Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
 Provides:      bundled(golang(github.com/mvo5/goconfigparser))
 Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
 Provides:      bundled(golang(github.com/ojii/gettext.go))
@@ -255,6 +302,7 @@
 %endif
 
 # Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
 Provides:      golang(%{import_path}/arch) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
@@ -277,6 +325,7 @@
 Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
@@ -284,9 +333,16 @@
 Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
 Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
 Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
@@ -294,17 +350,23 @@
 Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
-Provides:      golang(%{import_path}/overlord/storestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
@@ -313,6 +375,7 @@
 Provides:      golang(%{import_path}/progress) = %{version}-%{release}
 Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
 Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
@@ -323,6 +386,8 @@
 Provides:      golang(%{import_path}/store) = %{version}-%{release}
 Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
 Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
@@ -330,12 +395,12 @@
 Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
 Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
 Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
 Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
 
 %description devel
-%{summary}
-
 This package contains library source intended for
 building other packages which use import path with
 %{import_path} prefix.
@@ -354,28 +419,25 @@
 Requires:        %{name}-devel = %{version}-%{release}
 
 %description unit-test-devel
-%{summary}
-
 This package contains unit tests for project
 providing packages with %{import_path} prefix.
 %endif
 
 %prep
-%setup -q
-
 %if ! 0%{?with_bundled}
+%setup -q
 # Ensure there's no bundled stuff accidentally leaking in...
 rm -rf vendor/*
 %else
-# Unpack the vendor tarball too...
-%setup -q -T -D -b 1
+# Extract each tarball properly
+%setup -q -D -b 1
 %endif
 
 %build
 # Generate version files
 ./mkversion.sh "%{version}-%{release}"
 
-# We don't want/need squashfuse in the rpm
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
 sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
 
 # Build snapd
@@ -397,7 +459,7 @@
 # We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
 sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
 # We don't need the snapcore fork for bolt - it is just a fix on ppc
-sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
 %endif
 
 # We have to build snapd first to prevent the build from
@@ -406,6 +468,7 @@
 %gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
 %gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
 %gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
 
 # To ensure things work correctly with base snaps,
 # snap-exec and snap-update-ns need to be built statically
@@ -418,10 +481,12 @@
 %endif
 %gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
 
+%if 0%{?with_selinux}
 # Build SELinux module
 pushd ./data/selinux
 make SHARE="%{_datadir}" TARGETS="snappy"
 popd
+%endif
 
 # Build snap-confine
 pushd ./cmd
@@ -441,12 +506,12 @@
     --enable-nvidia-biarch \
     %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
     --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
-    --with-merged-usr
+    --enable-merged-usr
 
 %make_build
 popd
 
-# Build systemd and dbus units, and env files
+# Build systemd units, dbus services, and env files
 pushd ./data
 make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
      SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
@@ -457,41 +522,52 @@
 %install
 install -d -p %{buildroot}%{_bindir}
 install -d -p %{buildroot}%{_libexecdir}/snapd
-install -d -p %{buildroot}%{_mandir}/man1
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
 install -d -p %{buildroot}%{_sysconfdir}/sysconfig
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
 install -d -p %{buildroot}%{_localstatedir}/snap
 install -d -p %{buildroot}%{_localstatedir}/cache/snapd
 install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
 
 # Install snap and snapd
 install -p -m 0755 bin/snap %{buildroot}%{_bindir}
 install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
-install -p -m 0755 bin/snapctl %{buildroot}%{_bindir}/snapctl
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
 
+%if 0%{?with_selinux}
 # Install SELinux module
 install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
 
-# Install snap(1) man page
-bin/snap help --man > %{buildroot}%{_mandir}/man1/snap.1
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
 
 # Install the "info" data file with snapd version
 install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
@@ -514,16 +590,30 @@
 
 # Install all systemd and dbus units, and env files
 pushd ./data
-%make_install SYSTEMDSYSTEMUNITDIR="%{_unitdir}" BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}"
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
 # Remove snappy core specific units
 rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
 rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
 rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
-popd
 
 # Remove snappy core specific scripts
 rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
 
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
 # Install Polkit configuration
 install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
 
@@ -534,6 +624,11 @@
 touch %{buildroot}%{_sharedstatedir}/snapd/state.json
 touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
 
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
 # source codes for building projects
 %if 0%{?with_devel}
 install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
@@ -591,44 +686,60 @@
 %doc README.md docs/*
 %{_bindir}/snap
 %{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
 %dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
 %{_libexecdir}/snapd/snapd
 %{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
 %{_libexecdir}/snapd/info
 %{_libexecdir}/snapd/snap-mgmt
-%{_mandir}/man1/snap.1*
+%{_mandir}/man8/snap.8*
 %{_datadir}/bash-completion/completions/snap
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
 %{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
 %{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
 %config(noreplace) %{_sysconfdir}/sysconfig/snapd
 %dir %{_sharedstatedir}/snapd
 %dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
 %dir %{_sharedstatedir}/snapd/desktop
 %dir %{_sharedstatedir}/snapd/desktop/applications
 %dir %{_sharedstatedir}/snapd/device
 %dir %{_sharedstatedir}/snapd/hostfs
-%dir %{_sharedstatedir}/snapd/mount
-%dir %{_sharedstatedir}/snapd/seccomp
-%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/lib
 %dir %{_sharedstatedir}/snapd/lib/gl
 %dir %{_sharedstatedir}/snapd/lib/gl32
 %dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_sharedstatedir}/snapd/snap
 %ghost %dir %{_sharedstatedir}/snapd/snap/bin
 %dir %{_localstatedir}/cache/snapd
 %dir %{_localstatedir}/snap
 %ghost %{_sharedstatedir}/snapd/state.json
-%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
-%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
 
 %files -n snap-confine
 %doc cmd/snap-confine/PORTING
@@ -637,23 +748,24 @@
 # For now, we can't use caps
 # FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
 %attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
 %{_libexecdir}/snapd/snap-seccomp
 %{_libexecdir}/snapd/snap-update-ns
-%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/system-shutdown
-%{_libexecdir}/snapd/snap-gdb-shim
-%{_libexecdir}/snapd/snapd-generator
-%{_mandir}/man1/snap-confine.1*
-%{_mandir}/man5/snap-discard-ns.5*
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
 %attr(0000,root,root) %{_sharedstatedir}/snapd/void
 
-
+%if 0%{?with_selinux}
 %files selinux
 %license data/selinux/COPYING
 %doc data/selinux/README.md
 %{_datadir}/selinux/packages/snappy.pp.bz2
 %{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
 
 %if 0%{?with_devel}
 %files devel -f devel.file-list
@@ -669,6 +781,9 @@
 %endif
 
 %post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
 %systemd_post %{snappy_svcs}
 # If install, test if snapd socket and timer are enabled.
 # If enabled, then attempt to start them. This will silently fail
@@ -692,6 +807,7 @@
 %postun
 %systemd_postun_with_restart %{snappy_svcs}
 
+%if 0%{?with_selinux}
 %pre selinux
 %selinux_relabel_pre
 
@@ -707,9 +823,1790 @@
 if [ $1 -eq 0 ]; then
     %selinux_relabel_post
 fi
-
+%endif
 
 %changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
 * Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.32.3.2
  - errtracker: make TestJournalErrorSilentError work on
@@ -1021,6 +2918,14 @@
  - systemd, wrappers: start all snap services in one systemctl
    call
  - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
 * Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31.1
  - tests: multiple autopkgtest related fixes for 18.04
@@ -1040,6 +2945,9 @@
    ubuntu
  - daemon: improve ucrednet code for the snap.socket
 
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
 * Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31
  - cmd/snap-confine: allow snap-update-ns to chown things
diff -Nru snapd-2.32.3.2~14.04/packaging/fedora-25/snapd.spec snapd-2.37~rc1~14.04/packaging/fedora-25/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/fedora-25/snapd.spec	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/fedora-25/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -6,6 +6,14 @@
 %bcond_without vendorized
 %endif
 
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
 # A switch to allow building the package with support for testkeys which
 # are used for the spread test suite of snapd.
 %bcond_with testkeys
@@ -15,6 +23,7 @@
 %global with_check 0
 %global with_unit_test 0
 %global with_test_keys 0
+%global with_selinux 1
 
 # For the moment, we don't support all golang arches...
 %global with_goarches 0
@@ -50,7 +59,7 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 
-%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
 
 # Until we have a way to add more extldflags to gobuild macro...
 %if 0%{?fedora} >= 26
@@ -69,8 +78,21 @@
 %define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
 %endif
 
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
 Name:           snapd
-Version:        2.32.3.2
+Version:        2.37
 Release:        0%{?dist}
 Summary:        A transactional software package manager
 Group:          System Environment/Base
@@ -101,17 +123,28 @@
 # snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
 Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
 %else
+%if ! 0%{?amzn2}
 # Rich dependencies not available, always pull in squashfuse
 # snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
 Requires:       squashfuse
 Requires:       fuse
 %endif
+%endif
 
 # bash-completion owns /usr/share/bash-completion/completions
 Requires:       bash-completion
 
+%if 0%{?with_selinux}
 # Force the SELinux module to be installed
 Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
 
 %if ! 0%{?with_bundled}
 BuildRequires: golang(github.com/boltdb/bolt)
@@ -121,6 +154,9 @@
 BuildRequires: golang(github.com/godbus/dbus/introspect)
 BuildRequires: golang(github.com/gorilla/mux)
 BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
 BuildRequires: golang(github.com/mvo5/goconfigparser)
 BuildRequires: golang(github.com/ojii/gettext.go)
 BuildRequires: golang(github.com/seccomp/libseccomp-golang)
@@ -178,6 +214,7 @@
 This package is used internally by snapd to apply confinement to
 the started snap applications.
 
+%if 0%{?with_selinux}
 %package selinux
 Summary:        SELinux module for snapd
 Group:          System Environment/Base
@@ -186,18 +223,22 @@
 BuildRequires:  selinux-policy, selinux-policy-devel
 Requires(post): selinux-policy-base >= %{_selinux_policy_version}
 Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
 Requires(post): policycoreutils-python-utils
+%endif
 Requires(pre):  libselinux-utils
 Requires(post): libselinux-utils
 
 %description selinux
 This package provides the SELinux policy module to ensure snapd
 runs properly under an environment with SELinux enabled.
-
+%endif
 
 %if 0%{?with_devel}
 %package devel
-Summary:       %{summary}
+Summary:       Development files for %{name}
 BuildArch:     noarch
 
 %if 0%{?with_check} && ! 0%{?with_bundled}
@@ -211,6 +252,9 @@
 Requires:      golang(github.com/godbus/dbus/introspect)
 Requires:      golang(github.com/gorilla/mux)
 Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
 Requires:      golang(github.com/mvo5/goconfigparser)
 Requires:      golang(github.com/ojii/gettext.go)
 Requires:      golang(github.com/seccomp/libseccomp-golang)
@@ -230,13 +274,16 @@
 # These Provides are unversioned because the sources in
 # the bundled tarball are unversioned (they go by git commit)
 # *sigh*... I hate golang...
-Provides:      bundled(golang(github.com/boltdb/bolt))
+Provides:      bundled(golang(github.com/snapcore/bolt))
 Provides:      bundled(golang(github.com/cheggaaa/pb))
 Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
 Provides:      bundled(golang(github.com/godbus/dbus))
 Provides:      bundled(golang(github.com/godbus/dbus/introspect))
 Provides:      bundled(golang(github.com/gorilla/mux))
 Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
 Provides:      bundled(golang(github.com/mvo5/goconfigparser))
 Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
 Provides:      bundled(golang(github.com/ojii/gettext.go))
@@ -255,6 +302,7 @@
 %endif
 
 # Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
 Provides:      golang(%{import_path}/arch) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
@@ -277,6 +325,7 @@
 Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
@@ -284,9 +333,16 @@
 Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
 Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
 Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
@@ -294,17 +350,23 @@
 Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
-Provides:      golang(%{import_path}/overlord/storestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
@@ -313,6 +375,7 @@
 Provides:      golang(%{import_path}/progress) = %{version}-%{release}
 Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
 Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
@@ -323,6 +386,8 @@
 Provides:      golang(%{import_path}/store) = %{version}-%{release}
 Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
 Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
@@ -330,12 +395,12 @@
 Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
 Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
 Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
 Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
 
 %description devel
-%{summary}
-
 This package contains library source intended for
 building other packages which use import path with
 %{import_path} prefix.
@@ -354,28 +419,25 @@
 Requires:        %{name}-devel = %{version}-%{release}
 
 %description unit-test-devel
-%{summary}
-
 This package contains unit tests for project
 providing packages with %{import_path} prefix.
 %endif
 
 %prep
-%setup -q
-
 %if ! 0%{?with_bundled}
+%setup -q
 # Ensure there's no bundled stuff accidentally leaking in...
 rm -rf vendor/*
 %else
-# Unpack the vendor tarball too...
-%setup -q -T -D -b 1
+# Extract each tarball properly
+%setup -q -D -b 1
 %endif
 
 %build
 # Generate version files
 ./mkversion.sh "%{version}-%{release}"
 
-# We don't want/need squashfuse in the rpm
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
 sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
 
 # Build snapd
@@ -397,7 +459,7 @@
 # We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
 sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
 # We don't need the snapcore fork for bolt - it is just a fix on ppc
-sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
 %endif
 
 # We have to build snapd first to prevent the build from
@@ -406,6 +468,7 @@
 %gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
 %gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
 %gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
 
 # To ensure things work correctly with base snaps,
 # snap-exec and snap-update-ns need to be built statically
@@ -418,10 +481,12 @@
 %endif
 %gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
 
+%if 0%{?with_selinux}
 # Build SELinux module
 pushd ./data/selinux
 make SHARE="%{_datadir}" TARGETS="snappy"
 popd
+%endif
 
 # Build snap-confine
 pushd ./cmd
@@ -441,12 +506,12 @@
     --enable-nvidia-biarch \
     %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
     --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
-    --with-merged-usr
+    --enable-merged-usr
 
 %make_build
 popd
 
-# Build systemd and dbus units, and env files
+# Build systemd units, dbus services, and env files
 pushd ./data
 make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
      SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
@@ -457,41 +522,52 @@
 %install
 install -d -p %{buildroot}%{_bindir}
 install -d -p %{buildroot}%{_libexecdir}/snapd
-install -d -p %{buildroot}%{_mandir}/man1
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
 install -d -p %{buildroot}%{_sysconfdir}/sysconfig
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
 install -d -p %{buildroot}%{_localstatedir}/snap
 install -d -p %{buildroot}%{_localstatedir}/cache/snapd
 install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
 
 # Install snap and snapd
 install -p -m 0755 bin/snap %{buildroot}%{_bindir}
 install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
-install -p -m 0755 bin/snapctl %{buildroot}%{_bindir}/snapctl
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
 
+%if 0%{?with_selinux}
 # Install SELinux module
 install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
 
-# Install snap(1) man page
-bin/snap help --man > %{buildroot}%{_mandir}/man1/snap.1
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
 
 # Install the "info" data file with snapd version
 install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
@@ -514,16 +590,30 @@
 
 # Install all systemd and dbus units, and env files
 pushd ./data
-%make_install SYSTEMDSYSTEMUNITDIR="%{_unitdir}" BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}"
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
 # Remove snappy core specific units
 rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
 rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
 rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
-popd
 
 # Remove snappy core specific scripts
 rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
 
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
 # Install Polkit configuration
 install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
 
@@ -534,6 +624,11 @@
 touch %{buildroot}%{_sharedstatedir}/snapd/state.json
 touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
 
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
 # source codes for building projects
 %if 0%{?with_devel}
 install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
@@ -591,44 +686,60 @@
 %doc README.md docs/*
 %{_bindir}/snap
 %{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
 %dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
 %{_libexecdir}/snapd/snapd
 %{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
 %{_libexecdir}/snapd/info
 %{_libexecdir}/snapd/snap-mgmt
-%{_mandir}/man1/snap.1*
+%{_mandir}/man8/snap.8*
 %{_datadir}/bash-completion/completions/snap
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
 %{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
 %{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
 %config(noreplace) %{_sysconfdir}/sysconfig/snapd
 %dir %{_sharedstatedir}/snapd
 %dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
 %dir %{_sharedstatedir}/snapd/desktop
 %dir %{_sharedstatedir}/snapd/desktop/applications
 %dir %{_sharedstatedir}/snapd/device
 %dir %{_sharedstatedir}/snapd/hostfs
-%dir %{_sharedstatedir}/snapd/mount
-%dir %{_sharedstatedir}/snapd/seccomp
-%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/lib
 %dir %{_sharedstatedir}/snapd/lib/gl
 %dir %{_sharedstatedir}/snapd/lib/gl32
 %dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_sharedstatedir}/snapd/snap
 %ghost %dir %{_sharedstatedir}/snapd/snap/bin
 %dir %{_localstatedir}/cache/snapd
 %dir %{_localstatedir}/snap
 %ghost %{_sharedstatedir}/snapd/state.json
-%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
-%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
 
 %files -n snap-confine
 %doc cmd/snap-confine/PORTING
@@ -637,23 +748,24 @@
 # For now, we can't use caps
 # FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
 %attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
 %{_libexecdir}/snapd/snap-seccomp
 %{_libexecdir}/snapd/snap-update-ns
-%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/system-shutdown
-%{_libexecdir}/snapd/snap-gdb-shim
-%{_libexecdir}/snapd/snapd-generator
-%{_mandir}/man1/snap-confine.1*
-%{_mandir}/man5/snap-discard-ns.5*
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
 %attr(0000,root,root) %{_sharedstatedir}/snapd/void
 
-
+%if 0%{?with_selinux}
 %files selinux
 %license data/selinux/COPYING
 %doc data/selinux/README.md
 %{_datadir}/selinux/packages/snappy.pp.bz2
 %{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
 
 %if 0%{?with_devel}
 %files devel -f devel.file-list
@@ -669,6 +781,9 @@
 %endif
 
 %post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
 %systemd_post %{snappy_svcs}
 # If install, test if snapd socket and timer are enabled.
 # If enabled, then attempt to start them. This will silently fail
@@ -692,6 +807,7 @@
 %postun
 %systemd_postun_with_restart %{snappy_svcs}
 
+%if 0%{?with_selinux}
 %pre selinux
 %selinux_relabel_pre
 
@@ -707,9 +823,1790 @@
 if [ $1 -eq 0 ]; then
     %selinux_relabel_post
 fi
-
+%endif
 
 %changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
 * Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.32.3.2
  - errtracker: make TestJournalErrorSilentError work on
@@ -1021,6 +2918,14 @@
  - systemd, wrappers: start all snap services in one systemctl
    call
  - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
 * Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31.1
  - tests: multiple autopkgtest related fixes for 18.04
@@ -1040,6 +2945,9 @@
    ubuntu
  - daemon: improve ucrednet code for the snap.socket
 
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
 * Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31
  - cmd/snap-confine: allow snap-update-ns to chown things
diff -Nru snapd-2.32.3.2~14.04/packaging/fedora-26/snapd.spec snapd-2.37~rc1~14.04/packaging/fedora-26/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/fedora-26/snapd.spec	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/fedora-26/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -6,6 +6,14 @@
 %bcond_without vendorized
 %endif
 
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
 # A switch to allow building the package with support for testkeys which
 # are used for the spread test suite of snapd.
 %bcond_with testkeys
@@ -15,6 +23,7 @@
 %global with_check 0
 %global with_unit_test 0
 %global with_test_keys 0
+%global with_selinux 1
 
 # For the moment, we don't support all golang arches...
 %global with_goarches 0
@@ -50,7 +59,7 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 
-%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
 
 # Until we have a way to add more extldflags to gobuild macro...
 %if 0%{?fedora} >= 26
@@ -69,8 +78,21 @@
 %define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
 %endif
 
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
 Name:           snapd
-Version:        2.32.3.2
+Version:        2.37
 Release:        0%{?dist}
 Summary:        A transactional software package manager
 Group:          System Environment/Base
@@ -101,17 +123,28 @@
 # snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
 Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
 %else
+%if ! 0%{?amzn2}
 # Rich dependencies not available, always pull in squashfuse
 # snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
 Requires:       squashfuse
 Requires:       fuse
 %endif
+%endif
 
 # bash-completion owns /usr/share/bash-completion/completions
 Requires:       bash-completion
 
+%if 0%{?with_selinux}
 # Force the SELinux module to be installed
 Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
 
 %if ! 0%{?with_bundled}
 BuildRequires: golang(github.com/boltdb/bolt)
@@ -121,6 +154,9 @@
 BuildRequires: golang(github.com/godbus/dbus/introspect)
 BuildRequires: golang(github.com/gorilla/mux)
 BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
 BuildRequires: golang(github.com/mvo5/goconfigparser)
 BuildRequires: golang(github.com/ojii/gettext.go)
 BuildRequires: golang(github.com/seccomp/libseccomp-golang)
@@ -178,6 +214,7 @@
 This package is used internally by snapd to apply confinement to
 the started snap applications.
 
+%if 0%{?with_selinux}
 %package selinux
 Summary:        SELinux module for snapd
 Group:          System Environment/Base
@@ -186,18 +223,22 @@
 BuildRequires:  selinux-policy, selinux-policy-devel
 Requires(post): selinux-policy-base >= %{_selinux_policy_version}
 Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
 Requires(post): policycoreutils-python-utils
+%endif
 Requires(pre):  libselinux-utils
 Requires(post): libselinux-utils
 
 %description selinux
 This package provides the SELinux policy module to ensure snapd
 runs properly under an environment with SELinux enabled.
-
+%endif
 
 %if 0%{?with_devel}
 %package devel
-Summary:       %{summary}
+Summary:       Development files for %{name}
 BuildArch:     noarch
 
 %if 0%{?with_check} && ! 0%{?with_bundled}
@@ -211,6 +252,9 @@
 Requires:      golang(github.com/godbus/dbus/introspect)
 Requires:      golang(github.com/gorilla/mux)
 Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
 Requires:      golang(github.com/mvo5/goconfigparser)
 Requires:      golang(github.com/ojii/gettext.go)
 Requires:      golang(github.com/seccomp/libseccomp-golang)
@@ -230,13 +274,16 @@
 # These Provides are unversioned because the sources in
 # the bundled tarball are unversioned (they go by git commit)
 # *sigh*... I hate golang...
-Provides:      bundled(golang(github.com/boltdb/bolt))
+Provides:      bundled(golang(github.com/snapcore/bolt))
 Provides:      bundled(golang(github.com/cheggaaa/pb))
 Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
 Provides:      bundled(golang(github.com/godbus/dbus))
 Provides:      bundled(golang(github.com/godbus/dbus/introspect))
 Provides:      bundled(golang(github.com/gorilla/mux))
 Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
 Provides:      bundled(golang(github.com/mvo5/goconfigparser))
 Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
 Provides:      bundled(golang(github.com/ojii/gettext.go))
@@ -255,6 +302,7 @@
 %endif
 
 # Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
 Provides:      golang(%{import_path}/arch) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
@@ -277,6 +325,7 @@
 Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
@@ -284,9 +333,16 @@
 Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
 Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
 Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
@@ -294,17 +350,23 @@
 Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
-Provides:      golang(%{import_path}/overlord/storestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
@@ -313,6 +375,7 @@
 Provides:      golang(%{import_path}/progress) = %{version}-%{release}
 Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
 Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
@@ -323,6 +386,8 @@
 Provides:      golang(%{import_path}/store) = %{version}-%{release}
 Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
 Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
@@ -330,12 +395,12 @@
 Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
 Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
 Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
 Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
 
 %description devel
-%{summary}
-
 This package contains library source intended for
 building other packages which use import path with
 %{import_path} prefix.
@@ -354,28 +419,25 @@
 Requires:        %{name}-devel = %{version}-%{release}
 
 %description unit-test-devel
-%{summary}
-
 This package contains unit tests for project
 providing packages with %{import_path} prefix.
 %endif
 
 %prep
-%setup -q
-
 %if ! 0%{?with_bundled}
+%setup -q
 # Ensure there's no bundled stuff accidentally leaking in...
 rm -rf vendor/*
 %else
-# Unpack the vendor tarball too...
-%setup -q -T -D -b 1
+# Extract each tarball properly
+%setup -q -D -b 1
 %endif
 
 %build
 # Generate version files
 ./mkversion.sh "%{version}-%{release}"
 
-# We don't want/need squashfuse in the rpm
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
 sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
 
 # Build snapd
@@ -397,7 +459,7 @@
 # We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
 sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
 # We don't need the snapcore fork for bolt - it is just a fix on ppc
-sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
 %endif
 
 # We have to build snapd first to prevent the build from
@@ -406,6 +468,7 @@
 %gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
 %gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
 %gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
 
 # To ensure things work correctly with base snaps,
 # snap-exec and snap-update-ns need to be built statically
@@ -418,10 +481,12 @@
 %endif
 %gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
 
+%if 0%{?with_selinux}
 # Build SELinux module
 pushd ./data/selinux
 make SHARE="%{_datadir}" TARGETS="snappy"
 popd
+%endif
 
 # Build snap-confine
 pushd ./cmd
@@ -441,12 +506,12 @@
     --enable-nvidia-biarch \
     %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
     --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
-    --with-merged-usr
+    --enable-merged-usr
 
 %make_build
 popd
 
-# Build systemd and dbus units, and env files
+# Build systemd units, dbus services, and env files
 pushd ./data
 make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
      SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
@@ -457,41 +522,52 @@
 %install
 install -d -p %{buildroot}%{_bindir}
 install -d -p %{buildroot}%{_libexecdir}/snapd
-install -d -p %{buildroot}%{_mandir}/man1
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
 install -d -p %{buildroot}%{_sysconfdir}/sysconfig
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
 install -d -p %{buildroot}%{_localstatedir}/snap
 install -d -p %{buildroot}%{_localstatedir}/cache/snapd
 install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
 
 # Install snap and snapd
 install -p -m 0755 bin/snap %{buildroot}%{_bindir}
 install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
-install -p -m 0755 bin/snapctl %{buildroot}%{_bindir}/snapctl
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
 
+%if 0%{?with_selinux}
 # Install SELinux module
 install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
 
-# Install snap(1) man page
-bin/snap help --man > %{buildroot}%{_mandir}/man1/snap.1
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
 
 # Install the "info" data file with snapd version
 install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
@@ -514,16 +590,30 @@
 
 # Install all systemd and dbus units, and env files
 pushd ./data
-%make_install SYSTEMDSYSTEMUNITDIR="%{_unitdir}" BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}"
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
 # Remove snappy core specific units
 rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
 rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
 rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
-popd
 
 # Remove snappy core specific scripts
 rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
 
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
 # Install Polkit configuration
 install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
 
@@ -534,6 +624,11 @@
 touch %{buildroot}%{_sharedstatedir}/snapd/state.json
 touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
 
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
 # source codes for building projects
 %if 0%{?with_devel}
 install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
@@ -591,44 +686,60 @@
 %doc README.md docs/*
 %{_bindir}/snap
 %{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
 %dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
 %{_libexecdir}/snapd/snapd
 %{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
 %{_libexecdir}/snapd/info
 %{_libexecdir}/snapd/snap-mgmt
-%{_mandir}/man1/snap.1*
+%{_mandir}/man8/snap.8*
 %{_datadir}/bash-completion/completions/snap
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
 %{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
 %{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
 %config(noreplace) %{_sysconfdir}/sysconfig/snapd
 %dir %{_sharedstatedir}/snapd
 %dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
 %dir %{_sharedstatedir}/snapd/desktop
 %dir %{_sharedstatedir}/snapd/desktop/applications
 %dir %{_sharedstatedir}/snapd/device
 %dir %{_sharedstatedir}/snapd/hostfs
-%dir %{_sharedstatedir}/snapd/mount
-%dir %{_sharedstatedir}/snapd/seccomp
-%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/lib
 %dir %{_sharedstatedir}/snapd/lib/gl
 %dir %{_sharedstatedir}/snapd/lib/gl32
 %dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_sharedstatedir}/snapd/snap
 %ghost %dir %{_sharedstatedir}/snapd/snap/bin
 %dir %{_localstatedir}/cache/snapd
 %dir %{_localstatedir}/snap
 %ghost %{_sharedstatedir}/snapd/state.json
-%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
-%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
 
 %files -n snap-confine
 %doc cmd/snap-confine/PORTING
@@ -637,23 +748,24 @@
 # For now, we can't use caps
 # FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
 %attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
 %{_libexecdir}/snapd/snap-seccomp
 %{_libexecdir}/snapd/snap-update-ns
-%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/system-shutdown
-%{_libexecdir}/snapd/snap-gdb-shim
-%{_libexecdir}/snapd/snapd-generator
-%{_mandir}/man1/snap-confine.1*
-%{_mandir}/man5/snap-discard-ns.5*
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
 %attr(0000,root,root) %{_sharedstatedir}/snapd/void
 
-
+%if 0%{?with_selinux}
 %files selinux
 %license data/selinux/COPYING
 %doc data/selinux/README.md
 %{_datadir}/selinux/packages/snappy.pp.bz2
 %{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
 
 %if 0%{?with_devel}
 %files devel -f devel.file-list
@@ -669,6 +781,9 @@
 %endif
 
 %post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
 %systemd_post %{snappy_svcs}
 # If install, test if snapd socket and timer are enabled.
 # If enabled, then attempt to start them. This will silently fail
@@ -692,6 +807,7 @@
 %postun
 %systemd_postun_with_restart %{snappy_svcs}
 
+%if 0%{?with_selinux}
 %pre selinux
 %selinux_relabel_pre
 
@@ -707,9 +823,1790 @@
 if [ $1 -eq 0 ]; then
     %selinux_relabel_post
 fi
-
+%endif
 
 %changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
 * Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.32.3.2
  - errtracker: make TestJournalErrorSilentError work on
@@ -1021,6 +2918,14 @@
  - systemd, wrappers: start all snap services in one systemctl
    call
  - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
 * Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31.1
  - tests: multiple autopkgtest related fixes for 18.04
@@ -1040,6 +2945,9 @@
    ubuntu
  - daemon: improve ucrednet code for the snap.socket
 
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
 * Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31
  - cmd/snap-confine: allow snap-update-ns to chown things
diff -Nru snapd-2.32.3.2~14.04/packaging/fedora-27/snapd.spec snapd-2.37~rc1~14.04/packaging/fedora-27/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/fedora-27/snapd.spec	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/fedora-27/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -6,6 +6,14 @@
 %bcond_without vendorized
 %endif
 
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
 # A switch to allow building the package with support for testkeys which
 # are used for the spread test suite of snapd.
 %bcond_with testkeys
@@ -15,6 +23,7 @@
 %global with_check 0
 %global with_unit_test 0
 %global with_test_keys 0
+%global with_selinux 1
 
 # For the moment, we don't support all golang arches...
 %global with_goarches 0
@@ -50,7 +59,7 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 
-%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
 
 # Until we have a way to add more extldflags to gobuild macro...
 %if 0%{?fedora} >= 26
@@ -69,8 +78,21 @@
 %define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
 %endif
 
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
 Name:           snapd
-Version:        2.32.3.2
+Version:        2.37
 Release:        0%{?dist}
 Summary:        A transactional software package manager
 Group:          System Environment/Base
@@ -101,17 +123,28 @@
 # snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
 Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
 %else
+%if ! 0%{?amzn2}
 # Rich dependencies not available, always pull in squashfuse
 # snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
 Requires:       squashfuse
 Requires:       fuse
 %endif
+%endif
 
 # bash-completion owns /usr/share/bash-completion/completions
 Requires:       bash-completion
 
+%if 0%{?with_selinux}
 # Force the SELinux module to be installed
 Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
 
 %if ! 0%{?with_bundled}
 BuildRequires: golang(github.com/boltdb/bolt)
@@ -121,6 +154,9 @@
 BuildRequires: golang(github.com/godbus/dbus/introspect)
 BuildRequires: golang(github.com/gorilla/mux)
 BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
 BuildRequires: golang(github.com/mvo5/goconfigparser)
 BuildRequires: golang(github.com/ojii/gettext.go)
 BuildRequires: golang(github.com/seccomp/libseccomp-golang)
@@ -178,6 +214,7 @@
 This package is used internally by snapd to apply confinement to
 the started snap applications.
 
+%if 0%{?with_selinux}
 %package selinux
 Summary:        SELinux module for snapd
 Group:          System Environment/Base
@@ -186,18 +223,22 @@
 BuildRequires:  selinux-policy, selinux-policy-devel
 Requires(post): selinux-policy-base >= %{_selinux_policy_version}
 Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
 Requires(post): policycoreutils-python-utils
+%endif
 Requires(pre):  libselinux-utils
 Requires(post): libselinux-utils
 
 %description selinux
 This package provides the SELinux policy module to ensure snapd
 runs properly under an environment with SELinux enabled.
-
+%endif
 
 %if 0%{?with_devel}
 %package devel
-Summary:       %{summary}
+Summary:       Development files for %{name}
 BuildArch:     noarch
 
 %if 0%{?with_check} && ! 0%{?with_bundled}
@@ -211,6 +252,9 @@
 Requires:      golang(github.com/godbus/dbus/introspect)
 Requires:      golang(github.com/gorilla/mux)
 Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
 Requires:      golang(github.com/mvo5/goconfigparser)
 Requires:      golang(github.com/ojii/gettext.go)
 Requires:      golang(github.com/seccomp/libseccomp-golang)
@@ -230,13 +274,16 @@
 # These Provides are unversioned because the sources in
 # the bundled tarball are unversioned (they go by git commit)
 # *sigh*... I hate golang...
-Provides:      bundled(golang(github.com/boltdb/bolt))
+Provides:      bundled(golang(github.com/snapcore/bolt))
 Provides:      bundled(golang(github.com/cheggaaa/pb))
 Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
 Provides:      bundled(golang(github.com/godbus/dbus))
 Provides:      bundled(golang(github.com/godbus/dbus/introspect))
 Provides:      bundled(golang(github.com/gorilla/mux))
 Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
 Provides:      bundled(golang(github.com/mvo5/goconfigparser))
 Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
 Provides:      bundled(golang(github.com/ojii/gettext.go))
@@ -255,6 +302,7 @@
 %endif
 
 # Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
 Provides:      golang(%{import_path}/arch) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
@@ -277,6 +325,7 @@
 Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
@@ -284,9 +333,16 @@
 Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
 Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
 Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
@@ -294,17 +350,23 @@
 Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
-Provides:      golang(%{import_path}/overlord/storestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
@@ -313,6 +375,7 @@
 Provides:      golang(%{import_path}/progress) = %{version}-%{release}
 Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
 Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
@@ -323,6 +386,8 @@
 Provides:      golang(%{import_path}/store) = %{version}-%{release}
 Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
 Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
@@ -330,12 +395,12 @@
 Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
 Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
 Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
 Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
 
 %description devel
-%{summary}
-
 This package contains library source intended for
 building other packages which use import path with
 %{import_path} prefix.
@@ -354,28 +419,25 @@
 Requires:        %{name}-devel = %{version}-%{release}
 
 %description unit-test-devel
-%{summary}
-
 This package contains unit tests for project
 providing packages with %{import_path} prefix.
 %endif
 
 %prep
-%setup -q
-
 %if ! 0%{?with_bundled}
+%setup -q
 # Ensure there's no bundled stuff accidentally leaking in...
 rm -rf vendor/*
 %else
-# Unpack the vendor tarball too...
-%setup -q -T -D -b 1
+# Extract each tarball properly
+%setup -q -D -b 1
 %endif
 
 %build
 # Generate version files
 ./mkversion.sh "%{version}-%{release}"
 
-# We don't want/need squashfuse in the rpm
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
 sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
 
 # Build snapd
@@ -397,7 +459,7 @@
 # We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
 sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
 # We don't need the snapcore fork for bolt - it is just a fix on ppc
-sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
 %endif
 
 # We have to build snapd first to prevent the build from
@@ -406,6 +468,7 @@
 %gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
 %gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
 %gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
 
 # To ensure things work correctly with base snaps,
 # snap-exec and snap-update-ns need to be built statically
@@ -418,10 +481,12 @@
 %endif
 %gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
 
+%if 0%{?with_selinux}
 # Build SELinux module
 pushd ./data/selinux
 make SHARE="%{_datadir}" TARGETS="snappy"
 popd
+%endif
 
 # Build snap-confine
 pushd ./cmd
@@ -441,12 +506,12 @@
     --enable-nvidia-biarch \
     %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
     --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
-    --with-merged-usr
+    --enable-merged-usr
 
 %make_build
 popd
 
-# Build systemd and dbus units, and env files
+# Build systemd units, dbus services, and env files
 pushd ./data
 make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
      SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
@@ -457,41 +522,52 @@
 %install
 install -d -p %{buildroot}%{_bindir}
 install -d -p %{buildroot}%{_libexecdir}/snapd
-install -d -p %{buildroot}%{_mandir}/man1
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
 install -d -p %{buildroot}%{_sysconfdir}/sysconfig
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
 install -d -p %{buildroot}%{_localstatedir}/snap
 install -d -p %{buildroot}%{_localstatedir}/cache/snapd
 install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
 
 # Install snap and snapd
 install -p -m 0755 bin/snap %{buildroot}%{_bindir}
 install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
-install -p -m 0755 bin/snapctl %{buildroot}%{_bindir}/snapctl
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
 
+%if 0%{?with_selinux}
 # Install SELinux module
 install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
 
-# Install snap(1) man page
-bin/snap help --man > %{buildroot}%{_mandir}/man1/snap.1
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
 
 # Install the "info" data file with snapd version
 install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
@@ -514,16 +590,30 @@
 
 # Install all systemd and dbus units, and env files
 pushd ./data
-%make_install SYSTEMDSYSTEMUNITDIR="%{_unitdir}" BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}"
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
 # Remove snappy core specific units
 rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
 rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
 rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
-popd
 
 # Remove snappy core specific scripts
 rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
 
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
 # Install Polkit configuration
 install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
 
@@ -534,6 +624,11 @@
 touch %{buildroot}%{_sharedstatedir}/snapd/state.json
 touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
 
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
 # source codes for building projects
 %if 0%{?with_devel}
 install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
@@ -591,44 +686,60 @@
 %doc README.md docs/*
 %{_bindir}/snap
 %{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
 %dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
 %{_libexecdir}/snapd/snapd
 %{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
 %{_libexecdir}/snapd/info
 %{_libexecdir}/snapd/snap-mgmt
-%{_mandir}/man1/snap.1*
+%{_mandir}/man8/snap.8*
 %{_datadir}/bash-completion/completions/snap
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
 %{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
 %{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
 %config(noreplace) %{_sysconfdir}/sysconfig/snapd
 %dir %{_sharedstatedir}/snapd
 %dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
 %dir %{_sharedstatedir}/snapd/desktop
 %dir %{_sharedstatedir}/snapd/desktop/applications
 %dir %{_sharedstatedir}/snapd/device
 %dir %{_sharedstatedir}/snapd/hostfs
-%dir %{_sharedstatedir}/snapd/mount
-%dir %{_sharedstatedir}/snapd/seccomp
-%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/lib
 %dir %{_sharedstatedir}/snapd/lib/gl
 %dir %{_sharedstatedir}/snapd/lib/gl32
 %dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_sharedstatedir}/snapd/snap
 %ghost %dir %{_sharedstatedir}/snapd/snap/bin
 %dir %{_localstatedir}/cache/snapd
 %dir %{_localstatedir}/snap
 %ghost %{_sharedstatedir}/snapd/state.json
-%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
-%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
 
 %files -n snap-confine
 %doc cmd/snap-confine/PORTING
@@ -637,23 +748,24 @@
 # For now, we can't use caps
 # FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
 %attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
 %{_libexecdir}/snapd/snap-seccomp
 %{_libexecdir}/snapd/snap-update-ns
-%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/system-shutdown
-%{_libexecdir}/snapd/snap-gdb-shim
-%{_libexecdir}/snapd/snapd-generator
-%{_mandir}/man1/snap-confine.1*
-%{_mandir}/man5/snap-discard-ns.5*
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
 %attr(0000,root,root) %{_sharedstatedir}/snapd/void
 
-
+%if 0%{?with_selinux}
 %files selinux
 %license data/selinux/COPYING
 %doc data/selinux/README.md
 %{_datadir}/selinux/packages/snappy.pp.bz2
 %{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
 
 %if 0%{?with_devel}
 %files devel -f devel.file-list
@@ -669,6 +781,9 @@
 %endif
 
 %post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
 %systemd_post %{snappy_svcs}
 # If install, test if snapd socket and timer are enabled.
 # If enabled, then attempt to start them. This will silently fail
@@ -692,6 +807,7 @@
 %postun
 %systemd_postun_with_restart %{snappy_svcs}
 
+%if 0%{?with_selinux}
 %pre selinux
 %selinux_relabel_pre
 
@@ -707,9 +823,1790 @@
 if [ $1 -eq 0 ]; then
     %selinux_relabel_post
 fi
-
+%endif
 
 %changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
 * Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.32.3.2
  - errtracker: make TestJournalErrorSilentError work on
@@ -1021,6 +2918,14 @@
  - systemd, wrappers: start all snap services in one systemctl
    call
  - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
 * Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31.1
  - tests: multiple autopkgtest related fixes for 18.04
@@ -1040,6 +2945,9 @@
    ubuntu
  - daemon: improve ucrednet code for the snap.socket
 
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
 * Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31
  - cmd/snap-confine: allow snap-update-ns to chown things
diff -Nru snapd-2.32.3.2~14.04/packaging/fedora-28/snapd.spec snapd-2.37~rc1~14.04/packaging/fedora-28/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/fedora-28/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/fedora-28/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4448 @@
+# With Fedora, nothing is bundled. For everything else, bundling is used.
+# To use bundled stuff, use "--with vendorized" on rpmbuild
+%if 0%{?fedora}
+%bcond_with vendorized
+%else
+%bcond_without vendorized
+%endif
+
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
+# A switch to allow building the package with support for testkeys which
+# are used for the spread test suite of snapd.
+%bcond_with testkeys
+
+%global with_devel 1
+%global with_debug 1
+%global with_check 0
+%global with_unit_test 0
+%global with_test_keys 0
+%global with_selinux 1
+
+# For the moment, we don't support all golang arches...
+%global with_goarches 0
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%if ! %{with vendorized}
+%global with_bundled 0
+%else
+%global with_bundled 1
+%endif
+
+%if ! %{with testkeys}
+%global with_test_keys 0
+%else
+%global with_test_keys 1
+%endif
+
+%if 0%{?with_debug}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package   %{nil}
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+# https://github.com/snapcore/snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
+
+# Until we have a way to add more extldflags to gobuild macro...
+%if 0%{?fedora} >= 26
+%define gobuild_static(o:) go build -buildmode pie -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+%if 0%{?fedora} == 25
+%define gobuild_static(o:) go build -compiler gc -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-static'" -a -v -x %{?**};
+%endif
+%if 0%{?rhel} == 7
+%define gobuild_static(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+
+# These macros are not defined in RHEL 7
+%if 0%{?rhel} == 7
+%define gobuild(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
+%endif
+
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
+Name:           snapd
+Version:        2.37
+Release:        0%{?dist}
+Summary:        A transactional software package manager
+Group:          System Environment/Base
+License:        GPLv3
+URL:            https://%{provider_prefix}
+Source0:        https://%{provider_prefix}/archive/%{version}/%{name}-%{version}.tar.gz
+%if 0%{?with_bundled}
+Source1:        https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.only-vendor.tar.xz
+%endif
+
+%if 0%{?with_goarches}
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+%else
+# Verified arches from snapd upstream
+ExclusiveArch:  %{ix86} x86_64 %{arm} aarch64 ppc64le s390x
+%endif
+
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
+BuildRequires:  systemd
+%{?systemd_requires}
+
+Requires:       snap-confine%{?_isa} = %{version}-%{release}
+Requires:       squashfs-tools
+
+%if 0%{?fedora} >= 26 || 0%{?rhel} >= 8
+# snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
+Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
+%else
+%if ! 0%{?amzn2}
+# Rich dependencies not available, always pull in squashfuse
+# snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
+Requires:       squashfuse
+Requires:       fuse
+%endif
+%endif
+
+# bash-completion owns /usr/share/bash-completion/completions
+Requires:       bash-completion
+
+%if 0%{?with_selinux}
+# Force the SELinux module to be installed
+Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
+
+%if ! 0%{?with_bundled}
+BuildRequires: golang(github.com/boltdb/bolt)
+BuildRequires: golang(github.com/cheggaaa/pb)
+BuildRequires: golang(github.com/coreos/go-systemd/activation)
+BuildRequires: golang(github.com/godbus/dbus)
+BuildRequires: golang(github.com/godbus/dbus/introspect)
+BuildRequires: golang(github.com/gorilla/mux)
+BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
+BuildRequires: golang(github.com/mvo5/goconfigparser)
+BuildRequires: golang(github.com/ojii/gettext.go)
+BuildRequires: golang(github.com/seccomp/libseccomp-golang)
+BuildRequires: golang(golang.org/x/crypto/openpgp/armor)
+BuildRequires: golang(golang.org/x/crypto/openpgp/packet)
+BuildRequires: golang(golang.org/x/crypto/sha3)
+BuildRequires: golang(golang.org/x/crypto/ssh/terminal)
+BuildRequires: golang(golang.org/x/net/context)
+BuildRequires: golang(golang.org/x/net/context/ctxhttp)
+BuildRequires: golang(gopkg.in/check.v1)
+BuildRequires: golang(gopkg.in/macaroon.v1)
+BuildRequires: golang(gopkg.in/mgo.v2/bson)
+BuildRequires: golang(gopkg.in/retry.v1)
+BuildRequires: golang(gopkg.in/tomb.v2)
+BuildRequires: golang(gopkg.in/yaml.v2)
+%endif
+
+%description
+Snappy is a modern, cross-distribution, transactional package manager
+designed for working with self-contained, immutable packages.
+
+%package -n snap-confine
+Summary:        Confinement system for snap applications
+License:        GPLv3
+Group:          System Environment/Base
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  gcc
+BuildRequires:  gettext
+BuildRequires:  gnupg
+BuildRequires:  indent
+BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(libcap)
+BuildRequires:  pkgconfig(libseccomp)
+BuildRequires:  pkgconfig(libudev)
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  pkgconfig(udev)
+BuildRequires:  xfsprogs-devel
+BuildRequires:  glibc-static
+%if ! 0%{?rhel}
+BuildRequires:  libseccomp-static
+%endif
+BuildRequires:  valgrind
+BuildRequires:  %{_bindir}/rst2man
+%if 0%{?fedora} >= 25
+# ShellCheck in F24 and older doesn't work
+BuildRequires:  %{_bindir}/shellcheck
+%endif
+
+# Ensures older version from split packaging is replaced
+Obsoletes:      snap-confine < 2.19
+
+%description -n snap-confine
+This package is used internally by snapd to apply confinement to
+the started snap applications.
+
+%if 0%{?with_selinux}
+%package selinux
+Summary:        SELinux module for snapd
+Group:          System Environment/Base
+License:        GPLv2+
+BuildArch:      noarch
+BuildRequires:  selinux-policy, selinux-policy-devel
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
+Requires(post): policycoreutils-python-utils
+%endif
+Requires(pre):  libselinux-utils
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure snapd
+runs properly under an environment with SELinux enabled.
+%endif
+
+%if 0%{?with_devel}
+%package devel
+Summary:       Development files for %{name}
+BuildArch:     noarch
+
+%if 0%{?with_check} && ! 0%{?with_bundled}
+%endif
+
+%if ! 0%{?with_bundled}
+Requires:      golang(github.com/boltdb/bolt)
+Requires:      golang(github.com/cheggaaa/pb)
+Requires:      golang(github.com/coreos/go-systemd/activation)
+Requires:      golang(github.com/godbus/dbus)
+Requires:      golang(github.com/godbus/dbus/introspect)
+Requires:      golang(github.com/gorilla/mux)
+Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
+Requires:      golang(github.com/mvo5/goconfigparser)
+Requires:      golang(github.com/ojii/gettext.go)
+Requires:      golang(github.com/seccomp/libseccomp-golang)
+Requires:      golang(golang.org/x/crypto/openpgp/armor)
+Requires:      golang(golang.org/x/crypto/openpgp/packet)
+Requires:      golang(golang.org/x/crypto/sha3)
+Requires:      golang(golang.org/x/crypto/ssh/terminal)
+Requires:      golang(golang.org/x/net/context)
+Requires:      golang(golang.org/x/net/context/ctxhttp)
+Requires:      golang(gopkg.in/check.v1)
+Requires:      golang(gopkg.in/macaroon.v1)
+Requires:      golang(gopkg.in/mgo.v2/bson)
+Requires:      golang(gopkg.in/retry.v1)
+Requires:      golang(gopkg.in/tomb.v2)
+Requires:      golang(gopkg.in/yaml.v2)
+%else
+# These Provides are unversioned because the sources in
+# the bundled tarball are unversioned (they go by git commit)
+# *sigh*... I hate golang...
+Provides:      bundled(golang(github.com/snapcore/bolt))
+Provides:      bundled(golang(github.com/cheggaaa/pb))
+Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
+Provides:      bundled(golang(github.com/godbus/dbus))
+Provides:      bundled(golang(github.com/godbus/dbus/introspect))
+Provides:      bundled(golang(github.com/gorilla/mux))
+Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
+Provides:      bundled(golang(github.com/mvo5/goconfigparser))
+Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
+Provides:      bundled(golang(github.com/ojii/gettext.go))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/armor))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/packet))
+Provides:      bundled(golang(golang.org/x/crypto/sha3))
+Provides:      bundled(golang(golang.org/x/crypto/ssh/terminal))
+Provides:      bundled(golang(golang.org/x/net/context))
+Provides:      bundled(golang(golang.org/x/net/context/ctxhttp))
+Provides:      bundled(golang(gopkg.in/check.v1))
+Provides:      bundled(golang(gopkg.in/macaroon.v1))
+Provides:      bundled(golang(gopkg.in/mgo.v2/bson))
+Provides:      bundled(golang(gopkg.in/retry.v1))
+Provides:      bundled(golang(gopkg.in/tomb.v2))
+Provides:      bundled(golang(gopkg.in/yaml.v2))
+%endif
+
+# Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
+Provides:      golang(%{import_path}/arch) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/signtool) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/snapasserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/sysdb) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/systestkeys) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot/boottest) = %{version}-%{release}
+Provides:      golang(%{import_path}/client) = %{version}-%{release}
+Provides:      golang(%{import_path}/cmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/daemon) = %{version}-%{release}
+Provides:      golang(%{import_path}/dirs) = %{version}-%{release}
+Provides:      golang(%{import_path}/errtracker) = %{version}-%{release}
+Provides:      golang(%{import_path}/httputil) = %{version}-%{release}
+Provides:      golang(%{import_path}/i18n) = %{version}-%{release}
+Provides:      golang(%{import_path}/image) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/apparmor) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/policy) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
+Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/cmdstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/ubootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/polkit) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snaptest) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/spdx) = %{version}-%{release}
+Provides:      golang(%{import_path}/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
+Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/testutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
+Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
+Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
+
+%description devel
+This package contains library source intended for
+building other packages which use import path with
+%{import_path} prefix.
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%package unit-test-devel
+Summary:         Unit tests for %{name} package
+
+%if 0%{?with_check}
+#Here comes all BuildRequires: PACKAGE the unit tests
+#in %%check section need for running
+%endif
+
+# test subpackage tests code from devel subpackage
+Requires:        %{name}-devel = %{version}-%{release}
+
+%description unit-test-devel
+This package contains unit tests for project
+providing packages with %{import_path} prefix.
+%endif
+
+%prep
+%if ! 0%{?with_bundled}
+%setup -q
+# Ensure there's no bundled stuff accidentally leaking in...
+rm -rf vendor/*
+%else
+# Extract each tarball properly
+%setup -q -D -b 1
+%endif
+
+%build
+# Generate version files
+./mkversion.sh "%{version}-%{release}"
+
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
+sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
+
+# Build snapd
+mkdir -p src/github.com/snapcore
+ln -s ../../../ src/github.com/snapcore/snapd
+
+%if ! 0%{?with_bundled}
+export GOPATH=$(pwd):%{gopath}
+%else
+export GOPATH=$(pwd):$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+
+GOFLAGS=
+%if 0%{?with_test_keys}
+GOFLAGS="$GOFLAGS -tags withtestkeys"
+%endif
+
+%if ! 0%{?with_bundled}
+# We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
+sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
+# We don't need the snapcore fork for bolt - it is just a fix on ppc
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
+%endif
+
+# We have to build snapd first to prevent the build from
+# building various things from the tree without additional
+# set tags.
+%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
+%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
+%gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
+
+# To ensure things work correctly with base snaps,
+# snap-exec and snap-update-ns need to be built statically
+%gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec
+%gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns
+
+%if 0%{?rhel}
+# There's no static link library for libseccomp in RHEL/CentOS...
+sed -e "s/-Bstatic -lseccomp/-Bstatic/g" -i cmd/snap-seccomp/*.go
+%endif
+%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
+
+%if 0%{?with_selinux}
+# Build SELinux module
+pushd ./data/selinux
+make SHARE="%{_datadir}" TARGETS="snappy"
+popd
+%endif
+
+# Build snap-confine
+pushd ./cmd
+# FIXME This is a hack to get rid of a patch we have to ship for the
+# Fedora package at the moment as /usr/lib/rpm/redhat/redhat-hardened-ld
+# accidentially adds -pie for static executables. See
+# https://bugzilla.redhat.com/show_bug.cgi?id=1343892 for a few more
+# details. To prevent this from happening we drop the linker
+# script and define our LDFLAGS manually for now.
+export LDFLAGS="-Wl,-z,relro -z now"
+autoreconf --force --install --verbose
+# selinux support is not yet available, for now just disable apparmor
+# FIXME: add --enable-caps-over-setuid as soon as possible (setuid discouraged!)
+%configure \
+    --disable-apparmor \
+    --libexecdir=%{_libexecdir}/snapd/ \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
+    --enable-merged-usr
+
+%make_build
+popd
+
+# Build systemd units, dbus services, and env files
+pushd ./data
+make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+     SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+     SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+     SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%install
+install -d -p %{buildroot}%{_bindir}
+install -d -p %{buildroot}%{_libexecdir}/snapd
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
+install -d -p %{buildroot}%{_unitdir}
+install -d -p %{buildroot}%{_sysconfdir}/profile.d
+install -d -p %{buildroot}%{_sysconfdir}/sysconfig
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
+install -d -p %{buildroot}%{_localstatedir}/snap
+install -d -p %{buildroot}%{_localstatedir}/cache/snapd
+install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap and snapd
+install -p -m 0755 bin/snap %{buildroot}%{_bindir}
+install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+
+%if 0%{?with_selinux}
+# Install SELinux module
+install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+
+# Install the "info" data file with snapd version
+install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
+
+# Install bash completion for "snap"
+install -m 644 -D data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Install snap-confine
+pushd ./cmd
+%make_install
+# Undo the 0000 permissions, they are restored in the files section
+chmod 0755 %{buildroot}%{_sharedstatedir}/snapd/void
+# We don't use AppArmor
+rm -rfv %{buildroot}%{_sysconfdir}/apparmor.d
+# ubuntu-core-launcher is dead
+rm -fv %{buildroot}%{_bindir}/ubuntu-core-launcher
+popd
+
+# Install all systemd and dbus units, and env files
+pushd ./data
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
+# Remove snappy core specific units
+rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
+rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
+rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
+
+# Remove snappy core specific scripts
+rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
+# Install Polkit configuration
+install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# Disable re-exec by default
+echo 'SNAP_REEXEC=0' > %{buildroot}%{_sysconfdir}/sysconfig/snapd
+
+# Create state.json and the README file to be ghosted
+touch %{buildroot}%{_sharedstatedir}/snapd/state.json
+touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
+
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
+# source codes for building projects
+%if 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+echo "%%dir %%{gopath}/src/%%{import_path}/." >> devel.file-list
+# find all *.go but no *_test.go files and generate devel.file-list
+for file in $(find . -iname "*.go" -o -iname "*.s" \! -iname "*_test.go") ; do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list
+done
+%endif
+
+# testing files for this project
+%if 0%{?with_unit_test} && 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+# find all *_test.go files and generate unit-test.file-list
+for file in $(find . -iname "*_test.go"); do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> unit-test-devel.file-list
+done
+
+# Install additional testdata
+install -d %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+cp -pav cmd/snap/test-data/* %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+echo "%%{gopath}/src/%%{import_path}/cmd/snap/test-data" >> unit-test-devel.file-list
+%endif
+
+%if 0%{?with_devel}
+sort -u -o devel.file-list devel.file-list
+%endif
+
+%check
+# snapd tests
+%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel}
+%if ! 0%{?with_bundled}
+export GOPATH=%{buildroot}/%{gopath}:%{gopath}
+%else
+export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+%gotest %{import_path}/...
+%endif
+
+# snap-confine tests (these always run!)
+pushd ./cmd
+make check
+popd
+
+%files
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+%license COPYING
+%doc README.md docs/*
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
+%dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-mgmt
+%{_mandir}/man8/snap.8*
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
+%{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+%config(noreplace) %{_sysconfdir}/sysconfig/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/snap
+%ghost %dir %{_sharedstatedir}/snapd/snap/bin
+%dir %{_localstatedir}/cache/snapd
+%dir %{_localstatedir}/snap
+%ghost %{_sharedstatedir}/snapd/state.json
+%ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
+
+%files -n snap-confine
+%doc cmd/snap-confine/PORTING
+%license COPYING
+%dir %{_libexecdir}/snapd
+# For now, we can't use caps
+# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
+%attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/system-shutdown
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
+%attr(0000,root,root) %{_sharedstatedir}/snapd/void
+
+%if 0%{?with_selinux}
+%files selinux
+%license data/selinux/COPYING
+%doc data/selinux/README.md
+%{_datadir}/selinux/packages/snappy.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
+
+%if 0%{?with_devel}
+%files devel -f devel.file-list
+%license COPYING
+%doc README.md
+%dir %{gopath}/src/%{provider}.%{provider_tld}/%{project}
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%files unit-test-devel -f unit-test-devel.file-list
+%license COPYING
+%doc README.md
+%endif
+
+%post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
+%systemd_post %{snappy_svcs}
+# If install, test if snapd socket and timer are enabled.
+# If enabled, then attempt to start them. This will silently fail
+# in chroots or other environments where services aren't expected
+# to be started.
+if [ $1 -eq 1 ] ; then
+   if systemctl -q is-enabled snapd.socket > /dev/null 2>&1 ; then
+      systemctl start snapd.socket > /dev/null 2>&1 || :
+   fi
+fi
+
+%preun
+%systemd_preun %{snappy_svcs}
+
+# Remove all Snappy content if snapd is being fully uninstalled
+if [ $1 -eq 0 ]; then
+   %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+
+%postun
+%systemd_postun_with_restart %{snappy_svcs}
+
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/snappy.pp.bz2
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall snappy
+if [ $1 -eq 0 ]; then
+    %selinux_relabel_post
+fi
+%endif
+
+%changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.2
+ - errtracker: make TestJournalErrorSilentError work on
+   gccgo
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.1
+ - debian: add gbp.conf script to build snapd via `gbp
+   buildpackage`
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - data/selinux: Give snapd access to more aspects of the system
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - overlord: test fix, address corner case
+
+* Thu Apr 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate: inject autoconnect tasks in doLinkSnap for regular
+   snaps
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - osutil: fix fstab parser to allow for # in field values
+
+* Sat Mar 31 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.2
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - tests: adjust canonical-livepatch test on GCE
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc
+ - spread.yaml: switch Fedora 27 tests to manual
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses arch
+   triplets
+ - vendor: update gopkg.in/yaml.v2 to the latest version (#4945)
+
+* Mon Mar 26 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.1
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - tests: disentangle etc vs extrausers in core tests
+ - packaging: fix changelogs' typo
+
+* Sat Mar 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32
+ - snap: make `snap run` look at the system-key for security profiles
+ - overlord/configstate: change how ssh is stopped/started
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: deal with missing commands.db file
+ - interfaces,release: probe seccomp features lazily
+ - interfaces: harden snap-update-ns profile
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: change debug for layout test
+ - cmd/snap-confine: don't use per-snap s-u-n profile
+ - many: backported fixes for layouts and symlinks
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - cmd/snap-confine: fix ptrace rule with snap-confine peer
+ - tests: update tests to deal with s390x quirks
+ - snapstate: add compat mode for default-provider"snapname:ifname"
+ - snap-confine: fallback to /lib/udev/snappy-app-dev if the core is
+   older
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - debian: undo snap.mount system unit removal
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - tests: add workaround for s390x failure
+ - tests: make autopkgtest tests more targeted
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - store: cleanup test naming, dropping remoteRepo and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+ - tests: autopkgtest may have non edge core too
+ - data: translate polkit strings
+ - snapstate: put layout feature behind feature flag
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate: hold refreshes for 2h after seeding on classic
+ - many: cherry-pick relevant `go vet` 1.10 fixes to 2.32
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: generate and use per-snap snap-update-ns profile
+ - many: support holding refreshes by setting refresh.hold
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - many: remove snapd.refresh.{timer,service}
+ - many: add the snapd-generator
+ - polkit: do not shadow dbus errors, avoid panic in case of errors
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - asserts:  use a timestamp for the assertion after the signing key
+   has been created
+ - ifacestate: be consistent passing Retry.After as named field
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+   interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - osutil: handle file being matched by multiple patterns
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - interfaces/network-status: fix use of '/' in interface in DBus
+   rule
+ - interfaces/screen-inhibit-control: fix use of '.' in path in DBus
+   rule
+ - overlord/snapstate: fix task iteration order in
+   TestDoPrereqRetryWhenBaseInFlight
+ - interfaces: add an interface for gnome-online-accounts D-Bus
+   service
+ - snap: pass full timer spec in `snap run --timer`
+ - cmd/snap: introduce `snap run --timer`
+ - snapstate: auto install default-providers for content snaps
+ - hooks/strutil: limit the number of data read from the hooks to
+   avoid oom
+ - osutil: aggregate mockable symbols
+ - tests: make sure snapd is running before attempting to remove
+   leftover snaps
+ - timeutil: account for 24h wrap when flattening clock spans
+ - many: send  new Snap-CDN header with none or with cloud instance
+   placement info as needed
+ - cmd/snap-update-ns,testutil: move syscall testing helpers
+ - tests: disable interfaces-location-control on s390x
+ - tests: new spread test for gpio-memory-control interface
+ - tests: spread test for broadcom-asic-control interface
+ - tests: make restore of interfaces-password-manager-service more
+   robust
+ - tests/lib/prepare-restore: sync journal before rotating and
+   vacuuming
+ - overlord/snapstate: use spread in the default refresh schedule
+ - tests: fixes for autopkgtest in bionic
+ - timeutil: introduce helpers for checking it time falls inside the
+   schedule
+ - cmd/snap-repair,httputil: set snap-repair User-Agent on requests
+ - vendor: resync formatting of vendor.json
+ - snapstate/ifacestate: auto-connect tasks
+ - cmd/snap: also include tracking channel in list output.
+ - interfaces/apparmor: use snap revision with surrounding '.' when
+   replacing in glob
+ - debian,vendor: import github.com/snapcore/squashfs and use
+ - many: implement "refresh-mode: {restart,endure,...}" for services
+ - daemon: make the ast-inspecting test smarter; drop 'exceptions'
+ - tests: new spread test for kvm interface
+ - cmd/snap: tweaks to 'snap info' output
+ - snap: remove underscore from version validator regexp
+ - testutil: add File{Matches,Equals,Contains} checkers.
+ - snap: improve the version validator's error messages.
+ - osutil: refactor EnsureFileState to separate out the comparator
+ - timeutil: fix scheduling on nth weekday of the month
+ - cmd/snap-update-ns: small refactor for upcoming per-user mounts
+ - many: rename snappy-app-dev to snap-device-helper
+ - systemd: add default target for timers
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: linter cleanups
+ - interfaces/mount: generate per-user mount profiles
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - packaging: provide a compat symlink for snappy-app-dev
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - tests: adding new test to validate the raw-usb interface
+ - snap: add support for `snap run --gdb`
+ - interfaces/builtin: allow MM to access login1
+ - packaging: fix build on sbuild
+ - store: revert PR#4532 and do not display displayname
+ - interfaces/mount: add support for per-user mount entries
+ - cmd/system-shutdown: move sync to be even more pessimistic
+ - osutil: reimplement IsMounted with LoadMountInfo
+ - tests/main/ubuntu-core-services: enable snapd.refresh.timer for
+   the test
+ - many: don't allow layout construction to silently fail
+ - interfaces/apparmor: ensure snap-confine profile for reexec is
+   current
+ - interfaces/apparmor: generalize apparmor load and unload helpers
+ - tests: removing packages which are not needed anymore to generate
+   random data
+ - snap: improve `snap run` comments/naming
+ - snap: allow options for --strace, e.g. `snap run --strace="-tt"`
+ - tests: fix spread test failures on 18.04
+ - systemd: update comment on SocketsTarget
+ - osutil: add and update docstrings
+ - osutil: parse mount entries without options field
+ - interfaces: mock away real mountinfo/fstab
+ - many: move /lib/udev/snappy-app-dev to /usr/lib/snapd/snappy-app-
+   dev
+ - overlord/snapstate/backend: perform cleanup if snap setup fails
+ - tests/lib/prepare: disable snapd.refresh.timer
+ - daemon: remove redundant UserOK markings from api commands
+ - snap: introduce  timer service data types and validation
+ - cmd/snap: fix UX of snap services
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - all: snap versions are now validated
+ - many: add nfs-home flag to system-key
+ - snap: disallow layouts in various special directories
+ - cmd/snap: add help for service commands.
+ - devicestate: fix autopkgtest failure in
+   TestDoRequestSerialErrorsOnNoHost
+ - snap,interfaces: allow using bind-file layouts
+ - many: move mount code to osutil
+ - snap: understand directories in layout blacklist
+ - snap: use custom unsquashfsStderrWriter for unsquashfs error
+   detection
+ - tests/main/user-data-handling: get rid of ordering bug
+ - snap: exclude `gettimeofday` from `snap run --strace`
+ - tests: check if snapd.socket is active before stoping it
+ - snap: sort layout elements before validating
+ - strutil: introducing MatchCounter
+ - snap: detect unsquashfs write failures
+ - spread: add missing ubuntu-18.04-arm64 to available autopkgtest
+   machines
+ - cmd/snap-confine: allow mounting anywhere, effectively
+ - daemon: improve ucrednet code for the snap.socket
+ - release, interfaces: add new release.AppArmorFeatures helper
+ - snap: apply some golint suggestions
+ - many: add interfaces.SystemKey() helper
+ - tests: new snaps to test installs nightly
+ - tests: skip alsa interface test when the system does not have any
+   audio devices
+ - debian/rules: workaround for
+   https://github.com/golang/go/issues/23721
+ - interfaces/apparmor: early support for snap-update-ns snippets
+ - wrappers: cleanup enabled service sockets
+ - cmd/snap-update-ns: large refactor / update of unit tests
+ - interfaces/apparmor: remove leaked future layout code
+ - many: allow constructing layouts (phase 1)
+ - data/systemd: for debugging/testing use /etc/environment also for
+   snap-repair runs
+ - cmd/snap-confine: create lib/{gl,gl32,vulkan} under /var/lib/snapd
+   and chown as root:root
+ - overlord/configstate/config: make [GS]etSnapConfig use *RawMessage
+ - daemon: refactor snapFooMany helpers a little
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - interfaces/apparmor: use a helper to set the scope
+ - overlord/configstate/config: make SetSnapConfig delete on empty
+ - osutil: make MkdirAllChown clean the path passed in
+ - many: at seeding try to capture cloud information into core config
+   under "cloud"
+ - cmd/snap: add completion conversion helper to increase DRY
+ - many: remove "content" argument from snaptest.MockSnap()
+ - osutil: allow using many globs in EnsureDirState
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - tests: use root path to /home/test/tmp to avoid lack of space
+   issue
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - tests: update kill-timeout focused on making tests pass on boards
+ - advisor: ensure commands.db has mode 0644 and add test
+ - snap: improve validation of snap layouts
+ - tests: ensure disabled services are masked
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - systemd, wrappers: start all snap services in one systemctl call
+ - mir: software clients need access to shared memory /dev/shm/#*
+ - snap: add support for `snap advise-snap pkgName`
+ - snap: fix command-not-found on core devices
+ - tests: new spead test for openvswitch-support interface
+ - tests: add integration for local snap licenses
+ - config: add (Get|Set)SnapConfig to do bulk config e.g. from
+   snapshots
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - osutil: add ContextWriter and RunWithContext helpers.
+ - osutil: add DirExists and IsDirNotExist
+
+* Fri Mar 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.2
+ - many: add the snapd-generator
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - many: remove snapd.refresh.{timer,service}
+ - interfaces/builtin: allow MM to access login1
+ - timeutil: account for 24h wrap when flattening clock spans
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - systemd, wrappers: start all snap services in one systemctl
+   call
+ - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
+* Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.1
+ - tests: multiple autopkgtest related fixes for 18.04
+ - overlord/snapstate: use spread in the default refresh schedule
+ - timeutil: fix scheduling on nth weekday of the month
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - rules: do not static link on powerpc
+ - packaging: revert LDFLAGS rewrite again after building snap-
+   seccomp
+ - store: revert PR#4532 and do not display displayname
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - daemon: improve ucrednet code for the snap.socket
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - advisor: ensure commands.db has mode 0644 and add test
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - snap: improve validation of snap layoutsRules for validating
+   layouts:
+ - snap: fix command-not-found on core devices
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - userd: add support for a simple UI that can be used from userd
+ - snap-confine/nvidia: Support legacy biarch trees for GLVND systems
+ - tests: generic detection of gadget and kernel snaps
+ - cmd/snap-update-ns: refactor and improve Change.Perform to handle
+   EROFS
+ - cmd/snap: improve output when snaps were found in a section or the
+   section is invalid
+ - cmd/snap-confine,tests: hide message about stale base snap
+ - cmd/snap-mgmt: fix out of source tree build
+ - strutil/quantity: new package that exports formatFoo (from
+   progress)
+ - cmd/snap: snap refresh --time with new and legacy schedules
+ - state: unknown tasks handler
+ - cmd/snap-confine,data/systemd: fix removal of snaps inside LXD
+ - snap: add io.snapcraft.Settings to `snap userd`
+ - spread: remove more EOLed releases
+ - snap: tidy up top-level help output
+ - snap: fix race in `snap run --strace`
+ - tests: update "searching" test to match store changes
+ - store: use the "publisher" when populating the "publisher" field
+ - snap: make `snap find --section` show all sections
+ - tests: new test to validate location control interface
+ - many: add new `snap refresh --amend <snap>` command
+ - tests/main/kernel-snap-refresh-on-core: skip the whole test if
+   edge and stable are the same version
+ - tests: set test kernel-snap-refresh-on-core to manual
+ - tests: new spread test for interface gpg-keys
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - interfaces: miscellaneous policy updates
+ - interfaces/builtin: Replace Solus support with GLVND support
+ - tests/main/kernel-snap-refresh-on-core: do not fail if edge and
+   stable kernels are the same version
+ - snap: add `snap run --strace` to be able to strace snap apps
+ - tests: new spread test for ssh-keys interface
+ - errtracker: include detected virtualisation
+ - tests: add new kernel refresh/revert test for spread-cron
+ - interfaces/builtin: blacklist zigbee dongle
+ - cmd/snap-confine: discard stale mount namespaces
+ - cmd: remove unused execArg0/execEnv
+ - snap,interfaces/mount: disallow nobody/nogroup
+ - cmd/snap: improve `snap aliases` output when no aliases are
+   defined
+ - tests/lib/snaps/test-snapd-service: refactor service reload
+ - tests: new spread test for gpg-public-keys interface
+ - tests: new spread test for ssh-public-keys interface
+ - spread: setup machine creation on Linode
+ - interfaces/builtin: allow introspecting UDisks2
+ - interfaces/builtin: add support for content "source" section
+ - tests: new spread test for netlink-audit interface
+ - daemon: avoid panic'ing building an error response w/no snaps
+   given
+ - interfaces/mount,snap: early support for snap layouts
+ - daemon: unlock state even if RefreshSchedule() fails
+ - arch: add "armv8l" to ubuntuArchFromKernelArch table
+ - tests: fix for test interface-netlink-connector
+ - data/dbus: add AssumedAppArmorLabel=unconfined
+ - advisor: use forked bolt to make it work on ppc
+ - overlord/snapstate: record the 'kind' of conflicting change
+ - dirs: fix snap mount dir on Manjaro
+ - overlord/{snapstate,configstate}, daemon: introduce refresh.timer,
+   fallback to refresh.schedule
+ - config: add support for `snap set core proxy.no_proxy=...`
+ - snap-mgmt: extend spread tests, stop, disable and cleanup snap
+   services
+ - spread.yaml: add fedora 27
+ - cmd/snap-confine: allow snap-update-ns to poke writable holes in
+   $SNAP
+ - packaging/14.04: move linux-generic-lts-xenial to recommends
+ - osutil/sys: ppc has 32-bit getuid already
+ - snapstate: make no autorefresh message clearer
+ - spread: try to enable Fedora once more
+ - overlord/snapstate: do a minimal sanity check on containers
+ - configcore: ensure config.txt has a final newline
+ - cmd/libsnap-confine-private: print failed mount/umount regardless
+   of SNAP_CONFINE_DEBUG
+ - debian/tests: add missing autopkgtest test dependencies for debian
+ - image: port ini handling to goconfigparser
+ - tests/main/snap-service-after-before: add test for after/before
+   service ordering
+ - tests: enabling opensuse for tests
+ - tests: update auto-refresh-private to match messages from current
+   master
+ - dirs: check if distro 'is like' fedora when picking path to
+   libexecdir
+ - tests: fix "job canceled" issue and improve cleanup for snaps
+ - cmd/libsnap-confine-private: add debug build of libsnap-confine-
+   private.a, link it into snap-confine-debug
+ - vendor: remove x/sys/unix to fix builds on arm64 and powerpc
+ - image: let consume snapcraft export-login files from tooling
+ - interfaces/mir: allow Wayland socket and non-root sockets
+ - interfaces/builtin: use snap.{Plug,Slot}Info over
+   interfaces.{Plug,Slot}
+ - tests: add simple snap-mgmt test
+ - wrappers: autogenerate After/Before in systemd's service files for
+   apps
+ - snap: add usage hints in `snap download`
+ - snap: provide more meaningful errors for installMany and friends
+ - cmd/snap: show header/footer when `snap find` is used without
+   arguments
+ - overlord/snapstate: for Enable's tasks refer to the first task
+   with snap-setup, do not duplicate
+ - tests: add hard-coded fully expired macaroons to run related tests
+ - cmd/snap-update-ns: new test features
+ - cmd/snap-update-ns: we don't want to bind mount symlinks
+ - interfaces/mount: test OptsToCommonFlags, filter out x-snapd.
+   options
+ - cmd/snap-update-ns: untangle upcoming cyclic initialization
+ - client, daemon: update user's email when logging in with new
+   account
+ - tests: ensure snap-confine apparmor profile is parsable
+ - snap: do not leak internal errors on install/refresh etc
+ - snap: fix missing error check when multiple snaps are refreshed
+ - spread: trying to re-enable tests on Fedora
+ - snap: fix gadget.yaml parsing for multi volume gadgets
+ - snap: give the snap.Container interface a Walk method
+ - snap: rename `snap advise-command` to `snap advise-snap --command`
+ - overlord/snapstate: no refresh just for hints if there was a
+   recent regular full refresh
+ - progress: switch ansimeter's Spin() to use a spinner
+ - snap: support `command-not-found` symlink for `snap advise-
+   command`
+ - daemon: store email, ID and macaroon when creating a new user
+ - snap: app startup after/before validation
+ - timeutil: refresh timer take 2
+ - store, daemon/api: Rename MyAppsServer, point to
+   dashboard.snapcraft.io instead
+ - tests: use "quiet" helper instead of "dnf -q" to get errors on
+   failures
+ - cmd/snap-update-ns: improve mocking for tests
+ - many: implement the advisor backend, populate it from the store
+ - tests: make less calls to the package manager
+ - tests/main/confinement-classic: enable the test on Fedora
+ - snap: do not leak internal network errors to the user
+ - snap: use stdout instead of stderr for "fetching" message
+ - tests: fix test whoami, share successful_login.exp
+ - many: refresh with appropriate creds
+ - snap: add new `snap advice-command` skeleton
+ - tests: add test that ensures we never parse versions as numbers
+ - overlord/snapstate: override Snapstate.UserID in refresh if the
+   installing user is gone
+ - interfaces: allow socket "shutdown" syscall in default profile
+ - snap: print friendly message if `snap keys` is empty
+ - cmd/snap-update-ns: add execWritableMimic
+ - snap: make `snap info invalid-snap` output more user friendly
+ - cmd/snap,  tests/main/classic-confinement: fix snap-exec path when
+   running under classic confinement
+ - overlord/ifacestate: fix disable/enable cycle to setup security
+ - snap: fix snap find " " output
+ - daemon: add new polkit action to manage interfaces
+ - packaging/arch: disable services when removing
+ - asserts/signtool: support for building tools on top that fill-
+   in/compute some headers
+ - cmd: clarify "This leaves %s tracking %s." message
+ - daemon: return "bad-query" error kind for store.ErrBadQuery
+ - taskrunner/many: KnownTaskKinds helper
+ - tests/main/interfaces-fuse_support: fix confinement, allow
+   unmount, fix spread tests
+ - snap: use the -no-fragments mksquashfs option
+ - data/selinux: allow messages from policykit
+ - tests: fix catalog-update wait loop
+ - tests/lib/prepare-restore: disable rate limiting in journald
+ - tests: change interfaces-fuse_support to be debug friendly
+ - tests/main/postrm-purge: stop snapd before purge
+ - This is an example of test log:https://paste.ubuntu.com/26215170/
+ - tests/main/interfaces-fuse_support: dump more debugging
+   information
+ - interfaces/dbus: adjust slot policy for listen, accept and accept4
+   syscalls
+ - tests: save the snapd-state without compression
+ - tests/main/searching: handle changes in featured snaps list
+ - overlord/snapstate: fix auto-refresh summary for 2 snaps
+ - overlord/auth,daemon: introduce an explicit auth.ErrInvalidUser
+ - interfaces: add /proc/partitions to system-observe (This addresses
+   LP#1708527.)
+ - tests/lib: introduce helpers for setting up /dev/random using
+   /dev/urandom in project prepare
+ - tests: new test for interface network status
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - tests: fix security-device-cgroups-serial-port test for rpi and db
+ - cmd/snap-mgmt: add more directories for cleanup and refactor
+   purge() code
+ - snap: YAML and data structures for app before/after ordering
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - packaging/arch: install snap-mgmt tool
+ - tests: add support on tests for cm3 gadget
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 2)
+ - interfaces: rename sanitize methods
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces: added Ref() helpers, restored more detailed error
+   message on spi iface
+ - debian: make "gnupg" a recommends
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - interfaces: PlugInfo/SlotInfo/ConnectedPlug/ConnectedSlot
+   attribute helpers
+ - interfaces: update fixme comments
+ - tests: make interfaces-snapd-control-with-manage more robust
+ - userd: generalize dbusInterface
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 1)
+ - hookstate: add compat "configure-snapd" task.
+ - config, overlord/snapstate, timeutil: rename ParseSchedule to
+   ParseLegacySchedule
+ - tests: adding tests for time*-control interfaces
+ - tests: new test to check interfaces after reboot the system
+ - cmd/snap-mgmt: fixes
+ - packaging/opensuse-42.2: package and use snap-mgmt
+ - corecfg: also "mask" services when disabling them
+ - cmd/snap-mgmt: introduce snap-mgmt tool
+ - configstate: simplify ConfigManager
+ - interfaces: add gpio-memory-control interface
+ - cmd: disable check-syntax-c
+ - packaging/arch: add bash-completion as optional dependency
+ - corecfg: rename package to overlord/configstate/configcore
+ - wrappers: fix unit tests to use dirs.SnapMountDir
+ - osutil/sys: reimplement getuid and chown with the right int type
+ - interfaces-netlink-connector: fix sourcing snaps.sh
+
+* Thu Jan 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.30-1
+- Release 2.30 to Fedora (RH#1527519)
+- Backport fix to correctly locate snapd libexecdir on Fedora derivatives (RH#1536895)
+- Refresh SELinux policy fix patches with upstream backport version
+
+* Mon Dec 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.30
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - devicestate: use a different nowhere domain
+ - interfaces: add ssh-keys, ssh-public-keys, gpg-keys and gpg-public
+   keys interfaces
+ - interfaces/many: misc updates for default, browser-support, opengl,
+   desktop, unity7, x11
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - corecfg: also "mask" services when disabling them
+ - tests: add support for autopkgtests on s390x
+ - snapstate: support for pre-refresh hook
+ - many: allow to configure core before it is installed
+ - devicestate: fix unkeyed fields error
+ - snap-confine: create mount target for lib32,vulkan on demand
+ - snapstate: add support for refresh.schedule=managed
+ - cmd/snap-update-ns: teach update logic to handle synthetic changes
+ - many: remove configure-snapd task again and handle internally
+ - snap: fix TestDirAndFileMethods() test to work with gccgo
+ - debian: ensure /var/lib/snapd/lib/vulkan is available
+ - cmd/snap-confine: use #include instead of bare include
+ - snapstate: store userID in snapstate
+ - snapd.dirs: add var/lib/snapd/lib/gl32
+ - timeutil, overlod/snapstate: cleanup remaining pieces of timeutil
+   weekday support
+ - packaging/arch: install missing directories, manpages and version
+   info
+ - snapstate,store: store if a snap is a paid snap in the sideinfo
+ - packaging/arch: pre-create snapd directories when packaging
+ - tests/main/manpages: set LC_ALL=C as man may complain if the
+   locale is unset or unsupported
+ - repo: ConnectedPlug and ConnectedSlot types
+ - snapd: fix handling of undo in the taskrunner
+ - store: fix download caching and add integration test
+ - snapstate: move autorefresh code into autoRefresh helper
+ - snapctl: don't error out on start/stop/restart from configure hook
+   during install or refresh
+ - cmd/snap-update-ns: add planWritableMimic
+ - deamon: don't omit responses, even if null
+ - tests: add test for frame buffer interface
+ - tests/lib: fix shellcheck errors
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - tests: remove obsolete workaround
+ - snap: use existing files in `snap download` if digest/size matches
+ - tests: merge pepare-project.sh into prepare-restore.sh
+ - tests: cache snaps to $TESTSLIB/cache
+ - tests: set -e, -o pipefail in prepare-restore.sh
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - cmd/snap-seccomp: fix uid/gid restrictions tests on Arch
+ - tests: document and slightly refactor prepare/restore code
+ - snapstate: ensure RefreshSchedule() gives accurate results
+ - snapstate: add new refresh-hints helper and use it
+ - spread.yaml,tests: move most of project-wide prepare/restore to
+   separate file
+ - timeutil: introduce helpers for weekdays and TimeOfDay
+ - tests: adding new test for uhid interface
+ - cmd/libsnap: fix parsing of empty mountinfo fields
+ - overlord/devicestate:  best effort to go to early full retries for
+   registration on the like of DNS no host
+ - spread.yaml: bump delta ref to 2.29
+ - tests: adding test to test physical memory observe interface
+ - cmd, errtracker: get rid of SNAP_DID_REEXEC environment
+ - timeutil: remove support to parse weekday schedules
+ - snap-confine: add workaround for snap-confine on 4.13/upstream
+ - store: do not log the http body for catalog updates
+ - snapstate: move catalogRefresh into its own helper
+ - spread.yaml: fix shellcheck issues and trivial refactor
+ - spread.yaml: move prepare-each closer to restore-each
+ - spread.yaml: increase workers for opensuse to 3
+ - tests: force delete when tests are restore to avoid suite failure
+ - test: ignore /snap/README
+ - interfaces/opengl: also allow read on 'revision' in
+   /sys/devices/pci...
+ - interfaces/screen-inhibit-control: fix case in screen inhibit
+   control
+ - asserts/sysdb: panic early if pointed to staging but staging keys
+   are not compiled-in
+ - interfaces: allow /bin/chown and fchownat to root:root
+ - timeutil: include test input in error message in
+   TestParseSchedule()
+ - interfaces/browser-support: adjust base declaration for auto-
+   connection
+ - snap-confine: fix snap-confine under lxd
+ - store: bit less aggressive retry strategy
+ - tests: add new `fakestore new-snap-{declaration,revision}` helpers
+ - cmd/snap-update-ns: add secureMkfileAll
+ - snap: use field names when initializing composite literals
+ - HACKING: fix path in snap install
+ - store: add support for flags in ListRefresh()
+ - interfaces: remove invalid plugs/slots from SnapInfo on
+   sanitization.
+ - debian: add missing udev dependency
+ - snap/validate: extend socket validation tests
+ - interfaces: add "refresh-schedule" attribute to snapd-control
+ - interfaces/builtin/account_control: use gid owning /etc/shadow to
+   setup seccomp rules
+ - cmd/snap-update-ns: tweak changePerform
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - tests: disable interfaces-network-control-tuntap
+ - cmd: use a preinit_array function rather than parsing
+   /proc/self/cmdline
+ - interfaces/time*_control: explicitly deny noisy read on
+   /proc/1/environ
+ - cmd/snap-update-ns: misc cleanups
+ - snapd: allow hooks to have slots
+ - fakestore: add go-flags to prepare for `new-snap-declaration` cmd
+ - interfaces/browser-support: add shm path for nwjs
+ - many: add magic /snap/README file
+ - overlord/snapstate: support completion for command aliases
+ - tests: re-enable tun/tap test on Debian
+ - snap,wrappers: add support for socket activation
+ - repo: use PlugInfo and SlotInfo for permanent plugs/slots
+ - tests/interfaces-network-control-tuntap: disable on debian-
+   unstable for now
+ - cmd/snap-confine: Loosen the NVIDIA Vulkan ICD glob
+ - cmd/snap-update-ns: detect and report read-only filesystems
+ - cmd/snap-update-ns: re-factor secureMkdirAll into
+   secureMk{Prefix,Dir}
+ - run-checks, tests/lib/snaps/: shellcheck fixes
+ - corecfg: validate refresh.schedule when it is applied
+ - tests: adjust test to match stderr
+ - snapd: fix snap cookie bugs
+ - packaging/arch: do not quote MAKEFLAGS
+ - state: add change.LaneTasks helper
+ - cmd/snap-update-ns: do not assume 'nogroup' exists
+ - tests/lib: handle distro specific grub-editenv naming
+ - cmd/snap-confine: Add missing bi-arch NVIDIA filesthe
+   `/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl/vdpau` paths within
+ - cmd: Support exposing NVIDIA Vulkan ICD files to the snaps
+ - cmd/snap-confine: Implement full 32-bit NVIDIA driver support
+ - packaging/arch: packaging update
+ - cmd/snap-confine: Support bash as base runtime entry
+ - wrappers: do not error on incorrect Exec= lines
+ - interfaces: fix udev tagging for hooks
+ - tests/set-proxy-store: exclude ubuntu-core-16 via systems: key
+ - tests: new tests for network setup control and observe interfaces
+ - osutil: add helper for obtaining group ID of given file path
+ - daemon,overlord/snapstate: return snap-not-installed error in more
+   cases
+ - interfaces/builtin/lxd_support: allow discovering of host's os-
+   release
+ - configstate: add support for configure-snapd for
+   snapstate.IgnoreHookError
+ - tests:  add a spread test for proxy.store setting together with
+   store assertion
+ - cmd/snap-seccomp: do not use group 'shadow' in tests
+ - asserts/assertstest:  fix use of hardcoded value when the passed
+   or default keys should be used
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - tests: fix xdg-open-compat
+ - daemon: for /v2/logs, 404 when no services are found
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - cmd/snap-update-ns: add new helpers for mount entries
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - cmd: fix re-exec bug with classic confinement for host snapd <
+   2.28
+ - interfaces/kmod: simplify loadModules now that errors are ignored
+ - tests: disable xdg-open-compat test
+ - tests: add test that checks core reverts on core devices
+ - dirs: use alt root when checking classic confinement support
+   without …
+ - interfaces/kmod: treat failure to load module as non-fatal
+ - cmd/snap-update-ns: fix golint and some stale comments
+ - corecfg:  support setting proxy.store if there's a matching store
+   assertion
+ - overlord/snapstate: toggle ignore-validation as needed as we do
+   for channel
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - interfaces: add USB interface number attribute in udev rule for
+   serial-port interface
+ - overlord/devicestate: switch to the new endpoints for registration
+ - snap-update-ns: add missing unit test for desired/current profile
+   handling
+ - cmd/{snap-confine,libsnap-confine-private,snap-shutdown}: cleanup
+   low-level C bits
+ - ifacestate: make interfaces.Repository available via state cache
+ - overlord/snapstate: cleanups around switch-snap*
+ - cmd/snapd,client,daemon: display ignore-validation flag through
+   the notes mechanism
+ - cmd/snap-update-ns: add logging to snap-update-ns
+ - many: have a timestamp on store assertions
+ - many: lookup and use the URL from a store assertion if one is set
+   for use
+ - tests/test-snapd-service: fix shellcheck issues
+ - tests: new test for hardware-random-control interface
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - repo, daemon: use PlugInfo, SlotInfo
+ - many: handle core configuration internally instead of using the
+   core configure hook
+ - tests: refactor and expand content interface test
+ - snap-seccomp: skip in-kernel bpf tests for socket() in trusty/i386
+ - cmd/snap-update-ns: allow Change.Perform to return changes
+ - snap-confine: Support biarch Linux distribution confinement
+ - partition/ubootenv: don't panic when uboot.env is missing the eof
+   marker
+ - cmd/snap-update-ns: allow fault injection to provide dynamic
+   result
+ - interfaces/mount: exspose mount.{Escape,Unescape}
+ - snapctl: added long help to stop/start/restart command
+ - cmd/snap-update-ns: create missing mount points automatically.
+ - cmd: downgrade log message in InternalToolPath to Debugf()
+ - tests: wait for service status change & file update in the test to
+   avoid races
+ - daemon, store: forward SSO invalid credentials errors as 401
+   Unauthorized responses
+ - spdx: fix for WITH syntax, require a license name before the
+   operator
+ - many: reorg things in preparation to make handling of the base url
+   in store dynamic
+ - hooks/configure: queue service restarts
+ - cmd/snap: warn when a snap is not from the tracking channel
+ - interfaces/mount: add support for parsing x-snapd.{mode,uid,gid}=
+ - cmd/snap-confine: add detection of stale mount namespace
+ - interfaces: add plugRef/slotRef helpers for PlugInfo/SlotInfo
+ - tests: check for invalid udev files during all tests
+ - daemon: use newChange() in changeAliases for consistency
+ - servicestate: use taskset
+ - many: add support for /home on NFS
+ - packaging,spread: fix and re-enable opensuse builds
+
+* Sun Dec 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-3
+- Add patch to SELinux policy to allow snapd to receive replies from polkit
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-2
+- Add missing bash completion files and cache directory
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-1
+- Release 2.29.4 to Fedora (RH#1508433)
+- Install Polkit configuration (RH#1509586)
+- Drop changes to revert cheggaaa/pb import path used
+
+* Fri Nov 17 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.4
+ - snap-confine: fix snap-confine under lxd
+ - tests: disable classic-ubuntu-core-transition on i386 temporarily
+ - many: reject bad plugs/slots
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - store: enable "base" field from the store
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+
+* Thu Nov 09 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.3
+ - daemon: cherry-picked /v2/logs fixes
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - interfaces: fix udev tagging for hooks
+ - cmd: fix re-exec bug with classic confinement for host snapd
+ - tests: disable xdg-open-compat test
+ - cmd/snap-confine: add slave PTYs and let devpts newinstance
+   perform mediation
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.2
+  - snapctl: disable stop/start/restart (2.29)
+  - cmd/snap-update-ns: fix collection of changes made
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.1
+ - interfaces: fix incorrect signature of ofono DBusPermanentSlot
+ - interfaces/serial-port: udev tag plugged slots that have just
+   'path' via KERNEL
+ - interfaces/hidraw: udev tag plugged slots that have just 'path'
+   via KERNEL
+ - interfaces/uhid: unconditionally add existing uhid device to the
+   device cgroup
+ - cmd/snap-update-ns: fix mount rules for font sharing
+ - tests: disable refresh-undo test on trusty for now
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - Revert " wrappers: fail install if exec-line cannot be re-written
+ - interfaces: don't udev tag devmode or classic snaps
+ - many: make ignore-validation sticky and send the flag with refresh
+   requests
+
+* Mon Oct 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29
+ - interfaces/many: miscellaneous updates based on feedback from the
+   field
+ - snap-confine: allow reading uevents from any where in /sys
+ - spread: add bionic beaver
+ - debian: make packaging/ubuntu-14.04/copyright a real file again
+ - tests: cherry pick the fix for services test into 2.29
+ - cmd/snap-update-ns: initialize logger
+ - hooks/configure: queue service restarts
+ - snap-{confine,seccomp}: make @unrestricted fully unrestricted
+ - interfaces: clean system apparmor cache on core device
+ - debian: do not build static snap-exec on powerpc
+ - snap-confine: increase sanity_timeout to 6s
+ - snapctl: cherry pick service commands changes
+ - cmd/snap: tell translators about arg names and descs req's
+ - systemd: run all mount units before snapd.service to avoid race
+ - store: add a test to show auth failures are forwarded by doRequest
+ - daemon: convert ErrInvalidCredentials to a 401 Unauthorized error.
+ - store: forward on INVALID_CREDENTIALS error as
+   ErrInvalidCredentials
+ - daemon: generate a forbidden response message if polkit dialog is
+   dismissed
+ - daemon: Allow Polkit authorization to cancel changes.
+ - travis: switch to container based test runs
+ - interfaces: reduce duplicated code in interface tests mocks
+ - tests: improve revert related testing
+ - interfaces: sanitize plugs and slots early in ReadInfo
+ - store: add download caching
+ - preserve TMPDIR and HOSTALIASES across snap-confine invocation
+ - snap-confine: init all arrays with `= {0,}`
+ - tests: adding test for network-manager interface
+ - interfaces/mount: don't generate legacy per-hook/per-app mount
+   profiles
+ - snap: introduce structured epochs
+ - tests: fix interfaces-cups-control test for cups-2.2.5
+ - snap-confine: cleanup incorrectly created nvidia udev tags
+ - cmd/snap-confine: update valid security tag regexp
+ - cmd/libsnap: enable two stranded tests
+ - cmd,packaging: enable apparmor on openSUSE
+ - overlord/ifacestate: refresh all security backends on startup
+ - interfaces/dbus: drop unneeded check for
+   release.ReleaseInfo.ForceDevMode
+ - dbus: ensure io.snapcraft.Launcher.service is created on re-
+   exec
+ - overlord/auth: continue for now supporting UBUNTU_STORE_ID if the
+   model is generic-classic
+ - snap-confine: add support for handling /dev/nvidia-modeset
+ - interfaces/network-control: remove incorrect rules for tun
+ - spread: allow setting SPREAD_DEBUG_EACH=0 to disable debug-each
+   section
+ - packaging: remove .mnt files on removal
+ - tests: fix econnreset scenario when the iptables rule was not
+   created
+ - tests: add test for lxd interface
+ - run-checks: use nakedret static checker to check for naked
+   returns on long functions
+ - progress: be more flexible in testing ansimeter
+ - interfaces: fix udev rules for tun
+ - many: implement our own ANSI-escape-using progress indicator
+ - snap-exec: update tests to follow main_test pattern
+ - snap: support "command: foo $ENV_STRING"
+ - packaging: update nvidia configure options
+ - snap: add new `snap pack` and use in tests
+ - cmd: correctly name the "Ubuntu" and "Arch" NVIDIA methods
+ - cmd: add autogen case for solus
+ - tests: do not use http://canihazip.com/ which appears to be down
+ - hooks: commands for controlling own services from snapctl
+ - snap: refactor cmdGet.Execute()
+ - interfaces/mount: make Change.Perform testable and test it
+ - interfaces/mount,cmd/snap-update-ns: move change code
+ - snap-confine: is_running_on_classic_distribution() looks into os-
+   release
+ - interfaces: misc updates for default, browser-support, home and
+   system-observe
+ - interfaces: deny lttng by default
+ - interfaces/lxd: lxd slot implementation can also be an app snap
+ - release,cmd,dirs: Redo the distro checks to take into account
+   distribution families
+ - cmd/snap: completion for alias and unalias
+ - snap-confine: add new SC_CLEANUP and use it
+ - snap: refrain from running filepath.Base on random strings
+ - cmd/snap-confine: put processes into freezer hierarchy
+ - wrappers: fail install if exec-line cannot be re-written
+ - cmd/snap-seccomp,osutil: make user/group lookup functions public
+ - snapstate: deal with snap user data in the /root/ directory
+ - interfaces: Enhance full-confinement support for biarch
+   distributions
+ - snap-confine: Only attempt to copy/mount NVIDIA libs when NVIDIA
+   is used
+ - packaging/fedora: Add Fedora 26, 27, and Rawhide symlinks
+ - overlord/snapstate: prefer a smaller corner case for doing the
+   wrong thing
+ - cmd/snap-repair:  set user agent for snap-repair http requests
+ - packaging: bring down the delta between 14.04 and 16.04
+ - snap-confine: Ensure lib64 biarch directory is respected
+ - snap-confine: update apparmor rules for fedora based base snaps
+ - tests: Increase SNAPD_CONFIGURE_HOOK_TIMEOUT to 3 minutes to
+   install real snaps
+ - daemon: use client.Snap instead of map[string]interface{} for
+   snaps.
+ - hooks: rename refresh hook to post-refresh
+ - git: make the .gitingore file a bit more targeted
+ - interfaces/opengl: don't udev tag nvidia devices and use snap-
+   confine instead
+ - cmd/snap-{confine,update-ns}: apply mount profiles using snap-
+   update-ns
+ - cmd: update "make hack"
+ - interfaces/system-observe: allow clients to enumerate DBus
+   connection names
+ - snap-repair: implement `snap-repair {list,show}`
+ - dirs,interfaces: create snap-confine.d on demand when re-executing
+ - snap-confine: fix base snaps on core
+ - cmd/snap-repair: fix tests when running as root
+ - interfaces: add Connection type
+ - cmd/snap-repair: skip disabled repairs
+ - cmd/snap-repair: prefer leaking unmanaged fds on test failure over
+   closing random ones
+ - snap-repair: make `repair` binary available for repair scripts
+ - snap-repair: fix missing Close() in TestStatusHappy
+ - cmd/snap-confine,packaging: import snapd-generated policy
+ - cmd/snap: return empty document if snap has no configuration
+ - snap-seccomp: run secondary-arch tests via gcc-multilib
+ - snap: implement `snap {repair,repairs}` and pass-through to snap-
+   repair
+ - interfaces/builtin: allow receiving dbus messages
+ - snap-repair: implement `snap-repair {done,skip,retry}`
+ - data/completion: small tweak to snap completion snippet
+ - dirs: fix classic support detection
+ - cmd/snap-repair: integrate root public keys for repairs
+ - tests: fix ubuntu core services
+ - tests: add new test that checks that the compat snapd-xdg-open
+   works
+ - snap-confine: improve error message if core/u-core cannot be found
+ - tests: only run tests/regression/nmcli on amd64
+ - interfaces: mount host system fonts in desktop interface
+ - interfaces: enable partial apparmor support
+ - snapstate: auto-install missing base snaps
+ - spread: work around temporary packaging issue in debian sid
+ - asserts,cmd/snap-repair: introduce a mandatory summary for repairs
+ - asserts,cmd/snap-repair: represent RepairID internally as an int
+ - tests: test the real "xdg-open" from the core snap
+ - many: implement fetching sections and package names periodically.
+ - interfaces/network: allow using netcat as client
+ - snap-seccomp, osutil: use osutil.AtomicFile in snap-seccomp
+ - snap-seccomp: skip mknod syscall on arm64
+ - tests: add trivial canonical-livepatch test
+ - tests: add test that ensures that all core services are working
+ - many: add logger.MockLogger() and use it in the tests
+ - snap-repair: fix test failure in TestRepairHitsTimeout
+ - asserts: add empty values check in HeadersFromPrimaryKey
+ - daemon: remove unused installSnap var in test
+ - daemon: reach for Overlord.Loop less thanks to overlord.Mock
+ - snap-seccomp: manually resolve socket() call in tests
+ - tests: change regex used to validate installed ubuntu core snap
+ - cmd/snapctl: allow snapctl -h without a context (regression fix).
+ - many: use snapcore/snapd/i18n instead of i18n/dumb
+ - many: introduce asserts.NotFoundError replacing both ErrNotFound
+   and store.AssertionNotFoundError
+ - packaging: don't include any marcos in comments
+ - overlord: use overlord.Mock in more tests, make sure we check the
+   outcome of Settle
+ - tests: try to fix staging tests
+ - store: simplify api base url config
+ - systemd: add systemd.MockJournalctl()
+ - many: provide systemd.MockSystemctl() helper
+ - tests: improve the listing test to not fail for e.g. 2.28~rc2
+ - snapstate: give snapmgrTestSuite.settle() more time to settle
+ - tests: fix regex to check core version on snap list
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces: add udev netlink support to hardware-observe
+ - overlord: introduce Mock which enables to use Overlord.Settle for
+   settle in many more places
+ - snap-repair: execute the repair and capture logs/status
+ - tests: run the tests/unit/go everywhere
+ - daemon, snapstate: move ensureCore from daemon/api.go into
+   snapstate.go
+ - cmd/snap: get keys or root document
+ - spread.yaml: turn suse to manual given that it's breaking master
+ - many: configure store from state, reconfigure store at runtime
+ - osutil: AtomicWriter (an io.Writer), and io.Reader versions of
+   AtomicWrite*
+ - tests: check for negative syscalls in runBpf() and skip those
+   tests
+ - docs: use abolute path in PULL_REQUEST_TEMPLATE.md
+ - store: move device auth endpoint uris to config (#3831)
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-2
+- Properly fix the build for Fedora 25
+- Incorporate misc build fixes
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-1
+- Release 2.28.5 to Fedora (RH#1502186)
+- Build snap-exec and snap-update-ns statically to support base snaps
+
+* Fri Oct 13 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.5
+  - snap-confine: cleanup broken nvidia udev tags
+  - cmd/snap-confine: update valid security tag regexp
+  - overlord/ifacestate: refresh udev backend on startup
+  - dbus: ensure io.snapcraft.Launcher.service is created on re-
+    exec
+  - snap-confine: add support for handling /dev/nvidia-modeset
+  - interfaces/network-control: remove incorrect rules for tun
+
+* Thu Oct 12 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.4-1
+- Release 2.28.4 to Fedora (RH#1501141)
+- Drop distro check backport patches (released with 2.28.2)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.4
+  - interfaces/opengl: don't udev tag nvidia devices and use snap-
+    confine instead
+  - debian: fix replaces/breaks for snap-xdg-open (thanks to apw!)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.3
+  - interfaces/lxd: lxd slot implementation can also be an app
+    snap
+
+* Tue Oct 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.2
+  - interfaces: fix udev rules for tun
+  - release,cmd,dirs: Redo the distro checks to take into account
+    distribution families
+
+* Sun Oct 08 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.1-1
+- Release 2.28.1 to Fedora (RH#1495852)
+- Drop userd backport patches, they are part of 2.28 release
+- Backport changes to rework distro checks to fix derivative distro usage of snapd
+- Revert import path change for cheggaaa/pb as it breaks build on Fedora
+- Add a posttrans relabel to snapd-selinux to ensure everything is labeled correctly
+
+* Wed Sep 27 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.1
+  - snap-confine: update apparmor rules for fedora based basesnaps
+  - snapstate: rename refresh hook to post-refresh for consistency
+
+* Mon Sep 25 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28
+ - hooks: rename refresh to after-refresh
+ - snap-confine: bind mount /usr/lib/snapd relative to snap-confine
+ - cmd,dirs: treat "liri" the same way as "arch"
+ - snap-confine: fix base snaps on core
+ - hooks: substitute env vars when executing hooks
+ - interfaces: updates for default, browser-support, desktop, opengl,
+   upower and stub-resolv.conf
+ - cmd,dirs: treat manjaro the same as arch
+ - systemd: do not run auto-import and repair services on classic
+ - packaging/fedora: Ensure vendor/ is empty for builds and fix spec
+   to build current master
+ - many: fix TestSetConfNumber missing an Unlock and other fragility
+   improvements
+ - osutil: adjust StreamCommand tests for golang 1.9
+ - daemon: allow polkit authorisation to install/remove snaps
+ - tests: make TestCmdWatch more robust
+ - debian: improve package description
+ - interfaces: add netlink kobject uevent to hardware observe
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces/network-{control,observe}: allow receiving
+   kobject_uevent() messages
+ - tests: fix lxd test for external backend
+ - snap-confine,snap-update-ns: add -no-pie to fix FTBFS on
+   go1.7,ppc64
+ - corecfg: mock "systemctl" in all corecfg tests
+ - tests: fix unit tests on Ubuntu 14.04
+ - debian: add missing flags when building static snap-exec
+ - many: end-to-end support for the bare base snap
+ - overlord/snapstate: SetRootDir from SetUpTest, not in just some
+   tests
+ - store: have an ad-hoc method on cfg to get its list of uris for
+   tests
+ - daemon: let client decide whether to allow interactive auth via
+   polkit
+ - client,daemon,snap,store: add license field
+ - overlord/snapstate: rename HasCurrent to IsInstalled, remove
+   superfluous/misleading check from All
+ - cmd/snap: SetRootDir from SetUpTest, not in just some individual
+   tests.
+ - systemd: rename snap-repair.{service,timer} to snapd.snap-
+   repair.{service,timer}
+ - snap-seccomp: remove use of x/net/bpf from tests
+ - httputil: more naive per go version way to recreate a default
+   transport for tls reconfig
+ - cmd/snap-seccomp/main_test.go: add one more syscall for arm64
+ - interfaces/opengl: use == to compare, not =
+ - cmd/snap-seccomp/main_test.go: add syscalls for armhf and arm64
+ - cmd/snap-repair: track and use a lower bound for the time for
+   TLS checks
+ - interfaces: expose bluez interface on classic OS
+ - snap-seccomp: add in-kernel bpf tests
+ - overlord: always try to get a serial, lazily on classic
+ - tests: add nmcli regression test
+ - tests: deal with __PNR_chown on aarch64 to fix FTBFS on arm64
+ - tests: add autopilot-introspection interface test
+ - vendor: fix artifact from manually editing vendor/vendor.json
+ - tests: rename complexion to test-snapd-complexion
+ - interfaces: add desktop and desktop-legacy
+   interfaces/desktop: add new 'desktop' interface for modern DEs*
+   interfaces/builtin/desktop_test.go: use modern testing techniques*
+   interfaces/wayland: allow read on /etc/drirc for Plasma desktop*
+   interfaces/desktop-legacy: add new 'legacy' interface (currently
+   for a11y and input)
+ - tests: fix race in snap userd test
+ - devices/iio: add read/write for missing sysfs entries
+ - spread: don't set HTTPS?_PROXY for linode
+ - cmd/snap-repair: check signatures of repairs from Next
+ - env: set XDG_DATA_DIRS for wayland et.al.
+ - interfaces/{default,account-control}: Use username/group instead
+   of uid/gid
+ - interfaces/builtin: use udev tagging more broadly
+ - tests: add basic lxd test
+ - wrappers: ensure bash completion snaps install on core
+ - vendor: use old golang.org/x/crypto/ssh/terminal to build on
+   powerpc again
+ - docs: add PULL_REQUEST_TEMPLATE.md
+ - interfaces: fix network-manager plug
+ - hooks: do not error out when hook is optional and no hook handler
+   is registered
+ - cmd/snap: add userd command to replace snapd-xdg-open
+ - tests: new regex used to validate the core version on extra snaps
+   ass...
+ - snap: add new `snap switch` command
+ - tests: wait more and more debug info about fakestore start issues
+ - apparmor,release: add better apparmor detection/mocking code
+ - interfaces/i2c: adjust sysfs rule for alternate paths
+ - interfaces/apparmor: add missing call to dirs.SetRootDir
+ - cmd: "make hack" now also installs snap-update-ns
+ - tests: copy files with less verbosity
+ - cmd/snap-confine: allow using additional libraries required by
+   openSUSE
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapstate: improve the error message when classic confinement is
+   not supported
+ - tests: add test to ensure amd64 can run i386 syscall binaries
+ - tests: adding extra info for fakestore when fails to start
+ - tests: install most important snaps
+ - cmd/snap-repair: more test coverage of filtering
+ - squashfs: remove runCommand/runCommandWithOutput as we do not need
+   it
+ - cmd/snap-repair: ignore superseded revisions, filter on arch and
+   models
+ - hooks: support for refresh hook
+ - Partial revert "overlord/devicestate, store: update device auth
+   endpoints URLs"
+ - cmd/snap-confine: allow reading /proc/filesystems
+ - cmd/snap-confine: genearlize apparmor profile for various lib
+   layout
+ - corecfg: fix proxy.* writing and add integration test
+ - corecfg: deal with system.power-key-action="" correctly
+ - vendor: update vendor.json after (presumed) manual edits
+ - cmd/snap: in `snap info`, don't print a newline between tracks
+ - daemon: add polkit support to /v2/login
+ - snapd,snapctl: decode json using Number
+ - client: fix go vet 1.7 errors
+ - tests: make 17.04 shellcheck clean
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - snapstate: undo a daemon restart on classic if needed
+ - cmd/snap-repair: recover brand/model from
+   /var/lib/snapd/seed/assertions checking signatures and brand
+   account
+ - spread: opt into unsafe IO during spread tests
+ - snap-repair: update snap-repair/runner_test.go for API change in
+   makeMockServer
+ - cmd/snap-repair: skeleton code around actually running a repair
+ - tests: wait until the port is listening after start the fake store
+ - corecfg: fix typo in tests
+ - cmd/snap-repair: test that redirects works during fetching
+ - osutil: honor SNAPD_UNSAFE_IO for testing
+ - vendor: explode and make more precise our golang.go/x/crypto deps,
+   use same version as Debian unstable
+ - many: sanitize NewStoreStack signature, have shared default store
+   test private keys
+ - systemd: disable `Nice=-5` to fix error when running inside lxd
+ - spread.yaml: update delta ref to 2.27
+ - cmd/snap-repair: use E-Tags when refetching a repair to retry
+ - interfaces/many: updates based on chromium and mrrescue denials
+ - cmd/snap-repair: implement most logic to get the next repair to
+   run/retry in a brand sequence
+ - asserts/assertstest: copy headers in SigningDB.Sign
+ - interfaces: convert uhid to common interface and test cases
+   improvement for time_control and opengl
+ - many tests: move all panicing fake store methods to a common place
+ - asserts: add store assertion type
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - wrappers: symlink completion snippets when symlinking binaries
+ - tests: adding more debug information for the interfaces-cups-
+   control …
+ - apparmor: pass --quiet to parser on load unless SNAPD_DEBUG is set
+ - many: allow and support serials signed by the 'generic' authority
+   instead of the brand
+ - corecfg: add proxy configuration via `snap set core
+   proxy.{http,https,ftp}=...`
+ - interfaces: a bunch of interfaces test improvement
+ - tests: enable regression and completion suites for opensuse
+ - tests: installing snapd for nested test suite
+ - interfaces: convert lxd_support to common iface
+ - interfaces: add missing test for camera interface.
+ - snap: add support for parsing snap layout section
+ - cmd/snap-repair: like for downloads we cannot have a timeout (at
+   least for now), less aggressive retry strategies
+ - overlord: rely on more conservative ensure interval
+ - overlord,store: no piles of return args for methods gathering
+   device session request params
+ - overlord,store: send model assertion when setting up device
+   sessions
+ - interfaces/misc: updates for unity7/x11, browser-
+   support, network-control and mount-observe
+   interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+   interfaces/browser-support: update sysfs reads for
+   newer browser versions, interfaces/network-control: rw for
+   ieee80211 advanced wireless interfaces/mount-observe: allow read
+   on sysfs entries for block devices
+ - tests: use dnf --refresh install to avert stale cache
+ - osutil: ensure TestLockUnlockWorks uses supported flock
+ - interfaces: convert lxd to common iface
+ - tests: restart snapd to ensure re-exec settings are applied
+ - tests: fix interfaces-cups-control test
+ - interfaces: improve and tweak bunch of interfaces test cases.
+ - tests: adding extra worker for fedora
+ - asserts,overlord/devicestate: support predefined assertions that
+   don't establish foundational trust
+ - interfaces: convert two hardware_random interfaces to common iface
+ - interfaces: convert io_ports_control to common iface
+ - tests: fix for  upgrade test on fedora
+ - daemon, client, cmd/snap: implement snap start/stop/restart
+ - cmd/snap-confine: set _FILE_OFFSET_BITS to 64
+ - interfaces: covert framebuffer to commonInterface
+ - interfaces: convert joystick to common iface
+ - interfaces/builtin: add the spi interface
+ - wrappers, overlord/snapstate/backend: make link-snap clean up on
+   failure.
+ - interfaces/wayland: add wayland interface
+ - interfaces: convert kvm to common iface
+ - tests: extend upower-observe test to cover snaps providing slots
+ - tests: enable main suite for opensuse
+ - interfaces: convert physical_memory_observe to common iface
+ - interfaces: add missing test for optical_drive interface.
+ - interfaces: convert physical_memory_control to common iface
+ - interfaces: convert ppp to common iface
+ - interfaces: convert time-control to common iface
+ - tests: fix failover test
+ - interfaces/builtin: rework for avahi interface
+ - interfaces: convert broadcom-asic-control to common iface
+ - snap/snapenv: document the use of CoreSnapMountDir for SNAP
+ - packaging/arch: drop patches merged into master
+ - cmd: fix mustUnsetenv docstring (thanks to Chipaca)
+ - release: remove default from VERSION_ID
+ - tests: enable regression, upgrade and completion test suites for
+   fedora 
+ - tests: restore interfaces-account-control properly
+ - overlord/devicestate, store: update device auth endpoints URLs
+ - tests: fix install-hook test failure
+ - tests: download core and ubuntu-core at most once
+ - interfaces: add common support for udev
+ - overlord/devicestate: fix, don't assume that the serial is backed
+   by a 1-key chain
+ - cmd/snap-confine: don't share /etc/nsswitch from host
+ - store: do not resume a download when we already have the whole
+   thing
+ - many: implement "snap logs"
+ - store: don't call useDeltas() twice in quick succession
+ - interfaces/builtin: add kvm interface
+ - snap/snapenv: always expect /snap for $SNAP
+ - cmd: mark arch as non-reexecing distro
+ - cmd: fix tests that assume /snap mount
+ - gitignore: ignore more build artefacts
+ - packaging: add current arch packaging
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/builtin: implement broadcom-asic-control interface
+ - interfaces/builtin: reduce duplication and remove cruft in
+   Sanitize{Plug,Slot}
+ - tests: apply underscore convention for SNAPMOUNTDIR variable
+ - interfaces/greengrass-support: adjust accesses now that have
+   working snap
+ - daemon, client, cmd/snap: implement "snap services"
+ - tests: fix refresh tests not stopping fake store for fedora
+ - many: add the interface command
+ - overlord/snapstate/backend: some copydata improvements
+ - many: support querying and completing assertion type names
+ - interfaces/builtin: discard empty Validate{Plug,Slot}
+ - cmd/snap-repair:  start of Runner, implement first pass of Peek
+   and Fetch
+ - tests: enable main suite on fedora
+ - snap: do not always quote the snap info summary
+ - vendor: update go-flags to address crash in "snap debug"
+ - interfaces: opengl support pci device and vendor
+ - many: start implenting "base" snap type on the snapd side
+ - arch,release: map armv6 correctly
+ - many: expose service status in 'snap info'
+ - tests: add browser-support interface test
+ - tests: disable snapd-notify for the external backend
+ - interfaces: Add /run/uuid/request to openvswitch
+ - interfaces: add password-manager-service implicit classic
+   interface
+ - cmd: rework reexec detection
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: dependency packages installed during prepare-project
+ - tests: remove unneeded check for re-exec in InternalToolPath()
+ - cmd,tests: fix classic confinement confusing re-execution code
+ - store: configurable base api
+ - tests: fix how package lists are updated for opensuse and fedora
+
+* Sun Sep 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.6-1
+- Release 2.27.6 to Fedora (RH#1489437)
+
+* Thu Sep 07 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.6
+  - interfaces: add udev netlink support to hardware-observe
+  - interfaces/network-{control,observe}: allow receiving
+    kobject_uevent() messages
+
+* Mon Sep 04 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.5-1
+- Release 2.27.5 to Fedora (RH#1483177)
+- Backport userd from upstream to support xdg-open
+
+* Wed Aug 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.5
+  - interfaces: fix network-manager plug regression
+  - hooks: do not error when hook handler is not registered
+  - interfaces/alsa,pulseaudio: allow read on udev data for sound
+  - interfaces/optical-drive: read access to udev data for /dev/scd*
+  - interfaces/browser-support: read on /proc/vmstat and misc udev
+    data
+
+* Thu Aug 24 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.4
+  - snap-seccomp: add secondary arch for unrestricted snaps as well
+
+* Fri Aug 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.3
+  - systemd: disable `Nice=-5` to fix error when running inside lxdSee
+    https://bugs.launchpad.net/snapd/+bug/1709536
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-2
+- Bump to rebuild for F27 and Rawhide
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-1
+- Release 2.27.2 to Fedora (RH#1482173)
+
+* Wed Aug 16 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.2
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - interfaces: backport broadcom-asic-control interface
+ - interfaces: allow /usr/bin/xdg-open in unity7
+ - store: do not resume a download when we already have the whole
+   thing
+
+* Mon Aug 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.1-1
+- Release 2.27.1 to Fedora (RH#1481247)
+
+* Mon Aug 14 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.1
+ - tests: use dnf --refresh install to avert stale cache
+ - tests: fix test failure on 14.04 due to old version of
+   flock
+ - updates for unity7/x11, browser-support, network-control,
+   mount-observe
+ - interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+ - interfaces/browser-support: update sysfs reads for
+   newer browser versions
+ - interfaces/network-control: rw for ieee80211 advanced wireless
+ - interfaces/mount-observe: allow read on sysfs entries for block
+   devices
+
+* Thu Aug 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27-1
+- Release 2.27 to Fedora (RH#1458086)
+
+* Thu Aug 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27
+ - fix build failure on 32bit fedora
+ - interfaces: add password-manager-service implicit classic interface
+ - interfaces/greengrass-support: adjust accesses now that have working
+   snap
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: restore interfaces-account-control properly
+ - cmd: fix tests that assume /snap mount
+ - cmd: mark arch as non-reexecing distro
+ - snap-confine: don't share /etc/nsswitch from host
+ - store: talk to api.snapcraft.io for purchases
+ - hooks: support for install and remove hooks
+ - packaging: fix Fedora support
+ - tests: add bluetooth-control interface test
+ - store: talk to api.snapcraft.io for assertions
+ - tests: remove snapd before building from branch
+ - tests: add avahi-observe interface test
+ - store: orders API now checks if customer is ready
+ - cmd/snap: snap find only searches stable
+ - interfaces: updates default, mir, optical-observe, system-observe,
+   screen-inhibit-control and unity7
+ - tests: speedup prepare statement part 1
+ - store: do not send empty refresh requests
+ - asserts: fix error handling in snap-developer consistency check
+ - systemd: add explicit sync to snapd.core-fixup.sh
+ - snapd: generate snap cookies on startup
+ - cmd,client,daemon: expose "force devmode" in sysinfo
+ - many: introduce and use strutil.ListContains and also
+   strutil.SortedListContains
+ - assserts,overlord/assertstate: test we don't accept chains of
+   assertions founded on a self-signed key coming externally
+ - interfaces: enable access to bridge settings
+ - interfaces: fix copy-pasted iio vs io in io-ports-control
+ - cmd/snap-confine: various small fixes and tweaks to seccomp
+   support code
+ - interfaces: bring back seccomp argument filtering
+ - systemd, osutil: rework systemd logs in preparation for services
+   commands
+ - tests: store /etc/systemd/system/snap-*core*.mount in snapd-
+   state.tar.gz
+ - tests: shellcheck improvements for tests/main tasks - first set of
+   tests
+ - cmd/snap: `--last` for abort and watch, and aliases
+   (search→find, change→tasks)
+ - tests: shellcheck improvements for tests/lib scripts
+ - tests: create ramdisk if it's not present
+ - tests: shellcheck improvements for nightly upgrade and regressions
+   tests
+ - snapd: fix for snapctl get panic on null config values.
+ - tests: fix for rng-tools service not restarting
+ - systemd: add snapd.core-fixup.service unit
+ - cmd: avoid using current symlink in InternalToolPath
+ - tests: fix timeout issue for test refresh core with hanging …
+ - intefaces: control bridged vlan/ppoe-tagged traffic
+ - cmd/snap: include snap type in notes
+ - overlord/state: Abort() only visits each task once
+ - tests: extend find-private test to cover more cases
+ - snap-seccomp: skip socket() tests on systems that use socketcall()
+   instead of socket()
+ - many: support snap title as localized/title-cased name
+ - snap-seccomp: deal with mknod on aarch64 in the seccomp tests
+ - interfaces: put base policy fragments inside each interface
+ - asserts: introduce NewDecoderWithTypeMaxBodySize
+ - tests: fix snapd-notify when it takes more time to restart
+ - snap-seccomp: fix snap-seccomp tests in artful
+ - tests: fix for create-key task to avoid rng-tools service ramains
+   alive
+ - snap-seccomp: make sure snap-seccomp writes the bpf file
+   atomically
+ - tests: do not disable ipv6 on core systems
+ - arch: the kernel architecture name is armv7l instead of armv7
+ - snap-confine: ensure snap-confine waits some seconds for seccomp
+   security profiles
+ - tests: shellcheck improvements for tests/nested tasks
+ - wrappers: add SyslogIdentifier to the service unit files.
+ - tests: shellcheck improvements for unit tasks
+ - asserts: implement FindManyTrusted as well
+ - asserts: open up and optimize Encoder to help avoiding unnecessary
+   copying
+ - interfaces: simplify snap-confine by just loading pre-generated
+   bpf code
+ - tests: restart rng-tools services after few seconds
+ - interfaces, tests: add mising dbus abstraction to system-observe
+   and extend spread test
+ - store: change main store host to api.snapcraft.io
+ - overlord/cmdstate: new package for running commands as tasks.
+ - spread: help libapt resolve installing libudev-dev
+ - tests: show the IP from .travis.yaml
+ - tests/main: use pkgdb function in more test cases
+ - cmd,daemon: add debug command for displaying the base policy
+ - tests: prevent quoting error on opensuse
+ - tests: fix nightly suite
+ - tests: add linode-sru backend
+ - snap-confine: validate SNAP_NAME against security tag
+ - tests: fix ipv6 disable for ubuntu-core
+ - tests: extend core-revert test to cover bluez issues
+ - interfaces/greengrass-support: add support for Amazon Greengrass
+   as a snap
+ - asserts: support timestamp and optional disabled header on repair
+ - tests: reboot after upgrading to snapd on the -proposed pocket
+ - many: fix test cases to work with different DistroLibExecDir
+ - tests: reenable help test on ubuntu and debian systems
+ - packaging/{opensuse,fedora}: allow package build with testkeys
+   included
+ - tests/lib: generalize RPM build support
+ - interfaces/builtin: sync connected slot and permanent slot snippet
+ - tests: fix snap create-key by restarting automatically rng-tools
+ - many: switch to use http numeric statuses as agreed
+ - debian: add missing  Type=notify in 14.04 packaging
+ - tests: mark interfaces-openvswitch as manual due to prepare errors
+ - debian: unify built_using between the 14.04 and 16.04 packaging
+   branch
+ - tests: pull from urandom when real entropy is not enough
+ - tests/main/manpages: install missing man package
+ - tests: add refresh --time output check
+ - debian: add missing "make -C data/systemd clean"
+ - tests: fix for upgrade test when it is repeated
+ - tests/main: use dir abstraction in a few more test cases
+ - tests/main: check for confinement in a few more interface tests
+ - spread: add fedora snap bin dir to global PATH
+ - tests: check that locale-control is not present on core
+ - many: snapctl outside hooks
+ - tests: add whoami check
+ - interfaces: compose the base declaration from interfaces
+ - tests: fix spread flaky tests linode
+ - tests,packaging: add package build support for openSUSE
+ - many: slight improvement of some snap error messaging
+ - errtracker: Include /etc/apparmor.d/usr.lib.snap-confine md5sum in
+   err reports
+ - tests: fix for the test postrm-purge
+ - tests: restoring the /etc/environment and service units config for
+   each test
+ - daemon: make snapd a "Type=notify" daemon and notify when startup
+   is done
+ - cmd/snap-confine: add support for --base snap
+ - many: derive implicit slots from interface meta-data
+ - tests: add core revert test
+ - tests,packaging: add package build support for Fedora for our
+   spread setup
+ - interfaces: move base declaration to the policy sub-package
+ - tests: fix for snapd-reexec test cheking for restart info on debug
+   log
+ - tests: show available entropy on error
+ - tests: clean journalctl logs on trusty
+ - tests: fix econnreset on staging
+ - tests: modify core before calling set
+ - tests: add snap-confine privilege test
+ - tests: add staging snap-id
+ - interfaces/builtin: silence ptrace denial for network-manager
+ - tests: add alsa interface spread test
+ - tests: prefer ipv4 over ipv6
+ - tests: fix for econnreset test checking that the download already
+   started
+ - httputil,store: extract retry code to httputil, reorg usages
+ - errtracker: report if snapd did re-execute itself
+ - errtracker: include bits of snap-confine apparmor profile
+ - tests: take into account staging snap-ids for snap-info
+ - cmd: add stub new snap-repair command and add timer
+ - many: stop "snap refresh $x --channel invalid" from working
+ - interfaces: revert "interfaces: re-add reverted ioctl and quotactl
+ - snapstate: consider connect/disconnect tasks in
+   CheckChangeConflict.
+ - interfaces: disable "mknod |N" in the default seccomp template
+   again
+ - interfaces,overlord/ifacestate: make sure installing slots after
+   plugs works similarly to plugs after slots
+ - interfaces/seccomp: add bind() syscall for forced-devmode systems
+ - packaging/fedora: Sync packaging from Fedora Dist-Git
+ - tests: move static and unit tests to spread task
+ - many: error types should be called FooError, not ErrFoo.
+ - partition: add directory sync to the save uboot.env file code
+ - cmd: test everything (100% coverage \o/)
+ - many: make shell scripts shellcheck-clean
+ - tests: remove additional setup for docker on core
+ - interfaces: add summary to each interface
+ - many: remove interface meta-data from list of connections
+ - logger (& many more, to accommodate): drop explicit syslog.
+ - packaging: import packaging bits for opensuse
+ - snapstate,many: implement snap install --unaliased
+ - tests/lib: abstract build dependency installation a bit more
+ - interfaces, osutil: move flock code from interfaces/mount to
+   osutil
+ - cmd: auto import assertions only from ext4,vfat file systems
+ - many: refactor in preparation for 'snap start'
+ - overlord/snapstate: have an explicit code path last-refresh
+   unset/zero => immediately refresh try
+ - tests: fixes for executions using the staging store
+ - tests: use pollinate to seed the rng
+ - cmd/snap,tests: show the sha3-384 of the snap for snap info
+   --verbose SNAP-FILE
+ - asserts: simplify and adjust repair assertion definition
+ - cmd/snap,tests: show the snap id if available in snap info
+ - daemon,overlord/auth: store from model assertion wins
+ - cmd/snap,tests/main: add confinement switch instead of spread
+   system blacklisting
+ - many: cleanup MockCommands and don't leave a process around after
+   hookstate tests
+ - tests: update listing test to the core version number schema
+ - interfaces: allow snaps to use the timedatectl utility
+ - packaging: Add Fedora packaging files
+ - tests/libs: add distro_auto_remove_packages function
+ - cmd/snap: correct devmode note for anomalous state
+ - tests/main/snap-info: use proper pkgdb functions to install distro
+   packages
+ - tests/lib: use mktemp instead of tempfile to work cross-distro
+ - tests: abstract common dirs which differ on distributions
+ - many: model and expose interface meta-data.
+ - overlord: make config defaults from gadget work also at first boot
+ - interfaces/log-observe: allow using journalctl from hostfs for
+   classic distro
+ - partition,snap: add support for android boot
+ - errtracker: small simplification around readMachineID
+ - snap-confine: move rm_rf_tmp to test-utils.
+ - tests/lib: introduce pkgdb helper library
+ - errtracker: try multiple paths to read machine-id
+ - overlord/hooks: make sure only one hook for given snap is executed
+   at a time.
+ - cmd/snap-confine: use SNAP_MOUNT_DIR to setup /snap inside the
+   confinement env
+ - tests: bump kill-timeout and remove quiet call on build
+ - tests/lib/snaps: add a test store snap with a passthrough
+   configure hook
+ - daemon: teach the daemon to wait on active connections when
+   shutting down
+ - tests: remove unit tests task
+ - tests/main/completion: source from /usr/share/bash-completion
+ - assertions: add "repair" assertion
+ - interfaces/seccomp: document Backend.NewSpecification
+ - wrappers: make StartSnapServices cleanup any services that were
+   added if a later one fails
+ - overlord/snapstate: avoid creating command aliases for daemons
+ - vendor: remove unused packages
+ - vendor,partition: fix panics from uenv
+ - cmd,interfaces/mount: run snap-update-ns and snap-discard-ns from
+   core if possible
+ - daemon: do not allow to install ubuntu-core anymore
+ - wrappers: service start/stop were inconsistent
+ - tests: fix failing tests (snap core version, syslog changes)
+ - cmd/snap-update-ns: add actual implementation
+ - tests: improve entropy also for ubuntu
+ - cmd/snap-confine: use /etc/ssl from the core snap
+ - wrappers: don't convert between []byte and string needlessly.
+ - hooks: default timeout
+ - overlord/snapstate: Enable() was ignoring the flags from the
+   snap's state, resulting in losing "devmode" on disable/enable.
+ - difs,interfaces/mount: add support for locking namespaces
+ - interfaces/mount: keep track of kept mount entries
+ - tests/main: move a bunch of greps over to MATCH
+ - interfaces/builtin: make all interfaces private
+ - interfaces/mount: spell unmount correctly
+ - tests: allow 16-X.Y.Z version of core snap
+ - the timezone_control interface only allows changing /etc/timezone
+   and /etc/writable/timezone. systemd-timedated also updated the
+   link of /etc/localtime and /etc/writable/localtime ... allow
+   access to this file too
+ - cmd/snap-confine: aggregate operations holding global lock
+ - api, ifacestate: resolve disconnect early
+ - interfaces/builtin: ensure we don't register interfaces twice
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu May 25 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-3
+- Cover even more stuff for proper erasure on final uninstall (RH#1444422)
+
+* Sun May 21 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-2
+- Fix error in script for removing Snappy content (RH#1444422)
+- Adjust changelog bug references to be specific on origin
+
+* Wed May 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-1
+- Update to snapd 2.26.3
+- Drop merged and unused patches
+- Cover more Snappy content for proper erasure on final uninstall (RH#1444422)
+- Add temporary fix to ensure generated seccomp profiles don't break snapctl
+
+* Mon May 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.25-1
+- Update to snapd 2.25
+- Ensure all Snappy content is gone on final uninstall (RH#1444422)
+
+* Tue Apr 11 2017 Neal Gompa <ngompa13@gmail.com> - 2.24-1
+- Update to snapd 2.24
+- Drop merged patches
+- Install snap bash completion and snapd info file
+
+* Wed Apr 05 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-4
+- Test if snapd socket and timer enabled and start them if enabled on install
+
+* Sat Apr 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-3
+- Fix profile.d generation so that vars aren't expanded in package build
+
+* Fri Mar 31 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-2
+- Fix the overlapping file conflicts between snapd and snap-confine
+- Rework package descriptions slightly
+
+* Thu Mar 30 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-1
+- Rebase to snapd 2.23.6
+- Rediff patches
+- Re-enable seccomp
+- Fix building snap-confine on 32-bit arches
+- Set ExclusiveArch based on upstream supported arch list
+
+* Wed Mar 29 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.5-1
+- Rebase to snapd 2.23.5
+- Disable seccomp temporarily avoid snap-confine bugs (LP#1674193)
+- Use vendorized build for non-Fedora
+
+* Mon Mar 13 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.1-1
+- Rebase to snapd 2.23.1
+- Add support for vendored tarball for non-Fedora targets
+- Use merged in SELinux policy module
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 19 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.16-1
+- New upstream release
+
+* Tue Oct 18 2016 Neal Gompa <ngompa13@gmail.com> - 2.14-2
+- Add SELinux policy module subpackage
+
+* Tue Aug 30 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.14-1
+- New upstream release
+
+* Tue Aug 23 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.13-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-2
+- Correct license identifier
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-8
+- Add %%dir entries for various snapd directories
+- Tweak Source0 URL
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-7
+- Disable snapd re-exec feature by default
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-6
+- Don't auto-start snapd.socket and snapd.refresh.timer
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-5
+- Don't touch snapd state on removal
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-4
+- Use ExecStartPre to load squashfs.ko before snapd starts
+- Use dedicated systemd units for Fedora
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-3
+- Remove systemd preset (will be requested separately according to distribution
+  standards).
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-2
+- Use Requires: kmod(squashfs.ko) instead of Requires: kernel-modules
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-1
+- New upstream release
+- Move private executables to /usr/libexec/snapd/
+
+* Fri Jun 24 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9-2
+- Depend on kernel-modules to ensure that squashfs can be loaded. Load it afer
+  installing the package. This hopefully fixes
+  https://github.com/zyga/snapcore-fedora/issues/2
+
+* Fri Jun 17 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9
+- New upstream release
+  https://github.com/snapcore/snapd/releases/tag/2.0.9
+
+* Tue Jun 14 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8.1
+- New upstream release
+
+* Fri Jun 10 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8
+- First package for Fedora
diff -Nru snapd-2.32.3.2~14.04/packaging/fedora-29/snapd.spec snapd-2.37~rc1~14.04/packaging/fedora-29/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/fedora-29/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/fedora-29/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4448 @@
+# With Fedora, nothing is bundled. For everything else, bundling is used.
+# To use bundled stuff, use "--with vendorized" on rpmbuild
+%if 0%{?fedora}
+%bcond_with vendorized
+%else
+%bcond_without vendorized
+%endif
+
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
+# A switch to allow building the package with support for testkeys which
+# are used for the spread test suite of snapd.
+%bcond_with testkeys
+
+%global with_devel 1
+%global with_debug 1
+%global with_check 0
+%global with_unit_test 0
+%global with_test_keys 0
+%global with_selinux 1
+
+# For the moment, we don't support all golang arches...
+%global with_goarches 0
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%if ! %{with vendorized}
+%global with_bundled 0
+%else
+%global with_bundled 1
+%endif
+
+%if ! %{with testkeys}
+%global with_test_keys 0
+%else
+%global with_test_keys 1
+%endif
+
+%if 0%{?with_debug}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package   %{nil}
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+# https://github.com/snapcore/snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
+
+# Until we have a way to add more extldflags to gobuild macro...
+%if 0%{?fedora} >= 26
+%define gobuild_static(o:) go build -buildmode pie -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+%if 0%{?fedora} == 25
+%define gobuild_static(o:) go build -compiler gc -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-static'" -a -v -x %{?**};
+%endif
+%if 0%{?rhel} == 7
+%define gobuild_static(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags -static'" -a -v -x %{?**};
+%endif
+
+# These macros are not defined in RHEL 7
+%if 0%{?rhel} == 7
+%define gobuild(o:) go build -compiler gc -tags=rpm_crashtraceback -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
+%endif
+
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
+Name:           snapd
+Version:        2.37
+Release:        0%{?dist}
+Summary:        A transactional software package manager
+Group:          System Environment/Base
+License:        GPLv3
+URL:            https://%{provider_prefix}
+Source0:        https://%{provider_prefix}/archive/%{version}/%{name}-%{version}.tar.gz
+%if 0%{?with_bundled}
+Source1:        https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.only-vendor.tar.xz
+%endif
+
+%if 0%{?with_goarches}
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+%else
+# Verified arches from snapd upstream
+ExclusiveArch:  %{ix86} x86_64 %{arm} aarch64 ppc64le s390x
+%endif
+
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
+BuildRequires:  systemd
+%{?systemd_requires}
+
+Requires:       snap-confine%{?_isa} = %{version}-%{release}
+Requires:       squashfs-tools
+
+%if 0%{?fedora} >= 26 || 0%{?rhel} >= 8
+# snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
+Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
+%else
+%if ! 0%{?amzn2}
+# Rich dependencies not available, always pull in squashfuse
+# snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
+Requires:       squashfuse
+Requires:       fuse
+%endif
+%endif
+
+# bash-completion owns /usr/share/bash-completion/completions
+Requires:       bash-completion
+
+%if 0%{?with_selinux}
+# Force the SELinux module to be installed
+Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
+
+%if ! 0%{?with_bundled}
+BuildRequires: golang(github.com/boltdb/bolt)
+BuildRequires: golang(github.com/cheggaaa/pb)
+BuildRequires: golang(github.com/coreos/go-systemd/activation)
+BuildRequires: golang(github.com/godbus/dbus)
+BuildRequires: golang(github.com/godbus/dbus/introspect)
+BuildRequires: golang(github.com/gorilla/mux)
+BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
+BuildRequires: golang(github.com/mvo5/goconfigparser)
+BuildRequires: golang(github.com/ojii/gettext.go)
+BuildRequires: golang(github.com/seccomp/libseccomp-golang)
+BuildRequires: golang(golang.org/x/crypto/openpgp/armor)
+BuildRequires: golang(golang.org/x/crypto/openpgp/packet)
+BuildRequires: golang(golang.org/x/crypto/sha3)
+BuildRequires: golang(golang.org/x/crypto/ssh/terminal)
+BuildRequires: golang(golang.org/x/net/context)
+BuildRequires: golang(golang.org/x/net/context/ctxhttp)
+BuildRequires: golang(gopkg.in/check.v1)
+BuildRequires: golang(gopkg.in/macaroon.v1)
+BuildRequires: golang(gopkg.in/mgo.v2/bson)
+BuildRequires: golang(gopkg.in/retry.v1)
+BuildRequires: golang(gopkg.in/tomb.v2)
+BuildRequires: golang(gopkg.in/yaml.v2)
+%endif
+
+%description
+Snappy is a modern, cross-distribution, transactional package manager
+designed for working with self-contained, immutable packages.
+
+%package -n snap-confine
+Summary:        Confinement system for snap applications
+License:        GPLv3
+Group:          System Environment/Base
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  gcc
+BuildRequires:  gettext
+BuildRequires:  gnupg
+BuildRequires:  indent
+BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(libcap)
+BuildRequires:  pkgconfig(libseccomp)
+BuildRequires:  pkgconfig(libudev)
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  pkgconfig(udev)
+BuildRequires:  xfsprogs-devel
+BuildRequires:  glibc-static
+%if ! 0%{?rhel}
+BuildRequires:  libseccomp-static
+%endif
+BuildRequires:  valgrind
+BuildRequires:  %{_bindir}/rst2man
+%if 0%{?fedora} >= 25
+# ShellCheck in F24 and older doesn't work
+BuildRequires:  %{_bindir}/shellcheck
+%endif
+
+# Ensures older version from split packaging is replaced
+Obsoletes:      snap-confine < 2.19
+
+%description -n snap-confine
+This package is used internally by snapd to apply confinement to
+the started snap applications.
+
+%if 0%{?with_selinux}
+%package selinux
+Summary:        SELinux module for snapd
+Group:          System Environment/Base
+License:        GPLv2+
+BuildArch:      noarch
+BuildRequires:  selinux-policy, selinux-policy-devel
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
+Requires(post): policycoreutils-python-utils
+%endif
+Requires(pre):  libselinux-utils
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure snapd
+runs properly under an environment with SELinux enabled.
+%endif
+
+%if 0%{?with_devel}
+%package devel
+Summary:       Development files for %{name}
+BuildArch:     noarch
+
+%if 0%{?with_check} && ! 0%{?with_bundled}
+%endif
+
+%if ! 0%{?with_bundled}
+Requires:      golang(github.com/boltdb/bolt)
+Requires:      golang(github.com/cheggaaa/pb)
+Requires:      golang(github.com/coreos/go-systemd/activation)
+Requires:      golang(github.com/godbus/dbus)
+Requires:      golang(github.com/godbus/dbus/introspect)
+Requires:      golang(github.com/gorilla/mux)
+Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
+Requires:      golang(github.com/mvo5/goconfigparser)
+Requires:      golang(github.com/ojii/gettext.go)
+Requires:      golang(github.com/seccomp/libseccomp-golang)
+Requires:      golang(golang.org/x/crypto/openpgp/armor)
+Requires:      golang(golang.org/x/crypto/openpgp/packet)
+Requires:      golang(golang.org/x/crypto/sha3)
+Requires:      golang(golang.org/x/crypto/ssh/terminal)
+Requires:      golang(golang.org/x/net/context)
+Requires:      golang(golang.org/x/net/context/ctxhttp)
+Requires:      golang(gopkg.in/check.v1)
+Requires:      golang(gopkg.in/macaroon.v1)
+Requires:      golang(gopkg.in/mgo.v2/bson)
+Requires:      golang(gopkg.in/retry.v1)
+Requires:      golang(gopkg.in/tomb.v2)
+Requires:      golang(gopkg.in/yaml.v2)
+%else
+# These Provides are unversioned because the sources in
+# the bundled tarball are unversioned (they go by git commit)
+# *sigh*... I hate golang...
+Provides:      bundled(golang(github.com/snapcore/bolt))
+Provides:      bundled(golang(github.com/cheggaaa/pb))
+Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
+Provides:      bundled(golang(github.com/godbus/dbus))
+Provides:      bundled(golang(github.com/godbus/dbus/introspect))
+Provides:      bundled(golang(github.com/gorilla/mux))
+Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
+Provides:      bundled(golang(github.com/mvo5/goconfigparser))
+Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
+Provides:      bundled(golang(github.com/ojii/gettext.go))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/armor))
+Provides:      bundled(golang(golang.org/x/crypto/openpgp/packet))
+Provides:      bundled(golang(golang.org/x/crypto/sha3))
+Provides:      bundled(golang(golang.org/x/crypto/ssh/terminal))
+Provides:      bundled(golang(golang.org/x/net/context))
+Provides:      bundled(golang(golang.org/x/net/context/ctxhttp))
+Provides:      bundled(golang(gopkg.in/check.v1))
+Provides:      bundled(golang(gopkg.in/macaroon.v1))
+Provides:      bundled(golang(gopkg.in/mgo.v2/bson))
+Provides:      bundled(golang(gopkg.in/retry.v1))
+Provides:      bundled(golang(gopkg.in/tomb.v2))
+Provides:      bundled(golang(gopkg.in/yaml.v2))
+%endif
+
+# Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
+Provides:      golang(%{import_path}/arch) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/signtool) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/snapasserts) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/sysdb) = %{version}-%{release}
+Provides:      golang(%{import_path}/asserts/systestkeys) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot) = %{version}-%{release}
+Provides:      golang(%{import_path}/boot/boottest) = %{version}-%{release}
+Provides:      golang(%{import_path}/client) = %{version}-%{release}
+Provides:      golang(%{import_path}/cmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/daemon) = %{version}-%{release}
+Provides:      golang(%{import_path}/dirs) = %{version}-%{release}
+Provides:      golang(%{import_path}/errtracker) = %{version}-%{release}
+Provides:      golang(%{import_path}/httputil) = %{version}-%{release}
+Provides:      golang(%{import_path}/i18n) = %{version}-%{release}
+Provides:      golang(%{import_path}/image) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/apparmor) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/policy) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
+Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/cmdstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/partition/ubootenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/polkit) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress) = %{version}-%{release}
+Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
+Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snapenv) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/snaptest) = %{version}-%{release}
+Provides:      golang(%{import_path}/snap/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/spdx) = %{version}-%{release}
+Provides:      golang(%{import_path}/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
+Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
+Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
+Provides:      golang(%{import_path}/testutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
+Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
+Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
+Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
+
+%description devel
+This package contains library source intended for
+building other packages which use import path with
+%{import_path} prefix.
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%package unit-test-devel
+Summary:         Unit tests for %{name} package
+
+%if 0%{?with_check}
+#Here comes all BuildRequires: PACKAGE the unit tests
+#in %%check section need for running
+%endif
+
+# test subpackage tests code from devel subpackage
+Requires:        %{name}-devel = %{version}-%{release}
+
+%description unit-test-devel
+This package contains unit tests for project
+providing packages with %{import_path} prefix.
+%endif
+
+%prep
+%if ! 0%{?with_bundled}
+%setup -q
+# Ensure there's no bundled stuff accidentally leaking in...
+rm -rf vendor/*
+%else
+# Extract each tarball properly
+%setup -q -D -b 1
+%endif
+
+%build
+# Generate version files
+./mkversion.sh "%{version}-%{release}"
+
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
+sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
+
+# Build snapd
+mkdir -p src/github.com/snapcore
+ln -s ../../../ src/github.com/snapcore/snapd
+
+%if ! 0%{?with_bundled}
+export GOPATH=$(pwd):%{gopath}
+%else
+export GOPATH=$(pwd):$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+
+GOFLAGS=
+%if 0%{?with_test_keys}
+GOFLAGS="$GOFLAGS -tags withtestkeys"
+%endif
+
+%if ! 0%{?with_bundled}
+# We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
+sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
+# We don't need the snapcore fork for bolt - it is just a fix on ppc
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
+%endif
+
+# We have to build snapd first to prevent the build from
+# building various things from the tree without additional
+# set tags.
+%gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
+%gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
+%gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
+
+# To ensure things work correctly with base snaps,
+# snap-exec and snap-update-ns need to be built statically
+%gobuild_static -o bin/snap-exec $GOFLAGS %{import_path}/cmd/snap-exec
+%gobuild_static -o bin/snap-update-ns $GOFLAGS %{import_path}/cmd/snap-update-ns
+
+%if 0%{?rhel}
+# There's no static link library for libseccomp in RHEL/CentOS...
+sed -e "s/-Bstatic -lseccomp/-Bstatic/g" -i cmd/snap-seccomp/*.go
+%endif
+%gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
+
+%if 0%{?with_selinux}
+# Build SELinux module
+pushd ./data/selinux
+make SHARE="%{_datadir}" TARGETS="snappy"
+popd
+%endif
+
+# Build snap-confine
+pushd ./cmd
+# FIXME This is a hack to get rid of a patch we have to ship for the
+# Fedora package at the moment as /usr/lib/rpm/redhat/redhat-hardened-ld
+# accidentially adds -pie for static executables. See
+# https://bugzilla.redhat.com/show_bug.cgi?id=1343892 for a few more
+# details. To prevent this from happening we drop the linker
+# script and define our LDFLAGS manually for now.
+export LDFLAGS="-Wl,-z,relro -z now"
+autoreconf --force --install --verbose
+# selinux support is not yet available, for now just disable apparmor
+# FIXME: add --enable-caps-over-setuid as soon as possible (setuid discouraged!)
+%configure \
+    --disable-apparmor \
+    --libexecdir=%{_libexecdir}/snapd/ \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
+    --enable-merged-usr
+
+%make_build
+popd
+
+# Build systemd units, dbus services, and env files
+pushd ./data
+make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+     SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+     SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+     SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%install
+install -d -p %{buildroot}%{_bindir}
+install -d -p %{buildroot}%{_libexecdir}/snapd
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
+install -d -p %{buildroot}%{_unitdir}
+install -d -p %{buildroot}%{_sysconfdir}/profile.d
+install -d -p %{buildroot}%{_sysconfdir}/sysconfig
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
+install -d -p %{buildroot}%{_localstatedir}/snap
+install -d -p %{buildroot}%{_localstatedir}/cache/snapd
+install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap and snapd
+install -p -m 0755 bin/snap %{buildroot}%{_bindir}
+install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
+install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+
+%if 0%{?with_selinux}
+# Install SELinux module
+install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
+
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+
+# Install the "info" data file with snapd version
+install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
+
+# Install bash completion for "snap"
+install -m 644 -D data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Install snap-confine
+pushd ./cmd
+%make_install
+# Undo the 0000 permissions, they are restored in the files section
+chmod 0755 %{buildroot}%{_sharedstatedir}/snapd/void
+# We don't use AppArmor
+rm -rfv %{buildroot}%{_sysconfdir}/apparmor.d
+# ubuntu-core-launcher is dead
+rm -fv %{buildroot}%{_bindir}/ubuntu-core-launcher
+popd
+
+# Install all systemd and dbus units, and env files
+pushd ./data
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
+# Remove snappy core specific units
+rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
+rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
+rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
+
+# Remove snappy core specific scripts
+rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
+# Install Polkit configuration
+install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# Disable re-exec by default
+echo 'SNAP_REEXEC=0' > %{buildroot}%{_sysconfdir}/sysconfig/snapd
+
+# Create state.json and the README file to be ghosted
+touch %{buildroot}%{_sharedstatedir}/snapd/state.json
+touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
+
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
+# source codes for building projects
+%if 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+echo "%%dir %%{gopath}/src/%%{import_path}/." >> devel.file-list
+# find all *.go but no *_test.go files and generate devel.file-list
+for file in $(find . -iname "*.go" -o -iname "*.s" \! -iname "*_test.go") ; do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> devel.file-list
+done
+%endif
+
+# testing files for this project
+%if 0%{?with_unit_test} && 0%{?with_devel}
+install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
+# find all *_test.go files and generate unit-test.file-list
+for file in $(find . -iname "*_test.go"); do
+    echo "%%dir %%{gopath}/src/%%{import_path}/$(dirname $file)" >> devel.file-list
+    install -d -p %{buildroot}/%{gopath}/src/%{import_path}/$(dirname $file)
+    cp -pav $file %{buildroot}/%{gopath}/src/%{import_path}/$file
+    echo "%%{gopath}/src/%%{import_path}/$file" >> unit-test-devel.file-list
+done
+
+# Install additional testdata
+install -d %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+cp -pav cmd/snap/test-data/* %{buildroot}/%{gopath}/src/%{import_path}/cmd/snap/test-data/
+echo "%%{gopath}/src/%%{import_path}/cmd/snap/test-data" >> unit-test-devel.file-list
+%endif
+
+%if 0%{?with_devel}
+sort -u -o devel.file-list devel.file-list
+%endif
+
+%check
+# snapd tests
+%if 0%{?with_check} && 0%{?with_unit_test} && 0%{?with_devel}
+%if ! 0%{?with_bundled}
+export GOPATH=%{buildroot}/%{gopath}:%{gopath}
+%else
+export GOPATH=%{buildroot}/%{gopath}:$(pwd)/Godeps/_workspace:%{gopath}
+%endif
+%gotest %{import_path}/...
+%endif
+
+# snap-confine tests (these always run!)
+pushd ./cmd
+make check
+popd
+
+%files
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+%license COPYING
+%doc README.md docs/*
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
+%dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-mgmt
+%{_mandir}/man8/snap.8*
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
+%{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+%config(noreplace) %{_sysconfdir}/sysconfig/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/snap
+%ghost %dir %{_sharedstatedir}/snapd/snap/bin
+%dir %{_localstatedir}/cache/snapd
+%dir %{_localstatedir}/snap
+%ghost %{_sharedstatedir}/snapd/state.json
+%ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
+
+%files -n snap-confine
+%doc cmd/snap-confine/PORTING
+%license COPYING
+%dir %{_libexecdir}/snapd
+# For now, we can't use caps
+# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
+%attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/system-shutdown
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
+%attr(0000,root,root) %{_sharedstatedir}/snapd/void
+
+%if 0%{?with_selinux}
+%files selinux
+%license data/selinux/COPYING
+%doc data/selinux/README.md
+%{_datadir}/selinux/packages/snappy.pp.bz2
+%{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
+
+%if 0%{?with_devel}
+%files devel -f devel.file-list
+%license COPYING
+%doc README.md
+%dir %{gopath}/src/%{provider}.%{provider_tld}/%{project}
+%endif
+
+%if 0%{?with_unit_test} && 0%{?with_devel}
+%files unit-test-devel -f unit-test-devel.file-list
+%license COPYING
+%doc README.md
+%endif
+
+%post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
+%systemd_post %{snappy_svcs}
+# If install, test if snapd socket and timer are enabled.
+# If enabled, then attempt to start them. This will silently fail
+# in chroots or other environments where services aren't expected
+# to be started.
+if [ $1 -eq 1 ] ; then
+   if systemctl -q is-enabled snapd.socket > /dev/null 2>&1 ; then
+      systemctl start snapd.socket > /dev/null 2>&1 || :
+   fi
+fi
+
+%preun
+%systemd_preun %{snappy_svcs}
+
+# Remove all Snappy content if snapd is being fully uninstalled
+if [ $1 -eq 0 ]; then
+   %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+
+%postun
+%systemd_postun_with_restart %{snappy_svcs}
+
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/snappy.pp.bz2
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall snappy
+if [ $1 -eq 0 ]; then
+    %selinux_relabel_post
+fi
+%endif
+
+%changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.2
+ - errtracker: make TestJournalErrorSilentError work on
+   gccgo
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3.1
+ - debian: add gbp.conf script to build snapd via `gbp
+   buildpackage`
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - data/selinux: Give snapd access to more aspects of the system
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - overlord: test fix, address corner case
+
+* Thu Apr 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.3
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate: inject autoconnect tasks in doLinkSnap for regular
+   snaps
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - osutil: fix fstab parser to allow for # in field values
+
+* Sat Mar 31 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.2
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - tests: adjust canonical-livepatch test on GCE
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc
+ - spread.yaml: switch Fedora 27 tests to manual
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses arch
+   triplets
+ - vendor: update gopkg.in/yaml.v2 to the latest version (#4945)
+
+* Mon Mar 26 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.1
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - tests: disentangle etc vs extrausers in core tests
+ - packaging: fix changelogs' typo
+
+* Sat Mar 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32
+ - snap: make `snap run` look at the system-key for security profiles
+ - overlord/configstate: change how ssh is stopped/started
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: deal with missing commands.db file
+ - interfaces,release: probe seccomp features lazily
+ - interfaces: harden snap-update-ns profile
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: change debug for layout test
+ - cmd/snap-confine: don't use per-snap s-u-n profile
+ - many: backported fixes for layouts and symlinks
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - cmd/snap-confine: fix ptrace rule with snap-confine peer
+ - tests: update tests to deal with s390x quirks
+ - snapstate: add compat mode for default-provider"snapname:ifname"
+ - snap-confine: fallback to /lib/udev/snappy-app-dev if the core is
+   older
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - debian: undo snap.mount system unit removal
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - tests: add workaround for s390x failure
+ - tests: make autopkgtest tests more targeted
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - store: cleanup test naming, dropping remoteRepo and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+ - tests: autopkgtest may have non edge core too
+ - data: translate polkit strings
+ - snapstate: put layout feature behind feature flag
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate: hold refreshes for 2h after seeding on classic
+ - many: cherry-pick relevant `go vet` 1.10 fixes to 2.32
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: generate and use per-snap snap-update-ns profile
+ - many: support holding refreshes by setting refresh.hold
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - many: remove snapd.refresh.{timer,service}
+ - many: add the snapd-generator
+ - polkit: do not shadow dbus errors, avoid panic in case of errors
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - asserts:  use a timestamp for the assertion after the signing key
+   has been created
+ - ifacestate: be consistent passing Retry.After as named field
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+   interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - osutil: handle file being matched by multiple patterns
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - interfaces/network-status: fix use of '/' in interface in DBus
+   rule
+ - interfaces/screen-inhibit-control: fix use of '.' in path in DBus
+   rule
+ - overlord/snapstate: fix task iteration order in
+   TestDoPrereqRetryWhenBaseInFlight
+ - interfaces: add an interface for gnome-online-accounts D-Bus
+   service
+ - snap: pass full timer spec in `snap run --timer`
+ - cmd/snap: introduce `snap run --timer`
+ - snapstate: auto install default-providers for content snaps
+ - hooks/strutil: limit the number of data read from the hooks to
+   avoid oom
+ - osutil: aggregate mockable symbols
+ - tests: make sure snapd is running before attempting to remove
+   leftover snaps
+ - timeutil: account for 24h wrap when flattening clock spans
+ - many: send  new Snap-CDN header with none or with cloud instance
+   placement info as needed
+ - cmd/snap-update-ns,testutil: move syscall testing helpers
+ - tests: disable interfaces-location-control on s390x
+ - tests: new spread test for gpio-memory-control interface
+ - tests: spread test for broadcom-asic-control interface
+ - tests: make restore of interfaces-password-manager-service more
+   robust
+ - tests/lib/prepare-restore: sync journal before rotating and
+   vacuuming
+ - overlord/snapstate: use spread in the default refresh schedule
+ - tests: fixes for autopkgtest in bionic
+ - timeutil: introduce helpers for checking it time falls inside the
+   schedule
+ - cmd/snap-repair,httputil: set snap-repair User-Agent on requests
+ - vendor: resync formatting of vendor.json
+ - snapstate/ifacestate: auto-connect tasks
+ - cmd/snap: also include tracking channel in list output.
+ - interfaces/apparmor: use snap revision with surrounding '.' when
+   replacing in glob
+ - debian,vendor: import github.com/snapcore/squashfs and use
+ - many: implement "refresh-mode: {restart,endure,...}" for services
+ - daemon: make the ast-inspecting test smarter; drop 'exceptions'
+ - tests: new spread test for kvm interface
+ - cmd/snap: tweaks to 'snap info' output
+ - snap: remove underscore from version validator regexp
+ - testutil: add File{Matches,Equals,Contains} checkers.
+ - snap: improve the version validator's error messages.
+ - osutil: refactor EnsureFileState to separate out the comparator
+ - timeutil: fix scheduling on nth weekday of the month
+ - cmd/snap-update-ns: small refactor for upcoming per-user mounts
+ - many: rename snappy-app-dev to snap-device-helper
+ - systemd: add default target for timers
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: linter cleanups
+ - interfaces/mount: generate per-user mount profiles
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - packaging: provide a compat symlink for snappy-app-dev
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - tests: adding new test to validate the raw-usb interface
+ - snap: add support for `snap run --gdb`
+ - interfaces/builtin: allow MM to access login1
+ - packaging: fix build on sbuild
+ - store: revert PR#4532 and do not display displayname
+ - interfaces/mount: add support for per-user mount entries
+ - cmd/system-shutdown: move sync to be even more pessimistic
+ - osutil: reimplement IsMounted with LoadMountInfo
+ - tests/main/ubuntu-core-services: enable snapd.refresh.timer for
+   the test
+ - many: don't allow layout construction to silently fail
+ - interfaces/apparmor: ensure snap-confine profile for reexec is
+   current
+ - interfaces/apparmor: generalize apparmor load and unload helpers
+ - tests: removing packages which are not needed anymore to generate
+   random data
+ - snap: improve `snap run` comments/naming
+ - snap: allow options for --strace, e.g. `snap run --strace="-tt"`
+ - tests: fix spread test failures on 18.04
+ - systemd: update comment on SocketsTarget
+ - osutil: add and update docstrings
+ - osutil: parse mount entries without options field
+ - interfaces: mock away real mountinfo/fstab
+ - many: move /lib/udev/snappy-app-dev to /usr/lib/snapd/snappy-app-
+   dev
+ - overlord/snapstate/backend: perform cleanup if snap setup fails
+ - tests/lib/prepare: disable snapd.refresh.timer
+ - daemon: remove redundant UserOK markings from api commands
+ - snap: introduce  timer service data types and validation
+ - cmd/snap: fix UX of snap services
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - all: snap versions are now validated
+ - many: add nfs-home flag to system-key
+ - snap: disallow layouts in various special directories
+ - cmd/snap: add help for service commands.
+ - devicestate: fix autopkgtest failure in
+   TestDoRequestSerialErrorsOnNoHost
+ - snap,interfaces: allow using bind-file layouts
+ - many: move mount code to osutil
+ - snap: understand directories in layout blacklist
+ - snap: use custom unsquashfsStderrWriter for unsquashfs error
+   detection
+ - tests/main/user-data-handling: get rid of ordering bug
+ - snap: exclude `gettimeofday` from `snap run --strace`
+ - tests: check if snapd.socket is active before stoping it
+ - snap: sort layout elements before validating
+ - strutil: introducing MatchCounter
+ - snap: detect unsquashfs write failures
+ - spread: add missing ubuntu-18.04-arm64 to available autopkgtest
+   machines
+ - cmd/snap-confine: allow mounting anywhere, effectively
+ - daemon: improve ucrednet code for the snap.socket
+ - release, interfaces: add new release.AppArmorFeatures helper
+ - snap: apply some golint suggestions
+ - many: add interfaces.SystemKey() helper
+ - tests: new snaps to test installs nightly
+ - tests: skip alsa interface test when the system does not have any
+   audio devices
+ - debian/rules: workaround for
+   https://github.com/golang/go/issues/23721
+ - interfaces/apparmor: early support for snap-update-ns snippets
+ - wrappers: cleanup enabled service sockets
+ - cmd/snap-update-ns: large refactor / update of unit tests
+ - interfaces/apparmor: remove leaked future layout code
+ - many: allow constructing layouts (phase 1)
+ - data/systemd: for debugging/testing use /etc/environment also for
+   snap-repair runs
+ - cmd/snap-confine: create lib/{gl,gl32,vulkan} under /var/lib/snapd
+   and chown as root:root
+ - overlord/configstate/config: make [GS]etSnapConfig use *RawMessage
+ - daemon: refactor snapFooMany helpers a little
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - interfaces/apparmor: use a helper to set the scope
+ - overlord/configstate/config: make SetSnapConfig delete on empty
+ - osutil: make MkdirAllChown clean the path passed in
+ - many: at seeding try to capture cloud information into core config
+   under "cloud"
+ - cmd/snap: add completion conversion helper to increase DRY
+ - many: remove "content" argument from snaptest.MockSnap()
+ - osutil: allow using many globs in EnsureDirState
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - tests: use root path to /home/test/tmp to avoid lack of space
+   issue
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - tests: update kill-timeout focused on making tests pass on boards
+ - advisor: ensure commands.db has mode 0644 and add test
+ - snap: improve validation of snap layouts
+ - tests: ensure disabled services are masked
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - systemd, wrappers: start all snap services in one systemctl call
+ - mir: software clients need access to shared memory /dev/shm/#*
+ - snap: add support for `snap advise-snap pkgName`
+ - snap: fix command-not-found on core devices
+ - tests: new spead test for openvswitch-support interface
+ - tests: add integration for local snap licenses
+ - config: add (Get|Set)SnapConfig to do bulk config e.g. from
+   snapshots
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - osutil: add ContextWriter and RunWithContext helpers.
+ - osutil: add DirExists and IsDirNotExist
+
+* Fri Mar 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.2
+ - many: add the snapd-generator
+ - polkit: ensure error is properly set if dialog is dismissed
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - configstate: when disable "ssh" we must disable the "sshd"
+   service
+ - many: remove snapd.refresh.{timer,service}
+ - interfaces/builtin: allow MM to access login1
+ - timeutil: account for 24h wrap when flattening clock spans
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - systemd, wrappers: start all snap services in one systemctl
+   call
+ - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
+* Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31.1
+ - tests: multiple autopkgtest related fixes for 18.04
+ - overlord/snapstate: use spread in the default refresh schedule
+ - timeutil: fix scheduling on nth weekday of the month
+ - interfaces: miscellaneous policy updates for home, opengl, time-
+   control, network, et al
+ - cmd/snap: use proper help strings for `snap userd --help`
+ - interfaces/time-control,netlink-audit: adjust for util-linux
+   compiled with libaudit
+ - rules: do not static link on powerpc
+ - packaging: revert LDFLAGS rewrite again after building snap-
+   seccomp
+ - store: revert PR#4532 and do not display displayname
+ - daemon: allow `snapctl get` from any uid
+ - debian, snap: only static link libseccomp in snap-seccomp on
+   ubuntu
+ - daemon: improve ucrednet code for the snap.socket
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.31
+ - cmd/snap-confine: allow snap-update-ns to chown things
+ - cmd/snap-confine: fix read-only filesystem when mounting nvidia
+   files in biarch
+ - packaging: create /var/lib/snapd/lib/{gl,gl32,vulkan} as part of
+   packaging
+ - advisor: ensure commands.db has mode 0644 and add test
+ - interfaces/desktop-legacy,unity7: support gtk2/gvfs gtk_show_uri()
+ - snap: improve validation of snap layoutsRules for validating
+   layouts:
+ - snap: fix command-not-found on core devices
+ - cmd/snap: display snap license information
+ - tests: enable content sharing test for $SNAP
+ - userd: add support for a simple UI that can be used from userd
+ - snap-confine/nvidia: Support legacy biarch trees for GLVND systems
+ - tests: generic detection of gadget and kernel snaps
+ - cmd/snap-update-ns: refactor and improve Change.Perform to handle
+   EROFS
+ - cmd/snap: improve output when snaps were found in a section or the
+   section is invalid
+ - cmd/snap-confine,tests: hide message about stale base snap
+ - cmd/snap-mgmt: fix out of source tree build
+ - strutil/quantity: new package that exports formatFoo (from
+   progress)
+ - cmd/snap: snap refresh --time with new and legacy schedules
+ - state: unknown tasks handler
+ - cmd/snap-confine,data/systemd: fix removal of snaps inside LXD
+ - snap: add io.snapcraft.Settings to `snap userd`
+ - spread: remove more EOLed releases
+ - snap: tidy up top-level help output
+ - snap: fix race in `snap run --strace`
+ - tests: update "searching" test to match store changes
+ - store: use the "publisher" when populating the "publisher" field
+ - snap: make `snap find --section` show all sections
+ - tests: new test to validate location control interface
+ - many: add new `snap refresh --amend <snap>` command
+ - tests/main/kernel-snap-refresh-on-core: skip the whole test if
+   edge and stable are the same version
+ - tests: set test kernel-snap-refresh-on-core to manual
+ - tests: new spread test for interface gpg-keys
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - interfaces: miscellaneous policy updates
+ - interfaces/builtin: Replace Solus support with GLVND support
+ - tests/main/kernel-snap-refresh-on-core: do not fail if edge and
+   stable kernels are the same version
+ - snap: add `snap run --strace` to be able to strace snap apps
+ - tests: new spread test for ssh-keys interface
+ - errtracker: include detected virtualisation
+ - tests: add new kernel refresh/revert test for spread-cron
+ - interfaces/builtin: blacklist zigbee dongle
+ - cmd/snap-confine: discard stale mount namespaces
+ - cmd: remove unused execArg0/execEnv
+ - snap,interfaces/mount: disallow nobody/nogroup
+ - cmd/snap: improve `snap aliases` output when no aliases are
+   defined
+ - tests/lib/snaps/test-snapd-service: refactor service reload
+ - tests: new spread test for gpg-public-keys interface
+ - tests: new spread test for ssh-public-keys interface
+ - spread: setup machine creation on Linode
+ - interfaces/builtin: allow introspecting UDisks2
+ - interfaces/builtin: add support for content "source" section
+ - tests: new spread test for netlink-audit interface
+ - daemon: avoid panic'ing building an error response w/no snaps
+   given
+ - interfaces/mount,snap: early support for snap layouts
+ - daemon: unlock state even if RefreshSchedule() fails
+ - arch: add "armv8l" to ubuntuArchFromKernelArch table
+ - tests: fix for test interface-netlink-connector
+ - data/dbus: add AssumedAppArmorLabel=unconfined
+ - advisor: use forked bolt to make it work on ppc
+ - overlord/snapstate: record the 'kind' of conflicting change
+ - dirs: fix snap mount dir on Manjaro
+ - overlord/{snapstate,configstate}, daemon: introduce refresh.timer,
+   fallback to refresh.schedule
+ - config: add support for `snap set core proxy.no_proxy=...`
+ - snap-mgmt: extend spread tests, stop, disable and cleanup snap
+   services
+ - spread.yaml: add fedora 27
+ - cmd/snap-confine: allow snap-update-ns to poke writable holes in
+   $SNAP
+ - packaging/14.04: move linux-generic-lts-xenial to recommends
+ - osutil/sys: ppc has 32-bit getuid already
+ - snapstate: make no autorefresh message clearer
+ - spread: try to enable Fedora once more
+ - overlord/snapstate: do a minimal sanity check on containers
+ - configcore: ensure config.txt has a final newline
+ - cmd/libsnap-confine-private: print failed mount/umount regardless
+   of SNAP_CONFINE_DEBUG
+ - debian/tests: add missing autopkgtest test dependencies for debian
+ - image: port ini handling to goconfigparser
+ - tests/main/snap-service-after-before: add test for after/before
+   service ordering
+ - tests: enabling opensuse for tests
+ - tests: update auto-refresh-private to match messages from current
+   master
+ - dirs: check if distro 'is like' fedora when picking path to
+   libexecdir
+ - tests: fix "job canceled" issue and improve cleanup for snaps
+ - cmd/libsnap-confine-private: add debug build of libsnap-confine-
+   private.a, link it into snap-confine-debug
+ - vendor: remove x/sys/unix to fix builds on arm64 and powerpc
+ - image: let consume snapcraft export-login files from tooling
+ - interfaces/mir: allow Wayland socket and non-root sockets
+ - interfaces/builtin: use snap.{Plug,Slot}Info over
+   interfaces.{Plug,Slot}
+ - tests: add simple snap-mgmt test
+ - wrappers: autogenerate After/Before in systemd's service files for
+   apps
+ - snap: add usage hints in `snap download`
+ - snap: provide more meaningful errors for installMany and friends
+ - cmd/snap: show header/footer when `snap find` is used without
+   arguments
+ - overlord/snapstate: for Enable's tasks refer to the first task
+   with snap-setup, do not duplicate
+ - tests: add hard-coded fully expired macaroons to run related tests
+ - cmd/snap-update-ns: new test features
+ - cmd/snap-update-ns: we don't want to bind mount symlinks
+ - interfaces/mount: test OptsToCommonFlags, filter out x-snapd.
+   options
+ - cmd/snap-update-ns: untangle upcoming cyclic initialization
+ - client, daemon: update user's email when logging in with new
+   account
+ - tests: ensure snap-confine apparmor profile is parsable
+ - snap: do not leak internal errors on install/refresh etc
+ - snap: fix missing error check when multiple snaps are refreshed
+ - spread: trying to re-enable tests on Fedora
+ - snap: fix gadget.yaml parsing for multi volume gadgets
+ - snap: give the snap.Container interface a Walk method
+ - snap: rename `snap advise-command` to `snap advise-snap --command`
+ - overlord/snapstate: no refresh just for hints if there was a
+   recent regular full refresh
+ - progress: switch ansimeter's Spin() to use a spinner
+ - snap: support `command-not-found` symlink for `snap advise-
+   command`
+ - daemon: store email, ID and macaroon when creating a new user
+ - snap: app startup after/before validation
+ - timeutil: refresh timer take 2
+ - store, daemon/api: Rename MyAppsServer, point to
+   dashboard.snapcraft.io instead
+ - tests: use "quiet" helper instead of "dnf -q" to get errors on
+   failures
+ - cmd/snap-update-ns: improve mocking for tests
+ - many: implement the advisor backend, populate it from the store
+ - tests: make less calls to the package manager
+ - tests/main/confinement-classic: enable the test on Fedora
+ - snap: do not leak internal network errors to the user
+ - snap: use stdout instead of stderr for "fetching" message
+ - tests: fix test whoami, share successful_login.exp
+ - many: refresh with appropriate creds
+ - snap: add new `snap advice-command` skeleton
+ - tests: add test that ensures we never parse versions as numbers
+ - overlord/snapstate: override Snapstate.UserID in refresh if the
+   installing user is gone
+ - interfaces: allow socket "shutdown" syscall in default profile
+ - snap: print friendly message if `snap keys` is empty
+ - cmd/snap-update-ns: add execWritableMimic
+ - snap: make `snap info invalid-snap` output more user friendly
+ - cmd/snap,  tests/main/classic-confinement: fix snap-exec path when
+   running under classic confinement
+ - overlord/ifacestate: fix disable/enable cycle to setup security
+ - snap: fix snap find " " output
+ - daemon: add new polkit action to manage interfaces
+ - packaging/arch: disable services when removing
+ - asserts/signtool: support for building tools on top that fill-
+   in/compute some headers
+ - cmd: clarify "This leaves %s tracking %s." message
+ - daemon: return "bad-query" error kind for store.ErrBadQuery
+ - taskrunner/many: KnownTaskKinds helper
+ - tests/main/interfaces-fuse_support: fix confinement, allow
+   unmount, fix spread tests
+ - snap: use the -no-fragments mksquashfs option
+ - data/selinux: allow messages from policykit
+ - tests: fix catalog-update wait loop
+ - tests/lib/prepare-restore: disable rate limiting in journald
+ - tests: change interfaces-fuse_support to be debug friendly
+ - tests/main/postrm-purge: stop snapd before purge
+ - This is an example of test log:https://paste.ubuntu.com/26215170/
+ - tests/main/interfaces-fuse_support: dump more debugging
+   information
+ - interfaces/dbus: adjust slot policy for listen, accept and accept4
+   syscalls
+ - tests: save the snapd-state without compression
+ - tests/main/searching: handle changes in featured snaps list
+ - overlord/snapstate: fix auto-refresh summary for 2 snaps
+ - overlord/auth,daemon: introduce an explicit auth.ErrInvalidUser
+ - interfaces: add /proc/partitions to system-observe (This addresses
+   LP#1708527.)
+ - tests/lib: introduce helpers for setting up /dev/random using
+   /dev/urandom in project prepare
+ - tests: new test for interface network status
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - tests: fix security-device-cgroups-serial-port test for rpi and db
+ - cmd/snap-mgmt: add more directories for cleanup and refactor
+   purge() code
+ - snap: YAML and data structures for app before/after ordering
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - packaging/arch: install snap-mgmt tool
+ - tests: add support on tests for cm3 gadget
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 2)
+ - interfaces: rename sanitize methods
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces: added Ref() helpers, restored more detailed error
+   message on spi iface
+ - debian: make "gnupg" a recommends
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - interfaces: PlugInfo/SlotInfo/ConnectedPlug/ConnectedSlot
+   attribute helpers
+ - interfaces: update fixme comments
+ - tests: make interfaces-snapd-control-with-manage more robust
+ - userd: generalize dbusInterface
+ - interfaces: use ConnectedPlug/ConnectedSlot types (step 1)
+ - hookstate: add compat "configure-snapd" task.
+ - config, overlord/snapstate, timeutil: rename ParseSchedule to
+   ParseLegacySchedule
+ - tests: adding tests for time*-control interfaces
+ - tests: new test to check interfaces after reboot the system
+ - cmd/snap-mgmt: fixes
+ - packaging/opensuse-42.2: package and use snap-mgmt
+ - corecfg: also "mask" services when disabling them
+ - cmd/snap-mgmt: introduce snap-mgmt tool
+ - configstate: simplify ConfigManager
+ - interfaces: add gpio-memory-control interface
+ - cmd: disable check-syntax-c
+ - packaging/arch: add bash-completion as optional dependency
+ - corecfg: rename package to overlord/configstate/configcore
+ - wrappers: fix unit tests to use dirs.SnapMountDir
+ - osutil/sys: reimplement getuid and chown with the right int type
+ - interfaces-netlink-connector: fix sourcing snaps.sh
+
+* Thu Jan 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.30-1
+- Release 2.30 to Fedora (RH#1527519)
+- Backport fix to correctly locate snapd libexecdir on Fedora derivatives (RH#1536895)
+- Refresh SELinux policy fix patches with upstream backport version
+
+* Mon Dec 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.30
+ - tests: set TRUST_TEST_KEYS=false for all the external backends
+ - tests: fix external backend for tests that need DEBUG output
+ - tests: do not disable refresh timer on external backend
+ - client: send all snap related bool json fields
+ - interfaces: interfaces: also add an app/hook-specific udev RUN
+   rule for hotplugging
+ - interfaces/desktop,unity7: allow status/activate/lock of
+   screensavers
+ - tests/main: source mkpinentry.sh
+ - devicestate: use a different nowhere domain
+ - interfaces: add ssh-keys, ssh-public-keys, gpg-keys and gpg-public
+   keys interfaces
+ - interfaces/many: misc updates for default, browser-support, opengl,
+   desktop, unity7, x11
+ - devicestate: fix misbehaving test when using systemd-resolved
+ - interfaces/removable-media: also allow 'k' (lock)
+ - interfaces/many: misc updates for default, browser-support,
+   opengl, desktop, unity7, x11
+ - corecfg: also "mask" services when disabling them
+ - tests: add support for autopkgtests on s390x
+ - snapstate: support for pre-refresh hook
+ - many: allow to configure core before it is installed
+ - devicestate: fix unkeyed fields error
+ - snap-confine: create mount target for lib32,vulkan on demand
+ - snapstate: add support for refresh.schedule=managed
+ - cmd/snap-update-ns: teach update logic to handle synthetic changes
+ - many: remove configure-snapd task again and handle internally
+ - snap: fix TestDirAndFileMethods() test to work with gccgo
+ - debian: ensure /var/lib/snapd/lib/vulkan is available
+ - cmd/snap-confine: use #include instead of bare include
+ - snapstate: store userID in snapstate
+ - snapd.dirs: add var/lib/snapd/lib/gl32
+ - timeutil, overlod/snapstate: cleanup remaining pieces of timeutil
+   weekday support
+ - packaging/arch: install missing directories, manpages and version
+   info
+ - snapstate,store: store if a snap is a paid snap in the sideinfo
+ - packaging/arch: pre-create snapd directories when packaging
+ - tests/main/manpages: set LC_ALL=C as man may complain if the
+   locale is unset or unsupported
+ - repo: ConnectedPlug and ConnectedSlot types
+ - snapd: fix handling of undo in the taskrunner
+ - store: fix download caching and add integration test
+ - snapstate: move autorefresh code into autoRefresh helper
+ - snapctl: don't error out on start/stop/restart from configure hook
+   during install or refresh
+ - cmd/snap-update-ns: add planWritableMimic
+ - deamon: don't omit responses, even if null
+ - tests: add test for frame buffer interface
+ - tests/lib: fix shellcheck errors
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - tests: remove obsolete workaround
+ - snap: use existing files in `snap download` if digest/size matches
+ - tests: merge pepare-project.sh into prepare-restore.sh
+ - tests: cache snaps to $TESTSLIB/cache
+ - tests: set -e, -o pipefail in prepare-restore.sh
+ - apparmor: generate the snap-confine re-exec profile for
+   AppArmor{Partial,Full}
+ - cmd/snap-seccomp: fix uid/gid restrictions tests on Arch
+ - tests: document and slightly refactor prepare/restore code
+ - snapstate: ensure RefreshSchedule() gives accurate results
+ - snapstate: add new refresh-hints helper and use it
+ - spread.yaml,tests: move most of project-wide prepare/restore to
+   separate file
+ - timeutil: introduce helpers for weekdays and TimeOfDay
+ - tests: adding new test for uhid interface
+ - cmd/libsnap: fix parsing of empty mountinfo fields
+ - overlord/devicestate:  best effort to go to early full retries for
+   registration on the like of DNS no host
+ - spread.yaml: bump delta ref to 2.29
+ - tests: adding test to test physical memory observe interface
+ - cmd, errtracker: get rid of SNAP_DID_REEXEC environment
+ - timeutil: remove support to parse weekday schedules
+ - snap-confine: add workaround for snap-confine on 4.13/upstream
+ - store: do not log the http body for catalog updates
+ - snapstate: move catalogRefresh into its own helper
+ - spread.yaml: fix shellcheck issues and trivial refactor
+ - spread.yaml: move prepare-each closer to restore-each
+ - spread.yaml: increase workers for opensuse to 3
+ - tests: force delete when tests are restore to avoid suite failure
+ - test: ignore /snap/README
+ - interfaces/opengl: also allow read on 'revision' in
+   /sys/devices/pci...
+ - interfaces/screen-inhibit-control: fix case in screen inhibit
+   control
+ - asserts/sysdb: panic early if pointed to staging but staging keys
+   are not compiled-in
+ - interfaces: allow /bin/chown and fchownat to root:root
+ - timeutil: include test input in error message in
+   TestParseSchedule()
+ - interfaces/browser-support: adjust base declaration for auto-
+   connection
+ - snap-confine: fix snap-confine under lxd
+ - store: bit less aggressive retry strategy
+ - tests: add new `fakestore new-snap-{declaration,revision}` helpers
+ - cmd/snap-update-ns: add secureMkfileAll
+ - snap: use field names when initializing composite literals
+ - HACKING: fix path in snap install
+ - store: add support for flags in ListRefresh()
+ - interfaces: remove invalid plugs/slots from SnapInfo on
+   sanitization.
+ - debian: add missing udev dependency
+ - snap/validate: extend socket validation tests
+ - interfaces: add "refresh-schedule" attribute to snapd-control
+ - interfaces/builtin/account_control: use gid owning /etc/shadow to
+   setup seccomp rules
+ - cmd/snap-update-ns: tweak changePerform
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - tests: disable interfaces-network-control-tuntap
+ - cmd: use a preinit_array function rather than parsing
+   /proc/self/cmdline
+ - interfaces/time*_control: explicitly deny noisy read on
+   /proc/1/environ
+ - cmd/snap-update-ns: misc cleanups
+ - snapd: allow hooks to have slots
+ - fakestore: add go-flags to prepare for `new-snap-declaration` cmd
+ - interfaces/browser-support: add shm path for nwjs
+ - many: add magic /snap/README file
+ - overlord/snapstate: support completion for command aliases
+ - tests: re-enable tun/tap test on Debian
+ - snap,wrappers: add support for socket activation
+ - repo: use PlugInfo and SlotInfo for permanent plugs/slots
+ - tests/interfaces-network-control-tuntap: disable on debian-
+   unstable for now
+ - cmd/snap-confine: Loosen the NVIDIA Vulkan ICD glob
+ - cmd/snap-update-ns: detect and report read-only filesystems
+ - cmd/snap-update-ns: re-factor secureMkdirAll into
+   secureMk{Prefix,Dir}
+ - run-checks, tests/lib/snaps/: shellcheck fixes
+ - corecfg: validate refresh.schedule when it is applied
+ - tests: adjust test to match stderr
+ - snapd: fix snap cookie bugs
+ - packaging/arch: do not quote MAKEFLAGS
+ - state: add change.LaneTasks helper
+ - cmd/snap-update-ns: do not assume 'nogroup' exists
+ - tests/lib: handle distro specific grub-editenv naming
+ - cmd/snap-confine: Add missing bi-arch NVIDIA filesthe
+   `/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl/vdpau` paths within
+ - cmd: Support exposing NVIDIA Vulkan ICD files to the snaps
+ - cmd/snap-confine: Implement full 32-bit NVIDIA driver support
+ - packaging/arch: packaging update
+ - cmd/snap-confine: Support bash as base runtime entry
+ - wrappers: do not error on incorrect Exec= lines
+ - interfaces: fix udev tagging for hooks
+ - tests/set-proxy-store: exclude ubuntu-core-16 via systems: key
+ - tests: new tests for network setup control and observe interfaces
+ - osutil: add helper for obtaining group ID of given file path
+ - daemon,overlord/snapstate: return snap-not-installed error in more
+   cases
+ - interfaces/builtin/lxd_support: allow discovering of host's os-
+   release
+ - configstate: add support for configure-snapd for
+   snapstate.IgnoreHookError
+ - tests:  add a spread test for proxy.store setting together with
+   store assertion
+ - cmd/snap-seccomp: do not use group 'shadow' in tests
+ - asserts/assertstest:  fix use of hardcoded value when the passed
+   or default keys should be used
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - tests: fix xdg-open-compat
+ - daemon: for /v2/logs, 404 when no services are found
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - cmd/snap-update-ns: add new helpers for mount entries
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - cmd: fix re-exec bug with classic confinement for host snapd <
+   2.28
+ - interfaces/kmod: simplify loadModules now that errors are ignored
+ - tests: disable xdg-open-compat test
+ - tests: add test that checks core reverts on core devices
+ - dirs: use alt root when checking classic confinement support
+   without …
+ - interfaces/kmod: treat failure to load module as non-fatal
+ - cmd/snap-update-ns: fix golint and some stale comments
+ - corecfg:  support setting proxy.store if there's a matching store
+   assertion
+ - overlord/snapstate: toggle ignore-validation as needed as we do
+   for channel
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - interfaces: add USB interface number attribute in udev rule for
+   serial-port interface
+ - overlord/devicestate: switch to the new endpoints for registration
+ - snap-update-ns: add missing unit test for desired/current profile
+   handling
+ - cmd/{snap-confine,libsnap-confine-private,snap-shutdown}: cleanup
+   low-level C bits
+ - ifacestate: make interfaces.Repository available via state cache
+ - overlord/snapstate: cleanups around switch-snap*
+ - cmd/snapd,client,daemon: display ignore-validation flag through
+   the notes mechanism
+ - cmd/snap-update-ns: add logging to snap-update-ns
+ - many: have a timestamp on store assertions
+ - many: lookup and use the URL from a store assertion if one is set
+   for use
+ - tests/test-snapd-service: fix shellcheck issues
+ - tests: new test for hardware-random-control interface
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - repo, daemon: use PlugInfo, SlotInfo
+ - many: handle core configuration internally instead of using the
+   core configure hook
+ - tests: refactor and expand content interface test
+ - snap-seccomp: skip in-kernel bpf tests for socket() in trusty/i386
+ - cmd/snap-update-ns: allow Change.Perform to return changes
+ - snap-confine: Support biarch Linux distribution confinement
+ - partition/ubootenv: don't panic when uboot.env is missing the eof
+   marker
+ - cmd/snap-update-ns: allow fault injection to provide dynamic
+   result
+ - interfaces/mount: exspose mount.{Escape,Unescape}
+ - snapctl: added long help to stop/start/restart command
+ - cmd/snap-update-ns: create missing mount points automatically.
+ - cmd: downgrade log message in InternalToolPath to Debugf()
+ - tests: wait for service status change & file update in the test to
+   avoid races
+ - daemon, store: forward SSO invalid credentials errors as 401
+   Unauthorized responses
+ - spdx: fix for WITH syntax, require a license name before the
+   operator
+ - many: reorg things in preparation to make handling of the base url
+   in store dynamic
+ - hooks/configure: queue service restarts
+ - cmd/snap: warn when a snap is not from the tracking channel
+ - interfaces/mount: add support for parsing x-snapd.{mode,uid,gid}=
+ - cmd/snap-confine: add detection of stale mount namespace
+ - interfaces: add plugRef/slotRef helpers for PlugInfo/SlotInfo
+ - tests: check for invalid udev files during all tests
+ - daemon: use newChange() in changeAliases for consistency
+ - servicestate: use taskset
+ - many: add support for /home on NFS
+ - packaging,spread: fix and re-enable opensuse builds
+
+* Sun Dec 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-3
+- Add patch to SELinux policy to allow snapd to receive replies from polkit
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-2
+- Add missing bash completion files and cache directory
+
+* Sun Nov 19 2017 Neal Gompa <ngompa13@gmail.com> - 2.29.4-1
+- Release 2.29.4 to Fedora (RH#1508433)
+- Install Polkit configuration (RH#1509586)
+- Drop changes to revert cheggaaa/pb import path used
+
+* Fri Nov 17 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.4
+ - snap-confine: fix snap-confine under lxd
+ - tests: disable classic-ubuntu-core-transition on i386 temporarily
+ - many: reject bad plugs/slots
+ - interfaces,tests: skip unknown plug/slot interfaces
+ - store: enable "base" field from the store
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+
+* Thu Nov 09 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.3
+ - daemon: cherry-picked /v2/logs fixes
+ - cmd/snap-confine: Respect biarch nature of libdirs
+ - cmd/snap-confine: Ensure snap-confine is allowed to access os-
+   release
+ - interfaces: fix udev tagging for hooks
+ - cmd: fix re-exec bug with classic confinement for host snapd
+ - tests: disable xdg-open-compat test
+ - cmd/snap-confine: add slave PTYs and let devpts newinstance
+   perform mediation
+ - interfaces/many: misc policy updates for browser-support, cups-
+   control and network-status
+ - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS
+ - tests: fix security-device-cgroup* tests on devices with
+   framebuffer
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.2
+  - snapctl: disable stop/start/restart (2.29)
+  - cmd/snap-update-ns: fix collection of changes made
+
+* Fri Nov 03 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29.1
+ - interfaces: fix incorrect signature of ofono DBusPermanentSlot
+ - interfaces/serial-port: udev tag plugged slots that have just
+   'path' via KERNEL
+ - interfaces/hidraw: udev tag plugged slots that have just 'path'
+   via KERNEL
+ - interfaces/uhid: unconditionally add existing uhid device to the
+   device cgroup
+ - cmd/snap-update-ns: fix mount rules for font sharing
+ - tests: disable refresh-undo test on trusty for now
+ - tests: use `snap change --last=install` in snapd-reexec test
+ - Revert " wrappers: fail install if exec-line cannot be re-written
+ - interfaces: don't udev tag devmode or classic snaps
+ - many: make ignore-validation sticky and send the flag with refresh
+   requests
+
+* Mon Oct 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.29
+ - interfaces/many: miscellaneous updates based on feedback from the
+   field
+ - snap-confine: allow reading uevents from any where in /sys
+ - spread: add bionic beaver
+ - debian: make packaging/ubuntu-14.04/copyright a real file again
+ - tests: cherry pick the fix for services test into 2.29
+ - cmd/snap-update-ns: initialize logger
+ - hooks/configure: queue service restarts
+ - snap-{confine,seccomp}: make @unrestricted fully unrestricted
+ - interfaces: clean system apparmor cache on core device
+ - debian: do not build static snap-exec on powerpc
+ - snap-confine: increase sanity_timeout to 6s
+ - snapctl: cherry pick service commands changes
+ - cmd/snap: tell translators about arg names and descs req's
+ - systemd: run all mount units before snapd.service to avoid race
+ - store: add a test to show auth failures are forwarded by doRequest
+ - daemon: convert ErrInvalidCredentials to a 401 Unauthorized error.
+ - store: forward on INVALID_CREDENTIALS error as
+   ErrInvalidCredentials
+ - daemon: generate a forbidden response message if polkit dialog is
+   dismissed
+ - daemon: Allow Polkit authorization to cancel changes.
+ - travis: switch to container based test runs
+ - interfaces: reduce duplicated code in interface tests mocks
+ - tests: improve revert related testing
+ - interfaces: sanitize plugs and slots early in ReadInfo
+ - store: add download caching
+ - preserve TMPDIR and HOSTALIASES across snap-confine invocation
+ - snap-confine: init all arrays with `= {0,}`
+ - tests: adding test for network-manager interface
+ - interfaces/mount: don't generate legacy per-hook/per-app mount
+   profiles
+ - snap: introduce structured epochs
+ - tests: fix interfaces-cups-control test for cups-2.2.5
+ - snap-confine: cleanup incorrectly created nvidia udev tags
+ - cmd/snap-confine: update valid security tag regexp
+ - cmd/libsnap: enable two stranded tests
+ - cmd,packaging: enable apparmor on openSUSE
+ - overlord/ifacestate: refresh all security backends on startup
+ - interfaces/dbus: drop unneeded check for
+   release.ReleaseInfo.ForceDevMode
+ - dbus: ensure io.snapcraft.Launcher.service is created on re-
+   exec
+ - overlord/auth: continue for now supporting UBUNTU_STORE_ID if the
+   model is generic-classic
+ - snap-confine: add support for handling /dev/nvidia-modeset
+ - interfaces/network-control: remove incorrect rules for tun
+ - spread: allow setting SPREAD_DEBUG_EACH=0 to disable debug-each
+   section
+ - packaging: remove .mnt files on removal
+ - tests: fix econnreset scenario when the iptables rule was not
+   created
+ - tests: add test for lxd interface
+ - run-checks: use nakedret static checker to check for naked
+   returns on long functions
+ - progress: be more flexible in testing ansimeter
+ - interfaces: fix udev rules for tun
+ - many: implement our own ANSI-escape-using progress indicator
+ - snap-exec: update tests to follow main_test pattern
+ - snap: support "command: foo $ENV_STRING"
+ - packaging: update nvidia configure options
+ - snap: add new `snap pack` and use in tests
+ - cmd: correctly name the "Ubuntu" and "Arch" NVIDIA methods
+ - cmd: add autogen case for solus
+ - tests: do not use http://canihazip.com/ which appears to be down
+ - hooks: commands for controlling own services from snapctl
+ - snap: refactor cmdGet.Execute()
+ - interfaces/mount: make Change.Perform testable and test it
+ - interfaces/mount,cmd/snap-update-ns: move change code
+ - snap-confine: is_running_on_classic_distribution() looks into os-
+   release
+ - interfaces: misc updates for default, browser-support, home and
+   system-observe
+ - interfaces: deny lttng by default
+ - interfaces/lxd: lxd slot implementation can also be an app snap
+ - release,cmd,dirs: Redo the distro checks to take into account
+   distribution families
+ - cmd/snap: completion for alias and unalias
+ - snap-confine: add new SC_CLEANUP and use it
+ - snap: refrain from running filepath.Base on random strings
+ - cmd/snap-confine: put processes into freezer hierarchy
+ - wrappers: fail install if exec-line cannot be re-written
+ - cmd/snap-seccomp,osutil: make user/group lookup functions public
+ - snapstate: deal with snap user data in the /root/ directory
+ - interfaces: Enhance full-confinement support for biarch
+   distributions
+ - snap-confine: Only attempt to copy/mount NVIDIA libs when NVIDIA
+   is used
+ - packaging/fedora: Add Fedora 26, 27, and Rawhide symlinks
+ - overlord/snapstate: prefer a smaller corner case for doing the
+   wrong thing
+ - cmd/snap-repair:  set user agent for snap-repair http requests
+ - packaging: bring down the delta between 14.04 and 16.04
+ - snap-confine: Ensure lib64 biarch directory is respected
+ - snap-confine: update apparmor rules for fedora based base snaps
+ - tests: Increase SNAPD_CONFIGURE_HOOK_TIMEOUT to 3 minutes to
+   install real snaps
+ - daemon: use client.Snap instead of map[string]interface{} for
+   snaps.
+ - hooks: rename refresh hook to post-refresh
+ - git: make the .gitingore file a bit more targeted
+ - interfaces/opengl: don't udev tag nvidia devices and use snap-
+   confine instead
+ - cmd/snap-{confine,update-ns}: apply mount profiles using snap-
+   update-ns
+ - cmd: update "make hack"
+ - interfaces/system-observe: allow clients to enumerate DBus
+   connection names
+ - snap-repair: implement `snap-repair {list,show}`
+ - dirs,interfaces: create snap-confine.d on demand when re-executing
+ - snap-confine: fix base snaps on core
+ - cmd/snap-repair: fix tests when running as root
+ - interfaces: add Connection type
+ - cmd/snap-repair: skip disabled repairs
+ - cmd/snap-repair: prefer leaking unmanaged fds on test failure over
+   closing random ones
+ - snap-repair: make `repair` binary available for repair scripts
+ - snap-repair: fix missing Close() in TestStatusHappy
+ - cmd/snap-confine,packaging: import snapd-generated policy
+ - cmd/snap: return empty document if snap has no configuration
+ - snap-seccomp: run secondary-arch tests via gcc-multilib
+ - snap: implement `snap {repair,repairs}` and pass-through to snap-
+   repair
+ - interfaces/builtin: allow receiving dbus messages
+ - snap-repair: implement `snap-repair {done,skip,retry}`
+ - data/completion: small tweak to snap completion snippet
+ - dirs: fix classic support detection
+ - cmd/snap-repair: integrate root public keys for repairs
+ - tests: fix ubuntu core services
+ - tests: add new test that checks that the compat snapd-xdg-open
+   works
+ - snap-confine: improve error message if core/u-core cannot be found
+ - tests: only run tests/regression/nmcli on amd64
+ - interfaces: mount host system fonts in desktop interface
+ - interfaces: enable partial apparmor support
+ - snapstate: auto-install missing base snaps
+ - spread: work around temporary packaging issue in debian sid
+ - asserts,cmd/snap-repair: introduce a mandatory summary for repairs
+ - asserts,cmd/snap-repair: represent RepairID internally as an int
+ - tests: test the real "xdg-open" from the core snap
+ - many: implement fetching sections and package names periodically.
+ - interfaces/network: allow using netcat as client
+ - snap-seccomp, osutil: use osutil.AtomicFile in snap-seccomp
+ - snap-seccomp: skip mknod syscall on arm64
+ - tests: add trivial canonical-livepatch test
+ - tests: add test that ensures that all core services are working
+ - many: add logger.MockLogger() and use it in the tests
+ - snap-repair: fix test failure in TestRepairHitsTimeout
+ - asserts: add empty values check in HeadersFromPrimaryKey
+ - daemon: remove unused installSnap var in test
+ - daemon: reach for Overlord.Loop less thanks to overlord.Mock
+ - snap-seccomp: manually resolve socket() call in tests
+ - tests: change regex used to validate installed ubuntu core snap
+ - cmd/snapctl: allow snapctl -h without a context (regression fix).
+ - many: use snapcore/snapd/i18n instead of i18n/dumb
+ - many: introduce asserts.NotFoundError replacing both ErrNotFound
+   and store.AssertionNotFoundError
+ - packaging: don't include any marcos in comments
+ - overlord: use overlord.Mock in more tests, make sure we check the
+   outcome of Settle
+ - tests: try to fix staging tests
+ - store: simplify api base url config
+ - systemd: add systemd.MockJournalctl()
+ - many: provide systemd.MockSystemctl() helper
+ - tests: improve the listing test to not fail for e.g. 2.28~rc2
+ - snapstate: give snapmgrTestSuite.settle() more time to settle
+ - tests: fix regex to check core version on snap list
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces: add udev netlink support to hardware-observe
+ - overlord: introduce Mock which enables to use Overlord.Settle for
+   settle in many more places
+ - snap-repair: execute the repair and capture logs/status
+ - tests: run the tests/unit/go everywhere
+ - daemon, snapstate: move ensureCore from daemon/api.go into
+   snapstate.go
+ - cmd/snap: get keys or root document
+ - spread.yaml: turn suse to manual given that it's breaking master
+ - many: configure store from state, reconfigure store at runtime
+ - osutil: AtomicWriter (an io.Writer), and io.Reader versions of
+   AtomicWrite*
+ - tests: check for negative syscalls in runBpf() and skip those
+   tests
+ - docs: use abolute path in PULL_REQUEST_TEMPLATE.md
+ - store: move device auth endpoint uris to config (#3831)
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-2
+- Properly fix the build for Fedora 25
+- Incorporate misc build fixes
+
+* Sat Oct 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.5-1
+- Release 2.28.5 to Fedora (RH#1502186)
+- Build snap-exec and snap-update-ns statically to support base snaps
+
+* Fri Oct 13 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.5
+  - snap-confine: cleanup broken nvidia udev tags
+  - cmd/snap-confine: update valid security tag regexp
+  - overlord/ifacestate: refresh udev backend on startup
+  - dbus: ensure io.snapcraft.Launcher.service is created on re-
+    exec
+  - snap-confine: add support for handling /dev/nvidia-modeset
+  - interfaces/network-control: remove incorrect rules for tun
+
+* Thu Oct 12 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.4-1
+- Release 2.28.4 to Fedora (RH#1501141)
+- Drop distro check backport patches (released with 2.28.2)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.4
+  - interfaces/opengl: don't udev tag nvidia devices and use snap-
+    confine instead
+  - debian: fix replaces/breaks for snap-xdg-open (thanks to apw!)
+
+* Wed Oct 11 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.3
+  - interfaces/lxd: lxd slot implementation can also be an app
+    snap
+
+* Tue Oct 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.2
+  - interfaces: fix udev rules for tun
+  - release,cmd,dirs: Redo the distro checks to take into account
+    distribution families
+
+* Sun Oct 08 2017 Neal Gompa <ngompa13@gmail.com> - 2.28.1-1
+- Release 2.28.1 to Fedora (RH#1495852)
+- Drop userd backport patches, they are part of 2.28 release
+- Backport changes to rework distro checks to fix derivative distro usage of snapd
+- Revert import path change for cheggaaa/pb as it breaks build on Fedora
+- Add a posttrans relabel to snapd-selinux to ensure everything is labeled correctly
+
+* Wed Sep 27 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28.1
+  - snap-confine: update apparmor rules for fedora based basesnaps
+  - snapstate: rename refresh hook to post-refresh for consistency
+
+* Mon Sep 25 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.28
+ - hooks: rename refresh to after-refresh
+ - snap-confine: bind mount /usr/lib/snapd relative to snap-confine
+ - cmd,dirs: treat "liri" the same way as "arch"
+ - snap-confine: fix base snaps on core
+ - hooks: substitute env vars when executing hooks
+ - interfaces: updates for default, browser-support, desktop, opengl,
+   upower and stub-resolv.conf
+ - cmd,dirs: treat manjaro the same as arch
+ - systemd: do not run auto-import and repair services on classic
+ - packaging/fedora: Ensure vendor/ is empty for builds and fix spec
+   to build current master
+ - many: fix TestSetConfNumber missing an Unlock and other fragility
+   improvements
+ - osutil: adjust StreamCommand tests for golang 1.9
+ - daemon: allow polkit authorisation to install/remove snaps
+ - tests: make TestCmdWatch more robust
+ - debian: improve package description
+ - interfaces: add netlink kobject uevent to hardware observe
+ - debian: update trusted account-keys check on 14.04 packaging
+ - interfaces/network-{control,observe}: allow receiving
+   kobject_uevent() messages
+ - tests: fix lxd test for external backend
+ - snap-confine,snap-update-ns: add -no-pie to fix FTBFS on
+   go1.7,ppc64
+ - corecfg: mock "systemctl" in all corecfg tests
+ - tests: fix unit tests on Ubuntu 14.04
+ - debian: add missing flags when building static snap-exec
+ - many: end-to-end support for the bare base snap
+ - overlord/snapstate: SetRootDir from SetUpTest, not in just some
+   tests
+ - store: have an ad-hoc method on cfg to get its list of uris for
+   tests
+ - daemon: let client decide whether to allow interactive auth via
+   polkit
+ - client,daemon,snap,store: add license field
+ - overlord/snapstate: rename HasCurrent to IsInstalled, remove
+   superfluous/misleading check from All
+ - cmd/snap: SetRootDir from SetUpTest, not in just some individual
+   tests.
+ - systemd: rename snap-repair.{service,timer} to snapd.snap-
+   repair.{service,timer}
+ - snap-seccomp: remove use of x/net/bpf from tests
+ - httputil: more naive per go version way to recreate a default
+   transport for tls reconfig
+ - cmd/snap-seccomp/main_test.go: add one more syscall for arm64
+ - interfaces/opengl: use == to compare, not =
+ - cmd/snap-seccomp/main_test.go: add syscalls for armhf and arm64
+ - cmd/snap-repair: track and use a lower bound for the time for
+   TLS checks
+ - interfaces: expose bluez interface on classic OS
+ - snap-seccomp: add in-kernel bpf tests
+ - overlord: always try to get a serial, lazily on classic
+ - tests: add nmcli regression test
+ - tests: deal with __PNR_chown on aarch64 to fix FTBFS on arm64
+ - tests: add autopilot-introspection interface test
+ - vendor: fix artifact from manually editing vendor/vendor.json
+ - tests: rename complexion to test-snapd-complexion
+ - interfaces: add desktop and desktop-legacy
+   interfaces/desktop: add new 'desktop' interface for modern DEs*
+   interfaces/builtin/desktop_test.go: use modern testing techniques*
+   interfaces/wayland: allow read on /etc/drirc for Plasma desktop*
+   interfaces/desktop-legacy: add new 'legacy' interface (currently
+   for a11y and input)
+ - tests: fix race in snap userd test
+ - devices/iio: add read/write for missing sysfs entries
+ - spread: don't set HTTPS?_PROXY for linode
+ - cmd/snap-repair: check signatures of repairs from Next
+ - env: set XDG_DATA_DIRS for wayland et.al.
+ - interfaces/{default,account-control}: Use username/group instead
+   of uid/gid
+ - interfaces/builtin: use udev tagging more broadly
+ - tests: add basic lxd test
+ - wrappers: ensure bash completion snaps install on core
+ - vendor: use old golang.org/x/crypto/ssh/terminal to build on
+   powerpc again
+ - docs: add PULL_REQUEST_TEMPLATE.md
+ - interfaces: fix network-manager plug
+ - hooks: do not error out when hook is optional and no hook handler
+   is registered
+ - cmd/snap: add userd command to replace snapd-xdg-open
+ - tests: new regex used to validate the core version on extra snaps
+   ass...
+ - snap: add new `snap switch` command
+ - tests: wait more and more debug info about fakestore start issues
+ - apparmor,release: add better apparmor detection/mocking code
+ - interfaces/i2c: adjust sysfs rule for alternate paths
+ - interfaces/apparmor: add missing call to dirs.SetRootDir
+ - cmd: "make hack" now also installs snap-update-ns
+ - tests: copy files with less verbosity
+ - cmd/snap-confine: allow using additional libraries required by
+   openSUSE
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapstate: improve the error message when classic confinement is
+   not supported
+ - tests: add test to ensure amd64 can run i386 syscall binaries
+ - tests: adding extra info for fakestore when fails to start
+ - tests: install most important snaps
+ - cmd/snap-repair: more test coverage of filtering
+ - squashfs: remove runCommand/runCommandWithOutput as we do not need
+   it
+ - cmd/snap-repair: ignore superseded revisions, filter on arch and
+   models
+ - hooks: support for refresh hook
+ - Partial revert "overlord/devicestate, store: update device auth
+   endpoints URLs"
+ - cmd/snap-confine: allow reading /proc/filesystems
+ - cmd/snap-confine: genearlize apparmor profile for various lib
+   layout
+ - corecfg: fix proxy.* writing and add integration test
+ - corecfg: deal with system.power-key-action="" correctly
+ - vendor: update vendor.json after (presumed) manual edits
+ - cmd/snap: in `snap info`, don't print a newline between tracks
+ - daemon: add polkit support to /v2/login
+ - snapd,snapctl: decode json using Number
+ - client: fix go vet 1.7 errors
+ - tests: make 17.04 shellcheck clean
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - snapstate: undo a daemon restart on classic if needed
+ - cmd/snap-repair: recover brand/model from
+   /var/lib/snapd/seed/assertions checking signatures and brand
+   account
+ - spread: opt into unsafe IO during spread tests
+ - snap-repair: update snap-repair/runner_test.go for API change in
+   makeMockServer
+ - cmd/snap-repair: skeleton code around actually running a repair
+ - tests: wait until the port is listening after start the fake store
+ - corecfg: fix typo in tests
+ - cmd/snap-repair: test that redirects works during fetching
+ - osutil: honor SNAPD_UNSAFE_IO for testing
+ - vendor: explode and make more precise our golang.go/x/crypto deps,
+   use same version as Debian unstable
+ - many: sanitize NewStoreStack signature, have shared default store
+   test private keys
+ - systemd: disable `Nice=-5` to fix error when running inside lxd
+ - spread.yaml: update delta ref to 2.27
+ - cmd/snap-repair: use E-Tags when refetching a repair to retry
+ - interfaces/many: updates based on chromium and mrrescue denials
+ - cmd/snap-repair: implement most logic to get the next repair to
+   run/retry in a brand sequence
+ - asserts/assertstest: copy headers in SigningDB.Sign
+ - interfaces: convert uhid to common interface and test cases
+   improvement for time_control and opengl
+ - many tests: move all panicing fake store methods to a common place
+ - asserts: add store assertion type
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - wrappers: symlink completion snippets when symlinking binaries
+ - tests: adding more debug information for the interfaces-cups-
+   control …
+ - apparmor: pass --quiet to parser on load unless SNAPD_DEBUG is set
+ - many: allow and support serials signed by the 'generic' authority
+   instead of the brand
+ - corecfg: add proxy configuration via `snap set core
+   proxy.{http,https,ftp}=...`
+ - interfaces: a bunch of interfaces test improvement
+ - tests: enable regression and completion suites for opensuse
+ - tests: installing snapd for nested test suite
+ - interfaces: convert lxd_support to common iface
+ - interfaces: add missing test for camera interface.
+ - snap: add support for parsing snap layout section
+ - cmd/snap-repair: like for downloads we cannot have a timeout (at
+   least for now), less aggressive retry strategies
+ - overlord: rely on more conservative ensure interval
+ - overlord,store: no piles of return args for methods gathering
+   device session request params
+ - overlord,store: send model assertion when setting up device
+   sessions
+ - interfaces/misc: updates for unity7/x11, browser-
+   support, network-control and mount-observe
+   interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+   interfaces/browser-support: update sysfs reads for
+   newer browser versions, interfaces/network-control: rw for
+   ieee80211 advanced wireless interfaces/mount-observe: allow read
+   on sysfs entries for block devices
+ - tests: use dnf --refresh install to avert stale cache
+ - osutil: ensure TestLockUnlockWorks uses supported flock
+ - interfaces: convert lxd to common iface
+ - tests: restart snapd to ensure re-exec settings are applied
+ - tests: fix interfaces-cups-control test
+ - interfaces: improve and tweak bunch of interfaces test cases.
+ - tests: adding extra worker for fedora
+ - asserts,overlord/devicestate: support predefined assertions that
+   don't establish foundational trust
+ - interfaces: convert two hardware_random interfaces to common iface
+ - interfaces: convert io_ports_control to common iface
+ - tests: fix for  upgrade test on fedora
+ - daemon, client, cmd/snap: implement snap start/stop/restart
+ - cmd/snap-confine: set _FILE_OFFSET_BITS to 64
+ - interfaces: covert framebuffer to commonInterface
+ - interfaces: convert joystick to common iface
+ - interfaces/builtin: add the spi interface
+ - wrappers, overlord/snapstate/backend: make link-snap clean up on
+   failure.
+ - interfaces/wayland: add wayland interface
+ - interfaces: convert kvm to common iface
+ - tests: extend upower-observe test to cover snaps providing slots
+ - tests: enable main suite for opensuse
+ - interfaces: convert physical_memory_observe to common iface
+ - interfaces: add missing test for optical_drive interface.
+ - interfaces: convert physical_memory_control to common iface
+ - interfaces: convert ppp to common iface
+ - interfaces: convert time-control to common iface
+ - tests: fix failover test
+ - interfaces/builtin: rework for avahi interface
+ - interfaces: convert broadcom-asic-control to common iface
+ - snap/snapenv: document the use of CoreSnapMountDir for SNAP
+ - packaging/arch: drop patches merged into master
+ - cmd: fix mustUnsetenv docstring (thanks to Chipaca)
+ - release: remove default from VERSION_ID
+ - tests: enable regression, upgrade and completion test suites for
+   fedora 
+ - tests: restore interfaces-account-control properly
+ - overlord/devicestate, store: update device auth endpoints URLs
+ - tests: fix install-hook test failure
+ - tests: download core and ubuntu-core at most once
+ - interfaces: add common support for udev
+ - overlord/devicestate: fix, don't assume that the serial is backed
+   by a 1-key chain
+ - cmd/snap-confine: don't share /etc/nsswitch from host
+ - store: do not resume a download when we already have the whole
+   thing
+ - many: implement "snap logs"
+ - store: don't call useDeltas() twice in quick succession
+ - interfaces/builtin: add kvm interface
+ - snap/snapenv: always expect /snap for $SNAP
+ - cmd: mark arch as non-reexecing distro
+ - cmd: fix tests that assume /snap mount
+ - gitignore: ignore more build artefacts
+ - packaging: add current arch packaging
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/builtin: implement broadcom-asic-control interface
+ - interfaces/builtin: reduce duplication and remove cruft in
+   Sanitize{Plug,Slot}
+ - tests: apply underscore convention for SNAPMOUNTDIR variable
+ - interfaces/greengrass-support: adjust accesses now that have
+   working snap
+ - daemon, client, cmd/snap: implement "snap services"
+ - tests: fix refresh tests not stopping fake store for fedora
+ - many: add the interface command
+ - overlord/snapstate/backend: some copydata improvements
+ - many: support querying and completing assertion type names
+ - interfaces/builtin: discard empty Validate{Plug,Slot}
+ - cmd/snap-repair:  start of Runner, implement first pass of Peek
+   and Fetch
+ - tests: enable main suite on fedora
+ - snap: do not always quote the snap info summary
+ - vendor: update go-flags to address crash in "snap debug"
+ - interfaces: opengl support pci device and vendor
+ - many: start implenting "base" snap type on the snapd side
+ - arch,release: map armv6 correctly
+ - many: expose service status in 'snap info'
+ - tests: add browser-support interface test
+ - tests: disable snapd-notify for the external backend
+ - interfaces: Add /run/uuid/request to openvswitch
+ - interfaces: add password-manager-service implicit classic
+   interface
+ - cmd: rework reexec detection
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: dependency packages installed during prepare-project
+ - tests: remove unneeded check for re-exec in InternalToolPath()
+ - cmd,tests: fix classic confinement confusing re-execution code
+ - store: configurable base api
+ - tests: fix how package lists are updated for opensuse and fedora
+
+* Sun Sep 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.6-1
+- Release 2.27.6 to Fedora (RH#1489437)
+
+* Thu Sep 07 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.6
+  - interfaces: add udev netlink support to hardware-observe
+  - interfaces/network-{control,observe}: allow receiving
+    kobject_uevent() messages
+
+* Mon Sep 04 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.5-1
+- Release 2.27.5 to Fedora (RH#1483177)
+- Backport userd from upstream to support xdg-open
+
+* Wed Aug 30 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.5
+  - interfaces: fix network-manager plug regression
+  - hooks: do not error when hook handler is not registered
+  - interfaces/alsa,pulseaudio: allow read on udev data for sound
+  - interfaces/optical-drive: read access to udev data for /dev/scd*
+  - interfaces/browser-support: read on /proc/vmstat and misc udev
+    data
+
+* Thu Aug 24 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.4
+  - snap-seccomp: add secondary arch for unrestricted snaps as well
+
+* Fri Aug 18 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.3
+  - systemd: disable `Nice=-5` to fix error when running inside lxdSee
+    https://bugs.launchpad.net/snapd/+bug/1709536
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-2
+- Bump to rebuild for F27 and Rawhide
+
+* Wed Aug 16 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.2-1
+- Release 2.27.2 to Fedora (RH#1482173)
+
+* Wed Aug 16 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.2
+ - tests: remove TestInterfacesHelp as it breaks when go-flags
+   changes
+ - interfaces: don't crash if content slot has no attributes
+ - debian: do not build with -buildmode=pie on i386
+ - interfaces: backport broadcom-asic-control interface
+ - interfaces: allow /usr/bin/xdg-open in unity7
+ - store: do not resume a download when we already have the whole
+   thing
+
+* Mon Aug 14 2017 Neal Gompa <ngompa13@gmail.com> - 2.27.1-1
+- Release 2.27.1 to Fedora (RH#1481247)
+
+* Mon Aug 14 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27.1
+ - tests: use dnf --refresh install to avert stale cache
+ - tests: fix test failure on 14.04 due to old version of
+   flock
+ - updates for unity7/x11, browser-support, network-control,
+   mount-observe
+ - interfaces/unity7,x11: update for NETLINK_KOBJECT_UEVENT
+ - interfaces/browser-support: update sysfs reads for
+   newer browser versions
+ - interfaces/network-control: rw for ieee80211 advanced wireless
+ - interfaces/mount-observe: allow read on sysfs entries for block
+   devices
+
+* Thu Aug 10 2017 Neal Gompa <ngompa13@gmail.com> - 2.27-1
+- Release 2.27 to Fedora (RH#1458086)
+
+* Thu Aug 10 2017 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.27
+ - fix build failure on 32bit fedora
+ - interfaces: add password-manager-service implicit classic interface
+ - interfaces/greengrass-support: adjust accesses now that have working
+   snap
+ - interfaces/many, cmd/snap-confine: miscellaneous policy updates
+ - interfaces/unity7: allow receiving media key events in (at least)
+   gnome-shell
+ - cmd: fix re-exec bug when starting from snapd 2.21
+ - tests: restore interfaces-account-control properly
+ - cmd: fix tests that assume /snap mount
+ - cmd: mark arch as non-reexecing distro
+ - snap-confine: don't share /etc/nsswitch from host
+ - store: talk to api.snapcraft.io for purchases
+ - hooks: support for install and remove hooks
+ - packaging: fix Fedora support
+ - tests: add bluetooth-control interface test
+ - store: talk to api.snapcraft.io for assertions
+ - tests: remove snapd before building from branch
+ - tests: add avahi-observe interface test
+ - store: orders API now checks if customer is ready
+ - cmd/snap: snap find only searches stable
+ - interfaces: updates default, mir, optical-observe, system-observe,
+   screen-inhibit-control and unity7
+ - tests: speedup prepare statement part 1
+ - store: do not send empty refresh requests
+ - asserts: fix error handling in snap-developer consistency check
+ - systemd: add explicit sync to snapd.core-fixup.sh
+ - snapd: generate snap cookies on startup
+ - cmd,client,daemon: expose "force devmode" in sysinfo
+ - many: introduce and use strutil.ListContains and also
+   strutil.SortedListContains
+ - assserts,overlord/assertstate: test we don't accept chains of
+   assertions founded on a self-signed key coming externally
+ - interfaces: enable access to bridge settings
+ - interfaces: fix copy-pasted iio vs io in io-ports-control
+ - cmd/snap-confine: various small fixes and tweaks to seccomp
+   support code
+ - interfaces: bring back seccomp argument filtering
+ - systemd, osutil: rework systemd logs in preparation for services
+   commands
+ - tests: store /etc/systemd/system/snap-*core*.mount in snapd-
+   state.tar.gz
+ - tests: shellcheck improvements for tests/main tasks - first set of
+   tests
+ - cmd/snap: `--last` for abort and watch, and aliases
+   (search→find, change→tasks)
+ - tests: shellcheck improvements for tests/lib scripts
+ - tests: create ramdisk if it's not present
+ - tests: shellcheck improvements for nightly upgrade and regressions
+   tests
+ - snapd: fix for snapctl get panic on null config values.
+ - tests: fix for rng-tools service not restarting
+ - systemd: add snapd.core-fixup.service unit
+ - cmd: avoid using current symlink in InternalToolPath
+ - tests: fix timeout issue for test refresh core with hanging …
+ - intefaces: control bridged vlan/ppoe-tagged traffic
+ - cmd/snap: include snap type in notes
+ - overlord/state: Abort() only visits each task once
+ - tests: extend find-private test to cover more cases
+ - snap-seccomp: skip socket() tests on systems that use socketcall()
+   instead of socket()
+ - many: support snap title as localized/title-cased name
+ - snap-seccomp: deal with mknod on aarch64 in the seccomp tests
+ - interfaces: put base policy fragments inside each interface
+ - asserts: introduce NewDecoderWithTypeMaxBodySize
+ - tests: fix snapd-notify when it takes more time to restart
+ - snap-seccomp: fix snap-seccomp tests in artful
+ - tests: fix for create-key task to avoid rng-tools service ramains
+   alive
+ - snap-seccomp: make sure snap-seccomp writes the bpf file
+   atomically
+ - tests: do not disable ipv6 on core systems
+ - arch: the kernel architecture name is armv7l instead of armv7
+ - snap-confine: ensure snap-confine waits some seconds for seccomp
+   security profiles
+ - tests: shellcheck improvements for tests/nested tasks
+ - wrappers: add SyslogIdentifier to the service unit files.
+ - tests: shellcheck improvements for unit tasks
+ - asserts: implement FindManyTrusted as well
+ - asserts: open up and optimize Encoder to help avoiding unnecessary
+   copying
+ - interfaces: simplify snap-confine by just loading pre-generated
+   bpf code
+ - tests: restart rng-tools services after few seconds
+ - interfaces, tests: add mising dbus abstraction to system-observe
+   and extend spread test
+ - store: change main store host to api.snapcraft.io
+ - overlord/cmdstate: new package for running commands as tasks.
+ - spread: help libapt resolve installing libudev-dev
+ - tests: show the IP from .travis.yaml
+ - tests/main: use pkgdb function in more test cases
+ - cmd,daemon: add debug command for displaying the base policy
+ - tests: prevent quoting error on opensuse
+ - tests: fix nightly suite
+ - tests: add linode-sru backend
+ - snap-confine: validate SNAP_NAME against security tag
+ - tests: fix ipv6 disable for ubuntu-core
+ - tests: extend core-revert test to cover bluez issues
+ - interfaces/greengrass-support: add support for Amazon Greengrass
+   as a snap
+ - asserts: support timestamp and optional disabled header on repair
+ - tests: reboot after upgrading to snapd on the -proposed pocket
+ - many: fix test cases to work with different DistroLibExecDir
+ - tests: reenable help test on ubuntu and debian systems
+ - packaging/{opensuse,fedora}: allow package build with testkeys
+   included
+ - tests/lib: generalize RPM build support
+ - interfaces/builtin: sync connected slot and permanent slot snippet
+ - tests: fix snap create-key by restarting automatically rng-tools
+ - many: switch to use http numeric statuses as agreed
+ - debian: add missing  Type=notify in 14.04 packaging
+ - tests: mark interfaces-openvswitch as manual due to prepare errors
+ - debian: unify built_using between the 14.04 and 16.04 packaging
+   branch
+ - tests: pull from urandom when real entropy is not enough
+ - tests/main/manpages: install missing man package
+ - tests: add refresh --time output check
+ - debian: add missing "make -C data/systemd clean"
+ - tests: fix for upgrade test when it is repeated
+ - tests/main: use dir abstraction in a few more test cases
+ - tests/main: check for confinement in a few more interface tests
+ - spread: add fedora snap bin dir to global PATH
+ - tests: check that locale-control is not present on core
+ - many: snapctl outside hooks
+ - tests: add whoami check
+ - interfaces: compose the base declaration from interfaces
+ - tests: fix spread flaky tests linode
+ - tests,packaging: add package build support for openSUSE
+ - many: slight improvement of some snap error messaging
+ - errtracker: Include /etc/apparmor.d/usr.lib.snap-confine md5sum in
+   err reports
+ - tests: fix for the test postrm-purge
+ - tests: restoring the /etc/environment and service units config for
+   each test
+ - daemon: make snapd a "Type=notify" daemon and notify when startup
+   is done
+ - cmd/snap-confine: add support for --base snap
+ - many: derive implicit slots from interface meta-data
+ - tests: add core revert test
+ - tests,packaging: add package build support for Fedora for our
+   spread setup
+ - interfaces: move base declaration to the policy sub-package
+ - tests: fix for snapd-reexec test cheking for restart info on debug
+   log
+ - tests: show available entropy on error
+ - tests: clean journalctl logs on trusty
+ - tests: fix econnreset on staging
+ - tests: modify core before calling set
+ - tests: add snap-confine privilege test
+ - tests: add staging snap-id
+ - interfaces/builtin: silence ptrace denial for network-manager
+ - tests: add alsa interface spread test
+ - tests: prefer ipv4 over ipv6
+ - tests: fix for econnreset test checking that the download already
+   started
+ - httputil,store: extract retry code to httputil, reorg usages
+ - errtracker: report if snapd did re-execute itself
+ - errtracker: include bits of snap-confine apparmor profile
+ - tests: take into account staging snap-ids for snap-info
+ - cmd: add stub new snap-repair command and add timer
+ - many: stop "snap refresh $x --channel invalid" from working
+ - interfaces: revert "interfaces: re-add reverted ioctl and quotactl
+ - snapstate: consider connect/disconnect tasks in
+   CheckChangeConflict.
+ - interfaces: disable "mknod |N" in the default seccomp template
+   again
+ - interfaces,overlord/ifacestate: make sure installing slots after
+   plugs works similarly to plugs after slots
+ - interfaces/seccomp: add bind() syscall for forced-devmode systems
+ - packaging/fedora: Sync packaging from Fedora Dist-Git
+ - tests: move static and unit tests to spread task
+ - many: error types should be called FooError, not ErrFoo.
+ - partition: add directory sync to the save uboot.env file code
+ - cmd: test everything (100% coverage \o/)
+ - many: make shell scripts shellcheck-clean
+ - tests: remove additional setup for docker on core
+ - interfaces: add summary to each interface
+ - many: remove interface meta-data from list of connections
+ - logger (& many more, to accommodate): drop explicit syslog.
+ - packaging: import packaging bits for opensuse
+ - snapstate,many: implement snap install --unaliased
+ - tests/lib: abstract build dependency installation a bit more
+ - interfaces, osutil: move flock code from interfaces/mount to
+   osutil
+ - cmd: auto import assertions only from ext4,vfat file systems
+ - many: refactor in preparation for 'snap start'
+ - overlord/snapstate: have an explicit code path last-refresh
+   unset/zero => immediately refresh try
+ - tests: fixes for executions using the staging store
+ - tests: use pollinate to seed the rng
+ - cmd/snap,tests: show the sha3-384 of the snap for snap info
+   --verbose SNAP-FILE
+ - asserts: simplify and adjust repair assertion definition
+ - cmd/snap,tests: show the snap id if available in snap info
+ - daemon,overlord/auth: store from model assertion wins
+ - cmd/snap,tests/main: add confinement switch instead of spread
+   system blacklisting
+ - many: cleanup MockCommands and don't leave a process around after
+   hookstate tests
+ - tests: update listing test to the core version number schema
+ - interfaces: allow snaps to use the timedatectl utility
+ - packaging: Add Fedora packaging files
+ - tests/libs: add distro_auto_remove_packages function
+ - cmd/snap: correct devmode note for anomalous state
+ - tests/main/snap-info: use proper pkgdb functions to install distro
+   packages
+ - tests/lib: use mktemp instead of tempfile to work cross-distro
+ - tests: abstract common dirs which differ on distributions
+ - many: model and expose interface meta-data.
+ - overlord: make config defaults from gadget work also at first boot
+ - interfaces/log-observe: allow using journalctl from hostfs for
+   classic distro
+ - partition,snap: add support for android boot
+ - errtracker: small simplification around readMachineID
+ - snap-confine: move rm_rf_tmp to test-utils.
+ - tests/lib: introduce pkgdb helper library
+ - errtracker: try multiple paths to read machine-id
+ - overlord/hooks: make sure only one hook for given snap is executed
+   at a time.
+ - cmd/snap-confine: use SNAP_MOUNT_DIR to setup /snap inside the
+   confinement env
+ - tests: bump kill-timeout and remove quiet call on build
+ - tests/lib/snaps: add a test store snap with a passthrough
+   configure hook
+ - daemon: teach the daemon to wait on active connections when
+   shutting down
+ - tests: remove unit tests task
+ - tests/main/completion: source from /usr/share/bash-completion
+ - assertions: add "repair" assertion
+ - interfaces/seccomp: document Backend.NewSpecification
+ - wrappers: make StartSnapServices cleanup any services that were
+   added if a later one fails
+ - overlord/snapstate: avoid creating command aliases for daemons
+ - vendor: remove unused packages
+ - vendor,partition: fix panics from uenv
+ - cmd,interfaces/mount: run snap-update-ns and snap-discard-ns from
+   core if possible
+ - daemon: do not allow to install ubuntu-core anymore
+ - wrappers: service start/stop were inconsistent
+ - tests: fix failing tests (snap core version, syslog changes)
+ - cmd/snap-update-ns: add actual implementation
+ - tests: improve entropy also for ubuntu
+ - cmd/snap-confine: use /etc/ssl from the core snap
+ - wrappers: don't convert between []byte and string needlessly.
+ - hooks: default timeout
+ - overlord/snapstate: Enable() was ignoring the flags from the
+   snap's state, resulting in losing "devmode" on disable/enable.
+ - difs,interfaces/mount: add support for locking namespaces
+ - interfaces/mount: keep track of kept mount entries
+ - tests/main: move a bunch of greps over to MATCH
+ - interfaces/builtin: make all interfaces private
+ - interfaces/mount: spell unmount correctly
+ - tests: allow 16-X.Y.Z version of core snap
+ - the timezone_control interface only allows changing /etc/timezone
+   and /etc/writable/timezone. systemd-timedated also updated the
+   link of /etc/localtime and /etc/writable/localtime ... allow
+   access to this file too
+ - cmd/snap-confine: aggregate operations holding global lock
+ - api, ifacestate: resolve disconnect early
+ - interfaces/builtin: ensure we don't register interfaces twice
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.26.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu May 25 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-3
+- Cover even more stuff for proper erasure on final uninstall (RH#1444422)
+
+* Sun May 21 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-2
+- Fix error in script for removing Snappy content (RH#1444422)
+- Adjust changelog bug references to be specific on origin
+
+* Wed May 17 2017 Neal Gompa <ngompa13@gmail.com> - 2.26.3-1
+- Update to snapd 2.26.3
+- Drop merged and unused patches
+- Cover more Snappy content for proper erasure on final uninstall (RH#1444422)
+- Add temporary fix to ensure generated seccomp profiles don't break snapctl
+
+* Mon May 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.25-1
+- Update to snapd 2.25
+- Ensure all Snappy content is gone on final uninstall (RH#1444422)
+
+* Tue Apr 11 2017 Neal Gompa <ngompa13@gmail.com> - 2.24-1
+- Update to snapd 2.24
+- Drop merged patches
+- Install snap bash completion and snapd info file
+
+* Wed Apr 05 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-4
+- Test if snapd socket and timer enabled and start them if enabled on install
+
+* Sat Apr 01 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-3
+- Fix profile.d generation so that vars aren't expanded in package build
+
+* Fri Mar 31 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-2
+- Fix the overlapping file conflicts between snapd and snap-confine
+- Rework package descriptions slightly
+
+* Thu Mar 30 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.6-1
+- Rebase to snapd 2.23.6
+- Rediff patches
+- Re-enable seccomp
+- Fix building snap-confine on 32-bit arches
+- Set ExclusiveArch based on upstream supported arch list
+
+* Wed Mar 29 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.5-1
+- Rebase to snapd 2.23.5
+- Disable seccomp temporarily avoid snap-confine bugs (LP#1674193)
+- Use vendorized build for non-Fedora
+
+* Mon Mar 13 2017 Neal Gompa <ngompa13@gmail.com> - 2.23.1-1
+- Rebase to snapd 2.23.1
+- Add support for vendored tarball for non-Fedora targets
+- Use merged in SELinux policy module
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Oct 19 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.16-1
+- New upstream release
+
+* Tue Oct 18 2016 Neal Gompa <ngompa13@gmail.com> - 2.14-2
+- Add SELinux policy module subpackage
+
+* Tue Aug 30 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.14-1
+- New upstream release
+
+* Tue Aug 23 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.13-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-2
+- Correct license identifier
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.12-1
+- New upstream release
+
+* Thu Aug 18 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-8
+- Add %%dir entries for various snapd directories
+- Tweak Source0 URL
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-7
+- Disable snapd re-exec feature by default
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-6
+- Don't auto-start snapd.socket and snapd.refresh.timer
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-5
+- Don't touch snapd state on removal
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-4
+- Use ExecStartPre to load squashfs.ko before snapd starts
+- Use dedicated systemd units for Fedora
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-3
+- Remove systemd preset (will be requested separately according to distribution
+  standards).
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-2
+- Use Requires: kmod(squashfs.ko) instead of Requires: kernel-modules
+
+* Tue Aug 16 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.11-1
+- New upstream release
+- Move private executables to /usr/libexec/snapd/
+
+* Fri Jun 24 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9-2
+- Depend on kernel-modules to ensure that squashfs can be loaded. Load it afer
+  installing the package. This hopefully fixes
+  https://github.com/zyga/snapcore-fedora/issues/2
+
+* Fri Jun 17 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.9
+- New upstream release
+  https://github.com/snapcore/snapd/releases/tag/2.0.9
+
+* Tue Jun 14 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8.1
+- New upstream release
+
+* Fri Jun 10 2016 Zygmunt Krynicki <me@zygoon.pl> - 2.0.8
+- First package for Fedora
diff -Nru snapd-2.32.3.2~14.04/packaging/fedora-rawhide/snapd.spec snapd-2.37~rc1~14.04/packaging/fedora-rawhide/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/fedora-rawhide/snapd.spec	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/fedora-rawhide/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -6,6 +6,14 @@
 %bcond_without vendorized
 %endif
 
+# With Amazon Linux 2+, we're going to provide the /snap symlink by default,
+# since classic snaps currently require it... :(
+%if 0%{?amzn} >= 2
+%bcond_without snap_symlink
+%else
+%bcond_with snap_symlink
+%endif
+
 # A switch to allow building the package with support for testkeys which
 # are used for the spread test suite of snapd.
 %bcond_with testkeys
@@ -15,6 +23,7 @@
 %global with_check 0
 %global with_unit_test 0
 %global with_test_keys 0
+%global with_selinux 1
 
 # For the moment, we don't support all golang arches...
 %global with_goarches 0
@@ -50,7 +59,7 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 
-%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service
+%global snappy_svcs     snapd.service snapd.socket snapd.autoimport.service snapd.seeded.service
 
 # Until we have a way to add more extldflags to gobuild macro...
 %if 0%{?fedora} >= 26
@@ -69,8 +78,21 @@
 %define gotest() go test -compiler gc -ldflags "${LDFLAGS:-}" %{?**};
 %endif
 
+# Compat path macros
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+
+# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
+# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
+# https://bugzilla.redhat.com/show_bug.cgi?id=1574383 RHEL 7.6 should have the
+# necessary updates. For now disable SELinux on the affected distros.
+%if 0%{?amzn2} == 1
+%global with_selinux 0
+%endif
+
 Name:           snapd
-Version:        2.32.3.2
+Version:        2.37
 Release:        0%{?dist}
 Summary:        A transactional software package manager
 Group:          System Environment/Base
@@ -101,17 +123,28 @@
 # snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.)
 Requires:       ((squashfuse and fuse) or kmod(squashfs.ko))
 %else
+%if ! 0%{?amzn2}
 # Rich dependencies not available, always pull in squashfuse
 # snapd will use squashfs.ko instead of squashfuse if it's on the system
+# NOTE: Amazon Linux 2 does not have squashfuse, squashfs.ko is part of the kernel package
 Requires:       squashfuse
 Requires:       fuse
 %endif
+%endif
 
 # bash-completion owns /usr/share/bash-completion/completions
 Requires:       bash-completion
 
+%if 0%{?with_selinux}
 # Force the SELinux module to be installed
 Requires:       %{name}-selinux = %{version}-%{release}
+%endif
+
+# snapd-login-service is no more
+# Note: Remove when F27 is EOL
+Obsoletes:      %{name}-login-service < 1.33
+Provides:       %{name}-login-service = 1.33
+Provides:       %{name}-login-service%{?_isa} = 1.33
 
 %if ! 0%{?with_bundled}
 BuildRequires: golang(github.com/boltdb/bolt)
@@ -121,6 +154,9 @@
 BuildRequires: golang(github.com/godbus/dbus/introspect)
 BuildRequires: golang(github.com/gorilla/mux)
 BuildRequires: golang(github.com/jessevdk/go-flags)
+BuildRequires: golang(github.com/juju/ratelimit)
+BuildRequires: golang(github.com/kr/pretty)
+BuildRequires: golang(github.com/kr/text)
 BuildRequires: golang(github.com/mvo5/goconfigparser)
 BuildRequires: golang(github.com/ojii/gettext.go)
 BuildRequires: golang(github.com/seccomp/libseccomp-golang)
@@ -178,6 +214,7 @@
 This package is used internally by snapd to apply confinement to
 the started snap applications.
 
+%if 0%{?with_selinux}
 %package selinux
 Summary:        SELinux module for snapd
 Group:          System Environment/Base
@@ -186,18 +223,22 @@
 BuildRequires:  selinux-policy, selinux-policy-devel
 Requires(post): selinux-policy-base >= %{_selinux_policy_version}
 Requires(post): policycoreutils
+%if 0%{?rhel} == 7
+Requires(post): policycoreutils-python
+%else
 Requires(post): policycoreutils-python-utils
+%endif
 Requires(pre):  libselinux-utils
 Requires(post): libselinux-utils
 
 %description selinux
 This package provides the SELinux policy module to ensure snapd
 runs properly under an environment with SELinux enabled.
-
+%endif
 
 %if 0%{?with_devel}
 %package devel
-Summary:       %{summary}
+Summary:       Development files for %{name}
 BuildArch:     noarch
 
 %if 0%{?with_check} && ! 0%{?with_bundled}
@@ -211,6 +252,9 @@
 Requires:      golang(github.com/godbus/dbus/introspect)
 Requires:      golang(github.com/gorilla/mux)
 Requires:      golang(github.com/jessevdk/go-flags)
+Requires:      golang(github.com/juju/ratelimit)
+Requires:      golang(github.com/kr/pretty)
+Requires:      golang(github.com/kr/text)
 Requires:      golang(github.com/mvo5/goconfigparser)
 Requires:      golang(github.com/ojii/gettext.go)
 Requires:      golang(github.com/seccomp/libseccomp-golang)
@@ -230,13 +274,16 @@
 # These Provides are unversioned because the sources in
 # the bundled tarball are unversioned (they go by git commit)
 # *sigh*... I hate golang...
-Provides:      bundled(golang(github.com/boltdb/bolt))
+Provides:      bundled(golang(github.com/snapcore/bolt))
 Provides:      bundled(golang(github.com/cheggaaa/pb))
 Provides:      bundled(golang(github.com/coreos/go-systemd/activation))
 Provides:      bundled(golang(github.com/godbus/dbus))
 Provides:      bundled(golang(github.com/godbus/dbus/introspect))
 Provides:      bundled(golang(github.com/gorilla/mux))
 Provides:      bundled(golang(github.com/jessevdk/go-flags))
+Provides:      bundled(golang(github.com/juju/ratelimit))
+Provides:      bundled(golang(github.com/kr/pretty))
+Provides:      bundled(golang(github.com/kr/text))
 Provides:      bundled(golang(github.com/mvo5/goconfigparser))
 Provides:      bundled(golang(github.com/mvo5/libseccomp-golang))
 Provides:      bundled(golang(github.com/ojii/gettext.go))
@@ -255,6 +302,7 @@
 %endif
 
 # Generated by gofed
+Provides:      golang(%{import_path}/advisor) = %{version}-%{release}
 Provides:      golang(%{import_path}/arch) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts) = %{version}-%{release}
 Provides:      golang(%{import_path}/asserts/assertstest) = %{version}-%{release}
@@ -277,6 +325,7 @@
 Provides:      golang(%{import_path}/interfaces/backends) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/builtin) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/dbus) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/hotplug) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/ifacetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/kmod) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/mount) = %{version}-%{release}
@@ -284,9 +333,16 @@
 Provides:      golang(%{import_path}/interfaces/seccomp) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/interfaces/udev) = %{version}-%{release}
+Provides:      golang(%{import_path}/interfaces/utils) = %{version}-%{release}
 Provides:      golang(%{import_path}/jsonutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/jsonutil/safejson) = %{version}-%{release}
 Provides:      golang(%{import_path}/logger) = %{version}-%{release}
+Provides:      golang(%{import_path}/netutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/osutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/squashfs) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/sys) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/crawler) = %{version}-%{release}
+Provides:      golang(%{import_path}/osutil/udev/netlink) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/assertstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/auth) = %{version}-%{release}
@@ -294,17 +350,23 @@
 Provides:      golang(%{import_path}/overlord/configstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/config) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/configstate/configcore) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/proxyconf) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/configstate/settings) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/devicestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/ctlcmd) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/hookstate/hooktest) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/ifacestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/ifacerepo) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/ifacestate/udevmonitor) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/patch) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/servicestate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/snapshotstate/backend) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/snapstate/backend) = %{version}-%{release}
+Provides:      golang(%{import_path}/overlord/standby) = %{version}-%{release}
 Provides:      golang(%{import_path}/overlord/state) = %{version}-%{release}
-Provides:      golang(%{import_path}/overlord/storestate) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/androidbootenv) = %{version}-%{release}
 Provides:      golang(%{import_path}/partition/grubenv) = %{version}-%{release}
@@ -313,6 +375,7 @@
 Provides:      golang(%{import_path}/progress) = %{version}-%{release}
 Provides:      golang(%{import_path}/progress/progresstest) = %{version}-%{release}
 Provides:      golang(%{import_path}/release) = %{version}-%{release}
+Provides:      golang(%{import_path}/sanity) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/pack) = %{version}-%{release}
 Provides:      golang(%{import_path}/snap/snapdir) = %{version}-%{release}
@@ -323,6 +386,8 @@
 Provides:      golang(%{import_path}/store) = %{version}-%{release}
 Provides:      golang(%{import_path}/store/storetest) = %{version}-%{release}
 Provides:      golang(%{import_path}/strutil) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/quantity) = %{version}-%{release}
+Provides:      golang(%{import_path}/strutil/shlex) = %{version}-%{release}
 Provides:      golang(%{import_path}/systemd) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/refresh) = %{version}-%{release}
 Provides:      golang(%{import_path}/tests/lib/fakestore/store) = %{version}-%{release}
@@ -330,12 +395,12 @@
 Provides:      golang(%{import_path}/timeout) = %{version}-%{release}
 Provides:      golang(%{import_path}/timeutil) = %{version}-%{release}
 Provides:      golang(%{import_path}/userd) = %{version}-%{release}
+Provides:      golang(%{import_path}/userd/ui) = %{version}-%{release}
 Provides:      golang(%{import_path}/wrappers) = %{version}-%{release}
 Provides:      golang(%{import_path}/x11) = %{version}-%{release}
+Provides:      golang(%{import_path}/xdgopenproxy) = %{version}-%{release}
 
 %description devel
-%{summary}
-
 This package contains library source intended for
 building other packages which use import path with
 %{import_path} prefix.
@@ -354,28 +419,25 @@
 Requires:        %{name}-devel = %{version}-%{release}
 
 %description unit-test-devel
-%{summary}
-
 This package contains unit tests for project
 providing packages with %{import_path} prefix.
 %endif
 
 %prep
-%setup -q
-
 %if ! 0%{?with_bundled}
+%setup -q
 # Ensure there's no bundled stuff accidentally leaking in...
 rm -rf vendor/*
 %else
-# Unpack the vendor tarball too...
-%setup -q -T -D -b 1
+# Extract each tarball properly
+%setup -q -D -b 1
 %endif
 
 %build
 # Generate version files
 ./mkversion.sh "%{version}-%{release}"
 
-# We don't want/need squashfuse in the rpm
+# We don't want/need squashfuse in the rpm, as it's available in Fedora and EPEL
 sed -e 's:_ "github.com/snapcore/squashfuse"::g' -i systemd/systemd.go
 
 # Build snapd
@@ -397,7 +459,7 @@
 # We don't need mvo5 fork for seccomp, as we have seccomp 2.3.x
 sed -e "s:github.com/mvo5/libseccomp-golang:github.com/seccomp/libseccomp-golang:g" -i cmd/snap-seccomp/*.go
 # We don't need the snapcore fork for bolt - it is just a fix on ppc
-sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go
+sed -e "s:github.com/snapcore/bolt:github.com/boltdb/bolt:g" -i advisor/*.go errtracker/*.go
 %endif
 
 # We have to build snapd first to prevent the build from
@@ -406,6 +468,7 @@
 %gobuild -o bin/snapd $GOFLAGS %{import_path}/cmd/snapd
 %gobuild -o bin/snap $GOFLAGS %{import_path}/cmd/snap
 %gobuild -o bin/snapctl $GOFLAGS %{import_path}/cmd/snapctl
+%gobuild -o bin/snap-failure $GOFLAGS %{import_path}/cmd/snap-failure
 
 # To ensure things work correctly with base snaps,
 # snap-exec and snap-update-ns need to be built statically
@@ -418,10 +481,12 @@
 %endif
 %gobuild -o bin/snap-seccomp $GOFLAGS %{import_path}/cmd/snap-seccomp
 
+%if 0%{?with_selinux}
 # Build SELinux module
 pushd ./data/selinux
 make SHARE="%{_datadir}" TARGETS="snappy"
 popd
+%endif
 
 # Build snap-confine
 pushd ./cmd
@@ -441,12 +506,12 @@
     --enable-nvidia-biarch \
     %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
     --with-snap-mount-dir=%{_sharedstatedir}/snapd/snap \
-    --with-merged-usr
+    --enable-merged-usr
 
 %make_build
 popd
 
-# Build systemd and dbus units, and env files
+# Build systemd units, dbus services, and env files
 pushd ./data
 make BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
      SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
@@ -457,41 +522,52 @@
 %install
 install -d -p %{buildroot}%{_bindir}
 install -d -p %{buildroot}%{_libexecdir}/snapd
-install -d -p %{buildroot}%{_mandir}/man1
+install -d -p %{buildroot}%{_mandir}/man8
+install -d -p %{buildroot}%{_environmentdir}
+install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
 install -d -p %{buildroot}%{_sysconfdir}/sysconfig
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/assertions
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/cookie
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/gl32
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/lib/vulkan
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
 install -d -p %{buildroot}%{_localstatedir}/snap
 install -d -p %{buildroot}%{_localstatedir}/cache/snapd
 install -d -p %{buildroot}%{_datadir}/polkit-1/actions
+install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+%if 0%{?with_selinux}
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -d -p %{buildroot}%{_datadir}/selinux/packages
+%endif
 
 # Install snap and snapd
 install -p -m 0755 bin/snap %{buildroot}%{_bindir}
 install -p -m 0755 bin/snap-exec %{buildroot}%{_libexecdir}/snapd
-install -p -m 0755 bin/snapctl %{buildroot}%{_bindir}/snapctl
+install -p -m 0755 bin/snap-failure %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snapd %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd
 install -p -m 0755 bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -p -m 0755 bin/snapctl %{buildroot}%{_libexecdir}/snapd/snapctl
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
 
+%if 0%{?with_selinux}
 # Install SELinux module
 install -p -m 0644 data/selinux/snappy.if %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -p -m 0644 data/selinux/snappy.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+%endif
 
-# Install snap(1) man page
-bin/snap help --man > %{buildroot}%{_mandir}/man1/snap.1
+# Install snap(8) man page
+bin/snap help --man > %{buildroot}%{_mandir}/man8/snap.8
 
 # Install the "info" data file with snapd version
 install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
@@ -514,16 +590,30 @@
 
 # Install all systemd and dbus units, and env files
 pushd ./data
-%make_install SYSTEMDSYSTEMUNITDIR="%{_unitdir}" BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}"
+%make_install BINDIR="%{_bindir}" LIBEXECDIR="%{_libexecdir}" \
+              SYSTEMDSYSTEMUNITDIR="%{_unitdir}" \
+              SNAP_MOUNT_DIR="%{_sharedstatedir}/snapd/snap" \
+              SNAPD_ENVIRONMENT_FILE="%{_sysconfdir}/sysconfig/snapd"
+popd
+
+%if 0%{?rhel} == 7
+# Install kernel tweaks
+# See: https://access.redhat.com/articles/3128691
+install -m 644 -D data/sysctl/rhel7-snap.conf %{buildroot}%{_sysctldir}/99-snap.conf
+%endif
+
 # Remove snappy core specific units
 rm -fv %{buildroot}%{_unitdir}/snapd.system-shutdown.service
 rm -fv %{buildroot}%{_unitdir}/snapd.snap-repair.*
 rm -fv %{buildroot}%{_unitdir}/snapd.core-fixup.*
-popd
 
 # Remove snappy core specific scripts
 rm %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
 
+# Remove snapd apparmor service
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+
 # Install Polkit configuration
 install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
 
@@ -534,6 +624,11 @@
 touch %{buildroot}%{_sharedstatedir}/snapd/state.json
 touch %{buildroot}%{_sharedstatedir}/snapd/snap/README
 
+# When enabled, create a symlink for /snap to point to /var/lib/snapd/snap
+%if %{with snap_symlink}
+ln -sr %{buildroot}%{_sharedstatedir}/snapd/snap %{buildroot}/snap
+%endif
+
 # source codes for building projects
 %if 0%{?with_devel}
 install -d -p %{buildroot}/%{gopath}/src/%{import_path}/
@@ -591,44 +686,60 @@
 %doc README.md docs/*
 %{_bindir}/snap
 %{_bindir}/snapctl
+%{_environmentdir}/990-snapd.conf
 %dir %{_libexecdir}/snapd
+%{_libexecdir}/snapd/snapctl
 %{_libexecdir}/snapd/snapd
 %{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-failure
 %{_libexecdir}/snapd/info
 %{_libexecdir}/snapd/snap-mgmt
-%{_mandir}/man1/snap.1*
+%{_mandir}/man8/snap.8*
 %{_datadir}/bash-completion/completions/snap
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
+%{_libexecdir}/snapd/snapd.run-from-snap
 %{_sysconfdir}/profile.d/snapd.sh
+%{_mandir}/man8/snapd-env-generator.8*
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
+%{_unitdir}/snapd.failure.service
+%{_unitdir}/snapd.seeded.service
+%{_datadir}/applications/snap-handle-link.desktop
 %{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_systemd_system_env_generator_dir}/snapd-env-generator
 %config(noreplace) %{_sysconfdir}/sysconfig/snapd
 %dir %{_sharedstatedir}/snapd
 %dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
 %dir %{_sharedstatedir}/snapd/desktop
 %dir %{_sharedstatedir}/snapd/desktop/applications
 %dir %{_sharedstatedir}/snapd/device
 %dir %{_sharedstatedir}/snapd/hostfs
-%dir %{_sharedstatedir}/snapd/mount
-%dir %{_sharedstatedir}/snapd/seccomp
-%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/lib
 %dir %{_sharedstatedir}/snapd/lib/gl
 %dir %{_sharedstatedir}/snapd/lib/gl32
 %dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_sharedstatedir}/snapd/snap
 %ghost %dir %{_sharedstatedir}/snapd/snap/bin
 %dir %{_localstatedir}/cache/snapd
 %dir %{_localstatedir}/snap
 %ghost %{_sharedstatedir}/snapd/state.json
-%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
-%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
 %ghost %{_sharedstatedir}/snapd/snap/README
+%if %{with snap_symlink}
+/snap
+%endif
+%if 0%{?rhel} == 7
+%{_sysctldir}/99-snap.conf
+%endif
 
 %files -n snap-confine
 %doc cmd/snap-confine/PORTING
@@ -637,23 +748,24 @@
 # For now, we can't use caps
 # FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
 %attr(6755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-gdb-shim
 %{_libexecdir}/snapd/snap-seccomp
 %{_libexecdir}/snapd/snap-update-ns
-%{_libexecdir}/snapd/snap-device-helper
 %{_libexecdir}/snapd/system-shutdown
-%{_libexecdir}/snapd/snap-gdb-shim
-%{_libexecdir}/snapd/snapd-generator
-%{_mandir}/man1/snap-confine.1*
-%{_mandir}/man5/snap-discard-ns.5*
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_systemdgeneratordir}/snapd-generator
 %attr(0000,root,root) %{_sharedstatedir}/snapd/void
 
-
+%if 0%{?with_selinux}
 %files selinux
 %license data/selinux/COPYING
 %doc data/selinux/README.md
 %{_datadir}/selinux/packages/snappy.pp.bz2
 %{_datadir}/selinux/devel/include/contrib/snappy.if
+%endif
 
 %if 0%{?with_devel}
 %files devel -f devel.file-list
@@ -669,6 +781,9 @@
 %endif
 
 %post
+%if 0%{?rhel} == 7
+%sysctl_apply 99-snap.conf
+%endif
 %systemd_post %{snappy_svcs}
 # If install, test if snapd socket and timer are enabled.
 # If enabled, then attempt to start them. This will silently fail
@@ -692,6 +807,7 @@
 %postun
 %systemd_postun_with_restart %{snappy_svcs}
 
+%if 0%{?with_selinux}
 %pre selinux
 %selinux_relabel_pre
 
@@ -707,9 +823,1790 @@
 if [ $1 -eq 0 ]; then
     %selinux_relabel_post
 fi
-
+%endif
 
 %changelog
+* Wed Jan 16 2019 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.37
+ - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+   have device node /dev/ttyACM[0-9]
+ - tests: fix enable-disable-unit-gpio test on external boards
+ - tests: define new "tests/smoke" suite and use that for
+   autopkgtests
+ - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+   library
+ - snapshotstate: don't task.Log without the lock
+ - overlord/configstate/configcore: support - and _ in cloud init
+   field names
+ - cmd/snap-confine: use makedev instead of MKDEV
+ - tests: review/fix the autopkgtest failures in disco
+ - systemd: allow only a single daemon-reload at the same time
+ - cmd/snap: only auto-enable unicode to a tty
+ - cmd/snap: right-align revision and size in info's channel map
+ - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+   different on Fedora
+ - tests: fix "No space left on device" issue on amazon-linux
+ - store: undo workaround for timezone-less released-at
+ - store, snap, cmd/snap: channels have released-at
+ - snap-confine: fix incorrect use "src" var in mount-support.c
+ - release: support probing SELinux state
+ - release-tools: display self-help
+ - interface: add new `{personal,system}-files` interface
+ - snap: give Epoch an Equal method
+ - many: remove unused interface code
+ - interfaces/many: use 'unsafe' with docker-support change_profile
+   rules
+ - run-checks: stop running HEAD of staticcheck
+ - release: use sync.Once around lazy intialized state
+ - overlord/ifacestate: include interface name in the hotplug-
+   disconnect task summary
+ - spread: show free space in debug output
+ - cmd/snap: attempt to restore SELinux context of snap user
+   directories
+ - image: do not write empty etc/cloud
+ - tests: skip snapd snap on reset for core systems
+ - cmd/snap-discard-ns: fix umount(2) typo
+ - overlord/ifacestate: hotplug-remove-slot task handler
+ - overlord/ifacestate: handler for hotplug-disconnect task
+ - ifacestate/hotplug: updateDevice helper
+ - tests: reset snapd state on tests restore
+ - interfaces: return security setup errors
+ - overlord: make InstallMany work like UpdateMany, issuing a single
+   request to get candidates
+ - systemd/systemd.go: add missing tests for systemd.IsActive
+ - overlord/ifacestate: addHotplugSeqWaitTask helper
+ - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+ - tests: new backend used to run upgrade test suite
+ - travis: short circuit failures in static and unit tests travis job
+ - cmd: automatically fix localized <option>s to <option>
+ - overlord/configstate,features: expose features to snapd tools
+ - selinux: package to query SELinux status and verify/restore file
+   contexts
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - cmd: add tests for lintArg and lintDesc
+ - httputil: retry on temporary net errors
+ - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+ - wrappers: only restart service in core18 when they are active
+ - overlord/ifacestate: helpers for serializing hotplug changes
+ - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interface
+ - snap/info: bind global plugs/slots to implicit hooks
+ - cmd/snap-confine: remove SC_NS_MNT_FILE
+ - spread: record each tests/upgrade job
+ - osutil: do not import dirs
+ - cmd/snap-confine: fix typo "a pipe"
+ - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+   devices
+ - tests: force test-snapd-daemon-notify exit 0 when the interface is
+   not connected
+ - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+ - centos: enable SELinux support on CentOS 7
+ - apparmor: allow hard link to snap-specific semaphore files
+ - tests/lib/pkgdb: disable weak deps on Fedora
+ - release: detect too old apparmor_parser
+ - tests: improve how the log is checked to see if the system is
+   waiting for a reboot
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - spread, tests: add Fedora 29
+ - cmd/snap-confine: refactor calling snapd tools into helper module
+ - apparmor: allow snap-update-ns access to common devices
+ - cmd/snap-confine: capture initialized per-user mount ns
+ - tests: reduce verbosity around package installation
+ - data: set KillMode=process for snapd
+ - cmd/snap: handle DNS error gracefully
+ - spread, tests: use checkpoints when dumping audit log
+ - tests/lib/prepare: make sure that SELinux context of repacked core
+   snap is controlled
+ - testutils: split checkers, tweak tests
+ - tests: fix for tests test-*-cgroup
+ - spread: show AVC audits when debugging, start auditd on Fedora
+ - spread: drop Fedora 27, add Fedora 29
+ - tests/lib/reset: restore context of removed snapd directories
+ - testutil: add File{Present,Absent} checkers
+ - snap: add new `snap run --trace-exec`
+ - tests: fix for failover test on how logs are checked
+ - snapctl: add "services"
+ - overlord/snapstate: use file timestamp to initialize timer
+ - cmd/libsnap: introduce and use sc_strdup
+ - interfaces: let NM access ifindex/ifupdown files
+ - overlord/snapstate: on refresh, check new rev can read current
+ - client, store: don't use store from client (use client from store)
+ - tests/main/parallel-install-store: verify installation of more
+   than one instance at a time
+ - overlord: don't write system key if security setup fails
+ - packaging/fedora/snapd.spec: fix bogus date in changelog
+ - snapstate: update fontconfig caches on install
+ - interfaces/apparmor/backend.go:411:38: regular expression does not
+   contain any meta characters (SA6004)
+ - asserts/header_checks.go:199:35: regular expression does not
+   contain any meta characters (SA6004)
+ - run staticcheck every time :-)
+ - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+   used with signal.Notify should be buffered (SA1017)
+ - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+   signal.Notify should be buffered (SA1017)
+ - spdx/parser.go:30:1: only the first constant has an explicit type
+   (SA9004)
+ - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+   dynamic first argument and no further arguments should use print-
+   style function instead (SA1006)
+ - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+   first argument and no further arguments should use print-style
+   function instead (SA1006)
+ - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+ - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+   Did you mean to break out of the outer loop? (SA4011)
+ - daemon/api.go:992:22: printf-style function with dynamic first
+   argument and no further arguments should use print-style function
+   instead (SA1006)
+ - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+   to break out of the outer loop? (SA4011)
+ - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+   should be buffered (SA1017)
+ - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+   provided buffer, not even temporarily (SA1023)
+ - release: probe apparmor features lazily
+ - overlord,daemon: mock security backends for testing
+ - cmd/libsnap: move apparmor-support to libsnap
+ - cmd: drop cruft from snap-discard-ns build rules
+ - cmd/snap-confine: use snap-discard-ns ns to discard stale
+   namespaces
+ - cmd/snap-confine: handle mounted shared /run/snapd/ns
+ - many: fix composite literals with unkeyed fields
+ - dirs, wrappers, overlord/snapstate: make completion + bases work
+ - tests: revert "tests: restore in restore, not prepare"
+ - many: validate title
+ - snap: make description maximum in runes, not bytes
+ - tests: discard mount namespaces in reset.sh
+ - tests/lib: sync cla check back from snapcraft
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - daemon: remove enableInternalInterfaceActions
+ - mkversion: use "test -n" rather than "! test -z"
+ - run-checks: assorted fixes
+ - tests: restore in restore, not in prepare
+ - cmd/snap: fix missing newline in "snap keys" error message
+ - snap: epoch lists must contain no duplicate entries
+ - interfaces/avahi_observe: Fix typo in comment
+ - tests: add SPREAD_JOB to the description of
+   systemd_create_and_start_unit
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+ - packaging/fedora: use %_sysctldir macro
+ - cmd/snap-confine: remove unneeded unshare
+ - sanity: extend the kernel version check to cover CentOS/RHEL
+   kernels
+ - wrappers: remove all desktop files from a snap on removal
+ - snap: add an explicit check for `epoch: null` loading
+ - snap: check max description length in validate
+ - spread, tests: add CentOS support
+ - cmd/snap-confine: allow mapping more libc shards
+ - cmd/snap-discard-ns: add support for --from-snap-confine
+ - tests: make tinyproxy support systemd notify
+ - tests: fix shellcheck
+ - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+ - store: add a test for a non-zero epoch refresh (with epoch bump)
+ - store: v1 search doesn't send epoch, stop pretending it does
+ - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+ - overlord/snapstate: amend test should send local revision
+ - tests: use mock-gpio.py in enable-disable-units-gpio test
+ - snap: enforce minimal snap name len of 2
+ - cmd/libsnap: add sc_verify_snap_lock
+ - cmd/snap-update-ns: extra debugging of trespassing events
+ - userd: force zenity width if the text displayed is long
+ - overlord/snapstate, store: always send epochs
+ - cmd/snap-confine,snap-update-ns: discard quirks
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - cmd/snap-update-ns, tests: clean trespassing paths
+ - nvidia, interfaces/builtin: OpenCL fixes
+ - ifacestate/hotplug: removeDevice helper
+ - cmd: install snap-discard-ns in "make hack"
+ - overlord/ifacestate: setup security backends phased by backends
+   first
+ - ifacestate/helpers: added SystemSnapName mapper helper method
+ - overlord/ifacestate: set hotplug-key of the connection when
+   connecting hotplug slots
+ - snapd: allow snap-update-ns to read /proc/version
+ - cmd: handle tumbleweed and leap in autogen.sh
+ - interfaces/tests: MockHotplugSlot test helper
+ - store,daemon: make UserInfo,LoginUser part of the store interface
+ - overlord/ifacestate: use remapper when checking if system snap is
+   installed
+ - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+ - packaging/arch: fix bash completions path
+ - interfaces/builtin: add device-buttons interface for accessing
+   events
+ - tests, fakestore: extend refresh tests with parallel installed
+   snaps
+ - snap, store, overlord/snapshotstate: drop epoch pointers
+ - snap: make Epoch default to {[0],[0]} on load from yaml
+ - data/completion: pass documented arguments to completion functions
+ - tests: skip opensuse from interfaces-openvswitch-support test
+ - tests: simple reproducer for snap try and hooks bug
+ - snapstate: do not allow classic mode for strict snaps
+ - snap: make Epoch's MarshalJSON not simplify
+ - store: remove unused currentSnap and currentSnapJSON
+ - many: some small doc comment fixes in recent hotplug code
+ - ifacestate/udevmonitor: added callback to signal end of
+   enumeration
+ - cmd/libsnap: add simplified feature flag checker
+ - interfaces/opengl: add additional accesses for cuda
+ - tests: add core18 only hooks test and fix running core18 only on
+   classic
+ - sanity, release, cmd/snap: refuse to try to do things on WSL.
+ - cmd: make coreSupportsReExec faster
+ - overlord/ifacestate: don't remove the dash when generating unique
+   slot name
+ - cmd/snap-seccomp: add full complement of ptrace constants
+ - cmd: update autogen.sh for opensuse
+ - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+   overlord/snapstate: address review feedback
+ - packaging/opensuse: stop using golang-packaging
+ - overlord/snapshots: survive an unknown user
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - cmd/snap: unhide --name parameter to snap install, tweak help
+   message
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/main/snap-service-after-before-install: verify after/before
+   in snap install
+ - overlord/ifacestate: mark connections disconnected by hotplug with
+   hotplug-gone
+ - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+   startup
+ - tests: install dependencies during prepare
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - tests: core 18 does not support classic confinement
+ - tests: add debug output for degraded test
+ - strutil: make VersionCompare faster
+ - overlord/snapshotstate/backend: survive missing directories
+ - overlord/ifacestate: use map[string]*connState when passing conns
+   around
+ - tests: move fedora 28 to manual
+ - overlord/snapshotstate/backend: be more verbose when
+   SNAPPY_TESTING=1
+ - tests: removing fedora 26 system from spread.yaml
+ - tests: linode execution is not needed anymore
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests: fixes and new backend for tests on nested suite
+ - strutil: let MatchCounter work with a nil regexp
+ - ifacestate/helpers: findConnsForHotplugKey helper
+ - many: move regexp.(Must)Compile out of non-init functions into
+   variables
+ - store: also make snaps downloaded via deltas 0600
+ - snap: use Lstat to determine snap size, remove
+   ReadSnapInfoExceptSize
+ - interfaces/builtin: add adb-support interface
+ - tests: fail if install_snap_local fails
+ - strutil: add extra test to CommaSeparatedList as suggested by
+   mborzecki
+ - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+ - ifacestate: optimize disconnect hooks
+ - cmd/snap-update-ns: parse the -u <uid> command line option
+ - cmd/snap, tests: snapshots for all
+ - client, cmd/daemon: allow disabling keepalive, improve degraded
+   mode unit tests
+ - snap: only show "next" refresh time if its after the hold time
+ - overlord/snapstate: run tests for classic snaps even on systems
+   that don't support classic
+ - overlord/standby: fix a race between standby goroutine and stop
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - cmd: remove remnants of sc_should_populate_mount_ns
+ - client, daemon, cmd/snap: indicate that services are socket/timer
+   activated
+ - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+ - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+ - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+ - cmd/snap-discard-ns: add support for per-user mount namespaces
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook.
+ - tests/main: fixes for the new shellcheck
+ - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+   fly
+ - tests: initial setup for testing current branch on nested vm and
+   hotplug management
+ - cmd: refactor IPC and lifecycle of the helper process
+ - tests/main/parallel-install-store: the store has caught up, do not
+   expect failures
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+   ptrace, for the Breakpad crash reporter
+ - snap,client: use a different exit code for retryable errors
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - cmd/snap: tweak `snap services` output when there is no services
+ - interfaces/many: updates to support k8s worker nodes
+ - cmd/snap: gnome-software install via snap:// handler
+ - overlord/many: cleanup use of snapName vs. instanceName
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes* ifstate: fix decoding of json numbers
+ - cmd/snap: try not to panic on error from "snap try"
+ - tests: new cosmic image for spread tests on gce
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - overlord/snapshotstate/backend: detect path to tar in unit tests
+ - tests/unit/gccgo: drop gccgo unit tests
+ - cmd: use relative file names in locking APIs
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - overlord/snapshotstate/backend: fall back on sudo when no runuser
+ - cmd/snap-confine: reduce verbosity of debug and error messages
+ - systemd: extend Status() to work for socket and timer units
+ - interfaces: typo 'allows' for consistency with other ifaces
+ - systemd,wrappers: don't start disabled services
+ - ifacestate: simplify task chaining in ifacestate.Connect
+ - tests: ensure that goa-daemon is off
+ - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+ - cmd/snap: block 'snap help <cmd> --all'
+ - asserts, image: ensure kernel, gadget, base and required-snaps use
+   valid snap names
+ - apparmor: add unit test for probeAppArmorParser and simplify code
+ - interfaces/apparmor: conditionally add explicit deny rules for
+   ptrace
+ - po: sync translations from launchpad
+ - osutil: tweak handling of error adduser errors
+ - cmd: rename ns_group to mount_ns
+ - tests/main/interfaces-accounts-service: more debugging
+ - snap/pack, snap/squashfs: use type to determine mksquashfs args
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - tests: show list of processes when ifaces-accounts-service fails
+ - tests: do not run degraded test in autopkgtest env
+ - snap: overhaul validation error messages
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - interfaces: improve Attr error further
+ - snapstate: tweak GetFeatureFlagBool() to have a default argument
+ - many: cleanup remaining parallel installs TODOs
+ - image: improve validation of extra snaps
+
+* Fri Dec 14 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.3
+ - wrappers: use new systemd.IsActive in core18 early boot
+ - httputil: retry on temporary net errors
+ - wrappers: only restart service in core18 when they are active
+ - systemd: start snapd.autoimport.service in --no-block mode
+ - data/selinux: fix syntax error in definition of snappy_admin
+   interfacewhen installing selinux-policy-devel package.
+ - centos: enable SELinux support on CentOS 7
+ - cmd, dirs, interfaces/apparmor: update distro identification to
+   support ID="archlinux"
+ - apparmor: allow hard link to snap-specific semaphore files
+ - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+   profile errors
+ - snap: add new `snap run --trace-exec` call
+ - interfaces/backends: detect too old apparmor_parser
+
+* Thu Nov 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.2
+ - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+   handle API changes
+ - snapstate: update fontconfig caches on install
+ - overlord,daemon: mock security backends for testing
+ - sanity, spread, tests: add CentOS
+ - Revert "cmd/snap, tests/main/snap-info: highlight the current
+   channel"
+ - cmd/snap: add nanosleep to blacklisted syscalls when running with
+   --strace
+ - tests: add regression test for LP: #1803535
+ - snap-update-ns: fix trailing slash bug on trespassing error
+ - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+ - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+ - interfaces/opengl: add additional accesses for cuda
+
+* Fri Nov 09 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36.1
+ - tests,snap-confine: add core18 only hooks test and fix running
+   core18 only hooks on classic
+ - interfaces/apparmor: allow access to
+   /run/snap.$SNAP_INSTANCE_NAME
+ - spread.yaml: add more systems to the autopkgtest and qemu backends
+ - daemon: spool sideloaded snap into blob dir
+ - wrappers: fix generating of service units with multiple `before`
+   dependencies
+ - data: run snapd.autoimport.service only after seeding
+ - tests,store,daemon: ensure proxy settings are honored in
+   auth/userinfo too
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - tests/lib: adjust to changed systemctl behaviour on debian-9
+ - tests/main/interfces-accounts-service: switch to busctl, more
+   debugging
+ - store: also make snaps downloaded via deltas 0600
+ - cmd/snap-exec: don't fail on some try mode snaps
+ - cmd/snap, userd, testutil: tweak DBus tests to use private session
+   bus connection
+ - tests/main: fixes for the new shellcheck
+ - cmd/snap-confine: remove stale mount profile along stale namespace
+ - data/apt: close stderr when calling snap in the apt install hook
+
+* Sun Nov 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.36-1
+- Release 2.36 to Fedora
+
+* Wed Oct 24 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.36
+ - overlord/snapstate, snap, wrappers: start services in the right
+   order during install
+ - tests: the store has caught up, drop gccgo test, update cosmic
+   image
+ - cmd/snap: try not to panic on error from "snap try"`--devmode`
+ - overlord/ifacestate: don't conflict on own discard-snap tasks when
+   refreshing & doing garbage collection
+ - snapstate: add command-chain to supported featureset
+ - daemon, snap: mark screenshots as deprecated
+ - interfaces: fix decoding of json numbers for static/dynamic
+   attributes
+ - data/systemd, wrappers: tweak system-shutdown helper for core18
+ - interfaces/system-key: add parser mtime and only discover features
+   on write
+ - interfaces: fix NormalizeInterfaceAttributes, add tests
+ - systemd,wrappers: don't start disabled services
+ - ifacestate/hooks: only create interface hook tasks if hooks exist
+ - tests: do not run degraded test in autopkgtest env
+ - osutil: workaround overlayfs on ubuntu 18.10
+ - interfaces: include invalid type in Attr error
+ - many: enable layouts by default
+ - interfaces/default: don't scrub with change_profile with classic
+ - cmd/snap: speed up unit tests
+ - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+   flags
+ - daemon: expose snapshots to the API
+ - interfaces: updates for default, screen-inhibit-control, tpm,
+   {hardware,system,network}-observe
+ - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+   update test interface
+ - interfaces/tests: use TestInterface instead of a custom local
+   helper
+ - overlord/snapstate: export getFeatureFlagBool.
+ - osutil,asserts,daemon: support force password change in system-
+   user assertion
+ - snap, wrappers: support restart-delay, generate RestartSec=<value>
+   in service units
+ - tests/ifacestate: moved asserts-related mocking into helper
+ - image: fetch device store assertion if available
+ - many: enable AppArmor on Arch
+ - interfaces/repo: two helper methods for hotplug
+ - overlord/ifacestate: add hotplug slots with implicit slots
+ - interfaces/hotplug: helpers and struct updates
+ - tests: run the snapd tests on Ubuntu 18.10
+ - snapstate: only report errors if there is an actual error
+ - store: speedup unit tests
+ - spread-shellcheck: fix interleaved error messages, tweaks
+ - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+ - ifacestate: implementation of defaultDeviceKey function for
+   hotplug
+ - cmd/snap-update-ns: remove empty placeholders used for mounting
+ - snapshotstate: restore to current revision
+ - tests/lib: rework the CLA checker
+ - many: support and consider store friendly-stores when checking
+   device scope constraints
+ - overlord/snapstate: block parallel installs of snapd, core, base,
+   kernel, gadget snaps
+ - overlord/patch: patch for static plug/slot attributes
+ - interfaces: honor static attributes when reloading conns
+ - osutils: unit tests speedup; introduce «run-checks --short-
+   unit».
+ - systemd, wrappers: speed up wrappers unit tests
+ - client: speedup unit tests
+ - spread-shellcheck: use threads to parallelise
+ - snap: validate plug and slot names
+ - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+ - wrappers: do not depend on network.taget in socket units, tweak
+   generated units
+ - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+ - store: gracefully handle unexpected errors in 'action'
+   response
+ - cmd: put our manpages in section 8
+ - overlord: don't make become-operational interfere with user
+   requests
+ - store: tweak unmatched refresh result error log
+ - snap, client, daemon, store: use and expose "media" more
+ - tests,cmd/snap-update-ns: add test showing mount update bug
+   cmd/snap-update-ns: better detection of snapd-made tmpfs
+ - tests: spread tests for aliases with parallel installed snaps
+ - interfaces/seccomp: allow using statx by default
+ - store: gracefully handle unexpected errors in 'action' response
+ - overlord/snapshotstate: chown the tempdir
+ - cmd/snap: attempt to start the document portal if running with a
+   session bus
+ - snap: detect layouts vs layout in snap.yaml
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snapcraft.yaml: set grade to stable
+ - tests: shellchecks, final round
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+ - snap: detect layouts vs layout in snap.yaml
+ - overlord/snapshotstate: store epoch in snapshot, check on restore
+ - cmd/snap: tweak UX of snap refresh --list
+ - overlord/snapstate: improve consistency, use validateInfoAndFlags
+   also in InstallPath
+ - snap: give Epoch a CanRead helper
+ - overlord/snapshotstate: small refactor of internal helpers
+ - interfaces/builtin: adding missing permission to create
+   /run/wpa_supplicant directory
+ - interfaces/builtin: avahi interface update
+ - client, daemon: support passing of 'unaliased' option when
+   installing from local files
+ - selftest: rename selftest.Run() to sanity.Check()
+ - interfaces/apparmor: report apparmor support level and policy
+ - ifacestate: helpers for generating slot names for hotplug
+ - overlord/ifacestate: make sure to pass in the Model assertion when
+   enforcing policies
+ - overlord/snapshotstate: store the SnapID in snapshot, block
+   restore if changed
+ - interfaces: generalize writable mimic profile
+ - asserts,interfaces/policy: add support for on-store/on-brand/on-
+   model plug/slot rule constraints
+ - many: fetch the device store assertion together and in the context
+   of interpreting snap-declarations
+ - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+   gccgo is fixed
+ - tests/main/parallel-install-services: add spread test for snaps
+   with services
+ - tests/main/snap-env: extend to cover parallel installations of
+   snaps
+ - tests/main/parallel-install-local: rename from *-sideload, extend
+   to run snaps
+ - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+ - cmd/snap: tame the help zoo
+ - tests/main/parallel-install-store: run installed snap
+ - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+   i18n)
+ - cmd: fix C formatting
+ - tests: remove unneeded cleanup from layout tests
+ - image: warn on missing default-providers
+ - selftest: add test to ensure selftest.checks is up-to-date
+ - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+   installs
+ - userd: extend the list of supported XDG Desktop properties when
+   autostarting user applications
+ - cmd/snap-update-ns: enforce trespassing checks
+ - selftest: actually run the kernel version selftest
+ - snapd: go into degraded mode when the selftest fails
+ - tests: add test that runs snapctl with a core18 snap
+ - tests: add snap install hook with base: core18
+ - overlord/{snapstate,assertstate}: parallel instances and
+   refresh validation
+ - interfaces/docker-support: add rules to read apparmor macros
+ - tests: make nfs test available for more systems
+ - tests: cleanup copy/paste dup in interfaces-network-setup-control
+ - tests: using single sh snap in interface tests
+ - overlord/snapstate: improve cleaup in mount-snap handler
+ - tests: don't fail interfaces-bluez test if bluez is already
+   installed
+ - tests: find snaps just for edge and beta channels
+ - daemon, snapstate: consistent snap list [--all] output with broken
+   snaps
+ - tests: fix listing to allow extra things in the notes column
+ - cmd/snap: improve UX when removing specific snap revision
+ - cmd/snap, tests/main/snap-info: highlight the current channel
+ - interfaces/testiface: added TestHotplugInterface
+ - snap: tweak commands
+ - interfaces/hotplug: hotplug spec takes one slot definition
+ - overlord/snapstate, snap: handle shared snap directories when
+   installing/remove snaps with instance key
+ - interfaces/opengl: misc accesses for VA-API
+ - client, cmd/snap: expose warnings to the world
+ - cmd/snap-update-ns: introduce trespassing state tracking
+ - cmd/snap: commands no longer build their own client
+ - tests: try to build cmd/snap for darwin
+ - daemon: make error responders not printf when called with 1
+   argument
+ - many: return real snap name in API response
+ - overlord/state: return latest LastAdded time in WarningsSummary
+ - many: mount namespace mapping for parallel installs of snaps
+ - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+   core-phase-2
+ - client, cmd/snap: on !linux, exit when the client tries to Do
+   something
+ - tests: refactor for nested suite and tests fixed
+ - tests: use lxd's waitready instead of polling lxd socket
+ - ifacestate: don't initialize udev monitor until we have a system
+   snap
+ - interfaces: extra argument for static attrs in
+   NewConnectedPlug/NewConnectedSlot
+ - packaging/arch: sync packaging with AUR
+ - snapstate/tests: serialize all appends in fake backend
+ - snap-confine: make /lib/modules optional
+ - cmd/snap: handle "snap interfaces core" better
+ - store: move download tests into downloadSuite
+ - tests,interfaces: run interfaces-account-control on UC18
+ - tests: fix install snaps test by adding link to /snap
+ - tests: fix for nested test suite
+ - daemon: fix snap list --all with parallel snap instances
+ - snapstate: refactor tests to use SetModel*
+ - wrappers: fix snap services order in tests
+ - many: provide salt for generating instance-key in store requests
+ - ifacestate: fix hang when retrying content providers
+ - snapd-env-generator: fix when PATH is empty or unset
+ - overlord/assertstate: propagate TaskSnapSetup error
+ - client: catch and expose logs errors
+ - overlord: integrate device enumeration with udev monitor
+ - daemon, overlord/state: warnings pipeline
+ - tests: add publisher regex to fix the snap-info test pass on sru
+ - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+   tweaks
+ - cmd/snap-update-ns: remove the unused Secure type
+ - osutil, o/snapshotstate, o/sss/backend: quick fixes
+ - tests: update the listing expression to support core from
+   different channels
+ - store: use stable instance key in store refresh requests
+ - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+ - overlord/patch: support for sublevel patches
+ - tests: update prepare/restore for nightly suite
+ - cmd/snap-update-ns: detach BindMount from the Secure type
+ - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+ - ifacestate: retry on "discard-snap" in autoconnect conflict check
+ - cmd/snap-update-ns: separate OpenPath from the Secure struct
+ - wrappers: remove Wants=network-online.target
+ - tests: add new core16-base test
+ - store: refactor tests so that they work as store_test package
+ - many: add refresh.rate-limit core option
+ - tests: run account-control test with different bases
+ - tests: port proxy test to use python tinyproxy
+ - overlord: introduce snapshotstate.
+ - testutil: allow Fstatfs results to vary over time
+ - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+ - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+ - many: remove deadcode
+ - tests: also run unit/gccgo in 18.04
+ - tests: introduce a helper for installing local snaps with --name
+ - tests: avoid removing core snap on reset
+ - snap: use snap.SideInfo in test to fix build with gccgo
+ - partition: remove unused runCommand
+ - image: fix incorrect error when using local bases
+ - overlord/snapstate: fix format
+ - cmd: fix format
+ - tests: setting "storage: preserve-size" just for amazon-linux
+   system
+ - tests: test for the hostname interface
+ - interfaces/modem-manager: allow access to more USB strings
+ - overlord: instantiate UDevMonitor
+ - interfaces/apparmor: tweak naming, rename to AddLayout()
+ - interfaces: take instance name in ifacetest.InstallSnap
+ - snapcraft: do not use --dirty in mkversion
+ - cmd: add systemd environment generator
+ - devicestate: support getting (http) proxy from core config
+ - many: rename ClientOpts to ClientOptions
+ - prepare-image-grub-core18: remove image root in restore
+ - overlord/ifacestate: remove "old-conn" from connect/undo connect
+   handlers
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - image: handle errors when downloadedSnapsInfoForBootConfig has no
+   data
+ - tests: use official core18 model assertion in tests
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - overlord,store: support proxy settings internally too
+ - cmd/snap: bring back 'snap version'
+ - interfaces/mount: tweak naming of things
+ - strutil: fix MatchCounter to also work with buffer reuse
+ - cmd,interfaces,tests: add /mnt to removable-media interface
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - snap/snapenv: drop some instance specific variables, use instance-
+   specific ones for user locations
+ - firstboot: sort by type when installing the firstboot snaps
+ - cmd, cmd/snap: better support for non-linux
+ - strutil: add new ParseByteSize
+ - image: detect and error if bases are missing
+ - interfaces/apparmor: do not downgrade confinement on arch with
+   linux-hardened 4.17.4+
+ - daemon: add pokeStateLock helper to the daemon tests
+ - snap/squashfs: improve error message from Build on mksquashfs
+   failure
+ - tests: remove /etc/alternatives from dirs-not-shared-with-host
+ - cmd: support re-exec into the "snapd" snap
+ - spdx: remove "Other Open Source" from the support licenses
+ - snap: add new type "TypeSnapd" and attach to the snapd snap
+ - interfaces: retain order of inserted security backends
+ - tests: spread test for parallel-installs desktop file handling
+ - overlord/devicestate: use OpenSSL's PEM format when generating
+   keys
+ - cmd: remove --skip-command-chain from snap run and snap-exec
+ - selftest: detect if apparmor is unusable and error
+ - snap,snap-exec: support command-chain for hooks
+ - tests: significantly reduce execution time for managers test
+ - snapstate: use new "snap.ByType" sorting
+ - overlord/snapstate: fix UpdateMany() to work with parallel
+   instances
+ - testutil: have File* checker produce more useful error output
+ - overlord/ifacestate: introduce connectOpts
+ - interfaces: parallel instances support, extend unit tests
+ - tests: normalize tests
+ - snapstate: make InstallPath() return *snap.Info too
+ - snap: add ByType sorting
+ - interfaces: add cifs-mount interface
+ - tests: use file based markers in snap-service-stop-mode
+ - osutil: reorg and stub out things to get it building on darwin
+ - tests/main/layout: cleanup after the test
+ - osutil/sys: small tweaks to let it build on darwin
+ - daemon, overlord/snapstate: set instance name when installing from
+   snap file
+ - many: move Uname to osutil, for more DRY and easier porting.
+ - cmd/snap: create snap user directory when running parallel
+   installed snaps
+ - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+ - tests: basic test for parallel installs from the store
+ - image: download the gadget from the model.GadgetTrack()
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - overlord: handle sigterm during shutdown better
+ - tests: add the original function to fix the errors on new kernels
+ - tests/main/lxd: pull lxd from candidate; reënable i386
+ - wayland: add extra sockets that are used by older toolkits (e.g.
+   gtk3)
+ - asserts: add support for gadget tracks in the model assertion
+ - overlord/snapstate: improve feature flag validation
+ - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+ - interfaces: workaround for activated services and newer DBus
+ - tests: get the linux-image-extra available for the current kernel
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - interfaces: disconnect hooks
+ - cmd/libsnap: unify detection of core/classic with go
+ - tests: fix autopkgtest failures in cosmic
+ - snap: fix advice json
+ - overlord/snapstate: parallel snap install
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - interfaces: add screencast-legacy for video and audio recording
+ - tests: skip unsupported architectures for fedora-base-smoke test
+ - tests: avoid using the journalctl cursor when it has not been
+   created yet
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - tests: enable lxd again everywhere
+ - tests: new test for udisks2 interface
+ - interfaces: add cpu-control for setting CPU tunables
+ - overlord/devicestate: fix tests, set seeded in registration
+   through proxy tests
+ - debian: add missing breaks on cosmic
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - tests: new test for juju client observe interface
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - snapcraft: set version information for the snapd snap
+ - cmd/snap, daemon: error out if trying to install a snap using
+   empty name
+ - hookstate: simplify some hook tests
+ - cmd/snap-confine: extend security tag validation to cover instance
+   names
+ - snap: fix mocking of systemkey in snap-run tests
+ - packaging/opensuse: fix static build of snap-update-ns and snap-
+   exec
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - cmd/libsnap-confine-private: intoduce helpers for validating snap
+   instance name and instance key
+ - snap,snap-exec: support command-chain for app
+ - interfaces/builtin: network-manager resolved DBus changes
+ - snap: tweak `snap wait` command
+ - cmd/snap-update-ns: introduce validation of snap instance names
+ - cmd/snap: fix some corner-case test setup weirdness
+ - cmd,dirs: fix various issues discovered by a Fedora base snap
+ - tests/lib/prepare: fix extra snaps test
+
+* Mon Oct 15 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.5
+ - interfaces/home: don't allow snaps to write to $HOME/bin
+ - osutil: workaround overlayfs on ubuntu 18.10
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.4
+  - wrappers: do not depend on network.taget in socket units, tweak
+    generated units
+
+* Fri Oct 05 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.3
+ - overlord: don't make become-operational interfere with user
+   requests
+ - docker_support.go: add rules to read apparmor macros
+ - interfaces/apparmor: handle overlayfs snippet for snap-update-
+   nsFixes:
+ - snapcraft.yaml: add workaround to fix snapcraft build
+ - interfaces/opengl: misc accesses for VA-API
+
+* Wed Sep 12 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.2
+ - cmd,overlord/snapstate: go 1.11 format fixes
+ - ifacestate: fix hang when retrying content providers
+ - snap-env-generator: do nothing when PATH is unset
+ - interfaces/modem-manager: allow access to more USB strings
+
+* Mon Sep 03 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35.1
+ - packaging/fedora: Merge changes from Fedora Dist-Git
+ - snapcraft: do not use --diry in mkversion.sh
+ - cmd: add systemd environment generator
+ - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+ - tests: cherry-pick test fixes from master for 2.35
+ - systemd: do not run "snapd.snap-repair.service.in on firstboot
+   bootstrap
+ - interfaces: retain order of inserted security backends
+ - selftest: detect if apparmor is unusable and error
+
+* Sat Aug 25 2018 Neal Gompa <ngompa13@gmail.com> - 2.35-1
+- Release 2.35 to Fedora (RH#1598946)
+
+* Mon Aug 20 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.35
+ - snapstate: add support for gadget tracks in model assertion
+ - image: add support for "gadget=track"
+ - asserts: add support for gadget tracks in the model assertion
+ - interfaces: add new "sysfs-name" to i2c interfaces code
+ - overlord: handle sigterm during shutdown better
+ - wayland: add extra sockets that are used by older toolkits
+ - snap: fix advice json
+ - tests: fix autopkgtest failures in cosmic
+ - store: backward compatible instance-key handling for non-instance
+   snaps
+ - snapstate: ensure normal snaps wait for the "snapd" snap on
+   refresh
+ - interfaces: add cpu-control for setting CPU tunables
+ - debian: add missing breaks on comisc
+ - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+ - devicestate: only run device-hook when fully seeded
+ - seccomp: conditionally add socketcall() based on system and base
+ - interfaces/builtin: addtl network-manager resolved DBus fix
+ - hookstate: simplify some hook tests
+ - udev: skip TestParseUdevEvent on ppc
+ - interfaces: miscellaneous policy updates
+ - debian: add tzdata to build-dep to ensure snapd builds correctly
+ - interfaces/builtin: network-manager resolved DBus changes
+ - tests: add spread test for fedora29 base snap
+ - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+ - dirs: fix SnapMountDir inside a Fedora base snap
+ - tests: fix snapd-failover for core18 with external backend
+ - overlord/snapstate: always clean SnapState when doing Get()
+ - overlod/ifacestate: always use a new SnapState when fetching the
+   snap state
+ - overlord/devicestate: have the serial request talk to the proxy if
+   set
+ - interfaces/hotplug: udevadm output parser
+ - tests: New test for daemon-notify interface
+ - image: ensure "core" is ordered early if base: and core is used
+ - cmd/snap-confine: snap-device-helper parallel installs support
+ - tests: enable interfaces-framebuffer everywhere
+ - tests: reduce nc wait time from 2 to 1 second
+ - snap/snapenv: add snap instance specific variables
+ - cmd/snap-confine: add minimal test for snap-device-helper
+ - tests: enable snapctl test on core18
+ - overlord: added UDevMonitor for future hotplug support
+ - wrappers: do not glob when removing desktop files
+ - tests: add dbus monitor log to interfaces-accounts-service
+ - tests: add core-18 systems to external backend
+ - wrappers: account for changed app wrapper in parallel installed
+   snaps
+ - wrappers: make sure that the tests pass on non-Ubuntu too
+ - many: add snapd snap failure handling
+ - tests: new test for dvb interface
+ - configstate: accept refresh.timer=managed
+ - tests: new test for snap logs command
+ - wrapper: generate all the snapd unit files when generating
+   wrappers
+ - store: keep all files with link-count > 1 in the cache
+ - store: be less verbose in the common refresh case of "no updates"
+ - snap-confine: update snappy-app-dev path
+ - debian: ensure dependency on fixed apt on 18.04
+ - snapd: add initial software watchdog for snapd
+ - daemon, systemd: change journalctl -n=all to --no-tail
+ - systemd: fix snapd.apparmor.service.in dependencies
+ - snapstate: refuse to remove bases or core if snaps need them
+ - snap: introduce package-level helpers for building snap related
+   directory/file paths
+ - overlord/devicestate: deny parallel install of kernel or gadget
+   snaps
+ - store: clean up parallel-install TODOs in store tests
+ - timeutil: fix first weekday of the month schedule
+ - interfaces: match all possible tty but console
+ - tests: shellchecks part 5
+ - cmd/snap-confine: allow ptrace read for 4.18 kernels
+ - advise: make the bolt database do the atomic rename dance
+ - tests/main/apt-hooks: debug dump of commands.db
+ - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+   handling
+ - snap: validate instance name as part of Validate()
+ - daemon: if a snap is inactive, don't ask systemd about its
+   services.
+ - udev: skip TestParseUdevEvent on s390x
+ - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+ - asserts,image: add support for new kernel=track syntax
+ - tests: new gce image for fedora 27
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - store, overlord/snapstate: introduce instance name in store APIs
+ - tests: drive-by cleanup of redudant pkgname matching
+ - tests: ensure apt-hook is only run after catalog update ran
+ - tests: use pkill instead of kilall
+ - tests/main: another bunch of updates for Amazon Linux 2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the  directory tree
+ - tests: disable/fix more tests for Amazon Linux 2
+ - overlord: introduce InstanceKey to SnapState and SnapSetup,
+   renames
+ - daemon: make sure most change generating handlers can produce
+   errors with kinds
+ - tests/main/interfaces-calendar-service: skip the test on AMZN2
+ - tests/lib/snaps: avoid using relative command paths that go up in
+   the directory tree
+ - cmd/snap: add a green check mark to verified publishers
+ - cmd/snap: fix two issues in the cmd/snap unit tests
+ - packaging/fedora: fix target path of /snap symlink
+ - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - strutil: detect and bail out of Unmarshal on duplicate key
+ - packaging/fedora(amzn2): disable SELinux, drop dependency on
+   squashfuse for AMZN2
+ - spread, tests: add support for Amazon Linux 2
+ - packaging/fedora: Add Amazon Linux 2 support
+ - many: make Wait/Stop optional on StateManagers
+ - snap/squashfs: stop printing unsquashfs info to stderr
+ - snap: add support for `snap advise-snap --from-apt`
+ - overlord/ifacestate: ignore connect if already connected
+ - tests: change the service snap used instead of network-bind-
+   consumer
+ - interfaces/network-control: update for wpa-supplicant and ifupdown
+ - tests: fix raciness in stop mode tests
+ - logger: try to not have double dates
+ - debian: use deb-systemd-invoke instead of systemctl directly
+ - tests: run all main tests on core18
+ - many: finish sharing a single TaskRunner with all the the managers
+ - interfaces/repo: added AllHotplugInterfaces helper
+ - snapstate: ensure kernel-track is honored on switch/refresh
+ - overlord/ifacestate: support implicit slots on snapd
+ - image: add support for "kernel-track" in `snap prepare-image`
+ - tests: add test that ensures we do not boot any system in degraded
+   state
+ - tests: update tests to work on core18
+ - cmd/snap: check for typographic dashes in command
+ - tests: fix tests expecting old email address
+ - client: add some existing error kinds that were not listed in
+   client.go
+ - tests: add missing slots in classic and core provider test snaps
+ - overlord,daemon,cmd: re-map snap names around the edges of snapd
+ - tests: use install_local in snap-run-hooks
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - overlord/snapstate: dedupe default content providers
+ - osutil/udev: sync with upstream
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord: have SnapManager use a passed in TaskRunner created by
+   Overlord
+ - many: streamline the generic conflict check mechanisms
+ - tests: remove unneeded setup code in snap-run-symlink
+ - cmd/snap: print unset license as "unset", instead of "unknown"
+ - asserts: add (optional) kernel-track to model assertion
+ - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+ - interfaces/pulseaudio: be clear that the interface allows playback
+   and record
+ - snap: support hook environment
+ - interfaces: fix typo "daemonNotify" (add missing "n")
+ - interfaces: tweak tests of daemon-notify, use common naming
+ - interfaces: allow invoking systemd-notify when daemon-notify is
+   connected
+ - store: make snap blobs be 0600
+ - interfaces,daemon: move JSON types to the daemon
+ - tests: prepare needs to handle bin/snapctl being a symlink
+ - tests: do not mask errors in interfaces-timezone-control (#5405)
+ - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+ - tests: add basic integration test for spread hold
+ - overlord/snapstate: improve PlugsOnly comment
+ - many: assorted shellcheck fixes
+ - store, daemon, client, cmd/snap: expose "scope", default to wide
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - client, cmd/snap: pass snap instance name when installing from
+   file
+ - cmd/snap: add 'debug paths' command
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: fix tests on arch
+ - tests: start active system units on reset
+ - tests: new test for joystick interface
+ - tests: moving install of dependencies to pkgdb helper
+ - tests: enable new fedora image with test dependencies installed
+ - tests: start using the new opensuse image with test dependencies
+ - tests: check catalog refresh before and after restart snapd
+ - tests: stop restarting journald service on prepare
+ - interfaces: make core-support a no-op interface
+ - interfaces: prefer "snapd" when resolving implicit connections
+ - interfaces/hotplug: add hotplug Specification and
+   HotplugDeviceInfo
+ - many: lessen the use of core-support
+ - tests: fixes for the autopkgtest failures in cosmic
+ - tests: remove extra ' which breaks interfaces-bluetooth-control
+   test
+ - dirs: fix antergos typo
+ - tests: use grep to avoid non-matching messages from MATCH
+ - dirs: improve distro detection for Antegros
+ - vendor: switch to latest bson
+ - interfaces/builtin: create can-bus interface
+ - tests: "snap connect" is idempotent so just connect
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - interfaces: treat "snapd" snap as type:os
+ - interfaces: tweak tests to have less repetition of "core" and
+   "ubuntu…
+ - tests: simplify econnreset test
+ - snap: add helper for renaming slots
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - tests: add artful for sru validation on google backend
+ - snap,interfaces: move interface name validation to snap
+ - overlord/snapstate: introduce path to fake backend ops
+ - cmd/snap-confine: fix snaps running on core18
+ - many: expose publisher's validation throughout the API
+
+* Fri Jul 27 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.3
+ - interfaces/apparmor: use the cache in mtime-resilient way
+ - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+ - snapstate: allow setting "refresh.timer=managed"
+ - spread: switch Fedora and openSUSE images
+
+* Thu Jul 19 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.2
+ - packaging: fix bogus date in fedora snapd.spec
+ - tests: fix tests expecting old email address
+
+* Tue Jul 17 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34.1
+ - tests: cherry-pick test fixes from master for 2.34
+ - coreconfig: add support for `snap set system network.disable-
+   ipv6`
+ - debian: do not ship snapd.apparmor.service on ubuntu
+ - overlord/snapstate: dedupe default content providers
+ - interfaces/builtin: create can-bus interface
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.33.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul 06 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.34
+ - store, daemon, client, cmd/snap: expose "scope", default to wide*
+ - tests: fix arch tests
+ - snapstate: make sure all *link-*snap tasks carry a snap type and
+   further hints
+ - snapstate: allow setting "refresh.timer=managed"
+ - cmd/snap: display a link to data privacy notice for interactive
+   snap login
+ - devicestate: fix race when refreshing a snap with snapd-control
+ - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+ - tests: run interfaces-contacts-service only where test-snapd-eds
+   is available
+ - many: expose publisher's validation throughout the API
+ - many: use extra "releases" information on store "revision-not-
+   found" errors to produce better errors
+ - dirs: improve distro detection for Antegros
+ - Revert "dirs: improve identification of Arch Linux like systems"
+ - devicestate: fix panic in firstboot code when no snaps are seeded
+ - i18n: use xgettext-go --files-from to avoid running into cmdline
+   size limits
+ - interfaces: move ValidateName helper to utils
+ - snapstate,ifstate: wait for pending restarts before auto-
+   connecting
+ - snap: account for parallel installs in wrappers, place info and
+   tests
+ - configcore: fix incorrect handling of keys with numbers (like
+   gpu_mem_512)
+ - tests: fix tests when no keyboard input detected
+ - overlord/configstate: add watchdog options
+ - snap-mgmt: fix for non-existent dbus system policy dir,
+   shellchecks
+ - tests/main/snapd-notify: use systemd's service properties rater
+   than the journal
+ - snapstate: allow removal of snap.TypeOS when using a model with a
+   base
+ - interfaces: make findSnapdPath smarter
+ - tests: run "arp" tests only if arp is available
+ - spread: increase the number of auto retries for package downloads
+   in opensuse
+ - cmd/snap-confine: fix nvidia support under lxd
+ - corecfg: added experimental.hotplug feature flag
+ - image: block installation of parallel snap instances
+ - interfaces: moved normalize method to interfaces/utils and made it
+   public
+ - api/snapctl: allow -h and --help for regular users.
+ - interfaces/udisks2: also implement implicit classic slot
+ - cmd/snap-confine: include CUDA runtime libraries
+ - tests: disable auto-refresh test on core18
+ - many: switch to account validation: unproven|verified
+ - overlord/ifacestate: get/set connection state only via helpers
+ - tests: adding extra check to validate journalctl is showing
+   current test data
+ - data: add systemd environment configuration
+ - i18n: handle write errors in xgettext-go
+ - snap: helper for validating snap instance names
+ - snap{/snaptest}: set instance key based on snap name
+ - userd: fix running unit tests on KDE
+ - tests/main/econnreset: limit ingress traffic to 512kB/s
+ - snap: introduce a struct Channel to represent store channels, and
+   helpers to work with it
+ - tests: add fedora to distro_clean_package_cache function
+ - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+ - tests: add spread test to ensure snapd/core18 are not removable
+ - tests: tweaks for running the main tests on core18
+ - overlord/{config,snap}state: introduce experimental.parallel-
+   instances feature flag
+ - strutil: support iteration over almost clean paths
+ - strutil: add PathIterator.Rewind
+ - tests: update interfaces-timeserver-control to core18
+ - tests: add halt-timeout to google backend
+ - tests: skip security-udev-input-subsystem without /dev/input/by-
+   path
+ - snap: introduce the instance key field
+ - packaging/opensuse: remaining packaging updates for 2.33.1
+ - overlord/snapstate: disallow installing snapd on baseless models
+ - tests: disable core tests on all core systems (16 and 18)
+ - dirs: improve identification of Arch Linux like systems
+ - many: expose full publisher info over the snapd API
+ - tests: disable core tests on all core systems (16 and 18)
+ - tests/main/xdg-open: restore or clean up xdg-open
+ - tests/main/interfaces-firewall-control: shellcheck fix
+ - snapstate: sort "snapd" first
+ - systemd: require snapd.socket in snapd.seeded.service; make sure
+   snapd.seeded
+ - spread-shellcheck: use the latest shellcheck available from snaps
+ - tests: use "ss" instead of "netstat" (netstat is not available in
+   core18)
+ - data/complete: fix three out of four shellcheck warnings in
+   data/complete
+ - packaging/opensuse: fix typo, missing assignment
+ - tests: initial core18 spread image building
+ - overlord: introduce a gadget-connect task and use it at first boot
+ - data/completion: fix inconsistency in +x and shebang
+ - firstboot: mark essential snaps as "Required" in the state
+ - spread-shellcheck: use a whitelist of files that are allowed to
+   fail validation
+ - packaging/opensuse: build position-independent binaries
+ - ifacestate: prevent running interface hooks twice when self-
+   connecting on autoconnect
+ - data: remove /bin/sh from snapd.sh
+ - tests: fix shellcheck 0.5.0 warnings
+ - packaging/opensuse: snap-confine should be 06755
+ - packaging/opensuse: ship apparmor integration if enabled
+ - interfaces/udev,misc: only trigger udev events on input subsystem
+   as needed
+ - packaging/opensuse: add missing bits for snapd.seeded.service
+ - packaging/opensuse: don't use %-macros in comments
+ - tests: shellchecks part 4
+ - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+   parallel-install TODOs
+ - store: drop unused: channel map types, and details fixture.
+ - store: have a basic test about the unmarshalling of /search
+   results
+ - tests: show executed tests on current system when a test fails
+ - tests: fix for the download of the big snap
+ - interfaces/apparmor: add chopTree
+ - tests: remove double debug: | entry in tests and add more checks
+ - cmd/snap-update-ns: introduce mimicRequired helper
+ - interfaces: move assertions around for better failure line number
+ - store: log a nice clear "download succeeded" message
+ - snap: run snap-confine from the re-exec location
+ - snapstate: support restarting snapd from the snapd snap on core18
+ - tests: show status of the partial test-snapd-huge snap in
+   econnreset test
+ - tests: fix interfaces-calendar-service test when gvfsd-metadata
+   loks the xdg dirctory
+ - store: switch store.SnapInfo to use the new v2/info endpoint
+ - interfaces: add Repository.AllInterfaces
+ - snapstate: stop using evolving SnapSpec internally, use an
+   internal-only snapSpec instead
+ - cmd/libsnap-confine-private: introduce a helper for splitting snap
+   name
+ - tests: econnreset/retry tweaks
+ - store, et al: kill dead code that uses the bulk endpoint
+ - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+ - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+   Depth helper
+ - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+   available
+ - store: switch connectivity check to use v2/info
+ - devicestate: support seeding from a base snap instead of core
+ - snapstate,ifacestate: remove core-phase-2 handling
+ - interfaces/docker-support: update for docker 18.05
+ - tests: enable fedora 28 again
+ - overlord/ifacestate:  simplify checkConnectConflicts and also
+   connect signature
+ - snap: parse connect instructions in gadget.yaml
+ - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+   test
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - store, image: have 'snap download' use v2/refresh action=download
+ - interfaces/policy: test that base policy can be parsed
+ - tests: publish test-snapd-appstreamid for any architecture
+ - snap: don't include newline in hook environment
+ - cmd/snap-update-ns: use RCall with SyscallsEqual
+ - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+ - interfaces: add the dvb interface
+ - daemon: paging is not a thing.
+ - cmd/snap-mgmt: remove system key on purge
+ - testutil: syscall sequence checker
+ - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command* many: add `snap debug
+   connectivity` command
+ - configstate: deny configuration of base snaps and for the "snapd"
+   snap
+ - interfaces/raw-usb: also allow usb serial devices
+ - snap: reject more layout locations
+ - errtracker: do not send duplicated reports
+ - httputil: extra debug if an error is not retried
+ - cmd/snap-update-ns: improve wording in many errors
+ - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+ - cmd/snap-update-ns: add helper for checking for read-only
+   filesystems
+ - interfaces/builtin/docker: use commonInterface over specific
+   struct
+ - testutil: add test support for Fstatfs
+ - cmd/snap-update-ns: discard the concept of segments
+ - cmd/libsnap-confine-private: helper for extracting store snap name
+   from local-name
+ - tests: fix flaky test for hooks undo
+ - interfaces: add {contacts,calendar}-service interfaces
+ - tests: retry 'restarting into..' match in the snap-confine-from-
+   core test
+ - systemd: adjust TestWriteMountUnitForDirs() to use
+   squashfs.MockUseFuse(false)
+ - data: add helper that can generate/start/stop the snapd service
+ - sefltest: advise reboot into 4.4 on trusty running 3.13
+ - selftest: add new selftest package that tests squashfs mounting
+ - store, jsonutil: move store.getStructFields to
+   jsonutil.StructFields
+ - ifacestate: improved conflict and error handling when creating
+   autoconnect tasks
+ - cmd/snap-confine: applied make fmt
+ - interfaces/udev: call 'udevadm settle --timeout=10' after
+   triggering events
+ - tests: wait more time until snap start to be downloaded on
+   econnreset test
+ - snapstate: ensure fakestore returns TypeOS for the core snap
+ - tests: fix lxd test which hangs on restore
+ - cmd/snap-update-ns: add PathIterator
+ - asserts,image: add support for models with bases
+ - tests: shellchecks part 3
+ - overlord/hookstate: support undo for hooks
+ - interfaces/tpm: Allow access to the kernel resource manager
+ - tests: skip appstream-id test for core systems 32 bits
+ - interfaces/home: remove redundant common interface assignment
+ - tests: reprioritise a few tests that are known to be slow
+ - cmd/snap: small help tweaks and fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - spread-shellcheck: silly fix & pep8
+ - spread: switch fedora 28 to manual
+ - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+   it in snap info --verbose
+ - tests: fix lxd test - --auto now sets up networking
+ - tests: adding fedora-28 to spread.yaml
+ - interfaces: add juju-client-observe interface
+ - client, daemon: add a "mounted-from" entry to local snaps' JSON
+ - image: set model.DisplayName() in bootenv as "snap_menuentry"
+ - packaging/opensuse: Refactor packaging to support all openSUSE
+   targets
+ - interfaces/joystick: force use of the device cgroup with joystick
+   interface
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - interfaces: remove Plug/Slot types
+ - interface hooks: update old AutoConnect methods
+ - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+ - overlord/{config,snap}state: the number of inactive revisions is
+   config
+ - cmd/snap: check with snapd for unknown sections
+ - tests: moving test helpers from sh to bash
+ - data/systemd: add snapd.apparmor.service
+ - many: expose AppStream IDs (AKA common ID)
+ - many: hold refresh when on metered connections
+ - interfaces/joystick: also support modern evdev joysticks and
+   gamepads
+ - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+ - snapcraft: use dpkg-buildpackage options that work in xenial
+ - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+ - get-deps: work with an unset GOPATH too
+ - interfaces/apparmor: use strict template on openSUSE tumbleweed
+ - packaging: filter out verbose flags from "dh-golang"
+ - packaging: fix description
+ - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+* Fri Jun 22 2018 Neal Gompa <ngompa13@gmail.com> - 2.33.1-1
+- Release 2.33.1 to Fedora (RH#1567916)
+
+* Thu Jun 21 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33.1
+ - many: improve udev trigger on refresh experience
+ - systemd: require snapd.socket in snapd.seeded.service
+ - snap: don't include newline in hook environment
+ - interfaces/apparmor: allow killing snap-update-ns
+ - tests: skip "try" test on s390x
+ - tests: skip security-dev-input-event-denied when /dev/input/by-
+   path/ is missing
+ - tests: skip security-dev-input-event-denied on s390x/arm64
+
+* Fri Jun 08 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.33
+ - packaging: use official bolt in the errtracker on fedora
+ - many: add `snap debug connectivity` command
+ - interfaces/raw-usb: also allow usb serial devices
+ - errtracker: do not send duplicated reports
+ - selftest: add new selftest package that tests squashfs mounting
+ - tests: backport lxd force stop and econnreset fixes
+ - tests: add test to ensure /dev/input/event* for non-joysticks is
+   denied
+ - interfaces/joystick: support modern evdev joysticks
+ - interfaces: add juju-client-observe
+ - interfaces/hardware-observe: allow access to /etc/sensors* for
+   libsensors
+ - many: holding refresh on metered connections
+ - many: expose AppStream IDs (AKA common ID)
+ - tests: speed up save/restore snapd state for all-snap systems
+   during tests execution
+ - interfaces/apparmor: use helper to load stray profile
+ - tests: ubuntu core abstraction
+ - overlord/snapstate: don't panic in a corner case interaction of
+   cleanup tasks and pruning
+ - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+   snaps
+ - tests: new parameter for the journalctl rate limit
+ - spread-shellcheck: port to python
+ - interfaces/home: add 'read' attribute to allow non-owner read to
+   @{HOME}
+ - testutil: import check.v1 differently to workaround gccgo error
+ - interfaces/many: miscellaneous updates for default, desktop,
+   desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+   keys
+ - snapstate/hooks: reorder autoconnect and reconnect hooks
+ - daemon: update unit tests to match current master
+ - overlord/snapshotstate/backend: introducing the snapshot backend
+ - many: support 'system' nickname in interfaces
+ - userd: add the "snap" scheme to the whitelist
+ - many: make rebooting of core on refresh immediate, refactor logic
+   around it
+ - tests/main/snap-service-timer: account for service timer being in
+   the 'running' state
+ - interfaces/builtin: allow access to libGLESv* too for opengl
+   interface
+ - daemon: fix unit tests on arch
+ - interfaces/default,process-control: miscellaneous signal policy
+   fixes
+ - interfaces/bulitin: add write permission to optical-drive
+ - configstate: validate known core.* options
+ - snap, wrappers: systemd WatchdogSec support
+ - ifacestate: do not auto-connect manually disconnected interfaces
+ - systemd: mock useFuse() so testsuite passes in container via lxd
+   snap
+ - snap/env: fix env duplication logic
+ - snap: some doc comments fixes and additions
+ - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+   vendor files
+ - ifacestate: unify reconnect and autoconnect methods
+ - tests: fix user mounts test for external systems
+ - overlord/snapstate,overlord/auth,store: coalesce no auth user
+   refresh requests
+ - boot,partition: improve tests/docs around SetNextBoot()
+ - many: improve `snap wait` command
+ - snap: fix `snap interface --attrs` output when numbers are used
+ - cmd/snap-update-ns: poke holes when creating source paths for
+   layouts
+ - snapstate: support getting new bases/default-providers on refresh
+ - ifacemgr: remove stale connections on startup
+ - asserts: use Attrer in policy checks
+ - testutil: record system call errors / return values
+ - tests: increase timeouts to make tests reliable on slow boards
+ - repo: pass and return ConnRef via pointers
+ - interfaces: add xdg-document-portal support to desktop interface
+ - debian: add a zenity|kdialog suggests
+ - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+ - tests: go must be installed as a classic snap
+ - tests: use journalctl cursors instead rotating logs
+ - daemon: add confinement-options to /v2/system-info
+   daemon: refactor classic support flag to be more structured
+ - tests: build spread in the autopkgtests with a more recent go
+ - cmd/snap: fix the message when snap.channel != snap.tracking
+ - overlord/snapstate: allow core defaults configuration via 'system'
+   key
+ - many: add "snap debug sandbox-features" and needed bits
+ - interfaces: interface hooks for refresh
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - many: add wait command and `snapd.seeded` service
+ - interfaces: move host font update-ns AppArmor rules to desktop
+   interface
+ - jsonutil/safejson: introducing safejson.String &
+   safejson.Paragraph
+ - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+ - cmd/snap-update-ns,tests: mimic the mode and ownership of
+   directories
+ - cmd/snap-update-ns: add support for ignoring mounts with missing
+   source/target
+ - interfaces: interface hooks implementation
+ - cmd/libsnap: fix compile error on more restrictive gcc
+   cmd/libsnap: fix compilation errors on gcc 8
+ - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+ - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+ - tests: fix interfaces-network test for systems with partial
+   confinement
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+ - configcore: validate experimental.layouts option
+ - interfaces:minor autoconnect cleanup
+ - HACKING: fix typos
+ - spread: add adt for ubuntu 18.10
+ - tests: skip test lp-1721518 for arch, snapd is failing to start
+   after reboot
+ - interfaces/x11: allow X11 slot implementations
+ - tests: checking interfaces declaring the specific interface
+ - snap: improve error for snaps not available in the given context
+ - cmdstate: add missing test for default timeout handling
+ - tests: shellcheck spread tasks
+ - cmd/snap: update install/refresh help vs --revision
+ - cmd/snap-confine: add support for per-user mounts
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - tests: adding google-sru backend replacing linode-sur
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - systemd: replace ancient paths with 16.04+ standards
+ - overlord,systemd: store snap revision in mount units
+ - testutil: add test helper for SysLstat
+ - testutil,cmd: rename test helper of Lstat to OsLstat
+ - testutil: document all fake syscall/os functions
+ - osutil,interfaces,cmd: use less hardcoded strings
+ - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+ - testutil: don't dot-import check.v1
+ - store: getStructFields takes pointers now
+ - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+ - many: fix false negatives reported by vet
+ - osutil,interfaces: use uint32 for uid, gid
+ - many: fix various issues reported by shellcheck
+ - tests: add pending shutdown detection
+ - image: support refreshing soft-expired user macaroons in tooling
+ - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+   daemon tests
+ - interfaces/builtin: add support for software-watchdog interface
+ - spread: auto accept key changes when calling dnf
+ - snap,overlord/snapstate: introduce and use BrokenSnapError
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: bring back one missing test in snap-service-stop-mode
+ - debian: update LP bug for the 2.32.5 SRU
+ - userd: set up journal logging streams for autostarted apps
+ - snap,tests : don't fail if we cannot stat MountFile
+ - tests: smaller fixes for Arch tests
+ - tests: run interfaces-broadcom-asic-control early
+ - client: support for snapshot sets, snapshots, and snapshot actions
+ - tests: skip interfaces-content test on core devices
+ - cmd: generalize locking to global, snap and per-user locks
+ - release-tools: handle the snapd-x.y.z version
+ - packaging: fix incorrectly auto-generated changelog entry for
+   2.32.5
+ - tests: add arch to CI
+ - systemd: add helper for opening stream file descriptors to the
+   journal
+ - cmd/snap: handle distros with no version ID
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - tests: removing linode-sru backend
+ - tests: updating bionic version for spread tests on google
+ - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - overlord/snapstate: allow to get an error from readInfo instead of
+   a broken stub, use it in doMountSnap
+ - snap: snap.AppInfo is now a fmt.Stringer
+ - tests: move fedora 27 to google backend
+ - many: add `core.problem-reports.disabled` option
+ - cmd/snap-update-ns: remove the need for stash directory in secure
+   bind mount implementation
+ - errtracker: check for whoopsie.service instead of reading
+   /etc/whoopsie
+ - cmd/snap: user session application autostart v3
+ - tests: add test to ensure `snap refresh --amend` works with
+   different channels
+ - tests: add check for OOM error after each test
+ - cmd/snap-seccomp: graceful handling of non-multilib host
+ - interfaces/shutdown: allow calling SetWallMessage
+ - cmd/snap-update-ns: add secure bind mount implementation for use
+   with user mounts
+ - snap: fix `snap advise-snap --command` output to match spec
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - overlord/snapstate: introduce envvars to control the channels for
+   based and prereqs
+ - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+ - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+ - daemon,overlord/hookstate: stop/wait for running hooks before
+   closing the snapctl socket
+ - advisor: use json for package database
+ - interfaces/hostname-control: allow setting the hostname via
+   syscall and systemd
+ - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+   libraries
+ - interfaces: misc updates for default, firewall-control, fuse-
+   support and process-control
+ - data/selinux: Give snapd access to more aspects of the system
+ - many: use the new install/refresh API by switching snapstate to
+   use store.SnapAction
+ - errtracker: make TestJournalErrorSilentError work on gccgo
+ - ifacestate: add to the repo also snaps that are pending being
+   activated but have a done setup-profiles
+ - snapstate, ifacestate: inject auto-connect tasks try 2
+ - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+ - errtracker: add more fields to aid debugging
+ - interfaces: make system-key more robust against invalid fstab
+   entries
+ - overlord,interfaces: be more vocal about broken snaps and read
+   errors
+ - ifacestate: injectTasks helper
+ - osutil: fix fstab parser to allow for # in field values
+ - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+ - release-tools: add repack-debian-tarball.sh
+ - daemon,client: add build-id to /v2/system-info
+ - cmd: make fmt (indent 2.2.11)
+ - interfaces/content: add rule so slot can access writable files at
+   plug's mountpoint
+ - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+ - ifacestate: don't surface errors from stale connections
+ - cmd/snap-update-ns: convert Secure* family of functions into
+   methods
+ - tests: adjust canonical-livepatch test on GCE
+ - tests: fix quoting issues in econnreset test
+ - cmd/snap-confine: make /run/media an alias of /media
+ - cmd/snap-update-ns: rename i to segNum
+ - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+ - spread: disable StartLimitInterval option on opensuse-42.3
+ - configstate: give a chance to immediately recompute the next
+   refresh time when schedules are set
+ - cmd/snap-confine: attempt to detect if multiarch host uses
+   arch triplets
+ - store: add Store.SnapAction to support the new install/refresh API
+   endpoint
+ - tests: adding test for removable-media interface
+ - tests: update interface tests to remove extra checks and normalize
+   tests
+ - timeutil: in Human, count days with fingers
+ - vendor: update gopkg.in/yaml.v2 to the latest version
+ - cmd/snap-confine: fix Archlinux compatibility
+ - cmd/snapd: make sure signal handlers are established during early
+   daemon startup
+ - cmd/snap-confine: apparmor: allow creating prefix path for
+   gl/vulkan
+ - osutil: use tilde suffix for temporary files used for atomic
+   replacement
+ - tests: copy or sanity check core users using usernames
+ - tests: disentangle etc vs extrausers in core tests
+ - tests: fix snap-run tests when snapd is not running
+ - overlord/configstate: change how ssh is stopped/started
+ - snap: make `snap run` look at the system-key for security profiles
+ - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+   replacement
+ - tests: adding opensuse-42.3 to google
+ - cmd/snap: fix one issue with noWait error handling logic, add
+   tests plus other cleanups
+ - cmd/snap-confine: nvidia: preserve globbed file prefix
+ - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+   needed
+ - interfaces,release: probe seccomp features lazily
+ - tests: change debug for layout test
+ - advisor: deal with missing commands.db file
+ - interfaces/apparmor: simplify UpdateNS internals
+ - polkit: Pass caller uid to PolicyKit authority
+ - tests: moving debian 9 from linode to google backend
+ - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+ - po: specify charset in po/snappy.pot
+ - interfaces: harden snap-update-ns profile
+ - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+ - tests: update tests to deal with s390x quirks
+ - debian: run snap.mount upgrade fixup *before* debhelper
+ - tests: move xenial i386 to google backend
+ - snapstate: add compat mode for default-provider
+ - tests: a bunch of test fixes for s390x from looking at the
+   autopkgtest logs
+ - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+ - interfaces/builtin: let MM change qmi device attributes
+ - tests: add workaround for s390x failure
+ - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+ - daemon: support 'system' as nickname of the core snap
+ - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+ - devicestate: add DeviceManager.Registered returning a channel
+   closed when the device is known to be registered
+ - store: Sections and WriteCatalogs need to strictly send device
+   auth only if the device has a custom store
+ - tests: add bionic system to google backend
+ - many: fix shellcheck warnings in bionic
+ - cmd/snap-update-ns: don't fail on existing symlinks
+ - tests: make autopkgtest tests more targeted
+ - cmd/snap-update-ns: fix creation of layout symlinks
+ - spread,tests: move suite-level prepare/restore to central script
+ - many: propagate contexts enough to be able to mark store
+   operations done from the Ensure loop
+ - snap: don't create empty Change with "Hold" state on disconnect
+ - snap: unify snap name validation w/python; enforce length limit.
+ - cmd/snap: use shlex when parsing `snap run --strace` arguments
+ - osutil,testutil: add symlinkat(2) and readlinkat(2)
+ - tests: autopkgtest may have non edge core too
+ - tests: adding checks before stopping snapd service to avoid job
+   canceled on ubuntu 14.04
+ - errtracker: respect the /etc/whoopsie configuration
+ - overlord/snapstate:  hold refreshes for 2h after seeding on
+   classic
+ - cmd/snap: tweak and polish help strings
+ - snapstate: put layout feature behind feature flag
+ - tests: force profile re-generation via system-key
+ - snap/squashfs: when installing from seed, try symlink before cp
+ - wrappers: services which are socket or timer activated should not
+   be started during boot
+ - many: go vet cleanups
+ - tests: define MATCH from spread
+ - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+   fix
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - cmd/snap: in changes and tasks, default to human-friendly times
+ - many: support holding refreshes by setting refresh.hold
+ - Revert "cmd/snap: use timeutil.Human to show times in `snap
+   refresh -…-time`"
+ - cmd/snap: use timeutil.Human to show times in `snap refresh
+   --time`
+ - tests/main/snap-service-refresh-mode: refactor the test to rely on
+   comparing PIDs
+ - tests/main/media-sharing: improve the test to cover /media and
+   /run/media
+ - store: enable deltas for core devices too
+ - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+ - strutil/shlex: import github.com/google/shlex into the tree
+ - vendor: update github.com/mvo5/libseccomp-golang
+ - overlord/snapstate: block install of "system"
+ - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+ - many: add the snapd-generator
+ - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+ - polkit: ensure error is properly set if dialog is dismissed
+ - snap-confine, snap-seccomp: utilize new seccomp logging features
+ - progress: tweak ansimeter cvvis use to no longer confuse minicom
+ - xdgopenproxy: integrate xdg-open implementation into snapctl
+ - tests: avoid removing preinstalled snaps on core
+ - tests: chroot into core to run xdg-open there
+ - userd: add an OpenFile method for launching local files with xdg-
+   open
+ - tests: moving ubuntu core from linode to google backend
+ - run-checks: remove accidental bashism
+ - i18n: simplify NG usage by doing the modulo math in-package.
+ - snap/squashfs: set timezone when calling unsquashfs to get the
+   build date
+ - timeutil: timeutil.Human(t) gives a human-friendly string for t
+ - snap: add autostart app property
+ - tests: add support for external backend executions on listing test
+ - tests: make interface-broadcom-asic-control test work on rpi
+ - configstate: when disable "ssh" we must disable the "sshd" service
+ - interfaces/apparmor,system-key: add upperdir snippets for strict
+   snaps on livecd
+ - snap/squashfs: add BuildDate
+ - store: parse the JSON format used by the coming new store API to
+   convey snap information
+ - many: remove snapd.refresh.{timer,service}
+ - tests: adding ubuntu-14.04-64 to the google backend
+ - interfaces: add xdg-desktop-portal support to desktop interface
+ - packaging/arch: sync with snapd/snapd-git from AUR
+ - wrappers, tests/main/snap-service-timer: restore missing commit,
+   add spread test for timer services
+ - store: don't ask for snap_yaml_raw except on the details endpoint
+ - many: generate and use per-snap snap-update-ns profile
+ - tests: add debug for layout test
+ - wrappers: detect whether systemd-analyze can be used in unit tests
+ - osutil: allow creating strings out of MountInfoEntry
+ - servicestate: use systemctl enable+start and disable+stop instead
+   of --now flag
+ - osutil: handle file being matched by multiple patterns
+ - daemon, snap: fix InstallDate, make a method of *snap.Info
+ - wrappers: timer services
+ - wrappers: generator for systemd OnCalendar schedules
+ - asserts: fix flaky storeSuite.TestCheckAuthority
+ - tests: fix dependency for ubuntu artful
+ - spread: start moving towards google backend
+ - tests: add a spread test for layouts
+ - ifacestate: be consistent passing Retry.After as named field
+ - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+ - testutil: allow mocking syscall.Fstat
+ - overlord/snapstate: verify that default schedule is randomized and
+   is  not a single time
+ - many: simplify mocking of home-on-NFS
+ - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+ - store: move infoFromRemote into details.go close to snapDetails
+ - userd/tests: Test kdialog calls and mock kdialog too to make tests
+   work in KDE
+ - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+ - cmd/snap: add self-strace to `snap run`
+ - interfaces/screen-inhibit-control,network-status: fix dbus path
+   and interface typos
+ - update-pot: Force xgettext() to return true
+ - store: cleanup test naming, dropping remoteRepo  and
+   UbuntuStore(Repository)? references
+ - store: reorg auth refresh
+
+* Wed May 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.9
+ - tests: run all spread tests inside GCE
+ - tests: build spread in the autopkgtests with a more recent go
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.8
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+* Fri May 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.7
+ - many: add wait command and seeded target (2
+ - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+ - boot: clear "snap_mode" when needed
+ - cmd/libsnap: fix compile error on more restrictive gcc
+ - tests: cherry-pick commits to move spread to google backend
+ - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+ - userd: set up journal logging streams for autostarted apps
+
+* Sun Apr 29 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.6
+ - snap: do not use overly short timeout in `snap
+   {start,stop,restart}`
+ - interfaces/apparmor: fix incorrect apparmor profile glob
+ - tests: detect kernel oops during tests and abort tests in this
+   case
+ - tests: run interfaces-boradcom-asic-control early
+ - tests: skip interfaces-content test on core devices
+
+* Mon Apr 16 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.5
+ - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+   conflating that with refresh-mode
+ - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+   not mounted in doMountSnap
+ - daemon: support 'system' as nickname of the core snap
+
+* Thu Apr 12 2018 Neal Gompa <ngompa13@gmail.com> - 2.32.4-1
+- Release 2.32.4 to Fedora (RH#1553734)
+
+* Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
+- New upstream release 2.32.4
+ - cmd/snap: user session application autostart
+ - overlord/snapstate: introduce envvars to control the channels for
+   bases and prereqs
+ - overlord/snapstate: on multi-snap refresh make sure bases and core
+   are finished before dependent snaps
+ - many: use the new install/refresh /v2/snaps/refresh store API
+
 * Wed Apr 11 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.32.3.2
  - errtracker: make TestJournalErrorSilentError work on
@@ -1021,6 +2918,14 @@
  - systemd, wrappers: start all snap services in one systemctl
    call
  - tests: disable interfaces-location-control on s390x
+
+* Mon Mar 05 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-2
+- Fix dependencies for devel subpackage
+
+* Sun Mar 04 2018 Neal Gompa <ngompa13@gmail.com> - 2.31.1-1
+- Release 2.31.1 to Fedora (RH#1542483)
+- Drop all backported patches as they're part of this release
+
 * Tue Feb 20 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31.1
  - tests: multiple autopkgtest related fixes for 18.04
@@ -1040,6 +2945,9 @@
    ubuntu
  - daemon: improve ucrednet code for the snap.socket
 
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
 * Tue Feb 06 2018 Michael Vogt <mvo@ubuntu.com>
 - New upstream release 2.31
  - cmd/snap-confine: allow snap-update-ns to chown things
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse/permissions snapd-2.37~rc1~14.04/packaging/opensuse/permissions
--- snapd-2.32.3.2~14.04/packaging/opensuse/permissions	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse/permissions	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse/permissions.easy snapd-2.37~rc1~14.04/packaging/opensuse/permissions.easy
--- snapd-2.32.3.2~14.04/packaging/opensuse/permissions.easy	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse/permissions.easy	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse/permissions.paranoid snapd-2.37~rc1~14.04/packaging/opensuse/permissions.paranoid
--- snapd-2.32.3.2~14.04/packaging/opensuse/permissions.paranoid	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse/permissions.paranoid	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse/permissions.secure snapd-2.37~rc1~14.04/packaging/opensuse/permissions.secure
--- snapd-2.32.3.2~14.04/packaging/opensuse/permissions.secure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse/permissions.secure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse/snapd.changes snapd-2.37~rc1~14.04/packaging/opensuse/snapd.changes
--- snapd-2.32.3.2~14.04/packaging/opensuse/snapd.changes	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse/snapd.changes	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,330 @@
+-------------------------------------------------------------------
+Wed Jan 16 08:36:51 UTC 2019 - mvo@fastmail.fm
+
+- Update to upstream release 2.37
+
+-------------------------------------------------------------------
+Fri Dec 14 07:30:58 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.3
+
+-------------------------------------------------------------------
+Thu Nov 29 10:48:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.2
+
+-------------------------------------------------------------------
+Fri Nov 09 14:42:28 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.1
+
+-------------------------------------------------------------------
+Wed Oct 24 17:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36
+
+-------------------------------------------------------------------
+Mon Oct 15 22:23:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.5
+
+-------------------------------------------------------------------
+Fri Oct 05 14:42:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.4
+
+-------------------------------------------------------------------
+Fri Oct 05 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.3
+
+-------------------------------------------------------------------
+Wed Sep 12 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.2
+
+-------------------------------------------------------------------
+Mon Sep 03 14:44:06 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.1
+
+-------------------------------------------------------------------
+Mon Aug 20 12:36:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35
+
+-------------------------------------------------------------------
+Fri Jul 27 19:08:44 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.3
+
+-------------------------------------------------------------------
+Thu Jul 19 12:05:50 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.2
+
+-------------------------------------------------------------------
+Wed Jul 17 19:46:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.1
+
+-------------------------------------------------------------------
+Fri Jul 06 16:08:17 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34
+
+-------------------------------------------------------------------
+Fri Jun 22 15:58:54 UTC 2018 - me@zygoon.pl
+
+- Fixed changelog chronology
+
+-------------------------------------------------------------------
+Fri Jun 22 14:25:35 UTC 2018 - me@zygoon.pl
+
+- Sync with snapd upstream packaging
+- Backport support for apparmor on tumbleweed
+- Install polkit files
+- Load snap-confine apparmor profile in post, if apparmor is enabled
+- Adjust badness of polkit-untracked-privlege
+-------------------------------------------------------------------
+Thu Jun 21 17:37:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33.1
+
+-------------------------------------------------------------------
+Fri Jun 08 17:13:47 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33
+
+-------------------------------------------------------------------
+Mon May 28 08:06:53 UTC 2018 - ngompa13@gmail.com
+
+- Refactor to support openSUSE Tumbleweed and Leap 42.3 and 15.0
+- Enable AppArmor support for openSUSE Tumbleweed (post Leap 15.0)
+- Enable support for handling the proprietary nvidia driver
+- Drop ancient spec stuff that was being ignored by RPM anyway
+- Drop spurious find command that didn't do anything...
+
+-------------------------------------------------------------------
+Wed May 16 10:20:08 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.9
+
+-------------------------------------------------------------------
+Fri May 11 14:36:16 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.8
+
+-------------------------------------------------------------------
+Fri May 11 13:09:32 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.7
+
+-------------------------------------------------------------------
+Sun Apr 29 19:21:53 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.6
+
+-------------------------------------------------------------------
+Mon Apr 16 16:41:48 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.5
+
+-------------------------------------------------------------------
+Wed Apr 11 16:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.4
+
+-------------------------------------------------------------------
+Wed Apr 11 12:40:09 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.2
+
+-------------------------------------------------------------------
+Wed Apr 11 10:34:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.1
+
+-------------------------------------------------------------------
+Thu Apr 05 22:35:35 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3
+
+-------------------------------------------------------------------
+Sat Mar 31 21:09:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.2
+
+-------------------------------------------------------------------
+Mon Mar 26 21:03:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.1
+
+-------------------------------------------------------------------
+Sat Mar 24 08:50:11 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32
+
+-------------------------------------------------------------------
+Tue Feb 20 17:32:42 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31.1
+
+-------------------------------------------------------------------
+Tue Feb 06 09:46:22 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31
+
+-------------------------------------------------------------------
+Sat Nov 18 15:31:24 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.30
+
+-------------------------------------------------------------------
+Fri Nov 17 22:56:09 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.4
+
+-------------------------------------------------------------------
+Thu Nov 09 19:16:29 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.3
+
+-------------------------------------------------------------------
+Fri Nov 03 17:26:14 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.2
+
+-------------------------------------------------------------------
+Fri Nov 03 07:27:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.1
+
+-------------------------------------------------------------------
+Mon Oct 30 16:24:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29
+
+-------------------------------------------------------------------
+Wed Oct 11 19:46:37 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.4
+
+-------------------------------------------------------------------
+Wed Oct 11 08:23:47 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.3
+
+-------------------------------------------------------------------
+Tue Oct 10 18:42:45 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.2
+
+-------------------------------------------------------------------
+Wed Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.1
+
+-------------------------------------------------------------------
+Mon Sep 25 16:09:15 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28
+
+-------------------------------------------------------------------
+Thu Sep 07 10:32:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.6
+
+-------------------------------------------------------------------
+Wed Aug 30 07:45:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.5
+
+-------------------------------------------------------------------
+Thu Aug 24 09:08:32 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.4
+
+-------------------------------------------------------------------
+Fri Aug 18 15:51:22 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.3
+
+-------------------------------------------------------------------
+Wed Aug 16 12:16:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.2
+
+-------------------------------------------------------------------
+Mon Aug 14 08:07:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.1
+
+-------------------------------------------------------------------
+Thu Aug 10 11:25:11 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27
+
+-------------------------------------------------------------------
+Fri May 19 14:35:29 UTC 2017 - morphis@gravedo.de
+
+- Add bind() syscall to default seccomp policy to allow execution
+  of snap hooks.
+- Do not share /etc/ssl with the host but use the one from the core
+  snap.
+
+-------------------------------------------------------------------
+Wed May 10 12:24:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.25
+
+-------------------------------------------------------------------
+Thu Apr 13 14:06:13 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.24
+
+-------------------------------------------------------------------
+Thu Mar 30 14:14:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.6
+
+-------------------------------------------------------------------
+Thu Mar 23 08:53:37 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.5
+- Disable seccomp support to work around bugs in snap-confine
+  (see https://bugs.launchpad.net/snappy/+bug/1674193 for details)
+
+-------------------------------------------------------------------
+Wed Mar 08 16:09:03 UTC 2017 - me@zygoon.pl
+
+- Fix log-out prompt to be displayed only when really necessary.
+- Fix installation of /usr/lib/snapd/info (version information)
+- Install bash completion for "snap"
+
+-------------------------------------------------------------------
+Wed Mar 08 15:53:06 UTC 2017 - me@zygoon.pl
+
+- New upstream release.
+  More details are available at https://github.com/snapcore/snapd/releases/tag/2.23.1
+
+-------------------------------------------------------------------
+Tue Mar 07 23:00:34 UTC 2017 - me@zygoon.pl
+
+- Add PATH integration and post-install message asking the user to logout to
+  see PATH changes.
+
+-------------------------------------------------------------------
+Tue Mar 07 00:45:12 UTC 2017 - me@zygoon.pl
+
+- (hacky) Disable shellcheck as it is missing on Leap 42.1
+
+-------------------------------------------------------------------
+Tue Mar 07 00:43:58 UTC 2017 - me@zygoon.pl
+
+- (hacky) fix the 32bit build
+
+-------------------------------------------------------------------
+Mon Mar 06 18:08:04 UTC 2017 - me@zygoon.pl
+
+- Initial package based on fully vendorized source tarball
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse/snapd-rpmlintrc snapd-2.37~rc1~14.04/packaging/opensuse/snapd-rpmlintrc
--- snapd-2.32.3.2~14.04/packaging/opensuse/snapd-rpmlintrc	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse/snapd-rpmlintrc	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+setBadness('permissions-unauthorized-file', 22)
+setBadness('polkit-untracked-privilege', 11)
+setBadness('non-position-independent-executable', 33)
+setBadness('polkit-untracked-privilege', 44)
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse/snapd.spec snapd-2.37~rc1~14.04/packaging/opensuse/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/opensuse/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,433 @@
+# spec file for package snapd
+#
+# Copyright (c) 2017 Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+# Copyright (c) 2018 Neal Gompa <ngompa13@gmail.com>
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+
+%bcond_with testkeys
+
+# Enable AppArmor on openSUSE Tumbleweed (post 15.0) or higher
+# N.B.: Prior to openSUSE Tumbleweed in May 2018, the AppArmor userspace in SUSE
+# did not support what we needed to be able to turn on basic integration.
+%if 0%{?suse_version} >= 1550
+%bcond_without apparmor
+%else
+%bcond_with apparmor
+%endif
+
+# Compat macros
+%{!?make_build: %global make_build %{__make} %{?_smp_mflags}}
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+
+# Define the variable for systemd generators, if missing.
+%{?!_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+
+# This is fixed in SUSE Linux 15
+# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
+%if 0%{?suse_version} < 1500
+%global _sharedstatedir %{_localstatedir}/lib
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+# Additional entry of $GOPATH during the build process.
+# This is designed to be a sub-directory of {_builddir}/{name}-{version}
+# because that directory is automatically cleaned-up by the build process.
+%global         indigo_gopath   %{_builddir}/%{name}-%{version}/gopath
+
+# Directory where "name-version" directory from upstream taball is unpacked to.
+# This directory is arranged so that it is already contained inside the future
+# GOPATH so that nothing needs to be moved or copied for "go build" to work.
+%global         indigo_srcdir   %{indigo_gopath}/src/%{import_path}
+
+%global with_test_keys  0
+
+%if %{with testkeys}
+%global with_test_keys 1
+%else
+%global with_test_keys 0
+%endif
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%global systemd_services_list snapd.socket snapd.service snapd.seeded.service %{?with_apparmor:snapd.apparmor.service}
+
+%global snap_mount_dir /snap
+
+Name:           snapd
+Version:        2.37
+Release:        0
+Summary:        Tools enabling systems to work with .snap files
+License:        GPL-3.0
+Group:          System/Packages
+Url:            https://%{import_path}
+Source0:        https://github.com/snapcore/snapd/releases/download/%{version}/%{name}_%{version}.vendor.tar.xz
+Source1:        snapd-rpmlintrc
+%if (0%{?sle_version} >= 120200 || 0%{?suse_version} >= 1500) && 0%{?is_opensuse}
+BuildRequires:  ShellCheck
+%endif
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  glib2-devel
+BuildRequires:  glibc-devel-static
+BuildRequires:  go
+BuildRequires:  gpg2
+BuildRequires:  indent
+BuildRequires:  libapparmor-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtool
+BuildRequires:  libudev-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  make
+BuildRequires:  openssh
+BuildRequires:  pkg-config
+BuildRequires:  python-docutils
+BuildRequires:  python3-docutils
+BuildRequires:  squashfs
+# Due to: rpm -q --whatprovides /usr/share/pkgconfig/systemd.pc
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  timezone
+BuildRequires:  udev
+BuildRequires:  xfsprogs-devel
+BuildRequires:  xz
+%ifarch x86_64
+# This is needed for seccomp tests
+BuildRequires:  glibc-devel-32bit
+BuildRequires:  glibc-devel-static-32bit
+BuildRequires:  gcc-32bit
+%endif
+
+%if %{with apparmor}
+BuildRequires:  apparmor-rpm-macros
+%endif
+
+PreReq:         permissions
+
+Requires(post): permissions
+Requires:       apparmor-parser
+Requires:       apparmor-profiles
+Requires:       gpg2
+Requires:       openssh
+Requires:       squashfs
+
+# Old versions of xdg-document-portal can expose data belonging to
+# other confied apps.  Older OpenSUSE releases are unlikely to change,
+# so for now limit this to Tumbleweed.
+%if 0%{?suse_version} >= 1550
+Conflicts:      xdg-desktop-portal < 0.11
+%endif
+
+%{?systemd_requires}
+
+%description
+This package contains that snapd daemon and the snap command line tool.
+Together they can be used to install, refresh (update), remove and configure
+snap packages on a system. Snap packages are a novel format based on simple
+principles. Bundle your dependencies, run in a predictable environment, use
+modern kernel features for setting up the execution environment and security.
+The same binary snap package can be installed and used on many diverse systems
+such as Debian, Fedora and OpenSUSE as well as their multiple derivatives.
+
+This package contains the official build, endorsed by snapd developers. It is
+updated as soon as new upstream releases are made and is designed to live in
+the system:snappy repository.
+
+%prep
+# NOTE: Instead of using setup -q we are unpacking a subdirectory of the source
+# tarball into a directory that is automatically on the future GOPATH. This
+# means that while go doesn't care at all the current working directory is not
+# the top-level directory of the source tarball which some people may find
+# unusual.
+
+# Create indigo compatible build layout.
+mkdir -p %{indigo_srcdir}
+tar -axf %{_sourcedir}/%{name}_%{version}.vendor.tar.xz --strip-components=1 -C %{indigo_srcdir}
+
+# Patch the source in the place it got extracted to.
+pushd %{indigo_srcdir}
+# Add patch0 -p1 ... as appropriate here.
+popd
+
+# Set the version that is compiled into the various executables/
+pushd %{indigo_srcdir}
+./mkversion.sh %{version}-%{release}
+popd
+
+# Sanity check, ensure that systemd system generator directory is in agreement between the build system and packaging.
+if [ "$(pkg-config --variable=systemdsystemgeneratordir systemd)" != "%{_systemdgeneratordir}" ]; then
+  echo "pkg-confing and rpm macros disagree about the location of systemd system generator directory"
+  exit 1
+fi
+
+# Enable hardening; Also see https://bugzilla.redhat.com/show_bug.cgi?id=1343892
+CFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+CXXFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+LDFLAGS=""
+
+# On openSUSE Leap 15 or more recent build position independent executables.
+# For a helpful guide about the versions and macros used below, please see:
+# https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
+%if 0%{?suse_version} >= 1500
+CFLAGS="$CFLAGS -fPIE"
+CXXFLAGS="$CXXFLAGS -fPIE"
+LDFLAGS="$LDFLAGS -pie"
+%endif
+
+export CFLAGS
+export CXXFLAGS
+export LDFLAGS
+
+# Generate autotools build system files.
+pushd %{indigo_srcdir}/cmd
+autoreconf -i -f
+%configure \
+    %{!?with_apparmor:--disable-apparmor} \
+    --libexecdir=%{_libexecdir}/snapd \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{snap_mount_dir} \
+    --enable-merged-usr
+popd
+
+%build
+# Build golang executables, with the following exceptions everything is built the same way:
+# - snap-exec and snap-update-ns is built statically.
+# - snapd has a variant that uses test keys instead of production keys.
+#
+# NOTE: indigo_gopath takes priority over GOPATH. This ensures that we
+# build the code that we intended in case GOPATH points to another copy.
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapctl
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap-seccomp
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-update-ns
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-exec
+%if 0%{?with_test_keys}
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie -tags withtestkeys %{import_path}/cmd/snapd
+%else
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapd
+%endif
+
+# Build C executables
+%make_build -C %{indigo_srcdir}/cmd
+
+%check
+# Run tests with fixed locale that is expected by unicode/color code.
+LC_ALL=C.UTF-8 GOPATH=%{indigo_gopath}:$GOPATH go test %{import_path}/...
+%make_build -C %{indigo_srcdir}/cmd check
+
+%install
+# Install all systemd and dbus units, and env files.
+%make_install -C %{indigo_srcdir}/data \
+		BINDIR=%{_bindir} \
+		LIBEXECDIR=%{_libexecdir} \
+		SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
+		SNAP_MOUNT_DIR=%{snap_mount_dir}
+# Install all the C executables.
+%make_install -C %{indigo_srcdir}/cmd
+# Install all the Go executables.
+install -d -m 755 %{buildroot}%{_bindir}
+install -m 755 snap %{buildroot}%{_bindir}
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -m 755 snapctl %{buildroot}%{_libexecdir}/snapd
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+install -d -m 755 %{buildroot}%{_libexecdir}/snapd
+install -m 755 snapd %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-exec %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-update-ns %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-seccomp %{buildroot}%{_libexecdir}/snapd/
+# Generate and install man page for snap command
+install -d -m 755 %{buildroot}%{_mandir}/man8
+./snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+# Undo special permissions of the void directory
+chmod 755 %{buildroot}%{_sharedstatedir}/snapd/void
+# Remove traces of ubuntu-core-launcher. It is a phased-out executable that is
+# still partially present in the tree but should be removed in the subsequent
+# release.
+rm -f %{buildroot}%{_bindir}/ubuntu-core-launcher
+# NOTE: we don't want to ship system-shutdown helper, it is just a helper on
+# ubuntu-core systems that exclusively use snaps. It is used during the
+# shutdown process and thus can be left out of the distribution package.
+rm -f %{buildroot}%{_libexecdir}/snapd/system-shutdown
+# Install the directories that snapd creates by itself so that they can be a part of the package
+install -d %{buildroot}%{_sharedstatedir}/snapd/{assertions,cookie,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
+
+install -d %{buildroot}%{_sharedstatedir}/snapd/{lib/gl,lib/gl32,lib/vulkan}
+install -d %{buildroot}%{_localstatedir}/cache/snapd
+install -d %{buildroot}%{_datadir}/polkit-1/actions
+install -d %{buildroot}%{snap_mount_dir}/bin
+# Install local permissions policy for snap-confine. This should be removed
+# once snap-confine is added to the permissions package. This is done following
+# the recommendations on
+# https://en.opensuse.org/openSUSE:Package_security_guidelines
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid
+# Remove unwanted systemd units
+for s in snapd.autoimport.service snapd.system-shutdown.service snapd.snap-repair.timer snapd.snap-repair.service snapd.core-fixup.service; do
+    rm -f %{buildroot}%{_unitdir}/$s
+done
+# Remove snappy core specific scripts
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Install Polkit configuration
+install -m 644 -D %{indigo_srcdir}/data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# See https://en.opensuse.org/openSUSE:Packaging_checks#suse-missing-rclink for details
+install -d %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.apparmor
+%endif
+# Install the "info" data file with snapd version
+install -m 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info
+# Install bash completion for "snap"
+install -m 644 -D %{indigo_srcdir}/data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D %{indigo_srcdir}/data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D %{indigo_srcdir}/data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Don't ship apparmor helper service when AppArmor is not enabled
+%if ! %{with apparmor}
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+%endif
+
+%verifyscript
+%verify_permissions -e %{_libexecdir}/snapd/snap-confine
+
+%pre
+%service_add_pre %{systemd_services_list}
+
+%post
+%set_permissions %{_libexecdir}/snapd/snap-confine
+%if %{with apparmor}
+%apparmor_reload /etc/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%service_add_post %{systemd_services_list}
+case ":$PATH:" in
+    *:/snap/bin:*)
+        ;;
+    *)
+        echo "Please reboot, logout/login or source /etc/profile to have /snap/bin added to PATH."
+        echo "On a Tumbleweed system you need to run: systemctl enable snapd.apparmor.service"
+        ;;
+esac
+
+%preun
+%service_del_preun %{systemd_services_list}
+if [ $1 -eq 0 ]; then
+    %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+%postun
+%service_del_postun %{systemd_services_list}
+
+%files
+%if %{with apparmor}
+%config %{_sysconfdir}/apparmor.d
+%endif
+%config %{_sysconfdir}/permissions.d/snapd
+%config %{_sysconfdir}/permissions.d/snapd.paranoid
+%config %{_sysconfdir}/profile.d/snapd.sh
+%dir %attr(0000,root,root) %{_sharedstatedir}/snapd/void
+%dir %{snap_mount_dir}
+%dir %{snap_mount_dir}/bin
+%dir %{_libexecdir}/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/apparmor
+%dir %{_sharedstatedir}/snapd/apparmor/profiles
+%dir %{_sharedstatedir}/snapd/apparmor/snap-confine
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_localstatedir}/cache/snapd
+%dir %{_environmentdir}
+%dir %{_systemd_system_env_generator_dir}
+%dir %{_systemdgeneratordir}
+%dir %{_datadir}/dbus-1
+%dir %{_datadir}/dbus-1/services
+%dir %{_datadir}/polkit-1
+%dir %{_datadir}/polkit-1/actions
+%verify(not user group mode) %attr(06755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.seeded.service
+%{_unitdir}/snapd.failure.service
+%if %{with apparmor}
+%{_unitdir}/snapd.apparmor.service
+%endif
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_sbindir}/rcsnapd
+%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+%{_sbindir}/rcsnapd.apparmor
+%endif
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snapctl
+%if %{with apparmor}
+%{_libexecdir}/snapd/snapd-apparmor
+%endif
+%{_libexecdir}/snapd/snap-mgmt
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-device-helper
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_systemdgeneratordir}/snapd-generator
+%{_mandir}/man8/snap.8*
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_libexecdir}/snapd/snapd.run-from-snap
+%if %{with apparmor}
+%{_sysconfdir}/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%{_environmentdir}/990-snapd.conf
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+
+%changelog
+
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions
--- snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions.easy snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions.easy
--- snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions.easy	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions.easy	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions.paranoid snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions.paranoid
--- snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions.paranoid	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions.paranoid	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions.secure snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions.secure
--- snapd-2.32.3.2~14.04/packaging/opensuse-15.0/permissions.secure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-15.0/permissions.secure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-15.0/snapd.changes snapd-2.37~rc1~14.04/packaging/opensuse-15.0/snapd.changes
--- snapd-2.32.3.2~14.04/packaging/opensuse-15.0/snapd.changes	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-15.0/snapd.changes	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,330 @@
+-------------------------------------------------------------------
+Wed Jan 16 08:36:51 UTC 2019 - mvo@fastmail.fm
+
+- Update to upstream release 2.37
+
+-------------------------------------------------------------------
+Fri Dec 14 07:30:58 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.3
+
+-------------------------------------------------------------------
+Thu Nov 29 10:48:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.2
+
+-------------------------------------------------------------------
+Fri Nov 09 14:42:28 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.1
+
+-------------------------------------------------------------------
+Wed Oct 24 17:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36
+
+-------------------------------------------------------------------
+Mon Oct 15 22:23:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.5
+
+-------------------------------------------------------------------
+Fri Oct 05 14:42:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.4
+
+-------------------------------------------------------------------
+Fri Oct 05 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.3
+
+-------------------------------------------------------------------
+Wed Sep 12 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.2
+
+-------------------------------------------------------------------
+Mon Sep 03 14:44:06 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.1
+
+-------------------------------------------------------------------
+Mon Aug 20 12:36:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35
+
+-------------------------------------------------------------------
+Fri Jul 27 19:08:44 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.3
+
+-------------------------------------------------------------------
+Thu Jul 19 12:05:50 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.2
+
+-------------------------------------------------------------------
+Wed Jul 17 19:46:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.1
+
+-------------------------------------------------------------------
+Fri Jul 06 16:08:17 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34
+
+-------------------------------------------------------------------
+Fri Jun 22 15:58:54 UTC 2018 - me@zygoon.pl
+
+- Fixed changelog chronology
+
+-------------------------------------------------------------------
+Fri Jun 22 14:25:35 UTC 2018 - me@zygoon.pl
+
+- Sync with snapd upstream packaging
+- Backport support for apparmor on tumbleweed
+- Install polkit files
+- Load snap-confine apparmor profile in post, if apparmor is enabled
+- Adjust badness of polkit-untracked-privlege
+-------------------------------------------------------------------
+Thu Jun 21 17:37:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33.1
+
+-------------------------------------------------------------------
+Fri Jun 08 17:13:47 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33
+
+-------------------------------------------------------------------
+Mon May 28 08:06:53 UTC 2018 - ngompa13@gmail.com
+
+- Refactor to support openSUSE Tumbleweed and Leap 42.3 and 15.0
+- Enable AppArmor support for openSUSE Tumbleweed (post Leap 15.0)
+- Enable support for handling the proprietary nvidia driver
+- Drop ancient spec stuff that was being ignored by RPM anyway
+- Drop spurious find command that didn't do anything...
+
+-------------------------------------------------------------------
+Wed May 16 10:20:08 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.9
+
+-------------------------------------------------------------------
+Fri May 11 14:36:16 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.8
+
+-------------------------------------------------------------------
+Fri May 11 13:09:32 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.7
+
+-------------------------------------------------------------------
+Sun Apr 29 19:21:53 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.6
+
+-------------------------------------------------------------------
+Mon Apr 16 16:41:48 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.5
+
+-------------------------------------------------------------------
+Wed Apr 11 16:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.4
+
+-------------------------------------------------------------------
+Wed Apr 11 12:40:09 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.2
+
+-------------------------------------------------------------------
+Wed Apr 11 10:34:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.1
+
+-------------------------------------------------------------------
+Thu Apr 05 22:35:35 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3
+
+-------------------------------------------------------------------
+Sat Mar 31 21:09:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.2
+
+-------------------------------------------------------------------
+Mon Mar 26 21:03:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.1
+
+-------------------------------------------------------------------
+Sat Mar 24 08:50:11 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32
+
+-------------------------------------------------------------------
+Tue Feb 20 17:32:42 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31.1
+
+-------------------------------------------------------------------
+Tue Feb 06 09:46:22 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31
+
+-------------------------------------------------------------------
+Sat Nov 18 15:31:24 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.30
+
+-------------------------------------------------------------------
+Fri Nov 17 22:56:09 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.4
+
+-------------------------------------------------------------------
+Thu Nov 09 19:16:29 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.3
+
+-------------------------------------------------------------------
+Fri Nov 03 17:26:14 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.2
+
+-------------------------------------------------------------------
+Fri Nov 03 07:27:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.1
+
+-------------------------------------------------------------------
+Mon Oct 30 16:24:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29
+
+-------------------------------------------------------------------
+Wed Oct 11 19:46:37 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.4
+
+-------------------------------------------------------------------
+Wed Oct 11 08:23:47 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.3
+
+-------------------------------------------------------------------
+Tue Oct 10 18:42:45 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.2
+
+-------------------------------------------------------------------
+Wed Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.1
+
+-------------------------------------------------------------------
+Mon Sep 25 16:09:15 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28
+
+-------------------------------------------------------------------
+Thu Sep 07 10:32:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.6
+
+-------------------------------------------------------------------
+Wed Aug 30 07:45:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.5
+
+-------------------------------------------------------------------
+Thu Aug 24 09:08:32 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.4
+
+-------------------------------------------------------------------
+Fri Aug 18 15:51:22 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.3
+
+-------------------------------------------------------------------
+Wed Aug 16 12:16:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.2
+
+-------------------------------------------------------------------
+Mon Aug 14 08:07:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.1
+
+-------------------------------------------------------------------
+Thu Aug 10 11:25:11 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27
+
+-------------------------------------------------------------------
+Fri May 19 14:35:29 UTC 2017 - morphis@gravedo.de
+
+- Add bind() syscall to default seccomp policy to allow execution
+  of snap hooks.
+- Do not share /etc/ssl with the host but use the one from the core
+  snap.
+
+-------------------------------------------------------------------
+Wed May 10 12:24:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.25
+
+-------------------------------------------------------------------
+Thu Apr 13 14:06:13 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.24
+
+-------------------------------------------------------------------
+Thu Mar 30 14:14:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.6
+
+-------------------------------------------------------------------
+Thu Mar 23 08:53:37 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.5
+- Disable seccomp support to work around bugs in snap-confine
+  (see https://bugs.launchpad.net/snappy/+bug/1674193 for details)
+
+-------------------------------------------------------------------
+Wed Mar 08 16:09:03 UTC 2017 - me@zygoon.pl
+
+- Fix log-out prompt to be displayed only when really necessary.
+- Fix installation of /usr/lib/snapd/info (version information)
+- Install bash completion for "snap"
+
+-------------------------------------------------------------------
+Wed Mar 08 15:53:06 UTC 2017 - me@zygoon.pl
+
+- New upstream release.
+  More details are available at https://github.com/snapcore/snapd/releases/tag/2.23.1
+
+-------------------------------------------------------------------
+Tue Mar 07 23:00:34 UTC 2017 - me@zygoon.pl
+
+- Add PATH integration and post-install message asking the user to logout to
+  see PATH changes.
+
+-------------------------------------------------------------------
+Tue Mar 07 00:45:12 UTC 2017 - me@zygoon.pl
+
+- (hacky) Disable shellcheck as it is missing on Leap 42.1
+
+-------------------------------------------------------------------
+Tue Mar 07 00:43:58 UTC 2017 - me@zygoon.pl
+
+- (hacky) fix the 32bit build
+
+-------------------------------------------------------------------
+Mon Mar 06 18:08:04 UTC 2017 - me@zygoon.pl
+
+- Initial package based on fully vendorized source tarball
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-15.0/snapd-rpmlintrc snapd-2.37~rc1~14.04/packaging/opensuse-15.0/snapd-rpmlintrc
--- snapd-2.32.3.2~14.04/packaging/opensuse-15.0/snapd-rpmlintrc	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-15.0/snapd-rpmlintrc	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+setBadness('permissions-unauthorized-file', 22)
+setBadness('polkit-untracked-privilege', 11)
+setBadness('non-position-independent-executable', 33)
+setBadness('polkit-untracked-privilege', 44)
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-15.0/snapd.spec snapd-2.37~rc1~14.04/packaging/opensuse-15.0/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/opensuse-15.0/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-15.0/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,433 @@
+# spec file for package snapd
+#
+# Copyright (c) 2017 Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+# Copyright (c) 2018 Neal Gompa <ngompa13@gmail.com>
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+
+%bcond_with testkeys
+
+# Enable AppArmor on openSUSE Tumbleweed (post 15.0) or higher
+# N.B.: Prior to openSUSE Tumbleweed in May 2018, the AppArmor userspace in SUSE
+# did not support what we needed to be able to turn on basic integration.
+%if 0%{?suse_version} >= 1550
+%bcond_without apparmor
+%else
+%bcond_with apparmor
+%endif
+
+# Compat macros
+%{!?make_build: %global make_build %{__make} %{?_smp_mflags}}
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+
+# Define the variable for systemd generators, if missing.
+%{?!_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+
+# This is fixed in SUSE Linux 15
+# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
+%if 0%{?suse_version} < 1500
+%global _sharedstatedir %{_localstatedir}/lib
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+# Additional entry of $GOPATH during the build process.
+# This is designed to be a sub-directory of {_builddir}/{name}-{version}
+# because that directory is automatically cleaned-up by the build process.
+%global         indigo_gopath   %{_builddir}/%{name}-%{version}/gopath
+
+# Directory where "name-version" directory from upstream taball is unpacked to.
+# This directory is arranged so that it is already contained inside the future
+# GOPATH so that nothing needs to be moved or copied for "go build" to work.
+%global         indigo_srcdir   %{indigo_gopath}/src/%{import_path}
+
+%global with_test_keys  0
+
+%if %{with testkeys}
+%global with_test_keys 1
+%else
+%global with_test_keys 0
+%endif
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%global systemd_services_list snapd.socket snapd.service snapd.seeded.service %{?with_apparmor:snapd.apparmor.service}
+
+%global snap_mount_dir /snap
+
+Name:           snapd
+Version:        2.37
+Release:        0
+Summary:        Tools enabling systems to work with .snap files
+License:        GPL-3.0
+Group:          System/Packages
+Url:            https://%{import_path}
+Source0:        https://github.com/snapcore/snapd/releases/download/%{version}/%{name}_%{version}.vendor.tar.xz
+Source1:        snapd-rpmlintrc
+%if (0%{?sle_version} >= 120200 || 0%{?suse_version} >= 1500) && 0%{?is_opensuse}
+BuildRequires:  ShellCheck
+%endif
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  glib2-devel
+BuildRequires:  glibc-devel-static
+BuildRequires:  go
+BuildRequires:  gpg2
+BuildRequires:  indent
+BuildRequires:  libapparmor-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtool
+BuildRequires:  libudev-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  make
+BuildRequires:  openssh
+BuildRequires:  pkg-config
+BuildRequires:  python-docutils
+BuildRequires:  python3-docutils
+BuildRequires:  squashfs
+# Due to: rpm -q --whatprovides /usr/share/pkgconfig/systemd.pc
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  timezone
+BuildRequires:  udev
+BuildRequires:  xfsprogs-devel
+BuildRequires:  xz
+%ifarch x86_64
+# This is needed for seccomp tests
+BuildRequires:  glibc-devel-32bit
+BuildRequires:  glibc-devel-static-32bit
+BuildRequires:  gcc-32bit
+%endif
+
+%if %{with apparmor}
+BuildRequires:  apparmor-rpm-macros
+%endif
+
+PreReq:         permissions
+
+Requires(post): permissions
+Requires:       apparmor-parser
+Requires:       apparmor-profiles
+Requires:       gpg2
+Requires:       openssh
+Requires:       squashfs
+
+# Old versions of xdg-document-portal can expose data belonging to
+# other confied apps.  Older OpenSUSE releases are unlikely to change,
+# so for now limit this to Tumbleweed.
+%if 0%{?suse_version} >= 1550
+Conflicts:      xdg-desktop-portal < 0.11
+%endif
+
+%{?systemd_requires}
+
+%description
+This package contains that snapd daemon and the snap command line tool.
+Together they can be used to install, refresh (update), remove and configure
+snap packages on a system. Snap packages are a novel format based on simple
+principles. Bundle your dependencies, run in a predictable environment, use
+modern kernel features for setting up the execution environment and security.
+The same binary snap package can be installed and used on many diverse systems
+such as Debian, Fedora and OpenSUSE as well as their multiple derivatives.
+
+This package contains the official build, endorsed by snapd developers. It is
+updated as soon as new upstream releases are made and is designed to live in
+the system:snappy repository.
+
+%prep
+# NOTE: Instead of using setup -q we are unpacking a subdirectory of the source
+# tarball into a directory that is automatically on the future GOPATH. This
+# means that while go doesn't care at all the current working directory is not
+# the top-level directory of the source tarball which some people may find
+# unusual.
+
+# Create indigo compatible build layout.
+mkdir -p %{indigo_srcdir}
+tar -axf %{_sourcedir}/%{name}_%{version}.vendor.tar.xz --strip-components=1 -C %{indigo_srcdir}
+
+# Patch the source in the place it got extracted to.
+pushd %{indigo_srcdir}
+# Add patch0 -p1 ... as appropriate here.
+popd
+
+# Set the version that is compiled into the various executables/
+pushd %{indigo_srcdir}
+./mkversion.sh %{version}-%{release}
+popd
+
+# Sanity check, ensure that systemd system generator directory is in agreement between the build system and packaging.
+if [ "$(pkg-config --variable=systemdsystemgeneratordir systemd)" != "%{_systemdgeneratordir}" ]; then
+  echo "pkg-confing and rpm macros disagree about the location of systemd system generator directory"
+  exit 1
+fi
+
+# Enable hardening; Also see https://bugzilla.redhat.com/show_bug.cgi?id=1343892
+CFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+CXXFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+LDFLAGS=""
+
+# On openSUSE Leap 15 or more recent build position independent executables.
+# For a helpful guide about the versions and macros used below, please see:
+# https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
+%if 0%{?suse_version} >= 1500
+CFLAGS="$CFLAGS -fPIE"
+CXXFLAGS="$CXXFLAGS -fPIE"
+LDFLAGS="$LDFLAGS -pie"
+%endif
+
+export CFLAGS
+export CXXFLAGS
+export LDFLAGS
+
+# Generate autotools build system files.
+pushd %{indigo_srcdir}/cmd
+autoreconf -i -f
+%configure \
+    %{!?with_apparmor:--disable-apparmor} \
+    --libexecdir=%{_libexecdir}/snapd \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{snap_mount_dir} \
+    --enable-merged-usr
+popd
+
+%build
+# Build golang executables, with the following exceptions everything is built the same way:
+# - snap-exec and snap-update-ns is built statically.
+# - snapd has a variant that uses test keys instead of production keys.
+#
+# NOTE: indigo_gopath takes priority over GOPATH. This ensures that we
+# build the code that we intended in case GOPATH points to another copy.
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapctl
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap-seccomp
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-update-ns
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-exec
+%if 0%{?with_test_keys}
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie -tags withtestkeys %{import_path}/cmd/snapd
+%else
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapd
+%endif
+
+# Build C executables
+%make_build -C %{indigo_srcdir}/cmd
+
+%check
+# Run tests with fixed locale that is expected by unicode/color code.
+LC_ALL=C.UTF-8 GOPATH=%{indigo_gopath}:$GOPATH go test %{import_path}/...
+%make_build -C %{indigo_srcdir}/cmd check
+
+%install
+# Install all systemd and dbus units, and env files.
+%make_install -C %{indigo_srcdir}/data \
+		BINDIR=%{_bindir} \
+		LIBEXECDIR=%{_libexecdir} \
+		SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
+		SNAP_MOUNT_DIR=%{snap_mount_dir}
+# Install all the C executables.
+%make_install -C %{indigo_srcdir}/cmd
+# Install all the Go executables.
+install -d -m 755 %{buildroot}%{_bindir}
+install -m 755 snap %{buildroot}%{_bindir}
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -m 755 snapctl %{buildroot}%{_libexecdir}/snapd
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+install -d -m 755 %{buildroot}%{_libexecdir}/snapd
+install -m 755 snapd %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-exec %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-update-ns %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-seccomp %{buildroot}%{_libexecdir}/snapd/
+# Generate and install man page for snap command
+install -d -m 755 %{buildroot}%{_mandir}/man8
+./snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+# Undo special permissions of the void directory
+chmod 755 %{buildroot}%{_sharedstatedir}/snapd/void
+# Remove traces of ubuntu-core-launcher. It is a phased-out executable that is
+# still partially present in the tree but should be removed in the subsequent
+# release.
+rm -f %{buildroot}%{_bindir}/ubuntu-core-launcher
+# NOTE: we don't want to ship system-shutdown helper, it is just a helper on
+# ubuntu-core systems that exclusively use snaps. It is used during the
+# shutdown process and thus can be left out of the distribution package.
+rm -f %{buildroot}%{_libexecdir}/snapd/system-shutdown
+# Install the directories that snapd creates by itself so that they can be a part of the package
+install -d %{buildroot}%{_sharedstatedir}/snapd/{assertions,cookie,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
+
+install -d %{buildroot}%{_sharedstatedir}/snapd/{lib/gl,lib/gl32,lib/vulkan}
+install -d %{buildroot}%{_localstatedir}/cache/snapd
+install -d %{buildroot}%{_datadir}/polkit-1/actions
+install -d %{buildroot}%{snap_mount_dir}/bin
+# Install local permissions policy for snap-confine. This should be removed
+# once snap-confine is added to the permissions package. This is done following
+# the recommendations on
+# https://en.opensuse.org/openSUSE:Package_security_guidelines
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid
+# Remove unwanted systemd units
+for s in snapd.autoimport.service snapd.system-shutdown.service snapd.snap-repair.timer snapd.snap-repair.service snapd.core-fixup.service; do
+    rm -f %{buildroot}%{_unitdir}/$s
+done
+# Remove snappy core specific scripts
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Install Polkit configuration
+install -m 644 -D %{indigo_srcdir}/data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# See https://en.opensuse.org/openSUSE:Packaging_checks#suse-missing-rclink for details
+install -d %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.apparmor
+%endif
+# Install the "info" data file with snapd version
+install -m 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info
+# Install bash completion for "snap"
+install -m 644 -D %{indigo_srcdir}/data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D %{indigo_srcdir}/data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D %{indigo_srcdir}/data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Don't ship apparmor helper service when AppArmor is not enabled
+%if ! %{with apparmor}
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+%endif
+
+%verifyscript
+%verify_permissions -e %{_libexecdir}/snapd/snap-confine
+
+%pre
+%service_add_pre %{systemd_services_list}
+
+%post
+%set_permissions %{_libexecdir}/snapd/snap-confine
+%if %{with apparmor}
+%apparmor_reload /etc/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%service_add_post %{systemd_services_list}
+case ":$PATH:" in
+    *:/snap/bin:*)
+        ;;
+    *)
+        echo "Please reboot, logout/login or source /etc/profile to have /snap/bin added to PATH."
+        echo "On a Tumbleweed system you need to run: systemctl enable snapd.apparmor.service"
+        ;;
+esac
+
+%preun
+%service_del_preun %{systemd_services_list}
+if [ $1 -eq 0 ]; then
+    %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+%postun
+%service_del_postun %{systemd_services_list}
+
+%files
+%if %{with apparmor}
+%config %{_sysconfdir}/apparmor.d
+%endif
+%config %{_sysconfdir}/permissions.d/snapd
+%config %{_sysconfdir}/permissions.d/snapd.paranoid
+%config %{_sysconfdir}/profile.d/snapd.sh
+%dir %attr(0000,root,root) %{_sharedstatedir}/snapd/void
+%dir %{snap_mount_dir}
+%dir %{snap_mount_dir}/bin
+%dir %{_libexecdir}/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/apparmor
+%dir %{_sharedstatedir}/snapd/apparmor/profiles
+%dir %{_sharedstatedir}/snapd/apparmor/snap-confine
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_localstatedir}/cache/snapd
+%dir %{_environmentdir}
+%dir %{_systemd_system_env_generator_dir}
+%dir %{_systemdgeneratordir}
+%dir %{_datadir}/dbus-1
+%dir %{_datadir}/dbus-1/services
+%dir %{_datadir}/polkit-1
+%dir %{_datadir}/polkit-1/actions
+%verify(not user group mode) %attr(06755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.seeded.service
+%{_unitdir}/snapd.failure.service
+%if %{with apparmor}
+%{_unitdir}/snapd.apparmor.service
+%endif
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_sbindir}/rcsnapd
+%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+%{_sbindir}/rcsnapd.apparmor
+%endif
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snapctl
+%if %{with apparmor}
+%{_libexecdir}/snapd/snapd-apparmor
+%endif
+%{_libexecdir}/snapd/snap-mgmt
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-device-helper
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_systemdgeneratordir}/snapd-generator
+%{_mandir}/man8/snap.8*
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_libexecdir}/snapd/snapd.run-from-snap
+%if %{with apparmor}
+%{_sysconfdir}/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%{_environmentdir}/990-snapd.conf
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+
+%changelog
+
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.1/permissions snapd-2.37~rc1~14.04/packaging/opensuse-42.1/permissions
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.1/permissions	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.1/permissions	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-/usr/lib/snapd/snap-confine                             root:root         4755
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.1/permissions.easy snapd-2.37~rc1~14.04/packaging/opensuse-42.1/permissions.easy
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.1/permissions.easy	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.1/permissions.easy	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-/usr/lib/snapd/snap-confine                             root:root         4755
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.1/permissions.secure snapd-2.37~rc1~14.04/packaging/opensuse-42.1/permissions.secure
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.1/permissions.secure	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.1/permissions.secure	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-/usr/lib/snapd/snap-confine                             root:root         4755
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.1/snapd.changes snapd-2.37~rc1~14.04/packaging/opensuse-42.1/snapd.changes
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.1/snapd.changes	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.1/snapd.changes	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,141 @@
 -------------------------------------------------------------------
+Wed Jan 16 08:36:51 UTC 2019 - mvo@fastmail.fm
+
+- Update to upstream release 2.37
+
+-------------------------------------------------------------------
+Fri Dec 14 07:30:58 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.3
+
+-------------------------------------------------------------------
+Thu Nov 29 10:48:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.2
+
+-------------------------------------------------------------------
+Fri Nov 09 14:42:28 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.1
+
+-------------------------------------------------------------------
+Wed Oct 24 17:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36
+
+-------------------------------------------------------------------
+Mon Oct 15 22:23:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.5
+
+-------------------------------------------------------------------
+Fri Oct 05 14:42:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.4
+
+-------------------------------------------------------------------
+Fri Oct 05 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.3
+
+-------------------------------------------------------------------
+Wed Sep 12 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.2
+
+-------------------------------------------------------------------
+Mon Sep 03 14:44:06 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.1
+
+-------------------------------------------------------------------
+Mon Aug 20 12:36:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35
+
+-------------------------------------------------------------------
+Fri Jul 27 19:08:44 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.3
+
+-------------------------------------------------------------------
+Thu Jul 19 12:05:50 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.2
+
+-------------------------------------------------------------------
+Wed Jul 17 19:46:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.1
+
+-------------------------------------------------------------------
+Fri Jul 06 16:08:17 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34
+
+-------------------------------------------------------------------
+Fri Jun 22 15:58:54 UTC 2018 - me@zygoon.pl
+
+- Fixed changelog chronology
+
+-------------------------------------------------------------------
+Fri Jun 22 14:25:35 UTC 2018 - me@zygoon.pl
+
+- Sync with snapd upstream packaging
+- Backport support for apparmor on tumbleweed
+- Install polkit files
+- Load snap-confine apparmor profile in post, if apparmor is enabled
+- Adjust badness of polkit-untracked-privlege
+-------------------------------------------------------------------
+Thu Jun 21 17:37:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33.1
+
+-------------------------------------------------------------------
+Fri Jun 08 17:13:47 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33
+
+-------------------------------------------------------------------
+Mon May 28 08:06:53 UTC 2018 - ngompa13@gmail.com
+
+- Refactor to support openSUSE Tumbleweed and Leap 42.3 and 15.0
+- Enable AppArmor support for openSUSE Tumbleweed (post Leap 15.0)
+- Enable support for handling the proprietary nvidia driver
+- Drop ancient spec stuff that was being ignored by RPM anyway
+- Drop spurious find command that didn't do anything...
+
+-------------------------------------------------------------------
+Wed May 16 10:20:08 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.9
+
+-------------------------------------------------------------------
+Fri May 11 14:36:16 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.8
+
+-------------------------------------------------------------------
+Fri May 11 13:09:32 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.7
+
+-------------------------------------------------------------------
+Sun Apr 29 19:21:53 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.6
+
+-------------------------------------------------------------------
+Mon Apr 16 16:41:48 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.5
+
+-------------------------------------------------------------------
+Wed Apr 11 16:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.4
+
+-------------------------------------------------------------------
 Wed Apr 11 12:40:09 UTC 2018 - mvo@fastmail.fm
 
 - Update to upstream release 2.32.3.2
@@ -39,7 +176,7 @@
 - Update to upstream release 2.31
 
 -------------------------------------------------------------------
-Mon Dev 18 15:31:24 UTC 2017 - mvo@fastmail.fm
+Sat Nov 18 15:31:24 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.30
 
@@ -54,12 +191,12 @@
 - Update to upstream release 2.29.3
 
 -------------------------------------------------------------------
-Fri Nov 03 17:26:14:17 UTC 2017 - mvo@fastmail.fm
+Fri Nov 03 17:26:14 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.29.2
 
 -------------------------------------------------------------------
-Fri Nov 03 07:27:08:17 UTC 2017 - mvo@fastmail.fm
+Fri Nov 03 07:27:08 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.29.1
 
@@ -69,11 +206,6 @@
 - Update to upstream release 2.29
 
 -------------------------------------------------------------------
-Fri Oct 13 19:46:37 UTC 2017 - mvo@fastmail.fm
-
-- Update to upstream release 2.28.4
-
--------------------------------------------------------------------
 Wed Oct 11 19:46:37 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.28.4
@@ -89,7 +221,7 @@
 - Update to upstream release 2.28.2
 
 -------------------------------------------------------------------
-Mon Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
+Wed Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.28.1
 
@@ -134,7 +266,7 @@
 - Update to upstream release 2.27
 
 -------------------------------------------------------------------
-Wed May 19 14:35:29 UTC 2017 - morphis@gravedo.de
+Fri May 19 14:35:29 UTC 2017 - morphis@gravedo.de
 
 - Add bind() syscall to default seccomp policy to allow execution
   of snap hooks.
@@ -164,35 +296,35 @@
   (see https://bugs.launchpad.net/snappy/+bug/1674193 for details)
 
 -------------------------------------------------------------------
-Wed Mar  8 16:09:03 UTC 2017 - me@zygoon.pl
+Wed Mar 08 16:09:03 UTC 2017 - me@zygoon.pl
 
-- Fix log-out prompt to be displayed only when really necessary. 
+- Fix log-out prompt to be displayed only when really necessary.
 - Fix installation of /usr/lib/snapd/info (version information)
 - Install bash completion for "snap"
 
 -------------------------------------------------------------------
-Wed Mar  8 15:53:06 UTC 2017 - me@zygoon.pl
+Wed Mar 08 15:53:06 UTC 2017 - me@zygoon.pl
 
 - New upstream release.
   More details are available at https://github.com/snapcore/snapd/releases/tag/2.23.1
 
 -------------------------------------------------------------------
-Tue Mar  7 23:00:34 UTC 2017 - me@zygoon.pl
+Tue Mar 07 23:00:34 UTC 2017 - me@zygoon.pl
 
 - Add PATH integration and post-install message asking the user to logout to
-  see PATH changes. 
+  see PATH changes.
 
 -------------------------------------------------------------------
-Tue Mar  7 00:45:12 UTC 2017 - me@zygoon.pl
+Tue Mar 07 00:45:12 UTC 2017 - me@zygoon.pl
 
-- (hacky) Disable shellcheck as it is missing on Leap 42.1 
+- (hacky) Disable shellcheck as it is missing on Leap 42.1
 
 -------------------------------------------------------------------
-Tue Mar  7 00:43:58 UTC 2017 - me@zygoon.pl
+Tue Mar 07 00:43:58 UTC 2017 - me@zygoon.pl
 
-- (hacky) fix the 32bit build 
+- (hacky) fix the 32bit build
 
 -------------------------------------------------------------------
-Mon Mar  6 18:08:04 UTC 2017 - me@zygoon.pl
+Mon Mar 06 18:08:04 UTC 2017 - me@zygoon.pl
 
 - Initial package based on fully vendorized source tarball
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.1/snapd-rpmlintrc snapd-2.37~rc1~14.04/packaging/opensuse-42.1/snapd-rpmlintrc
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.1/snapd-rpmlintrc	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.1/snapd-rpmlintrc	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1,4 @@
-setBadness('permissions-unauthorized-file', 222)
+setBadness('permissions-unauthorized-file', 22)
+setBadness('polkit-untracked-privilege', 11)
+setBadness('non-position-independent-executable', 33)
+setBadness('polkit-untracked-privilege', 44)
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.1/snapd.spec snapd-2.37~rc1~14.04/packaging/opensuse-42.1/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.1/snapd.spec	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.1/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,7 @@
 # spec file for package snapd
 #
 # Copyright (c) 2017 Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+# Copyright (c) 2018 Neal Gompa <ngompa13@gmail.com>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,6 +16,31 @@
 
 %bcond_with testkeys
 
+# Enable AppArmor on openSUSE Tumbleweed (post 15.0) or higher
+# N.B.: Prior to openSUSE Tumbleweed in May 2018, the AppArmor userspace in SUSE
+# did not support what we needed to be able to turn on basic integration.
+%if 0%{?suse_version} >= 1550
+%bcond_without apparmor
+%else
+%bcond_with apparmor
+%endif
+
+# Compat macros
+%{!?make_build: %global make_build %{__make} %{?_smp_mflags}}
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+
+# Define the variable for systemd generators, if missing.
+%{?!_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+
+# This is fixed in SUSE Linux 15
+# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
+%if 0%{?suse_version} < 1500
+%global _sharedstatedir %{_localstatedir}/lib
+%endif
+
 %global provider        github
 %global provider_tld    com
 %global project         snapcore
@@ -22,6 +48,16 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 
+# Additional entry of $GOPATH during the build process.
+# This is designed to be a sub-directory of {_builddir}/{name}-{version}
+# because that directory is automatically cleaned-up by the build process.
+%global         indigo_gopath   %{_builddir}/%{name}-%{version}/gopath
+
+# Directory where "name-version" directory from upstream taball is unpacked to.
+# This directory is arranged so that it is already contained inside the future
+# GOPATH so that nothing needs to be moved or copied for "go build" to work.
+%global         indigo_srcdir   %{indigo_gopath}/src/%{import_path}
+
 %global with_test_keys  0
 
 %if %{with testkeys}
@@ -30,9 +66,17 @@
 %global with_test_keys 0
 %endif
 
-%define systemd_services_list snapd.socket snapd.service
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%global systemd_services_list snapd.socket snapd.service snapd.seeded.service %{?with_apparmor:snapd.apparmor.service}
+
+%global snap_mount_dir /snap
+
 Name:           snapd
-Version:        2.32.3.2
+Version:        2.37
 Release:        0
 Summary:        Tools enabling systems to work with .snap files
 License:        GPL-3.0
@@ -40,13 +84,14 @@
 Url:            https://%{import_path}
 Source0:        https://github.com/snapcore/snapd/releases/download/%{version}/%{name}_%{version}.vendor.tar.xz
 Source1:        snapd-rpmlintrc
-# TODO: make this enabled only on Leap 42.2+
-# BuildRequires:  ShellCheck
+%if (0%{?sle_version} >= 120200 || 0%{?suse_version} >= 1500) && 0%{?is_opensuse}
+BuildRequires:  ShellCheck
+%endif
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  glib2-devel
 BuildRequires:  glibc-devel-static
-BuildRequires:  golang-packaging
+BuildRequires:  go
 BuildRequires:  gpg2
 BuildRequires:  indent
 BuildRequires:  libapparmor-devel
@@ -61,179 +106,213 @@
 BuildRequires:  python-docutils
 BuildRequires:  python3-docutils
 BuildRequires:  squashfs
+# Due to: rpm -q --whatprovides /usr/share/pkgconfig/systemd.pc
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  timezone
 BuildRequires:  udev
 BuildRequires:  xfsprogs-devel
 BuildRequires:  xz
+%ifarch x86_64
+# This is needed for seccomp tests
+BuildRequires:  glibc-devel-32bit
+BuildRequires:  glibc-devel-static-32bit
+BuildRequires:  gcc-32bit
+%endif
 
-# Make sure we are on Leap 42.2/SLE 12 SP2 or higher
-%if 0%{?sle_version} >= 120200
-BuildRequires: systemd-rpm-macros
+%if %{with apparmor}
+BuildRequires:  apparmor-rpm-macros
 %endif
 
 PreReq:         permissions
 
 Requires(post): permissions
 Requires:       apparmor-parser
+Requires:       apparmor-profiles
 Requires:       gpg2
 Requires:       openssh
 Requires:       squashfs
 
-%systemd_requires
-
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+# Old versions of xdg-document-portal can expose data belonging to
+# other confied apps.  Older OpenSUSE releases are unlikely to change,
+# so for now limit this to Tumbleweed.
+%if 0%{?suse_version} >= 1550
+Conflicts:      xdg-desktop-portal < 0.11
+%endif
 
-# TODO strip the C executables but don't strip the go executables
-# as that breaks the world in some ways.
-# reenable {go_nostrip}
-%{go_provides}
+%{?systemd_requires}
 
 %description
 This package contains that snapd daemon and the snap command line tool.
 Together they can be used to install, refresh (update), remove and configure
 snap packages on a system. Snap packages are a novel format based on simple
 principles. Bundle your dependencies, run in a predictable environment, use
-moder kernel features for setting up the execution environment and security.
+modern kernel features for setting up the execution environment and security.
 The same binary snap package can be installed and used on many diverse systems
 such as Debian, Fedora and OpenSUSE as well as their multiple derivatives.
-.
+
 This package contains the official build, endorsed by snapd developers. It is
 updated as soon as new upstream releases are made and is designed to live in
 the system:snappy repository.
 
 %prep
-%setup -q -n %{name}-%{version}
+# NOTE: Instead of using setup -q we are unpacking a subdirectory of the source
+# tarball into a directory that is automatically on the future GOPATH. This
+# means that while go doesn't care at all the current working directory is not
+# the top-level directory of the source tarball which some people may find
+# unusual.
+
+# Create indigo compatible build layout.
+mkdir -p %{indigo_srcdir}
+tar -axf %{_sourcedir}/%{name}_%{version}.vendor.tar.xz --strip-components=1 -C %{indigo_srcdir}
+
+# Patch the source in the place it got extracted to.
+pushd %{indigo_srcdir}
+# Add patch0 -p1 ... as appropriate here.
+popd
 
-# Set the version that is compiled into the various executables
+# Set the version that is compiled into the various executables/
+pushd %{indigo_srcdir}
 ./mkversion.sh %{version}-%{release}
+popd
 
-# Generate autotools build system files
-cd cmd && autoreconf -i -f
+# Sanity check, ensure that systemd system generator directory is in agreement between the build system and packaging.
+if [ "$(pkg-config --variable=systemdsystemgeneratordir systemd)" != "%{_systemdgeneratordir}" ]; then
+  echo "pkg-confing and rpm macros disagree about the location of systemd system generator directory"
+  exit 1
+fi
 
-# Enable hardening; We can't use -pie here as this conflicts with
-# our build of static binaries for snap-confine. Also see
-# https://bugzilla.redhat.com/show_bug.cgi?id=1343892
+# Enable hardening; Also see https://bugzilla.redhat.com/show_bug.cgi?id=1343892
 CFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
 CXXFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+LDFLAGS=""
+
+# On openSUSE Leap 15 or more recent build position independent executables.
+# For a helpful guide about the versions and macros used below, please see:
+# https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
+%if 0%{?suse_version} >= 1500
+CFLAGS="$CFLAGS -fPIE"
+CXXFLAGS="$CXXFLAGS -fPIE"
+LDFLAGS="$LDFLAGS -pie"
+%endif
+
 export CFLAGS
 export CXXFLAGS
+export LDFLAGS
 
-# NOTE: until snapd and snap-confine have the improved communication mechanism
-# we need to disable apparmor as snapd doesn't yet support the version of
-# apparmor kernel available in SUSE and Debian. The generated apparmor profiles
-# cannot be loaded into a vanilla kernel. As a temporary measure we just switch
-# it all off.
-%configure --disable-apparmor --libexecdir=%{_libexecdir}/snapd
+# Generate autotools build system files.
+pushd %{indigo_srcdir}/cmd
+autoreconf -i -f
+%configure \
+    %{!?with_apparmor:--disable-apparmor} \
+    --libexecdir=%{_libexecdir}/snapd \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{snap_mount_dir} \
+    --enable-merged-usr
+popd
 
 %build
-# Build golang executables
-%goprep %{import_path}
-
+# Build golang executables, with the following exceptions everything is built the same way:
+# - snap-exec and snap-update-ns is built statically.
+# - snapd has a variant that uses test keys instead of production keys.
+#
+# NOTE: indigo_gopath takes priority over GOPATH. This ensures that we
+# build the code that we intended in case GOPATH points to another copy.
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapctl
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap-seccomp
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-update-ns
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-exec
 %if 0%{?with_test_keys}
-# The gobuild macro doesn't allow us to pass any additional parameters
-# so we we have to invoke `go install` here manually.
-export GOPATH=%{_builddir}/go:%{_libdir}/go/contrib
-export GOBIN=%{_builddir}/go/bin
-# Options used are the same as the gobuild macro does but as it
-# doesn't allow us to amend new flags we have to repeat them here:
-# -s: tell long running tests to shorten their build time
-# -v: be verbose
-# -p 4: allow parallel execution of tests
-# -x: print commands
-go install -s -v -p 4 -x -tags withtestkeys github.com/snapcore/snapd/cmd/snapd
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie -tags withtestkeys %{import_path}/cmd/snapd
 %else
-%gobuild cmd/snapd
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapd
 %endif
 
-%gobuild cmd/snap
-%gobuild cmd/snapctl
-# build snap-exec and snap-update-ns completely static for base snaps
-CGO_ENABLED=0 %gobuild cmd/snap-exec
-# gobuild --ldflags '-extldflags "-static"' bin/snap-update-ns
-# FIXME: ^ this doesn't work yet, it's going to be fixed with another PR.
-%gobuild cmd/snap-update-ns
-
-# This is ok because snap-seccomp only requires static linking when it runs from the core-snap via re-exec.
-sed -e "s/-Bstatic -lseccomp/-Bstatic/g" -i %{_builddir}/go/src/%{provider_prefix}/cmd/snap-seccomp/main.go
-# build snap-seccomp
-%gobuild cmd/snap-seccomp
-
 # Build C executables
-make %{?_smp_mflags} -C cmd
+%make_build -C %{indigo_srcdir}/cmd
 
 %check
-%{gotest} %{import_path}/...
-make %{?_smp_mflags} -C cmd check
+# Run tests with fixed locale that is expected by unicode/color code.
+LC_ALL=C.UTF-8 GOPATH=%{indigo_gopath}:$GOPATH go test %{import_path}/...
+%make_build -C %{indigo_srcdir}/cmd check
 
 %install
-# Install all the go stuff
-%goinstall
-# TODO: instead of removing it move this to a dedicated golang package
-rm -rf %{buildroot}%{_libexecdir}64/go
-rm -rf %{buildroot}%{_libexecdir}/go
-find %{buildroot}
-# Move snapd, snap-exec, snap-seccomp and snap-update-ns into %{_libexecdir}/snapd
-install -m 755 -d %{buildroot}%{_libexecdir}/snapd
-mv %{buildroot}/usr/bin/snapd %{buildroot}%{_libexecdir}/snapd/snapd
-mv %{buildroot}/usr/bin/snap-exec %{buildroot}%{_libexecdir}/snapd/snap-exec
-mv %{buildroot}/usr/bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd/snap-update-ns
-mv %{buildroot}/usr/bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd/snap-seccomp
-# Install profile.d-based PATH integration for /snap/bin
-#   and XDG_DATA_DIRS for /var/lib/snapd/desktop
-make -C data/env install DESTDIR=%{buildroot}
-
+# Install all systemd and dbus units, and env files.
+%make_install -C %{indigo_srcdir}/data \
+		BINDIR=%{_bindir} \
+		LIBEXECDIR=%{_libexecdir} \
+		SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
+		SNAP_MOUNT_DIR=%{snap_mount_dir}
+# Install all the C executables.
+%make_install -C %{indigo_srcdir}/cmd
+# Install all the Go executables.
+install -d -m 755 %{buildroot}%{_bindir}
+install -m 755 snap %{buildroot}%{_bindir}
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -m 755 snapctl %{buildroot}%{_libexecdir}/snapd
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+install -d -m 755 %{buildroot}%{_libexecdir}/snapd
+install -m 755 snapd %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-exec %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-update-ns %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-seccomp %{buildroot}%{_libexecdir}/snapd/
 # Generate and install man page for snap command
-install -m 755 -d %{buildroot}%{_mandir}/man1
-%{buildroot}/usr/bin/snap help --man >  %{buildroot}%{_mandir}/man1/snap.1
-
-# TODO: enable gosrc
-# TODO: enable gofilelist
-
-# Install all the C executables
-%{make_install} -C cmd
+install -d -m 755 %{buildroot}%{_mandir}/man8
+./snap help --man > %{buildroot}%{_mandir}/man8/snap.8
 # Undo special permissions of the void directory
-chmod 755 %{?buildroot}/var/lib/snapd/void
+chmod 755 %{buildroot}%{_sharedstatedir}/snapd/void
 # Remove traces of ubuntu-core-launcher. It is a phased-out executable that is
 # still partially present in the tree but should be removed in the subsequent
 # release.
-rm -f %{?buildroot}/usr/bin/ubuntu-core-launcher
+rm -f %{buildroot}%{_bindir}/ubuntu-core-launcher
 # NOTE: we don't want to ship system-shutdown helper, it is just a helper on
 # ubuntu-core systems that exclusively use snaps. It is used during the
 # shutdown process and thus can be left out of the distribution package.
-rm -f %{?buildroot}%{_libexecdir}/snapd/system-shutdown
+rm -f %{buildroot}%{_libexecdir}/snapd/system-shutdown
 # Install the directories that snapd creates by itself so that they can be a part of the package
-install -d %buildroot/var/lib/snapd/{assertions,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
+install -d %{buildroot}%{_sharedstatedir}/snapd/{assertions,cookie,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
 
-install -d %buildroot/var/lib/snapd/{lib/gl,lib/gl32,lib/vulkan}
-install -d %buildroot/var/cache/snapd
-install -d %buildroot/snap/bin
+install -d %{buildroot}%{_sharedstatedir}/snapd/{lib/gl,lib/gl32,lib/vulkan}
+install -d %{buildroot}%{_localstatedir}/cache/snapd
+install -d %{buildroot}%{_datadir}/polkit-1/actions
+install -d %{buildroot}%{snap_mount_dir}/bin
 # Install local permissions policy for snap-confine. This should be removed
 # once snap-confine is added to the permissions package. This is done following
 # the recommendations on
 # https://en.opensuse.org/openSUSE:Package_security_guidelines
-install -m 644 -D packaging/opensuse-42.2/permissions %buildroot/%{_sysconfdir}/permissions.d/snapd
-install -m 644 -D packaging/opensuse-42.2/permissions.paranoid %buildroot/%{_sysconfdir}/permissions.d/snapd.paranoid
-# Install the systemd units
-make -C data install DESTDIR=%{buildroot} SYSTEMDSYSTEMUNITDIR=%{_unitdir}
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid
+# Remove unwanted systemd units
 for s in snapd.autoimport.service snapd.system-shutdown.service snapd.snap-repair.timer snapd.snap-repair.service snapd.core-fixup.service; do
-    rm -f %buildroot/%{_unitdir}/$s
+    rm -f %{buildroot}%{_unitdir}/$s
 done
 # Remove snappy core specific scripts
-rm -f %buildroot%{_libexecdir}/snapd/snapd.core-fixup.sh
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Install Polkit configuration
+install -m 644 -D %{indigo_srcdir}/data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
 
 # See https://en.opensuse.org/openSUSE:Packaging_checks#suse-missing-rclink for details
-install -d %{buildroot}/usr/sbin
-ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcsnapd
-ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcsnapd.refresh
+install -d %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.apparmor
+%endif
 # Install the "info" data file with snapd version
-install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
+install -m 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info
 # Install bash completion for "snap"
-install -m 644 -D data/completion/snap %{buildroot}/usr/share/bash-completion/completions/snap
-install -m 644 -D data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
-install -m 644 -D data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
-# move snapd-generator
-install -m 755 -d %{buildroot}/lib/systemd/system-generators/
-mv %{buildroot}%{_libexecdir}/snapd/snapd-generator %{buildroot}/lib/systemd/system-generators/
+install -m 644 -D %{indigo_srcdir}/data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D %{indigo_srcdir}/data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D %{indigo_srcdir}/data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Don't ship apparmor helper service when AppArmor is not enabled
+%if ! %{with apparmor}
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+%endif
 
 %verifyscript
 %verify_permissions -e %{_libexecdir}/snapd/snap-confine
@@ -243,12 +322,16 @@
 
 %post
 %set_permissions %{_libexecdir}/snapd/snap-confine
+%if %{with apparmor}
+%apparmor_reload /etc/apparmor.d/usr.lib.snapd.snap-confine
+%endif
 %service_add_post %{systemd_services_list}
 case ":$PATH:" in
     *:/snap/bin:*)
         ;;
     *)
         echo "Please reboot, logout/login or source /etc/profile to have /snap/bin added to PATH."
+        echo "On a Tumbleweed system you need to run: systemctl enable snapd.apparmor.service"
         ;;
 esac
 
@@ -262,57 +345,89 @@
 %service_del_postun %{systemd_services_list}
 
 %files
-%defattr(-,root,root)
+%if %{with apparmor}
+%config %{_sysconfdir}/apparmor.d
+%endif
 %config %{_sysconfdir}/permissions.d/snapd
 %config %{_sysconfdir}/permissions.d/snapd.paranoid
 %config %{_sysconfdir}/profile.d/snapd.sh
-%dir %attr(0000,root,root) /var/lib/snapd/void
-%dir /snap
-%dir /snap/bin
+%dir %attr(0000,root,root) %{_sharedstatedir}/snapd/void
+%dir %{snap_mount_dir}
+%dir %{snap_mount_dir}/bin
 %dir %{_libexecdir}/snapd
-%dir /var/lib/snapd
-%dir /var/lib/snapd/apparmor
-%dir /var/lib/snapd/apparmor/profiles
-%dir /var/lib/snapd/apparmor/snap-confine
-%dir /var/lib/snapd/assertions
-%dir /var/lib/snapd/desktop
-%dir /var/lib/snapd/desktop/applications
-%dir /var/lib/snapd/device
-%dir /var/lib/snapd/hostfs
-%dir /var/lib/snapd/mount
-%dir /var/lib/snapd/seccomp
-%dir /var/lib/snapd/seccomp/bpf
-%dir /var/lib/snapd/snaps
-%dir /var/lib/snapd/lib
-%dir /var/lib/snapd/lib/gl
-%dir /var/lib/snapd/lib/gl32
-%dir /var/lib/snapd/lib/vulkan
-%dir /var/cache/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/apparmor
+%dir %{_sharedstatedir}/snapd/apparmor/profiles
+%dir %{_sharedstatedir}/snapd/apparmor/snap-confine
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_localstatedir}/cache/snapd
+%dir %{_environmentdir}
+%dir %{_systemd_system_env_generator_dir}
+%dir %{_systemdgeneratordir}
+%dir %{_datadir}/dbus-1
+%dir %{_datadir}/dbus-1/services
+%dir %{_datadir}/polkit-1
+%dir %{_datadir}/polkit-1/actions
 %verify(not user group mode) %attr(06755,root,root) %{_libexecdir}/snapd/snap-confine
-%{_mandir}/man1/snap-confine.1.gz
-%{_mandir}/man5/snap-discard-ns.5.gz
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_mandir}/man8/snapd-env-generator.8*
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.socket
-/usr/bin/snap
-/usr/bin/snapctl
-/usr/sbin/rcsnapd
-/usr/sbin/rcsnapd.refresh
+%{_unitdir}/snapd.seeded.service
+%{_unitdir}/snapd.failure.service
+%if %{with apparmor}
+%{_unitdir}/snapd.apparmor.service
+%endif
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_sbindir}/rcsnapd
+%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+%{_sbindir}/rcsnapd.apparmor
+%endif
 %{_libexecdir}/snapd/info
 %{_libexecdir}/snapd/snap-discard-ns
 %{_libexecdir}/snapd/snap-update-ns
 %{_libexecdir}/snapd/snap-exec
 %{_libexecdir}/snapd/snap-seccomp
 %{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snapctl
+%if %{with apparmor}
+%{_libexecdir}/snapd/snapd-apparmor
+%endif
 %{_libexecdir}/snapd/snap-mgmt
 %{_libexecdir}/snapd/snap-gdb-shim
 %{_libexecdir}/snapd/snap-device-helper
-/usr/share/bash-completion/completions/snap
+%{_datadir}/bash-completion/completions/snap
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
-/lib/systemd/system-generators/snapd-generator
-%{_mandir}/man1/snap.1.gz
-/usr/share/dbus-1/services/io.snapcraft.Launcher.service
-/usr/share/dbus-1/services/io.snapcraft.Settings.service
+%{_systemdgeneratordir}/snapd-generator
+%{_mandir}/man8/snap.8*
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_libexecdir}/snapd/snapd.run-from-snap
+%if %{with apparmor}
+%{_sysconfdir}/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%{_environmentdir}/990-snapd.conf
+%{_systemd_system_env_generator_dir}/snapd-env-generator
 
 %changelog
 
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.2/permissions snapd-2.37~rc1~14.04/packaging/opensuse-42.2/permissions
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.2/permissions	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.2/permissions	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-/usr/lib/snapd/snap-confine                             root:root         4755
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.2/permissions.easy snapd-2.37~rc1~14.04/packaging/opensuse-42.2/permissions.easy
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.2/permissions.easy	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.2/permissions.easy	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-/usr/lib/snapd/snap-confine                             root:root         4755
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.2/permissions.secure snapd-2.37~rc1~14.04/packaging/opensuse-42.2/permissions.secure
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.2/permissions.secure	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.2/permissions.secure	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-/usr/lib/snapd/snap-confine                             root:root         4755
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.2/snapd.changes snapd-2.37~rc1~14.04/packaging/opensuse-42.2/snapd.changes
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.2/snapd.changes	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.2/snapd.changes	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,141 @@
 -------------------------------------------------------------------
+Wed Jan 16 08:36:51 UTC 2019 - mvo@fastmail.fm
+
+- Update to upstream release 2.37
+
+-------------------------------------------------------------------
+Fri Dec 14 07:30:58 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.3
+
+-------------------------------------------------------------------
+Thu Nov 29 10:48:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.2
+
+-------------------------------------------------------------------
+Fri Nov 09 14:42:28 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.1
+
+-------------------------------------------------------------------
+Wed Oct 24 17:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36
+
+-------------------------------------------------------------------
+Mon Oct 15 22:23:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.5
+
+-------------------------------------------------------------------
+Fri Oct 05 14:42:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.4
+
+-------------------------------------------------------------------
+Fri Oct 05 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.3
+
+-------------------------------------------------------------------
+Wed Sep 12 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.2
+
+-------------------------------------------------------------------
+Mon Sep 03 14:44:06 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.1
+
+-------------------------------------------------------------------
+Mon Aug 20 12:36:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35
+
+-------------------------------------------------------------------
+Fri Jul 27 19:08:44 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.3
+
+-------------------------------------------------------------------
+Thu Jul 19 12:05:50 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.2
+
+-------------------------------------------------------------------
+Wed Jul 17 19:46:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.1
+
+-------------------------------------------------------------------
+Fri Jul 06 16:08:17 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34
+
+-------------------------------------------------------------------
+Fri Jun 22 15:58:54 UTC 2018 - me@zygoon.pl
+
+- Fixed changelog chronology
+
+-------------------------------------------------------------------
+Fri Jun 22 14:25:35 UTC 2018 - me@zygoon.pl
+
+- Sync with snapd upstream packaging
+- Backport support for apparmor on tumbleweed
+- Install polkit files
+- Load snap-confine apparmor profile in post, if apparmor is enabled
+- Adjust badness of polkit-untracked-privlege
+-------------------------------------------------------------------
+Thu Jun 21 17:37:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33.1
+
+-------------------------------------------------------------------
+Fri Jun 08 17:13:47 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33
+
+-------------------------------------------------------------------
+Mon May 28 08:06:53 UTC 2018 - ngompa13@gmail.com
+
+- Refactor to support openSUSE Tumbleweed and Leap 42.3 and 15.0
+- Enable AppArmor support for openSUSE Tumbleweed (post Leap 15.0)
+- Enable support for handling the proprietary nvidia driver
+- Drop ancient spec stuff that was being ignored by RPM anyway
+- Drop spurious find command that didn't do anything...
+
+-------------------------------------------------------------------
+Wed May 16 10:20:08 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.9
+
+-------------------------------------------------------------------
+Fri May 11 14:36:16 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.8
+
+-------------------------------------------------------------------
+Fri May 11 13:09:32 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.7
+
+-------------------------------------------------------------------
+Sun Apr 29 19:21:53 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.6
+
+-------------------------------------------------------------------
+Mon Apr 16 16:41:48 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.5
+
+-------------------------------------------------------------------
+Wed Apr 11 16:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.4
+
+-------------------------------------------------------------------
 Wed Apr 11 12:40:09 UTC 2018 - mvo@fastmail.fm
 
 - Update to upstream release 2.32.3.2
@@ -39,7 +176,7 @@
 - Update to upstream release 2.31
 
 -------------------------------------------------------------------
-Mon Dev 18 15:31:24 UTC 2017 - mvo@fastmail.fm
+Sat Nov 18 15:31:24 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.30
 
@@ -54,12 +191,12 @@
 - Update to upstream release 2.29.3
 
 -------------------------------------------------------------------
-Fri Nov 03 17:26:14:17 UTC 2017 - mvo@fastmail.fm
+Fri Nov 03 17:26:14 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.29.2
 
 -------------------------------------------------------------------
-Fri Nov 03 07:27:08:17 UTC 2017 - mvo@fastmail.fm
+Fri Nov 03 07:27:08 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.29.1
 
@@ -69,11 +206,6 @@
 - Update to upstream release 2.29
 
 -------------------------------------------------------------------
-Fri Oct 13 19:46:37 UTC 2017 - mvo@fastmail.fm
-
-- Update to upstream release 2.28.4
-
--------------------------------------------------------------------
 Wed Oct 11 19:46:37 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.28.4
@@ -89,7 +221,7 @@
 - Update to upstream release 2.28.2
 
 -------------------------------------------------------------------
-Mon Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
+Wed Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
 
 - Update to upstream release 2.28.1
 
@@ -134,7 +266,7 @@
 - Update to upstream release 2.27
 
 -------------------------------------------------------------------
-Wed May 19 14:35:29 UTC 2017 - morphis@gravedo.de
+Fri May 19 14:35:29 UTC 2017 - morphis@gravedo.de
 
 - Add bind() syscall to default seccomp policy to allow execution
   of snap hooks.
@@ -164,35 +296,35 @@
   (see https://bugs.launchpad.net/snappy/+bug/1674193 for details)
 
 -------------------------------------------------------------------
-Wed Mar  8 16:09:03 UTC 2017 - me@zygoon.pl
+Wed Mar 08 16:09:03 UTC 2017 - me@zygoon.pl
 
-- Fix log-out prompt to be displayed only when really necessary. 
+- Fix log-out prompt to be displayed only when really necessary.
 - Fix installation of /usr/lib/snapd/info (version information)
 - Install bash completion for "snap"
 
 -------------------------------------------------------------------
-Wed Mar  8 15:53:06 UTC 2017 - me@zygoon.pl
+Wed Mar 08 15:53:06 UTC 2017 - me@zygoon.pl
 
 - New upstream release.
   More details are available at https://github.com/snapcore/snapd/releases/tag/2.23.1
 
 -------------------------------------------------------------------
-Tue Mar  7 23:00:34 UTC 2017 - me@zygoon.pl
+Tue Mar 07 23:00:34 UTC 2017 - me@zygoon.pl
 
 - Add PATH integration and post-install message asking the user to logout to
-  see PATH changes. 
+  see PATH changes.
 
 -------------------------------------------------------------------
-Tue Mar  7 00:45:12 UTC 2017 - me@zygoon.pl
+Tue Mar 07 00:45:12 UTC 2017 - me@zygoon.pl
 
-- (hacky) Disable shellcheck as it is missing on Leap 42.1 
+- (hacky) Disable shellcheck as it is missing on Leap 42.1
 
 -------------------------------------------------------------------
-Tue Mar  7 00:43:58 UTC 2017 - me@zygoon.pl
+Tue Mar 07 00:43:58 UTC 2017 - me@zygoon.pl
 
-- (hacky) fix the 32bit build 
+- (hacky) fix the 32bit build
 
 -------------------------------------------------------------------
-Mon Mar  6 18:08:04 UTC 2017 - me@zygoon.pl
+Mon Mar 06 18:08:04 UTC 2017 - me@zygoon.pl
 
 - Initial package based on fully vendorized source tarball
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.2/snapd-rpmlintrc snapd-2.37~rc1~14.04/packaging/opensuse-42.2/snapd-rpmlintrc
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.2/snapd-rpmlintrc	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.2/snapd-rpmlintrc	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1,4 @@
-setBadness('permissions-unauthorized-file', 222)
+setBadness('permissions-unauthorized-file', 22)
+setBadness('polkit-untracked-privilege', 11)
+setBadness('non-position-independent-executable', 33)
+setBadness('polkit-untracked-privilege', 44)
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.2/snapd.spec snapd-2.37~rc1~14.04/packaging/opensuse-42.2/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.2/snapd.spec	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.2/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,7 @@
 # spec file for package snapd
 #
 # Copyright (c) 2017 Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+# Copyright (c) 2018 Neal Gompa <ngompa13@gmail.com>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,6 +16,31 @@
 
 %bcond_with testkeys
 
+# Enable AppArmor on openSUSE Tumbleweed (post 15.0) or higher
+# N.B.: Prior to openSUSE Tumbleweed in May 2018, the AppArmor userspace in SUSE
+# did not support what we needed to be able to turn on basic integration.
+%if 0%{?suse_version} >= 1550
+%bcond_without apparmor
+%else
+%bcond_with apparmor
+%endif
+
+# Compat macros
+%{!?make_build: %global make_build %{__make} %{?_smp_mflags}}
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+
+# Define the variable for systemd generators, if missing.
+%{?!_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+
+# This is fixed in SUSE Linux 15
+# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
+%if 0%{?suse_version} < 1500
+%global _sharedstatedir %{_localstatedir}/lib
+%endif
+
 %global provider        github
 %global provider_tld    com
 %global project         snapcore
@@ -22,6 +48,16 @@
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 
+# Additional entry of $GOPATH during the build process.
+# This is designed to be a sub-directory of {_builddir}/{name}-{version}
+# because that directory is automatically cleaned-up by the build process.
+%global         indigo_gopath   %{_builddir}/%{name}-%{version}/gopath
+
+# Directory where "name-version" directory from upstream taball is unpacked to.
+# This directory is arranged so that it is already contained inside the future
+# GOPATH so that nothing needs to be moved or copied for "go build" to work.
+%global         indigo_srcdir   %{indigo_gopath}/src/%{import_path}
+
 %global with_test_keys  0
 
 %if %{with testkeys}
@@ -30,9 +66,17 @@
 %global with_test_keys 0
 %endif
 
-%define systemd_services_list snapd.socket snapd.service
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%global systemd_services_list snapd.socket snapd.service snapd.seeded.service %{?with_apparmor:snapd.apparmor.service}
+
+%global snap_mount_dir /snap
+
 Name:           snapd
-Version:        2.32.3.2
+Version:        2.37
 Release:        0
 Summary:        Tools enabling systems to work with .snap files
 License:        GPL-3.0
@@ -40,13 +84,14 @@
 Url:            https://%{import_path}
 Source0:        https://github.com/snapcore/snapd/releases/download/%{version}/%{name}_%{version}.vendor.tar.xz
 Source1:        snapd-rpmlintrc
-# TODO: make this enabled only on Leap 42.2+
-# BuildRequires:  ShellCheck
+%if (0%{?sle_version} >= 120200 || 0%{?suse_version} >= 1500) && 0%{?is_opensuse}
+BuildRequires:  ShellCheck
+%endif
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  glib2-devel
 BuildRequires:  glibc-devel-static
-BuildRequires:  golang-packaging
+BuildRequires:  go
 BuildRequires:  gpg2
 BuildRequires:  indent
 BuildRequires:  libapparmor-devel
@@ -61,179 +106,213 @@
 BuildRequires:  python-docutils
 BuildRequires:  python3-docutils
 BuildRequires:  squashfs
+# Due to: rpm -q --whatprovides /usr/share/pkgconfig/systemd.pc
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  timezone
 BuildRequires:  udev
 BuildRequires:  xfsprogs-devel
 BuildRequires:  xz
+%ifarch x86_64
+# This is needed for seccomp tests
+BuildRequires:  glibc-devel-32bit
+BuildRequires:  glibc-devel-static-32bit
+BuildRequires:  gcc-32bit
+%endif
 
-# Make sure we are on Leap 42.2/SLE 12 SP2 or higher
-%if 0%{?sle_version} >= 120200
-BuildRequires: systemd-rpm-macros
+%if %{with apparmor}
+BuildRequires:  apparmor-rpm-macros
 %endif
 
 PreReq:         permissions
 
 Requires(post): permissions
 Requires:       apparmor-parser
+Requires:       apparmor-profiles
 Requires:       gpg2
 Requires:       openssh
 Requires:       squashfs
 
-%systemd_requires
-
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+# Old versions of xdg-document-portal can expose data belonging to
+# other confied apps.  Older OpenSUSE releases are unlikely to change,
+# so for now limit this to Tumbleweed.
+%if 0%{?suse_version} >= 1550
+Conflicts:      xdg-desktop-portal < 0.11
+%endif
 
-# TODO strip the C executables but don't strip the go executables
-# as that breaks the world in some ways.
-# reenable {go_nostrip}
-%{go_provides}
+%{?systemd_requires}
 
 %description
 This package contains that snapd daemon and the snap command line tool.
 Together they can be used to install, refresh (update), remove and configure
 snap packages on a system. Snap packages are a novel format based on simple
 principles. Bundle your dependencies, run in a predictable environment, use
-moder kernel features for setting up the execution environment and security.
+modern kernel features for setting up the execution environment and security.
 The same binary snap package can be installed and used on many diverse systems
 such as Debian, Fedora and OpenSUSE as well as their multiple derivatives.
-.
+
 This package contains the official build, endorsed by snapd developers. It is
 updated as soon as new upstream releases are made and is designed to live in
 the system:snappy repository.
 
 %prep
-%setup -q -n %{name}-%{version}
+# NOTE: Instead of using setup -q we are unpacking a subdirectory of the source
+# tarball into a directory that is automatically on the future GOPATH. This
+# means that while go doesn't care at all the current working directory is not
+# the top-level directory of the source tarball which some people may find
+# unusual.
+
+# Create indigo compatible build layout.
+mkdir -p %{indigo_srcdir}
+tar -axf %{_sourcedir}/%{name}_%{version}.vendor.tar.xz --strip-components=1 -C %{indigo_srcdir}
+
+# Patch the source in the place it got extracted to.
+pushd %{indigo_srcdir}
+# Add patch0 -p1 ... as appropriate here.
+popd
 
-# Set the version that is compiled into the various executables
+# Set the version that is compiled into the various executables/
+pushd %{indigo_srcdir}
 ./mkversion.sh %{version}-%{release}
+popd
 
-# Generate autotools build system files
-cd cmd && autoreconf -i -f
+# Sanity check, ensure that systemd system generator directory is in agreement between the build system and packaging.
+if [ "$(pkg-config --variable=systemdsystemgeneratordir systemd)" != "%{_systemdgeneratordir}" ]; then
+  echo "pkg-confing and rpm macros disagree about the location of systemd system generator directory"
+  exit 1
+fi
 
-# Enable hardening; We can't use -pie here as this conflicts with
-# our build of static binaries for snap-confine. Also see
-# https://bugzilla.redhat.com/show_bug.cgi?id=1343892
+# Enable hardening; Also see https://bugzilla.redhat.com/show_bug.cgi?id=1343892
 CFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
 CXXFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+LDFLAGS=""
+
+# On openSUSE Leap 15 or more recent build position independent executables.
+# For a helpful guide about the versions and macros used below, please see:
+# https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
+%if 0%{?suse_version} >= 1500
+CFLAGS="$CFLAGS -fPIE"
+CXXFLAGS="$CXXFLAGS -fPIE"
+LDFLAGS="$LDFLAGS -pie"
+%endif
+
 export CFLAGS
 export CXXFLAGS
+export LDFLAGS
 
-# NOTE: until snapd and snap-confine have the improved communication mechanism
-# we need to disable apparmor as snapd doesn't yet support the version of
-# apparmor kernel available in SUSE and Debian. The generated apparmor profiles
-# cannot be loaded into a vanilla kernel. As a temporary measure we just switch
-# it all off.
-%configure --disable-apparmor --libexecdir=%{_libexecdir}/snapd
+# Generate autotools build system files.
+pushd %{indigo_srcdir}/cmd
+autoreconf -i -f
+%configure \
+    %{!?with_apparmor:--disable-apparmor} \
+    --libexecdir=%{_libexecdir}/snapd \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{snap_mount_dir} \
+    --enable-merged-usr
+popd
 
 %build
-# Build golang executables
-%goprep %{import_path}
-
+# Build golang executables, with the following exceptions everything is built the same way:
+# - snap-exec and snap-update-ns is built statically.
+# - snapd has a variant that uses test keys instead of production keys.
+#
+# NOTE: indigo_gopath takes priority over GOPATH. This ensures that we
+# build the code that we intended in case GOPATH points to another copy.
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapctl
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap-seccomp
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-update-ns
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-exec
 %if 0%{?with_test_keys}
-# The gobuild macro doesn't allow us to pass any additional parameters
-# so we we have to invoke `go install` here manually.
-export GOPATH=%{_builddir}/go:%{_libdir}/go/contrib
-export GOBIN=%{_builddir}/go/bin
-# Options used are the same as the gobuild macro does but as it
-# doesn't allow us to amend new flags we have to repeat them here:
-# -s: tell long running tests to shorten their build time
-# -v: be verbose
-# -p 4: allow parallel execution of tests
-# -x: print commands
-go install -s -v -p 4 -x -tags withtestkeys github.com/snapcore/snapd/cmd/snapd
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie -tags withtestkeys %{import_path}/cmd/snapd
 %else
-%gobuild cmd/snapd
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapd
 %endif
 
-%gobuild cmd/snap
-%gobuild cmd/snapctl
-# build snap-exec and snap-update-ns completely static for base snaps
-CGO_ENABLED=0 %gobuild cmd/snap-exec
-# gobuild --ldflags '-extldflags "-static"' bin/snap-update-ns
-# FIXME: ^ this doesn't work yet, it's going to be fixed with another PR.
-%gobuild cmd/snap-update-ns
-
-# This is ok because snap-seccomp only requires static linking when it runs from the core-snap via re-exec.
-sed -e "s/-Bstatic -lseccomp/-Bstatic/g" -i %{_builddir}/go/src/%{provider_prefix}/cmd/snap-seccomp/main.go
-# build snap-seccomp
-%gobuild cmd/snap-seccomp
-
 # Build C executables
-make %{?_smp_mflags} -C cmd
+%make_build -C %{indigo_srcdir}/cmd
 
 %check
-%{gotest} %{import_path}/...
-make %{?_smp_mflags} -C cmd check
+# Run tests with fixed locale that is expected by unicode/color code.
+LC_ALL=C.UTF-8 GOPATH=%{indigo_gopath}:$GOPATH go test %{import_path}/...
+%make_build -C %{indigo_srcdir}/cmd check
 
 %install
-# Install all the go stuff
-%goinstall
-# TODO: instead of removing it move this to a dedicated golang package
-rm -rf %{buildroot}%{_libexecdir}64/go
-rm -rf %{buildroot}%{_libexecdir}/go
-find %{buildroot}
-# Move snapd, snap-exec, snap-seccomp and snap-update-ns into %{_libexecdir}/snapd
-install -m 755 -d %{buildroot}%{_libexecdir}/snapd
-mv %{buildroot}/usr/bin/snapd %{buildroot}%{_libexecdir}/snapd/snapd
-mv %{buildroot}/usr/bin/snap-exec %{buildroot}%{_libexecdir}/snapd/snap-exec
-mv %{buildroot}/usr/bin/snap-update-ns %{buildroot}%{_libexecdir}/snapd/snap-update-ns
-mv %{buildroot}/usr/bin/snap-seccomp %{buildroot}%{_libexecdir}/snapd/snap-seccomp
-# Install profile.d-based PATH integration for /snap/bin
-#   and XDG_DATA_DIRS for /var/lib/snapd/desktop
-make -C data/env install DESTDIR=%{buildroot}
-
+# Install all systemd and dbus units, and env files.
+%make_install -C %{indigo_srcdir}/data \
+		BINDIR=%{_bindir} \
+		LIBEXECDIR=%{_libexecdir} \
+		SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
+		SNAP_MOUNT_DIR=%{snap_mount_dir}
+# Install all the C executables.
+%make_install -C %{indigo_srcdir}/cmd
+# Install all the Go executables.
+install -d -m 755 %{buildroot}%{_bindir}
+install -m 755 snap %{buildroot}%{_bindir}
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -m 755 snapctl %{buildroot}%{_libexecdir}/snapd
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+install -d -m 755 %{buildroot}%{_libexecdir}/snapd
+install -m 755 snapd %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-exec %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-update-ns %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-seccomp %{buildroot}%{_libexecdir}/snapd/
 # Generate and install man page for snap command
-install -m 755 -d %{buildroot}%{_mandir}/man1
-%{buildroot}/usr/bin/snap help --man >  %{buildroot}%{_mandir}/man1/snap.1
-
-# TODO: enable gosrc
-# TODO: enable gofilelist
-
-# Install all the C executables
-%{make_install} -C cmd
+install -d -m 755 %{buildroot}%{_mandir}/man8
+./snap help --man > %{buildroot}%{_mandir}/man8/snap.8
 # Undo special permissions of the void directory
-chmod 755 %{?buildroot}/var/lib/snapd/void
+chmod 755 %{buildroot}%{_sharedstatedir}/snapd/void
 # Remove traces of ubuntu-core-launcher. It is a phased-out executable that is
 # still partially present in the tree but should be removed in the subsequent
 # release.
-rm -f %{?buildroot}/usr/bin/ubuntu-core-launcher
+rm -f %{buildroot}%{_bindir}/ubuntu-core-launcher
 # NOTE: we don't want to ship system-shutdown helper, it is just a helper on
 # ubuntu-core systems that exclusively use snaps. It is used during the
 # shutdown process and thus can be left out of the distribution package.
-rm -f %{?buildroot}%{_libexecdir}/snapd/system-shutdown
+rm -f %{buildroot}%{_libexecdir}/snapd/system-shutdown
 # Install the directories that snapd creates by itself so that they can be a part of the package
-install -d %buildroot/var/lib/snapd/{assertions,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
+install -d %{buildroot}%{_sharedstatedir}/snapd/{assertions,cookie,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
 
-install -d %buildroot/var/lib/snapd/{lib/gl,lib/gl32,lib/vulkan}
-install -d %buildroot/var/cache/snapd
-install -d %buildroot/snap/bin
+install -d %{buildroot}%{_sharedstatedir}/snapd/{lib/gl,lib/gl32,lib/vulkan}
+install -d %{buildroot}%{_localstatedir}/cache/snapd
+install -d %{buildroot}%{_datadir}/polkit-1/actions
+install -d %{buildroot}%{snap_mount_dir}/bin
 # Install local permissions policy for snap-confine. This should be removed
 # once snap-confine is added to the permissions package. This is done following
 # the recommendations on
 # https://en.opensuse.org/openSUSE:Package_security_guidelines
-install -m 644 -D packaging/opensuse-42.2/permissions %buildroot/%{_sysconfdir}/permissions.d/snapd
-install -m 644 -D packaging/opensuse-42.2/permissions.paranoid %buildroot/%{_sysconfdir}/permissions.d/snapd.paranoid
-# Install the systemd units
-make -C data install DESTDIR=%{buildroot} SYSTEMDSYSTEMUNITDIR=%{_unitdir}
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid
+# Remove unwanted systemd units
 for s in snapd.autoimport.service snapd.system-shutdown.service snapd.snap-repair.timer snapd.snap-repair.service snapd.core-fixup.service; do
-    rm -f %buildroot/%{_unitdir}/$s
+    rm -f %{buildroot}%{_unitdir}/$s
 done
 # Remove snappy core specific scripts
-rm -f %buildroot%{_libexecdir}/snapd/snapd.core-fixup.sh
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Install Polkit configuration
+install -m 644 -D %{indigo_srcdir}/data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
 
 # See https://en.opensuse.org/openSUSE:Packaging_checks#suse-missing-rclink for details
-install -d %{buildroot}/usr/sbin
-ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcsnapd
-ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcsnapd.refresh
+install -d %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.apparmor
+%endif
 # Install the "info" data file with snapd version
-install -m 644 -D data/info %{buildroot}%{_libexecdir}/snapd/info
+install -m 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info
 # Install bash completion for "snap"
-install -m 644 -D data/completion/snap %{buildroot}/usr/share/bash-completion/completions/snap
-install -m 644 -D data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
-install -m 644 -D data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
-# move snapd-generator
-install -m 755 -d %{buildroot}/lib/systemd/system-generators/
-mv %{buildroot}%{_libexecdir}/snapd/snapd-generator %{buildroot}/lib/systemd/system-generators/
+install -m 644 -D %{indigo_srcdir}/data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D %{indigo_srcdir}/data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D %{indigo_srcdir}/data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Don't ship apparmor helper service when AppArmor is not enabled
+%if ! %{with apparmor}
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+%endif
 
 %verifyscript
 %verify_permissions -e %{_libexecdir}/snapd/snap-confine
@@ -243,12 +322,16 @@
 
 %post
 %set_permissions %{_libexecdir}/snapd/snap-confine
+%if %{with apparmor}
+%apparmor_reload /etc/apparmor.d/usr.lib.snapd.snap-confine
+%endif
 %service_add_post %{systemd_services_list}
 case ":$PATH:" in
     *:/snap/bin:*)
         ;;
     *)
         echo "Please reboot, logout/login or source /etc/profile to have /snap/bin added to PATH."
+        echo "On a Tumbleweed system you need to run: systemctl enable snapd.apparmor.service"
         ;;
 esac
 
@@ -262,57 +345,89 @@
 %service_del_postun %{systemd_services_list}
 
 %files
-%defattr(-,root,root)
+%if %{with apparmor}
+%config %{_sysconfdir}/apparmor.d
+%endif
 %config %{_sysconfdir}/permissions.d/snapd
 %config %{_sysconfdir}/permissions.d/snapd.paranoid
 %config %{_sysconfdir}/profile.d/snapd.sh
-%dir %attr(0000,root,root) /var/lib/snapd/void
-%dir /snap
-%dir /snap/bin
+%dir %attr(0000,root,root) %{_sharedstatedir}/snapd/void
+%dir %{snap_mount_dir}
+%dir %{snap_mount_dir}/bin
 %dir %{_libexecdir}/snapd
-%dir /var/lib/snapd
-%dir /var/lib/snapd/apparmor
-%dir /var/lib/snapd/apparmor/profiles
-%dir /var/lib/snapd/apparmor/snap-confine
-%dir /var/lib/snapd/assertions
-%dir /var/lib/snapd/desktop
-%dir /var/lib/snapd/desktop/applications
-%dir /var/lib/snapd/device
-%dir /var/lib/snapd/hostfs
-%dir /var/lib/snapd/mount
-%dir /var/lib/snapd/seccomp
-%dir /var/lib/snapd/seccomp/bpf
-%dir /var/lib/snapd/snaps
-%dir /var/lib/snapd/lib
-%dir /var/lib/snapd/lib/gl
-%dir /var/lib/snapd/lib/gl32
-%dir /var/lib/snapd/lib/vulkan
-%dir /var/cache/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/apparmor
+%dir %{_sharedstatedir}/snapd/apparmor/profiles
+%dir %{_sharedstatedir}/snapd/apparmor/snap-confine
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_localstatedir}/cache/snapd
+%dir %{_environmentdir}
+%dir %{_systemd_system_env_generator_dir}
+%dir %{_systemdgeneratordir}
+%dir %{_datadir}/dbus-1
+%dir %{_datadir}/dbus-1/services
+%dir %{_datadir}/polkit-1
+%dir %{_datadir}/polkit-1/actions
 %verify(not user group mode) %attr(06755,root,root) %{_libexecdir}/snapd/snap-confine
-%{_mandir}/man1/snap-confine.1.gz
-%{_mandir}/man5/snap-discard-ns.5.gz
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_mandir}/man8/snapd-env-generator.8*
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.socket
-/usr/bin/snap
-/usr/bin/snapctl
-/usr/sbin/rcsnapd
-/usr/sbin/rcsnapd.refresh
+%{_unitdir}/snapd.seeded.service
+%{_unitdir}/snapd.failure.service
+%if %{with apparmor}
+%{_unitdir}/snapd.apparmor.service
+%endif
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_sbindir}/rcsnapd
+%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+%{_sbindir}/rcsnapd.apparmor
+%endif
 %{_libexecdir}/snapd/info
 %{_libexecdir}/snapd/snap-discard-ns
 %{_libexecdir}/snapd/snap-update-ns
 %{_libexecdir}/snapd/snap-exec
 %{_libexecdir}/snapd/snap-seccomp
 %{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snapctl
+%if %{with apparmor}
+%{_libexecdir}/snapd/snapd-apparmor
+%endif
 %{_libexecdir}/snapd/snap-mgmt
 %{_libexecdir}/snapd/snap-gdb-shim
 %{_libexecdir}/snapd/snap-device-helper
-/usr/share/bash-completion/completions/snap
+%{_datadir}/bash-completion/completions/snap
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
-/lib/systemd/system-generators/snapd-generator
-%{_mandir}/man1/snap.1.gz
-/usr/share/dbus-1/services/io.snapcraft.Launcher.service
-/usr/share/dbus-1/services/io.snapcraft.Settings.service
+%{_systemdgeneratordir}/snapd-generator
+%{_mandir}/man8/snap.8*
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_libexecdir}/snapd/snapd.run-from-snap
+%if %{with apparmor}
+%{_sysconfdir}/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%{_environmentdir}/990-snapd.conf
+%{_systemd_system_env_generator_dir}/snapd-env-generator
 
 %changelog
 
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions.easy snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions.easy
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions.easy	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions.easy	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions.paranoid snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions.paranoid
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions.paranoid	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions.paranoid	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions.secure snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions.secure
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.3/permissions.secure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.3/permissions.secure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.3/snapd.changes snapd-2.37~rc1~14.04/packaging/opensuse-42.3/snapd.changes
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.3/snapd.changes	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.3/snapd.changes	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,330 @@
+-------------------------------------------------------------------
+Wed Jan 16 08:36:51 UTC 2019 - mvo@fastmail.fm
+
+- Update to upstream release 2.37
+
+-------------------------------------------------------------------
+Fri Dec 14 07:30:58 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.3
+
+-------------------------------------------------------------------
+Thu Nov 29 10:48:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.2
+
+-------------------------------------------------------------------
+Fri Nov 09 14:42:28 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.1
+
+-------------------------------------------------------------------
+Wed Oct 24 17:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36
+
+-------------------------------------------------------------------
+Mon Oct 15 22:23:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.5
+
+-------------------------------------------------------------------
+Fri Oct 05 14:42:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.4
+
+-------------------------------------------------------------------
+Fri Oct 05 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.3
+
+-------------------------------------------------------------------
+Wed Sep 12 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.2
+
+-------------------------------------------------------------------
+Mon Sep 03 14:44:06 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.1
+
+-------------------------------------------------------------------
+Mon Aug 20 12:36:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35
+
+-------------------------------------------------------------------
+Fri Jul 27 19:08:44 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.3
+
+-------------------------------------------------------------------
+Thu Jul 19 12:05:50 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.2
+
+-------------------------------------------------------------------
+Wed Jul 17 19:46:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.1
+
+-------------------------------------------------------------------
+Fri Jul 06 16:08:17 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34
+
+-------------------------------------------------------------------
+Fri Jun 22 15:58:54 UTC 2018 - me@zygoon.pl
+
+- Fixed changelog chronology
+
+-------------------------------------------------------------------
+Fri Jun 22 14:25:35 UTC 2018 - me@zygoon.pl
+
+- Sync with snapd upstream packaging
+- Backport support for apparmor on tumbleweed
+- Install polkit files
+- Load snap-confine apparmor profile in post, if apparmor is enabled
+- Adjust badness of polkit-untracked-privlege
+-------------------------------------------------------------------
+Thu Jun 21 17:37:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33.1
+
+-------------------------------------------------------------------
+Fri Jun 08 17:13:47 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33
+
+-------------------------------------------------------------------
+Mon May 28 08:06:53 UTC 2018 - ngompa13@gmail.com
+
+- Refactor to support openSUSE Tumbleweed and Leap 42.3 and 15.0
+- Enable AppArmor support for openSUSE Tumbleweed (post Leap 15.0)
+- Enable support for handling the proprietary nvidia driver
+- Drop ancient spec stuff that was being ignored by RPM anyway
+- Drop spurious find command that didn't do anything...
+
+-------------------------------------------------------------------
+Wed May 16 10:20:08 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.9
+
+-------------------------------------------------------------------
+Fri May 11 14:36:16 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.8
+
+-------------------------------------------------------------------
+Fri May 11 13:09:32 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.7
+
+-------------------------------------------------------------------
+Sun Apr 29 19:21:53 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.6
+
+-------------------------------------------------------------------
+Mon Apr 16 16:41:48 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.5
+
+-------------------------------------------------------------------
+Wed Apr 11 16:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.4
+
+-------------------------------------------------------------------
+Wed Apr 11 12:40:09 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.2
+
+-------------------------------------------------------------------
+Wed Apr 11 10:34:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.1
+
+-------------------------------------------------------------------
+Thu Apr 05 22:35:35 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3
+
+-------------------------------------------------------------------
+Sat Mar 31 21:09:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.2
+
+-------------------------------------------------------------------
+Mon Mar 26 21:03:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.1
+
+-------------------------------------------------------------------
+Sat Mar 24 08:50:11 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32
+
+-------------------------------------------------------------------
+Tue Feb 20 17:32:42 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31.1
+
+-------------------------------------------------------------------
+Tue Feb 06 09:46:22 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31
+
+-------------------------------------------------------------------
+Sat Nov 18 15:31:24 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.30
+
+-------------------------------------------------------------------
+Fri Nov 17 22:56:09 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.4
+
+-------------------------------------------------------------------
+Thu Nov 09 19:16:29 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.3
+
+-------------------------------------------------------------------
+Fri Nov 03 17:26:14 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.2
+
+-------------------------------------------------------------------
+Fri Nov 03 07:27:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.1
+
+-------------------------------------------------------------------
+Mon Oct 30 16:24:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29
+
+-------------------------------------------------------------------
+Wed Oct 11 19:46:37 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.4
+
+-------------------------------------------------------------------
+Wed Oct 11 08:23:47 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.3
+
+-------------------------------------------------------------------
+Tue Oct 10 18:42:45 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.2
+
+-------------------------------------------------------------------
+Wed Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.1
+
+-------------------------------------------------------------------
+Mon Sep 25 16:09:15 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28
+
+-------------------------------------------------------------------
+Thu Sep 07 10:32:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.6
+
+-------------------------------------------------------------------
+Wed Aug 30 07:45:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.5
+
+-------------------------------------------------------------------
+Thu Aug 24 09:08:32 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.4
+
+-------------------------------------------------------------------
+Fri Aug 18 15:51:22 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.3
+
+-------------------------------------------------------------------
+Wed Aug 16 12:16:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.2
+
+-------------------------------------------------------------------
+Mon Aug 14 08:07:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.1
+
+-------------------------------------------------------------------
+Thu Aug 10 11:25:11 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27
+
+-------------------------------------------------------------------
+Fri May 19 14:35:29 UTC 2017 - morphis@gravedo.de
+
+- Add bind() syscall to default seccomp policy to allow execution
+  of snap hooks.
+- Do not share /etc/ssl with the host but use the one from the core
+  snap.
+
+-------------------------------------------------------------------
+Wed May 10 12:24:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.25
+
+-------------------------------------------------------------------
+Thu Apr 13 14:06:13 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.24
+
+-------------------------------------------------------------------
+Thu Mar 30 14:14:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.6
+
+-------------------------------------------------------------------
+Thu Mar 23 08:53:37 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.5
+- Disable seccomp support to work around bugs in snap-confine
+  (see https://bugs.launchpad.net/snappy/+bug/1674193 for details)
+
+-------------------------------------------------------------------
+Wed Mar 08 16:09:03 UTC 2017 - me@zygoon.pl
+
+- Fix log-out prompt to be displayed only when really necessary.
+- Fix installation of /usr/lib/snapd/info (version information)
+- Install bash completion for "snap"
+
+-------------------------------------------------------------------
+Wed Mar 08 15:53:06 UTC 2017 - me@zygoon.pl
+
+- New upstream release.
+  More details are available at https://github.com/snapcore/snapd/releases/tag/2.23.1
+
+-------------------------------------------------------------------
+Tue Mar 07 23:00:34 UTC 2017 - me@zygoon.pl
+
+- Add PATH integration and post-install message asking the user to logout to
+  see PATH changes.
+
+-------------------------------------------------------------------
+Tue Mar 07 00:45:12 UTC 2017 - me@zygoon.pl
+
+- (hacky) Disable shellcheck as it is missing on Leap 42.1
+
+-------------------------------------------------------------------
+Tue Mar 07 00:43:58 UTC 2017 - me@zygoon.pl
+
+- (hacky) fix the 32bit build
+
+-------------------------------------------------------------------
+Mon Mar 06 18:08:04 UTC 2017 - me@zygoon.pl
+
+- Initial package based on fully vendorized source tarball
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.3/snapd-rpmlintrc snapd-2.37~rc1~14.04/packaging/opensuse-42.3/snapd-rpmlintrc
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.3/snapd-rpmlintrc	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.3/snapd-rpmlintrc	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+setBadness('permissions-unauthorized-file', 22)
+setBadness('polkit-untracked-privilege', 11)
+setBadness('non-position-independent-executable', 33)
+setBadness('polkit-untracked-privilege', 44)
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-42.3/snapd.spec snapd-2.37~rc1~14.04/packaging/opensuse-42.3/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/opensuse-42.3/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-42.3/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,433 @@
+# spec file for package snapd
+#
+# Copyright (c) 2017 Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+# Copyright (c) 2018 Neal Gompa <ngompa13@gmail.com>
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+
+%bcond_with testkeys
+
+# Enable AppArmor on openSUSE Tumbleweed (post 15.0) or higher
+# N.B.: Prior to openSUSE Tumbleweed in May 2018, the AppArmor userspace in SUSE
+# did not support what we needed to be able to turn on basic integration.
+%if 0%{?suse_version} >= 1550
+%bcond_without apparmor
+%else
+%bcond_with apparmor
+%endif
+
+# Compat macros
+%{!?make_build: %global make_build %{__make} %{?_smp_mflags}}
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+
+# Define the variable for systemd generators, if missing.
+%{?!_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+
+# This is fixed in SUSE Linux 15
+# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
+%if 0%{?suse_version} < 1500
+%global _sharedstatedir %{_localstatedir}/lib
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+# Additional entry of $GOPATH during the build process.
+# This is designed to be a sub-directory of {_builddir}/{name}-{version}
+# because that directory is automatically cleaned-up by the build process.
+%global         indigo_gopath   %{_builddir}/%{name}-%{version}/gopath
+
+# Directory where "name-version" directory from upstream taball is unpacked to.
+# This directory is arranged so that it is already contained inside the future
+# GOPATH so that nothing needs to be moved or copied for "go build" to work.
+%global         indigo_srcdir   %{indigo_gopath}/src/%{import_path}
+
+%global with_test_keys  0
+
+%if %{with testkeys}
+%global with_test_keys 1
+%else
+%global with_test_keys 0
+%endif
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%global systemd_services_list snapd.socket snapd.service snapd.seeded.service %{?with_apparmor:snapd.apparmor.service}
+
+%global snap_mount_dir /snap
+
+Name:           snapd
+Version:        2.37
+Release:        0
+Summary:        Tools enabling systems to work with .snap files
+License:        GPL-3.0
+Group:          System/Packages
+Url:            https://%{import_path}
+Source0:        https://github.com/snapcore/snapd/releases/download/%{version}/%{name}_%{version}.vendor.tar.xz
+Source1:        snapd-rpmlintrc
+%if (0%{?sle_version} >= 120200 || 0%{?suse_version} >= 1500) && 0%{?is_opensuse}
+BuildRequires:  ShellCheck
+%endif
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  glib2-devel
+BuildRequires:  glibc-devel-static
+BuildRequires:  go
+BuildRequires:  gpg2
+BuildRequires:  indent
+BuildRequires:  libapparmor-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtool
+BuildRequires:  libudev-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  make
+BuildRequires:  openssh
+BuildRequires:  pkg-config
+BuildRequires:  python-docutils
+BuildRequires:  python3-docutils
+BuildRequires:  squashfs
+# Due to: rpm -q --whatprovides /usr/share/pkgconfig/systemd.pc
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  timezone
+BuildRequires:  udev
+BuildRequires:  xfsprogs-devel
+BuildRequires:  xz
+%ifarch x86_64
+# This is needed for seccomp tests
+BuildRequires:  glibc-devel-32bit
+BuildRequires:  glibc-devel-static-32bit
+BuildRequires:  gcc-32bit
+%endif
+
+%if %{with apparmor}
+BuildRequires:  apparmor-rpm-macros
+%endif
+
+PreReq:         permissions
+
+Requires(post): permissions
+Requires:       apparmor-parser
+Requires:       apparmor-profiles
+Requires:       gpg2
+Requires:       openssh
+Requires:       squashfs
+
+# Old versions of xdg-document-portal can expose data belonging to
+# other confied apps.  Older OpenSUSE releases are unlikely to change,
+# so for now limit this to Tumbleweed.
+%if 0%{?suse_version} >= 1550
+Conflicts:      xdg-desktop-portal < 0.11
+%endif
+
+%{?systemd_requires}
+
+%description
+This package contains that snapd daemon and the snap command line tool.
+Together they can be used to install, refresh (update), remove and configure
+snap packages on a system. Snap packages are a novel format based on simple
+principles. Bundle your dependencies, run in a predictable environment, use
+modern kernel features for setting up the execution environment and security.
+The same binary snap package can be installed and used on many diverse systems
+such as Debian, Fedora and OpenSUSE as well as their multiple derivatives.
+
+This package contains the official build, endorsed by snapd developers. It is
+updated as soon as new upstream releases are made and is designed to live in
+the system:snappy repository.
+
+%prep
+# NOTE: Instead of using setup -q we are unpacking a subdirectory of the source
+# tarball into a directory that is automatically on the future GOPATH. This
+# means that while go doesn't care at all the current working directory is not
+# the top-level directory of the source tarball which some people may find
+# unusual.
+
+# Create indigo compatible build layout.
+mkdir -p %{indigo_srcdir}
+tar -axf %{_sourcedir}/%{name}_%{version}.vendor.tar.xz --strip-components=1 -C %{indigo_srcdir}
+
+# Patch the source in the place it got extracted to.
+pushd %{indigo_srcdir}
+# Add patch0 -p1 ... as appropriate here.
+popd
+
+# Set the version that is compiled into the various executables/
+pushd %{indigo_srcdir}
+./mkversion.sh %{version}-%{release}
+popd
+
+# Sanity check, ensure that systemd system generator directory is in agreement between the build system and packaging.
+if [ "$(pkg-config --variable=systemdsystemgeneratordir systemd)" != "%{_systemdgeneratordir}" ]; then
+  echo "pkg-confing and rpm macros disagree about the location of systemd system generator directory"
+  exit 1
+fi
+
+# Enable hardening; Also see https://bugzilla.redhat.com/show_bug.cgi?id=1343892
+CFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+CXXFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+LDFLAGS=""
+
+# On openSUSE Leap 15 or more recent build position independent executables.
+# For a helpful guide about the versions and macros used below, please see:
+# https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
+%if 0%{?suse_version} >= 1500
+CFLAGS="$CFLAGS -fPIE"
+CXXFLAGS="$CXXFLAGS -fPIE"
+LDFLAGS="$LDFLAGS -pie"
+%endif
+
+export CFLAGS
+export CXXFLAGS
+export LDFLAGS
+
+# Generate autotools build system files.
+pushd %{indigo_srcdir}/cmd
+autoreconf -i -f
+%configure \
+    %{!?with_apparmor:--disable-apparmor} \
+    --libexecdir=%{_libexecdir}/snapd \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{snap_mount_dir} \
+    --enable-merged-usr
+popd
+
+%build
+# Build golang executables, with the following exceptions everything is built the same way:
+# - snap-exec and snap-update-ns is built statically.
+# - snapd has a variant that uses test keys instead of production keys.
+#
+# NOTE: indigo_gopath takes priority over GOPATH. This ensures that we
+# build the code that we intended in case GOPATH points to another copy.
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapctl
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap-seccomp
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-update-ns
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-exec
+%if 0%{?with_test_keys}
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie -tags withtestkeys %{import_path}/cmd/snapd
+%else
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapd
+%endif
+
+# Build C executables
+%make_build -C %{indigo_srcdir}/cmd
+
+%check
+# Run tests with fixed locale that is expected by unicode/color code.
+LC_ALL=C.UTF-8 GOPATH=%{indigo_gopath}:$GOPATH go test %{import_path}/...
+%make_build -C %{indigo_srcdir}/cmd check
+
+%install
+# Install all systemd and dbus units, and env files.
+%make_install -C %{indigo_srcdir}/data \
+		BINDIR=%{_bindir} \
+		LIBEXECDIR=%{_libexecdir} \
+		SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
+		SNAP_MOUNT_DIR=%{snap_mount_dir}
+# Install all the C executables.
+%make_install -C %{indigo_srcdir}/cmd
+# Install all the Go executables.
+install -d -m 755 %{buildroot}%{_bindir}
+install -m 755 snap %{buildroot}%{_bindir}
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -m 755 snapctl %{buildroot}%{_libexecdir}/snapd
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+install -d -m 755 %{buildroot}%{_libexecdir}/snapd
+install -m 755 snapd %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-exec %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-update-ns %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-seccomp %{buildroot}%{_libexecdir}/snapd/
+# Generate and install man page for snap command
+install -d -m 755 %{buildroot}%{_mandir}/man8
+./snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+# Undo special permissions of the void directory
+chmod 755 %{buildroot}%{_sharedstatedir}/snapd/void
+# Remove traces of ubuntu-core-launcher. It is a phased-out executable that is
+# still partially present in the tree but should be removed in the subsequent
+# release.
+rm -f %{buildroot}%{_bindir}/ubuntu-core-launcher
+# NOTE: we don't want to ship system-shutdown helper, it is just a helper on
+# ubuntu-core systems that exclusively use snaps. It is used during the
+# shutdown process and thus can be left out of the distribution package.
+rm -f %{buildroot}%{_libexecdir}/snapd/system-shutdown
+# Install the directories that snapd creates by itself so that they can be a part of the package
+install -d %{buildroot}%{_sharedstatedir}/snapd/{assertions,cookie,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
+
+install -d %{buildroot}%{_sharedstatedir}/snapd/{lib/gl,lib/gl32,lib/vulkan}
+install -d %{buildroot}%{_localstatedir}/cache/snapd
+install -d %{buildroot}%{_datadir}/polkit-1/actions
+install -d %{buildroot}%{snap_mount_dir}/bin
+# Install local permissions policy for snap-confine. This should be removed
+# once snap-confine is added to the permissions package. This is done following
+# the recommendations on
+# https://en.opensuse.org/openSUSE:Package_security_guidelines
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid
+# Remove unwanted systemd units
+for s in snapd.autoimport.service snapd.system-shutdown.service snapd.snap-repair.timer snapd.snap-repair.service snapd.core-fixup.service; do
+    rm -f %{buildroot}%{_unitdir}/$s
+done
+# Remove snappy core specific scripts
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Install Polkit configuration
+install -m 644 -D %{indigo_srcdir}/data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# See https://en.opensuse.org/openSUSE:Packaging_checks#suse-missing-rclink for details
+install -d %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.apparmor
+%endif
+# Install the "info" data file with snapd version
+install -m 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info
+# Install bash completion for "snap"
+install -m 644 -D %{indigo_srcdir}/data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D %{indigo_srcdir}/data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D %{indigo_srcdir}/data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Don't ship apparmor helper service when AppArmor is not enabled
+%if ! %{with apparmor}
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+%endif
+
+%verifyscript
+%verify_permissions -e %{_libexecdir}/snapd/snap-confine
+
+%pre
+%service_add_pre %{systemd_services_list}
+
+%post
+%set_permissions %{_libexecdir}/snapd/snap-confine
+%if %{with apparmor}
+%apparmor_reload /etc/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%service_add_post %{systemd_services_list}
+case ":$PATH:" in
+    *:/snap/bin:*)
+        ;;
+    *)
+        echo "Please reboot, logout/login or source /etc/profile to have /snap/bin added to PATH."
+        echo "On a Tumbleweed system you need to run: systemctl enable snapd.apparmor.service"
+        ;;
+esac
+
+%preun
+%service_del_preun %{systemd_services_list}
+if [ $1 -eq 0 ]; then
+    %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+%postun
+%service_del_postun %{systemd_services_list}
+
+%files
+%if %{with apparmor}
+%config %{_sysconfdir}/apparmor.d
+%endif
+%config %{_sysconfdir}/permissions.d/snapd
+%config %{_sysconfdir}/permissions.d/snapd.paranoid
+%config %{_sysconfdir}/profile.d/snapd.sh
+%dir %attr(0000,root,root) %{_sharedstatedir}/snapd/void
+%dir %{snap_mount_dir}
+%dir %{snap_mount_dir}/bin
+%dir %{_libexecdir}/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/apparmor
+%dir %{_sharedstatedir}/snapd/apparmor/profiles
+%dir %{_sharedstatedir}/snapd/apparmor/snap-confine
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_localstatedir}/cache/snapd
+%dir %{_environmentdir}
+%dir %{_systemd_system_env_generator_dir}
+%dir %{_systemdgeneratordir}
+%dir %{_datadir}/dbus-1
+%dir %{_datadir}/dbus-1/services
+%dir %{_datadir}/polkit-1
+%dir %{_datadir}/polkit-1/actions
+%verify(not user group mode) %attr(06755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.seeded.service
+%{_unitdir}/snapd.failure.service
+%if %{with apparmor}
+%{_unitdir}/snapd.apparmor.service
+%endif
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_sbindir}/rcsnapd
+%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+%{_sbindir}/rcsnapd.apparmor
+%endif
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snapctl
+%if %{with apparmor}
+%{_libexecdir}/snapd/snapd-apparmor
+%endif
+%{_libexecdir}/snapd/snap-mgmt
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-device-helper
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_systemdgeneratordir}/snapd-generator
+%{_mandir}/man8/snap.8*
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_libexecdir}/snapd/snapd.run-from-snap
+%if %{with apparmor}
+%{_sysconfdir}/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%{_environmentdir}/990-snapd.conf
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+
+%changelog
+
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions
--- snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions.easy snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions.easy
--- snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions.easy	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions.easy	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions.paranoid snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions.paranoid
--- snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions.paranoid	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions.paranoid	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions.secure snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions.secure
--- snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/permissions.secure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/permissions.secure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/snapd/snap-confine                             root:root         6755
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/snapd.changes snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/snapd.changes
--- snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/snapd.changes	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/snapd.changes	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,330 @@
+-------------------------------------------------------------------
+Wed Jan 16 08:36:51 UTC 2019 - mvo@fastmail.fm
+
+- Update to upstream release 2.37
+
+-------------------------------------------------------------------
+Fri Dec 14 07:30:58 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.3
+
+-------------------------------------------------------------------
+Thu Nov 29 10:48:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.2
+
+-------------------------------------------------------------------
+Fri Nov 09 14:42:28 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36.1
+
+-------------------------------------------------------------------
+Wed Oct 24 17:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.36
+
+-------------------------------------------------------------------
+Mon Oct 15 22:23:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.5
+
+-------------------------------------------------------------------
+Fri Oct 05 14:42:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.4
+
+-------------------------------------------------------------------
+Fri Oct 05 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.3
+
+-------------------------------------------------------------------
+Wed Sep 12 09:32:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.2
+
+-------------------------------------------------------------------
+Mon Sep 03 14:44:06 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35.1
+
+-------------------------------------------------------------------
+Mon Aug 20 12:36:33 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.35
+
+-------------------------------------------------------------------
+Fri Jul 27 19:08:44 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.3
+
+-------------------------------------------------------------------
+Thu Jul 19 12:05:50 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.2
+
+-------------------------------------------------------------------
+Wed Jul 17 19:46:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34.1
+
+-------------------------------------------------------------------
+Fri Jul 06 16:08:17 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.34
+
+-------------------------------------------------------------------
+Fri Jun 22 15:58:54 UTC 2018 - me@zygoon.pl
+
+- Fixed changelog chronology
+
+-------------------------------------------------------------------
+Fri Jun 22 14:25:35 UTC 2018 - me@zygoon.pl
+
+- Sync with snapd upstream packaging
+- Backport support for apparmor on tumbleweed
+- Install polkit files
+- Load snap-confine apparmor profile in post, if apparmor is enabled
+- Adjust badness of polkit-untracked-privlege
+-------------------------------------------------------------------
+Thu Jun 21 17:37:56 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33.1
+
+-------------------------------------------------------------------
+Fri Jun 08 17:13:47 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.33
+
+-------------------------------------------------------------------
+Mon May 28 08:06:53 UTC 2018 - ngompa13@gmail.com
+
+- Refactor to support openSUSE Tumbleweed and Leap 42.3 and 15.0
+- Enable AppArmor support for openSUSE Tumbleweed (post Leap 15.0)
+- Enable support for handling the proprietary nvidia driver
+- Drop ancient spec stuff that was being ignored by RPM anyway
+- Drop spurious find command that didn't do anything...
+
+-------------------------------------------------------------------
+Wed May 16 10:20:08 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.9
+
+-------------------------------------------------------------------
+Fri May 11 14:36:16 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.8
+
+-------------------------------------------------------------------
+Fri May 11 13:09:32 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.7
+
+-------------------------------------------------------------------
+Sun Apr 29 19:21:53 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.6
+
+-------------------------------------------------------------------
+Mon Apr 16 16:41:48 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.5
+
+-------------------------------------------------------------------
+Wed Apr 11 16:30:45 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.4
+
+-------------------------------------------------------------------
+Wed Apr 11 12:40:09 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.2
+
+-------------------------------------------------------------------
+Wed Apr 11 10:34:00 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3.1
+
+-------------------------------------------------------------------
+Thu Apr 05 22:35:35 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.3
+
+-------------------------------------------------------------------
+Sat Mar 31 21:09:29 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.2
+
+-------------------------------------------------------------------
+Mon Mar 26 21:03:02 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32.1
+
+-------------------------------------------------------------------
+Sat Mar 24 08:50:11 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.32
+
+-------------------------------------------------------------------
+Tue Feb 20 17:32:42 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31.1
+
+-------------------------------------------------------------------
+Tue Feb 06 09:46:22 UTC 2018 - mvo@fastmail.fm
+
+- Update to upstream release 2.31
+
+-------------------------------------------------------------------
+Sat Nov 18 15:31:24 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.30
+
+-------------------------------------------------------------------
+Fri Nov 17 22:56:09 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.4
+
+-------------------------------------------------------------------
+Thu Nov 09 19:16:29 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.3
+
+-------------------------------------------------------------------
+Fri Nov 03 17:26:14 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.2
+
+-------------------------------------------------------------------
+Fri Nov 03 07:27:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29.1
+
+-------------------------------------------------------------------
+Mon Oct 30 16:24:08 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.29
+
+-------------------------------------------------------------------
+Wed Oct 11 19:46:37 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.4
+
+-------------------------------------------------------------------
+Wed Oct 11 08:23:47 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.3
+
+-------------------------------------------------------------------
+Tue Oct 10 18:42:45 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.2
+
+-------------------------------------------------------------------
+Wed Sep 27 22:04:59 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28.1
+
+-------------------------------------------------------------------
+Mon Sep 25 16:09:15 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.28
+
+-------------------------------------------------------------------
+Thu Sep 07 10:32:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.6
+
+-------------------------------------------------------------------
+Wed Aug 30 07:45:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.5
+
+-------------------------------------------------------------------
+Thu Aug 24 09:08:32 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.4
+
+-------------------------------------------------------------------
+Fri Aug 18 15:51:22 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.3
+
+-------------------------------------------------------------------
+Wed Aug 16 12:16:01 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.2
+
+-------------------------------------------------------------------
+Mon Aug 14 08:07:21 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27.1
+
+-------------------------------------------------------------------
+Thu Aug 10 11:25:11 UTC 2017 - mvo@fastmail.fm
+
+- Update to upstream release 2.27
+
+-------------------------------------------------------------------
+Fri May 19 14:35:29 UTC 2017 - morphis@gravedo.de
+
+- Add bind() syscall to default seccomp policy to allow execution
+  of snap hooks.
+- Do not share /etc/ssl with the host but use the one from the core
+  snap.
+
+-------------------------------------------------------------------
+Wed May 10 12:24:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.25
+
+-------------------------------------------------------------------
+Thu Apr 13 14:06:13 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.24
+
+-------------------------------------------------------------------
+Thu Mar 30 14:14:44 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.6
+
+-------------------------------------------------------------------
+Thu Mar 23 08:53:37 UTC 2017 - morphis@gravedo.de
+
+- Update to upstream release 2.23.5
+- Disable seccomp support to work around bugs in snap-confine
+  (see https://bugs.launchpad.net/snappy/+bug/1674193 for details)
+
+-------------------------------------------------------------------
+Wed Mar 08 16:09:03 UTC 2017 - me@zygoon.pl
+
+- Fix log-out prompt to be displayed only when really necessary.
+- Fix installation of /usr/lib/snapd/info (version information)
+- Install bash completion for "snap"
+
+-------------------------------------------------------------------
+Wed Mar 08 15:53:06 UTC 2017 - me@zygoon.pl
+
+- New upstream release.
+  More details are available at https://github.com/snapcore/snapd/releases/tag/2.23.1
+
+-------------------------------------------------------------------
+Tue Mar 07 23:00:34 UTC 2017 - me@zygoon.pl
+
+- Add PATH integration and post-install message asking the user to logout to
+  see PATH changes.
+
+-------------------------------------------------------------------
+Tue Mar 07 00:45:12 UTC 2017 - me@zygoon.pl
+
+- (hacky) Disable shellcheck as it is missing on Leap 42.1
+
+-------------------------------------------------------------------
+Tue Mar 07 00:43:58 UTC 2017 - me@zygoon.pl
+
+- (hacky) fix the 32bit build
+
+-------------------------------------------------------------------
+Mon Mar 06 18:08:04 UTC 2017 - me@zygoon.pl
+
+- Initial package based on fully vendorized source tarball
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/snapd-rpmlintrc snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/snapd-rpmlintrc
--- snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/snapd-rpmlintrc	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/snapd-rpmlintrc	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+setBadness('permissions-unauthorized-file', 22)
+setBadness('polkit-untracked-privilege', 11)
+setBadness('non-position-independent-executable', 33)
+setBadness('polkit-untracked-privilege', 44)
diff -Nru snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/snapd.spec snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/snapd.spec
--- snapd-2.32.3.2~14.04/packaging/opensuse-tumbleweed/snapd.spec	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/opensuse-tumbleweed/snapd.spec	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,433 @@
+# spec file for package snapd
+#
+# Copyright (c) 2017 Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+# Copyright (c) 2018 Neal Gompa <ngompa13@gmail.com>
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+
+%bcond_with testkeys
+
+# Enable AppArmor on openSUSE Tumbleweed (post 15.0) or higher
+# N.B.: Prior to openSUSE Tumbleweed in May 2018, the AppArmor userspace in SUSE
+# did not support what we needed to be able to turn on basic integration.
+%if 0%{?suse_version} >= 1550
+%bcond_without apparmor
+%else
+%bcond_with apparmor
+%endif
+
+# Compat macros
+%{!?make_build: %global make_build %{__make} %{?_smp_mflags}}
+%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
+
+# Define the variable for systemd generators, if missing.
+%{?!_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
+%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
+%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+
+# This is fixed in SUSE Linux 15
+# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
+%if 0%{?suse_version} < 1500
+%global _sharedstatedir %{_localstatedir}/lib
+%endif
+
+%global provider        github
+%global provider_tld    com
+%global project         snapcore
+%global repo            snapd
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+# Additional entry of $GOPATH during the build process.
+# This is designed to be a sub-directory of {_builddir}/{name}-{version}
+# because that directory is automatically cleaned-up by the build process.
+%global         indigo_gopath   %{_builddir}/%{name}-%{version}/gopath
+
+# Directory where "name-version" directory from upstream taball is unpacked to.
+# This directory is arranged so that it is already contained inside the future
+# GOPATH so that nothing needs to be moved or copied for "go build" to work.
+%global         indigo_srcdir   %{indigo_gopath}/src/%{import_path}
+
+%global with_test_keys  0
+
+%if %{with testkeys}
+%global with_test_keys 1
+%else
+%global with_test_keys 0
+%endif
+
+# Set if multilib is enabled for supported arches
+%ifarch x86_64 aarch64 %{power64} s390x
+%global with_multilib 1
+%endif
+
+%global systemd_services_list snapd.socket snapd.service snapd.seeded.service %{?with_apparmor:snapd.apparmor.service}
+
+%global snap_mount_dir /snap
+
+Name:           snapd
+Version:        2.37
+Release:        0
+Summary:        Tools enabling systems to work with .snap files
+License:        GPL-3.0
+Group:          System/Packages
+Url:            https://%{import_path}
+Source0:        https://github.com/snapcore/snapd/releases/download/%{version}/%{name}_%{version}.vendor.tar.xz
+Source1:        snapd-rpmlintrc
+%if (0%{?sle_version} >= 120200 || 0%{?suse_version} >= 1500) && 0%{?is_opensuse}
+BuildRequires:  ShellCheck
+%endif
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  glib2-devel
+BuildRequires:  glibc-devel-static
+BuildRequires:  go
+BuildRequires:  gpg2
+BuildRequires:  indent
+BuildRequires:  libapparmor-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtool
+BuildRequires:  libudev-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  make
+BuildRequires:  openssh
+BuildRequires:  pkg-config
+BuildRequires:  python-docutils
+BuildRequires:  python3-docutils
+BuildRequires:  squashfs
+# Due to: rpm -q --whatprovides /usr/share/pkgconfig/systemd.pc
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  timezone
+BuildRequires:  udev
+BuildRequires:  xfsprogs-devel
+BuildRequires:  xz
+%ifarch x86_64
+# This is needed for seccomp tests
+BuildRequires:  glibc-devel-32bit
+BuildRequires:  glibc-devel-static-32bit
+BuildRequires:  gcc-32bit
+%endif
+
+%if %{with apparmor}
+BuildRequires:  apparmor-rpm-macros
+%endif
+
+PreReq:         permissions
+
+Requires(post): permissions
+Requires:       apparmor-parser
+Requires:       apparmor-profiles
+Requires:       gpg2
+Requires:       openssh
+Requires:       squashfs
+
+# Old versions of xdg-document-portal can expose data belonging to
+# other confied apps.  Older OpenSUSE releases are unlikely to change,
+# so for now limit this to Tumbleweed.
+%if 0%{?suse_version} >= 1550
+Conflicts:      xdg-desktop-portal < 0.11
+%endif
+
+%{?systemd_requires}
+
+%description
+This package contains that snapd daemon and the snap command line tool.
+Together they can be used to install, refresh (update), remove and configure
+snap packages on a system. Snap packages are a novel format based on simple
+principles. Bundle your dependencies, run in a predictable environment, use
+modern kernel features for setting up the execution environment and security.
+The same binary snap package can be installed and used on many diverse systems
+such as Debian, Fedora and OpenSUSE as well as their multiple derivatives.
+
+This package contains the official build, endorsed by snapd developers. It is
+updated as soon as new upstream releases are made and is designed to live in
+the system:snappy repository.
+
+%prep
+# NOTE: Instead of using setup -q we are unpacking a subdirectory of the source
+# tarball into a directory that is automatically on the future GOPATH. This
+# means that while go doesn't care at all the current working directory is not
+# the top-level directory of the source tarball which some people may find
+# unusual.
+
+# Create indigo compatible build layout.
+mkdir -p %{indigo_srcdir}
+tar -axf %{_sourcedir}/%{name}_%{version}.vendor.tar.xz --strip-components=1 -C %{indigo_srcdir}
+
+# Patch the source in the place it got extracted to.
+pushd %{indigo_srcdir}
+# Add patch0 -p1 ... as appropriate here.
+popd
+
+# Set the version that is compiled into the various executables/
+pushd %{indigo_srcdir}
+./mkversion.sh %{version}-%{release}
+popd
+
+# Sanity check, ensure that systemd system generator directory is in agreement between the build system and packaging.
+if [ "$(pkg-config --variable=systemdsystemgeneratordir systemd)" != "%{_systemdgeneratordir}" ]; then
+  echo "pkg-confing and rpm macros disagree about the location of systemd system generator directory"
+  exit 1
+fi
+
+# Enable hardening; Also see https://bugzilla.redhat.com/show_bug.cgi?id=1343892
+CFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+CXXFLAGS="$RPM_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+LDFLAGS=""
+
+# On openSUSE Leap 15 or more recent build position independent executables.
+# For a helpful guide about the versions and macros used below, please see:
+# https://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto
+%if 0%{?suse_version} >= 1500
+CFLAGS="$CFLAGS -fPIE"
+CXXFLAGS="$CXXFLAGS -fPIE"
+LDFLAGS="$LDFLAGS -pie"
+%endif
+
+export CFLAGS
+export CXXFLAGS
+export LDFLAGS
+
+# Generate autotools build system files.
+pushd %{indigo_srcdir}/cmd
+autoreconf -i -f
+%configure \
+    %{!?with_apparmor:--disable-apparmor} \
+    --libexecdir=%{_libexecdir}/snapd \
+    --enable-nvidia-biarch \
+    %{?with_multilib:--with-32bit-libdir=%{_prefix}/lib} \
+    --with-snap-mount-dir=%{snap_mount_dir} \
+    --enable-merged-usr
+popd
+
+%build
+# Build golang executables, with the following exceptions everything is built the same way:
+# - snap-exec and snap-update-ns is built statically.
+# - snapd has a variant that uses test keys instead of production keys.
+#
+# NOTE: indigo_gopath takes priority over GOPATH. This ensures that we
+# build the code that we intended in case GOPATH points to another copy.
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapctl
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snap-seccomp
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-update-ns
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=default -ldflags '-extldflags "-static"' %{import_path}/cmd/snap-exec
+%if 0%{?with_test_keys}
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie -tags withtestkeys %{import_path}/cmd/snapd
+%else
+GOPATH=%{indigo_gopath}:$GOPATH go build -buildmode=pie %{import_path}/cmd/snapd
+%endif
+
+# Build C executables
+%make_build -C %{indigo_srcdir}/cmd
+
+%check
+# Run tests with fixed locale that is expected by unicode/color code.
+LC_ALL=C.UTF-8 GOPATH=%{indigo_gopath}:$GOPATH go test %{import_path}/...
+%make_build -C %{indigo_srcdir}/cmd check
+
+%install
+# Install all systemd and dbus units, and env files.
+%make_install -C %{indigo_srcdir}/data \
+		BINDIR=%{_bindir} \
+		LIBEXECDIR=%{_libexecdir} \
+		SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
+		SNAP_MOUNT_DIR=%{snap_mount_dir}
+# Install all the C executables.
+%make_install -C %{indigo_srcdir}/cmd
+# Install all the Go executables.
+install -d -m 755 %{buildroot}%{_bindir}
+install -m 755 snap %{buildroot}%{_bindir}
+# Ensure /usr/bin/snapctl is a symlink to /usr/libexec/snapd/snapctl
+install -m 755 snapctl %{buildroot}%{_libexecdir}/snapd
+ln -s %{_libexecdir}/snapd/snapctl  %{buildroot}%{_bindir}/snapctl
+install -d -m 755 %{buildroot}%{_libexecdir}/snapd
+install -m 755 snapd %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-exec %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-update-ns %{buildroot}%{_libexecdir}/snapd/
+install -m 755 snap-seccomp %{buildroot}%{_libexecdir}/snapd/
+# Generate and install man page for snap command
+install -d -m 755 %{buildroot}%{_mandir}/man8
+./snap help --man > %{buildroot}%{_mandir}/man8/snap.8
+# Undo special permissions of the void directory
+chmod 755 %{buildroot}%{_sharedstatedir}/snapd/void
+# Remove traces of ubuntu-core-launcher. It is a phased-out executable that is
+# still partially present in the tree but should be removed in the subsequent
+# release.
+rm -f %{buildroot}%{_bindir}/ubuntu-core-launcher
+# NOTE: we don't want to ship system-shutdown helper, it is just a helper on
+# ubuntu-core systems that exclusively use snaps. It is used during the
+# shutdown process and thus can be left out of the distribution package.
+rm -f %{buildroot}%{_libexecdir}/snapd/system-shutdown
+# Install the directories that snapd creates by itself so that they can be a part of the package
+install -d %{buildroot}%{_sharedstatedir}/snapd/{assertions,cookie,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
+
+install -d %{buildroot}%{_sharedstatedir}/snapd/{lib/gl,lib/gl32,lib/vulkan}
+install -d %{buildroot}%{_localstatedir}/cache/snapd
+install -d %{buildroot}%{_datadir}/polkit-1/actions
+install -d %{buildroot}%{snap_mount_dir}/bin
+# Install local permissions policy for snap-confine. This should be removed
+# once snap-confine is added to the permissions package. This is done following
+# the recommendations on
+# https://en.opensuse.org/openSUSE:Package_security_guidelines
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions %{buildroot}%{_sysconfdir}/permissions.d/snapd
+install -m 644 -D %{indigo_srcdir}/packaging/opensuse/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/snapd.paranoid
+# Remove unwanted systemd units
+for s in snapd.autoimport.service snapd.system-shutdown.service snapd.snap-repair.timer snapd.snap-repair.service snapd.core-fixup.service; do
+    rm -f %{buildroot}%{_unitdir}/$s
+done
+# Remove snappy core specific scripts
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd.core-fixup.sh
+
+# Install Polkit configuration
+install -m 644 -D %{indigo_srcdir}/data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions
+
+# See https://en.opensuse.org/openSUSE:Packaging_checks#suse-missing-rclink for details
+install -d %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcsnapd.apparmor
+%endif
+# Install the "info" data file with snapd version
+install -m 644 -D %{indigo_srcdir}/data/info %{buildroot}%{_libexecdir}/snapd/info
+# Install bash completion for "snap"
+install -m 644 -D %{indigo_srcdir}/data/completion/snap %{buildroot}%{_datadir}/bash-completion/completions/snap
+install -m 644 -D %{indigo_srcdir}/data/completion/complete.sh %{buildroot}%{_libexecdir}/snapd
+install -m 644 -D %{indigo_srcdir}/data/completion/etelpmoc.sh %{buildroot}%{_libexecdir}/snapd
+
+# Don't ship apparmor helper service when AppArmor is not enabled
+%if ! %{with apparmor}
+rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service
+rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor
+%endif
+
+%verifyscript
+%verify_permissions -e %{_libexecdir}/snapd/snap-confine
+
+%pre
+%service_add_pre %{systemd_services_list}
+
+%post
+%set_permissions %{_libexecdir}/snapd/snap-confine
+%if %{with apparmor}
+%apparmor_reload /etc/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%service_add_post %{systemd_services_list}
+case ":$PATH:" in
+    *:/snap/bin:*)
+        ;;
+    *)
+        echo "Please reboot, logout/login or source /etc/profile to have /snap/bin added to PATH."
+        echo "On a Tumbleweed system you need to run: systemctl enable snapd.apparmor.service"
+        ;;
+esac
+
+%preun
+%service_del_preun %{systemd_services_list}
+if [ $1 -eq 0 ]; then
+    %{_libexecdir}/snapd/snap-mgmt --purge || :
+fi
+
+%postun
+%service_del_postun %{systemd_services_list}
+
+%files
+%if %{with apparmor}
+%config %{_sysconfdir}/apparmor.d
+%endif
+%config %{_sysconfdir}/permissions.d/snapd
+%config %{_sysconfdir}/permissions.d/snapd.paranoid
+%config %{_sysconfdir}/profile.d/snapd.sh
+%dir %attr(0000,root,root) %{_sharedstatedir}/snapd/void
+%dir %{snap_mount_dir}
+%dir %{snap_mount_dir}/bin
+%dir %{_libexecdir}/snapd
+%dir %{_sharedstatedir}/snapd
+%dir %{_sharedstatedir}/snapd/apparmor
+%dir %{_sharedstatedir}/snapd/apparmor/profiles
+%dir %{_sharedstatedir}/snapd/apparmor/snap-confine
+%dir %{_sharedstatedir}/snapd/assertions
+%dir %{_sharedstatedir}/snapd/cookie
+%dir %{_sharedstatedir}/snapd/desktop
+%dir %{_sharedstatedir}/snapd/desktop/applications
+%dir %{_sharedstatedir}/snapd/device
+%dir %{_sharedstatedir}/snapd/hostfs
+%dir %{_sharedstatedir}/snapd/mount
+%dir %{_sharedstatedir}/snapd/seccomp
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
+%dir %{_sharedstatedir}/snapd/snaps
+%dir %{_sharedstatedir}/snapd/lib
+%dir %{_sharedstatedir}/snapd/lib/gl
+%dir %{_sharedstatedir}/snapd/lib/gl32
+%dir %{_sharedstatedir}/snapd/lib/vulkan
+%dir %{_localstatedir}/cache/snapd
+%dir %{_environmentdir}
+%dir %{_systemd_system_env_generator_dir}
+%dir %{_systemdgeneratordir}
+%dir %{_datadir}/dbus-1
+%dir %{_datadir}/dbus-1/services
+%dir %{_datadir}/polkit-1
+%dir %{_datadir}/polkit-1/actions
+%verify(not user group mode) %attr(06755,root,root) %{_libexecdir}/snapd/snap-confine
+%{_mandir}/man8/snap-confine.8*
+%{_mandir}/man8/snap-discard-ns.8*
+%{_mandir}/man8/snapd-env-generator.8*
+%{_unitdir}/snapd.service
+%{_unitdir}/snapd.socket
+%{_unitdir}/snapd.seeded.service
+%{_unitdir}/snapd.failure.service
+%if %{with apparmor}
+%{_unitdir}/snapd.apparmor.service
+%endif
+%{_bindir}/snap
+%{_bindir}/snapctl
+%{_sbindir}/rcsnapd
+%{_sbindir}/rcsnapd.seeded
+%if %{with apparmor}
+%{_sbindir}/rcsnapd.apparmor
+%endif
+%{_libexecdir}/snapd/info
+%{_libexecdir}/snapd/snap-discard-ns
+%{_libexecdir}/snapd/snap-update-ns
+%{_libexecdir}/snapd/snap-exec
+%{_libexecdir}/snapd/snap-seccomp
+%{_libexecdir}/snapd/snapd
+%{_libexecdir}/snapd/snapctl
+%if %{with apparmor}
+%{_libexecdir}/snapd/snapd-apparmor
+%endif
+%{_libexecdir}/snapd/snap-mgmt
+%{_libexecdir}/snapd/snap-gdb-shim
+%{_libexecdir}/snapd/snap-device-helper
+%{_datadir}/bash-completion/completions/snap
+%{_libexecdir}/snapd/complete.sh
+%{_libexecdir}/snapd/etelpmoc.sh
+%{_systemdgeneratordir}/snapd-generator
+%{_mandir}/man8/snap.8*
+%{_datadir}/applications/snap-handle-link.desktop
+%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service
+%{_datadir}/dbus-1/services/io.snapcraft.Settings.service
+%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
+%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
+%{_libexecdir}/snapd/snapd.run-from-snap
+%if %{with apparmor}
+%{_sysconfdir}/apparmor.d/usr.lib.snapd.snap-confine
+%endif
+%{_environmentdir}/990-snapd.conf
+%{_systemd_system_env_generator_dir}/snapd-env-generator
+
+%changelog
+
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/changelog snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/changelog
--- snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/changelog	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/changelog	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,1837 @@
+snapd (2.37~rc1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1811233
+    - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+      have device node /dev/ttyACM[0-9]
+    - tests: fix enable-disable-unit-gpio test on external boards
+    - tests: define new "tests/smoke" suite and use that for
+      autopkgtests
+    - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+      library
+    - snapshotstate: don't task.Log without the lock
+    - overlord/configstate/configcore: support - and _ in cloud init
+      field names
+    - cmd/snap-confine: use makedev instead of MKDEV
+    - tests: review/fix the autopkgtest failures in disco
+    - systemd: allow only a single daemon-reload at the same time
+    - cmd/snap: only auto-enable unicode to a tty
+    - cmd/snap: right-align revision and size in info's channel map
+    - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+      different on Fedora
+    - tests: fix "No space left on device" issue on amazon-linux
+    - store: undo workaround for timezone-less released-at
+    - store, snap, cmd/snap: channels have released-at
+    - snap-confine: fix incorrect use "src" var in mount-support.c
+    - release: support probing SELinux state
+    - release-tools: display self-help
+    - interface: add new `{personal,system}-files` interface
+    - snap: give Epoch an Equal method
+    - many: remove unused interface code
+    - interfaces/many: use 'unsafe' with docker-support change_profile
+      rules
+    - run-checks: stop running HEAD of staticcheck
+    - release: use sync.Once around lazy intialized state
+    - overlord/ifacestate: include interface name in the hotplug-
+      disconnect task summary
+    - spread: show free space in debug output
+    - cmd/snap: attempt to restore SELinux context of snap user
+      directories
+    - image: do not write empty etc/cloud
+    - tests: skip snapd snap on reset for core systems
+    - cmd/snap-discard-ns: fix umount(2) typo
+    - overlord/ifacestate: hotplug-remove-slot task handler
+    - overlord/ifacestate: handler for hotplug-disconnect task
+    - ifacestate/hotplug: updateDevice helper
+    - tests: reset snapd state on tests restore
+    - interfaces: return security setup errors
+    - overlord: make InstallMany work like UpdateMany, issuing a single
+      request to get candidates
+    - systemd/systemd.go: add missing tests for systemd.IsActive
+    - overlord/ifacestate: addHotplugSeqWaitTask helper
+    - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+    - tests: new backend used to run upgrade test suite
+    - travis: short circuit failures in static and unit tests travis job
+    - cmd: automatically fix localized <option>s to <option>
+    - overlord/configstate,features: expose features to snapd tools
+    - selinux: package to query SELinux status and verify/restore file
+      contexts
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - cmd: add tests for lintArg and lintDesc
+    - httputil: retry on temporary net errors
+    - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+    - wrappers: only restart service in core18 when they are active
+    - overlord/ifacestate: helpers for serializing hotplug changes
+    - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interface
+    - snap/info: bind global plugs/slots to implicit hooks
+    - cmd/snap-confine: remove SC_NS_MNT_FILE
+    - spread: record each tests/upgrade job
+    - osutil: do not import dirs
+    - cmd/snap-confine: fix typo "a pipe"
+    - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+      devices
+    - tests: force test-snapd-daemon-notify exit 0 when the interface is
+      not connected
+    - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+    - centos: enable SELinux support on CentOS 7
+    - apparmor: allow hard link to snap-specific semaphore files
+    - tests/lib/pkgdb: disable weak deps on Fedora
+    - release: detect too old apparmor_parser
+    - tests: improve how the log is checked to see if the system is
+      waiting for a reboot
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - spread, tests: add Fedora 29
+    - cmd/snap-confine: refactor calling snapd tools into helper module
+    - apparmor: allow snap-update-ns access to common devices
+    - cmd/snap-confine: capture initialized per-user mount ns
+    - tests: reduce verbosity around package installation
+    - data: set KillMode=process for snapd
+    - cmd/snap: handle DNS error gracefully
+    - spread, tests: use checkpoints when dumping audit log
+    - tests/lib/prepare: make sure that SELinux context of repacked core
+      snap is controlled
+    - testutils: split checkers, tweak tests
+    - tests: fix for tests test-*-cgroup
+    - spread: show AVC audits when debugging, start auditd on Fedora
+    - spread: drop Fedora 27, add Fedora 29
+    - tests/lib/reset: restore context of removed snapd directories
+    - testutil: add File{Present,Absent} checkers
+    - snap: add new `snap run --trace-exec`
+    - tests: fix for failover test on how logs are checked
+    - snapctl: add "services"
+    - overlord/snapstate: use file timestamp to initialize timer
+    - cmd/libsnap: introduce and use sc_strdup
+    - interfaces: let NM access ifindex/ifupdown files
+    - overlord/snapstate: on refresh, check new rev can read current
+    - client, store: don't use store from client (use client from store)
+    - tests/main/parallel-install-store: verify installation of more
+      than one instance at a time
+    - overlord: don't write system key if security setup fails
+    - packaging/fedora/snapd.spec: fix bogus date in changelog
+    - snapstate: update fontconfig caches on install
+    - interfaces/apparmor/backend.go:411:38: regular expression does not
+      contain any meta characters (SA6004)
+    - asserts/header_checks.go:199:35: regular expression does not
+      contain any meta characters (SA6004)
+    - run staticcheck every time :-)
+    - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+      used with signal.Notify should be buffered (SA1017)
+    - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+      signal.Notify should be buffered (SA1017)
+    - spdx/parser.go:30:1: only the first constant has an explicit type
+      (SA9004)
+    - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+      first argument and no further arguments should use print-style
+      function instead (SA1006)
+    - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+    - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+      Did you mean to break out of the outer loop? (SA4011)
+    - daemon/api.go:992:22: printf-style function with dynamic first
+      argument and no further arguments should use print-style function
+      instead (SA1006)
+    - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+      to break out of the outer loop? (SA4011)
+    - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+      should be buffered (SA1017)
+    - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+      provided buffer, not even temporarily (SA1023)
+    - release: probe apparmor features lazily
+    - overlord,daemon: mock security backends for testing
+    - cmd/libsnap: move apparmor-support to libsnap
+    - cmd: drop cruft from snap-discard-ns build rules
+    - cmd/snap-confine: use snap-discard-ns ns to discard stale
+      namespaces
+    - cmd/snap-confine: handle mounted shared /run/snapd/ns
+    - many: fix composite literals with unkeyed fields
+    - dirs, wrappers, overlord/snapstate: make completion + bases work
+    - tests: revert "tests: restore in restore, not prepare"
+    - many: validate title
+    - snap: make description maximum in runes, not bytes
+    - tests: discard mount namespaces in reset.sh
+    - tests/lib: sync cla check back from snapcraft
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - daemon: remove enableInternalInterfaceActions
+    - mkversion: use "test -n" rather than "! test -z"
+    - run-checks: assorted fixes
+    - tests: restore in restore, not in prepare
+    - cmd/snap: fix missing newline in "snap keys" error message
+    - snap: epoch lists must contain no duplicate entries
+    - interfaces/avahi_observe: Fix typo in comment
+    - tests: add SPREAD_JOB to the description of
+      systemd_create_and_start_unit
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+    - packaging/fedora: use %_sysctldir macro
+    - cmd/snap-confine: remove unneeded unshare
+    - sanity: extend the kernel version check to cover CentOS/RHEL
+      kernels
+    - wrappers: remove all desktop files from a snap on removal
+    - snap: add an explicit check for `epoch: null` loading
+    - snap: check max description length in validate
+    - spread, tests: add CentOS support
+    - cmd/snap-confine: allow mapping more libc shards
+    - cmd/snap-discard-ns: add support for --from-snap-confine
+    - tests: make tinyproxy support systemd notify
+    - tests: fix shellcheck
+    - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+    - store: add a test for a non-zero epoch refresh (with epoch bump)
+    - store: v1 search doesn't send epoch, stop pretending it does
+    - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+    - overlord/snapstate: amend test should send local revision
+    - tests: use mock-gpio.py in enable-disable-units-gpio test
+    - snap: enforce minimal snap name len of 2
+    - cmd/libsnap: add sc_verify_snap_lock
+    - cmd/snap-update-ns: extra debugging of trespassing events
+    - userd: force zenity width if the text displayed is long
+    - overlord/snapstate, store: always send epochs
+    - cmd/snap-confine,snap-update-ns: discard quirks
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - cmd/snap-update-ns, tests: clean trespassing paths
+    - nvidia, interfaces/builtin: OpenCL fixes
+    - ifacestate/hotplug: removeDevice helper
+    - cmd: install snap-discard-ns in "make hack"
+    - overlord/ifacestate: setup security backends phased by backends
+      first
+    - ifacestate/helpers: added SystemSnapName mapper helper method
+    - overlord/ifacestate: set hotplug-key of the connection when
+      connecting hotplug slots
+    - snapd: allow snap-update-ns to read /proc/version
+    - cmd: handle tumbleweed and leap in autogen.sh
+    - interfaces/tests: MockHotplugSlot test helper
+    - store,daemon: make UserInfo,LoginUser part of the store interface
+    - overlord/ifacestate: use remapper when checking if system snap is
+      installed
+    - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+    - packaging/arch: fix bash completions path
+    - interfaces/builtin: add device-buttons interface for accessing
+      events
+    - tests, fakestore: extend refresh tests with parallel installed
+      snaps
+    - snap, store, overlord/snapshotstate: drop epoch pointers
+    - snap: make Epoch default to {[0],[0]} on load from yaml
+    - data/completion: pass documented arguments to completion functions
+    - tests: skip opensuse from interfaces-openvswitch-support test
+    - tests: simple reproducer for snap try and hooks bug
+    - snapstate: do not allow classic mode for strict snaps
+    - snap: make Epoch's MarshalJSON not simplify
+    - store: remove unused currentSnap and currentSnapJSON
+    - many: some small doc comment fixes in recent hotplug code
+    - ifacestate/udevmonitor: added callback to signal end of
+      enumeration
+    - cmd/libsnap: add simplified feature flag checker
+    - interfaces/opengl: add additional accesses for cuda
+    - tests: add core18 only hooks test and fix running core18 only on
+      classic
+    - sanity, release, cmd/snap: refuse to try to do things on WSL.
+    - cmd: make coreSupportsReExec faster
+    - overlord/ifacestate: don't remove the dash when generating unique
+      slot name
+    - cmd/snap-seccomp: add full complement of ptrace constants
+    - cmd: update autogen.sh for opensuse
+    - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+      overlord/snapstate: address review feedback
+    - packaging/opensuse: stop using golang-packaging
+    - overlord/snapshots: survive an unknown user
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - cmd/snap: unhide --name parameter to snap install, tweak help
+      message
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/main/snap-service-after-before-install: verify after/before
+      in snap install
+    - overlord/ifacestate: mark connections disconnected by hotplug with
+      hotplug-gone
+    - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+      startup
+    - tests: install dependencies during prepare
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - tests: core 18 does not support classic confinement
+    - tests: add debug output for degraded test
+    - strutil: make VersionCompare faster
+    - overlord/snapshotstate/backend: survive missing directories
+    - overlord/ifacestate: use map[string]*connState when passing conns
+      around
+    - tests: move fedora 28 to manual
+    - overlord/snapshotstate/backend: be more verbose when
+      SNAPPY_TESTING=1
+    - tests: removing fedora 26 system from spread.yaml
+    - tests: linode execution is not needed anymore
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests: fixes and new backend for tests on nested suite
+    - strutil: let MatchCounter work with a nil regexp
+    - ifacestate/helpers: findConnsForHotplugKey helper
+    - many: move regexp.(Must)Compile out of non-init functions into
+      variables
+    - store: also make snaps downloaded via deltas 0600
+    - snap: use Lstat to determine snap size, remove
+      ReadSnapInfoExceptSize
+    - interfaces/builtin: add adb-support interface
+    - tests: fail if install_snap_local fails
+    - strutil: add extra test to CommaSeparatedList as suggested by
+      mborzecki
+    - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+    - ifacestate: optimize disconnect hooks
+    - cmd/snap-update-ns: parse the -u <uid> command line option
+    - cmd/snap, tests: snapshots for all
+    - client, cmd/daemon: allow disabling keepalive, improve degraded
+      mode unit tests
+    - snap: only show "next" refresh time if its after the hold time
+    - overlord/snapstate: run tests for classic snaps even on systems
+      that don't support classic
+    - overlord/standby: fix a race between standby goroutine and stop
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - cmd: remove remnants of sc_should_populate_mount_ns
+    - client, daemon, cmd/snap: indicate that services are socket/timer
+      activated
+    - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+    - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+    - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+    - cmd/snap-discard-ns: add support for per-user mount namespaces
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook.
+    - tests/main: fixes for the new shellcheck
+    - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+      fly
+    - tests: initial setup for testing current branch on nested vm and
+      hotplug management
+    - cmd: refactor IPC and lifecycle of the helper process
+    - tests/main/parallel-install-store: the store has caught up, do not
+      expect failures
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+      ptrace, for the Breakpad crash reporter
+    - snap,client: use a different exit code for retryable errors
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - cmd/snap: tweak `snap services` output when there is no services
+    - interfaces/many: updates to support k8s worker nodes
+    - cmd/snap: gnome-software install via snap:// handler
+    - overlord/many: cleanup use of snapName vs. instanceName
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes* ifstate: fix decoding of json numbers
+    - cmd/snap: try not to panic on error from "snap try"
+    - tests: new cosmic image for spread tests on gce
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - overlord/snapshotstate/backend: detect path to tar in unit tests
+    - tests/unit/gccgo: drop gccgo unit tests
+    - cmd: use relative file names in locking APIs
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - overlord/snapshotstate/backend: fall back on sudo when no runuser
+    - cmd/snap-confine: reduce verbosity of debug and error messages
+    - systemd: extend Status() to work for socket and timer units
+    - interfaces: typo 'allows' for consistency with other ifaces
+    - systemd,wrappers: don't start disabled services
+    - ifacestate: simplify task chaining in ifacestate.Connect
+    - tests: ensure that goa-daemon is off
+    - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+    - cmd/snap: block 'snap help <cmd> --all'
+    - asserts, image: ensure kernel, gadget, base and required-snaps use
+      valid snap names
+    - apparmor: add unit test for probeAppArmorParser and simplify code
+    - interfaces/apparmor: conditionally add explicit deny rules for
+      ptrace
+    - po: sync translations from launchpad
+    - osutil: tweak handling of error adduser errors
+    - cmd: rename ns_group to mount_ns
+    - tests/main/interfaces-accounts-service: more debugging
+    - snap/pack, snap/squashfs: use type to determine mksquashfs args
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - tests: show list of processes when ifaces-accounts-service fails
+    - tests: do not run degraded test in autopkgtest env
+    - snap: overhaul validation error messages
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - interfaces: improve Attr error further
+    - snapstate: tweak GetFeatureFlagBool() to have a default argument
+    - many: cleanup remaining parallel installs TODOs
+    - image: improve validation of extra snaps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 Jan 2019 09:36:51 +0100
+
+snapd (2.36.3~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - httputil: retry on temporary net errors
+    - wrappers: only restart service in core18 when they are active
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interfacewhen installing selinux-policy-devel package.
+    - centos: enable SELinux support on CentOS 7
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - apparmor: allow hard link to snap-specific semaphore files
+    - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+      profile errors
+    - snap: add new `snap run --trace-exec` call
+    - interfaces/backends: detect too old apparmor_parser
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 14 Dec 2018 07:30:58 +0100
+
+snapd (2.36.2~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - snapstate: update fontconfig caches on install
+    - overlord,daemon: mock security backends for testing
+    - sanity, spread, tests: add CentOS
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - tests: add regression test for LP: #1803535
+    - snap-update-ns: fix trailing slas bug on trespassing error
+    - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+    - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+    - interfaces/opengl: add additional accesses for cuda
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 29 Nov 2018 10:48:29 +0100
+
+snapd (2.36.1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - tests,snap-confine: add core18 only hooks test and fix running
+      core18 only hooks on classic
+    - interfaces/apparmor: allow access to
+      /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests/main/interfces-accounts-service: switch to busctl, more
+      debugging
+    - store: also make snaps downloaded via deltas 0600
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - tests/main: fixes for the new shellcheck
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 09 Nov 2018 14:42:28 +0100
+
+snapd (2.36~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - tests: the store has caught up, drop gccgo test, update cosmic
+      image
+    - cmd/snap: try not to panic on error from "snap try"`--devmode`
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - systemd,wrappers: don't start disabled services
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - tests: do not run degraded test in autopkgtest env
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces: include invalid type in Attr error
+    - many: enable layouts by default
+    - interfaces/default: don't scrub with change_profile with classic
+    - cmd/snap: speed up unit tests
+    - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+      flags
+    - daemon: expose snapshots to the API
+    - interfaces: updates for default, screen-inhibit-control, tpm,
+      {hardware,system,network}-observe
+    - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+      update test interface
+    - interfaces/tests: use TestInterface instead of a custom local
+      helper
+    - overlord/snapstate: export getFeatureFlagBool.
+    - osutil,asserts,daemon: support force password change in system-
+      user assertion
+    - snap, wrappers: support restart-delay, generate RestartSec=<value>
+      in service units
+    - tests/ifacestate: moved asserts-related mocking into helper
+    - image: fetch device store assertion if available
+    - many: enable AppArmor on Arch
+    - interfaces/repo: two helper methods for hotplug
+    - overlord/ifacestate: add hotplug slots with implicit slots
+    - interfaces/hotplug: helpers and struct updates
+    - tests: run the snapd tests on Ubuntu 18.10
+    - snapstate: only report errors if there is an actual error
+    - store: speedup unit tests
+    - spread-shellcheck: fix interleaved error messages, tweaks
+    - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+    - ifacestate: implementation of defaultDeviceKey function for
+      hotplug
+    - cmd/snap-update-ns: remove empty placeholders used for mounting
+    - snapshotstate: restore to current revision
+    - tests/lib: rework the CLA checker
+    - many: support and consider store friendly-stores when checking
+      device scope constraints
+    - overlord/snapstate: block parallel installs of snapd, core, base,
+      kernel, gadget snaps
+    - overlord/patch: patch for static plug/slot attributes
+    - interfaces: honor static attributes when reloading conns
+    - osutils: unit tests speedup; introduce «run-checks --short-
+      unit».
+    - systemd, wrappers: speed up wrappers unit tests
+    - client: speedup unit tests
+    - spread-shellcheck: use threads to parallelise
+    - snap: validate plug and slot names
+    - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+    - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+    - store: gracefully handle unexpected errors in 'action'
+      response
+    - cmd: put our manpages in section 8
+    - overlord: don't make become-operational interfere with user
+      requests
+    - store: tweak unmatched refresh result error log
+    - snap, client, daemon, store: use and expose "media" more
+    - tests,cmd/snap-update-ns: add test showing mount update bug
+      cmd/snap-update-ns: better detection of snapd-made tmpfs
+    - tests: spread tests for aliases with parallel installed snaps
+    - interfaces/seccomp: allow using statx by default
+    - store: gracefully handle unexpected errors in 'action' response
+    - overlord/snapshotstate: chown the tempdir
+    - cmd/snap: attempt to start the document portal if running with a
+      session bus
+    - snap: detect layouts vs layout in snap.yaml
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snapcraft.yaml: set grade to stable
+    - tests: shellchecks, final round
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snap: detect layouts vs layout in snap.yaml
+    - overlord/snapshotstate: store epoch in snapshot, check on restore
+    - cmd/snap: tweak UX of snap refresh --list
+    - overlord/snapstate: improve consistency, use validateInfoAndFlags
+      also in InstallPath
+    - snap: give Epoch a CanRead helper
+    - overlord/snapshotstate: small refactor of internal helpers
+    - interfaces/builtin: adding missing permission to create
+      /run/wpa_supplicant directory
+    - interfaces/builtin: avahi interface update
+    - client, daemon: support passing of 'unaliased' option when
+      installing from local files
+    - selftest: rename selftest.Run() to sanity.Check()
+    - interfaces/apparmor: report apparmor support level and policy
+    - ifacestate: helpers for generating slot names for hotplug
+    - overlord/ifacestate: make sure to pass in the Model assertion when
+      enforcing policies
+    - overlord/snapshotstate: store the SnapID in snapshot, block
+      restore if changed
+    - interfaces: generalize writable mimic profile
+    - asserts,interfaces/policy: add support for on-store/on-brand/on-
+      model plug/slot rule constraints
+    - many: fetch the device store assertion together and in the context
+      of interpreting snap-declarations
+    - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+      gccgo is fixed
+    - tests/main/parallel-install-services: add spread test for snaps
+      with services
+    - tests/main/snap-env: extend to cover parallel installations of
+      snaps
+    - tests/main/parallel-install-local: rename from *-sideload, extend
+      to run snaps
+    - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+    - cmd/snap: tame the help zoo
+    - tests/main/parallel-install-store: run installed snap
+    - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+      i18n)
+    - cmd: fix C formatting
+    - tests: remove unneeded cleanup from layout tests
+    - image: warn on missing default-providers
+    - selftest: add test to ensure selftest.checks is up-to-date
+    - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+      installs
+    - userd: extend the list of supported XDG Desktop properties when
+      autostarting user applications
+    - cmd/snap-update-ns: enforce trespassing checks
+    - selftest: actually run the kernel version selftest
+    - snapd: go into degraded mode when the selftest fails
+    - tests: add test that runs snapctl with a core18 snap
+    - tests: add snap install hook with base: core18
+    - overlord/{snapstate,assertstate}: parallel instances and
+      refresh validation
+    - interfaces/docker-support: add rules to read apparmor macros
+    - tests: make nfs test available for more systems
+    - tests: cleanup copy/paste dup in interfaces-network-setup-control
+    - tests: using single sh snap in interface tests
+    - overlord/snapstate: improve cleaup in mount-snap handler
+    - tests: don't fail interfaces-bluez test if bluez is already
+      installed
+    - tests: find snaps just for edge and beta channels
+    - daemon, snapstate: consistent snap list [--all] output with broken
+      snaps
+    - tests: fix listing to allow extra things in the notes column
+    - cmd/snap: improve UX when removing specific snap revision
+    - cmd/snap, tests/main/snap-info: highlight the current channel
+    - interfaces/testiface: added TestHotplugInterface
+    - snap: tweak commands
+    - interfaces/hotplug: hotplug spec takes one slot definition
+    - overlord/snapstate, snap: handle shared snap directories when
+      installing/remove snaps with instance key
+    - interfaces/opengl: misc accesses for VA-API
+    - client, cmd/snap: expose warnings to the world
+    - cmd/snap-update-ns: introduce trespassing state tracking
+    - cmd/snap: commands no longer build their own client
+    - tests: try to build cmd/snap for darwin
+    - daemon: make error responders not printf when called with 1
+      argument
+    - many: return real snap name in API response
+    - overlord/state: return latest LastAdded time in WarningsSummary
+    - many: mount namespace mapping for parallel installs of snaps
+    - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+      core-phase-2
+    - client, cmd/snap: on !linux, exit when the client tries to Do
+      something
+    - tests: refactor for nested suite and tests fixed
+    - tests: use lxd's waitready instead of polling lxd socket
+    - ifacestate: don't initialize udev monitor until we have a system
+      snap
+    - interfaces: extra argument for static attrs in
+      NewConnectedPlug/NewConnectedSlot
+    - packaging/arch: sync packaging with AUR
+    - snapstate/tests: serialize all appends in fake backend
+    - snap-confine: make /lib/modules optional
+    - cmd/snap: handle "snap interfaces core" better
+    - store: move download tests into downloadSuite
+    - tests,interfaces: run interfaces-account-control on UC18
+    - tests: fix install snaps test by adding link to /snap
+    - tests: fix for nested test suite
+    - daemon: fix snap list --all with parallel snap instances
+    - snapstate: refactor tests to use SetModel*
+    - wrappers: fix snap services order in tests
+    - many: provide salt for generating instance-key in store requests
+    - ifacestate: fix hang when retrying content providers
+    - snapd-env-generator: fix when PATH is empty or unset
+    - overlord/assertstate: propagate TaskSnapSetup error
+    - client: catch and expose logs errors
+    - overlord: integrate device enumeration with udev monitor
+    - daemon, overlord/state: warnings pipeline
+    - tests: add publisher regex to fix the snap-info test pass on sru
+    - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+      tweaks
+    - cmd/snap-update-ns: remove the unused Secure type
+    - osutil, o/snapshotstate, o/sss/backend: quick fixes
+    - tests: update the listing expression to support core from
+      different channels
+    - store: use stable instance key in store refresh requests
+    - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+    - overlord/patch: support for sublevel patches
+    - tests: update prepare/restore for nightly suite
+    - cmd/snap-update-ns: detach BindMount from the Secure type
+    - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+    - ifacestate: retry on "discard-snap" in autoconnect conflict check
+    - cmd/snap-update-ns: separate OpenPath from the Secure struct
+    - wrappers: remove Wants=network-online.target
+    - tests: add new core16-base test
+    - store: refactor tests so that they work as store_test package
+    - many: add refresh.rate-limit core option
+    - tests: run account-control test with different bases
+    - tests: port proxy test to use python tinyproxy
+    - overlord: introduce snapshotstate.
+    - testutil: allow Fstatfs results to vary over time
+    - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+    - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+    - many: remove deadcode
+    - tests: also run unit/gccgo in 18.04
+    - tests: introduce a helper for installing local snaps with --name
+    - tests: avoid removing core snap on reset
+    - snap: use snap.SideInfo in test to fix build with gccgo
+    - partition: remove unused runCommand
+    - image: fix incorrect error when using local bases
+    - overlord/snapstate: fix format
+    - cmd: fix format
+    - tests: setting "storage: preserve-size" just for amazon-linux
+      system
+    - tests: test for the hostname interface
+    - interfaces/modem-manager: allow access to more USB strings
+    - overlord: instantiate UDevMonitor
+    - interfaces/apparmor: tweak naming, rename to AddLayout()
+    - interfaces: take instance name in ifacetest.InstallSnap
+    - snapcraft: do not use --dirty in mkversion
+    - cmd: add systemd environment generator
+    - devicestate: support getting (http) proxy from core config
+    - many: rename ClientOpts to ClientOptions
+    - prepare-image-grub-core18: remove image root in restore
+    - overlord/ifacestate: remove "old-conn" from connect/undo connect
+      handlers
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - image: handle errors when downloadedSnapsInfoForBootConfig has no
+      data
+    - tests: use official core18 model assertion in tests
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - overlord,store: support proxy settings internally too
+    - cmd/snap: bring back 'snap version'
+    - interfaces/mount: tweak naming of things
+    - strutil: fix MatchCounter to also work with buffer reuse
+    - cmd,interfaces,tests: add /mnt to removable-media interface
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - snap/snapenv: drop some instance specific variables, use instance-
+      specific ones for user locations
+    - firstboot: sort by type when installing the firstboot snaps
+    - cmd, cmd/snap: better support for non-linux
+    - strutil: add new ParseByteSize
+    - image: detect and error if bases are missing
+    - interfaces/apparmor: do not downgrade confinement on arch with
+      linux-hardened 4.17.4+
+    - daemon: add pokeStateLock helper to the daemon tests
+    - snap/squashfs: improve error message from Build on mksquashfs
+      failure
+    - tests: remove /etc/alternatives from dirs-not-shared-with-host
+    - cmd: support re-exec into the "snapd" snap
+    - spdx: remove "Other Open Source" from the support licenses
+    - snap: add new type "TypeSnapd" and attach to the snapd snap
+    - interfaces: retain order of inserted security backends
+    - tests: spread test for parallel-installs desktop file handling
+    - overlord/devicestate: use OpenSSL's PEM format when generating
+      keys
+    - cmd: remove --skip-command-chain from snap run and snap-exec
+    - selftest: detect if apparmor is unusable and error
+    - snap,snap-exec: support command-chain for hooks
+    - tests: significantly reduce execution time for managers test
+    - snapstate: use new "snap.ByType" sorting
+    - overlord/snapstate: fix UpdateMany() to work with parallel
+      instances
+    - testutil: have File* checker produce more useful error output
+    - overlord/ifacestate: introduce connectOpts
+    - interfaces: parallel instances support, extend unit tests
+    - tests: normalize tests
+    - snapstate: make InstallPath() return *snap.Info too
+    - snap: add ByType sorting
+    - interfaces: add cifs-mount interface
+    - tests: use file based markers in snap-service-stop-mode
+    - osutil: reorg and stub out things to get it building on darwin
+    - tests/main/layout: cleanup after the test
+    - osutil/sys: small tweaks to let it build on darwin
+    - daemon, overlord/snapstate: set instance name when installing from
+      snap file
+    - many: move Uname to osutil, for more DRY and easier porting.
+    - cmd/snap: create snap user directory when running parallel
+      installed snaps
+    - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+    - tests: basic test for parallel installs from the store
+    - image: download the gadget from the model.GadgetTrack()
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - overlord: handle sigterm during shutdown better
+    - tests: add the original function to fix the errors on new kernels
+    - tests/main/lxd: pull lxd from candidate; reënable i386
+    - wayland: add extra sockets that are used by older toolkits (e.g.
+      gtk3)
+    - asserts: add support for gadget tracks in the model assertion
+    - overlord/snapstate: improve feature flag validation
+    - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+    - interfaces: workaround for activated services and newer DBus
+    - tests: get the linux-image-extra available for the current kernel
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - interfaces: disconnect hooks
+    - cmd/libsnap: unify detection of core/classic with go
+    - tests: fix autopkgtest failures in cosmic
+    - snap: fix advice json
+    - overlord/snapstate: parallel snap install
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - interfaces: add screencast-legacy for video and audio recording
+    - tests: skip unsupported architectures for fedora-base-smoke test
+    - tests: avoid using the journalctl cursor when it has not been
+      created yet
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - tests: enable lxd again everywhere
+    - tests: new test for udisks2 interface
+    - interfaces: add cpu-control for setting CPU tunables
+    - overlord/devicestate: fix tests, set seeded in registration
+      through proxy tests
+    - debian: add missing breaks on cosmic
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - tests: new test for juju client observe interface
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - snapcraft: set version information for the snapd snap
+    - cmd/snap, daemon: error out if trying to install a snap using
+      empty name
+    - hookstate: simplify some hook tests
+    - cmd/snap-confine: extend security tag validation to cover instance
+      names
+    - snap: fix mocking of systemkey in snap-run tests
+    - packaging/opensuse: fix static build of snap-update-ns and snap-
+      exec
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - cmd/libsnap-confine-private: intoduce helpers for validating snap
+      instance name and instance key
+    - snap,snap-exec: support command-chain for app
+    - interfaces/builtin: network-manager resolved DBus changes
+    - snap: tweak `snap wait` command
+    - cmd/snap-update-ns: introduce validation of snap instance names
+    - cmd/snap: fix some corner-case test setup weirdness
+    - cmd,dirs: fix various issues discovered by a Fedora base snap
+    - tests/lib/prepare: fix extra snaps test
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 24 Oct 2018 11:30:45 -0600
+
+snapd (2.35.5~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - osutil: workaround overlayfs on ubuntu 18.10
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 15 Oct 2018 22:23:02 +0200
+
+snapd (2.35.4~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 14:41:33 +0200
+
+snapd (2.35.3~14.04) trusty; urgency=medium
+
+    - overlord: don't make become-operational interfere with user
+      requests
+    - docker_support.go: add rules to read apparmor macros
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-
+      nsFixes:
+    - snapcraft.yaml: add workaround to fix snapcraft build
+    - interfaces/opengl: misc accesses for VA-API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 09:32:00 +0200
+
+snapd (2.35.2~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - cmd,overlord/snapstate: go 1.11 format fixes
+    - ifacestate: fix hang when retrying content providers
+    - snap-env-generator: do nothing when PATH is unset
+    - interfaces/modem-manager: allow access to more USB strings
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 12 Sep 2018 09:32:00 +0200
+
+snapd (2.35.1~14.04) trusty; urgency=medium
+
+  *  New upstream release, LP: #1786438
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - snapcraft: do not use --diry in mkversion.sh
+    - cmd: add systemd environment generator
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - tests: cherry-pick test fixes from master for 2.35
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - interfaces: retain order of inserted security backends
+    - selftest: detect if apparmor is unusable and error
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 03 Sep 2018 14:44:06 +0200
+
+snapd (2.35~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - asserts: add support for gadget tracks in the model assertion
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - overlord: handle sigterm during shutdown better
+    - wayland: add extra sockets that are used by older toolkits
+    - snap: fix advice json
+    - tests: fix autopkgtest failures in cosmic
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - interfaces: add cpu-control for setting CPU tunables
+    - debian: add missing breaks on comisc
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - hookstate: simplify some hook tests
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - interfaces/builtin: network-manager resolved DBus changes
+    - tests: add spread test for fedora29 base snap
+    - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+    - dirs: fix SnapMountDir inside a Fedora base snap
+    - tests: fix snapd-failover for core18 with external backend
+    - overlord/snapstate: always clean SnapState when doing Get()
+    - overlod/ifacestate: always use a new SnapState when fetching the
+      snap state
+    - overlord/devicestate: have the serial request talk to the proxy if
+      set
+    - interfaces/hotplug: udevadm output parser
+    - tests: New test for daemon-notify interface
+    - image: ensure "core" is ordered early if base: and core is used
+    - cmd/snap-confine: snap-device-helper parallel installs support
+    - tests: enable interfaces-framebuffer everywhere
+    - tests: reduce nc wait time from 2 to 1 second
+    - snap/snapenv: add snap instance specific variables
+    - cmd/snap-confine: add minimal test for snap-device-helper
+    - tests: enable snapctl test on core18
+    - overlord: added UDevMonitor for future hotplug support
+    - wrappers: do not glob when removing desktop files
+    - tests: add dbus monitor log to interfaces-accounts-service
+    - tests: add core-18 systems to external backend
+    - wrappers: account for changed app wrapper in parallel installed
+      snaps
+    - wrappers: make sure that the tests pass on non-Ubuntu too
+    - many: add snapd snap failure handling
+    - tests: new test for dvb interface
+    - configstate: accept refresh.timer=managed
+    - tests: new test for snap logs command
+    - wrapper: generate all the snapd unit files when generating
+      wrappers
+    - store: keep all files with link-count > 1 in the cache
+    - store: be less verbose in the common refresh case of "no updates"
+    - snap-confine: update snappy-app-dev path
+    - debian: ensure dependency on fixed apt on 18.04
+    - snapd: add initial software watchdog for snapd
+    - daemon, systemd: change journalctl -n=all to --no-tail
+    - systemd: fix snapd.apparmor.service.in dependencies
+    - snapstate: refuse to remove bases or core if snaps need them
+    - snap: introduce package-level helpers for building snap related
+      directory/file paths
+    - overlord/devicestate: deny parallel install of kernel or gadget
+      snaps
+    - store: clean up parallel-install TODOs in store tests
+    - timeutil: fix first weekday of the month schedule
+    - interfaces: match all possible tty but console
+    - tests: shellchecks part 5
+    - cmd/snap-confine: allow ptrace read for 4.18 kernels
+    - advise: make the bolt database do the atomic rename dance
+    - tests/main/apt-hooks: debug dump of commands.db
+    - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+      handling
+    - snap: validate instance name as part of Validate()
+    - daemon: if a snap is inactive, don't ask systemd about its
+      services.
+    - udev: skip TestParseUdevEvent on s390x
+    - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+    - asserts,image: add support for new kernel=track syntax
+    - tests: new gce image for fedora 27
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - store, overlord/snapstate: introduce instance name in store APIs
+    - tests: drive-by cleanup of redudant pkgname matching
+    - tests: ensure apt-hook is only run after catalog update ran
+    - tests: use pkill instead of kilall
+    - tests/main: another bunch of updates for Amazon Linux 2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the  directory tree
+    - tests: disable/fix more tests for Amazon Linux 2
+    - overlord: introduce InstanceKey to SnapState and SnapSetup,
+      renames
+    - daemon: make sure most change generating handlers can produce
+      errors with kinds
+    - tests/main/interfaces-calendar-service: skip the test on AMZN2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the directory tree
+    - cmd/snap: add a green check mark to verified publishers
+    - cmd/snap: fix two issues in the cmd/snap unit tests
+    - packaging/fedora: fix target path of /snap symlink
+    - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - strutil: detect and bail out of Unmarshal on duplicate key
+    - packaging/fedora(amzn2): disable SELinux, drop dependency on
+      squashfuse for AMZN2
+    - spread, tests: add support for Amazon Linux 2
+    - packaging/fedora: Add Amazon Linux 2 support
+    - many: make Wait/Stop optional on StateManagers
+    - snap/squashfs: stop printing unsquashfs info to stderr
+    - snap: add support for `snap advise-snap --from-apt`
+    - overlord/ifacestate: ignore connect if already connected
+    - tests: change the service snap used instead of network-bind-
+      consumer
+    - interfaces/network-control: update for wpa-supplicant and ifupdown
+    - tests: fix raciness in stop mode tests
+    - logger: try to not have double dates
+    - debian: use deb-systemd-invoke instead of systemctl directly
+    - tests: run all main tests on core18
+    - many: finish sharing a single TaskRunner with all the the managers
+    - interfaces/repo: added AllHotplugInterfaces helper
+    - snapstate: ensure kernel-track is honored on switch/refresh
+    - overlord/ifacestate: support implicit slots on snapd
+    - image: add support for "kernel-track" in `snap prepare-image`
+    - tests: add test that ensures we do not boot any system in degraded
+      state
+    - tests: update tests to work on core18
+    - cmd/snap: check for typographic dashes in command
+    - tests: fix tests expecting old email address
+    - client: add some existing error kinds that were not listed in
+      client.go
+    - tests: add missing slots in classic and core provider test snaps
+    - overlord,daemon,cmd: re-map snap names around the edges of snapd
+    - tests: use install_local in snap-run-hooks
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - overlord/snapstate: dedupe default content providers
+    - osutil/udev: sync with upstream
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord: have SnapManager use a passed in TaskRunner created by
+      Overlord
+    - many: streamline the generic conflict check mechanisms
+    - tests: remove unneeded setup code in snap-run-symlink
+    - cmd/snap: print unset license as "unset", instead of "unknown"
+    - asserts: add (optional) kernel-track to model assertion
+    - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+    - interfaces/pulseaudio: be clear that the interface allows playback
+      and record
+    - snap: support hook environment
+    - interfaces: fix typo "daemonNotify" (add missing "n")
+    - interfaces: tweak tests of daemon-notify, use common naming
+    - interfaces: allow invoking systemd-notify when daemon-notify is
+      connected
+    - store: make snap blobs be 0600
+    - interfaces,daemon: move JSON types to the daemon
+    - tests: prepare needs to handle bin/snapctl being a symlink
+    - tests: do not mask errors in interfaces-timezone-control (#5405)
+    - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+    - tests: add basic integration test for spread hold
+    - overlord/snapstate: improve PlugsOnly comment
+    - many: assorted shellcheck fixes
+    - store, daemon, client, cmd/snap: expose "scope", default to wide
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - client, cmd/snap: pass snap instance name when installing from
+      file
+    - cmd/snap: add 'debug paths' command
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: fix tests on arch
+    - tests: start active system units on reset
+    - tests: new test for joystick interface
+    - tests: moving install of dependencies to pkgdb helper
+    - tests: enable new fedora image with test dependencies installed
+    - tests: start using the new opensuse image with test dependencies
+    - tests: check catalog refresh before and after restart snapd
+    - tests: stop restarting journald service on prepare
+    - interfaces: make core-support a no-op interface
+    - interfaces: prefer "snapd" when resolving implicit connections
+    - interfaces/hotplug: add hotplug Specification and
+      HotplugDeviceInfo
+    - many: lessen the use of core-support
+    - tests: fixes for the autopkgtest failures in cosmic
+    - tests: remove extra ' which breaks interfaces-bluetooth-control
+      test
+    - dirs: fix antergos typo
+    - tests: use grep to avoid non-matching messages from MATCH
+    - dirs: improve distro detection for Antegros
+    - vendor: switch to latest bson
+    - interfaces/builtin: create can-bus interface
+    - tests: "snap connect" is idempotent so just connect
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - interfaces: treat "snapd" snap as type:os
+    - interfaces: tweak tests to have less repetition of "core" and
+      "ubuntu…
+    - tests: simplify econnreset test
+    - snap: add helper for renaming slots
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - tests: add artful for sru validation on google backend
+    - snap,interfaces: move interface name validation to snap
+    - overlord/snapstate: introduce path to fake backend ops
+    - cmd/snap-confine: fix snaps running on core18
+    - many: expose publisher's validation throughout the API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 20 Aug 2018 12:36:33 +0200
+
+snapd (2.34.3~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - snapstate: allow setting "refresh.timer=managed"
+    - spread: switch Fedora and openSUSE images
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 27 Jul 2018 19:08:44 +0200
+
+snapd (2.34.2~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - packaging: fix bogus date in fedora snapd.spec
+    - tests: fix tests expecting old email address
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 19 Jul 2018 12:05:50 +0200
+
+snapd (2.34.1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - tests: cherry-pick test fixes from master for 2.34
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord/snapstate: dedupe default content providers
+    - interfaces/builtin: create can-bus interface
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Tue, 17 Jul 2018 19:46:56 +0200
+
+snapd (2.34~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - store, daemon, client, cmd/snap: expose "scope", default to wide*
+    - tests: fix arch tests
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+    - tests: run interfaces-contacts-service only where test-snapd-eds
+      is available
+    - many: expose publisher's validation throughout the API
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - dirs: improve distro detection for Antegros
+    - Revert "dirs: improve identification of Arch Linux like systems"
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - i18n: use xgettext-go --files-from to avoid running into cmdline
+      size limits
+    - interfaces: move ValidateName helper to utils
+    - snapstate,ifstate: wait for pending restarts before auto-
+      connecting
+    - snap: account for parallel installs in wrappers, place info and
+      tests
+    - configcore: fix incorrect handling of keys with numbers (like
+      gpu_mem_512)
+    - tests: fix tests when no keyboard input detected
+    - overlord/configstate: add watchdog options
+    - snap-mgmt: fix for non-existent dbus system policy dir,
+      shellchecks
+    - tests/main/snapd-notify: use systemd's service properties rater
+      than the journal
+    - snapstate: allow removal of snap.TypeOS when using a model with a
+      base
+    - interfaces: make findSnapdPath smarter
+    - tests: run "arp" tests only if arp is available
+    - spread: increase the number of auto retries for package downloads
+      in opensuse
+    - cmd/snap-confine: fix nvidia support under lxd
+    - corecfg: added experimental.hotplug feature flag
+    - image: block installation of parallel snap instances
+    - interfaces: moved normalize method to interfaces/utils and made it
+      public
+    - api/snapctl: allow -h and --help for regular users.
+    - interfaces/udisks2: also implement implicit classic slot
+    - cmd/snap-confine: include CUDA runtime libraries
+    - tests: disable auto-refresh test on core18
+    - many: switch to account validation: unproven|verified
+    - overlord/ifacestate: get/set connection state only via helpers
+    - tests: adding extra check to validate journalctl is showing
+      current test data
+    - data: add systemd environment configuration
+    - i18n: handle write errors in xgettext-go
+    - snap: helper for validating snap instance names
+    - snap{/snaptest}: set instance key based on snap name
+    - userd: fix running unit tests on KDE
+    - tests/main/econnreset: limit ingress traffic to 512kB/s
+    - snap: introduce a struct Channel to represent store channels, and
+      helpers to work with it
+    - tests: add fedora to distro_clean_package_cache function
+    - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+    - tests: add spread test to ensure snapd/core18 are not removable
+    - tests: tweaks for running the main tests on core18
+    - overlord/{config,snap}state: introduce experimental.parallel-
+      instances feature flag
+    - strutil: support iteration over almost clean paths
+    - strutil: add PathIterator.Rewind
+    - tests: update interfaces-timeserver-control to core18
+    - tests: add halt-timeout to google backend
+    - tests: skip security-udev-input-subsystem without /dev/input/by-
+      path
+    - snap: introduce the instance key field
+    - packaging/opensuse: remaining packaging updates for 2.33.1
+    - overlord/snapstate: disallow installing snapd on baseless models
+    - tests: disable core tests on all core systems (16 and 18)
+    - dirs: improve identification of Arch Linux like systems
+    - many: expose full publisher info over the snapd API
+    - tests: disable core tests on all core systems (16 and 18)
+    - tests/main/xdg-open: restore or clean up xdg-open
+    - tests/main/interfaces-firewall-control: shellcheck fix
+    - snapstate: sort "snapd" first
+    - systemd: require snapd.socket in snapd.seeded.service; make sure
+      snapd.seeded
+    - spread-shellcheck: use the latest shellcheck available from snaps
+    - tests: use "ss" instead of "netstat" (netstat is not available in
+      core18)
+    - data/complete: fix three out of four shellcheck warnings in
+      data/complete
+    - packaging/opensuse: fix typo, missing assignment
+    - tests: initial core18 spread image building
+    - overlord: introduce a gadget-connect task and use it at first boot
+    - data/completion: fix inconsistency in +x and shebang
+    - firstboot: mark essential snaps as "Required" in the state
+    - spread-shellcheck: use a whitelist of files that are allowed to
+      fail validation
+    - packaging/opensuse: build position-independent binaries
+    - ifacestate: prevent running interface hooks twice when self-
+      connecting on autoconnect
+    - data: remove /bin/sh from snapd.sh
+    - tests: fix shellcheck 0.5.0 warnings
+    - packaging/opensuse: snap-confine should be 06755
+    - packaging/opensuse: ship apparmor integration if enabled
+    - interfaces/udev,misc: only trigger udev events on input subsystem
+      as needed
+    - packaging/opensuse: add missing bits for snapd.seeded.service
+    - packaging/opensuse: don't use %-macros in comments
+    - tests: shellchecks part 4
+    - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+      parallel-install TODOs
+    - store: drop unused: channel map types, and details fixture.
+    - store: have a basic test about the unmarshalling of /search
+      results
+    - tests: show executed tests on current system when a test fails
+    - tests: fix for the download of the big snap
+    - interfaces/apparmor: add chopTree
+    - tests: remove double debug: | entry in tests and add more checks
+    - cmd/snap-update-ns: introduce mimicRequired helper
+    - interfaces: move assertions around for better failure line number
+    - store: log a nice clear "download succeeded" message
+    - snap: run snap-confine from the re-exec location
+    - snapstate: support restarting snapd from the snapd snap on core18
+    - tests: show status of the partial test-snapd-huge snap in
+      econnreset test
+    - tests: fix interfaces-calendar-service test when gvfsd-metadata
+      loks the xdg dirctory
+    - store: switch store.SnapInfo to use the new v2/info endpoint
+    - interfaces: add Repository.AllInterfaces
+    - snapstate: stop using evolving SnapSpec internally, use an
+      internal-only snapSpec instead
+    - cmd/libsnap-confine-private: introduce a helper for splitting snap
+      name
+    - tests: econnreset/retry tweaks
+    - store, et al: kill dead code that uses the bulk endpoint
+    - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+    - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+      Depth helper
+    - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+      available
+    - store: switch connectivity check to use v2/info
+    - devicestate: support seeding from a base snap instead of core
+    - snapstate,ifacestate: remove core-phase-2 handling
+    - interfaces/docker-support: update for docker 18.05
+    - tests: enable fedora 28 again
+    - overlord/ifacestate:  simplify checkConnectConflicts and also
+      connect signature
+    - snap: parse connect instructions in gadget.yaml
+    - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+      test
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - store, image: have 'snap download' use v2/refresh action=download
+    - interfaces/policy: test that base policy can be parsed
+    - tests: publish test-snapd-appstreamid for any architecture
+    - snap: don't include newline in hook environment
+    - cmd/snap-update-ns: use RCall with SyscallsEqual
+    - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+    - interfaces: add the dvb interface
+    - daemon: paging is not a thing.
+    - cmd/snap-mgmt: remove system key on purge
+    - testutil: syscall sequence checker
+    - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command* many: add `snap debug
+      connectivity` command
+    - configstate: deny configuration of base snaps and for the "snapd"
+      snap
+    - interfaces/raw-usb: also allow usb serial devices
+    - snap: reject more layout locations
+    - errtracker: do not send duplicated reports
+    - httputil: extra debug if an error is not retried
+    - cmd/snap-update-ns: improve wording in many errors
+    - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+    - cmd/snap-update-ns: add helper for checking for read-only
+      filesystems
+    - interfaces/builtin/docker: use commonInterface over specific
+      struct
+    - testutil: add test support for Fstatfs
+    - cmd/snap-update-ns: discard the concept of segments
+    - cmd/libsnap-confine-private: helper for extracting store snap name
+      from local-name
+    - tests: fix flaky test for hooks undo
+    - interfaces: add {contacts,calendar}-service interfaces
+    - tests: retry 'restarting into..' match in the snap-confine-from-
+      core test
+    - systemd: adjust TestWriteMountUnitForDirs() to use
+      squashfs.MockUseFuse(false)
+    - data: add helper that can generate/start/stop the snapd service
+    - sefltest: advise reboot into 4.4 on trusty running 3.13
+    - selftest: add new selftest package that tests squashfs mounting
+    - store, jsonutil: move store.getStructFields to
+      jsonutil.StructFields
+    - ifacestate: improved conflict and error handling when creating
+      autoconnect tasks
+    - cmd/snap-confine: applied make fmt
+    - interfaces/udev: call 'udevadm settle --timeout=10' after
+      triggering events
+    - tests: wait more time until snap start to be downloaded on
+      econnreset test
+    - snapstate: ensure fakestore returns TypeOS for the core snap
+    - tests: fix lxd test which hangs on restore
+    - cmd/snap-update-ns: add PathIterator
+    - asserts,image: add support for models with bases
+    - tests: shellchecks part 3
+    - overlord/hookstate: support undo for hooks
+    - interfaces/tpm: Allow access to the kernel resource manager
+    - tests: skip appstream-id test for core systems 32 bits
+    - interfaces/home: remove redundant common interface assignment
+    - tests: reprioritise a few tests that are known to be slow
+    - cmd/snap: small help tweaks and fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - spread-shellcheck: silly fix & pep8
+    - spread: switch fedora 28 to manual
+    - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+      it in snap info --verbose
+    - tests: fix lxd test - --auto now sets up networking
+    - tests: adding fedora-28 to spread.yaml
+    - interfaces: add juju-client-observe interface
+    - client, daemon: add a "mounted-from" entry to local snaps' JSON
+    - image: set model.DisplayName() in bootenv as "snap_menuentry"
+    - packaging/opensuse: Refactor packaging to support all openSUSE
+      targets
+    - interfaces/joystick: force use of the device cgroup with joystick
+      interface
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - interfaces: remove Plug/Slot types
+    - interface hooks: update old AutoConnect methods
+    - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+    - overlord/{config,snap}state: the number of inactive revisions is
+      config
+    - cmd/snap: check with snapd for unknown sections
+    - tests: moving test helpers from sh to bash
+    - data/systemd: add snapd.apparmor.service
+    - many: expose AppStream IDs (AKA common ID)
+    - many: hold refresh when on metered connections
+    - interfaces/joystick: also support modern evdev joysticks and
+      gamepads
+    - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+    - snapcraft: use dpkg-buildpackage options that work in xenial
+    - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+    - get-deps: work with an unset GOPATH too
+    - interfaces/apparmor: use strict template on openSUSE tumbleweed
+    - packaging: filter out verbose flags from "dh-golang"
+    - packaging: fix description
+    - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 06 Jul 2018 16:08:17 +0200
+
+snapd (2.33.1~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - many: improve udev trigger on refresh experience
+    - systemd: require snapd.socket in snapd.seeded.service
+    - snap: don't include newline in hook environment
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - tests: skip security-dev-input-event-denied when /dev/input/by-
+      path/ is missing
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 21 Jun 2018 17:37:56 +0200
+
+snapd (2.33~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command
+    - interfaces/raw-usb: also allow usb serial devices
+    - errtracker: do not send duplicated reports
+    - selftest: add new selftest package that tests squashfs mounting
+    - tests: backport lxd force stop and econnreset fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - interfaces/joystick: support modern evdev joysticks
+    - interfaces: add juju-client-observe
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - many: holding refresh on metered connections
+    - many: expose AppStream IDs (AKA common ID)
+    - tests: speed up save/restore snapd state for all-snap systems
+      during tests execution
+    - interfaces/apparmor: use helper to load stray profile
+    - tests: ubuntu core abstraction
+    - overlord/snapstate: don't panic in a corner case interaction of
+      cleanup tasks and pruning
+    - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+      snaps
+    - tests: new parameter for the journalctl rate limit
+    - spread-shellcheck: port to python
+    - interfaces/home: add 'read' attribute to allow non-owner read to
+      @{HOME}
+    - testutil: import check.v1 differently to workaround gccgo error
+    - interfaces/many: miscellaneous updates for default, desktop,
+      desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+      keys
+    - snapstate/hooks: reorder autoconnect and reconnect hooks
+    - daemon: update unit tests to match current master
+    - overlord/snapshotstate/backend: introducing the snapshot backend
+    - many: support 'system' nickname in interfaces
+    - userd: add the "snap" scheme to the whitelist
+    - many: make rebooting of core on refresh immediate, refactor logic
+      around it
+    - tests/main/snap-service-timer: account for service timer being in
+      the 'running' state
+    - interfaces/builtin: allow access to libGLESv* too for opengl
+      interface
+    - daemon: fix unit tests on arch
+    - interfaces/default,process-control: miscellaneous signal policy
+      fixes
+    - interfaces/bulitin: add write permission to optical-drive
+    - configstate: validate known core.* options
+    - snap, wrappers: systemd WatchdogSec support
+    - ifacestate: do not auto-connect manually disconnected interfaces
+    - systemd: mock useFuse() so testsuite passes in container via lxd
+      snap
+    - snap/env: fix env duplication logic
+    - snap: some doc comments fixes and additions
+    - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+      vendor files
+    - ifacestate: unify reconnect and autoconnect methods
+    - tests: fix user mounts test for external systems
+    - overlord/snapstate,overlord/auth,store: coalesce no auth user
+      refresh requests
+    - boot,partition: improve tests/docs around SetNextBoot()
+    - many: improve `snap wait` command
+    - snap: fix `snap interface --attrs` output when numbers are used
+    - cmd/snap-update-ns: poke holes when creating source paths for
+      layouts
+    - snapstate: support getting new bases/default-providers on refresh
+    - ifacemgr: remove stale connections on startup
+    - asserts: use Attrer in policy checks
+    - testutil: record system call errors / return values
+    - tests: increase timeouts to make tests reliable on slow boards
+    - repo: pass and return ConnRef via pointers
+    - interfaces: add xdg-document-portal support to desktop interface
+    - debian: add a zenity|kdialog suggests
+    - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+    - tests: go must be installed as a classic snap
+    - tests: use journalctl cursors instead rotating logs
+    - daemon: add confinement-options to /v2/system-info
+      daemon: refactor classic support flag to be more structured
+    - tests: build spread in the autopkgtests with a more recent go
+    - cmd/snap: fix the message when snap.channel != snap.tracking
+    - overlord/snapstate: allow core defaults configuration via 'system'
+      key
+    - many: add "snap debug sandbox-features" and needed bits
+    - interfaces: interface hooks for refresh
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - many: add wait command and `snapd.seeded` service
+    - interfaces: move host font update-ns AppArmor rules to desktop
+      interface
+    - jsonutil/safejson: introducing safejson.String &
+      safejson.Paragraph
+    - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+    - cmd/snap-update-ns,tests: mimic the mode and ownership of
+      directories
+    - cmd/snap-update-ns: add support for ignoring mounts with missing
+      source/target
+    - interfaces: interface hooks implementation
+    - cmd/libsnap: fix compile error on more restrictive gcc
+      cmd/libsnap: fix compilation errors on gcc 8
+    - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+    - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+    - tests: fix interfaces-network test for systems with partial
+      confinement
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+    - configcore: validate experimental.layouts option
+    - interfaces:minor autoconnect cleanup
+    - HACKING: fix typos
+    - spread: add adt for ubuntu 18.10
+    - tests: skip test lp-1721518 for arch, snapd is failing to start
+      after reboot
+    - interfaces/x11: allow X11 slot implementations
+    - tests: checking interfaces declaring the specific interface
+    - snap: improve error for snaps not available in the given context
+    - cmdstate: add missing test for default timeout handling
+    - tests: shellcheck spread tasks
+    - cmd/snap: update install/refresh help vs --revision
+    - cmd/snap-confine: add support for per-user mounts
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - tests: adding google-sru backend replacing linode-sur
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - systemd: replace ancient paths with 16.04+ standards
+    - overlord,systemd: store snap revision in mount units
+    - testutil: add test helper for SysLstat
+    - testutil,cmd: rename test helper of Lstat to OsLstat
+    - testutil: document all fake syscall/os functions
+    - osutil,interfaces,cmd: use less hardcoded strings
+    - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+    - testutil: don't dot-import check.v1
+    - store: getStructFields takes pointers now
+    - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+    - many: fix false negatives reported by vet
+    - osutil,interfaces: use uint32 for uid, gid
+    - many: fix various issues reported by shellcheck
+    - tests: add pending shutdown detection
+    - image: support refreshing soft-expired user macaroons in tooling
+    - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+      daemon tests
+    - interfaces/builtin: add support for software-watchdog interface
+    - spread: auto accept key changes when calling dnf
+    - snap,overlord/snapstate: introduce and use BrokenSnapError
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: bring back one missing test in snap-service-stop-mode
+    - debian: update LP bug for the 2.32.5 SRU
+    - userd: set up journal logging streams for autostarted apps
+    - snap,tests : don't fail if we cannot stat MountFile
+    - tests: smaller fixes for Arch tests
+    - tests: run interfaces-broadcom-asic-control early
+    - client: support for snapshot sets, snapshots, and snapshot actions
+    - tests: skip interfaces-content test on core devices
+    - cmd: generalize locking to global, snap and per-user locks
+    - release-tools: handle the snapd-x.y.z version
+    - packaging: fix incorrectly auto-generated changelog entry for
+      2.32.5
+    - tests: add arch to CI
+    - systemd: add helper for opening stream file descriptors to the
+      journal
+    - cmd/snap: handle distros with no version ID
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - tests: removing linode-sru backend
+    - tests: updating bionic version for spread tests on google
+    - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - overlord/snapstate: allow to get an error from readInfo instead of
+      a broken stub, use it in doMountSnap
+    - snap: snap.AppInfo is now a fmt.Stringer
+    - tests: move fedora 27 to google backend
+    - many: add `core.problem-reports.disabled` option
+    - cmd/snap-update-ns: remove the need for stash directory in secure
+      bind mount implementation
+    - errtracker: check for whoopsie.service instead of reading
+      /etc/whoopsie
+    - cmd/snap: user session application autostart v3
+    - tests: add test to ensure `snap refresh --amend` works with
+      different channels
+    - tests: add check for OOM error after each test
+    - cmd/snap-seccomp: graceful handling of non-multilib host
+    - interfaces/shutdown: allow calling SetWallMessage
+    - cmd/snap-update-ns: add secure bind mount implementation for use
+      with user mounts
+    - snap: fix `snap advise-snap --command` output to match spec
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - overlord/snapstate: introduce envvars to control the channels for
+      based and prereqs
+    - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+    - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+    - daemon,overlord/hookstate: stop/wait for running hooks before
+      closing the snapctl socket
+    - advisor: use json for package database
+    - interfaces/hostname-control: allow setting the hostname via
+      syscall and systemd
+    - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+      libraries
+    - interfaces: misc updates for default, firewall-control, fuse-
+      support and process-control
+    - data/selinux: Give snapd access to more aspects of the system
+    - many: use the new install/refresh API by switching snapstate to
+      use store.SnapAction
+    - errtracker: make TestJournalErrorSilentError work on gccgo
+    - ifacestate: add to the repo also snaps that are pending being
+      activated but have a done setup-profiles
+    - snapstate, ifacestate: inject auto-connect tasks try 2
+    - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+    - errtracker: add more fields to aid debugging
+    - interfaces: make system-key more robust against invalid fstab
+      entries
+    - overlord,interfaces: be more vocal about broken snaps and read
+      errors
+    - ifacestate: injectTasks helper
+    - osutil: fix fstab parser to allow for # in field values
+    - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+    - release-tools: add repack-debian-tarball.sh
+    - daemon,client: add build-id to /v2/system-info
+    - cmd: make fmt (indent 2.2.11)
+    - interfaces/content: add rule so slot can access writable files at
+      plug's mountpoint
+    - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+    - ifacestate: don't surface errors from stale connections
+    - cmd/snap-update-ns: convert Secure* family of functions into
+      methods
+    - tests: adjust canonical-livepatch test on GCE
+    - tests: fix quoting issues in econnreset test
+    - cmd/snap-confine: make /run/media an alias of /media
+    - cmd/snap-update-ns: rename i to segNum
+    - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+    - spread: disable StartLimitInterval option on opensuse-42.3
+    - configstate: give a chance to immediately recompute the next
+      refresh time when schedules are set
+    - cmd/snap-confine: attempt to detect if multiarch host uses
+      arch triplets
+    - store: add Store.SnapAction to support the new install/refresh API
+      endpoint
+    - tests: adding test for removable-media interface
+    - tests: update interface tests to remove extra checks and normalize
+      tests
+    - timeutil: in Human, count days with fingers
+    - vendor: update gopkg.in/yaml.v2 to the latest version
+    - cmd/snap-confine: fix Archlinux compatibility
+    - cmd/snapd: make sure signal handlers are established during early
+      daemon startup
+    - cmd/snap-confine: apparmor: allow creating prefix path for
+      gl/vulkan
+    - osutil: use tilde suffix for temporary files used for atomic
+      replacement
+    - tests: copy or sanity check core users using usernames
+    - tests: disentangle etc vs extrausers in core tests
+    - tests: fix snap-run tests when snapd is not running
+    - overlord/configstate: change how ssh is stopped/started
+    - snap: make `snap run` look at the system-key for security profiles
+    - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+      replacement
+    - tests: adding opensuse-42.3 to google
+    - cmd/snap: fix one issue with noWait error handling logic, add
+      tests plus other cleanups
+    - cmd/snap-confine: nvidia: preserve globbed file prefix
+    - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+      needed
+    - interfaces,release: probe seccomp features lazily
+    - tests: change debug for layout test
+    - advisor: deal with missing commands.db file
+    - interfaces/apparmor: simplify UpdateNS internals
+    - polkit: Pass caller uid to PolicyKit authority
+    - tests: moving debian 9 from linode to google backend
+    - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+    - po: specify charset in po/snappy.pot
+    - interfaces: harden snap-update-ns profile
+    - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+    - tests: update tests to deal with s390x quirks
+    - debian: run snap.mount upgrade fixup *before* debhelper
+    - tests: move xenial i386 to google backend
+    - snapstate: add compat mode for default-provider
+    - tests: a bunch of test fixes for s390x from looking at the
+      autopkgtest logs
+    - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+    - interfaces/builtin: let MM change qmi device attributes
+    - tests: add workaround for s390x failure
+    - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+    - daemon: support 'system' as nickname of the core snap
+    - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+    - devicestate: add DeviceManager.Registered returning a channel
+      closed when the device is known to be registered
+    - store: Sections and WriteCatalogs need to strictly send device
+      auth only if the device has a custom store
+    - tests: add bionic system to google backend
+    - many: fix shellcheck warnings in bionic
+    - cmd/snap-update-ns: don't fail on existing symlinks
+    - tests: make autopkgtest tests more targeted
+    - cmd/snap-update-ns: fix creation of layout symlinks
+    - spread,tests: move suite-level prepare/restore to central script
+    - many: propagate contexts enough to be able to mark store
+      operations done from the Ensure loop
+    - snap: don't create empty Change with "Hold" state on disconnect
+    - snap: unify snap name validation w/python; enforce length limit.
+    - cmd/snap: use shlex when parsing `snap run --strace` arguments
+    - osutil,testutil: add symlinkat(2) and readlinkat(2)
+    - tests: autopkgtest may have non edge core too
+    - tests: adding checks before stopping snapd service to avoid job
+      canceled on ubuntu 14.04
+    - errtracker: respect the /etc/whoopsie configuration
+    - overlord/snapstate:  hold refreshes for 2h after seeding on
+      classic
+    - cmd/snap: tweak and polish help strings
+    - snapstate: put layout feature behind feature flag
+    - tests: force profile re-generation via system-key
+    - snap/squashfs: when installing from seed, try symlink before cp
+    - wrappers: services which are socket or timer activated should not
+      be started during boot
+    - many: go vet cleanups
+    - tests: define MATCH from spread
+    - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+      fix
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - cmd/snap: in changes and tasks, default to human-friendly times
+    - many: support holding refreshes by setting refresh.hold
+    - Revert "cmd/snap: use timeutil.Human to show times in `snap
+      refresh -…-time`"
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - tests/main/snap-service-refresh-mode: refactor the test to rely on
+      comparing PIDs
+    - tests/main/media-sharing: improve the test to cover /media and
+      /run/media
+    - store: enable deltas for core devices too
+    - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+    - strutil/shlex: import github.com/google/shlex into the tree
+    - vendor: update github.com/mvo5/libseccomp-golang
+    - overlord/snapstate: block install of "system"
+    - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+    - many: add the snapd-generator
+    - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+    - polkit: ensure error is properly set if dialog is dismissed
+    - snap-confine, snap-seccomp: utilize new seccomp logging features
+    - progress: tweak ansimeter cvvis use to no longer confuse minicom
+    - xdgopenproxy: integrate xdg-open implementation into snapctl
+    - tests: avoid removing preinstalled snaps on core
+    - tests: chroot into core to run xdg-open there
+    - userd: add an OpenFile method for launching local files with xdg-
+      open
+    - tests: moving ubuntu core from linode to google backend
+    - run-checks: remove accidental bashism
+    - i18n: simplify NG usage by doing the modulo math in-package.
+    - snap/squashfs: set timezone when calling unsquashfs to get the
+      build date
+    - timeutil: timeutil.Human(t) gives a human-friendly string for t
+    - snap: add autostart app property
+    - tests: add support for external backend executions on listing test
+    - tests: make interface-broadcom-asic-control test work on rpi
+    - configstate: when disable "ssh" we must disable the "sshd" service
+    - interfaces/apparmor,system-key: add upperdir snippets for strict
+      snaps on livecd
+    - snap/squashfs: add BuildDate
+    - store: parse the JSON format used by the coming new store API to
+      convey snap information
+    - many: remove snapd.refresh.{timer,service}
+    - tests: adding ubuntu-14.04-64 to the google backend
+    - interfaces: add xdg-desktop-portal support to desktop interface
+    - packaging/arch: sync with snapd/snapd-git from AUR
+    - wrappers, tests/main/snap-service-timer: restore missing commit,
+      add spread test for timer services
+    - store: don't ask for snap_yaml_raw except on the details endpoint
+    - many: generate and use per-snap snap-update-ns profile
+    - tests: add debug for layout test
+    - wrappers: detect whether systemd-analyze can be used in unit tests
+    - osutil: allow creating strings out of MountInfoEntry
+    - servicestate: use systemctl enable+start and disable+stop instead
+      of --now flag
+    - osutil: handle file being matched by multiple patterns
+    - daemon, snap: fix InstallDate, make a method of *snap.Info
+    - wrappers: timer services
+    - wrappers: generator for systemd OnCalendar schedules
+    - asserts: fix flaky storeSuite.TestCheckAuthority
+    - tests: fix dependency for ubuntu artful
+    - spread: start moving towards google backend
+    - tests: add a spread test for layouts
+    - ifacestate: be consistent passing Retry.After as named field
+    - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+    - testutil: allow mocking syscall.Fstat
+    - overlord/snapstate: verify that default schedule is randomized and
+      is  not a single time
+    - many: simplify mocking of home-on-NFS
+    - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+    - store: move infoFromRemote into details.go close to snapDetails
+    - userd/tests: Test kdialog calls and mock kdialog too to make tests
+      work in KDE
+    - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+    - cmd/snap: add self-strace to `snap run`
+    - interfaces/screen-inhibit-control,network-status: fix dbus path
+      and interface typos
+    - update-pot: Force xgettext() to return true
+    - store: cleanup test naming, dropping remoteRepo  and
+      UbuntuStore(Repository)? references
+    - store: reorg auth refresh
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 08 Jun 2018 17:13:47 +0200
+
+snapd (2.32.9~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - tests: run all spread tests inside GCE
+    - tests: build spread in the autopkgtests with a more recent go
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 May 2018 10:20:08 +0200
+
+snapd (2.32.8~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 14:36:16 +0200
+
+snapd (2.32.7~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - many: add wait command and seeded target (2
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - cmd/libsnap: fix compile error on more restrictive gcc
+    - tests: cherry-pick commits to move spread to google backend
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - userd: set up journal logging streams for autostarted apps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 13:09:32 +0200
+
+snapd (2.32.6~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: run interfaces-boradcom-asic-control early
+    - tests: skip interfaces-content test on core devices
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Sun, 29 Apr 2018 19:21:53 +0200
+
+snapd (2.32.5~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1765090
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - daemon: support 'system' as nickname of the core snap
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 16 Apr 2018 11:41:48 +0200
+
+snapd (2.32.4~14.04) trusty; urgency=medium
+
+  * New upstream release, LP: #1756173
+    - cmd/snap: user session application autostart
+    - overlord/snapstate: introduce envvars to control the channels for
+      bases and prereqs
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - many: use the new install/refresh /v2/snaps/refresh store API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 11 Apr 2018 16:30:45 +0200
+
 snapd (2.32.3.2~14.04) trusty; urgency=medium
 
   * New upstream release, LP: #1756173
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/control snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/control
--- snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/control	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/control	2019-01-16 08:36:51.000000000 +0000
@@ -33,6 +33,8 @@
                squashfs-tools,
                udev,
                xfslibs-dev
+Recommends: gnupg1 | gnupg
+Suggests: zenity | kdialog
 Standards-Version: 3.9.7
 Homepage: https://github.com/snapcore/snapd
 Vcs-Browser: https://github.com/snapcore/snapd
@@ -84,8 +86,7 @@
  enabling secure distribution of the latest apps and utilities for
  cloud, servers, desktops and the internet of things.
  .
- This is the CLI for snapd, a background service that takes care of
- snaps on the system. Start with 'snap list' to see installed snaps.
+ Start with 'snap list' to see installed snaps.
 
 Package: ubuntu-snappy
 Architecture: all
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/rules snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/rules
--- snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/rules	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/rules	2019-01-16 08:36:51.000000000 +0000
@@ -178,13 +178,15 @@
 	if [ -d share/locale ]; then \
 		cp -R share/locale debian/snapd/usr/share; \
 	fi
+	# chrorder generator
+	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
 
-	# install snapd's systemd units / upstart jobs, done
+	# Install snapd's systemd units / upstart jobs, done
 	# here instead of debian/snapd.install because the
 	# ubuntu/14.04 release branch adds/changes bits here
 	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
 		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
-	# we called this apps-bin-path.sh instead of snapd.sh, and
+	# We called this apps-bin-path.sh instead of snapd.sh, and
 	# it's a conf file so we're stuck with it
 	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh
 
@@ -195,6 +197,10 @@
 
 	# trusty doesn't need the .real workaround
 
+	# On Ubuntu and Debian we don't need to install the apparmor helper service.
+	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.apparmor.service
+	rm $(CURDIR)/debian/tmp/usr/lib/snapd/snapd-apparmor
+
 	dh_install
 
 override_dh_auto_install: snap.8
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/snapd.install snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/snapd.install
--- snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/snapd.install	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/snapd.install	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,12 @@
 usr/bin/snap
-usr/bin/snapctl
+usr/bin/snapctl /usr/lib/snapd/
 usr/lib/snapd/system-shutdown
 usr/bin/snap-exec /usr/lib/snapd/
 usr/bin/snap-repair /usr/lib/snapd/
+usr/bin/snap-failure /usr/lib/snapd/
 usr/bin/snap-update-ns /usr/lib/snapd/
 usr/bin/snapd /usr/lib/snapd/
 usr/bin/snap-seccomp /usr/lib/snapd/
-usr/lib/snapd/snapd-generator /lib/systemd/system-generators/
 
 # bash completion
 data/completion/snap /usr/share/bash-completion/completions
@@ -25,11 +25,15 @@
 usr/lib/snapd/snap-confine
 usr/lib/snapd/snap-discard-ns
 usr/lib/snapd/snap-mgmt
-usr/share/man/man1/snap-confine.1
-usr/share/man/man5/snap-discard-ns.5
+usr/share/man/
 # for compatibility with ancient snap installs that wrote the shell based
 # wrapper scripts instead of the modern symlinks
 usr/bin/ubuntu-core-launcher
 
 # gdb helper
 usr/lib/snapd/snap-gdb-shim
+
+# use "usr/lib" here because apparently systemd looks only there
+usr/lib/systemd/system-environment-generators
+# but system generators end up in lib
+lib/systemd/system-generators
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/snapd.links snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/snapd.links
--- snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/snapd.links	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/snapd.links	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+../../usr/lib/snapd/snap-device-helper  /lib/udev/snappy-app-dev
+usr/lib/snapd/snapctl usr/bin/snapctl
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/snapd.postrm snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/snapd.postrm
--- snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/snapd.postrm	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/snapd.postrm	2019-01-16 08:36:51.000000000 +0000
@@ -68,10 +68,12 @@
             # udev rules
             find /etc/udev/rules.d -name "*-snap.${snap}.rules" -execdir rm -f "{}" \;
             # dbus policy files
-            find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            if [ -d /etc/dbus-1/system.d ]; then
+                find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            fi
             # timer files
             find /etc/systemd/system -name "snap.${snap}.*.timer" | while read -r f; do
-                systemctl_stop "$(basename $f)"
+                systemctl_stop "$(basename "$f")"
                 rm -f "$f"
             done
         fi
@@ -96,13 +98,13 @@
     echo "Discarding preserved snap namespaces"
     # opportunistic as those might not be actually mounted
     if [ -d /run/snapd/ns ]; then
-        if [ $(ls /run/snapd/ns/*.mnt | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.mnt" | wc -l)" -gt 0 ]; then
             for mnt in /run/snapd/ns/*.mnt; do
                 umount -l "$mnt" || true
                 rm -f "$mnt"
             done
         fi
-        if [ $(ls /run/snapd/ns/*.fstab | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.fstab" | wc -l)" -gt 0 ]; then
             for fstab in /run/snapd/ns/*.fstab; do
                 rm -f "$fstab"
             done
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/source/options snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/source/options
--- snapd-2.32.3.2~14.04/packaging/ubuntu-14.04/source/options	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-14.04/source/options	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+tar-ignore = "tests/lib/cache/*"
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/changelog snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/changelog
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/changelog	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/changelog	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,1839 @@
+snapd (2.37~rc1+18.10) cosmic; urgency=medium
+
+  * New upstream release, LP: #1811233
+    - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+      have device node /dev/ttyACM[0-9]
+    - tests: fix enable-disable-unit-gpio test on external boards
+    - tests: define new "tests/smoke" suite and use that for
+      autopkgtests
+    - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+      library
+    - snapshotstate: don't task.Log without the lock
+    - overlord/configstate/configcore: support - and _ in cloud init
+      field names
+    - cmd/snap-confine: use makedev instead of MKDEV
+    - tests: review/fix the autopkgtest failures in disco
+    - systemd: allow only a single daemon-reload at the same time
+    - cmd/snap: only auto-enable unicode to a tty
+    - cmd/snap: right-align revision and size in info's channel map
+    - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+      different on Fedora
+    - tests: fix "No space left on device" issue on amazon-linux
+    - store: undo workaround for timezone-less released-at
+    - store, snap, cmd/snap: channels have released-at
+    - snap-confine: fix incorrect use "src" var in mount-support.c
+    - release: support probing SELinux state
+    - release-tools: display self-help
+    - interface: add new `{personal,system}-files` interface
+    - snap: give Epoch an Equal method
+    - many: remove unused interface code
+    - interfaces/many: use 'unsafe' with docker-support change_profile
+      rules
+    - run-checks: stop running HEAD of staticcheck
+    - release: use sync.Once around lazy intialized state
+    - overlord/ifacestate: include interface name in the hotplug-
+      disconnect task summary
+    - spread: show free space in debug output
+    - cmd/snap: attempt to restore SELinux context of snap user
+      directories
+    - image: do not write empty etc/cloud
+    - tests: skip snapd snap on reset for core systems
+    - cmd/snap-discard-ns: fix umount(2) typo
+    - overlord/ifacestate: hotplug-remove-slot task handler
+    - overlord/ifacestate: handler for hotplug-disconnect task
+    - ifacestate/hotplug: updateDevice helper
+    - tests: reset snapd state on tests restore
+    - interfaces: return security setup errors
+    - overlord: make InstallMany work like UpdateMany, issuing a single
+      request to get candidates
+    - systemd/systemd.go: add missing tests for systemd.IsActive
+    - overlord/ifacestate: addHotplugSeqWaitTask helper
+    - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+    - tests: new backend used to run upgrade test suite
+    - travis: short circuit failures in static and unit tests travis job
+    - cmd: automatically fix localized <option>s to <option>
+    - overlord/configstate,features: expose features to snapd tools
+    - selinux: package to query SELinux status and verify/restore file
+      contexts
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - cmd: add tests for lintArg and lintDesc
+    - httputil: retry on temporary net errors
+    - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+    - wrappers: only restart service in core18 when they are active
+    - overlord/ifacestate: helpers for serializing hotplug changes
+    - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interface
+    - snap/info: bind global plugs/slots to implicit hooks
+    - cmd/snap-confine: remove SC_NS_MNT_FILE
+    - spread: record each tests/upgrade job
+    - osutil: do not import dirs
+    - cmd/snap-confine: fix typo "a pipe"
+    - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+      devices
+    - tests: force test-snapd-daemon-notify exit 0 when the interface is
+      not connected
+    - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+    - centos: enable SELinux support on CentOS 7
+    - apparmor: allow hard link to snap-specific semaphore files
+    - tests/lib/pkgdb: disable weak deps on Fedora
+    - release: detect too old apparmor_parser
+    - tests: improve how the log is checked to see if the system is
+      waiting for a reboot
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - spread, tests: add Fedora 29
+    - cmd/snap-confine: refactor calling snapd tools into helper module
+    - apparmor: allow snap-update-ns access to common devices
+    - cmd/snap-confine: capture initialized per-user mount ns
+    - tests: reduce verbosity around package installation
+    - data: set KillMode=process for snapd
+    - cmd/snap: handle DNS error gracefully
+    - spread, tests: use checkpoints when dumping audit log
+    - tests/lib/prepare: make sure that SELinux context of repacked core
+      snap is controlled
+    - testutils: split checkers, tweak tests
+    - tests: fix for tests test-*-cgroup
+    - spread: show AVC audits when debugging, start auditd on Fedora
+    - spread: drop Fedora 27, add Fedora 29
+    - tests/lib/reset: restore context of removed snapd directories
+    - testutil: add File{Present,Absent} checkers
+    - snap: add new `snap run --trace-exec`
+    - tests: fix for failover test on how logs are checked
+    - snapctl: add "services"
+    - overlord/snapstate: use file timestamp to initialize timer
+    - cmd/libsnap: introduce and use sc_strdup
+    - interfaces: let NM access ifindex/ifupdown files
+    - overlord/snapstate: on refresh, check new rev can read current
+    - client, store: don't use store from client (use client from store)
+    - tests/main/parallel-install-store: verify installation of more
+      than one instance at a time
+    - overlord: don't write system key if security setup fails
+    - packaging/fedora/snapd.spec: fix bogus date in changelog
+    - snapstate: update fontconfig caches on install
+    - interfaces/apparmor/backend.go:411:38: regular expression does not
+      contain any meta characters (SA6004)
+    - asserts/header_checks.go:199:35: regular expression does not
+      contain any meta characters (SA6004)
+    - run staticcheck every time :-)
+    - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+      used with signal.Notify should be buffered (SA1017)
+    - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+      signal.Notify should be buffered (SA1017)
+    - spdx/parser.go:30:1: only the first constant has an explicit type
+      (SA9004)
+    - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+      first argument and no further arguments should use print-style
+      function instead (SA1006)
+    - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+    - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+      Did you mean to break out of the outer loop? (SA4011)
+    - daemon/api.go:992:22: printf-style function with dynamic first
+      argument and no further arguments should use print-style function
+      instead (SA1006)
+    - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+      to break out of the outer loop? (SA4011)
+    - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+      should be buffered (SA1017)
+    - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+      provided buffer, not even temporarily (SA1023)
+    - release: probe apparmor features lazily
+    - overlord,daemon: mock security backends for testing
+    - cmd/libsnap: move apparmor-support to libsnap
+    - cmd: drop cruft from snap-discard-ns build rules
+    - cmd/snap-confine: use snap-discard-ns ns to discard stale
+      namespaces
+    - cmd/snap-confine: handle mounted shared /run/snapd/ns
+    - many: fix composite literals with unkeyed fields
+    - dirs, wrappers, overlord/snapstate: make completion + bases work
+    - tests: revert "tests: restore in restore, not prepare"
+    - many: validate title
+    - snap: make description maximum in runes, not bytes
+    - tests: discard mount namespaces in reset.sh
+    - tests/lib: sync cla check back from snapcraft
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - daemon: remove enableInternalInterfaceActions
+    - mkversion: use "test -n" rather than "! test -z"
+    - run-checks: assorted fixes
+    - tests: restore in restore, not in prepare
+    - cmd/snap: fix missing newline in "snap keys" error message
+    - snap: epoch lists must contain no duplicate entries
+    - interfaces/avahi_observe: Fix typo in comment
+    - tests: add SPREAD_JOB to the description of
+      systemd_create_and_start_unit
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+    - packaging/fedora: use %_sysctldir macro
+    - cmd/snap-confine: remove unneeded unshare
+    - sanity: extend the kernel version check to cover CentOS/RHEL
+      kernels
+    - wrappers: remove all desktop files from a snap on removal
+    - snap: add an explicit check for `epoch: null` loading
+    - snap: check max description length in validate
+    - spread, tests: add CentOS support
+    - cmd/snap-confine: allow mapping more libc shards
+    - cmd/snap-discard-ns: add support for --from-snap-confine
+    - tests: make tinyproxy support systemd notify
+    - tests: fix shellcheck
+    - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+    - store: add a test for a non-zero epoch refresh (with epoch bump)
+    - store: v1 search doesn't send epoch, stop pretending it does
+    - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+    - overlord/snapstate: amend test should send local revision
+    - tests: use mock-gpio.py in enable-disable-units-gpio test
+    - snap: enforce minimal snap name len of 2
+    - cmd/libsnap: add sc_verify_snap_lock
+    - cmd/snap-update-ns: extra debugging of trespassing events
+    - userd: force zenity width if the text displayed is long
+    - overlord/snapstate, store: always send epochs
+    - cmd/snap-confine,snap-update-ns: discard quirks
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - cmd/snap-update-ns, tests: clean trespassing paths
+    - nvidia, interfaces/builtin: OpenCL fixes
+    - ifacestate/hotplug: removeDevice helper
+    - cmd: install snap-discard-ns in "make hack"
+    - overlord/ifacestate: setup security backends phased by backends
+      first
+    - ifacestate/helpers: added SystemSnapName mapper helper method
+    - overlord/ifacestate: set hotplug-key of the connection when
+      connecting hotplug slots
+    - snapd: allow snap-update-ns to read /proc/version
+    - cmd: handle tumbleweed and leap in autogen.sh
+    - interfaces/tests: MockHotplugSlot test helper
+    - store,daemon: make UserInfo,LoginUser part of the store interface
+    - overlord/ifacestate: use remapper when checking if system snap is
+      installed
+    - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+    - packaging/arch: fix bash completions path
+    - interfaces/builtin: add device-buttons interface for accessing
+      events
+    - tests, fakestore: extend refresh tests with parallel installed
+      snaps
+    - snap, store, overlord/snapshotstate: drop epoch pointers
+    - snap: make Epoch default to {[0],[0]} on load from yaml
+    - data/completion: pass documented arguments to completion functions
+    - tests: skip opensuse from interfaces-openvswitch-support test
+    - tests: simple reproducer for snap try and hooks bug
+    - snapstate: do not allow classic mode for strict snaps
+    - snap: make Epoch's MarshalJSON not simplify
+    - store: remove unused currentSnap and currentSnapJSON
+    - many: some small doc comment fixes in recent hotplug code
+    - ifacestate/udevmonitor: added callback to signal end of
+      enumeration
+    - cmd/libsnap: add simplified feature flag checker
+    - interfaces/opengl: add additional accesses for cuda
+    - tests: add core18 only hooks test and fix running core18 only on
+      classic
+    - sanity, release, cmd/snap: refuse to try to do things on WSL.
+    - cmd: make coreSupportsReExec faster
+    - overlord/ifacestate: don't remove the dash when generating unique
+      slot name
+    - cmd/snap-seccomp: add full complement of ptrace constants
+    - cmd: update autogen.sh for opensuse
+    - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+      overlord/snapstate: address review feedback
+    - packaging/opensuse: stop using golang-packaging
+    - overlord/snapshots: survive an unknown user
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - cmd/snap: unhide --name parameter to snap install, tweak help
+      message
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/main/snap-service-after-before-install: verify after/before
+      in snap install
+    - overlord/ifacestate: mark connections disconnected by hotplug with
+      hotplug-gone
+    - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+      startup
+    - tests: install dependencies during prepare
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - tests: core 18 does not support classic confinement
+    - tests: add debug output for degraded test
+    - strutil: make VersionCompare faster
+    - overlord/snapshotstate/backend: survive missing directories
+    - overlord/ifacestate: use map[string]*connState when passing conns
+      around
+    - tests: move fedora 28 to manual
+    - overlord/snapshotstate/backend: be more verbose when
+      SNAPPY_TESTING=1
+    - tests: removing fedora 26 system from spread.yaml
+    - tests: linode execution is not needed anymore
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests: fixes and new backend for tests on nested suite
+    - strutil: let MatchCounter work with a nil regexp
+    - ifacestate/helpers: findConnsForHotplugKey helper
+    - many: move regexp.(Must)Compile out of non-init functions into
+      variables
+    - store: also make snaps downloaded via deltas 0600
+    - snap: use Lstat to determine snap size, remove
+      ReadSnapInfoExceptSize
+    - interfaces/builtin: add adb-support interface
+    - tests: fail if install_snap_local fails
+    - strutil: add extra test to CommaSeparatedList as suggested by
+      mborzecki
+    - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+    - ifacestate: optimize disconnect hooks
+    - cmd/snap-update-ns: parse the -u <uid> command line option
+    - cmd/snap, tests: snapshots for all
+    - client, cmd/daemon: allow disabling keepalive, improve degraded
+      mode unit tests
+    - snap: only show "next" refresh time if its after the hold time
+    - overlord/snapstate: run tests for classic snaps even on systems
+      that don't support classic
+    - overlord/standby: fix a race between standby goroutine and stop
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - cmd: remove remnants of sc_should_populate_mount_ns
+    - client, daemon, cmd/snap: indicate that services are socket/timer
+      activated
+    - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+    - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+    - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+    - cmd/snap-discard-ns: add support for per-user mount namespaces
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook.
+    - tests/main: fixes for the new shellcheck
+    - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+      fly
+    - tests: initial setup for testing current branch on nested vm and
+      hotplug management
+    - cmd: refactor IPC and lifecycle of the helper process
+    - tests/main/parallel-install-store: the store has caught up, do not
+      expect failures
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+      ptrace, for the Breakpad crash reporter
+    - snap,client: use a different exit code for retryable errors
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - cmd/snap: tweak `snap services` output when there is no services
+    - interfaces/many: updates to support k8s worker nodes
+    - cmd/snap: gnome-software install via snap:// handler
+    - overlord/many: cleanup use of snapName vs. instanceName
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes* ifstate: fix decoding of json numbers
+    - cmd/snap: try not to panic on error from "snap try"
+    - tests: new cosmic image for spread tests on gce
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - overlord/snapshotstate/backend: detect path to tar in unit tests
+    - tests/unit/gccgo: drop gccgo unit tests
+    - cmd: use relative file names in locking APIs
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - overlord/snapshotstate/backend: fall back on sudo when no runuser
+    - cmd/snap-confine: reduce verbosity of debug and error messages
+    - systemd: extend Status() to work for socket and timer units
+    - interfaces: typo 'allows' for consistency with other ifaces
+    - systemd,wrappers: don't start disabled services
+    - ifacestate: simplify task chaining in ifacestate.Connect
+    - tests: ensure that goa-daemon is off
+    - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+    - cmd/snap: block 'snap help <cmd> --all'
+    - asserts, image: ensure kernel, gadget, base and required-snaps use
+      valid snap names
+    - apparmor: add unit test for probeAppArmorParser and simplify code
+    - interfaces/apparmor: conditionally add explicit deny rules for
+      ptrace
+    - po: sync translations from launchpad
+    - osutil: tweak handling of error adduser errors
+    - cmd: rename ns_group to mount_ns
+    - tests/main/interfaces-accounts-service: more debugging
+    - snap/pack, snap/squashfs: use type to determine mksquashfs args
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - tests: show list of processes when ifaces-accounts-service fails
+    - tests: do not run degraded test in autopkgtest env
+    - snap: overhaul validation error messages
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - interfaces: improve Attr error further
+    - snapstate: tweak GetFeatureFlagBool() to have a default argument
+    - many: cleanup remaining parallel installs TODOs
+    - image: improve validation of extra snaps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 Jan 2019 09:36:51 +0100
+
+snapd (2.36.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - httputil: retry on temporary net errors
+    - wrappers: only restart service in core18 when they are active
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interfacewhen installing selinux-policy-devel package.
+    - centos: enable SELinux support on CentOS 7
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - apparmor: allow hard link to snap-specific semaphore files
+    - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+      profile errors
+    - snap: add new `snap run --trace-exec` call
+    - interfaces/backends: detect too old apparmor_parser
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 14 Dec 2018 07:30:58 +0100
+
+snapd (2.36.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - snapstate: update fontconfig caches on install
+    - overlord,daemon: mock security backends for testing
+    - sanity, spread, tests: add CentOS
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - tests: add regression test for LP #1803535
+    - snap-update-ns: fix trailing slash bug on trespassing error
+    - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+    - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+    - interfaces/opengl: add additional accesses for cuda
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 29 Nov 2018 10:48:29 +0100
+
+snapd (2.36.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - tests,snap-confine: add core18 only hooks test and fix running
+      core18 only hooks on classic
+    - interfaces/apparmor: allow access to
+      /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests/main/interfces-accounts-service: switch to busctl, more
+      debugging
+    - store: also make snaps downloaded via deltas 0600
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - tests/main: fixes for the new shellcheck
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 09 Nov 2018 14:42:28 +0100
+
+snapd (2.36) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - tests: the store has caught up, drop gccgo test, update cosmic
+      image
+    - cmd/snap: try not to panic on error from "snap try"`--devmode`
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - systemd,wrappers: don't start disabled services
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - tests: do not run degraded test in autopkgtest env
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces: include invalid type in Attr error
+    - many: enable layouts by default
+    - interfaces/default: don't scrub with change_profile with classic
+    - cmd/snap: speed up unit tests
+    - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+      flags
+    - daemon: expose snapshots to the API
+    - interfaces: updates for default, screen-inhibit-control, tpm,
+      {hardware,system,network}-observe
+    - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+      update test interface
+    - interfaces/tests: use TestInterface instead of a custom local
+      helper
+    - overlord/snapstate: export getFeatureFlagBool.
+    - osutil,asserts,daemon: support force password change in system-
+      user assertion
+    - snap, wrappers: support restart-delay, generate RestartSec=<value>
+      in service units
+    - tests/ifacestate: moved asserts-related mocking into helper
+    - image: fetch device store assertion if available
+    - many: enable AppArmor on Arch
+    - interfaces/repo: two helper methods for hotplug
+    - overlord/ifacestate: add hotplug slots with implicit slots
+    - interfaces/hotplug: helpers and struct updates
+    - tests: run the snapd tests on Ubuntu 18.10
+    - snapstate: only report errors if there is an actual error
+    - store: speedup unit tests
+    - spread-shellcheck: fix interleaved error messages, tweaks
+    - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+    - ifacestate: implementation of defaultDeviceKey function for
+      hotplug
+    - cmd/snap-update-ns: remove empty placeholders used for mounting
+    - snapshotstate: restore to current revision
+    - tests/lib: rework the CLA checker
+    - many: support and consider store friendly-stores when checking
+      device scope constraints
+    - overlord/snapstate: block parallel installs of snapd, core, base,
+      kernel, gadget snaps
+    - overlord/patch: patch for static plug/slot attributes
+    - interfaces: honor static attributes when reloading conns
+    - osutils: unit tests speedup; introduce «run-checks --short-
+      unit».
+    - systemd, wrappers: speed up wrappers unit tests
+    - client: speedup unit tests
+    - spread-shellcheck: use threads to parallelise
+    - snap: validate plug and slot names
+    - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+    - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+    - store: gracefully handle unexpected errors in 'action'
+      response
+    - cmd: put our manpages in section 8
+    - overlord: don't make become-operational interfere with user
+      requests
+    - store: tweak unmatched refresh result error log
+    - snap, client, daemon, store: use and expose "media" more
+    - tests,cmd/snap-update-ns: add test showing mount update bug
+      cmd/snap-update-ns: better detection of snapd-made tmpfs
+    - tests: spread tests for aliases with parallel installed snaps
+    - interfaces/seccomp: allow using statx by default
+    - store: gracefully handle unexpected errors in 'action' response
+    - overlord/snapshotstate: chown the tempdir
+    - cmd/snap: attempt to start the document portal if running with a
+      session bus
+    - snap: detect layouts vs layout in snap.yaml
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snapcraft.yaml: set grade to stable
+    - tests: shellchecks, final round
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snap: detect layouts vs layout in snap.yaml
+    - overlord/snapshotstate: store epoch in snapshot, check on restore
+    - cmd/snap: tweak UX of snap refresh --list
+    - overlord/snapstate: improve consistency, use validateInfoAndFlags
+      also in InstallPath
+    - snap: give Epoch a CanRead helper
+    - overlord/snapshotstate: small refactor of internal helpers
+    - interfaces/builtin: adding missing permission to create
+      /run/wpa_supplicant directory
+    - interfaces/builtin: avahi interface update
+    - client, daemon: support passing of 'unaliased' option when
+      installing from local files
+    - selftest: rename selftest.Run() to sanity.Check()
+    - interfaces/apparmor: report apparmor support level and policy
+    - ifacestate: helpers for generating slot names for hotplug
+    - overlord/ifacestate: make sure to pass in the Model assertion when
+      enforcing policies
+    - overlord/snapshotstate: store the SnapID in snapshot, block
+      restore if changed
+    - interfaces: generalize writable mimic profile
+    - asserts,interfaces/policy: add support for on-store/on-brand/on-
+      model plug/slot rule constraints
+    - many: fetch the device store assertion together and in the context
+      of interpreting snap-declarations
+    - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+      gccgo is fixed
+    - tests/main/parallel-install-services: add spread test for snaps
+      with services
+    - tests/main/snap-env: extend to cover parallel installations of
+      snaps
+    - tests/main/parallel-install-local: rename from *-sideload, extend
+      to run snaps
+    - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+    - cmd/snap: tame the help zoo
+    - tests/main/parallel-install-store: run installed snap
+    - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+      i18n)
+    - cmd: fix C formatting
+    - tests: remove unneeded cleanup from layout tests
+    - image: warn on missing default-providers
+    - selftest: add test to ensure selftest.checks is up-to-date
+    - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+      installs
+    - userd: extend the list of supported XDG Desktop properties when
+      autostarting user applications
+    - cmd/snap-update-ns: enforce trespassing checks
+    - selftest: actually run the kernel version selftest
+    - snapd: go into degraded mode when the selftest fails
+    - tests: add test that runs snapctl with a core18 snap
+    - tests: add snap install hook with base: core18
+    - overlord/{snapstate,assertstate}: parallel instances and
+      refresh validation
+    - interfaces/docker-support: add rules to read apparmor macros
+    - tests: make nfs test available for more systems
+    - tests: cleanup copy/paste dup in interfaces-network-setup-control
+    - tests: using single sh snap in interface tests
+    - overlord/snapstate: improve cleaup in mount-snap handler
+    - tests: don't fail interfaces-bluez test if bluez is already
+      installed
+    - tests: find snaps just for edge and beta channels
+    - daemon, snapstate: consistent snap list [--all] output with broken
+      snaps
+    - tests: fix listing to allow extra things in the notes column
+    - cmd/snap: improve UX when removing specific snap revision
+    - cmd/snap, tests/main/snap-info: highlight the current channel
+    - interfaces/testiface: added TestHotplugInterface
+    - snap: tweak commands
+    - interfaces/hotplug: hotplug spec takes one slot definition
+    - overlord/snapstate, snap: handle shared snap directories when
+      installing/remove snaps with instance key
+    - interfaces/opengl: misc accesses for VA-API
+    - client, cmd/snap: expose warnings to the world
+    - cmd/snap-update-ns: introduce trespassing state tracking
+    - cmd/snap: commands no longer build their own client
+    - tests: try to build cmd/snap for darwin
+    - daemon: make error responders not printf when called with 1
+      argument
+    - many: return real snap name in API response
+    - overlord/state: return latest LastAdded time in WarningsSummary
+    - many: mount namespace mapping for parallel installs of snaps
+    - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+      core-phase-2
+    - client, cmd/snap: on !linux, exit when the client tries to Do
+      something
+    - tests: refactor for nested suite and tests fixed
+    - tests: use lxd's waitready instead of polling lxd socket
+    - ifacestate: don't initialize udev monitor until we have a system
+      snap
+    - interfaces: extra argument for static attrs in
+      NewConnectedPlug/NewConnectedSlot
+    - packaging/arch: sync packaging with AUR
+    - snapstate/tests: serialize all appends in fake backend
+    - snap-confine: make /lib/modules optional
+    - cmd/snap: handle "snap interfaces core" better
+    - store: move download tests into downloadSuite
+    - tests,interfaces: run interfaces-account-control on UC18
+    - tests: fix install snaps test by adding link to /snap
+    - tests: fix for nested test suite
+    - daemon: fix snap list --all with parallel snap instances
+    - snapstate: refactor tests to use SetModel*
+    - wrappers: fix snap services order in tests
+    - many: provide salt for generating instance-key in store requests
+    - ifacestate: fix hang when retrying content providers
+    - snapd-env-generator: fix when PATH is empty or unset
+    - overlord/assertstate: propagate TaskSnapSetup error
+    - client: catch and expose logs errors
+    - overlord: integrate device enumeration with udev monitor
+    - daemon, overlord/state: warnings pipeline
+    - tests: add publisher regex to fix the snap-info test pass on sru
+    - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+      tweaks
+    - cmd/snap-update-ns: remove the unused Secure type
+    - osutil, o/snapshotstate, o/sss/backend: quick fixes
+    - tests: update the listing expression to support core from
+      different channels
+    - store: use stable instance key in store refresh requests
+    - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+    - overlord/patch: support for sublevel patches
+    - tests: update prepare/restore for nightly suite
+    - cmd/snap-update-ns: detach BindMount from the Secure type
+    - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+    - ifacestate: retry on "discard-snap" in autoconnect conflict check
+    - cmd/snap-update-ns: separate OpenPath from the Secure struct
+    - wrappers: remove Wants=network-online.target
+    - tests: add new core16-base test
+    - store: refactor tests so that they work as store_test package
+    - many: add refresh.rate-limit core option
+    - tests: run account-control test with different bases
+    - tests: port proxy test to use python tinyproxy
+    - overlord: introduce snapshotstate.
+    - testutil: allow Fstatfs results to vary over time
+    - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+    - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+    - many: remove deadcode
+    - tests: also run unit/gccgo in 18.04
+    - tests: introduce a helper for installing local snaps with --name
+    - tests: avoid removing core snap on reset
+    - snap: use snap.SideInfo in test to fix build with gccgo
+    - partition: remove unused runCommand
+    - image: fix incorrect error when using local bases
+    - overlord/snapstate: fix format
+    - cmd: fix format
+    - tests: setting "storage: preserve-size" just for amazon-linux
+      system
+    - tests: test for the hostname interface
+    - interfaces/modem-manager: allow access to more USB strings
+    - overlord: instantiate UDevMonitor
+    - interfaces/apparmor: tweak naming, rename to AddLayout()
+    - interfaces: take instance name in ifacetest.InstallSnap
+    - snapcraft: do not use --dirty in mkversion
+    - cmd: add systemd environment generator
+    - devicestate: support getting (http) proxy from core config
+    - many: rename ClientOpts to ClientOptions
+    - prepare-image-grub-core18: remove image root in restore
+    - overlord/ifacestate: remove "old-conn" from connect/undo connect
+      handlers
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - image: handle errors when downloadedSnapsInfoForBootConfig has no
+      data
+    - tests: use official core18 model assertion in tests
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - overlord,store: support proxy settings internally too
+    - cmd/snap: bring back 'snap version'
+    - interfaces/mount: tweak naming of things
+    - strutil: fix MatchCounter to also work with buffer reuse
+    - cmd,interfaces,tests: add /mnt to removable-media interface
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - snap/snapenv: drop some instance specific variables, use instance-
+      specific ones for user locations
+    - firstboot: sort by type when installing the firstboot snaps
+    - cmd, cmd/snap: better support for non-linux
+    - strutil: add new ParseByteSize
+    - image: detect and error if bases are missing
+    - interfaces/apparmor: do not downgrade confinement on arch with
+      linux-hardened 4.17.4+
+    - daemon: add pokeStateLock helper to the daemon tests
+    - snap/squashfs: improve error message from Build on mksquashfs
+      failure
+    - tests: remove /etc/alternatives from dirs-not-shared-with-host
+    - cmd: support re-exec into the "snapd" snap
+    - spdx: remove "Other Open Source" from the support licenses
+    - snap: add new type "TypeSnapd" and attach to the snapd snap
+    - interfaces: retain order of inserted security backends
+    - tests: spread test for parallel-installs desktop file handling
+    - overlord/devicestate: use OpenSSL's PEM format when generating
+      keys
+    - cmd: remove --skip-command-chain from snap run and snap-exec
+    - selftest: detect if apparmor is unusable and error
+    - snap,snap-exec: support command-chain for hooks
+    - tests: significantly reduce execution time for managers test
+    - snapstate: use new "snap.ByType" sorting
+    - overlord/snapstate: fix UpdateMany() to work with parallel
+      instances
+    - testutil: have File* checker produce more useful error output
+    - overlord/ifacestate: introduce connectOpts
+    - interfaces: parallel instances support, extend unit tests
+    - tests: normalize tests
+    - snapstate: make InstallPath() return *snap.Info too
+    - snap: add ByType sorting
+    - interfaces: add cifs-mount interface
+    - tests: use file based markers in snap-service-stop-mode
+    - osutil: reorg and stub out things to get it building on darwin
+    - tests/main/layout: cleanup after the test
+    - osutil/sys: small tweaks to let it build on darwin
+    - daemon, overlord/snapstate: set instance name when installing from
+      snap file
+    - many: move Uname to osutil, for more DRY and easier porting.
+    - cmd/snap: create snap user directory when running parallel
+      installed snaps
+    - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+    - tests: basic test for parallel installs from the store
+    - image: download the gadget from the model.GadgetTrack()
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - overlord: handle sigterm during shutdown better
+    - tests: add the original function to fix the errors on new kernels
+    - tests/main/lxd: pull lxd from candidate; reënable i386
+    - wayland: add extra sockets that are used by older toolkits (e.g.
+      gtk3)
+    - asserts: add support for gadget tracks in the model assertion
+    - overlord/snapstate: improve feature flag validation
+    - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+    - interfaces: workaround for activated services and newer DBus
+    - tests: get the linux-image-extra available for the current kernel
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - interfaces: disconnect hooks
+    - cmd/libsnap: unify detection of core/classic with go
+    - tests: fix autopkgtest failures in cosmic
+    - snap: fix advice json
+    - overlord/snapstate: parallel snap install
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - interfaces: add screencast-legacy for video and audio recording
+    - tests: skip unsupported architectures for fedora-base-smoke test
+    - tests: avoid using the journalctl cursor when it has not been
+      created yet
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - tests: enable lxd again everywhere
+    - tests: new test for udisks2 interface
+    - interfaces: add cpu-control for setting CPU tunables
+    - overlord/devicestate: fix tests, set seeded in registration
+      through proxy tests
+    - debian: add missing breaks on cosmic
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - tests: new test for juju client observe interface
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - snapcraft: set version information for the snapd snap
+    - cmd/snap, daemon: error out if trying to install a snap using
+      empty name
+    - hookstate: simplify some hook tests
+    - cmd/snap-confine: extend security tag validation to cover instance
+      names
+    - snap: fix mocking of systemkey in snap-run tests
+    - packaging/opensuse: fix static build of snap-update-ns and snap-
+      exec
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - cmd/libsnap-confine-private: intoduce helpers for validating snap
+      instance name and instance key
+    - snap,snap-exec: support command-chain for app
+    - interfaces/builtin: network-manager resolved DBus changes
+    - snap: tweak `snap wait` command
+    - cmd/snap-update-ns: introduce validation of snap instance names
+    - cmd/snap: fix some corner-case test setup weirdness
+    - cmd,dirs: fix various issues discovered by a Fedora base snap
+    - tests/lib/prepare: fix extra snaps test
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 24 Oct 2018 11:30:45 -0600
+
+snapd (2.35.5) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - osutil: workaround overlayfs on ubuntu 18.10
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 15 Oct 2018 22:23:02 +0200
+
+snapd (2.35.4) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 14:41:33 +0200
+
+snapd (2.35.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - overlord: don't make become-operational interfere with user
+      requests
+    - docker_support.go: add rules to read apparmor macros
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-
+      nsFixes:
+    - snapcraft.yaml: add workaround to fix snapcraft build
+    - interfaces/opengl: misc accesses for VA-API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 09:32:00 +0200
+
+snapd (2.35.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - cmd,overlord/snapstate: go 1.11 format fixes
+    - ifacestate: fix hang when retrying content providers
+    - snap-env-generator: do nothing when PATH is unset
+    - interfaces/modem-manager: allow access to more USB strings
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 12 Sep 2018 09:32:00 +0200
+
+snapd (2.35.1) xenial; urgency=medium
+
+  *  New upstream release, LP: #1786438
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - snapcraft: do not use --diry in mkversion.sh
+    - cmd: add systemd environment generator
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - tests: cherry-pick test fixes from master for 2.35
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - interfaces: retain order of inserted security backends
+    - selftest: detect if apparmor is unusable and error
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 03 Sep 2018 14:44:06 +0200
+
+snapd (2.35) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - asserts: add support for gadget tracks in the model assertion
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - overlord: handle sigterm during shutdown better
+    - wayland: add extra sockets that are used by older toolkits
+    - snap: fix advice json
+    - tests: fix autopkgtest failures in cosmic
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - interfaces: add cpu-control for setting CPU tunables
+    - debian: add missing breaks on comisc
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - hookstate: simplify some hook tests
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - interfaces/builtin: network-manager resolved DBus changes
+    - tests: add spread test for fedora29 base snap
+    - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+    - dirs: fix SnapMountDir inside a Fedora base snap
+    - tests: fix snapd-failover for core18 with external backend
+    - overlord/snapstate: always clean SnapState when doing Get()
+    - overlod/ifacestate: always use a new SnapState when fetching the
+      snap state
+    - overlord/devicestate: have the serial request talk to the proxy if
+      set
+    - interfaces/hotplug: udevadm output parser
+    - tests: New test for daemon-notify interface
+    - image: ensure "core" is ordered early if base: and core is used
+    - cmd/snap-confine: snap-device-helper parallel installs support
+    - tests: enable interfaces-framebuffer everywhere
+    - tests: reduce nc wait time from 2 to 1 second
+    - snap/snapenv: add snap instance specific variables
+    - cmd/snap-confine: add minimal test for snap-device-helper
+    - tests: enable snapctl test on core18
+    - overlord: added UDevMonitor for future hotplug support
+    - wrappers: do not glob when removing desktop files
+    - tests: add dbus monitor log to interfaces-accounts-service
+    - tests: add core-18 systems to external backend
+    - wrappers: account for changed app wrapper in parallel installed
+      snaps
+    - wrappers: make sure that the tests pass on non-Ubuntu too
+    - many: add snapd snap failure handling
+    - tests: new test for dvb interface
+    - configstate: accept refresh.timer=managed
+    - tests: new test for snap logs command
+    - wrapper: generate all the snapd unit files when generating
+      wrappers
+    - store: keep all files with link-count > 1 in the cache
+    - store: be less verbose in the common refresh case of "no updates"
+    - snap-confine: update snappy-app-dev path
+    - debian: ensure dependency on fixed apt on 18.04
+    - snapd: add initial software watchdog for snapd
+    - daemon, systemd: change journalctl -n=all to --no-tail
+    - systemd: fix snapd.apparmor.service.in dependencies
+    - snapstate: refuse to remove bases or core if snaps need them
+    - snap: introduce package-level helpers for building snap related
+      directory/file paths
+    - overlord/devicestate: deny parallel install of kernel or gadget
+      snaps
+    - store: clean up parallel-install TODOs in store tests
+    - timeutil: fix first weekday of the month schedule
+    - interfaces: match all possible tty but console
+    - tests: shellchecks part 5
+    - cmd/snap-confine: allow ptrace read for 4.18 kernels
+    - advise: make the bolt database do the atomic rename dance
+    - tests/main/apt-hooks: debug dump of commands.db
+    - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+      handling
+    - snap: validate instance name as part of Validate()
+    - daemon: if a snap is inactive, don't ask systemd about its
+      services.
+    - udev: skip TestParseUdevEvent on s390x
+    - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+    - asserts,image: add support for new kernel=track syntax
+    - tests: new gce image for fedora 27
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - store, overlord/snapstate: introduce instance name in store APIs
+    - tests: drive-by cleanup of redudant pkgname matching
+    - tests: ensure apt-hook is only run after catalog update ran
+    - tests: use pkill instead of kilall
+    - tests/main: another bunch of updates for Amazon Linux 2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the  directory tree
+    - tests: disable/fix more tests for Amazon Linux 2
+    - overlord: introduce InstanceKey to SnapState and SnapSetup,
+      renames
+    - daemon: make sure most change generating handlers can produce
+      errors with kinds
+    - tests/main/interfaces-calendar-service: skip the test on AMZN2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the directory tree
+    - cmd/snap: add a green check mark to verified publishers
+    - cmd/snap: fix two issues in the cmd/snap unit tests
+    - packaging/fedora: fix target path of /snap symlink
+    - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - strutil: detect and bail out of Unmarshal on duplicate key
+    - packaging/fedora(amzn2): disable SELinux, drop dependency on
+      squashfuse for AMZN2
+    - spread, tests: add support for Amazon Linux 2
+    - packaging/fedora: Add Amazon Linux 2 support
+    - many: make Wait/Stop optional on StateManagers
+    - snap/squashfs: stop printing unsquashfs info to stderr
+    - snap: add support for `snap advise-snap --from-apt`
+    - overlord/ifacestate: ignore connect if already connected
+    - tests: change the service snap used instead of network-bind-
+      consumer
+    - interfaces/network-control: update for wpa-supplicant and ifupdown
+    - tests: fix raciness in stop mode tests
+    - logger: try to not have double dates
+    - debian: use deb-systemd-invoke instead of systemctl directly
+    - tests: run all main tests on core18
+    - many: finish sharing a single TaskRunner with all the the managers
+    - interfaces/repo: added AllHotplugInterfaces helper
+    - snapstate: ensure kernel-track is honored on switch/refresh
+    - overlord/ifacestate: support implicit slots on snapd
+    - image: add support for "kernel-track" in `snap prepare-image`
+    - tests: add test that ensures we do not boot any system in degraded
+      state
+    - tests: update tests to work on core18
+    - cmd/snap: check for typographic dashes in command
+    - tests: fix tests expecting old email address
+    - client: add some existing error kinds that were not listed in
+      client.go
+    - tests: add missing slots in classic and core provider test snaps
+    - overlord,daemon,cmd: re-map snap names around the edges of snapd
+    - tests: use install_local in snap-run-hooks
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - overlord/snapstate: dedupe default content providers
+    - osutil/udev: sync with upstream
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord: have SnapManager use a passed in TaskRunner created by
+      Overlord
+    - many: streamline the generic conflict check mechanisms
+    - tests: remove unneeded setup code in snap-run-symlink
+    - cmd/snap: print unset license as "unset", instead of "unknown"
+    - asserts: add (optional) kernel-track to model assertion
+    - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+    - interfaces/pulseaudio: be clear that the interface allows playback
+      and record
+    - snap: support hook environment
+    - interfaces: fix typo "daemonNotify" (add missing "n")
+    - interfaces: tweak tests of daemon-notify, use common naming
+    - interfaces: allow invoking systemd-notify when daemon-notify is
+      connected
+    - store: make snap blobs be 0600
+    - interfaces,daemon: move JSON types to the daemon
+    - tests: prepare needs to handle bin/snapctl being a symlink
+    - tests: do not mask errors in interfaces-timezone-control (#5405)
+    - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+    - tests: add basic integration test for spread hold
+    - overlord/snapstate: improve PlugsOnly comment
+    - many: assorted shellcheck fixes
+    - store, daemon, client, cmd/snap: expose "scope", default to wide
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - client, cmd/snap: pass snap instance name when installing from
+      file
+    - cmd/snap: add 'debug paths' command
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: fix tests on arch
+    - tests: start active system units on reset
+    - tests: new test for joystick interface
+    - tests: moving install of dependencies to pkgdb helper
+    - tests: enable new fedora image with test dependencies installed
+    - tests: start using the new opensuse image with test dependencies
+    - tests: check catalog refresh before and after restart snapd
+    - tests: stop restarting journald service on prepare
+    - interfaces: make core-support a no-op interface
+    - interfaces: prefer "snapd" when resolving implicit connections
+    - interfaces/hotplug: add hotplug Specification and
+      HotplugDeviceInfo
+    - many: lessen the use of core-support
+    - tests: fixes for the autopkgtest failures in cosmic
+    - tests: remove extra ' which breaks interfaces-bluetooth-control
+      test
+    - dirs: fix antergos typo
+    - tests: use grep to avoid non-matching messages from MATCH
+    - dirs: improve distro detection for Antegros
+    - vendor: switch to latest bson
+    - interfaces/builtin: create can-bus interface
+    - tests: "snap connect" is idempotent so just connect
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - interfaces: treat "snapd" snap as type:os
+    - interfaces: tweak tests to have less repetition of "core" and
+      "ubuntu…
+    - tests: simplify econnreset test
+    - snap: add helper for renaming slots
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - tests: add artful for sru validation on google backend
+    - snap,interfaces: move interface name validation to snap
+    - overlord/snapstate: introduce path to fake backend ops
+    - cmd/snap-confine: fix snaps running on core18
+    - many: expose publisher's validation throughout the API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 20 Aug 2018 12:36:33 +0200
+
+snapd (2.34.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - snapstate: allow setting "refresh.timer=managed"
+    - spread: switch Fedora and openSUSE images
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 27 Jul 2018 19:08:44 +0200
+
+snapd (2.34.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - packaging: fix bogus date in fedora snapd.spec
+    - tests: fix tests expecting old email address
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 19 Jul 2018 12:05:50 +0200
+
+snapd (2.34.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - tests: cherry-pick test fixes from master for 2.34
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord/snapstate: dedupe default content providers
+    - interfaces/builtin: create can-bus interface
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Tue, 17 Jul 2018 19:46:56 +0200
+
+snapd (2.34) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - store, daemon, client, cmd/snap: expose "scope", default to wide*
+    - tests: fix arch tests
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+    - tests: run interfaces-contacts-service only where test-snapd-eds
+      is available
+    - many: expose publisher's validation throughout the API
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - dirs: improve distro detection for Antegros
+    - Revert "dirs: improve identification of Arch Linux like systems"
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - i18n: use xgettext-go --files-from to avoid running into cmdline
+      size limits
+    - interfaces: move ValidateName helper to utils
+    - snapstate,ifstate: wait for pending restarts before auto-
+      connecting
+    - snap: account for parallel installs in wrappers, place info and
+      tests
+    - configcore: fix incorrect handling of keys with numbers (like
+      gpu_mem_512)
+    - tests: fix tests when no keyboard input detected
+    - overlord/configstate: add watchdog options
+    - snap-mgmt: fix for non-existent dbus system policy dir,
+      shellchecks
+    - tests/main/snapd-notify: use systemd's service properties rater
+      than the journal
+    - snapstate: allow removal of snap.TypeOS when using a model with a
+      base
+    - interfaces: make findSnapdPath smarter
+    - tests: run "arp" tests only if arp is available
+    - spread: increase the number of auto retries for package downloads
+      in opensuse
+    - cmd/snap-confine: fix nvidia support under lxd
+    - corecfg: added experimental.hotplug feature flag
+    - image: block installation of parallel snap instances
+    - interfaces: moved normalize method to interfaces/utils and made it
+      public
+    - api/snapctl: allow -h and --help for regular users.
+    - interfaces/udisks2: also implement implicit classic slot
+    - cmd/snap-confine: include CUDA runtime libraries
+    - tests: disable auto-refresh test on core18
+    - many: switch to account validation: unproven|verified
+    - overlord/ifacestate: get/set connection state only via helpers
+    - tests: adding extra check to validate journalctl is showing
+      current test data
+    - data: add systemd environment configuration
+    - i18n: handle write errors in xgettext-go
+    - snap: helper for validating snap instance names
+    - snap{/snaptest}: set instance key based on snap name
+    - userd: fix running unit tests on KDE
+    - tests/main/econnreset: limit ingress traffic to 512kB/s
+    - snap: introduce a struct Channel to represent store channels, and
+      helpers to work with it
+    - tests: add fedora to distro_clean_package_cache function
+    - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+    - tests: add spread test to ensure snapd/core18 are not removable
+    - tests: tweaks for running the main tests on core18
+    - overlord/{config,snap}state: introduce experimental.parallel-
+      instances feature flag
+    - strutil: support iteration over almost clean paths
+    - strutil: add PathIterator.Rewind
+    - tests: update interfaces-timeserver-control to core18
+    - tests: add halt-timeout to google backend
+    - tests: skip security-udev-input-subsystem without /dev/input/by-
+      path
+    - snap: introduce the instance key field
+    - packaging/opensuse: remaining packaging updates for 2.33.1
+    - overlord/snapstate: disallow installing snapd on baseless models
+    - tests: disable core tests on all core systems (16 and 18)
+    - dirs: improve identification of Arch Linux like systems
+    - many: expose full publisher info over the snapd API
+    - tests: disable core tests on all core systems (16 and 18)
+    - tests/main/xdg-open: restore or clean up xdg-open
+    - tests/main/interfaces-firewall-control: shellcheck fix
+    - snapstate: sort "snapd" first
+    - systemd: require snapd.socket in snapd.seeded.service; make sure
+      snapd.seeded
+    - spread-shellcheck: use the latest shellcheck available from snaps
+    - tests: use "ss" instead of "netstat" (netstat is not available in
+      core18)
+    - data/complete: fix three out of four shellcheck warnings in
+      data/complete
+    - packaging/opensuse: fix typo, missing assignment
+    - tests: initial core18 spread image building
+    - overlord: introduce a gadget-connect task and use it at first boot
+    - data/completion: fix inconsistency in +x and shebang
+    - firstboot: mark essential snaps as "Required" in the state
+    - spread-shellcheck: use a whitelist of files that are allowed to
+      fail validation
+    - packaging/opensuse: build position-independent binaries
+    - ifacestate: prevent running interface hooks twice when self-
+      connecting on autoconnect
+    - data: remove /bin/sh from snapd.sh
+    - tests: fix shellcheck 0.5.0 warnings
+    - packaging/opensuse: snap-confine should be 06755
+    - packaging/opensuse: ship apparmor integration if enabled
+    - interfaces/udev,misc: only trigger udev events on input subsystem
+      as needed
+    - packaging/opensuse: add missing bits for snapd.seeded.service
+    - packaging/opensuse: don't use %-macros in comments
+    - tests: shellchecks part 4
+    - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+      parallel-install TODOs
+    - store: drop unused: channel map types, and details fixture.
+    - store: have a basic test about the unmarshalling of /search
+      results
+    - tests: show executed tests on current system when a test fails
+    - tests: fix for the download of the big snap
+    - interfaces/apparmor: add chopTree
+    - tests: remove double debug: | entry in tests and add more checks
+    - cmd/snap-update-ns: introduce mimicRequired helper
+    - interfaces: move assertions around for better failure line number
+    - store: log a nice clear "download succeeded" message
+    - snap: run snap-confine from the re-exec location
+    - snapstate: support restarting snapd from the snapd snap on core18
+    - tests: show status of the partial test-snapd-huge snap in
+      econnreset test
+    - tests: fix interfaces-calendar-service test when gvfsd-metadata
+      loks the xdg dirctory
+    - store: switch store.SnapInfo to use the new v2/info endpoint
+    - interfaces: add Repository.AllInterfaces
+    - snapstate: stop using evolving SnapSpec internally, use an
+      internal-only snapSpec instead
+    - cmd/libsnap-confine-private: introduce a helper for splitting snap
+      name
+    - tests: econnreset/retry tweaks
+    - store, et al: kill dead code that uses the bulk endpoint
+    - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+    - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+      Depth helper
+    - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+      available
+    - store: switch connectivity check to use v2/info
+    - devicestate: support seeding from a base snap instead of core
+    - snapstate,ifacestate: remove core-phase-2 handling
+    - interfaces/docker-support: update for docker 18.05
+    - tests: enable fedora 28 again
+    - overlord/ifacestate:  simplify checkConnectConflicts and also
+      connect signature
+    - snap: parse connect instructions in gadget.yaml
+    - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+      test
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - store, image: have 'snap download' use v2/refresh action=download
+    - interfaces/policy: test that base policy can be parsed
+    - tests: publish test-snapd-appstreamid for any architecture
+    - snap: don't include newline in hook environment
+    - cmd/snap-update-ns: use RCall with SyscallsEqual
+    - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+    - interfaces: add the dvb interface
+    - daemon: paging is not a thing.
+    - cmd/snap-mgmt: remove system key on purge
+    - testutil: syscall sequence checker
+    - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command* many: add `snap debug
+      connectivity` command
+    - configstate: deny configuration of base snaps and for the "snapd"
+      snap
+    - interfaces/raw-usb: also allow usb serial devices
+    - snap: reject more layout locations
+    - errtracker: do not send duplicated reports
+    - httputil: extra debug if an error is not retried
+    - cmd/snap-update-ns: improve wording in many errors
+    - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+    - cmd/snap-update-ns: add helper for checking for read-only
+      filesystems
+    - interfaces/builtin/docker: use commonInterface over specific
+      struct
+    - testutil: add test support for Fstatfs
+    - cmd/snap-update-ns: discard the concept of segments
+    - cmd/libsnap-confine-private: helper for extracting store snap name
+      from local-name
+    - tests: fix flaky test for hooks undo
+    - interfaces: add {contacts,calendar}-service interfaces
+    - tests: retry 'restarting into..' match in the snap-confine-from-
+      core test
+    - systemd: adjust TestWriteMountUnitForDirs() to use
+      squashfs.MockUseFuse(false)
+    - data: add helper that can generate/start/stop the snapd service
+    - sefltest: advise reboot into 4.4 on trusty running 3.13
+    - selftest: add new selftest package that tests squashfs mounting
+    - store, jsonutil: move store.getStructFields to
+      jsonutil.StructFields
+    - ifacestate: improved conflict and error handling when creating
+      autoconnect tasks
+    - cmd/snap-confine: applied make fmt
+    - interfaces/udev: call 'udevadm settle --timeout=10' after
+      triggering events
+    - tests: wait more time until snap start to be downloaded on
+      econnreset test
+    - snapstate: ensure fakestore returns TypeOS for the core snap
+    - tests: fix lxd test which hangs on restore
+    - cmd/snap-update-ns: add PathIterator
+    - asserts,image: add support for models with bases
+    - tests: shellchecks part 3
+    - overlord/hookstate: support undo for hooks
+    - interfaces/tpm: Allow access to the kernel resource manager
+    - tests: skip appstream-id test for core systems 32 bits
+    - interfaces/home: remove redundant common interface assignment
+    - tests: reprioritise a few tests that are known to be slow
+    - cmd/snap: small help tweaks and fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - spread-shellcheck: silly fix & pep8
+    - spread: switch fedora 28 to manual
+    - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+      it in snap info --verbose
+    - tests: fix lxd test - --auto now sets up networking
+    - tests: adding fedora-28 to spread.yaml
+    - interfaces: add juju-client-observe interface
+    - client, daemon: add a "mounted-from" entry to local snaps' JSON
+    - image: set model.DisplayName() in bootenv as "snap_menuentry"
+    - packaging/opensuse: Refactor packaging to support all openSUSE
+      targets
+    - interfaces/joystick: force use of the device cgroup with joystick
+      interface
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - interfaces: remove Plug/Slot types
+    - interface hooks: update old AutoConnect methods
+    - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+    - overlord/{config,snap}state: the number of inactive revisions is
+      config
+    - cmd/snap: check with snapd for unknown sections
+    - tests: moving test helpers from sh to bash
+    - data/systemd: add snapd.apparmor.service
+    - many: expose AppStream IDs (AKA common ID)
+    - many: hold refresh when on metered connections
+    - interfaces/joystick: also support modern evdev joysticks and
+      gamepads
+    - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+    - snapcraft: use dpkg-buildpackage options that work in xenial
+    - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+    - get-deps: work with an unset GOPATH too
+    - interfaces/apparmor: use strict template on openSUSE tumbleweed
+    - packaging: filter out verbose flags from "dh-golang"
+    - packaging: fix description
+    - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 06 Jul 2018 16:08:17 +0200
+
+snapd (2.33.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - many: improve udev trigger on refresh experience
+    - systemd: require snapd.socket in snapd.seeded.service
+    - snap: don't include newline in hook environment
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - tests: skip security-dev-input-event-denied when /dev/input/by-
+      path/ is missing
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 21 Jun 2018 17:37:56 +0200
+
+snapd (2.33) xenial; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command
+    - interfaces/raw-usb: also allow usb serial devices
+    - errtracker: do not send duplicated reports
+    - selftest: add new selftest package that tests squashfs mounting
+    - tests: backport lxd force stop and econnreset fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - interfaces/joystick: support modern evdev joysticks
+    - interfaces: add juju-client-observe
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - many: holding refresh on metered connections
+    - many: expose AppStream IDs (AKA common ID)
+    - tests: speed up save/restore snapd state for all-snap systems
+      during tests execution
+    - interfaces/apparmor: use helper to load stray profile
+    - tests: ubuntu core abstraction
+    - overlord/snapstate: don't panic in a corner case interaction of
+      cleanup tasks and pruning
+    - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+      snaps
+    - tests: new parameter for the journalctl rate limit
+    - spread-shellcheck: port to python
+    - interfaces/home: add 'read' attribute to allow non-owner read to
+      @{HOME}
+    - testutil: import check.v1 differently to workaround gccgo error
+    - interfaces/many: miscellaneous updates for default, desktop,
+      desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+      keys
+    - snapstate/hooks: reorder autoconnect and reconnect hooks
+    - daemon: update unit tests to match current master
+    - overlord/snapshotstate/backend: introducing the snapshot backend
+    - many: support 'system' nickname in interfaces
+    - userd: add the "snap" scheme to the whitelist
+    - many: make rebooting of core on refresh immediate, refactor logic
+      around it
+    - tests/main/snap-service-timer: account for service timer being in
+      the 'running' state
+    - interfaces/builtin: allow access to libGLESv* too for opengl
+      interface
+    - daemon: fix unit tests on arch
+    - interfaces/default,process-control: miscellaneous signal policy
+      fixes
+    - interfaces/bulitin: add write permission to optical-drive
+    - configstate: validate known core.* options
+    - snap, wrappers: systemd WatchdogSec support
+    - ifacestate: do not auto-connect manually disconnected interfaces
+    - systemd: mock useFuse() so testsuite passes in container via lxd
+      snap
+    - snap/env: fix env duplication logic
+    - snap: some doc comments fixes and additions
+    - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+      vendor files
+    - ifacestate: unify reconnect and autoconnect methods
+    - tests: fix user mounts test for external systems
+    - overlord/snapstate,overlord/auth,store: coalesce no auth user
+      refresh requests
+    - boot,partition: improve tests/docs around SetNextBoot()
+    - many: improve `snap wait` command
+    - snap: fix `snap interface --attrs` output when numbers are used
+    - cmd/snap-update-ns: poke holes when creating source paths for
+      layouts
+    - snapstate: support getting new bases/default-providers on refresh
+    - ifacemgr: remove stale connections on startup
+    - asserts: use Attrer in policy checks
+    - testutil: record system call errors / return values
+    - tests: increase timeouts to make tests reliable on slow boards
+    - repo: pass and return ConnRef via pointers
+    - interfaces: add xdg-document-portal support to desktop interface
+    - debian: add a zenity|kdialog suggests
+    - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+    - tests: go must be installed as a classic snap
+    - tests: use journalctl cursors instead rotating logs
+    - daemon: add confinement-options to /v2/system-info
+      daemon: refactor classic support flag to be more structured
+    - tests: build spread in the autopkgtests with a more recent go
+    - cmd/snap: fix the message when snap.channel != snap.tracking
+    - overlord/snapstate: allow core defaults configuration via 'system'
+      key
+    - many: add "snap debug sandbox-features" and needed bits
+    - interfaces: interface hooks for refresh
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - many: add wait command and `snapd.seeded` service
+    - interfaces: move host font update-ns AppArmor rules to desktop
+      interface
+    - jsonutil/safejson: introducing safejson.String &
+      safejson.Paragraph
+    - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+    - cmd/snap-update-ns,tests: mimic the mode and ownership of
+      directories
+    - cmd/snap-update-ns: add support for ignoring mounts with missing
+      source/target
+    - interfaces: interface hooks implementation
+    - cmd/libsnap: fix compile error on more restrictive gcc
+      cmd/libsnap: fix compilation errors on gcc 8
+    - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+    - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+    - tests: fix interfaces-network test for systems with partial
+      confinement
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+    - configcore: validate experimental.layouts option
+    - interfaces:minor autoconnect cleanup
+    - HACKING: fix typos
+    - spread: add adt for ubuntu 18.10
+    - tests: skip test lp-1721518 for arch, snapd is failing to start
+      after reboot
+    - interfaces/x11: allow X11 slot implementations
+    - tests: checking interfaces declaring the specific interface
+    - snap: improve error for snaps not available in the given context
+    - cmdstate: add missing test for default timeout handling
+    - tests: shellcheck spread tasks
+    - cmd/snap: update install/refresh help vs --revision
+    - cmd/snap-confine: add support for per-user mounts
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - tests: adding google-sru backend replacing linode-sur
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - systemd: replace ancient paths with 16.04+ standards
+    - overlord,systemd: store snap revision in mount units
+    - testutil: add test helper for SysLstat
+    - testutil,cmd: rename test helper of Lstat to OsLstat
+    - testutil: document all fake syscall/os functions
+    - osutil,interfaces,cmd: use less hardcoded strings
+    - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+    - testutil: don't dot-import check.v1
+    - store: getStructFields takes pointers now
+    - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+    - many: fix false negatives reported by vet
+    - osutil,interfaces: use uint32 for uid, gid
+    - many: fix various issues reported by shellcheck
+    - tests: add pending shutdown detection
+    - image: support refreshing soft-expired user macaroons in tooling
+    - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+      daemon tests
+    - interfaces/builtin: add support for software-watchdog interface
+    - spread: auto accept key changes when calling dnf
+    - snap,overlord/snapstate: introduce and use BrokenSnapError
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: bring back one missing test in snap-service-stop-mode
+    - debian: update LP bug for the 2.32.5 SRU
+    - userd: set up journal logging streams for autostarted apps
+    - snap,tests : don't fail if we cannot stat MountFile
+    - tests: smaller fixes for Arch tests
+    - tests: run interfaces-broadcom-asic-control early
+    - client: support for snapshot sets, snapshots, and snapshot actions
+    - tests: skip interfaces-content test on core devices
+    - cmd: generalize locking to global, snap and per-user locks
+    - release-tools: handle the snapd-x.y.z version
+    - packaging: fix incorrectly auto-generated changelog entry for
+      2.32.5
+    - tests: add arch to CI
+    - systemd: add helper for opening stream file descriptors to the
+      journal
+    - cmd/snap: handle distros with no version ID
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - tests: removing linode-sru backend
+    - tests: updating bionic version for spread tests on google
+    - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - overlord/snapstate: allow to get an error from readInfo instead of
+      a broken stub, use it in doMountSnap
+    - snap: snap.AppInfo is now a fmt.Stringer
+    - tests: move fedora 27 to google backend
+    - many: add `core.problem-reports.disabled` option
+    - cmd/snap-update-ns: remove the need for stash directory in secure
+      bind mount implementation
+    - errtracker: check for whoopsie.service instead of reading
+      /etc/whoopsie
+    - cmd/snap: user session application autostart v3
+    - tests: add test to ensure `snap refresh --amend` works with
+      different channels
+    - tests: add check for OOM error after each test
+    - cmd/snap-seccomp: graceful handling of non-multilib host
+    - interfaces/shutdown: allow calling SetWallMessage
+    - cmd/snap-update-ns: add secure bind mount implementation for use
+      with user mounts
+    - snap: fix `snap advise-snap --command` output to match spec
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - overlord/snapstate: introduce envvars to control the channels for
+      based and prereqs
+    - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+    - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+    - daemon,overlord/hookstate: stop/wait for running hooks before
+      closing the snapctl socket
+    - advisor: use json for package database
+    - interfaces/hostname-control: allow setting the hostname via
+      syscall and systemd
+    - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+      libraries
+    - interfaces: misc updates for default, firewall-control, fuse-
+      support and process-control
+    - data/selinux: Give snapd access to more aspects of the system
+    - many: use the new install/refresh API by switching snapstate to
+      use store.SnapAction
+    - errtracker: make TestJournalErrorSilentError work on gccgo
+    - ifacestate: add to the repo also snaps that are pending being
+      activated but have a done setup-profiles
+    - snapstate, ifacestate: inject auto-connect tasks try 2
+    - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+    - errtracker: add more fields to aid debugging
+    - interfaces: make system-key more robust against invalid fstab
+      entries
+    - overlord,interfaces: be more vocal about broken snaps and read
+      errors
+    - ifacestate: injectTasks helper
+    - osutil: fix fstab parser to allow for # in field values
+    - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+    - release-tools: add repack-debian-tarball.sh
+    - daemon,client: add build-id to /v2/system-info
+    - cmd: make fmt (indent 2.2.11)
+    - interfaces/content: add rule so slot can access writable files at
+      plug's mountpoint
+    - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+    - ifacestate: don't surface errors from stale connections
+    - cmd/snap-update-ns: convert Secure* family of functions into
+      methods
+    - tests: adjust canonical-livepatch test on GCE
+    - tests: fix quoting issues in econnreset test
+    - cmd/snap-confine: make /run/media an alias of /media
+    - cmd/snap-update-ns: rename i to segNum
+    - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+    - spread: disable StartLimitInterval option on opensuse-42.3
+    - configstate: give a chance to immediately recompute the next
+      refresh time when schedules are set
+    - cmd/snap-confine: attempt to detect if multiarch host uses
+      arch triplets
+    - store: add Store.SnapAction to support the new install/refresh API
+      endpoint
+    - tests: adding test for removable-media interface
+    - tests: update interface tests to remove extra checks and normalize
+      tests
+    - timeutil: in Human, count days with fingers
+    - vendor: update gopkg.in/yaml.v2 to the latest version
+    - cmd/snap-confine: fix Archlinux compatibility
+    - cmd/snapd: make sure signal handlers are established during early
+      daemon startup
+    - cmd/snap-confine: apparmor: allow creating prefix path for
+      gl/vulkan
+    - osutil: use tilde suffix for temporary files used for atomic
+      replacement
+    - tests: copy or sanity check core users using usernames
+    - tests: disentangle etc vs extrausers in core tests
+    - tests: fix snap-run tests when snapd is not running
+    - overlord/configstate: change how ssh is stopped/started
+    - snap: make `snap run` look at the system-key for security profiles
+    - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+      replacement
+    - tests: adding opensuse-42.3 to google
+    - cmd/snap: fix one issue with noWait error handling logic, add
+      tests plus other cleanups
+    - cmd/snap-confine: nvidia: preserve globbed file prefix
+    - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+      needed
+    - interfaces,release: probe seccomp features lazily
+    - tests: change debug for layout test
+    - advisor: deal with missing commands.db file
+    - interfaces/apparmor: simplify UpdateNS internals
+    - polkit: Pass caller uid to PolicyKit authority
+    - tests: moving debian 9 from linode to google backend
+    - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+    - po: specify charset in po/snappy.pot
+    - interfaces: harden snap-update-ns profile
+    - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+    - tests: update tests to deal with s390x quirks
+    - debian: run snap.mount upgrade fixup *before* debhelper
+    - tests: move xenial i386 to google backend
+    - snapstate: add compat mode for default-provider
+    - tests: a bunch of test fixes for s390x from looking at the
+      autopkgtest logs
+    - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+    - interfaces/builtin: let MM change qmi device attributes
+    - tests: add workaround for s390x failure
+    - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+    - daemon: support 'system' as nickname of the core snap
+    - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+    - devicestate: add DeviceManager.Registered returning a channel
+      closed when the device is known to be registered
+    - store: Sections and WriteCatalogs need to strictly send device
+      auth only if the device has a custom store
+    - tests: add bionic system to google backend
+    - many: fix shellcheck warnings in bionic
+    - cmd/snap-update-ns: don't fail on existing symlinks
+    - tests: make autopkgtest tests more targeted
+    - cmd/snap-update-ns: fix creation of layout symlinks
+    - spread,tests: move suite-level prepare/restore to central script
+    - many: propagate contexts enough to be able to mark store
+      operations done from the Ensure loop
+    - snap: don't create empty Change with "Hold" state on disconnect
+    - snap: unify snap name validation w/python; enforce length limit.
+    - cmd/snap: use shlex when parsing `snap run --strace` arguments
+    - osutil,testutil: add symlinkat(2) and readlinkat(2)
+    - tests: autopkgtest may have non edge core too
+    - tests: adding checks before stopping snapd service to avoid job
+      canceled on ubuntu 14.04
+    - errtracker: respect the /etc/whoopsie configuration
+    - overlord/snapstate:  hold refreshes for 2h after seeding on
+      classic
+    - cmd/snap: tweak and polish help strings
+    - snapstate: put layout feature behind feature flag
+    - tests: force profile re-generation via system-key
+    - snap/squashfs: when installing from seed, try symlink before cp
+    - wrappers: services which are socket or timer activated should not
+      be started during boot
+    - many: go vet cleanups
+    - tests: define MATCH from spread
+    - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+      fix
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - cmd/snap: in changes and tasks, default to human-friendly times
+    - many: support holding refreshes by setting refresh.hold
+    - Revert "cmd/snap: use timeutil.Human to show times in `snap
+      refresh -…-time`"
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - tests/main/snap-service-refresh-mode: refactor the test to rely on
+      comparing PIDs
+    - tests/main/media-sharing: improve the test to cover /media and
+      /run/media
+    - store: enable deltas for core devices too
+    - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+    - strutil/shlex: import github.com/google/shlex into the tree
+    - vendor: update github.com/mvo5/libseccomp-golang
+    - overlord/snapstate: block install of "system"
+    - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+    - many: add the snapd-generator
+    - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+    - polkit: ensure error is properly set if dialog is dismissed
+    - snap-confine, snap-seccomp: utilize new seccomp logging features
+    - progress: tweak ansimeter cvvis use to no longer confuse minicom
+    - xdgopenproxy: integrate xdg-open implementation into snapctl
+    - tests: avoid removing preinstalled snaps on core
+    - tests: chroot into core to run xdg-open there
+    - userd: add an OpenFile method for launching local files with xdg-
+      open
+    - tests: moving ubuntu core from linode to google backend
+    - run-checks: remove accidental bashism
+    - i18n: simplify NG usage by doing the modulo math in-package.
+    - snap/squashfs: set timezone when calling unsquashfs to get the
+      build date
+    - timeutil: timeutil.Human(t) gives a human-friendly string for t
+    - snap: add autostart app property
+    - tests: add support for external backend executions on listing test
+    - tests: make interface-broadcom-asic-control test work on rpi
+    - configstate: when disable "ssh" we must disable the "sshd" service
+    - interfaces/apparmor,system-key: add upperdir snippets for strict
+      snaps on livecd
+    - snap/squashfs: add BuildDate
+    - store: parse the JSON format used by the coming new store API to
+      convey snap information
+    - many: remove snapd.refresh.{timer,service}
+    - tests: adding ubuntu-14.04-64 to the google backend
+    - interfaces: add xdg-desktop-portal support to desktop interface
+    - packaging/arch: sync with snapd/snapd-git from AUR
+    - wrappers, tests/main/snap-service-timer: restore missing commit,
+      add spread test for timer services
+    - store: don't ask for snap_yaml_raw except on the details endpoint
+    - many: generate and use per-snap snap-update-ns profile
+    - tests: add debug for layout test
+    - wrappers: detect whether systemd-analyze can be used in unit tests
+    - osutil: allow creating strings out of MountInfoEntry
+    - servicestate: use systemctl enable+start and disable+stop instead
+      of --now flag
+    - osutil: handle file being matched by multiple patterns
+    - daemon, snap: fix InstallDate, make a method of *snap.Info
+    - wrappers: timer services
+    - wrappers: generator for systemd OnCalendar schedules
+    - asserts: fix flaky storeSuite.TestCheckAuthority
+    - tests: fix dependency for ubuntu artful
+    - spread: start moving towards google backend
+    - tests: add a spread test for layouts
+    - ifacestate: be consistent passing Retry.After as named field
+    - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+    - testutil: allow mocking syscall.Fstat
+    - overlord/snapstate: verify that default schedule is randomized and
+      is  not a single time
+    - many: simplify mocking of home-on-NFS
+    - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+    - store: move infoFromRemote into details.go close to snapDetails
+    - userd/tests: Test kdialog calls and mock kdialog too to make tests
+      work in KDE
+    - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+    - cmd/snap: add self-strace to `snap run`
+    - interfaces/screen-inhibit-control,network-status: fix dbus path
+      and interface typos
+    - update-pot: Force xgettext() to return true
+    - store: cleanup test naming, dropping remoteRepo  and
+      UbuntuStore(Repository)? references
+    - store: reorg auth refresh
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 08 Jun 2018 17:13:47 +0200
+
+snapd (2.32.9) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - tests: run all spread tests inside GCE
+    - tests: build spread in the autopkgtests with a more recent go
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 May 2018 10:20:08 +0200
+
+snapd (2.32.8) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snapd.core-fixup.sh: fix workaround for corrupted uboot.env
+      and add tests
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 14:36:16 +0200
+
+snapd (2.32.7) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - many: add wait command and seeded target (2
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - cmd/libsnap: fix compile error on more restrictive gcc
+    - tests: cherry-pick commits to move spread to google backend
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - userd: set up journal logging streams for autostarted apps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 13:09:32 +0200
+
+snapd (2.32.6) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: run interfaces-boradcom-asic-control early
+    - tests: skip interfaces-content test on core devices
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Sun, 29 Apr 2018 19:21:53 +0200
+
+snapd (2.32.5) xenial; urgency=medium
+
+  * New upstream release, LP: #1765090
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - daemon: support 'system' as nickname of the core snap
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 16 Apr 2018 11:41:48 +0200
+
+snapd (2.32.4) xenial; urgency=medium
+
+  * New upstream release, LP: #1756173
+    - cmd/snap: user session application autostart
+    - overlord/snapstate: introduce envvars to control the channels for
+      bases and prereqs
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - many: use the new install/refresh /v2/snaps/refresh store API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 11 Apr 2018 16:30:45 +0200
+
 snapd (2.32.3.2) xenial; urgency=medium
 
   * New upstream release, LP: #1756173
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/control snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/control
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/control	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/control	2019-01-16 08:36:51.000000000 +0000
@@ -33,6 +33,7 @@
                python3-docutils,
                python3-markdown,
                squashfs-tools,
+               tzdata,
                udev,
                xfslibs-dev
 Standards-Version: 3.9.7
@@ -69,8 +70,9 @@
          ${misc:Depends},
          ${shlibs:Depends}
 Replaces: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0)
-Breaks: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0)
+Breaks: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0), ${snapd:Breaks}
 Recommends: gnupg
+Suggests: zenity | kdialog
 Conflicts: snap (<< 2013-11-29-1ubuntu1)
 Built-Using: ${Built-Using} ${misc:Built-Using}
 Description: Daemon and tooling that enable snap packages
@@ -79,8 +81,7 @@
  enabling secure distribution of the latest apps and utilities for
  cloud, servers, desktops and the internet of things.
  .
- This is the CLI for snapd, a background service that takes care of
- snaps on the system. Start with 'snap list' to see installed snaps.
+ Start with 'snap list' to see installed snaps.
 
 Package: ubuntu-snappy
 Architecture: all
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/files snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/files
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/files	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/files	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-snapd_2.32.3.2+18.04_source.buildinfo devel optional
+snapd_2.37~rc1+18.10_source.buildinfo devel optional
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/rules snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/rules
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/rules	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/rules	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,17 @@
 
 include /etc/os-release
 
+# On 18.04 the released version of apt (1.6.1) has a bug that causes
+# problem on "apt purge snapd". To ensure this won't happen add the
+# right dependency on 18.04.
+ifeq (${VERSION_ID},"18.04")
+	SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.6.3)"
+endif
+# Same as above for 18.10 just a different version.
+ifeq (${VERSION_ID},"18.10")
+	SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)"
+endif
+
 # this is overridden in the ubuntu/14.04 release branch
 SYSTEMD_UNITS_DESTDIR="lib/systemd/system/"
 
@@ -133,7 +144,7 @@
 	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
 
 	# this is the main go build
-	dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
+	SNAPD_VANILLA_GO=$$(which go) PATH="$$(pwd)/packaging/build-tools/:$$PATH" dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
 
 	# (static linking on powerpc with cgo is broken)
 ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
@@ -206,13 +217,15 @@
 	if [ -d share/locale ]; then \
 		cp -R share/locale debian/snapd/usr/share; \
 	fi
+	# chrorder generator
+	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
 
-	# install snapd's systemd units / upstart jobs, done
+	# Install snapd's systemd units / upstart jobs, done
 	# here instead of debian/snapd.install because the
 	# ubuntu/14.04 release branch adds/changes bits here
 	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
 		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
-	# we called this apps-bin-path.sh instead of snapd.sh, and
+	# We called this apps-bin-path.sh instead of snapd.sh, and
 	# it's a conf file so we're stuck with it
 	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh
 
@@ -221,6 +234,10 @@
 	# Rename the apparmor profile, see dh_apparmor call above for an explanation.
 	mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real
 
+	# On Ubuntu and Debian we don't need to install the apparmor helper service.
+	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.apparmor.service
+	rm $(CURDIR)/debian/tmp/usr/lib/snapd/snapd-apparmor
+
 	dh_install
 
 override_dh_auto_install: snap.8
@@ -234,4 +251,4 @@
 	rm -vf snap.8
 
 override_dh_gencontrol:
-	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"
+	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)" $(SUBSTVARS)
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.install snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.install
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.install	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.install	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,12 @@
 usr/bin/snap
-usr/bin/snapctl
+usr/bin/snapctl /usr/lib/snapd/
 usr/lib/snapd/system-shutdown
 usr/bin/snap-exec /usr/lib/snapd/
 usr/bin/snap-repair /usr/lib/snapd/
+usr/bin/snap-failure /usr/lib/snapd/
 usr/bin/snap-update-ns /usr/lib/snapd/
 usr/bin/snapd /usr/lib/snapd/
 usr/bin/snap-seccomp /usr/lib/snapd/
-usr/lib/snapd/snapd-generator /lib/systemd/system-generators/
 
 # bash completion
 data/completion/snap /usr/share/bash-completion/completions
@@ -18,6 +18,8 @@
 data/info /usr/lib/snapd/
 # polkit actions
 data/polkit/io.snapcraft.snapd.policy /usr/share/polkit-1/actions/
+# apt hook
+data/apt/20snapd.conf /etc/apt/apt.conf.d/
 
 # snap-confine stuff
 etc/apparmor.d/usr.lib.snapd.snap-confine.real
@@ -25,8 +27,7 @@
 usr/lib/snapd/snap-mgmt
 usr/lib/snapd/snap-confine
 usr/lib/snapd/snap-discard-ns
-usr/share/man/man1/snap-confine.1
-usr/share/man/man5/snap-discard-ns.5
+usr/share/man/
 # for compatibility with ancient snap installs that wrote the shell based
 # wrapper scripts instead of the modern symlinks
 usr/bin/ubuntu-core-launcher
@@ -36,3 +37,8 @@
 
 # install squashfuse as snapfuse to ensure it is available in e.g. lxd
 vendor/github.com/snapcore/squashfuse/src/snapfuse usr/bin
+
+# use "usr/lib" here because apparently systemd looks only there
+usr/lib/systemd/system-environment-generators
+# but system generators end up in lib
+lib/systemd/system-generators
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.links snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.links
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.links	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.links	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1,2 @@
 ../../usr/lib/snapd/snap-device-helper  /lib/udev/snappy-app-dev
+usr/lib/snapd/snapctl usr/bin/snapctl
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.postinst snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.postinst
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.postinst	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.postinst	2019-01-16 08:36:51.000000000 +0000
@@ -10,8 +10,15 @@
             ldconfig
         fi
 
-        # ensure we undo the stopping of the snap.mount unit
-        # that we had in 2.31 and 2.31.1
+        # Ensure that we undo the damage done by the snap.mount unit that was present
+        # in snapd 2.31.
+        #
+        # We found that update scripts make systemd stop inactive mount units and this
+        # in turn stops all the units that depend on it so when the snap.mount unit is
+        # stopped all the per-snap mount units gets stopped along with them.  The 2.31
+        # release was only out briefly in xenial-proposed and bionic but to keep the
+        # affected users safe let's start all the per-snap mount units so that snaps no
+        # longer appear as broken after update.
         if dpkg --compare-versions "$2" ge-nl "2.31" && \
                 dpkg --compare-versions "$2" lt-nl "2.32"; then
             units=$(systemctl list-unit-files --full | grep '^snap[-.]' | cut -f1 -d ' ' | grep -vF snap.mount.service || true)
@@ -24,7 +31,7 @@
                 fi
 
                 echo "Starting $unit"
-                systemctl start "$unit" || true
+                deb-systemd-invoke start "$unit" || true
             done
         fi
 esac
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.postrm snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.postrm
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/snapd.postrm	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/snapd.postrm	2019-01-16 08:36:51.000000000 +0000
@@ -71,10 +71,12 @@
             # udev rules
             find /etc/udev/rules.d -name "*-snap.${snap}.rules" -execdir rm -f "{}" \;
             # dbus policy files
-            find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            if [ -d /etc/dbus-1/system.d ]; then
+                find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            fi
             # timer files
             find /etc/systemd/system -name "snap.${snap}.*.timer" | while read -r f; do
-                systemctl_stop "$(basename $f)"
+                systemctl_stop "$(basename "$f")"
                 rm -f "$f"
             done
         fi
@@ -99,13 +101,13 @@
     echo "Discarding preserved snap namespaces"
     # opportunistic as those might not be actually mounted
     if [ -d /run/snapd/ns ]; then
-        if [ $(ls /run/snapd/ns/*.mnt | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.mnt" | wc -l)" -gt 0 ]; then
             for mnt in /run/snapd/ns/*.mnt; do
                 umount -l "$mnt" || true
                 rm -f "$mnt"
             done
         fi
-        if [ $(ls /run/snapd/ns/*.fstab | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.fstab" | wc -l)" -gt 0 ]; then
             for fstab in /run/snapd/ns/*.fstab; do
                 rm -f "$fstab"
             done
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/source/options snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/source/options
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/source/options	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/source/options	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+tar-ignore = "tests/lib/cache/*"
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/tests/integrationtests snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/tests/integrationtests
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.04/tests/integrationtests	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.04/tests/integrationtests	2019-01-16 08:36:51.000000000 +0000
@@ -18,7 +18,7 @@
 systemctl daemon-reload
 
 # ensure we are not get killed too easily
-echo -950 > /proc/$$/oom_score_adj
+printf '%s\n' "-950" > /proc/$$/oom_score_adj
 
 # see what mem we have (for debugging)
 cat /proc/meminfo
@@ -36,13 +36,16 @@
     export SPREAD_CORE_CHANNEL=stable
 fi
 
+# Spread will only buid with recent go
+snap install --classic go
+
 # and now run spread against localhost
 # shellcheck disable=SC1091
 . /etc/os-release
 export GOPATH=/tmp/go
-go get -u github.com/snapcore/spread/cmd/spread
-/tmp/go/bin/spread -v "autopkgtest:${ID}-${VERSION_ID}-$(dpkg --print-architecture)"
+/snap/bin/go get -u github.com/snapcore/spread/cmd/spread
+/tmp/go/bin/spread -v "autopkgtest:${ID}-${VERSION_ID}-$(dpkg --print-architecture)"/tests/smoke
 
 # store journal info for inspectsion
 journalctl --sync
-journalctl -ab > $ADT_ARTIFACTS/journal.txt
+journalctl -ab > "$ADT_ARTIFACTS"/journal.txt
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/changelog snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/changelog
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/changelog	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/changelog	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,1839 @@
+snapd (2.37~rc1+18.10) cosmic; urgency=medium
+
+  * New upstream release, LP: #1811233
+    - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+      have device node /dev/ttyACM[0-9]
+    - tests: fix enable-disable-unit-gpio test on external boards
+    - tests: define new "tests/smoke" suite and use that for
+      autopkgtests
+    - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+      library
+    - snapshotstate: don't task.Log without the lock
+    - overlord/configstate/configcore: support - and _ in cloud init
+      field names
+    - cmd/snap-confine: use makedev instead of MKDEV
+    - tests: review/fix the autopkgtest failures in disco
+    - systemd: allow only a single daemon-reload at the same time
+    - cmd/snap: only auto-enable unicode to a tty
+    - cmd/snap: right-align revision and size in info's channel map
+    - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+      different on Fedora
+    - tests: fix "No space left on device" issue on amazon-linux
+    - store: undo workaround for timezone-less released-at
+    - store, snap, cmd/snap: channels have released-at
+    - snap-confine: fix incorrect use "src" var in mount-support.c
+    - release: support probing SELinux state
+    - release-tools: display self-help
+    - interface: add new `{personal,system}-files` interface
+    - snap: give Epoch an Equal method
+    - many: remove unused interface code
+    - interfaces/many: use 'unsafe' with docker-support change_profile
+      rules
+    - run-checks: stop running HEAD of staticcheck
+    - release: use sync.Once around lazy intialized state
+    - overlord/ifacestate: include interface name in the hotplug-
+      disconnect task summary
+    - spread: show free space in debug output
+    - cmd/snap: attempt to restore SELinux context of snap user
+      directories
+    - image: do not write empty etc/cloud
+    - tests: skip snapd snap on reset for core systems
+    - cmd/snap-discard-ns: fix umount(2) typo
+    - overlord/ifacestate: hotplug-remove-slot task handler
+    - overlord/ifacestate: handler for hotplug-disconnect task
+    - ifacestate/hotplug: updateDevice helper
+    - tests: reset snapd state on tests restore
+    - interfaces: return security setup errors
+    - overlord: make InstallMany work like UpdateMany, issuing a single
+      request to get candidates
+    - systemd/systemd.go: add missing tests for systemd.IsActive
+    - overlord/ifacestate: addHotplugSeqWaitTask helper
+    - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+    - tests: new backend used to run upgrade test suite
+    - travis: short circuit failures in static and unit tests travis job
+    - cmd: automatically fix localized <option>s to <option>
+    - overlord/configstate,features: expose features to snapd tools
+    - selinux: package to query SELinux status and verify/restore file
+      contexts
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - cmd: add tests for lintArg and lintDesc
+    - httputil: retry on temporary net errors
+    - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+    - wrappers: only restart service in core18 when they are active
+    - overlord/ifacestate: helpers for serializing hotplug changes
+    - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interface
+    - snap/info: bind global plugs/slots to implicit hooks
+    - cmd/snap-confine: remove SC_NS_MNT_FILE
+    - spread: record each tests/upgrade job
+    - osutil: do not import dirs
+    - cmd/snap-confine: fix typo "a pipe"
+    - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+      devices
+    - tests: force test-snapd-daemon-notify exit 0 when the interface is
+      not connected
+    - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+    - centos: enable SELinux support on CentOS 7
+    - apparmor: allow hard link to snap-specific semaphore files
+    - tests/lib/pkgdb: disable weak deps on Fedora
+    - release: detect too old apparmor_parser
+    - tests: improve how the log is checked to see if the system is
+      waiting for a reboot
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - spread, tests: add Fedora 29
+    - cmd/snap-confine: refactor calling snapd tools into helper module
+    - apparmor: allow snap-update-ns access to common devices
+    - cmd/snap-confine: capture initialized per-user mount ns
+    - tests: reduce verbosity around package installation
+    - data: set KillMode=process for snapd
+    - cmd/snap: handle DNS error gracefully
+    - spread, tests: use checkpoints when dumping audit log
+    - tests/lib/prepare: make sure that SELinux context of repacked core
+      snap is controlled
+    - testutils: split checkers, tweak tests
+    - tests: fix for tests test-*-cgroup
+    - spread: show AVC audits when debugging, start auditd on Fedora
+    - spread: drop Fedora 27, add Fedora 29
+    - tests/lib/reset: restore context of removed snapd directories
+    - testutil: add File{Present,Absent} checkers
+    - snap: add new `snap run --trace-exec`
+    - tests: fix for failover test on how logs are checked
+    - snapctl: add "services"
+    - overlord/snapstate: use file timestamp to initialize timer
+    - cmd/libsnap: introduce and use sc_strdup
+    - interfaces: let NM access ifindex/ifupdown files
+    - overlord/snapstate: on refresh, check new rev can read current
+    - client, store: don't use store from client (use client from store)
+    - tests/main/parallel-install-store: verify installation of more
+      than one instance at a time
+    - overlord: don't write system key if security setup fails
+    - packaging/fedora/snapd.spec: fix bogus date in changelog
+    - snapstate: update fontconfig caches on install
+    - interfaces/apparmor/backend.go:411:38: regular expression does not
+      contain any meta characters (SA6004)
+    - asserts/header_checks.go:199:35: regular expression does not
+      contain any meta characters (SA6004)
+    - run staticcheck every time :-)
+    - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+      used with signal.Notify should be buffered (SA1017)
+    - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+      signal.Notify should be buffered (SA1017)
+    - spdx/parser.go:30:1: only the first constant has an explicit type
+      (SA9004)
+    - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+      first argument and no further arguments should use print-style
+      function instead (SA1006)
+    - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+    - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+      Did you mean to break out of the outer loop? (SA4011)
+    - daemon/api.go:992:22: printf-style function with dynamic first
+      argument and no further arguments should use print-style function
+      instead (SA1006)
+    - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+      to break out of the outer loop? (SA4011)
+    - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+      should be buffered (SA1017)
+    - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+      provided buffer, not even temporarily (SA1023)
+    - release: probe apparmor features lazily
+    - overlord,daemon: mock security backends for testing
+    - cmd/libsnap: move apparmor-support to libsnap
+    - cmd: drop cruft from snap-discard-ns build rules
+    - cmd/snap-confine: use snap-discard-ns ns to discard stale
+      namespaces
+    - cmd/snap-confine: handle mounted shared /run/snapd/ns
+    - many: fix composite literals with unkeyed fields
+    - dirs, wrappers, overlord/snapstate: make completion + bases work
+    - tests: revert "tests: restore in restore, not prepare"
+    - many: validate title
+    - snap: make description maximum in runes, not bytes
+    - tests: discard mount namespaces in reset.sh
+    - tests/lib: sync cla check back from snapcraft
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - daemon: remove enableInternalInterfaceActions
+    - mkversion: use "test -n" rather than "! test -z"
+    - run-checks: assorted fixes
+    - tests: restore in restore, not in prepare
+    - cmd/snap: fix missing newline in "snap keys" error message
+    - snap: epoch lists must contain no duplicate entries
+    - interfaces/avahi_observe: Fix typo in comment
+    - tests: add SPREAD_JOB to the description of
+      systemd_create_and_start_unit
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+    - packaging/fedora: use %_sysctldir macro
+    - cmd/snap-confine: remove unneeded unshare
+    - sanity: extend the kernel version check to cover CentOS/RHEL
+      kernels
+    - wrappers: remove all desktop files from a snap on removal
+    - snap: add an explicit check for `epoch: null` loading
+    - snap: check max description length in validate
+    - spread, tests: add CentOS support
+    - cmd/snap-confine: allow mapping more libc shards
+    - cmd/snap-discard-ns: add support for --from-snap-confine
+    - tests: make tinyproxy support systemd notify
+    - tests: fix shellcheck
+    - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+    - store: add a test for a non-zero epoch refresh (with epoch bump)
+    - store: v1 search doesn't send epoch, stop pretending it does
+    - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+    - overlord/snapstate: amend test should send local revision
+    - tests: use mock-gpio.py in enable-disable-units-gpio test
+    - snap: enforce minimal snap name len of 2
+    - cmd/libsnap: add sc_verify_snap_lock
+    - cmd/snap-update-ns: extra debugging of trespassing events
+    - userd: force zenity width if the text displayed is long
+    - overlord/snapstate, store: always send epochs
+    - cmd/snap-confine,snap-update-ns: discard quirks
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - cmd/snap-update-ns, tests: clean trespassing paths
+    - nvidia, interfaces/builtin: OpenCL fixes
+    - ifacestate/hotplug: removeDevice helper
+    - cmd: install snap-discard-ns in "make hack"
+    - overlord/ifacestate: setup security backends phased by backends
+      first
+    - ifacestate/helpers: added SystemSnapName mapper helper method
+    - overlord/ifacestate: set hotplug-key of the connection when
+      connecting hotplug slots
+    - snapd: allow snap-update-ns to read /proc/version
+    - cmd: handle tumbleweed and leap in autogen.sh
+    - interfaces/tests: MockHotplugSlot test helper
+    - store,daemon: make UserInfo,LoginUser part of the store interface
+    - overlord/ifacestate: use remapper when checking if system snap is
+      installed
+    - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+    - packaging/arch: fix bash completions path
+    - interfaces/builtin: add device-buttons interface for accessing
+      events
+    - tests, fakestore: extend refresh tests with parallel installed
+      snaps
+    - snap, store, overlord/snapshotstate: drop epoch pointers
+    - snap: make Epoch default to {[0],[0]} on load from yaml
+    - data/completion: pass documented arguments to completion functions
+    - tests: skip opensuse from interfaces-openvswitch-support test
+    - tests: simple reproducer for snap try and hooks bug
+    - snapstate: do not allow classic mode for strict snaps
+    - snap: make Epoch's MarshalJSON not simplify
+    - store: remove unused currentSnap and currentSnapJSON
+    - many: some small doc comment fixes in recent hotplug code
+    - ifacestate/udevmonitor: added callback to signal end of
+      enumeration
+    - cmd/libsnap: add simplified feature flag checker
+    - interfaces/opengl: add additional accesses for cuda
+    - tests: add core18 only hooks test and fix running core18 only on
+      classic
+    - sanity, release, cmd/snap: refuse to try to do things on WSL.
+    - cmd: make coreSupportsReExec faster
+    - overlord/ifacestate: don't remove the dash when generating unique
+      slot name
+    - cmd/snap-seccomp: add full complement of ptrace constants
+    - cmd: update autogen.sh for opensuse
+    - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+      overlord/snapstate: address review feedback
+    - packaging/opensuse: stop using golang-packaging
+    - overlord/snapshots: survive an unknown user
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - cmd/snap: unhide --name parameter to snap install, tweak help
+      message
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/main/snap-service-after-before-install: verify after/before
+      in snap install
+    - overlord/ifacestate: mark connections disconnected by hotplug with
+      hotplug-gone
+    - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+      startup
+    - tests: install dependencies during prepare
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - tests: core 18 does not support classic confinement
+    - tests: add debug output for degraded test
+    - strutil: make VersionCompare faster
+    - overlord/snapshotstate/backend: survive missing directories
+    - overlord/ifacestate: use map[string]*connState when passing conns
+      around
+    - tests: move fedora 28 to manual
+    - overlord/snapshotstate/backend: be more verbose when
+      SNAPPY_TESTING=1
+    - tests: removing fedora 26 system from spread.yaml
+    - tests: linode execution is not needed anymore
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests: fixes and new backend for tests on nested suite
+    - strutil: let MatchCounter work with a nil regexp
+    - ifacestate/helpers: findConnsForHotplugKey helper
+    - many: move regexp.(Must)Compile out of non-init functions into
+      variables
+    - store: also make snaps downloaded via deltas 0600
+    - snap: use Lstat to determine snap size, remove
+      ReadSnapInfoExceptSize
+    - interfaces/builtin: add adb-support interface
+    - tests: fail if install_snap_local fails
+    - strutil: add extra test to CommaSeparatedList as suggested by
+      mborzecki
+    - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+    - ifacestate: optimize disconnect hooks
+    - cmd/snap-update-ns: parse the -u <uid> command line option
+    - cmd/snap, tests: snapshots for all
+    - client, cmd/daemon: allow disabling keepalive, improve degraded
+      mode unit tests
+    - snap: only show "next" refresh time if its after the hold time
+    - overlord/snapstate: run tests for classic snaps even on systems
+      that don't support classic
+    - overlord/standby: fix a race between standby goroutine and stop
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - cmd: remove remnants of sc_should_populate_mount_ns
+    - client, daemon, cmd/snap: indicate that services are socket/timer
+      activated
+    - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+    - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+    - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+    - cmd/snap-discard-ns: add support for per-user mount namespaces
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook.
+    - tests/main: fixes for the new shellcheck
+    - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+      fly
+    - tests: initial setup for testing current branch on nested vm and
+      hotplug management
+    - cmd: refactor IPC and lifecycle of the helper process
+    - tests/main/parallel-install-store: the store has caught up, do not
+      expect failures
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+      ptrace, for the Breakpad crash reporter
+    - snap,client: use a different exit code for retryable errors
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - cmd/snap: tweak `snap services` output when there is no services
+    - interfaces/many: updates to support k8s worker nodes
+    - cmd/snap: gnome-software install via snap:// handler
+    - overlord/many: cleanup use of snapName vs. instanceName
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes* ifstate: fix decoding of json numbers
+    - cmd/snap: try not to panic on error from "snap try"
+    - tests: new cosmic image for spread tests on gce
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - overlord/snapshotstate/backend: detect path to tar in unit tests
+    - tests/unit/gccgo: drop gccgo unit tests
+    - cmd: use relative file names in locking APIs
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - overlord/snapshotstate/backend: fall back on sudo when no runuser
+    - cmd/snap-confine: reduce verbosity of debug and error messages
+    - systemd: extend Status() to work for socket and timer units
+    - interfaces: typo 'allows' for consistency with other ifaces
+    - systemd,wrappers: don't start disabled services
+    - ifacestate: simplify task chaining in ifacestate.Connect
+    - tests: ensure that goa-daemon is off
+    - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+    - cmd/snap: block 'snap help <cmd> --all'
+    - asserts, image: ensure kernel, gadget, base and required-snaps use
+      valid snap names
+    - apparmor: add unit test for probeAppArmorParser and simplify code
+    - interfaces/apparmor: conditionally add explicit deny rules for
+      ptrace
+    - po: sync translations from launchpad
+    - osutil: tweak handling of error adduser errors
+    - cmd: rename ns_group to mount_ns
+    - tests/main/interfaces-accounts-service: more debugging
+    - snap/pack, snap/squashfs: use type to determine mksquashfs args
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - tests: show list of processes when ifaces-accounts-service fails
+    - tests: do not run degraded test in autopkgtest env
+    - snap: overhaul validation error messages
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - interfaces: improve Attr error further
+    - snapstate: tweak GetFeatureFlagBool() to have a default argument
+    - many: cleanup remaining parallel installs TODOs
+    - image: improve validation of extra snaps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 Jan 2019 09:36:51 +0100
+
+snapd (2.36.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - httputil: retry on temporary net errors
+    - wrappers: only restart service in core18 when they are active
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interfacewhen installing selinux-policy-devel package.
+    - centos: enable SELinux support on CentOS 7
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - apparmor: allow hard link to snap-specific semaphore files
+    - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+      profile errors
+    - snap: add new `snap run --trace-exec` call
+    - interfaces/backends: detect too old apparmor_parser
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 14 Dec 2018 07:30:58 +0100
+
+snapd (2.36.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - snapstate: update fontconfig caches on install
+    - overlord,daemon: mock security backends for testing
+    - sanity, spread, tests: add CentOS
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - tests: add regression test for LP #1803535
+    - snap-update-ns: fix trailing slash bug on trespassing error
+    - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+    - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+    - interfaces/opengl: add additional accesses for cuda
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 29 Nov 2018 10:48:29 +0100
+
+snapd (2.36.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - tests,snap-confine: add core18 only hooks test and fix running
+      core18 only hooks on classic
+    - interfaces/apparmor: allow access to
+      /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests/main/interfces-accounts-service: switch to busctl, more
+      debugging
+    - store: also make snaps downloaded via deltas 0600
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - tests/main: fixes for the new shellcheck
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 09 Nov 2018 14:42:28 +0100
+
+snapd (2.36) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - tests: the store has caught up, drop gccgo test, update cosmic
+      image
+    - cmd/snap: try not to panic on error from "snap try"`--devmode`
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - systemd,wrappers: don't start disabled services
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - tests: do not run degraded test in autopkgtest env
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces: include invalid type in Attr error
+    - many: enable layouts by default
+    - interfaces/default: don't scrub with change_profile with classic
+    - cmd/snap: speed up unit tests
+    - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+      flags
+    - daemon: expose snapshots to the API
+    - interfaces: updates for default, screen-inhibit-control, tpm,
+      {hardware,system,network}-observe
+    - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+      update test interface
+    - interfaces/tests: use TestInterface instead of a custom local
+      helper
+    - overlord/snapstate: export getFeatureFlagBool.
+    - osutil,asserts,daemon: support force password change in system-
+      user assertion
+    - snap, wrappers: support restart-delay, generate RestartSec=<value>
+      in service units
+    - tests/ifacestate: moved asserts-related mocking into helper
+    - image: fetch device store assertion if available
+    - many: enable AppArmor on Arch
+    - interfaces/repo: two helper methods for hotplug
+    - overlord/ifacestate: add hotplug slots with implicit slots
+    - interfaces/hotplug: helpers and struct updates
+    - tests: run the snapd tests on Ubuntu 18.10
+    - snapstate: only report errors if there is an actual error
+    - store: speedup unit tests
+    - spread-shellcheck: fix interleaved error messages, tweaks
+    - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+    - ifacestate: implementation of defaultDeviceKey function for
+      hotplug
+    - cmd/snap-update-ns: remove empty placeholders used for mounting
+    - snapshotstate: restore to current revision
+    - tests/lib: rework the CLA checker
+    - many: support and consider store friendly-stores when checking
+      device scope constraints
+    - overlord/snapstate: block parallel installs of snapd, core, base,
+      kernel, gadget snaps
+    - overlord/patch: patch for static plug/slot attributes
+    - interfaces: honor static attributes when reloading conns
+    - osutils: unit tests speedup; introduce «run-checks --short-
+      unit».
+    - systemd, wrappers: speed up wrappers unit tests
+    - client: speedup unit tests
+    - spread-shellcheck: use threads to parallelise
+    - snap: validate plug and slot names
+    - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+    - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+    - store: gracefully handle unexpected errors in 'action'
+      response
+    - cmd: put our manpages in section 8
+    - overlord: don't make become-operational interfere with user
+      requests
+    - store: tweak unmatched refresh result error log
+    - snap, client, daemon, store: use and expose "media" more
+    - tests,cmd/snap-update-ns: add test showing mount update bug
+      cmd/snap-update-ns: better detection of snapd-made tmpfs
+    - tests: spread tests for aliases with parallel installed snaps
+    - interfaces/seccomp: allow using statx by default
+    - store: gracefully handle unexpected errors in 'action' response
+    - overlord/snapshotstate: chown the tempdir
+    - cmd/snap: attempt to start the document portal if running with a
+      session bus
+    - snap: detect layouts vs layout in snap.yaml
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snapcraft.yaml: set grade to stable
+    - tests: shellchecks, final round
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snap: detect layouts vs layout in snap.yaml
+    - overlord/snapshotstate: store epoch in snapshot, check on restore
+    - cmd/snap: tweak UX of snap refresh --list
+    - overlord/snapstate: improve consistency, use validateInfoAndFlags
+      also in InstallPath
+    - snap: give Epoch a CanRead helper
+    - overlord/snapshotstate: small refactor of internal helpers
+    - interfaces/builtin: adding missing permission to create
+      /run/wpa_supplicant directory
+    - interfaces/builtin: avahi interface update
+    - client, daemon: support passing of 'unaliased' option when
+      installing from local files
+    - selftest: rename selftest.Run() to sanity.Check()
+    - interfaces/apparmor: report apparmor support level and policy
+    - ifacestate: helpers for generating slot names for hotplug
+    - overlord/ifacestate: make sure to pass in the Model assertion when
+      enforcing policies
+    - overlord/snapshotstate: store the SnapID in snapshot, block
+      restore if changed
+    - interfaces: generalize writable mimic profile
+    - asserts,interfaces/policy: add support for on-store/on-brand/on-
+      model plug/slot rule constraints
+    - many: fetch the device store assertion together and in the context
+      of interpreting snap-declarations
+    - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+      gccgo is fixed
+    - tests/main/parallel-install-services: add spread test for snaps
+      with services
+    - tests/main/snap-env: extend to cover parallel installations of
+      snaps
+    - tests/main/parallel-install-local: rename from *-sideload, extend
+      to run snaps
+    - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+    - cmd/snap: tame the help zoo
+    - tests/main/parallel-install-store: run installed snap
+    - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+      i18n)
+    - cmd: fix C formatting
+    - tests: remove unneeded cleanup from layout tests
+    - image: warn on missing default-providers
+    - selftest: add test to ensure selftest.checks is up-to-date
+    - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+      installs
+    - userd: extend the list of supported XDG Desktop properties when
+      autostarting user applications
+    - cmd/snap-update-ns: enforce trespassing checks
+    - selftest: actually run the kernel version selftest
+    - snapd: go into degraded mode when the selftest fails
+    - tests: add test that runs snapctl with a core18 snap
+    - tests: add snap install hook with base: core18
+    - overlord/{snapstate,assertstate}: parallel instances and
+      refresh validation
+    - interfaces/docker-support: add rules to read apparmor macros
+    - tests: make nfs test available for more systems
+    - tests: cleanup copy/paste dup in interfaces-network-setup-control
+    - tests: using single sh snap in interface tests
+    - overlord/snapstate: improve cleaup in mount-snap handler
+    - tests: don't fail interfaces-bluez test if bluez is already
+      installed
+    - tests: find snaps just for edge and beta channels
+    - daemon, snapstate: consistent snap list [--all] output with broken
+      snaps
+    - tests: fix listing to allow extra things in the notes column
+    - cmd/snap: improve UX when removing specific snap revision
+    - cmd/snap, tests/main/snap-info: highlight the current channel
+    - interfaces/testiface: added TestHotplugInterface
+    - snap: tweak commands
+    - interfaces/hotplug: hotplug spec takes one slot definition
+    - overlord/snapstate, snap: handle shared snap directories when
+      installing/remove snaps with instance key
+    - interfaces/opengl: misc accesses for VA-API
+    - client, cmd/snap: expose warnings to the world
+    - cmd/snap-update-ns: introduce trespassing state tracking
+    - cmd/snap: commands no longer build their own client
+    - tests: try to build cmd/snap for darwin
+    - daemon: make error responders not printf when called with 1
+      argument
+    - many: return real snap name in API response
+    - overlord/state: return latest LastAdded time in WarningsSummary
+    - many: mount namespace mapping for parallel installs of snaps
+    - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+      core-phase-2
+    - client, cmd/snap: on !linux, exit when the client tries to Do
+      something
+    - tests: refactor for nested suite and tests fixed
+    - tests: use lxd's waitready instead of polling lxd socket
+    - ifacestate: don't initialize udev monitor until we have a system
+      snap
+    - interfaces: extra argument for static attrs in
+      NewConnectedPlug/NewConnectedSlot
+    - packaging/arch: sync packaging with AUR
+    - snapstate/tests: serialize all appends in fake backend
+    - snap-confine: make /lib/modules optional
+    - cmd/snap: handle "snap interfaces core" better
+    - store: move download tests into downloadSuite
+    - tests,interfaces: run interfaces-account-control on UC18
+    - tests: fix install snaps test by adding link to /snap
+    - tests: fix for nested test suite
+    - daemon: fix snap list --all with parallel snap instances
+    - snapstate: refactor tests to use SetModel*
+    - wrappers: fix snap services order in tests
+    - many: provide salt for generating instance-key in store requests
+    - ifacestate: fix hang when retrying content providers
+    - snapd-env-generator: fix when PATH is empty or unset
+    - overlord/assertstate: propagate TaskSnapSetup error
+    - client: catch and expose logs errors
+    - overlord: integrate device enumeration with udev monitor
+    - daemon, overlord/state: warnings pipeline
+    - tests: add publisher regex to fix the snap-info test pass on sru
+    - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+      tweaks
+    - cmd/snap-update-ns: remove the unused Secure type
+    - osutil, o/snapshotstate, o/sss/backend: quick fixes
+    - tests: update the listing expression to support core from
+      different channels
+    - store: use stable instance key in store refresh requests
+    - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+    - overlord/patch: support for sublevel patches
+    - tests: update prepare/restore for nightly suite
+    - cmd/snap-update-ns: detach BindMount from the Secure type
+    - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+    - ifacestate: retry on "discard-snap" in autoconnect conflict check
+    - cmd/snap-update-ns: separate OpenPath from the Secure struct
+    - wrappers: remove Wants=network-online.target
+    - tests: add new core16-base test
+    - store: refactor tests so that they work as store_test package
+    - many: add refresh.rate-limit core option
+    - tests: run account-control test with different bases
+    - tests: port proxy test to use python tinyproxy
+    - overlord: introduce snapshotstate.
+    - testutil: allow Fstatfs results to vary over time
+    - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+    - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+    - many: remove deadcode
+    - tests: also run unit/gccgo in 18.04
+    - tests: introduce a helper for installing local snaps with --name
+    - tests: avoid removing core snap on reset
+    - snap: use snap.SideInfo in test to fix build with gccgo
+    - partition: remove unused runCommand
+    - image: fix incorrect error when using local bases
+    - overlord/snapstate: fix format
+    - cmd: fix format
+    - tests: setting "storage: preserve-size" just for amazon-linux
+      system
+    - tests: test for the hostname interface
+    - interfaces/modem-manager: allow access to more USB strings
+    - overlord: instantiate UDevMonitor
+    - interfaces/apparmor: tweak naming, rename to AddLayout()
+    - interfaces: take instance name in ifacetest.InstallSnap
+    - snapcraft: do not use --dirty in mkversion
+    - cmd: add systemd environment generator
+    - devicestate: support getting (http) proxy from core config
+    - many: rename ClientOpts to ClientOptions
+    - prepare-image-grub-core18: remove image root in restore
+    - overlord/ifacestate: remove "old-conn" from connect/undo connect
+      handlers
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - image: handle errors when downloadedSnapsInfoForBootConfig has no
+      data
+    - tests: use official core18 model assertion in tests
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - overlord,store: support proxy settings internally too
+    - cmd/snap: bring back 'snap version'
+    - interfaces/mount: tweak naming of things
+    - strutil: fix MatchCounter to also work with buffer reuse
+    - cmd,interfaces,tests: add /mnt to removable-media interface
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - snap/snapenv: drop some instance specific variables, use instance-
+      specific ones for user locations
+    - firstboot: sort by type when installing the firstboot snaps
+    - cmd, cmd/snap: better support for non-linux
+    - strutil: add new ParseByteSize
+    - image: detect and error if bases are missing
+    - interfaces/apparmor: do not downgrade confinement on arch with
+      linux-hardened 4.17.4+
+    - daemon: add pokeStateLock helper to the daemon tests
+    - snap/squashfs: improve error message from Build on mksquashfs
+      failure
+    - tests: remove /etc/alternatives from dirs-not-shared-with-host
+    - cmd: support re-exec into the "snapd" snap
+    - spdx: remove "Other Open Source" from the support licenses
+    - snap: add new type "TypeSnapd" and attach to the snapd snap
+    - interfaces: retain order of inserted security backends
+    - tests: spread test for parallel-installs desktop file handling
+    - overlord/devicestate: use OpenSSL's PEM format when generating
+      keys
+    - cmd: remove --skip-command-chain from snap run and snap-exec
+    - selftest: detect if apparmor is unusable and error
+    - snap,snap-exec: support command-chain for hooks
+    - tests: significantly reduce execution time for managers test
+    - snapstate: use new "snap.ByType" sorting
+    - overlord/snapstate: fix UpdateMany() to work with parallel
+      instances
+    - testutil: have File* checker produce more useful error output
+    - overlord/ifacestate: introduce connectOpts
+    - interfaces: parallel instances support, extend unit tests
+    - tests: normalize tests
+    - snapstate: make InstallPath() return *snap.Info too
+    - snap: add ByType sorting
+    - interfaces: add cifs-mount interface
+    - tests: use file based markers in snap-service-stop-mode
+    - osutil: reorg and stub out things to get it building on darwin
+    - tests/main/layout: cleanup after the test
+    - osutil/sys: small tweaks to let it build on darwin
+    - daemon, overlord/snapstate: set instance name when installing from
+      snap file
+    - many: move Uname to osutil, for more DRY and easier porting.
+    - cmd/snap: create snap user directory when running parallel
+      installed snaps
+    - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+    - tests: basic test for parallel installs from the store
+    - image: download the gadget from the model.GadgetTrack()
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - overlord: handle sigterm during shutdown better
+    - tests: add the original function to fix the errors on new kernels
+    - tests/main/lxd: pull lxd from candidate; reënable i386
+    - wayland: add extra sockets that are used by older toolkits (e.g.
+      gtk3)
+    - asserts: add support for gadget tracks in the model assertion
+    - overlord/snapstate: improve feature flag validation
+    - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+    - interfaces: workaround for activated services and newer DBus
+    - tests: get the linux-image-extra available for the current kernel
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - interfaces: disconnect hooks
+    - cmd/libsnap: unify detection of core/classic with go
+    - tests: fix autopkgtest failures in cosmic
+    - snap: fix advice json
+    - overlord/snapstate: parallel snap install
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - interfaces: add screencast-legacy for video and audio recording
+    - tests: skip unsupported architectures for fedora-base-smoke test
+    - tests: avoid using the journalctl cursor when it has not been
+      created yet
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - tests: enable lxd again everywhere
+    - tests: new test for udisks2 interface
+    - interfaces: add cpu-control for setting CPU tunables
+    - overlord/devicestate: fix tests, set seeded in registration
+      through proxy tests
+    - debian: add missing breaks on cosmic
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - tests: new test for juju client observe interface
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - snapcraft: set version information for the snapd snap
+    - cmd/snap, daemon: error out if trying to install a snap using
+      empty name
+    - hookstate: simplify some hook tests
+    - cmd/snap-confine: extend security tag validation to cover instance
+      names
+    - snap: fix mocking of systemkey in snap-run tests
+    - packaging/opensuse: fix static build of snap-update-ns and snap-
+      exec
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - cmd/libsnap-confine-private: intoduce helpers for validating snap
+      instance name and instance key
+    - snap,snap-exec: support command-chain for app
+    - interfaces/builtin: network-manager resolved DBus changes
+    - snap: tweak `snap wait` command
+    - cmd/snap-update-ns: introduce validation of snap instance names
+    - cmd/snap: fix some corner-case test setup weirdness
+    - cmd,dirs: fix various issues discovered by a Fedora base snap
+    - tests/lib/prepare: fix extra snaps test
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 24 Oct 2018 11:30:45 -0600
+
+snapd (2.35.5) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - osutil: workaround overlayfs on ubuntu 18.10
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 15 Oct 2018 22:23:02 +0200
+
+snapd (2.35.4) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 14:41:33 +0200
+
+snapd (2.35.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - overlord: don't make become-operational interfere with user
+      requests
+    - docker_support.go: add rules to read apparmor macros
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-
+      nsFixes:
+    - snapcraft.yaml: add workaround to fix snapcraft build
+    - interfaces/opengl: misc accesses for VA-API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 09:32:00 +0200
+
+snapd (2.35.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - cmd,overlord/snapstate: go 1.11 format fixes
+    - ifacestate: fix hang when retrying content providers
+    - snap-env-generator: do nothing when PATH is unset
+    - interfaces/modem-manager: allow access to more USB strings
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 12 Sep 2018 09:32:00 +0200
+
+snapd (2.35.1) xenial; urgency=medium
+
+  *  New upstream release, LP: #1786438
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - snapcraft: do not use --diry in mkversion.sh
+    - cmd: add systemd environment generator
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - tests: cherry-pick test fixes from master for 2.35
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - interfaces: retain order of inserted security backends
+    - selftest: detect if apparmor is unusable and error
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 03 Sep 2018 14:44:06 +0200
+
+snapd (2.35) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - asserts: add support for gadget tracks in the model assertion
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - overlord: handle sigterm during shutdown better
+    - wayland: add extra sockets that are used by older toolkits
+    - snap: fix advice json
+    - tests: fix autopkgtest failures in cosmic
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - interfaces: add cpu-control for setting CPU tunables
+    - debian: add missing breaks on comisc
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - hookstate: simplify some hook tests
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - interfaces/builtin: network-manager resolved DBus changes
+    - tests: add spread test for fedora29 base snap
+    - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+    - dirs: fix SnapMountDir inside a Fedora base snap
+    - tests: fix snapd-failover for core18 with external backend
+    - overlord/snapstate: always clean SnapState when doing Get()
+    - overlod/ifacestate: always use a new SnapState when fetching the
+      snap state
+    - overlord/devicestate: have the serial request talk to the proxy if
+      set
+    - interfaces/hotplug: udevadm output parser
+    - tests: New test for daemon-notify interface
+    - image: ensure "core" is ordered early if base: and core is used
+    - cmd/snap-confine: snap-device-helper parallel installs support
+    - tests: enable interfaces-framebuffer everywhere
+    - tests: reduce nc wait time from 2 to 1 second
+    - snap/snapenv: add snap instance specific variables
+    - cmd/snap-confine: add minimal test for snap-device-helper
+    - tests: enable snapctl test on core18
+    - overlord: added UDevMonitor for future hotplug support
+    - wrappers: do not glob when removing desktop files
+    - tests: add dbus monitor log to interfaces-accounts-service
+    - tests: add core-18 systems to external backend
+    - wrappers: account for changed app wrapper in parallel installed
+      snaps
+    - wrappers: make sure that the tests pass on non-Ubuntu too
+    - many: add snapd snap failure handling
+    - tests: new test for dvb interface
+    - configstate: accept refresh.timer=managed
+    - tests: new test for snap logs command
+    - wrapper: generate all the snapd unit files when generating
+      wrappers
+    - store: keep all files with link-count > 1 in the cache
+    - store: be less verbose in the common refresh case of "no updates"
+    - snap-confine: update snappy-app-dev path
+    - debian: ensure dependency on fixed apt on 18.04
+    - snapd: add initial software watchdog for snapd
+    - daemon, systemd: change journalctl -n=all to --no-tail
+    - systemd: fix snapd.apparmor.service.in dependencies
+    - snapstate: refuse to remove bases or core if snaps need them
+    - snap: introduce package-level helpers for building snap related
+      directory/file paths
+    - overlord/devicestate: deny parallel install of kernel or gadget
+      snaps
+    - store: clean up parallel-install TODOs in store tests
+    - timeutil: fix first weekday of the month schedule
+    - interfaces: match all possible tty but console
+    - tests: shellchecks part 5
+    - cmd/snap-confine: allow ptrace read for 4.18 kernels
+    - advise: make the bolt database do the atomic rename dance
+    - tests/main/apt-hooks: debug dump of commands.db
+    - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+      handling
+    - snap: validate instance name as part of Validate()
+    - daemon: if a snap is inactive, don't ask systemd about its
+      services.
+    - udev: skip TestParseUdevEvent on s390x
+    - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+    - asserts,image: add support for new kernel=track syntax
+    - tests: new gce image for fedora 27
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - store, overlord/snapstate: introduce instance name in store APIs
+    - tests: drive-by cleanup of redudant pkgname matching
+    - tests: ensure apt-hook is only run after catalog update ran
+    - tests: use pkill instead of kilall
+    - tests/main: another bunch of updates for Amazon Linux 2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the  directory tree
+    - tests: disable/fix more tests for Amazon Linux 2
+    - overlord: introduce InstanceKey to SnapState and SnapSetup,
+      renames
+    - daemon: make sure most change generating handlers can produce
+      errors with kinds
+    - tests/main/interfaces-calendar-service: skip the test on AMZN2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the directory tree
+    - cmd/snap: add a green check mark to verified publishers
+    - cmd/snap: fix two issues in the cmd/snap unit tests
+    - packaging/fedora: fix target path of /snap symlink
+    - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - strutil: detect and bail out of Unmarshal on duplicate key
+    - packaging/fedora(amzn2): disable SELinux, drop dependency on
+      squashfuse for AMZN2
+    - spread, tests: add support for Amazon Linux 2
+    - packaging/fedora: Add Amazon Linux 2 support
+    - many: make Wait/Stop optional on StateManagers
+    - snap/squashfs: stop printing unsquashfs info to stderr
+    - snap: add support for `snap advise-snap --from-apt`
+    - overlord/ifacestate: ignore connect if already connected
+    - tests: change the service snap used instead of network-bind-
+      consumer
+    - interfaces/network-control: update for wpa-supplicant and ifupdown
+    - tests: fix raciness in stop mode tests
+    - logger: try to not have double dates
+    - debian: use deb-systemd-invoke instead of systemctl directly
+    - tests: run all main tests on core18
+    - many: finish sharing a single TaskRunner with all the the managers
+    - interfaces/repo: added AllHotplugInterfaces helper
+    - snapstate: ensure kernel-track is honored on switch/refresh
+    - overlord/ifacestate: support implicit slots on snapd
+    - image: add support for "kernel-track" in `snap prepare-image`
+    - tests: add test that ensures we do not boot any system in degraded
+      state
+    - tests: update tests to work on core18
+    - cmd/snap: check for typographic dashes in command
+    - tests: fix tests expecting old email address
+    - client: add some existing error kinds that were not listed in
+      client.go
+    - tests: add missing slots in classic and core provider test snaps
+    - overlord,daemon,cmd: re-map snap names around the edges of snapd
+    - tests: use install_local in snap-run-hooks
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - overlord/snapstate: dedupe default content providers
+    - osutil/udev: sync with upstream
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord: have SnapManager use a passed in TaskRunner created by
+      Overlord
+    - many: streamline the generic conflict check mechanisms
+    - tests: remove unneeded setup code in snap-run-symlink
+    - cmd/snap: print unset license as "unset", instead of "unknown"
+    - asserts: add (optional) kernel-track to model assertion
+    - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+    - interfaces/pulseaudio: be clear that the interface allows playback
+      and record
+    - snap: support hook environment
+    - interfaces: fix typo "daemonNotify" (add missing "n")
+    - interfaces: tweak tests of daemon-notify, use common naming
+    - interfaces: allow invoking systemd-notify when daemon-notify is
+      connected
+    - store: make snap blobs be 0600
+    - interfaces,daemon: move JSON types to the daemon
+    - tests: prepare needs to handle bin/snapctl being a symlink
+    - tests: do not mask errors in interfaces-timezone-control (#5405)
+    - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+    - tests: add basic integration test for spread hold
+    - overlord/snapstate: improve PlugsOnly comment
+    - many: assorted shellcheck fixes
+    - store, daemon, client, cmd/snap: expose "scope", default to wide
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - client, cmd/snap: pass snap instance name when installing from
+      file
+    - cmd/snap: add 'debug paths' command
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: fix tests on arch
+    - tests: start active system units on reset
+    - tests: new test for joystick interface
+    - tests: moving install of dependencies to pkgdb helper
+    - tests: enable new fedora image with test dependencies installed
+    - tests: start using the new opensuse image with test dependencies
+    - tests: check catalog refresh before and after restart snapd
+    - tests: stop restarting journald service on prepare
+    - interfaces: make core-support a no-op interface
+    - interfaces: prefer "snapd" when resolving implicit connections
+    - interfaces/hotplug: add hotplug Specification and
+      HotplugDeviceInfo
+    - many: lessen the use of core-support
+    - tests: fixes for the autopkgtest failures in cosmic
+    - tests: remove extra ' which breaks interfaces-bluetooth-control
+      test
+    - dirs: fix antergos typo
+    - tests: use grep to avoid non-matching messages from MATCH
+    - dirs: improve distro detection for Antegros
+    - vendor: switch to latest bson
+    - interfaces/builtin: create can-bus interface
+    - tests: "snap connect" is idempotent so just connect
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - interfaces: treat "snapd" snap as type:os
+    - interfaces: tweak tests to have less repetition of "core" and
+      "ubuntu…
+    - tests: simplify econnreset test
+    - snap: add helper for renaming slots
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - tests: add artful for sru validation on google backend
+    - snap,interfaces: move interface name validation to snap
+    - overlord/snapstate: introduce path to fake backend ops
+    - cmd/snap-confine: fix snaps running on core18
+    - many: expose publisher's validation throughout the API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 20 Aug 2018 12:36:33 +0200
+
+snapd (2.34.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - snapstate: allow setting "refresh.timer=managed"
+    - spread: switch Fedora and openSUSE images
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 27 Jul 2018 19:08:44 +0200
+
+snapd (2.34.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - packaging: fix bogus date in fedora snapd.spec
+    - tests: fix tests expecting old email address
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 19 Jul 2018 12:05:50 +0200
+
+snapd (2.34.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - tests: cherry-pick test fixes from master for 2.34
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord/snapstate: dedupe default content providers
+    - interfaces/builtin: create can-bus interface
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Tue, 17 Jul 2018 19:46:56 +0200
+
+snapd (2.34) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - store, daemon, client, cmd/snap: expose "scope", default to wide*
+    - tests: fix arch tests
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+    - tests: run interfaces-contacts-service only where test-snapd-eds
+      is available
+    - many: expose publisher's validation throughout the API
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - dirs: improve distro detection for Antegros
+    - Revert "dirs: improve identification of Arch Linux like systems"
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - i18n: use xgettext-go --files-from to avoid running into cmdline
+      size limits
+    - interfaces: move ValidateName helper to utils
+    - snapstate,ifstate: wait for pending restarts before auto-
+      connecting
+    - snap: account for parallel installs in wrappers, place info and
+      tests
+    - configcore: fix incorrect handling of keys with numbers (like
+      gpu_mem_512)
+    - tests: fix tests when no keyboard input detected
+    - overlord/configstate: add watchdog options
+    - snap-mgmt: fix for non-existent dbus system policy dir,
+      shellchecks
+    - tests/main/snapd-notify: use systemd's service properties rater
+      than the journal
+    - snapstate: allow removal of snap.TypeOS when using a model with a
+      base
+    - interfaces: make findSnapdPath smarter
+    - tests: run "arp" tests only if arp is available
+    - spread: increase the number of auto retries for package downloads
+      in opensuse
+    - cmd/snap-confine: fix nvidia support under lxd
+    - corecfg: added experimental.hotplug feature flag
+    - image: block installation of parallel snap instances
+    - interfaces: moved normalize method to interfaces/utils and made it
+      public
+    - api/snapctl: allow -h and --help for regular users.
+    - interfaces/udisks2: also implement implicit classic slot
+    - cmd/snap-confine: include CUDA runtime libraries
+    - tests: disable auto-refresh test on core18
+    - many: switch to account validation: unproven|verified
+    - overlord/ifacestate: get/set connection state only via helpers
+    - tests: adding extra check to validate journalctl is showing
+      current test data
+    - data: add systemd environment configuration
+    - i18n: handle write errors in xgettext-go
+    - snap: helper for validating snap instance names
+    - snap{/snaptest}: set instance key based on snap name
+    - userd: fix running unit tests on KDE
+    - tests/main/econnreset: limit ingress traffic to 512kB/s
+    - snap: introduce a struct Channel to represent store channels, and
+      helpers to work with it
+    - tests: add fedora to distro_clean_package_cache function
+    - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+    - tests: add spread test to ensure snapd/core18 are not removable
+    - tests: tweaks for running the main tests on core18
+    - overlord/{config,snap}state: introduce experimental.parallel-
+      instances feature flag
+    - strutil: support iteration over almost clean paths
+    - strutil: add PathIterator.Rewind
+    - tests: update interfaces-timeserver-control to core18
+    - tests: add halt-timeout to google backend
+    - tests: skip security-udev-input-subsystem without /dev/input/by-
+      path
+    - snap: introduce the instance key field
+    - packaging/opensuse: remaining packaging updates for 2.33.1
+    - overlord/snapstate: disallow installing snapd on baseless models
+    - tests: disable core tests on all core systems (16 and 18)
+    - dirs: improve identification of Arch Linux like systems
+    - many: expose full publisher info over the snapd API
+    - tests: disable core tests on all core systems (16 and 18)
+    - tests/main/xdg-open: restore or clean up xdg-open
+    - tests/main/interfaces-firewall-control: shellcheck fix
+    - snapstate: sort "snapd" first
+    - systemd: require snapd.socket in snapd.seeded.service; make sure
+      snapd.seeded
+    - spread-shellcheck: use the latest shellcheck available from snaps
+    - tests: use "ss" instead of "netstat" (netstat is not available in
+      core18)
+    - data/complete: fix three out of four shellcheck warnings in
+      data/complete
+    - packaging/opensuse: fix typo, missing assignment
+    - tests: initial core18 spread image building
+    - overlord: introduce a gadget-connect task and use it at first boot
+    - data/completion: fix inconsistency in +x and shebang
+    - firstboot: mark essential snaps as "Required" in the state
+    - spread-shellcheck: use a whitelist of files that are allowed to
+      fail validation
+    - packaging/opensuse: build position-independent binaries
+    - ifacestate: prevent running interface hooks twice when self-
+      connecting on autoconnect
+    - data: remove /bin/sh from snapd.sh
+    - tests: fix shellcheck 0.5.0 warnings
+    - packaging/opensuse: snap-confine should be 06755
+    - packaging/opensuse: ship apparmor integration if enabled
+    - interfaces/udev,misc: only trigger udev events on input subsystem
+      as needed
+    - packaging/opensuse: add missing bits for snapd.seeded.service
+    - packaging/opensuse: don't use %-macros in comments
+    - tests: shellchecks part 4
+    - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+      parallel-install TODOs
+    - store: drop unused: channel map types, and details fixture.
+    - store: have a basic test about the unmarshalling of /search
+      results
+    - tests: show executed tests on current system when a test fails
+    - tests: fix for the download of the big snap
+    - interfaces/apparmor: add chopTree
+    - tests: remove double debug: | entry in tests and add more checks
+    - cmd/snap-update-ns: introduce mimicRequired helper
+    - interfaces: move assertions around for better failure line number
+    - store: log a nice clear "download succeeded" message
+    - snap: run snap-confine from the re-exec location
+    - snapstate: support restarting snapd from the snapd snap on core18
+    - tests: show status of the partial test-snapd-huge snap in
+      econnreset test
+    - tests: fix interfaces-calendar-service test when gvfsd-metadata
+      loks the xdg dirctory
+    - store: switch store.SnapInfo to use the new v2/info endpoint
+    - interfaces: add Repository.AllInterfaces
+    - snapstate: stop using evolving SnapSpec internally, use an
+      internal-only snapSpec instead
+    - cmd/libsnap-confine-private: introduce a helper for splitting snap
+      name
+    - tests: econnreset/retry tweaks
+    - store, et al: kill dead code that uses the bulk endpoint
+    - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+    - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+      Depth helper
+    - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+      available
+    - store: switch connectivity check to use v2/info
+    - devicestate: support seeding from a base snap instead of core
+    - snapstate,ifacestate: remove core-phase-2 handling
+    - interfaces/docker-support: update for docker 18.05
+    - tests: enable fedora 28 again
+    - overlord/ifacestate:  simplify checkConnectConflicts and also
+      connect signature
+    - snap: parse connect instructions in gadget.yaml
+    - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+      test
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - store, image: have 'snap download' use v2/refresh action=download
+    - interfaces/policy: test that base policy can be parsed
+    - tests: publish test-snapd-appstreamid for any architecture
+    - snap: don't include newline in hook environment
+    - cmd/snap-update-ns: use RCall with SyscallsEqual
+    - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+    - interfaces: add the dvb interface
+    - daemon: paging is not a thing.
+    - cmd/snap-mgmt: remove system key on purge
+    - testutil: syscall sequence checker
+    - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command* many: add `snap debug
+      connectivity` command
+    - configstate: deny configuration of base snaps and for the "snapd"
+      snap
+    - interfaces/raw-usb: also allow usb serial devices
+    - snap: reject more layout locations
+    - errtracker: do not send duplicated reports
+    - httputil: extra debug if an error is not retried
+    - cmd/snap-update-ns: improve wording in many errors
+    - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+    - cmd/snap-update-ns: add helper for checking for read-only
+      filesystems
+    - interfaces/builtin/docker: use commonInterface over specific
+      struct
+    - testutil: add test support for Fstatfs
+    - cmd/snap-update-ns: discard the concept of segments
+    - cmd/libsnap-confine-private: helper for extracting store snap name
+      from local-name
+    - tests: fix flaky test for hooks undo
+    - interfaces: add {contacts,calendar}-service interfaces
+    - tests: retry 'restarting into..' match in the snap-confine-from-
+      core test
+    - systemd: adjust TestWriteMountUnitForDirs() to use
+      squashfs.MockUseFuse(false)
+    - data: add helper that can generate/start/stop the snapd service
+    - sefltest: advise reboot into 4.4 on trusty running 3.13
+    - selftest: add new selftest package that tests squashfs mounting
+    - store, jsonutil: move store.getStructFields to
+      jsonutil.StructFields
+    - ifacestate: improved conflict and error handling when creating
+      autoconnect tasks
+    - cmd/snap-confine: applied make fmt
+    - interfaces/udev: call 'udevadm settle --timeout=10' after
+      triggering events
+    - tests: wait more time until snap start to be downloaded on
+      econnreset test
+    - snapstate: ensure fakestore returns TypeOS for the core snap
+    - tests: fix lxd test which hangs on restore
+    - cmd/snap-update-ns: add PathIterator
+    - asserts,image: add support for models with bases
+    - tests: shellchecks part 3
+    - overlord/hookstate: support undo for hooks
+    - interfaces/tpm: Allow access to the kernel resource manager
+    - tests: skip appstream-id test for core systems 32 bits
+    - interfaces/home: remove redundant common interface assignment
+    - tests: reprioritise a few tests that are known to be slow
+    - cmd/snap: small help tweaks and fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - spread-shellcheck: silly fix & pep8
+    - spread: switch fedora 28 to manual
+    - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+      it in snap info --verbose
+    - tests: fix lxd test - --auto now sets up networking
+    - tests: adding fedora-28 to spread.yaml
+    - interfaces: add juju-client-observe interface
+    - client, daemon: add a "mounted-from" entry to local snaps' JSON
+    - image: set model.DisplayName() in bootenv as "snap_menuentry"
+    - packaging/opensuse: Refactor packaging to support all openSUSE
+      targets
+    - interfaces/joystick: force use of the device cgroup with joystick
+      interface
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - interfaces: remove Plug/Slot types
+    - interface hooks: update old AutoConnect methods
+    - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+    - overlord/{config,snap}state: the number of inactive revisions is
+      config
+    - cmd/snap: check with snapd for unknown sections
+    - tests: moving test helpers from sh to bash
+    - data/systemd: add snapd.apparmor.service
+    - many: expose AppStream IDs (AKA common ID)
+    - many: hold refresh when on metered connections
+    - interfaces/joystick: also support modern evdev joysticks and
+      gamepads
+    - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+    - snapcraft: use dpkg-buildpackage options that work in xenial
+    - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+    - get-deps: work with an unset GOPATH too
+    - interfaces/apparmor: use strict template on openSUSE tumbleweed
+    - packaging: filter out verbose flags from "dh-golang"
+    - packaging: fix description
+    - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 06 Jul 2018 16:08:17 +0200
+
+snapd (2.33.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - many: improve udev trigger on refresh experience
+    - systemd: require snapd.socket in snapd.seeded.service
+    - snap: don't include newline in hook environment
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - tests: skip security-dev-input-event-denied when /dev/input/by-
+      path/ is missing
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 21 Jun 2018 17:37:56 +0200
+
+snapd (2.33) xenial; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command
+    - interfaces/raw-usb: also allow usb serial devices
+    - errtracker: do not send duplicated reports
+    - selftest: add new selftest package that tests squashfs mounting
+    - tests: backport lxd force stop and econnreset fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - interfaces/joystick: support modern evdev joysticks
+    - interfaces: add juju-client-observe
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - many: holding refresh on metered connections
+    - many: expose AppStream IDs (AKA common ID)
+    - tests: speed up save/restore snapd state for all-snap systems
+      during tests execution
+    - interfaces/apparmor: use helper to load stray profile
+    - tests: ubuntu core abstraction
+    - overlord/snapstate: don't panic in a corner case interaction of
+      cleanup tasks and pruning
+    - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+      snaps
+    - tests: new parameter for the journalctl rate limit
+    - spread-shellcheck: port to python
+    - interfaces/home: add 'read' attribute to allow non-owner read to
+      @{HOME}
+    - testutil: import check.v1 differently to workaround gccgo error
+    - interfaces/many: miscellaneous updates for default, desktop,
+      desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+      keys
+    - snapstate/hooks: reorder autoconnect and reconnect hooks
+    - daemon: update unit tests to match current master
+    - overlord/snapshotstate/backend: introducing the snapshot backend
+    - many: support 'system' nickname in interfaces
+    - userd: add the "snap" scheme to the whitelist
+    - many: make rebooting of core on refresh immediate, refactor logic
+      around it
+    - tests/main/snap-service-timer: account for service timer being in
+      the 'running' state
+    - interfaces/builtin: allow access to libGLESv* too for opengl
+      interface
+    - daemon: fix unit tests on arch
+    - interfaces/default,process-control: miscellaneous signal policy
+      fixes
+    - interfaces/bulitin: add write permission to optical-drive
+    - configstate: validate known core.* options
+    - snap, wrappers: systemd WatchdogSec support
+    - ifacestate: do not auto-connect manually disconnected interfaces
+    - systemd: mock useFuse() so testsuite passes in container via lxd
+      snap
+    - snap/env: fix env duplication logic
+    - snap: some doc comments fixes and additions
+    - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+      vendor files
+    - ifacestate: unify reconnect and autoconnect methods
+    - tests: fix user mounts test for external systems
+    - overlord/snapstate,overlord/auth,store: coalesce no auth user
+      refresh requests
+    - boot,partition: improve tests/docs around SetNextBoot()
+    - many: improve `snap wait` command
+    - snap: fix `snap interface --attrs` output when numbers are used
+    - cmd/snap-update-ns: poke holes when creating source paths for
+      layouts
+    - snapstate: support getting new bases/default-providers on refresh
+    - ifacemgr: remove stale connections on startup
+    - asserts: use Attrer in policy checks
+    - testutil: record system call errors / return values
+    - tests: increase timeouts to make tests reliable on slow boards
+    - repo: pass and return ConnRef via pointers
+    - interfaces: add xdg-document-portal support to desktop interface
+    - debian: add a zenity|kdialog suggests
+    - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+    - tests: go must be installed as a classic snap
+    - tests: use journalctl cursors instead rotating logs
+    - daemon: add confinement-options to /v2/system-info
+      daemon: refactor classic support flag to be more structured
+    - tests: build spread in the autopkgtests with a more recent go
+    - cmd/snap: fix the message when snap.channel != snap.tracking
+    - overlord/snapstate: allow core defaults configuration via 'system'
+      key
+    - many: add "snap debug sandbox-features" and needed bits
+    - interfaces: interface hooks for refresh
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - many: add wait command and `snapd.seeded` service
+    - interfaces: move host font update-ns AppArmor rules to desktop
+      interface
+    - jsonutil/safejson: introducing safejson.String &
+      safejson.Paragraph
+    - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+    - cmd/snap-update-ns,tests: mimic the mode and ownership of
+      directories
+    - cmd/snap-update-ns: add support for ignoring mounts with missing
+      source/target
+    - interfaces: interface hooks implementation
+    - cmd/libsnap: fix compile error on more restrictive gcc
+      cmd/libsnap: fix compilation errors on gcc 8
+    - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+    - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+    - tests: fix interfaces-network test for systems with partial
+      confinement
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+    - configcore: validate experimental.layouts option
+    - interfaces:minor autoconnect cleanup
+    - HACKING: fix typos
+    - spread: add adt for ubuntu 18.10
+    - tests: skip test lp-1721518 for arch, snapd is failing to start
+      after reboot
+    - interfaces/x11: allow X11 slot implementations
+    - tests: checking interfaces declaring the specific interface
+    - snap: improve error for snaps not available in the given context
+    - cmdstate: add missing test for default timeout handling
+    - tests: shellcheck spread tasks
+    - cmd/snap: update install/refresh help vs --revision
+    - cmd/snap-confine: add support for per-user mounts
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - tests: adding google-sru backend replacing linode-sur
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - systemd: replace ancient paths with 16.04+ standards
+    - overlord,systemd: store snap revision in mount units
+    - testutil: add test helper for SysLstat
+    - testutil,cmd: rename test helper of Lstat to OsLstat
+    - testutil: document all fake syscall/os functions
+    - osutil,interfaces,cmd: use less hardcoded strings
+    - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+    - testutil: don't dot-import check.v1
+    - store: getStructFields takes pointers now
+    - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+    - many: fix false negatives reported by vet
+    - osutil,interfaces: use uint32 for uid, gid
+    - many: fix various issues reported by shellcheck
+    - tests: add pending shutdown detection
+    - image: support refreshing soft-expired user macaroons in tooling
+    - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+      daemon tests
+    - interfaces/builtin: add support for software-watchdog interface
+    - spread: auto accept key changes when calling dnf
+    - snap,overlord/snapstate: introduce and use BrokenSnapError
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: bring back one missing test in snap-service-stop-mode
+    - debian: update LP bug for the 2.32.5 SRU
+    - userd: set up journal logging streams for autostarted apps
+    - snap,tests : don't fail if we cannot stat MountFile
+    - tests: smaller fixes for Arch tests
+    - tests: run interfaces-broadcom-asic-control early
+    - client: support for snapshot sets, snapshots, and snapshot actions
+    - tests: skip interfaces-content test on core devices
+    - cmd: generalize locking to global, snap and per-user locks
+    - release-tools: handle the snapd-x.y.z version
+    - packaging: fix incorrectly auto-generated changelog entry for
+      2.32.5
+    - tests: add arch to CI
+    - systemd: add helper for opening stream file descriptors to the
+      journal
+    - cmd/snap: handle distros with no version ID
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - tests: removing linode-sru backend
+    - tests: updating bionic version for spread tests on google
+    - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - overlord/snapstate: allow to get an error from readInfo instead of
+      a broken stub, use it in doMountSnap
+    - snap: snap.AppInfo is now a fmt.Stringer
+    - tests: move fedora 27 to google backend
+    - many: add `core.problem-reports.disabled` option
+    - cmd/snap-update-ns: remove the need for stash directory in secure
+      bind mount implementation
+    - errtracker: check for whoopsie.service instead of reading
+      /etc/whoopsie
+    - cmd/snap: user session application autostart v3
+    - tests: add test to ensure `snap refresh --amend` works with
+      different channels
+    - tests: add check for OOM error after each test
+    - cmd/snap-seccomp: graceful handling of non-multilib host
+    - interfaces/shutdown: allow calling SetWallMessage
+    - cmd/snap-update-ns: add secure bind mount implementation for use
+      with user mounts
+    - snap: fix `snap advise-snap --command` output to match spec
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - overlord/snapstate: introduce envvars to control the channels for
+      based and prereqs
+    - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+    - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+    - daemon,overlord/hookstate: stop/wait for running hooks before
+      closing the snapctl socket
+    - advisor: use json for package database
+    - interfaces/hostname-control: allow setting the hostname via
+      syscall and systemd
+    - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+      libraries
+    - interfaces: misc updates for default, firewall-control, fuse-
+      support and process-control
+    - data/selinux: Give snapd access to more aspects of the system
+    - many: use the new install/refresh API by switching snapstate to
+      use store.SnapAction
+    - errtracker: make TestJournalErrorSilentError work on gccgo
+    - ifacestate: add to the repo also snaps that are pending being
+      activated but have a done setup-profiles
+    - snapstate, ifacestate: inject auto-connect tasks try 2
+    - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+    - errtracker: add more fields to aid debugging
+    - interfaces: make system-key more robust against invalid fstab
+      entries
+    - overlord,interfaces: be more vocal about broken snaps and read
+      errors
+    - ifacestate: injectTasks helper
+    - osutil: fix fstab parser to allow for # in field values
+    - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+    - release-tools: add repack-debian-tarball.sh
+    - daemon,client: add build-id to /v2/system-info
+    - cmd: make fmt (indent 2.2.11)
+    - interfaces/content: add rule so slot can access writable files at
+      plug's mountpoint
+    - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+    - ifacestate: don't surface errors from stale connections
+    - cmd/snap-update-ns: convert Secure* family of functions into
+      methods
+    - tests: adjust canonical-livepatch test on GCE
+    - tests: fix quoting issues in econnreset test
+    - cmd/snap-confine: make /run/media an alias of /media
+    - cmd/snap-update-ns: rename i to segNum
+    - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+    - spread: disable StartLimitInterval option on opensuse-42.3
+    - configstate: give a chance to immediately recompute the next
+      refresh time when schedules are set
+    - cmd/snap-confine: attempt to detect if multiarch host uses
+      arch triplets
+    - store: add Store.SnapAction to support the new install/refresh API
+      endpoint
+    - tests: adding test for removable-media interface
+    - tests: update interface tests to remove extra checks and normalize
+      tests
+    - timeutil: in Human, count days with fingers
+    - vendor: update gopkg.in/yaml.v2 to the latest version
+    - cmd/snap-confine: fix Archlinux compatibility
+    - cmd/snapd: make sure signal handlers are established during early
+      daemon startup
+    - cmd/snap-confine: apparmor: allow creating prefix path for
+      gl/vulkan
+    - osutil: use tilde suffix for temporary files used for atomic
+      replacement
+    - tests: copy or sanity check core users using usernames
+    - tests: disentangle etc vs extrausers in core tests
+    - tests: fix snap-run tests when snapd is not running
+    - overlord/configstate: change how ssh is stopped/started
+    - snap: make `snap run` look at the system-key for security profiles
+    - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+      replacement
+    - tests: adding opensuse-42.3 to google
+    - cmd/snap: fix one issue with noWait error handling logic, add
+      tests plus other cleanups
+    - cmd/snap-confine: nvidia: preserve globbed file prefix
+    - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+      needed
+    - interfaces,release: probe seccomp features lazily
+    - tests: change debug for layout test
+    - advisor: deal with missing commands.db file
+    - interfaces/apparmor: simplify UpdateNS internals
+    - polkit: Pass caller uid to PolicyKit authority
+    - tests: moving debian 9 from linode to google backend
+    - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+    - po: specify charset in po/snappy.pot
+    - interfaces: harden snap-update-ns profile
+    - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+    - tests: update tests to deal with s390x quirks
+    - debian: run snap.mount upgrade fixup *before* debhelper
+    - tests: move xenial i386 to google backend
+    - snapstate: add compat mode for default-provider
+    - tests: a bunch of test fixes for s390x from looking at the
+      autopkgtest logs
+    - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+    - interfaces/builtin: let MM change qmi device attributes
+    - tests: add workaround for s390x failure
+    - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+    - daemon: support 'system' as nickname of the core snap
+    - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+    - devicestate: add DeviceManager.Registered returning a channel
+      closed when the device is known to be registered
+    - store: Sections and WriteCatalogs need to strictly send device
+      auth only if the device has a custom store
+    - tests: add bionic system to google backend
+    - many: fix shellcheck warnings in bionic
+    - cmd/snap-update-ns: don't fail on existing symlinks
+    - tests: make autopkgtest tests more targeted
+    - cmd/snap-update-ns: fix creation of layout symlinks
+    - spread,tests: move suite-level prepare/restore to central script
+    - many: propagate contexts enough to be able to mark store
+      operations done from the Ensure loop
+    - snap: don't create empty Change with "Hold" state on disconnect
+    - snap: unify snap name validation w/python; enforce length limit.
+    - cmd/snap: use shlex when parsing `snap run --strace` arguments
+    - osutil,testutil: add symlinkat(2) and readlinkat(2)
+    - tests: autopkgtest may have non edge core too
+    - tests: adding checks before stopping snapd service to avoid job
+      canceled on ubuntu 14.04
+    - errtracker: respect the /etc/whoopsie configuration
+    - overlord/snapstate:  hold refreshes for 2h after seeding on
+      classic
+    - cmd/snap: tweak and polish help strings
+    - snapstate: put layout feature behind feature flag
+    - tests: force profile re-generation via system-key
+    - snap/squashfs: when installing from seed, try symlink before cp
+    - wrappers: services which are socket or timer activated should not
+      be started during boot
+    - many: go vet cleanups
+    - tests: define MATCH from spread
+    - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+      fix
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - cmd/snap: in changes and tasks, default to human-friendly times
+    - many: support holding refreshes by setting refresh.hold
+    - Revert "cmd/snap: use timeutil.Human to show times in `snap
+      refresh -…-time`"
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - tests/main/snap-service-refresh-mode: refactor the test to rely on
+      comparing PIDs
+    - tests/main/media-sharing: improve the test to cover /media and
+      /run/media
+    - store: enable deltas for core devices too
+    - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+    - strutil/shlex: import github.com/google/shlex into the tree
+    - vendor: update github.com/mvo5/libseccomp-golang
+    - overlord/snapstate: block install of "system"
+    - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+    - many: add the snapd-generator
+    - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+    - polkit: ensure error is properly set if dialog is dismissed
+    - snap-confine, snap-seccomp: utilize new seccomp logging features
+    - progress: tweak ansimeter cvvis use to no longer confuse minicom
+    - xdgopenproxy: integrate xdg-open implementation into snapctl
+    - tests: avoid removing preinstalled snaps on core
+    - tests: chroot into core to run xdg-open there
+    - userd: add an OpenFile method for launching local files with xdg-
+      open
+    - tests: moving ubuntu core from linode to google backend
+    - run-checks: remove accidental bashism
+    - i18n: simplify NG usage by doing the modulo math in-package.
+    - snap/squashfs: set timezone when calling unsquashfs to get the
+      build date
+    - timeutil: timeutil.Human(t) gives a human-friendly string for t
+    - snap: add autostart app property
+    - tests: add support for external backend executions on listing test
+    - tests: make interface-broadcom-asic-control test work on rpi
+    - configstate: when disable "ssh" we must disable the "sshd" service
+    - interfaces/apparmor,system-key: add upperdir snippets for strict
+      snaps on livecd
+    - snap/squashfs: add BuildDate
+    - store: parse the JSON format used by the coming new store API to
+      convey snap information
+    - many: remove snapd.refresh.{timer,service}
+    - tests: adding ubuntu-14.04-64 to the google backend
+    - interfaces: add xdg-desktop-portal support to desktop interface
+    - packaging/arch: sync with snapd/snapd-git from AUR
+    - wrappers, tests/main/snap-service-timer: restore missing commit,
+      add spread test for timer services
+    - store: don't ask for snap_yaml_raw except on the details endpoint
+    - many: generate and use per-snap snap-update-ns profile
+    - tests: add debug for layout test
+    - wrappers: detect whether systemd-analyze can be used in unit tests
+    - osutil: allow creating strings out of MountInfoEntry
+    - servicestate: use systemctl enable+start and disable+stop instead
+      of --now flag
+    - osutil: handle file being matched by multiple patterns
+    - daemon, snap: fix InstallDate, make a method of *snap.Info
+    - wrappers: timer services
+    - wrappers: generator for systemd OnCalendar schedules
+    - asserts: fix flaky storeSuite.TestCheckAuthority
+    - tests: fix dependency for ubuntu artful
+    - spread: start moving towards google backend
+    - tests: add a spread test for layouts
+    - ifacestate: be consistent passing Retry.After as named field
+    - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+    - testutil: allow mocking syscall.Fstat
+    - overlord/snapstate: verify that default schedule is randomized and
+      is  not a single time
+    - many: simplify mocking of home-on-NFS
+    - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+    - store: move infoFromRemote into details.go close to snapDetails
+    - userd/tests: Test kdialog calls and mock kdialog too to make tests
+      work in KDE
+    - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+    - cmd/snap: add self-strace to `snap run`
+    - interfaces/screen-inhibit-control,network-status: fix dbus path
+      and interface typos
+    - update-pot: Force xgettext() to return true
+    - store: cleanup test naming, dropping remoteRepo  and
+      UbuntuStore(Repository)? references
+    - store: reorg auth refresh
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 08 Jun 2018 17:13:47 +0200
+
+snapd (2.32.9) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - tests: run all spread tests inside GCE
+    - tests: build spread in the autopkgtests with a more recent go
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 May 2018 10:20:08 +0200
+
+snapd (2.32.8) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snapd.core-fixup.sh: fix workaround for corrupted uboot.env
+      and add tests
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 14:36:16 +0200
+
+snapd (2.32.7) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - many: add wait command and seeded target (2
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - cmd/libsnap: fix compile error on more restrictive gcc
+    - tests: cherry-pick commits to move spread to google backend
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - userd: set up journal logging streams for autostarted apps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 13:09:32 +0200
+
+snapd (2.32.6) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: run interfaces-boradcom-asic-control early
+    - tests: skip interfaces-content test on core devices
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Sun, 29 Apr 2018 19:21:53 +0200
+
+snapd (2.32.5) xenial; urgency=medium
+
+  * New upstream release, LP: #1765090
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - daemon: support 'system' as nickname of the core snap
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 16 Apr 2018 11:41:48 +0200
+
+snapd (2.32.4) xenial; urgency=medium
+
+  * New upstream release, LP: #1756173
+    - cmd/snap: user session application autostart
+    - overlord/snapstate: introduce envvars to control the channels for
+      bases and prereqs
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - many: use the new install/refresh /v2/snaps/refresh store API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 11 Apr 2018 16:30:45 +0200
+
 snapd (2.32.3.2) xenial; urgency=medium
 
   * New upstream release, LP: #1756173
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/control snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/control
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/control	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/control	2019-01-16 08:36:51.000000000 +0000
@@ -33,6 +33,7 @@
                python3-docutils,
                python3-markdown,
                squashfs-tools,
+               tzdata,
                udev,
                xfslibs-dev
 Standards-Version: 3.9.7
@@ -69,8 +70,9 @@
          ${misc:Depends},
          ${shlibs:Depends}
 Replaces: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0)
-Breaks: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0)
+Breaks: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0), ${snapd:Breaks}
 Recommends: gnupg
+Suggests: zenity | kdialog
 Conflicts: snap (<< 2013-11-29-1ubuntu1)
 Built-Using: ${Built-Using} ${misc:Built-Using}
 Description: Daemon and tooling that enable snap packages
@@ -79,8 +81,7 @@
  enabling secure distribution of the latest apps and utilities for
  cloud, servers, desktops and the internet of things.
  .
- This is the CLI for snapd, a background service that takes care of
- snaps on the system. Start with 'snap list' to see installed snaps.
+ Start with 'snap list' to see installed snaps.
 
 Package: ubuntu-snappy
 Architecture: all
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/files snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/files
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/files	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/files	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-snapd_2.32.3.2+18.04_source.buildinfo devel optional
+snapd_2.37~rc1+18.10_source.buildinfo devel optional
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/rules snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/rules
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/rules	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/rules	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,17 @@
 
 include /etc/os-release
 
+# On 18.04 the released version of apt (1.6.1) has a bug that causes
+# problem on "apt purge snapd". To ensure this won't happen add the
+# right dependency on 18.04.
+ifeq (${VERSION_ID},"18.04")
+	SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.6.3)"
+endif
+# Same as above for 18.10 just a different version.
+ifeq (${VERSION_ID},"18.10")
+	SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)"
+endif
+
 # this is overridden in the ubuntu/14.04 release branch
 SYSTEMD_UNITS_DESTDIR="lib/systemd/system/"
 
@@ -133,7 +144,7 @@
 	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
 
 	# this is the main go build
-	dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
+	SNAPD_VANILLA_GO=$$(which go) PATH="$$(pwd)/packaging/build-tools/:$$PATH" dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
 
 	# (static linking on powerpc with cgo is broken)
 ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
@@ -206,13 +217,15 @@
 	if [ -d share/locale ]; then \
 		cp -R share/locale debian/snapd/usr/share; \
 	fi
+	# chrorder generator
+	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
 
-	# install snapd's systemd units / upstart jobs, done
+	# Install snapd's systemd units / upstart jobs, done
 	# here instead of debian/snapd.install because the
 	# ubuntu/14.04 release branch adds/changes bits here
 	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
 		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
-	# we called this apps-bin-path.sh instead of snapd.sh, and
+	# We called this apps-bin-path.sh instead of snapd.sh, and
 	# it's a conf file so we're stuck with it
 	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh
 
@@ -221,6 +234,10 @@
 	# Rename the apparmor profile, see dh_apparmor call above for an explanation.
 	mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real
 
+	# On Ubuntu and Debian we don't need to install the apparmor helper service.
+	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.apparmor.service
+	rm $(CURDIR)/debian/tmp/usr/lib/snapd/snapd-apparmor
+
 	dh_install
 
 override_dh_auto_install: snap.8
@@ -234,4 +251,4 @@
 	rm -vf snap.8
 
 override_dh_gencontrol:
-	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"
+	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)" $(SUBSTVARS)
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.install snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.install
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.install	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.install	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,12 @@
 usr/bin/snap
-usr/bin/snapctl
+usr/bin/snapctl /usr/lib/snapd/
 usr/lib/snapd/system-shutdown
 usr/bin/snap-exec /usr/lib/snapd/
 usr/bin/snap-repair /usr/lib/snapd/
+usr/bin/snap-failure /usr/lib/snapd/
 usr/bin/snap-update-ns /usr/lib/snapd/
 usr/bin/snapd /usr/lib/snapd/
 usr/bin/snap-seccomp /usr/lib/snapd/
-usr/lib/snapd/snapd-generator /lib/systemd/system-generators/
 
 # bash completion
 data/completion/snap /usr/share/bash-completion/completions
@@ -18,6 +18,8 @@
 data/info /usr/lib/snapd/
 # polkit actions
 data/polkit/io.snapcraft.snapd.policy /usr/share/polkit-1/actions/
+# apt hook
+data/apt/20snapd.conf /etc/apt/apt.conf.d/
 
 # snap-confine stuff
 etc/apparmor.d/usr.lib.snapd.snap-confine.real
@@ -25,8 +27,7 @@
 usr/lib/snapd/snap-mgmt
 usr/lib/snapd/snap-confine
 usr/lib/snapd/snap-discard-ns
-usr/share/man/man1/snap-confine.1
-usr/share/man/man5/snap-discard-ns.5
+usr/share/man/
 # for compatibility with ancient snap installs that wrote the shell based
 # wrapper scripts instead of the modern symlinks
 usr/bin/ubuntu-core-launcher
@@ -36,3 +37,8 @@
 
 # install squashfuse as snapfuse to ensure it is available in e.g. lxd
 vendor/github.com/snapcore/squashfuse/src/snapfuse usr/bin
+
+# use "usr/lib" here because apparently systemd looks only there
+usr/lib/systemd/system-environment-generators
+# but system generators end up in lib
+lib/systemd/system-generators
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.links snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.links
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.links	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.links	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1,2 @@
 ../../usr/lib/snapd/snap-device-helper  /lib/udev/snappy-app-dev
+usr/lib/snapd/snapctl usr/bin/snapctl
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.postinst snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.postinst
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.postinst	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.postinst	2019-01-16 08:36:51.000000000 +0000
@@ -10,8 +10,15 @@
             ldconfig
         fi
 
-        # ensure we undo the stopping of the snap.mount unit
-        # that we had in 2.31 and 2.31.1
+        # Ensure that we undo the damage done by the snap.mount unit that was present
+        # in snapd 2.31.
+        #
+        # We found that update scripts make systemd stop inactive mount units and this
+        # in turn stops all the units that depend on it so when the snap.mount unit is
+        # stopped all the per-snap mount units gets stopped along with them.  The 2.31
+        # release was only out briefly in xenial-proposed and bionic but to keep the
+        # affected users safe let's start all the per-snap mount units so that snaps no
+        # longer appear as broken after update.
         if dpkg --compare-versions "$2" ge-nl "2.31" && \
                 dpkg --compare-versions "$2" lt-nl "2.32"; then
             units=$(systemctl list-unit-files --full | grep '^snap[-.]' | cut -f1 -d ' ' | grep -vF snap.mount.service || true)
@@ -24,7 +31,7 @@
                 fi
 
                 echo "Starting $unit"
-                systemctl start "$unit" || true
+                deb-systemd-invoke start "$unit" || true
             done
         fi
 esac
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.postrm snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.postrm
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/snapd.postrm	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/snapd.postrm	2019-01-16 08:36:51.000000000 +0000
@@ -71,10 +71,12 @@
             # udev rules
             find /etc/udev/rules.d -name "*-snap.${snap}.rules" -execdir rm -f "{}" \;
             # dbus policy files
-            find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            if [ -d /etc/dbus-1/system.d ]; then
+                find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            fi
             # timer files
             find /etc/systemd/system -name "snap.${snap}.*.timer" | while read -r f; do
-                systemctl_stop "$(basename $f)"
+                systemctl_stop "$(basename "$f")"
                 rm -f "$f"
             done
         fi
@@ -99,13 +101,13 @@
     echo "Discarding preserved snap namespaces"
     # opportunistic as those might not be actually mounted
     if [ -d /run/snapd/ns ]; then
-        if [ $(ls /run/snapd/ns/*.mnt | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.mnt" | wc -l)" -gt 0 ]; then
             for mnt in /run/snapd/ns/*.mnt; do
                 umount -l "$mnt" || true
                 rm -f "$mnt"
             done
         fi
-        if [ $(ls /run/snapd/ns/*.fstab | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.fstab" | wc -l)" -gt 0 ]; then
             for fstab in /run/snapd/ns/*.fstab; do
                 rm -f "$fstab"
             done
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/source/options snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/source/options
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/source/options	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/source/options	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+tar-ignore = "tests/lib/cache/*"
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/tests/integrationtests snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/tests/integrationtests
--- snapd-2.32.3.2~14.04/packaging/ubuntu-16.10/tests/integrationtests	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-16.10/tests/integrationtests	2019-01-16 08:36:51.000000000 +0000
@@ -18,7 +18,7 @@
 systemctl daemon-reload
 
 # ensure we are not get killed too easily
-echo -950 > /proc/$$/oom_score_adj
+printf '%s\n' "-950" > /proc/$$/oom_score_adj
 
 # see what mem we have (for debugging)
 cat /proc/meminfo
@@ -36,13 +36,16 @@
     export SPREAD_CORE_CHANNEL=stable
 fi
 
+# Spread will only buid with recent go
+snap install --classic go
+
 # and now run spread against localhost
 # shellcheck disable=SC1091
 . /etc/os-release
 export GOPATH=/tmp/go
-go get -u github.com/snapcore/spread/cmd/spread
-/tmp/go/bin/spread -v "autopkgtest:${ID}-${VERSION_ID}-$(dpkg --print-architecture)"
+/snap/bin/go get -u github.com/snapcore/spread/cmd/spread
+/tmp/go/bin/spread -v "autopkgtest:${ID}-${VERSION_ID}-$(dpkg --print-architecture)"/tests/smoke
 
 # store journal info for inspectsion
 journalctl --sync
-journalctl -ab > $ADT_ARTIFACTS/journal.txt
+journalctl -ab > "$ADT_ARTIFACTS"/journal.txt
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/changelog snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/changelog
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/changelog	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/changelog	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,1839 @@
+snapd (2.37~rc1+18.10) cosmic; urgency=medium
+
+  * New upstream release, LP: #1811233
+    - interface: raw-usb: Adding ttyACM[0-9]* as many serial devices
+      have device node /dev/ttyACM[0-9]
+    - tests: fix enable-disable-unit-gpio test on external boards
+    - tests: define new "tests/smoke" suite and use that for
+      autopkgtests
+    - interfaces/builtin/opengl: allow access to NVIDIA VDPAU
+      library
+    - snapshotstate: don't task.Log without the lock
+    - overlord/configstate/configcore: support - and _ in cloud init
+      field names
+    - cmd/snap-confine: use makedev instead of MKDEV
+    - tests: review/fix the autopkgtest failures in disco
+    - systemd: allow only a single daemon-reload at the same time
+    - cmd/snap: only auto-enable unicode to a tty
+    - cmd/snap: right-align revision and size in info's channel map
+    - dirs, interfaces/builtin/desktop: system fontconfig cache path is
+      different on Fedora
+    - tests: fix "No space left on device" issue on amazon-linux
+    - store: undo workaround for timezone-less released-at
+    - store, snap, cmd/snap: channels have released-at
+    - snap-confine: fix incorrect use "src" var in mount-support.c
+    - release: support probing SELinux state
+    - release-tools: display self-help
+    - interface: add new `{personal,system}-files` interface
+    - snap: give Epoch an Equal method
+    - many: remove unused interface code
+    - interfaces/many: use 'unsafe' with docker-support change_profile
+      rules
+    - run-checks: stop running HEAD of staticcheck
+    - release: use sync.Once around lazy intialized state
+    - overlord/ifacestate: include interface name in the hotplug-
+      disconnect task summary
+    - spread: show free space in debug output
+    - cmd/snap: attempt to restore SELinux context of snap user
+      directories
+    - image: do not write empty etc/cloud
+    - tests: skip snapd snap on reset for core systems
+    - cmd/snap-discard-ns: fix umount(2) typo
+    - overlord/ifacestate: hotplug-remove-slot task handler
+    - overlord/ifacestate: handler for hotplug-disconnect task
+    - ifacestate/hotplug: updateDevice helper
+    - tests: reset snapd state on tests restore
+    - interfaces: return security setup errors
+    - overlord: make InstallMany work like UpdateMany, issuing a single
+      request to get candidates
+    - systemd/systemd.go: add missing tests for systemd.IsActive
+    - overlord/ifacestate: addHotplugSeqWaitTask helper
+    - cmd/snap-confine: refactor call to snap-update-ns --user-mounts
+    - tests: new backend used to run upgrade test suite
+    - travis: short circuit failures in static and unit tests travis job
+    - cmd: automatically fix localized <option>s to <option>
+    - overlord/configstate,features: expose features to snapd tools
+    - selinux: package to query SELinux status and verify/restore file
+      contexts
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - cmd: add tests for lintArg and lintDesc
+    - httputil: retry on temporary net errors
+    - cmd/snap-confine: remove unused sc_discard_preserved_mount_ns
+    - wrappers: only restart service in core18 when they are active
+    - overlord/ifacestate: helpers for serializing hotplug changes
+    - packaging/{fedora,opensuse}: own /var/lib/snapd/cookie
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interface
+    - snap/info: bind global plugs/slots to implicit hooks
+    - cmd/snap-confine: remove SC_NS_MNT_FILE
+    - spread: record each tests/upgrade job
+    - osutil: do not import dirs
+    - cmd/snap-confine: fix typo "a pipe"
+    - tests: make security-device-cgroups-{devmode,jailmode} work on arm
+      devices
+    - tests: force test-snapd-daemon-notify exit 0 when the interface is
+      not connected
+    - overlord/snapstate: run 'remove' hook before 'auto-disconnect'
+    - centos: enable SELinux support on CentOS 7
+    - apparmor: allow hard link to snap-specific semaphore files
+    - tests/lib/pkgdb: disable weak deps on Fedora
+    - release: detect too old apparmor_parser
+    - tests: improve how the log is checked to see if the system is
+      waiting for a reboot
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - spread, tests: add Fedora 29
+    - cmd/snap-confine: refactor calling snapd tools into helper module
+    - apparmor: allow snap-update-ns access to common devices
+    - cmd/snap-confine: capture initialized per-user mount ns
+    - tests: reduce verbosity around package installation
+    - data: set KillMode=process for snapd
+    - cmd/snap: handle DNS error gracefully
+    - spread, tests: use checkpoints when dumping audit log
+    - tests/lib/prepare: make sure that SELinux context of repacked core
+      snap is controlled
+    - testutils: split checkers, tweak tests
+    - tests: fix for tests test-*-cgroup
+    - spread: show AVC audits when debugging, start auditd on Fedora
+    - spread: drop Fedora 27, add Fedora 29
+    - tests/lib/reset: restore context of removed snapd directories
+    - testutil: add File{Present,Absent} checkers
+    - snap: add new `snap run --trace-exec`
+    - tests: fix for failover test on how logs are checked
+    - snapctl: add "services"
+    - overlord/snapstate: use file timestamp to initialize timer
+    - cmd/libsnap: introduce and use sc_strdup
+    - interfaces: let NM access ifindex/ifupdown files
+    - overlord/snapstate: on refresh, check new rev can read current
+    - client, store: don't use store from client (use client from store)
+    - tests/main/parallel-install-store: verify installation of more
+      than one instance at a time
+    - overlord: don't write system key if security setup fails
+    - packaging/fedora/snapd.spec: fix bogus date in changelog
+    - snapstate: update fontconfig caches on install
+    - interfaces/apparmor/backend.go:411:38: regular expression does not
+      contain any meta characters (SA6004)
+    - asserts/header_checks.go:199:35: regular expression does not
+      contain any meta characters (SA6004)
+    - run staticcheck every time :-)
+    - tests/lib/systemd-escape/main.go:46:14: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - tests/lib/fakestore/cmd/fakestore/cmd_run.go:66:15: the channel
+      used with signal.Notify should be buffered (SA1017)
+    - tests/lib/fakedevicesvc/main.go:55:15: the channel used with
+      signal.Notify should be buffered (SA1017)
+    - spdx/parser.go:30:1: only the first constant has an explicit type
+      (SA9004)
+    - overlord/snapstate/snapmgr.go:553:21: printf-style function with
+      dynamic first argument and no further arguments should use print-
+      style function instead (SA1006)
+    - overlord/patch/patch3.go:44:70: printf-style function with dynamic
+      first argument and no further arguments should use print-style
+      function instead (SA1006)
+    - cmd/snap/cmd_advise.go:200:2: empty branch (SA9003)
+    - osutil/udev/netlink/conn.go:120:5: ineffective break statement.
+      Did you mean to break out of the outer loop? (SA4011)
+    - daemon/api.go:992:22: printf-style function with dynamic first
+      argument and no further arguments should use print-style function
+      instead (SA1006)
+    - cmd/snapd/main.go:94:5: ineffective break statement. Did you mean
+      to break out of the outer loop? (SA4011)
+    - cmd/snap/cmd_userd.go:73:15: the channel used with signal.Notify
+      should be buffered (SA1017)
+    - cmd/snap/cmd_help.go:102:7: io.Writer.Write must not modify the
+      provided buffer, not even temporarily (SA1023)
+    - release: probe apparmor features lazily
+    - overlord,daemon: mock security backends for testing
+    - cmd/libsnap: move apparmor-support to libsnap
+    - cmd: drop cruft from snap-discard-ns build rules
+    - cmd/snap-confine: use snap-discard-ns ns to discard stale
+      namespaces
+    - cmd/snap-confine: handle mounted shared /run/snapd/ns
+    - many: fix composite literals with unkeyed fields
+    - dirs, wrappers, overlord/snapstate: make completion + bases work
+    - tests: revert "tests: restore in restore, not prepare"
+    - many: validate title
+    - snap: make description maximum in runes, not bytes
+    - tests: discard mount namespaces in reset.sh
+    - tests/lib: sync cla check back from snapcraft
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - daemon: remove enableInternalInterfaceActions
+    - mkversion: use "test -n" rather than "! test -z"
+    - run-checks: assorted fixes
+    - tests: restore in restore, not in prepare
+    - cmd/snap: fix missing newline in "snap keys" error message
+    - snap: epoch lists must contain no duplicate entries
+    - interfaces/avahi_observe: Fix typo in comment
+    - tests: add SPREAD_JOB to the description of
+      systemd_create_and_start_unit
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - Revert "cmd/snap-confine: don't allow mapping lib{uuid,blkid}"
+    - packaging/fedora: use %_sysctldir macro
+    - cmd/snap-confine: remove unneeded unshare
+    - sanity: extend the kernel version check to cover CentOS/RHEL
+      kernels
+    - wrappers: remove all desktop files from a snap on removal
+    - snap: add an explicit check for `epoch: null` loading
+    - snap: check max description length in validate
+    - spread, tests: add CentOS support
+    - cmd/snap-confine: allow mapping more libc shards
+    - cmd/snap-discard-ns: add support for --from-snap-confine
+    - tests: make tinyproxy support systemd notify
+    - tests: fix shellcheck
+    - snap, store: rename `snap.Epoch`'s `Unset` to `IsZero`
+    - store: add a test for a non-zero epoch refresh (with epoch bump)
+    - store: v1 search doesn't send epoch, stop pretending it does
+    - snap: make any "0" epoch be Unset, and marshalled to {[0],[0]}
+    - overlord/snapstate: amend test should send local revision
+    - tests: use mock-gpio.py in enable-disable-units-gpio test
+    - snap: enforce minimal snap name len of 2
+    - cmd/libsnap: add sc_verify_snap_lock
+    - cmd/snap-update-ns: extra debugging of trespassing events
+    - userd: force zenity width if the text displayed is long
+    - overlord/snapstate, store: always send epochs
+    - cmd/snap-confine,snap-update-ns: discard quirks
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - cmd/snap-update-ns, tests: clean trespassing paths
+    - nvidia, interfaces/builtin: OpenCL fixes
+    - ifacestate/hotplug: removeDevice helper
+    - cmd: install snap-discard-ns in "make hack"
+    - overlord/ifacestate: setup security backends phased by backends
+      first
+    - ifacestate/helpers: added SystemSnapName mapper helper method
+    - overlord/ifacestate: set hotplug-key of the connection when
+      connecting hotplug slots
+    - snapd: allow snap-update-ns to read /proc/version
+    - cmd: handle tumbleweed and leap in autogen.sh
+    - interfaces/tests: MockHotplugSlot test helper
+    - store,daemon: make UserInfo,LoginUser part of the store interface
+    - overlord/ifacestate: use remapper when checking if system snap is
+      installed
+    - tests: fix how pinentry is prepared for new gpg v 2.1 and 2.2
+    - packaging/arch: fix bash completions path
+    - interfaces/builtin: add device-buttons interface for accessing
+      events
+    - tests, fakestore: extend refresh tests with parallel installed
+      snaps
+    - snap, store, overlord/snapshotstate: drop epoch pointers
+    - snap: make Epoch default to {[0],[0]} on load from yaml
+    - data/completion: pass documented arguments to completion functions
+    - tests: skip opensuse from interfaces-openvswitch-support test
+    - tests: simple reproducer for snap try and hooks bug
+    - snapstate: do not allow classic mode for strict snaps
+    - snap: make Epoch's MarshalJSON not simplify
+    - store: remove unused currentSnap and currentSnapJSON
+    - many: some small doc comment fixes in recent hotplug code
+    - ifacestate/udevmonitor: added callback to signal end of
+      enumeration
+    - cmd/libsnap: add simplified feature flag checker
+    - interfaces/opengl: add additional accesses for cuda
+    - tests: add core18 only hooks test and fix running core18 only on
+      classic
+    - sanity, release, cmd/snap: refuse to try to do things on WSL.
+    - cmd: make coreSupportsReExec faster
+    - overlord/ifacestate: don't remove the dash when generating unique
+      slot name
+    - cmd/snap-seccomp: add full complement of ptrace constants
+    - cmd: update autogen.sh for opensuse
+    - interfaces/apparmor: allow access to /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+      overlord/snapstate: address review feedback
+    - packaging/opensuse: stop using golang-packaging
+    - overlord/snapshots: survive an unknown user
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - cmd/snap: unhide --name parameter to snap install, tweak help
+      message
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/main/snap-service-after-before-install: verify after/before
+      in snap install
+    - overlord/ifacestate: mark connections disconnected by hotplug with
+      hotplug-gone
+    - ifacestate/ifacemgr: don't reload hotplug-gone connections on
+      startup
+    - tests: install dependencies during prepare
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - tests: core 18 does not support classic confinement
+    - tests: add debug output for degraded test
+    - strutil: make VersionCompare faster
+    - overlord/snapshotstate/backend: survive missing directories
+    - overlord/ifacestate: use map[string]*connState when passing conns
+      around
+    - tests: move fedora 28 to manual
+    - overlord/snapshotstate/backend: be more verbose when
+      SNAPPY_TESTING=1
+    - tests: removing fedora 26 system from spread.yaml
+    - tests: linode execution is not needed anymore
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests: fixes and new backend for tests on nested suite
+    - strutil: let MatchCounter work with a nil regexp
+    - ifacestate/helpers: findConnsForHotplugKey helper
+    - many: move regexp.(Must)Compile out of non-init functions into
+      variables
+    - store: also make snaps downloaded via deltas 0600
+    - snap: use Lstat to determine snap size, remove
+      ReadSnapInfoExceptSize
+    - interfaces/builtin: add adb-support interface
+    - tests: fail if install_snap_local fails
+    - strutil: add extra test to CommaSeparatedList as suggested by
+      mborzecki
+    - cmd/snap, daemon, strutil: use CommaSeparatedList to split a CSL
+    - ifacestate: optimize disconnect hooks
+    - cmd/snap-update-ns: parse the -u <uid> command line option
+    - cmd/snap, tests: snapshots for all
+    - client, cmd/daemon: allow disabling keepalive, improve degraded
+      mode unit tests
+    - snap: only show "next" refresh time if its after the hold time
+    - overlord/snapstate: run tests for classic snaps even on systems
+      that don't support classic
+    - overlord/standby: fix a race between standby goroutine and stop
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - cmd: remove remnants of sc_should_populate_mount_ns
+    - client, daemon, cmd/snap: indicate that services are socket/timer
+      activated
+    - cmd/snap-seccomp: only look for PTRACE_GETFPX?REGS where available
+    - cmd/snap-confine: remove SC_NS_FAIL_GRACEFULLY
+    - snap/pack, cmd/snap: allow specifying the filename of 'snap pack'
+    - cmd/snap-discard-ns: add support for per-user mount namespaces
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook.
+    - tests/main: fixes for the new shellcheck
+    - testutil, cmd/snap: introduce and use testutil.EqualsWrapped and
+      fly
+    - tests: initial setup for testing current branch on nested vm and
+      hotplug management
+    - cmd: refactor IPC and lifecycle of the helper process
+    - tests/main/parallel-install-store: the store has caught up, do not
+      expect failures
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - interfaces/browser-support, cmd/snap-seccomp: Allow read-only
+      ptrace, for the Breakpad crash reporter
+    - snap,client: use a different exit code for retryable errors
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - cmd/snap: tweak `snap services` output when there is no services
+    - interfaces/many: updates to support k8s worker nodes
+    - cmd/snap: gnome-software install via snap:// handler
+    - overlord/many: cleanup use of snapName vs. instanceName
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes* ifstate: fix decoding of json numbers
+    - cmd/snap: try not to panic on error from "snap try"
+    - tests: new cosmic image for spread tests on gce
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - overlord/snapshotstate/backend: detect path to tar in unit tests
+    - tests/unit/gccgo: drop gccgo unit tests
+    - cmd: use relative file names in locking APIs
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - overlord/snapshotstate/backend: fall back on sudo when no runuser
+    - cmd/snap-confine: reduce verbosity of debug and error messages
+    - systemd: extend Status() to work for socket and timer units
+    - interfaces: typo 'allows' for consistency with other ifaces
+    - systemd,wrappers: don't start disabled services
+    - ifacestate: simplify task chaining in ifacestate.Connect
+    - tests: ensure that goa-daemon is off
+    - snap/pack, snap/squashfs: remove extra copy before mksquashfs
+    - cmd/snap: block 'snap help <cmd> --all'
+    - asserts, image: ensure kernel, gadget, base and required-snaps use
+      valid snap names
+    - apparmor: add unit test for probeAppArmorParser and simplify code
+    - interfaces/apparmor: conditionally add explicit deny rules for
+      ptrace
+    - po: sync translations from launchpad
+    - osutil: tweak handling of error adduser errors
+    - cmd: rename ns_group to mount_ns
+    - tests/main/interfaces-accounts-service: more debugging
+    - snap/pack, snap/squashfs: use type to determine mksquashfs args
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - tests: show list of processes when ifaces-accounts-service fails
+    - tests: do not run degraded test in autopkgtest env
+    - snap: overhaul validation error messages
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - interfaces: improve Attr error further
+    - snapstate: tweak GetFeatureFlagBool() to have a default argument
+    - many: cleanup remaining parallel installs TODOs
+    - image: improve validation of extra snaps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 Jan 2019 09:36:51 +0100
+
+snapd (2.36.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - wrappers: use new systemd.IsActive in core18 early boot
+    - httputil: retry on temporary net errors
+    - wrappers: only restart service in core18 when they are active
+    - systemd: start snapd.autoimport.service in --no-block mode
+    - data/selinux: fix syntax error in definition of snappy_admin
+      interfacewhen installing selinux-policy-devel package.
+    - centos: enable SELinux support on CentOS 7
+    - cmd, dirs, interfaces/apparmor: update distro identification to
+      support ID="archlinux"
+    - apparmor: allow hard link to snap-specific semaphore files
+    - overlord,apparmor: new syskey behaviour + non-ignored snap-confine
+      profile errors
+    - snap: add new `snap run --trace-exec` call
+    - interfaces/backends: detect too old apparmor_parser
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 14 Dec 2018 07:30:58 +0100
+
+snapd (2.36.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - daemon, vendor: bump github.com/coreos/go-systemd/activation,
+      handle API changes
+    - snapstate: update fontconfig caches on install
+    - overlord,daemon: mock security backends for testing
+    - sanity, spread, tests: add CentOS
+    - Revert "cmd/snap, tests/main/snap-info: highlight the current
+      channel"
+    - cmd/snap: add nanosleep to blacklisted syscalls when running with
+      --strace
+    - tests: add regression test for LP #1803535
+    - snap-update-ns: fix trailing slash bug on trespassing error
+    - interfaces/builtin/opengl: allow reading /etc/OpenCL/vendors
+    - cmd/snap-confine: nvidia: pick up libnvidia-opencl.so
+    - interfaces/opengl: add additional accesses for cuda
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 29 Nov 2018 10:48:29 +0100
+
+snapd (2.36.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - tests,snap-confine: add core18 only hooks test and fix running
+      core18 only hooks on classic
+    - interfaces/apparmor: allow access to
+      /run/snap.$SNAP_INSTANCE_NAME
+    - spread.yaml: add more systems to the autopkgtest and qemu backends
+    - daemon: spool sideloaded snap into blob dir
+    - wrappers: fix generating of service units with multiple `before`
+      dependencies
+    - data: run snapd.autoimport.service only after seeding
+    - tests,store,daemon: ensure proxy settings are honored in
+      auth/userinfo too
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - tests/lib: adjust to changed systemctl behaviour on debian-9
+    - tests/main/interfces-accounts-service: switch to busctl, more
+      debugging
+    - store: also make snaps downloaded via deltas 0600
+    - cmd/snap-exec: don't fail on some try mode snaps
+    - cmd/snap, userd, testutil: tweak DBus tests to use private session
+      bus connection
+    - tests/main: fixes for the new shellcheck
+    - cmd/snap-confine: remove stale mount profile along stale namespace
+    - data/apt: close stderr when calling snap in the apt install hook
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 09 Nov 2018 14:42:28 +0100
+
+snapd (2.36) xenial; urgency=medium
+
+  * New upstream release, LP: #1795590
+    - overlord/snapstate, snap, wrappers: start services in the right
+      order during install
+    - tests: the store has caught up, drop gccgo test, update cosmic
+      image
+    - cmd/snap: try not to panic on error from "snap try"`--devmode`
+    - overlord/ifacestate: don't conflict on own discard-snap tasks when
+      refreshing & doing garbage collection
+    - snapstate: add command-chain to supported featureset
+    - daemon, snap: mark screenshots as deprecated
+    - interfaces: fix decoding of json numbers for static/dynamic
+      attributes
+    - data/systemd, wrappers: tweak system-shutdown helper for core18
+    - interfaces/system-key: add parser mtime and only discover features
+      on write
+    - interfaces: fix NormalizeInterfaceAttributes, add tests
+    - systemd,wrappers: don't start disabled services
+    - ifacestate/hooks: only create interface hook tasks if hooks exist
+    - tests: do not run degraded test in autopkgtest env
+    - osutil: workaround overlayfs on ubuntu 18.10
+    - interfaces: include invalid type in Attr error
+    - many: enable layouts by default
+    - interfaces/default: don't scrub with change_profile with classic
+    - cmd/snap: speed up unit tests
+    - vendor, cmd/snap: refactor to accommodate the new less buggy go-
+      flags
+    - daemon: expose snapshots to the API
+    - interfaces: updates for default, screen-inhibit-control, tpm,
+      {hardware,system,network}-observe
+    - interfaces/hotplug: rename HotplugDeviceKey method to HotplugKey,
+      update test interface
+    - interfaces/tests: use TestInterface instead of a custom local
+      helper
+    - overlord/snapstate: export getFeatureFlagBool.
+    - osutil,asserts,daemon: support force password change in system-
+      user assertion
+    - snap, wrappers: support restart-delay, generate RestartSec=<value>
+      in service units
+    - tests/ifacestate: moved asserts-related mocking into helper
+    - image: fetch device store assertion if available
+    - many: enable AppArmor on Arch
+    - interfaces/repo: two helper methods for hotplug
+    - overlord/ifacestate: add hotplug slots with implicit slots
+    - interfaces/hotplug: helpers and struct updates
+    - tests: run the snapd tests on Ubuntu 18.10
+    - snapstate: only report errors if there is an actual error
+    - store: speedup unit tests
+    - spread-shellcheck: fix interleaved error messages, tweaks
+    - apparmor: create SnapAppArmorDir in setupSnapConfineReexec
+    - ifacestate: implementation of defaultDeviceKey function for
+      hotplug
+    - cmd/snap-update-ns: remove empty placeholders used for mounting
+    - snapshotstate: restore to current revision
+    - tests/lib: rework the CLA checker
+    - many: support and consider store friendly-stores when checking
+      device scope constraints
+    - overlord/snapstate: block parallel installs of snapd, core, base,
+      kernel, gadget snaps
+    - overlord/patch: patch for static plug/slot attributes
+    - interfaces: honor static attributes when reloading conns
+    - osutils: unit tests speedup; introduce «run-checks --short-
+      unit».
+    - systemd, wrappers: speed up wrappers unit tests
+    - client: speedup unit tests
+    - spread-shellcheck: use threads to parallelise
+    - snap: validate plug and slot names
+    - osutil, interfaces/apparmor: add and use of osutil.UnlinkMany
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+    - interfaces/apparmor: (un)load profiles in one apparmor_parser call
+    - store: gracefully handle unexpected errors in 'action'
+      response
+    - cmd: put our manpages in section 8
+    - overlord: don't make become-operational interfere with user
+      requests
+    - store: tweak unmatched refresh result error log
+    - snap, client, daemon, store: use and expose "media" more
+    - tests,cmd/snap-update-ns: add test showing mount update bug
+      cmd/snap-update-ns: better detection of snapd-made tmpfs
+    - tests: spread tests for aliases with parallel installed snaps
+    - interfaces/seccomp: allow using statx by default
+    - store: gracefully handle unexpected errors in 'action' response
+    - overlord/snapshotstate: chown the tempdir
+    - cmd/snap: attempt to start the document portal if running with a
+      session bus
+    - snap: detect layouts vs layout in snap.yaml
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snapcraft.yaml: set grade to stable
+    - tests: shellchecks, final round
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-ns
+    - snap: detect layouts vs layout in snap.yaml
+    - overlord/snapshotstate: store epoch in snapshot, check on restore
+    - cmd/snap: tweak UX of snap refresh --list
+    - overlord/snapstate: improve consistency, use validateInfoAndFlags
+      also in InstallPath
+    - snap: give Epoch a CanRead helper
+    - overlord/snapshotstate: small refactor of internal helpers
+    - interfaces/builtin: adding missing permission to create
+      /run/wpa_supplicant directory
+    - interfaces/builtin: avahi interface update
+    - client, daemon: support passing of 'unaliased' option when
+      installing from local files
+    - selftest: rename selftest.Run() to sanity.Check()
+    - interfaces/apparmor: report apparmor support level and policy
+    - ifacestate: helpers for generating slot names for hotplug
+    - overlord/ifacestate: make sure to pass in the Model assertion when
+      enforcing policies
+    - overlord/snapshotstate: store the SnapID in snapshot, block
+      restore if changed
+    - interfaces: generalize writable mimic profile
+    - asserts,interfaces/policy: add support for on-store/on-brand/on-
+      model plug/slot rule constraints
+    - many: fetch the device store assertion together and in the context
+      of interpreting snap-declarations
+    - tests: disable gccgo tests on 18.04 for now, until dh-golang vs
+      gccgo is fixed
+    - tests/main/parallel-install-services: add spread test for snaps
+      with services
+    - tests/main/snap-env: extend to cover parallel installations of
+      snaps
+    - tests/main/parallel-install-local: rename from *-sideload, extend
+      to run snaps
+    - cmd/snapd,daemon,overlord: without snaps, stop and wait for socket
+    - cmd/snap: tame the help zoo
+    - tests/main/parallel-install-store: run installed snap
+    - cmd/snap: add a bunch of TRANSLATORS notes (and a little more
+      i18n)
+    - cmd: fix C formatting
+    - tests: remove unneeded cleanup from layout tests
+    - image: warn on missing default-providers
+    - selftest: add test to ensure selftest.checks is up-to-date
+    - interfaces/apparmor, interfaces/builtin: tweaks for parallel snap
+      installs
+    - userd: extend the list of supported XDG Desktop properties when
+      autostarting user applications
+    - cmd/snap-update-ns: enforce trespassing checks
+    - selftest: actually run the kernel version selftest
+    - snapd: go into degraded mode when the selftest fails
+    - tests: add test that runs snapctl with a core18 snap
+    - tests: add snap install hook with base: core18
+    - overlord/{snapstate,assertstate}: parallel instances and
+      refresh validation
+    - interfaces/docker-support: add rules to read apparmor macros
+    - tests: make nfs test available for more systems
+    - tests: cleanup copy/paste dup in interfaces-network-setup-control
+    - tests: using single sh snap in interface tests
+    - overlord/snapstate: improve cleaup in mount-snap handler
+    - tests: don't fail interfaces-bluez test if bluez is already
+      installed
+    - tests: find snaps just for edge and beta channels
+    - daemon, snapstate: consistent snap list [--all] output with broken
+      snaps
+    - tests: fix listing to allow extra things in the notes column
+    - cmd/snap: improve UX when removing specific snap revision
+    - cmd/snap, tests/main/snap-info: highlight the current channel
+    - interfaces/testiface: added TestHotplugInterface
+    - snap: tweak commands
+    - interfaces/hotplug: hotplug spec takes one slot definition
+    - overlord/snapstate, snap: handle shared snap directories when
+      installing/remove snaps with instance key
+    - interfaces/opengl: misc accesses for VA-API
+    - client, cmd/snap: expose warnings to the world
+    - cmd/snap-update-ns: introduce trespassing state tracking
+    - cmd/snap: commands no longer build their own client
+    - tests: try to build cmd/snap for darwin
+    - daemon: make error responders not printf when called with 1
+      argument
+    - many: return real snap name in API response
+    - overlord/state: return latest LastAdded time in WarningsSummary
+    - many: mount namespace mapping for parallel installs of snaps
+    - ifacestate/autoconnect: do not self-conflict on setup-profiles if
+      core-phase-2
+    - client, cmd/snap: on !linux, exit when the client tries to Do
+      something
+    - tests: refactor for nested suite and tests fixed
+    - tests: use lxd's waitready instead of polling lxd socket
+    - ifacestate: don't initialize udev monitor until we have a system
+      snap
+    - interfaces: extra argument for static attrs in
+      NewConnectedPlug/NewConnectedSlot
+    - packaging/arch: sync packaging with AUR
+    - snapstate/tests: serialize all appends in fake backend
+    - snap-confine: make /lib/modules optional
+    - cmd/snap: handle "snap interfaces core" better
+    - store: move download tests into downloadSuite
+    - tests,interfaces: run interfaces-account-control on UC18
+    - tests: fix install snaps test by adding link to /snap
+    - tests: fix for nested test suite
+    - daemon: fix snap list --all with parallel snap instances
+    - snapstate: refactor tests to use SetModel*
+    - wrappers: fix snap services order in tests
+    - many: provide salt for generating instance-key in store requests
+    - ifacestate: fix hang when retrying content providers
+    - snapd-env-generator: fix when PATH is empty or unset
+    - overlord/assertstate: propagate TaskSnapSetup error
+    - client: catch and expose logs errors
+    - overlord: integrate device enumeration with udev monitor
+    - daemon, overlord/state: warnings pipeline
+    - tests: add publisher regex to fix the snap-info test pass on sru
+    - cmd: use systemdsystemgeneratorsdir, cleanup automake complaints,
+      tweaks
+    - cmd/snap-update-ns: remove the unused Secure type
+    - osutil, o/snapshotstate, o/sss/backend: quick fixes
+    - tests: update the listing expression to support core from
+      different channels
+    - store: use stable instance key in store refresh requests
+    - cmd/snap-update-ns: detach Mk{Prefix,{File,Dir,Symlink{,All}}}
+    - overlord/patch: support for sublevel patches
+    - tests: update prepare/restore for nightly suite
+    - cmd/snap-update-ns: detach BindMount from the Secure type
+    - cmd/snap-update-ns: re-factor pair of helpers to call fstatfs once
+    - ifacestate: retry on "discard-snap" in autoconnect conflict check
+    - cmd/snap-update-ns: separate OpenPath from the Secure struct
+    - wrappers: remove Wants=network-online.target
+    - tests: add new core16-base test
+    - store: refactor tests so that they work as store_test package
+    - many: add refresh.rate-limit core option
+    - tests: run account-control test with different bases
+    - tests: port proxy test to use python tinyproxy
+    - overlord: introduce snapshotstate.
+    - testutil: allow Fstatfs results to vary over time
+    - snap-update-ns: add comments about the "deadcode" in bootstrap.go
+    - overlord: add chg.Err() in testUpdateWithAutoconnectRetry
+    - many: remove deadcode
+    - tests: also run unit/gccgo in 18.04
+    - tests: introduce a helper for installing local snaps with --name
+    - tests: avoid removing core snap on reset
+    - snap: use snap.SideInfo in test to fix build with gccgo
+    - partition: remove unused runCommand
+    - image: fix incorrect error when using local bases
+    - overlord/snapstate: fix format
+    - cmd: fix format
+    - tests: setting "storage: preserve-size" just for amazon-linux
+      system
+    - tests: test for the hostname interface
+    - interfaces/modem-manager: allow access to more USB strings
+    - overlord: instantiate UDevMonitor
+    - interfaces/apparmor: tweak naming, rename to AddLayout()
+    - interfaces: take instance name in ifacetest.InstallSnap
+    - snapcraft: do not use --dirty in mkversion
+    - cmd: add systemd environment generator
+    - devicestate: support getting (http) proxy from core config
+    - many: rename ClientOpts to ClientOptions
+    - prepare-image-grub-core18: remove image root in restore
+    - overlord/ifacestate: remove "old-conn" from connect/undo connect
+      handlers
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - image: handle errors when downloadedSnapsInfoForBootConfig has no
+      data
+    - tests: use official core18 model assertion in tests
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - overlord,store: support proxy settings internally too
+    - cmd/snap: bring back 'snap version'
+    - interfaces/mount: tweak naming of things
+    - strutil: fix MatchCounter to also work with buffer reuse
+    - cmd,interfaces,tests: add /mnt to removable-media interface
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - snap/snapenv: drop some instance specific variables, use instance-
+      specific ones for user locations
+    - firstboot: sort by type when installing the firstboot snaps
+    - cmd, cmd/snap: better support for non-linux
+    - strutil: add new ParseByteSize
+    - image: detect and error if bases are missing
+    - interfaces/apparmor: do not downgrade confinement on arch with
+      linux-hardened 4.17.4+
+    - daemon: add pokeStateLock helper to the daemon tests
+    - snap/squashfs: improve error message from Build on mksquashfs
+      failure
+    - tests: remove /etc/alternatives from dirs-not-shared-with-host
+    - cmd: support re-exec into the "snapd" snap
+    - spdx: remove "Other Open Source" from the support licenses
+    - snap: add new type "TypeSnapd" and attach to the snapd snap
+    - interfaces: retain order of inserted security backends
+    - tests: spread test for parallel-installs desktop file handling
+    - overlord/devicestate: use OpenSSL's PEM format when generating
+      keys
+    - cmd: remove --skip-command-chain from snap run and snap-exec
+    - selftest: detect if apparmor is unusable and error
+    - snap,snap-exec: support command-chain for hooks
+    - tests: significantly reduce execution time for managers test
+    - snapstate: use new "snap.ByType" sorting
+    - overlord/snapstate: fix UpdateMany() to work with parallel
+      instances
+    - testutil: have File* checker produce more useful error output
+    - overlord/ifacestate: introduce connectOpts
+    - interfaces: parallel instances support, extend unit tests
+    - tests: normalize tests
+    - snapstate: make InstallPath() return *snap.Info too
+    - snap: add ByType sorting
+    - interfaces: add cifs-mount interface
+    - tests: use file based markers in snap-service-stop-mode
+    - osutil: reorg and stub out things to get it building on darwin
+    - tests/main/layout: cleanup after the test
+    - osutil/sys: small tweaks to let it build on darwin
+    - daemon, overlord/snapstate: set instance name when installing from
+      snap file
+    - many: move Uname to osutil, for more DRY and easier porting.
+    - cmd/snap: create snap user directory when running parallel
+      installed snaps
+    - cmd/snap-confine: switch to validation of SNAP_INSTANCE_NAME
+    - tests: basic test for parallel installs from the store
+    - image: download the gadget from the model.GadgetTrack()
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - overlord: handle sigterm during shutdown better
+    - tests: add the original function to fix the errors on new kernels
+    - tests/main/lxd: pull lxd from candidate; reënable i386
+    - wayland: add extra sockets that are used by older toolkits (e.g.
+      gtk3)
+    - asserts: add support for gadget tracks in the model assertion
+    - overlord/snapstate: improve feature flag validation
+    - tests/main/lxd: run ubuntu-16.04 only on 64 bit variant
+    - interfaces: workaround for activated services and newer DBus
+    - tests: get the linux-image-extra available for the current kernel
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - interfaces: disconnect hooks
+    - cmd/libsnap: unify detection of core/classic with go
+    - tests: fix autopkgtest failures in cosmic
+    - snap: fix advice json
+    - overlord/snapstate: parallel snap install
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - interfaces: add screencast-legacy for video and audio recording
+    - tests: skip unsupported architectures for fedora-base-smoke test
+    - tests: avoid using the journalctl cursor when it has not been
+      created yet
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - tests: enable lxd again everywhere
+    - tests: new test for udisks2 interface
+    - interfaces: add cpu-control for setting CPU tunables
+    - overlord/devicestate: fix tests, set seeded in registration
+      through proxy tests
+    - debian: add missing breaks on cosmic
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - tests: new test for juju client observe interface
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - snapcraft: set version information for the snapd snap
+    - cmd/snap, daemon: error out if trying to install a snap using
+      empty name
+    - hookstate: simplify some hook tests
+    - cmd/snap-confine: extend security tag validation to cover instance
+      names
+    - snap: fix mocking of systemkey in snap-run tests
+    - packaging/opensuse: fix static build of snap-update-ns and snap-
+      exec
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - cmd/libsnap-confine-private: intoduce helpers for validating snap
+      instance name and instance key
+    - snap,snap-exec: support command-chain for app
+    - interfaces/builtin: network-manager resolved DBus changes
+    - snap: tweak `snap wait` command
+    - cmd/snap-update-ns: introduce validation of snap instance names
+    - cmd/snap: fix some corner-case test setup weirdness
+    - cmd,dirs: fix various issues discovered by a Fedora base snap
+    - tests/lib/prepare: fix extra snaps test
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 24 Oct 2018 11:30:45 -0600
+
+snapd (2.35.5) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - interfaces/home: don't allow snaps to write to $HOME/bin
+    - osutil: workaround overlayfs on ubuntu 18.10
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 15 Oct 2018 22:23:02 +0200
+
+snapd (2.35.4) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - wrappers: do not depend on network.taget in socket units, tweak
+      generated units
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 14:41:33 +0200
+
+snapd (2.35.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - overlord: don't make become-operational interfere with user
+      requests
+    - docker_support.go: add rules to read apparmor macros
+    - interfaces/apparmor: handle overlayfs snippet for snap-update-
+      nsFixes:
+    - snapcraft.yaml: add workaround to fix snapcraft build
+    - interfaces/opengl: misc accesses for VA-API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 05 Oct 2018 09:32:00 +0200
+
+snapd (2.35.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - cmd,overlord/snapstate: go 1.11 format fixes
+    - ifacestate: fix hang when retrying content providers
+    - snap-env-generator: do nothing when PATH is unset
+    - interfaces/modem-manager: allow access to more USB strings
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 12 Sep 2018 09:32:00 +0200
+
+snapd (2.35.1) xenial; urgency=medium
+
+  *  New upstream release, LP: #1786438
+    - packaging/fedora: Merge changes from Fedora Dist-Git
+    - snapcraft: do not use --diry in mkversion.sh
+    - cmd: add systemd environment generator
+    - snap-confine: map /var/lib/extrausers into snaps mount-namespace
+    - tests: cherry-pick test fixes from master for 2.35
+    - systemd: do not run "snapd.snap-repair.service.in on firstboot
+      bootstrap
+    - interfaces: retain order of inserted security backends
+    - selftest: detect if apparmor is unusable and error
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 03 Sep 2018 14:44:06 +0200
+
+snapd (2.35) xenial; urgency=medium
+
+  * New upstream release, LP: #1786438
+    - snapstate: add support for gadget tracks in model assertion
+    - image: add support for "gadget=track"
+    - asserts: add support for gadget tracks in the model assertion
+    - interfaces: add new "sysfs-name" to i2c interfaces code
+    - overlord: handle sigterm during shutdown better
+    - wayland: add extra sockets that are used by older toolkits
+    - snap: fix advice json
+    - tests: fix autopkgtest failures in cosmic
+    - store: backward compatible instance-key handling for non-instance
+      snaps
+    - snapstate: ensure normal snaps wait for the "snapd" snap on
+      refresh
+    - interfaces: add cpu-control for setting CPU tunables
+    - debian: add missing breaks on comisc
+    - overlord/devicestate: DTRT w/a snap proxy to reach a serial vault
+    - devicestate: only run device-hook when fully seeded
+    - seccomp: conditionally add socketcall() based on system and base
+    - interfaces/builtin: addtl network-manager resolved DBus fix
+    - hookstate: simplify some hook tests
+    - udev: skip TestParseUdevEvent on ppc
+    - interfaces: miscellaneous policy updates
+    - debian: add tzdata to build-dep to ensure snapd builds correctly
+    - interfaces/builtin: network-manager resolved DBus changes
+    - tests: add spread test for fedora29 base snap
+    - cmd/libsnap: treat distributions with VARIANT_ID=snappy as "core"
+    - dirs: fix SnapMountDir inside a Fedora base snap
+    - tests: fix snapd-failover for core18 with external backend
+    - overlord/snapstate: always clean SnapState when doing Get()
+    - overlod/ifacestate: always use a new SnapState when fetching the
+      snap state
+    - overlord/devicestate: have the serial request talk to the proxy if
+      set
+    - interfaces/hotplug: udevadm output parser
+    - tests: New test for daemon-notify interface
+    - image: ensure "core" is ordered early if base: and core is used
+    - cmd/snap-confine: snap-device-helper parallel installs support
+    - tests: enable interfaces-framebuffer everywhere
+    - tests: reduce nc wait time from 2 to 1 second
+    - snap/snapenv: add snap instance specific variables
+    - cmd/snap-confine: add minimal test for snap-device-helper
+    - tests: enable snapctl test on core18
+    - overlord: added UDevMonitor for future hotplug support
+    - wrappers: do not glob when removing desktop files
+    - tests: add dbus monitor log to interfaces-accounts-service
+    - tests: add core-18 systems to external backend
+    - wrappers: account for changed app wrapper in parallel installed
+      snaps
+    - wrappers: make sure that the tests pass on non-Ubuntu too
+    - many: add snapd snap failure handling
+    - tests: new test for dvb interface
+    - configstate: accept refresh.timer=managed
+    - tests: new test for snap logs command
+    - wrapper: generate all the snapd unit files when generating
+      wrappers
+    - store: keep all files with link-count > 1 in the cache
+    - store: be less verbose in the common refresh case of "no updates"
+    - snap-confine: update snappy-app-dev path
+    - debian: ensure dependency on fixed apt on 18.04
+    - snapd: add initial software watchdog for snapd
+    - daemon, systemd: change journalctl -n=all to --no-tail
+    - systemd: fix snapd.apparmor.service.in dependencies
+    - snapstate: refuse to remove bases or core if snaps need them
+    - snap: introduce package-level helpers for building snap related
+      directory/file paths
+    - overlord/devicestate: deny parallel install of kernel or gadget
+      snaps
+    - store: clean up parallel-install TODOs in store tests
+    - timeutil: fix first weekday of the month schedule
+    - interfaces: match all possible tty but console
+    - tests: shellchecks part 5
+    - cmd/snap-confine: allow ptrace read for 4.18 kernels
+    - advise: make the bolt database do the atomic rename dance
+    - tests/main/apt-hooks: debug dump of commands.db
+    - tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION
+      handling
+    - snap: validate instance name as part of Validate()
+    - daemon: if a snap is inactive, don't ask systemd about its
+      services.
+    - udev: skip TestParseUdevEvent on s390x
+    - tests: switch core-amd64-18 to use `kernel: pc-kernel=18`
+    - asserts,image: add support for new kernel=track syntax
+    - tests: new gce image for fedora 27
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - store, overlord/snapstate: introduce instance name in store APIs
+    - tests: drive-by cleanup of redudant pkgname matching
+    - tests: ensure apt-hook is only run after catalog update ran
+    - tests: use pkill instead of kilall
+    - tests/main: another bunch of updates for Amazon Linux 2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the  directory tree
+    - tests: disable/fix more tests for Amazon Linux 2
+    - overlord: introduce InstanceKey to SnapState and SnapSetup,
+      renames
+    - daemon: make sure most change generating handlers can produce
+      errors with kinds
+    - tests/main/interfaces-calendar-service: skip the test on AMZN2
+    - tests/lib/snaps: avoid using relative command paths that go up in
+      the directory tree
+    - cmd/snap: add a green check mark to verified publishers
+    - cmd/snap: fix two issues in the cmd/snap unit tests
+    - packaging/fedora: fix target path of /snap symlink
+    - cmd/snap: support `--last=<type>?` to mean "no error on empty"
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - strutil: detect and bail out of Unmarshal on duplicate key
+    - packaging/fedora(amzn2): disable SELinux, drop dependency on
+      squashfuse for AMZN2
+    - spread, tests: add support for Amazon Linux 2
+    - packaging/fedora: Add Amazon Linux 2 support
+    - many: make Wait/Stop optional on StateManagers
+    - snap/squashfs: stop printing unsquashfs info to stderr
+    - snap: add support for `snap advise-snap --from-apt`
+    - overlord/ifacestate: ignore connect if already connected
+    - tests: change the service snap used instead of network-bind-
+      consumer
+    - interfaces/network-control: update for wpa-supplicant and ifupdown
+    - tests: fix raciness in stop mode tests
+    - logger: try to not have double dates
+    - debian: use deb-systemd-invoke instead of systemctl directly
+    - tests: run all main tests on core18
+    - many: finish sharing a single TaskRunner with all the the managers
+    - interfaces/repo: added AllHotplugInterfaces helper
+    - snapstate: ensure kernel-track is honored on switch/refresh
+    - overlord/ifacestate: support implicit slots on snapd
+    - image: add support for "kernel-track" in `snap prepare-image`
+    - tests: add test that ensures we do not boot any system in degraded
+      state
+    - tests: update tests to work on core18
+    - cmd/snap: check for typographic dashes in command
+    - tests: fix tests expecting old email address
+    - client: add some existing error kinds that were not listed in
+      client.go
+    - tests: add missing slots in classic and core provider test snaps
+    - overlord,daemon,cmd: re-map snap names around the edges of snapd
+    - tests: use install_local in snap-run-hooks
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - overlord/snapstate: dedupe default content providers
+    - osutil/udev: sync with upstream
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord: have SnapManager use a passed in TaskRunner created by
+      Overlord
+    - many: streamline the generic conflict check mechanisms
+    - tests: remove unneeded setup code in snap-run-symlink
+    - cmd/snap: print unset license as "unset", instead of "unknown"
+    - asserts: add (optional) kernel-track to model assertion
+    - snap/squashfs, tests: pass -n[o-progress] to {mk,un}squashfs
+    - interfaces/pulseaudio: be clear that the interface allows playback
+      and record
+    - snap: support hook environment
+    - interfaces: fix typo "daemonNotify" (add missing "n")
+    - interfaces: tweak tests of daemon-notify, use common naming
+    - interfaces: allow invoking systemd-notify when daemon-notify is
+      connected
+    - store: make snap blobs be 0600
+    - interfaces,daemon: move JSON types to the daemon
+    - tests: prepare needs to handle bin/snapctl being a symlink
+    - tests: do not mask errors in interfaces-timezone-control (#5405)
+    - packaging: put snapctl into /usr/lib/snapd and symlink in usr/bin
+    - tests: add basic integration test for spread hold
+    - overlord/snapstate: improve PlugsOnly comment
+    - many: assorted shellcheck fixes
+    - store, daemon, client, cmd/snap: expose "scope", default to wide
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - client, cmd/snap: pass snap instance name when installing from
+      file
+    - cmd/snap: add 'debug paths' command
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: fix tests on arch
+    - tests: start active system units on reset
+    - tests: new test for joystick interface
+    - tests: moving install of dependencies to pkgdb helper
+    - tests: enable new fedora image with test dependencies installed
+    - tests: start using the new opensuse image with test dependencies
+    - tests: check catalog refresh before and after restart snapd
+    - tests: stop restarting journald service on prepare
+    - interfaces: make core-support a no-op interface
+    - interfaces: prefer "snapd" when resolving implicit connections
+    - interfaces/hotplug: add hotplug Specification and
+      HotplugDeviceInfo
+    - many: lessen the use of core-support
+    - tests: fixes for the autopkgtest failures in cosmic
+    - tests: remove extra ' which breaks interfaces-bluetooth-control
+      test
+    - dirs: fix antergos typo
+    - tests: use grep to avoid non-matching messages from MATCH
+    - dirs: improve distro detection for Antegros
+    - vendor: switch to latest bson
+    - interfaces/builtin: create can-bus interface
+    - tests: "snap connect" is idempotent so just connect
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - interfaces: treat "snapd" snap as type:os
+    - interfaces: tweak tests to have less repetition of "core" and
+      "ubuntu…
+    - tests: simplify econnreset test
+    - snap: add helper for renaming slots
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - tests: add artful for sru validation on google backend
+    - snap,interfaces: move interface name validation to snap
+    - overlord/snapstate: introduce path to fake backend ops
+    - cmd/snap-confine: fix snaps running on core18
+    - many: expose publisher's validation throughout the API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 20 Aug 2018 12:36:33 +0200
+
+snapd (2.34.3) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - interfaces/apparmor: use the cache in mtime-resilient way
+    - cmd/snap-confine: (nvidia) pick up libnvidia-glvkspirv.so
+    - snapstate: allow setting "refresh.timer=managed"
+    - spread: switch Fedora and openSUSE images
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 27 Jul 2018 19:08:44 +0200
+
+snapd (2.34.2) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - packaging: fix bogus date in fedora snapd.spec
+    - tests: fix tests expecting old email address
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 19 Jul 2018 12:05:50 +0200
+
+snapd (2.34.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - tests: cherry-pick test fixes from master for 2.34
+    - coreconfig: add support for `snap set system network.disable-
+      ipv6`
+    - debian: do not ship snapd.apparmor.service on ubuntu
+    - overlord/snapstate: dedupe default content providers
+    - interfaces/builtin: create can-bus interface
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Tue, 17 Jul 2018 19:46:56 +0200
+
+snapd (2.34) xenial; urgency=medium
+
+  * New upstream release, LP: #1779403
+    - store, daemon, client, cmd/snap: expose "scope", default to wide*
+    - tests: fix arch tests
+    - snapstate: make sure all *link-*snap tasks carry a snap type and
+      further hints
+    - snapstate: allow setting "refresh.timer=managed"
+    - cmd/snap: display a link to data privacy notice for interactive
+      snap login
+    - devicestate: fix race when refreshing a snap with snapd-control
+    - tests: skip interfaces-framebuffer when no /dev/fb0 is found
+    - tests: run interfaces-contacts-service only where test-snapd-eds
+      is available
+    - many: expose publisher's validation throughout the API
+    - many: use extra "releases" information on store "revision-not-
+      found" errors to produce better errors
+    - dirs: improve distro detection for Antegros
+    - Revert "dirs: improve identification of Arch Linux like systems"
+    - devicestate: fix panic in firstboot code when no snaps are seeded
+    - i18n: use xgettext-go --files-from to avoid running into cmdline
+      size limits
+    - interfaces: move ValidateName helper to utils
+    - snapstate,ifstate: wait for pending restarts before auto-
+      connecting
+    - snap: account for parallel installs in wrappers, place info and
+      tests
+    - configcore: fix incorrect handling of keys with numbers (like
+      gpu_mem_512)
+    - tests: fix tests when no keyboard input detected
+    - overlord/configstate: add watchdog options
+    - snap-mgmt: fix for non-existent dbus system policy dir,
+      shellchecks
+    - tests/main/snapd-notify: use systemd's service properties rater
+      than the journal
+    - snapstate: allow removal of snap.TypeOS when using a model with a
+      base
+    - interfaces: make findSnapdPath smarter
+    - tests: run "arp" tests only if arp is available
+    - spread: increase the number of auto retries for package downloads
+      in opensuse
+    - cmd/snap-confine: fix nvidia support under lxd
+    - corecfg: added experimental.hotplug feature flag
+    - image: block installation of parallel snap instances
+    - interfaces: moved normalize method to interfaces/utils and made it
+      public
+    - api/snapctl: allow -h and --help for regular users.
+    - interfaces/udisks2: also implement implicit classic slot
+    - cmd/snap-confine: include CUDA runtime libraries
+    - tests: disable auto-refresh test on core18
+    - many: switch to account validation: unproven|verified
+    - overlord/ifacestate: get/set connection state only via helpers
+    - tests: adding extra check to validate journalctl is showing
+      current test data
+    - data: add systemd environment configuration
+    - i18n: handle write errors in xgettext-go
+    - snap: helper for validating snap instance names
+    - snap{/snaptest}: set instance key based on snap name
+    - userd: fix running unit tests on KDE
+    - tests/main/econnreset: limit ingress traffic to 512kB/s
+    - snap: introduce a struct Channel to represent store channels, and
+      helpers to work with it
+    - tests: add fedora to distro_clean_package_cache function
+    - many: rename snap.Info.StoreName() to snap.Info.SnapName()
+    - tests: add spread test to ensure snapd/core18 are not removable
+    - tests: tweaks for running the main tests on core18
+    - overlord/{config,snap}state: introduce experimental.parallel-
+      instances feature flag
+    - strutil: support iteration over almost clean paths
+    - strutil: add PathIterator.Rewind
+    - tests: update interfaces-timeserver-control to core18
+    - tests: add halt-timeout to google backend
+    - tests: skip security-udev-input-subsystem without /dev/input/by-
+      path
+    - snap: introduce the instance key field
+    - packaging/opensuse: remaining packaging updates for 2.33.1
+    - overlord/snapstate: disallow installing snapd on baseless models
+    - tests: disable core tests on all core systems (16 and 18)
+    - dirs: improve identification of Arch Linux like systems
+    - many: expose full publisher info over the snapd API
+    - tests: disable core tests on all core systems (16 and 18)
+    - tests/main/xdg-open: restore or clean up xdg-open
+    - tests/main/interfaces-firewall-control: shellcheck fix
+    - snapstate: sort "snapd" first
+    - systemd: require snapd.socket in snapd.seeded.service; make sure
+      snapd.seeded
+    - spread-shellcheck: use the latest shellcheck available from snaps
+    - tests: use "ss" instead of "netstat" (netstat is not available in
+      core18)
+    - data/complete: fix three out of four shellcheck warnings in
+      data/complete
+    - packaging/opensuse: fix typo, missing assignment
+    - tests: initial core18 spread image building
+    - overlord: introduce a gadget-connect task and use it at first boot
+    - data/completion: fix inconsistency in +x and shebang
+    - firstboot: mark essential snaps as "Required" in the state
+    - spread-shellcheck: use a whitelist of files that are allowed to
+      fail validation
+    - packaging/opensuse: build position-independent binaries
+    - ifacestate: prevent running interface hooks twice when self-
+      connecting on autoconnect
+    - data: remove /bin/sh from snapd.sh
+    - tests: fix shellcheck 0.5.0 warnings
+    - packaging/opensuse: snap-confine should be 06755
+    - packaging/opensuse: ship apparmor integration if enabled
+    - interfaces/udev,misc: only trigger udev events on input subsystem
+      as needed
+    - packaging/opensuse: add missing bits for snapd.seeded.service
+    - packaging/opensuse: don't use %-macros in comments
+    - tests: shellchecks part 4
+    - many: rename snap.Info.Name() to snap.Info.InstanceName(), leave
+      parallel-install TODOs
+    - store: drop unused: channel map types, and details fixture.
+    - store: have a basic test about the unmarshalling of /search
+      results
+    - tests: show executed tests on current system when a test fails
+    - tests: fix for the download of the big snap
+    - interfaces/apparmor: add chopTree
+    - tests: remove double debug: | entry in tests and add more checks
+    - cmd/snap-update-ns: introduce mimicRequired helper
+    - interfaces: move assertions around for better failure line number
+    - store: log a nice clear "download succeeded" message
+    - snap: run snap-confine from the re-exec location
+    - snapstate: support restarting snapd from the snapd snap on core18
+    - tests: show status of the partial test-snapd-huge snap in
+      econnreset test
+    - tests: fix interfaces-calendar-service test when gvfsd-metadata
+      loks the xdg dirctory
+    - store: switch store.SnapInfo to use the new v2/info endpoint
+    - interfaces: add Repository.AllInterfaces
+    - snapstate: stop using evolving SnapSpec internally, use an
+      internal-only snapSpec instead
+    - cmd/libsnap-confine-private: introduce a helper for splitting snap
+      name
+    - tests: econnreset/retry tweaks
+    - store, et al: kill dead code that uses the bulk endpoint
+    - tests/lib/prepare-restore: fix upgrade/reboot handling on arch
+    - cmd/snap-update-ns,strutil: move PathIterator to strutil, add
+      Depth helper
+    - data/systemd/snapd.run-from-snap: ensure snapd tooling is
+      available
+    - store: switch connectivity check to use v2/info
+    - devicestate: support seeding from a base snap instead of core
+    - snapstate,ifacestate: remove core-phase-2 handling
+    - interfaces/docker-support: update for docker 18.05
+    - tests: enable fedora 28 again
+    - overlord/ifacestate:  simplify checkConnectConflicts and also
+      connect signature
+    - snap: parse connect instructions in gadget.yaml
+    - tests: fix snapd-repair.timer on ubuntu-core-snapd-run- from-snap
+      test
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - store, image: have 'snap download' use v2/refresh action=download
+    - interfaces/policy: test that base policy can be parsed
+    - tests: publish test-snapd-appstreamid for any architecture
+    - snap: don't include newline in hook environment
+    - cmd/snap-update-ns: use RCall with SyscallsEqual
+    - cmd/snap-update-ns: add IsSnapdCreatedPrivateTmpfs and tests
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+    - interfaces: add the dvb interface
+    - daemon: paging is not a thing.
+    - cmd/snap-mgmt: remove system key on purge
+    - testutil: syscall sequence checker
+    - cmd/snap-update-ns: fix a leaking file descriptor in MkSymlink
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command* many: add `snap debug
+      connectivity` command
+    - configstate: deny configuration of base snaps and for the "snapd"
+      snap
+    - interfaces/raw-usb: also allow usb serial devices
+    - snap: reject more layout locations
+    - errtracker: do not send duplicated reports
+    - httputil: extra debug if an error is not retried
+    - cmd/snap-update-ns: improve wording in many errors
+    - cmd/snap: use snaptest.MockSnapCurrent in `snap run` tests
+    - cmd/snap-update-ns: add helper for checking for read-only
+      filesystems
+    - interfaces/builtin/docker: use commonInterface over specific
+      struct
+    - testutil: add test support for Fstatfs
+    - cmd/snap-update-ns: discard the concept of segments
+    - cmd/libsnap-confine-private: helper for extracting store snap name
+      from local-name
+    - tests: fix flaky test for hooks undo
+    - interfaces: add {contacts,calendar}-service interfaces
+    - tests: retry 'restarting into..' match in the snap-confine-from-
+      core test
+    - systemd: adjust TestWriteMountUnitForDirs() to use
+      squashfs.MockUseFuse(false)
+    - data: add helper that can generate/start/stop the snapd service
+    - sefltest: advise reboot into 4.4 on trusty running 3.13
+    - selftest: add new selftest package that tests squashfs mounting
+    - store, jsonutil: move store.getStructFields to
+      jsonutil.StructFields
+    - ifacestate: improved conflict and error handling when creating
+      autoconnect tasks
+    - cmd/snap-confine: applied make fmt
+    - interfaces/udev: call 'udevadm settle --timeout=10' after
+      triggering events
+    - tests: wait more time until snap start to be downloaded on
+      econnreset test
+    - snapstate: ensure fakestore returns TypeOS for the core snap
+    - tests: fix lxd test which hangs on restore
+    - cmd/snap-update-ns: add PathIterator
+    - asserts,image: add support for models with bases
+    - tests: shellchecks part 3
+    - overlord/hookstate: support undo for hooks
+    - interfaces/tpm: Allow access to the kernel resource manager
+    - tests: skip appstream-id test for core systems 32 bits
+    - interfaces/home: remove redundant common interface assignment
+    - tests: reprioritise a few tests that are known to be slow
+    - cmd/snap: small help tweaks and fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - spread-shellcheck: silly fix & pep8
+    - spread: switch fedora 28 to manual
+    - client,cmd/snap,daemon,tests: expose base of a snap over API, show
+      it in snap info --verbose
+    - tests: fix lxd test - --auto now sets up networking
+    - tests: adding fedora-28 to spread.yaml
+    - interfaces: add juju-client-observe interface
+    - client, daemon: add a "mounted-from" entry to local snaps' JSON
+    - image: set model.DisplayName() in bootenv as "snap_menuentry"
+    - packaging/opensuse: Refactor packaging to support all openSUSE
+      targets
+    - interfaces/joystick: force use of the device cgroup with joystick
+      interface
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - interfaces: remove Plug/Slot types
+    - interface hooks: update old AutoConnect methods
+    - snapcraft: run with DEB_BUILD_OPTIONS=nocheck
+    - overlord/{config,snap}state: the number of inactive revisions is
+      config
+    - cmd/snap: check with snapd for unknown sections
+    - tests: moving test helpers from sh to bash
+    - data/systemd: add snapd.apparmor.service
+    - many: expose AppStream IDs (AKA common ID)
+    - many: hold refresh when on metered connections
+    - interfaces/joystick: also support modern evdev joysticks and
+      gamepads
+    - xdgopenproxy: skip TestOpenUnreadableFile when run as root
+    - snapcraft: use dpkg-buildpackage options that work in xenial
+    - spread: openSUSE LEAP 42.2 was EOLd in January, remove it
+    - get-deps: work with an unset GOPATH too
+    - interfaces/apparmor: use strict template on openSUSE tumbleweed
+    - packaging: filter out verbose flags from "dh-golang"
+    - packaging: fix description
+    - snapcraft.yaml: add minimal snapcraft.yaml with custom build
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 06 Jul 2018 16:08:17 +0200
+
+snapd (2.33.1) xenial; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - many: improve udev trigger on refresh experience
+    - systemd: require snapd.socket in snapd.seeded.service
+    - snap: don't include newline in hook environment
+    - interfaces/apparmor: allow killing snap-update-ns
+    - tests: skip "try" test on s390x
+    - tests: skip security-dev-input-event-denied when /dev/input/by-
+      path/ is missing
+    - tests: skip security-dev-input-event-denied on s390x/arm64
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Thu, 21 Jun 2018 17:37:56 +0200
+
+snapd (2.33) xenial; urgency=medium
+
+  * New upstream release, LP: #1773118
+    - packaging: use official bolt in the errtracker on fedora
+    - many: add `snap debug connectivity` command
+    - interfaces/raw-usb: also allow usb serial devices
+    - errtracker: do not send duplicated reports
+    - selftest: add new selftest package that tests squashfs mounting
+    - tests: backport lxd force stop and econnreset fixes
+    - tests: add test to ensure /dev/input/event* for non-joysticks is
+      denied
+    - interfaces/joystick: support modern evdev joysticks
+    - interfaces: add juju-client-observe
+    - interfaces/hardware-observe: allow access to /etc/sensors* for
+      libsensors
+    - many: holding refresh on metered connections
+    - many: expose AppStream IDs (AKA common ID)
+    - tests: speed up save/restore snapd state for all-snap systems
+      during tests execution
+    - interfaces/apparmor: use helper to load stray profile
+    - tests: ubuntu core abstraction
+    - overlord/snapstate: don't panic in a corner case interaction of
+      cleanup tasks and pruning
+    - interfaces/apparmor: add 'mediate_deleted' profile flag for all
+      snaps
+    - tests: new parameter for the journalctl rate limit
+    - spread-shellcheck: port to python
+    - interfaces/home: add 'read' attribute to allow non-owner read to
+      @{HOME}
+    - testutil: import check.v1 differently to workaround gccgo error
+    - interfaces/many: miscellaneous updates for default, desktop,
+      desktop-legacy, system-observe, hardware-observe, opengl and gpg-
+      keys
+    - snapstate/hooks: reorder autoconnect and reconnect hooks
+    - daemon: update unit tests to match current master
+    - overlord/snapshotstate/backend: introducing the snapshot backend
+    - many: support 'system' nickname in interfaces
+    - userd: add the "snap" scheme to the whitelist
+    - many: make rebooting of core on refresh immediate, refactor logic
+      around it
+    - tests/main/snap-service-timer: account for service timer being in
+      the 'running' state
+    - interfaces/builtin: allow access to libGLESv* too for opengl
+      interface
+    - daemon: fix unit tests on arch
+    - interfaces/default,process-control: miscellaneous signal policy
+      fixes
+    - interfaces/bulitin: add write permission to optical-drive
+    - configstate: validate known core.* options
+    - snap, wrappers: systemd WatchdogSec support
+    - ifacestate: do not auto-connect manually disconnected interfaces
+    - systemd: mock useFuse() so testsuite passes in container via lxd
+      snap
+    - snap/env: fix env duplication logic
+    - snap: some doc comments fixes and additions
+    - cmd/snap-confine, interfaces/opengl: allow access to glvnd EGL
+      vendor files
+    - ifacestate: unify reconnect and autoconnect methods
+    - tests: fix user mounts test for external systems
+    - overlord/snapstate,overlord/auth,store: coalesce no auth user
+      refresh requests
+    - boot,partition: improve tests/docs around SetNextBoot()
+    - many: improve `snap wait` command
+    - snap: fix `snap interface --attrs` output when numbers are used
+    - cmd/snap-update-ns: poke holes when creating source paths for
+      layouts
+    - snapstate: support getting new bases/default-providers on refresh
+    - ifacemgr: remove stale connections on startup
+    - asserts: use Attrer in policy checks
+    - testutil: record system call errors / return values
+    - tests: increase timeouts to make tests reliable on slow boards
+    - repo: pass and return ConnRef via pointers
+    - interfaces: add xdg-document-portal support to desktop interface
+    - debian: add a zenity|kdialog suggests
+    - snapstate: make TestDoPrereqRetryWhenBaseInFlight less brittle
+    - tests: go must be installed as a classic snap
+    - tests: use journalctl cursors instead rotating logs
+    - daemon: add confinement-options to /v2/system-info
+      daemon: refactor classic support flag to be more structured
+    - tests: build spread in the autopkgtests with a more recent go
+    - cmd/snap: fix the message when snap.channel != snap.tracking
+    - overlord/snapstate: allow core defaults configuration via 'system'
+      key
+    - many: add "snap debug sandbox-features" and needed bits
+    - interfaces: interface hooks for refresh
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - many: add wait command and `snapd.seeded` service
+    - interfaces: move host font update-ns AppArmor rules to desktop
+      interface
+    - jsonutil/safejson: introducing safejson.String &
+      safejson.Paragraph
+    - cmd/snap-update-ns: use Secure.BindMount to bind mount files
+    - cmd/snap-update-ns,tests: mimic the mode and ownership of
+      directories
+    - cmd/snap-update-ns: add support for ignoring mounts with missing
+      source/target
+    - interfaces: interface hooks implementation
+    - cmd/libsnap: fix compile error on more restrictive gcc
+      cmd/libsnap: fix compilation errors on gcc 8
+    - interfaces/apparmor: allow bash and dash to be in /usr/bin/
+    - cmd/snap-confine: allow any base snap to provide /etc/alternatives
+    - tests: fix interfaces-network test for systems with partial
+      confinement
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - tests: ubuntu 18.04 or higher does not need linux-image-extra-
+    - configcore: validate experimental.layouts option
+    - interfaces:minor autoconnect cleanup
+    - HACKING: fix typos
+    - spread: add adt for ubuntu 18.10
+    - tests: skip test lp-1721518 for arch, snapd is failing to start
+      after reboot
+    - interfaces/x11: allow X11 slot implementations
+    - tests: checking interfaces declaring the specific interface
+    - snap: improve error for snaps not available in the given context
+    - cmdstate: add missing test for default timeout handling
+    - tests: shellcheck spread tasks
+    - cmd/snap: update install/refresh help vs --revision
+    - cmd/snap-confine: add support for per-user mounts
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - tests: adding google-sru backend replacing linode-sur
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - systemd: replace ancient paths with 16.04+ standards
+    - overlord,systemd: store snap revision in mount units
+    - testutil: add test helper for SysLstat
+    - testutil,cmd: rename test helper of Lstat to OsLstat
+    - testutil: document all fake syscall/os functions
+    - osutil,interfaces,cmd: use less hardcoded strings
+    - testutil: rename UNMOUNT_NOFOLLOW to umountNoFollow
+    - testutil: don't dot-import check.v1
+    - store: getStructFields takes pointers now
+    - tests: drop `linux-image-extra-$(uname -r)` install in 18.04
+    - many: fix false negatives reported by vet
+    - osutil,interfaces: use uint32 for uid, gid
+    - many: fix various issues reported by shellcheck
+    - tests: add pending shutdown detection
+    - image: support refreshing soft-expired user macaroons in tooling
+    - interfaces/builtin, daemon: cleanup mocked builtin interfaces in
+      daemon tests
+    - interfaces/builtin: add support for software-watchdog interface
+    - spread: auto accept key changes when calling dnf
+    - snap,overlord/snapstate: introduce and use BrokenSnapError
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: bring back one missing test in snap-service-stop-mode
+    - debian: update LP bug for the 2.32.5 SRU
+    - userd: set up journal logging streams for autostarted apps
+    - snap,tests : don't fail if we cannot stat MountFile
+    - tests: smaller fixes for Arch tests
+    - tests: run interfaces-broadcom-asic-control early
+    - client: support for snapshot sets, snapshots, and snapshot actions
+    - tests: skip interfaces-content test on core devices
+    - cmd: generalize locking to global, snap and per-user locks
+    - release-tools: handle the snapd-x.y.z version
+    - packaging: fix incorrectly auto-generated changelog entry for
+      2.32.5
+    - tests: add arch to CI
+    - systemd: add helper for opening stream file descriptors to the
+      journal
+    - cmd/snap: handle distros with no version ID
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - tests: removing linode-sru backend
+    - tests: updating bionic version for spread tests on google
+    - overlord/snapstate: poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - overlord/snapstate: allow to get an error from readInfo instead of
+      a broken stub, use it in doMountSnap
+    - snap: snap.AppInfo is now a fmt.Stringer
+    - tests: move fedora 27 to google backend
+    - many: add `core.problem-reports.disabled` option
+    - cmd/snap-update-ns: remove the need for stash directory in secure
+      bind mount implementation
+    - errtracker: check for whoopsie.service instead of reading
+      /etc/whoopsie
+    - cmd/snap: user session application autostart v3
+    - tests: add test to ensure `snap refresh --amend` works with
+      different channels
+    - tests: add check for OOM error after each test
+    - cmd/snap-seccomp: graceful handling of non-multilib host
+    - interfaces/shutdown: allow calling SetWallMessage
+    - cmd/snap-update-ns: add secure bind mount implementation for use
+      with user mounts
+    - snap: fix `snap advise-snap --command` output to match spec
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - overlord/snapstate: introduce envvars to control the channels for
+      based and prereqs
+    - cmd/snap-confine: ignore missing cgroups in snap-device-helper
+    - debian: add gbp.conf script to build snapd via `gbp buildpackage`
+    - daemon,overlord/hookstate: stop/wait for running hooks before
+      closing the snapctl socket
+    - advisor: use json for package database
+    - interfaces/hostname-control: allow setting the hostname via
+      syscall and systemd
+    - tests/main/interfaces-opengl-nvidia: verify access to 32bit
+      libraries
+    - interfaces: misc updates for default, firewall-control, fuse-
+      support and process-control
+    - data/selinux: Give snapd access to more aspects of the system
+    - many: use the new install/refresh API by switching snapstate to
+      use store.SnapAction
+    - errtracker: make TestJournalErrorSilentError work on gccgo
+    - ifacestate: add to the repo also snaps that are pending being
+      activated but have a done setup-profiles
+    - snapstate, ifacestate: inject auto-connect tasks try 2
+    - cmd/snap-confine: allow creating missing gl32, gl, vulkan dirs
+    - errtracker: add more fields to aid debugging
+    - interfaces: make system-key more robust against invalid fstab
+      entries
+    - overlord,interfaces: be more vocal about broken snaps and read
+      errors
+    - ifacestate: injectTasks helper
+    - osutil: fix fstab parser to allow for # in field values
+    - cmd/snap-mgmt: remove timers, udev rules, dbus policy files
+    - release-tools: add repack-debian-tarball.sh
+    - daemon,client: add build-id to /v2/system-info
+    - cmd: make fmt (indent 2.2.11)
+    - interfaces/content: add rule so slot can access writable files at
+      plug's mountpoint
+    - interfaces: add /var/lib/snapd/snap to @{INSTALL_DIR}
+    - ifacestate: don't surface errors from stale connections
+    - cmd/snap-update-ns: convert Secure* family of functions into
+      methods
+    - tests: adjust canonical-livepatch test on GCE
+    - tests: fix quoting issues in econnreset test
+    - cmd/snap-confine: make /run/media an alias of /media
+    - cmd/snap-update-ns: rename i to segNum
+    - interfaces/serial: change pattern not to exclude /dev/ttymxc*
+    - spread: disable StartLimitInterval option on opensuse-42.3
+    - configstate: give a chance to immediately recompute the next
+      refresh time when schedules are set
+    - cmd/snap-confine: attempt to detect if multiarch host uses
+      arch triplets
+    - store: add Store.SnapAction to support the new install/refresh API
+      endpoint
+    - tests: adding test for removable-media interface
+    - tests: update interface tests to remove extra checks and normalize
+      tests
+    - timeutil: in Human, count days with fingers
+    - vendor: update gopkg.in/yaml.v2 to the latest version
+    - cmd/snap-confine: fix Archlinux compatibility
+    - cmd/snapd: make sure signal handlers are established during early
+      daemon startup
+    - cmd/snap-confine: apparmor: allow creating prefix path for
+      gl/vulkan
+    - osutil: use tilde suffix for temporary files used for atomic
+      replacement
+    - tests: copy or sanity check core users using usernames
+    - tests: disentangle etc vs extrausers in core tests
+    - tests: fix snap-run tests when snapd is not running
+    - overlord/configstate: change how ssh is stopped/started
+    - snap: make `snap run` look at the system-key for security profiles
+    - strutil, cmd/snap: drop strutil.WordWrap, first pass at
+      replacement
+    - tests: adding opensuse-42.3 to google
+    - cmd/snap: fix one issue with noWait error handling logic, add
+      tests plus other cleanups
+    - cmd/snap-confine: nvidia: preserve globbed file prefix
+    - advisor: add comment why osutil.FileExists(dirs.SnapCommandsDB) is
+      needed
+    - interfaces,release: probe seccomp features lazily
+    - tests: change debug for layout test
+    - advisor: deal with missing commands.db file
+    - interfaces/apparmor: simplify UpdateNS internals
+    - polkit: Pass caller uid to PolicyKit authority
+    - tests: moving debian 9 from linode to google backend
+    - cmd/snap-confine: nvidia: add tls/libnvidia-tls.so* glob
+    - po: specify charset in po/snappy.pot
+    - interfaces: harden snap-update-ns profile
+    - snap: Call SanitizePlugsSlots from InfoFromSnapYaml
+    - tests: update tests to deal with s390x quirks
+    - debian: run snap.mount upgrade fixup *before* debhelper
+    - tests: move xenial i386 to google backend
+    - snapstate: add compat mode for default-provider
+    - tests: a bunch of test fixes for s390x from looking at the
+      autopkgtest logs
+    - packaging: recommend "gnupg" instead of "gnupg1 | gnupg"
+    - interfaces/builtin: let MM change qmi device attributes
+    - tests: add workaround for s390x failure
+    - snap/pack, cmd/snap: add `snap pack --check-skeleton`
+    - daemon: support 'system' as nickname of the core snap
+    - cmd/snap-update-ns: use x-snapd.{synthetic,needed-by} in practice
+    - devicestate: add DeviceManager.Registered returning a channel
+      closed when the device is known to be registered
+    - store: Sections and WriteCatalogs need to strictly send device
+      auth only if the device has a custom store
+    - tests: add bionic system to google backend
+    - many: fix shellcheck warnings in bionic
+    - cmd/snap-update-ns: don't fail on existing symlinks
+    - tests: make autopkgtest tests more targeted
+    - cmd/snap-update-ns: fix creation of layout symlinks
+    - spread,tests: move suite-level prepare/restore to central script
+    - many: propagate contexts enough to be able to mark store
+      operations done from the Ensure loop
+    - snap: don't create empty Change with "Hold" state on disconnect
+    - snap: unify snap name validation w/python; enforce length limit.
+    - cmd/snap: use shlex when parsing `snap run --strace` arguments
+    - osutil,testutil: add symlinkat(2) and readlinkat(2)
+    - tests: autopkgtest may have non edge core too
+    - tests: adding checks before stopping snapd service to avoid job
+      canceled on ubuntu 14.04
+    - errtracker: respect the /etc/whoopsie configuration
+    - overlord/snapstate:  hold refreshes for 2h after seeding on
+      classic
+    - cmd/snap: tweak and polish help strings
+    - snapstate: put layout feature behind feature flag
+    - tests: force profile re-generation via system-key
+    - snap/squashfs: when installing from seed, try symlink before cp
+    - wrappers: services which are socket or timer activated should not
+      be started during boot
+    - many: go vet cleanups
+    - tests: define MATCH from spread
+    - packaging/fedora: Merge changes from Fedora Dist-Git plus trivial
+      fix
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - cmd/snap: in changes and tasks, default to human-friendly times
+    - many: support holding refreshes by setting refresh.hold
+    - Revert "cmd/snap: use timeutil.Human to show times in `snap
+      refresh -…-time`"
+    - cmd/snap: use timeutil.Human to show times in `snap refresh
+      --time`
+    - tests/main/snap-service-refresh-mode: refactor the test to rely on
+      comparing PIDs
+    - tests/main/media-sharing: improve the test to cover /media and
+      /run/media
+    - store: enable deltas for core devices too
+    - cmd/snap: unhide --no-wait; make wait use go via waitMixin
+    - strutil/shlex: import github.com/google/shlex into the tree
+    - vendor: update github.com/mvo5/libseccomp-golang
+    - overlord/snapstate: block install of "system"
+    - cmd/snap: "current"→"installed"; "refreshed"→"refresh-date"
+    - many: add the snapd-generator
+    - cmd/snap-seccomp: Cancel the atomic file on error, not just Close
+    - polkit: ensure error is properly set if dialog is dismissed
+    - snap-confine, snap-seccomp: utilize new seccomp logging features
+    - progress: tweak ansimeter cvvis use to no longer confuse minicom
+    - xdgopenproxy: integrate xdg-open implementation into snapctl
+    - tests: avoid removing preinstalled snaps on core
+    - tests: chroot into core to run xdg-open there
+    - userd: add an OpenFile method for launching local files with xdg-
+      open
+    - tests: moving ubuntu core from linode to google backend
+    - run-checks: remove accidental bashism
+    - i18n: simplify NG usage by doing the modulo math in-package.
+    - snap/squashfs: set timezone when calling unsquashfs to get the
+      build date
+    - timeutil: timeutil.Human(t) gives a human-friendly string for t
+    - snap: add autostart app property
+    - tests: add support for external backend executions on listing test
+    - tests: make interface-broadcom-asic-control test work on rpi
+    - configstate: when disable "ssh" we must disable the "sshd" service
+    - interfaces/apparmor,system-key: add upperdir snippets for strict
+      snaps on livecd
+    - snap/squashfs: add BuildDate
+    - store: parse the JSON format used by the coming new store API to
+      convey snap information
+    - many: remove snapd.refresh.{timer,service}
+    - tests: adding ubuntu-14.04-64 to the google backend
+    - interfaces: add xdg-desktop-portal support to desktop interface
+    - packaging/arch: sync with snapd/snapd-git from AUR
+    - wrappers, tests/main/snap-service-timer: restore missing commit,
+      add spread test for timer services
+    - store: don't ask for snap_yaml_raw except on the details endpoint
+    - many: generate and use per-snap snap-update-ns profile
+    - tests: add debug for layout test
+    - wrappers: detect whether systemd-analyze can be used in unit tests
+    - osutil: allow creating strings out of MountInfoEntry
+    - servicestate: use systemctl enable+start and disable+stop instead
+      of --now flag
+    - osutil: handle file being matched by multiple patterns
+    - daemon, snap: fix InstallDate, make a method of *snap.Info
+    - wrappers: timer services
+    - wrappers: generator for systemd OnCalendar schedules
+    - asserts: fix flaky storeSuite.TestCheckAuthority
+    - tests: fix dependency for ubuntu artful
+    - spread: start moving towards google backend
+    - tests: add a spread test for layouts
+    - ifacestate: be consistent passing Retry.After as named field
+    - cmd/snap-update-ns: use recursive bind mounts for writable mimic
+    - testutil: allow mocking syscall.Fstat
+    - overlord/snapstate: verify that default schedule is randomized and
+      is  not a single time
+    - many: simplify mocking of home-on-NFS
+    - cmd/snap-update-ns: use syscall.Symlink instead of os.Symlink
+    - store: move infoFromRemote into details.go close to snapDetails
+    - userd/tests: Test kdialog calls and mock kdialog too to make tests
+      work in KDE
+    - cmd/snap: tweaks to 'snap info' (feat. installed->current rename)
+    - cmd/snap: add self-strace to `snap run`
+    - interfaces/screen-inhibit-control,network-status: fix dbus path
+      and interface typos
+    - update-pot: Force xgettext() to return true
+    - store: cleanup test naming, dropping remoteRepo  and
+      UbuntuStore(Repository)? references
+    - store: reorg auth refresh
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 08 Jun 2018 17:13:47 +0200
+
+snapd (2.32.9) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - tests: run all spread tests inside GCE
+    - tests: build spread in the autopkgtests with a more recent go
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 16 May 2018 10:20:08 +0200
+
+snapd (2.32.8) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snapd.core-fixup.sh: fix workaround for corrupted uboot.env
+      and add tests
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 14:36:16 +0200
+
+snapd (2.32.7) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - many: add wait command and seeded target (2
+    - snapd.core-fixup.sh: add workaround for corrupted uboot.env
+    - boot: clear "snap_mode" when needed
+    - cmd/libsnap: fix compile error on more restrictive gcc
+    - tests: cherry-pick commits to move spread to google backend
+    - spread.yaml: add cosmic (18.10) to autopkgtest/qemu
+    - userd: set up journal logging streams for autostarted apps
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 May 2018 13:09:32 +0200
+
+snapd (2.32.6) xenial; urgency=medium
+
+  * New upstream release, LP: #1767833
+    - snap: do not use overly short timeout in `snap
+      {start,stop,restart}`
+    - interfaces/apparmor: fix incorrect apparmor profile glob
+    - tests: detect kernel oops during tests and abort tests in this
+      case
+    - tests: run interfaces-boradcom-asic-control early
+    - tests: skip interfaces-content test on core devices
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Sun, 29 Apr 2018 19:21:53 +0200
+
+snapd (2.32.5) xenial; urgency=medium
+
+  * New upstream release, LP: #1765090
+    - many: add "stop-mode: sig{term,hup,usr[12]}{,-all}" instead of
+      conflating that with refresh-mode
+    - overlord/snapstate:  poll for up to 10s if a snap is unexpectedly
+      not mounted in doMountSnap
+    - daemon: support 'system' as nickname of the core snap
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 16 Apr 2018 11:41:48 +0200
+
+snapd (2.32.4) xenial; urgency=medium
+
+  * New upstream release, LP: #1756173
+    - cmd/snap: user session application autostart
+    - overlord/snapstate: introduce envvars to control the channels for
+      bases and prereqs
+    - overlord/snapstate: on multi-snap refresh make sure bases and core
+      are finished before dependent snaps
+    - many: use the new install/refresh /v2/snaps/refresh store API
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 11 Apr 2018 16:30:45 +0200
+
 snapd (2.32.3.2) xenial; urgency=medium
 
   * New upstream release, LP: #1756173
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/control snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/control
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/control	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/control	2019-01-16 08:36:51.000000000 +0000
@@ -33,6 +33,7 @@
                python3-docutils,
                python3-markdown,
                squashfs-tools,
+               tzdata,
                udev,
                xfslibs-dev
 Standards-Version: 3.9.7
@@ -69,8 +70,9 @@
          ${misc:Depends},
          ${shlibs:Depends}
 Replaces: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0)
-Breaks: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0)
+Breaks: ubuntu-snappy (<< 1.9), ubuntu-snappy-cli (<< 1.9), snap-confine (<< 2.23), ubuntu-core-launcher (<< 2.22), snapd-xdg-open (<= 0.0.0), ${snapd:Breaks}
 Recommends: gnupg
+Suggests: zenity | kdialog
 Conflicts: snap (<< 2013-11-29-1ubuntu1)
 Built-Using: ${Built-Using} ${misc:Built-Using}
 Description: Daemon and tooling that enable snap packages
@@ -79,8 +81,7 @@
  enabling secure distribution of the latest apps and utilities for
  cloud, servers, desktops and the internet of things.
  .
- This is the CLI for snapd, a background service that takes care of
- snaps on the system. Start with 'snap list' to see installed snaps.
+ Start with 'snap list' to see installed snaps.
 
 Package: ubuntu-snappy
 Architecture: all
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/files snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/files
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/files	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/files	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1 @@
-snapd_2.32.3.2+18.04_source.buildinfo devel optional
+snapd_2.37~rc1+18.10_source.buildinfo devel optional
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/rules snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/rules
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/rules	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/rules	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,17 @@
 
 include /etc/os-release
 
+# On 18.04 the released version of apt (1.6.1) has a bug that causes
+# problem on "apt purge snapd". To ensure this won't happen add the
+# right dependency on 18.04.
+ifeq (${VERSION_ID},"18.04")
+	SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.6.3)"
+endif
+# Same as above for 18.10 just a different version.
+ifeq (${VERSION_ID},"18.10")
+	SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)"
+endif
+
 # this is overridden in the ubuntu/14.04 release branch
 SYSTEMD_UNITS_DESTDIR="lib/systemd/system/"
 
@@ -133,7 +144,7 @@
 	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
 
 	# this is the main go build
-	dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
+	SNAPD_VANILLA_GO=$$(which go) PATH="$$(pwd)/packaging/build-tools/:$$PATH" dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
 
 	# (static linking on powerpc with cgo is broken)
 ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
@@ -206,13 +217,15 @@
 	if [ -d share/locale ]; then \
 		cp -R share/locale debian/snapd/usr/share; \
 	fi
+	# chrorder generator
+	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
 
-	# install snapd's systemd units / upstart jobs, done
+	# Install snapd's systemd units / upstart jobs, done
 	# here instead of debian/snapd.install because the
 	# ubuntu/14.04 release branch adds/changes bits here
 	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
 		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
-	# we called this apps-bin-path.sh instead of snapd.sh, and
+	# We called this apps-bin-path.sh instead of snapd.sh, and
 	# it's a conf file so we're stuck with it
 	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh
 
@@ -221,6 +234,10 @@
 	# Rename the apparmor profile, see dh_apparmor call above for an explanation.
 	mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real
 
+	# On Ubuntu and Debian we don't need to install the apparmor helper service.
+	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.apparmor.service
+	rm $(CURDIR)/debian/tmp/usr/lib/snapd/snapd-apparmor
+
 	dh_install
 
 override_dh_auto_install: snap.8
@@ -234,4 +251,4 @@
 	rm -vf snap.8
 
 override_dh_gencontrol:
-	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"
+	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)" $(SUBSTVARS)
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.install snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.install
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.install	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.install	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,12 @@
 usr/bin/snap
-usr/bin/snapctl
+usr/bin/snapctl /usr/lib/snapd/
 usr/lib/snapd/system-shutdown
 usr/bin/snap-exec /usr/lib/snapd/
 usr/bin/snap-repair /usr/lib/snapd/
+usr/bin/snap-failure /usr/lib/snapd/
 usr/bin/snap-update-ns /usr/lib/snapd/
 usr/bin/snapd /usr/lib/snapd/
 usr/bin/snap-seccomp /usr/lib/snapd/
-usr/lib/snapd/snapd-generator /lib/systemd/system-generators/
 
 # bash completion
 data/completion/snap /usr/share/bash-completion/completions
@@ -18,6 +18,8 @@
 data/info /usr/lib/snapd/
 # polkit actions
 data/polkit/io.snapcraft.snapd.policy /usr/share/polkit-1/actions/
+# apt hook
+data/apt/20snapd.conf /etc/apt/apt.conf.d/
 
 # snap-confine stuff
 etc/apparmor.d/usr.lib.snapd.snap-confine.real
@@ -25,8 +27,7 @@
 usr/lib/snapd/snap-mgmt
 usr/lib/snapd/snap-confine
 usr/lib/snapd/snap-discard-ns
-usr/share/man/man1/snap-confine.1
-usr/share/man/man5/snap-discard-ns.5
+usr/share/man/
 # for compatibility with ancient snap installs that wrote the shell based
 # wrapper scripts instead of the modern symlinks
 usr/bin/ubuntu-core-launcher
@@ -36,3 +37,8 @@
 
 # install squashfuse as snapfuse to ensure it is available in e.g. lxd
 vendor/github.com/snapcore/squashfuse/src/snapfuse usr/bin
+
+# use "usr/lib" here because apparently systemd looks only there
+usr/lib/systemd/system-environment-generators
+# but system generators end up in lib
+lib/systemd/system-generators
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.links snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.links
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.links	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.links	2019-01-16 08:36:51.000000000 +0000
@@ -1 +1,2 @@
 ../../usr/lib/snapd/snap-device-helper  /lib/udev/snappy-app-dev
+usr/lib/snapd/snapctl usr/bin/snapctl
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.postinst snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.postinst
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.postinst	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.postinst	2019-01-16 08:36:51.000000000 +0000
@@ -10,8 +10,15 @@
             ldconfig
         fi
 
-        # ensure we undo the stopping of the snap.mount unit
-        # that we had in 2.31 and 2.31.1
+        # Ensure that we undo the damage done by the snap.mount unit that was present
+        # in snapd 2.31.
+        #
+        # We found that update scripts make systemd stop inactive mount units and this
+        # in turn stops all the units that depend on it so when the snap.mount unit is
+        # stopped all the per-snap mount units gets stopped along with them.  The 2.31
+        # release was only out briefly in xenial-proposed and bionic but to keep the
+        # affected users safe let's start all the per-snap mount units so that snaps no
+        # longer appear as broken after update.
         if dpkg --compare-versions "$2" ge-nl "2.31" && \
                 dpkg --compare-versions "$2" lt-nl "2.32"; then
             units=$(systemctl list-unit-files --full | grep '^snap[-.]' | cut -f1 -d ' ' | grep -vF snap.mount.service || true)
@@ -24,7 +31,7 @@
                 fi
 
                 echo "Starting $unit"
-                systemctl start "$unit" || true
+                deb-systemd-invoke start "$unit" || true
             done
         fi
 esac
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.postrm snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.postrm
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/snapd.postrm	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/snapd.postrm	2019-01-16 08:36:51.000000000 +0000
@@ -71,10 +71,12 @@
             # udev rules
             find /etc/udev/rules.d -name "*-snap.${snap}.rules" -execdir rm -f "{}" \;
             # dbus policy files
-            find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            if [ -d /etc/dbus-1/system.d ]; then
+                find /etc/dbus-1/system.d -name "snap.${snap}.*.conf" -execdir rm -f "{}" \;
+            fi
             # timer files
             find /etc/systemd/system -name "snap.${snap}.*.timer" | while read -r f; do
-                systemctl_stop "$(basename $f)"
+                systemctl_stop "$(basename "$f")"
                 rm -f "$f"
             done
         fi
@@ -99,13 +101,13 @@
     echo "Discarding preserved snap namespaces"
     # opportunistic as those might not be actually mounted
     if [ -d /run/snapd/ns ]; then
-        if [ $(ls /run/snapd/ns/*.mnt | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.mnt" | wc -l)" -gt 0 ]; then
             for mnt in /run/snapd/ns/*.mnt; do
                 umount -l "$mnt" || true
                 rm -f "$mnt"
             done
         fi
-        if [ $(ls /run/snapd/ns/*.fstab | wc -l) -gt 0 ]; then
+        if [ "$(find /run/snapd/ns/ -name "*.fstab" | wc -l)" -gt 0 ]; then
             for fstab in /run/snapd/ns/*.fstab; do
                 rm -f "$fstab"
             done
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/source/options snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/source/options
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/source/options	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/source/options	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+tar-ignore = "tests/lib/cache/*"
diff -Nru snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/tests/integrationtests snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/tests/integrationtests
--- snapd-2.32.3.2~14.04/packaging/ubuntu-17.04/tests/integrationtests	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/packaging/ubuntu-17.04/tests/integrationtests	2019-01-16 08:36:51.000000000 +0000
@@ -18,7 +18,7 @@
 systemctl daemon-reload
 
 # ensure we are not get killed too easily
-echo -950 > /proc/$$/oom_score_adj
+printf '%s\n' "-950" > /proc/$$/oom_score_adj
 
 # see what mem we have (for debugging)
 cat /proc/meminfo
@@ -36,13 +36,16 @@
     export SPREAD_CORE_CHANNEL=stable
 fi
 
+# Spread will only buid with recent go
+snap install --classic go
+
 # and now run spread against localhost
 # shellcheck disable=SC1091
 . /etc/os-release
 export GOPATH=/tmp/go
-go get -u github.com/snapcore/spread/cmd/spread
-/tmp/go/bin/spread -v "autopkgtest:${ID}-${VERSION_ID}-$(dpkg --print-architecture)"
+/snap/bin/go get -u github.com/snapcore/spread/cmd/spread
+/tmp/go/bin/spread -v "autopkgtest:${ID}-${VERSION_ID}-$(dpkg --print-architecture)"/tests/smoke
 
 # store journal info for inspectsion
 journalctl --sync
-journalctl -ab > $ADT_ARTIFACTS/journal.txt
+journalctl -ab > "$ADT_ARTIFACTS"/journal.txt
diff -Nru snapd-2.32.3.2~14.04/partition/bootloader.go snapd-2.37~rc1~14.04/partition/bootloader.go
--- snapd-2.32.3.2~14.04/partition/bootloader.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/partition/bootloader.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,9 +29,9 @@
 )
 
 const (
-	// bootloader variable used to determine if boot was successful.
-	// Set to value of either bootloaderBootmodeTry (when attempting
-	// to boot a new rootfs) or bootloaderBootmodeSuccess (to denote
+	// bootloader variable used to determine if boot was
+	// successful.  Set to value of either modeTry (when
+	// attempting to boot a new rootfs) or modeSuccess (to denote
 	// that the boot of the new rootfs was successful).
 	bootmodeVar = "snap_mode"
 
@@ -119,7 +119,24 @@
 
 // MarkBootSuccessful marks the current boot as successful. This means
 // that snappy will consider this combination of kernel/os a valid
-// target for rollback
+// target for rollback.
+//
+// The states that a boot goes through are the following:
+// - By default snap_mode is "" in which case the bootloader loads
+//   two squashfs'es denoted by variables snap_core and snap_kernel.
+// - On a refresh of core/kernel snapd will set snap_mode=try and
+//   will also set snap_try_{core,kernel} to the core/kernel that
+//   will be tried next.
+// - On reboot the bootloader will inspect the snap_mode and if the
+//   mode is set to "try" it will set "snap_mode=trying" and then
+//   try to boot the snap_try_{core,kernel}".
+// - On a successful boot snapd resets snap_mode to "" and copies
+//   snap_try_{core,kernel} to snap_{core,kernel}. The snap_try_*
+//   values are cleared afterwards.
+// - On a failing boot the bootloader will see snap_mode=trying which
+//   means snapd did not start successfully. In this case the bootloader
+//   will set snap_mode="" and the system will boot with the known good
+//   values from snap_{core,kernel}
 func MarkBootSuccessful(bootloader Bootloader) error {
 	m, err := bootloader.GetBootVars("snap_mode", "snap_try_core", "snap_try_kernel")
 	if err != nil {
diff -Nru snapd-2.32.3.2~14.04/partition/grub_test.go snapd-2.37~rc1~14.04/partition/grub_test.go
--- snapd-2.32.3.2~14.04/partition/grub_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/partition/grub_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"fmt"
 	"io/ioutil"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/mvo5/goconfigparser"
@@ -50,7 +51,7 @@
 		c.Skip("grub{,2}-editenv is not available")
 	}
 
-	_, err := runCommand(grubEditenvCmd(), grubEnvPath(), "set", fmt.Sprintf("%s=%s", key, value))
+	err := exec.Command(grubEditenvCmd(), grubEnvPath(), "set", fmt.Sprintf("%s=%s", key, value)).Run()
 	c.Assert(err, IsNil)
 }
 
@@ -59,11 +60,11 @@
 		c.Skip("grub{,2}-editenv is not available")
 	}
 
-	output, err := runCommand(grubEditenvCmd(), grubEnvPath(), "list")
+	output, err := exec.Command(grubEditenvCmd(), grubEnvPath(), "list").CombinedOutput()
 	c.Assert(err, IsNil)
 	cfg := goconfigparser.New()
 	cfg.AllowNoSectionHeader = true
-	err = cfg.ReadString(output)
+	err = cfg.ReadString(string(output))
 	c.Assert(err, IsNil)
 	v, err := cfg.Get("", key)
 	c.Assert(err, IsNil)
diff -Nru snapd-2.32.3.2~14.04/partition/utils.go snapd-2.37~rc1~14.04/partition/utils.go
--- snapd-2.32.3.2~14.04/partition/utils.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/partition/utils.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,52 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2014-2015 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package partition
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"os/exec"
-	"strings"
-)
-
-// This is a var instead of a function to making mocking in the tests easier
-var runCommand = runCommandImpl
-
-// Run command specified by args and return the output
-func runCommandImpl(args ...string) (string, error) {
-	if len(args) == 0 {
-
-		return "", errors.New("no command specified")
-	}
-
-	cmd := exec.Command(args[0], args[1:]...)
-	stdout := bytes.NewBuffer(nil)
-	stderr := bytes.NewBuffer(nil)
-	cmd.Stdout = stdout
-	cmd.Stderr = stderr
-	err := cmd.Run()
-	if err != nil {
-		cmdline := strings.Join(args, " ")
-		return stdout.String(), fmt.Errorf("failed to run command %q: %q (%s)", cmdline, stderr, err)
-	}
-
-	return stdout.String(), err
-}
diff -Nru snapd-2.32.3.2~14.04/partition/utils_test.go snapd-2.37~rc1~14.04/partition/utils_test.go
--- snapd-2.32.3.2~14.04/partition/utils_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/partition/utils_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,51 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2014-2015 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package partition
-
-import (
-	. "gopkg.in/check.v1"
-)
-
-type UtilsTestSuite struct {
-}
-
-var _ = Suite(&UtilsTestSuite{})
-
-func (s *UtilsTestSuite) TestRunCommandSimple(c *C) {
-	output, err := runCommandImpl("sh", "-c", "printf 'foo\nbar'")
-	c.Assert(err, IsNil)
-	c.Assert(output, DeepEquals, "foo\nbar")
-}
-
-func (s *UtilsTestSuite) TestRunCommandWithStdoutReturnsFalse(c *C) {
-	_, err := runCommandImpl("false")
-	c.Assert(err, ErrorMatches, `failed to run command \"false\": \"\" \(exit status 1\)`)
-}
-
-func (s *UtilsTestSuite) TestRunCommandWithStdoutNoSuchCommand(c *C) {
-	_, err := runCommandImpl("no-such-command")
-	c.Assert(err, ErrorMatches, `failed to run command \"no-such-command\": \"\" \(exec: \"no-such-command\": executable file not found in \$PATH\)`)
-}
-
-func (s *UtilsTestSuite) TestRunCommandWithStdoutReturnsStdout(c *C) {
-	output, err := runCommandImpl("sh", "-c", "printf stdout ; printf 'stderr' >&2; false")
-	c.Assert(output, Matches, "stdout")
-	c.Assert(err, ErrorMatches, `failed to run command \".*\": \"stderr\" \(exit status 1\)`)
-}
diff -Nru snapd-2.32.3.2~14.04/parts/plugins/x_builddeb.py snapd-2.37~rc1~14.04/parts/plugins/x_builddeb.py
--- snapd-2.32.3.2~14.04/parts/plugins/x_builddeb.py	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/parts/plugins/x_builddeb.py	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,57 @@
+# Copyright (C) 2018 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import glob
+import os
+
+import snapcraft
+
+# cowboy baby :(
+# see https://bugs.launchpad.net/snapcraft/+bug/1772584
+# and https://bugs.launchpad.net/snapcraft/+bug/1791871
+#
+# This will be fixed by snapcraft - the agreement is that they
+# will look for a .snap/ directory with "snapcraft" in it and
+# use that when available.
+def patch_snapcraft():
+    import snapcraft.internal.common
+    import snapcraft.internal.sources._local
+    # very hacky but gets the job done for now, right now
+    # SNAPCRAFT_FILES is only used to know what to exclude
+    snapcraft.internal.common.SNAPCRAFT_FILES.remove("snap")
+    def _patched_check(self, target):
+        return False
+    snapcraft.internal.sources._local.Local._check = _patched_check
+patch_snapcraft()
+
+
+
+class XBuildDeb(snapcraft.BasePlugin):
+
+    def build(self):
+        super().build()
+        self.run(["sudo", "apt-get", "build-dep", "-y", "./"])
+        # XXX: get this from "debian/gbp.conf:postexport"
+        self.run(["./get-deps.sh", "--skip-unused-check"])
+        env=os.environ.copy()
+        if os.getuid() == 0:
+            # disable running the tests during the build when run as root
+            # because quite a few of them will break
+            env["DEB_BUILD_OPTIONS"] = "nocheck"
+        # run the real build
+        self.run(["dpkg-buildpackage"], env=env)
+        # and "install" into the right place
+        snapd_deb = glob.glob("parts/snapd/snapd_*.deb")[0]
+        self.run(["dpkg-deb", "-x", os.path.abspath(snapd_deb), self.installdir])
+
diff -Nru snapd-2.32.3.2~14.04/po/af.po snapd-2.37~rc1~14.04/po/af.po
--- snapd-2.32.3.2~14.04/po/af.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/af.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Afrikaans translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Afrikaans <af@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/am.po snapd-2.37~rc1~14.04/po/am.po
--- snapd-2.32.3.2~14.04/po/am.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/am.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Amharic translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-04-03 15:55+0000\n"
-"Last-Translator: samson <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Amharic <am@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr "%s ተወግዷል\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s ተቀይሯል ወደ %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s ከ '%s' ተገጥሟል\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr "%s%s %s ከ '%s' ተነቃቅቷል\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s ተገጥሟል\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr "%s%s %s ተነቃቅቷል\n"
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<ሀሰት>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<ኢሜይል>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<የ ፋይል ስም>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<የ ራስጌ ማጣሪያ filter>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<ቁልፍ-ስም>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<ቁልፍ>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr "<ጥያቄ>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "አማራጭ ትእዛዝ ለማስኬድ"
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr "ፋይል ማረጋገጫ"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "የ ማረጋገጫ ስም አይነት"
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr "መጥፎ ኮድ: እባክዎን እንደገና ይሞክሩ: "
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr "የ ማሰናጃ ምርጫ መቀየሪያ"
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr "በ ስርአቱ ውስጥ ያሉ የ ሀሰት ዝርዝሮች"
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr "የሚጠፋው የ ቁልፍ ስም"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr "የሚላከው የ ቁልፍ ስም"
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr "የ ማለፊያ ሀረግ: "
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr "የ እትም ዝርዝር ማሳያ"
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr "በርካታ ክርክሮች: %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "ዝግጁ አይደለም"
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/ar.po snapd-2.37~rc1~14.04/po/ar.po
--- snapd-2.32.3.2~14.04/po/ar.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ar.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Arabic translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Arabic <ar@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/bs.po snapd-2.37~rc1~14.04/po/bs.po
--- snapd-2.32.3.2~14.04/po/bs.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/bs.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Bosnian translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-09-08 10:15+0000\n"
-"Last-Translator: Samir Ribić <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Bosnian <bs@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -23,15 +23,19 @@
 "\n"
 "Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
 msgstr ""
+"%q ne sadrži neotvoren snap.\n"
+"\n"
+"Pokušajte \"snapcraft prime\" u direktoriju vašeg programa, zatim ponovo "
+"\"snap try\"."
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q se pomjerio na kanal %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
 msgid "%s %s mounted from %s\n"
-msgstr ""
+msgstr "%s %s je montiran sa %s\n"
 
 #, c-format
 msgid "%s (delta)"
@@ -45,7 +49,7 @@
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (try with sudo)"
-msgstr ""
+msgstr "%s (probajte sa sudo)"
 
 #, c-format
 msgid "%s already installed\n"
@@ -53,36 +57,41 @@
 
 #, c-format
 msgid "%s disabled\n"
-msgstr ""
+msgstr "%s onemogućen\n"
 
 #, c-format
 msgid "%s enabled\n"
-msgstr ""
+msgstr "%s omogućen\n"
 
 #, c-format
 msgid "%s not installed\n"
-msgstr ""
+msgstr "%s nije instaliran\n"
 
 #, c-format
 msgid "%s removed\n"
-msgstr ""
+msgstr "%s uklonjen\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
-msgstr ""
+msgstr "%s se vratio na %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
-msgstr ""
+msgstr "%s%s %s od '%s' instaliran\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -94,264 +103,341 @@
 msgstr ""
 
 msgid "-r can only be used with --hook"
-msgstr ""
+msgstr "-r se može koristiti samo sa --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<alias-or-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
-msgstr ""
+msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
-msgstr ""
+msgstr "<filename>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
-msgstr ""
+msgstr "<header filter>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<interface>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr ""
+msgstr "<key-name>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
-msgstr ""
+msgstr "<key>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
-msgstr ""
+msgstr "<model-assertion>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
-msgstr ""
+msgstr "<query>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
+msgstr "<root-dir>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
-msgstr ""
+msgstr "<snap>:<plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
-msgstr ""
+msgstr "<snap>:<slot or plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
+msgstr "<snap>:<slot>"
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
 msgstr ""
 
 msgid "Abort a pending change"
-msgstr ""
+msgstr "Prekinuti promjenu na čekanju"
 
 msgid "Added"
-msgstr ""
+msgstr "Dodano"
 
 msgid "Adds an assertion to the system"
+msgstr "Daje tvrdnju sistemu"
+
+msgid "Advise on available snaps."
 msgstr ""
 
-msgid "Alias for --dangerous (DEPRECATED)"
+msgid "Advise on snaps that provide the given command"
 msgstr ""
 
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr "Pseudonim za --dangerous (OBUSTAVLJENO)"
+
 msgid "All snaps up to date."
+msgstr "Svi snapovi su ažurirani."
+
+msgid "Allow opening file?"
 msgstr ""
 
-msgid "Alternative command to run"
+msgid "Allow refresh attempt on snap unknown to the store"
 msgstr ""
 
-msgid "Always return document, even with single key"
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr "Alternativna naredba za pokretanje"
+
+msgid "Always return document, even with single key"
+msgstr "Uvijek vrati dokument, čak i sa jednim ključem"
+
+msgid "Always return list, even with single key"
+msgstr "Uvijek vrati listu, čak i sa jednim ključem"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
+msgstr "Email korisnika na login.ubuntu.com"
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
 msgstr ""
 
-msgid "Assertion file"
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr "Dokument tvrdnje"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
-msgstr ""
+msgstr "Ime tipa tvrdnje"
 
 msgid "Authenticates on snapd and the store"
 msgstr ""
 
 #, c-format
 msgid "Auto-refresh %d snaps"
-msgstr ""
+msgstr "Automatsko osvježavanje %d snapova"
 
 #, c-format
 msgid "Auto-refresh snap %q"
-msgstr ""
+msgstr "Automatsko osvježavanje snapa %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Auto-refresh snaps %s"
+msgstr "Automatsko osvježavanje snapova %s"
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
 msgid "Bad code. Try again: "
-msgstr ""
+msgstr "Pogrešan kod. Pokušajte ponovo: "
 
 msgid "Buys a snap"
-msgstr ""
+msgstr "Kupuje snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
-msgstr ""
+msgstr "Promijeni ID"
 
 msgid "Changes configuration options"
-msgstr ""
-
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
+msgstr "Mijenja opcije konfiguracija"
 
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Komanda\tPseudonim\tBilješke"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
-msgstr ""
+msgstr "Vrijednost konfiguracije (key=value)"
 
 msgid "Confirm passphrase: "
-msgstr ""
+msgstr "Potvrdite šifru: "
 
 #, c-format
 msgid "Connect %s:%s to %s:%s"
-msgstr ""
+msgstr "Spoji %s:%s sa %s:%s"
 
 msgid "Connects a plug to a slot"
-msgstr ""
+msgstr "Povezuje utikač sa utorom"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
-msgstr ""
+msgstr "Ograniči spisak na posebne interfejse"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
-msgstr ""
+msgstr "Ograniči spisak na poklapajuće header=value"
 
 #, c-format
 msgid "Copy snap %q data"
-msgstr ""
+msgstr "Kopiraj podatke snapa %q"
 
 msgid ""
 "Create a cryptographic key pair that can be used for signing assertions."
 msgstr ""
+"Stvoriti kriptografski par ključeva koji se mogu koristiti za potpisivanje "
+"tvrdnji"
 
 msgid "Create cryptographic key pair"
-msgstr ""
+msgstr "Stvoriti kriptografski par ključeva"
 
 msgid "Create snap build assertion"
-msgstr ""
+msgstr "Stvori tvrdnju postavljanja snapa"
 
 msgid "Create snap-build assertion for the provided snap file."
 msgstr ""
 
 msgid "Creates a local system user"
-msgstr ""
+msgstr "Stvara korisnika lokalnog sistema"
 
 msgid "Delete cryptographic key pair"
-msgstr ""
+msgstr "Obrisati par kriptografskih ključeva"
 
 msgid "Delete the local cryptographic key pair with the given name."
-msgstr ""
+msgstr "Obrisati lokalni  par kriptografskih ključeva sa datim imenom."
 
 #, c-format
 msgid "Disable %q snap"
-msgstr ""
+msgstr "Onemogućiti snap %q"
 
 #, c-format
 msgid "Disable aliases for snap %q"
-msgstr ""
+msgstr "Onemogućiti pseudonime za snap %q"
 
 #, c-format
 msgid "Disable all aliases for snap %q"
-msgstr ""
+msgstr "Onemogućiti sve pseudonime za snap %q"
 
 msgid "Disables a snap in the system"
-msgstr ""
+msgstr "Onemogućuje snap u sistemu"
 
 #, c-format
 msgid "Discard interface connections for snap %q (%s)"
-msgstr ""
+msgstr "Odbaci interfejs konekcije za snap %q (%s)"
 
 #, c-format
 msgid "Disconnect %s:%s from %s:%s"
-msgstr ""
+msgstr "Prekinuti vezu %s:%s sa %s:%s"
 
 msgid "Disconnects a plug from a slot"
-msgstr ""
+msgstr "Odspaja utikač iz utora"
 
 msgid "Do not wait for the operation to finish but just print the change id."
-msgstr ""
+msgstr "Ne čekaj da se operacija završi nego samo odštampati promjenjeni id"
 
 #, c-format
 msgid "Download snap %q%s from channel %q"
-msgstr ""
+msgstr "Preuzimanje snapa %q%s sa kanala %q"
 
 msgid ""
 "Download the given revision of a snap, to which you must have developer "
 "access"
 msgstr ""
+"Preuzeti datu reviziju snapa, za koju je potreban pristup razvojnog "
+"programera"
 
 msgid "Downloads the given snap"
-msgstr ""
+msgstr "Preuzima dati snap"
 
 msgid "Email address: "
-msgstr ""
+msgstr "Adresa e-pošte: "
 
 #, c-format
 msgid "Enable %q snap"
-msgstr ""
+msgstr "Omogućiti snap %q"
 
 msgid "Enables a snap in the system"
-msgstr ""
+msgstr "Omogućuje snap u sistemu"
 
-msgid "Entering classic dimension"
-msgstr ""
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr "Osiguraj da su dostupni preduvjeti za %q"
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
 msgstr ""
+"Izvezi tvrdnju javnog ključa tijela koja može biti uvezena u druge sisteme."
 
 msgid "Export cryptographic public key"
-msgstr ""
+msgstr "Eksportirati javni kriptografski ključ"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
-msgstr ""
+msgstr "Uhvati i provjeri tvrdnje za snap %q%s"
 
 #, c-format
 msgid "Fetching assertions for %q\n"
-msgstr ""
+msgstr "Hvatanje tvrdnji za %q\n"
 
 #, c-format
 msgid "Fetching snap %q\n"
-msgstr ""
+msgstr "Hvatanje snapa %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
-msgstr ""
+msgstr "Ime dadoteke snapa za koju želite potvrditi izgradnju"
 
 msgid "Finds packages to install"
-msgstr ""
+msgstr "Pronalazi paket za instalaciju"
 
 msgid "Force adding the user, even if the device is already managed"
-msgstr ""
+msgstr "Prisilno dodavanje korisnika, čak i ako se već upravlja uređajem"
 
 msgid "Force import on classic systems"
-msgstr ""
+msgstr "Prisilno uvezi na klasične sisteme"
 
 msgid ""
 "Format public key material as a request for an account-key for this account-"
@@ -362,13 +448,13 @@
 msgstr ""
 
 msgid "Generate the manpage"
-msgstr ""
+msgstr "Stvoriti stranicu uputstva"
 
 msgid "Grade states the build quality of the snap (defaults to 'stable')"
 msgstr ""
 
 msgid "Grant sudo access to the created user"
-msgstr ""
+msgstr "Dozvoli sudo pristup kreiranom korisniku"
 
 msgid "Help"
 msgstr ""
@@ -380,13 +466,16 @@
 msgstr ""
 
 msgid "Identifier of the signer"
-msgstr ""
+msgstr "Identifikator potpisnika."
 
 msgid "Identifier of the snap package associated with the build"
+msgstr "Identifikator snap paketa koji je povezan sa izgradnjom."
+
+msgid "If the service has a reload command, use it instead of restarting."
 msgstr ""
 
 msgid "Ignore validation by other snaps blocking the refresh"
-msgstr ""
+msgstr "Zanemari provjeru valjanosti snap-ova koji blokiraju osvježavanje"
 
 #, c-format
 msgid ""
@@ -395,55 +484,59 @@
 "\n"
 "Once completed, return here and run 'snap buy %s' again."
 msgstr ""
+"Da biste kupili %q, trebate da prihvatite posljednje uslove korištenja. "
+"Molimo posjetite https://my.ubuntu.com/payment/edit da biste to uradili.\n"
+"\n"
+"Kad završite, vratite se ovdje i ponovo pokrenite 'snap buy %s'."
 
 msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
 msgstr ""
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Uključiti nekorištene interfejse"
 
 msgid "Initialize device"
 msgstr ""
 
 msgid "Inspects devices for actionable information"
-msgstr ""
+msgstr "Provjerava uređaje za djelotvorne informacije"
 
 #, c-format
 msgid "Install %q snap"
-msgstr ""
+msgstr "Instaliraj snap %q"
 
 #, c-format
 msgid "Install %q snap from %q channel"
-msgstr ""
+msgstr "Instaliraj snap %q sa kanala %q"
 
 #, c-format
 msgid "Install %q snap from file"
-msgstr ""
+msgstr "Instaliraj snap %q sa datoteke"
 
 #, c-format
 msgid "Install %q snap from file %q"
-msgstr ""
+msgstr "Instaliraj snap %q sa datoteke %q"
 
 msgid "Install from the beta channel"
-msgstr ""
+msgstr "Instaliraj sa beta kanala"
 
 msgid "Install from the candidate channel"
-msgstr ""
+msgstr "Instaliraj sa kandidatnog kanala"
 
 msgid "Install from the edge channel"
-msgstr ""
+msgstr "Instaliraj sa krajnjeg kanala"
 
 msgid "Install from the stable channel"
-msgstr ""
+msgstr "Instaliraj sa stabilnog kanala"
 
 #, c-format
 msgid "Install snap %q"
-msgstr ""
+msgstr "Instaliraj snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Install snaps %s"
-msgstr ""
+msgstr "Instaliraj snapove %s"
 
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
@@ -454,36 +547,51 @@
 "for it, meaning it was not verified and could be dangerous (--devmode "
 "implies this)"
 msgstr ""
+"Instaliraj dati snap dokument čak i ako nema prethodno priznatih potpisa, "
+"što znači da nije provjereno i može biti opasno (--devmode implies this)"
 
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
-msgid "Installs a snap to the system"
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
 msgstr ""
 
+msgid "Installs a snap to the system"
+msgstr "Instalira snap na sistem"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
-msgstr ""
+msgstr "Ključ interesa unutar konfiguracije"
 
 msgid "List a change's tasks"
-msgstr ""
+msgstr "Popis zadataka promjene"
 
 msgid "List cryptographic keys"
-msgstr ""
+msgstr "Lista kriptografskih ključeva"
 
 msgid "List cryptographic keys that can be used for signing assertions."
 msgstr ""
+"Lista kriptografskih ključeva koja se može koristiti za potpisivanje tvrdnji"
 
 msgid "List installed snaps"
-msgstr ""
+msgstr "Lista instaliranih snap-ova"
 
 msgid "List system changes"
-msgstr ""
+msgstr "Lista promjena na sistemu"
 
 msgid "Lists aliases in the system"
-msgstr ""
+msgstr "Lista pseudonima u sistemu"
+
+msgid "Lists all repairs"
+msgstr "Lista svih popravki"
 
 msgid "Lists interfaces in the system"
-msgstr ""
+msgstr "Lista interfejsa u sistemu"
 
 msgid "Lists snap interfaces"
 msgstr ""
@@ -521,12 +629,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +659,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +728,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -580,7 +740,7 @@
 
 #, c-format
 msgid "Prefer aliases of snap %q"
-msgstr ""
+msgstr "Preferiraj pseudonime snapa %q"
 
 msgid "Prepare a snappy image"
 msgstr ""
@@ -602,7 +762,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -626,32 +786,32 @@
 
 #, c-format
 msgid "Refresh %q snap"
-msgstr ""
+msgstr "Osvježi snap %q"
 
 #, c-format
 msgid "Refresh %q snap from %q channel"
-msgstr ""
+msgstr "Osvježi snap %q sa kanala %q"
 
 #, c-format
 msgid "Refresh aliases for snap %q"
 msgstr ""
 
 msgid "Refresh all snaps: no updates"
-msgstr ""
+msgstr "Osvježi sve snapove: bez ažuriranja"
 
 #, c-format
 msgid "Refresh snap %q"
-msgstr ""
+msgstr "Osvježi snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s"
-msgstr ""
+msgstr "Osvježi snapove: %s"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s: no updates"
-msgstr ""
+msgstr "Osvježi snapove %s: bez ažuriranja"
 
 msgid "Refresh to the given revision"
 msgstr ""
@@ -661,7 +821,7 @@
 
 #, c-format
 msgid "Remove %q snap"
-msgstr ""
+msgstr "Ukloni snap %q"
 
 #, c-format
 msgid "Remove aliases for snap %q"
@@ -688,7 +848,7 @@
 
 #, c-format
 msgid "Remove snap %q"
-msgstr ""
+msgstr "Ukloni snap %q"
 
 #, c-format
 msgid "Remove snap %q (%s) from the system"
@@ -697,7 +857,7 @@
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Remove snaps %s"
-msgstr ""
+msgstr "Ukloni snapove %s"
 
 msgid "Removed"
 msgstr ""
@@ -730,6 +890,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +913,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +924,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +949,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +992,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1026,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1117,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1147,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -963,6 +1166,9 @@
 
 #, c-format
 msgid "Try %q snap from %s"
+msgstr "Pokušaj snap %q sa %s"
+
+msgid "Try: snap install <selected snap>\n"
 msgstr ""
 
 msgid "Two-factor code: "
@@ -977,13 +1183,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1249,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1272,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1544,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1602,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1637,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1677,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1765,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1780,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1791,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1827,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1878,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1609,21 +1903,25 @@
 
 #, c-format
 msgid "created user %q\n"
+msgstr "napravljen korisnik %q\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
-msgstr ""
+msgstr "onemogućene"
 
 msgid "email:"
-msgstr ""
+msgstr "epošta"
 
 msgid "enabled"
-msgstr ""
+msgstr "omogućen"
 
 #, c-format
 msgid "error: %v\n"
-msgstr ""
+msgstr "greška: %v\n"
 
 msgid ""
 "error: the `<snap-dir>` argument was not provided and couldn't be inferred"
@@ -1632,9 +1930,16 @@
 msgid "get which option?"
 msgstr ""
 
-msgid "inactive"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
 msgstr ""
 
+msgid "inactive"
+msgstr "neaktivan"
+
 msgid ""
 "interface attributes can only be read during the execution of interface hooks"
 msgstr ""
@@ -1687,58 +1992,70 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
 msgid "need the application to run as argument"
-msgstr ""
+msgstr "potrebna aplikacija da se pokrene kao argument"
 
 msgid "no changes found"
-msgstr ""
+msgstr "promjene nisu pronađene"
 
 #, c-format
 msgid "no changes of type %q found"
-msgstr ""
+msgstr "nisu pronađene promjene tipa %q"
 
 msgid "no interfaces currently connected"
-msgstr ""
+msgstr "nijedan interfejs nije trenutno konektovan"
 
 msgid "no interfaces found"
-msgstr ""
+msgstr "nisu pronađeni interfejsi"
 
 msgid "no matching snaps installed"
 msgstr ""
 
 msgid "no such interface"
-msgstr ""
+msgstr "nema takvog interfejsa"
 
 msgid "no valid snaps given"
-msgstr ""
-
-msgid "not a valid snap"
-msgstr ""
+msgstr "nisu dati validni snap-ovi"
 
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
-msgstr ""
+msgstr "privatno"
 
 msgid ""
 "reboot scheduled to update the system - temporarily cancel with 'sudo "
 "shutdown -c'"
 msgstr ""
+"ponovno pokretanje za ažuriranje sistema isplanirano - trajno otkažite sa "
+"'sudo shutdown -c'"
+
+msgid "repairs are not available on a classic system"
+msgstr "popravke nisu dostupne na klasičnom sistemu"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
 
 #, c-format
 msgid "set failed: %v"
 msgstr ""
 
 msgid "set which option?"
-msgstr ""
-
-msgid "show detailed information about a snap"
-msgstr ""
+msgstr "koju opciju podesiti?"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
@@ -1756,48 +2073,73 @@
 
 #, c-format
 msgid "snap %q is already installed, see \"snap refresh --help\""
-msgstr ""
-
-#, c-format
-msgid "snap %q is local"
-msgstr ""
+msgstr "snap %q već instaliran, pogledajte \"snap refresh --help\""
 
 #, c-format
 msgid "snap %q not found"
-msgstr ""
+msgstr "snap %q nije pronađen"
 
 #. TRANSLATORS: free as in gratis
 msgid "snap is free"
-msgstr ""
+msgstr "snap je gratis"
 
 msgid "too many arguments for command"
-msgstr ""
+msgstr "previše argumenata za komandu"
 
 #. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
 #, c-format
 msgid "too many arguments for hook %q: %s"
-msgstr ""
+msgstr "previše argumenata za hook %q: %s"
 
 #. TRANSLATORS: the %s is the list of extra arguments
 #, c-format
 msgid "too many arguments: %s"
+msgstr "previše argumenata: %s"
+
+msgid "unable to contact snap store"
 msgstr ""
 
 msgid "unavailable"
-msgstr ""
+msgstr "nedostupan"
 
 #, c-format
 msgid "unknown attribute %q"
-msgstr ""
+msgstr "nepoznat atribut %q"
 
 #, c-format
 msgid "unknown command %q, see \"snap --help\""
-msgstr ""
+msgstr "nepoznata komanda %q, pogledajte \"snap --help\""
 
 #, c-format
 msgid "unknown plug or slot %q"
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr "nepoznat servis: %q"
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
 msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Potvrdi na snap daemon"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Autorizacija je potrebna da bi se potvrdio snap daemon"
+
+msgid "Install, update, or remove packages"
+msgstr "Instaliraj, ažuriraj, ili ukloni pakete"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr "Potrebna potvrda za instaliranje, ažuriranje, ili uklanjanje paketa"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Spoji, odspoji interfejse"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Potrebna potvrda za spajanje i odspajanje interfejsa"
diff -Nru snapd-2.32.3.2~14.04/po/ca.po snapd-2.37~rc1~14.04/po/ca.po
--- snapd-2.32.3.2~14.04/po/ca.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ca.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Catalan translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-03-18 12:27+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Catalan <ca@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -26,7 +26,7 @@
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q canviat al canal %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr "S'ha suprimit %s\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s s'ha restituït a %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "S'ha instal·lat %s%s %s de '%s'\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr "S'ha actualitzat %s%s %s de '%s'\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "S'ha instal·lat %s%s %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr "S'ha actualitzat %s%s %s\n"
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr "-r només es pot utilitzar amb --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<correu>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<nom-de-fitxer>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<filtre-de-capçalera>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<nom-de-la-clau>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<clau>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr "<consulta>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr "<directori-arrel>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Avorta un canvi pendent"
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr "Afegeix una afirmació al sistema"
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr "Alias de --dangerous"
 
 msgid "All snaps up to date."
 msgstr "All snaps up to date."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Ordre alternativa que s'executarà"
 
 msgid "Always return document, even with single key"
 msgstr "Torna sempre el document, inclús amb una sola clau"
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr "Un correu electrònic d'un usuari a login.ubuntu.com"
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr "Fitxer de definició"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "Nom del tipus de definició"
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr "El codi és incorrecte. Torneu a provar: "
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr "Canvia l'identificador"
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/cs.po snapd-2.37~rc1~14.04/po/cs.po
--- snapd-2.32.3.2~14.04/po/cs.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/cs.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Czech translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-06-21 17:43+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Czech <cs@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1042,6 +1243,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1060,6 +1266,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1326,12 +1538,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1373,6 +1596,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1383,6 +1631,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1417,6 +1671,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1482,9 +1759,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1499,6 +1774,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1507,6 +1785,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1539,7 +1821,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1591,9 +1872,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1621,6 +1899,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1642,6 +1924,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1697,6 +1986,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1725,9 +2022,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1740,6 +2034,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1747,9 +2049,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1769,10 +2068,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1793,6 +2088,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1809,5 +2107,32 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
 msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Autentizace na snap démonu"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Pro autentizaci na snap démonu je vyžadováno ověření"
+
+msgid "Install, update, or remove packages"
+msgstr "Instalace, aktualizace nebo odstranění balíčků"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+"Pro instalaci, aktualizaci nebo odstranění balíčků je vyžadováno ověření"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Připojení, odpojení rozhraní"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Pro připojení nebo odpojení rozhraní je vyžadováno ověření"
diff -Nru snapd-2.32.3.2~14.04/po/cy.po snapd-2.37~rc1~14.04/po/cy.po
--- snapd-2.32.3.2~14.04/po/cy.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/cy.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Welsh translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Welsh <cy@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/da.po snapd-2.37~rc1~14.04/po/da.po
--- snapd-2.32.3.2~14.04/po/da.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/da.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Danish translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-09-22 21:20+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Danish <da@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -23,15 +23,18 @@
 "\n"
 "Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
 msgstr ""
+"%q indeholder ikke en snap, som ikke er pakket.\n"
+"\n"
+"Prøv \"snapcraft prime\" i din projektmappe og \"snap try\" igen."
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q skiftede til kanalen %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
 msgid "%s %s mounted from %s\n"
-msgstr ""
+msgstr "%s %s monteret fra %s\n"
 
 #, c-format
 msgid "%s (delta)"
@@ -40,151 +43,224 @@
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (see \"snap login --help\")"
-msgstr ""
+msgstr "%s (se \"snap login --help\")"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (try with sudo)"
-msgstr ""
+msgstr "%s (prøv med sudo)"
 
 #, c-format
 msgid "%s already installed\n"
-msgstr ""
+msgstr "%s er allerede installeret\n"
 
 #, c-format
 msgid "%s disabled\n"
-msgstr ""
+msgstr "%s deaktiveret\n"
 
 #, c-format
 msgid "%s enabled\n"
-msgstr ""
+msgstr "%s aktiveret\n"
 
 #, c-format
 msgid "%s not installed\n"
-msgstr ""
+msgstr "%s er ikke installeret\n"
 
 #, c-format
 msgid "%s removed\n"
-msgstr ""
+msgstr "%s fjernet\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
-msgstr ""
+msgstr "%s rullet tilbage til %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
-msgstr ""
+msgstr "%s%s %s fra \"%s\" installeret\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
-msgstr ""
+msgstr "%s%s %s fra \"%s\" blev genopfrisket\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
-msgstr ""
+msgstr "%s%s %s installeret\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
-msgstr ""
+msgstr "%s%s %s blev genopfrisket\n"
 
 msgid "--list does not take mode nor channel flags"
-msgstr ""
+msgstr "--list tager hverken tilstands- eller kanalflag"
 
 msgid "--time does not take mode nor channel flags"
-msgstr ""
+msgstr "--time tager hverken tilstands- eller kanalflag"
 
 msgid "-r can only be used with --hook"
-msgstr ""
+msgstr "-r kan kun bruges med --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<alias-eller-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
-msgstr ""
+msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
-msgstr ""
+msgstr "<assertionsfil>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
-msgstr ""
+msgstr "<assertionstype>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
-msgstr ""
+msgstr "<skift-id>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
-msgstr ""
+msgstr "<konfigurationsværdi>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
-msgstr ""
+msgstr "<e-mail>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
-msgstr ""
+msgstr "<filnavn>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
-msgstr ""
+msgstr "<headerfilter>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<grænseflade>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr ""
+msgstr "<nøglenavn>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
-msgstr ""
+msgstr "<nøgle>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
-msgstr ""
+msgstr "<modelassertion>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
-msgstr ""
+msgstr "<forespørgsel>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
+msgstr "<rodmappe>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
-msgstr ""
+msgstr "<snap>:<plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
-msgstr ""
+msgstr "<snap>:<slot eller plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
+msgstr "<snap>:<slot>"
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
 msgstr ""
 
 msgid "Abort a pending change"
-msgstr ""
+msgstr "Afbryd en ventende ændring"
 
 msgid "Added"
-msgstr ""
+msgstr "Tilføjet"
 
 msgid "Adds an assertion to the system"
+msgstr "Tilføjer en assertion til systemet"
+
+msgid "Advise on available snaps."
 msgstr ""
 
-msgid "Alias for --dangerous (DEPRECATED)"
+msgid "Advise on snaps that provide the given command"
 msgstr ""
 
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr "Alias for --dangerous (FORÆLDET)"
+
 msgid "All snaps up to date."
+msgstr "Alle snaps er opdateret."
+
+msgid "Allow opening file?"
 msgstr ""
 
-msgid "Alternative command to run"
+msgid "Allow refresh attempt on snap unknown to the store"
 msgstr ""
 
-msgid "Always return document, even with single key"
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr "Alternativ kommando som skal køres"
+
+msgid "Always return document, even with single key"
+msgstr "Returnér altid dokumentet endda med enkelt nøgle"
+
+msgid "Always return list, even with single key"
+msgstr "Returnér altid listen selv med enkelt nøgle"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
+msgstr "En e-mail på en bruger på login.ubuntu.com"
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
 msgstr ""
 
-msgid "Assertion file"
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr "Assertionsfil"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
-msgstr ""
+msgstr "Navn på asssertionstype"
 
 msgid "Authenticates on snapd and the store"
-msgstr ""
+msgstr "Godkender på snapd og i butikken"
 
 #, c-format
 msgid "Auto-refresh %d snaps"
@@ -199,48 +275,50 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
-msgid "Bad code. Try again: "
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
+msgid "Bad code. Try again: "
+msgstr "Ugyldig kode. Prøv igen: "
+
 msgid "Buys a snap"
-msgstr ""
+msgstr "Køber en snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
-msgstr ""
+msgstr "Skift id"
 
 msgid "Changes configuration options"
-msgstr ""
-
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
+msgstr "Ændrer konfigurationsindstillinger"
 
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Kommando\tAlias\tNoter"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
-msgstr ""
+msgstr "Konfigurationsværdi (nøgle=værdi)"
 
 msgid "Confirm passphrase: "
-msgstr ""
+msgstr "Bekræft adgangskode: "
 
 #, c-format
 msgid "Connect %s:%s to %s:%s"
 msgstr ""
 
 msgid "Connects a plug to a slot"
-msgstr ""
+msgstr "Forbinder en plug til en slot"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
-msgstr ""
+msgstr "Begræns oversigt til en specifik snap eller snap:navn"
 
 msgid "Constrain listing to specific interfaces"
-msgstr ""
+msgstr "Begræns oversigt til specifikke grænseflader"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
-msgstr ""
+msgstr "Begræns oversigt til dem som matcher header=værdi"
 
 #, c-format
 msgid "Copy snap %q data"
@@ -251,7 +329,7 @@
 msgstr ""
 
 msgid "Create cryptographic key pair"
-msgstr ""
+msgstr "Opret kryptografisk nøglepar"
 
 msgid "Create snap build assertion"
 msgstr ""
@@ -260,17 +338,17 @@
 msgstr ""
 
 msgid "Creates a local system user"
-msgstr ""
+msgstr "Opretter en lokal systembruger"
 
 msgid "Delete cryptographic key pair"
-msgstr ""
+msgstr "Slet kryptografisk nøglepar"
 
 msgid "Delete the local cryptographic key pair with the given name."
-msgstr ""
+msgstr "Slet det lokale kryptografiske nøglepar med det givne navn."
 
 #, c-format
 msgid "Disable %q snap"
-msgstr ""
+msgstr "Deaktivér %q snap"
 
 #, c-format
 msgid "Disable aliases for snap %q"
@@ -278,10 +356,10 @@
 
 #, c-format
 msgid "Disable all aliases for snap %q"
-msgstr ""
+msgstr "Deaktivér alle aliasser for snap %q"
 
 msgid "Disables a snap in the system"
-msgstr ""
+msgstr "Deaktiverer en snap i systemet"
 
 #, c-format
 msgid "Discard interface connections for snap %q (%s)"
@@ -296,6 +374,7 @@
 
 msgid "Do not wait for the operation to finish but just print the change id."
 msgstr ""
+"Vent ikke på at handlingen færdiggøres, men udskriv bare ændrings-id'et."
 
 #, c-format
 msgid "Download snap %q%s from channel %q"
@@ -305,21 +384,23 @@
 "Download the given revision of a snap, to which you must have developer "
 "access"
 msgstr ""
+"Hent den angivne udgave af en snap, som du skal have adgang til som udvikler"
 
 msgid "Downloads the given snap"
-msgstr ""
+msgstr "Henter den angivne snap"
 
 msgid "Email address: "
-msgstr ""
+msgstr "E-mailadresse: "
 
 #, c-format
 msgid "Enable %q snap"
-msgstr ""
+msgstr "Aktivér snap'en %q"
 
 msgid "Enables a snap in the system"
-msgstr ""
+msgstr "Aktiverer en snap i systemt"
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -327,7 +408,7 @@
 msgstr ""
 
 msgid "Export cryptographic public key"
-msgstr ""
+msgstr "Eksportér den offentlige kryptografiske nøgle"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
@@ -339,54 +420,61 @@
 
 #, c-format
 msgid "Fetching snap %q\n"
-msgstr ""
+msgstr "Henter snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
 msgid "Finds packages to install"
-msgstr ""
+msgstr "Finder pakker til installation"
 
 msgid "Force adding the user, even if the device is already managed"
 msgstr ""
+"Gennemtving tilføjelse af bruger også selvom enheden allerede håndteres"
 
 msgid "Force import on classic systems"
-msgstr ""
+msgstr "Gennemtving import på klassiske systemer"
 
 msgid ""
 "Format public key material as a request for an account-key for this account-"
 "id"
 msgstr ""
+"Formatér offentligt nøglemateriale som en forespørgsel efter en kontonøgle "
+"for dette konto-id"
 
 msgid "Generate device key"
 msgstr ""
 
 msgid "Generate the manpage"
-msgstr ""
+msgstr "Generér man-side"
 
 msgid "Grade states the build quality of the snap (defaults to 'stable')"
-msgstr ""
+msgstr "Karakteren angiver snap'ens buildkvalitet (som standard \"stable\")"
 
 msgid "Grant sudo access to the created user"
-msgstr ""
+msgstr "Giv sudo-adgang til den oprettede bruger"
 
 msgid "Help"
-msgstr ""
+msgstr "Hjælp"
 
 msgid "Hook to run"
-msgstr ""
+msgstr "Hook som skal køres"
 
 msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "ID\tStatus\tKald\tKlar\tSammendrag\n"
 
 msgid "Identifier of the signer"
-msgstr ""
+msgstr "Underskriverens identifikator"
 
 msgid "Identifier of the snap package associated with the build"
+msgstr "Identifikator for snap-pakken tilknyttet denne version"
+
+msgid "If the service has a reload command, use it instead of restarting."
 msgstr ""
 
 msgid "Ignore validation by other snaps blocking the refresh"
-msgstr ""
+msgstr "Ignorér bekræftelse fra andre snap'er, som blokerer genopfriskningen"
 
 #, c-format
 msgid ""
@@ -395,104 +483,129 @@
 "\n"
 "Once completed, return here and run 'snap buy %s' again."
 msgstr ""
+"For at kunne købe %q skal du godkende de seneste vilkår og betingelser. Gå "
+"til https://my.ubuntu.com/payment/edit for at gøre dette.\n"
+"\n"
+"Vend tilbage her til, når du har gjort det, og kør \"snap buy %s\" igen."
 
 msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
 msgstr ""
+"Inkludér en udførlig liste med en snaps noter (i modsat fald vises et "
+"sammendrag)"
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Inkludér ubrugte grænseflader"
 
 msgid "Initialize device"
 msgstr ""
 
 msgid "Inspects devices for actionable information"
-msgstr ""
+msgstr "Inspicerer enheder for information om handlinger"
 
 #, c-format
 msgid "Install %q snap"
-msgstr ""
+msgstr "Installér snap'en %q"
 
 #, c-format
 msgid "Install %q snap from %q channel"
-msgstr ""
+msgstr "Installér snap'en %q fra kanalen %q"
 
 #, c-format
 msgid "Install %q snap from file"
-msgstr ""
+msgstr "Installér snap'en %q fra en fil"
 
 #, c-format
 msgid "Install %q snap from file %q"
-msgstr ""
+msgstr "Installér snap'en %q fra filen %q"
 
 msgid "Install from the beta channel"
-msgstr ""
+msgstr "Installér fra betakanalen"
 
 msgid "Install from the candidate channel"
-msgstr ""
+msgstr "Installér fra kandidatkanalen"
 
 msgid "Install from the edge channel"
-msgstr ""
+msgstr "Installér fra forkantskanalen"
 
 msgid "Install from the stable channel"
-msgstr ""
+msgstr "Installér fra kanalen stable"
 
 #, c-format
 msgid "Install snap %q"
-msgstr ""
+msgstr "Installér snap'en %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Install snaps %s"
-msgstr ""
+msgstr "Installér snap'erne %s"
 
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
 msgstr ""
+"Installér den angivne version af en snap, som du skal have adgang til som "
+"udvikler"
 
 msgid ""
 "Install the given snap file even if there are no pre-acknowledged signatures "
 "for it, meaning it was not verified and could be dangerous (--devmode "
 "implies this)"
 msgstr ""
+"Installér den angivne snap-fil, også selvom der ikke er nogen "
+"forhåndsgodkendte signaturer til den, hvilket betyder, den ikke kunne "
+"bekræftes og kan være farlig (--devmode antyder dette)"
 
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
+"Installér den angivne snap uden at aktivere dens automatiske aliasser"
 
-msgid "Installs a snap to the system"
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
 msgstr ""
 
+msgid "Installs a snap to the system"
+msgstr "Installerer en snap på systemet"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
-msgstr ""
+msgstr "Interessant nøgle i konfigurationen"
 
 msgid "List a change's tasks"
-msgstr ""
+msgstr "Oplist en ændrings opgaver"
 
 msgid "List cryptographic keys"
-msgstr ""
+msgstr "Oplist kryptografiske nøgler"
 
 msgid "List cryptographic keys that can be used for signing assertions."
 msgstr ""
+"Oplist kryptografiske nøgler som kan bruges til at underskrive assertioner."
 
 msgid "List installed snaps"
-msgstr ""
+msgstr "Oplist installerede snap'er"
 
 msgid "List system changes"
-msgstr ""
+msgstr "Oplist systemændringer"
 
 msgid "Lists aliases in the system"
-msgstr ""
+msgstr "Oplist aliasser i systemet"
+
+msgid "Lists all repairs"
+msgstr "Oplister alle reparationer"
 
 msgid "Lists interfaces in the system"
-msgstr ""
+msgstr "Oplister grænseflader i systemet"
 
 msgid "Lists snap interfaces"
-msgstr ""
+msgstr "Oplister snap-grænseflader"
 
 msgid "Log out of the store"
-msgstr ""
+msgstr "Log af butikken"
 
 msgid "Login successful"
-msgstr ""
+msgstr "Login lykkedes"
 
 #, c-format
 msgid "Make current revision for snap %q unavailable"
@@ -521,48 +634,101 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
-msgstr ""
+msgstr "Navn på nøglen som skal oprettes; som standard \"default\""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
-msgstr ""
+msgstr "Navn på nøgle som skal slettes"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
-msgstr ""
+msgstr "Navn på nøglen som skal eksporteres"
 
 msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
 msgstr ""
+"Navn på GnuPG-nøglen som skal bruges (nøglenavnet er som standard "
+"\"default\")"
 
 msgid "Name of the key to use, otherwise use the default key"
-msgstr ""
+msgstr "Navn på nøglen som skal bruges. Ellers bruges standardnøglen"
 
 msgid "Name\tSHA3-384"
-msgstr ""
+msgstr "Navn\tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Navn\tSammendrag"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
-msgstr ""
+msgstr "Navn\tVersion\tUdvikler\tNoter\tSammendrag"
 
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr "Navn\tVersion\tUdg\tUdvikler\tNoter"
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
 msgstr ""
 
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+"Der er endnu ikke installeret nogen snap'er. Prøv \"snap install hello-"
+"world\"."
+
 msgid "Output results in JSON format"
+msgstr "Outputresultater i JSON-format"
+
+msgid "Pack the given target dir as a snap"
 msgstr ""
 
-msgid "Passphrase: "
+#, c-format
+msgid "Packages matching %q:\n"
 msgstr ""
 
+msgid "Passphrase: "
+msgstr "Adgangskode: "
+
 #, c-format
 msgid "Password of %q: "
-msgstr ""
+msgstr "Adgangskode til %q: "
 
 #. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
 #, c-format
@@ -570,20 +736,25 @@
 "Please re-enter your Ubuntu One password to purchase %q from %q\n"
 "for %s. Press ctrl-c to cancel."
 msgstr ""
+"Indtast din adgangskode til Ubuntu One igen for at købe %q fra %q\n"
+"til %s. Tryk ctrl-c for at afbryde."
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
 
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
 
 msgid "Prefer aliases from a snap and disable conflicts"
-msgstr ""
+msgstr "Foretræk aliasser fra en snap og deaktivér konflikter"
 
 #, c-format
 msgid "Prefer aliases of snap %q"
-msgstr ""
+msgstr "Foretræk aliasser til snap'en %q"
 
 msgid "Prepare a snappy image"
-msgstr ""
+msgstr "Forbered et snappy-aftryk"
 
 #, c-format
 msgid "Prepare snap %q (%s)"
@@ -594,74 +765,74 @@
 msgstr ""
 
 msgid "Print the version and exit"
-msgstr ""
+msgstr "Udskriv versionen og afslut"
 
 msgid "Prints configuration options"
-msgstr ""
+msgstr "Udskriver konfigurationsindstillingerne"
 
 msgid "Prints the confinement mode the system operates in"
-msgstr ""
+msgstr "Udskriver den indesluttede tilstand, som systemet virker i"
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
-msgstr ""
+msgstr "Udskriver, om systemet er håndteret"
 
 #, c-format
 msgid "Prune automatic aliases for snap %q"
 msgstr ""
 
 msgid "Put snap in classic mode and disable security confinement"
-msgstr ""
+msgstr "Sæt snap i klassisk tilstand og deaktivér sikkerhedsindeslutning"
 
 msgid "Put snap in development mode and disable security confinement"
-msgstr ""
+msgstr "Sæt snap i udviklingstilstand og deaktivér sikkerhedsindeslutning"
 
 msgid "Put snap in enforced confinement mode"
-msgstr ""
+msgstr "Sæt snap i gennemtvunget, indesluttet tilstand"
 
 msgid "Query the status of services"
-msgstr ""
+msgstr "Forespørg om tjenesternes status"
 
 #, c-format
 msgid "Refresh %q snap"
-msgstr ""
+msgstr "Genopfrisk snap'en %q"
 
 #, c-format
 msgid "Refresh %q snap from %q channel"
-msgstr ""
+msgstr "Genopfrisk snap'en %q fra kanalen %q"
 
 #, c-format
 msgid "Refresh aliases for snap %q"
 msgstr ""
 
 msgid "Refresh all snaps: no updates"
-msgstr ""
+msgstr "Genopfrisk alle snap'er: ingen opdateringer"
 
 #, c-format
 msgid "Refresh snap %q"
-msgstr ""
+msgstr "Genopfrisk snap'en %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s"
-msgstr ""
+msgstr "Genopfrisk snap'erne %s"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s: no updates"
-msgstr ""
+msgstr "Genopfrisk snap'erne %s: ingen opdateringer"
 
 msgid "Refresh to the given revision"
-msgstr ""
+msgstr "Genopfrisk til den givne udgave"
 
 msgid "Refreshes a snap in the system"
-msgstr ""
+msgstr "Genopfrisker en snap i systemet"
 
 #, c-format
 msgid "Remove %q snap"
-msgstr ""
+msgstr "Fjern snap'en %q"
 
 #, c-format
 msgid "Remove aliases for snap %q"
@@ -673,10 +844,10 @@
 
 #, c-format
 msgid "Remove manual alias %q for snap %q"
-msgstr ""
+msgstr "Fjern det manuelle alias %q for snap'en %q"
 
 msgid "Remove only the given revision"
-msgstr ""
+msgstr "Fjern kun den angivne udgave"
 
 #, c-format
 msgid "Remove security profile for snap %q (%s)"
@@ -688,7 +859,7 @@
 
 #, c-format
 msgid "Remove snap %q"
-msgstr ""
+msgstr "Fjern snap'en %q"
 
 #, c-format
 msgid "Remove snap %q (%s) from the system"
@@ -697,37 +868,40 @@
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Remove snaps %s"
-msgstr ""
+msgstr "Fjern snap'erne %s"
 
 msgid "Removed"
-msgstr ""
+msgstr "Fjernet"
 
 msgid "Removes a snap from the system"
-msgstr ""
+msgstr "Fjerner en snap fra systemet"
 
 msgid "Request device serial"
 msgstr ""
 
 msgid "Restart services"
-msgstr ""
+msgstr "Genstart tjenester"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Genstartet.\n"
 
 msgid "Restrict the search to a given section"
-msgstr ""
+msgstr "Begræns søgningen til et angivent afsnit"
 
 msgid "Retrieve logs of services"
-msgstr ""
+msgstr "Hent tjenesternes logge"
 
 #, c-format
 msgid "Revert %q snap"
-msgstr ""
+msgstr "Gendan snap'en %q"
 
 msgid "Reverts the given snap to the previous state"
-msgstr ""
+msgstr "Gendanner den angivne snap til sin forrige tilstand"
 
 msgid "Run a shell instead of the command (useful for debugging)"
+msgstr "Kør en skal i stedet for kommandoen (nyttig til fejlsøgning)"
+
+msgid "Run as a timer service with given schedule"
 msgstr ""
 
 #, c-format
@@ -750,6 +924,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,33 +935,47 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
-msgid "Run the given snap command"
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
 msgstr ""
 
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr "Kør den angivne snap-kommando"
+
 msgid "Run the given snap command with the right confinement and environment"
 msgstr ""
+"Kør den angivne snap-kommando med den rette indeslutning og det rette miljø"
 
 msgid "Runs debug commands"
-msgstr ""
+msgstr "Kører fejlsøgningskommandoer"
 
 msgid "Search private snaps"
-msgstr ""
+msgstr "Søg private snap'er"
 
 msgid ""
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
+"Vælg sidste ændring af givne type (installér, genopfrisk, fjern, prøv, auto-"
+"genopfrisk osv.)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
 
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
 
 msgid "Sets up a manual alias"
-msgstr ""
+msgstr "Indstiller et manuelt alias"
 
 #, c-format
 msgid "Setup alias %q => %q for snap %q"
-msgstr ""
+msgstr "Indstil alias %q => %q for snap'en %q"
 
 #, c-format
 msgid "Setup manual alias %q => %q for snap %q"
@@ -806,28 +998,42 @@
 msgstr ""
 
 msgid "Show all revisions"
-msgstr ""
+msgstr "Vis alle udgaver"
 
 msgid "Show auto refresh information but do not perform a refresh"
 msgstr ""
+"Vis information om automatisk genopfriskning, men udfør ikke en "
+"genopfriskning"
 
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
+"Vis snap'er som er tilgængelige for genopfriskning, men udfør ikke en "
+"genopfriskning"
 
-msgid "Show details of a specific interface"
+msgid "Show detailed information about a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Vis detaljer om en specifik grænseflade"
+
 msgid "Show interface attributes"
+msgstr "Vis grænsefladeattributer"
+
+msgid "Show only the given number of lines, or 'all'."
 msgstr ""
 
 msgid "Shows known assertions of the provided type"
-msgstr ""
+msgstr "Viser kendte assertioner af den leverede type"
+
+msgid "Shows specific repairs"
+msgstr "Viser specifikke reparationer"
 
 msgid "Shows version details"
-msgstr ""
+msgstr "Viser versionsdetaljer"
 
 msgid "Sign an assertion"
-msgstr ""
+msgstr "Underskriv en assertion"
 
 msgid ""
 "Sign an assertion using the specified key, using the input for headers from "
@@ -836,22 +1042,29 @@
 msgstr ""
 
 msgid "Slot\tPlug"
-msgstr ""
+msgstr "Slot\tPlug"
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr "Snap-navn"
 
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
 "payment details at https://my.ubuntu.com/payment/edit and try again."
 msgstr ""
+"Beklager, men din betalingsmetode er blevet afvist af udstederen. Gennemse "
+"dine\n"
+"betalingsdetaljer på https://my.ubuntu.com/payment/edit og prøv igen."
 
 msgid "Start services"
-msgstr ""
+msgstr "Start tjenester"
 
 #, c-format
 msgid "Start snap %q (%s) services"
@@ -865,16 +1078,16 @@
 msgstr ""
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Start tjenesten userd"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Startet.\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "Status\tKald\tKlar\tSammendrag\n"
 
 msgid "Stop services"
-msgstr ""
+msgstr "Stop tjenester"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
@@ -888,10 +1101,10 @@
 msgstr ""
 
 msgid "Stopped.\n"
-msgstr ""
+msgstr "Stoppet.\n"
 
 msgid "Strict typing with nulls and quoted strings"
-msgstr ""
+msgstr "Striks indtastning med null'er og strenge i anførselstegn"
 
 #, c-format
 msgid "Switch %q snap to %s"
@@ -906,13 +1119,13 @@
 msgstr ""
 
 msgid "Switches snap to a different channel"
-msgstr ""
+msgstr "Skifter snap'en til en anden kanal"
 
 msgid "Temporarily mount device before inspecting"
-msgstr ""
+msgstr "Montér enheden midlertidigt før inspektion"
 
 msgid "Tests a snap in the system"
-msgstr ""
+msgstr "Tester en snap i systemet"
 
 #. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
 #, c-format
@@ -920,40 +1133,53 @@
 "Thanks for purchasing %q. You may now install it on any of your devices\n"
 "with 'snap install %s'."
 msgstr ""
+"Tak for dit køb af %q. Du kan nu installere det på alle dine enheder\n"
+"med \"snap install %s\"."
 
 msgid ""
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
-msgstr ""
+msgstr "E-mailen til login-ubuntu.com der skal logges ind med"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
-msgstr ""
+msgstr "Modellens assertionsnavn"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
-msgstr ""
+msgstr "Outputmappen"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
-msgstr ""
+msgstr "Snap'en som skal konfigureres (f.eks. hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
-msgstr ""
+msgstr "Snap'en hvis konfiguration der spørges om"
 
 msgid "The userd command starts the snap user session service."
-msgstr ""
+msgstr "Kommandoen userd starter tjenesten snap-brugersession."
 
 msgid "This command logs the current user out of the store"
+msgstr "Denne kommando logger den aktuelle bruger ud af butikken"
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
 msgstr ""
 
-msgid "Tool to interact with snaps"
+#, c-format
+msgid "Toggle snap %q flags"
 msgstr ""
 
+msgid "Tool to interact with snaps"
+msgstr "Værktøj til at interagere med snap'er"
+
 #, c-format
 msgid "Transition security profiles from %q to %q"
 msgstr ""
@@ -963,47 +1189,65 @@
 
 #, c-format
 msgid "Try %q snap from %s"
+msgstr "Prøv snap'en %q fra %s"
+
+msgid "Try: snap install <selected snap>\n"
 msgstr ""
 
 msgid "Two-factor code: "
-msgstr ""
+msgstr "To-faktorkode: "
 
 msgid "Unalias a manual alias or an entire snap"
-msgstr ""
+msgstr "Fjern alias fra et manualt alias eller en hel snap"
 
 msgid "Use a specific snap revision when running hook"
-msgstr ""
+msgstr "Brug en specifik udgave af snap'en, når hook køres"
 
 msgid "Use known assertions for user creation"
+msgstr "Brug kendte assertioner til oprettelse af bruger"
+
+msgid "Use the given output format (pretty or json)"
 msgstr ""
 
 msgid "Use this channel instead of stable"
+msgstr "Brug denne kanal i stedet for stable"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
 msgstr ""
+"ADVARSEL: Output fra \"snap get\" bliver en liste med kolonner. Brug -d "
+"eller -l til at gennemtvinge outputformatet.\n"
 
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
+msgstr "ADVARSEL: Kunne ikke aktivere logning: %v\n"
+
+msgid "Wait for new lines and print them as they come in."
 msgstr ""
 
 msgid "Waiting for server to restart"
-msgstr ""
+msgstr "Venter på, at serveren genstarter"
 
 msgid "Watch a change in progress"
-msgstr ""
+msgstr "Se en ændring, mens den sker"
 
 msgid "Wrong again. Once more: "
-msgstr ""
+msgstr "Forkert igen. En gang til: "
 
 #, c-format
 msgid "Xauthority file isn't owned by the current user %s"
-msgstr ""
+msgstr "Xauthority-filen tilhører ikke den nuværende bruger %s"
 
 msgid "Yes, yes it does."
-msgstr ""
+msgstr "Jo, jo den gør."
 
 msgid ""
 "You need to be logged in to purchase software. Please run 'snap login' and "
 "try again."
 msgstr ""
+"Du skal være logget på for at kunne købe programmer. Kør \"snap login\" og "
+"prøv igen."
 
 #, c-format
 msgid ""
@@ -1013,11 +1257,18 @@
 "Once you’ve added your payment details, you just need to run 'snap buy %s' "
 "again."
 msgstr ""
+"Du skal have en betalingsmetode tilknyttet din konto for at kunne købe en "
+"snap. Gå til https://my.ubuntu.com/payment/edit for at tilføje en.\n"
+"\n"
+"Når du her tilføjet dine betalingsoplysninger, skal du bare køre \"snap buy "
+"%s\" igen."
 
 #. TRANSLATORS: the %s is the argument given by the user to "snap changes"
 #, c-format
 msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
 msgstr ""
+"Kommandoen \"snap changes\" forventer navnet på en snap. Prøv \"snap tasks "
+"%s\""
 
 msgid ""
 "\n"
@@ -1029,11 +1280,28 @@
 "This is the CLI for snapd, a background service that takes care of\n"
 "snaps on the system. Start with 'snap list' to see installed snaps.\n"
 msgstr ""
+"\n"
+"Installér, konfigurér, genopfrisk og fjern snap-pakker. Snap'er er\n"
+"\"universelle\" pakker, som virker på mange forskellige Linux-systemer\n"
+"og tillader sikker distribution af de seneste programmer og redskaber\n"
+"til skyen, servere, computere og \"internet of things\" (IoT).\n"
+"\n"
+"Dette er kommandolinjegrænsefladen til snapd, en baggrundstjeneste\n"
+"som håndterer snap'er på systemet. Begynd med \"snap list\" for at se\n"
+"installerede snap'er.\n"
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
+"\n"
+"Kommandoen afbryd forsøger at afbryde en ændring, som stadig har afventende "
+"opgaver.\n"
 
 msgid ""
 "\n"
@@ -1047,6 +1315,25 @@
 "public key and the assertion consistent with and its prerequisite in the\n"
 "database.\n"
 msgstr ""
+"\n"
+"Kommandoen ack forsøger at tilføje en assertion til systemets "
+"assertionsdatabase.\n"
+"\n"
+"Assertionen kan også være en nyere udgave af en allerede eksisterende "
+"assertion\n"
+"som den vil erstatte.\n"
+"\n"
+"For at lykkes skal assertionen være gyldig, dens signatur bekræftet af en "
+"kendt\n"
+"offentlig nøgle, og assertionen skal være i overensstemmelse dens "
+"forudsætning\n"
+"i databasen.\n"
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1055,6 +1342,11 @@
 "Once this manual alias is setup the respective application command can be "
 "invoked just using the alias.\n"
 msgstr ""
+"\n"
+"Kommandoen alias forbinder det angivne snap-program med det angivne alias.\n"
+"\n"
+"Når dette manuelle alias er indstillet, kan den tilhørende programkommando "
+"kaldes med aliasset.\n"
 
 msgid ""
 "\n"
@@ -1070,6 +1362,21 @@
 "not defined in the current revision of the snap; possibly temporarely (e.g\n"
 "because of a revert), if not this can be cleared with snap alias --reset.\n"
 msgstr ""
+"\n"
+"Kommandoen aliases oplister alle tilgængelige aliasser i systemet og deres "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Oplister kun aliasserne defineret af den angivne snap.\n"
+"\n"
+"Er et alias markeret som udefineret, betyder det, at det eksplicit var "
+"aktiveret\n"
+"eller deaktiveret, men det er ikke defineret i den aktuelle udgave af "
+"snap'en,\n"
+"muligvis kun midlertidigt (f.eks. pga. en tilbagerulning). Hvis ikke, kan "
+"det ryddes\n"
+"med snap alias --reset.\n"
 
 msgid ""
 "\n"
@@ -1084,17 +1391,33 @@
 "Imported assertions must be made available in the auto-import.assert file\n"
 "in the root of the filesystem.\n"
 msgstr ""
+"\n"
+"Kommandoen auto-import søger på de tilgængelige monterede enheder\n"
+"efter assertioner, som er underskrevet af betroede autoriteter, og\n"
+"udfører eventuelt systemændringer baseret på dem.\n"
+"\n"
+"Hvis en eller flere stier til enheder er givet med --mount, monteres de\n"
+"midlertidigt for også at blive gennemsøgt. Selv i dette tilfælde vil "
+"kommandoen\n"
+"stadig gennemsøge alle tilgængelige monterede enheder.\n"
+"\n"
+"Importerede assertioner skal gøres tilgængelige i filen auto-import.assert\n"
+"i filsystemets rod.\n"
 
 msgid ""
 "\n"
 "The buy command buys a snap from the store.\n"
 msgstr ""
+"\n"
+"Kommandoen buy køber en snap i butikken.\n"
 
 msgid ""
 "\n"
 "The changes command displays a summary of the recent system changes "
 "performed."
 msgstr ""
+"\n"
+"Kommandoen changes viser et sammendrag af de senest udførte systemændringer."
 
 msgid ""
 "\n"
@@ -1102,6 +1425,10 @@
 "none)\n"
 "the system operates in.\n"
 msgstr ""
+"\n"
+"Kommandoen confinement vil udskrive indeslutningstilstanden (strengt, "
+"delvist, ingen),\n"
+"som systemet virker i.\n"
 
 msgid ""
 "\n"
@@ -1126,6 +1453,27 @@
 "matching\n"
 "the plug name.\n"
 msgstr ""
+"\n"
+"Kommandoen connect forbinder en plug til en slot.\n"
+"Den kan kaldes på følgende måder:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Forbinder den givne plug til den angivne slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Forbinder den specifikke plug til den eneste slot i den givne snap, som "
+"matcher\n"
+"den forbundne grænseflade. Hvis der er mere end en potentiel slot, "
+"mislykkes\n"
+"kommandoen.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Forbinder den givne plug til den slot i kernesnap'en,med et navn, som "
+"matcher\n"
+"plugens navn.\n"
 
 msgid ""
 "\n"
@@ -1136,6 +1484,13 @@
 "\n"
 "An account can be setup at https://login.ubuntu.com.\n"
 msgstr ""
+"\n"
+"Kommanoden create-user opretter en lokal systembruger, hvor brugernavnet og\n"
+"SSH-nøglerne er registrerede hos butikskontoen, som identificeres ved den "
+"angivne\n"
+"e-mailadresse.\n"
+"\n"
+"En konto kan sættes op på https://login.ubuntu.com.\n"
 
 msgid ""
 "\n"
@@ -1144,6 +1499,11 @@
 "Debug commands can be removed without notice and may not work on\n"
 "non-development systems.\n"
 msgstr ""
+"\n"
+"Kommandoen debug indeholder en samling underkommandoer.\n"
+"\n"
+"Debug-kommandoer kan blive fjernet uden forudgående besked og vil\n"
+"måske ikke virke på ikke-udviklingssystemer.\n"
 
 msgid ""
 "\n"
@@ -1151,6 +1511,10 @@
 "snap will no longer be available. But all the data is still available\n"
 "and the snap can easily be enabled again.\n"
 msgstr ""
+"\n"
+"Kommandoen disable deaktiverer en snap. Snap'ens binærfiler og\n"
+"tjenester vil ikke længere være tilgængelige. Alle data er stadig\n"
+"tilgængelige, og snap'en kan nemt reaktiveres.\n"
 
 msgid ""
 "\n"
@@ -1166,6 +1530,19 @@
 "Disconnects everything from the provided plug or slot.\n"
 "The snap name may be omitted for the core snap.\n"
 msgstr ""
+"\n"
+"Kommandoen disconnect afrbyder forbindelsen mellem\n"
+"en plug og en slot. Den kan kaldes på følgende måder:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Afbryder forbindelsen mellem den specifikke plug og\n"
+"den specifikke slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot eller plug>\n"
+"\n"
+"Afbryder alle forbindelser til/fra den angivne plug eller slot.\n"
+"Navnet på snap'en kan udelades for kernesnap'en.\n"
 
 msgid ""
 "\n"
@@ -1173,17 +1550,25 @@
 "to the current directory under .snap and .assert file extensions, "
 "respectively.\n"
 msgstr ""
+"\n"
+"Kommandoen download henter den angivne snap og dens understøttende\n"
+"assertioner til den aktuelle mappe med filendelserne hhv. .snap og .assert.\n"
 
 msgid ""
 "\n"
 "The enable command enables a snap that was previously disabled.\n"
 msgstr ""
+"\n"
+"Kommandoen enable aktiverer en snap, som før var deaktiveret.\n"
 
 msgid ""
 "\n"
 "The find command queries the store for available packages in the stable "
 "channel.\n"
 msgstr ""
+"\n"
+"Kommanoden find søger i butikken efter tilgængelige pakker i kanalen "
+"stable.\n"
 
 msgid ""
 "\n"
@@ -1243,22 +1628,47 @@
 "    $ snap get snap-name author.name\n"
 "    frank\n"
 msgstr ""
+"\n"
+"Kommandoen get udskriver konfigurationsmuligheder for den angivne snap.\n"
+"\n"
+"    $ snap get snap-navn brugernavn\n"
+"    frank\n"
+"\n"
+"Hvis flere tilvalg er angivet, returneres et dokument:\n"
+"\n"
+"    $ snap get snap-navn brugernavn adgangskode\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Indlejrede værdier kan hentes via en sti med punktum:\n"
+"\n"
+"    $ snap get snap-navn forfatter.navn\n"
+"    frank\n"
 
 msgid ""
 "\n"
 "The help command shows helpful information. Unlike this. ;-)\n"
 msgstr ""
+"\n"
+"Kommandoen hjælp viser nyttig information - i modsætning til denne. ;-)\n"
 
 msgid ""
 "\n"
 "The info command shows detailed information about a snap, be it by name or "
 "by path."
 msgstr ""
+"\n"
+"Kommandoen info viser detaljeret information om en snap enten efter navn "
+"eller sti."
 
 msgid ""
 "\n"
 "The install command installs the named snap in the system.\n"
 msgstr ""
+"\n"
+"Kommandoen install installerer den navngivne snap i systemet.\n"
 
 msgid ""
 "\n"
@@ -1316,12 +1726,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1784,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1819,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1859,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1947,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1962,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1973,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +2009,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +2060,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +2087,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +2112,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +2174,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2210,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2222,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2237,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2256,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2276,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2295,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/de.po snapd-2.37~rc1~14.04/po/de.po
--- snapd-2.32.3.2~14.04/po/de.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/de.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
-# German translation for snappy
-# Copyright (c) 2015 Rosetta Contributors and Canonical Ltd 2015
-# This file is distributed under the same license as the snappy package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2015.
+# German translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: snappy\n"
+"Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-01-07 18:59+0000\n"
-"Last-Translator: Tobias Bannert <tobannert@gmail.com>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: German <de@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -23,6 +23,10 @@
 "\n"
 "Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
 msgstr ""
+"%q enthält kein unkomprimiertes snap.\n"
+"\n"
+"Versuchen Sie \"snapcraft prime\" in Ihrem Projektordner, dann \"snap try\" "
+"erneut."
 
 #, c-format
 msgid "%q switched to the %q channel\n"
@@ -35,7 +39,7 @@
 
 #, c-format
 msgid "%s (delta)"
-msgstr ""
+msgstr "%s (Delta)"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
@@ -67,22 +71,27 @@
 msgid "%s removed\n"
 msgstr "%s entfernt\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s zurückgesetzt zu %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s %s %s aus »%s« installiert\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr "%s %s %s von »%s« aufgefrischt\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s installiert\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr "%s %s %s aufgefrischt\n"
@@ -96,62 +105,93 @@
 msgid "-r can only be used with --hook"
 msgstr "-r kann nur mit --hook benutzt werden"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<alias-oder-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<Alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr "<Behauptungsdatei>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr "<Behauptungstyp>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
-msgstr ""
+msgstr "<Änderungs-id>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr "<Konfigurationswert>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<E-Mail>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<Dateiname>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<Kopfzeilenfilter>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<Schnittstelle>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<Schlüsselname>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<Schlüssel>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +201,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr "Alle Snaps sind aktuell"
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +276,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +310,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +398,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +421,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +466,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +542,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +575,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +617,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +647,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +716,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +750,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +878,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +901,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +912,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +937,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -803,7 +969,7 @@
 
 #, c-format
 msgid "Setup snap %q%s security profiles (phase 2)"
-msgstr ""
+msgstr "Sicherheitsprofile für Snap %q%s einrichten (Phase 2)"
 
 msgid "Show all revisions"
 msgstr ""
@@ -814,15 +980,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1014,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1105,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1135,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1156,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1171,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1237,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1260,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1532,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1590,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1625,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1665,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1753,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1768,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1779,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1815,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1866,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1893,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1918,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1980,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2016,6 @@
 msgid "no valid snaps given"
 msgstr "keine gültigen Snaps angegeben"
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2028,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2043,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2062,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2082,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "nicht verfügbar"
 
@@ -1799,5 +2101,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
-msgstr "nicht unterstützte Shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/el.po snapd-2.37~rc1~14.04/po/el.po
--- snapd-2.32.3.2~14.04/po/el.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/el.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Greek translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-09-04 11:48+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Greek <el@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -23,15 +23,19 @@
 "\n"
 "Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
 msgstr ""
+"Το %q δεν περιέχει ένα απακετάριστο snap.\n"
+"\n"
+"Δοκιμάστε με «snapcraft prime» μέσα στον κατάλογο του έργου, και μετά «snap "
+"try» ξανά."
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "Το %q άλλαξε προς στο κανάλι %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
 msgid "%s %s mounted from %s\n"
-msgstr ""
+msgstr "Το %s %s είναι προσαρτημένο από %s\n"
 
 #, c-format
 msgid "%s (delta)"
@@ -40,52 +44,57 @@
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (see \"snap login --help\")"
-msgstr ""
+msgstr "%s (δείτε «snap login --help»)"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (try with sudo)"
-msgstr ""
+msgstr "%s (δοκιμάστε με sudo)"
 
 #, c-format
 msgid "%s already installed\n"
-msgstr ""
+msgstr "Το %s είναι ήδη εγκατεστημένο\n"
 
 #, c-format
 msgid "%s disabled\n"
-msgstr ""
+msgstr "Το %s έχει απενεργοποιηθεί\n"
 
 #, c-format
 msgid "%s enabled\n"
-msgstr ""
+msgstr "Το %s έχει ενεργοποιηθεί\n"
 
 #, c-format
 msgid "%s not installed\n"
-msgstr ""
+msgstr "Το %s δεν είναι εγκατεστημένο\n"
 
 #, c-format
 msgid "%s removed\n"
-msgstr ""
+msgstr "Το %s έχει αφαιρεθεί\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
-msgstr ""
+msgstr "Το %s έχει επαναφερθεί στην έκδοση %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
-msgstr ""
+msgstr "Το %s%s %s από «%s» έχει εγκατασταθεί\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
-msgstr ""
+msgstr "Το %s%s %s αποό «%s» έχει ανανεωθεί\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
-msgstr ""
+msgstr "Το %s%s %s έχει εγκατασταθεί\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
-msgstr ""
+msgstr "Το %s%s %s έχει ανανεωθεί\n"
 
 msgid "--list does not take mode nor channel flags"
 msgstr ""
@@ -94,137 +103,205 @@
 msgstr ""
 
 msgid "-r can only be used with --hook"
-msgstr ""
+msgstr "το -r μπορεί να χρησιμοποιηθεί μόνο με --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<ψευδώνυμο-ή-πακέτο-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
-msgstr ""
+msgstr "<ψευδώνυμο>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
-msgstr ""
+msgstr "<ηλεκ. διεύθυνση>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
-msgstr ""
+msgstr "<όνομα αρχείου>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
-msgstr ""
+msgstr "<φίλτρο κεφαλίδας>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<διεπαφή>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr ""
+msgstr "<κλειδί-όνομα>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
-msgstr ""
+msgstr "<κλειδί>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
-msgstr ""
+msgstr "<λεκτικό αναζήτησης>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
+msgstr "<γονικός-κατάλογος>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
-msgstr ""
+msgstr "<snap>:<plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
-msgid "Abort a pending change"
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
 msgstr ""
 
+msgid "Abort a pending change"
+msgstr "Εγκατάλειψη εκκρεμούς αλλαγής"
+
 msgid "Added"
-msgstr ""
+msgstr "Προστέθηκε"
 
 msgid "Adds an assertion to the system"
 msgstr ""
 
-msgid "Alias for --dangerous (DEPRECATED)"
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
 msgstr ""
 
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr "Ψευδώνυμο για --dangerous (ΠΑΡΩΧΗΜΕΝΟ)"
+
 msgid "All snaps up to date."
+msgstr "Όλα τα πακέτα snap είναι ενημερωμένα."
+
+msgid "Allow opening file?"
 msgstr ""
 
-msgid "Alternative command to run"
+msgid "Allow refresh attempt on snap unknown to the store"
 msgstr ""
 
-msgid "Always return document, even with single key"
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Alternative command to run"
+msgstr "Εναλλακτική εντολή για εκτέλεση"
+
+msgid "Always return document, even with single key"
+msgstr "Πάντα επιστροφή εγγράφου, ακόμα και με μονό κλειδί"
+
+msgid "Always return list, even with single key"
+msgstr "Πάντα επιστροφή λίστας, ακόμα και με μονό κλειδί"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
+msgstr "Μια ηλεκτρονική διεύθυνση χρήστη στο login.ubuntu.com"
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
 msgid "Authenticates on snapd and the store"
-msgstr ""
+msgstr "Ταυτοποίηση χρήστη στο snapd και το κατάστημα"
 
 #, c-format
 msgid "Auto-refresh %d snaps"
-msgstr ""
+msgstr "Αυτόματη ανανέωση %d snaps"
 
 #, c-format
 msgid "Auto-refresh snap %q"
-msgstr ""
+msgstr "Αυτόματη ανανέωση του snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Auto-refresh snaps %s"
+msgstr "Αυτόματη ανανέωση των snaps %s"
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
-msgstr ""
+msgstr "Αγορά πακέτου snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
-msgstr ""
+msgstr "Αλλαγή αναγνωριστικού"
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Εντολή\tΨευδώνυμο\tΣημειώσεις"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
 msgid "Confirm passphrase: "
-msgstr ""
+msgstr "Επιβεβαίωση φράσης πρόσβασης: "
 
 #, c-format
 msgid "Connect %s:%s to %s:%s"
@@ -233,12 +310,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
-msgstr ""
+msgstr "Περιορισμός λίστας σε συγκεκριμένο snap ή snap:όνομα"
 
 msgid "Constrain listing to specific interfaces"
-msgstr ""
+msgstr "Περιορισμός λίστας σε συγκεκριμένη διεπαφή"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -251,7 +330,7 @@
 msgstr ""
 
 msgid "Create cryptographic key pair"
-msgstr ""
+msgstr "Δημιουργία κρυπτογραφικού ζεύγους κλειδιών"
 
 msgid "Create snap build assertion"
 msgstr ""
@@ -260,28 +339,29 @@
 msgstr ""
 
 msgid "Creates a local system user"
-msgstr ""
+msgstr "Δημιουργία χρήστη τοπικού συστήματος"
 
 msgid "Delete cryptographic key pair"
-msgstr ""
+msgstr "Διαγραφή κρυπτογραφικού ζεύγους κλειδιών"
 
 msgid "Delete the local cryptographic key pair with the given name."
 msgstr ""
+"Διαγραφή τοπικού κρυπτογραφικού ζεύγους κλειδιών με το συγκεκριμένο όνομα."
 
 #, c-format
 msgid "Disable %q snap"
-msgstr ""
+msgstr "Απενεργοποίηση του snap %q"
 
 #, c-format
 msgid "Disable aliases for snap %q"
-msgstr ""
+msgstr "Απενεργοποίηση ψευδωνύμων για το snap %q"
 
 #, c-format
 msgid "Disable all aliases for snap %q"
-msgstr ""
+msgstr "Απενεργοποίηση όλων των ψευδωνύμων για το snap %q"
 
 msgid "Disables a snap in the system"
-msgstr ""
+msgstr "Απενεργοποίηση snap στο σύστημα"
 
 #, c-format
 msgid "Discard interface connections for snap %q (%s)"
@@ -307,19 +387,20 @@
 msgstr ""
 
 msgid "Downloads the given snap"
-msgstr ""
+msgstr "Λήψη του συγκεκριμένου snap"
 
 msgid "Email address: "
-msgstr ""
+msgstr "Ηλεκτρονική διεύθυνση: "
 
 #, c-format
 msgid "Enable %q snap"
-msgstr ""
+msgstr "Ενεργοποίση του πακέτου snap %q"
 
 msgid "Enables a snap in the system"
-msgstr ""
+msgstr "Ενεργοποίηση snap στο σύστημα"
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -327,7 +408,7 @@
 msgstr ""
 
 msgid "Export cryptographic public key"
-msgstr ""
+msgstr "Εξαγωγη κρυπτογραφικού ζεύγους κλειδιών"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
@@ -339,13 +420,14 @@
 
 #, c-format
 msgid "Fetching snap %q\n"
-msgstr ""
+msgstr "Ανάκτηση snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
 msgid "Finds packages to install"
-msgstr ""
+msgstr "Αναζήτηση πακέτων προς εγκατάσταση"
 
 msgid "Force adding the user, even if the device is already managed"
 msgstr ""
@@ -359,7 +441,7 @@
 msgstr ""
 
 msgid "Generate device key"
-msgstr ""
+msgstr "Δημιουργία κλειδιού συσκευής"
 
 msgid "Generate the manpage"
 msgstr ""
@@ -371,13 +453,13 @@
 msgstr ""
 
 msgid "Help"
-msgstr ""
+msgstr "Βοήθεια"
 
 msgid "Hook to run"
 msgstr ""
 
 msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "Ταυτότητα\tΚατάσταση\tΣτιγμή εκκίνησης\tΣε λειτουργία\tΠερίληψη\n"
 
 msgid "Identifier of the signer"
 msgstr ""
@@ -385,6 +467,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -410,40 +495,40 @@
 
 #, c-format
 msgid "Install %q snap"
-msgstr ""
+msgstr "Εγκατάσταση snap %q"
 
 #, c-format
 msgid "Install %q snap from %q channel"
-msgstr ""
+msgstr "Εγκατάσταση snap %q από το κανάλι %q"
 
 #, c-format
 msgid "Install %q snap from file"
-msgstr ""
+msgstr "Εγκατάσταση snap %q από αρχείο"
 
 #, c-format
 msgid "Install %q snap from file %q"
-msgstr ""
+msgstr "Εγκατάσταση snap %q από το αρχείο %q"
 
 msgid "Install from the beta channel"
-msgstr ""
+msgstr "Εγκατάσταση από το κανάλι beta"
 
 msgid "Install from the candidate channel"
-msgstr ""
+msgstr "Εγκατάσταση από το κανάλι candidate"
 
 msgid "Install from the edge channel"
-msgstr ""
+msgstr "Εγκατάσταση από το κανάλι edge"
 
 msgid "Install from the stable channel"
-msgstr ""
+msgstr "Εγκατάσταση από το κανάλι stable"
 
 #, c-format
 msgid "Install snap %q"
-msgstr ""
+msgstr "Εγκατάσταση snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Install snaps %s"
-msgstr ""
+msgstr "Εγκατάσταση snaps %s"
 
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
@@ -458,9 +543,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
-msgid "Installs a snap to the system"
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
 msgstr ""
 
+msgid "Installs a snap to the system"
+msgstr "Εγκατάσταση snap στο σύστημα"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -474,7 +568,7 @@
 msgstr ""
 
 msgid "List installed snaps"
-msgstr ""
+msgstr "Προβολή των εγκατεστημένων πακέτων snap"
 
 msgid "List system changes"
 msgstr ""
@@ -482,6 +576,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -489,7 +586,7 @@
 msgstr ""
 
 msgid "Log out of the store"
-msgstr ""
+msgstr "Αποσύνδεση από το κατάστημα"
 
 msgid "Login successful"
 msgstr "Επιτυχής σύνδεση"
@@ -521,14 +618,17 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
-msgstr ""
+msgstr "Όνομα κλειδιού προς διαγραφή"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
-msgstr ""
+msgstr "Όνομα κλειδιού προς εξαγωγή"
 
 msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
 msgstr ""
@@ -537,32 +637,80 @@
 msgstr ""
 
 msgid "Name\tSHA3-384"
-msgstr ""
+msgstr "Όνομα πακέτου\tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Όνομα πακέτου\tΠερίληψη"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
-msgstr ""
+msgstr "Όνομα πακέτου\tΈκδοση\tΣυντελεστής\tΣημειώσεις\tΠερίληψη"
 
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr "Όνομα πακέτου\tΈκδοση\tΑναθεώρηση\tΣυντελεστής\tΣημειώσεις"
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
+"Κανένα span δεν έχει εγκατασταθεί ακόμα. Δοκιμάστε «snap install hello-"
+"world»."
 
 msgid "Output results in JSON format"
+msgstr "Η έξοδος καταλήγει σε μορφή JSON"
+
+msgid "Pack the given target dir as a snap"
 msgstr ""
 
-msgid "Passphrase: "
+#, c-format
+msgid "Packages matching %q:\n"
 msgstr ""
 
+msgid "Passphrase: "
+msgstr "Φράση προσβασης: "
+
 #, c-format
 msgid "Password of %q: "
-msgstr ""
+msgstr "Κωδικός πρόσβασης του %q: "
 
 #. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
 #, c-format
@@ -571,19 +719,22 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
 
 msgid "Prefer aliases from a snap and disable conflicts"
-msgstr ""
+msgstr "Προτίμηση ψευδώνυμα από snap και απενεργοποίηση συγκρούσεων"
 
 #, c-format
 msgid "Prefer aliases of snap %q"
-msgstr ""
+msgstr "Προτίμηση ψευδωνύμων του snap %q"
 
 msgid "Prepare a snappy image"
-msgstr ""
+msgstr "Προετοιμασία εικόνας snappy"
 
 #, c-format
 msgid "Prepare snap %q (%s)"
@@ -594,15 +745,15 @@
 msgstr ""
 
 msgid "Print the version and exit"
-msgstr ""
+msgstr "Εκτύπωση έκδοσης και έξοδος"
 
 msgid "Prints configuration options"
-msgstr ""
+msgstr "Εμφάνιση των επιλογών ρυθμίσεων"
 
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -626,42 +777,42 @@
 
 #, c-format
 msgid "Refresh %q snap"
-msgstr ""
+msgstr "Ανανέωση snap %q"
 
 #, c-format
 msgid "Refresh %q snap from %q channel"
-msgstr ""
+msgstr "Ανανέωση snap %q από το κανάλι %q"
 
 #, c-format
 msgid "Refresh aliases for snap %q"
 msgstr ""
 
 msgid "Refresh all snaps: no updates"
-msgstr ""
+msgstr "Ανανέωση όλων των snaps: καμία ενημέρωση"
 
 #, c-format
 msgid "Refresh snap %q"
-msgstr ""
+msgstr "Ανανέωση snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s"
-msgstr ""
+msgstr "Ανανέωση snaps %s"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s: no updates"
-msgstr ""
+msgstr "Ανανέωση snaps %s: καμία ενημέρωση"
 
 msgid "Refresh to the given revision"
-msgstr ""
+msgstr "Ανανέωση στη συγκεκριμένη αναθεώρηση"
 
 msgid "Refreshes a snap in the system"
-msgstr ""
+msgstr "Ανανέωση των πακέτων snap του συστήματος"
 
 #, c-format
 msgid "Remove %q snap"
-msgstr ""
+msgstr "Αφαίρεση snap %q"
 
 #, c-format
 msgid "Remove aliases for snap %q"
@@ -673,10 +824,10 @@
 
 #, c-format
 msgid "Remove manual alias %q for snap %q"
-msgstr ""
+msgstr "Αφαίρεση χειροκίνητου ψευδώνυμου %q για το snap %q"
 
 msgid "Remove only the given revision"
-msgstr ""
+msgstr "Αφαίρεση μόνο της συγκεκριμένης αναθεώρησης"
 
 #, c-format
 msgid "Remove security profile for snap %q (%s)"
@@ -688,7 +839,7 @@
 
 #, c-format
 msgid "Remove snap %q"
-msgstr ""
+msgstr "Αφαίρεση snap %q"
 
 #, c-format
 msgid "Remove snap %q (%s) from the system"
@@ -697,22 +848,22 @@
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Remove snaps %s"
-msgstr ""
+msgstr "Αφαίρεση snaps %s"
 
 msgid "Removed"
-msgstr ""
+msgstr "Αφαιρέθηκε"
 
 msgid "Removes a snap from the system"
-msgstr ""
+msgstr "Αφαίρεση πακέτου snap από το σύστημα"
 
 msgid "Request device serial"
 msgstr ""
 
 msgid "Restart services"
-msgstr ""
+msgstr "Επανεκκίνηση υπηρεσιών"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Επανεκκινήθηκε.\n"
 
 msgid "Restrict the search to a given section"
 msgstr ""
@@ -728,6 +879,9 @@
 msgstr ""
 
 msgid "Run a shell instead of the command (useful for debugging)"
+msgstr "Εκτέλεση ενός φλοιού αντί μιας εντολής (χρήσιμο στην εκσφαλμάτωση)"
+
+msgid "Run as a timer service with given schedule"
 msgstr ""
 
 #, c-format
@@ -750,6 +904,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,23 +915,34 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
-msgid "Run the given snap command"
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
 msgstr ""
 
+msgid "Run the given snap command"
+msgstr "Εκτέλεση συγκεκριμένης εντολής snap"
+
 msgid "Run the given snap command with the right confinement and environment"
 msgstr ""
 
 msgid "Runs debug commands"
-msgstr ""
+msgstr "Εκτέλεση εντολών αποσφαλμάτωσης"
 
 msgid "Search private snaps"
-msgstr ""
+msgstr "Αναζήτηση ιδιωτικών snaps"
 
 msgid ""
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -806,25 +975,36 @@
 msgstr ""
 
 msgid "Show all revisions"
-msgstr ""
+msgstr "Εμφάνιση όλων των αναθεωρήσεων"
 
 msgid "Show auto refresh information but do not perform a refresh"
 msgstr ""
 
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
+"Εμφάνιση διαθέσιμων snaps για ανανέωση αλλά να μην εκτελεστεί η ανανέωση"
 
-msgid "Show details of a specific interface"
+msgid "Show detailed information about a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Εμφάνιση λεπτομερειών συγκεκριμένης διεπαφής"
+
 msgid "Show interface attributes"
+msgstr "Εμφάνιση ιδιοτήτων διεπαφής"
+
+msgid "Show only the given number of lines, or 'all'."
 msgstr ""
 
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr "Εμφάνιση συγκεκριμένων επιδιορθώσεων"
+
 msgid "Shows version details"
-msgstr ""
+msgstr "Εμφάνιση λεπτομερειών έκδοσης"
 
 msgid "Sign an assertion"
 msgstr ""
@@ -838,11 +1018,15 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr "Όνομα snap"
 
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
@@ -851,7 +1035,7 @@
 msgstr ""
 
 msgid "Start services"
-msgstr ""
+msgstr "Εκκίνηση υπηρεσιών"
 
 #, c-format
 msgid "Start snap %q (%s) services"
@@ -865,16 +1049,16 @@
 msgstr ""
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Εκκίνηση υπηρεσίας userd"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Εκκινήθηκε.\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "Κατάσταση\tΣτιγμή εκκίνησης\tΣε λειτουργία\tΠερίληψη\n"
 
 msgid "Stop services"
-msgstr ""
+msgstr "Διακοπή υπηρεσιών"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
@@ -906,13 +1090,13 @@
 msgstr ""
 
 msgid "Switches snap to a different channel"
-msgstr ""
+msgstr "Αλλάζει το κανάλι σε ένα πακέτο snap"
 
 msgid "Temporarily mount device before inspecting"
 msgstr ""
 
 msgid "Tests a snap in the system"
-msgstr ""
+msgstr "Δοκιμή πακέτου snap στο σύστημα"
 
 #. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
 #, c-format
@@ -925,35 +1109,46 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
-msgstr ""
+msgstr "Κατάλογος εξόδου"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
-msgstr ""
+msgstr "Snap προς ρύθμιση (π.χ. hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
 msgid "The userd command starts the snap user session service."
-msgstr ""
+msgstr "Η εντολή userd εκκινεί την υπηρεσία συνεδρίας χρήστη."
 
 msgid "This command logs the current user out of the store"
 msgstr ""
 
-msgid "Tool to interact with snaps"
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
 msgstr ""
 
+msgid "Tool to interact with snaps"
+msgstr "Εργαλείο για αλληλεπίδραση με τα snaps"
+
 #, c-format
 msgid "Transition security profiles from %q to %q"
 msgstr ""
@@ -963,6 +1158,9 @@
 
 #, c-format
 msgid "Try %q snap from %s"
+msgstr "Δοκιμή snap %q από %s"
+
+msgid "Try: snap install <selected snap>\n"
 msgstr ""
 
 msgid "Two-factor code: "
@@ -977,18 +1175,29 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
+msgstr "Να χρησιμοποιηθεί αυτό το κανάλι αντί του stable"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
 msgstr ""
 
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
-msgid "Waiting for server to restart"
+msgid "Wait for new lines and print them as they come in."
 msgstr ""
 
+msgid "Waiting for server to restart"
+msgstr "Αναμονή για επανεκκίνηση του διακομιστή"
+
 msgid "Watch a change in progress"
-msgstr ""
+msgstr "Παρακολούθηση αλλαγής σε εξέλιξη"
 
 msgid "Wrong again. Once more: "
 msgstr ""
@@ -1004,6 +1213,8 @@
 "You need to be logged in to purchase software. Please run 'snap login' and "
 "try again."
 msgstr ""
+"Πρέπει να συνδεθείτε για αγορά λογισμικού. Παρακαλώ εκτελέστε «snap login» "
+"και δοκιμάστε ξανά."
 
 #, c-format
 msgid ""
@@ -1018,6 +1229,7 @@
 #, c-format
 msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
 msgstr ""
+"Η εντολή «snap changes» αναμένει όνομα snap, δοκιμάστε: «snap tasks %s»"
 
 msgid ""
 "\n"
@@ -1029,6 +1241,24 @@
 "This is the CLI for snapd, a background service that takes care of\n"
 "snaps on the system. Start with 'snap list' to see installed snaps.\n"
 msgstr ""
+"\n"
+"Εγκατάσταση, ρύθμιση, ανανέωση και απεγκατάσταση πακέτων snap. \n"
+"Τα πακέτα snap είναι «γενικά» πακέτα που μπορούν να εγκατασταθούν \n"
+"σε πολλές διαφορετικές διανομές Linux, επιτρέποντας της ασφαλή διάθεση\n"
+"εφαρμογών και εργαλείων για το σύννεφο, τους διακομιστές, τους "
+"επιτραπέζιους\n"
+"υπολογιστές και φορητούς καθώς και το Διαδίκτυο των πραγμάτων.\n"
+"\n"
+"Αυτό εδώ είναι το εργαλείο γραμμής εντολής για το snapd, μιας υπηρεσίας "
+"παρασκηνίου\n"
+"που διαχειρίζεται τα πακέτα snap στο σύστημα. Εκτελέστε την εντολή «snap "
+"list»\n"
+"για να δείτε τα ήδη εγκατεστημένα πακέτα snap.\n"
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1050,6 +1280,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1089,12 +1325,17 @@
 "\n"
 "The buy command buys a snap from the store.\n"
 msgstr ""
+"\n"
+"Η εντολή buy αγοράζει ένα πακέτο snap από το κατάστημα.\n"
 
 msgid ""
 "\n"
 "The changes command displays a summary of the recent system changes "
 "performed."
 msgstr ""
+"\n"
+"Η εντολή change προβάλει περίληψη των πρόσφατων αλλαγών συστήματος που "
+"εκτελέστηκαν."
 
 msgid ""
 "\n"
@@ -1151,6 +1392,11 @@
 "snap will no longer be available. But all the data is still available\n"
 "and the snap can easily be enabled again.\n"
 msgstr ""
+"\n"
+"Η εντολή disable απενεργοποιεί το snap. Τα εκτελέσιμα και οι υπηρεσίες του\n"
+"snap δεν θα είναι πλέον διαθέσιμα. Αλλά τα δεδομένα θα είναι ακόμα "
+"διαθέσιμα\n"
+"και το snap μπορεί εύκολα να ενεργοποιηθεί ξανά.\n"
 
 msgid ""
 "\n"
@@ -1178,6 +1424,9 @@
 "\n"
 "The enable command enables a snap that was previously disabled.\n"
 msgstr ""
+"\n"
+"Η εντολή enable ενεργοποιεί το πακέτο snap που ήταν προηγουμένως "
+"απενεργοποιημένο.\n"
 
 msgid ""
 "\n"
@@ -1300,6 +1549,9 @@
 "\n"
 "The list command displays a summary of snaps installed in the current system."
 msgstr ""
+"\n"
+"Η εντολή list προβάλει μια περίληψη των εγκατεστημένων snaps στο τρέχον "
+"σύστημα"
 
 msgid ""
 "\n"
@@ -1316,9 +1568,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
+"\n"
+"Η εντολή managed θα εκτυπώσει true ή false ενημερώνοντας αν\n"
+"το snapd έχει καταχωρημένους χρήστες.\n"
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
 
 msgid ""
 "\n"
@@ -1349,6 +1615,8 @@
 "\n"
 "The refresh command refreshes (updates) the named snap.\n"
 msgstr ""
+"\n"
+"Η εντολή refresh ανανεώνει το πακέτο snap που δηλώσατε.\n"
 
 msgid ""
 "\n"
@@ -1363,6 +1631,34 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+"\n"
+"Η εντολή repair εμφανίζει τις λεπτομέρειες για μία ή περισσότερες "
+"επιδιορθώσεις.\n"
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1669,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,15 +1709,44 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
+"\n"
+"Η εντολή switch αλλάζει σε ένα πακέτο snap το κανάλι του χωρίς να κάνει "
+"ταυτόχρονα ανανέωση (refresh).\n"
 
 msgid ""
 "\n"
 "The tasks command displays a summary of tasks associated to an individual "
 "change."
 msgstr ""
+"\n"
+"Η εντολή tasks προβάλει περίληψη των συσχετισμένων εργασιών σε μεμονωμένη "
+"αλλαγή."
 
 msgid ""
 "\n"
@@ -1444,6 +1775,9 @@
 "The version command displays the versions of the running client, server,\n"
 "and operating system.\n"
 msgstr ""
+"\n"
+"Η εντολή version προβάλει τις εκδόσεις του εκτελούμενου πελάτη, διακομιστή,\n"
+"και λειτουργικού συστήματος.\n"
 
 msgid ""
 "\n"
@@ -1456,6 +1790,9 @@
 "\n"
 "The whoami command prints the email the user is logged in with.\n"
 msgstr ""
+"\n"
+"Η εντολή whoami εμφανίζει την ηλεκτρονική διεύθυνση του χρήστη που έχει "
+"συνδεθεί.\n"
 
 #, c-format
 msgid ""
@@ -1472,9 +1809,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1487,29 +1822,36 @@
 msgstr ""
 
 msgid "active"
+msgstr "ενεργό"
+
+msgid "auto-refresh: all snaps are up-to-date"
 msgstr ""
 
 msgid "bought"
-msgstr ""
+msgstr "αγορασμένο"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "broken"
+msgstr "χαλασμένο"
+
+#, c-format
+msgid "cannot %s without a context"
 msgstr ""
 
 #, c-format
 msgid "cannot buy snap: %v"
-msgstr ""
+msgstr "αδυναμία αγοράς snap: %v"
 
 msgid "cannot buy snap: invalid characters in name"
-msgstr ""
+msgstr "αδυναμία αγοράς snap: μη έγκυροι χαρακτήρες στο όνομα"
 
 msgid "cannot buy snap: it has already been bought"
-msgstr ""
+msgstr "αδυναμία αγοράς snap: είναι ήδη αγορασμένο"
 
 #. TRANSLATORS: %q is the directory whose creation failed, %v the error message
 #, c-format
 msgid "cannot create %q: %v"
-msgstr ""
+msgstr "αδυναμία δημιουργίας του %q: %v"
 
 #, c-format
 msgid "cannot create assertions file: %v"
@@ -1522,30 +1864,29 @@
 
 #, c-format
 msgid "cannot find app %q in %q"
-msgstr ""
+msgstr "αδυναμία εύρεσης εφαρμογής %q στο %q"
 
 #, c-format
 msgid "cannot find hook %q in %q"
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
-msgstr ""
+msgstr "αδυναμία απόκτησης δεδομένων για το %q: %v"
 
 #. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
 #, c-format
 msgid "cannot get full path for %q: %v"
-msgstr ""
+msgstr "αδυναμία απόκτησης πλήρους μονοπατιού για το %q: %v"
 
 #, c-format
 msgid "cannot get the current user: %s"
-msgstr ""
+msgstr "αδυναμία απόκτησης τρέχοντος χρήστη: %s"
 
 #, c-format
 msgid "cannot get the current user: %v"
-msgstr ""
+msgstr "αδυναμία απόκτησης τρέχοντος χρήστη: %v"
 
 #, c-format
 msgid "cannot mark boot successful: %s"
@@ -1579,10 +1920,7 @@
 #. TRANSLATORS: %q is the key name, %v the error message
 #, c-format
 msgid "cannot use %q key: %v"
-msgstr ""
-
-msgid "cannot use --hook and --command together"
-msgstr ""
+msgstr "αδυναμία χρήσης κλειδιού %q: %v"
 
 msgid "cannot use change ID and type together"
 msgstr ""
@@ -1592,11 +1930,11 @@
 
 #, c-format
 msgid "cannot validate owner of file %s"
-msgstr ""
+msgstr "αδυναμία επαλήθευσης κατόχου του αρχείου %s"
 
 #, c-format
 msgid "cannot write new Xauthority file at %s: %s"
-msgstr ""
+msgstr "αδυναμία εγγραφής αρχείου Xauthority στο %s: %s"
 
 #, c-format
 msgid "change finished in status %q with no error message"
@@ -1609,21 +1947,25 @@
 
 #, c-format
 msgid "created user %q\n"
+msgstr "δημιουργία χρήστη %q\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
-msgstr ""
+msgstr "απενεργοποιημένο"
 
 msgid "email:"
-msgstr ""
+msgstr "ηλεκτρονική διεύθυνση:"
 
 msgid "enabled"
-msgstr ""
+msgstr "ενεργοποιημένο"
 
 #, c-format
 msgid "error: %v\n"
-msgstr ""
+msgstr "σφάλμα: %v\n"
 
 msgid ""
 "error: the `<snap-dir>` argument was not provided and couldn't be inferred"
@@ -1632,9 +1974,16 @@
 msgid "get which option?"
 msgstr ""
 
-msgid "inactive"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
 msgstr ""
 
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr "ανενεργό"
+
 msgid ""
 "interface attributes can only be read during the execution of interface hooks"
 msgstr ""
@@ -1661,10 +2010,12 @@
 "invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
 "“all”."
 msgstr ""
+"μη έγκυρη παράμετρος για τη σημαία «-n»: αναμένει μια μη-αρνητική παράμετρο, "
+"ή «όλα»."
 
 #, c-format
 msgid "invalid attribute: %q (want key=value)"
-msgstr ""
+msgstr "μη έγκυρη ιδιότητα: %q (επιθυμητό κλειδί=τιμή)"
 
 #, c-format
 msgid "invalid configuration: %q (want key=value)"
@@ -1672,7 +2023,7 @@
 
 #, c-format
 msgid "invalid header filter: %q (want key=value)"
-msgstr ""
+msgstr "μη έγκυρο φίλτρο επικαφαλίδας: %q (επιθυμητό κλειδί=τιμή)"
 
 #, c-format
 msgid "invalid parameter: %q (want key=value)"
@@ -1680,13 +2031,21 @@
 
 #, c-format
 msgid "invalid value: %q (want snap:name or snap)"
-msgstr ""
+msgstr "μη έγκυρη τιμή: %q (επιθυμητό snap:όνομα ή snap)"
 
 #, c-format
 msgid ""
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1694,42 +2053,47 @@
 msgstr ""
 
 msgid "no changes found"
-msgstr ""
+msgstr "καμία αλλαγή δεν βρέθηκε"
 
 #, c-format
 msgid "no changes of type %q found"
-msgstr ""
+msgstr "καμία αλλαγή τύπου %q δεν βρέθηκε"
 
 msgid "no interfaces currently connected"
-msgstr ""
+msgstr "καμία διεπαφή δεν έχει συνδεθεί"
 
 msgid "no interfaces found"
-msgstr ""
+msgstr "καμία διεπαφή δεν βρέθηκε"
 
 msgid "no matching snaps installed"
 msgstr ""
 
 msgid "no such interface"
-msgstr ""
+msgstr "καμία τέτοια διεπαφή"
 
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
-msgstr ""
+msgstr "ιδιωτικό"
 
 msgid ""
 "reboot scheduled to update the system - temporarily cancel with 'sudo "
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,38 +2101,31 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
-msgstr ""
+msgstr "κανένα snap %%q δεν βρέθηκε (τουλάχιστον στην αναθεώρηση %q)"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
 #, c-format
 msgid "snap %%q not found (at least in channel %q)"
-msgstr ""
+msgstr "κανένα snap %%q δεν βρέθηκε (τουλάχιστον στο κανάλι %q)"
 
 #, c-format
 msgid "snap %q has no updates available"
-msgstr ""
+msgstr "το snap %q δεν έχει καμία διαθέσιμη ενημέρωση"
 
 #, c-format
 msgid "snap %q is already installed, see \"snap refresh --help\""
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
-msgstr ""
+msgstr "το snap %q δεν βρέθηκε"
 
 #. TRANSLATORS: free as in gratis
 msgid "snap is free"
-msgstr ""
+msgstr "το snap είναι δωρέαν"
 
 msgid "too many arguments for command"
 msgstr ""
@@ -1783,9 +2140,12 @@
 msgid "too many arguments: %s"
 msgstr ""
 
-msgid "unavailable"
+msgid "unable to contact snap store"
 msgstr ""
 
+msgid "unavailable"
+msgstr "μη διαθέσιμη"
+
 #, c-format
 msgid "unknown attribute %q"
 msgstr ""
@@ -1799,5 +2159,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
 msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Ταυτοποίηση στην υπηρεσία snap"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Απαιτείται εξουσιοδότηση για ταυτοποίηση στην υπηρεσία snap"
+
+msgid "Install, update, or remove packages"
+msgstr "Εγκατάσταση, ενημέρωση ή αφαίρεση πακέτων"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr "Ταυτοποίηση απαιτείται για εγκατάσταση ή αφαίρεση πακέτων"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Σύνδεση, αποσύνδεση διεπαφών"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Ταυτοποίηση απαιτείται για σύνδεση ή αποσύνδεση διεπαφών"
diff -Nru snapd-2.32.3.2~14.04/po/en_GB.po snapd-2.37~rc1~14.04/po/en_GB.po
--- snapd-2.32.3.2~14.04/po/en_GB.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/en_GB.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # English (United Kingdom) translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-10-14 10:22+0000\n"
-"Last-Translator: Anthony Harrington <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: English (United Kingdom) <en_GB@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -70,22 +70,27 @@
 msgid "%s removed\n"
 msgstr "%s removed\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s reverted to %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s from '%s' installed\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr "%s%s %s from '%s' refreshed\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s installed\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr "%s%s %s refreshed\n"
@@ -99,62 +104,93 @@
 msgid "-r can only be used with --hook"
 msgstr "-r can only be used with --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr "<alias-or-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr "<assertion file>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr "<assertion type>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr "<change-id>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr "<conf value>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<email>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<filename>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<header filter>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr "<interface>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<key-name>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<key>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr "<model-assertion>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr "<query>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr "<root-dir>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr "<snap>:<plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr "<snap>:<slot or plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr "<snap>:<slot>"
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Abort a pending change"
 
@@ -164,25 +200,62 @@
 msgid "Adds an assertion to the system"
 msgstr "Adds an assertion to the system"
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr "Alias for --dangerous (DEPRECATED)"
 
 msgid "All snaps up to date."
 msgstr "All snaps up to date."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Alternative command to run"
 
 msgid "Always return document, even with single key"
 msgstr "Always return document, even with single key"
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr "Always return list, even with single key"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr "An e-mail of a user on login.ubuntu.com"
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr "Assertion file"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "Assertion type name"
 
@@ -202,30 +275,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr "Auto-refresh snaps %s"
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr "Bad code. Try again: "
 
 msgid "Buys a snap"
 msgstr "Buys a snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr "Change ID"
 
 msgid "Changes configuration options"
 msgstr "Changes configuration options"
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-
 msgid "Command\tAlias\tNotes"
 msgstr "Command\tAlias\tNotes"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr "Configuration value (key=value)"
 
@@ -239,12 +309,14 @@
 msgid "Connects a plug to a slot"
 msgstr "Connects a plug to a slot"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr "Constrain listing to a specific snap or snap:name"
 
 msgid "Constrain listing to specific interfaces"
 msgstr "Constrain listing to specific interfaces"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr "Constrain listing to those matching header=value"
 
@@ -329,8 +401,9 @@
 msgid "Enables a snap in the system"
 msgstr "Enables a snap in the system"
 
-msgid "Entering classic dimension"
-msgstr "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr "Ensure prerequisites for %q are available"
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
@@ -352,6 +425,7 @@
 msgid "Fetching snap %q\n"
 msgstr "Fetching snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr "Filename of the snap you want to assert a build for"
 
@@ -398,6 +472,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr "Identifier of the snap package associated with the build"
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr "Ignore validation by other snaps blocking the refresh"
 
@@ -480,9 +557,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr "Install the given snap without enabling its automatic aliases"
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr "Installs a snap to the system"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr "Key of interest within the configuration"
 
@@ -504,6 +590,9 @@
 msgid "Lists aliases in the system"
 msgstr "Lists aliases in the system"
 
+msgid "Lists all repairs"
+msgstr "Lists all repairs"
+
 msgid "Lists interfaces in the system"
 msgstr "Lists interfaces in the system"
 
@@ -543,12 +632,15 @@
 msgid "Mount snap %q%s"
 msgstr "Mount snap %q%s"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr "Name of key to create; defaults to 'default'"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr "Name of key to be deleted"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr "Name of key to export"
 
@@ -570,15 +662,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr "Name\tVersion\tRev\tDeveloper\tNotes"
 
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
 msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr "No snaps are installed yet. Try \"snap install hello-world\"."
 
-msgid "No snaps to auto-refresh found"
-msgstr "No snaps to auto-refresh found"
-
 msgid "Output results in JSON format"
 msgstr "Output results in JSON format"
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr "Passphrase: "
 
@@ -595,6 +733,9 @@
 "Please re-enter your Ubuntu One password to purchase %q from %q\n"
 "for %s. Press ctrl-c to cancel."
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr "Prefer aliases for snap %q"
@@ -626,8 +767,8 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr "Prints the confinement mode the system operates in"
 
-msgid "Prints the email the user is logged in with."
-msgstr "Prints the e-mail the user is logged in with."
+msgid "Prints the email the user is logged in with"
+msgstr ""
 
 msgid "Prints whether system is managed"
 msgstr "Prints whether system is managed"
@@ -754,6 +895,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr "Run a shell instead of the command (useful for debugging)"
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr "Run configure hook of %q snap"
@@ -774,6 +918,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr "Run post-refresh hook of %q snap if present"
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr "Run prepare-device hook"
 
@@ -781,6 +929,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr "Run remove hook of %q snap if present"
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr "Run the given snap command"
 
@@ -801,6 +957,9 @@
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr "Set automatic aliases for snap %q"
@@ -841,15 +1000,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr "Show available snaps for refresh but do not perform a refresh"
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr "Show details of a specific interface"
 
 msgid "Show interface attributes"
 msgstr "Show interface attributes"
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr "Shows known assertions of the provided type"
 
+msgid "Shows specific repairs"
+msgstr "Shows specific repairs"
+
 msgid "Shows version details"
 msgstr "Shows version details"
 
@@ -868,12 +1037,16 @@
 msgid "Slot\tPlug"
 msgstr "Slot\tPlug"
 
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Snap name"
 msgstr "Snap name"
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr "Snap\tService\tStartup\tCurrent"
-
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
@@ -961,23 +1134,27 @@
 msgstr ""
 "The get command prints configuration and interface connection settings."
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr "The login.ubuntu.com e-mail to login as"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr "The model assertion name"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr "The output directory"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
-msgstr "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr "The snap to configure (e.g. hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr "The snap whose conf is being requested"
 
@@ -987,6 +1164,13 @@
 msgid "This command logs the current user out of the store"
 msgstr "This command logs the current user out of the store"
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr "Tool to interact with snaps"
 
@@ -1001,6 +1185,9 @@
 msgid "Try %q snap from %s"
 msgstr "Try %q snap from %s"
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr "Two-factor code: "
 
@@ -1013,13 +1200,26 @@
 msgid "Use known assertions for user creation"
 msgstr "Use known assertions for user creation"
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr "Use this channel instead of stable"
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr "WARNING: failed to activate logging: %v\n"
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr "Waiting for server to restart"
 
@@ -1083,6 +1283,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 "\n"
@@ -1114,6 +1319,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1574,6 +1785,12 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
@@ -1583,6 +1800,13 @@
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1653,6 +1877,39 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1670,6 +1927,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1732,6 +1995,36 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1838,14 +2131,8 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
-"\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
 
 msgid "a single snap name is needed to specify mode or channel flags"
 msgstr "a single snap name is needed to specify mode or channel flags"
@@ -1859,6 +2146,9 @@
 msgid "active"
 msgstr "active"
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr "bought"
 
@@ -1867,6 +2157,10 @@
 msgstr "broken"
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr "cannot %s without a context"
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr "cannot buy snap: %v"
 
@@ -1899,7 +2193,6 @@
 msgstr "cannot find hook %q in %q"
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr "cannot get data for %q: %v"
@@ -1951,9 +2244,6 @@
 msgid "cannot use %q key: %v"
 msgstr "cannot use %q key: %v"
 
-msgid "cannot use --hook and --command together"
-msgstr "cannot use --hook and --command together"
-
 msgid "cannot use change ID and type together"
 msgstr "cannot use change ID and type together"
 
@@ -1982,6 +2272,10 @@
 msgid "created user %q\n"
 msgstr "created user %q\n"
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr "disabled"
@@ -2004,6 +2298,13 @@
 msgid "get which option?"
 msgstr "get which option?"
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr "inactive"
 
@@ -2065,6 +2366,14 @@
 msgstr ""
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr "missing snap-confine: try updating your snapd package"
 
@@ -2093,9 +2402,6 @@
 msgid "no valid snaps given"
 msgstr "no valid snaps given"
 
-msgid "not a valid snap"
-msgstr "not a valid snap"
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr "please provide change ID or type with --last=<type>"
 
@@ -2110,6 +2416,14 @@
 "reboot scheduled to update the system - temporarily cancel with 'sudo "
 "shutdown -c'"
 
+msgid "repairs are not available on a classic system"
+msgstr "repairs are not available on a classic system"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr "set failed: %v"
@@ -2117,9 +2431,6 @@
 msgid "set which option?"
 msgstr "set which option?"
 
-msgid "show detailed information about a snap"
-msgstr "show detailed information about a snap"
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -2139,10 +2450,6 @@
 msgstr "snap %q is already installed, see \"snap refresh --help\""
 
 #, c-format
-msgid "snap %q is local"
-msgstr "snap %q is local"
-
-#, c-format
 msgid "snap %q not found"
 msgstr "snap %q not found"
 
@@ -2163,6 +2470,9 @@
 msgid "too many arguments: %s"
 msgstr "too many arguments: %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "unavailable"
 
@@ -2179,28 +2489,31 @@
 msgstr "unknown plug or slot %q"
 
 #, c-format
-msgid "unsupported shell %v"
-msgstr "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr "unknown service: %q"
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Authenticate on snap daemon"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Authorisation is required to authenticate on the snap daemon"
+
+msgid "Install, update, or remove packages"
+msgstr "Install, update, or remove packages"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr "Authentication is required to install, update, or remove packages"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Connect, disconnect interfaces"
 
-#~ msgid ""
-#~ "\n"
-#~ "The change command displays a summary of tasks associated to an individual "
-#~ "change."
-#~ msgstr ""
-#~ "\n"
-#~ "The change command displays a summary of tasks associated to an individual "
-#~ "change."
-
-#~ msgid ""
-#~ "\n"
-#~ "The find command queries the store for available packages.\n"
-#~ msgstr ""
-#~ "\n"
-#~ "The find command queries the store for available packages.\n"
-
-#~ msgid ""
-#~ "Show last change of given type (install, refresh, remove, try, auto-refresh "
-#~ "etc.)"
-#~ msgstr ""
-#~ "Show last change of given type (install, refresh, remove, try, auto-refresh "
-#~ "etc.)"
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Authentication is required to connect or disconnect interfaces"
diff -Nru snapd-2.32.3.2~14.04/po/eo.po snapd-2.37~rc1~14.04/po/eo.po
--- snapd-2.32.3.2~14.04/po/eo.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/eo.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Esperanto translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Esperanto <eo@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/es.po snapd-2.37~rc1~14.04/po/es.po
--- snapd-2.32.3.2~14.04/po/es.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/es.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
-# Spanish translation for snappy
-# Copyright (c) 2015 Rosetta Contributors and Canonical Ltd 2015
-# This file is distributed under the same license as the snappy package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2015.
+# Spanish translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: snappy\n"
+"Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-01-15 06:39+0000\n"
-"Last-Translator: Paco Molinero <paco@byasl.com>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Spanish <es@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -23,10 +23,14 @@
 "\n"
 "Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
 msgstr ""
+"%q no contiene un snap desempaquetado.\n"
+"\n"
+"Intente «snapcraft prime» en su directorio de proyecto y luego intente «snap "
+"try» nuevamente."
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q cambiado al canal %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
@@ -35,7 +39,7 @@
 
 #, c-format
 msgid "%s (delta)"
-msgstr ""
+msgstr "%s (delta)"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
@@ -67,22 +71,27 @@
 msgid "%s removed\n"
 msgstr "%s eliminado\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s revertido a %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s de «%s» instalado\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr "%s%s %s desde «%s» actualizado\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s instalado\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr "%s%s %s actualizado\n"
@@ -91,137 +100,205 @@
 msgstr "--list no usa los indicadores modo ni canal"
 
 msgid "--time does not take mode nor channel flags"
-msgstr ""
+msgstr "--time no recibe modos o indicadores de canal"
 
 msgid "-r can only be used with --hook"
 msgstr "-r solo se puede usar con --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<alias-o-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
-msgstr ""
+msgstr "<archivo de afirmación>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
-msgstr ""
+msgstr "<tipo de afirmación>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
-msgstr ""
+msgstr "<cambiar-id>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
-msgstr ""
+msgstr "<valor conf>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<email>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<nombredearchivo>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
-msgstr ""
+msgstr "<filtro cabecera>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<interfaz>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr ""
+msgstr "<nombre-clave>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<clave>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
-msgstr ""
+msgstr "<afirmación-modelo>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
-msgstr ""
+msgstr "<consulta>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
+msgstr "<dir-raíz>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
-msgstr ""
+msgstr "<snap>:<enchufe>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
-msgstr ""
+msgstr "<snap>:<ranura o enchufe>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr "<snap>:<slot>"
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Abortar un cambio pendiente"
 
 msgid "Added"
-msgstr ""
+msgstr "Añadido"
 
 msgid "Adds an assertion to the system"
 msgstr "Añadir una aserción al sistema"
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr "Alias para --dangerous (OBSOLETO)"
 
 msgid "All snaps up to date."
 msgstr "Todos los snaps están actualizados."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Orden alternativa a ejecutar"
 
 msgid "Always return document, even with single key"
 msgstr "Devolver siempre un documento, incluso con clave única"
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr "Siempre devolver la lista, incluso con una sola clave"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr "Una dirección de correo de un usuario en login.ubuntu.com"
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
-msgstr "Fichero de aserción"
+msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "Nombre del tipo de aserción"
 
 msgid "Authenticates on snapd and the store"
-msgstr ""
+msgstr "Se autentifica en snapd y en la tienda"
 
 #, c-format
 msgid "Auto-refresh %d snaps"
-msgstr ""
+msgstr "Autorefrescar %d snaps"
 
 #, c-format
 msgid "Auto-refresh snap %q"
-msgstr ""
+msgstr "Autorefrescar el snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Auto-refresh snaps %s"
+msgstr "Autorefrescar los snaps %s"
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
 msgid "Bad code. Try again: "
 msgstr "Código incorrecto. Inténtelo de nuevo: "
 
 msgid "Buys a snap"
-msgstr ""
+msgstr "Compra un snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
-msgstr "Cambiar ID"
+msgstr ""
 
 msgid "Changes configuration options"
 msgstr "Opciones de configuración de cambios"
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Orden\tAlias\tNotas"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
-msgstr ""
+msgstr "Valor de configuración (clave=valor)"
 
 msgid "Confirm passphrase: "
 msgstr "Confirmar contraseña: "
@@ -233,31 +310,35 @@
 msgid "Connects a plug to a slot"
 msgstr "Conectar un enchufe al zócalo"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
-msgstr ""
+msgstr "Restringir el listado a una snap específica o snap:nombre"
 
 msgid "Constrain listing to specific interfaces"
-msgstr ""
+msgstr "Restringir el listado a interfaces específicas"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
-msgstr ""
+msgstr "Restringir el listado a aquellos que coincidan en encabezado=valor"
 
 #, c-format
 msgid "Copy snap %q data"
-msgstr ""
+msgstr "Copiar los datos del snap %q"
 
 msgid ""
 "Create a cryptographic key pair that can be used for signing assertions."
-msgstr ""
+msgstr "Crear un par de claves criptográficas para firmar aseveraciones."
 
 msgid "Create cryptographic key pair"
 msgstr "Crear un par de claves de cifrado"
 
 msgid "Create snap build assertion"
-msgstr ""
+msgstr "Crear una afirmación de construcción de snap"
 
 msgid "Create snap-build assertion for the provided snap file."
 msgstr ""
+"Crear una afirmación de construcción de snap para el archivo snap "
+"proporcionado."
 
 msgid "Creates a local system user"
 msgstr "Crear un usuario local de sistema"
@@ -266,7 +347,7 @@
 msgstr "Eliminar par de claves de cifrado"
 
 msgid "Delete the local cryptographic key pair with the given name."
-msgstr ""
+msgstr "Eliminar el par de claves criptográficas locales con el nombre dado."
 
 #, c-format
 msgid "Disable %q snap"
@@ -278,14 +359,14 @@
 
 #, c-format
 msgid "Disable all aliases for snap %q"
-msgstr ""
+msgstr "Desactivar todos los alias para el snap %q"
 
 msgid "Disables a snap in the system"
 msgstr "Desactivar un snap en el sistema"
 
 #, c-format
 msgid "Discard interface connections for snap %q (%s)"
-msgstr ""
+msgstr "Descartar las conexiones de interfaz para el snap %q (%s)"
 
 #, c-format
 msgid "Disconnect %s:%s from %s:%s"
@@ -296,6 +377,7 @@
 
 msgid "Do not wait for the operation to finish but just print the change id."
 msgstr ""
+"En vez de esperar a que finalice la operación, imprimir el id de cambio."
 
 #, c-format
 msgid "Download snap %q%s from channel %q"
@@ -305,6 +387,8 @@
 "Download the given revision of a snap, to which you must have developer "
 "access"
 msgstr ""
+"Descargar la revisión proporcionada de un snap, para lo cual debe tener "
+"acceso de desarrollador"
 
 msgid "Downloads the given snap"
 msgstr "Descargar el snap dado"
@@ -319,36 +403,41 @@
 msgid "Enables a snap in the system"
 msgstr "Activa un snap en el sistema"
 
-msgid "Entering classic dimension"
-msgstr "Introducir la dimensión clásica"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr "Garantizar que los prerequisitos para %q están disponibles"
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
 msgstr ""
+"Exportar un cuerpo de afirmación de clave pública que podría ser importado "
+"por otros sistemas."
 
 msgid "Export cryptographic public key"
 msgstr "Exportar clave pública de cifrado"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
-msgstr ""
+msgstr "Buscar y comprobar las afirmaciones para el snap %q%s"
 
 #, c-format
 msgid "Fetching assertions for %q\n"
-msgstr ""
+msgstr "Buscando afirmaciones para %q\n"
 
 #, c-format
 msgid "Fetching snap %q\n"
 msgstr "Traer snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
-msgstr ""
+msgstr "Nombre del archivo snap para el que desea afirmar su construcción"
 
 msgid "Finds packages to install"
 msgstr "Buscar paquetes para instalar"
 
 msgid "Force adding the user, even if the device is already managed"
 msgstr ""
+"Forzar a añadir el usuario, incluso si el dispositivo ya está administrado"
 
 msgid "Force import on classic systems"
 msgstr "Forzar importación en sistemas clásicos"
@@ -357,6 +446,8 @@
 "Format public key material as a request for an account-key for this account-"
 "id"
 msgstr ""
+"Dar formato al material de clave pública como una solicitud de la clave de "
+"la cuenta para este id de cuenta"
 
 msgid "Generate device key"
 msgstr "Generar clave de dispositivo"
@@ -366,6 +457,8 @@
 
 msgid "Grade states the build quality of the snap (defaults to 'stable')"
 msgstr ""
+"Califica por estados la calidad de construcción del snap (por defecto es "
+"«stable»)"
 
 msgid "Grant sudo access to the created user"
 msgstr "Garantizar acceso de sudo al usuario creado"
@@ -374,10 +467,10 @@
 msgstr "Ayuda"
 
 msgid "Hook to run"
-msgstr ""
+msgstr "Enganchar para ejecutar"
 
 msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "ID\tEstado\tGenerado\tListo\tResumen\n"
 
 msgid "Identifier of the signer"
 msgstr "Identificador del firmante"
@@ -385,9 +478,12 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr "Identificador del paquete de snap asociado con la construcción"
 
-msgid "Ignore validation by other snaps blocking the refresh"
+msgid "If the service has a reload command, use it instead of restarting."
 msgstr ""
 
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr "Ignorar la validación por otras snaps bloqueando el refresco"
+
 #, c-format
 msgid ""
 "In order to buy %q, you need to agree to the latest terms and conditions. "
@@ -395,18 +491,23 @@
 "\n"
 "Once completed, return here and run 'snap buy %s' again."
 msgstr ""
+"Para comprar %q, debe aceptar los últimos términos y condiciones. Para ello "
+"visite https://my.ubuntu.com/payment/edit .\n"
+"\n"
+"Una vez hecho esto, vuelva aquí y ejecute «snap buy %s» nuevamente."
 
 msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
 msgstr ""
+"Incluir una lista amplia de notas de snap (de otra forma, resumir las notas)"
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Incluir interfaces sin usar"
 
 msgid "Initialize device"
 msgstr "Inicializar dispositivo"
 
 msgid "Inspects devices for actionable information"
-msgstr ""
+msgstr "Inspecciona los dispositivos para obtener información procesable"
 
 #, c-format
 msgid "Install %q snap"
@@ -418,11 +519,11 @@
 
 #, c-format
 msgid "Install %q snap from file"
-msgstr ""
+msgstr "Instalar snap %q desde un archivo"
 
 #, c-format
 msgid "Install %q snap from file %q"
-msgstr ""
+msgstr "Instalar snap %q desde el archivo %q"
 
 msgid "Install from the beta channel"
 msgstr "Instalar desde el canal beta"
@@ -431,7 +532,7 @@
 msgstr "Instalar desde el canal candidato"
 
 msgid "Install from the edge channel"
-msgstr ""
+msgstr "Instalar desde el canal vanguardia"
 
 msgid "Install from the stable channel"
 msgstr "Instalar desde el canal estable"
@@ -448,21 +549,35 @@
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
 msgstr ""
+"Instalar la revisión dada de un snap, para lo cual debe tener acceso de "
+"desarrollador"
 
 msgid ""
 "Install the given snap file even if there are no pre-acknowledged signatures "
 "for it, meaning it was not verified and could be dangerous (--devmode "
 "implies this)"
 msgstr ""
+"Instalar el archivo snap dado incluso si no hay firmas preadmitidas para él, "
+"lo cual significa que no se verificó y podría ser peligroso (--devmode "
+"implica esto)"
 
 msgid "Install the given snap without enabling its automatic aliases"
+msgstr "Instalar el snap dado sin activar sus aliases automáticos"
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
 msgstr ""
 
 msgid "Installs a snap to the system"
 msgstr "Instalar un snap en el sistema"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
-msgstr ""
+msgstr "Clave de interés en la configuración"
 
 msgid "List a change's tasks"
 msgstr "Listar tareas de cambio"
@@ -472,6 +587,7 @@
 
 msgid "List cryptographic keys that can be used for signing assertions."
 msgstr ""
+"Listar claves criptográficas que se pueden usar para firmar aseveraciones."
 
 msgid "List installed snaps"
 msgstr "Listar snaps instalados"
@@ -480,13 +596,16 @@
 msgstr "Listar cambios de sistema"
 
 msgid "Lists aliases in the system"
-msgstr ""
+msgstr "Lista aliases en el sistema"
+
+msgid "Lists all repairs"
+msgstr "Lista todas las reparaciones"
 
 msgid "Lists interfaces in the system"
 msgstr "Listar interfaces en el sistema"
 
 msgid "Lists snap interfaces"
-msgstr ""
+msgstr "Lista las interfaces de snap"
 
 msgid "Log out of the store"
 msgstr "Salir de la tienda"
@@ -496,7 +615,7 @@
 
 #, c-format
 msgid "Make current revision for snap %q unavailable"
-msgstr ""
+msgstr "Hacer que la revisión actual del snap %q no esté disponible"
 
 #, c-format
 msgid "Make snap %q (%s) available to the system"
@@ -512,51 +631,104 @@
 
 #, c-format
 msgid "Make snap %q%s available to the system"
-msgstr ""
+msgstr "Hacer que el snap %q%s esté disponible para el sistema"
 
 msgid "Mark system seeded"
-msgstr ""
+msgstr "Marcar el sistema como sembrado"
 
 #, c-format
 msgid "Mount snap %q%s"
 msgstr "Montar snap %q%s"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
-msgstr ""
+msgstr "Nombre de la clave a crear; el predeterminado es «default»"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr "Nombre de la clave a eliminar"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr "Nombre de la clave a exportar"
 
 msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
 msgstr ""
+"Nombre de la clave GnuPG a usar (el predeterminado es «default» para el "
+"nombre de clave)"
 
 msgid "Name of the key to use, otherwise use the default key"
 msgstr ""
+"Nombre de la clave a utilizar, de otro modo usar la clave predeterminada"
 
 msgid "Name\tSHA3-384"
 msgstr "Nombre \tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Nombre\tResumen"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
-msgstr ""
+msgstr "Nombre\tVersión\tDesarrollador\tNotas\tResumen"
 
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr "Nombre\tVersión\tRev\tDesarrollador\tNotas"
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid "No connections to disconnect"
 msgstr ""
 
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+"Aun no se han instalado snaps. Pruebe con «snap install hello-world»."
+
 msgid "Output results in JSON format"
 msgstr "Resultados de salida en formato JSON"
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr "Frase de paso: "
 
@@ -570,17 +742,22 @@
 "Please re-enter your Ubuntu One password to purchase %q from %q\n"
 "for %s. Press ctrl-c to cancel."
 msgstr ""
+"Vuelva a introducir su contraseña de Ubuntu One para comprar %q de %q\n"
+"por %s. Presione ctrl-c para cancelar."
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
 
 #, c-format
 msgid "Prefer aliases for snap %q"
-msgstr ""
+msgstr "Preferir los aliases del snap %q"
 
 msgid "Prefer aliases from a snap and disable conflicts"
-msgstr ""
+msgstr "Preferir los aliases del snap y desactivar conflictos"
 
 #, c-format
 msgid "Prefer aliases of snap %q"
-msgstr ""
+msgstr "Preferir alias para el snap %q"
 
 msgid "Prepare a snappy image"
 msgstr "Preparar una imagen de snappy"
@@ -600,29 +777,31 @@
 msgstr "Imprimir las opciones de configuración"
 
 msgid "Prints the confinement mode the system operates in"
-msgstr ""
+msgstr "Imprime el modo de confinamiento en el cual el sistema está operando"
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
-msgstr ""
+msgstr "Imprime si el sistema está administrado"
 
 #, c-format
 msgid "Prune automatic aliases for snap %q"
-msgstr ""
+msgstr "Quitar los aliases automáticos del snap %q"
 
 msgid "Put snap in classic mode and disable security confinement"
 msgstr ""
+"Poner snap en modo clásico y desactivar el confinamiento de seguridad"
 
 msgid "Put snap in development mode and disable security confinement"
 msgstr ""
+"Poner snap en modo de desarrollo y desactivar el confinamiento de seguridad"
 
 msgid "Put snap in enforced confinement mode"
-msgstr ""
+msgstr "Poner snap en modo de confinamiento forzado"
 
 msgid "Query the status of services"
-msgstr ""
+msgstr "Consultar el estado de los servicios"
 
 #, c-format
 msgid "Refresh %q snap"
@@ -630,14 +809,14 @@
 
 #, c-format
 msgid "Refresh %q snap from %q channel"
-msgstr ""
+msgstr "Refrescar snap %q desde el canal %q"
 
 #, c-format
 msgid "Refresh aliases for snap %q"
-msgstr ""
+msgstr "Refrescar los aliases del snap %q"
 
 msgid "Refresh all snaps: no updates"
-msgstr ""
+msgstr "Refrescar todas las snaps: sin actualizaciones"
 
 #, c-format
 msgid "Refresh snap %q"
@@ -651,7 +830,7 @@
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s: no updates"
-msgstr ""
+msgstr "Refrescar snaps %s: sin actualizaciones"
 
 msgid "Refresh to the given revision"
 msgstr "Actualizar a la versión dada"
@@ -673,18 +852,18 @@
 
 #, c-format
 msgid "Remove manual alias %q for snap %q"
-msgstr ""
+msgstr "Eliminar alias manual %q para el snap %q"
 
 msgid "Remove only the given revision"
-msgstr ""
+msgstr "Eliminar solo la revisión dada"
 
 #, c-format
 msgid "Remove security profile for snap %q (%s)"
-msgstr ""
+msgstr "Eliminar el prefil de seguridad del snap %q (%s)"
 
 #, c-format
 msgid "Remove security profiles of snap %q"
-msgstr ""
+msgstr "Eliminar los perfiles de seguridad del snap %q"
 
 #, c-format
 msgid "Remove snap %q"
@@ -692,7 +871,7 @@
 
 #, c-format
 msgid "Remove snap %q (%s) from the system"
-msgstr ""
+msgstr "Eliminar el snap %q (%s) del sistema"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
@@ -700,71 +879,87 @@
 msgstr "Eliminar snaps %s"
 
 msgid "Removed"
-msgstr ""
+msgstr "Eliminado"
 
 msgid "Removes a snap from the system"
 msgstr "Eliminar un snap del sistema"
 
 msgid "Request device serial"
-msgstr ""
+msgstr "Solicitar la serie del dispositivo"
 
 msgid "Restart services"
-msgstr ""
+msgstr "Reiniciar servicios"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Reiniciado.\n"
 
 msgid "Restrict the search to a given section"
-msgstr ""
+msgstr "Restringir la búsqueda a una sección dada"
 
 msgid "Retrieve logs of services"
-msgstr ""
+msgstr "Recuperar registros de los servicios"
 
 #, c-format
 msgid "Revert %q snap"
-msgstr ""
+msgstr "Revertir snap %q"
 
 msgid "Reverts the given snap to the previous state"
-msgstr ""
+msgstr "Revierte el snap dado a su estado previo"
 
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
+"Ejecutar un intérprete de ordenes en vez de la orden (útil para depurar)"
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
 
 #, c-format
 msgid "Run configure hook of %q snap"
-msgstr ""
+msgstr "Ejecutar el enchanche de configuración del snap %q"
 
 #, c-format
 msgid "Run configure hook of %q snap if present"
-msgstr ""
+msgstr "Ejecutar el enganche de configuración del snap %q  si está presente"
 
 #, c-format
 msgid "Run hook %s of snap %q"
-msgstr ""
+msgstr "Ejecutar el enganche %s del snap %q"
 
 #, c-format
 msgid "Run install hook of %q snap if present"
-msgstr ""
+msgstr "Ejecutar el enganche de instalación del snap %q si está presente"
 
 #, c-format
 msgid "Run post-refresh hook of %q snap if present"
+msgstr "Ejecutar el enganche de post-refresco del snap %q si está presente"
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
 msgstr ""
 
 msgid "Run prepare-device hook"
-msgstr ""
+msgstr "Ejecutar el enganche de preparar-dispositivo"
 
 #, c-format
 msgid "Run remove hook of %q snap if present"
+msgstr "Ejecutar el enganche de eliminación del snap %q si está presente"
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
 msgstr ""
 
-msgid "Run the given snap command"
+msgid "Run the command with gdb"
 msgstr ""
 
+msgid "Run the given snap command"
+msgstr "Ejecutar la orden snap dada"
+
 msgid "Run the given snap command with the right confinement and environment"
-msgstr ""
+msgstr "Ejecutar la orden snap dada con el confinamiento y entorno apropiado"
 
 msgid "Runs debug commands"
-msgstr ""
+msgstr "Ejecuta ordenes de depurado"
 
 msgid "Search private snaps"
 msgstr "Buscar snaps privados"
@@ -773,85 +968,111 @@
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
+"Seleccionar el último cambio de tipo dado (install, refresh, remove, try, "
+"auto-refresh, etc.)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
 
 #, c-format
 msgid "Set automatic aliases for snap %q"
-msgstr ""
+msgstr "Asignar aliases automáticos al snap %q"
 
 msgid "Sets up a manual alias"
-msgstr ""
+msgstr "Configurar un alias manual"
 
 #, c-format
 msgid "Setup alias %q => %q for snap %q"
-msgstr ""
+msgstr "Configurar el alias %q => %q para el snap %q"
 
 #, c-format
 msgid "Setup manual alias %q => %q for snap %q"
-msgstr ""
+msgstr "Configurar el alias manual %q => %q para el snap %q"
 
 #, c-format
 msgid "Setup snap %q (%s) security profiles"
-msgstr ""
+msgstr "Configurar los perfiles de seguridad del snap %q (%s)"
 
 #, c-format
 msgid "Setup snap %q aliases"
-msgstr ""
+msgstr "Configurar los aliases del snap %q"
 
 #, c-format
 msgid "Setup snap %q%s security profiles"
-msgstr ""
+msgstr "Configurar los perfiles de seguridad del snap %q%s"
 
 #, c-format
 msgid "Setup snap %q%s security profiles (phase 2)"
-msgstr ""
+msgstr "Configurar los perfiles de seguridad del snap %q%s (fase 2)"
 
 msgid "Show all revisions"
 msgstr "Mostrar todas las revisiones"
 
 msgid "Show auto refresh information but do not perform a refresh"
-msgstr ""
+msgstr "Mostrar la información de auto refresco sin realizar un refresco"
 
 msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr "Mostrar snaps disponibles para refresco sin realizar un refresco"
+
+msgid "Show detailed information about a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
-msgstr ""
+msgstr "Mostrar detalles de una interfaz específica"
 
 msgid "Show interface attributes"
+msgstr "Mostrar atributos de la interfaz"
+
+msgid "Show only the given number of lines, or 'all'."
 msgstr ""
 
 msgid "Shows known assertions of the provided type"
-msgstr ""
+msgstr "Mostrar afirmaciones conocidas del tipo proporcionado"
+
+msgid "Shows specific repairs"
+msgstr "Mostrar reparaciones específicas"
 
 msgid "Shows version details"
 msgstr "Mostrar los detalles de la versión"
 
 msgid "Sign an assertion"
-msgstr ""
+msgstr "Firmar una aseveración"
 
 msgid ""
 "Sign an assertion using the specified key, using the input for headers from "
 "a JSON mapping provided through stdin, the body of the assertion can be "
 "specified through a \"body\" pseudo-header.\n"
 msgstr ""
+"Firmar una aseveración utilizando la clave especificada, usando la entrada "
+"para cabeceras desde un trazado JSON proporcionado a través de stdin, el "
+"cuerpo de la afirmación se puede especificar a través de un pseudo-"
+"encabezado «body».\n"
 
 msgid "Slot\tPlug"
+msgstr "Ranura\tEnchufe"
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Snap name"
 msgstr "Nombre de snap"
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
-
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
 "payment details at https://my.ubuntu.com/payment/edit and try again."
 msgstr ""
+"Lo sentimos, su método de pago ha sido rechazado por el distribuidor. Revise "
+"sus\n"
+"detalles de pago en https://my.ubuntu.com/payment/edit e inténtelo de nuevo."
 
 msgid "Start services"
-msgstr ""
+msgstr "Iniciar servicios"
 
 #, c-format
 msgid "Start snap %q (%s) services"
@@ -865,16 +1086,16 @@
 msgstr "Iniciar servicios snap"
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Iniciar el servicio userd"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Iniciado.\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "Estado\tGenerado\tListo\tResumen\n"
 
 msgid "Stop services"
-msgstr ""
+msgstr "Detener servicios"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
@@ -882,34 +1103,34 @@
 
 #, c-format
 msgid "Stop snap %q services"
-msgstr ""
+msgstr "Detener los servicios del snap %q"
 
 msgid "Stop snap services"
 msgstr "Parar los servicios de snap"
 
 msgid "Stopped.\n"
-msgstr ""
+msgstr "Detenido.\n"
 
 msgid "Strict typing with nulls and quoted strings"
-msgstr ""
+msgstr "Escritura estricta con cadenas nulas y citadas"
 
 #, c-format
 msgid "Switch %q snap to %s"
-msgstr ""
+msgstr "Cambiar el snap %q a %s"
 
 #, c-format
 msgid "Switch snap %q from %s to %s"
-msgstr ""
+msgstr "Cambiar el snap %q de %s a %s"
 
 #, c-format
 msgid "Switch snap %q to %s"
-msgstr ""
+msgstr "Cambiar el snap %q a %s"
 
 msgid "Switches snap to a different channel"
-msgstr ""
+msgstr "Cambia el snap a un canal diferente"
 
 msgid "Temporarily mount device before inspecting"
-msgstr ""
+msgstr "Montar el dispositivo temporalmente antes de inspeccionar"
 
 msgid "Tests a snap in the system"
 msgstr "Probar un snap en el sistema"
@@ -920,35 +1141,49 @@
 "Thanks for purchasing %q. You may now install it on any of your devices\n"
 "with 'snap install %s'."
 msgstr ""
+"Gracias por comprar %q. Ahora puede instalarlo en cualquiera de sus\n"
+"dispositivos con «snap install %s»."
 
 msgid ""
 "The get command prints configuration and interface connection settings."
 msgstr ""
+"La orden get imprime los ajustes de configuración e interfaz de conexión."
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr "El email con el que acceder a login.ubuntu.com"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
-msgstr ""
+msgstr "El nombre de afirmación del modelo"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr "DIrectorio de salida"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr "El snap a configurar (p.ej.: hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
-msgstr ""
+msgstr "El snap para el que se solicita su conf"
 
 msgid "The userd command starts the snap user session service."
-msgstr ""
+msgstr "La orden userd inicia el servicio del snap en la sesión del usuario."
 
 msgid "This command logs the current user out of the store"
+msgstr "Esta orden cierra la sesión actual del usuario en la tienda"
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
 msgstr ""
 
 msgid "Tool to interact with snaps"
@@ -956,46 +1191,62 @@
 
 #, c-format
 msgid "Transition security profiles from %q to %q"
-msgstr ""
+msgstr "Transición de perfiles de seguridad de %q a %q"
 
 msgid "Transition ubuntu-core to core"
-msgstr ""
+msgstr "Transición de ubuntu-core a core"
 
 #, c-format
 msgid "Try %q snap from %s"
+msgstr "Probar snap %q desde %s"
+
+msgid "Try: snap install <selected snap>\n"
 msgstr ""
 
 msgid "Two-factor code: "
 msgstr "Código de dos factores: "
 
 msgid "Unalias a manual alias or an entire snap"
-msgstr ""
+msgstr "Desactivar un alias manual o un snap completo"
 
 msgid "Use a specific snap revision when running hook"
-msgstr ""
+msgstr "Usar una revisión específica de un snap al ejecutar un enganche"
 
 msgid "Use known assertions for user creation"
+msgstr "Usar afirmaciones conocidas para crear el usuario"
+
+msgid "Use the given output format (pretty or json)"
 msgstr ""
 
 msgid "Use this channel instead of stable"
+msgstr "Usar este canal en lugar del estable"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
 msgstr ""
+"AVISO: La salida de «snap get» se convertirá en una lista con columnas - use "
+"-d o -l para forzar el formato de salida.\n"
 
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
+msgstr "AVISO: no se ha podido activar el registro: %v\n"
+
+msgid "Wait for new lines and print them as they come in."
 msgstr ""
 
 msgid "Waiting for server to restart"
 msgstr "Esperando al servidor para reiniciar"
 
 msgid "Watch a change in progress"
-msgstr ""
+msgstr "Observar un cambio en progreso"
 
 msgid "Wrong again. Once more: "
 msgstr "Incorrecto de nuevo. Una vez más: "
 
 #, c-format
 msgid "Xauthority file isn't owned by the current user %s"
-msgstr ""
+msgstr "El archivo Xauthority no pertenece al usuario actual %s"
 
 msgid "Yes, yes it does."
 msgstr "Sí, sí lo hace."
@@ -1004,6 +1255,8 @@
 "You need to be logged in to purchase software. Please run 'snap login' and "
 "try again."
 msgstr ""
+"Debe iniciar sesión para comprar software. Ejecute «snap login» e intente "
+"nuevamente."
 
 #, c-format
 msgid ""
@@ -1013,11 +1266,16 @@
 "Once you’ve added your payment details, you just need to run 'snap buy %s' "
 "again."
 msgstr ""
+"Debe tener un método de pago asociado con su cuenta para comprar un snap, "
+"visite https://my.ubuntu.com/payment/edit para añadir uno.\n"
+"\n"
+"Una vez añadidos sus detalles de pago, vuelva a ejecutar «snap buy %s»."
 
 #. TRANSLATORS: the %s is the argument given by the user to "snap changes"
 #, c-format
 msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
 msgstr ""
+"La orden «snap changes» espera un nombre de snap, intente: «snap tasks %s»"
 
 msgid ""
 "\n"
@@ -1029,11 +1287,28 @@
 "This is the CLI for snapd, a background service that takes care of\n"
 "snaps on the system. Start with 'snap list' to see installed snaps.\n"
 msgstr ""
+"\n"
+"Instalar, configurar, refrescar y eliminar paquetes snap. Los Snaps\n"
+"son paquetes «universales» que trabajan sobre varios y distintos sistemas\n"
+"Linux, permitiendo la distribución segura de las últimas aplicaciones y\n"
+"utilidades para la nube, servidores, escritorios y el internet de las "
+"cosas.\n"
+"\n"
+"Este es la CLI para snapd, un servicio en segundo plano que se ocupa de\n"
+"los snaps en el sistema. Comience con «snap list» para ver los snaps "
+"instalados.\n"
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
+"\n"
+"La orden abort intenta abortar un cambio que aun tiene tareas pendientes.\n"
 
 msgid ""
 "\n"
@@ -1047,6 +1322,23 @@
 "public key and the assertion consistent with and its prerequisite in the\n"
 "database.\n"
 msgstr ""
+"\n"
+"La orden ack intenta añadir una afirmación a la base de datos del sistema\n"
+"de afirmaciones.\n"
+"\n"
+"La afirmación también puede ser una nueva revisión de una afirmación ya\n"
+"existente que lo reemplazará.\n"
+"\n"
+"Para tener éxito, la afirmación debe ser válida, su firma verificada con "
+"una\n"
+"clave pública conocida y la afirmación y su prerequisito consistente en la\n"
+"base de datos.\n"
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1055,6 +1347,11 @@
 "Once this manual alias is setup the respective application command can be "
 "invoked just using the alias.\n"
 msgstr ""
+"\n"
+"La orden alias asigna el alias especificado a la aplicación snap dada.\n"
+"\n"
+"Una vez que este alias manual está configurado la orden respectiva de la "
+"aplicación se puede invocar tan solo utilizando el alias.\n"
 
 msgid ""
 "\n"
@@ -1070,6 +1367,18 @@
 "not defined in the current revision of the snap; possibly temporarely (e.g\n"
 "because of a revert), if not this can be cleared with snap alias --reset.\n"
 msgstr ""
+"\n"
+"La orden aliases lista todos los aliases disponibles en el sistema y sus\n"
+"estados.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lista solo los aliases definidos por el snap especificado.\n"
+"\n"
+"Un alias marcado como no definido significa que se activo o desactivó\n"
+"explicitamente pero no está definido en la revisión actual del snap;\n"
+"posiblemente temporal (p.ej. debido a una reversión), sino se puede\n"
+"borrar con snap alias --reset.\n"
 
 msgid ""
 "\n"
@@ -1084,17 +1393,34 @@
 "Imported assertions must be made available in the auto-import.assert file\n"
 "in the root of the filesystem.\n"
 msgstr ""
+"\n"
+"La orden auto-import busca dispositivos montados disponibles buscando\n"
+"afirmaciones firmadas por autoridades confiables, y potencialmente\n"
+"realiza cambios en el sistema basados en ellos.\n"
+"\n"
+"Si una o más rutas de dispositivos se proporcionan mediante --mount, estos\n"
+"se montan temporalmente para que también sean inspeccionados. Incluso\n"
+"en este caso la orden seguirá considerando todos los dispositivos montados\n"
+"disponibles para inspección.\n"
+"\n"
+"Las afirmaciones importadas se deben marcar como disponibles en el archivo\n"
+"auto-import.assert en la raíz del sistema de archivos.\n"
 
 msgid ""
 "\n"
 "The buy command buys a snap from the store.\n"
 msgstr ""
+"\n"
+"La orden buy compra un snap de la tienda.\n"
 
 msgid ""
 "\n"
 "The changes command displays a summary of the recent system changes "
 "performed."
 msgstr ""
+"\n"
+"La orden changes muestra un resumen de los cambios recientes realizados del "
+"sistema."
 
 msgid ""
 "\n"
@@ -1102,6 +1428,10 @@
 "none)\n"
 "the system operates in.\n"
 msgstr ""
+"\n"
+"La orden confinement imprimirá el modo de confinamiento (strict, partial o "
+"none)\n"
+"en el cual el sistema está operando.\n"
 
 msgid ""
 "\n"
@@ -1126,6 +1456,25 @@
 "matching\n"
 "the plug name.\n"
 msgstr ""
+"\n"
+"La orden connect conecta un enchufe a una ranura.\n"
+"Se puede llamar de las siguientes maneras:\n"
+"\n"
+"$ snap connect <snap>:<enchufe> <snap>:<ranura>\n"
+"\n"
+"Conecta el enchufe dado a una ranura dada.\n"
+"\n"
+"$ snap connect <snap>:<enchufe> <snap>\n"
+"\n"
+"Conecta el enchufe especificado a la única ranura en el snap proporcionado\n"
+"que coincide con la interfaz conectada. Si existe más de una ranura "
+"potencial,\n"
+"la orden falla.\n"
+"\n"
+"$ snap connect <snap>:<enchufe>\n"
+"\n"
+"Conecta el enchufe proporcionado a la ranura en el snap principal con un\n"
+"nombre que coincide con el nombre del enchufe.\n"
 
 msgid ""
 "\n"
@@ -1136,6 +1485,14 @@
 "\n"
 "An account can be setup at https://login.ubuntu.com.\n"
 msgstr ""
+"\n"
+"La orden create-user crea un usuario de sistema local con nombre de usuario "
+"y\n"
+"claves SSH registradas en la cuenta de la tienda identificadas por la "
+"dirección de\n"
+"correo electrónico proporcionado.\n"
+"\n"
+"Puede configurar su cuenta en https://login.ubuntu.com.\n"
 
 msgid ""
 "\n"
@@ -1144,6 +1501,11 @@
 "Debug commands can be removed without notice and may not work on\n"
 "non-development systems.\n"
 msgstr ""
+"\n"
+"La orden debug contiene una selección de subordenes adicionales.\n"
+"\n"
+"Las ordenes de depurado se pueden eliminar sin problema y podrían\n"
+"no funcionar en sistemas que no son para desarrollo.\n"
 
 msgid ""
 "\n"
@@ -1151,6 +1513,10 @@
 "snap will no longer be available. But all the data is still available\n"
 "and the snap can easily be enabled again.\n"
 msgstr ""
+"\n"
+"La orden disable desactiva un snap. Los binarios y servicios del snap\n"
+"ya no estarán disponibles. Pero todos los datos aun se conservan y\n"
+"el snap puede ser reactivado fácilmente.\n"
 
 msgid ""
 "\n"
@@ -1166,6 +1532,18 @@
 "Disconnects everything from the provided plug or slot.\n"
 "The snap name may be omitted for the core snap.\n"
 msgstr ""
+"\n"
+"La orden disconnect desconecta un enchufe de una ranura.\n"
+"Se puede llamar de las siguientes maneras:\n"
+"\n"
+"$ snap disconnect <snap>:<enchufe> <snap>:<ranura>\n"
+"\n"
+"Desconecta el enchufe específico de la ranura específica.\n"
+"\n"
+"$ snap disconnect <snap>:<ranura o enchufe>\n"
+"\n"
+"Desconecta todo del enchufe o la ranura proporcionada.\n"
+"El nombre de snap se puede omitir para el snap principal.\n"
 
 msgid ""
 "\n"
@@ -1173,17 +1551,26 @@
 "to the current directory under .snap and .assert file extensions, "
 "respectively.\n"
 msgstr ""
+"\n"
+"La orden download descarga el snap dado y las afirmaciones que lo soportan\n"
+"al directorio actual bajo las extensiones de archivo .snap y .assert, "
+"respectivamente.\n"
 
 msgid ""
 "\n"
 "The enable command enables a snap that was previously disabled.\n"
 msgstr ""
+"\n"
+"La orden enable activa un snap que ha sido desactivado previamente.\n"
 
 msgid ""
 "\n"
 "The find command queries the store for available packages in the stable "
 "channel.\n"
 msgstr ""
+"\n"
+"La orden find consulta la tienda sobre los paquetes disponibles en el canal "
+"estable.\n"
 
 msgid ""
 "\n"
@@ -1222,6 +1609,41 @@
 "This requests the \"usb-vendor\" setting from the slot that is connected to "
 "\"myplug\".\n"
 msgstr ""
+"\n"
+"La orden get imprime opciones de configuración para el snap actual.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"Si se proporcionan múltiples nombres de opción, se devuelve un documento:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Los valores anidados se pueden recuperar mediante una ruta con puntos:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Los valores de los ajustes de la interfaz de conexión se pueden imprimir "
+"con:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"Esto devolverá el ajuste nombrado desde el extremo de interfaz local, ya sea "
+"un enchufe\n"
+"o una ranura. También es posible devolver el ajuste desde el extremo del "
+"snap conectado\n"
+"solicitándolo explícitamente mediante las opciones de la línea de ordenes --"
+"plug y --slot:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"Esto solicita el ajuste «usb-vendor» desde la ranura conectada a «myplug».\n"
 
 msgid ""
 "\n"
@@ -1243,17 +1665,40 @@
 "    $ snap get snap-name author.name\n"
 "    frank\n"
 msgstr ""
+"\n"
+"La orden get imprime opciones de configuración para el snap proporcionado.\n"
+"\n"
+"    $ snap get nombre-snap username\n"
+"    frank\n"
+"\n"
+"Si se proporcionan varios nombre de opciones, se devuelve un documento:\n"
+"\n"
+"    $ snap get nombre-snap username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Los valores anidados se pueden recuperar mediante una ruta con puntos:\n"
+"\n"
+"    $ snap get nombre-snap author.name\n"
+"    frank\n"
 
 msgid ""
 "\n"
 "The help command shows helpful information. Unlike this. ;-)\n"
 msgstr ""
+"\n"
+"La orden help muestra información útil. No como esta. ;-)\n"
 
 msgid ""
 "\n"
 "The info command shows detailed information about a snap, be it by name or "
 "by path."
 msgstr ""
+"\n"
+"La orden info muestra información detallada sobre un snap, ya sea por nombre "
+"o por ruta."
 
 msgid ""
 "\n"
@@ -1269,6 +1714,12 @@
 "If no interface name is provided, a list of interface names with at least\n"
 "one connection is shown, or a list of all interfaces if --all is provided.\n"
 msgstr ""
+"\n"
+"La orden interface muestra detalles de interfaces de snap.\n"
+"\n"
+"Si no se proporciona nombre de interfaz, se muestra una lista de\n"
+"nombres de interfaces con al menos una conexión, o una lista de\n"
+"todas las interfaces si se proporciona --all.\n"
 
 msgid ""
 "\n"
@@ -1290,6 +1741,25 @@
 "Filters the complete output so only plugs and/or slots matching the provided "
 "details are listed.\n"
 msgstr ""
+"\n"
+"La orden interfaces lista las interfaces disponibles en el sistema.\n"
+"\n"
+"Por defecto se muestran todas las ranuras y enchufes, utilizados y ofrecidos "
+"por todos los snaps.\n"
+" \n"
+"$ snap interfaces <snap>:<ranura o enchufe>\n"
+"\n"
+"Lista solo las ranuras o enchufes especificados.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lista las ranuras ofrecidas y los enchufes utilizados por el snap "
+"especificado.\n"
+"\n"
+"$ snap interfaces -i=<interfaz> [<snap>]\n"
+"\n"
+"Filtra la salida completa de forma que solo se listan los enchufes y/o "
+"ranuras coincidentes con los detalles proporcionados.\n"
 
 msgid ""
 "\n"
@@ -1297,11 +1767,18 @@
 "If header=value pairs are provided after the assertion type, the assertions\n"
 "shown must also have the specified headers matching the provided values.\n"
 msgstr ""
+"\n"
+"La orden known muestra afirmaciones conocidas del tipo proporcionado.\n"
+"Si se proporcionan pares encabezado=valor después del tipo de afirmación,\n"
+"las afirmaciones mostradas también deben tener los encabezados\n"
+"especificados coincidiendo con los valores proporcionados.\n"
 
 msgid ""
 "\n"
 "The list command displays a summary of snaps installed in the current system."
 msgstr ""
+"\n"
+"La orden list muestra un resumen de snaps instaladas en el sistema actual."
 
 msgid ""
 "\n"
@@ -1315,12 +1792,39 @@
 "\n"
 "An account can be setup at https://login.ubuntu.com\n"
 msgstr ""
+"\n"
+"La orden login autentifica en snapd y la tienda snap y guarda las "
+"credenciales\n"
+"en el archivo ~/.snap/auth.json. Las futuras comunicaciones con snapd se "
+"realizarán\n"
+"usando esas credenciales.\n"
+"\n"
+"Iniciar sesión solo funciona para usuarios locales en los grupos sudo, admin "
+"o wheel.\n"
+"\n"
+"Puede configurar su cuenta en https://login.ubuntu.com\n"
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
+"\n"
+"La orden managed imprimirá verdadero o falso informando si\n"
+"snapd tiene usuarios registrados.\n"
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+"\n"
+"La orden pack empaqueta el snap-dir dado como un snap."
 
 msgid ""
 "\n"
@@ -1328,6 +1832,10 @@
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
 msgstr ""
+"\n"
+"La orden prefer activa todos los aliases del snap dado, dando preferencia\n"
+"sobre aliases conflictivos de otros snaps cuyos aliases se desactivarán\n"
+"(se eliminan para los manuales).\n"
 
 #, c-format
 msgid ""
@@ -1346,11 +1854,28 @@
 "if instead you want to install the snap forcing it into strict confinement\n"
 "repeat the command including --jailmode."
 msgstr ""
+"\n"
+"El editor del snap %q ha indicado que no consideran que esta revisión sea "
+"de\n"
+"calidad suficiente para producción y solo es adecuada para desarrollo y "
+"pruebas\n"
+"por el momento. Como consecuencia este snap no se refrescará "
+"automáticamente\n"
+"y podría realizar cambios arbitrarios en el sistema fuera de la caja de "
+"seguridad\n"
+"en la cual los snaps están generalmente confinados, lo cual podría poner su\n"
+"sistema en riesgo.\n"
+"\n"
+"Si lo entiende y desea continuar, repita la orden incluyendo --devmode;\n"
+"si en lugar de eso desea instalar el snap forzándolo a confinamiento\n"
+"estricto, repita la orden incluyendo --jailmode."
 
 msgid ""
 "\n"
 "The refresh command refreshes (updates) the named snap.\n"
 msgstr ""
+"\n"
+"La orden refresh refresca (actualiza) el snap nombrado.\n"
 
 msgid ""
 "\n"
@@ -1362,6 +1887,48 @@
 "revision is\n"
 "removed.\n"
 msgstr ""
+"\n"
+"La orden remove elimina el snap nombrado del sistema.\n"
+"\n"
+"Por defecto todas las revisiones de snap se eliminan, incluyendo los datos y "
+"el\n"
+"directorio de datos comunes. Cuando se incluye la opción --revision solo se "
+"elimina\n"
+"la revisión especificada.\n"
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+"\n"
+"La orden repair muestra los detalles sobre una o múltiples reparaciones.\n"
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+"\n"
+"La orden repairs lista todas las reparaciones procesadas para este "
+"dispositivo.\n"
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+"\n"
+"La orden restart reinicia los servicios dados del snap. Si se ejecuta desde\n"
+"el enganche «configurar», se reiniciarán los servicios después de que\n"
+"finalice el enganche."
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1372,6 +1939,20 @@
 "an exception, data which the snap explicitly chooses to share across\n"
 "revisions is not touched by the revert process.\n"
 msgstr ""
+"\n"
+"La orden revert revierte el snap dado al estado anterior al último\n"
+"refresco. Esto reactivará la revisión anterior del snap, y usará los\n"
+"datos originales que se asociaron con esa revisión, descartando\n"
+"cualquier cambio en los datos que se hicieron en la última revisión.\n"
+"Como excepción, los datos que fueron elegidos estrictamente por\n"
+"el snap para compartir entre revisiones no son alterados por el\n"
+"proceso de reversión.\n"
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1386,6 +1967,18 @@
 "\n"
 "    $ snap set author.name=frank\n"
 msgstr ""
+"\n"
+"La orden set cambia las opciones de configuración proporcionadas\n"
+"en la forma solicitada.\n"
+"\n"
+"    $ snap set nombre-snap username=frank password=$PASSWORD\n"
+"\n"
+"Todos los cambios en la configuración persisten a la vez, y solo después\n"
+"de que el enganche de configuración del snap devuelva con éxito.\n"
+"\n"
+"Los valores anidados se pueden modificar mediante una ruta con puntos:\n"
+"\n"
+"    $ snap set author.name=frank\n"
 
 msgid ""
 "\n"
@@ -1406,18 +1999,74 @@
 "\n"
 "    $ snapctl set :myplug path=/dev/ttyS0\n"
 msgstr ""
+"\n"
+"La orden set cambia las opciones de configuración proporcionadas como se "
+"solicita.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"Todos los cambios en la configuración son persistentes al mismo tiempo, y "
+"solo después\n"
+"de que el enganche devuelva con éxito.\n"
+"\n"
+"Los valores anidados se pueden modificar mediante una ruta con puntos:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Los atributos de enchufe y ranura se pueden asignar en los enganches de "
+"preparación y\n"
+"conexión respectivos nombrando el enchufe o ranura respectivo:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+"\n"
+"La orden start inicia los servicios dados del snap. Si se ejecuta desde\n"
+"el enganche «configurar», los servicios se iniciarán después de que el\n"
+"enganche finalice."
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+"\n"
+"La orden stop detiene los servicios dados del snap. Si se ejecuta desde\n"
+"el enganche «configurar», los servicios se iniciarán después de que el\n"
+"enganche finalice."
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
+"\n"
+"La orden switch cambia el snap dado a un canal diferente sin\n"
+"hacer un refresco.\n"
 
 msgid ""
 "\n"
 "The tasks command displays a summary of tasks associated to an individual "
 "change."
 msgstr ""
+"\n"
+"La orden tasks muestra un resumen de las tareas asociadas con un cambio "
+"individual."
 
 msgid ""
 "\n"
@@ -1434,18 +2083,37 @@
 "be\n"
 "found relative to current working directory.\n"
 msgstr ""
+"\n"
+"La orden try instala un snap sin empaquetar en el sistema para realizar "
+"pruebas.\n"
+"El contenido del snap sin empaquetar se sigue usando incluso después de la\n"
+"instalación, de forma que los cambios que no son de metadatos se producen\n"
+"inmediatamente. Los cambios en metadatos tales como los que se realizan\n"
+"en snap.yaml necesitan de una reinstalación para estar activos.\n"
+"\n"
+"Si se omite el argumento snap-dir, la orden try intentará inferirlo si el\n"
+"archivo snapcraft.yaml y el directorio principal o el archivo "
+"meta/snap.yaml\n"
+"se pueden encontrar relativos al directorio de trabajo actual.\n"
 
 msgid ""
 "\n"
 "The unalias command tears down a manual alias when given one or disables all "
 "aliases of a snap, removing also all manual ones, when given a snap name.\n"
 msgstr ""
+"\n"
+"La orden unalias arranca un alias manual cuando se le da uno o desactiva "
+"todos los alias de un snap, eliminando también todos los manuales, cuando se "
+"le da un nombre de snap.\n"
 
 msgid ""
 "\n"
 "The version command displays the versions of the running client, server,\n"
 "and operating system.\n"
 msgstr ""
+"\n"
+"La orden version muestra las versiones del cliente, servidor\n"
+"y sistema operativo en ejecución.\n"
 
 msgid ""
 "\n"
@@ -1453,11 +2121,17 @@
 "progress\n"
 "(if available).\n"
 msgstr ""
+"\n"
+"La orden watch espera a que el change-id dado finalice y muestra el "
+"progreso\n"
+"(si esta disponible).\n"
 
 msgid ""
 "\n"
 "The whoami command prints the email the user is logged in with.\n"
 msgstr ""
+"\n"
+"La orden whoami imprime el correo con el cual el usuario inició sesión.\n"
 
 #, c-format
 msgid ""
@@ -1471,42 +2145,58 @@
 "If you understand and want to proceed repeat the command including --"
 "classic.\n"
 msgstr ""
+"\n"
+"Esta revisión del snap %q se publicó usando el confinamiento clásico por lo "
+"cual\n"
+"podría realizar cambios arbitrarios del sistema fuera de la caja de "
+"seguridad en el que\n"
+"los snaps suelen estar confinados, lo cual podría suponer un riesgo para su "
+"sistema.\n"
+"\n"
+"Si lo entiende y desea continuar repita la orden incluyendo --classic.\n"
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
 msgstr ""
+"se necesita un nombre de snap único para especificar modo o indicadores de "
+"canal"
 
 msgid "a single snap name is needed to specify the revision"
-msgstr ""
+msgstr "se necesita un nombre de snap único para especificar la revisión"
 
 msgid "a single snap name must be specified when ignoring validation"
-msgstr ""
+msgstr "se debe especificar un nombre de snap único al ignorar la validación"
 
 msgid "active"
+msgstr "activo"
+
+msgid "auto-refresh: all snaps are up-to-date"
 msgstr ""
 
 msgid "bought"
-msgstr ""
+msgstr "comprado"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "broken"
 msgstr "roto"
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr "no se puede %s sin un contexto"
+
+#, c-format
 msgid "cannot buy snap: %v"
-msgstr ""
+msgstr "no se puede comprar el snap: %v"
 
 msgid "cannot buy snap: invalid characters in name"
-msgstr ""
+msgstr "no se puede comprar el snap: caracteres no válidos en el nombre"
 
 msgid "cannot buy snap: it has already been bought"
-msgstr ""
+msgstr "no se puede comprar el snap: ya se ha comprado"
 
 #. TRANSLATORS: %q is the directory whose creation failed, %v the error message
 #, c-format
@@ -1515,12 +2205,12 @@
 
 #, c-format
 msgid "cannot create assertions file: %v"
-msgstr ""
+msgstr "no se puede crear el archivo de afirmaciones: %v"
 
 #. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
 #, c-format
 msgid "cannot extract the snap-name from local file %q: %v"
-msgstr ""
+msgstr "no se puede extraer el nombre de snap del archivo local %q: %v"
 
 #, c-format
 msgid "cannot find app %q in %q"
@@ -1528,89 +2218,90 @@
 
 #, c-format
 msgid "cannot find hook %q in %q"
-msgstr ""
+msgstr "no se puede encontrar el enganche %q en %q"
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
-msgstr ""
+msgstr "no se pueden obtener los datos para %q: %v"
 
 #. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
 #, c-format
 msgid "cannot get full path for %q: %v"
-msgstr ""
+msgstr "no se puede obtener la ruta completa para %q: %v"
 
 #, c-format
 msgid "cannot get the current user: %s"
-msgstr ""
+msgstr "no se puede obtener el usuario actual: %s"
 
 #, c-format
 msgid "cannot get the current user: %v"
-msgstr ""
+msgstr "no se puede obtener el usuario actual: %v"
 
 #, c-format
 msgid "cannot mark boot successful: %s"
-msgstr ""
+msgstr "no se puede marcar el arranque con éxito: %s"
 
 #, c-format
 msgid "cannot open the assertions database: %v"
-msgstr ""
+msgstr "no se puede abrir la base de datos de afirmaciones: %v"
 
 #, c-format
 msgid "cannot read assertion input: %v"
-msgstr ""
+msgstr "no se puede leer la entrada de afirmación: %v"
 
 #. TRANSLATORS: %v the error message
 #, c-format
 msgid "cannot read symlink: %v"
-msgstr ""
+msgstr "no se puede leer symlink: %v"
 
 #, c-format
 msgid "cannot resolve snap app %q: %v"
-msgstr ""
+msgstr "no se puede resolver la app snap %q: %v"
 
 #, c-format
 msgid "cannot sign assertion: %v"
-msgstr ""
+msgstr "no se puede firmar la aseveración: %v"
 
 #, c-format
 msgid "cannot update the 'current' symlink of %q: %v"
-msgstr ""
+msgstr "no se puede actualizar el symlink «actual» de %q: %v"
 
 #. TRANSLATORS: %q is the key name, %v the error message
 #, c-format
 msgid "cannot use %q key: %v"
 msgstr "no se puede usar la clave %q : %v"
 
-msgid "cannot use --hook and --command together"
-msgstr "no se pueden usar --hook y --command juntos"
-
 msgid "cannot use change ID and type together"
-msgstr ""
+msgstr "no se puede usar un ID de cambio y tipo juntos"
 
 msgid "cannot use devmode and jailmode flags together"
-msgstr ""
+msgstr "no se pueden usar los indicadores devmode y jailmode juntos"
 
 #, c-format
 msgid "cannot validate owner of file %s"
-msgstr ""
+msgstr "no se puede validar el propietario del archivo %s"
 
 #, c-format
 msgid "cannot write new Xauthority file at %s: %s"
-msgstr ""
+msgstr "no se puede escribir un archivo Xauthority nuevo en %s: %s"
 
 #, c-format
 msgid "change finished in status %q with no error message"
-msgstr ""
+msgstr "cambio finalizado en estado %q sin mensaje de error"
 
 #, c-format
 msgid ""
 "classic confinement requires snaps under /snap or symlink from /snap to %s"
 msgstr ""
+"el confinamiento clásico requiere snaps bajo /snap o symlink desde /snap a %s"
 
 #, c-format
 msgid "created user %q\n"
+msgstr "usuario creado %q\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
@@ -1618,10 +2309,10 @@
 msgstr "desactivado"
 
 msgid "email:"
-msgstr ""
+msgstr "correo electrónico:"
 
 msgid "enabled"
-msgstr ""
+msgstr "activado"
 
 #, c-format
 msgid "error: %v\n"
@@ -1630,98 +2321,121 @@
 msgid ""
 "error: the `<snap-dir>` argument was not provided and couldn't be inferred"
 msgstr ""
+"error: el argumento «<snap-dir>» no se proporcionó y no se pudo inferir"
 
 msgid "get which option?"
+msgstr "¿Cual opción desea obtener?"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
 msgstr ""
 
-msgid "inactive"
+msgid "ignore-validation"
 msgstr ""
 
+msgid "inactive"
+msgstr "inactivo"
+
 msgid ""
 "interface attributes can only be read during the execution of interface hooks"
 msgstr ""
+"los atributos de interfaz solo se pueden leer durante la ejecución de "
+"enganches de interfaz"
 
 msgid ""
 "interface attributes can only be set during the execution of prepare hooks"
 msgstr ""
+"los atributos de interfaz solo se pueden establecer durante la ejecución de "
+"enganches de preparación"
 
 #, c-format
 msgid "internal error, please report: running %q failed: %v\n"
-msgstr ""
+msgstr "error interno, por favor repórtelo: falló al ejecutar %q : %v\n"
 
 msgid "internal error: cannot find attrs task"
-msgstr ""
+msgstr "error interno: no se encuentra la tarea attrs"
 
 msgid "internal error: cannot find plug or slot data in the appropriate task"
 msgstr ""
+"error interno: no se pueden encontrar los datos del enchufe o ranura en la "
+"tarea correspondiente"
 
 #, c-format
 msgid "internal error: cannot get %s from appropriate task"
-msgstr ""
+msgstr "error interno: no se puede obtener %s desde la tarea correspondiente"
 
 msgid ""
 "invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
 "“all”."
 msgstr ""
+"argumento no válido para el parámetro «-n»: se esperaba un entero no "
+"negativo como argumento, o «all»."
 
 #, c-format
 msgid "invalid attribute: %q (want key=value)"
-msgstr ""
+msgstr "atributo no válido: %q (quiere clave=valor)"
 
 #, c-format
 msgid "invalid configuration: %q (want key=value)"
-msgstr ""
+msgstr "configuración no válida: %q (quiere clave=valor)"
 
 #, c-format
 msgid "invalid header filter: %q (want key=value)"
-msgstr ""
+msgstr "filtro de cabecera no válido: %q (quiere clave=valor)"
 
 #, c-format
 msgid "invalid parameter: %q (want key=value)"
-msgstr ""
+msgstr "parámetro no válido: %q (quiere clave=valor)"
 
 #, c-format
 msgid "invalid value: %q (want snap:name or snap)"
-msgstr ""
+msgstr "valor no válido: %q (quiere snap:nombre o snap)"
 
 #, c-format
 msgid ""
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
+"el nombre de clave %q no es válido; solo se permiten letras, dígitos y "
+"guiones ASCII"
 
-msgid "missing snap-confine: try updating your snapd package"
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
 msgstr ""
 
-msgid "need the application to run as argument"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
 msgstr ""
 
+msgid "missing snap-confine: try updating your snapd package"
+msgstr "snap-confine ausente: intente actualizar su paquete snapd"
+
+msgid "need the application to run as argument"
+msgstr "se necesita la aplicación para ejecutar como argumento"
+
 msgid "no changes found"
 msgstr "no se han encontrado cambios"
 
 #, c-format
 msgid "no changes of type %q found"
-msgstr ""
+msgstr "no se han encontrado cambios de tipo %q"
 
 msgid "no interfaces currently connected"
-msgstr ""
+msgstr "no hay interfaces conectadas actualmente"
 
 msgid "no interfaces found"
 msgstr "no mse han encontrado interfaces"
 
 msgid "no matching snaps installed"
-msgstr ""
+msgstr "no hay snaps instalados que coincidan"
 
 msgid "no such interface"
-msgstr ""
+msgstr "no hay tal interfaz"
 
 msgid "no valid snaps given"
-msgstr ""
-
-msgid "not a valid snap"
-msgstr ""
+msgstr "no se han proporcionado snaps validos"
 
 msgid "please provide change ID or type with --last=<type>"
-msgstr ""
+msgstr "proporcione un ID de cambio o tipo con --last=<tipo>"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
@@ -1731,66 +2445,72 @@
 "reboot scheduled to update the system - temporarily cancel with 'sudo "
 "shutdown -c'"
 msgstr ""
+"reinicio programado para actualizar el sistema - cancele temporalmente con "
+"«sudo shutdown -c»"
+
+msgid "repairs are not available on a classic system"
+msgstr "las reparaciones no están disponibles en sistemas clásicos"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
 
 #, c-format
 msgid "set failed: %v"
-msgstr ""
+msgstr "No se ha podido establecer: %v"
 
 msgid "set which option?"
-msgstr ""
-
-msgid "show detailed information about a snap"
-msgstr ""
+msgstr "¿Cual opción desea establecer?"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
-msgstr ""
+msgstr "snap %%q no encontrado (al menos en la revisión %q)"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
 #, c-format
 msgid "snap %%q not found (at least in channel %q)"
-msgstr ""
+msgstr "snap %%q no encontrado (al menos en el canal %q)"
 
 #, c-format
 msgid "snap %q has no updates available"
-msgstr ""
+msgstr "el snap %q no tiene actualizaciones disponibles"
 
 #, c-format
 msgid "snap %q is already installed, see \"snap refresh --help\""
-msgstr ""
-
-#, c-format
-msgid "snap %q is local"
-msgstr ""
+msgstr "snap %q ya se encuentra instalado, consulte «snap refresh --help»"
 
 #, c-format
 msgid "snap %q not found"
-msgstr ""
+msgstr "snap %q no encontrado"
 
 #. TRANSLATORS: free as in gratis
 msgid "snap is free"
 msgstr "snap es gratuito"
 
 msgid "too many arguments for command"
-msgstr ""
+msgstr "demasiados argumentos para la orden"
 
 #. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
 #, c-format
 msgid "too many arguments for hook %q: %s"
-msgstr ""
+msgstr "demasiados argumentos para el enganche %q: %s"
 
 #. TRANSLATORS: the %s is the list of extra arguments
 #, c-format
 msgid "too many arguments: %s"
 msgstr "demasiados argumentos: %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "no disponible"
 
 #, c-format
 msgid "unknown attribute %q"
-msgstr ""
+msgstr "atributo desconocido %q"
 
 #, c-format
 msgid "unknown command %q, see \"snap --help\""
@@ -1798,8 +2518,35 @@
 
 #, c-format
 msgid "unknown plug or slot %q"
-msgstr ""
+msgstr "enchufe o ranura desconocido %q"
+
+#, c-format
+msgid "unknown service: %q"
+msgstr "servicio desconocido: %q"
 
 #, c-format
-msgid "unsupported shell %v"
-msgstr "intérprete no permitido %w"
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Autentificar en el demonio snap"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Se requiere autentificación para autentificarse en el demonio snap"
+
+msgid "Install, update, or remove packages"
+msgstr "Instalar, actualizar, o eliminar paquetes"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+"Se requiere autentificación para instalar, actualizar, o eliminar paquetes"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Conectar, desconectar interfaces"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Se requiere autentificación para conectar, desconectar interfaces"
diff -Nru snapd-2.32.3.2~14.04/po/fi.po snapd-2.37~rc1~14.04/po/fi.po
--- snapd-2.32.3.2~14.04/po/fi.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/fi.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Finnish translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-09-19 07:05+0000\n"
-"Last-Translator: Jiri Grönroos <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Finnish <fi@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -31,7 +31,7 @@
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
 msgid "%s %s mounted from %s\n"
-msgstr ""
+msgstr "%s %s liitetty polusta %s\n"
 
 #, c-format
 msgid "%s (delta)"
@@ -40,49 +40,54 @@
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (see \"snap login --help\")"
-msgstr ""
+msgstr "%s (katso \"snap login --help\")"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (try with sudo)"
-msgstr ""
+msgstr "%s (kokeile suorittaa sudoa käyttäen)"
 
 #, c-format
 msgid "%s already installed\n"
-msgstr ""
+msgstr "%s on jo asennettu\n"
 
 #, c-format
 msgid "%s disabled\n"
-msgstr ""
+msgstr "%s poistettu käytöstä\n"
 
 #, c-format
 msgid "%s enabled\n"
-msgstr ""
+msgstr "%s otettu käyttöön\n"
 
 #, c-format
 msgid "%s not installed\n"
-msgstr ""
+msgstr "%s ei ole asennettu\n"
 
 #, c-format
 msgid "%s removed\n"
-msgstr ""
+msgstr "%s poistettu\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
-msgstr ""
+msgstr "%s%s %s asennettu\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,75 +101,129 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
 msgid "Added"
-msgstr ""
+msgstr "Lisätty"
 
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
+msgstr "Kaikki snapit ovat ajan tasalla."
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
 msgstr ""
 
 msgid "Alternative command to run"
@@ -173,13 +232,27 @@
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -251,7 +326,7 @@
 msgstr ""
 
 msgid "Create cryptographic key pair"
-msgstr ""
+msgstr "Luo kryptografinen avainpari"
 
 msgid "Create snap build assertion"
 msgstr ""
@@ -260,10 +335,10 @@
 msgstr ""
 
 msgid "Creates a local system user"
-msgstr ""
+msgstr "Luo paikallisen järjestelmäkäyttäjän"
 
 msgid "Delete cryptographic key pair"
-msgstr ""
+msgstr "Poista kryptografinen avainpari"
 
 msgid "Delete the local cryptographic key pair with the given name."
 msgstr ""
@@ -310,7 +385,7 @@
 msgstr ""
 
 msgid "Email address: "
-msgstr ""
+msgstr "Sähköpostiosoite: "
 
 #, c-format
 msgid "Enable %q snap"
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -327,7 +403,7 @@
 msgstr ""
 
 msgid "Export cryptographic public key"
-msgstr ""
+msgstr "Vie kryptografinen julkinen avain"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -362,7 +439,7 @@
 msgstr ""
 
 msgid "Generate the manpage"
-msgstr ""
+msgstr "Luo man-sivu"
 
 msgid "Grade states the build quality of the snap (defaults to 'stable')"
 msgstr ""
@@ -371,7 +448,7 @@
 msgstr ""
 
 msgid "Help"
-msgstr ""
+msgstr "Ohje"
 
 msgid "Hook to run"
 msgstr ""
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -425,25 +505,25 @@
 msgstr ""
 
 msgid "Install from the beta channel"
-msgstr ""
+msgstr "Asenna betakanavalta"
 
 msgid "Install from the candidate channel"
-msgstr ""
+msgstr "Asenna ehdokaskanavalta"
 
 msgid "Install from the edge channel"
-msgstr ""
+msgstr "Asenna edge-kanavalta"
 
 msgid "Install from the stable channel"
-msgstr ""
+msgstr "Asenna vakaalta kanavalta"
 
 #, c-format
 msgid "Install snap %q"
-msgstr ""
+msgstr "Asenna snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Install snaps %s"
-msgstr ""
+msgstr "Asenna snapit %s"
 
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -468,20 +557,23 @@
 msgstr ""
 
 msgid "List cryptographic keys"
-msgstr ""
+msgstr "Listaa kryptografiset avaimet"
 
 msgid "List cryptographic keys that can be used for signing assertions."
 msgstr ""
 
 msgid "List installed snaps"
-msgstr ""
+msgstr "Listaa asennetut snapit"
 
 msgid "List system changes"
-msgstr ""
+msgstr "Listaa järjestelmämuutokset"
 
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -489,10 +581,10 @@
 msgstr ""
 
 msgid "Log out of the store"
-msgstr ""
+msgstr "Kirjaudu ulos kaupasta"
 
 msgid "Login successful"
-msgstr ""
+msgstr "Kirjautuminen onnistui"
 
 #, c-format
 msgid "Make current revision for snap %q unavailable"
@@ -521,14 +613,17 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
-msgstr ""
+msgstr "Poistettavan avaimen nimi"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
-msgstr ""
+msgstr "Vietävän avaimen nimi"
 
 msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
 msgstr ""
@@ -537,7 +632,7 @@
 msgstr ""
 
 msgid "Name\tSHA3-384"
-msgstr ""
+msgstr "Nimi\tSHA3-384"
 
 msgid "Name\tSummary"
 msgstr ""
@@ -548,18 +643,64 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
 msgstr ""
 
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr "Snapeja ei ole vielä asennettu. Yritä \"snap install hello-world\"."
+
 msgid "Output results in JSON format"
 msgstr ""
 
-msgid "Passphrase: "
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
 msgstr ""
 
+msgid "Passphrase: "
+msgstr "Tunnuslause: "
+
 #, c-format
 msgid "Password of %q: "
 msgstr ""
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -594,7 +738,7 @@
 msgstr ""
 
 msgid "Print the version and exit"
-msgstr ""
+msgstr "Tulosta versio ja poistu"
 
 msgid "Prints configuration options"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -688,7 +832,7 @@
 
 #, c-format
 msgid "Remove snap %q"
-msgstr ""
+msgstr "Poista snap %q"
 
 #, c-format
 msgid "Remove snap %q (%s) from the system"
@@ -697,22 +841,22 @@
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Remove snaps %s"
-msgstr ""
+msgstr "Poista snapit %s"
 
 msgid "Removed"
-msgstr ""
+msgstr "Poistettu"
 
 msgid "Removes a snap from the system"
-msgstr ""
+msgstr "Poistaa snapin järjestelmästä"
 
 msgid "Request device serial"
 msgstr ""
 
 msgid "Restart services"
-msgstr ""
+msgstr "Käynnistä uudelleen palvelut"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Käynnistetty uudelleen.\n"
 
 msgid "Restrict the search to a given section"
 msgstr ""
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,11 +1010,15 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr "Snapin nimi"
 
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
@@ -851,7 +1027,7 @@
 msgstr ""
 
 msgid "Start services"
-msgstr ""
+msgstr "Käynnistä palvelut"
 
 #, c-format
 msgid "Start snap %q (%s) services"
@@ -865,16 +1041,16 @@
 msgstr ""
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Käynnistä userd-palvelu"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Käynnistetty.\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
 msgstr ""
 
 msgid "Stop services"
-msgstr ""
+msgstr "Pysäytä palvelut"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
@@ -888,7 +1064,7 @@
 msgstr ""
 
 msgid "Stopped.\n"
-msgstr ""
+msgstr "Pysäytetty.\n"
 
 msgid "Strict typing with nulls and quoted strings"
 msgstr ""
@@ -906,13 +1082,13 @@
 msgstr ""
 
 msgid "Switches snap to a different channel"
-msgstr ""
+msgstr "Vaihtaa snapin eri kanavaan"
 
 msgid "Temporarily mount device before inspecting"
 msgstr ""
 
 msgid "Tests a snap in the system"
-msgstr ""
+msgstr "Testaa snapia järjestelmässä"
 
 #. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
 #, c-format
@@ -920,28 +1096,34 @@
 "Thanks for purchasing %q. You may now install it on any of your devices\n"
 "with 'snap install %s'."
 msgstr ""
+"Kiitos kun ostit tuotteen %q. Voit asentaa  sen nyt kaikkiin laitteisiisi\n"
+"komennolla 'snap install %s'."
 
 msgid ""
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1133,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,9 +1154,12 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
-msgid "Two-factor code: "
+msgid "Try: snap install <selected snap>\n"
 msgstr ""
 
+msgid "Two-factor code: "
+msgstr "Kaksivaiheinen koodi: "
+
 msgid "Unalias a manual alias or an entire snap"
 msgstr ""
 
@@ -977,13 +1169,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
+msgstr "Käytä tätä kanavaa vakaan kanavan sijaan"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
 msgstr ""
 
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1004,6 +1207,8 @@
 "You need to be logged in to purchase software. Please run 'snap login' and "
 "try again."
 msgstr ""
+"Sinun tulee olla kirjautunut sisään, jotta voit ostaa ohjelmistoja. Suorita "
+"'snap login' ja yritä uudelleen."
 
 #, c-format
 msgid ""
@@ -1013,6 +1218,11 @@
 "Once you’ve added your payment details, you just need to run 'snap buy %s' "
 "again."
 msgstr ""
+"Tilillesi tulee olla määritetty maksutapa, jotta voit ostaa snap-paketteja. "
+"Käy sivulla https://my.ubuntu.com/payment/edit ja lisää maksutapa "
+"tilillesi.\n"
+"\n"
+"Kun olen lisännyt tiedon maksutavasta, suorita 'snap buy %s' uudelleen."
 
 #. TRANSLATORS: the %s is the argument given by the user to "snap changes"
 #, c-format
@@ -1032,6 +1242,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1265,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1537,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1595,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1630,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1670,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1758,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1487,24 +1771,31 @@
 msgstr ""
 
 msgid "active"
+msgstr "aktiivinen"
+
+msgid "auto-refresh: all snaps are up-to-date"
 msgstr ""
 
 msgid "bought"
-msgstr ""
+msgstr "ostettu"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "broken"
+msgstr "rikki"
+
+#, c-format
+msgid "cannot %s without a context"
 msgstr ""
 
 #, c-format
 msgid "cannot buy snap: %v"
-msgstr ""
+msgstr "ei voi ostaa snapia: %v"
 
 msgid "cannot buy snap: invalid characters in name"
-msgstr ""
+msgstr "ei voi ostaa snapia: virheellisiä merkkejä nimessä"
 
 msgid "cannot buy snap: it has already been bought"
-msgstr ""
+msgstr "ei voi ostaa snapia: se on jo ostettu"
 
 #. TRANSLATORS: %q is the directory whose creation failed, %v the error message
 #, c-format
@@ -1529,7 +1820,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1871,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1609,6 +1896,10 @@
 
 #, c-format
 msgid "created user %q\n"
+msgstr "luotiin käyttäjä %q\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
@@ -1616,14 +1907,14 @@
 msgstr ""
 
 msgid "email:"
-msgstr ""
+msgstr "sähköposti:"
 
 msgid "enabled"
 msgstr ""
 
 #, c-format
 msgid "error: %v\n"
-msgstr ""
+msgstr "virhe: %v\n"
 
 msgid ""
 "error: the `<snap-dir>` argument was not provided and couldn't be inferred"
@@ -1632,6 +1923,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1985,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1694,7 +2000,7 @@
 msgstr ""
 
 msgid "no changes found"
-msgstr ""
+msgstr "muutoksia ei löytynyt"
 
 #, c-format
 msgid "no changes of type %q found"
@@ -1715,21 +2021,26 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
-msgstr ""
+msgstr "yksityinen"
 
 msgid ""
 "reboot scheduled to update the system - temporarily cancel with 'sudo "
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2048,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1752,23 +2060,19 @@
 
 #, c-format
 msgid "snap %q has no updates available"
-msgstr ""
+msgstr "snapille %q ei ole päivityksiä saatavilla"
 
 #, c-format
 msgid "snap %q is already installed, see \"snap refresh --help\""
-msgstr ""
-
-#, c-format
-msgid "snap %q is local"
-msgstr ""
+msgstr "snap %q on jo asennettu, katso \"snap refresh --help\""
 
 #, c-format
 msgid "snap %q not found"
-msgstr ""
+msgstr "snapia %q ei löytynyt"
 
 #. TRANSLATORS: free as in gratis
 msgid "snap is free"
-msgstr ""
+msgstr "snap on ilmainen"
 
 msgid "too many arguments for command"
 msgstr ""
@@ -1783,6 +2087,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1792,12 +2099,39 @@
 
 #, c-format
 msgid "unknown command %q, see \"snap --help\""
-msgstr ""
+msgstr "tuntematon komento %q, katso \"snap --help\""
 
 #, c-format
 msgid "unknown plug or slot %q"
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr "Asenna, päivitä tai poista paketteja"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+"Pakettien asentaminen, päivittäminen tai poistaminen vaatii tunnistautumisen"
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/fr.po snapd-2.37~rc1~14.04/po/fr.po
--- snapd-2.32.3.2~14.04/po/fr.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/fr.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # French translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-08-17 17:23+0000\n"
-"Last-Translator: Anne017 <anneonyme017@openmailbox.org>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: French <fr@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -30,7 +30,7 @@
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q commuté sur le canal %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
@@ -71,29 +71,33 @@
 msgid "%s removed\n"
 msgstr "%s supprimé\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s revenu à %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s de « %s » installé\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr "%s%s %s de « %s » actualisé\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s installé\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr "%s%s %s actualisé\n"
 
 msgid "--list does not take mode nor channel flags"
 msgstr ""
-"--list n'accepte ni les indicateurs de mode ni les indicateurs de canal"
 
 msgid "--time does not take mode nor channel flags"
 msgstr "--time n'accepte pas les options mode et/ou canal"
@@ -101,62 +105,93 @@
 msgid "-r can only be used with --hook"
 msgstr "-r ne peut être utilisé qu'avec --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr "<alias ou paquet Snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr "<fichier d'assertion>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr "<type d'assertion>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr "<identifiant de changement>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr "<valeur de configuration>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<courriel>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<nom du fichier>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<filtre d'en-tête>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<interface>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<nom de la clé>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<clé>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr "<modèle d'assertion>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr "<requête>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr "<répertoire racine>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr "<snap>:<connecteur>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr "<snap>:<prise ou connecteur>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr "<snap>:<prise>"
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Annuler un changement en attente"
 
@@ -166,25 +201,62 @@
 msgid "Adds an assertion to the system"
 msgstr "Ajoute une assertion au système"
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr "Alias pour --dangerous (OBSOLÈTE)"
 
 msgid "All snaps up to date."
 msgstr "Tous les paquets Snaps sont à jour."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Commande alternative à « run »"
 
 msgid "Always return document, even with single key"
 msgstr "Toujours retourner un document, même avec une clé unique"
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr "Toujours retourner la liste, même avec une clé unique"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
-msgstr "Un courriel d'un utilisateur sur login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
 
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr "Fichier d'assertion"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "Nom du type d'assertion"
 
@@ -204,30 +276,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr "Actualiser automatiquement les paquets Snap %s"
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr "Code faux. Réessayez : "
 
 msgid "Buys a snap"
 msgstr "Achète un paquet Snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr "Changer l'identifiant"
 
 msgid "Changes configuration options"
 msgstr "Modifie les options de configuration"
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-"Dimension classique désactivée sur ce système.\n"
-"Utilisez « sudo snap install --devmode classic && sudo classic.create » pour "
-"l'activer."
-
 msgid "Command\tAlias\tNotes"
 msgstr "Commande\tAlias\tNotes"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr "Valeur de configuration (clé=valeur)"
 
@@ -241,12 +310,14 @@
 msgid "Connects a plug to a slot"
 msgstr "Connecte un connecteur à une prise"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr "Limite la liste à un paquet Snap spécifique ou snap:nom"
 
 msgid "Constrain listing to specific interfaces"
 msgstr "Limite la liste à des interfaces spécifiques"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr "Limite la liste aux éléments correspondant à en-tête=valeur"
 
@@ -336,8 +407,9 @@
 msgid "Enables a snap in the system"
 msgstr "Active un paquet Snap dans le système"
 
-msgid "Entering classic dimension"
-msgstr "Entrée dans la dimension classique"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr "Assurez-vous que les prérequis pour %q sont disponibles"
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
@@ -360,6 +432,7 @@
 msgid "Fetching snap %q\n"
 msgstr "Récupération du paquet Snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 "Le nom du fichier du paquet Snap pour lequel vous voulez définir une version"
@@ -409,6 +482,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr "Identifiant du paquet Snap associé à la version"
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 "Ignorer la validation par d'autres paquets Snap bloquant l'actualisation"
@@ -431,7 +507,7 @@
 "dans le cas contraire)"
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Inclure les interfaces inutilisées"
 
 msgid "Initialize device"
 msgstr "Initialiser l'appareil"
@@ -492,11 +568,20 @@
 "pourrait être dangereux (--devmode implique cela)"
 
 msgid "Install the given snap without enabling its automatic aliases"
+msgstr "Installer le snap donné sans activer ses alias automatiques"
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
 msgstr ""
 
 msgid "Installs a snap to the system"
 msgstr "Installe un paquet Snap sur le système"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr "Clef d'intérêt dans le cadre de la configuration"
 
@@ -520,11 +605,14 @@
 msgid "Lists aliases in the system"
 msgstr "Afficher la liste des alias dans le système"
 
+msgid "Lists all repairs"
+msgstr "Liste toutes les réparations"
+
 msgid "Lists interfaces in the system"
 msgstr "Liste les interfaces dans le système"
 
 msgid "Lists snap interfaces"
-msgstr ""
+msgstr "Liste les interfaces snap"
 
 msgid "Log out of the store"
 msgstr "Se déconnecter de la logithèque"
@@ -559,12 +647,15 @@
 msgid "Mount snap %q%s"
 msgstr "Monter le paquet Snap %q%s"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr "Nom de la clé à créer ; « default » par défaut"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr "Nom de la clé à supprimer"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr "Nom de la clé à exporter"
 
@@ -578,7 +669,7 @@
 msgstr "Nom\tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Nom\tRésumé"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
 msgstr "Nom\tVersion\tDéveloppeur\tNotes\tRésumé"
@@ -586,17 +677,63 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr "Nom\tVersion\tRévision\tDéveloppeur\tNotes"
 
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
 msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 "Aucun paquet Snap n'est encore installé. Essayez « snap install hello-"
 "world »."
 
-msgid "No snaps to auto-refresh found"
-msgstr "Aucun paquet Snap à actualiser n'a été trouvé"
-
 msgid "Output results in JSON format"
 msgstr "Résultats de sortie en format JSON"
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr "Phrase de passe : "
 
@@ -613,6 +750,9 @@
 "Veuillez saisir à nouveau votre mot de passe Ubuntu One pour \n"
 "acheter %q de %q pour %s. Appuyez sur Ctrl-C pour annuler."
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr "Préfère les alias pour le paquet Snap %q"
@@ -642,11 +782,10 @@
 msgstr "Affiche les options de configuration"
 
 msgid "Prints the confinement mode the system operates in"
-msgstr ""
+msgstr "Imprime le mode de confinement dans lequel le système fonctionne"
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
-"Affiche l'adresse électronique avec laquelle l'utilisateur est authentifié."
 
 msgid "Prints whether system is managed"
 msgstr "Indique si le système est géré"
@@ -669,7 +808,7 @@
 msgstr "Placer le paquet Snap en mode de confinement forcé"
 
 msgid "Query the status of services"
-msgstr ""
+msgstr "Interroger l'état des services"
 
 #, c-format
 msgid "Refresh %q snap"
@@ -756,16 +895,16 @@
 msgstr "Demander le numéro de série de l'appareil"
 
 msgid "Restart services"
-msgstr ""
+msgstr "Redémarrer les services"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Redémarré.\n"
 
 msgid "Restrict the search to a given section"
 msgstr "Restreindre la recherche à une section donnée"
 
 msgid "Retrieve logs of services"
-msgstr ""
+msgstr "Récupérer les journaux de services"
 
 #, c-format
 msgid "Revert %q snap"
@@ -777,6 +916,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr "Exécuter un shell plutôt que la commande (utile pour le débogage)"
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr "Exécuter la configuration du point d'accroche du paquet Snap %q"
@@ -793,17 +935,30 @@
 
 #, c-format
 msgid "Run install hook of %q snap if present"
-msgstr ""
+msgstr "Lancer l'installation du point d'accroche du snap %q si existant"
 
 #, c-format
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
+"Lancer le post-rafraîchissement du point d'accroche du snap %q si existant"
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
 
 msgid "Run prepare-device hook"
 msgstr "Exécuter le point d'accroche prepare-device"
 
 #, c-format
 msgid "Run remove hook of %q snap if present"
+msgstr "Lancer la suppression du point d'accroche du snap %q si existant"
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
 msgstr ""
 
 msgid "Run the given snap command"
@@ -824,6 +979,11 @@
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
+"Sélectionnez le dernier changement de type donné (installer, actualiser, "
+"supprimer, essayer, actualiser automatiquement, etc.)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
 
 #, c-format
 msgid "Set automatic aliases for snap %q"
@@ -868,15 +1028,25 @@
 "Affiche les paquets Snap disponibles pour un rafraîchissement sans effectuer "
 "d'actualisation"
 
-msgid "Show details of a specific interface"
+msgid "Show detailed information about a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Afficher les détails d'une interface spécifique"
+
 msgid "Show interface attributes"
+msgstr "Afficher les attributs de l'interface"
+
+msgid "Show only the given number of lines, or 'all'."
 msgstr ""
 
 msgid "Shows known assertions of the provided type"
 msgstr "Affiche les assertions connues du type fourni"
 
+msgid "Shows specific repairs"
+msgstr "Affiche les réparations spécifiques"
+
 msgid "Shows version details"
 msgstr "Afficher les détails de la version"
 
@@ -895,12 +1065,16 @@
 msgid "Slot\tPlug"
 msgstr "Prise\tConnecteur"
 
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Snap name"
 msgstr "Nom du paquet Snap"
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
-
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
@@ -910,7 +1084,7 @@
 "détails de paiement sur https://my.ubuntu.com/payment/edit et réessayez."
 
 msgid "Start services"
-msgstr ""
+msgstr "Démarrer les services"
 
 #, c-format
 msgid "Start snap %q (%s) services"
@@ -924,16 +1098,16 @@
 msgstr "Démarrer les services du paquet Snap"
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Démarrer le service userd"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Démarré.\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
 msgstr "État\tDescendance\tPrêt\tRésumé\n"
 
 msgid "Stop services"
-msgstr ""
+msgstr "Stopper les services"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
@@ -947,14 +1121,14 @@
 msgstr "Arrêter les services du paquet Snap"
 
 msgid "Stopped.\n"
-msgstr ""
+msgstr "Stoppé.\n"
 
 msgid "Strict typing with nulls and quoted strings"
 msgstr "Frappe exacte avec chaînes vides et entre guillemets"
 
 #, c-format
 msgid "Switch %q snap to %s"
-msgstr ""
+msgstr "Basculer le snap %q vers %s"
 
 #, c-format
 msgid "Switch snap %q from %s to %s"
@@ -962,10 +1136,10 @@
 
 #, c-format
 msgid "Switch snap %q to %s"
-msgstr ""
+msgstr "Basculer le snap %q sur %s"
 
 msgid "Switches snap to a different channel"
-msgstr ""
+msgstr "Bascule le snap sur un autre canal"
 
 msgid "Temporarily mount device before inspecting"
 msgstr "Monter le périphérique temporairement avant inspection"
@@ -989,32 +1163,44 @@
 "La commande « get » affiche les paramètres de configuration et de "
 "l'interface de connexion."
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr "L'adresse électronique login.ubuntu.com avec laquelle se connecter"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr "Le nom du modèle d'assertion"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr "Le répertoire de sortie"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
-msgstr "La recherche %q n'a renvoyé à aucun paquet Snap\n"
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr "Le paquet Snap à configurer (par exemple, hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr "Le paquet Snap dont la configuration est demandée"
 
 msgid "The userd command starts the snap user session service."
 msgstr ""
+"La commande userd démarre le service de session d'utilisateur de snap"
 
 msgid "This command logs the current user out of the store"
 msgstr "Cette commande déconnecte l'utilisateur actuel de la logithèque"
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr "Outil pour interagir avec les paquets Snap"
 
@@ -1029,6 +1215,9 @@
 msgid "Try %q snap from %s"
 msgstr "Essayer le paquet Snap %q de %s"
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr "Code à deux facteurs : "
 
@@ -1043,13 +1232,26 @@
 msgid "Use known assertions for user creation"
 msgstr "Utiliser les assertions connues pour la création d'utilisateur"
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr "Utiliser ce canal plutôt que le canal stable"
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+"AVERTISSEMENT : La sortie de « snap get » deviendra une liste avec des "
+"colonnes, utilisez -d ou -l pour forcer le format de sortie.\n"
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr "ATTENTION : échec de l'activation de la connexion : %v\n"
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr "En attente du redémarrage du serveur"
 
@@ -1120,6 +1322,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 "\n"
@@ -1152,6 +1359,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1241,6 +1454,10 @@
 "none)\n"
 "the system operates in.\n"
 msgstr ""
+"\n"
+"La commande de confinement imprimera le mode de confinement (strict, partiel "
+"ou aucun)\n"
+"dans lequel le système fonctionne.\n"
 
 msgid ""
 "\n"
@@ -1383,6 +1600,9 @@
 "The find command queries the store for available packages in the stable "
 "channel.\n"
 msgstr ""
+"\n"
+"La commande find interroge le magasin pour les paquets disponibles dans le "
+"canal stable.\n"
 
 msgid ""
 "\n"
@@ -1535,6 +1755,13 @@
 "If no interface name is provided, a list of interface names with at least\n"
 "one connection is shown, or a list of all interfaces if --all is provided.\n"
 msgstr ""
+"\n"
+"La commande interface affiche les détails des interfaces snap.\n"
+"\n"
+"Lorsqu'aucun nom d'interface n'est fourni, une liste de noms d'interface "
+"avec au moins \n"
+"une connexion est affichée, ou la liste de toutes les interfaces lorsque --"
+"all est spécifié.\n"
 
 msgid ""
 "\n"
@@ -1624,6 +1851,12 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
@@ -1633,10 +1866,21 @@
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+"\n"
+"La commande pack prépare le répertoire snap comme un snap."
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
 msgstr ""
+"\n"
+"La commande « prefer » active tous les alias du paquet Snap donné \n"
+"et désactive tous les alias des paquets Snap qui entrent en conflit avec \n"
+"ceux-ci (ou les supprime, dans le cas des alias manuels).\n"
 
 #, c-format
 msgid ""
@@ -1655,6 +1899,23 @@
 "if instead you want to install the snap forcing it into strict confinement\n"
 "repeat the command including --jailmode."
 msgstr ""
+"\n"
+"Les éditeurs du snap %q ont indiqué que la qualité de cette version est "
+"inférieure\n"
+"à celle de production et qu'elle n'est, à ce jour, destinée qu'à des fins de "
+"développement \n"
+"ou de test. Par conséquent, ce snap ne se met pas à jour automatiquement et "
+"pourrait\n"
+"entraîner des modifications arbitraires du système en dehors du bac à sable "
+"de sécurité où \n"
+"les snaps sont habituellement confinés, pouvant faire courir un risque à "
+"votre système.\n"
+"\n"
+"Si vous comprenez et que vous souhaitez continuer, répétez la commande en "
+"ajoutant --devmode ;\n"
+"sinon, si vous souhaitez installer le snap en le contraignant dans un "
+"confinement strict,\n"
+"répétez la commande en ajoutant --jailmode."
 
 msgid ""
 "\n"
@@ -1684,6 +1945,41 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+"\n"
+"La commande repair affiche les détails d'une ou de plusieurs réparations.\n"
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+"\n"
+"La commande repair répertorie toutes les réparations traitées pour ce "
+"périphérique.\n"
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+"\n"
+"La commande restart redémarre les services donnés du snap. Lorsqu'elle est "
+"exécutée depuis\n"
+"le point d'accroche « configuration », les services seront redémarrés à la "
+"fin du point d'accroche."
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1704,6 +2000,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1773,15 +2075,54 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+"\n"
+"La commande start démarre les services donnés du snap. Lorsqu'elle est "
+"exécutée depuis\n"
+"le point d'accroche « configuration », les services seront redémarrés à la "
+"fin du point d'accroche."
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+"\n"
+"La commande stop arrête les services donnés du snap. Lorsqu'elle est "
+"exécutée depuis\n"
+"le point d'accroche « configuration », les services seront redémarrés à la "
+"fin du point d'accroche."
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
+"\n"
+"La commande switch bascule le snap donné sur un canal différent sans\n"
+"réactualiser.\n"
 
 msgid ""
 "\n"
 "The tasks command displays a summary of tasks associated to an individual "
 "change."
 msgstr ""
+"\n"
+"La commande tasks affiche un résumé des tâches associées à un changement "
+"individuel."
 
 msgid ""
 "\n"
@@ -1819,6 +2160,10 @@
 "The unalias command tears down a manual alias when given one or disables all "
 "aliases of a snap, removing also all manual ones, when given a snap name.\n"
 msgstr ""
+"\n"
+"La commande « unalias » enlève l'alias manuel donné ou, si le nom d'un "
+"paquet Snap est donné, désactive tous les alias du paquet Snap, en "
+"supprimant ses alias manuels.\n"
 
 msgid ""
 "\n"
@@ -1843,6 +2188,10 @@
 "\n"
 "The whoami command prints the email the user is logged in with.\n"
 msgstr ""
+"\n"
+"La commande « whoami » affiche l'adresse électronique avec lequel "
+"l'utilisateur\n"
+"est connecté.\n"
 
 #, c-format
 msgid ""
@@ -1856,17 +2205,22 @@
 "If you understand and want to proceed repeat the command including --"
 "classic.\n"
 msgstr ""
+"\n"
+"Cette version du paquet Snap %q a été publiée avec un confinement "
+"classique.\n"
+"Elle pourrait donc apporter des modifications arbitraires au système, au-"
+"delà de\n"
+"l'espace mémoire protégé (« sandbox ») dans lequel les paquets Snap sont\n"
+"généralement confinés, ce qui peut créer un risque pour votre système.\n"
+"\n"
+"Si vous comprenez ceci et souhaitez néanmoins poursuivre, répétez la "
+"commande \n"
+"en y ajoutant l'option « --classic ».\n"
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
-"\n"
-"\n"
-"Le dossier personnel est partagé entre Snappy et la dimension classique.\n"
-"Exécutez « exit » pour quitter le shell classique.\n"
 
 msgid "a single snap name is needed to specify mode or channel flags"
 msgstr ""
@@ -1883,6 +2237,9 @@
 "ignorée"
 
 msgid "active"
+msgstr "actif"
+
+msgid "auto-refresh: all snaps are up-to-date"
 msgstr ""
 
 msgid "bought"
@@ -1893,6 +2250,10 @@
 msgstr "cassé"
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr "impossible d'acheter le paquet Snap : %v"
 
@@ -1927,7 +2288,6 @@
 msgstr "impossible de trouver le point d'accroche %q dans %s"
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr "impossible d'obtenir des données pour %q : %v"
@@ -1979,9 +2339,6 @@
 msgid "cannot use %q key: %v"
 msgstr "impossible d'utiliser la clé %q : %v"
 
-msgid "cannot use --hook and --command together"
-msgstr "Impossible d'utiliser --hook et --command ensemble"
-
 msgid "cannot use change ID and type together"
 msgstr "impossible de changer l'identifiant et le type en même temps"
 
@@ -1994,7 +2351,7 @@
 
 #, c-format
 msgid "cannot write new Xauthority file at %s: %s"
-msgstr ""
+msgstr "impossible d'écrire un nouveau fichier Xauthority sur %s : %s"
 
 #, c-format
 msgid "change finished in status %q with no error message"
@@ -2004,11 +2361,17 @@
 msgid ""
 "classic confinement requires snaps under /snap or symlink from /snap to %s"
 msgstr ""
+"un confinement classique nécessite des snaps sous /snap ou un lien "
+"symbolique depuis /snap vers %s"
 
 #, c-format
 msgid "created user %q\n"
 msgstr "utilisateur %q créé\n"
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr "désactivé"
@@ -2017,7 +2380,7 @@
 msgstr "courriel :"
 
 msgid "enabled"
-msgstr ""
+msgstr "activé"
 
 #, c-format
 msgid "error: %v\n"
@@ -2031,9 +2394,16 @@
 msgid "get which option?"
 msgstr "obtenir quelle option ?"
 
-msgid "inactive"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
 msgstr ""
 
+msgid "inactive"
+msgstr "inactif"
+
 msgid ""
 "interface attributes can only be read during the execution of interface hooks"
 msgstr ""
@@ -2067,6 +2437,8 @@
 "invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
 "“all”."
 msgstr ""
+"argument invalide pour le marqueur « -n' » : un argument entier positif ou "
+"« all » est attendu."
 
 #, c-format
 msgid "invalid attribute: %q (want key=value)"
@@ -2095,6 +2467,14 @@
 "le nom de clé %q n'est pas valide ; seuls les nombres, les lettres ASCII et "
 "les tirets sont autorisés"
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr "Snap-confine manquant : essayez de mettre à jour votre paquet Snapd"
 
@@ -2109,7 +2489,7 @@
 msgstr "aucun changement trouvé pour le type %q"
 
 msgid "no interfaces currently connected"
-msgstr ""
+msgstr "aucune interface actuellement connectée"
 
 msgid "no interfaces found"
 msgstr "aucune interface trouvée"
@@ -2118,16 +2498,14 @@
 msgstr "aucun paquet Snap correspondant installé"
 
 msgid "no such interface"
-msgstr ""
+msgstr "pas une telle interface"
 
 msgid "no valid snaps given"
 msgstr "aucun paquet Snap valide n'a été indiqué"
 
-msgid "not a valid snap"
-msgstr "ceci n'est pas un paquet Snap valide"
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
+"veuillez fournir l'identifiant de modification ou le type avec --last=<type>"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
@@ -2140,41 +2518,42 @@
 "redémarrage programmé pour mettre à jour le système - annulation temporaire "
 "possible via « sudo shutdown -c »"
 
+msgid "repairs are not available on a classic system"
+msgstr "les réparations ne sont pas disponibles sur un système classique"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
-msgstr ""
+msgstr "le paramétrage a échoué : %v"
 
 msgid "set which option?"
 msgstr "définir quelle option ?"
 
-msgid "show detailed information about a snap"
-msgstr "afficher les informations détaillées à propos d'un paquet Snap"
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
-msgstr ""
+msgstr "snap %%q non trouvé (au moins à la révision %q)"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
 #, c-format
 msgid "snap %%q not found (at least in channel %q)"
-msgstr ""
+msgstr "snap %%q non trouvé (au moins dans le canal %q)"
 
 #, c-format
 msgid "snap %q has no updates available"
-msgstr ""
+msgstr "le snap %q n'a aucune mise à jour disponible"
 
 #, c-format
 msgid "snap %q is already installed, see \"snap refresh --help\""
 msgstr "le paquet Snap %q est déjà installé, voir « snap refresh --help »"
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
-msgstr ""
+msgstr "snap %q non trouvé"
 
 #. TRANSLATORS: free as in gratis
 msgid "snap is free"
@@ -2193,6 +2572,9 @@
 msgid "too many arguments: %s"
 msgstr "trop d'arguments : %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "indisponible"
 
@@ -2209,29 +2591,34 @@
 msgstr "prise ou connecteur %q inconnu(e)"
 
 #, c-format
-msgid "unsupported shell %v"
-msgstr "shell %v non pris en charge"
+msgid "unknown service: %q"
+msgstr "service inconnu : %q"
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "S'authentifier sur le démon Snap"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "L'autorisation est requise pour l'authentification sur le démon snap"
+
+msgid "Install, update, or remove packages"
+msgstr "Installer, mettre à jour ou supprimer des paquets"
 
-#~ msgid ""
-#~ "\n"
-#~ "The change command displays a summary of tasks associated to an individual "
-#~ "change."
-#~ msgstr ""
-#~ "\n"
-#~ "La commande « change » affiche un résumé des tâches associées à un "
-#~ "changement individuel."
-
-#~ msgid ""
-#~ "\n"
-#~ "The find command queries the store for available packages.\n"
-#~ msgstr ""
-#~ "\n"
-#~ "La commande « find » interroge la logithèque au sujet des paquets "
-#~ "disponibles.\n"
-
-#~ msgid ""
-#~ "Show last change of given type (install, refresh, remove, try, auto-refresh "
-#~ "etc.)"
-#~ msgstr ""
-#~ "Affiche les derniers changements pour un type donné (installation, "
-#~ "actualisation, suppression, essai, actualisation automatique, etc.)"
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+"L'authentification est requise pour installer, mettre à jour ou supprimer "
+"des paquets"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Connecter, déconnecter les interfaces"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
+"L'authentification est requise pour connecter ou déconnecter des interfaces"
diff -Nru snapd-2.32.3.2~14.04/po/gl.po snapd-2.37~rc1~14.04/po/gl.po
--- snapd-2.32.3.2~14.04/po/gl.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/gl.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
-# Galician translation for snappy
-# Copyright (c) 2015 Rosetta Contributors and Canonical Ltd 2015
-# This file is distributed under the same license as the snappy package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2015.
+# Galician translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: snappy\n"
+"Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-10-09 21:18+0000\n"
-"Last-Translator: Xosé <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Galician <gl@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -23,10 +23,13 @@
 "\n"
 "Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
 msgstr ""
+"%q non contén un snap desempaquetado.\n"
+"\n"
+"Probe «snapcraft prime» no cartafol do proxecto, despois «snap try» de novo."
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q cambiou á canle %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
@@ -40,7 +43,7 @@
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (see \"snap login --help\")"
-msgstr "%s (ver \"snap login --help\")"
+msgstr ""
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
@@ -53,11 +56,11 @@
 
 #, c-format
 msgid "%s disabled\n"
-msgstr "%s está desactivada\n"
+msgstr ""
 
 #, c-format
 msgid "%s enabled\n"
-msgstr "%s está activada\n"
+msgstr ""
 
 #, c-format
 msgid "%s not installed\n"
@@ -65,163 +68,236 @@
 
 #, c-format
 msgid "%s removed\n"
-msgstr "%s eliminada\n"
+msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
-msgstr "%s revertida a %s\n"
+msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
-msgstr "%s%s %s desde «%s» instalada\n"
+msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
-msgstr "%s%s %s de «%s» refrescado\n"
+msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
-msgstr "%s%s %s instalada\n"
+msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
-msgstr "%s%s %s refrescado\n"
+msgstr ""
 
 msgid "--list does not take mode nor channel flags"
-msgstr "--list non acepta bandeiras de modo nin de canle"
+msgstr ""
 
 msgid "--time does not take mode nor channel flags"
-msgstr ""
+msgstr "--time non acepta sinaladores de modo nin de canle"
 
 msgid "-r can only be used with --hook"
-msgstr "-r só pode ser empregado con --hook"
+msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<alias-ou-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
-msgstr "<alcume>"
+msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr "<ficheiro de aserción>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr "<tipo de aserción>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
-msgstr ""
+msgstr "<cambiar-id>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr "<valor de configuración>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<correo electrónico>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<nome de ficheiro>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<filtro de cabeceira>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<interface>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr "<nome da clave>"
+msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
-msgstr "<clave>"
+msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
-msgstr ""
+msgstr "<modelo-aserción>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
-msgstr ""
+msgstr "<consulta>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr "<directorio raíz>"
 
-msgid "<snap>:<plug>"
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr "<snap>:<conector>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
-msgstr ""
+msgstr "<snap>:<rañura ou conector>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
+msgstr "<snap>:<rañura>"
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
 msgstr ""
 
 msgid "Abort a pending change"
 msgstr "Cancelar un cambio pendente"
 
 msgid "Added"
-msgstr ""
+msgstr "Engadido"
 
 msgid "Adds an assertion to the system"
+msgstr "Engade unha aserción ao sistema"
+
+msgid "Advise on available snaps."
 msgstr ""
 
-msgid "Alias for --dangerous (DEPRECATED)"
+msgid "Advise on snaps that provide the given command"
 msgstr ""
 
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr "Alias para --dangerous (DESFASADO)"
+
 msgid "All snaps up to date."
 msgstr "Todos os snaps está actualizados."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Orde alternativa a executar"
 
 msgid "Always return document, even with single key"
-msgstr ""
+msgstr "Devolver sempre un documento, incluso cunha soa chave"
+
+msgid "Always return list, even with single key"
+msgstr "Devolver sempre unha lista, incluso cunha soa chave"
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
+msgstr "Correo electrónico dun usuario en login.ubuntu.com"
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
 msgstr ""
 
-msgid "Assertion file"
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr "Ficheiro de aserción"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
-msgstr ""
+msgstr "Nome do tipo de aserción"
 
 msgid "Authenticates on snapd and the store"
-msgstr ""
+msgstr "Autentica en snapd e na tenda"
 
 #, c-format
 msgid "Auto-refresh %d snaps"
-msgstr ""
+msgstr "Actualizar automaticamente %d snaps"
 
 #, c-format
 msgid "Auto-refresh snap %q"
-msgstr ""
+msgstr "Actualizar automaticamente o snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Auto-refresh snaps %s"
+msgstr "Actualizar automaticamente os snaps %s"
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
 msgid "Bad code. Try again: "
-msgstr "Codo errado. Tente de novo: "
+msgstr ""
 
 msgid "Buys a snap"
 msgstr "Compra unha snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
-msgstr "Cambiar o identificador"
+msgstr ""
 
 msgid "Changes configuration options"
 msgstr "Cambia as opcións de configuración"
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Orde\tAlias\tNotas"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
-msgstr ""
+msgstr "Valor da configuración (chave=valor)"
 
 msgid "Confirm passphrase: "
 msgstr "Confirme a frase de paso: "
@@ -231,162 +307,182 @@
 msgstr "Conectar %s:%s a %s:%s"
 
 msgid "Connects a plug to a slot"
-msgstr ""
+msgstr "Conecta o conector nunha rañura"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
-msgstr ""
+msgstr "Restrinxir a lista a un snap específico ou snap:nome"
 
 msgid "Constrain listing to specific interfaces"
-msgstr ""
+msgstr "Restrinxir a lista a interfaces específicas"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
-msgstr ""
+msgstr "Restrinxir a lista ás coincidencias cabeceira=valor"
 
 #, c-format
 msgid "Copy snap %q data"
-msgstr ""
+msgstr "Copiar os datos do snap %q"
 
 msgid ""
 "Create a cryptographic key pair that can be used for signing assertions."
-msgstr ""
+msgstr "Crear un par de chaves de cifrado para asinar asercións."
 
 msgid "Create cryptographic key pair"
-msgstr ""
+msgstr "Crear par de chaves de cifrado"
 
 msgid "Create snap build assertion"
-msgstr ""
+msgstr "Crear unha aserción de construción de paquete snap"
 
 msgid "Create snap-build assertion for the provided snap file."
 msgstr ""
+"Crear unha aserción de construción de paquete snap para o ficheiro snap "
+"proporcionado."
 
 msgid "Creates a local system user"
-msgstr "Crea un usuario local do sistema"
+msgstr ""
 
 msgid "Delete cryptographic key pair"
-msgstr ""
+msgstr "Eliminar par de chaves de cifrado"
 
 msgid "Delete the local cryptographic key pair with the given name."
-msgstr ""
+msgstr "Eliminar o par de chaves de cifrado locais co nome indicado."
 
 #, c-format
 msgid "Disable %q snap"
-msgstr ""
+msgstr "Desactivar snap %q"
 
 #, c-format
 msgid "Disable aliases for snap %q"
-msgstr ""
+msgstr "Desactivar os alias para o snap %q"
 
 #, c-format
 msgid "Disable all aliases for snap %q"
-msgstr ""
+msgstr "Desactivar todos os alias do snap %q"
 
 msgid "Disables a snap in the system"
-msgstr ""
+msgstr "Desactivar un snap no sistema"
 
 #, c-format
 msgid "Discard interface connections for snap %q (%s)"
-msgstr ""
+msgstr "Desbotar as conexións de interface do snap %q (%s)"
 
 #, c-format
 msgid "Disconnect %s:%s from %s:%s"
 msgstr "Desconectar %s:%s de %s:%s"
 
 msgid "Disconnects a plug from a slot"
-msgstr ""
+msgstr "Desconecta un conector dunha rañura"
 
 msgid "Do not wait for the operation to finish but just print the change id."
 msgstr ""
+"Non agardar a que a operación remate, simplemente imprimir o identificador "
+"do cambio."
 
 #, c-format
 msgid "Download snap %q%s from channel %q"
-msgstr ""
+msgstr "Descargar o snap %q%s da canle %q"
 
 msgid ""
 "Download the given revision of a snap, to which you must have developer "
 "access"
 msgstr ""
+"Descargar a revisión dada dun snap, para isto debe ter acceso de "
+"desenvolvedor"
 
 msgid "Downloads the given snap"
-msgstr ""
+msgstr "Descarga o snap indicado"
 
 msgid "Email address: "
-msgstr ""
+msgstr "Enderezo de correo-e: "
 
 #, c-format
 msgid "Enable %q snap"
-msgstr ""
+msgstr "Activar snap %q"
 
 msgid "Enables a snap in the system"
-msgstr ""
+msgstr "Activa un snap do sistema"
 
-msgid "Entering classic dimension"
-msgstr ""
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr "Comprobar que os pre-requisitos para %q están dispoñíbeis"
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
 msgstr ""
+"Exportar unha aserción de chave pública que pode ser importada por outros "
+"sistemas."
 
 msgid "Export cryptographic public key"
-msgstr ""
+msgstr "Exportar a chave pública de cifrado"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
-msgstr ""
+msgstr "buscar e comprobar asercións para o snap %q%s"
 
 #, c-format
 msgid "Fetching assertions for %q\n"
-msgstr ""
+msgstr "Obtendo asercións para %q\n"
 
 #, c-format
 msgid "Fetching snap %q\n"
-msgstr ""
+msgstr "Obtendo o snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
+"Nome do ficheiro do paquete snap para o que desexa definir unha versión"
 
 msgid "Finds packages to install"
-msgstr ""
+msgstr "Busca paquetes para instalar"
 
 msgid "Force adding the user, even if the device is already managed"
 msgstr ""
+"Forzar a adición do usuario incluso se o dispositivo xa está administrado"
 
 msgid "Force import on classic systems"
-msgstr ""
+msgstr "Forzar importación en sistemas clásicos"
 
 msgid ""
 "Format public key material as a request for an account-key for this account-"
 "id"
 msgstr ""
+"Formatar o material da chave pública como unha petición de chave de conta "
+"para este identificador de conta."
 
 msgid "Generate device key"
-msgstr ""
+msgstr "Xerar chave do dispositivo"
 
 msgid "Generate the manpage"
-msgstr ""
+msgstr "Xerar o manual"
 
 msgid "Grade states the build quality of the snap (defaults to 'stable')"
 msgstr ""
+"O grao indica a calidade da versión do snap («estábel» como predeterminada)"
 
 msgid "Grant sudo access to the created user"
-msgstr ""
+msgstr "Conceder acceso sudo ao usuario creado"
 
 msgid "Help"
-msgstr ""
+msgstr "Axuda"
 
 msgid "Hook to run"
-msgstr ""
+msgstr "«Hook» a executar"
 
 msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "Identificador\tEstado\tDescendencia\tListo\tResumo\n"
 
 msgid "Identifier of the signer"
-msgstr ""
+msgstr "Identificador do asinante"
 
 msgid "Identifier of the snap package associated with the build"
+msgstr "Identificador do paquete snap asociado á versión"
+
+msgid "If the service has a reload command, use it instead of restarting."
 msgstr ""
 
 msgid "Ignore validation by other snaps blocking the refresh"
-msgstr ""
+msgstr "Ignorar a validación por outros snaps que bloquean a actualización"
 
 #, c-format
 msgid ""
@@ -395,174 +491,246 @@
 "\n"
 "Once completed, return here and run 'snap buy %s' again."
 msgstr ""
+"Para poder comprar %q debe aceptar os termos e condicións máis recentes. "
+"Visite https://my.ubuntu.com/payment/edit para facer isto.\n"
+"\n"
+"Unha vez completad o proceso, volva aquí e execute «snap buy %s» de novo."
 
 msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
 msgstr ""
+"Incluír unha lista detallada de notas dos snaps (do contrario, resumir notas)"
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Incluír interfaces non usadas"
 
 msgid "Initialize device"
-msgstr ""
+msgstr "Iniciar dispositivo"
 
 msgid "Inspects devices for actionable information"
-msgstr ""
+msgstr "Busca información nos dispositivos que permita iniciar accións."
 
 #, c-format
 msgid "Install %q snap"
-msgstr ""
+msgstr "Instalar o snap %q"
 
 #, c-format
 msgid "Install %q snap from %q channel"
-msgstr ""
+msgstr "Instalar o snap %q da canle %q"
 
 #, c-format
 msgid "Install %q snap from file"
-msgstr ""
+msgstr "Instalar o snap %q desde ficheiro"
 
 #, c-format
 msgid "Install %q snap from file %q"
-msgstr ""
+msgstr "Instalar o snap %q desde o ficheiro %q"
 
 msgid "Install from the beta channel"
-msgstr ""
+msgstr "Instalar da canle beta"
 
 msgid "Install from the candidate channel"
-msgstr ""
+msgstr "Instalar da canle candidata"
 
 msgid "Install from the edge channel"
-msgstr ""
+msgstr "Instalar da canle avanzada"
 
 msgid "Install from the stable channel"
-msgstr ""
+msgstr "Instalar da canle estábel"
 
 #, c-format
 msgid "Install snap %q"
-msgstr ""
+msgstr "Instalar snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Install snaps %s"
-msgstr ""
+msgstr "Instalar snaps %s"
 
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
 msgstr ""
+"Instalar a revisión indicada dun snap, para o cal debe ter acceso de "
+"desenvolvedor"
 
 msgid ""
 "Install the given snap file even if there are no pre-acknowledged signatures "
 "for it, meaning it was not verified and could be dangerous (--devmode "
 "implies this)"
 msgstr ""
+"Instalar o snap indicado incluso se non hai sinaturas pre-recoñecidas para "
+"el, o cal significa que non foi comprobado e podería ser perigoso (--devmode "
+"implica isto)"
 
 msgid "Install the given snap without enabling its automatic aliases"
+msgstr "Instalar o snap indicado sen activar os seus alias automáticos"
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
 msgstr ""
 
 msgid "Installs a snap to the system"
-msgstr ""
+msgstr "Instala un snap no sistema"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
-msgstr ""
+msgstr "Chave de interese na configuración"
 
 msgid "List a change's tasks"
-msgstr ""
+msgstr "Listar as tarefas dun cambio"
 
 msgid "List cryptographic keys"
-msgstr ""
+msgstr "Listar chaves de cifrado"
 
 msgid "List cryptographic keys that can be used for signing assertions."
-msgstr ""
+msgstr "Lista de chaves de cifrado que se poden usar para asinar asercións."
 
 msgid "List installed snaps"
-msgstr ""
+msgstr "Listar snaps instalados"
 
 msgid "List system changes"
-msgstr ""
+msgstr "Listar os cambios do sistema"
 
 msgid "Lists aliases in the system"
-msgstr ""
+msgstr "Lista os alias do sistema"
+
+msgid "Lists all repairs"
+msgstr "Lista todos os arranxos"
 
 msgid "Lists interfaces in the system"
-msgstr ""
+msgstr "Lista interfaces no sistema"
 
 msgid "Lists snap interfaces"
-msgstr ""
+msgstr "Lista as interfaces de snap"
 
 msgid "Log out of the store"
-msgstr ""
+msgstr "Saír da tenda"
 
 msgid "Login successful"
 msgstr "Inicio de sesión correcto"
 
 #, c-format
 msgid "Make current revision for snap %q unavailable"
-msgstr ""
+msgstr "Facer a revisión actual do snap %q non dispoñíbel"
 
 #, c-format
 msgid "Make snap %q (%s) available to the system"
-msgstr ""
+msgstr "Facer o snap %q (%s) dispoñíbel para o sistema"
 
 #, c-format
 msgid "Make snap %q (%s) unavailable to the system"
-msgstr ""
+msgstr "Facer o snap %q (%s) non dispoñíbel para o sistema"
 
 #, c-format
 msgid "Make snap %q unavailable to the system"
-msgstr ""
+msgstr "Facer o snap %q non dispoñíbel para o sistema"
 
 #, c-format
 msgid "Make snap %q%s available to the system"
-msgstr ""
+msgstr "Facer o snap %q%s dispoñíbel para o sistema"
 
 msgid "Mark system seeded"
-msgstr ""
+msgstr "Marcar o sistema como propagado"
 
 #, c-format
 msgid "Mount snap %q%s"
-msgstr ""
+msgstr "Montar o snap %q%s"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
-msgstr ""
+msgstr "Nome da chave a crear; a predeteminación é «predeterminada»"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
-msgstr ""
+msgstr "Nome da chave a eliminar"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
-msgstr ""
+msgstr "Nome da chave a exportar"
 
 msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
 msgstr ""
+"Nome da chave GnuPG a usar (nome da chave «predeterminada» por omisión)"
 
 msgid "Name of the key to use, otherwise use the default key"
-msgstr ""
+msgstr "Nome da chave a usar, do contrario usar a chave predeterminada"
 
 msgid "Name\tSHA3-384"
-msgstr ""
+msgstr "Nome\tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Nome\tResumo"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
-msgstr ""
+msgstr "Nome\tVersión\tDesenvolvedor\tNotas\tResumo"
 
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr "Nome\tVersión\tOpin.\tDesenvolvedor\tNotas"
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
 msgstr ""
 
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr "Aínda non hai snaps instalados. Probe «snap install hello-world»."
+
 msgid "Output results in JSON format"
+msgstr "Saída de resultados en formato JSON"
+
+msgid "Pack the given target dir as a snap"
 msgstr ""
 
-msgid "Passphrase: "
+#, c-format
+msgid "Packages matching %q:\n"
 msgstr ""
 
+msgid "Passphrase: "
+msgstr "Frase de paso: "
+
 #, c-format
 msgid "Password of %q: "
-msgstr ""
+msgstr "Contrasinal de %q: "
 
 #. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
 #, c-format
@@ -570,349 +738,402 @@
 "Please re-enter your Ubuntu One password to purchase %q from %q\n"
 "for %s. Press ctrl-c to cancel."
 msgstr ""
+"Introduza de novo o contrasinal de Ubuntu One para comprar %q en %q\n"
+"para %s. Prema ctrl-c para cancelar."
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
 
 #, c-format
 msgid "Prefer aliases for snap %q"
-msgstr ""
+msgstr "Preferir alias para o snap %q"
 
 msgid "Prefer aliases from a snap and disable conflicts"
-msgstr ""
+msgstr "Preferir alias dun snap e desactivar conflitos"
 
 #, c-format
 msgid "Prefer aliases of snap %q"
-msgstr ""
+msgstr "Preferir alias do snap %q"
 
 msgid "Prepare a snappy image"
-msgstr ""
+msgstr "Preparar unha imaxe snappy"
 
 #, c-format
 msgid "Prepare snap %q (%s)"
-msgstr ""
+msgstr "Preparar o snap %q (%s)"
 
 #, c-format
 msgid "Prepare snap %q%s"
-msgstr ""
+msgstr "Preparar o snap %q%s"
 
 msgid "Print the version and exit"
-msgstr ""
+msgstr "Imprimir a versión e saír"
 
 msgid "Prints configuration options"
-msgstr ""
+msgstr "Imprime as opcións de configuración"
 
 msgid "Prints the confinement mode the system operates in"
-msgstr ""
+msgstr "Imprime o modo confinado no que opera o sistema"
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
-msgstr ""
+msgstr "Imprime se o sistema está administrado"
 
 #, c-format
 msgid "Prune automatic aliases for snap %q"
-msgstr ""
+msgstr "Purgar os alias automáticos do snap %q"
 
 msgid "Put snap in classic mode and disable security confinement"
-msgstr ""
+msgstr "Poñer snap no  modo clásico e desactivar o confinamento de seguranza"
 
 msgid "Put snap in development mode and disable security confinement"
 msgstr ""
+"Poñer snap en modo desenvolvemento e desactivar o confinamento de seguranza"
 
 msgid "Put snap in enforced confinement mode"
-msgstr ""
+msgstr "Poñer snap en modo confinamento forzado"
 
 msgid "Query the status of services"
-msgstr ""
+msgstr "Consulta o estado dos servizos"
 
 #, c-format
 msgid "Refresh %q snap"
-msgstr ""
+msgstr "Actualizar %q snap"
 
 #, c-format
 msgid "Refresh %q snap from %q channel"
-msgstr ""
+msgstr "Actualizar %q snap desde a canle %q"
 
 #, c-format
 msgid "Refresh aliases for snap %q"
-msgstr ""
+msgstr "Actualizar os alias do snap %q"
 
 msgid "Refresh all snaps: no updates"
-msgstr ""
+msgstr "Actualizar todos os snaps: non hai actualizacións"
 
 #, c-format
 msgid "Refresh snap %q"
-msgstr ""
+msgstr "Actualizar snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s"
-msgstr ""
+msgstr "Actualizar snaps %s"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s: no updates"
-msgstr ""
+msgstr "Actualizar snaps %s: non hai actualizacións"
 
 msgid "Refresh to the given revision"
-msgstr ""
+msgstr "Actualizar á revisión indicada"
 
 msgid "Refreshes a snap in the system"
-msgstr ""
+msgstr "Actualiza un snap no sistema"
 
 #, c-format
 msgid "Remove %q snap"
-msgstr ""
+msgstr "Eliminar %q snap"
 
 #, c-format
 msgid "Remove aliases for snap %q"
-msgstr ""
+msgstr "Eliminar alias do snap %q"
 
 #, c-format
 msgid "Remove data for snap %q (%s)"
-msgstr ""
+msgstr "Eliminar datos do snap %q (%s)"
 
 #, c-format
 msgid "Remove manual alias %q for snap %q"
-msgstr ""
+msgstr "Retirar o alias manual %q do snap %q"
 
 msgid "Remove only the given revision"
-msgstr ""
+msgstr "Retirar só a revisión indicada"
 
 #, c-format
 msgid "Remove security profile for snap %q (%s)"
-msgstr ""
+msgstr "Retirar o perfil de seguranza do snap %q (%s)"
 
 #, c-format
 msgid "Remove security profiles of snap %q"
-msgstr ""
+msgstr "Retirar os perfís de seguranza do snap %q"
 
 #, c-format
 msgid "Remove snap %q"
-msgstr ""
+msgstr "Eliminar snap %q"
 
 #, c-format
 msgid "Remove snap %q (%s) from the system"
-msgstr ""
+msgstr "Eliminar o snap %q (%s) do sistema"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Remove snaps %s"
-msgstr ""
+msgstr "Eliminar snaps %s"
 
 msgid "Removed"
-msgstr ""
+msgstr "Retirado"
 
 msgid "Removes a snap from the system"
-msgstr ""
+msgstr "Retira un snap do sistema"
 
 msgid "Request device serial"
-msgstr ""
+msgstr "Solicitar a serie do dispositivo"
 
 msgid "Restart services"
-msgstr ""
+msgstr "Reiniciar servizos"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Reiniciado.\n"
 
 msgid "Restrict the search to a given section"
-msgstr ""
+msgstr "Restrinxir a busca a unha sección dada"
 
 msgid "Retrieve logs of services"
-msgstr ""
+msgstr "Recuperar os rexistros dos servizos"
 
 #, c-format
 msgid "Revert %q snap"
-msgstr ""
+msgstr "Reverter %q snap"
 
 msgid "Reverts the given snap to the previous state"
-msgstr ""
+msgstr "Reverte o snap indicado ao estado anterior"
 
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
+"Executar un intérprete de ordes no canto da orde (útil para depuración)"
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
 
 #, c-format
 msgid "Run configure hook of %q snap"
-msgstr ""
+msgstr "Executar o «hook» configure de %q snap"
 
 #, c-format
 msgid "Run configure hook of %q snap if present"
-msgstr ""
+msgstr "Executar o «hook»  configure de %q snap se está presente"
 
 #, c-format
 msgid "Run hook %s of snap %q"
-msgstr ""
+msgstr "Executar o «hook» %s do snap %q"
 
 #, c-format
 msgid "Run install hook of %q snap if present"
-msgstr ""
+msgstr "Executar o «hook» install de %q snap se está presente"
 
 #, c-format
 msgid "Run post-refresh hook of %q snap if present"
+msgstr "Executar o «hook» post-refresh de %q snap se está presente"
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
 msgstr ""
 
 msgid "Run prepare-device hook"
-msgstr ""
+msgstr "Executar o «hook» prepare-device"
 
 #, c-format
 msgid "Run remove hook of %q snap if present"
+msgstr "Executar o «hook» remove de %q snap se está presente"
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
 msgstr ""
 
-msgid "Run the given snap command"
+msgid "Run the command with gdb"
 msgstr ""
 
+msgid "Run the given snap command"
+msgstr "Executar a orde do snap indicada"
+
 msgid "Run the given snap command with the right confinement and environment"
 msgstr ""
+"Executar a orde do snap indicada co confinamento e contorno correctos"
 
 msgid "Runs debug commands"
-msgstr ""
+msgstr "Executa ordes do modo depuración"
 
 msgid "Search private snaps"
-msgstr ""
+msgstr "Buscar snaps privados"
 
 msgid ""
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
+"Seleccione o último cambio do tipo especificado (instalar, actualizar, "
+"retirar, probar, actualizar automaticamente etc...)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
 
 #, c-format
 msgid "Set automatic aliases for snap %q"
-msgstr ""
+msgstr "Estabelecer os alias automáticos para o snap %q"
 
 msgid "Sets up a manual alias"
-msgstr ""
+msgstr "Configura un alias manual"
 
 #, c-format
 msgid "Setup alias %q => %q for snap %q"
-msgstr ""
+msgstr "Configurar o alias %q => %q para o snap %q"
 
 #, c-format
 msgid "Setup manual alias %q => %q for snap %q"
-msgstr ""
+msgstr "Configurar o alias manual %q => %q do snap %q"
 
 #, c-format
 msgid "Setup snap %q (%s) security profiles"
-msgstr ""
+msgstr "Configurar os perfís de seguranza do snap %q (%s)"
 
 #, c-format
 msgid "Setup snap %q aliases"
-msgstr ""
+msgstr "Configurar os alias do snap %q"
 
 #, c-format
 msgid "Setup snap %q%s security profiles"
-msgstr ""
+msgstr "Configurar os perfís de seguranza do snap %q%s"
 
 #, c-format
 msgid "Setup snap %q%s security profiles (phase 2)"
-msgstr ""
+msgstr "Configurar os perfís de seguranza do snap %q%s (fase 2)"
 
 msgid "Show all revisions"
-msgstr ""
+msgstr "Mostrar todas as opinións"
 
 msgid "Show auto refresh information but do not perform a refresh"
 msgstr ""
+"Mostrar a información da actualización automática pero non realizar ningunha "
+"actualización"
 
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
+"Mostrar snaps dispoñíbeis para actualizar pero non realizar ningunha "
+"actualización"
 
-msgid "Show details of a specific interface"
+msgid "Show detailed information about a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Mostrar os detalles dunha interface específica"
+
 msgid "Show interface attributes"
+msgstr "Mostrar atributos da interface"
+
+msgid "Show only the given number of lines, or 'all'."
 msgstr ""
 
 msgid "Shows known assertions of the provided type"
-msgstr ""
+msgstr "Mostra asercións coñecidas do tipo indicado"
+
+msgid "Shows specific repairs"
+msgstr "Mostra os arranxos específicos"
 
 msgid "Shows version details"
-msgstr ""
+msgstr "Mostrar detalles da versión"
 
 msgid "Sign an assertion"
-msgstr ""
+msgstr "Asinar unha aserción"
 
 msgid ""
 "Sign an assertion using the specified key, using the input for headers from "
 "a JSON mapping provided through stdin, the body of the assertion can be "
 "specified through a \"body\" pseudo-header.\n"
 msgstr ""
+"Asinar unha aserción coa chave específicada usando como entrada para as "
+"cabeceiras un modelo JSON proporcionado vía stdin. O corpo da aserción pode "
+"especificarse por medio dunha pseudocabeceira «body».\n"
 
 msgid "Slot\tPlug"
-msgstr ""
+msgstr "Rañura\tConector"
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr "Nome do snap"
 
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
 "payment details at https://my.ubuntu.com/payment/edit and try again."
 msgstr ""
+"Sentímolo pero o seu método de pagamento foi rexeitado polo emisor. Revise a "
+"súa\n"
+"información de pagamento en https://my.ubuntu.com/payment/edit e volva "
+"tentalo."
 
 msgid "Start services"
-msgstr ""
+msgstr "Iniciar servizos"
 
 #, c-format
 msgid "Start snap %q (%s) services"
-msgstr ""
+msgstr "Iniciar os servizos snap %q (%s)"
 
 #, c-format
 msgid "Start snap %q%s services"
-msgstr ""
+msgstr "Iniciar os servizos %q%s do snap"
 
 msgid "Start snap services"
-msgstr ""
+msgstr "Iniciar os servizos do snap"
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Iniciar o servizo userd"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Iniciado:\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
-msgstr ""
+msgstr "Estado\tDescendencia\tListo\tResumo\n"
 
 msgid "Stop services"
-msgstr ""
+msgstr "Parar servizos"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
-msgstr ""
+msgstr "Parar os servizos snap %q (%s)"
 
 #, c-format
 msgid "Stop snap %q services"
-msgstr ""
+msgstr "Iniciar os servizos snap %q"
 
 msgid "Stop snap services"
-msgstr ""
+msgstr "Parar os servizos do snap"
 
 msgid "Stopped.\n"
-msgstr ""
+msgstr "Parado.\n"
 
 msgid "Strict typing with nulls and quoted strings"
-msgstr ""
+msgstr "Escritura estrita con cadeas baleiras e entre comiñas"
 
 #, c-format
 msgid "Switch %q snap to %s"
-msgstr ""
+msgstr "Cambiar o snap %q a %s"
 
 #, c-format
 msgid "Switch snap %q from %s to %s"
-msgstr ""
+msgstr "Parar os servizos do snap %q"
 
 #, c-format
 msgid "Switch snap %q to %s"
-msgstr ""
+msgstr "Cambiar o snap %q a %s"
 
 msgid "Switches snap to a different channel"
-msgstr ""
+msgstr "Cambia o snap a unha canle diferente"
 
 msgid "Temporarily mount device before inspecting"
-msgstr ""
+msgstr "Montar temporalmente o dispositivo antes de inspeccionalo"
 
 msgid "Tests a snap in the system"
-msgstr ""
+msgstr "Proba un snap no sistema"
 
 #. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
 #, c-format
@@ -920,90 +1141,122 @@
 "Thanks for purchasing %q. You may now install it on any of your devices\n"
 "with 'snap install %s'."
 msgstr ""
+"Grazas pola compra de %q. Pode instalalo en calquera dos seus dispositivos\n"
+"con «snap install %s»."
 
 msgid ""
 "The get command prints configuration and interface connection settings."
 msgstr ""
+"A orde «get» imprime a configuración e os axustes de conexión da interface."
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
-msgstr ""
+msgstr "Correo electrónico de login.ubuntu.com para iniciar sesión"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
-msgstr ""
+msgstr "Nome da aserción do modelo"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
-msgstr ""
+msgstr "O cartafol de saída"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
-msgstr ""
+msgstr "O snap a configurar (p.e.: hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
-msgstr ""
+msgstr "O snap da configuración que está sendo solicitada"
 
 msgid "The userd command starts the snap user session service."
-msgstr ""
+msgstr "A orde «userd» inicia o servizo de sesión de usuario do snap."
 
 msgid "This command logs the current user out of the store"
+msgstr "Esta orde pecha a sesión do usuario actual na tenda"
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
 msgstr ""
 
-msgid "Tool to interact with snaps"
+#, c-format
+msgid "Toggle snap %q flags"
 msgstr ""
 
+msgid "Tool to interact with snaps"
+msgstr "Ferramenta para interactuar con snaps"
+
 #, c-format
 msgid "Transition security profiles from %q to %q"
-msgstr ""
+msgstr "Transición dos perfís de seguranza de %q a %q"
 
 msgid "Transition ubuntu-core to core"
-msgstr ""
+msgstr "Transición do ubuntu-core a core"
 
 #, c-format
 msgid "Try %q snap from %s"
+msgstr "Probar %q snap de %s"
+
+msgid "Try: snap install <selected snap>\n"
 msgstr ""
 
 msgid "Two-factor code: "
-msgstr ""
+msgstr "Código de dous factores: "
 
 msgid "Unalias a manual alias or an entire snap"
-msgstr ""
+msgstr "Eliminar un alias manual ou un snap completo"
 
 msgid "Use a specific snap revision when running hook"
-msgstr ""
+msgstr "Usar unha revisión específica do snap cando se execute o «hook»."
 
 msgid "Use known assertions for user creation"
+msgstr "Usar asercións coñecidas para a creación do usuario"
+
+msgid "Use the given output format (pretty or json)"
 msgstr ""
 
 msgid "Use this channel instead of stable"
+msgstr "Usar esta canle no canto da estábel"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
 msgstr ""
+"AVISO: a saída de «snap get» converterase nunha lista con columnas. Use -d "
+"ou -l para forzar o formato de saída.\n"
 
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
+msgstr "AVISO: produciuse un fallo na activación do rexistro %v\n"
+
+msgid "Wait for new lines and print them as they come in."
 msgstr ""
 
 msgid "Waiting for server to restart"
-msgstr ""
+msgstr "Agardando polo reinicio do servidor"
 
 msgid "Watch a change in progress"
-msgstr ""
+msgstr "Ver un cambio en proceso"
 
 msgid "Wrong again. Once more: "
-msgstr ""
+msgstr "Incorrecto outra vez. Unha vez máis: "
 
 #, c-format
 msgid "Xauthority file isn't owned by the current user %s"
-msgstr ""
+msgstr "O ficheiro Xauthority non é propiedade do usuario actual %s"
 
 msgid "Yes, yes it does."
-msgstr ""
+msgstr "Si, si faino."
 
 msgid ""
 "You need to be logged in to purchase software. Please run 'snap login' and "
 "try again."
 msgstr ""
+"Precisa iniciar sesión para comprar software. Execute «snap login» e ténteo "
+"de novo."
 
 #, c-format
 msgid ""
@@ -1013,11 +1266,16 @@
 "Once you’ve added your payment details, you just need to run 'snap buy %s' "
 "again."
 msgstr ""
+"Debe ter un medio de pagamento asociado á súa conta para poder comprar un "
+"snap. Vaia a https://my.ubuntu.com/payment/edit para engadir un.\n"
+"\n"
+"Unha vez engadida a información de pagamento só necesitará executar «snap "
+"buy %s» de novo."
 
 #. TRANSLATORS: the %s is the argument given by the user to "snap changes"
 #, c-format
 msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
-msgstr ""
+msgstr "A orde «snap changes» espera un nome de snap, tente «snap tasks %s»"
 
 msgid ""
 "\n"
@@ -1029,11 +1287,26 @@
 "This is the CLI for snapd, a background service that takes care of\n"
 "snaps on the system. Start with 'snap list' to see installed snaps.\n"
 msgstr ""
+"\n"
+"Instale, configure, actualice e retire paquetes snap. Os snaps son \n"
+"paquetes «universal» que funcionan en moitos sistemas Linux,\n"
+"permitindo a distribución segura dos máis recentes aplicativos e utilidades\n"
+"para a nube, servidores, escritorios e o internet das cousas.\n"
+"\n"
+"Este é o CLI para snapd, un servizo en segundo plano que coida dos\n"
+"snaps do sistema. Inícieo con «snap list» para ver os snaps instalados.\n"
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
+"\n"
+"A orde «abort» tenta cancelar un cambio que aínda ten tarefas pendentes.\n"
 
 msgid ""
 "\n"
@@ -1047,6 +1320,23 @@
 "public key and the assertion consistent with and its prerequisite in the\n"
 "database.\n"
 msgstr ""
+"\n"
+"A orde «ack» tenta engadir unha aserción á base de datos de asercións do "
+"sistema.\n"
+"\n"
+"A aserción pode ser unha revisión máis nova da preexistente á que "
+"substituirá.\n"
+"\n"
+"Para ter éxito, a aserción debe ser válida, a súa sinatura comprobada cunha "
+"chave\n"
+"pública coñecida e a aserción debe ser consistente co seu prerequisito na "
+"base de datos.\n"
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1055,6 +1345,11 @@
 "Once this manual alias is setup the respective application command can be "
 "invoked just using the alias.\n"
 msgstr ""
+"\n"
+"A orde «alias» asigna o aplicativo snap ao alias indicado.\n"
+"\n"
+"Unha vez configurado o alias manual a orde do aplicativo correspondente pode "
+"invocarse usando só o alias.\n"
 
 msgid ""
 "\n"
@@ -1070,6 +1365,21 @@
 "not defined in the current revision of the snap; possibly temporarely (e.g\n"
 "because of a revert), if not this can be cleared with snap alias --reset.\n"
 msgstr ""
+"\n"
+"A orde «aliases» lista todos os alias dispoñíbeis no sistema e mais o seu "
+"estado.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lista só os alias definidos polo snap indicado.\n"
+"\n"
+"Un alias calificado como indefinido significa que foi activado ou "
+"desactivado\n"
+"explicitamente pero non está definido na revisión actual do snap, "
+"posiblemente\n"
+"de forma temporal (p.e.: por mor dunha reversión), noutro caso pode "
+"eliminarse\n"
+"con «snap alias --reset».\n"
 
 msgid ""
 "\n"
@@ -1084,17 +1394,35 @@
 "Imported assertions must be made available in the auto-import.assert file\n"
 "in the root of the filesystem.\n"
 msgstr ""
+"\n"
+"A orde «auto-import» busca nos dispositivos montados dispoñíbeis asercións\n"
+"asinadas por autoridades de confianza e pode realizar cambios no sistema \n"
+"baseados nelas.\n"
+"\n"
+"Se se indican unha ou máis rutas vía --mount, estes montaranse temporalmente "
+"para \n"
+"seren inspeccionados. Incluso neste caso a orde considerará para inspección "
+"todos os\n"
+"dispositivos montados.\n"
+"\n"
+"As asercións importadas deben estar dispoñíbeis no ficheiro auto-"
+"import.assert\n"
+"na raíz do sistema de ficheiros.\n"
 
 msgid ""
 "\n"
 "The buy command buys a snap from the store.\n"
 msgstr ""
+"\n"
+"A orde «buy» compra un snap na tenda.\n"
 
 msgid ""
 "\n"
 "The changes command displays a summary of the recent system changes "
 "performed."
 msgstr ""
+"\n"
+"A orde «changes» mostra un resumo dos cambios recentes no sistema."
 
 msgid ""
 "\n"
@@ -1102,6 +1430,10 @@
 "none)\n"
 "the system operates in.\n"
 msgstr ""
+"\n"
+"A orde «confinement» imprimirá o modo confinamento (estrito, parcial ou "
+"ningún)\n"
+"no que opera o sistema.\n"
 
 msgid ""
 "\n"
@@ -1126,6 +1458,24 @@
 "matching\n"
 "the plug name.\n"
 msgstr ""
+"\n"
+"A orde «connect» conecta un conector a unha rañura.\n"
+"Pode chamarse das seguintes formas:\n"
+"\n"
+" $ snap connect <snap>:<conector> <snap>:<rañura>\n"
+"\n"
+"Conecta o conector indicado na rañura dada.\n"
+"\n"
+" $ snap connect <snap>:<conector> <snap>\n"
+"\n"
+"Conecta o conector específico na única rañura do snap proporcionado que \n"
+"coincide coa interface conectada. Se existe máis dun slot potencial, a orde\n"
+"falla.\n"
+"\n"
+"$ snap connect <snap>:<conector>\n"
+"\n"
+"Conecta o conector proporcionado á rañura no snap principal co nome\n"
+"coincidente co nome do conector.\n"
 
 msgid ""
 "\n"
@@ -1136,6 +1486,12 @@
 "\n"
 "An account can be setup at https://login.ubuntu.com.\n"
 msgstr ""
+"\n"
+"A orde «create-user» crea un usuario no sistema local co nome e chaves SSH\n"
+"rexistrados na conta da tenda identificada polo enderezo de correo-e "
+"proporcionado.\n"
+"\n"
+"Pode configurar unha conta en https://login.ubuntu.com.\n"
 
 msgid ""
 "\n"
@@ -1144,6 +1500,12 @@
 "Debug commands can be removed without notice and may not work on\n"
 "non-development systems.\n"
 msgstr ""
+"\n"
+"A orde «debug» contén unha selección de subordes adicionais.\n"
+"\n"
+"As ordes de depuración poden retirarse sen aviso e é posíbel que non "
+"funcionen\n"
+"en sistemas que non son para desenvolvemento.\n"
 
 msgid ""
 "\n"
@@ -1151,6 +1513,10 @@
 "snap will no longer be available. But all the data is still available\n"
 "and the snap can easily be enabled again.\n"
 msgstr ""
+"\n"
+"A orde «disable» desactiva un snap. Os binarios e servizos do snap\n"
+"xa non estarán dispoñíbeis pero todos os datos do snap seguirán\n"
+"accesíbeis e o snap poderá ser activado de novo facilmente.\n"
 
 msgid ""
 "\n"
@@ -1166,6 +1532,18 @@
 "Disconnects everything from the provided plug or slot.\n"
 "The snap name may be omitted for the core snap.\n"
 msgstr ""
+"\n"
+"A orde «disconnect» desconecta un conector dunha rañura.\n"
+"Pode chamarse das seguintes formas:\n"
+"\n"
+" $ snap disconnect <snap>:<conector> <snap>:<rañura>\n"
+"\n"
+"Desconecta o conector específico da rañura específica.\n"
+"\n"
+" $ snap disconnect <snap>:<rañura ou conector>\n"
+"\n"
+"Desconecta todo do conector ou rañura indicados.\n"
+"O nome do snap pode omitirse no snap principal.\n"
 
 msgid ""
 "\n"
@@ -1173,17 +1551,25 @@
 "to the current directory under .snap and .assert file extensions, "
 "respectively.\n"
 msgstr ""
+"\n"
+"A orde «download» descarga o snap indicado e as súas asercións de apoio\n"
+"ao cartafol actual coas extensións .snap e .assert respectivamente.\n"
 
 msgid ""
 "\n"
 "The enable command enables a snap that was previously disabled.\n"
 msgstr ""
+"\n"
+"A orde «enable» activa un snap previamente desactivado.\n"
 
 msgid ""
 "\n"
 "The find command queries the store for available packages in the stable "
 "channel.\n"
 msgstr ""
+"\n"
+"A orde «find» pregunta polos paquetes dispoñíbeis na tenda na canle "
+"estábel.\n"
 
 msgid ""
 "\n"
@@ -1222,6 +1608,38 @@
 "This requests the \"usb-vendor\" setting from the slot that is connected to "
 "\"myplug\".\n"
 msgstr ""
+"\n"
+"A orde «get» imprime as opcións de configuración do snap actual.\n"
+"\n"
+"    $ snapctl get nome_do_usuario\n"
+"    catuxa\n"
+"\n"
+"Se se proporcionan varios nomes de opcións, devolve un documento:\n"
+"\n"
+"    $ snapctl get nome_do_usuario contrasinal\n"
+"    {\n"
+"        \"username\": \"catuxa\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Os valores aniñados poden obterse indicando a ruta con puntos:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    catuxa\n"
+"\n"
+"Os valores dos axustes da conexión da interface poden imprimirse con:\n"
+"\n"
+"    $ snapctl get :conector usb-vendor\n"
+"    $ snapctl get :rañura ruta\n"
+"\n"
+"Isto devolverá o parámetro indicado desde o extremo da interface local, sen "
+"un conector nin rañura. A devolución do parámetro desde o extremo do snap "
+"conectado tamén é posíbel por petición\n"
+"explícita por medio das opcións por liña de ordes --plug e --slot:\n"
+"\n"
+"    $ snapctl get :conector --slot usb-vendor\n"
+"\n"
+"Isto solicita o parámetro «usb-vendor» desde a rañura ligada ao «conector».\n"
 
 msgid ""
 "\n"
@@ -1243,22 +1661,47 @@
 "    $ snap get snap-name author.name\n"
 "    frank\n"
 msgstr ""
+"\n"
+"A orde «get» imprime as opcións de configuración do snap indicado.\n"
+"\n"
+"    $ snap get nome-do-snap nome-do-usuario\n"
+"    lois\n"
+"\n"
+"Se se indican varios nomes de opcións, xenera un documento:\n"
+"\n"
+"    $ snap get nome-do-snap nome-do-usuario contrasinal\n"
+"    {\n"
+"        \"username\": \"lois\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Os valores aniñados poden obterse indicando a ruta con puntos:\n"
+"\n"
+"    $ snap get nome-do-snap author.name\n"
+"    lois\n"
 
 msgid ""
 "\n"
 "The help command shows helpful information. Unlike this. ;-)\n"
 msgstr ""
+"\n"
+"A orde «help» mostra información útil. A diferenza desta. ;-)\n"
 
 msgid ""
 "\n"
 "The info command shows detailed information about a snap, be it by name or "
 "by path."
 msgstr ""
+"\n"
+"A orde «info» mostra información detallada sobre un snap, ben polo nome ou "
+"pola ruta."
 
 msgid ""
 "\n"
 "The install command installs the named snap in the system.\n"
 msgstr ""
+"\n"
+"A orde «install» instala o snap indicado no sistema.\n"
 
 msgid ""
 "\n"
@@ -1267,6 +1710,13 @@
 "If no interface name is provided, a list of interface names with at least\n"
 "one connection is shown, or a list of all interfaces if --all is provided.\n"
 msgstr ""
+"\n"
+"A orde «interface» mostra información das interfaces do snap.\n"
+"\n"
+"Se non se indica un nome de interface, mostrarase unha lista de nomes\n"
+"de interfaces con alomenos unha conexión ou unha lista de todas as "
+"interfaces\n"
+"se se especifia --all.\n"
 
 msgid ""
 "\n"
@@ -1288,6 +1738,25 @@
 "Filters the complete output so only plugs and/or slots matching the provided "
 "details are listed.\n"
 msgstr ""
+"\n"
+"A orde «interfaces» lista as interfaces dispoñíbeis no sistema.\n"
+"\n"
+"De forma predeterminada mostra todas as rañuras e conectores usados e "
+"ofrecidos\n"
+"polos paquetes snap.\n"
+"\n"
+"$ snap interfaces <snap>:<rañura ou conector>\n"
+"\n"
+"Lista só a rañura ou conector especificado.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lista as rañuras ofrecidas e os conectores usados polo snap indicado.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filtra toda a saída para listar só os conectores e/ou rañuras coincidentes "
+"cos datos proporcionados.\n"
 
 msgid ""
 "\n"
@@ -1295,11 +1764,19 @@
 "If header=value pairs are provided after the assertion type, the assertions\n"
 "shown must also have the specified headers matching the provided values.\n"
 msgstr ""
+"\n"
+"A orde «known» mostra asercións coñecidas do tipo indicado.\n"
+"Se os pares cabeceira=valor se indican despois do tipo de aserción, as "
+"asercións\n"
+"mostradas deben ter tamén as cabeceiras correspondentes aos valores "
+"proporcionados.\n"
 
 msgid ""
 "\n"
 "The list command displays a summary of snaps installed in the current system."
 msgstr ""
+"\n"
+"A orde «list» mostra un resumo dos snaps instalados no sistema actual."
 
 msgid ""
 "\n"
@@ -1313,12 +1790,37 @@
 "\n"
 "An account can be setup at https://login.ubuntu.com\n"
 msgstr ""
+"\n"
+"A orde «login» autentica no snapd e na tenda de snaps ademais de gardar as\n"
+"credenciais no ficheiro ~/.snap/auth.json. As comunicacións futuras con "
+"snapd\n"
+"usarán estas credenciais.\n"
+"\n"
+"«login» só funciona en grupos locais de usuarios sudo, admin ou wheel.\n"
+"\n"
+"Pode configurar unha conta en https://login.ubuntu.com\n"
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
+"\n"
+"A orde «managed» imprimirá «true» ou «false» informando se\n"
+"snapd ten usuarios rexistrados.\n"
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+"\n"
+"A orde «pack» empaqueta o snap-dir indicado como un snap."
 
 msgid ""
 "\n"
@@ -1326,6 +1828,10 @@
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
 msgstr ""
+"\n"
+"A orde «prefer» activa todos os alias do snap dado e desactiva os \n"
+"alias dos outros snaps que entran en conflito.\n"
+"(ou elimínaos se son alias manuais).\n"
 
 #, c-format
 msgid ""
@@ -1344,11 +1850,25 @@
 "if instead you want to install the snap forcing it into strict confinement\n"
 "repeat the command including --jailmode."
 msgstr ""
+"\n"
+"O publicador do snap %q indicou que non considera esta revisón con calidade\n"
+"para produción e que só está pensada para desenvolvemento ou probas.\n"
+"Como consecuencia este snap non se actualizará automaticamente e pode\n"
+"executar cambios arbitrarios no sistema fóra dos confinamentos de seguranza\n"
+"que xeralmente teñen os paquetes snap, así podería poñer o sistema en "
+"risco.\n"
+"\n"
+"Se entendeu isto e desexa continuar repita a orde incluíndo --devmode, se "
+"polo\n"
+"contrario desexa instalar o snap forzándoo no confinamento estrito repita\n"
+"a orde incluíndo --jailmode."
 
 msgid ""
 "\n"
 "The refresh command refreshes (updates) the named snap.\n"
 msgstr ""
+"\n"
+"A orde «refresh» actualiza o snap indicado.\n"
 
 msgid ""
 "\n"
@@ -1360,6 +1880,47 @@
 "revision is\n"
 "removed.\n"
 msgstr ""
+"\n"
+"A orde «remove» elimina do sistema o snap indicado.\n"
+"\n"
+"De xeito predeterminado retira todas as revisións do snap incluídos os seus "
+"datos e o\n"
+"cartafol común de datos. Cando se especifica a opción --revision só se "
+"elimina a revisión  indicada.\n"
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+"\n"
+"A orde «repair» mostra información sobre un ou varios arranxos.\n"
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+"\n"
+"A orde «repair» lista todos os arranxos procesados para este dispositivo.\n"
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+"\n"
+"A orde «restart» reinicia os servizos indicados do snap. Se se executa desde "
+"o\n"
+" «hook» «configure», os servizos reiniciaranse despois de que remate o  "
+"«hook»."
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1370,6 +1931,19 @@
 "an exception, data which the snap explicitly chooses to share across\n"
 "revisions is not touched by the revert process.\n"
 msgstr ""
+"\n"
+"A orde «revert» reverte o snap indicado ao seu estado previo á\n"
+"última actualización. Isto reactivará a revisión previa do snap, e\n"
+"usará os datos orixinais asociados a esa revisión, desbotando \n"
+"todos os cambios nos datos feitos pola última revisión. Como\n"
+"excepción, os datos que o snap escolle explicitamente para\n"
+"compartir entre revisións non se tocarán polo proceso de reversión.\n"
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
 
 msgid ""
 "\n"
@@ -1384,6 +1958,18 @@
 "\n"
 "    $ snap set author.name=frank\n"
 msgstr ""
+"\n"
+"A orde «set» cambia as opcións de configuración indicadas segundo o "
+"solicitado.\n"
+"\n"
+"    $ snap set nome-do-snap nome-do-usuario=lois contrasinal=$PASSWORD\n"
+"\n"
+"Todos os cambios na configuración consérvanse ao mesmo tempo e só despois\n"
+"de que o «hook» da configuración do snap se execute correctamente.\n"
+"\n"
+"Os valores aniñados poden modificarse mediante unha ruta con puntos:\n"
+"\n"
+"    $ snap set author.name=lois\n"
 
 msgid ""
 "\n"
@@ -1404,18 +1990,71 @@
 "\n"
 "    $ snapctl set :myplug path=/dev/ttyS0\n"
 msgstr ""
+"\n"
+"A orde «set» cambia as opcións de configuración proporcionadas segundo o "
+"solicitado.\n"
+"\n"
+"    $ snapctl set nome_do_usuario=brais contrasinal=$PASSWORD\n"
+"\n"
+"Todos os cambios na configuración consérvanse ao mesmo tempo e só despois de "
+"que o «hook» se execute\n"
+"correctamente.\n"
+"\n"
+" Os valores aniñados poden modificarse mediante unha ruta con puntos:\n"
+"\n"
+"    $ snapctl set author.name=brais\n"
+"\n"
+"Os atributos conector e rañura poden estabelecerse nos «prepare» respectivos "
+"e conectar os «hooks»\n"
+"nomeando o conector ou rañura respectivos.\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+"\n"
+"A orde «start» inicia os servizos indicados do snap. Se se executa desde o\n"
+" «hook» «configure», os servizos iniciaranse despois de que remate o  «hook»."
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+"\n"
+"A orde «stop» para os servizos indicados do snap. Se se executa desde o\n"
+" «hook» «configure», os servizos pararán despois de que remate o  «hook»."
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
+"\n"
+"A orde «switch» cambia o snap indicado a unha canle diferente sen\n"
+"facer unha actualización.\n"
 
 msgid ""
 "\n"
 "The tasks command displays a summary of tasks associated to an individual "
 "change."
 msgstr ""
+"\n"
+"A orde «tasks» mostra un resumo das tarefas asociadas a un cambio individual."
 
 msgid ""
 "\n"
@@ -1432,18 +2071,39 @@
 "be\n"
 "found relative to current working directory.\n"
 msgstr ""
+"\n"
+"A orde «try» instala un snap desempaquetado no sistema coa finalidade de "
+"facer probas.\n"
+"O contido do snap desempaquetado continúa usándose incluso despois da "
+"instalación, así\n"
+"que os cambios nos non-metadatos aplícanse instantaneamente. Os cambios nos "
+"metadatos\n"
+"como os executados en snap.yaml requerirán a reinstalación para aplicarse.\n"
+"\n"
+"Se se omite o argumento snap-dir, a orde «try» tentará deducilo se atopa o "
+"ficheiro snapcraft.yaml\n"
+"e o cartafol primario ou o ficheiro meta/snap.yaml relacionado co cartafol "
+"de traballo actual.\n"
 
 msgid ""
 "\n"
 "The unalias command tears down a manual alias when given one or disables all "
 "aliases of a snap, removing also all manual ones, when given a snap name.\n"
 msgstr ""
+"\n"
+"A orde «unalias» anula un alias manual cando se lle indica un ou desactiva "
+"todos os alias dun snap,\n"
+"retirando tamén todos os feitos manualmente cando se lle indica un nome de "
+"snap.\n"
 
 msgid ""
 "\n"
 "The version command displays the versions of the running client, server,\n"
 "and operating system.\n"
 msgstr ""
+"\n"
+"A orde «version» mostra as versións do cliente en execución, servidor\n"
+"e sistema operativo.\n"
 
 msgid ""
 "\n"
@@ -1451,11 +2111,16 @@
 "progress\n"
 "(if available).\n"
 msgstr ""
+"\n"
+"A orde «watch» agarda a que o identificador do cambio indicado remate e\n"
+"mostra o progreso (se está dispoñíbel).\n"
 
 msgid ""
 "\n"
 "The whoami command prints the email the user is logged in with.\n"
 msgstr ""
+"\n"
+"A orde «whoami» imprime o correo electrónico do usuario conectado.\n"
 
 #, c-format
 msgid ""
@@ -1469,335 +2134,407 @@
 "If you understand and want to proceed repeat the command including --"
 "classic.\n"
 msgstr ""
+"\n"
+"Esta revisión do snap %q publicouse usando un confinamento clásico e pode\n"
+"realizar cambios arbitrarios no sistema fóra do confinamento usado "
+"normalmente\n"
+"polos paquetes snap, así pode poñér en risco o seu sistema.\n"
+"\n"
+"Se o entendeu e desexa continuar repita a orde incluíndo --classic.\n"
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
 msgstr ""
+"é necesario un único nome de snap para indicar sinaladores de modo ou canle"
 
 msgid "a single snap name is needed to specify the revision"
-msgstr ""
+msgstr "precísase un único nome de snap para indicar a revisión"
 
 msgid "a single snap name must be specified when ignoring validation"
 msgstr ""
+"débese especificar un único nome de snap cando se ignore a validación"
 
 msgid "active"
+msgstr "activo"
+
+msgid "auto-refresh: all snaps are up-to-date"
 msgstr ""
 
 msgid "bought"
-msgstr ""
+msgstr "comprado"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "broken"
-msgstr ""
+msgstr "roto"
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr "non é posíbel %s sen un contexto"
 
 #, c-format
 msgid "cannot buy snap: %v"
-msgstr ""
+msgstr "non é posíbel comprar o snap: %v"
 
 msgid "cannot buy snap: invalid characters in name"
-msgstr ""
+msgstr "non foi posíbel comprar o snap: hai caracteres incorrectos no nome"
 
 msgid "cannot buy snap: it has already been bought"
-msgstr ""
+msgstr "non foi posíbel comprar o snap: xa foi comprado"
 
 #. TRANSLATORS: %q is the directory whose creation failed, %v the error message
 #, c-format
 msgid "cannot create %q: %v"
-msgstr ""
+msgstr "non é posíbel crear %q: %v"
 
 #, c-format
 msgid "cannot create assertions file: %v"
-msgstr ""
+msgstr "non é posíbel crear o ficheiro de asercións: %v"
 
 #. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
 #, c-format
 msgid "cannot extract the snap-name from local file %q: %v"
-msgstr ""
+msgstr "non é posíbel extraer o nome do snap do ficheiro local %q: %v"
 
 #, c-format
 msgid "cannot find app %q in %q"
-msgstr ""
+msgstr "non é posíbel atopar o aplicativo %q en %q"
 
 #, c-format
 msgid "cannot find hook %q in %q"
-msgstr ""
+msgstr "non foi posíbel atopar o «hook» %q en %q"
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
-msgstr ""
+msgstr "non é posíbel obter datos de %q: %v"
 
 #. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
 #, c-format
 msgid "cannot get full path for %q: %v"
-msgstr ""
+msgstr "non foi posíbel obter a ruta completa de %q: %v"
 
 #, c-format
 msgid "cannot get the current user: %s"
-msgstr ""
+msgstr "non é posíbel obter o usuario actual: %s"
 
 #, c-format
 msgid "cannot get the current user: %v"
-msgstr ""
+msgstr "non é posíbel obter o usuario actual: %v"
 
 #, c-format
 msgid "cannot mark boot successful: %s"
-msgstr ""
+msgstr "non é posíbel marcar o arranque como correcto: %s"
 
 #, c-format
 msgid "cannot open the assertions database: %v"
-msgstr ""
+msgstr "non é posíbel abrir a base de dato de asercións: %v"
 
 #, c-format
 msgid "cannot read assertion input: %v"
-msgstr ""
+msgstr "non é posíbel ler a entrada da aserción: %v"
 
 #. TRANSLATORS: %v the error message
 #, c-format
 msgid "cannot read symlink: %v"
-msgstr ""
+msgstr "non é posíbel ler a ligazón simbólica: %v"
 
 #, c-format
 msgid "cannot resolve snap app %q: %v"
-msgstr ""
+msgstr "non é posíbel determinar o aplicativo snap %q: %v"
 
 #, c-format
 msgid "cannot sign assertion: %v"
-msgstr ""
+msgstr "non é posíbel asinar a aserción: %v"
 
 #, c-format
 msgid "cannot update the 'current' symlink of %q: %v"
-msgstr ""
+msgstr "non é posíbel actualizar a ligazón simbólica «actual» de %q: %v"
 
 #. TRANSLATORS: %q is the key name, %v the error message
 #, c-format
 msgid "cannot use %q key: %v"
-msgstr ""
-
-msgid "cannot use --hook and --command together"
-msgstr ""
+msgstr "non é posíbel usar a chave %q: %v"
 
 msgid "cannot use change ID and type together"
-msgstr ""
+msgstr "non é posíbel usar o identificador e o tipo do cambio xuntos"
 
 msgid "cannot use devmode and jailmode flags together"
-msgstr ""
+msgstr "non é posíbel usar os sinaladores devmode e jailmode xuntos"
 
 #, c-format
 msgid "cannot validate owner of file %s"
-msgstr ""
+msgstr "non é posíbel validar o propietario do ficheiro %s"
 
 #, c-format
 msgid "cannot write new Xauthority file at %s: %s"
-msgstr ""
+msgstr "non foi posíbel escribir o novo ficheiro de Xauthority en %s: %s"
 
 #, c-format
 msgid "change finished in status %q with no error message"
-msgstr ""
+msgstr "o cambio rematou co estado %q sen mensaxe de erro"
 
 #, c-format
 msgid ""
 "classic confinement requires snaps under /snap or symlink from /snap to %s"
 msgstr ""
+"o confinamento clásico require os snaps en /snap ou ligazóns simbólicas de "
+"/snap a %s"
 
 #, c-format
 msgid "created user %q\n"
+msgstr "creado o usuario %\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
-msgstr ""
+msgstr "desactivado"
 
 msgid "email:"
-msgstr ""
+msgstr "Correo electrónico:"
 
 msgid "enabled"
-msgstr ""
+msgstr "activado"
 
 #, c-format
 msgid "error: %v\n"
-msgstr ""
+msgstr "erro: %v\n"
 
 msgid ""
 "error: the `<snap-dir>` argument was not provided and couldn't be inferred"
 msgstr ""
+"erro: non se indicou o argumento «<snap-dir>» e non foi posíbel deducilo"
 
 msgid "get which option?"
+msgstr "obter que opción?"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
 msgstr ""
 
-msgid "inactive"
+msgid "ignore-validation"
 msgstr ""
 
+msgid "inactive"
+msgstr "inactivo"
+
 msgid ""
 "interface attributes can only be read during the execution of interface hooks"
 msgstr ""
+"os atributos da interface só se poden ler durante a execución dos «hooks» da "
+"interface"
 
 msgid ""
 "interface attributes can only be set during the execution of prepare hooks"
 msgstr ""
+"os atributos da interface só se poden estabelecer durante a execución dos "
+"«hooks» de «prepare»"
 
 #, c-format
 msgid "internal error, please report: running %q failed: %v\n"
-msgstr ""
+msgstr "erro interno, informe: a execución do %q fallou: %v\n"
 
 msgid "internal error: cannot find attrs task"
-msgstr ""
+msgstr "erro interno: non é posíbel atopar a tarefa attrs"
 
 msgid "internal error: cannot find plug or slot data in the appropriate task"
 msgstr ""
+"erro interno: non é posíbel atopar os datos do conector nin da rañura na "
+"tarefa apropiada"
 
 #, c-format
 msgid "internal error: cannot get %s from appropriate task"
-msgstr ""
+msgstr "erro interno: non é posíbel obter %s da tarefa apropiada"
 
 msgid ""
 "invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
 "“all”."
 msgstr ""
+"argumento non válido para o sinalador «-n»: agardábase un argumento enteiro "
+"non negativo ou «all»."
 
 #, c-format
 msgid "invalid attribute: %q (want key=value)"
-msgstr ""
+msgstr "atributo incorrecto: %q (agarda chave=valor)"
 
 #, c-format
 msgid "invalid configuration: %q (want key=value)"
-msgstr ""
+msgstr "configuración incorrecta: %q (agarda chave=valor)"
 
 #, c-format
 msgid "invalid header filter: %q (want key=value)"
-msgstr ""
+msgstr "filtro de cabeceira incorrecto: %q (agarda chave=valor)"
 
 #, c-format
 msgid "invalid parameter: %q (want key=value)"
-msgstr ""
+msgstr "parámetro incorrecto: %q (agárdase chave=valor)"
 
 #, c-format
 msgid "invalid value: %q (want snap:name or snap)"
-msgstr ""
+msgstr "valor incorrecto: %q (agarda snap:nome ou snap)"
 
 #, c-format
 msgid ""
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
+"o nome da chave %q non é correcto, só se permiten letras ASCII, díxitos e "
+"guións"
 
-msgid "missing snap-confine: try updating your snapd package"
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
 msgstr ""
 
-msgid "need the application to run as argument"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
 msgstr ""
 
+msgid "missing snap-confine: try updating your snapd package"
+msgstr "falta snap-confine: tente actualizar o paquete snapd"
+
+msgid "need the application to run as argument"
+msgstr "precisa que o aplicativo se execute como argumento"
+
 msgid "no changes found"
-msgstr ""
+msgstr "non foi posíbel atopar cambios"
 
 #, c-format
 msgid "no changes of type %q found"
-msgstr ""
+msgstr "non foi posíbel atopar cambios do tipo %q"
 
 msgid "no interfaces currently connected"
-msgstr ""
+msgstr "actualmente non hai interfaces conectadas"
 
 msgid "no interfaces found"
-msgstr ""
+msgstr "non foi posíbel atopar interfaces"
 
 msgid "no matching snaps installed"
-msgstr ""
+msgstr "non hai snaps coincidentes instalados"
 
 msgid "no such interface"
-msgstr ""
+msgstr "non hai tal interface"
 
 msgid "no valid snaps given"
-msgstr ""
-
-msgid "not a valid snap"
-msgstr ""
+msgstr "non se indicaron snaps válidos"
 
 msgid "please provide change ID or type with --last=<type>"
-msgstr ""
+msgstr "proporcione o identificador ou tipo de cambio con --last=<tipo>"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
-msgstr ""
+msgstr "privado"
 
 msgid ""
 "reboot scheduled to update the system - temporarily cancel with 'sudo "
 "shutdown -c'"
 msgstr ""
+"reinicio programado para actualizar o sistema, cancelar temporalmente con "
+"«sudo shutdown -c»"
+
+msgid "repairs are not available on a classic system"
+msgstr "os arranxos non están dispoñíbeis nun sistema clásico"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
 
 #, c-format
 msgid "set failed: %v"
-msgstr ""
+msgstr "fallou «set»: %v"
 
 msgid "set which option?"
-msgstr ""
-
-msgid "show detailed information about a snap"
-msgstr ""
+msgstr "estabelecer que opción?"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
-msgstr ""
+msgstr "non foi posíbel atopar o snap %%q (polo menos na revisión %q)"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
 #, c-format
 msgid "snap %%q not found (at least in channel %q)"
-msgstr ""
+msgstr "non foi posíbel atopar o snap %%q (polo menos na canle %q)"
 
 #, c-format
 msgid "snap %q has no updates available"
-msgstr ""
+msgstr "o snap %q non ten actualizacións dispoñíbeis"
 
 #, c-format
 msgid "snap %q is already installed, see \"snap refresh --help\""
-msgstr ""
-
-#, c-format
-msgid "snap %q is local"
-msgstr ""
+msgstr "o snap %q xa está instalado, vexa «snap refresh --help»"
 
 #, c-format
 msgid "snap %q not found"
-msgstr ""
+msgstr "non foi posíbel atopar o snap %q"
 
 #. TRANSLATORS: free as in gratis
 msgid "snap is free"
-msgstr ""
+msgstr "o snap é de balde"
 
 msgid "too many arguments for command"
-msgstr ""
+msgstr "demasiados argumentos para a orde"
 
 #. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
 #, c-format
 msgid "too many arguments for hook %q: %s"
-msgstr ""
+msgstr "demasiados argumentos para o «hook» %q: %s"
 
 #. TRANSLATORS: the %s is the list of extra arguments
 #, c-format
 msgid "too many arguments: %s"
+msgstr "demasiados argumentos: %s"
+
+msgid "unable to contact snap store"
 msgstr ""
 
 msgid "unavailable"
-msgstr ""
+msgstr "non dispoñíbel"
 
 #, c-format
 msgid "unknown attribute %q"
-msgstr ""
+msgstr "atributo descoñecido %q"
 
 #, c-format
 msgid "unknown command %q, see \"snap --help\""
-msgstr ""
+msgstr "orde descoñecida %q, vexa «snap --help»"
 
 #, c-format
 msgid "unknown plug or slot %q"
-msgstr ""
+msgstr "conector ou rañura descoñecido %q"
+
+#, c-format
+msgid "unknown service: %q"
+msgstr "servizo descoñecido: %q"
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Autenticarse no daemon do snap"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Requírese autorización para autenticarse no daemon do snap"
+
+msgid "Install, update, or remove packages"
+msgstr "Instalar, actualizar ou eliminar paquetes"
+
+msgid "Authentication is required to install, update, or remove packages"
 msgstr ""
+"Requírese autenticación para instalar, actualizar ou eliminar paquetes"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Conectar, desconectar interfaces"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Requírese autenticación para conectar ou desconectar interfaces"
diff -Nru snapd-2.32.3.2~14.04/po/hr.po snapd-2.37~rc1~14.04/po/hr.po
--- snapd-2.32.3.2~14.04/po/hr.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/hr.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Croatian translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-10-16 16:20+0000\n"
-"Last-Translator: Ante Karamatić <ante.karamatic@canonical.com>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Croatian <hr@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -30,7 +30,7 @@
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q prebačen na %q kanal\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
@@ -71,91 +71,127 @@
 msgid "%s removed\n"
 msgstr "%s uklonjen\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s je vraćen na %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s sa '%s' instaliran\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr "%s%s %s sa '%s' osvježen\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s instairan\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr "%s%s %s osvježeno\n"
 
 msgid "--list does not take mode nor channel flags"
-msgstr "--list ne uzima načni ni oznake kanala"
+msgstr ""
 
 msgid "--time does not take mode nor channel flags"
-msgstr ""
+msgstr "--time ne uzima način ni oznake kanala"
 
 msgid "-r can only be used with --hook"
 msgstr "-r se može samo koristiti s --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<pseudonim-ili-snap paket>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<pseudonim>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr "<datoteka potvrde>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr "<naziv potvrde>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr "<id-promjene>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr "<vrijednost podešavanja>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<e-pošta>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<naziv datoteke>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<filter zaglavlja>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<sučelje>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<naziv-ključa>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<ključ>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr "<potvrda-modela>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr "<zahtjev>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr "<korijenski-dir>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr "<snap>:<priključak>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr "<snap>:<priključnica ili priključak>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr "<snap>:<priključnica>"
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Prekini očekivanu promjenu"
 
@@ -165,27 +201,64 @@
 msgid "Adds an assertion to the system"
 msgstr "Dodaj potvrde u sustav"
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr "Pseudonim za --dangerous (DEPRECATED)"
 
 msgid "All snaps up to date."
 msgstr "Svi snap paketi su nadopunjeni."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Zamjenska naredba za pokretanje"
 
 msgid "Always return document, even with single key"
 msgstr "Uvijek vrati dokument, čak i s jednim ključem"
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr "Uvijek vrati popis, čak i s jednim ključem"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 "Adresa e-pošte korisnika na login.ubuntu.com može sadržvati više adresa e-"
 "pošte"
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr "Datoteka potvrde"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "Naziv vrste potvrde"
 
@@ -205,30 +278,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr "Automatski osvježi snap pakete %s"
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr "Netočan kôd. Pokušajte ponovno: "
 
 msgid "Buys a snap"
 msgstr "Kupovanje snap paketa"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr "ID promjene"
 
 msgid "Changes configuration options"
 msgstr "Promjene mogućnosti podešavanja"
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-"Klasične dimenzije su onemogućene na ovom sustavu.\n"
-"Koristite \"sudo snap install --devmode classic && sudo classic.create\" "
-"kako bi ih omogućili."
-
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Naredba\tPseudonim\tBilješke"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr "Vrijednost podešavanja (ključ=vrijednost)"
 
@@ -242,12 +312,14 @@
 msgid "Connects a plug to a slot"
 msgstr "Povezuje priključak u priključnicu"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr "Ograniči prikazivanje na određeni snap paket ili snap:naziv"
 
 msgid "Constrain listing to specific interfaces"
 msgstr "Ograniči prikazivanje na određeno sučelje"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr "Ograniči prikazivanje onima koji odgovaraju zaglavlje=vrijednost"
 
@@ -289,7 +361,7 @@
 
 #, c-format
 msgid "Disable all aliases for snap %q"
-msgstr ""
+msgstr "Onemogući sve pseudonime za snap paket %q"
 
 msgid "Disables a snap in the system"
 msgstr "Onemogućuje snap pakete na sustavu"
@@ -332,8 +404,9 @@
 msgid "Enables a snap in the system"
 msgstr "Omogući snap pakete u sustavu"
 
-msgid "Entering classic dimension"
-msgstr "Ulaz u klasičnu dimenziju"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr "Osiguraj da su preduvjeti za %q dostupni"
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
@@ -356,6 +429,7 @@
 msgid "Fetching snap %q\n"
 msgstr "Preuzimanje snap paketa %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr "Naziv datoteke snap paketa za koji želite potvrditi izgradnju"
 
@@ -391,7 +465,7 @@
 msgstr "Pomoć"
 
 msgid "Hook to run"
-msgstr "Zakači za pokretanje"
+msgstr ""
 
 msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
 msgstr ""
@@ -402,6 +476,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr "Identifikator snap paketa pridružen u izgradnji"
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr "Zanemari provjeru od blokiranja osvježvanja drugih snap paketa"
 
@@ -423,7 +500,7 @@
 "Uključi opširan popis bilješki snap paketa (u suprotnome, sažmi bilješke)"
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Uključi nekorištena sučelja"
 
 msgid "Initialize device"
 msgstr "Pokreni uređaj"
@@ -485,10 +562,20 @@
 
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
+"Instaliraj zadan snap paket bez omogućavanja njegovih automatskih pseudonima"
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
 
 msgid "Installs a snap to the system"
 msgstr "Instalira snap paket na sustav"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr "Ključ interesa s podešavanjem"
 
@@ -511,11 +598,14 @@
 msgid "Lists aliases in the system"
 msgstr "Popis pseudonima u sustavu"
 
+msgid "Lists all repairs"
+msgstr "Popis svih popravka"
+
 msgid "Lists interfaces in the system"
 msgstr "Popis sučelja u sustavu"
 
 msgid "Lists snap interfaces"
-msgstr ""
+msgstr "Popis snap sučelja"
 
 msgid "Log out of the store"
 msgstr "Odjavi se iz trgovine"
@@ -550,12 +640,15 @@
 msgid "Mount snap %q%s"
 msgstr "Montiram snap paket %q%s"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr "Naziv ključa za stvaranje; zadano je 'default'"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr "Naziv ključa za brisanje"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr "Naziv ključa za izvoz"
 
@@ -570,7 +663,7 @@
 msgstr "Naziv\tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Naziv\tSažetak"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
 msgstr "Naziv\tInačica\tRazvijatelj\tBilješke\tSažetak"
@@ -578,16 +671,62 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr "Naziv\tInačica\tRevizija\tRazvijatelj\tBilješke"
 
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
 msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 "Još nema instaliranih snap paketa. Pokušajte \"snap install hello-world\"."
 
-msgid "No snaps to auto-refresh found"
-msgstr "Nema pronađenog automatskog osvježvanja snap paketa"
-
 msgid "Output results in JSON format"
 msgstr "Izlazni rezultati u JSON formatu"
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr "Lozinka: "
 
@@ -604,16 +743,19 @@
 "Ponovno upišite vašu Ubuntu One lozinku za kupnju %q od %q\n"
 "za %s. Pritisnite ctrl-c za odustajanje."
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
-msgstr ""
+msgstr "Preferiraj pseudonime za snap pakete %q"
 
 msgid "Prefer aliases from a snap and disable conflicts"
-msgstr ""
+msgstr "Preferiraj pseudonime iz snap paketa i onemogući sukobe"
 
 #, c-format
 msgid "Prefer aliases of snap %q"
-msgstr ""
+msgstr "Preferiraj pseudonime iz snap paketa %q"
 
 msgid "Prepare a snappy image"
 msgstr "Pripremi snappy sliku"
@@ -630,12 +772,12 @@
 msgstr "Prikaži inačicu i zatvori"
 
 msgid "Prints configuration options"
-msgstr "Prikazuje mogućnosti podešavanja"
+msgstr ""
 
 msgid "Prints the confinement mode the system operates in"
-msgstr ""
+msgstr "Prikaži način ograničenja u kojem sustav radi"
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -655,7 +797,7 @@
 msgstr "Postavi snap u način prisilne izolacije"
 
 msgid "Query the status of services"
-msgstr ""
+msgstr "Upit o stanju usluga"
 
 #, c-format
 msgid "Refresh %q snap"
@@ -667,7 +809,7 @@
 
 #, c-format
 msgid "Refresh aliases for snap %q"
-msgstr ""
+msgstr "Osvježi pseudonime za snap pakete %q"
 
 msgid "Refresh all snaps: no updates"
 msgstr "Osvježi sve snap pakete: bez nadopuna"
@@ -706,7 +848,7 @@
 
 #, c-format
 msgid "Remove manual alias %q for snap %q"
-msgstr ""
+msgstr "Ukloni ručno pseudonim %q za snap paket %q"
 
 msgid "Remove only the given revision"
 msgstr "Uklanjam samo zadanu reviziju"
@@ -742,16 +884,16 @@
 msgstr "Zahtjevam serijski uređaj"
 
 msgid "Restart services"
-msgstr ""
+msgstr "Ponovno pokreni usluge"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Ponovno pokrenuto.\n"
 
 msgid "Restrict the search to a given section"
 msgstr "Ograniči pretragu u zadanom odjeljku"
 
 msgid "Retrieve logs of services"
-msgstr ""
+msgstr "Preuzmi zapise usluga"
 
 #, c-format
 msgid "Revert %q snap"
@@ -763,31 +905,47 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr "Pokreni ljusku umjesto naredbe (korisno za otklanjanje grešaka)"
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
-msgstr "Pokreni podešavanje za %q snap paket"
+msgstr ""
 
 #, c-format
 msgid "Run configure hook of %q snap if present"
-msgstr "Pokreni podešavanje za %q snap paket ako je prisutan"
+msgstr ""
 
 #, c-format
 msgid "Run hook %s of snap %q"
-msgstr "Pokreni podešavanje %s za snap paket %q"
+msgstr ""
 
 #, c-format
 msgid "Run install hook of %q snap if present"
-msgstr ""
+msgstr "Pokreni instalaciju kvačenja %q snap paketa ako je dostupan"
 
 #, c-format
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
+"Pokreni naknadno osvježavanje kvačenja %q snap paketa ako je dostupan"
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
 
 msgid "Run prepare-device hook"
-msgstr "Pokreni pripremanj uređaja"
+msgstr ""
 
 #, c-format
 msgid "Run remove hook of %q snap if present"
+msgstr "Pokreni uklanjanje kvačenja %q snap paketa ako je dostupan"
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
 msgstr ""
 
 msgid "Run the given snap command"
@@ -807,21 +965,26 @@
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
+"Odaberi posljednju promjenu zadane vrste (install, refresh, remove, try, "
+"auto-refresh, itd.)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
 
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr "Postavljanje privatnih pseudonima za snap paket %q"
 
 msgid "Sets up a manual alias"
-msgstr ""
+msgstr "Postavlja ručni pseudonim"
 
 #, c-format
 msgid "Setup alias %q => %q for snap %q"
-msgstr ""
+msgstr "Postavi pseudonim %q => %q za snap paket %q"
 
 #, c-format
 msgid "Setup manual alias %q => %q for snap %q"
-msgstr ""
+msgstr "Postavi ručno pseudonim %q => %q za snap paket %q"
 
 #, c-format
 msgid "Setup snap %q (%s) security profiles"
@@ -844,19 +1007,31 @@
 
 msgid "Show auto refresh information but do not perform a refresh"
 msgstr ""
+"Prikaži informacije automatskog osvježavanja ali ne pokreći osvježavanje"
 
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
+"Prikaži dostupne snap pakete za osvježavanje ali ne pokreći osvježavanje"
 
-msgid "Show details of a specific interface"
+msgid "Show detailed information about a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Prikaži pojedinosti određenog sučelja"
+
 msgid "Show interface attributes"
+msgstr "Prikaži svojstva sučelja"
+
+msgid "Show only the given number of lines, or 'all'."
 msgstr ""
 
 msgid "Shows known assertions of the provided type"
 msgstr "Prikazuje poznate potvrde pružanih vrsta"
 
+msgid "Shows specific repairs"
+msgstr "Prikaži određne popravke"
+
 msgid "Shows version details"
 msgstr "Prikazuje pojedinosti inačice"
 
@@ -875,12 +1050,16 @@
 msgid "Slot\tPlug"
 msgstr "Priključak\tPriključnica"
 
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Snap name"
 msgstr "Naziv snap paketa"
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
-
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
@@ -891,7 +1070,7 @@
 "plaćanja na https://my.ubuntu.com/payment/edit i pokušajte ponovno."
 
 msgid "Start services"
-msgstr ""
+msgstr "Pokreni usluge"
 
 #, c-format
 msgid "Start snap %q (%s) services"
@@ -905,16 +1084,16 @@
 msgstr "Pokrećem snap usluge"
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Pokreni userd uslugu"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Pokrenuto.\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
 msgstr ""
 
 msgid "Stop services"
-msgstr ""
+msgstr "Zaustavi usluge"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
@@ -928,14 +1107,14 @@
 msgstr "Zaustavljam snap usluge"
 
 msgid "Stopped.\n"
-msgstr ""
+msgstr "Zaustavljeno.\n"
 
 msgid "Strict typing with nulls and quoted strings"
 msgstr "Ograniči upisivanje nula i znakova navoda"
 
 #, c-format
 msgid "Switch %q snap to %s"
-msgstr ""
+msgstr "Prebaci %q snap paket na %s"
 
 #, c-format
 msgid "Switch snap %q from %s to %s"
@@ -943,10 +1122,10 @@
 
 #, c-format
 msgid "Switch snap %q to %s"
-msgstr ""
+msgstr "Prebaci snap paket %q na %s"
 
 msgid "Switches snap to a different channel"
-msgstr ""
+msgstr "Prebaci snap paket na drugi kanal"
 
 msgid "Temporarily mount device before inspecting"
 msgstr "Privremeno montiram uređaj prije provjere"
@@ -969,32 +1148,43 @@
 msgstr ""
 "Za dobivanje podešavanje naredbi prikaza i postavki sučelja povezivanja."
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr "Adresa e-pošte pri login.ubuntu.com"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr "Naziv modela potvrđivanja"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr "Izlazni direktorij"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
-msgstr "Pretraga %q je vratila 0 snap paketa\n"
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr "Snap paket za podešavanje (npr. hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr "Snap paket čije je podešavanje zatraženo"
 
 msgid "The userd command starts the snap user session service."
-msgstr ""
+msgstr "userd naredba pokreće uslugu sesije snap korisnika."
 
 msgid "This command logs the current user out of the store"
 msgstr "Ova naredba prijavljuje trenutnog korisnika izvan trgovine"
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr "Alat za interakciju sa snap paketima"
 
@@ -1009,11 +1199,14 @@
 msgid "Try %q snap from %s"
 msgstr "Pokušavam %q snap paket iz %s"
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr "Dvofaktorni kôd: "
 
 msgid "Unalias a manual alias or an entire snap"
-msgstr ""
+msgstr "Ukloni ručni pseudonim ili cjelokupan snap paket"
 
 msgid "Use a specific snap revision when running hook"
 msgstr "Koristi određenu snap reviziju pri pokretanju kvačenja"
@@ -1021,13 +1214,26 @@
 msgid "Use known assertions for user creation"
 msgstr "Koristi poznate potvrde za stvaranje korisnika"
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr "Koristi ovaj kanal umjesto stabilnog"
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+"UPOZORENJE: Izlaz \"snap get\" postati će popis sa stupcima - koristite -d "
+"ili -l za prisilu izlaznog formata.\n"
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr "UPOZORENJE: neuspješno aktiviranje zapisivanje: %v\n"
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr "Čekanje ponovnog pokretanja poslužitelja"
 
@@ -1039,7 +1245,7 @@
 
 #, c-format
 msgid "Xauthority file isn't owned by the current user %s"
-msgstr ""
+msgstr "Xauthority nije u vlasništvu trenutnog korisnika %s"
 
 msgid "Yes, yes it does."
 msgstr "Da, da sada radi."
@@ -1070,6 +1276,8 @@
 #, c-format
 msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
 msgstr ""
+"\"snap changes\" naredba očekuje naziv snap paketa, pokušajte: \"snap tasks "
+"%s\""
 
 msgid ""
 "\n"
@@ -1094,6 +1302,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 "\n"
@@ -1122,11 +1335,22 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
 "invoked just using the alias.\n"
 msgstr ""
+"\n"
+"alias naredba dodaje zadanu snap aplikaciju zadanom pseudonimu.\n"
+"\n"
+"Jednom kada je taj ručni pseudonim postavljen određena naredba aplikacije se "
+"može pozvati samo korištenjem pseudonima.\n"
 
 msgid ""
 "\n"
@@ -1205,6 +1429,10 @@
 "none)\n"
 "the system operates in.\n"
 msgstr ""
+"\n"
+"confinement - naredba će prikazati načine ograničenja (strict, partial ili "
+"none)\n"
+"u kojemu sustav radi.\n"
 
 msgid ""
 "\n"
@@ -1340,6 +1568,8 @@
 "The find command queries the store for available packages in the stable "
 "channel.\n"
 msgstr ""
+"\n"
+"find - naredba upita trgovine za dostupne pakete u stabilnom kanalu.\n"
 
 msgid ""
 "\n"
@@ -1482,6 +1712,12 @@
 "If no interface name is provided, a list of interface names with at least\n"
 "one connection is shown, or a list of all interfaces if --all is provided.\n"
 msgstr ""
+"\n"
+"interface - naredba prikazuje pojedinosti snap sučelja.\n"
+"\n"
+"Ako nije dostupan naziv sučelja, popis naziva sučelja s najmanje\n"
+"jednim povezivanjem je prikazan, ili popis svih sučelja ako je --all "
+"naveden.\n"
 
 msgid ""
 "\n"
@@ -1569,6 +1805,12 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
@@ -1578,10 +1820,22 @@
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+"\n"
+"pack - naredba pakira zadani snap-dir kao snap paket."
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
 msgstr ""
+"\n"
+"prefer - naredba omogućuje sve pseudonime zadanog snap paketa u prednosti\n"
+"nad sukobljenim pseudonimima drugih snap paketa čiji će pseudonimi biti "
+"onemogućeni\n"
+"(uklonjeni za ručne).\n"
 
 #, c-format
 msgid ""
@@ -1600,6 +1854,19 @@
 "if instead you want to install the snap forcing it into strict confinement\n"
 "repeat the command including --jailmode."
 msgstr ""
+"\n"
+"Izdavač snap paketa %q ukazuje da ne smatra ovu reviziju\n"
+"kvalitetnim proizvodom i da je namijenjena samo za razvoj i testiranje\n"
+"na ovoj točki razvoja. Kao posljedica ovaj snap paket se neće osvježavati "
+"automatski\n"
+"i može izazvati proizvoljne promjene sustava izvan sigurnosti snap "
+"okruženja\n"
+"kojemu je namijenjeno, što može ugroziti vaš sustav.\n"
+"\n"
+"Ako ste razumjeli i želite nastaviti ponovite naredbu uključujući --"
+"devmode;\n"
+"Ako umjesto želite instalirati snap paket prisileći ga u strict ograničenje\n"
+"ponovite naredbu uključujući --jailmode."
 
 msgid ""
 "\n"
@@ -1629,6 +1896,40 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+"\n"
+"repair - naredba prikazuje pojedinosti o jednoj ili više popravci.\n"
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+"\n"
+"repairs - naredba prikazuje sve izvršene popravke ovog uređaja.\n"
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+"\n"
+"restart - naredba ponovno pokreće zadanu uslugu snap paketa. Ako je "
+"pokrenuta iz\n"
+"\"podešavanja\" kvačenja, usluga će se ponovno pokrenuti nakon što kvačenje "
+"završi."
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1648,6 +1949,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1659,18 +1966,6 @@
 "\n"
 "    $ snap set author.name=frank\n"
 msgstr ""
-"\n"
-"set - naredba mijenja pružene mogućnosti podešavanja kao što je "
-"zahtijevano.\n"
-"\n"
-"    $ snap set snap-name username=goran password=$PASSWORD\n"
-"\n"
-"Sve promjene podešavanja su ustrajane odjednom, i to samo ako se\n"
-"postupak podešavanja vrati uspješno.\n"
-"\n"
-"Vrijednosti smještene unutar mogu se preuzeti putem točkaste putanje:\n"
-"\n"
-"    $ snap set author.name=goran\n"
 
 msgid ""
 "\n"
@@ -1691,36 +1986,52 @@
 "\n"
 "    $ snapctl set :myplug path=/dev/ttyS0\n"
 msgstr ""
+
+msgid ""
 "\n"
-"set - naredba mijenja pružene mogućnosti podešavanja kao što je "
-"zahtijevano.\n"
-"\n"
-"    $ snap set snap-name username=goran password=$PASSWORD\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
 "\n"
-"Sve promjene podešavanja su ustrajane odjednom, i to samo ako se\n"
-"postupak podešavanja vrati uspješno.\n"
+"start - naredba pokreće zadanu uslugu snap paketa. Ako je pokrenuta iz\n"
+"\"podešavanja\" kvačenja, usluga će se pokrenuti nakon što kvačenje završi."
+
+msgid ""
 "\n"
-"Vrijednosti smještene unutar mogu se preuzeti putem točkaste putanje:\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
 "\n"
-"    $ snap set author.name=goran\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
 "\n"
-"Svojstva priključka i priključnice mogu se postaviti odgovarajućom pripremom "
-"i povezivanjem zakvačiti\n"
-"imenovanjem odgovarajućeg priključka ili priključnice:\n"
+"stop - naredba zaustavlja zadanu uslugu snap paketa. Ako je pokrenuta iz\n"
+"\"podešavanja\" kvačenja, usluga će se zaustaviti nakon što kvačenje završi."
+
+msgid ""
 "\n"
-"    $ snapctl set :myplug path=/dev/ttyS0\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
 
 msgid ""
 "\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
+"\n"
+"switch - naredba prebacuje zadani snap paket na drugi kanal bez\n"
+"obavljanja osvježavanja.\n"
 
 msgid ""
 "\n"
 "The tasks command displays a summary of tasks associated to an individual "
 "change."
 msgstr ""
+"\n"
+"tasks - naredba prikazuje sažetak zadataka povezanih s pojedinom promjenom."
 
 msgid ""
 "\n"
@@ -1758,6 +2069,10 @@
 "The unalias command tears down a manual alias when given one or disables all "
 "aliases of a snap, removing also all manual ones, when given a snap name.\n"
 msgstr ""
+"\n"
+"unalias - naredba uklanja ručne pseudonime kada je zadan jedan ili "
+"onemogućuje sve pseudonime snap paketa, uklanjajući isto sve ručne, kada je "
+"zadan naziv snap paketa.\n"
 
 msgid ""
 "\n"
@@ -1783,6 +2098,8 @@
 "\n"
 "The whoami command prints the email the user is logged in with.\n"
 msgstr ""
+"\n"
+"whoami - naredba prikazuje adresu e-pošte s kojom je korisnik prijavljen.\n"
 
 #, c-format
 msgid ""
@@ -1796,17 +2113,18 @@
 "If you understand and want to proceed repeat the command including --"
 "classic.\n"
 msgstr ""
+"\n"
+"Ova revizija snap paketa %q je objavljena koristeći klasično ograničenje i\n"
+"može izazvati proizvoljne promjene sustava izvan sigurnosti snap okruženja\n"
+"kojemu je namijenjeno, što može ugroziti vaš sustav.\n"
+"\n"
+"Ako ste razumjeli i želite nastaviti ponovite naredbu uključujući --"
+"classic.\n"
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
-"\n"
-"\n"
-"Osobni direktorij je dijeljen između snappy i klasične dimenzije.\n"
-"Pokrenite \"exit\" za napuštanje klasične ljuske.\n"
 
 msgid "a single snap name is needed to specify mode or channel flags"
 msgstr ""
@@ -1821,6 +2139,9 @@
 "pojedinačni naziv snap paketa mora biti određen pri zanemarivanju provjere"
 
 msgid "active"
+msgstr "aktivno"
+
+msgid "auto-refresh: all snaps are up-to-date"
 msgstr ""
 
 msgid "bought"
@@ -1831,6 +2152,10 @@
 msgstr "slomljeno"
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr "nemoguće %s biti bez sadržaja"
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr "nemogće je kupiti snap paket: %v"
 
@@ -1863,7 +2188,6 @@
 msgstr "nemoguće je pronaći kvačilo %q u %q"
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr "nemoguće je nabaviti podatak za %q: %v"
@@ -1875,7 +2199,7 @@
 
 #, c-format
 msgid "cannot get the current user: %s"
-msgstr ""
+msgstr "nemoguće je dobiti trenutnog korisnika: %s"
 
 #, c-format
 msgid "cannot get the current user: %v"
@@ -1891,46 +2215,43 @@
 
 #, c-format
 msgid "cannot read assertion input: %v"
-msgstr "nemoguće čitanje ulaza potvrde: %v"
+msgstr ""
 
 #. TRANSLATORS: %v the error message
 #, c-format
 msgid "cannot read symlink: %v"
-msgstr "nemoguće čitanje simboličke poveznice: %v"
+msgstr ""
 
 #, c-format
 msgid "cannot resolve snap app %q: %v"
-msgstr "nemoguće razrješvanje snap aplikacije %q: %v"
+msgstr ""
 
 #, c-format
 msgid "cannot sign assertion: %v"
-msgstr "nemoguće potpisivanje potvrde: %v"
+msgstr ""
 
 #, c-format
 msgid "cannot update the 'current' symlink of %q: %v"
-msgstr "nemoguća nadopuna 'trenutne' simboličke poveznice za %q: %v"
+msgstr ""
 
 #. TRANSLATORS: %q is the key name, %v the error message
 #, c-format
 msgid "cannot use %q key: %v"
-msgstr "nemoguće korištenje %q ključa: %v"
-
-msgid "cannot use --hook and --command together"
-msgstr "nemoguće korištenje --hook i --command argumenta zajedno"
+msgstr ""
 
 msgid "cannot use change ID and type together"
-msgstr ""
+msgstr "nemoguće je promijeniti ID i vrstu zajedno"
 
 msgid "cannot use devmode and jailmode flags together"
-msgstr "nemoguće korištenje devmode i jailmode oznaka zajedno"
+msgstr ""
 
 #, c-format
 msgid "cannot validate owner of file %s"
-msgstr ""
+msgstr "nemoguće je provjeriti vlasnika datoteke %s"
 
 #, c-format
 msgid "cannot write new Xauthority file at %s: %s"
-msgstr ""
+msgstr "nemoguće je zapisati novu Xauthority datoteku u %s: %s"
 
 #, c-format
 msgid "change finished in status %q with no error message"
@@ -1940,20 +2261,26 @@
 msgid ""
 "classic confinement requires snaps under /snap or symlink from /snap to %s"
 msgstr ""
+"klasično ograničenje zahtijeva snap pakete u /snap ili simboličke poveznice "
+"iz /snap u %s"
 
 #, c-format
 msgid "created user %q\n"
 msgstr "stvorio korisnik %q\n"
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr "onemogućeno"
 
 msgid "email:"
-msgstr ""
+msgstr "e-pošta:"
 
 msgid "enabled"
-msgstr ""
+msgstr "omogućeno"
 
 #, c-format
 msgid "error: %v\n"
@@ -1966,9 +2293,16 @@
 msgid "get which option?"
 msgstr "nabaviti koju mogućnost?"
 
-msgid "inactive"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
 msgstr ""
 
+msgid "inactive"
+msgstr "neaktivno"
+
 msgid ""
 "interface attributes can only be read during the execution of interface hooks"
 msgstr ""
@@ -2000,6 +2334,8 @@
 "invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
 "“all”."
 msgstr ""
+"neispravan argument za oznaku ‘-n’: očekivan je pozitivan cjelobrojni "
+"argument, ili “all”."
 
 #, c-format
 msgid "invalid attribute: %q (want key=value)"
@@ -2027,6 +2363,14 @@
 msgstr ""
 "naziv ključa %q nije valjan; samo ASCII slova, brojevi i povlake su dopušteni"
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr "nedostaje snap-confine: pokušajte nadopuniti vaš snap paket"
 
@@ -2038,10 +2382,10 @@
 
 #, c-format
 msgid "no changes of type %q found"
-msgstr ""
+msgstr "nema pronađenih promjena vrste %q"
 
 msgid "no interfaces currently connected"
-msgstr ""
+msgstr "trenutno nema povezanih sučelja"
 
 msgid "no interfaces found"
 msgstr "nema pronađenih sučelja"
@@ -2050,16 +2394,13 @@
 msgstr "nema odgovarajućih snap paketa instaliranih"
 
 msgid "no such interface"
-msgstr ""
+msgstr "nema takvog sučelja"
 
 msgid "no valid snaps given"
 msgstr "nema odgovarajućih snap paketa zadanih"
 
-msgid "not a valid snap"
-msgstr "nema valjanih snap paketa"
-
 msgid "please provide change ID or type with --last=<type>"
-msgstr ""
+msgstr "omogućite ID promjene ili vrstu sa --last=<vrsta>"
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
@@ -2072,41 +2413,42 @@
 "zakazano ponovno pokretanje za nadopunu sustava - privremeno se prekida sa "
 "'sudo shutdown -c'"
 
+msgid "repairs are not available on a classic system"
+msgstr "popravci nisu dopstupni na klasičnom sustavu"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
-msgstr ""
+msgstr "postavljanje neuspjelo: %v"
 
 msgid "set which option?"
 msgstr "postaviti koju mogućnost?"
 
-msgid "show detailed information about a snap"
-msgstr "prikaži opširnije informacije o snap paketu"
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
-msgstr ""
+msgstr "snap paket %%q nije pronađen (bar pri reviziji %q)"
 
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
 #, c-format
 msgid "snap %%q not found (at least in channel %q)"
-msgstr ""
+msgstr "snap paket %%q nije pronađen (bar u kanalu %q)"
 
 #, c-format
 msgid "snap %q has no updates available"
-msgstr ""
+msgstr "snap paket %q nema dostupnih nadopuna"
 
 #, c-format
 msgid "snap %q is already installed, see \"snap refresh --help\""
-msgstr ""
-
-#, c-format
-msgid "snap %q is local"
-msgstr ""
+msgstr "snap paket %q je već instaliran, pogledajte \"snap refresh --help\""
 
 #, c-format
 msgid "snap %q not found"
-msgstr ""
+msgstr "snap paket %q nije pronađen"
 
 #. TRANSLATORS: free as in gratis
 msgid "snap is free"
@@ -2125,6 +2467,9 @@
 msgid "too many arguments: %s"
 msgstr "previše argumenata: %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "nedostupno"
 
@@ -2141,21 +2486,31 @@
 msgstr "nepoznat priključak ili priključnica %q"
 
 #, c-format
-msgid "unsupported shell %v"
-msgstr "nepodržana ljuska %v"
+msgid "unknown service: %q"
+msgstr "nepoznata usluga: %q"
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Ovjeri u snap pozadinskom programu"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Potrebna je dozvola za ovjeru u snap pozadinskom programu"
+
+msgid "Install, update, or remove packages"
+msgstr "instaliraj, nadopuni ili ukloni pakete"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr "Potrebna je ovjera za instalaciju, nadopunu ili uklanjanje paketa"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Poveži, prekini povezivanje sučelja"
 
-#~ msgid ""
-#~ "\n"
-#~ "The change command displays a summary of tasks associated to an individual "
-#~ "change."
-#~ msgstr ""
-#~ "\n"
-#~ "change - naredba prikazuje sažetak zadataka povezanih s pojedinačnom "
-#~ "promjenom."
-
-#~ msgid ""
-#~ "\n"
-#~ "The find command queries the store for available packages.\n"
-#~ msgstr ""
-#~ "\n"
-#~ "find - naredba pretražuje dostupne pakete u trgovini.\n"
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Potrebna je ovjera za povezivanje ili prekidanje povezivanja sučelja"
diff -Nru snapd-2.32.3.2~14.04/po/hu.po snapd-2.37~rc1~14.04/po/hu.po
--- snapd-2.32.3.2~14.04/po/hu.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/hu.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Hungarian translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Hungarian <hu@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/ia.po snapd-2.37~rc1~14.04/po/ia.po
--- snapd-2.32.3.2~14.04/po/ia.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ia.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Interlingua translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-01-23 00:42+0000\n"
-"Last-Translator: karm <melo@carmu.com>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Interlingua <ia@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/id.po snapd-2.37~rc1~14.04/po/id.po
--- snapd-2.32.3.2~14.04/po/id.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/id.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Indonesian translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-10-18 01:38+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Indonesian <id@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/it.po snapd-2.37~rc1~14.04/po/it.po
--- snapd-2.32.3.2~14.04/po/it.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/it.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Italian translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-09-04 11:48+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Italian <it@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -35,57 +35,62 @@
 
 #, c-format
 msgid "%s (delta)"
-msgstr ""
+msgstr "%s (delta)"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (see \"snap login --help\")"
-msgstr ""
+msgstr "%s (consultare \"snap login --help\")"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (try with sudo)"
-msgstr ""
+msgstr "%s (provare con sudo)"
 
 #, c-format
 msgid "%s already installed\n"
-msgstr ""
+msgstr "%s già installata\n"
 
 #, c-format
 msgid "%s disabled\n"
-msgstr ""
+msgstr "%s disabilitata\n"
 
 #, c-format
 msgid "%s enabled\n"
-msgstr ""
+msgstr "%s abilitata\n"
 
 #, c-format
 msgid "%s not installed\n"
-msgstr ""
+msgstr "%s non installata\n"
 
 #, c-format
 msgid "%s removed\n"
-msgstr ""
+msgstr "%s rimossa\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
-msgstr ""
+msgstr "%s ripristinata a %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
-msgstr ""
+msgstr "%s%s %s da \"%s\" installata\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
-msgstr ""
+msgstr "%s%s %s da \"%s\" aggiornata\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
-msgstr ""
+msgstr "%s%s %s installata\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
-msgstr ""
+msgstr "%s%s %s aggiornata\n"
 
 msgid "--list does not take mode nor channel flags"
 msgstr ""
@@ -96,90 +101,158 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<alias-o-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
-msgstr ""
+msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
-msgstr ""
+msgstr "<id-modifica>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
-msgstr ""
+msgstr "<valore conf>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
-msgstr ""
+msgstr "<email>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
-msgstr ""
+msgstr "<nomefile>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<interfaccia>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr ""
+msgstr "<nome-chiave>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
-msgstr ""
+msgstr "<chiave>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
+msgstr "<dir-root->"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
-msgid "Abort a pending change"
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
 msgstr ""
 
+msgid "Abort a pending change"
+msgstr "Annulla una modifica in corso"
+
 msgid "Added"
-msgstr ""
+msgstr "Aggiunta"
 
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
+msgstr "Tutte le snap aggiornate."
+
+msgid "Allow opening file?"
 msgstr ""
 
-msgid "Alternative command to run"
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
 msgstr ""
 
+msgid "Alternative command to run"
+msgstr "Comando alternativo da eseguire"
+
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,32 +272,32 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
-msgid "Bad code. Try again: "
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
+msgid "Bad code. Try again: "
+msgstr "Codice errato, riprovare: "
+
 msgid "Buys a snap"
-msgstr ""
+msgstr "Acquista una snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
-msgstr ""
+msgstr "Id modifica"
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Comando\tAlias\tNote"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
 msgid "Confirm passphrase: "
-msgstr ""
+msgstr "Conferma passphrase: "
 
 #, c-format
 msgid "Connect %s:%s to %s:%s"
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -270,7 +345,7 @@
 
 #, c-format
 msgid "Disable %q snap"
-msgstr ""
+msgstr "Disabilita snap %q"
 
 #, c-format
 msgid "Disable aliases for snap %q"
@@ -281,7 +356,7 @@
 msgstr ""
 
 msgid "Disables a snap in the system"
-msgstr ""
+msgstr "Disabilita una snap nel sistema"
 
 #, c-format
 msgid "Discard interface connections for snap %q (%s)"
@@ -314,12 +389,13 @@
 
 #, c-format
 msgid "Enable %q snap"
-msgstr ""
+msgstr "Abilita snap %q"
 
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -410,19 +490,19 @@
 
 #, c-format
 msgid "Install %q snap"
-msgstr ""
+msgstr "Installa snap %q"
 
 #, c-format
 msgid "Install %q snap from %q channel"
-msgstr ""
+msgstr "Installa snap %q dal canale %q"
 
 #, c-format
 msgid "Install %q snap from file"
-msgstr ""
+msgstr "Installa snap %q da file"
 
 #, c-format
 msgid "Install %q snap from file %q"
-msgstr ""
+msgstr "Installa snap %q dal file %q"
 
 msgid "Install from the beta channel"
 msgstr ""
@@ -438,12 +518,12 @@
 
 #, c-format
 msgid "Install snap %q"
-msgstr ""
+msgstr "Installa snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Install snaps %s"
-msgstr ""
+msgstr "Installa snap %s"
 
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -963,6 +1150,9 @@
 
 #, c-format
 msgid "Try %q snap from %s"
+msgstr "Provcare %q snap da %s"
+
+msgid "Try: snap install <selected snap>\n"
 msgstr ""
 
 msgid "Two-factor code: "
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,32 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
 msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Autenticazione col demone snap"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "È richiesto autenticarsi col demone snap"
+
+msgid "Install, update, or remove packages"
+msgstr "Installa, aggiorna o rimuove pacchetti"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+"È richiesto autenticarsi per installare, aggiornare o rimuovere pacchetti"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Connetti/Disconnetti interfacce"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "È richiesto autenticarsi per connettere/disconnettere interfacce"
diff -Nru snapd-2.32.3.2~14.04/po/ja.po snapd-2.37~rc1~14.04/po/ja.po
--- snapd-2.32.3.2~14.04/po/ja.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ja.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Japanese translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-11-30 20:59+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Japanese <ja@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/km.po snapd-2.37~rc1~14.04/po/km.po
--- snapd-2.32.3.2~14.04/po/km.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/km.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Khmer translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Khmer <km@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/ko.po snapd-2.37~rc1~14.04/po/ko.po
--- snapd-2.32.3.2~14.04/po/ko.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ko.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Korean translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Korean <ko@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/lt.po snapd-2.37~rc1~14.04/po/lt.po
--- snapd-2.32.3.2~14.04/po/lt.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/lt.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Lithuanian translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-09-23 15:49+0000\n"
-"Last-Translator: Moo <hazap@hotmail.com>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Lithuanian <lt@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr "%s pašalinta\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s sugrąžinta į %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s iš \"%s\" įdiegta\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s įdiegta\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<raktas>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Nutraukti laukiamą pakeitimą"
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/ms.po snapd-2.37~rc1~14.04/po/ms.po
--- snapd-2.32.3.2~14.04/po/ms.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ms.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Malay translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-10-09 14:23+0000\n"
-"Last-Translator: abuyop <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Malay <ms@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/nb.po snapd-2.37~rc1~14.04/po/nb.po
--- snapd-2.32.3.2~14.04/po/nb.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/nb.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Norwegian Bokmal translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-10-25 11:43+0000\n"
-"Last-Translator: Åka Sikrom <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Norwegian Bokmal <nb@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr "%s fjernet\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s tilbakestilt til %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s fra «%s» installert\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s installert\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr "«-r» kan bare brukes sammen med «--hook»"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr "<forutsetningsfil>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr "<forutsetningstype>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr "<endrings-ID>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr "<oppsettsverdi>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<e-post>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<filnavn>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<hodefilter>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<nøkkelnavn>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<nøkkel>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr "<modellforutsetning>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr "<spørring>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr "<rotmappe>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr "<snap>:<plugg>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr "<snap>:<spor eller or plugg>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr "<snap>:<spor>"
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Avbryt pågående endring"
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr "Legger til en forutsetning i systemet"
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr "Alias for «--dangerous» (UTGÅTT)"
 
 msgid "All snaps up to date."
 msgstr "Alle snap-pakker er oppdatert."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Alternativ kommando som skal kjøres"
 
 msgid "Always return document, even with single key"
 msgstr "Vis alltid dokument, selv med enkeltknapp"
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr "E-postadresse til en bruker på login.ubuntu.com"
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr "Forutsetningsfil"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "Forutsetningstypenavn"
 
@@ -199,30 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr "Ugyldig kode. Prøv igjen: "
 
 msgid "Buys a snap"
 msgstr "Kjøper en snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-"Klassisk dimensjon er slått av på dette systemet.\n"
-"Bruk «sudo snap install --devmode classic && sudo classic.create» for å slå "
-"på."
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr "Oppsettsverdi (nøkkel=verdi)"
 
@@ -236,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr "Kobler en plugg til et spor"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr "Begrens visning til bestemt snap eller snap:navn"
 
 msgid "Constrain listing to specific interfaces"
 msgstr "Begrens visning til bestemt grensesnitt"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr "Begrens visning til elementer som samsvarer med hode=verdi"
 
@@ -323,8 +395,9 @@
 msgid "Enables a snap in the system"
 msgstr "Slår på en snap i systemet"
 
-msgid "Entering classic dimension"
-msgstr "Går inn i klassisk dimensjon"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
@@ -347,6 +420,7 @@
 msgid "Fetching snap %q\n"
 msgstr "Henter snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr "Filnavn på snap som du vil bygge for"
 
@@ -393,6 +467,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr "Identifisering av snap-pakke som er knyttet til bygget"
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -469,9 +546,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr "Installerer en snap på systemet"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr "Interessenøkkel i oppsettet"
 
@@ -494,6 +580,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr "Vis systemgrensesnitt"
 
@@ -533,12 +622,15 @@
 msgid "Mount snap %q%s"
 msgstr "Monter snap %q%s"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr "Navn på nøkkel som skal lages (standard er «default»)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr "Navn på nøkkel du vil slette"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr "Navn på nøkkel du vil eksportere"
 
@@ -561,15 +653,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr "Navn\tVersjon\tRev\tUtvikler\tMerknader"
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
-msgstr "Ingen snap-er er installert enda. Prøv «snap install hello-world»."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid "No section specified. Available sections:\n"
 msgstr ""
 
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr "Ingen snap-er er installert enda. Prøv «snap install hello-world»."
+
 msgid "Output results in JSON format"
 msgstr "Skriv ut treff i JSON-format"
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr "Passordfrase: "
 
@@ -584,6 +722,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -615,7 +756,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -743,6 +884,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr "Kjør skall i stedet for kommando (nyttig ved feilsøking)"
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -763,6 +907,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -770,6 +918,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr "Kjør valgt snap-kommando"
 
@@ -787,6 +943,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -827,15 +986,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr "Viser kjente forutsetninger av aktuell type"
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -854,12 +1023,16 @@
 msgid "Slot\tPlug"
 msgstr "Spor\tPlugg"
 
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Snap name"
 msgstr "Snapnavn"
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
-
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
@@ -941,24 +1114,28 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 "Brukernavn/e-postadresse (login.ubuntu.com) som skal brukes til innlogging"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr "Modell-forutsetningsnavn"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr "Utdata-mappe"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr "Snap som skal settes opp (f.eks. «hello-world»)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr "Snap som oppsett blir forespurt for"
 
@@ -968,6 +1145,13 @@
 msgid "This command logs the current user out of the store"
 msgstr "Denne kommandoen logger gjeldende bruker ut av butikken"
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr "Interaksjonsverktøy for snap-er"
 
@@ -982,6 +1166,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr "Toveis-autentiseringskode: "
 
@@ -994,13 +1181,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr "Bruk denne kanalen i stedet for «stable» (stabil)"
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr "ADVARSEL: klarte ikke å slå på loggføring: %v\n"
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr "Venter på omstart av tjener"
 
@@ -1050,6 +1248,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 "\n"
@@ -1081,6 +1284,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1399,12 +1608,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1448,6 +1668,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1464,6 +1709,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1498,6 +1749,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1563,13 +1837,8 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
-"\n"
-"\n"
-"Hjemmemappe deles mellom dimensjonene «snappy» og «classic».\n"
 
 msgid "a single snap name is needed to specify mode or channel flags"
 msgstr "du må oppgi et snap-navn for å bruke modus- eller kanalvalg"
@@ -1583,6 +1852,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr "kjøpt"
 
@@ -1591,6 +1863,10 @@
 msgstr "ødelagt"
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1623,7 +1899,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr "klaret ikke å hente data for %q: %v"
@@ -1675,9 +1950,6 @@
 msgid "cannot use %q key: %v"
 msgstr "klarte ikke å bruke nøkkelen %q: %v"
 
-msgid "cannot use --hook and --command together"
-msgstr "du kan ikke velge både «--hook» og «--command» samtidig"
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1705,6 +1977,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr "slått av"
@@ -1726,6 +2002,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1785,6 +2068,14 @@
 "nøkkelnavn %q er ugyldig. Du kan bare bruke ASCII-bokstaver, sifre og "
 "bindestreker"
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1813,9 +2104,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1830,6 +2118,14 @@
 "omstart er planlagt for å oppdatere systemet. Avbryt dette midlertidig med "
 "kommandoen «sudo shutdown -c»"
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1837,9 +2133,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1859,10 +2152,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1883,6 +2172,9 @@
 msgid "too many arguments: %s"
 msgstr "du har brukt for mange argumenter: %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "utilgjengelig"
 
@@ -1899,21 +2191,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
-msgstr "skallet %v støttes ikke"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
 
-#~ msgid ""
-#~ "\n"
-#~ "The change command displays a summary of tasks associated to an individual "
-#~ "change."
-#~ msgstr ""
-#~ "\n"
-#~ "Kommandoen «change» viser sammendrag av oppgaver som er knyttet til en "
-#~ "enkeltendring."
-
-#~ msgid ""
-#~ "\n"
-#~ "The find command queries the store for available packages.\n"
-#~ msgstr ""
-#~ "\n"
-#~ "Kommandoen «find» ser etter tilgjengelige pakker i butikken.\n"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/nl.po snapd-2.37~rc1~14.04/po/nl.po
--- snapd-2.32.3.2~14.04/po/nl.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/nl.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2195 @@
+# Dutch translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Dutch <nl@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+"%q bevat geen onverpakte snap.\n"
+"\n"
+"Probeer 'snapcraft prime' in uw projectmap en probeer daarna opnieuw 'snap "
+"try'."
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr "%q overgeschakeld naar het kanaal %q\n"
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr "%s %s gekoppeld vanaf %s\n"
+
+#, c-format
+msgid "%s (delta)"
+msgstr "%s (delta)"
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr "%s (zie \"snap login --help\")"
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr "%s (probeer met sudo)"
+
+#, c-format
+msgid "%s already installed\n"
+msgstr "%s reeds geïnstalleerd\n"
+
+#, c-format
+msgid "%s disabled\n"
+msgstr "%s uitgeschakeld\n"
+
+#, c-format
+msgid "%s enabled\n"
+msgstr "%s ingeschakeld\n"
+
+#, c-format
+msgid "%s not installed\n"
+msgstr "%s niet geïnstalleerd\n"
+
+#, c-format
+msgid "%s removed\n"
+msgstr "%s verwijderd\n"
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr "%s teruggedraaid naar %s\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr "%s%s %s van '%s' geïnstalleerd\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr "%s%s %s van '%s' ververst\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr "%s%s %s geïnstalleerd\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr "%s%s %s ververst\n"
+
+msgid "--list does not take mode nor channel flags"
+msgstr "--list kent geen modus of kanaalvlaggen"
+
+msgid "--time does not take mode nor channel flags"
+msgstr "--list kent geen modus of kanaalvlaggen"
+
+msgid "-r can only be used with --hook"
+msgstr "-r kan alleen worden gebruikt met --hook"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr "<alias-of-snap>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr "<alias>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr "<bevestigingsbestand>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr "<bevestigingstype>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr "<change-id>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr "<conf value>"
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr "<email>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr "<bestandsnaam>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr "<kopfilter>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr "<apparaat>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr "<key-name>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr "<sleutel>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr "<model-assertion>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr "<zoekopdracht>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr "<root-dir>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr "<snap>:<plug>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr "<snap>:<slot or plug>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr "<snap>:<slot>"
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr "Breek een wachtende verandering af"
+
+msgid "Added"
+msgstr "Toegevoegd"
+
+msgid "Adds an assertion to the system"
+msgstr "Voegt een bevestiging toe aan het systeem"
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr "Alias voor --dangerous (VEROUDERD)"
+
+msgid "All snaps up to date."
+msgstr "Alle snaps zijn bijgewerkt."
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr "Alternatieve opdracht om uit te voeren"
+
+msgid "Always return document, even with single key"
+msgstr "Toon altijd het document, zelfs met een enkele toets"
+
+msgid "Always return list, even with single key"
+msgstr "Toon altijd de lijst, zelfs met een enkele toets"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr "Een e-mail van een gebruiker op login.ubuntu.com"
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr "Bevestigingsbestand"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr "Naam van bevestigingstype"
+
+msgid "Authenticates on snapd and the store"
+msgstr "Authenticeert voor snapd en de winkel"
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr "%d snaps automatisch verversen"
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr "Snap %q automatisch verversen"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr "Snaps %s automatisch verversen"
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr "Slechte code. Probeer opnieuw: "
+
+msgid "Buys a snap"
+msgstr "Koopt een snap"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr "ID veranderen"
+
+msgid "Changes configuration options"
+msgstr "Verandert instellingsopties"
+
+msgid "Command\tAlias\tNotes"
+msgstr "Opdracht\tAlias\tNotities"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr "Instellingswaarde (key=value)"
+
+msgid "Confirm passphrase: "
+msgstr "Wachtwoordzin bevestigen: "
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr "Aansluiten van %s: %s aan %s:%s"
+
+msgid "Connects a plug to a slot"
+msgstr "Verbindt een stekker met een contact"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr "Beperk lijstweergave tot een specifieke snap of snap:naam"
+
+msgid "Constrain listing to specific interfaces"
+msgstr "Beperk lijstweergave tot specifieke apparaten"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+"Maak een cryptografisch paar sleutels dat gebruikt kan worden voor het "
+"bevestigen van ondertekeningen."
+
+msgid "Create cryptographic key pair"
+msgstr "Maak een cryptografisch paar sleutels"
+
+msgid "Create snap build assertion"
+msgstr "Maak een bevesting voor snapbouwen"
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr "Maak een bevestiging voor snapbouwen voor het geleverde snapbestand."
+
+msgid "Creates a local system user"
+msgstr "Een gebruiker maken voor het lokale systeem"
+
+msgid "Delete cryptographic key pair"
+msgstr "Verwijder cryptografisch sleutelpaar"
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr "Verwijder het cryptografische sleutelpaar met de opgegeven naam."
+
+#, c-format
+msgid "Disable %q snap"
+msgstr "Schakel %q  snap uit"
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr "Schakel alle aliassen uit voor snap %q"
+
+msgid "Disables a snap in the system"
+msgstr "Schakelt een snap uit in het systeem"
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr "Trekt een stekker uit een contact"
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+"Wacht niet totdat de bewerking is voltooid maar druk gewoon de wijzigings-ID "
+"af."
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+"Haal de opgegeven revisie binnen van een snap, waarvoor u "
+"ontwikkelaarstoegang nodig hebt"
+
+msgid "Downloads the given snap"
+msgstr "Haalt de opgegeven snap binnen"
+
+msgid "Email address: "
+msgstr "E-mailadres: "
+
+#, c-format
+msgid "Enable %q snap"
+msgstr "Schakel %q snap in"
+
+msgid "Enables a snap in the system"
+msgstr "Schakelt een snap in uw systeem in"
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr "Exporteer cryptografische publieke sleutel"
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr "Bevestigingen aan het ophalen voor %q\n"
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr "Snap %q aan het ophalen\n"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr "Bestandsnaam van de snap waar u een bouwsel voor wilt bevestigen"
+
+msgid "Finds packages to install"
+msgstr "Zoekt pakketten om te installeren"
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+"Dwing toevoegen van de gebruiker af, zelfs indien het apparaat reeds wordt "
+"beheerd"
+
+msgid "Force import on classic systems"
+msgstr "Dwing invoeren af op klassieke systemen"
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr "Maak de hulppagina aan"
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr "Graad vermeldt de bouwkwaliteit van de snap (standaard is 'stabiel')"
+
+msgid "Grant sudo access to the created user"
+msgstr "Verleen sudo-toegang aan de aangemaakte gebruiker"
+
+msgid "Help"
+msgstr "Hulp"
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr "Negeer validatie door andere snaps die de verversing blokkeren"
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+"Om %q te kopen, moet u akkoord gaan met de nieuwste voorwaarden en "
+"bepalingen. Bezoek a.u.b. https://my.ubuntu.com/payment/edit om dit te "
+"doen.\n"
+"\n"
+"Wanneer dat achter de rug is, kom dan hier terug en voer 'snap buy %s' "
+"opnieuw uit."
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+"Neem een uitgebreide lijst op van de aantekeningen van een snap (zo niet: "
+"vat de aantekeningen samen)"
+
+msgid "Include unused interfaces"
+msgstr "Neem ongebruikte apparaten op"
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr "Installeer %q snap"
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr "Installeer %q snap vanuit %q kanaal"
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr "Installeer %q snap vanuit bestand"
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr "Installeer %q snap vanuit bestand %q"
+
+msgid "Install from the beta channel"
+msgstr "Installeer vanuit het bètakanaal"
+
+msgid "Install from the candidate channel"
+msgstr "Installeer vanuit het kandidatenkanaal"
+
+msgid "Install from the edge channel"
+msgstr "Installeer vanuit het onstabiele kanaal"
+
+msgid "Install from the stable channel"
+msgstr "Installeer vanuit het stabiele kanaal"
+
+#, c-format
+msgid "Install snap %q"
+msgstr "Installeer snap %q"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr "Installeer snaps %s"
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+"Installeer de opgegeven revisie van een snap waarvoor u ontwikkelaarstoegang "
+"nodig hebt"
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+"Installeer het opgegeven snapbestand zelfs indien er geen vooraf erkende "
+"handtekeningen voor zijn, hetgeen betekent dat het niet werd geverifieerd en "
+"dus gevaarlijk zou kunnen zijn (--devmode impliceert dit)"
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+"Installeer de opgegeven snap zonder zijn automatische aliassen in te "
+"schakelen"
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr "Installeert een snap in uw systeem"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr "Maak een lijst van de taken van een verandering"
+
+msgid "List cryptographic keys"
+msgstr "Maak een lijst van cryptografische sleutels"
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+"Maak een lijst van cryptografische sleutels die kan worden gebruikt voor het "
+"tekenen van bevestigingen."
+
+msgid "List installed snaps"
+msgstr "Maak een lijst van geïnstalleerde snaps"
+
+msgid "List system changes"
+msgstr "Maak een lijst van systeemveranderingen"
+
+msgid "Lists aliases in the system"
+msgstr "Maak een lijst van aliassen in het systeem"
+
+msgid "Lists all repairs"
+msgstr "Maak een lijst van alle reparaties"
+
+msgid "Lists interfaces in the system"
+msgstr "Toon een lijst van apparaten in het systeem"
+
+msgid "Lists snap interfaces"
+msgstr "Toon een lijst van snap-apparaten"
+
+msgid "Log out of the store"
+msgstr "Meld u af bij de winkel"
+
+msgid "Login successful"
+msgstr "Aanmelding succesvol"
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr "Naam van te maken sleutel; valt standaard terug op 'default'"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr "Naam van te wissen sleutel"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr "Naam van te exporteren sleutel"
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+"Naam van de te gebruiken sleutel voor GnuPG (valt standaard terug op "
+"'default' als sleutelnaam)"
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr "Naam van de te gebruiken sleutel, gebruik anders de standaardsleutel"
+
+msgid "Name\tSHA3-384"
+msgstr "Naam\tSHA3-384"
+
+msgid "Name\tSummary"
+msgstr "Naam\tSamenvatting"
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr "Naam\tVersie\tOntwikkelaar\tNotities\tSamenvatting"
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr "Naam\tVersie\tRev\tOntwikkelaar\tNotities"
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+"Thans zijn er nog geen snaps geïnstalleerd. Probeer 'snap install hello-"
+"world'."
+
+msgid "Output results in JSON format"
+msgstr "Gefe resulaten weer in JSON-opmaak"
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr "Wachtwoordzin: "
+
+#, c-format
+msgid "Password of %q: "
+msgstr "Wachtwoord van %q: "
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+"Voer a.u.b. opnieuw uw Ubuntu One wachtwoord in om %q te kopen van %q\n"
+"voor %s. Druk op ctrl-c om af te breken."
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr "Toon de versie en sluit af"
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr "Zet snap in klassieke modus en schakel veiligheidsbeperking uit"
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr "Zet snap in ontwikkelingsmodus en schakel veiligheidsbeperking uit"
+
+msgid "Put snap in enforced confinement mode"
+msgstr "Zet snap in afgedwongen beperkte modus"
+
+msgid "Query the status of services"
+msgstr "Doorzoek de status van diensten"
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr "ververs %q snap"
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr "Ververs %q snap vanuit %q kanaal"
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr "Ververs alle snaps: geen bijgewerkte pakketten"
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr "Ververs snap %q"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr "Ververs snaps %s"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr "Ververs snaps %s: geen bijgewerkte pakketten"
+
+msgid "Refresh to the given revision"
+msgstr "Ververs naar de opgegeven revisie"
+
+msgid "Refreshes a snap in the system"
+msgstr "Ververst een snap in het systeem"
+
+#, c-format
+msgid "Remove %q snap"
+msgstr "Verwijder %q snap"
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr "Verwijder handmatige alias %q voor snap %q"
+
+msgid "Remove only the given revision"
+msgstr "Verwijder alleen de opgegeven revisie"
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr "Verwijder snap %q"
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr "Verwijder snaps %s"
+
+msgid "Removed"
+msgstr "Verwijderd"
+
+msgid "Removes a snap from the system"
+msgstr "Verwijdert een snap uit het systeem"
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr "Herstart diensten"
+
+msgid "Restarted.\n"
+msgstr "Herstart.\n"
+
+msgid "Restrict the search to a given section"
+msgstr "Beperk de zoekopdracht tot een opgegeven sectie"
+
+msgid "Retrieve logs of services"
+msgstr "Haal logboeken op van diensten"
+
+#, c-format
+msgid "Revert %q snap"
+msgstr "Draai %q snap terug"
+
+msgid "Reverts the given snap to the previous state"
+msgstr "Draait de opgegeven snap terug naar de vorige toestand"
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr "Draai de opgegeven snapopdracht"
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr "Draai de opgegeven snapopdracht met de juiste beperking en omgeving"
+
+msgid "Runs debug commands"
+msgstr "Draait foutopsporingsopdrachten"
+
+msgid "Search private snaps"
+msgstr "Doorzoek private snaps"
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+"Kies de laatste wijziging van opgegeven type (installeren, verversen, "
+"verwijderen, proberen, automatisch verversen enz.)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr "Stelt een handmatige alias in"
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr "Stel alias in %q => %q voor snap %q"
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr "Toon alle revisies"
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+"Toon automatische verversingsinformatie maar voer geen verversing uit"
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr "Toon beschikbare snaps voor verversen maar voer geen verversing uit"
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Toon bijzonderheden van een specifiek apparaat"
+
+msgid "Show interface attributes"
+msgstr "Toon attributen van apparaten"
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr "Toont bekende bevestigingen van het geleverde type"
+
+msgid "Shows specific repairs"
+msgstr "Toont specifieke reparaties"
+
+msgid "Shows version details"
+msgstr "Toont versiedetails"
+
+msgid "Sign an assertion"
+msgstr "Teken een bevestiging"
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr "Naam van snap"
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+"Helaas, uw betaalmethode werd door de uitgever geweigerd. Bekijk a.u.b. uw\n"
+"betalingsdetails op https://my.ubuntu.com/payment/edit en probeer het "
+"opnieuw."
+
+msgid "Start services"
+msgstr "Start diensten"
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr "Start de dienst userd"
+
+msgid "Started.\n"
+msgstr "Gestart.\n"
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr "Status\tSpawn\tKlaar\tSamenvatting\n"
+
+msgid "Stop services"
+msgstr "Zet diensten stil"
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr "Stilgezet.\n"
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr "Strict intikken met nullen en tekenreeksen tussen aanhalingstekens"
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr "Schakelt snap om naar een ander kanaal"
+
+msgid "Temporarily mount device before inspecting"
+msgstr "Koppel het apparaat tijdelijk aan alvorens het te inspecteren"
+
+msgid "Tests a snap in the system"
+msgstr "Beproeft een snap in het systeem"
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+"Bedankt voor het kopen van %q. U kunt hem nu installeren op één van uw\n"
+"apparaten met 'snap install %s'."
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr "Het e-mailadres voor login.ubuntu.com om mee aan te melden"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr "De uitvoermap"
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr "De in te stellen snap (bijv. hello-world)"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr "De snap waarvan de instellingen worden opgevraagd"
+
+msgid "The userd command starts the snap user session service."
+msgstr "De opdracht userd start de gebruikerssessiedienst van de snap."
+
+msgid "This command logs the current user out of the store"
+msgstr "Deze opdracht meldt de huidige gebruiker af bij de winkel"
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr "Hulpmiddel om interactie te plegen met snaps"
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr "Probeer %q snap van %s"
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr "Twee-factorcode: "
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr "Gebruik bekende bevestigingen voor het aanmaken van een gebruiker"
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr "Gebruik dit kanaal in plaats van stabiel"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr "Waarschuwing: kon logboek niet activeren: %v\n"
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr "Aan het wachten op het herstarten van de server"
+
+msgid "Watch a change in progress"
+msgstr "Bekijk de voortgang van een verandering"
+
+msgid "Wrong again. Once more: "
+msgstr "Weer fout. Nog eens: "
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr "Bestand Xauthority is geen eigendom van de huidige gebruiker %s"
+
+msgid "Yes, yes it does."
+msgstr "Jazeker doet hij dat."
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+"U dient aangemeld te zijn om programmatuur aan te kopen. Draai a.u.b. 'snap "
+"login' en probeer het opnieuw."
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+"U dient een betalingsmethode te hebben verbonden met uw account ten einde "
+"een snap te kopen, bezoek a.u.b. https://my.ubuntu.com/payment/edit om er "
+"een toe te voegen.\n"
+"\n"
+"Wanneer u uw betalingsgegevens hebt toegevoegd, hoeft u alleen maar 'snap "
+"buy %s' opnieuw te draaien."
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+"De opdracht 'snap changes' verwacht een snapnaam, probeer: 'snap tasks %s'"
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+"\n"
+"Installeer, configureer, ververs en verwijder snap-pakketten. Snaps zijn\n"
+"'universele' pakketten die werken op veel verschillende Linuxsystemen,\n"
+"waardoor veilige distributie mogelijk wordt van de nieuwste hulp-\n"
+"middelen en toepassingen voor wolkdiensten, bureaucomputers,\n"
+"servers en het internet der dingen.\n"
+"\n"
+"Dit is de terminalomgeving voor snapd, een achtergronddienst die\n"
+"zorgt voor snaps in het systeem. Begin met 'snap list' om de\n"
+"geïnstalleerde snaps te zien.\n"
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+"\n"
+"De afbreekopdracht tracht om een verandering af te breken die nog wachtende "
+"taken heeft.\n"
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr "actief"
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr "gekocht"
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr "kapot"
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr "kan snap niet kopen: %v"
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr "kan snap niet kopen: ongeldige tekens in naam"
+
+msgid "cannot buy snap: it has already been bought"
+msgstr "kan snap niet kopen: hij is reeds gekocht"
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr "kan %q niet aanmaken: %v"
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr "kan toepassing %q niet vinden in %q"
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr "kan geen gegevens verkrijgen voor %q: %v"
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr "kan volledige pad niet verkrijgen voor %q: %v"
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr "kan de huidige gebruiker niet verkrijgen: %s"
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr "kan de huidige gebruiker niet verkrijgen: %v"
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr "kan de eigenaar van bestand %s niet valideren"
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr "verandering voltooid in status %q met geen enkele foutmelding"
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr "gebruiker %q aangemaakt\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr "uitgeschakeld"
+
+msgid "email:"
+msgstr "e-mail:"
+
+msgid "enabled"
+msgstr "ingeschakeld"
+
+#, c-format
+msgid "error: %v\n"
+msgstr "fout: %v\n"
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr "inactief"
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr "geen veranderingen gevonden"
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr "geen veranderingen gevonden van type %q"
+
+msgid "no interfaces currently connected"
+msgstr "thans geen apparaten verbonden"
+
+msgid "no interfaces found"
+msgstr "geen apparaten gevonden"
+
+msgid "no matching snaps installed"
+msgstr "geen overeenkomstige snaps geïnstalleerd"
+
+msgid "no such interface"
+msgstr "zulk een apparaat is er niet"
+
+msgid "no valid snaps given"
+msgstr "geen geldige snaps opgegeven"
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr "privé"
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr "reparaties zijn niet beschikbaar op een klassiek systeem"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr "snap %%q niet gevonden (althans revisie %q)"
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr "snap %%q niet gevonden (althans in kanaal %q)"
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr "snap %q heeft geen bijgewerkte pakketten beschikbaar"
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr "snap %q niet gevonden"
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr "snap is gratis"
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr "teveel argumenten: %s"
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr "niet beschikbaar"
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr "Pakketten installeren, bijwerken of verwijderen"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+"Authenticatie is vereist voor het installeren, bijwerken of verwijderen van "
+"pakketten"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Apparaten verbinden en loskoppelen"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
+"Authenticatie is vereist voor het verbinden of loskoppelen van apparaten"
diff -Nru snapd-2.32.3.2~14.04/po/oc.po snapd-2.37~rc1~14.04/po/oc.po
--- snapd-2.32.3.2~14.04/po/oc.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/oc.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Occitan (post 1500) translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-12-04 08:58+0000\n"
-"Last-Translator: Cédric VALMARY (Tot en òc) <cvalmary@yahoo.fr>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Occitan (post 1500) <oc@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr "%s suprimit\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s de « %s » installat\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s installat\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr "desactivat"
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr "tròp d'arguments : %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr "indisponible"
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/pl.po snapd-2.37~rc1~14.04/po/pl.po
--- snapd-2.32.3.2~14.04/po/pl.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/pl.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Polish translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Polish <pl@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/pt_BR.po snapd-2.37~rc1~14.04/po/pt_BR.po
--- snapd-2.32.3.2~14.04/po/pt_BR.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/pt_BR.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Brazilian Portuguese translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-09-04 11:48+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Brazilian Portuguese <pt_BR@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/pt.po snapd-2.37~rc1~14.04/po/pt.po
--- snapd-2.32.3.2~14.04/po/pt.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/pt.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Portuguese translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-04-04 18:47+0000\n"
-"Last-Translator: Ivo Xavier <ivoxavier.8@gmail.com>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Portuguese <pt@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr "%s removido\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr "%s revertido para %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr "%s%s %s a partir de '%s' instalado\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s instalado\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr "-r só pode ser usado com --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr "<ficheiro de asserção>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr "<tipo de asserção>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr "<change-id>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr "<conf value>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr "<email>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr "<nome do ficheiro>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr "<filtro de cabeçalho>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr "<nome-chave>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr "<chave>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr "<modelo-asserção>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr "<pesquisa>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr "<root-dir>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr "<snap>:<ficha>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr "<snap>:<entrada ou ficha>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr "<snap>:<entrada>"
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr "Abortar uma alteração pendente"
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr "Adiciona uma asserção ao sistema"
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr "O mesmo que --perigoso (OBSOLETO)"
 
 msgid "All snaps up to date."
 msgstr "Todos os snaps atualizados."
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr "Comando alternativo a executar"
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr "Um email de utilizador em login.ubuntu.com"
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr "Ficheiro de asserção"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr "Nome do tipo de asserção"
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr "Compra um snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr "Alterar ID"
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr "Valor de configuração (chave=valor)"
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr "Instala um snap no sistema"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr "Montar o snap %q%s"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr "Nome da chave a eliminar"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,14 +643,60 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr "Nome\tVersão\tRev\tProgramador\tNotas"
 
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
 msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 "Ainda sem snaps instalados. Experimente \"snap install hello-world\"."
 
-msgid "No snaps to auto-refresh found"
+msgid "Output results in JSON format"
 msgstr ""
 
-msgid "Output results in JSON format"
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
 msgstr ""
 
 msgid "Passphrase: "
@@ -572,6 +713,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -603,7 +747,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -731,6 +875,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -751,6 +898,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -758,6 +909,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -775,6 +934,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -815,15 +977,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr "Mostrar detalhes da versão"
 
@@ -839,12 +1011,16 @@
 msgid "Slot\tPlug"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Snap name"
 msgstr "Nome do snap"
 
-msgid "Snap\tService\tStartup\tCurrent"
-msgstr ""
-
 msgid ""
 "Sorry, your payment method has been declined by the issuer. Please review "
 "your\n"
@@ -926,23 +1102,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr "O snap a configurar (ex: hello-world)"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr "O snap cuja configuração está a ser pedida"
 
@@ -952,6 +1132,13 @@
 msgid "This command logs the current user out of the store"
 msgstr "Este comando termina a sessão do utilizador atual na loja"
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr "Ferramentas para interagir com snaps"
 
@@ -966,6 +1153,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr "Código dois-fatores: "
 
@@ -978,13 +1168,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr "Usar este canal em vez do 'stable'"
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr "À espera que o servidor reinicie"
 
@@ -1033,6 +1234,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1051,6 +1257,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1317,12 +1529,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1364,6 +1587,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1374,6 +1622,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1408,6 +1662,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1473,9 +1750,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1490,6 +1765,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1498,6 +1776,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1530,7 +1812,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1582,9 +1863,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1612,6 +1890,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1633,6 +1915,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1688,6 +1977,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1716,9 +2013,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1731,6 +2025,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1738,9 +2040,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1760,10 +2059,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1784,6 +2079,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1800,5 +2098,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/ro.po snapd-2.37~rc1~14.04/po/ro.po
--- snapd-2.32.3.2~14.04/po/ro.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ro.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Romanian translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Romanian <ro@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/ru.po snapd-2.37~rc1~14.04/po/ru.po
--- snapd-2.32.3.2~14.04/po/ru.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ru.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Russian translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-02-04 19:27+0000\n"
-"Last-Translator: Eugene Marshal <Unknown>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Russian <ru@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr "-r можно использовать только с --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr "Парольная фраза: "
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr "Выходной каталог"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr "не удалось получить данные для %q: %v"
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr "нельзя использовать --hook и --command вместе"
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1688,6 +1977,14 @@
 msgstr ""
 "недопустимое имя ключа %q; разрешены только буквы ASCII, цифры и дефисы"
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1716,9 +2013,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1731,6 +2025,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1738,9 +2040,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1760,10 +2059,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1784,6 +2079,9 @@
 msgid "too many arguments: %s"
 msgstr "слишком много аргументов: %s"
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1800,5 +2098,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/sq.po snapd-2.37~rc1~14.04/po/sq.po
--- snapd-2.32.3.2~14.04/po/sq.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/sq.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2131 @@
+# Albanian translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Albanian <sq@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+"%q nuk përmban një snap të hapur.\n"
+"\n"
+"Provo \"snapcraft prime\" në drejtorinë tënde të projektit, pastaj përsëri "
+"\"snap try\"."
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr "%s (delta)"
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr "U Shtua"
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr "Ndihmë"
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/sv.po snapd-2.37~rc1~14.04/po/sv.po
--- snapd-2.32.3.2~14.04/po/sv.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/sv.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Swedish translation for snapd
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-12-22 04:44+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Swedish <sv@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -23,168 +23,244 @@
 "\n"
 "Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
 msgstr ""
+"%q innehåller inte ett uppackat snap-paket.\n"
+"\n"
+"Testa \"snapcraft prime\" i din projektmapp, sedan \"snap try\" igen."
 
 #, c-format
 msgid "%q switched to the %q channel\n"
-msgstr ""
+msgstr "%q bytte till kanalen %q\n"
 
 #. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
 #, c-format
 msgid "%s %s mounted from %s\n"
-msgstr ""
+msgstr "%s %s monterades från %s\n"
 
 #, c-format
 msgid "%s (delta)"
-msgstr ""
+msgstr "%s (delta)"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (see \"snap login --help\")"
-msgstr ""
+msgstr "%s (se \"snap login --help\")"
 
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (try with sudo)"
-msgstr ""
+msgstr "%s (försök med sudo)"
 
 #, c-format
 msgid "%s already installed\n"
-msgstr ""
+msgstr "%s är redan installerad\n"
 
 #, c-format
 msgid "%s disabled\n"
-msgstr ""
+msgstr "%s inaktiverad\n"
 
 #, c-format
 msgid "%s enabled\n"
-msgstr ""
+msgstr "%s aktiverad\n"
 
 #, c-format
 msgid "%s not installed\n"
-msgstr ""
+msgstr "%s inte installerad\n"
 
 #, c-format
 msgid "%s removed\n"
-msgstr ""
+msgstr "%s borttagen\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
-msgstr ""
+msgstr "%s återställd till %s\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
-msgstr ""
+msgstr "%s%s %s från \"%s\" installerad\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
-msgstr ""
+msgstr "%s%s %s från \"%s\" uppdaterad\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
-msgstr ""
+msgstr "%s%s %s installerad\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
-msgstr ""
+msgstr "%s%s %s uppdaterad\n"
 
 msgid "--list does not take mode nor channel flags"
-msgstr ""
+msgstr "--list tar inte läges- eller kanalflaggor"
 
 msgid "--time does not take mode nor channel flags"
-msgstr ""
+msgstr "--time tar inte läges- eller kanalflaggor"
 
 msgid "-r can only be used with --hook"
-msgstr ""
+msgstr "-r kan bara användas med --hook"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
-msgstr ""
+msgstr "<alias-eller-snap>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
-msgstr ""
+msgstr "<alias>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
-msgstr ""
+msgstr "<assert-fil>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
-msgstr ""
+msgstr "<assert-typ>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
-msgstr ""
+msgstr "<ändra-id>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
-msgstr ""
+msgstr "<konf.värde>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
-msgstr ""
+msgstr "<epost>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
-msgstr ""
+msgstr "<filnamn>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
-msgstr ""
+msgstr "<rubrikfilter>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<gränssnitt>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr ""
+msgstr "<nyckelnamn>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
-msgstr ""
+msgstr "<nyckel>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
-msgstr ""
+msgstr "<modell-assert>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
-msgstr ""
+msgstr "<fråga>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
+msgstr "<root-kat>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
-msgstr ""
+msgstr "<snap>:<plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
-msgstr ""
+msgstr "<snap>:<slot eller plug>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
+msgstr "<snap>:<slot>"
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
 msgstr ""
 
 msgid "Abort a pending change"
-msgstr ""
+msgstr "Avbryt en väntande ändring"
 
 msgid "Added"
-msgstr ""
+msgstr "Tillagd"
 
 msgid "Adds an assertion to the system"
+msgstr "Lägger till en assert i systemet"
+
+msgid "Advise on available snaps."
 msgstr ""
 
-msgid "Alias for --dangerous (DEPRECATED)"
+msgid "Advise on snaps that provide the given command"
 msgstr ""
 
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr "Alias för --dangerous (FÖRÅLDRAD)"
+
 msgid "All snaps up to date."
+msgstr "Alla snap-paket uppdaterade."
+
+msgid "Allow opening file?"
 msgstr ""
 
-msgid "Alternative command to run"
+msgid "Allow refresh attempt on snap unknown to the store"
 msgstr ""
 
-msgid "Always return document, even with single key"
+msgid "Allow settings change?"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr "Alternativt kommando att köra"
+
+msgid "Always return document, even with single key"
+msgstr "Returnera alltid dokument, även med enstaka nyckel"
+
+msgid "Always return list, even with single key"
+msgstr "Returnera alltid lista, även med enstaka nyckel"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
+msgstr "En e-postadress för en användare på login.ubuntu.com"
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
 msgstr ""
 
-msgid "Assertion file"
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr "Assert-fil"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
-msgstr ""
+msgstr "Assert-typnamn"
 
 msgid "Authenticates on snapd and the store"
-msgstr ""
+msgstr "Autentiseras på snapd och butiken"
 
 #, c-format
 msgid "Auto-refresh %d snaps"
@@ -199,32 +275,32 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
-msgid "Bad code. Try again: "
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
+msgid "Bad code. Try again: "
+msgstr "Felaktig kod. Försök igen: "
+
 msgid "Buys a snap"
-msgstr ""
+msgstr "Köper en snap"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
-msgstr ""
+msgstr "Ändra ID"
 
 msgid "Changes configuration options"
-msgstr ""
-
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
+msgstr "Ändrar konfigurationsalternativ"
 
 msgid "Command\tAlias\tNotes"
-msgstr ""
+msgstr "Kommando\tAlias\tAnteckningar"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
-msgstr ""
+msgstr "Konfigurationsvärde (nyckel=värde)"
 
 msgid "Confirm passphrase: "
-msgstr ""
+msgstr "Bekräfta lösenfras: "
 
 #, c-format
 msgid "Connect %s:%s to %s:%s"
@@ -233,14 +309,16 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
-msgstr ""
+msgstr "Begränsa lista till en specifik snap eller snapp:namn"
 
 msgid "Constrain listing to specific interfaces"
-msgstr ""
+msgstr "Begränsa lista till specifika gränssnitt"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
-msgstr ""
+msgstr "Begränsa lista till de som matchar rubrik=värde"
 
 #, c-format
 msgid "Copy snap %q data"
@@ -249,28 +327,29 @@
 msgid ""
 "Create a cryptographic key pair that can be used for signing assertions."
 msgstr ""
+"Skapa ett kryptografiskt nyckelpar som kan användas för att signera asserts."
 
 msgid "Create cryptographic key pair"
-msgstr ""
+msgstr "Skapa kryptografiskt nyckelpar"
 
 msgid "Create snap build assertion"
-msgstr ""
+msgstr "Skapa snap-bygges-assert"
 
 msgid "Create snap-build assertion for the provided snap file."
-msgstr ""
+msgstr "Skapa snap-bygges-assert för den givna snap-filen."
 
 msgid "Creates a local system user"
-msgstr ""
+msgstr "Skapar en lokal systemanvändare"
 
 msgid "Delete cryptographic key pair"
-msgstr ""
+msgstr "Radera kryptografiskt nyckelpar"
 
 msgid "Delete the local cryptographic key pair with the given name."
-msgstr ""
+msgstr "Radera det lokala kryptografiska nyckelparet med det givna namnet."
 
 #, c-format
 msgid "Disable %q snap"
-msgstr ""
+msgstr "Inaktivera %q-snap"
 
 #, c-format
 msgid "Disable aliases for snap %q"
@@ -278,10 +357,10 @@
 
 #, c-format
 msgid "Disable all aliases for snap %q"
-msgstr ""
+msgstr "Avaktiverar alla alias för snap %q"
 
 msgid "Disables a snap in the system"
-msgstr ""
+msgstr "Avaktiverar en snapp i systemet"
 
 #, c-format
 msgid "Discard interface connections for snap %q (%s)"
@@ -295,7 +374,7 @@
 msgstr ""
 
 msgid "Do not wait for the operation to finish but just print the change id."
-msgstr ""
+msgstr "Vänta inte på att åtgärden ska slutföras, skriv bara ut ändrat ID."
 
 #, c-format
 msgid "Download snap %q%s from channel %q"
@@ -305,29 +384,33 @@
 "Download the given revision of a snap, to which you must have developer "
 "access"
 msgstr ""
+"Hämta den givna revisionen av en snap, för vilket du behöver utvecklaråtkomst"
 
 msgid "Downloads the given snap"
-msgstr ""
+msgstr "Hämtar angiven snap"
 
 msgid "Email address: "
-msgstr ""
+msgstr "E-postadress: "
 
 #, c-format
 msgid "Enable %q snap"
-msgstr ""
+msgstr "Aktivera %q-snap"
 
 msgid "Enables a snap in the system"
-msgstr ""
+msgstr "Aktiverar en snapp i systemet"
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
 msgstr ""
+"Exportera en öppen nyckel assert-nyttolast som kan importeras av andra "
+"system."
 
 msgid "Export cryptographic public key"
-msgstr ""
+msgstr "Exportera kryptografisk öppen nyckel"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
@@ -335,58 +418,64 @@
 
 #, c-format
 msgid "Fetching assertions for %q\n"
-msgstr ""
+msgstr "Hämtar asserts för %q\n"
 
 #, c-format
 msgid "Fetching snap %q\n"
-msgstr ""
+msgstr "Hämtar snap %q\n"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
-msgstr ""
+msgstr "Filnamn för snap du vill försäkra ett bygge för"
 
 msgid "Finds packages to install"
-msgstr ""
+msgstr "Söker efter paket att installera"
 
 msgid "Force adding the user, even if the device is already managed"
-msgstr ""
+msgstr "Tvinga tillägg av användare, även om enheten redan hanteras"
 
 msgid "Force import on classic systems"
-msgstr ""
+msgstr "Tvinga import på klassiska system"
 
 msgid ""
 "Format public key material as a request for an account-key for this account-"
 "id"
 msgstr ""
+"Formatera öppet nyckelmaterial som en begäran för en kontonyckel för detta "
+"konto-ID"
 
 msgid "Generate device key"
 msgstr ""
 
 msgid "Generate the manpage"
-msgstr ""
+msgstr "Generera manualsidan"
 
 msgid "Grade states the build quality of the snap (defaults to 'stable')"
 msgstr ""
 
 msgid "Grant sudo access to the created user"
-msgstr ""
+msgstr "Bevilja sudo-åtkomst för den skapade användaren"
 
 msgid "Help"
 msgstr ""
 
 msgid "Hook to run"
-msgstr ""
+msgstr "Krok att köra"
 
 msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
 msgstr ""
 
 msgid "Identifier of the signer"
-msgstr ""
+msgstr "Signerarens identifierare"
 
 msgid "Identifier of the snap package associated with the build"
+msgstr "Identifierare för snap-paket associerat med bygge"
+
+msgid "If the service has a reload command, use it instead of restarting."
 msgstr ""
 
 msgid "Ignore validation by other snaps blocking the refresh"
-msgstr ""
+msgstr "Ignorera validering av andra snap-paket som blockerar uppdatering"
 
 #, c-format
 msgid ""
@@ -395,104 +484,129 @@
 "\n"
 "Once completed, return here and run 'snap buy %s' again."
 msgstr ""
+"För att köpa %q, måste du godkänna de senaste villkoren. Gå till "
+"https://my.ubuntu.com/payment/edit för att göra detta.\n"
+"\n"
+"När du är färdig, kom tillbaka hit och kör \"snap buy %s\" igen."
 
 msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
 msgstr ""
+"Inkludera en utförlig lista över ett snap-pakets anteckningar (annars "
+"sammanfattas anteckningar)"
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Inkludera gränssnitt som inte används"
 
 msgid "Initialize device"
 msgstr ""
 
 msgid "Inspects devices for actionable information"
-msgstr ""
+msgstr "Inspekterar enheter för användbar information"
 
 #, c-format
 msgid "Install %q snap"
-msgstr ""
+msgstr "Installera snap-paketet %q"
 
 #, c-format
 msgid "Install %q snap from %q channel"
-msgstr ""
+msgstr "Installera snap %q från kanalen %q"
 
 #, c-format
 msgid "Install %q snap from file"
-msgstr ""
+msgstr "Installera snap  %q från fil"
 
 #, c-format
 msgid "Install %q snap from file %q"
-msgstr ""
+msgstr "Installera snap %q från fil %q"
 
 msgid "Install from the beta channel"
-msgstr ""
+msgstr "Installera från betakanalen"
 
 msgid "Install from the candidate channel"
-msgstr ""
+msgstr "Installera från kandidatkanalen"
 
 msgid "Install from the edge channel"
-msgstr ""
+msgstr "Installera från spetskanalen"
 
 msgid "Install from the stable channel"
-msgstr ""
+msgstr "Installera från stabila kanalen"
 
 #, c-format
 msgid "Install snap %q"
-msgstr ""
+msgstr "Installera snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Install snaps %s"
-msgstr ""
+msgstr "Installera snap-paket %s"
 
 msgid ""
 "Install the given revision of a snap, to which you must have developer access"
 msgstr ""
+"Installera den givna revisionen av en snap, för vilket du behöver ha "
+"utvecklaråtkomst"
 
 msgid ""
 "Install the given snap file even if there are no pre-acknowledged signatures "
 "for it, meaning it was not verified and could be dangerous (--devmode "
 "implies this)"
 msgstr ""
+"Installera den givna snap-filen även om det inte finns några tidigare kända "
+"signaturer för den, vilket innebär att den inte verifierades och kan vara "
+"farlig (--devmode antar detta)"
 
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
+"Installera det givna snap-paketet utan att aktivera dess automatiska alias"
 
-msgid "Installs a snap to the system"
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
 msgstr ""
 
+msgid "Installs a snap to the system"
+msgstr "Installerar en snap i systemet"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
-msgstr ""
+msgstr "Nyckel av intresse bland konfigurationen"
 
 msgid "List a change's tasks"
-msgstr ""
+msgstr "Lista en ändrings uppgifter"
 
 msgid "List cryptographic keys"
-msgstr ""
+msgstr "Lista kryptografiska nycklar"
 
 msgid "List cryptographic keys that can be used for signing assertions."
 msgstr ""
+"Lista kryptografiska nycklar som kan användas för att signera försäkran."
 
 msgid "List installed snaps"
-msgstr ""
+msgstr "Lista installerade snap-paket"
 
 msgid "List system changes"
-msgstr ""
+msgstr "Lista systemändringar"
 
 msgid "Lists aliases in the system"
-msgstr ""
+msgstr "Lista alias i systemet"
+
+msgid "Lists all repairs"
+msgstr "Lista alla reparationer"
 
 msgid "Lists interfaces in the system"
-msgstr ""
+msgstr "Lista gränssnitt i systemet"
 
 msgid "Lists snap interfaces"
-msgstr ""
+msgstr "Lista snap-gränssnitt"
 
 msgid "Log out of the store"
-msgstr ""
+msgstr "Logga ut från butiken"
 
 msgid "Login successful"
-msgstr ""
+msgstr "Inloggning lyckades"
 
 #, c-format
 msgid "Make current revision for snap %q unavailable"
@@ -521,48 +635,99 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
-msgstr ""
+msgstr "Nyckelnamn att skapa; förval är \"default\""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
-msgstr ""
+msgstr "Nyckelnamn att radera"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
-msgstr ""
+msgstr "Nyckelnamn att exportera"
 
 msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
 msgstr ""
+"Namnet som GnuPG-nyckeln ska använda (förvalt nyckelnamn är \"default\")"
 
 msgid "Name of the key to use, otherwise use the default key"
-msgstr ""
+msgstr "Nyckelnamn att använda, annars används förvald nyckel"
 
 msgid "Name\tSHA3-384"
-msgstr ""
+msgstr "Namn\tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Namn\tSammanfattning"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
-msgstr ""
+msgstr "Namn\tVersion\tUtvecklare\tAnteckningar\tSammanfattning"
 
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr "Namn\tVersion\tRev\tUtvecklare\tAnteckningar"
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
 msgstr ""
 
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+"Inga snap-paket har installerats än. Testa \"snap install hello-world\"."
+
 msgid "Output results in JSON format"
+msgstr "Utdata resulterar i JSON-format"
+
+msgid "Pack the given target dir as a snap"
 msgstr ""
 
-msgid "Passphrase: "
+#, c-format
+msgid "Packages matching %q:\n"
 msgstr ""
 
+msgid "Passphrase: "
+msgstr "Lösenfras: "
+
 #, c-format
 msgid "Password of %q: "
-msgstr ""
+msgstr "Lösenord för %q: "
 
 #. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
 #, c-format
@@ -570,232 +735,257 @@
 "Please re-enter your Ubuntu One password to purchase %q from %q\n"
 "for %s. Press ctrl-c to cancel."
 msgstr ""
+"Ange ditt Ubuntu One-lösenord igen för att köpa %q från %q\n"
+"för %s. Tryck ctrl-C för att avbryta."
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
 
 #, c-format
 msgid "Prefer aliases for snap %q"
-msgstr ""
+msgstr "Föredra alias för snap %q"
 
 msgid "Prefer aliases from a snap and disable conflicts"
-msgstr ""
+msgstr "Föredra alias från en snap och inaktivera konflikter"
 
 #, c-format
 msgid "Prefer aliases of snap %q"
-msgstr ""
+msgstr "Föredra alias för snap %q"
 
 msgid "Prepare a snappy image"
-msgstr ""
+msgstr "Förbered en snappy-avbild"
 
 #, c-format
 msgid "Prepare snap %q (%s)"
-msgstr ""
+msgstr "Förbered snap %q (%s)"
 
 #, c-format
 msgid "Prepare snap %q%s"
-msgstr ""
+msgstr "Förbered snap %q%s"
 
 msgid "Print the version and exit"
-msgstr ""
+msgstr "Skriv ut version och avsluta"
 
 msgid "Prints configuration options"
-msgstr ""
+msgstr "Skriver ut konfigurationsalternativ"
 
 msgid "Prints the confinement mode the system operates in"
-msgstr ""
+msgstr "Skriver ut vilket inneslutningsläge systemet arbetar i"
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
-msgstr ""
+msgstr "Skriver ut huruvida systemet är hanterat"
 
 #, c-format
 msgid "Prune automatic aliases for snap %q"
-msgstr ""
+msgstr "Städa upp automatiska alias för snap %q"
 
 msgid "Put snap in classic mode and disable security confinement"
-msgstr ""
+msgstr "Sätt snap i klassiskt läge och inaktivera säkerhetsinneslutning"
 
 msgid "Put snap in development mode and disable security confinement"
-msgstr ""
+msgstr "Sätt snap i utvecklarläge och inaktivera säkerhetsinneslutning"
 
 msgid "Put snap in enforced confinement mode"
-msgstr ""
+msgstr "Sätt snap i bevakat inneslutningsläge"
 
 msgid "Query the status of services"
-msgstr ""
+msgstr "Undersök status för tjänster"
 
 #, c-format
 msgid "Refresh %q snap"
-msgstr ""
+msgstr "Förnya snap %q"
 
 #, c-format
 msgid "Refresh %q snap from %q channel"
-msgstr ""
+msgstr "Förnya snap %q från kanalen %q"
 
 #, c-format
 msgid "Refresh aliases for snap %q"
-msgstr ""
+msgstr "Förnya alias för snap %q"
 
 msgid "Refresh all snaps: no updates"
-msgstr ""
+msgstr "Förnya alla snappar: inga uppdateringar"
 
 #, c-format
 msgid "Refresh snap %q"
-msgstr ""
+msgstr "Förnya snapp %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s"
-msgstr ""
+msgstr "Uppdatera snappar %s"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Refresh snaps %s: no updates"
-msgstr ""
+msgstr "Förnya snappar %s: inga uppdateringar"
 
 msgid "Refresh to the given revision"
-msgstr ""
+msgstr "Uppdatera den givna revisionen"
 
 msgid "Refreshes a snap in the system"
-msgstr ""
+msgstr "Uppdaterar en snap i systemet"
 
 #, c-format
 msgid "Remove %q snap"
-msgstr ""
+msgstr "Ta bort snap %q"
 
 #, c-format
 msgid "Remove aliases for snap %q"
-msgstr ""
+msgstr "Ta bort alias för snap %q"
 
 #, c-format
 msgid "Remove data for snap %q (%s)"
-msgstr ""
+msgstr "Ta bort data för snap %q (%s)"
 
 #, c-format
 msgid "Remove manual alias %q for snap %q"
-msgstr ""
+msgstr "Ta bort manuellt alias %q för snap %q"
 
 msgid "Remove only the given revision"
-msgstr ""
+msgstr "Ta endast bort den angivna revisionen"
 
 #, c-format
 msgid "Remove security profile for snap %q (%s)"
-msgstr ""
+msgstr "Ta bort säkerhetsprofil för snap %q (%s)"
 
 #, c-format
 msgid "Remove security profiles of snap %q"
-msgstr ""
+msgstr "Ta bort säkerhetsprofiler för snap %q"
 
 #, c-format
 msgid "Remove snap %q"
-msgstr ""
+msgstr "Ta bort snap %q"
 
 #, c-format
 msgid "Remove snap %q (%s) from the system"
-msgstr ""
+msgstr "Ta bort snap %q (%s) från systemet"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Remove snaps %s"
-msgstr ""
+msgstr "Ta bort snapp-paketen %s"
 
 msgid "Removed"
-msgstr ""
+msgstr "Borttagen"
 
 msgid "Removes a snap from the system"
-msgstr ""
+msgstr "Tar bort en snap från systemet"
 
 msgid "Request device serial"
-msgstr ""
+msgstr "Begär enhetens serienummer"
 
 msgid "Restart services"
-msgstr ""
+msgstr "Starta om tjänster"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Omstartad.\n"
 
 msgid "Restrict the search to a given section"
-msgstr ""
+msgstr "Begränsa sökningen till ett givet avsnitt"
 
 msgid "Retrieve logs of services"
-msgstr ""
+msgstr "Hämta logg för tjänster"
 
 #, c-format
 msgid "Revert %q snap"
-msgstr ""
+msgstr "Rulla tillbaka snap %q"
 
 msgid "Reverts the given snap to the previous state"
-msgstr ""
+msgstr "Rulla tillbaka det givna snap-paketet till föregående tillstånd"
 
 msgid "Run a shell instead of the command (useful for debugging)"
+msgstr "Kör ett skal istället för kommandot (hjälper vid felsökning)"
+
+msgid "Run as a timer service with given schedule"
 msgstr ""
 
 #, c-format
 msgid "Run configure hook of %q snap"
-msgstr ""
+msgstr "Kör konfigureringskrok för snap %q"
 
 #, c-format
 msgid "Run configure hook of %q snap if present"
-msgstr ""
+msgstr "Kör konfigureringskrok för snap %q om den finns"
 
 #, c-format
 msgid "Run hook %s of snap %q"
-msgstr ""
+msgstr "Kör krok %s för snap %q"
 
 #, c-format
 msgid "Run install hook of %q snap if present"
-msgstr ""
+msgstr "Kör installeringskrok för snap %q om den finns"
 
 #, c-format
 msgid "Run post-refresh hook of %q snap if present"
+msgstr "Kör post-förnyelsekrok för snap %q om den finns"
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
 msgstr ""
 
 msgid "Run prepare-device hook"
-msgstr ""
+msgstr "Kör förbered-enhets-krok"
 
 #, c-format
 msgid "Run remove hook of %q snap if present"
+msgstr "Kör borttagningskrok för snap %q om den finns"
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
 msgstr ""
 
-msgid "Run the given snap command"
+msgid "Run the command with gdb"
 msgstr ""
 
+msgid "Run the given snap command"
+msgstr "Kör det givna snap-kommandot"
+
 msgid "Run the given snap command with the right confinement and environment"
-msgstr ""
+msgstr "Kör det givna snap-kommandot med korrekt inneslutning och miljö"
 
 msgid "Runs debug commands"
-msgstr ""
+msgstr "Kör felsökningskommandon"
 
 msgid "Search private snaps"
-msgstr ""
+msgstr "Sök privata snap-paket"
 
 msgid ""
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
+"Välj senaste ändring av given typ (installera, förnya, ta bort, testa, auto-"
+"förnya osv.)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
 
 #, c-format
 msgid "Set automatic aliases for snap %q"
-msgstr ""
+msgstr "Ange automatiska alias för snap %q"
 
 msgid "Sets up a manual alias"
-msgstr ""
+msgstr "Anger ett manuellt alias"
 
 #, c-format
 msgid "Setup alias %q => %q for snap %q"
-msgstr ""
+msgstr "Ställ in alias %q => %q för snap %q"
 
 #, c-format
 msgid "Setup manual alias %q => %q for snap %q"
-msgstr ""
+msgstr "Ställ in manuellt alias %q => %q för snap %q"
 
 #, c-format
 msgid "Setup snap %q (%s) security profiles"
-msgstr ""
+msgstr "Ställ in säkerhetsprofiler för snap %q (%s)"
 
 #, c-format
 msgid "Setup snap %q aliases"
-msgstr ""
+msgstr "Ställ in alias för snap %q"
 
 #, c-format
 msgid "Setup snap %q%s security profiles"
@@ -814,15 +1004,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1038,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1129,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1159,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1180,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1195,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1261,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1284,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1556,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1614,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1649,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1689,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1777,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1792,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1803,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1839,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1890,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1917,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1942,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +2004,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2040,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2052,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2067,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2086,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2106,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2125,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/th.po snapd-2.37~rc1~14.04/po/th.po
--- snapd-2.32.3.2~14.04/po/th.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/th.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Thai translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Thai <th@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr "%s กลับคืนเป็น %s แล้ว\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/tr.po snapd-2.37~rc1~14.04/po/tr.po
--- snapd-2.32.3.2~14.04/po/tr.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/tr.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 # Turkish translation for snapd
-# Copyright (c) 2017 Rosetta Contributors and Canonical Ltd 2017
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
 # This file is distributed under the same license as the snapd package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2017.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2017-03-11 18:21+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Turkish <tr@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -45,7 +45,7 @@
 #. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
 #, c-format
 msgid "%s (try with sudo)"
-msgstr ""
+msgstr "%s (sudo ile dene)"
 
 #, c-format
 msgid "%s already installed\n"
@@ -67,98 +67,140 @@
 msgid "%s removed\n"
 msgstr "%s kaldırıldı\n"
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr "%s%s %s kuruldu\n"
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
-msgstr ""
+msgstr "%s%s %s yenilendi\n"
 
 msgid "--list does not take mode nor channel flags"
-msgstr ""
+msgstr "--liste kipi veya kanal bayrakları almıyor"
 
 msgid "--time does not take mode nor channel flags"
-msgstr ""
+msgstr "--zaman kipi veya kanal bayrakları almıyor"
 
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
-msgstr ""
+msgstr "<takma ad>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
-msgstr ""
+msgstr "<onay dosyası>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
-msgstr ""
+msgstr "<onay türü>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
-msgstr ""
+msgstr "<ayar değeri>"
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
-msgstr ""
+msgstr "<e-posta>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
-msgstr ""
+msgstr "<dosya adı>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
-msgstr ""
+msgstr "<başlık süzgeci>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
-msgstr ""
+msgstr "<arayüz>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
-msgstr ""
+msgstr "<anahtar-adı>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
-msgstr ""
+msgstr "<anahtar>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
-msgstr ""
+msgstr "<sorgu>"
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
-msgid "Abort a pending change"
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
 msgstr ""
 
+msgid "Abort a pending change"
+msgstr "Bekleyen bir değişikliği iptal edin"
+
 msgid "Added"
-msgstr ""
+msgstr "Eklendi"
 
 msgid "Adds an assertion to the system"
+msgstr "Sistemde bir onaylama ekler"
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
 msgstr ""
 
 msgid "Alias for --dangerous (DEPRECATED)"
@@ -167,22 +209,53 @@
 msgid "All snaps up to date."
 msgstr ""
 
-msgid "Alternative command to run"
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
 msgstr ""
 
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr "Çalıştırmak için alternatif komut"
+
 msgid "Always return document, even with single key"
+msgstr "Tek anahtarla daima belgeyi geri getirin"
+
+msgid "Always return list, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
-msgid "Assertion file"
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
 msgstr ""
 
-msgid "Assertion type name"
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr "Onaylama dosyası"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr "Onaylama türü adı"
+
 msgid "Authenticates on snapd and the store"
 msgstr ""
 
@@ -192,34 +265,34 @@
 
 #, c-format
 msgid "Auto-refresh snap %q"
-msgstr ""
+msgstr "Otomatik yenile snap %q"
 
 #. TRANSLATORS: the %s is a comma-separated list of quoted snap names
 #, c-format
 msgid "Auto-refresh snaps %s"
+msgstr "Otomatik yenile snap %s"
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
 msgstr ""
 
 msgid "Bad code. Try again: "
-msgstr ""
+msgstr "Kötü kod. Tekrar deneyin: "
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
-msgstr ""
-
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
+msgstr "Yapılandırma seçeneklerini değiştirir"
 
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -228,17 +301,19 @@
 
 #, c-format
 msgid "Connect %s:%s to %s:%s"
-msgstr ""
+msgstr "Bağlan %s:%s to %s:%s"
 
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -249,9 +324,11 @@
 msgid ""
 "Create a cryptographic key pair that can be used for signing assertions."
 msgstr ""
+"Onayları imzalamak için kullanılabilecek bir şifreleme anahtarı çifti "
+"oluşturun."
 
 msgid "Create cryptographic key pair"
-msgstr ""
+msgstr "Şifreleme anahtarı çifti oluştur"
 
 msgid "Create snap build assertion"
 msgstr ""
@@ -260,13 +337,13 @@
 msgstr ""
 
 msgid "Creates a local system user"
-msgstr ""
+msgstr "Yerel bir sistem kullanıcısı oluşturur"
 
 msgid "Delete cryptographic key pair"
-msgstr ""
+msgstr "Şifreleme anahtarı çiftini sil"
 
 msgid "Delete the local cryptographic key pair with the given name."
-msgstr ""
+msgstr "Verilen adla yerel şifreleme anahtarı çiftini silin."
 
 #, c-format
 msgid "Disable %q snap"
@@ -305,12 +382,13 @@
 "Download the given revision of a snap, to which you must have developer "
 "access"
 msgstr ""
+"Geliştiriciye erişiminizin olması gereken belirli bir revizyonunu indirin"
 
 msgid "Downloads the given snap"
 msgstr ""
 
 msgid "Email address: "
-msgstr ""
+msgstr "E-posta adresiniz: "
 
 #, c-format
 msgid "Enable %q snap"
@@ -319,15 +397,17 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
 "Export a public key assertion body that may be imported by other systems."
 msgstr ""
+"Diğer sistemlerin içe aktarabileceği bir açık anahtar beyanını dışa aktarın."
 
 msgid "Export cryptographic public key"
-msgstr ""
+msgstr "Şifreleme genel anahtarı verme"
 
 #, c-format
 msgid "Fetch and check assertions for snap %q%s"
@@ -335,56 +415,62 @@
 
 #, c-format
 msgid "Fetching assertions for %q\n"
-msgstr ""
+msgstr "%q için onaylar getiriliyor\n"
 
 #, c-format
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
 msgid "Finds packages to install"
-msgstr ""
+msgstr "Yüklenecek paketleri bulur"
 
 msgid "Force adding the user, even if the device is already managed"
-msgstr ""
+msgstr "Cihaz zaten yönetilmiş olsa dahi kullanıcıyı zorla ekleme"
 
 msgid "Force import on classic systems"
-msgstr ""
+msgstr "Klasik sistemlerde içe aktarmayı zorla"
 
 msgid ""
 "Format public key material as a request for an account-key for this account-"
 "id"
 msgstr ""
+"Ortak anahtar malzemesini, bu hesap kimliği için bir hesap anahtarı için bir "
+"istek olarak biçimlendirin"
 
 msgid "Generate device key"
-msgstr ""
+msgstr "Aygıt anahtarı oluştur"
 
 msgid "Generate the manpage"
-msgstr ""
+msgstr "Man sayfasını oluştur"
 
 msgid "Grade states the build quality of the snap (defaults to 'stable')"
 msgstr ""
 
 msgid "Grant sudo access to the created user"
-msgstr ""
+msgstr "Oluşturulan kullanıcıya sudo erişimi verin"
 
 msgid "Help"
-msgstr ""
+msgstr "Yardım"
 
 msgid "Hook to run"
-msgstr ""
+msgstr "Koşmak için kanca"
 
 msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
 msgstr ""
 
 msgid "Identifier of the signer"
-msgstr ""
+msgstr "İmzacı belirleyici"
 
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -400,13 +486,13 @@
 msgstr ""
 
 msgid "Include unused interfaces"
-msgstr ""
+msgstr "Kullanılmayan arabirimleri dahil et"
 
 msgid "Initialize device"
-msgstr ""
+msgstr "Aygıtı başlat"
 
 msgid "Inspects devices for actionable information"
-msgstr ""
+msgstr "Aygıtları eyleme geçirilebilecek bilgiler için denetler."
 
 #, c-format
 msgid "Install %q snap"
@@ -425,16 +511,16 @@
 msgstr ""
 
 msgid "Install from the beta channel"
-msgstr ""
+msgstr "Beta kanalından yükle"
 
 msgid "Install from the candidate channel"
-msgstr ""
+msgstr "Aday kanalından yükle"
 
 msgid "Install from the edge channel"
 msgstr ""
 
 msgid "Install from the stable channel"
-msgstr ""
+msgstr "Kararlı kanaldan yükleme"
 
 #, c-format
 msgid "Install snap %q"
@@ -458,41 +544,54 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
 msgid "List a change's tasks"
-msgstr ""
+msgstr "Değişikliğin görevlerini listele"
 
 msgid "List cryptographic keys"
-msgstr ""
+msgstr "Şifreleme anahtarlarını listele"
 
 msgid "List cryptographic keys that can be used for signing assertions."
 msgstr ""
+"Onayları imzalamak için kullanılabilecek şifreleme anahtarlarının listesi."
 
 msgid "List installed snaps"
 msgstr ""
 
 msgid "List system changes"
-msgstr ""
+msgstr "Sistem değişikliklerini listele"
 
 msgid "Lists aliases in the system"
+msgstr "Sistemdeki takma adları listeler"
+
+msgid "Lists all repairs"
 msgstr ""
 
 msgid "Lists interfaces in the system"
-msgstr ""
+msgstr "Sistemdeki arabirimleri listeler"
 
 msgid "Lists snap interfaces"
 msgstr ""
 
 msgid "Log out of the store"
-msgstr ""
+msgstr "Mağazadan çıkın"
 
 msgid "Login successful"
-msgstr ""
+msgstr "Giriş başarılı"
 
 #, c-format
 msgid "Make current revision for snap %q unavailable"
@@ -515,18 +614,21 @@
 msgstr ""
 
 msgid "Mark system seeded"
-msgstr ""
+msgstr "İşaretlenmiş sistem işaretle"
 
 #, c-format
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
-msgstr ""
+msgstr "Silinecek anahtarın adı"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -534,13 +636,13 @@
 msgstr ""
 
 msgid "Name of the key to use, otherwise use the default key"
-msgstr ""
+msgstr "Kullanılacak anahtarın adı, aksi takdirde varsayılan tuşu kullanın"
 
 msgid "Name\tSHA3-384"
-msgstr ""
+msgstr "Ad \tSHA3-384"
 
 msgid "Name\tSummary"
-msgstr ""
+msgstr "Ad \tÖzet"
 
 msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
 msgstr ""
@@ -548,18 +650,64 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
+msgstr "Çıktı sonuçları JSON formatında"
+
+msgid "Pack the given target dir as a snap"
 msgstr ""
 
-msgid "Passphrase: "
+#, c-format
+msgid "Packages matching %q:\n"
 msgstr ""
 
+msgid "Passphrase: "
+msgstr "Parola: "
+
 #, c-format
 msgid "Password of %q: "
 msgstr ""
@@ -571,6 +719,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -597,32 +748,32 @@
 msgstr ""
 
 msgid "Prints configuration options"
-msgstr ""
+msgstr "Yapılandırma seçeneklerini yazdırır"
 
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
-msgstr ""
+msgstr "Sistemin yönetilip yönetilmediğini yazdırır"
 
 #, c-format
 msgid "Prune automatic aliases for snap %q"
 msgstr ""
 
 msgid "Put snap in classic mode and disable security confinement"
-msgstr ""
+msgstr "Klasik kipe geçin ve güvenlik sınırlamasını devre dışı bırakın"
 
 msgid "Put snap in development mode and disable security confinement"
-msgstr ""
+msgstr "Grliştirme kipine geçin ve güvenlik sınırlamasını devre dışı bırakın"
 
 msgid "Put snap in enforced confinement mode"
 msgstr ""
 
 msgid "Query the status of services"
-msgstr ""
+msgstr "Hizmetlerin durumunu sorgulayın"
 
 #, c-format
 msgid "Refresh %q snap"
@@ -654,7 +805,7 @@
 msgstr ""
 
 msgid "Refresh to the given revision"
-msgstr ""
+msgstr "Verilen revizyona yenileyin"
 
 msgid "Refreshes a snap in the system"
 msgstr ""
@@ -700,25 +851,25 @@
 msgstr ""
 
 msgid "Removed"
-msgstr ""
+msgstr "Kaldırıldı"
 
 msgid "Removes a snap from the system"
 msgstr ""
 
 msgid "Request device serial"
-msgstr ""
+msgstr "Cihaz serisi iste"
 
 msgid "Restart services"
-msgstr ""
+msgstr "Servisleri Yeniden Başlat"
 
 msgid "Restarted.\n"
-msgstr ""
+msgstr "Yeniden Başlatıldı.\n"
 
 msgid "Restrict the search to a given section"
-msgstr ""
+msgstr "Aramayı belirli bir bölüme sınırla"
 
 msgid "Retrieve logs of services"
-msgstr ""
+msgstr "Servis kayıtlarını geri al"
 
 #, c-format
 msgid "Revert %q snap"
@@ -728,6 +879,9 @@
 msgstr ""
 
 msgid "Run a shell instead of the command (useful for debugging)"
+msgstr "Komut yerine bir kabuk çalıştırın (hata ayıklama için kullanışlıdır)"
+
+msgid "Run as a timer service with given schedule"
 msgstr ""
 
 #, c-format
@@ -750,6 +904,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +915,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -764,7 +930,7 @@
 msgstr ""
 
 msgid "Runs debug commands"
-msgstr ""
+msgstr "Hata ayıklama komutlarını çalıştırır"
 
 msgid "Search private snaps"
 msgstr ""
@@ -773,13 +939,18 @@
 "Select last change of given type (install, refresh, remove, try, auto-"
 "refresh etc.)"
 msgstr ""
+"Verilen türdeki son değişikliği seçin (yükleme, yenileme, kaldırma, otomatik "
+"yenile deneyin vb.)"
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
 
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
 
 msgid "Sets up a manual alias"
-msgstr ""
+msgstr "Elle takma ad oluşturur"
 
 #, c-format
 msgid "Setup alias %q => %q for snap %q"
@@ -806,25 +977,36 @@
 msgstr ""
 
 msgid "Show all revisions"
-msgstr ""
+msgstr "Tüm revizyonları göster"
 
 msgid "Show auto refresh information but do not perform a refresh"
 msgstr ""
+"Otomatik yenileme bilgilerini göster ancak yenileme işlemini gerçekleştirme"
 
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
-msgid "Show details of a specific interface"
+msgid "Show detailed information about a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Belirli bir arabirimin ayrıntılarını göster"
+
 msgid "Show interface attributes"
+msgstr "Arayüz özelliklerini göster"
+
+msgid "Show only the given number of lines, or 'all'."
 msgstr ""
 
 msgid "Shows known assertions of the provided type"
+msgstr "Sağlanan tipin bilinen iddialarını gösterir"
+
+msgid "Shows specific repairs"
 msgstr ""
 
 msgid "Shows version details"
-msgstr ""
+msgstr "Sürüm ayrıntılarını gösterir"
 
 msgid "Sign an assertion"
 msgstr ""
@@ -834,14 +1016,21 @@
 "a JSON mapping provided through stdin, the body of the assertion can be "
 "specified through a \"body\" pseudo-header.\n"
 msgstr ""
+"Belirtilen anahtarı kullanarak bir onaylama imzalayın, bir JSON "
+"eşleştirmesinden üstbilgiler için girdiyi kullanarak stdin aracılığıyla "
+"sağlanan, onaylama gövdesi \"gövde\" sözde üstbilgiyle belirtilebilir.\n"
 
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -851,7 +1040,7 @@
 msgstr ""
 
 msgid "Start services"
-msgstr ""
+msgstr "Servisleri Başlat"
 
 #, c-format
 msgid "Start snap %q (%s) services"
@@ -865,16 +1054,16 @@
 msgstr ""
 
 msgid "Start the userd service"
-msgstr ""
+msgstr "Kullanıcı servisini başlat"
 
 msgid "Started.\n"
-msgstr ""
+msgstr "Başlatıldı.\n"
 
 msgid "Status\tSpawn\tReady\tSummary\n"
 msgstr ""
 
 msgid "Stop services"
-msgstr ""
+msgstr "Servisleri Durdur"
 
 #, c-format
 msgid "Stop snap %q (%s) services"
@@ -888,10 +1077,10 @@
 msgstr ""
 
 msgid "Stopped.\n"
-msgstr ""
+msgstr "Durduruldu.\n"
 
 msgid "Strict typing with nulls and quoted strings"
-msgstr ""
+msgstr "Boşluklar ve tırnak işaretli dizgilerle sıkı yazma"
 
 #, c-format
 msgid "Switch %q snap to %s"
@@ -909,7 +1098,7 @@
 msgstr ""
 
 msgid "Temporarily mount device before inspecting"
-msgstr ""
+msgstr "İncelemeden önce geçici olarak cihaz bağlayın"
 
 msgid "Tests a snap in the system"
 msgstr ""
@@ -923,25 +1112,29 @@
 
 msgid ""
 "The get command prints configuration and interface connection settings."
-msgstr ""
+msgstr "Get komutu yapılandırma ve arabirim bağlantı ayarlarını yazdırır."
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
-msgstr ""
+msgstr "Model onaylama adı"
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
-msgstr ""
+msgstr "Çıktı dizini"
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -949,6 +1142,13 @@
 msgstr ""
 
 msgid "This command logs the current user out of the store"
+msgstr "Bu komut, geçerli kullanıcıyı mağazanın dışına çıkarır"
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
 msgstr ""
 
 msgid "Tool to interact with snaps"
@@ -956,15 +1156,18 @@
 
 #, c-format
 msgid "Transition security profiles from %q to %q"
-msgstr ""
+msgstr "Geçiş güvenlik profilleri %q'dan %q'ya"
 
 msgid "Transition ubuntu-core to core"
-msgstr ""
+msgstr "Çekirdekten ubuntu-çekirdeğe geçiş"
 
 #, c-format
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,18 +1180,29 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
+msgstr "Bu kanalı kararlı yerine kullanın"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
 msgstr ""
 
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
+msgstr "UYARI: günlüğe kaydetmeyi etkinleştirmek başarısız: %v\n"
+
+msgid "Wait for new lines and print them as they come in."
 msgstr ""
 
 msgid "Waiting for server to restart"
-msgstr ""
+msgstr "Sunucunun yeniden başlatılmasını bekleme"
 
 msgid "Watch a change in progress"
-msgstr ""
+msgstr "Devam eden bir değişikliği izleyin"
 
 msgid "Wrong again. Once more: "
 msgstr ""
@@ -1004,6 +1218,8 @@
 "You need to be logged in to purchase software. Please run 'snap login' and "
 "try again."
 msgstr ""
+"Yazılım satın almak için giriş yapmanız gerekmektedir. Lütfen 'snap login' "
+"çalıştırıp tekrar deneyin."
 
 #, c-format
 msgid ""
@@ -1032,6 +1248,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1271,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1543,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1601,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1636,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1676,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1764,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1487,6 +1777,9 @@
 msgstr ""
 
 msgid "active"
+msgstr "etkin"
+
+msgid "auto-refresh: all snaps are up-to-date"
 msgstr ""
 
 msgid "bought"
@@ -1494,6 +1787,10 @@
 
 #. TRANSLATORS: if possible, a single short word
 msgid "broken"
+msgstr "bozuk paket"
+
+#, c-format
+msgid "cannot %s without a context"
 msgstr ""
 
 #, c-format
@@ -1529,7 +1826,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1541,28 +1837,28 @@
 
 #, c-format
 msgid "cannot get the current user: %s"
-msgstr ""
+msgstr "şu anki kullanıcıyı alınamıyor: %s"
 
 #, c-format
 msgid "cannot get the current user: %v"
-msgstr ""
+msgstr "geçerli kullanıcıyı alınamıyor:% v"
 
 #, c-format
 msgid "cannot mark boot successful: %s"
-msgstr ""
+msgstr "önyükleme başarıyla işaretlenemiyor: %s"
 
 #, c-format
 msgid "cannot open the assertions database: %v"
-msgstr ""
+msgstr "onaylama veritabanı açılamıyor: %v"
 
 #, c-format
 msgid "cannot read assertion input: %v"
-msgstr ""
+msgstr "onaylama girdisi okunamıyor: %v"
 
 #. TRANSLATORS: %v the error message
 #, c-format
 msgid "cannot read symlink: %v"
-msgstr ""
+msgstr "sembolik bağlantısı okunamıyor: %v"
 
 #, c-format
 msgid "cannot resolve snap app %q: %v"
@@ -1570,29 +1866,26 @@
 
 #, c-format
 msgid "cannot sign assertion: %v"
-msgstr ""
+msgstr "onaylama işaretini imzalayamıyorum: %v"
 
 #, c-format
 msgid "cannot update the 'current' symlink of %q: %v"
-msgstr ""
+msgstr "%q'nun 'geçerli' sembolik bağını güncellemiyor: %v"
 
 #. TRANSLATORS: %q is the key name, %v the error message
 #, c-format
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
 msgid "cannot use devmode and jailmode flags together"
-msgstr ""
+msgstr "devmode ve jailmode bayrakları birlikte kullanılamaz"
 
 #, c-format
 msgid "cannot validate owner of file %s"
-msgstr ""
+msgstr "%s dosyası sahibini doğrulayamıyor"
 
 #, c-format
 msgid "cannot write new Xauthority file at %s: %s"
@@ -1609,21 +1902,25 @@
 
 #, c-format
 msgid "created user %q\n"
+msgstr "kullanıcı %q oluşturdu\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
-msgstr ""
+msgstr "devre dışı"
 
 msgid "email:"
 msgstr ""
 
 msgid "enabled"
-msgstr ""
+msgstr "etkinleştirildi"
 
 #, c-format
 msgid "error: %v\n"
-msgstr ""
+msgstr "hata: %v\n"
 
 msgid ""
 "error: the `<snap-dir>` argument was not provided and couldn't be inferred"
@@ -1632,9 +1929,16 @@
 msgid "get which option?"
 msgstr ""
 
-msgid "inactive"
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
 msgstr ""
 
+msgid "inactive"
+msgstr "aktif değil"
+
 msgid ""
 "interface attributes can only be read during the execution of interface hooks"
 msgstr ""
@@ -1648,14 +1952,14 @@
 msgstr ""
 
 msgid "internal error: cannot find attrs task"
-msgstr ""
+msgstr "dahili hata: görev attık görev bulunamıyor"
 
 msgid "internal error: cannot find plug or slot data in the appropriate task"
-msgstr ""
+msgstr "dahili hata: ilgili görevde bir eklenti veya yuva veri bulunamıyor"
 
 #, c-format
 msgid "internal error: cannot get %s from appropriate task"
-msgstr ""
+msgstr "dahili hata: %s ilgili görevden alınamıyor"
 
 msgid ""
 "invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
@@ -1687,49 +1991,62 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
 msgid "need the application to run as argument"
-msgstr ""
+msgstr "argüman olarak çalıştırmak için uygulamanın olması gerekir"
 
 msgid "no changes found"
-msgstr ""
+msgstr "değişiklik bulunamadı"
 
 #, c-format
 msgid "no changes of type %q found"
-msgstr ""
+msgstr "%q türü değişiklikleri bulunamadı"
 
 msgid "no interfaces currently connected"
-msgstr ""
+msgstr "şu anda bağlı herhangi bir parazit yok"
 
 msgid "no interfaces found"
-msgstr ""
+msgstr "arabirim bulunamadı"
 
 msgid "no matching snaps installed"
 msgstr ""
 
 msgid "no such interface"
-msgstr ""
+msgstr "böyle bir arayüz yok"
 
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
 #. TRANSLATORS: if possible, a single short word
 msgid "private"
-msgstr ""
+msgstr "özel"
 
 msgid ""
 "reboot scheduled to update the system - temporarily cancel with 'sudo "
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2054,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2073,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,12 +2093,15 @@
 msgid "too many arguments: %s"
 msgstr ""
 
-msgid "unavailable"
+msgid "unable to contact snap store"
 msgstr ""
 
+msgid "unavailable"
+msgstr "mevcut değil"
+
 #, c-format
 msgid "unknown attribute %q"
-msgstr ""
+msgstr "bilinmeyen öznitelik %q"
 
 #, c-format
 msgid "unknown command %q, see \"snap --help\""
@@ -1799,5 +2112,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/ug.po snapd-2.37~rc1~14.04/po/ug.po
--- snapd-2.32.3.2~14.04/po/ug.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/ug.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
-# Uyghur translation for snappy
-# Copyright (c) 2015 Rosetta Contributors and Canonical Ltd 2015
-# This file is distributed under the same license as the snappy package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2015.
+# Uyghur translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: snappy\n"
+"Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-09-04 11:48+0000\n"
-"Last-Translator: Eltikin <eltikinuyghur@hotmail.com>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Uyghur <ug@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/uk.po snapd-2.37~rc1~14.04/po/uk.po
--- snapd-2.32.3.2~14.04/po/uk.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/uk.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2179 @@
+# Ukrainian translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Ukrainian <uk@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+"%q не містить розпакований snap-пакунок.\n"
+"\n"
+"Спробуйте виконати «snapcraft prime» у каталозі проекту, а потім знову «snap "
+"try»."
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr "%q перемкнувся на канал %q\n"
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr "%s %s змонтовано з %s\n"
+
+#, c-format
+msgid "%s (delta)"
+msgstr "%s (дельта)"
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr "%s (див. «snap login --help»)"
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr "%s (спробуйте з sudo)"
+
+#, c-format
+msgid "%s already installed\n"
+msgstr "%s вже встановлено\n"
+
+#, c-format
+msgid "%s disabled\n"
+msgstr "%s вимкнено\n"
+
+#, c-format
+msgid "%s enabled\n"
+msgstr "%s увімкнено\n"
+
+#, c-format
+msgid "%s not installed\n"
+msgstr "%s не встановлено\n"
+
+#, c-format
+msgid "%s removed\n"
+msgstr "%s вилучено\n"
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr "%s повернуто до %s\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr "%s%s %s з «%s» встановлено\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr "%s%s %s з «%s» оновлено\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr "%s%s %s встановлено\n"
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr "%s%s %s оновлено\n"
+
+msgid "--list does not take mode nor channel flags"
+msgstr "--list не приймає ані прапори режиму, ані прапори каналу"
+
+msgid "--time does not take mode nor channel flags"
+msgstr "--time не приймає ані прапори режиму, ані прапори каналу"
+
+msgid "-r can only be used with --hook"
+msgstr "-r може бути використано лише з --hook"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr "<синонім-або-snap>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr "<синонім>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr "<файл перевірки>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr "<тип перевірки>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr "<змінити-id>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr "<значення конф>"
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr "<пошта>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr "<назва файлу>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr "<фільтр заголовку>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr "<інтерфейс>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr "<назва-ключа>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr "<ключ>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr "<модель-перевірки>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr "<запит>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr "<корен-кат>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr "<snap>:<plug>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr "<snap>:<slot чи plug>"
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr "<snap>:<slot>"
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr "Перервати очікувану зміну"
+
+msgid "Added"
+msgstr "Додано"
+
+msgid "Adds an assertion to the system"
+msgstr "Додає перевірку до системи"
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr "Синонім --dangerous (ЗАСТАРІЛО)"
+
+msgid "All snaps up to date."
+msgstr "Всі snap-пакунки актуальні."
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr "Альтернативна команда для запуску"
+
+msgid "Always return document, even with single key"
+msgstr "Завжди повертати документ, навіть з одним ключем"
+
+msgid "Always return list, even with single key"
+msgstr "Завжди повертати список, навіть з одним ключем"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr "Електронна пошта користувача на login.ubuntu.com"
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr "Файл перевірки"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr "Назва типу перевірки"
+
+msgid "Authenticates on snapd and the store"
+msgstr "Автентифікація в snapd та в магазині"
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr "Поганий код. Спробуйте ще раз: "
+
+msgid "Buys a snap"
+msgstr "Купівля snap-пакунку"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr "Змінюваний ідентифікатор"
+
+msgid "Changes configuration options"
+msgstr "Змінює параметри конфігурації"
+
+msgid "Command\tAlias\tNotes"
+msgstr "Команда\tСинонім\tПримітки"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr "Значення конфігурації (ключ=значення)"
+
+msgid "Confirm passphrase: "
+msgstr "Підтвердити пароль: "
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr "Приєднати %s:%s до %s:%s"
+
+msgid "Connects a plug to a slot"
+msgstr "Підключає надбудову до роз'єму"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr "Обмежити список зазначеним snap-пакунком або snap:назва"
+
+msgid "Constrain listing to specific interfaces"
+msgstr "Обмежити список зазначеними інтерфейсами"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr "Обмежити список тими, що відповідають заголовок=значення"
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr "Копіюва дані  snap-пакунку %q"
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+"Створити пару криптографічного ключа, який можна використовувати для "
+"перевірок підпису."
+
+msgid "Create cryptographic key pair"
+msgstr "Створити пару криптографічного ключа"
+
+msgid "Create snap build assertion"
+msgstr "Створити перевірку збірки snap-пакунку"
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr "Створити перевірку збірки snap-пакунку для наданого snap-файлу."
+
+msgid "Creates a local system user"
+msgstr "Створює користувача локальної системи"
+
+msgid "Delete cryptographic key pair"
+msgstr "Видалити пару криптографічного ключа"
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr "Видалити локальну пару криптографічного ключа з такою назвою."
+
+#, c-format
+msgid "Disable %q snap"
+msgstr "Вимкнути snap-пакунок %q"
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr "Вимкнути синоніми для snap-пакунку %q"
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr "Вимкнути всі синоніми для snap-пакунку %q"
+
+msgid "Disables a snap in the system"
+msgstr "Вимикає snap-пакета в системі"
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr "Відхилити інтерфейсні з'єднання для snap %q (%s)"
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr "Від'єднати %s:%s від %s:%s"
+
+msgid "Disconnects a plug from a slot"
+msgstr "Від'єднує надбудову від роз'єма"
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr "Не чекати закінчення операції, тільки вивести змінюваний id."
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr "Завантажити snap-пакунок %q%s з каналу %q"
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+"Завантажити задану ревізію snap-пакунку, до якої потрібен доступ розробника"
+
+msgid "Downloads the given snap"
+msgstr "Завантаження зазначеного snap-пакунку"
+
+msgid "Email address: "
+msgstr "Адреса ел. пошти: "
+
+#, c-format
+msgid "Enable %q snap"
+msgstr "Увімкнути %q snap-пакунок"
+
+msgid "Enables a snap in the system"
+msgstr "Вмикає snap-пакунок в системі"
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+"Експорт органу перевірки відкритого ключа, який може імпортуватися іншими "
+"системами."
+
+msgid "Export cryptographic public key"
+msgstr "Експорт криптографічного відкритого ключа"
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr "Видобування перевірок для %q\n"
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr "Отримання snap-пакунку %q\n"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr "Назва файла snap-пакунка, який ви хочете перевірити для збірки"
+
+msgid "Finds packages to install"
+msgstr "Пошук пакунків для встановлення"
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+"Примусове додавання користувача, навіть якщо пристрій вже під керуванням"
+
+msgid "Force import on classic systems"
+msgstr "Примусовий імпорт на класичних системах"
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+"Форматувати матеріали відкритого ключа як запит на ключ облікового запису "
+"для цього ідентифікатора облікового запису"
+
+msgid "Generate device key"
+msgstr "Генерувати ключ пристрою"
+
+msgid "Generate the manpage"
+msgstr "Генерувати довідкову сторінку (man)"
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+"Оцінка визначає якість збірки snap-пакунку (за умовчанням - «stable»)"
+
+msgid "Grant sudo access to the created user"
+msgstr "Надати доступ до команди sudo створеному користувачеві"
+
+msgid "Help"
+msgstr "Довідка"
+
+msgid "Hook to run"
+msgstr "Пастка для запуску"
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr "Ідентифікатор підписувача"
+
+msgid "Identifier of the snap package associated with the build"
+msgstr "Ідентифікатор snap-пакунка, асоційований зі збіркою"
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+"Пропускати перевірку іншими snap-пакунками, що перешкоджають оновленню"
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr "Долучити невикористані інтерфейси"
+
+msgid "Initialize device"
+msgstr "Ініціалізувати пристрій"
+
+msgid "Inspects devices for actionable information"
+msgstr "Оглядає пристрої для отримання інформації, що піддається діям"
+
+#, c-format
+msgid "Install %q snap"
+msgstr "Встановити snap-пакунок %q"
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr "Встановити snap-пакунок %q з каналу %q"
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr "Встановити snap-пакунок %q з файлу"
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr "Встановити snap-пакунок %q з файлу %q"
+
+msgid "Install from the beta channel"
+msgstr "Встановити з бета-каналу"
+
+msgid "Install from the candidate channel"
+msgstr "Встановити з каналу-кандидата"
+
+msgid "Install from the edge channel"
+msgstr "Встановити з крайнього каналу"
+
+msgid "Install from the stable channel"
+msgstr "Встановити з стабільного каналу"
+
+#, c-format
+msgid "Install snap %q"
+msgstr "Встановити snap-пакунок %q"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr "Встановити snap-пакунки %s"
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+"Встановити задану ревізію snap-пакунку, до якої потрібен доступ розробника"
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+"Встановити такий  snap-пакунок, не вмикаючи його автоматичні синоніми"
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr "Встановлює snap-пакунок до системи"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr "Перерахувати завдання змін"
+
+msgid "List cryptographic keys"
+msgstr "Список криптографічних ключів"
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+"Перелічити криптографічні ключі, які можна використовувати для підписування "
+"перевірок."
+
+msgid "List installed snaps"
+msgstr "Список встановлених snap-пакунків"
+
+msgid "List system changes"
+msgstr "Список змін в системі"
+
+msgid "Lists aliases in the system"
+msgstr "Перерахувати синоніми в системі"
+
+msgid "Lists all repairs"
+msgstr "Список усіх відновлень"
+
+msgid "Lists interfaces in the system"
+msgstr "Перерахувати інтерфейси в системі"
+
+msgid "Lists snap interfaces"
+msgstr "Перерахувати інтерфейси snap-пакунків"
+
+msgid "Log out of the store"
+msgstr "Вийти з магазину"
+
+msgid "Login successful"
+msgstr "Вхід успішний"
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr "Зробити поточну редакцію для snap-пакунку %q недоступною"
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr "Зробити snap-пакунок %q (%s) доступним у системі"
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr "Зробити snap-пакунок %q (%s) недоступним у системі"
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr "Зробити snap-пакунок %q недоступним у системі"
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr "Зробити snap-пакунок %q%s доступним у системі"
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr "Змонтувати snap %q%s"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr "Назва створюваного ключа, типова назва «default»"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr "Назва ключа для видалення"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr "Назва ключа для експорту"
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+"Назва ключа GnuPG для використання (типове значення для назви ключа "
+"«default»)"
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+"Назва ключа для використання, в іншому випадку використовувати типовий ключ"
+
+msgid "Name\tSHA3-384"
+msgstr "Назва\tSHA3-384"
+
+msgid "Name\tSummary"
+msgstr "Назва\tПідсумок"
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr "Назва\tВерсія\tРозробник\tПримітки\tРезюме"
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr "Назва\tВерсія\tРедакція\tРозробник\tПримітки"
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+"Жодних snap-пакунків ще не встановлено. Спробуйте «snap install hello-world»"
+
+msgid "Output results in JSON format"
+msgstr "Вивести результати у форматі JSON"
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr "Парольна фраза: "
+
+#, c-format
+msgid "Password of %q: "
+msgstr "Пароль для %q: "
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+"Будь ласка, повторно введіть ваш пароль Ubuntu One пароль для покупки %q з "
+"%q\n"
+"для %s. Натисніть ctrl-c для скасування."
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr "Віддавати перевагу синонімам зі snap-пакунку та вимкнути конфлікти"
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr "Віддавати перевагу snap-пакунку %q"
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr "Підготувати snap-пакунок %q (%s)"
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr "Підготувати snap-пакунок %q%s"
+
+msgid "Print the version and exit"
+msgstr "Вивести версію та вийти"
+
+msgid "Prints configuration options"
+msgstr "Виведення параметрів конфігурації"
+
+msgid "Prints the confinement mode the system operates in"
+msgstr "Виведення режиму утримання, в якому працює система"
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr "Виведення того, чи система керована"
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr "Очистити автоматичні псевдоніми для snap-пакунку %q"
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr "Перевести snap у класичний режим і вимкнути обмеження безпеки"
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr "Перевести snap у режим розробника і вимкнути обмеження безпеки"
+
+msgid "Put snap in enforced confinement mode"
+msgstr "Перевести snap у примусовий режим обмеження"
+
+msgid "Query the status of services"
+msgstr "Запит на стан послуг"
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr "Перечитати snap-пакунок %q"
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr "Перечитати snap-пакунок %q з каналу %q"
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr "Перечитати синоніми для snap-пакунку %q"
+
+msgid "Refresh all snaps: no updates"
+msgstr "Перечитати всі snap-пакунки: немає оновлень"
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr "Перечитати snap-пакунок %q"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr "Перечитати snap-пакунки %s"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr "Перечитати snap-пакунки %s: немає оновлень"
+
+msgid "Refresh to the given revision"
+msgstr "Перечитати до такої редакції"
+
+msgid "Refreshes a snap in the system"
+msgstr "Перечитування snap-пакунків в системі"
+
+#, c-format
+msgid "Remove %q snap"
+msgstr "Вилучити snap-пакунок %q"
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr "Вилучити синоніми для snap-пакунку  %q"
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr "Вилучити дані для snap-пакунку  %q (%s)"
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr "Вилучити ручний синонім %q для  snap-пакунку %q"
+
+msgid "Remove only the given revision"
+msgstr "Вилучити лише таку редакцію"
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr "Вилучити профіль безпеки для snap-пакунку  %q (%s)"
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr "Вилучити профілі безпеки для snap-пакунку %q"
+
+#, c-format
+msgid "Remove snap %q"
+msgstr "Вилучити snap-пакунок %q"
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr "Вилучити snap-пакунок %q (%s) з системи"
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr "Вилучити snap-пакунки %s"
+
+msgid "Removed"
+msgstr "Вилучено"
+
+msgid "Removes a snap from the system"
+msgstr "Вилучення snap-пакунків з системи"
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr "Перезапустити служби"
+
+msgid "Restarted.\n"
+msgstr "Перезапущено.\n"
+
+msgid "Restrict the search to a given section"
+msgstr "Обмежити пошук певним розділом"
+
+msgid "Retrieve logs of services"
+msgstr "Видобути журнали служб"
+
+#, c-format
+msgid "Revert %q snap"
+msgstr "Повернути %q snap-пакунок"
+
+msgid "Reverts the given snap to the previous state"
+msgstr "Повертає даний snap-пакунок до попереднього стану"
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr "Запустити оболонку замість команди (стане в нагоді для зневадження)"
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr "Запустити таку snap-команду"
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr "Запустити дану команду snap з належним обмеженням та середовищем"
+
+msgid "Runs debug commands"
+msgstr "Виконання команд зневадження"
+
+msgid "Search private snaps"
+msgstr "Пошук серед приватних snap-пакунків"
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr "Встановлення ручного синоніму"
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr "Налаштувати синонім %q => %q для snap-пакунку %q"
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr "Показати всі редакції"
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+"Показувати інформацію про автоматичне перечитування, але не виконувати "
+"перечитування"
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+"Показати доступні snap-пакунки для перечитування, але не виконувати "
+"перечитування"
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr "Показати подробиці для певного інтерфейсу"
+
+msgid "Show interface attributes"
+msgstr "Показати атрибути інтерфейсу"
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr "Показує відомі перевірки наданого типу"
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr "Показ подробиць версії"
+
+msgid "Sign an assertion"
+msgstr "Підписати перевірку"
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+"Підписати перевірку, використовуючи зазначений ключ, використовуючи введення "
+"для заголовків із відображення JSON, наданого через стандартне введення, "
+"орган перевірки можна вказати через псевдозаголовок «body».\n"
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr "Назва snap-пакунку"
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+"Перепрошуємо, але ваш спосіб оплати не був прийнятий видавцем. Будь ласка, "
+"перегляньте\n"
+"деталі платежу на сторінці https://my.ubuntu.com/payment/edit і спробуйте "
+"знову."
+
+msgid "Start services"
+msgstr "Запустити служби"
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr "Запустити службу userd"
+
+msgid "Started.\n"
+msgstr "Запущено.\n"
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr "Зупинити служби"
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr "Зупинено.\n"
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr "Перемкнути snap-пакунок %q на %s"
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr "Перемикає snap-пакунок на інший канал"
+
+msgid "Temporarily mount device before inspecting"
+msgstr "Тимчасово змонтувати пристрій перед перевіркою"
+
+msgid "Tests a snap in the system"
+msgstr "Перевірка snap-пакунків в системі"
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+"Дякуємо за придбання %q. Тепер ви можете встановити його на будь-який з "
+"ваших пристроїв\n"
+"з командою «snap install %s»."
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr "Електронна адреса на login.ubuntu.com для входу як"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr "Назва моделі перевірки"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr "Вихідний каталог"
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr "Snap-пакунок для налаштування (наприклад, hello-world)"
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr "Ця команда здійснює вихід поточного користувача з магазину"
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr "Спробуйте snap-пакунок %q з %s"
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr "Двофакторний код: "
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr "Використовувати відомі перевірки для створення користувача"
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr "Використовувати цей канал замість стабільного"
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr "ПОПЕРЕДЖЕННЯ: не вдалося активувати журналювання: %v\n"
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr "Очікування перезапуску сервера"
+
+msgid "Watch a change in progress"
+msgstr "Спостерігати за поступом змін"
+
+msgid "Wrong again. Once more: "
+msgstr "Знову неправильно. Ще раз: "
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr "Файл Xauthority не належить поточному користувачеві %s"
+
+msgid "Yes, yes it does."
+msgstr "Так, це так."
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+"команда «snap changes» потребує назви snap-пакунку, спробуйте: «snap tasks "
+"%s»"
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+"\n"
+"Команда abort намагатиметься скасувати зміну, в якій все ще присутні "
+"завдання, що очікують на виконання.\n"
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+"\n"
+"Команда buy купує snap-пакунок в магазині.\n"
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+"\n"
+"Команда changes відображає звіт останніх внесених системних змін."
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr "активний"
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr "придбаний"
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr "пошкоджений"
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr "неможливо придбати snap-пакунок: %v"
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr "неможливо придбати snap-пакунок: неприпустимі символи в назві"
+
+msgid "cannot buy snap: it has already been bought"
+msgstr "неможливо придбати snap-пакунок: він вже придбаний"
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr "неможливо створити %q: %v"
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr "неможливо створити файл перевірок: %v"
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr "неможливо знайти програму %q в %q"
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr "неможливо отримати дані для %q: %v"
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr "неможливо отримати повний шлях для %q: %v"
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr "неможливо отримати поточного користувача: %s"
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr "неможливо отримати поточного користувача: %v"
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr "неможливо відкрити базу даних перевірок: %v"
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr "неможливо прочитати введення перевірки: %v"
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr "неможливо прочитати символічне посилання: %v"
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr "неможливо підписати перевірку: %v"
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr "неможливо використовувати разом прапори devmode та jailmode"
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr "неможливо перевірити власника файлу %s"
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr "неможливо записати файл Xauthority в %s: %s"
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr "зміна завершена зі станом %q без повідомлення про помилку"
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr "створено користувача %q\n"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr "вимкнено"
+
+msgid "email:"
+msgstr "електронна адреса:"
+
+msgid "enabled"
+msgstr "увімкнено"
+
+#, c-format
+msgid "error: %v\n"
+msgstr "помилка: %v\n"
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr "неактивне"
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr "внутрішня помилка, прохання повідомити: збій виконання %q: %v\n"
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr "неприпустимий аргумент: %q (потрібно key=value)"
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr "неприпустима конфігурація: %q (потрібно key=value)"
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr "неприпустимий фільтр заголовку: %q (потрібно key=value)"
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+"неприпустима назва ключа %q; дозволені лише літери ASCII, цифри та дефіси"
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr "відсутній snap-confine: спробуйте оновити пакунок snapd"
+
+msgid "need the application to run as argument"
+msgstr "потрібно, щоб програма запускалася як аргумент"
+
+msgid "no changes found"
+msgstr "жодних змін не знайдено"
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr "жодних змін для типу %q не знайдено"
+
+msgid "no interfaces currently connected"
+msgstr "наразі не приєднано жодного інтерфейсу"
+
+msgid "no interfaces found"
+msgstr "жодного інтерфейсу не знайдено"
+
+msgid "no matching snaps installed"
+msgstr "жодного відповідного snap-пакунку не встановлено"
+
+msgid "no such interface"
+msgstr "такий інтерфейс відсутній"
+
+msgid "no valid snaps given"
+msgstr "жодного припустимого snap-пакунку не надано"
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+"для оновлення системи заплановано перезавантаження - тимчасово скасувати за "
+"допомогою «sudo shutdown-c»"
+
+msgid "repairs are not available on a classic system"
+msgstr "в класичній системі відновлення недоступні"
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr "встановлення завершилося невдачею: %v"
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr "snap-пакунок %%q не знайдений (принаймні в редакції %q)"
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr "snap-пакунок %%q не знайдений (принаймні в каналі %q)"
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr "snap-пакунок %q не має оновлень"
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr "snap-пакунок %q вже встановлений, див. «snap refresh --help»"
+
+#, c-format
+msgid "snap %q not found"
+msgstr "snap-пакунок %q не знайдений"
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr "snap-пакунок безкоштовний"
+
+msgid "too many arguments for command"
+msgstr "забагато аргументів для команди"
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr "забагато аргументів для пастки %q: %s"
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr "забагато аргументів: %s"
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr "недоступно"
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr "невідома команда %q, див. «snap --help»"
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr "невідома служба: %q"
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr "Автентифікація демона snap"
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr "Для автентифікація демона snap необхідна авторизація"
+
+msgid "Install, update, or remove packages"
+msgstr "Встановлення, оновлення та видалення пакунків"
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+"Для встановлення, оновлення та видалення пакунків необхідна автентифікація"
+
+msgid "Connect, disconnect interfaces"
+msgstr "Приєднання, від'єднання інтерфейсів"
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr "Для приєднання чи від'єднання інтерфейсів необхідна автентифікація"
diff -Nru snapd-2.32.3.2~14.04/po/zh_CN.po snapd-2.37~rc1~14.04/po/zh_CN.po
--- snapd-2.32.3.2~14.04/po/zh_CN.po	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/zh_CN.po	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
-# Chinese (Simplified) translation for snappy
-# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
-# This file is distributed under the same license as the snappy package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
+# Chinese (Simplified) translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: snappy\n"
+"Project-Id-Version: snapd\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
-"POT-Creation-Date: 2017-10-14 00:51+0000\n"
-"PO-Revision-Date: 2016-10-16 19:13+0000\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Chinese (Simplified) <zh_CN@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-10-18 08:37+0000\n"
-"X-Generator: Launchpad (build 18476)\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
 
 #, c-format
 msgid ""
@@ -67,22 +67,27 @@
 msgid "%s removed\n"
 msgstr ""
 
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
 #, c-format
 msgid "%s reverted to %s\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
 #, c-format
 msgid "%s%s %s from '%s' installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
 #, c-format
 msgid "%s%s %s from '%s' refreshed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
 #, c-format
 msgid "%s%s %s installed\n"
 msgstr ""
 
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
 #, c-format
 msgid "%s%s %s refreshed\n"
 msgstr ""
@@ -96,62 +101,93 @@
 msgid "-r can only be used with --hook"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias-or-snap>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<alias>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion file>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<assertion type>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<change-id>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<conf value>"
 msgstr ""
 
-#. TRANSLATORS: noun
-#. TRANSLATORS: noun
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
 msgid "<email>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<filename>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<header filter>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<interface>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key-name>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<key>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<model-assertion>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<query>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<root-dir>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot or plug>"
 msgstr ""
 
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
 msgid "<snap>:<slot>"
 msgstr ""
 
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
 msgid "Abort a pending change"
 msgstr ""
 
@@ -161,25 +197,62 @@
 msgid "Adds an assertion to the system"
 msgstr ""
 
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
 msgid "Alias for --dangerous (DEPRECATED)"
 msgstr ""
 
 msgid "All snaps up to date."
 msgstr ""
 
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
 msgid "Alternative command to run"
 msgstr ""
 
 msgid "Always return document, even with single key"
 msgstr ""
 
-#. TRANSLATORS: note users on login.ubuntu.com can have multiple email addresses
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
 msgid "An email of a user on login.ubuntu.com"
 msgstr ""
 
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion file"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Assertion type name"
 msgstr ""
 
@@ -199,27 +272,27 @@
 msgid "Auto-refresh snaps %s"
 msgstr ""
 
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
 msgid "Bad code. Try again: "
 msgstr ""
 
 msgid "Buys a snap"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Change ID"
 msgstr ""
 
 msgid "Changes configuration options"
 msgstr ""
 
-msgid ""
-"Classic dimension disabled on this system.\n"
-"Use \"sudo snap install --devmode classic && sudo classic.create\" to enable "
-"it."
-msgstr ""
-
 msgid "Command\tAlias\tNotes"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Configuration value (key=value)"
 msgstr ""
 
@@ -233,12 +306,14 @@
 msgid "Connects a plug to a slot"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to a specific snap or snap:name"
 msgstr ""
 
 msgid "Constrain listing to specific interfaces"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Constrain listing to those matching header=value"
 msgstr ""
 
@@ -319,7 +394,8 @@
 msgid "Enables a snap in the system"
 msgstr ""
 
-msgid "Entering classic dimension"
+#, c-format
+msgid "Ensure prerequisites for %q are available"
 msgstr ""
 
 msgid ""
@@ -341,6 +417,7 @@
 msgid "Fetching snap %q\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Filename of the snap you want to assert a build for"
 msgstr ""
 
@@ -385,6 +462,9 @@
 msgid "Identifier of the snap package associated with the build"
 msgstr ""
 
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
 msgid "Ignore validation by other snaps blocking the refresh"
 msgstr ""
 
@@ -458,9 +538,18 @@
 msgid "Install the given snap without enabling its automatic aliases"
 msgstr ""
 
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
 msgid "Installs a snap to the system"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Key of interest within the configuration"
 msgstr ""
 
@@ -482,6 +571,9 @@
 msgid "Lists aliases in the system"
 msgstr ""
 
+msgid "Lists all repairs"
+msgstr ""
+
 msgid "Lists interfaces in the system"
 msgstr ""
 
@@ -521,12 +613,15 @@
 msgid "Mount snap %q%s"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to create; defaults to 'default'"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to delete"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Name of key to export"
 msgstr ""
 
@@ -548,15 +643,61 @@
 msgid "Name\tVersion\tRev\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
 msgstr ""
 
-msgid "No snaps to auto-refresh found"
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
 msgstr ""
 
 msgid "Output results in JSON format"
 msgstr ""
 
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
 msgid "Passphrase: "
 msgstr ""
 
@@ -571,6 +712,9 @@
 "for %s. Press ctrl-c to cancel."
 msgstr ""
 
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
 #, c-format
 msgid "Prefer aliases for snap %q"
 msgstr ""
@@ -602,7 +746,7 @@
 msgid "Prints the confinement mode the system operates in"
 msgstr ""
 
-msgid "Prints the email the user is logged in with."
+msgid "Prints the email the user is logged in with"
 msgstr ""
 
 msgid "Prints whether system is managed"
@@ -730,6 +874,9 @@
 msgid "Run a shell instead of the command (useful for debugging)"
 msgstr ""
 
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
 #, c-format
 msgid "Run configure hook of %q snap"
 msgstr ""
@@ -750,6 +897,10 @@
 msgid "Run post-refresh hook of %q snap if present"
 msgstr ""
 
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
 msgid "Run prepare-device hook"
 msgstr ""
 
@@ -757,6 +908,14 @@
 msgid "Run remove hook of %q snap if present"
 msgstr ""
 
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
 msgid "Run the given snap command"
 msgstr ""
 
@@ -774,6 +933,9 @@
 "refresh etc.)"
 msgstr ""
 
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
 #, c-format
 msgid "Set automatic aliases for snap %q"
 msgstr ""
@@ -814,15 +976,25 @@
 msgid "Show available snaps for refresh but do not perform a refresh"
 msgstr ""
 
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "Show details of a specific interface"
 msgstr ""
 
 msgid "Show interface attributes"
 msgstr ""
 
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
 msgid "Shows known assertions of the provided type"
 msgstr ""
 
+msgid "Shows specific repairs"
+msgstr ""
+
 msgid "Shows version details"
 msgstr ""
 
@@ -838,10 +1010,14 @@
 msgid "Slot\tPlug"
 msgstr ""
 
-msgid "Snap name"
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
 msgstr ""
 
-msgid "Snap\tService\tStartup\tCurrent"
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
 msgstr ""
 
 msgid ""
@@ -925,23 +1101,27 @@
 "The get command prints configuration and interface connection settings."
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The login.ubuntu.com email to login as"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The model assertion name"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The output directory"
 msgstr ""
 
-#. TRANSLATORS: the %q is the (quoted) query the user entered
 #, c-format
-msgid "The search %q returned 0 snaps\n"
+msgid "The program %q can be found in the following snaps:\n"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap to configure (e.g. hello-world)"
 msgstr ""
 
+#. TRANSLATORS: This should probably not start with a lowercase letter.
 msgid "The snap whose conf is being requested"
 msgstr ""
 
@@ -951,6 +1131,13 @@
 msgid "This command logs the current user out of the store"
 msgstr ""
 
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
 msgid "Tool to interact with snaps"
 msgstr ""
 
@@ -965,6 +1152,9 @@
 msgid "Try %q snap from %s"
 msgstr ""
 
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
 msgid "Two-factor code: "
 msgstr ""
 
@@ -977,13 +1167,24 @@
 msgid "Use known assertions for user creation"
 msgstr ""
 
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
 msgid "Use this channel instead of stable"
 msgstr ""
 
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
 #, c-format
 msgid "WARNING: failed to activate logging: %v\n"
 msgstr ""
 
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
 msgid "Waiting for server to restart"
 msgstr ""
 
@@ -1032,6 +1233,11 @@
 
 msgid ""
 "\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The abort command attempts to abort a change that still has pending tasks.\n"
 msgstr ""
 
@@ -1050,6 +1256,12 @@
 
 msgid ""
 "\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The alias command aliases the given snap application to the given alias.\n"
 "\n"
 "Once this manual alias is setup the respective application command can be "
@@ -1316,12 +1528,23 @@
 
 msgid ""
 "\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The managed command will print true or false informing whether\n"
 "snapd has registered users.\n"
 msgstr ""
 
 msgid ""
 "\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
 "The prefer command enables all aliases of the given snap in preference\n"
 "to conflicting aliases of other snaps whose aliases will be disabled\n"
 "(removed for manual ones).\n"
@@ -1363,6 +1586,31 @@
 
 msgid ""
 "\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The revert command reverts the given snap to its state before\n"
 "the latest refresh. This will reactivate the previous snap revision,\n"
 "and will use the original data that was associated with that revision,\n"
@@ -1373,6 +1621,12 @@
 
 msgid ""
 "\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The set command changes the provided configuration options as requested.\n"
 "\n"
 "    $ snap set snap-name username=frank password=$PASSWORD\n"
@@ -1407,6 +1661,29 @@
 
 msgid ""
 "\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
 "The switch command switches the given snap to a different channel without\n"
 "doing a refresh.\n"
 msgstr ""
@@ -1472,9 +1749,7 @@
 
 msgid ""
 "\n"
-"\n"
-"The home directory is shared between snappy and the classic dimension.\n"
-"Run \"exit\" to leave the classic shell.\n"
+"Use snap alias --help to learn how to create aliases manually."
 msgstr ""
 
 msgid "a single snap name is needed to specify mode or channel flags"
@@ -1489,6 +1764,9 @@
 msgid "active"
 msgstr ""
 
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
 msgid "bought"
 msgstr ""
 
@@ -1497,6 +1775,10 @@
 msgstr ""
 
 #, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
 msgid "cannot buy snap: %v"
 msgstr ""
 
@@ -1529,7 +1811,6 @@
 msgstr ""
 
 #. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
-#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
 #, c-format
 msgid "cannot get data for %q: %v"
 msgstr ""
@@ -1581,9 +1862,6 @@
 msgid "cannot use %q key: %v"
 msgstr ""
 
-msgid "cannot use --hook and --command together"
-msgstr ""
-
 msgid "cannot use change ID and type together"
 msgstr ""
 
@@ -1611,6 +1889,10 @@
 msgid "created user %q\n"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
 #. TRANSLATORS: if possible, a single short word
 msgid "disabled"
 msgstr ""
@@ -1632,6 +1914,13 @@
 msgid "get which option?"
 msgstr ""
 
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
 msgid "inactive"
 msgstr ""
 
@@ -1687,6 +1976,14 @@
 "key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
 msgstr ""
 
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
 msgid "missing snap-confine: try updating your snapd package"
 msgstr ""
 
@@ -1715,9 +2012,6 @@
 msgid "no valid snaps given"
 msgstr ""
 
-msgid "not a valid snap"
-msgstr ""
-
 msgid "please provide change ID or type with --last=<type>"
 msgstr ""
 
@@ -1730,6 +2024,14 @@
 "shutdown -c'"
 msgstr ""
 
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
 #, c-format
 msgid "set failed: %v"
 msgstr ""
@@ -1737,9 +2039,6 @@
 msgid "set which option?"
 msgstr ""
 
-msgid "show detailed information about a snap"
-msgstr ""
-
 #. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
 #, c-format
 msgid "snap %%q not found (at least at revision %q)"
@@ -1759,10 +2058,6 @@
 msgstr ""
 
 #, c-format
-msgid "snap %q is local"
-msgstr ""
-
-#, c-format
 msgid "snap %q not found"
 msgstr ""
 
@@ -1783,6 +2078,9 @@
 msgid "too many arguments: %s"
 msgstr ""
 
+msgid "unable to contact snap store"
+msgstr ""
+
 msgid "unavailable"
 msgstr ""
 
@@ -1799,5 +2097,31 @@
 msgstr ""
 
 #, c-format
-msgid "unsupported shell %v"
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
 msgstr ""
diff -Nru snapd-2.32.3.2~14.04/po/zh_TW.po snapd-2.37~rc1~14.04/po/zh_TW.po
--- snapd-2.32.3.2~14.04/po/zh_TW.po	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/po/zh_TW.po	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2127 @@
+# Chinese (Traditional) translation for snapd
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the snapd package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: snapd\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2018-04-03 12:06+0200\n"
+"PO-Revision-Date: 2018-09-27 14:02+0000\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: Chinese (Traditional) <zh_TW@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2018-10-05 14:20+0000\n"
+"X-Generator: Launchpad (build 18785)\n"
+
+#, c-format
+msgid ""
+"%q does not contain an unpacked snap.\n"
+"\n"
+"Try \"snapcraft prime\" in your project directory, then \"snap try\" again."
+msgstr ""
+
+#, c-format
+msgid "%q switched to the %q channel\n"
+msgstr ""
+
+#. TRANSLATORS: 1. snap name, 2. snap version (keep those together please). the 3rd %s is a path (where it's mounted from).
+#, c-format
+msgid "%s %s mounted from %s\n"
+msgstr ""
+
+#, c-format
+msgid "%s (delta)"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (see \"snap login --help\")"
+msgstr ""
+
+#. TRANSLATORS: %s is an error message (e.g. “cannot yadda yadda: permission denied”)
+#, c-format
+msgid "%s (try with sudo)"
+msgstr ""
+
+#, c-format
+msgid "%s already installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s disabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s enabled\n"
+msgstr ""
+
+#, c-format
+msgid "%s not installed\n"
+msgstr ""
+
+#, c-format
+msgid "%s removed\n"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, second %s is a revision
+#, c-format
+msgid "%s reverted to %s\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' installed")
+#, c-format
+msgid "%s%s %s from '%s' installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version, then the developer name (e.g. "some-snap (beta) 1.3 from 'alice' refreshed")
+#, c-format
+msgid "%s%s %s from '%s' refreshed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 installed")
+#, c-format
+msgid "%s%s %s installed\n"
+msgstr ""
+
+#. TRANSLATORS: the args are a snap name optionally followed by a channel, then a version (e.g. "some-snap (beta) 1.3 refreshed")
+#, c-format
+msgid "%s%s %s refreshed\n"
+msgstr ""
+
+msgid "--list does not take mode nor channel flags"
+msgstr ""
+
+msgid "--time does not take mode nor channel flags"
+msgstr ""
+
+msgid "-r can only be used with --hook"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias-or-snap>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<alias>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion file>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<assertion type>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<change-id>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<conf value>"
+msgstr ""
+
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+#. TRANSLATORS: This is a noun, and it needs to be wrapped in <>s.
+msgid "<email>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<filename>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<header filter>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<interface>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key-name>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<key>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<model-assertion>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<query>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<root-dir>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<service>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot or plug>"
+msgstr ""
+
+#. TRANSLATORS: This needs to be wrapped in <>s.
+#. TRANSLATORS: This needs to be wrapped in <>s.
+msgid "<snap>:<slot>"
+msgstr ""
+
+msgid ""
+"A service specification, which can be just a snap name (for all services in "
+"the snap), or <snap>.<app> for a single service."
+msgstr ""
+
+msgid "Abort a pending change"
+msgstr ""
+
+msgid "Added"
+msgstr ""
+
+msgid "Adds an assertion to the system"
+msgstr ""
+
+msgid "Advise on available snaps."
+msgstr ""
+
+msgid "Advise on snaps that provide the given command"
+msgstr ""
+
+msgid "Alias for --dangerous (DEPRECATED)"
+msgstr ""
+
+msgid "All snaps up to date."
+msgstr ""
+
+msgid "Allow opening file?"
+msgstr ""
+
+msgid "Allow refresh attempt on snap unknown to the store"
+msgstr ""
+
+msgid "Allow settings change?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to change %q to %q ?"
+msgstr ""
+
+#, c-format
+msgid "Allow snap %q to open file %q?"
+msgstr ""
+
+msgid "Alternative command to run"
+msgstr ""
+
+msgid "Always return document, even with single key"
+msgstr ""
+
+msgid "Always return list, even with single key"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter. Also, note users on login.ubuntu.com can have multiple email addresses.
+msgid "An email of a user on login.ubuntu.com"
+msgstr ""
+
+msgid ""
+"As well as starting the service now, arrange for it to be started on boot."
+msgstr ""
+
+msgid ""
+"As well as stopping the service now, arrange for it to no longer be started "
+"on boot."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion file"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Assertion type name"
+msgstr ""
+
+msgid "Authenticates on snapd and the store"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh %d snaps"
+msgstr ""
+
+#, c-format
+msgid "Auto-refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Auto-refresh snaps %s"
+msgstr ""
+
+#, c-format
+msgid "Automatically connect eligible plugs and slots of snap %q"
+msgstr ""
+
+msgid "Bad code. Try again: "
+msgstr ""
+
+msgid "Buys a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Change ID"
+msgstr ""
+
+msgid "Changes configuration options"
+msgstr ""
+
+msgid "Command\tAlias\tNotes"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Configuration value (key=value)"
+msgstr ""
+
+msgid "Confirm passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Connect %s:%s to %s:%s"
+msgstr ""
+
+msgid "Connects a plug to a slot"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to a specific snap or snap:name"
+msgstr ""
+
+msgid "Constrain listing to specific interfaces"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Constrain listing to those matching header=value"
+msgstr ""
+
+#, c-format
+msgid "Copy snap %q data"
+msgstr ""
+
+msgid ""
+"Create a cryptographic key pair that can be used for signing assertions."
+msgstr ""
+
+msgid "Create cryptographic key pair"
+msgstr ""
+
+msgid "Create snap build assertion"
+msgstr ""
+
+msgid "Create snap-build assertion for the provided snap file."
+msgstr ""
+
+msgid "Creates a local system user"
+msgstr ""
+
+msgid "Delete cryptographic key pair"
+msgstr ""
+
+msgid "Delete the local cryptographic key pair with the given name."
+msgstr ""
+
+#, c-format
+msgid "Disable %q snap"
+msgstr ""
+
+#, c-format
+msgid "Disable aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Disable all aliases for snap %q"
+msgstr ""
+
+msgid "Disables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Discard interface connections for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Disconnect %s:%s from %s:%s"
+msgstr ""
+
+msgid "Disconnects a plug from a slot"
+msgstr ""
+
+msgid "Do not wait for the operation to finish but just print the change id."
+msgstr ""
+
+#, c-format
+msgid "Download snap %q%s from channel %q"
+msgstr ""
+
+msgid ""
+"Download the given revision of a snap, to which you must have developer "
+"access"
+msgstr ""
+
+msgid "Downloads the given snap"
+msgstr ""
+
+msgid "Email address: "
+msgstr ""
+
+#, c-format
+msgid "Enable %q snap"
+msgstr ""
+
+msgid "Enables a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Ensure prerequisites for %q are available"
+msgstr ""
+
+msgid ""
+"Export a public key assertion body that may be imported by other systems."
+msgstr ""
+
+msgid "Export cryptographic public key"
+msgstr ""
+
+#, c-format
+msgid "Fetch and check assertions for snap %q%s"
+msgstr ""
+
+#, c-format
+msgid "Fetching assertions for %q\n"
+msgstr ""
+
+#, c-format
+msgid "Fetching snap %q\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Filename of the snap you want to assert a build for"
+msgstr ""
+
+msgid "Finds packages to install"
+msgstr ""
+
+msgid "Force adding the user, even if the device is already managed"
+msgstr ""
+
+msgid "Force import on classic systems"
+msgstr ""
+
+msgid ""
+"Format public key material as a request for an account-key for this account-"
+"id"
+msgstr ""
+
+msgid "Generate device key"
+msgstr ""
+
+msgid "Generate the manpage"
+msgstr ""
+
+msgid "Grade states the build quality of the snap (defaults to 'stable')"
+msgstr ""
+
+msgid "Grant sudo access to the created user"
+msgstr ""
+
+msgid "Help"
+msgstr ""
+
+msgid "Hook to run"
+msgstr ""
+
+msgid "ID\tStatus\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Identifier of the signer"
+msgstr ""
+
+msgid "Identifier of the snap package associated with the build"
+msgstr ""
+
+msgid "If the service has a reload command, use it instead of restarting."
+msgstr ""
+
+msgid "Ignore validation by other snaps blocking the refresh"
+msgstr ""
+
+#, c-format
+msgid ""
+"In order to buy %q, you need to agree to the latest terms and conditions. "
+"Please visit https://my.ubuntu.com/payment/edit to do this.\n"
+"\n"
+"Once completed, return here and run 'snap buy %s' again."
+msgstr ""
+
+msgid "Include a verbose list of a snap's notes (otherwise, summarise notes)"
+msgstr ""
+
+msgid "Include unused interfaces"
+msgstr ""
+
+msgid "Initialize device"
+msgstr ""
+
+msgid "Inspects devices for actionable information"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file"
+msgstr ""
+
+#, c-format
+msgid "Install %q snap from file %q"
+msgstr ""
+
+msgid "Install from the beta channel"
+msgstr ""
+
+msgid "Install from the candidate channel"
+msgstr ""
+
+msgid "Install from the edge channel"
+msgstr ""
+
+msgid "Install from the stable channel"
+msgstr ""
+
+#, c-format
+msgid "Install snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Install snaps %s"
+msgstr ""
+
+msgid ""
+"Install the given revision of a snap, to which you must have developer access"
+msgstr ""
+
+msgid ""
+"Install the given snap file even if there are no pre-acknowledged signatures "
+"for it, meaning it was not verified and could be dangerous (--devmode "
+"implies this)"
+msgstr ""
+
+msgid "Install the given snap without enabling its automatic aliases"
+msgstr ""
+
+#, c-format
+msgid ""
+"Install the snap with:\n"
+"   snap ack %s\n"
+"   snap install %s\n"
+msgstr ""
+
+msgid "Installs a snap to the system"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Key of interest within the configuration"
+msgstr ""
+
+msgid "List a change's tasks"
+msgstr ""
+
+msgid "List cryptographic keys"
+msgstr ""
+
+msgid "List cryptographic keys that can be used for signing assertions."
+msgstr ""
+
+msgid "List installed snaps"
+msgstr ""
+
+msgid "List system changes"
+msgstr ""
+
+msgid "Lists aliases in the system"
+msgstr ""
+
+msgid "Lists all repairs"
+msgstr ""
+
+msgid "Lists interfaces in the system"
+msgstr ""
+
+msgid "Lists snap interfaces"
+msgstr ""
+
+msgid "Log out of the store"
+msgstr ""
+
+msgid "Login successful"
+msgstr ""
+
+#, c-format
+msgid "Make current revision for snap %q unavailable"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) available to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q (%s) unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q unavailable to the system"
+msgstr ""
+
+#, c-format
+msgid "Make snap %q%s available to the system"
+msgstr ""
+
+msgid "Mark system seeded"
+msgstr ""
+
+#, c-format
+msgid "Mount snap %q%s"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to create; defaults to 'default'"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to delete"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Name of key to export"
+msgstr ""
+
+msgid "Name of the GnuPG key to use (defaults to 'default' as key name)"
+msgstr ""
+
+msgid "Name of the key to use, otherwise use the default key"
+msgstr ""
+
+msgid "Name\tSHA3-384"
+msgstr ""
+
+msgid "Name\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tDeveloper\tNotes\tSummary"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tDeveloper\tNotes"
+msgstr ""
+
+msgid "Name\tVersion\tRev\tTracking\tDeveloper\tNotes"
+msgstr ""
+
+#, c-format
+msgid "No aliases are currently defined for snap %q.\n"
+msgstr ""
+
+msgid "No aliases are currently defined."
+msgstr ""
+
+#, c-format
+msgid "No command %q found, did you mean:\n"
+msgstr ""
+
+msgid "No connections to disconnect"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) name of the section the user entered
+#, c-format
+msgid "No matching section %q, use --section to list existing sections"
+msgstr ""
+
+#. TRANSLATORS: the first %q is the (quoted) query, the
+#. second %q is the (quoted) name of the section the
+#. user entered
+#, c-format
+msgid "No matching snaps for %q in section %q\n"
+msgstr ""
+
+#. TRANSLATORS: the %q is the (quoted) query the user entered
+#, c-format
+msgid "No matching snaps for %q\n"
+msgstr ""
+
+msgid ""
+"No search term specified. Here are some interesting snaps:\n"
+"\n"
+msgstr ""
+
+msgid "No section specified. Available sections:\n"
+msgstr ""
+
+msgid "No snaps are installed yet. Try \"snap install hello-world\"."
+msgstr ""
+
+msgid "Output results in JSON format"
+msgstr ""
+
+msgid "Pack the given target dir as a snap"
+msgstr ""
+
+#, c-format
+msgid "Packages matching %q:\n"
+msgstr ""
+
+msgid "Passphrase: "
+msgstr ""
+
+#, c-format
+msgid "Password of %q: "
+msgstr ""
+
+#. TRANSLATORS: %q, %q and %s are the snap name, developer, and price. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Please re-enter your Ubuntu One password to purchase %q from %q\n"
+"for %s. Press ctrl-c to cancel."
+msgstr ""
+
+msgid "Please try: snap find --section=<selected section>\n"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases for snap %q"
+msgstr ""
+
+msgid "Prefer aliases from a snap and disable conflicts"
+msgstr ""
+
+#, c-format
+msgid "Prefer aliases of snap %q"
+msgstr ""
+
+msgid "Prepare a snappy image"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Prepare snap %q%s"
+msgstr ""
+
+msgid "Print the version and exit"
+msgstr ""
+
+msgid "Prints configuration options"
+msgstr ""
+
+msgid "Prints the confinement mode the system operates in"
+msgstr ""
+
+msgid "Prints the email the user is logged in with"
+msgstr ""
+
+msgid "Prints whether system is managed"
+msgstr ""
+
+#, c-format
+msgid "Prune automatic aliases for snap %q"
+msgstr ""
+
+msgid "Put snap in classic mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in development mode and disable security confinement"
+msgstr ""
+
+msgid "Put snap in enforced confinement mode"
+msgstr ""
+
+msgid "Query the status of services"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap"
+msgstr ""
+
+#, c-format
+msgid "Refresh %q snap from %q channel"
+msgstr ""
+
+#, c-format
+msgid "Refresh aliases for snap %q"
+msgstr ""
+
+msgid "Refresh all snaps: no updates"
+msgstr ""
+
+#, c-format
+msgid "Refresh snap %q"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Refresh snaps %s: no updates"
+msgstr ""
+
+msgid "Refresh to the given revision"
+msgstr ""
+
+msgid "Refreshes a snap in the system"
+msgstr ""
+
+#, c-format
+msgid "Remove %q snap"
+msgstr ""
+
+#, c-format
+msgid "Remove aliases for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove data for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove manual alias %q for snap %q"
+msgstr ""
+
+msgid "Remove only the given revision"
+msgstr ""
+
+#, c-format
+msgid "Remove security profile for snap %q (%s)"
+msgstr ""
+
+#, c-format
+msgid "Remove security profiles of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q"
+msgstr ""
+
+#, c-format
+msgid "Remove snap %q (%s) from the system"
+msgstr ""
+
+#. TRANSLATORS: the %s is a comma-separated list of quoted snap names
+#, c-format
+msgid "Remove snaps %s"
+msgstr ""
+
+msgid "Removed"
+msgstr ""
+
+msgid "Removes a snap from the system"
+msgstr ""
+
+msgid "Request device serial"
+msgstr ""
+
+msgid "Restart services"
+msgstr ""
+
+msgid "Restarted.\n"
+msgstr ""
+
+msgid "Restrict the search to a given section"
+msgstr ""
+
+msgid "Retrieve logs of services"
+msgstr ""
+
+#, c-format
+msgid "Revert %q snap"
+msgstr ""
+
+msgid "Reverts the given snap to the previous state"
+msgstr ""
+
+msgid "Run a shell instead of the command (useful for debugging)"
+msgstr ""
+
+msgid "Run as a timer service with given schedule"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap"
+msgstr ""
+
+#, c-format
+msgid "Run configure hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run hook %s of snap %q"
+msgstr ""
+
+#, c-format
+msgid "Run install hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run post-refresh hook of %q snap if present"
+msgstr ""
+
+#, c-format
+msgid "Run pre-refresh hook of %q snap if present"
+msgstr ""
+
+msgid "Run prepare-device hook"
+msgstr ""
+
+#, c-format
+msgid "Run remove hook of %q snap if present"
+msgstr ""
+
+msgid ""
+"Run the command under strace (useful for debugging). Extra strace options "
+"can be specified as well here."
+msgstr ""
+
+msgid "Run the command with gdb"
+msgstr ""
+
+msgid "Run the given snap command"
+msgstr ""
+
+msgid "Run the given snap command with the right confinement and environment"
+msgstr ""
+
+msgid "Runs debug commands"
+msgstr ""
+
+msgid "Search private snaps"
+msgstr ""
+
+msgid ""
+"Select last change of given type (install, refresh, remove, try, auto-"
+"refresh etc.)"
+msgstr ""
+
+msgid "Service\tStartup\tCurrent"
+msgstr ""
+
+#, c-format
+msgid "Set automatic aliases for snap %q"
+msgstr ""
+
+msgid "Sets up a manual alias"
+msgstr ""
+
+#, c-format
+msgid "Setup alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup manual alias %q => %q for snap %q"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q (%s) security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q aliases"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles"
+msgstr ""
+
+#, c-format
+msgid "Setup snap %q%s security profiles (phase 2)"
+msgstr ""
+
+msgid "Show all revisions"
+msgstr ""
+
+msgid "Show auto refresh information but do not perform a refresh"
+msgstr ""
+
+msgid "Show available snaps for refresh but do not perform a refresh"
+msgstr ""
+
+msgid "Show detailed information about a snap"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Show details of a specific interface"
+msgstr ""
+
+msgid "Show interface attributes"
+msgstr ""
+
+msgid "Show only the given number of lines, or 'all'."
+msgstr ""
+
+msgid "Shows known assertions of the provided type"
+msgstr ""
+
+msgid "Shows specific repairs"
+msgstr ""
+
+msgid "Shows version details"
+msgstr ""
+
+msgid "Sign an assertion"
+msgstr ""
+
+msgid ""
+"Sign an assertion using the specified key, using the input for headers from "
+"a JSON mapping provided through stdin, the body of the assertion can be "
+"specified through a \"body\" pseudo-header.\n"
+msgstr ""
+
+msgid "Slot\tPlug"
+msgstr ""
+
+#. TRANSLATORS: first %s is a snap name, following %s is a channel name
+#, c-format
+msgid "Snap %s is no longer tracking %s.\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "Snap name"
+msgstr ""
+
+msgid ""
+"Sorry, your payment method has been declined by the issuer. Please review "
+"your\n"
+"payment details at https://my.ubuntu.com/payment/edit and try again."
+msgstr ""
+
+msgid "Start services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Start snap %q%s services"
+msgstr ""
+
+msgid "Start snap services"
+msgstr ""
+
+msgid "Start the userd service"
+msgstr ""
+
+msgid "Started.\n"
+msgstr ""
+
+msgid "Status\tSpawn\tReady\tSummary\n"
+msgstr ""
+
+msgid "Stop services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q (%s) services"
+msgstr ""
+
+#, c-format
+msgid "Stop snap %q services"
+msgstr ""
+
+msgid "Stop snap services"
+msgstr ""
+
+msgid "Stopped.\n"
+msgstr ""
+
+msgid "Strict typing with nulls and quoted strings"
+msgstr ""
+
+#, c-format
+msgid "Switch %q snap to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q from %s to %s"
+msgstr ""
+
+#, c-format
+msgid "Switch snap %q to %s"
+msgstr ""
+
+msgid "Switches snap to a different channel"
+msgstr ""
+
+msgid "Temporarily mount device before inspecting"
+msgstr ""
+
+msgid "Tests a snap in the system"
+msgstr ""
+
+#. TRANSLATORS: %q and %s are the same snap name. Please wrap the translation at 80 characters.
+#, c-format
+msgid ""
+"Thanks for purchasing %q. You may now install it on any of your devices\n"
+"with 'snap install %s'."
+msgstr ""
+
+msgid ""
+"The get command prints configuration and interface connection settings."
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The login.ubuntu.com email to login as"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The model assertion name"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The output directory"
+msgstr ""
+
+#, c-format
+msgid "The program %q can be found in the following snaps:\n"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap to configure (e.g. hello-world)"
+msgstr ""
+
+#. TRANSLATORS: This should probably not start with a lowercase letter.
+msgid "The snap whose conf is being requested"
+msgstr ""
+
+msgid "The userd command starts the snap user session service."
+msgstr ""
+
+msgid "This command logs the current user out of the store"
+msgstr ""
+
+msgid "This dialog will close automatically after 5 minutes of inactivity."
+msgstr ""
+
+#, c-format
+msgid "Toggle snap %q flags"
+msgstr ""
+
+msgid "Tool to interact with snaps"
+msgstr ""
+
+#, c-format
+msgid "Transition security profiles from %q to %q"
+msgstr ""
+
+msgid "Transition ubuntu-core to core"
+msgstr ""
+
+#, c-format
+msgid "Try %q snap from %s"
+msgstr ""
+
+msgid "Try: snap install <selected snap>\n"
+msgstr ""
+
+msgid "Two-factor code: "
+msgstr ""
+
+msgid "Unalias a manual alias or an entire snap"
+msgstr ""
+
+msgid "Use a specific snap revision when running hook"
+msgstr ""
+
+msgid "Use known assertions for user creation"
+msgstr ""
+
+msgid "Use the given output format (pretty or json)"
+msgstr ""
+
+msgid "Use this channel instead of stable"
+msgstr ""
+
+msgid ""
+"WARNING: The output of \"snap get\" will become a list with columns - use -d "
+"or -l to force the output format.\n"
+msgstr ""
+
+#, c-format
+msgid "WARNING: failed to activate logging: %v\n"
+msgstr ""
+
+msgid "Wait for new lines and print them as they come in."
+msgstr ""
+
+msgid "Waiting for server to restart"
+msgstr ""
+
+msgid "Watch a change in progress"
+msgstr ""
+
+msgid "Wrong again. Once more: "
+msgstr ""
+
+#, c-format
+msgid "Xauthority file isn't owned by the current user %s"
+msgstr ""
+
+msgid "Yes, yes it does."
+msgstr ""
+
+msgid ""
+"You need to be logged in to purchase software. Please run 'snap login' and "
+"try again."
+msgstr ""
+
+#, c-format
+msgid ""
+"You need to have a payment method associated with your account in order to "
+"buy a snap, please visit https://my.ubuntu.com/payment/edit to add one.\n"
+"\n"
+"Once you’ve added your payment details, you just need to run 'snap buy %s' "
+"again."
+msgstr ""
+
+#. TRANSLATORS: the %s is the argument given by the user to "snap changes"
+#, c-format
+msgid "\"snap changes\" command expects a snap name, try: \"snap tasks %s\""
+msgstr ""
+
+msgid ""
+"\n"
+"Install, configure, refresh and remove snap packages. Snaps are\n"
+"'universal' packages that work across many different Linux systems,\n"
+"enabling secure distribution of the latest apps and utilities for\n"
+"cloud, servers, desktops and the internet of things.\n"
+"\n"
+"This is the CLI for snapd, a background service that takes care of\n"
+"snaps on the system. Start with 'snap list' to see installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Provide a search term for more specific results.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The abort command attempts to abort a change that still has pending tasks.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The ack command tries to add an assertion to the system assertion database.\n"
+"\n"
+"The assertion may also be a newer revision of a preexisting assertion that "
+"it\n"
+"will replace.\n"
+"\n"
+"To succeed the assertion must be valid, its signature verified with a known\n"
+"public key and the assertion consistent with and its prerequisite in the\n"
+"database.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The advise-snap command shows what snaps with the given command are\n"
+"available.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The alias command aliases the given snap application to the given alias.\n"
+"\n"
+"Once this manual alias is setup the respective application command can be "
+"invoked just using the alias.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The aliases command lists all aliases available in the system and their "
+"status.\n"
+"\n"
+"$ snap aliases <snap>\n"
+"\n"
+"Lists only the aliases defined by the specified snap.\n"
+"\n"
+"An alias noted as undefined means it was explicitly enabled or disabled but "
+"is\n"
+"not defined in the current revision of the snap; possibly temporarely (e.g\n"
+"because of a revert), if not this can be cleared with snap alias --reset.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The auto-import command searches available mounted devices looking for\n"
+"assertions that are signed by trusted authorities, and potentially\n"
+"performs system changes based on them.\n"
+"\n"
+"If one or more device paths are provided via --mount, these are temporariy\n"
+"mounted to be inspected as well. Even in that case the command will still\n"
+"consider all available mounted devices for inspection.\n"
+"\n"
+"Imported assertions must be made available in the auto-import.assert file\n"
+"in the root of the filesystem.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The buy command buys a snap from the store.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The changes command displays a summary of the recent system changes "
+"performed."
+msgstr ""
+
+msgid ""
+"\n"
+"The confinement command will print the confinement mode (strict, partial or "
+"none)\n"
+"the system operates in.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The connect command connects a plug to a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Connects the provided plug to the given slot.\n"
+"\n"
+"$ snap connect <snap>:<plug> <snap>\n"
+"\n"
+"Connects the specific plug to the only slot in the provided snap that "
+"matches\n"
+"the connected interface. If more than one potential slot exists, the "
+"command\n"
+"fails.\n"
+"\n"
+"$ snap connect <snap>:<plug>\n"
+"\n"
+"Connects the provided plug to the slot in the core snap with a name "
+"matching\n"
+"the plug name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The create-user command creates a local system user with the username and "
+"SSH\n"
+"keys registered on the store account identified by the provided email "
+"address.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The debug command contains a selection of additional sub-commands.\n"
+"\n"
+"Debug commands can be removed without notice and may not work on\n"
+"non-development systems.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disable command disables a snap. The binaries and services of the\n"
+"snap will no longer be available. But all the data is still available\n"
+"and the snap can easily be enabled again.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The disconnect command disconnects a plug from a slot.\n"
+"It may be called in the following ways:\n"
+"\n"
+"$ snap disconnect <snap>:<plug> <snap>:<slot>\n"
+"\n"
+"Disconnects the specific plug from the specific slot.\n"
+"\n"
+"$ snap disconnect <snap>:<slot or plug>\n"
+"\n"
+"Disconnects everything from the provided plug or slot.\n"
+"The snap name may be omitted for the core snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The download command downloads the given snap and its supporting assertions\n"
+"to the current directory under .snap and .assert file extensions, "
+"respectively.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The enable command enables a snap that was previously disabled.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The find command queries the store for available packages in the stable "
+"channel.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the current snap.\n"
+"\n"
+"    $ snapctl get username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snapctl get username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snapctl get author.name\n"
+"    frank\n"
+"\n"
+"Values of interface connection settings may be printed with:\n"
+"\n"
+"    $ snapctl get :myplug usb-vendor\n"
+"    $ snapctl get :myslot path\n"
+"\n"
+"This will return the named setting from the local interface endpoint, "
+"whether a plug\n"
+"or a slot. Returning the setting from the connected snap's endpoint is also "
+"possible\n"
+"by explicitly requesting that via the --plug and --slot command line "
+"options:\n"
+"\n"
+"    $ snapctl get :myplug --slot usb-vendor\n"
+"\n"
+"This requests the \"usb-vendor\" setting from the slot that is connected to "
+"\"myplug\".\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The get command prints configuration options for the provided snap.\n"
+"\n"
+"    $ snap get snap-name username\n"
+"    frank\n"
+"\n"
+"If multiple option names are provided, a document is returned:\n"
+"\n"
+"    $ snap get snap-name username password\n"
+"    {\n"
+"        \"username\": \"frank\",\n"
+"        \"password\": \"...\"\n"
+"    }\n"
+"\n"
+"Nested values may be retrieved via a dotted path:\n"
+"\n"
+"    $ snap get snap-name author.name\n"
+"    frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The help command shows helpful information. Unlike this. ;-)\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The info command shows detailed information about a snap, be it by name or "
+"by path."
+msgstr ""
+
+msgid ""
+"\n"
+"The install command installs the named snap in the system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interface command shows details of snap interfaces.\n"
+"\n"
+"If no interface name is provided, a list of interface names with at least\n"
+"one connection is shown, or a list of all interfaces if --all is provided.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The interfaces command lists interfaces available in the system.\n"
+"\n"
+"By default all slots and plugs, used and offered by all snaps, are "
+"displayed.\n"
+" \n"
+"$ snap interfaces <snap>:<slot or plug>\n"
+"\n"
+"Lists only the specified slot or plug.\n"
+"\n"
+"$ snap interfaces <snap>\n"
+"\n"
+"Lists the slots offered and plugs used by the specified snap.\n"
+"\n"
+"$ snap interfaces -i=<interface> [<snap>]\n"
+"\n"
+"Filters the complete output so only plugs and/or slots matching the provided "
+"details are listed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The known command shows known assertions of the provided type.\n"
+"If header=value pairs are provided after the assertion type, the assertions\n"
+"shown must also have the specified headers matching the provided values.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The list command displays a summary of snaps installed in the current system."
+msgstr ""
+
+msgid ""
+"\n"
+"The login command authenticates on snapd and the snap store and saves "
+"credentials\n"
+"into the ~/.snap/auth.json file. Further communication with snapd will then "
+"be made\n"
+"using those credentials.\n"
+"\n"
+"Login only works for local users in the sudo, admin or wheel groups.\n"
+"\n"
+"An account can be setup at https://login.ubuntu.com\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The logs command fetches logs of the given services and displays them in "
+"chronological order.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The managed command will print true or false informing whether\n"
+"snapd has registered users.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The pack command packs the given snap-dir as a snap."
+msgstr ""
+
+msgid ""
+"\n"
+"The prefer command enables all aliases of the given snap in preference\n"
+"to conflicting aliases of other snaps whose aliases will be disabled\n"
+"(removed for manual ones).\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"The publisher of snap %q has indicated that they do not consider this "
+"revision\n"
+"to be of production quality and that it is only meant for development or "
+"testing\n"
+"at this point. As a consequence this snap will not refresh automatically and "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox snaps are\n"
+"generally confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"devmode;\n"
+"if instead you want to install the snap forcing it into strict confinement\n"
+"repeat the command including --jailmode."
+msgstr ""
+
+msgid ""
+"\n"
+"The refresh command refreshes (updates) the named snap.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The remove command removes the named snap from the system.\n"
+"\n"
+"By default all the snap revisions are removed, including their data and the "
+"common\n"
+"data directory. When a --revision option is passed only the specified "
+"revision is\n"
+"removed.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repair command shows the details about one or multiple repairs.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The repairs command lists all processed repairs for this device.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services of the snap. If executed "
+"from the\n"
+"\"configure\" hook, the services will be restarted after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The restart command restarts the given services.\n"
+"\n"
+"If the --reload option is given, for each service whose app has a reload "
+"command, a reload is performed instead of a restart.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The revert command reverts the given snap to its state before\n"
+"the latest refresh. This will reactivate the previous snap revision,\n"
+"and will use the original data that was associated with that revision,\n"
+"discarding any data changes that were done by the latest revision. As\n"
+"an exception, data which the snap explicitly chooses to share across\n"
+"revisions is not touched by the revert process.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The services command lists information about the services specified, or "
+"about the services in all currently installed snaps.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snap set snap-name username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the\n"
+"snap's configuration hook returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snap set author.name=frank\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The set command changes the provided configuration options as requested.\n"
+"\n"
+"    $ snapctl set username=frank password=$PASSWORD\n"
+"\n"
+"All configuration changes are persisted at once, and only after the hook\n"
+"returns successfully.\n"
+"\n"
+"Nested values may be modified via a dotted path:\n"
+"\n"
+"    $ snapctl set author.name=frank\n"
+"\n"
+"Plug and slot attributes may be set in the respective prepare and connect "
+"hooks by\n"
+"naming the respective plug or slot:\n"
+"\n"
+"    $ snapctl set :myplug path=/dev/ttyS0\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts the given services of the snap. If executed from "
+"the\n"
+"\"configure\" hook, the services will be started after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The start command starts, and optionally enables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops the given services of the snap. If executed from the\n"
+"\"configure\" hook, the services will be stopped after the hook finishes."
+msgstr ""
+
+msgid ""
+"\n"
+"The stop command stops, and optionally disables, the given services.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The switch command switches the given snap to a different channel without\n"
+"doing a refresh.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The tasks command displays a summary of tasks associated to an individual "
+"change."
+msgstr ""
+
+msgid ""
+"\n"
+"The try command installs an unpacked snap into the system for testing "
+"purposes.\n"
+"The unpacked snap content continues to be used even after installation, so\n"
+"non-metadata changes there go live instantly. Metadata changes such as "
+"those\n"
+"performed in snap.yaml will require reinstallation to go live.\n"
+"\n"
+"If snap-dir argument is omitted, the try command will attempt to infer it "
+"if\n"
+"either snapcraft.yaml file and prime directory or meta/snap.yaml file can "
+"be\n"
+"found relative to current working directory.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The unalias command tears down a manual alias when given one or disables all "
+"aliases of a snap, removing also all manual ones, when given a snap name.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The version command displays the versions of the running client, server,\n"
+"and operating system.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The watch command waits for the given change-id to finish and shows "
+"progress\n"
+"(if available).\n"
+msgstr ""
+
+msgid ""
+"\n"
+"The whoami command prints the email the user is logged in with.\n"
+msgstr ""
+
+#, c-format
+msgid ""
+"\n"
+"This revision of snap %q was published using classic confinement and thus "
+"may\n"
+"perform arbitrary system changes outside of the security sandbox that snaps "
+"are\n"
+"usually confined to, which may put your system at risk.\n"
+"\n"
+"If you understand and want to proceed repeat the command including --"
+"classic.\n"
+msgstr ""
+
+msgid ""
+"\n"
+"Use snap alias --help to learn how to create aliases manually."
+msgstr ""
+
+msgid "a single snap name is needed to specify mode or channel flags"
+msgstr ""
+
+msgid "a single snap name is needed to specify the revision"
+msgstr ""
+
+msgid "a single snap name must be specified when ignoring validation"
+msgstr ""
+
+msgid "active"
+msgstr ""
+
+msgid "auto-refresh: all snaps are up-to-date"
+msgstr ""
+
+msgid "bought"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "broken"
+msgstr ""
+
+#, c-format
+msgid "cannot %s without a context"
+msgstr ""
+
+#, c-format
+msgid "cannot buy snap: %v"
+msgstr ""
+
+msgid "cannot buy snap: invalid characters in name"
+msgstr ""
+
+msgid "cannot buy snap: it has already been bought"
+msgstr ""
+
+#. TRANSLATORS: %q is the directory whose creation failed, %v the error message
+#, c-format
+msgid "cannot create %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot create assertions file: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v gets the resulting error message
+#, c-format
+msgid "cannot extract the snap-name from local file %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot find app %q in %q"
+msgstr ""
+
+#, c-format
+msgid "cannot find hook %q in %q"
+msgstr ""
+
+#. TRANSLATORS: %q gets the snap name, %v the list of things found when trying to list it
+#, c-format
+msgid "cannot get data for %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q gets what the user entered, %v gets the resulting error message
+#, c-format
+msgid "cannot get full path for %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot get the current user: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot mark boot successful: %s"
+msgstr ""
+
+#, c-format
+msgid "cannot open the assertions database: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot read assertion input: %v"
+msgstr ""
+
+#. TRANSLATORS: %v the error message
+#, c-format
+msgid "cannot read symlink: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot resolve snap app %q: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot sign assertion: %v"
+msgstr ""
+
+#, c-format
+msgid "cannot update the 'current' symlink of %q: %v"
+msgstr ""
+
+#. TRANSLATORS: %q is the key name, %v the error message
+#, c-format
+msgid "cannot use %q key: %v"
+msgstr ""
+
+msgid "cannot use change ID and type together"
+msgstr ""
+
+msgid "cannot use devmode and jailmode flags together"
+msgstr ""
+
+#, c-format
+msgid "cannot validate owner of file %s"
+msgstr ""
+
+#, c-format
+msgid "cannot write new Xauthority file at %s: %s"
+msgstr ""
+
+#, c-format
+msgid "change finished in status %q with no error message"
+msgstr ""
+
+#, c-format
+msgid ""
+"classic confinement requires snaps under /snap or symlink from /snap to %s"
+msgstr ""
+
+#, c-format
+msgid "created user %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "days" in e.g. 1d20h
+msgid "d"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "disabled"
+msgstr ""
+
+msgid "email:"
+msgstr ""
+
+msgid "enabled"
+msgstr ""
+
+#, c-format
+msgid "error: %v\n"
+msgstr ""
+
+msgid ""
+"error: the `<snap-dir>` argument was not provided and couldn't be inferred"
+msgstr ""
+
+msgid "get which option?"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "hours" in e.g. 1h30m
+msgid "h"
+msgstr ""
+
+msgid "ignore-validation"
+msgstr ""
+
+msgid "inactive"
+msgstr ""
+
+msgid ""
+"interface attributes can only be read during the execution of interface hooks"
+msgstr ""
+
+msgid ""
+"interface attributes can only be set during the execution of prepare hooks"
+msgstr ""
+
+#, c-format
+msgid "internal error, please report: running %q failed: %v\n"
+msgstr ""
+
+msgid "internal error: cannot find attrs task"
+msgstr ""
+
+msgid "internal error: cannot find plug or slot data in the appropriate task"
+msgstr ""
+
+#, c-format
+msgid "internal error: cannot get %s from appropriate task"
+msgstr ""
+
+msgid ""
+"invalid argument for flag ‘-n’: expected a non-negative integer argument, or "
+"“all”."
+msgstr ""
+
+#, c-format
+msgid "invalid attribute: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid configuration: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid header filter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid parameter: %q (want key=value)"
+msgstr ""
+
+#, c-format
+msgid "invalid value: %q (want snap:name or snap)"
+msgstr ""
+
+#, c-format
+msgid ""
+"key name %q is not valid; only ASCII letters, digits, and hyphens are allowed"
+msgstr ""
+
+#, c-format
+msgid "local snap %q is unknown to the store, use --amend to proceed anyway"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "minutes" in e.g. 1m30s
+msgid "m"
+msgstr ""
+
+msgid "missing snap-confine: try updating your snapd package"
+msgstr ""
+
+msgid "need the application to run as argument"
+msgstr ""
+
+msgid "no changes found"
+msgstr ""
+
+#, c-format
+msgid "no changes of type %q found"
+msgstr ""
+
+msgid "no interfaces currently connected"
+msgstr ""
+
+msgid "no interfaces found"
+msgstr ""
+
+msgid "no matching snaps installed"
+msgstr ""
+
+msgid "no such interface"
+msgstr ""
+
+msgid "no valid snaps given"
+msgstr ""
+
+msgid "please provide change ID or type with --last=<type>"
+msgstr ""
+
+#. TRANSLATORS: if possible, a single short word
+msgid "private"
+msgstr ""
+
+msgid ""
+"reboot scheduled to update the system - temporarily cancel with 'sudo "
+"shutdown -c'"
+msgstr ""
+
+msgid "repairs are not available on a classic system"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "seconds" in e.g. 1m30s
+#. (I fully expect this to always be "s", given it's a SI unit)
+msgid "s"
+msgstr ""
+
+#, c-format
+msgid "set failed: %v"
+msgstr ""
+
+msgid "set which option?"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --revision=foo
+#, c-format
+msgid "snap %%q not found (at least at revision %q)"
+msgstr ""
+
+#. TRANSLATORS: %%q will become a %q for the snap name; %q is whatever foo the user used for --channel=foo
+#, c-format
+msgid "snap %%q not found (at least in channel %q)"
+msgstr ""
+
+#, c-format
+msgid "snap %q has no updates available"
+msgstr ""
+
+#, c-format
+msgid "snap %q is already installed, see \"snap refresh --help\""
+msgstr ""
+
+#, c-format
+msgid "snap %q not found"
+msgstr ""
+
+#. TRANSLATORS: free as in gratis
+msgid "snap is free"
+msgstr ""
+
+msgid "too many arguments for command"
+msgstr ""
+
+#. TRANSLATORS: %q is the hook name; %s a space-separated list of extra arguments
+#, c-format
+msgid "too many arguments for hook %q: %s"
+msgstr ""
+
+#. TRANSLATORS: the %s is the list of extra arguments
+#, c-format
+msgid "too many arguments: %s"
+msgstr ""
+
+msgid "unable to contact snap store"
+msgstr ""
+
+msgid "unavailable"
+msgstr ""
+
+#, c-format
+msgid "unknown attribute %q"
+msgstr ""
+
+#, c-format
+msgid "unknown command %q, see \"snap --help\""
+msgstr ""
+
+#, c-format
+msgid "unknown plug or slot %q"
+msgstr ""
+
+#, c-format
+msgid "unknown service: %q"
+msgstr ""
+
+#, c-format
+msgid "warning:\tno snap found for %q\n"
+msgstr ""
+
+#. TRANSLATORS: this needs to be a single rune that is understood to mean "years" in e.g. 1y45d
+msgid "y"
+msgstr ""
+
+msgid "Authenticate on snap daemon"
+msgstr ""
+
+msgid "Authorization is required to authenticate on the snap daemon"
+msgstr ""
+
+msgid "Install, update, or remove packages"
+msgstr ""
+
+msgid "Authentication is required to install, update, or remove packages"
+msgstr ""
+
+msgid "Connect, disconnect interfaces"
+msgstr ""
+
+msgid "Authentication is required to connect or disconnect interfaces"
+msgstr ""
diff -Nru snapd-2.32.3.2~14.04/progress/ansimeter.go snapd-2.37~rc1~14.04/progress/ansimeter.go
--- snapd-2.32.3.2~14.04/progress/ansimeter.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/progress/ansimeter.go	2019-01-16 08:36:51.000000000 +0000
@@ -51,7 +51,7 @@
 	// make cursor invisible
 	cursorInvisible = "\033[?25l"
 	// make cursor visible
-	cursorVisible = "\033[?12;25h"
+	cursorVisible = "\033[?25h"
 	// turn on reverse video
 	enterReverseMode = "\033[7m"
 	// go back to normal video
@@ -152,7 +152,7 @@
 	fmt.Fprint(stdout, "\r", enterReverseMode, string(msg[:i]), exitAttributeMode, string(msg[i:]))
 }
 
-var spinner = []string{".", "o", "O", "o"}
+var spinner = []string{"/", "-", "\\", "|"}
 
 func (p *ANSIMeter) Spin(msgstr string) {
 	msg := []rune(msgstr)
diff -Nru snapd-2.32.3.2~14.04/release/apparmor.go snapd-2.37~rc1~14.04/release/apparmor.go
--- snapd-2.32.3.2~14.04/release/apparmor.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/apparmor.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2015 Canonical Ltd
+ * Copyright (C) 2014-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -20,20 +20,30 @@
 package release
 
 import (
+	"bytes"
 	"fmt"
 	"io/ioutil"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"sort"
 	"strings"
+	"sync"
+
+	"github.com/snapcore/snapd/strutil"
 )
 
-// ApparmorLevelType encodes the kind of support for apparmor
+// AppArmorLevelType encodes the kind of support for apparmor
 // found on this system.
 type AppArmorLevelType int
 
 const (
+	// UnknownAppArmor indicates that apparmor was not probed yet.
+	UnknownAppArmor AppArmorLevelType = iota
 	// NoAppArmor indicates that apparmor is not enabled.
-	NoAppArmor AppArmorLevelType = iota
+	NoAppArmor
+	// UnusableAppArmor indicates that apparmor is enabled but cannot be used.
+	UnusableAppArmor
 	// PartialAppArmor indicates that apparmor is enabled but some
 	// features are missing.
 	PartialAppArmor
@@ -41,44 +51,88 @@
 	FullAppArmor
 )
 
-var (
-	appArmorLevel   AppArmorLevelType
-	appArmorSummary string
-)
-
-func init() {
-	appArmorLevel, appArmorSummary = probeAppArmor()
+func (level AppArmorLevelType) String() string {
+	switch level {
+	case UnknownAppArmor:
+		return "unknown"
+	case NoAppArmor:
+		return "none"
+	case UnusableAppArmor:
+		return "unusable"
+	case PartialAppArmor:
+		return "partial"
+	case FullAppArmor:
+		return "full"
+	}
+	return fmt.Sprintf("AppArmorLevelType:%d", level)
 }
 
-// AppArmorLevel quantifies how well apparmor is supported on the
-// current kernel.
+// appArmorAssessment represents what is supported AppArmor-wise by the system.
+var appArmorAssessment = &appArmorAssess{appArmorProber: &appArmorProbe{}}
+
+// AppArmorLevel quantifies how well apparmor is supported on the current
+// kernel. The computation is costly to perform. The result is cached internally.
 func AppArmorLevel() AppArmorLevelType {
-	return appArmorLevel
+	appArmorAssessment.assess()
+	return appArmorAssessment.level
 }
 
-// AppArmorSummary describes how well apparmor is supported on the
-// current kernel.
+// AppArmorSummary describes how well apparmor is supported on the current
+// kernel. The computation is costly to perform. The result is cached
+// internally.
 func AppArmorSummary() string {
-	return appArmorSummary
+	appArmorAssessment.assess()
+	return appArmorAssessment.summary
 }
 
-// MockAppArmorSupportLevel makes the system believe it has certain
-// level of apparmor support.
-func MockAppArmorLevel(level AppArmorLevelType) (restore func()) {
-	oldAppArmorLevel := appArmorLevel
-	oldAppArmorSummary := appArmorSummary
-	appArmorLevel = level
-	appArmorSummary = fmt.Sprintf("mocked apparmor level: %v", level)
-	return func() {
-		appArmorLevel = oldAppArmorLevel
-		appArmorSummary = oldAppArmorSummary
+// AppArmorKernelFeatures returns a sorted list of apparmor features like
+// []string{"dbus", "network"}. The result is cached internally.
+func AppArmorKernelFeatures() ([]string, error) {
+	return appArmorAssessment.KernelFeatures()
+}
+
+// AppArmorParserFeatures returns a sorted list of apparmor parser features
+// like []string{"unsafe", ...}. The computation is costly to perform. The
+// result is cached internally.
+func AppArmorParserFeatures() ([]string, error) {
+	return appArmorAssessment.ParserFeatures()
+}
+
+// AppArmorParserMtime returns the mtime of the parser, else 0.
+func AppArmorParserMtime() int64 {
+	var mtime int64
+	mtime = 0
+
+	if path, err := findAppArmorParser(); err == nil {
+		if fi, err := os.Stat(path); err == nil {
+			mtime = fi.ModTime().Unix()
+		}
 	}
+	return mtime
 }
 
 // probe related code
+
 var (
-	appArmorFeaturesSysPath  = "/sys/kernel/security/apparmor/features"
-	requiredAppArmorFeatures = []string{
+	// requiredAppArmorParserFeatures denotes the features that must be present in the parser.
+	// Absence of any of those features results in the effective level be at most UnusableAppArmor.
+	requiredAppArmorParserFeatures = []string{
+		"unsafe",
+	}
+	// preferredAppArmorParserFeatures denotes the features that should be present in the parser.
+	// Absence of any of those features results in the effective level be at most PartialAppArmor.
+	preferredAppArmorParserFeatures = []string{
+		"unsafe",
+	}
+	// requiredAppArmorKernelFeatures denotes the features that must be present in the kernel.
+	// Absence of any of those features results in the effective level be at most UnusableAppArmor.
+	requiredAppArmorKernelFeatures = []string{
+		// For now, require at least file and simply prefer the rest.
+		"file",
+	}
+	// preferredAppArmorKernelFeatures denotes the features that should be present in the kernel.
+	// Absence of any of those features results in the effective level be at most PartialAppArmor.
+	preferredAppArmorKernelFeatures = []string{
 		"caps",
 		"dbus",
 		"domain",
@@ -89,47 +143,240 @@
 		"ptrace",
 		"signal",
 	}
+	// Since AppArmorParserMtime() will be called by generateKey() in
+	// system-key and that could be called by different users on the
+	// system, use a predictable search path for finding the parser.
+	appArmorParserSearchPath = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+	// Each apparmor feature is manifested as a directory entry.
+	appArmorFeaturesSysPath = "/sys/kernel/security/apparmor/features"
 )
 
-// isDirectoy is like osutil.IsDirectory but we cannot import this
-// because of import cycles
-func isDirectory(path string) bool {
-	stat, err := os.Stat(path)
-	if err != nil {
-		return false
-	}
-	return stat.IsDir()
+type appArmorProber interface {
+	KernelFeatures() ([]string, error)
+	ParserFeatures() ([]string, error)
 }
 
-func probeAppArmor() (AppArmorLevelType, string) {
-	if !isDirectory(appArmorFeaturesSysPath) {
+type appArmorAssess struct {
+	appArmorProber
+	// level contains the assessment of the "level" of apparmor support.
+	level AppArmorLevelType
+	// summary contains a human readable description of the assessment.
+	summary string
+
+	once sync.Once
+}
+
+func (aaa *appArmorAssess) assess() {
+	aaa.once.Do(func() {
+		aaa.level, aaa.summary = aaa.doAssess()
+	})
+}
+
+func (aaa *appArmorAssess) doAssess() (level AppArmorLevelType, summary string) {
+	// First, quickly check if apparmor is available in the kernel at all.
+	kernelFeatures, err := aaa.KernelFeatures()
+	if os.IsNotExist(err) {
 		return NoAppArmor, "apparmor not enabled"
 	}
-	var missing []string
-	for _, feature := range requiredAppArmorFeatures {
-		if !isDirectory(filepath.Join(appArmorFeaturesSysPath, feature)) {
-			missing = append(missing, feature)
+	// Then check that the parser supports the required parser features.
+	// If we have any missing required features then apparmor is unusable.
+	parserFeatures, err := aaa.ParserFeatures()
+	if os.IsNotExist(err) {
+		return NoAppArmor, "apparmor_parser not found"
+	}
+	var missingParserFeatures []string
+	for _, feature := range requiredAppArmorParserFeatures {
+		if !strutil.SortedListContains(parserFeatures, feature) {
+			missingParserFeatures = append(missingParserFeatures, feature)
+		}
+	}
+	if len(missingParserFeatures) > 0 {
+		summary := fmt.Sprintf("apparmor_parser is available but required parser features are missing: %s",
+			strings.Join(missingParserFeatures, ", "))
+		return UnusableAppArmor, summary
+	}
+
+	// Next, check that the kernel supports the required kernel features.
+	var missingKernelFeatures []string
+	for _, feature := range requiredAppArmorKernelFeatures {
+		if !strutil.SortedListContains(kernelFeatures, feature) {
+			missingKernelFeatures = append(missingKernelFeatures, feature)
+		}
+	}
+	if len(missingKernelFeatures) > 0 {
+		summary := fmt.Sprintf("apparmor is enabled but required kernel features are missing: %s",
+			strings.Join(missingKernelFeatures, ", "))
+		return UnusableAppArmor, summary
+	}
+
+	// Next check that the parser supports preferred parser features.
+	// If we have any missing preferred features then apparmor is partially enabled.
+	for _, feature := range preferredAppArmorParserFeatures {
+		if !strutil.SortedListContains(parserFeatures, feature) {
+			missingParserFeatures = append(missingParserFeatures, feature)
+		}
+	}
+	if len(missingParserFeatures) > 0 {
+		summary := fmt.Sprintf("apparmor_parser is available but some features are missing: %s",
+			strings.Join(missingParserFeatures, ", "))
+		return PartialAppArmor, summary
+	}
+
+	// Lastly check that the kernel supports preferred kernel features.
+	for _, feature := range preferredAppArmorKernelFeatures {
+		if !strutil.SortedListContains(kernelFeatures, feature) {
+			missingKernelFeatures = append(missingKernelFeatures, feature)
 		}
 	}
-	if len(missing) > 0 {
-		return PartialAppArmor, fmt.Sprintf("apparmor is enabled but some features are missing: %s", strings.Join(missing, ", "))
+	if len(missingKernelFeatures) > 0 {
+		summary := fmt.Sprintf("apparmor is enabled but some kernel features are missing: %s",
+			strings.Join(missingKernelFeatures, ", "))
+		return PartialAppArmor, summary
 	}
+
+	// If we got here then all features are available and supported.
 	return FullAppArmor, "apparmor is enabled and all features are available"
 }
 
-// AppArmorFeatures returns a sorted list of apparmor features like
-// []string{"dbus", "network"}.
-func AppArmorFeatures() []string {
+type appArmorProbe struct {
+	// kernelFeatures contains a list of kernel features that are supported.
+	kernelFeatures []string
+	// kernelError contains an error, if any, encountered when
+	// discovering available kernel features.
+	kernelError error
+	// parserFeatures contains a list of parser features that are supported.
+	parserFeatures []string
+	// parserError contains an error, if any, encountered when
+	// discovering available parser features.
+	parserError error
+
+	probeKernelOnce sync.Once
+	probeParserOnce sync.Once
+}
+
+func (aap *appArmorProbe) KernelFeatures() ([]string, error) {
+	aap.probeKernelOnce.Do(func() {
+		aap.kernelFeatures, aap.kernelError = probeAppArmorKernelFeatures()
+	})
+	return aap.kernelFeatures, aap.kernelError
+}
+
+func (aap *appArmorProbe) ParserFeatures() ([]string, error) {
+	aap.probeParserOnce.Do(func() {
+		aap.parserFeatures, aap.parserError = probeAppArmorParserFeatures()
+	})
+	return aap.parserFeatures, aap.parserError
+}
+
+func probeAppArmorKernelFeatures() ([]string, error) {
 	// note that ioutil.ReadDir() is already sorted
 	dentries, err := ioutil.ReadDir(appArmorFeaturesSysPath)
 	if err != nil {
-		return nil
+		return []string{}, err
+	}
+	features := make([]string, 0, len(dentries))
+	for _, fi := range dentries {
+		if fi.IsDir() {
+			features = append(features, fi.Name())
+		}
+	}
+	return features, nil
+}
+
+func probeAppArmorParserFeatures() ([]string, error) {
+	parser, err := findAppArmorParser()
+	if err != nil {
+		return []string{}, err
+	}
+	features := make([]string, 0, 1)
+	if tryAppArmorParserFeature(parser, "change_profile unsafe /**,") {
+		features = append(features, "unsafe")
 	}
-	appArmorFeatures := make([]string, 0, len(dentries))
-	for _, f := range dentries {
-		if isDirectory(filepath.Join(appArmorFeaturesSysPath, f.Name())) {
-			appArmorFeatures = append(appArmorFeatures, f.Name())
+	sort.Strings(features)
+	return features, nil
+}
+
+// findAppArmorParser returns the path of the apparmor_parser binary if one is found.
+func findAppArmorParser() (string, error) {
+	for _, dir := range filepath.SplitList(appArmorParserSearchPath) {
+		path := filepath.Join(dir, "apparmor_parser")
+		if _, err := os.Stat(path); err == nil {
+			return path, nil
 		}
 	}
-	return appArmorFeatures
+	return "", os.ErrNotExist
+}
+
+// tryAppArmorParserFeature attempts to pre-process a bit of apparmor syntax with a given parser.
+func tryAppArmorParserFeature(parser, rule string) bool {
+	cmd := exec.Command(parser, "--preprocess")
+	cmd.Stdin = bytes.NewBufferString(fmt.Sprintf("profile snap-test {\n %s\n}", rule))
+	if err := cmd.Run(); err != nil {
+		return false
+	}
+	return true
+}
+
+// mocking
+
+type mockAppArmorProbe struct {
+	kernelFeatures []string
+	kernelError    error
+	parserFeatures []string
+	parserError    error
+}
+
+func (m *mockAppArmorProbe) KernelFeatures() ([]string, error) {
+	return m.kernelFeatures, m.kernelError
+}
+
+func (m *mockAppArmorProbe) ParserFeatures() ([]string, error) {
+	return m.parserFeatures, m.parserError
+}
+
+// MockAppArmorLevel makes the system believe it has certain level of apparmor
+// support.
+//
+// AppArmor kernel and parser features are set to unrealistic values that do
+// not match the requested level. Use this function to observe behavior that
+// relies solely on the apparmor level value.
+func MockAppArmorLevel(level AppArmorLevelType) (restore func()) {
+	oldAppArmorAssessment := appArmorAssessment
+	mockProbe := &mockAppArmorProbe{
+		kernelFeatures: []string{"mocked-kernel-feature"},
+		parserFeatures: []string{"mocked-parser-feature"},
+	}
+	appArmorAssessment = &appArmorAssess{
+		appArmorProber: mockProbe,
+		level:          level,
+		summary:        fmt.Sprintf("mocked apparmor level: %s", level),
+	}
+	appArmorAssessment.once.Do(func() {})
+	return func() {
+		appArmorAssessment = oldAppArmorAssessment
+	}
+}
+
+// MockAppArmorFeatures makes the system believe it has certain kernel and
+// parser features.
+//
+// AppArmor level and summary are automatically re-assessed as needed
+// on both the change and the restore process. Use this function to
+// observe real assessment of arbitrary features.
+func MockAppArmorFeatures(kernelFeatures []string, kernelError error, parserFeatures []string, parserError error) (restore func()) {
+	oldAppArmorAssessment := appArmorAssessment
+	mockProbe := &mockAppArmorProbe{
+		kernelFeatures: kernelFeatures,
+		kernelError:    kernelError,
+		parserFeatures: parserFeatures,
+		parserError:    parserError,
+	}
+	appArmorAssessment = &appArmorAssess{
+		appArmorProber: mockProbe,
+	}
+	appArmorAssessment.assess()
+	return func() {
+		appArmorAssessment = oldAppArmorAssessment
+	}
+
 }
diff -Nru snapd-2.32.3.2~14.04/release/apparmor_test.go snapd-2.37~rc1~14.04/release/apparmor_test.go
--- snapd-2.32.3.2~14.04/release/apparmor_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/apparmor_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,69 +20,254 @@
 package release_test
 
 import (
+	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/testutil"
 )
 
 type apparmorSuite struct{}
 
 var _ = Suite(&apparmorSuite{})
 
-func (s *apparmorSuite) TestMockAppArmorLevel(c *C) {
-	for _, lvl := range []release.AppArmorLevelType{release.NoAppArmor, release.PartialAppArmor, release.FullAppArmor} {
+func (*apparmorSuite) TestAppArmorLevelTypeStringer(c *C) {
+	c.Check(release.UnknownAppArmor.String(), Equals, "unknown")
+	c.Check(release.NoAppArmor.String(), Equals, "none")
+	c.Check(release.UnusableAppArmor.String(), Equals, "unusable")
+	c.Check(release.PartialAppArmor.String(), Equals, "partial")
+	c.Check(release.FullAppArmor.String(), Equals, "full")
+	c.Check(release.AppArmorLevelType(42).String(), Equals, "AppArmorLevelType:42")
+}
+
+func (*apparmorSuite) TestMockAppArmorLevel(c *C) {
+	for _, lvl := range []release.AppArmorLevelType{release.NoAppArmor, release.UnusableAppArmor, release.PartialAppArmor, release.FullAppArmor} {
 		restore := release.MockAppArmorLevel(lvl)
-		defer restore()
 		c.Check(release.AppArmorLevel(), Equals, lvl)
+		c.Check(release.AppArmorSummary(), testutil.Contains, "mocked apparmor level: ")
+		features, err := release.AppArmorKernelFeatures()
+		c.Check(err, IsNil)
+		c.Check(features, DeepEquals, []string{"mocked-kernel-feature"})
+		features, err = release.AppArmorParserFeatures()
+		c.Check(err, IsNil)
+		c.Check(features, DeepEquals, []string{"mocked-parser-feature"})
+		restore()
 	}
 }
 
-func (s *apparmorSuite) TestProbeAppArmorNoAppArmor(c *C) {
-	restore := release.MockAppArmorFeaturesSysPath("/does/not/exists")
-	defer restore()
+// Using MockAppArmorFeatures yields in apparmor assessment
+func (*apparmorSuite) TestMockAppArmorFeatures(c *C) {
+	// No apparmor in the kernel, apparmor is disabled.
+	restore := release.MockAppArmorFeatures([]string{}, os.ErrNotExist, []string{}, nil)
+	c.Check(release.AppArmorLevel(), Equals, release.NoAppArmor)
+	c.Check(release.AppArmorSummary(), Equals, "apparmor not enabled")
+	features, err := release.AppArmorKernelFeatures()
+	c.Assert(err, Equals, os.ErrNotExist)
+	c.Check(features, DeepEquals, []string{})
+	features, err = release.AppArmorParserFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{})
+	restore()
+
+	// No apparmor_parser, apparmor is disabled.
+	restore = release.MockAppArmorFeatures([]string{}, nil, []string{}, os.ErrNotExist)
+	c.Check(release.AppArmorLevel(), Equals, release.NoAppArmor)
+	c.Check(release.AppArmorSummary(), Equals, "apparmor_parser not found")
+	features, err = release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{})
+	features, err = release.AppArmorParserFeatures()
+	c.Assert(err, Equals, os.ErrNotExist)
+	c.Check(features, DeepEquals, []string{})
+	restore()
+
+	// Complete kernel features but apparmor is unusable because of missing required parser features.
+	restore = release.MockAppArmorFeatures(release.RequiredAppArmorKernelFeatures, nil, []string{}, nil)
+	c.Check(release.AppArmorLevel(), Equals, release.UnusableAppArmor)
+	c.Check(release.AppArmorSummary(), Equals, "apparmor_parser is available but required parser features are missing: unsafe")
+	features, err = release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, release.RequiredAppArmorKernelFeatures)
+	features, err = release.AppArmorParserFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{})
+	restore()
+
+	// Complete parser features but apparmor is unusable because of missing required kernel features.
+	// The dummy feature is there to pretend that apparmor in the kernel is not entirely disabled.
+	restore = release.MockAppArmorFeatures([]string{"dummy-feature"}, nil, release.RequiredAppArmorParserFeatures, nil)
+	c.Check(release.AppArmorLevel(), Equals, release.UnusableAppArmor)
+	c.Check(release.AppArmorSummary(), Equals, "apparmor is enabled but required kernel features are missing: file")
+	features, err = release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{"dummy-feature"})
+	features, err = release.AppArmorParserFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, release.RequiredAppArmorParserFeatures)
+	restore()
+
+	// Required kernel and parser features available, some optional features are missing though.
+	restore = release.MockAppArmorFeatures(release.RequiredAppArmorKernelFeatures, nil, release.RequiredAppArmorParserFeatures, nil)
+	c.Check(release.AppArmorLevel(), Equals, release.PartialAppArmor)
+	c.Check(release.AppArmorSummary(), Equals, "apparmor is enabled but some kernel features are missing: caps, dbus, domain, mount, namespaces, network, ptrace, signal")
+	features, err = release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, release.RequiredAppArmorKernelFeatures)
+	features, err = release.AppArmorParserFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, release.RequiredAppArmorParserFeatures)
+	restore()
 
-	level, summary := release.ProbeAppArmor()
-	c.Check(level, Equals, release.NoAppArmor)
-	c.Check(summary, Equals, "apparmor not enabled")
+	// Preferred kernel and parser features available.
+	restore = release.MockAppArmorFeatures(release.PreferredAppArmorKernelFeatures, nil, release.PreferredAppArmorParserFeatures, nil)
+	c.Check(release.AppArmorLevel(), Equals, release.FullAppArmor)
+	c.Check(release.AppArmorSummary(), Equals, "apparmor is enabled and all features are available")
+	features, err = release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, release.PreferredAppArmorKernelFeatures)
+	features, err = release.AppArmorParserFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, release.PreferredAppArmorParserFeatures)
+	restore()
 }
 
-func (s *apparmorSuite) TestProbeAppArmorPartialAppArmor(c *C) {
-	fakeSysPath := c.MkDir()
-	restore := release.MockAppArmorFeaturesSysPath(fakeSysPath)
+func (s *apparmorSuite) TestProbeAppArmorKernelFeatures(c *C) {
+	d := c.MkDir()
+
+	// Pretend that apparmor kernel features directory doesn't exist.
+	restore := release.MockAppArmorFeaturesSysPath(filepath.Join(d, "non-existent"))
 	defer restore()
+	features, err := release.ProbeAppArmorKernelFeatures()
+	c.Assert(os.IsNotExist(err), Equals, true)
+	c.Check(features, DeepEquals, []string{})
 
-	level, summary := release.ProbeAppArmor()
-	c.Check(level, Equals, release.PartialAppArmor)
-	c.Check(summary, Equals, "apparmor is enabled but some features are missing: caps, dbus, domain, file, mount, namespaces, network, ptrace, signal")
+	// Pretend that apparmor kernel features directory exists but is empty.
+	restore = release.MockAppArmorFeaturesSysPath(d)
+	defer restore()
+	features, err = release.ProbeAppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{})
+
+	// Pretend that apparmor kernel features directory contains some entries.
+	c.Assert(os.Mkdir(filepath.Join(d, "foo"), 0755), IsNil)
+	c.Assert(os.Mkdir(filepath.Join(d, "bar"), 0755), IsNil)
+	features, err = release.ProbeAppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{"bar", "foo"})
 }
 
-func (s *apparmorSuite) TestProbeAppArmorFullAppArmor(c *C) {
-	fakeSysPath := c.MkDir()
-	restore := release.MockAppArmorFeaturesSysPath(fakeSysPath)
-	defer restore()
+func (s *apparmorSuite) TestProbeAppArmorParserFeatures(c *C) {
+	d := c.MkDir()
+
+	var testcases = []struct {
+		exit     string
+		features []string
+	}{
+		{"exit 1", []string{}},
+		{"exit 0", []string{"unsafe"}},
+	}
 
-	for _, feature := range release.RequiredAppArmorFeatures {
-		err := os.Mkdir(filepath.Join(fakeSysPath, feature), 0755)
+	for _, t := range testcases {
+		mockParserCmd := testutil.MockCommand(c, "apparmor_parser", fmt.Sprintf("cat > %s/stdin; %s", d, t.exit))
+		defer mockParserCmd.Restore()
+		restore := release.MockAppArmorParserSearchPath(mockParserCmd.BinDir())
+		defer restore()
+
+		features, err := release.ProbeAppArmorParserFeatures()
+		c.Assert(err, IsNil)
+		c.Check(features, DeepEquals, t.features)
+		c.Check(mockParserCmd.Calls(), DeepEquals, [][]string{{"apparmor_parser", "--preprocess"}})
+		data, err := ioutil.ReadFile(filepath.Join(d, "stdin"))
 		c.Assert(err, IsNil)
+		c.Check(string(data), Equals, "profile snap-test {\n change_profile unsafe /**,\n}")
 	}
 
-	level, summary := release.ProbeAppArmor()
-	c.Check(level, Equals, release.FullAppArmor)
-	c.Check(summary, Equals, "apparmor is enabled and all features are available")
+	// Pretend that we just don't have apparmor_parser at all.
+	restore := release.MockAppArmorParserSearchPath(c.MkDir())
+	defer restore()
+	features, err := release.ProbeAppArmorParserFeatures()
+	c.Check(err, Equals, os.ErrNotExist)
+	c.Check(features, DeepEquals, []string{})
 }
 
 func (s *apparmorSuite) TestInterfaceSystemKey(c *C) {
-	fakeSysPath := c.MkDir()
-	restore := release.MockAppArmorFeaturesSysPath(fakeSysPath)
+	release.FreshAppArmorAssessment()
+
+	d := c.MkDir()
+	restore := release.MockAppArmorFeaturesSysPath(d)
+	defer restore()
+	c.Assert(os.MkdirAll(filepath.Join(d, "policy"), 0755), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(d, "network"), 0755), IsNil)
+
+	mockParserCmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer mockParserCmd.Restore()
+	restore = release.MockAppArmorParserSearchPath(mockParserCmd.BinDir())
 	defer restore()
-	err := os.MkdirAll(filepath.Join(fakeSysPath, "policy"), 0755)
+
+	release.AppArmorLevel()
+
+	features, err := release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{"network", "policy"})
+	features, err = release.AppArmorParserFeatures()
 	c.Assert(err, IsNil)
-	err = os.MkdirAll(filepath.Join(fakeSysPath, "network"), 0755)
+	c.Check(features, DeepEquals, []string{"unsafe"})
+}
+
+func (s *apparmorSuite) TestAppArmorParserMtime(c *C) {
+	// Pretend that we have apparmor_parser.
+	mockParserCmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer mockParserCmd.Restore()
+	restore := release.MockAppArmorParserSearchPath(mockParserCmd.BinDir())
+	defer restore()
+	mtime := release.AppArmorParserMtime()
+	fi, err := os.Stat(filepath.Join(mockParserCmd.BinDir(), "apparmor_parser"))
 	c.Assert(err, IsNil)
+	c.Check(mtime, Equals, fi.ModTime().Unix())
+
+	// Pretend that we don't have apparmor_parser.
+	restore = release.MockAppArmorParserSearchPath(c.MkDir())
+	defer restore()
+	mtime = release.AppArmorParserMtime()
+	c.Check(mtime, Equals, int64(0))
+}
+
+func (s *apparmorSuite) TestFeaturesProbedOnce(c *C) {
+	release.FreshAppArmorAssessment()
 
-	features := release.AppArmorFeatures()
+	d := c.MkDir()
+	restore := release.MockAppArmorFeaturesSysPath(d)
+	defer restore()
+	c.Assert(os.MkdirAll(filepath.Join(d, "policy"), 0755), IsNil)
+	c.Assert(os.MkdirAll(filepath.Join(d, "network"), 0755), IsNil)
+
+	mockParserCmd := testutil.MockCommand(c, "apparmor_parser", "")
+	defer mockParserCmd.Restore()
+	restore = release.MockAppArmorParserSearchPath(mockParserCmd.BinDir())
+	defer restore()
+
+	features, err := release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
 	c.Check(features, DeepEquals, []string{"network", "policy"})
+	features, err = release.AppArmorParserFeatures()
+	c.Assert(err, IsNil)
+	c.Check(features, DeepEquals, []string{"unsafe"})
+
+	// this makes probing fails but is not done again
+	err = os.RemoveAll(d)
+	c.Assert(err, IsNil)
+
+	_, err = release.AppArmorKernelFeatures()
+	c.Assert(err, IsNil)
+
+	// this makes probing fails but is not done again
+	err = os.RemoveAll(mockParserCmd.BinDir())
+	c.Assert(err, IsNil)
+
+	_, err = release.AppArmorParserFeatures()
+	c.Assert(err, IsNil)
 }
diff -Nru snapd-2.32.3.2~14.04/release/export_linux_test.go snapd-2.37~rc1~14.04/release/export_linux_test.go
--- snapd-2.32.3.2~14.04/release/export_linux_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/export_linux_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package release
-
-var (
-	GetKernelRelease = getKernelRelease
-	GetMachineName   = getMachineName
-)
diff -Nru snapd-2.32.3.2~14.04/release/export_test.go snapd-2.37~rc1~14.04/release/export_test.go
--- snapd-2.32.3.2~14.04/release/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -19,7 +19,9 @@
 
 package release
 
-var ReadOSRelease = readOSRelease
+var (
+	ReadOSRelease = readOSRelease
+)
 
 func MockOSReleasePath(filename string) (restore func()) {
 	old := osReleasePath
@@ -40,7 +42,48 @@
 	}
 }
 
+func MockAppArmorParserSearchPath(new string) (restore func()) {
+	oldAppArmorParserSearchPath := appArmorParserSearchPath
+	appArmorParserSearchPath = new
+	return func() {
+		appArmorParserSearchPath = oldAppArmorParserSearchPath
+	}
+}
+
+func MockIoutilReadfile(newReadfile func(string) ([]byte, error)) (restorer func()) {
+	old := ioutilReadFile
+	ioutilReadFile = newReadfile
+	return func() {
+		ioutilReadFile = old
+	}
+}
+
+func MockSELinuxIsEnforcing(isEnforcing func() (bool, error)) (restore func()) {
+	old := selinuxIsEnforcing
+	selinuxIsEnforcing = isEnforcing
+	return func() {
+		selinuxIsEnforcing = old
+	}
+}
+
 var (
-	ProbeAppArmor            = probeAppArmor
-	RequiredAppArmorFeatures = requiredAppArmorFeatures
+	ProbeAppArmorKernelFeatures = probeAppArmorKernelFeatures
+	ProbeAppArmorParserFeatures = probeAppArmorParserFeatures
+
+	RequiredAppArmorKernelFeatures  = requiredAppArmorKernelFeatures
+	RequiredAppArmorParserFeatures  = requiredAppArmorParserFeatures
+	PreferredAppArmorKernelFeatures = preferredAppArmorKernelFeatures
+	PreferredAppArmorParserFeatures = preferredAppArmorParserFeatures
+
+	IsWSL = isWSL
+
+	ProbeSELinux = probeSELinux
 )
+
+func FreshAppArmorAssessment() {
+	appArmorAssessment = &appArmorAssess{appArmorProber: &appArmorProbe{}}
+}
+
+func FreshSecCompProbe() {
+	secCompProber = &secCompProbe{}
+}
diff -Nru snapd-2.32.3.2~14.04/release/release.go snapd-2.37~rc1~14.04/release/release.go
--- snapd-2.32.3.2~14.04/release/release.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/release.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,6 +21,8 @@
 
 import (
 	"bufio"
+	"bytes"
+	"io/ioutil"
 	"os"
 	"strings"
 	"unicode"
@@ -44,6 +46,7 @@
 	return AppArmorLevel() != FullAppArmor
 }
 
+// DistroLike checks if the distribution ID or ID_LIKE matches one of the given names.
 func DistroLike(distros ...string) bool {
 	for _, distro := range distros {
 		if ReleaseInfo.ID == distro || strutil.ListContains(ReleaseInfo.IDLike, distro) {
@@ -108,10 +111,25 @@
 	return osRelease
 }
 
+var ioutilReadFile = ioutil.ReadFile
+
+func isWSL() bool {
+	version, err := ioutilReadFile("/proc/version")
+	if err == nil && bytes.Contains(version, []byte("Microsoft")) {
+		return true
+	}
+
+	return false
+}
+
 // OnClassic states whether the process is running inside a
 // classic Ubuntu system or a native Ubuntu Core image.
 var OnClassic bool
 
+// OnWSL states whether the process is running inside the Windows
+// Subsystem for Linux
+var OnWSL bool
+
 // ReleaseInfo contains data loaded from /etc/os-release on startup.
 var ReleaseInfo OS
 
@@ -119,6 +137,8 @@
 	ReleaseInfo = readOSRelease()
 
 	OnClassic = (ReleaseInfo.ID != "ubuntu-core")
+
+	OnWSL = isWSL()
 }
 
 // MockOnClassic forces the process to appear inside a classic
diff -Nru snapd-2.32.3.2~14.04/release/release_test.go snapd-2.37~rc1~14.04/release/release_test.go
--- snapd-2.32.3.2~14.04/release/release_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/release_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -154,3 +154,21 @@
 		c.Assert(release.ReleaseInfo.ForceDevMode(), Equals, devmode, Commentf("wrong result for %#v", devmode))
 	}
 }
+
+func (s *ReleaseTestSuite) TestNonWSL(c *C) {
+	defer release.MockIoutilReadfile(func(s string) ([]byte, error) {
+		c.Check(s, Equals, "/proc/version")
+		return []byte("Linux version 2.2.19 (herbert@gondolin) (gcc version 2.7.2.3) #1 Wed Mar 20 19:41:41 EST 2002"), nil
+	})()
+
+	c.Check(release.IsWSL(), Equals, false)
+}
+
+func (s *ReleaseTestSuite) TestWSL(c *C) {
+	defer release.MockIoutilReadfile(func(s string) ([]byte, error) {
+		c.Check(s, Equals, "/proc/version")
+		return []byte("Linux version 3.4.0-Microsoft (Microsoft@Microsoft.com) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Wed Dec 31 14:42:53 PST 2014"), nil
+	})()
+
+	c.Check(release.IsWSL(), Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/release/seccomp.go snapd-2.37~rc1~14.04/release/seccomp.go
--- snapd-2.32.3.2~14.04/release/seccomp.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/seccomp.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,37 +20,17 @@
 package release
 
 import (
-	"io/ioutil"
 	"sort"
 	"strings"
+	"sync"
 )
 
-var (
-	secCompAvailableActionsPath = "/proc/sys/kernel/seccomp/actions_avail"
-)
-
-var secCompActions []string
-
-func MockSecCompActions(actions []string) (restore func()) {
-	old := secCompActions
-	secCompActions = actions
-	return func() { secCompActions = old }
-}
+var secCompProber = &secCompProbe{}
 
 // SecCompActions returns a sorted list of seccomp actions like
 // []string{"allow", "errno", "kill", "log", "trace", "trap"}.
 func SecCompActions() []string {
-	if secCompActions == nil {
-		var actions []string
-		contents, err := ioutil.ReadFile(secCompAvailableActionsPath)
-		if err != nil {
-			return actions
-		}
-		actions = strings.Split(strings.TrimRight(string(contents), "\n"), " ")
-		sort.Strings(actions)
-		secCompActions = actions
-	}
-	return secCompActions
+	return secCompProber.actions()
 }
 
 func SecCompSupportsAction(action string) bool {
@@ -61,3 +41,41 @@
 	}
 	return false
 }
+
+// probing
+
+type secCompProbe struct {
+	probedActions []string
+
+	once sync.Once
+}
+
+func (scp *secCompProbe) actions() []string {
+	scp.once.Do(func() {
+		scp.probedActions = probeSecCompActions()
+	})
+	return scp.probedActions
+}
+
+func probeSecCompActions() []string {
+	contents, err := ioutilReadFile("/proc/sys/kernel/seccomp/actions_avail")
+	if err != nil {
+		return []string{}
+	}
+	actions := strings.Split(strings.TrimRight(string(contents), "\n"), " ")
+	sort.Strings(actions)
+	return actions
+}
+
+// mocking
+
+func MockSecCompActions(actions []string) (restore func()) {
+	old := secCompProber
+	secCompProber = &secCompProbe{
+		probedActions: actions,
+	}
+	secCompProber.once.Do(func() {})
+	return func() {
+		secCompProber = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/release/seccomp_test.go snapd-2.37~rc1~14.04/release/seccomp_test.go
--- snapd-2.32.3.2~14.04/release/seccomp_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/seccomp_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,8 @@
 package release_test
 
 import (
+	"io"
+
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/release"
@@ -48,3 +50,20 @@
 	defer reset()
 	c.Check(release.SecCompSupportsAction("log"), Equals, true)
 }
+
+func (s *seccompSuite) TestProbe(c *C) {
+	release.FreshSecCompProbe()
+	r1 := release.MockIoutilReadfile(func(string) ([]byte, error) {
+		return []byte("a b\n"), nil
+	})
+	defer r1()
+
+	c.Check(release.SecCompActions(), DeepEquals, []string{"a", "b"})
+
+	r2 := release.MockIoutilReadfile(func(string) ([]byte, error) {
+		return nil, io.ErrUnexpectedEOF
+	})
+	defer r2()
+
+	c.Check(release.SecCompActions(), DeepEquals, []string{"a", "b"})
+}
diff -Nru snapd-2.32.3.2~14.04/release/selinux.go snapd-2.37~rc1~14.04/release/selinux.go
--- snapd-2.32.3.2~14.04/release/selinux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/selinux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,90 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package release
+
+import (
+	"fmt"
+
+	"github.com/snapcore/snapd/selinux"
+)
+
+// SELinuxLevelType encodes the state of SELinux support found on this system.
+type SELinuxLevelType int
+
+const (
+	// NoSELinux indicates that SELinux is not enabled
+	NoSELinux SELinuxLevelType = iota
+	// SELinux is supported and in permissive mode
+	SELinuxPermissive
+	// SELinux is supported and in enforcing mode
+	SELinuxEnforcing
+)
+
+var (
+	selinuxIsEnabled   = selinux.IsEnabled
+	selinuxIsEnforcing = selinux.IsEnforcing
+)
+
+// SELinuxLevel tells what level of SELinux enforcement is currently used
+func SELinuxLevel() SELinuxLevelType {
+	level, _ := probeSELinux()
+	return level
+}
+
+// SELinuxSummary describes SELinux status
+func SELinuxSummary() string {
+	_, summary := probeSELinux()
+	return summary
+}
+
+// SELinuxStatus returns the current level of SELinux support and a descriptive
+// summary
+func SELinuxStatus() (level SELinuxLevelType, summary string) {
+	return probeSELinux()
+}
+
+func probeSELinux() (SELinuxLevelType, string) {
+	enabled, err := selinuxIsEnabled()
+	if err != nil {
+		return NoSELinux, err.Error()
+	}
+	if !enabled {
+		return NoSELinux, ""
+	}
+
+	enforcing, err := selinuxIsEnforcing()
+	if err != nil {
+		return NoSELinux, fmt.Sprintf("SELinux is enabled, but status cannot be determined: %v", err)
+	}
+	if !enforcing {
+		return SELinuxPermissive, "SELinux is enabled but in permissive mode"
+	}
+	return SELinuxEnforcing, "SELinux is enabled and in enforcing mode"
+}
+
+// MockSELinuxIsEnabled makes the system believe a certain SELinux state is
+// currently true
+func MockSELinuxIsEnabled(isEnabled func() (bool, error)) (restore func()) {
+	old := selinuxIsEnabled
+	selinuxIsEnabled = isEnabled
+	return func() {
+		selinuxIsEnabled = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/release/selinux_test.go snapd-2.37~rc1~14.04/release/selinux_test.go
--- snapd-2.32.3.2~14.04/release/selinux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/selinux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,98 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package release_test
+
+import (
+	"errors"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/release"
+)
+
+type selinuxSuite struct{}
+
+var _ = Suite(&selinuxSuite{})
+
+func (s *selinuxSuite) TestProbeNone(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return false, nil })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.NoSELinux)
+	c.Assert(status, Equals, "")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbeEnforcingHappy(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, nil })
+	defer restore()
+	restore = release.MockSELinuxIsEnforcing(func() (bool, error) { return true, nil })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.SELinuxEnforcing)
+	c.Assert(status, Equals, "SELinux is enabled and in enforcing mode")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbeEnabledError(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, errors.New("so much fail") })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.NoSELinux)
+	c.Assert(status, Equals, "so much fail")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbeEnforcingError(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, nil })
+	defer restore()
+	restore = release.MockSELinuxIsEnforcing(func() (bool, error) { return true, errors.New("so much fail") })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.NoSELinux)
+	c.Assert(status, Equals, "SELinux is enabled, but status cannot be determined: so much fail")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
+
+func (s *selinuxSuite) TestProbePermissive(c *C) {
+	restore := release.MockSELinuxIsEnabled(func() (bool, error) { return true, nil })
+	defer restore()
+	restore = release.MockSELinuxIsEnforcing(func() (bool, error) { return false, nil })
+	defer restore()
+
+	level, status := release.ProbeSELinux()
+	c.Assert(level, Equals, release.SELinuxPermissive)
+	c.Assert(status, Equals, "SELinux is enabled but in permissive mode")
+
+	c.Assert(release.SELinuxLevel(), Equals, level)
+	c.Assert(release.SELinuxSummary(), Equals, status)
+}
diff -Nru snapd-2.32.3.2~14.04/release/uname_linux.go snapd-2.37~rc1~14.04/release/uname_linux.go
--- snapd-2.32.3.2~14.04/release/uname_linux.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/uname_linux.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,87 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package release
-
-import (
-	"syscall"
-)
-
-// We have to implement separate functions for the kernel version and the
-// machine name at the moment as the utsname struct is either using int8
-// or uint8 depending on the architecture the code is built for. As there
-// is no easy way to generlize this implements the same code twice. The
-// way to get this solved is by using []byte inside the utsname struct
-// instead of []int8/[]uint8. See https://github.com/golang/go/issues/20753
-// for details.
-
-func getKernelRelease(buf *syscall.Utsname) string {
-	// The Utsname structures uses [65]int8 or [65]uint8, depending on
-	// architecture, to represent various fields. We need to convert them to
-	// strings.
-	input := buf.Release[:]
-	output := make([]byte, 0, len(input))
-	for _, c := range input {
-		// The input buffer has fixed size but we want to break at the first
-		// zero we encounter.
-		if c == 0 {
-			break
-		}
-		output = append(output, byte(c))
-	}
-	return string(output)
-}
-
-func getMachineName(buf *syscall.Utsname) string {
-	// The Utsname structures uses [65]int8 or [65]uint8, depending on
-	// architecture, to represent various fields. We need to convert them to
-	// strings.
-	input := buf.Machine[:]
-	output := make([]byte, 0, len(input))
-	for _, c := range input {
-		// The input buffer has fixed size but we want to break at the first
-		// zero we encounter.
-		if c == 0 {
-			break
-		}
-		output = append(output, byte(c))
-	}
-	return string(output)
-}
-
-// KernelVersion returns the version of the kernel or the string "unknown" if one cannot be determined.
-func KernelVersion() string {
-	var buf syscall.Utsname
-	err := syscall.Uname(&buf)
-	if err != nil {
-		return "unknown"
-	}
-	// Release is more informative than Version.
-	return getKernelRelease(&buf)
-}
-
-// Machine returns the name of the machine or the string "unknown" if one cannot be determined.
-func Machine() string {
-	var buf syscall.Utsname
-	err := syscall.Uname(&buf)
-	if err != nil {
-		return "unknown"
-	}
-	return getMachineName(&buf)
-}
diff -Nru snapd-2.32.3.2~14.04/release/uname_linux_test.go snapd-2.37~rc1~14.04/release/uname_linux_test.go
--- snapd-2.32.3.2~14.04/release/uname_linux_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/release/uname_linux_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2017 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package release_test
-
-import (
-	"syscall"
-
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/release"
-)
-
-func (s *ReleaseTestSuite) TestKernelVersion(c *C) {
-	ver := release.KernelVersion()
-	// Ensure that we got something.
-	c.Check(ver, Not(Equals), "")
-}
-
-func (s *ReleaseTestSuite) TestGetKernelRelease(c *C) {
-	var buf syscall.Utsname
-	c.Check(release.GetKernelRelease(&buf), Equals, "")
-
-	buf.Release[0] = 'f'
-	buf.Release[1] = 'o'
-	buf.Release[2] = 'o'
-	buf.Release[3] = 0
-	buf.Release[4] = 'u'
-	buf.Release[5] = 'n'
-	buf.Release[6] = 'u'
-	buf.Release[7] = 's'
-	buf.Release[8] = 'e'
-	buf.Release[9] = 'd'
-
-	c.Check(release.GetKernelRelease(&buf), Equals, "foo")
-}
-
-func (s *ReleaseTestSuite) TestGetKernelMachine(c *C) {
-	var buf syscall.Utsname
-	c.Check(release.GetMachineName(&buf), Equals, "")
-
-	buf.Machine[0] = 'a'
-	buf.Machine[1] = 'r'
-	buf.Machine[2] = 'm'
-	buf.Machine[3] = 'v'
-	buf.Machine[4] = '7'
-	buf.Machine[5] = 'a'
-	buf.Machine[6] = 0
-	buf.Machine[7] = 'u'
-	buf.Machine[8] = 'n'
-	buf.Machine[9] = 'u'
-	buf.Machine[10] = 's'
-	buf.Machine[11] = 'e'
-	buf.Machine[12] = 'd'
-
-	c.Check(release.GetMachineName(&buf), Equals, "armv7a")
-}
diff -Nru snapd-2.32.3.2~14.04/release-tools/repack-debian-tarball.sh snapd-2.37~rc1~14.04/release-tools/repack-debian-tarball.sh
--- snapd-2.32.3.2~14.04/release-tools/repack-debian-tarball.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/release-tools/repack-debian-tarball.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,92 @@
+#!/bin/sh
+#doc# This script is used to re-pack the "orig" tarball from the Debian package
+#doc# into a suitable upstream release. There are two changes applied: The Debian
+#doc# tarball contains the directory snapd.upstream/ which needs to become
+#doc# snapd-$VERSION. The Debian tarball contains the vendor/ directory which must
+#doc# be removed from one of those.
+#doc#
+#doc# Example usage, using tarball from the archive or from the image ppa:
+#doc#
+#doc# $ wget https://launchpad.net/ubuntu/+archive/primary/+files/snapd_2.31.2.tar.xz
+#doc# $ wget https://launchpad.net/~snappy-dev/+archive/ubuntu/image/+files/snapd_2.32.1.tar.xz
+#doc#
+#doc# $ repack-debian-tarball.sh snapd_2.31.2.tar.xz
+#doc#
+#doc# This will produce three files that need to be added to the github release page:
+#doc#
+#doc# - snapd_2.31.2.no-vendor.tar.xz
+#doc# - snapd_2.31.2.vendor.tar.xz
+#doc# - snapd_2.31.2.only-vendor.xz
+
+set -ue
+
+# Get the filename from argv[1]
+debian_tarball="${1:-}"
+if [ "$debian_tarball" = "" ]; then
+	echo "Usage: repack-debian-tarball.sh <snapd-debian-tarball>"
+	echo
+	grep -e '^#doc#' "$0" | cut -b 7-
+	exit 1
+fi
+
+if [ ! -f "$debian_tarball" ]; then
+	echo "cannot operate on $debian_tarball, no such file"
+	exit 1
+fi
+
+# Extract the upstream version from the filename.
+# For example: snapd_2.31.2.tar.xz => 2.32.2
+# NOTE: There is no dash (-) in the version because snapd is a native Debian package.
+upstream_version="$(echo "$debian_tarball" | cut -d _ -f 2 | sed -e 's/\.tar\..*//')"
+
+# Scratch directory is where the original tarball is unpacked.
+scratch_dir="$(mktemp -d)"
+cleanup() {
+	rm -rf "$scratch_dir"
+}
+trap cleanup EXIT
+
+# Unpack the original with fakeroot (to preserve ownership of files). 
+fakeroot tar \
+	--auto-compress \
+	--extract \
+	--file="$debian_tarball" \
+	--directory="$scratch_dir/"
+
+# Top-level directory may be either snappy.upstream or snapd.upstream, because
+# of small differences between the release manager's laptop and desktop machines.
+if [ -d "$scratch_dir/snapd.upstream" ]; then
+	top_dir=snapd.upstream
+elif [ -d "$scratch_dir/snappy.upstream" ]; then
+	top_dir=snappy.upstream
+elif [ -d "$scratch_dir/snapd-${upstream_version}" ]; then
+	top_dir=snapd-${upstream_version}
+else
+	echo "Unexpected contents of given tarball, expected snap{py,d}.upstream/"
+	exit 1
+fi
+
+# Pack a fully copy with vendor tree
+fakeroot tar \
+	--create \
+	--transform="s/$top_dir/snapd-$upstream_version/" \
+	--file=snapd_"$upstream_version".vendor.tar.xz \
+	--auto-compress \
+	--directory="$scratch_dir/" "$top_dir"
+
+# Pack a copy without vendor tree
+fakeroot tar \
+	--create \
+	--transform="s/$top_dir/snapd-$upstream_version/" \
+	--exclude='snapd*/vendor/*' \
+	--file=snapd_"$upstream_version".no-vendor.tar.xz \
+	--auto-compress \
+	--directory="$scratch_dir/" "$top_dir"
+
+# Pack a copy of the vendor tree
+fakeroot tar \
+	--create \
+	--transform="s/$top_dir/snapd-$upstream_version/" \
+	--file=snapd_"$upstream_version".only-vendor.tar.xz \
+	--auto-compress \
+	--directory="$scratch_dir/" "$top_dir"/vendor/
diff -Nru snapd-2.32.3.2~14.04/run-checks snapd-2.37~rc1~14.04/run-checks
--- snapd-2.32.3.2~14.04/run-checks	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/run-checks	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/sh -eu
 
-if [ "$TRAVIS_BUILD_NUMBER" ]; then
+if [ -n "${TRAVIS_BUILD_NUMBER:-}" ]; then
     echo travis_fold:start:env
     printenv | sort
     echo travis_fold:end:env
@@ -8,9 +8,8 @@
 
 export LANG=C.UTF-8
 export LANGUAGE=en
-set -eu
 
-if which goctest >/dev/null; then
+if command -v goctest >/dev/null; then
     goctest="goctest"
 else
     goctest="go test"
@@ -29,16 +28,16 @@
 export GOPATH="${GOPATH:-$(realpath "$(dirname "$0")"/../../../../)}"
 export PATH="$PATH:${GOPATH%%:*}/bin"
 
+short=
+
 STATIC=
 UNIT=
 SPREAD=
-DEPRECATED=
 
 case "${1:-all}" in
     all)
         STATIC=1
         UNIT=1
-        DEPRECATED=1
         ;;
     --static)
         STATIC=1
@@ -46,6 +45,10 @@
     --unit)
         UNIT=1
         ;;
+    --short-unit)
+        UNIT=1
+        short=1
+        ;;
     --spread)
         SPREAD=1
         ;;
@@ -56,12 +59,15 @@
 
 CURRENTTRAP="true"
 EXIT_CODE=99
+
 store_exit_code() {
     EXIT_CODE=$?
 }
+
 exit_with_exit_code() {
     exit $EXIT_CODE
 }
+
 addtrap() {
     CURRENTTRAP="$CURRENTTRAP ; $1"
     # shellcheck disable=SC2064
@@ -99,7 +105,7 @@
     core_snap_yaml="tests/lib/snaps/test-snapd-policy-app-provider-core/meta/snap.yaml"
     classic_snap_yaml="tests/lib/snaps/test-snapd-policy-app-provider-classic/meta/snap.yaml"
     for iface in $(go run ./tests/lib/list-interfaces.go) ; do
-        search="plugs: \[ $iface \]"
+        search="plugs: \\[ $iface \\]"
         case "$iface" in
             bool-file|gpio|hidraw|i2c|iio|serial-port|spi)
                 # skip gadget provided interfaces for now
@@ -109,7 +115,7 @@
                 search="interface: $iface"
                 ;;
             autopilot)
-                search="plugs: \[ autopilot-introspection \]"
+                search='plugs: \[ autopilot-introspection \]'
                 ;;
         esac
         if ! grep -q "$search" "$snap_yaml" ; then
@@ -133,15 +139,15 @@
     echo Checking formatting
     fmt=""
     for dir in $(go list -f '{{.Dir}}' ./... | grep -v '/vendor/' ); do
-        s="$(gofmt -s -l "$dir")"
+        s="$(gofmt -s -l "$dir" | grep -v /vendor/ || true)"
         if [ -n "$s" ]; then
-            fmt="$s\n$fmt"
+            fmt="$s\\n$fmt"
         fi
     done
 
     if [ -n "$fmt" ]; then
         echo "Formatting wrong in following files:"
-        echo "$fmt"
+        echo "$fmt" | sed -e 's/\\n/\n/g'
         exit 1
     fi
 
@@ -154,7 +160,7 @@
     for dir in $(go list -f '{{.Dir}}' ./... | grep -v '/vendor/' ); do
         s="$(grep -nP 'http\.Status(?!Text)' "$dir"/*.go || true)"
         if [ -n "$s" ]; then
-            got="$s\n$got"
+            got="$s\\n$got"
         fi
     done
 
@@ -164,24 +170,25 @@
         exit 1
     fi
 
-    if which shellcheck >/dev/null; then
+    if command -v shellcheck >/dev/null; then
         echo Checking shell scripts...
         ( git ls-files -z 2>/dev/null ||
                 find . \( -name .git -o -name vendor \) -prune -o -print0 ) |
             xargs -0 file -N |
             awk -F": " '$2~/shell.script/{print $1}' |
             xargs shellcheck
-        regexp='GOPATH(?!%%:\*)(?!:)[^=]*/'
-        if grep -qPr --exclude HACKING.md --exclude-dir .git --exclude-dir vendor "$regexp"; then
+        regexp='GOPATH(?!%%:\*)(?!:)[^= ]*/'
+        if  grep -qPr                   --exclude HACKING.md --exclude 'Makefile.*' --exclude-dir .git --exclude-dir vendor "$regexp"; then
             echo "Using GOPATH as if it were a single entry and not a list:"
-            grep -PHrn -C1 --color=auto --exclude HACKING.md --exclude-dir .git --exclude-dir vendor "$regexp"
+            grep -PHrn -C1 --color=auto --exclude HACKING.md --exclude 'Makefile.*' --exclude-dir .git --exclude-dir vendor "$regexp"
+            echo "Use GOHOME, or {GOPATH%%:*}, instead."
             exit 1
         fi
         unset regexp
     fi
 
     echo Checking spelling errors
-    if ! which misspell >/dev/null; then
+    if ! command -v misspell >/dev/null; then
         go get -u github.com/client9/misspell/cmd/misspell
     fi
     for file in *; do
@@ -192,17 +199,17 @@
     done
 
     echo Checking for ineffective assignments
-    if ! which ineffassign >/dev/null; then
+    if ! command -v ineffassign >/dev/null; then
         go get -u github.com/gordonklaus/ineffassign
     fi
     # ineffassign knows about ignoring vendor/ \o/
     ineffassign .
 
     echo Checking for naked returns
-    if ! which nakedret >/dev/null; then
+    if ! command -v nakedret >/dev/null; then
         go get -u github.com/alexkohler/nakedret
     fi
-    got=$(nakedret ./... 2>&1)
+    got=$(go list ./... | grep -v '/osutil/udev/' | grep -v '/vendor/' | xargs nakedret 2>&1)
     if [ -n "$got" ]; then
         echo "$got"
         exit 1
@@ -210,34 +217,41 @@
 
     echo Checking all interfaces have minimal spread test
     missing_interface_spread_test
+
+    # FIXME: re-add staticcheck with a matching version for the used go-version
 fi
 
 if [ "$UNIT" = 1 ]; then
     ./get-deps.sh
 
-    # Prepare the coverage output profile.
-    rm -rf .coverage
-    mkdir .coverage
-    echo "mode: $COVERMODE" > .coverage/coverage.out
-
     echo Building
     go build -v github.com/snapcore/snapd/...
 
     # tests
     echo Running tests from "$PWD"
-    if dpkg --compare-versions "$(go version | awk '$3 ~ /^go[0-9]/ {print substr($3, 3)}')" ge 1.10; then
-        $goctest -v -coverprofile=.coverage/coverage.out -covermode="$COVERMODE" $(go list ./... | grep -v '/vendor/' )
+    if [ "$short" = 1 ]; then
+            # shellcheck disable=SC2046
+            $goctest -short -v $(go list ./... | grep -v '/vendor/' )
     else
-        for pkg in $(go list ./... | grep -v '/vendor/' ); do
-            go test -i "$pkg"
-            $goctest -v -coverprofile=.coverage/profile.out -covermode="$COVERMODE" "$pkg"
-            append_coverage .coverage/profile.out
-        done
-    fi
-
-    # upload to codecov.io if on travis
-    if [ "${TRAVIS_BUILD_NUMBER:-}" ]; then
-        curl -s https://codecov.io/bash | bash /dev/stdin -f .coverage/coverage.out
+        # Prepare the coverage output profile.
+        rm -rf .coverage
+        mkdir .coverage
+        echo "mode: $COVERMODE" > .coverage/coverage.out
+
+        if dpkg --compare-versions "$(go version | awk '$3 ~ /^go[0-9]/ {print substr($3, 3)}')" ge 1.10; then
+            # shellcheck disable=SC2046
+            $goctest -v -coverprofile=.coverage/coverage.out -covermode="$COVERMODE" $(go list ./... | grep -v '/vendor/' )
+        else
+            for pkg in $(go list ./... | grep -v '/vendor/' ); do
+                go test -i "$pkg"
+                $goctest -v -coverprofile=.coverage/profile.out -covermode="$COVERMODE" "$pkg"
+                append_coverage .coverage/profile.out
+            done
+        fi
+        # upload to codecov.io if on travis
+        if [ "${TRAVIS_BUILD_NUMBER:-}" ]; then
+            curl -s https://codecov.io/bash | bash /dev/stdin -f .coverage/coverage.out
+        fi
     fi
 fi
 
@@ -248,19 +262,15 @@
     export PATH=$TMP_SPREAD:$PATH
     ( cd "$TMP_SPREAD" && curl -s -O https://niemeyer.s3.amazonaws.com/spread-amd64.tar.gz && tar xzvf spread-amd64.tar.gz )
 
-    spread -v linode:
+    spread google: google-upgrade:tests/upgrade/
 
     # cleanup the debian-ubuntu-14.04
     rm -rf debian-ubuntu-14.04
 fi
 
-if [ "$DEPRECATED" = 1 ]; then
-    ./get-deps.sh
-
-fi
-
 UNCLEAN="$(git status -s|grep '^??')" || true
-if [ -n "$UNCLEAN" ]; then
+SKIP_UNCLEAN=${SKIP_UNCLEAN=}
+if [ -n "$UNCLEAN" ] && [ -z "$SKIP_UNCLEAN" ]; then
     cat <<EOF
 
 There are files left in the git tree after the tests:
diff -Nru snapd-2.32.3.2~14.04/sanity/apparmor_lxd.go snapd-2.37~rc1~14.04/sanity/apparmor_lxd.go
--- snapd-2.32.3.2~14.04/sanity/apparmor_lxd.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/apparmor_lxd.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,51 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity
+
+import (
+	"fmt"
+	"os"
+)
+
+func init() {
+	checks = append(checks, checkApparmorUsable)
+}
+
+var apparmorProfilesPath = "/sys/kernel/security/apparmor/profiles"
+
+func checkApparmorUsable() error {
+	// Check that apparmor is actually usable. In some
+	// configurations of lxd, apparmor looks available when in
+	// reality it isn't. Eg, this can happen when a container runs
+	// unprivileged (eg, root in the container is non-root
+	// outside) and also unconfined (where lxd doesn't set up an
+	// apparmor policy namespace). We can therefore simply check
+	// if /sys/kernel/security/apparmor/profiles is readable (like
+	// aa-status does), and if it isn't, we know we can't manipulate
+	// policy.
+	f, err := os.Open(apparmorProfilesPath)
+	if os.IsPermission(err) {
+		return fmt.Errorf("apparmor detected but insufficient permissions to use it")
+	}
+	if f != nil {
+		f.Close()
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/apparmor_lxd_test.go snapd-2.37~rc1~14.04/sanity/apparmor_lxd_test.go
--- snapd-2.32.3.2~14.04/sanity/apparmor_lxd_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/apparmor_lxd_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,40 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity_test
+
+import (
+	"os"
+	"path/filepath"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/sanity"
+)
+
+func (s *sanitySuite) TestCheckApparmorUsable(c *C) {
+	epermProfilePath := filepath.Join(c.MkDir(), "profiles")
+	restore := sanity.MockAppArmorProfilesPath(epermProfilePath)
+	defer restore()
+	err := os.Chmod(filepath.Dir(epermProfilePath), 0444)
+	c.Assert(err, IsNil)
+
+	err = sanity.CheckApparmorUsable()
+	c.Check(err, ErrorMatches, "apparmor detected but insufficient permissions to use it")
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/check.go snapd-2.37~rc1~14.04/sanity/check.go
--- snapd-2.32.3.2~14.04/sanity/check.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/check.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity
+
+var checks []func() error
+
+func Check() error {
+	for _, f := range checks {
+		if err := f(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/check_test.go snapd-2.37~rc1~14.04/sanity/check_test.go
--- snapd-2.32.3.2~14.04/sanity/check_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/check_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,123 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity_test
+
+import (
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"sort"
+	"strings"
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/sanity"
+)
+
+// Hook up check.v1 into the "go test" runner
+func Test(t *testing.T) { TestingT(t) }
+
+type sanitySuite struct{}
+
+var _ = Suite(&sanitySuite{})
+
+func (s *sanitySuite) TestRunHappy(c *C) {
+	var happyChecks []func() error
+	var happyCheckRan int
+
+	happyChecks = append(happyChecks, func() error {
+		happyCheckRan += 1
+		return nil
+	})
+
+	restore := sanity.MockChecks(happyChecks)
+	defer restore()
+
+	err := sanity.Check()
+	c.Check(err, IsNil)
+	c.Check(happyCheckRan, Equals, 1)
+}
+
+func (s *sanitySuite) TestRunNotHappy(c *C) {
+	var unhappyChecks []func() error
+	var unhappyCheckRan int
+
+	unhappyChecks = append(unhappyChecks, func() error {
+		unhappyCheckRan += 1
+		return nil
+	})
+
+	restore := sanity.MockChecks(unhappyChecks)
+	defer restore()
+
+	err := sanity.Check()
+	c.Check(err, IsNil)
+	c.Check(unhappyCheckRan, Equals, 1)
+}
+
+func (s *sanitySuite) TestUnexportedChecks(c *C) {
+	// collect what funcs we run in sanity.Check
+	var runCheckers []string
+	v := reflect.ValueOf(sanity.Checks())
+	for i := 0; i < v.Len(); i++ {
+		v := v.Index(i)
+		fname := runtime.FuncForPC(v.Pointer()).Name()
+		pos := strings.LastIndexByte(fname, '.')
+		checker := fname[pos+1:]
+		if !strings.HasPrefix(checker, "check") {
+			c.Fatalf(`%q in sanity.Checks does not have "check" prefix`, checker)
+		}
+		runCheckers = append(runCheckers, checker)
+	}
+
+	// collect all "check*" functions
+	goFiles, err := filepath.Glob("*.go")
+	c.Assert(err, IsNil)
+	fset := token.NewFileSet()
+
+	var checkers []string
+	for _, fn := range goFiles {
+		f, err := parser.ParseFile(fset, fn, nil, 0)
+		c.Assert(err, IsNil)
+		ast.Inspect(f, func(n ast.Node) bool {
+			switch x := n.(type) {
+			case *ast.File:
+				return true
+			case *ast.FuncDecl:
+				name := x.Name.Name
+				if strings.HasPrefix(name, "check") {
+					checkers = append(checkers, name)
+				}
+				return false
+			default:
+				return false
+			}
+		})
+	}
+
+	sort.Strings(checkers)
+	sort.Strings(runCheckers)
+
+	c.Check(checkers, DeepEquals, runCheckers)
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/export_test.go snapd-2.37~rc1~14.04/sanity/export_test.go
--- snapd-2.32.3.2~14.04/sanity/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,47 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity
+
+var (
+	CheckSquashfsMount  = checkSquashfsMount
+	CheckKernelVersion  = checkKernelVersion
+	CheckApparmorUsable = checkApparmorUsable
+	CheckWSL            = checkWSL
+)
+
+func Checks() []func() error {
+	return checks
+}
+
+func MockChecks(mockChecks []func() error) (restore func()) {
+	oldChecks := checks
+	checks = mockChecks
+	return func() {
+		checks = oldChecks
+	}
+}
+
+func MockAppArmorProfilesPath(path string) (restorer func()) {
+	old := apparmorProfilesPath
+	apparmorProfilesPath = path
+	return func() {
+		apparmorProfilesPath = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/squashfs.go snapd-2.37~rc1~14.04/sanity/squashfs.go
--- snapd-2.32.3.2~14.04/sanity/squashfs.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/squashfs.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,122 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"compress/gzip"
+	"encoding/base64"
+
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/squashfs"
+)
+
+func init() {
+	checks = append(checks, checkSquashfsMount)
+}
+
+/* This image was created using:
+
+#!/bin/sh
+
+cd $(mktemp -d)
+cat > canary.txt<<'EOF'
+This file is used to check that snapd can read a squashfs image.
+
+The squashfs was generated with:
+EOF
+cat $0 >> canary.txt
+
+mksquashfs . /tmp/canary.squashfs -noappend -comp xz -no-xattrs -no-fragments >/dev/nul
+cat /tmp/canary.squashfs | gzip - | base64
+
+*/
+var b64SquashfsImage = []byte(`
+H4sIAGxdFVsAA8soLixmYmBgyIkVjWZgALEYGFgYBBkuMDECaQYGFQYI4INIMbBB6f9Q0MAI4R+D
+0s+g9A8o/de8KiKKgYExU+meGfOB54wzmBUZuYDiVhPYbR4wTme4H8ugJcWpniK5waL4VLewwsUC
+PgdVnS/pCycWn34g1rpj6bIywdLqaQdZFYQcYr7/vR1w9dTbDivRH3GahXc578hdW3Ri7mu9+KeF
+PqYCrkk/5zepyFw0EjL+XxH/3ubc9E+/J0t0PxE+zv9J96pa0rt9CWyvX6aIvb3H65qo9mbikvjU
+LZxrOupvcr32+2yYFzt1wTe2HdFfrOSmKXFFPf1i5ep7Wv+q+U+nBNWs/nu+UosO6PFvfl991nVG
+R9XSJUxv/7/y2f2zid0+OnGi1+ey1/vatzDPvfbq+0LLwIu1Wx/u+m6/c8IN21vNCQwMX2dtWsHA
++BvodwaGpcmXftsZ8HaDg5ExMsqlgYlhCTisQDEAYiRAQxckNgMooADEjAwH4GqgEQCOK0UgBhrK
+INcAFWRghMtyMiQn5iUWVeqVVJQIwOVh8QmLJ5aGF8wMsIgfBaNgFIyCUTAKRsEoGAWjYBSMglEw
+bAEA+f+YuAAQAAA=
+`)
+
+func checkSquashfsMount() error {
+	tmpSquashfsFile, err := ioutil.TempFile("", "sanity-squashfs-")
+	if err != nil {
+		return err
+	}
+	defer os.Remove(tmpSquashfsFile.Name())
+
+	tmpMountDir, err := ioutil.TempDir("", "sanity-mountpoint-")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tmpMountDir)
+
+	// write the squashfs image
+	b64dec := base64.NewDecoder(base64.StdEncoding, bytes.NewBuffer(b64SquashfsImage))
+	gzReader, err := gzip.NewReader(b64dec)
+	if err != nil {
+		return err
+	}
+	if _, err := io.Copy(tmpSquashfsFile, gzReader); err != nil {
+		return err
+	}
+
+	// the fstype can be squashfs or fuse.{snap,squash}fuse
+	fstype, _, err := squashfs.FsType()
+	if err != nil {
+		return err
+	}
+	cmd := exec.Command("mount", "-t", fstype, tmpSquashfsFile.Name(), tmpMountDir)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("cannot mount squashfs image using %q: %v", fstype, osutil.OutputErr(output, err))
+	}
+
+	defer func() {
+		if output, err := exec.Command("umount", tmpMountDir).CombinedOutput(); err != nil {
+			// os.RemoveAll(tmpMountDir) will fail here if umount fails
+			logger.Noticef("cannot unmount sanity check squashfs image: %v", osutil.OutputErr(output, err))
+		}
+	}()
+
+	// sanity check the
+	content, err := ioutil.ReadFile(filepath.Join(tmpMountDir, "canary.txt"))
+	if err != nil {
+		return fmt.Errorf("squashfs mount returned no err but canary file cannot be read")
+	}
+	if !bytes.HasPrefix(content, []byte("This file is used to check that snapd can read a squashfs image.")) {
+		return fmt.Errorf("unexpected squashfs canary content: %q", content)
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/squashfs_test.go snapd-2.37~rc1~14.04/sanity/squashfs_test.go
--- snapd-2.32.3.2~14.04/sanity/squashfs_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/squashfs_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,95 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/osutil/squashfs"
+	"github.com/snapcore/snapd/sanity"
+	"github.com/snapcore/snapd/testutil"
+)
+
+func (s *sanitySuite) TestCheckSquashfsMountHappy(c *C) {
+	restore := squashfs.MockUseFuse(false)
+	defer restore()
+
+	// we create a canary.txt with the same prefix as the real one
+	mockMount := testutil.MockCommand(c, "mount", "echo 'This file is used to check that snapd can read a squashfs image.' > $4/canary.txt")
+	defer mockMount.Restore()
+
+	mockUmount := testutil.MockCommand(c, "umount", "")
+	defer mockUmount.Restore()
+
+	err := sanity.CheckSquashfsMount()
+	c.Check(err, IsNil)
+
+	c.Check(mockMount.Calls(), HasLen, 1)
+	c.Check(mockUmount.Calls(), HasLen, 1)
+
+	squashfsFile := mockMount.Calls()[0][3]
+	mountPoint := mockMount.Calls()[0][4]
+	c.Check(mockMount.Calls(), DeepEquals, [][]string{
+		{"mount", "-t", "squashfs", squashfsFile, mountPoint},
+	})
+	c.Check(mockUmount.Calls(), DeepEquals, [][]string{
+		{"umount", mountPoint},
+	})
+}
+
+func (s *sanitySuite) TestCheckSquashfsMountNotHappy(c *C) {
+	restore := squashfs.MockUseFuse(false)
+	defer restore()
+
+	mockMount := testutil.MockCommand(c, "mount", "echo iz-broken;false")
+	defer mockMount.Restore()
+
+	mockUmount := testutil.MockCommand(c, "umount", "")
+	defer mockUmount.Restore()
+
+	err := sanity.CheckSquashfsMount()
+	c.Check(err, ErrorMatches, "cannot mount squashfs image using.*")
+
+	c.Check(mockMount.Calls(), HasLen, 1)
+	c.Check(mockUmount.Calls(), HasLen, 0)
+
+	squashfsFile := mockMount.Calls()[0][3]
+	mountPoint := mockMount.Calls()[0][4]
+	c.Check(mockMount.Calls(), DeepEquals, [][]string{
+		{"mount", "-t", "squashfs", squashfsFile, mountPoint},
+	})
+}
+
+func (s *sanitySuite) TestCheckSquashfsMountWrongContent(c *C) {
+	restore := squashfs.MockUseFuse(false)
+	defer restore()
+
+	mockMount := testutil.MockCommand(c, "mount", "echo 'wrong content' > $4/canary.txt")
+	defer mockMount.Restore()
+
+	mockUmount := testutil.MockCommand(c, "umount", "")
+	defer mockUmount.Restore()
+
+	err := sanity.CheckSquashfsMount()
+	c.Check(err, ErrorMatches, `unexpected squashfs canary content: "wrong content\\n"`)
+
+	c.Check(mockMount.Calls(), HasLen, 1)
+	c.Check(mockUmount.Calls(), HasLen, 1)
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/version.go snapd-2.37~rc1~14.04/sanity/version.go
--- snapd-2.32.3.2~14.04/sanity/version.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/version.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,102 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"strings"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/strutil"
+)
+
+func init() {
+	checks = append(checks, checkKernelVersion)
+}
+
+// supportsMayDetachMounts checks whether a RHEL 7.4+ specific kernel knob is present
+// and set to proper value
+func supportsMayDetachMounts(kver string) error {
+	p := filepath.Join(dirs.GlobalRootDir, "/proc/sys/fs/may_detach_mounts")
+	value, err := ioutil.ReadFile(p)
+	if err != nil {
+		return fmt.Errorf("cannot read the value of fs.may_detach_mounts kernel parameter: %v", err)
+	}
+	if !bytes.Equal(value, []byte("1\n")) {
+		return fmt.Errorf("fs.may_detach_mounts kernel parameter is supported but disabled")
+	}
+	return nil
+}
+
+// checkKernelVersion looks for some unsupported configurations that users may
+// encounter and provides advice on how to resolve them.
+func checkKernelVersion() error {
+	if !release.OnClassic {
+		return nil
+	}
+
+	switch release.ReleaseInfo.ID {
+	case "ubuntu":
+		if release.ReleaseInfo.VersionID == "14.04" {
+			kver := osutil.KernelVersion()
+			// a kernel version looks like this: "4.4.0-112-generic" and
+			// we are only interested in the bits before the "-"
+			kver = strings.SplitN(kver, "-", 2)[0]
+			cmp, err := strutil.VersionCompare(kver, "3.13.0")
+			if err != nil {
+				logger.Noticef("cannot check kernel: %v", err)
+				return nil
+			}
+			if cmp <= 0 {
+				return fmt.Errorf("you need to reboot into a 4.4 kernel to start using snapd")
+			}
+		}
+	case "rhel", "centos":
+		// check for kernel tweaks on RHEL/CentOS 7.5+
+		// CentoS 7.5 has VERSION_ID="7", RHEL 7.6 has VERSION_ID="7.6"
+		if release.ReleaseInfo.VersionID == "" || release.ReleaseInfo.VersionID[0] != '7' {
+			return nil
+		}
+		fullKver := osutil.KernelVersion()
+		// kernel version looks like this: "3.10.0-957.el7.x86_64"
+		kver := strings.SplitN(fullKver, "-", 2)[0]
+		cmp, err := strutil.VersionCompare(kver, "3.18.0")
+		if err != nil {
+			logger.Noticef("cannot check kernel: %v", err)
+			return nil
+		}
+		if cmp < 0 {
+			// pre 3.18 kernels here
+			if idx := strings.Index(fullKver, ".el7."); idx == -1 {
+				// non stock kernel, assume it's not supported
+				return fmt.Errorf("unsupported kernel version %q, you need to switch to the stock kernel", fullKver)
+			}
+			// stock kernel had bugfixes backported to it
+			return supportsMayDetachMounts(kver)
+		}
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/version_test.go snapd-2.37~rc1~14.04/sanity/version_test.go
--- snapd-2.32.3.2~14.04/sanity/version_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/version_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,167 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity_test
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/sanity"
+)
+
+type versionSuite struct{}
+
+var _ = Suite(&versionSuite{})
+
+func (s *sanitySuite) TestFreshInstallOfSnapdOnTrusty(c *C) {
+	// Mock an Ubuntu 14.04 system running a 3.13.0 kernel
+	restore := release.MockOnClassic(true)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "ubuntu", VersionID: "14.04"})
+	defer restore()
+	restore = osutil.MockKernelVersion("3.13.0-35-generic")
+	defer restore()
+
+	// Check for the given advice.
+	err := sanity.CheckKernelVersion()
+	c.Assert(err, ErrorMatches, "you need to reboot into a 4.4 kernel to start using snapd")
+}
+
+func (s *sanitySuite) TestRebootedOnTrusty(c *C) {
+	// Mock an Ubuntu 14.04 system running a 4.4.0 kernel
+	restore := release.MockOnClassic(true)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "ubuntu", VersionID: "14.04"})
+	defer restore()
+	restore = osutil.MockKernelVersion("4.4.0-112-generic")
+	defer restore()
+
+	// Check for the given advice.
+	err := sanity.CheckKernelVersion()
+	c.Assert(err, IsNil)
+}
+
+func (s *sanitySuite) TestRHEL80OK(c *C) {
+	// Mock an Ubuntu 14.04 system running a 4.4.0 kernel
+	restore := release.MockOnClassic(true)
+	defer restore()
+	restore = release.MockReleaseInfo(&release.OS{ID: "rhel", VersionID: "8.0"})
+	defer restore()
+	// RHEL 8 beta
+	restore = osutil.MockKernelVersion("4.18.0-32.el8.x86_64")
+	defer restore()
+
+	// Check for the given advice.
+	err := sanity.CheckKernelVersion()
+	c.Assert(err, IsNil)
+}
+
+func (s *sanitySuite) TestRHEL7x(c *C) {
+	dir := c.MkDir()
+	dirs.SetRootDir(dir)
+	defer dirs.SetRootDir("/")
+	// mock RHEL 7.6
+	restore := release.MockOnClassic(true)
+	defer restore()
+	// VERSION="7.6 (Maipo)"
+	// ID="rhel"
+	// ID_LIKE="fedora"
+	// VERSION_ID="7.6"
+	restore = release.MockReleaseInfo(&release.OS{ID: "rhel", VersionID: "7.6"})
+	defer restore()
+	restore = osutil.MockKernelVersion("3.10.0-957.el7.x86_64")
+	defer restore()
+
+	// pretend the kernel knob is not there
+	err := sanity.CheckKernelVersion()
+	c.Assert(err, ErrorMatches, "cannot read the value of fs.may_detach_mounts kernel parameter: .*")
+
+	p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
+	err = os.MkdirAll(filepath.Dir(p), 0755)
+	c.Assert(err, IsNil)
+
+	// the knob is there, but disabled
+	err = ioutil.WriteFile(p, []byte("0\n"), 0644)
+	c.Assert(err, IsNil)
+
+	err = sanity.CheckKernelVersion()
+	c.Assert(err, ErrorMatches, "fs.may_detach_mounts kernel parameter is supported but disabled")
+
+	// actually enabled
+	err = ioutil.WriteFile(p, []byte("1\n"), 0644)
+	c.Assert(err, IsNil)
+
+	err = sanity.CheckKernelVersion()
+	c.Assert(err, IsNil)
+
+	// custom kernel version, which is old and we have no knowledge about
+	restore = osutil.MockKernelVersion("3.10.0-1024.foo.x86_64")
+	defer restore()
+	err = sanity.CheckKernelVersion()
+	c.Assert(err, ErrorMatches, `unsupported kernel version "3.10.0-1024.foo.x86_64", you need to switch to the stock kernel`)
+
+	// custom kernel version, but new enough
+	restore = osutil.MockKernelVersion("4.18.0-32.foo.x86_64")
+	defer restore()
+	err = sanity.CheckKernelVersion()
+	c.Assert(err, IsNil)
+}
+
+func (s *sanitySuite) TestCentOS7x(c *C) {
+	dir := c.MkDir()
+	dirs.SetRootDir(dir)
+	defer dirs.SetRootDir("/")
+	// mock CentOS 7.5
+	restore := release.MockOnClassic(true)
+	defer restore()
+	// NAME="CentOS Linux"
+	// VERSION="7 (Core)"
+	// ID="centos"
+	// ID_LIKE="rhel fedora"
+	// VERSION_ID="7"
+	restore = release.MockReleaseInfo(&release.OS{ID: "centos", VersionID: "7"})
+	defer restore()
+	restore = osutil.MockKernelVersion("3.10.0-862.14.4.el7.x86_64")
+	defer restore()
+
+	p := filepath.Join(dir, "/proc/sys/fs/may_detach_mounts")
+	err := os.MkdirAll(filepath.Dir(p), 0755)
+	c.Assert(err, IsNil)
+
+	// the knob there, but disabled
+	err = ioutil.WriteFile(p, []byte("0\n"), 0644)
+	c.Assert(err, IsNil)
+
+	err = sanity.CheckKernelVersion()
+	c.Assert(err, ErrorMatches, "fs.may_detach_mounts kernel parameter is supported but disabled")
+
+	// actually enabled
+	err = ioutil.WriteFile(p, []byte("1\n"), 0644)
+	c.Assert(err, IsNil)
+
+	err = sanity.CheckKernelVersion()
+	c.Assert(err, IsNil)
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/wsl.go snapd-2.37~rc1~14.04/sanity/wsl.go
--- snapd-2.32.3.2~14.04/sanity/wsl.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/wsl.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,38 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity
+
+import (
+	"errors"
+
+	"github.com/snapcore/snapd/release"
+)
+
+func init() {
+	checks = append(checks, checkWSL)
+}
+
+func checkWSL() error {
+	if release.OnWSL {
+		return errors.New("snapd does not work inside WSL")
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/sanity/wsl_test.go snapd-2.37~rc1~14.04/sanity/wsl_test.go
--- snapd-2.32.3.2~14.04/sanity/wsl_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/sanity/wsl_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,51 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package sanity_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/sanity"
+)
+
+type wslSuite struct{}
+
+var _ = Suite(&wslSuite{})
+
+func mockOnWSL(on bool) (restore func()) {
+	old := release.OnWSL
+	release.OnWSL = on
+	return func() {
+		release.OnWSL = old
+	}
+}
+
+func (s *wslSuite) TestNonWSL(c *C) {
+	defer mockOnWSL(false)()
+
+	c.Check(sanity.CheckWSL(), IsNil)
+}
+
+func (s *wslSuite) TestWSL(c *C) {
+	defer mockOnWSL(true)()
+
+	c.Check(sanity.CheckWSL(), ErrorMatches, "snapd does not work inside WSL")
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/export_test.go snapd-2.37~rc1~14.04/selinux/export_test.go
--- snapd-2.32.3.2~14.04/selinux/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,43 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux
+
+import (
+	"io/ioutil"
+
+	"gopkg.in/check.v1"
+)
+
+var (
+	GetSELinuxMount = getSELinuxMount
+)
+
+func MockMountInfo(c *check.C, text string) (where string, restore func()) {
+	old := procSelfMountInfo
+	dir := c.MkDir()
+	f, err := ioutil.TempFile(dir, "mountinfo")
+	c.Assert(err, check.IsNil)
+	err = ioutil.WriteFile(f.Name(), []byte(text), 0644)
+	c.Assert(err, check.IsNil)
+	procSelfMountInfo = f.Name()
+	restore = func() {
+		procSelfMountInfo = old
+	}
+	return procSelfMountInfo, restore
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/label_darwin.go snapd-2.37~rc1~14.04/selinux/label_darwin.go
--- snapd-2.32.3.2~14.04/selinux/label_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/label_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux
+
+// VerifyPathContext checks whether a given path is labeled according to its default
+// SELinux context
+func VerifyPathContext(aPath string) (bool, error) {
+	return true, nil
+}
+
+// RestoreContext restores the default SELinux context of given path
+func RestoreContext(aPath string, mode RestoreMode) error {
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/label.go snapd-2.37~rc1~14.04/selinux/label.go
--- snapd-2.32.3.2~14.04/selinux/label.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/label.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,26 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux
+
+// RestoreMode configures how default path context is restored
+type RestoreMode struct {
+	// Recursive indicates whether the default context shall be restored
+	// recursively
+	Recursive bool
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/label_linux.go snapd-2.37~rc1~14.04/selinux/label_linux.go
--- snapd-2.32.3.2~14.04/selinux/label_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/label_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,79 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux
+
+import (
+	"os"
+	"os/exec"
+	"regexp"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+var (
+	// actual matchpathcon -V output:
+	// /home/guest/snap has context unconfined_u:object_r:user_home_t:s0, should be unconfined_u:object_r:snappy_home_t:s0
+	matchIncorrectLabel = regexp.MustCompile("^.* has context .* should be .*\n$")
+)
+
+// VerifyPathContext checks whether a given path is labeled according to its default
+// SELinux context
+func VerifyPathContext(aPath string) (bool, error) {
+	if _, err := os.Stat(aPath); err != nil {
+		// path that cannot be accessed cannot be verified
+		return false, err
+	}
+	// matchpathcon -V verifies whether the context of a path matches the
+	// default
+	cmd := exec.Command("matchpathcon", "-V", aPath)
+	cmd.Env = append(os.Environ(), "LC_ALL=C")
+	out, err := cmd.Output()
+	if err == nil {
+		// the path was verified
+		return true, nil
+	}
+	exit, _ := osutil.ExitCode(err)
+	// exits with 1 when the verification failed or other error occurred,
+	// when verification failed a message like this will be printed to
+	// stdout:
+	//   <the-path> has context <some-context>, should be <some-other-context>
+	// match the message so that we can distinguish a failed verification
+	// case from other errors
+	if exit == 1 && matchIncorrectLabel.Match(out) {
+		return false, nil
+	}
+	return false, err
+}
+
+// RestoreContext restores the default SELinux context of given path
+func RestoreContext(aPath string, mode RestoreMode) error {
+	if _, err := os.Stat(aPath); err != nil {
+		// path that cannot be accessed cannot be restored
+		return err
+	}
+
+	args := make([]string, 0, 2)
+	if mode.Recursive {
+		// -R: recursive
+		args = append(args, "-R")
+	}
+	args = append(args, aPath)
+
+	return exec.Command("restorecon", args...).Run()
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/label_linux_test.go snapd-2.37~rc1~14.04/selinux/label_linux_test.go
--- snapd-2.32.3.2~14.04/selinux/label_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/label_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,139 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os/exec"
+	"path/filepath"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/selinux"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type labelSuite struct {
+	path string
+}
+
+var _ = check.Suite(&labelSuite{})
+
+func (l *labelSuite) SetUpTest(c *check.C) {
+	l.path = filepath.Join(c.MkDir(), "foo")
+	ioutil.WriteFile(l.path, []byte("foo"), 0644)
+}
+
+func (l *labelSuite) TestVerifyHappyOk(c *check.C) {
+	cmd := testutil.MockCommand(c, "matchpathcon", "")
+	defer cmd.Restore()
+
+	ok, err := selinux.VerifyPathContext(l.path)
+	c.Assert(err, check.IsNil)
+	c.Assert(ok, check.Equals, true)
+	c.Assert(cmd.Calls(), check.DeepEquals, [][]string{
+		{"matchpathcon", "-V", l.path},
+	})
+}
+
+func (l *labelSuite) TestVerifyFailGibberish(c *check.C) {
+	cmd := testutil.MockCommand(c, "matchpathcon", "echo gibberish; exit 1 ")
+	defer cmd.Restore()
+
+	ok, err := selinux.VerifyPathContext(l.path)
+	c.Assert(err, check.ErrorMatches, "exit status 1")
+	c.Assert(ok, check.Equals, false)
+}
+
+func (l *labelSuite) TestVerifyFailStatus(c *check.C) {
+	cmd := testutil.MockCommand(c, "matchpathcon", "echo gibberish; exit 5 ")
+	defer cmd.Restore()
+
+	ok, err := selinux.VerifyPathContext(l.path)
+	c.Assert(err, check.ErrorMatches, "exit status 5")
+	c.Assert(ok, check.Equals, false)
+}
+
+func (l *labelSuite) TestVerifyFailNoPath(c *check.C) {
+	cmd := testutil.MockCommand(c, "matchpathcon", ``)
+	defer cmd.Restore()
+
+	ok, err := selinux.VerifyPathContext("does-not-exist")
+	c.Assert(err, check.ErrorMatches, ".* does-not-exist: no such file or directory")
+	c.Assert(ok, check.Equals, false)
+}
+
+func (l *labelSuite) TestVerifyFailNoTool(c *check.C) {
+	if _, err := exec.LookPath("matchpathcon"); err == nil {
+		c.Skip("matchpathcon found in $PATH")
+	}
+	ok, err := selinux.VerifyPathContext(l.path)
+	c.Assert(err, check.ErrorMatches, `exec: "matchpathcon": executable file not found in \$PATH`)
+	c.Assert(ok, check.Equals, false)
+}
+
+func (l *labelSuite) TestVerifyHappyMismatch(c *check.C) {
+	cmd := testutil.MockCommand(c, "matchpathcon", fmt.Sprintf(`
+echo %s has context unconfined_u:object_r:user_home_t:s0, should be unconfined_u:object_r:snappy_home_t:s0
+exit 1`, l.path))
+	defer cmd.Restore()
+
+	ok, err := selinux.VerifyPathContext(l.path)
+	c.Assert(err, check.IsNil)
+	c.Assert(ok, check.Equals, false)
+}
+
+func (l *labelSuite) TestRestoreHappy(c *check.C) {
+	cmd := testutil.MockCommand(c, "restorecon", "")
+	defer cmd.Restore()
+
+	err := selinux.RestoreContext(l.path, selinux.RestoreMode{})
+	c.Assert(err, check.IsNil)
+	c.Assert(cmd.Calls(), check.DeepEquals, [][]string{
+		{"restorecon", l.path},
+	})
+
+	cmd.ForgetCalls()
+
+	err = selinux.RestoreContext(l.path, selinux.RestoreMode{Recursive: true})
+	c.Assert(err, check.IsNil)
+	c.Assert(cmd.Calls(), check.DeepEquals, [][]string{
+		{"restorecon", "-R", l.path},
+	})
+}
+
+func (l *labelSuite) TestRestoreFailNoTool(c *check.C) {
+	if _, err := exec.LookPath("matchpathcon"); err == nil {
+		c.Skip("matchpathcon found in $PATH")
+	}
+	err := selinux.RestoreContext(l.path, selinux.RestoreMode{})
+	c.Assert(err, check.ErrorMatches, `exec: "restorecon": executable file not found in \$PATH`)
+}
+
+func (l *labelSuite) TestRestoreFail(c *check.C) {
+	cmd := testutil.MockCommand(c, "restorecon", "exit 1")
+	defer cmd.Restore()
+
+	err := selinux.RestoreContext(l.path, selinux.RestoreMode{})
+	c.Assert(err, check.ErrorMatches, "exit status 1")
+
+	err = selinux.RestoreContext("does-not-exist", selinux.RestoreMode{})
+	c.Assert(err, check.ErrorMatches, ".* does-not-exist: no such file or directory")
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/selinux_darwin.go snapd-2.37~rc1~14.04/selinux/selinux_darwin.go
--- snapd-2.32.3.2~14.04/selinux/selinux_darwin.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/selinux_darwin.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,29 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux
+
+// IsEnabled checks whether SELinux is enabled
+func IsEnabled() (bool, error) {
+	return false, nil
+}
+
+// IsEnabled checks whether SELinux is in enforcing mode
+func IsEnforcing() (bool, error) {
+	return false, nil
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/selinux_linux.go snapd-2.37~rc1~14.04/selinux/selinux_linux.go
--- snapd-2.32.3.2~14.04/selinux/selinux_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/selinux_linux.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,78 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+
+	"github.com/snapcore/snapd/osutil"
+)
+
+var (
+	procSelfMountInfo = osutil.ProcSelfMountInfo
+)
+
+// IsEnabled checks whether SELinux is enabled
+func IsEnabled() (bool, error) {
+	mnt, err := getSELinuxMount()
+	if err != nil {
+		return false, fmt.Errorf("failed to obtain SELinux mount path: %v", err)
+	}
+	return mnt != "", nil
+}
+
+// IsEnabled checks whether SELinux is in enforcing mode
+func IsEnforcing() (bool, error) {
+	mnt, err := getSELinuxMount()
+	if err != nil {
+		return false, fmt.Errorf("failed to obtain SELinux mount path: %v", err)
+	}
+	if mnt == "" {
+		// not enabled
+		return false, nil
+	}
+
+	rawState, err := ioutil.ReadFile(filepath.Join(mnt, "enforce"))
+	if err != nil {
+		return false, err
+	}
+	switch {
+	case bytes.Equal(rawState, []byte("0")):
+		return false, nil
+	case bytes.Equal(rawState, []byte("1")):
+		return true, nil
+	}
+	return false, fmt.Errorf("unknown SELinux status: %s", rawState)
+}
+
+func getSELinuxMount() (string, error) {
+	mountinfo, err := osutil.LoadMountInfo(procSelfMountInfo)
+	if err != nil {
+		return "", err
+	}
+	for _, entry := range mountinfo {
+		if entry.FsType == "selinuxfs" {
+			return entry.MountDir, nil
+		}
+	}
+	return "", nil
+}
diff -Nru snapd-2.32.3.2~14.04/selinux/selinux_linux_test.go snapd-2.37~rc1~14.04/selinux/selinux_linux_test.go
--- snapd-2.32.3.2~14.04/selinux/selinux_linux_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/selinux/selinux_linux_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,153 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+package selinux_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/selinux"
+)
+
+func Test(t *testing.T) { check.TestingT(t) }
+
+type selinuxSuite struct{}
+
+var _ = check.Suite(&selinuxSuite{})
+
+const selinuxMountInfo = `90 0 252:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw,seclabel
+41 19 0:18 / /sys/fs/selinux rw,relatime shared:20 - selinuxfs selinuxfs rw
+42 21 0:17 / /dev/mqueue rw,relatime shared:26 - mqueue mqueue rw,seclabel
+`
+
+func (s *selinuxSuite) TestGetMount(c *check.C) {
+	_, restore := selinux.MockMountInfo(c, selinuxMountInfo)
+	defer restore()
+
+	mnt, err := selinux.GetSELinuxMount()
+	c.Assert(err, check.IsNil)
+	c.Assert(mnt, check.Equals, "/sys/fs/selinux")
+}
+
+func (s *selinuxSuite) TestIsEnabledHappyEnabled(c *check.C) {
+	_, restore := selinux.MockMountInfo(c, selinuxMountInfo)
+	defer restore()
+
+	enabled, err := selinux.IsEnabled()
+	c.Assert(err, check.IsNil)
+	c.Assert(enabled, check.Equals, true)
+}
+
+func (s *selinuxSuite) TestIsEnabledHappyNoSelinux(c *check.C) {
+	_, restore := selinux.MockMountInfo(c, ``)
+	defer restore()
+
+	enabled, err := selinux.IsEnabled()
+	c.Assert(err, check.IsNil)
+	c.Assert(enabled, check.Equals, false)
+}
+
+func (s *selinuxSuite) TestIsEnabledFailMountInfo(c *check.C) {
+	mi, restore := selinux.MockMountInfo(c, ``)
+	defer restore()
+	err := os.Chmod(mi, 0000)
+	c.Assert(err, check.IsNil)
+
+	enabled, err := selinux.IsEnabled()
+	c.Assert(err, check.ErrorMatches, `failed to obtain SELinux mount path: .*`)
+	c.Assert(enabled, check.Equals, false)
+}
+
+func (s *selinuxSuite) TestIsEnabledFailGarbage(c *check.C) {
+	_, restore := selinux.MockMountInfo(c, `garbage`)
+	defer restore()
+
+	enabled, err := selinux.IsEnabled()
+	c.Assert(err, check.ErrorMatches, `failed to obtain SELinux mount path: .*`)
+	c.Assert(enabled, check.Equals, false)
+}
+
+func (s *selinuxSuite) TestIsEnforcingHappy(c *check.C) {
+	dir := c.MkDir()
+	miLine := fmt.Sprintf("41 19 0:18 / %s rw,relatime shared:20 - selinuxfs selinuxfs rw\n", dir)
+	_, restore := selinux.MockMountInfo(c, miLine)
+	defer restore()
+
+	enforcePath := filepath.Join(dir, "enforce")
+
+	err := ioutil.WriteFile(enforcePath, []byte("1"), 0644)
+	c.Assert(err, check.IsNil)
+
+	enforcing, err := selinux.IsEnforcing()
+	c.Assert(err, check.IsNil)
+	c.Assert(enforcing, check.Equals, true)
+
+	err = ioutil.WriteFile(enforcePath, []byte("0"), 0644)
+	c.Assert(err, check.IsNil)
+
+	enforcing, err = selinux.IsEnforcing()
+	c.Assert(err, check.IsNil)
+	c.Assert(enforcing, check.Equals, false)
+}
+
+func (s *selinuxSuite) TestIsEnforcingNoSELinux(c *check.C) {
+	_, restore := selinux.MockMountInfo(c, ``)
+	defer restore()
+
+	enforcing, err := selinux.IsEnforcing()
+	c.Assert(err, check.IsNil)
+	c.Assert(enforcing, check.Equals, false)
+}
+
+func (s *selinuxSuite) TestIsEnforcingFailGarbage(c *check.C) {
+	dir := c.MkDir()
+	miLine := fmt.Sprintf("41 19 0:18 / %s rw,relatime shared:20 - selinuxfs selinuxfs rw\n", dir)
+	_, restore := selinux.MockMountInfo(c, miLine)
+	defer restore()
+
+	enforcePath := filepath.Join(dir, "enforce")
+
+	err := ioutil.WriteFile(enforcePath, []byte("garbage"), 0644)
+	c.Assert(err, check.IsNil)
+
+	enforcing, err := selinux.IsEnforcing()
+	c.Assert(err, check.ErrorMatches, "unknown SELinux status: garbage")
+	c.Assert(enforcing, check.Equals, false)
+}
+
+func (s *selinuxSuite) TestIsEnforcingFailOther(c *check.C) {
+	dir := c.MkDir()
+	miLine := fmt.Sprintf("41 19 0:18 / %s rw,relatime shared:20 - selinuxfs selinuxfs rw\n", dir)
+	_, restore := selinux.MockMountInfo(c, miLine)
+	defer restore()
+
+	enforcePath := filepath.Join(dir, "enforce")
+
+	err := ioutil.WriteFile(enforcePath, []byte("not-readable"), 0000)
+	c.Assert(err, check.IsNil)
+
+	enforcing, err := selinux.IsEnforcing()
+	c.Assert(err, check.ErrorMatches, "open .*: permission denied")
+	c.Assert(enforcing, check.Equals, false)
+}
diff -Nru snapd-2.32.3.2~14.04/snap/broken.go snapd-2.37~rc1~14.04/snap/broken.go
--- snapd-2.32.3.2~14.04/snap/broken.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/broken.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,18 +27,26 @@
 	"github.com/snapcore/snapd/dirs"
 )
 
+// GuessAppsForBroken guesses what apps and services a broken snap has
+// on the system by searching for matches based on the snap name in
+// the snap binaries and service file directories. It returns a
+// mapping from app names to partial AppInfo.
 func GuessAppsForBroken(info *Info) map[string]*AppInfo {
 	out := make(map[string]*AppInfo)
 
 	// guess binaries first
-	name := info.SuggestedName
+	name := info.InstanceName()
 	for _, p := range []string{name, fmt.Sprintf("%s.*", name)} {
 		matches, _ := filepath.Glob(filepath.Join(dirs.SnapBinariesDir, p))
 		for _, m := range matches {
 			l := strings.SplitN(filepath.Base(m), ".", 2)
 			var appname string
 			if len(l) == 1 {
-				appname = l[0]
+				// when app is named the same as snap, it will
+				// be available under '<snap>' name, if the snap
+				// was installed with instance key, the app will
+				// be named `<snap>_<instance>'
+				appname = InstanceSnap(l[0])
 			} else {
 				appname = l[1]
 			}
@@ -70,15 +78,15 @@
 // was not validated before.  To avoid a flag day and any potential issues,
 // transparently rename the two clashing plugs by appending the "-plug" suffix.
 func (info *Info) renameClashingCorePlugs() {
-	if info.Name() == "core" && info.Type == TypeOS {
+	if info.InstanceName() == "core" && info.Type == TypeOS {
 		for _, plugName := range []string{"network-bind", "core-support"} {
-			info.renamePlug(plugName, plugName+"-plug")
+			info.forceRenamePlug(plugName, plugName+"-plug")
 		}
 	}
 }
 
-// renamePlug renames the plug from oldName to newName, if present.
-func (info *Info) renamePlug(oldName, newName string) {
+// forceRenamePlug renames the plug from oldName to newName, if present.
+func (info *Info) forceRenamePlug(oldName, newName string) {
 	if plugInfo, ok := info.Plugs[oldName]; ok {
 		delete(info.Plugs, oldName)
 		info.Plugs[newName] = plugInfo
diff -Nru snapd-2.32.3.2~14.04/snap/broken_test.go snapd-2.37~rc1~14.04/snap/broken_test.go
--- snapd-2.32.3.2~14.04/snap/broken_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/broken_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -53,26 +53,42 @@
 func (s *brokenSuite) TestGuessAppsForBrokenBinaries(c *C) {
 	touch(c, filepath.Join(dirs.SnapBinariesDir, "foo"))
 	touch(c, filepath.Join(dirs.SnapBinariesDir, "foo.bar"))
+	touch(c, filepath.Join(dirs.SnapBinariesDir, "foo_instance"))
+	touch(c, filepath.Join(dirs.SnapBinariesDir, "foo_instance.baz"))
 
 	info := &snap.Info{SuggestedName: "foo"}
 	apps := snap.GuessAppsForBroken(info)
 	c.Check(apps, HasLen, 2)
 	c.Check(apps["foo"], DeepEquals, &snap.AppInfo{Snap: info, Name: "foo"})
 	c.Check(apps["bar"], DeepEquals, &snap.AppInfo{Snap: info, Name: "bar"})
+
+	info = &snap.Info{SuggestedName: "foo", InstanceKey: "instance"}
+	apps = snap.GuessAppsForBroken(info)
+	c.Check(apps, HasLen, 2)
+	c.Check(apps["foo"], DeepEquals, &snap.AppInfo{Snap: info, Name: "foo"})
+	c.Check(apps["baz"], DeepEquals, &snap.AppInfo{Snap: info, Name: "baz"})
 }
 
 func (s *brokenSuite) TestGuessAppsForBrokenServices(c *C) {
 	touch(c, filepath.Join(dirs.SnapServicesDir, "snap.foo.foo.service"))
 	touch(c, filepath.Join(dirs.SnapServicesDir, "snap.foo.bar.service"))
+	touch(c, filepath.Join(dirs.SnapServicesDir, "snap.foo_instance.foo.service"))
+	touch(c, filepath.Join(dirs.SnapServicesDir, "snap.foo_instance.baz.service"))
 
 	info := &snap.Info{SuggestedName: "foo"}
 	apps := snap.GuessAppsForBroken(info)
 	c.Check(apps, HasLen, 2)
 	c.Check(apps["foo"], DeepEquals, &snap.AppInfo{Snap: info, Name: "foo", Daemon: "simple"})
 	c.Check(apps["bar"], DeepEquals, &snap.AppInfo{Snap: info, Name: "bar", Daemon: "simple"})
+
+	info = &snap.Info{SuggestedName: "foo", InstanceKey: "instance"}
+	apps = snap.GuessAppsForBroken(info)
+	c.Check(apps, HasLen, 2)
+	c.Check(apps["foo"], DeepEquals, &snap.AppInfo{Snap: info, Name: "foo", Daemon: "simple"})
+	c.Check(apps["baz"], DeepEquals, &snap.AppInfo{Snap: info, Name: "baz", Daemon: "simple"})
 }
 
-func (s *brokenSuite) TestRenamePlug(c *C) {
+func (s *brokenSuite) TestForceRenamePlug(c *C) {
 	snapInfo := snaptest.MockInvalidInfo(c, `name: core
 version: 0
 plugs:
@@ -95,7 +111,7 @@
 	c.Assert(snapInfo.Hooks["configure"].Plugs["old"], DeepEquals, snapInfo.Plugs["old"])
 
 	// Rename the plug now.
-	snapInfo.RenamePlug("old", "new")
+	snapInfo.ForceRenamePlug("old", "new")
 
 	// Check that there's no trace of the old plug name.
 	c.Assert(snapInfo.Plugs["old"], IsNil)
diff -Nru snapd-2.32.3.2~14.04/snap/channel.go snapd-2.37~rc1~14.04/snap/channel.go
--- snapd-2.32.3.2~14.04/snap/channel.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/channel.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,171 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snap
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/snapcore/snapd/arch"
+	"github.com/snapcore/snapd/strutil"
+)
+
+var channelRisks = []string{"stable", "candidate", "beta", "edge"}
+
+// Channel identifies and describes completely a store channel.
+type Channel struct {
+	Architecture string `json:"architecture"`
+	Name         string `json:"name"`
+	Track        string `json:"track"`
+	Risk         string `json:"risk"`
+	Branch       string `json:"branch,omitempty"`
+}
+
+// ParseChannel parses a string representing a store channel and includes the given architecture, if architecture is "" the system architecture is included.
+func ParseChannel(s string, architecture string) (Channel, error) {
+	if s == "" {
+		return Channel{}, fmt.Errorf("channel name cannot be empty")
+	}
+	p := strings.Split(s, "/")
+	var risk, track, branch string
+	switch len(p) {
+	default:
+		return Channel{}, fmt.Errorf("channel name has too many components: %s", s)
+	case 3:
+		track, risk, branch = p[0], p[1], p[2]
+	case 2:
+		if strutil.ListContains(channelRisks, p[0]) {
+			risk, branch = p[0], p[1]
+		} else {
+			track, risk = p[0], p[1]
+		}
+	case 1:
+		if strutil.ListContains(channelRisks, p[0]) {
+			risk = p[0]
+		} else {
+			track = p[0]
+			risk = "stable"
+		}
+	}
+
+	if !strutil.ListContains(channelRisks, risk) {
+		return Channel{}, fmt.Errorf("invalid risk in channel name: %s", s)
+	}
+
+	if architecture == "" {
+		architecture = arch.UbuntuArchitecture()
+	}
+
+	return Channel{
+		Architecture: architecture,
+		Track:        track,
+		Risk:         risk,
+		Branch:       branch,
+	}.Clean(), nil
+}
+
+// Clean returns a Channel with a normalized track and name.
+func (c Channel) Clean() Channel {
+	track := c.Track
+
+	if track == "latest" {
+		track = ""
+	}
+
+	// normalized name
+	name := c.Risk
+	if track != "" {
+		name = track + "/" + name
+	}
+	if c.Branch != "" {
+		name = name + "/" + c.Branch
+	}
+
+	return Channel{
+		Architecture: c.Architecture,
+		Name:         name,
+		Track:        track,
+		Risk:         c.Risk,
+		Branch:       c.Branch,
+	}
+}
+
+func (c Channel) String() string {
+	return c.Name
+}
+
+// Full returns the full name of the channel, inclusive the default track "latest".
+func (c *Channel) Full() string {
+	if c.Track == "" {
+		return "latest/" + c.Name
+	}
+	return c.String()
+}
+
+func riskLevel(risk string) int {
+	for i, r := range channelRisks {
+		if r == risk {
+			return i
+		}
+	}
+	return -1
+}
+
+// ChannelMatch represents on which fields two channels are matching.
+type ChannelMatch struct {
+	Architecture bool
+	Track        bool
+	Risk         bool
+}
+
+// String returns the string represantion of the match, results can be:
+//  "architecture:track:risk"
+//  "architecture:track"
+//  "architecture:risk"
+//  "track:risk"
+//  "architecture"
+//  "track"
+//  "risk"
+//  ""
+func (cm ChannelMatch) String() string {
+	matching := []string{}
+	if cm.Architecture {
+		matching = append(matching, "architecture")
+	}
+	if cm.Track {
+		matching = append(matching, "track")
+	}
+	if cm.Risk {
+		matching = append(matching, "risk")
+	}
+	return strings.Join(matching, ":")
+
+}
+
+// Match returns a ChannelMatch of which fields among architecture,track,risk match between c and c1 store channels, risk is matched taking channel inheritance into account and considering c the requested channel.
+func (c *Channel) Match(c1 *Channel) ChannelMatch {
+	requestedRiskLevel := riskLevel(c.Risk)
+	rl1 := riskLevel(c1.Risk)
+	return ChannelMatch{
+		Architecture: c.Architecture == c1.Architecture,
+		Track:        c.Track == c1.Track,
+		Risk:         requestedRiskLevel >= rl1,
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/snap/channel_test.go snapd-2.37~rc1~14.04/snap/channel_test.go
--- snapd-2.32.3.2~14.04/snap/channel_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/channel_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,211 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package snap_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/arch"
+	"github.com/snapcore/snapd/snap"
+)
+
+type storeChannelSuite struct{}
+
+var _ = Suite(&storeChannelSuite{})
+
+func (s storeChannelSuite) TestParseChannel(c *C) {
+	ch, err := snap.ParseChannel("stable", "")
+	c.Assert(err, IsNil)
+	c.Check(ch, DeepEquals, snap.Channel{
+		Architecture: arch.UbuntuArchitecture(),
+		Name:         "stable",
+		Track:        "",
+		Risk:         "stable",
+		Branch:       "",
+	})
+
+	ch, err = snap.ParseChannel("latest/stable", "")
+	c.Assert(err, IsNil)
+	c.Check(ch, DeepEquals, snap.Channel{
+		Architecture: arch.UbuntuArchitecture(),
+		Name:         "stable",
+		Track:        "",
+		Risk:         "stable",
+		Branch:       "",
+	})
+
+	ch, err = snap.ParseChannel("1.0/edge", "")
+	c.Assert(err, IsNil)
+	c.Check(ch, DeepEquals, snap.Channel{
+		Architecture: arch.UbuntuArchitecture(),
+		Name:         "1.0/edge",
+		Track:        "1.0",
+		Risk:         "edge",
+		Branch:       "",
+	})
+
+	ch, err = snap.ParseChannel("1.0", "")
+	c.Assert(err, IsNil)
+	c.Check(ch, DeepEquals, snap.Channel{
+		Architecture: arch.UbuntuArchitecture(),
+		Name:         "1.0/stable",
+		Track:        "1.0",
+		Risk:         "stable",
+		Branch:       "",
+	})
+
+	ch, err = snap.ParseChannel("1.0/beta/foo", "")
+	c.Assert(err, IsNil)
+	c.Check(ch, DeepEquals, snap.Channel{
+		Architecture: arch.UbuntuArchitecture(),
+		Name:         "1.0/beta/foo",
+		Track:        "1.0",
+		Risk:         "beta",
+		Branch:       "foo",
+	})
+
+	ch, err = snap.ParseChannel("candidate/foo", "")
+	c.Assert(err, IsNil)
+	c.Check(ch, DeepEquals, snap.Channel{
+		Architecture: arch.UbuntuArchitecture(),
+		Name:         "candidate/foo",
+		Track:        "",
+		Risk:         "candidate",
+		Branch:       "foo",
+	})
+
+	ch, err = snap.ParseChannel("candidate/foo", "other-arch")
+	c.Assert(err, IsNil)
+	c.Check(ch, DeepEquals, snap.Channel{
+		Architecture: "other-arch",
+		Name:         "candidate/foo",
+		Track:        "",
+		Risk:         "candidate",
+		Branch:       "foo",
+	})
+}
+
+func (s storeChannelSuite) TestClean(c *C) {
+	ch := snap.Channel{
+		Architecture: "arm64",
+		Track:        "latest",
+		Name:         "latest/stable",
+		Risk:         "stable",
+	}
+
+	cleanedCh := ch.Clean()
+	c.Check(cleanedCh, Not(DeepEquals), c)
+	c.Check(cleanedCh, DeepEquals, snap.Channel{
+		Architecture: "arm64",
+		Track:        "",
+		Name:         "stable",
+		Risk:         "stable",
+	})
+}
+
+func (s storeChannelSuite) TestParseChannelErrors(c *C) {
+	_, err := snap.ParseChannel("", "")
+	c.Check(err, ErrorMatches, "channel name cannot be empty")
+
+	_, err = snap.ParseChannel("1.0////", "")
+	c.Check(err, ErrorMatches, "channel name has too many components: 1.0////")
+
+	_, err = snap.ParseChannel("1.0/cand", "invalid risk in channel name: 1.0/cand")
+	c.Check(err, ErrorMatches, "invalid risk in channel name: 1.0/cand")
+}
+
+func (s *storeChannelSuite) TestString(c *C) {
+	tests := []struct {
+		channel string
+		str     string
+	}{
+		{"stable", "stable"},
+		{"latest/stable", "stable"},
+		{"1.0/edge", "1.0/edge"},
+		{"1.0/beta/foo", "1.0/beta/foo"},
+		{"1.0", "1.0/stable"},
+		{"candidate/foo", "candidate/foo"},
+	}
+
+	for _, t := range tests {
+		ch, err := snap.ParseChannel(t.channel, "")
+		c.Assert(err, IsNil)
+
+		c.Check(ch.String(), Equals, t.str)
+	}
+}
+
+func (s *storeChannelSuite) TestFull(c *C) {
+	tests := []struct {
+		channel string
+		str     string
+	}{
+		{"stable", "latest/stable"},
+		{"latest/stable", "latest/stable"},
+		{"1.0/edge", "1.0/edge"},
+		{"1.0/beta/foo", "1.0/beta/foo"},
+		{"1.0", "1.0/stable"},
+		{"candidate/foo", "latest/candidate/foo"},
+	}
+
+	for _, t := range tests {
+		ch, err := snap.ParseChannel(t.channel, "")
+		c.Assert(err, IsNil)
+
+		c.Check(ch.Full(), Equals, t.str)
+	}
+}
+
+func (s *storeChannelSuite) TestMatch(c *C) {
+	tests := []struct {
+		req      string
+		c1       string
+		sameArch bool
+		res      string
+	}{
+		{"stable", "stable", true, "architecture:track:risk"},
+		{"stable", "beta", true, "architecture:track"},
+		{"beta", "stable", true, "architecture:track:risk"},
+		{"stable", "edge", false, "track"},
+		{"edge", "stable", false, "track:risk"},
+		{"1.0/stable", "1.0/edge", true, "architecture:track"},
+		{"1.0/edge", "stable", true, "architecture:risk"},
+		{"1.0/edge", "stable", false, "risk"},
+		{"1.0/stable", "stable", false, "risk"},
+		{"1.0/stable", "beta", false, ""},
+		{"1.0/stable", "2.0/beta", false, ""},
+		{"2.0/stable", "2.0/beta", false, "track"},
+		{"1.0/stable", "2.0/beta", true, "architecture"},
+	}
+
+	for _, t := range tests {
+		reqArch := "amd64"
+		c1Arch := "amd64"
+		if !t.sameArch {
+			c1Arch = "arm64"
+		}
+		req, err := snap.ParseChannel(t.req, reqArch)
+		c.Assert(err, IsNil)
+		c1, err := snap.ParseChannel(t.c1, c1Arch)
+		c.Assert(err, IsNil)
+
+		c.Check(req.Match(&c1).String(), Equals, t.res)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/snap/container.go snapd-2.37~rc1~14.04/snap/container.go
--- snapd-2.32.3.2~14.04/snap/container.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/container.go	2019-01-16 08:36:51.000000000 +0000
@@ -32,7 +32,7 @@
 	"github.com/snapcore/snapd/snap/squashfs"
 )
 
-// Container is the interface to interact with the low-level snap files
+// Container is the interface to interact with the low-level snap files.
 type Container interface {
 	// Size returns the size of the snap in bytes.
 	Size() (int64, error)
@@ -66,7 +66,7 @@
 	}},
 }
 
-// Open opens a given snap file with the right backend
+// Open opens a given snap file with the right backend.
 func Open(path string) (Container, error) {
 
 	if osutil.IsDirectory(path) {
@@ -201,7 +201,7 @@
 
 		if needsrx[path] || mode.IsDir() {
 			if mode.Perm()&0555 != 0555 {
-				logf("in snap %q: %q should be world-readable and executable, and isn't: %s", s.Name(), path, mode)
+				logf("in snap %q: %q should be world-readable and executable, and isn't: %s", s.InstanceName(), path, mode)
 				hasBadModes = true
 			}
 		} else {
@@ -213,19 +213,19 @@
 				// more than anything else, not worth it IMHO (as I can't
 				// imagine this happening by accident).
 				if mode&(os.ModeDir|os.ModeNamedPipe|os.ModeSocket|os.ModeDevice) != 0 {
-					logf("in snap %q: %q should be a regular file (or a symlink) and isn't", s.Name(), path)
+					logf("in snap %q: %q should be a regular file (or a symlink) and isn't", s.InstanceName(), path)
 					hasBadModes = true
 				}
 			}
 			if needsx[path] || strings.HasPrefix(path, "meta/hooks/") {
 				if mode.Perm()&0111 == 0 {
-					logf("in snap %q: %q should be executable, and isn't: %s", s.Name(), path, mode)
+					logf("in snap %q: %q should be executable, and isn't: %s", s.InstanceName(), path, mode)
 					hasBadModes = true
 				}
 			} else {
 				// in needsr, or under meta but not a hook
 				if mode.Perm()&0444 != 0444 {
-					logf("in snap %q: %q should be world-readable, and isn't: %s", s.Name(), path, mode)
+					logf("in snap %q: %q should be world-readable, and isn't: %s", s.InstanceName(), path, mode)
 					hasBadModes = true
 				}
 			}
@@ -239,7 +239,7 @@
 		for _, needs := range []map[string]bool{needsx, needsrx, needsr} {
 			for path := range needs {
 				if !seen[path] {
-					logf("in snap %q: path %q does not exist", s.Name(), path)
+					logf("in snap %q: path %q does not exist", s.InstanceName(), path)
 				}
 			}
 		}
diff -Nru snapd-2.32.3.2~14.04/snap/epoch.go snapd-2.37~rc1~14.04/snap/epoch.go
--- snapd-2.32.3.2~14.04/snap/epoch.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/epoch.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,7 +22,6 @@
 import (
 	"encoding/json"
 	"fmt"
-	"sort"
 	"strconv"
 
 	"github.com/snapcore/snapd/logger"
@@ -54,7 +53,7 @@
 // the read attribute defaults to the value of the write attribute, and the
 // write attribute defaults to the last item in the read attribute. If both are
 // unset, it's the same as not specifying an epoch at all (i.e. epoch: 0). The
-// lists must not have more than 10 elements, they must be in ascending order,
+// lists must not have more than 10 elements, they must be strictly increasing,
 // and there must be a non-empty intersection between them.
 //
 // Epoch numbers must be written in base 10, with no zero padding.
@@ -65,12 +64,12 @@
 
 // E returns the epoch represented by the expression s. It's meant for use in
 // testing, as it panics at the first sign of trouble.
-func E(s string) *Epoch {
+func E(s string) Epoch {
 	var e Epoch
 	if err := e.fromString(s); err != nil {
 		panic(fmt.Errorf("%q: %v", s, err))
 	}
-	return &e
+	return e
 }
 
 func (e *Epoch) fromString(s string) error {
@@ -146,38 +145,65 @@
 	return e.fromStructured(structured)
 }
 
+// IsZero checks whether a snap's epoch is not set (or is set to the default
+// value of "0").  Also zero are some epochs that would be normalized to "0",
+// such as {"read": 0}, as well as some invalid ones like {"read": []}.
+func (e *Epoch) IsZero() bool {
+	if e == nil {
+		return true
+	}
+
+	rZero := len(e.Read) == 0 || (len(e.Read) == 1 && e.Read[0] == 0)
+	wZero := len(e.Write) == 0 || (len(e.Write) == 1 && e.Write[0] == 0)
+
+	return rZero && wZero
+}
+
+func epochListEq(a, b []uint32) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func (e *Epoch) Equal(other *Epoch) bool {
+	if e.IsZero() {
+		return other.IsZero()
+	}
+	return epochListEq(e.Read, other.Read) && epochListEq(e.Write, other.Write)
+}
+
 // Validate checks that the epoch makes sense.
 func (e *Epoch) Validate() error {
-	if e == nil || (e.Read == nil && e.Write == nil) {
-		// (*Epoch)(nil) and &Epoch{} are valid epochs, equivalent to "0"
-		return nil
-	}
-	if len(e.Read) == 0 || len(e.Write) == 0 {
+	if (e.Read != nil && len(e.Read) == 0) || (e.Write != nil && len(e.Write) == 0) {
+		// these are invalid, but if both are true then IsZero will be true.
+		// In practice this check is redundant because it's caught in deserialise.
+		// Belts-and-suspenders all the way down.
 		return &EpochError{Message: emptyEpochList}
 	}
+	if e.IsZero() {
+		return nil
+	}
 	if len(e.Read) > 10 || len(e.Write) > 10 {
 		return &EpochError{Message: epochListJustRidiculouslyLong}
 	}
-	if !sort.IsSorted(uint32slice(e.Read)) || !sort.IsSorted(uint32slice(e.Write)) {
-		return &EpochError{Message: epochListNotSorted}
+	if !isIncreasing(e.Read) || !isIncreasing(e.Write) {
+		return &EpochError{Message: epochListNotIncreasing}
 	}
 
-	// O(𝑚𝑛) instead of O(𝑚log𝑛) for the binary search we could do, but
-	// 𝑚 and 𝑛 <10 per above, so the simple solution is good enough (and if
-	// that alone makes you nervous, know that it is ~2× faster in the
-	// worst case; bisect starts being faster at ~50 entries).
-	for _, r := range e.Read {
-		for _, w := range e.Write {
-			if r == w {
-				return nil
-			}
-		}
+	if intersect(e.Read, e.Write) {
+		return nil
 	}
 	return &EpochError{Message: noEpochIntersection}
 }
 
 func (e *Epoch) simplify() interface{} {
-	if e == nil || (e.Read == nil && e.Write == nil) {
+	if e.IsZero() {
 		return "0"
 	}
 	if len(e.Write) == 1 && len(e.Read) == 1 && e.Read[0] == e.Write[0] {
@@ -189,15 +215,22 @@
 	return &structuredEpoch{Read: e.Read, Write: e.Write}
 }
 
-func (e *Epoch) MarshalJSON() ([]byte, error) {
-	return json.Marshal(e.simplify())
+func (e Epoch) MarshalJSON() ([]byte, error) {
+	se := &structuredEpoch{Read: e.Read, Write: e.Write}
+	if len(se.Read) == 0 {
+		se.Read = uint32slice{0}
+	}
+	if len(se.Write) == 0 {
+		se.Write = uint32slice{0}
+	}
+	return json.Marshal(se)
 }
 
 func (Epoch) MarshalYAML() (interface{}, error) {
 	panic("unexpected attempt to marshal an Epoch to YAML")
 }
 
-func (e *Epoch) String() string {
+func (e Epoch) String() string {
 	i := e.simplify()
 	if s, ok := i.(string); ok {
 		return s
@@ -212,6 +245,42 @@
 	return string(buf)
 }
 
+// CanRead checks whether this epoch can read the data written by the
+// other one.
+func (e *Epoch) CanRead(other Epoch) bool {
+	// the intersection between e.Read and other.Write needs to be non-empty
+
+	// normalize (empty epoch should be treated like "0" here)
+	var rs, ws []uint32
+	if e != nil {
+		rs = e.Read
+	}
+	ws = other.Write
+	if len(rs) == 0 {
+		rs = []uint32{0}
+	}
+	if len(ws) == 0 {
+		ws = []uint32{0}
+	}
+
+	return intersect(rs, ws)
+}
+
+func intersect(rs, ws []uint32) bool {
+	// O(𝑚𝑛) instead of O(𝑚log𝑛) for the binary search we could do, but
+	// 𝑚 and 𝑛 < 10, so the simple solution is good enough (and if that
+	// alone makes you nervous, know that it is ~2× faster in the worst
+	// case; bisect starts being faster at ~50 entries).
+	for _, r := range rs {
+		for _, w := range ws {
+			if r == w {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // EpochError tracks the details of a failed epoch parse or validation.
 type EpochError struct {
 	Message string
@@ -227,7 +296,7 @@
 	badEpochNumber                = "epoch numbers must be base 10 with no zero padding, but got %q"
 	badEpochList                  = "epoch read/write attributes must be lists of epoch numbers"
 	emptyEpochList                = "epoch list cannot be explicitly empty"
-	epochListNotSorted            = "epoch list must be in ascending order"
+	epochListNotIncreasing        = "epoch list must be a strictly increasing sequence"
 	epochListJustRidiculouslyLong = "epoch list must not have more than 10 entries"
 	noEpochIntersection           = "epoch read and write lists must have a non-empty intersection"
 )
@@ -253,10 +322,6 @@
 
 type uint32slice []uint32
 
-func (ns uint32slice) Len() int           { return len(ns) }
-func (ns uint32slice) Less(i, j int) bool { return ns[i] < ns[j] }
-func (ns uint32slice) Swap(i, j int)      { panic("no reordering") }
-
 func (z *uint32slice) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	var ss []string
 	if err := unmarshal(&ss); err != nil {
@@ -291,6 +356,18 @@
 	return nil
 }
 
+func isIncreasing(z []uint32) bool {
+	if len(z) < 2 {
+		return true
+	}
+	for i := range z[1:] {
+		if z[i] >= z[i+1] {
+			return false
+		}
+	}
+	return true
+}
+
 type structuredEpoch struct {
 	Read  uint32slice `json:"read"`
 	Write uint32slice `json:"write"`
diff -Nru snapd-2.32.3.2~14.04/snap/epoch_test.go snapd-2.37~rc1~14.04/snap/epoch_test.go
--- snapd-2.32.3.2~14.04/snap/epoch_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/epoch_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -38,7 +38,7 @@
 	badEpochNumber                = `epoch numbers must be base 10 with no zero padding, but got .*`
 	badEpochList                  = "epoch read/write attributes must be lists of epoch numbers"
 	emptyEpochList                = "epoch list cannot be explicitly empty"
-	epochListNotSorted            = "epoch list must be in ascending order"
+	epochListNotIncreasing        = "epoch list must be a strictly increasing sequence"
 	epochListJustRidiculouslyLong = "epoch list must not have more than 10 entries"
 	noEpochIntersection           = "epoch read and write lists must have a non-empty intersection"
 )
@@ -75,8 +75,9 @@
 		{s: `"42**"`, e: badEpochNumber},                           // N** is dead
 		{s: `{"read": []}`, e: emptyEpochList},                     // explicitly empty is bad
 		{s: `{"write": []}`, e: emptyEpochList},                    //
-		{s: `{"read": [1,2,4,3]}`, e: epochListNotSorted},          // must be ordered
-		{s: `{"write": [4,3,2,1]}`, e: epochListNotSorted},         // ...in ascending order
+		{s: `{"read": [1,2,4,3]}`, e: epochListNotIncreasing},      // must be ordered
+		{s: `{"read": [1,2,2,3]}`, e: epochListNotIncreasing},      // must be strictly increasing
+		{s: `{"write": [4,3,2,1]}`, e: epochListNotIncreasing},     // ...*increasing*
 		{s: `{"read": [0], "write": [1]}`, e: noEpochIntersection}, // must have at least one in common
 		{s: `{"read": [0,1,2,3,4,5,6,7,8,9,10],
  "write": [0,1,2,3,4,5,6,7,8,9,10]}`, e: epochListJustRidiculouslyLong}, // must have <10 elements
@@ -131,9 +132,70 @@
 	}
 }
 
+func (s epochSuite) TestGoodEpochsInSnapYAML(c *check.C) {
+	defer snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {})()
+
+	type Tt struct {
+		s string
+		e snap.Epoch
+	}
+
+	tests := []Tt{
+		{s: ``, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `epoch: null`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `epoch: 0`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `epoch: "0"`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `epoch: {}`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `epoch: "2*"`, e: snap.Epoch{Read: []uint32{1, 2}, Write: []uint32{2}}},
+		{s: `epoch: {"read": [2]}`, e: snap.Epoch{Read: []uint32{2}, Write: []uint32{2}}},
+		{s: `epoch: {"read": [1, 2]}`, e: snap.Epoch{Read: []uint32{1, 2}, Write: []uint32{2}}},
+		{s: `epoch: {"write": [2]}`, e: snap.Epoch{Read: []uint32{2}, Write: []uint32{2}}},
+		{s: `epoch: {"write": [1, 2]}`, e: snap.Epoch{Read: []uint32{1, 2}, Write: []uint32{1, 2}}},
+		{s: `epoch: {"read": [2,4,8], "write": [2,3,5]}`, e: snap.Epoch{Read: []uint32{2, 4, 8}, Write: []uint32{2, 3, 5}}},
+	}
+
+	for _, test := range tests {
+		info, err := snap.InfoFromSnapYaml([]byte(test.s))
+		c.Check(err, check.IsNil, check.Commentf("YAML: %s", test.s))
+		c.Check(info.Epoch, check.DeepEquals, test.e)
+	}
+}
+
+func (s epochSuite) TestGoodEpochsInJSON(c *check.C) {
+	type Tt struct {
+		s string
+		e snap.Epoch
+	}
+
+	type Tinfo struct {
+		Epoch snap.Epoch `json:"epoch"`
+	}
+
+	tests := []Tt{
+		// {} should give snap.Epoch{Read: []uint32{0}, Write: []uint32{0}} but needs an UnmarshalJSON on the parent
+		{s: `{"epoch": null}`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `{"epoch": "0"}`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `{"epoch": {}}`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `{"epoch": "2*"}`, e: snap.Epoch{Read: []uint32{1, 2}, Write: []uint32{2}}},
+		{s: `{"epoch": {"read": [0]}}`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `{"epoch": {"write": [0]}}`, e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: `{"epoch": {"read": [2]}}`, e: snap.Epoch{Read: []uint32{2}, Write: []uint32{2}}},
+		{s: `{"epoch": {"read": [1, 2]}}`, e: snap.Epoch{Read: []uint32{1, 2}, Write: []uint32{2}}},
+		{s: `{"epoch": {"write": [2]}}`, e: snap.Epoch{Read: []uint32{2}, Write: []uint32{2}}},
+		{s: `{"epoch": {"write": [1, 2]}}`, e: snap.Epoch{Read: []uint32{1, 2}, Write: []uint32{1, 2}}},
+		{s: `{"epoch": {"read": [2,4,8], "write": [2,3,5]}}`, e: snap.Epoch{Read: []uint32{2, 4, 8}, Write: []uint32{2, 3, 5}}},
+	}
+
+	for _, test := range tests {
+		var info Tinfo
+		err := json.Unmarshal([]byte(test.s), &info)
+		c.Check(err, check.IsNil, check.Commentf("JSON: %s", test.s))
+		c.Check(info.Epoch, check.DeepEquals, test.e, check.Commentf("JSON: %s", test.s))
+	}
+}
+
 func (s *epochSuite) TestEpochValidate(c *check.C) {
-	validEpochs := []*snap.Epoch{
-		nil,
+	validEpochs := []snap.Epoch{
 		{},
 		{Read: []uint32{0}, Write: []uint32{0}},
 		{Read: []uint32{0, 1}, Write: []uint32{1}},
@@ -146,26 +208,29 @@
 		c.Check(err, check.IsNil, check.Commentf("%s", epoch))
 	}
 	invalidEpochs := []struct {
-		epoch *snap.Epoch
+		epoch snap.Epoch
 		err   string
 	}{
-		{epoch: &snap.Epoch{Read: []uint32{}}, err: emptyEpochList},
-		{epoch: &snap.Epoch{Write: []uint32{}}, err: emptyEpochList},
-		{epoch: &snap.Epoch{Read: []uint32{}, Write: []uint32{}}, err: emptyEpochList},
-		{epoch: &snap.Epoch{Read: []uint32{1}, Write: []uint32{2}}, err: noEpochIntersection},
-		{epoch: &snap.Epoch{Read: []uint32{1, 3, 5}, Write: []uint32{2, 4, 6}}, err: noEpochIntersection},
-		{epoch: &snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{3, 2, 1}}, err: epochListNotSorted},
-		{epoch: &snap.Epoch{Read: []uint32{3, 2, 1}, Write: []uint32{1, 2, 3}}, err: epochListNotSorted},
-		{epoch: &snap.Epoch{Read: []uint32{3, 2, 1}, Write: []uint32{3, 2, 1}}, err: epochListNotSorted},
-		{epoch: &snap.Epoch{
+		{epoch: snap.Epoch{Read: []uint32{}}, err: emptyEpochList},
+		{epoch: snap.Epoch{Write: []uint32{}}, err: emptyEpochList},
+		{epoch: snap.Epoch{Read: []uint32{}, Write: []uint32{}}, err: emptyEpochList},
+		{epoch: snap.Epoch{Read: []uint32{1}, Write: []uint32{2}}, err: noEpochIntersection},
+		{epoch: snap.Epoch{Read: []uint32{1, 3, 5}, Write: []uint32{2, 4, 6}}, err: noEpochIntersection},
+		{epoch: snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{3, 2, 1}}, err: epochListNotIncreasing},
+		{epoch: snap.Epoch{Read: []uint32{3, 2, 1}, Write: []uint32{1, 2, 3}}, err: epochListNotIncreasing},
+		{epoch: snap.Epoch{Read: []uint32{3, 2, 1}, Write: []uint32{3, 2, 1}}, err: epochListNotIncreasing},
+		{epoch: snap.Epoch{Read: []uint32{0, 0, 0}, Write: []uint32{0}}, err: epochListNotIncreasing},
+		{epoch: snap.Epoch{Read: []uint32{0}, Write: []uint32{0, 0, 0}}, err: epochListNotIncreasing},
+		{epoch: snap.Epoch{Read: []uint32{0, 0, 0}, Write: []uint32{0, 0, 0}}, err: epochListNotIncreasing},
+		{epoch: snap.Epoch{
 			Read:  []uint32{0},
 			Write: []uint32{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
 		}, err: epochListJustRidiculouslyLong},
-		{epoch: &snap.Epoch{
+		{epoch: snap.Epoch{
 			Read:  []uint32{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
 			Write: []uint32{0},
 		}, err: epochListJustRidiculouslyLong},
-		{epoch: &snap.Epoch{
+		{epoch: snap.Epoch{
 			Read:  []uint32{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
 			Write: []uint32{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
 		}, err: epochListJustRidiculouslyLong},
@@ -178,16 +243,20 @@
 
 func (s *epochSuite) TestEpochString(c *check.C) {
 	tests := []struct {
-		e *snap.Epoch
+		e snap.Epoch
 		s string
 	}{
-		{e: nil, s: "0"},
-		{e: &snap.Epoch{}, s: "0"},
-		{e: &snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}, s: "0"},
-		{e: &snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}, s: "1*"},
-		{e: &snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}, s: "1"},
-		{e: &snap.Epoch{Read: []uint32{399, 400}, Write: []uint32{400}}, s: "400*"},
-		{e: &snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{1, 2, 3}}, s: `{"read":[1,2,3],"write":[1,2,3]}`},
+		{e: snap.Epoch{}, s: "0"},
+		{e: snap.Epoch{Read: []uint32{0}}, s: "0"},
+		{e: snap.Epoch{Write: []uint32{0}}, s: "0"},
+		{e: snap.Epoch{Read: []uint32{0}, Write: []uint32{}}, s: "0"},
+		{e: snap.Epoch{Read: []uint32{}, Write: []uint32{0}}, s: "0"},
+		{e: snap.Epoch{Read: []uint32{}, Write: []uint32{}}, s: "0"},
+		{e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}, s: "0"},
+		{e: snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}, s: "1*"},
+		{e: snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}, s: "1"},
+		{e: snap.Epoch{Read: []uint32{399, 400}, Write: []uint32{400}}, s: "400*"},
+		{e: snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{1, 2, 3}}, s: `{"read":[1,2,3],"write":[1,2,3]}`},
 	}
 	for _, test := range tests {
 		c.Check(test.e.String(), check.Equals, test.s, check.Commentf(test.s))
@@ -196,19 +265,25 @@
 
 func (s *epochSuite) TestEpochMarshal(c *check.C) {
 	tests := []struct {
-		e *snap.Epoch
+		e snap.Epoch
 		s string
 	}{
-		//		{e: nil, s: `"0"`},
-		{e: &snap.Epoch{}, s: `"0"`},
-		{e: &snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}, s: `"0"`},
-		{e: &snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}, s: `"1*"`},
-		{e: &snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}, s: `"1"`},
-		{e: &snap.Epoch{Read: []uint32{399, 400}, Write: []uint32{400}}, s: `"400*"`},
-		{e: &snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{1, 2, 3}}, s: `{"read":[1,2,3],"write":[1,2,3]}`},
+		{e: snap.Epoch{}, s: `{"read":[0],"write":[0]}`},
+		{e: snap.Epoch{Read: []uint32{0}}, s: `{"read":[0],"write":[0]}`},
+		{e: snap.Epoch{Write: []uint32{0}}, s: `{"read":[0],"write":[0]}`},
+		{e: snap.Epoch{Read: []uint32{0}, Write: []uint32{}}, s: `{"read":[0],"write":[0]}`},
+		{e: snap.Epoch{Read: []uint32{}, Write: []uint32{0}}, s: `{"read":[0],"write":[0]}`},
+		{e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}, s: `{"read":[0],"write":[0]}`},
+		{e: snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}, s: `{"read":[0,1],"write":[1]}`},
+		{e: snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}, s: `{"read":[1],"write":[1]}`},
+		{e: snap.Epoch{Read: []uint32{399, 400}, Write: []uint32{400}}, s: `{"read":[399,400],"write":[400]}`},
+		{e: snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{1, 2, 3}}, s: `{"read":[1,2,3],"write":[1,2,3]}`},
 	}
 	for _, test := range tests {
-		bs, err := json.Marshal(test.e)
+		bs, err := test.e.MarshalJSON()
+		c.Assert(err, check.IsNil)
+		c.Check(string(bs), check.Equals, test.s, check.Commentf(test.s))
+		bs, err = json.Marshal(test.e)
 		c.Assert(err, check.IsNil)
 		c.Check(string(bs), check.Equals, test.s, check.Commentf(test.s))
 	}
@@ -216,16 +291,85 @@
 
 func (s *epochSuite) TestE(c *check.C) {
 	tests := []struct {
-		e *snap.Epoch
+		e snap.Epoch
 		s string
 	}{
-		{s: "0", e: &snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
-		{s: "1", e: &snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}},
-		{s: "1*", e: &snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}},
-		{s: "400*", e: &snap.Epoch{Read: []uint32{399, 400}, Write: []uint32{400}}},
+		{s: "0", e: snap.Epoch{Read: []uint32{0}, Write: []uint32{0}}},
+		{s: "1", e: snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}},
+		{s: "1*", e: snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}},
+		{s: "400*", e: snap.Epoch{Read: []uint32{399, 400}, Write: []uint32{400}}},
 	}
 	for _, test := range tests {
 		c.Check(snap.E(test.s), check.DeepEquals, test.e, check.Commentf(test.s))
 		c.Check(test.e.String(), check.Equals, test.s, check.Commentf(test.s))
 	}
 }
+
+func (s *epochSuite) TestIsZero(c *check.C) {
+	for _, e := range []*snap.Epoch{
+		nil,
+		{},
+		{Read: []uint32{0}},
+		{Write: []uint32{0}},
+		{Read: []uint32{0}, Write: []uint32{}},
+		{Read: []uint32{}, Write: []uint32{0}},
+		{Read: []uint32{0}, Write: []uint32{0}},
+	} {
+		c.Check(e.IsZero(), check.Equals, true, check.Commentf("%#v", e))
+	}
+	for _, e := range []*snap.Epoch{
+		{Read: []uint32{0, 1}, Write: []uint32{0}},
+		{Read: []uint32{1}, Write: []uint32{1, 2}},
+	} {
+		c.Check(e.IsZero(), check.Equals, false, check.Commentf("%#v", e))
+	}
+}
+
+func (s *epochSuite) TestCanRead(c *check.C) {
+	tests := []struct {
+		a, b   snap.Epoch
+		ab, ba bool
+	}{
+		{ab: true, ba: true},                 // test for empty epoch
+		{a: snap.E("0"), ab: true, ba: true}, // hybrid empty / zero
+		{a: snap.E("0"), b: snap.E("1"), ab: false, ba: false},
+		{a: snap.E("0"), b: snap.E("1*"), ab: false, ba: true},
+		{a: snap.E("0"), b: snap.E("2*"), ab: false, ba: false},
+
+		{
+			a:  snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{2}},
+			b:  snap.Epoch{Read: []uint32{1, 3, 4}, Write: []uint32{4}},
+			ab: false,
+			ba: false,
+		},
+		{
+			a:  snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{3}},
+			b:  snap.Epoch{Read: []uint32{1, 2, 3}, Write: []uint32{2}},
+			ab: true,
+			ba: true,
+		},
+	}
+	for i, test := range tests {
+		c.Assert(test.a.CanRead(test.b), check.Equals, test.ab, check.Commentf("ab/%d", i))
+		c.Assert(test.b.CanRead(test.a), check.Equals, test.ba, check.Commentf("ba/%d", i))
+	}
+}
+
+func (s *epochSuite) TestEqual(c *check.C) {
+	tests := []struct {
+		a, b *snap.Epoch
+		eq   bool
+	}{
+		{a: &snap.Epoch{}, b: nil, eq: true},
+		{a: &snap.Epoch{Read: []uint32{}, Write: []uint32{}}, b: nil, eq: true},
+		{a: &snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}, b: &snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}, eq: true},
+		{a: &snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}, b: &snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}, eq: true},
+		{a: &snap.Epoch{Read: []uint32{0, 1}, Write: []uint32{1}}, b: &snap.Epoch{Read: []uint32{1}, Write: []uint32{1}}, eq: false},
+		{a: &snap.Epoch{Read: []uint32{1, 2, 3, 4}, Write: []uint32{7}}, b: &snap.Epoch{Read: []uint32{1, 2, 3, 7}, Write: []uint32{7}}, eq: false},
+	}
+
+	for i, test := range tests {
+		c.Check(test.a.Equal(test.b), check.Equals, test.eq, check.Commentf("ab/%d", i))
+		c.Check(test.b.Equal(test.a), check.Equals, test.eq, check.Commentf("ab/%d", i))
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/snap/export_test.go snapd-2.37~rc1~14.04/snap/export_test.go
--- snapd-2.32.3.2~14.04/snap/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,17 +20,12 @@
 package snap
 
 var (
-	NewHookType                  = newHookType
 	ValidateSocketName           = validateSocketName
+	ValidateDescription          = validateDescription
+	ValidateTitle                = validateTitle
 	InfoFromSnapYamlWithSideInfo = infoFromSnapYamlWithSideInfo
 )
 
-func MockSupportedHookTypes(hookTypes []*HookType) (restore func()) {
-	old := supportedHooks
-	supportedHooks = hookTypes
-	return func() { supportedHooks = old }
-}
-
-func (info *Info) RenamePlug(oldName, newName string) {
-	info.renamePlug(oldName, newName)
+func (info *Info) ForceRenamePlug(oldName, newName string) {
+	info.forceRenamePlug(oldName, newName)
 }
diff -Nru snapd-2.32.3.2~14.04/snap/gadget.go snapd-2.37~rc1~14.04/snap/gadget.go
--- snapd-2.32.3.2~14.04/snap/gadget.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/gadget.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,6 +24,7 @@
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"gopkg.in/yaml.v2"
 )
@@ -33,6 +34,8 @@
 
 	// Default configuration for snaps (snap-id => key => value).
 	Defaults map[string]map[string]interface{} `yaml:"defaults,omitempty"`
+
+	Connections []GadgetConnection `yaml:"connections"`
 }
 
 type GadgetVolume struct {
@@ -69,6 +72,85 @@
 	Unpack bool `yaml:"unpack"`
 }
 
+// GadgetConnect describes an interface connection requested by the gadget
+// between seeded snaps. The syntax is of a mapping like:
+//
+//  plug: (<plug-snap-id>|system):plug
+//  [slot: (<slot-snap-id>|system):slot]
+//
+// "system" indicates a system plug or slot.
+// Fully omitting the slot part indicates a system slot with the same name
+// as the plug.
+type GadgetConnection struct {
+	Plug GadgetConnectionPlug `yaml:"plug"`
+	Slot GadgetConnectionSlot `yaml:"slot"`
+}
+
+type GadgetConnectionPlug struct {
+	SnapID string
+	Plug   string
+}
+
+func (gcplug *GadgetConnectionPlug) Empty() bool {
+	return gcplug.SnapID == "" && gcplug.Plug == ""
+}
+
+func (gcplug *GadgetConnectionPlug) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var s string
+	if err := unmarshal(&s); err != nil {
+		return err
+	}
+	snapID, name, err := parseSnapIDColonName(s)
+	if err != nil {
+		return fmt.Errorf("in gadget connection plug: %v", err)
+	}
+	gcplug.SnapID = snapID
+	gcplug.Plug = name
+	return nil
+}
+
+type GadgetConnectionSlot struct {
+	SnapID string
+	Slot   string
+}
+
+func (gcslot *GadgetConnectionSlot) Empty() bool {
+	return gcslot.SnapID == "" && gcslot.Slot == ""
+}
+
+func (gcslot *GadgetConnectionSlot) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var s string
+	if err := unmarshal(&s); err != nil {
+		return err
+	}
+	snapID, name, err := parseSnapIDColonName(s)
+	if err != nil {
+		return fmt.Errorf("in gadget connection slot: %v", err)
+	}
+	gcslot.SnapID = snapID
+	gcslot.Slot = name
+	return nil
+}
+
+func parseSnapIDColonName(s string) (snapID, name string, err error) {
+	parts := strings.Split(s, ":")
+	if len(parts) == 2 {
+		snapID = parts[0]
+		name = parts[1]
+	}
+	if snapID == "" || name == "" {
+		return "", "", fmt.Errorf(`expected "(<snap-id>|system):name" not %q`, s)
+	}
+	return snapID, name, nil
+}
+
+func systemOrSnapID(s string) bool {
+	if s != "system" && len(s) != validSnapIDLength {
+		return false
+	}
+	return true
+}
+
 // ReadGadgetInfo reads the gadget specific metadata from gadget.yaml
 // in the snap. classic set to true means classic rules apply,
 // i.e. content/presence of gadget.yaml is fully optional.
@@ -96,6 +178,9 @@
 	}
 
 	for k, v := range gi.Defaults {
+		if !systemOrSnapID(k) {
+			return nil, fmt.Errorf(`default stanza not keyed by "system" or snap-id: %s`, k)
+		}
 		dflt, err := normalizeYamlValue(v)
 		if err != nil {
 			return nil, fmt.Errorf("default value %q of %q: %v", v, k, err)
@@ -103,6 +188,16 @@
 		gi.Defaults[k] = dflt.(map[string]interface{})
 	}
 
+	for i, gconn := range gi.Connections {
+		if gconn.Plug.Empty() {
+			return nil, fmt.Errorf("gadget connection plug cannot be empty")
+		}
+		if gconn.Slot.Empty() {
+			gi.Connections[i].Slot.SnapID = "system"
+			gi.Connections[i].Slot.Slot = gconn.Plug.Plug
+		}
+	}
+
 	if classic && len(gi.Volumes) == 0 {
 		// volumes can be left out on classic
 		// can still specify defaults though
diff -Nru snapd-2.32.3.2~14.04/snap/gadget_test.go snapd-2.37~rc1~14.04/snap/gadget_test.go
--- snapd-2.32.3.2~14.04/snap/gadget_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/gadget_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"io/ioutil"
 	"path/filepath"
+	"strings"
 
 	. "gopkg.in/check.v1"
 
@@ -42,9 +43,16 @@
 
 var mockGadgetYaml = []byte(`
 defaults:
-  core:
+  system:
     something: true
 
+connections:
+  - plug: snapid1:plg1
+    slot: snapid2:slot
+  - plug: snapid3:process-control
+  - plug: snapid4:pctl4
+    slot: system:process-control
+
 volumes:
   volumename:
     schema: mbr
@@ -104,9 +112,9 @@
 
 var mockClassicGadgetYaml = []byte(`
 defaults:
-  core:
+  system:
     something: true
-  other:
+  otheridididididididididididididi:
     foo:
       bar: baz
 `)
@@ -160,8 +168,8 @@
 	c.Assert(err, IsNil)
 	c.Assert(ginfo, DeepEquals, &snap.GadgetInfo{
 		Defaults: map[string]map[string]interface{}{
-			"core":  {"something": true},
-			"other": {"foo": map[string]interface{}{"bar": "baz"}},
+			"system": {"something": true},
+			"otheridididididididididididididi": {"foo": map[string]interface{}{"bar": "baz"}},
 		},
 	})
 }
@@ -175,7 +183,12 @@
 	c.Assert(err, IsNil)
 	c.Assert(ginfo, DeepEquals, &snap.GadgetInfo{
 		Defaults: map[string]map[string]interface{}{
-			"core": {"something": true},
+			"system": {"something": true},
+		},
+		Connections: []snap.GadgetConnection{
+			{Plug: snap.GadgetConnectionPlug{SnapID: "snapid1", Plug: "plg1"}, Slot: snap.GadgetConnectionSlot{SnapID: "snapid2", Slot: "slot"}},
+			{Plug: snap.GadgetConnectionPlug{SnapID: "snapid3", Plug: "process-control"}, Slot: snap.GadgetConnectionSlot{SnapID: "system", Slot: "process-control"}},
+			{Plug: snap.GadgetConnectionPlug{SnapID: "snapid4", Plug: "pctl4"}, Slot: snap.GadgetConnectionSlot{SnapID: "system", Slot: "process-control"}},
 		},
 		Volumes: map[string]snap.GadgetVolume{
 			"volumename": {
@@ -303,3 +316,47 @@
 	_, err = snap.ReadGadgetInfo(info, false)
 	c.Assert(err, ErrorMatches, "cannot read gadget snap details: bootloader not declared in any volume")
 }
+
+func (s *gadgetYamlTestSuite) TestReadGadgetYamlInvalidDefaultsKey(c *C) {
+	info := snaptest.MockSnap(c, mockGadgetSnapYaml, &snap.SideInfo{Revision: snap.R(42)})
+	mockGadgetYamlBroken := []byte(`
+defaults:
+ foo:
+  x: 1
+`)
+
+	err := ioutil.WriteFile(filepath.Join(info.MountDir(), "meta", "gadget.yaml"), mockGadgetYamlBroken, 0644)
+	c.Assert(err, IsNil)
+
+	_, err = snap.ReadGadgetInfo(info, false)
+	c.Assert(err, ErrorMatches, `default stanza not keyed by "system" or snap-id: foo`)
+}
+
+func (s *gadgetYamlTestSuite) TestReadGadgetYamlInvalidConnection(c *C) {
+	info := snaptest.MockSnap(c, mockGadgetSnapYaml, &snap.SideInfo{Revision: snap.R(42)})
+	mockGadgetYamlBroken := `
+connections:
+ - @INVALID@
+`
+	tests := []struct {
+		invalidConn string
+		expectedErr string
+	}{
+		{``, `gadget connection plug cannot be empty`},
+		{`foo:bar baz:quux`, `(?s).*unmarshal errors:.*`},
+		{`plug: foo:`, `.*mapping values are not allowed in this context`},
+		{`plug: ":"`, `.*in gadget connection plug: expected "\(<snap-id>\|system\):name" not ":"`},
+		{`slot: "foo:"`, `.*in gadget connection slot: expected "\(<snap-id>\|system\):name" not "foo:"`},
+		{`slot: foo:bar`, `gadget connection plug cannot be empty`},
+	}
+
+	for _, t := range tests {
+		mockGadgetYamlBroken := strings.Replace(mockGadgetYamlBroken, "@INVALID@", t.invalidConn, 1)
+
+		err := ioutil.WriteFile(filepath.Join(info.MountDir(), "meta", "gadget.yaml"), []byte(mockGadgetYamlBroken), 0644)
+		c.Assert(err, IsNil)
+
+		_, err = snap.ReadGadgetInfo(info, false)
+		c.Check(err, ErrorMatches, t.expectedErr)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/snap/hooktypes.go snapd-2.37~rc1~14.04/snap/hooktypes.go
--- snapd-2.32.3.2~14.04/snap/hooktypes.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/hooktypes.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,14 +24,16 @@
 )
 
 var supportedHooks = []*HookType{
-	newHookType(regexp.MustCompile("^prepare-device$")),
-	newHookType(regexp.MustCompile("^configure$")),
-	newHookType(regexp.MustCompile("^install$")),
-	newHookType(regexp.MustCompile("^pre-refresh$")),
-	newHookType(regexp.MustCompile("^post-refresh$")),
-	newHookType(regexp.MustCompile("^remove$")),
-	newHookType(regexp.MustCompile("^prepare-(?:plug|slot)-[-a-z0-9]+$")),
-	newHookType(regexp.MustCompile("^connect-(?:plug|slot)-[-a-z0-9]+$")),
+	NewHookType(regexp.MustCompile("^prepare-device$")),
+	NewHookType(regexp.MustCompile("^configure$")),
+	NewHookType(regexp.MustCompile("^install$")),
+	NewHookType(regexp.MustCompile("^pre-refresh$")),
+	NewHookType(regexp.MustCompile("^post-refresh$")),
+	NewHookType(regexp.MustCompile("^remove$")),
+	NewHookType(regexp.MustCompile("^prepare-(?:plug|slot)-[-a-z0-9]+$")),
+	NewHookType(regexp.MustCompile("^unprepare-(?:plug|slot)-[-a-z0-9]+$")),
+	NewHookType(regexp.MustCompile("^connect-(?:plug|slot)-[-a-z0-9]+$")),
+	NewHookType(regexp.MustCompile("^disconnect-(?:plug|slot)-[-a-z0-9]+$")),
 }
 
 // HookType represents a pattern of supported hook names.
@@ -39,8 +41,8 @@
 	pattern *regexp.Regexp
 }
 
-// newHookType returns a new HookType with the given pattern.
-func newHookType(pattern *regexp.Regexp) *HookType {
+// NewHookType returns a new HookType with the given pattern.
+func NewHookType(pattern *regexp.Regexp) *HookType {
 	return &HookType{
 		pattern: pattern,
 	}
@@ -62,3 +64,15 @@
 
 	return false
 }
+
+func MockSupportedHookTypes(hookTypes []*HookType) (restore func()) {
+	old := supportedHooks
+	supportedHooks = hookTypes
+	return func() { supportedHooks = old }
+}
+
+func MockAppendSupportedHookTypes(hookTypes []*HookType) (restore func()) {
+	old := supportedHooks
+	supportedHooks = append(supportedHooks, hookTypes...)
+	return func() { supportedHooks = old }
+}
diff -Nru snapd-2.32.3.2~14.04/snap/info.go snapd-2.37~rc1~14.04/snap/info.go
--- snapd-2.32.3.2~14.04/snap/info.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/info.go	2019-01-16 08:36:51.000000000 +0000
@@ -38,8 +38,12 @@
 
 // PlaceInfo offers all the information about where a snap and its data are located and exposed in the filesystem.
 type PlaceInfo interface {
-	// Name returns the name of the snap.
-	Name() string
+	// InstanceName returns the name of the snap decorated with instance
+	// key, if any.
+	InstanceName() string
+
+	// SnapName returns the name of the snap.
+	SnapName() string
 
 	// MountDir returns the base directory of the snap.
 	MountDir() string
@@ -77,12 +81,18 @@
 
 // MinimalPlaceInfo returns a PlaceInfo with just the location information for a snap of the given name and revision.
 func MinimalPlaceInfo(name string, revision Revision) PlaceInfo {
-	return &Info{SideInfo: SideInfo{RealName: name, Revision: revision}}
+	storeName, instanceKey := SplitInstanceName(name)
+	return &Info{SideInfo: SideInfo{RealName: storeName, Revision: revision}, InstanceKey: instanceKey}
+}
+
+// BaseDir returns the system level directory of given snap.
+func BaseDir(name string) string {
+	return filepath.Join(dirs.SnapMountDir, name)
 }
 
 // MountDir returns the base directory where it gets mounted of the snap with the given name and revision.
 func MountDir(name string, revision Revision) string {
-	return filepath.Join(dirs.SnapMountDir, name, revision.String())
+	return filepath.Join(BaseDir(name), revision.String())
 }
 
 // MountFile returns the path where the snap file that is mounted is installed.
@@ -116,6 +126,53 @@
 	return ScopedSecurityTag(snapName, "none", uniqueName)
 }
 
+// BaseDataDir returns the base directory for snap data locations.
+func BaseDataDir(name string) string {
+	return filepath.Join(dirs.SnapDataDir, name)
+}
+
+// DataDir returns the data directory for given snap name and revision. The name can be
+// either a snap name or snap instance name.
+func DataDir(name string, revision Revision) string {
+	return filepath.Join(BaseDataDir(name), revision.String())
+}
+
+// CommonDataDir returns the common data directory for given snap name. The name
+// can be either a snap name or snap instance name.
+func CommonDataDir(name string) string {
+	return filepath.Join(dirs.SnapDataDir, name, "common")
+}
+
+// HooksDir returns the directory containing the snap's hooks for given snap
+// name. The name can be either a snap name or snap instance name.
+func HooksDir(name string, revision Revision) string {
+	return filepath.Join(MountDir(name, revision), "meta", "hooks")
+}
+
+// UserDataDir returns the user-specific data directory for given snap name. The
+// name can be either a snap name or snap instance name.
+func UserDataDir(home string, name string, revision Revision) string {
+	return filepath.Join(home, dirs.UserHomeSnapDir, name, revision.String())
+}
+
+// UserCommonDataDir returns the user-specific common data directory for given
+// snap name. The name can be either a snap name or snap instance name.
+func UserCommonDataDir(home string, name string) string {
+	return filepath.Join(home, dirs.UserHomeSnapDir, name, "common")
+}
+
+// UserSnapDir returns the user-specific directory for given
+// snap name. The name can be either a snap name or snap instance name.
+func UserSnapDir(home string, name string) string {
+	return filepath.Join(home, dirs.UserHomeSnapDir, name)
+}
+
+// UserXdgRuntimeDir returns the user-specific XDG_RUNTIME_DIR directory for
+// given snap name. The name can be either a snap name or snap instance name.
+func UserXdgRuntimeDir(euid sys.UserID, name string) string {
+	return filepath.Join(dirs.XdgRuntimeDirBase, fmt.Sprintf("%d/snap.%s", euid, name))
+}
+
 // SideInfo holds snap metadata that is crucial for the tracking of
 // snaps and for the working of the system offline and which is not
 // included in snap.yaml or for which the store is the canonical
@@ -144,6 +201,7 @@
 // Info provides information about snaps.
 type Info struct {
 	SuggestedName string
+	InstanceKey   string
 	Version       string
 	Type          Type
 	Architectures []string
@@ -167,26 +225,27 @@
 	Plugs            map[string]*PlugInfo
 	Slots            map[string]*SlotInfo
 
+	toplevelPlugs []*PlugInfo
+	toplevelSlots []*SlotInfo
+
 	// Plugs or slots with issues (they are not included in Plugs or Slots)
 	BadInterfaces map[string]string // slot or plug => message
 
 	// The information in all the remaining fields is not sourced from the snap blob itself.
 	SideInfo
 
-	// Broken marks if set whether the snap is broken and the reason.
+	// Broken marks whether the snap is broken and the reason.
 	Broken string
 
 	// The information in these fields is ephemeral, available only from the store.
 	DownloadInfo
 
-	IconURL string
 	Prices  map[string]float64
 	MustBuy bool
 
-	PublisherID string
-	Publisher   string
+	Publisher StoreAccount
 
-	Screenshots []ScreenshotInfo
+	Media MediaInfos
 
 	// The flattended channel map with $track/$risk
 	Channels map[string]*ChannelSnapInfo
@@ -195,6 +254,18 @@
 	Tracks []string
 
 	Layout map[string]*Layout
+
+	// The list of common-ids from all apps of the snap
+	CommonIDs []string
+}
+
+// StoreAccount holds information about a store account, for example
+// of snap publisher.
+type StoreAccount struct {
+	ID          string `json:"id"`
+	Username    string `json:"username"`
+	DisplayName string `json:"display-name"`
+	Validation  string `json:"validation,omitempty"`
 }
 
 // Layout describes a single element of the layout section.
@@ -248,10 +319,17 @@
 	Channel     string          `json:"channel"`
 	Epoch       Epoch           `json:"epoch"`
 	Size        int64           `json:"size"`
+	ReleasedAt  time.Time       `json:"released-at"`
+}
+
+// InstanceName returns the blessed name of the snap decorated with instance
+// key, if any.
+func (s *Info) InstanceName() string {
+	return InstanceName(s.SnapName(), s.InstanceKey)
 }
 
-// Name returns the blessed name for the snap.
-func (s *Info) Name() string {
+// SnapName returns the global blessed name of the snap.
+func (s *Info) SnapName() string {
 	if s.RealName != "" {
 		return s.RealName
 	}
@@ -284,57 +362,57 @@
 
 // MountDir returns the base directory of the snap where it gets mounted.
 func (s *Info) MountDir() string {
-	return MountDir(s.Name(), s.Revision)
+	return MountDir(s.InstanceName(), s.Revision)
 }
 
 // MountFile returns the path where the snap file that is mounted is installed.
 func (s *Info) MountFile() string {
-	return MountFile(s.Name(), s.Revision)
+	return MountFile(s.InstanceName(), s.Revision)
 }
 
 // HooksDir returns the directory containing the snap's hooks.
 func (s *Info) HooksDir() string {
-	return filepath.Join(s.MountDir(), "meta", "hooks")
+	return HooksDir(s.InstanceName(), s.Revision)
 }
 
 // DataDir returns the data directory of the snap.
 func (s *Info) DataDir() string {
-	return filepath.Join(dirs.SnapDataDir, s.Name(), s.Revision.String())
+	return DataDir(s.InstanceName(), s.Revision)
 }
 
 // UserDataDir returns the user-specific data directory of the snap.
 func (s *Info) UserDataDir(home string) string {
-	return filepath.Join(home, "snap", s.Name(), s.Revision.String())
+	return UserDataDir(home, s.InstanceName(), s.Revision)
 }
 
 // UserCommonDataDir returns the user-specific data directory common across revision of the snap.
 func (s *Info) UserCommonDataDir(home string) string {
-	return filepath.Join(home, "snap", s.Name(), "common")
+	return UserCommonDataDir(home, s.InstanceName())
 }
 
 // CommonDataDir returns the data directory common across revisions of the snap.
 func (s *Info) CommonDataDir() string {
-	return filepath.Join(dirs.SnapDataDir, s.Name(), "common")
+	return CommonDataDir(s.InstanceName())
 }
 
 // DataHomeDir returns the per user data directory of the snap.
 func (s *Info) DataHomeDir() string {
-	return filepath.Join(dirs.SnapDataHomeGlob, s.Name(), s.Revision.String())
+	return filepath.Join(dirs.SnapDataHomeGlob, s.InstanceName(), s.Revision.String())
 }
 
 // CommonDataHomeDir returns the per user data directory common across revisions of the snap.
 func (s *Info) CommonDataHomeDir() string {
-	return filepath.Join(dirs.SnapDataHomeGlob, s.Name(), "common")
+	return filepath.Join(dirs.SnapDataHomeGlob, s.InstanceName(), "common")
 }
 
 // UserXdgRuntimeDir returns the XDG_RUNTIME_DIR directory of the snap for a particular user.
 func (s *Info) UserXdgRuntimeDir(euid sys.UserID) string {
-	return filepath.Join("/run/user", fmt.Sprintf("%d/snap.%s", euid, s.Name()))
+	return UserXdgRuntimeDir(euid, s.InstanceName())
 }
 
 // XdgRuntimeDirs returns the XDG_RUNTIME_DIR directories for all users of the snap.
 func (s *Info) XdgRuntimeDirs() string {
-	return filepath.Join(dirs.XdgRuntimeDirGlob, fmt.Sprintf("snap.%s", s.Name()))
+	return filepath.Join(dirs.XdgRuntimeDirGlob, fmt.Sprintf("snap.%s", s.InstanceName()))
 }
 
 // NeedsDevMode returns whether the snap needs devmode.
@@ -360,7 +438,8 @@
 	return svcs
 }
 
-// ExpandSnapVariables resolves $SNAP, $SNAP_DATA and $SNAP_COMMON.
+// ExpandSnapVariables resolves $SNAP, $SNAP_DATA and $SNAP_COMMON inside the
+// snap's mount namespace.
 func (s *Info) ExpandSnapVariables(path string) string {
 	return os.Expand(path, func(v string) string {
 		switch v {
@@ -369,23 +448,49 @@
 			// inside the mount namespace snap-confine creates and there we will
 			// always have a /snap directory available regardless if the system
 			// we're running on supports this or not.
-			return filepath.Join(dirs.CoreSnapMountDir, s.Name(), s.Revision.String())
+			return filepath.Join(dirs.CoreSnapMountDir, s.SnapName(), s.Revision.String())
 		case "SNAP_DATA":
-			return s.DataDir()
+			return DataDir(s.SnapName(), s.Revision)
 		case "SNAP_COMMON":
-			return s.CommonDataDir()
+			return CommonDataDir(s.SnapName())
 		}
 		return ""
 	})
 }
 
+// InstallDate returns the "install date" of the snap.
+//
+// If the snap is not active, it'll return a zero time; otherwise
+// it'll return the modtime of the "current" symlink. Sneaky.
+func (s *Info) InstallDate() time.Time {
+	dir, rev := filepath.Split(s.MountDir())
+	cur := filepath.Join(dir, "current")
+	tag, err := os.Readlink(cur)
+	if err == nil && tag == rev {
+		if st, err := os.Lstat(cur); err == nil {
+			return st.ModTime()
+		}
+	}
+	return time.Time{}
+}
+
+// IsActive returns whether this snap revision is active.
+func (s *Info) IsActive() bool {
+	dir, rev := filepath.Split(s.MountDir())
+	cur := filepath.Join(dir, "current")
+	tag, err := os.Readlink(cur)
+	return err == nil && tag == rev
+}
+
+// BadInterfacesSummary returns a summary of the problems of bad plugs
+// and slots in the snap.
 func BadInterfacesSummary(snapInfo *Info) string {
 	inverted := make(map[string][]string)
 	for name, reason := range snapInfo.BadInterfaces {
 		inverted[reason] = append(inverted[reason], name)
 	}
 	var buf bytes.Buffer
-	fmt.Fprintf(&buf, "snap %q has bad plugs or slots: ", snapInfo.Name())
+	fmt.Fprintf(&buf, "snap %q has bad plugs or slots: ", snapInfo.InstanceName())
 	reasons := make([]string, 0, len(inverted))
 	for reason := range inverted {
 		reasons = append(reasons, reason)
@@ -448,25 +553,53 @@
 	Hooks     map[string]*HookInfo
 }
 
-func getAttribute(snapName string, ifaceName string, attrs map[string]interface{}, key string, val interface{}) error {
-	if v, ok := attrs[key]; ok {
-		rt := reflect.TypeOf(val)
-		if rt.Kind() != reflect.Ptr || val == nil {
-			return fmt.Errorf("internal error: cannot get %q attribute of interface %q with non-pointer value", key, ifaceName)
+func lookupAttr(attrs map[string]interface{}, path string) (interface{}, bool) {
+	var v interface{}
+	comps := strings.FieldsFunc(path, func(r rune) bool { return r == '.' })
+	if len(comps) == 0 {
+		return nil, false
+	}
+	v = attrs
+	for _, comp := range comps {
+		m, ok := v.(map[string]interface{})
+		if !ok {
+			return nil, false
 		}
-
-		if reflect.TypeOf(v) != rt.Elem() {
-			return fmt.Errorf("snap %q has interface %q with invalid value type for %q attribute", snapName, ifaceName, key)
+		v, ok = m[comp]
+		if !ok {
+			return nil, false
 		}
-		rv := reflect.ValueOf(val)
-		rv.Elem().Set(reflect.ValueOf(v))
-		return nil
 	}
-	return fmt.Errorf("snap %q does not have attribute %q for interface %q", snapName, key, ifaceName)
+
+	return v, true
+}
+
+func getAttribute(snapName string, ifaceName string, attrs map[string]interface{}, key string, val interface{}) error {
+	v, ok := lookupAttr(attrs, key)
+	if !ok {
+		return fmt.Errorf("snap %q does not have attribute %q for interface %q", snapName, key, ifaceName)
+	}
+
+	rt := reflect.TypeOf(val)
+	if rt.Kind() != reflect.Ptr || val == nil {
+		return fmt.Errorf("internal error: cannot get %q attribute of interface %q with non-pointer value", key, ifaceName)
+	}
+
+	if reflect.TypeOf(v) != rt.Elem() {
+		return fmt.Errorf("snap %q has interface %q with invalid value type for %q attribute", snapName, ifaceName, key)
+	}
+	rv := reflect.ValueOf(val)
+	rv.Elem().Set(reflect.ValueOf(v))
+
+	return nil
 }
 
 func (plug *PlugInfo) Attr(key string, val interface{}) error {
-	return getAttribute(plug.Snap.Name(), plug.Interface, plug.Attrs, key, val)
+	return getAttribute(plug.Snap.InstanceName(), plug.Interface, plug.Attrs, key, val)
+}
+
+func (plug *PlugInfo) Lookup(key string) (interface{}, bool) {
+	return lookupAttr(plug.Attrs, key)
 }
 
 // SecurityTags returns security tags associated with a given plug.
@@ -484,11 +617,15 @@
 
 // String returns the representation of the plug as snap:plug string.
 func (plug *PlugInfo) String() string {
-	return fmt.Sprintf("%s:%s", plug.Snap.Name(), plug.Name)
+	return fmt.Sprintf("%s:%s", plug.Snap.InstanceName(), plug.Name)
 }
 
 func (slot *SlotInfo) Attr(key string, val interface{}) error {
-	return getAttribute(slot.Snap.Name(), slot.Interface, slot.Attrs, key, val)
+	return getAttribute(slot.Snap.InstanceName(), slot.Interface, slot.Attrs, key, val)
+}
+
+func (slot *SlotInfo) Lookup(key string) (interface{}, bool) {
+	return lookupAttr(slot.Attrs, key)
 }
 
 // SecurityTags returns security tags associated with a given slot.
@@ -506,7 +643,7 @@
 
 // String returns the representation of the slot as snap:slot string.
 func (slot *SlotInfo) String() string {
-	return fmt.Sprintf("%s:%s", slot.Snap.Name(), slot.Name)
+	return fmt.Sprintf("%s:%s", slot.Snap.InstanceName(), slot.Name)
 }
 
 // SlotInfo provides information about a slot.
@@ -519,6 +656,12 @@
 	Label     string
 	Apps      map[string]*AppInfo
 	Hooks     map[string]*HookInfo
+
+	// HotplugKey is a unique key built by the slot's interface
+	// using properties of a hotplugged device so that the same
+	// slot may be made available if the device is reinserted.
+	// It's empty for regular slots.
+	HotplugKey string
 }
 
 // SocketInfo provides information on application sockets.
@@ -537,22 +680,54 @@
 	Timer string
 }
 
-// AppInfo provides information about a app.
+// StopModeType is the type for the "stop-mode:" of a snap app
+type StopModeType string
+
+// KillAll returns if the stop-mode means all processes should be killed
+// when the service is stopped or just the main process.
+func (st StopModeType) KillAll() bool {
+	return string(st) == "" || strings.HasSuffix(string(st), "-all")
+}
+
+// KillSignal returns the signal that should be used to kill the process
+// (or an empty string if no signal is needed)
+func (st StopModeType) KillSignal() string {
+	if st.Validate() != nil || st == "" {
+		return ""
+	}
+	return strings.ToUpper(strings.TrimSuffix(string(st), "-all"))
+}
+
+func (st StopModeType) Validate() error {
+	switch st {
+	case "", "sigterm", "sigterm-all", "sighup", "sighup-all", "sigusr1", "sigusr1-all", "sigusr2", "sigusr2-all":
+		// valid
+		return nil
+	}
+	return fmt.Errorf(`"stop-mode" field contains invalid value %q`, st)
+}
+
+// AppInfo provides information about an app.
 type AppInfo struct {
 	Snap *Info
 
 	Name          string
 	LegacyAliases []string // FIXME: eventually drop this
 	Command       string
+	CommandChain  []string
+	CommonID      string
 
 	Daemon          string
 	StopTimeout     timeout.Timeout
+	WatchdogTimeout timeout.Timeout
 	StopCommand     string
 	ReloadCommand   string
 	PostStopCommand string
 	RestartCond     RestartCondition
+	RestartDelay    timeout.Timeout
 	Completer       string
 	RefreshMode     string
+	StopMode        StopModeType
 
 	// TODO: this should go away once we have more plumbing and can change
 	// things vs refactor
@@ -571,13 +746,52 @@
 	Before []string
 
 	Timer *TimerInfo
+
+	Autostart string
 }
 
 // ScreenshotInfo provides information about a screenshot.
 type ScreenshotInfo struct {
-	URL    string
-	Width  int64
-	Height int64
+	URL    string `json:"url"`
+	Width  int64  `json:"width,omitempty"`
+	Height int64  `json:"height,omitempty"`
+	Note   string `json:"note,omitempty"`
+}
+
+type MediaInfo struct {
+	Type   string `json:"type"`
+	URL    string `json:"url"`
+	Width  int64  `json:"width,omitempty"`
+	Height int64  `json:"height,omitempty"`
+}
+
+type MediaInfos []MediaInfo
+
+const ScreenshotsDeprecationNotice = `'screenshots' is deprecated; use 'media' instead. More info at https://forum.snapcraft.io/t/8086`
+
+func (mis MediaInfos) Screenshots() []ScreenshotInfo {
+	shots := make([]ScreenshotInfo, 0, len(mis))
+	for _, mi := range mis {
+		if mi.Type != "screenshot" {
+			continue
+		}
+		shots = append(shots, ScreenshotInfo{
+			URL:    mi.URL,
+			Width:  mi.Width,
+			Height: mi.Height,
+			Note:   ScreenshotsDeprecationNotice,
+		})
+	}
+	return shots
+}
+
+func (mis MediaInfos) IconURL() string {
+	for _, mi := range mis {
+		if mi.Type == "icon" {
+			return mi.URL
+		}
+	}
+	return ""
 }
 
 // HookInfo provides information about a hook.
@@ -587,6 +801,11 @@
 	Name  string
 	Plugs map[string]*PlugInfo
 	Slots map[string]*SlotInfo
+
+	Environment  strutil.OrderedMap
+	CommandChain []string
+
+	Explicit bool
 }
 
 // File returns the path to the *.socket file
@@ -599,36 +818,41 @@
 	return filepath.Join(dirs.SnapServicesDir, timer.App.SecurityTag()+".timer")
 }
 
+func (app *AppInfo) String() string {
+	return JoinSnapApp(app.Snap.InstanceName(), app.Name)
+}
+
 // SecurityTag returns application-specific security tag.
 //
 // Security tags are used by various security subsystems as "profile names" and
 // sometimes also as a part of the file name.
 func (app *AppInfo) SecurityTag() string {
-	return AppSecurityTag(app.Snap.Name(), app.Name)
+	return AppSecurityTag(app.Snap.InstanceName(), app.Name)
 }
 
+// DesktopFile returns the path to the installed optional desktop file for the application.
 func (app *AppInfo) DesktopFile() string {
-	return filepath.Join(dirs.SnapDesktopFilesDir, fmt.Sprintf("%s_%s.desktop", app.Snap.Name(), app.Name))
+	return filepath.Join(dirs.SnapDesktopFilesDir, fmt.Sprintf("%s_%s.desktop", app.Snap.InstanceName(), app.Name))
 }
 
 // WrapperPath returns the path to wrapper invoking the app binary.
 func (app *AppInfo) WrapperPath() string {
-	return filepath.Join(dirs.SnapBinariesDir, JoinSnapApp(app.Snap.Name(), app.Name))
+	return filepath.Join(dirs.SnapBinariesDir, JoinSnapApp(app.Snap.InstanceName(), app.Name))
 }
 
 // CompleterPath returns the path to the completer snippet for the app binary.
 func (app *AppInfo) CompleterPath() string {
-	return filepath.Join(dirs.CompletersDir, JoinSnapApp(app.Snap.Name(), app.Name))
+	return filepath.Join(dirs.CompletersDir, JoinSnapApp(app.Snap.InstanceName(), app.Name))
 }
 
 func (app *AppInfo) launcherCommand(command string) string {
 	if command != "" {
 		command = " " + command
 	}
-	if app.Name == app.Snap.Name() {
-		return fmt.Sprintf("/usr/bin/snap run%s %s", command, app.Name)
+	if app.Name == app.Snap.SnapName() {
+		return fmt.Sprintf("/usr/bin/snap run%s %s", command, app.Snap.InstanceName())
 	}
-	return fmt.Sprintf("/usr/bin/snap run%s %s.%s", command, app.Snap.Name(), app.Name)
+	return fmt.Sprintf("/usr/bin/snap run%s %s.%s", command, app.Snap.InstanceName(), app.Name)
 }
 
 // LauncherCommand returns the launcher command line to use when invoking the app binary.
@@ -666,15 +890,12 @@
 
 // Env returns the app specific environment overrides
 func (app *AppInfo) Env() []string {
-	env := []string{}
 	appEnv := app.Snap.Environment.Copy()
 	for _, k := range app.Environment.Keys() {
 		appEnv.Set(k, app.Environment.Get(k))
 	}
-	for _, k := range appEnv.Keys() {
-		env = append(env, fmt.Sprintf("%s=%s", k, appEnv.Get(k)))
-	}
-	return env
+
+	return envFromMap(appEnv)
 }
 
 // IsService returns whether app represents a daemon/service.
@@ -687,16 +908,25 @@
 // Security tags are used by various security subsystems as "profile names" and
 // sometimes also as a part of the file name.
 func (hook *HookInfo) SecurityTag() string {
-	return HookSecurityTag(hook.Snap.Name(), hook.Name)
+	return HookSecurityTag(hook.Snap.InstanceName(), hook.Name)
 }
 
 // Env returns the hook-specific environment overrides
 func (hook *HookInfo) Env() []string {
-	env := []string{}
 	hookEnv := hook.Snap.Environment.Copy()
-	for _, k := range hookEnv.Keys() {
-		env = append(env, fmt.Sprintf("%s=%s\n", k, hookEnv.Get(k)))
+	for _, k := range hook.Environment.Keys() {
+		hookEnv.Set(k, hook.Environment.Get(k))
 	}
+
+	return envFromMap(hookEnv)
+}
+
+func envFromMap(envMap *strutil.OrderedMap) []string {
+	env := []string{}
+	for _, k := range envMap.Keys() {
+		env = append(env, fmt.Sprintf("%s=%s", k, envMap.Get(k)))
+	}
+
 	return env
 }
 
@@ -713,15 +943,45 @@
 	return info, nil
 }
 
+// BrokenSnapError describes an error that refers to a snap that warrants the "broken" note.
+type BrokenSnapError interface {
+	error
+	Broken() string
+}
+
 type NotFoundError struct {
 	Snap     string
 	Revision Revision
+	// Path encodes the path that triggered the not-found error.
+	// It may refer to a file inside the snap or to the snap file itself.
+	Path string
 }
 
 func (e NotFoundError) Error() string {
+	if e.Path != "" {
+		return fmt.Sprintf("cannot find installed snap %q at revision %s: missing file %s", e.Snap, e.Revision, e.Path)
+	}
 	return fmt.Sprintf("cannot find installed snap %q at revision %s", e.Snap, e.Revision)
 }
 
+func (e NotFoundError) Broken() string {
+	return e.Error()
+}
+
+type invalidMetaError struct {
+	Snap     string
+	Revision Revision
+	Msg      string
+}
+
+func (e invalidMetaError) Error() string {
+	return fmt.Sprintf("cannot use installed snap %q at revision %s: %s", e.Snap, e.Revision, e.Msg)
+}
+
+func (e invalidMetaError) Broken() string {
+	return e.Error()
+}
+
 func MockSanitizePlugsSlots(f func(snapInfo *Info)) (restore func()) {
 	old := SanitizePlugsSlots
 	SanitizePlugsSlots = f
@@ -737,7 +997,7 @@
 	snapYamlFn := filepath.Join(MountDir(name, si.Revision), "meta", "snap.yaml")
 	meta, err := ioutil.ReadFile(snapYamlFn)
 	if os.IsNotExist(err) {
-		return nil, &NotFoundError{Snap: name, Revision: si.Revision}
+		return nil, &NotFoundError{Snap: name, Revision: si.Revision, Path: snapYamlFn}
 	}
 	if err != nil {
 		return nil, err
@@ -745,24 +1005,58 @@
 
 	info, err := infoFromSnapYamlWithSideInfo(meta, si)
 	if err != nil {
-		return nil, err
+		return nil, &invalidMetaError{Snap: name, Revision: si.Revision, Msg: err.Error()}
 	}
 
-	st, err := os.Stat(MountFile(name, si.Revision))
+	err = addImplicitHooks(info)
 	if err != nil {
-		return nil, err
+		return nil, &invalidMetaError{Snap: name, Revision: si.Revision, Msg: err.Error()}
 	}
-	info.Size = st.Size()
 
-	err = addImplicitHooks(info)
+	bindImplicitHooks(info)
+
+	_, instanceKey := SplitInstanceName(name)
+	info.InstanceKey = instanceKey
+
+	mountFile := MountFile(name, si.Revision)
+	st, err := os.Lstat(mountFile)
+	if os.IsNotExist(err) {
+		// This can happen when "snap try" mode snap is moved around. The mount
+		// is still in place (it's a bind mount, it doesn't care about the
+		// source moving) but the symlink in /var/lib/snapd/snaps is now
+		// dangling.
+		return nil, &NotFoundError{Snap: name, Revision: si.Revision, Path: mountFile}
+	}
 	if err != nil {
 		return nil, err
 	}
+	// If the file is a regular file than it must be a squashfs file that is
+	// used as the backing store for the snap. The size of that file is the
+	// size of the snap.
+	if st.Mode().IsRegular() {
+		info.Size = st.Size()
+	}
 
 	return info, nil
 }
 
-// ReadInfoFromSnapFile reads the snap information from the given File
+// ReadCurrentInfo reads the snap information from the installed snap in 'current' revision
+func ReadCurrentInfo(snapName string) (*Info, error) {
+	curFn := filepath.Join(dirs.SnapMountDir, snapName, "current")
+	realFn, err := os.Readlink(curFn)
+	if err != nil {
+		return nil, fmt.Errorf("cannot find current revision for snap %s: %s", snapName, err)
+	}
+	rev := filepath.Base(realFn)
+	revision, err := ParseRevision(rev)
+	if err != nil {
+		return nil, fmt.Errorf("cannot read revision %s: %s", rev, err)
+	}
+
+	return ReadInfo(snapName, &SideInfo{Revision: revision})
+}
+
+// ReadInfoFromSnapFile reads the snap information from the given Container
 // and completes it with the given side-info if this is not nil.
 func ReadInfoFromSnapFile(snapf Container, si *SideInfo) (*Info, error) {
 	meta, err := snapf.ReadFile("meta/snap.yaml")
@@ -785,6 +1079,8 @@
 		return nil, err
 	}
 
+	bindImplicitHooks(info)
+
 	err = Validate(info)
 	if err != nil {
 		return nil, err
@@ -811,7 +1107,7 @@
 func SplitSnapApp(snapApp string) (snap, app string) {
 	l := strings.SplitN(snapApp, ".", 2)
 	if len(l) < 2 {
-		return l[0], l[0]
+		return l[0], InstanceSnap(l[0])
 	}
 	return l[0], l[1]
 }
@@ -820,8 +1116,112 @@
 // `snap` and the `app` part. It also deals with the special
 // case of snapName == appName.
 func JoinSnapApp(snap, app string) string {
-	if snap == app {
-		return app
+	storeName, instanceKey := SplitInstanceName(snap)
+	if storeName == app {
+		return InstanceName(app, instanceKey)
 	}
 	return fmt.Sprintf("%s.%s", snap, app)
 }
+
+// InstanceSnap splits the instance name and returns the name of the snap.
+func InstanceSnap(instanceName string) string {
+	snapName, _ := SplitInstanceName(instanceName)
+	return snapName
+}
+
+// SplitInstanceName splits the instance name and returns the snap name and the
+// instance key.
+func SplitInstanceName(instanceName string) (snapName, instanceKey string) {
+	split := strings.SplitN(instanceName, "_", 2)
+	snapName = split[0]
+	if len(split) > 1 {
+		instanceKey = split[1]
+	}
+	return snapName, instanceKey
+}
+
+// InstanceName takes the snap name and the instance key and returns an instance
+// name of the snap.
+func InstanceName(snapName, instanceKey string) string {
+	if instanceKey != "" {
+		return fmt.Sprintf("%s_%s", snapName, instanceKey)
+	}
+	return snapName
+}
+
+// ByType supports sorting the given slice of snap info by types. The most
+// important types will come first.
+type ByType []*Info
+
+func (r ByType) Len() int      { return len(r) }
+func (r ByType) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
+func (r ByType) Less(i, j int) bool {
+	return r[i].Type.SortsBefore(r[j].Type)
+}
+
+func SortServices(apps []*AppInfo) (sorted []*AppInfo, err error) {
+	nameToApp := make(map[string]*AppInfo, len(apps))
+	for _, app := range apps {
+		nameToApp[app.Name] = app
+	}
+
+	// list of successors of given app
+	successors := make(map[string][]*AppInfo, len(apps))
+	// count of predecessors (i.e. incoming edges) of given app
+	predecessors := make(map[string]int, len(apps))
+
+	for _, app := range apps {
+		for _, other := range app.After {
+			predecessors[app.Name]++
+			successors[other] = append(successors[other], app)
+		}
+		for _, other := range app.Before {
+			predecessors[other]++
+			successors[app.Name] = append(successors[app.Name], nameToApp[other])
+		}
+	}
+
+	// list of apps without predecessors (no incoming edges)
+	queue := make([]*AppInfo, 0, len(apps))
+	for _, app := range apps {
+		if predecessors[app.Name] == 0 {
+			queue = append(queue, app)
+		}
+	}
+
+	// Kahn:
+	// see https://dl.acm.org/citation.cfm?doid=368996.369025
+	//     https://en.wikipedia.org/wiki/Topological_sorting#Kahn's_algorithm
+	//
+	// Apps without predecessors are 'top' nodes. On each iteration, take
+	// the next 'top' node, and decrease the predecessor count of each
+	// successor app. Once that successor app has no more predecessors, take
+	// it out of the predecessors set and add it to the queue of 'top'
+	// nodes.
+	for len(queue) > 0 {
+		app := queue[0]
+		queue = queue[1:]
+		for _, successor := range successors[app.Name] {
+			predecessors[successor.Name]--
+			if predecessors[successor.Name] == 0 {
+				delete(predecessors, successor.Name)
+				queue = append(queue, successor)
+			}
+		}
+		sorted = append(sorted, app)
+	}
+
+	if len(predecessors) != 0 {
+		// apps with predecessors unaccounted for are a part of
+		// dependency cycle
+		unsatisifed := bytes.Buffer{}
+		for name := range predecessors {
+			if unsatisifed.Len() > 0 {
+				unsatisifed.WriteString(", ")
+			}
+			unsatisifed.WriteString(name)
+		}
+		return nil, fmt.Errorf("applications are part of a before/after cycle: %s", unsatisifed.String())
+	}
+	return sorted, nil
+}
diff -Nru snapd-2.32.3.2~14.04/snap/info_snap_yaml.go snapd-2.37~rc1~14.04/snap/info_snap_yaml.go
--- snapd-2.32.3.2~14.04/snap/info_snap_yaml.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/info_snap_yaml.go	2019-01-16 08:36:51.000000000 +0000
@@ -53,12 +53,24 @@
 	Apps             map[string]appYaml     `yaml:"apps,omitempty"`
 	Hooks            map[string]hookYaml    `yaml:"hooks,omitempty"`
 	Layout           map[string]layoutYaml  `yaml:"layout,omitempty"`
+
+	// TypoLayouts is used to detect the use of the incorrect plural form of "layout"
+	TypoLayouts typoDetector `yaml:"layouts,omitempty"`
+}
+
+type typoDetector struct {
+	Hint string
+}
+
+func (td *typoDetector) UnmarshalYAML(func(interface{}) error) error {
+	return fmt.Errorf("typo detected: %s", td.Hint)
 }
 
 type appYaml struct {
 	Aliases []string `yaml:"aliases,omitempty"`
 
-	Command string `yaml:"command"`
+	Command      string   `yaml:"command"`
+	CommandChain []string `yaml:"command-chain,omitempty"`
 
 	Daemon string `yaml:"daemon"`
 
@@ -66,14 +78,18 @@
 	ReloadCommand   string          `yaml:"reload-command,omitempty"`
 	PostStopCommand string          `yaml:"post-stop-command,omitempty"`
 	StopTimeout     timeout.Timeout `yaml:"stop-timeout,omitempty"`
+	WatchdogTimeout timeout.Timeout `yaml:"watchdog-timeout,omitempty"`
 	Completer       string          `yaml:"completer,omitempty"`
 	RefreshMode     string          `yaml:"refresh-mode,omitempty"`
+	StopMode        StopModeType    `yaml:"stop-mode,omitempty"`
 
-	RestartCond RestartCondition `yaml:"restart-condition,omitempty"`
-	SlotNames   []string         `yaml:"slots,omitempty"`
-	PlugNames   []string         `yaml:"plugs,omitempty"`
+	RestartCond  RestartCondition `yaml:"restart-condition,omitempty"`
+	RestartDelay timeout.Timeout  `yaml:"restart-delay,omitempty"`
+	SlotNames    []string         `yaml:"slots,omitempty"`
+	PlugNames    []string         `yaml:"plugs,omitempty"`
 
-	BusName string `yaml:"bus-name,omitempty"`
+	BusName  string `yaml:"bus-name,omitempty"`
+	CommonID string `yaml:"common-id,omitempty"`
 
 	Environment strutil.OrderedMap `yaml:"environment,omitempty"`
 
@@ -83,11 +99,15 @@
 	Before []string `yaml:"before,omitempty"`
 
 	Timer string `yaml:"timer,omitempty"`
+
+	Autostart string `yaml:"autostart,omitempty"`
 }
 
 type hookYaml struct {
-	PlugNames []string `yaml:"plugs,omitempty"`
-	SlotNames []string `yaml:"slots,omitempty"`
+	PlugNames    []string           `yaml:"plugs,omitempty"`
+	SlotNames    []string           `yaml:"slots,omitempty"`
+	Environment  strutil.OrderedMap `yaml:"environment,omitempty"`
+	CommandChain []string           `yaml:"command-chain,omitempty"`
 }
 
 type layoutYaml struct {
@@ -108,9 +128,11 @@
 // InfoFromSnapYaml creates a new info based on the given snap.yaml data
 func InfoFromSnapYaml(yamlData []byte) (*Info, error) {
 	var y snapYaml
+	// Customize hints for the typo detector.
+	y.TypoLayouts.Hint = `use singular "layout" instead of plural "layouts"`
 	err := yaml.Unmarshal(yamlData, &y)
 	if err != nil {
-		return nil, fmt.Errorf("info failed to parse: %s", err)
+		return nil, fmt.Errorf("cannot parse snap.yaml: %s", err)
 	}
 
 	snap := infoSkeletonFromSnapYaml(y)
@@ -124,16 +146,14 @@
 	}
 
 	// At this point snap.Plugs and snap.Slots only contain globally-declared
-	// plugs and slots. We're about to change that, but we need to remember the
-	// global ones for later, so save their names.
-	globalPlugNames := make([]string, 0, len(snap.Plugs))
-	for plugName := range snap.Plugs {
-		globalPlugNames = append(globalPlugNames, plugName)
+	// plugs and slots, so copy them for later.
+	snap.toplevelPlugs = make([]*PlugInfo, 0, len(snap.Plugs))
+	snap.toplevelSlots = make([]*SlotInfo, 0, len(snap.Slots))
+	for _, plug := range snap.Plugs {
+		snap.toplevelPlugs = append(snap.toplevelPlugs, plug)
 	}
-
-	globalSlotNames := make([]string, 0, len(snap.Slots))
-	for slotName := range snap.Slots {
-		globalSlotNames = append(globalSlotNames, slotName)
+	for _, slot := range snap.Slots {
+		snap.toplevelSlots = append(snap.toplevelSlots, slot)
 	}
 
 	// Collect all apps, their aliases and hooks
@@ -143,10 +163,10 @@
 	setHooksFromSnapYaml(y, snap)
 
 	// Bind unbound plugs to all apps and hooks
-	bindUnboundPlugs(globalPlugNames, snap)
+	bindUnboundPlugs(snap)
 
 	// Bind unbound slots to all apps and hooks
-	bindUnboundSlots(globalSlotNames, snap)
+	bindUnboundSlots(snap)
 
 	// Collect layout elements.
 	if y.Layout != nil {
@@ -198,6 +218,17 @@
 	if y.Type != "" {
 		typ = y.Type
 	}
+	// TODO: once we have epochs transition to the snapd type for real
+	if y.Name == "snapd" {
+		typ = TypeSnapd
+	}
+
+	if len(y.Epoch.Read) == 0 {
+		// normalize
+		y.Epoch.Read = []uint32{0}
+		y.Epoch.Write = []uint32{0}
+	}
+
 	confinement := StrictConfinement
 	if y.Confinement != "" {
 		confinement = y.Confinement
@@ -288,18 +319,24 @@
 			Name:            appName,
 			LegacyAliases:   yApp.Aliases,
 			Command:         yApp.Command,
+			CommandChain:    yApp.CommandChain,
 			Daemon:          yApp.Daemon,
 			StopTimeout:     yApp.StopTimeout,
 			StopCommand:     yApp.StopCommand,
 			ReloadCommand:   yApp.ReloadCommand,
 			PostStopCommand: yApp.PostStopCommand,
 			RestartCond:     yApp.RestartCond,
+			RestartDelay:    yApp.RestartDelay,
 			BusName:         yApp.BusName,
+			CommonID:        yApp.CommonID,
 			Environment:     yApp.Environment,
 			Completer:       yApp.Completer,
+			StopMode:        yApp.StopMode,
 			RefreshMode:     yApp.RefreshMode,
 			Before:          yApp.Before,
 			After:           yApp.After,
+			Autostart:       yApp.Autostart,
+			WatchdogTimeout: yApp.WatchdogTimeout,
 		}
 		if len(y.Plugs) > 0 || len(yApp.PlugNames) > 0 {
 			app.Plugs = make(map[string]*PlugInfo)
@@ -362,6 +399,10 @@
 				Timer: yApp.Timer,
 			}
 		}
+		// collect all common IDs
+		if app.CommonID != "" {
+			snap.CommonIDs = append(snap.CommonIDs, app.CommonID)
+		}
 	}
 	return nil
 }
@@ -374,8 +415,11 @@
 
 		// Collect all hooks
 		hook := &HookInfo{
-			Snap: snap,
-			Name: hookName,
+			Snap:         snap,
+			Name:         hookName,
+			Environment:  yHook.Environment,
+			CommandChain: yHook.CommandChain,
+			Explicit:     true,
 		}
 		if len(y.Plugs) > 0 || len(yHook.PlugNames) > 0 {
 			hook.Plugs = make(map[string]*PlugInfo)
@@ -423,13 +467,8 @@
 	}
 }
 
-func bindUnboundPlugs(plugNames []string, snap *Info) error {
-	for _, plugName := range plugNames {
-		plug, ok := snap.Plugs[plugName]
-		if !ok {
-			return fmt.Errorf("no plug named %q", plugName)
-		}
-
+func bindUnboundPlugs(snap *Info) {
+	for plugName, plug := range snap.Plugs {
 		// A plug is considered unbound if it isn't being used by any apps
 		// or hooks. In which case we bind them to all apps and hooks.
 		if len(plug.Apps) == 0 && len(plug.Hooks) == 0 {
@@ -444,17 +483,10 @@
 			}
 		}
 	}
-
-	return nil
 }
 
-func bindUnboundSlots(slotNames []string, snap *Info) error {
-	for _, slotName := range slotNames {
-		slot, ok := snap.Slots[slotName]
-		if !ok {
-			return fmt.Errorf("no slot named %q", slotName)
-		}
-
+func bindUnboundSlots(snap *Info) {
+	for slotName, slot := range snap.Slots {
 		// A slot is considered unbound if it isn't being used by any apps
 		// or hooks. In which case we bind them to all apps and hooks.
 		if len(slot.Apps) == 0 && len(slot.Hooks) == 0 {
@@ -468,8 +500,41 @@
 			}
 		}
 	}
+}
 
-	return nil
+// bindImplicitHooks binds all global plugs and slots to implicit hooks
+func bindImplicitHooks(snap *Info) {
+	for _, plug := range snap.toplevelPlugs {
+		for hookName, hook := range snap.Hooks {
+			if hook.Explicit {
+				continue
+			}
+			if hook.Plugs == nil {
+				hook.Plugs = make(map[string]*PlugInfo)
+			}
+			hook.Plugs[plug.Name] = plug
+			if plug.Hooks == nil {
+				plug.Hooks = make(map[string]*HookInfo)
+			}
+			plug.Hooks[hookName] = hook
+		}
+	}
+
+	for _, slot := range snap.toplevelSlots {
+		for hookName, hook := range snap.Hooks {
+			if hook.Explicit {
+				continue
+			}
+			if hook.Slots == nil {
+				hook.Slots = make(map[string]*SlotInfo)
+			}
+			hook.Slots[slot.Name] = slot
+			if slot.Hooks == nil {
+				slot.Hooks = make(map[string]*HookInfo)
+			}
+			slot.Hooks[hookName] = hook
+		}
+	}
 }
 
 func convertToSlotOrPlugData(plugOrSlot, name string, data interface{}) (iface, label string, attrs map[string]interface{}, err error) {
diff -Nru snapd-2.32.3.2~14.04/snap/info_snap_yaml_test.go snapd-2.37~rc1~14.04/snap/info_snap_yaml_test.go
--- snapd-2.32.3.2~14.04/snap/info_snap_yaml_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/info_snap_yaml_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -59,14 +59,24 @@
 func (s *InfoSnapYamlTestSuite) TestSimple(c *C) {
 	info, err := snap.InfoFromSnapYaml(mockYaml)
 	c.Assert(err, IsNil)
-	c.Assert(info.Name(), Equals, "foo")
+	c.Assert(info.InstanceName(), Equals, "foo")
 	c.Assert(info.Version, Equals, "1.0")
 	c.Assert(info.Type, Equals, snap.TypeApp)
+	c.Assert(info.Epoch, DeepEquals, snap.E("0"))
+}
+
+func (s *InfoSnapYamlTestSuite) TestSnapdTypeAddedByMagic(c *C) {
+	info, err := snap.InfoFromSnapYaml([]byte(`name: snapd
+version: 1.0`))
+	c.Assert(err, IsNil)
+	c.Assert(info.InstanceName(), Equals, "snapd")
+	c.Assert(info.Version, Equals, "1.0")
+	c.Assert(info.Type, Equals, snap.TypeSnapd)
 }
 
 func (s *InfoSnapYamlTestSuite) TestFail(c *C) {
 	_, err := snap.InfoFromSnapYaml([]byte("random-crap"))
-	c.Assert(err, ErrorMatches, "(?m)info failed to parse:.*")
+	c.Assert(err, ErrorMatches, "(?m)cannot parse snap.yaml:.*")
 }
 
 type YamlSuite struct {
@@ -111,7 +121,7 @@
     network-client:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Assert(info.Plugs["network-client"], DeepEquals, &snap.PlugInfo{
@@ -129,7 +139,7 @@
     net: network-client
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Assert(info.Plugs["net"], DeepEquals, &snap.PlugInfo{
@@ -148,7 +158,7 @@
         interface: network-client
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Assert(info.Plugs["net"], DeepEquals, &snap.PlugInfo{
@@ -168,7 +178,7 @@
         ipv6-aware: true
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Assert(info.Plugs["net"], DeepEquals, &snap.PlugInfo{
@@ -193,7 +203,7 @@
           b: B
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Assert(info.Plugs["iface"], DeepEquals, &snap.PlugInfo{
@@ -221,7 +231,7 @@
         attr: 2
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Assert(info.Plugs["net"], DeepEquals, &snap.PlugInfo{
@@ -242,7 +252,7 @@
     app:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 1)
@@ -274,7 +284,7 @@
     without-plug:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 2)
@@ -311,7 +321,7 @@
         plugs: ["net"]
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 1)
@@ -339,7 +349,7 @@
         plugs: ["network-client"]
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 1)
@@ -367,7 +377,7 @@
         ipv6-aware: true
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -388,7 +398,7 @@
         label: Disk I/O indicator
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -492,7 +502,7 @@
     network-client:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Assert(info.Slots["network-client"], DeepEquals, &snap.SlotInfo{
@@ -510,7 +520,7 @@
     net: network-client
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Assert(info.Slots["net"], DeepEquals, &snap.SlotInfo{
@@ -529,7 +539,7 @@
         interface: network-client
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Assert(info.Slots["net"], DeepEquals, &snap.SlotInfo{
@@ -549,7 +559,7 @@
         ipv6-aware: true
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Assert(info.Slots["net"], DeepEquals, &snap.SlotInfo{
@@ -573,7 +583,7 @@
           a: "A"
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Assert(info.Slots["iface"], DeepEquals, &snap.SlotInfo{
@@ -601,7 +611,7 @@
         attr: 2
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Assert(info.Slots["net"], DeepEquals, &snap.SlotInfo{
@@ -622,7 +632,7 @@
     app:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Check(info.Apps, HasLen, 1)
@@ -652,7 +662,7 @@
         slots: ["net"]
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Check(info.Apps, HasLen, 1)
@@ -680,7 +690,7 @@
         slots: ["network-client"]
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Check(info.Apps, HasLen, 1)
@@ -708,7 +718,7 @@
         ipv6-aware: true
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Check(info.Apps, HasLen, 0)
@@ -730,7 +740,7 @@
         label: Front panel LED (red)
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Check(info.Apps, HasLen, 0)
@@ -752,7 +762,7 @@
     test-hook:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Check(info.Apps, HasLen, 0)
@@ -773,6 +783,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Slots: map[string]*snap.SlotInfo{slot.Name: slot},
+
+		Explicit: true,
 	})
 }
 
@@ -785,7 +797,7 @@
         slots: [test-slot]
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 1)
 	c.Check(info.Apps, HasLen, 0)
@@ -806,6 +818,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Slots: map[string]*snap.SlotInfo{slot.Name: slot},
+
+		Explicit: true,
 	})
 }
 
@@ -885,7 +899,7 @@
     test-hook:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -898,6 +912,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Plugs: nil,
+
+		Explicit: true,
 	})
 }
 
@@ -913,7 +929,7 @@
     test-hook:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -933,7 +949,7 @@
     foo-hook:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 0)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -946,6 +962,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Plugs: nil,
+
+		Explicit: true,
 	})
 }
 
@@ -958,7 +976,7 @@
         plugs: [test-plug]
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -979,6 +997,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Plugs: map[string]*snap.PlugInfo{plug.Name: plug},
+
+		Explicit: true,
 	})
 }
 
@@ -992,7 +1012,7 @@
     test-hook:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -1013,6 +1033,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Plugs: map[string]*snap.PlugInfo{plug.Name: plug},
+
+		Explicit: true,
 	})
 }
 
@@ -1028,7 +1050,7 @@
     without-plug:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -1047,11 +1069,15 @@
 		Snap:  info,
 		Name:  "with-plug",
 		Plugs: map[string]*snap.PlugInfo{plug.Name: plug},
+
+		Explicit: true,
 	})
 	c.Assert(withoutPlugHook, DeepEquals, &snap.HookInfo{
 		Snap:  info,
 		Name:  "without-plug",
 		Plugs: map[string]*snap.PlugInfo{},
+
+		Explicit: true,
 	})
 }
 
@@ -1066,7 +1092,7 @@
         plugs: ["test-plug"]
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 0)
@@ -1087,6 +1113,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Plugs: map[string]*snap.PlugInfo{plug.Name: plug},
+
+		Explicit: true,
 	})
 }
 
@@ -1103,7 +1131,7 @@
     test-app:
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "snap")
+	c.Check(info.InstanceName(), Equals, "snap")
 	c.Check(info.Plugs, HasLen, 1)
 	c.Check(info.Slots, HasLen, 0)
 	c.Check(info.Apps, HasLen, 1)
@@ -1123,6 +1151,8 @@
 		Snap:  info,
 		Name:  "test-hook",
 		Plugs: map[string]*snap.PlugInfo{plug.Name: plug},
+
+		Explicit: true,
 	})
 	c.Assert(app, DeepEquals, &snap.AppInfo{
 		Snap:  info,
@@ -1171,10 +1201,10 @@
         interface: ptrace
 `))
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "foo")
+	c.Check(info.InstanceName(), Equals, "foo")
 	c.Check(info.Version, Equals, "1.2")
 	c.Check(info.Type, Equals, snap.TypeApp)
-	c.Check(info.Epoch.String(), Equals, "1*")
+	c.Check(info.Epoch, DeepEquals, snap.E("1*"))
 	c.Check(info.Confinement, Equals, snap.DevModeConfinement)
 	c.Check(info.Title(), Equals, "Foo")
 	c.Check(info.Summary(), Equals, "foo app")
@@ -1183,8 +1213,7 @@
 	c.Check(info.Plugs, HasLen, 4)
 	c.Check(info.Slots, HasLen, 2)
 	// these don't come from snap.yaml
-	c.Check(info.Publisher, Equals, "")
-	c.Check(info.PublisherID, Equals, "")
+	c.Check(info.Publisher, Equals, snap.StoreAccount{})
 	c.Check(info.Channel, Equals, "")
 	c.Check(info.License, Equals, "GPL-3.0")
 
@@ -1316,7 +1345,7 @@
 `)
 	info, err := snap.InfoFromSnapYaml(y)
 	c.Assert(err, IsNil)
-	c.Assert(info.Epoch.String(), Equals, "0")
+	c.Assert(info.Epoch, DeepEquals, snap.E("0"))
 }
 
 func (s *YamlSuite) TestSnapYamlConfinementDefault(c *C) {
@@ -1497,7 +1526,7 @@
        socket-mode: asdfasdf
 `)
 	_, err := snap.InfoFromSnapYaml(y)
-	c.Check(err.Error(), Equals, "info failed to parse: yaml: unmarshal errors:\n"+
+	c.Check(err.Error(), Equals, "cannot parse snap.yaml: yaml: unmarshal errors:\n"+
 		"  line 9: cannot unmarshal !!str `asdfasdf` into os.FileMode")
 }
 
@@ -1529,6 +1558,21 @@
 	c.Assert(info.Apps["foo"].Environment, DeepEquals, *strutil.NewOrderedMap("k1", "v1", "k2", "v2"))
 }
 
+func (s *YamlSuite) TestSnapYamlPerHookEnvironment(c *C) {
+	y := []byte(`
+name: foo
+version: 1.0
+hooks:
+ foo:
+  environment:
+   k1: v1
+   k2: v2
+`)
+	info, err := snap.InfoFromSnapYaml(y)
+	c.Assert(err, IsNil)
+	c.Assert(info.Hooks["foo"].Environment, DeepEquals, *strutil.NewOrderedMap("k1", "v1", "k2", "v2"))
+}
+
 // classic confinement
 func (s *YamlSuite) TestClassicConfinement(c *C) {
 	y := []byte(`
@@ -1616,6 +1660,20 @@
 	})
 }
 
+func (s *YamlSuite) TestSnapYamlWatchdog(c *C) {
+	y := []byte(`
+name: foo
+version: 1.0
+apps:
+  foo:
+    watchdog-timeout: 12s
+`)
+	info, err := snap.InfoFromSnapYaml(y)
+	c.Assert(err, IsNil)
+
+	c.Check(info.Apps["foo"].WatchdogTimeout, Equals, timeout.Timeout(12*time.Second))
+}
+
 func (s *YamlSuite) TestLayout(c *C) {
 	y := []byte(`
 name: foo
@@ -1656,6 +1714,19 @@
 	})
 }
 
+func (s *YamlSuite) TestLayoutsWithTypo(c *C) {
+	y := []byte(`
+name: foo
+version: 1.0
+layouts:
+  /usr/share/foo:
+    bind: $SNAP/usr/share/foo
+`)
+	info, err := snap.InfoFromSnapYaml(y)
+	c.Assert(err, ErrorMatches, `cannot parse snap.yaml: typo detected: use singular "layout" instead of plural "layouts"`)
+	c.Assert(info, IsNil)
+}
+
 func (s *YamlSuite) TestSnapYamlAppTimer(c *C) {
 	y := []byte(`name: wat
 version: 42
@@ -1670,3 +1741,91 @@
 	app := info.Apps["foo"]
 	c.Check(app.Timer, DeepEquals, &snap.TimerInfo{App: app, Timer: "mon,10:00-12:00"})
 }
+
+func (s *YamlSuite) TestSnapYamlAppAutostart(c *C) {
+	yAutostart := []byte(`name: wat
+version: 42
+apps:
+ foo:
+   command: bin/foo
+   autostart: foo.desktop
+
+`)
+	info, err := snap.InfoFromSnapYaml(yAutostart)
+	c.Assert(err, IsNil)
+	app := info.Apps["foo"]
+	c.Check(app.Autostart, Equals, "foo.desktop")
+
+	yNoAutostart := []byte(`name: wat
+version: 42
+apps:
+ foo:
+   command: bin/foo
+
+`)
+	info, err = snap.InfoFromSnapYaml(yNoAutostart)
+	c.Assert(err, IsNil)
+	app = info.Apps["foo"]
+	c.Check(app.Autostart, Equals, "")
+}
+
+func (s *YamlSuite) TestSnapYamlAppCommonID(c *C) {
+	yAutostart := []byte(`name: wat
+version: 42
+apps:
+ foo:
+   command: bin/foo
+   common-id: org.foo
+ bar:
+   command: bin/foo
+   common-id: org.bar
+ baz:
+   command: bin/foo
+
+`)
+	info, err := snap.InfoFromSnapYaml(yAutostart)
+	c.Assert(err, IsNil)
+	c.Check(info.Apps["foo"].CommonID, Equals, "org.foo")
+	c.Check(info.Apps["bar"].CommonID, Equals, "org.bar")
+	c.Check(info.Apps["baz"].CommonID, Equals, "")
+	c.Assert(info.CommonIDs, HasLen, 2)
+	c.Assert((info.CommonIDs[0] == "org.foo" && info.CommonIDs[1] == "org.bar") ||
+		(info.CommonIDs[1] == "org.foo" && info.CommonIDs[0] == "org.bar"),
+		Equals,
+		true)
+}
+
+func (s *YamlSuite) TestSnapYamlCommandChain(c *C) {
+	yAutostart := []byte(`name: wat
+version: 42
+apps:
+ foo:
+  command: bin/foo
+  command-chain: [chain1, chain2]
+hooks:
+ configure:
+  command-chain: [hookchain1, hookchain2]
+`)
+	info, err := snap.InfoFromSnapYaml(yAutostart)
+	c.Assert(err, IsNil)
+	app := info.Apps["foo"]
+	c.Check(app.CommandChain, DeepEquals, []string{"chain1", "chain2"})
+	hook := info.Hooks["configure"]
+	c.Check(hook.CommandChain, DeepEquals, []string{"hookchain1", "hookchain2"})
+}
+
+func (s *YamlSuite) TestSnapYamlRestartDelay(c *C) {
+	yAutostart := []byte(`name: wat
+version: 42
+apps:
+ foo:
+  command: bin/foo
+  daemon: simple
+  restart-delay: 12s
+`)
+	info, err := snap.InfoFromSnapYaml(yAutostart)
+	c.Assert(err, IsNil)
+	app := info.Apps["foo"]
+	c.Assert(app, NotNil)
+	c.Check(app.RestartDelay, Equals, timeout.Timeout(12*time.Second))
+}
diff -Nru snapd-2.32.3.2~14.04/snap/info_test.go snapd-2.37~rc1~14.04/snap/info_test.go
--- snapd-2.32.3.2~14.04/snap/info_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/info_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,6 +29,7 @@
 	"strings"
 
 	. "gopkg.in/check.v1"
+	"gopkg.in/yaml.v2"
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/snap"
@@ -88,7 +89,7 @@
 		SnapID:            "snapidsnapidsnapidsnapidsnapidsn",
 	}
 
-	c.Check(info.Name(), Equals, "newname")
+	c.Check(info.InstanceName(), Equals, "newname")
 	c.Check(info.Summary(), Equals, "fixed summary")
 	c.Check(info.Description(), Equals, "fixed desc")
 	c.Check(info.Revision, Equals, snap.R(1))
@@ -164,6 +165,15 @@
 	c.Check(info.Apps["bar"].LauncherPostStopCommand(), Equals, "/usr/bin/snap run --command=post-stop foo.bar")
 	c.Check(info.Apps["foo"].LauncherCommand(), Equals, "/usr/bin/snap run foo")
 	c.Check(info.Apps["baz"].LauncherCommand(), Equals, `/usr/bin/snap run --timer="10:00-12:00,,mon,12:00~14:00" foo.baz`)
+
+	// snap with instance key
+	info.InstanceKey = "instance"
+	c.Check(info.Apps["bar"].LauncherCommand(), Equals, "/usr/bin/snap run foo_instance.bar")
+	c.Check(info.Apps["bar"].LauncherStopCommand(), Equals, "/usr/bin/snap run --command=stop foo_instance.bar")
+	c.Check(info.Apps["bar"].LauncherReloadCommand(), Equals, "/usr/bin/snap run --command=reload foo_instance.bar")
+	c.Check(info.Apps["bar"].LauncherPostStopCommand(), Equals, "/usr/bin/snap run --command=post-stop foo_instance.bar")
+	c.Check(info.Apps["foo"].LauncherCommand(), Equals, "/usr/bin/snap run foo_instance")
+	c.Check(info.Apps["baz"].LauncherCommand(), Equals, `/usr/bin/snap run --timer="10:00-12:00,,mon,12:00~14:00" foo_instance.baz`)
 }
 
 const sampleYaml = `
@@ -176,6 +186,10 @@
    command: bar
  sample:
    command: foobar
+   command-chain: [chain]
+hooks:
+ configure:
+  command-chain: [hookchain]
 `
 
 func (s *infoSuite) TestReadInfo(c *C) {
@@ -186,20 +200,78 @@
 	snapInfo2, err := snap.ReadInfo("sample", si)
 	c.Assert(err, IsNil)
 
-	c.Check(snapInfo2.Name(), Equals, "sample")
+	c.Check(snapInfo2.InstanceName(), Equals, "sample")
 	c.Check(snapInfo2.Revision, Equals, snap.R(42))
 	c.Check(snapInfo2.Summary(), Equals, "esummary")
 
 	c.Check(snapInfo2.Apps["app"].Command, Equals, "foo")
+	c.Check(snapInfo2.Apps["sample"].CommandChain, DeepEquals, []string{"chain"})
+	c.Check(snapInfo2.Hooks["configure"].CommandChain, DeepEquals, []string{"hookchain"})
+
+	c.Check(snapInfo2, DeepEquals, snapInfo1)
+}
+
+func (s *infoSuite) TestReadInfoWithInstance(c *C) {
+	si := &snap.SideInfo{Revision: snap.R(42), EditedSummary: "instance summary"}
+
+	snapInfo1 := snaptest.MockSnapInstance(c, "sample_instance", sampleYaml, si)
+
+	snapInfo2, err := snap.ReadInfo("sample_instance", si)
+	c.Assert(err, IsNil)
+
+	c.Check(snapInfo2.InstanceName(), Equals, "sample_instance")
+	c.Check(snapInfo2.SnapName(), Equals, "sample")
+	c.Check(snapInfo2.Revision, Equals, snap.R(42))
+	c.Check(snapInfo2.Summary(), Equals, "instance summary")
+
+	c.Check(snapInfo2.Apps["app"].Command, Equals, "foo")
+	c.Check(snapInfo2.Apps["sample"].CommandChain, DeepEquals, []string{"chain"})
+	c.Check(snapInfo2.Hooks["configure"].CommandChain, DeepEquals, []string{"hookchain"})
+
+	c.Check(snapInfo2, DeepEquals, snapInfo1)
+}
+
+func (s *infoSuite) TestReadCurrentInfo(c *C) {
+	si := &snap.SideInfo{Revision: snap.R(42)}
+
+	snapInfo1 := snaptest.MockSnapCurrent(c, sampleYaml, si)
+
+	snapInfo2, err := snap.ReadCurrentInfo("sample")
+	c.Assert(err, IsNil)
 
+	c.Check(snapInfo2.InstanceName(), Equals, "sample")
+	c.Check(snapInfo2.Revision, Equals, snap.R(42))
 	c.Check(snapInfo2, DeepEquals, snapInfo1)
+
+	snapInfo3, err := snap.ReadCurrentInfo("not-sample")
+	c.Check(snapInfo3, IsNil)
+	c.Assert(err, ErrorMatches, `cannot find current revision for snap not-sample:.*`)
+}
+
+func (s *infoSuite) TestReadCurrentInfoWithInstance(c *C) {
+	si := &snap.SideInfo{Revision: snap.R(42)}
+
+	snapInfo1 := snaptest.MockSnapInstanceCurrent(c, "sample_instance", sampleYaml, si)
+
+	snapInfo2, err := snap.ReadCurrentInfo("sample_instance")
+	c.Assert(err, IsNil)
+
+	c.Check(snapInfo2.InstanceName(), Equals, "sample_instance")
+	c.Check(snapInfo2.SnapName(), Equals, "sample")
+	c.Check(snapInfo2.Revision, Equals, snap.R(42))
+	c.Check(snapInfo2, DeepEquals, snapInfo1)
+
+	snapInfo3, err := snap.ReadCurrentInfo("sample_other")
+	c.Check(snapInfo3, IsNil)
+	c.Assert(err, ErrorMatches, `cannot find current revision for snap sample_other:.*`)
 }
 
 func (s *infoSuite) TestInstallDate(c *C) {
 	si := &snap.SideInfo{Revision: snap.R(1)}
 	info := snaptest.MockSnap(c, sampleYaml, si)
 	// not current -> Zero
-	c.Check(snap.InstallDate(info.Name()).IsZero(), Equals, true)
+	c.Check(info.InstallDate().IsZero(), Equals, true)
+	c.Check(snap.InstallDate(info.InstanceName()).IsZero(), Equals, true)
 
 	mountdir := info.MountDir()
 	dir, rev := filepath.Split(mountdir)
@@ -212,14 +284,18 @@
 	// sanity
 	c.Check(instTime.IsZero(), Equals, false)
 
-	c.Check(snap.InstallDate(info.Name()).Equal(instTime), Equals, true)
+	c.Check(info.InstallDate().Equal(instTime), Equals, true)
+	c.Check(snap.InstallDate(info.InstanceName()).Equal(instTime), Equals, true)
 }
 
 func (s *infoSuite) TestReadInfoNotFound(c *C) {
 	si := &snap.SideInfo{Revision: snap.R(42), EditedSummary: "esummary"}
 	info, err := snap.ReadInfo("sample", si)
 	c.Check(info, IsNil)
-	c.Check(err, ErrorMatches, `cannot find installed snap "sample" at revision 42`)
+	c.Check(err, ErrorMatches, `cannot find installed snap "sample" at revision 42: missing file .*sample/42/meta/snap.yaml`)
+	bse, ok := err.(snap.BrokenSnapError)
+	c.Assert(ok, Equals, true)
+	c.Check(bse.Broken(), Equals, bse.Error())
 }
 
 func (s *infoSuite) TestReadInfoUnreadable(c *C) {
@@ -241,7 +317,10 @@
 	info, err := snap.ReadInfo("sample", si)
 	c.Check(info, IsNil)
 	// TODO: maybe improve this error message
-	c.Check(err, ErrorMatches, ".* failed to parse.*")
+	c.Check(err, ErrorMatches, `cannot use installed snap "sample" at revision 42: cannot parse snap.yaml: yaml: .*`)
+	bse, ok := err.(snap.BrokenSnapError)
+	c.Assert(ok, Equals, true)
+	c.Check(bse.Broken(), Equals, bse.Error())
 }
 
 func (s *infoSuite) TestReadInfoUnfindable(c *C) {
@@ -251,13 +330,34 @@
 	c.Assert(ioutil.WriteFile(p, []byte(``), 0644), IsNil)
 
 	info, err := snap.ReadInfo("sample", si)
+	c.Check(err, ErrorMatches, `cannot find installed snap "sample" at revision 42: missing file .*var/lib/snapd/snaps/sample_42.snap`)
 	c.Check(info, IsNil)
-	// TODO: maybe improve this error message
-	c.Check(err, ErrorMatches, ".* no such file or directory")
+}
+
+func (s *infoSuite) TestReadInfoDanglingSymlink(c *C) {
+	si := &snap.SideInfo{Revision: snap.R(42), EditedSummary: "esummary"}
+	mpi := snap.MinimalPlaceInfo("sample", si.Revision)
+	p := filepath.Join(mpi.MountDir(), "meta", "snap.yaml")
+	c.Assert(os.MkdirAll(filepath.Dir(p), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(p, []byte(`name: test`), 0644), IsNil)
+	c.Assert(os.MkdirAll(filepath.Dir(mpi.MountFile()), 0755), IsNil)
+	c.Assert(os.Symlink("/dangling", mpi.MountFile()), IsNil)
+
+	info, err := snap.ReadInfo("sample", si)
+	c.Check(err, IsNil)
+	c.Check(info.SnapName(), Equals, "test")
+	c.Check(info.Revision, Equals, snap.R(42))
+	c.Check(info.Summary(), Equals, "esummary")
+	c.Check(info.Size, Equals, int64(0))
 }
 
 // makeTestSnap here can also be used to produce broken snaps (differently from snaptest.MakeTestSnapWithFiles)!
-func makeTestSnap(c *C, yaml string) string {
+func makeTestSnap(c *C, snapYaml string) string {
+	var m struct {
+		Type string `yaml:"type"`
+	}
+	yaml.Unmarshal([]byte(snapYaml), &m) // yes, ignore the error
+
 	tmp := c.MkDir()
 	snapSource := filepath.Join(tmp, "snapsrc")
 
@@ -265,12 +365,12 @@
 	c.Assert(err, IsNil)
 
 	// our regular snap.yaml
-	err = ioutil.WriteFile(filepath.Join(snapSource, "meta", "snap.yaml"), []byte(yaml), 0644)
+	err = ioutil.WriteFile(filepath.Join(snapSource, "meta", "snap.yaml"), []byte(snapYaml), 0644)
 	c.Assert(err, IsNil)
 
 	dest := filepath.Join(tmp, "foo.snap")
 	snap := squashfs.New(dest)
-	err = snap.Build(snapSource)
+	err = snap.Build(snapSource, m.Type)
 	c.Assert(err, IsNil)
 
 	return dest
@@ -297,7 +397,7 @@
 
 	info, err := snap.ReadInfoFromSnapFile(snapf, nil)
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "foo")
+	c.Check(info.InstanceName(), Equals, "foo")
 	c.Check(info.Version, Equals, "1.0")
 	c.Check(info.Type, Equals, snap.TypeApp)
 	c.Check(info.Revision, Equals, snap.R(0))
@@ -319,7 +419,7 @@
 
 	info, err := snap.ReadInfoFromSnapFile(snapf, nil)
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "foo")
+	c.Check(info.InstanceName(), Equals, "foo")
 	c.Check(info.Version, Equals, "1.0")
 	c.Check(info.Type, Equals, snap.TypeApp)
 	c.Check(info.Revision, Equals, snap.R(0))
@@ -339,7 +439,7 @@
 
 	info, err := snap.ReadInfoFromSnapFile(snapf, nil)
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "foo")
+	c.Check(info.InstanceName(), Equals, "foo")
 	c.Check(info.Version, Equals, "1.0")
 	c.Check(info.Type, Equals, snap.TypeApp)
 	c.Check(info.Revision, Equals, snap.R(0))
@@ -362,7 +462,7 @@
 		Revision: snap.R(42),
 	})
 	c.Assert(err, IsNil)
-	c.Check(info.Name(), Equals, "baz")
+	c.Check(info.InstanceName(), Equals, "baz")
 	c.Check(info.Version, Equals, "1.0")
 	c.Check(info.Type, Equals, snap.TypeApp)
 	c.Check(info.Revision, Equals, snap.R(42))
@@ -378,7 +478,7 @@
 	c.Assert(err, IsNil)
 
 	_, err = snap.ReadInfoFromSnapFile(snapf, nil)
-	c.Assert(err, ErrorMatches, "invalid snap name.*")
+	c.Assert(err, ErrorMatches, `invalid snap name.*`)
 }
 
 func (s *infoSuite) TestReadInfoFromSnapFileCatchesInvalidType(c *C) {
@@ -454,6 +554,53 @@
 	})
 }
 
+func (s *infoSuite) TestHookEnvSimple(c *C) {
+	yaml := `name: foo
+version: 1.0
+type: app
+environment:
+ global-k: global-v
+hooks:
+ foo:
+  environment:
+   app-k: app-v
+`
+	info, err := snap.InfoFromSnapYaml([]byte(yaml))
+	c.Assert(err, IsNil)
+
+	env := info.Hooks["foo"].Env()
+	sort.Strings(env)
+	c.Check(env, DeepEquals, []string{
+		"app-k=app-v",
+		"global-k=global-v",
+	})
+}
+
+func (s *infoSuite) TestHookEnvOverrideGlobal(c *C) {
+	yaml := `name: foo
+version: 1.0
+type: app
+environment:
+ global-k: global-v
+ global-and-local: global-v
+hooks:
+ foo:
+  environment:
+   app-k: app-v
+   global-and-local: local-v
+`
+	info, err := snap.InfoFromSnapYaml([]byte(yaml))
+	c.Assert(err, IsNil)
+
+	env := info.Hooks["foo"].Env()
+	sort.Strings(env)
+	c.Check(env, DeepEquals, []string{
+		"app-k=app-v",
+		"global-and-local=local-v",
+		"global-k=global-v",
+	})
+}
+
 func (s *infoSuite) TestSplitSnapApp(c *C) {
 	for _, t := range []struct {
 		in  string
@@ -464,6 +611,10 @@
 		{"foo.bar.baz", []string{"foo", "bar.baz"}},
 		// special case, snapName == appName
 		{"foo", []string{"foo", "foo"}},
+		// snap instance names
+		{"foo_instance.bar", []string{"foo_instance", "bar"}},
+		{"foo_instance.bar.baz", []string{"foo_instance", "bar.baz"}},
+		{"foo_instance", []string{"foo_instance", "foo"}},
 	} {
 		snap, app := snap.SplitSnapApp(t.in)
 		c.Check([]string{snap, app}, DeepEquals, t.out)
@@ -480,6 +631,10 @@
 		{[]string{"foo", "bar-baz"}, "foo.bar-baz"},
 		// special case, snapName == appName
 		{[]string{"foo", "foo"}, "foo"},
+		// snap instance names
+		{[]string{"foo_instance", "bar"}, "foo_instance.bar"},
+		{[]string{"foo_instance", "bar-baz"}, "foo_instance.bar-baz"},
+		{[]string{"foo_instance", "foo"}, "foo_instance"},
 	} {
 		snapApp := snap.JoinSnapApp(t.in[0], t.in[1])
 		c.Check(snapApp, Equals, t.out)
@@ -527,7 +682,7 @@
 	sideInfo := &snap.SideInfo{Revision: snap.R(42)}
 	info0 := snaptest.MockSnap(c, yaml, sideInfo)
 	snaptest.PopulateDir(info0.MountDir(), emptyHooks(hooks...))
-	info, err := snap.ReadInfo(info0.Name(), sideInfo)
+	info, err := snap.ReadInfo(info0.InstanceName(), sideInfo)
 	c.Check(err, IsNil)
 	checker(c, info)
 
@@ -556,7 +711,7 @@
 		// Verify that the `test-hook` hook has now been loaded, and that it has
 		// no associated plugs.
 		c.Check(info.Hooks, HasLen, 1)
-		verifyImplicitHook(c, info, "test-hook")
+		verifyImplicitHook(c, info, "test-hook", nil)
 	})
 }
 
@@ -567,8 +722,8 @@
 		// Verify that both hooks have now been loaded, and that neither have any
 		// associated plugs.
 		c.Check(info.Hooks, HasLen, 2)
-		verifyImplicitHook(c, info, "foo")
-		verifyImplicitHook(c, info, "bar")
+		verifyImplicitHook(c, info, "foo", nil)
+		verifyImplicitHook(c, info, "bar", nil)
 	})
 }
 
@@ -581,7 +736,7 @@
 	s.checkInstalledSnapAndSnapFile(c, yaml, "SNAP", []string{"foo", "bar"}, func(c *C, info *snap.Info) {
 		// Verify that only foo has been loaded, not bar
 		c.Check(info.Hooks, HasLen, 1)
-		verifyImplicitHook(c, info, "foo")
+		verifyImplicitHook(c, info, "foo", nil)
 	})
 }
 
@@ -597,16 +752,125 @@
 		// no associated plugs. Also verify that the `explicit` hook is still
 		// valid.
 		c.Check(info.Hooks, HasLen, 2)
-		verifyImplicitHook(c, info, "implicit")
+		verifyImplicitHook(c, info, "implicit", nil)
 		verifyExplicitHook(c, info, "explicit", []string{"test-plug"}, []string{"test-slot"})
 	})
 }
 
-func verifyImplicitHook(c *C, info *snap.Info, hookName string) {
+func (s *infoSuite) TestReadInfoExplicitHooks(c *C) {
+	yaml := `name: foo
+version: 1.0
+plugs:
+  test-plug:
+slots:
+  test-slot:
+hooks:
+  explicit:
+`
+	s.checkInstalledSnapAndSnapFile(c, yaml, "SNAP", []string{"explicit"}, func(c *C, info *snap.Info) {
+		c.Check(info.Hooks, HasLen, 1)
+		verifyExplicitHook(c, info, "explicit", []string{"test-plug"}, []string{"test-slot"})
+	})
+}
+
+func (s *infoSuite) TestReadInfoImplicitHookWithTopLevelPlugSlots(c *C) {
+	yaml := `name: foo
+version: 1.0
+plugs:
+  test-plug:
+slots:
+  test-slot:
+hooks:
+  explicit:
+    plugs: [test-plug,other-plug]
+    slots: [test-slot,other-slot]
+`
+
+	yaml2 := `name: foo
+version: 1.0
+plugs:
+  test-plug:
+slots:
+  test-slot:
+`
+	s.checkInstalledSnapAndSnapFile(c, yaml, "SNAP", []string{"implicit"}, func(c *C, info *snap.Info) {
+		c.Check(info.Hooks, HasLen, 2)
+		implicitHook := info.Hooks["implicit"]
+		c.Assert(implicitHook, NotNil)
+		c.Assert(implicitHook.Explicit, Equals, false)
+		c.Assert(implicitHook.Plugs, HasLen, 1)
+		c.Assert(implicitHook.Slots, HasLen, 1)
+
+		c.Check(info.Plugs, HasLen, 2)
+		c.Check(info.Slots, HasLen, 2)
+
+		plug := info.Plugs["test-plug"]
+		c.Assert(plug, NotNil)
+		c.Assert(implicitHook.Plugs["test-plug"], DeepEquals, plug)
+
+		slot := info.Slots["test-slot"]
+		c.Assert(slot, NotNil)
+		c.Assert(implicitHook.Slots["test-slot"], DeepEquals, slot)
+
+		explicitHook := info.Hooks["explicit"]
+		c.Assert(explicitHook, NotNil)
+		c.Assert(explicitHook.Explicit, Equals, true)
+		c.Assert(explicitHook.Plugs, HasLen, 2)
+		c.Assert(explicitHook.Slots, HasLen, 2)
+
+		plug = info.Plugs["test-plug"]
+		c.Assert(plug, NotNil)
+		c.Assert(explicitHook.Plugs["test-plug"], DeepEquals, plug)
+
+		slot = info.Slots["test-slot"]
+		c.Assert(slot, NotNil)
+		c.Assert(explicitHook.Slots["test-slot"], DeepEquals, slot)
+	})
+
+	s.checkInstalledSnapAndSnapFile(c, yaml2, "SNAP", []string{"implicit"}, func(c *C, info *snap.Info) {
+		c.Check(info.Hooks, HasLen, 1)
+		implicitHook := info.Hooks["implicit"]
+		c.Assert(implicitHook, NotNil)
+		c.Assert(implicitHook.Explicit, Equals, false)
+		c.Assert(implicitHook.Plugs, HasLen, 1)
+		c.Assert(implicitHook.Slots, HasLen, 1)
+
+		c.Check(info.Plugs, HasLen, 1)
+		c.Check(info.Slots, HasLen, 1)
+
+		plug := info.Plugs["test-plug"]
+		c.Assert(plug, NotNil)
+		c.Assert(implicitHook.Plugs["test-plug"], DeepEquals, plug)
+
+		slot := info.Slots["test-slot"]
+		c.Assert(slot, NotNil)
+		c.Assert(implicitHook.Slots["test-slot"], DeepEquals, slot)
+	})
+
+}
+
+func verifyImplicitHook(c *C, info *snap.Info, hookName string, plugNames []string) {
 	hook := info.Hooks[hookName]
 	c.Assert(hook, NotNil, Commentf("Expected hooks to contain %q", hookName))
 	c.Check(hook.Name, Equals, hookName)
-	c.Check(hook.Plugs, IsNil)
+
+	if len(plugNames) == 0 {
+		c.Check(hook.Plugs, IsNil)
+	}
+
+	for _, plugName := range plugNames {
+		// Verify that the HookInfo and PlugInfo point to each other
+		plug := hook.Plugs[plugName]
+		c.Assert(plug, NotNil, Commentf("Expected hook plugs to contain %q", plugName))
+		c.Check(plug.Name, Equals, plugName)
+		c.Check(plug.Hooks, HasLen, 1)
+		hook = plug.Hooks[hookName]
+		c.Assert(hook, NotNil, Commentf("Expected plug to be associated with hook %q", hookName))
+		c.Check(hook.Name, Equals, hookName)
+
+		// Verify also that the hook plug made it into info.Plugs
+		c.Check(info.Plugs[plugName], DeepEquals, plug)
+	}
 }
 
 func verifyExplicitHook(c *C, info *snap.Info, hookName string, plugNames []string, slotNames []string) {
@@ -674,6 +938,34 @@
 	c.Check(info.XdgRuntimeDirs(), Equals, "/run/user/*/snap.name")
 }
 
+func (s *infoSuite) TestMinimalInfoDirAndFileMethodsParallelInstall(c *C) {
+	dirs.SetRootDir("")
+	info := snap.MinimalPlaceInfo("name_instance", snap.R("1"))
+	s.testInstanceDirAndFileMethods(c, info)
+}
+
+func (s *infoSuite) TestDirAndFileMethodsParallelInstall(c *C) {
+	dirs.SetRootDir("")
+	info := &snap.Info{SuggestedName: "name", InstanceKey: "instance"}
+	info.SideInfo = snap.SideInfo{Revision: snap.R(1)}
+	s.testInstanceDirAndFileMethods(c, info)
+}
+
+func (s *infoSuite) testInstanceDirAndFileMethods(c *C, info snap.PlaceInfo) {
+	c.Check(info.MountDir(), Equals, fmt.Sprintf("%s/name_instance/1", dirs.SnapMountDir))
+	c.Check(info.MountFile(), Equals, "/var/lib/snapd/snaps/name_instance_1.snap")
+	c.Check(info.HooksDir(), Equals, fmt.Sprintf("%s/name_instance/1/meta/hooks", dirs.SnapMountDir))
+	c.Check(info.DataDir(), Equals, "/var/snap/name_instance/1")
+	c.Check(info.UserDataDir("/home/bob"), Equals, "/home/bob/snap/name_instance/1")
+	c.Check(info.UserCommonDataDir("/home/bob"), Equals, "/home/bob/snap/name_instance/common")
+	c.Check(info.CommonDataDir(), Equals, "/var/snap/name_instance/common")
+	c.Check(info.UserXdgRuntimeDir(12345), Equals, "/run/user/12345/snap.name_instance")
+	// XXX: Those are actually a globs, not directories
+	c.Check(info.DataHomeDir(), Equals, "/home/*/snap/name_instance/1")
+	c.Check(info.CommonDataHomeDir(), Equals, "/home/*/snap/name_instance/common")
+	c.Check(info.XdgRuntimeDirs(), Equals, "/run/user/*/snap.name_instance")
+}
+
 func makeFakeDesktopFile(c *C, name, content string) string {
 	df := filepath.Join(dirs.SnapDesktopFilesDir, name)
 	err := os.MkdirAll(filepath.Dir(df), 0755)
@@ -688,9 +980,16 @@
 	snapInfo, err := snap.ReadInfo("sample", &snap.SideInfo{})
 	c.Assert(err, IsNil)
 
-	c.Check(snapInfo.Name(), Equals, "sample")
+	c.Check(snapInfo.InstanceName(), Equals, "sample")
 	c.Check(snapInfo.Apps["app"].DesktopFile(), Matches, `.*/var/lib/snapd/desktop/applications/sample_app.desktop`)
 	c.Check(snapInfo.Apps["sample"].DesktopFile(), Matches, `.*/var/lib/snapd/desktop/applications/sample_sample.desktop`)
+
+	// snap with instance key
+	snapInfo.InstanceKey = "instance"
+	c.Check(snapInfo.InstanceName(), Equals, "sample_instance")
+	c.Check(snapInfo.Apps["app"].DesktopFile(), Matches, `.*/var/lib/snapd/desktop/applications/sample_instance_app.desktop`)
+	c.Check(snapInfo.Apps["sample"].DesktopFile(), Matches, `.*/var/lib/snapd/desktop/applications/sample_instance_sample.desktop`)
+
 }
 
 const coreSnapYaml = `name: core
@@ -759,6 +1058,18 @@
 		"snap.pans.svc1.service",
 		"snap.pans.svc2.service",
 	})
+
+	// snap with instance
+	info.InstanceKey = "instance"
+	svcNames = []string{}
+	for i := range info.Services() {
+		svcNames = append(svcNames, svcs[i].ServiceName())
+	}
+	sort.Strings(svcNames)
+	c.Check(svcNames, DeepEquals, []string{
+		"snap.pans_instance.svc1.service",
+		"snap.pans_instance.svc2.service",
+	})
 }
 
 func (s *infoSuite) TestAppInfoIsService(c *C) {
@@ -781,6 +1092,21 @@
 	c.Check(info.Apps["svc2"].IsService(), Equals, true)
 	c.Check(info.Apps["app1"].IsService(), Equals, false)
 	c.Check(info.Apps["app1"].IsService(), Equals, false)
+
+	// snap with instance key
+	info.InstanceKey = "instance"
+	c.Check(svc.ServiceName(), Equals, "snap.pans_instance.svc1.service")
+	c.Check(svc.ServiceFile(), Equals, dirs.GlobalRootDir+"/etc/systemd/system/snap.pans_instance.svc1.service")
+}
+
+func (s *infoSuite) TestAppInfoStringer(c *C) {
+	info, err := snap.InfoFromSnapYaml([]byte(`name: asnap
+apps:
+  one:
+   daemon: simple
+`))
+	c.Assert(err, IsNil)
+	c.Check(fmt.Sprintf("%q", info.Apps["one"].String()), Equals, `"asnap.one"`)
 }
 
 func (s *infoSuite) TestSocketFile(c *C) {
@@ -798,6 +1124,10 @@
 	app := info.Apps["app1"]
 	socket := app.Sockets["sock1"]
 	c.Check(socket.File(), Equals, dirs.GlobalRootDir+"/etc/systemd/system/snap.pans.app1.sock1.socket")
+
+	// snap with instance key
+	info.InstanceKey = "instance"
+	c.Check(socket.File(), Equals, dirs.GlobalRootDir+"/etc/systemd/system/snap.pans_instance.app1.sock1.socket")
 }
 
 func (s *infoSuite) TestTimerFile(c *C) {
@@ -814,6 +1144,10 @@
 	timerFile := app.Timer.File()
 	c.Check(timerFile, Equals, dirs.GlobalRootDir+"/etc/systemd/system/snap.pans.app1.timer")
 	c.Check(strings.TrimSuffix(app.ServiceFile(), ".service")+".timer", Equals, timerFile)
+
+	// snap with instance key
+	info.InstanceKey = "instance"
+	c.Check(app.Timer.File(), Equals, dirs.GlobalRootDir+"/etc/systemd/system/snap.pans_instance.app1.timer")
 }
 
 func (s *infoSuite) TestLayoutParsing(c *C) {
@@ -900,6 +1234,69 @@
 	c.Check(slot.Attr("key", intVal), ErrorMatches, `internal error: cannot get "key" attribute of interface "interface" with non-pointer value`)
 }
 
+func (s *infoSuite) TestDottedPathSlot(c *C) {
+	attrs := map[string]interface{}{
+		"nested": map[string]interface{}{
+			"foo": "bar",
+		},
+	}
+
+	slot := &snap.SlotInfo{Attrs: attrs}
+	c.Assert(slot, NotNil)
+
+	v, ok := slot.Lookup("nested.foo")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, Equals, "bar")
+
+	v, ok = slot.Lookup("nested")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, DeepEquals, map[string]interface{}{
+		"foo": "bar",
+	})
+
+	_, ok = slot.Lookup("x")
+	c.Assert(ok, Equals, false)
+
+	_, ok = slot.Lookup("..")
+	c.Assert(ok, Equals, false)
+
+	_, ok = slot.Lookup("nested.foo.x")
+	c.Assert(ok, Equals, false)
+
+	_, ok = slot.Lookup("nested.x")
+	c.Assert(ok, Equals, false)
+}
+
+func (s *infoSuite) TestDottedPathPlug(c *C) {
+	attrs := map[string]interface{}{
+		"nested": map[string]interface{}{
+			"foo": "bar",
+		},
+	}
+
+	plug := &snap.PlugInfo{Attrs: attrs}
+	c.Assert(plug, NotNil)
+
+	v, ok := plug.Lookup("nested")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, DeepEquals, map[string]interface{}{
+		"foo": "bar",
+	})
+
+	v, ok = plug.Lookup("nested.foo")
+	c.Assert(ok, Equals, true)
+	c.Assert(v, Equals, "bar")
+
+	_, ok = plug.Lookup("x")
+	c.Assert(ok, Equals, false)
+
+	_, ok = plug.Lookup("..")
+	c.Assert(ok, Equals, false)
+
+	_, ok = plug.Lookup("nested.foo.x")
+	c.Assert(ok, Equals, false)
+}
+
 func (s *infoSuite) TestExpandSnapVariables(c *C) {
 	dirs.SetRootDir("")
 	info, err := snap.InfoFromSnapYaml([]byte(`name: foo`))
@@ -909,4 +1306,294 @@
 	c.Assert(info.ExpandSnapVariables("$SNAP_DATA/stuff"), Equals, "/var/snap/foo/42/stuff")
 	c.Assert(info.ExpandSnapVariables("$SNAP_COMMON/stuff"), Equals, "/var/snap/foo/common/stuff")
 	c.Assert(info.ExpandSnapVariables("$GARBAGE/rocks"), Equals, "/rocks")
+
+	info.InstanceKey = "instance"
+	// Despite setting the instance key the variables expand to the same
+	// value as before. This is because they are used from inside the mount
+	// namespace of the instantiated snap where the mount backend will
+	// ensure that the regular (non-instance) paths contain
+	// instance-specific code and data.
+	c.Assert(info.ExpandSnapVariables("$SNAP/stuff"), Equals, "/snap/foo/42/stuff")
+	c.Assert(info.ExpandSnapVariables("$SNAP_DATA/stuff"), Equals, "/var/snap/foo/42/stuff")
+	c.Assert(info.ExpandSnapVariables("$SNAP_COMMON/stuff"), Equals, "/var/snap/foo/common/stuff")
+	c.Assert(info.ExpandSnapVariables("$GARBAGE/rocks"), Equals, "/rocks")
+}
+
+func (s *infoSuite) TestStopModeTypeKillMode(c *C) {
+	for _, t := range []struct {
+		stopMode string
+		killall  bool
+	}{
+		{"", true},
+		{"sigterm", false},
+		{"sigterm-all", true},
+		{"sighup", false},
+		{"sighup-all", true},
+		{"sigusr1", false},
+		{"sigusr1-all", true},
+		{"sigusr2", false},
+		{"sigusr2-all", true},
+	} {
+		c.Check(snap.StopModeType(t.stopMode).KillAll(), Equals, t.killall, Commentf("wrong KillAll for %v", t.stopMode))
+	}
+}
+
+func (s *infoSuite) TestStopModeTypeKillSignal(c *C) {
+	for _, t := range []struct {
+		stopMode string
+		killSig  string
+	}{
+		{"", ""},
+		{"sigterm", "SIGTERM"},
+		{"sigterm-all", "SIGTERM"},
+		{"sighup", "SIGHUP"},
+		{"sighup-all", "SIGHUP"},
+		{"sigusr1", "SIGUSR1"},
+		{"sigusr1-all", "SIGUSR1"},
+		{"sigusr2", "SIGUSR2"},
+		{"sigusr2-all", "SIGUSR2"},
+	} {
+		c.Check(snap.StopModeType(t.stopMode).KillSignal(), Equals, t.killSig)
+	}
+}
+
+func (s *infoSuite) TestSplitInstanceName(c *C) {
+	snapName, instanceKey := snap.SplitInstanceName("foo_bar")
+	c.Check(snapName, Equals, "foo")
+	c.Check(instanceKey, Equals, "bar")
+
+	snapName, instanceKey = snap.SplitInstanceName("foo")
+	c.Check(snapName, Equals, "foo")
+	c.Check(instanceKey, Equals, "")
+
+	// all following instance names are invalid
+
+	snapName, instanceKey = snap.SplitInstanceName("_bar")
+	c.Check(snapName, Equals, "")
+	c.Check(instanceKey, Equals, "bar")
+
+	snapName, instanceKey = snap.SplitInstanceName("foo___bar_bar")
+	c.Check(snapName, Equals, "foo")
+	c.Check(instanceKey, Equals, "__bar_bar")
+
+	snapName, instanceKey = snap.SplitInstanceName("")
+	c.Check(snapName, Equals, "")
+	c.Check(instanceKey, Equals, "")
+}
+
+func (s *infoSuite) TestInstanceSnapName(c *C) {
+	c.Check(snap.InstanceSnap("foo_bar"), Equals, "foo")
+	c.Check(snap.InstanceSnap("foo"), Equals, "foo")
+
+	c.Check(snap.InstanceName("foo", "bar"), Equals, "foo_bar")
+	c.Check(snap.InstanceName("foo", ""), Equals, "foo")
+}
+
+func (s *infoSuite) TestInstanceNameInSnapInfo(c *C) {
+	info := &snap.Info{
+		SuggestedName: "snap-name",
+		InstanceKey:   "foo",
+	}
+
+	c.Check(info.InstanceName(), Equals, "snap-name_foo")
+	c.Check(info.SnapName(), Equals, "snap-name")
+
+	info.InstanceKey = ""
+	c.Check(info.InstanceName(), Equals, "snap-name")
+	c.Check(info.SnapName(), Equals, "snap-name")
+}
+
+func (s *infoSuite) TestIsActive(c *C) {
+	info1 := snaptest.MockSnap(c, sampleYaml, &snap.SideInfo{Revision: snap.R(1)})
+	info2 := snaptest.MockSnap(c, sampleYaml, &snap.SideInfo{Revision: snap.R(2)})
+	// no current -> not active
+	c.Check(info1.IsActive(), Equals, false)
+	c.Check(info2.IsActive(), Equals, false)
+
+	mountdir := info1.MountDir()
+	dir, rev := filepath.Split(mountdir)
+	c.Assert(os.MkdirAll(dir, 0755), IsNil)
+	cur := filepath.Join(dir, "current")
+	c.Assert(os.Symlink(rev, cur), IsNil)
+
+	// is current -> is active
+	c.Check(info1.IsActive(), Equals, true)
+	c.Check(info2.IsActive(), Equals, false)
+}
+
+func (s *infoSuite) TestDirAndFileHelpers(c *C) {
+	dirs.SetRootDir("")
+
+	c.Check(snap.MountDir("name", snap.R(1)), Equals, fmt.Sprintf("%s/name/1", dirs.SnapMountDir))
+	c.Check(snap.MountFile("name", snap.R(1)), Equals, "/var/lib/snapd/snaps/name_1.snap")
+	c.Check(snap.HooksDir("name", snap.R(1)), Equals, fmt.Sprintf("%s/name/1/meta/hooks", dirs.SnapMountDir))
+	c.Check(snap.DataDir("name", snap.R(1)), Equals, "/var/snap/name/1")
+	c.Check(snap.CommonDataDir("name"), Equals, "/var/snap/name/common")
+	c.Check(snap.UserDataDir("/home/bob", "name", snap.R(1)), Equals, "/home/bob/snap/name/1")
+	c.Check(snap.UserCommonDataDir("/home/bob", "name"), Equals, "/home/bob/snap/name/common")
+	c.Check(snap.UserXdgRuntimeDir(12345, "name"), Equals, "/run/user/12345/snap.name")
+	c.Check(snap.UserSnapDir("/home/bob", "name"), Equals, "/home/bob/snap/name")
+
+	c.Check(snap.MountDir("name_instance", snap.R(1)), Equals, fmt.Sprintf("%s/name_instance/1", dirs.SnapMountDir))
+	c.Check(snap.MountFile("name_instance", snap.R(1)), Equals, "/var/lib/snapd/snaps/name_instance_1.snap")
+	c.Check(snap.HooksDir("name_instance", snap.R(1)), Equals, fmt.Sprintf("%s/name_instance/1/meta/hooks", dirs.SnapMountDir))
+	c.Check(snap.DataDir("name_instance", snap.R(1)), Equals, "/var/snap/name_instance/1")
+	c.Check(snap.CommonDataDir("name_instance"), Equals, "/var/snap/name_instance/common")
+	c.Check(snap.UserDataDir("/home/bob", "name_instance", snap.R(1)), Equals, "/home/bob/snap/name_instance/1")
+	c.Check(snap.UserCommonDataDir("/home/bob", "name_instance"), Equals, "/home/bob/snap/name_instance/common")
+	c.Check(snap.UserXdgRuntimeDir(12345, "name_instance"), Equals, "/run/user/12345/snap.name_instance")
+	c.Check(snap.UserSnapDir("/home/bob", "name_instance"), Equals, "/home/bob/snap/name_instance")
+}
+
+func (s *infoSuite) TestSortByType(c *C) {
+	infos := []*snap.Info{
+		{SuggestedName: "app1", Type: "app"},
+		{SuggestedName: "os1", Type: "os"},
+		{SuggestedName: "base1", Type: "base"},
+		{SuggestedName: "gadget1", Type: "gadget"},
+		{SuggestedName: "kernel1", Type: "kernel"},
+		{SuggestedName: "app2", Type: "app"},
+		{SuggestedName: "os2", Type: "os"},
+		{SuggestedName: "snapd", Type: "snapd"},
+		{SuggestedName: "base2", Type: "base"},
+		{SuggestedName: "gadget2", Type: "gadget"},
+		{SuggestedName: "kernel2", Type: "kernel"},
+	}
+	sort.Stable(snap.ByType(infos))
+
+	c.Check(infos, DeepEquals, []*snap.Info{
+		{SuggestedName: "snapd", Type: "snapd"},
+		{SuggestedName: "os1", Type: "os"},
+		{SuggestedName: "os2", Type: "os"},
+		{SuggestedName: "kernel1", Type: "kernel"},
+		{SuggestedName: "kernel2", Type: "kernel"},
+		{SuggestedName: "base1", Type: "base"},
+		{SuggestedName: "base2", Type: "base"},
+		{SuggestedName: "gadget1", Type: "gadget"},
+		{SuggestedName: "gadget2", Type: "gadget"},
+		{SuggestedName: "app1", Type: "app"},
+		{SuggestedName: "app2", Type: "app"},
+	})
+}
+
+func (s *infoSuite) TestSortByTypeAgain(c *C) {
+	core := &snap.Info{Type: snap.TypeOS}
+	base := &snap.Info{Type: snap.TypeBase}
+	app := &snap.Info{Type: snap.TypeApp}
+	snapd := &snap.Info{}
+	snapd.SideInfo = snap.SideInfo{RealName: "snapd"}
+
+	byType := func(snaps ...*snap.Info) []*snap.Info {
+		sort.Stable(snap.ByType(snaps))
+		return snaps
+	}
+
+	c.Check(byType(base, core), DeepEquals, []*snap.Info{core, base})
+	c.Check(byType(app, core), DeepEquals, []*snap.Info{core, app})
+	c.Check(byType(app, base), DeepEquals, []*snap.Info{base, app})
+	c.Check(byType(app, base, core), DeepEquals, []*snap.Info{core, base, app})
+	c.Check(byType(app, core, base), DeepEquals, []*snap.Info{core, base, app})
+
+	c.Check(byType(app, core, base, snapd), DeepEquals, []*snap.Info{snapd, core, base, app})
+	c.Check(byType(app, snapd, core, base), DeepEquals, []*snap.Info{snapd, core, base, app})
+}
+
+func (s *infoSuite) TestMedia(c *C) {
+	c.Check(snap.MediaInfos{}.Screenshots(), HasLen, 0)
+	c.Check(snap.MediaInfos{}.IconURL(), Equals, "")
+
+	media := snap.MediaInfos{
+		{
+			Type: "screenshot",
+			URL:  "https://example.com/shot1.svg",
+		}, {
+			Type: "icon",
+			URL:  "https://example.com/icon.png",
+		}, {
+			Type:   "screenshot",
+			URL:    "https://example.com/shot2.svg",
+			Width:  42,
+			Height: 17,
+		},
+	}
+
+	c.Check(media.IconURL(), Equals, "https://example.com/icon.png")
+	c.Check(media.Screenshots(), DeepEquals, []snap.ScreenshotInfo{
+		{
+			URL:  "https://example.com/shot1.svg",
+			Note: snap.ScreenshotsDeprecationNotice,
+		}, {
+			URL:    "https://example.com/shot2.svg",
+			Width:  42,
+			Height: 17,
+			Note:   snap.ScreenshotsDeprecationNotice,
+		},
+	})
+}
+
+func (s *infoSuite) TestSortApps(c *C) {
+	tcs := []struct {
+		err    string
+		apps   []*snap.AppInfo
+		sorted []string
+	}{{
+		apps: []*snap.AppInfo{
+			{Name: "bar", Before: []string{"baz"}},
+			{Name: "baz", After: []string{"bar", "foo"}},
+			{Name: "foo"},
+		},
+		sorted: []string{"bar", "foo", "baz"},
+	}, {
+		apps: []*snap.AppInfo{
+			{Name: "foo", After: []string{"bar", "zed"}},
+			{Name: "bar", Before: []string{"foo"}},
+			{Name: "baz", After: []string{"foo"}},
+			{Name: "zed"},
+		},
+		sorted: []string{"bar", "zed", "foo", "baz"},
+	}, {
+		apps: []*snap.AppInfo{
+			{Name: "foo", After: []string{"baz"}},
+			{Name: "bar", Before: []string{"baz"}},
+			{Name: "baz"},
+			{Name: "zed", After: []string{"foo", "bar", "baz"}},
+		},
+		sorted: []string{"bar", "baz", "foo", "zed"},
+	}, {
+		apps: []*snap.AppInfo{
+			{Name: "foo", Before: []string{"bar"}, After: []string{"zed"}},
+			{Name: "bar", Before: []string{"baz"}},
+			{Name: "baz", Before: []string{"zed"}},
+			{Name: "zed"},
+		},
+		err: `applications are part of a before/after cycle: ((foo|bar|baz|zed)(, )?){4}`,
+	}, {
+		apps: []*snap.AppInfo{
+			{Name: "foo", Before: []string{"bar"}},
+			{Name: "bar", Before: []string{"foo"}},
+			{Name: "baz", Before: []string{"foo"}, After: []string{"bar"}},
+		},
+		err: `applications are part of a before/after cycle: ((foo|bar|baz)(, )?){3}`,
+	}, {
+		apps: []*snap.AppInfo{
+			{Name: "baz", After: []string{"bar"}},
+			{Name: "foo"},
+			{Name: "bar", After: []string{"foo"}},
+		},
+		sorted: []string{"foo", "bar", "baz"},
+	}}
+	for _, tc := range tcs {
+		sorted, err := snap.SortServices(tc.apps)
+		if tc.err != "" {
+			c.Assert(err, ErrorMatches, tc.err)
+		} else {
+			c.Assert(err, IsNil)
+			c.Assert(sorted, HasLen, len(tc.sorted))
+			sortedNames := make([]string, len(sorted))
+			for i, app := range sorted {
+				sortedNames[i] = app.Name
+			}
+			c.Assert(sortedNames, DeepEquals, tc.sorted)
+		}
+	}
 }
diff -Nru snapd-2.32.3.2~14.04/snap/pack/export_test.go snapd-2.37~rc1~14.04/snap/pack/export_test.go
--- snapd-2.32.3.2~14.04/snap/pack/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/pack/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,7 +20,5 @@
 package pack
 
 var (
-	CopyToBuildDir       = copyToBuildDir
-	ShouldExcludeDynamic = shouldExcludeDynamic
-	DebArchitecture      = debArchitecture
+	DebArchitecture = debArchitecture
 )
diff -Nru snapd-2.32.3.2~14.04/snap/pack/pack.go snapd-2.37~rc1~14.04/snap/pack/pack.go
--- snapd-2.32.3.2~14.04/snap/pack/pack.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/pack/pack.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,116 +20,66 @@
 package pack
 
 import (
-	"bufio"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"os"
 	"path/filepath"
-	"regexp"
-	"strings"
-	"syscall"
 
 	"github.com/snapcore/snapd/logger"
-	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/osutil/sys"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snapdir"
 	"github.com/snapcore/snapd/snap/squashfs"
 )
 
+// this could be shipped as a file like "info", and save on the memory and the
+// overhead of creating and removing the tempfile, but on darwin we can't AFAIK
+// easily know where it's been placed. As it's not really that big, just
+// shipping it in memory seems fine for now.
 // from click's click.build.ClickBuilderBase, and there from
 // @Dpkg::Source::Package::tar_ignore_default_pattern;
-// changed to regexps from globs for sanity (hah)
+// changed to match squashfs's "-wildcards" syntax
 //
-// Please resist the temptation of optimizing the regexp by grouping
-// things by hand. People will find it unreadable enough as it is.
-var shouldExcludeDefault = regexp.MustCompile(strings.Join([]string{
-	`\.snap$`, // added
-	`\.click$`,
-	`^\..*\.sw.$`,
-	`~$`,
-	`^,,`,
-	`^\.[#~]`,
-	`^\.arch-ids$`,
-	`^\.arch-inventory$`,
-	`^\.bzr$`,
-	`^\.bzr-builddeb$`,
-	`^\.bzr\.backup$`,
-	`^\.bzr\.tags$`,
-	`^\.bzrignore$`,
-	`^\.cvsignore$`,
-	`^\.git$`,
-	`^\.gitattributes$`,
-	`^\.gitignore$`,
-	`^\.gitmodules$`,
-	`^\.hg$`,
-	`^\.hgignore$`,
-	`^\.hgsigs$`,
-	`^\.hgtags$`,
-	`^\.shelf$`,
-	`^\.svn$`,
-	`^CVS$`,
-	`^DEADJOE$`,
-	`^RCS$`,
-	`^_MTN$`,
-	`^_darcs$`,
-	`^{arch}$`,
-	`^\.snapignore$`,
-}, "|")).MatchString
-
-// fake static function variables
-type keep struct {
-	basedir string
-	exclude func(string) bool
-}
-
-func (k *keep) shouldExclude(basedir string, file string) bool {
-	if basedir == k.basedir {
-		if k.exclude == nil {
-			return false
-		}
-
-		return k.exclude(file)
-	}
-
-	k.basedir = basedir
-	k.exclude = nil
-
-	snapignore, err := os.Open(filepath.Join(basedir, ".snapignore"))
-	if err != nil {
-		return false
-	}
-
-	scanner := bufio.NewScanner(snapignore)
-	var lines []string
-	for scanner.Scan() {
-		line := scanner.Text()
-		if _, err := regexp.Compile(line); err != nil {
-			// not a regexp
-			line = regexp.QuoteMeta(line)
-		}
-		lines = append(lines, line)
-	}
-
-	fullRegex := strings.Join(lines, "|")
-	exclude, err := regexp.Compile(fullRegex)
-	if err == nil {
-		k.exclude = exclude.MatchString
-
-		return k.exclude(file)
-	}
-
-	// can't happen; can't even find a way to trigger it in testing.
-	panic(fmt.Sprintf("internal error: composition of valid regexps is invalid?!? Please report this bug: %#v", fullRegex))
-}
+// for anchored vs non-anchored syntax see RELEASE_README in squashfs-tools.
+const excludesContent = `
+# "anchored", only match at top level
+DEBIAN
+.arch-ids
+.arch-inventory
+.bzr
+.bzr-builddeb
+.bzr.backup
+.bzr.tags
+.bzrignore
+.cvsignore
+.git
+.gitattributes
+.gitignore
+.gitmodules
+.hg
+.hgignore
+.hgsigs
+.hgtags
+.shelf
+.svn
+CVS
+DEADJOE
+RCS
+_MTN
+_darcs
+{arch}
+.snapignore
+
+# "non-anchored", match anywhere
+... .[#~]*
+... *.snap
+... *.click
+... .*.sw?
+... *~
+... ,,*
+`
 
-var shouldExcludeDynamic = new(keep).shouldExclude
-
-func shouldExclude(basedir string, file string) bool {
-	return shouldExcludeDefault(file) || shouldExcludeDynamic(basedir, file)
-}
-
-// small helper that return the architecture or "multi" if its multiple arches
+// small helper that returns the architecture of the snap, or "multi" if it's multiple arches
 func debArchitecture(info *snap.Info) string {
 	switch len(info.Architectures) {
 	case 0:
@@ -141,134 +91,99 @@
 	}
 }
 
-func copyToBuildDir(sourceDir, buildDir string) error {
-	sourceDir, err := filepath.Abs(sourceDir)
+// CheckSkeleton attempts to validate snap data in source directory
+func CheckSkeleton(sourceDir string) error {
+	_, err := loadAndValidate(sourceDir)
+	return err
+}
+
+func loadAndValidate(sourceDir string) (*snap.Info, error) {
+	// ensure we have valid content
+	yaml, err := ioutil.ReadFile(filepath.Join(sourceDir, "meta", "snap.yaml"))
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	err = os.Remove(buildDir)
-	if err != nil && !os.IsNotExist(err) {
-		// this shouldn't happen, but.
-		return err
+	info, err := snap.InfoFromSnapYaml(yaml)
+	if err != nil {
+		return nil, err
 	}
 
-	// no umask here so that we get the permissions correct
-	oldUmask := syscall.Umask(0)
-	defer syscall.Umask(oldUmask)
-
-	return filepath.Walk(sourceDir, func(path string, info os.FileInfo, errin error) (err error) {
-		if errin != nil {
-			return errin
-		}
-
-		relpath := path[len(sourceDir):]
-		if relpath == "/DEBIAN" || shouldExclude(sourceDir, filepath.Base(path)) {
-			if info.IsDir() {
-				return filepath.SkipDir
-			}
-			return nil
-		}
-
-		dest := filepath.Join(buildDir, relpath)
-
-		// handle dirs
-		if info.IsDir() {
-			if err := os.Mkdir(dest, info.Mode()); err != nil {
-				return err
-			}
-			// ensure that permissions are preserved
-			uid := sys.UserID(info.Sys().(*syscall.Stat_t).Uid)
-			gid := sys.GroupID(info.Sys().(*syscall.Stat_t).Gid)
-			return sys.ChownPath(dest, uid, gid)
-		}
-
-		// handle char/block devices
-		if osutil.IsDevice(info.Mode()) {
-			return osutil.CopySpecialFile(path, dest)
-		}
-
-		if (info.Mode() & os.ModeSymlink) != 0 {
-			target, err := os.Readlink(path)
-			if err != nil {
-				return err
-			}
-			return os.Symlink(target, dest)
-		}
-
-		// fail if its unsupported
-		if !info.Mode().IsRegular() {
-			return fmt.Errorf("cannot handle type of file %s", path)
-		}
+	if err := snap.Validate(info); err != nil {
+		return nil, fmt.Errorf("cannot validate snap %q: %v", info.InstanceName(), err)
+	}
 
-		// it's a file. Maybe we can link it?
-		if os.Link(path, dest) == nil {
-			// whee
-			return nil
-		}
-		// sigh. ok, copy it is.
-		return osutil.CopyFile(path, dest, osutil.CopyFlagDefault)
-	})
+	if err := snap.ValidateContainer(snapdir.New(sourceDir), info, logger.Noticef); err != nil {
+		return nil, err
+	}
+	return info, nil
 }
 
-func prepare(sourceDir, targetDir, buildDir string) (snapName string, err error) {
-	// ensure we have valid content
-	yaml, err := ioutil.ReadFile(filepath.Join(sourceDir, "meta", "snap.yaml"))
-	if err != nil {
-		return "", err
+func snapPath(info *snap.Info, targetDir, snapName string) string {
+	if snapName == "" {
+		snapName = fmt.Sprintf("%s_%s_%v.snap", info.InstanceName(), info.Version, debArchitecture(info))
+	}
+	if targetDir != "" && !filepath.IsAbs(snapName) {
+		snapName = filepath.Join(targetDir, snapName)
 	}
+	return snapName
+}
 
-	info, err := snap.InfoFromSnapYaml(yaml)
+func prepare(sourceDir, targetDir string) (*snap.Info, error) {
+	info, err := loadAndValidate(sourceDir)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
-	err = snap.Validate(info)
-	if err != nil {
-		return "", err
+	if targetDir != "" {
+		if err := os.MkdirAll(targetDir, 0755); err != nil {
+			return nil, err
+		}
 	}
 
-	err = snap.ValidateContainer(snapdir.New(sourceDir), info, logger.Noticef)
+	return info, nil
+}
+
+func excludesFile() (filename string, err error) {
+	tmpf, err := ioutil.TempFile("", ".snap-pack-exclude-")
 	if err != nil {
 		return "", err
 	}
 
-	if err := copyToBuildDir(sourceDir, buildDir); err != nil {
-		return "", err
+	// inspited by ioutil.WriteFile
+	n, err := tmpf.Write([]byte(excludesContent))
+	if err == nil && n < len(excludesContent) {
+		err = io.ErrShortWrite
 	}
 
-	// build the package
-	snapName = fmt.Sprintf("%s_%s_%v.snap", info.Name(), info.Version, debArchitecture(info))
+	if err1 := tmpf.Close(); err == nil {
+		err = err1
+	}
 
-	if targetDir != "" {
-		snapName = filepath.Join(targetDir, snapName)
-		if _, err := os.Stat(targetDir); os.IsNotExist(err) {
-			if err := os.MkdirAll(targetDir, 0755); err != nil {
-				return "", err
-			}
-		}
+	if err == nil {
+		filename = tmpf.Name()
 	}
 
-	return snapName, nil
+	return filename, err
 }
 
 // Snap the given sourceDirectory and return the generated
 // snap file
-func Snap(sourceDir, targetDir string) (string, error) {
-	// create build dir
-	buildDir, err := ioutil.TempDir("", "snappy-build-")
+func Snap(sourceDir, targetDir, snapName string) (string, error) {
+	info, err := prepare(sourceDir, targetDir)
 	if err != nil {
 		return "", err
 	}
-	defer os.RemoveAll(buildDir)
 
-	snapName, err := prepare(sourceDir, targetDir, buildDir)
+	excludes, err := excludesFile()
 	if err != nil {
 		return "", err
 	}
+	defer os.Remove(excludes)
 
+	snapName = snapPath(info, targetDir, snapName)
 	d := squashfs.New(snapName)
-	if err = d.Build(buildDir); err != nil {
+	if err = d.Build(sourceDir, string(info.Type), excludes); err != nil {
 		return "", err
 	}
 
diff -Nru snapd-2.32.3.2~14.04/snap/pack/pack_test.go snapd-2.37~rc1~14.04/snap/pack/pack_test.go
--- snapd-2.32.3.2~14.04/snap/pack/pack_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/pack/pack_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,15 +27,15 @@
 	"path/filepath"
 	"regexp"
 	"strings"
-	"syscall"
 	"testing"
 
+	. "gopkg.in/check.v1"
+
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/pack"
+	"github.com/snapcore/snapd/snap/squashfs"
 	"github.com/snapcore/snapd/testutil"
-
-	. "gopkg.in/check.v1"
 )
 
 func Test(t *testing.T) { TestingT(t) }
@@ -112,7 +112,7 @@
 func (s *packSuite) TestPackNoManifestFails(c *C) {
 	sourceDir := makeExampleSnapSourceDir(c, "{name: hello, version: 0}")
 	c.Assert(os.Remove(filepath.Join(sourceDir, "meta", "snap.yaml")), IsNil)
-	_, err := pack.Snap(sourceDir, "")
+	_, err := pack.Snap(sourceDir, "", "")
 	c.Assert(err, ErrorMatches, `.*/meta/snap\.yaml: no such file or directory`)
 }
 
@@ -124,44 +124,31 @@
   command: bin/hello-world
 `)
 	c.Assert(os.Remove(filepath.Join(sourceDir, "bin", "hello-world")), IsNil)
-	_, err := pack.Snap(sourceDir, "")
+	_, err := pack.Snap(sourceDir, "", "")
 	c.Assert(err, Equals, snap.ErrMissingPaths)
 }
 
-func (s *packSuite) TestCopyCopies(c *C) {
-	sourceDir := makeExampleSnapSourceDir(c, "{name: hello, version: 0}")
-	// actually this'll be on /tmp so it'll be a link
-	target := c.MkDir()
-	c.Assert(pack.CopyToBuildDir(sourceDir, target), IsNil)
-	out, err := exec.Command("diff", "-qrN", sourceDir, target).Output()
-	c.Check(err, IsNil)
-	c.Check(out, DeepEquals, []byte{})
-}
-
-func (s *packSuite) TestCopyActuallyCopies(c *C) {
-	sourceDir := makeExampleSnapSourceDir(c, "{name: hello, version: 0}")
-
-	// hoping to get the non-linking behaviour via /dev/shm
-	target, err := ioutil.TempDir("/dev/shm", "copy")
-	// sbuild environments won't allow writing to /dev/shm, so its
-	// ok to skip there
-	if os.IsPermission(err) {
-		c.Skip("/dev/shm is not writable for us")
-	}
-	c.Assert(err, IsNil)
-
-	c.Assert(pack.CopyToBuildDir(sourceDir, target), IsNil)
-	out, err := exec.Command("diff", "-qrN", sourceDir, target).Output()
-	c.Check(err, IsNil)
-	c.Check(out, DeepEquals, []byte{})
+func (s *packSuite) TestValidateMissingAppFailsWithErrMissingPaths(c *C) {
+	sourceDir := makeExampleSnapSourceDir(c, `name: hello
+version: 0
+apps:
+ foo:
+  command: bin/hello-world
+`)
+	c.Assert(os.Remove(filepath.Join(sourceDir, "bin", "hello-world")), IsNil)
+	err := pack.CheckSkeleton(sourceDir)
+	c.Assert(err, Equals, snap.ErrMissingPaths)
 }
 
-func (s *packSuite) TestCopyExcludesBackups(c *C) {
+func (s *packSuite) TestPackExcludesBackups(c *C) {
 	sourceDir := makeExampleSnapSourceDir(c, "{name: hello, version: 0}")
 	target := c.MkDir()
 	// add a backup file
 	c.Assert(ioutil.WriteFile(filepath.Join(sourceDir, "foo~"), []byte("hi"), 0755), IsNil)
-	c.Assert(pack.CopyToBuildDir(sourceDir, target), IsNil)
+	snapfile, err := pack.Snap(sourceDir, c.MkDir(), "")
+	c.Assert(err, IsNil)
+	c.Assert(squashfs.New(snapfile).Unpack("*", target), IsNil)
+
 	cmd := exec.Command("diff", "-qr", sourceDir, target)
 	cmd.Env = append(cmd.Env, "LANG=C")
 	out, err := cmd.Output()
@@ -169,14 +156,16 @@
 	c.Check(string(out), Matches, `(?m)Only in \S+: foo~`)
 }
 
-func (s *packSuite) TestCopyExcludesTopLevelDEBIAN(c *C) {
+func (s *packSuite) TestPackExcludesTopLevelDEBIAN(c *C) {
 	sourceDir := makeExampleSnapSourceDir(c, "{name: hello, version: 0}")
 	target := c.MkDir()
 	// add a toplevel DEBIAN
 	c.Assert(os.MkdirAll(filepath.Join(sourceDir, "DEBIAN", "foo"), 0755), IsNil)
 	// and a non-toplevel DEBIAN
 	c.Assert(os.MkdirAll(filepath.Join(sourceDir, "bar", "DEBIAN", "baz"), 0755), IsNil)
-	c.Assert(pack.CopyToBuildDir(sourceDir, target), IsNil)
+	snapfile, err := pack.Snap(sourceDir, c.MkDir(), "")
+	c.Assert(err, IsNil)
+	c.Assert(squashfs.New(snapfile).Unpack("*", target), IsNil)
 	cmd := exec.Command("diff", "-qr", sourceDir, target)
 	cmd.Env = append(cmd.Env, "LANG=C")
 	out, err := cmd.Output()
@@ -186,61 +175,30 @@
 	c.Check(strings.Count(string(out), "Only in"), Equals, 1)
 }
 
-func (s *packSuite) TestCopyExcludesWholeDirs(c *C) {
+func (s *packSuite) TestPackExcludesWholeDirs(c *C) {
 	sourceDir := makeExampleSnapSourceDir(c, "{name: hello, version: 0}")
 	target := c.MkDir()
 	// add a file inside a skipped dir
 	c.Assert(os.Mkdir(filepath.Join(sourceDir, ".bzr"), 0755), IsNil)
 	c.Assert(ioutil.WriteFile(filepath.Join(sourceDir, ".bzr", "foo"), []byte("hi"), 0755), IsNil)
-	c.Assert(pack.CopyToBuildDir(sourceDir, target), IsNil)
+	snapfile, err := pack.Snap(sourceDir, c.MkDir(), "")
+	c.Assert(err, IsNil)
+	c.Assert(squashfs.New(snapfile).Unpack("*", target), IsNil)
 	out, _ := exec.Command("find", sourceDir).Output()
 	c.Check(string(out), Not(Equals), "")
 	cmd := exec.Command("diff", "-qr", sourceDir, target)
 	cmd.Env = append(cmd.Env, "LANG=C")
-	out, err := cmd.Output()
+	out, err = cmd.Output()
 	c.Check(err, NotNil)
 	c.Check(string(out), Matches, `(?m)Only in \S+: \.bzr`)
 }
 
-func (s *packSuite) TestExcludeDynamicFalseIfNoSnapignore(c *C) {
-	basedir := c.MkDir()
-	c.Check(pack.ShouldExcludeDynamic(basedir, "foo"), Equals, false)
-}
-
-func (s *packSuite) TestExcludeDynamicWorksIfSnapignore(c *C) {
-	basedir := c.MkDir()
-	c.Assert(ioutil.WriteFile(filepath.Join(basedir, ".snapignore"), []byte("foo\nb.r\n"), 0644), IsNil)
-	c.Check(pack.ShouldExcludeDynamic(basedir, "foo"), Equals, true)
-	c.Check(pack.ShouldExcludeDynamic(basedir, "bar"), Equals, true)
-	c.Check(pack.ShouldExcludeDynamic(basedir, "bzr"), Equals, true)
-	c.Check(pack.ShouldExcludeDynamic(basedir, "baz"), Equals, false)
-}
-
-func (s *packSuite) TestExcludeDynamicWeirdRegexps(c *C) {
-	basedir := c.MkDir()
-	c.Assert(ioutil.WriteFile(filepath.Join(basedir, ".snapignore"), []byte("*hello\n"), 0644), IsNil)
-	// note "*hello" is not a valid regexp, so will be taken literally (not globbed!)
-	c.Check(pack.ShouldExcludeDynamic(basedir, "ahello"), Equals, false)
-	c.Check(pack.ShouldExcludeDynamic(basedir, "*hello"), Equals, true)
-}
-
 func (s *packSuite) TestDebArchitecture(c *C) {
 	c.Check(pack.DebArchitecture(&snap.Info{Architectures: []string{"foo"}}), Equals, "foo")
 	c.Check(pack.DebArchitecture(&snap.Info{Architectures: []string{"foo", "bar"}}), Equals, "multi")
 	c.Check(pack.DebArchitecture(&snap.Info{Architectures: nil}), Equals, "all")
 }
 
-func (s *packSuite) TestPackFailsForUnknownType(c *C) {
-	sourceDir := makeExampleSnapSourceDir(c, `name: hello
-version: 1.0.1
-`)
-	err := syscall.Mkfifo(filepath.Join(sourceDir, "fifo"), 0644)
-	c.Assert(err, IsNil)
-
-	_, err = pack.Snap(sourceDir, "")
-	c.Assert(err, ErrorMatches, "cannot handle type of file .*")
-}
-
 func (s *packSuite) TestPackSimple(c *C) {
 	sourceDir := makeExampleSnapSourceDir(c, `name: hello
 version: 1.0.1
@@ -250,55 +208,49 @@
   apparmor-profile: meta/hello.apparmor
 `)
 
-	resultSnap, err := pack.Snap(sourceDir, "")
-	c.Assert(err, IsNil)
-
-	// check that there is result
-	_, err = os.Stat(resultSnap)
-	c.Assert(err, IsNil)
-	c.Assert(resultSnap, Equals, "hello_1.0.1_multi.snap")
+	outputDir := filepath.Join(c.MkDir(), "output")
+	absSnapFile := filepath.Join(c.MkDir(), "foo.snap")
 
-	// check that the content looks sane
-	output, err := exec.Command("unsquashfs", "-ll", "hello_1.0.1_multi.snap").CombinedOutput()
-	c.Assert(err, IsNil)
-	for _, needle := range []string{
-		"meta/snap.yaml",
-		"bin/hello-world",
-		"symlink -> bin/hello-world",
-	} {
-		expr := fmt.Sprintf(`(?ms).*%s.*`, regexp.QuoteMeta(needle))
-		c.Assert(string(output), Matches, expr)
+	type T struct {
+		outputDir, filename, expected string
 	}
-}
-
-func (s *packSuite) TestPackSimpleOutputDir(c *C) {
-	sourceDir := makeExampleSnapSourceDir(c, `name: hello
-version: 1.0.1
-architectures: ["i386", "amd64"]
-integration:
- app:
-  apparmor-profile: meta/hello.apparmor
-`)
 
-	outputDir := filepath.Join(c.MkDir(), "output")
-	snapOutput := filepath.Join(outputDir, "hello_1.0.1_multi.snap")
-	resultSnap, err := pack.Snap(sourceDir, outputDir)
-	c.Assert(err, IsNil)
-
-	// check that there is result
-	_, err = os.Stat(resultSnap)
-	c.Assert(err, IsNil)
-	c.Assert(resultSnap, Equals, snapOutput)
+	table := []T{
+		// no output dir, no filename -> default in .
+		{"", "", "hello_1.0.1_multi.snap"},
+		// no output dir, relative filename -> filename in .
+		{"", "foo.snap", "foo.snap"},
+		// no putput dir, absolute filename -> absolute filename
+		{"", absSnapFile, absSnapFile},
+		// output dir, no filename -> default in outputdir
+		{outputDir, "", filepath.Join(outputDir, "hello_1.0.1_multi.snap")},
+		// output dir, relative filename -> filename in outputDir
+		{filepath.Join(outputDir, "inner"), "../foo.snap", filepath.Join(outputDir, "foo.snap")},
+		// output dir, absolute filename -> absolute filename
+		{outputDir, absSnapFile, absSnapFile},
+	}
 
-	// check that the content looks sane
-	output, err := exec.Command("unsquashfs", "-ll", resultSnap).CombinedOutput()
-	c.Assert(err, IsNil)
-	for _, needle := range []string{
-		"meta/snap.yaml",
-		"bin/hello-world",
-		"symlink -> bin/hello-world",
-	} {
-		expr := fmt.Sprintf(`(?ms).*%s.*`, regexp.QuoteMeta(needle))
-		c.Assert(string(output), Matches, expr)
+	for i, t := range table {
+		comm := Commentf("%d", i)
+		resultSnap, err := pack.Snap(sourceDir, t.outputDir, t.filename)
+		c.Assert(err, IsNil, comm)
+
+		// check that there is result
+		_, err = os.Stat(resultSnap)
+		c.Assert(err, IsNil, comm)
+		c.Assert(resultSnap, Equals, t.expected, comm)
+
+		// check that the content looks sane
+		output, err := exec.Command("unsquashfs", "-ll", resultSnap).CombinedOutput()
+		c.Assert(err, IsNil, comm)
+		for _, needle := range []string{
+			"meta/snap.yaml",
+			"bin/hello-world",
+			"symlink -> bin/hello-world",
+		} {
+			expr := fmt.Sprintf(`(?ms).*%s.*`, regexp.QuoteMeta(needle))
+			c.Assert(string(output), Matches, expr, comm)
+		}
 	}
+
 }
diff -Nru snapd-2.32.3.2~14.04/snap/restartcond.go snapd-2.37~rc1~14.04/snap/restartcond.go
--- snapd-2.32.3.2~14.04/snap/restartcond.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/restartcond.go	2019-01-16 08:36:51.000000000 +0000
@@ -33,6 +33,7 @@
 	RestartOnFailure  RestartCondition = "on-failure"
 	RestartOnAbnormal RestartCondition = "on-abnormal"
 	RestartOnAbort    RestartCondition = "on-abort"
+	RestartOnWatchdog RestartCondition = "on-watchdog"
 	RestartAlways     RestartCondition = "always"
 )
 
@@ -43,6 +44,7 @@
 	"on-failure":  RestartOnFailure,
 	"on-abnormal": RestartOnAbnormal,
 	"on-abort":    RestartOnAbort,
+	"on-watchdog": RestartOnWatchdog,
 	"always":      RestartAlways,
 }
 
diff -Nru snapd-2.32.3.2~14.04/snap/snapenv/snapenv.go snapd-2.37~rc1~14.04/snap/snapenv/snapenv.go
--- snapd-2.32.3.2~14.04/snap/snapenv/snapenv.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/snapenv/snapenv.go	2019-01-16 08:36:51.000000000 +0000
@@ -99,13 +99,20 @@
 		// shall *either* execute with the new mount namespace where snaps are
 		// always mounted on /snap OR it is a classically confined snap where
 		// /snap is a part of the distribution package.
-		"SNAP":          filepath.Join(dirs.CoreSnapMountDir, info.Name(), info.Revision.String()),
-		"SNAP_COMMON":   info.CommonDataDir(),
-		"SNAP_DATA":     info.DataDir(),
-		"SNAP_NAME":     info.Name(),
-		"SNAP_VERSION":  info.Version,
-		"SNAP_REVISION": info.Revision.String(),
-		"SNAP_ARCH":     arch.UbuntuArchitecture(),
+		//
+		// For parallel-installs the mount namespace setup is making the
+		// environment of each snap instance appear as if it's the only
+		// snap, i.e. SNAP paths point to the same locations within the
+		// mount namespace
+		"SNAP":               filepath.Join(dirs.CoreSnapMountDir, info.SnapName(), info.Revision.String()),
+		"SNAP_COMMON":        snap.CommonDataDir(info.SnapName()),
+		"SNAP_DATA":          snap.DataDir(info.SnapName(), info.Revision),
+		"SNAP_NAME":          info.SnapName(),
+		"SNAP_INSTANCE_NAME": info.InstanceName(),
+		"SNAP_INSTANCE_KEY":  info.InstanceKey,
+		"SNAP_VERSION":       info.Version,
+		"SNAP_REVISION":      info.Revision.String(),
+		"SNAP_ARCH":          arch.UbuntuArchitecture(),
 		// see https://github.com/snapcore/snapd/pull/2732#pullrequestreview-18827193
 		"SNAP_LIBRARY_PATH": "/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void",
 		"SNAP_REEXEC":       os.Getenv("SNAP_REEXEC"),
@@ -117,6 +124,8 @@
 // used by so many other modules, we run into circular dependencies if it's
 // somewhere more reasonable like the snappy module.
 func userEnv(info *snap.Info, home string) map[string]string {
+	// To keep things simple the user variables always point to the
+	// instance-specific directories.
 	result := map[string]string{
 		"SNAP_USER_COMMON": info.UserCommonDataDir(home),
 		"SNAP_USER_DATA":   info.UserDataDir(home),
diff -Nru snapd-2.32.3.2~14.04/snap/snapenv/snapenv_test.go snapd-2.37~rc1~14.04/snap/snapenv/snapenv_test.go
--- snapd-2.32.3.2~14.04/snap/snapenv/snapenv_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/snapenv/snapenv_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -81,15 +81,17 @@
 	env := basicEnv(mockSnapInfo)
 
 	c.Assert(env, DeepEquals, map[string]string{
-		"SNAP":              fmt.Sprintf("%s/foo/17", dirs.CoreSnapMountDir),
-		"SNAP_ARCH":         arch.UbuntuArchitecture(),
-		"SNAP_COMMON":       "/var/snap/foo/common",
-		"SNAP_DATA":         "/var/snap/foo/17",
-		"SNAP_LIBRARY_PATH": "/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void",
-		"SNAP_NAME":         "foo",
-		"SNAP_REEXEC":       "",
-		"SNAP_REVISION":     "17",
-		"SNAP_VERSION":      "1.0",
+		"SNAP":               fmt.Sprintf("%s/foo/17", dirs.CoreSnapMountDir),
+		"SNAP_ARCH":          arch.UbuntuArchitecture(),
+		"SNAP_COMMON":        "/var/snap/foo/common",
+		"SNAP_DATA":          "/var/snap/foo/17",
+		"SNAP_LIBRARY_PATH":  "/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void",
+		"SNAP_NAME":          "foo",
+		"SNAP_INSTANCE_NAME": "foo",
+		"SNAP_INSTANCE_KEY":  "",
+		"SNAP_REEXEC":        "",
+		"SNAP_REVISION":      "17",
+		"SNAP_VERSION":       "1.0",
 	})
 
 }
@@ -134,23 +136,99 @@
 
 		env := snapEnv(info)
 		c.Check(env, DeepEquals, map[string]string{
-			"HOME":              fmt.Sprintf("%s/snap/snapname/42", usr.HomeDir),
-			"SNAP":              fmt.Sprintf("%s/snapname/42", dirs.CoreSnapMountDir),
-			"SNAP_ARCH":         arch.UbuntuArchitecture(),
-			"SNAP_COMMON":       "/var/snap/snapname/common",
-			"SNAP_DATA":         "/var/snap/snapname/42",
-			"SNAP_LIBRARY_PATH": "/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void",
-			"SNAP_NAME":         "snapname",
-			"SNAP_REEXEC":       "",
-			"SNAP_REVISION":     "42",
-			"SNAP_USER_COMMON":  fmt.Sprintf("%s/snap/snapname/common", usr.HomeDir),
-			"SNAP_USER_DATA":    fmt.Sprintf("%s/snap/snapname/42", usr.HomeDir),
-			"SNAP_VERSION":      "1.0",
-			"XDG_RUNTIME_DIR":   fmt.Sprintf("/run/user/%d/snap.snapname", sys.Geteuid()),
+			"SNAP_ARCH":          arch.UbuntuArchitecture(),
+			"SNAP_LIBRARY_PATH":  "/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void",
+			"SNAP_NAME":          "snapname",
+			"SNAP_INSTANCE_NAME": "snapname",
+			"SNAP_INSTANCE_KEY":  "",
+			"SNAP_REEXEC":        "",
+			"SNAP_REVISION":      "42",
+			"SNAP_VERSION":       "1.0",
+
+			"SNAP":        fmt.Sprintf("%s/snapname/42", dirs.CoreSnapMountDir),
+			"SNAP_COMMON": "/var/snap/snapname/common",
+			"SNAP_DATA":   "/var/snap/snapname/42",
+
+			"SNAP_USER_COMMON": fmt.Sprintf("%s/snap/snapname/common", usr.HomeDir),
+			"SNAP_USER_DATA":   fmt.Sprintf("%s/snap/snapname/42", usr.HomeDir),
+			"XDG_RUNTIME_DIR":  fmt.Sprintf("/run/user/%d/snap.snapname", sys.Geteuid()),
+			"HOME":             fmt.Sprintf("%s/snap/snapname/42", usr.HomeDir),
 		})
 	}
 }
 
+func (s *HTestSuite) TestParallelInstallSnapRunSnapExecEnv(c *C) {
+	info, err := snap.InfoFromSnapYaml(mockYaml)
+	c.Assert(err, IsNil)
+	info.SideInfo.Revision = snap.R(42)
+
+	usr, err := user.Current()
+	c.Assert(err, IsNil)
+
+	homeEnv := os.Getenv("HOME")
+	defer os.Setenv("HOME", homeEnv)
+
+	// pretend it's snapname_foo
+	info.InstanceKey = "foo"
+
+	for _, withHomeEnv := range []bool{true, false} {
+		if !withHomeEnv {
+			os.Setenv("HOME", "")
+		}
+
+		env := snapEnv(info)
+		c.Check(env, DeepEquals, map[string]string{
+			"SNAP_ARCH":          arch.UbuntuArchitecture(),
+			"SNAP_LIBRARY_PATH":  "/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void",
+			"SNAP_NAME":          "snapname",
+			"SNAP_INSTANCE_NAME": "snapname_foo",
+			"SNAP_INSTANCE_KEY":  "foo",
+			"SNAP_REEXEC":        "",
+			"SNAP_REVISION":      "42",
+			"SNAP_VERSION":       "1.0",
+
+			// Those are mapped to snap-specific directories by
+			// mount namespace setup
+			"SNAP":        fmt.Sprintf("%s/snapname/42", dirs.CoreSnapMountDir),
+			"SNAP_COMMON": "/var/snap/snapname/common",
+			"SNAP_DATA":   "/var/snap/snapname/42",
+
+			// User's data directories are not mapped to
+			// snap-specific ones
+			"SNAP_USER_COMMON": fmt.Sprintf("%s/snap/snapname_foo/common", usr.HomeDir),
+			"SNAP_USER_DATA":   fmt.Sprintf("%s/snap/snapname_foo/42", usr.HomeDir),
+			"XDG_RUNTIME_DIR":  fmt.Sprintf("/run/user/%d/snap.snapname_foo", sys.Geteuid()),
+			"HOME":             fmt.Sprintf("%s/snap/snapname_foo/42", usr.HomeDir),
+		})
+	}
+}
+
+func (ts *HTestSuite) TestParallelInstallUser(c *C) {
+	info := *mockSnapInfo
+	info.InstanceKey = "bar"
+	env := userEnv(&info, "/root")
+
+	c.Assert(env, DeepEquals, map[string]string{
+		"HOME":             "/root/snap/foo_bar/17",
+		"SNAP_USER_COMMON": "/root/snap/foo_bar/common",
+		"SNAP_USER_DATA":   "/root/snap/foo_bar/17",
+		"XDG_RUNTIME_DIR":  fmt.Sprintf("/run/user/%d/snap.foo_bar", sys.Geteuid()),
+	})
+}
+
+func (ts *HTestSuite) TestParallelInstallUserForClassicConfinement(c *C) {
+	info := *mockClassicSnapInfo
+	info.InstanceKey = "bar"
+	env := userEnv(&info, "/root")
+
+	c.Assert(env, DeepEquals, map[string]string{
+		// NOTE HOME Is absent! we no longer override it
+		"SNAP_USER_COMMON": "/root/snap/foo_bar/common",
+		"SNAP_USER_DATA":   "/root/snap/foo_bar/17",
+		"XDG_RUNTIME_DIR":  fmt.Sprintf("/run/user/%d/snap.foo_bar", sys.Geteuid()),
+	})
+}
+
 func envValue(env []string, key string) (bool, string) {
 	for _, item := range env {
 		if strings.HasPrefix(item, key+"=") {
diff -Nru snapd-2.32.3.2~14.04/snap/snaptest/snaptest.go snapd-2.37~rc1~14.04/snap/snaptest/snaptest.go
--- snapd-2.32.3.2~14.04/snap/snaptest/snaptest.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/snaptest/snaptest.go	2019-01-16 08:36:51.000000000 +0000
@@ -33,11 +33,7 @@
 	"github.com/snapcore/snapd/snap/pack"
 )
 
-// MockSnap puts a snap.yaml file on disk so to mock an installed snap, based on the provided arguments.
-//
-// The caller is responsible for mocking root directory with dirs.SetRootDir()
-// and for altering the overlord state if required.
-func MockSnap(c *check.C, yamlText string, sideInfo *snap.SideInfo) *snap.Info {
+func mockSnap(c *check.C, instanceName, yamlText string, sideInfo *snap.SideInfo) *snap.Info {
 	c.Assert(sideInfo, check.Not(check.IsNil))
 
 	restoreSanitize := snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {})
@@ -50,6 +46,16 @@
 	// Set SideInfo so that we can use MountDir below
 	snapInfo.SideInfo = *sideInfo
 
+	if instanceName != "" {
+		// Set the snap instance name
+		snapName, instanceKey := snap.SplitInstanceName(instanceName)
+		snapInfo.InstanceKey = instanceKey
+
+		// Make sure snap name/instance name checks out
+		c.Assert(snapInfo.InstanceName(), check.Equals, instanceName)
+		c.Assert(snapInfo.SnapName(), check.Equals, snapName)
+	}
+
 	// Put the YAML on disk, in the right spot.
 	metaDir := filepath.Join(snapInfo.MountDir(), "meta")
 	err = os.MkdirAll(metaDir, 0755)
@@ -68,6 +74,47 @@
 	return snapInfo
 }
 
+// MockSnap puts a snap.yaml file on disk so to mock an installed snap, based on the provided arguments.
+//
+// The caller is responsible for mocking root directory with dirs.SetRootDir()
+// and for altering the overlord state if required.
+func MockSnap(c *check.C, yamlText string, sideInfo *snap.SideInfo) *snap.Info {
+	return mockSnap(c, "", yamlText, sideInfo)
+}
+
+// MockSnapInstance puts a snap.yaml file on disk so to mock an installed snap
+// instance, based on the provided arguments.
+//
+// The caller is responsible for mocking root directory with dirs.SetRootDir()
+// and for altering the overlord state if required.
+func MockSnapInstance(c *check.C, instanceName, yamlText string, sideInfo *snap.SideInfo) *snap.Info {
+	return mockSnap(c, instanceName, yamlText, sideInfo)
+}
+
+// MockSnapCurrent does the same as MockSnap but additionally creates the
+// 'current' symlink.
+//
+// The caller is responsible for mocking root directory with dirs.SetRootDir()
+// and for altering the overlord state if required.
+func MockSnapCurrent(c *check.C, yamlText string, sideInfo *snap.SideInfo) *snap.Info {
+	si := MockSnap(c, yamlText, sideInfo)
+	err := os.Symlink(filepath.Base(si.MountDir()), filepath.Join(si.MountDir(), "../current"))
+	c.Assert(err, check.IsNil)
+	return si
+}
+
+// MockSnapInstanceCurrent does the same as MockSnapInstance but additionally
+// creates the 'current' symlink.
+//
+// The caller is responsible for mocking root directory with dirs.SetRootDir()
+// and for altering the overlord state if required.
+func MockSnapInstanceCurrent(c *check.C, instanceName, yamlText string, sideInfo *snap.SideInfo) *snap.Info {
+	si := MockSnapInstance(c, instanceName, yamlText, sideInfo)
+	err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current"))
+	c.Assert(err, check.IsNil)
+	return si
+}
+
 // MockInfo parses the given snap.yaml text and returns a validated snap.Info object including the optional SideInfo.
 //
 // The result is just kept in memory, there is nothing kept on disk. If that is
@@ -148,7 +195,7 @@
 
 	err = osutil.ChDir(snapSource, func() error {
 		var err error
-		snapFilePath, err = pack.Snap(snapSource, "")
+		snapFilePath, err = pack.Snap(snapSource, "", "")
 		return err
 	})
 	if err != nil {
@@ -156,3 +203,58 @@
 	}
 	return filepath.Join(snapSource, snapFilePath)
 }
+
+// MustParseChannel parses a string representing a store channel and
+// includes the given architecture, if architecture is "" the system
+// architecture is included. It panics on error.
+func MustParseChannel(s string, architecture string) snap.Channel {
+	c, err := snap.ParseChannel(s, architecture)
+	if err != nil {
+		panic(err)
+	}
+	return c
+}
+
+// RenameSlot renames gives an existing slot a new name.
+//
+// The new slot name cannot clash with an existing plug or slot and must
+// be a valid slot name.
+func RenameSlot(snapInfo *snap.Info, oldName, newName string) error {
+	if snapInfo.Slots[oldName] == nil {
+		return fmt.Errorf("cannot rename slot %q to %q: no such slot", oldName, newName)
+	}
+	if err := snap.ValidateSlotName(newName); err != nil {
+		return fmt.Errorf("cannot rename slot %q to %q: %s", oldName, newName, err)
+	}
+	if oldName == newName {
+		return nil
+	}
+	if snapInfo.Slots[newName] != nil {
+		return fmt.Errorf("cannot rename slot %q to %q: existing slot with that name", oldName, newName)
+	}
+	if snapInfo.Plugs[newName] != nil {
+		return fmt.Errorf("cannot rename slot %q to %q: existing plug with that name", oldName, newName)
+	}
+
+	// Rename the slot.
+	slotInfo := snapInfo.Slots[oldName]
+	snapInfo.Slots[newName] = slotInfo
+	delete(snapInfo.Slots, oldName)
+	slotInfo.Name = newName
+
+	// Update references to the slot in all applications and hooks.
+	for _, appInfo := range snapInfo.Apps {
+		if _, ok := appInfo.Slots[oldName]; ok {
+			delete(appInfo.Slots, oldName)
+			appInfo.Slots[newName] = slotInfo
+		}
+	}
+	for _, hookInfo := range snapInfo.Hooks {
+		if _, ok := hookInfo.Slots[oldName]; ok {
+			delete(hookInfo.Slots, oldName)
+			hookInfo.Slots[newName] = slotInfo
+		}
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/snap/snaptest/snaptest_test.go snapd-2.37~rc1~14.04/snap/snaptest/snaptest_test.go
--- snapd-2.32.3.2~14.04/snap/snaptest/snaptest_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/snaptest/snaptest_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -60,7 +60,7 @@
 func (s *snapTestSuite) TestMockSnap(c *C) {
 	snapInfo := snaptest.MockSnap(c, sampleYaml, &snap.SideInfo{Revision: snap.R(42)})
 	// Data from YAML is used
-	c.Check(snapInfo.Name(), Equals, "sample")
+	c.Check(snapInfo.InstanceName(), Equals, "sample")
 	// Data from SideInfo is used
 	c.Check(snapInfo.Revision, Equals, snap.R(42))
 	// The YAML is placed on disk
@@ -72,10 +72,58 @@
 	c.Check(snapInfo.Plugs["network"].Interface, Equals, "network")
 }
 
+func (s *snapTestSuite) TestMockSnapInstance(c *C) {
+	snapInfo := snaptest.MockSnapInstance(c, "sample_instance", sampleYaml, &snap.SideInfo{Revision: snap.R(42)})
+	// Data from YAML and parameters is used
+	c.Check(snapInfo.InstanceName(), Equals, "sample_instance")
+	c.Check(snapInfo.SnapName(), Equals, "sample")
+	c.Check(snapInfo.InstanceKey, Equals, "instance")
+
+	// Data from SideInfo is used
+	c.Check(snapInfo.Revision, Equals, snap.R(42))
+	// The YAML is placed on disk
+	c.Check(filepath.Join(dirs.SnapMountDir, "sample_instance", "42", "meta", "snap.yaml"),
+		testutil.FileEquals, sampleYaml)
+
+	// More
+	c.Check(snapInfo.Apps["app"].Command, Equals, "foo")
+	c.Check(snapInfo.Plugs["network"].Interface, Equals, "network")
+}
+
+func (s *snapTestSuite) TestMockSnapCurrent(c *C) {
+	snapInfo := snaptest.MockSnapCurrent(c, sampleYaml, &snap.SideInfo{Revision: snap.R(42)})
+	// Data from YAML is used
+	c.Check(snapInfo.InstanceName(), Equals, "sample")
+	// Data from SideInfo is used
+	c.Check(snapInfo.Revision, Equals, snap.R(42))
+	// The YAML is placed on disk
+	c.Check(filepath.Join(dirs.SnapMountDir, "sample", "42", "meta", "snap.yaml"),
+		testutil.FileEquals, sampleYaml)
+	link, err := os.Readlink(filepath.Join(dirs.SnapMountDir, "sample", "current"))
+	c.Check(err, IsNil)
+	c.Check(link, Equals, "42")
+}
+
+func (s *snapTestSuite) TestMockSnapInstanceCurrent(c *C) {
+	snapInfo := snaptest.MockSnapInstanceCurrent(c, "sample_instance", sampleYaml, &snap.SideInfo{Revision: snap.R(42)})
+	// Data from YAML and parameters is used
+	c.Check(snapInfo.InstanceName(), Equals, "sample_instance")
+	c.Check(snapInfo.SnapName(), Equals, "sample")
+	c.Check(snapInfo.InstanceKey, Equals, "instance")
+	// Data from SideInfo is used
+	c.Check(snapInfo.Revision, Equals, snap.R(42))
+	// The YAML is placed on disk
+	c.Check(filepath.Join(dirs.SnapMountDir, "sample_instance", "42", "meta", "snap.yaml"),
+		testutil.FileEquals, sampleYaml)
+	link, err := os.Readlink(filepath.Join(dirs.SnapMountDir, "sample_instance", "current"))
+	c.Check(err, IsNil)
+	c.Check(link, Equals, filepath.Join(dirs.SnapMountDir, "sample_instance", "42"))
+}
+
 func (s *snapTestSuite) TestMockInfo(c *C) {
 	snapInfo := snaptest.MockInfo(c, sampleYaml, &snap.SideInfo{Revision: snap.R(42)})
 	// Data from YAML is used
-	c.Check(snapInfo.Name(), Equals, "sample")
+	c.Check(snapInfo.InstanceName(), Equals, "sample")
 	// Data from SideInfo is used
 	c.Check(snapInfo.Revision, Equals, snap.R(42))
 	// The YAML is *not* placed on disk
@@ -89,7 +137,7 @@
 func (s *snapTestSuite) TestMockInvalidInfo(c *C) {
 	snapInfo := snaptest.MockInvalidInfo(c, sampleYaml+"\nslots:\n network:\n", &snap.SideInfo{Revision: snap.R(42)})
 	// Data from YAML is used
-	c.Check(snapInfo.Name(), Equals, "sample")
+	c.Check(snapInfo.InstanceName(), Equals, "sample")
 	// Data from SideInfo is used
 	c.Check(snapInfo.Revision, Equals, snap.R(42))
 	// The YAML is *not* placed on disk
@@ -102,3 +150,51 @@
 	// They info object is not valid
 	c.Check(snap.Validate(snapInfo), ErrorMatches, `cannot have plug and slot with the same name: "network"`)
 }
+
+func (s *snapTestSuite) TestRenameSlot(c *C) {
+	snapInfo := snaptest.MockInfo(c, `name: core
+version: 0
+slots:
+  old:
+    interface: interface
+  slot:
+    interface: interface
+plugs:
+  plug:
+    interface: interface
+apps:
+  app:
+hooks:
+  configure:
+`, nil)
+
+	// Rename "old" to "plug"
+	err := snaptest.RenameSlot(snapInfo, "old", "plug")
+	c.Assert(err, ErrorMatches, `cannot rename slot "old" to "plug": existing plug with that name`)
+
+	// Rename "old" to "slot"
+	err = snaptest.RenameSlot(snapInfo, "old", "slot")
+	c.Assert(err, ErrorMatches, `cannot rename slot "old" to "slot": existing slot with that name`)
+
+	// Rename "old" to "bad name"
+	err = snaptest.RenameSlot(snapInfo, "old", "bad name")
+	c.Assert(err, ErrorMatches, `cannot rename slot "old" to "bad name": invalid slot name: "bad name"`)
+
+	// Rename "old" to "new"
+	err = snaptest.RenameSlot(snapInfo, "old", "new")
+	c.Assert(err, IsNil)
+
+	// Check that there's no trace of the old slot name.
+	c.Assert(snapInfo.Slots["old"], IsNil)
+	c.Assert(snapInfo.Slots["new"], NotNil)
+	c.Assert(snapInfo.Slots["new"].Name, Equals, "new")
+	c.Assert(snapInfo.Apps["app"].Slots["old"], IsNil)
+	c.Assert(snapInfo.Apps["app"].Slots["new"], DeepEquals, snapInfo.Slots["new"])
+	c.Assert(snapInfo.Hooks["configure"].Slots["old"], IsNil)
+	c.Assert(snapInfo.Hooks["configure"].Slots["new"], DeepEquals, snapInfo.Slots["new"])
+
+	// Rename "old" to "new" (again)
+	err = snaptest.RenameSlot(snapInfo, "old", "new")
+	c.Assert(err, ErrorMatches, `cannot rename slot "old" to "new": no such slot`)
+
+}
diff -Nru snapd-2.32.3.2~14.04/snap/squashfs/export_test.go snapd-2.37~rc1~14.04/snap/squashfs/export_test.go
--- snapd-2.32.3.2~14.04/snap/squashfs/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/squashfs/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,77 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package squashfs
+
+import (
+	"os"
+	"os/exec"
+	"time"
+
+	"gopkg.in/check.v1"
+)
+
+var (
+	FromRaw                   = fromRaw
+	NewUnsquashfsStderrWriter = newUnsquashfsStderrWriter
+)
+
+func (s stat) User() string  { return s.user }
+func (s stat) Group() string { return s.group }
+
+func MockLink(newLink func(string, string) error) (restore func()) {
+	oldLink := osLink
+	osLink = newLink
+	return func() {
+		osLink = oldLink
+	}
+}
+
+func MockFromCore(newFromCore func(string, string, ...string) (*exec.Cmd, error)) (restore func()) {
+	oldFromCore := osutilCommandFromCore
+	osutilCommandFromCore = newFromCore
+	return func() {
+		osutilCommandFromCore = oldFromCore
+	}
+}
+
+// Alike compares to os.FileInfo to determine if they are sufficiently
+// alike to say they refer to the same thing.
+func Alike(a, b os.FileInfo, c *check.C, comment check.CommentInterface) {
+	c.Check(a, check.NotNil, comment)
+	c.Check(b, check.NotNil, comment)
+	if a == nil || b == nil {
+		return
+	}
+
+	// the .Name() of the root will be different on non-squashfs things
+	_, asq := a.(*stat)
+	_, bsq := b.(*stat)
+	if !((asq && a.Name() == "/") || (bsq && b.Name() == "/")) {
+		c.Check(a.Name(), check.Equals, b.Name(), comment)
+	}
+
+	c.Check(a.Mode(), check.Equals, b.Mode(), comment)
+	if a.Mode().IsRegular() {
+		c.Check(a.Size(), check.Equals, b.Size(), comment)
+	}
+	am := a.ModTime().UTC().Truncate(time.Minute)
+	bm := b.ModTime().UTC().Truncate(time.Minute)
+	c.Check(am.Equal(bm), check.Equals, true, check.Commentf("%s != %s (%s)", am, bm, comment))
+}
diff -Nru snapd-2.32.3.2~14.04/snap/squashfs/squashfs.go snapd-2.37~rc1~14.04/snap/squashfs/squashfs.go
--- snapd-2.32.3.2~14.04/snap/squashfs/squashfs.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/squashfs/squashfs.go	2019-01-16 08:36:51.000000000 +0000
@@ -28,6 +28,7 @@
 	"path"
 	"path/filepath"
 	"regexp"
+	"time"
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
@@ -53,6 +54,7 @@
 }
 
 var osLink = os.Link
+var osutilCommandFromCore = osutil.CommandFromCore
 
 func (s *Snap) Install(targetPath, mountDir string) error {
 
@@ -114,9 +116,11 @@
 	strutil.MatchCounter
 }
 
+var unsquashfsStderrRegexp = regexp.MustCompile(`(?m).*\b[Ff]ailed\b.*`)
+
 func newUnsquashfsStderrWriter() *unsquashfsStderrWriter {
 	return &unsquashfsStderrWriter{strutil.MatchCounter{
-		Regexp: regexp.MustCompile(`(?m).*\b[Ff]ailed\b.*`),
+		Regexp: unsquashfsStderrRegexp,
 		N:      4, // note Err below uses this value
 	}}
 }
@@ -141,7 +145,7 @@
 func (s *Snap) Unpack(src, dstDir string) error {
 	usw := newUnsquashfsStderrWriter()
 
-	cmd := exec.Command("unsquashfs", "-f", "-d", dstDir, s.path, src)
+	cmd := exec.Command("unsquashfs", "-n", "-f", "-d", dstDir, s.path, src)
 	cmd.Stderr = usw
 	if err := cmd.Run(); err != nil {
 		return err
@@ -171,7 +175,7 @@
 	defer os.RemoveAll(tmpdir)
 
 	unpackDir := filepath.Join(tmpdir, "unpack")
-	if err := exec.Command("unsquashfs", "-i", "-d", unpackDir, s.path, filePath).Run(); err != nil {
+	if err := exec.Command("unsquashfs", "-n", "-i", "-d", unpackDir, s.path, filePath).Run(); err != nil {
 		return nil, err
 	}
 
@@ -219,6 +223,7 @@
 	} else {
 		cmd = exec.Command("unsquashfs", "-no-progress", "-dest", ".", "-ll", s.path, relative)
 	}
+	cmd.Env = []string{"TZ=UTC"}
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {
 		return walkFn(relative, nil, err)
@@ -295,20 +300,68 @@
 }
 
 // Build builds the snap.
-func (s *Snap) Build(buildDir string) error {
+func (s *Snap) Build(sourceDir, snapType string, excludeFiles ...string) error {
 	fullSnapPath, err := filepath.Abs(s.path)
 	if err != nil {
 		return err
 	}
+	cmd, err := osutilCommandFromCore(dirs.SnapMountDir, "/usr/bin/mksquashfs")
+	if err != nil {
+		cmd = exec.Command("mksquashfs")
+	}
+	cmd.Args = append(cmd.Args,
+		".", fullSnapPath,
+		"-noappend",
+		"-comp", "xz",
+		"-no-fragments",
+		"-no-progress",
+	)
+	if len(excludeFiles) > 0 {
+		cmd.Args = append(cmd.Args, "-wildcards")
+		for _, excludeFile := range excludeFiles {
+			cmd.Args = append(cmd.Args, "-ef", excludeFile)
+		}
+	}
+	if snapType != "os" && snapType != "core" && snapType != "base" {
+		cmd.Args = append(cmd.Args, "-all-root", "-no-xattrs")
+	}
 
-	return osutil.ChDir(buildDir, func() error {
-		return exec.Command(
-			"mksquashfs",
-			".", fullSnapPath,
-			"-noappend",
-			"-comp", "xz",
-			"-no-xattrs",
-			"-no-fragments",
-		).Run()
+	return osutil.ChDir(sourceDir, func() error {
+		output, err := cmd.CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("mksquashfs call failed: %s", osutil.OutputErr(output, err))
+		}
+
+		return nil
 	})
 }
+
+// BuildDate returns the "Creation or last append time" as reported by unsquashfs.
+func (s *Snap) BuildDate() time.Time {
+	return BuildDate(s.path)
+}
+
+// BuildDate returns the "Creation or last append time" as reported by unsquashfs.
+func BuildDate(path string) time.Time {
+	var t0 time.Time
+
+	const prefix = "Creation or last append time "
+	m := &strutil.MatchCounter{
+		Regexp: regexp.MustCompile("(?m)^" + prefix + ".*$"),
+		N:      1,
+	}
+
+	cmd := exec.Command("unsquashfs", "-n", "-s", path)
+	cmd.Env = []string{"TZ=UTC"}
+	cmd.Stdout = m
+	cmd.Stderr = m
+	if err := cmd.Run(); err != nil {
+		return t0
+	}
+	matches, count := m.Matches()
+	if count != 1 {
+		return t0
+	}
+	t0, _ = time.Parse(time.ANSIC, matches[0][len(prefix):])
+	return t0
+}
diff -Nru snapd-2.32.3.2~14.04/snap/squashfs/squashfs_test.go snapd-2.37~rc1~14.04/snap/squashfs/squashfs_test.go
--- snapd-2.32.3.2~14.04/snap/squashfs/squashfs_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/squashfs/squashfs_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -17,11 +17,12 @@
  *
  */
 
-package squashfs
+package squashfs_test
 
 import (
 	"errors"
 	"io/ioutil"
+	"math"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -30,10 +31,12 @@
 	"time"
 
 	. "gopkg.in/check.v1"
+	"gopkg.in/yaml.v2"
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/snap/snapdir"
+	"github.com/snapcore/snapd/snap/squashfs"
 	"github.com/snapcore/snapd/testutil"
 )
 
@@ -41,16 +44,17 @@
 func Test(t *testing.T) { TestingT(t) }
 
 type SquashfsTestSuite struct {
+	oldStdout, oldStderr, outf *os.File
 }
 
 var _ = Suite(&SquashfsTestSuite{})
 
-func makeSnap(c *C, manifest, data string) *Snap {
+func makeSnap(c *C, manifest, data string) *squashfs.Snap {
 	cur, _ := os.Getwd()
 	return makeSnapInDir(c, cur, manifest, data)
 }
 
-func makeSnapInDir(c *C, dir, manifest, data string) *Snap {
+func makeSnapContents(c *C, manifest, data string) string {
 	tmp := c.MkDir()
 	err := os.MkdirAll(filepath.Join(tmp, "meta", "hooks", "dir"), 0755)
 	c.Assert(err, IsNil)
@@ -77,9 +81,22 @@
 	err = ioutil.WriteFile(filepath.Join(tmp, "data.bin"), []byte(data), 0644)
 	c.Assert(err, IsNil)
 
+	return tmp
+}
+
+func makeSnapInDir(c *C, dir, manifest, data string) *squashfs.Snap {
+	snapType := "app"
+	var m struct {
+		Type string `yaml:"type"`
+	}
+	if err := yaml.Unmarshal([]byte(manifest), &m); err == nil && m.Type != "" {
+		snapType = m.Type
+	}
+
+	tmp := makeSnapContents(c, manifest, data)
 	// build it
-	snap := New(filepath.Join(dir, "foo.snap"))
-	err = snap.Build(tmp)
+	snap := squashfs.New(filepath.Join(dir, "foo.snap"))
+	err := snap.Build(tmp, snapType)
 	c.Assert(err, IsNil)
 
 	return snap
@@ -90,6 +107,22 @@
 	dirs.SetRootDir(d)
 	err := os.Chdir(d)
 	c.Assert(err, IsNil)
+
+	s.outf, err = ioutil.TempFile(c.MkDir(), "")
+	c.Assert(err, IsNil)
+	s.oldStdout, s.oldStderr = os.Stdout, os.Stderr
+	os.Stdout, os.Stderr = s.outf, s.outf
+}
+
+func (s *SquashfsTestSuite) TearDownTest(c *C) {
+	os.Stdout, os.Stderr = s.oldStdout, s.oldStderr
+
+	// this ensures things were quiet
+	_, err := s.outf.Seek(0, 0)
+	c.Assert(err, IsNil)
+	outbuf, err := ioutil.ReadAll(s.outf)
+	c.Assert(err, IsNil)
+	c.Check(string(outbuf), Equals, "")
 }
 
 func (s *SquashfsTestSuite) TestInstallSimpleNoCp(c *C) {
@@ -100,7 +133,7 @@
 	defer cmd.Restore()
 	// mock link but still link
 	linked := 0
-	r := mockLink(func(a, b string) error {
+	r := squashfs.MockLink(func(a, b string) error {
 		linked++
 		return os.Link(a, b)
 	})
@@ -116,16 +149,8 @@
 	c.Check(cmd.Calls(), HasLen, 0)
 }
 
-func mockLink(newLink func(string, string) error) (restore func()) {
-	oldLink := osLink
-	osLink = newLink
-	return func() {
-		osLink = oldLink
-	}
-}
-
 func noLink() func() {
-	return mockLink(func(string, string) error { return errors.New("no.") })
+	return squashfs.MockLink(func(string, string) error { return errors.New("no.") })
 }
 
 func (s *SquashfsTestSuite) TestInstallNotCopyTwice(c *C) {
@@ -166,7 +191,7 @@
 
 func (s *SquashfsTestSuite) TestPath(c *C) {
 	p := "/path/to/foo.snap"
-	snap := New("/path/to/foo.snap")
+	snap := squashfs.New("/path/to/foo.snap")
 	c.Assert(snap.Path(), Equals, p)
 }
 
@@ -189,29 +214,6 @@
 	c.Check(fileNames[2], Equals, "foo-hook")
 }
 
-func alike(a, b os.FileInfo, c *C, comment CommentInterface) {
-	c.Check(a, NotNil, comment)
-	c.Check(b, NotNil, comment)
-	if a == nil || b == nil {
-		return
-	}
-
-	// the .Name() of the root will be different on non-squashfs things
-	_, asq := a.(*stat)
-	_, bsq := b.(*stat)
-	if !((asq && a.Name() == "/") || (bsq && b.Name() == "/")) {
-		c.Check(a.Name(), Equals, b.Name(), comment)
-	}
-
-	c.Check(a.Mode(), Equals, b.Mode(), comment)
-	if a.Mode().IsRegular() {
-		c.Check(a.Size(), Equals, b.Size(), comment)
-	}
-	am := a.ModTime().UTC().Truncate(time.Minute)
-	bm := b.ModTime().UTC().Truncate(time.Minute)
-	c.Check(am.Equal(bm), Equals, true, Commentf("%s != %s (%s)", am, bm, comment))
-}
-
 func (s *SquashfsTestSuite) TestWalk(c *C) {
 	sub := "."
 	snap := makeSnap(c, "name: foo", "")
@@ -259,18 +261,18 @@
 	})
 
 	for k := range fpw {
-		alike(sqw[k], fpw[k], c, Commentf(k))
-		alike(sdw[k], fpw[k], c, Commentf(k))
+		squashfs.Alike(sqw[k], fpw[k], c, Commentf(k))
+		squashfs.Alike(sdw[k], fpw[k], c, Commentf(k))
 	}
 
 	for k := range sqw {
-		alike(fpw[k], sqw[k], c, Commentf(k))
-		alike(sdw[k], sqw[k], c, Commentf(k))
+		squashfs.Alike(fpw[k], sqw[k], c, Commentf(k))
+		squashfs.Alike(sdw[k], sqw[k], c, Commentf(k))
 	}
 
 	for k := range sdw {
-		alike(fpw[k], sdw[k], c, Commentf(k))
-		alike(sqw[k], sdw[k], c, Commentf(k))
+		squashfs.Alike(fpw[k], sdw[k], c, Commentf(k))
+		squashfs.Alike(sqw[k], sdw[k], c, Commentf(k))
 	}
 
 }
@@ -343,28 +345,206 @@
 }
 
 func (s *SquashfsTestSuite) TestBuild(c *C) {
+	// please keep TestBuildUsesExcludes in sync with this one so it makes sense.
 	buildDir := c.MkDir()
 	err := os.MkdirAll(filepath.Join(buildDir, "/random/dir"), 0755)
 	c.Assert(err, IsNil)
 	err = ioutil.WriteFile(filepath.Join(buildDir, "data.bin"), []byte("data"), 0644)
 	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(filepath.Join(buildDir, "random", "data.bin"), []byte("more data"), 0644)
+	c.Assert(err, IsNil)
 
-	snap := New(filepath.Join(c.MkDir(), "foo.snap"))
-	err = snap.Build(buildDir)
+	snap := squashfs.New(filepath.Join(c.MkDir(), "foo.snap"))
+	err = snap.Build(buildDir, "app")
 	c.Assert(err, IsNil)
 
 	// unsquashfs writes a funny header like:
 	//     "Parallel unsquashfs: Using 1 processor"
 	//     "1 inodes (1 blocks) to write"
-	outputWithHeader, err := exec.Command("unsquashfs", "-n", "-l", snap.path).Output()
+	outputWithHeader, err := exec.Command("unsquashfs", "-n", "-l", snap.Path()).Output()
 	c.Assert(err, IsNil)
 	split := strings.Split(string(outputWithHeader), "\n")
 	output := strings.Join(split[3:], "\n")
-	c.Assert(string(output), Equals, `squashfs-root
+	c.Assert(string(output), Equals, `
+squashfs-root
 squashfs-root/data.bin
 squashfs-root/random
+squashfs-root/random/data.bin
 squashfs-root/random/dir
+`[1:]) // skip the first newline :-)
+}
+
+func (s *SquashfsTestSuite) TestBuildUsesExcludes(c *C) {
+	// please keep TestBuild in sync with this one so it makes sense.
+	buildDir := c.MkDir()
+	err := os.MkdirAll(filepath.Join(buildDir, "/random/dir"), 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(filepath.Join(buildDir, "data.bin"), []byte("data"), 0644)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(filepath.Join(buildDir, "random", "data.bin"), []byte("more data"), 0644)
+	c.Assert(err, IsNil)
+
+	excludesFilename := filepath.Join(buildDir, ".snapignore")
+	err = ioutil.WriteFile(excludesFilename, []byte(`
+# ignore just one of the data.bin files we just added (the toplevel one)
+data.bin
+# also ignore ourselves
+.snapignore
+# oh and anything called "dir" anywhere
+... dir
+`), 0644)
+	c.Assert(err, IsNil)
+
+	snap := squashfs.New(filepath.Join(c.MkDir(), "foo.snap"))
+	err = snap.Build(buildDir, "app", excludesFilename)
+	c.Assert(err, IsNil)
+
+	outputWithHeader, err := exec.Command("unsquashfs", "-n", "-l", snap.Path()).Output()
+	c.Assert(err, IsNil)
+	split := strings.Split(string(outputWithHeader), "\n")
+	output := strings.Join(split[3:], "\n")
+	// compare with TestBuild
+	c.Assert(string(output), Equals, `
+squashfs-root
+squashfs-root/random
+squashfs-root/random/data.bin
+`[1:]) // skip the first newline :-)
+}
+
+func (s *SquashfsTestSuite) TestBuildSupportsMultipleExcludesWithOnlyOneWildcardsFlag(c *C) {
+	defer squashfs.MockFromCore(func(mountDir, cmd string, args ...string) (*exec.Cmd, error) {
+		c.Check(mountDir, Equals, dirs.SnapMountDir)
+		c.Check(cmd, Equals, "/usr/bin/mksquashfs")
+		return nil, errors.New("bzzt")
+	})()
+	mksq := testutil.MockCommand(c, "mksquashfs", "")
+	defer mksq.Restore()
+
+	snapPath := filepath.Join(c.MkDir(), "foo.snap")
+	snap := squashfs.New(snapPath)
+	err := snap.Build(c.MkDir(), "core", "exclude1", "exclude2", "exclude3")
+	c.Assert(err, IsNil)
+	calls := mksq.Calls()
+	c.Assert(calls, HasLen, 1)
+	c.Check(calls[0], DeepEquals, []string{
+		// the usual:
+		"mksquashfs", ".", snapPath, "-noappend", "-comp", "xz", "-no-fragments", "-no-progress",
+		// the interesting bits:
+		"-wildcards", "-ef", "exclude1", "-ef", "exclude2", "-ef", "exclude3",
+	})
+}
+
+func (s *SquashfsTestSuite) TestBuildUsesMksquashfsFromCoreIfAvailable(c *C) {
+	usedFromCore := false
+	defer squashfs.MockFromCore(func(mountDir, cmd string, args ...string) (*exec.Cmd, error) {
+		usedFromCore = true
+		c.Check(mountDir, Equals, dirs.SnapMountDir)
+		c.Check(cmd, Equals, "/usr/bin/mksquashfs")
+		return &exec.Cmd{Path: "/bin/true"}, nil
+	})()
+	mksq := testutil.MockCommand(c, "mksquashfs", "exit 1")
+	defer mksq.Restore()
+
+	buildDir := c.MkDir()
+
+	snap := squashfs.New(filepath.Join(c.MkDir(), "foo.snap"))
+	err := snap.Build(buildDir, "app")
+	c.Assert(err, IsNil)
+	c.Check(usedFromCore, Equals, true)
+	c.Check(mksq.Calls(), HasLen, 0)
+}
+
+func (s *SquashfsTestSuite) TestBuildUsesMksquashfsFromClassicIfCoreUnavailable(c *C) {
+	triedFromCore := false
+	defer squashfs.MockFromCore(func(mountDir, cmd string, args ...string) (*exec.Cmd, error) {
+		triedFromCore = true
+		c.Check(mountDir, Equals, dirs.SnapMountDir)
+		c.Check(cmd, Equals, "/usr/bin/mksquashfs")
+		return nil, errors.New("bzzt")
+	})()
+	mksq := testutil.MockCommand(c, "mksquashfs", "")
+	defer mksq.Restore()
+
+	buildDir := c.MkDir()
+
+	snap := squashfs.New(filepath.Join(c.MkDir(), "foo.snap"))
+	err := snap.Build(buildDir, "app")
+	c.Assert(err, IsNil)
+	c.Check(triedFromCore, Equals, true)
+	c.Check(mksq.Calls(), HasLen, 1)
+}
+
+func (s *SquashfsTestSuite) TestBuildFailsIfNoMksquashfs(c *C) {
+	triedFromCore := false
+	defer squashfs.MockFromCore(func(mountDir, cmd string, args ...string) (*exec.Cmd, error) {
+		triedFromCore = true
+		c.Check(mountDir, Equals, dirs.SnapMountDir)
+		c.Check(cmd, Equals, "/usr/bin/mksquashfs")
+		return nil, errors.New("bzzt")
+	})()
+	mksq := testutil.MockCommand(c, "mksquashfs", "exit 1")
+	defer mksq.Restore()
+
+	buildDir := c.MkDir()
+
+	snap := squashfs.New(filepath.Join(c.MkDir(), "foo.snap"))
+	err := snap.Build(buildDir, "app")
+	c.Assert(err, ErrorMatches, "mksquashfs call failed:.*")
+	c.Check(triedFromCore, Equals, true)
+	c.Check(mksq.Calls(), HasLen, 1)
+}
+
+func (s *SquashfsTestSuite) TestBuildVariesArgsByType(c *C) {
+	defer squashfs.MockFromCore(func(mountDir, cmd string, args ...string) (*exec.Cmd, error) {
+		c.Check(mountDir, Equals, dirs.SnapMountDir)
+		return nil, errors.New("bzzt")
+	})()
+	mksq := testutil.MockCommand(c, "mksquashfs", "")
+	defer mksq.Restore()
+
+	buildDir := c.MkDir()
+	filename := filepath.Join(c.MkDir(), "foo.snap")
+	snap := squashfs.New(filename)
+
+	permissiveTypeArgs := []string{".", filename, "-noappend", "-comp", "xz", "-no-fragments", "-no-progress"}
+	restrictedTypeArgs := append(permissiveTypeArgs, "-all-root", "-no-xattrs")
+	tests := []struct {
+		snapType string
+		args     []string
+	}{
+		{"", restrictedTypeArgs},
+		{"app", restrictedTypeArgs},
+		{"gadget", restrictedTypeArgs},
+		{"kernel", restrictedTypeArgs},
+		{"snapd", restrictedTypeArgs},
+		{"base", permissiveTypeArgs},
+		{"os", permissiveTypeArgs},
+		{"core", permissiveTypeArgs},
+	}
+
+	for _, t := range tests {
+		mksq.ForgetCalls()
+		comm := Commentf("type: %s", t.snapType)
+
+		c.Check(snap.Build(buildDir, t.snapType), IsNil, comm)
+		c.Assert(mksq.Calls(), HasLen, 1, comm)
+		c.Assert(mksq.Calls()[0], HasLen, len(t.args)+1)
+		c.Check(mksq.Calls()[0][0], Equals, "mksquashfs", comm)
+		c.Check(mksq.Calls()[0][1:], DeepEquals, t.args, comm)
+	}
+}
+
+func (s *SquashfsTestSuite) TestBuildReportsFailures(c *C) {
+	mockUnsquashfs := testutil.MockCommand(c, "mksquashfs", `
+echo Yeah, nah. >&2
+exit 1
 `)
+	defer mockUnsquashfs.Restore()
+
+	data := "mock kernel snap"
+	dir := makeSnapContents(c, "", data)
+	snap := squashfs.New("foo.snap")
+	c.Check(snap.Build(dir, "kernel"), ErrorMatches, `mksquashfs call failed: Yeah, nah.`)
 }
 
 func (s *SquashfsTestSuite) TestUnsquashfsStderrWriter(c *C) {
@@ -397,7 +577,7 @@
 			expectedErr: `failed: "failed 1", "failed 2", "3 Failed", "4 Failed", and 1 more`,
 		},
 	} {
-		usw := newUnsquashfsStderrWriter()
+		usw := squashfs.NewUnsquashfsStderrWriter()
 		for _, l := range t.inp {
 			usw.Write([]byte(l))
 		}
@@ -408,3 +588,19 @@
 		}
 	}
 }
+
+func (s *SquashfsTestSuite) TestBuildDate(c *C) {
+	// make a directory
+	d := c.MkDir()
+	// set its time waaay back
+	now := time.Now()
+	then := now.Add(-10000 * time.Hour)
+	c.Assert(os.Chtimes(d, then, then), IsNil)
+	// make a snap using this directory
+	filename := filepath.Join(c.MkDir(), "foo.snap")
+	snap := squashfs.New(filename)
+	c.Assert(snap.Build(d, "app"), IsNil)
+	// and see it's BuildDate is _now_, not _then_.
+	c.Check(squashfs.BuildDate(filename), Equals, snap.BuildDate())
+	c.Check(math.Abs(now.Sub(snap.BuildDate()).Seconds()) <= 61, Equals, true, Commentf("Unexpected build date %s", snap.BuildDate()))
+}
diff -Nru snapd-2.32.3.2~14.04/snap/squashfs/stat.go snapd-2.37~rc1~14.04/snap/squashfs/stat.go
--- snapd-2.32.3.2~14.04/snap/squashfs/stat.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/squashfs/stat.go	2019-01-16 08:36:51.000000000 +0000
@@ -67,7 +67,7 @@
 		// next'll come the size or the node type
 		st.parseSize,
 		// and then the time
-		st.parseTime,
+		st.parseTimeUTC,
 		// and finally the path
 		st.parsePath,
 	}
@@ -157,9 +157,9 @@
 	}
 }
 
-func (st *stat) parseTime(raw []byte) (int, error) {
+func (st *stat) parseTimeUTC(raw []byte) (int, error) {
 	const timelen = 16
-	t, err := time.ParseInLocation("2006-01-02 15:04", string(raw[:timelen]), time.Local)
+	t, err := time.Parse("2006-01-02 15:04", string(raw[:timelen]))
 	if err != nil {
 		return 0, errBadTime(raw)
 	}
diff -Nru snapd-2.32.3.2~14.04/snap/squashfs/stat_test.go snapd-2.37~rc1~14.04/snap/squashfs/stat_test.go
--- snapd-2.32.3.2~14.04/snap/squashfs/stat_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/squashfs/stat_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,23 @@
-package squashfs
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2017-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package squashfs_test
 
 import (
 	"fmt"
@@ -7,6 +26,8 @@
 	"time"
 
 	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/snap/squashfs"
 )
 
 func (s *SquashfsTestSuite) TestStatBadNodes(c *C) {
@@ -88,7 +109,7 @@
 	for kind, lines := range badlines {
 		for _, line := range lines {
 			com := Commentf("%q (expected bad %s)", line, kind)
-			st, err := fromRaw([]byte(line))
+			st, err := squashfs.FromRaw([]byte(line))
 			c.Assert(err, NotNil, com)
 			c.Check(st, IsNil, com)
 			c.Check(err, ErrorMatches, fmt.Sprintf("cannot parse %s: .*", kind))
@@ -108,22 +129,18 @@
 		user, group := ug[0], ug[1]
 		raw := []byte(fmt.Sprintf("-rw-r--r-- %s/%s               20 2017-12-08 11:19 ./foo", user, group))
 
-		expected := &stat{
-			mode:  0644,
-			path:  "/foo",
-			user:  user,
-			group: group,
-			size:  20,
-			mtime: time.Date(2017, 12, 8, 11, 19, 0, 0, time.Local),
-		}
-
 		com := Commentf("%q", raw)
 		c.Assert(len(user) <= 32, Equals, true, com)
 		c.Assert(len(group) <= 32, Equals, true, com)
 
-		st, err := fromRaw(raw)
+		st, err := squashfs.FromRaw(raw)
 		c.Assert(err, IsNil, com)
-		c.Check(st, DeepEquals, expected, com)
+		c.Check(st.Mode(), Equals, os.FileMode(0644), com)
+		c.Check(st.Path(), Equals, "/foo", com)
+		c.Check(st.User(), Equals, user, com)
+		c.Check(st.Group(), Equals, group, com)
+		c.Check(st.Size(), Equals, int64(20), com)
+		c.Check(st.ModTime(), Equals, time.Date(2017, 12, 8, 11, 19, 0, 0, time.UTC), com)
 	}
 }
 
@@ -136,88 +153,79 @@
 	}
 	for _, path := range paths {
 		raw := []byte(fmt.Sprintf("-rw-r--r-- user/group               20 2017-12-08 11:19 ./%s", path))
-		expected := &stat{
-			mode:  0644,
-			path:  fmt.Sprintf("/%s", path),
-			user:  "user",
-			group: "group",
-			size:  20,
-			mtime: time.Date(2017, 12, 8, 11, 19, 0, 0, time.Local),
-		}
 
 		com := Commentf("%q", raw)
-		st, err := fromRaw(raw)
+		st, err := squashfs.FromRaw(raw)
 		c.Assert(err, IsNil, com)
-		c.Check(st, DeepEquals, expected, com)
+		c.Check(st.Mode(), Equals, os.FileMode(0644), com)
+		c.Check(st.Path(), Equals, fmt.Sprintf("/%s", path), com)
+		c.Check(st.User(), Equals, "user", com)
+		c.Check(st.Group(), Equals, "group", com)
+		c.Check(st.Size(), Equals, int64(20), com)
+		c.Check(st.ModTime(), Equals, time.Date(2017, 12, 8, 11, 19, 0, 0, time.UTC), com)
 	}
 }
 
 func (s *SquashfsTestSuite) TestStatBlock(c *C) {
 	line := "brw-rw---- root/disk             7,  0 2017-12-05 10:29 ./dev/loop0"
-	st, err := fromRaw([]byte(line))
+	st, err := squashfs.FromRaw([]byte(line))
 	c.Assert(err, IsNil)
-	c.Check(st, DeepEquals, &stat{
-		mode:  0660 | os.ModeDevice,
-		path:  "/dev/loop0",
-		user:  "root",
-		group: "disk",
-		mtime: time.Date(2017, 12, 5, 10, 29, 0, 0, time.Local),
-	})
+	c.Check(st.Mode(), Equals, os.FileMode(0660|os.ModeDevice))
+	c.Check(st.Path(), Equals, "/dev/loop0")
+	c.Check(st.User(), Equals, "root")
+	c.Check(st.Group(), Equals, "disk")
+	c.Check(st.Size(), Equals, int64(0))
+	c.Check(st.ModTime(), Equals, time.Date(2017, 12, 5, 10, 29, 0, 0, time.UTC))
 	// note the major and minor numbers are ignored (for now)
 }
 
 func (s *SquashfsTestSuite) TestStatCharacter(c *C) {
 	line := "crw-rw---- root/audio           14,  3 2017-12-05 10:29 ./dev/dsp"
-	st, err := fromRaw([]byte(line))
+	st, err := squashfs.FromRaw([]byte(line))
 	c.Assert(err, IsNil)
-	c.Check(st, DeepEquals, &stat{
-		mode:  0660 | os.ModeCharDevice,
-		path:  "/dev/dsp",
-		user:  "root",
-		group: "audio",
-		mtime: time.Date(2017, 12, 5, 10, 29, 0, 0, time.Local),
-	})
+	c.Check(st.Mode(), Equals, os.FileMode(0660|os.ModeCharDevice))
+	c.Check(st.Path(), Equals, "/dev/dsp")
+	c.Check(st.User(), Equals, "root")
+	c.Check(st.Group(), Equals, "audio")
+	c.Check(st.Size(), Equals, int64(0))
+	c.Check(st.ModTime(), Equals, time.Date(2017, 12, 5, 10, 29, 0, 0, time.UTC))
 	// note the major and minor numbers are ignored (for now)
 }
 
 func (s *SquashfsTestSuite) TestStatSymlink(c *C) {
 	line := "lrwxrwxrwx root/root                 4 2017-12-05 10:29 ./var/run -> /run"
-	st, err := fromRaw([]byte(line))
+	st, err := squashfs.FromRaw([]byte(line))
 	c.Assert(err, IsNil)
-	c.Check(st, DeepEquals, &stat{
-		mode:  0777 | os.ModeSymlink,
-		path:  "/var/run",
-		user:  "root",
-		group: "root",
-		size:  4,
-		mtime: time.Date(2017, 12, 5, 10, 29, 0, 0, time.Local),
-	})
+	c.Check(st.Mode(), Equals, os.FileMode(0777|os.ModeSymlink))
+	c.Check(st.Path(), Equals, "/var/run")
+	c.Check(st.User(), Equals, "root")
+	c.Check(st.Group(), Equals, "root")
+	c.Check(st.Size(), Equals, int64(4))
+	c.Check(st.ModTime(), Equals, time.Date(2017, 12, 5, 10, 29, 0, 0, time.UTC))
 }
 
 func (s *SquashfsTestSuite) TestStatNamedPipe(c *C) {
 	line := "prw-rw-r-- john/john                 0 2018-01-09 10:24 ./afifo"
-	st, err := fromRaw([]byte(line))
+	st, err := squashfs.FromRaw([]byte(line))
 	c.Assert(err, IsNil)
-	c.Check(st, DeepEquals, &stat{
-		mode:  0664 | os.ModeNamedPipe,
-		path:  "/afifo",
-		user:  "john",
-		group: "john",
-		mtime: time.Date(2018, 1, 9, 10, 24, 0, 0, time.Local),
-	})
+	c.Check(st.Mode(), Equals, os.FileMode(0664|os.ModeNamedPipe))
+	c.Check(st.Path(), Equals, "/afifo")
+	c.Check(st.User(), Equals, "john")
+	c.Check(st.Group(), Equals, "john")
+	c.Check(st.Size(), Equals, int64(0))
+	c.Check(st.ModTime(), Equals, time.Date(2018, 1, 9, 10, 24, 0, 0, time.UTC))
 }
 
 func (s *SquashfsTestSuite) TestStatSocket(c *C) {
 	line := "srwxrwxr-x john/john                 0 2018-01-09 10:24 ./asock"
-	st, err := fromRaw([]byte(line))
+	st, err := squashfs.FromRaw([]byte(line))
 	c.Assert(err, IsNil)
-	c.Check(st, DeepEquals, &stat{
-		mode:  0775 | os.ModeSocket,
-		path:  "/asock",
-		user:  "john",
-		group: "john",
-		mtime: time.Date(2018, 1, 9, 10, 24, 0, 0, time.Local),
-	})
+	c.Check(st.Mode(), Equals, os.FileMode(0775|os.ModeSocket))
+	c.Check(st.Path(), Equals, "/asock")
+	c.Check(st.User(), Equals, "john")
+	c.Check(st.Group(), Equals, "john")
+	c.Check(st.Size(), Equals, int64(0))
+	c.Check(st.ModTime(), Equals, time.Date(2018, 1, 9, 10, 24, 0, 0, time.UTC))
 }
 
 func (s *SquashfsTestSuite) TestStatLength(c *C) {
@@ -229,19 +237,16 @@
 	}
 	for _, n := range ns {
 		raw := []byte(fmt.Sprintf("-rw-r--r-- user/group %16d 2017-12-08 11:19 ./some filename", n))
-		expected := &stat{
-			mode:  0644,
-			path:  "/some filename",
-			user:  "user",
-			group: "group",
-			size:  n,
-			mtime: time.Date(2017, 12, 8, 11, 19, 0, 0, time.Local),
-		}
 
 		com := Commentf("%q", raw)
-		st, err := fromRaw(raw)
+		st, err := squashfs.FromRaw(raw)
 		c.Assert(err, IsNil, com)
-		c.Check(st, DeepEquals, expected, com)
+		c.Check(st.Mode(), Equals, os.FileMode(0644), com)
+		c.Check(st.Path(), Equals, "/some filename", com)
+		c.Check(st.User(), Equals, "user", com)
+		c.Check(st.Group(), Equals, "group", com)
+		c.Check(st.Size(), Equals, n, com)
+		c.Check(st.ModTime(), Equals, time.Date(2017, 12, 8, 11, 19, 0, 0, time.UTC), com)
 	}
 }
 
@@ -249,26 +254,21 @@
 	for i := os.FileMode(0); i <= 0777; i++ {
 		raw := []byte(fmt.Sprintf("%s user/group            53595 2017-12-08 11:19 ./yadda", i))
 
-		expected := &stat{
-			mode:  i,
-			path:  "/yadda",
-			user:  "user",
-			group: "group",
-			size:  int64(53595),
-			mtime: time.Date(2017, 12, 8, 11, 19, 0, 0, time.Local),
-		}
-
 		com := Commentf("%q vs %o", raw, i)
-		st, err := fromRaw(raw)
+		st, err := squashfs.FromRaw(raw)
 		c.Assert(err, IsNil, com)
-		c.Check(st, DeepEquals, expected, com)
+		c.Check(st.Mode(), Equals, i, com)
+		c.Check(st.Path(), Equals, "/yadda", com)
+		c.Check(st.User(), Equals, "user", com)
+		c.Check(st.Group(), Equals, "group", com)
+		c.Check(st.Size(), Equals, int64(53595), com)
+		c.Check(st.ModTime(), Equals, time.Date(2017, 12, 8, 11, 19, 0, 0, time.UTC), com)
 
 		jRaw := make([]byte, len(raw))
 
 		for j := 01000 + i; j <= 07777; j += 01000 {
 			// this silliness only needed because os.FileMode's String() throws away sticky/setuid/setgid bits
 			copy(jRaw, raw)
-			expected.mode = j
 			if j&01000 != 0 {
 				if j&0001 != 0 {
 					jRaw[9] = 't'
@@ -289,13 +289,11 @@
 				} else {
 					jRaw[3] = 'S'
 				}
-
-				com := Commentf("%q vs %o", jRaw, j)
-				st, err := fromRaw(jRaw)
-				c.Assert(err, IsNil, com)
-				c.Check(st, DeepEquals, expected, com)
-
 			}
+			com := Commentf("%q vs %o", jRaw, j)
+			st, err := squashfs.FromRaw(jRaw)
+			c.Assert(err, IsNil, com)
+			c.Check(st.Mode(), Equals, j, com)
 		}
 	}
 }
diff -Nru snapd-2.32.3.2~14.04/snap/types.go snapd-2.37~rc1~14.04/snap/types.go
--- snapd-2.32.3.2~14.04/snap/types.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/types.go	2019-01-16 08:36:51.000000000 +0000
@@ -33,11 +33,28 @@
 	TypeGadget Type = "gadget"
 	TypeKernel Type = "kernel"
 	TypeBase   Type = "base"
+	TypeSnapd  Type = "snapd"
 
 	// FIXME: this really should be TypeCore
 	TypeOS Type = "os"
 )
 
+// This is the sort order from least important to most important for
+// types. On e.g. firstboot this will be used to order the snaps this
+// way.
+var typeOrder = map[Type]int{
+	TypeApp:    50,
+	TypeGadget: 40,
+	TypeBase:   30,
+	TypeKernel: 20,
+	TypeOS:     10,
+	TypeSnapd:  0,
+}
+
+func (m Type) SortsBefore(other Type) bool {
+	return typeOrder[m] < typeOrder[other]
+}
+
 // UnmarshalJSON sets *m to a copy of data.
 func (m *Type) UnmarshalJSON(data []byte) error {
 	var str string
@@ -48,7 +65,7 @@
 	return m.fromString(str)
 }
 
-// UnmarshalYAML so ConfinementType implements yaml's Unmarshaler interface
+// UnmarshalYAML so Type implements yaml's Unmarshaler interface
 func (m *Type) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	var str string
 	if err := unmarshal(&str); err != nil {
@@ -68,7 +85,7 @@
 		t = TypeApp
 	}
 
-	if t != TypeApp && t != TypeGadget && t != TypeOS && t != TypeKernel && t != TypeBase {
+	if t != TypeApp && t != TypeGadget && t != TypeOS && t != TypeKernel && t != TypeBase && t != TypeSnapd {
 		return fmt.Errorf("invalid snap type: %q", str)
 	}
 
diff -Nru snapd-2.32.3.2~14.04/snap/types_test.go snapd-2.37~rc1~14.04/snap/types_test.go
--- snapd-2.32.3.2~14.04/snap/types_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/types_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -57,6 +57,10 @@
 	out, err = json.Marshal(TypeBase)
 	c.Assert(err, IsNil)
 	c.Check(string(out), Equals, "\"base\"")
+
+	out, err = json.Marshal(TypeSnapd)
+	c.Assert(err, IsNil)
+	c.Check(string(out), Equals, "\"snapd\"")
 }
 
 func (s *typeSuite) TestJsonUnmarshalTypes(c *C) {
@@ -85,6 +89,10 @@
 	err = json.Unmarshal([]byte("\"base\""), &st)
 	c.Assert(err, IsNil)
 	c.Check(st, Equals, TypeBase)
+
+	err = json.Unmarshal([]byte("\"snapd\""), &st)
+	c.Assert(err, IsNil)
+	c.Check(st, Equals, TypeSnapd)
 }
 
 func (s *typeSuite) TestJsonUnmarshalInvalidTypes(c *C) {
diff -Nru snapd-2.32.3.2~14.04/snap/validate.go snapd-2.37~rc1~14.04/snap/validate.go
--- snapd-2.32.3.2~14.04/snap/validate.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/validate.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,7 +20,7 @@
 package snap
 
 import (
-	"bytes"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -28,6 +28,7 @@
 	"sort"
 	"strconv"
 	"strings"
+	"unicode/utf8"
 
 	"github.com/snapcore/snapd/spdx"
 	"github.com/snapcore/snapd/strutil"
@@ -35,22 +36,105 @@
 )
 
 // Regular expressions describing correct identifiers.
-//
-// validSnapName is also used to validate socket identifiers.
-var validSnapName = regexp.MustCompile("^(?:[a-z0-9]+-?)*[a-z](?:-?[a-z0-9])*$")
 var validHookName = regexp.MustCompile("^[a-z](?:-?[a-z0-9])*$")
 
+// The fixed length of valid snap IDs.
+const validSnapIDLength = 32
+
+// almostValidName is part of snap and socket name validation.
+//   the full regexp we could use, "^(?:[a-z0-9]+-?)*[a-z](?:-?[a-z0-9])*$", is
+//   O(2ⁿ) on the length of the string in python. An equivalent regexp that
+//   doesn't have the nested quantifiers that trip up Python's re would be
+//   "^(?:[a-z0-9]|(?<=[a-z0-9])-)*[a-z](?:[a-z0-9]|-(?=[a-z0-9]))*$", but Go's
+//   regexp package doesn't support look-aheads nor look-behinds, so in order to
+//   have a unified implementation in the Go and Python bits of the project
+//   we're doing it this way instead. Check the length (if applicable), check
+//   this regexp, then check the dashes.
+//   This still leaves sc_snap_name_validate (in cmd/snap-confine/snap.c) and
+//   snap_validate (cmd/snap-update-ns/bootstrap.c) with their own handcrafted
+//   validators.
+var almostValidName = regexp.MustCompile("^[a-z0-9-]*[a-z][a-z0-9-]*$")
+
+// validInstanceKey is a regular expression describing valid snap instance key
+var validInstanceKey = regexp.MustCompile("^[a-z0-9]{1,10}$")
+
+// isValidName checks snap and socket socket identifiers.
+func isValidName(name string) bool {
+	if !almostValidName.MatchString(name) {
+		return false
+	}
+	if name[0] == '-' || name[len(name)-1] == '-' || strings.Contains(name, "--") {
+		return false
+	}
+	return true
+}
+
+// ValidateInstanceName checks if a string can be used as a snap instance name.
+func ValidateInstanceName(instanceName string) error {
+	// NOTE: This function should be synchronized with the two other
+	// implementations: sc_instance_name_validate and validate_instance_name .
+	pos := strings.IndexByte(instanceName, '_')
+	if pos == -1 {
+		// just store name
+		return ValidateName(instanceName)
+	}
+
+	storeName := instanceName[:pos]
+	instanceKey := instanceName[pos+1:]
+	if err := ValidateName(storeName); err != nil {
+		return err
+	}
+	if !validInstanceKey.MatchString(instanceKey) {
+		return fmt.Errorf("invalid instance key: %q", instanceKey)
+	}
+	return nil
+}
+
 // ValidateName checks if a string can be used as a snap name.
 func ValidateName(name string) error {
 	// NOTE: This function should be synchronized with the two other
 	// implementations: sc_snap_name_validate and validate_snap_name .
-	valid := validSnapName.MatchString(name)
-	if !valid {
+	if len(name) < 2 || len(name) > 40 || !isValidName(name) {
 		return fmt.Errorf("invalid snap name: %q", name)
 	}
 	return nil
 }
 
+// Regular expression describing correct plug, slot and interface names.
+var validPlugSlotIfaceName = regexp.MustCompile("^[a-z](?:-?[a-z0-9])*$")
+
+// ValidatePlugName checks if a string can be used as a slot name.
+//
+// Slot names and plug names within one snap must have unique names.
+// This is not enforced by this function but is enforced by snap-level
+// validation.
+func ValidatePlugName(name string) error {
+	if !validPlugSlotIfaceName.MatchString(name) {
+		return fmt.Errorf("invalid plug name: %q", name)
+	}
+	return nil
+}
+
+// ValidateSlotName checks if a string can be used as a slot name.
+//
+// Slot names and plug names within one snap must have unique names.
+// This is not enforced by this function but is enforced by snap-level
+// validation.
+func ValidateSlotName(name string) error {
+	if !validPlugSlotIfaceName.MatchString(name) {
+		return fmt.Errorf("invalid slot name: %q", name)
+	}
+	return nil
+}
+
+// ValidateInterfaceName checks if a string can be used as an interface name.
+func ValidateInterfaceName(name string) error {
+	if !validPlugSlotIfaceName.MatchString(name) {
+		return fmt.Errorf("invalid interface name: %q", name)
+	}
+	return nil
+}
+
 // NB keep this in sync with snapcraft and the review tools :-)
 var isValidVersion = regexp.MustCompile("^[a-zA-Z0-9](?:[a-zA-Z0-9:.+~-]{0,30}[a-zA-Z0-9+~])?$").MatchString
 
@@ -64,7 +148,7 @@
 	if !isValidVersion(version) {
 		// maybe it was too short?
 		if len(version) == 0 {
-			return fmt.Errorf("invalid snap version: cannot be empty")
+			return errors.New("invalid snap version: cannot be empty")
 		}
 		if isNonGraphicalASCII(version) {
 			// note that while this way of quoting the version can produce ugly
@@ -127,6 +211,14 @@
 	if !valid {
 		return fmt.Errorf("invalid hook name: %q", hook.Name)
 	}
+
+	// Also validate the command chain
+	for _, value := range hook.CommandChain {
+		if !commandChainContentWhitelist.MatchString(value) {
+			return fmt.Errorf("hook command-chain contains illegal %q (legal: '%s')", value, commandChainContentWhitelist)
+		}
+	}
+
 	return nil
 }
 
@@ -144,8 +236,7 @@
 // validateSocketName checks if a string ca be used as a name for a socket (for
 // socket activation).
 func validateSocketName(name string) error {
-	valid := validSnapName.MatchString(name)
-	if !valid {
+	if !isValidName(name) {
 		return fmt.Errorf("invalid socket name: %q", name)
 	}
 	return nil
@@ -154,7 +245,7 @@
 // validateSocketmode checks that the socket mode is a valid file mode.
 func validateSocketMode(mode os.FileMode) error {
 	if mode > 0777 {
-		return fmt.Errorf("cannot use socket mode: %04o", mode)
+		return fmt.Errorf("cannot use mode: %04o", mode)
 	}
 
 	return nil
@@ -163,7 +254,7 @@
 // validateSocketAddr checks that the value of socket addresses.
 func validateSocketAddr(socket *SocketInfo, fieldName string, address string) error {
 	if address == "" {
-		return fmt.Errorf("socket %q must define %q", socket.Name, fieldName)
+		return fmt.Errorf("%q is not defined", fieldName)
 	}
 
 	switch address[0] {
@@ -178,21 +269,23 @@
 
 func validateSocketAddrPath(socket *SocketInfo, fieldName string, path string) error {
 	if clean := filepath.Clean(path); clean != path {
-		return fmt.Errorf("socket %q has invalid %q: %q should be written as %q", socket.Name, fieldName, path, clean)
+		return fmt.Errorf("invalid %q: %q should be written as %q", fieldName, path, clean)
 	}
 
 	if !(strings.HasPrefix(path, "$SNAP_DATA/") || strings.HasPrefix(path, "$SNAP_COMMON/")) {
 		return fmt.Errorf(
-			"socket %q has invalid %q: only $SNAP_DATA and $SNAP_COMMON prefixes are allowed", socket.Name, fieldName)
+			"invalid %q: must have a prefix of $SNAP_DATA or $SNAP_COMMON", fieldName)
 	}
 
 	return nil
 }
 
 func validateSocketAddrAbstract(socket *SocketInfo, fieldName string, path string) error {
-	prefix := fmt.Sprintf("@snap.%s.", socket.App.Snap.Name())
+	// this comes from snap declaration, so the prefix can only be the snap
+	// name at this point
+	prefix := fmt.Sprintf("@snap.%s.", socket.App.Snap.SnapName())
 	if !strings.HasPrefix(path, prefix) {
-		return fmt.Errorf("socket %q path for %q must be prefixed with %q", socket.Name, fieldName, prefix)
+		return fmt.Errorf("path for %q must be prefixed with %q", fieldName, prefix)
 	}
 	return nil
 }
@@ -211,19 +304,20 @@
 }
 
 func validateSocketAddrNetHost(socket *SocketInfo, fieldName string, address string) error {
-	for _, validAddress := range []string{"127.0.0.1", "[::1]", "[::]"} {
-		if address == validAddress {
+	validAddresses := []string{"127.0.0.1", "[::1]", "[::]"}
+	for _, valid := range validAddresses {
+		if address == valid {
 			return nil
 		}
 	}
 
-	return fmt.Errorf("socket %q has invalid %q address %q", socket.Name, fieldName, address)
+	return fmt.Errorf("invalid %q address %q, must be one of: %s", fieldName, address, strings.Join(validAddresses, ", "))
 }
 
 func validateSocketAddrNetPort(socket *SocketInfo, fieldName string, port string) error {
 	var val uint64
 	var err error
-	retErr := fmt.Errorf("socket %q has invalid %q port number %q", socket.Name, fieldName, port)
+	retErr := fmt.Errorf("invalid %q port number %q", fieldName, port)
 	if val, err = strconv.ParseUint(port, 10, 16); err != nil {
 		return retErr
 	}
@@ -233,14 +327,39 @@
 	return nil
 }
 
+func validateDescription(descr string) error {
+	if count := utf8.RuneCountInString(descr); count > 4096 {
+		return fmt.Errorf("description can have up to 4096 codepoints, got %d", count)
+	}
+	return nil
+}
+
+func validateTitle(title string) error {
+	if count := utf8.RuneCountInString(title); count > 40 {
+		return fmt.Errorf("title can have up to 40 codepoints, got %d", count)
+	}
+	return nil
+}
+
 // Validate verifies the content in the info.
 func Validate(info *Info) error {
-	name := info.Name()
+	name := info.InstanceName()
 	if name == "" {
-		return fmt.Errorf("snap name cannot be empty")
+		return errors.New("snap name cannot be empty")
+	}
+
+	if err := ValidateName(info.SnapName()); err != nil {
+		return err
+	}
+	if err := ValidateInstanceName(name); err != nil {
+		return err
 	}
 
-	if err := ValidateName(name); err != nil {
+	if err := validateTitle(info.Title()); err != nil {
+		return err
+	}
+
+	if err := validateDescription(info.Description()); err != nil {
 		return err
 	}
 
@@ -261,12 +380,12 @@
 	// validate app entries
 	for _, app := range info.Apps {
 		if err := ValidateApp(app); err != nil {
-			return err
+			return fmt.Errorf("invalid definition of application %q: %v", app.Name, err)
 		}
 	}
 
 	// validate apps ordering according to after/before
-	if err := validateAppOrderCycles(info.Apps); err != nil {
+	if err := validateAppOrderCycles(info.Services()); err != nil {
 		return err
 	}
 
@@ -284,7 +403,12 @@
 		}
 	}
 
-	// ensure that plug and slot have unique names
+	// Ensure that plugs and slots have appropriate names and interface names.
+	if err := plugsSlotsInterfacesNames(info); err != nil {
+		return err
+	}
+
+	// Ensure that plug and slot have unique names.
 	if err := plugsSlotsUniqueNames(info); err != nil {
 		return err
 	}
@@ -292,10 +416,15 @@
 	// validate that bases do not have base fields
 	if info.Type == TypeOS || info.Type == TypeBase {
 		if info.Base != "" {
-			return fmt.Errorf(`cannot have "base" field on %q snap %q`, info.Type, info.Name())
+			return fmt.Errorf(`cannot have "base" field on %q snap %q`, info.Type, info.InstanceName())
 		}
 	}
 
+	// ensure that common-id(s) are unique
+	if err := ValidateCommonIDs(info); err != nil {
+		return err
+	}
+
 	return ValidateLayoutAll(info)
 }
 
@@ -345,6 +474,25 @@
 	return nil
 }
 
+func plugsSlotsInterfacesNames(info *Info) error {
+	for plugName, plug := range info.Plugs {
+		if err := ValidatePlugName(plugName); err != nil {
+			return err
+		}
+		if err := ValidateInterfaceName(plug.Interface); err != nil {
+			return fmt.Errorf("invalid interface name %q for plug %q", plug.Interface, plugName)
+		}
+	}
+	for slotName, slot := range info.Slots {
+		if err := ValidateSlotName(slotName); err != nil {
+			return err
+		}
+		if err := ValidateInterfaceName(slot.Interface); err != nil {
+			return fmt.Errorf("invalid interface name %q for slot %q", slot.Interface, slotName)
+		}
+	}
+	return nil
+}
 func plugsSlotsUniqueNames(info *Info) error {
 	// we could choose the smaller collection if we wanted to optimize this check
 	for plugName := range info.Plugs {
@@ -375,61 +523,9 @@
 }
 
 // validateAppOrderCycles checks for cycles in app ordering dependencies
-func validateAppOrderCycles(apps map[string]*AppInfo) error {
-	// list of successors of given app
-	successors := make(map[string][]string, len(apps))
-	// count of predecessors (i.e. incoming edges) of given app
-	predecessors := make(map[string]int, len(apps))
-
-	for _, app := range apps {
-		for _, other := range app.After {
-			predecessors[app.Name]++
-			successors[other] = append(successors[other], app.Name)
-		}
-		for _, other := range app.Before {
-			predecessors[other]++
-			successors[app.Name] = append(successors[app.Name], other)
-		}
-	}
-
-	// list of apps without predecessors (no incoming edges)
-	queue := make([]string, 0, len(apps))
-	for _, app := range apps {
-		if predecessors[app.Name] == 0 {
-			queue = append(queue, app.Name)
-		}
-	}
-
-	// Kahn:
-	//
-	// Apps without predecessors are 'top' nodes. On each iteration, take
-	// the next 'top' node, and decrease the predecessor count of each
-	// successor app. Once that successor app has no more predecessors, take
-	// it out of the predecessors set and add it to the queue of 'top'
-	// nodes.
-	for len(queue) > 0 {
-		app := queue[0]
-		queue = queue[1:]
-		for _, successor := range successors[app] {
-			predecessors[successor]--
-			if predecessors[successor] == 0 {
-				delete(predecessors, successor)
-				queue = append(queue, successor)
-			}
-		}
-	}
-
-	if len(predecessors) != 0 {
-		// apps with predecessors unaccounted for are a part of
-		// dependency cycle
-		unsatisifed := bytes.Buffer{}
-		for name := range predecessors {
-			if unsatisifed.Len() > 0 {
-				unsatisifed.WriteString(", ")
-			}
-			unsatisifed.WriteString(name)
-		}
-		return fmt.Errorf("applications are part of a before/after cycle: %s", unsatisifed.String())
+func validateAppOrderCycles(apps []*AppInfo) error {
+	if _, err := SortServices(apps); err != nil {
+		return err
 	}
 	return nil
 }
@@ -437,51 +533,92 @@
 func validateAppOrderNames(app *AppInfo, dependencies []string) error {
 	// we must be a service to request ordering
 	if len(dependencies) > 0 && !app.IsService() {
-		return fmt.Errorf("cannot define before/after in application %q as it's not a service", app.Name)
+		return errors.New("must be a service to define before/after ordering")
 	}
 
 	for _, dep := range dependencies {
 		// dependency is not defined
 		other, ok := app.Snap.Apps[dep]
 		if !ok {
-			return fmt.Errorf("application %q refers to missing application %q in before/after",
-				app.Name, dep)
+			return fmt.Errorf("before/after references a missing application %q", dep)
 		}
 
 		if !other.IsService() {
-			return fmt.Errorf("application %q refers to non-service application %q in before/after",
-				app.Name, dep)
+			return fmt.Errorf("before/after references a non-service application %q", dep)
 		}
 	}
 	return nil
 }
 
+func validateAppWatchdog(app *AppInfo) error {
+	if app.WatchdogTimeout == 0 {
+		// no watchdog
+		return nil
+	}
+
+	if !app.IsService() {
+		return errors.New("watchdog-timeout is only applicable to services")
+	}
+
+	if app.WatchdogTimeout < 0 {
+		return errors.New("watchdog-timeout cannot be negative")
+	}
+
+	return nil
+}
+
 func validateAppTimer(app *AppInfo) error {
 	if app.Timer == nil {
 		return nil
 	}
 
 	if !app.IsService() {
-		return fmt.Errorf("cannot use timer with application %q as it's not a service", app.Name)
+		return errors.New("timer is only applicable to services")
 	}
 
 	if _, err := timeutil.ParseSchedule(app.Timer.Timer); err != nil {
-		return fmt.Errorf("application %q timer has invalid format: %v", app.Name, err)
+		return fmt.Errorf("timer has invalid format: %v", err)
 	}
 
 	return nil
 }
 
+func validateAppRestart(app *AppInfo) error {
+	// app.RestartCond value is validated when unmarshalling
+
+	if app.RestartDelay == 0 && app.RestartCond == "" {
+		return nil
+	}
+
+	if app.RestartDelay != 0 {
+		if !app.IsService() {
+			return errors.New("restart-delay is only applicable to services")
+		}
+
+		if app.RestartDelay < 0 {
+			return errors.New("restart-delay cannot be negative")
+		}
+	}
+
+	if app.RestartCond != "" {
+		if !app.IsService() {
+			return errors.New("restart-condition is only applicable to services")
+		}
+	}
+	return nil
+}
+
 // appContentWhitelist is the whitelist of legal chars in the "apps"
 // section of snap.yaml. Do not allow any of [',",`] here or snap-exec
-// will get confused.
+// will get confused. chainContentWhitelist is the same, but for the
+// command-chain, which also doesn't allow whitespace.
 var appContentWhitelist = regexp.MustCompile(`^[A-Za-z0-9/. _#:$-]*$`)
+var commandChainContentWhitelist = regexp.MustCompile(`^[A-Za-z0-9/._#:$-]*$`)
+var validAppName = regexp.MustCompile("^[a-zA-Z0-9](?:-?[a-zA-Z0-9])*$").MatchString
 
 // ValidAppName tells whether a string is a valid application name.
 func ValidAppName(n string) bool {
-	var validAppName = regexp.MustCompile("^[a-zA-Z0-9](?:-?[a-zA-Z0-9])*$")
-
-	return validAppName.MatchString(n)
+	return validAppName(n)
 }
 
 // ValidateApp verifies the content in the app info.
@@ -513,6 +650,13 @@
 		}
 	}
 
+	// Also validate the command chain
+	for _, value := range app.CommandChain {
+		if err := validateField("command-chain", value, commandChainContentWhitelist); err != nil {
+			return err
+		}
+	}
+
 	// Socket activation requires the "network-bind" plug
 	if len(app.Sockets) > 0 {
 		if _, ok := app.Plugs["network-bind"]; !ok {
@@ -521,12 +665,14 @@
 	}
 
 	for _, socket := range app.Sockets {
-		err := validateAppSocket(socket)
-		if err != nil {
-			return err
+		if err := validateAppSocket(socket); err != nil {
+			return fmt.Errorf("invalid definition of socket %q: %v", socket.Name, err)
 		}
 	}
 
+	if err := validateAppRestart(app); err != nil {
+		return err
+	}
 	if err := validateAppOrderNames(app, app.Before); err != nil {
 		return err
 	}
@@ -534,13 +680,24 @@
 		return err
 	}
 
+	if err := validateAppWatchdog(app); err != nil {
+		return err
+	}
+
+	// validate stop-mode
+	if err := app.StopMode.Validate(); err != nil {
+		return err
+	}
 	// validate refresh-mode
 	switch app.RefreshMode {
-	case "", "endure", "restart", "sigterm", "sigterm-all", "sighup", "sighup-all", "sigusr1", "sigusr1-all", "sigusr2", "sigusr2-all":
+	case "", "endure", "restart":
 		// valid
 	default:
 		return fmt.Errorf(`"refresh-mode" field contains invalid value %q`, app.RefreshMode)
 	}
+	if app.StopMode != "" && app.Daemon == "" {
+		return fmt.Errorf(`"stop-mode" cannot be used for %q, only for services`, app.Name)
+	}
 	if app.RefreshMode != "" && app.Daemon == "" {
 		return fmt.Errorf(`"refresh-mode" cannot be used for %q, only for services`, app.Name)
 	}
@@ -626,7 +783,7 @@
 	mountPoint := layout.Path
 
 	if mountPoint == "" {
-		return fmt.Errorf("layout cannot use an empty path")
+		return errors.New("layout cannot use an empty path")
 	}
 
 	if err := ValidatePathVariables(mountPoint); err != nil {
@@ -637,7 +794,7 @@
 		return fmt.Errorf("layout %q uses invalid mount point: must be absolute and clean", layout.Path)
 	}
 
-	for _, path := range []string{"/proc", "/sys", "/dev", "/run", "/boot", "/lost+found", "/media"} {
+	for _, path := range []string{"/proc", "/sys", "/dev", "/run", "/boot", "/lost+found", "/media", "/var/lib/snapd", "/var/snap"} {
 		// We use the mountedTree constraint as this has the right semantics.
 		if mountedTree(path).IsOffLimits(mountPoint) {
 			return fmt.Errorf("layout %q in an off-limits area", layout.Path)
@@ -733,3 +890,17 @@
 	}
 	return nil
 }
+
+func ValidateCommonIDs(info *Info) error {
+	seen := make(map[string]string, len(info.Apps))
+	for _, app := range info.Apps {
+		if app.CommonID != "" {
+			if other, was := seen[app.CommonID]; was {
+				return fmt.Errorf("application %q common-id %q must be unique, already used by application %q",
+					app.Name, app.CommonID, other)
+			}
+			seen[app.CommonID] = app.Name
+		}
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/snap/validate_test.go snapd-2.37~rc1~14.04/snap/validate_test.go
--- snapd-2.32.3.2~14.04/snap/validate_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/snap/validate_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,7 @@
 	"fmt"
 	"regexp"
 	"strconv"
+	"strings"
 
 	. "gopkg.in/check.v1"
 
@@ -70,10 +71,12 @@
 
 func (s *ValidateSuite) TestValidateName(c *C) {
 	validNames := []string{
-		"a", "aa", "aaa", "aaaa",
+		"aa", "aaa", "aaaa",
 		"a-a", "aa-a", "a-aa", "a-b-c",
 		"a0", "a-0", "a-0a",
 		"01game", "1-or-2",
+		// a regexp stresser
+		"u-94903713687486543234157734673284536758",
 	}
 	for _, name := range validNames {
 		err := ValidateName(name)
@@ -82,6 +85,16 @@
 	invalidNames := []string{
 		// name cannot be empty
 		"",
+		// too short (min 2 chars)
+		"a",
+		// names cannot be too long
+		"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+		"xxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx",
+		"1111111111111111111111111111111111111111x",
+		"x1111111111111111111111111111111111111111",
+		"x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x",
+		// a regexp stresser
+		"u-9490371368748654323415773467328453675-",
 		// dashes alone are not a name
 		"-", "--",
 		// double dashes in a name are not allowed
@@ -101,6 +114,50 @@
 	}
 }
 
+func (s *ValidateSuite) TestValidateInstanceName(c *C) {
+	validNames := []string{
+		// plain names are also valid instance names
+		"aa", "aaa", "aaaa",
+		"a-a", "aa-a", "a-aa", "a-b-c",
+		// snap instance
+		"foo_bar",
+		"foo_0123456789",
+		"01game_0123456789",
+		"foo_1", "foo_1234abcd",
+	}
+	for _, name := range validNames {
+		err := ValidateInstanceName(name)
+		c.Assert(err, IsNil)
+	}
+	invalidNames := []string{
+		// invalid names are also invalid instance names, just a few
+		// samples
+		"",
+		"a",
+		"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+		"xxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxx",
+		"a--a",
+		"a-",
+		"a ", " a", "a a",
+		"_",
+		"ру́сский_язы́к",
+	}
+	for _, name := range invalidNames {
+		err := ValidateInstanceName(name)
+		c.Assert(err, ErrorMatches, `invalid snap name: ".*"`)
+	}
+	invalidInstanceKeys := []string{
+		// the snap names are valid, but instance keys are not
+		"foo_", "foo_1-23", "foo_01234567890", "foo_123_456",
+		"foo__bar",
+	}
+	for _, name := range invalidInstanceKeys {
+		err := ValidateInstanceName(name)
+		c.Assert(err, ErrorMatches, `invalid instance key: ".*"`)
+	}
+
+}
+
 func (s *ValidateSuite) TestValidateVersion(c *C) {
 	validVersions := []string{
 		"0", "v1.0", "0.12+16.04.20160126-0ubuntu1",
@@ -170,6 +227,7 @@
 		{Name: "aa-a"},
 		{Name: "a-aa"},
 		{Name: "a-b-c"},
+		{Name: "valid", CommandChain: []string{"valid"}},
 	}
 	for _, hook := range validHooks {
 		err := ValidateHook(hook)
@@ -190,6 +248,14 @@
 		err := ValidateHook(hook)
 		c.Assert(err, ErrorMatches, `invalid hook name: ".*"`)
 	}
+	invalidHooks = []*HookInfo{
+		{Name: "valid", CommandChain: []string{"in'valid"}},
+		{Name: "valid", CommandChain: []string{"in valid"}},
+	}
+	for _, hook := range invalidHooks {
+		err := ValidateHook(hook)
+		c.Assert(err, ErrorMatches, `hook command-chain contains illegal.*`)
+	}
 }
 
 // ValidateApp
@@ -227,7 +293,7 @@
 	app := createSampleApp()
 	app.Sockets["sock"].SocketMode = 1234
 	err := ValidateApp(app)
-	c.Assert(err, ErrorMatches, `cannot use socket mode: 2322`)
+	c.Assert(err, ErrorMatches, `invalid definition of socket "sock": cannot use mode: 2322`)
 }
 
 func (s *ValidateSuite) TestValidateAppSocketsMissingNetworkBindPlug(c *C) {
@@ -243,14 +309,14 @@
 	app := createSampleApp()
 	app.Sockets["sock"].ListenStream = ""
 	err := ValidateApp(app)
-	c.Assert(err, ErrorMatches, `socket "sock" must define "listen-stream"`)
+	c.Assert(err, ErrorMatches, `invalid definition of socket "sock": "listen-stream" is not defined`)
 }
 
 func (s *ValidateSuite) TestValidateAppSocketsInvalidName(c *C) {
 	app := createSampleApp()
 	app.Sockets["sock"].Name = "invalid name"
 	err := ValidateApp(app)
-	c.Assert(err, ErrorMatches, `invalid socket name: "invalid name"`)
+	c.Assert(err, ErrorMatches, `invalid definition of socket "invalid name": invalid socket name: "invalid name"`)
 }
 
 func (s *ValidateSuite) TestValidateAppSocketsValidListenStreamAddresses(c *C) {
@@ -289,7 +355,7 @@
 	for _, invalidAddress := range invalidListenAddresses {
 		socket.ListenStream = invalidAddress
 		err := ValidateApp(app)
-		c.Assert(err, ErrorMatches, `socket "sock" has invalid "listen-stream": only.*are allowed`)
+		c.Assert(err, ErrorMatches, `invalid definition of socket "sock": invalid "listen-stream": must have a prefix of .*`)
 	}
 }
 
@@ -299,7 +365,7 @@
 	err := ValidateApp(app)
 	c.Assert(
 		err, ErrorMatches,
-		`socket "sock" has invalid "listen-stream": "\$SNAP/../some.path" should be written as "some.path"`)
+		`invalid definition of socket "sock": invalid "listen-stream": "\$SNAP/../some.path" should be written as "some.path"`)
 }
 
 func (s *ValidateSuite) TestValidateAppSocketsInvalidListenStreamPathPrefix(c *C) {
@@ -314,7 +380,7 @@
 		err := ValidateApp(app)
 		c.Assert(
 			err, ErrorMatches,
-			`socket "sock" has invalid "listen-stream": only \$SNAP_DATA and \$SNAP_COMMON prefixes are allowed`)
+			`invalid definition of socket "sock": invalid "listen-stream": must have a prefix of \$SNAP_DATA or \$SNAP_COMMON`)
 	}
 }
 
@@ -331,7 +397,7 @@
 	for _, invalidAddress := range invalidListenAddresses {
 		socket.ListenStream = invalidAddress
 		err := ValidateApp(app)
-		c.Assert(err, ErrorMatches, `socket "sock" path for "listen-stream" must be prefixed with.*`)
+		c.Assert(err, ErrorMatches, `invalid definition of socket "sock": path for "listen-stream" must be prefixed with.*`)
 	}
 }
 
@@ -347,7 +413,7 @@
 	for _, invalidAddress := range invalidListenAddresses {
 		socket.ListenStream = invalidAddress
 		err := ValidateApp(app)
-		c.Assert(err, ErrorMatches, `socket "sock" has invalid "listen-stream" address.*`)
+		c.Assert(err, ErrorMatches, `invalid definition of socket "sock": invalid "listen-stream" address ".*", must be one of: 127\.0\.0\.1, \[::1\], \[::\]`)
 	}
 }
 
@@ -367,7 +433,7 @@
 	for _, invalidPort := range invalidPorts {
 		socket.ListenStream = invalidPort
 		err := ValidateApp(app)
-		c.Assert(err, ErrorMatches, `socket "sock" has invalid "listen-stream" port number.*`)
+		c.Assert(err, ErrorMatches, `invalid definition of socket "sock": invalid "listen-stream" port number.*`)
 	}
 }
 
@@ -386,10 +452,13 @@
 func (s *ValidateSuite) TestAppWhitelistIllegal(c *C) {
 	c.Check(ValidateApp(&AppInfo{Name: "x\n"}), NotNil)
 	c.Check(ValidateApp(&AppInfo{Name: "test!me"}), NotNil)
+	c.Check(ValidateApp(&AppInfo{Name: "test'me"}), NotNil)
 	c.Check(ValidateApp(&AppInfo{Name: "foo", Command: "foo\n"}), NotNil)
 	c.Check(ValidateApp(&AppInfo{Name: "foo", StopCommand: "foo\n"}), NotNil)
 	c.Check(ValidateApp(&AppInfo{Name: "foo", PostStopCommand: "foo\n"}), NotNil)
 	c.Check(ValidateApp(&AppInfo{Name: "foo", BusName: "foo\n"}), NotNil)
+	c.Check(ValidateApp(&AppInfo{Name: "foo", CommandChain: []string{"bar'baz"}}), NotNil)
+	c.Check(ValidateApp(&AppInfo{Name: "foo", CommandChain: []string{"bar baz"}}), NotNil)
 }
 
 func (s *ValidateSuite) TestAppDaemonValue(c *C) {
@@ -415,16 +484,14 @@
 	}
 }
 
-func (s *ValidateSuite) TestAppRefreshMode(c *C) {
+func (s *ValidateSuite) TestAppStopMode(c *C) {
 	// check services
 	for _, t := range []struct {
-		refresh string
-		ok      bool
+		stopMode StopModeType
+		ok       bool
 	}{
 		// good
 		{"", true},
-		{"endure", true},
-		{"restart", true},
 		{"sigterm", true},
 		{"sigterm-all", true},
 		{"sighup", true},
@@ -437,9 +504,34 @@
 		{"invalid-thing", false},
 	} {
 		if t.ok {
-			c.Check(ValidateApp(&AppInfo{Name: "foo", Daemon: "simple", RefreshMode: t.refresh}), IsNil)
+			c.Check(ValidateApp(&AppInfo{Name: "foo", Daemon: "simple", StopMode: t.stopMode}), IsNil)
 		} else {
-			c.Check(ValidateApp(&AppInfo{Name: "foo", Daemon: "simple", RefreshMode: t.refresh}), ErrorMatches, fmt.Sprintf(`"refresh-mode" field contains invalid value %q`, t.refresh))
+			c.Check(ValidateApp(&AppInfo{Name: "foo", Daemon: "simple", StopMode: t.stopMode}), ErrorMatches, fmt.Sprintf(`"stop-mode" field contains invalid value %q`, t.stopMode))
+		}
+	}
+
+	// non-services cannot have a stop-mode
+	err := ValidateApp(&AppInfo{Name: "foo", Daemon: "", StopMode: "sigterm"})
+	c.Check(err, ErrorMatches, `"stop-mode" cannot be used for "foo", only for services`)
+}
+
+func (s *ValidateSuite) TestAppRefreshMode(c *C) {
+	// check services
+	for _, t := range []struct {
+		refreshMode string
+		ok          bool
+	}{
+		// good
+		{"", true},
+		{"endure", true},
+		{"restart", true},
+		// bad
+		{"invalid-thing", false},
+	} {
+		if t.ok {
+			c.Check(ValidateApp(&AppInfo{Name: "foo", Daemon: "simple", RefreshMode: t.refreshMode}), IsNil)
+		} else {
+			c.Check(ValidateApp(&AppInfo{Name: "foo", Daemon: "simple", RefreshMode: t.refreshMode}), ErrorMatches, fmt.Sprintf(`"refresh-mode" field contains invalid value %q`, t.refreshMode))
 		}
 	}
 
@@ -607,6 +699,58 @@
 	}
 }
 
+func (s *ValidateSuite) TestValidatePlugSlotName(c *C) {
+	const yaml1 = `
+name: invalid-plugs
+version: 1
+plugs:
+  p--lug: null
+`
+	info, err := InfoFromSnapYamlWithSideInfo([]byte(yaml1), nil)
+	c.Assert(err, IsNil)
+	c.Assert(info.Plugs, HasLen, 1)
+	err = Validate(info)
+	c.Assert(err, ErrorMatches, `invalid plug name: "p--lug"`)
+
+	const yaml2 = `
+name: invalid-slots
+version: 1
+slots:
+  s--lot: null
+`
+	info, err = InfoFromSnapYamlWithSideInfo([]byte(yaml2), nil)
+	c.Assert(err, IsNil)
+	c.Assert(info.Slots, HasLen, 1)
+	err = Validate(info)
+	c.Assert(err, ErrorMatches, `invalid slot name: "s--lot"`)
+
+	const yaml3 = `
+name: invalid-plugs-iface
+version: 1
+plugs:
+  plug:
+    interface: i--face
+`
+	info, err = InfoFromSnapYamlWithSideInfo([]byte(yaml3), nil)
+	c.Assert(err, IsNil)
+	c.Assert(info.Plugs, HasLen, 1)
+	err = Validate(info)
+	c.Assert(err, ErrorMatches, `invalid interface name "i--face" for plug "plug"`)
+
+	const yaml4 = `
+name: invalid-slots-iface
+version: 1
+slots:
+  slot:
+    interface: i--face
+`
+	info, err = InfoFromSnapYamlWithSideInfo([]byte(yaml4), nil)
+	c.Assert(err, IsNil)
+	c.Assert(info.Slots, HasLen, 1)
+	err = Validate(info)
+	c.Assert(err, ErrorMatches, `invalid interface name "i--face" for slot "slot"`)
+}
+
 type testConstraint string
 
 func (constraint testConstraint) IsOffLimits(path string) bool {
@@ -669,6 +813,12 @@
 		ErrorMatches, `layout "/lost\+found" in an off-limits area`)
 	c.Check(ValidateLayout(&Layout{Snap: si, Path: "/media", Type: "tmpfs"}, nil),
 		ErrorMatches, `layout "/media" in an off-limits area`)
+	c.Check(ValidateLayout(&Layout{Snap: si, Path: "/var/snap", Type: "tmpfs"}, nil),
+		ErrorMatches, `layout "/var/snap" in an off-limits area`)
+	c.Check(ValidateLayout(&Layout{Snap: si, Path: "/var/lib/snapd", Type: "tmpfs"}, nil),
+		ErrorMatches, `layout "/var/lib/snapd" in an off-limits area`)
+	c.Check(ValidateLayout(&Layout{Snap: si, Path: "/var/lib/snapd/hostfs", Type: "tmpfs"}, nil),
+		ErrorMatches, `layout "/var/lib/snapd/hostfs" in an off-limits area`)
 
 	// Several valid layouts.
 	c.Check(ValidateLayout(&Layout{Snap: si, Path: "/foo", Type: "tmpfs", Mode: 01755}, nil), IsNil)
@@ -1060,19 +1210,19 @@
 	}{{
 		name: "foo after baz",
 		desc: fooAfterBaz,
-		err:  `application "foo" refers to missing application "baz" in before/after`,
+		err:  `invalid definition of application "foo": before/after references a missing application "baz"`,
 	}, {
 		name: "foo before baz",
 		desc: fooBeforeBaz,
-		err:  `application "foo" refers to missing application "baz" in before/after`,
+		err:  `invalid definition of application "foo": before/after references a missing application "baz"`,
 	}, {
 		name: "foo not a daemon",
 		desc: fooNotADaemon,
-		err:  `cannot define before/after in application "foo" as it's not a service`,
+		err:  `invalid definition of application "foo": must be a service to define before/after ordering`,
 	}, {
 		name: "foo wants bar, bar not a daemon",
 		desc: fooBarNotADaemon,
-		err:  `application "foo" refers to non-service application "bar" in before/after`,
+		err:  `invalid definition of application "foo": before/after references a non-service application "bar"`,
 	}, {
 		name: "bad order 1",
 		desc: badOrder1,
@@ -1110,6 +1260,61 @@
 	}
 }
 
+func (s *ValidateSuite) TestValidateAppWatchdog(c *C) {
+	meta := []byte(`
+name: foo
+version: 1.0
+`)
+	fooAllGood := []byte(`
+apps:
+  foo:
+    daemon: simple
+    watchdog-timeout: 12s
+`)
+	fooNotADaemon := []byte(`
+apps:
+  foo:
+    watchdog-timeout: 12s
+`)
+
+	fooNegative := []byte(`
+apps:
+  foo:
+    daemon: simple
+    watchdog-timeout: -12s
+`)
+
+	tcs := []struct {
+		name string
+		desc []byte
+		err  string
+	}{{
+		name: "foo all good",
+		desc: fooAllGood,
+	}, {
+		name: "foo not a service",
+		desc: fooNotADaemon,
+		err:  `watchdog-timeout is only applicable to services`,
+	}, {
+		name: "negative timeout",
+		desc: fooNegative,
+		err:  `watchdog-timeout cannot be negative`,
+	}}
+	for _, tc := range tcs {
+		c.Logf("trying %q", tc.name)
+		info, err := InfoFromSnapYaml(append(meta, tc.desc...))
+		c.Assert(err, IsNil)
+		c.Assert(info, NotNil)
+
+		err = Validate(info)
+		if tc.err != "" {
+			c.Assert(err, ErrorMatches, `invalid definition of application "foo": `+tc.err)
+		} else {
+			c.Assert(err, IsNil)
+		}
+	}
+}
+
 func (s *YamlSuite) TestValidateAppTimer(c *C) {
 	meta := []byte(`
 name: foo
@@ -1143,11 +1348,11 @@
 	}, {
 		name: "not a service",
 		desc: notAService,
-		err:  `cannot use timer with application "foo" as it's not a service`,
+		err:  `timer is only applicable to services`,
 	}, {
 		name: "invalid timer",
 		desc: badTimer,
-		err:  `application "foo" timer has invalid format: cannot parse "mon2-wed3": invalid schedule fragment`,
+		err:  `timer has invalid format: cannot parse "mon2-wed3": invalid schedule fragment`,
 	}}
 	for _, tc := range tcs {
 		c.Logf("trying %q", tc.name)
@@ -1156,7 +1361,7 @@
 
 		err = Validate(info)
 		if tc.err != "" {
-			c.Assert(err, ErrorMatches, tc.err)
+			c.Assert(err, ErrorMatches, `invalid definition of application "foo": `+tc.err)
 		} else {
 			c.Assert(err, IsNil)
 		}
@@ -1186,3 +1391,206 @@
 	err = Validate(info)
 	c.Check(err, ErrorMatches, `cannot have "base" field on "base" snap "foo"`)
 }
+
+func (s *ValidateSuite) TestValidateCommonIDs(c *C) {
+	meta := `
+name: foo
+version: 1.0
+`
+	good := meta + `
+apps:
+  foo:
+    common-id: org.foo.foo
+  bar:
+    common-id: org.foo.bar
+  baz:
+`
+	bad := meta + `
+apps:
+  foo:
+    common-id: org.foo.foo
+  bar:
+    common-id: org.foo.foo
+  baz:
+`
+	for i, tc := range []struct {
+		meta string
+		err  string
+	}{
+		{good, ""},
+		{bad, `application ("bar" common-id "org.foo.foo" must be unique, already used by application "foo"|"foo" common-id "org.foo.foo" must be unique, already used by application "bar")`},
+	} {
+		c.Logf("tc #%v", i)
+		info, err := InfoFromSnapYaml([]byte(tc.meta))
+		c.Assert(err, IsNil)
+
+		err = Validate(info)
+		if tc.err == "" {
+			c.Assert(err, IsNil)
+		} else {
+			c.Assert(err, NotNil)
+			c.Check(err, ErrorMatches, tc.err)
+		}
+	}
+}
+
+func (s *validateSuite) TestValidateDescription(c *C) {
+	for _, s := range []string{
+		"xx", // boringest ASCII
+		"🐧🐧", // len("🐧🐧") == 8
+		"á", // á (combining)
+	} {
+		c.Check(ValidateDescription(s), IsNil)
+		c.Check(ValidateDescription(strings.Repeat(s, 2049)), ErrorMatches, `description can have up to 4096 codepoints, got 4098`)
+		c.Check(ValidateDescription(strings.Repeat(s, 2048)), IsNil)
+	}
+}
+
+func (s *validateSuite) TestValidateTitle(c *C) {
+	for _, s := range []string{
+		"xx", // boringest ASCII
+		"🐧🐧", // len("🐧🐧") == 8
+		"á", // á (combining)
+	} {
+		c.Check(ValidateTitle(strings.Repeat(s, 21)), ErrorMatches, `title can have up to 40 codepoints, got 42`)
+		c.Check(ValidateTitle(strings.Repeat(s, 20)), IsNil)
+	}
+}
+
+func (s *validateSuite) TestValidatePlugSlotName(c *C) {
+	validNames := []string{
+		"a", "aa", "aaa", "aaaa",
+		"a-a", "aa-a", "a-aa", "a-b-c",
+		"a0", "a-0", "a-0a",
+	}
+	for _, name := range validNames {
+		c.Assert(ValidatePlugName(name), IsNil)
+		c.Assert(ValidateSlotName(name), IsNil)
+		c.Assert(ValidateInterfaceName(name), IsNil)
+	}
+	invalidNames := []string{
+		// name cannot be empty
+		"",
+		// dashes alone are not a name
+		"-", "--",
+		// double dashes in a name are not allowed
+		"a--a",
+		// name should not end with a dash
+		"a-",
+		// name cannot have any spaces in it
+		"a ", " a", "a a",
+		// a number alone is not a name
+		"0", "123",
+		// identifier must be plain ASCII
+		"日本語", "한글", "ру́сский язы́к",
+	}
+	for _, name := range invalidNames {
+		c.Assert(ValidatePlugName(name), ErrorMatches, `invalid plug name: ".*"`)
+		c.Assert(ValidateSlotName(name), ErrorMatches, `invalid slot name: ".*"`)
+		c.Assert(ValidateInterfaceName(name), ErrorMatches, `invalid interface name: ".*"`)
+	}
+}
+
+func (s *ValidateSuite) TestValidateSnapInstanceNameBadSnapName(c *C) {
+	info, err := InfoFromSnapYaml([]byte(`name: foo_bad
+version: 1.0
+`))
+	c.Assert(err, IsNil)
+
+	err = Validate(info)
+	c.Check(err, ErrorMatches, `invalid snap name: "foo_bad"`)
+}
+
+func (s *ValidateSuite) TestValidateSnapInstanceNameBadInstanceKey(c *C) {
+	info, err := InfoFromSnapYaml([]byte(`name: foo
+version: 1.0
+`))
+	c.Assert(err, IsNil)
+
+	for _, s := range []string{"toolonginstance", "ABCD", "_", "inst@nce", "012345678901"} {
+		info.InstanceKey = s
+		err = Validate(info)
+		c.Check(err, ErrorMatches, fmt.Sprintf(`invalid instance key: %q`, s))
+	}
+}
+
+func (s *ValidateSuite) TestValidateAppRestart(c *C) {
+	meta := []byte(`
+name: foo
+version: 1.0
+`)
+	fooAllGood := []byte(`
+apps:
+  foo:
+    daemon: simple
+    restart-condition: on-abort
+    restart-delay: 12s
+`)
+	fooAllGoodDefault := []byte(`
+apps:
+  foo:
+    daemon: simple
+`)
+	fooAllGoodJustDelay := []byte(`
+apps:
+  foo:
+    daemon: simple
+    restart-delay: 12s
+`)
+	fooConditionNotADaemon := []byte(`
+apps:
+  foo:
+    restart-condition: on-abort
+`)
+	fooDelayNotADaemon := []byte(`
+apps:
+  foo:
+    restart-delay: 12s
+`)
+	fooNegativeDelay := []byte(`
+apps:
+  foo:
+    daemon: simple
+    restart-delay: -12s
+`)
+
+	tcs := []struct {
+		name string
+		desc []byte
+		err  string
+	}{{
+		name: "foo all good",
+		desc: fooAllGood,
+	}, {
+		name: "foo all good with default values",
+		desc: fooAllGoodDefault,
+	}, {
+		name: "foo all good with restart-delay only",
+		desc: fooAllGoodJustDelay,
+	}, {
+		name: "foo restart-delay but not a service",
+		desc: fooDelayNotADaemon,
+		err:  `restart-delay is only applicable to services`,
+	}, {
+		name: "foo restart-delay but not a service",
+		desc: fooConditionNotADaemon,
+		err:  `restart-condition is only applicable to services`,
+	}, {
+		name: "negative restart-delay",
+		desc: fooNegativeDelay,
+		err:  `restart-delay cannot be negative`,
+	}}
+	for _, tc := range tcs {
+		c.Logf("trying %q", tc.name)
+		info, err := InfoFromSnapYaml(append(meta, tc.desc...))
+		c.Assert(err, IsNil)
+		c.Assert(info, NotNil)
+
+		err = Validate(info)
+		if tc.err != "" {
+			c.Assert(err, ErrorMatches, `invalid definition of application "foo": `+tc.err)
+		} else {
+			c.Assert(err, IsNil)
+		}
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/snapcraft.yaml snapd-2.37~rc1~14.04/snapcraft.yaml
--- snapd-2.32.3.2~14.04/snapcraft.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/snapcraft.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+name: snapd
+summary: Daemon and tooling that enable snap packages
+description: |
+ Install, configure, refresh and remove snap packages. Snaps are
+ 'universal' packages that work across many different Linux systems,
+ enabling secure distribution of the latest apps and utilities for
+ cloud, servers, desktops and the internet of things.
+ 
+ Start with 'snap list' to see installed snaps.
+version: set-by-version-script-thxbye
+version-script: |
+  ./mkversion.sh --output-only
+#FIXME: enable once snapcraft understands this
+#type: snapd
+grade: stable
+
+parts:
+  snapd:
+    # FIXME: this should probably go upstream
+    plugin: x-builddeb
+    source: .
+
+# Note that this snap is unusual in that it has no "apps" section.
+#
+# It is started via re-exec on classic systems and via special
+# handling in the core18 snap on Ubuntu Core Systems.
+#
+# Because snapd itself manages snaps it must currently run totally
+# unconfined (even devmode is not enough).
+#
+# See the comments from jdstrand in
+# https://forum.snapcraft.io/t/5547/10
diff -Nru snapd-2.32.3.2~14.04/spdx/licenses.go snapd-2.37~rc1~14.04/spdx/licenses.go
--- snapd-2.32.3.2~14.04/spdx/licenses.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/spdx/licenses.go	2019-01-16 08:36:51.000000000 +0000
@@ -484,7 +484,6 @@
 
 	// FIXME: non SPDX licenses that the snapstore uses
 	"Proprietary",
-	"Other Open Source",
 }
 
 // from https://www.google.com/url?q=https://docs.google.com/a/s.sfusd.edu/document/d/1wE_zvLU4c291ACi9wIJmQoE4ltKRW4rzM1TYiIvEVOs/edit?pli%3D1%23heading%3Dh.ruv3yl8g6czd&sa=D&ust=1473291615601000&usg=AFQjCNFyLcPLdEarX1TOesGWxg9Afb57mA
diff -Nru snapd-2.32.3.2~14.04/spdx/parser.go snapd-2.37~rc1~14.04/spdx/parser.go
--- snapd-2.32.3.2~14.04/spdx/parser.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/spdx/parser.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,13 +25,11 @@
 	"strings"
 )
 
-type operator string
-
 const (
-	opUNSET operator = ""
-	opAND            = "AND"
-	opOR             = "OR"
-	opWITH           = "WITH"
+	opUNSET = ""
+	opAND   = "AND"
+	opOR    = "OR"
+	opWITH  = "WITH"
 )
 
 func isOperator(tok string) bool {
diff -Nru snapd-2.32.3.2~14.04/spread-shellcheck snapd-2.37~rc1~14.04/spread-shellcheck
--- snapd-2.32.3.2~14.04/spread-shellcheck	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/spread-shellcheck	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,253 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2018 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import logging
+import os
+import subprocess
+import argparse
+from concurrent.futures import ThreadPoolExecutor
+from multiprocessing import cpu_count
+
+import yaml
+
+
+# default shell for shellcheck
+SHELLCHECK_SHELL = os.getenv('SHELLCHECK_SHELL', 'bash')
+# set to non-empty to ignore all errors
+NO_FAIL = os.getenv('NO_FAIL')
+# set to non empty to enable 'set -x'
+D = os.getenv('D')
+# set to non-empty to enable verbose logging
+V = os.getenv('V')
+# set to a number to use these many threads
+N = int(os.getenv('N') or cpu_count())
+# file with list of files that can fail validation
+CAN_FAIL = os.getenv('CAN_FAIL')
+
+# names of sections
+SECTIONS = ['prepare', 'prepare-each', 'restore', 'restore-each',
+            'debug', 'debug-each', 'execute', 'repack']
+
+
+def parse_arguments():
+    parser = argparse.ArgumentParser(description='spread shellcheck helper')
+    parser.add_argument('-s', '--shell', default='bash',
+                        help='shell')
+    parser.add_argument('-n', '--no-errors', action='store_true',
+                        default=False, help='ignore all errors ')
+    parser.add_argument('-v', '--verbose', action='store_true',
+                        default=False, help='verbose logging')
+    parser.add_argument('--can-fail', default=None,
+                        help=('file with list of files that are can fail '
+                              'validation'))
+    parser.add_argument('-P', '--max-procs', default=N, type=int, metavar='N',
+                        help='run these many shellchecks in parallel (default: %(default)s)')
+    parser.add_argument('paths', nargs='+', help='paths to check')
+    return parser.parse_args()
+
+
+class ShellcheckRunError(Exception):
+    def __init__(self, stderr):
+        super().__init__()
+        self.stderr = stderr
+
+
+class ShellcheckError(Exception):
+    def __init__(self, path):
+        super().__init__()
+        self.sectionerrors = {}
+        self.path = path
+
+    def addfailure(self, section, error):
+        self.sectionerrors[section] = error
+
+    def __len__(self):
+        return len(self.sectionerrors)
+
+
+class ShellcheckFailures(Exception):
+    def __init__(self, failures=None):
+        super().__init__()
+        self.failures = set()
+        if failures:
+            self.failures = set(failures)
+
+    def merge(self, otherfailures):
+        self.failures = self.failures.union(otherfailures.failures)
+
+    def __len__(self):
+        return len(self.failures)
+
+    def intersection(self, other):
+        return self.failures.intersection(other)
+
+    def difference(self, other):
+        return self.failures.difference(other)
+
+    def __iter__(self):
+        return iter(self.failures)
+
+
+def checksection(data):
+    # spread shell snippets are executed under 'set -e' shell, make sure
+    # shellcheck knows about that
+    data = 'set -e\n' + data
+    proc = subprocess.Popen("shellcheck -s {} -x -".format(SHELLCHECK_SHELL),
+                            stdout=subprocess.PIPE,
+                            stdin=subprocess.PIPE,
+                            shell=True)
+    stdout, _ = proc.communicate(input=data.encode('utf-8'), timeout=10)
+    if proc.returncode != 0:
+        raise ShellcheckRunError(stdout)
+
+
+def checkfile(path):
+    logging.debug("checking file %s", path)
+    with open(path) as inf:
+        data = yaml.load(inf)
+
+    errors = ShellcheckError(path)
+
+    for section in SECTIONS:
+        if section not in data:
+            continue
+
+        try:
+            logging.debug("%s: checking section %s", path, section)
+            checksection(data[section])
+        except ShellcheckRunError as serr:
+            errors.addfailure(section, serr.stderr.decode('utf-8'))
+
+    if path.endswith('spread.yaml') and 'suites' in data:
+        # check suites
+        for suite in data['suites'].keys():
+            for section in SECTIONS:
+                if section not in data['suites'][suite]:
+                    continue
+                try:
+                    logging.debug("%s (suite %s): checking section %s", path, suite, section)
+                    checksection(data['suites'][suite][section])
+                except ShellcheckRunError as serr:
+                    errors.addfailure('suites/' + suite + '/' + section,
+                                      serr.stderr.decode('utf-8'))
+
+    if errors:
+        raise errors
+
+
+def findfiles(indir):
+    for root, _, files in os.walk(indir, topdown=True):
+        for name in files:
+            if name in ['spread.yaml', 'task.yaml']:
+                yield os.path.join(root, name)
+
+
+def checkpath(loc, max_workers):
+    if os.path.isdir(loc):
+        # setup iterator
+        locations = findfiles(loc)
+    else:
+        locations = [loc]
+
+    failed = []
+
+    def check1path(path):
+        try:
+            checkfile(path)
+        except ShellcheckError as err:
+            return err
+        return None
+
+    with ThreadPoolExecutor(max_workers=max_workers) as executor:
+        for serr in executor.map(check1path, locations):
+            if serr is None:
+                continue
+            logging.error(('shellcheck failed for file %s in sections: '
+                           '%s; error log follows'),
+                          serr.path, ', '.join(serr.sectionerrors.keys()))
+            for section, error in serr.sectionerrors.items():
+                logging.error("%s: section '%s':\n%s", serr.path, section, error)
+            failed.append(serr.path)
+
+    if failed:
+        raise ShellcheckFailures(failures=failed)
+
+
+def loadfilelist(flistpath):
+    flist = set()
+    with open(flistpath) as inf:
+        for line in inf:
+            if not line.startswith('#'):
+                flist.add(line.strip())
+    return flist
+
+
+def main(opts):
+    paths = opts.paths or ['.']
+    failures = ShellcheckFailures()
+    for pth in paths:
+        try:
+            checkpath(pth, opts.max_procs)
+        except ShellcheckFailures as sf:
+            failures.merge(sf)
+
+    if failures:
+        if opts.can_fail:
+            can_fail = loadfilelist(opts.can_fail)
+
+            unexpected = failures.difference(can_fail)
+            if unexpected:
+                logging.error(('validation failed for the following '
+                               'non-whitelisted files:\n%s'),
+                              '\n'.join([' - ' + f for f in
+                                         sorted(unexpected)]))
+                raise SystemExit(1)
+
+            did_not_fail = can_fail - failures.intersection(can_fail)
+            if did_not_fail:
+                logging.error(('the following files are whitelisted '
+                               'but validated successfully:\n%s'),
+                              '\n'.join([' - ' + f for f in
+                                         sorted(did_not_fail)]))
+                raise SystemExit(1)
+
+            # no unexpected failures
+            return
+
+        logging.error('validation failed for the following files:\n%s',
+                      '\n'.join([' - ' + f for f in sorted(failures)]))
+
+        if NO_FAIL or opts.no_errors:
+            logging.warning("ignoring errors")
+        else:
+            raise SystemExit(1)
+
+
+if __name__ == '__main__':
+    opts = parse_arguments()
+    if opts.verbose or D or V:
+        lvl = logging.DEBUG
+    else:
+        lvl = logging.INFO
+    logging.basicConfig(level=lvl)
+
+    if CAN_FAIL:
+        opts.can_fail = CAN_FAIL
+
+    if NO_FAIL:
+        opts.no_errors = True
+
+    main(opts)
diff -Nru snapd-2.32.3.2~14.04/spread.yaml snapd-2.37~rc1~14.04/spread.yaml
--- snapd-2.32.3.2~14.04/spread.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/spread.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -21,8 +21,8 @@
     SPREAD_STORE_EXPIRED_MACAROON: "$(HOST: echo $SPREAD_STORE_EXPIRED_MACAROON)"
     SPREAD_STORE_EXPIRED_DISCHARGE: "$(HOST: echo $SPREAD_STORE_EXPIRED_DISCHARGE)"
     SPREAD_DEBUG_EACH: "$(HOST: echo ${SPREAD_DEBUG_EACH:-1})"
-    LANG: "$(echo ${LANG:-C.UTF-8})"
-    LANGUAGE: "$(echo ${LANGUAGE:-en})"
+    LANG: "C.UTF-8"
+    LANGUAGE: "en"
     # important to ensure adhoc and linode/qemu behave the same
     SUDO_USER: ""
     SUDO_UID: ""
@@ -31,9 +31,10 @@
     CORE_CHANNEL: "$(HOST: echo ${SPREAD_CORE_CHANNEL:-edge})"
     KERNEL_CHANNEL: "$(HOST: echo ${SPREAD_KERNEL_CHANNEL:-edge})"
     GADGET_CHANNEL: "$(HOST: echo ${SPREAD_GADGET_CHANNEL:-edge})"
+    SNAPD_CHANNEL: "$(HOST: echo ${SPREAD_SNAPD_CHANNEL:-edge})"
     REMOTE_STORE: "$(HOST: echo ${SPREAD_REMOTE_STORE:-production})"
     SNAPPY_USE_STAGING_STORE: "$(HOST: if [ $SPREAD_REMOTE_STORE = staging ]; then echo 1; else echo 0; fi)"
-    DELTA_REF: 2.29
+    DELTA_REF: 2.32.5
     DELTA_PREFIX: snapd-$DELTA_REF/
     SNAPD_PUBLISHED_VERSION: "$(HOST: echo $SPREAD_SNAPD_PUBLISHED_VERSION)"
     HTTP_PROXY: "$(HOST: echo $SPREAD_HTTP_PROXY)"
@@ -42,57 +43,120 @@
     NEW_CORE_CHANNEL: "$(HOST: echo $SPREAD_NEW_CORE_CHANNEL)"
     SRU_VALIDATION: "$(HOST: echo ${SPREAD_SRU_VALIDATION:-0})"
     PRE_CACHE_SNAPS: core ubuntu-core test-snapd-tools
+    # always skip removing the rsync snap
+    SKIP_REMOVE_SNAPS: "$(HOST: echo ${SPREAD_SKIP_REMOVE_SNAPS:-}) test-snapd-rsync test-snapd-rsync-core18"
 
 backends:
-    linode:
-        key: "$(HOST: echo $SPREAD_LINODE_KEY)"
-        plan: 4GB
-        location: Fremont
+    google:
+        key: "$(HOST: echo $SPREAD_GOOGLE_KEY)"
+        location: computeengine/us-east1-b
         halt-timeout: 2h
-        environment:
-            # Using proxy can help to accelerate testing in local conditions
-            # but it is unlikely anyone has a proxy that is addressable from
-            # Linode network. As such, don't honor host's SPREAD_HTTP_PROXY
-            # that was set globally above.
-            HTTP_PROXY: null
-            HTTPS_PROXY: null
         systems:
+            - ubuntu-14.04-64:
+                workers: 6
+            - ubuntu-16.04-32:
+                workers: 6
             - ubuntu-16.04-64:
-                kernel: GRUB 2
                 workers: 8
-            - ubuntu-16.04-32:
-                kernel: GRUB 2
+            - ubuntu-18.04-64:
                 workers: 6
-            - ubuntu-14.04-64:
-                kernel: GRUB 2
+            - ubuntu-18.10-64:
+                image: ubuntu-1810
                 workers: 6
-
             - ubuntu-core-16-64:
-                kernel: Direct Disk
+                image: ubuntu-16.04-64
+                workers: 6
+            - ubuntu-core-18-64:
                 image: ubuntu-16.04-64
                 workers: 6
 
             - debian-9-64:
-                kernel: GRUB 2
                 workers: 6
             - debian-sid-64:
-                kernel: GRUB 2
                 workers: 6
                 manual: true
 
-            - fedora-27-64:
+            - fedora-28-64:
                 workers: 4
-                # Fedora CI disabled because of unexplained golang bug breaking every build.
                 manual: true
-            - fedora-26-64:
+            - fedora-29-64:
+                workers: 4
+            - opensuse-42.3-64:
                 workers: 4
+                # golang stack cannot compile anything, needs investigation
                 manual: true
-            - fedora-25-64:
+            - arch-linux-64:
+                workers: 4
+
+            - amazon-linux-2-64:
+                workers: 4
+                storage: preserve-size
+
+            - centos-7-64:
                 workers: 4
+                image: centos-7-64
+
+    google-upgrade:
+        type: google
+        key: "$(HOST: echo $SPREAD_GOOGLE_KEY)"
+        location: computeengine/us-east1-b
+        halt-timeout: 2h
+        systems:
+            - ubuntu-14.04-64:
+                workers: 1
+            - ubuntu-16.04-32:
+                workers: 1
+            - ubuntu-16.04-64:
+                workers: 1
+            - ubuntu-18.04-64:
+                workers: 1
+            - ubuntu-18.10-64:
+                image: ubuntu-1810
+                workers: 1
+            - debian-9-64:
+                workers: 1
+            - fedora-29-64:
+                workers: 1
+                # https://twitter.com/zygoon/status/1073629342884864000
                 manual: true
+            - arch-linux-64:
+                workers: 1
+            - amazon-linux-2-64:
+                workers: 1
+                storage: preserve-size
+            - centos-7-64:
+                workers: 1
 
-            - opensuse-42.2-64:
+
+    google-sru:
+        type: google
+        key: "$(HOST: echo $SPREAD_GOOGLE_KEY)"
+        location: computeengine/us-east1-b
+        halt-timeout: 2h
+        systems:
+            - ubuntu-14.04-64:
+                workers: 4
+            - ubuntu-16.04-64:
+                workers: 4
+            - ubuntu-17.10-64:
                 workers: 4
+            - ubuntu-18.04-64:
+                workers: 4
+
+    google-nested:
+        type: google
+        key: "$(HOST: echo $SPREAD_GOOGLE_KEY)"
+        location: computeengine/us-east1-b
+        plan: n1-standard-2
+        halt-timeout: 2h
+        systems:
+            - ubuntu-16.04-64:
+                image: ubuntu-1604-64-virt-enabled
+                workers: 1
+            - ubuntu-18.04-64:
+                image: ubuntu-1804-64-virt-enabled
+                workers: 1
+
     qemu:
         systems:
             - ubuntu-14.04-32:
@@ -111,6 +175,10 @@
                 image: ubuntu-16.04-64
                 username: ubuntu
                 password: ubuntu
+            - ubuntu-core-18-64:
+                image: ubuntu-16.04-64
+                username: ubuntu
+                password: ubuntu
             - ubuntu-17.10-64:
                 username: ubuntu
                 password: ubuntu
@@ -120,6 +188,30 @@
             - ubuntu-18.04-32:
                 username: ubuntu
                 password: ubuntu
+            - ubuntu-18.10-64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-18.10-32:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.04-64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.04-32:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.10-64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.10-32:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-20.04-64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-20.04-32:
+                username: ubuntu
+                password: ubuntu
             - debian-sid-64:
                 username: debian
                 password: debian
@@ -129,10 +221,10 @@
             - debian-sid-64:
                 username: debian
                 password: debian
-            - fedora-26-64:
+            - fedora-27-64:
                 username: fedora
                 password: fedora
-            - fedora-27-64:
+            - fedora-28-64:
                 username: fedora
                 password: fedora
     autopkgtest:
@@ -206,6 +298,83 @@
             - ubuntu-18.04-arm64:
                 username: ubuntu
                 password: ubuntu
+            # Cosmic
+            - ubuntu-18.10-amd64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-18.10-i386:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-18.10-ppc64el:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-18.10-armhf:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-18.10-s390x:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-18.10-arm64:
+                username: ubuntu
+                password: ubuntu
+            # Disco
+            - ubuntu-19.04-amd64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.04-i386:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.04-ppc64el:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.04-armhf:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.04-s390x:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.04-arm64:
+                username: ubuntu
+                password: ubuntu
+            # Eccentric Eel (not final name!)
+            - ubuntu-19.10-amd64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.10-i386:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.10-ppc64el:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.10-armhf:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.10-s390x:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-19.10-arm64:
+                username: ubuntu
+                password: ubuntu
+            # Flaming Falcon (not final name!)
+            - ubuntu-20.04-amd64:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-20.04-i386:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-20.04-ppc64el:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-20.04-armhf:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-20.04-s390x:
+                username: ubuntu
+                password: ubuntu
+            - ubuntu-20.04-arm64:
+                username: ubuntu
+                password: ubuntu
+
     external:
         type: adhoc
         environment:
@@ -227,21 +396,18 @@
             - ubuntu-core-16-arm-32:
                 username: test
                 password: ubuntu
-
-    linode-sru:
-        type: linode
-        key: "$(HOST: echo $SPREAD_LINODE_KEY)"
-        halt-timeout: 2h
-        systems:
-            - ubuntu-14.04-64:
-                kernel: GRUB 2
-                workers: 2
-            - ubuntu-16.04-64:
-                kernel: GRUB 2
-                workers: 2
-            - ubuntu-17.10-64:
-                kernel: GRUB 2
-                workers: 2
+            - ubuntu-core-18-64:
+                username: test
+                password: ubuntu
+            - ubuntu-core-18-32:
+                username: test
+                password: ubuntu
+            - ubuntu-core-18-arm-64:
+                username: test
+                password: ubuntu
+            - ubuntu-core-18-arm-32:
+                username: test
+                password: ubuntu
 
 path: /home/gopath/src/github.com/snapcore/snapd
 
@@ -257,14 +423,34 @@
 
 debug-each: |
     if [ "$SPREAD_DEBUG_EACH" = 1 ]; then
+        # shellcheck source=tests/lib/journalctl.sh
+        . "$TESTSLIB/journalctl.sh"
+        #shellcheck source=tests/lib/state.sh
+        . "$TESTSLIB/state.sh"
+
         echo '# journal messages for snapd'
-        journalctl -u snapd
-        echo '# apparmor denials '
-        dmesg --ctime | grep DENIED || true
+        get_journalctl_log -u snapd
+        case "$SPREAD_SYSTEM" in
+            fedora-*|centos-*|amazon-*)
+                if [ -e "$RUNTIME_STATE_PATH/audit-stamp" ]; then
+                    ausearch -m AVC --checkpoint "$RUNTIME_STATE_PATH/audit-stamp" --start checkpoint || true
+                else
+                    ausearch -m AVC || true
+                fi
+                ;;
+            *)
+               echo '# apparmor denials '
+               dmesg --ctime | grep DENIED || true
+               ;;
+        esac
         echo '# seccomp denials (kills) '
         dmesg --ctime | grep type=1326 || true
         echo '# snap interfaces'
         snap interfaces || true
+        echo '# tasks executed on system'
+        cat "$RUNTIME_STATE_PATH/runs" || true
+        echo '# free space'
+        df -h || true
     fi
 
 rename:
@@ -277,13 +463,13 @@
     # obtained directly from GitHub. There's nothing special about that reference,
     # other than it will often be in the local repository's history already.
     # The more recent the reference, the smaller the delta.
-    if ! echo $SPREAD_BACKENDS | grep linode; then
+    if ! echo "$SPREAD_BACKENDS" | grep linode; then
         cat <&3 >&4
-    elif ! git show-ref $DELTA_REF > /dev/null; then
+    elif ! git show-ref "$DELTA_REF" > /dev/null; then
         cat <&3 >&4
     else
         trap "rm -f delta-ref.tar current.delta" EXIT
-        git archive -o delta-ref.tar --format=tar --prefix=$DELTA_PREFIX $DELTA_REF
+        git archive -o delta-ref.tar --format=tar --prefix="$DELTA_PREFIX" "$DELTA_REF"
         xdelta3 -s delta-ref.tar <&3 > current.delta
         tar c current.delta >&4
     fi
@@ -317,8 +503,34 @@
         #
         # https://forum.snapcraft.io/t/issues-with-the-fedora-mirror-network/3489/
         sed -i -s -E -e 's@^#?baseurl=http://download.fedoraproject.org/@baseurl=http://dl.fedoraproject.org/@g' -e 's@^metalink=@#metalink@g' /etc/yum.repos.d/fedora*.repo
-        dnf --refresh makecache
+        dnf --refresh -y makecache
+
+        # enable audit daemon
+        systemctl enable --now auditd.service
+    fi
+    if [[ "$SPREAD_SYSTEM" == opensuse-* ]]; then
+        # We seem to be hitting a flaky openSUSE mirror from time to time,
+        # increase the number of download attempts libzypp will try to
+        # workaround that.
+        cat <<-EOF >> /etc/zypp/zypp.conf
+    # added by spread tests
+    download.max_silent_tries = 20
+    EOF
+    fi
+
+    if [[ "$SPREAD_SYSTEM" == arch-* ]]; then
+        # Possible that AppArmor was not started and is not enabled in the
+        # image, do both now
+        if systemctl show -p LoadState apparmor.service | MATCH 'LoadState=loaded' ; then
+            if ! systemctl is-enabled apparmor.service; then
+                systemctl enable apparmor.service
+            fi
+            systemctl start apparmor.service
+        else
+            exit 1
+        fi
     fi
+
     # Unpack delta, or move content out of the prefixed directory (see rename and repack above).
     # (needs to be in spread.yaml directly because there's nothing else on the filesystem yet)
     if [ -f current.delta ]; then
@@ -333,9 +545,19 @@
             fedora-*)
                 dnf install --refresh -y xdelta curl &> "$tf" || (cat "$tf"; exit 1)
                 ;;
+            amazon-*|centos-*)
+                yum install -y xdelta curl &> "$tf" || (cat "$tf"; exit 1)
+                ;;
             opensuse-*)
+                zypper -q --gpg-auto-import-keys refresh
                 zypper -q install -y xdelta3 curl &> "$tf" || (cat "$tf"; exit 1)
                 ;;
+            arch-*)
+                # NOTE: we ought to do pacman -Syu, but this may update the
+                # kernel which we will not detect at this stage and fail to
+                # reboot; actual distro upgrade is done later in prepare
+                pacman -Sy --noconfirm xdelta3 curl &> "$tf" || (cat "$tf"; exit 1)
+                ;;
         esac
         rm -f "$tf"
         curl -sS -o - "https://codeload.github.com/snapcore/snapd/tar.gz/$DELTA_REF" | gunzip > delta-ref.tar
@@ -346,6 +568,10 @@
         rmdir "$DELTA_PREFIX"
     fi
 
+    # Take the MATCH and REBOOT functions from spread and allow our shell scripts to use them.
+    type MATCH | tail -n +2 > "$TESTSLIB"/spread-funcs.sh
+    type REBOOT | tail -n +2 >> "$TESTSLIB"/spread-funcs.sh
+
     # NOTE: At this stage the source tree is available and no more special
     # considerations apply.
     "$TESTSLIB"/prepare-restore.sh --prepare-project
@@ -355,52 +581,55 @@
     "$TESTSLIB"/prepare-restore.sh --restore-project
 restore-each: |
     "$TESTSLIB"/prepare-restore.sh --restore-project-each
-    # XXX: something is hosing the filesystem so look for signs of that
-    ! grep -F "//deleted /etc" /proc/self/mountinfo
+    if journalctl -u snapd.service | grep -F "signal: terminated"; then exit 1; fi
 
 suites:
     tests/main/:
         summary: Full-system tests for snapd
         prepare: |
-            . $TESTSLIB/prepare.sh
-            if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
-                prepare_all_snap
-            else
-                prepare_classic
-            fi
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite
         prepare-each: |
-            $TESTSLIB/reset.sh --reuse-core
-            . $TESTSLIB/prepare.sh
-            if [[ "$SPREAD_SYSTEM" != ubuntu-core-16-* ]]; then
-                prepare_each_classic
-            fi
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite-each
+        restore-each: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite-each
         restore: |
-            $TESTSLIB/reset.sh --store
-            if [[ "$SPREAD_SYSTEM" != ubuntu-core-16-* ]]; then
-                . $TESTSLIB/pkgdb.sh
-                distro_purge_package snapd
-                if [[ "$SPREAD_SYSTEM" != opensuse-* ]]; then
-                    # A snap-confine package never existed on openSUSE
-                    distro_purge_package snap-confine
-                fi
-            fi
-
+            "$TESTSLIB"/prepare-restore.sh --restore-suite
+    # Essential tests run inside the autopkgtest environment on each
+    # platform. Autopkgtest can be very slow so we cannot run all
+    # tests there without running into timeouts.
+    tests/smoke/:
+        summary: Essenial system level tests for snapd
+        prepare: |
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite
+        prepare-each: |
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite-each
+        restore-each: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite-each
+        restore: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite
+    tests/core18/:
+        summary: Subset of core18 specific tests
+        systems: [ubuntu-core-18-*]
+        prepare: |
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite
+        prepare-each: |
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite-each
+        restore-each: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite-each
+        restore: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite
     tests/completion/:
         summary: completion tests
         # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
         systems: [-ubuntu-core-*, -ubuntu-*-ppc64el]
         prepare: |
-            . $TESTSLIB/prepare.sh
-            prepare_classic
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite
         prepare-each: |
-            $TESTSLIB/reset.sh --reuse-core
-            . $TESTSLIB/prepare.sh
-            prepare_each_classic
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite-each
+        restore-each: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite-each
         restore: |
-            $TESTSLIB/reset.sh --store
-            . $TESTSLIB/pkgdb.sh
-            distro_purge_package snapd
-
+            "$TESTSLIB"/prepare-restore.sh --restore-suite
         environment:
           _/plain: _
           _/plain_plusdirs: _
@@ -415,34 +644,37 @@
           # _/twisted: _
           _/func: _
           _/funkyfunc: _
+          _/funcarg: _
 
     tests/regression/:
         summary: Regression tests for snapd
         prepare: |
-            . $TESTSLIB/prepare.sh
-            if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
-                prepare_all_snap
-            else
-                prepare_classic
-            fi
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite
         prepare-each: |
-            $TESTSLIB/reset.sh --reuse-core
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite-each
+        restore-each: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite-each
         restore: |
-            $TESTSLIB/reset.sh
-            if [[ "$SPREAD_SYSTEM" != ubuntu-core-16-* ]]; then
-                . $TESTSLIB/pkgdb.sh
-                distro_purge_package snapd
-            fi
+            "$TESTSLIB"/prepare-restore.sh --restore-suite
 
     tests/upgrade/:
         summary: Tests for snapd upgrade
         # Test cases are not yet ported to openSUSE that is why we keep
         # it disabled. A later PR will enable most tests and
         # drop this blacklist.
-        systems: [-ubuntu-core-16-*, -opensuse-*]
+        systems: [-ubuntu-core-*, -opensuse-*]
         # autopkgtest runs against localhost which causes problems with
         # this test prepare
-        backends: [-autopkgtest]
+        backends: [google-upgrade]
+        prepare-each: |
+            # FIXME: this should really use prepare-restore.sh --prepare-suite-each
+            # like other suites, needs more investigation
+
+            # shellcheck source=tests/lib/state.sh
+            . "$TESTSLIB"/state.sh
+            mkdir -p "$RUNTIME_STATE_PATH"
+            # save the job which is going to be executed in the system
+            echo -n "$SPREAD_JOB " >> "$RUNTIME_STATE_PATH/runs"
         restore: |
             if [ "$REMOTE_STORE" = staging ]; then
                 echo "skip upgrade tests while talking to the staging store"
@@ -453,16 +685,20 @@
                 echo "skip upgrade tests while talking to the staging store"
                 exit 0
             fi
-            . $TESTSLIB/pkgdb.sh
+            #shellcheck source=tests/lib/pkgdb.sh
+            . "$TESTSLIB"/pkgdb.sh
             distro_purge_package snapd
             distro_purge_package snapd-xdg-open || true
+    tests/cross/:
+        summary: Cross-compile tests
+        systems: [ubuntu-16.04-64, ubuntu-18.04-64]
 
     tests/unit/:
         summary: Suite to run unit tests (non-go and different go runtimes)
-        # Test cases are not yet ported to Fedora/openSUSE that is why
+        # Test cases are not yet ported to Fedora/openSUSE/Arch that is why
         # we keep them disabled. A later PR will enable most tests and
         # drop this blacklist.
-        systems: [-ubuntu-core-16-*, -fedora-*, -opensuse-*]
+        systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
         # unittests are run as part of the autopkgtest build already
         backends: [-autopkgtest]
         environment:
@@ -477,60 +713,65 @@
             TRAVIS_TAG: "$(HOST: echo $TRAVIS_TAG)"
             COVERMODE: "$(HOST: echo $COVERMODE)"
         prepare: |
-            . $TESTSLIB/prepare.sh
+            #shellcheck source=tests/lib/prepare.sh
+            . "$TESTSLIB"/prepare.sh
             prepare_classic
         prepare-each: |
-            $TESTSLIB/reset.sh --reuse-core
-            . $TESTSLIB/prepare.sh
+            "$TESTSLIB"/reset.sh --reuse-core
+            #shellcheck source=tests/lib/prepare.sh
+            . "$TESTSLIB"/prepare.sh
             prepare_each_classic
         restore: |
-            $TESTSLIB/reset.sh --store
-            . $TESTSLIB/pkgdb.sh
-            distro_purge_package snapd snap-confine ubuntu-core-launcher
+            "$TESTSLIB"/reset.sh --store
+            #shellcheck source=tests/lib/pkgdb.sh
+            . "$TESTSLIB"/pkgdb.sh
+
+            distro_purge_package snapd
+            case "$SPREAD_SYSTEM" in
+                arch-*)
+                    # there is no snap-confine and ubuntu-core-launcher
+                    # in Arch
+                    ;;
+                *)
+                    distro_purge_package snap-confine ubuntu-core-launcher
+                    ;;
+            esac
 
     tests/nightly/:
         summary: Suite for nightly, expensive, tests
         manual: true
-        # Test cases are not yet ported to Fedora/openSUSE that is why
+        # Test cases are not yet ported to Fedora/openSUSE/Arch/AMZN2 that is why
         # we keep them disabled. A later PR will enable most tests and
         # drop this blacklist.
-        systems: [-fedora-*, -opensuse-*]
+        systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
         prepare: |
-            . $TESTSLIB/prepare.sh
-            if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
-                prepare_all_snap
-            else
-                prepare_classic
-            fi
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite
         prepare-each: |
-            $TESTSLIB/reset.sh --reuse-core
+            "$TESTSLIB"/prepare-restore.sh --prepare-suite-each
+        restore-each: |
+            "$TESTSLIB"/prepare-restore.sh --restore-suite-each
         restore: |
-            $TESTSLIB/reset.sh
-            if [[ "$SPREAD_SYSTEM" != ubuntu-core-16-* ]]; then
-                . $TESTSLIB/pkgdb.sh
-                distro_purge_package snapd
-            fi
+            "$TESTSLIB"/prepare-restore.sh --restore-suite
 
     tests/nested/:
         summary: Tests for nested images
         # Test cases are not yet ported to Fedora/openSUSE that is why
         # we keep them disabled. A later PR will enable most tests and
         # drop this blacklist.
-        systems: [-fedora-*, -opensuse-*]
+        backends: [google-nested]
         environment:
             NESTED_ARCH: "$(HOST: echo ${SPREAD_NESTED_ARCH:-amd64})"
+            NESTED_SYSTEM: "$(HOST: echo ${SPREAD_NESTED_SYSTEM:-xenial})"
             CORE_REFRESH_CHANNEL: "$(HOST: echo ${SPREAD_CORE_REFRESH_CHANNEL:-candidate})"
-        halt-timeout: 2h
-        kill-timeout: 2h
         manual: true
         prepare: |
-            . $TESTSLIB/pkgdb.sh
+            #shellcheck source=tests/lib/pkgdb.sh
+            . "$TESTSLIB"/pkgdb.sh
             distro_update_package_db
-            distro_install_package snapd qemu genisoimage sshpass
-            snap install --classic --beta ubuntu-image
+            distro_install_package snapd qemu genisoimage sshpass qemu-kvm cloud-image-utils ubuntu-image
         restore: |
-            . $TESTSLIB/pkgdb.sh
-            distro_purge_package qemu genisoimage sshpass
-            snap remove ubuntu-image
+            #shellcheck source=tests/lib/pkgdb.sh
+            . "$TESTSLIB"/pkgdb.sh
+            distro_purge_package qemu genisoimage sshpass qemu-kvm cloud-image-utils ubuntu-image
 
 # vim:ts=4:sw=4:et
diff -Nru snapd-2.32.3.2~14.04/store/auth.go snapd-2.37~rc1~14.04/store/auth.go
--- snapd-2.32.3.2~14.04/store/auth.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/auth.go	2019-01-16 08:36:51.000000000 +0000
@@ -100,14 +100,14 @@
 }
 
 // retryPostRequestDecodeJSON calls retryPostRequest and decodes the response into either success or failure.
-func retryPostRequestDecodeJSON(endpoint string, headers map[string]string, data []byte, success interface{}, failure interface{}) (resp *http.Response, err error) {
-	return retryPostRequest(endpoint, headers, data, func(resp *http.Response) error {
+func retryPostRequestDecodeJSON(httpClient *http.Client, endpoint string, headers map[string]string, data []byte, success interface{}, failure interface{}) (resp *http.Response, err error) {
+	return retryPostRequest(httpClient, endpoint, headers, data, func(resp *http.Response) error {
 		return decodeJSONBody(resp, success, failure)
 	})
 }
 
 // retryPostRequest calls doRequest and decodes the response in a retry loop.
-func retryPostRequest(endpoint string, headers map[string]string, data []byte, readResponseBody func(resp *http.Response) error) (*http.Response, error) {
+func retryPostRequest(httpClient *http.Client, endpoint string, headers map[string]string, data []byte, readResponseBody func(resp *http.Response) error) (*http.Response, error) {
 	return httputil.RetryRequest(endpoint, func() (*http.Response, error) {
 		req, err := http.NewRequest("POST", endpoint, bytes.NewBuffer(data))
 		if err != nil {
@@ -122,7 +122,7 @@
 }
 
 // requestStoreMacaroon requests a macaroon for accessing package data from the ubuntu store.
-func requestStoreMacaroon() (string, error) {
+func requestStoreMacaroon(httpClient *http.Client) (string, error) {
 	const errorPrefix = "cannot get snap access permission from store: "
 
 	data := map[string]interface{}{
@@ -144,7 +144,7 @@
 		"Accept":       "application/json",
 		"Content-Type": "application/json",
 	}
-	resp, err := retryPostRequestDecodeJSON(MacaroonACLAPI, headers, macaroonJSONData, &responseData, nil)
+	resp, err := retryPostRequestDecodeJSON(httpClient, MacaroonACLAPI, headers, macaroonJSONData, &responseData, nil)
 	if err != nil {
 		return "", fmt.Errorf(errorPrefix+"%v", err)
 	}
@@ -160,7 +160,7 @@
 	return responseData.Macaroon, nil
 }
 
-func requestDischargeMacaroon(endpoint string, data map[string]string) (string, error) {
+func requestDischargeMacaroon(httpClient *http.Client, endpoint string, data map[string]string) (string, error) {
 	const errorPrefix = "cannot authenticate to snap store: "
 
 	var err error
@@ -179,7 +179,7 @@
 		"Accept":       "application/json",
 		"Content-Type": "application/json",
 	}
-	resp, err := retryPostRequestDecodeJSON(endpoint, headers, dischargeJSONData, &responseData, &msg)
+	resp, err := retryPostRequestDecodeJSON(httpClient, endpoint, headers, dischargeJSONData, &responseData, &msg)
 	if err != nil {
 		return "", fmt.Errorf(errorPrefix+"%v", err)
 	}
@@ -216,7 +216,7 @@
 }
 
 // dischargeAuthCaveat returns a macaroon with the store auth caveat discharged.
-func dischargeAuthCaveat(caveat, username, password, otp string) (string, error) {
+func dischargeAuthCaveat(httpClient *http.Client, caveat, username, password, otp string) (string, error) {
 	data := map[string]string{
 		"email":     username,
 		"password":  password,
@@ -226,20 +226,20 @@
 		data["otp"] = otp
 	}
 
-	return requestDischargeMacaroon(UbuntuoneDischargeAPI, data)
+	return requestDischargeMacaroon(httpClient, UbuntuoneDischargeAPI, data)
 }
 
 // refreshDischargeMacaroon returns a soft-refreshed discharge macaroon.
-func refreshDischargeMacaroon(discharge string) (string, error) {
+func refreshDischargeMacaroon(httpClient *http.Client, discharge string) (string, error) {
 	data := map[string]string{
 		"discharge_macaroon": discharge,
 	}
 
-	return requestDischargeMacaroon(UbuntuoneRefreshDischargeAPI, data)
+	return requestDischargeMacaroon(httpClient, UbuntuoneRefreshDischargeAPI, data)
 }
 
 // requestStoreDeviceNonce requests a nonce for device authentication against the store.
-func requestStoreDeviceNonce(deviceNonceEndpoint string) (string, error) {
+func requestStoreDeviceNonce(httpClient *http.Client, deviceNonceEndpoint string) (string, error) {
 	const errorPrefix = "cannot get nonce from store: "
 
 	var responseData struct {
@@ -250,7 +250,7 @@
 		"User-Agent": httputil.UserAgent(),
 		"Accept":     "application/json",
 	}
-	resp, err := retryPostRequestDecodeJSON(deviceNonceEndpoint, headers, nil, &responseData, nil)
+	resp, err := retryPostRequestDecodeJSON(httpClient, deviceNonceEndpoint, headers, nil, &responseData, nil)
 	if err != nil {
 		return "", fmt.Errorf(errorPrefix+"%v", err)
 	}
@@ -273,7 +273,7 @@
 }
 
 // requestDeviceSession requests a device session macaroon from the store.
-func requestDeviceSession(deviceSessionEndpoint string, paramsEncoder deviceSessionRequestParamsEncoder, previousSession string) (string, error) {
+func requestDeviceSession(httpClient *http.Client, deviceSessionEndpoint string, paramsEncoder deviceSessionRequestParamsEncoder, previousSession string) (string, error) {
 	const errorPrefix = "cannot get device session from store: "
 
 	data := map[string]string{
@@ -300,7 +300,7 @@
 		headers["X-Device-Authorization"] = fmt.Sprintf(`Macaroon root="%s"`, previousSession)
 	}
 
-	_, err = retryPostRequest(deviceSessionEndpoint, headers, deviceJSONData, func(resp *http.Response) error {
+	_, err = retryPostRequest(httpClient, deviceSessionEndpoint, headers, deviceJSONData, func(resp *http.Response) error {
 		if resp.StatusCode == 200 || resp.StatusCode == 202 {
 			return json.NewDecoder(resp.Body).Decode(&responseData)
 		}
@@ -310,6 +310,7 @@
 	if err != nil {
 		return "", fmt.Errorf(errorPrefix+"%v", err)
 	}
+	// TODO: retry at least once on 400
 
 	if responseData.Macaroon == "" {
 		return "", fmt.Errorf(errorPrefix + "empty session returned")
diff -Nru snapd-2.32.3.2~14.04/store/auth_test.go snapd-2.37~rc1~14.04/store/auth_test.go
--- snapd-2.32.3.2~14.04/store/auth_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/auth_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -17,10 +17,9 @@
  *
  */
 
-package store
+package store_test
 
 import (
-	"encoding/json"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -31,6 +30,7 @@
 	"gopkg.in/macaroon.v1"
 	"gopkg.in/retry.v1"
 
+	"github.com/snapcore/snapd/store"
 	"github.com/snapcore/snapd/testutil"
 )
 
@@ -78,7 +78,7 @@
 const mockStoreReturnNoNonce = `{}`
 
 func (s *authTestSuite) SetUpTest(c *C) {
-	MockDefaultRetryStrategy(&s.BaseTest, retry.LimitCount(5, retry.LimitTime(1*time.Second,
+	store.MockDefaultRetryStrategy(&s.BaseTest, retry.LimitCount(5, retry.LimitTime(1*time.Second,
 		retry.Exponential{
 			Initial: 1 * time.Millisecond,
 			Factor:  1.1,
@@ -91,9 +91,9 @@
 		io.WriteString(w, mockStoreReturnMacaroon)
 	}))
 	defer mockServer.Close()
-	MacaroonACLAPI = mockServer.URL + "/acl/"
+	store.MacaroonACLAPI = mockServer.URL + "/acl/"
 
-	macaroon, err := requestStoreMacaroon()
+	macaroon, err := store.RequestStoreMacaroon(&http.Client{})
 	c.Assert(err, IsNil)
 	c.Assert(macaroon, Equals, "the-root-macaroon-serialized-data")
 }
@@ -103,9 +103,9 @@
 		io.WriteString(w, mockStoreReturnNoMacaroon)
 	}))
 	defer mockServer.Close()
-	MacaroonACLAPI = mockServer.URL + "/acl/"
+	store.MacaroonACLAPI = mockServer.URL + "/acl/"
 
-	macaroon, err := requestStoreMacaroon()
+	macaroon, err := store.RequestStoreMacaroon(&http.Client{})
 	c.Assert(err, ErrorMatches, "cannot get snap access permission from store: empty macaroon returned")
 	c.Assert(macaroon, Equals, "")
 }
@@ -117,9 +117,9 @@
 		n++
 	}))
 	defer mockServer.Close()
-	MacaroonACLAPI = mockServer.URL + "/acl/"
+	store.MacaroonACLAPI = mockServer.URL + "/acl/"
 
-	macaroon, err := requestStoreMacaroon()
+	macaroon, err := store.RequestStoreMacaroon(&http.Client{})
 	c.Assert(err, ErrorMatches, "cannot get snap access permission from store: store server returned status 500")
 	c.Assert(n, Equals, 5)
 	c.Assert(macaroon, Equals, "")
@@ -130,9 +130,9 @@
 		io.WriteString(w, mockStoreReturnDischarge)
 	}))
 	defer mockServer.Close()
-	UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
 
-	discharge, err := dischargeAuthCaveat("third-party-caveat", "guy@example.com", "passwd", "")
+	discharge, err := store.DischargeAuthCaveat(&http.Client{}, "third-party-caveat", "guy@example.com", "passwd", "")
 	c.Assert(err, IsNil)
 	c.Assert(discharge, Equals, "the-discharge-macaroon-serialized-data")
 }
@@ -143,10 +143,10 @@
 		io.WriteString(w, mockStoreNeeds2fa)
 	}))
 	defer mockServer.Close()
-	UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
 
-	discharge, err := dischargeAuthCaveat("third-party-caveat", "foo@example.com", "passwd", "")
-	c.Assert(err, Equals, ErrAuthenticationNeeds2fa)
+	discharge, err := store.DischargeAuthCaveat(&http.Client{}, "third-party-caveat", "foo@example.com", "passwd", "")
+	c.Assert(err, Equals, store.ErrAuthenticationNeeds2fa)
 	c.Assert(discharge, Equals, "")
 }
 
@@ -156,10 +156,10 @@
 		io.WriteString(w, mockStore2faFailedResponse)
 	}))
 	defer mockServer.Close()
-	UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
 
-	discharge, err := dischargeAuthCaveat("third-party-caveat", "foo@example.com", "passwd", "")
-	c.Assert(err, Equals, Err2faFailed)
+	discharge, err := store.DischargeAuthCaveat(&http.Client{}, "third-party-caveat", "foo@example.com", "passwd", "")
+	c.Assert(err, Equals, store.Err2faFailed)
 	c.Assert(discharge, Equals, "")
 }
 
@@ -169,10 +169,10 @@
 		io.WriteString(w, mockStoreInvalidLogin)
 	}))
 	defer mockServer.Close()
-	UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
 
-	discharge, err := dischargeAuthCaveat("third-party-caveat", "foo@example.com", "passwd", "")
-	c.Assert(err, Equals, ErrInvalidCredentials)
+	discharge, err := store.DischargeAuthCaveat(&http.Client{}, "third-party-caveat", "foo@example.com", "passwd", "")
+	c.Assert(err, Equals, store.ErrInvalidCredentials)
 	c.Assert(discharge, Equals, "")
 }
 
@@ -181,9 +181,9 @@
 		io.WriteString(w, mockStoreReturnNoMacaroon)
 	}))
 	defer mockServer.Close()
-	UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
 
-	discharge, err := dischargeAuthCaveat("third-party-caveat", "foo@example.com", "passwd", "")
+	discharge, err := store.DischargeAuthCaveat(&http.Client{}, "third-party-caveat", "foo@example.com", "passwd", "")
 	c.Assert(err, ErrorMatches, "cannot authenticate to snap store: empty macaroon returned")
 	c.Assert(discharge, Equals, "")
 }
@@ -193,9 +193,9 @@
 		w.WriteHeader(500)
 	}))
 	defer mockServer.Close()
-	UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockServer.URL + "/tokens/discharge"
 
-	discharge, err := dischargeAuthCaveat("third-party-caveat", "foo@example.com", "passwd", "")
+	discharge, err := store.DischargeAuthCaveat(&http.Client{}, "third-party-caveat", "foo@example.com", "passwd", "")
 	c.Assert(err, ErrorMatches, "cannot authenticate to snap store: server returned status 500")
 	c.Assert(discharge, Equals, "")
 }
@@ -205,9 +205,9 @@
 		io.WriteString(w, mockStoreReturnDischarge)
 	}))
 	defer mockServer.Close()
-	UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
+	store.UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
 
-	discharge, err := refreshDischargeMacaroon("soft-expired-serialized-discharge-macaroon")
+	discharge, err := store.RefreshDischargeMacaroon(&http.Client{}, "soft-expired-serialized-discharge-macaroon")
 	c.Assert(err, IsNil)
 	c.Assert(discharge, Equals, "the-discharge-macaroon-serialized-data")
 }
@@ -218,10 +218,10 @@
 		io.WriteString(w, mockStoreInvalidLogin)
 	}))
 	defer mockServer.Close()
-	UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
+	store.UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
 
-	discharge, err := refreshDischargeMacaroon("soft-expired-serialized-discharge-macaroon")
-	c.Assert(err, Equals, ErrInvalidCredentials)
+	discharge, err := store.RefreshDischargeMacaroon(&http.Client{}, "soft-expired-serialized-discharge-macaroon")
+	c.Assert(err, Equals, store.ErrInvalidCredentials)
 	c.Assert(discharge, Equals, "")
 }
 
@@ -230,9 +230,9 @@
 		io.WriteString(w, mockStoreReturnNoMacaroon)
 	}))
 	defer mockServer.Close()
-	UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
+	store.UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
 
-	discharge, err := refreshDischargeMacaroon("soft-expired-serialized-discharge-macaroon")
+	discharge, err := store.RefreshDischargeMacaroon(&http.Client{}, "soft-expired-serialized-discharge-macaroon")
 	c.Assert(err, ErrorMatches, "cannot authenticate to snap store: empty macaroon returned")
 	c.Assert(discharge, Equals, "")
 }
@@ -248,9 +248,9 @@
 		n++
 	}))
 	defer mockServer.Close()
-	UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
+	store.UbuntuoneRefreshDischargeAPI = mockServer.URL + "/tokens/refresh"
 
-	discharge, err := refreshDischargeMacaroon("soft-expired-serialized-discharge-macaroon")
+	discharge, err := store.RefreshDischargeMacaroon(&http.Client{}, "soft-expired-serialized-discharge-macaroon")
 	c.Assert(err, ErrorMatches, "cannot authenticate to snap store: server returned status 500")
 	c.Assert(n, Equals, 5)
 	c.Assert(discharge, Equals, "")
@@ -259,10 +259,10 @@
 func (s *authTestSuite) TestLoginCaveatIDReturnCaveatID(c *C) {
 	m, err := macaroon.New([]byte("secret"), "some-id", "location")
 	c.Check(err, IsNil)
-	err = m.AddThirdPartyCaveat([]byte("shared-key"), "third-party-caveat", UbuntuoneLocation)
+	err = m.AddThirdPartyCaveat([]byte("shared-key"), "third-party-caveat", store.UbuntuoneLocation)
 	c.Check(err, IsNil)
 
-	caveat, err := loginCaveatID(m)
+	caveat, err := store.LoginCaveatID(m)
 	c.Check(err, IsNil)
 	c.Check(caveat, Equals, "third-party-caveat")
 }
@@ -273,7 +273,7 @@
 	err = m.AddThirdPartyCaveat([]byte("shared-key"), "third-party-caveat", "other-location")
 	c.Check(err, IsNil)
 
-	caveat, err := loginCaveatID(m)
+	caveat, err := store.LoginCaveatID(m)
 	c.Check(err, NotNil)
 	c.Check(caveat, Equals, "")
 }
@@ -285,7 +285,7 @@
 	defer mockServer.Close()
 
 	deviceNonceAPI := mockServer.URL + "/api/v1/snaps/auth/nonces"
-	nonce, err := requestStoreDeviceNonce(deviceNonceAPI)
+	nonce, err := store.RequestStoreDeviceNonce(&http.Client{}, deviceNonceAPI)
 	c.Assert(err, IsNil)
 	c.Assert(nonce, Equals, "the-nonce")
 }
@@ -303,7 +303,7 @@
 	defer mockServer.Close()
 
 	deviceNonceAPI := mockServer.URL + "/api/v1/snaps/auth/nonces"
-	nonce, err := requestStoreDeviceNonce(deviceNonceAPI)
+	nonce, err := store.RequestStoreDeviceNonce(&http.Client{}, deviceNonceAPI)
 	c.Assert(err, IsNil)
 	c.Assert(nonce, Equals, "the-nonce")
 	c.Assert(n, Equals, 4)
@@ -318,7 +318,7 @@
 	defer mockServer.Close()
 
 	deviceNonceAPI := mockServer.URL + "/api/v1/snaps/auth/nonces"
-	_, err := requestStoreDeviceNonce(deviceNonceAPI)
+	_, err := store.RequestStoreDeviceNonce(&http.Client{}, deviceNonceAPI)
 	c.Assert(err, NotNil)
 	c.Assert(err, ErrorMatches, `cannot get nonce from store: store server returned status 500`)
 	c.Assert(n, Equals, 5)
@@ -326,7 +326,7 @@
 
 func (s *authTestSuite) TestRequestStoreDeviceNonceFailureOnDNS(c *C) {
 	deviceNonceAPI := "http://nonexistingserver121321.com/api/v1/snaps/auth/nonces"
-	_, err := requestStoreDeviceNonce(deviceNonceAPI)
+	_, err := store.RequestStoreDeviceNonce(&http.Client{}, deviceNonceAPI)
 	c.Assert(err, NotNil)
 	c.Assert(err, ErrorMatches, `cannot get nonce from store.*`)
 }
@@ -338,7 +338,7 @@
 	defer mockServer.Close()
 
 	deviceNonceAPI := mockServer.URL + "/api/v1/snaps/auth/nonces"
-	nonce, err := requestStoreDeviceNonce(deviceNonceAPI)
+	nonce, err := store.RequestStoreDeviceNonce(&http.Client{}, deviceNonceAPI)
 	c.Assert(err, ErrorMatches, "cannot get nonce from store: empty nonce returned")
 	c.Assert(nonce, Equals, "")
 }
@@ -352,7 +352,7 @@
 	defer mockServer.Close()
 
 	deviceNonceAPI := mockServer.URL + "/api/v1/snaps/auth/nonces"
-	nonce, err := requestStoreDeviceNonce(deviceNonceAPI)
+	nonce, err := store.RequestStoreDeviceNonce(&http.Client{}, deviceNonceAPI)
 	c.Assert(err, ErrorMatches, "cannot get nonce from store: store server returned status 500")
 	c.Assert(n, Equals, 5)
 	c.Assert(nonce, Equals, "")
@@ -384,7 +384,7 @@
 	defer mockServer.Close()
 
 	deviceSessionAPI := mockServer.URL + "/api/v1/snaps/auth/sessions"
-	macaroon, err := requestDeviceSession(deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "")
+	macaroon, err := store.RequestDeviceSession(&http.Client{}, deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "")
 	c.Assert(err, IsNil)
 	c.Assert(macaroon, Equals, "the-root-macaroon-serialized-data")
 }
@@ -401,7 +401,7 @@
 	defer mockServer.Close()
 
 	deviceSessionAPI := mockServer.URL + "/api/v1/snaps/auth/sessions"
-	macaroon, err := requestDeviceSession(deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "previous-session")
+	macaroon, err := store.RequestDeviceSession(&http.Client{}, deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "previous-session")
 	c.Assert(err, IsNil)
 	c.Assert(macaroon, Equals, "the-root-macaroon-serialized-data")
 }
@@ -413,7 +413,7 @@
 	defer mockServer.Close()
 
 	deviceSessionAPI := mockServer.URL + "/api/v1/snaps/auth/sessions"
-	macaroon, err := requestDeviceSession(deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "")
+	macaroon, err := store.RequestDeviceSession(&http.Client{}, deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "")
 	c.Assert(err, ErrorMatches, "cannot get device session from store: empty session returned")
 	c.Assert(macaroon, Equals, "")
 }
@@ -428,18 +428,8 @@
 	defer mockServer.Close()
 
 	deviceSessionAPI := mockServer.URL + "/api/v1/snaps/auth/sessions"
-	macaroon, err := requestDeviceSession(deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "")
+	macaroon, err := store.RequestDeviceSession(&http.Client{}, deviceSessionAPI, &testDeviceSessionRequestParamsEncoder{}, "")
 	c.Assert(err, ErrorMatches, `cannot get device session from store: store server returned status 500 and body "error body"`)
 	c.Assert(n, Equals, 5)
 	c.Assert(macaroon, Equals, "")
 }
-
-func (s *authTestSuite) TestStringish(c *C) {
-	var x stringList
-
-	c.Check(json.Unmarshal([]byte(`"hello"`), &x), IsNil)
-	c.Check(x, DeepEquals, stringList([]string{"hello"}))
-
-	c.Check(json.Unmarshal([]byte(`["hello", "world"]`), &x), IsNil)
-	c.Check(x, DeepEquals, stringList([]string{"hello", "world"}))
-}
diff -Nru snapd-2.32.3.2~14.04/store/cache.go snapd-2.37~rc1~14.04/store/cache.go
--- snapd-2.32.3.2~14.04/store/cache.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/cache.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,12 +25,16 @@
 	"os"
 	"path/filepath"
 	"sort"
+	"syscall"
 	"time"
 
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 )
 
+// overridden in the unit tests
+var osRemove = os.Remove
+
 // downloadCache is the interface that a store download cache must provide
 type downloadCache interface {
 	// Get gets the given cacheKey content and puts it into targetPath
@@ -47,12 +51,12 @@
 }
 func (cm *nullCache) Put(cacheKey, sourcePath string) error { return nil }
 
-// changesByReverseMtime sorts by the mtime of files
-type changesByReverseMtime []os.FileInfo
+// changesByMtime sorts by the mtime of files
+type changesByMtime []os.FileInfo
 
-func (s changesByReverseMtime) Len() int           { return len(s) }
-func (s changesByReverseMtime) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
-func (s changesByReverseMtime) Less(i, j int) bool { return s[i].ModTime().After(s[j].ModTime()) }
+func (s changesByMtime) Len() int           { return len(s) }
+func (s changesByMtime) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+func (s changesByMtime) Less(i, j int) bool { return s[i].ModTime().Before(s[j].ModTime()) }
 
 // cacheManager implements a downloadCache via content based hard linking
 type CacheManager struct {
@@ -120,8 +124,10 @@
 	return cm.cleanup()
 }
 
-// Count returns the number of items in the cache
-func (cm *CacheManager) Count() int {
+// count returns the number of items in the cache
+func (cm *CacheManager) count() int {
+	// TODO: Use something more effective than a list of all entries
+	//       here. This will waste a lot of memory on large dirs.
 	if l, err := ioutil.ReadDir(cm.cacheDir); err == nil {
 		return len(l)
 	}
@@ -143,11 +149,56 @@
 		return nil
 	}
 
-	sort.Sort(changesByReverseMtime(fil))
-	for _, fi := range fil[cm.maxItems:] {
-		if err := os.Remove(cm.path(fi.Name())); err != nil && os.IsNotExist(err) {
-			return err
+	numOwned := 0
+	for _, fi := range fil {
+		n, err := hardLinkCount(fi)
+		if err != nil {
+			logger.Noticef("cannot inspect cache: %s", err)
+		}
+		// Only count the file if it is not referenced elsewhere in the filesystem
+		if n <= 1 {
+			numOwned++
+		}
+	}
+
+	if numOwned <= cm.maxItems {
+		return nil
+	}
+
+	var lastErr error
+	sort.Sort(changesByMtime(fil))
+	deleted := 0
+	for _, fi := range fil {
+		path := cm.path(fi.Name())
+		n, err := hardLinkCount(fi)
+		if err != nil {
+			logger.Noticef("cannot inspect cache: %s", err)
+		}
+		// If the file is referenced in the filesystem somewhere
+		// else our copy is "free" so skip it. If there is any
+		// error we cleanup the file (it is just a cache afterall).
+		if n > 1 {
+			continue
+		}
+		if err := osRemove(path); err != nil {
+			if !os.IsNotExist(err) {
+				logger.Noticef("cannot cleanup cache: %s", err)
+				lastErr = err
+			}
+			continue
+		}
+		deleted++
+		if numOwned-deleted <= cm.maxItems {
+			break
 		}
 	}
-	return nil
+	return lastErr
+}
+
+// hardLinkCount returns the number of hardlinks for the given path
+func hardLinkCount(fi os.FileInfo) (uint64, error) {
+	if stat, ok := fi.Sys().(*syscall.Stat_t); ok && stat != nil {
+		return uint64(stat.Nlink), nil
+	}
+	return 0, fmt.Errorf("internal error: cannot read hardlink count from %s", fi.Name())
 }
diff -Nru snapd-2.32.3.2~14.04/store/cache_test.go snapd-2.37~rc1~14.04/store/cache_test.go
--- snapd-2.32.3.2~14.04/store/cache_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/cache_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"fmt"
 	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strconv"
 	"time"
@@ -51,20 +52,46 @@
 }
 
 func (s *cacheSuite) makeTestFile(c *C, name, content string) string {
-	p := filepath.Join(c.MkDir(), name)
+	return s.makeTestFileInDir(c, c.MkDir(), name, content)
+}
+func (s *cacheSuite) makeTestFileInDir(c *C, dir, name, content string) string {
+	p := filepath.Join(dir, name)
 	err := ioutil.WriteFile(p, []byte(content), 0644)
 	c.Assert(err, IsNil)
 	return p
 }
 
 func (s *cacheSuite) TestPutMany(c *C) {
+	dataDir, err := os.Open(c.MkDir())
+	c.Assert(err, IsNil)
+	defer dataDir.Close()
+	cacheDir, err := os.Open(s.cm.CacheDir())
+	c.Assert(err, IsNil)
+	defer cacheDir.Close()
+
 	for i := 1; i < s.maxItems+10; i++ {
-		err := s.cm.Put(fmt.Sprintf("cacheKey-%d", i), s.makeTestFile(c, fmt.Sprintf("f%d", i), fmt.Sprintf("%d", i)))
+		p := s.makeTestFileInDir(c, dataDir.Name(), fmt.Sprintf("f%d", i), fmt.Sprintf("%d", i))
+		err := s.cm.Put(fmt.Sprintf("cacheKey-%d", i), p)
 		c.Check(err, IsNil)
-		if i < s.maxItems {
+
+		// Remove the test file again, it is now only in the cache
+		err = os.Remove(p)
+		c.Assert(err, IsNil)
+		// We need to sync the (meta)data here or the test is racy
+		c.Assert(dataDir.Sync(), IsNil)
+		c.Assert(cacheDir.Sync(), IsNil)
+
+		if i <= s.maxItems {
 			c.Check(s.cm.Count(), Equals, i)
 		} else {
-			c.Check(s.cm.Count(), Equals, s.maxItems)
+			// Count() will include the cache plus the
+			// newly added test file. This latest testfile
+			// had a link count of 2 when "cm.Put()" is
+			// called because it still exists outside of
+			// the cache dir so it's considered "free" in
+			// the cache. This is why we need to have
+			// Count()-1 here.
+			c.Check(s.cm.Count()-1, Equals, s.maxItems)
 		}
 	}
 }
@@ -87,19 +114,38 @@
 	c.Assert(targetPath, testutil.FileEquals, canary)
 }
 
-func (s *cacheSuite) TestClenaup(c *C) {
-	// add files, add more than
-	cacheKeys := make([]string, s.maxItems+2)
-	for i := 0; i < s.maxItems+2; i++ {
+func (s *cacheSuite) makeTestFiles(c *C, n int) (cacheKeys []string, testFiles []string) {
+	cacheKeys = make([]string, n)
+	testFiles = make([]string, n)
+	for i := 0; i < n; i++ {
 		p := s.makeTestFile(c, fmt.Sprintf("f%d", i), strconv.Itoa(i))
 		cacheKey := fmt.Sprintf("cacheKey-%d", i)
 		cacheKeys[i] = cacheKey
 		s.cm.Put(cacheKey, p)
 
+		// keep track of the test files
+		testFiles[i] = p
+
 		// mtime is not very granular
 		time.Sleep(10 * time.Millisecond)
 	}
-	c.Check(s.cm.Count(), Equals, s.maxItems)
+	return cacheKeys, testFiles
+}
+
+func (s *cacheSuite) TestClenaup(c *C) {
+	cacheKeys, testFiles := s.makeTestFiles(c, s.maxItems+2)
+
+	// Nothing was removed at this point because the test files are
+	// still in place and we just hardlink to them. The cache cleanup
+	// will only clean files with a link-count of 1.
+	c.Check(s.cm.Count(), Equals, s.maxItems+2)
+
+	// Remove the test files again, they are now only in the cache.
+	for _, p := range testFiles {
+		err := os.Remove(p)
+		c.Assert(err, IsNil)
+	}
+	s.cm.Cleanup()
 
 	// the oldest files are removed from the cache
 	c.Check(osutil.FileExists(filepath.Join(s.cm.CacheDir(), cacheKeys[0])), Equals, false)
@@ -108,5 +154,64 @@
 	// the newest files are still there
 	c.Check(osutil.FileExists(filepath.Join(s.cm.CacheDir(), cacheKeys[2])), Equals, true)
 	c.Check(osutil.FileExists(filepath.Join(s.cm.CacheDir(), cacheKeys[len(cacheKeys)-1])), Equals, true)
+}
+
+func (s *cacheSuite) TestClenaupContinuesOnError(c *C) {
+	cacheKeys, testFiles := s.makeTestFiles(c, s.maxItems+2)
+	for _, p := range testFiles {
+		err := os.Remove(p)
+		c.Assert(err, IsNil)
+	}
 
+	// simulate error with the removal of a file in cachedir
+	restore := store.MockOsRemove(func(name string) error {
+		if name == filepath.Join(s.cm.CacheDir(), cacheKeys[0]) {
+			return fmt.Errorf("simulated error")
+		}
+		return os.Remove(name)
+	})
+	defer restore()
+
+	// verify that cleanup returns the last error
+	err := s.cm.Cleanup()
+	c.Check(err, ErrorMatches, "simulated error")
+
+	// and also verify that the cache still got cleaned up
+	c.Check(s.cm.Count(), Equals, s.maxItems)
+
+	// even though the "unremovable" file is still in the cache
+	c.Check(osutil.FileExists(filepath.Join(s.cm.CacheDir(), cacheKeys[0])), Equals, true)
+}
+
+func (s *cacheSuite) TestHardLinkCount(c *C) {
+	p := filepath.Join(s.tmp, "foo")
+	err := ioutil.WriteFile(p, nil, 0644)
+	c.Assert(err, IsNil)
+
+	// trivial case
+	fi, err := os.Stat(p)
+	c.Assert(err, IsNil)
+	n, err := store.HardLinkCount(fi)
+	c.Assert(err, IsNil)
+	c.Check(n, Equals, uint64(1))
+
+	// add some hardlinks
+	for i := 0; i < 10; i++ {
+		err := os.Link(p, filepath.Join(s.tmp, strconv.Itoa(i)))
+		c.Assert(err, IsNil)
+	}
+	fi, err = os.Stat(p)
+	c.Assert(err, IsNil)
+	n, err = store.HardLinkCount(fi)
+	c.Assert(err, IsNil)
+	c.Check(n, Equals, uint64(11))
+
+	// and remove one
+	err = os.Remove(filepath.Join(s.tmp, "0"))
+	c.Assert(err, IsNil)
+	fi, err = os.Stat(p)
+	c.Assert(err, IsNil)
+	n, err = store.HardLinkCount(fi)
+	c.Assert(err, IsNil)
+	c.Check(n, Equals, uint64(10))
 }
diff -Nru snapd-2.32.3.2~14.04/store/details.go snapd-2.37~rc1~14.04/store/details.go
--- snapd-2.32.3.2~14.04/store/details.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/details.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,7 +20,9 @@
 package store
 
 import (
+	"github.com/snapcore/snapd/jsonutil/safejson"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
 // snapDetails encapsulates the data sent to us from the store as JSON.
@@ -29,70 +31,92 @@
 	Architectures    []string           `json:"architecture"`
 	Channel          string             `json:"channel,omitempty"`
 	DownloadSha3_384 string             `json:"download_sha3_384,omitempty"`
-	Summary          string             `json:"summary,omitempty"`
-	Description      string             `json:"description,omitempty"`
-	Deltas           []snapDeltaDetail  `json:"deltas,omitempty"`
+	Summary          safejson.String    `json:"summary,omitempty"`
+	Description      safejson.Paragraph `json:"description,omitempty"`
 	DownloadSize     int64              `json:"binary_filesize,omitempty"`
 	DownloadURL      string             `json:"download_url,omitempty"`
-	Epoch            snap.Epoch         `json:"epoch"`
-	IconURL          string             `json:"icon_url"`
 	LastUpdated      string             `json:"last_updated,omitempty"`
 	Name             string             `json:"package_name"`
 	Prices           map[string]float64 `json:"prices,omitempty"`
 	// Note that the publisher is really the "display name" of the
 	// publisher
-	Publisher      string   `json:"publisher,omitempty"`
-	RatingsAverage float64  `json:"ratings_average,omitempty"`
-	Revision       int      `json:"revision"` // store revisions are ints starting at 1
-	ScreenshotURLs []string `json:"screenshot_urls,omitempty"`
-	SnapID         string   `json:"snap_id"`
-	SnapYAML       string   `json:"snap_yaml_raw"`
-	License        string   `json:"license,omitempty"`
-	Base           string   `json:"base,omitempty"`
+	Publisher      string           `json:"publisher,omitempty"`
+	RatingsAverage float64          `json:"ratings_average,omitempty"`
+	Revision       int              `json:"revision"` // store revisions are ints starting at 1
+	SnapID         string           `json:"snap_id"`
+	License        string           `json:"license,omitempty"`
+	Base           string           `json:"base,omitempty"`
+	Media          []storeSnapMedia `json:"media,omitempty"`
 
 	// FIXME: the store should send "contact" here, once it does we
 	//        can remove support_url
 	SupportURL string `json:"support_url"`
 	Contact    string `json:"contact"`
 
-	Title   string    `json:"title"`
-	Type    snap.Type `json:"content,omitempty"`
-	Version string    `json:"version"`
-
-	// TODO: have the store return a 'developer_username' for this
-	Developer   string `json:"origin"`
-	DeveloperID string `json:"developer_id"`
+	Title   safejson.String `json:"title"`
+	Type    snap.Type       `json:"content,omitempty"`
+	Version string          `json:"version"`
+
+	Developer           string `json:"origin"`
+	DeveloperID         string `json:"developer_id"`
+	DeveloperName       string `json:"developer_name"`
+	DeveloperValidation string `json:"developer_validation"`
 
 	Private     bool   `json:"private"`
 	Confinement string `json:"confinement"`
 
-	ChannelMapList []channelMap `json:"channel_maps_list,omitempty"`
+	CommonIDs []string `json:"common_ids,omitempty"`
 }
 
-// channelMap contains
-type channelMap struct {
-	Track       string                   `json:"track"`
-	SnapDetails []channelSnapInfoDetails `json:"map,omitempty"`
-}
-
-type snapDeltaDetail struct {
-	FromRevision    int    `json:"from_revision"`
-	ToRevision      int    `json:"to_revision"`
-	Format          string `json:"format"`
-	AnonDownloadURL string `json:"anon_download_url,omitempty"`
-	DownloadURL     string `json:"download_url,omitempty"`
-	Size            int64  `json:"binary_filesize,omitempty"`
-	Sha3_384        string `json:"download_sha3_384,omitempty"`
-}
+func infoFromRemote(d *snapDetails) *snap.Info {
+	info := &snap.Info{}
+	info.Architectures = d.Architectures
+	info.Type = d.Type
+	info.Version = d.Version
+	info.RealName = d.Name
+	info.SnapID = d.SnapID
+	info.Revision = snap.R(d.Revision)
+
+	// https://forum.snapcraft.io/t/title-length-in-snapcraft-yaml-snap-yaml/8625/10
+	info.EditedTitle = strutil.ElliptRight(d.Title.Clean(), 40)
+
+	info.EditedSummary = d.Summary.Clean()
+	info.EditedDescription = d.Description.Clean()
+	// Note that the store side is using confusing terminology here.
+	// What the store calls "developer" is actually the publisher
+	// username.
+	//
+	// It also sends "publisher" and "developer_name" which are
+	// the "publisher display name" which we cannot use currently
+	// because it is not validated (i.e. the publisher could put
+	// anything in there and mislead the users this way).
+	info.Publisher = snap.StoreAccount{
+		ID:          d.DeveloperID,
+		Username:    d.Developer,
+		DisplayName: d.DeveloperName,
+		Validation:  d.DeveloperValidation,
+	}
+	info.Channel = d.Channel
+	info.Sha3_384 = d.DownloadSha3_384
+	info.Size = d.DownloadSize
+	info.AnonDownloadURL = d.AnonDownloadURL
+	info.DownloadURL = d.DownloadURL
+	info.Prices = d.Prices
+	info.Private = d.Private
+	info.Paid = len(info.Prices) > 0
+	info.Confinement = snap.ConfinementType(d.Confinement)
+	info.Contact = d.Contact
+	info.License = d.License
+	info.Base = d.Base
+	info.CommonIDs = d.CommonIDs
+
+	addMedia(info, d.Media)
+
+	// FIXME: once the store sends "contact" for everything, remove
+	//        the "SupportURL" part of the if
+	if info.Contact == "" {
+		info.Contact = d.SupportURL
+	}
 
-// channelSnapInfoDetails is the subset of snapDetails we need to get
-// information about the snaps in the various channels
-type channelSnapInfoDetails struct {
-	Revision     int        `json:"revision"` // store revisions are ints starting at 1
-	Confinement  string     `json:"confinement"`
-	Version      string     `json:"version"`
-	Channel      string     `json:"channel"`
-	Epoch        snap.Epoch `json:"epoch"`
-	DownloadSize int64      `json:"binary_filesize"`
-	Info         string     `json:"info"`
+	return info
 }
diff -Nru snapd-2.32.3.2~14.04/store/details_v2.go snapd-2.37~rc1~14.04/store/details_v2.go
--- snapd-2.32.3.2~14.04/store/details_v2.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/details_v2.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,311 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package store
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/snapcore/snapd/jsonutil/safejson"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
+)
+
+// storeSnap holds the information sent as JSON by the store for a snap.
+type storeSnap struct {
+	Architectures []string           `json:"architectures"`
+	Base          string             `json:"base"`
+	Confinement   string             `json:"confinement"`
+	Contact       string             `json:"contact"`
+	CreatedAt     string             `json:"created-at"` // revision timestamp
+	Description   safejson.Paragraph `json:"description"`
+	Download      storeSnapDownload  `json:"download"`
+	Epoch         snap.Epoch         `json:"epoch"`
+	License       string             `json:"license"`
+	Name          string             `json:"name"`
+	Prices        map[string]string  `json:"prices"` // currency->price,  free: {"USD": "0"}
+	Private       bool               `json:"private"`
+	Publisher     snap.StoreAccount  `json:"publisher"`
+	Revision      int                `json:"revision"` // store revisions are ints starting at 1
+	SnapID        string             `json:"snap-id"`
+	SnapYAML      string             `json:"snap-yaml"` // optional
+	Summary       safejson.String    `json:"summary"`
+	Title         safejson.String    `json:"title"`
+	Type          snap.Type          `json:"type"`
+	Version       string             `json:"version"`
+
+	// TODO: not yet defined: channel map
+
+	// media
+	Media []storeSnapMedia `json:"media"`
+
+	CommonIDs []string `json:"common-ids"`
+}
+
+type storeSnapDownload struct {
+	Sha3_384 string           `json:"sha3-384"`
+	Size     int64            `json:"size"`
+	URL      string           `json:"url"`
+	Deltas   []storeSnapDelta `json:"deltas"`
+}
+
+type storeSnapDelta struct {
+	Format   string `json:"format"`
+	Sha3_384 string `json:"sha3-384"`
+	Size     int64  `json:"size"`
+	Source   int    `json:"source"`
+	Target   int    `json:"target"`
+	URL      string `json:"url"`
+}
+
+type storeSnapMedia struct {
+	Type   string `json:"type"` // icon/screenshot
+	URL    string `json:"url"`
+	Width  int64  `json:"width"`
+	Height int64  `json:"height"`
+}
+
+// storeInfoChannel is the channel description included in info results
+type storeInfoChannel struct {
+	Architecture string    `json:"architecture"`
+	Name         string    `json:"name"`
+	Risk         string    `json:"risk"`
+	Track        string    `json:"track"`
+	ReleasedAt   time.Time `json:"released-at"`
+}
+
+// storeInfoChannelSnap is the snap-in-a-channel of which the channel map is made
+type storeInfoChannelSnap struct {
+	storeSnap
+	Channel storeInfoChannel `json:"channel"`
+}
+
+// storeInfo is the result of v2/info calls
+type storeInfo struct {
+	ChannelMap []*storeInfoChannelSnap `json:"channel-map"`
+	Snap       storeSnap               `json:"snap"`
+	Name       string                  `json:"name"`
+	SnapID     string                  `json:"snap-id"`
+}
+
+func infoFromStoreInfo(si *storeInfo) (*snap.Info, error) {
+	if len(si.ChannelMap) == 0 {
+		// if a snap has no released revisions, it _could_ be returned
+		// (currently no, but spec is purposely ambiguous)
+		// we treat it as a 'not found' for now at least
+		return nil, ErrSnapNotFound
+	}
+
+	thisOne := si.ChannelMap[0]
+	thisSnap := thisOne.storeSnap // copy it as we're about to modify it
+	// here we assume that the ChannelSnapInfo can be populated with data
+	// that's in the channel map and not the outer snap. This is a
+	// reasonable assumption today, but copyNonZeroFrom can easily be
+	// changed to copy to a list if needed.
+	copyNonZeroFrom(&si.Snap, &thisSnap)
+
+	info, err := infoFromStoreSnap(&thisSnap)
+	if err != nil {
+		return nil, err
+	}
+	info.Channel = thisOne.Channel.Name
+	info.Channels = make(map[string]*snap.ChannelSnapInfo, len(si.ChannelMap))
+	seen := make(map[string]bool, len(si.ChannelMap))
+	for _, s := range si.ChannelMap {
+		ch := s.Channel
+		info.Channels[ch.Track+"/"+ch.Risk] = &snap.ChannelSnapInfo{
+			Revision:    snap.R(s.Revision),
+			Confinement: snap.ConfinementType(s.Confinement),
+			Version:     s.Version,
+			Channel:     ch.Name,
+			Epoch:       s.Epoch,
+			Size:        s.Download.Size,
+			ReleasedAt:  ch.ReleasedAt.UTC(),
+		}
+		if !seen[ch.Track] {
+			seen[ch.Track] = true
+			info.Tracks = append(info.Tracks, ch.Track)
+		}
+	}
+
+	return info, nil
+}
+
+// copy non-zero fields from src to dst
+func copyNonZeroFrom(src, dst *storeSnap) {
+	if len(src.Architectures) > 0 {
+		dst.Architectures = src.Architectures
+	}
+	if src.Base != "" {
+		dst.Base = src.Base
+	}
+	if src.Confinement != "" {
+		dst.Confinement = src.Confinement
+	}
+	if src.Contact != "" {
+		dst.Contact = src.Contact
+	}
+	if src.CreatedAt != "" {
+		dst.CreatedAt = src.CreatedAt
+	}
+	if src.Description.Clean() != "" {
+		dst.Description = src.Description
+	}
+	if src.Download.URL != "" {
+		dst.Download = src.Download
+	}
+	if src.Epoch.String() != "0" {
+		dst.Epoch = src.Epoch
+	}
+	if src.License != "" {
+		dst.License = src.License
+	}
+	if src.Name != "" {
+		dst.Name = src.Name
+	}
+	if len(src.Prices) > 0 {
+		dst.Prices = src.Prices
+	}
+	if src.Private {
+		dst.Private = src.Private
+	}
+	if src.Publisher.ID != "" {
+		dst.Publisher = src.Publisher
+	}
+	if src.Revision > 0 {
+		dst.Revision = src.Revision
+	}
+	if src.SnapID != "" {
+		dst.SnapID = src.SnapID
+	}
+	if src.SnapYAML != "" {
+		dst.SnapYAML = src.SnapYAML
+	}
+	if src.Summary.Clean() != "" {
+		dst.Summary = src.Summary
+	}
+	if src.Title.Clean() != "" {
+		dst.Title = src.Title
+	}
+	if src.Type != "" {
+		dst.Type = src.Type
+	}
+	if src.Version != "" {
+		dst.Version = src.Version
+	}
+	if len(src.Media) > 0 {
+		dst.Media = src.Media
+	}
+	if len(src.CommonIDs) > 0 {
+		dst.CommonIDs = src.CommonIDs
+	}
+}
+
+func infoFromStoreSnap(d *storeSnap) (*snap.Info, error) {
+	info := &snap.Info{}
+	info.RealName = d.Name
+	info.Revision = snap.R(d.Revision)
+	info.SnapID = d.SnapID
+
+	// https://forum.snapcraft.io/t/title-length-in-snapcraft-yaml-snap-yaml/8625/10
+	info.EditedTitle = strutil.ElliptRight(d.Title.Clean(), 40)
+
+	info.EditedSummary = d.Summary.Clean()
+	info.EditedDescription = d.Description.Clean()
+	info.Private = d.Private
+	info.Contact = d.Contact
+	info.Architectures = d.Architectures
+	info.Type = d.Type
+	info.Version = d.Version
+	info.Epoch = d.Epoch
+	info.Confinement = snap.ConfinementType(d.Confinement)
+	info.Base = d.Base
+	info.License = d.License
+	info.Publisher = d.Publisher
+	info.DownloadURL = d.Download.URL
+	info.Size = d.Download.Size
+	info.Sha3_384 = d.Download.Sha3_384
+	if len(d.Download.Deltas) > 0 {
+		deltas := make([]snap.DeltaInfo, len(d.Download.Deltas))
+		for i, d := range d.Download.Deltas {
+			deltas[i] = snap.DeltaInfo{
+				FromRevision: d.Source,
+				ToRevision:   d.Target,
+				Format:       d.Format,
+				DownloadURL:  d.URL,
+				Size:         d.Size,
+				Sha3_384:     d.Sha3_384,
+			}
+		}
+		info.Deltas = deltas
+	}
+	info.CommonIDs = d.CommonIDs
+
+	// fill in the plug/slot data
+	if rawYamlInfo, err := snap.InfoFromSnapYaml([]byte(d.SnapYAML)); err == nil {
+		if info.Plugs == nil {
+			info.Plugs = make(map[string]*snap.PlugInfo)
+		}
+		for k, v := range rawYamlInfo.Plugs {
+			info.Plugs[k] = v
+			info.Plugs[k].Snap = info
+		}
+		if info.Slots == nil {
+			info.Slots = make(map[string]*snap.SlotInfo)
+		}
+		for k, v := range rawYamlInfo.Slots {
+			info.Slots[k] = v
+			info.Slots[k].Snap = info
+		}
+	}
+
+	// convert prices
+	if len(d.Prices) > 0 {
+		prices := make(map[string]float64, len(d.Prices))
+		for currency, priceStr := range d.Prices {
+			price, err := strconv.ParseFloat(priceStr, 64)
+			if err != nil {
+				return nil, fmt.Errorf("cannot parse snap price: %v", err)
+			}
+			prices[currency] = price
+		}
+		info.Paid = true
+		info.Prices = prices
+	}
+
+	// media
+	addMedia(info, d.Media)
+
+	return info, nil
+}
+
+func addMedia(info *snap.Info, media []storeSnapMedia) {
+	if len(media) == 0 {
+		return
+	}
+	info.Media = make(snap.MediaInfos, len(media))
+	for i, mediaObj := range media {
+		info.Media[i].Type = mediaObj.Type
+		info.Media[i].URL = mediaObj.URL
+		info.Media[i].Width = mediaObj.Width
+		info.Media[i].Height = mediaObj.Height
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/store/details_v2_test.go snapd-2.37~rc1~14.04/store/details_v2_test.go
--- snapd-2.32.3.2~14.04/store/details_v2_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/details_v2_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,412 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+// not using store_test as this is a very low level test
+package store
+
+import (
+	"reflect"
+
+	"encoding/json"
+	"strings"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/jsonutil/safejson"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type detailsV2Suite struct {
+	testutil.BaseTest
+}
+
+var _ = Suite(&detailsV2Suite{})
+
+const (
+	coreStoreJSON = `{
+  "architectures": [
+    "amd64"
+  ],
+  "base": null,
+  "confinement": "strict",
+  "contact": "mailto:snappy-canonical-storeaccount@canonical.com",
+  "created-at": "2018-01-22T07:49:19.440720+00:00",
+  "description": "The core runtime environment for snapd",
+  "download": {
+     "sha3-384": "b691f6dde3d8022e4db563840f0ef82320cb824b6292ffd027dbc838535214dac31c3512c619beaf73f1aeaf35ac62d5",
+     "size": 85291008,
+     "url": "https://api.snapcraft.io/api/v1/snaps/download/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_3887.snap",
+     "deltas": []
+  },
+  "epoch": {
+     "read": [0],
+     "write": [0]
+  },
+  "license": null,
+  "name": "core",
+  "prices": {},
+  "private": false,
+  "publisher": {
+     "id": "canonical",
+     "username": "canonical",
+     "display-name": "Canonical",
+     "validation": "verified"
+  },
+  "revision": 3887,
+  "snap-id": "99T7MUlRhtI3U0QFgl5mXXESAiSwt776",
+  "summary": "snapd runtime environment",
+  "title": "core",
+  "type": "os",
+  "version": "16-2.30",
+  "media": []
+}`
+
+	thingyStoreJSON = `{
+  "architectures": [
+    "amd64"
+  ],
+  "base": "base-18",
+  "confinement": "strict",
+  "contact": "https://thingy.com",
+  "common-ids": ["org.thingy"],
+  "created-at": "2018-01-26T11:38:35.536410+00:00",
+  "description": "Useful thingy for thinging",
+  "download": {
+     "sha3-384": "a29f8d894c92ad19bb943764eb845c6bd7300f555ee9b9dbb460599fecf712775c0f3e2117b5c56b08fcb9d78fc8ae4d",
+     "size": 10000021,
+     "url": "https://api.snapcraft.io/api/v1/snaps/download/XYZEfjn4WJYnm0FzDKwqqRZZI77awQEV_21.snap",
+     "deltas": [
+       {
+         "format": "xdelta3",
+         "source": 19,
+         "target": 21,
+         "url": "https://api.snapcraft.io/api/v1/snaps/download/XYZEfjn4WJYnm0FzDKwqqRZZI77awQEV_19_21_xdelta3.delta",
+         "size": 9999,
+         "sha3-384": "29f8d894c92ad19bb943764eb845c6bd7300f555ee9b9dbb460599fecf712775c0f3e2117b5c56b08fcb9d78fc8ae4df"
+       }
+     ]
+  },
+  "epoch": {
+     "read": [0,1],
+     "write": [1]
+  },
+  "license": "Proprietary",
+  "name": "thingy",
+  "prices": {"USD": "9.99"},
+  "private": false,
+  "publisher": {
+     "id": "ZvtzsxbsHivZLdvzrt0iqW529riGLfXJ",
+     "username": "thingyinc",
+     "display-name": "Thingy Inc.",
+     "validation": "unproven"
+  },
+  "revision": 21,
+  "snap-id": "XYZEfjn4WJYnm0FzDKwqqRZZI77awQEV",
+  "snap-yaml": "name: test-snapd-content-plug\nversion: 1.0\napps:\n    content-plug:\n        command: bin/content-plug\n        plugs: [shared-content-plug]\nplugs:\n    shared-content-plug:\n        interface: content\n        target: import\n        content: mylib\n        default-provider: test-snapd-content-slot\nslots:\n    shared-content-slot:\n        interface: content\n        content: mylib\n        read:\n            - /\n",
+  "summary": "useful thingy",
+  "title": "This Is The Most Fantastical Snap of Thingy",
+  "type": "app",
+  "version": "9.50",
+  "media": [
+     {"type": "icon", "url": "https://dashboard.snapcraft.io/site_media/appmedia/2017/12/Thingy.png"},
+     {"type": "screenshot", "url": "https://dashboard.snapcraft.io/site_media/appmedia/2018/01/Thingy_01.png"},
+     {"type": "screenshot", "url": "https://dashboard.snapcraft.io/site_media/appmedia/2018/01/Thingy_02.png", "width": 600, "height": 200}
+  ]
+}`
+)
+
+func (s *detailsV2Suite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+	s.BaseTest.AddCleanup(snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {}))
+}
+
+func (s *detailsV2Suite) TearDownTest(c *C) {
+	s.BaseTest.TearDownTest(c)
+}
+
+func (s *detailsV2Suite) TestInfoFromStoreSnapSimple(c *C) {
+	var snp storeSnap
+	err := json.Unmarshal([]byte(coreStoreJSON), &snp)
+	c.Assert(err, IsNil)
+
+	info, err := infoFromStoreSnap(&snp)
+	c.Assert(err, IsNil)
+	c.Check(snap.Validate(info), IsNil)
+
+	c.Check(info, DeepEquals, &snap.Info{
+		Architectures: []string{"amd64"},
+		SideInfo: snap.SideInfo{
+			RealName:          "core",
+			SnapID:            "99T7MUlRhtI3U0QFgl5mXXESAiSwt776",
+			Revision:          snap.R(3887),
+			Contact:           "mailto:snappy-canonical-storeaccount@canonical.com",
+			EditedTitle:       "core",
+			EditedSummary:     "snapd runtime environment",
+			EditedDescription: "The core runtime environment for snapd",
+			Private:           false,
+			Paid:              false,
+		},
+		Epoch:       snap.E("0"),
+		Type:        snap.TypeOS,
+		Version:     "16-2.30",
+		Confinement: snap.StrictConfinement,
+		Publisher: snap.StoreAccount{
+			ID:          "canonical",
+			Username:    "canonical",
+			DisplayName: "Canonical",
+			Validation:  "verified",
+		},
+		DownloadInfo: snap.DownloadInfo{
+			DownloadURL: "https://api.snapcraft.io/api/v1/snaps/download/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_3887.snap",
+			Sha3_384:    "b691f6dde3d8022e4db563840f0ef82320cb824b6292ffd027dbc838535214dac31c3512c619beaf73f1aeaf35ac62d5",
+			Size:        85291008,
+		},
+		Plugs: make(map[string]*snap.PlugInfo),
+		Slots: make(map[string]*snap.SlotInfo),
+	})
+}
+
+func (s *detailsV2Suite) TestInfoFromStoreSnap(c *C) {
+	var snp storeSnap
+	// base, prices, media
+	err := json.Unmarshal([]byte(thingyStoreJSON), &snp)
+	c.Assert(err, IsNil)
+
+	info, err := infoFromStoreSnap(&snp)
+	c.Assert(err, IsNil)
+	c.Check(snap.Validate(info), IsNil)
+
+	info2 := *info
+	// clear recursive bits
+	info2.Plugs = nil
+	info2.Slots = nil
+	c.Check(&info2, DeepEquals, &snap.Info{
+		Architectures: []string{"amd64"},
+		Base:          "base-18",
+		SideInfo: snap.SideInfo{
+			RealName:          "thingy",
+			SnapID:            "XYZEfjn4WJYnm0FzDKwqqRZZI77awQEV",
+			Revision:          snap.R(21),
+			Contact:           "https://thingy.com",
+			EditedTitle:       "This Is The Most Fantastical Snap of Th…",
+			EditedSummary:     "useful thingy",
+			EditedDescription: "Useful thingy for thinging",
+			Private:           false,
+			Paid:              true,
+		},
+		Epoch: snap.Epoch{
+			Read:  []uint32{0, 1},
+			Write: []uint32{1},
+		},
+		Type:        snap.TypeApp,
+		Version:     "9.50",
+		Confinement: snap.StrictConfinement,
+		License:     "Proprietary",
+		Publisher: snap.StoreAccount{
+			ID:          "ZvtzsxbsHivZLdvzrt0iqW529riGLfXJ",
+			Username:    "thingyinc",
+			DisplayName: "Thingy Inc.",
+			Validation:  "unproven",
+		},
+		DownloadInfo: snap.DownloadInfo{
+			DownloadURL: "https://api.snapcraft.io/api/v1/snaps/download/XYZEfjn4WJYnm0FzDKwqqRZZI77awQEV_21.snap",
+			Sha3_384:    "a29f8d894c92ad19bb943764eb845c6bd7300f555ee9b9dbb460599fecf712775c0f3e2117b5c56b08fcb9d78fc8ae4d",
+			Size:        10000021,
+			Deltas: []snap.DeltaInfo{
+				{
+					Format:       "xdelta3",
+					FromRevision: 19,
+					ToRevision:   21,
+					DownloadURL:  "https://api.snapcraft.io/api/v1/snaps/download/XYZEfjn4WJYnm0FzDKwqqRZZI77awQEV_19_21_xdelta3.delta",
+					Size:         9999,
+					Sha3_384:     "29f8d894c92ad19bb943764eb845c6bd7300f555ee9b9dbb460599fecf712775c0f3e2117b5c56b08fcb9d78fc8ae4df",
+				},
+			},
+		},
+		Prices: map[string]float64{
+			"USD": 9.99,
+		},
+		Media: []snap.MediaInfo{
+			{Type: "icon", URL: "https://dashboard.snapcraft.io/site_media/appmedia/2017/12/Thingy.png"},
+			{Type: "screenshot", URL: "https://dashboard.snapcraft.io/site_media/appmedia/2018/01/Thingy_01.png"},
+			{Type: "screenshot", URL: "https://dashboard.snapcraft.io/site_media/appmedia/2018/01/Thingy_02.png", Width: 600, Height: 200},
+		},
+		CommonIDs: []string{"org.thingy"},
+	})
+
+	// validate the plugs/slots
+	c.Assert(info.Plugs, HasLen, 1)
+	plug := info.Plugs["shared-content-plug"]
+	c.Check(plug.Name, Equals, "shared-content-plug")
+	c.Check(plug.Snap, Equals, info)
+	c.Check(plug.Apps, HasLen, 1)
+	c.Check(plug.Apps["content-plug"].Command, Equals, "bin/content-plug")
+
+	c.Assert(info.Slots, HasLen, 1)
+	slot := info.Slots["shared-content-slot"]
+	c.Check(slot.Name, Equals, "shared-content-slot")
+	c.Check(slot.Snap, Equals, info)
+	c.Check(slot.Apps, HasLen, 1)
+	c.Check(slot.Apps["content-plug"].Command, Equals, "bin/content-plug")
+
+	// private
+	err = json.Unmarshal([]byte(strings.Replace(thingyStoreJSON, `"private": false`, `"private": true`, 1)), &snp)
+	c.Assert(err, IsNil)
+
+	info, err = infoFromStoreSnap(&snp)
+	c.Assert(err, IsNil)
+	c.Check(snap.Validate(info), IsNil)
+
+	c.Check(info.Private, Equals, true)
+
+	// check that up to few exceptions info is filled
+	expectedZeroFields := []string{
+		"SuggestedName",
+		"InstanceKey",
+		"Assumes",
+		"OriginalTitle",
+		"OriginalSummary",
+		"OriginalDescription",
+		"Environment",
+		"LicenseAgreement", // XXX go away?
+		"LicenseVersion",   // XXX go away?
+		"Apps",
+		"LegacyAliases",
+		"Hooks",
+		"BadInterfaces",
+		"Broken",
+		"MustBuy",
+		"Channels", // handled at a different level (see TestInfo)
+		"Tracks",   // handled at a different level (see TestInfo)
+		"Layout",
+		"SideInfo.Channel",
+		"DownloadInfo.AnonDownloadURL", // TODO: going away at some point
+	}
+	var checker func(string, reflect.Value)
+	checker = func(pfx string, x reflect.Value) {
+		t := x.Type()
+		for i := 0; i < x.NumField(); i++ {
+			f := t.Field(i)
+			if f.PkgPath != "" {
+				// not exported, ignore
+				continue
+			}
+			v := x.Field(i)
+			if f.Anonymous {
+				checker(pfx+f.Name+".", v)
+				continue
+			}
+			if reflect.DeepEqual(v.Interface(), reflect.Zero(f.Type).Interface()) {
+				name := pfx + f.Name
+				c.Check(expectedZeroFields, testutil.Contains, name, Commentf("%s not set", name))
+			}
+		}
+	}
+	x := reflect.ValueOf(info).Elem()
+	checker("", x)
+}
+
+// arg must be a pointer to a struct
+func fillStruct(a interface{}, c *C) {
+	if t := reflect.TypeOf(a); t.Kind() != reflect.Ptr || t.Elem().Kind() != reflect.Struct {
+		k := t.Kind()
+		if k == reflect.Ptr {
+			k = t.Elem().Kind()
+		}
+		c.Fatalf("first argument must be expected a pointer to a struct, not %s", k)
+	}
+	va := reflect.ValueOf(a)
+	n := va.Elem().NumField()
+	for i := 0; i < n; i++ {
+		field := va.Elem().Field(i)
+		var x interface{}
+		switch field.Interface().(type) {
+		case string:
+			x = "foo"
+		case []string:
+			x = []string{"foo"}
+		case safejson.String:
+			var s safejson.String
+			c.Assert(json.Unmarshal([]byte(`"foo"`), &s), IsNil)
+			x = s
+		case safejson.Paragraph:
+			var p safejson.Paragraph
+			c.Assert(json.Unmarshal([]byte(`"foo"`), &p), IsNil)
+			x = p
+		case storeSnapDownload:
+			x = storeSnapDownload{
+				URL:      "http://example.com/foo",
+				Size:     42,
+				Sha3_384: "foo",
+			}
+		case snap.Epoch:
+			x = snap.E("1")
+		case map[string]string:
+			x = map[string]string{"foo": "bar"}
+		case bool:
+			x = true
+		case snap.StoreAccount:
+			x = snap.StoreAccount{
+				ID:          "foo-id",
+				Username:    "foo",
+				DisplayName: "Foo Bar",
+				Validation:  "VALIDATION",
+			}
+		case int:
+			x = 42
+		case snap.Type:
+			x = snap.Type("invalid")
+		case []storeSnapMedia:
+			x = []storeSnapMedia{{
+				Type: "potato",
+				URL:  "http://example.com/foo.pot",
+			}}
+		default:
+			c.Fatalf("unhandled field type %T", field.Interface())
+		}
+		field.Set(reflect.ValueOf(x))
+	}
+}
+
+func (s *detailsV2Suite) TestCopyNonZero(c *C) {
+	// a is a storeSnap with everything non-zero
+	a := storeSnap{}
+	fillStruct(&a, c)
+	// b is all zeros
+	b := storeSnap{}
+
+	aCopy := a
+	bCopy := b
+
+	// sanity check
+	c.Check(a, DeepEquals, aCopy)
+	c.Check(b, DeepEquals, bCopy)
+	c.Check(a, Not(DeepEquals), b)
+
+	// copying from b to a does nothing:
+	copyNonZeroFrom(&b, &a)
+	c.Check(a, DeepEquals, aCopy)
+	c.Check(b, DeepEquals, bCopy)
+
+	// copying from a to b does its thing:
+	copyNonZeroFrom(&a, &b)
+	c.Check(a, DeepEquals, b)
+	c.Check(b, Not(DeepEquals), bCopy)
+}
diff -Nru snapd-2.32.3.2~14.04/store/download_test.go snapd-2.37~rc1~14.04/store/download_test.go
--- snapd-2.32.3.2~14.04/store/download_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/download_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,512 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package store_test
+
+import (
+	"bytes"
+	"crypto"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/juju/ratelimit"
+	"golang.org/x/net/context"
+	. "gopkg.in/check.v1"
+	"gopkg.in/retry.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/progress"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/store"
+	"github.com/snapcore/snapd/testutil"
+)
+
+type downloadSuite struct {
+	testutil.BaseTest
+}
+
+var _ = Suite(&downloadSuite{})
+
+func (s *downloadSuite) SetUpTest(c *C) {
+	s.BaseTest.SetUpTest(c)
+
+	store.MockDownloadRetryStrategy(&s.BaseTest, retry.LimitCount(5, retry.Exponential{
+		Initial: time.Millisecond,
+		Factor:  2.5,
+	}))
+
+	mockXdelta := testutil.MockCommand(c, "xdelta3", "")
+	s.AddCleanup(mockXdelta.Restore)
+}
+
+func (s *downloadSuite) TestActualDownload(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Header.Get("Snap-CDN"), Equals, "")
+		n++
+		io.WriteString(w, "response-data")
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	var buf SillyBuffer
+	// keep tests happy
+	sha3 := ""
+	err := store.Download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+	c.Assert(err, IsNil)
+	c.Check(buf.String(), Equals, "response-data")
+	c.Check(n, Equals, 1)
+}
+
+func (s *downloadSuite) TestActualDownloadNoCDN(c *C) {
+	os.Setenv("SNAPPY_STORE_NO_CDN", "1")
+	defer os.Unsetenv("SNAPPY_STORE_NO_CDN")
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Header.Get("Snap-CDN"), Equals, "none")
+		io.WriteString(w, "response-data")
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	var buf SillyBuffer
+	// keep tests happy
+	sha3 := ""
+	err := store.Download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+	c.Assert(err, IsNil)
+	c.Check(buf.String(), Equals, "response-data")
+}
+
+func (s *downloadSuite) TestActualDownloadFullCloudInfoFromAuthContext(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Header.Get("Snap-CDN"), Equals, `cloud-name="aws" region="us-east-1" availability-zone="us-east-1c"`)
+
+		io.WriteString(w, "response-data")
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	device := createTestDevice()
+	theStore := store.New(&store.Config{}, &testAuthContext{c: c, device: device, cloudInfo: &auth.CloudInfo{Name: "aws", Region: "us-east-1", AvailabilityZone: "us-east-1c"}})
+
+	var buf SillyBuffer
+	// keep tests happy
+	sha3 := ""
+	err := store.Download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+	c.Assert(err, IsNil)
+	c.Check(buf.String(), Equals, "response-data")
+}
+
+func (s *downloadSuite) TestActualDownloadLessDetailedCloudInfoFromAuthContext(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Header.Get("Snap-CDN"), Equals, `cloud-name="openstack" availability-zone="nova"`)
+
+		io.WriteString(w, "response-data")
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	device := createTestDevice()
+	theStore := store.New(&store.Config{}, &testAuthContext{c: c, device: device, cloudInfo: &auth.CloudInfo{Name: "openstack", Region: "", AvailabilityZone: "nova"}})
+
+	var buf SillyBuffer
+	// keep tests happy
+	sha3 := ""
+	err := store.Download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+	c.Assert(err, IsNil)
+	c.Check(buf.String(), Equals, "response-data")
+}
+
+func (s *downloadSuite) TestDownloadCancellation(c *C) {
+	// the channel used by mock server to request cancellation from the test
+	syncCh := make(chan struct{})
+
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		io.WriteString(w, "foo")
+		syncCh <- struct{}{}
+		io.WriteString(w, "bar")
+		time.Sleep(10 * time.Millisecond)
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	result := make(chan string)
+	go func() {
+		sha3 := ""
+		var buf SillyBuffer
+		err := store.Download(ctx, "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+		result <- err.Error()
+		close(result)
+	}()
+
+	<-syncCh
+	cancel()
+
+	err := <-result
+	c.Check(n, Equals, 1)
+	c.Assert(err, Equals, "The download has been cancelled: context canceled")
+}
+
+type nopeSeeker struct{ io.ReadWriter }
+
+func (nopeSeeker) Seek(int64, int) (int64, error) {
+	return -1, errors.New("what is this, quidditch?")
+}
+
+func (s *downloadSuite) TestActualDownloadNonPurchased402(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		// XXX: the server doesn't behave correctly ATM
+		// but 401 for paid snaps is the unlikely case so far
+		w.WriteHeader(402)
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	var buf bytes.Buffer
+	err := store.Download(context.TODO(), "foo", "sha3", mockServer.URL, nil, theStore, nopeSeeker{&buf}, -1, nil, nil)
+	c.Assert(err, NotNil)
+	c.Check(err.Error(), Equals, "please buy foo before installing it.")
+	c.Check(n, Equals, 1)
+}
+
+func (s *downloadSuite) TestActualDownload404(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		w.WriteHeader(404)
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	var buf SillyBuffer
+	err := store.Download(context.TODO(), "foo", "sha3", mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+	c.Assert(err, NotNil)
+	c.Assert(err, FitsTypeOf, &store.DownloadError{})
+	c.Check(err.(*store.DownloadError).Code, Equals, 404)
+	c.Check(n, Equals, 1)
+}
+
+func (s *downloadSuite) TestActualDownload500(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		w.WriteHeader(500)
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	var buf SillyBuffer
+	err := store.Download(context.TODO(), "foo", "sha3", mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+	c.Assert(err, NotNil)
+	c.Assert(err, FitsTypeOf, &store.DownloadError{})
+	c.Check(err.(*store.DownloadError).Code, Equals, 500)
+	c.Check(n, Equals, 5)
+}
+
+func (s *downloadSuite) TestActualDownload500Once(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		if n == 1 {
+			w.WriteHeader(500)
+		} else {
+			io.WriteString(w, "response-data")
+		}
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	var buf SillyBuffer
+	// keep tests happy
+	sha3 := ""
+	err := store.Download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil, nil)
+	c.Assert(err, IsNil)
+	c.Check(buf.String(), Equals, "response-data")
+	c.Check(n, Equals, 2)
+}
+
+// SillyBuffer is a ReadWriteSeeker buffer with a limited size for the tests
+// (bytes does not implement an ReadWriteSeeker)
+type SillyBuffer struct {
+	buf [1024]byte
+	pos int64
+	end int64
+}
+
+func NewSillyBufferString(s string) *SillyBuffer {
+	sb := &SillyBuffer{
+		pos: int64(len(s)),
+		end: int64(len(s)),
+	}
+	copy(sb.buf[0:], []byte(s))
+	return sb
+}
+func (sb *SillyBuffer) Read(b []byte) (n int, err error) {
+	if sb.pos >= int64(sb.end) {
+		return 0, io.EOF
+	}
+	n = copy(b, sb.buf[sb.pos:sb.end])
+	sb.pos += int64(n)
+	return n, nil
+}
+func (sb *SillyBuffer) Seek(offset int64, whence int) (int64, error) {
+	if whence != 0 {
+		panic("only io.SeekStart implemented in SillyBuffer")
+	}
+	if offset < 0 || offset > int64(sb.end) {
+		return 0, fmt.Errorf("seek out of bounds: %d", offset)
+	}
+	sb.pos = offset
+	return sb.pos, nil
+}
+func (sb *SillyBuffer) Write(p []byte) (n int, err error) {
+	n = copy(sb.buf[sb.pos:], p)
+	sb.pos += int64(n)
+	if sb.pos > sb.end {
+		sb.end = sb.pos
+	}
+	return n, nil
+}
+func (sb *SillyBuffer) String() string {
+	return string(sb.buf[0:sb.pos])
+}
+
+func (s *downloadSuite) TestActualDownloadResume(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		io.WriteString(w, "data")
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	buf := NewSillyBufferString("some ")
+	// calc the expected hash
+	h := crypto.SHA3_384.New()
+	h.Write([]byte("some data"))
+	sha3 := fmt.Sprintf("%x", h.Sum(nil))
+	err := store.Download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, buf, int64(len("some ")), nil, nil)
+	c.Check(err, IsNil)
+	c.Check(buf.String(), Equals, "some data")
+	c.Check(n, Equals, 1)
+}
+
+func (s *downloadSuite) TestUseDeltas(c *C) {
+	origPath := os.Getenv("PATH")
+	defer os.Setenv("PATH", origPath)
+	origUseDeltas := os.Getenv("SNAPD_USE_DELTAS_EXPERIMENTAL")
+	defer os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", origUseDeltas)
+	restore := release.MockOnClassic(false)
+	defer restore()
+	altPath := c.MkDir()
+	origSnapMountDir := dirs.SnapMountDir
+	defer func() { dirs.SnapMountDir = origSnapMountDir }()
+	dirs.SnapMountDir = c.MkDir()
+	exeInCorePath := filepath.Join(dirs.SnapMountDir, "/core/current/usr/bin/xdelta3")
+	os.MkdirAll(filepath.Dir(exeInCorePath), 0755)
+
+	scenarios := []struct {
+		env       string
+		classic   bool
+		exeInHost bool
+		exeInCore bool
+
+		wantDelta bool
+	}{
+		{env: "", classic: false, exeInHost: false, exeInCore: false, wantDelta: false},
+		{env: "", classic: false, exeInHost: false, exeInCore: true, wantDelta: true},
+		{env: "", classic: false, exeInHost: true, exeInCore: false, wantDelta: true},
+		{env: "", classic: false, exeInHost: true, exeInCore: true, wantDelta: true},
+		{env: "", classic: true, exeInHost: false, exeInCore: false, wantDelta: false},
+		{env: "", classic: true, exeInHost: false, exeInCore: true, wantDelta: true},
+		{env: "", classic: true, exeInHost: true, exeInCore: false, wantDelta: true},
+		{env: "", classic: true, exeInHost: true, exeInCore: true, wantDelta: true},
+
+		{env: "0", classic: false, exeInHost: false, exeInCore: false, wantDelta: false},
+		{env: "0", classic: false, exeInHost: false, exeInCore: true, wantDelta: false},
+		{env: "0", classic: false, exeInHost: true, exeInCore: false, wantDelta: false},
+		{env: "0", classic: false, exeInHost: true, exeInCore: true, wantDelta: false},
+		{env: "0", classic: true, exeInHost: false, exeInCore: false, wantDelta: false},
+		{env: "0", classic: true, exeInHost: false, exeInCore: true, wantDelta: false},
+		{env: "0", classic: true, exeInHost: true, exeInCore: false, wantDelta: false},
+		{env: "0", classic: true, exeInHost: true, exeInCore: true, wantDelta: false},
+
+		{env: "1", classic: false, exeInHost: false, exeInCore: false, wantDelta: false},
+		{env: "1", classic: false, exeInHost: false, exeInCore: true, wantDelta: true},
+		{env: "1", classic: false, exeInHost: true, exeInCore: false, wantDelta: true},
+		{env: "1", classic: false, exeInHost: true, exeInCore: true, wantDelta: true},
+		{env: "1", classic: true, exeInHost: false, exeInCore: false, wantDelta: false},
+		{env: "1", classic: true, exeInHost: false, exeInCore: true, wantDelta: true},
+		{env: "1", classic: true, exeInHost: true, exeInCore: false, wantDelta: true},
+		{env: "1", classic: true, exeInHost: true, exeInCore: true, wantDelta: true},
+	}
+
+	for _, scenario := range scenarios {
+		if scenario.exeInCore {
+			osutil.CopyFile("/bin/true", exeInCorePath, 0)
+		} else {
+			os.Remove(exeInCorePath)
+		}
+		os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", scenario.env)
+		release.MockOnClassic(scenario.classic)
+		if scenario.exeInHost {
+			os.Setenv("PATH", origPath)
+		} else {
+			os.Setenv("PATH", altPath)
+		}
+
+		c.Check(store.UseDeltas(), Equals, scenario.wantDelta, Commentf("%#v", scenario))
+	}
+}
+
+type downloadBehaviour []struct {
+	url   string
+	error bool
+}
+
+var deltaTests = []struct {
+	downloads       downloadBehaviour
+	info            snap.DownloadInfo
+	expectedContent string
+}{{
+	// The full snap is not downloaded, but rather the delta
+	// is downloaded and applied.
+	downloads: downloadBehaviour{
+		{url: "delta-url"},
+	},
+	info: snap.DownloadInfo{
+		AnonDownloadURL: "full-snap-url",
+		Deltas: []snap.DeltaInfo{
+			{AnonDownloadURL: "delta-url", Format: "xdelta3"},
+		},
+	},
+	expectedContent: "snap-content-via-delta",
+}, {
+	// If there is an error during the delta download, the
+	// full snap is downloaded as per normal.
+	downloads: downloadBehaviour{
+		{error: true},
+		{url: "full-snap-url"},
+	},
+	info: snap.DownloadInfo{
+		AnonDownloadURL: "full-snap-url",
+		Deltas: []snap.DeltaInfo{
+			{AnonDownloadURL: "delta-url", Format: "xdelta3"},
+		},
+	},
+	expectedContent: "full-snap-url-content",
+}, {
+	// If more than one matching delta is returned by the store
+	// we ignore deltas and do the full download.
+	downloads: downloadBehaviour{
+		{url: "full-snap-url"},
+	},
+	info: snap.DownloadInfo{
+		AnonDownloadURL: "full-snap-url",
+		Deltas: []snap.DeltaInfo{
+			{AnonDownloadURL: "delta-url", Format: "xdelta3"},
+			{AnonDownloadURL: "delta-url-2", Format: "xdelta3"},
+		},
+	},
+	expectedContent: "full-snap-url-content",
+}}
+
+func (s *downloadSuite) TestDownloadWithDelta(c *C) {
+	origUseDeltas := os.Getenv("SNAPD_USE_DELTAS_EXPERIMENTAL")
+	defer os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", origUseDeltas)
+	c.Assert(os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", "1"), IsNil)
+
+	for _, testCase := range deltaTests {
+		testCase.info.Size = int64(len(testCase.expectedContent))
+		downloadIndex := 0
+		restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
+			if testCase.downloads[downloadIndex].error {
+				downloadIndex++
+				return errors.New("Bang")
+			}
+			c.Check(url, Equals, testCase.downloads[downloadIndex].url)
+			w.Write([]byte(testCase.downloads[downloadIndex].url + "-content"))
+			downloadIndex++
+			return nil
+		})
+		defer restore()
+		restore = store.MockApplyDelta(func(name string, deltaPath string, deltaInfo *snap.DeltaInfo, targetPath string, targetSha3_384 string) error {
+			c.Check(deltaInfo, Equals, &testCase.info.Deltas[0])
+			err := ioutil.WriteFile(targetPath, []byte("snap-content-via-delta"), 0644)
+			c.Assert(err, IsNil)
+			return nil
+		})
+		defer restore()
+
+		theStore := store.New(&store.Config{}, nil)
+		path := filepath.Join(c.MkDir(), "subdir", "downloaded-file")
+		err := theStore.Download(context.TODO(), "foo", path, &testCase.info, nil, nil, nil)
+
+		c.Assert(err, IsNil)
+		defer os.Remove(path)
+		c.Assert(path, testutil.FileEquals, testCase.expectedContent)
+	}
+}
+
+func (s *downloadSuite) TestActualDownloadRateLimited(c *C) {
+	var ratelimitReaderUsed bool
+	restore := store.MockRatelimitReader(func(r io.Reader, bucket *ratelimit.Bucket) io.Reader {
+		ratelimitReaderUsed = true
+		return r
+	})
+	defer restore()
+
+	canary := "downloaded data"
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, canary)
+	}))
+	defer ts.Close()
+
+	theStore := store.New(&store.Config{}, nil)
+	var buf SillyBuffer
+	err := store.Download(context.TODO(), "example-name", "", ts.URL, nil, theStore, &buf, 0, nil, &store.DownloadOptions{RateLimit: 1})
+	c.Assert(err, IsNil)
+	c.Check(buf.String(), Equals, canary)
+	c.Check(ratelimitReaderUsed, Equals, true)
+}
diff -Nru snapd-2.32.3.2~14.04/store/errors.go snapd-2.37~rc1~14.04/store/errors.go
--- snapd-2.32.3.2~14.04/store/errors.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/errors.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2015 Canonical Ltd
+ * Copyright (C) 2014-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -23,7 +23,11 @@
 	"errors"
 	"fmt"
 	"net/url"
+	"sort"
 	"strings"
+
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
 )
 
 var (
@@ -63,6 +67,17 @@
 	ErrNoUpdateAvailable = errors.New("snap has no updates available")
 )
 
+// RevisionNotAvailableError is returned when an install is attempted for a snap but the/a revision is not available (given install constraints).
+type RevisionNotAvailableError struct {
+	Action   string
+	Channel  string
+	Releases []snap.Channel
+}
+
+func (e *RevisionNotAvailableError) Error() string {
+	return "no snap revision available as specified"
+}
+
 // DownloadError represents a download error
 type DownloadError struct {
 	Code int
@@ -107,3 +122,145 @@
 	//      (empirically this checks out)
 	return strings.Join(es, "  ")
 }
+
+// SnapActionError conveys errors that were reported on otherwise overall successful snap action (install/refresh) request.
+type SnapActionError struct {
+	// NoResults is set if the there were no results in the response
+	NoResults bool
+	// Refresh errors by snap name.
+	Refresh map[string]error
+	// Install errors by snap name.
+	Install map[string]error
+	// Download errors by snap name.
+	Download map[string]error
+	// Other errors.
+	Other []error
+}
+
+func (e SnapActionError) Error() string {
+	nRefresh := len(e.Refresh)
+	nInstall := len(e.Install)
+	nDownload := len(e.Download)
+	nOther := len(e.Other)
+
+	// single error
+	switch nRefresh + nInstall + nDownload + nOther {
+	case 0:
+		if e.NoResults {
+			// this is an atypical result
+			return "no install/refresh information results from the store"
+		}
+	case 1:
+		if nOther == 0 {
+			var op string
+			var errs map[string]error
+			switch {
+			case nRefresh > 0:
+				op = "refresh"
+				errs = e.Refresh
+			case nInstall > 0:
+				op = "install"
+				errs = e.Install
+			case nDownload > 0:
+				op = "download"
+				errs = e.Download
+			}
+			for name, e := range errs {
+				return fmt.Sprintf("cannot %s snap %q: %v", op, name, e)
+			}
+		} else {
+			return fmt.Sprintf("cannot refresh, install, or download: %v", e.Other[0])
+		}
+	}
+
+	header := "cannot refresh, install, or download:"
+	if nOther == 0 {
+		// at least one of nDownload, nInstall, or nRefresh is > 0
+		switch {
+		case nDownload == 0 && nRefresh == 0:
+			header = "cannot install:"
+		case nDownload == 0 && nInstall == 0:
+			header = "cannot refresh:"
+		case nRefresh == 0 && nInstall == 0:
+			header = "cannot download:"
+		case nDownload == 0:
+			header = "cannot refresh or install:"
+		case nInstall == 0:
+			header = "cannot refresh or download:"
+		case nRefresh == 0:
+			header = "cannot install or download:"
+		}
+	}
+
+	// reverse the "snap->error" map to "error->snap", as the
+	// common case is that all snaps fail with the same error
+	// (e.g. "no refresh available")
+	errToSnaps := map[string][]string{}
+	errKeys := []string{} // poorman's ordered map
+
+	for _, m := range []map[string]error{e.Refresh, e.Install, e.Download} {
+		for snapName, err := range m {
+			k := err.Error()
+			v, ok := errToSnaps[k]
+			if !ok {
+				errKeys = append(errKeys, k)
+			}
+			errToSnaps[k] = append(v, snapName)
+		}
+	}
+
+	es := make([]string, 1, 1+len(errToSnaps)+nOther)
+	es[0] = header
+	for _, k := range errKeys {
+		sort.Strings(errToSnaps[k])
+		es = append(es, fmt.Sprintf("%s: %s", k, strutil.Quoted(errToSnaps[k])))
+	}
+
+	for _, e := range e.Other {
+		es = append(es, e.Error())
+	}
+
+	if len(es) == 2 {
+		// header + 1 reason
+		return strings.Join(es, " ")
+	}
+
+	return strings.Join(es, "\n")
+}
+
+// Authorization soft-expiry errors that get handled automatically.
+var (
+	errUserAuthorizationNeedsRefresh   = errors.New("soft-expired user authorization needs refresh")
+	errDeviceAuthorizationNeedsRefresh = errors.New("soft-expired device authorization needs refresh")
+)
+
+func translateSnapActionError(action, channel, code, message string, releases []snapRelease) error {
+	switch code {
+	case "revision-not-found":
+		e := &RevisionNotAvailableError{
+			Action:  action,
+			Channel: channel,
+		}
+		if len(releases) != 0 {
+			parsedReleases := make([]snap.Channel, len(releases))
+			for i := 0; i < len(releases); i++ {
+				var err error
+				parsedReleases[i], err = snap.ParseChannel(releases[i].Channel, releases[i].Architecture)
+				if err != nil {
+					// shouldn't happen, return error without Releases
+					return e
+				}
+			}
+			e.Releases = parsedReleases
+		}
+		return e
+	case "id-not-found", "name-not-found":
+		return ErrSnapNotFound
+	case "user-authorization-needs-refresh":
+		return errUserAuthorizationNeedsRefresh
+	case "device-authorization-needs-refresh":
+		return errDeviceAuthorizationNeedsRefresh
+	default:
+		return fmt.Errorf("%v", message)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/store/export_test.go snapd-2.37~rc1~14.04/store/export_test.go
--- snapd-2.32.3.2~14.04/store/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,9 +20,44 @@
 package store
 
 import (
-	"github.com/snapcore/snapd/testutil"
+	"io"
+
+	"net/http"
+	"net/url"
 
+	"github.com/juju/ratelimit"
+	"golang.org/x/net/context"
 	"gopkg.in/retry.v1"
+
+	"github.com/snapcore/snapd/overlord/auth"
+	"github.com/snapcore/snapd/progress"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/testutil"
+)
+
+var (
+	HardLinkCount = hardLinkCount
+	ApiURL        = apiURL
+	Download      = download
+
+	UseDeltas  = useDeltas
+	ApplyDelta = applyDelta
+
+	AuthLocation      = authLocation
+	AuthURL           = authURL
+	StoreURL          = storeURL
+	StoreDeveloperURL = storeDeveloperURL
+	MustBuy           = mustBuy
+
+	RequestStoreMacaroon     = requestStoreMacaroon
+	DischargeAuthCaveat      = dischargeAuthCaveat
+	RefreshDischargeMacaroon = refreshDischargeMacaroon
+	RequestStoreDeviceNonce  = requestStoreDeviceNonce
+	RequestDeviceSession     = requestDeviceSession
+	LoginCaveatID            = loginCaveatID
+
+	JsonContentType  = jsonContentType
+	SnapActionFields = snapActionFields
 )
 
 // MockDefaultRetryStrategy mocks the retry strategy used by several store requests
@@ -34,6 +69,109 @@
 	})
 }
 
+func MockDownloadRetryStrategy(t *testutil.BaseTest, strategy retry.Strategy) {
+	originalDownloadRetryStrategy := downloadRetryStrategy
+	downloadRetryStrategy = strategy
+	t.AddCleanup(func() {
+		downloadRetryStrategy = originalDownloadRetryStrategy
+	})
+}
+
+func MockConnCheckStrategy(t *testutil.BaseTest, strategy retry.Strategy) {
+	originalConnCheckStrategy := connCheckStrategy
+	connCheckStrategy = strategy
+	t.AddCleanup(func() {
+		connCheckStrategy = originalConnCheckStrategy
+	})
+}
+
 func (cm *CacheManager) CacheDir() string {
 	return cm.cacheDir
 }
+
+func (cm *CacheManager) Cleanup() error {
+	return cm.cleanup()
+}
+
+func (cm *CacheManager) Count() int {
+	return cm.count()
+}
+
+func MockOsRemove(f func(name string) error) func() {
+	oldOsRemove := osRemove
+	osRemove = f
+	return func() {
+		osRemove = oldOsRemove
+	}
+}
+
+func MockDownload(f func(ctx context.Context, name, sha3_384, downloadURL string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *DownloadOptions) error) (restore func()) {
+	origDownload := download
+	download = f
+	return func() {
+		download = origDownload
+	}
+}
+
+func MockApplyDelta(f func(name string, deltaPath string, deltaInfo *snap.DeltaInfo, targetPath string, targetSha3_384 string) error) (restore func()) {
+	origApplyDelta := applyDelta
+	applyDelta = f
+	return func() {
+		applyDelta = origApplyDelta
+	}
+}
+
+func (sto *Store) MockCacher(obs downloadCache) (restore func()) {
+	oldCacher := sto.cacher
+	sto.cacher = obs
+	return func() {
+		sto.cacher = oldCacher
+	}
+}
+
+func (sto *Store) SetDeltaFormat(dfmt string) {
+	sto.deltaFormat = dfmt
+}
+
+func (sto *Store) DownloadDelta(deltaName string, downloadInfo *snap.DownloadInfo, w io.ReadWriteSeeker, pbar progress.Meter, user *auth.UserState) error {
+	return sto.downloadDelta(deltaName, downloadInfo, w, pbar, user)
+}
+
+func (sto *Store) DoRequest(ctx context.Context, client *http.Client, reqOptions *requestOptions, user *auth.UserState) (*http.Response, error) {
+	return sto.doRequest(ctx, client, reqOptions, user)
+}
+
+func (sto *Store) Client() *http.Client {
+	return sto.client
+}
+
+func (sto *Store) DetailFields() []string {
+	return sto.detailFields
+}
+
+func (sto *Store) DecorateOrders(snaps []*snap.Info, user *auth.UserState) error {
+	return sto.decorateOrders(snaps, user)
+}
+
+func (cfg *Config) SetBaseURL(u *url.URL) error {
+	return cfg.setBaseURL(u)
+}
+
+func NewHashError(name, sha3_384, targetSha3_384 string) HashError {
+	return HashError{name, sha3_384, targetSha3_384}
+}
+
+func NewRequestOptions(mth string, url *url.URL) *requestOptions {
+	return &requestOptions{
+		Method: mth,
+		URL:    url,
+	}
+}
+
+func MockRatelimitReader(f func(r io.Reader, bucket *ratelimit.Bucket) io.Reader) (restore func()) {
+	oldRatelimitReader := ratelimitReader
+	ratelimitReader = f
+	return func() {
+		ratelimitReader = oldRatelimitReader
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/store/store.go snapd-2.37~rc1~14.04/store/store.go
--- snapd-2.32.3.2~14.04/store/store.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/store.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2017 Canonical Ltd
+ * Copyright (C) 2014-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -23,6 +23,7 @@
 import (
 	"bytes"
 	"crypto"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -33,28 +34,29 @@
 	"os/exec"
 	"path"
 	"path/filepath"
-	"reflect"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/juju/ratelimit"
 	"golang.org/x/net/context"
 	"golang.org/x/net/context/ctxhttp"
 	"gopkg.in/retry.v1"
 
 	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/httputil"
 	"github.com/snapcore/snapd/i18n"
+	"github.com/snapcore/snapd/jsonutil"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/progress"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
-	"github.com/snapcore/snapd/strutil"
 )
 
 // TODO: better/shorter names are probably in order once fewer legacy places are using this
@@ -74,129 +76,32 @@
 	// RefreshManaged indicates to the store that the refresh is
 	// managed via snapd-control.
 	RefreshManaged bool
+
+	PrivacyKey string
 }
 
 // the LimitTime should be slightly more than 3 times of our http.Client
 // Timeout value
-var defaultRetryStrategy = retry.LimitCount(5, retry.LimitTime(38*time.Second,
+var defaultRetryStrategy = retry.LimitCount(6, retry.LimitTime(38*time.Second,
 	retry.Exponential{
-		Initial: 300 * time.Millisecond,
+		Initial: 350 * time.Millisecond,
 		Factor:  2.5,
 	},
 ))
 
-func infoFromRemote(d *snapDetails) *snap.Info {
-	info := &snap.Info{}
-	info.Architectures = d.Architectures
-	info.Type = d.Type
-	info.Version = d.Version
-	info.Epoch = d.Epoch
-	info.RealName = d.Name
-	info.SnapID = d.SnapID
-	info.Revision = snap.R(d.Revision)
-	info.EditedTitle = d.Title
-	info.EditedSummary = d.Summary
-	info.EditedDescription = d.Description
-	// Note that the store side is using confusing terminology here.
-	// What the store calls "developer" is actually the publisher
-	// username.
-	//
-	// It also sends "publisher" which is the "publisher display name"
-	// which we cannot use currently because it is not validated
-	// (i.e. the publisher could put anything in there and mislead
-	// the users this way).
-	info.Publisher = d.Developer
-	info.PublisherID = d.DeveloperID
-	info.Channel = d.Channel
-	info.Sha3_384 = d.DownloadSha3_384
-	info.Size = d.DownloadSize
-	info.IconURL = d.IconURL
-	info.AnonDownloadURL = d.AnonDownloadURL
-	info.DownloadURL = d.DownloadURL
-	info.Prices = d.Prices
-	info.Private = d.Private
-	info.Paid = len(info.Prices) > 0
-	info.Confinement = snap.ConfinementType(d.Confinement)
-	info.Contact = d.Contact
-	info.License = d.License
-	info.Base = d.Base
-
-	deltas := make([]snap.DeltaInfo, len(d.Deltas))
-	for i, d := range d.Deltas {
-		deltas[i] = snap.DeltaInfo{
-			FromRevision:    d.FromRevision,
-			ToRevision:      d.ToRevision,
-			Format:          d.Format,
-			AnonDownloadURL: d.AnonDownloadURL,
-			DownloadURL:     d.DownloadURL,
-			Size:            d.Size,
-			Sha3_384:        d.Sha3_384,
-		}
-	}
-	info.Deltas = deltas
-
-	screenshots := make([]snap.ScreenshotInfo, 0, len(d.ScreenshotURLs))
-	for _, url := range d.ScreenshotURLs {
-		screenshots = append(screenshots, snap.ScreenshotInfo{
-			URL: url,
-		})
-	}
-	info.Screenshots = screenshots
-	// FIXME: once the store sends "contact" for everything, remove
-	//        the "SupportURL" part of the if
-	if info.Contact == "" {
-		info.Contact = d.SupportURL
-	}
-
-	// fill in the plug/slot data
-	if rawYamlInfo, err := snap.InfoFromSnapYaml([]byte(d.SnapYAML)); err == nil {
-		if info.Plugs == nil {
-			info.Plugs = make(map[string]*snap.PlugInfo)
-		}
-		for k, v := range rawYamlInfo.Plugs {
-			info.Plugs[k] = v
-			info.Plugs[k].Snap = info
-		}
-		if info.Slots == nil {
-			info.Slots = make(map[string]*snap.SlotInfo)
-		}
-		for k, v := range rawYamlInfo.Slots {
-			info.Slots[k] = v
-			info.Slots[k].Snap = info
-		}
-	}
-
-	// fill in the tracks data
-	if len(d.ChannelMapList) > 0 {
-		info.Channels = make(map[string]*snap.ChannelSnapInfo)
-		info.Tracks = make([]string, len(d.ChannelMapList))
-		for i, cm := range d.ChannelMapList {
-			info.Tracks[i] = cm.Track
-			for _, ch := range cm.SnapDetails {
-				// nothing in this channel
-				if ch.Info == "" {
-					continue
-				}
-				var k string
-				if strings.HasPrefix(ch.Channel, cm.Track) {
-					k = ch.Channel
-				} else {
-					k = fmt.Sprintf("%s/%s", cm.Track, ch.Channel)
-				}
-				info.Channels[k] = &snap.ChannelSnapInfo{
-					Revision:    snap.R(ch.Revision),
-					Confinement: snap.ConfinementType(ch.Confinement),
-					Version:     ch.Version,
-					Channel:     ch.Channel,
-					Epoch:       ch.Epoch,
-					Size:        ch.DownloadSize,
-				}
-			}
-		}
-	}
+var downloadRetryStrategy = retry.LimitCount(7, retry.LimitTime(90*time.Second,
+	retry.Exponential{
+		Initial: 500 * time.Millisecond,
+		Factor:  2.5,
+	},
+))
 
-	return info
-}
+var connCheckStrategy = retry.LimitCount(3, retry.LimitTime(38*time.Second,
+	retry.Exponential{
+		Initial: 900 * time.Millisecond,
+		Factor:  1.3,
+	},
+))
 
 // Config represents the configuration to access the snap store
 type Config struct {
@@ -212,10 +117,14 @@
 	Series       string
 
 	DetailFields []string
+	InfoFields   []string
 	DeltaFormat  string
 
 	// CacheDownloads is the number of downloads that should be cached
 	CacheDownloads int
+
+	// Proxy returns the HTTP proxy to use when talking to the store
+	Proxy func(*http.Request) (*url.URL, error)
 }
 
 // setBaseURL updates the store API's base URL in the Config. Must not be used
@@ -249,6 +158,7 @@
 	fallbackStoreID string
 
 	detailFields []string
+	infoFields   []string
 	deltaFormat  string
 	// reused http client
 	client *http.Client
@@ -259,6 +169,7 @@
 	suggestedCurrency string
 
 	cacher downloadCache
+	proxy  func(*http.Request) (*url.URL, error)
 }
 
 func respToError(resp *http.Response, msg string) error {
@@ -271,24 +182,6 @@
 	return fmt.Errorf(tpl, msg, resp.StatusCode, resp.Request.Method, resp.Request.URL)
 }
 
-func getStructFields(s interface{}, exceptions ...string) []string {
-	st := reflect.TypeOf(s)
-	num := st.NumField()
-	fields := make([]string, 0, num)
-	for i := 0; i < num; i++ {
-		tag := st.Field(i).Tag.Get("json")
-		idx := strings.IndexRune(tag, ',')
-		if idx > -1 {
-			tag = tag[:idx]
-		}
-		if tag != "" && !strutil.ListContains(exceptions, tag) {
-			fields = append(fields, tag)
-		}
-	}
-
-	return fields
-}
-
 // Deltas enabled by default on classic, but allow opting in or out on both classic and core.
 func useDeltas() bool {
 	// only xdelta3 is supported for now, so check the binary exists here
@@ -297,8 +190,7 @@
 		return false
 	}
 
-	deltasDefault := release.OnClassic
-	return osutil.GetenvBool("SNAPD_USE_DELTAS_EXPERIMENTAL", deltasDefault)
+	return osutil.GetenvBool("SNAPD_USE_DELTAS_EXPERIMENTAL", true)
 }
 
 func useStaging() bool {
@@ -333,6 +225,7 @@
 func storeURL(api *url.URL) (*url.URL, error) {
 	var override string
 	var overrideName string
+	// XXX: time to drop FORCE_CPI support
 	// XXX: Deprecated but present for backward-compatibility: this used
 	// to be "Click Package Index".  Remove this once people have got
 	// used to SNAPPY_FORCE_API_URL instead.
@@ -380,11 +273,13 @@
 	return "https://" + authLocation() + "/api/v2"
 }
 
+var defaultStoreDeveloperURL = "https://dashboard.snapcraft.io/"
+
 func storeDeveloperURL() string {
 	if useStaging() {
 		return "https://dashboard.staging.snapcraft.io/"
 	}
-	return "https://dashboard.snapcraft.io/"
+	return defaultStoreDeveloperURL
 }
 
 var defaultConfig = Config{}
@@ -407,6 +302,8 @@
 	if err != nil {
 		panic(err)
 	}
+	defaultConfig.DetailFields = jsonutil.StructFields((*snapDetails)(nil), "snap_yaml_raw")
+	defaultConfig.InfoFields = jsonutil.StructFields((*storeSnap)(nil), "snap-yaml")
 }
 
 type searchResults struct {
@@ -421,9 +318,6 @@
 	} `json:"_embedded"`
 }
 
-// The fields we are interested in (not you, snap_yaml_raw)
-var detailFields = getStructFields(snapDetails{}, "snap_yaml_raw")
-
 // The default delta format if not configured.
 var defaultSupportedDeltaFormat = "xdelta3"
 
@@ -433,19 +327,24 @@
 		cfg = &defaultConfig
 	}
 
-	fields := cfg.DetailFields
-	if fields == nil {
-		fields = detailFields
+	detailFields := cfg.DetailFields
+	if detailFields == nil {
+		detailFields = defaultConfig.DetailFields
+	}
+
+	infoFields := cfg.InfoFields
+	if infoFields == nil {
+		infoFields = defaultConfig.InfoFields
 	}
 
-	architecture := arch.UbuntuArchitecture()
-	if cfg.Architecture != "" {
-		architecture = cfg.Architecture
+	architecture := cfg.Architecture
+	if cfg.Architecture == "" {
+		architecture = arch.UbuntuArchitecture()
 	}
 
-	series := release.Series
-	if cfg.Series != "" {
-		series = cfg.Series
+	series := cfg.Series
+	if cfg.Series == "" {
+		series = release.Series
 	}
 
 	deltaFormat := cfg.DeltaFormat
@@ -459,13 +358,16 @@
 		architecture:    architecture,
 		noCDN:           osutil.GetenvBool("SNAPPY_STORE_NO_CDN"),
 		fallbackStoreID: cfg.StoreID,
-		detailFields:    fields,
+		detailFields:    detailFields,
+		infoFields:      infoFields,
 		authContext:     authContext,
 		deltaFormat:     deltaFormat,
+		proxy:           cfg.Proxy,
 
-		client: httputil.NewHTTPClient(&httputil.ClientOpts{
+		client: httputil.NewHTTPClient(&httputil.ClientOptions{
 			Timeout:    10 * time.Second,
 			MayLogBody: true,
+			Proxy:      cfg.Proxy,
 		}),
 	}
 	store.SetCacheDownloads(cfg.CacheDownloads)
@@ -482,13 +384,14 @@
 	// one at a time; so it's better to consider that as part of
 	// individual endpoint paths.
 	searchEndpPath      = "api/v1/snaps/search"
-	detailsEndpPath     = "api/v1/snaps/details"
-	bulkEndpPath        = "api/v1/snaps/metadata"
 	ordersEndpPath      = "api/v1/snaps/purchases/orders"
 	buyEndpPath         = "api/v1/snaps/purchases/buy"
 	customersMeEndpPath = "api/v1/snaps/purchases/customers/me"
 	sectionsEndpPath    = "api/v1/snaps/sections"
 	commandsEndpPath    = "api/v1/snaps/names"
+	// v2
+	snapActionEndpPath = "v2/snaps/refresh"
+	snapInfoEndpPath   = "v2/snaps/info"
 
 	deviceNonceEndpPath   = "api/v1/snaps/auth/nonces"
 	deviceSessionEndpPath = "api/v1/snaps/auth/sessions"
@@ -504,16 +407,6 @@
 	return q
 }
 
-func (s *Store) queryForSnapInfo() url.Values {
-	// like defaultSnapQuery, plus a couple
-	q := url.Values{}
-	if len(s.detailFields) != 0 {
-		fields := append(s.detailFields, "snap_yaml_raw")
-		q.Set("fields", strings.Join(fields, ","))
-	}
-	return q
-}
-
 func (s *Store) baseURL(defaultURL *url.URL) *url.URL {
 	u := defaultURL
 	if s.authContext != nil {
@@ -543,8 +436,8 @@
 }
 
 // LoginUser logs user in the store and returns the authentication macaroons.
-func LoginUser(username, password, otp string) (string, string, error) {
-	macaroon, err := requestStoreMacaroon()
+func (s *Store) LoginUser(username, password, otp string) (string, string, error) {
+	macaroon, err := requestStoreMacaroon(s.client)
 	if err != nil {
 		return "", "", err
 	}
@@ -559,7 +452,7 @@
 		return "", "", err
 	}
 
-	discharge, err := dischargeAuthCaveat(loginCaveat, username, password, otp)
+	discharge, err := dischargeAuthCaveat(s.client, loginCaveat, username, password, otp)
 	if err != nil {
 		return "", "", err
 	}
@@ -567,14 +460,9 @@
 	return macaroon, discharge, nil
 }
 
-// hasStoreAuth returns true if given user has store macaroons setup
-func hasStoreAuth(user *auth.UserState) bool {
-	return user != nil && user.StoreMacaroon != ""
-}
-
 // authAvailable returns true if there is a user and/or device session setup
 func (s *Store) authAvailable(user *auth.UserState) (bool, error) {
-	if hasStoreAuth(user) {
+	if user.HasStoreAuth() {
 		return true, nil
 	} else {
 		var device *auth.DeviceState
@@ -621,7 +509,7 @@
 }
 
 // refreshDischarges will request refreshed discharge macaroons for the user
-func refreshDischarges(user *auth.UserState) ([]string, error) {
+func refreshDischarges(httpClient *http.Client, user *auth.UserState) ([]string, error) {
 	newDischarges := make([]string, len(user.StoreDischarges))
 	for i, d := range user.StoreDischarges {
 		discharge, err := auth.MacaroonDeserialize(d)
@@ -633,7 +521,7 @@
 			continue
 		}
 
-		refreshedDischarge, err := refreshDischargeMacaroon(d)
+		refreshedDischarge, err := refreshDischargeMacaroon(httpClient, d)
 		if err != nil {
 			return nil, err
 		}
@@ -647,7 +535,7 @@
 	if s.authContext == nil {
 		return fmt.Errorf("user credentials need to be refreshed but update in place only supported in snapd")
 	}
-	newDischarges, err := refreshDischarges(user)
+	newDischarges, err := refreshDischarges(s.client, user)
 	if err != nil {
 		return err
 	}
@@ -668,7 +556,7 @@
 		return fmt.Errorf("internal error: no authContext")
 	}
 
-	nonce, err := requestStoreDeviceNonce(s.endpointURL(deviceNonceEndpPath, nil).String())
+	nonce, err := requestStoreDeviceNonce(s.client, s.endpointURL(deviceNonceEndpPath, nil).String())
 	if err != nil {
 		return err
 	}
@@ -678,7 +566,7 @@
 		return err
 	}
 
-	session, err := requestDeviceSession(s.endpointURL(deviceSessionEndpPath, nil).String(), devSessReqParams, device.SessionMacaroon)
+	session, err := requestDeviceSession(s.client, s.endpointURL(deviceSessionEndpPath, nil).String(), devSessReqParams, device.SessionMacaroon)
 	if err != nil {
 		return err
 	}
@@ -693,13 +581,13 @@
 }
 
 // authenticateDevice will add the store expected Macaroon X-Device-Authorization header for device
-func authenticateDevice(r *http.Request, device *auth.DeviceState) {
+func authenticateDevice(r *http.Request, device *auth.DeviceState, apiLevel apiLevel) {
 	if device.SessionMacaroon != "" {
-		r.Header.Set("X-Device-Authorization", fmt.Sprintf(`Macaroon root="%s"`, device.SessionMacaroon))
+		r.Header.Set(hdrSnapDeviceAuthorization[apiLevel], fmt.Sprintf(`Macaroon root="%s"`, device.SessionMacaroon))
 	}
 }
 
-func (s *Store) setStoreID(r *http.Request) (customStore bool) {
+func (s *Store) setStoreID(r *http.Request, apiLevel apiLevel) (customStore bool) {
 	storeID := s.fallbackStoreID
 	if s.authContext != nil {
 		cand, err := s.authContext.StoreID(storeID)
@@ -710,12 +598,27 @@
 		}
 	}
 	if storeID != "" {
-		r.Header.Set("X-Ubuntu-Store", storeID)
+		r.Header.Set(hdrSnapDeviceStore[apiLevel], storeID)
 		return true
 	}
 	return false
 }
 
+type apiLevel int
+
+const (
+	apiV1Endps apiLevel = 0 // api/v1 endpoints
+	apiV2Endps apiLevel = 1 // v2 endpoints
+)
+
+var (
+	hdrSnapDeviceAuthorization = []string{"X-Device-Authorization", "Snap-Device-Authorization"}
+	hdrSnapDeviceStore         = []string{"X-Ubuntu-Store", "Snap-Device-Store"}
+	hdrSnapDeviceSeries        = []string{"X-Ubuntu-Series", "Snap-Device-Series"}
+	hdrSnapDeviceArchitecture  = []string{"X-Ubuntu-Architecture", "Snap-Device-Architecture"}
+	hdrSnapClassic             = []string{"X-Ubuntu-Classic", "Snap-Classic"}
+)
+
 type deviceAuthNeed int
 
 const (
@@ -729,6 +632,7 @@
 	URL          *url.URL
 	Accept       string
 	ContentType  string
+	APILevel     apiLevel
 	ExtraHeaders map[string]string
 	Data         []byte
 
@@ -770,13 +674,14 @@
 
 type catalogItem struct {
 	Name    string   `json:"package_name"`
+	Version string   `json:"version"`
 	Summary string   `json:"summary"`
 	Aliases []alias  `json:"aliases"`
 	Apps    []string `json:"apps"`
 }
 
 type SnapAdder interface {
-	AddSnap(snapName, summary string, commands []string) error
+	AddSnap(snapName, version, summary string, commands []string) error
 }
 
 func decodeCatalog(resp *http.Response, names io.Writer, db SnapAdder) error {
@@ -817,7 +722,7 @@
 			commands = append(commands, snap.JoinSnapApp(v.Name, app))
 		}
 
-		if err := db.AddSnap(v.Name, v.Summary, commands); err != nil {
+		if err := db.AddSnap(v.Name, v.Version, v.Summary, commands); err != nil {
 			return err
 		}
 	}
@@ -874,18 +779,15 @@
 			// 4 tries: 2 tries for each in case both user
 			// and device need refreshing
 			var refreshNeed authRefreshNeed
-			refresh := false
 			if user != nil && strings.Contains(wwwAuth, "needs_refresh=1") {
 				// refresh user
 				refreshNeed.user = true
-				refresh = true
 			}
 			if strings.Contains(wwwAuth, "refresh_device_session=1") {
 				// refresh device session
 				refreshNeed.device = true
-				refresh = true
 			}
-			if refresh {
+			if refreshNeed.needed() {
 				err := s.refreshAuth(user, refreshNeed)
 				if err != nil {
 					return nil, err
@@ -901,6 +803,41 @@
 	}
 }
 
+type authRefreshNeed struct {
+	device bool
+	user   bool
+}
+
+func (rn *authRefreshNeed) needed() bool {
+	return rn.device || rn.user
+}
+
+func (s *Store) refreshAuth(user *auth.UserState, need authRefreshNeed) error {
+	if need.user {
+		// refresh user
+		err := s.refreshUser(user)
+		if err != nil {
+			return err
+		}
+	}
+	if need.device {
+		// refresh device session
+		if s.authContext == nil {
+			return fmt.Errorf("internal error: no authContext")
+		}
+		device, err := s.authContext.Device()
+		if err != nil {
+			return err
+		}
+
+		err = s.refreshDeviceSession(device)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 // build a new http.Request with headers for the store
 func (s *Store) newRequest(reqOptions *requestOptions, user *auth.UserState) (*http.Request, error) {
 	var body io.Reader
@@ -913,7 +850,7 @@
 		return nil, err
 	}
 
-	customStore := s.setStoreID(req)
+	customStore := s.setStoreID(req, reqOptions.APILevel)
 
 	if s.authContext != nil && (customStore || reqOptions.DeviceAuthNeed != deviceAuthCustomStoreOnly) {
 		device, err := s.authContext.Device()
@@ -932,26 +869,21 @@
 				return nil, err
 			}
 		}
-		authenticateDevice(req, device)
+		authenticateDevice(req, device, reqOptions.APILevel)
 	}
 
 	// only set user authentication if user logged in to the store
-	if hasStoreAuth(user) {
+	if user.HasStoreAuth() {
 		authenticateUser(req, user)
 	}
 
 	req.Header.Set("User-Agent", httputil.UserAgent())
 	req.Header.Set("Accept", reqOptions.Accept)
-	req.Header.Set("X-Ubuntu-Architecture", s.architecture)
-	req.Header.Set("X-Ubuntu-Series", s.series)
-	req.Header.Set("X-Ubuntu-Classic", strconv.FormatBool(release.OnClassic))
-	req.Header.Set("X-Ubuntu-Wire-Protocol", UbuntuCoreWireProtocol)
-	// still send this for now
-	req.Header.Set("X-Ubuntu-No-CDN", strconv.FormatBool(s.noCDN))
-	// TODO: do this only for download
-	err = s.cdnHeader(req, reqOptions)
-	if err != nil {
-		return nil, err
+	req.Header.Set(hdrSnapDeviceArchitecture[reqOptions.APILevel], s.architecture)
+	req.Header.Set(hdrSnapDeviceSeries[reqOptions.APILevel], s.series)
+	req.Header.Set(hdrSnapClassic[reqOptions.APILevel], strconv.FormatBool(release.OnClassic))
+	if reqOptions.APILevel == apiV1Endps {
+		req.Header.Set("X-Ubuntu-Wire-Protocol", UbuntuCoreWireProtocol)
 	}
 
 	if reqOptions.ContentType != "" {
@@ -965,14 +897,13 @@
 	return req, nil
 }
 
-func (s *Store) cdnHeader(req *http.Request, reqOptions *requestOptions) error {
+func (s *Store) cdnHeader() (string, error) {
 	if s.noCDN {
-		req.Header.Set("Snap-CDN", "none")
-		return nil
+		return "none", nil
 	}
 
 	if s.authContext == nil {
-		return nil
+		return "", nil
 	}
 
 	// set Snap-CDN from cloud instance information
@@ -985,7 +916,7 @@
 
 	cloudInfo, err := s.authContext.CloudInfo()
 	if err != nil {
-		return err
+		return "", err
 	}
 
 	if cloudInfo != nil {
@@ -997,40 +928,10 @@
 			cdnParams = append(cdnParams, fmt.Sprintf("availability-zone=%q", cloudInfo.AvailabilityZone))
 		}
 
-		req.Header.Set("Snap-CDN", strings.Join(cdnParams, " "))
+		return strings.Join(cdnParams, " "), nil
 	}
-	return nil
-}
 
-type authRefreshNeed struct {
-	device bool
-	user   bool
-}
-
-func (s *Store) refreshAuth(user *auth.UserState, need authRefreshNeed) error {
-	if need.user {
-		// refresh user
-		err := s.refreshUser(user)
-		if err != nil {
-			return err
-		}
-	}
-	if need.device {
-		// refresh device session
-		if s.authContext == nil {
-			return fmt.Errorf("internal error: no authContext")
-		}
-		device, err := s.authContext.Device()
-		if err != nil {
-			return err
-		}
-
-		err = s.refreshDeviceSession(device)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
+	return "", nil
 }
 
 func (s *Store) extractSuggestedCurrency(resp *http.Response) {
@@ -1143,44 +1044,23 @@
 
 // A SnapSpec describes a single snap wanted from SnapInfo
 type SnapSpec struct {
-	Name    string
-	Channel string
-	// AnyChannel can be set to query for any revision independent of channel
-	AnyChannel bool
-	// Revision can be set to query for an exact revision
-	Revision snap.Revision
+	Name string
 }
 
 // SnapInfo returns the snap.Info for the store-hosted snap matching the given spec, or an error.
 func (s *Store) SnapInfo(snapSpec SnapSpec, user *auth.UserState) (*snap.Info, error) {
-	query := s.queryForSnapInfo()
+	query := url.Values{}
+	query.Set("fields", strings.Join(s.infoFields, ","))
+	query.Set("architecture", s.architecture)
 
-	channel := snapSpec.Channel
-	var sel string
-	if channel == "" {
-		channel = "stable" // default
-	}
-	if snapSpec.AnyChannel {
-		channel = ""
-	}
-	if !snapSpec.Revision.Unset() {
-		query.Set("revision", snapSpec.Revision.String())
-		channel = ""
-		sel = fmt.Sprintf(" at revision %s", snapSpec.Revision)
-	}
-	if channel != "" {
-		sel = fmt.Sprintf(" in channel %q", channel)
-	}
-	query.Set("channel", channel)
-
-	u := s.endpointURL(path.Join(detailsEndpPath, snapSpec.Name), query)
+	u := s.endpointURL(path.Join(snapInfoEndpPath, snapSpec.Name), query)
 	reqOptions := &requestOptions{
-		Method: "GET",
-		URL:    u,
-		Accept: halJsonContentType,
+		Method:   "GET",
+		URL:      u,
+		APILevel: apiV2Endps,
 	}
 
-	var remote *snapDetails
+	var remote storeInfo
 	resp, err := s.retryRequestDecodeJSON(context.TODO(), reqOptions, user, &remote, nil)
 	if err != nil {
 		return nil, err
@@ -1193,11 +1073,14 @@
 	case 404:
 		return nil, ErrSnapNotFound
 	default:
-		msg := fmt.Sprintf("get details for snap %q%s", snapSpec.Name, sel)
+		msg := fmt.Sprintf("get details for snap %q", snapSpec.Name)
 		return nil, respToError(resp, msg)
 	}
 
-	info := infoFromRemote(remote)
+	info, err := infoFromStoreInfo(&remote)
+	if err != nil {
+		return nil, err
+	}
 
 	err = s.decorateOrders([]*snap.Info{info}, user)
 	if err != nil {
@@ -1213,6 +1096,7 @@
 type Search struct {
 	Query   string
 	Section string
+	Scope   string
 	Private bool
 	Prefix  bool
 }
@@ -1258,6 +1142,9 @@
 	if search.Section != "" {
 		q.Set("section", search.Section)
 	}
+	if search.Scope != "" {
+		q.Set("scope", search.Scope)
+	}
 
 	if release.OnClassic {
 		q.Set("confinement", "strict,classic")
@@ -1353,9 +1240,10 @@
 	}
 
 	// do not log body for catalog updates (its huge)
-	client := httputil.NewHTTPClient(&httputil.ClientOpts{
+	client := httputil.NewHTTPClient(&httputil.ClientOptions{
 		MayLogBody: false,
 		Timeout:    10 * time.Second,
+		Proxy:      s.proxy,
 	})
 	doRequest := func() (*http.Response, error) {
 		return s.doRequest(ctx, client, reqOptions, nil)
@@ -1380,7 +1268,6 @@
 type RefreshCandidate struct {
 	SnapID   string
 	Revision snap.Revision
-	Epoch    snap.Epoch
 	Block    []snap.Revision
 
 	// the desired channel
@@ -1392,163 +1279,6 @@
 	Amend bool
 }
 
-// the exact bits that we need to send to the store
-type currentSnapJSON struct {
-	SnapID           string     `json:"snap_id"`
-	Channel          string     `json:"channel"`
-	Revision         int        `json:"revision,omitempty"`
-	Epoch            snap.Epoch `json:"epoch"`
-	Confinement      string     `json:"confinement"`
-	IgnoreValidation bool       `json:"ignore_validation,omitempty"`
-}
-
-type metadataWrapper struct {
-	Snaps  []*currentSnapJSON `json:"snaps"`
-	Fields []string           `json:"fields"`
-}
-
-func currentSnap(cs *RefreshCandidate) *currentSnapJSON {
-	// the store gets confused if we send snaps without a snapid
-	// (like local ones)
-	if cs.SnapID == "" {
-		if cs.Revision.Store() {
-			logger.Noticef("store.currentSnap got given a RefreshCandidate with an empty SnapID but a store revision!")
-		}
-		return nil
-	}
-	if !cs.Revision.Store() && !cs.Amend {
-		logger.Noticef("store.currentSnap got given a RefreshCandidate with a non-empty SnapID but a non-store revision!")
-		return nil
-	}
-
-	channel := cs.Channel
-	if channel == "" {
-		channel = "stable"
-	}
-
-	return &currentSnapJSON{
-		SnapID:           cs.SnapID,
-		Channel:          channel,
-		Epoch:            cs.Epoch,
-		Revision:         cs.Revision.N,
-		IgnoreValidation: cs.IgnoreValidation,
-		// confinement purposely left empty
-	}
-}
-
-// query the store for the information about currently offered revisions of snaps
-func (s *Store) refreshForCandidates(ctx context.Context, currentSnaps []*currentSnapJSON, user *auth.UserState, flags *RefreshOptions) ([]*snapDetails, error) {
-	if flags == nil {
-		flags = &RefreshOptions{}
-	}
-
-	if len(currentSnaps) == 0 {
-		// nothing to do
-		return nil, nil
-	}
-
-	// build input for the updates endpoint
-	jsonData, err := json.Marshal(metadataWrapper{
-		Snaps:  currentSnaps,
-		Fields: s.detailFields,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	reqOptions := &requestOptions{
-		Method:      "POST",
-		URL:         s.endpointURL(bulkEndpPath, nil),
-		Accept:      halJsonContentType,
-		ContentType: jsonContentType,
-		Data:        jsonData,
-	}
-
-	if useDeltas() {
-		logger.Debugf("Deltas enabled. Adding header X-Ubuntu-Delta-Formats: %v", s.deltaFormat)
-		reqOptions.addHeader("X-Ubuntu-Delta-Formats", s.deltaFormat)
-	}
-	if flags.RefreshManaged {
-		reqOptions.addHeader("X-Ubuntu-Refresh-Managed", "true")
-	}
-
-	var updateData searchResults
-	resp, err := s.retryRequestDecodeJSON(ctx, reqOptions, user, &updateData, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != 200 {
-		return nil, respToError(resp, "query the store for updates")
-	}
-
-	s.extractSuggestedCurrency(resp)
-
-	return updateData.Payload.Packages, nil
-}
-
-var refreshForCandidates = (*Store).refreshForCandidates
-
-// LookupRefresh returns a snap's store-offered revision information given its refresh candidate.
-func (s *Store) LookupRefresh(installed *RefreshCandidate, user *auth.UserState) (*snap.Info, error) {
-	cur := currentSnap(installed)
-	if cur == nil {
-		return nil, ErrLocalSnap
-	}
-
-	latest, err := refreshForCandidates(s, context.TODO(), []*currentSnapJSON{cur}, user, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(latest) != 1 {
-		return nil, ErrSnapNotFound
-	}
-
-	rsnap := latest[0]
-	if !acceptableUpdate(rsnap, installed) {
-		return nil, ErrNoUpdateAvailable
-	}
-
-	return infoFromRemote(rsnap), nil
-}
-
-// ListRefresh returns the available updates for a list of refresh candidates.
-// NOTE ListRefresh can return nil, nil if e.g. all local snaps are passed in
-func (s *Store) ListRefresh(ctx context.Context, installed []*RefreshCandidate, user *auth.UserState, flags *RefreshOptions) (snaps []*snap.Info, err error) {
-	candidateMap := map[string]*RefreshCandidate{}
-	currentSnaps := make([]*currentSnapJSON, 0, len(installed))
-	for _, cs := range installed {
-		cur := currentSnap(cs)
-		if cur == nil {
-			continue
-		}
-		currentSnaps = append(currentSnaps, cur)
-		candidateMap[cs.SnapID] = cs
-	}
-
-	latest, err := s.refreshForCandidates(ctx, currentSnaps, user, flags)
-	if err != nil {
-		return nil, err
-	}
-
-	toRefresh := make([]*snap.Info, 0, len(latest))
-	for _, rsnap := range latest {
-		if !acceptableUpdate(rsnap, candidateMap[rsnap.SnapID]) {
-			continue
-		}
-
-		toRefresh = append(toRefresh, infoFromRemote(rsnap))
-	}
-
-	return toRefresh, nil
-}
-
-func acceptableUpdate(remote *snapDetails, installed *RefreshCandidate) bool {
-	rrev := snap.R(remote.Revision)
-	return !(rrev == installed.Revision || findRev(rrev, installed.Block))
-}
-
 func findRev(needle snap.Revision, haystack []snap.Revision) bool {
 	for _, r := range haystack {
 		if needle == r {
@@ -1568,16 +1298,21 @@
 	return fmt.Sprintf("sha3-384 mismatch for %q: got %s but expected %s", e.name, e.sha3_384, e.targetSha3_384)
 }
 
+type DownloadOptions struct {
+	RateLimit int64
+}
+
 // Download downloads the snap addressed by download info and returns its
 // filename.
 // The file is saved in temporary storage, and should be removed
 // after use to prevent the disk from running out of space.
-func (s *Store) Download(ctx context.Context, name string, targetPath string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState) error {
+func (s *Store) Download(ctx context.Context, name string, targetPath string, downloadInfo *snap.DownloadInfo, pbar progress.Meter, user *auth.UserState, dlOpts *DownloadOptions) error {
 	if err := os.MkdirAll(filepath.Dir(targetPath), 0755); err != nil {
 		return err
 	}
 
 	if err := s.cacher.Get(downloadInfo.Sha3_384, targetPath); err == nil {
+		logger.Debugf("Cache hit for SHA3_384 …%.5s.", downloadInfo.Sha3_384)
 		return nil
 	}
 
@@ -1595,7 +1330,7 @@
 	}
 
 	partialPath := targetPath + ".partial"
-	w, err := os.OpenFile(partialPath, os.O_RDWR|os.O_CREATE, 0644)
+	w, err := os.OpenFile(partialPath, os.O_RDWR|os.O_CREATE, 0600)
 	if err != nil {
 		return err
 	}
@@ -1611,6 +1346,11 @@
 			os.Remove(w.Name())
 		}
 	}()
+	if resume > 0 {
+		logger.Debugf("Resuming download of %q at %d.", partialPath, resume)
+	} else {
+		logger.Debugf("Starting download of %q.", partialPath)
+	}
 
 	authAvail, err := s.authAvailable(user)
 	if err != nil {
@@ -1623,7 +1363,10 @@
 	}
 
 	if downloadInfo.Size == 0 || resume < downloadInfo.Size {
-		err = download(ctx, name, downloadInfo.Sha3_384, url, user, s, w, resume, pbar)
+		err = download(ctx, name, downloadInfo.Sha3_384, url, user, s, w, resume, pbar, dlOpts)
+		if err != nil {
+			logger.Debugf("download of %q failed: %#v", url, err)
+		}
 	} else {
 		// we're done! check the hash though
 		h := crypto.SHA3_384.New()
@@ -1641,6 +1384,7 @@
 	// If hashsum is incorrect retry once
 	if _, ok := err.(HashError); ok {
 		logger.Debugf("Hashsum error on download: %v", err.Error())
+		logger.Debugf("Truncating and trying again from scratch.")
 		err = w.Truncate(0)
 		if err != nil {
 			return err
@@ -1649,7 +1393,10 @@
 		if err != nil {
 			return err
 		}
-		err = download(ctx, name, downloadInfo.Sha3_384, url, user, s, w, 0, pbar)
+		err = download(ctx, name, downloadInfo.Sha3_384, url, user, s, w, 0, pbar, nil)
+		if err != nil {
+			logger.Debugf("download of %q failed: %#v", url, err)
+		}
 	}
 
 	if err != nil {
@@ -1667,28 +1414,51 @@
 	return s.cacher.Put(downloadInfo.Sha3_384, targetPath)
 }
 
+func reqOptions(storeURL *url.URL, cdnHeader string) *requestOptions {
+	reqOptions := requestOptions{
+		Method:       "GET",
+		URL:          storeURL,
+		ExtraHeaders: map[string]string{},
+	}
+	if cdnHeader != "" {
+		reqOptions.ExtraHeaders["Snap-CDN"] = cdnHeader
+	}
+
+	return &reqOptions
+}
+
+var ratelimitReader = ratelimit.Reader
+
+var download = downloadImpl
+
 // download writes an http.Request showing a progress.Meter
-var download = func(ctx context.Context, name, sha3_384, downloadURL string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+func downloadImpl(ctx context.Context, name, sha3_384, downloadURL string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *DownloadOptions) error {
+	if dlOpts == nil {
+		dlOpts = &DownloadOptions{}
+	}
+
 	storeURL, err := url.Parse(downloadURL)
 	if err != nil {
 		return err
 	}
 
+	cdnHeader, err := s.cdnHeader()
+	if err != nil {
+		return err
+	}
+
 	var finalErr error
+	var dlSize float64
 	startTime := time.Now()
-	for attempt := retry.Start(defaultRetryStrategy, nil); attempt.Next(); {
-		reqOptions := &requestOptions{
-			Method: "GET",
-			URL:    storeURL,
-		}
+	for attempt := retry.Start(downloadRetryStrategy, nil); attempt.Next(); {
+		reqOptions := reqOptions(storeURL, cdnHeader)
+
 		httputil.MaybeLogRetryAttempt(reqOptions.URL.String(), attempt, startTime)
 
 		h := crypto.SHA3_384.New()
 
 		if resume > 0 {
-			reqOptions.ExtraHeaders = map[string]string{
-				"Range": fmt.Sprintf("bytes=%d-", resume),
-			}
+			reqOptions.ExtraHeaders["Range"] = fmt.Sprintf("bytes=%d-", resume)
 			// seed the sha3 with the already local file
 			if _, err := w.Seek(0, os.SEEK_SET); err != nil {
 				return err
@@ -1706,7 +1476,7 @@
 			return fmt.Errorf("The download has been cancelled: %s", ctx.Err())
 		}
 		var resp *http.Response
-		resp, finalErr = s.doRequest(ctx, httputil.NewHTTPClient(nil), reqOptions, user)
+		resp, finalErr = s.doRequest(ctx, httputil.NewHTTPClient(&httputil.ClientOptions{Proxy: s.proxy}), reqOptions, user)
 
 		if cancelled(ctx) {
 			return fmt.Errorf("The download has been cancelled: %s", ctx.Err())
@@ -1737,9 +1507,16 @@
 		if pbar == nil {
 			pbar = progress.Null
 		}
-		pbar.Start(name, float64(resp.ContentLength))
+		dlSize = float64(resp.ContentLength)
+		pbar.Start(name, dlSize)
 		mw := io.MultiWriter(w, h, pbar)
-		_, finalErr = io.Copy(mw, resp.Body)
+		var limiter io.Reader
+		limiter = resp.Body
+		if limit := dlOpts.RateLimit; limit > 0 {
+			bucket := ratelimit.NewBucketWithRate(float64(limit), 2*limit)
+			limiter = ratelimitReader(resp.Body, bucket)
+		}
+		_, finalErr = io.Copy(mw, limiter)
 		pbar.Finished()
 		if finalErr != nil {
 			if httputil.ShouldRetryError(attempt, finalErr) {
@@ -1764,6 +1541,20 @@
 		}
 		break
 	}
+	if finalErr == nil {
+		// not using quantity.FormatFoo as this is just for debug
+		dt := time.Since(startTime)
+		r := dlSize / dt.Seconds()
+		var p rune
+		for _, p = range " kMGTPEZY" {
+			if r < 1000 {
+				break
+			}
+			r /= 1000
+		}
+
+		logger.Debugf("Download succeeded in %.03fs (%.0f%cB/s).", dt.Seconds(), r, p)
+	}
 	return finalErr
 }
 
@@ -1790,7 +1581,7 @@
 		url = deltaInfo.DownloadURL
 	}
 
-	return download(context.TODO(), deltaName, deltaInfo.Sha3_384, url, user, s, w, 0, pbar)
+	return download(context.TODO(), deltaName, deltaInfo.Sha3_384, url, user, s, w, 0, pbar, nil)
 }
 
 func getXdelta3Cmd(args ...string) (*exec.Cmd, error) {
@@ -1798,7 +1589,7 @@
 	case osutil.ExecutableExists("xdelta3"):
 		return exec.Command("xdelta3", args...), nil
 	case osutil.FileExists(filepath.Join(dirs.SnapMountDir, "/core/current/usr/bin/xdelta3")):
-		return osutil.CommandFromCore("/usr/bin/xdelta3", args...)
+		return osutil.CommandFromCore(dirs.SnapMountDir, "/usr/bin/xdelta3", args...)
 	}
 	return nil, fmt.Errorf("cannot find xdelta3 binary in PATH or core snap")
 }
@@ -1831,6 +1622,10 @@
 		return err
 	}
 
+	if err := os.Chmod(partialTargetPath, 0600); err != nil {
+		return err
+	}
+
 	bsha3_384, _, err := osutil.FileDigest(partialTargetPath, crypto.SHA3_384)
 	if err != nil {
 		return err
@@ -1857,7 +1652,7 @@
 	deltaPath := fmt.Sprintf("%s.%s-%d-to-%d.partial", targetPath, deltaInfo.Format, deltaInfo.FromRevision, deltaInfo.ToRevision)
 	deltaName := fmt.Sprintf(i18n.G("%s (delta)"), name)
 
-	w, err := os.Create(deltaPath)
+	w, err := os.OpenFile(deltaPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return err
 	}
@@ -1955,18 +1750,6 @@
 	return s.suggestedCurrency
 }
 
-// BuyOptions specifies parameters to buy from the store.
-type BuyOptions struct {
-	SnapID   string  `json:"snap-id"`
-	Price    float64 `json:"price"`
-	Currency string  `json:"currency"` // ISO 4217 code as string
-}
-
-// BuyResult holds the state of a buy attempt.
-type BuyResult struct {
-	State string `json:"state,omitempty"`
-}
-
 // orderInstruction holds data sent to the store for orders.
 type orderInstruction struct {
 	SnapID   string `json:"snap_id"`
@@ -2001,13 +1784,13 @@
 	return s.Errors[0].Error()
 }
 
-func buyOptionError(message string) (*BuyResult, error) {
+func buyOptionError(message string) (*client.BuyResult, error) {
 	return nil, fmt.Errorf("cannot buy snap: %s", message)
 }
 
 // Buy sends a buy request for the specified snap.
 // Returns the state of the order: Complete, Cancelled.
-func (s *Store) Buy(options *BuyOptions, user *auth.UserState) (*BuyResult, error) {
+func (s *Store) Buy(options *client.BuyOptions, user *auth.UserState) (*client.BuyResult, error) {
 	if options.SnapID == "" {
 		return buyOptionError("snap ID missing")
 	}
@@ -2054,7 +1837,7 @@
 			return buyOptionError("payment cancelled")
 		}
 
-		return &BuyResult{
+		return &client.BuyResult{
 			State: orderDetails.State,
 		}, nil
 	case 400:
@@ -2143,3 +1926,522 @@
 		s.cacher = &nullCache{}
 	}
 }
+
+// snap action: install/refresh
+
+type CurrentSnap struct {
+	InstanceName     string
+	SnapID           string
+	Revision         snap.Revision
+	TrackingChannel  string
+	RefreshedDate    time.Time
+	IgnoreValidation bool
+	Block            []snap.Revision
+	Epoch            snap.Epoch
+}
+
+type currentSnapV2JSON struct {
+	SnapID           string     `json:"snap-id"`
+	InstanceKey      string     `json:"instance-key"`
+	Revision         int        `json:"revision"`
+	TrackingChannel  string     `json:"tracking-channel"`
+	Epoch            snap.Epoch `json:"epoch"`
+	RefreshedDate    *time.Time `json:"refreshed-date,omitempty"`
+	IgnoreValidation bool       `json:"ignore-validation,omitempty"`
+}
+
+type SnapActionFlags int
+
+const (
+	SnapActionIgnoreValidation SnapActionFlags = 1 << iota
+	SnapActionEnforceValidation
+)
+
+type SnapAction struct {
+	Action       string
+	InstanceName string
+	SnapID       string
+	Channel      string
+	Revision     snap.Revision
+	Flags        SnapActionFlags
+	Epoch        snap.Epoch
+}
+
+func isValidAction(action string) bool {
+	switch action {
+	case "download", "install", "refresh":
+		return true
+	default:
+		return false
+	}
+}
+
+type snapActionJSON struct {
+	Action           string `json:"action"`
+	InstanceKey      string `json:"instance-key"`
+	Name             string `json:"name,omitempty"`
+	SnapID           string `json:"snap-id,omitempty"`
+	Channel          string `json:"channel,omitempty"`
+	Revision         int    `json:"revision,omitempty"`
+	IgnoreValidation *bool  `json:"ignore-validation,omitempty"`
+
+	// NOTE the store needs an epoch (even if null) for the "install" and "download"
+	// actions, to know the client handles epochs at all.  "refresh" actions should
+	// send nothing, not even null -- the snap in the context should have the epoch
+	// already.  We achieve this by making Epoch be an `interface{}` with omitempty,
+	// and then setting it to a (possibly nil) epoch for install and download. As a
+	// nil epoch is not an empty interface{}, you'll get the null in the json.
+	Epoch interface{} `json:"epoch,omitempty"`
+}
+
+type snapRelease struct {
+	Architecture string `json:"architecture"`
+	Channel      string `json:"channel"`
+}
+
+type snapActionResult struct {
+	Result           string    `json:"result"`
+	InstanceKey      string    `json:"instance-key"`
+	SnapID           string    `json:"snap-id,omitempy"`
+	Name             string    `json:"name,omitempty"`
+	Snap             storeSnap `json:"snap"`
+	EffectiveChannel string    `json:"effective-channel,omitempty"`
+	Error            struct {
+		Code    string `json:"code"`
+		Message string `json:"message"`
+		Extra   struct {
+			Releases []snapRelease `json:"releases"`
+		} `json:"extra"`
+	} `json:"error"`
+}
+
+type snapActionRequest struct {
+	Context []*currentSnapV2JSON `json:"context"`
+	Actions []*snapActionJSON    `json:"actions"`
+	Fields  []string             `json:"fields"`
+}
+
+type snapActionResultList struct {
+	Results   []*snapActionResult `json:"results"`
+	ErrorList []struct {
+		Code    string `json:"code"`
+		Message string `json:"message"`
+	} `json:"error-list"`
+}
+
+var snapActionFields = jsonutil.StructFields((*storeSnap)(nil))
+
+// SnapAction queries the store for snap information for the given
+// install/refresh actions, given the context information about
+// current installed snaps in currentSnaps. If the request was overall
+// successul (200) but there were reported errors it will return both
+// the snap infos and an SnapActionError.
+func (s *Store) SnapAction(ctx context.Context, currentSnaps []*CurrentSnap, actions []*SnapAction, user *auth.UserState, opts *RefreshOptions) ([]*snap.Info, error) {
+	if opts == nil {
+		opts = &RefreshOptions{}
+	}
+
+	if len(currentSnaps) == 0 && len(actions) == 0 {
+		// nothing to do
+		return nil, &SnapActionError{NoResults: true}
+	}
+
+	authRefreshes := 0
+	for {
+		snaps, err := s.snapAction(ctx, currentSnaps, actions, user, opts)
+
+		if saErr, ok := err.(*SnapActionError); ok && authRefreshes < 2 && len(saErr.Other) > 0 {
+			// do we need to try to refresh auths?, 2 tries
+			var refreshNeed authRefreshNeed
+			for _, otherErr := range saErr.Other {
+				switch otherErr {
+				case errUserAuthorizationNeedsRefresh:
+					refreshNeed.user = true
+				case errDeviceAuthorizationNeedsRefresh:
+					refreshNeed.device = true
+				}
+			}
+			if refreshNeed.needed() {
+				err := s.refreshAuth(user, refreshNeed)
+				if err != nil {
+					// best effort
+					logger.Noticef("cannot refresh soft-expired authorisation: %v", err)
+				}
+				authRefreshes++
+				// TODO: we could avoid retrying here
+				// if refreshAuth gave no error we got
+				// as many non-error results from the
+				// store as actions anyway
+				continue
+			}
+		}
+
+		return snaps, err
+	}
+}
+
+func genInstanceKey(curSnap *CurrentSnap, salt string) (string, error) {
+	_, snapInstanceKey := snap.SplitInstanceName(curSnap.InstanceName)
+
+	if snapInstanceKey == "" {
+		return curSnap.SnapID, nil
+	}
+
+	if salt == "" {
+		return "", fmt.Errorf("internal error: request salt not provided")
+	}
+
+	// due to privacy concerns, avoid sending the local names to the
+	// backend, instead hash the snap ID and instance key together
+	h := crypto.SHA256.New()
+	h.Write([]byte(curSnap.SnapID))
+	h.Write([]byte(snapInstanceKey))
+	h.Write([]byte(salt))
+	enc := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
+	return fmt.Sprintf("%s:%s", curSnap.SnapID, enc), nil
+}
+
+func (s *Store) snapAction(ctx context.Context, currentSnaps []*CurrentSnap, actions []*SnapAction, user *auth.UserState, opts *RefreshOptions) ([]*snap.Info, error) {
+
+	// TODO: the store already requires instance-key but doesn't
+	// yet support repeating in context or sending actions for the
+	// same snap-id, for now we keep instance-key handling internal
+
+	requestSalt := ""
+	if opts != nil {
+		requestSalt = opts.PrivacyKey
+	}
+	curSnaps := make(map[string]*CurrentSnap, len(currentSnaps))
+	curSnapJSONs := make([]*currentSnapV2JSON, len(currentSnaps))
+	instanceNameToKey := make(map[string]string, len(currentSnaps))
+	for i, curSnap := range currentSnaps {
+		if curSnap.SnapID == "" || curSnap.InstanceName == "" || curSnap.Revision.Unset() {
+			return nil, fmt.Errorf("internal error: invalid current snap information")
+		}
+		instanceKey, err := genInstanceKey(curSnap, requestSalt)
+		if err != nil {
+			return nil, err
+		}
+		curSnaps[instanceKey] = curSnap
+		instanceNameToKey[curSnap.InstanceName] = instanceKey
+
+		channel := curSnap.TrackingChannel
+		if channel == "" {
+			channel = "stable"
+		}
+		var refreshedDate *time.Time
+		if !curSnap.RefreshedDate.IsZero() {
+			refreshedDate = &curSnap.RefreshedDate
+		}
+		curSnapJSONs[i] = &currentSnapV2JSON{
+			SnapID:           curSnap.SnapID,
+			InstanceKey:      instanceKey,
+			Revision:         curSnap.Revision.N,
+			TrackingChannel:  channel,
+			IgnoreValidation: curSnap.IgnoreValidation,
+			RefreshedDate:    refreshedDate,
+			Epoch:            curSnap.Epoch,
+		}
+	}
+
+	downloadNum := 0
+	installNum := 0
+	installs := make(map[string]*SnapAction, len(actions))
+	downloads := make(map[string]*SnapAction, len(actions))
+	refreshes := make(map[string]*SnapAction, len(actions))
+	actionJSONs := make([]*snapActionJSON, len(actions))
+	for i, a := range actions {
+		if !isValidAction(a.Action) {
+			return nil, fmt.Errorf("internal error: unsupported action %q", a.Action)
+		}
+		if a.InstanceName == "" {
+			return nil, fmt.Errorf("internal error: action without instance name")
+		}
+		var ignoreValidation *bool
+		if a.Flags&SnapActionIgnoreValidation != 0 {
+			var t = true
+			ignoreValidation = &t
+		} else if a.Flags&SnapActionEnforceValidation != 0 {
+			var f = false
+			ignoreValidation = &f
+		}
+
+		var instanceKey string
+		aJSON := &snapActionJSON{
+			Action:           a.Action,
+			SnapID:           a.SnapID,
+			Channel:          a.Channel,
+			Revision:         a.Revision.N,
+			IgnoreValidation: ignoreValidation,
+		}
+		if !a.Revision.Unset() {
+			a.Channel = ""
+		}
+
+		if a.Action == "install" {
+			installNum++
+			instanceKey = fmt.Sprintf("install-%d", installNum)
+			installs[instanceKey] = a
+		} else if a.Action == "download" {
+			downloadNum++
+			instanceKey = fmt.Sprintf("download-%d", downloadNum)
+			downloads[instanceKey] = a
+			if _, key := snap.SplitInstanceName(a.InstanceName); key != "" {
+				return nil, fmt.Errorf("internal error: unsupported download with instance name %q", a.InstanceName)
+			}
+		} else {
+			instanceKey = instanceNameToKey[a.InstanceName]
+			refreshes[instanceKey] = a
+		}
+
+		if a.Action != "refresh" {
+			aJSON.Name = snap.InstanceSnap(a.InstanceName)
+			if a.Epoch.IsZero() {
+				// Let the store know we can handle epochs, by sending the `epoch`
+				// field in the request.  A nil epoch is not an empty interface{},
+				// you'll get the null in the json. See comment in snapActionJSON.
+				aJSON.Epoch = (*snap.Epoch)(nil)
+			} else {
+				// this is the amend case
+				aJSON.Epoch = &a.Epoch
+			}
+		}
+
+		aJSON.InstanceKey = instanceKey
+
+		actionJSONs[i] = aJSON
+	}
+
+	// build input for the install/refresh endpoint
+	jsonData, err := json.Marshal(snapActionRequest{
+		Context: curSnapJSONs,
+		Actions: actionJSONs,
+		Fields:  snapActionFields,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	reqOptions := &requestOptions{
+		Method:      "POST",
+		URL:         s.endpointURL(snapActionEndpPath, nil),
+		Accept:      jsonContentType,
+		ContentType: jsonContentType,
+		Data:        jsonData,
+		APILevel:    apiV2Endps,
+	}
+
+	if useDeltas() {
+		logger.Debugf("Deltas enabled. Adding header Snap-Accept-Delta-Format: %v", s.deltaFormat)
+		reqOptions.addHeader("Snap-Accept-Delta-Format", s.deltaFormat)
+	}
+	if opts.RefreshManaged {
+		reqOptions.addHeader("Snap-Refresh-Managed", "true")
+	}
+
+	var results snapActionResultList
+	resp, err := s.retryRequestDecodeJSON(ctx, reqOptions, user, &results, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != 200 {
+		return nil, respToError(resp, "query the store for updates")
+	}
+
+	s.extractSuggestedCurrency(resp)
+
+	refreshErrors := make(map[string]error)
+	installErrors := make(map[string]error)
+	downloadErrors := make(map[string]error)
+	var otherErrors []error
+
+	var snaps []*snap.Info
+	for _, res := range results.Results {
+		if res.Result == "error" {
+			if a := installs[res.InstanceKey]; a != nil {
+				if res.Name != "" {
+					installErrors[a.InstanceName] = translateSnapActionError("install", a.Channel, res.Error.Code, res.Error.Message, res.Error.Extra.Releases)
+					continue
+				}
+			} else if a := downloads[res.InstanceKey]; a != nil {
+				if res.Name != "" {
+					downloadErrors[res.Name] = translateSnapActionError("download", a.Channel, res.Error.Code, res.Error.Message, res.Error.Extra.Releases)
+					continue
+				}
+			} else {
+				if cur := curSnaps[res.InstanceKey]; cur != nil {
+					a := refreshes[res.InstanceKey]
+					if a == nil {
+						// got an error for a snap that was not part of an 'action'
+						otherErrors = append(otherErrors, translateSnapActionError("", "", res.Error.Code, fmt.Sprintf("snap %q: %s", cur.InstanceName, res.Error.Message), nil))
+						logger.Debugf("Unexpected error for snap %q, instance key %v: [%v] %v", cur.InstanceName, res.InstanceKey, res.Error.Code, res.Error.Message)
+						continue
+					}
+					channel := a.Channel
+					if channel == "" && a.Revision.Unset() {
+						channel = cur.TrackingChannel
+					}
+					refreshErrors[cur.InstanceName] = translateSnapActionError("refresh", channel, res.Error.Code, res.Error.Message, res.Error.Extra.Releases)
+					continue
+				}
+			}
+			otherErrors = append(otherErrors, translateSnapActionError("", "", res.Error.Code, res.Error.Message, nil))
+			continue
+		}
+		snapInfo, err := infoFromStoreSnap(&res.Snap)
+		if err != nil {
+			return nil, fmt.Errorf("unexpected invalid install/refresh API result: %v", err)
+		}
+
+		snapInfo.Channel = res.EffectiveChannel
+
+		var instanceName string
+		if res.Result == "refresh" {
+			cur := curSnaps[res.InstanceKey]
+			if cur == nil {
+				return nil, fmt.Errorf("unexpected invalid install/refresh API result: unexpected refresh")
+			}
+			rrev := snap.R(res.Snap.Revision)
+			if rrev == cur.Revision || findRev(rrev, cur.Block) {
+				refreshErrors[cur.InstanceName] = ErrNoUpdateAvailable
+				continue
+			}
+			instanceName = cur.InstanceName
+		} else if res.Result == "install" {
+			if action := installs[res.InstanceKey]; action != nil {
+				instanceName = action.InstanceName
+			}
+		}
+
+		if res.Result != "download" && instanceName == "" {
+			return nil, fmt.Errorf("unexpected invalid install/refresh API result: unexpected instance-key %q", res.InstanceKey)
+		}
+
+		_, instanceKey := snap.SplitInstanceName(instanceName)
+		snapInfo.InstanceKey = instanceKey
+
+		snaps = append(snaps, snapInfo)
+	}
+
+	for _, errObj := range results.ErrorList {
+		otherErrors = append(otherErrors, translateSnapActionError("", "", errObj.Code, errObj.Message, nil))
+	}
+
+	if len(refreshErrors)+len(installErrors)+len(downloadErrors) != 0 || len(results.Results) == 0 || len(otherErrors) != 0 {
+		// normalize empty maps
+		if len(refreshErrors) == 0 {
+			refreshErrors = nil
+		}
+		if len(installErrors) == 0 {
+			installErrors = nil
+		}
+		if len(downloadErrors) == 0 {
+			downloadErrors = nil
+		}
+		return snaps, &SnapActionError{
+			NoResults: len(results.Results) == 0,
+			Refresh:   refreshErrors,
+			Install:   installErrors,
+			Download:  downloadErrors,
+			Other:     otherErrors,
+		}
+	}
+
+	return snaps, nil
+}
+
+// abbreviated info structs just for the download info
+type storeInfoChannelAbbrev struct {
+	Download storeSnapDownload `json:"download"`
+}
+
+type storeInfoAbbrev struct {
+	// discard anything beyond the first entry
+	ChannelMap [1]storeInfoChannelAbbrev `json:"channel-map"`
+}
+
+var errUnexpectedConnCheckResponse = errors.New("unexpected response during connection check")
+
+func (s *Store) snapConnCheck() ([]string, error) {
+	var hosts []string
+	// NOTE: "core" is possibly the only snap that's sure to be in all stores
+	//       when we drop "core" in the move to snapd/core18/etc, change this
+	infoURL := s.endpointURL(path.Join(snapInfoEndpPath, "core"), url.Values{
+		// we only want the download URL
+		"fields": {"download"},
+		// we only need *one* (but can't filter by channel ... yet)
+		"architecture": {s.architecture},
+	})
+	hosts = append(hosts, infoURL.Host)
+
+	var result storeInfoAbbrev
+	resp, err := httputil.RetryRequest(infoURL.String(), func() (*http.Response, error) {
+		return s.doRequest(context.TODO(), s.client, &requestOptions{
+			Method:   "GET",
+			URL:      infoURL,
+			APILevel: apiV2Endps,
+		}, nil)
+	}, func(resp *http.Response) error {
+		return decodeJSONBody(resp, &result, nil)
+	}, connCheckStrategy)
+
+	if err != nil {
+		return hosts, err
+	}
+	resp.Body.Close()
+
+	dlURLraw := result.ChannelMap[0].Download.URL
+	dlURL, err := url.ParseRequestURI(dlURLraw)
+	if err != nil {
+		return hosts, err
+	}
+	hosts = append(hosts, dlURL.Host)
+
+	cdnHeader, err := s.cdnHeader()
+	if err != nil {
+		return hosts, err
+	}
+
+	reqOptions := reqOptions(dlURL, cdnHeader)
+	reqOptions.Method = "HEAD" // not actually a download
+
+	// TODO: We need the HEAD here so that we get redirected to the
+	//       right CDN machine. Consider just doing a "net.Dial"
+	//       after the redirect here. Suggested in
+	// https://github.com/snapcore/snapd/pull/5176#discussion_r193437230
+	resp, err = httputil.RetryRequest(dlURLraw, func() (*http.Response, error) {
+		return s.doRequest(context.TODO(), s.client, reqOptions, nil)
+	}, func(resp *http.Response) error {
+		// account for redirect
+		hosts[len(hosts)-1] = resp.Request.URL.Host
+		return nil
+	}, connCheckStrategy)
+	if err != nil {
+		return hosts, err
+	}
+	resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return hosts, errUnexpectedConnCheckResponse
+	}
+
+	return hosts, nil
+}
+
+func (s *Store) ConnectivityCheck() (status map[string]bool, err error) {
+	status = make(map[string]bool)
+
+	checkers := []func() ([]string, error){
+		s.snapConnCheck,
+	}
+
+	for _, checker := range checkers {
+		hosts, err := checker()
+		for _, host := range hosts {
+			status[host] = (err == nil)
+		}
+	}
+
+	return status, nil
+}
diff -Nru snapd-2.32.3.2~14.04/store/storetest/storetest.go snapd-2.37~rc1~14.04/store/storetest/storetest.go
--- snapd-2.32.3.2~14.04/store/storetest/storetest.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/storetest/storetest.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2017 Canonical Ltd
+ * Copyright (C) 2014-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -25,6 +25,7 @@
 	"golang.org/x/net/context"
 
 	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/overlord/auth"
 	"github.com/snapcore/snapd/overlord/snapstate"
 	"github.com/snapcore/snapd/progress"
@@ -49,15 +50,11 @@
 	panic("Store.Find not expected")
 }
 
-func (Store) LookupRefresh(*store.RefreshCandidate, *auth.UserState) (*snap.Info, error) {
-	panic("Store.LookupRefresh not expected")
+func (Store) SnapAction(context.Context, []*store.CurrentSnap, []*store.SnapAction, *auth.UserState, *store.RefreshOptions) ([]*snap.Info, error) {
+	panic("Store.SnapAction not expected")
 }
 
-func (Store) ListRefresh(context.Context, []*store.RefreshCandidate, *auth.UserState, *store.RefreshOptions) ([]*snap.Info, error) {
-	panic("Store.ListRefresh not expected")
-}
-
-func (Store) Download(context.Context, string, string, *snap.DownloadInfo, progress.Meter, *auth.UserState) error {
+func (Store) Download(context.Context, string, string, *snap.DownloadInfo, progress.Meter, *auth.UserState, *store.DownloadOptions) error {
 	panic("Store.Download not expected")
 }
 
@@ -65,7 +62,7 @@
 	panic("Store.SuggestedCurrency not expected")
 }
 
-func (Store) Buy(*store.BuyOptions, *auth.UserState) (*store.BuyResult, error) {
+func (Store) Buy(*client.BuyOptions, *auth.UserState) (*client.BuyResult, error) {
 	panic("Store.Buy not expected")
 }
 
@@ -84,3 +81,15 @@
 func (Store) WriteCatalogs(context.Context, io.Writer, store.SnapAdder) error {
 	panic("fakeStore.WriteCatalogs not expected")
 }
+
+func (Store) ConnectivityCheck() (map[string]bool, error) {
+	panic("ConnectivityCheck not expected")
+}
+
+func (Store) LoginUser(username, password, otp string) (string, string, error) {
+	panic("LoginUser not expected")
+}
+
+func (Store) UserInfo(email string) (userinfo *store.User, err error) {
+	panic("UserInfo not expected")
+}
diff -Nru snapd-2.32.3.2~14.04/store/store_test.go snapd-2.37~rc1~14.04/store/store_test.go
--- snapd-2.32.3.2~14.04/store/store_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/store_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -17,13 +17,12 @@
  *
  */
 
-package store
+package store_test
 
 import (
 	"bytes"
 	"crypto"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -46,6 +45,7 @@
 	"github.com/snapcore/snapd/advisor"
 	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/asserts"
+	"github.com/snapcore/snapd/client"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/httputil"
 	"github.com/snapcore/snapd/logger"
@@ -54,6 +54,8 @@
 	"github.com/snapcore/snapd/progress"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/store"
 	"github.com/snapcore/snapd/testutil"
 )
 
@@ -63,14 +65,27 @@
 
 var _ = Suite(&configTestSuite{})
 
+var (
+	// this is what snap.E("0") looks like when decoded into an interface{} (the /^i/ is for "interface")
+	iZeroEpoch = map[string]interface{}{
+		"read":  []interface{}{0.},
+		"write": []interface{}{0.},
+	}
+	// ...and this is snap.E("5*")
+	iFiveStarEpoch = map[string]interface{}{
+		"read":  []interface{}{4., 5.},
+		"write": []interface{}{5.},
+	}
+)
+
 func (suite *configTestSuite) TestSetBaseURL(c *C) {
 	// Sanity check to prove at least one URI changes.
-	cfg := DefaultConfig()
+	cfg := store.DefaultConfig()
 	c.Assert(cfg.StoreBaseURL.String(), Equals, "https://api.snapcraft.io/")
 
 	u, err := url.Parse("http://example.com/path/prefix/")
 	c.Assert(err, IsNil)
-	err = cfg.setBaseURL(u)
+	err = cfg.SetBaseURL(u)
 	c.Assert(err, IsNil)
 
 	c.Check(cfg.StoreBaseURL.String(), Equals, "http://example.com/path/prefix/")
@@ -78,14 +93,14 @@
 }
 
 func (suite *configTestSuite) TestSetBaseURLStoreOverrides(c *C) {
-	cfg := DefaultConfig()
-	c.Assert(cfg.setBaseURL(apiURL()), IsNil)
-	c.Check(cfg.StoreBaseURL, Matches, apiURL().String()+".*")
+	cfg := store.DefaultConfig()
+	c.Assert(cfg.SetBaseURL(store.ApiURL()), IsNil)
+	c.Check(cfg.StoreBaseURL, Matches, store.ApiURL().String()+".*")
 
 	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", "https://force-api.local/"), IsNil)
 	defer os.Setenv("SNAPPY_FORCE_API_URL", "")
-	cfg = DefaultConfig()
-	c.Assert(cfg.setBaseURL(apiURL()), IsNil)
+	cfg = store.DefaultConfig()
+	c.Assert(cfg.SetBaseURL(store.ApiURL()), IsNil)
 	c.Check(cfg.StoreBaseURL.String(), Equals, "https://force-api.local/")
 	c.Check(cfg.AssertionsBaseURL, IsNil)
 }
@@ -94,20 +109,20 @@
 	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", "://example.com"), IsNil)
 	defer os.Setenv("SNAPPY_FORCE_API_URL", "")
 
-	cfg := DefaultConfig()
-	err := cfg.setBaseURL(apiURL())
+	cfg := store.DefaultConfig()
+	err := cfg.SetBaseURL(store.ApiURL())
 	c.Check(err, ErrorMatches, "invalid SNAPPY_FORCE_API_URL: parse ://example.com: missing protocol scheme")
 }
 
 func (suite *configTestSuite) TestSetBaseURLAssertsOverrides(c *C) {
-	cfg := DefaultConfig()
-	c.Assert(cfg.setBaseURL(apiURL()), IsNil)
+	cfg := store.DefaultConfig()
+	c.Assert(cfg.SetBaseURL(store.ApiURL()), IsNil)
 	c.Check(cfg.AssertionsBaseURL, IsNil)
 
 	c.Assert(os.Setenv("SNAPPY_FORCE_SAS_URL", "https://force-sas.local/"), IsNil)
 	defer os.Setenv("SNAPPY_FORCE_SAS_URL", "")
-	cfg = DefaultConfig()
-	c.Assert(cfg.setBaseURL(apiURL()), IsNil)
+	cfg = store.DefaultConfig()
+	c.Assert(cfg.SetBaseURL(store.ApiURL()), IsNil)
 	c.Check(cfg.AssertionsBaseURL, Matches, "https://force-sas.local/.*")
 }
 
@@ -115,8 +130,8 @@
 	c.Assert(os.Setenv("SNAPPY_FORCE_SAS_URL", "://example.com"), IsNil)
 	defer os.Setenv("SNAPPY_FORCE_SAS_URL", "")
 
-	cfg := DefaultConfig()
-	err := cfg.setBaseURL(apiURL())
+	cfg := store.DefaultConfig()
+	err := cfg.SetBaseURL(store.ApiURL())
 	c.Check(err, ErrorMatches, "invalid SNAPPY_FORCE_SAS_URL: parse ://example.com: missing protocol scheme")
 }
 
@@ -127,10 +142,12 @@
 	buyPath            = "/api/v1/snaps/purchases/buy"
 	customersMePath    = "/api/v1/snaps/purchases/customers/me"
 	detailsPathPattern = "/api/v1/snaps/details/.*"
-	metadataPath       = "/api/v1/snaps/metadata"
 	ordersPath         = "/api/v1/snaps/purchases/orders"
 	searchPath         = "/api/v1/snaps/search"
 	sectionsPath       = "/api/v1/snaps/sections"
+	// v2
+	snapActionPath  = "/v2/snaps/refresh"
+	infoPathPattern = "/v2/snaps/info/.*"
 )
 
 // Build details path for a snap name.
@@ -138,6 +155,11 @@
 	return strings.Replace(detailsPathPattern, ".*", snapName, 1)
 }
 
+// Build info path for a snap name.
+func infoPath(snapName string) string {
+	return strings.Replace(infoPathPattern, ".*", snapName, 1)
+}
+
 // Assert that a request is roughly as expected. Useful in fakes that should
 // only attempt to handle a specific request.
 func assertRequest(c *C, r *http.Request, method, pathPattern string) {
@@ -150,14 +172,13 @@
 
 type storeTestSuite struct {
 	testutil.BaseTest
-	store     *Store
+	store     *store.Store
 	logbuf    *bytes.Buffer
 	user      *auth.UserState
 	localUser *auth.UserState
 	device    *auth.DeviceState
 
-	origDownloadFunc func(context.Context, string, string, string, *auth.UserState, *Store, io.ReadWriteSeeker, int64, progress.Meter) error
-	mockXDelta       *testutil.MockCmd
+	mockXDelta *testutil.MockCmd
 
 	restoreLogger func()
 }
@@ -294,7 +315,7 @@
 	if err != nil {
 		return nil, err
 	}
-	err = m.AddThirdPartyCaveat([]byte("shared-key"), "third-party-caveat", UbuntuoneLocation)
+	err = m.AddThirdPartyCaveat([]byte("shared-key"), "third-party-caveat", store.UbuntuoneLocation)
 	if err != nil {
 		return nil, err
 	}
@@ -303,7 +324,7 @@
 }
 
 func makeTestDischarge() (*macaroon.Macaroon, error) {
-	m, err := macaroon.New([]byte("shared-key"), "third-party-caveat", UbuntuoneLocation)
+	m, err := macaroon.New([]byte("shared-key"), "third-party-caveat", store.UbuntuoneLocation)
 	if err != nil {
 		return nil, err
 	}
@@ -312,7 +333,7 @@
 }
 
 func makeTestRefreshDischargeResponse() (string, error) {
-	m, err := macaroon.New([]byte("shared-key"), "refreshed-third-party-caveat", UbuntuoneLocation)
+	m, err := macaroon.New([]byte("shared-key"), "refreshed-third-party-caveat", store.UbuntuoneLocation)
 	if err != nil {
 		return "", err
 	}
@@ -352,8 +373,7 @@
 	s.BaseTest.SetUpTest(c)
 	s.BaseTest.AddCleanup(snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {}))
 
-	s.store = New(nil, nil)
-	s.origDownloadFunc = download
+	s.store = store.New(nil, nil)
 	dirs.SetRootDir(c.MkDir())
 	c.Assert(os.MkdirAll(dirs.SnapMountDir, 0755), IsNil)
 
@@ -376,7 +396,14 @@
 	s.device = createTestDevice()
 	s.mockXDelta = testutil.MockCommand(c, "xdelta3", "")
 
-	MockDefaultRetryStrategy(&s.BaseTest, retry.LimitCount(5, retry.LimitTime(1*time.Second,
+	store.MockDefaultRetryStrategy(&s.BaseTest, retry.LimitCount(5, retry.LimitTime(1*time.Second,
+		retry.Exponential{
+			Initial: 1 * time.Millisecond,
+			Factor:  1,
+		},
+	)))
+
+	store.MockDownloadRetryStrategy(&s.BaseTest, retry.LimitCount(5, retry.LimitTime(1*time.Second,
 		retry.Exponential{
 			Initial: 1 * time.Millisecond,
 			Factor:  1,
@@ -385,7 +412,6 @@
 }
 
 func (s *storeTestSuite) TearDownTest(c *C) {
-	download = s.origDownloadFunc
 	s.mockXDelta.Restore()
 	s.restoreLogger()
 	s.BaseTest.TearDownTest(c)
@@ -411,11 +437,13 @@
 
 func (s *storeTestSuite) TestDownloadOK(c *C) {
 	expectedContent := []byte("I was downloaded")
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		c.Check(url, Equals, "anon-url")
 		w.Write(expectedContent)
 		return nil
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -424,7 +452,7 @@
 	snap.Size = int64(len(expectedContent))
 
 	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil)
+	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 	defer os.Remove(path)
 
@@ -436,12 +464,13 @@
 	missingContentStr := "was downloaded"
 	expectedContentStr := partialContentStr + missingContentStr
 
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		c.Check(resume, Equals, int64(len(partialContentStr)))
 		c.Check(url, Equals, "anon-url")
 		w.Write([]byte(missingContentStr))
 		return nil
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -454,7 +483,7 @@
 	err := ioutil.WriteFile(targetFn+".partial", []byte(partialContentStr), 0644)
 	c.Assert(err, IsNil)
 
-	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 
 	c.Assert(targetFn, testutil.FileEquals, expectedContentStr)
@@ -463,8 +492,6 @@
 func (s *storeTestSuite) TestResumeOfCompleted(c *C) {
 	expectedContentStr := "nothing downloaded"
 
-	download = nil
-
 	snap := &snap.Info{}
 	snap.RealName = "foo"
 	snap.AnonDownloadURL = "anon-url"
@@ -476,7 +503,7 @@
 	err := ioutil.WriteFile(targetFn+".partial", []byte(expectedContentStr), 0644)
 	c.Assert(err, IsNil)
 
-	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 
 	c.Assert(targetFn, testutil.FileEquals, expectedContentStr)
@@ -517,7 +544,7 @@
 	snap.Size = 50000
 
 	targetFn := filepath.Join(c.MkDir(), "foo_1.0_all.snap")
-	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 	c.Assert(targetFn, testutil.FileEquals, buf)
 	c.Assert(s.logbuf.String(), Matches, "(?s).*Retrying .* attempt 2, .*")
@@ -561,7 +588,7 @@
 	snap.Size = 50000
 
 	targetFn := filepath.Join(c.MkDir(), "foo_1.0_all.snap")
-	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 
 	c.Assert(targetFn, testutil.FileEquals, buf)
@@ -598,7 +625,7 @@
 
 	targetFn := filepath.Join(c.MkDir(), "foo_1.0_all.snap")
 	c.Assert(ioutil.WriteFile(targetFn+".partial", badbuf, 0644), IsNil)
-	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 
 	c.Assert(targetFn, testutil.FileEquals, buf)
@@ -626,9 +653,9 @@
 	snap.Size = int64(len("something invalid"))
 
 	targetFn := filepath.Join(c.MkDir(), "foo_1.0_all.snap")
-	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err := s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 
-	_, ok := err.(HashError)
+	_, ok := err.(store.HashError)
 	c.Assert(ok, Equals, true)
 	// ensure we only retried once (as these downloads might be big)
 	c.Assert(n, Equals, 2)
@@ -639,16 +666,17 @@
 	partialContentStr := "partial content "
 
 	n := 0
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		n++
 		if n == 1 {
 			// force sha3 error on first download
 			c.Check(resume, Equals, int64(len(partialContentStr)))
-			return HashError{"foo", "1234", "5678"}
+			return store.NewHashError("foo", "1234", "5678")
 		}
 		w.Write([]byte(expectedContentStr))
 		return nil
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -661,7 +689,7 @@
 	err := ioutil.WriteFile(targetFn+".partial", []byte(partialContentStr), 0644)
 	c.Assert(err, IsNil)
 
-	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 	c.Assert(n, Equals, 2)
 
@@ -672,10 +700,11 @@
 	partialContentStr := "partial content "
 
 	n := 0
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		n++
-		return HashError{"foo", "1234", "5678"}
-	}
+		return store.NewHashError("foo", "1234", "5678")
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -688,7 +717,7 @@
 	err := ioutil.WriteFile(targetFn+".partial", []byte(partialContentStr), 0644)
 	c.Assert(err, IsNil)
 
-	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil)
+	err = s.store.Download(context.TODO(), "foo", targetFn, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, NotNil)
 	c.Assert(err, ErrorMatches, `sha3-384 mismatch for "foo": got 1234 but expected 5678`)
 	c.Assert(n, Equals, 2)
@@ -696,14 +725,15 @@
 
 func (s *storeTestSuite) TestAuthenticatedDownloadDoesNotUseAnonURL(c *C) {
 	expectedContent := []byte("I was downloaded")
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, _ *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, _ *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		// check user is pass and auth url is used
 		c.Check(user, Equals, s.user)
 		c.Check(url, Equals, "AUTH-URL")
 
 		w.Write(expectedContent)
 		return nil
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -712,7 +742,7 @@
 	snap.Size = int64(len(expectedContent))
 
 	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, s.user)
+	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, s.user, nil)
 	c.Assert(err, IsNil)
 	defer os.Remove(path)
 
@@ -721,13 +751,14 @@
 
 func (s *storeTestSuite) TestAuthenticatedDeviceDoesNotUseAnonURL(c *C) {
 	expectedContent := []byte("I was downloaded")
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		// check auth url is used
 		c.Check(url, Equals, "AUTH-URL")
 
 		w.Write(expectedContent)
 		return nil
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -736,10 +767,10 @@
 	snap.Size = int64(len(expectedContent))
 
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&Config{}, authContext)
+	sto := store.New(&store.Config{}, authContext)
 
 	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := sto.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil)
+	err := sto.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, IsNil)
 	defer os.Remove(path)
 
@@ -748,12 +779,13 @@
 
 func (s *storeTestSuite) TestLocalUserDownloadUsesAnonURL(c *C) {
 	expectedContentStr := "I was downloaded"
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		c.Check(url, Equals, "anon-url")
 
 		w.Write([]byte(expectedContentStr))
 		return nil
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -762,7 +794,7 @@
 	snap.Size = int64(len(expectedContentStr))
 
 	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, s.localUser)
+	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, s.localUser, nil)
 	c.Assert(err, IsNil)
 	defer os.Remove(path)
 
@@ -771,10 +803,11 @@
 
 func (s *storeTestSuite) TestDownloadFails(c *C) {
 	var tmpfile *os.File
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		tmpfile = w.(*os.File)
 		return fmt.Errorf("uh, it failed")
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -783,7 +816,7 @@
 	snap.Size = 1
 	// simulate a failed download
 	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil)
+	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, ErrorMatches, "uh, it failed")
 	// ... and ensure that the tempfile is removed
 	c.Assert(osutil.FileExists(tmpfile.Name()), Equals, false)
@@ -791,13 +824,14 @@
 
 func (s *storeTestSuite) TestDownloadSyncFails(c *C) {
 	var tmpfile *os.File
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+	restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 		tmpfile = w.(*os.File)
 		w.Write([]byte("sync will fail"))
 		err := tmpfile.Close()
 		c.Assert(err, IsNil)
 		return nil
-	}
+	})
+	defer restore()
 
 	snap := &snap.Info{}
 	snap.RealName = "foo"
@@ -807,372 +841,12 @@
 
 	// simulate a failed sync
 	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil)
+	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil, nil)
 	c.Assert(err, ErrorMatches, `(sync|fsync:) .*`)
 	// ... and ensure that the tempfile is removed
 	c.Assert(osutil.FileExists(tmpfile.Name()), Equals, false)
 }
 
-func (s *storeTestSuite) TestActualDownload(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		n++
-		io.WriteString(w, "response-data")
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	theStore := New(&Config{}, nil)
-	var buf SillyBuffer
-	// keep tests happy
-	sha3 := ""
-	err := download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil)
-	c.Assert(err, IsNil)
-	c.Check(buf.String(), Equals, "response-data")
-	c.Check(n, Equals, 1)
-}
-
-func (s *storeTestSuite) TestDownloadCancellation(c *C) {
-	// the channel used by mock server to request cancellation from the test
-	syncCh := make(chan struct{})
-
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		n++
-		io.WriteString(w, "foo")
-		syncCh <- struct{}{}
-		io.WriteString(w, "bar")
-		time.Sleep(time.Duration(1) * time.Second)
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	theStore := New(&Config{}, nil)
-
-	ctx, cancel := context.WithCancel(context.Background())
-
-	result := make(chan string)
-	go func() {
-		sha3 := ""
-		var buf SillyBuffer
-		err := download(ctx, "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil)
-		result <- err.Error()
-		close(result)
-	}()
-
-	<-syncCh
-	cancel()
-
-	err := <-result
-	c.Check(n, Equals, 1)
-	c.Assert(err, Equals, "The download has been cancelled: context canceled")
-}
-
-type nopeSeeker struct{ io.ReadWriter }
-
-func (nopeSeeker) Seek(int64, int) (int64, error) {
-	return -1, errors.New("what is this, quidditch?")
-}
-
-func (s *storeTestSuite) TestActualDownloadNonPurchased402(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		n++
-		// XXX: the server doesn't behave correctly ATM
-		// but 401 for paid snaps is the unlikely case so far
-		w.WriteHeader(402)
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	theStore := New(&Config{}, nil)
-	var buf bytes.Buffer
-	err := download(context.TODO(), "foo", "sha3", mockServer.URL, nil, theStore, nopeSeeker{&buf}, -1, nil)
-	c.Assert(err, NotNil)
-	c.Check(err.Error(), Equals, "please buy foo before installing it.")
-	c.Check(n, Equals, 1)
-}
-
-func (s *storeTestSuite) TestActualDownload404(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		n++
-		w.WriteHeader(404)
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	theStore := New(&Config{}, nil)
-	var buf SillyBuffer
-	err := download(context.TODO(), "foo", "sha3", mockServer.URL, nil, theStore, &buf, 0, nil)
-	c.Assert(err, NotNil)
-	c.Assert(err, FitsTypeOf, &DownloadError{})
-	c.Check(err.(*DownloadError).Code, Equals, 404)
-	c.Check(n, Equals, 1)
-}
-
-func (s *storeTestSuite) TestActualDownload500(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		n++
-		w.WriteHeader(500)
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	theStore := New(&Config{}, nil)
-	var buf SillyBuffer
-	err := download(context.TODO(), "foo", "sha3", mockServer.URL, nil, theStore, &buf, 0, nil)
-	c.Assert(err, NotNil)
-	c.Assert(err, FitsTypeOf, &DownloadError{})
-	c.Check(err.(*DownloadError).Code, Equals, 500)
-	c.Check(n, Equals, 5)
-}
-
-func (s *storeTestSuite) TestActualDownload500Once(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		n++
-		if n == 1 {
-			w.WriteHeader(500)
-		} else {
-			io.WriteString(w, "response-data")
-		}
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	theStore := New(&Config{}, nil)
-	var buf SillyBuffer
-	// keep tests happy
-	sha3 := ""
-	err := download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, &buf, 0, nil)
-	c.Assert(err, IsNil)
-	c.Check(buf.String(), Equals, "response-data")
-	c.Check(n, Equals, 2)
-}
-
-// SillyBuffer is a ReadWriteSeeker buffer with a limited size for the tests
-// (bytes does not implement an ReadWriteSeeker)
-type SillyBuffer struct {
-	buf [1024]byte
-	pos int64
-	end int64
-}
-
-func NewSillyBufferString(s string) *SillyBuffer {
-	sb := &SillyBuffer{
-		pos: int64(len(s)),
-		end: int64(len(s)),
-	}
-	copy(sb.buf[0:], []byte(s))
-	return sb
-}
-func (sb *SillyBuffer) Read(b []byte) (n int, err error) {
-	if sb.pos >= int64(sb.end) {
-		return 0, io.EOF
-	}
-	n = copy(b, sb.buf[sb.pos:sb.end])
-	sb.pos += int64(n)
-	return n, nil
-}
-func (sb *SillyBuffer) Seek(offset int64, whence int) (int64, error) {
-	if whence != 0 {
-		panic("only io.SeekStart implemented in SillyBuffer")
-	}
-	if offset < 0 || offset > int64(sb.end) {
-		return 0, fmt.Errorf("seek out of bounds: %d", offset)
-	}
-	sb.pos = offset
-	return sb.pos, nil
-}
-func (sb *SillyBuffer) Write(p []byte) (n int, err error) {
-	n = copy(sb.buf[sb.pos:], p)
-	sb.pos += int64(n)
-	if sb.pos > sb.end {
-		sb.end = sb.pos
-	}
-	return n, nil
-}
-func (sb *SillyBuffer) String() string {
-	return string(sb.buf[0:sb.pos])
-}
-
-func (s *storeTestSuite) TestActualDownloadResume(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		n++
-		io.WriteString(w, "data")
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	theStore := New(&Config{}, nil)
-	buf := NewSillyBufferString("some ")
-	// calc the expected hash
-	h := crypto.SHA3_384.New()
-	h.Write([]byte("some data"))
-	sha3 := fmt.Sprintf("%x", h.Sum(nil))
-	err := download(context.TODO(), "foo", sha3, mockServer.URL, nil, theStore, buf, int64(len("some ")), nil)
-	c.Check(err, IsNil)
-	c.Check(buf.String(), Equals, "some data")
-	c.Check(n, Equals, 1)
-}
-
-func (s *storeTestSuite) TestUseDeltas(c *C) {
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-	origUseDeltas := os.Getenv("SNAPD_USE_DELTAS_EXPERIMENTAL")
-	defer os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", origUseDeltas)
-	restore := release.MockOnClassic(false)
-	defer restore()
-	altPath := c.MkDir()
-	origSnapMountDir := dirs.SnapMountDir
-	defer func() { dirs.SnapMountDir = origSnapMountDir }()
-	dirs.SnapMountDir = c.MkDir()
-	exeInCorePath := filepath.Join(dirs.SnapMountDir, "/core/current/usr/bin/xdelta3")
-	os.MkdirAll(filepath.Dir(exeInCorePath), 0755)
-
-	scenarios := []struct {
-		env       string
-		classic   bool
-		exeInHost bool
-		exeInCore bool
-
-		wantDelta bool
-	}{
-		{env: "", classic: false, exeInHost: false, exeInCore: false, wantDelta: false},
-		{env: "", classic: false, exeInHost: false, exeInCore: true, wantDelta: false},
-		{env: "", classic: false, exeInHost: true, exeInCore: false, wantDelta: false},
-		{env: "", classic: false, exeInHost: true, exeInCore: true, wantDelta: false},
-		{env: "", classic: true, exeInHost: false, exeInCore: false, wantDelta: false},
-		{env: "", classic: true, exeInHost: false, exeInCore: true, wantDelta: true},
-		{env: "", classic: true, exeInHost: true, exeInCore: false, wantDelta: true},
-		{env: "", classic: true, exeInHost: true, exeInCore: true, wantDelta: true},
-
-		{env: "0", classic: false, exeInHost: false, exeInCore: false, wantDelta: false},
-		{env: "0", classic: false, exeInHost: false, exeInCore: true, wantDelta: false},
-		{env: "0", classic: false, exeInHost: true, exeInCore: false, wantDelta: false},
-		{env: "0", classic: false, exeInHost: true, exeInCore: true, wantDelta: false},
-		{env: "0", classic: true, exeInHost: false, exeInCore: false, wantDelta: false},
-		{env: "0", classic: true, exeInHost: false, exeInCore: true, wantDelta: false},
-		{env: "0", classic: true, exeInHost: true, exeInCore: false, wantDelta: false},
-		{env: "0", classic: true, exeInHost: true, exeInCore: true, wantDelta: false},
-
-		{env: "1", classic: false, exeInHost: false, exeInCore: false, wantDelta: false},
-		{env: "1", classic: false, exeInHost: false, exeInCore: true, wantDelta: true},
-		{env: "1", classic: false, exeInHost: true, exeInCore: false, wantDelta: true},
-		{env: "1", classic: false, exeInHost: true, exeInCore: true, wantDelta: true},
-		{env: "1", classic: true, exeInHost: false, exeInCore: false, wantDelta: false},
-		{env: "1", classic: true, exeInHost: false, exeInCore: true, wantDelta: true},
-		{env: "1", classic: true, exeInHost: true, exeInCore: false, wantDelta: true},
-		{env: "1", classic: true, exeInHost: true, exeInCore: true, wantDelta: true},
-	}
-
-	for _, scenario := range scenarios {
-		if scenario.exeInCore {
-			osutil.CopyFile("/bin/true", exeInCorePath, 0)
-		} else {
-			os.Remove(exeInCorePath)
-		}
-		os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", scenario.env)
-		release.MockOnClassic(scenario.classic)
-		if scenario.exeInHost {
-			os.Setenv("PATH", origPath)
-		} else {
-			os.Setenv("PATH", altPath)
-		}
-
-		c.Check(useDeltas(), Equals, scenario.wantDelta, Commentf("%#v", scenario))
-	}
-}
-
-type downloadBehaviour []struct {
-	url   string
-	error bool
-}
-
-var deltaTests = []struct {
-	downloads       downloadBehaviour
-	info            snap.DownloadInfo
-	expectedContent string
-}{{
-	// The full snap is not downloaded, but rather the delta
-	// is downloaded and applied.
-	downloads: downloadBehaviour{
-		{url: "delta-url"},
-	},
-	info: snap.DownloadInfo{
-		AnonDownloadURL: "full-snap-url",
-		Deltas: []snap.DeltaInfo{
-			{AnonDownloadURL: "delta-url", Format: "xdelta3"},
-		},
-	},
-	expectedContent: "snap-content-via-delta",
-}, {
-	// If there is an error during the delta download, the
-	// full snap is downloaded as per normal.
-	downloads: downloadBehaviour{
-		{error: true},
-		{url: "full-snap-url"},
-	},
-	info: snap.DownloadInfo{
-		AnonDownloadURL: "full-snap-url",
-		Deltas: []snap.DeltaInfo{
-			{AnonDownloadURL: "delta-url", Format: "xdelta3"},
-		},
-	},
-	expectedContent: "full-snap-url-content",
-}, {
-	// If more than one matching delta is returned by the store
-	// we ignore deltas and do the full download.
-	downloads: downloadBehaviour{
-		{url: "full-snap-url"},
-	},
-	info: snap.DownloadInfo{
-		AnonDownloadURL: "full-snap-url",
-		Deltas: []snap.DeltaInfo{
-			{AnonDownloadURL: "delta-url", Format: "xdelta3"},
-			{AnonDownloadURL: "delta-url-2", Format: "xdelta3"},
-		},
-	},
-	expectedContent: "full-snap-url-content",
-}}
-
-func (s *storeTestSuite) TestDownloadWithDelta(c *C) {
-	origUseDeltas := os.Getenv("SNAPD_USE_DELTAS_EXPERIMENTAL")
-	defer os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", origUseDeltas)
-	c.Assert(os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", "1"), IsNil)
-
-	for _, testCase := range deltaTests {
-		testCase.info.Size = int64(len(testCase.expectedContent))
-		downloadIndex := 0
-		download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
-			if testCase.downloads[downloadIndex].error {
-				downloadIndex++
-				return errors.New("Bang")
-			}
-			c.Check(url, Equals, testCase.downloads[downloadIndex].url)
-			w.Write([]byte(testCase.downloads[downloadIndex].url + "-content"))
-			downloadIndex++
-			return nil
-		}
-		applyDelta = func(name string, deltaPath string, deltaInfo *snap.DeltaInfo, targetPath string, targetSha3_384 string) error {
-			c.Check(deltaInfo, Equals, &testCase.info.Deltas[0])
-			err := ioutil.WriteFile(targetPath, []byte("snap-content-via-delta"), 0644)
-			c.Assert(err, IsNil)
-			return nil
-		}
-
-		path := filepath.Join(c.MkDir(), "subdir", "downloaded-file")
-		err := s.store.Download(context.TODO(), "foo", path, &testCase.info, nil, nil)
-
-		c.Assert(err, IsNil)
-		defer os.Remove(path)
-		c.Assert(path, testutil.FileEquals, testCase.expectedContent)
-	}
-}
-
 var downloadDeltaTests = []struct {
 	info          snap.DownloadInfo
 	authenticated bool
@@ -1273,11 +947,11 @@
 	c.Assert(os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", "1"), IsNil)
 
 	authContext := &testAuthContext{c: c}
-	sto := New(nil, authContext)
+	sto := store.New(nil, authContext)
 
 	for _, testCase := range downloadDeltaTests {
-		sto.deltaFormat = testCase.format
-		download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, _ *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
+		sto.SetDeltaFormat(testCase.format)
+		restore := store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, _ *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
 			expectedUser := s.user
 			if testCase.useLocalUser {
 				expectedUser = s.localUser
@@ -1289,7 +963,8 @@
 			c.Check(url, Equals, testCase.expectedURL)
 			w.Write([]byte("I was downloaded"))
 			return nil
-		}
+		})
+		defer restore()
 
 		w, err := ioutil.TempFile("", "")
 		c.Assert(err, IsNil)
@@ -1308,7 +983,7 @@
 			authedUser = nil
 		}
 
-		err = sto.downloadDelta("snapname", &testCase.info, w, nil, authedUser)
+		err = sto.DownloadDelta("snapname", &testCase.info, w, nil, authedUser)
 
 		if testCase.expectError {
 			c.Assert(err, NotNil)
@@ -1362,7 +1037,7 @@
 			c.Assert(err, IsNil)
 		}
 
-		err = applyDelta(name, deltaPath, &testCase.deltaInfo, targetSnapPath, "")
+		err = store.ApplyDelta(name, deltaPath, &testCase.deltaInfo, targetSnapPath, "")
 
 		if testCase.error == "" {
 			c.Assert(err, IsNil)
@@ -1370,7 +1045,9 @@
 				{"xdelta3", "-d", "-s", currentSnapPath, deltaPath, targetSnapPath + ".partial"},
 			})
 			c.Assert(osutil.FileExists(targetSnapPath+".partial"), Equals, false)
-			c.Assert(osutil.FileExists(targetSnapPath), Equals, true)
+			st, err := os.Stat(targetSnapPath)
+			c.Assert(err, IsNil)
+			c.Check(st.Mode(), Equals, os.FileMode(0600))
 			c.Assert(os.Remove(targetSnapPath), IsNil)
 		} else {
 			c.Assert(err, NotNil)
@@ -1403,12 +1080,12 @@
 	defer mockServer.Close()
 
 	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	sto := New(&Config{}, authContext)
+	sto := store.New(&store.Config{}, authContext)
 
 	endpoint, _ := url.Parse(mockServer.URL)
-	reqOptions := &requestOptions{Method: "GET", URL: endpoint}
+	reqOptions := store.NewRequestOptions("GET", endpoint)
 
-	response, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
+	response, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
 	defer response.Body.Close()
 	c.Assert(err, IsNil)
 
@@ -1433,12 +1110,12 @@
 	defer mockServer.Close()
 
 	authContext := &testAuthContext{c: c, device: s.device, user: s.localUser}
-	sto := New(&Config{}, authContext)
+	sto := store.New(&store.Config{}, authContext)
 
 	endpoint, _ := url.Parse(mockServer.URL)
-	reqOptions := &requestOptions{Method: "GET", URL: endpoint}
+	reqOptions := store.NewRequestOptions("GET", endpoint)
 
-	response, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.localUser)
+	response, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.localUser)
 	defer response.Body.Close()
 	c.Assert(err, IsNil)
 
@@ -1466,12 +1143,12 @@
 	s.device.Serial = ""
 	s.device.SessionMacaroon = ""
 	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	sto := New(&Config{}, authContext)
+	sto := store.New(&store.Config{}, authContext)
 
 	endpoint, _ := url.Parse(mockServer.URL)
-	reqOptions := &requestOptions{Method: "GET", URL: endpoint}
+	reqOptions := store.NewRequestOptions("GET", endpoint)
 
-	response, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
+	response, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
 	defer response.Body.Close()
 	c.Assert(err, IsNil)
 
@@ -1492,7 +1169,7 @@
 		refreshDischargeEndpointHit = true
 	}))
 	defer mockSSOServer.Close()
-	UbuntuoneRefreshDischargeAPI = mockSSOServer.URL + "/tokens/refresh"
+	store.UbuntuoneRefreshDischargeAPI = mockSSOServer.URL + "/tokens/refresh"
 
 	// mock store response (requiring auth refresh)
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -1511,12 +1188,12 @@
 	defer mockServer.Close()
 
 	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	sto := New(&Config{}, authContext)
+	sto := store.New(&store.Config{}, authContext)
 
 	endpoint, _ := url.Parse(mockServer.URL)
-	reqOptions := &requestOptions{Method: "GET", URL: endpoint}
+	reqOptions := store.NewRequestOptions("GET", endpoint)
 
-	response, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
+	response, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
 	defer response.Body.Close()
 	c.Assert(err, IsNil)
 
@@ -1535,7 +1212,7 @@
 		refreshDischargeEndpointHit = true
 	}))
 	defer mockSSOServer.Close()
-	UbuntuoneRefreshDischargeAPI = mockSSOServer.URL + "/tokens/refresh"
+	store.UbuntuoneRefreshDischargeAPI = mockSSOServer.URL + "/tokens/refresh"
 
 	// mock store response (requiring auth refresh)
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -1550,13 +1227,13 @@
 	defer mockServer.Close()
 
 	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	sto := New(&Config{}, authContext)
+	sto := store.New(&store.Config{}, authContext)
 
 	endpoint, _ := url.Parse(mockServer.URL)
-	reqOptions := &requestOptions{Method: "GET", URL: endpoint}
+	reqOptions := store.NewRequestOptions("GET", endpoint)
 
-	response, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
-	c.Assert(err, Equals, ErrInvalidCredentials)
+	response, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
+	c.Assert(err, Equals, store.ErrInvalidCredentials)
 	c.Check(response, IsNil)
 	c.Check(refreshDischargeEndpointHit, Equals, true)
 }
@@ -1615,13 +1292,13 @@
 	// make sure device session is not set
 	s.device.SessionMacaroon = ""
 	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	sto := New(&Config{
+	sto := store.New(&store.Config{
 		StoreBaseURL: mockServerURL,
 	}, authContext)
 
-	reqOptions := &requestOptions{Method: "GET", URL: mockServerURL}
+	reqOptions := store.NewRequestOptions("GET", mockServerURL)
 
-	response, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
+	response, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
 	c.Assert(err, IsNil)
 	defer response.Body.Close()
 
@@ -1644,7 +1321,7 @@
 		refreshDischargeEndpointHit = true
 	}))
 	defer mockSSOServer.Close()
-	UbuntuoneRefreshDischargeAPI = mockSSOServer.URL + "/tokens/refresh"
+	store.UbuntuoneRefreshDischargeAPI = mockSSOServer.URL + "/tokens/refresh"
 
 	refreshSessionRequested := false
 	expiredAuth := `Macaroon root="expired-session-macaroon"`
@@ -1705,13 +1382,13 @@
 	// make sure device session is expired
 	s.device.SessionMacaroon = "expired-session-macaroon"
 	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	sto := New(&Config{
+	sto := store.New(&store.Config{
 		StoreBaseURL: mockServerURL,
 	}, authContext)
 
-	reqOptions := &requestOptions{Method: "GET", URL: mockServerURL}
+	reqOptions := store.NewRequestOptions("GET", mockServerURL)
 
-	resp, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
+	resp, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
 	c.Assert(err, IsNil)
 	defer resp.Body.Close()
 
@@ -1736,20 +1413,17 @@
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
-	sto := New(&Config{}, nil)
+	sto := store.New(&store.Config{}, nil)
 	endpoint, _ := url.Parse(mockServer.URL)
-	reqOptions := &requestOptions{
-		Method: "GET",
-		URL:    endpoint,
-		ExtraHeaders: map[string]string{
-			"X-Foo-Header": "Bar",
-			"Content-Type": "application/bson",
-			"Accept":       "application/hal+bson",
-			"User-Agent":   "customAgent",
-		},
+	reqOptions := store.NewRequestOptions("GET", endpoint)
+	reqOptions.ExtraHeaders = map[string]string{
+		"X-Foo-Header": "Bar",
+		"Content-Type": "application/bson",
+		"Accept":       "application/hal+bson",
+		"User-Agent":   "customAgent",
 	}
 
-	response, err := sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
+	response, err := sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
 	defer response.Body.Close()
 	c.Assert(err, IsNil)
 
@@ -1769,7 +1443,7 @@
 	}))
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
-	MacaroonACLAPI = mockServer.URL + "/acl/"
+	store.MacaroonACLAPI = mockServer.URL + "/acl/"
 
 	discharge, err := makeTestDischarge()
 	c.Assert(err, IsNil)
@@ -1781,9 +1455,9 @@
 	}))
 	c.Assert(mockSSOServer, NotNil)
 	defer mockSSOServer.Close()
-	UbuntuoneDischargeAPI = mockSSOServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockSSOServer.URL + "/tokens/discharge"
 
-	userMacaroon, userDischarge, err := LoginUser("username", "password", "otp")
+	userMacaroon, userDischarge, err := s.store.LoginUser("username", "password", "otp")
 
 	c.Assert(err, IsNil)
 	c.Check(userMacaroon, Equals, serializedMacaroon)
@@ -1797,9 +1471,9 @@
 	}))
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
-	MacaroonACLAPI = mockServer.URL + "/acl/"
+	store.MacaroonACLAPI = mockServer.URL + "/acl/"
 
-	userMacaroon, userDischarge, err := LoginUser("username", "password", "otp")
+	userMacaroon, userDischarge, err := s.store.LoginUser("username", "password", "otp")
 
 	c.Assert(err, ErrorMatches, "cannot get snap access permission from store: .*")
 	c.Check(userMacaroon, Equals, "")
@@ -1817,7 +1491,7 @@
 	}))
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
-	MacaroonACLAPI = mockServer.URL + "/acl/"
+	store.MacaroonACLAPI = mockServer.URL + "/acl/"
 
 	errorResponse := `{"code": "some-error"}`
 	mockSSOServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -1826,9 +1500,9 @@
 	}))
 	c.Assert(mockSSOServer, NotNil)
 	defer mockSSOServer.Close()
-	UbuntuoneDischargeAPI = mockSSOServer.URL + "/tokens/discharge"
+	store.UbuntuoneDischargeAPI = mockSSOServer.URL + "/tokens/discharge"
 
-	userMacaroon, userDischarge, err := LoginUser("username", "password", "otp")
+	userMacaroon, userDischarge, err := s.store.LoginUser("username", "password", "otp")
 
 	c.Assert(err, ErrorMatches, "cannot authenticate to snap store: .*")
 	c.Check(userMacaroon, Equals, "")
@@ -1836,147 +1510,14 @@
 }
 
 const (
-	funkyAppName      = "8nzc1x4iim2xj1g2ul64"
-	funkyAppDeveloper = "chipaca"
-	funkyAppSnapID    = "1e21e12ex4iim2xj1g2ul6f12f1"
+	funkyAppSnapID = "1e21e12ex4iim2xj1g2ul6f12f1"
 
-	helloWorldSnapID      = "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ"
-	helloWorldDeveloperID = "canonical"
+	helloWorldSnapID = "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ"
+	// instance key used in refresh action of snap hello-world_foo, salt "123"
+	helloWorldFooInstanceKeyWithSalt = helloWorldSnapID + ":IDKVhLy-HUyfYGFKcsH4V-7FVG7hLGs4M5zsraZU5tk"
+	helloWorldDeveloperID            = "canonical"
 )
 
-/* acquired via
-
-http --pretty=format --print b https://api.snapcraft.io/api/v1/snaps/details/hello-world X-Ubuntu-Series:16 fields==anon_download_url,architecture,channel,download_sha3_384,summary,description,binary_filesize,download_url,icon_url,last_updated,license,package_name,prices,publisher,ratings_average,revision,screenshot_urls,snap_id,support_url,title,content,version,origin,developer_id,private,confinement,snap_yaml_raw channel==edge | xsel -b
-
-on 2016-07-03. Then, by hand:
- * set prices to {"EUR": 0.99, "USD": 1.23}.
- * Screenshot URLS set manually.
-
-on 2017-11-20. Then, by hand:
- * add "snap_yaml_raw" from "test-snapd-content-plug"
-
-On Ubuntu, apt install httpie xsel (although you could get http from
-the http snap instead).
-
-*/
-const MockDetailsJSON = `{
-    "_links": {
-        "self": {
-            "href": "https://api.snapcraft.io/api/v1/snaps/details/hello-world?fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha3_384%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Cicon_url%2Clast_updated%2Clicense%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin%2Cdeveloper_id%2Cprivate%2Cconfinement&channel=edge"
-        }
-    },
-    "anon_download_url": "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap",
-    "architecture": [
-        "all"
-    ],
-    "base": "bare-base",
-    "binary_filesize": 20480,
-    "channel": "edge",
-    "confinement": "strict",
-    "content": "application",
-    "description": "This is a simple hello world example.",
-    "developer_id": "canonical",
-    "download_sha3_384": "eed62063c04a8c3819eb71ce7d929cc8d743b43be9e7d86b397b6d61b66b0c3a684f3148a9dbe5821360ae32105c1bd9",
-    "download_url": "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap",
-    "icon_url": "https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
-    "last_updated": "2016-07-12T16:37:23.960632Z",
-    "license": "GPL-3.0",
-    "origin": "canonical",
-    "package_name": "hello-world",
-    "prices": {"EUR": 0.99, "USD": 1.23},
-    "publisher": "Canonical",
-    "ratings_average": 0.0,
-    "revision": 27,
-    "screenshot_urls": ["https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/screenshot.png"],
-    "snap_id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
-    "summary": "The 'hello-world' of snaps",
-    "support_url": "mailto:snappy-devel@lists.ubuntu.com",
-    "title": "Hello World",
-    "version": "6.3",
-    "snap_yaml_raw": "name: test-snapd-content-plug\nversion: 1.0\napps:\n    content-plug:\n        command: bin/content-plug\n        plugs: [shared-content-plug]\nplugs:\n    shared-content-plug:\n        interface: content\n        target: import\n        content: mylib\n        default-provider: test-snapd-content-slot\nslots:\n    shared-content-slot:\n        interface: content\n        content: mylib\n        read:\n            - /\n",
-    "channel_maps_list": [
-      {
-        "track": "latest",
-        "map": [
-          {
-             "info": "released",
-             "version": "v1",
-             "binary_filesize": 12345,
-             "epoch": "0",
-             "confinement": "strict",
-             "channel": "stable",
-             "revision": 1
-          },
-          {
-             "info": "released",
-             "version": "v2",
-             "binary_filesize": 12345,
-             "epoch": "0",
-             "confinement": "strict",
-             "channel": "candidate",
-             "revision": 2
-          },
-          {
-             "info": "released",
-             "version": "v8",
-             "binary_filesize": 12345,
-             "epoch": "0",
-             "confinement": "devmode",
-             "channel": "beta",
-             "revision": 8
-          },
-          {
-             "info": "released",
-             "version": "v9",
-             "binary_filesize": 12345,
-             "epoch": "0",
-             "confinement": "devmode",
-             "channel": "edge",
-             "revision": 9
-          }
-        ]
-      }
-    ]
-}
-`
-
-// FIXME: this can go once the store always provides a channel_map_list
-const MockDetailsJSONnoChannelMapList = `{
-    "_links": {
-        "self": {
-            "href": "https://api.snapcraft.io/api/v1/snaps/details/hello-world?fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha3_384%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Cicon_url%2Clast_updated%2Clicense%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin%2Cdeveloper_id%2Cprivate%2Cconfinement&channel=edge"
-        }
-    },
-    "anon_download_url": "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap",
-    "architecture": [
-        "all"
-    ],
-    "binary_filesize": 20480,
-    "channel": "edge",
-    "confinement": "strict",
-    "content": "application",
-    "description": "This is a simple hello world example.",
-    "developer_id": "canonical",
-    "download_sha3_384": "eed62063c04a8c3819eb71ce7d929cc8d743b43be9e7d86b397b6d61b66b0c3a684f3148a9dbe5821360ae32105c1bd9",
-    "download_url": "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap",
-    "icon_url": "https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
-    "last_updated": "2016-07-12T16:37:23.960632Z",
-    "license": "GPL-3.0",
-    "origin": "canonical",
-    "package_name": "hello-world",
-    "prices": {"EUR": 0.99, "USD": 1.23},
-    "publisher": "Canonical",
-    "ratings_average": 0.0,
-    "revision": 27,
-    "screenshot_urls": ["https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/screenshot.png"],
-    "snap_id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
-    "summary": "The 'hello-world' of snaps",
-    "support_url": "mailto:snappy-devel@lists.ubuntu.com",
-    "title": "Hello World",
-    "version": "6.3"
-}
-`
-
 const mockOrdersJSON = `{
   "orders": [
     {
@@ -2020,145 +1561,394 @@
   ]
 }`
 
-func (s *storeTestSuite) TestDetails(c *C) {
+/* acquired via
+
+http --pretty=format --print b https://api.snapcraft.io/v2/snaps/info/hello-world architecture==amd64 fields==architectures,base,confinement,contact,created-at,description,download,epoch,license,name,prices,private,publisher,revision,snap-id,snap-yaml,summary,title,type,version,media,common-ids Snap-Device-Series:16 | xsel -b
+
+on 2018-06-13 (note snap-yaml is currently excluded from that list). Then, by hand:
+- set prices to {"EUR": "0.99", "USD": "1.23"},
+- set base in first channel-map entry to "bogus-base",
+- set snap-yaml in first channel-map entry to the one from the 'edge', plus the following pastiche:
+apps:
+  content-plug:
+    command: bin/content-plug
+    plugs: [shared-content-plug]
+plugs:
+  shared-content-plug:
+    interface: content
+    target: import
+    content: mylib
+    default-provider: test-snapd-content-slot
+slots:
+  shared-content-slot:
+    interface: content
+    content: mylib
+    read:
+      - /
+
+- add "released-at" to something randomish
+
+*/
+const mockInfoJSON = `{
+    "channel-map": [
+        {
+            "architectures": [
+                "all"
+            ],
+            "base": "bogus-base",
+            "channel": {
+                "architecture": "amd64",
+                "name": "stable",
+                "released-at": "2019-01-01T10:11:12.123456789+00:00",
+                "risk": "stable",
+                "track": "latest"
+            },
+            "common-ids": [],
+            "confinement": "strict",
+            "created-at": "2016-07-12T16:37:23.960632+00:00",
+            "download": {
+                "deltas": [],
+                "sha3-384": "eed62063c04a8c3819eb71ce7d929cc8d743b43be9e7d86b397b6d61b66b0c3a684f3148a9dbe5821360ae32105c1bd9",
+                "size": 20480,
+                "url": "https://api.snapcraft.io/api/v1/snaps/download/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap"
+            },
+            "epoch": {
+                "read": [
+                    0
+                ],
+                "write": [
+                    0
+                ]
+            },
+            "revision": 27,
+            "snap-yaml": "name: hello-world\nversion: 6.3\narchitectures: [ all ]\nsummary: The 'hello-world' of snaps\ndescription: |\n    This is a simple snap example that includes a few interesting binaries\n    to demonstrate snaps and their confinement.\n    * hello-world.env  - dump the env of commands run inside app sandbox\n    * hello-world.evil - show how snappy sandboxes binaries\n    * hello-world.sh   - enter interactive shell that runs in app sandbox\n    * hello-world      - simply output text\napps:\n env:\n   command: bin/env\n evil:\n   command: bin/evil\n sh:\n   command: bin/sh\n hello-world:\n   command: bin/echo\n content-plug:\n   command: bin/content-plug\n   plugs: [shared-content-plug]\nplugs:\n  shared-content-plug:\n    interface: content\n    target: import\n    content: mylib\n    default-provider: test-snapd-content-slot\nslots:\n  shared-content-slot:\n    interface: content\n    content: mylib\n    read:\n      - /\n",
+            "type": "app",
+            "version": "6.3"
+        },
+        {
+            "architectures": [
+                "all"
+            ],
+            "base": null,
+            "channel": {
+                "architecture": "amd64",
+                "name": "candidate",
+                "released-at": "2019-01-02T10:11:12.123456789+00:00",
+                "risk": "candidate",
+                "track": "latest"
+            },
+            "common-ids": [],
+            "confinement": "strict",
+            "created-at": "2016-07-12T16:37:23.960632+00:00",
+            "download": {
+                "deltas": [],
+                "sha3-384": "eed62063c04a8c3819eb71ce7d929cc8d743b43be9e7d86b397b6d61b66b0c3a684f3148a9dbe5821360ae32105c1bd9",
+                "size": 20480,
+                "url": "https://api.snapcraft.io/api/v1/snaps/download/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap"
+            },
+            "epoch": {
+                "read": [
+                    0
+                ],
+                "write": [
+                    0
+                ]
+            },
+            "revision": 27,
+            "snap-yaml": "",
+            "type": "app",
+            "version": "6.3"
+        },
+        {
+            "architectures": [
+                "all"
+            ],
+            "base": null,
+            "channel": {
+                "architecture": "amd64",
+                "name": "beta",
+                "released-at": "2019-01-03T10:11:12.123456789+00:00",
+                "risk": "beta",
+                "track": "latest"
+            },
+            "common-ids": [],
+            "confinement": "strict",
+            "created-at": "2016-07-12T16:37:23.960632+00:00",
+            "download": {
+                "deltas": [],
+                "sha3-384": "eed62063c04a8c3819eb71ce7d929cc8d743b43be9e7d86b397b6d61b66b0c3a684f3148a9dbe5821360ae32105c1bd9",
+                "size": 20480,
+                "url": "https://api.snapcraft.io/api/v1/snaps/download/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap"
+            },
+            "epoch": {
+                "read": [
+                    0
+                ],
+                "write": [
+                    0
+                ]
+            },
+            "revision": 27,
+            "snap-yaml": "",
+            "type": "app",
+            "version": "6.3"
+        },
+        {
+            "architectures": [
+                "all"
+            ],
+            "base": null,
+            "channel": {
+                "architecture": "amd64",
+                "name": "edge",
+                "released-at": "2019-01-04T10:11:12.123456789+00:00",
+                "risk": "edge",
+                "track": "latest"
+            },
+            "common-ids": [],
+            "confinement": "strict",
+            "created-at": "2017-11-20T07:59:46.563940+00:00",
+            "download": {
+                "deltas": [],
+                "sha3-384": "d888ed75a9071ace39fed922aa799cad4081de79fda650fbbf75e1bae780dae2c24a19aab8db5059c6ad0d0533d90c04",
+                "size": 20480,
+                "url": "https://api.snapcraft.io/api/v1/snaps/download/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_28.snap"
+            },
+            "epoch": {
+                "read": [
+                    0
+                ],
+                "write": [
+                    0
+                ]
+            },
+            "revision": 28,
+            "snap-yaml": "",
+            "type": "app",
+            "version": "6.3"
+        }
+    ],
+    "name": "hello-world",
+    "snap": {
+        "contact": "mailto:snappy-devel@lists.ubuntu.com",
+        "description": "This is a simple hello world example.",
+        "license": "MIT",
+        "media": [
+            {
+                "height": null,
+                "type": "icon",
+                "url": "https://dashboard.snapcraft.io/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
+                "width": null
+            },
+            {
+                "height": null,
+                "type": "screenshot",
+                "url": "https://dashboard.snapcraft.io/site_media/appmedia/2018/06/Screenshot_from_2018-06-14_09-33-31.png",
+                "width": null
+            }
+        ],
+        "name": "hello-world",
+        "prices": {"EUR": "0.99", "USD": "1.23"},
+        "private": true,
+        "publisher": {
+            "display-name": "Canonical",
+            "id": "canonical",
+            "username": "canonical",
+            "validation": "verified"
+        },
+        "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+        "summary": "The 'hello-world' of snaps",
+        "title": "Hello World"
+    },
+    "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ"
+}`
+
+func (s *storeTestSuite) TestInfo(c *C) {
 	restore := release.MockOnClassic(false)
 	defer restore()
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 		c.Check(r.UserAgent(), Equals, userAgent)
 
 		// check device authorization is set, implicitly checking doRequest was used
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
 		// no store ID by default
-		storeID := r.Header.Get("X-Ubuntu-Store")
+		storeID := r.Header.Get("Snap-Device-Store")
 		c.Check(storeID, Equals, "")
 
 		c.Check(r.URL.Path, Matches, ".*/hello-world")
 
-		c.Check(r.URL.Query().Get("channel"), Equals, "edge")
-		c.Check(r.URL.Query().Get("fields"), Equals, "abc,def,snap_yaml_raw")
-
-		c.Check(r.Header.Get("X-Ubuntu-Series"), Equals, release.Series)
-		c.Check(r.Header.Get("X-Ubuntu-Architecture"), Equals, arch.UbuntuArchitecture())
-		c.Check(r.Header.Get("X-Ubuntu-Classic"), Equals, "false")
-
-		c.Check(r.Header.Get("X-Ubuntu-Confinement"), Equals, "")
+		query := r.URL.Query()
+		c.Check(query.Get("fields"), Equals, "abc,def")
+		c.Check(query.Get("architecture"), Equals, arch.UbuntuArchitecture())
 
 		w.Header().Set("X-Suggested-Currency", "GBP")
 		w.WriteHeader(200)
-
-		io.WriteString(w, MockDetailsJSON)
+		io.WriteString(w, mockInfoJSON)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
-		DetailFields: []string{"abc", "def"},
+		InfoFields:   []string{"abc", "def"},
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
+	c.Check(result.InstanceName(), Equals, "hello-world")
 	c.Check(result.Architectures, DeepEquals, []string{"all"})
 	c.Check(result.Revision, Equals, snap.R(27))
 	c.Check(result.SnapID, Equals, helloWorldSnapID)
-	c.Check(result.Publisher, Equals, "canonical")
+	c.Check(result.Publisher, Equals, snap.StoreAccount{
+		ID:          "canonical",
+		Username:    "canonical",
+		DisplayName: "Canonical",
+		Validation:  "verified",
+	})
 	c.Check(result.Version, Equals, "6.3")
 	c.Check(result.Sha3_384, Matches, `[[:xdigit:]]{96}`)
 	c.Check(result.Size, Equals, int64(20480))
-	c.Check(result.Channel, Equals, "edge")
+	c.Check(result.Channel, Equals, "stable")
 	c.Check(result.Description(), Equals, "This is a simple hello world example.")
 	c.Check(result.Summary(), Equals, "The 'hello-world' of snaps")
-	c.Check(result.Title(), Equals, "Hello World")
-	c.Check(result.License, Equals, "GPL-3.0")
-	c.Assert(result.Prices, DeepEquals, map[string]float64{"EUR": 0.99, "USD": 1.23})
-	c.Assert(result.Paid, Equals, true)
-	c.Assert(result.Screenshots, DeepEquals, []snap.ScreenshotInfo{
+	c.Check(result.Title(), Equals, "Hello World") // TODO: have this updated to be different to the name
+	c.Check(result.License, Equals, "MIT")
+	c.Check(result.Prices, DeepEquals, map[string]float64{"EUR": 0.99, "USD": 1.23})
+	c.Check(result.Paid, Equals, true)
+	c.Check(result.Media, DeepEquals, snap.MediaInfos{
 		{
-			URL: "https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/screenshot.png",
+			Type: "icon",
+			URL:  "https://dashboard.snapcraft.io/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
+		}, {
+			Type: "screenshot",
+			URL:  "https://dashboard.snapcraft.io/site_media/appmedia/2018/06/Screenshot_from_2018-06-14_09-33-31.png",
 		},
 	})
 	c.Check(result.MustBuy, Equals, true)
 	c.Check(result.Contact, Equals, "mailto:snappy-devel@lists.ubuntu.com")
-	c.Check(result.Base, Equals, "bare-base")
-
-	// Make sure the epoch (currently not sent by the store) defaults to "0"
+	c.Check(result.Base, Equals, "bogus-base")
 	c.Check(result.Epoch.String(), Equals, "0")
-
 	c.Check(sto.SuggestedCurrency(), Equals, "GBP")
-
-	// skip this one until the store supports it
-	// c.Check(result.Private, Equals, true)
+	c.Check(result.Private, Equals, true)
 
 	c.Check(snap.Validate(result), IsNil)
 
-	// validate the plugs/slots
-	c.Check(result.Plugs, HasLen, 1)
+	// validate the plugs/slots (only here because we faked stuff in the JSON)
+	c.Assert(result.Plugs, HasLen, 1)
 	plug := result.Plugs["shared-content-plug"]
 	c.Check(plug.Name, Equals, "shared-content-plug")
 	c.Check(plug.Snap, DeepEquals, result)
 	c.Check(plug.Apps, HasLen, 1)
 	c.Check(plug.Apps["content-plug"].Command, Equals, "bin/content-plug")
 
-	c.Check(result.Slots, HasLen, 1)
+	c.Assert(result.Slots, HasLen, 1)
 	slot := result.Slots["shared-content-slot"]
 	c.Check(slot.Name, Equals, "shared-content-slot")
 	c.Check(slot.Snap, DeepEquals, result)
-	c.Check(slot.Apps, HasLen, 1)
+	c.Check(slot.Apps, HasLen, 5)
 	c.Check(slot.Apps["content-plug"].Command, Equals, "bin/content-plug")
 }
 
-func (s *storeTestSuite) TestDetailsDefaultChannelIsStable(c *C) {
+func (s *storeTestSuite) TestInfoBadResponses(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n++
+		switch n {
+		case 1:
+			// This one should work.
+			// (strictly speaking the channel map item should at least have a "channel" member)
+			io.WriteString(w, `{"channel-map": [{}], "snap": {"name":"hello"}}`)
+		case 2:
+			// "not found" (no channel map)
+			io.WriteString(w, `{"snap":{"name":"hello"}}`)
+		case 3:
+			// "not found" (same)
+			io.WriteString(w, `{"channel-map": [], "snap": {"name":"hello"}}`)
+		case 4:
+			// bad price
+			io.WriteString(w, `{"channel-map": [{}], "snap": {"name":"hello","prices":{"XPD": "Palladium?!?"}}}`)
+		default:
+			c.Errorf("expected at most 4 calls, now on #%d", n)
+		}
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+		InfoFields:   []string{},
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	info, err := sto.SnapInfo(store.SnapSpec{Name: "hello"}, nil)
+	c.Assert(err, IsNil)
+	c.Check(info.InstanceName(), Equals, "hello")
+
+	info, err = sto.SnapInfo(store.SnapSpec{Name: "hello"}, nil)
+	c.Check(err, Equals, store.ErrSnapNotFound)
+	c.Check(info, IsNil)
+
+	info, err = sto.SnapInfo(store.SnapSpec{Name: "hello"}, nil)
+	c.Check(err, Equals, store.ErrSnapNotFound)
+	c.Check(info, IsNil)
+
+	info, err = sto.SnapInfo(store.SnapSpec{Name: "hello"}, nil)
+	c.Check(err, ErrorMatches, `.* invalid syntax`)
+	c.Check(info, IsNil)
+}
+
+func (s *storeTestSuite) TestInfoDefaultChannelIsStable(c *C) {
 	restore := release.MockOnClassic(false)
 	defer restore()
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 		c.Check(r.URL.Path, Matches, ".*/hello-world")
 
-		c.Check(r.URL.Query().Get("channel"), Equals, "stable")
 		w.WriteHeader(200)
 
-		io.WriteString(w, strings.Replace(MockDetailsJSON, "edge", "stable", -1))
+		io.WriteString(w, mockInfoJSON)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{"abc", "def"},
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
 	// the actual test
-	spec := SnapSpec{
+	spec := store.SnapSpec{
 		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
+	c.Check(result.InstanceName(), Equals, "hello-world")
 	c.Check(result.SnapID, Equals, helloWorldSnapID)
 	c.Check(result.Channel, Equals, "stable")
 }
 
-func (s *storeTestSuite) TestDetails500(c *C) {
+func (s *storeTestSuite) TestInfo500(c *C) {
 	var n = 0
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 		n++
 		w.WriteHeader(500)
 	}))
@@ -2167,34 +1957,32 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{},
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	_, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, NotNil)
-	c.Assert(err, ErrorMatches, `cannot get details for snap "hello-world" in channel "edge": got unexpected HTTP status code 500 via GET to "http://.*?/details/hello-world\?channel=edge"`)
+	c.Assert(err, ErrorMatches, `cannot get details for snap "hello-world": got unexpected HTTP status code 500 via GET to "http://.*?/info/hello-world.*"`)
 	c.Assert(n, Equals, 5)
 }
 
-func (s *storeTestSuite) TestDetails500once(c *C) {
+func (s *storeTestSuite) TestInfo500once(c *C) {
 	var n = 0
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 		n++
 		if n > 1 {
 			w.Header().Set("X-Suggested-Currency", "GBP")
 			w.WriteHeader(200)
-			io.WriteString(w, MockDetailsJSON)
+			io.WriteString(w, mockInfoJSON)
 		} else {
 			w.WriteHeader(500)
 		}
@@ -2204,39 +1992,34 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
+	c.Check(result.InstanceName(), Equals, "hello-world")
 	c.Assert(n, Equals, 2)
 }
 
-func (s *storeTestSuite) TestDetailsAndChannels(c *C) {
-	// this test will break and should be melded into TestDetails,
-	// above, when the store provides the channels as part of details
-
+func (s *storeTestSuite) TestInfoAndChannels(c *C) {
 	n := 0
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 		switch n {
 		case 0:
 			c.Check(r.URL.Path, Matches, ".*/hello-world")
-			c.Check(r.URL.Query().Get("channel"), Equals, "")
+
 			w.Header().Set("X-Suggested-Currency", "GBP")
 			w.WriteHeader(200)
 
-			io.WriteString(w, MockDetailsJSON)
+			io.WriteString(w, mockInfoJSON)
 		default:
 			c.Fatalf("unexpected request to %q", r.URL.Path)
 		}
@@ -2247,207 +2030,190 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:       "hello-world",
-		AnyChannel: true,
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
 	c.Assert(n, Equals, 1)
-	c.Check(result.Name(), Equals, "hello-world")
-	c.Check(result.Channels, DeepEquals, map[string]*snap.ChannelSnapInfo{
+	c.Check(result.InstanceName(), Equals, "hello-world")
+	expected := map[string]*snap.ChannelSnapInfo{
 		"latest/stable": {
-			Revision:    snap.R(1),
-			Version:     "v1",
+			Revision:    snap.R(27),
+			Version:     "6.3",
 			Confinement: snap.StrictConfinement,
 			Channel:     "stable",
-			Size:        12345,
-			Epoch:       *snap.E("0"),
+			Size:        20480,
+			Epoch:       snap.E("0"),
+			ReleasedAt:  time.Date(2019, 1, 1, 10, 11, 12, 123456789, time.UTC),
 		},
 		"latest/candidate": {
-			Revision:    snap.R(2),
-			Version:     "v2",
+			Revision:    snap.R(27),
+			Version:     "6.3",
 			Confinement: snap.StrictConfinement,
 			Channel:     "candidate",
-			Size:        12345,
-			Epoch:       *snap.E("0"),
+			Size:        20480,
+			Epoch:       snap.E("0"),
+			ReleasedAt:  time.Date(2019, 1, 2, 10, 11, 12, 123456789, time.UTC),
 		},
 		"latest/beta": {
-			Revision:    snap.R(8),
-			Version:     "v8",
-			Confinement: snap.DevModeConfinement,
+			Revision:    snap.R(27),
+			Version:     "6.3",
+			Confinement: snap.StrictConfinement,
 			Channel:     "beta",
-			Size:        12345,
-			Epoch:       *snap.E("0"),
+			Size:        20480,
+			Epoch:       snap.E("0"),
+			ReleasedAt:  time.Date(2019, 1, 3, 10, 11, 12, 123456789, time.UTC),
 		},
 		"latest/edge": {
-			Revision:    snap.R(9),
-			Version:     "v9",
-			Confinement: snap.DevModeConfinement,
+			Revision:    snap.R(28),
+			Version:     "6.3",
+			Confinement: snap.StrictConfinement,
 			Channel:     "edge",
-			Size:        12345,
-			Epoch:       *snap.E("0"),
+			Size:        20480,
+			Epoch:       snap.E("0"),
+			ReleasedAt:  time.Date(2019, 1, 4, 10, 11, 12, 123456789, time.UTC),
 		},
-	})
+	}
+	for k, v := range result.Channels {
+		c.Check(v, DeepEquals, expected[k], Commentf("%q", k))
+	}
+	c.Check(result.Channels, HasLen, len(expected))
 
 	c.Check(snap.Validate(result), IsNil)
 }
 
-func (s *storeTestSuite) TestNonDefaults(c *C) {
-	restore := release.MockOnClassic(true)
-	defer restore()
-	os.Setenv("SNAPPY_STORE_NO_CDN", "1")
-	defer os.Unsetenv("SNAPPY_STORE_NO_CDN")
-
+func (s *storeTestSuite) TestInfoMoreChannels(c *C) {
+	// NB this tests more channels, but still only one architecture
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
-		storeID := r.Header.Get("X-Ubuntu-Store")
-		c.Check(storeID, Equals, "foo")
-
-		c.Check(r.URL.Path, Matches, ".*/details/hello-world")
-
-		c.Check(r.URL.Query().Get("channel"), Equals, "edge")
-
-		c.Check(r.Header.Get("X-Ubuntu-Series"), Equals, "21")
-		c.Check(r.Header.Get("X-Ubuntu-Architecture"), Equals, "archXYZ")
-		c.Check(r.Header.Get("X-Ubuntu-Classic"), Equals, "true")
-		// for now we have both
-		c.Check(r.Header.Get("X-Ubuntu-No-CDN"), Equals, "true")
-		c.Check(r.Header.Get("Snap-CDN"), Equals, "none")
-
-		w.WriteHeader(200)
-		io.WriteString(w, MockDetailsJSON)
+		assertRequest(c, r, "GET", infoPathPattern)
+		// following is just an aligned version of:
+		// http https://api.snapcraft.io/v2/snaps/info/go architecture==amd64 fields==channel Snap-Device-Series:16 | jq -c '.["channel-map"] | .[]'
+		io.WriteString(w, `{"channel-map": [
+{"channel":{"architecture":"amd64","name":"stable",        "released-at":"2018-12-17T09:17:16.288554+00:00","risk":"stable",   "track":"latest"}},
+{"channel":{"architecture":"amd64","name":"edge",          "released-at":"2018-11-06T00:46:03.348730+00:00","risk":"edge",     "track":"latest"}},
+{"channel":{"architecture":"amd64","name":"1.11/stable",   "released-at":"2018-12-17T09:17:48.847205+00:00","risk":"stable",   "track":"1.11"}},
+{"channel":{"architecture":"amd64","name":"1.11/candidate","released-at":"2018-12-17T00:10:05.864910+00:00","risk":"candidate","track":"1.11"}},
+{"channel":{"architecture":"amd64","name":"1.10/stable",   "released-at":"2018-12-17T06:53:57.915517+00:00","risk":"stable",   "track":"1.10"}},
+{"channel":{"architecture":"amd64","name":"1.10/candidate","released-at":"2018-12-17T00:04:13.413244+00:00","risk":"candidate","track":"1.10"}},
+{"channel":{"architecture":"amd64","name":"1.9/stable",    "released-at":"2018-06-13T02:23:06.338145+00:00","risk":"stable",   "track":"1.9"}},
+{"channel":{"architecture":"amd64","name":"1.8/stable",    "released-at":"2018-02-07T23:08:59.152984+00:00","risk":"stable",   "track":"1.8"}},
+{"channel":{"architecture":"amd64","name":"1.7/stable",    "released-at":"2017-06-02T01:16:52.640258+00:00","risk":"stable",   "track":"1.7"}},
+{"channel":{"architecture":"amd64","name":"1.6/stable",    "released-at":"2017-05-17T21:18:42.224979+00:00","risk":"stable",   "track":"1.6"}}
+]}`)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := DefaultConfig()
-	cfg.StoreBaseURL = mockServerURL
-	cfg.Series = "21"
-	cfg.Architecture = "archXYZ"
-	cfg.StoreID = "foo"
-	sto := New(cfg, nil)
-
-	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
-	result, err := sto.SnapInfo(spec, nil)
-	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
-}
-
-func (s *storeTestSuite) TestStoreIDFromAuthContext(c *C) {
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
-		storeID := r.Header.Get("X-Ubuntu-Store")
-		c.Check(storeID, Equals, "my-brand-store-id")
-
-		w.WriteHeader(200)
-		io.WriteString(w, MockDetailsJSON)
-	}))
-
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := DefaultConfig()
-	cfg.StoreBaseURL = mockServerURL
-	cfg.Series = "21"
-	cfg.Architecture = "archXYZ"
-	cfg.StoreID = "fallback"
-	sto := New(cfg, &testAuthContext{c: c, device: s.device, storeID: "my-brand-store-id"})
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
-	}
-	result, err := sto.SnapInfo(spec, nil)
+	result, err := sto.SnapInfo(store.SnapSpec{Name: "eh"}, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
+	expected := map[string]*snap.ChannelSnapInfo{
+		"latest/stable":  {Channel: "stable", ReleasedAt: time.Date(2018, 12, 17, 9, 17, 16, 288554000, time.UTC)},
+		"latest/edge":    {Channel: "edge", ReleasedAt: time.Date(2018, 11, 6, 0, 46, 3, 348730000, time.UTC)},
+		"1.6/stable":     {Channel: "1.6/stable", ReleasedAt: time.Date(2017, 5, 17, 21, 18, 42, 224979000, time.UTC)},
+		"1.7/stable":     {Channel: "1.7/stable", ReleasedAt: time.Date(2017, 6, 2, 1, 16, 52, 640258000, time.UTC)},
+		"1.8/stable":     {Channel: "1.8/stable", ReleasedAt: time.Date(2018, 2, 7, 23, 8, 59, 152984000, time.UTC)},
+		"1.9/stable":     {Channel: "1.9/stable", ReleasedAt: time.Date(2018, 6, 13, 2, 23, 6, 338145000, time.UTC)},
+		"1.10/stable":    {Channel: "1.10/stable", ReleasedAt: time.Date(2018, 12, 17, 6, 53, 57, 915517000, time.UTC)},
+		"1.10/candidate": {Channel: "1.10/candidate", ReleasedAt: time.Date(2018, 12, 17, 0, 4, 13, 413244000, time.UTC)},
+		"1.11/stable":    {Channel: "1.11/stable", ReleasedAt: time.Date(2018, 12, 17, 9, 17, 48, 847205000, time.UTC)},
+		"1.11/candidate": {Channel: "1.11/candidate", ReleasedAt: time.Date(2018, 12, 17, 0, 10, 5, 864910000, time.UTC)},
+	}
+	for k, v := range result.Channels {
+		c.Check(v, DeepEquals, expected[k], Commentf("%q", k))
+	}
+	c.Check(result.Channels, HasLen, len(expected))
+	c.Check(result.Tracks, DeepEquals, []string{"latest", "1.11", "1.10", "1.9", "1.8", "1.7", "1.6"})
 }
 
-func (s *storeTestSuite) TestFullCloudInfoFromAuthContext(c *C) {
+func (s *storeTestSuite) TestInfoNonDefaults(c *C) {
+	restore := release.MockOnClassic(true)
+	defer restore()
+
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
-		c.Check(r.Header.Get("Snap-CDN"), Equals, `cloud-name="aws" region="us-east-1" availability-zone="us-east-1c"`)
+		assertRequest(c, r, "GET", infoPathPattern)
+		c.Check(r.Header.Get("Snap-Device-Store"), Equals, "foo")
+		c.Check(r.URL.Path, Matches, ".*/hello-world$")
+
+		c.Check(r.Header.Get("Snap-Device-Series"), Equals, "21")
+		c.Check(r.URL.Query().Get("architecture"), Equals, "archXYZ")
 
 		w.WriteHeader(200)
-		io.WriteString(w, MockDetailsJSON)
+		io.WriteString(w, mockInfoJSON)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := DefaultConfig()
+	cfg := store.DefaultConfig()
 	cfg.StoreBaseURL = mockServerURL
 	cfg.Series = "21"
 	cfg.Architecture = "archXYZ"
-	cfg.StoreID = "fallback"
-	sto := New(cfg, &testAuthContext{c: c, device: s.device, cloudInfo: &auth.CloudInfo{Name: "aws", Region: "us-east-1", AvailabilityZone: "us-east-1c"}})
+	cfg.StoreID = "foo"
+	sto := store.New(cfg, nil)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
+	c.Check(result.InstanceName(), Equals, "hello-world")
 }
 
-func (s *storeTestSuite) TestLessDetailedCloudInfoFromAuthContext(c *C) {
+func (s *storeTestSuite) TestStoreIDFromAuthContext(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
-		c.Check(r.Header.Get("Snap-CDN"), Equals, `cloud-name="openstack" availability-zone="nova"`)
+		assertRequest(c, r, "GET", infoPathPattern)
+		storeID := r.Header.Get("Snap-Device-Store")
+		c.Check(storeID, Equals, "my-brand-store-id")
 
 		w.WriteHeader(200)
-		io.WriteString(w, MockDetailsJSON)
+		io.WriteString(w, mockInfoJSON)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := DefaultConfig()
+	cfg := store.DefaultConfig()
 	cfg.StoreBaseURL = mockServerURL
 	cfg.Series = "21"
 	cfg.Architecture = "archXYZ"
 	cfg.StoreID = "fallback"
-	sto := New(cfg, &testAuthContext{c: c, device: s.device, cloudInfo: &auth.CloudInfo{Name: "openstack", Region: "", AvailabilityZone: "nova"}})
+	sto := store.New(cfg, &testAuthContext{c: c, device: s.device, storeID: "my-brand-store-id"})
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
+	c.Check(result.InstanceName(), Equals, "hello-world")
 }
 
 func (s *storeTestSuite) TestProxyStoreFromAuthContext(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 
 		w.WriteHeader(200)
-		io.WriteString(w, MockDetailsJSON)
+		io.WriteString(w, mockInfoJSON)
 	}))
 
 	c.Assert(mockServer, NotNil)
@@ -2456,9 +2222,9 @@
 	mockServerURL, _ := url.Parse(mockServer.URL)
 	nowhereURL, err := url.Parse("http://nowhere.invalid")
 	c.Assert(err, IsNil)
-	cfg := DefaultConfig()
+	cfg := store.DefaultConfig()
 	cfg.StoreBaseURL = nowhereURL
-	sto := New(cfg, &testAuthContext{
+	sto := store.New(cfg, &testAuthContext{
 		c:             c,
 		device:        s.device,
 		proxyStoreID:  "foo",
@@ -2466,31 +2232,29 @@
 	})
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
+	c.Check(result.InstanceName(), Equals, "hello-world")
 }
 
 func (s *storeTestSuite) TestProxyStoreFromAuthContextURLFallback(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 
 		w.WriteHeader(200)
-		io.WriteString(w, MockDetailsJSON)
+		io.WriteString(w, mockInfoJSON)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := DefaultConfig()
+	cfg := store.DefaultConfig()
 	cfg.StoreBaseURL = mockServerURL
-	sto := New(cfg, &testAuthContext{
+	sto := store.New(cfg, &testAuthContext{
 		c:      c,
 		device: s.device,
 		// mock an assertion that has id but no url
@@ -2499,58 +2263,18 @@
 	})
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
-}
-
-func (s *storeTestSuite) TestRevision(c *C) {
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.URL.Path {
-		case ordersPath:
-			w.WriteHeader(404)
-		case detailsPath("hello-world"):
-			c.Check(r.URL.Query(), DeepEquals, url.Values{
-				"channel":  []string{""},
-				"revision": []string{"26"},
-			})
-			w.WriteHeader(200)
-			io.WriteString(w, MockDetailsJSON)
-		default:
-			c.Fatalf("unexpected request to %q", r.URL.Path)
-		}
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := DefaultConfig()
-	cfg.StoreBaseURL = mockServerURL
-	cfg.DetailFields = []string{}
-	sto := New(cfg, nil)
-
-	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(26),
-	}
-	result, err := sto.SnapInfo(spec, s.user)
-	c.Assert(err, IsNil)
-	c.Check(result.Name(), Equals, "hello-world")
-	c.Check(result.Revision, DeepEquals, snap.R(27))
+	c.Check(result.InstanceName(), Equals, "hello-world")
 }
 
-func (s *storeTestSuite) TestDetailsOopses(c *C) {
+func (s *storeTestSuite) TestInfoOopses(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 		c.Check(r.URL.Path, Matches, ".*/hello-world")
-		c.Check(r.URL.Query().Get("channel"), Equals, "edge")
 
 		w.Header().Set("X-Oops-Id", "OOPS-d4f46f75a5bcc10edcacc87e1fc0119f")
 		w.WriteHeader(500)
@@ -2562,46 +2286,41 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
 	_, err := sto.SnapInfo(spec, nil)
-	c.Assert(err, ErrorMatches, `cannot get details for snap "hello-world" in channel "edge": got unexpected HTTP status code 5.. via GET to "http://\S+" \[OOPS-[[:xdigit:]]*\]`)
+	c.Assert(err, ErrorMatches, `cannot get details for snap "hello-world": got unexpected HTTP status code 5.. via GET to "http://\S+" \[OOPS-[[:xdigit:]]*\]`)
 }
 
 /*
 acquired via
 
-http --pretty=format --print b https://api.snapcraft.io/api/v1/snaps/details/no:such:package X-Ubuntu-Series:16 fields==anon_download_url,architecture,channel,download_sha512,summary,description,binary_filesize,download_url,icon_url,last_updated,license,package_name,prices,publisher,ratings_average,revision,snap_id,support_url,title,content,version,origin,developer_id,private,confinement channel==edge | xsel -b
+http --pretty=format --print b https://api.snapcraft.io/v2/snaps/info/no:such:package architecture==amd64 fields==architectures,base,confinement,contact,created-at,description,download,epoch,license,name,prices,private,publisher,revision,snap-id,snap-yaml,summary,title,type,version,media,common-ids Snap-Device-Series:16 | xsel -b
 
-on 2016-07-03
-
-On Ubuntu, apt install httpie xsel (although you could get http from
-the http snap instead).
+on 2018-06-14
 
 */
 const MockNoDetailsJSON = `{
-    "errors": [
-        "No such package"
-    ],
-    "result": "error"
+    "error-list": [
+        {
+            "code": "resource-not-found",
+            "message": "No snap named 'no:such:package' found in series '16'."
+        }
+    ]
 }`
 
-func (s *storeTestSuite) TestNoDetails(c *C) {
+func (s *storeTestSuite) TestNoInfo(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
+		assertRequest(c, r, "GET", infoPathPattern)
 		c.Check(r.URL.Path, Matches, ".*/no-such-pkg")
 
-		q := r.URL.Query()
-		c.Check(q.Get("channel"), Equals, "edge")
 		w.WriteHeader(404)
 		io.WriteString(w, MockNoDetailsJSON)
 	}))
@@ -2610,84 +2329,72 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
 	// the actual test
-	spec := SnapSpec{
-		Name:     "no-such-pkg",
-		Channel:  "edge",
-		Revision: snap.R(0),
+	spec := store.SnapSpec{
+		Name: "no-such-pkg",
 	}
 	result, err := sto.SnapInfo(spec, nil)
 	c.Assert(err, NotNil)
 	c.Assert(result, IsNil)
 }
 
-func (s *storeTestSuite) TestStructFields(c *C) {
-	type aStruct struct {
-		Foo int `json:"hello"`
-		Bar int `json:"potato,stuff"`
-	}
-	c.Assert(getStructFields(aStruct{}), DeepEquals, []string{"hello", "potato"})
-}
-
-func (s *storeTestSuite) TestStructFieldsExcept(c *C) {
-	type aStruct struct {
-		Foo int `json:"hello"`
-		Bar int `json:"potato,stuff"`
-	}
-	c.Assert(getStructFields(aStruct{}, "potato"), DeepEquals, []string{"hello"})
-}
+/* acquired via looking at the query snapd does for "snap find 'hello-world of snaps' --narrow" (on core) and adding size=1:
+curl -s -H "accept: application/hal+json" -H "X-Ubuntu-Release: 16" -H "X-Ubuntu-Wire-Protocol: 1" -H "X-Ubuntu-Architecture: amd64" 'https://api.snapcraft.io/api/v1/snaps/search?confinement=strict&fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha3_384%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Clast_updated%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Csnap_id%2Clicense%2Cbase%2Cmedia%2Csupport_url%2Ccontact%2Ctitle%2Ccontent%2Cversion%2Corigin%2Cdeveloper_id%2Cdeveloper_name%2Cdeveloper_validation%2Cprivate%2Cconfinement%2Ccommon_ids&q=hello-world+of+snaps&size=1' | python -m json.tool | xsel -b
 
-/* acquired via:
-curl -s -H "accept: application/hal+json" -H "X-Ubuntu-Release: 16" -H "X-Ubuntu-Device-Channel: edge" -H "X-Ubuntu-Wire-Protocol: 1" -H "X-Ubuntu-Architecture: amd64"  'https://api.snapcraft.io/api/v1/snaps/search?fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha512%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Cicon_url%2Clast_updated%2Clicense%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin&q=hello' | python -m json.tool | xsel -b
-Screenshot URLS set manually.
+And then add base and prices, increase title's length, and remove the _links dict
 */
 const MockSearchJSON = `{
     "_embedded": {
         "clickindex:package": [
             {
-                "anon_download_url": "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_25.snap",
+                "anon_download_url": "https://api.snapcraft.io/api/v1/snaps/download/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap",
                 "architecture": [
                     "all"
                 ],
+                "base": "bare-base",
                 "binary_filesize": 20480,
-                "channel": "edge",
+                "channel": "stable",
+                "common_ids": [],
+                "confinement": "strict",
+                "contact": "mailto:snappy-devel@lists.ubuntu.com",
                 "content": "application",
                 "description": "This is a simple hello world example.",
-                "download_sha512": "4bf23ce93efa1f32f0aeae7ec92564b7b0f9f8253a0bd39b2741219c1be119bb676c21208c6845ccf995e6aabe791d3f28a733ebcbbc3171bb23f67981f4068e",
-                "download_url": "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_25.snap",
-                "icon_url": "https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
-                "last_updated": "2016-04-19T19:50:50.435291Z",
-                "license": "GPL-3.0",
+                "developer_id": "canonical",
+                "developer_name": "Canonical",
+                "developer_validation": "verified",
+                "download_sha3_384": "eed62063c04a8c3819eb71ce7d929cc8d743b43be9e7d86b397b6d61b66b0c3a684f3148a9dbe5821360ae32105c1bd9",
+                "download_url": "https://api.snapcraft.io/api/v1/snaps/download/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_27.snap",
+                "last_updated": "2016-07-12T16:37:23.960632+00:00",
+                "license": "MIT",
+                "media": [
+                    {
+                        "type": "icon",
+                        "url": "https://dashboard.snapcraft.io/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png"
+                    },
+                    {
+                        "type": "screenshot",
+                        "url": "https://dashboard.snapcraft.io/site_media/appmedia/2018/06/Screenshot_from_2018-06-14_09-33-31.png"
+                    }
+                ],
                 "origin": "canonical",
                 "package_name": "hello-world",
                 "prices": {"EUR": 2.99, "USD": 3.49},
+                "private": false,
                 "publisher": "Canonical",
                 "ratings_average": 0.0,
-                "revision": 25,
-                "screenshot_urls": ["https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/screenshot.png"],
+                "revision": 27,
                 "snap_id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
-                "summary": "Hello world example",
-                "support_url": "mailto:snappy-devel@lists.ubuntu.com",
-                "title": "Hello World",
-                "version": "6.0"
+                "summary": "The 'hello-world' of snaps",
+                "support_url": "",
+                "title": "This Is The Most Fantastical Snap of Hello World",
+                "version": "6.3"
             }
         ]
-    },
-    "_links": {
-        "first": {
-            "href": "https://api.snapcraft.io/api/v1/snaps/search?q=hello&fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha512%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Cicon_url%2Clast_updated%2Clicense%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin&page=1"
-        },
-        "last": {
-            "href": "https://api.snapcraft.io/api/v1/snaps/search?q=hello&fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha512%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Cicon_url%2Clast_updated%2Clicense%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin&page=1"
-        },
-        "self": {
-            "href": "https://api.snapcraft.io/api/v1/snaps/search?q=hello&fields=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha512%2Csummary%2Cdescription%2Cbinary_filesize%2Cdownload_url%2Cicon_url%2Clast_updated%2Clicense%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin&page=1"
-        }
     }
 }
 `
@@ -2715,18 +2422,22 @@
 		case 0:
 			c.Check(name, Equals, "hello")
 			c.Check(q, Equals, "")
+			c.Check(query.Get("scope"), Equals, "")
 			c.Check(section, Equals, "")
 		case 1:
 			c.Check(name, Equals, "")
 			c.Check(q, Equals, "hello")
+			c.Check(query.Get("scope"), Equals, "maastricht")
 			c.Check(section, Equals, "")
 		case 2:
 			c.Check(name, Equals, "")
 			c.Check(q, Equals, "")
+			c.Check(query.Get("scope"), Equals, "")
 			c.Check(section, Equals, "db")
 		case 3:
 			c.Check(name, Equals, "")
 			c.Check(q, Equals, "hello")
+			c.Check(query.Get("scope"), Equals, "")
 			c.Check(section, Equals, "db")
 		default:
 			c.Fatalf("what? %d", n)
@@ -2738,16 +2449,16 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{"abc", "def"},
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
-	for _, query := range []Search{
+	for _, query := range []store.Search{
 		{Query: "hello", Prefix: true},
-		{Query: "hello"},
+		{Query: "hello", Scope: "maastricht"},
 		{Section: "db"},
 		{Query: "hello", Section: "db"},
 	} {
@@ -2799,11 +2510,11 @@
 	defer mockServer.Close()
 
 	serverURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: serverURL,
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
 	sections, err := sto.Sections(context.TODO(), s.user)
 	c.Check(err, IsNil)
@@ -2832,11 +2543,11 @@
 	defer mockServer.Close()
 
 	serverURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: serverURL,
 	}
 	authContext := &testAuthContext{c: c, device: s.device, storeID: "my-brand-store"}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
 	sections, err := sto.Sections(context.TODO(), s.user)
 	c.Check(err, IsNil)
@@ -2861,12 +2572,14 @@
         "apps": ["baz"],
         "title": "a title",
         "summary": "oneary plus twoary",
-        "package_name": "bar"
+        "package_name": "bar",
+        "version": "2.0"
       },
       {
         "aliases": [{"name": "meh", "target": "foo"}],
         "apps": ["foo"],
-        "package_name": "foo"
+        "package_name": "foo",
+        "version": "1.0"
       }
     ]
   }
@@ -2913,7 +2626,7 @@
 
 	serverURL, _ := url.Parse(mockServer.URL)
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&Config{StoreBaseURL: serverURL}, authContext)
+	sto := store.New(&store.Config{StoreBaseURL: serverURL}, authContext)
 
 	db, err := advisor.Create()
 	c.Assert(err, IsNil)
@@ -2927,12 +2640,105 @@
 
 	dump, err := advisor.DumpCommands()
 	c.Assert(err, IsNil)
-	c.Check(dump, DeepEquals, map[string][]string{
-		"foo":     {"foo"},
-		"bar.baz": {"bar"},
-		"potato":  {"bar"},
-		"meh":     {"bar", "foo"},
+	c.Check(dump, DeepEquals, map[string]string{
+		"foo":     `[{"snap":"foo","version":"1.0"}]`,
+		"bar.baz": `[{"snap":"bar","version":"2.0"}]`,
+		"potato":  `[{"snap":"bar","version":"2.0"}]`,
+		"meh":     `[{"snap":"bar","version":"2.0"},{"snap":"foo","version":"1.0"}]`,
+	})
+}
+
+func (s *storeTestSuite) TestFind(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "GET", searchPath)
+		query := r.URL.Query()
+
+		q := query.Get("q")
+		c.Check(q, Equals, "hello")
+
+		c.Check(r.UserAgent(), Equals, userAgent)
+
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		// no store ID by default
+		storeID := r.Header.Get("X-Ubuntu-Store")
+		c.Check(storeID, Equals, "")
+
+		c.Check(r.URL.Query().Get("fields"), Equals, "abc,def")
+
+		c.Check(r.Header.Get("X-Ubuntu-Series"), Equals, release.Series)
+		c.Check(r.Header.Get("X-Ubuntu-Architecture"), Equals, arch.UbuntuArchitecture())
+		c.Check(r.Header.Get("X-Ubuntu-Classic"), Equals, "false")
+
+		c.Check(r.Header.Get("X-Ubuntu-Confinement"), Equals, "")
+
+		w.Header().Set("X-Suggested-Currency", "GBP")
+
+		w.Header().Set("Content-Type", "application/hal+json")
+		w.WriteHeader(200)
+
+		io.WriteString(w, MockSearchJSON)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+		DetailFields: []string{"abc", "def"},
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	snaps, err := sto.Find(&store.Search{Query: "hello"}, nil)
+	c.Assert(err, IsNil)
+	c.Assert(snaps, HasLen, 1)
+	snp := snaps[0]
+	c.Check(snp.InstanceName(), Equals, "hello-world")
+	c.Check(snp.Architectures, DeepEquals, []string{"all"})
+	c.Check(snp.Revision, Equals, snap.R(27))
+	c.Check(snp.SnapID, Equals, helloWorldSnapID)
+	c.Check(snp.Publisher, Equals, snap.StoreAccount{
+		ID:          "canonical",
+		Username:    "canonical",
+		DisplayName: "Canonical",
+		Validation:  "verified",
+	})
+	c.Check(snp.Version, Equals, "6.3")
+	c.Check(snp.Sha3_384, Matches, `[[:xdigit:]]{96}`)
+	c.Check(snp.Size, Equals, int64(20480))
+	c.Check(snp.Channel, Equals, "stable")
+	c.Check(snp.Description(), Equals, "This is a simple hello world example.")
+	c.Check(snp.Summary(), Equals, "The 'hello-world' of snaps")
+	c.Check(snp.Title(), Equals, "This Is The Most Fantastical Snap of He…")
+	c.Check(snp.License, Equals, "MIT")
+	// this is more a "we know this isn't there" than an actual test for a wanted feature
+	// NOTE snap.Epoch{} (which prints as "0", and is thus Unset) is not a valid Epoch.
+	c.Check(snp.Epoch, DeepEquals, snap.Epoch{})
+	c.Assert(snp.Prices, DeepEquals, map[string]float64{"EUR": 2.99, "USD": 3.49})
+	c.Assert(snp.Paid, Equals, true)
+	c.Assert(snp.Media, DeepEquals, snap.MediaInfos{
+		{
+			Type: "icon",
+			URL:  "https://dashboard.snapcraft.io/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
+		}, {
+			Type: "screenshot",
+			URL:  "https://dashboard.snapcraft.io/site_media/appmedia/2018/06/Screenshot_from_2018-06-14_09-33-31.png",
+		},
 	})
+	c.Check(snp.MustBuy, Equals, true)
+	c.Check(snp.Contact, Equals, "mailto:snappy-devel@lists.ubuntu.com")
+	c.Check(snp.Base, Equals, "bare-base")
+
+	// Make sure the epoch (currently not sent by the store) defaults to "0"
+	c.Check(snp.Epoch.String(), Equals, "0")
+
+	c.Check(sto.SuggestedCurrency(), Equals, "GBP")
 }
 
 func (s *storeTestSuite) TestFindPrivate(c *C) {
@@ -2964,27 +2770,27 @@
 	defer mockServer.Close()
 
 	serverURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: serverURL,
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
-	_, err := sto.Find(&Search{Query: "foo", Private: true}, s.user)
+	_, err := sto.Find(&store.Search{Query: "foo", Private: true}, s.user)
 	c.Check(err, IsNil)
 
-	_, err = sto.Find(&Search{Query: "foo", Private: true}, nil)
-	c.Check(err, Equals, ErrUnauthenticated)
+	_, err = sto.Find(&store.Search{Query: "foo", Private: true}, nil)
+	c.Check(err, Equals, store.ErrUnauthenticated)
 
-	_, err = sto.Find(&Search{Query: "name:foo", Private: true}, s.user)
-	c.Check(err, Equals, ErrBadQuery)
+	_, err = sto.Find(&store.Search{Query: "name:foo", Private: true}, s.user)
+	c.Check(err, Equals, store.ErrBadQuery)
 }
 
 func (s *storeTestSuite) TestFindFailures(c *C) {
-	sto := New(&Config{StoreBaseURL: new(url.URL)}, nil)
-	_, err := sto.Find(&Search{Query: "foo:bar"}, nil)
-	c.Check(err, Equals, ErrBadQuery)
-	_, err = sto.Find(&Search{Query: "foo", Private: true, Prefix: true}, s.user)
-	c.Check(err, Equals, ErrBadQuery)
+	sto := store.New(&store.Config{StoreBaseURL: new(url.URL)}, nil)
+	_, err := sto.Find(&store.Search{Query: "foo:bar"}, nil)
+	c.Check(err, Equals, store.ErrBadQuery)
+	_, err = sto.Find(&store.Search{Query: "foo", Private: true, Prefix: true}, s.user)
+	c.Check(err, Equals, store.ErrBadQuery)
 }
 
 func (s *storeTestSuite) TestFindFails(c *C) {
@@ -2997,13 +2803,13 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{}, // make the error less noisy
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
-	snaps, err := sto.Find(&Search{Query: "hello"}, nil)
+	snaps, err := sto.Find(&store.Search{Query: "hello"}, nil)
 	c.Check(err, ErrorMatches, `cannot search: got unexpected HTTP status code 418 via GET to "http://\S+[?&]q=hello.*"`)
 	c.Check(snaps, HasLen, 0)
 }
@@ -3018,13 +2824,13 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{}, // make the error less noisy
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
-	snaps, err := sto.Find(&Search{Query: "hello"}, nil)
+	snaps, err := sto.Find(&store.Search{Query: "hello"}, nil)
 	c.Check(err, ErrorMatches, `received an unexpected content type \("text/plain[^"]+"\) when trying to search via "http://\S+[?&]q=hello.*"`)
 	c.Check(snaps, HasLen, 0)
 }
@@ -3041,13 +2847,13 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{}, // make the error less noisy
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
-	snaps, err := sto.Find(&Search{Query: "hello"}, nil)
+	snaps, err := sto.Find(&store.Search{Query: "hello"}, nil)
 	c.Check(err, ErrorMatches, `invalid character '<' looking for beginning of value`)
 	c.Check(snaps, HasLen, 0)
 }
@@ -3063,13 +2869,13 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{},
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
-	_, err := sto.Find(&Search{Query: "hello"}, nil)
+	_, err := sto.Find(&store.Search{Query: "hello"}, nil)
 	c.Check(err, ErrorMatches, `cannot search: got unexpected HTTP status code 500 via GET to "http://\S+[?&]q=hello.*"`)
 	c.Assert(n, Equals, 5)
 }
@@ -3091,13 +2897,13 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{},
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
-	snaps, err := sto.Find(&Search{Query: "hello"}, nil)
+	snaps, err := sto.Find(&store.Search{Query: "hello"}, nil)
 	c.Check(err, IsNil)
 	c.Assert(snaps, HasLen, 1)
 	c.Assert(n, Equals, 2)
@@ -3122,7 +2928,7 @@
 			io.WriteString(w, MockSearchJSON)
 		case ordersPath:
 			c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-			c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
+			c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
 			c.Check(r.URL.Path, Equals, ordersPath)
 			w.WriteHeader(401)
 			io.WriteString(w, "{}")
@@ -3134,13 +2940,13 @@
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 		DetailFields: []string{}, // make the error less noisy
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, nil)
 
-	snaps, err := sto.Find(&Search{Query: "foo"}, s.user)
+	snaps, err := sto.Find(&store.Search{Query: "foo"}, s.user)
 	c.Assert(err, IsNil)
 
 	// Check that we log an error.
@@ -3153,2211 +2959,3947 @@
 	c.Check(snaps[0].MustBuy, Equals, true)
 }
 
-func (s *storeTestSuite) TestCurrentSnap(c *C) {
-	cand := &RefreshCandidate{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(1),
-		Epoch:    *snap.E("1"),
-	}
-	cs := currentSnap(cand)
-	c.Assert(cs, NotNil)
-	c.Check(cs.SnapID, Equals, cand.SnapID)
-	c.Check(cs.Channel, Equals, cand.Channel)
-	c.Check(cs.Epoch, DeepEquals, cand.Epoch)
-	c.Check(cs.Revision, Equals, cand.Revision.N)
-	c.Check(cs.IgnoreValidation, Equals, cand.IgnoreValidation)
-	c.Check(s.logbuf.String(), Equals, "")
-}
-
-func (s *storeTestSuite) TestCurrentSnapIgnoreValidation(c *C) {
-	cand := &RefreshCandidate{
-		SnapID:           helloWorldSnapID,
-		Channel:          "stable",
-		Revision:         snap.R(1),
-		Epoch:            *snap.E("1"),
-		IgnoreValidation: true,
-	}
-	cs := currentSnap(cand)
-	c.Assert(cs, NotNil)
-	c.Check(cs.SnapID, Equals, cand.SnapID)
-	c.Check(cs.Channel, Equals, cand.Channel)
-	c.Check(cs.Epoch, DeepEquals, cand.Epoch)
-	c.Check(cs.Revision, Equals, cand.Revision.N)
-	c.Check(cs.IgnoreValidation, Equals, cand.IgnoreValidation)
-	c.Check(s.logbuf.String(), Equals, "")
-}
+func (s *storeTestSuite) TestFindCommonIDs(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "GET", searchPath)
+		query := r.URL.Query()
 
-func (s *storeTestSuite) TestCurrentSnapNoChannel(c *C) {
-	cand := &RefreshCandidate{
-		SnapID:   helloWorldSnapID,
-		Revision: snap.R(1),
-		Epoch:    *snap.E("1"),
+		name := query.Get("name")
+		q := query.Get("q")
+
+		switch n {
+		case 0:
+			c.Check(r.URL.Path, Matches, ".*/search")
+			c.Check(name, Equals, "")
+			c.Check(q, Equals, "foo")
+		default:
+			c.Fatalf("what? %d", n)
+		}
+
+		w.Header().Set("Content-Type", "application/hal+json")
+		w.WriteHeader(200)
+		io.WriteString(w, strings.Replace(MockSearchJSON,
+			`"common_ids": []`,
+			`"common_ids": ["org.hello"]`, -1))
+
+		n++
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	serverURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: serverURL,
 	}
-	cs := currentSnap(cand)
-	c.Assert(cs, NotNil)
-	c.Check(cs.SnapID, Equals, cand.SnapID)
-	c.Check(cs.Channel, Equals, "stable")
-	c.Check(cs.Epoch, DeepEquals, cand.Epoch)
-	c.Check(cs.Revision, Equals, cand.Revision.N)
-	c.Check(s.logbuf.String(), Equals, "")
-}
-
-func (s *storeTestSuite) TestCurrentSnapNilNoID(c *C) {
-	cand := &RefreshCandidate{
-		SnapID:   "",
-		Revision: snap.R(1),
-	}
-	cs := currentSnap(cand)
-	c.Assert(cs, IsNil)
-	c.Check(s.logbuf.String(), Matches, "(?m).* an empty SnapID but a store revision!")
+	sto := store.New(&cfg, nil)
+
+	infos, err := sto.Find(&store.Search{Query: "foo"}, nil)
+	c.Check(err, IsNil)
+	c.Assert(infos, HasLen, 1)
+	c.Check(infos[0].CommonIDs, DeepEquals, []string{"org.hello"})
 }
 
-func (s *storeTestSuite) TestCurrentSnapNilLocalRevision(c *C) {
-	cand := &RefreshCandidate{
-		SnapID:   helloWorldSnapID,
-		Revision: snap.R("x1"),
-	}
-	cs := currentSnap(cand)
-	c.Assert(cs, IsNil)
-	c.Check(s.logbuf.String(), Matches, "(?m).* a non-empty SnapID but a non-store revision!")
+func (s *storeTestSuite) TestAuthLocationDependsOnEnviron(c *C) {
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
+	before := store.AuthLocation()
+
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
+	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
+	after := store.AuthLocation()
+
+	c.Check(before, Not(Equals), after)
 }
 
-func (s *storeTestSuite) TestCurrentSnapNilLocalRevisionNoID(c *C) {
-	cand := &RefreshCandidate{
-		SnapID:   "",
-		Revision: snap.R("x1"),
-	}
-	cs := currentSnap(cand)
-	c.Assert(cs, IsNil)
-	c.Check(s.logbuf.String(), Equals, "")
+func (s *storeTestSuite) TestAuthURLDependsOnEnviron(c *C) {
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
+	before := store.AuthURL()
+
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
+	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
+	after := store.AuthURL()
+
+	c.Check(before, Not(Equals), after)
 }
 
-func (s *storeTestSuite) TestCurrentSnapRevLocalRevWithAmendHappy(c *C) {
-	cand := &RefreshCandidate{
-		SnapID:   helloWorldSnapID,
-		Revision: snap.R("x1"),
-		Amend:    true,
-	}
-	cs := currentSnap(cand)
-	c.Assert(cs, NotNil)
-	c.Check(cs.SnapID, Equals, cand.SnapID)
-	c.Check(cs.Revision, Equals, cand.Revision.N)
-	c.Check(s.logbuf.String(), Equals, "")
+func (s *storeTestSuite) TestApiURLDependsOnEnviron(c *C) {
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
+	before := store.ApiURL()
+
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
+	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
+	after := store.ApiURL()
+
+	c.Check(before, Not(Equals), after)
 }
 
-/* acquired via:
-(against production "hello-world")
-$ curl -s --data-binary '{"snaps":[{"snap_id":"buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ","channel":"stable","revision":25,"epoch":"0","confinement":"strict"}],"fields":["anon_download_url","architecture","channel","download_sha512","summary","description","binary_filesize","download_url","icon_url","last_updated","license","package_name","prices","publisher","ratings_average","revision","snap_id","support_url","title","content","version","origin","developer_id","private","confinement"]}'  -H 'content-type: application/json' -H 'X-Ubuntu-Release: 16' -H 'X-Ubuntu-Wire-Protocol: 1' -H "accept: application/hal+json" https://api.snapcraft.io/api/v1/snaps/metadata | python3 -m json.tool --sort-keys | xsel -b
-*/
-var MockUpdatesJSON = `
-{
-    "_embedded": {
-        "clickindex:package": [
-            {
-                "anon_download_url": "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_26.snap",
-                "architecture": [
-                    "all"
-                ],
-                "binary_filesize": 20480,
-                "channel": "stable",
-                "confinement": "strict",
-                "content": "application",
-                "description": "This is a simple hello world example.",
-                "developer_id": "canonical",
-                "download_sha512": "345f33c06373f799b64c497a778ef58931810dd7ae85279d6917d8b4f43d38abaf37e68239cb85914db276cb566a0ef83ea02b6f2fd064b54f9f2508fa4ca1f1",
-                "download_url": "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_26.snap",
-                "icon_url": "https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
-                "last_updated": "2016-05-31T07:02:32.586839Z",
-                "license": "GPL-3.0",
-                "origin": "canonical",
-                "package_name": "hello-world",
-                "prices": {},
-                "publisher": "Canonical",
-                "ratings_average": 0.0,
-                "revision": 26,
-                "snap_id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
-                "summary": "Hello world example",
-                "support_url": "mailto:snappy-devel@lists.ubuntu.com",
-                "title": "Hello World",
-                "version": "6.1"
-            }
-        ]
-    }
-}
-`
-
-func (s *storeTestSuite) TestRefreshForCandidates(c *C) {
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		// check device authorization is set, implicitly checking doRequest was used
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
-
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
-
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":     helloWorldSnapID,
-			"channel":     "stable",
-			"revision":    float64(1),
-			"epoch":       "0",
-			"confinement": "",
-		})
-		c.Assert(resp.Fields, DeepEquals, detailFields)
-
-		io.WriteString(w, MockUpdatesJSON)
-	}))
-
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+func (s *storeTestSuite) TestStoreURLDependsOnEnviron(c *C) {
+	// This also depends on the API URL, but that's tested separately (see
+	// TestApiURLDependsOnEnviron).
+	api := store.ApiURL()
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	c.Assert(os.Setenv("SNAPPY_FORCE_CPI_URL", ""), IsNil)
+	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", ""), IsNil)
 
-	results, err := sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{
-		{
-			SnapID:   helloWorldSnapID,
-			Channel:  "stable",
-			Revision: 1,
-		},
-	}, nil, nil)
+	// Test in order of precedence (low first) leaving env vars set as we go ...
 
+	u, err := store.StoreURL(api)
 	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Name, Equals, "hello-world")
-	c.Assert(results[0].Revision, Equals, 26)
-	c.Assert(results[0].Version, Equals, "6.1")
-	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
-	c.Assert(results[0].DeveloperID, Equals, helloWorldDeveloperID)
-	c.Assert(results[0].Deltas, HasLen, 0)
-}
-
-func (s *storeTestSuite) TestRefreshForCandidatesRetriesOnEOF(c *C) {
-	n := 0
-	var mockServer *httptest.Server
-	mockServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		n++
-		if n < 4 {
-			io.WriteString(w, "{")
-			mockServer.CloseClientConnections()
-			return
-		}
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
-		err := json.NewDecoder(r.Body).Decode(&resp)
-		c.Assert(err, IsNil)
-		c.Assert(resp.Snaps, HasLen, 1)
-		io.WriteString(w, MockUpdatesJSON)
-	}))
-
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
-
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	c.Check(u.String(), Matches, api.String()+".*")
 
-	results, err := sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: 1,
-	}}, nil, nil)
+	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", "https://force-api.local/"), IsNil)
+	defer os.Setenv("SNAPPY_FORCE_API_URL", "")
+	u, err = store.StoreURL(api)
 	c.Assert(err, IsNil)
-	c.Assert(n, Equals, 4)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Name, Equals, "hello-world")
-}
-
-func mockRFC(newRFC func(*Store, context.Context, []*currentSnapJSON, *auth.UserState, *RefreshOptions) ([]*snapDetails, error)) func() {
-	oldRFC := refreshForCandidates
-	refreshForCandidates = newRFC
-	return func() {
-		refreshForCandidates = oldRFC
-	}
-}
-
-func (s *storeTestSuite) TestLookupRefresh(c *C) {
-	defer mockRFC(func(_ *Store, _ context.Context, currentSnaps []*currentSnapJSON, _ *auth.UserState, _ *RefreshOptions) ([]*snapDetails, error) {
-		c.Check(currentSnaps, DeepEquals, []*currentSnapJSON{{
-			SnapID:   helloWorldSnapID,
-			Channel:  "stable",
-			Revision: 1,
-			Epoch:    *snap.E("0"),
-		}})
-		return []*snapDetails{{
-			Name:        "hello-world",
-			Revision:    26,
-			Version:     "6.1",
-			SnapID:      helloWorldSnapID,
-			DeveloperID: helloWorldDeveloperID,
-		}}, nil
-	})()
-
-	sto := New(nil, &testAuthContext{c: c, device: s.device})
+	c.Check(u.String(), Matches, "https://force-api.local/.*")
 
-	result, err := sto.LookupRefresh(&RefreshCandidate{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(1),
-		Epoch:    *snap.E("0"),
-	}, nil)
+	c.Assert(os.Setenv("SNAPPY_FORCE_CPI_URL", "https://force-cpi.local/api/v1/"), IsNil)
+	defer os.Setenv("SNAPPY_FORCE_CPI_URL", "")
+	u, err = store.StoreURL(api)
 	c.Assert(err, IsNil)
-	c.Assert(result.Name(), Equals, "hello-world")
-	c.Assert(result.Revision, Equals, snap.R(26))
-	c.Assert(result.Version, Equals, "6.1")
-	c.Assert(result.SnapID, Equals, helloWorldSnapID)
-	c.Assert(result.PublisherID, Equals, helloWorldDeveloperID)
-	c.Assert(result.Deltas, HasLen, 0)
+	c.Check(u.String(), Matches, "https://force-cpi.local/.*")
 }
 
-func (s *storeTestSuite) TestLookupRefreshIgnoreValidation(c *C) {
-	defer mockRFC(func(_ *Store, _ context.Context, currentSnaps []*currentSnapJSON, _ *auth.UserState, _ *RefreshOptions) ([]*snapDetails, error) {
-		c.Check(currentSnaps, DeepEquals, []*currentSnapJSON{{
-			SnapID:           helloWorldSnapID,
-			Channel:          "stable",
-			Revision:         1,
-			Epoch:            *snap.E("0"),
-			IgnoreValidation: true,
-		}})
-		return []*snapDetails{{
-			Name:        "hello-world",
-			Revision:    26,
-			Version:     "6.1",
-			SnapID:      helloWorldSnapID,
-			DeveloperID: helloWorldDeveloperID,
-		}}, nil
-	})()
-
-	sto := New(nil, &testAuthContext{c: c, device: s.device})
-
-	result, err := sto.LookupRefresh(&RefreshCandidate{
-		SnapID:           helloWorldSnapID,
-		Channel:          "stable",
-		Revision:         snap.R(1),
-		Epoch:            *snap.E("0"),
-		IgnoreValidation: true,
-	}, nil)
-	c.Assert(err, IsNil)
-	c.Assert(result.Name(), Equals, "hello-world")
-	c.Assert(result.Revision, Equals, snap.R(26))
-	c.Assert(result.SnapID, Equals, helloWorldSnapID)
+func (s *storeTestSuite) TestStoreURLBadEnvironAPI(c *C) {
+	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", "://force-api.local/"), IsNil)
+	defer os.Setenv("SNAPPY_FORCE_API_URL", "")
+	_, err := store.StoreURL(store.ApiURL())
+	c.Check(err, ErrorMatches, "invalid SNAPPY_FORCE_API_URL: parse ://force-api.local/: missing protocol scheme")
 }
 
-func (s *storeTestSuite) TestLookupRefreshLocalSnap(c *C) {
-	defer mockRFC(func(_ *Store, _ context.Context, _ []*currentSnapJSON, _ *auth.UserState, _ *RefreshOptions) ([]*snapDetails, error) {
-		panic("unexpected call to refreshForCandidates")
-	})()
-
-	sto := New(nil, &testAuthContext{c: c, device: s.device})
-
-	result, err := sto.LookupRefresh(&RefreshCandidate{
-		Revision: snap.R("x1"),
-	}, nil)
-	c.Assert(result, IsNil)
-	c.Check(err, Equals, ErrLocalSnap)
+func (s *storeTestSuite) TestStoreURLBadEnvironCPI(c *C) {
+	c.Assert(os.Setenv("SNAPPY_FORCE_CPI_URL", "://force-cpi.local/api/v1/"), IsNil)
+	defer os.Setenv("SNAPPY_FORCE_CPI_URL", "")
+	_, err := store.StoreURL(store.ApiURL())
+	c.Check(err, ErrorMatches, "invalid SNAPPY_FORCE_CPI_URL: parse ://force-cpi.local/: missing protocol scheme")
 }
 
-func (s *storeTestSuite) TestLookupRefreshRFCError(c *C) {
-	anError := errors.New("ouchie")
-	defer mockRFC(func(_ *Store, _ context.Context, _ []*currentSnapJSON, _ *auth.UserState, _ *RefreshOptions) ([]*snapDetails, error) {
-		return nil, anError
-	})()
+func (s *storeTestSuite) TestStoreDeveloperURLDependsOnEnviron(c *C) {
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
+	before := store.StoreDeveloperURL()
 
-	sto := New(nil, &testAuthContext{c: c, device: s.device})
+	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
+	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
+	after := store.StoreDeveloperURL()
 
-	result, err := sto.LookupRefresh(&RefreshCandidate{
-		SnapID:   helloWorldDeveloperID,
-		Revision: snap.R(1),
-	}, nil)
-	c.Assert(result, IsNil)
-	c.Check(err, Equals, anError)
+	c.Check(before, Not(Equals), after)
 }
 
-func (s *storeTestSuite) TestLookupRefreshEmptyResponse(c *C) {
-	defer mockRFC(func(_ *Store, _ context.Context, _ []*currentSnapJSON, _ *auth.UserState, _ *RefreshOptions) ([]*snapDetails, error) {
-		return nil, nil
-	})()
-
-	sto := New(nil, &testAuthContext{c: c, device: s.device})
-
-	result, err := sto.LookupRefresh(&RefreshCandidate{
-		SnapID:   helloWorldDeveloperID,
-		Revision: snap.R(1),
-	}, nil)
-	c.Assert(result, IsNil)
-	c.Check(err, Equals, ErrSnapNotFound)
+func (s *storeTestSuite) TeststoreDefaultConfig(c *C) {
+	c.Check(store.DefaultConfig().StoreBaseURL.String(), Equals, "https://api.snapcraft.io/")
+	c.Check(store.DefaultConfig().AssertionsBaseURL, IsNil)
 }
 
-func (s *storeTestSuite) TestLookupRefreshNoUpdate(c *C) {
-	defer mockRFC(func(_ *Store, _ context.Context, _ []*currentSnapJSON, _ *auth.UserState, _ *RefreshOptions) ([]*snapDetails, error) {
-		return []*snapDetails{{
-			SnapID:   helloWorldDeveloperID,
-			Revision: 1,
-		}}, nil
-	})()
-
-	sto := New(nil, &testAuthContext{c: c, device: s.device})
-
-	result, err := sto.LookupRefresh(&RefreshCandidate{
-		SnapID:   helloWorldDeveloperID,
-		Revision: snap.R(1),
-	}, nil)
-	c.Assert(result, IsNil)
-	c.Check(err, Equals, ErrNoUpdateAvailable)
+func (s *storeTestSuite) TestNew(c *C) {
+	aStore := store.New(nil, nil)
+	c.Assert(aStore, NotNil)
+	// check for fields
+	c.Check(aStore.DetailFields(), DeepEquals, store.DefaultConfig().DetailFields)
 }
 
-func (s *storeTestSuite) TestListRefresh(c *C) {
+var testAssertion = `type: snap-declaration
+authority-id: super
+series: 16
+snap-id: snapidfoo
+publisher-id: devidbaz
+snap-name: mysnap
+timestamp: 2016-03-30T12:22:16Z
+sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+
+openpgp wsBcBAABCAAQBQJW+8VBCRDWhXkqAWcrfgAAQ9gIABZFgMPByJZeUE835FkX3/y2hORn
+AzE3R1ktDkQEVe/nfVDMACAuaw1fKmUS4zQ7LIrx/AZYw5i0vKVmJszL42LBWVsqR0+p9Cxebzv9
+U2VUSIajEsUUKkBwzD8wxFzagepFlScif1NvCGZx0vcGUOu0Ent0v+gqgAv21of4efKqEW7crlI1
+T/A8LqZYmIzKRHGwCVucCyAUD8xnwt9nyWLgLB+LLPOVFNK8SR6YyNsX05Yz1BUSndBfaTN8j/k8
+8isKGZE6P0O9ozBbNIAE8v8NMWQegJ4uWuil7D3psLkzQIrxSypk9TrQ2GlIG2hJdUovc5zBuroe
+xS4u9rVT6UY=`
+
+func (s *storeTestSuite) TestAssertion(c *C) {
+	restore := asserts.MockMaxSupportedFormat(asserts.SnapDeclarationType, 88)
+	defer restore()
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
+		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
 		// check device authorization is set, implicitly checking doRequest was used
 		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
-
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
-
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":     helloWorldSnapID,
-			"channel":     "stable",
-			"revision":    float64(1),
-			"epoch":       "0",
-			"confinement": "",
-		})
-		c.Assert(resp.Fields, DeepEquals, detailFields)
-
-		io.WriteString(w, MockUpdatesJSON)
+		c.Check(r.Header.Get("Accept"), Equals, "application/x.ubuntu.assertion")
+		c.Check(r.URL.Path, Matches, ".*/snap-declaration/16/snapidfoo")
+		c.Check(r.URL.Query().Get("max-format"), Equals, "88")
+		io.WriteString(w, testAssertion)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{
-		{
-			SnapID:   helloWorldSnapID,
-			Channel:  "stable",
-			Revision: snap.R(1),
-		},
-	}, nil, nil)
+	a, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
 	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Name(), Equals, "hello-world")
-	c.Assert(results[0].Revision, Equals, snap.R(26))
-	c.Assert(results[0].Version, Equals, "6.1")
-	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
-	c.Assert(results[0].PublisherID, Equals, helloWorldDeveloperID)
-	c.Assert(results[0].Deltas, HasLen, 0)
+	c.Check(a, NotNil)
+	c.Check(a.Type(), Equals, asserts.SnapDeclarationType)
 }
 
-func (s *storeTestSuite) TestListRefreshIgnoreValidation(c *C) {
+func (s *storeTestSuite) TestAssertionProxyStoreFromAuthContext(c *C) {
+	restore := asserts.MockMaxSupportedFormat(asserts.SnapDeclarationType, 88)
+	defer restore()
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
+		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
 		// check device authorization is set, implicitly checking doRequest was used
 		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
-
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
-
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":           helloWorldSnapID,
-			"channel":           "stable",
-			"revision":          float64(1),
-			"epoch":             "0",
-			"confinement":       "",
-			"ignore_validation": true,
-		})
-		c.Assert(resp.Fields, DeepEquals, detailFields)
-
-		io.WriteString(w, MockUpdatesJSON)
+		c.Check(r.Header.Get("Accept"), Equals, "application/x.ubuntu.assertion")
+		c.Check(r.URL.Path, Matches, ".*/snap-declaration/16/snapidfoo")
+		c.Check(r.URL.Query().Get("max-format"), Equals, "88")
+		io.WriteString(w, testAssertion)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
+	nowhereURL, err := url.Parse("http://nowhere.invalid")
+	c.Assert(err, IsNil)
+	cfg := store.Config{
+		AssertionsBaseURL: nowhereURL,
 	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	authContext := &testAuthContext{
+		c:             c,
+		device:        s.device,
+		proxyStoreID:  "foo",
+		proxyStoreURL: mockServerURL,
+	}
+	sto := store.New(&cfg, authContext)
 
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{
-		{
-			SnapID:           helloWorldSnapID,
-			Channel:          "stable",
-			Revision:         snap.R(1),
-			IgnoreValidation: true,
-		},
-	}, nil, nil)
+	a, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
 	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Name(), Equals, "hello-world")
-	c.Assert(results[0].Revision, Equals, snap.R(26))
-	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Check(a, NotNil)
+	c.Check(a.Type(), Equals, asserts.SnapDeclarationType)
 }
 
-func (s *storeTestSuite) TestListRefreshDefaultChannelIsStable(c *C) {
+func (s *storeTestSuite) TestAssertionNotFound(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		// check device authorization is set, implicitly checking doRequest was used
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
+		c.Check(r.Header.Get("Accept"), Equals, "application/x.ubuntu.assertion")
+		c.Check(r.URL.Path, Matches, ".*/snap-declaration/16/snapidfoo")
+		w.Header().Set("Content-Type", "application/problem+json")
+		w.WriteHeader(404)
+		io.WriteString(w, `{"status": 404,"title": "not found"}`)
+	}))
 
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		AssertionsBaseURL: mockServerURL,
+	}
+	sto := store.New(&cfg, nil)
 
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":     helloWorldSnapID,
-			"channel":     "stable",
-			"revision":    float64(1),
-			"epoch":       "0",
-			"confinement": "",
-		})
-		c.Assert(resp.Fields, DeepEquals, detailFields)
+	_, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
+	c.Check(asserts.IsNotFound(err), Equals, true)
+	c.Check(err, DeepEquals, &asserts.NotFoundError{
+		Type: asserts.SnapDeclarationType,
+		Headers: map[string]string{
+			"series":  "16",
+			"snap-id": "snapidfoo",
+		},
+	})
+}
 
-		io.WriteString(w, MockUpdatesJSON)
+func (s *storeTestSuite) TestAssertion500(c *C) {
+	var n = 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
+		n++
+		w.WriteHeader(500)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
+	cfg := store.Config{
+		AssertionsBaseURL: mockServerURL,
 	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, nil)
 
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{
-		{
-			SnapID:   helloWorldSnapID,
-			Revision: snap.R(1),
-		},
-	}, nil, nil)
-	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Name(), Equals, "hello-world")
-	c.Assert(results[0].Revision, Equals, snap.R(26))
-	c.Assert(results[0].Version, Equals, "6.1")
-	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
-	c.Assert(results[0].PublisherID, Equals, helloWorldDeveloperID)
-	c.Assert(results[0].Deltas, HasLen, 0)
+	_, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
+	c.Assert(err, ErrorMatches, `cannot fetch assertion: got unexpected HTTP status code 500 via .+`)
+	c.Assert(n, Equals, 5)
 }
 
-func (s *storeTestSuite) TestListRefreshRetryOnEOF(c *C) {
-	n := 0
-	var mockServer *httptest.Server
-	mockServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		n++
-		if n < 4 {
-			io.WriteString(w, "{")
-			mockServer.CloseClientConnections()
-			return
-		}
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
-		err := json.NewDecoder(r.Body).Decode(&resp)
-		c.Assert(err, IsNil)
-		c.Assert(resp.Snaps, HasLen, 1)
-		io.WriteString(w, MockUpdatesJSON)
+func (s *storeTestSuite) TestSuggestedCurrency(c *C) {
+	suggestedCurrency := "GBP"
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "GET", infoPathPattern)
+		w.Header().Set("X-Suggested-Currency", suggestedCurrency)
+		w.WriteHeader(200)
+
+		io.WriteString(w, mockInfoJSON)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
-
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(1),
-	}}, nil, nil)
-	c.Assert(err, IsNil)
-	c.Assert(n, Equals, 4)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Name(), Equals, "hello-world")
-}
-
-func (s *storeTestSuite) TestUnexpectedEOFhandling(c *C) {
-	permanentlyBrokenSrvCalls := 0
-	somewhatBrokenSrvCalls := 0
-
-	mockPermanentlyBrokenServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		permanentlyBrokenSrvCalls++
-		w.Header().Add("Content-Length", "1000")
-	}))
-	mockSomewhatBrokenServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		somewhatBrokenSrvCalls++
-		if somewhatBrokenSrvCalls > 3 {
-			io.WriteString(w, MockUpdatesJSON)
-			return
-		}
-		w.Header().Add("Content-Length", "1000")
-	}))
-
-	queryServer := func(mockServer *httptest.Server) error {
-		c.Assert(mockServer, NotNil)
-		defer mockServer.Close()
+	sto := store.New(&cfg, nil)
 
-		mockServerURL, _ := url.Parse(mockServer.URL)
-		cfg := Config{
-			StoreBaseURL: mockServerURL,
-		}
-		authContext := &testAuthContext{c: c, device: s.device}
-		sto := New(&cfg, authContext)
+	// the store doesn't know the currency until after the first search, so fall back to dollars
+	c.Check(sto.SuggestedCurrency(), Equals, "USD")
 
-		_, err := sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-			SnapID:   helloWorldSnapID,
-			Channel:  "stable",
-			Revision: 1,
-		}}, nil, nil)
-		return err
+	// we should soon have a suggested currency
+	spec := store.SnapSpec{
+		Name: "hello-world",
 	}
+	result, err := sto.SnapInfo(spec, nil)
+	c.Assert(err, IsNil)
+	c.Assert(result, NotNil)
+	c.Check(sto.SuggestedCurrency(), Equals, "GBP")
 
-	// Check that we really recognize unexpected EOF error by failing on all retries
-	err := queryServer(mockPermanentlyBrokenServer)
-	c.Assert(err, NotNil)
-	c.Assert(err, Equals, io.ErrUnexpectedEOF)
-	c.Assert(err, ErrorMatches, "unexpected EOF")
-	// check that we exhausted all retries (as defined by mocked retry strategy)
-	c.Assert(permanentlyBrokenSrvCalls, Equals, 5)
+	suggestedCurrency = "EUR"
 
-	// Check that we retry on unexpected EOF and eventually succeed
-	err = queryServer(mockSomewhatBrokenServer)
+	// checking the currency updates
+	result, err = sto.SnapInfo(spec, nil)
 	c.Assert(err, IsNil)
-	// check that we retried 4 times
-	c.Assert(somewhatBrokenSrvCalls, Equals, 4)
+	c.Assert(result, NotNil)
+	c.Check(sto.SuggestedCurrency(), Equals, "EUR")
 }
 
-func (s *storeTestSuite) TestRefreshForCandidatesEOF(c *C) {
-	n := 0
-	var mockServer *httptest.Server
-	mockServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		n++
-		io.WriteString(w, "{")
-		mockServer.CloseClientConnections()
-		return
+func (s *storeTestSuite) TestDecorateOrders(c *C) {
+	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "GET", ordersPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+		c.Check(r.URL.Path, Equals, ordersPath)
+		io.WriteString(w, mockOrdersJSON)
 	}))
 
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+	c.Assert(mockPurchasesServer, NotNil)
+	defer mockPurchasesServer.Close()
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
-
-	_, err := sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: 1,
-	}}, nil, nil)
-	c.Assert(err, NotNil)
-	c.Assert(err, ErrorMatches, `^Post http://127.0.0.1:.*?/metadata: EOF$`)
-	c.Assert(n, Equals, 5)
-}
+	sto := store.New(&cfg, authContext)
 
-func (s *storeTestSuite) TestRefreshForCandidatesUnauthorised(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		n++
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-		w.WriteHeader(401)
-		io.WriteString(w, "")
-	}))
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
+	helloWorld.Prices = map[string]float64{"USD": 1.23}
+	helloWorld.Paid = true
 
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+	funkyApp := &snap.Info{}
+	funkyApp.SnapID = funkyAppSnapID
+	funkyApp.Prices = map[string]float64{"USD": 2.34}
+	funkyApp.Paid = true
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
+	otherApp := &snap.Info{}
+	otherApp.SnapID = "other"
+	otherApp.Prices = map[string]float64{"USD": 3.45}
+	otherApp.Paid = true
 
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	otherApp2 := &snap.Info{}
+	otherApp2.SnapID = "other2"
 
-	_, err := sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: 24,
-	}}, nil, nil)
-	c.Assert(n, Equals, 1)
-	c.Assert(err, ErrorMatches, `cannot query the store for updates: got unexpected HTTP status code 401 via POST to "http://.*?/metadata"`)
-}
+	snaps := []*snap.Info{helloWorld, funkyApp, otherApp, otherApp2}
 
-func (s *storeTestSuite) TestRefreshForCandidatesFailOnDNS(c *C) {
-	baseURL, err := url.Parse("http://nonexistingserver909123.com/")
+	err := sto.DecorateOrders(snaps, s.user)
 	c.Assert(err, IsNil)
-	cfg := Config{
-		StoreBaseURL: baseURL,
-	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
 
-	_, err = sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: 24,
-	}}, nil, nil)
-	// the error differs depending on whether a proxy is in use (e.g. on travis), so don't inspect error message
-	c.Assert(err, NotNil)
+	c.Check(helloWorld.MustBuy, Equals, false)
+	c.Check(funkyApp.MustBuy, Equals, false)
+	c.Check(otherApp.MustBuy, Equals, true)
+	c.Check(otherApp2.MustBuy, Equals, false)
 }
 
-func (s *storeTestSuite) TestRefreshForCandidates500(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		n++
-		w.WriteHeader(500)
+func (s *storeTestSuite) TestDecorateOrdersFailedAccess(c *C) {
+	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "GET", ordersPath)
+		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+		c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+		c.Check(r.URL.Path, Equals, ordersPath)
+		w.WriteHeader(401)
+		io.WriteString(w, "{}")
 	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	c.Assert(mockPurchasesServer, NotNil)
+	defer mockPurchasesServer.Close()
+
+	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, nil)
 
-	_, err := sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: 24,
-	}}, nil, nil)
-	c.Assert(err, ErrorMatches, `cannot query the store for updates: got unexpected HTTP status code 500 via POST to "http://.*?/metadata"`)
-	c.Assert(n, Equals, 5)
-}
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
+	helloWorld.Prices = map[string]float64{"USD": 1.23}
+	helloWorld.Paid = true
 
-func (s *storeTestSuite) TestRefreshForCandidates500DurationExceeded(c *C) {
-	n := 0
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		n++
-		time.Sleep(time.Duration(2) * time.Second)
-		w.WriteHeader(500)
-	}))
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+	funkyApp := &snap.Info{}
+	funkyApp.SnapID = funkyAppSnapID
+	funkyApp.Prices = map[string]float64{"USD": 2.34}
+	funkyApp.Paid = true
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
-	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	otherApp := &snap.Info{}
+	otherApp.SnapID = "other"
+	otherApp.Prices = map[string]float64{"USD": 3.45}
+	otherApp.Paid = true
 
-	_, err := sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: 24,
-	}}, nil, nil)
-	c.Assert(err, ErrorMatches, `cannot query the store for updates: got unexpected HTTP status code 500 via POST to "http://.*?/metadata"`)
-	c.Assert(n, Equals, 1)
-}
+	otherApp2 := &snap.Info{}
+	otherApp2.SnapID = "other2"
 
-func (s *storeTestSuite) TestAcceptableUpdateWorks(c *C) {
-	c.Check(acceptableUpdate(&snapDetails{Revision: 42}, &RefreshCandidate{Revision: snap.R("1")}), Equals, true)
-}
-func (s *storeTestSuite) TestAcceptableUpdateSkipsCurrent(c *C) {
-	c.Check(acceptableUpdate(&snapDetails{Revision: 42}, &RefreshCandidate{Revision: snap.R("42")}), Equals, false)
-}
-func (s *storeTestSuite) TestAcceptableUpdateSkipsBlocked(c *C) {
-	c.Check(acceptableUpdate(&snapDetails{Revision: 42}, &RefreshCandidate{Revision: snap.R("1"), Block: []snap.Revision{snap.R("42")}}), Equals, false)
-}
-func (s *storeTestSuite) TestAcceptableUpdateSkipsBoth(c *C) {
-	// belts-and-suspenders
-	c.Check(acceptableUpdate(&snapDetails{Revision: 42}, &RefreshCandidate{Revision: snap.R("42"), Block: []snap.Revision{snap.R("42")}}), Equals, false)
-}
+	snaps := []*snap.Info{helloWorld, funkyApp, otherApp, otherApp2}
 
-func (s *storeTestSuite) TestListRefreshSkipCurrent(c *C) {
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
-		var resp struct {
-			Snaps []map[string]interface{} `json:"snaps"`
-		}
+	err := sto.DecorateOrders(snaps, s.user)
+	c.Assert(err, NotNil)
 
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
+	c.Check(helloWorld.MustBuy, Equals, true)
+	c.Check(funkyApp.MustBuy, Equals, true)
+	c.Check(otherApp.MustBuy, Equals, true)
+	c.Check(otherApp2.MustBuy, Equals, false)
+}
 
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":     helloWorldSnapID,
-			"channel":     "stable",
-			"revision":    float64(26),
-			"epoch":       "0",
-			"confinement": "",
-		})
+func (s *storeTestSuite) TestDecorateOrdersNoAuth(c *C) {
+	cfg := store.Config{}
+	sto := store.New(&cfg, nil)
 
-		io.WriteString(w, MockUpdatesJSON)
-	}))
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
+	helloWorld.Prices = map[string]float64{"USD": 1.23}
+	helloWorld.Paid = true
 
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+	funkyApp := &snap.Info{}
+	funkyApp.SnapID = funkyAppSnapID
+	funkyApp.Prices = map[string]float64{"USD": 2.34}
+	funkyApp.Paid = true
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
-	sto := New(&cfg, nil)
+	otherApp := &snap.Info{}
+	otherApp.SnapID = "other"
+	otherApp.Prices = map[string]float64{"USD": 3.45}
+	otherApp.Paid = true
 
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(26),
-	}}, nil, nil)
-	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 0)
-}
+	otherApp2 := &snap.Info{}
+	otherApp2.SnapID = "other2"
 
-func (s *storeTestSuite) TestListRefreshSkipBlocked(c *C) {
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
+	snaps := []*snap.Info{helloWorld, funkyApp, otherApp, otherApp2}
 
-		var resp struct {
-			Snaps []map[string]interface{} `json:"snaps"`
-		}
+	err := sto.DecorateOrders(snaps, nil)
+	c.Assert(err, IsNil)
 
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
+	c.Check(helloWorld.MustBuy, Equals, true)
+	c.Check(funkyApp.MustBuy, Equals, true)
+	c.Check(otherApp.MustBuy, Equals, true)
+	c.Check(otherApp2.MustBuy, Equals, false)
+}
 
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":     helloWorldSnapID,
-			"channel":     "stable",
-			"revision":    float64(25),
-			"epoch":       "0",
-			"confinement": "",
-		})
+func (s *storeTestSuite) TestDecorateOrdersAllFree(c *C) {
+	requestRecieved := false
 
-		io.WriteString(w, MockUpdatesJSON)
+	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Error(r.URL.Path)
+		c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+		requestRecieved = true
+		io.WriteString(w, `{"orders": []}`)
 	}))
 
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+	c.Assert(mockPurchasesServer, NotNil)
+	defer mockPurchasesServer.Close()
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
 
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(25),
-		Block:    []snap.Revision{snap.R(26)},
-	}}, nil, nil)
+	sto := store.New(&cfg, nil)
+
+	// This snap is free
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
+
+	// This snap is also free
+	funkyApp := &snap.Info{}
+	funkyApp.SnapID = funkyAppSnapID
+
+	snaps := []*snap.Info{helloWorld, funkyApp}
+
+	// There should be no request to the purchase server.
+	err := sto.DecorateOrders(snaps, s.user)
 	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 0)
+	c.Check(requestRecieved, Equals, false)
 }
 
-/* XXX Currently this is just MockUpdatesJSON with the deltas that we're
-planning to add to the stores /api/v1/snaps/metadata response.
-*/
-var MockUpdatesWithDeltasJSON = `
-{
-    "_embedded": {
-        "clickindex:package": [
-            {
-                "anon_download_url": "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_26.snap",
-                "architecture": [
-                    "all"
-                ],
-                "binary_filesize": 20480,
-                "channel": "stable",
-                "confinement": "strict",
-                "content": "application",
-                "description": "This is a simple hello world example.",
-                "developer_id": "canonical",
-                "download_sha512": "345f33c06373f799b64c497a778ef58931810dd7ae85279d6917d8b4f43d38abaf37e68239cb85914db276cb566a0ef83ea02b6f2fd064b54f9f2508fa4ca1f1",
-                "download_url": "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_26.snap",
-                "icon_url": "https://myapps.developer.ubuntu.com/site_media/appmedia/2015/03/hello.svg_NZLfWbh.png",
-                "last_updated": "2016-05-31T07:02:32.586839Z",
-                "license": "GPL-3.0",
-                "origin": "canonical",
-                "package_name": "hello-world",
-                "prices": {},
-                "publisher": "Canonical",
-                "ratings_average": 0.0,
-                "revision": 26,
-                "snap_id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
-                "summary": "Hello world example",
-                "support_url": "mailto:snappy-devel@lists.ubuntu.com",
-                "title": "Hello World",
-                "version": "6.1",
-                "deltas": [{
-                    "from_revision": 24,
-                    "to_revision": 25,
-                    "format": "xdelta3",
-                    "binary_filesize": 204,
-                    "download_sha3_384": "sha3_384_hash",
-                    "anon_download_url": "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_24_25_xdelta3.delta",
-                    "download_url": "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_24_25_xdelta3.delta"
-                }, {
-                    "from_revision": 25,
-                    "to_revision": 26,
-                    "format": "xdelta3",
-                    "binary_filesize": 206,
-                    "download_sha3_384": "sha3_384_hash",
-                    "anon_download_url": "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_25_26_xdelta3.delta",
-                    "download_url": "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_25_26_xdelta3.delta"
-                }]
-            }
-        ]
-    }
-}
-`
+func (s *storeTestSuite) TestDecorateOrdersSingle(c *C) {
+	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+		c.Check(r.URL.Path, Equals, ordersPath)
+		io.WriteString(w, mockSingleOrderJSON)
+	}))
 
-func (s *storeTestSuite) TestDefaultsDeltasOnClassicOnly(c *C) {
-	for _, t := range []struct {
-		onClassic      bool
-		deltaFormatStr string
-	}{
-		{false, ""},
-		{true, "xdelta3"},
-	} {
-		restore := release.MockOnClassic(t.onClassic)
-		defer restore()
+	c.Assert(mockPurchasesServer, NotNil)
+	defer mockPurchasesServer.Close()
 
-		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			assertRequest(c, r, "POST", metadataPath)
-			c.Check(r.Header.Get("X-Ubuntu-Delta-Formats"), Equals, t.deltaFormatStr)
-		}))
-		defer mockServer.Close()
+	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	sto := store.New(&cfg, authContext)
 
-		mockServerURL, _ := url.Parse(mockServer.URL)
-		cfg := Config{
-			StoreBaseURL: mockServerURL,
-		}
-		sto := New(&cfg, nil)
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
+	helloWorld.Prices = map[string]float64{"USD": 1.23}
+	helloWorld.Paid = true
 
-		sto.refreshForCandidates(context.TODO(), []*currentSnapJSON{{
-			SnapID:   helloWorldSnapID,
-			Channel:  "stable",
-			Revision: 1,
-		}}, nil, nil)
-	}
+	snaps := []*snap.Info{helloWorld}
+
+	err := sto.DecorateOrders(snaps, s.user)
+	c.Assert(err, IsNil)
+	c.Check(helloWorld.MustBuy, Equals, false)
 }
 
-func (s *storeTestSuite) TestListRefreshWithDeltas(c *C) {
-	origUseDeltas := os.Getenv("SNAPD_USE_DELTAS_EXPERIMENTAL")
-	defer os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", origUseDeltas)
-	c.Assert(os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", "1"), IsNil)
+func (s *storeTestSuite) TestDecorateOrdersSingleFreeSnap(c *C) {
+	cfg := store.Config{}
+	sto := store.New(&cfg, nil)
 
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		c.Check(r.Header.Get("X-Ubuntu-Delta-Formats"), Equals, `xdelta3`)
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
 
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
+	snaps := []*snap.Info{helloWorld}
 
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":     helloWorldSnapID,
-			"channel":     "stable",
-			"revision":    float64(24),
-			"epoch":       "0",
-			"confinement": "",
-		})
-		c.Assert(resp.Fields, DeepEquals, getStructFields(snapDetails{}, "snap_yaml_raw"))
+	err := sto.DecorateOrders(snaps, s.user)
+	c.Assert(err, IsNil)
+	c.Check(helloWorld.MustBuy, Equals, false)
+}
 
-		io.WriteString(w, MockUpdatesWithDeltasJSON)
+func (s *storeTestSuite) TestDecorateOrdersSingleNotFound(c *C) {
+	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "GET", ordersPath)
+		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+		c.Check(r.URL.Path, Equals, ordersPath)
+		w.WriteHeader(404)
+		io.WriteString(w, "{}")
 	}))
 
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+	c.Assert(mockPurchasesServer, NotNil)
+	defer mockPurchasesServer.Close()
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
-
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(24),
-	}}, nil, nil)
-	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Deltas, HasLen, 2)
-	c.Assert(results[0].Deltas[0], Equals, snap.DeltaInfo{
-		FromRevision:    24,
-		ToRevision:      25,
-		Format:          "xdelta3",
-		AnonDownloadURL: "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_24_25_xdelta3.delta",
-		DownloadURL:     "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_24_25_xdelta3.delta",
-		Size:            204,
-		Sha3_384:        "sha3_384_hash",
-	})
-	c.Assert(results[0].Deltas[1], Equals, snap.DeltaInfo{
-		FromRevision:    25,
-		ToRevision:      26,
-		Format:          "xdelta3",
-		AnonDownloadURL: "https://public.apps.ubuntu.com/anon/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_25_26_xdelta3.delta",
-		DownloadURL:     "https://public.apps.ubuntu.com/download-snap/buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ_25_26_xdelta3.delta",
-		Size:            206,
-		Sha3_384:        "sha3_384_hash",
-	})
-}
-
-func (s *storeTestSuite) TestListRefreshWithoutDeltas(c *C) {
-	// Verify the X-Delta-Format header is not set.
-	origUseDeltas := os.Getenv("SNAPD_USE_DELTAS_EXPERIMENTAL")
-	defer os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", origUseDeltas)
-	c.Assert(os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", "0"), IsNil)
+	sto := store.New(&cfg, authContext)
 
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "POST", metadataPath)
-		c.Check(r.Header.Get("X-Ubuntu-Delta-Formats"), Equals, ``)
-		jsonReq, err := ioutil.ReadAll(r.Body)
-		c.Assert(err, IsNil)
-		var resp struct {
-			Snaps  []map[string]interface{} `json:"snaps"`
-			Fields []string                 `json:"fields"`
-		}
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
+	helloWorld.Prices = map[string]float64{"USD": 1.23}
+	helloWorld.Paid = true
 
-		err = json.Unmarshal(jsonReq, &resp)
-		c.Assert(err, IsNil)
+	snaps := []*snap.Info{helloWorld}
 
-		c.Assert(resp.Snaps, HasLen, 1)
-		c.Assert(resp.Snaps[0], DeepEquals, map[string]interface{}{
-			"snap_id":     helloWorldSnapID,
-			"channel":     "stable",
-			"revision":    float64(24),
-			"epoch":       "0",
-			"confinement": "",
-		})
-		c.Assert(resp.Fields, DeepEquals, detailFields)
+	err := sto.DecorateOrders(snaps, s.user)
+	c.Assert(err, NotNil)
+	c.Check(helloWorld.MustBuy, Equals, true)
+}
 
-		io.WriteString(w, MockUpdatesJSON)
+func (s *storeTestSuite) TestDecorateOrdersTokenExpired(c *C) {
+	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+		c.Check(r.URL.Path, Equals, ordersPath)
+		w.WriteHeader(401)
+		io.WriteString(w, "")
 	}))
 
-	c.Assert(mockServer, NotNil)
-	defer mockServer.Close()
+	c.Assert(mockPurchasesServer, NotNil)
+	defer mockPurchasesServer.Close()
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, authContext)
 
-	results, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{{
-		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(24),
-	}}, nil, nil)
-	c.Assert(err, IsNil)
-	c.Assert(results, HasLen, 1)
-	c.Assert(results[0].Deltas, HasLen, 0)
+	helloWorld := &snap.Info{}
+	helloWorld.SnapID = helloWorldSnapID
+	helloWorld.Prices = map[string]float64{"USD": 1.23}
+	helloWorld.Paid = true
+
+	snaps := []*snap.Info{helloWorld}
+
+	err := sto.DecorateOrders(snaps, s.user)
+	c.Assert(err, NotNil)
+	c.Check(helloWorld.MustBuy, Equals, true)
+}
+
+func (s *storeTestSuite) TestMustBuy(c *C) {
+	// Never need to buy a free snap.
+	c.Check(store.MustBuy(false, true), Equals, false)
+	c.Check(store.MustBuy(false, false), Equals, false)
+
+	// Don't need to buy snaps that have been bought.
+	c.Check(store.MustBuy(true, true), Equals, false)
+
+	// Need to buy snaps that aren't bought.
+	c.Check(store.MustBuy(true, false), Equals, true)
+}
+
+var buyTests = []struct {
+	suggestedCurrency string
+	expectedInput     string
+	buyStatus         int
+	buyResponse       string
+	buyErrorMessage   string
+	buyErrorCode      string
+	snapID            string
+	price             float64
+	currency          string
+	expectedResult    *client.BuyResult
+	expectedError     string
+}{
+	{
+		// successful buying
+		suggestedCurrency: "EUR",
+		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"0.99","currency":"EUR"}`,
+		buyResponse:       mockOrderResponseJSON,
+		expectedResult:    &client.BuyResult{State: "Complete"},
+	},
+	{
+		// failure due to invalid price
+		suggestedCurrency: "USD",
+		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"5.99","currency":"USD"}`,
+		buyStatus:         400,
+		buyErrorCode:      "invalid-field",
+		buyErrorMessage:   "invalid price specified",
+		price:             5.99,
+		expectedError:     "cannot buy snap: bad request: invalid price specified",
+	},
+	{
+		// failure due to unknown snap ID
+		suggestedCurrency: "USD",
+		expectedInput:     `{"snap_id":"invalid snap ID","amount":"0.99","currency":"EUR"}`,
+		buyStatus:         404,
+		buyErrorCode:      "not-found",
+		buyErrorMessage:   "Snap package not found",
+		snapID:            "invalid snap ID",
+		price:             0.99,
+		currency:          "EUR",
+		expectedError:     "cannot buy snap: server says not found: Snap package not found",
+	},
+	{
+		// failure due to "Purchase failed"
+		suggestedCurrency: "USD",
+		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"1.23","currency":"USD"}`,
+		buyStatus:         402, // Payment Required
+		buyErrorCode:      "request-failed",
+		buyErrorMessage:   "Purchase failed",
+		expectedError:     "payment declined",
+	},
+	{
+		// failure due to no payment methods
+		suggestedCurrency: "USD",
+		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"1.23","currency":"USD"}`,
+		buyStatus:         403,
+		buyErrorCode:      "no-payment-methods",
+		buyErrorMessage:   "No payment methods associated with your account.",
+		expectedError:     "no payment methods",
+	},
+	{
+		// failure due to terms of service not accepted
+		suggestedCurrency: "USD",
+		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"1.23","currency":"USD"}`,
+		buyStatus:         403,
+		buyErrorCode:      "tos-not-accepted",
+		buyErrorMessage:   "You must accept the latest terms of service first.",
+		expectedError:     "terms of service not accepted",
+	},
 }
 
-func (s *storeTestSuite) TestUpdateNotSendLocalRevs(c *C) {
+func (s *storeTestSuite) TestBuy500(c *C) {
+	n := 0
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		c.Error(r.URL.Path)
-		c.Fatal("no network request expected")
+		switch r.URL.Path {
+		case detailsPath("hello-world"):
+			n++
+			w.WriteHeader(500)
+		case buyPath:
+		case customersMePath:
+			// default 200 response
+		default:
+			c.Fatalf("unexpected query %s %s", r.Method, r.URL.Path)
+		}
 	}))
-
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
+	sto := store.New(&cfg, authContext)
 
-	_, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{{
+	buyOptions := &client.BuyOptions{
 		SnapID:   helloWorldSnapID,
-		Channel:  "stable",
-		Revision: snap.R(-2),
-	}}, nil, nil)
-	c.Assert(err, IsNil)
-}
-
-func (s *storeTestSuite) TestListRefreshOptions(c *C) {
-	for _, t := range []struct {
-		flag   *RefreshOptions
-		header string
-	}{
-		{nil, ""},
-		{&RefreshOptions{RefreshManaged: true}, "X-Ubuntu-Refresh-Managed"},
-	} {
-
-		mockServerHit := false
-		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			assertRequest(c, r, "POST", metadataPath)
-			if t.header != "" {
-				c.Check(r.Header.Get(t.header), Equals, "true")
-			}
-			mockServerHit = true
-			io.WriteString(w, `{}`)
-		}))
-
-		c.Assert(mockServer, NotNil)
-		defer mockServer.Close()
-
-		mockServerURL, _ := url.Parse(mockServer.URL)
-		cfg := Config{
-			StoreBaseURL: mockServerURL,
-		}
-		sto := New(&cfg, nil)
-
-		_, err := sto.ListRefresh(context.TODO(), []*RefreshCandidate{{
-			SnapID:   helloWorldSnapID,
-			Channel:  "stable",
-			Revision: snap.R(24),
-		}}, nil, t.flag)
-		c.Assert(err, IsNil)
-		c.Check(mockServerHit, Equals, true)
-	}
-}
-
-func (s *storeTestSuite) TestStructFieldsSurvivesNoTag(c *C) {
-	type aStruct struct {
-		Foo int `json:"hello"`
-		Bar int
+		Currency: "USD",
+		Price:    1,
 	}
-	c.Assert(getStructFields(aStruct{}), DeepEquals, []string{"hello"})
+	_, err := sto.Buy(buyOptions, s.user)
+	c.Assert(err, NotNil)
 }
 
-func (s *storeTestSuite) TestAuthLocationDependsOnEnviron(c *C) {
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
-	before := authLocation()
-
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
-	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
-	after := authLocation()
-
-	c.Check(before, Not(Equals), after)
+func (s *storeTestSuite) TestBuy(c *C) {
+	for _, test := range buyTests {
+		searchServerCalled := false
+		purchaseServerGetCalled := false
+		purchaseServerPostCalled := false
+		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch r.URL.Path {
+			case infoPath("hello-world"):
+				c.Assert(r.Method, Equals, "GET")
+				w.Header().Set("Content-Type", "application/json")
+				w.Header().Set("X-Suggested-Currency", test.suggestedCurrency)
+				w.WriteHeader(200)
+				io.WriteString(w, mockInfoJSON)
+				searchServerCalled = true
+			case ordersPath:
+				c.Assert(r.Method, Equals, "GET")
+				c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+				c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+				c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+				io.WriteString(w, `{"orders": []}`)
+				purchaseServerGetCalled = true
+			case buyPath:
+				c.Assert(r.Method, Equals, "POST")
+				// check device authorization is set, implicitly checking doRequest was used
+				c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+				c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+				c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+				c.Check(r.Header.Get("Content-Type"), Equals, store.JsonContentType)
+				c.Check(r.URL.Path, Equals, buyPath)
+				jsonReq, err := ioutil.ReadAll(r.Body)
+				c.Assert(err, IsNil)
+				c.Check(string(jsonReq), Equals, test.expectedInput)
+				if test.buyErrorCode == "" {
+					io.WriteString(w, test.buyResponse)
+				} else {
+					w.WriteHeader(test.buyStatus)
+					// TODO(matt): this is fugly!
+					fmt.Fprintf(w, `
+{
+	"error_list": [
+		{
+			"code": "%s",
+			"message": "%s"
+		}
+	]
+}`, test.buyErrorCode, test.buyErrorMessage)
+				}
+
+				purchaseServerPostCalled = true
+			default:
+				c.Fatalf("unexpected query %s %s", r.Method, r.URL.Path)
+			}
+		}))
+		c.Assert(mockServer, NotNil)
+		defer mockServer.Close()
+
+		mockServerURL, _ := url.Parse(mockServer.URL)
+		authContext := &testAuthContext{c: c, device: s.device, user: s.user}
+		cfg := store.Config{
+			StoreBaseURL: mockServerURL,
+		}
+		sto := store.New(&cfg, authContext)
+
+		// Find the snap first
+		spec := store.SnapSpec{
+			Name: "hello-world",
+		}
+		snap, err := sto.SnapInfo(spec, s.user)
+		c.Assert(snap, NotNil)
+		c.Assert(err, IsNil)
+
+		buyOptions := &client.BuyOptions{
+			SnapID:   snap.SnapID,
+			Currency: sto.SuggestedCurrency(),
+			Price:    snap.Prices[sto.SuggestedCurrency()],
+		}
+		if test.snapID != "" {
+			buyOptions.SnapID = test.snapID
+		}
+		if test.currency != "" {
+			buyOptions.Currency = test.currency
+		}
+		if test.price > 0 {
+			buyOptions.Price = test.price
+		}
+		result, err := sto.Buy(buyOptions, s.user)
+
+		c.Check(result, DeepEquals, test.expectedResult)
+		if test.expectedError == "" {
+			c.Check(err, IsNil)
+		} else {
+			c.Assert(err, NotNil)
+			c.Check(err.Error(), Equals, test.expectedError)
+		}
+
+		c.Check(searchServerCalled, Equals, true)
+		c.Check(purchaseServerGetCalled, Equals, true)
+		c.Check(purchaseServerPostCalled, Equals, true)
+	}
+}
+
+func (s *storeTestSuite) TestBuyFailArgumentChecking(c *C) {
+	sto := store.New(&store.Config{}, nil)
+
+	// no snap ID
+	result, err := sto.Buy(&client.BuyOptions{
+		Price:    1.0,
+		Currency: "USD",
+	}, s.user)
+	c.Assert(result, IsNil)
+	c.Assert(err, NotNil)
+	c.Check(err.Error(), Equals, "cannot buy snap: snap ID missing")
+
+	// no price
+	result, err = sto.Buy(&client.BuyOptions{
+		SnapID:   "snap ID",
+		Currency: "USD",
+	}, s.user)
+	c.Assert(result, IsNil)
+	c.Assert(err, NotNil)
+	c.Check(err.Error(), Equals, "cannot buy snap: invalid expected price")
+
+	// no currency
+	result, err = sto.Buy(&client.BuyOptions{
+		SnapID: "snap ID",
+		Price:  1.0,
+	}, s.user)
+	c.Assert(result, IsNil)
+	c.Assert(err, NotNil)
+	c.Check(err.Error(), Equals, "cannot buy snap: currency missing")
+
+	// no user
+	result, err = sto.Buy(&client.BuyOptions{
+		SnapID:   "snap ID",
+		Price:    1.0,
+		Currency: "USD",
+	}, nil)
+	c.Assert(result, IsNil)
+	c.Assert(err, NotNil)
+	c.Check(err.Error(), Equals, "you need to log in first")
+}
+
+var readyToBuyTests = []struct {
+	Input      func(w http.ResponseWriter)
+	Test       func(c *C, err error)
+	NumOfCalls int
+}{
+	{
+		// A user account the is ready for buying
+		Input: func(w http.ResponseWriter) {
+			io.WriteString(w, `
+{
+  "latest_tos_date": "2016-09-14T00:00:00+00:00",
+  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
+  "latest_tos_accepted": true,
+  "has_payment_method": true
+}
+`)
+		},
+		Test: func(c *C, err error) {
+			c.Check(err, IsNil)
+		},
+		NumOfCalls: 1,
+	},
+	{
+		// A user account that hasn't accepted the TOS
+		Input: func(w http.ResponseWriter) {
+			io.WriteString(w, `
+{
+  "latest_tos_date": "2016-10-14T00:00:00+00:00",
+  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
+  "latest_tos_accepted": false,
+  "has_payment_method": true
+}
+`)
+		},
+		Test: func(c *C, err error) {
+			c.Assert(err, NotNil)
+			c.Check(err.Error(), Equals, "terms of service not accepted")
+		},
+		NumOfCalls: 1,
+	},
+	{
+		// A user account that has no payment method
+		Input: func(w http.ResponseWriter) {
+			io.WriteString(w, `
+{
+  "latest_tos_date": "2016-10-14T00:00:00+00:00",
+  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
+  "latest_tos_accepted": true,
+  "has_payment_method": false
+}
+`)
+		},
+		Test: func(c *C, err error) {
+			c.Assert(err, NotNil)
+			c.Check(err.Error(), Equals, "no payment methods")
+		},
+		NumOfCalls: 1,
+	},
+	{
+		// A user account that has no payment method and has not accepted the TOS
+		Input: func(w http.ResponseWriter) {
+			io.WriteString(w, `
+{
+  "latest_tos_date": "2016-10-14T00:00:00+00:00",
+  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
+  "latest_tos_accepted": false,
+  "has_payment_method": false
+}
+`)
+		},
+		Test: func(c *C, err error) {
+			c.Assert(err, NotNil)
+			c.Check(err.Error(), Equals, "no payment methods")
+		},
+		NumOfCalls: 1,
+	},
+	{
+		// No user account exists
+		Input: func(w http.ResponseWriter) {
+			w.WriteHeader(404)
+			io.WriteString(w, "{}")
+		},
+		Test: func(c *C, err error) {
+			c.Assert(err, NotNil)
+			c.Check(err.Error(), Equals, "cannot get customer details: server says no account exists")
+		},
+		NumOfCalls: 1,
+	},
+	{
+		// An unknown set of errors occurs
+		Input: func(w http.ResponseWriter) {
+			w.WriteHeader(500)
+			io.WriteString(w, `
+{
+	"error_list": [
+		{
+			"code": "code 1",
+			"message": "message 1"
+		},
+		{
+			"code": "code 2",
+			"message": "message 2"
+		}
+	]
+}`)
+		},
+		Test: func(c *C, err error) {
+			c.Assert(err, NotNil)
+			c.Check(err.Error(), Equals, `message 1`)
+		},
+		NumOfCalls: 5,
+	},
+}
+
+func (s *storeTestSuite) TestReadyToBuy(c *C) {
+	for _, test := range readyToBuyTests {
+		purchaseServerGetCalled := 0
+		mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			assertRequest(c, r, "GET", customersMePath)
+			switch r.Method {
+			case "GET":
+				// check device authorization is set, implicitly checking doRequest was used
+				c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+				c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
+				c.Check(r.Header.Get("Accept"), Equals, store.JsonContentType)
+				c.Check(r.URL.Path, Equals, customersMePath)
+				test.Input(w)
+				purchaseServerGetCalled++
+			default:
+				c.Error("Unexpected request method: ", r.Method)
+			}
+		}))
+
+		c.Assert(mockPurchasesServer, NotNil)
+		defer mockPurchasesServer.Close()
+
+		mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+		authContext := &testAuthContext{c: c, device: s.device, user: s.user}
+		cfg := store.Config{
+			StoreBaseURL: mockServerURL,
+		}
+		sto := store.New(&cfg, authContext)
+
+		err := sto.ReadyToBuy(s.user)
+		test.Test(c, err)
+		c.Check(purchaseServerGetCalled, Equals, test.NumOfCalls)
+	}
+}
+
+func (s *storeTestSuite) TestDoRequestSetRangeHeaderOnRedirect(c *C) {
+	n := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0:
+			http.Redirect(w, r, r.URL.Path+"-else", 302)
+			n++
+		case 1:
+			c.Check(r.URL.Path, Equals, "/somewhere-else")
+			rg := r.Header.Get("Range")
+			c.Check(rg, Equals, "bytes=5-")
+		default:
+			panic("got more than 2 requests in this test")
+		}
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	url, err := url.Parse(mockServer.URL + "/somewhere")
+	c.Assert(err, IsNil)
+	reqOptions := store.NewRequestOptions("GET", url)
+	reqOptions.ExtraHeaders = map[string]string{
+		"Range": "bytes=5-",
+	}
+
+	sto := store.New(&store.Config{}, nil)
+	_, err = sto.DoRequest(context.TODO(), sto.Client(), reqOptions, s.user)
+	c.Assert(err, IsNil)
+}
+
+type cacheObserver struct {
+	inCache map[string]bool
+
+	gets []string
+	puts []string
+}
+
+func (co *cacheObserver) Get(cacheKey, targetPath string) error {
+	co.gets = append(co.gets, fmt.Sprintf("%s:%s", cacheKey, targetPath))
+	if !co.inCache[cacheKey] {
+		return fmt.Errorf("cannot find %s in cache", cacheKey)
+	}
+	return nil
+}
+func (co *cacheObserver) Put(cacheKey, sourcePath string) error {
+	co.puts = append(co.puts, fmt.Sprintf("%s:%s", cacheKey, sourcePath))
+	return nil
+}
+
+func (s *storeTestSuite) TestDownloadCacheHit(c *C) {
+	obs := &cacheObserver{inCache: map[string]bool{"the-snaps-sha3_384": true}}
+	restore := s.store.MockCacher(obs)
+	defer restore()
+
+	restore = store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
+		c.Fatalf("download should not be called when results come from the cache")
+		return nil
+	})
+	defer restore()
+
+	snap := &snap.Info{}
+	snap.Sha3_384 = "the-snaps-sha3_384"
+
+	path := filepath.Join(c.MkDir(), "downloaded-file")
+	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil, nil)
+	c.Assert(err, IsNil)
+
+	c.Check(obs.gets, DeepEquals, []string{fmt.Sprintf("%s:%s", snap.Sha3_384, path)})
+	c.Check(obs.puts, IsNil)
+}
+
+func (s *storeTestSuite) TestDownloadCacheMiss(c *C) {
+	obs := &cacheObserver{inCache: map[string]bool{}}
+	restore := s.store.MockCacher(obs)
+	defer restore()
+
+	downloadWasCalled := false
+	restore = store.MockDownload(func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *store.Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter, dlOpts *store.DownloadOptions) error {
+		downloadWasCalled = true
+		return nil
+	})
+	defer restore()
+
+	snap := &snap.Info{}
+	snap.Sha3_384 = "the-snaps-sha3_384"
+
+	path := filepath.Join(c.MkDir(), "downloaded-file")
+	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil, nil)
+	c.Assert(err, IsNil)
+	c.Check(downloadWasCalled, Equals, true)
+
+	c.Check(obs.gets, DeepEquals, []string{fmt.Sprintf("the-snaps-sha3_384:%s", path)})
+	c.Check(obs.puts, DeepEquals, []string{fmt.Sprintf("the-snaps-sha3_384:%s", path)})
+}
+
+var (
+	helloRefreshedDateStr = "2018-02-27T11:00:00Z"
+	helloRefreshedDate    time.Time
+)
+
+func init() {
+	t, err := time.Parse(time.RFC3339, helloRefreshedDateStr)
+	if err != nil {
+		panic(err)
+	}
+	helloRefreshedDate = t
+}
+
+func (s *storeTestSuite) TestSnapAction(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		c.Check(r.Header.Get("Snap-Refresh-Managed"), Equals, "")
+
+		// no store ID by default
+		storeID := r.Header.Get("Snap-Device-Store")
+		c.Check(storeID, Equals, "")
+
+		c.Check(r.Header.Get("Snap-Device-Series"), Equals, release.Series)
+		c.Check(r.Header.Get("Snap-Device-Architecture"), Equals, arch.UbuntuArchitecture())
+		c.Check(r.Header.Get("Snap-Classic"), Equals, "false")
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Fields  []string                 `json:"fields"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Check(req.Fields, DeepEquals, store.SnapActionFields)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "beta",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "epoch": {"read": [0], "write": [0]},
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "beta",
+			Revision:        snap.R(1),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+		},
+	}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
+	c.Assert(results[0].Version, Equals, "6.1")
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Assert(results[0].Publisher.ID, Equals, helloWorldDeveloperID)
+	c.Assert(results[0].Deltas, HasLen, 0)
+	c.Assert(results[0].Epoch, DeepEquals, snap.E("0"))
+}
+
+func (s *storeTestSuite) TestSnapActionNonZeroEpochAndEpochBump(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	numReqs := 0
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		numReqs++
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		c.Check(r.Header.Get("Snap-Refresh-Managed"), Equals, "")
+
+		// no store ID by default
+		storeID := r.Header.Get("Snap-Device-Store")
+		c.Check(storeID, Equals, "")
+
+		c.Check(r.Header.Get("Snap-Device-Series"), Equals, release.Series)
+		c.Check(r.Header.Get("Snap-Device-Architecture"), Equals, arch.UbuntuArchitecture())
+		c.Check(r.Header.Get("Snap-Classic"), Equals, "false")
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Fields  []string                 `json:"fields"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Check(req.Fields, DeepEquals, store.SnapActionFields)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "beta",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iFiveStarEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "epoch": {"read": [5, 6], "write": [6]},
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "beta",
+			Revision:        snap.R(1),
+			RefreshedDate:   helloRefreshedDate,
+			Epoch:           snap.E("5*"),
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+		},
+	}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
+	c.Assert(results[0].Version, Equals, "6.1")
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Assert(results[0].Publisher.ID, Equals, helloWorldDeveloperID)
+	c.Assert(results[0].Deltas, HasLen, 0)
+	c.Assert(results[0].Epoch, DeepEquals, snap.E("6*"))
+
+	c.Assert(numReqs, Equals, 1) // should be >1 soon :-)
+}
+
+func (s *storeTestSuite) TestSnapActionNoResults(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "beta",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 0)
+		io.WriteString(w, `{
+  "results": []
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "beta",
+			Revision:        snap.R(1),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, nil, nil, nil)
+	c.Check(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{NoResults: true})
+
+	// local no-op
+	results, err = sto.SnapAction(context.TODO(), nil, nil, nil, nil)
+	c.Check(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{NoResults: true})
+
+	c.Check(err.Error(), Equals, "no install/refresh information results from the store")
+}
+
+func (s *storeTestSuite) TestSnapActionRefreshedDateIsOptional(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":      helloWorldSnapID,
+			"instance-key": helloWorldSnapID,
+
+			"revision":         float64(1),
+			"tracking-channel": "beta",
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 0)
+		io.WriteString(w, `{
+  "results": []
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "beta",
+			Revision:        snap.R(1),
+		},
+	}, nil, nil, nil)
+	c.Check(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{NoResults: true})
+}
+
+func (s *storeTestSuite) TestSnapActionSkipBlocked(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+			"channel":      "stable",
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(1),
+			RefreshedDate:   helloRefreshedDate,
+			Block:           []snap.Revision{snap.R(26)},
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+			Channel:      "stable",
+		},
+	}, nil, nil)
+	c.Assert(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{
+		Refresh: map[string]error{
+			"hello-world": store.ErrNoUpdateAvailable,
+		},
+	})
+}
+
+func (s *storeTestSuite) TestSnapActionSkipCurrent(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+			"channel":      "stable",
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+			Channel:      "stable",
+		},
+	}, nil, nil)
+	c.Assert(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{
+		Refresh: map[string]error{
+			"hello-world": store.ErrNoUpdateAvailable,
+		},
+	})
+}
+
+func (s *storeTestSuite) TestSnapActionRetryOnEOF(c *C) {
+	n := 0
+	var mockServer *httptest.Server
+	mockServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		n++
+		if n < 4 {
+			io.WriteString(w, "{")
+			mockServer.CloseClientConnections()
+			return
+		}
+
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err := json.NewDecoder(r.Body).Decode(&req)
+		c.Assert(err, IsNil)
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Actions, HasLen, 1)
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(1),
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+			Channel:      "stable",
+		},
+	}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(n, Equals, 4)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+}
+
+func (s *storeTestSuite) TestSnapActionIgnoreValidation(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":           helloWorldSnapID,
+			"instance-key":      helloWorldSnapID,
+			"revision":          float64(1),
+			"tracking-channel":  "stable",
+			"refreshed-date":    helloRefreshedDateStr,
+			"ignore-validation": true,
+			"epoch":             iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":            "refresh",
+			"instance-key":      helloWorldSnapID,
+			"snap-id":           helloWorldSnapID,
+			"channel":           "stable",
+			"ignore-validation": false,
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:     "hello-world",
+			SnapID:           helloWorldSnapID,
+			TrackingChannel:  "stable",
+			Revision:         snap.R(1),
+			RefreshedDate:    helloRefreshedDate,
+			IgnoreValidation: true,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+			Channel:      "stable",
+			Flags:        store.SnapActionEnforceValidation,
+		},
+	}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
 }
 
-func (s *storeTestSuite) TestAuthURLDependsOnEnviron(c *C) {
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
-	before := authURL()
+func (s *storeTestSuite) TestInstallFallbackChannelIsStable(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
-	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
-	after := authURL()
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-	c.Check(before, Not(Equals), after)
-}
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+		})
 
-func (s *storeTestSuite) TestApiURLDependsOnEnviron(c *C) {
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
-	before := apiURL()
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
 
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
-	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
-	after := apiURL()
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	c.Check(before, Not(Equals), after)
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:  "hello-world",
+			SnapID:        helloWorldSnapID,
+			RefreshedDate: helloRefreshedDate,
+			Revision:      snap.R(1),
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+		},
+	}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
 }
 
-func (s *storeTestSuite) TestStoreURLDependsOnEnviron(c *C) {
-	// This also depends on the API URL, but that's tested separately (see
-	// TestApiURLDependsOnEnviron).
-	api := apiURL()
+func (s *storeTestSuite) TestSnapActionNonDefaultsHeaders(c *C) {
+	restore := release.MockOnClassic(true)
+	defer restore()
 
-	c.Assert(os.Setenv("SNAPPY_FORCE_CPI_URL", ""), IsNil)
-	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", ""), IsNil)
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-	// Test in order of precedence (low first) leaving env vars set as we go ...
+		storeID := r.Header.Get("Snap-Device-Store")
+		c.Check(storeID, Equals, "foo")
 
-	u, err := storeURL(api)
-	c.Assert(err, IsNil)
-	c.Check(u.String(), Matches, api.String()+".*")
+		c.Check(r.Header.Get("Snap-Device-Series"), Equals, "21")
+		c.Check(r.Header.Get("Snap-Device-Architecture"), Equals, "archXYZ")
+		c.Check(r.Header.Get("Snap-Classic"), Equals, "true")
 
-	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", "https://force-api.local/"), IsNil)
-	defer os.Setenv("SNAPPY_FORCE_API_URL", "")
-	u, err = storeURL(api)
-	c.Assert(err, IsNil)
-	c.Check(u.String(), Matches, "https://force-api.local/.*")
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-	c.Assert(os.Setenv("SNAPPY_FORCE_CPI_URL", "https://force-cpi.local/api/v1/"), IsNil)
-	defer os.Setenv("SNAPPY_FORCE_CPI_URL", "")
-	u, err = storeURL(api)
-	c.Assert(err, IsNil)
-	c.Check(u.String(), Matches, "https://force-cpi.local/.*")
-}
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-func (s *storeTestSuite) TestStoreURLBadEnvironAPI(c *C) {
-	c.Assert(os.Setenv("SNAPPY_FORCE_API_URL", "://force-api.local/"), IsNil)
-	defer os.Setenv("SNAPPY_FORCE_API_URL", "")
-	_, err := storeURL(apiURL())
-	c.Check(err, ErrorMatches, "invalid SNAPPY_FORCE_API_URL: parse ://force-api.local/: missing protocol scheme")
-}
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "beta",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+		})
 
-func (s *storeTestSuite) TestStoreURLBadEnvironCPI(c *C) {
-	c.Assert(os.Setenv("SNAPPY_FORCE_CPI_URL", "://force-cpi.local/api/v1/"), IsNil)
-	defer os.Setenv("SNAPPY_FORCE_CPI_URL", "")
-	_, err := storeURL(apiURL())
-	c.Check(err, ErrorMatches, "invalid SNAPPY_FORCE_CPI_URL: parse ://force-cpi.local/: missing protocol scheme")
-}
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
 
-func (s *storeTestSuite) TestStoreDeveloperURLDependsOnEnviron(c *C) {
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", ""), IsNil)
-	before := storeDeveloperURL()
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	c.Assert(os.Setenv("SNAPPY_USE_STAGING_STORE", "1"), IsNil)
-	defer os.Setenv("SNAPPY_USE_STAGING_STORE", "")
-	after := storeDeveloperURL()
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.DefaultConfig()
+	cfg.StoreBaseURL = mockServerURL
+	cfg.Series = "21"
+	cfg.Architecture = "archXYZ"
+	cfg.StoreID = "foo"
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(cfg, authContext)
 
-	c.Check(before, Not(Equals), after)
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "beta",
+			RefreshedDate:   helloRefreshedDate,
+			Revision:        snap.R(1),
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+		},
+	}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
+	c.Assert(results[0].Version, Equals, "6.1")
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Assert(results[0].Publisher.ID, Equals, helloWorldDeveloperID)
+	c.Assert(results[0].Deltas, HasLen, 0)
 }
 
-func (s *storeTestSuite) TestDefaultConfig(c *C) {
-	c.Check(defaultConfig.StoreBaseURL.String(), Equals, "https://api.snapcraft.io/")
-	c.Check(defaultConfig.AssertionsBaseURL, IsNil)
-}
+func (s *storeTestSuite) TestSnapActionWithDeltas(c *C) {
+	origUseDeltas := os.Getenv("SNAPD_USE_DELTAS_EXPERIMENTAL")
+	defer os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", origUseDeltas)
+	c.Assert(os.Setenv("SNAPD_USE_DELTAS_EXPERIMENTAL", "1"), IsNil)
 
-func (s *storeTestSuite) TestNew(c *C) {
-	aStore := New(nil, nil)
-	c.Assert(aStore, NotNil)
-	// check for fields
-	c.Check(aStore.detailFields, DeepEquals, detailFields)
-}
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-var testAssertion = `type: snap-declaration
-authority-id: super
-series: 16
-snap-id: snapidfoo
-publisher-id: devidbaz
-snap-name: mysnap
-timestamp: 2016-03-30T12:22:16Z
-sign-key-sha3-384: Jv8_JiHiIzJVcO9M55pPdqSDWUvuhfDIBJUS-3VW7F_idjix7Ffn5qMxB21ZQuij
+		c.Check(r.Header.Get("Snap-Accept-Delta-Format"), Equals, "xdelta3")
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-openpgp wsBcBAABCAAQBQJW+8VBCRDWhXkqAWcrfgAAQ9gIABZFgMPByJZeUE835FkX3/y2hORn
-AzE3R1ktDkQEVe/nfVDMACAuaw1fKmUS4zQ7LIrx/AZYw5i0vKVmJszL42LBWVsqR0+p9Cxebzv9
-U2VUSIajEsUUKkBwzD8wxFzagepFlScif1NvCGZx0vcGUOu0Ent0v+gqgAv21of4efKqEW7crlI1
-T/A8LqZYmIzKRHGwCVucCyAUD8xnwt9nyWLgLB+LLPOVFNK8SR6YyNsX05Yz1BUSndBfaTN8j/k8
-8isKGZE6P0O9ozBbNIAE8v8NMWQegJ4uWuil7D3psLkzQIrxSypk9TrQ2GlIG2hJdUovc5zBuroe
-xS4u9rVT6UY=`
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-func (s *storeTestSuite) TestAssertion(c *C) {
-	restore := asserts.MockMaxSupportedFormat(asserts.SnapDeclarationType, 88)
-	defer restore()
-	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
-		// check device authorization is set, implicitly checking doRequest was used
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "beta",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+		})
 
-		c.Check(r.Header.Get("Accept"), Equals, "application/x.ubuntu.assertion")
-		c.Check(r.URL.Path, Matches, ".*/snap-declaration/16/snapidfoo")
-		c.Check(r.URL.Query().Get("max-format"), Equals, "88")
-		io.WriteString(w, testAssertion)
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
 	authContext := &testAuthContext{c: c, device: s.device}
-	sto := New(&cfg, authContext)
+	sto := store.New(&cfg, authContext)
 
-	a, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "beta",
+			Revision:        snap.R(1),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+		},
+	}, nil, nil)
 	c.Assert(err, IsNil)
-	c.Check(a, NotNil)
-	c.Check(a.Type(), Equals, asserts.SnapDeclarationType)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
 }
 
-func (s *storeTestSuite) TestAssertionProxyStoreFromAuthContext(c *C) {
-	restore := asserts.MockMaxSupportedFormat(asserts.SnapDeclarationType, 88)
-	defer restore()
+func (s *storeTestSuite) TestSnapActionOptions(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
+		assertRequest(c, r, "POST", snapActionPath)
 		// check device authorization is set, implicitly checking doRequest was used
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-		c.Check(r.Header.Get("Accept"), Equals, "application/x.ubuntu.assertion")
-		c.Check(r.URL.Path, Matches, ".*/snap-declaration/16/snapidfoo")
-		c.Check(r.URL.Query().Get("max-format"), Equals, "88")
-		io.WriteString(w, testAssertion)
+		c.Check(r.Header.Get("Snap-Refresh-Managed"), Equals, "true")
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(1),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+			"channel":      "stable",
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	nowhereURL, err := url.Parse("http://nowhere.invalid")
-	c.Assert(err, IsNil)
-	cfg := Config{
-		AssertionsBaseURL: nowhereURL,
-	}
-	authContext := &testAuthContext{
-		c:             c,
-		device:        s.device,
-		proxyStoreID:  "foo",
-		proxyStoreURL: mockServerURL,
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, authContext)
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	a, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(1),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+			Channel:      "stable",
+		},
+	}, nil, &store.RefreshOptions{RefreshManaged: true})
 	c.Assert(err, IsNil)
-	c.Check(a, NotNil)
-	c.Check(a.Type(), Equals, asserts.SnapDeclarationType)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
 }
 
-func (s *storeTestSuite) TestAssertionNotFound(c *C) {
+func (s *storeTestSuite) TestSnapActionInstall(c *C) {
+	s.testSnapActionGet("install", c)
+}
+func (s *storeTestSuite) TestSnapActionDownload(c *C) {
+	s.testSnapActionGet("download", c)
+}
+func (s *storeTestSuite) testSnapActionGet(action string, c *C) {
+	// action here is one of install or download
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
-		c.Check(r.Header.Get("Accept"), Equals, "application/x.ubuntu.assertion")
-		c.Check(r.URL.Path, Matches, ".*/snap-declaration/16/snapidfoo")
-		w.Header().Set("Content-Type", "application/problem+json")
-		w.WriteHeader(404)
-		io.WriteString(w, `{"status": 404,"title": "not found"}`)
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		c.Check(r.Header.Get("Snap-Refresh-Managed"), Equals, "")
+
+		// no store ID by default
+		storeID := r.Header.Get("Snap-Device-Store")
+		c.Check(storeID, Equals, "")
+
+		c.Check(r.Header.Get("Snap-Device-Series"), Equals, release.Series)
+		c.Check(r.Header.Get("Snap-Device-Architecture"), Equals, arch.UbuntuArchitecture())
+		c.Check(r.Header.Get("Snap-Classic"), Equals, "false")
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 0)
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       action,
+			"instance-key": action + "-1",
+			"name":         "hello-world",
+			"channel":      "beta",
+			"epoch":        nil,
+		})
+
+		fmt.Fprintf(w, `{
+  "results": [{
+     "result": "%s",
+     "instance-key": "%[1]s-1",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "effective-channel": "candidate",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`, action)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		AssertionsBaseURL: mockServerURL,
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	_, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
-	c.Check(asserts.IsNotFound(err), Equals, true)
-	c.Check(err, DeepEquals, &asserts.NotFoundError{
-		Type: asserts.SnapDeclarationType,
-		Headers: map[string]string{
-			"series":  "16",
-			"snap-id": "snapidfoo",
-		},
-	})
+	results, err := sto.SnapAction(context.TODO(), nil,
+		[]*store.SnapAction{
+			{
+				Action:       action,
+				InstanceName: "hello-world",
+				Channel:      "beta",
+			},
+		}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
+	c.Assert(results[0].Version, Equals, "6.1")
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Assert(results[0].Publisher.ID, Equals, helloWorldDeveloperID)
+	c.Assert(results[0].Deltas, HasLen, 0)
+	// effective-channel
+	c.Assert(results[0].Channel, Equals, "candidate")
 }
 
-func (s *storeTestSuite) TestAssertion500(c *C) {
-	var n = 0
+func (s *storeTestSuite) TestSnapActionInstallAmend(c *C) {
+	// this is what amend would look like
+	restore := release.MockOnClassic(false)
+	defer restore()
+
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", "/api/v1/snaps/assertions/.*")
-		n++
-		w.WriteHeader(500)
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		c.Check(r.Header.Get("Snap-Refresh-Managed"), Equals, "")
+
+		// no store ID by default
+		storeID := r.Header.Get("Snap-Device-Store")
+		c.Check(storeID, Equals, "")
+
+		c.Check(r.Header.Get("Snap-Device-Series"), Equals, release.Series)
+		c.Check(r.Header.Get("Snap-Device-Architecture"), Equals, arch.UbuntuArchitecture())
+		c.Check(r.Header.Get("Snap-Classic"), Equals, "false")
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 0)
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "hello-world",
+			"channel":      "beta",
+			"epoch":        map[string]interface{}{"read": []interface{}{0., 1.}, "write": []interface{}{1.}},
+		})
+
+		fmt.Fprint(w, `{
+  "results": [{
+     "result": "install",
+     "instance-key": "install-1",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "effective-channel": "candidate",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
-		AssertionsBaseURL: mockServerURL,
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	_, err := sto.Assertion(asserts.SnapDeclarationType, []string{"16", "snapidfoo"}, nil)
-	c.Assert(err, ErrorMatches, `cannot fetch assertion: got unexpected HTTP status code 500 via .+`)
-	c.Assert(n, Equals, 5)
+	results, err := sto.SnapAction(context.TODO(), nil,
+		[]*store.SnapAction{
+			{
+				Action:       "install",
+				InstanceName: "hello-world",
+				Channel:      "beta",
+				Epoch:        snap.E("1*"),
+			},
+		}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
+	c.Assert(results[0].Version, Equals, "6.1")
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Assert(results[0].Publisher.ID, Equals, helloWorldDeveloperID)
+	c.Assert(results[0].Deltas, HasLen, 0)
+	// effective-channel
+	c.Assert(results[0].Channel, Equals, "candidate")
 }
 
-func (s *storeTestSuite) TestSuggestedCurrency(c *C) {
-	suggestedCurrency := "GBP"
+func (s *storeTestSuite) TestSnapActionDownloadParallelInstanceKey(c *C) {
+	// action here is one of install or download
+	restore := release.MockOnClassic(false)
+	defer restore()
 
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", detailsPathPattern)
-		w.Header().Set("X-Suggested-Currency", suggestedCurrency)
-		w.WriteHeader(200)
-
-		io.WriteString(w, MockDetailsJSON)
+		c.Fatal("should not be reached")
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
 	mockServerURL, _ := url.Parse(mockServer.URL)
-	cfg := Config{
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
-
-	// the store doesn't know the currency until after the first search, so fall back to dollars
-	c.Check(sto.SuggestedCurrency(), Equals, "USD")
-
-	// we should soon have a suggested currency
-	spec := SnapSpec{
-		Name:     "hello-world",
-		Channel:  "edge",
-		Revision: snap.R(0),
-	}
-	result, err := sto.SnapInfo(spec, nil)
-	c.Assert(err, IsNil)
-	c.Assert(result, NotNil)
-	c.Check(sto.SuggestedCurrency(), Equals, "GBP")
-
-	suggestedCurrency = "EUR"
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	// checking the currency updates
-	result, err = sto.SnapInfo(spec, nil)
-	c.Assert(err, IsNil)
-	c.Assert(result, NotNil)
-	c.Check(sto.SuggestedCurrency(), Equals, "EUR")
+	_, err := sto.SnapAction(context.TODO(), nil,
+		[]*store.SnapAction{
+			{
+				Action:       "download",
+				InstanceName: "hello-world_foo",
+				Channel:      "beta",
+			},
+		}, nil, nil)
+	c.Assert(err, ErrorMatches, `internal error: unsupported download with instance name "hello-world_foo"`)
 }
 
-func (s *storeTestSuite) TestDecorateOrders(c *C) {
-	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", ordersPath)
-		// check device authorization is set, implicitly checking doRequest was used
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-		c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-		c.Check(r.URL.Path, Equals, ordersPath)
-		io.WriteString(w, mockOrdersJSON)
-	}))
+func (s *storeTestSuite) TestSnapActionInstallWithRevision(c *C) {
+	s.testSnapActionGetWithRevision("install", c)
+}
 
-	c.Assert(mockPurchasesServer, NotNil)
-	defer mockPurchasesServer.Close()
+func (s *storeTestSuite) TestSnapActionDownloadWithRevision(c *C) {
+	s.testSnapActionGetWithRevision("download", c)
+}
 
-	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
-	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
-	sto := New(&cfg, authContext)
+func (s *storeTestSuite) testSnapActionGetWithRevision(action string, c *C) {
+	// action here is one of install or download
+	restore := release.MockOnClassic(false)
+	defer restore()
 
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
-	helloWorld.Prices = map[string]float64{"USD": 1.23}
-	helloWorld.Paid = true
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-	funkyApp := &snap.Info{}
-	funkyApp.SnapID = funkyAppSnapID
-	funkyApp.Prices = map[string]float64{"USD": 2.34}
-	funkyApp.Paid = true
+		c.Check(r.Header.Get("Snap-Refresh-Managed"), Equals, "")
 
-	otherApp := &snap.Info{}
-	otherApp.SnapID = "other"
-	otherApp.Prices = map[string]float64{"USD": 3.45}
-	otherApp.Paid = true
+		// no store ID by default
+		storeID := r.Header.Get("Snap-Device-Store")
+		c.Check(storeID, Equals, "")
 
-	otherApp2 := &snap.Info{}
-	otherApp2.SnapID = "other2"
+		c.Check(r.Header.Get("Snap-Device-Series"), Equals, release.Series)
+		c.Check(r.Header.Get("Snap-Device-Architecture"), Equals, arch.UbuntuArchitecture())
+		c.Check(r.Header.Get("Snap-Classic"), Equals, "false")
 
-	snaps := []*snap.Info{helloWorld, funkyApp, otherApp, otherApp2}
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-	err := sto.decorateOrders(snaps, s.user)
-	c.Assert(err, IsNil)
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-	c.Check(helloWorld.MustBuy, Equals, false)
-	c.Check(funkyApp.MustBuy, Equals, false)
-	c.Check(otherApp.MustBuy, Equals, true)
-	c.Check(otherApp2.MustBuy, Equals, false)
-}
+		c.Assert(req.Context, HasLen, 0)
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       action,
+			"instance-key": action + "-1",
+			"name":         "hello-world",
+			"revision":     float64(28),
+			"epoch":        nil,
+		})
 
-func (s *storeTestSuite) TestDecorateOrdersFailedAccess(c *C) {
-	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", ordersPath)
-		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-		c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-		c.Check(r.URL.Path, Equals, ordersPath)
-		w.WriteHeader(401)
-		io.WriteString(w, "{}")
+		fmt.Fprintf(w, `{
+  "results": [{
+     "result": "%s",
+     "instance-key": "%[1]s-1",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 28,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`, action)
 	}))
 
-	c.Assert(mockPurchasesServer, NotNil)
-	defer mockPurchasesServer.Close()
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
-	cfg := Config{
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, nil)
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
-	helloWorld.Prices = map[string]float64{"USD": 1.23}
-	helloWorld.Paid = true
+	results, err := sto.SnapAction(context.TODO(), nil,
+		[]*store.SnapAction{
+			{
+				Action:       action,
+				InstanceName: "hello-world",
+				Revision:     snap.R(28),
+			},
+		}, nil, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(28))
+	c.Assert(results[0].Version, Equals, "6.1")
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Assert(results[0].Publisher.ID, Equals, helloWorldDeveloperID)
+	c.Assert(results[0].Deltas, HasLen, 0)
+	// effective-channel is not set
+	c.Assert(results[0].Channel, Equals, "")
+}
 
-	funkyApp := &snap.Info{}
-	funkyApp.SnapID = funkyAppSnapID
-	funkyApp.Prices = map[string]float64{"USD": 2.34}
-	funkyApp.Paid = true
+func (s *storeTestSuite) TestSnapActionRevisionNotAvailable(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-	otherApp := &snap.Info{}
-	otherApp.SnapID = "other"
-	otherApp.Prices = map[string]float64{"USD": 3.45}
-	otherApp.Paid = true
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-	otherApp2 := &snap.Info{}
-	otherApp2.SnapID = "other2"
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-	snaps := []*snap.Info{helloWorld, funkyApp, otherApp, otherApp2}
+		c.Assert(req.Context, HasLen, 2)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Context[1], DeepEquals, map[string]interface{}{
+			"snap-id":          "snap2-id",
+			"instance-key":     "snap2-id",
+			"revision":         float64(2),
+			"tracking-channel": "edge",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 4)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+		})
+		c.Assert(req.Actions[1], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": "snap2-id",
+			"snap-id":      "snap2-id",
+			"channel":      "candidate",
+		})
+		c.Assert(req.Actions[2], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "foo",
+			"channel":      "stable",
+			"epoch":        nil,
+		})
+		c.Assert(req.Actions[3], DeepEquals, map[string]interface{}{
+			"action":       "download",
+			"instance-key": "download-1",
+			"name":         "bar",
+			"revision":     42.,
+			"epoch":        nil,
+		})
 
-	err := sto.decorateOrders(snaps, s.user)
-	c.Assert(err, NotNil)
+		io.WriteString(w, `{
+  "results": [{
+     "result": "error",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "error": {
+       "code": "revision-not-found",
+       "message": "msg1"
+     }
+  }, {
+     "result": "error",
+     "instance-key": "snap2-id",
+     "snap-id": "snap2-id",
+     "name": "snap2",
+     "error": {
+       "code": "revision-not-found",
+       "message": "msg1",
+       "extra": {
+         "releases": [{"architecture": "amd64", "channel": "beta"},
+                      {"architecture": "arm64", "channel": "beta"}]
+       }
+     }
+  }, {
+     "result": "error",
+     "instance-key": "install-1",
+     "snap-id": "foo-id",
+     "name": "foo",
+     "error": {
+       "code": "revision-not-found",
+       "message": "msg2"
+     }
+  }, {
+     "result": "error",
+     "instance-key": "download-1",
+     "snap-id": "bar-id",
+     "name": "bar",
+     "error": {
+       "code": "revision-not-found",
+       "message": "msg3"
+     }
+  }]
+}`)
+	}))
 
-	c.Check(helloWorld.MustBuy, Equals, true)
-	c.Check(funkyApp.MustBuy, Equals, true)
-	c.Check(otherApp.MustBuy, Equals, true)
-	c.Check(otherApp2.MustBuy, Equals, false)
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+		{
+			InstanceName:    "snap2",
+			SnapID:          "snap2-id",
+			TrackingChannel: "edge",
+			Revision:        snap.R(2),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			InstanceName: "hello-world",
+			SnapID:       helloWorldSnapID,
+		}, {
+			Action:       "refresh",
+			InstanceName: "snap2",
+			SnapID:       "snap2-id",
+			Channel:      "candidate",
+		}, {
+			Action:       "install",
+			InstanceName: "foo",
+			Channel:      "stable",
+		}, {
+			Action:       "download",
+			InstanceName: "bar",
+			Revision:     snap.R(42),
+		},
+	}, nil, nil)
+	c.Assert(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{
+		Refresh: map[string]error{
+			"hello-world": &store.RevisionNotAvailableError{
+				Action:  "refresh",
+				Channel: "stable",
+			},
+			"snap2": &store.RevisionNotAvailableError{
+				Action:  "refresh",
+				Channel: "candidate",
+				Releases: []snap.Channel{
+					snaptest.MustParseChannel("beta", "amd64"),
+					snaptest.MustParseChannel("beta", "arm64"),
+				},
+			},
+		},
+		Install: map[string]error{
+			"foo": &store.RevisionNotAvailableError{
+				Action:  "install",
+				Channel: "stable",
+			},
+		},
+		Download: map[string]error{
+			"bar": &store.RevisionNotAvailableError{
+				Action:  "download",
+				Channel: "",
+			},
+		},
+	})
 }
 
-func (s *storeTestSuite) TestDecorateOrdersNoAuth(c *C) {
-	cfg := Config{}
-	sto := New(&cfg, nil)
+func (s *storeTestSuite) TestSnapActionSnapNotFound(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
-	helloWorld.Prices = map[string]float64{"USD": 1.23}
-	helloWorld.Paid = true
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-	funkyApp := &snap.Info{}
-	funkyApp.SnapID = funkyAppSnapID
-	funkyApp.Prices = map[string]float64{"USD": 2.34}
-	funkyApp.Paid = true
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-	otherApp := &snap.Info{}
-	otherApp.SnapID = "other"
-	otherApp.Prices = map[string]float64{"USD": 3.45}
-	otherApp.Paid = true
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 3)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+			"channel":      "stable",
+		})
+		c.Assert(req.Actions[1], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "foo",
+			"channel":      "stable",
+			"epoch":        nil,
+		})
+		c.Assert(req.Actions[2], DeepEquals, map[string]interface{}{
+			"action":       "download",
+			"instance-key": "download-1",
+			"name":         "bar",
+			"revision":     42.,
+			"epoch":        nil,
+		})
 
-	otherApp2 := &snap.Info{}
-	otherApp2.SnapID = "other2"
+		io.WriteString(w, `{
+  "results": [{
+     "result": "error",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "error": {
+       "code": "id-not-found",
+       "message": "msg1"
+     }
+  }, {
+     "result": "error",
+     "instance-key": "install-1",
+     "name": "foo",
+     "error": {
+       "code": "name-not-found",
+       "message": "msg2"
+     }
+  }, {
+     "result": "error",
+     "instance-key": "download-1",
+     "name": "bar",
+     "error": {
+       "code": "name-not-found",
+       "message": "msg3"
+     }
+  }]
+}`)
+	}))
 
-	snaps := []*snap.Info{helloWorld, funkyApp, otherApp, otherApp2}
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	err := sto.decorateOrders(snaps, nil)
-	c.Assert(err, IsNil)
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	c.Check(helloWorld.MustBuy, Equals, true)
-	c.Check(funkyApp.MustBuy, Equals, true)
-	c.Check(otherApp.MustBuy, Equals, true)
-	c.Check(otherApp2.MustBuy, Equals, false)
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+			Channel:      "stable",
+		}, {
+			Action:       "install",
+			InstanceName: "foo",
+			Channel:      "stable",
+		}, {
+			Action:       "download",
+			InstanceName: "bar",
+			Revision:     snap.R(42),
+		},
+	}, nil, nil)
+	c.Assert(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{
+		Refresh: map[string]error{
+			"hello-world": store.ErrSnapNotFound,
+		},
+		Install: map[string]error{
+			"foo": store.ErrSnapNotFound,
+		},
+		Download: map[string]error{
+			"bar": store.ErrSnapNotFound,
+		},
+	})
 }
 
-func (s *storeTestSuite) TestDecorateOrdersAllFree(c *C) {
-	requestRecieved := false
-
-	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		c.Error(r.URL.Path)
-		c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-		requestRecieved = true
-		io.WriteString(w, `{"orders": []}`)
-	}))
+func (s *storeTestSuite) TestSnapActionOtherErrors(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-	c.Assert(mockPurchasesServer, NotNil)
-	defer mockPurchasesServer.Close()
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-	sto := New(&cfg, nil)
+		c.Assert(req.Context, HasLen, 0)
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "foo",
+			"channel":      "stable",
+			"epoch":        nil,
+		})
 
-	// This snap is free
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
+		io.WriteString(w, `{
+  "results": [{
+     "result": "error",
+     "error": {
+       "code": "other1",
+       "message": "other error one"
+     }
+  }],
+  "error-list": [
+     {"code": "global-error", "message": "global error"}
+  ]
+}`)
+	}))
 
-	// This snap is also free
-	funkyApp := &snap.Info{}
-	funkyApp.SnapID = funkyAppSnapID
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	snaps := []*snap.Info{helloWorld, funkyApp}
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	// There should be no request to the purchase server.
-	err := sto.decorateOrders(snaps, s.user)
-	c.Assert(err, IsNil)
-	c.Check(requestRecieved, Equals, false)
+	results, err := sto.SnapAction(context.TODO(), nil, []*store.SnapAction{
+		{
+			Action:       "install",
+			InstanceName: "foo",
+			Channel:      "stable",
+		},
+	}, nil, nil)
+	c.Assert(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{
+		Other: []error{
+			fmt.Errorf("other error one"),
+			fmt.Errorf("global error"),
+		},
+	})
 }
 
-func (s *storeTestSuite) TestDecorateOrdersSingle(c *C) {
-	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-		c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-		c.Check(r.URL.Path, Equals, ordersPath)
-		io.WriteString(w, mockSingleOrderJSON)
+func (s *storeTestSuite) TestSnapActionUnknownAction(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Fatal("should not have made it to the server")
 	}))
 
-	c.Assert(mockPurchasesServer, NotNil)
-	defer mockPurchasesServer.Close()
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
-	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	cfg := Config{
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
 		StoreBaseURL: mockServerURL,
 	}
-	sto := New(&cfg, authContext)
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
-	helloWorld.Prices = map[string]float64{"USD": 1.23}
-	helloWorld.Paid = true
+	results, err := sto.SnapAction(context.TODO(), nil,
+		[]*store.SnapAction{
+			{
+				Action:       "something unexpected",
+				InstanceName: "hello-world",
+			},
+		}, nil, nil)
+	c.Assert(err, ErrorMatches, `.* unsupported action .*`)
+	c.Assert(results, IsNil)
+}
+
+func (s *storeTestSuite) TestSnapActionErrorError(c *C) {
+	e := &store.SnapActionError{Refresh: map[string]error{
+		"foo": fmt.Errorf("sad refresh"),
+	}}
+	c.Check(e.Error(), Equals, `cannot refresh snap "foo": sad refresh`)
+
+	e = &store.SnapActionError{Refresh: map[string]error{
+		"foo": fmt.Errorf("sad refresh 1"),
+		"bar": fmt.Errorf("sad refresh 2"),
+	}}
+	errMsg := e.Error()
+	c.Check(strings.HasPrefix(errMsg, "cannot refresh:"), Equals, true)
+	c.Check(errMsg, testutil.Contains, "\nsad refresh 1: \"foo\"")
+	c.Check(errMsg, testutil.Contains, "\nsad refresh 2: \"bar\"")
+
+	e = &store.SnapActionError{Install: map[string]error{
+		"foo": fmt.Errorf("sad install"),
+	}}
+	c.Check(e.Error(), Equals, `cannot install snap "foo": sad install`)
+
+	e = &store.SnapActionError{Install: map[string]error{
+		"foo": fmt.Errorf("sad install 1"),
+		"bar": fmt.Errorf("sad install 2"),
+	}}
+	errMsg = e.Error()
+	c.Check(strings.HasPrefix(errMsg, "cannot install:\n"), Equals, true)
+	c.Check(errMsg, testutil.Contains, "\nsad install 1: \"foo\"")
+	c.Check(errMsg, testutil.Contains, "\nsad install 2: \"bar\"")
+
+	e = &store.SnapActionError{Download: map[string]error{
+		"foo": fmt.Errorf("sad download"),
+	}}
+	c.Check(e.Error(), Equals, `cannot download snap "foo": sad download`)
+
+	e = &store.SnapActionError{Download: map[string]error{
+		"foo": fmt.Errorf("sad download 1"),
+		"bar": fmt.Errorf("sad download 2"),
+	}}
+	errMsg = e.Error()
+	c.Check(strings.HasPrefix(errMsg, "cannot download:\n"), Equals, true)
+	c.Check(errMsg, testutil.Contains, "\nsad download 1: \"foo\"")
+	c.Check(errMsg, testutil.Contains, "\nsad download 2: \"bar\"")
 
-	snaps := []*snap.Info{helloWorld}
+	e = &store.SnapActionError{Refresh: map[string]error{
+		"foo": fmt.Errorf("sad refresh 1"),
+	},
+		Install: map[string]error{
+			"bar": fmt.Errorf("sad install 2"),
+		}}
+	c.Check(e.Error(), Equals, `cannot refresh or install:
+sad refresh 1: "foo"
+sad install 2: "bar"`)
 
-	err := sto.decorateOrders(snaps, s.user)
-	c.Assert(err, IsNil)
-	c.Check(helloWorld.MustBuy, Equals, false)
-}
+	e = &store.SnapActionError{Refresh: map[string]error{
+		"foo": fmt.Errorf("sad refresh 1"),
+	},
+		Download: map[string]error{
+			"bar": fmt.Errorf("sad download 2"),
+		}}
+	c.Check(e.Error(), Equals, `cannot refresh or download:
+sad refresh 1: "foo"
+sad download 2: "bar"`)
 
-func (s *storeTestSuite) TestDecorateOrdersSingleFreeSnap(c *C) {
-	cfg := Config{}
-	sto := New(&cfg, nil)
+	e = &store.SnapActionError{Install: map[string]error{
+		"foo": fmt.Errorf("sad install 1"),
+	},
+		Download: map[string]error{
+			"bar": fmt.Errorf("sad download 2"),
+		}}
+	c.Check(e.Error(), Equals, `cannot install or download:
+sad install 1: "foo"
+sad download 2: "bar"`)
 
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
+	e = &store.SnapActionError{Refresh: map[string]error{
+		"foo": fmt.Errorf("sad refresh 1"),
+	},
+		Install: map[string]error{
+			"bar": fmt.Errorf("sad install 2"),
+		},
+		Download: map[string]error{
+			"baz": fmt.Errorf("sad download 3"),
+		}}
+	c.Check(e.Error(), Equals, `cannot refresh, install, or download:
+sad refresh 1: "foo"
+sad install 2: "bar"
+sad download 3: "baz"`)
+
+	e = &store.SnapActionError{
+		NoResults: true,
+		Other:     []error{fmt.Errorf("other error")},
+	}
+	c.Check(e.Error(), Equals, `cannot refresh, install, or download: other error`)
+
+	e = &store.SnapActionError{
+		Other: []error{fmt.Errorf("other error 1"), fmt.Errorf("other error 2")},
+	}
+	c.Check(e.Error(), Equals, `cannot refresh, install, or download:
+other error 1
+other error 2`)
+
+	e = &store.SnapActionError{
+		Install: map[string]error{
+			"bar": fmt.Errorf("sad install"),
+		},
+		Other: []error{fmt.Errorf("other error 1"), fmt.Errorf("other error 2")},
+	}
+	c.Check(e.Error(), Equals, `cannot refresh, install, or download:
+sad install: "bar"
+other error 1
+other error 2`)
 
-	snaps := []*snap.Info{helloWorld}
+	e = &store.SnapActionError{
+		NoResults: true,
+	}
+	c.Check(e.Error(), Equals, "no install/refresh information results from the store")
+}
+
+func (s *storeTestSuite) TestSnapActionRefreshesBothAuths(c *C) {
+	// snap action (install/refresh) has is its own custom way to
+	// signal macaroon refreshes that allows to do a best effort
+	// with the available results
 
-	err := sto.decorateOrders(snaps, s.user)
+	refresh, err := makeTestRefreshDischargeResponse()
 	c.Assert(err, IsNil)
-	c.Check(helloWorld.MustBuy, Equals, false)
-}
+	c.Check(s.user.StoreDischarges[0], Not(Equals), refresh)
 
-func (s *storeTestSuite) TestDecorateOrdersSingleNotFound(c *C) {
-	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assertRequest(c, r, "GET", ordersPath)
-		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-		c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-		c.Check(r.URL.Path, Equals, ordersPath)
-		w.WriteHeader(404)
-		io.WriteString(w, "{}")
+	// mock refresh response
+	refreshDischargeEndpointHit := false
+	mockSSOServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		io.WriteString(w, fmt.Sprintf(`{"discharge_macaroon": "%s"}`, refresh))
+		refreshDischargeEndpointHit = true
 	}))
+	defer mockSSOServer.Close()
+	store.UbuntuoneRefreshDischargeAPI = mockSSOServer.URL + "/tokens/refresh"
 
-	c.Assert(mockPurchasesServer, NotNil)
-	defer mockPurchasesServer.Close()
+	refreshSessionRequested := false
+	expiredAuth := `Macaroon root="expired-session-macaroon"`
+	n := 0
+	// mock store response
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		c.Check(r.UserAgent(), Equals, userAgent)
 
-	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
-	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	cfg := Config{
-		StoreBaseURL: mockServerURL,
-	}
-	sto := New(&cfg, authContext)
+		switch r.URL.Path {
+		case snapActionPath:
+			n++
+			type errObj struct {
+				Code    string `json:"code"`
+				Message string `json:"message"`
+			}
+			var errors []errObj
 
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
-	helloWorld.Prices = map[string]float64{"USD": 1.23}
-	helloWorld.Paid = true
+			authorization := r.Header.Get("Authorization")
+			c.Check(authorization, Equals, s.expectedAuthorization(c, s.user))
+			if s.user.StoreDischarges[0] != refresh {
+				errors = append(errors, errObj{Code: "user-authorization-needs-refresh"})
+			}
 
-	snaps := []*snap.Info{helloWorld}
+			devAuthorization := r.Header.Get("Snap-Device-Authorization")
+			if devAuthorization == "" {
+				c.Fatalf("device authentication missing")
+			} else if devAuthorization == expiredAuth {
+				errors = append(errors, errObj{Code: "device-authorization-needs-refresh"})
+			} else {
+				c.Check(devAuthorization, Equals, `Macaroon root="refreshed-session-macaroon"`)
+			}
 
-	err := sto.decorateOrders(snaps, s.user)
-	c.Assert(err, NotNil)
-	c.Check(helloWorld.MustBuy, Equals, true)
-}
+			errorsJSON, err := json.Marshal(errors)
+			c.Assert(err, IsNil)
 
-func (s *storeTestSuite) TestDecorateOrdersTokenExpired(c *C) {
-	mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-		c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-		c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-		c.Check(r.URL.Path, Equals, ordersPath)
-		w.WriteHeader(401)
-		io.WriteString(w, "")
+			io.WriteString(w, fmt.Sprintf(`{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "name": "canonical",
+          "title": "Canonical"
+       }
+     }
+  }],
+  "error-list": %s
+}`, errorsJSON))
+		case authNoncesPath:
+			io.WriteString(w, `{"nonce": "1234567890:9876543210"}`)
+		case authSessionPath:
+			// sanity of request
+			jsonReq, err := ioutil.ReadAll(r.Body)
+			c.Assert(err, IsNil)
+			var req map[string]string
+			err = json.Unmarshal(jsonReq, &req)
+			c.Assert(err, IsNil)
+			c.Check(strings.HasPrefix(req["device-session-request"], "type: device-session-request\n"), Equals, true)
+			c.Check(strings.HasPrefix(req["serial-assertion"], "type: serial\n"), Equals, true)
+			c.Check(strings.HasPrefix(req["model-assertion"], "type: model\n"), Equals, true)
+
+			authorization := r.Header.Get("X-Device-Authorization")
+			if authorization == "" {
+				c.Fatalf("expecting only refresh")
+			} else {
+				c.Check(authorization, Equals, expiredAuth)
+				io.WriteString(w, `{"macaroon": "refreshed-session-macaroon"}`)
+				refreshSessionRequested = true
+			}
+		default:
+			c.Fatalf("unexpected path %q", r.URL.Path)
+		}
 	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	c.Assert(mockPurchasesServer, NotNil)
-	defer mockPurchasesServer.Close()
+	mockServerURL, _ := url.Parse(mockServer.URL)
 
-	mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
+	// make sure device session is expired
+	s.device.SessionMacaroon = "expired-session-macaroon"
 	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	cfg := Config{
+	sto := store.New(&store.Config{
 		StoreBaseURL: mockServerURL,
-	}
-	sto := New(&cfg, authContext)
-
-	helloWorld := &snap.Info{}
-	helloWorld.SnapID = helloWorldSnapID
-	helloWorld.Prices = map[string]float64{"USD": 1.23}
-	helloWorld.Paid = true
-
-	snaps := []*snap.Info{helloWorld}
+	}, authContext)
 
-	err := sto.decorateOrders(snaps, s.user)
-	c.Assert(err, NotNil)
-	c.Check(helloWorld.MustBuy, Equals, true)
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "beta",
+			Revision:        snap.R(1),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			InstanceName: "hello-world",
+		},
+	}, s.user, nil)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world")
+	c.Check(refreshDischargeEndpointHit, Equals, true)
+	c.Check(refreshSessionRequested, Equals, true)
+	c.Check(n, Equals, 2)
 }
 
-func (s *storeTestSuite) TestMustBuy(c *C) {
-	// Never need to buy a free snap.
-	c.Check(mustBuy(false, true), Equals, false)
-	c.Check(mustBuy(false, false), Equals, false)
-
-	// Don't need to buy snaps that have been bought.
-	c.Check(mustBuy(true, true), Equals, false)
-
-	// Need to buy snaps that aren't bought.
-	c.Check(mustBuy(true, false), Equals, true)
-}
+func (s *storeTestSuite) TestConnectivityCheckHappy(c *C) {
+	seenPaths := make(map[string]int, 2)
+	var mockServerURL *url.URL
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/v2/snaps/info/core":
+			c.Check(r.Method, Equals, "GET")
+			c.Check(r.URL.Query(), DeepEquals, url.Values{"fields": {"download"}, "architecture": {arch.UbuntuArchitecture()}})
+			u, err := url.Parse("/download/core")
+			c.Assert(err, IsNil)
+			io.WriteString(w,
+				fmt.Sprintf(`{"channel-map": [{"download": {"url": %q}}, {"download": {"url": %q}}, {"download": {"url": %q}}]}`,
+					mockServerURL.ResolveReference(u).String(),
+					mockServerURL.String()+"/bogus1/",
+					mockServerURL.String()+"/bogus2/",
+				))
+		case "/download/core":
+			c.Check(r.Method, Equals, "HEAD")
+			w.WriteHeader(200)
+		default:
+			c.Fatalf("unexpected request: %s", r.URL.String())
+			return
+		}
+		seenPaths[r.URL.Path]++
+	}))
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+	mockServerURL, _ = url.Parse(mockServer.URL)
 
-const customersMeValid = `
-{
-  "latest_tos_date": "2016-09-14T00:00:00+00:00",
-  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
-  "latest_tos_accepted": true,
-  "has_payment_method": true
+	sto := store.New(&store.Config{
+		StoreBaseURL: mockServerURL,
+	}, nil)
+	connectivity, err := sto.ConnectivityCheck()
+	c.Assert(err, IsNil)
+	// everything is the test server, here
+	c.Check(connectivity, DeepEquals, map[string]bool{
+		mockServerURL.Host: true,
+	})
+	c.Check(seenPaths, DeepEquals, map[string]int{
+		"/v2/snaps/info/core": 1,
+		"/download/core":      1,
+	})
 }
-`
 
-var buyTests = []struct {
-	suggestedCurrency string
-	expectedInput     string
-	buyStatus         int
-	buyResponse       string
-	buyErrorMessage   string
-	buyErrorCode      string
-	snapID            string
-	price             float64
-	currency          string
-	expectedResult    *BuyResult
-	expectedError     string
-}{
-	{
-		// successful buying
-		suggestedCurrency: "EUR",
-		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"0.99","currency":"EUR"}`,
-		buyResponse:       mockOrderResponseJSON,
-		expectedResult:    &BuyResult{State: "Complete"},
-	},
-	{
-		// failure due to invalid price
-		suggestedCurrency: "USD",
-		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"5.99","currency":"USD"}`,
-		buyStatus:         400,
-		buyErrorCode:      "invalid-field",
-		buyErrorMessage:   "invalid price specified",
-		price:             5.99,
-		expectedError:     "cannot buy snap: bad request: invalid price specified",
-	},
-	{
-		// failure due to unknown snap ID
-		suggestedCurrency: "USD",
-		expectedInput:     `{"snap_id":"invalid snap ID","amount":"0.99","currency":"EUR"}`,
-		buyStatus:         404,
-		buyErrorCode:      "not-found",
-		buyErrorMessage:   "Snap package not found",
-		snapID:            "invalid snap ID",
-		price:             0.99,
-		currency:          "EUR",
-		expectedError:     "cannot buy snap: server says not found: Snap package not found",
-	},
-	{
-		// failure due to "Purchase failed"
-		suggestedCurrency: "USD",
-		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"1.23","currency":"USD"}`,
-		buyStatus:         402, // Payment Required
-		buyErrorCode:      "request-failed",
-		buyErrorMessage:   "Purchase failed",
-		expectedError:     "payment declined",
-	},
-	{
-		// failure due to no payment methods
-		suggestedCurrency: "USD",
-		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"1.23","currency":"USD"}`,
-		buyStatus:         403,
-		buyErrorCode:      "no-payment-methods",
-		buyErrorMessage:   "No payment methods associated with your account.",
-		expectedError:     "no payment methods",
-	},
-	{
-		// failure due to terms of service not accepted
-		suggestedCurrency: "USD",
-		expectedInput:     `{"snap_id":"` + helloWorldSnapID + `","amount":"1.23","currency":"USD"}`,
-		buyStatus:         403,
-		buyErrorCode:      "tos-not-accepted",
-		buyErrorMessage:   "You must accept the latest terms of service first.",
-		expectedError:     "terms of service not accepted",
-	},
-}
+func (s *storeTestSuite) TestConnectivityCheckUnhappy(c *C) {
+	store.MockConnCheckStrategy(&s.BaseTest, retry.LimitCount(3, retry.Exponential{
+		Initial: time.Millisecond,
+		Factor:  1.3,
+	}))
 
-func (s *storeTestSuite) TestBuy500(c *C) {
-	n := 0
+	seenPaths := make(map[string]int, 2)
+	var mockServerURL *url.URL
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
-		case detailsPath("hello-world"):
-			n++
+		case "/v2/snaps/info/core":
 			w.WriteHeader(500)
-		case buyPath:
-		case customersMePath:
-			// default 200 response
 		default:
-			c.Fatalf("unexpected query %s %s", r.Method, r.URL.Path)
+			c.Fatalf("unexpected request: %s", r.URL.String())
+			return
 		}
+		seenPaths[r.URL.Path]++
 	}))
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
+	mockServerURL, _ = url.Parse(mockServer.URL)
 
-	mockServerURL, _ := url.Parse(mockServer.URL)
-	authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-	cfg := Config{
+	sto := store.New(&store.Config{
 		StoreBaseURL: mockServerURL,
-	}
-	sto := New(&cfg, authContext)
-
-	buyOptions := &BuyOptions{
-		SnapID:   helloWorldSnapID,
-		Currency: "USD",
-		Price:    1,
-	}
-	_, err := sto.Buy(buyOptions, s.user)
-	c.Assert(err, NotNil)
+	}, nil)
+	connectivity, err := sto.ConnectivityCheck()
+	c.Assert(err, IsNil)
+	// everything is the test server, here
+	c.Check(connectivity, DeepEquals, map[string]bool{
+		mockServerURL.Host: false,
+	})
+	// three because retries
+	c.Check(seenPaths, DeepEquals, map[string]int{
+		"/v2/snaps/info/core": 3,
+	})
 }
 
-func (s *storeTestSuite) TestBuy(c *C) {
-	for _, test := range buyTests {
-		searchServerCalled := false
-		purchaseServerGetCalled := false
-		purchaseServerPostCalled := false
-		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			switch r.URL.Path {
-			case detailsPath("hello-world"):
-				c.Assert(r.Method, Equals, "GET")
-				w.Header().Set("Content-Type", "application/hal+json")
-				w.Header().Set("X-Suggested-Currency", test.suggestedCurrency)
-				w.WriteHeader(200)
-				io.WriteString(w, MockDetailsJSON)
-				searchServerCalled = true
-			case ordersPath:
-				c.Assert(r.Method, Equals, "GET")
-				c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-				c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-				c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-				io.WriteString(w, `{"orders": []}`)
-				purchaseServerGetCalled = true
-			case buyPath:
-				c.Assert(r.Method, Equals, "POST")
-				// check device authorization is set, implicitly checking doRequest was used
-				c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-				c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-				c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-				c.Check(r.Header.Get("Content-Type"), Equals, jsonContentType)
-				c.Check(r.URL.Path, Equals, buyPath)
-				jsonReq, err := ioutil.ReadAll(r.Body)
-				c.Assert(err, IsNil)
-				c.Check(string(jsonReq), Equals, test.expectedInput)
-				if test.buyErrorCode == "" {
-					io.WriteString(w, test.buyResponse)
-				} else {
-					w.WriteHeader(test.buyStatus)
-					// TODO(matt): this is fugly!
-					fmt.Fprintf(w, `
-{
-	"error_list": [
-		{
-			"code": "%s",
-			"message": "%s"
-		}
-	]
-}`, test.buyErrorCode, test.buyErrorMessage)
-				}
-
-				purchaseServerPostCalled = true
-			default:
-				c.Fatalf("unexpected query %s %s", r.Method, r.URL.Path)
-			}
-		}))
-		c.Assert(mockServer, NotNil)
-		defer mockServer.Close()
-
-		mockServerURL, _ := url.Parse(mockServer.URL)
-		authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-		cfg := Config{
-			StoreBaseURL: mockServerURL,
-		}
-		sto := New(&cfg, authContext)
+func (s *storeTestSuite) TestSnapActionRefreshParallelInstall(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-		// Find the snap first
-		spec := SnapSpec{
-			Name:     "hello-world",
-			Channel:  "edge",
-			Revision: snap.R(0),
-		}
-		snap, err := sto.SnapInfo(spec, s.user)
-		c.Assert(snap, NotNil)
+		jsonReq, err := ioutil.ReadAll(r.Body)
 		c.Assert(err, IsNil)
-
-		buyOptions := &BuyOptions{
-			SnapID:   snap.SnapID,
-			Currency: sto.SuggestedCurrency(),
-			Price:    snap.Prices[sto.SuggestedCurrency()],
-		}
-		if test.snapID != "" {
-			buyOptions.SnapID = test.snapID
-		}
-		if test.currency != "" {
-			buyOptions.Currency = test.currency
-		}
-		if test.price > 0 {
-			buyOptions.Price = test.price
-		}
-		result, err := sto.Buy(buyOptions, s.user)
-
-		c.Check(result, DeepEquals, test.expectedResult)
-		if test.expectedError == "" {
-			c.Check(err, IsNil)
-		} else {
-			c.Assert(err, NotNil)
-			c.Check(err.Error(), Equals, test.expectedError)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
 		}
 
-		c.Check(searchServerCalled, Equals, true)
-		c.Check(purchaseServerGetCalled, Equals, true)
-		c.Check(purchaseServerPostCalled, Equals, true)
-	}
-}
-
-func (s *storeTestSuite) TestBuyFailArgumentChecking(c *C) {
-	sto := New(&Config{}, nil)
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-	// no snap ID
-	result, err := sto.Buy(&BuyOptions{
-		Price:    1.0,
-		Currency: "USD",
-	}, s.user)
-	c.Assert(result, IsNil)
-	c.Assert(err, NotNil)
-	c.Check(err.Error(), Equals, "cannot buy snap: snap ID missing")
+		c.Assert(req.Context, HasLen, 2)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Context[1], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldFooInstanceKeyWithSalt,
+			"revision":         float64(2),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldFooInstanceKeyWithSalt,
+			"snap-id":      helloWorldSnapID,
+			"channel":      "stable",
+		})
 
-	// no price
-	result, err = sto.Buy(&BuyOptions{
-		SnapID:   "snap ID",
-		Currency: "USD",
-	}, s.user)
-	c.Assert(result, IsNil)
-	c.Assert(err, NotNil)
-	c.Check(err.Error(), Equals, "cannot buy snap: invalid expected price")
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ:IDKVhLy-HUyfYGFKcsH4V-7FVG7hLGs4M5zsraZU5tk",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
 
-	// no currency
-	result, err = sto.Buy(&BuyOptions{
-		SnapID: "snap ID",
-		Price:  1.0,
-	}, s.user)
-	c.Assert(result, IsNil)
-	c.Assert(err, NotNil)
-	c.Check(err.Error(), Equals, "cannot buy snap: currency missing")
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	// no user
-	result, err = sto.Buy(&BuyOptions{
-		SnapID:   "snap ID",
-		Price:    1.0,
-		Currency: "USD",
-	}, nil)
-	c.Assert(result, IsNil)
-	c.Assert(err, NotNil)
-	c.Check(err.Error(), Equals, "you need to log in first")
-}
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-var readyToBuyTests = []struct {
-	Input      func(w http.ResponseWriter)
-	Test       func(c *C, err error)
-	NumOfCalls int
-}{
-	{
-		// A user account the is ready for buying
-		Input: func(w http.ResponseWriter) {
-			io.WriteString(w, `
-{
-  "latest_tos_date": "2016-09-14T00:00:00+00:00",
-  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
-  "latest_tos_accepted": true,
-  "has_payment_method": true
-}
-`)
-		},
-		Test: func(c *C, err error) {
-			c.Check(err, IsNil)
-		},
-		NumOfCalls: 1,
-	},
-	{
-		// A user account that hasn't accepted the TOS
-		Input: func(w http.ResponseWriter) {
-			io.WriteString(w, `
-{
-  "latest_tos_date": "2016-10-14T00:00:00+00:00",
-  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
-  "latest_tos_accepted": false,
-  "has_payment_method": true
-}
-`)
-		},
-		Test: func(c *C, err error) {
-			c.Assert(err, NotNil)
-			c.Check(err.Error(), Equals, "terms of service not accepted")
-		},
-		NumOfCalls: 1,
-	},
-	{
-		// A user account that has no payment method
-		Input: func(w http.ResponseWriter) {
-			io.WriteString(w, `
-{
-  "latest_tos_date": "2016-10-14T00:00:00+00:00",
-  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
-  "latest_tos_accepted": true,
-  "has_payment_method": false
-}
-`)
-		},
-		Test: func(c *C, err error) {
-			c.Assert(err, NotNil)
-			c.Check(err.Error(), Equals, "no payment methods")
-		},
-		NumOfCalls: 1,
-	},
-	{
-		// A user account that has no payment method and has not accepted the TOS
-		Input: func(w http.ResponseWriter) {
-			io.WriteString(w, `
-{
-  "latest_tos_date": "2016-10-14T00:00:00+00:00",
-  "accepted_tos_date": "2016-09-14T15:56:49+00:00",
-  "latest_tos_accepted": false,
-  "has_payment_method": false
-}
-`)
-		},
-		Test: func(c *C, err error) {
-			c.Assert(err, NotNil)
-			c.Check(err.Error(), Equals, "no payment methods")
-		},
-		NumOfCalls: 1,
-	},
-	{
-		// No user account exists
-		Input: func(w http.ResponseWriter) {
-			w.WriteHeader(404)
-			io.WriteString(w, "{}")
-		},
-		Test: func(c *C, err error) {
-			c.Assert(err, NotNil)
-			c.Check(err.Error(), Equals, "cannot get customer details: server says no account exists")
-		},
-		NumOfCalls: 1,
-	},
-	{
-		// An unknown set of errors occurs
-		Input: func(w http.ResponseWriter) {
-			w.WriteHeader(500)
-			io.WriteString(w, `
-{
-	"error_list": [
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
 		{
-			"code": "code 1",
-			"message": "message 1"
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		}, {
+			InstanceName:    "hello-world_foo",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(2),
+			RefreshedDate:   helloRefreshedDate,
 		},
+	}, []*store.SnapAction{
 		{
-			"code": "code 2",
-			"message": "message 2"
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			Channel:      "stable",
+			InstanceName: "hello-world_foo",
+		},
+	}, nil, &store.RefreshOptions{PrivacyKey: "123"})
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].SnapName(), Equals, "hello-world")
+	c.Assert(results[0].InstanceName(), Equals, "hello-world_foo")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
+}
+
+func (s *storeTestSuite) TestSnapActionRefreshStableInstanceKey(c *C) {
+	// salt "foo"
+	helloWorldFooInstanceKeyWithSaltFoo := helloWorldSnapID + ":CY2pHZ7nlQDuiO5DxIsdRttcqqBoD2ZCQiEtCJSdVcI"
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
 		}
-	]
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 2)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Context[1], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldFooInstanceKeyWithSaltFoo,
+			"revision":         float64(2),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldFooInstanceKeyWithSaltFoo,
+			"snap-id":      helloWorldSnapID,
+			"channel":      "stable",
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ:CY2pHZ7nlQDuiO5DxIsdRttcqqBoD2ZCQiEtCJSdVcI",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
 }`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	opts := &store.RefreshOptions{PrivacyKey: "foo"}
+	currentSnaps := []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		}, {
+			InstanceName:    "hello-world_foo",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(2),
+			RefreshedDate:   helloRefreshedDate,
 		},
-		Test: func(c *C, err error) {
-			c.Assert(err, NotNil)
-			c.Check(err.Error(), Equals, `message 1`)
+	}
+	action := []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			Channel:      "stable",
+			InstanceName: "hello-world_foo",
 		},
-		NumOfCalls: 5,
-	},
-}
+	}
+	results, err := sto.SnapAction(context.TODO(), currentSnaps, action, nil, opts)
+	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].SnapName(), Equals, "hello-world")
+	c.Assert(results[0].InstanceName(), Equals, "hello-world_foo")
+	c.Assert(results[0].Revision, Equals, snap.R(26))
 
-func (s *storeTestSuite) TestReadyToBuy(c *C) {
-	for _, test := range readyToBuyTests {
-		purchaseServerGetCalled := 0
-		mockPurchasesServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			assertRequest(c, r, "GET", customersMePath)
-			switch r.Method {
-			case "GET":
-				// check device authorization is set, implicitly checking doRequest was used
-				c.Check(r.Header.Get("X-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
-				c.Check(r.Header.Get("Authorization"), Equals, s.expectedAuthorization(c, s.user))
-				c.Check(r.Header.Get("Accept"), Equals, jsonContentType)
-				c.Check(r.URL.Path, Equals, customersMePath)
-				test.Input(w)
-				purchaseServerGetCalled++
-			default:
-				c.Error("Unexpected request method: ", r.Method)
-			}
-		}))
+	// another request with the same seed, gives same result
+	resultsAgain, err := sto.SnapAction(context.TODO(), currentSnaps, action, nil, opts)
+	c.Assert(err, IsNil)
+	c.Assert(resultsAgain, DeepEquals, results)
+}
 
-		c.Assert(mockPurchasesServer, NotNil)
-		defer mockPurchasesServer.Close()
+func (s *storeTestSuite) TestSnapActionRevisionNotAvailableParallelInstall(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-		mockServerURL, _ := url.Parse(mockPurchasesServer.URL)
-		authContext := &testAuthContext{c: c, device: s.device, user: s.user}
-		cfg := Config{
-			StoreBaseURL: mockServerURL,
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
 		}
-		sto := New(&cfg, authContext)
 
-		err := sto.ReadyToBuy(s.user)
-		test.Test(c, err)
-		c.Check(purchaseServerGetCalled, Equals, test.NumOfCalls)
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 2)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Context[1], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldFooInstanceKeyWithSalt,
+			"revision":         float64(2),
+			"tracking-channel": "edge",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 3)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+		})
+		c.Assert(req.Actions[1], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldFooInstanceKeyWithSalt,
+			"snap-id":      helloWorldSnapID,
+		})
+		c.Assert(req.Actions[2], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "other",
+			"channel":      "stable",
+			"epoch":        nil,
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "error",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "error": {
+       "code": "revision-not-found",
+       "message": "msg1"
+     }
+  }, {
+     "result": "error",
+     "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ:IDKVhLy-HUyfYGFKcsH4V-7FVG7hLGs4M5zsraZU5tk",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "error": {
+       "code": "revision-not-found",
+       "message": "msg2"
+     }
+  },  {
+     "result": "error",
+     "instance-key": "install-1",
+     "snap-id": "foo-id",
+     "name": "other",
+     "error": {
+       "code": "revision-not-found",
+       "message": "msg3"
+     }
+  }
+  ]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+		{
+			InstanceName:    "hello-world_foo",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "edge",
+			Revision:        snap.R(2),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			InstanceName: "hello-world",
+			SnapID:       helloWorldSnapID,
+		}, {
+			Action:       "refresh",
+			InstanceName: "hello-world_foo",
+			SnapID:       helloWorldSnapID,
+		}, {
+			Action:       "install",
+			InstanceName: "other_foo",
+			Channel:      "stable",
+		},
+	}, nil, &store.RefreshOptions{PrivacyKey: "123"})
+	c.Assert(results, HasLen, 0)
+	c.Check(err, DeepEquals, &store.SnapActionError{
+		Refresh: map[string]error{
+			"hello-world": &store.RevisionNotAvailableError{
+				Action:  "refresh",
+				Channel: "stable",
+			},
+			"hello-world_foo": &store.RevisionNotAvailableError{
+				Action:  "refresh",
+				Channel: "edge",
+			},
+		},
+		Install: map[string]error{
+			"other_foo": &store.RevisionNotAvailableError{
+				Action:  "install",
+				Channel: "stable",
+			},
+		},
+	})
 }
 
-func (s *storeTestSuite) TestDoRequestSetRangeHeaderOnRedirect(c *C) {
-	n := 0
+func (s *storeTestSuite) TestSnapActionInstallParallelInstall(c *C) {
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch n {
-		case 0:
-			http.Redirect(w, r, r.URL.Path+"-else", 302)
-			n++
-		case 1:
-			c.Check(r.URL.Path, Equals, "/somewhere-else")
-			rg := r.Header.Get("Range")
-			c.Check(rg, Equals, "bytes=5-")
-		default:
-			panic("got more than 2 requests in this test")
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
 		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "hello-world",
+			"channel":      "stable",
+			"epoch":        nil,
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "install",
+     "instance-key": "install-1",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 28,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
 	}))
 
 	c.Assert(mockServer, NotNil)
 	defer mockServer.Close()
 
-	url, err := url.Parse(mockServer.URL + "/somewhere")
-	c.Assert(err, IsNil)
-	reqOptions := &requestOptions{
-		Method: "GET",
-		URL:    url,
-		ExtraHeaders: map[string]string{
-			"Range": "bytes=5-",
-		},
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	sto := New(&Config{}, nil)
-	_, err = sto.doRequest(context.TODO(), sto.client, reqOptions, s.user)
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "install",
+			InstanceName: "hello-world_foo",
+			Channel:      "stable",
+		},
+	}, nil, nil)
 	c.Assert(err, IsNil)
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "hello-world_foo")
+	c.Assert(results[0].SnapName(), Equals, "hello-world")
+	c.Assert(results[0].Revision, Equals, snap.R(28))
+	c.Assert(results[0].Version, Equals, "6.1")
+	c.Assert(results[0].SnapID, Equals, helloWorldSnapID)
+	c.Assert(results[0].Deltas, HasLen, 0)
+	// effective-channel is not set
+	c.Assert(results[0].Channel, Equals, "")
 }
 
-type cacheObserver struct {
-	inCache map[string]bool
+func (s *storeTestSuite) TestSnapActionErrorsWhenNoInstanceName(c *C) {
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&store.Config{}, authContext)
 
-	gets []string
-	puts []string
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:  "install",
+			Channel: "stable",
+		},
+	}, nil, nil)
+	c.Assert(err, ErrorMatches, "internal error: action without instance name")
+	c.Assert(results, IsNil)
 }
 
-func (co *cacheObserver) Get(cacheKey, targetPath string) error {
-	co.gets = append(co.gets, fmt.Sprintf("%s:%s", cacheKey, targetPath))
-	if !co.inCache[cacheKey] {
-		return fmt.Errorf("cannot find %s in cache", cacheKey)
+func (s *storeTestSuite) TestSnapActionInstallUnexpectedInstallKey(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
+
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "hello-world",
+			"channel":      "stable",
+			"epoch":        nil,
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "install",
+     "instance-key": "foo-2",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 28,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
-	return nil
-}
-func (co *cacheObserver) Put(cacheKey, sourcePath string) error {
-	co.puts = append(co.puts, fmt.Sprintf("%s:%s", cacheKey, sourcePath))
-	return nil
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "install",
+			InstanceName: "hello-world_foo",
+			Channel:      "stable",
+		},
+	}, nil, nil)
+	c.Assert(err, ErrorMatches, `unexpected invalid install/refresh API result: unexpected instance-key "foo-2"`)
+	c.Assert(results, IsNil)
 }
 
-func (s *storeTestSuite) TestDownloadCacheHit(c *C) {
-	oldCache := s.store.cacher
-	defer func() { s.store.cacher = oldCache }()
-	obs := &cacheObserver{inCache: map[string]bool{"the-snaps-sha3_384": true}}
-	s.store.cacher = obs
+func (s *storeTestSuite) TestSnapActionRefreshUnexpectedInstanceKey(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
-		c.Fatalf("download should not be called when results come from the cache")
-		return nil
-	}
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
 
-	snap := &snap.Info{}
-	snap.Sha3_384 = "the-snaps-sha3_384"
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
 
-	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil)
-	c.Assert(err, IsNil)
+		c.Assert(req.Context, HasLen, 1)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "refresh",
+			"instance-key": helloWorldSnapID,
+			"snap-id":      helloWorldSnapID,
+			"channel":      "stable",
+		})
 
-	c.Check(obs.gets, DeepEquals, []string{fmt.Sprintf("%s:%s", snap.Sha3_384, path)})
-	c.Check(obs.puts, IsNil)
-}
+		io.WriteString(w, `{
+  "results": [{
+     "result": "refresh",
+     "instance-key": "foo-5",
+     "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+     "name": "hello-world",
+     "snap": {
+       "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ",
+       "name": "hello-world",
+       "revision": 26,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  }]
+}`)
+	}))
 
-func (s *storeTestSuite) TestDownloadCacheMiss(c *C) {
-	oldCache := s.store.cacher
-	defer func() { s.store.cacher = oldCache }()
-	obs := &cacheObserver{inCache: map[string]bool{}}
-	s.store.cacher = obs
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
 
-	downloadWasCalled := false
-	download = func(ctx context.Context, name, sha3, url string, user *auth.UserState, s *Store, w io.ReadWriteSeeker, resume int64, pbar progress.Meter) error {
-		downloadWasCalled = true
-		return nil
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
 	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
 
-	snap := &snap.Info{}
-	snap.Sha3_384 = "the-snaps-sha3_384"
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "refresh",
+			SnapID:       helloWorldSnapID,
+			Channel:      "stable",
+			InstanceName: "hello-world",
+		},
+	}, nil, nil)
+	c.Assert(err, ErrorMatches, `unexpected invalid install/refresh API result: unexpected refresh`)
+	c.Assert(results, IsNil)
+}
 
-	path := filepath.Join(c.MkDir(), "downloaded-file")
-	err := s.store.Download(context.TODO(), "foo", path, &snap.DownloadInfo, nil, nil)
-	c.Assert(err, IsNil)
-	c.Check(downloadWasCalled, Equals, true)
+func (s *storeTestSuite) TestSnapActionUnexpectedErrorKey(c *C) {
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assertRequest(c, r, "POST", snapActionPath)
+		// check device authorization is set, implicitly checking doRequest was used
+		c.Check(r.Header.Get("Snap-Device-Authorization"), Equals, `Macaroon root="device-macaroon"`)
 
-	c.Check(obs.gets, DeepEquals, []string{fmt.Sprintf("the-snaps-sha3_384:%s", path)})
-	c.Check(obs.puts, DeepEquals, []string{fmt.Sprintf("the-snaps-sha3_384:%s", path)})
+		jsonReq, err := ioutil.ReadAll(r.Body)
+		c.Assert(err, IsNil)
+		var req struct {
+			Context []map[string]interface{} `json:"context"`
+			Actions []map[string]interface{} `json:"actions"`
+		}
+
+		err = json.Unmarshal(jsonReq, &req)
+		c.Assert(err, IsNil)
+
+		c.Assert(req.Context, HasLen, 2)
+		c.Assert(req.Context[0], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldSnapID,
+			"revision":         float64(26),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Context[1], DeepEquals, map[string]interface{}{
+			"snap-id":          helloWorldSnapID,
+			"instance-key":     helloWorldFooInstanceKeyWithSalt,
+			"revision":         float64(2),
+			"tracking-channel": "stable",
+			"refreshed-date":   helloRefreshedDateStr,
+			"epoch":            iZeroEpoch,
+		})
+		c.Assert(req.Actions, HasLen, 1)
+		c.Assert(req.Actions[0], DeepEquals, map[string]interface{}{
+			"action":       "install",
+			"instance-key": "install-1",
+			"name":         "foo-2",
+			"epoch":        nil,
+		})
+
+		io.WriteString(w, `{
+  "results": [{
+     "result": "install",
+     "instance-key": "install-1",
+     "snap-id": "foo-2-id",
+     "name": "foo-2",
+     "snap": {
+       "snap-id": "foo-2-id",
+       "name": "foo-2",
+       "revision": 28,
+       "version": "6.1",
+       "publisher": {
+          "id": "canonical",
+          "username": "canonical",
+          "display-name": "Canonical"
+       }
+     }
+  },{
+      "error": {
+        "code": "duplicated-snap",
+         "message": "The Snap is present more than once in the request."
+      },
+      "instance-key": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ:IDKVhLy-HUyfYGFKcsH4V-7FVG7hLGs4M5zsraZU5tk",
+      "name": null,
+      "result": "error",
+      "snap": null,
+      "snap-id": "buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ"
+  }]
+}`)
+	}))
+
+	c.Assert(mockServer, NotNil)
+	defer mockServer.Close()
+
+	mockServerURL, _ := url.Parse(mockServer.URL)
+	cfg := store.Config{
+		StoreBaseURL: mockServerURL,
+	}
+	authContext := &testAuthContext{c: c, device: s.device}
+	sto := store.New(&cfg, authContext)
+
+	results, err := sto.SnapAction(context.TODO(), []*store.CurrentSnap{
+		{
+			InstanceName:    "hello-world",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(26),
+			RefreshedDate:   helloRefreshedDate,
+		}, {
+			InstanceName:    "hello-world_foo",
+			SnapID:          helloWorldSnapID,
+			TrackingChannel: "stable",
+			Revision:        snap.R(2),
+			RefreshedDate:   helloRefreshedDate,
+		},
+	}, []*store.SnapAction{
+		{
+			Action:       "install",
+			InstanceName: "foo-2",
+		},
+	}, nil, &store.RefreshOptions{PrivacyKey: "123"})
+	c.Assert(err, DeepEquals, &store.SnapActionError{
+		Other: []error{fmt.Errorf(`snap "hello-world_foo": The Snap is present more than once in the request.`)},
+	})
+	c.Assert(results, HasLen, 1)
+	c.Assert(results[0].InstanceName(), Equals, "foo-2")
+	c.Assert(results[0].SnapID, Equals, "foo-2-id")
 }
diff -Nru snapd-2.32.3.2~14.04/store/stringlist_test.go snapd-2.37~rc1~14.04/store/stringlist_test.go
--- snapd-2.32.3.2~14.04/store/stringlist_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/stringlist_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,41 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+// not using store_test as this is a very low level test
+package store
+
+import (
+	"encoding/json"
+
+	. "gopkg.in/check.v1"
+)
+
+type stringListSuite struct{}
+
+var _ = Suite(&stringListSuite{})
+
+func (s *stringListSuite) TestStringish(c *C) {
+	var x stringList
+
+	c.Check(json.Unmarshal([]byte(`"hello"`), &x), IsNil)
+	c.Check(x, DeepEquals, stringList([]string{"hello"}))
+
+	c.Check(json.Unmarshal([]byte(`["hello", "world"]`), &x), IsNil)
+	c.Check(x, DeepEquals, stringList([]string{"hello", "world"}))
+}
diff -Nru snapd-2.32.3.2~14.04/store/userinfo.go snapd-2.37~rc1~14.04/store/userinfo.go
--- snapd-2.32.3.2~14.04/store/userinfo.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/userinfo.go	2019-01-16 08:36:51.000000000 +0000
@@ -24,18 +24,10 @@
 	"fmt"
 	"net/http"
 	"net/url"
-	"time"
 
 	"github.com/snapcore/snapd/httputil"
 )
 
-var (
-	httpClient = httputil.NewHTTPClient(&httputil.ClientOpts{
-		Timeout:    10 * time.Second,
-		MayLogBody: true,
-	})
-)
-
 type keysReply struct {
 	Username         string   `json:"username"`
 	SSHKeys          []string `json:"ssh_keys"`
@@ -48,12 +40,12 @@
 	OpenIDIdentifier string
 }
 
-func UserInfo(email string) (userinfo *User, err error) {
+func (s *Store) UserInfo(email string) (userinfo *User, err error) {
 	var v keysReply
 	ssourl := fmt.Sprintf("%s/keys/%s", authURL(), url.QueryEscape(email))
 
 	resp, err := httputil.RetryRequest(ssourl, func() (*http.Response, error) {
-		return httpClient.Get(ssourl)
+		return s.client.Get(ssourl)
 	}, func(resp *http.Response) error {
 		if resp.StatusCode != 200 {
 			// we recheck the status
diff -Nru snapd-2.32.3.2~14.04/store/userinfo_test.go snapd-2.37~rc1~14.04/store/userinfo_test.go
--- snapd-2.32.3.2~14.04/store/userinfo_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/store/userinfo_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -17,7 +17,7 @@
  *
  */
 
-package store
+package store_test
 
 import (
 	"fmt"
@@ -30,12 +30,14 @@
 	"gopkg.in/retry.v1"
 
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/store"
 	"github.com/snapcore/snapd/testutil"
 )
 
 type userInfoSuite struct {
 	testutil.BaseTest
 
+	store         *store.Store
 	restoreLogger func()
 }
 
@@ -53,10 +55,18 @@
     "openid_identifier": "xDPXBdB"
 }`
 
+var mockServerNoSSHJSON = `{
+    "username": "mvo",
+    "openid_identifier": "xDPXBdB"
+}`
+
 func (t *userInfoSuite) SetUpTest(c *check.C) {
+	t.BaseTest.SetUpTest(c)
+
 	_, t.restoreLogger = logger.MockLogger()
+	t.store = store.New(nil, nil)
 
-	MockDefaultRetryStrategy(&t.BaseTest, retry.LimitCount(6, retry.LimitTime(1*time.Second,
+	store.MockDefaultRetryStrategy(&t.BaseTest, retry.LimitCount(6, retry.LimitTime(1*time.Second,
 		retry.Exponential{
 			Initial: 1 * time.Millisecond,
 			Factor:  1.1,
@@ -65,6 +75,8 @@
 }
 
 func (t *userInfoSuite) TearDownTest(c *check.C) {
+	t.BaseTest.TearDownTest(c)
+
 	t.restoreLogger()
 }
 
@@ -75,6 +87,31 @@
 	s.BaseTest.AddCleanup(func() { os.Unsetenv("SNAPPY_FORCE_SSO_URL") })
 }
 
+func (s *userInfoSuite) TestCreateUserNoSSHKeys(c *check.C) {
+	n := 0
+	s.redirectToTestSSO(func(w http.ResponseWriter, r *http.Request) {
+		switch n {
+		case 0, 1:
+			w.WriteHeader(500) // force retry of the request
+		case 2:
+			c.Check(r.Method, check.Equals, "GET")
+			c.Check(r.URL.Path, check.Equals, "/api/v2/keys/popper@lse.ac.uk")
+			fmt.Fprintln(w, mockServerNoSSHJSON)
+		default:
+			c.Fatalf("expected to get 1 requests, now on %d", n+1)
+		}
+
+		n++
+	})
+
+	info, err := s.store.UserInfo("popper@lse.ac.uk")
+	c.Assert(err, check.IsNil)
+	c.Assert(n, check.Equals, 3) // number of requests after retries
+	c.Check(info.Username, check.Equals, "mvo")
+	c.Check(info.OpenIDIdentifier, check.Equals, "xDPXBdB")
+	c.Check(info.SSHKeys, check.HasLen, 0)
+}
+
 func (s *userInfoSuite) TestCreateUser(c *check.C) {
 	n := 0
 	s.redirectToTestSSO(func(w http.ResponseWriter, r *http.Request) {
@@ -92,7 +129,7 @@
 		n++
 	})
 
-	info, err := UserInfo("popper@lse.ac.uk")
+	info, err := s.store.UserInfo("popper@lse.ac.uk")
 	c.Assert(err, check.IsNil)
 	c.Assert(n, check.Equals, 3) // number of requests after retries
 	c.Check(info.Username, check.Equals, "mvo")
@@ -108,7 +145,7 @@
 		n++
 	})
 
-	_, err := UserInfo("popper@lse.ac.uk")
+	_, err := s.store.UserInfo("popper@lse.ac.uk")
 	c.Assert(err, check.NotNil)
 	c.Assert(err, check.ErrorMatches, `cannot look up user.*?got unexpected HTTP status code 500.*`)
 	c.Assert(n, check.Equals, 6)
diff -Nru snapd-2.32.3.2~14.04/strutil/chrorder/main.go snapd-2.37~rc1~14.04/strutil/chrorder/main.go
--- snapd-2.32.3.2~14.04/strutil/chrorder/main.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/chrorder/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,74 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"regexp"
+)
+
+var (
+	matchDigit = regexp.MustCompile("[0-9]").Match
+	matchAlpha = regexp.MustCompile("[a-zA-Z]").Match
+)
+
+func chOrder(ch uint8) int {
+	// "~" is lower than everything else
+	if ch == '~' {
+		return -10
+	}
+	// empty is higher than "~" but lower than everything else
+	if ch == 0 {
+		return -5
+	}
+	if matchAlpha([]byte{ch}) {
+		return int(ch)
+	}
+
+	// can only happen if cmpString sets '0' because there is no fragment
+	if matchDigit([]byte{ch}) {
+		return 0
+	}
+
+	return int(ch) + 256
+}
+
+func main() {
+	var outFile string
+	var pkgName string
+	flag.StringVar(&outFile, "output", "-", "output file")
+	flag.StringVar(&pkgName, "package", "foo", "package name")
+	flag.Parse()
+
+	out := os.Stdout
+	if outFile != "" && outFile != "-" {
+		var err error
+		out, err = os.Create(outFile)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v", err)
+			os.Exit(1)
+		}
+		defer out.Close()
+	}
+
+	if pkgName == "" {
+		pkgName = "foo"
+	}
+
+	fmt.Fprintln(out, "// auto-generated, DO NOT EDIT!")
+	fmt.Fprintf(out, "package %v\n", pkgName)
+	fmt.Fprintf(out, "\n")
+	fmt.Fprintln(out, "var chOrder = [...]int{")
+	for i := 0; i < 16; i++ {
+		fmt.Fprintf(out, "\t")
+		for j := 0; j < 16; j++ {
+			if j != 0 {
+				fmt.Fprintf(out, " ")
+			}
+			fmt.Fprintf(out, "%d,", chOrder(uint8(i*16+j)))
+
+		}
+		fmt.Fprintf(out, "\n")
+	}
+	fmt.Fprintln(out, "}")
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/chrorder.go snapd-2.37~rc1~14.04/strutil/chrorder.go
--- snapd-2.32.3.2~14.04/strutil/chrorder.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/chrorder.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,21 @@
+// auto-generated, DO NOT EDIT!
+package strutil
+
+var chOrder = [...]int{
+	-5, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271,
+	272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287,
+	288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 314, 315, 316, 317, 318, 319,
+	320, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79,
+	80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 347, 348, 349, 350, 351,
+	352, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111,
+	112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 379, 380, 381, -10, 383,
+	384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399,
+	400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415,
+	416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431,
+	432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447,
+	448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463,
+	464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479,
+	480, 481, 482, 483, 484, 485, 486, 487, 488, 489, 490, 491, 492, 493, 494, 495,
+	496, 497, 498, 499, 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 511,
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/ctrl16.go snapd-2.37~rc1~14.04/strutil/ctrl16.go
--- snapd-2.32.3.2~14.04/strutil/ctrl16.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/ctrl16.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,51 @@
+// +build !go1.7
+
+package strutil
+
+// This is a generated file, editing would be silly.
+// Go edit github.com/chipaca/term/gen/merged_rangetable.go instead.
+
+import "unicode"
+
+// using golang.org/x/text/unicode/rangetable do
+// rangetable.Merge(unicode.Co, unicode.Cf, unicode.Cs, unicode.Noncharacter_Code_Point)
+// (we also care about unicode.Cc but that's handled by hand)
+// this makes the lookup in escape quite a bit faster (over 5×)
+var Ctrl = &unicode.RangeTable{
+	R16: []unicode.Range16{
+		{Lo: 0x00ad, Hi: 0x0600, Stride: 1363},
+		{Lo: 0x0601, Hi: 0x0605, Stride: 1},
+		{Lo: 0x061c, Hi: 0x06dd, Stride: 193},
+		{Lo: 0x070f, Hi: 0x180e, Stride: 4351},
+		{Lo: 0x200b, Hi: 0x200f, Stride: 1},
+		{Lo: 0x202a, Hi: 0x202e, Stride: 1},
+		{Lo: 0x2060, Hi: 0x2064, Stride: 1},
+		{Lo: 0x2066, Hi: 0x206f, Stride: 1},
+		{Lo: 0xd800, Hi: 0xf8ff, Stride: 1},
+		{Lo: 0xfdd0, Hi: 0xfdef, Stride: 1},
+		{Lo: 0xfeff, Hi: 0xfff9, Stride: 250},
+		{Lo: 0xfffa, Hi: 0xfffb, Stride: 1},
+		{Lo: 0xfffe, Hi: 0xffff, Stride: 1},
+	},
+	R32: []unicode.Range32{
+		{Lo: 0x110bd, Hi: 0x1bca0, Stride: 44003},
+		{Lo: 0x1bca1, Hi: 0x1bca3, Stride: 1},
+		{Lo: 0x1d173, Hi: 0x1d17a, Stride: 1},
+		{Lo: 0x1fffe, Hi: 0x1ffff, Stride: 1},
+		{Lo: 0x2fffe, Hi: 0x2ffff, Stride: 1},
+		{Lo: 0x3fffe, Hi: 0x3ffff, Stride: 1},
+		{Lo: 0x4fffe, Hi: 0x4ffff, Stride: 1},
+		{Lo: 0x5fffe, Hi: 0x5ffff, Stride: 1},
+		{Lo: 0x6fffe, Hi: 0x6ffff, Stride: 1},
+		{Lo: 0x7fffe, Hi: 0x7ffff, Stride: 1},
+		{Lo: 0x8fffe, Hi: 0x8ffff, Stride: 1},
+		{Lo: 0x9fffe, Hi: 0x9ffff, Stride: 1},
+		{Lo: 0xafffe, Hi: 0xaffff, Stride: 1},
+		{Lo: 0xbfffe, Hi: 0xbffff, Stride: 1},
+		{Lo: 0xcfffe, Hi: 0xcffff, Stride: 1},
+		{Lo: 0xdfffe, Hi: 0xdffff, Stride: 1},
+		{Lo: 0xe0001, Hi: 0xe0020, Stride: 31},
+		{Lo: 0xe0021, Hi: 0xe007f, Stride: 1},
+		{Lo: 0xefffe, Hi: 0x10ffff, Stride: 1},
+	},
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/ctrl17.go snapd-2.37~rc1~14.04/strutil/ctrl17.go
--- snapd-2.32.3.2~14.04/strutil/ctrl17.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/ctrl17.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+// +build go1.7
+
+package strutil
+
+// This is a generated file, editing would be silly.
+// Go edit github.com/chipaca/term/gen/merged_rangetable.go instead.
+
+import "unicode"
+
+// using golang.org/x/text/unicode/rangetable do
+// rangetable.Merge(unicode.Co, unicode.Cf, unicode.Cs, unicode.Noncharacter_Code_Point)
+// (we also care about unicode.Cc but that's handled by hand)
+// this makes the lookup in escape quite a bit faster (over 5×)
+var Ctrl = &unicode.RangeTable{
+	R16: []unicode.Range16{
+		{Lo: 0x00ad, Hi: 0x0600, Stride: 1363},
+		{Lo: 0x0601, Hi: 0x0605, Stride: 1},
+		{Lo: 0x061c, Hi: 0x06dd, Stride: 193},
+		{Lo: 0x070f, Hi: 0x08e2, Stride: 467},
+		{Lo: 0x180e, Hi: 0x200b, Stride: 2045},
+		{Lo: 0x200c, Hi: 0x200f, Stride: 1},
+		{Lo: 0x202a, Hi: 0x202e, Stride: 1},
+		{Lo: 0x2060, Hi: 0x2064, Stride: 1},
+		{Lo: 0x2066, Hi: 0x206f, Stride: 1},
+		{Lo: 0xd800, Hi: 0xf8ff, Stride: 1},
+		{Lo: 0xfdd0, Hi: 0xfdef, Stride: 1},
+		{Lo: 0xfeff, Hi: 0xfff9, Stride: 250},
+		{Lo: 0xfffa, Hi: 0xfffb, Stride: 1},
+		{Lo: 0xfffe, Hi: 0xffff, Stride: 1},
+	},
+	R32: []unicode.Range32{
+		{Lo: 0x110bd, Hi: 0x1bca0, Stride: 44003},
+		{Lo: 0x1bca1, Hi: 0x1bca3, Stride: 1},
+		{Lo: 0x1d173, Hi: 0x1d17a, Stride: 1},
+		{Lo: 0x1fffe, Hi: 0x1ffff, Stride: 1},
+		{Lo: 0x2fffe, Hi: 0x2ffff, Stride: 1},
+		{Lo: 0x3fffe, Hi: 0x3ffff, Stride: 1},
+		{Lo: 0x4fffe, Hi: 0x4ffff, Stride: 1},
+		{Lo: 0x5fffe, Hi: 0x5ffff, Stride: 1},
+		{Lo: 0x6fffe, Hi: 0x6ffff, Stride: 1},
+		{Lo: 0x7fffe, Hi: 0x7ffff, Stride: 1},
+		{Lo: 0x8fffe, Hi: 0x8ffff, Stride: 1},
+		{Lo: 0x9fffe, Hi: 0x9ffff, Stride: 1},
+		{Lo: 0xafffe, Hi: 0xaffff, Stride: 1},
+		{Lo: 0xbfffe, Hi: 0xbffff, Stride: 1},
+		{Lo: 0xcfffe, Hi: 0xcffff, Stride: 1},
+		{Lo: 0xdfffe, Hi: 0xdffff, Stride: 1},
+		{Lo: 0xe0001, Hi: 0xe0020, Stride: 31},
+		{Lo: 0xe0021, Hi: 0xe007f, Stride: 1},
+		{Lo: 0xefffe, Hi: 0x10ffff, Stride: 1},
+	},
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/map.go snapd-2.37~rc1~14.04/strutil/map.go
--- snapd-2.32.3.2~14.04/strutil/map.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/map.go	2019-01-16 08:36:51.000000000 +0000
@@ -109,6 +109,9 @@
 		if !ok || !good {
 			return fmt.Errorf("cannot read %q", item.Key)
 		}
+		if seen[k] {
+			return fmt.Errorf("found duplicate key %q", k)
+		}
 		seen[k] = true
 		keys[i] = k
 	}
diff -Nru snapd-2.32.3.2~14.04/strutil/map_test.go snapd-2.37~rc1~14.04/strutil/map_test.go
--- snapd-2.32.3.2~14.04/strutil/map_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/map_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -74,6 +74,17 @@
 	c.Check(om.Keys(), DeepEquals, []string{"k", "k2", "k0"})
 }
 
+func (s *orderedMapSuite) TestYamlDupe(c *C) {
+	yamlStr := []byte(`
+k: v
+k0: v0
+k: v
+`)
+	var om strutil.OrderedMap
+	err := yaml.Unmarshal(yamlStr, &om)
+	c.Assert(err, ErrorMatches, `found duplicate key "k"`)
+}
+
 func (s *orderedMapSuite) TestYamlErr(c *C) {
 	yamlStr := []byte(`
 k: 
diff -Nru snapd-2.32.3.2~14.04/strutil/matchcounter_benchmark_test.go snapd-2.37~rc1~14.04/strutil/matchcounter_benchmark_test.go
--- snapd-2.32.3.2~14.04/strutil/matchcounter_benchmark_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/matchcounter_benchmark_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strutil_test
+
+import (
+	"regexp"
+	"testing"
+
+	"github.com/snapcore/snapd/strutil"
+)
+
+func benchmarkMatchCounter(b *testing.B, wrx *regexp.Regexp, wn int) {
+	buf := []byte(out)
+	for n := 0; n < b.N; n++ {
+		for step := 1; step < 100; step++ {
+			w := &strutil.MatchCounter{Regexp: wrx, N: wn}
+			var i int
+			for i = 0; i+step < len(buf); i += step {
+				_, err := w.Write(buf[i : i+step])
+				if err != nil {
+					b.Fatalf("step:%d i:%d: %v", step, i, err)
+				}
+			}
+			_, err := w.Write(buf[i:])
+			if err != nil {
+				b.Fatalf("step:%d tail: %v", step, err)
+			}
+		}
+	}
+}
+
+func BenchmarkNil(b *testing.B)         { benchmarkMatchCounter(b, nil, 3) }
+func BenchmarkNilAll(b *testing.B)      { benchmarkMatchCounter(b, nil, -1) }
+func BenchmarkNilEquiv(b *testing.B)    { benchmarkMatchCounter(b, nilRegexpEquiv, 3) }
+func BenchmarkNilEquivAll(b *testing.B) { benchmarkMatchCounter(b, nilRegexpEquiv, -1) }
diff -Nru snapd-2.32.3.2~14.04/strutil/matchcounter.go snapd-2.37~rc1~14.04/strutil/matchcounter.go
--- snapd-2.32.3.2~14.04/strutil/matchcounter.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/matchcounter.go	2019-01-16 08:36:51.000000000 +0000
@@ -29,6 +29,8 @@
 //
 // It does not work with regexps that cross newlines; in fact it will
 // probably not work if the data written isn't line-orineted.
+//
+// If Regexp is not set (or nil), it matches whole non-empty lines.
 type MatchCounter struct {
 	// Regexp to use to find matches in the stream
 	Regexp *regexp.Regexp
@@ -37,34 +39,54 @@
 
 	count   int
 	matches []string
-	partial []byte
+	partial bytes.Buffer
 }
 
 func (w *MatchCounter) Write(p []byte) (int, error) {
 	n := len(p)
-	if len(w.partial) > 0 {
+	if w.partial.Len() > 0 {
 		idx := bytes.IndexByte(p, '\n')
 		if idx < 0 {
-			w.partial = append(w.partial, p...)
+			// no newline yet, carry on accumulating
+			w.partial.Write(p)
 			return n, nil
 		}
 		idx++
-		w.check(append(w.partial, p[:idx]...))
+		w.partial.Write(p[:idx])
+		w.check(w.partial.Bytes())
 		p = p[idx:]
-		w.partial = nil
 	}
+	w.partial.Reset()
 	idx := bytes.LastIndexByte(p, '\n')
 	if idx < 0 {
-		w.partial = p
+		w.partial.Write(p)
 		return n, nil
 	}
 	idx++
-	w.partial = p[idx:]
+	w.partial.Write(p[idx:])
 	w.check(p[:idx])
 	return n, nil
 }
 
 func (w *MatchCounter) check(p []byte) {
+	if w.Regexp == nil {
+		for {
+			idx := bytes.IndexByte(p, '\n')
+			if idx < 0 {
+				return
+			}
+			if idx == 0 {
+				// empty line
+				p = p[1:]
+				continue
+			}
+			if w.N < 0 || len(w.matches) < w.N {
+				w.matches = append(w.matches, string(p[:idx]))
+			}
+			w.count++
+			p = p[idx+1:]
+		}
+	}
 	matches := w.Regexp.FindAll(p, -1)
 	for _, match := range matches {
 		if w.N >= 0 && len(w.matches) >= w.N {
diff -Nru snapd-2.32.3.2~14.04/strutil/matchcounter_test.go snapd-2.37~rc1~14.04/strutil/matchcounter_test.go
--- snapd-2.32.3.2~14.04/strutil/matchcounter_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/matchcounter_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -79,6 +79,7 @@
 `
 
 var thisRegexp = regexp.MustCompile("(?m).*[Ff]ailed.*")
+var nilRegexpEquiv = regexp.MustCompile("(?m).+")
 
 func (mcSuite) TestMatchCounterFull(c *check.C) {
 	// check a single write
@@ -115,6 +116,34 @@
 	}
 }
 
+func (mcSuite) TestMatchCounterPartialsReusingBuffer(c *check.C) {
+	// now we know the whole thing matches expected, we check partials
+	buf := []byte(out)
+	expected := []string{
+		"Failed to write /tmp/1/modules/4.4.0-112-generic/modules.symbols, skipping",
+		"Write on output file failed because No space left on device",
+		"writer: failed to write data block 0",
+	}
+
+	for step := 1; step < 100; step++ {
+		wbuf := make([]byte, step)
+		w := &strutil.MatchCounter{Regexp: thisRegexp, N: 3}
+		var i int
+		for i = 0; i+step < len(buf); i += step {
+			copy(wbuf, buf[i:])
+			_, err := w.Write(wbuf)
+			c.Assert(err, check.IsNil, check.Commentf("step:%d i:%d", step, i))
+		}
+		wbuf = wbuf[:len(buf[i:])]
+		copy(wbuf, buf[i:])
+		_, err := w.Write(wbuf)
+		c.Assert(err, check.IsNil, check.Commentf("step:%d tail", step))
+		matches, count := w.Matches()
+		c.Assert(count, check.Equals, 19, check.Commentf("step:%d", step))
+		c.Assert(matches, check.DeepEquals, expected, check.Commentf("step:%d", step))
+	}
+}
+
 func (mcSuite) TestMatchCounterZero(c *check.C) {
 	w := &strutil.MatchCounter{Regexp: thisRegexp, N: 0}
 	_, err := w.Write([]byte(out))
@@ -135,3 +164,44 @@
 	c.Check(count, check.Equals, len(matches))
 	c.Assert(matches, check.DeepEquals, expected)
 }
+
+func (mcSuite) TestMatchCounterNilRegexpFull(c *check.C) {
+	expected := nilRegexpEquiv.FindAllString(out, -1)
+	w := &strutil.MatchCounter{N: -1}
+	_, err := w.Write([]byte(out))
+	c.Assert(err, check.IsNil)
+	matches, count := w.Matches()
+	c.Check(count, check.Equals, len(matches))
+	c.Check(len(matches), check.Equals, len(expected))
+	c.Assert(matches, check.DeepEquals, expected)
+}
+
+func (mcSuite) TestMatchCounterNilRegexpLimited(c *check.C) {
+	expected := nilRegexpEquiv.FindAllString(out, 10)
+	w := &strutil.MatchCounter{N: 10}
+	_, err := w.Write([]byte(out))
+	c.Assert(err, check.IsNil)
+	matches, count := w.Matches()
+	c.Check(count, check.Equals, 22)
+	c.Check(len(matches), check.Equals, len(expected))
+	c.Assert(matches, check.DeepEquals, expected)
+}
+
+func (mcSuite) TestMatchCounterNilRegexpPartials(c *check.C) {
+	expected := nilRegexpEquiv.FindAllString(out, 3)
+
+	buf := []byte(out)
+	for step := 1; step < 100; step++ {
+		w := &strutil.MatchCounter{N: 3}
+		var i int
+		for i = 0; i+step < len(buf); i += step {
+			_, err := w.Write(buf[i : i+step])
+			c.Assert(err, check.IsNil, check.Commentf("step:%d i:%d", step, i))
+		}
+		_, err := w.Write(buf[i:])
+		c.Assert(err, check.IsNil, check.Commentf("step:%d tail", step))
+		matches, count := w.Matches()
+		c.Check(count, check.Equals, 22, check.Commentf("step:%d", step))
+		c.Check(matches, check.DeepEquals, expected, check.Commentf("step:%d", step))
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/pathiter.go snapd-2.37~rc1~14.04/strutil/pathiter.go
--- snapd-2.32.3.2~14.04/strutil/pathiter.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/pathiter.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,138 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strutil
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+// PathIterator traverses through parts (directories and files) of some
+// path. The filesystem is never consulted, traversal is done purely in memory.
+//
+// The iterator is useful in implementing secure traversal of absolute paths
+// using the common idiom of opening the root directory followed by a chain of
+// openat calls.
+//
+// A simple example on how to use the iterator:
+// ```
+// iter:= NewPathIterator(path)
+// for iter.Next() {
+//    // Use iter.CurrentName() with openat(2) family of functions.
+//    // Use iter.CurrentPath() or iter.CurrentBase() for context.
+// }
+// ```
+type PathIterator struct {
+	path        string
+	left, right int
+	depth       int
+}
+
+// NewPathIterator returns an iterator for traversing the given path.
+// The path is passed through filepath.Clean automatically.
+func NewPathIterator(path string) (*PathIterator, error) {
+	cleanPath := filepath.Clean(path)
+	if cleanPath != path && cleanPath+"/" != path {
+		return nil, fmt.Errorf("cannot iterate over unclean path %q", path)
+	}
+	return &PathIterator{path: path}, nil
+}
+
+// Path returns the path being traversed.
+func (iter *PathIterator) Path() string {
+	return iter.path
+}
+
+// CurrentName returns the name of the current path element.
+// The return value may end with '/'. Use CleanName to avoid that.
+func (iter *PathIterator) CurrentName() string {
+	return iter.path[iter.left:iter.right]
+}
+
+// CurrentCleanName returns the same value as Name with right slash trimmed.
+func (iter *PathIterator) CurrentCleanName() string {
+	if iter.right > 0 && iter.path[iter.right-1:iter.right] == "/" {
+		return iter.path[iter.left : iter.right-1]
+	}
+	return iter.path[iter.left:iter.right]
+}
+
+// CurrentPath returns the prefix of path that was traversed, including the current name.
+func (iter *PathIterator) CurrentPath() string {
+	return iter.path[:iter.right]
+}
+
+// CurrentBase returns the prefix of the path that was traversed, excluding the current name.
+func (iter *PathIterator) CurrentBase() string {
+	return iter.path[:iter.left]
+}
+
+// Depth returns the directory depth of the current path.
+//
+// This is equal to the number of traversed directories, including that of the
+// root directory.
+func (iter *PathIterator) Depth() int {
+	return iter.depth
+}
+
+// Next advances the iterator to the next name, returning true if one is found.
+//
+// If this method returns false then no change is made and all helper methods
+// retain their previous return values.
+func (iter *PathIterator) Next() bool {
+	// Initial state
+	// P: "foo/bar"
+	// L:  ^
+	// R:  ^
+	//
+	// Next is called
+	// P: "foo/bar"
+	// L:  ^  |
+	// R:     ^
+	//
+	// Next is called
+	// P: "foo/bar"
+	// L:     ^   |
+	// R:         ^
+
+	// Next is called but returns false
+	// P: "foo/bar"
+	// L:     ^   |
+	// R:         ^
+	if iter.right >= len(iter.path) {
+		return false
+	}
+	iter.left = iter.right
+	if idx := strings.IndexRune(iter.path[iter.right:], '/'); idx != -1 {
+		iter.right += idx + 1
+	} else {
+		iter.right = len(iter.path)
+	}
+	iter.depth++
+	return true
+}
+
+// Rewind returns the iterator the the initial state, allowing the path to be traversed again.
+func (iter *PathIterator) Rewind() {
+	iter.left = 0
+	iter.right = 0
+	iter.depth = 0
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/pathiter_test.go snapd-2.37~rc1~14.04/strutil/pathiter_test.go
--- snapd-2.32.3.2~14.04/strutil/pathiter_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/pathiter_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,226 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strutil_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/strutil"
+)
+
+type pathIterSuite struct{}
+
+var _ = Suite(&pathIterSuite{})
+
+func (s *pathIterSuite) TestPathIteratorEmpty(c *C) {
+	iter, err := strutil.NewPathIterator("")
+	c.Assert(err, ErrorMatches, `cannot iterate over unclean path ""`)
+	c.Assert(iter, IsNil)
+}
+
+func (s *pathIterSuite) TestPathIteratorFilename(c *C) {
+	iter, err := strutil.NewPathIterator("foo")
+	c.Assert(err, IsNil)
+	c.Assert(iter.Path(), Equals, "foo")
+	c.Assert(iter.Depth(), Equals, 0)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "")
+	c.Assert(iter.CurrentPath(), Equals, "foo")
+	c.Assert(iter.CurrentName(), Equals, "foo")
+	c.Assert(iter.CurrentCleanName(), Equals, "foo")
+	c.Assert(iter.Depth(), Equals, 1)
+
+	c.Assert(iter.Next(), Equals, false)
+	c.Assert(iter.Depth(), Equals, 1)
+}
+
+func (s *pathIterSuite) TestPathIteratorRelative(c *C) {
+	iter, err := strutil.NewPathIterator("foo/bar")
+	c.Assert(err, IsNil)
+	c.Assert(iter.Path(), Equals, "foo/bar")
+	c.Assert(iter.Depth(), Equals, 0)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "")
+	c.Assert(iter.CurrentPath(), Equals, "foo/")
+	c.Assert(iter.CurrentName(), Equals, "foo/")
+	c.Assert(iter.CurrentCleanName(), Equals, "foo")
+	c.Assert(iter.Depth(), Equals, 1)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "foo/")
+	c.Assert(iter.CurrentPath(), Equals, "foo/bar")
+	c.Assert(iter.CurrentName(), Equals, "bar")
+	c.Assert(iter.CurrentCleanName(), Equals, "bar")
+	c.Assert(iter.Depth(), Equals, 2)
+
+	c.Assert(iter.Next(), Equals, false)
+	c.Assert(iter.Depth(), Equals, 2)
+}
+
+func (s *pathIterSuite) TestPathIteratorAbsoluteAlmostClean(c *C) {
+	iter, err := strutil.NewPathIterator("/foo/bar/")
+	c.Assert(err, IsNil)
+	c.Assert(iter.Path(), Equals, "/foo/bar/")
+	c.Assert(iter.Depth(), Equals, 0)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "")
+	c.Assert(iter.CurrentPath(), Equals, "/")
+	c.Assert(iter.CurrentName(), Equals, "/")
+	c.Assert(iter.CurrentCleanName(), Equals, "")
+	c.Assert(iter.Depth(), Equals, 1)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "/")
+	c.Assert(iter.CurrentPath(), Equals, "/foo/")
+	c.Assert(iter.CurrentName(), Equals, "foo/")
+	c.Assert(iter.CurrentCleanName(), Equals, "foo")
+	c.Assert(iter.Depth(), Equals, 2)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "/foo/")
+	c.Assert(iter.CurrentPath(), Equals, "/foo/bar/")
+	c.Assert(iter.CurrentName(), Equals, "bar/")
+	c.Assert(iter.CurrentCleanName(), Equals, "bar")
+	c.Assert(iter.Depth(), Equals, 3)
+
+	c.Assert(iter.Next(), Equals, false)
+	c.Assert(iter.Depth(), Equals, 3)
+}
+
+func (s *pathIterSuite) TestPathIteratorAbsoluteClean(c *C) {
+	iter, err := strutil.NewPathIterator("/foo/bar")
+	c.Assert(err, IsNil)
+	c.Assert(iter.Path(), Equals, "/foo/bar")
+	c.Assert(iter.Depth(), Equals, 0)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "")
+	c.Assert(iter.CurrentPath(), Equals, "/")
+	c.Assert(iter.CurrentName(), Equals, "/")
+	c.Assert(iter.CurrentCleanName(), Equals, "")
+	c.Assert(iter.Depth(), Equals, 1)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "/")
+	c.Assert(iter.CurrentPath(), Equals, "/foo/")
+	c.Assert(iter.CurrentName(), Equals, "foo/")
+	c.Assert(iter.CurrentCleanName(), Equals, "foo")
+	c.Assert(iter.Depth(), Equals, 2)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "/foo/")
+	c.Assert(iter.CurrentPath(), Equals, "/foo/bar")
+	c.Assert(iter.CurrentName(), Equals, "bar")
+	c.Assert(iter.CurrentCleanName(), Equals, "bar")
+	c.Assert(iter.Depth(), Equals, 3)
+
+	c.Assert(iter.Next(), Equals, false)
+	c.Assert(iter.Depth(), Equals, 3)
+}
+
+func (s *pathIterSuite) TestPathIteratorRootDir(c *C) {
+	iter, err := strutil.NewPathIterator("/")
+	c.Assert(err, IsNil)
+	c.Assert(iter.Path(), Equals, "/")
+	c.Assert(iter.Depth(), Equals, 0)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "")
+	c.Assert(iter.CurrentPath(), Equals, "/")
+	c.Assert(iter.CurrentName(), Equals, "/")
+	c.Assert(iter.CurrentCleanName(), Equals, "")
+	c.Assert(iter.Depth(), Equals, 1)
+
+	c.Assert(iter.Next(), Equals, false)
+	c.Assert(iter.Depth(), Equals, 1)
+}
+
+func (s *pathIterSuite) TestPathIteratorUncleanPath(c *C) {
+	iter, err := strutil.NewPathIterator("///some/../junk")
+	c.Assert(err, ErrorMatches, `cannot iterate over unclean path ".*"`)
+	c.Assert(iter, IsNil)
+}
+
+func (s *pathIterSuite) TestPathIteratorUnicode(c *C) {
+	iter, err := strutil.NewPathIterator("/zażółć/gęślą/jaźń")
+	c.Assert(err, IsNil)
+	c.Assert(iter.Path(), Equals, "/zażółć/gęślą/jaźń")
+	c.Assert(iter.Depth(), Equals, 0)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "")
+	c.Assert(iter.CurrentPath(), Equals, "/")
+	c.Assert(iter.CurrentName(), Equals, "/")
+	c.Assert(iter.CurrentCleanName(), Equals, "")
+	c.Assert(iter.Depth(), Equals, 1)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "/")
+	c.Assert(iter.CurrentPath(), Equals, "/zażółć/")
+	c.Assert(iter.CurrentName(), Equals, "zażółć/")
+	c.Assert(iter.CurrentCleanName(), Equals, "zażółć")
+	c.Assert(iter.Depth(), Equals, 2)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "/zażółć/")
+	c.Assert(iter.CurrentPath(), Equals, "/zażółć/gęślą/")
+	c.Assert(iter.CurrentName(), Equals, "gęślą/")
+	c.Assert(iter.CurrentCleanName(), Equals, "gęślą")
+	c.Assert(iter.Depth(), Equals, 3)
+
+	c.Assert(iter.Next(), Equals, true)
+	c.Assert(iter.CurrentBase(), Equals, "/zażółć/gęślą/")
+	c.Assert(iter.CurrentPath(), Equals, "/zażółć/gęślą/jaźń")
+	c.Assert(iter.CurrentName(), Equals, "jaźń")
+	c.Assert(iter.CurrentCleanName(), Equals, "jaźń")
+	c.Assert(iter.Depth(), Equals, 4)
+
+	c.Assert(iter.Next(), Equals, false)
+	c.Assert(iter.Depth(), Equals, 4)
+}
+
+func (s *pathIterSuite) TestPathIteratorRewind(c *C) {
+	iter, err := strutil.NewPathIterator("/foo/bar")
+	c.Assert(err, IsNil)
+	for i := 0; i < 2; i++ {
+		c.Assert(iter.Next(), Equals, true)
+		c.Assert(iter.Depth(), Equals, 1)
+		c.Assert(iter.CurrentPath(), Equals, "/")
+		c.Assert(iter.Next(), Equals, true)
+		c.Assert(iter.Depth(), Equals, 2)
+		c.Assert(iter.CurrentPath(), Equals, "/foo/")
+		iter.Rewind()
+	}
+}
+
+func (s *pathIterSuite) TestPathIteratorExample(c *C) {
+	iter, err := strutil.NewPathIterator("/some/path/there")
+	c.Assert(err, IsNil)
+	for iter.Next() {
+		_ = iter.CurrentBase()
+		_ = iter.CurrentPath()
+		_ = iter.CurrentName()
+		_ = iter.CurrentCleanName()
+		_ = iter.Depth()
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/shlex/shlex.go snapd-2.37~rc1~14.04/strutil/shlex/shlex.go
--- snapd-2.32.3.2~14.04/strutil/shlex/shlex.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/shlex/shlex.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,417 @@
+/*
+Copyright 2012 Google Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package shlex implements a simple lexer which splits input in to tokens using
+shell-style rules for quoting and commenting.
+
+The basic use case uses the default ASCII lexer to split a string into sub-strings:
+
+  shlex.Split("one \"two three\" four") -> []string{"one", "two three", "four"}
+
+To process a stream of strings:
+
+  l := NewLexer(os.Stdin)
+  for ; token, err := l.Next(); err != nil {
+  	// process token
+  }
+
+To access the raw token stream (which includes tokens for comments):
+
+  t := NewTokenizer(os.Stdin)
+  for ; token, err := t.Next(); err != nil {
+	// process token
+  }
+
+*/
+package shlex
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"strings"
+)
+
+// TokenType is a top-level token classification: A word, space, comment, unknown.
+type TokenType int
+
+// runeTokenClass is the type of a UTF-8 character classification: A quote, space, escape.
+type runeTokenClass int
+
+// the internal state used by the lexer state machine
+type lexerState int
+
+// Token is a (type, value) pair representing a lexographical token.
+type Token struct {
+	tokenType TokenType
+	value     string
+}
+
+// Equal reports whether tokens a, and b, are equal.
+// Two tokens are equal if both their types and values are equal. A nil token can
+// never be equal to another token.
+func (a *Token) Equal(b *Token) bool {
+	if a == nil || b == nil {
+		return false
+	}
+	if a.tokenType != b.tokenType {
+		return false
+	}
+	return a.value == b.value
+}
+
+// Named classes of UTF-8 runes
+const (
+	spaceRunes            = " \t\r\n"
+	escapingQuoteRunes    = `"`
+	nonEscapingQuoteRunes = "'"
+	escapeRunes           = `\`
+	commentRunes          = "#"
+)
+
+// Classes of rune token
+const (
+	unknownRuneClass runeTokenClass = iota
+	spaceRuneClass
+	escapingQuoteRuneClass
+	nonEscapingQuoteRuneClass
+	escapeRuneClass
+	commentRuneClass
+	eofRuneClass
+)
+
+// Classes of lexographic token
+const (
+	UnknownToken TokenType = iota
+	WordToken
+	SpaceToken
+	CommentToken
+)
+
+// Lexer state machine states
+const (
+	startState           lexerState = iota // no runes have been seen
+	inWordState                            // processing regular runes in a word
+	escapingState                          // we have just consumed an escape rune; the next rune is literal
+	escapingQuotedState                    // we have just consumed an escape rune within a quoted string
+	quotingEscapingState                   // we are within a quoted string that supports escaping ("...")
+	quotingState                           // we are within a string that does not support escaping ('...')
+	commentState                           // we are within a comment (everything following an unquoted or unescaped #
+)
+
+// tokenClassifier is used for classifying rune characters.
+type tokenClassifier map[rune]runeTokenClass
+
+func (typeMap tokenClassifier) addRuneClass(runes string, tokenType runeTokenClass) {
+	for _, runeChar := range runes {
+		typeMap[runeChar] = tokenType
+	}
+}
+
+// newDefaultClassifier creates a new classifier for ASCII characters.
+func newDefaultClassifier() tokenClassifier {
+	t := tokenClassifier{}
+	t.addRuneClass(spaceRunes, spaceRuneClass)
+	t.addRuneClass(escapingQuoteRunes, escapingQuoteRuneClass)
+	t.addRuneClass(nonEscapingQuoteRunes, nonEscapingQuoteRuneClass)
+	t.addRuneClass(escapeRunes, escapeRuneClass)
+	t.addRuneClass(commentRunes, commentRuneClass)
+	return t
+}
+
+// ClassifyRune classifiees a rune
+func (t tokenClassifier) ClassifyRune(runeVal rune) runeTokenClass {
+	return t[runeVal]
+}
+
+// Lexer turns an input stream into a sequence of tokens. Whitespace and comments are skipped.
+type Lexer Tokenizer
+
+// NewLexer creates a new lexer from an input stream.
+func NewLexer(r io.Reader) *Lexer {
+
+	return (*Lexer)(NewTokenizer(r))
+}
+
+// Next returns the next word, or an error. If there are no more words,
+// the error will be io.EOF.
+func (l *Lexer) Next() (string, error) {
+	for {
+		token, err := (*Tokenizer)(l).Next()
+		if err != nil {
+			return "", err
+		}
+		switch token.tokenType {
+		case WordToken:
+			return token.value, nil
+		case CommentToken:
+			// skip comments
+		default:
+			return "", fmt.Errorf("Unknown token type: %v", token.tokenType)
+		}
+	}
+}
+
+// Tokenizer turns an input stream into a sequence of typed tokens
+type Tokenizer struct {
+	input      bufio.Reader
+	classifier tokenClassifier
+}
+
+// NewTokenizer creates a new tokenizer from an input stream.
+func NewTokenizer(r io.Reader) *Tokenizer {
+	input := bufio.NewReader(r)
+	classifier := newDefaultClassifier()
+	return &Tokenizer{
+		input:      *input,
+		classifier: classifier}
+}
+
+// scanStream scans the stream for the next token using the internal state machine.
+// It will panic if it encounters a rune which it does not know how to handle.
+func (t *Tokenizer) scanStream() (*Token, error) {
+	state := startState
+	var tokenType TokenType
+	var value []rune
+	var nextRune rune
+	var nextRuneType runeTokenClass
+	var err error
+
+	for {
+		nextRune, _, err = t.input.ReadRune()
+		nextRuneType = t.classifier.ClassifyRune(nextRune)
+
+		if err == io.EOF {
+			nextRuneType = eofRuneClass
+			err = nil
+		} else if err != nil {
+			return nil, err
+		}
+
+		switch state {
+		case startState: // no runes read yet
+			{
+				switch nextRuneType {
+				case eofRuneClass:
+					{
+						return nil, io.EOF
+					}
+				case spaceRuneClass:
+					{
+					}
+				case escapingQuoteRuneClass:
+					{
+						tokenType = WordToken
+						state = quotingEscapingState
+					}
+				case nonEscapingQuoteRuneClass:
+					{
+						tokenType = WordToken
+						state = quotingState
+					}
+				case escapeRuneClass:
+					{
+						tokenType = WordToken
+						state = escapingState
+					}
+				case commentRuneClass:
+					{
+						tokenType = CommentToken
+						state = commentState
+					}
+				default:
+					{
+						tokenType = WordToken
+						value = append(value, nextRune)
+						state = inWordState
+					}
+				}
+			}
+		case inWordState: // in a regular word
+			{
+				switch nextRuneType {
+				case eofRuneClass:
+					{
+						token := &Token{
+							tokenType: tokenType,
+							value:     string(value)}
+						return token, err
+					}
+				case spaceRuneClass:
+					{
+						t.input.UnreadRune()
+						token := &Token{
+							tokenType: tokenType,
+							value:     string(value)}
+						return token, err
+					}
+				case escapingQuoteRuneClass:
+					{
+						state = quotingEscapingState
+					}
+				case nonEscapingQuoteRuneClass:
+					{
+						state = quotingState
+					}
+				case escapeRuneClass:
+					{
+						state = escapingState
+					}
+				default:
+					{
+						value = append(value, nextRune)
+					}
+				}
+			}
+		case escapingState: // the rune after an escape character
+			{
+				switch nextRuneType {
+				case eofRuneClass:
+					{
+						err = fmt.Errorf("EOF found after escape character")
+						token := &Token{
+							tokenType: tokenType,
+							value:     string(value)}
+						return token, err
+					}
+				default:
+					{
+						state = inWordState
+						value = append(value, nextRune)
+					}
+				}
+			}
+		case escapingQuotedState: // the next rune after an escape character, in double quotes
+			{
+				switch nextRuneType {
+				case eofRuneClass:
+					{
+						err = fmt.Errorf("EOF found after escape character")
+						token := &Token{
+							tokenType: tokenType,
+							value:     string(value)}
+						return token, err
+					}
+				default:
+					{
+						state = quotingEscapingState
+						value = append(value, nextRune)
+					}
+				}
+			}
+		case quotingEscapingState: // in escaping double quotes
+			{
+				switch nextRuneType {
+				case eofRuneClass:
+					{
+						err = fmt.Errorf("EOF found when expecting closing quote")
+						token := &Token{
+							tokenType: tokenType,
+							value:     string(value)}
+						return token, err
+					}
+				case escapingQuoteRuneClass:
+					{
+						state = inWordState
+					}
+				case escapeRuneClass:
+					{
+						state = escapingQuotedState
+					}
+				default:
+					{
+						value = append(value, nextRune)
+					}
+				}
+			}
+		case quotingState: // in non-escaping single quotes
+			{
+				switch nextRuneType {
+				case eofRuneClass:
+					{
+						err = fmt.Errorf("EOF found when expecting closing quote")
+						token := &Token{
+							tokenType: tokenType,
+							value:     string(value)}
+						return token, err
+					}
+				case nonEscapingQuoteRuneClass:
+					{
+						state = inWordState
+					}
+				default:
+					{
+						value = append(value, nextRune)
+					}
+				}
+			}
+		case commentState: // in a comment
+			{
+				switch nextRuneType {
+				case eofRuneClass:
+					{
+						token := &Token{
+							tokenType: tokenType,
+							value:     string(value)}
+						return token, err
+					}
+				case spaceRuneClass:
+					{
+						if nextRune == '\n' {
+							state = startState
+							token := &Token{
+								tokenType: tokenType,
+								value:     string(value)}
+							return token, err
+						} else {
+							value = append(value, nextRune)
+						}
+					}
+				default:
+					{
+						value = append(value, nextRune)
+					}
+				}
+			}
+		default:
+			{
+				return nil, fmt.Errorf("Unexpected state: %v", state)
+			}
+		}
+	}
+}
+
+// Next returns the next token in the stream.
+func (t *Tokenizer) Next() (*Token, error) {
+	return t.scanStream()
+}
+
+// Split partitions a string into a slice of strings.
+func Split(s string) ([]string, error) {
+	l := NewLexer(strings.NewReader(s))
+	subStrings := make([]string, 0)
+	for {
+		word, err := l.Next()
+		if err != nil {
+			if err == io.EOF {
+				return subStrings, nil
+			}
+			return subStrings, err
+		}
+		subStrings = append(subStrings, word)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/shlex/shlex_test.go snapd-2.37~rc1~14.04/strutil/shlex/shlex_test.go
--- snapd-2.32.3.2~14.04/strutil/shlex/shlex_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/shlex/shlex_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,155 @@
+/*
+Copyright 2012 Google Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package shlex
+
+import (
+	"errors"
+	"strings"
+	"testing"
+)
+
+var (
+	// one two "three four" "five \"six\"" seven#eight # nine # ten
+	// eleven 'twelve\'
+	testString = "\\one two \"three four\" \"five \\\"six\\\"\" seven#eight # nine # ten\n eleven 'twelve\\' thirteen=13 fourteen/14"
+)
+
+func TestClassifier(t *testing.T) {
+	classifier := newDefaultClassifier()
+	tests := map[rune]runeTokenClass{
+		' ':  spaceRuneClass,
+		'"':  escapingQuoteRuneClass,
+		'\'': nonEscapingQuoteRuneClass,
+		'#':  commentRuneClass}
+	for runeChar, want := range tests {
+		got := classifier.ClassifyRune(runeChar)
+		if got != want {
+			t.Errorf("ClassifyRune(%v) -> %v. Want: %v", runeChar, got, want)
+		}
+	}
+}
+
+func TestTokenizer(t *testing.T) {
+	testInput := strings.NewReader(testString)
+	expectedTokens := []*Token{
+		{WordToken, "one"},
+		{WordToken, "two"},
+		{WordToken, "three four"},
+		{WordToken, "five \"six\""},
+		{WordToken, "seven#eight"},
+		{CommentToken, " nine # ten"},
+		{WordToken, "eleven"},
+		{WordToken, "twelve\\"},
+		{WordToken, "thirteen=13"},
+		{WordToken, "fourteen/14"}}
+
+	tokenizer := NewTokenizer(testInput)
+	for i, want := range expectedTokens {
+		got, err := tokenizer.Next()
+		if err != nil {
+			t.Error(err)
+		}
+		if !got.Equal(want) {
+			t.Errorf("Tokenizer.Next()[%v] of %q -> %v. Want: %v", i, testString, got, want)
+		}
+	}
+}
+
+func TestLexer(t *testing.T) {
+	testInput := strings.NewReader(testString)
+	expectedStrings := []string{"one", "two", "three four", "five \"six\"", "seven#eight", "eleven", "twelve\\", "thirteen=13", "fourteen/14"}
+
+	lexer := NewLexer(testInput)
+	for i, want := range expectedStrings {
+		got, err := lexer.Next()
+		if err != nil {
+			t.Error(err)
+		}
+		if got != want {
+			t.Errorf("Lexer.Next()[%v] of %q -> %v. Want: %v", i, testString, got, want)
+		}
+	}
+}
+
+func TestSplit(t *testing.T) {
+	want := []string{"one", "two", "three four", "five \"six\"", "seven#eight", "eleven", "twelve\\", "thirteen=13", "fourteen/14"}
+	got, err := Split(testString)
+	if err != nil {
+		t.Error(err)
+	}
+	if len(want) != len(got) {
+		t.Errorf("Split(%q) -> %v. Want: %v", testString, got, want)
+	}
+	for i := range got {
+		if got[i] != want[i] {
+			t.Errorf("Split(%q)[%v] -> %v. Want: %v", testString, i, got[i], want[i])
+		}
+	}
+}
+
+func TestEOFAfterEscape(t *testing.T) {
+	_, err := Split(testString + "\\")
+	if err == nil {
+		t.Error(err)
+	}
+}
+
+func TestEOFInQuotingEscape(t *testing.T) {
+	_, err := Split(`foo"`)
+	if err == nil {
+		t.Error(err)
+	}
+
+	_, err = Split(`foo'`)
+	if err == nil {
+		t.Error(err)
+	}
+
+	_, err = Split(`"foo\`)
+	if err == nil {
+		t.Error(err)
+	}
+}
+
+func TestEOFInComment(t *testing.T) {
+	got, err := Split("#")
+	if err != nil {
+		t.Error(err)
+	}
+	if len(got) > 1 {
+		t.Errorf("Split(%q) -> %v", testString, got)
+	}
+}
+
+type nastyReader struct{}
+
+var nastyReaderErr = errors.New("foo")
+
+func (*nastyReader) Read(_ []byte) (int, error) {
+	return 0, nastyReaderErr
+}
+
+func TestNastyReader(t *testing.T) {
+	l := NewLexer(&nastyReader{})
+	_, err := l.Next()
+	if err == nil {
+		t.Errorf("expected an error, got nil instead")
+	}
+	if err != nastyReaderErr {
+		t.Errorf("unexpected error")
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/strutil.go snapd-2.37~rc1~14.04/strutil/strutil.go
--- snapd-2.32.3.2~14.04/strutil/strutil.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/strutil.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,13 +20,14 @@
 package strutil
 
 import (
-	"bytes"
 	"fmt"
 	"math/rand"
 	"sort"
 	"strconv"
 	"strings"
 	"time"
+	"unicode"
+	"unicode/utf8"
 )
 
 func init() {
@@ -72,41 +73,6 @@
 	return strings.Join(quoted, ", ")
 }
 
-// WordWrap takes a input string and word wraps after `n` chars
-// into a new slice.
-//
-// Caveats:
-// - If a single word that is biger than max will not get wrapped
-// - Extra whitespace will be removed
-func WordWrap(s string, max int) []string {
-	n := 0
-
-	var out []string
-	line := bytes.NewBuffer(nil)
-	// FIXME: we want to be smarter here. to quote Gustavo: "The
-	// logic here is corrupting the spacing of the original line,
-	// which means indentation and tabling will be gone. A better
-	// approach would be finding the break point and then using
-	// the original content instead of rewriting it."
-	for _, word := range strings.Fields(s) {
-		if n+len(word) > max && n > 0 {
-			out = append(out, line.String())
-			line.Truncate(0)
-			n = 0
-		} else if n > 0 {
-			fmt.Fprintf(line, " ")
-			n += 1
-		}
-		fmt.Fprintf(line, word)
-		n += len(word)
-	}
-	if line.Len() > 0 {
-		out = append(out, line.String())
-	}
-
-	return out
-}
-
 // ListContains determines whether the given string is contained in the
 // given list of strings.
 func ListContains(list []string, str string) bool {
@@ -147,3 +113,88 @@
 	}
 	return data
 }
+
+// splitUnit takes a string of the form "123unit" and splits
+// it into the number and non-number parts (123,"unit").
+func splitUnit(inp string) (number int64, unit string, err error) {
+	// go after the number first, break on first non-digit
+	var nonDigit int
+	for i, c := range inp {
+		if !unicode.IsDigit(c) {
+			number, err = strconv.ParseInt(inp[0:i], 10, 64)
+			if err != nil {
+				return 0, "", err
+			}
+			nonDigit = i
+			break
+		}
+	}
+	if nonDigit == 0 {
+		return 0, "", fmt.Errorf("need a number with a unit as input")
+	}
+
+	return number, inp[nonDigit:], nil
+}
+
+// ParseByteSize parses a value like 500kB and returns the number
+// in bytes. The case of the unit will be ignored for user convenience.
+func ParseByteSize(inp string) (int64, error) {
+	unitMultiplier := map[string]int64{
+		"B": 1,
+		// strictly speaking this is "kB" but we ignore cases
+		"KB": 1000,
+		"MB": 1000 * 1000,
+		"GB": 1000 * 1000 * 1000,
+		"TB": 1000 * 1000 * 1000 * 1000,
+		"PB": 1000 * 1000 * 1000 * 1000 * 1000,
+		"EB": 1000 * 1000 * 1000 * 1000 * 1000 * 1000,
+	}
+
+	errPrefix := fmt.Sprintf("cannot parse %q: ", inp)
+
+	val, unit, err := splitUnit(inp)
+	if err != nil {
+		return 0, fmt.Errorf(errPrefix+"%s", err)
+	}
+	if unit == "" {
+		return 0, fmt.Errorf(errPrefix + "need a number with a unit as input")
+	}
+
+	mul, ok := unitMultiplier[strings.ToUpper(unit)]
+	if !ok {
+		return 0, fmt.Errorf(errPrefix + "try 'kB' or 'MB'")
+	}
+
+	return val * mul, nil
+}
+
+// CommaSeparatedList takes a comman-separated series of identifiers,
+// and returns a slice of the space-trimmed identifiers, without empty
+// entries.
+// So " foo ,, bar,baz" -> {"foo", "bar", "baz"}
+func CommaSeparatedList(str string) []string {
+	fields := strings.FieldsFunc(str, func(r rune) bool { return r == ',' })
+	filtered := fields[:0]
+	for _, field := range fields {
+		field = strings.TrimSpace(field)
+		if field != "" {
+			filtered = append(filtered, field)
+		}
+	}
+	return filtered
+}
+
+// ElliptRight returns a string that is at most n runes long,
+// replacing the last rune with an ellipsis if necessary. If N is less
+// than 1 it's treated as a 1.
+func ElliptRight(str string, n int) string {
+	if n < 1 {
+		n = 1
+	}
+	if utf8.RuneCountInString(str) <= n {
+		return str
+	}
+
+	// this is expensive; look into a cheaper way maybe sometime
+	return string([]rune(str)[:n-1]) + "…"
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/strutil_test.go snapd-2.37~rc1~14.04/strutil/strutil_test.go
--- snapd-2.32.3.2~14.04/strutil/strutil_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/strutil_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -83,26 +83,6 @@
 	}
 }
 
-func (ts *strutilSuite) TestWordWrap(c *check.C) {
-	for _, t := range []struct {
-		in  string
-		out []string
-		n   int
-	}{
-		// pathological
-		{"12345", []string{"12345"}, 3},
-		{"123 456789", []string{"123", "456789"}, 3},
-		// valid
-		{"abc def ghi", []string{"abc", "def", "ghi"}, 3},
-		{"a b c d e f", []string{"a b", "c d", "e f"}, 3},
-		{"ab cd ef", []string{"ab cd", "ef"}, 5},
-		// intentional (but slightly strange)
-		{"ab            cd", []string{"ab", "cd"}, 2},
-	} {
-		c.Check(strutil.WordWrap(t.in, t.n), check.DeepEquals, t.out)
-	}
-}
-
 func (ts *strutilSuite) TestListContains(c *check.C) {
 	for _, xs := range [][]string{
 		{},
@@ -157,3 +137,88 @@
 	out = strutil.TruncateOutput(data, 0, 0)
 	c.Assert(out, check.HasLen, 0)
 }
+
+func (ts *strutilSuite) TestParseByteSizeHappy(c *check.C) {
+	for _, t := range []struct {
+		str      string
+		expected int64
+	}{
+		{"0B", 0},
+		{"1B", 1},
+		{"400B", 400},
+		{"1kB", 1000},
+		// note the upper-case
+		{"1KB", 1000},
+		{"900kB", 900 * 1000},
+		{"1MB", 1000 * 1000},
+		{"20MB", 20 * 1000 * 1000},
+		{"1GB", 1000 * 1000 * 1000},
+		{"31GB", 31 * 1000 * 1000 * 1000},
+		{"4TB", 4 * 1000 * 1000 * 1000 * 1000},
+		{"6PB", 6 * 1000 * 1000 * 1000 * 1000 * 1000},
+		{"8EB", 8 * 1000 * 1000 * 1000 * 1000 * 1000 * 1000},
+	} {
+		val, err := strutil.ParseByteSize(t.str)
+		c.Check(err, check.IsNil)
+		c.Check(val, check.Equals, t.expected, check.Commentf("incorrect result for input %q", t.str))
+	}
+}
+
+func (ts *strutilSuite) TestParseByteSizeUnhappy(c *check.C) {
+	for _, t := range []struct {
+		str    string
+		errStr string
+	}{
+		{"", `cannot parse "": need a number with a unit as input`},
+		{"1", `cannot parse "1": need a number with a unit as input`},
+		{"11", `cannot parse "11": need a number with a unit as input`},
+		{"400x", `cannot parse "400x": try 'kB' or 'MB'`},
+		{"400xx", `cannot parse "400xx": try 'kB' or 'MB'`},
+		{"1k", `cannot parse "1k": try 'kB' or 'MB'`},
+		{"200KiB", `cannot parse "200KiB": try 'kB' or 'MB'`},
+	} {
+		_, err := strutil.ParseByteSize(t.str)
+		c.Check(err, check.ErrorMatches, t.errStr, check.Commentf("incorrect error for %q", t.str))
+	}
+}
+
+func (strutilSuite) TestCommaSeparatedList(c *check.C) {
+	table := []struct {
+		in  string
+		out []string
+	}{
+		{"", []string{}},
+		{",", []string{}},
+		{"foo,bar", []string{"foo", "bar"}},
+		{"foo , bar", []string{"foo", "bar"}},
+		{"foo ,, bar", []string{"foo", "bar"}},
+		{" foo ,, bar,baz", []string{"foo", "bar", "baz"}},
+		{" foo bar ,,,baz", []string{"foo bar", "baz"}},
+	}
+
+	for _, test := range table {
+		c.Check(strutil.CommaSeparatedList(test.in), check.DeepEquals, test.out, check.Commentf("%q", test.in))
+	}
+}
+
+func (strutilSuite) TestElliptRight(c *check.C) {
+	type T struct {
+		in  string
+		n   int
+		out string
+	}
+	for _, t := range []T{
+		{"", 10, ""},
+		{"", -1, ""},
+		{"hello", 10, "hello"},
+		{"hello", 5, "hello"},
+		{"hello", 3, "he…"},
+		{"hello", 0, "…"},
+		{"héllo", 4, "hé…"},
+		{"héllo", 3, "he…"},
+		{"he🐧lo", 4, "he🐧…"},
+		{"he🐧lo", 3, "he…"},
+	} {
+		c.Check(strutil.ElliptRight(t.in, t.n), check.Equals, t.out, check.Commentf("%q[:%d] -> %q", t.in, t.n, t.out))
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/version_benchmark_test.go snapd-2.37~rc1~14.04/strutil/version_benchmark_test.go
--- snapd-2.32.3.2~14.04/strutil/version_benchmark_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/version_benchmark_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,111 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2014-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package strutil_test
+
+import (
+	"testing"
+
+	"github.com/snapcore/snapd/strutil"
+)
+
+var versions = []string{
+	"~",
+	"",
+	"0",
+	"00",
+	"009",
+	"009ab5",
+	"0.10.0",
+	"0.2",
+	"0.4",
+	"0.4-1",
+	"0.4a6",
+	"0.4a6-2",
+	"0.5.0~git",
+	"0.5.0~git2",
+	"0.8.7",
+	"0-pre",
+	"0pre",
+	"0-pree",
+	"0pree",
+	"1.0~",
+	"1.0",
+	"1.0-0~",
+	"1.0-0",
+	"1.00",
+	"1.002-1+b2",
+	"1.0-0+b1",
+	"1.0-1",
+	"1.0-1.1",
+	"1.0-2",
+	"1.1.6r-1",
+	"1.1.6r2-2",
+	"1.18.36:5.4",
+	"1.18.36:5.5",
+	"1.18.37:1.1",
+	"1.2.2.2",
+	"1.2.24",
+	"1.2.3",
+	"1.2.3-0",
+	"1.2.3-1",
+	"1.2.4",
+	"1.2a+~",
+	"1.2a++",
+	"1.2a+~bCd3",
+	"1.3",
+	"1.3.1",
+	"1.3.2",
+	"1.3.2a",
+	"1.4+OOo3.0.0~",
+	"1.4+OOo3.0.0-4",
+	"2.0",
+	"2.0.7pre1",
+	"2.0.7r",
+	"21",
+	"2.3",
+	"2.4.7-1",
+	"2.4.7-z",
+	"2.6b-2",
+	"2.6b2-1",
+	"2a",
+	"3.0-1",
+	"3.0~rc1-1",
+	"3~10",
+	"3.10.2",
+	"3.2",
+	"3a9.8",
+	"4.4.3-2",
+	"5.005",
+	"5.10.0",
+	"7.2",
+	"7.2p2",
+	"9",
+	"9ab5",
+}
+
+func BenchmarkVersionCompare(b *testing.B) {
+	for n := 0; n < b.N; n++ {
+		for i := range versions {
+			for j := range versions {
+				strutil.VersionCompare(versions[i], versions[j])
+			}
+		}
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/strutil/version.go snapd-2.37~rc1~14.04/strutil/version.go
--- snapd-2.32.3.2~14.04/strutil/version.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/version.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,26 +21,9 @@
 
 import (
 	"fmt"
-	"regexp"
-	"strconv"
 	"strings"
 )
 
-const (
-	reDigit           = "[0-9]"
-	reAlpha           = "[a-zA-Z]"
-	reDigitOrNonDigit = "[0-9]+|[^0-9]+"
-
-	reHasEpoch = "^[0-9]+:"
-)
-
-var (
-	matchDigit = regexp.MustCompile(reDigit).Match
-	matchAlpha = regexp.MustCompile(reAlpha).Match
-	findFrags  = regexp.MustCompile(reDigitOrNonDigit).FindAllString
-	matchEpoch = regexp.MustCompile(reHasEpoch).MatchString
-)
-
 // golang: seriously? that's sad!
 func max(a, b int) int {
 	if a < b {
@@ -49,36 +32,7 @@
 	return a
 }
 
-// version number compare, inspired by the libapt/python-debian code
-func cmpInt(intA, intB int) int {
-	if intA < intB {
-		return -1
-	} else if intA > intB {
-		return 1
-	}
-	return 0
-}
-
-func chOrder(ch uint8) int {
-	// "~" is lower than everything else
-	if ch == '~' {
-		return -10
-	}
-	// empty is higher than "~" but lower than everything else
-	if ch == 0 {
-		return -5
-	}
-	if matchAlpha([]byte{ch}) {
-		return int(ch)
-	}
-
-	// can only happen if cmpString sets '0' because there is no fragment
-	if matchDigit([]byte{ch}) {
-		return 0
-	}
-
-	return int(ch) + 256
-}
+//go:generate go run ./chrorder/main.go -package=strutil -output=chrorder.go
 
 func cmpString(as, bs string) int {
 	for i := 0; i < max(len(as), len(bs)); i++ {
@@ -90,29 +44,71 @@
 		if i < len(bs) {
 			b = bs[i]
 		}
-		if chOrder(a) < chOrder(b) {
+		if chOrder[a] < chOrder[b] {
 			return -1
 		}
-		if chOrder(a) > chOrder(b) {
+		if chOrder[a] > chOrder[b] {
 			return +1
 		}
 	}
 	return 0
 }
 
-func cmpFragment(a, b string) int {
-	intA, errA := strconv.Atoi(a)
-	intB, errB := strconv.Atoi(b)
-	if errA == nil && errB == nil {
-		return cmpInt(intA, intB)
+func trimLeadingZeroes(a string) string {
+	for i := 0; i < len(a); i++ {
+		if a[i] != '0' {
+			return a[i:]
+		}
 	}
-	res := cmpString(a, b)
-	//fmt.Println(a, b, res)
-	return res
+	return ""
+}
+
+// a and b both match /[0-9]+/
+func cmpNumeric(a, b string) int {
+	a = trimLeadingZeroes(a)
+	b = trimLeadingZeroes(b)
+
+	switch d := len(a) - len(b); {
+	case d > 0:
+		return 1
+	case d < 0:
+		return -1
+	}
+	for i := 0; i < len(a); i++ {
+		switch {
+		case a[i] > b[i]:
+			return 1
+		case a[i] < b[i]:
+			return -1
+		}
+	}
+	return 0
 }
 
-func getFragments(a string) []string {
-	return findFrags(a, -1)
+func matchEpoch(a string) bool {
+	if len(a) == 0 {
+		return false
+	}
+	if a[0] < '0' || a[0] > '9' {
+		return false
+	}
+	var i int
+	for i = 1; i < len(a) && a[i] >= '0' && a[i] <= '9'; i++ {
+	}
+	return i < len(a) && a[i] == ':'
+}
+
+func atMostOneDash(a string) bool {
+	seen := false
+	for i := 0; i < len(a); i++ {
+		if a[i] == '-' {
+			if seen {
+				return false
+			}
+			seen = true
+		}
+	}
+	return true
 }
 
 // VersionIsValid returns true if the given string is a valid
@@ -121,32 +117,45 @@
 	if matchEpoch(a) {
 		return false
 	}
-	if strings.Count(a, "-") > 1 {
-		return false
+	return atMostOneDash(a)
+}
+
+func nextFrag(s string) (frag, rest string, numeric bool) {
+	if len(s) == 0 {
+		return "", "", false
 	}
-	return true
+
+	var i int
+	if s[0] >= '0' && s[0] <= '9' {
+		// is digit
+		for i = 1; i < len(s) && s[i] >= '0' && s[i] <= '9'; i++ {
+		}
+		numeric = true
+	} else {
+		// not digit
+		for i = 1; i < len(s) && (s[i] < '0' || s[i] > '9'); i++ {
+		}
+	}
+	return s[:i], s[i:], numeric
 }
 
 func compareSubversion(va, vb string) int {
-	fragsA := getFragments(va)
-	fragsB := getFragments(vb)
-
-	for i := 0; i < max(len(fragsA), len(fragsB)); i++ {
-		a := ""
-		b := ""
-		if i < len(fragsA) {
-			a = fragsA[i]
-		}
-		if i < len(fragsB) {
-			b = fragsB[i]
-		}
-		res := cmpFragment(a, b)
-		//fmt.Println(a, b, res)
-		if res != 0 {
-			return res
+	var a, b string
+	var anum, bnum bool
+	var res int
+	for res == 0 {
+		a, va, anum = nextFrag(va)
+		b, vb, bnum = nextFrag(vb)
+		if a == "" && b == "" {
+			break
+		}
+		if anum && bnum {
+			res = cmpNumeric(a, b)
+		} else {
+			res = cmpString(a, b)
 		}
 	}
-	return 0
+	return res
 }
 
 // VersionCompare compare two version strings that follow the debian
@@ -164,23 +173,24 @@
 		return 0, fmt.Errorf("invalid version %q", vb)
 	}
 
-	if !strings.Contains(va, "-") {
-		va += "-0"
-	}
-	if !strings.Contains(vb, "-") {
-		vb += "-0"
+	var sa, sb string
+	if ia := strings.IndexByte(va, '-'); ia < 0 {
+		sa = "0"
+	} else {
+		va, sa = va[:ia], va[ia+1:]
+	}
+	if ib := strings.IndexByte(vb, '-'); ib < 0 {
+		sb = "0"
+	} else {
+		vb, sb = vb[:ib], vb[ib+1:]
 	}
 
 	// the main version number (before the "-")
-	mainA := strings.Split(va, "-")[0]
-	mainB := strings.Split(vb, "-")[0]
-	res = compareSubversion(mainA, mainB)
+	res = compareSubversion(va, vb)
 	if res != 0 {
 		return res, nil
 	}
 
 	// the subversion revision behind the "-"
-	revA := strings.Split(va, "-")[1]
-	revB := strings.Split(vb, "-")[1]
-	return compareSubversion(revA, revB), nil
+	return compareSubversion(sa, sb), nil
 }
diff -Nru snapd-2.32.3.2~14.04/strutil/version_test.go snapd-2.37~rc1~14.04/strutil/version_test.go
--- snapd-2.32.3.2~14.04/strutil/version_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/strutil/version_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -37,6 +37,7 @@
 		res  int
 		err  error
 	}{
+		{"20000000000000000000", "020000000000000000000", 0, nil},
 		{"1.0", "2.0", -1, nil},
 		{"1.3", "1.2.2.2", 1, nil},
 		{"1.3", "1.3.1", -1, nil},
@@ -115,8 +116,11 @@
 		valid bool
 	}{
 		{"1:2", false},
+		{"12:34", false},
+		{"1234:", false},
 		{"1--1", false},
 		{"1.0", true},
+		{"1234", true},
 	} {
 		res := strutil.VersionIsValid(t.ver)
 		c.Check(res, Equals, t.valid, Commentf("%q: %v but expected %v", t.ver, res, t.valid))
diff -Nru snapd-2.32.3.2~14.04/systemd/export_test.go snapd-2.37~rc1~14.04/systemd/export_test.go
--- snapd-2.32.3.2~14.04/systemd/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/systemd/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,24 +21,12 @@
 
 import (
 	"io"
-	"time"
 )
 
 var (
 	Jctl = jctl
 )
 
-func MockStopDelays(checkDelay, notifyDelay time.Duration) func() {
-	oldCheckDelay := stopCheckDelay
-	oldNotifyDelay := stopNotifyDelay
-	stopCheckDelay = checkDelay
-	stopNotifyDelay = notifyDelay
-	return func() {
-		stopCheckDelay = oldCheckDelay
-		stopNotifyDelay = oldNotifyDelay
-	}
-}
-
 func MockOsGetenv(f func(string) string) func() {
 	oldOsGetenv := osGetenv
 	osGetenv = f
@@ -50,3 +38,19 @@
 	osutilStreamCommand = f
 	return func() { osutilStreamCommand = old }
 }
+
+func MockJournalStdoutPath(path string) func() {
+	oldPath := journalStdoutPath
+	journalStdoutPath = path
+	return func() {
+		journalStdoutPath = oldPath
+	}
+}
+
+func (e *Error) SetExitCode(i int) {
+	e.exitCode = i
+}
+
+func (e *Error) SetMsg(msg []byte) {
+	e.msg = msg
+}
diff -Nru snapd-2.32.3.2~14.04/systemd/journal.go snapd-2.37~rc1~14.04/systemd/journal.go
--- snapd-2.32.3.2~14.04/systemd/journal.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/systemd/journal.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,72 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package systemd
+
+import (
+	"bytes"
+	"fmt"
+	"log/syslog"
+	"net"
+	"os"
+)
+
+var journalStdoutPath = "/run/systemd/journal/stdout"
+
+// NewJournalStreamFile creates log stream file descriptor to the journal. The
+// semantics is identical to that of sd_journal_stream_fd(3) call.
+func NewJournalStreamFile(identifier string, priority syslog.Priority, levelPrefix bool) (*os.File, error) {
+	conn, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: journalStdoutPath})
+	if err != nil {
+		return nil, err
+	}
+	// does not affect *os.File created through conn.File() later on
+	defer conn.Close()
+
+	if err := conn.CloseRead(); err != nil {
+		return nil, err
+	}
+
+	// header contents taken from the original systemd code:
+	// https://github.com/systemd/systemd/blob/97a33b126c845327a3a19d6e66f05684823868fb/src/journal/journal-send.c#L395
+	header := bytes.Buffer{}
+	header.WriteString(identifier)
+	header.WriteByte('\n')
+	header.WriteByte('\n')
+	header.WriteByte(byte('0') + byte(priority))
+	header.WriteByte('\n')
+	var prefix int
+	if levelPrefix {
+		prefix = 1
+	}
+	header.WriteByte(byte('0') + byte(prefix))
+	header.WriteByte('\n')
+	header.WriteByte('0')
+	header.WriteByte('\n')
+	header.WriteByte('0')
+	header.WriteByte('\n')
+	header.WriteByte('0')
+	header.WriteByte('\n')
+
+	if _, err := conn.Write(header.Bytes()); err != nil {
+		return nil, fmt.Errorf("failed to write header: %v", err)
+	}
+
+	return conn.File()
+}
diff -Nru snapd-2.32.3.2~14.04/systemd/journal_test.go snapd-2.37~rc1~14.04/systemd/journal_test.go
--- snapd-2.32.3.2~14.04/systemd/journal_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/systemd/journal_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,89 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package systemd_test
+
+import (
+	"log/syslog"
+	"net"
+	"path"
+
+	. "gopkg.in/check.v1"
+
+	. "github.com/snapcore/snapd/systemd"
+)
+
+type journalTestSuite struct{}
+
+var _ = Suite(&journalTestSuite{})
+
+func (j *journalTestSuite) TestStreamFileErrorNoPath(c *C) {
+	restore := MockJournalStdoutPath(path.Join(c.MkDir(), "fake-journal"))
+	defer restore()
+
+	jout, err := NewJournalStreamFile("foobar", syslog.LOG_INFO, false)
+	c.Assert(err, ErrorMatches, ".*no such file or directory")
+	c.Assert(jout, IsNil)
+}
+
+func (j *journalTestSuite) TestStreamFileHeader(c *C) {
+	fakePath := path.Join(c.MkDir(), "fake-journal")
+	restore := MockJournalStdoutPath(fakePath)
+	defer restore()
+
+	listener, err := net.ListenUnix("unix", &net.UnixAddr{Name: fakePath})
+	c.Assert(err, IsNil)
+	defer listener.Close()
+
+	doneCh := make(chan struct{}, 1)
+
+	go func() {
+		defer func() { close(doneCh) }()
+
+		// see https://github.com/systemd/systemd/blob/97a33b126c845327a3a19d6e66f05684823868fb/src/journal/journal-send.c#L424
+		conn, err := listener.AcceptUnix()
+		c.Assert(err, IsNil)
+		defer conn.Close()
+
+		expectedHdrLen := len("foobar") + 1 + 1 + 2 + 2 + 2 + 2 + 2
+		hdrBuf := make([]byte, expectedHdrLen)
+		hdrLen, err := conn.Read(hdrBuf)
+		c.Assert(err, IsNil)
+		c.Assert(hdrLen, Equals, expectedHdrLen)
+		c.Check(hdrBuf, DeepEquals, []byte("foobar\n\n6\n0\n0\n0\n0\n"))
+
+		data := make([]byte, 4096)
+		sz, err := conn.Read(data)
+		c.Assert(err, IsNil)
+		c.Assert(sz > 0, Equals, true)
+		c.Check(data[0:sz], DeepEquals, []byte("hello from unit tests"))
+
+		doneCh <- struct{}{}
+	}()
+
+	jout, err := NewJournalStreamFile("foobar", syslog.LOG_INFO, false)
+	c.Assert(err, IsNil)
+	c.Assert(jout, NotNil)
+
+	_, err = jout.WriteString("hello from unit tests")
+	c.Assert(err, IsNil)
+	defer jout.Close()
+
+	<-doneCh
+}
diff -Nru snapd-2.32.3.2~14.04/systemd/systemd.go snapd-2.37~rc1~14.04/systemd/systemd.go
--- snapd-2.32.3.2~14.04/systemd/systemd.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/systemd/systemd.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,17 +23,21 @@
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"
 
 	_ "github.com/snapcore/squashfuse"
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/squashfs"
 )
 
 var (
@@ -45,8 +49,44 @@
 
 	// how much time should Stop wait between notifying the user of the waiting
 	stopNotifyDelay = 20 * time.Second
+
+	// daemonReloadLock is a package level lock to ensure that we
+	// do not run any `systemd daemon-reload` while a
+	// daemon-reload is in progress or a mount unit is
+	// generated/activated.
+	//
+	// See https://github.com/systemd/systemd/issues/10872 for the
+	// upstream systemd bug
+	daemonReloadLock extMutex
 )
 
+// mu is a sync.Mutex that also supports to check if the lock is taken
+type extMutex struct {
+	lock sync.Mutex
+	muC  int32
+}
+
+// Lock acquires the mutex
+func (m *extMutex) Lock() {
+	m.lock.Lock()
+	atomic.AddInt32(&m.muC, 1)
+}
+
+// Unlock releases the mutex
+func (m *extMutex) Unlock() {
+	m.lock.Unlock()
+	atomic.AddInt32(&m.muC, -1)
+}
+
+// Taken will panic with the given error message if the lock is not
+// taken when this code runs. This is useful to internally check if
+// something is accessed without a valid lock.
+func (m *extMutex) Taken(errMsg string) {
+	if atomic.LoadInt32(&m.muC) != 1 {
+		panic("internal error: " + errMsg)
+	}
+}
+
 // systemctlCmd calls systemctl with the given args, returning its standard output (and wrapped error)
 var systemctlCmd = func(args ...string) ([]byte, error) {
 	bs, err := exec.Command("systemctl", args...).CombinedOutput()
@@ -68,6 +108,19 @@
 	}
 }
 
+// MockStopDelays is used from tests so that Stop can be less
+// forgiving there.
+func MockStopDelays(checkDelay, notifyDelay time.Duration) func() {
+	oldCheckDelay := stopCheckDelay
+	oldNotifyDelay := stopNotifyDelay
+	stopCheckDelay = checkDelay
+	stopNotifyDelay = notifyDelay
+	return func() {
+		stopCheckDelay = oldCheckDelay
+		stopNotifyDelay = oldNotifyDelay
+	}
+}
+
 func Available() error {
 	_, err := systemctlCmd("--version")
 	return err
@@ -76,13 +129,18 @@
 var osutilStreamCommand = osutil.StreamCommand
 
 // jctl calls journalctl to get the JSON logs of the given services.
-var jctl = func(svcs []string, n string, follow bool) (io.ReadCloser, error) {
+var jctl = func(svcs []string, n int, follow bool) (io.ReadCloser, error) {
 	// args will need two entries per service, plus a fixed number (give or take
 	// one) for the initial options.
-	args := make([]string, 0, 2*len(svcs)+6)
-	args = append(args, "-o", "json", "-n", n, "--no-pager") // len(this)+1 == that ^ fixed number
+	args := make([]string, 0, 2*len(svcs)+6)        // the fixed number is 6
+	args = append(args, "-o", "json", "--no-pager") //   3...
+	if n < 0 {
+		args = append(args, "--no-tail") // < 2
+	} else {
+		args = append(args, "-n", strconv.Itoa(n)) // ... + 2 ...
+	}
 	if follow {
-		args = append(args, "-f") // this is the +1 :-)
+		args = append(args, "-f") // ... + 1 == 6
 	}
 
 	for i := range svcs {
@@ -92,7 +150,7 @@
 	return osutilStreamCommand("journalctl", args...)
 }
 
-func MockJournalctl(f func(svcs []string, n string, follow bool) (io.ReadCloser, error)) func() {
+func MockJournalctl(f func(svcs []string, n int, follow bool) (io.ReadCloser, error)) func() {
 	oldJctl := jctl
 	jctl = f
 	return func() {
@@ -106,12 +164,16 @@
 	Enable(service string) error
 	Disable(service string) error
 	Start(service ...string) error
+	StartNoBlock(service ...string) error
 	Stop(service string, timeout time.Duration) error
 	Kill(service, signal, who string) error
 	Restart(service string, timeout time.Duration) error
-	Status(services ...string) ([]*ServiceStatus, error)
-	LogReader(services []string, n string, follow bool) (io.ReadCloser, error)
-	WriteMountUnitFile(name, what, where, fstype string) (string, error)
+	Status(units ...string) ([]*UnitStatus, error)
+	IsEnabled(service string) (bool, error)
+	IsActive(service string) (bool, error)
+	LogReader(services []string, n int, follow bool) (io.ReadCloser, error)
+	AddMountUnitFile(name, revision, what, where, fstype string) (string, error)
+	RemoveMountUnitFile(baseDir string) error
 	Mask(service string) error
 	Unmask(service string) error
 }
@@ -124,7 +186,7 @@
 	ServicesTarget = "multi-user.target"
 
 	// the target prerequisite for systemd units we generate
-	PrerequisiteTarget = "network-online.target"
+	PrerequisiteTarget = "network.target"
 
 	// the default target for systemd socket units that we generate
 	SocketsTarget = "sockets.target"
@@ -148,7 +210,16 @@
 }
 
 // DaemonReload reloads systemd's configuration.
-func (*systemd) DaemonReload() error {
+func (s *systemd) DaemonReload() error {
+	daemonReloadLock.Lock()
+	defer daemonReloadLock.Unlock()
+
+	return s.daemonReloadNoLock()
+}
+
+func (s *systemd) daemonReloadNoLock() error {
+	daemonReloadLock.Taken("cannot use daemon-reload without lock")
+
 	_, err := systemctlCmd("daemon-reload")
 	return err
 }
@@ -183,38 +254,63 @@
 	return err
 }
 
+// StartNoBlock starts the given service or services non-blocking
+func (*systemd) StartNoBlock(serviceNames ...string) error {
+	_, err := systemctlCmd(append([]string{"start", "--no-block"}, serviceNames...)...)
+	return err
+}
+
 // LogReader for the given services
-func (*systemd) LogReader(serviceNames []string, n string, follow bool) (io.ReadCloser, error) {
+func (*systemd) LogReader(serviceNames []string, n int, follow bool) (io.ReadCloser, error) {
 	return jctl(serviceNames, n, follow)
 }
 
 var statusregex = regexp.MustCompile(`(?m)^(?:(.+?)=(.*)|(.*))?$`)
 
-type ServiceStatus struct {
-	Daemon          string
-	ServiceFileName string
-	Enabled         bool
-	Active          bool
-}
-
-func (s *systemd) Status(serviceNames ...string) ([]*ServiceStatus, error) {
-	expected := []string{"Id", "Type", "ActiveState", "UnitFileState"}
-	cmd := make([]string, len(serviceNames)+2)
+type UnitStatus struct {
+	Daemon   string
+	UnitName string
+	Enabled  bool
+	Active   bool
+}
+
+var baseProperties = []string{"Id", "ActiveState", "UnitFileState"}
+var extendedProperties = []string{"Id", "ActiveState", "UnitFileState", "Type"}
+var unitProperties = map[string][]string{
+	".timer":  baseProperties,
+	".socket": baseProperties,
+	// in service units, Type is the daemon type
+	".service": extendedProperties,
+	// in mount units, Type is the fs type
+	".mount": extendedProperties,
+}
+
+// Status fetches the status of given units. Statuses are returned in the same
+// order as unit names passed in argument.
+func (s *systemd) Status(unitNames ...string) ([]*UnitStatus, error) {
+	cmd := make([]string, len(unitNames)+2)
 	cmd[0] = "show"
-	cmd[1] = "--property=" + strings.Join(expected, ",")
-	copy(cmd[2:], serviceNames)
+	// ask for all properties, regardless of unit type
+	cmd[1] = "--property=" + strings.Join(extendedProperties, ",")
+	copy(cmd[2:], unitNames)
 	bs, err := systemctlCmd(cmd...)
 	if err != nil {
 		return nil, err
 	}
 
-	sts := make([]*ServiceStatus, 0, len(serviceNames))
-	cur := &ServiceStatus{}
+	sts := make([]*UnitStatus, 0, len(unitNames))
+	cur := &UnitStatus{}
 	seen := map[string]bool{}
 
 	for _, bs := range statusregex.FindAllSubmatch(bs, -1) {
 		if len(bs[0]) == 0 {
 			// systemctl separates data pertaining to particular services by an empty line
+			unitType := filepath.Ext(cur.UnitName)
+			expected := unitProperties[unitType]
+			if expected == nil {
+				expected = baseProperties
+			}
+
 			missing := make([]string, 0, len(expected))
 			for _, k := range expected {
 				if !seen[k] {
@@ -222,34 +318,33 @@
 				}
 			}
 			if len(missing) > 0 {
-				return nil, fmt.Errorf("cannot get service status: missing %s in ‘systemctl show’ output", strings.Join(missing, ", "))
-
+				return nil, fmt.Errorf("cannot get unit %q status: missing %s in ‘systemctl show’ output", cur.UnitName, strings.Join(missing, ", "))
 			}
 			sts = append(sts, cur)
-			if len(sts) > len(serviceNames) {
+			if len(sts) > len(unitNames) {
 				break // wut
 			}
-			if cur.ServiceFileName != serviceNames[len(sts)-1] {
-				return nil, fmt.Errorf("cannot get service status: queried status of %q but got status of %q", serviceNames[len(sts)-1], cur.ServiceFileName)
+			if cur.UnitName != unitNames[len(sts)-1] {
+				return nil, fmt.Errorf("cannot get unit status: queried status of %q but got status of %q", unitNames[len(sts)-1], cur.UnitName)
 			}
 
-			cur = &ServiceStatus{}
+			cur = &UnitStatus{}
 			seen = map[string]bool{}
 			continue
 		}
 		if len(bs[3]) > 0 {
-			return nil, fmt.Errorf("cannot get service status: bad line %q in ‘systemctl show’ output", bs[3])
+			return nil, fmt.Errorf("cannot get unit status: bad line %q in ‘systemctl show’ output", bs[3])
 		}
 		k := string(bs[1])
 		v := string(bs[2])
 
 		if v == "" {
-			return nil, fmt.Errorf("cannot get service status: empty field %q in ‘systemctl show’ output", k)
+			return nil, fmt.Errorf("cannot get unit status: empty field %q in ‘systemctl show’ output", k)
 		}
 
 		switch k {
 		case "Id":
-			cur.ServiceFileName = v
+			cur.UnitName = v
 		case "Type":
 			cur.Daemon = v
 		case "ActiveState":
@@ -259,22 +354,51 @@
 			// "static" means it can't be disabled
 			cur.Enabled = v == "enabled" || v == "static"
 		default:
-			return nil, fmt.Errorf("cannot get service status: unexpected field %q in ‘systemctl show’ output", k)
+			return nil, fmt.Errorf("cannot get unit status: unexpected field %q in ‘systemctl show’ output", k)
 		}
 
 		if seen[k] {
-			return nil, fmt.Errorf("cannot get service status: duplicate field %q in ‘systemctl show’ output", k)
+			return nil, fmt.Errorf("cannot get unit status: duplicate field %q in ‘systemctl show’ output", k)
 		}
 		seen[k] = true
 	}
 
-	if len(sts) != len(serviceNames) {
-		return nil, fmt.Errorf("cannot get service status: expected %d results, got %d", len(serviceNames), len(sts))
+	if len(sts) != len(unitNames) {
+		return nil, fmt.Errorf("cannot get unit status: expected %d results, got %d", len(unitNames), len(sts))
 	}
 
 	return sts, nil
 }
 
+// IsEnabled checkes whether the given service is enabled
+func (s *systemd) IsEnabled(serviceName string) (bool, error) {
+	_, err := systemctlCmd("--root", s.rootDir, "is-enabled", serviceName)
+	if err == nil {
+		return true, nil
+	}
+	// "systemctl is-enabled <name>" prints `disabled\n` to stderr and returns exit code 1
+	// for disabled services
+	sysdErr, ok := err.(*Error)
+	if ok && sysdErr.exitCode == 1 && strings.TrimSpace(string(sysdErr.msg)) == "disabled" {
+		return false, nil
+	}
+	return false, err
+}
+
+// IsActive checkes whether the given service is Active
+func (s *systemd) IsActive(serviceName string) (bool, error) {
+	_, err := systemctlCmd("--root", s.rootDir, "is-active", serviceName)
+	if err == nil {
+		return true, nil
+	}
+	// "systemctl is-active <name>" prints `inactive\n` to stderr and returns exit code 1 for inactive services
+	sysdErr, ok := err.(*Error)
+	if ok && sysdErr.exitCode > 0 && strings.TrimSpace(string(sysdErr.msg)) == "inactive" {
+		return false, nil
+	}
+	return false, err
+}
+
 // Stop the given service, and wait until it has stopped.
 func (s *systemd) Stop(serviceName string, timeout time.Duration) error {
 	if _, err := systemctlCmd("stop", serviceName); err != nil {
@@ -405,57 +529,33 @@
 	return "-"
 }
 
-// useFuse detects if we should be using squashfuse instead
-func useFuse() bool {
-	if !osutil.FileExists("/dev/fuse") {
-		return false
-	}
-
-	if !osutil.ExecutableExists("squashfuse") && !osutil.ExecutableExists("snapfuse") {
-		return false
-	}
-
-	out, err := exec.Command("systemd-detect-virt", "--container").Output()
-	if err != nil {
-		return false
-	}
-
-	virt := strings.TrimSpace(string(out))
-	if virt != "none" {
-		return true
-	}
-
-	return false
-}
-
 // MountUnitPath returns the path of a {,auto}mount unit
 func MountUnitPath(baseDir string) string {
 	escapedPath := EscapeUnitNamePath(baseDir)
 	return filepath.Join(dirs.SnapServicesDir, escapedPath+".mount")
 }
 
-func (s *systemd) WriteMountUnitFile(name, what, where, fstype string) (string, error) {
+// AddMountUnitFile adds/enables/starts a mount unit.
+func (s *systemd) AddMountUnitFile(snapName, revision, what, where, fstype string) (string, error) {
+	daemonReloadLock.Lock()
+	defer daemonReloadLock.Unlock()
+
 	options := []string{"nodev"}
 	if fstype == "squashfs" {
-		options = append(options, "ro", "x-gdu.hide")
+		newFsType, newOptions, err := squashfs.FsType()
+		if err != nil {
+			return "", err
+		}
+		options = append(options, newOptions...)
+		fstype = newFsType
 	}
 	if osutil.IsDirectory(what) {
 		options = append(options, "bind")
 		fstype = "none"
-	} else if fstype == "squashfs" && useFuse() {
-		options = append(options, "allow_other")
-		switch {
-		case osutil.ExecutableExists("squashfuse"):
-			fstype = "fuse.squashfuse"
-		case osutil.ExecutableExists("snapfuse"):
-			fstype = "fuse.snapfuse"
-		default:
-			panic("cannot happen because useFuse() ensures on of the two executables is there")
-		}
 	}
 
 	c := fmt.Sprintf(`[Unit]
-Description=Mount unit for %s
+Description=Mount unit for %s, revision %s
 Before=snapd.service
 
 [Mount]
@@ -466,8 +566,67 @@
 
 [Install]
 WantedBy=multi-user.target
-`, name, what, where, fstype, strings.Join(options, ","))
+`, snapName, revision, what, where, fstype, strings.Join(options, ","))
 
 	mu := MountUnitPath(where)
-	return filepath.Base(mu), osutil.AtomicWriteFile(mu, []byte(c), 0644, 0)
+	mountUnitName, err := filepath.Base(mu), osutil.AtomicWriteFile(mu, []byte(c), 0644, 0)
+	if err != nil {
+		return "", err
+	}
+
+	// we need to do a daemon-reload here to ensure that systemd really
+	// knows about this new mount unit file
+	if err := s.daemonReloadNoLock(); err != nil {
+		return "", err
+	}
+
+	if err := s.Enable(mountUnitName); err != nil {
+		return "", err
+	}
+	if err := s.Start(mountUnitName); err != nil {
+		return "", err
+	}
+
+	return mountUnitName, nil
+}
+
+func (s *systemd) RemoveMountUnitFile(mountedDir string) error {
+	daemonReloadLock.Lock()
+	defer daemonReloadLock.Unlock()
+
+	unit := MountUnitPath(dirs.StripRootDir(mountedDir))
+	if !osutil.FileExists(unit) {
+		return nil
+	}
+
+	// use umount -d (cleanup loopback devices) -l (lazy) to ensure that even busy mount points
+	// can be unmounted.
+	// note that the long option --lazy is not supported on trusty.
+	// the explicit -d is only needed on trusty.
+	isMounted, err := osutil.IsMounted(mountedDir)
+	if err != nil {
+		return err
+	}
+	if isMounted {
+		if output, err := exec.Command("umount", "-d", "-l", mountedDir).CombinedOutput(); err != nil {
+			return osutil.OutputErr(output, err)
+		}
+
+		if err := s.Stop(filepath.Base(unit), time.Duration(1*time.Second)); err != nil {
+			return err
+		}
+	}
+	if err := s.Disable(filepath.Base(unit)); err != nil {
+		return err
+	}
+	if err := os.Remove(unit); err != nil {
+		return err
+	}
+	// daemon-reload to ensure that systemd actually really
+	// forgets about this mount unit
+	if err := s.daemonReloadNoLock(); err != nil {
+		return err
+	}
+
+	return nil
 }
diff -Nru snapd-2.32.3.2~14.04/systemd/systemd_test.go snapd-2.37~rc1~14.04/systemd/systemd_test.go
--- snapd-2.32.3.2~14.04/systemd/systemd_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/systemd/systemd_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,6 +26,7 @@
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strconv"
 	"testing"
 	"time"
 
@@ -33,6 +34,7 @@
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/osutil/squashfs"
 	"github.com/snapcore/snapd/testutil"
 
 	. "github.com/snapcore/snapd/systemd"
@@ -113,11 +115,11 @@
 	return out, err
 }
 
-func (s *SystemdTestSuite) myJctl(svcs []string, n string, follow bool) (io.ReadCloser, error) {
+func (s *SystemdTestSuite) myJctl(svcs []string, n int, follow bool) (io.ReadCloser, error) {
 	var err error
 	var out []byte
 
-	s.jns = append(s.jns, n)
+	s.jns = append(s.jns, strconv.Itoa(n))
 	s.jsvcs = append(s.jsvcs, svcs)
 	s.jfollows = append(s.jfollows, follow)
 
@@ -190,31 +192,47 @@
 Id=baz.service
 ActiveState=inactive
 UnitFileState=disabled
+
+Id=some.timer
+ActiveState=active
+UnitFileState=enabled
+
+Id=other.socket
+ActiveState=active
+UnitFileState=disabled
 `[1:]),
 	}
 	s.errors = []error{nil}
-	out, err := New("", s.rep).Status("foo.service", "bar.service", "baz.service")
+	out, err := New("", s.rep).Status("foo.service", "bar.service", "baz.service", "some.timer", "other.socket")
 	c.Assert(err, IsNil)
-	c.Check(out, DeepEquals, []*ServiceStatus{
+	c.Check(out, DeepEquals, []*UnitStatus{
 		{
-			Daemon:          "simple",
-			ServiceFileName: "foo.service",
-			Active:          true,
-			Enabled:         true,
+			Daemon:   "simple",
+			UnitName: "foo.service",
+			Active:   true,
+			Enabled:  true,
+		}, {
+			Daemon:   "simple",
+			UnitName: "bar.service",
+			Active:   true,
+			Enabled:  true,
+		}, {
+			Daemon:   "potato",
+			UnitName: "baz.service",
+			Active:   false,
+			Enabled:  false,
 		}, {
-			Daemon:          "simple",
-			ServiceFileName: "bar.service",
-			Active:          true,
-			Enabled:         true,
+			UnitName: "some.timer",
+			Active:   true,
+			Enabled:  true,
 		}, {
-			Daemon:          "potato",
-			ServiceFileName: "baz.service",
-			Active:          false,
-			Enabled:         false,
+			UnitName: "other.socket",
+			Active:   true,
+			Enabled:  false,
 		},
 	})
 	c.Check(s.rep.msgs, IsNil)
-	c.Assert(s.argses, DeepEquals, [][]string{{"show", "--property=Id,Type,ActiveState,UnitFileState", "foo.service", "bar.service", "baz.service"}})
+	c.Assert(s.argses, DeepEquals, [][]string{{"show", "--property=Id,ActiveState,UnitFileState,Type", "foo.service", "bar.service", "baz.service", "some.timer", "other.socket"}})
 }
 
 func (s *SystemdTestSuite) TestStatusBadNumberOfValues(c *C) {
@@ -233,7 +251,7 @@
 	}
 	s.errors = []error{nil}
 	out, err := New("", s.rep).Status("foo.service")
-	c.Check(err, ErrorMatches, "cannot get service status: expected 1 results, got 2")
+	c.Check(err, ErrorMatches, "cannot get unit status: expected 1 results, got 2")
 	c.Check(out, IsNil)
 	c.Check(s.rep.msgs, IsNil)
 }
@@ -285,16 +303,28 @@
 	c.Check(out, IsNil)
 }
 
-func (s *SystemdTestSuite) TestStatusMissingField(c *C) {
+func (s *SystemdTestSuite) TestStatusMissingRequiredFieldService(c *C) {
 	s.outs = [][]byte{
 		[]byte(`
-Type=simple
 Id=foo.service
 ActiveState=active
 `[1:]),
 	}
 	s.errors = []error{nil}
 	out, err := New("", s.rep).Status("foo.service")
+	c.Assert(err, ErrorMatches, `.* missing UnitFileState, Type .*`)
+	c.Check(out, IsNil)
+}
+
+func (s *SystemdTestSuite) TestStatusMissingRequiredFieldTimer(c *C) {
+	s.outs = [][]byte{
+		[]byte(`
+Id=foo.timer
+ActiveState=active
+`[1:]),
+	}
+	s.errors = []error{nil}
+	out, err := New("", s.rep).Status("foo.timer")
 	c.Assert(err, ErrorMatches, `.* missing UnitFileState .*`)
 	c.Check(out, IsNil)
 }
@@ -399,7 +429,7 @@
 func (s *SystemdTestSuite) TestLogErrJctl(c *C) {
 	s.jerrs = []error{&Timeout{}}
 
-	reader, err := New("", s.rep).LogReader([]string{"foo"}, "24", false)
+	reader, err := New("", s.rep).LogReader([]string{"foo"}, 24, false)
 	c.Check(err, NotNil)
 	c.Check(reader, IsNil)
 	c.Check(s.jns, DeepEquals, []string{"24"})
@@ -414,7 +444,7 @@
 `
 	s.jouts = [][]byte{[]byte(expected)}
 
-	reader, err := New("", s.rep).LogReader([]string{"foo"}, "24", false)
+	reader, err := New("", s.rep).LogReader([]string{"foo"}, 24, false)
 	c.Check(err, IsNil)
 	logs, err := ioutil.ReadAll(reader)
 	c.Assert(err, IsNil)
@@ -456,54 +486,78 @@
 	c.Assert(MountUnitPath("/apps/hello/1.1"), Equals, filepath.Join(dirs.SnapServicesDir, "apps-hello-1.1.mount"))
 }
 
-func (s *SystemdTestSuite) TestWriteMountUnit(c *C) {
-	mockSnapPath := filepath.Join(c.MkDir(), "/var/lib/snappy/snaps/foo_1.0.snap")
-	err := os.MkdirAll(filepath.Dir(mockSnapPath), 0755)
+func makeMockFile(c *C, path string) {
+	err := os.MkdirAll(filepath.Dir(path), 0755)
 	c.Assert(err, IsNil)
-	err = ioutil.WriteFile(mockSnapPath, nil, 0644)
+	err = ioutil.WriteFile(path, nil, 0644)
 	c.Assert(err, IsNil)
+}
 
-	mountUnitName, err := New("", nil).WriteMountUnitFile("foo", mockSnapPath, "/apps/foo/1.0", "squashfs")
+func (s *SystemdTestSuite) TestAddMountUnit(c *C) {
+	rootDir := dirs.GlobalRootDir
+
+	restore := squashfs.MockUseFuse(false)
+	defer restore()
+
+	mockSnapPath := filepath.Join(c.MkDir(), "/var/lib/snappy/snaps/foo_1.0.snap")
+	makeMockFile(c, mockSnapPath)
+
+	mountUnitName, err := New(rootDir, nil).AddMountUnitFile("foo", "42", mockSnapPath, "/snap/snapname/123", "squashfs")
 	c.Assert(err, IsNil)
 	defer os.Remove(mountUnitName)
 
 	c.Assert(filepath.Join(dirs.SnapServicesDir, mountUnitName), testutil.FileEquals, fmt.Sprintf(`
 [Unit]
-Description=Mount unit for foo
+Description=Mount unit for foo, revision 42
 Before=snapd.service
 
 [Mount]
 What=%s
-Where=/apps/foo/1.0
+Where=/snap/snapname/123
 Type=squashfs
 Options=nodev,ro,x-gdu.hide
 
 [Install]
 WantedBy=multi-user.target
 `[1:], mockSnapPath))
+
+	c.Assert(s.argses, DeepEquals, [][]string{
+		{"daemon-reload"},
+		{"--root", rootDir, "enable", "snap-snapname-123.mount"},
+		{"start", "snap-snapname-123.mount"},
+	})
 }
 
-func (s *SystemdTestSuite) TestWriteMountUnitForDirs(c *C) {
+func (s *SystemdTestSuite) TestAddMountUnitForDirs(c *C) {
+	restore := squashfs.MockUseFuse(false)
+	defer restore()
+
 	// a directory instead of a file produces a different output
 	snapDir := c.MkDir()
-	mountUnitName, err := New("", nil).WriteMountUnitFile("foodir", snapDir, "/apps/foo/1.0", "squashfs")
+	mountUnitName, err := New("", nil).AddMountUnitFile("foodir", "x1", snapDir, "/snap/snapname/x1", "squashfs")
 	c.Assert(err, IsNil)
 	defer os.Remove(mountUnitName)
 
 	c.Assert(filepath.Join(dirs.SnapServicesDir, mountUnitName), testutil.FileEquals, fmt.Sprintf(`
 [Unit]
-Description=Mount unit for foodir
+Description=Mount unit for foodir, revision x1
 Before=snapd.service
 
 [Mount]
 What=%s
-Where=/apps/foo/1.0
+Where=/snap/snapname/x1
 Type=none
 Options=nodev,ro,x-gdu.hide,bind
 
 [Install]
 WantedBy=multi-user.target
 `[1:], snapDir))
+
+	c.Assert(s.argses, DeepEquals, [][]string{
+		{"daemon-reload"},
+		{"--root", "", "enable", "snap-snapname-x1.mount"},
+		{"start", "snap-snapname-x1.mount"},
+	})
 }
 
 func (s *SystemdTestSuite) TestFuseInContainer(c *C) {
@@ -528,18 +582,18 @@
 	err = ioutil.WriteFile(mockSnapPath, nil, 0644)
 	c.Assert(err, IsNil)
 
-	mountUnitName, err := New("", nil).WriteMountUnitFile("foo", mockSnapPath, "/apps/foo/1.0", "squashfs")
+	mountUnitName, err := New("", nil).AddMountUnitFile("foo", "x1", mockSnapPath, "/snap/snapname/123", "squashfs")
 	c.Assert(err, IsNil)
 	defer os.Remove(mountUnitName)
 
 	c.Check(filepath.Join(dirs.SnapServicesDir, mountUnitName), testutil.FileEquals, fmt.Sprintf(`
 [Unit]
-Description=Mount unit for foo
+Description=Mount unit for foo, revision x1
 Before=snapd.service
 
 [Mount]
 What=%s
-Where=/apps/foo/1.0
+Where=/snap/snapname/123
 Type=fuse.squashfuse
 Options=nodev,ro,x-gdu.hide,allow_other
 
@@ -566,18 +620,18 @@
 	err = ioutil.WriteFile(mockSnapPath, nil, 0644)
 	c.Assert(err, IsNil)
 
-	mountUnitName, err := New("", nil).WriteMountUnitFile("foo", mockSnapPath, "/apps/foo/1.0", "squashfs")
+	mountUnitName, err := New("", nil).AddMountUnitFile("foo", "x1", mockSnapPath, "/snap/snapname/123", "squashfs")
 	c.Assert(err, IsNil)
 	defer os.Remove(mountUnitName)
 
 	c.Assert(filepath.Join(dirs.SnapServicesDir, mountUnitName), testutil.FileEquals, fmt.Sprintf(`
 [Unit]
-Description=Mount unit for foo
+Description=Mount unit for foo, revision x1
 Before=snapd.service
 
 [Mount]
 What=%s
-Where=/apps/foo/1.0
+Where=/snap/snapname/123
 Type=squashfs
 Options=nodev,ro,x-gdu.hide
 
@@ -590,15 +644,108 @@
 	var args []string
 	var err error
 	MockOsutilStreamCommand(func(name string, myargs ...string) (io.ReadCloser, error) {
-		c.Check(cap(myargs) <= len(myargs)+1, Equals, true, Commentf("cap:%d, len:%d", cap(myargs), len(myargs)))
+		c.Check(cap(myargs) <= len(myargs)+2, Equals, true, Commentf("cap:%d, len:%d", cap(myargs), len(myargs)))
 		args = myargs
 		return nil, nil
 	})
 
-	_, err = Jctl([]string{"foo", "bar"}, "10", false)
+	_, err = Jctl([]string{"foo", "bar"}, 10, false)
+	c.Assert(err, IsNil)
+	c.Check(args, DeepEquals, []string{"-o", "json", "--no-pager", "-n", "10", "-u", "foo", "-u", "bar"})
+	_, err = Jctl([]string{"foo", "bar", "baz"}, 99, true)
+	c.Assert(err, IsNil)
+	c.Check(args, DeepEquals, []string{"-o", "json", "--no-pager", "-n", "99", "-f", "-u", "foo", "-u", "bar", "-u", "baz"})
+	_, err = Jctl([]string{"foo", "bar"}, -1, false)
+	c.Assert(err, IsNil)
+	c.Check(args, DeepEquals, []string{"-o", "json", "--no-pager", "--no-tail", "-u", "foo", "-u", "bar"})
+}
+
+func (s *SystemdTestSuite) TestIsActiveIsInactive(c *C) {
+	sysErr := &Error{}
+	sysErr.SetExitCode(1)
+	sysErr.SetMsg([]byte("inactive\n"))
+	s.errors = []error{sysErr}
+
+	active, err := New("xyzzy", s.rep).IsActive("foo")
+	c.Assert(active, Equals, false)
+	c.Assert(err, IsNil)
+	c.Check(s.argses, DeepEquals, [][]string{{"--root", "xyzzy", "is-active", "foo"}})
+}
+
+func (s *SystemdTestSuite) TestIsActiveIsActive(c *C) {
+	s.errors = []error{nil}
+
+	active, err := New("xyzzy", s.rep).IsActive("foo")
+	c.Assert(active, Equals, true)
+	c.Assert(err, IsNil)
+	c.Check(s.argses, DeepEquals, [][]string{{"--root", "xyzzy", "is-active", "foo"}})
+}
+
+func (s *SystemdTestSuite) TestIsActiveErr(c *C) {
+	sysErr := &Error{}
+	sysErr.SetExitCode(1)
+	sysErr.SetMsg([]byte("random-failure\n"))
+	s.errors = []error{sysErr}
+
+	active, err := New("xyzzy", s.rep).IsActive("foo")
+	c.Assert(active, Equals, false)
+	c.Assert(err, ErrorMatches, ".* failed with exit status 1: random-failure\n")
+}
+
+func makeMockMountUnit(c *C, mountDir string) string {
+	mountUnit := MountUnitPath(dirs.StripRootDir(mountDir))
+	err := ioutil.WriteFile(mountUnit, nil, 0644)
 	c.Assert(err, IsNil)
-	c.Check(args, DeepEquals, []string{"-o", "json", "-n", "10", "--no-pager", "-u", "foo", "-u", "bar"})
-	_, err = Jctl([]string{"foo", "bar", "baz"}, "99", true)
+	return mountUnit
+}
+
+// FIXME: also test for the "IsMounted" case
+func (s *SystemdTestSuite) TestRemoveMountUnit(c *C) {
+	rootDir := dirs.GlobalRootDir
+
+	mountDir := rootDir + "/snap/foo/42"
+	mountUnit := makeMockMountUnit(c, mountDir)
+	err := New(rootDir, nil).RemoveMountUnitFile(mountDir)
+
+	c.Assert(err, IsNil)
+	// the file is gone
+	c.Check(osutil.FileExists(mountUnit), Equals, false)
+	// and the unit is disabled and the daemon reloaded
+	c.Check(s.argses, DeepEquals, [][]string{
+		{"--root", rootDir, "disable", "snap-foo-42.mount"},
+		{"daemon-reload"},
+	})
+}
+
+func (s *SystemdTestSuite) TestDaemonReloadMutex(c *C) {
+	rootDir := dirs.GlobalRootDir
+	sysd := New(rootDir, nil)
+
+	mockSnapPath := filepath.Join(c.MkDir(), "/var/lib/snappy/snaps/foo_1.0.snap")
+	makeMockFile(c, mockSnapPath)
+
+	// create a go-routine that will try to daemon-reload like crazy
+	stopCh := make(chan bool, 1)
+	stoppedCh := make(chan bool, 1)
+	go func() {
+		for {
+			sysd.DaemonReload()
+			select {
+			case <-stopCh:
+				close(stoppedCh)
+				return
+			default:
+				//pass
+			}
+		}
+	}()
+
+	// And now add a mount unit file while the go-routine tries to
+	// daemon-reload. This will be serialized, if not this would
+	// panic because systemd.daemonReloadNoLock ensures the lock is
+	// taken when this happens.
+	_, err := sysd.AddMountUnitFile("foo", "42", mockSnapPath, "/snap/foo/42", "squashfs")
 	c.Assert(err, IsNil)
-	c.Check(args, DeepEquals, []string{"-o", "json", "-n", "99", "--no-pager", "-f", "-u", "foo", "-u", "bar", "-u", "baz"})
+	close(stopCh)
+	<-stoppedCh
 }
diff -Nru snapd-2.32.3.2~14.04/tests/completion/funcarg.complete snapd-2.37~rc1~14.04/tests/completion/funcarg.complete
--- snapd-2.32.3.2~14.04/tests/completion/funcarg.complete	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/completion/funcarg.complete	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,12 @@
+# -*- sh -*-
+
+# this is about stopping lp:1802721 (the second part, about the python
+# tab completion failing)
+
+_complete() {
+    if [[ ! "$1" =~ ^test-snapd-complexion ]]; then exit 1; fi
+    COMPREPLY=($( compgen -W "won too tree" "${COMP_WORDS[$COMP_CWORD]}" ))
+}
+
+complete -F _complete test-snapd-complexion
+complete -F _complete test-snapd-complexion.two
diff -Nru snapd-2.32.3.2~14.04/tests/completion/funcarg.vars snapd-2.37~rc1~14.04/tests/completion/funcarg.vars
--- snapd-2.32.3.2~14.04/tests/completion/funcarg.vars	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/completion/funcarg.vars	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,7 @@
+# -*- sh -*-
+
+_OUT0="too   tree  won"
+_KEY1="w"
+_OUT1="won"
+_KEY2="t"
+_OUT2="too   tree"
diff -Nru snapd-2.32.3.2~14.04/tests/completion/indirect/task.yaml snapd-2.37~rc1~14.04/tests/completion/indirect/task.yaml
--- snapd-2.32.3.2~14.04/tests/completion/indirect/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/completion/indirect/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,7 +2,7 @@
 
 prepare: |
   (
-      cd ../../lib/snaps/test-snapd-complexion
+      cd ../../lib/snaps/test-snapd-complexion || exit 1
       snap try
       mv test-snapd-complexion.bash-completer test-snapd-complexion.bash-completer.orig
       cp "${SPREAD_PATH}/${SPREAD_SUITE}/${SPREAD_VARIANT}.complete" test-snapd-complexion.bash-completer
@@ -12,16 +12,17 @@
 
 restore: |
   (
-      cd ../../lib/snaps/test-snapd-complexion
+      cd ../../lib/snaps/test-snapd-complexion || exit 1
       mv test-snapd-complexion.bash-completer.orig test-snapd-complexion.bash-completer
       snap remove test-snapd-complexion
   )
 
 execute: |
   d="$PWD"
+  #shellcheck disable=SC1090
   source "${SPREAD_PATH}/${SPREAD_SUITE}/${SPREAD_VARIANT}.vars"
   export _OUT0 _OUT1 _OUT2 _KEY1 _KEY2 _COMP
   for c in test-snapd-complexion test-snapd-complexion.two cplx cplx2; do
-    sudo CMD=$c PATH=$PATH _COMPLETE_SH=true -E -u test expect -d -f "$d"/task.exp
-    sudo CMD=$c PATH=$PATH _COMPLETE_SH=false -E -u test expect -d -f "$d"/task.exp
+    sudo CMD=$c "PATH=$PATH" _COMPLETE_SH=true -E -u test expect -d -f "$d"/task.exp
+    sudo CMD=$c "PATH=$PATH" _COMPLETE_SH=false -E -u test expect -d -f "$d"/task.exp
   done
diff -Nru snapd-2.32.3.2~14.04/tests/completion/simple/task.yaml snapd-2.37~rc1~14.04/tests/completion/simple/task.yaml
--- snapd-2.32.3.2~14.04/tests/completion/simple/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/completion/simple/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,6 +2,7 @@
 
 execute: |
   d="$PWD"
+  #shellcheck disable=SC1090
   source "${SPREAD_PATH}/${SPREAD_SUITE}/${SPREAD_VARIANT}.vars"
   export _OUT0 _OUT1 _OUT2 _KEY1 _KEY2 _COMP
   expect -d -f "$d"/task.exp
diff -Nru snapd-2.32.3.2~14.04/tests/completion/snippets/task.yaml snapd-2.37~rc1~14.04/tests/completion/snippets/task.yaml
--- snapd-2.32.3.2~14.04/tests/completion/snippets/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/completion/snippets/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,7 +2,7 @@
 
 prepare: |
   (
-      cd ../../lib/snaps/test-snapd-complexion
+      cd ../../lib/snaps/test-snapd-complexion || exit 1
       snap try
       mv test-snapd-complexion.bash-completer test-snapd-complexion.bash-completer.orig
       cp "${SPREAD_PATH}/${SPREAD_SUITE}/${SPREAD_VARIANT}.complete" test-snapd-complexion.bash-completer
@@ -10,13 +10,14 @@
 
 restore: |
   (
-      cd ../../lib/snaps/test-snapd-complexion
+      cd ../../lib/snaps/test-snapd-complexion || exit 1
       mv test-snapd-complexion.bash-completer.orig test-snapd-complexion.bash-completer
       snap remove test-snapd-complexion
   )
 
 execute: |
   d="$PWD"
+  #shellcheck disable=SC1090
   source "${SPREAD_PATH}/${SPREAD_SUITE}/${SPREAD_VARIANT}.vars"
   export _OUT0 _OUT1 _OUT2 _KEY1 _KEY2 _COMP
-  sudo PATH=$PATH -E -u test expect -d -f "$d"/task.exp
+  sudo PATH="$PATH" -E -u test expect -d -f "$d"/task.exp
diff -Nru snapd-2.32.3.2~14.04/tests/core18/basic/task.yaml snapd-2.37~rc1~14.04/tests/core18/basic/task.yaml
--- snapd-2.32.3.2~14.04/tests/core18/basic/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/core18/basic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,25 @@
+summary: Check basic core18 system functionality
+
+execute: |
+    echo "Check that the system snaps are there"
+    snap list | MATCH core18
+    snap list | MATCH snapd
+    if snap list | grep '^core +'; then
+        echo "The old core snap is installed but should not"
+        exit 1
+    fi
+
+    echo "Ensure that the system is fully seeded"
+    snap changes | MATCH "Done.*Initialize system state"
+
+    echo "Check that snapd tools for core18 works"
+    snap install test-snapd-tools-core18
+    test-snapd-tools-core18.echo hello | MATCH hello
+
+    if python3 -m json.tool < /var/lib/snapd/system-key | grep '"build-id": ""'; then
+        echo "The build-id of snapd must not be empty."
+        exit 1
+    fi
+
+    echo "Ensure passwd/group is available for snaps"
+    test-snapd-tools-core18.cat /var/lib/extrausers/passwd | MATCH test
diff -Nru snapd-2.32.3.2~14.04/tests/core18/compat/task.yaml snapd-2.37~rc1~14.04/tests/core18/compat/task.yaml
--- snapd-2.32.3.2~14.04/tests/core18/compat/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/core18/compat/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,11 @@
+summary: Ensure that core(16) compatibility is there
+
+execute: |
+    echo "Install test-snapd-tools (which uses the core snap)"
+    snap install test-snapd-tools
+
+    echo "Ensure that this pulled in core"
+    snap list | MATCH "^core +"
+
+    echo "Check test-snapd-tools see the core16 environment"
+    test-snapd-tools.cat /etc/os-release | MATCH "Ubuntu Core 16"
diff -Nru snapd-2.32.3.2~14.04/tests/core18/kernel/task.yaml snapd-2.37~rc1~14.04/tests/core18/kernel/task.yaml
--- snapd-2.32.3.2~14.04/tests/core18/kernel/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/core18/kernel/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+summary: Ensure that we have the right kernel
+
+execute: |
+    echo "Check kernel version"
+    uname -r | MATCH "^4.15"
diff -Nru snapd-2.32.3.2~14.04/tests/core18/remove/task.yaml snapd-2.37~rc1~14.04/tests/core18/remove/task.yaml
--- snapd-2.32.3.2~14.04/tests/core18/remove/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/core18/remove/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,25 @@
+summary: Check that removal of essential snaps does not work
+
+execute: |
+    echo "Ensure snapd cannot be removed"
+    if snap remove snapd; then
+        echo "The snapd snap should not be removable"
+        exit 1
+    fi
+    echo "Ensure core18 cannot be removed"
+    if snap remove core18; then
+        echo "The core18 snap should not removable"
+        exit 1
+    fi
+
+    echo "Install a snap that requires core as the base"
+    snap install test-snapd-tools
+    snap list | MATCH core
+    if snap remove core; then
+        echo "core should not be removalble because test-snapd-tools needs it"
+        exit 1
+    fi
+
+    echo "But core can be removed again once nothing on the system needs it"
+    snap remove test-snapd-tools
+    snap remove core
diff -Nru snapd-2.32.3.2~14.04/tests/core18/snapd-failover/task.yaml snapd-2.37~rc1~14.04/tests/core18/snapd-failover/task.yaml
--- snapd-2.32.3.2~14.04/tests/core18/snapd-failover/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/core18/snapd-failover/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,36 @@
+summary: Check that snapd failure handling works
+
+restore: |
+    rm -rf ./snapd-broken
+
+debug: |
+    # dump failure data
+    journalctl -u snapd.failure.service
+
+execute: |
+    echo "Testing failover handling of the snapd snap"
+    current=$(readlink /snap/snapd/current)
+    SNAPD_SNAP=$(ls /var/lib/snapd/snaps/snapd_"$current".snap)
+
+    echo "Verify that a random signal does not trigger the failure handling"
+    echo "and snapd is just restarted"
+    systemctl kill --signal=SIGSEGV snapd.service
+    systemctl status snapd.failure.service | MATCH inactive
+    echo "Snap list is working still"
+    snap list | MATCH "^snapd .* $current .*"
+
+    echo "Break snapd"
+    unsquashfs -d ./snapd-broken "$SNAPD_SNAP"
+    echo "" > ./snapd-broken/usr/lib/snapd/snapd
+    (cd ./snapd-broken && snap pack .)
+    echo "Now install the broken snapd"
+    if snap install --dangerous ./snapd-broken/snapd_*.snap; then
+        echo "installing a broken snapd should not work, test broken"
+        exit 1
+    fi
+
+    echo "And verify that snap commands still work and snapd is reverted"
+    snap list | MATCH "^snapd .* $current .*"
+
+    echo "Verify we got the expected error message"
+    snap change --last=install|MATCH "there was a snapd rollback across the restart"
diff -Nru snapd-2.32.3.2~14.04/tests/core18/snapd-refresh/task.yaml snapd-2.37~rc1~14.04/tests/core18/snapd-refresh/task.yaml
--- snapd-2.32.3.2~14.04/tests/core18/snapd-refresh/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/core18/snapd-refresh/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,40 @@
+summary: Test refreshing snapd and running new units
+
+execute: |
+    echo "Testing refresh/revert of snapd"
+    current=$(readlink /snap/snapd/current)
+    SNAPD_SNAP=$(ls /var/lib/snapd/snaps/snapd_"$current".snap)
+    for _ in $(seq 10); do
+
+        echo "Installing a new snapd snap"
+        snap install --dangerous "$SNAPD_SNAP"
+        echo "Still leaves 'snap list' working"
+        if snap list | grep "snapd.*$current "; then
+            echo "snap install of new snapd did not update to new snapd"
+            exit 1
+        fi
+        running="$(readlink -f /proc/"$(pidof snapd)"/exe)"
+        if echo "$running" | grep "/snap/snapd/$current/usr/lib/"; then
+            echo "The current running snapd is not $running"
+            exit 1
+        fi
+
+        echo "And reverting snapd"
+        snap revert snapd
+        echo "Also gives us a working snapd"
+        snap list | MATCH "snapd.*$current "
+        echo "And we see the original snapd running"
+        running="$(readlink -f /proc/"$(pidof snapd)"/exe)"
+        echo "$running" | MATCH "/snap/snapd/$current/usr/lib/"
+    done
+    snap changes | MATCH 'Install "snapd"'
+    snap changes | MATCH 'Revert "snapd" snap'
+
+    # ensure snapd is working after a reboot
+    if [ "$SPREAD_REBOOT" = 0 ]; then
+        REBOOT
+    fi
+
+    snap list | MATCH "snapd.*$current "
+    snap install test-snapd-tools-core18
+    test-snapd-tools-core18.echo hello | MATCH hello
diff -Nru snapd-2.32.3.2~14.04/tests/cross/go-build/task.yaml snapd-2.37~rc1~14.04/tests/cross/go-build/task.yaml
--- snapd-2.32.3.2~14.04/tests/cross/go-build/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/cross/go-build/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,57 @@
+summary: Build Go commands across multiple arches
+
+environment:
+    X_DEBARCH/armhf: armhf
+    X_GOARCH/armhf: arm
+    X_GCC/armhf: gcc-arm-linux-gnueabihf
+    X_CC/armhf: arm-linux-gnueabihf-gcc
+
+    X_DEBARCH/arm64: arm64
+    X_GOARCH/arm64: arm64
+    X_GCC/arm64: gcc-aarch64-linux-gnu
+    X_CC/arm64: aarch64-linux-gnu-gcc
+
+    X_DEBARCH/s390x: s390x
+    X_GOARCH/s390x: s390x
+    X_GCC/s390x: gcc-s390x-linux-gnu
+    X_CC/s390x: s390x-linux-gnu-gcc
+
+    X_DEBARCH/ppc64el: ppc64el
+    X_GOARCH/ppc64el: ppc64le
+    X_GCC/ppc64el: gcc-powerpc64le-linux-gnu
+    X_CC/ppc64el: powerpc64le-linux-gnu-gcc
+
+restore: |
+    rm -rf /tmp/cross-build
+    dpkg -l | awk "/^ii.*$X_DEBARCH/{print \$2}" | xargs apt --yes --quiet -o Dpkg::Progress-Fancy=false autoremove --purge
+    dpkg --remove-architecture "$X_DEBARCH"
+    mv /etc/apt/sources.list.orig /etc/apt/sources.list
+    apt --quiet -o Dpkg::Progress-Fancy=false update
+
+prepare: |
+    source /etc/os-release
+    mkdir -p /tmp/cross-build/src/github.com/snapcore
+    cp -ar "$PROJECT_PATH" /tmp/cross-build/src/github.com/snapcore
+    chown -R test:12345 /tmp/cross-build
+
+    mv /etc/apt/sources.list /etc/apt/sources.list.orig
+    cat > /etc/apt/sources.list <<-EOF
+          deb [arch=amd64,i386] http://archive.ubuntu.com/ubuntu/  $UBUNTU_CODENAME           main universe
+          deb [arch=amd64,i386] http://archive.ubuntu.com/ubuntu/  $UBUNTU_CODENAME-updates   main universe
+          deb [arch=amd64,i386] http://archive.ubuntu.com/ubuntu/  $UBUNTU_CODENAME-backports main universe
+          deb [arch=amd64,i386] http://security.ubuntu.com/ubuntu/ $UBUNTU_CODENAME-security  main universe
+
+          deb [arch=armhf,arm64,powerpc,ppc64el,s390x] http://ports.ubuntu.com/ $UBUNTU_CODENAME           main universe
+          deb [arch=armhf,arm64,powerpc,ppc64el,s390x] http://ports.ubuntu.com/ $UBUNTU_CODENAME-updates   main universe
+          deb [arch=armhf,arm64,powerpc,ppc64el,s390x] http://ports.ubuntu.com/ $UBUNTU_CODENAME-backports main universe
+          deb [arch=armhf,arm64,powerpc,ppc64el,s390x] http://ports.ubuntu.com/ $UBUNTU_CODENAME-security  main universe
+    EOF
+    dpkg --add-architecture "$X_DEBARCH"
+    apt --quiet -o Dpkg::Progress-Fancy=false update
+    apt --yes --quiet -o Dpkg::Progress-Fancy=false install "$X_GCC" libseccomp-dev:"$X_DEBARCH"
+
+execute: |
+    cd /tmp/cross-build/src/github.com/snapcore/snapd
+    for cmd in $( find ./cmd -mindepth 2 -maxdepth 2 -name \*.go -printf '%h\n' | sort -u ); do
+      su -c "GOPATH=/tmp/cross-build CGO_ENABLED=1 GOARCH=$X_GOARCH CC=$X_CC go build -v -o /dev/null $cmd" test
+    done
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/auto-import.assert snapd-2.37~rc1~14.04/tests/lib/assertions/auto-import.assert
--- snapd-2.32.3.2~14.04/tests/lib/assertions/auto-import.assert	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/auto-import.assert	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,6 @@
 type: system-user
-authority-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
-revision: 1
-brand-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
+authority-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
+brand-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
 email: snappy-dev@lists.launchpad.net
 models:
   - pc
@@ -11,18 +10,18 @@
 password: $6$o5er943Y$cngsJHutSgACVbR65WAnhaUPC9.vENj8locb50hvMdMRMK8cQ3Zbu6WPh5Al2JrnHzpR63osPCwE/IFG/2s6K1
 series:
   - 16
-since: 2016-10-10T15:03:21+00:00
-until: 2017-10-09T15:03:21+00:00
+since: 2018-09-11T15:03:21+00:00
+until: 2019-09-10T15:03:21+00:00
 username: user1
-sign-key-sha3-384: uv2i3nctwgiMQQ2rd_9mhwHsQbTRJPHnpeQjpRbSfs4m3lxhH2E89wkKKqYp_8i5
+sign-key-sha3-384: GviipVKTtx3xUSQUQJ4BgzicfuXo4-P8j3Tdbkj1ipVZURJ84rT_ub_pMZjpP2Ii
 
-AcLBXAQAAQoABgUCWD1lgAAKCRCi4irWmF+hRcO6D/9FpYFqLxz8mzyI31js9TfmsVOuaWpe6DBn
-Nu2Ay168waDgOMtTU1MBONn5qeX44mukSz0v5XL6SIRcrVPRavM1Epfda/IRizysLcPe1cMoh1iq
-hEarVS6V63MZgmGPgrfv9NXL7eoU+w+OXOcrxonZnIMiq4EwRY4udBYCMWAXRO4tQkIyNmXXdJqd
-8JVo0pUfZDkRq8SAOt2FzSxVVpPcUyos7rLExzAsN6YCflatcW23gjfjx8EVzka+Pg25pyevz11x
-srsg641cXTSVznN9k62BhOgrTgZXuunrhYRoe6/sAfq2By8yzsf9rv9bNYBDyH1CTk3ejUt/NJyu
-Xs2mv6pXERrIz2SXJoz7VO6UnzNte4vVni0vs117wJevOnVdymjxcbDwseHs2PgZag+lCdSADwGI
-NhMHzB/XZ+eMaGv3yPSsHZ9nU+YgwiuR5QeI6AqfoQqbi3HF1LVNMptsnbMX346zgI8iKKL22bqA
-bXC21F22aotXsaLo6v/TlaBStIggxY5HQ0+FHLR4sfYtiFFGF277eIuDSN8EHv1S/4klDBv2qXzu
-PtSUE+u9HMCAum8arnGzpgPW8KZBHLdA9pp/ibLsRJrbuqGWZPHGLkBjLWBCSd/a19mYyD5GzeUf
-FwdVIDMvilpIPzKm2HzX5SLJrbIz0eMeGR7dqOK7ug==
+AcLBXAQAAQoABgUCW5hHBQAKCRBG7jdDygWV0VvAEACKM2hH7Os5H3pO73IWPZ3jREWzgMsswTlA
+erCUS7Xr86QW4TzJ9zry0HqQzJPlBVsjxPTvNG8+kF6MQ0ZKK4LKRDmnQ8kxgvogBwWVMfn0W/iT
+uyiCCROd2x4Q2RvrohAgzlTnfCSmd2/U7dhxvLKLgFYLpkbx8NJ4SbVQ/kHaZu2cWICRI8EO47iJ
+XVE4+TTBEkjNMdXbm8/mb3EFckbVpaX0HXk2QXAQLSvOwktRefuJujVzGyTD1eFySawPH5s9zGE5
+TRSeIpDrSdMNRvK+6xh1WqxLa+CiMq+0HfncSSnMxOVwYva3xx8MLPKtzCxwSFM2odGumm/TkCpw
+i7MdGWI24UTT5STmw2OeJZNVo3wNjwRgr3jpRNMqzkm/S63Kuts0yS33yUqf6v0eaHeL8BPNTrOK
+5M9rbTq5mQv2b5UTshLX2X+0WI5f4IKWjcL+ZrJ0G1s++2aCw8zPfCzYTeo3tQIcHtnyVc09MoK8
+o+kCtDjIdU+ddhSHiDAqYbf4BTg1QxDKZboU8jnBR3bDIGmnizu4qutNcgixLpHpU8u2Asq1btyv
+c5ZaBhbrlrB/n+/vzptdprKrR1QpvuW4EQN1Z4DK0SFfVni9sdVeG6KqGu7DD3Vxiq1Qk4Aq3sbo
+kD+edYrBvGP90J66GfZDLA6HCLY1n8mX+K3VLE9FWw==
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/auto-import.assert.json snapd-2.37~rc1~14.04/tests/lib/assertions/auto-import.assert.json
--- snapd-2.32.3.2~14.04/tests/lib/assertions/auto-import.assert.json	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/auto-import.assert.json	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,13 @@
+{
+    "type": "system-user",
+    "authority-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "series": ["16"],
+    "brand-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "email": "snappy-dev@lists.launchpad.net",
+    "models": ["pc","pc-i386","pi2"],
+    "name": "user1",
+    "username": "user1",
+    "password": "$6$o5er943Y$cngsJHutSgACVbR65WAnhaUPC9.vENj8locb50hvMdMRMK8cQ3Zbu6WPh5Al2JrnHzpR63osPCwE/IFG/2s6K1",
+    "since": "2018-09-11T15:03:21+00:00",
+    "until": "2019-09-10T15:03:21+00:00"
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/nested-amd64.model snapd-2.37~rc1~14.04/tests/lib/assertions/nested-amd64.model
--- snapd-2.32.3.2~14.04/tests/lib/assertions/nested-amd64.model	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/nested-amd64.model	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 type: model
-authority-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
+authority-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
 series: 16
-brand-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
+brand-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
 model: pc
 architecture: amd64
 gadget: pc
 kernel: pc-kernel
-timestamp: 2016-09-16T15:03:21+00:00
-sign-key-sha3-384: uv2i3nctwgiMQQ2rd_9mhwHsQbTRJPHnpeQjpRbSfs4m3lxhH2E89wkKKqYp_8i5
+timestamp: 2018-09-11T22:00:00+00:00
+sign-key-sha3-384: GviipVKTtx3xUSQUQJ4BgzicfuXo4-P8j3Tdbkj1ipVZURJ84rT_ub_pMZjpP2Ii
 
-AcLBXAQAAQoABgUCV+JS/QAKCRCi4irWmF+hRWiBD/43ZWNoYff2lQXdmqAHGmfnCp13GqaSNBvf
-rfOYw7rOoQK1FeAdijfzLfoBEaP+CfPB7WdenTQGRxwX2z1p8sSxPyD9eXjw/spzdhIh6/8lp8yC
-4Dq3G9r9ySbokExwsV4XQnly9dWPzZP+DejxyroUFERsj3drEEI94b7aN/fUEYeqU1QEIOi+VCmT
-t9iGV+fUYuk7UBIOOVqLmSKgqOw3NsmSjLbASsl4SsyQ3eMQoNs8hzCmp2N/IrwMXPoUu7Ivi/zZ
-bOIiCGC1YPrWJzUZ4C/B89EiilOPHnk98Umr76tIM7X0EnS8cYnyuLx9hDczLC5a2uE0PC45rmZB
-abjkTVea6i735RrE6Ffw/aWLMfp32vL7JOnOqkyzp/2g0IyYAyY3wvVea2IyWhI2wz532Es71gEa
-MAu8jiWn3rncvQNf0j2eCzhg0ZJ7G0+Qe19D7heLCP+/tpt+kOYDT0o8+drezRMuIiU5JE4/sxan
-YVRjpYzQPuNx13elAzJXy+24wnKMOwUuHCm25TMUPI1j/3Fw2xPqqYnkhkR6OaBF0ZuAxRYMUsWw
-gKWGS2nim2+DVh2d4NbAQtYDVRqAm/jCY0180aZ9/G2iqk66pMGDW9Njy9Rl+YgXyyqn6PYpSt6r
-v0ZF1XkDWGLaB2ohNugO6j8fp0MiKWs3WPWdnsXVIw==
+AcLBXAQAAQoABgUCW5hHBQAKCRBG7jdDygWV0cB9EACQQgH6QlhsSYm02kTstlQZQ33kNpS3uUck
+z4sedNCxcKxHJhBXUINzlkYFVNN2rAs/uXDacCOH14MSKp59UPgI6XwuhmXBdzjqL5R4XMSoquDa
+8+TZeKHw9jVkUZUhJc7dmxJmHVtjITfBnAcdqlesljOHF2WsGIw/gxvx+1w84QyJBpMOXDbkvK2H
+l8WIRAahTHJlGu6kRSU3DwWsGbMuPVmQ3Nv2Ljy0Z9ssUtguJLEif3EUMLfrwMfXMOwhvpWDzagT
+mgU++DK3vVNJUYIGAnYx1rppVw8+hbFf1Y8wBiPBcElSwGjJE/qqarcNVVGL8ec3uUlCXGhd/rqV
+DcQUbgD6lDjMqPuZkf85xcBUkcemZB5NVdrsKCTQz9BsQS0mZL/c8D1TdUnh/mAPfFAChOkEc2tz
+o3bH1fA7/SM25Wo5/fDB1DWaJIYT2lBMD1tP3uswYBAy42L4mOO6aL11KYeF3YnE1WopCsrzH47n
+vk4JNPvkh3rYU5d2etPeNmpbHvVf2cmVJFYWIeDkKfbxT2+Cj1y71coKmHLj+QR6X26rc7eXhrKe
+AklAaaBoS7kDHr3sRoSeD+KP7lKsCn2HIIH83Psml6E+RxHDlPmnz69B5mQOvfTyu31geyJDBlj5
+QpShVWUxxN6IY1x39XkBEkSArIgwKdsD9FF7jlFDNQ==
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/nested-amd64.model.json snapd-2.37~rc1~14.04/tests/lib/assertions/nested-amd64.model.json
--- snapd-2.32.3.2~14.04/tests/lib/assertions/nested-amd64.model.json	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/nested-amd64.model.json	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,11 @@
+{
+    "type": "model",
+    "authority-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "series": "16",
+    "brand-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "model": "pc",
+    "architecture": "amd64",
+    "gadget": "pc",
+    "kernel": "pc-kernel",
+    "timestamp": "2018-09-11T22:00:00+00:00"
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/nested-i386.model snapd-2.37~rc1~14.04/tests/lib/assertions/nested-i386.model
--- snapd-2.32.3.2~14.04/tests/lib/assertions/nested-i386.model	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/nested-i386.model	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 type: model
-authority-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
+authority-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
 series: 16
-brand-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
+brand-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
 model: pc-i386
 architecture: i386
 gadget: pc
 kernel: pc-kernel
-timestamp: 2016-10-17T15:03:21+00:00
-sign-key-sha3-384: uv2i3nctwgiMQQ2rd_9mhwHsQbTRJPHnpeQjpRbSfs4m3lxhH2E89wkKKqYp_8i5
+timestamp: 2018-09-11T22:00:00+00:00
+sign-key-sha3-384: GviipVKTtx3xUSQUQJ4BgzicfuXo4-P8j3Tdbkj1ipVZURJ84rT_ub_pMZjpP2Ii
 
-AcLBXAQAAQoABgUCWDWJMgAKCRCi4irWmF+hReubEACMULpTI/ofsj+lhOEoI1E5LzygXmpqDnrg
-3PG4hv4V0URKRSv9vZwjEi49TgMXkG6MWg/A6XuszIftHjifbbvdb8mqtwqlWpFWKMH6ueugwMqn
-BVj0Ja/APr/xlVTtMaWCxiAdVfhz9ZEuFHESZ7l2Ok8E9JXD2tan7QZNSfQN+p2eX9fhNIH7tQGK
-+nDxc97VRLUy8yGTPZpDsLTXE73RYsgDwbbeXrXORwz4mr/BZN8btzOHs5myRh5Tt3clA7Xqyh9j
-xOiNx+v8h6tpKG77ONN5yY3S7lp5DQEBMjTkuRBjQ2/JCp4mYwgw5j+tvbMFGRL82yTyVWi5re3P
-Kjw/PKxtmtDYdgOiuLpsTYU0O4zXxK8bQq6Fxmm2zXFnQ+yFWzRGQa2kNRSM45/Y4913ilBt5+rS
-cs8c0lYJGM+3Ei5AjQo93r0KKrh7zu2b6P+38AH+2/RrNB7+ZCOrHK2tYBgkjUkqcuXNzj5/xhMc
-izCiIuRu+LlmTLmT9QSsbxQJXFRZOlTAnnp0RjfdFHHyGVsNDB8glk5iqSeqp9ACjIJcEgFOM807
-GdYX/0ssj6XzKPaaI8a7+n7Z05uo2gvuIU6o+RWc4f7ZWulbdARfM3ht05E/FaSO+wnzeR28X6bE
-so23WNyYy0o3GYcmbMmI4McWobg4cmpz+tViZtu5iQ==
+AcLBXAQAAQoABgUCW5hHBQAKCRBG7jdDygWV0aDGEACR7tKr92vFWtXs9E0PG48dDi+P5+/7CsvI
+S4lx/JpaHR8EQrTDd1QHuNphV+EtQujCbGfS1OcemQxk9oOwdEkStaswhhPXC0MH2KVvJtFmitfl
+Gyz390GoiigYfxVlV0oO3EJZhUDptBnPO511vDGiUgAOGRT9a7C25e4+UQ5jkD5x+PPkFgbliJok
+tVYv5tdVbs/rrPZjZOPbiCKEvd+osxZETzjPVYfI7f42rHT5LRMcU7u5BXuHlzulJ/Bvgp3bJeoS
+8c4e9bTfB/9KfsxXPXgCWH4vtAyrsOPWIP51SvGfY0ADzXm1qkpczQumoZZVlyyHuhbe5NKbP5LG
+xGJIbUKjzjOuLUc90tkMqx8Zl/qmfxR5hC6NFqVD2inAJMmRAsHK8IUOISSSQK8aTcVu+fqGuXKX
+occ4TGqQ3DmidlhwiuZSQOwPlJDOFzVz42TFNR5mYQaBUCUogE4DLzAeaJr8EIDbL2noyBs5rYq1
+PIo/kW6hJD6WMhIbiut68EDRIKhoR9I2MuWAp3PFSieTqODygzXznew68kB25Ksmb4aRAzxkf21D
+m1VRe07p01njzIaICccdr+Q250fi2s6PpC3hA2TTxAm37220f6xn2hi1T3NqnP0+YrjUFMOlEfUO
+EfiCySS5qhbjMK19TbVpnsvwm6pD/VjhvJRR1s3OrQ==
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/nested-i386.model.json snapd-2.37~rc1~14.04/tests/lib/assertions/nested-i386.model.json
--- snapd-2.32.3.2~14.04/tests/lib/assertions/nested-i386.model.json	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/nested-i386.model.json	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,11 @@
+{
+    "type": "model",
+    "authority-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "series": "16",
+    "brand-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "model": "pc-i386",
+    "architecture": "i386",
+    "gadget": "pc",
+    "kernel": "pc-kernel",
+    "timestamp": "2018-09-11T22:00:00+00:00"
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/pi2.model snapd-2.37~rc1~14.04/tests/lib/assertions/pi2.model
--- snapd-2.32.3.2~14.04/tests/lib/assertions/pi2.model	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/pi2.model	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
 type: model
-authority-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
+authority-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
 series: 16
-brand-id: ezPmSahqWjPQWhv3o4cY0MG0JkqpKIoL
+brand-id: BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz
 model: pi2
 architecture: armhf
 gadget: pi2
 kernel: pi2-kernel
-timestamp: 2016-09-16T15:03:21+00:00
-sign-key-sha3-384: uv2i3nctwgiMQQ2rd_9mhwHsQbTRJPHnpeQjpRbSfs4m3lxhH2E89wkKKqYp_8i5
+timestamp: 2018-09-11T22:00:00+00:00
+sign-key-sha3-384: GviipVKTtx3xUSQUQJ4BgzicfuXo4-P8j3Tdbkj1ipVZURJ84rT_ub_pMZjpP2Ii
 
-AcLBXAQAAQoABgUCV+JS8AAKCRCi4irWmF+hRXa3EACwVgcYNRrnAOeAzybAWy7M8HHB2j7xultB
-ESO/HTvw3e8dIB2mF8SyVtLWZG611ZNoa59Q4kjZAm8bGqE7Qq44oRRBRak5QhBG4AlU/PKAhot1
-2vRTFzNeWZRW6Tvc60mA9GvVA98Ck9QeTAtixYifP+032PdRj9hdIimeCAuCfl2QMms0C6+FFgVO
-dyE67AzZpiQzTytr01U/ScVkJCyJJKGAZaJ/8DDgELSkZEcuJ6EkOnKdcnyPgo6+KppIdK9AT3hL
-E2ZNEHap1FMxcutxRvXyO4PvJlNenHjg1TZIbX4Tw6/TwRCKEvoaRMglTKiUJ9PNAOp9AU11kekl
-j8+dyWjCNUEC4t2RrTuVS0c77Zxfj1zf31a9HyM9DWtiTytgF6kkpy7g/fpNweJc/P2ikQh21hYm
-9Epu9iVsb3baD3KTIrNypsBqnWkQJC+BE1M+vywZD941QXfH5qgZpUYHn9pk6WfXa3ROfp4y7iaD
-K1xp+tYwToSzv8gtQz77sVF9FMzcPnZYnDbUO2yVCZsYWBtSHRFbL2iHDyWPYi0Be0c/VyeJ5LIG
-ydzjNelbF+5kOSowWVD8vDlt7nx3hl4HYJKkrAAtWXwPJFMAKdyMLA5QdP1lRMDZ+vZweuoZiKz5
-Q8upmKnwU0deeYTVC6BzZcq6m8VyVBVZ5rB5NhAJUw==
+AcLBXAQAAQoABgUCW5hHBgAKCRBG7jdDygWV0SycEACMjwswmkO4OT8l4Q68aWRsmF6QjwF0vkS5
+/htDfJvStet3+UcvoPbgOtCC6aaQ8gGJV8IrMb7BaSkvudYV6Tvv6fX4mk0Xen6+vfDLDOp4bn3E
+17NAOZF6CuAu3788aylnXzunHBwh/uPKkvQX4PvCVdS8qibW+H6ByqfbgbAzhJ1TROiQzdvmxlOc
+T9SlAug+8LNN49G47vFcNhN4VIwLfo508COqy2lqYQAW8SDoKgBqrLKbBZUOdWqwXdKo9COO6gXY
+29NmAQ0zvD3PJaeMp8U2O8A2+qVCQD8Kc8oSBee7m2FsO9QMuSVFvkzcaLg76ctI90tV70Aw9YuD
+UFXOJn4iKcDQ62Z2fyegtD1i4ynKIPROg1zCiMbmwjftAgprNJJ7rLUJv20dehNt6wHTEqRzNRqX
+AknIgYdrRFgxMccXOgXycxZoZNc1mpxuq5o8SpxYwjmL/v7FoFb5xU5NwwproIT4i2LG1SKRMPGr
+crzgGVCmCLWOrARO6S9EAPkdGoKNeKopqw+b3Fc1Zg4ir+942qi0aPgngRTnO1f7w45sDaFdgu7i
+zBtmjaFMXlYqaxRVptyc+zgKEgXfcXsUn0QShK0vtnViWgrtJtpq1WkxZQjkFuQc5za80LYccq6l
+U7s5MAkX6i+S00UMc84MFUirol9NjKTXrDAW6DpuOg==
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/pi2.model.json snapd-2.37~rc1~14.04/tests/lib/assertions/pi2.model.json
--- snapd-2.32.3.2~14.04/tests/lib/assertions/pi2.model.json	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/pi2.model.json	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,11 @@
+{
+    "type": "model",
+    "authority-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "series": "16",
+    "brand-id": "BhgbYoDtThegqVkEU7oiZP8GQwCoUIxz",
+    "model": "pi2",
+    "architecture": "armhf",
+    "gadget": "pi2",
+    "kernel": "pi2-kernel",
+    "timestamp": "2018-09-11T22:00:00+00:00"
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/assertions/ubuntu-core-18-amd64.model snapd-2.37~rc1~14.04/tests/lib/assertions/ubuntu-core-18-amd64.model
--- snapd-2.32.3.2~14.04/tests/lib/assertions/ubuntu-core-18-amd64.model	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/assertions/ubuntu-core-18-amd64.model	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,23 @@
+type: model
+authority-id: canonical
+series: 16
+brand-id: canonical
+model: ubuntu-core-18-amd64
+architecture: amd64
+base: core18
+display-name: Ubuntu Core 18 (amd64)
+gadget: pc=18
+kernel: pc-kernel=18
+timestamp: 2018-08-13T09:00:00+00:00
+sign-key-sha3-384: 9tydnLa6MTJ-jaQTFUXEwHl1yRx7ZS4K5cyFDhYDcPzhS7uyEkDxdUjg9g08BtNn
+
+AcLBXAQAAQoABgUCW37NBwAKCRDgT5vottzAEut9D/4u9lD3lFWXoHx1VQT+mUCROcFHdXQBY/PJ
+NriRiDwBaOjEo5mvHMRJ2UulWvHnwqyMJctJKBP+RCKlrJEPX8eaLP/lmihwIiFfmzm49BLaNwli
+si0entond1sVWfiNr7azXoEuAIgYvxmJIvE+GZADDT0/OTFQRcLU69bhNEAQKBnkT0y/HTpuXwlJ
+TuwwJtDR0vZuFtwzj6Bdx7W42+vGmuXE7M4Ni6HUySNKYByB5BsrDf3/79p8huXyBtnWp+HBsHtb
+fgjzQoBcspj65Gi+crBrJ4jS+nfowRRVXLL1clXJOJLz12za+kN0/FC0PhussiQb5UI7USXJ+RvA
+Y8U1vrqG7bG5GYGqe1KB9GbLEm+GBPQZcZI3jRmm9V7tm9OWQzK98/uPwTD73IW7LrDT35WQrIYM
+fBfThJcRqpgzwZD/CBx82maLB9tmsRF5Mhcj2H1v7cn8nSkbv7+cCzh25lKv48Vqz1WTgO3HMPWW
+0kb6BSoC+YGpstSUslqtpLdY/MfFI0DhshH2Y+h0c9/g4mux/Zb8Gs9V55HGn9mr2KKDmHsU2k+C
+maZWcXOxRpverZ2Pi9L4fZxhZ9H+FDcMGiHn2vJFQhI3u+LiK3aUUAov4k3vNRPGSvi1AGhuEtUa
+NG54bznx12KgOT3+YiHtfE95WiXUcJUrEXAgfVBVoA==
diff -Nru snapd-2.32.3.2~14.04/tests/lib/boot.sh snapd-2.37~rc1~14.04/tests/lib/boot.sh
--- snapd-2.32.3.2~14.04/tests/lib/boot.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/boot.sh	2019-01-16 08:36:51.000000000 +0000
@@ -2,7 +2,7 @@
 
 GRUB_EDITENV=grub-editenv
 case "$SPREAD_SYSTEM" in
-    fedora-*|opensuse-*)
+    fedora-*|opensuse-*|amazon-*|centos-*)
         GRUB_EDITENV=grub2-editenv
         ;;
 esac
@@ -33,3 +33,15 @@
         fw_setenv "$var"
     fi
 }
+
+get_boot_path() {
+    if [ -f /boot/uboot/uboot.env ]; then
+        echo "/boot/uboot/"
+    elif [ -f /boot/grub/grubenv ]; then
+        echo "/boot/grub/"
+    else
+        echo "Cannot determine boot path"
+        ls -alR /boot
+        exit 1
+    fi
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/cache/README.txt snapd-2.37~rc1~14.04/tests/lib/cache/README.txt
--- snapd-2.32.3.2~14.04/tests/lib/cache/README.txt	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/cache/README.txt	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-Any snap files present in this directory will be reused for tests and will save
-bandwidth. This is cost-effective when using qemu back-end as LAN bandwidth is
-faster and cheaper than internet traffic.
diff -Nru snapd-2.32.3.2~14.04/tests/lib/changes.sh snapd-2.37~rc1~14.04/tests/lib/changes.sh
--- snapd-2.32.3.2~14.04/tests/lib/changes.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/changes.sh	2019-01-16 08:36:51.000000000 +0000
@@ -4,5 +4,5 @@
     # takes <summary pattern> [<status>]
     local SUMMARY_PAT=$1
     local STATUS=${2:-}
-    snap changes|grep -o -P "^\d+(?= *${STATUS}.*${SUMMARY_PAT}.*)"
+    snap changes|grep -o -P "^\\d+(?= *${STATUS}.*${SUMMARY_PAT}.*)"
 }
diff -Nru snapd-2.32.3.2~14.04/tests/lib/cla_check.py snapd-2.37~rc1~14.04/tests/lib/cla_check.py
--- snapd-2.32.3.2~14.04/tests/lib/cla_check.py	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/cla_check.py	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,136 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from __future__ import print_function
+
+# XXX copied from https://github.com/kyrofa/cla-check
+# (and then heavily modified)
+import os
+import re
+import sys
+from subprocess import check_call, check_output
+
+
+try:
+    from launchpadlib.launchpad import Launchpad
+except ImportError:
+    sys.exit("Install launchpadlib: sudo apt install python-launchpadlib")
+
+shortlog_email_rx = re.compile("^\s*\d+\s+.*<(\S+)>$", re.M)
+
+
+def get_emails_for_range(r):
+    output = check_output(["git", "shortlog", "-se", r])
+    return set(m.group(1) for m in shortlog_email_rx.finditer(output))
+
+
+if sys.stdout.isatty():
+    green = "\033[32;1m"
+    red = "\033[31;1m"
+    yellow = "\033[33;1m"
+    reset = "\033[0m"
+    clear = "\033[0K"
+else:
+    green = ""
+    red = ""
+    yellow = ""
+    reset = ""
+    clear = ""
+
+
+def static_email_check(email, master_emails, width):
+    if email in master_emails:
+        print("{}✓{} {:<{}} already on master".format(green, reset, email, width))
+        return True
+    if email.endswith("@canonical.com"):
+        print("{}✓{} {:<{}} @canonical.com account".format(green, reset, email, width))
+        return True
+    if email.endswith("@mozilla.com"):
+        print(
+            "{}✓{} {:<{}} @mozilla.com account (mozilla corp has signed the corp CLA)".format(
+                green, reset, email, width
+            )
+        )
+        return True
+    if email.endswith("@users.noreply.github.com"):
+        print(
+            "{}‽{} {:<{}} privacy-enabled github web edit email address".format(
+                yellow, reset, email, width
+            )
+        )
+        return True
+    return False
+
+
+def lp_email_check(email, lp, cla_folks, width):
+    contributor = lp.people.getByEmail(email=email)
+    if not contributor:
+        print("{}🛇{} {:<{}} has no Launchpad account".format(red, reset, email, width))
+        return False
+
+    if contributor in cla_folks:
+        print(
+            "{}✓{} {:<{}} ({}) has signed the CLA".format(
+                green, reset, email, width, contributor
+            )
+        )
+        return True
+    else:
+        print(
+            "{}🛇{} {:<{}} ({}) has NOT signed the CLA".format(
+                red, reset, email, width, contributor
+            )
+        )
+        return False
+
+
+def print_checkout_info(travis_commit_range):
+    # This is just to have information in case things go wrong
+    if clear:
+        print("travis_fold:start:checkout_info\r" + clear, end="")
+    print("{}Debug information{}".format(yellow, reset))
+    print("Commit range:", travis_commit_range)
+    print("Remotes:")
+    sys.stdout.flush()
+    check_call(["git", "remote", "-v"])
+    print("Branches:")
+    sys.stdout.flush()
+    check_call(["git", "branch", "-v"])
+    sys.stdout.flush()
+    if clear:
+        print("travis_fold:end:checkout_info\r" + clear)
+
+
+def main():
+    travis_commit_range = os.getenv("TRAVIS_COMMIT_RANGE", "")
+    print_checkout_info(travis_commit_range)
+
+    if travis_commit_range == "":
+        sys.exit("No TRAVIS_COMMIT_RANGE set.")
+
+    emails = get_emails_for_range(travis_commit_range)
+    if len(emails) == 0:
+        sys.exit("No emails found in in the given commit range.")
+
+    master_emails = get_emails_for_range("master")
+
+    width = max(map(len, emails))
+    lp = None
+    failed = False
+    print("Need to check {} emails:".format(len(emails)))
+    for email in emails:
+        if static_email_check(email, master_emails, width):
+            continue
+        # in the normal case this isn't reached
+        if lp is None:
+            print("Logging into Launchpad...")
+            lp = Launchpad.login_anonymously("check CLA", "production")
+            cla_folks = lp.people["contributor-agreement-canonical"].participants
+        if not lp_email_check(email, lp, cla_folks, width):
+            failed = True
+
+    if failed:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()
diff -Nru snapd-2.32.3.2~14.04/tests/lib/dirs.sh snapd-2.37~rc1~14.04/tests/lib/dirs.sh
--- snapd-2.32.3.2~14.04/tests/lib/dirs.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/dirs.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,22 @@
-#!/bin/sh
+#!/bin/bash
 
 export SNAP_MOUNT_DIR=/snap
 export LIBEXECDIR=/usr/lib
+export MEDIA_DIR=/media
 
 case "$SPREAD_SYSTEM" in
-    fedora-*)
+    fedora-*|amazon-*|centos-*)
         export SNAP_MOUNT_DIR=/var/lib/snapd/snap
         export LIBEXECDIR=/usr/libexec
+        export MEDIA_DIR=/run/media
+        ;;
+    arch-*)
+        export SNAP_MOUNT_DIR=/var/lib/snapd/snap
+        export MEDIA_DIR=/run/media
+        ;;
+    opensuse-*)
+        export SNAP_MOUNT_DIR=/snap
+        export MEDIA_DIR=/run/media
         ;;
     *)
         ;;
diff -Nru snapd-2.32.3.2~14.04/tests/lib/fakedevicesvc/main.go snapd-2.37~rc1~14.04/tests/lib/fakedevicesvc/main.go
--- snapd-2.32.3.2~14.04/tests/lib/fakedevicesvc/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/fakedevicesvc/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -51,7 +51,7 @@
 	s := &http.Server{Handler: http.HandlerFunc(handle)}
 	go s.Serve(l)
 
-	ch := make(chan os.Signal)
+	ch := make(chan os.Signal, 2)
 	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
 	<-ch
 
diff -Nru snapd-2.32.3.2~14.04/tests/lib/fakegpio/fake-gpio.py snapd-2.37~rc1~14.04/tests/lib/fakegpio/fake-gpio.py
--- snapd-2.32.3.2~14.04/tests/lib/fakegpio/fake-gpio.py	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/fakegpio/fake-gpio.py	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,108 @@
+#!/usr/bin/python3
+"""Mock the /sys/class/gpio subsystem"""
+
+import atexit
+import logging
+import os
+import selectors
+import shutil
+import socket
+import subprocess
+import sys
+import tempfile
+
+from typing import Type
+
+
+def read_gpio_pin(read_fd: int) -> str:
+    """
+    read_gpio_pin reads from the given fd and return a string with the
+    numeric pin or "" if an invalid pin was specified.
+    """
+    data = os.read(read_fd, 128)
+    pin = data.decode().strip()
+    if not pin.isnumeric():
+        logging.warning("invalid gpio pin %s", pin)
+        return ""
+    return "gpio{}".format(pin)
+
+
+def export_ready(read_fd: int, _) -> bool:
+    """export_ready is run when the "export" file is ready for reading"""
+    pin = read_gpio_pin(read_fd)
+    # allow quit
+    if pin == 'quit':
+        return False
+    if pin:
+        with open(pin, "w"):
+            pass
+    return True
+
+
+def unexport_ready(read_fd: int, _) -> bool:
+    """export_ready is run when the "unexport" file is ready for reading"""
+    pin = read_gpio_pin(read_fd)
+    try:
+        os.remove(pin)
+    except OSError as err:
+        logging.warning("got exception %s", err)
+    return True
+
+
+def dispatch(sel):
+    """
+    dispatch dispatches the events from the "sel" source
+    """
+    for key, mask in sel.select():
+        callback = key.data
+        if not callback(key.fileobj, mask):
+            return False
+    return True
+
+
+def maybe_sd_notify(s: str) -> None:
+    addr = os.getenv('NOTIFY_SOCKET')
+    if not addr:
+        return
+    soc = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+    soc.connect(addr)
+    soc.sendall(s.encode())
+
+
+def main():
+    """the main method"""
+    if os.getuid() != 0:
+        print("must run as root")
+        sys.exit(1)
+
+    # setup mock env
+    mock_gpio_dir = tempfile.mkdtemp("mock-gpio")
+    atexit.register(shutil.rmtree, mock_gpio_dir)
+    os.chdir(mock_gpio_dir)
+    subprocess.check_call(
+        ["mount", "--bind", mock_gpio_dir, "/sys/class/gpio"])
+    atexit.register(lambda: subprocess.call(["umount", "/sys/class/gpio"]))
+
+    # fake gpio export/unexport files
+    os.mkfifo("export")
+    os.mkfifo("unexport")
+
+    # react to the export/unexport calls
+    sel = selectors.DefaultSelector()
+    efd = os.open("export", os.O_RDWR | os.O_NONBLOCK)
+    ufd = os.open("unexport", os.O_RDWR | os.O_NONBLOCK)
+    sel.register(efd, selectors.EVENT_READ, export_ready)
+    sel.register(ufd, selectors.EVENT_READ, unexport_ready)
+    # notify
+    maybe_sd_notify("READY=1")
+    while True:
+        if not dispatch(sel):
+            break
+
+    # cleanup when we get a quit call
+    os.close(efd)
+    os.close(ufd)
+
+
+if __name__ == "__main__":
+    main()
diff -Nru snapd-2.32.3.2~14.04/tests/lib/fakestore/cmd/fakestore/cmd_run.go snapd-2.37~rc1~14.04/tests/lib/fakestore/cmd/fakestore/cmd_run.go
--- snapd-2.32.3.2~14.04/tests/lib/fakestore/cmd/fakestore/cmd_run.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/fakestore/cmd/fakestore/cmd_run.go	2019-01-16 08:36:51.000000000 +0000
@@ -62,7 +62,7 @@
 		return err
 	}
 
-	ch := make(chan os.Signal)
+	ch := make(chan os.Signal, 2)
 	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
 	<-ch
 
diff -Nru snapd-2.32.3.2~14.04/tests/lib/fakestore/store/store.go snapd-2.37~rc1~14.04/tests/lib/fakestore/store/store.go
--- snapd-2.32.3.2~14.04/tests/lib/fakestore/store/store.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/fakestore/store/store.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2016 Canonical Ltd
+ * Copyright (C) 2016-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -99,6 +99,8 @@
 	mux.HandleFunc("/api/v1/snaps/metadata", store.bulkEndpoint)
 	mux.Handle("/download/", http.StripPrefix("/download/", http.FileServer(http.Dir(topDir))))
 	mux.HandleFunc("/api/v1/snaps/assertions/", store.assertionsEndpoint)
+	// v2
+	mux.HandleFunc("/v2/snaps/refresh", store.snapActionEndpoint)
 
 	return store
 }
@@ -169,6 +171,8 @@
 	Version     string
 	Size        uint64
 	Digest      string
+	Confinement string
+	Type        string
 }
 
 var errInfo = errors.New("cannot get info")
@@ -185,19 +189,19 @@
 
 	info, err := snap.ReadInfoFromSnapFile(snapFile, nil)
 	if err != nil {
-		http.Error(w, fmt.Sprintf("can get info for: %v: %v", fn, err), 400)
+		http.Error(w, fmt.Sprintf("cannot get info for: %v: %v", fn, err), 400)
 		return nil, errInfo
 	}
 
 	snapDigest, size, err := asserts.SnapFileSHA3_384(fn)
 	if err != nil {
-		http.Error(w, fmt.Sprintf("can get digest for: %v: %v", fn, err), 400)
+		http.Error(w, fmt.Sprintf("cannot get digest for: %v: %v", fn, err), 400)
 		return nil, errInfo
 	}
 
 	snapRev, devAcct, err := findSnapRevision(snapDigest, bs)
 	if err != nil && !asserts.IsNotFound(err) {
-		http.Error(w, fmt.Sprintf("can get info for: %v: %v", fn, err), 400)
+		http.Error(w, fmt.Sprintf("cannot get info for: %v: %v", fn, err), 400)
 		return nil, errInfo
 	}
 
@@ -216,7 +220,7 @@
 	}
 
 	return &essentialInfo{
-		Name:        info.Name(),
+		Name:        info.SnapName(),
 		SnapID:      snapID,
 		DeveloperID: develID,
 		DevelName:   devel,
@@ -224,6 +228,8 @@
 		Version:     info.Version,
 		Digest:      snapDigest,
 		Size:        size,
+		Confinement: string(info.Confinement),
+		Type:        string(info.Type),
 	}, nil
 }
 
@@ -231,10 +237,6 @@
 	Packages []detailsReplyJSON `json:"clickindex:package"`
 }
 
-type searchReplyJSON struct {
-	Payload searchPayloadJSON `json:"_embedded"`
-}
-
 type detailsReplyJSON struct {
 	Architectures   []string `json:"architecture"`
 	SnapID          string   `json:"snap_id"`
@@ -246,6 +248,8 @@
 	Version         string   `json:"version"`
 	Revision        int      `json:"revision"`
 	DownloadDigest  string   `json:"download_sha3_384"`
+	Confinement     string   `json:"confinement"`
+	Type            string   `json:"type"`
 }
 
 func (s *Store) searchEndpoint(w http.ResponseWriter, req *http.Request) {
@@ -295,6 +299,8 @@
 		Version:         essInfo.Version,
 		Revision:        essInfo.Revision,
 		DownloadDigest:  hexify(essInfo.Digest),
+		Confinement:     essInfo.Confinement,
+		Type:            essInfo.Type,
 	}
 
 	// use indent because this is a development tool, output
@@ -327,7 +333,7 @@
 		if err != nil {
 			return nil, err
 		}
-		snaps[info.Name()] = fn
+		snaps[info.SnapName()] = fn
 	}
 
 	return snaps, err
@@ -407,7 +413,7 @@
 
 		name := snapIDtoName[pkg.SnapID]
 		if name == "" {
-			http.Error(w, fmt.Sprintf("unknown snapid: %q", pkg.SnapID), 400)
+			http.Error(w, fmt.Sprintf("unknown snap-id: %q", pkg.SnapID), 400)
 			return
 		}
 
@@ -431,6 +437,8 @@
 				Version:         essInfo.Version,
 				Revision:        essInfo.Revision,
 				DownloadDigest:  hexify(essInfo.Digest),
+				Confinement:     essInfo.Confinement,
+				Type:            essInfo.Type,
 			})
 		}
 	}
@@ -439,7 +447,7 @@
 	// should look nice
 	out, err := json.MarshalIndent(replyData, "", "    ")
 	if err != nil {
-		http.Error(w, fmt.Sprintf("can marshal: %v: %v", replyData, err), 400)
+		http.Error(w, fmt.Sprintf("cannot marshal: %v: %v", replyData, err), 400)
 		return
 	}
 	w.Write(out)
@@ -482,6 +490,157 @@
 	return bs, nil
 }
 
+type currentSnap struct {
+	SnapID      string `json:"snap-id"`
+	InstanceKey string `json:"instance-key"`
+}
+
+type snapAction struct {
+	Action      string `json:"action"`
+	InstanceKey string `json:"instance-key"`
+	SnapID      string `json:"snap-id"`
+	Name        string `json:"name"`
+}
+
+type snapActionRequest struct {
+	Context []currentSnap `json:"context"`
+	Fields  []string      `json:"fields"`
+	Actions []snapAction  `json:"actions"`
+}
+
+type snapActionResult struct {
+	Result      string          `json:"result"`
+	InstanceKey string          `json:"instance-key"`
+	SnapID      string          `json:"snap-id"`
+	Name        string          `json:"name"`
+	Snap        detailsResultV2 `json:"snap"`
+}
+
+type snapActionResultList struct {
+	Results []*snapActionResult `json:"results"`
+}
+
+type detailsResultV2 struct {
+	Architectures []string `json:"architectures"`
+	SnapID        string   `json:"snap-id"`
+	Name          string   `json:"name"`
+	Publisher     struct {
+		ID       string `json:"id"`
+		Username string `json:"username"`
+	} `json:"publisher"`
+	Download struct {
+		URL      string `json:"url"`
+		Sha3_384 string `json:"sha3-384"`
+		Size     uint64 `json:"size"`
+	} `json:"download"`
+	Version     string `json:"version"`
+	Revision    int    `json:"revision"`
+	Confinement string `json:"confinement"`
+	Type        string `json:"type"`
+}
+
+func (s *Store) snapActionEndpoint(w http.ResponseWriter, req *http.Request) {
+	var reqData snapActionRequest
+	var replyData snapActionResultList
+
+	decoder := json.NewDecoder(req.Body)
+	if err := decoder.Decode(&reqData); err != nil {
+		http.Error(w, fmt.Sprintf("cannot decode request body: %v", err), 400)
+		return
+	}
+
+	bs, err := s.collectAssertions()
+	if err != nil {
+		http.Error(w, fmt.Sprintf("internal error collecting assertions: %v", err), 500)
+		return
+	}
+
+	var remoteStore string
+	if osutil.GetenvBool("SNAPPY_USE_STAGING_STORE") {
+		remoteStore = "staging"
+	} else {
+		remoteStore = "production"
+	}
+	snapIDtoName, err := addSnapIDs(bs, someSnapIDtoName[remoteStore])
+	if err != nil {
+		http.Error(w, fmt.Sprintf("internal error collecting snapIDs: %v", err), 500)
+		return
+	}
+
+	snaps, err := s.collectSnaps()
+	if err != nil {
+		http.Error(w, fmt.Sprintf("internal error collecting snaps: %v", err), 500)
+		return
+	}
+
+	actions := reqData.Actions
+	if len(actions) == 1 && actions[0].Action == "refresh-all" {
+		actions = make([]snapAction, len(reqData.Context))
+		for i, s := range reqData.Context {
+			actions[i] = snapAction{
+				Action:      "refresh",
+				SnapID:      s.SnapID,
+				InstanceKey: s.InstanceKey,
+			}
+		}
+	}
+
+	// check if we have downloadable snap of the given SnapID or name
+	for _, a := range actions {
+		name := a.Name
+		snapID := a.SnapID
+		if a.Action == "refresh" {
+			name = snapIDtoName[snapID]
+		}
+
+		if name == "" {
+			http.Error(w, fmt.Sprintf("unknown snap-id: %q", snapID), 400)
+			return
+		}
+
+		if fn, ok := snaps[name]; ok {
+			essInfo, err := snapEssentialInfo(w, fn, snapID, bs)
+			if essInfo == nil {
+				if err != errInfo {
+					panic(err)
+				}
+				return
+			}
+
+			res := &snapActionResult{
+				Result:      a.Action,
+				InstanceKey: a.InstanceKey,
+				SnapID:      essInfo.SnapID,
+				Name:        essInfo.Name,
+				Snap: detailsResultV2{
+					Architectures: []string{"all"},
+					SnapID:        essInfo.SnapID,
+					Name:          essInfo.Name,
+					Version:       essInfo.Version,
+					Revision:      essInfo.Revision,
+					Confinement:   essInfo.Confinement,
+					Type:          essInfo.Type,
+				},
+			}
+			res.Snap.Publisher.ID = essInfo.DeveloperID
+			res.Snap.Publisher.Username = essInfo.DevelName
+			res.Snap.Download.URL = fmt.Sprintf("%s/download/%s", s.URL(), filepath.Base(fn))
+			res.Snap.Download.Sha3_384 = hexify(essInfo.Digest)
+			res.Snap.Download.Size = essInfo.Size
+			replyData.Results = append(replyData.Results, res)
+		}
+	}
+
+	// use indent because this is a development tool, output
+	// should look nice
+	out, err := json.MarshalIndent(replyData, "", "    ")
+	if err != nil {
+		http.Error(w, fmt.Sprintf("cannot marshal: %v: %v", replyData, err), 400)
+		return
+	}
+	w.Write(out)
+}
+
 func (s *Store) retrieveAssertion(bs asserts.Backstore, assertType *asserts.AssertionType, primaryKey []string) (asserts.Assertion, error) {
 	a, err := bs.Get(assertType, primaryKey, assertType.MaxSupportedFormat())
 	if asserts.IsNotFound(err) && s.assertFallback {
diff -Nru snapd-2.32.3.2~14.04/tests/lib/fakestore/store/store_test.go snapd-2.37~rc1~14.04/tests/lib/fakestore/store/store_test.go
--- snapd-2.32.3.2~14.04/tests/lib/fakestore/store/store_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/fakestore/store/store_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2015 Canonical Ltd
+ * Copyright (C) 2014-2018 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -49,12 +49,12 @@
 
 var defaultAddr = "localhost:23321"
 
-func getSha(fn string) string {
-	snapDigest, _, err := asserts.SnapFileSHA3_384(fn)
+func getSha(fn string) (string, uint64) {
+	snapDigest, size, err := asserts.SnapFileSHA3_384(fn)
 	if err != nil {
 		panic(err)
 	}
-	return hexify(snapDigest)
+	return hexify(snapDigest), size
 }
 
 func (s *storeTestSuite) SetUpTest(c *C) {
@@ -127,6 +127,7 @@
 
 	var body map[string]interface{}
 	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	sha3_384, _ := getSha(snapFn)
 	c.Check(body, DeepEquals, map[string]interface{}{
 		"architecture":      []interface{}{"all"},
 		"snap_id":           "xidididididididididididididididid",
@@ -137,7 +138,9 @@
 		"download_url":      s.store.URL() + "/download/foo_7_all.snap",
 		"version":           "7",
 		"revision":          float64(77),
-		"download_sha3_384": getSha(snapFn),
+		"download_sha3_384": sha3_384,
+		"confinement":       "strict",
+		"type":              "app",
 	})
 }
 
@@ -151,6 +154,7 @@
 
 	var body map[string]interface{}
 	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	sha3_384, _ := getSha(snapFn)
 	c.Check(body, DeepEquals, map[string]interface{}{
 		"architecture":      []interface{}{"all"},
 		"snap_id":           "",
@@ -161,7 +165,55 @@
 		"download_url":      s.store.URL() + "/download/foo_1_all.snap",
 		"version":           "1",
 		"revision":          float64(424242),
-		"download_sha3_384": getSha(snapFn),
+		"download_sha3_384": sha3_384,
+		"confinement":       "strict",
+		"type":              "app",
+	})
+
+	snapFn = s.makeTestSnap(c, "name: foo-classic\nversion: 1\nconfinement: classic")
+	resp, err = s.StoreGet(`/api/v1/snaps/details/foo-classic`)
+	c.Assert(err, IsNil)
+	defer resp.Body.Close()
+
+	c.Assert(resp.StatusCode, Equals, 200)
+	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	sha3_384, _ = getSha(snapFn)
+	c.Check(body, DeepEquals, map[string]interface{}{
+		"architecture":      []interface{}{"all"},
+		"snap_id":           "",
+		"package_name":      "foo-classic",
+		"origin":            "canonical",
+		"developer_id":      "canonical",
+		"anon_download_url": s.store.URL() + "/download/foo-classic_1_all.snap",
+		"download_url":      s.store.URL() + "/download/foo-classic_1_all.snap",
+		"version":           "1",
+		"revision":          float64(424242),
+		"download_sha3_384": sha3_384,
+		"confinement":       "classic",
+		"type":              "app",
+	})
+
+	snapFn = s.makeTestSnap(c, "name: foo-base\nversion: 1\ntype: base")
+	resp, err = s.StoreGet(`/api/v1/snaps/details/foo-base`)
+	c.Assert(err, IsNil)
+	defer resp.Body.Close()
+
+	c.Assert(resp.StatusCode, Equals, 200)
+	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	sha3_384, _ = getSha(snapFn)
+	c.Check(body, DeepEquals, map[string]interface{}{
+		"architecture":      []interface{}{"all"},
+		"snap_id":           "",
+		"package_name":      "foo-base",
+		"origin":            "canonical",
+		"developer_id":      "canonical",
+		"anon_download_url": s.store.URL() + "/download/foo-base_1_all.snap",
+		"download_url":      s.store.URL() + "/download/foo-base_1_all.snap",
+		"version":           "1",
+		"revision":          float64(424242),
+		"download_sha3_384": sha3_384,
+		"confinement":       "strict",
+		"type":              "base",
 	})
 }
 
@@ -183,6 +235,7 @@
 		} `json:"_embedded"`
 	}
 	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	sha3_384, _ := getSha(snapFn)
 	c.Check(body.Top.Cat, DeepEquals, []map[string]interface{}{{
 		"architecture":      []interface{}{"all"},
 		"snap_id":           "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
@@ -193,7 +246,9 @@
 		"download_url":      s.store.URL() + "/download/test-snapd-tools_1_all.snap",
 		"version":           "1",
 		"revision":          float64(424242),
-		"download_sha3_384": getSha(snapFn),
+		"download_sha3_384": sha3_384,
+		"confinement":       "strict",
+		"type":              "app",
 	}})
 }
 
@@ -214,6 +269,7 @@
 		} `json:"_embedded"`
 	}
 	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	sha3_384, _ := getSha(snapFn)
 	c.Check(body.Top.Cat, DeepEquals, []map[string]interface{}{{
 		"architecture":      []interface{}{"all"},
 		"snap_id":           "xidididididididididididididididid",
@@ -224,7 +280,9 @@
 		"download_url":      s.store.URL() + "/download/foo_10_all.snap",
 		"version":           "10",
 		"revision":          float64(99),
-		"download_sha3_384": getSha(snapFn),
+		"download_sha3_384": sha3_384,
+		"confinement":       "strict",
+		"type":              "app",
 	}})
 }
 
@@ -390,3 +448,177 @@
 	c.Assert(err, IsNil)
 	c.Check(respObj["status"], Equals, float64(404))
 }
+
+func (s *storeTestSuite) TestSnapActionEndpoint(c *C) {
+	snapFn := s.makeTestSnap(c, "name: test-snapd-tools\nversion: 1")
+
+	resp, err := s.StorePostJSON("/v2/snaps/refresh", []byte(`{
+"context": [{"instance-key":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw","snap-id":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw","tracking-channel":"stable","revision":1}],
+"actions": [{"action":"refresh","instance-key":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw","snap-id":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw"}]
+}`))
+	c.Assert(err, IsNil)
+	defer resp.Body.Close()
+
+	c.Assert(resp.StatusCode, Equals, 200)
+	var body struct {
+		Results []map[string]interface{}
+	}
+	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	c.Check(body.Results, HasLen, 1)
+	sha3_384, size := getSha(snapFn)
+	c.Check(body.Results[0], DeepEquals, map[string]interface{}{
+		"result":       "refresh",
+		"instance-key": "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
+		"snap-id":      "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
+		"name":         "test-snapd-tools",
+		"snap": map[string]interface{}{
+			"architectures": []interface{}{"all"},
+			"snap-id":       "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
+			"name":          "test-snapd-tools",
+			"publisher": map[string]interface{}{
+				"username": "canonical",
+				"id":       "canonical",
+			},
+			"download": map[string]interface{}{
+				"url":      s.store.URL() + "/download/test-snapd-tools_1_all.snap",
+				"sha3-384": sha3_384,
+				"size":     float64(size),
+			},
+			"version":     "1",
+			"revision":    float64(424242),
+			"confinement": "strict",
+			"type":        "app",
+		},
+	})
+}
+
+func (s *storeTestSuite) TestSnapActionEndpointWithAssertions(c *C) {
+	snapFn := s.makeTestSnap(c, "name: foo\nversion: 10")
+	s.makeAssertions(c, snapFn, "foo", "xidididididididididididididididid", "foo-devel", "foo-devel-id", 99)
+
+	resp, err := s.StorePostJSON("/v2/snaps/refresh", []byte(`{
+"context": [{"instance-key":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw","snap-id":"xidididididididididididididididid","tracking-channel":"stable","revision":1}],
+"actions": [{"action":"refresh","instance-key":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw","snap-id":"xidididididididididididididididid"}]
+}`))
+	c.Assert(err, IsNil)
+	defer resp.Body.Close()
+
+	c.Assert(resp.StatusCode, Equals, 200)
+	var body struct {
+		Results []map[string]interface{}
+	}
+	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	c.Check(body.Results, HasLen, 1)
+	sha3_384, size := getSha(snapFn)
+	c.Check(body.Results[0], DeepEquals, map[string]interface{}{
+		"result":       "refresh",
+		"instance-key": "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
+		"snap-id":      "xidididididididididididididididid",
+		"name":         "foo",
+		"snap": map[string]interface{}{
+			"architectures": []interface{}{"all"},
+			"snap-id":       "xidididididididididididididididid",
+			"name":          "foo",
+			"publisher": map[string]interface{}{
+				"username": "foo-devel",
+				"id":       "foo-devel-id",
+			},
+			"download": map[string]interface{}{
+				"url":      s.store.URL() + "/download/foo_10_all.snap",
+				"sha3-384": sha3_384,
+				"size":     float64(size),
+			},
+			"version":     "10",
+			"revision":    float64(99),
+			"confinement": "strict",
+			"type":        "app",
+		},
+	})
+}
+
+func (s *storeTestSuite) TestSnapActionEndpointRefreshAll(c *C) {
+	snapFn := s.makeTestSnap(c, "name: test-snapd-tools\nversion: 1")
+
+	resp, err := s.StorePostJSON("/v2/snaps/refresh", []byte(`{
+"context": [{"instance-key":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw","snap-id":"eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw","tracking-channel":"stable","revision":1}],
+"actions": [{"action":"refresh-all"}]
+}`))
+	c.Assert(err, IsNil)
+	defer resp.Body.Close()
+
+	c.Assert(resp.StatusCode, Equals, 200)
+	var body struct {
+		Results []map[string]interface{}
+	}
+	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	c.Check(body.Results, HasLen, 1)
+	sha3_384, size := getSha(snapFn)
+	c.Check(body.Results[0], DeepEquals, map[string]interface{}{
+		"result":       "refresh",
+		"instance-key": "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
+		"snap-id":      "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
+		"name":         "test-snapd-tools",
+		"snap": map[string]interface{}{
+			"architectures": []interface{}{"all"},
+			"snap-id":       "eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw",
+			"name":          "test-snapd-tools",
+			"publisher": map[string]interface{}{
+				"username": "canonical",
+				"id":       "canonical",
+			},
+			"download": map[string]interface{}{
+				"url":      s.store.URL() + "/download/test-snapd-tools_1_all.snap",
+				"sha3-384": sha3_384,
+				"size":     float64(size),
+			},
+			"version":     "1",
+			"revision":    float64(424242),
+			"confinement": "strict",
+			"type":        "app",
+		},
+	})
+}
+
+func (s *storeTestSuite) TestSnapActionEndpointWithAssertionsInstall(c *C) {
+	snapFn := s.makeTestSnap(c, "name: foo\nversion: 10")
+	s.makeAssertions(c, snapFn, "foo", "xidididididididididididididididid", "foo-devel", "foo-devel-id", 99)
+
+	resp, err := s.StorePostJSON("/v2/snaps/refresh", []byte(`{
+"context": [],
+"actions": [{"action":"install","instance-key":"foo","name":"foo"}]
+}`))
+	c.Assert(err, IsNil)
+	defer resp.Body.Close()
+
+	c.Assert(resp.StatusCode, Equals, 200)
+	var body struct {
+		Results []map[string]interface{}
+	}
+	c.Assert(json.NewDecoder(resp.Body).Decode(&body), IsNil)
+	c.Check(body.Results, HasLen, 1)
+	sha3_384, size := getSha(snapFn)
+	c.Check(body.Results[0], DeepEquals, map[string]interface{}{
+		"result":       "install",
+		"instance-key": "foo",
+		"snap-id":      "xidididididididididididididididid",
+		"name":         "foo",
+		"snap": map[string]interface{}{
+			"architectures": []interface{}{"all"},
+			"snap-id":       "xidididididididididididididididid",
+			"name":          "foo",
+			"publisher": map[string]interface{}{
+				"username": "foo-devel",
+				"id":       "foo-devel-id",
+			},
+			"download": map[string]interface{}{
+				"url":      s.store.URL() + "/download/foo_10_all.snap",
+				"sha3-384": sha3_384,
+				"size":     float64(size),
+			},
+			"version":     "10",
+			"revision":    float64(99),
+			"confinement": "strict",
+			"type":        "app",
+		},
+	})
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/files.sh snapd-2.37~rc1~14.04/tests/lib/files.sh
--- snapd-2.32.3.2~14.04/tests/lib/files.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/files.sh	2019-01-16 08:36:51.000000000 +0000
@@ -6,7 +6,7 @@
     sleep_time="$3"
 
     for _ in $(seq "$iters"); do
-        if [ -f "$the_file" ]; then
+        if [ -e "$the_file" ]; then
             return 0
         fi
         sleep "$sleep_time"
@@ -22,38 +22,53 @@
     fi
 }
 
+ensure_dir_exists_backup_real() {
+    dir="$1"
+    if [ -d "$dir" ]; then
+        mv "$dir" "$dir.back"
+    fi
+    mkdir -p "$dir"
+    touch "$dir.fake"
+}
+
 clean_dir() {
     dir="$1"
     if [ -f "$dir.fake" ]; then
         rm -rf "$dir"
         rm -f "$dir.fake"
     fi
+    if [ -d "$dir.back" ]; then
+        mv "$dir.back" "$dir"
+    fi
 }
 
 ensure_file_exists() {
     file="$1"
-    if ! [ -f "$file" ]; then
-        touch "$file"
-        touch "$file.fake"
+    if ! [ -e "$file" ]; then
+        echo "content for $file" > "$file"
+        echo "content for fake $file" > "$file.fake"
     fi
 }
 
 ensure_file_exists_backup_real() {
     file="$1"
-    if [ -f "$file" ]; then
+    if [ -e "$file" ]; then
         mv "$file" "$file.back"
     fi
-    touch "$file"
-    touch "$file.fake"
+    # ensure the parent dir is available
+    if [ ! -d "$(dirname "$file")" ]; then
+        mkdir -p "$(dirname "$file")"
+    fi
+    ensure_file_exists "$file"
 }
 
 clean_file() {
     file="$1"
-    if [ -f "$file.fake" ]; then
+    if [ -e "$file.fake" ]; then
         rm -f "$file"
         rm -f "$file.fake"
     fi
-    if [ -f "$file.back" ]; then
+    if [ -e "$file.back" ]; then
         mv "$file.back" "$file"
     fi
 }
diff -Nru snapd-2.32.3.2~14.04/tests/lib/journalctl.sh snapd-2.37~rc1~14.04/tests/lib/journalctl.sh
--- snapd-2.32.3.2~14.04/tests/lib/journalctl.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/journalctl.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# shellcheck source=tests/lib/state.sh
+. "$TESTSLIB/state.sh"
+
+# This file contains all the cursors used for the different tests
+JOURNALCTL_CURSOR_FILE="$RUNTIME_STATE_PATH"/journalctl_cursor
+
+get_last_journalctl_cursor(){
+    journalctl --output=export -n1 | grep --binary-files=text -o '__CURSOR=.*' | sed -e 's/^__CURSOR=//'
+}
+
+start_new_journalctl_log(){
+    echo "New test starts here - $SPREAD_JOB" | systemd-cat -t snapd-test
+    cursor=$(get_last_journalctl_cursor)
+    if [ -z "$cursor" ]; then
+        echo "Empty journalctl cursor, exiting..."
+        exit 1
+    else
+        echo "$SPREAD_JOB " >> "$JOURNALCTL_CURSOR_FILE"
+        echo "$cursor" >> "$JOURNALCTL_CURSOR_FILE"
+    fi
+}
+
+check_journalctl_ready(){
+    marker="test-${RANDOM}${RANDOM}"
+    echo "Running test: $marker" | systemd-cat -t snapd-test
+    if check_journalctl_log "$marker"; then
+        return 0
+    fi
+    echo "Test id not found in journalctl, exiting..."
+    exit 1
+}
+
+check_journalctl_log(){
+    expression=$1
+    shift
+    for _ in $(seq 20); do
+        log=$(get_journalctl_log "$@")
+        if echo "$log" | grep -q -E "$expression"; then
+            return 0
+        fi
+        echo "Match failed, retrying"
+        sleep .5
+    done
+    return 1
+}
+
+get_journalctl_log(){
+    cursor=""
+    if [ -f "$JOURNALCTL_CURSOR_FILE" ]; then
+        cursor=$(tail -n1 "$JOURNALCTL_CURSOR_FILE")
+    fi
+    get_journalctl_log_from_cursor "$cursor" "$@"
+}
+
+get_journalctl_log_from_cursor(){
+    cursor=$1
+    shift
+    if [ -z "$cursor" ]; then
+        journalctl "$@"
+    else
+        journalctl "$@" --cursor "$cursor"
+    fi
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/mkpinentry.sh snapd-2.37~rc1~14.04/tests/lib/mkpinentry.sh
--- snapd-2.32.3.2~14.04/tests/lib/mkpinentry.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/mkpinentry.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,21 @@
-#!/bin/sh
+#!/bin/bash
 
-if gpg --version | MATCH "gpg \(GnuPG\) 1."; then
+if gpg --version | MATCH 'gpg \(GnuPG\) 1.'; then
     echo "fake gpg pinentry not used for gpg v1"
 else
     echo "setup fake gpg pinentry environment for gpg v2 or higher"
-    case "$SPREAD_SYSTEM" in
-        opensuse-*)
-            mkdir -p ~/.gnupg
-            echo pinentry-program "$TESTSLIB/pinentry-fake.sh" > ~/.gnupg/gpg-agent.conf
-            ;;
-        *)
-            mkdir -p ~/.snap/gnupg/
-            # It is just created once by gpg-agent, then if this dir does not exist gpg will
-            # fail to create the key
-            mkdir -p ~/.snap/gnupg/private-keys-v1.d
-            echo pinentry-program "$TESTSLIB/pinentry-fake.sh" > ~/.snap/gnupg/gpg-agent.conf
-            chmod -R go-rwx ~/.snap
-            ;;
-    esac
+    gpgdir=~/.snap/gnupg
+    if gpg --version | MATCH 'gpg \(GnuPG\) 2.0'; then
+        gpgdir=~/.gnupg
+    fi
+    mkdir -p "$gpgdir"
+    # It is just created once by gpg-agent, then if this dir does not exist gpg will
+    # fail to create the key
+    mkdir -p "$gpgdir/private-keys-v1.d"
+    echo pinentry-program "$TESTSLIB/pinentry-fake.sh" > "$gpgdir/gpg-agent.conf"
+    chmod -R go-rwx "$gpgdir"
+    if [ -d ~/.snap ]; then
+        chmod -R go-rwx ~/.snap
+    fi
 fi
+
diff -Nru snapd-2.32.3.2~14.04/tests/lib/names.sh snapd-2.37~rc1~14.04/tests/lib/names.sh
--- snapd-2.32.3.2~14.04/tests/lib/names.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/names.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,10 @@
 #!/bin/bash
+# shellcheck disable=SC2034
 
 gadget_name=$(snap list | grep 'gadget$' | awk '{ print $1 }')
 kernel_name=$(snap list | grep 'kernel$' | awk '{ print $1 }')
+
+core_name="$(snap known model | awk '/^base: / { print $2 }' || true)"
+if [ -z "$core_name" ]; then
+    core_name="core"
+fi
diff -Nru snapd-2.32.3.2~14.04/tests/lib/nested.sh snapd-2.37~rc1~14.04/tests/lib/nested.sh
--- snapd-2.32.3.2~14.04/tests/lib/nested.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/nested.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,15 +1,19 @@
-#!/bin/sh
+#!/bin/bash
 
 # shellcheck source=tests/lib/systemd.sh
-. $TESTSLIB/systemd.sh
+. "$TESTSLIB"/systemd.sh
+
+WORK_DIR=/tmp/work-dir
+SSH_PORT=8022
+MON_PORT=8888
 
 wait_for_ssh(){
-    retry=300
+    retry=150
     while ! execute_remote true; do
         retry=$(( retry - 1 ))
         if [ $retry -le 0 ]; then
             echo "Timed out waiting for ssh. Aborting!"
-            exit 1
+            return 1
         fi
         sleep 1
     done
@@ -30,39 +34,156 @@
     umount /mnt/assertions && rm -rf /mnt/assertions
 }
 
-create_nested_core_vm(){
-    # determine arch related vars
+get_qemu_for_nested_vm(){
     case "$NESTED_ARCH" in
     amd64)
-        QEMU="$(which qemu-system-x86_64)"
+        command -v qemu-system-x86_64
         ;;
     i386)
-        QEMU="$(which qemu-system-i386)"
+        command -v qemu-system-i386
         ;;
     *)
         echo "unsupported architecture"
         exit 1
         ;;
     esac
+}
+
+get_image_url_for_nested_vm(){
+    case "$NESTED_SYSTEM" in
+    xenial|trusty)
+        echo "https://cloud-images.ubuntu.com/${NESTED_SYSTEM}/current/${NESTED_SYSTEM}-server-cloudimg-${NESTED_ARCH}-disk1.img"
+        ;;
+    bionic)
+        echo "https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-${NESTED_ARCH}.img"
+        ;;
+    *)
+        echo "unsupported system"
+        exit 1
+        ;;
+    esac
+
+}
+
+create_nested_core_vm(){
+    local UBUNTU_IMAGE
+    UBUNTU_IMAGE=$(command -v ubuntu-image)
 
     # create ubuntu-core image
-    mkdir -p /tmp/work-dir
-    /snap/bin/ubuntu-image --image-size 3G "$TESTSLIB/assertions/nested-${NESTED_ARCH}.model" --channel "$CORE_CHANNEL" --output ubuntu-core.img
-    mv ubuntu-core.img /tmp/work-dir
+    local EXTRA_SNAPS=""
+    if [ -d "${PWD}/extra-snaps" ] && [ "$(find "${PWD}/extra-snaps/" -type f -name "*.snap" | wc -l)" -gt 0 ]; then
+        EXTRA_SNAPS="--extra-snaps ${PWD}/extra-snaps/*.snap"
+    fi
+    mkdir -p "$WORK_DIR"
+
+    "$UBUNTU_IMAGE" --image-size 3G "$TESTSLIB/assertions/nested-${NESTED_ARCH}.model" \
+        --channel "$CORE_CHANNEL" \
+        --output "$WORK_DIR/ubuntu-core.img" "$EXTRA_SNAPS"
 
     create_assertions_disk
+    start_nested_core_vm
+    if wait_for_ssh; then
+        prepare_ssh
+    else
+        echo "ssh not stablished, exiting..."
+        exit 1
+    fi
+}
 
-    systemd_create_and_start_unit nested-vm "${QEMU} -m 1024 -nographic -net nic,model=virtio -net user,hostfwd=tcp::8022-:22 -drive file=/tmp/work-dir/ubuntu-core.img,if=virtio,cache=none -drive file=${PWD}/assertions.disk,if=virtio,cache=none"
-
+start_nested_core_vm(){
+    local QEMU
+    QEMU=$(get_qemu_for_nested_vm)
+    systemd_create_and_start_unit nested-vm "${QEMU} -m 2048 -nographic \
+        -net nic,model=virtio -net user,hostfwd=tcp::$SSH_PORT-:22 \
+        -drive file=$WORK_DIR/ubuntu-core.img,if=virtio,cache=none,format=raw \
+        -drive file=${PWD}/assertions.disk,if=virtio,cache=none,format=raw \
+        -monitor tcp:127.0.0.1:$MON_PORT,server,nowait -usb \
+        -machine accel=kvm"
+    if ! wait_for_ssh; then
+        systemctl restart nested-vm
+    fi
+}
+
+create_nested_classic_vm(){
+    mkdir -p "$WORK_DIR"
+
+    # Get the cloud image
+    local IMAGE_URL
+    IMAGE_URL=$(get_image_url_for_nested_vm)
+    wget -P "$WORK_DIR" "$IMAGE_URL"
+    # Check the image
+    local IMAGE
+    IMAGE=$(ls $WORK_DIR/*.img)
+    test "$(echo "$IMAGE" | wc -l)" = "1"
+
+    # Prepare the cloud-init configuration
+    cat <<EOF > "$WORK_DIR/seed"
+#cloud-config
+  ssh_pwauth: True
+  users:
+   - name: user1
+     sudo: ALL=(ALL) NOPASSWD:ALL
+     shell: /bin/bash
+  chpasswd:
+   list: |
+    user1:ubuntu
+   expire: False
+EOF
+    cloud-localds -H "$(hostname)" "$WORK_DIR/seed.img" "$WORK_DIR/seed"
+
+    # Start the vm
+    start_nested_classic_vm "$IMAGE"
+}
+
+start_nested_classic_vm(){
+    local IMAGE=$1
+    local QEMU
+    QEMU=$(get_qemu_for_nested_vm)
+
+    systemd_create_and_start_unit nested-vm "${QEMU} -m 2048 -nographic \
+        -net nic,model=virtio -net user,hostfwd=tcp::$SSH_PORT-:22 \
+        -drive file=$IMAGE,if=virtio \
+        -drive file=$WORK_DIR/seed.img,if=virtio \
+        -monitor tcp:127.0.0.1:$MON_PORT,server,nowait -usb \
+        -machine accel=kvm"
     wait_for_ssh
-    prepare_ssh
 }
 
-destroy_nested_core_vm(){
+destroy_nested_vm(){
     systemd_stop_and_destroy_unit nested-vm
-    rm -rf /tmp/work-dir
+    rm -rf "$WORK_DIR"
 }
 
 execute_remote(){
-    sshpass -p ubuntu ssh -p 8022 -q -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user1@localhost "$*"
+    sshpass -p ubuntu ssh -p "$SSH_PORT" -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user1@localhost "$*"
+}
+
+copy_remote(){
+    sshpass -p ubuntu scp -P "$SSH_PORT" -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$*" user1@localhost:~
+}
+
+add_tty_chardev(){
+    local CHARDEV_ID=$1
+    local CHARDEV_PATH=$2
+    echo "chardev-add tty,path=$CHARDEV_PATH,id=$CHARDEV_ID" | nc -q 0 127.0.0.1 "$MON_PORT"
+    echo "chardev added"
+}
+
+remove_chardev(){
+    local CHARDEV_ID=$1
+    echo "chardev-remove $CHARDEV_ID" | nc -q 0 127.0.0.1 "$MON_PORT"
+    echo "chardev added"
+}
+
+add_usb_serial_device(){
+    local DEVICE_ID=$1
+    local CHARDEV_ID=$2
+    echo "device_add usb-serial,chardev=$CHARDEV_ID,id=$DEVICE_ID" | nc -q 0 127.0.0.1 "$MON_PORT"
+    echo "device added"
+}
+
+del_device(){
+    local DEVICE_ID=$1
+    echo "device_del $DEVICE_ID" | nc -q 0 127.0.0.1 "$MON_PORT"
+    echo "device deleted"
 }
diff -Nru snapd-2.32.3.2~14.04/tests/lib/network.sh snapd-2.37~rc1~14.04/tests/lib/network.sh
--- snapd-2.32.3.2~14.04/tests/lib/network.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/network.sh	2019-01-16 08:36:51.000000000 +0000
@@ -3,3 +3,32 @@
 get_default_iface(){
     ip route get 8.8.8.8 | awk '{ print $5; exit }'
 }
+
+wait_listen_port(){
+    PORT="$1"
+
+    for _ in $(seq 120); do
+        if ss -lnt | grep -Pq "LISTEN.*?:$PORT +.*?\\n*"; then
+            break
+        fi
+        sleep 0.5
+    done
+
+    # Ensure we really have the listen port, this will fail with an
+    # exit code if the port is not available.
+    ss -lnt | grep -Pq "LISTEN.*?:$PORT +.*?\\n*"
+}
+
+make_network_service() {
+    SERVICE_NAME="$1"
+    SERVICE_FILE="$2"
+    PORT="$3"
+
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
+
+    printf '#!/bin/sh -e\nwhile true; do printf '\''HTTP/1.1 200 OK\\n\\nok\\n'\'' |  nc -l -p %s -w 1; done' "$PORT" > "$SERVICE_FILE"
+    chmod a+x "$SERVICE_FILE"
+    systemd_create_and_start_unit "$SERVICE_NAME" "$(readlink -f "$SERVICE_FILE")"
+    wait_listen_port "$PORT"
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/pinentry-fake.sh snapd-2.37~rc1~14.04/tests/lib/pinentry-fake.sh
--- snapd-2.32.3.2~14.04/tests/lib/pinentry-fake.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/pinentry-fake.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
diff -Nru snapd-2.32.3.2~14.04/tests/lib/pkgdb.sh snapd-2.37~rc1~14.04/tests/lib/pkgdb.sh
--- snapd-2.32.3.2~14.04/tests/lib/pkgdb.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/pkgdb.sh	2019-01-16 08:36:51.000000000 +0000
@@ -6,9 +6,6 @@
 debian_name_package() {
     for i in "$@"; do
         case "$i" in
-            xdelta3|curl|python3-yaml|kpartx|busybox-static|nfs-kernel-server)
-                echo "$i"
-                ;;
             man)
                 echo "man-db"
                 ;;
@@ -35,15 +32,28 @@
 fedora_name_package() {
     for i in "$@"; do
         case "$i" in
-            xdelta3|jq|curl|python3-yaml)
-                echo "$i"
-                ;;
             openvswitch-switch)
                 echo "openvswitch"
                 ;;
             printer-driver-cups-pdf)
                 echo "cups-pdf"
                 ;;
+            python3-gi)
+                echo "python3-gobject"
+                ;;
+            *)
+                echo "$i"
+                ;;
+        esac
+    done
+}
+
+amazon_name_package() {
+    for i in "$@"; do
+        case "$i" in
+            xdelta3)
+                echo "xdelta"
+                ;;
             *)
                 echo "$i"
                 ;;
@@ -63,6 +73,13 @@
             printer-driver-cups-pdf)
                 echo "cups-pdf"
                 ;;
+            python3-dbus)
+                # In OpenSUSE Leap 15, this is renamed to python3-dbus-python
+                echo "dbus-1-python3"
+                ;;
+            python3-gi)
+                echo "python3-gobject"
+                ;;
             *)
                 echo "$i"
                 ;;
@@ -70,6 +87,36 @@
     done
 }
 
+arch_name_package() {
+    case "$1" in
+        python3-yaml)
+            echo "python-yaml"
+            ;;
+        dbus-x11)
+            # no separate dbus-x11 package in arch
+            echo "dbus"
+            ;;
+        printer-driver-cups-pdf)
+            echo "cups-pdf"
+            ;;
+        openvswitch-switch)
+            echo "openvswitch"
+            ;;
+        man)
+            echo "man-db"
+            ;;
+        python3-dbus)
+            echo "python-dbus"
+            ;;
+        python3-gi)
+            echo "python-gobject"
+            ;;
+        *)
+            echo "$1"
+            ;;
+    esac
+}
+
 distro_name_package() {
     case "$SPREAD_SYSTEM" in
         ubuntu-14.04-*)
@@ -81,9 +128,15 @@
         fedora-*)
             fedora_name_package "$@"
             ;;
+        amazon-*|centos-*)
+            amazon_name_package "$@"
+            ;;
         opensuse-*)
             opensuse_name_package "$@"
             ;;
+        arch-*)
+            arch_name_package "$1"
+            ;;
         *)
             echo "ERROR: Unsupported distribution $SPREAD_SYSTEM"
             exit 1
@@ -119,10 +172,16 @@
             apt install $flags "$@"
             ;;
         fedora-*)
-            quiet dnf -y install "$@"
+            quiet dnf -y install --setopt=install_weak_deps=False "$@"
+            ;;
+        amazon-*|centos-*)
+            quiet yum -y localinstall "$@"
             ;;
         opensuse-*)
-            quiet zypper install -y "$@"
+            quiet rpm -i "$@"
+            ;;
+        arch-*)
+            pacman -U --noconfirm "$@"
             ;;
         *)
             echo "ERROR: Unsupported distribution $SPREAD_SYSTEM"
@@ -132,11 +191,27 @@
 }
 
 distro_install_package() {
+    orig_xtrace=$(set -o | awk '/xtrace / { print $2 }')
+    set +x
+    echo "distro_install_package $*"
     # Parse additional arguments; once we find the first unknown
     # part we break argument parsing and process all further
     # arguments as package names.
     APT_FLAGS=
     DNF_FLAGS=
+    if [[ "$SPREAD_SYSTEM" == fedora-* ]]; then
+        # Fedora images we use come with a number of preinstalled package, among
+        # them gtk3. Those packages are needed to run the tests. The
+        # xdg-desktop-portal-gtk package uses this in the spec:
+        #
+        #   Supplements:    (gtk3 and (flatpak or snapd))
+        #
+        # As a result, when snapd is installed, we will unintentionally pull in
+        # xdg-desktop-portal-gtk and its dependencies breaking tests. For this
+        # reason, disable weak deps altogether.
+        DNF_FLAGS="--setopt=install_weak_deps=False"
+    fi
+    YUM_FLAGS=
     ZYPPER_FLAGS=
     while [ -n "$1" ]; do
         case "$1" in
@@ -144,6 +219,7 @@
                 APT_FLAGS="$APT_FLAGS --no-install-recommends"
                 DNF_FLAGS="$DNF_FLAGS --setopt=install_weak_deps=False"
                 ZYPPER_FLAGS="$ZYPPER_FLAGS --no-recommends"
+                # TODO no way to set this for yum?
                 shift
                 ;;
             *)
@@ -172,6 +248,7 @@
         ;;
     esac
 
+    # shellcheck disable=SC2207
     pkg_names=($(
         for pkg in "$@" ; do
             package_name=$(distro_name_package "$pkg")
@@ -192,19 +269,29 @@
         fedora-*)
             # shellcheck disable=SC2086
             quiet dnf -y --refresh install $DNF_FLAGS "${pkg_names[@]}"
-                ;;
+            ;;
+        amazon-*|centos-*)
+            # shellcheck disable=SC2086
+            quiet yum -y install $YUM_FLAGS "${pkg_names[@]}"
+            ;;
         opensuse-*)
             # shellcheck disable=SC2086
             quiet zypper install -y $ZYPPER_FLAGS "${pkg_names[@]}"
             ;;
+        arch-*)
+            # shellcheck disable=SC2086
+            pacman -Suq --needed --noconfirm "${pkg_names[@]}"
+            ;;
         *)
             echo "ERROR: Unsupported distribution $SPREAD_SYSTEM"
             exit 1
             ;;
     esac
+    test "$orig_xtrace" = on && set -x
 }
 
 distro_purge_package() {
+    # shellcheck disable=SC2046
     set -- $(
         for pkg in "$@" ; do
             package_name=$(distro_name_package "$pkg")
@@ -225,9 +312,15 @@
             quiet dnf -y remove "$@"
             quiet dnf clean all
             ;;
+        amazon-*|centos-*)
+            quiet yum -y remove "$@"
+            ;;
         opensuse-*)
             quiet zypper remove -y "$@"
             ;;
+        arch-*)
+            pacman -Rnsc --noconfirm "$@"
+            ;;
         *)
             echo "ERROR: Unsupported distribution $SPREAD_SYSTEM"
             exit 1
@@ -244,8 +337,15 @@
             quiet dnf clean all
             quiet dnf makecache
             ;;
+        amazon-*|centos-*)
+            quiet yum clean all
+            quiet yum makecache
+            ;;
         opensuse-*)
-            quiet zypper refresh
+            quiet zypper --gpg-auto-import-keys refresh
+            ;;
+        arch-*)
+            pacman -Syq
             ;;
         *)
             echo "ERROR: Unsupported distribution $SPREAD_SYSTEM"
@@ -259,9 +359,18 @@
         ubuntu-*|debian-*)
             quiet apt-get clean
             ;;
+        fedora-*)
+            dnf clean all
+            ;;
+        amazon-*|centos-*)
+            yum clean all
+            ;;
         opensuse-*)
             zypper -q clean --all
             ;;
+        arch-*)
+            pacman -Sccq --noconfirm
+            ;;
         *)
             echo "ERROR: Unsupported distribution $SPREAD_SYSTEM"
             exit 1
@@ -277,8 +386,13 @@
         fedora-*)
             quiet dnf -y autoremove
             ;;
+        amazon-*|centos-*)
+            quiet yum -y autoremove
+            ;;
         opensuse-*)
             ;;
+        arch-*)
+            ;;
         *)
             echo "ERROR: Unsupported distribution '$SPREAD_SYSTEM'"
             exit 1
@@ -294,9 +408,19 @@
         fedora-*)
             dnf info "$1"
             ;;
+        amazon-*|centos-*)
+            yum info "$1"
+            ;;
         opensuse-*)
             zypper info "$1"
             ;;
+        arch-*)
+            pacman -Si "$1"
+            ;;
+        *)
+            echo "ERROR: Unsupported distribution '$SPREAD_SYSTEM'"
+            exit 1
+            ;;
     esac
 }
 
@@ -321,14 +445,18 @@
                 # shellcheck disable=SC2125
                 packages="${GOHOME}"/snapd_*.deb
                 ;;
-            fedora-*)
+            fedora-*|amazon-*|centos-*)
                 # shellcheck disable=SC2125
-                packages="${GOHOME}"/snap-confine*.rpm\ "${GOPATH}"/snapd*.rpm
+                packages="${GOHOME}"/snap-confine*.rpm\ "${GOPATH%%:*}"/snapd*.rpm
                 ;;
             opensuse-*)
                 # shellcheck disable=SC2125
                 packages="${GOHOME}"/snapd*.rpm
                 ;;
+            arch-*)
+                # shellcheck disable=SC2125
+                packages="${GOHOME}"/snapd*.pkg.tar.xz
+                ;;
             *)
                 exit 1
                 ;;
@@ -337,6 +465,17 @@
         # shellcheck disable=SC2086
         distro_install_local_package $packages
 
+        if [[ "$SPREAD_SYSTEM" == arch-* ]]; then
+            # Arch policy does not allow calling daemon-reloads in package
+            # install scripts
+            systemctl daemon-reload
+
+            # AppArmor policy needs to be reloaded
+            if systemctl show -p ActiveState apparmor.service | MATCH 'ActiveState=active'; then
+                systemctl restart apparmor.service
+            fi
+        fi
+
         # On some distributions the snapd.socket is not yet automatically
         # enabled as we don't have a systemd present configuration approved
         # by the distribution for it in place yet.
@@ -353,9 +492,13 @@
         ubuntu-*|debian-*)
             echo "deb"
             ;;
-        fedora-*|opensuse-*)
+        fedora-*|opensuse-*|amazon-*|centos-*)
             echo "rpm"
             ;;
+        arch-*)
+            # default /etc/makepkg.conf setting
+            echo "pkg.tar.xz"
+            ;;
     esac
 }
 
@@ -365,6 +508,7 @@
         automake
         autotools-dev
         build-essential
+        clang
         curl
         devscripts
         expect
@@ -378,21 +522,26 @@
         libglib2.0-dev
         libseccomp-dev
         libudev-dev
+        man
         netcat-openbsd
         pkg-config
         python3-docutils
         udev
+        udisks2
+        upower
         uuid-runtime
         "
 }
 
 pkg_dependencies_ubuntu_classic(){
     echo "
+        avahi-daemon
         cups
         dbus-x11
         gnome-keyring
         jq
         man
+        nfs-kernel-server
         printer-driver-cups-pdf
         python3-yaml
         upower
@@ -403,77 +552,180 @@
 
     case "$SPREAD_SYSTEM" in
         ubuntu-14.04-*)
-            echo "
-                linux-image-extra-$(uname -r)
-                "
+                pkg_linux_image_extra
             ;;
         ubuntu-16.04-32)
             echo "
-                linux-image-extra-$(uname -r)
+                gccgo-6
+                evolution-data-server
+                gnome-online-accounts
                 "
+                pkg_linux_image_extra
             ;;
         ubuntu-16.04-64)
             echo "
+                evolution-data-server
                 gccgo-6
+                gnome-online-accounts
                 kpartx
                 libvirt-bin
-                linux-image-extra-$(uname -r)
                 qemu
                 x11-utils
                 xvfb
                 "
+                pkg_linux_image_extra
+            ;;
+        ubuntu-17.10-64)
+                pkg_linux_image_extra
+            ;;
+        ubuntu-18.04-64)
+            echo "
+                gccgo-8
+                evolution-data-server
+                "
+            ;;
+        ubuntu-18.10-64)
+            echo "
+                evolution-data-server
+                "
             ;;
         ubuntu-*)
             echo "
-                linux-image-extra-$(uname -r)
+                squashfs-tools
                 "
             ;;
         debian-*)
             echo "
+                evolution-data-server
                 net-tools
                 "
             ;;
     esac
 }
 
+pkg_linux_image_extra (){
+    if apt-cache show "linux-image-extra-$(uname -r)" > /dev/null 2>&1; then
+        echo "linux-image-extra-$(uname -r)";
+    else
+        if apt-cache show "linux-modules-extra-$(uname -r)" > /dev/null 2>&1; then
+            echo "linux-modules-extra-$(uname -r)";
+        else
+            echo "cannot find a matching kernel modules package";
+            exit 1;
+        fi;
+    fi
+}
+
 pkg_dependencies_ubuntu_core(){
     echo "
-        linux-image-extra-$(uname -r)
         pollinate
         "
+        pkg_linux_image_extra
 }
 
 pkg_dependencies_fedora(){
     echo "
+        clang
         curl
         dbus-x11
+        evolution-data-server
         expect
         git
         golang
         jq
+        iptables-services
+        man
         mock
+        net-tools
+        nfs-utils
+        python3-yaml
         redhat-lsb-core
         rpm-build
+        udisks2
+        xdg-user-dirs
+        xdg-utils
+        strace
+        "
+}
+
+pkg_dependencies_amazon(){
+    echo "
+        curl
+        dbus-x11
+        expect
+        git
+        golang
+        grub2-tools
+        jq
+        iptables-services
+        man
+        mock
+        nc
+        net-tools
+        nfs-utils
+        system-lsb-core
+        rpm-build
         xdg-user-dirs
+        xdg-utils
+        udisks2
         "
 }
 
 pkg_dependencies_opensuse(){
     echo "
+        apparmor-profiles
+        clang
         curl
+        evolution-data-server
         expect
         git
         golang-packaging
         jq
         lsb-release
+        man
+        nfs-kernel-server
+        python3-yaml
         netcat-openbsd
         osc
+        udisks2
         uuidd
-        xdg-utils
         xdg-user-dirs
+        xdg-utils
         "
 }
 
+pkg_dependencies_arch(){
+    echo "
+    base-devel
+    bash-completion
+    clang
+    curl
+    evolution-data-server
+    expect
+    git
+    go
+    go-tools
+    jq
+    libseccomp
+    libcap
+    libx11
+    net-tools
+    nfs-utils
+    openbsd-netcat
+    python
+    python-docutils
+    python3-yaml
+    squashfs-tools
+    shellcheck
+    strace
+    udisks2
+    xdg-user-dirs
+    xdg-utils
+    xfsprogs
+    apparmor
+    "
+}
+
 pkg_dependencies(){
     case "$SPREAD_SYSTEM" in
         ubuntu-core-16-*)
@@ -487,9 +739,15 @@
         fedora-*)
             pkg_dependencies_fedora
             ;;
+        amazon-*|centos-*)
+            pkg_dependencies_amazon
+            ;;
         opensuse-*)
             pkg_dependencies_opensuse
             ;;
+        arch-*)
+            pkg_dependencies_arch
+            ;;
         *)
             ;;
     esac
@@ -500,3 +758,34 @@
     # shellcheck disable=SC2086
     distro_install_package $pkgs
 }
+
+# upgrade distribution and indicate if reboot is needed by outputting 'reboot'
+# to stdout
+distro_upgrade() {
+    case "$SPREAD_SYSTEM" in
+        arch-*)
+            # Arch does not support partial upgrades. On top of this, the image
+            # we are running in may have been built some time ago and we need to
+            # upgrade so that the tests are run with the same package versions
+            # as the users will have. We basically need to run pacman -Syu.
+            # Since there is no way to tell if we can continue after upgrading
+            # (eg. the kernel package or systemd got updated ) issue a reboot
+            # instead.
+            #
+            # pacman -Syu --noconfirm on an updated system:
+            # :: Synchronizing package databases...
+            #  core is up to date
+            #  extra is up to date
+            #  community is up to date
+            #  multilib is up to date
+            # :: Starting full system upgrade...
+            #  there is nothing to do  <--- needle
+            if ! pacman -Syu --noconfirm 2>&1 | grep -q "there is nothing to do" ; then
+                echo "reboot"
+            fi
+            ;;
+        *)
+            echo "WARNING: distro upgrade not supported on $SPREAD_SYSTEM"
+            ;;
+    esac
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/prepare-restore.sh snapd-2.37~rc1~14.04/tests/lib/prepare-restore.sh
--- snapd-2.32.3.2~14.04/tests/lib/prepare-restore.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/prepare-restore.sh	2019-01-16 08:36:51.000000000 +0000
@@ -25,6 +25,19 @@
 # shellcheck source=tests/lib/random.sh
 . "$TESTSLIB/random.sh"
 
+# shellcheck source=tests/lib/spread-funcs.sh
+. "$TESTSLIB/spread-funcs.sh"
+
+# shellcheck source=tests/lib/journalctl.sh
+. "$TESTSLIB/journalctl.sh"
+
+# shellcheck source=tests/lib/state.sh
+. "$TESTSLIB/state.sh"
+
+# shellcheck source=tests/lib/systems.sh
+. "$TESTSLIB/systems.sh"
+
+
 ###
 ### Utility functions reused below.
 ###
@@ -41,7 +54,7 @@
                 # unlikely to ever clash with anything, and easy to remember.
                 quiet adduser --uid 12345 --gid 12345 --disabled-password --gecos '' test
                 ;;
-            debian-*|fedora-*|opensuse-*)
+            debian-*|fedora-*|opensuse-*|arch-*|amazon-*|centos-*)
                 quiet useradd -m --uid 12345 --gid 12345 test
                 ;;
             *)
@@ -75,6 +88,10 @@
 build_rpm() {
     distro=$(echo "$SPREAD_SYSTEM" | awk '{split($0,a,"-");print a[1]}')
     release=$(echo "$SPREAD_SYSTEM" | awk '{split($0,a,"-");print a[2]}')
+    if [[ "$SPREAD_SYSTEM" == amazon-linux-2-* ]]; then
+        distro=amzn
+        release=2
+    fi
     arch=x86_64
     base_version="$(head -1 debian/changelog | awk -F '[()]' '{print $2}')"
     version="1337.$base_version"
@@ -85,8 +102,8 @@
     rpm_dir=$(rpm --eval "%_topdir")
 
     case "$SPREAD_SYSTEM" in
-        fedora-*)
-            extra_tar_args="$extra_tar_args --exclude=vendor/"
+        fedora-*|amazon-*|centos-*)
+            extra_tar_args="$extra_tar_args --exclude=vendor/*"
             ;;
         opensuse-*)
             archive_name=snapd_$version.vendor.tar.xz
@@ -104,7 +121,11 @@
     cp -ra -- * "/tmp/pkg/snapd-$version/"
     mkdir -p "$rpm_dir/SOURCES"
     # shellcheck disable=SC2086
-    (cd /tmp/pkg && tar "c${archive_compression}f" "$rpm_dir/SOURCES/$archive_name" "snapd-$version" $extra_tar_args)
+    (cd /tmp/pkg && tar "-c${archive_compression}f" "$rpm_dir/SOURCES/$archive_name" $extra_tar_args "snapd-$version")
+    if [[ "$SPREAD_SYSTEM" == amazon-linux-2-* || "$SPREAD_SYSTEM" == centos-* ]]; then
+        # need to build the vendor tree
+        (cd /tmp/pkg && tar "-cJf" "$rpm_dir/SOURCES/snapd_${version}.only-vendor.tar.xz" "snapd-$version/vendor")
+    fi
     cp "$packaging_path"/* "$rpm_dir/SOURCES/"
 
     # Cleanup all artifacts from previous builds
@@ -131,11 +152,49 @@
         -ba \
         "$packaging_path/snapd.spec"
 
-    cp "$rpm_dir"/RPMS/$arch/snap*.rpm "$GOPATH"
-    if [[ "$SPREAD_SYSTEM" = fedora-* ]]; then
-        # On Fedora we have an additional package for SELinux
-        cp "$rpm_dir"/RPMS/noarch/snap*.rpm "$GOPATH"
-    fi
+    find "$rpm_dir"/RPMS -name '*.rpm' -exec cp -v {} "${GOPATH%%:*}" \;
+}
+
+build_arch_pkg() {
+    base_version="$(head -1 debian/changelog | awk -F '[()]' '{print $2}')"
+    version="1337.$base_version"
+    packaging_path=packaging/arch
+    archive_name=snapd-$version.tar
+
+    rm -rf /tmp/pkg
+    mkdir -p /tmp/pkg/sources/snapd
+    cp -ra -- * /tmp/pkg/sources/snapd/
+
+    # shellcheck disable=SC2086
+    tar -C /tmp/pkg/sources -cf "/tmp/pkg/$archive_name" "snapd"
+    cp "$packaging_path"/* "/tmp/pkg"
+
+    # fixup PKGBUILD which builds a package named snapd-git with dynamic version
+    #  - update pkgname to use snapd
+    #  - kill dynamic version
+    #  - packaging functions are named package_<pkgname>(), update it to package_snapd()
+    #  - update source path to point to local archive instead of git
+    #  - fix package version to $version
+    sed -i \
+        -e "s/^source=.*/source=(\"$archive_name\")/" \
+        -e "s/pkgname=snapd.*/pkgname=snapd/" \
+        -e "s/pkgver=.*/pkgver=$version/" \
+        -e "s/package_snapd-git()/package_snapd()/" \
+        /tmp/pkg/PKGBUILD
+    # comment out automatic package version update block `pkgver() { ... }` as
+    # it's only useful when building the package manually
+    awk '
+    /BEGIN/ { strip = 0; last = 0 }
+    /pkgver\(\)/ { strip = 1 }
+    /^}/ { if (strip) last = 1 }
+    // { if (strip) { print "#" $0; if (last) { last = 0; strip = 0}} else { print $0}}
+    ' < /tmp/pkg/PKGBUILD > /tmp/pkg/PKGBUILD.tmp
+    mv /tmp/pkg/PKGBUILD.tmp /tmp/pkg/PKGBUILD
+
+    chown -R test:test /tmp/pkg
+    su -l -c "cd /tmp/pkg && WITH_TEST_KEYS=1 makepkg -f --nocheck" test
+
+    cp /tmp/pkg/snapd*.pkg.tar.xz "${GOPATH%%:*}"
 }
 
 download_from_published(){
@@ -183,6 +242,9 @@
         exit 1
     fi
 
+    # Prepare the state directories for execution
+    prepare_state
+
     # declare the "quiet" wrapper
 
     if [ "$SPREAD_BACKEND" = external ]; then
@@ -214,6 +276,34 @@
 
     distro_update_package_db
 
+    if [[ "$SPREAD_SYSTEM" == arch-* ]]; then
+        # perform system upgrade on Arch so that we run with most recent kernel
+        # and userspace
+        if [[ "$SPREAD_REBOOT" == 0 ]]; then
+            if distro_upgrade | MATCH "reboot"; then
+                echo "system upgraded, reboot required"
+                REBOOT
+            fi
+            # arch uses a single kernel package which could have gotten updated
+            # just now, reboot in case we're still on the old kernel
+            if [ ! -d "/lib/modules/$(uname -r)" ]; then
+                echo "rebooting to new kernel"
+                REBOOT
+            fi
+        fi
+        # double check we are running the installed kernel
+        # NOTE: LOCALVERSION is set by scripts/setlocalversion and loos like
+        # 4.17.11-arch1, since this may not match pacman -Qi output, we'll list
+        # the files within the package instead
+        # pacman -Ql linux output:
+        # ...
+        # linux /usr/lib/modules/4.17.11-arch1/modules.alias
+        if [[ "$(pacman -Ql linux | cut -f2 -d' ' |grep '/usr/lib/modules/.*/modules'|cut -f5 -d/ | uniq)" != "$(uname -r)" ]]; then
+            echo "running unexpected kernel version $(uname -r)"
+            exit 1
+        fi
+    fi
+
     if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
         if [ ! -d packaging/ubuntu-14.04 ]; then
             echo "no packaging/ubuntu-14.04/ directory "
@@ -247,8 +337,8 @@
     esac
 
     # update vendoring
-    if [ -z "$(which govendor)" ]; then
-        rm -rf "$GOPATH/src/github.com/kardianos/govendor"
+    if [ -z "$(command -v govendor)" ]; then
+        rm -rf "${GOPATH%%:*}/src/github.com/kardianos/govendor"
         go get -u github.com/kardianos/govendor
     fi
     quiet govendor sync
@@ -260,9 +350,12 @@
             ubuntu-*|debian-*)
                 build_deb
                 ;;
-            fedora-*|opensuse-*)
+            fedora-*|opensuse-*|amazon-*|centos-*)
                 build_rpm
                 ;;
+            arch-*)
+                build_arch_pkg
+                ;;
             *)
                 echo "ERROR: No build instructions available for system $SPREAD_SYSTEM"
                 exit 1
@@ -286,53 +379,75 @@
     go get ./tests/lib/fakedevicesvc
     go get ./tests/lib/systemd-escape
 
-    # disable journald rate limiting
-    mkdir -p /etc/systemd/journald.conf.d/
+    # Disable journald rate limiting
+    mkdir -p /etc/systemd/journald.conf.d
+    # The RateLimitIntervalSec key is not supported on some systemd versions causing
+    # the journal rate limit could be considered as not valid and discarded in concecuence.
+    # RateLimitInterval key is supported in old systemd versions and in new ones as well,
+    # maintaining backward compatibility.
     cat <<-EOF > /etc/systemd/journald.conf.d/no-rate-limit.conf
     [Journal]
-    RateLimitIntervalSec=0
+    RateLimitInterval=0
     RateLimitBurst=0
 EOF
     systemctl restart systemd-journald.service
 }
 
 prepare_project_each() {
-    # We want to rotate the logs so that when inspecting or dumping them we
-    # will just see logs since the test has started.
+    # Clear the kernel ring buffer.
+    dmesg -c > /dev/null
+
+    fixup_dev_random
+}
+
+prepare_suite() {
+    # shellcheck source=tests/lib/prepare.sh
+    . "$TESTSLIB"/prepare.sh
+    if is_core_system; then
+        prepare_ubuntu_core
+    else
+        prepare_classic
+    fi
+}
+
+prepare_suite_each() {
+    # save the job which is going to be executed in the system
+    echo -n "$SPREAD_JOB " >> "$RUNTIME_STATE_PATH/runs"
+    # shellcheck source=tests/lib/reset.sh
+    "$TESTSLIB"/reset.sh --reuse-core
+    # Reset systemd journal cursor.
+    start_new_journalctl_log
+    # shellcheck source=tests/lib/prepare.sh
+    . "$TESTSLIB"/prepare.sh
+    if is_classic_system; then
+        prepare_each_classic
+    fi
+    # Check if journalctl is ready to run the test
+    check_journalctl_ready
 
-    # Clear the systemd journal. Unfortunately the deputy-systemd on Ubuntu
-    # 14.04 does not know about --rotate or --vacuum-time so we need to remove
-    # the journal the hard way.
     case "$SPREAD_SYSTEM" in
-        ubuntu-14.04-*)
-            # Force a log rotation with small size
-            sed -i.bak s/#SystemMaxUse=/SystemMaxUse=1K/g /etc/systemd/journald.conf
-            systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service
-
-            # Restore the initial configuration and rotate logs
-            mv /etc/systemd/journald.conf.bak /etc/systemd/journald.conf
-            systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service
-
-            # Remove rotated journal logs
-            systemctl stop systemd-journald.service
-            find /run/log/journal/ -name "*@*.journal" -delete
-            systemctl start systemd-journald.service
-            ;;
-        *)
-            # per journalctl's implementation, --rotate and --sync 'override'
-            # each other if used in a single command, with the one appearing
-            # later being effective
-            journalctl --sync
-            journalctl --rotate
-            sleep .1
-            journalctl --vacuum-time=1ms
+        fedora-*|centos-*|amazon-*)
+            ausearch -m AVC --checkpoint "$RUNTIME_STATE_PATH/audit-stamp" || true
             ;;
     esac
+}
 
-    # Clear the kernel ring buffer.
-    dmesg -c > /dev/null
+restore_suite_each() {
+    rm -f "$RUNTIME_STATE_PATH/audit-stamp"
+}
 
-    fixup_dev_random
+restore_suite() {
+    # shellcheck source=tests/lib/reset.sh
+    "$TESTSLIB"/reset.sh --store
+    if is_classic_system; then
+        # shellcheck source=tests/lib/pkgdb.sh
+        . "$TESTSLIB"/pkgdb.sh
+        distro_purge_package snapd
+        if [[ "$SPREAD_SYSTEM" != opensuse-* && "$SPREAD_SYSTEM" != arch-* ]]; then
+            # A snap-confine package never existed on openSUSE or Arch
+            distro_purge_package snap-confine
+        fi
+    fi
 }
 
 restore_project_each() {
@@ -359,13 +474,30 @@
         cat /proc/meminfo
         exit 1
     fi
+
+    # check if there is a shutdown pending, no test should trigger this
+    # and it leads to very confusing test failures
+    if [ -e /run/systemd/shutdown/scheduled ]; then
+        echo "Test triggered a shutdown, this should not happen"
+        snap changes
+        exit 1
+    fi
+
+    # Check for kernel oops during the tests
+    if dmesg|grep "Oops: "; then
+        echo "A kernel oops happened during the tests, test results will be unreliable"
+        echo "Dmesg debug output:"
+        dmesg
+        exit 1
+    fi
+
+    # Something is hosing the filesystem so look for signs of that
+    ! grep -F "//deleted /etc" /proc/self/mountinfo
 }
 
 restore_project() {
-    # We use a trick to accelerate prepare/restore code in certain suites. That
-    # code uses a tarball to store the vanilla state. Here we just remove this
-    # tarball.
-    rm -f "$SPREAD_PATH/snapd-state.tar.gz"
+    # Delete the snapd state used to accelerate prepare/restore code in certain suites. 
+    delete_snapd_state
 
     # Remove all of the code we pushed and any build results. This removes
     # stale files and we cannot do incremental builds anyway so there's little
@@ -385,6 +517,18 @@
     --prepare-project-each)
         prepare_project_each
         ;;
+    --prepare-suite)
+        prepare_suite
+        ;;
+    --prepare-suite-each)
+        prepare_suite_each
+        ;;
+    --restore-suite-each)
+        restore_suite_each
+        ;;
+    --restore-suite)
+        restore_suite
+        ;;
     --restore-project-each)
         restore_project_each
         ;;
@@ -393,7 +537,7 @@
         ;;
     *)
         echo "unsupported argument: $1"
-        echo "try one of --{prepare,restore}-project{,-each}"
+        echo "try one of --{prepare,restore}-{project,suite}{,-each}"
         exit 1
         ;;
 esac
diff -Nru snapd-2.32.3.2~14.04/tests/lib/prepare.sh snapd-2.37~rc1~14.04/tests/lib/prepare.sh
--- snapd-2.32.3.2~14.04/tests/lib/prepare.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/prepare.sh	2019-01-16 08:36:51.000000000 +0000
@@ -10,6 +10,13 @@
 . "$TESTSLIB/pkgdb.sh"
 # shellcheck source=tests/lib/boot.sh
 . "$TESTSLIB/boot.sh"
+# shellcheck source=tests/lib/spread-funcs.sh
+. "$TESTSLIB/spread-funcs.sh"
+# shellcheck source=tests/lib/state.sh
+. "$TESTSLIB/state.sh"
+# shellcheck source=tests/lib/systems.sh
+. "$TESTSLIB/systems.sh"
+
 
 disable_kernel_rate_limiting() {
     # kernel rate limiting hinders debugging security policy so turn it off
@@ -20,11 +27,22 @@
     #sysctl -w kernel.printk_ratelimit=0
 }
 
-disable_refreshes() {
-    echo "Ensure jq is available"
-    if ! which jq; then
+ensure_jq() {
+    if command -v jq; then
+        return
+    fi
+
+    if is_core18_system; then
+        snap install --devmode jq-core18
+        snap alias jq-core18.jq jq
+    else
         snap install --devmode jq
     fi
+}
+
+disable_refreshes() {
+    echo "Ensure jq is available"
+    ensure_jq
 
     echo "Modify state to make it look like the last refresh just happened"
     systemctl stop snapd.socket snapd.service
@@ -34,17 +52,17 @@
 
     echo "Minimize risk of hitting refresh schedule"
     snap set core refresh.schedule=00:00-23:59
-    snap refresh --time|MATCH "last: 2[0-9]{3}"
+    snap refresh --time --abs-time | MATCH "last: 2[0-9]{3}"
 
     echo "Ensure jq is gone"
-    snap remove jq
+    snap remove jq jq-core18
 }
 
 setup_systemd_snapd_overrides() {
     START_LIMIT_INTERVAL="StartLimitInterval=0"
-    if [[ "$SPREAD_SYSTEM" = opensuse-42.2-* ]]; then
+    if [[ "$SPREAD_SYSTEM" =~ opensuse-42.[23]-* ]]; then
         # StartLimitInterval is not supported by the systemd version
-        # openSUSE 42.2 ships.
+        # openSUSE 42.2/3 ship.
         START_LIMIT_INTERVAL=""
     fi
 
@@ -53,7 +71,7 @@
 [Unit]
 $START_LIMIT_INTERVAL
 [Service]
-Environment=SNAPD_DEBUG_HTTP=7 SNAPD_DEBUG=1 SNAPPY_TESTING=1 SNAPD_CONFIGURE_HOOK_TIMEOUT=30s SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE
+Environment=SNAPD_DEBUG_HTTP=7 SNAPD_DEBUG=1 SNAPPY_TESTING=1 SNAPD_REBOOT_DELAY=10m SNAPD_CONFIGURE_HOOK_TIMEOUT=30s SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE
 ExecStartPre=/bin/touch /dev/iio:device0
 EOF
     mkdir -p /etc/systemd/system/snapd.socket.d
@@ -63,9 +81,12 @@
 EOF
 
     # We change the service configuration so reload and restart
-    # the snapd socket unit to get them applied
+    # the units to get them applied
     systemctl daemon-reload
-    systemctl restart snapd.socket
+    # stop the socket (it pulls down the service)
+    systemctl stop snapd.socket
+    # start the service (it pulls up the socket)
+    systemctl start snapd.service
 }
 
 update_core_snap_for_classic_reexec() {
@@ -87,13 +108,24 @@
     umount --verbose "$core"
 
     # Now unpack the core, inject the new snap-exec/snapctl into it
-    unsquashfs "$snap"
-    # clean the old snapd libexec binaries, just in case
-    rm squashfs-root/usr/lib/snapd/*
-    # and copy in the current ones
+    unsquashfs -no-progress "$snap"
+    # clean the old snapd binaries, just in case
+    rm squashfs-root/usr/lib/snapd/* squashfs-root/usr/bin/snap
+    # and copy in the current libexec
     cp -a "$LIBEXECDIR"/snapd/* squashfs-root/usr/lib/snapd/
+    case "$SPREAD_SYSTEM" in
+        fedora-*|centos-*|amazon-*)
+            # RPM can rewrite shebang to #!/usr/bin/sh
+            sed -i -e '1 s;#!/usr/bin/sh;#!/bin/sh;' squashfs-root/usr/lib/snapd/snap-device-helper
+            ;;
+    esac
     # also the binaries themselves
-    cp -a /usr/bin/{snap,snapctl} squashfs-root/usr/bin/
+    cp -a /usr/bin/snap squashfs-root/usr/bin/
+    # make sure bin/snapctl is a symlink to lib/
+    if [ ! -L squashfs-root/usr/bin/snapctl ]; then
+        rm -f squashfs-root/usr/bin/snapctl
+        ln -s ../lib/snapd/snapctl squashfs-root/usr/bin/snapctl
+    fi
 
     case "$SPREAD_SYSTEM" in
         ubuntu-*|debian-*)
@@ -113,9 +145,23 @@
             ;;
     esac
 
+    case "$SPREAD_SYSTEM" in
+        fedora-*|centos-*|amazon-*)
+            if selinuxenabled ; then
+                # On these systems just unpacking core snap to $HOME will
+                # automatically apply user_home_t label on all the contents of the
+                # snap; since we cannot drop xattrs when calling mksquashfs, make
+                # sure that we relabel the contents in way that a squashfs image
+                # without any labels would look like: system_u:object_r:unlabeled_t
+                chcon -R -u system_u -r object_r -t unlabeled_t squashfs-root
+            fi
+            ;;
+    esac
+
     # repack, cheating to speed things up (4sec vs 1.5min)
     mv "$snap" "${snap}.orig"
     mksnap_fast "squashfs-root" "$snap"
+    chmod --reference="${snap}.orig" "$snap"
     rm -rf squashfs-root
 
     # Now mount the new core snap, first discarding the old mount namespace
@@ -181,6 +227,17 @@
         exit 1
     fi
 
+    # Some systems (google:ubuntu-16.04-64) ship with a broken sshguard
+    # unit. Stop the broken unit to not confuse the "degraded-boot" test.
+    #
+    # FIXME: fix the ubuntu-16.04-64 image
+    if systemctl list-unit-files | grep sshguard.service; then
+        if ! systemctl status sshguard.service; then
+            systemctl stop sshguard.service
+	    systemctl reset-failed sshguard.service
+        fi
+    fi
+
     setup_systemd_snapd_overrides
 
     if [ "$REMOTE_STORE" = staging ]; then
@@ -194,7 +251,10 @@
     fi
 
     # Snapshot the state including core.
-    if [ ! -f "$SPREAD_PATH/snapd-state.tar.gz" ]; then
+    if ! is_snapd_state_saved; then
+        # need to be seeded to proceed with snap install
+        # also make sure the captured state is seeded
+        snap wait system seed.loaded
         # Pre-cache a few heavy snaps so that they can be installed by tests
         # quickly. This relies on a behavior of snapd where .partial files are
         # used for resuming downloads.
@@ -208,7 +268,7 @@
             done
             # Copy all of the snaps back to the spool directory. From there we
             # will reuse them during subsequent `snap install` operations.
-            cp *.snap /var/lib/snapd/snaps/
+            cp -- *.snap /var/lib/snapd/snaps/
             set +x
         )
 
@@ -235,65 +295,78 @@
         fi
 
         systemctl stop snapd.{service,socket}
-        systemctl daemon-reload
-        escaped_snap_mount_dir="$(systemd-escape --path "$SNAP_MOUNT_DIR")"
-        units="$(systemctl list-unit-files --full | grep -e "^$escaped_snap_mount_dir[-.].*\.mount" -e "^$escaped_snap_mount_dir[-.].*\.service" | cut -f1 -d ' ')"
-        for unit in $units; do
-            systemctl stop "$unit"
-        done
-        snapd_env="/etc/environment /etc/systemd/system/snapd.service.d /etc/systemd/system/snapd.socket.d"
-        snap_confine_profiles="$(ls /etc/apparmor.d/snap.core.* || true)"
-        # shellcheck disable=SC2086
-        tar cf "$SPREAD_PATH"/snapd-state.tar.gz /var/lib/snapd "$SNAP_MOUNT_DIR" /etc/systemd/system/"$escaped_snap_mount_dir"-*core*.mount /etc/systemd/system/multi-user.target.wants/"$escaped_snap_mount_dir"-*core*.mount $snap_confine_profiles $snapd_env
-        systemctl daemon-reload # Workaround for http://paste.ubuntu.com/17735820/
-        core="$(readlink -f "$SNAP_MOUNT_DIR/core/current")"
-        # on 14.04 it is possible that the core snap is still mounted at this point, unmount
-        # to prevent errors starting the mount unit
-        if [[ "$SPREAD_SYSTEM" = ubuntu-14.04-* ]] && mount | grep -q "$core"; then
-            umount "$core" || true
-        fi
-        for unit in $units; do
-            systemctl start "$unit"
-        done
+        save_snapd_state
         systemctl start snapd.socket
     fi
 
     disable_kernel_rate_limiting
+
+    if [[ "$SPREAD_SYSTEM" == arch-* ]]; then
+        # Arch packages do not ship empty directories by default, hence there is
+        # no /etc/dbus-1/system.d what prevents dbus from properly establishing
+        # inotify watch on that path
+        mkdir -p /etc/dbus-1/system.d
+        systemctl reload dbus.service
+    fi
 }
 
 setup_reflash_magic() {
-        # install the stuff we need
-        distro_install_package kpartx busybox-static
-        distro_install_local_package "$GOHOME"/snapd_*.deb
-        distro_clean_package_cache
-
-        snap install "--${CORE_CHANNEL}" core
-
-        # install ubuntu-image
-        snap install --classic --edge ubuntu-image
-
-        # needs to be under /home because ubuntu-device-flash
-        # uses snap-confine and that will hide parts of the hostfs
-        IMAGE_HOME=/home/image
-        mkdir -p "$IMAGE_HOME"
-
+    # install the stuff we need
+    distro_install_package kpartx busybox-static
+    distro_install_local_package "$GOHOME"/snapd_*.deb
+    distro_clean_package_cache
+
+    # need to be seeded to proceed with snap install
+    snap wait system seed.loaded
+
+    # we cannot use "names.sh" here because no snaps are installed yet
+    core_name="core"
+    if is_core18_system; then
+        snap download "--channel=${SNAPD_CHANNEL}" snapd
+        core_name="core18"
+    fi
+    snap install "--channel=${CORE_CHANNEL}" "$core_name"
+
+    # install ubuntu-image
+    snap install --classic --edge ubuntu-image
+
+    # needs to be under /home because ubuntu-device-flash
+    # uses snap-confine and that will hide parts of the hostfs
+    IMAGE_HOME=/home/image
+    mkdir -p "$IMAGE_HOME"
+
+    # ensure that ubuntu-image is using our test-build of snapd with the
+    # test keys and not the bundled version of usr/bin/snap from the snap.
+    # Note that we can not put it into /usr/bin as '/usr' is different
+    # when the snap uses confinement.
+    cp /usr/bin/snap "$IMAGE_HOME"
+    export UBUNTU_IMAGE_SNAP_CMD="$IMAGE_HOME/snap"
+
+    if is_core18_system; then
+        # modify the snapd snap so that it has our snapd
+        UNPACK_DIR="/tmp/snapd-snap"
+        unsquashfs -no-progress -d "$UNPACK_DIR" snapd_*.snap
+        dpkg-deb -x "$SPREAD_PATH"/../snapd_*.deb "$UNPACK_DIR"
+        snap pack "$UNPACK_DIR" "$IMAGE_HOME"
+        
+        # FIXME: fetch directly once its in the assertion service
+        cp "$TESTSLIB/assertions/ubuntu-core-18-amd64.model" "$IMAGE_HOME/pc.model"
+        IMAGE=core18-amd64.img
+    else
         # modify the core snap so that the current root-pw works there
         # for spread to do the first login
-        UNPACKD="/tmp/core-snap"
-        unsquashfs -d "$UNPACKD" /var/lib/snapd/snaps/core_*.snap
-
-        # FIXME: netplan workaround
-        mkdir -p "$UNPACKD/etc/netplan"
+        UNPACK_DIR="/tmp/core-snap"
+        unsquashfs -no-progress -d "$UNPACK_DIR" /var/lib/snapd/snaps/core_*.snap
 
         # FIXME: install would be better but we don't have dpkg on
         #        the image
-        # unpack our freshly build snapd into the new core snap
-        dpkg-deb -x "$SPREAD_PATH"/../snapd_*.deb "$UNPACKD"
+        # unpack our freshly build snapd into the new snapd snap
+        dpkg-deb -x "$SPREAD_PATH"/../snapd_*.deb "$UNPACK_DIR"
         # ensure any new timer units are available
-        cp -a /etc/systemd/system/timers.target.wants/*.timer "$UNPACKD/etc/systemd/system/timers.target.wants"
+        cp -a /etc/systemd/system/timers.target.wants/*.timer "$UNPACK_DIR/etc/systemd/system/timers.target.wants"
 
         # add gpio and iio slots
-        cat >> "$UNPACKD/meta/snap.yaml" <<-EOF
+        cat >> "$UNPACK_DIR/meta/snap.yaml" <<-EOF
 slots:
     gpio-pin:
         interface: gpio
@@ -305,89 +378,126 @@
 EOF
 
         # build new core snap for the image
-        snap pack "$UNPACKD" "$IMAGE_HOME"
+        snap pack "$UNPACK_DIR" "$IMAGE_HOME"
 
         # FIXME: fetch directly once its in the assertion service
         cp "$TESTSLIB/assertions/pc-${REMOTE_STORE}.model" "$IMAGE_HOME/pc.model"
 
         # FIXME: how to test store updated of ubuntu-core with sideloaded snap?
         IMAGE=all-snap-amd64.img
+    fi
 
-        # ensure that ubuntu-image is using our test-build of snapd with the
-        # test keys and not the bundled version of usr/bin/snap from the snap.
-        # Note that we can not put it into /usr/bin as '/usr' is different
-        # when the snap uses confinement.
-        cp /usr/bin/snap "$IMAGE_HOME"
-        export UBUNTU_IMAGE_SNAP_CMD="$IMAGE_HOME/snap"
-
-        EXTRA_FUNDAMENTAL=
-        IMAGE_CHANNEL=edge
-        if [ "$KERNEL_CHANNEL" = "$GADGET_CHANNEL" ]; then
-            IMAGE_CHANNEL="$KERNEL_CHANNEL"
-        else
-            # download pc-kernel snap for the specified channel and set ubuntu-image channel
-            # to gadget, so that we don't need to download it
-            snap download --channel="$KERNEL_CHANNEL" pc-kernel
+    EXTRA_FUNDAMENTAL=
+    IMAGE_CHANNEL=edge
+    if [ "$KERNEL_CHANNEL" = "$GADGET_CHANNEL" ]; then
+        IMAGE_CHANNEL="$KERNEL_CHANNEL"
+    else
+        # download pc-kernel snap for the specified channel and set
+        # ubuntu-image channel to that of the gadget, so that we don't
+        # need to download it
+        snap download --channel="$KERNEL_CHANNEL" pc-kernel
+        
+        EXTRA_FUNDAMENTAL="--extra-snaps $PWD/pc-kernel_*.snap"
+        IMAGE_CHANNEL="$GADGET_CHANNEL"
+    fi
+
+    # 'snap pack' creates snaps 0644, and ubuntu-image just copies those in
+    # maybe we should fix one or both of those, but for now this'll do
+    chmod 0600 "$IMAGE_HOME"/*.snap
+
+    # on core18 we need to use the modified snapd snap and on core16
+    # it is the modified core that contains our freshly build snapd
+    if is_core18_system; then
+        extra_snap=("$IMAGE_HOME"/snapd_*.snap)
+    else
+        extra_snap=("$IMAGE_HOME"/core_*.snap)
+    fi
 
-            EXTRA_FUNDAMENTAL="--extra-snaps $PWD/pc-kernel_*.snap"
-            IMAGE_CHANNEL="$GADGET_CHANNEL"
-        fi
+    # extra_snap should contain only ONE snap
+    if [ "${#extra_snap[@]}" -ne 1 ]; then
+        echo "unexpected number of globbed snaps: ${extra_snap[*]}"
+        exit 1
+    fi
 
-        /snap/bin/ubuntu-image -w "$IMAGE_HOME" "$IMAGE_HOME/pc.model" \
-                               --channel "$IMAGE_CHANNEL" \
-                               "$EXTRA_FUNDAMENTAL" \
-                               --extra-snaps "$IMAGE_HOME"/core_*.snap \
-                               --output "$IMAGE_HOME/$IMAGE"
-        rm -f ./pc-kernel_*.{snap,assert} ./pc_*.{snap,assert}
-
-        # mount fresh image and add all our SPREAD_PROJECT data
-        kpartx -avs "$IMAGE_HOME/$IMAGE"
-        # FIXME: hardcoded mapper location, parse from kpartx
+    /snap/bin/ubuntu-image -w "$IMAGE_HOME" "$IMAGE_HOME/pc.model" \
+                           --channel "$IMAGE_CHANNEL" \
+                           "$EXTRA_FUNDAMENTAL" \
+                           --extra-snaps "${extra_snap[0]}" \
+                           --output "$IMAGE_HOME/$IMAGE"
+    rm -f ./pc-kernel_*.{snap,assert} ./pc_*.{snap,assert}
+
+    # mount fresh image and add all our SPREAD_PROJECT data
+    kpartx -avs "$IMAGE_HOME/$IMAGE"
+    # FIXME: hardcoded mapper location, parse from kpartx
+    if is_core18_system; then
+        mount /dev/mapper/loop3p3 /mnt
+    else
         mount /dev/mapper/loop2p3 /mnt
-        mkdir -p /mnt/user-data/
-        cp -ar /home/gopath /mnt/user-data/
-
-        # create test user and ubuntu user inside the writable partition
-        # so that we can use a stock core in tests
-        mkdir -p /mnt/user-data/test
-
-        # create test user, see the comment in spread.yaml about 12345
-        mkdir -p /mnt/system-data/etc/sudoers.d/
-        echo 'test ALL=(ALL) NOPASSWD:ALL' >> /mnt/system-data/etc/sudoers.d/99-test-user
-        echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' >> /mnt/system-data/etc/sudoers.d/99-ubuntu-user
-        # modify sshd so that we can connect as root
-        mkdir -p /mnt/system-data/etc/ssh
-        cp -a "$UNPACKD"/etc/ssh/* /mnt/system-data/etc/ssh/
-        sed -i 's/\(PermitRootLogin\|PasswordAuthentication\)\>.*/\1 yes/' /mnt/system-data/etc/ssh/sshd_config
-
-        # build the user database - this is complicated because:
-        # - spread on linode wants to login as "root"
-        # - "root" login on the stock core snap is disabled
-        # - uids between classic/core differ
-        # - passwd,shadow on core are read-only
-        # - we cannot add root to extrausers as system passwd is searched first
-        # - we need to add our ubuntu and test users too
-        # So we create the user db we need in /root/test-etc/*:
-        # - take core passwd without "root"
-        # - append root
-        # - make sure the group matches
-        # - bind mount /root/test-etc/* to /etc/* via custom systemd job
-        # We also create /var/lib/extrausers/* and append ubuntu,test there
-        mkdir -p /mnt/system-data/root/test-etc
-        mkdir -p /mnt/system-data/var/lib/extrausers/
-        touch /mnt/system-data/var/lib/extrausers/sub{uid,gid}
-        mkdir -p /mnt/system-data/etc/systemd/system/multi-user.target.wants
-        for f in group gshadow passwd shadow; do
-            # the passwd from core without root
-            tail -n +2 "$UNPACKD/etc/$f" > /mnt/system-data/root/test-etc/$f
-            # append this systems root user so that linode can connect
-            head -n1 /etc/$f >> /mnt/system-data/root/test-etc/$f
-
-            # make sure the group is as expected
-            chgrp --reference "$UNPACKD/etc/$f" /mnt/system-data/root/test-etc/$f
-            # now bind mount read-only those passwd files on boot
-            cat <<EOF > /mnt/system-data/etc/systemd/system/etc-$f.mount
-[Unit]
+    fi
+    mkdir -p /mnt/user-data/
+    # copy over everything from gopath to user-data, exclude:
+    # - VCS files
+    # - built debs
+    # - golang archive files and built packages dir
+    # - govendor .cache directory and the binary,
+    rsync -a -C \
+          --exclude '*.a' \
+          --exclude '*.deb' \
+          --exclude /gopath/.cache/ \
+          --exclude /gopath/bin/govendor \
+          --exclude /gopath/pkg/ \
+          /home/gopath /mnt/user-data/
+        
+    # now modify the image
+    if is_core18_system; then
+        UNPACK_DIR="/tmp/core18-snap"
+        unsquashfs -no-progress -d "$UNPACK_DIR" /var/lib/snapd/snaps/core18_*.snap
+    fi
+
+    # create test user and ubuntu user inside the writable partition
+    # so that we can use a stock core in tests
+    mkdir -p /mnt/user-data/test
+
+    # create test user, see the comment in spread.yaml about 12345
+    mkdir -p /mnt/system-data/etc/sudoers.d/
+    echo 'test ALL=(ALL) NOPASSWD:ALL' >> /mnt/system-data/etc/sudoers.d/99-test-user
+    echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' >> /mnt/system-data/etc/sudoers.d/99-ubuntu-user
+    # modify sshd so that we can connect as root
+    mkdir -p /mnt/system-data/etc/ssh
+    cp -a "$UNPACK_DIR"/etc/ssh/* /mnt/system-data/etc/ssh/
+    # core18 is different here than core16
+    sed -i 's/\#\?\(PermitRootLogin\|PasswordAuthentication\)\>.*/\1 yes/' /mnt/system-data/etc/ssh/sshd_config
+    # ensure the setting is correct
+    grep '^PermitRootLogin yes' /mnt/system-data/etc/ssh/sshd_config
+
+    # build the user database - this is complicated because:
+    # - spread on linode wants to login as "root"
+    # - "root" login on the stock core snap is disabled
+    # - uids between classic/core differ
+    # - passwd,shadow on core are read-only
+    # - we cannot add root to extrausers as system passwd is searched first
+    # - we need to add our ubuntu and test users too
+    # So we create the user db we need in /root/test-etc/*:
+    # - take core passwd without "root"
+    # - append root
+    # - make sure the group matches
+    # - bind mount /root/test-etc/* to /etc/* via custom systemd job
+    # We also create /var/lib/extrausers/* and append ubuntu,test there
+    mkdir -p /mnt/system-data/root/test-etc
+    mkdir -p /mnt/system-data/var/lib/extrausers/
+    touch /mnt/system-data/var/lib/extrausers/sub{uid,gid}
+    mkdir -p /mnt/system-data/etc/systemd/system/multi-user.target.wants
+    for f in group gshadow passwd shadow; do
+        # the passwd from core without root
+        grep -v "^root:" "$UNPACK_DIR/etc/$f" > /mnt/system-data/root/test-etc/"$f"
+        # append this systems root user so that linode can connect
+        grep "^root:" /etc/"$f" >> /mnt/system-data/root/test-etc/"$f"
+        
+        # make sure the group is as expected
+        chgrp --reference "$UNPACK_DIR/etc/$f" /mnt/system-data/root/test-etc/"$f"
+        # now bind mount read-only those passwd files on boot
+        cat >/mnt/system-data/etc/systemd/system/etc-"$f".mount <<EOF
+[Unit]  
 Description=Mount root/test-etc/$f over system etc/$f
 Before=ssh.service
 
@@ -400,39 +510,40 @@
 [Install]
 WantedBy=multi-user.target
 EOF
-            ln -s /etc/systemd/system/etc-$f.mount /mnt/system-data/etc/systemd/system/multi-user.target.wants/etc-$f.mount
-
-            # create /var/lib/extrausers/$f
-            # append ubuntu, test user for the testing
-            cp -a "$UNPACKD/var/lib/extrausers/$f" /mnt/system-data/var/lib/extrausers/$f
-            tail -n2 /etc/$f >> /mnt/system-data/var/lib/extrausers/$f
-
-        done
-
-        # ensure spread -reuse works in the core image as well
-        if [ -e /.spread.yaml ]; then
-            cp -av /.spread.yaml /mnt/system-data
-        fi
+        ln -s /etc/systemd/system/etc-"$f".mount /mnt/system-data/etc/systemd/system/multi-user.target.wants/etc-"$f".mount
+        
+        # create /var/lib/extrausers/$f
+        # append ubuntu, test user for the testing
+        grep "^test:" /etc/$f >> /mnt/system-data/var/lib/extrausers/"$f"
+        grep "^ubuntu:" /etc/$f >> /mnt/system-data/var/lib/extrausers/"$f"
+        # check test was copied
+        MATCH "^test:" </mnt/system-data/var/lib/extrausers/"$f"
+        MATCH "^ubuntu:" </mnt/system-data/var/lib/extrausers/"$f"
+    done
 
-        # using symbolic names requires test:test have the same ids
-        # inside and outside which is a pain (see 12345 above), but
-        # using the ids directly is the wrong kind of fragile
-        chown --verbose test:test /mnt/user-data/test
-
-        # we do what sync-dirs is normally doing on boot, but because
-        # we have subdirs/files in /etc/systemd/system (created below)
-        # the writeable-path sync-boot won't work
-        mkdir -p /mnt/system-data/etc/systemd
-        (cd /tmp ; unsquashfs -v "$IMAGE_HOME"/core_*.snap etc/systemd/system)
-        cp -avr /tmp/squashfs-root/etc/systemd/system /mnt/system-data/etc/systemd/
-
-
-        umount /mnt
-        kpartx -d  "$IMAGE_HOME/$IMAGE"
-
-        # the reflash magic
-        # FIXME: ideally in initrd, but this is good enough for now
-        cat > "$IMAGE_HOME/reflash.sh" << EOF
+    # ensure spread -reuse works in the core image as well
+    if [ -e /.spread.yaml ]; then
+        cp -av /.spread.yaml /mnt/system-data
+    fi
+
+    # using symbolic names requires test:test have the same ids
+    # inside and outside which is a pain (see 12345 above), but
+    # using the ids directly is the wrong kind of fragile
+    chown --verbose test:test /mnt/user-data/test
+    
+    # we do what sync-dirs is normally doing on boot, but because
+    # we have subdirs/files in /etc/systemd/system (created below)
+    # the writeable-path sync-boot won't work
+    mkdir -p /mnt/system-data/etc/systemd
+
+    (cd /tmp ; unsquashfs -no-progress -v  /var/lib/snapd/snaps/"$core_name"_*.snap etc/systemd/system)
+    cp -avr /tmp/squashfs-root/etc/systemd/system /mnt/system-data/etc/systemd/
+    umount /mnt
+    kpartx -d  "$IMAGE_HOME/$IMAGE"
+
+    # the reflash magic
+    # FIXME: ideally in initrd, but this is good enough for now
+    cat > "$IMAGE_HOME/reflash.sh" << EOF
 #!/bin/sh -ex
 mount -t tmpfs none /tmp
 cp /bin/busybox /tmp
@@ -444,11 +555,11 @@
 /tmp/busybox sync
 /tmp/busybox echo b > /proc/sysrq-trigger
 EOF
-        chmod +x "$IMAGE_HOME/reflash.sh"
+    chmod +x "$IMAGE_HOME/reflash.sh"
 
-        # extract ROOT from /proc/cmdline
-        ROOT=$(sed -e 's/^.*root=//' -e 's/ .*$//' /proc/cmdline)
-        cat >/boot/grub/grub.cfg <<EOF
+    # extract ROOT from /proc/cmdline
+    ROOT=$(sed -e 's/^.*root=//' -e 's/ .*$//' /proc/cmdline)
+    cat >/boot/grub/grub.cfg <<EOF
 set default=0
 set timeout=2
 menuentry 'flash-all-snaps' {
@@ -458,14 +569,15 @@
 EOF
 }
 
-prepare_all_snap() {
+# prepare_ubuntu_core will prepare ubuntu-core 16 and 18
+prepare_ubuntu_core() {
     # we are still a "classic" image, prepare the surgery
     if [ -e /var/lib/dpkg/status ]; then
         setup_reflash_magic
         REBOOT
     fi
 
-    # verify after the first reboot that we are now in the all-snap world
+    # verify after the first reboot that we are now in core18 world
     if [ "$SPREAD_REBOOT" = 1 ]; then
         echo "Ensure we are now in an all-snap world"
         if [ -e /var/lib/dpkg/status ]; then
@@ -484,7 +596,7 @@
     echo "Ensure fundamental snaps are still present"
     # shellcheck source=tests/lib/names.sh
     . "$TESTSLIB/names.sh"
-    for name in "$gadget_name" "$kernel_name" core; do
+    for name in "$gadget_name" "$kernel_name" "$core_name"; do
         if ! snap list "$name"; then
             echo "Not all fundamental snaps are available, all-snap image not valid"
             echo "Currently installed snaps"
@@ -493,26 +605,32 @@
         fi
     done
 
+    echo "Ensure the snapd snap is available"
+    if is_core18_system; then
+        if ! snap list snapd; then
+            echo "snapd snap on core18 is missing"
+            snap list
+            exit 1
+        fi
+    fi
+
+    echo "Ensure rsync is available"
+    if ! command -v rsync; then
+        rsync_snap="test-snapd-rsync"
+        if is_core18_system; then
+            rsync_snap="test-snapd-rsync-core18"
+        fi
+        snap install --devmode "$rsync_snap"
+        snap alias "$rsync_snap".rsync rsync
+    fi
+
     disable_refreshes
     setup_systemd_snapd_overrides
 
     # Snapshot the fresh state (including boot/bootenv)
-    if [ ! -f "$SPREAD_PATH/snapd-state.tar.gz" ]; then
-        # we need to ensure that we also restore the boot environment
-        # fully for tests that break it
-        BOOT=""
-        if ls /boot/uboot/*; then
-            BOOT=/boot/uboot/
-        elif ls /boot/grub/*; then
-            BOOT=/boot/grub/
-        else
-            echo "Cannot determine bootdir in /boot:"
-            ls /boot
-            exit 1
-        fi
-
+    if ! is_snapd_state_saved; then
         systemctl stop snapd.service snapd.socket
-        tar cf "$SPREAD_PATH/snapd-state.tar.gz" /var/lib/snapd $BOOT /etc/systemd/system/snap-*core*.mount
+        save_snapd_state
         systemctl start snapd.socket
     fi
 
diff -Nru snapd-2.32.3.2~14.04/tests/lib/ramdisk.sh snapd-2.37~rc1~14.04/tests/lib/ramdisk.sh
--- snapd-2.32.3.2~14.04/tests/lib/ramdisk.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/ramdisk.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
-#!/bin/sh
+#!/bin/bash
+
 setup_ramdisk(){
     if [ ! -e /dev/ram0 ]; then
         mknod -m 660 /dev/ram0 b 1 0
diff -Nru snapd-2.32.3.2~14.04/tests/lib/reset.sh snapd-2.37~rc1~14.04/tests/lib/reset.sh
--- snapd-2.32.3.2~14.04/tests/lib/reset.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/reset.sh	2019-01-16 08:36:51.000000000 +0000
@@ -4,6 +4,15 @@
 
 # shellcheck source=tests/lib/dirs.sh
 . "$TESTSLIB/dirs.sh"
+# shellcheck source=tests/lib/state.sh
+. "$TESTSLIB/state.sh"
+
+
+# shellcheck source=tests/lib/systemd.sh
+. "$TESTSLIB/systemd.sh"
+
+#shellcheck source=tests/lib/systems.sh
+. "$TESTSLIB"/systems.sh
 
 reset_classic() {
     # Reload all service units as in some situations the unit might
@@ -18,17 +27,17 @@
             echo "snapd service or socket not active"
             exit 1
         fi
-        retries=$(( $retries - 1 ))
+        retries=$(( retries - 1 ))
         sleep 1
     done
 
-    systemctl stop snapd.service snapd.socket
+    systemd_stop_units snapd.service snapd.socket
 
     case "$SPREAD_SYSTEM" in
         ubuntu-*|debian-*)
             sh -x "${SPREAD_PATH}/debian/snapd.postrm" purge
             ;;
-        fedora-*|opensuse-*)
+        fedora-*|opensuse-*|arch-*|amazon-*|centos-*)
             # We don't know if snap-mgmt was built, so call the *.in file
             # directly and pass arguments that will override the placeholders
             sh -x "${SPREAD_PATH}/cmd/snap-mgmt/snap-mgmt.sh.in" \
@@ -39,6 +48,7 @@
             rm -rf /var/lib/snapd
             ;;
         *)
+            echo "don't know how to reset $SPREAD_SYSTEM"
             exit 1
             ;;
     esac
@@ -51,6 +61,15 @@
         exit 1
     fi
 
+    case "$SPREAD_SYSTEM" in
+        fedora-*|centos-*)
+            # On systems running SELinux we need to restore the context of the
+            # directories we just recreated. Otherwise, the entries created
+            # inside will be incorrectly labeled.
+            restorecon -F -v -R "$SNAP_MOUNT_DIR" /var/snap /var/lib/snapd
+            ;;
+    esac
+
     if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
         systemctl start snap.mount.service
     fi
@@ -59,15 +78,11 @@
     rm -f /tmp/core* /tmp/ubuntu-core*
 
     if [ "$1" = "--reuse-core" ]; then
-        # Purge all the systemd service units config
-        rm -rf /etc/systemd/system/snapd.service.d
-        rm -rf /etc/systemd/system/snapd.socket.d
-
         # Restore snapd state and start systemd service units
-        tar -C/ -xf "$SPREAD_PATH/snapd-state.tar.gz"
+        restore_snapd_state
         escaped_snap_mount_dir="$(systemd-escape --path "$SNAP_MOUNT_DIR")"
-        mounts="$(systemctl list-unit-files --full | grep "^$escaped_snap_mount_dir[-.].*\.mount" | cut -f1 -d ' ')"
-        services="$(systemctl list-unit-files --full | grep "^$escaped_snap_mount_dir[-.].*\.service" | cut -f1 -d ' ')"
+        mounts="$(systemctl list-unit-files --full | grep "^${escaped_snap_mount_dir}[-.].*\\.mount" | cut -f1 -d ' ')"
+        services="$(systemctl list-unit-files --full | grep "^${escaped_snap_mount_dir}[-.].*\\.service" | cut -f1 -d ' ')"
         systemctl daemon-reload # Workaround for http://paste.ubuntu.com/17735820/
         for unit in $mounts $services; do
             systemctl start "$unit"
@@ -75,17 +90,19 @@
 
         # force all profiles to be re-generated
         rm -f /var/lib/snapd/system-key
-     fi
+    fi
 
     if [ "$1" != "--keep-stopped" ]; then
         systemctl start snapd.socket
 
         # wait for snapd listening
         EXTRA_NC_ARGS="-q 1"
-        if [[ "$SPREAD_SYSTEM" = fedora-* ]]; then
-            EXTRA_NC_ARGS=""
-        fi
-        while ! printf "GET / HTTP/1.0\r\n\r\n" | nc -U $EXTRA_NC_ARGS /run/snapd.socket; do sleep 0.5; done
+        case "$SPREAD_SYSTEM" in
+            fedora-*|amazon-*|centos-*)
+                EXTRA_NC_ARGS=""
+                ;;
+        esac
+        while ! printf 'GET / HTTP/1.0\r\n\r\n' | nc -U $EXTRA_NC_ARGS /run/snapd.socket; do sleep 0.5; done
     fi
 }
 
@@ -94,39 +111,61 @@
     # shellcheck source=tests/lib/names.sh
     . "$TESTSLIB/names.sh"
 
+    remove_bases=""
+    # remove all app snaps first
     for snap in "$SNAP_MOUNT_DIR"/*; do
         snap="${snap:6}"
         case "$snap" in
-            "bin" | "$gadget_name" | "$kernel_name" | core | README)
+            "bin" | "$gadget_name" | "$kernel_name" | "$core_name" | "core" | "snapd" |README)
                 ;;
             *)
                 # make sure snapd is running before we attempt to remove snaps, in case a test stopped it
                 if ! systemctl status snapd.service snapd.socket; then
                     systemctl start snapd.service snapd.socket
                 fi
-                snap remove "$snap"
+                if ! echo "$SKIP_REMOVE_SNAPS" | grep -w "$snap"; then
+                    if snap info "$snap" | grep -E '^type: +(base|core)'; then
+                        remove_bases="$remove_bases $snap"
+                    else
+                        snap remove "$snap"
+                    fi
+                fi
                 ;;
         esac
     done
+    # remove all base/os snaps at the end
+    if [ -n "$remove_bases" ]; then
+        snap remove "$remove_bases"
+    fi
 
     # ensure we have the same state as initially
     systemctl stop snapd.service snapd.socket
-    rm -rf /var/lib/snapd/*
-    tar -C/ -xf "$SPREAD_PATH/snapd-state.tar.gz"
+    restore_snapd_state
     rm -rf /root/.snap
     if [ "$1" != "--keep-stopped" ]; then
         systemctl start snapd.service snapd.socket
     fi
 }
 
-if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+if is_core_system; then
     reset_all_snap "$@"
 else
     reset_classic "$@"
 fi
 
+# Discard all mount namespaces and active mount profiles.
+# This is duplicating logic in snap-discard-ns but it doesn't
+# support --all switch yet so we cannot use it.
+if [ -d /run/snapd/ns ]; then
+    for mnt in /run/snapd/ns/*.mnt; do
+        umount -l "$mnt" || true
+        rm -f "$mnt"
+    done
+    rm -f /run/snapd/ns/*.fstab
+fi
+
 if [ "$REMOTE_STORE" = staging ] && [ "$1" = "--store" ]; then
     # shellcheck source=tests/lib/store.sh
-    . $TESTSLIB/store.sh
+    . "$TESTSLIB"/store.sh
     teardown_staging_store
 fi
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/bin/chpasswd snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/bin/chpasswd
--- snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/bin/chpasswd	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/bin/chpasswd	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/sbin/chpasswd "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/bin/deluser snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/bin/deluser
--- snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/bin/deluser	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/bin/deluser	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/sbin/deluser "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/bin/useradd snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/bin/useradd
--- snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/bin/useradd	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/bin/useradd	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/sbin/useradd "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/account-control-consumer-core18/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/account-control-consumer-core18/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,16 @@
+name: account-control-consumer-core18
+version: 1.0
+summary: Basic account-control consumer snap
+description: A basic snap declaring a plug on a account-control slot
+base: core18
+
+apps:
+  useradd:
+    command: bin/useradd
+    plugs: [account-control]
+  deluser:
+    command: bin/deluser
+    plugs: [account-control]
+  chpasswd:
+    command: bin/chpasswd
+    plugs: [account-control]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-desktop/meta/gui/echo.desktop snapd-2.37~rc1~14.04/tests/lib/snaps/basic-desktop/meta/gui/echo.desktop
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-desktop/meta/gui/echo.desktop	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-desktop/meta/gui/echo.desktop	2019-01-16 08:36:51.000000000 +0000
@@ -5,6 +5,6 @@
 Icon=${SNAP}/meta/gui/icon.png
 Terminal=true
 Type=Application
-Categories=Utilities;Useless;
+Categories=Utilities;Useful;
 Keywords=echo;echo;
 StartupNotify=false
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-desktop/meta/gui/io.snapcraft.echoecho.desktop snapd-2.37~rc1~14.04/tests/lib/snaps/basic-desktop/meta/gui/io.snapcraft.echoecho.desktop
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-desktop/meta/gui/io.snapcraft.echoecho.desktop	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-desktop/meta/gui/io.snapcraft.echoecho.desktop	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=Echoecho
+Comment=It echos echos stuff
+Exec=basic-desktop.echo echo
+Icon=${SNAP}/meta/gui/icon.png
+Terminal=true
+Type=Application
+Categories=Utilities;Useful;
+Keywords=echo;echo;
+StartupNotify=false
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-desktop/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/basic-desktop/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-desktop/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-desktop/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,3 +4,5 @@
 apps:
  echo:
   command: bin/echo
+ echoecho:
+  command: bin/echo echo
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-hooks/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/basic-hooks/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-hooks/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-hooks/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,3 +4,8 @@
   TEST_SNAP: $SNAP
   TEST_COMMON: $SNAP_COMMON
   TEST_DATA: $SNAP_DATA
+
+hooks:
+  configure:
+    environment:
+      TEST_EXTRA: extra-stuff
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/configure snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/configure
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/configure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/configure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+# intentionally empty, needed to drive the tests via snapctl.
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-consumer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-consumer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-consumer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-consumer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+set -ue
+
+echo "Getting attributes from connect-plug-consumer hook"
+
+if ! output=$(snapctl get --slot :consumer producer-attr-1); then
+    echo "Expected connect-plug-consumer to be able to read the value of 'producer-attr-1' attribute of the slot"
+    exit 1
+fi
+expected_output="producer-value-1"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read 'before-connect' attribute of the slot
+if ! output=$(snapctl get --slot :consumer before-connect); then
+    echo "Expected connect-plug-consumer be able to read the value of the 'producer-attr-3' attribute of the slot"
+    exit 1
+fi
+expected_output="slot-changed(producer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read own 'consumer-attr-1' attribute
+if ! output=$(snapctl get :consumer consumer-attr-1); then
+    echo "Expected connect-plug-foo be able to read the value of own 'consumer-attr-1' attribute"
+    exit 1
+fi
+expected_output="consumer-value-1"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read own 'before-connect' attribute
+if ! output=$(snapctl get :consumer before-connect); then
+    echo "Expected connect-plug-consumer be able to read the value of own 'before-connect' attribute"
+    exit 1
+fi
+expected_output="plug-changed(consumer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Failure on unknown plug
+if snapctl get :unknown target; then
+    echo "Expected snapctl get to fail on unknown plug"
+    exit 1
+fi
+
+# Attributes cannot be set in connect- hooks
+if snapctl set :consumer consumer-attr-4=foo; then
+    echo "Expected snapctl set to fail when run from connect-plug hook"
+    exit 1
+fi
+
+output=$(snapctl get fail)
+if [ "$output" = "connect" ]; then
+    echo "Failing connect hook as requested"
+    exit 1
+fi
+
+touch "$SNAP_COMMON/connect-plug-consumer-done"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-foo snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-foo
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-foo	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/connect-plug-foo	1970-01-01 00:00:00.000000000 +0000
@@ -1,57 +0,0 @@
-#!/bin/sh
-
-echo "Getting attributes from connect-plug-foo hook"
-
-if ! output=$(snapctl get --slot :foo read); then
-    echo "Expected connect-plug-foo to be able to read the value of 'read' attribute of the slot"
-    exit 1
-fi
-
-PATTERN="read.:\s*.*?/etc"
-
-echo "$output" | grep -Pzq "$PATTERN"
-
-# Read 'newslotattribute' attribute of the slot
-if ! output=$(snapctl get --slot :foo newslotattribute); then
-    echo "Expected connect-plug-foo be able to read the value of the 'newslotattribute' attribute of the slot"
-    exit 1
-fi
-expected_output="bar"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Read 'target' attribute of the slot
-if ! output=$(snapctl get --slot :foo target); then
-    echo "Expected connect-plug-foo be able to read the value of the 'target' attribute of the slot"
-    exit 1
-fi
-expected_output="slottarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Read own 'target' attribute
-if ! output=$(snapctl get :foo target); then
-    echo "Expected connect-plug-foo be able to read the value of own 'target' attribute"
-    exit 1
-fi
-expected_output="plugtarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Failure on unknown plug
-if snapctl get :unknown target; then
-    echo "Expected snapctl get to fail on unknown plug"
-    exit 1
-fi
-
-# Attributes cannot be set in connect- hooks
-if snapctl set :foo target=slottarget; then
-    echo "Expected snapctl set to fail when run from connect-plug hook"
-    exit 1
-fi
\ No newline at end of file
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/disconnect-plug-consumer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/disconnect-plug-consumer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/disconnect-plug-consumer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/disconnect-plug-consumer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -x
+
+echo "Getting attributes from disconnect-plug-consumer hook"
+
+if ! output=$(snapctl get --slot :consumer producer-attr-1); then
+    echo "Expected disconnect-plug-consumer to be able to read the value of 'producer-attr-1' attribute of the slot"
+    exit 1
+fi
+expected_output="producer-value-1"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read 'before-connect' attribute of the slot
+if ! output=$(snapctl get --slot :consumer before-connect); then
+    echo "Expected disconnect-plug-consumer be able to read the value of the 'before-connect' attribute of the slot"
+    exit 1
+fi
+expected_output="slot-changed(producer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read own 'consumer-attr-1' attribute
+if ! output=$(snapctl get :consumer consumer-attr-1); then
+    echo "Expected connect-plug-foo be able to read the value of own 'consumer-attr-1' attribute"
+    exit 1
+fi
+expected_output="consumer-value-1"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read own 'before-connect' attribute
+if ! output=$(snapctl get :consumer before-connect); then
+    echo "Expected disconnect-plug-consumer be able to read the value of own 'before-connect' attribute"
+    exit 1
+fi
+expected_output="plug-changed(consumer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Failure on unknown plug
+if snapctl get :unknown target; then
+    echo "Expected snapctl get to fail on unknown plug"
+    exit 1
+fi
+
+# Attributes cannot be set in connect- or disconnect- hooks
+if snapctl set :consumer consumer-attr-4=foo; then
+    echo "Expected snapctl set to fail when run from connect-plug or disconnect-plug hook"
+    exit 1
+fi
+
+touch "$SNAP_COMMON/disconnect-plug-consumer-done"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-consumer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-consumer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-consumer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-consumer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+set -ue
+
+echo "Setting and getting attribute value from prepare-plug-consumer hook"
+
+# Read the value of static 'consumer-attr-1' attribute
+if ! output=$(snapctl get :consumer consumer-attr-1); then
+    echo "Expected snapctl get to be able to read the value of own 'consumer-attr1' attribute"
+    exit 1
+fi
+expected_output="consumer-value-1"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Set a dynamic attribute.
+if ! snapctl set :consumer before-connect=consumer-value; then
+    echo "Expected snapctl set to be able to set the value of own 'before-connect' attribute"
+    exit 1
+fi
+
+# Read dynamic attribute
+if ! output=$(snapctl get :consumer before-connect); then
+    echo "Expected snapctl get to be able to read the value of own dynamic attribute"
+    exit 1
+fi
+expected_output="consumer-value"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Count executions of the hook using snap config; store exec-count in the config and in the dynamic attribute of the interface
+count=$(snapctl get exec-count)
+count=$((count + 1))
+snapctl set "exec-count=$count"
+snapctl set :consumer "exec-count=$count"
+
+touch "$SNAP_COMMON/prepare-plug-consumer-done"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-foo snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-foo
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-foo	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/prepare-plug-foo	1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-echo "Setting and getting attribute value from prepare-plug-foo hook"
-
-# Read the initial value of 'target' attribute
-if ! output=$(snapctl get :foo target); then
-    echo "Expected snapctl get to be able to read the value of own 'target' attribute"
-    exit 1
-fi
-expected_output="initialtarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Set own 'target' attribute.
-if ! snapctl set :foo target=plugtarget; then
-    echo "Expected snapctl set to be able to set the value of own 'target' attribute"
-    exit 1
-fi
-
-# Read own 'target' attribute
-if ! output=$(snapctl get :foo target); then
-    echo "Expected snapctl get to be able to read the value of own 'target' attribute"
-    exit 1
-fi
-expected_output="plugtarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Create (set) a completely new attribute
-if ! snapctl set :foo newplugattribute=foo; then
-    echo "Expected prepare-plug-foo hook to be able to create a new attribte"
-fi
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/unprepare-plug-consumer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/unprepare-plug-consumer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/unprepare-plug-consumer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/hooks/unprepare-plug-consumer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# Read own 'before-connect' attribute
+output=$(snapctl get :consumer before-connect)
+echo "$output" > "$SNAP_COMMON/unprepare-plug-consumer-done"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-consumer/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 name: basic-iface-hooks-consumer
 version: 1.0
 plugs:
-    foo:
-        interface: content
-        target: initialtarget
-        content: xyz
+    consumer:
+        interface: dummy
+        consumer-attr-1: consumer-value-1
+        consumer-attr-2: consumer-value-2
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/configure snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/configure
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/configure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/configure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+#!/bin/sh
\ No newline at end of file
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-bar snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-bar
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-bar	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-bar	1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-#!/bin/sh
-
-echo "Getting attributes from connect-slot-bar hook"
-
-# Read 'newplugattribute' attribute of the plug
-if ! output=$(snapctl get --plug :bar newplugattribute); then
-    echo "Expected connect-plug-foo be able to read the value of the 'newplugattribute' attribute of the plug"
-    exit 1
-fi
-expected_output="foo"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Read own 'target' attribute
-if ! output=$(snapctl get :bar target); then
-    echo "Expected connect-slot-bar to be able to read the value of own 'target' attribute"
-    exit 1
-fi
-expected_output="slottarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Read 'target' attribute of the plug
-if ! output=$(snapctl get --plug :bar target); then
-    echo "Expected connect-slot-bar to be able to read the value of 'target' attribute of the plug"
-    exit 1
-fi
-expected_output="plugtarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Failure on unknown slot
-if snapctl get :unknown target; then
-    echo "Expected snapctl get to fail on unknown slot"
-    exit 1
-fi
-
-# Attributes cannot be set in connect- hooks
-if snapctl set :bar target=slottarget; then
-    echo "Expected snapctl set to fail when run from connect-slot hook"
-    exit 1
-fi
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-producer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-producer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-producer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/connect-slot-producer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+set -ue
+
+echo "Getting attributes from connect-slot-producer hook"
+
+# Read 'consumer-attr-1' attribute of the plug
+if ! output=$(snapctl get --plug :producer consumer-attr-1); then
+    echo "Expected connect-slot-producer be able to read the value of the 'consumer-attr-3' attribute of the plug"
+    exit 1
+fi
+expected_output="consumer-value-1"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read own 'before-connect' attribute
+if ! output=$(snapctl get :producer before-connect); then
+    echo "Expected connect-slot-producer to be able to read the value of own 'before-connect' attribute"
+    exit 1
+fi
+expected_output="slot-changed(producer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read 'before-connect' attribute of the plug
+if ! output=$(snapctl get --plug :producer before-connect); then
+    echo "Expected connect-slot-producer to be able to read the value of 'before-connect' attribute of the plug"
+    exit 1
+fi
+expected_output="plug-changed(consumer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Failure on unknown slot
+if snapctl get :unknown consumer-attr-1; then
+    echo "Expected snapctl get to fail on unknown slot"
+    exit 1
+fi
+
+# Attributes cannot be set in connect- hooks
+if snapctl set :producer consumer-attr-4=foo; then
+    echo "Expected snapctl set to fail when run from connect-slot hook"
+    exit 1
+fi
+
+touch "$SNAP_COMMON/connect-slot-producer-done"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/disconnect-slot-producer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/disconnect-slot-producer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/disconnect-slot-producer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/disconnect-slot-producer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+#!/bin/sh
+set -x
+
+echo "Getting attributes from disconnect-slot-producer hook"
+
+# Read 'consumer-attr-1' attribute of the plug
+if ! output=$(snapctl get --plug :producer consumer-attr-1); then
+    echo "Expected disconnect-slot-producer be able to read the value of the 'consumer-attr-1' attribute of the plug"
+    exit 1
+fi
+expected_output="consumer-value-1"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read own 'before-connect' attribute
+if ! output=$(snapctl get :producer before-connect); then
+    echo "Expected disconnect-slot-producer to be able to read the value of own 'before-connect' attribute"
+    exit 1
+fi
+expected_output="slot-changed(producer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read 'before-connect' attribute of the plug
+if ! output=$(snapctl get --plug :producer before-connect); then
+    echo "Expected disconnect-slot-producer to be able to read the value of 'before-connect' attribute of the plug"
+    exit 1
+fi
+expected_output="plug-changed(consumer-value)"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Failure on unknown slot
+if snapctl get :unknown consumer-attr-1; then
+    echo "Expected snapctl get to fail on unknown slot"
+    exit 1
+fi
+
+# Attributes cannot be set in connect- or disconnect- hooks
+if snapctl set :producer consumer-attr-4=foo; then
+    echo "Expected snapctl set to fail when run from connect-slot or disconnect-slot hook"
+    exit 1
+fi
+
+touch "$SNAP_COMMON/disconnect-slot-producer-done"
+
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-bar snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-bar
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-bar	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-bar	1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-echo "Getting and setting attribute value from prepare-slot-bar hook"
-
-# Set own (slot's) 'target' attribute
-if ! snapctl set :bar target=slottarget; then
-    echo "Expected prepare-slot-bar hook to be able to set the value of 'target' attribute"
-    exit 1
-fi
-
-# Read own 'target' attribute
-if ! output=$(snapctl get :bar target); then
-    echo "Expected prepare-slot-bar hook to be able to read the value of own 'target' attribute"
-    exit 1
-fi
-expected_output="slottarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Read attribute of the plug set by prepare-plug- hook
-if ! output=$(snapctl get --plug :bar target); then
-    echo "Expected prepare-slot-bar hook to be able to read the value of 'target' attribute of the plug"
-    exit 1
-fi
-expected_output="plugtarget"
-if [ "$output" != "$expected_output" ]; then
-    echo "Expected output to be '$expected_output', but it was '$output'"
-    exit 1
-fi
-
-# Create (set) a completely new attribute
-if ! snapctl set :bar newslotattribute=bar; then
-    echo "Expected prepare-slot-bar hook to be able to create a new attribute"
-fi
\ No newline at end of file
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-producer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-producer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-producer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/prepare-slot-producer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -ue
+
+echo "Getting and setting attribute value from prepare-slot-producer hook"
+
+# Set own (slot's) attribute
+if ! snapctl set :producer before-connect=producer-value; then
+    echo "Expected prepare-slot-producer hook to be able to set the value of 'before-connect' attribute"
+    exit 1
+fi
+
+# Read own 'before-connect' attribute
+if ! output=$(snapctl get :producer before-connect); then
+    echo "Expected prepare-slot-producer hook to be able to read the value of own 'before-connect' attribute"
+    exit 1
+fi
+expected_output="producer-value"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+# Read attribute of the plug set by prepare-plug- hook
+if ! output=$(snapctl get --plug :producer before-connect); then
+    echo "Expected prepare-slot-producer hook to be able to read the value of 'before-connect' attribute of the plug"
+    exit 1
+fi
+expected_output="consumer-value"
+if [ "$output" != "$expected_output" ]; then
+    echo "Expected output to be '$expected_output', but it was '$output'"
+    exit 1
+fi
+
+touch "$SNAP_COMMON/prepare-slot-producer-done"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/unprepare-slot-producer snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/unprepare-slot-producer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/unprepare-slot-producer	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/hooks/unprepare-slot-producer	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+touch "$SNAP_COMMON/unprepare-slot-producer-done"
\ No newline at end of file
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/basic-iface-hooks-producer/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,8 +1,8 @@
 name: basic-iface-hooks-producer
 version: 1.0
 slots:
-    bar:
-        interface: content
-        content: abc
-        read:
-            - $SNAP/etc
\ No newline at end of file
+    producer:
+        interface: dummy
+        producer-attr-1: producer-value-1
+        producer-attr-2: producer-value-2
+        producer-num-1: 1
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/chain1 snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/chain1
--- snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/chain1	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/chain1	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+export CHAIN_1_RAN=1
+printf "chain1 "
+printf "chain1 " > "$SNAP_DATA/breadcrumb"
+exec "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/chain2 snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/chain2
--- snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/chain2	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/chain2	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+export CHAIN_2_RAN=1
+printf "chain2 "
+printf "chain2 " >> "$SNAP_DATA/breadcrumb"
+exec "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/hello snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/hello
--- snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/hello	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/hello	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "hello"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/meta/hooks/configure snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/meta/hooks/configure
--- snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/meta/hooks/configure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/meta/hooks/configure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+env > "$SNAP_DATA/env"
+printf "configure" >> "$SNAP_DATA/breadcrumb"
Binary files /tmp/tmpLYQvtJ/X5YHf4eBTA/snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/meta/icon.png and /tmp/tmpLYQvtJ/MitOjr4n0s/snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/meta/icon.png differ
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/command-chain/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/command-chain/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,13 @@
+name: command-chain
+version: 1.0
+summary: Command chain snap
+description: A buildable snap that uses command chain
+
+apps:
+  hello:
+    command: hello
+    command-chain: [chain1, chain2]
+
+hooks:
+  configure:
+    command-chain: [chain1, chain2]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,2 +1,7 @@
 name: config-versions
 version: 1.0
+
+apps:
+  sh:
+    command: bin/sh
+    plugs: [home]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions-v2/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions-v2/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions-v2/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions-v2/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions-v2/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions-v2/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/config-versions-v2/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/config-versions-v2/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,2 +1,7 @@
 name: config-versions
 version: 2.0
+
+apps:
+  sh:
+    command: bin/sh
+    plugs: [home]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/network-observe-consumer/bin/consumer snapd-2.37~rc1~14.04/tests/lib/snaps/network-observe-consumer/bin/consumer
--- snapd-2.32.3.2~14.04/tests/lib/snaps/network-observe-consumer/bin/consumer	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/network-observe-consumer/bin/consumer	2019-01-16 08:36:51.000000000 +0000
@@ -4,7 +4,7 @@
 import sys
 
 def run():
-    subprocess.check_call("netstat -lnt", shell=True)
+    subprocess.check_call("ss -lnt", shell=True)
 
 if __name__ == '__main__':
     sys.exit(run())
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-get snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-get
--- snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-get	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-get	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+snapctl get "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-set snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-set
--- snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-set	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/bin/snapctl-set	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+snapctl set "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/hooks/configure snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/hooks/configure
--- snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/hooks/configure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/hooks/configure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+snapctl set foo=bar
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/snapctl-from-snap-core18/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,8 @@
+name: snapctl-from-snap-core18
+version: 1.0
+base: core18
+apps:
+    snapctl-get:
+        command: bin/snapctl-get
+    snapctl-set:
+        command: bin/snapctl-set
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/snap-hooks/meta/hooks/remove snapd-2.37~rc1~14.04/tests/lib/snaps/snap-hooks/meta/hooks/remove
--- snapd-2.32.3.2~14.04/tests/lib/snaps/snap-hooks/meta/hooks/remove	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/snap-hooks/meta/hooks/remove	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,5 @@
 #!/bin/sh
 
 RETVAL=$(snapctl get exitcode)
-echo "$RETVAL" > /root/remove-hook-executed
+echo "$RETVAL" > "$SNAP_USER_COMMON/remove-hook-executed"
 exit "$RETVAL"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/snap-store/bin/snap-store snapd-2.37~rc1~14.04/tests/lib/snaps/snap-store/bin/snap-store
--- snapd-2.32.3.2~14.04/tests/lib/snaps/snap-store/bin/snap-store	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/snap-store/bin/snap-store	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo "Fake snap got $1"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/snap-store/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/snap-store/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/snap-store/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/snap-store/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,8 @@
+name: snap-store
+version: 1.0
+summary: Fake snap-store
+description: A fake snap-store snap to test the snap URI handler
+
+apps:
+    snap-store:
+        command: bin/snap-store
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-dev snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-dev
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-dev	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-dev	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+#!/bin/sh -eu
+
+device="$1"
+dd if="/dev/$device" of=/dev/null count=10
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-fb snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-fb
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-fb	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-fb	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-cat /dev/fb0
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-kmsg snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-kmsg
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-kmsg	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/bin/read-kmsg	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-head -1 /dev/kmsg
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-devmode-cgroup/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-devmode-cgroup/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -6,9 +6,6 @@
 confinement: devmode
 
 apps:
-  read-fb:
-    command: bin/read-fb
-    plugs: [framebuffer]
-  read-kmsg:
-    command: bin/read-kmsg
+  read-dev:
+    command: bin/read-dev
     plugs: [framebuffer]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-adb-support/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-adb-support/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-adb-support/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-adb-support/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-adb-support/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-adb-support/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-adb-support/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-adb-support/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,7 @@
+name: test-snapd-adb-support
+summary: A non-functional test snap for testing aspects of adb-support interface
+version: 1.0
+apps:
+    sh:
+        command: bin/sh
+        plugs: [adb-support]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-after-before-service/bin/start snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-after-before-service/bin/start
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-after-before-service/bin/start	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-after-before-service/bin/start	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,10 @@
 #!/bin/sh
 
+echo "before notify"
+sleep 5
+echo "notify ready"
+systemd-notify --ready
+
 while true; do
     echo "running"
     sleep 10
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-after-before-service/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-after-before-service/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-after-before-service/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-after-before-service/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,14 +3,17 @@
 apps:
   before-middle:
     command: bin/start
-    daemon: simple
+    daemon: notify
     before:
       - middle
+    plugs: [daemon-notify]
   middle:
     command: bin/start
-    daemon: simple
+    daemon: notify
+    plugs: [daemon-notify]
   after-middle:
     command: bin/start
-    daemon: simple
+    daemon: notify
     after:
       - middle
+    plugs: [daemon-notify]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-appstreamid/bin/run snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-appstreamid/bin/run
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-appstreamid/bin/run	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-appstreamid/bin/run	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-appstreamid/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-appstreamid/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-appstreamid/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-appstreamid/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,14 @@
+name: test-snapd-appstreamid
+version: 1.1
+architectures: ["all"]
+summary: Snap for testing snapd AppStream ID support
+
+apps:
+  foo:
+   command: bin/run
+   common-id: io.snapcraft.test-snapd-appstreamid.foo
+  bar:
+   command: bin/run
+   common-id: io.snapcraft.test-snapd-appstreamid.bar
+  baz:
+   command: bin/run
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-broadcom-asic-control/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-broadcom-asic-control/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-broadcom-asic-control/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-broadcom-asic-control/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-name: test-snapd-broadcom-asic-control
-version: 1.0
-summary: Basic broadcom-asic-control snap
-description: A basic snap which allow access to broadcom asic kernel module
-
-apps:
-  sh:
-    command: ../../../bin/sh
-    plugs: [broadcom-asic-control]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-dir snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-dir
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-dir	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-dir	1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-if [ "$#" -ne 1 ]; then
-    echo "Illegal number of parameters"
-    exit 1
-fi
-
-dir="$1"
-if [ ! -d "$dir" ]; then
-    echo "Directory does not exist"
-    exit 1
-fi
-
-ls "$dir"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-file snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-file
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-file	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/read-file	1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-if [ "$#" -ne 1 ]; then
-    echo "Illegal number of parameters"
-    exit 1
-fi
-
-file="$1"
-if [ ! -f "$file" ]; then
-    echo "File does not exist"
-    exit 1
-fi
-
-cat "$file"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-dir snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-dir
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-dir	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-dir	1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-if [ "$#" -ne 1 ]; then
-    echo "Illegal number of parameters"
-    exit 1
-fi
-
-dir="$1"
-if [ ! -d "$dir" ]; then
-    echo "Directory does not exist"
-    exit 1
-fi
-
-filename=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 ; echo '')
-file=$(echo "$dir/$filename" | sed 's/\/\//\//g')
-
-touch "$file" || exit 1
-
-echo "File created $file, now deleting..."
-rm -f "$file"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-file snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-file
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-file	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/bin/write-file	1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-if [ "$#" -ne 1 ]; then
-    echo "Illegal number of parameters"
-    exit 1
-fi
-
-file="$1"
-if [ ! -f "$file" ]; then
-    echo "File does not exist"
-    exit 1
-fi
-
-sed -i 's/ / /g' "$file"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-check-fs-access/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-check-fs-access/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,18 +0,0 @@
-name: test-snapd-check-fs-access
-version: 1.0
-summary: Basic snap to check access to file system
-description: A basic snap to check access to file system
-
-apps:
-    read-file:
-        command: bin/read-file
-        plugs: [] #read-file
-    read-dir:
-        command: bin/read-dir
-        plugs: [] #read-dir
-    write-file:
-        command: bin/write-file
-        plugs: [] #write-file
-    write-dir:
-        command: bin/write-dir
-        plugs: [] #write-dir
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-complexion/bin/test-snapd-complexion snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-complexion/bin/test-snapd-complexion
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-complexion/bin/test-snapd-complexion	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-complexion/bin/test-snapd-complexion	2019-01-16 08:36:51.000000000 +0000
@@ -2,6 +2,6 @@
 echo "Greetings from inside ${SNAP:?}."
 if [ "$#" -gt "0" ]; then
     echo "Arguments given:"
-    printf "> %q\n" "$@"
+    printf '> %q\n' "$@"
 fi
 echo "That is all. Have a nice day."
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-plug/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,7 @@
 version: 1.0
 apps:
     sh:
-        command: ../../../bin/sh
+        command: bin/sh
 plugs:
     # NOTE: The following content interface relies on the fact that when
     # content interface attribute "content" is not provided it defaults to the
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-advanced-slot/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,7 @@
 version: 1.0
 apps:
     sh:
-        command: ../../../bin/sh
+        command: bin/sh
 slots:
     data:
         interface: content
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-plug/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,7 @@
 version: 1.0
 apps:
     sh:
-        command: ../../../bin/sh
+        command: bin/sh
 plugs:
     # NOTE: The following content interface relies on the fact that when
     # content interface attribute "content" is not provided it defaults to the
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-content-mimic-slot/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,7 @@
 version: 1.0
 apps:
     sh:
-        command: ../../../bin/sh
+        command: bin/sh
 slots:
     content:
         interface: content
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-daemon-notify/bin/notify snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-daemon-notify/bin/notify
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-daemon-notify/bin/notify	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-daemon-notify/bin/notify	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+systemd-notify --ready --status="Test service ready" || true
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-daemon-notify/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-daemon-notify/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-daemon-notify/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-daemon-notify/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,10 @@
+name: test-snapd-daemon-notify
+version: 1.0
+summary: Basic daemon-notify snap
+description: A basic snap which allow sending notification messages to systemd through the notify socket
+
+apps:
+  notify:
+    command: bin/notify
+    plugs: [daemon-notify]
+    daemon: simple
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/calendar.c snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/calendar.c
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/calendar.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/calendar.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,201 @@
+#include <stdio.h>
+#include <string.h>
+
+#include <glib.h>
+#include <libecal/libecal.h>
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(ECalClient, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(ECalComponent, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(ESource, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(ESourceRegistry, g_object_unref)
+
+
+struct open_data {
+    GMainLoop *main_loop;
+    const char *source_id;
+    GError **error;
+    ECalClient **calendar;
+    gboolean should_quit;
+};
+
+static void
+source_added(ESourceRegistry *registry, ESource *source, gpointer user_data)
+{
+    struct open_data *data = user_data;
+
+    // Ignore sources with the wrong ID
+    if (g_strcmp0(e_source_get_uid(source), data->source_id) != 0)
+        return;
+
+    *data->calendar = (ECalClient*)e_cal_client_connect_sync(
+        source, E_CAL_CLIENT_SOURCE_TYPE_EVENTS, 30, NULL, data->error);
+
+    if (data->should_quit)
+        g_main_loop_quit(data->main_loop);
+}
+
+static gboolean
+source_added_timeout(gpointer user_data)
+{
+    struct open_data *data = user_data;
+
+    g_set_error_literal(data->error, G_IO_ERROR, G_IO_ERROR_TIMED_OUT,
+        "Timed out while waiting for ESource creation from the registry");
+
+    if (data->should_quit)
+        g_main_loop_quit(data->main_loop);
+    // open_or_create removes us
+    return G_SOURCE_CONTINUE;
+}
+
+static ECalClient *
+open_or_create (ESourceRegistry *registry, const char *source_id,
+                GError **error)
+{
+    g_autoptr(GMainLoop) main_loop = NULL;
+    g_autoptr(ECalClient) calendar = NULL;
+    g_autoptr(ESource) scratch = NULL;
+    g_autoptr(GError) commit_error = NULL;
+
+    main_loop = g_main_loop_new (NULL, FALSE);
+    // Listen to registry for added sources
+    struct open_data data = {
+        .main_loop = main_loop,
+        .source_id = source_id,
+        .error = error,
+        .calendar = &calendar,
+        .should_quit = FALSE,
+    };
+    guint source_added_id = g_signal_connect(registry, "source-added",
+                                             G_CALLBACK(source_added), &data);
+
+    // Create a new local calendar with the desired source ID
+    scratch = e_source_new_with_uid(source_id, NULL, error);
+    if (!scratch)
+        goto end;
+    e_source_set_display_name(scratch, source_id);
+    ESourceBackend *backend = e_source_get_extension(
+        scratch, E_SOURCE_EXTENSION_CALENDAR);
+    e_source_backend_set_backend_name(backend, "local");
+
+    // Try to commit the new source to the registry, which will fail
+    // if it already exists
+    if (!e_source_registry_commit_source_sync(
+            registry, scratch, NULL, &commit_error)) {
+        if (g_error_matches(commit_error, G_IO_ERROR, G_IO_ERROR_EXISTS)) {
+            g_autoptr(ESource) source = e_source_registry_ref_source(
+                registry, source_id);
+            source_added(registry, source, &data);
+        } else {
+            g_propagate_error(error, commit_error);
+            commit_error = NULL;
+            goto end;
+        }
+    }
+
+    // If we don't have the calendar at this point, wait on the
+    // source-added signal for it to be created.  Set a timer so we
+    // don't wait forever.
+    if (!calendar) {
+        guint timeout_id = g_timeout_add_seconds(
+            20, source_added_timeout, &data);
+        data.should_quit = TRUE;
+        g_main_loop_run (main_loop);
+        g_source_remove(timeout_id);
+    }
+
+end:
+    if (source_added_id) {
+        g_signal_handler_disconnect(registry, source_added_id);
+    }
+    return g_steal_pointer(&calendar);
+}
+
+static gboolean
+load_event_from_stdin(ECalClient *calendar, GError **error)
+{
+    g_autoptr(GString) ics_data = g_string_new(NULL);
+    char buffer[4092];
+    size_t n_read = fread(buffer, 1, sizeof(buffer), stdin);
+    while (n_read > 0) {
+        g_string_append_len(ics_data, buffer, n_read);
+        n_read = fread(buffer, 1, sizeof(buffer), stdin);
+    }
+
+    g_autoptr(ECalComponent) component = e_cal_component_new_from_string(ics_data->str);
+    if (!component) {
+        g_set_error_literal(error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA,
+                            "could not parse iCalendar data");
+        return FALSE;
+    }
+
+    return e_cal_client_create_object_sync(
+        calendar, e_cal_component_get_icalcomponent(component), NULL,
+        NULL, error);
+}
+
+static gboolean
+list_events(ECalClient *calendar, GError **error)
+{
+    GSList *results = NULL;
+    if (!e_cal_client_get_object_list_as_comps_sync(calendar, "#t", &results,
+                                                    NULL, error)) {
+        return FALSE;
+    }
+
+    const GSList *l;
+    for (l = results; l != NULL; l = l->next) {
+        ECalComponent *component = l->data;
+        g_autofree char *ical = e_cal_component_get_as_string(component);
+        g_print("%s\n", ical);
+    }
+    e_cal_client_free_icalcomp_slist(results);
+    return TRUE;
+}
+
+static gboolean
+remove_calendar(ECalClient *calendar, GError **error)
+{
+    return e_client_remove_sync(E_CLIENT(calendar), NULL, error);
+}
+
+int main(int argc, char **argv)
+{
+    g_autoptr(GError) error = NULL;
+    g_autoptr(ESourceRegistry) registry = NULL;
+    g_autoptr(ECalClient) calendar = NULL;
+
+    if (argc != 3 || !(!strcmp(argv[1], "load") ||
+                       !strcmp(argv[1], "list") ||
+                       !strcmp(argv[1], "remove"))) {
+        g_printerr("usage: calendar {load|list|remove} CALENDAR-ID\n");
+        return 1;
+    }
+
+    // Connect to the EDS registry service
+    registry = e_source_registry_new_sync(NULL, &error);
+    if (!registry) {
+        goto end;
+    }
+
+    calendar = open_or_create(registry, argv[2], &error);
+    if (!calendar) {
+        goto end;
+    }
+
+    if (!strcmp(argv[1], "load")) {
+        load_event_from_stdin(calendar, &error);
+    } else if (!strcmp(argv[1], "list")) {
+        list_events(calendar, &error);
+    } else if (!strcmp(argv[1], "remove")) {
+        remove_calendar(calendar, &error);
+    }
+
+end:
+    if (error) {
+        g_printerr("error: %s[%d] %s\n", g_quark_to_string(error->domain),
+                   error->code, error->message);
+        return 1;
+    }
+    return 0;
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/contacts.c snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/contacts.c
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/contacts.c	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/contacts.c	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,222 @@
+#include <stdio.h>
+#include <string.h>
+
+#include <glib.h>
+#include <libebook/libebook.h>
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(EBookClient, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(EBookClientCursor, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(ESource, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(ESourceRegistry, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(EContact, g_object_unref)
+
+
+struct open_data {
+    GMainLoop *main_loop;
+    const char *source_id;
+    GError **error;
+    EBookClient **address_book;
+    gboolean should_quit;
+};
+
+static void
+source_added(ESourceRegistry *registry, ESource *source, gpointer user_data)
+{
+    struct open_data *data = user_data;
+
+    // Ignore sources with the wrong ID
+    if (g_strcmp0(e_source_get_uid(source), data->source_id) != 0)
+        return;
+
+    *data->address_book = (EBookClient*)e_book_client_connect_sync(
+        source, 30, NULL, data->error);
+
+    if (data->should_quit)
+        g_main_loop_quit(data->main_loop);
+}
+
+static gboolean
+source_added_timeout(gpointer user_data)
+{
+    struct open_data *data = user_data;
+
+    g_set_error_literal(data->error, G_IO_ERROR, G_IO_ERROR_TIMED_OUT,
+        "Timed out while waiting for ESource creation from the registry");
+
+    if (data->should_quit)
+        g_main_loop_quit(data->main_loop);
+    // open_or_create removes us
+    return G_SOURCE_CONTINUE;
+}
+
+static EBookClient *
+open_or_create (ESourceRegistry *registry, const char *source_id,
+                GError **error)
+{
+    g_autoptr(GMainLoop) main_loop = NULL;
+    g_autoptr(EBookClient) address_book = NULL;
+    g_autoptr(ESource) scratch = NULL;
+    g_autoptr(GError) commit_error = NULL;
+
+    main_loop = g_main_loop_new (NULL, FALSE);
+    // Listen to registry for added sources
+    struct open_data data = {
+        .main_loop = main_loop,
+        .source_id = source_id,
+        .error = error,
+        .address_book = &address_book,
+        .should_quit = FALSE,
+    };
+    guint source_added_id = g_signal_connect(registry, "source-added",
+                                             G_CALLBACK(source_added), &data);
+
+    // Create a new local address book with the desired source ID
+    scratch = e_source_new_with_uid(source_id, NULL, error);
+    if (!scratch)
+        goto end;
+    e_source_set_display_name(scratch, source_id);
+    ESourceBackend *backend = e_source_get_extension(
+        scratch, E_SOURCE_EXTENSION_ADDRESS_BOOK);
+    e_source_backend_set_backend_name(backend, "local");
+
+    // Try to commit the new source to the registry, which will fail
+    // if it already exists
+    if (!e_source_registry_commit_source_sync(
+            registry, scratch, NULL, &commit_error)) {
+        if (g_error_matches(commit_error, G_IO_ERROR, G_IO_ERROR_EXISTS)) {
+            g_autoptr(ESource) source = e_source_registry_ref_source(
+                registry, source_id);
+            source_added(registry, source, &data);
+        } else {
+            g_propagate_error(error, commit_error);
+            commit_error = NULL;
+            goto end;
+        }
+    }
+
+    // If we don't have the address book at this point, wait on the
+    // source-added signal for it to be created.  Set a timer so we
+    // don't wait forever.
+    if (!address_book) {
+        guint timeout_id = g_timeout_add_seconds(
+            20, source_added_timeout, &data);
+        data.should_quit = TRUE;
+        g_main_loop_run (main_loop);
+        g_source_remove(timeout_id);
+    }
+
+end:
+    if (source_added_id) {
+        g_signal_handler_disconnect(registry, source_added_id);
+    }
+    return g_steal_pointer(&address_book);
+}
+
+static gboolean
+load_contact_from_stdin(EBookClient *address_book, GError **error)
+{
+    g_autoptr(GString) vcard_data = g_string_new(NULL);
+    char buffer[4092];
+    size_t n_read = fread(buffer, 1, sizeof(buffer), stdin);
+    while (n_read > 0) {
+        g_string_append_len(vcard_data, buffer, n_read);
+        n_read = fread(buffer, 1, sizeof(buffer), stdin);
+    }
+
+    g_autoptr(EContact) contact = e_contact_new_from_vcard(vcard_data->str);
+    if (!contact) {
+        g_set_error_literal(error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA,
+                            "could not parse vcard");
+        return FALSE;
+    }
+
+    return e_book_client_add_contact_sync(
+        address_book, contact, NULL, NULL, error);
+}
+
+static gboolean
+list_contacts(EBookClient *address_book, GError **error)
+{
+    EContactField sort_fields[] = { E_CONTACT_FAMILY_NAME, E_CONTACT_GIVEN_NAME };
+    EBookCursorSortType sort_types[] = { E_BOOK_CURSOR_SORT_ASCENDING, E_BOOK_CURSOR_SORT_ASCENDING };
+    g_autoptr(EBookClientCursor) cursor = NULL;
+
+    if (!e_book_client_get_cursor_sync(
+            address_book, NULL,
+            sort_fields, sort_types, G_N_ELEMENTS(sort_fields),
+            &cursor, NULL, error)) {
+        return FALSE;
+    }
+
+    int n_fetched = 0;
+    const int chunk_size = 100;
+    do {
+        GSList *results = NULL;
+
+        n_fetched = e_book_client_cursor_step_sync(
+            cursor, E_BOOK_CURSOR_STEP_FETCH | E_BOOK_CURSOR_STEP_MOVE, E_BOOK_CURSOR_ORIGIN_CURRENT,
+            chunk_size, &results, NULL, error);
+        if (n_fetched < 0) {
+            return FALSE;
+        }
+
+        const GSList *l;
+        for (l = results; l != NULL; l = l->next) {
+            EContact *contact = l->data;
+            g_autofree char *vcard = e_vcard_to_string (
+                E_VCARD(contact), EVC_FORMAT_VCARD_30);
+
+            g_print("%s\n", vcard);
+        }
+        g_slist_free_full(results, (GDestroyNotify)g_object_unref);
+    } while (n_fetched >= chunk_size);
+
+    return TRUE;
+}
+
+static gboolean
+remove_address_book(EBookClient *address_book, GError **error)
+{
+    return e_client_remove_sync(E_CLIENT(address_book), NULL, error);
+}
+
+int main(int argc, char **argv)
+{
+    g_autoptr(GError) error = NULL;
+    g_autoptr(ESourceRegistry) registry = NULL;
+    g_autoptr(EBookClient) address_book = NULL;
+
+    if (argc != 3 || !(!strcmp(argv[1], "load") ||
+                       !strcmp(argv[1], "list") ||
+                       !strcmp(argv[1], "remove"))) {
+        g_printerr("usage: contacts {load|list|remove} ADDRESS-BOOK-ID\n");
+        return 1;
+    }
+
+    // Connect to the EDS registry service
+    registry = e_source_registry_new_sync(NULL, &error);
+    if (!registry) {
+        goto end;
+    }
+
+    address_book = open_or_create(registry, argv[2], &error);
+    if (!address_book) {
+        goto end;
+    }
+
+    if (!strcmp(argv[1], "load")) {
+        load_contact_from_stdin(address_book, &error);
+    } else if (!strcmp(argv[1], "list")) {
+        list_contacts(address_book, &error);
+    } else if (!strcmp(argv[1], "remove")) {
+        remove_address_book(address_book, &error);
+    }
+
+end:
+    if (error) {
+        g_printerr("error: %s[%d] %s\n", g_quark_to_string(error->domain),
+                   error->code, error->message);
+        return 1;
+    }
+    return 0;
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/meson.build snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/meson.build
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/meson.build	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/meson.build	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,14 @@
+project('test-snapd-eds', 'c', version: '0.1')
+
+ebook_deps = dependency('libebook-1.2')
+ecal_deps = dependency('libecal-1.2')
+
+executable('contacts',
+  'contacts.c',
+  dependencies: ebook_deps,
+  install: true)
+
+executable('calendar',
+  'calendar.c',
+  dependencies: ecal_deps,
+  install: true)
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/snap/snapcraft.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/snap/snapcraft.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-eds/snap/snapcraft.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-eds/snap/snapcraft.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,47 @@
+name: test-snapd-eds
+version: '0.1'
+summary: utilities to test evolution-data-server interfaces of snapd
+description: |
+  This package contains utilities designed to test a confined
+  application's ability to access addressbooks and calendars managed
+  by evolution-data-server.
+
+grade: stable
+confinement: strict
+
+apps:
+  contacts:
+    command: bin/contacts
+    plugs:
+      - contacts-service
+  calendar:
+    command: bin/calendar
+    plugs:
+      - calendar-service
+
+environment:
+  GSETTINGS_BACKEND: memory
+  EDS_CAMEL_PROVIDER_DIR: $SNAP/usr/lib/evolution-data-server/camel-providers
+  XDG_DATA_DIRS: $SNAP/usr/share:$XDG_DATA_DIRS
+
+parts:
+  main:
+    plugin: meson
+    source: .
+    meson-parameters:
+      - --prefix=/
+    build-packages:
+      - libebook1.2-dev
+      - libecal1.2-dev
+      - pkg-config
+  evolution-data-server:
+    plugin: nil
+    install: |
+      glib-compile-schemas $SNAPCRAFT_PART_INSTALL/usr/share/glib-2.0/schemas
+    stage:
+      - usr/share/glib-2.0/schemas/*
+      - usr/lib/evolution-data-server/camel-providers/*
+    build-packages:
+      - libglib2.0-bin
+    stage-packages:
+      - evolution-data-server
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-epoch-1/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-epoch-1/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-epoch-1/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-epoch-1/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+name: test-snapd-epoch
+version: 1
+summary: Basic snap with epochs
+description: A basic snap that has epochs
+epoch: 1
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-epoch-2/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-epoch-2/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-epoch-2/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-epoch-2/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+name: test-snapd-epoch
+version: 2
+summary: Basic snap with epochs
+description: A basic snap that has epochs
+epoch: 2
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-event/bin/read-evdev-device snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-event/bin/read-evdev-device
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-event/bin/read-evdev-device	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-event/bin/read-evdev-device	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+
+cd "$SNAP"
+
+device_type="-event-kbd"
+if [ -n "$1" ]; then
+    device_type="$1"
+fi
+
+# Detect a device by looking in /dev/input/by-path to find the first device
+# matching the specified device_type
+evdev=$(find /dev/input/by-path/ -name "*$device_type" -ls | head -1 | sed 's#.* -> ../##')
+
+if [ -z "$evdev" ]; then
+    echo "No device detected. Aborting"
+    exit 1
+fi
+
+dev="/dev/input/$evdev"
+if [ ! -c "$dev" ]; then
+    echo "Detected device is not a character device. Aborting"
+    exit 1
+fi
+
+# Obtain an fd for the file
+exec 3<> "$dev"
+# Close the file
+exec 3>&-
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-event/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-event/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-event/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-event/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,12 @@
+name: test-snapd-event
+version: 1.0
+summary: Test opening /dev/input/event* devices
+confinement: strict
+description: |
+  Trivial snap for testing opening /dev/input/event* devices
+apps:
+  test-snapd-event:
+    command: bin/read-evdev-device
+    plugs:
+    - joystick
+    - device-buttons
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-framebuffer/bin/write snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-framebuffer/bin/write
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-framebuffer/bin/write	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-framebuffer/bin/write	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-echo "$1" | dd bs=4 seek=$((100 * 1024 + 200)) of=/dev/fb0
\ No newline at end of file
+echo "$1" | dd bs=4 seek=1024 of=/dev/fb0
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-gpg-keys/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-gpg-keys/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-gpg-keys/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-gpg-keys/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-name: test-snapd-gpg-keys
-summary: Basic snap to access to gpg keys
-description: A basic snap used to access to gpg keys
-version: 1.0
-
-apps:
-  sh:
-    command: ../../../bin/sh
-    plugs: [gpg-keys]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-gpg-public-keys/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-gpg-public-keys/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-gpg-public-keys/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-gpg-public-keys/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-name: test-snapd-gpg-public-keys
-version: 1.0
-summary: Basic gpg-public-keys snap
-description: A basic snap which access to public gpg keys
-
-apps:
-  sh:
-    command: ../../../bin/sh
-    plugs: [gpg-public-keys]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-beta/snapcraft.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-beta/snapcraft.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-beta/snapcraft.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-beta/snapcraft.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,15 @@
+name: test-snapd-just-beta
+version: 1.0
+summary: Basic snap published just on beta channel
+description: A basic snap published just on beta channel
+confinement: strict
+grade: stable
+
+apps:
+    snap-name:
+        command: snap-name
+
+parts:
+    copy:
+        plugin: dump
+        source: .
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-beta/snap-name snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-beta/snap-name
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-beta/snap-name	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-beta/snap-name	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "test-snapd-just-beta"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-edge/snapcraft.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-edge/snapcraft.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-edge/snapcraft.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-edge/snapcraft.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,15 @@
+name: test-snapd-just-edge
+version: 1.0
+summary: Basic snap published just on edge channel
+description: A basic snap published just on edge channel
+confinement: strict
+grade: stable
+
+apps:
+    snap-name:
+        command: snap-name
+
+parts:
+    copy:
+        plugin: dump
+        source: .
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-edge/snap-name snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-edge/snap-name
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-just-edge/snap-name	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-just-edge/snap-name	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "test-snapd-just-edge"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-kvm/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-kvm/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-kvm/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-kvm/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-name: test-snapd-kvm
-version: 1.0
-summary: Basic kvm snap
-description: A basic snap which access to kvm device
-
-apps:
-  sh:
-    command: ../../../bin/sh
-    plugs: [kvm]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-layout/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-layout/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-layout/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-layout/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-layout/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-layout/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-layout/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-layout/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,7 @@
 summary: Sample illustrating very basic layout support
 apps:
     sh:
-        command: ../../../bin/sh
+        command: bin/sh
 layout:
   # Layouts can be used to inject configuration files and directories.
   /etc/demo:
@@ -23,3 +23,17 @@
   # Layouts can help with applications designed for /opt
   /opt/demo:
     bind: $SNAP/opt/demo
+  # Layouts can poke holes and preserve DAC permissions while doing so
+  # notably /var/spool/rsyslog is owned by syslog:adm and has mode 700
+  /var/spool/rsyslog/demo:
+    bind: $SNAP_DATA/var/spool/rsyslog/demo
+  # Layout can refer to non-existing source path.
+  /bin/very/weird/place:
+    bind: $SNAP/bin/very/weird/place
+  # Layout can safely construct a path underneath a mimic established by
+  # another layout item. Here a writable mimic of /bin is established and both
+  # of the layout items using it can write to deeply nested entires therein
+  # (not directly under the tmpfs mount point). This takes advantage of the
+  # improved tmpfs detection and tracking logic in snap-update-ns.
+  /bin/very/weird/space:
+    bind: $SNAP/bin/very/weird/space
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-lp-1803535/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-lp-1803535/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-lp-1803535/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-lp-1803535/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-lp-1803535/etc/OpenCL/vendors/foo.icd snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-lp-1803535/etc/OpenCL/vendors/foo.icd
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-lp-1803535/etc/OpenCL/vendors/foo.icd	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-lp-1803535/etc/OpenCL/vendors/foo.icd	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+canary
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-lp-1803535/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-lp-1803535/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-lp-1803535/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-lp-1803535/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,9 @@
+name: test-snapd-lp-1803535
+version: 1.0
+summary: Regression test for https://bugs.launchpad.net/snapd/+bug/1803535
+apps:
+    sh:
+        command: bin/sh
+layout:
+  /etc/OpenCL/vendors/foo.icd:
+    bind-file: $SNAP/etc/OpenCL/vendors/foo.icd
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-policy-app-consumer/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-policy-app-consumer/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-policy-app-consumer/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-policy-app-consumer/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -8,6 +8,9 @@
   account-control:
     command: bin/run
     plugs: [ account-control ]
+  adb-support:
+    command: bin/run
+    plugs: [ adb-support ]
   alsa:
     command: bin/run
     plugs: [ alsa ]
@@ -35,18 +38,30 @@
   browser-support:
     command: bin/run
     plugs: [ browser-support ]
+  calendar-service:
+    command: bin/run
+    plugs: [ calendar-service ]
   camera:
     command: bin/run
     plugs: [ camera ]
+  cifs-mount:
+    command: bin/run
+    plugs: [ cifs-mount ]
   classic-support:
     command: bin/run
     plugs: [ classic-support ]
+  contacts-service:
+    command: bin/run
+    plugs: [ contacts-service ]
   content-read:
     command: bin/run
     plugs: [ content-read ]
   core-support:
     command: bin/run
     plugs: [ core-support ]
+  cpu-control:
+    command: bin/run
+    plugs: [ cpu-control ]
   cups-control:
     command: bin/run
     plugs: [ cups-control ]
@@ -65,12 +80,24 @@
   desktop-legacy:
     command: bin/run
     plugs: [ desktop-legacy ]
+  device-buttons:
+    command: bin/run
+    plugs: [ device-buttons ]
   docker:
     command: bin/run
     plugs: [ docker ]
   docker-support:
     command: bin/run
     plugs: [ docker-support ]
+  system-files:
+    command: bin/run
+    plugs: [ system-files ]
+  personal-files:
+    command: bin/run
+    plugs: [ personal-files ]
+  dvb:
+    command: bin/run
+    plugs: [ dvb ]
   firewall-control:
     command: bin/run
     plugs: [ firewall-control ]
@@ -113,15 +140,24 @@
   home:
     command: bin/run
     plugs: [ home ]
+  hostname-control:
+    command: bin/run
+    plugs: [ hostname-control ]
   io-ports-control:
     command: bin/run
     plugs: [ io-ports-control ]
   joystick:
     command: bin/run
     plugs: [ joystick ]
+  juju-client-observe:
+    command: bin/run
+    plugs: [ juju-client-observe ]
   kernel-module-control:
     command: bin/run
     plugs: [ kernel-module-control ]
+  kernel-module-observe:
+    command: bin/run
+    plugs: [ kernel-module-observe ]
   kubernetes-support:
     command: bin/run
     plugs: [ kubernetes-support ]
@@ -242,12 +278,21 @@
   screen-inhibit-control:
     command: bin/run
     plugs: [ screen-inhibit-control ]
+  screencast-legacy:
+    command: bin/run
+    plugs: [ screencast-legacy ]
   shutdown:
     command: bin/run
     plugs: [ shutdown ]
   snapd-control:
     command: bin/run
     plugs: [ snapd-control ]
+  service-watchdog:
+    command: bin/run
+    plugs: [ daemon-notify ]
+  can-bus:
+    command: bin/run
+    plugs: [ can-bus ]
   ssh-keys:
     command: bin/run
     plugs: [ ssh-keys ]
@@ -263,6 +308,9 @@
   system-trace:
     command: bin/run
     plugs: [ system-trace ]
+  dummy:
+    command: bin/run
+    plugs: [ dummy ]
   thumbnailer-service:
     command: bin/run
     plugs: [ thumbnailer-service ]
@@ -325,3 +373,13 @@
     interface: dbus
     bus: system
     name: test.system
+  system-files:
+    interface: system-files
+    read: [/file1]
+    write: [/dir1]
+  personal-files:
+    interface: personal-files
+    read: [$HOME/file1]
+    write: [$HOME/dir1]
+  dummy:
+    interface: dummy
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-policy-app-provider-classic/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-policy-app-provider-classic/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-policy-app-provider-classic/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-policy-app-provider-classic/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -18,6 +18,7 @@
     interface: dbus
     bus: system
     name: test.system
+  fwupd: null
   location-control: null
   location-observe: null
   lxd: null
@@ -48,6 +49,9 @@
   docker:
     command: bin/run
     slots: [ docker ]
+  fwupd:
+    command: bin/run
+    slots: [ fwupd ]
   location-control:
     command: bin/run
     slots: [ location-control ]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-policy-app-provider-core/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-policy-app-provider-core/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-policy-app-provider-core/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-policy-app-provider-core/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -43,6 +43,8 @@
   unity8-calendar: null
   unity8-contacts: null
   upower-observe: null
+  wayland: null
+  x11: null
 
 apps:
   avahi-control:
@@ -129,3 +131,9 @@
   upower-observe:
     command: bin/run
     slots: [ upower-observe ]
+  wayland:
+    command: bin/run
+    slots: [ wayland ]
+  x11:
+    command: bin/run
+    slots: [ x11 ]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-raw-usb/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-raw-usb/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-raw-usb/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-raw-usb/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-name: test-snapd-raw-usb
-version: 1.0
-summary: Basic raw-usb snap
-description: A basic snap which access to raw usb
-
-apps:
-  sh:
-    command: ../../../bin/sh
-    plugs: [raw-usb]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-requires-base-bare/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-requires-base-bare/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-requires-base-bare/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-requires-base-bare/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+name: test-snapd-requires-base-bare
+base: test-snapd-base-bare
+version: 1.0
+summary: A test snap that requires a specific base snap
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-rsync/snapcraft.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-rsync/snapcraft.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-rsync/snapcraft.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-rsync/snapcraft.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,16 @@
+name: test-snapd-rsync
+version: 3.1.3
+summary: Copying and synchronizing files and directories in Linux/Unix systems.  
+description: |
+  Rsync (Remote Sync) is a most commonly used command for copying and synchronizing files and 
+  directories remotely as well as locally in Linux/Unix systems. 
+grade: stable
+confinement: strict
+
+apps:
+    rsync:
+        command: rsync
+parts:
+    rsync:
+        plugin: nil
+        stage-packages: [rsync]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/reload snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/reload
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/reload	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/reload	2019-01-16 08:36:51.000000000 +0000
@@ -5,4 +5,4 @@
     exit 1
 fi
 echo "reloading main PID: $MAINPID"
-kill -HUP $MAINPID
+kill -HUP "$MAINPID"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/start-refresh-mode snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/start-refresh-mode
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/start-refresh-mode	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/start-refresh-mode	1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-trap "echo got sigusr1" USR1
-trap "echo got sigusr2" USR2
-trap "echo got sighup" HUP
-
-while true; do
-    echo "running $1 process"
-    sleep 1
-done
-
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,68 @@
+#!/usr/bin/python3
+import os
+import signal
+import socket
+import subprocess
+import sys
+import time
+import types
+
+
+# Re-implement sd_notify to avoid the need to tweak apparmor permissions to run systemd-notify(1)
+def sd_notify(unset_environment: bool, state: str) -> bool:
+    addr = os.getenv("NOTIFY_SOCKET")
+    if addr is None:
+        return False
+    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
+        sock.connect(addr)
+        sock.sendmsg([state.encode("UTF-8")])
+    if unset_environment:
+        os.unsetenv("NOTIFY_SOCKET")
+    return True
+
+def write_file(name: str) -> bool:
+    SNAP_COMMON = os.getenv("SNAP_COMMON")
+    if SNAP_COMMON is None:
+        return False
+    with open(os.path.join(SNAP_COMMON, name), "w") as stream:
+        pass
+    return True
+
+def main() -> None:
+    # Keep track of the need to keep waiting for signals
+    loop = True
+
+    # Keep track of the signal that killed us so that we don't attempt IO from
+    # the signal handler.
+    incoming_signum = None
+
+    # When one of the signals given below arrives, record this fact and stop the loop.
+    def on_signal(signum: int, tb: types.FrameType) -> None:
+        nonlocal incoming_signum
+        incoming_signum = signum
+        nonlocal loop
+        loop = False
+
+    for signum in signal.SIGUSR1, signal.SIGUSR2, signal.SIGHUP:
+        signal.signal(signum, on_signal)
+
+    # Tell systemd that we are considered ready now or touch a file in
+    # $SNAP_COMMON/ready that conveys the same message. The tests can use that
+    # to synchronize.
+    try:
+        sd_notify(False, "READY=1\n") or write_file("ready")
+    except PermissionError:
+        raise SystemExit("cannot send systemd notification message")
+
+    # Keep looping until a signal arrives, logging message to show we are alive.
+    while loop:
+        print("running {} process".format(sys.argv[1] if len(sys.argv) > 1 else "???"))
+        time.sleep(1)
+        if incoming_signum is not None:
+            signame = signal.Signals(incoming_signum).name.lower()
+            print("got {}".format(signame))
+            write_file("{}-{}".format(sys.argv[1],signame))
+
+
+if __name__ == "__main__":
+    main()
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode-sigterm snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode-sigterm
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode-sigterm	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/start-stop-mode-sigterm	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,15 @@
+#!/usr/bin/python3
+import signal
+import subprocess
+
+def main() -> None:
+	print("start-refresh-mode-sigkill")
+	print("running a process")
+	# This actual sleep process is (ahem) actually needed because the test is
+	# looking for it. In addition this actually checks how children are (or
+	# are not) killed by systemd.
+	subprocess.call(["sleep", "3133731337"])
+
+
+if __name__ == "__main__":
+    main()
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/stop snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/stop
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/stop	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/stop	2019-01-16 08:36:51.000000000 +0000
@@ -1,3 +1,7 @@
 #!/bin/sh
 
 echo "stop service"
+
+if [ -n "$1" ]; then
+    sleep "$1"
+fi
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/stop-refresh-mode snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/stop-refresh-mode
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/stop-refresh-mode	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/stop-refresh-mode	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-echo "stop $1 process"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/stop-stop-mode snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/stop-stop-mode
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/bin/stop-stop-mode	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/bin/stop-stop-mode	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo "stop $1 process"
+rm -f "$SNAP_COMMON/ready"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -9,48 +9,51 @@
     test-snapd-other-service:
         command: bin/start-other
         daemon: simple
-    test-snapd-endure-service:
-        command: bin/start-refresh-mode endure
-        stop-command: bin/stop-refresh-mode endure
-        daemon: simple
-        refresh-mode: endure
-    test-snapd-sigterm-service:
-        command: bin/start-refresh-mode sigterm
-        stop-command: bin/stop-refresh-mode sigterm
-        daemon: simple
-        refresh-mode: sigterm
-    test-snapd-sigterm-all-service:
-        command: bin/start-refresh-mode sigterm-all
-        stop-command: bin/stop-refresh-mode sigterm-all
-        daemon: simple
-        refresh-mode: sigterm
     test-snapd-sighup-service:
-        command: bin/start-refresh-mode sighup
-        stop-command: bin/stop-refresh-mode sighup
+        command: bin/start-stop-mode sighup
+        stop-command: bin/stop-stop-mode sighup
         daemon: simple
-        refresh-mode: sighup
+        stop-mode: sighup
     test-snapd-sighup-all-service:
-        command: bin/start-refresh-mode sighup-all
-        stop-command: bin/stop-refresh-mode sighup-all
+        command: bin/start-stop-mode sighup-all
+        stop-command: bin/stop-stop-mode sighup-all
         daemon: simple
-        refresh-mode: sighup-all
+        stop-mode: sighup-all
     test-snapd-sigusr1-service:
-        command: bin/start-refresh-mode sigusr1
-        stop-command: bin/stop-refresh-mode sigusr1
+        command: bin/start-stop-mode sigusr1
+        stop-command: bin/stop-stop-mode sigusr1
         daemon: simple
-        refresh-mode: sigusr1
+        stop-mode: sigusr1
     test-snapd-sigusr1-all-service:
-        command: bin/start-refresh-mode sigusr1-all
-        stop-command: bin/stop-refresh-mode sigusr1-all
+        command: bin/start-stop-mode sigusr1-all
+        stop-command: bin/stop-stop-mode sigusr1-all
         daemon: simple
-        refresh-mode: sigusr1-all
+        stop-mode: sigusr1-all
     test-snapd-sigusr2-service:
-        command: bin/start-refresh-mode sigusr2
-        stop-command: bin/stop-refresh-mode sigusr2
+        command: bin/start-stop-mode sigusr2
+        stop-command: bin/stop-stop-mode sigusr2
         daemon: simple
-        refresh-mode: sigusr2
+        stop-mode: sigusr2
     test-snapd-sigusr2-all-service:
-        command: bin/start-refresh-mode sigusr2-all
-        stop-command: bin/stop-refresh-mode sigusr2-all
+        command: bin/start-stop-mode sigusr2-all
+        stop-command: bin/stop-stop-mode sigusr2-all
+        daemon: simple
+        stop-mode: sigusr2-all
+    test-snapd-sigterm-service:
+        command: bin/start-stop-mode-sigterm
+        daemon: simple
+        stop-mode: sigterm
+    test-snapd-sigterm-all-service:
+        command: bin/start-stop-mode-sigterm
+        daemon: simple
+        stop-mode: sigterm-all
+    test-snapd-endure-service:
+        command: bin/start-stop-mode endure
+        stop-command: bin/stop-stop-mode endure
+        daemon: simple
+        refresh-mode: endure
+    test-snapd-service-refuses-to-stop:
+        command: bin/start
         daemon: simple
-        refresh-mode: sigusr2-all
+        stop-command: bin/stop 60
+        stop-timeout: 10s
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service-watchdog/bin/direct snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service-watchdog/bin/direct
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service-watchdog/bin/direct	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service-watchdog/bin/direct	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+
+import socket
+import time
+import os
+import argparse
+import logging
+
+from contextlib import closing
+
+
+def parse_arguments():
+    parser = argparse.ArgumentParser(description='watchdog notification test')
+    parser.add_argument('--bad', action='store_true', help='bad mode')
+    return parser.parse_args()
+
+
+def main(opts):
+    notify_addr = os.getenv('NOTIFY_SOCKET')
+    if not notify_addr:
+        raise RuntimeError('NOTIFY_SOCKET not set')
+
+    watchdog_usec = os.getenv('WATCHDOG_USEC')
+    if not watchdog_usec:
+        raise RuntimeError('WATCHDOG_USEC not set')
+
+    # convert to seconds
+    watchdog_timeout = int(watchdog_usec) / 1000000
+
+    logging.info('watchdog timeout: %us', watchdog_timeout)
+    logging.info('notification socket address: %s', notify_addr)
+
+    if notify_addr.startswith('@'):
+        # abstract socket address is represented by a bytes-like object, with
+        # an initial null byte
+        notify_addr = notify_addr.encode().replace(b'@', b'\x00')
+
+    if opts.bad:
+        sleep_time = 2 * watchdog_timeout
+        logging.warning('running in "bad" mode')
+    else:
+        sleep_time = watchdog_timeout / 2
+
+    logging.info('watchdog notification every %ss', sleep_time)
+
+    with closing(socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)) as sock:
+        sock.connect(notify_addr)
+
+        while True:
+            logging.info('watchdog kick')
+            sock.sendall(b'WATCHDOG=1')
+            time.sleep(sleep_time)
+
+
+if __name__ == '__main__':
+    opts = parse_arguments()
+    logging.basicConfig(level=logging.DEBUG)
+    main(opts)
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service-watchdog/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service-watchdog/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-service-watchdog/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-service-watchdog/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,15 @@
+name: test-snapd-service-watchdog
+version: 1.0
+apps:
+  direct-watchdog-ok:
+    command: bin/direct
+    daemon: simple
+    watchdog-timeout: 1s
+    restart-condition: never
+    plugs: [daemon-notify]
+  direct-watchdog-bad:
+    command: bin/direct --bad
+    daemon: simple
+    watchdog-timeout: 1s
+    restart-condition: never
+    plugs: [daemon-notify]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,69 @@
 name: test-snapd-sh
 summary: A no-strings-attached, no-fuss shell for writing tests
 version: 1.0
+
+plugs:
+    personal-files:
+        read: [$HOME/.testdir1, $HOME/.testfile1, $HOME/testfile1, $HOME/testdir1]
+        write: [$HOME/.testdir1, $HOME/.testfile1]
+    system-files:
+        read: [/mnt/testdir]
+        write: [/mnt/testdir/.testdir1, /mnt/testdir/.testfile1]
+
 apps:
     test-snapd-sh:
-        command: ../../../bin/sh
+        command: bin/sh
+    with-broadcom-asic-control-plug:
+        command: bin/sh
+        plugs: [broadcom-asic-control]
+    with-device-buttons-plug:
+        command: bin/sh
+        plugs: [device-buttons]
+    with-dvb-plug:
+        command: bin/sh
+        plugs: [dvb]
+    with-gpg-keys-plug:
+        command: bin/sh
+        plugs: [gpg-keys]
+    with-gpg-public-keys-plug:
+        command: bin/sh
+        plugs: [gpg-public-keys]
     with-home-plug:
-        command: ../../../bin/sh
+        command: bin/sh
         plugs: [home]
+    with-hostname-control-plug:
+        command: bin/sh
+        plugs: [hostname-control]
+    with-joystick-plug:
+        command: bin/sh
+        plugs: [joystick]
+    with-juju-client-observe-plug:
+        command: bin/sh
+        plugs: [juju-client-observe]
+    with-kvm-plug:
+        command: bin/sh
+        plugs: [kvm]
+    with-network-setup-control-plug:
+        command: bin/sh
+        plugs: [network-setup-control]
+    with-network-setup-observe-plug:
+        command: bin/sh
+        plugs: [network-setup-observe]
+    with-personal-files-plug:
+        command: bin/sh
+        plugs: [personal-files]
+    with-raw-usb-plug:
+        command: bin/sh
+        plugs: [raw-usb]
+    with-removable-media-plug:
+        command: bin/sh
+        plugs: [removable-media]
+    with-ssh-keys-plug:
+        command: bin/sh
+        plugs: [ssh-keys]
+    with-ssh-public-keys-plug:
+        command: bin/sh
+        plugs: [ssh-public-keys]
+    with-system-files-plug:
+        command: bin/sh
+        plugs: [system-files]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh-core16/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh-core16/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh-core16/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh-core16/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
+
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh-core16/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh-core16/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-sh-core16/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-sh-core16/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,7 @@
+name: test-snapd-sh-core16
+version: 1.0
+architectures: ["all"]
+base: core16
+apps:
+    sh:
+        command: bin/sh
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-snapctl-core18/bin/service snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-snapctl-core18/bin/service
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-snapctl-core18/bin/service	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-snapctl-core18/bin/service	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+echo "hello"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/hooks/install snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/hooks/install
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/hooks/install	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/hooks/install	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+snapctl stop --disable test-snapd-snapctl-core18.service
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-snapctl-core18/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,10 @@
+name: test-snapd-snapctl-core18
+version: '0.1'
+summary: Test snapctl on core18
+description: Test snapctl on core18
+base: core18
+
+apps:
+  service:
+    command: bin/service
+    daemon: oneshot
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-ssh-keys/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-ssh-keys/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-ssh-keys/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-ssh-keys/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-name: test-snapd-ssh-keys
-version: 1.0
-summary: Basic ssh-keys snap
-description: A basic snap which access to ssh keys
-
-apps:
-  sh:
-    command: ../../../bin/sh
-    plugs: [ssh-keys]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-ssh-public-keys/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-ssh-public-keys/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-ssh-public-keys/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-ssh-public-keys/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-name: test-snapd-ssh-public-keys
-version: 1.0
-summary: Basic ssh-public-keys snap
-description: A basic snap which access to public ssh keys
-
-apps:
-  sh:
-    command: ../../../bin/sh
-    plugs: [ssh-public-keys]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-statx/bin/statx.py snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-statx/bin/statx.py
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-statx/bin/statx.py	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-statx/bin/statx.py	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+"""
+Pure-python implementation of the status of the stax() system call.
+"""
+from ctypes import CDLL, c_char, c_long, create_string_buffer, get_errno
+from ctypes.util import find_library
+from enum import Enum
+from errno import ENOSYS, EPERM
+from os import uname
+
+
+__all__ = ('SyscallStatus', 'evaluate_statx_support')
+
+
+class SyscallStatus(Enum):
+    """Syscall status encodes the status of a system call."""
+    SUPPORTED = "supported"
+    MISSING = "missing"
+    BLOCKED = "blocked"
+
+
+def evaluate_statx_support() -> SyscallStatus:
+    """
+    Evaluate status of the statx system call.
+
+    The statx system call was introduced in the Linux kernel 4.11.  A snap
+    application running under seccomp confinement may experience one of three
+    results when accessing statx: Supported, namely implemented by the kernel
+    and allowed by the seccomp filter. Missing, namely not implemented by the
+    kernel but not blocked by seccomp. Blocked namely not allowed by seccomp
+    and either implemented or not by the kernel.
+    """
+    machine = uname()[4]
+    sys_statx_table = {
+        "i686": 383,
+        "i386": 383,
+        "x86_64": 332,
+
+        "arm": 397,
+        "aarch64": 291,
+
+        "ppc": 383,
+        "ppcel64": 383,
+
+        "s390x": 379,
+    }
+    try:
+        SYS_STATX = sys_statx_table[machine]
+    except KeyError:
+        raise Exception("unsupported architecture {}".format(machine))
+    libc_name = find_library("c")
+    if libc_name is None:
+        raise Exception("cannot find the C library")
+    libc = CDLL(libc_name, use_errno=True)
+    syscall = libc.syscall
+    buf_4k = c_char * 4096
+    dummy_buf = buf_4k()
+    empty_string = create_string_buffer(b"")
+    AT_FDCWD = -100
+    AT_EMPTY_PATH = 0x1000
+    # statx(2) prototype:
+    #
+    # int statx(int dirfd, const char *pathname, int flags,
+    #           unsigned int mask, struct statx *statxbuf);
+    #
+    # We don't attempt to define struct statx here, instead we just
+    # provide a buffer with ample space, so that the system call has sufficient
+    # space to write the result to.
+    #
+    # Python equivalent of:
+    #
+    #   char dummy_buf[4096];
+    #   syscall(SYS_STATX, AT_FDCWD, "", AT_EMPTY_PATH, 0, dummy_buf);
+    retval = syscall(c_long(SYS_STATX), c_long(AT_FDCWD), empty_string,
+                     c_long(AT_EMPTY_PATH), c_long(0), dummy_buf)
+    errno = get_errno()
+    if retval == 0:
+        return SyscallStatus.SUPPORTED
+    elif retval == -1 and errno == ENOSYS:
+        return SyscallStatus.MISSING
+    elif retval == -1 and errno == EPERM:
+        return SyscallStatus.BLOCKED
+    raise Exception("unexpected result of statx, retval: {}, errno: {}".format(
+        retval, errno))
+
+
+def main() -> None:
+    try:
+        print("statx: {}".format(evaluate_statx_support().value))
+    except Exception as exc:
+        print("statx: error: {}".format(exc))
+
+
+if __name__ == "__main__":
+    main()
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-statx/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-statx/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-statx/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-statx/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,7 @@
+name: test-snapd-statx
+version: 1.0
+summary: Support snap for determining the status of the statx system call
+
+apps:
+  test-snapd-statx:
+    command: bin/statx.py
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/forking.sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/forking.sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/forking.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/forking.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+sleep 60 &
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/simple.sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/simple.sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/simple.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/bin/simple.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+sleep 60
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/hooks/install snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/hooks/install
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/hooks/install	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/hooks/install	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+#!/bin/bash -e
+
+for service in simple forking; do
+    echo "Disabling $service service from install hook"
+    snapctl stop --disable "test-snapd-svcs-disable-install-hook.$service"
+done
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-svcs-disable-install-hook/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,9 @@
+name: test-snapd-svcs-disable-install-hook
+version: 1.0
+apps:
+    simple:
+        daemon: simple
+        command: bin/simple.sh
+    forking:
+        daemon: forking
+        command: bin/forking.sh
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-timer-service/bin/loop snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-timer-service/bin/loop
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-timer-service/bin/loop	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-timer-service/bin/loop	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+echo "called on $(date) as $1"
+
+for _ in $(seq 10); do
+    echo "looping"
+    sleep 0.5
+done
+
+echo "finishing on $(date)"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-timer-service/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-timer-service/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-timer-service/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-timer-service/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,13 @@
+name: test-snapd-timer-service
+version: 1.0
+apps:
+  regular-timer:
+    command: bin/loop regular-timer
+    daemon: simple
+    # Run every 15 minutes
+    timer: 0:00-24:00/96
+  random-timer:
+    command: bin/loop random-timer
+    daemon: simple
+    # Run roughly every 15 minutes, with (some) random distribution
+    timer: 0:00~24:00/96
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/block snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/block
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/block	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/block	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -ex
+
+cd "$SNAP"
+echo "blocking dir $(pwd)"
+
+# add a marker so that applications that rely on this blocker
+# can detect when its ready
+touch "$SNAP_DATA/block-running"
+
+echo "waiting, press ctrl-c to stop"
+sleep 999999
+exit 0
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cat snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cat
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cat	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cat	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cat "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cmd snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cmd
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cmd	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/cmd	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+command="$1"
+shift
+
+"$command" "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/echo snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/echo
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/echo	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/echo	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/env snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/env
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/env	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/env	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/bin/env
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/fail snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/fail
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/fail	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/fail	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 1
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/head snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/head
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/head	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/head	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+head "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+cat <<EOM
+Launching a shell inside the default app confinement. Navigate to your
+app-specific directories with:
+
+  $ cd \$SNAP
+  $ cd \$SNAP_DATA
+  $ cd \$SNAP_USER_DATA
+
+EOM
+
+/bin/bash --norc -i
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/success snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/success
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/success	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/bin/success	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exit 0
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-tools-core18/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-tools-core18/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+name: test-snapd-tools-core18
+version: 1.0
+architectures: ["all"]
+base: core18
+environment:
+  EXTRA_GLOBAL: extra-global
+  EXTRA_CACHE_DIR: $SNAP_USER_DATA/.cache
+apps:
+    echo:
+        command: bin/echo
+    success:
+        command: bin/success
+    fail:
+        command: bin/fail
+    block:
+        command: bin/block
+    cat:
+        command: bin/cat
+    head:
+        command: bin/head
+    env:
+        command: bin/env
+        environment:
+          EXTRA_LOCAL: extra-local
+          EXTRA_LOCAL_NESTED: ${EXTRA_GLOBAL}-nested
+          EXTRA_LOCAL_PATH: $SNAP/bin:$SNAP/usr/bin:/usr/bin
+    sh:
+        command: bin/sh
+    cmd:
+        command: bin/cmd
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/bin/read-evdev-kbd snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/bin/read-evdev-kbd
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/bin/read-evdev-kbd	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/bin/read-evdev-kbd	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+cd "$SNAP"
+
+# Detect a keyboard by looking in /dev/input/by-path to find the first
+# '-event-kbd'
+evdev_kbd=$(find /dev/input/by-path/ -name '*-event-kbd' -ls | head -1 | sed 's#.* -> ../##')
+
+if [ -z "$evdev_kbd" ]; then
+    echo "No keyboard detected. Aborting"
+    exit 1
+fi
+
+dev="/dev/input/$evdev_kbd"
+if [ ! -c "$dev" ]; then
+    echo "Detected keyboard is not a character device. Aborting"
+    exit 1
+fi
+
+# Obtain an fd for the file
+exec 3<> "$dev"
+# Close the file
+exec 3>&-
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udev-input-subsystem/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,24 @@
+name: test-snapd-udev-input-subsystem
+version: 1.0
+summary: Basic input subsystem tester
+description: A basic snap declaring a slot to a udev tagged interface (input)
+confinement: strict
+
+slots:
+  mir-slot:
+    interface: mir
+
+plugs:
+  mir-plug:
+    interface: mir
+
+apps:
+  slot:
+    command: bin/read-evdev-kbd
+    slots: [mir-slot]
+  plug:
+    command: bin/read-evdev-kbd
+    plugs: [mir-plug]
+  plug-with-time-control:
+    command: bin/read-evdev-kbd
+    plugs: [mir-plug, time-control]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udisks2/snapcraft.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udisks2/snapcraft.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udisks2/snapcraft.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udisks2/snapcraft.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,17 @@
+name: test-snapd-udisks2
+version: 1.0
+summary: Basic udisks2 snap
+description: A basic snap which allow operating as or interacting with the UDisks2 service
+grade: stable
+confinement: strict
+
+apps:
+  udisksctl:
+    command: udisksctl
+    plugs: [udisks2]
+
+parts:
+    copy:
+        plugin: dump
+        source: .
+        stage-packages: [udisks2]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udisks2/udisksctl snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udisks2/udisksctl
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-udisks2/udisksctl	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-udisks2/udisksctl	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+udisksctl "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/bin/sh snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/bin/sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/bin/sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/bin/sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /bin/sh "$@"
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-unknown-interfaces/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,7 @@
 version: 1.0
 apps:
     test-snapd-unknown-interfaces:
-        command: ../../../bin/sh
+        command: bin/sh
 plugs:
     bogus-plug:
 slots:
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/hooks/configure snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/hooks/configure
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/hooks/configure	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/hooks/configure	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+touch "$SNAP_COMMON"/configure-ran
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-with-configure-core18/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+name: test-snapd-with-configure-core18
+version: 1.0
+summary: Basic snap with a configure hook for core18
+description: A basic snap with a passthrough configure hook for core18
+base: core18
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-xdg-autostart/bin/foobar snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-xdg-autostart/bin/foobar
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-xdg-autostart/bin/foobar	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-xdg-autostart/bin/foobar	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+dump_autostart() {
+    dfpath="$SNAP_USER_DATA/.config/autostart/foo.desktop"
+
+    test -e "$dfpath" && return
+
+    echo "generating autostart file $dfpath"
+
+    mkdir -p "$SNAP_USER_DATA"/.config/autostart
+    cat >"$dfpath" <<EOF
+[Desktop Entry]
+Name=foo autostart
+Exec=/foo/bar/baz/bin/foobar --autostart a b c
+EOF
+}
+
+case "$1" in
+    --autostart)
+        echo "autostarting with args '$*'" | tee "$SNAP_USER_DATA"/foo-autostarted
+        ;;
+    *)
+        echo "regular run with args '$*'"
+        dump_autostart
+        ;;
+esac
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-xdg-autostart/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-xdg-autostart/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-snapd-xdg-autostart/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-snapd-xdg-autostart/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+name: test-snapd-xdg-autostart
+version: 1.0
+apps:
+  foo:
+    command: bin/foobar
+    autostart: foo.desktop
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-dev snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-dev
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-dev	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-dev	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,4 @@
+#!/bin/sh -eu
+
+device="$1"
+dd if="/dev/$device" of=/dev/null count=10
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-fb snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-fb
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-fb	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-fb	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-cat /dev/fb0
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-kmsg snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-kmsg
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-kmsg	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/bin/read-kmsg	1970-01-01 00:00:00.000000000 +0000
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-head -1 /dev/kmsg
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/meta/snap.yaml snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/lib/snaps/test-strict-cgroup/meta/snap.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps/test-strict-cgroup/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -6,9 +6,6 @@
 confinement: strict
 
 apps:
-  read-fb:
-    command: bin/read-fb
-    plugs: [framebuffer]
-  read-kmsg:
-    command: bin/read-kmsg
+  read-dev:
+    command: bin/read-dev
     plugs: [framebuffer]
diff -Nru snapd-2.32.3.2~14.04/tests/lib/snaps.sh snapd-2.37~rc1~14.04/tests/lib/snaps.sh
--- snapd-2.32.3.2~14.04/tests/lib/snaps.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/snaps.sh	2019-01-16 08:36:51.000000000 +0000
@@ -8,9 +8,14 @@
     # assigned in a separate step to avoid hiding a failure
     SNAP_DIR="$(dirname "$SNAP_FILE")"
     if [ ! -f "$SNAP_FILE" ]; then
-        snap pack "$SNAP_DIR" "$SNAP_DIR" >/dev/null
+        snap pack "$SNAP_DIR" "$SNAP_DIR" >/dev/null || return 1
+    fi
+    # echo the snap name
+    if [ -f "$SNAP_FILE" ]; then
+        echo "$SNAP_FILE"
+    else
+        find "$TESTSLIB/snaps/${SNAP_NAME}" -name '*.snap' | head -n1
     fi
-    echo "$SNAP_FILE"
 }
 
 install_local() {
@@ -21,6 +26,13 @@
     snap install --dangerous "$@" "$SNAP_FILE"
 }
 
+install_local_as() {
+    local snap="$1"
+    local name="$2"
+    shift 2
+    install_local "$snap" --name "$name" "$@"
+}
+
 install_local_devmode() {
     install_local "$1" --devmode
 }
@@ -39,12 +51,15 @@
     dir="$1"
     snap="$2"
 
-    if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
-        # trusty does not support  -Xcompression-level 1
-        mksquashfs "$dir" "$snap" -comp gzip -no-fragments
-    else
-        mksquashfs "$dir" "$snap" -comp gzip -Xcompression-level 1 -no-fragments
-    fi
+    case "$SPREAD_SYSTEM" in
+        ubuntu-14.04-*|amazon-*|centos-*)
+            # trusty, AMZN2 and CentOS 7 do not support -Xcompression-level 1
+            mksquashfs "$dir" "$snap" -comp gzip -no-fragments -no-progress
+            ;;
+        *)
+            mksquashfs "$dir" "$snap" -comp gzip -Xcompression-level 1 -no-fragments -no-progress
+            ;;
+    esac
 }
 
 install_generic_consumer() {
@@ -58,13 +73,13 @@
 
 is_classic_confinement_supported() {
     case "$SPREAD_SYSTEM" in
-        ubuntu-core-16-*)
+        ubuntu-core-*)
             return 1
             ;;
         ubuntu-*|debian-*)
             return 0
             ;;
-        fedora-*)
+        fedora-*|centos-*)
             return 1
             ;;
         opensuse-*)
diff -Nru snapd-2.32.3.2~14.04/tests/lib/spread-funcs.sh snapd-2.37~rc1~14.04/tests/lib/spread-funcs.sh
--- snapd-2.32.3.2~14.04/tests/lib/spread-funcs.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/spread-funcs.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Define a dummy MATCH and REBOOT functions. This file is replaced by real
+# functions, as defined by spread, on project prepare (in spread.yaml).
+
+MATCH() {
+	echo "dummy MATCH function invoked"
+	false
+}
+
+REBOOT() {
+	echo "dummy REBOOT function invoked"
+	false
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/state.sh snapd-2.37~rc1~14.04/tests/lib/state.sh
--- snapd-2.32.3.2~14.04/tests/lib/state.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/state.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,122 @@
+#!/bin/bash
+
+SNAPD_STATE_PATH="$SPREAD_PATH/tests/snapd-state"
+SNAPD_STATE_FILE="$SPREAD_PATH/tests/snapd-state/snapd-state.tar"
+RUNTIME_STATE_PATH="$SPREAD_PATH/tests/runtime-state"
+SNAPD_ACTIVE_UNITS="$RUNTIME_STATE_PATH/snapd-active-units"
+
+# shellcheck source=tests/lib/dirs.sh
+. "$TESTSLIB/dirs.sh"
+
+# shellcheck source=tests/lib/boot.sh
+. "$TESTSLIB/boot.sh"
+
+# shellcheck source=tests/lib/systemd.sh
+. "$TESTSLIB/systemd.sh"
+
+# shellcheck source=tests/lib/systems.sh
+. "$TESTSLIB/systems.sh"
+
+delete_snapd_state() {
+    rm -rf "$SNAPD_STATE_PATH"
+}
+
+prepare_state() {
+    mkdir -p "$SNAPD_STATE_PATH" "$RUNTIME_STATE_PATH"
+}
+
+is_snapd_state_saved() {
+    if is_core_system && [ -d "$SNAPD_STATE_PATH"/snapd-lib ]; then
+        return 0
+    elif is_classic_system && [ -f "$SNAPD_STATE_FILE" ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+save_snapd_state() {
+    if is_core_system; then
+        boot_path="$(get_boot_path)"
+        test -n "$boot_path" || return 1
+
+        mkdir -p "$SNAPD_STATE_PATH"/system-units
+
+        # Copy the state preserving the timestamps
+        cp -a /var/lib/snapd "$SNAPD_STATE_PATH"/snapd-lib
+        cp -rf "$boot_path" "$SNAPD_STATE_PATH"/boot
+        cp -f /etc/systemd/system/snap-*core*.mount "$SNAPD_STATE_PATH"/system-units
+    else
+        systemctl daemon-reload
+        escaped_snap_mount_dir="$(systemd-escape --path "$SNAP_MOUNT_DIR")"
+        units="$(systemctl list-unit-files --full | grep -e "^${escaped_snap_mount_dir}[-.].*\\.mount" -e "^${escaped_snap_mount_dir}[-.].*\\.service" | cut -f1 -d ' ')"
+        for unit in $units; do
+            systemctl stop "$unit"
+        done
+        snapd_env="/etc/environment /etc/systemd/system/snapd.service.d /etc/systemd/system/snapd.socket.d"
+        snap_confine_profiles="$(ls /etc/apparmor.d/snap.core.* || true)"
+
+        # shellcheck disable=SC2086
+        tar cf "$SNAPD_STATE_FILE" \
+            /var/lib/snapd \
+            "$SNAP_MOUNT_DIR" \
+            /etc/systemd/system/"$escaped_snap_mount_dir"-*core*.mount \
+            /etc/systemd/system/multi-user.target.wants/"$escaped_snap_mount_dir"-*core*.mount \
+            $snap_confine_profiles \
+            $snapd_env
+
+        systemctl daemon-reload # Workaround for http://paste.ubuntu.com/17735820/
+        core="$(readlink -f "$SNAP_MOUNT_DIR/core/current")"
+        # on 14.04 it is possible that the core snap is still mounted at this point, unmount
+        # to prevent errors starting the mount unit
+        if is_ubuntu_14_system && mount | grep -q "$core"; then
+            umount "$core" || true
+        fi
+        for unit in $units; do
+            systemctl start "$unit"
+        done
+    fi
+
+    # Save the snapd active units
+    systemd_get_active_snapd_units > "$SNAPD_ACTIVE_UNITS"
+}
+
+restore_snapd_state() {
+    if is_core_system; then
+        # we need to ensure that we also restore the boot environment
+        # fully for tests that break it
+        boot_path="$(get_boot_path)"
+        test -n "$boot_path" || return 1
+
+        restore_snapd_lib
+        cp -rf "$SNAPD_STATE_PATH"/boot/* "$boot_path"
+        cp -f "$SNAPD_STATE_PATH"/system-units/*  /etc/systemd/system
+    else
+        # Purge all the systemd service units config
+        rm -rf /etc/systemd/system/snapd.service.d
+        rm -rf /etc/systemd/system/snapd.socket.d
+
+        tar -C/ -xf "$SNAPD_STATE_FILE"
+    fi
+
+    # Start all the units which have to be active
+    while read -r unit; do
+        if ! systemctl is-active "$unit"; then
+            systemctl start "$unit"
+        fi
+    done  < "$SNAPD_ACTIVE_UNITS"
+}
+
+restore_snapd_lib() {
+    # Clean all the state but the snaps and seed dirs. Then make a selective clean for 
+    # snaps and seed dirs leaving the .snap files which then are going to be synchronized.
+    find /var/lib/snapd/* -maxdepth 0 ! \( -name 'snaps' -o -name 'seed' \) -exec rm -rf {} \;
+
+    # Copy the whole state but the snaps and seed dirs
+    find "$SNAPD_STATE_PATH"/snapd-lib/* -maxdepth 0 ! \( -name 'snaps' -o -name 'seed' \) -exec cp -rf {} /var/lib/snapd \;
+
+    # Synchronize snaps and seed directories. The this is done separately in order to avoid copying 
+    # the snap files due to it is a heavy task and take most of the time of the restore phase.
+    rsync -av --delete "$SNAPD_STATE_PATH"/snapd-lib/snaps /var/lib/snapd
+    rsync -av --delete "$SNAPD_STATE_PATH"/snapd-lib/seed /var/lib/snapd
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/store.sh snapd-2.37~rc1~14.04/tests/lib/store.sh
--- snapd-2.32.3.2~14.04/tests/lib/store.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/store.sh	2019-01-16 08:36:51.000000000 +0000
@@ -5,6 +5,9 @@
 # shellcheck source=tests/lib/systemd.sh
 . "$TESTSLIB/systemd.sh"
 
+# shellcheck source=tests/lib/journalctl.sh
+. "$TESTSLIB/journalctl.sh"
+
 _configure_store_backends(){
     systemctl stop snapd.service snapd.socket
     mkdir -p "$(dirname $STORE_CONFIG)"
@@ -61,22 +64,23 @@
     https_proxy=${https_proxy:-}
     http_proxy=${http_proxy:-}
 
-    systemd_create_and_start_unit fakestore "$(which fakestore) run --dir $top_dir --addr localhost:11028 --https-proxy=${https_proxy} --http-proxy=${http_proxy} --assert-fallback" "SNAPD_DEBUG=1 SNAPD_DEBUG_HTTP=7 SNAPPY_TESTING=1 SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE"
+    echo "Create fakestore at the given port"
+    PORT="11028"
+    systemd_create_and_start_unit fakestore "$(command -v fakestore) run --dir $top_dir --addr localhost:$PORT --https-proxy=${https_proxy} --http-proxy=${http_proxy} --assert-fallback" "SNAPD_DEBUG=1 SNAPD_DEBUG_HTTP=7 SNAPPY_TESTING=1 SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE"
 
     echo "And snapd is configured to use the controlled store"
-    _configure_store_backends "SNAPPY_FORCE_API_URL=http://localhost:11028" "SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE"
+    _configure_store_backends "SNAPPY_FORCE_API_URL=http://localhost:$PORT" "SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE"
 
     echo "Wait until fake store is ready"
-    for _ in $(seq 15); do
-        if netstat -ntlp | MATCH "127.0.0.1:11028*.*LISTEN"; then
-            return 0
-        fi
-        sleep 1
-    done
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    if wait_listen_port "$PORT"; then
+        return 0
+    fi
 
     echo "fakestore service not started properly"
-    netstat -ntlp | grep "127.0.0.1:11028" || true
-    journalctl -u fakestore || true
+    ss -ntlp | grep "127.0.0.1:$PORT" || true
+    get_journalctl_log -u fakestore || true
     systemctl status fakestore || true
     exit 1
 }
diff -Nru snapd-2.32.3.2~14.04/tests/lib/strings.sh snapd-2.37~rc1~14.04/tests/lib/strings.sh
--- snapd-2.32.3.2~14.04/tests/lib/strings.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/strings.sh	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 str_to_one_line(){
     echo "$1" | tr '\r\n' ' ' | tr -s ' '
diff -Nru snapd-2.32.3.2~14.04/tests/lib/systemd-escape/main.go snapd-2.37~rc1~14.04/tests/lib/systemd-escape/main.go
--- snapd-2.32.3.2~14.04/tests/lib/systemd-escape/main.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/systemd-escape/main.go	2019-01-16 08:36:51.000000000 +0000
@@ -43,7 +43,7 @@
 	}
 
 	for i, arg := range args[1:] {
-		fmt.Printf(systemd.EscapeUnitNamePath(arg))
+		fmt.Print(systemd.EscapeUnitNamePath(arg))
 		if i < len(args[1:])-1 {
 			fmt.Printf(" ")
 		}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/systemd.sh snapd-2.37~rc1~14.04/tests/lib/systemd.sh
--- snapd-2.32.3.2~14.04/tests/lib/systemd.sh	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/systemd.sh	2019-01-16 08:36:51.000000000 +0000
@@ -2,7 +2,7 @@
 
 # Use like systemd_create_and_start_unit(fakestore, "$(which fakestore) -start -dir $top_dir -addr localhost:11028 $@")
 systemd_create_and_start_unit() {
-    printf "[Unit]\nDescription=For testing purposes\n[Service]\nType=simple\nExecStart=%s\n" "$2" > "/run/systemd/system/$1.service"
+    printf '[Unit]\nDescription=Support for test %s\n[Service]\nType=simple\nExecStart=%s\n' "${SPREAD_JOB:-unknown}" "$2" > "/run/systemd/system/$1.service"
     if [ -n "${3:-}" ]; then
         echo "Environment=$3" >> "/run/systemd/system/$1.service"
     fi
@@ -10,6 +10,31 @@
     systemctl start "$1"
 }
 
+# Create and start a persistent systemd unit that survives reboots. Use as:
+#   systemd_create_and_start_persistent_unit "name" "my-service --args"
+# The third arg supports "overrides" which allow to customize the service
+# as needed, e.g.:
+#   systemd_create_and_start_persistent_unit "name" "start" "[Unit]\nAfter=foo"
+systemd_create_and_start_persistent_unit() {
+    printf '[Unit]\nDescription=Support for test %s\n[Service]\nType=simple\nExecStart=%s\n[Install]\nWantedBy=multi-user.target\n' "${SPREAD_JOB:-unknown}" "$2" > "/etc/systemd/system/$1.service"
+    if [ -n "${3:-}" ]; then
+        mkdir -p "/etc/systemd/system/$1.service.d"
+        # shellcheck disable=SC2059
+        printf "$3" >> "/etc/systemd/system/$1.service.d/override.conf"
+    fi
+    systemctl daemon-reload
+    systemctl enable "$1"
+    systemctl start "$1"
+    wait_for_service "$1"
+}
+
+system_stop_and_remove_persistent_unit() {
+    systemctl stop "$1" || true
+    systemctl disable "$1" || true
+    rm -f "/etc/systemd/system/$1.service"
+    rm -rf "/etc/systemd/system/$1.service.d"
+}
+
 # Use like systemd_stop_and_destroy_unit(fakestore)
 systemd_stop_and_destroy_unit() {
     if systemctl is-active "$1"; then
@@ -36,3 +61,27 @@
     echo "service $service_name did not start"
     exit 1
 }
+
+systemd_stop_units() {
+    for unit in "$@"; do
+        if systemctl is-active "$unit"; then
+            echo "Ensure the service is active before stopping it"
+            retries=20
+            systemctl status "$unit" || true
+            while systemctl status "$unit" | grep "Active: activating"; do
+                if [ $retries -eq 0 ]; then
+                    echo "$unit unit not active"
+                    exit 1
+                fi
+                retries=$(( retries - 1 ))
+                sleep 1
+            done
+
+            systemctl stop "$unit"
+        fi
+    done
+}
+
+systemd_get_active_snapd_units() {
+    systemctl list-units --plain --state=active|grep -Eo '^snapd\..*(socket|service|timer)' || true
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/systems.sh snapd-2.37~rc1~14.04/tests/lib/systems.sh
--- snapd-2.32.3.2~14.04/tests/lib/systems.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/systems.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+is_core_system(){
+    if [[ "$SPREAD_SYSTEM" == ubuntu-core-* ]]; then
+        return 0
+    fi
+    return 1
+}
+
+is_core18_system(){
+    if [[ "$SPREAD_SYSTEM" == ubuntu-core-18-* ]]; then
+        return 0
+    fi
+    return 1
+}
+
+is_classic_system(){
+    if [[ "$SPREAD_SYSTEM" != ubuntu-core-* ]]; then
+        return 0
+    fi
+    return 1
+}
+
+is_ubuntu_14_system(){
+    if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
+        return 0
+    fi
+    return 1
+}
diff -Nru snapd-2.32.3.2~14.04/tests/lib/tinyproxy/tinyproxy.py snapd-2.37~rc1~14.04/tests/lib/tinyproxy/tinyproxy.py
--- snapd-2.32.3.2~14.04/tests/lib/tinyproxy/tinyproxy.py	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/lib/tinyproxy/tinyproxy.py	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,135 @@
+#!/usr/bin/python3
+
+# Tiny HTTP Proxy. Based on the work of SUZUKI Hisao.
+#
+# Ported to py3 and modified to remove the bits we don't need
+# and modernized.
+
+import os
+import http.server
+import select
+import socket
+import socketserver
+import sys
+import urllib.parse
+
+
+class ProxyHandler (http.server.BaseHTTPRequestHandler):
+    server_version = "testsproxy/1.0"
+
+    def log_request(self, m=""):
+        super().log_request(m)
+        sys.stdout.flush()
+        sys.stderr.flush()
+
+    def handle(self):
+        (ip, port) =  self.client_address
+        super().handle()
+
+    def _connect_to(self, netloc, soc):
+        i = netloc.find(':')
+        if i >= 0:
+            host_port = netloc[:i], int(netloc[i+1:])
+        else:
+            host_port = netloc, 80
+        try:
+            soc.connect(host_port)
+        except socket.error as arg:
+            try:
+                msg = arg[1]
+            except:
+                msg = arg
+            self.send_error(404, msg)
+            return False
+        return True
+
+    def do_CONNECT(self):
+        soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        try:
+            if self._connect_to(self.path, soc):
+                self.log_request(200)
+                s = self.protocol_version + " 200 Connection established\r\n"
+                self.wfile.write(s.encode())
+                s = "Proxy-agent: {}\r\n".format(self.version_string())
+                self.wfile.write(s.encode())
+                self.wfile.write("\r\n".encode())
+                self._read_write(soc, 300)
+        finally:
+            soc.close()
+            self.connection.close()
+
+    def do_GET(self):
+        (scm, netloc, path, params, query, fragment) = urllib.parse.urlparse(
+            self.path, 'http')
+        if scm != 'http' or fragment or not netloc:
+            s = "bad url {}".format(self.path)
+            self.send_error(400, s.encode())
+            return
+        soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        try:
+            if self._connect_to(netloc, soc):
+                self.log_request()
+                s = "{} {} {}\r\n".format(
+                    self.command,
+                    urllib.parse.urlunparse(('', '', path, params, query, '')),
+                    self.request_version)
+                soc.send(s.encode())
+                self.headers['Connection'] = 'close'
+                del self.headers['Proxy-Connection']
+                for key, val in self.headers.items():
+                    s = "{}: {}\r\n".format(key, val)
+                    soc.send(s.encode())
+                soc.send("\r\n".encode())
+                self._read_write(soc)
+        finally:
+            soc.close()
+            self.connection.close()
+
+    def _read_write(self, soc, max_idling=20):
+        iw = [self.connection, soc]
+        ow = []
+        count = 0
+        while True:
+            count += 1
+            (ins, _, exs) = select.select(iw, ow, iw, 3)
+            if exs:
+                break
+            if ins:
+                for i in ins:
+                    if i is soc:
+                        out = self.connection
+                    else:
+                        out = soc
+                    data = i.recv(8192)
+                    if data:
+                        out.send(data)
+                        count = 0
+            if count == max_idling:
+                break
+
+    do_HEAD = do_GET
+    do_POST = do_GET
+    do_PUT  = do_GET
+    do_DELETE=do_GET
+
+
+def maybe_sd_notify(s: str) -> None:
+    addr = os.getenv('NOTIFY_SOCKET')
+    if not addr:
+        return
+    soc = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+    soc.connect(addr)
+    soc.sendall(s.encode())
+
+
+class ThreadingHTTPServer (socketserver.ThreadingMixIn,
+                           http.server.HTTPServer):
+    def __init__(self, *args):
+        super().__init__(*args)
+        maybe_sd_notify("READY=1")
+
+
+if __name__ == '__main__':
+    port=3128
+    print("starting tinyproxy on port {}".format(port))
+    http.server.test(ProxyHandler, ThreadingHTTPServer, port=port)
diff -Nru snapd-2.32.3.2~14.04/tests/main/abort/task.yaml snapd-2.37~rc1~14.04/tests/main/abort/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/abort/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/abort/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,6 +4,7 @@
     SNAP_NAME: test-snapd-tools
 
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     echo "Abort with invalid id"
@@ -12,17 +13,16 @@
         exit 1
     fi
 
-    echo "===================================="
-
     echo "Abort with valid id - error"
     subdirPath="$SNAP_MOUNT_DIR/$SNAP_NAME/current/foo"
     mkdir -p "$subdirPath"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     if install_local "$SNAP_NAME"; then
         echo "install should fail when the target directory exists"
         exit 1
     fi
-    idPattern="\d+(?= +Error.*?Install \"$SNAP_NAME\" snap)"
+    idPattern="\\d+(?= +Error.*?Install \"$SNAP_NAME\" snap)"
     id=$(snap changes | grep -Pzo "$idPattern")
     if snap abort "$id"; then
         echo "abort with valid failed id should fail"
@@ -30,11 +30,9 @@
     fi
     rm -rf "$subdirPath"
 
-    echo "===================================="
-
     echo "Abort with valid id - done"
     install_local "$SNAP_NAME"
-    idPattern="\d+(?= +Done.*?Install \"$SNAP_NAME\" snap)"
+    idPattern="\\d+(?= +Done.*?Install \"$SNAP_NAME\" snap)"
     id=$(snap changes | grep -Pzo "$idPattern")
     if snap abort "$id"; then
         echo "abort with valid done id should fail"
diff -Nru snapd-2.32.3.2~14.04/tests/main/ack/task.yaml snapd-2.37~rc1~14.04/tests/main/ack/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ack/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ack/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Check snap ack
-systems: [-ubuntu-core-16-arm-*]
+
+systems: [-ubuntu-core-*-arm-*]
+
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
diff -Nru snapd-2.32.3.2~14.04/tests/main/alias/task.yaml snapd-2.37~rc1~14.04/tests/main/alias/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/alias/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/alias/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,12 @@
 summary: Check snap alias and snap unalias
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local aliases
 
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     echo "Sanity check"
diff -Nru snapd-2.32.3.2~14.04/tests/main/appstream-id/task.yaml snapd-2.37~rc1~14.04/tests/main/appstream-id/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/appstream-id/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/appstream-id/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,28 @@
+summary: Verify AppStream ID integration
+
+# fedora-*, amazon-*, centos-*: use nmap netcat by default (https://nmap.org/ncat/)
+systems: [-fedora-*, -amazon-*, -centos-*]
+
+prepare: |
+    snap install jq
+
+execute: |
+    echo "Verify that search results contain common-ids"
+    printf 'GET /v2/find?name=test-snapd-appstreamid HTTP/1.0\r\n\r\n' | \
+        nc -U -q 1 /run/snapd.socket| grep '{'| \
+        jq -r ' .result[0]["common-ids"] | sort | join (",")' | \
+        MATCH 'io.snapcraft.test-snapd-appstreamid.bar,io.snapcraft.test-snapd-appstreamid.foo'
+
+    snap install --edge test-snapd-appstreamid
+
+    echo "Verify that installed snap info contains common-ids"
+    printf 'GET /v2/snaps/test-snapd-appstreamid HTTP/1.0\r\n\r\n' | \
+        nc -U -q 1 /run/snapd.socket| grep '{'| \
+        jq -r ' .result["common-ids"] | sort | join(",")' | \
+        MATCH 'io.snapcraft.test-snapd-appstreamid.bar,io.snapcraft.test-snapd-appstreamid.foo'
+
+    echo "Verify that apps have their common-id set"
+    printf 'GET /v2/apps?names=test-snapd-appstreamid HTTP/1.0\r\n\r\n' | \
+        nc -U -q 1 /run/snapd.socket| grep '{'| \
+        jq -r ' .result | sort_by(.name) | [.[]."common-id"] | join(",")' | \
+        MATCH 'io.snapcraft.test-snapd-appstreamid.bar,,io.snapcraft.test-snapd-appstreamid.foo'
diff -Nru snapd-2.32.3.2~14.04/tests/main/apt-hooks/task.yaml snapd-2.37~rc1~14.04/tests/main/apt-hooks/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/apt-hooks/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/apt-hooks/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,47 @@
+summary: Ensure apt hooks work
+
+# apt hook only available on 18.04+ and aws-cli only for amd64
+systems: [ubuntu-18.04-64, ubuntu-18.10-64]
+
+restore: |
+    rm -f expected out apt.stderr
+
+debug: |
+    ls -lh /var/cache/snapd
+    # low tech dump of db
+    strings /var/cache/snapd/commands.db | sed  -e 's#"}\(]\)\?#"}\1\n#g'
+    
+execute: |
+    echo "Ensure we have a snap catalog in our cache"
+    while ! test -s /var/cache/snapd/commands.db; do
+        sleep 1
+    done
+
+    echo "Creating expected file"
+    cat > expected <<EOF
+
+    WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
+    
+    No apt package "aws-cli", but there is a snap with that name.
+    Try "snap install aws-cli"
+    
+    E: Unable to locate package aws-cli
+    EOF
+
+    echo "Checking apt hook"
+    if apt install -qq aws-cli > out 2>&1; then
+        res=$?
+        echo "apt should return a non-zero exit code but it returned $res"
+        exit 1
+    fi
+
+    echo "Verify the result"
+    diff -uB out expected
+
+    echo "Ensure that apt install does not show any errors from the hook"
+    apt install -o Apt::Cmd::Disable-Script-Warning=true -qq -s petname 2>apt.stderr
+    if [ "$(cat apt.stderr)" != "" ]; then
+        echo "Errors when doing an apt install"
+        cat apt.stderr
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/auth-errors/task.yaml snapd-2.37~rc1~14.04/tests/main/auth-errors/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/auth-errors/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/auth-errors/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,17 +1,18 @@
 summary: Check that the authentication errors are properly reported.
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 prepare: |
     mkdir -p /home/test/.snap
     echo -n "{\"macaroon\":\"yummy\",\"discharges\":[ \"some \"]}" > /home/test/.snap/auth.json
+    chown -R test:test /home/test/.snap
 
 restore: |
     rm -rf /home/test/.snap install.output connect.output
 
 execute: |
     echo "An unauthenticated user cannot install snaps"
-    if su - -c "snap install test-snapd-tools 2>${PWD}/install.output" test; then
+    if su - -c "snap install test-snapd-tools" test 2>"${PWD}/install.output" ; then
         echo "Expected error installing snap from unauthenticated account"
         exit 1
     fi
@@ -19,7 +20,7 @@
     [ "$(cat install.output)" = "$expected" ]
 
     echo "An unauthenticated user cannot connect plugs to slots"
-    if su - -c "snap connect foo:bar baz:fromp 2>${PWD}/connect.output" test; then
+    if su - -c "snap connect foo:bar baz:fromp" test 2>"${PWD}/connect.output" ; then
         echo "Expected error connecting plugs to slots from unauthenticated account"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/auto-aliases/task.yaml snapd-2.37~rc1~14.04/tests/main/auto-aliases/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/auto-aliases/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/auto-aliases/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Check auto-aliases mechanism
+
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     echo "Install the snap with auto-aliases"
diff -Nru snapd-2.32.3.2~14.04/tests/main/auto-refresh/task.yaml snapd-2.37~rc1~14.04/tests/main/auto-refresh/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/auto-refresh/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/auto-refresh/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,20 +1,41 @@
 summary: Check that auto-refresh works
 
+# FIXME: core18 right now does not have a canonical model. This means
+# that it will not get a serial. We code in devicestate.go that will only
+# try to auto-refresh after the systems has tried at least 3 times to get
+# a serial. But this means this test will timeout because the first retry
+# for the serial happens after 5min, then 10min, then 20min.
+systems: [-ubuntu-core-18-*]
+
+environment:
+    SNAP_NAME/regular: test-snapd-tools
+    SNAP_NAME/parallel: test-snapd-tools_instance
+
 prepare: |
     snap install --devmode jq
+    if [[ "$SPREAD_VARIANT" =~ parallel ]]; then
+        snap set system experimental.parallel-instances=true
+    fi
 
 restore: |
-    . "$TESTSLIB/dirs.sh"
+    if [[ "$SPREAD_VARIANT" =~ parallel ]]; then
+        snap set system experimental.parallel-instances=null
+    fi
 
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB/systems.sh"
+
     echo "Auto refresh information is shown"
     output=$(snap refresh --time)
     for expected in ^schedule: ^last: ^next:; do
         echo "$output" | MATCH "$expected"
     done
-    if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+
+    if is_core_system; then
         # no holding
         ! echo "$output" | MATCH "^hold:"
     else
@@ -23,14 +44,14 @@
     fi
 
     echo "Install a snap from stable"
-    snap install test-snapd-tools
-    snap list | MATCH 'test-snapd-tools +[0-9]+\.[0-9]+'
+    snap install "$SNAP_NAME"
+    snap list | MATCH "$SNAP_NAME +[0-9]+\\.[0-9]+"
 
     snap set core refresh.schedule="0:00-23:59"
     systemctl stop snapd.{service,socket}
 
     echo "Modify the snap to track the edge channel"
-    jq '.data.snaps["test-snapd-tools"].channel = "edge"' /var/lib/snapd/state.json > /var/lib/snapd/state.json.new
+    jq ".data.snaps[\"$SNAP_NAME\"].channel = \"edge\"" /var/lib/snapd/state.json > /var/lib/snapd/state.json.new
     mv /var/lib/snapd/state.json.new /var/lib/snapd/state.json
 
     echo "And force auto-refresh to happen"
@@ -41,7 +62,7 @@
 
     echo "wait for auto-refresh to happen"
     for _ in $(seq 120); do
-        if snap changes|grep -q "Done.*Auto-refresh snap \"test-snapd-tools\""; then
+        if snap changes|grep -q "Done.*Auto-refresh snap \"$SNAP_NAME\""; then
             break
         fi
         echo "Ensure refresh"
@@ -50,9 +71,10 @@
     done
 
     echo "Ensure our snap got updated"
-    snap list|MATCH "test-snapd-tools +[0-9]+\.[0-9]+\+fake1"
+    snap list|MATCH "$SNAP_NAME +[0-9]+\\.[0-9]+\\+fake1"
 
     echo "Ensure refresh.last is set"
     jq ".data[\"last-refresh\"]" /var/lib/snapd/state.json | MATCH "$(date +%Y)"
+
     echo "No refresh hold at this point"
     ! snap refresh --time| MATCH "^hold:"
diff -Nru snapd-2.32.3.2~14.04/tests/main/auto-refresh-private/task.yaml snapd-2.37~rc1~14.04/tests/main/auto-refresh-private/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/auto-refresh-private/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/auto-refresh-private/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Check that auto-refresh works with private snaps.
 
 # we don't have expect available on ubuntu-core, so the authenticated check need to be skipped on those systems
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 details: |
     These tests rely on the existence of a snap in the remote store set to private.
@@ -20,7 +20,7 @@
     fi
 
     echo "And the user has logged in"
-    expect -f $TESTSLIB/successful_login.exp
+    expect -f "$TESTSLIB"/successful_login.exp
 
     echo "Install a private snap together with a public snap"
     snap install test-snapd-private test-snapd-public
@@ -28,8 +28,8 @@
     echo "Switch both to edge"
     snap switch --edge test-snapd-private
     snap switch --edge test-snapd-public
-    snap list|MATCH "test-snapd-private +1\.0.*private"
-    snap list|MATCH "test-snapd-public +1\.0"
+    snap list|MATCH 'test-snapd-private +1\.0.*private'
+    snap list|MATCH 'test-snapd-public +1\.0'
 
     echo "Force auto-refresh to happen"
     snap set core refresh.schedule="0:00-23:59"
@@ -52,18 +52,20 @@
     done
 
     echo "Check they were both refreshed"
-    snap list|MATCH "test-snapd-public +2\.0"
-    snap list|MATCH "test-snapd-private +2\.0.*private"
+    snap list|MATCH 'test-snapd-public +2\.0'
+    snap list|MATCH 'test-snapd-private +2\.0.*private'
 
     if [ -z "$SPREAD_STORE_EXPIRED_MACAROON" ] || [  -z "$SPREAD_STORE_EXPIRED_DISCHARGE" ]; then
         if [[ "$SPREAD_STORE_USER" =~ .*dummydev.* ]] ; then
             # we should have hard-coded ones for this user
+            #shellcheck source=tests/main/auto-refresh-private/expired_macaroons.sh
             . expired_macaroons.sh
         else
             exit 0
         fi
     fi
 
+    #shellcheck source=tests/lib/changes.sh
     . "$TESTSLIB/changes.sh"
     AUTO_REFRESH_ID=$(change_id "Auto-refresh.*test-snapd-public.*" Done)
 
@@ -74,11 +76,10 @@
     echo "Switch both to edge"
     snap switch --edge test-snapd-private
     snap switch --edge test-snapd-public
-    snap list|MATCH "test-snapd-private +1\.0.*private"
-    snap list|MATCH "test-snapd-public +1\.0"
+    snap list|MATCH 'test-snapd-private +1\.0.*private'
+    snap list|MATCH 'test-snapd-public +1\.0'
 
     echo "Force auto-refresh to happen with expired creds"
-
     M="$SPREAD_STORE_EXPIRED_MACAROON"
     D="$SPREAD_STORE_EXPIRED_DISCHARGE"
 
@@ -103,8 +104,8 @@
     done
 
     echo "Check exactly test-snapd-public was refreshed"
-    snap list|MATCH "test-snapd-public +2\.0"
-    snap list|MATCH "test-snapd-private +1\.0.*private"
+    snap list|MATCH 'test-snapd-public +2\.0'
+    snap list|MATCH 'test-snapd-private +1\.0.*private'
 
     # sanity check there is no access
     snap find --private test-snapd-private 2>&1|MATCH 'No matching snaps for "test-snapd-private"'
diff -Nru snapd-2.32.3.2~14.04/tests/main/base-snaps/task.yaml snapd-2.37~rc1~14.04/tests/main/base-snaps/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/base-snaps/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/base-snaps/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,18 +1,18 @@
 summary: Check that base snaps work
+
 systems: [-opensuse-*]
 
 execute: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     echo "Ensure a snap that requires a unavailable base snap can not be installed"
-    snap pack $TESTSLIB/snaps/test-snapd-requires-base
     if install_local test-snapd-requires-base; then
         echo "ERROR: test-snapd-requires-base should not be installable without test-snapd-base"
         exit 1
     fi
 
     echo "Ensure a base snap can be installed"
-    snap pack $TESTSLIB/snaps/test-snapd-base
     install_local test-snapd-base
     snap list | MATCH test-snapd-base
 
@@ -21,7 +21,6 @@
     snap list | MATCH test-snapd-requires-base
 
     echo "Ensure the bare base works"
-
     if [ "$(uname -m)" != "x86_64" ]; then
         echo "This test can only run on amd64 right now because snapcraft "
         echo "cannot current generate binaries without wrapper scripts."
@@ -34,8 +33,12 @@
     echo "Ensure we can run a statically linked binary from an empty base"
     test-snapd-busybox-static.busybox-static echo hello | MATCH hello
 
+    echo "Ensure the test-snapd-base-bare that test-snapd-busybox-static uses got pulled in"
+    snap list | grep test-snapd-base-bare
+    snap info --verbose test-snapd-busybox-static|MATCH "base:[ ]+test-snapd-base-bare"
+
     if test-snapd-busybox-static.busybox-static ls /bin/dd; then
         echo "bare should be empty but it is not:"
         test-snapd-busybox-static.busybox-static ls /bin
         exit 1
-    fi
\ No newline at end of file
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/base-snaps-refresh/task.yaml snapd-2.37~rc1~14.04/tests/main/base-snaps-refresh/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/base-snaps-refresh/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/base-snaps-refresh/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,23 @@
+summary: Check that refreshes that require new base snaps work
+
+systems: [-opensuse-*]
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    echo "Install a snap that requires no base snap"
+    cp -a "$TESTSLIB"/snaps/test-snapd-requires-base-bare .
+    sed -i '/^base:/d' test-snapd-requires-base-bare/meta/snap.yaml
+    snap pack test-snapd-requires-base-bare
+    snap install --dangerous test-snapd-requires-base-bare_1.0_all.snap
+    if snap list | grep test-snapd-base-bare; then
+        echo "ERROR: test-snapd-base-bare got pulled in"
+        exit 1
+    fi
+
+    echo "Now refresh to the version in the store that has a base"
+    snap refresh --edge --amend test-snapd-requires-base-bare
+
+    echo "And ensure the base got pulled in"
+    snap list | grep test-snapd-base-bare
diff -Nru snapd-2.32.3.2~14.04/tests/main/canonical-livepatch/task.yaml snapd-2.37~rc1~14.04/tests/main/canonical-livepatch/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/canonical-livepatch/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/canonical-livepatch/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -8,7 +8,7 @@
     snap install canonical-livepatch
 
     echo "Wait for it to respond"
-    for i in $(seq 30); do
+    for _ in $(seq 30); do
         if canonical-livepatch status > /dev/null 2>&1 ; then
             break
         fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/catalog-update/task.yaml snapd-2.37~rc1~14.04/tests/main/catalog-update/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/catalog-update/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/catalog-update/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,17 +1,33 @@
 summary: Ensure catalog update works
 
+prepare: |
+    echo "Remove cached catalog files from disk"
+    rm -f /var/cache/snapd/names
+    rm -f /var/cache/snapd/sections
+
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
+    echo "We count how many catalog refreshes are logged before starting snapd"
+    refreshes_before="$(get_journalctl_log -u snapd | grep -c 'Catalog refresh' || true)"
+
+    systemctl restart snapd.{socket,service}
+
     echo "Ensure that catalog refresh happens on startup"
-    for i in $(seq 60); do
-        if journalctl -u snapd | MATCH "Catalog refresh"; then
+    for _ in $(seq 60); do
+        refreshes_after="$(get_journalctl_log -u snapd | grep -c 'Catalog refresh' || true)"
+        if [ "$refreshes_after" -gt "$refreshes_before" ]; then
             break
         fi
         sleep 1
     done
-    journalctl -u snapd | MATCH "Catalog refresh"
+
+    echo "Ensure the current number of refreshes is greater than before restarting snapd"
+    [ "$refreshes_after" -gt "$refreshes_before" ]
 
     echo "Ensure that we don't log all catalog body data"
-    if journalctl -u snapd | MATCH "Tools for testing the snapd application"; then
+    if get_journalctl_log -u snapd | MATCH "Tools for testing the snapd application"; then
         echo "Catalog update is doing verbose http logging (it should not)."
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/cgroup-freezer/task.yaml snapd-2.37~rc1~14.04/tests/main/cgroup-freezer/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/cgroup-freezer/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/cgroup-freezer/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,42 +1,49 @@
 summary: Each snap process is moved to appropriate freezer cgroup
+
 details: |
     This test creates a snap process that suspends itself and ensures that it
     placed into the appropriate hierarchy under the freezer cgroup.
+
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-sh
+
+restore: |
+    rmdir /sys/fs/cgroup/freezer/snap.test-snapd-sh || true
+
 execute: |
     # Start a "sleep" process in the background
+    #shellcheck disable=SC2016
     test-snapd-sh -c 'touch $SNAP_DATA/1.stamp && exec sleep 1h' &
     pid1=$!
     # Ensure that snap-confine has finished its task and that the snap process
     # is active. Note that we don't want to wait forever either.
-    for i in $(seq 30); do
+    for _ in $(seq 30); do
         test -e /var/snap/test-snapd-sh/current/1.stamp && break
         sleep 0.1
     done
     # While the process is alive its PID can be seen in the tasks file of the
     # control group.
-    cat /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks | MATCH "$pid1"
+    MATCH "$pid1" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks
 
     # Start a second process so that we can check adding tasks to an existing
     # control group.
+    #shellcheck disable=SC2016
     test-snapd-sh -c 'touch $SNAP_DATA/2.stamp && exec sleep 1h' &
     pid2=$!
-    for i in $(seq 30); do
+    for _ in $(seq 30); do
         test -e /var/snap/test-snapd-sh/current/2.stamp && break
         sleep 0.1
     done
-    cat /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks | MATCH "$pid2"
+    MATCH "$pid2" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks
 
     # When the process terminates the control group is updated and the task no
     # longer registers there.
     kill "$pid1"
-    wait -n || true  # wait returns the exit code and we kill the process
-    cat /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks | MATCH -v "$pid1"
+    wait "$pid1" || true  # wait returns the exit code and we kill the process
+    MATCH -v "$pid1" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks
 
     kill "$pid2"
-    wait -n || true  # same as above
-    cat /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks | MATCH -v "$pid2"
-restore: |
-    rmdir /sys/fs/cgroup/freezer/snap.test-snapd-sh || true
+    wait "$pid2" || true  # same as above
+    MATCH -v "$pid2" < /sys/fs/cgroup/freezer/snap.test-snapd-sh/tasks
diff -Nru snapd-2.32.3.2~14.04/tests/main/chattr/task.yaml snapd-2.37~rc1~14.04/tests/main/chattr/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/chattr/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/chattr/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,16 @@
 summary: test chattr
+
 # ubuntu-core doesn't have go :-)
 # ppc64el disabled because of https://github.com/snapcore/snapd/issues/2503
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el]
+
 prepare: |
   go build -o toggle ./toggle.go
+
+restore: |
+    rm -f foo
+    rm -f toggle
+
 execute: |
   touch foo
   # no immutable flag:
@@ -14,6 +21,3 @@
   test "$(./toggle foo)" = "immutable -> mutable"
   # no immutable flag again:
   lsattr foo | MATCH -v i
-restore: |
-    rm -f foo
-    rm -f toggle
diff -Nru snapd-2.32.3.2~14.04/tests/main/classic-confinement/task.yaml snapd-2.37~rc1~14.04/tests/main/classic-confinement/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/classic-confinement/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/classic-confinement/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -7,16 +7,27 @@
 systems: [-ubuntu-core-*]
 
 prepare: |
-    . $TESTSLIB/snaps.sh
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     snap pack "$TESTSLIB/snaps/$CLASSIC_SNAP/"
 
-    if [[ "$SPREAD_SYSTEM" == fedora-* ]]; then
-        # although classic snaps do not work out of the box on fedora,
-        # we still want to verify if the basics do work if the user
-        # symlinks /snap to $SNAP_MOUNT_DIR themselves
-        ln -sf $SNAP_MOUNT_DIR /snap
-    fi
+    case "$SPREAD_SYSTEM" in
+        fedora-*|arch-*|centos-*)
+            # although classic snaps do not work out of the box on fedora,
+            # we still want to verify if the basics do work if the user
+            # symlinks /snap to $SNAP_MOUNT_DIR themselves
+            ln -sf $SNAP_MOUNT_DIR /snap
+            ;;
+    esac
+
+restore: |
+    case "$SPREAD_SYSTEM" in
+        fedora-*|arch-*|centos-*)
+            rm -f /snap
+            ;;
+    esac
 
 execute: |
     echo "Check that classic snaps work only with --classic"
@@ -48,7 +59,7 @@
     snap info "$CLASSIC_SNAP"|MATCH "installed:.* 2.0 .*classic"
     "$CLASSIC_SNAP" | MATCH lala
 
-restore: |
-    if [[ "$SPREAD_SYSTEM" == fedora-* ]]; then
-        rm -f /snap
+    if [[ "$SPREAD_SYSTEM" == ubuntu-* ]]; then
+        echo "Verify we get 'change_profile unsafe' for classic confinement"
+        MATCH "change_profile unsafe" < /var/lib/snapd/apparmor/profiles/snap.test-snapd-classic-confinement.test-snapd-classic-confinement
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/classic-confinement-not-supported/task.yaml snapd-2.37~rc1~14.04/tests/main/classic-confinement-not-supported/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/classic-confinement-not-supported/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/classic-confinement-not-supported/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,14 +3,16 @@
 environment:
     CLASSIC_SNAP: test-snapd-classic-confinement
 
-systems: [ubuntu-core-*, fedora-*]
+systems: [ubuntu-core-16-*, fedora-*]
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     snap pack "$TESTSLIB/snaps/$CLASSIC_SNAP/"
 
 execute: |
-    . $TESTSLIB/strings.sh
+    #shellcheck source=tests/lib/strings.sh
+    . "$TESTSLIB"/strings.sh
 
     echo "Check that classic snaps work only with --classic"
     if snap install --dangerous "${CLASSIC_SNAP}_1.0_all.snap"; then
@@ -18,21 +20,20 @@
         exit 1
     fi
 
-    if snap install $CLASSIC_SNAP; then
+    if snap install "$CLASSIC_SNAP"; then
         echo "snap install needs --classic to install remote snaps with classic confinment"
         exit 1
     fi
 
     echo "Check that the classic snap is not installable even with --classic"
-    EXPECTED_TEXT="cannot install snap file: classic confinement is only supported on classic systems"
+    EXPECTED_TEXT="snap \"$CLASSIC_SNAP\" requires classic confinement which is only available on classic systems"
     if [[ "$SPREAD_SYSTEM" = fedora-* ]]; then
         EXPECTED_TEXT="classic confinement requires snaps under /snap or symlink from /snap to /var/lib/snapd/snap"
     fi
-    str_to_one_line "$( snap install --dangerous --classic "${CLASSIC_SNAP}_1.0_all.snap" 2>&1 && exit 1 || true )" | MATCH "$EXPECTED_TEXT"
+    str_to_one_line "$( snap install --dangerous --classic "${CLASSIC_SNAP}_1.0_all.snap" 2>&1 )" | MATCH "$EXPECTED_TEXT"
 
     echo "Not from the store either"
-    EXPECTED_TEXT="snap \"$CLASSIC_SNAP\" requires classic confinement which is only available on classic systems"
     if [[ "$SPREAD_SYSTEM" = fedora-* ]]; then
         EXPECTED_TEXT="cannot install \"$CLASSIC_SNAP\": classic confinement requires snaps under /snap or symlink from /snap to /var/lib/snapd/snap"
     fi
-    str_to_one_line "$( snap install --classic "$CLASSIC_SNAP" 2>&1 && exit 1 || true )" | MATCH "$EXPECTED_TEXT"
+    str_to_one_line "$( snap install --classic "$CLASSIC_SNAP" 2>&1 )" | MATCH "$EXPECTED_TEXT"
diff -Nru snapd-2.32.3.2~14.04/tests/main/classic-custom-device-reg/task.yaml snapd-2.37~rc1~14.04/tests/main/classic-custom-device-reg/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/classic-custom-device-reg/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/classic-custom-device-reg/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,19 @@
 summary: |
    Test gadget customized device initialisation and registration also on classic
-systems: [-ubuntu-core-16-*]
+
+systems: [-ubuntu-core-*]
+
 environment:
     SEED_DIR: /var/lib/snapd/seed
+
+kill-timeout: 3m
+
 prepare: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
 
     snap pack "$TESTSLIB/snaps/classic-gadget"
@@ -36,12 +42,14 @@
     cp ./core_*.snap "$SEED_DIR/snaps/core.snap"
     cp ./classic-gadget_1.0_all.snap "$SEED_DIR/snaps/classic-gadget.snap"
     # start fake device svc
-    systemd_create_and_start_unit fakedevicesvc "$(which fakedevicesvc) localhost:11029"
+    systemd_create_and_start_unit fakedevicesvc "$(command -v fakedevicesvc) localhost:11029"
+
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
     systemctl stop snapd.service snapd.socket
     systemd_stop_and_destroy_unit fakedevicesvc
@@ -50,7 +58,7 @@
     rm -f -- *.snap
     rm -f -- *.assert
     systemctl start snapd.socket snapd.service
-kill-timeout: 3m
+
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
diff -Nru snapd-2.32.3.2~14.04/tests/main/classic-firstboot/task.yaml snapd-2.37~rc1~14.04/tests/main/classic-firstboot/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/classic-firstboot/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/classic-firstboot/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,10 @@
 summary: Check that firstboot assertions are imported and snaps installed also on classic
-systems: [-ubuntu-core-16-*]
+
+systems: [-ubuntu-core-*]
+
 environment:
     SEED_DIR: /var/lib/snapd/seed
+
 prepare: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
@@ -33,6 +36,7 @@
     echo "Copy the needed snaps to $SEED_DIR/snaps"
     cp ./core_*.snap "$SEED_DIR/snaps/core.snap"
     cp ./basic_1.0_all.snap "$SEED_DIR/snaps/basic.snap"
+
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
@@ -43,6 +47,7 @@
     rm -f -- *.snap
     rm -f -- *.assert
     systemctl start snapd.socket snapd.service
+
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
@@ -52,7 +57,7 @@
     echo "Start the daemon with an empty state, this will make it import "
     echo "assertions from the $SEED_DIR/assertions subdirectory and "
     echo "install the seed snaps."
-    systemctl start snapd.socket snapd.service
+    systemctl start snapd.seeded.service
 
     echo "Wait for Seed change to be finished"
     for _ in $(seq 120); do
@@ -62,6 +67,9 @@
         sleep 1
     done
 
+    echo "Ensure snapd.seeded.service is active"
+    systemctl status snapd.seeded.service
+
     echo "Verifying the imported assertions"
     if ! snap known model | MATCH "model: my-classic" ; then
         echo "Model assertion was not imported on firstboot"
diff -Nru snapd-2.32.3.2~14.04/tests/main/classic-ubuntu-core-transition/task.yaml snapd-2.37~rc1~14.04/tests/main/classic-ubuntu-core-transition/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/classic-ubuntu-core-transition/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/classic-ubuntu-core-transition/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,10 @@
 summary: Ensure that the ubuntu-core -> core transition works
 
-# we never test on core because the transition can only happen on "classic"
-# we disable on ppc64el because the downloads are very slow there
-# Both Fedora and openSUSE are disabled at the moment as there is something
-# fishy going on and the snapd service gets terminated during the process.
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -ubuntu-*-i386]
+# we never test on core because the transition can only happen on "classic" we
+# disable on ppc64el because the downloads are very slow there Fedora, openSUSE,
+# Arch, CentOS are disabled at the moment as there is something fishy going on
+# and the snapd service gets terminated during the process.
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -ubuntu-*-i386, -arch-*, -amazon-*, -centos-*]
 
 # autopkgtest run only a subset of tests that deals with the integration
 # with the distro
@@ -21,27 +21,35 @@
     snap info core || true
     snap info ubuntu-core || true
     snap changes
+    #shellcheck source=tests/lib/changes.sh
     . "$TESTSLIB/changes.sh"
     snap change "$(change_id 'Transition ubuntu-core to core')" || true
+
 execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     curl() {
         local url="$1"
         # sadly systemd active means not that its really ready so we wait
         # here for the socket to be available
-        while ! netstat -t -l -n|grep :80; do
-            netstat -l -l -n
+        while ! ss -t -l -n|grep :80; do
+            ss -l -l -n
             sleep 1
         done
         python3 -c "import urllib.request; print(urllib.request.urlopen(\"$url\").read().decode(\"utf-8\"))"
     }
 
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
     echo "Ensure core is gone and we have ubuntu-core instead"
     distro_purge_package snapd
     distro_install_build_snapd
 
+    # need to be seeded to allow snap install
+    snap wait system seed.loaded
+
     # modify daemon state to set ubuntu-core-transition-last-retry-time to the
     # current time to prevent the ubuntu-core transition before the test snap is
     # installed
@@ -56,8 +64,8 @@
     snap install ./ubuntu-core_*.snap
 
     snap install test-snapd-python-webserver
-    snap interfaces | MATCH ":network +test-snapd-python-webserver"
-    snap interfaces | MATCH ":network-bind +.*test-snapd-python-webserver"
+    snap interfaces -i network | MATCH ":network +test-snapd-python-webserver"
+    snap interfaces -i network-bind | MATCH ":network-bind +.*test-snapd-python-webserver"
 
     echo "Ensure the webserver is working"
     wait_for_service snap.test-snapd-python-webserver.test-snapd-python-webserver
@@ -103,8 +111,8 @@
         echo "ubuntu-core still installed, transition failed"
         exit 1
     fi
-    snap interfaces | MATCH ":network +test-snapd-python-webserver"
-    snap interfaces | MATCH ":network-bind +.*test-snapd-python-webserver"
+    snap interfaces -i network | MATCH ":network +test-snapd-python-webserver"
+    snap interfaces -i network-bind | MATCH ":network-bind +.*test-snapd-python-webserver"
     echo "Ensure the webserver is still working"
     wait_for_service snap.test-snapd-python-webserver.test-snapd-python-webserver
     curl http://localhost | MATCH "XKCD rocks"
@@ -114,9 +122,6 @@
     echo "Ensure the webserver is working after a snap restart"
     curl http://localhost | MATCH "XKCD rocks"
 
-    echo "Ensure interfaces are connected"
-    snap interfaces | MATCH ":core-support.*core:core-support-plug"
-
     echo "Ensure snap set core works"
     snap set core system.power-key-action=ignore
     if [ "$(snap get core system.power-key-action)" != "ignore" ]; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/classic-ubuntu-core-transition-auth/task.yaml snapd-2.37~rc1~14.04/tests/main/classic-ubuntu-core-transition-auth/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/classic-ubuntu-core-transition-auth/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/classic-ubuntu-core-transition-auth/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,27 +2,35 @@
 
 # we never test on core because the transition can only happen on "classic"
 # we disable on ppc64el because the downloads are very slow there
-# Both Fedora and openSUSE are disabled at the moment as there is something
+# Fedora, openSUSE and Arch are disabled at the moment as there is something
 # fishy going on and the snapd service gets terminated during the process.
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -arch-*]
 
 # autopkgtest run only a subset of tests that deals with the integration
 # with the distro
 backends: [-autopkgtest]
 
 warn-timeout: 1m
+
 kill-timeout: 5m
+
 debug: |
     snap changes
+    #shellcheck source=tests/lib/changes.sh
     . "$TESTSLIB/changes.sh"
     snap change "$(change_id 'Transition ubuntu-core to core')" || true
+
 execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
     echo "Ensure core is gone and we have ubuntu-core instead"
     distro_purge_package snapd
     distro_install_build_snapd
 
-    snap download --${CORE_CHANNEL} ubuntu-core
+    # need to be seeded to allow snap install
+    snap wait system seed.loaded
+
+    snap download "--${CORE_CHANNEL}" ubuntu-core
     snap ack ./ubuntu-core_*.assert
     snap install ./ubuntu-core_*.snap
 
@@ -66,6 +74,3 @@
         echo "ubuntu-core still installed, transition failed"
         exit 1
     fi
-
-    echo "Ensure interfaces are connected"
-    snap interfaces | MATCH ":core-support.*core:core-support-plug"
diff -Nru snapd-2.32.3.2~14.04/tests/main/classic-ubuntu-core-transition-two-cores/task.yaml snapd-2.37~rc1~14.04/tests/main/classic-ubuntu-core-transition-two-cores/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/classic-ubuntu-core-transition-two-cores/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/classic-ubuntu-core-transition-two-cores/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,36 +2,41 @@
 
 # we never test on core because the transition can only happen on "classic"
 # we disable on ppc64el because the downloads are very slow there
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el]
 
 # autopkgtest run only a subset of tests that deals with the integration
 # with the distro
 backends: [-autopkgtest]
 
 warn-timeout: 1m
+
 kill-timeout: 5m
+
 debug: |
     snap changes
-    . $TESTSLIB/changes.sh
+    #shellcheck source=tests/lib/changes.sh
+    . "$TESTSLIB"/changes.sh
     snap change "$(change_id 'Transition ubuntu-core to core')" || true
+
 execute: |
     echo "install a snap"
     snap install test-snapd-python-webserver
-    snap interfaces |MATCH ":network.*test-snapd-python-webserver"
+    snap interfaces -i network | MATCH ":network.*test-snapd-python-webserver"
 
+    #shellcheck source=tests/lib/names.sh
     . "$TESTSLIB/names.sh"
     cp /var/lib/snapd/state.json /var/lib/snapd/state.json.old
-    cat /var/lib/snapd/state.json.old |jq -r '.data.snaps["core"].type="xxx"' > /var/lib/snapd/state.json
+    jq -r '.data.snaps["core"].type="xxx"' < /var/lib/snapd/state.json.old > /var/lib/snapd/state.json
 
     systemctl stop snapd.service snapd.socket
     systemctl start snapd.service snapd.socket
 
-    snap download --${CORE_CHANNEL} ubuntu-core
+    snap download "--${CORE_CHANNEL}" ubuntu-core
     snap ack ./ubuntu-core_*.assert
     snap install ./ubuntu-core_*.snap
 
     cp /var/lib/snapd/state.json /var/lib/snapd/state.json.old
-    cat /var/lib/snapd/state.json.old |jq -r '.data.snaps["core"].type="os"' > /var/lib/snapd/state.json
+    jq -r '.data.snaps["core"].type="os"' < /var/lib/snapd/state.json.old > /var/lib/snapd/state.json
 
     snap list | MATCH "ubuntu-core "
     snap list | MATCH "core "
@@ -39,7 +44,7 @@
     echo "Ensure transition is triggered"
     # wait for steady state or ensure-state-soon will be pointless
     ok=0
-    for i in $(seq 40); do
+    for _ in $(seq 40); do
         if ! snap changes|grep -q ".*.Doing.*" ; then
             ok=1
             break
@@ -54,7 +59,7 @@
 
     # wait for transition
     ok=0
-    for i in $(seq 240); do
+    for _ in $(seq 240); do
         if snap changes|grep -q ".*Done.*Transition ubuntu-core to core" ; then
             ok=1
             break
@@ -70,7 +75,4 @@
         echo "ubuntu-core still installed, transition failed"
         exit 1
     fi
-    snap interfaces |MATCH ":network.*test-snapd-python-webserver"
-
-    echo "Ensure interfaces are connected"
-    snap interfaces | MATCH ":core-support.*core:core-support-plug"
+    snap interfaces -i network | MATCH ":network.*test-snapd-python-webserver"
diff -Nru snapd-2.32.3.2~14.04/tests/main/cloud-init/task.yaml snapd-2.37~rc1~14.04/tests/main/cloud-init/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/cloud-init/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/cloud-init/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,74 @@
+summary: Ensure that cloud-init integration works
+
+description: |
+    snapd picks up basic cloud information from the host and makes it available
+    to the snaps. Run the test on a live backend which sets instance data
+    properly.
+
+# GCE backend sets instance data
+backends: [google]
+
+prepare: |
+    if ! command -v jq; then
+        snap install --devmode jq
+    fi
+
+execute: |
+    if [[ ! -e /run/cloud-init/instance-data.json ]]; then
+        echo "cloud-init instance data is required to execute the test"
+
+        if [[ "$SPREAD_SYSTEM" == ubuntu-* && "$SPREAD_SYSTEM" != ubuntu-14.04-* ]]; then
+            # we expect the test to run on all Ubuntu images, excluding 14.04
+            echo "the test expected to run on $SPREAD_SYSTEM"
+            exit 1
+        fi
+        exit 0
+    fi
+
+    get_conf() {
+        # we could use cloud-init query <key>, but that requires cloud-init 18.4+
+        # which is not available in all images we use
+        local kname="$1"
+        if jq -r '.v1 | keys[]' < /run/cloud-init/instance-data.json | grep -q _; then
+            kname=${kname/-/_}
+        else
+            kname=${kname/_/-}
+        fi
+
+       jq -r ".[\"v1\"][\"$kname\"]" < /run/cloud-init/instance-data.json
+    }
+    # GCE sets the following in Ubuntu images:
+    # {
+    #    ...
+    #    "v1": {
+    #      "availability-zone": "us-east1-b",
+    #      "availability_zone": "us-east1-b",
+    #      "cloud-name": "gce",
+    #      "cloud_name": "gce",
+    #      "region": "us-east1"
+    #      ...
+    #   }
+    # }
+
+    # keys can be queried only using underscore names
+    cloud_name=$(get_conf cloud_name)
+    test -n "$cloud_name"
+    # this shouldn't happen under GCE
+    if [[ "$cloud_name" == "nocloud" ||  "$cloud_name" == "none" ]]; then
+        echo "not a cloud instance, config should be empty"
+
+        nocloud=$(snap get core -d | jq -r '.cloud')
+        test "$nocloud" = null
+        exit 0
+    fi
+
+    snap_cloud_name=$(snap get core cloud.name)
+    test "$cloud_name" = "$snap_cloud_name"
+
+    cloud_avzone=$(get_conf availability_zone)
+    snap_cloud_avzone=$(snap get core cloud.availability-zone)
+    test "$cloud_avzone" = "$snap_cloud_avzone"
+
+    cloud_region=$(get_conf region)
+    snap_cloud_region=$(snap get core cloud.region)
+    test "$cloud_region" = "$snap_cloud_region"
diff -Nru snapd-2.32.3.2~14.04/tests/main/cmdline/task.yaml snapd-2.37~rc1~14.04/tests/main/cmdline/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/cmdline/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/cmdline/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: Check that cmdline for channel shortcuts work
+
 execute: |
     echo Conflicting channel commandline errors correctly
     if snap install --beta --edge test-snapd-tools 2>err.msg; then
@@ -6,5 +7,6 @@
         exit 1
     fi
     MATCH "Please specify a single channel" < err.msg
+
 restore: |
     rm -f err.msg
diff -Nru snapd-2.32.3.2~14.04/tests/main/command-chain/task.yaml snapd-2.37~rc1~14.04/tests/main/command-chain/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/command-chain/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/command-chain/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+summary: Check that command-chain is properly supported
+
+environment:
+    # Ensure that running purely from the deb (without re-exec) works
+    # correctly
+    SNAP_REEXEC/reexec0: 0
+    SNAP_REEXEC/reexec1: 1
+    BREADCRUMB: /var/snap/command-chain/current/breadcrumb
+    ENVDUMP: /var/snap/command-chain/current/env
+
+prepare: |
+    echo "Build command chain snap"
+    snap pack "$TESTSLIB/snaps/command-chain"
+    snap install --dangerous command-chain_1.0_all.snap
+
+restore: |
+    rm -f command-chain_1.0_all.snap
+
+execute: |
+    echo "Test that command-chain runs for hooks"
+    [ "$(cat "$BREADCRUMB")" = "chain1 chain2 configure" ]
+    MATCH '^CHAIN_1_RAN=1$' < "$ENVDUMP"
+    MATCH '^CHAIN_2_RAN=1$' < "$ENVDUMP"
+
+    echo "Test that command-chain runs for apps"
+    [ "$(command-chain.hello)" = "chain1 chain2 hello" ]
+
+    echo "Ensure that the command-chain is run with 'snap run --shell' as well"
+    [ "$(snap run --shell command-chain.hello -c 'echo "shell"')" = "chain1 chain2 shell" ]
+    env="$(snap run --shell command-chain.hello -c 'env')"
+    echo "$env" | MATCH '^CHAIN_1_RAN=1$'
+    echo "$env" | MATCH '^CHAIN_2_RAN=1$'
\ No newline at end of file
diff -Nru snapd-2.32.3.2~14.04/tests/main/completion/task.yaml snapd-2.37~rc1~14.04/tests/main/completion/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/completion/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/completion/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,15 +1,19 @@
 summary: Check different completions
 
-systems:
-    - -ubuntu-core-16-*
-    # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
-    - -ubuntu-*-ppc64el
+# ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el]
+
+# takes >6min to run in total
+backends: [-autopkgtest]
 
 environment:
     NAMES: /var/cache/snapd/names
 
 prepare: |
-    systemctl stop snapd.service snapd.socket
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+
+    systemd_stop_units snapd.service snapd.socket
     [ -e "$NAMES" ] && mv "$NAMES" "$NAMES.orig"
     cat >"$NAMES" <<EOF
     test-assumes
@@ -23,7 +27,9 @@
     touch bar.snap
     snap install core
     snap install test-snapd-tools
+    #shellcheck source=tests/lib/mkpinentry.sh
     . "$TESTSLIB"/mkpinentry.sh
+    #shellcheck source=tests/lib/random.sh
     . "$TESTSLIB"/random.sh
     kill_gpg_agent
     expect -d -f key.exp0
@@ -38,11 +44,12 @@
     rmdir testdir
 
 debug: |
+    #shellcheck source=tests/lib/random.sh
     . "$TESTSLIB"/random.sh
     debug_random
 
 execute: |
     for i in *.exp; do
-        echo $i
-        expect -d -f $i
+        echo "$i"
+        expect -d -f "$i"
     done
diff -Nru snapd-2.32.3.2~14.04/tests/main/completion/toplevel.exp snapd-2.37~rc1~14.04/tests/main/completion/toplevel.exp
--- snapd-2.32.3.2~14.04/tests/main/completion/toplevel.exp	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/completion/toplevel.exp	2019-01-16 08:36:51.000000000 +0000
@@ -1,17 +1,5 @@
 source lib.exp0
 
-# --help completes
-chat "snap --h\t" "snap --help $" true
-# but no more
-chat "\t\t" "snap --help $"
-cancel
-
-# --version completes
-chat "snap --v\t" "snap --version $" true
-# but no more
-chat "\t\t" "snap --version $"
-cancel
-
 # commands complete
 rechat "snap in\t\t" "\[\n ]info\[\r ]" true
 rechat "" "\[\n ]install\[\r ]" true
diff -Nru snapd-2.32.3.2~14.04/tests/main/config-versions/task.yaml snapd-2.37~rc1~14.04/tests/main/config-versions/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/config-versions/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/config-versions/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,19 +1,11 @@
 summary: Check that snap configuration is maintained on per-revision basis.
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 details: |
     This test ensures that snap configuration is mainted per snap revision
     and is restored on revert.
 
-prepare: |
-    snap pack $TESTSLIB/snaps/config-versions
-    snap pack $TESTSLIB/snaps/config-versions-v2
-
-restore: |
-    rm -f config-versions_1.0_all.snap
-    rm -f config-versions_2.0_all.snap
-
 execute: |
     verify_config_value() {
       expected="$1"
@@ -24,14 +16,17 @@
       fi
     }
 
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
     echo "Install test snap"
-    snap install --dangerous config-versions_1.0_all.snap
+    install_local config-versions
 
     echo "Setting config value affecting rev 1"
     snap set config-versions value=100
 
     echo "Install a new version of the test snap"
-    snap install --dangerous config-versions_2.0_all.snap
+    install_local config-versions-v2
 
     echo "Expecting config value to be carried over to the new version 2"
     verify_config_value 100
diff -Nru snapd-2.32.3.2~14.04/tests/main/confinement-classic/task.yaml snapd-2.37~rc1~14.04/tests/main/confinement-classic/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/confinement-classic/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/confinement-classic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: trivial snap with classic confinement runs correctly
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 details: |
     This test checks that a very much trivial "hello-world"-like snap using
@@ -9,16 +9,28 @@
     function correctly in both cases.
 
 prepare: |
-    . $TESTSLIB/dirs.sh
-    if [[ "$SPREAD_SYSTEM" == fedora-* ]]; then
-        # although classic snaps do not work out of the box on fedora,
-        # we still want to verify if the basics do work if the user
-        # symlinks /snap to $SNAP_MOUNT_DIR themselves
-        ln -sf $SNAP_MOUNT_DIR /snap
-    fi
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+    case "$SPREAD_SYSTEM" in
+        fedora-*|arch-*|centos-*)
+            # although classic snaps do not work out of the box on fedora,
+            # we still want to verify if the basics do work if the user
+            # symlinks /snap to $SNAP_MOUNT_DIR themselves
+            ln -sf $SNAP_MOUNT_DIR /snap
+            ;;
+    esac
+
+
+restore: |
+    case "$SPREAD_SYSTEM" in
+        fedora-*|arch-*|centos-*)
+            rm -f /snap
+            ;;
+    esac
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     snap install --classic test-snapd-hello-classic
     $SNAP_MOUNT_DIR/bin/test-snapd-hello-classic | MATCH 'Hello Classic!'
@@ -34,9 +46,3 @@
     snap install --classic --jailmode test-snapd-hello-classic
 
     $SNAP_MOUNT_DIR/bin/test-snapd-hello-classic | MATCH 'Hello Classic!'
-
-restore: |
-    snap remove test-snapd-hello-classic
-    if [[ "$SPREAD_SYSTEM" == fedora-* ]]; then
-        rm -f /snap
-    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/core16-base/task.yaml snapd-2.37~rc1~14.04/tests/main/core16-base/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/core16-base/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/core16-base/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,11 @@
+summary: Ensure that core16 works
+
+execute: |
+    echo "Ensure core16 can be installed"
+    snap install --edge core16
+
+    echo "Ensure core16 is usable"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh-core16
+    test-snapd-sh-core16.sh -c "echo hello" | MATCH hello
diff -Nru snapd-2.32.3.2~14.04/tests/main/core18-configure-hook/task.yaml snapd-2.37~rc1~14.04/tests/main/core18-configure-hook/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/core18-configure-hook/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/core18-configure-hook/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+summary: Check that snaps with configure work on core18 only
+
+systems: [-ubuntu-core-*]
+
+prepare: |
+    echo "Ensure empty state"
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB/dirs.sh"
+    echo "Ensure all snaps are gone"
+    $LIBEXECDIR/snapd/snap-mgmt --purge
+
+    systemd_stop_units snapd.service
+    rm -f /var/lib/snapd/state.json
+    systemctl start snapd
+    snap wait system seed.loaded
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    echo "Install test snap"
+    install_local test-snapd-with-configure-core18
+
+    snap list | MATCH core18
+    if snap list | grep -E -q "^core "; then
+        echo "core got installed but shouldn't. test broken"
+        exit 1
+    fi
+
+    test -e /var/snap/test-snapd-with-configure-core18/common/configure-ran
diff -Nru snapd-2.32.3.2~14.04/tests/main/core18-with-hooks/task.yaml snapd-2.37~rc1~14.04/tests/main/core18-with-hooks/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/core18-with-hooks/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/core18-with-hooks/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,12 @@
+summary: Ensure that snaps with hooks work with base core18
+
+execute: |
+    # FIXME: we need at least beta of core18 for this to work
+    snap install --beta core18
+  
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-snapctl-core18
+
+    journalctl -u test-snapd-snapctl-core18.service
+
diff -Nru snapd-2.32.3.2~14.04/tests/main/core-snap-not-test-test/task.yaml snapd-2.37~rc1~14.04/tests/main/core-snap-not-test-test/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/core-snap-not-test-test/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/core-snap-not-test-test/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Files inside the core snap are not owned by test.test
+
 execute: |
-    [ $(find /snap/core/current/ -user test | wc -l) = 0 ]
+    [ "$(find /snap/core/current/ -user test | wc -l)" = 0 ]
+
 debug: |
     find /snap/core/current/ -user test
diff -Nru snapd-2.32.3.2~14.04/tests/main/core-snap-refresh/task.yaml snapd-2.37~rc1~14.04/tests/main/core-snap-refresh/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/core-snap-refresh/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/core-snap-refresh/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -11,18 +11,23 @@
     rm -f prevBoot nextBoot
 
 execute: |
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
+
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$SPREAD_REBOOT" = 0 ]; then
         # save current core revision
         snap list | awk "/^core / {print(\$3)}" > prevBoot
 
         # refresh
-        snap refresh core --${NEW_CORE_CHANNEL}
+        snap refresh core "--${NEW_CORE_CHANNEL}"
 
         # check boot env vars
         snap list | awk "/^core / {print(\$3)}" > nextBoot
 
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             test "$(bootenv snap_core)" = "core_$(cat prevBoot).snap"
             test "$(bootenv snap_try_core)" = "core_$(cat nextBoot).snap"
         fi
@@ -39,7 +44,7 @@
         sleep 1
     done
 
-    if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+    if is_core_system; then
         test "$(bootenv snap_core)" = "core_$(cat nextBoot).snap"
         test "$(bootenv snap_try_core)" = ""
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/core-snap-refresh-on-core/task.yaml snapd-2.37~rc1~14.04/tests/main/core-snap-refresh-on-core/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/core-snap-refresh-on-core/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/core-snap-refresh-on-core/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,30 +1,30 @@
 summary: Check that the core snap can be refreshed on a core device
 
-systems: [ubuntu-core-16-64]
-
 details: |
     This test checks that the core snap can be refreshed from an installed
     revision to a new one. It expects to find a new snap revision in the
     channel pointed by the NEW_CORE_CHANNEL env var.
 
+systems: [ubuntu-core-16-64]
+
 manual: true
 
+prepare: |
+    snap install test-snapd-tools
+
 restore: |
     rm -f prevBoot nextBoot
     rm -f core_*.{assert,snap}
-        
-prepare: |
-    snap install test-snapd-tools
 
 execute: |
     wait_core_pre_boot() {
         chg_id="$1"
 
         # save change id to wait later or abort
-        echo ${chg_id} >curChg
+        echo "${chg_id}" >curChg
 
         # wait for the link task to be done
-        while ! snap change ${chg_id}|grep -q "^Done.*Make snap.*available to the system" ; do sleep 1 ; done
+        while ! snap change "${chg_id}"|grep -q "^Done.*Make snap.*available to the system" ; do sleep 1 ; done
 
     }
     wait_core_post_boot() {
@@ -43,7 +43,8 @@
         exit 1
     fi
   
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
     if [ "$SPREAD_REBOOT" = 0 ]; then
         # ensure we have a good starting place
     
@@ -51,9 +52,9 @@
         test-snapd-tools.echo hello | MATCH hello
 
         # go to known good starting place
-        snap download core --${CORE_CHANNEL}
+        snap download core "--${CORE_CHANNEL}"
         snap ack core_*.assert
-        wait_core_pre_boot $(snap install --no-wait core_*.snap)
+        wait_core_pre_boot "$(snap install --no-wait core_*.snap)"
         REBOOT
         
     elif [ "$SPREAD_REBOOT" = 1 ]; then
@@ -65,7 +66,7 @@
         snap list | awk "/^core / {print(\$3)}" > prevBoot
 
         # refresh
-        wait_core_pre_boot $(snap refresh core --${NEW_CORE_CHANNEL} --no-wait)
+        wait_core_pre_boot "$(snap refresh core "--${NEW_CORE_CHANNEL}" --no-wait)"
 
         # check boot env vars
         snap list | awk "/^core / {print(\$3)}" > nextBoot
@@ -96,7 +97,7 @@
         test-snapd-tools.echo hello | MATCH hello
 
         # revert core
-        wait_core_pre_boot $(snap revert core --no-wait)
+        wait_core_pre_boot "$(snap revert core --no-wait)"
 
         test "$(bootenv snap_core)" = "core_$(cat nextBoot).snap"
         test "$(bootenv snap_try_core)" = "core_$(cat prevBoot).snap"
diff -Nru snapd-2.32.3.2~14.04/tests/main/core-watchdog/task.yaml snapd-2.37~rc1~14.04/tests/main/core-watchdog/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/core-watchdog/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/core-watchdog/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,31 @@
+summary: Check that the core.watchdog settings work
+
+environment:
+    WATCHDOG_FILE: /etc/systemd/system.conf.d/10-snapd-watchdog.conf
+
+systems: [ubuntu-core-16-*]
+
+prepare: |
+    if [ -f "$WATCHDOG_FILE" ]; then
+        echo "Watchdog file already present, testbed not clean"
+        exit 1
+    fi
+
+restore: |
+    rm -f "$WATCHDOG_FILE"
+
+execute: |
+    echo "Ensure snap service watchdog works"
+    snap set core watchdog.runtime-timeout=1m
+    MATCH RuntimeWatchdogSec=60 < "$WATCHDOG_FILE"
+    
+    snap set core watchdog.shutdown-timeout=1h
+    MATCH ShutdownWatchdogSec=3600 <  "$WATCHDOG_FILE"
+
+    echo "Unsetting removes the file"
+    snap set core watchdog.runtime-timeout=
+    snap set core watchdog.shutdown-timeout=0s
+    if [ -f "$WATCHDOG_FILE" ]; then
+        echo "Empty watchdog config should remove config file but did not"
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/create-key/task.yaml snapd-2.37~rc1~14.04/tests/main/create-key/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/create-key/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/create-key/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,21 @@
 summary: Checks for snap create-key
+
 # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el]
+# amazon: requires extra gpg-agent setup
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -amazon-*, -centos-*]
+
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
 
 prepare: |
+    #shellcheck source=tests/lib/mkpinentry.sh
     . "$TESTSLIB"/mkpinentry.sh
+    #shellcheck source=tests/lib/random.sh
     . "$TESTSLIB"/random.sh
     kill_gpg_agent
 
 debug: |
+    #shellcheck source=tests/lib/random.sh
     . "$TESTSLIB"/random.sh
     debug_random
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/create-user/task.yaml snapd-2.37~rc1~14.04/tests/main/create-user/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/create-user/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/create-user/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,16 +1,16 @@
 summary: Ensure create-user functionality
 
-# Disabled for Fedora, openSUSE as both have not all options for add user
-# available the `snap create-user` command requires. Needs code rework.
-systems: [-ubuntu-core-16-*, -fedora-*, -opensuse-*]
+# Disabled for Fedora, openSUSE, Arch, AMZN2 as none have all options for add user
+# the `snap create-user` command requires. Needs code rework.
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 environment:
     USER_EMAIL: mvo@ubuntu.com
     USER_NAME: mvo
 
 restore: |
-    userdel -r $USER_NAME || true
-    rm -rf /etc/sudoers.d/create-user-$USER_NAME
+    userdel -r "$USER_NAME" || true
+    rm -rf "/etc/sudoers.d/create-user-$USER_NAME"
 
 execute: |
     echo "snap create-user -- ensure failure when run as non-root user without sudo"
@@ -18,24 +18,24 @@
     if obtained=$(su - test /bin/sh -c "snap create-user $USER_EMAIL 2>&1"); then
         echo "create-user command should have failed"
     fi
-    [[ "$obtained" =~ "$expected" ]]
+    [[ "$obtained" =~ $expected ]]
 
     echo "snap create-user -- ensure success when run as non-root user with sudo"
     expected="created user \"$USER_NAME\""
     obtained=$(su - test /bin/sh -c "sudo snap create-user --force-managed --sudoer $USER_EMAIL 2>&1")
-    [[ "$obtained" =~ "$expected" ]]
+    [[ "$obtained" =~ $expected ]]
 
     echo "ensure user exists in /etc/passwd"
     MATCH "^$USER_NAME:x:[0-9]+:[0-9]+:$USER_EMAIL" < /etc/passwd
 
     echo "ensure proper sudoers.d file"
-    MATCH "$USER_NAME ALL=\(ALL\) NOPASSWD:ALL" < /etc/sudoers.d/create-user-$USER_NAME
+    MATCH "$USER_NAME ALL=\\(ALL\\) NOPASSWD:ALL" < "/etc/sudoers.d/create-user-$USER_NAME"
 
     echo "ensure the user's home directory exists"
-    test -d /home/$USER_NAME
+    test -d "/home/$USER_NAME"
 
     echo "ensure ~/.snap/auth.json was created"
-    test -f /home/$USER_NAME/.snap/auth.json
+    test -f "/home/$USER_NAME/.snap/auth.json"
 
     echo "ensure user's email was stored in ~/.snap/auth.json"
-    MATCH "\"email\":\"$USER_EMAIL\"" < /home/$USER_NAME/.snap/auth.json
+    MATCH "\"email\":\"$USER_EMAIL\"" < "/home/$USER_NAME/.snap/auth.json"
diff -Nru snapd-2.32.3.2~14.04/tests/main/debs-have-built-using/task.yaml snapd-2.37~rc1~14.04/tests/main/debs-have-built-using/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/debs-have-built-using/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/debs-have-built-using/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,12 @@
 summary: Ensure that our debs have the "built-using" header
 
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 execute: |
-    out=$(dpkg -I $GOHOME/snapd_*.deb)
+    out=$(dpkg -I "$GOHOME"/snapd_*.deb)
     if [[ "$SPREAD_SYSTEM" = ubuntu-* ]]; then
         # Apparmor & seccomp is only compiled in on Ubuntu for now.
-        echo $out | MATCH "Built-Using:.*apparmor \(="
-        echo $out | MATCH "Built-Using:.*libseccomp \(="
+        echo "$out" | MATCH 'Built-Using:.*apparmor \(='
+        echo "$out" | MATCH 'Built-Using:.*libseccomp \(='
     fi
-    echo $out | MATCH "Built-Using:.*libcap2 \(="
+    echo "$out" | MATCH 'Built-Using:.*libcap2 \(='
diff -Nru snapd-2.32.3.2~14.04/tests/main/debug-paths/task.yaml snapd-2.37~rc1~14.04/tests/main/debug-paths/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/debug-paths/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/debug-paths/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,13 @@
+summary: Verify paths are correctly reported
+
+execute: |
+    # shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    snap debug paths | MATCH "^SNAPD_MOUNT=${SNAP_MOUNT_DIR}$"
+    snap debug paths | MATCH "^SNAPD_BIN=${SNAP_MOUNT_DIR}/bin$"
+    snap debug paths | MATCH "^SNAPD_LIBEXEC=${LIBEXECDIR}/snapd$"
+
+    # double check we can eval it as shell
+    eval "$(snap debug paths)"
+    test "${SNAPD_MOUNT}" = "${SNAP_MOUNT_DIR}"
diff -Nru snapd-2.32.3.2~14.04/tests/main/debug-sandbox/task.yaml snapd-2.37~rc1~14.04/tests/main/debug-sandbox/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/debug-sandbox/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/debug-sandbox/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,25 @@
+summary: Verify sandbox is correctly reported
+
+execute: |
+    case "$SPREAD_SYSTEM" in
+    ubuntu-*)
+        snap debug sandbox-features | MATCH "apparmor: .+"
+        ;;
+    fedora-*|debian-*|opensuse-*)
+        # Fedora because it uses SELinux
+        # Debian and openSUSE because partial apparmor is not enabled
+        snap debug sandbox-features | MATCH -v "apparmor: .+"
+        ;;
+    esac
+    snap debug sandbox-features | MATCH "dbus: .+"
+    snap debug sandbox-features | MATCH "kmod: .+"
+    snap debug sandbox-features | MATCH "mount: .+"
+    snap debug sandbox-features | MATCH "seccomp: .+"
+    snap debug sandbox-features | MATCH "udev: .+"
+
+    # The command can be used as script helper
+    snap debug sandbox-features --required kmod:mediated-modprobe
+    ! snap debug sandbox-features --required magic:evil-bit
+
+    # Multiple requirements may be listed
+    snap debug sandbox-features --required kmod:mediated-modprobe --required mount:stale-base-invalidation
diff -Nru snapd-2.32.3.2~14.04/tests/main/degraded/task.yaml snapd-2.37~rc1~14.04/tests/main/degraded/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/degraded/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/degraded/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,31 @@
+summary: Check that the system is not in "degraded" state
+
+# autopkgtest images sometimes have failing services (cosmic/s390x)
+# in their images so this test is not useful there.
+backends: [-autopkgtest]
+
+# run this early to ensure no test created failed units yet
+priority: 500
+
+debug: |
+    # Print the status for the failed units
+    for unit_type in service socket device mount automount swap target path timer slice scope; do
+        units="$(systemctl --failed --type=$unit_type --no-pager | grep -o -E ".*.$unit_type" | tr '●' ' ' )"
+        for unit in $units; do
+            echo " -- systemctl status $unit --"
+            systemctl status "$unit" || true
+        done
+    done
+
+execute: |
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
+    wait_for_service "multi-user.target"
+
+    if systemctl status | grep "State: [d]egraded"; then
+        echo "systemctl reports the system is in degraded mode"
+        # add debug output
+        systemctl --failed
+        systemctl status
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/dirs-not-shared-with-host/task.yaml snapd-2.37~rc1~14.04/tests/main/dirs-not-shared-with-host/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/dirs-not-shared-with-host/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/dirs-not-shared-with-host/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,30 +1,35 @@
 summary: Ensure that certain directories are coming from the core snap
+
 details: |
   The snap-confine program bind mounts the /etc directory from the
   classic distribution into the snap execution environment.
   Certain directories however, if they exist on the host's /etc
   are actually, bind-mounted from the core snap for a more
   consistent behaviour across various distributions.
-systems:
-    # This test only applies to classic systems
-    - -ubuntu-core-16-*
+
+environment:
+    DIRECTORY/ssl: /etc/ssl
+
+# This test only applies to classic systems
+systems: [-ubuntu-core-*]
+
 prepare: |
     echo "Having installed the test snap"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
-environment:
-    DIRECTORY/alternatives: /etc/alternatives
-    DIRECTORY/ssl: /etc/ssl
+
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
     echo "We can check the inode number of $DIRECTORY"
-    host_inode="$(stat -c '%i' $DIRECTORY)"
+    host_inode=$(stat -c '%i' "$DIRECTORY")
     if [ -e $SNAP_MOUNT_DIR/core/current ]; then
-        core_inode="$(stat -c '%i' $SNAP_MOUNT_DIR/core/current/$DIRECTORY)"
+        core_inode=$(stat -c '%i' "$SNAP_MOUNT_DIR/core/current/$DIRECTORY")
     else
-        core_inode="$(stat -c '%i' $SNAP_MOUNT_DIR/ubuntu-core/current/$DIRECTORY)"
+        core_inode=$(stat -c '%i' "$SNAP_MOUNT_DIR/ubuntu-core/current/$DIRECTORY")
     fi
-    effective_inode="$(test-snapd-tools.cmd stat -c '%i' $DIRECTORY)"
+    effective_inode=$(test-snapd-tools.cmd stat -c '%i' "$DIRECTORY")
     echo "The inode number as seen from a confined snap should be that of the $DIRECTORY from the core snap"
     [ "$host_inode" != "$core_inode" ]
     [ "$effective_inode" = "$core_inode" ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/disable-autoconnect/task.yaml snapd-2.37~rc1~14.04/tests/main/disable-autoconnect/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/disable-autoconnect/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/disable-autoconnect/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,48 @@
+summary: Check that auto-connections are not re-connected if disabled by the user
+
+details: |
+    This test ensures that auto-connections are not restored if manually disconnected
+    by the user.
+
+systems: [-ubuntu-core-*]
+
+prepare: |
+    snap pack "$TESTSLIB"/snaps/config-versions
+    snap pack "$TESTSLIB"/snaps/config-versions-v2
+
+restore: |
+    rm -f config-versions_1.0_all.snap
+    rm -f config-versions_2.0_all.snap
+
+execute: |
+    CONNECTED_PATTERN=':home .* config-versions'
+    DISCONNECTED_PATTERN='\- .* config-versions:home'
+
+    echo "Install test snap"
+    snap install --dangerous config-versions_1.0_all.snap
+
+    echo "Expecting home interface to be automatically connected"
+    snap interfaces|MATCH "$CONNECTED_PATTERN"
+
+    echo "Manually disconnect home interface"
+    snap disconnect config-versions:home
+    snap interfaces|MATCH "$DISCONNECTED_PATTERN"
+
+    echo "Install a new version of the snap, expect home interface to remain disconnected"
+    snap install --dangerous config-versions_2.0_all.snap
+    snap interfaces|MATCH "$DISCONNECTED_PATTERN"
+
+    echo "Revert to the rev 1, expect home interface to remain disconnected"
+    snap revert config-versions
+    snap interfaces|MATCH "$DISCONNECTED_PATTERN"
+
+    systemctl stop snapd.{service,socket}
+    systemctl start snapd.{service,socket}
+
+    echo "Manually connect home interface"
+    snap connect config-versions:home
+    snap interfaces|MATCH "$CONNECTED_PATTERN"
+
+    echo "Revert to the rev 2, expect home interface to remain connected"
+    snap revert --revision=x2 config-versions
+    snap interfaces|MATCH "$CONNECTED_PATTERN"
diff -Nru snapd-2.32.3.2~14.04/tests/main/document-portal-activation/fake-document-portal.py snapd-2.37~rc1~14.04/tests/main/document-portal-activation/fake-document-portal.py
--- snapd-2.32.3.2~14.04/tests/main/document-portal-activation/fake-document-portal.py	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/document-portal-activation/fake-document-portal.py	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,56 @@
+#!/usr/bin/python3
+
+import os
+import sys
+
+import dbus.service
+import dbus.mainloop.glib
+from gi.repository import GLib
+
+BUS_NAME = "org.freedesktop.portal.Documents"
+OBJECT_PATH = "/org/freedesktop/portal/documents"
+DOC_IFACE = "org.freedesktop.portal.Documents"
+
+class DocPortal(dbus.service.Object):
+    def __init__(self, connection, object_path, logfile, errorfile):
+        super(DocPortal, self).__init__(connection, object_path)
+        self._logfile = logfile
+        self._errorfile = errorfile
+
+    @property
+    def _report_error(self):
+        with open(self._errorfile, 'r') as fp:
+            return 'error' in fp.read()
+
+    @dbus.service.method(dbus_interface=DOC_IFACE, in_signature="",
+                         out_signature="ay")
+    def GetMountPoint(self):
+        with open(self._logfile, "a") as fp:
+            fp.write("GetMountPoint called\n")
+        if self._report_error:
+            raise dbus.DBusException("failure", name=DOC_IFACE + ".Error.Failed")
+        return '/run/user/{}/doc\x00'.format(os.getuid()).encode('ASCII')
+
+def main(argv):
+    logfile, errorfile = argv[1:]
+    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
+    main_loop = GLib.MainLoop()
+
+    bus = dbus.SessionBus()
+    # Make sure we quit when the bus shuts down
+    bus.add_signal_receiver(
+        main_loop.quit, signal_name="Disconnected",
+        path="/org/freedesktop/DBus/Local",
+        dbus_interface="org.freedesktop.DBus.Local")
+
+    portal = DocPortal(bus, OBJECT_PATH, logfile, errorfile)
+
+    # Allow other services to assume our bus name
+    bus_name = dbus.service.BusName(
+        BUS_NAME, bus, allow_replacement=True, replace_existing=True,
+        do_not_queue=True)
+
+    main_loop.run()
+
+if __name__ == '__main__':
+    sys.exit(main(sys.argv))
diff -Nru snapd-2.32.3.2~14.04/tests/main/document-portal-activation/task.yaml snapd-2.37~rc1~14.04/tests/main/document-portal-activation/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/document-portal-activation/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/document-portal-activation/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,99 @@
+summary: Check that the document portal is activated when needed
+description: |
+    In order for xdg-document-portal to securely share files with a
+    confined applications, it must be started prior to setting up the
+    user mount namespace.  This is due to the daemon providing a FUSE
+    file system that needs to be bind mounted in the sandbox.
+
+    With that in mind, we don't want every snap invocation to try and
+    start the document portal.  Only in the following cases:
+
+        - a session bus is running
+        - the snap plugs the "desktop" interface
+
+    Furthermore, we don't want to print an error on systems where
+    xdg-document-portal is not available.
+
+# Disabled on Ubuntu Core because it doesn't provide the "desktop"
+# slot, and Amazon Linux because it doesn't have the required Python 3
+# packages to run the test.
+systems: [ -ubuntu-core-*, -amazon-linux-2-*, -centos-* ]
+
+environment:
+    XDG_RUNTIME_DIR: /run/user/$(id -u)
+
+prepare: |
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    distro_install_package python3-dbus python3-gi
+    install_local test-snapd-desktop
+    install_local test-snapd-tools
+    rm -f /usr/share/dbus-1/services/fake-document-portal.service
+    mkdir -p "$XDG_RUNTIME_DIR"
+    rm -rf "${XDG_RUNTIME_DIR:?}/*" "${XDG_RUNTIME_DIR:?}/.[!.]*"
+
+restore: |
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
+    [ -f dbus-launch.pid ] && kill "$(cat dbus-launch.pid)"
+    rm -f dbus-launch.pid
+    rm -f stderr.log doc-portal.log report-error.txt
+    rm -f /usr/share/dbus-1/services/fake-document-portal.service
+    distro_purge_package python3-dbus python3-gi
+    distro_auto_remove_packages
+    rm -rf "${XDG_RUNTIME_DIR:?}/*" "${XDG_RUNTIME_DIR:?}/.[!.]*"
+
+execute: |
+    echo "No output on stderr when running without a session bus"
+    user_data="$HOME/snap/test-snapd-desktop/current"
+    test-snapd-desktop.check-dirs "$user_data" 2>stderr.log
+    [ "$(wc -c < stderr.log)" -eq 0 ]
+
+    echo "Starting session bus"
+    eval "$(dbus-launch --sh-syntax)"
+    echo "$DBUS_SESSION_BUS_PID" > dbus-launch.pid
+
+    echo "No output on stderr when running with a session bus, when xdg-document-portal is not present."
+    test-snapd-desktop.check-dirs "$user_data" 2>stderr.log
+    [ "$(wc -c < stderr.log)" -eq 0 ]
+
+    echo "The absence of the document portal service was recorded"
+    [ -f "$XDG_RUNTIME_DIR/.portals-unavailable" ]
+
+    echo "Make the fake document portal activatable"
+    cat << EOF > /usr/share/dbus-1/services/fake-document-portal.service
+    [D-BUS Service]
+    Name=org.freedesktop.portal.Documents
+    Exec=$(pwd)/fake-document-portal.py $(pwd)/doc-portal.log $(pwd)/report-error.txt
+    EOF
+    : > doc-portal.log
+    : > report-error.txt
+
+    echo "No attempt is made to activate the document portal due to the previous failure"
+    test-snapd-desktop.check-dirs "$user_data"
+    ! MATCH "GetMountPoint called" < doc-portal.log
+
+    echo "Remove the .portals-unavailable file to force a recheck"
+    rm "$XDG_RUNTIME_DIR/.portals-unavailable"
+
+    echo "No output on stderr when running with a session bus and xdg-document-portal is present".
+    test-snapd-desktop.check-dirs "$user_data" 2>stderr.log
+    MATCH "GetMountPoint called" < doc-portal.log
+    [ "$(wc -c < stderr.log)" -eq 0 ]
+
+    echo "Putting fake document portal into failure mode"
+    echo "error" > report-error.txt
+    : > doc-portal.log
+
+    echo "Failures from a running xdg-document-portal are reported"
+    test-snapd-desktop.check-dirs "$user_data" 2>stderr.log
+    MATCH "GetMountPoint called" < doc-portal.log
+    MATCH "WARNING: cannot start document portal: failure" < stderr.log
+
+    echo "Snaps not using the desktop interface will not try to contact the document portal"
+    : > doc-portal.log
+    test-snapd-tools.success 2>stderr.log
+    [ "$(wc -c < stderr.log)" -eq 0 ]
+    [ "$(wc -c < doc-portal.log)" -eq 0 ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/econnreset/task.yaml snapd-2.37~rc1~14.04/tests/main/econnreset/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/econnreset/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/econnreset/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,13 @@
 summary: Ensure that ECONNRESET is handled
 restore: |
+    echo "Stop the snap download command"
+    kill -9 "$(pgrep -f 'snap download')" || true
+
     echo "Remove the firewall rule again"
-    iptables -D OUTPUT -m owner --uid-owner $(id -u test) -j REJECT -p tcp --reject-with tcp-reset || true
+    iptables -D OUTPUT -m owner --uid-owner "$(id -u test)" -j REJECT -p tcp --reject-with tcp-reset || true
+    echo "Remove ingress traffic policing rule"
+    iptables -D INPUT -p tcp --match hashlimit --hashlimit-mode srcip,dstip,srcport,dstport --hashlimit-above 512kb/s \
+             --hashlimit-name 'econnreset' -j DROP
 
     rm -f test-snapd-huge_*
 
@@ -9,38 +15,53 @@
 # with the distro
 backends: [-autopkgtest]
 
+# no iptables on core18 yet
+systems: [-ubuntu-core-18-*]
+
+debug: |
+    echo "Partial download status"
+    ls -lh test-snapd-huge_* || true
+    echo "other dir content"
+    ls -lh
+    echo "download log:"
+    cat snap-download.log
+    echo "iptables rules and counters"
+    iptables -L -n -v
+
 execute: |
     echo "Downloading a large snap in the background"
-    su -c "/usr/bin/env SNAPD_DEBUG=1 snap download --edge test-snapd-huge 2>snap-download.log" test &
-
-    echo "Wait until the download started and downloaded more than 1 MB"
-    for i in $(seq 40); do
-        if partial=$(ls test-snapd-huge_*.snap.partial | head -1); then
-            if [ $(stat -c%s "$partial") -gt $(( 1024 * 1024 )) ]; then
-                break
-            fi
+    rm -f test-snapd-huge_*
+    # what happens in this test is that when running in GCE backend, the
+    # downloads is very fast, ~100MB/s and it may finish 'before' we insert the
+    # OUTPUT chain rule that drops outgoing TCP packets and triggers retries, to
+    # remedy this apply policing of ingress traffic down to 512kB/s
+    iptables -I INPUT -p tcp --match hashlimit --hashlimit-mode srcip,dstip,srcport,dstport --hashlimit-above 512kb/s \
+             --hashlimit-name 'econnreset' -j DROP
+
+    su -c "/usr/bin/env SNAPD_DEBUG=1 SNAPD_DEBUG_HTTP=3 snap download --edge test-snapd-huge" test 2>snap-download.log &
+
+    for _ in $(seq 120); do
+        partial=$(find . -name 'test-snapd-huge_*.snap.partial' | head -1)
+        if [ -n "$partial" ]; then
+            break
         fi
-        sleep .5
+        sleep 0.2
     done
 
-    if [ ! -f "$partial" ] || [ $(stat -c%s "$partial") -eq 0 ]; then
-        echo "Partial file $partial did not start downloading, test broken"
-        kill -9 $(pidof snap)
+    if [ ! -f "$partial" ]; then
+        echo "Partial file not found, test broken"
+        kill -9 "$(pgrep -f 'snap download')" || true
         exit 1
     fi
 
     echo "Block the download using iptables"
-    iptables -I OUTPUT -m owner --uid-owner $(id -u test) -j REJECT -p tcp --reject-with tcp-reset
+    iptables -I OUTPUT -m owner --uid-owner "$(id -u test)" -j REJECT -p tcp --reject-with tcp-reset
 
     echo "Check that we retried"
-    for i in $(seq 20); do
-        if MATCH "Retrying.*\.snap, attempt 2" < snap-download.log; then
+    for _ in $(seq 20); do
+        if MATCH 'Retrying.*\.snap, attempt 2' < snap-download.log; then
             break
         fi
+        echo "Attempt 2 not found, retrying..."
         sleep .5
     done
-    MATCH "Retrying.*\.snap, attempt 2" < snap-download.log
-
-    # Note that the download will not be successful because of the nature of
-    # the netfilter testbed. When snap download retries the next attempt will
-    # end up with a "connection refused" error, something we do not retry
diff -Nru snapd-2.32.3.2~14.04/tests/main/enable-disable/task.yaml snapd-2.37~rc1~14.04/tests/main/enable-disable/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/enable-disable/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/enable-disable/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,11 +1,15 @@
 summary: Check that enable/disable works
 
-execute: |
-    . $TESTSLIB/dirs.sh
+prepare: |
     echo "Install test-snapd-tools and ensure it runs"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
-    test-snapd-tools.echo Hello|MATCH Hello
+    test-snapd-tools.echo Hello | MATCH Hello
+
+execute: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     echo "Disable test-snapd-tools and ensure it is listed as disabled"
     snap disable test-snapd-tools|MATCH disabled
 
@@ -15,28 +19,33 @@
         exit 1
     fi
 
-    echo "Ensure the test-snapd-tools security profiles are no longer there"
-    if ls /var/lib/snapd/apparmor/profiles/snap.test-snapd-tools*; then
-        echo "test-snapd-tools securiry profiles are not disabled"
-        exit 1
+    if [ "$(snap debug confinement)" = strict ]; then
+        echo "Ensure the test-snapd-tools security profiles are no longer there"
+        if ls /var/lib/snapd/apparmor/profiles/snap.test-snapd-tools*; then
+            echo "test-snapd-tools securiry profiles are not disabled"
+            exit 1
+        fi
     fi
 
     echo "Enable test-snapd-tools again and ensure it is no longer listed as disabled"
     snap enable test-snapd-tools|MATCH -v disabled
 
-    echo "Ensure the test-snapd-tools security profiles are present"
-    if !ls /var/lib/snapd/apparmor/profiles/snap.test-snapd-tools*; then
-        echo "test-snapd-tools securiry profiles are not present"
-        exit 1
+    if [ "$(snap debug confinement)" = strict ]; then
+        echo "Ensure the test-snapd-tools security profiles are present"
+        if ! ls /var/lib/snapd/apparmor/profiles/snap.test-snapd-tools*; then
+            echo "test-snapd-tools securiry profiles are not present"
+            exit 1
+        fi
     fi
 
     echo "Ensure test-snapd-tools runs normally after it was enabled"
     test-snapd-tools.echo Hello |MATCH Hello
 
     echo "Ensure the important snaps can not be disabled"
-    . $TESTSLIB/names.sh
+    #shellcheck source=tests/lib/names.sh
+    . "$TESTSLIB"/names.sh
     for sn in core $kernel_name $gadget_name; do
-        if snap disable $sn; then
+        if snap disable "$sn"; then
             echo "It should not be possible to disable $sn"
             exit 1
         fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/enable-disable-units-gpio/task.yaml snapd-2.37~rc1~14.04/tests/main/enable-disable-units-gpio/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/enable-disable-units-gpio/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/enable-disable-units-gpio/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -12,76 +12,65 @@
 
 systems: [ubuntu-core-16-64]
 
-environment:
-    GPIO_MOCK_DIR: /home/test/gpio-mock
-
 prepare: |
-    if [ "$TRUST_TEST_KEYS" = "false" ]; then
-        echo "This test needs test keys to be trusted"
-        exit
+    # Core image that were created using spread will have a fake "gpio-pin".
+    # Other (e.g. official) images will not have that and there we can't use
+    # this test.
+    if ! snap interfaces|grep -q gpio-pin; then
+        echo "SKIP: this tests needs a fake 'gpio-pin' interface"
+        exit 0
     fi
+
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    echo "Create/enable fake gpio"
+    systemd_create_and_start_persistent_unit fake-gpio "$TESTSLIB/fakegpio/fake-gpio.py" "[Unit]\\nBefore=snap.core.interface.gpio-100.service\\n[Service]\\nType=notify"
+
     echo "Given a snap declaring a plug on gpio is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local gpio-consumer
 
-    echo "And a mocked gpio device is in place"
-    cat > /home/test/gpio-mock.sh <<-EOF
-    #!/bin/sh
-    if [ ! -d "$GPIO_MOCK_DIR" ]; then
-        # the service has just been created
-        mkdir -p $GPIO_MOCK_DIR
-        touch $GPIO_MOCK_DIR/gpio100 $GPIO_MOCK_DIR/export $GPIO_MOCK_DIR/unexport
-    else
-        # after reboot, remove device node to test export
-        rm $GPIO_MOCK_DIR/gpio100
-        truncate -s 0 $GPIO_MOCK_DIR/export
-    fi
-    mount --bind $GPIO_MOCK_DIR /sys/class/gpio
-    EOF
-    chmod a+x /home/test/gpio-mock.sh
-
-    cat > /etc/systemd/system/gpio-mock.service <<-EOF
-    [Unit]
-    Description=Set up mock for gpio test
-    Before=snap.core.interface.gpio-100.service
-
-    [Service]
-    Type=oneshot
-    RemainAfterExit=true
-    ExecStart=/home/test/gpio-mock.sh
-    ExecStop=
-
-    [Install]
-    WantedBy=multi-user.target
-    EOF
-    systemctl enable --now gpio-mock.service
-
     echo "And the gpio plug is connected"
     snap connect gpio-consumer:gpio :gpio-pin
 
 restore: |
-    if [ "$TRUST_TEST_KEYS" = "false" ]; then
-        echo "This test needs test keys to be trusted"
-        exit
+    # Core image that were created using spread will have a fake "gpio-pin".
+    # Other (e.g. official) images will not have that and there we can't use
+    # this test.
+    if ! snap interfaces|grep -q gpio-pin; then
+        echo "SKIP: this tests needs a fake 'gpio-pin' interface"
+        exit 0
     fi
+
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    system_stop_and_remove_persistent_unit fake-gpio
     umount /sys/class/gpio || true
-    systemctl disable gpio-mock.service
-    rm -rf $GPIO_MOCK_DIR /etc/systemd/system/gpio-mock.service /home/test/gpio-mock.sh
 
 execute: |
-    if [ "$TRUST_TEST_KEYS" = "false" ]; then
-        echo "This test needs test keys to be trusted"
-        exit
+    # Core image that were created using spread will have a fake "gpio-pin".
+    # Other (e.g. official) images will not have that and there we can't use
+    # this test.
+    if ! snap interfaces|grep -q gpio-pin; then
+        echo "SKIP: this tests needs a fake 'gpio-pin' interface"
+        exit 0
     fi
 
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     echo "Then the snap service units concerning the gpio device must be run before and after a reboot"
     expected="Unit snap.core.interface.gpio-100.service has finished starting up"
-    journalctl -xe --no-pager | MATCH "$expected"
-
-    if [ "$SPREAD_REBOOT" = "1" ]; then
-        cat $GPIO_MOCK_DIR/export | MATCH "^100$"
-    fi
+    for i in $(seq 120); do
+        get_journalctl_log -xe --no-pager | MATCH "$expected"
+        sleep 0.5
+    done
 
     if [ "$SPREAD_REBOOT" = "0" ]; then
         REBOOT
     fi
+
+    if [ "$SPREAD_REBOOT" = "1" ]; then
+        test -e /sys/class/gpio/gpio100
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/experimental-features/task.yaml snapd-2.37~rc1~14.04/tests/main/experimental-features/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/experimental-features/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/experimental-features/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,17 @@
+summary: Experimental features are exported by snapd
+details: |
+    Some of the experimental features are exported as flag files that can be
+    easily read by snap-confine and snap-update-ns that otherwise don't have
+    access to the system state.
+execute: |
+    # When a feature that is exported is enabled, a file is created.
+    snap set core experimental.per-user-mount-namespace=true
+    test -f /var/lib/snapd/features/per-user-mount-namespace
+
+    # When a feature that is exported is disabled, a file is removed.
+    snap set core experimental.per-user-mount-namespace=false
+    test ! -f /var/lib/snapd/features/per-user-mount-namespace
+
+    # When a feature that is not exported is enabled, a file is not created.
+    snap set core experimental.layouts=true
+    test ! -f /var/lib/snapd/features/layouts
diff -Nru snapd-2.32.3.2~14.04/tests/main/failover/task.yaml snapd-2.37~rc1~14.04/tests/main/failover/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/failover/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/failover/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,5 @@
 summary: check that the core and kernel snaps roll back correctly after a failed upgrade
 
-systems: [ubuntu-core-16-*]
-
-# Start early as it takes a long time.
-priority: 100
-
 details: |
     This test ensures that the system can survive to a failed upgrade of a fundamental
     snap, rolling back to the last good known version.
@@ -15,6 +10,11 @@
     reboots, one for trying the upgrade and another for rolling back) the installed
     fundamental snap is the good one and the boot environment variables are correctly set.
 
+systems: [ubuntu-core-16-*]
+
+# Start early as it takes a long time.
+priority: 100
+
 environment:
     INJECT_FAILURE/rclocalcrash: inject_rclocalcrash_failure
     INJECT_FAILURE/emptysystemd: inject_emptysystemd_failure
@@ -27,42 +27,50 @@
     BUILD_DIR: /home/tmp
 
 prepare: |
-    mkdir -p $BUILD_DIR
+    mkdir -p "$BUILD_DIR"
 
 restore: |
     rm -f failing.snap failBoot currentBoot prevBoot
-    rm -rf $BUILD_DIR
+    rm -rf "$BUILD_DIR"
 
     # FIXME: remove the unset when we reset properly snap_try_{core,kernel} on rollback
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
     bootenv_unset snap_try_core
     bootenv_unset snap_try_kernel
 
 debug: |
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
+    #shellcheck disable=SC2119
     bootenv
     snap list
     snap changes
 
 execute: |
     inject_rclocalcrash_failure(){
-        chmod a+x $BUILD_DIR/unpack/etc/rc.local
-        cat <<EOF > $BUILD_DIR/unpack/etc/rc.local
+        chmod a+x "$BUILD_DIR/unpack/etc/rc.local"
+        cat <<EOF > "$BUILD_DIR/unpack/etc/rc.local"
     #!bin/sh
     printf c > /proc/sysrq-trigger
     EOF
     }
 
     inject_emptysystemd_failure(){
-        truncate -s 0 $BUILD_DIR/unpack/lib/systemd/systemd
+        truncate -s 0 "$BUILD_DIR/unpack/lib/systemd/systemd"
     }
 
     inject_emptyinitrd_failure(){
-        truncate -s 0 $BUILD_DIR/unpack/initrd.img
+        truncate -s 0 "$BUILD_DIR/unpack/initrd.img"
     }
 
-    . $TESTSLIB/names.sh
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/names.sh
+    . "$TESTSLIB"/names.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
+    #shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB"/journalctl.sh
+
     if [ "$TARGET_SNAP" = kernel ]; then
         TARGET_SNAP_NAME=$kernel_name
     else
@@ -74,23 +82,32 @@
         snap list | awk "/^${TARGET_SNAP_NAME} / {print(\$3)}" > prevBoot
 
         # unpack current target snap
-        unsquashfs -d $BUILD_DIR/unpack /var/lib/snapd/snaps/${TARGET_SNAP_NAME}_$(cat prevBoot).snap
+        unsquashfs -no-progress -d "$BUILD_DIR/unpack" "/var/lib/snapd/snaps/${TARGET_SNAP_NAME}_$(cat prevBoot).snap"
 
         # set failure condition
-        eval ${INJECT_FAILURE}
+        eval "${INJECT_FAILURE}"
 
         # repack new target snap
-        snap pack $BUILD_DIR/unpack && mv ${TARGET_SNAP_NAME}_*.snap failing.snap
+        snap pack "$BUILD_DIR/unpack" && mv ${TARGET_SNAP_NAME}_*.snap failing.snap
+
+        # use journalctl wrapper to grep only the logs collected while the test is running
+        if get_journalctl_log | MATCH "Waiting for system reboot"; then
+            echo "Already waiting for system reboot, exiting..."
+            exit 1
+        fi
 
         # install new target snap
-        chg_id=$(snap install --dangerous failing.snap --no-wait)
+        snap install --dangerous failing.snap
 
-        while ! snap change ${chg_id}|grep -q "^Done.*Make snap.*available to the system" ; do sleep 1 ; done
+        # use journalctl wrapper to grep only the logs collected while the test is running
+        while ! check_journalctl_log "Waiting for system reboot"; do
+            sleep 1
+        done
 
         # check boot env vars
-        snap list | awk "/^${TARGET_SNAP_NAME} / {print(\$3)}" > failBoot
-        test "$(bootenv snap_${TARGET_SNAP})" = "${TARGET_SNAP_NAME}_$(cat prevBoot).snap"
-        test "$(bootenv snap_try_${TARGET_SNAP})" = "${TARGET_SNAP_NAME}_$(cat failBoot).snap"
+        readlink /snap/core/current > failBoot
+        test "$(bootenv snap_"${TARGET_SNAP}")" = "${TARGET_SNAP_NAME}_$(cat prevBoot).snap"
+        test "$(bootenv snap_try_"${TARGET_SNAP}")" = "${TARGET_SNAP_NAME}_$(cat failBoot).snap"
 
         REBOOT
     fi
@@ -105,12 +122,16 @@
         sleep 1
     done
 
+    # ensure the last install change failed as expected
+    snap change --last=install | MATCH "cannot finish core installation, there was a rollback across reboot"
+    snap change --last=install | MATCH "^Error.*Automatically connect"
+
     # and the boot env vars are correctly set
     echo "Waiting for snapd to clean snap_mode"
     while [ "$(bootenv snap_mode)" != "" ]; do
         sleep 1
     done
 
-    test "$(bootenv snap_${TARGET_SNAP})" = "${TARGET_SNAP_NAME}_$(cat prevBoot).snap"
+    test "$(bootenv snap_"${TARGET_SNAP}")" = "${TARGET_SNAP_NAME}_$(cat prevBoot).snap"
     # FIXME: reenable the last check when we reset properly snap_try_{core,kernel} on rollback
     # test "$(bootenv snap_try_${TARGET_SNAP})" = ""
diff -Nru snapd-2.32.3.2~14.04/tests/main/fakestore-install/task.yaml snapd-2.37~rc1~14.04/tests/main/fakestore-install/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/fakestore-install/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/fakestore-install/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -8,8 +8,9 @@
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/store.sh
-    teardown_fake_store $BLOB_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    teardown_fake_store "$BLOB_DIR"
   
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -19,12 +20,19 @@
 
     snap ack "$TESTSLIB/assertions/testrootorg-store.account-key"
 
-    . $TESTSLIB/store.sh
-    setup_fake_store $BLOB_DIR
 
-    . $TESTSLIB/snaps.sh
+    # Ensure that "core" is installed as it is a pre-requisite of the base but
+    # cannot be fetched from the fake store (important for core18).
+    snap install core
+
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    setup_fake_store "$BLOB_DIR"
+
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     snap_path=$(make_snap basic)
-    make_snap_installable $BLOB_DIR ${snap_path}
+    make_snap_installable "$BLOB_DIR" "${snap_path}"
 
     snap install basic
     snap info basic | MATCH "snap-id:[ ]+basic-id"
diff -Nru snapd-2.32.3.2~14.04/tests/main/fedora-base-smoke/task.yaml snapd-2.37~rc1~14.04/tests/main/fedora-base-smoke/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/fedora-base-smoke/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/fedora-base-smoke/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,17 @@
+summary: smoke test for Fedora 29 base snap
+
+details: |
+  Smoke test for checking if we can run hello-world like application against a
+  Fedora 29 base snap correctly.
+
+# not available on most arches in autopkgtest
+backends: [-autopkgtest]
+
+# The hello-fedora snap is just available for amd64 architecture
+systems: [-*-32, -*-arm*, -*-ppc64el, -*-s390x]
+
+execute: |
+  # This is explicit because fedora29 snap is still in edge.
+  snap install --edge fedora29
+  snap install hello-fedora
+  hello-fedora
diff -Nru snapd-2.32.3.2~14.04/tests/main/find-private/task.yaml snapd-2.37~rc1~14.04/tests/main/find-private/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/find-private/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/find-private/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -16,33 +16,36 @@
     snap logout || true
 
 execute: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     echo "When a snap is private it doesn't show up in the find without login and without specifying private search"
-    ! snap find test-snapd-private | MATCH "test-snapd-private +[0-9]+\.[0-9]+"
+    ! snap find test-snapd-private | MATCH 'test-snapd-private +[0-9]+\.[0-9]+'
 
     echo "When a snap is private it doesn't show up in the find --private results without login"
-    ! snap find test-snapd-private --private | MATCH "test-snapd-private +[0-9]+\.[0-9]+"
+    ! snap find test-snapd-private --private | MATCH 'test-snapd-private +[0-9]+\.[0-9]+'
 
     echo "Given account store credentials are available"
     # we don't have expect available on ubuntu-core, so the authenticated check need to be skipped on those systems
-    if [ ! -z "$SPREAD_STORE_USER" ] && [ ! -z "$SPREAD_STORE_PASSWORD" ] && [[ ! "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+    if [ -n "$SPREAD_STORE_USER" ] && [ -n "$SPREAD_STORE_PASSWORD" ] && is_classic_system; then
         echo "And the user has logged in"
-        expect -f $TESTSLIB/successful_login.exp
+        expect -f "$TESTSLIB"/successful_login.exp
 
         echo "Then a private snap belonging to that user shows up in the find results and nothing else"
         result=$(snap find test-snapd-private2 --private)
-        echo "$result" | MATCH "test-snapd-private2 +[0-9]+\.[0-9]+"
-        echo "$result" | MATCH -v "test-snapd-private +[0-9]+\.[0-9]+"
-        echo "$result" | MATCH -v "test-snapd-public +[0-9]+\.[0-9]+"
+        echo "$result" | MATCH 'test-snapd-private2 +[0-9]+\.[0-9]+'
+        echo "$result" | MATCH -v 'test-snapd-private +[0-9]+\.[0-9]+'
+        echo "$result" | MATCH -v 'test-snapd-public +[0-9]+\.[0-9]+'
 
         echo "And searching for private snaps shows all of them and anything else"
         result=$(snap find --private)
-        echo "$result" | MATCH "test-snapd-private2 +[0-9]+\.[0-9]+"
-        echo "$result" | MATCH "test-snapd-private +[0-9]+\.[0-9]+"
-        echo "$result" | MATCH -v "test-snapd-public +[0-9]+\.[0-9]+"
+        echo "$result" | MATCH 'test-snapd-private2 +[0-9]+\.[0-9]+'
+        echo "$result" | MATCH 'test-snapd-private +[0-9]+\.[0-9]+'
+        echo "$result" | MATCH -v 'test-snapd-public +[0-9]+\.[0-9]+'
 
         echo "And searching for public snaps does not show private ones"
         result=$(snap find test-snapd)
-        echo "$result" | MATCH -v "test-snapd-private2 +[0-9]+\.[0-9]+"
-        echo "$result" | MATCH -v "test-snapd-private +[0-9]+\.[0-9]+"
-        echo "$result" | MATCH "test-snapd-public +[0-9]+\.[0-9]+"
+        echo "$result" | MATCH -v 'test-snapd-private2 +[0-9]+\.[0-9]+'
+        echo "$result" | MATCH -v 'test-snapd-private +[0-9]+\.[0-9]+'
+        echo "$result" | MATCH 'test-snapd-public +[0-9]+\.[0-9]+'
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/generic-classic-reg/task.yaml snapd-2.37~rc1~14.04/tests/main/generic-classic-reg/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/generic-classic-reg/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/generic-classic-reg/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,7 +2,9 @@
     Ensure device initialisation registration works with the fallback
     generic/generi-classic model and we have a serial and can acquire
     a session macaroon
-systems: [-ubuntu-core-16-*]
+
+systems: [-ubuntu-core-*]
+
 execute: |
     echo "Wait for device initialisation to have been done"
     # this was in fact triggered around when core was installed
diff -Nru snapd-2.32.3.2~14.04/tests/main/help/task.yaml snapd-2.37~rc1~14.04/tests/main/help/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/help/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/help/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,24 @@
 summary: Check commands help
+
 systems: [+fedora-*]
-environment:
-    CMD/abort: abort
-    CMD/changes: changes
-    CMD/find: find
-    CMD/install: install
-    CMD/interfaces: interfaces
-    CMD/remove: remove
+
 execute: |
-    echo "Checking help for command $CMD"
-    expected="(?s)Usage:\n  snap \[OPTIONS\] $CMD.*?\n\nThe $CMD command .*?\nHelp Options:\n  -h, --help +Show this help message\n.*?"
-    snap $CMD --help | grep -Pzq "$expected"
+    bad=""
+    for CMD in $( GO_FLAGS_COMPLETION=1 snap | grep -evFx 'help|blame' ); do
+        printf "Checking help for command %-16s" "'$CMD':"
+        expected="Usage:\\n\\s+snap $CMD\\b.*\\n\\nThe $CMD command (?s).*\\.\\n"
+        actual="$( snap "$CMD" --help )"
+        if ! grep -Pzq "$expected" <<<"$actual"; then
+            bad=1
+            echo
+            echo "The output of 'snap $CMD --help' does not match the regular expression"
+            echo "'$expected':"
+            echo
+            echo "----------------"
+            echo "$actual"
+            echo "----------------"
+        else
+            echo " Ok."
+        fi
+    done
+    test ! "$bad"
diff -Nru snapd-2.32.3.2~14.04/tests/main/high-user-handling/task.yaml snapd-2.37~rc1~14.04/tests/main/high-user-handling/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/high-user-handling/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/high-user-handling/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -9,4 +9,4 @@
     userdel hightest
 
 execute: |
-    sudo -E -u hightest "$(which go)" run test.go
+    sudo -E -u hightest "$(command -v go)" run test.go
diff -Nru snapd-2.32.3.2~14.04/tests/main/i18n/task.yaml snapd-2.37~rc1~14.04/tests/main/i18n/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/i18n/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/i18n/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -17,10 +17,9 @@
 
     echo "Basic smoke test to ensure no locale causes crashes nor warnings"
     for p in /usr/share/locale/*; do
-        out=$( LANG=$(basename $p) snap 2>&1 >/dev/null )
-        if [ -n "$out" ]; then
-            echo "$p"
-            echo "$out"
-            exit 1
+        b=$( basename "$p" )
+        if ! SNAPPY_TESTING=1 LANG="$b" snap >/dev/null 2>&1; then
+            SNAPPY_TESTING=0 LANG="$b" snap 2>&1 >/dev/null | sed -e "s/[^ ]* [^ ]* /${b^^}: /" >> bad
         fi
     done
+    ! cat bad
diff -Nru snapd-2.32.3.2~14.04/tests/main/install/task.yaml snapd-2.37~rc1~14.04/tests/main/install/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,20 @@
+summary: Check that install works
+
+# limiting to ubuntu because we need a known fonts package
+# to install so that actual caches get generated
+systems: [ubuntu-16.04-64, ubuntu-18.04-64]
+
+prepare: |
+    apt install -y fonts-kiloji
+
+restore: |
+    apt autoremove -y fonts-kiloji
+
+execute: |
+    echo "With no fontconfig cache"
+    rm /var/cache/fontconfig/*
+
+    echo "Installing a snap generates a fontconfig cache"
+    snap install test-snapd-tools
+    ls /var/cache/fontconfig/*.cache-6
+    ls /var/cache/fontconfig/*.cache-7
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-cache/task.yaml snapd-2.37~rc1~14.04/tests/main/install-cache/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-cache/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-cache/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,10 @@
 summary: Check that download caching works
 
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     snap install test-snapd-tools
     snap remove test-snapd-tools
     snap install test-snapd-tools
-    for i in $(seq 10); do
-        if journalctl -u snapd | MATCH "using cache for .*/test-snapd-tools.*\.snap"; then
-            break
-        fi
-        sleep 1
-    done
-    journalctl -u snapd | MATCH "using cache for .*/test-snapd-tools.*\.snap"
+    check_journalctl_log 'using cache for .*/test-snapd-tools.*\.snap' -u snapd
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-closed-channel/task.yaml snapd-2.37~rc1~14.04/tests/main/install-closed-channel/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-closed-channel/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-closed-channel/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,9 @@
+summary: Check that installing a snap from a closed channel DTRT
+
+details: |
+    When a snap is installed from a closed channel, we're supposed to
+    "forward" to the next available risk level.
+
+execute: |
+    snap install --beta test-snapd-tools | MATCH '^Channel beta for test-snapd-tools is closed; temporarily forwarding to stable\.$'
+    snap info test-snapd-tools | MATCH 'tracking:.*beta'
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-errors/task.yaml snapd-2.37~rc1~14.04/tests/main/install-errors/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-errors/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-errors/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Checks for cli errors installing snaps
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 environment:
     SNAP_NAME: test-snapd-tools
@@ -11,8 +11,9 @@
 
 prepare: |
     echo "Given a snap with a failing command is installed"
-    . $TESTSLIB/snaps.sh
-    install_local $SNAP_NAME
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local "$SNAP_NAME"
 
 execute: |
     echo "Install unexisting snap prints error"
@@ -21,16 +22,12 @@
         exit 1
     fi
 
-    echo "============================================"
-
     echo "Install without snap name shows error"
     if snap install; then
         echo "Installing without snap name should fail"
         exit 1
     fi
 
-    echo "============================================"
-
     echo "Install points to sudo when not authenticated"
     if su - -c "snap install $SNAP_NAME" test 2>install.output; then
         echo "Unauthenticated install should fail"
@@ -38,26 +35,58 @@
     fi
     MATCH "try with sudo" < install.output
 
-    echo "============================================"
-
     echo "Calling a failing command from a snap should fail"
     if test-snapd-tools.fail; then
         echo "Failing snap commands should keep failing after installed"
         exit 1
     fi
 
-    echo "============================================"
-
     echo "Install a snap that is already installed shows a message"
     echo "but does "exit 0" (LP: #1622782)"
-    snap install $SNAP_NAME 2> stderr.out
+    snap install "$SNAP_NAME" 2> stderr.out
     MATCH "snap \"$SNAP_NAME\" is already installed" < stderr.out
 
-    echo "============================================"
-
     echo "Install ubuntu-core"
     if snap install ubuntu-core 2> stderr.out; then
         echo "Installing ubuntu-core should fail"
         exit 1
     fi
     MATCH 'cannot install "ubuntu-core", please use "core" instead' < stderr.out
+
+    echo "Install a snap that is only available in the edge channel"
+    if snap install test-snapd-just-edge 2>stderr.out; then
+        echo "Installing test-snapd-just-edge should fail but did not"
+        exit 1
+    fi
+    MATCH 'error: snap "test-snapd-just-edge" is not available on stable but' < stderr.out
+    MATCH "snap install --edge test-snapd-just-edge" < stderr.out
+
+    echo "Install a snap not available for the given architecture"
+    if [ "$(uname -m)" = "x86_64" ]; then
+        if snap install pi2-kernel 2>stderr.out; then
+            echo "Installing pi2-kernel should fail on amd64 systems but did not"
+            exit 1
+        fi
+        MATCH 'error: snap "pi2-kernel" is not available on stable for this architecture' < stderr.out
+    fi
+
+    echo "Install a snap with suspicious characters in its name"
+    if snap install atom ––classic 2>stderr.out; then
+        echo "snap install atom ––classic should have failed but did not"
+        exit 1
+    fi
+    MATCH 'characters that look like dashes but are not' < stderr.out
+
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    #shellcheck source=tests/lib/strings.sh
+    . "$TESTSLIB"/strings.sh
+
+    if is_classic_confinement_supported ; then
+        echo "Installing a strict snap in classic mode does not work"
+        if snap install --classic test-snapd-busybox-static 2>stderr.out; then
+            echo "snap install ––classic test-snapd-busybox-static should have failed but did not"
+            exit 1
+        fi
+        MATCH 'error: snap "test-snapd-busybox-static" is not compatible with --classic' < stderr.out
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-refresh-private/task.yaml snapd-2.37~rc1~14.04/tests/main/install-refresh-private/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-refresh-private/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-refresh-private/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,8 +1,5 @@
 summary: Check that install and refresh work with private snaps.
 
-# we don't have expect available on ubuntu-core, so the authenticated check need to be skipped on those systems
-systems: [-ubuntu-core-16-*]
-
 details: |
     These tests rely on the existence of a snap in the remote store set to private.
 
@@ -10,6 +7,9 @@
     snap set in the environment variables SPREAD_STORE_USER and SPREAD_STORE_PASSWORD, if
     they are not present then only the negative check is performed.
 
+# we don't have expect available on ubuntu-core, so the authenticated check need to be skipped on those systems
+systems: [-ubuntu-core-*]
+
 restore: |
     snap logout || true
 
@@ -19,17 +19,17 @@
 
     echo "Given account store credentials are available"
     # we don't have expect available on ubuntu-core, so the authenticated check need to be skipped on those systems
-    if [ ! -z "$SPREAD_STORE_USER" ] && [ ! -z "$SPREAD_STORE_PASSWORD" ]; then
+    if [ -n "$SPREAD_STORE_USER" ] && [ -n "$SPREAD_STORE_PASSWORD" ]; then
         echo "And the user has logged in"
-        expect -f $TESTSLIB/successful_login.exp
+        expect -f "$TESTSLIB"/successful_login.exp
 
         echo "Check that after login it can be installed"
         snap install test-snapd-private
-        snap list|MATCH "test-snapd-private +1\.0.*private"
+        snap list|MATCH 'test-snapd-private +1\.0.*private'
 
         echo "Check that refreshing also works"
         snap refresh --edge test-snapd-private
-        snap list|MATCH "test-snapd-private +2\.0.*private"
+        snap list|MATCH 'test-snapd-private +2\.0.*private'
 
         echo "After removing it"
         snap remove test-snapd-private
@@ -40,13 +40,13 @@
         echo "Switch both to edge"
         snap switch --edge test-snapd-private
         snap switch --edge test-snapd-public
-        snap list|MATCH "test-snapd-private +1\.0.*private"
-        snap list|MATCH "test-snapd-public +1\.0"
+        snap list|MATCH 'test-snapd-private +1\.0.*private'
+        snap list|MATCH 'test-snapd-public +1\.0'
 
         echo "Proceed to refresh all, in particular both of them"
         snap refresh
 
         echo "Check they were both refreshed"
-        snap list|MATCH "test-snapd-private +2\.0.*private"
-        snap list|MATCH "test-snapd-public +2\.0"
+        snap list|MATCH 'test-snapd-private +2\.0.*private'
+        snap list|MATCH 'test-snapd-public +2\.0'
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-refresh-remove-hooks/task.yaml snapd-2.37~rc1~14.04/tests/main/install-refresh-remove-hooks/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-refresh-remove-hooks/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-refresh-remove-hooks/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,17 @@
 summary: Check install, remove and pre-refresh/post-refresh hooks.
 
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
+
 environment:
-    REMOVE_HOOK_FILE: "$HOME/remove-hook-executed"
+    REMOVE_HOOK_FILE: "$HOME/snap/snap-hooks/common/remove-hook-executed"
 
 restore: |
-    rm -f $REMOVE_HOOK_FILE
+    rm -f "$REMOVE_HOOK_FILE"
 
 execute: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local snap-hooks
 
     echo "Verify configuration value with snap get"
@@ -42,7 +46,7 @@
     echo "Verify that remove hook is not executed when removing single revision"
     snap set snap-hooks exitcode=0
     snap remove --revision=x1 snap-hooks
-    if test -f $REMOVE_HOOK_FILE; then
+    if test -f "$REMOVE_HOOK_FILE"; then
         echo "Remove hook was executed. It shouldn't."
         exit 1
     fi
@@ -50,20 +54,20 @@
     echo "Verify that remove hook is executed"
     snap set snap-hooks exitcode=0
     snap remove snap-hooks
-    if ! test -f $REMOVE_HOOK_FILE; then
+    if ! test -f "$REMOVE_HOOK_FILE"; then
         echo "Remove hook was not executed"
         exit 1
     fi
 
     echo "Installing a snap with hooks again"
-    rm -f "$REMOVE_HOOK_FILE" 2>&1 > /dev/null
+    rm -f "$REMOVE_HOOK_FILE" > /dev/null 2>&1
     install_local snap-hooks
     snap connect snap-hooks:home
 
     echo "Forcing remove script to fail"
     snap set snap-hooks exitcode=1
     snap remove snap-hooks
-    EXITCODE_VALUE=$(cat $REMOVE_HOOK_FILE)
+    EXITCODE_VALUE=$(cat "$REMOVE_HOOK_FILE")
     if test "x$EXITCODE_VALUE" != "x1"; then
         echo "Remove hook was not executed"
         exit 1
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-remove-multi/task.yaml snapd-2.37~rc1~14.04/tests/main/install-remove-multi/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-remove-multi/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-remove-multi/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,3 +10,12 @@
     snap remove test-snapd-tools test-snapd-control-consumer
     snap list | MATCH -v test-snapd-tools
     snap list | MATCH -v test-snapd-control-consumer
+
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    echo "Installing of a snap with a desktop file creates the desktop file"
+    install_local basic-desktop 
+    test -e /var/lib/snapd/desktop/applications/basic-desktop_io.snapcraft.echoecho.desktop
+    echo "Removing a snap with a desktop file removes the desktop file again"
+    snap remove  basic-desktop
+    ! test -e /var/lib/snapd/desktop/applications/basic-desktop_io.snapcraft.echoecho.desktop
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-sideload/task.yaml snapd-2.37~rc1~14.04/tests/main/install-sideload/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-sideload/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-sideload/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,7 @@
 summary: Checks for snap sideload install
 
-prepare: |
-    for snap in basic test-snapd-tools basic-desktop test-snapd-devmode
-    do
-        snap pack $TESTSLIB/snaps/$snap
-    done
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
 
 environment:
     # Ensure that running purely from the deb (without re-exec) works
@@ -12,63 +9,74 @@
     SNAP_REEXEC/reexec0: 0
     SNAP_REEXEC/reexec1: 1
 
+prepare: |
+    for snap in basic test-snapd-tools basic-desktop test-snapd-devmode; do
+        snap pack "$TESTSLIB"/snaps/$snap
+    done
+
 restore: |
-    for snap in basic test-snapd-tools basic-desktop
-    do
+    for snap in basic test-snapd-tools basic-desktop; do
         rm -f ./${snap}_1.0_all.snap
     done
 
 execute: |
     echo "Sideloaded snap shows status"
-    expected="(?s)basic 1.0 installed\n\
-    .*"
-    snap install --dangerous ./basic_1.0_all.snap | grep -Pzq "$expected"
+    expected='^basic 1.0 installed$'
+    snap install --dangerous ./basic_1.0_all.snap | MATCH "$expected"
 
     echo "Sideloaded snap with (deprecated) --force-dangerous option"
     snap remove basic
-    snap install --force-dangerous ./basic_1.0_all.snap | grep -Pzq "$expected"
+    snap install --force-dangerous ./basic_1.0_all.snap | MATCH "$expected"
 
     echo "Sideloaded snap executes commands"
     snap install --dangerous ./test-snapd-tools_1.0_all.snap
     test-snapd-tools.success
     [ "$(test-snapd-tools.echo Hello World)" = "Hello World" ]
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "Sideload desktop snap"
     snap install --dangerous ./basic-desktop_1.0_all.snap
-    expected="\[Desktop Entry\]\n\
-    Name=Echo\n\
-    Comment=It echos stuff\n\
-    Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/basic-desktop_echo.desktop $SNAP_MOUNT_DIR/bin/basic-desktop.echo\n"
-    cat /var/lib/snapd/desktop/applications/basic-desktop_echo.desktop | grep -Pzq "$expected"
+    diff -u <(head -n4 /var/lib/snapd/desktop/applications/basic-desktop_echo.desktop) - <<-EOF
+    	[Desktop Entry]
+    	Name=Echo
+    	Comment=It echos stuff
+    	Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/basic-desktop_echo.desktop $SNAP_MOUNT_DIR/bin/basic-desktop.echo
+    EOF
+
+    #shellcheck source=tests/lib/strings.sh
+    . "$TESTSLIB"/strings.sh
 
     echo "Sideload devmode snap fails without flags"
     expected="requires devmode or confinement override"
-    ( snap install --dangerous ./test-snapd-devmode_1.0_all.snap 2>&1 || true ) | grep -Pzq "$expected"
+    str_to_one_line "$( snap install --dangerous ./test-snapd-devmode_1.0_all.snap 2>&1 )" | MATCH "$expected"
 
     echo "Sideload devmode snap succeeds with --devmode"
     expected="test-snapd-devmode 1.0 installed"
-    snap install --devmode ./test-snapd-devmode_1.0_all.snap | grep -Pq "$expected"
+    snap install --devmode ./test-snapd-devmode_1.0_all.snap | MATCH "$expected"
     expected="^test-snapd-devmode +.* +devmode"
-    snap list | grep -Pq  "$expected"
+    snap list | MATCH  "$expected"
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "Sideload devmode snap succeeds with --jailmode"
         expected="test-snapd-devmode 1.0 installed"
-        snap install --dangerous --jailmode ./test-snapd-devmode_1.0_all.snap | grep -Pq "$expected"
+        snap install --dangerous --jailmode ./test-snapd-devmode_1.0_all.snap | MATCH "$expected"
         expected="^test-snapd-devmode +.* +jailmode"
-        snap list | grep -Pq  "$expected"
+        snap list | MATCH "$expected"
     fi
 
     echo "Sideload devmode snap fails with both --devmode and --jailmode"
     expected="cannot use devmode and jailmode flags together"
-    ( snap install --devmode --jailmode ./test-snapd-devmode_1.0_all.snap 2>&1 || true ) | grep -Pzq "$expected"
+    ( snap install --devmode --jailmode ./test-snapd-devmode_1.0_all.snap 2>&1 || true ) | MATCH "$expected"
 
     echo "Sideload a second time succeeds"
     snap install --dangerous ./test-snapd-tools_1.0_all.snap
     test-snapd-tools.success
 
+    echo "All snap blobs are 0600"
+    test "$( find /var/lib/snapd/{snaps,cache,seed/snaps}/ -type f -printf '%#m\n' | sort -u | xargs )" = "0600"
+
     # TODO: check we copy the data directory over
 
     echo "Remove --revision works"
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-sideload-epochs/task.yaml snapd-2.37~rc1~14.04/tests/main/install-sideload-epochs/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-sideload-epochs/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-sideload-epochs/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+summary: Checks for snap sideload install w/mismatched epochs
+
+environment:
+    # Ensure that running purely from the deb (without re-exec) works
+    # correctly
+    SNAP_REEXEC/reexec0: 0
+    SNAP_REEXEC/reexec1: 1
+
+prepare: |
+    snap pack "$TESTSLIB"/snaps/test-snapd-epoch-1
+    snap pack "$TESTSLIB"/snaps/test-snapd-epoch-2
+
+restore: |
+    rm -v test-snapd-epoch_{1,2}_all.snap
+
+execute: |
+    rx="cannot refresh \"[^ \"]*\" to local snap with epoch [^ ]*, because it can't read the current epoch"
+    snap try "$TESTSLIB"/snaps/test-snapd-epoch-1
+    ! snap try "$TESTSLIB"/snaps/test-snapd-epoch-2 2> try.err
+    tr -s "\n " "  "  < try.err      | MATCH "$rx"
+
+    ! snap install --dangerous test-snapd-epoch_2_all.snap 2>install.err
+    tr -s "\n " "  "  < install.err  | MATCH "$rx"
+
+    snap remove test-snapd-epoch
+    snap install --dangerous test-snapd-epoch_2_all.snap
+    ! snap install --dangerous test-snapd-epoch_1_all.snap 2>install1.err
+    tr -s "\n " "  "  < install1.err  | MATCH "$rx"
+
+    snap remove test-snapd-epoch
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-snaps/task.yaml snapd-2.37~rc1~14.04/tests/main/install-snaps/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-snaps/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-snaps/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -75,48 +75,60 @@
     systemctl daemon-reload
     systemctl restart snapd.socket
 
+    if [ ! -d '/snap' ]; then
+        #shellcheck source=tests/lib/dirs.sh
+        . "$TESTSLIB/dirs.sh"
+        ln -s "$SNAP_MOUNT_DIR" /snap
+    fi
+
 restore: |
     mv /etc/systemd/system/snapd.service.d/local.conf.bak /etc/systemd/system/snapd.service.d/local.conf
     systemctl daemon-reload
     systemctl restart snapd.socket
 
+    if [ -L /snap ]; then
+        unlink /snap
+    fi
+
 execute: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
 
     CHANNELS="stable candidate beta edge"
     for CHANNEL in $CHANNELS; do
-        if ! CHANNEL_INFO="$(snap info $SNAP | grep " $CHANNEL: ")"; then
+        # shellcheck disable=SC2153
+        if ! CHANNEL_INFO="$(snap info "$SNAP" | grep " $CHANNEL: ")"; then
             echo "Snap $SNAP not found"
             exit
         fi
-        if echo $CHANNEL_INFO | MATCH "$CHANNEL:.*–"; then
+        if echo "$CHANNEL_INFO" | MATCH "$CHANNEL:.*–"; then
             continue
         fi
 
-        if echo $CHANNEL_INFO | MATCH "$CHANNEL:.*classic"; then
+        if echo "$CHANNEL_INFO" | MATCH "$CHANNEL:.*classic"; then
             if is_classic_confinement_supported; then
-                snap install $SNAP --$CHANNEL --classic
+                snap install "$SNAP" "--$CHANNEL" --classic
             else
                 echo "The snap $SNAP requires classic confinement which is not supported yet"
                 exit
             fi
-        elif echo $CHANNEL_INFO | MATCH "$CHANNEL:.*jailmode"; then
-            snap install $SNAP --$CHANNEL --jailmode
-        elif echo $CHANNEL_INFO | MATCH "$CHANNEL:.*devmode"; then
-            snap install $SNAP --$CHANNEL --devmode
+        elif echo "$CHANNEL_INFO" | MATCH "$CHANNEL:.*jailmode"; then
+            snap install "$SNAP" "--$CHANNEL" --jailmode
+        elif echo "$CHANNEL_INFO" | MATCH "$CHANNEL:.*devmode"; then
+            snap install "$SNAP" "--$CHANNEL" --devmode
         else
-            snap install $SNAP --$CHANNEL
+            snap install "$SNAP" "--$CHANNEL"
         fi
         break
     done
 
     echo "Check the snap is properly installed"
-    snap list | MATCH $SNAP
+    snap list | MATCH "$SNAP"
 
     echo "Check the snap is properly removed"
-    snap remove $SNAP
+    snap remove "$SNAP"
 
-    if snap list | MATCH $SNAP; then
+    if snap list | MATCH "$SNAP"; then
         echo "Snap $SNAP not removed properly"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-socket-activation/task.yaml snapd-2.37~rc1~14.04/tests/main/install-socket-activation/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-socket-activation/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-socket-activation/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,11 +4,11 @@
     This installs a snap which define sockets for systemd socket activation.
 
 prepare: |
-    snap pack $TESTSLIB/snaps/socket-activation
-    snap install --dangerous socket-activation_1.0_all.snap
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local socket-activation
 
 restore: |
-    rm -f socket-activation_1.0_all.snap
     systemctl daemon-reload
 
 execute: |
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-store/task.yaml snapd-2.37~rc1~14.04/tests/main/install-store/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-store/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-store/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,7 @@
 summary: Checks for special cases of snap install from the store
 
-systems: [ubuntu-*]
+# run on ubuntu-14,16,18,20+ but not on ubuntu-core, fedora etc
+systems: [ubuntu-1*, ubuntu-2*, ubuntu-3*]
 
 environment:
     SNAP_NAME: test-snapd-tools
@@ -12,30 +13,35 @@
 
 execute: |
     echo "Install from different channels"
-    expected="(?s)$SNAP_NAME .* from 'canonical' installed\n"
+    expected="(?s)$SNAP_NAME .* from Canonical\\* installed\\n"
     for channel in edge beta candidate stable
     do
-        snap install $SNAP_NAME --channel=$channel | grep -Pzq "$expected"
-        snap remove $SNAP_NAME
+        snap install --unicode=never "$SNAP_NAME" --channel=$channel | grep -Pzq "$expected"
+        snap remove "$SNAP_NAME"
     done
 
     echo "Install non-devmode snap with devmode option"
-    expected="(?s)$SNAP_NAME .* from 'canonical' installed\n"
-    snap install $SNAP_NAME --devmode | grep -Pzq "$expected"
+    expected="(?s)$SNAP_NAME .* from Canonical\\* installed\\n"
+    snap install --unicode=never "$SNAP_NAME" --devmode | grep -Pzq "$expected"
 
     echo "Install devmode snap without devmode option"
     expected="repeat the command including --devmode"
-    ( snap install --channel beta $DEVMODE_SNAP 2>&1 && exit 1 || true ) | MATCH -z "${expected// /[[:space:]]+}"
+    #shellcheck disable=SC2015
+    ( snap install --channel beta "$DEVMODE_SNAP" 2>&1 && exit 1 || true ) | MATCH -z "${expected// /[[:space:]]+}"
 
     echo "Install devmode snap from stable"
-    expected="snap \"${DEVMODE_SNAP}\" not found"
-    actual=$(snap install --devmode $DEVMODE_SNAP 2>&1 && exit 1 || true)
+    expected='error: snap "'"$DEVMODE_SNAP"'" is not available on stable but'
+    #shellcheck disable=SC2015
+    actual=$(snap install --devmode "$DEVMODE_SNAP" 2>&1 && exit 1 || true)
     echo "$actual" | grep -Pzq "$expected"
 
     echo "Install devmode snap from beta with devmode option"
     expected="(?s)$DEVMODE_SNAP .*"
-    actual=$(snap install --channel beta --devmode $DEVMODE_SNAP)
+    actual=$(snap install --channel beta --devmode "$DEVMODE_SNAP")
     echo "$actual" | grep -Pzq "$expected"
 
     echo "Install a snap that contains bash-completion scripts"
     snap install --edge test-snapd-complexion
+
+    echo "All snap blobs are 0600"
+    test "$( find /var/lib/snapd/{snaps,cache,seed/snaps}/ -type f -printf '%#m\n' | sort -u | xargs )" = "0600"
diff -Nru snapd-2.32.3.2~14.04/tests/main/install-store-laaaarge/task.yaml snapd-2.37~rc1~14.04/tests/main/install-store-laaaarge/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/install-store-laaaarge/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/install-store-laaaarge/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,20 @@
 summary: snap install a large snap from the store (bigger than tmpfs)
 
 prepare: |
-    systemctl stop snapd.{service,socket}
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+
+    systemd_stop_units snapd.service snapd.socket
     mount -t tmpfs -o rw,nosuid,nodev,size=4 none /tmp
     systemctl start snapd.{socket,service}
 
 restore: |
-    systemctl stop snapd.{service,socket}
-    umount /tmp || true
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+
+    systemd_stop_units snapd.service snapd.socket
+    # Umount lazy to avoid busy device error
+    umount -l /tmp
     systemctl start snapd.{socket,service}
 
 execute: |
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-account-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-account-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-account-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-account-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,27 +4,33 @@
     This test makes sure that a snap using the account-control interface
     can handle the user accounts properly.
 
-systems: [ubuntu-core-16-64]
+systems: [ubuntu-core-16-64, ubuntu-core-18-64]
+
+environment:
+    TSNAP/ac: account-control-consumer
+    TSNAP/accore18: account-control-consumer-core18
 
 prepare: |
     echo "Given a snap declaring a plug on account-control is installed"
-    . $TESTSLIB/snaps.sh
-    install_local account-control-consumer
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local "$TSNAP"
 
     echo "And the account-control plug is connected"
-    snap connect account-control-consumer:account-control
+    snap connect "$TSNAP":account-control
 
 restore: |
     echo "Ensure alice is gone from the system"
     for f in /var/lib/extrausers/*; do
-        sed -i '/^alice:/d' $f
+        sed -i '/^alice:/d' "$f"
     done
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
-    $SNAP_MOUNT_DIR/bin/account-control-consumer.useradd --extrausers alice
-    echo alice:password | $SNAP_MOUNT_DIR/bin/account-control-consumer.chpasswd
+    "$SNAP_MOUNT_DIR"/bin/"$TSNAP".useradd --extrausers alice
+    echo alice:password | "$SNAP_MOUNT_DIR"/bin/"$TSNAP".chpasswd
 
     # User deletion is unsupported yet on Core: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1659534
-    # $SNAP_MOUNT_DIR/bin/account-control-consumer.userdel --extrausers alice
+    # $SNAP_MOUNT_DIR/bin/"$TSNAP".userdel --extrausers alice
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-accounts-service/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-accounts-service/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-accounts-service/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-accounts-service/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -11,47 +11,70 @@
     XDG_CACHE_HOME: $(pwd)/cache
 
 prepare: |
-    . $TESTSLIB/pkgdb.sh
-    echo "Ensure we have a working goa-daemon"
-    distro_install_package gnome-online-accounts
+    if pgrep goa-daemon; then
+        echo "precondtion failed, goa-daemon already running!"
+        exit 1
+    fi
+
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
     snap install --edge test-snapd-accounts-service
-    mkdir -p $XDG_CONFIG_HOME $XDG_DATA_HOME $XDG_CACHE_HOME
+    mkdir -p "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME"
 
 restore: |
-    . $TESTSLIB/pkgdb.sh
-    kill $(cat dbus-launch.pid)
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
+    # this will also kill the "gdbus monitor" command
+    kill "$(cat dbus-launch.pid)"
     rm -f dbus-launch.pid
-    rm -rf $XDG_CONFIG_HOME $XDG_DATA_HOME $XDG_CACHE_HOME
+    rm -f dbus.env
+    rm -rf "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME"
+    # usually not needed, this should die when dbus goes down
+    kill "$(cat gdbus-monitor.pid)" || true
+    pkill goa-daemon || true
+debug: |
+    ps aux
+    cat gdbus.log || true
+    if [[ -f dbus.env ]]; then
+        #shellcheck disable=SC1091
+        source dbus.env
+        busctl --user status org.gnome.OnlineAccounts
+    fi
 
 execute: |
-    CONNECTED_PATTERN=":accounts-service +test-snapd-accounts-service"
-    DISCONNECTED_PATTERN="\- +test-snapd-accounts-service:accounts-service"
-
     echo "Ensure things run"
-    eval $(dbus-launch --sh-syntax)
+    dbus-launch --sh-syntax > dbus.env
+    #shellcheck disable=SC1091
+    source dbus.env
     echo "$DBUS_SESSION_BUS_PID" > dbus-launch.pid
-    eval $(printf password|gnome-keyring-daemon --login)
-    eval $(gnome-keyring-daemon --start)
+
+    # the test failed often in the past, log all dbus activity to ease debugging
+    dbus-monitor --session >gdbus.log 2>&1 &
+    echo "$!" > gdbus-monitor.pid
+
+    eval "$(printf password|gnome-keyring-daemon --login)"
+    eval "$(gnome-keyring-daemon --start)"
 
     echo "Creating account"
     # We set a long timeout here because goa-daemon will be activated
     # by the method call, and this can take a while on heavily loaded
     # or IO constrianed VMs.
-    gdbus call --session --timeout 300 \
-      --dest=org.gnome.OnlineAccounts \
-      --object-path=/org/gnome/OnlineAccounts/Manager \
-      --method=org.gnome.OnlineAccounts.Manager.AddAccount \
+    busctl call --verbose --user --timeout 300 \
+      org.gnome.OnlineAccounts \
+      /org/gnome/OnlineAccounts/Manager \
+      org.gnome.OnlineAccounts.Manager AddAccount \
+      'sssa{sv}a{ss}' \
       "imap_smtp" \
       "test@example.com" \
       "Display Name" \
-      "{}" \
-      "{'Enabled': 'true', 'EmailAddress': 'test@example.com', 'Name': 'Test User', 'ImapHost': 'imap.example.com', 'SmtpHost': 'mail.example.com'}"
+      0 \
+      5 'Enabled' 'true' 'EmailAddress' 'test@example.com' 'Name' 'Test User' 'ImapHost' 'imap.example.com' 'SmtpHost': 'mail.example.com'
 
     echo "The interface is initially disconnected"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i accounts-service | MATCH '\- +test-snapd-accounts-service:accounts-service'
+    #shellcheck disable=SC2015
     test-snapd-accounts-service.list-accounts && exit 1 || true
 
     echo "When the plug is connected"
     snap connect test-snapd-accounts-service:accounts-service
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
     test-snapd-accounts-service.list-accounts | MATCH "Display Name at IMAP and SMTP"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-adb-support/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-adb-support/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-adb-support/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-adb-support/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,23 @@
+summary: Ensure that adb-support creates udev rules
+details: |
+    Connecting the adb-support plug to a matching slot adds appropriate udev
+    rules to the system. Before such connection is placed there are no
+    wide-open, write-access rules present.
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-adb-support
+execute: |
+    # If there are any udev rules from existing snaps they are not granting
+    # writable-to-all permission to anything. This part is conditional because
+    # some systems have the network manager installed and such systems will get
+    # additional rules.
+    if [ "$(find /etc/udev/rules.d -name '70-snap.*.rules' | wc -l)" -gt 0 ]; then
+        MATCH -v adb-support /etc/udev/rules.d/70-snap.*.rules
+        MATCH -v 'MODE="0666"' /etc/udev/rules.d/70-snap.*.rules
+    fi
+    snap connect test-snapd-adb-support:adb-support
+    # Once the snap is connected there are adb-support udev rules that grant
+    # write-all permissions.
+    MATCH "Concatenation of all adb-support udev rules" /etc/udev/rules.d/70-snap.*.rules
+    MATCH 'MODE="0666"' /etc/udev/rules.d/70-snap.*.rules
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-alsa/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-alsa/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-alsa/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-alsa/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Ensure that the alsa interface works.
 
-# Spread system for Fedora, openSUSE doesn't seem to provide any /dev/snd entries
-systems: [-fedora-*, -opensuse-*]
+# Spread system for Fedora, openSUSE and AMZN2 don't seem to provide any /dev/snd entries
+systems: [-fedora-*, -opensuse-*, -amazon-*, -centos-*]
 
 details: |
     The alsa interface allows connected plugs to access raw ALSA devices.
@@ -18,24 +18,16 @@
 
 prepare: |
     echo "Given a snap declaring a plug on the alsa interface is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_generic_consumer alsa
 
 restore: |
-    rm -f *.error /dev/snd/mysnd-dev
+    rm -f ./*.error /dev/snd/mysnd-dev
 
 execute: |
-    CONNECTED_PATTERN=":alsa +generic-consumer"
-    DISCONNECTED_PATTERN="\- +generic-consumer:alsa"
-
-    echo "The plug is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
-
     echo "When the plug is connected"
     snap connect generic-consumer:alsa
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     if ! [ -d /dev/snd/ ]; then
         echo "No sound devices available in the system"
@@ -65,11 +57,8 @@
         exit 0
     fi
 
-    echo "==================================="
-
     echo "When the plug is disconnected"
     snap disconnect generic-consumer:alsa
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "The snap is not able to access snd devices"
     if generic-consumer.cmd touch /dev/snd/mysnd-dev 2>snd-create.error; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-autopilot-introspection/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-autopilot-introspection/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-autopilot-introspection/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-autopilot-introspection/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -7,46 +7,47 @@
     The test uses an snap that declares a plug on autopilot-intrsopection, it
     needs to request a dbus name on start so that its state can be queried.
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 prepare: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     echo "Given a snap declaring an autopilot-intrspection plug in installed"
     snap install --edge test-snapd-autopilot-consumer
 
     echo "And the provider dbus loop is started"
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
     start_dbus_unit $SNAP_MOUNT_DIR/bin/test-snapd-autopilot-consumer.provider
 
 restore: |
-    rm -f *.error
+    rm -f ./*.error
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
     stop_dbus_unit
 
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     dbus_send(){
         local method="$1"
-        echo $(dbus-send --print-reply --dest=com.canonical.Autopilot.Introspection /com/canonical/Autopilot/Introspection com.canonical.Autopilot.Introspection.${method})
+        dbus-send --print-reply --dest=com.canonical.Autopilot.Introspection /com/canonical/Autopilot/Introspection "com.canonical.Autopilot.Introspection.${method}"
     }
 
-    CONNECTED_PATTERN=":autopilot-introspection +test-snapd-autopilot-consumer"
-    DISCONNECTED_PATTERN="^\- +test-snapd-autopilot-consumer:autopilot-introspection"
-
+    #shellcheck disable=SC2046
     export $(cat dbus.env)
 
     echo "Then the plug is disconnected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i autopilot-introspection | MATCH '^\- +test-snapd-autopilot-consumer:autopilot-introspection'
 
     echo "When the plug is connected"
     snap connect test-snapd-autopilot-consumer:autopilot-introspection
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the dbus name is properly reserved and the snap app version can be introspected"
 
-    for i in $(seq 10); do
+    for _ in $(seq 10); do
         if ! dbus_send GetVersion | MATCH "my-ap-version"; then
             sleep 1
         else
@@ -62,22 +63,19 @@
         exit 0
     fi
 
-    echo "================================="
-
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "When the plug is disconnected"
         snap disconnect test-snapd-autopilot-consumer:autopilot-introspection
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
         echo "Then the snap version is not introspectable"
-        if $SNAP_MOUNT_DIR/bin/test-snapd-autopilot-consumer.consumer GetVersion 2>${PWD}/getversion.error ; then
+        if $SNAP_MOUNT_DIR/bin/test-snapd-autopilot-consumer.consumer GetVersion 2>"${PWD}"/getversion.error ; then
             echo "Expected permission error trying to introspect version with disconnected plug"
             exit 1
         fi
         MATCH "Permission denied" < getversion.error
 
         echo "And the snap state is not introspectable"
-        if $SNAP_MOUNT_DIR/bin/test-snapd-autopilot-consumer.consumer GetState 2>${PWD}/getstate.error; then
+        if $SNAP_MOUNT_DIR/bin/test-snapd-autopilot-consumer.consumer GetState 2>"${PWD}"/getstate.error; then
             echo "Expected permission error trying to introspect state with disconnected plug"
             exit 1
         fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-avahi-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-avahi-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-avahi-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-avahi-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,15 +1,14 @@
 summary: check that avahi-observe interface works
 
-systems: [-ubuntu-core-*, -fedora-*, -opensuse-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
     echo "Given a snap with an avahi-observe interface plug is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_generic_consumer avahi-observe,unity7
 
-    echo "And avahi-daemon is installed and configured"
-    . $TESTSLIB/pkgdb.sh
-    distro_install_package avahi-daemon
+    echo "And avahi-daemon is configured"
     sed -i 's/^#enable-dbus=yes/enable-dbus=yes/' /etc/avahi/avahi-daemon.conf
     if [[ "$SPREAD_SYSTEM" = ubuntu-14.04-* ]]; then
         initctl reload-configuration
@@ -20,23 +19,19 @@
     fi
 
 restore: |
-    rm -f *.error
-    . $TESTSLIB/pkgdb.sh
-    distro_purge_package avahi-daemon
-    distro_auto_remove_packages
+    rm -f ./*.error
 
 execute: |
-    CONNECTED_PATTERN=":avahi-observe +generic-consumer"
-    DISCONNECTED_PATTERN="^\- +generic-consumer:avahi-observe"
-
-    avahi_dbus_call="dbus-send --system --print-reply --dest=org.freedesktop.Avahi / org.freedesktop.Avahi.Server.GetHostName"
+    avahi_dbus_call() {
+        generic-consumer.cmd dbus-send --system --print-reply --dest=org.freedesktop.Avahi / org.freedesktop.Avahi.Server.GetHostName
+    }
 
     echo "Then the plug is disconnected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i avahi-observe | MATCH '^\- +generic-consumer:avahi-observe'
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "And the snap is not able to access avahi provided info"
-        if generic-consumer.cmd $avahi_dbus_call 2>avahi.error; then
+        if avahi_dbus_call 2>avahi.error; then
             echo "Expected error with disconnected plug didn't happen"
             exit 1
         fi
@@ -45,8 +40,7 @@
 
     echo "When the plug is connected"
     snap connect generic-consumer:avahi-observe
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to access avahi provided info"
-    hostname=$(cat /etc/hostname)
-    generic-consumer.cmd $avahi_dbus_call | MATCH "$hostname"
+    hostname=$(hostname)
+    avahi_dbus_call | MATCH "$hostname"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-bluetooth-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-bluetooth-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-bluetooth-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-bluetooth-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,56 +5,56 @@
 
 prepare: |
     echo "Given a snap declaring a plug on bluetooth-control is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_generic_consumer bluetooth-control
 
 restore: |
-    rm -f *.error version class control
+    rm -f ./*.error version class control
 
 execute: |
-    CONNECTED_PATTERN=":bluetooth-control +generic-consumer"
-    DISCONNECTED_PATTERN="^\- +generic-consumer:bluetooth-control"
     BTDEV="$(find /sys/devices/ -type d -name bluetooth)"
 
     echo "Then the plug is disconnected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    #shellcheck disable=SC1117
+    snap interfaces -i bluetooth-control | MATCH "^\- +generic-consumer:bluetooth-control"
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "And the snap is not able to read usb"
-        if su -l -c "/snap/bin/generic-consumer.cmd cat /sys/bus/usb/drivers/btusb/module/version 2>${PWD}/btusb.error" test; then
+        if su -l -c "/snap/bin/generic-consumer.cmd cat /sys/bus/usb/drivers/btusb/module/version" test 2>"${PWD}/btusb.error"; then
             echo "Expected error with disconnected plug didn't happen"
             exit 1
         fi
-        cat btusb.error | MATCH "Permission denied"
+        MATCH "Permission denied" < btusb.error
 
         echo "And the snap is not able to read class"
-        if su -l -c "/snap/bin/generic-consumer.cmd cat /sys/class/bluetooth/*/name 2>${PWD}/btclass.error" test; then
+        if su -l -c "/snap/bin/generic-consumer.cmd cat /sys/class/bluetooth/*/name" test 2>"${PWD}/btclass.error"; then
             echo "Expected error with disconnected plug didn't happen"
             exit 1
         fi
-        cat btclass.error | MATCH "Permission denied"
+        MATCH "Permission denied" < btclass.error
 
         echo "And the snap is not able to read dev"
-        if su -l -c "/snap/bin/generic-consumer.cmd cat $BTDEV/*/power/control 2>${PWD}/btdev-read.error" test; then
+        if su -l -c "/snap/bin/generic-consumer.cmd cat $BTDEV/*/power/control" test 2>"${PWD}/btdev-read.error"; then
             echo "Expected error with disconnected plug didn't happen"
             exit 1
         fi
-        cat btdev-read.error | MATCH "Permission denied"
+        MATCH "Permission denied" < btdev-read.error
     fi
 
     echo "When the plug is connected"
     snap connect generic-consumer:bluetooth-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to read usb"
+    #shellcheck disable=SC2002
     cat /sys/bus/usb/drivers/btusb/module/version | tee version
     # the next check is disabled because of https://bugs.launchpad.net/snapd/+bug/1698412
-    # [ $(su -l -c "/snap/bin/generic-consumer.cmd cat /sys/bus/usb/drivers/btusb/module/version" test) = $(cat version) ]
+    # [ "$(su -l -c '/snap/bin/generic-consumer.cmd cat /sys/bus/usb/drivers/btusb/module/version' test)" = "$(cat version)" ]
 
     echo "And the snap is able to read class"
     cat /sys/class/bluetooth/*/name | tee class
-    [ $(su -l -c "/snap/bin/generic-consumer.cmd cat /sys/class/bluetooth/*/name" test) = $(cat class) ]
+    [ "$(su -l -c '/snap/bin/generic-consumer.cmd cat /sys/class/bluetooth/*/name' test)" = "$(cat class)" ]
 
     echo "And the snap is able to read dev"
-    cat $BTDEV/*/power/control | tee control
-    [ $(su -l -c "/snap/bin/generic-consumer.cmd cat $BTDEV/*/power/control" test) = $(cat control) ]
+    cat "$BTDEV"/*/power/control | tee control
+    [ "$(su -l -c '/snap/bin/generic-consumer.cmd cat '"$BTDEV"'/*/power/control' test)" = "$(cat control)" ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-bluez/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-bluez/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-bluez/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-bluez/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -11,9 +11,11 @@
     SNAP_NAME: bluez
 
 execute: |
-    echo "Installing bluez snap from the store ..."
-    expected="(?s)$SNAP_NAME .* from 'canonical' installed\n"
-    snap install $SNAP_NAME | grep -Pzq "$expected"
+    if ! snap list --unicode=never bluez &> /dev/null ; then
+        echo "Installing bluez snap from the store ..."
+        expected="(?s)$SNAP_NAME .* from Canonical\\* installed\\n"
+        snap install "$SNAP_NAME" | grep -Pzq "$expected"
+    fi
 
     echo "Connecting bluez snap plugs/slots ..."
     snap connect bluez:client bluez:service
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-broadcom-asic-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-broadcom-asic-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-broadcom-asic-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-broadcom-asic-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,22 @@
 summary: Ensure that the broadcom-asic-control interface works.
 
+# We need to run the broadcom-asic-control test very early. The reason is
+# that this test will modprobe linux-*-bde which will try to allocate a
+# huge page. One the system ran for a while no chunk of memory like this
+# will be not be available and the kernel will oops with:
+#   "modprobe: page allocation failure: order:7, mode:0xxxx"
+priority: 200
+
 details: |
     The broadcom-asic-control interface allow access to broadcom asic kernel module.
 
 prepare: |
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-broadcom-asic-control
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
 
-    . $TESTSLIB/files.sh
+    #shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB"/files.sh
     ensure_file_exists_backup_real /dev/linux-user-bde
     ensure_file_exists_backup_real /dev/linux-kernel-bde
     ensure_file_exists_backup_real /dev/linux-bcm-knet
@@ -17,7 +26,8 @@
 restore: |
     rm -f call.error
 
-    . $TESTSLIB/files.sh
+    #shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB"/files.sh
     clean_file /dev/linux-user-bde
     clean_file /dev/linux-kernel-bde
     clean_file /dev/linux-bcm-knet
@@ -26,19 +36,19 @@
 
 execute: |
     echo "When the interface is connected"
-    snap connect test-snapd-broadcom-asic-control:broadcom-asic-control
+    snap connect test-snapd-sh:broadcom-asic-control
 
     echo "Then the snap is able to read the system modules directories"
     for module in "linux_bcm_knet" "linux_kernel_bde" "linux_user_bde"; do
         if [ -d /sys/module/$module ]; then
-            test-snapd-broadcom-asic-control.sh -c "ls /sys/module/$module"
+            test-snapd-sh.with-broadcom-asic-control-plug -c "ls /sys/module/$module"
         fi
     done
 
     echo "Then the snap is able to read/write the system modules devices"
     for device in "linux-bcm-knet" "linux-kernel-bde" "linux-user-bde"; do
-        test-snapd-broadcom-asic-control.sh -c "cat /dev/$device"
-        test-snapd-broadcom-asic-control.sh -c "echo test >> /dev/$device"
+        test-snapd-sh.with-broadcom-asic-control-plug -c "cat /dev/$device"
+        test-snapd-sh.with-broadcom-asic-control-plug -c "echo test >> /dev/$device"
     done
 
     echo "Then the snap is able to read pci devices info"
@@ -50,26 +60,26 @@
         subsystem_device="$(find /sys/devices/pci0000:00/ -name subsystem_device | head -n1)"
 
         for file in "$config" "$vendor" "$device" "$subsystem_vendor" "$subsystem_device"; do
-            if ! [ -z $file ]; then
-                test-snapd-broadcom-asic-control.sh -c "cat $file"
+            if [ -n "$file" ]; then
+                test-snapd-sh.with-broadcom-asic-control-plug -c "cat $file"
             fi
         done
     fi
 
     if [ -d /sys/bus/pci/devices ]; then
-        test-snapd-broadcom-asic-control.sh -c "ls /sys/bus/pci/devices/"
+        test-snapd-sh.with-broadcom-asic-control-plug -c "ls /sys/bus/pci/devices/"
     fi
-    test-snapd-broadcom-asic-control.sh -c "cat /run/udev/data/+pci:0test"
+    test-snapd-sh.with-broadcom-asic-control-plug -c "cat /run/udev/data/+pci:0test"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-broadcom-asic-control:broadcom-asic-control
+    snap disconnect test-snapd-sh:broadcom-asic-control
 
     echo "Then the snap is not able to read the device"
-    if test-snapd-broadcom-asic-control.sh -c "cat /dev/linux-bcm-knet" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-broadcom-asic-control-plug -c "cat /dev/linux-bcm-knet" 2>"${PWD}"/call.error; then
         echo "Expected permission error accessing to device"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-browser-support/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-browser-support/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-browser-support/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-browser-support/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -34,33 +34,32 @@
     echo "Given a snap declaring a plug on browser-support with allow-sandbox set to $ALLOW_SANDBOX is installed"
     cp -ar "$TESTSLIB/snaps/browser-support-consumer" .
     sed "s/@ALLOW_SANDBOX@/$ALLOW_SANDBOX/" browser-support-consumer/meta/snap.yaml.in > browser-support-consumer/meta/snap.yaml
+    chmod 644 browser-support-consumer/meta/snap.yaml
     snap pack browser-support-consumer browser-support-consumer
     snap install --dangerous browser-support-consumer/*.snap
     rm -rf browser-support-consumer
 
 restore: |
-    rm -f *.error /var/tmp/test
+    rm -f ./*.error /var/tmp/test
     for file in $OWNED_FILES $READABLE_FILES $READABLE_WITH_SANDBOX_FILES; do
-        rm -f $file
+        rm -f "$file"
     done
 
-    for dir in $(cat created_dirs); do
-        rm -rf $dir
-    done
+    while read -r dir; do
+        rm -rf "$dir"
+    done < created_dirs
     rm -f created_dirs
 
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
-    CONNECTED_PATTERN=":browser-support +browser-support-consumer"
-    DISCONNECTED_PATTERN="^\- +browser-support-consumer:browser-support"
-
     if [ "$ALLOW_SANDBOX" = "false" ]; then
        echo "If allow-sandbox is false then the plug is connected by default"
-       snap interfaces | MATCH "$CONNECTED_PATTERN"
     else
        echo "If allow-sandbox is true then the plug is not connected by default"
-       ! snap interfaces | MATCH "$CONNECTED_PATTERN"
+       snap interfaces -i browser-support | MATCH '\- +browser-support-consumer:browser-support'
+
        echo "Do connect it manually"
        snap connect browser-support-consumer:browser-support
     fi
@@ -79,9 +78,9 @@
 
     echo "And the snap is able to access readable files"
     for readable_file in $READABLE_FILES; do
-        parent_dir=$(dirname $readable_file)
-        if [ ! -d $parent_dir ]; then
-            if mkdir -p $parent_dir; then
+        parent_dir=$(dirname "$readable_file")
+        if [ ! -d "$parent_dir" ]; then
+            if mkdir -p "$parent_dir"; then
                 echo "$parent_dir" >> created_dirs
             else
                 echo "$parent_dir couldn't be created, write-only partition?"
@@ -93,9 +92,9 @@
     done
 
     for readable_file in $READABLE_WITH_SANDBOX_FILES; do
-        parent_dir=$(dirname $readable_file)
-        if [ ! -d $parent_dir ]; then
-            mkdir -p $parent_dir
+        parent_dir=$(dirname "$readable_file")
+        if [ ! -d "$parent_dir" ]; then
+            mkdir -p "$parent_dir"
             echo "$parent_dir" >> created_dirs
         fi
         echo "test" > "$readable_file"
@@ -108,10 +107,18 @@
     fi
 
     if [ "$(snap debug confinement)" = strict ] ; then
+        if [ "$ALLOW_SANDBOX" = "false" ]; then
+            echo "And the policy has the ptrace suppression rule without sandbox"
+            MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.browser-support-consumer.cmd
+        else
+            echo "And the policy has the ptrace suppression rule with sandbox"
+            MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.browser-support-consumer.cmd && echo "Found ptrace rule, but shouldn't have" && exit 1
+        fi
+
         echo "And the resources available with sandbox are not reachable without it"
         if [ "$ALLOW_SANDBOX" = "false" ]; then
             for readable_file in $READABLE_WITH_SANDBOX_FILES; do
-                if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file 2>${PWD}/readable-without-sandbox-read.err" test; then
+                if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2>"${PWD}/readable-without-sandbox-read.err"; then
                     echo "Expected error without sandbox didn't happen"
                     exit 1
                 fi
@@ -121,29 +128,28 @@
 
         echo "When the plug is disconnected"
         snap disconnect browser-support-consumer:browser-support
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
         echo "Then the snap is not able to access tmp"
-        if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd ls /var/tmp/ 2>${PWD}/tmpdir-access.err" test; then
+        if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd ls /var/tmp/" test 2>"${PWD}/tmpdir-access.err"; then
             echo "Expected error with disconnected plug didn't happen"
             exit 1
         fi
         MATCH "Permission denied" < tmpdir-access.err
-        if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat /var/tmp/etilqs_test 2>${PWD}/tmpfile-read.err" test; then
+        if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat /var/tmp/etilqs_test" test 2>"${PWD}/tmpfile-read.err"; then
             echo "Expected error with disconnected plug didn't happen"
             exit 1
         fi
         MATCH "Permission denied" < tmpfile-read.err
 
         for owned_file in $OWNED_FILES; do
-            if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $owned_file 2>${PWD}/owned-read.err" test; then
+            if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $owned_file" test 2>"${PWD}/owned-read.err"; then
                 echo "Expected error with disconnected plug didn't happen"
                 exit 1
             fi
             MATCH "Permission denied" < owned-read.err
         done
         for readable_file in $READABLE_FILES; do
-            if [ -f "$readable_file" ] && su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file 2>${PWD}/readable-read.err" test; then
+            if [ -f "$readable_file" ] && su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2>"${PWD}/readable-read.err"; then
                 echo "Expected error with disconnected plug didn't happen"
                 exit 1
             fi
@@ -151,7 +157,7 @@
         done
         if [ "$ALLOW_SANDBOX" = "true" ]; then
             for readable_file in $READABLE_WITH_SANDBOX_FILES; do
-                if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file 2>${PWD}/readable-with-sandbox-read.err" test; then
+                if su -l -c "$SNAP_MOUNT_DIR/bin/browser-support-consumer.cmd cat $readable_file" test 2>"${PWD}/readable-with-sandbox-read.err"; then
                     echo "Expected error with disconnected plug didn't happen"
                     exit 1
                 fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-calendar-service/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-calendar-service/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-calendar-service/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-calendar-service/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,78 @@
+summary: Ensure that the calendar-service interface works
+
+# Only test on classic systems.  Don't test on Ubuntu 14.04, which
+# does not ship a new enough evolution-data-server. Don't test on AMZN2.
+systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*, -centos-*]
+
+# fails in the autopkgtest env with:
+# [Wed Aug 15 16:34:12 2018] audit: type=1400
+# audit(1534350852.923:58499): apparmor="DENIED" operation="connect"
+# profile="snap.test-snapd-eds.calendar" pid=19219 comm="calendar"
+# family="unix" sock_type="stream" protocol=0 requested_mask="send
+# receive connect" denied_mask="send connect" addr=none
+# peer_addr="@/tmp/dbus-5FUilMiW8U" peer="unconfined"
+backends: [-autopkgtest]
+
+environment:
+    XDG: $(pwd)/xdg
+    XDG_CONFIG_HOME: $XDG/config
+    XDG_DATA_HOME: $XDG/share
+    XDG_CACHE_HOME: $XDG/cache
+
+prepare: |
+    snap install --edge test-snapd-eds
+    mkdir -p "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME"
+
+restore: |
+    kill "$(cat dbus-launch.pid)"
+    rm -f dbus-launch.pid
+
+    # In case the process gvfsd-metadata does not finish by itself, it is manually stopped
+    # The reason is that gvfsd-metadata locks the xdg/share/gvfs-metadata directory content
+    # producing an error when the xdg directory is removed.
+    if pid="$(pidof gvfsd-metadata)"; then
+        kill -9 "$pid" || true
+    fi
+    rm -rf "$XDG"
+
+execute: |
+    echo "Setting up D-Bus session bus"
+    eval "$(dbus-launch --sh-syntax)"
+    echo "$DBUS_SESSION_BUS_PID" > dbus-launch.pid
+
+    echo "The interface is initially disconnected"
+    snap interfaces -i calendar-service | MATCH -- '- +test-snapd-eds:calendar-service'
+    if [ "$(snap debug confinement)" = strict ]; then
+      ! test-snapd-eds.calendar list test-calendar
+    fi
+
+    echo "When the plug is connected, we can add events to calendars"
+    snap connect test-snapd-eds:calendar-service
+    test-snapd-eds.calendar load test-calendar << EOF
+    BEGIN:VEVENT
+    UID:19970610T172345Z-AF23B2@example.com
+    DTSTAMP:19970610T172345Z
+    DTSTART:19970714T170000Z
+    DTEND:19970715T040000Z
+    SUMMARY:Bastille Day Party
+    END:VEVENT
+    EOF
+
+    echo "We can also retrieve those contacts"
+    # Filter out creation/modification date fields, which are unpredictable
+    test-snapd-eds.calendar list test-calendar | sed -E 's/^(CREATED|LAST-MODIFIED):.*/\1:.../' > /tmp/calendar.ics
+    diff -uw - /tmp/calendar.ics << EOF
+    BEGIN:VEVENT
+    UID:19970610T172345Z-AF23B2@example.com
+    DTSTAMP:19970610T172345Z
+    DTSTART:19970714T170000Z
+    DTEND:19970715T040000Z
+    SUMMARY:Bastille Day Party
+    CREATED:...
+    LAST-MODIFIED:...
+    END:VEVENT
+
+    EOF
+
+    echo "Finally, remove the calendar we created"
+    test-snapd-eds.calendar remove test-calendar
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-cli/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-cli/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-cli/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-cli/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -6,23 +6,25 @@
     PLUG: network
 
 prepare: |
-    echo "Given a snap with the $PLUG plug is installed"
-    snap pack $TESTSLIB/snaps/$SNAP_NAME
-    snap install --dangerous $SNAP_FILE
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
 
-restore: |
-    rm -f $SNAP_FILE
+    echo "Given a snap with the $PLUG plug is installed"
+    install_local "$SNAP_NAME"
 
 execute: |
-    expected="(?s)Slot +Plug\n\
-    :$PLUG +$SNAP_NAME"
+    expected="(?s)Slot +Plug\\n\
+    :$PLUG .*$SNAP_NAME"
 
     echo "When the interfaces list is restricted by slot"
     echo "Then only the requested slots are shown"
-    snap interfaces -i $PLUG | grep -Pzq "$expected"
-
-    echo "==============================================="
+    snap interfaces -i "$PLUG" | grep -Pzq "$expected"
 
     echo "When the interfaces list is restricted by slot and snap"
     echo "Then only the requested slots are shown"
-    snap interfaces -i $PLUG $SNAP_NAME | grep -Pzq "$expected"
+    snap interfaces -i "$PLUG" "$SNAP_NAME" | grep -Pzq "$expected"
+
+    echo "Implicit slots are exposed by a snap holding the nickname 'system'"
+    echo "but for compatibility they can also be listed when asking for 'core'"
+    snap interfaces -i network system | MATCH '^:network .*'
+    snap interfaces -i network core | MATCH '^:network .*'
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-contacts-service/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-contacts-service/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-contacts-service/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-contacts-service/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,101 @@
+summary: Ensure that the contacts-service interface works
+
+# Only test on classic systems.  Don't test on Ubuntu 14.04, which
+# does not ship a new enough evolution-data-server.
+# amazon: no need to run this on amazon
+systems: [-ubuntu-core-*, -ubuntu-14.04-*, -amazon-*, -centos-*]
+
+# fails in autopkgtest environment with:
+# [Wed Aug 15 16:08:23 2018] audit: type=1400
+# audit(1534349304.173:1681): apparmor="DENIED" operation="connect"
+# profile="snap.test-snapd-eds.contacts" pid=18321 comm="contacts"
+# family="unix" sock_type="stream" protocol=0 requested_mask="send
+# receive connect" denied_mask="send connect" addr=none
+# peer_addr="@/tmp/dbus-GZTRALrYYm" peer="unconfined"
+backends: [-autopkgtest]
+
+environment:
+    XDG: $(pwd)/xdg
+    XDG_CONFIG_HOME: $XDG/config
+    XDG_DATA_HOME: $XDG/share
+    XDG_CACHE_HOME: $XDG/cache
+
+restore: |
+    if [ -e dbus-launch.pid ]; then
+        kill "$(cat dbus-launch.pid)"
+        rm -f dbus-launch.pid
+    fi
+
+    # In case the process gvfsd-metadata does not finish by itself, it is manually stopped
+    # The reason is that gvfsd-metadata locks the xdg/share/gvfs-metadata directory content
+    # producing an error when the xdg directory is removed.
+    if pid="$(pidof gvfsd-metadata)"; then
+        kill -9 "$pid" || true
+    fi
+    rm -rf "$XDG"
+
+execute: |
+    if ! snap install --edge test-snapd-eds ; then
+        if [ "$SPREAD_SYSTEM" = ubuntu-16.04-64 ]; then
+            echo "The test-snapd-eds must be available on ubuntu-16.04-64"
+            exit 1
+        fi
+        echo "SKIP: test-snapd-eds not available"
+        exit 0
+    fi
+    mkdir -p "$XDG_CONFIG_HOME" "$XDG_DATA_HOME" "$XDG_CACHE_HOME"
+
+    echo "Setting up D-Bus session bus"
+    eval "$(dbus-launch --sh-syntax)"
+    echo "$DBUS_SESSION_BUS_PID" > dbus-launch.pid
+
+    echo "The interface is initially disconnected"
+    snap interfaces -i contacts-service | MATCH -- '- +test-snapd-eds:contacts-service'
+    if [ "$(snap debug confinement)" = strict ]; then
+      ! test-snapd-eds.contacts list test-address-book
+    fi
+
+    echo "When the plug is connected, we can add contacts to address books"
+    snap connect test-snapd-eds:contacts-service
+    test-snapd-eds.contacts load test-address-book << EOF
+    BEGIN:VCARD
+    VERSION:3.0
+    FN:Fred Smith
+    N:Smith;Fred;;;
+    EMAIL;type=HOME:fred@example.org
+    END:VCARD
+    EOF
+
+    test-snapd-eds.contacts load test-address-book << EOF
+    BEGIN:VCARD
+    VERSION:3.0
+    FN:John Doe
+    N:Doe;John;;;
+    EMAIL;type=WORK:john@example.com
+    END:VCARD
+    EOF
+
+    echo "We can also retrieve those contacts"
+    # Filter out ID and revision, which are unpredictable
+    test-snapd-eds.contacts list test-address-book | sed -E 's/^(UID|REV):.*/\1:.../' > /tmp/contacts.vcf
+    diff -uw - /tmp/contacts.vcf << EOF
+    BEGIN:VCARD
+    VERSION:3.0
+    FN:John Doe
+    N:Doe;John;;;
+    EMAIL;type=WORK:john@example.com
+    UID:...
+    REV:...
+    END:VCARD
+    BEGIN:VCARD
+    VERSION:3.0
+    FN:Fred Smith
+    N:Smith;Fred;;;
+    EMAIL;type=HOME:fred@example.org
+    UID:...
+    REV:...
+    END:VCARD
+    EOF
+
+    echo "Finally, remove the address book we created"
+    test-snapd-eds.contacts remove test-address-book
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-content/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-content/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-content/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-content/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,8 @@
 summary: Ensure that the content sharing interface works.
 
+# slow in autopkgtest (>4m)
+backends: [-autopkgtest]
+
 details: |
     The content-sharing interface interface allows a snap to access contents from
     other snap
@@ -8,12 +11,23 @@
     The plug must be autoconnected on install and, as usual, must be able to be
     reconnected.
 
+# This test purges the state which causes the device to reinitialize
+# with (potentially) a different core snap. Running this on core will
+# also trigger a reboot in the middle of the tests because the new
+# core will be applied. So skip the test on core devices.
+systems: [-ubuntu-core-*]
+
 prepare: |
     echo "Ensure an empty state so that installing test-snapd-content-plug"
     echo "will pull in test-snapd-content-slot *and* core"
-    systemctl stop snapd
+
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+
+    systemd_stop_units snapd.service
     rm -f /var/lib/snapd/state.json
     systemctl start snapd
+    snap wait system seed.loaded
 
 execute: |
     echo "When a snap declaring a content sharing plug is installed"
@@ -21,14 +35,11 @@
     echo "Then this pulls in the default provider"
     snap list | MATCH  test-snapd-content-slot
 
-    CONNECTED_PATTERN="test-snapd-content-slot:shared-content-slot +test-snapd-content-plug:shared-content-plug"
-    DISCONNECTED_PATTERN="(?s).*?test-snapd-content-slot:shared-content-slot +-.*?- +test-snapd-content-plug:shared-content-plug"
-
     echo "Then the snap is listed as connected"
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    snap interfaces -i content | grep -Pzq "test-snapd-content-slot:shared-content-slot +test-snapd-content-plug:shared-content-plug"
 
     echo "And fstab files are created"
-    [ $(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l) -gt 0 ]
+    [ "$(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l)" -gt 0 ]
 
     echo "And we can use the shared content"
     test-snapd-content-plug.content-plug | grep "Some shared content"
@@ -36,18 +47,14 @@
     echo "And the current mount profile is the same as the desired mount profile"
     diff -u /run/snapd/ns/snap.test-snapd-content-plug.fstab /var/lib/snapd/mount/snap.test-snapd-content-plug.fstab
 
-    echo "============================================"
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-content-plug:shared-content-plug test-snapd-content-slot:shared-content-slot
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
     echo "Then the fstab files are removed"
-    [ $(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l) -eq 0 ]
+    [ "$(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l)" -eq 0 ]
 
     echo "When the plug is reconnected"
     snap connect test-snapd-content-plug:shared-content-plug test-snapd-content-slot:shared-content-slot
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the fstab files are recreated"
-    [ $(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l) -gt 0 ]
+    [ "$(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l)" -gt 0 ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-content-default-provider/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-content-default-provider/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-content-default-provider/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-content-default-provider/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,23 @@
+summary: Ensure that the content default-provider download works
+
+# This test purges the state which causes the device to reinitialize
+# with (potentially) a different core snap. Running this on core will
+# also trigger a reboot in the middle of the tests because the new
+# core will be applied. So skip the test on core devices.
+systems: [-ubuntu-core-*]
+
+execute: |
+    echo "A snap with no default-provider is installed"
+    cp -a "$TESTSLIB"/snaps/test-snapd-content-plug .
+    sed -i '/default-provider:/d' test-snapd-content-plug/meta/snap.yaml
+    snap pack test-snapd-content-plug
+    snap install --dangerous ./test-snapd-content-plug_1.0_all.snap
+    if snap list | grep test-snapd-content-slot; then
+        echo "test broken: test-snapd-content-slot should not be installed yet"
+        exit 1
+    fi
+
+    echo "A new default-provider will get pulled in on refresh"
+    snap refresh --edge --amend test-snapd-content-plug
+    echo "And ensure the default-provider got pulled in"
+    snap list | grep test-snapd-content-slot
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-content-empty-content-attr/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-content-empty-content-attr/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-content-empty-content-attr/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-content-empty-content-attr/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -8,14 +8,11 @@
     snap install --edge test-snapd-content-plug-no-content-attr
 
 execute: |
-    CONNECTED_PATTERN="test-snapd-content-slot-no-content-attr:shared-content +test-snapd-content-plug-no-content-attr"
-    DISCONNECTED_PATTERN="(?s).*?test-snapd-content-slot-no-content-attr:shared-content +-.*?- +test-snapd-content-plug-no-content-attr"
-
     echo "Then the snap is listed as connected"
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    snap interfaces -i content | MATCH "test-snapd-content-slot-no-content-attr:shared-content +test-snapd-content-plug-no-content-attr"
 
     echo "And fstab files are created"
-    [ $(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l) -gt 0 ]
+    [ "$(find /var/lib/snapd/mount -type f -name '*.fstab' | wc -l)" -gt 0 ]
 
     echo "And we can use the shared content"
     test-snapd-content-plug-no-content-attr.content-plug | grep "Some shared content"
@@ -24,18 +21,14 @@
         exit 0
     fi
 
-    echo "============================================"
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-content-plug-no-content-attr:shared-content test-snapd-content-slot-no-content-attr:shared-content
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
     echo "Then the fstab files are removed"
-    [ $(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l) -eq 0 ]
+    [ "$(find /var/lib/snapd/mount -type f -name '*.fstab' | wc -l)" -eq 0 ]
 
     echo "When the plug is reconnected"
     snap connect test-snapd-content-plug-no-content-attr:shared-content test-snapd-content-slot-no-content-attr:shared-content
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the fstab files are recreated"
-    [ $(find /var/lib/snapd/mount -type f -name "*.fstab" | wc -l) -gt 0 ]
+    [ "$(find /var/lib/snapd/mount -type f -name '*.fstab' | wc -l)" -gt 0 ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-content-mimic/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-content-mimic/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-content-mimic/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-content-mimic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,27 +1,38 @@
 summary: mimic test for the hole-poking code in snap-update-ns
+
 details: |
     When snap-confine cannot create a mount point because of read-only
     filesystem it will use a "writable mimic" constructed out of tmpfs and a
     farm of bind mounts.  This test contains a mimic snap that has various
     kinds of elements that must be correctly handled by the mimic code.
-prepare: |
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-content-mimic-plug
-    install_local test-snapd-content-mimic-slot
+
 environment:
     PLUG: test-snapd-content-mimic-plug:content
     SLOT: test-snapd-content-mimic-slot:content
+
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-content-mimic-plug
+    install_local test-snapd-content-mimic-slot
+
 execute: |
     # Before the content interface is connected we expect to see certain files
     # in the $SNAP directory. Those files represent various kinds of filesystem
     # entries that should be correctly replicated inside the mimic.
     
     check_existing_files() {
+        #shellcheck disable=SC2016
         test-snapd-content-mimic-plug.sh -c 'test -f $SNAP/file'
+        #shellcheck disable=SC2016
         test-snapd-content-mimic-plug.sh -c 'test -d $SNAP/dir'
+        #shellcheck disable=SC2016
         test-snapd-content-mimic-plug.sh -c 'test -h $SNAP/symlink'
+        #shellcheck disable=SC2016
         test-snapd-content-mimic-plug.sh -c 'cat $SNAP/file' | MATCH 'content-of-file'
+        #shellcheck disable=SC2016
         test-snapd-content-mimic-plug.sh -c 'ls $SNAP/dir' | MATCH 'stuff-in-dir'
+        #shellcheck disable=SC2016
         test-snapd-content-mimic-plug.sh -c 'readlink $SNAP/symlink' | MATCH 'symlink-target'
     }
 
@@ -32,17 +43,21 @@
     # it's not in the snap! It's added dynamically at runtime). Not only we get
     # access to the new things (we'll check those shortly) but we also retain
     # access to the same old stuff that was there before.
+    #shellcheck disable=SC2016
     test-snapd-content-mimic-plug.sh -c 'test ! -e $SNAP/content'
     snap connect "$PLUG" "$SLOT"
     check_existing_files
+    #shellcheck disable=SC2016
     test-snapd-content-mimic-plug.sh -c 'test -d $SNAP/content'
 
     # The content connection also means we should see shared content inside the
     # newly created directory. 
+    #shellcheck disable=SC2016
     test-snapd-content-mimic-plug.sh -c 'test -e $SNAP/content/canary'
 
     # The content interface is fully undoable so as soon as we disconnect all
     # of that goes away without a trace.
     snap disconnect "$PLUG" "$SLOT"
     check_existing_files
+    #shellcheck disable=SC2016
     test-snapd-content-mimic-plug.sh -c 'test ! -e $SNAP/content'
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-content-mkdir-writable/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-content-mkdir-writable/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-content-mkdir-writable/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-content-mkdir-writable/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: check that snap-update-ns can create mkdir in $SNAP_{DATA,COMMON}
+
 details: |
     When snap-update-ns is invoked by snap-confine to construct a mount
     namespace it will create missing directories for the mount target.
@@ -7,6 +8,7 @@
     too can be modified for the calling snap. The test is divided into variants
     for one of each $SNAP, $SNAP_DATA and $SNAP_COMMON. There's a slight
     variation for the $SNAP variable, see below for details.
+
 environment:
     PLUG/data: test-snapd-content-advanced-plug:data
     PLUG/common: test-snapd-content-advanced-plug:common
@@ -17,15 +19,19 @@
     VAR/data: SNAP_DATA
     VAR/common: SNAP_COMMON
     VAR/snap: SNAP
+
 prepare: |
     # Install a pair of snaps that both have two content interfaces as
     # sub-directories of $SNAP_DATA and $SNAP_COMMON.
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-content-advanced-plug
     install_local test-snapd-content-advanced-slot
+
 execute: |
     # Put our internal tools on PATH so that we can call snap-discard-ns easily.
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     PATH=$LIBEXECDIR/snapd:$PATH
 
     # Test that initially there are no mount points on the plug side (because
@@ -78,16 +84,10 @@
     test-snapd-content-advanced-plug.sh -c "$(printf 'test -f $%s/target/canary' "$VAR")"
 
     # Without discarding the namespace disconnect the content interface. This
-    # should undo the bind mounts but keep the directories around. The canary
-    # file is thus no longer accessible but all the directories are in place
-    # because we never remove them explicitly.
+    # should undo the bind mounts and remove the placeholder files and
+    # directories.
     snap disconnect "$PLUG" "$SLOT"
-
-    if [ "$VAR" != "SNAP" ]; then
-        test-snapd-content-advanced-plug.sh -c "$(printf 'test -d $%s/target' "$VAR")"
-    else
-        test-snapd-content-advanced-plug.sh -c "$(printf 'test ! -d $%s/target' "$VAR")"
-    fi
+    test-snapd-content-advanced-plug.sh -c "$(printf 'test ! -d $%s/target' "$VAR")"
     test-snapd-content-advanced-plug.sh -c "$(printf 'test ! -e $%s/target/canary' "$VAR")"
     test-snapd-content-advanced-slot.sh -c "$(printf 'test -d $%s/source' "$VAR")"
     test-snapd-content-advanced-slot.sh -c "$(printf 'test -e $%s/source/canary' "$VAR")"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-cups-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-cups-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-cups-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-cups-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,5 @@
 summary: Ensure that the cups interface works.
 
-# Default cups/cups-pdf configuration on these distributions isn't
-# working yet without further tweaks.
-systems: [-ubuntu-core-16-*, -opensuse-*, -fedora-*]
-
 details: |
     The cups-control interface allows a snap to access the locale configuration.
 
@@ -17,6 +13,10 @@
     The test checks for the existence of a pdf file generated by the lpr command in the
     snap.
 
+# Default cups/cups-pdf configuration on these distributions isn't
+# working yet without further tweaks.
+systems: [-ubuntu-core-*, -opensuse-*, -fedora-*, -arch-*, -amazon-*, -centos-*]
+
 environment:
     TEST_FILE: /var/snap/test-snapd-cups-control-consumer/current/test_file.txt
 
@@ -39,42 +39,36 @@
     fi
 
 restore: |
-    rm -rf $HOME/PDF $TEST_FILE print.error
+    rm -rf "$HOME"/PDF "$TEST_FILE" print.error
 
 debug: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     systemctl status cups || true
-    journalctl -u cpus || true
+    get_journalctl_log -u cpus || true
 
 execute: |
-    CONNECTED_PATTERN=":cups-control +test-snapd-cups-control-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +test-snapd-cups-control-consumer:cups-control"
-
-    echo "Then it is not shown as connected"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "===================================="
+    echo "Then the plug is disconnected by default"
+    snap interfaces -i cups-control | MATCH '^- +test-snapd-cups-control-consumer:cups-control'
 
     echo "When the plug is connected"
     snap connect test-snapd-cups-control-consumer:cups-control
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap command is able to print files"
-    echo "Hello World" > $TEST_FILE
-    test-snapd-cups-control-consumer.lpr $TEST_FILE
-    while ! test -e $HOME/PDF/*.pdf; do sleep 1; done
+    echo "Hello World" > "$TEST_FILE"
+    test-snapd-cups-control-consumer.lpr "$TEST_FILE"
+    while "$(find "$HOME"/PDF -name '*.pdf' | wc -l)" -lt 1 ; do sleep 1; done
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
-    echo "===================================="
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-cups-control-consumer:cups-control
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
     echo "Then the snap command is not able to print files"
-    if test-snapd-cups-control-consumer.lpr $TEST_FILE 2>print.error; then
+    if test-snapd-cups-control-consumer.lpr "$TEST_FILE" 2>print.error; then
         echo "Expected error with plug disconnected"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-daemon-notify/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-daemon-notify/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-daemon-notify/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-daemon-notify/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,55 @@
+# It is not possible to test it with "daemon: notify" yet, for more details please see the forum thread:
+# https://forum.snapcraft.io/t/its-a-little-bit-hard-to-use-daemon-notify-for-sd-notify/6366
+summary: Ensure that the daemon-notify interface works.
+
+# test is timing dependant and may fail on very slow systems
+backends: [-autopkgtest]
+
+details: |
+    The daemon-notify interface allows sending notification messages 
+    to systemd through the notify socket
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-daemon-notify
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i daemon-notify | MATCH -- "- +test-snapd-daemon-notify:daemon-notify"
+
+    echo "When the interface is connected"
+    snap connect test-snapd-daemon-notify:daemon-notify
+
+    echo "Then after we restart the servive there is not denials"
+    denials_before="$(snap logs -n=100 test-snapd-daemon-notify.notify | grep -c 'Permission denied' || true)"
+    snap stop test-snapd-daemon-notify.notify
+    for _ in $(seq 10); do
+        if snap start test-snapd-daemon-notify.notify; then
+            break
+        fi
+        sleep 1
+    done
+    denials_after="$(snap logs -n=100 test-snapd-daemon-notify.notify | grep -c 'Permission denied' || true)"
+
+    [ "$denials_before" -eq "$denials_after" ]
+
+    if [ "$(snap debug confinement)" = partial ] ; then
+        exit 0
+    fi
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-daemon-notify:daemon-notify
+
+    echo "Then the snap is not able to sending notification messages"
+    denials_before="$(snap logs -n=100 test-snapd-daemon-notify.notify | grep -c 'Permission denied' || true)"
+    snap stop test-snapd-daemon-notify.notify
+    for _ in $(seq 10); do
+        if snap start test-snapd-daemon-notify.notify; then
+            break
+        fi
+        sleep 1
+    done
+    denials_after="$(snap logs -n=100 test-snapd-daemon-notify.notify | grep -c 'Permission denied' || true)"
+
+    [ "$denials_before" -ne "$denials_after" ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-dbus/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-dbus/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-dbus/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-dbus/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -11,9 +11,10 @@
 environment:
     DISPLAY: :0
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 prepare: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     echo "Give a snap declaring a dbus slot in installed"
@@ -23,18 +24,18 @@
     snap install --edge test-snapd-dbus-consumer
 
     echo "And the provider dbus loop is started"
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
     start_dbus_unit $SNAP_MOUNT_DIR/bin/test-snapd-dbus-provider.provider
 
 restore: |
     rm -f call.error
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
     stop_dbus_unit || true
 
 execute: |
-    CONNECTED_PATTERN="test-snapd-dbus-provider:dbus-test +test-snapd-dbus-consumer"
-    DISCONNECTED_PATTERN="^\- +test-snapd-dbus-consumer:dbus-test"
-
+    #shellcheck disable=SC2046
     export $(cat dbus.env)
 
     echo "Then the dbus name is properly reserved by the provider and the method is accessible"
@@ -43,22 +44,21 @@
     done
 
     echo "And plug is disconnected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i dbus | MATCH '^- +test-snapd-dbus-consumer:dbus-test'
 
     if [ "$(snap debug confinement)" = partial ]; then
         exit 0
     fi
 
     echo "And the consumer is not able to access the provided method"
-    if test-snapd-dbus-consumer.dbus-consumer 2>${PWD}/call.error; then
+    if test-snapd-dbus-consumer.dbus-consumer 2> call.error; then
         echo "Expected permission error calling dbus method with disconnected plug"
         exit 1
     fi
-    cat call.error | MATCH "Permission denied"
+    MATCH "Permission denied" < call.error
 
     echo "When the plug is connected"
     snap connect test-snapd-dbus-consumer:dbus-test test-snapd-dbus-provider:dbus-test
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the consumer is able to call the provided method"
     test-snapd-dbus-consumer.dbus-consumer | MATCH "hello world"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-desktop/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-desktop/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-desktop/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-desktop/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,41 +10,31 @@
 
 prepare: |
     echo "Given the desktop snap is installed"
-    snap try $TESTSLIB/snaps/test-snapd-desktop
+    snap try "$TESTSLIB"/snaps/test-snapd-desktop
 
 execute: |
-    CONNECTED_PATTERN=":desktop +test-snapd-desktop"
-    DISCONNECTED_PATTERN="\- +test-snapd-desktop:desktop"
-
     dirs="/var/cache/fontconfig /usr/share/icons /usr/share/pixmaps"
     files="/etc/xdg/user-dirs.conf /etc/xdg/user-dirs.defaults"
 
     echo "The plug is connected by default"
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap interfaces -i desktop | MATCH ":desktop .*test-snapd-desktop"
 
     echo "Then the snap is able to desktop files and directories"
+    # shellcheck disable=SC2086
     test-snapd-desktop.check-files $files
+    # shellcheck disable=SC2086
     test-snapd-desktop.check-dirs $dirs
 
-    echo "The mount namespace contains shared font directories"
-    for d in /usr/share/fonts /usr/local/share/fonts /var/cache/fontconfig; do
-        if [ -d "$d" ]; then
-                cat /run/snapd/ns/snap.test-snapd-desktop.fstab | MATCH "$d"
-                test-snapd-desktop.check-dirs "$d"
-        fi
-    done
-
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
     echo "When the plug is disconnected"
     snap disconnect test-snapd-desktop:desktop
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to access the desktop files"
     for file in $files; do
-        if test-snapd-desktop.check-files $file 2>${PWD}/call.error; then
+        if test-snapd-desktop.check-files "$file" 2> call.error; then
             echo "Expected permission error calling desktop with disconnected plug"
             exit 1
         fi
@@ -53,7 +43,7 @@
 
     echo "Then the snap is not able to access the desktop dirs"
     for dir in $dirs; do
-        if test-snapd-desktop.check-dirs $dir 2>${PWD}/call.error; then
+        if test-snapd-desktop.check-dirs "$dir" 2> call.error; then
             echo "Expected permission error calling desktop with disconnected plug"
             exit 1
         fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-desktop-document-portal/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-desktop-document-portal/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-desktop-document-portal/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-desktop-document-portal/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,69 @@
+summary: The document portal is mounted by snaps using the desktop interface
+
+details: |
+    The document portal is a component of xdg-desktop-portal that
+    provides a way to share files with a confined application in a
+    controlled fashion.  To provide proper security, a subtree of the
+    portal needs to be mounted over $XDG_RUNTIME_DIR/doc inside the
+    sandbox.
+
+systems: [-ubuntu-core-*]
+
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    install_local test-snapd-desktop
+    snap disconnect test-snapd-desktop:desktop
+
+restore: |
+    rm -rf /run/user/12345/*
+    rm -f /tmp/check-doc-portal.sh
+
+execute: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    echo "Create XDG_RUNTIME_DIR for test user"
+    USER_RUNTIME_DIR=/run/user/12345
+    mkdir -p $USER_RUNTIME_DIR || true
+    #shellcheck disable=SC2115
+    rm -rf $USER_RUNTIME_DIR/*
+    chmod u=rwX,go= $USER_RUNTIME_DIR
+    chown test:test $USER_RUNTIME_DIR
+
+    cat << EOF > /tmp/check-doc-portal.sh
+    set -eu
+    mkdir -p /run/user/12345/doc/by-app/snap.test-snapd-desktop
+    touch /run/user/12345/doc/is-unconfined
+    touch /run/user/12345/doc/by-app/snap.test-snapd-desktop/is-confined
+    test-snapd-desktop.check-dirs /run/user/12345/doc
+    EOF
+    chown test:test /tmp/check-doc-portal.sh
+
+    if [ "$(snap debug confinement)" = strict ]; then
+      echo "Without desktop interface connected"
+      if su -l -c "sh /tmp/check-doc-portal.sh" test 2> check.error; then
+        cat check.error >&2
+        echo "Expected permission error when checking document portal dir"
+        exit 1
+      fi
+      MATCH "Permission denied" < check.error
+    fi
+
+    "$LIBEXECDIR"/snapd/snap-discard-ns test-snapd-desktop
+
+    echo "With desktop connected, we see confined version"
+    snap connect test-snapd-desktop:desktop
+    su -l -c "sh /tmp/check-doc-portal.sh" test | MATCH is-confined
+
+    "$LIBEXECDIR"/snapd/snap-discard-ns test-snapd-desktop
+
+    echo "It is not an error if the document portal is missing"
+    rm -rf /run/user/12345/*
+    if su -l -c "test-snapd-desktop.check-dirs /run/user/12345/doc" test 2> check.error; then
+      cat check.error >&2
+      echo "Expected not found error when checking document portal dir"
+      exit 1
+    fi
+    MATCH "No such file or directory" < check.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-desktop-host-fonts/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-desktop-host-fonts/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-desktop-host-fonts/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-desktop-host-fonts/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,62 @@
+summary: Ensure that the desktop interface gives access to host fonts
+
+details: |
+    In order to ensure that confined applications have access to fonts
+    covering the user's spoken language, the host system's fonts are
+    bind mounted into the sandbox.
+
+systems: [-ubuntu-core-*]
+
+restore: |
+    rm -f /usr/share/fonts/dist-font.txt
+    rm -f /usr/local/share/fonts/local-font.txt
+    rm -f "$HOME"/.fonts/user-font1.txt
+    rm -f "$HOME"/.local/share/fonts/user-font2.txt
+    rm -f /var/cache/fontconfig/cache.txt
+    rm -f /usr/lib/fontconfig/cache/cache.txt
+
+execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
+    distro_install_package fontconfig
+
+    echo "Distribution font" > /usr/share/fonts/dist-font.txt
+
+    # this may not exist across all distributions
+    mkdir -p /usr/local/share/fonts
+    echo "Local font" > /usr/local/share/fonts/local-font.txt
+
+    cache_dir=/var/cache/fontconfig
+    case "$SPREAD_SYSTEM" in
+        fedora-*|centos-*)
+            cache_dir=/usr/lib/fontconfig/cache
+            ;;
+    esac
+    echo "Cache file" > "$cache_dir"/cache.txt
+
+    mkdir -p "$HOME"/.fonts
+    echo "User font 1" > "$HOME"/.fonts/user-font1.txt
+
+    mkdir -p "$HOME"/.local/share/fonts
+    echo "User font 2" > "$HOME"/.local/share/fonts/user-font2.txt
+
+    echo "Install the test-snapd-desktop snap"
+    snap try "$TESTSLIB"/snaps/test-snapd-desktop
+
+    echo "The plug is connected by default"
+    snap interfaces -i desktop | MATCH ":desktop .*test-snapd-desktop"
+
+    echo "Checking access to host /usr/share/fonts"
+    test-snapd-desktop.check-files /usr/share/fonts/dist-font.txt | MATCH "Distribution font"
+
+    echo "Checking access to host /usr/local/share/fonts"
+    test-snapd-desktop.check-files /usr/local/share/fonts/local-font.txt | MATCH "Local font"
+
+    echo "Checking access to host $cache_dir"
+    test-snapd-desktop.check-files "$cache_dir"/cache.txt | MATCH "Cache file"
+
+    echo "Checking access to host ~/.fonts"
+    test-snapd-desktop.check-files "$HOME"/.fonts/user-font1.txt | MATCH "User font 1"
+
+    echo "Checking access to host ~/.local/share/fonts"
+    test-snapd-desktop.check-files "$HOME"/.local/share/fonts/user-font2.txt | MATCH "User font 2"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-device-buttons/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-device-buttons/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-device-buttons/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-device-buttons/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,58 @@
+summary: Ensure that the device-buttons interface works.
+
+details: |
+    The device-buttons interface allows reading and writing to gpio-keys
+    devices.
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Create device files which are going to be used so simulate a real device
+    # and input data. In case the device already exists, it is going to be
+    # backed up. Devices used following documentation:
+    # the https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/devices.txt#L408
+    ensure_file_exists_backup_real /dev/input/event1
+
+restore: |
+    rm -f call.error
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Delete the created device files and restore backed up files
+    clean_file /dev/input/event1
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i device-buttons | MATCH "\\- +test-snapd-sh:device-buttons"
+
+    echo "When the interface is connected"
+    snap connect test-snapd-sh:device-buttons
+
+    echo "Then the snap is able to access the device input for the new interface"
+    test-snapd-sh.with-device-buttons-plug -c "echo test >> /dev/input/event1"
+
+    echo "Then the snap is able to read the supported event reports for the input device"
+    capabilities="$(find /sys/devices/ -type d -name capabilities | grep -E "/sys/devices/.*/input[0-9].*/capabilities" | head -n1)"
+    if [ -n "$capabilities" ]; then
+        test-snapd-sh.with-device-buttons-plug -c "ls $capabilities"
+    fi
+
+    if [ "$(snap debug confinement)" = partial ] ; then
+        exit 0
+    fi
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:device-buttons
+
+    echo "Then the snap is not able to read the input device"
+    if test-snapd-sh.with-device-buttons-plug -c "cat /dev/input/event1" 2>"${PWD}"/call.error; then
+        echo "Expected permission error accessing to input device"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-dvb/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-dvb/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-dvb/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-dvb/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+summary: Ensure that the dvb interface works.
+
+details: |
+    The dvb interface allows access to all DVB (Digital Video Broadcasting) devices and APIs.
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    ensure_dir_exists_backup_real /dev/dvb/adapter9
+    ensure_file_exists_backup_real /dev/dvb/adapter9/video9
+    ensure_file_exists_backup_real /run/udev/data/c212:9
+
+restore: |
+    rm -f call.error
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Delete the created device files and restore backed up files
+    clean_file /run/udev/data/c212:9
+    clean_file /dev/dvb/adapter9/video9
+    clean_dir /dev/dvb/adapter9
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i dvb | MATCH -- '- +test-snapd-sh:dvb'
+
+    echo "When the interface is connected"
+    snap connect test-snapd-sh:dvb
+
+    echo "Then the snap is able to access the device input"
+    test-snapd-sh.with-dvb-plug -c "echo test >> /dev/dvb/adapter9/video9"
+    test-snapd-sh.with-dvb-plug -c "cat /run/udev/data/c212:9"
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:dvb
+
+    if [ "$(snap debug confinement)" = partial ]; then
+        exit 0
+    fi
+
+    echo "Then the snap is not able to read the input device"
+    if test-snapd-sh.with-dvb-plug -c 'cat /dev/dvb/adapter9/video9' 2>call.error; then
+        echo "Expected permission error accessing to input device"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-firewall-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-firewall-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-firewall-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-firewall-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Ensure that the firewall-control interface works.
 
-systems: [-fedora-*, -opensuse-*]
+systems: [-fedora-*, -opensuse-*, -arch-*]
 
 details: |
     The firewall-control interface allows a snap to configure the firewall.
@@ -23,63 +23,60 @@
     DESTINATION_IP: "172.26.0.15"
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
     echo "Given a snap declaring a plug on the firewall-control interface is installed"
-    snap pack $TESTSLIB/snaps/firewall-control-consumer
-    snap install --dangerous firewall-control-consumer_1.0_all.snap
+    install_local firewall-control-consumer
 
     echo "And a service is listening"
-    printf "#!/bin/sh -e\nwhile true; do echo \"HTTP/1.1 200 OK\n\nok\n\" |  nc -l -p $PORT -w 1; done" > $SERVICE_FILE
-    chmod a+x $SERVICE_FILE
+    printf '#!/bin/sh -e\nwhile true; do echo "HTTP/1.1 200 OK\n\nok\n" |  nc -l -p %s -w 1; done' "$PORT" > "$SERVICE_FILE"
+    chmod a+x "$SERVICE_FILE"
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
-    systemd_create_and_start_unit $SERVICE_NAME "$(readlink -f $SERVICE_FILE)"
-
-    while ! netstat -lnt | grep -Pq "tcp.*?:$PORT +.*?LISTEN\n*"; do sleep 0.5; done
+    #shellcheck disable=SC2153
+    systemd_create_and_start_unit "$SERVICE_NAME" "$(readlink -f "$SERVICE_FILE")"
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    wait_listen_port "$PORT"
 
     echo "And we store a basic HTTP request"
-    cat > $REQUEST_FILE <<EOF
+    cat > "$REQUEST_FILE" <<EOF
     GET / HTTP/1.0
 
     EOF
 
 restore: |
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
-    systemd_stop_and_destroy_unit $SERVICE_NAME
-    rm -f firewall-control-consumer_1.0_all.snap firewall-create.error $SERVICE_FILE $REQUEST_FILE
+    #shellcheck disable=SC2153
+    systemd_stop_and_destroy_unit "$SERVICE_NAME"
+    rm -f firewall-create.error "$SERVICE_FILE" "$REQUEST_FILE"
 
 execute: |
-    CONNECTED_PATTERN='^:firewall-control +firewall-control-consumer$'
-    DISCONNECTED_PATTERN='^- +firewall-control-consumer:firewall-control$'
-
-    echo "Then it is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
+    echo "Then the plug is disconnected by default"
+    snap interfaces -i firewall-control | MATCH '^- +firewall-control-consumer:firewall-control'
 
     echo "When the plug is connected"
     snap connect firewall-control-consumer:firewall-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "And the snap creates a firewall rule"
     firewall-control-consumer.create
 
     echo "Then the service listening on localhost is accessible through the destination IP in the rule"
-    nc -w 2 "$DESTINATION_IP" "$PORT" < $REQUEST_FILE | MATCH 'ok$'
+    nc -w 2 "$DESTINATION_IP" "$PORT" < "$REQUEST_FILE" | MATCH 'ok$'
 
     echo "When the snap deletes the firewall rule"
     firewall-control-consumer.delete
 
     echo "Then the service listening on localhost is no longer accessible through the destination IP in the rule"
-    ! nc -w 2 "$DESTINATION_IP" "$PORT" < $REQUEST_FILE
+    ! nc -w 2 "$DESTINATION_IP" "$PORT" < "$REQUEST_FILE"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
-    echo "==================================="
-
     echo "When the plug is disconnected"
     snap disconnect firewall-control-consumer:firewall-control
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to configure the firewall"
     if firewall-control-consumer.create 2>firewall-create.error; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-framebuffer/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-framebuffer/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-framebuffer/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-framebuffer/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -8,29 +8,30 @@
     The test also checks the interface connection and disconnection works properly.
 
 prepare: |
-    snap try $TESTSLIB/snaps/test-snapd-framebuffer
+    snap try "$TESTSLIB"/snaps/test-snapd-framebuffer
 
 execute: |
-    CONNECTED_PATTERN=":framebuffer +test-snapd-framebuffer"
-    DISCONNECTED_PATTERN="\- +test-snapd-framebuffer:framebuffer"
+    echo "The plug is not connected by default"
+    snap interfaces -i framebuffer | MATCH '^- +test-snapd-framebuffer:framebuffer'
 
     if [ ! -e /dev/fb0 ]; then
-        echo "Framebuffer not available on /dev/fb0"
+        # ensure this test runs on at least one system
+        if [[ "$SPREAD_SYSTEM" = ubuntu-core-16-arm-* ]]; then
+            echo "ubuntu-core-16-arm-32 must have a framebuffer"
+            exit 1
+        fi
+        echo "SKIP: Framebuffer not available on /dev/fb0"
         exit 0
     fi
 
-    echo "The plug is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
     echo "When the interface is connected"
     snap connect test-snapd-framebuffer:framebuffer
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
-    echo "Then the snap is able to write in the framebuffer
+    echo "Then the snap is able to write in the framebuffer"
     test-snapd-framebuffer.write "123"
     MATCH "123" < /dev/fb0
 
-    echo "Then the snap is able to read from the framebuffer
+    echo "Then the snap is able to read from the framebuffer"
     test-snapd-framebuffer.read
 
     if [ "$(snap debug confinement)" = partial ] ; then
@@ -41,7 +42,7 @@
     snap disconnect test-snapd-framebuffer:framebuffer
 
     echo "Then the snap is not able to access the framebuffer"
-    if test-snapd-framebuffer.write "123" 2>${PWD}/call.error; then
+    if test-snapd-framebuffer.write "123" 2> call.error; then
         echo "Expected permission error trying to write the framebuffer"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-fuse_support/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-fuse_support/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-fuse_support/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-fuse_support/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,7 @@
 summary: Ensure that the fuse-support interface works.
 
 # no support for fuse on 14.04
-systems:
-    # no support for fuse on 14.04
-    - -ubuntu-14.04-64
-    - -ubuntu-14.04-32
+systems: [-ubuntu-14.04-*]
 
 details: |
     The fuse-support interface allows a snap to manage FUSE file systems.
@@ -18,63 +15,71 @@
     name and content in the mount point given to the command.
 
 environment:
-    MOUNT_POINT: /var/snap/test-snapd-fuse-consumer/current/mount_point
+    MOUNT_POINT/regular: /var/snap/test-snapd-fuse-consumer/current/mount_point
+    MOUNT_POINT_OUTSIDE/regular: /var/snap/test-snapd-fuse-consumer/current/mount_point
+    NAME/regular: test-snapd-fuse-consumer
+    # snap with instance key 'foo'
+    MOUNT_POINT/parallel: /var/snap/test-snapd-fuse-consumer/current/mount_point
+    MOUNT_POINT_OUTSIDE/parallel: /var/snap/test-snapd-fuse-consumer_foo/current/mount_point
+    NAME/parallel: test-snapd-fuse-consumer_foo
 
 prepare: |
+    if [[ "$SPREAD_VARIANT" == "parallel" ]]; then
+        snap set system experimental.parallel-instances=true
+    fi
     echo "Given a snap declaring a fuse plug is installed"
-    snap install test-snapd-fuse-consumer
+    snap install "$NAME"
 
     echo "And a user writable mount point is created"
-    mkdir -p $MOUNT_POINT
+    mkdir -p "$MOUNT_POINT_OUTSIDE"
 
 restore: |
     # remove the mount point
-    mounts=$(nsenter --mount=/run/snapd/ns/test-snapd-fuse-consumer.mnt cat /proc/mounts | \
-             grep "$(basename $MOUNT_POINT) fuse" | cut -f2 -d' ')
+    mounts=$(nsenter "--mount=/run/snapd/ns/$NAME.mnt" cat /proc/mounts | \
+             grep "$(basename "$MOUNT_POINT") fuse" | cut -f2 -d' ')
     for m in $mounts; do
-        nsenter --mount=/run/snapd/ns/test-snapd-fuse-consumer.mnt umount "$m"
+        nsenter "--mount=/run/snapd/ns/$NAME.mnt" umount "$m"
     done
-    rm -rf $MOUNT_POINT fuse.error
+    rm -rf "$MOUNT_POINT_OUTSIDE" fuse.error
 
-execute: |
-    CONNECTED_PATTERN=":fuse-support +test-snapd-fuse-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +test-snapd-fuse-consumer:fuse-support"
+    if [[ "$SPREAD_VARIANT" == "parallel" ]]; then
+        snap set system experimental.parallel-instances=null
+    fi
 
-    echo "Then the fuse plug is not connected by default"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+execute: |
+    echo "The interface is disconnected by default"
+    snap interfaces -i fuse-support | MATCH "^- +$NAME:fuse-support"
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "Then the snap is not able to create a fuse file system"
-        if test-snapd-fuse-consumer.create -f $MOUNT_POINT 2>${PWD}/fuse.error; then
+        if "$NAME.create" -f "$MOUNT_POINT" 2> fuse.error; then
             echo "Expected permission error creating fuse filesystem with disconnected plug"
             exit 1
         fi
         MATCH "Permission denied" < fuse.error
-
-        echo "==================================="
     fi
 
     echo "When the plug is connected"
-    snap connect test-snapd-fuse-consumer:fuse-support
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    snap connect "$NAME:fuse-support"
 
     echo "Then the snap is able to create a fuse filesystem"
     # start fuse consumer in foreground and make it a background job
-    test-snapd-fuse-consumer.create -f $MOUNT_POINT &
+    "$NAME.create" -f "$MOUNT_POINT" &
     createpid=$!
     # cleanup the background job on exit
     trap 'kill $createpid; wait $createpid' EXIT
 
     # it may take a while for hello file to appear
-    for i in $(seq 100); do
-        if test -r /proc/${createpid}/root/${MOUNT_POINT}/hello; then
+    for _ in $(seq 100); do
+        if test -r "/proc/${createpid}/root/${MOUNT_POINT}/hello"; then
             break
         fi
         sleep .1
     done
-    test -r /proc/${createpid}/root/${MOUNT_POINT}/hello
+    test -r "/proc/${createpid}/root/${MOUNT_POINT}/hello"
     # prefer cat ... | MATCH so that we can see which PID is used
-    cat /proc/${createpid}/root/${MOUNT_POINT}/hello | MATCH "Hello World!"
+    #shellcheck disable=SC2002
+    cat "/proc/${createpid}/root/${MOUNT_POINT}/hello" | MATCH "Hello World!"
 
     # SIGTERM triggers a clean exit
     kill $createpid
@@ -87,7 +92,7 @@
     wait $createpid || test "$?" = "159"
 
     # verify that the mount_point was not removed from mount namespace of the snap
-    mountpath=$(nsenter --mount=/run/snapd/ns/test-snapd-fuse-consumer.mnt cat /proc/mounts | \
-                grep "$(basename $MOUNT_POINT) fuse" | cut -f2 -d' ')
+    mountpath=$(nsenter "--mount=/run/snapd/ns/$NAME.mnt" cat /proc/mounts | \
+                grep "$(basename "$MOUNT_POINT") fuse" | cut -f2 -d' ')
     test -n "$mountpath"
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-gpg-keys/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-gpg-keys/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-gpg-keys/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-gpg-keys/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,8 @@
 summary: Ensure that the gpg-keys interface works.
 
+# core18 has no gpg
+systems: [-ubuntu-core-18-*]
+
 details: |
     The gpg-keys interface allows to access gpg binary and keys.
 
@@ -7,12 +10,11 @@
     KEYSDIR: "$HOME/.gnupg"
     TRUSTDB: "$HOME/.gnupg/trustdb.gpg"
     TESTKEY: "$HOME/.gnupg/testkey"
-    CONNECTED_PATTERN: ':gpg-keys +test-snapd-gpg-keys'
-    DISCONNECTED_PATTERN: '\- +test-snapd-gpg-keys:gpg-keys'
 
 prepare: |
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-gpg-keys
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
 
     if [ -d "$KEYSDIR" ]; then
         cp -rf "$KEYSDIR" "$KEYSDIR".old
@@ -20,7 +22,7 @@
         mkdir "$KEYSDIR"
     fi
 
-    if ! [ -f $TRUSTDB ]; then
+    if ! [ -f "$TRUSTDB" ]; then
         echo "trustdb" > "$TRUSTDB"
     fi
 
@@ -35,38 +37,37 @@
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i gpg-keys | MATCH '^- +test-snapd-sh:gpg-keys'
 
     echo "When the interface is connected"
-    snap connect test-snapd-gpg-keys:gpg-keys
+    snap connect test-snapd-sh:gpg-keys
 
     echo "Then the snap is able to run gpg"
-    test-snapd-gpg-keys.sh -c "gpg --list-keys"
+    test-snapd-sh.with-gpg-keys-plug -c "gpg --list-keys"
 
     echo "And the snap is able to access to config files"
-    test-snapd-gpg-keys.sh -c "cat /usr/share/gnupg/options.skel"
+    test-snapd-sh.with-gpg-keys-plug -c "cat /usr/share/gnupg/options.skel"
 
     echo "And the snap is able to read gpg keys and db"
-    test-snapd-gpg-keys.sh -c "cat $TESTKEY"
-    test-snapd-gpg-keys.sh -c "cat $TRUSTDB"
+    test-snapd-sh.with-gpg-keys-plug -c "cat $TESTKEY"
+    test-snapd-sh.with-gpg-keys-plug -c "cat $TRUSTDB"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
     echo "And then the snap is not able to write the trust.db file"
-    if test-snapd-gpg-keys.sh -c "sed -i 's/ / /g' $TRUSTDB" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-gpg-keys-plug -c "sed -i 's/ / /g' $TRUSTDB" 2> call.error; then
         echo "Expected permission error accessing to trust db"
         exit 1
     fi
     MATCH "Permission denied" < call.error
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-gpg-keys:gpg-keys
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap disconnect test-snapd-sh:gpg-keys
 
     echo "Then the snap is not able to read gpg keys"
-    if test-snapd-gpg-keys.sh -c "cat $TESTKEY" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-gpg-keys-plug -c "cat $TESTKEY" 2> call.error; then
         echo "Expected permission error accessing to gpg keys"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-gpg-public-keys/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-gpg-public-keys/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-gpg-public-keys/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-gpg-public-keys/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,17 +3,19 @@
 details: |
     The gpg-public-keys interface allows to access gpg binary and public keys.
 
+# no gpg on core18
+systems: [-ubuntu-core-18-*]
+
 environment:
     KEYSDIR: "$HOME/.gnupg"
     TRUSTDB: "$HOME/.gnupg/trustdb.gpg"
     TRUSTEDKEYS: "$HOME/.gnupg/trustedkeys.gpg"
     CONFIG: "$HOME/.gnupg/gpg.conf"
-    CONNECTED_PATTERN: ':gpg-public-keys +test-snapd-gpg-public-keys'
-    DISCONNECTED_PATTERN: '\- +test-snapd-gpg-public-keys:gpg-public-keys'
 
 prepare: |
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-gpg-public-keys
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
 
     if [ -d "$KEYSDIR" ]; then
         cp -rf "$KEYSDIR" "$KEYSDIR".old
@@ -21,9 +23,9 @@
         mkdir "$KEYSDIR"
     fi
 
-    touch $TRUSTEDKEYS || true
-    touch $TRUSTDB || true
-    touch $CONFIG || true
+    touch "$TRUSTEDKEYS" || true
+    touch "$TRUSTDB" || true
+    touch "$CONFIG" || true
 
 restore: |
     rm -f call.error
@@ -34,36 +36,35 @@
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i gpg-public-keys | MATCH '^- +test-snapd-sh:gpg-public-keys'
 
     echo "When the interface is connected"
-    snap connect test-snapd-gpg-public-keys:gpg-public-keys
+    snap connect test-snapd-sh:gpg-public-keys
 
     echo "Then the snap is able to run gpg"
-    test-snapd-gpg-public-keys.sh -c "gpg --list-keys"
+    test-snapd-sh.with-gpg-public-keys-plug -c "gpg --list-keys"
 
     echo "And the snap is able to access to config files and keys"
-    test-snapd-gpg-public-keys.sh -c "cat /usr/share/gnupg/options.skel"
-    test-snapd-gpg-public-keys.sh -c "cat $CONFIG"
-    test-snapd-gpg-public-keys.sh -c "cat $TRUSTEDKEYS"
+    test-snapd-sh.with-gpg-public-keys-plug -c "cat /usr/share/gnupg/options.skel"
+    test-snapd-sh.with-gpg-public-keys-plug -c "cat $CONFIG"
+    test-snapd-sh.with-gpg-public-keys-plug -c "cat $TRUSTEDKEYS"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
     echo "And then the snap is not able to write the trust.db file"
-    if test-snapd-gpg-public-keys.sh -c "sed -i 's/ / /g' $TRUSTDB" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-gpg-public-keys-plug -c "sed -i 's/ / /g' $TRUSTDB" 2> call.error; then
         echo "Expected permission error accessing to trust db"
         exit 1
     fi
     MATCH "Permission denied" < call.error
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-gpg-public-keys:gpg-public-keys
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap disconnect test-snapd-sh:gpg-public-keys
 
     echo "Then the snap is not able to read gpg keys"
-    if test-snapd-gpg-public-keys.sh -c "cat $TRUSTEDKEYS" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-gpg-public-keys-plug -c "cat $TRUSTEDKEYS" 2> call.error; then
         echo "Expected permission error accessing to gpg keys"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-gpio-memory-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-gpio-memory-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-gpio-memory-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-gpio-memory-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,10 +5,6 @@
 
 systems: [ubuntu-core-16-arm-*]
 
-environment:
-    CONNECTED_PATTERN: ':gpio-memory-control +test-snapd-gpio-memory-control'
-    DISCONNECTED_PATTERN: '\- +test-snapd-gpio-memory-control:gpio-memory-control'
-
 prepare: |
     echo "Given the test-snapd-gpio-memory-control snap is installed"
     snap install test-snapd-gpio-memory-control
@@ -23,11 +19,11 @@
     fi
 
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    #shellcheck disable=SC1117
+    snap interfaces -i gpio-memory-control | MATCH '^- +test-snapd-gpio-memory-control:gpio-memory-control'
 
     echo "When the interface is connected"
     snap connect test-snapd-gpio-memory-control:gpio-memory-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able read and write the physical memory"
     test-snapd-gpio-memory-control.gpiomem
@@ -38,10 +34,9 @@
 
     echo "When the plug is disconnected"
     snap disconnect test-snapd-gpio-memory-control:gpio-memory-control
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to access the gpio physical memory"
-    if test-snapd-gpio-memory-control.gpiomem 2>${PWD}/call.error; then
+    if test-snapd-gpio-memory-control.gpiomem 2> call.error; then
         echo "Expected permission error reading the gpio physical memory with disconnected plug"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-hardware-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-hardware-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-hardware-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-hardware-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,25 +10,21 @@
     A snap declaring a plug on this interface must be able to read files in /sys/{block,bus,class,devices}
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
     echo "Given a snap declaring a plug on the hardware-observe interface is installed"
-    snap pack $TESTSLIB/snaps/hardware-observe-consumer
-    snap install --dangerous hardware-observe-consumer_1.0_all.snap
+    install_local hardware-observe-consumer
 
 restore: |
-    rm -f hardware-observe-consumer_1.0_all.snap hw.error
+    rm -f hw.error
 
 execute: |
-    CONNECTED_PATTERN=":hardware-observe +hardware-observe-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +hardware-observe-consumer:hardware-observe"
-
-    echo "Then it is not connected by default"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
+    echo "The interface is not connected by default"
+    snap interfaces -i hardware-observe | MATCH '^- +hardware-observe-consumer:hardware-observe'
 
     echo "When the plug is connected"
     snap connect hardware-observe-consumer:hardware-observe
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to read hardware information"
     hardware-observe-consumer.consumer
@@ -37,8 +33,6 @@
         exit 0
     fi
 
-    echo "==================================="
-
     echo "When the plug is disconnected"
     snap disconnect hardware-observe-consumer:hardware-observe
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-hardware-random-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-hardware-random-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-hardware-random-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-hardware-random-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,10 +10,12 @@
     A snap declaring a plug on this interface must be able to read files in
     /sys/class/misc/hw_random/{rng_available,rng_current} and write /dev/hwrng
 
-# Execution skipped on debian due to device /dev/hwrng not created by default
-systems: [-debian-*]
+# Execution skipped on debian, arch and amazon due to device /dev/hwrng not
+# created by default
+systems: [-debian-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
 
     echo "Given a snap declaring a plug on the hardware-random-control interface is installed"
@@ -23,15 +25,11 @@
     rm -f hw.error
 
 execute: |
-    CONNECTED_PATTERN=":hardware-random-control +test-snapd-hardware-random-control"
-    DISCONNECTED_PATTERN="(?s).*?\n- +test-snapd-hardware-random-control:hardware-random-control"
-
-    echo "Then it is not connected by default"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+    echo "The interface is not connected by default"
+    snap interfaces -i hardware-random-control | MATCH '^- +test-snapd-hardware-random-control:hardware-random-control'
 
     echo "When the plug is connected"
     snap connect test-snapd-hardware-random-control:hardware-random-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to read hardware random information"
     test-snapd-hardware-random-control.check 2>hw.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-hardware-random-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-hardware-random-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-hardware-random-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-hardware-random-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,10 +10,12 @@
     A snap declaring a plug on this interface must be able to read files in
     /sys/class/misc/hw_random/{rng_available,rng_current} and /dev/hwrng
 
-# Execution skipped on debian due to device /dev/hwrng not created by default
-systems: [-debian-*]
+# Execution skipped on debian, arch and amazon due to device /dev/hwrng not
+# created by default
+systems: [-debian-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
 
     echo "Given a snap declaring a plug on the hardware-random-observe interface is installed"
@@ -23,15 +25,11 @@
     rm -f hw.error
 
 execute: |
-    CONNECTED_PATTERN=":hardware-random-observe +test-snapd-hardware-random-observe"
-    DISCONNECTED_PATTERN="(?s).*?\n- +test-snapd-hardware-random-observe:hardware-random-observe"
-
-    echo "Then it is not connected by default"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+    echo "The interface is not connected by default"
+    snap interfaces -i hardware-random-observe | MATCH '^- +test-snapd-hardware-random-observe:hardware-random-observe'
 
     echo "When the plug is connected"
     snap connect test-snapd-hardware-random-observe:hardware-random-observe
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to read hardware random information"
     test-snapd-hardware-random-observe.check 2>hw.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-home/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-home/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-home/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-home/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -17,9 +17,11 @@
     HIDDEN_READABLE_FILE: "$HOME/.readable"
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
     echo "Given a snap declaring the home plug is installed"
-    snap pack $TESTSLIB/snaps/home-consumer
-    snap install --dangerous $SNAP_FILE
+    install_local home-consumer
 
     echo "And there is a readable file in HOME"
     echo ok > "$READABLE_FILE"
@@ -31,93 +33,68 @@
     echo ok > "$HIDDEN_READABLE_FILE"
 
 restore: |
-    rm -f $SNAP_FILE $READABLE_FILE $WRITABLE_FILE $CREATABLE_FILE $HIDDEN_READABLE_FILE
+    rm -f "$READABLE_FILE" "$WRITABLE_FILE" "$CREATABLE_FILE" "$HIDDEN_READABLE_FILE"
 
 execute: |
-    CONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    :home +home-consumer"
-    DISCONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    - +home-consumer:home"
-
-    if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
-        echo "Then the snap is listed as disconnected"
-        snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
+    if is_core_system; then
+        echo "The interface is not connected by default"
+        snap interfaces -i home | MATCH '^- +home-consumer:home'
 
         echo "And the plug can be connected"
         snap connect home-consumer:home
-        snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
     else
-        echo "Then the snap is listed as connected"
-        snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
-
-        echo "============================================"
+        echo "The interface is connected by default"
+        snap interfaces -i home | MATCH ":home .*home-consumer"
 
         echo "When the plug is disconnected"
         snap disconnect home-consumer:home
-        snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
         echo "Then the plug can be connected again"
         snap connect home-consumer:home
-        snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
     fi
-    echo "============================================"
 
     echo "When the plug is connected"
     snap connect home-consumer:home
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to read home files"
-    home-consumer.reader $READABLE_FILE | grep -Pqz ok
-
-    echo "============================================"
+    home-consumer.reader "$READABLE_FILE" | grep -Pqz ok
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "When the plug is disconnected"
         snap disconnect home-consumer:home
-        snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
         echo "Then snap can't read home files"
-        if home-consumer.reader $READABLE_FILE; then
+        if home-consumer.reader "$READABLE_FILE"; then
             echo "Home files shouldn't be readable" && exit 1
         fi
-
-        echo "============================================"
     fi
 
     echo "When the plug is connected"
     snap connect home-consumer:home
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to append to home files"
     home-consumer.writer "$WRITABLE_FILE"
-    cat "$WRITABLE_FILE" | grep -Pqz "ok\nok"
-
-    echo "============================================"
+    grep -Pqz 'ok\nok' < "$WRITABLE_FILE"
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "When the plug is disconnected"
         snap disconnect home-consumer:home
-        snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
         echo "Then snap can't append to home files"
         if home-consumer.writer "$WRITABLE_FILE"; then
             echo "Home files shouldn't be writable" && exit 1
         fi
-
-        echo "============================================"
     fi
 
     echo "When the plug is connected"
     snap connect home-consumer:home
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to create home files"
     home-consumer.writer "$CREATABLE_FILE"
-    cat "$CREATABLE_FILE" | grep -Pqz "ok"
-
-    echo "============================================"
+    grep -Pqz "ok" < "$CREATABLE_FILE"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
@@ -125,29 +102,22 @@
 
     echo "When the plug is disconnected"
     snap disconnect home-consumer:home
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
     echo "Then snap can't create home files"
     if home-consumer.writer "$CREATABLE_FILE"; then
         echo "It should be impossible to create home files" && exit 1
     fi
 
-    echo "============================================"
-
     echo "When the plug is connected"
     snap connect home-consumer:home
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap is not able to read hidden home files"
     if home-consumer.reader "$HIDDEN_READABLE_FILE"; then
         echo "Hidden home files shouldn't be readable" && exit 1
     fi
 
-    echo "============================================"
-
     echo "When the plug is connected"
     snap connect home-consumer:home
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap is not able to write hidden home files"
     if home-consumer.writer "$HIDDEN_CREATABLE_FILE"; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-hooks/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-hooks/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-hooks/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-hooks/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,17 +1,102 @@
-summary: Check that `snap connect` runs interface hook
+summary: Check that `snap connect` runs interface hooks
+
+environment:
+    CONSUMER_DATA: /var/snap/basic-iface-hooks-consumer/common
+    PRODUCER_DATA: /var/snap/basic-iface-hooks-producer/common
 
 prepare: |
-    echo "Build test hooks package"
-    snap pack $TESTSLIB/snaps/basic-iface-hooks-consumer
-    snap pack $TESTSLIB/snaps/basic-iface-hooks-producer
-    snap install --dangerous basic-iface-hooks-consumer_1.0_all.snap
-    snap install --dangerous basic-iface-hooks-producer_1.0_all.snap
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    snap install --devmode jq
+
+    echo "Install test hooks snaps"
+    install_local basic-iface-hooks-consumer
+    install_local basic-iface-hooks-producer
 
 restore: |
-    rm -f basic-iface-hooks-consumer_1.0_all.snap
-    rm -f basic-iface-hooks-producer_1.0_all.snap
+    rm -f "$CONSUMER_DATA/prepare-plug-consumer-done"
+    rm -f "$PRODUCER_DATA/prepare-slot-producer-done"
+    rm -f "$CONSUMER_DATA/connect-plug-consumer-done"
+    rm -f "$PRODUCER_DATA/connect-slot-producer-done"
+    rm -f "$CONSUMER_DATA/disconnect-plug-consumer-done"
+    rm -f "$PRODUCER_DATA/disconnect-slot-producer-done"
+    rm -f "$CONSUMER_DATA/unprepare-plug-consumer-done"
+    rm -f "$PRODUCER_DATA/unprepare-slot-producer-done"
+    snap remove basic-iface-hooks-consumer
+    snap remove basic-iface-hooks-producer
 
 execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    remove_markers() {
+        rm -f "$CONSUMER_DATA"/*-plug-*done
+        rm -f "$PRODUCER_DATA"/*-slot-*done
+    }
+    check_attributes(){
+        # static values should have the values defined in snap's yaml
+        jq -r '.data["conns"]["basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer"]["plug-static"]["consumer-attr-1"]' /var/lib/snapd/state.json | MATCH "consumer-value-1"
+        jq -r '.data["conns"]["basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer"]["plug-static"]["consumer-attr-2"]' /var/lib/snapd/state.json | MATCH "consumer-value-2"
+        jq -r '.data["conns"]["basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer"]["slot-static"]["producer-attr-1"]' /var/lib/snapd/state.json | MATCH "producer-value-1"
+        jq -r '.data["conns"]["basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer"]["slot-static"]["producer-attr-2"]' /var/lib/snapd/state.json | MATCH "producer-value-2"
+        # dynamic attributes have values created by the hooks, the "-validated" suffix is added by our test interface
+        jq -r '.data["conns"]["basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer"]["plug-dynamic"]["before-connect"]' /var/lib/snapd/state.json | MATCH 'plug-changed\(consumer-value\)'
+        jq -r '.data["conns"]["basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer"]["slot-dynamic"]["before-connect"]' /var/lib/snapd/state.json | MATCH 'slot-changed\(producer-value\)'
+    }
+
+    check_hooks_were_run(){
+        # producer/consumer hooks dump marker files, check if they exist to verify hooks were run
+        [ -f "$CONSUMER_DATA/prepare-plug-consumer-done" ]
+        [ -f "$PRODUCER_DATA/prepare-slot-producer-done" ]
+        [ -f "$CONSUMER_DATA/connect-plug-consumer-done" ]
+        [ -f "$PRODUCER_DATA/connect-slot-producer-done" ]
+    }
+
     echo "Test that snap connect with plug and slot hooks succeeds"
 
-    snap connect basic-iface-hooks-consumer:foo basic-iface-hooks-producer:bar
+    snap connect basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer
+
+    echo "Ensure the hooks were actually executed"
+    check_hooks_were_run
+  
+    # stop snapd before inspecting state.json
+    systemctl stop snapd.service snapd.socket
+
+    echo "Verify static and dynamic attributes have expected values"
+    check_attributes
+    systemctl start snapd.service snapd.socket
+
+    remove_markers
+
+    # make sure disconnect hooks are executed
+    snap disconnect basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer
+    snap change --last=disconnect | MATCH "Run hook disconnect-slot-producer of snap \"basic-iface-hooks-producer"
+    snap change --last=disconnect | MATCH "Run hook disconnect-plug-consumer of snap \"basic-iface-hooks-consumer"
+
+    [ -f "$CONSUMER_DATA/disconnect-plug-consumer-done" ]
+    [ -f "$PRODUCER_DATA/disconnect-slot-producer-done" ]
+
+    remove_markers
+
+    # make connect hooks fail, check that undo hooks were executed
+    snap set basic-iface-hooks-consumer fail=connect
+    if snap connect basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer ; then
+        echo "Expected snap connect to fail"
+        exit 1
+    fi
+
+    [ -f "$CONSUMER_DATA/unprepare-plug-consumer-done" ]
+    [ -f "$PRODUCER_DATA/unprepare-slot-producer-done" ]
+    [ -f "$PRODUCER_DATA/connect-slot-producer-done" ]
+    [ -f "$PRODUCER_DATA/disconnect-slot-producer-done" ]
+
+    MATCH "plug-changed.consumer-value" < "$CONSUMER_DATA/unprepare-plug-consumer-done" 
+
+    remove_markers
+
+    # disconnect hooks should be executed on snap removal
+    snap set basic-iface-hooks-consumer fail=none
+    snap connect basic-iface-hooks-consumer:consumer basic-iface-hooks-producer:producer
+    snap remove basic-iface-hooks-consumer
+    [ -f "$PRODUCER_DATA/disconnect-slot-producer-done" ]
+    snap change --last=remove | MATCH "Run hook disconnect-slot-producer of snap \"basic-iface-hooks-producer"
+    snap change --last=remove | MATCH "Run hook disconnect-plug-consumer of snap \"basic-iface-hooks-consumer"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-hooks-misbehaving/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-hooks-misbehaving/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-hooks-misbehaving/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-hooks-misbehaving/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Check that the output of noisy install hook is truncated.
 
 execute: |
-    if snap try $TESTSLIB/snaps/snap-hooks-bad-install; then
+    if snap try "$TESTSLIB"/snaps/snap-hooks-bad-install; then
         echo "Expected snap try to fail"
     fi
     if snap change --last=try|grep "start of noisy output"; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-hostname-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-hostname-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-hostname-control/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-hostname-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,67 @@
+summary: Ensure that the hostname-control interface works
+
+details: |
+    The hostname-control interface allows to configure the system hostname
+
+# ubuntu-core-18 is skipped until hostnamectl is fixed
+systems: [-ubuntu-core-18-*]
+
+prepare: |
+    echo "Install test hostname-control snap"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+restore: |
+    rm -f ./*.error
+
+execute: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB/systems.sh"
+
+    hostname="$(hostname)"
+
+    echo "The plug is disconnected by default"
+    snap interfaces -i hostname-control | MATCH -- '- +test-snapd-sh:hostname-control'
+    
+    echo "When the plug is connected"
+    snap connect test-snapd-sh:hostname-control
+
+    echo "The hostname command can be used"
+    snap_hostname="$(test-snapd-sh.with-hostname-control-plug -c "/bin/hostname")"
+    [ "$hostname" = "$snap_hostname" ]
+
+    # On core systems /etc/hostname is not writable
+    if is_classic_system; then
+        echo "And the /etc/hostname file can be written"
+        test-snapd-sh.with-hostname-control-plug -c "echo $hostname > /etc/hostname"
+    fi
+
+    echo "And hostname can be get/set through dbus"
+    test-snapd-sh.with-hostname-control-plug -c "hostnamectl" | MATCH "$hostname"
+    test-snapd-sh.with-hostname-control-plug -c "hostnamectl set-hostname $hostname"
+    
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:hostname-control
+    
+    if [ "$(snap debug confinement)" = partial ]; then
+        exit 0
+    fi
+
+    echo "Then the hostname method cannot be accessed through dbus"
+    if test-snapd-sh.with-hostname-control-plug -c "hostnamectl set-hostname $hostname" 2>access.error; then
+        echo "Expected permission error trying to set hostname with disconnected plug"
+        exit 1
+    fi
+    MATCH "Permission denied" < access.error
+
+    echo "And the /etc/hostname file cannot be written"
+    if test-snapd-sh.with-hostname-control-plug -c "echo $hostname > /etc/hostname" 2>hostname.error; then
+        echo "Expected permission error trying to acess to /etc/hostname with disconnected plug"
+        exit 1
+    fi
+    MATCH "Permission denied" < hostname.error
+
+    echo "And the /etc/hostname file and the hostname command are still available even without the connection."
+    test-snapd-sh.with-hostname-control-plug -c "test -f /etc/hostname"
+    test-snapd-sh.with-hostname-control-plug -c "test -x /bin/hostname"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-iio/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-iio/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-iio/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-iio/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -22,7 +22,8 @@
     echo "iio-0" > /dev/iio:device0
 
     echo "Given a snap declaring a plug on iio is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local iio-consumer
 
     echo "And the iio plug is connected"
@@ -36,13 +37,14 @@
     rm -f /dev/iio:device0
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    test "`$SNAP_MOUNT_DIR/bin/iio-consumer.read`" = "iio-0"
+    test "$($SNAP_MOUNT_DIR/bin/iio-consumer.read)" = "iio-0"
 
     $SNAP_MOUNT_DIR/bin/iio-consumer.write "hello"
-    test "`$SNAP_MOUNT_DIR/bin/iio-consumer.read`" = "hello"
+    test "$($SNAP_MOUNT_DIR/bin/iio-consumer.read)" = "hello"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-joystick/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-joystick/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-joystick/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-joystick/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,68 @@
+summary: Ensure that the joystick interface works.
+
+details: |
+    The joystick interface allows reading and writing to joystick devices.
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Create device files which are going to be used so simulate a real device and input data
+    # In case the device already exists, it is going to be backed up
+    # Devices used following documentation:
+    # the https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/devices.txt#L408
+    ensure_file_exists_backup_real /dev/input/js31
+    ensure_file_exists_backup_real /run/udev/data/c13:31
+    ensure_file_exists_backup_real /run/udev/data/c13:67
+    ensure_file_exists_backup_real /dev/input/event67
+
+restore: |
+    rm -f call.error
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Delete the created device files and restore backed up files
+    clean_file /dev/input/js31
+    clean_file /run/udev/data/c13:31
+    clean_file /run/udev/data/c13:67
+    clean_file /dev/input/event67
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i joystick | MATCH "\\- +test-snapd-sh:joystick"
+
+    echo "When the interface is connected"
+    snap connect test-snapd-sh:joystick
+
+    echo "Then the snap is able to access the device input for the old interface"
+    test-snapd-sh.with-joystick-plug -c "echo test >> /dev/input/js31"
+    test-snapd-sh.with-joystick-plug -c "cat /run/udev/data/c13:31"
+
+    echo "Then the snap is able to access the device input for the new interface"
+    test-snapd-sh.with-joystick-plug -c "cat /run/udev/data/c13:67"
+    test-snapd-sh.with-joystick-plug -c "echo test >> /dev/input/event67"
+
+    echo "Then the snap is able to read the supported event reports for the input device"
+    capabilities="$(find /sys/devices/ -type d -name capabilities | grep -E "/sys/devices/.*/input[0-9].*/capabilities" | head -n1)"
+    if [ -n "$capabilities" ]; then
+        test-snapd-sh.with-joystick-plug -c "ls $capabilities"
+    fi
+
+    if [ "$(snap debug confinement)" = partial ] ; then
+        exit 0
+    fi
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:joystick
+
+    echo "Then the snap is not able to read the input device"
+    if test-snapd-sh.with-joystick-plug -c "cat /dev/input/js31" 2>"${PWD}"/call.error; then
+        echo "Expected permission error accessing to input device"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-juju-client-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-juju-client-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-juju-client-observe/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-juju-client-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+summary: Ensure that the juju client observe interface works.
+
+details: |
+    The juju-client-observe interface allows access to the juju client configuration
+
+# The interface is not defined for ubuntu core systems
+systems: [-ubuntu-core-*]
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    ensure_dir_exists_backup_real "$HOME"/.local/share/juju
+    ensure_file_exists_backup_real "$HOME"/.local/share/juju/juju.conf
+
+restore: |
+    rm -f call.error
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Delete the created juju dir and configuration files
+    clean_file "$HOME"/.local/share/juju/juju.conf
+    clean_dir "$HOME"/.local/share/juju
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i juju-client-observe | MATCH -- '- +test-snapd-sh:juju-client-observe'
+
+    echo "When the interface is connected"
+    snap connect test-snapd-sh:juju-client-observe
+
+    echo "Then the snap is able to access the juju client configuration"
+    test-snapd-sh.with-juju-client-observe-plug -c "cat $HOME/.local/share/juju/juju.conf"
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:juju-client-observe
+
+    if [ "$(snap debug confinement)" = partial ]; then
+        exit 0
+    fi
+
+    echo "Then the snap is not able to read the juju client configuration"
+    if test-snapd-sh.with-juju-client-observe-plug -c "cat $HOME/.local/share/juju/juju.conf" 2>call.error; then
+        echo "Expected permission error accessing to input device"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-kernel-module-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-kernel-module-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-kernel-module-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-kernel-module-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Ensure that the kernel-module-control interface works.
 
 # the s390x kernel has no minix module
-systems: [-fedora-*, -opensuse-*, -ubuntu-*-s390x]
+systems: [-fedora-*, -opensuse-*, -ubuntu-*-s390x, -arch-*, -amazon-*, -centos-*]
 
 environment:
     MODULE: minix
@@ -21,107 +21,103 @@
 prepare: |
     echo "Given a snap declaring a plug on the kernel-module-control interface is installed"
     snap install --edge test-snapd-kernel-module-consumer
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_generic_consumer kernel-module-control
 
 restore: |
-    rm -f *.error
-    if lsmod | MATCH $MODULE && ! -f module_present; then
-        rmmod $MODULE
-    elif [ -f module_present ]; then
-        insmod $MODULE_PATH
+    rm -f ./*.error
+    if lsmod | MATCH "$MODULE" && [ ! -f module_present ]; then
+        rmmod "$MODULE"
+    elif [ -f module_present ] && ! lsmod | MATCH "$MODULE" ; then
+        insmod "$MODULE_PATH"
     fi
     rm -f module_present
 
 debug: |
     lsmod
-    ls -R /lib/modules/$(uname -r)/kernel/fs
+    ls -R /lib/modules/"$(uname -r)"/kernel/fs
 
 execute: |
-    CONNECTED_PATTERN=":kernel-module-control +.*test-snapd-kernel-module-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-kernel-module-consumer:kernel-module-control"
+    if ! [ -f "/lib/modules/$(uname -r)/kernel/fs/$MODULE/$MODULE.ko" ]; then
+        echo "$MODULE module not available in the system"
+        exit 0
+    fi
 
     echo "The plug is disconnected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
+    snap interfaces -i kernel-module-control | MATCH '^- +test-snapd-kernel-module-consumer:kernel-module-control'
 
     echo "When the plug is connected"
     snap connect test-snapd-kernel-module-consumer:kernel-module-control
     snap connect generic-consumer:kernel-module-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
-
 
     echo "Then the snap is able to list the existing modules"
-    [ $(su -l -c "test-snapd-kernel-module-consumer.lsmod" test | wc -l) -gt 2 ]
+    [ "$(su -l -c "test-snapd-kernel-module-consumer.lsmod" test | wc -l)" -gt 2 ]
 
     echo "And the snap is able to insert a module"
-    if lsmod | MATCH $MODULE; then
+    if lsmod | MATCH "$MODULE"; then
         touch module_present
-        rmmod minix
+        rmmod "$MODULE"
     fi
-    lsmod | MATCH -v $MODULE
-    test-snapd-kernel-module-consumer.insmod $MODULE_PATH
+    lsmod | MATCH -v "$MODULE"
+    test-snapd-kernel-module-consumer.insmod "$MODULE_PATH"
 
     echo "And the snap is able to read /sys/module"
-    generic-consumer.cmd ls /sys/module | MATCH $MODULE
+    generic-consumer.cmd ls /sys/module | MATCH "$MODULE"
 
     echo "And the snap is not able to write to /sys/module"
-    if su -l -c "generic-consumer.cmd touch /sys/module/test 2>${PWD}/touch.error" test; then
+    if su -l -c "generic-consumer.cmd touch /sys/module/test" test 2>"${PWD}/touch.error"; then
         echo "Expected permission error writing to /sys/module"
         exit 1
     fi
-    cat touch.error | MATCH "Permission denied"
+    MATCH "Permission denied" < touch.error
 
     echo "And the snap is able to remove a module"
-    test-snapd-kernel-module-consumer.rmmod $MODULE
-    lsmod | MATCH -v $MODULE
+    test-snapd-kernel-module-consumer.rmmod "$MODULE"
+    lsmod | MATCH -v "$MODULE"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
-    echo "==================================="
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-kernel-module-consumer:kernel-module-control
     snap disconnect generic-consumer:kernel-module-control
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to list modules"
-    if su -l -c "test-snapd-kernel-module-consumer.lsmod 2>${PWD}/list.error" test; then
+    if su -l -c "test-snapd-kernel-module-consumer.lsmod" test 2>"${PWD}/list.error"; then
         echo "Expected permission error listing modules with disconnected plug"
         exit 1
     fi
-    cat list.error | MATCH "Permission denied"
+    MATCH "Permission denied" < list.error
 
     echo "And the snap is not able to insert a module"
-    if test-snapd-kernel-module-consumer.insmod $MODULE_PATH; then
+    if test-snapd-kernel-module-consumer.insmod "$MODULE_PATH"; then
         echo "Expected permission error inserting module with disconnected plug"
         exit 1
     fi
 
     echo "And the snap is not able to remove a module"
     # first we need to insert the module
-    lsmod | MATCH -v $MODULE
-    insmod $MODULE_PATH
-    lsmod | MATCH $MODULE
-    if test-snapd-kernel-module-consumer.rmmod $MODULE 2>${PWD}/remove.error; then
+    lsmod | MATCH -v "$MODULE"
+    insmod "$MODULE_PATH"
+    lsmod | MATCH "$MODULE"
+    if test-snapd-kernel-module-consumer.rmmod "$MODULE" 2> remove.error; then
         echo "Expected permission error removing module with disconnected plug"
         exit 1
     fi
-    cat remove.error | MATCH "Permission denied"
+    MATCH "Permission denied" < remove.error
 
     echo "And the snap is not able to read /sys/module"
-    if su -l -c "generic-consumer.cmd ls /sys/module 2>${PWD}/read.error" test; then
+    if su -l -c "generic-consumer.cmd ls /sys/module" test 2>"${PWD}/read.error"; then
         echo "Expected permission error reading /sys/module with disconnected plug"
         exit 1
     fi
-    cat read.error | MATCH "Permission denied"
+    MATCH "Permission denied" < read.error
 
     echo "And the snap is not able to write to /sys/module"
-    if su -l -c "generic-consumer.cmd touch /sys/module/test 2>${PWD}/touch.error" test; then
+    if su -l -c "generic-consumer.cmd touch /sys/module/test" test 2>"${PWD}/touch.error"; then
         echo "Expected permission error writing to /sys/module"
         exit 1
     fi
-    cat touch.error | MATCH "Permission denied"
+    MATCH "Permission denied" < touch.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-kvm/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-kvm/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-kvm/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-kvm/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,13 +3,10 @@
 details: |
     The kvm interface allows read/write access to kvm.
 
-environment:
-    CONNECTED_PATTERN: ':kvm +test-snapd-kvm'
-    DISCONNECTED_PATTERN: '\- +test-snapd-kvm:kvm'
-
 prepare: |
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-kvm
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
 
     if [ -e /dev/kvm ]; then
         mv /dev/kvm /dev/kvm.bak
@@ -20,32 +17,30 @@
     rm -f call.error
     rm -f /dev/kvm
 
-    if [ -e /dev/kvm.bak]; then
+    if [ -e /dev/kvm.bak ]; then
         mv /dev/kvm.bak /dev/kvm
     fi
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i kvm | MATCH '^- +test-snapd-sh:kvm'
 
     echo "When the interface is connected"
-    snap connect test-snapd-kvm:kvm
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap connect test-snapd-sh:kvm
 
     echo "Then the snap is able to read/write on /dev/kvm"
-    test-snapd-kvm.sh -c "cat /dev/kvm"
-    test-snapd-kvm.sh -c "echo 'test' >> /dev/kvm"
+    test-snapd-sh.with-kvm-plug -c "cat /dev/kvm"
+    test-snapd-sh.with-kvm-plug -c "echo 'test' >> /dev/kvm"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-kvm:kvm
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap disconnect test-snapd-sh:kvm
 
     echo "Then the snap is not able to read the kvm device"
-    if test-snapd-kvm.sh -c "cat /dev/kvm" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-kvm-plug -c "cat /dev/kvm" 2> call.error; then
         echo "Expected permission error accessing to kvm device"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-libvirt/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-libvirt/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-libvirt/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-libvirt/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -41,17 +41,11 @@
     deluser test libvirtd
 
 execute: |
-    CONNECTED_PATTERN=":libvirt +test-snapd-libvirt-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-libvirt-consumer:libvirt"
-
-    echo "The plug is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
+    echo "The interface is not connected by default"
+    snap interfaces -i libvirt | MATCH '^- +test-snapd-libvirt-consumer:libvirt'
 
     echo "When the plug is connected"
     snap connect test-snapd-libvirt-consumer:libvirt
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to create the unikernel domain"
     su -l -c "test-snapd-libvirt-consumer.machine-up" test
@@ -64,15 +58,12 @@
     su -l -c "test-snapd-libvirt-consumer.machine-down" test
     virsh list | MATCH -v ping-unikernel
 
-    echo "==================================="
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-libvirt-consumer:libvirt
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to create a domain"
-    if su -l -c "test-snapd-libvirt-consumer.machine-up 2>${PWD}/creation.error" test; then
+    if su -l -c "test-snapd-libvirt-consumer.machine-up" test 2>"${PWD}/creation.error"; then
         echo "Expected permission error accessing libvirtd socket with disconnected plug"
         exit 1
     fi
-    cat creation.error | MATCH "Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied"
+    MATCH "Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied" < creation.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-locale-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-locale-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-locale-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-locale-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Ensure that the locale-control interface works.
 
-systems: [-fedora-*, -opensuse-*]
+systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 summary: |
     The locale-control interface allows a snap to access the locale configuration.
@@ -22,9 +22,12 @@
         fi
     fi
 
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
     echo "Given a snap declaring a plug on the locale-control interface is installed"
-    snap pack $TESTSLIB/snaps/locale-control-consumer
-    snap install --dangerous locale-control-consumer_1.0_all.snap
+    install_local locale-control-consumer
+
     mv /etc/default/locale locale.back
     cat > /etc/default/locale <<EOF
     LANG="$LANG"
@@ -41,7 +44,7 @@
         fi
     fi
 
-    rm -f locale-control-consumer_1.0_all.snap locale-read.error locale-write.error
+    rm -f locale-read.error locale-write.error
     mv locale.back /etc/default/locale
 
 execute: |
@@ -54,13 +57,8 @@
         fi
     fi
 
-    CONNECTED_PATTERN=":locale-control +locale-control-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +locale-control-consumer:locale-control"
-
-    echo "Then it is not connected by default"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
+    echo "The interface is not connected by default"
+    snap interfaces -i locale-control | MATCH '^- +locale-control-consumer:locale-control'
 
     echo "When the plug is connected"
     snap connect locale-control-consumer:locale-control
@@ -68,20 +66,16 @@
     echo "Then the snap is able to read the locale configuration"
     [ "$(su -l -c 'locale-control-consumer.get LANG' test)" = "$LANG" ]
 
-    echo "==================================="
-
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "When the plug is disconnected"
         snap disconnect locale-control-consumer:locale-control
 
         echo "Then the snap is not able to read the locale configuration"
-        if su -l -c "locale-control-consumer.get LANG 2>${PWD}/locale-read.error" test; then
+        if su -l -c "locale-control-consumer.get LANG" test 2>"${PWD}/locale-read.error"; then
             echo "Expected permission error accessing locale configuration with disconnected plug"
             exit 1
         fi
         grep -q "Permission denied" locale-read.error
-
-        echo "==================================="
     fi
 
     echo "When the plug is connected"
@@ -92,13 +86,11 @@
     grep -q "LANG=\"mylang\"" /etc/default/locale
 
     if [ "$(snap debug confinement)" = strict ] ; then
-        echo "==================================="
-
         echo "When the plug is disconnected"
         snap disconnect locale-control-consumer:locale-control
 
         echo "Then the snap is not able to read the locale configuration"
-        if locale-control-consumer.set LANG mysecondlang 2>${PWD}/locale-write.error; then
+        if locale-control-consumer.set LANG mysecondlang 2> locale-write.error; then
             echo "Expected permission error accessing locale configuration with disconnected plug"
             exit 1
         fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-location-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-location-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-location-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-location-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,10 +10,12 @@
 
 # dbus-launch not supported in ubuntu-core
 # s390x does not support locationd
-systems: [-ubuntu-core-16-*, -ubuntu-*-s390x]
+systems: [-ubuntu-core-*, -ubuntu-*-s390x]
 
 prepare: |
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
     echo "Given a snap declaring a plug on the location-control interface is installed"
     snap install test-snapd-location-control-provider
@@ -24,22 +26,19 @@
 restore: |
     rm -f getprop.error
 
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
     stop_dbus_unit
 
 execute: |
-    CONNECTED_PATTERN="^test-snapd-location-control-provider:location-control-test +test-snapd-location-control-provider:location-control"
-    DISCONNECTED_PATTERN="^- +test-snapd-location-control-provider:location-control$"
-
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i location-control | MATCH "^- +test-snapd-location-control-provider:location-control$"
 
     echo "The interface can be connected"
     snap connect test-snapd-location-control-provider:location-control test-snapd-location-control-provider:location-control-test
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then wait until the dbus name is properly reserved"
-    for i in $(seq 10); do
+    for _ in $(seq 10); do
         if test-snapd-location-control-provider.consumer Get | MATCH "location-provider-added"; then
             break
         else
@@ -56,15 +55,13 @@
     
     echo "When the plug is disconnected"
     snap disconnect test-snapd-location-control-provider:location-control test-snapd-location-control-provider:location-control-test
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "And the location provider props cannot be accessed"
-    if test-snapd-location-control-provider.consumer Get 2>${PWD}/getprop.error; then
+    if test-snapd-location-control-provider.consumer Get 2>"${PWD}"/getprop.error; then
         echo "Expected permission error trying to get props with disconnected plug"
         exit 1
     fi
     MATCH "Permission denied" < getprop.error
 
-    echo "When the plug is re-connected the interfaces show the connection"
+    echo "And the plug can be re-connected"
     snap connect test-snapd-location-control-provider:location-control test-snapd-location-control-provider:location-control-test
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-log-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-log-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-log-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-log-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,56 +10,37 @@
 
 environment:
     SNAP_NAME: log-observe-consumer
-    SNAP_FILE: "${SNAP_NAME}_1.0_all.snap"
     PLUG: log-observe
 
 prepare: |
-    echo "Given a snap declaring the $PLUG plug is installed"
-    snap pack $TESTSLIB/snaps/$SNAP_NAME
-    snap install --dangerous $SNAP_FILE
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
 
-restore: |
-    rm -f $SNAP_FILE
+    echo "Given a snap declaring the $PLUG plug is installed"
+    install_local log-observe-consumer
 
 execute: |
-    CONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    :$PLUG +$SNAP_NAME"
-    DISCONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    - +$SNAP_NAME:$PLUG"
-
-    echo "Then the snap is not listed as connected"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "============================================"
+    echo "The interface is not connected by default"
+    snap interfaces -i log-observe | MATCH "^- +$SNAP_NAME:$PLUG"
 
     echo "When the plug is connected"
-    snap connect $SNAP_NAME:$PLUG
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    snap connect "$SNAP_NAME:$PLUG"
 
     echo "Then the plug can be disconnected again"
-    snap disconnect $SNAP_NAME:$PLUG
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "============================================"
+    snap disconnect "$SNAP_NAME:$PLUG"
 
     echo "When the plug is connected"
-    snap connect $SNAP_NAME:$PLUG
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    snap connect "$SNAP_NAME:$PLUG"
 
     echo "Then the snap is able to access the system logs"
-    log-observe-consumer | grep -Pqz "ok\n"
+    log-observe-consumer | MATCH 'ok$'
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
-    echo "============================================"
-
     echo "When the plug is disconnected"
-    snap disconnect $SNAP_NAME:$PLUG
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+    snap disconnect "$SNAP_NAME:$PLUG"
 
     echo "Then snap can't access the system logs"
     if log-observe-consumer; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-many/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-many/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-many/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-many/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,5 @@
 summary: Ensure that commands run when their interfaces are connected
 
-# Start early as it takes a long time.
-priority: 100
-
-debug: |
-    # get the full journal to see any out-of-memory errors
-    journalctl
-
 details: |
     Install a test snap that plugs as many interfaces as is possible and
     verify the command can run (ie, don't test the interface functionality
@@ -28,8 +21,20 @@
 # memory issue inside the adt environment
 backends: [-autopkgtest]
 
+# Start early as it takes a long time.
+priority: 100
+
+debug: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
+    # get the full journal to see any out-of-memory errors
+    # shellcheck disable=SC2119
+    get_journalctl_log
+
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     PROVIDER_SNAP="test-snapd-policy-app-provider-classic"
     # quick test to see if on a core system or not
@@ -38,7 +43,8 @@
     fi
 
     echo "Given a snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local "$PROVIDER_SNAP"
 
     CONSUMER_SNAP="test-snapd-policy-app-consumer"
@@ -49,7 +55,8 @@
         slotcmd_bn=$(basename "$slotcmd")
         slot_iface=$(echo "$slotcmd_bn" | tr '.' ':')
 
-        plugcmd=$(echo $slotcmd | sed "s/$PROVIDER_SNAP/$CONSUMER_SNAP/")
+        #shellcheck disable=SC2001
+        plugcmd=$(echo "$slotcmd" | sed "s/$PROVIDER_SNAP/$CONSUMER_SNAP/")
         plugcmd_bn=$(basename "$plugcmd")
         plug_iface=$(echo "$plugcmd_bn" | tr '.' ':')
 
@@ -57,11 +64,7 @@
         DISCONNECTED_PATTERN="$slot_iface +-"
 
         echo "When slot $slot_iface is connected"
-        if snap interfaces | MATCH "$DISCONNECTED_PATTERN" ; then
-            snap connect "$plug_iface" "$slot_iface"
-        else
-            echo "$plug_iface already connected"
-        fi
+        snap connect "$plug_iface" "$slot_iface"
         snap interfaces | MATCH "$CONNECTED_PATTERN"
 
         echo "Then $slotcmd_bn should succeed"
@@ -75,6 +78,7 @@
     for plugcmd in "$SNAP_MOUNT_DIR"/bin/"$CONSUMER_SNAP".* ; do
         plugcmd_bn=$(basename "$plugcmd")
         plug_iface=$(echo "$plugcmd_bn" | tr '.' ':')
+        #shellcheck disable=SC2001
         slot_iface=$(echo "$plug_iface" | sed "s/$CONSUMER_SNAP//")
 
         # we test browser-support two different ways, so account for that
@@ -82,24 +86,17 @@
             slot_iface=":browser-support"
         fi
 
-        CONNECTED_PATTERN="$slot_iface +$CONSUMER_SNAP"
+        CONNECTED_PATTERN="$slot_iface +.*$CONSUMER_SNAP"
         DISCONNECTED_PATTERN="$slot_iface +-"
 
-        # The core-support plug is connected by the core snap, so account for
-        # that
-        if [ "$plug_iface" = "$CONSUMER_SNAP:core-support" ]; then
-            CONNECTED_PATTERN="$slot_iface +core:core-support-plug,$CONSUMER_SNAP"
-            DISCONNECTED_PATTERN="$slot_iface +core:core-support-plug$"
-        fi
-
         # Skip any interfaces that core doesn't ship
-        if ! snap interfaces | MATCH "$slot_iface +" ; then
+        if ! snap interfaces | grep -E -q "$slot_iface +"; then
             echo "$slot_iface not present, skipping"
             continue
         fi
 
         echo "When slot $slot_iface is connected"
-        if snap interfaces | MATCH "$DISCONNECTED_PATTERN" ; then
+        if snap interfaces | grep -E -q "$DISCONNECTED_PATTERN"; then
             if [ "$slot_iface" = ":broadcom-asic-control" ] || [ "$slot_iface" = ":firewall-control" ] || [ "$slot_iface" = ":kubernetes-support" ] || [ "$slot_iface" = ":openvswitch-support" ] || [ "$slot_iface" = ":ppp" ]; then
                 # TODO: when the kmod backend no longer fails on missing
                 # modules, we can remove this
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-mount-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-mount-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-mount-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-mount-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -12,38 +12,29 @@
     is also shown when the plug is connected.
 
 prepare: |
-    echo "Given a snap declaring a plug on the mount-observe interface is installed"
-    snap pack $TESTSLIB/snaps/mount-observe-consumer
-    snap install --dangerous mount-observe-consumer_1.0_all.snap
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
 
-restore: |
-    rm -f mount-observe-consumer_1.0_all.snap
+    echo "Given a snap declaring a plug on the mount-observe interface is installed"
+    install_local mount-observe-consumer
 
 execute: |
-    . $TESTSLIB/dirs.sh
-
-    CONNECTED_PATTERN=":mount-observe +mount-observe-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +mount-observe-consumer:mount-observe"
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
-    echo "Then the plug is shown as disconnected"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "========================================="
+    echo "The interface is not connected by default"
+    snap interfaces -i mount-observe | MATCH -- '- +mount-observe-consumer:mount-observe'
 
     echo "When the plug is connected"
     snap connect mount-observe-consumer:mount-observe
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the mount info is reachable"
     expected="$SNAP_MOUNT_DIR/mount-observe-consumer"
     su -l -c "mount-observe-consumer" test | grep -Pq "$expected"
 
     if [ "$(snap debug confinement)" = strict ] ; then
-        echo "========================================="
-
         echo "When the plug is disconnected"
         snap disconnect mount-observe-consumer:mount-observe
-        snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
         echo "Then the mount info is not reachable"
         if su -l -c "mount-observe-consumer" test; then
@@ -52,13 +43,11 @@
         fi
     fi
 
-    echo "========================================="
-
     echo "When the plug is connected"
     snap connect mount-observe-consumer:mount-observe
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "And a new mount is created"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local test-snapd-tools
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-netlink-audit/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-netlink-audit/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-netlink-audit/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-netlink-audit/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,26 +2,22 @@
 
 details: |
     The netlink-audit interface allows read/write to kernel audit system.
-
     The test-snapd-netlink-audit snap creates a netlink socket and binds it. 
 
-# Ubuntu 14.04-64 is skipped due to the capability CAP_AUDIT_READ
-# is not available in its kernel
-systems: [-ubuntu-14.04-*]
-
-environment:
-    CONNECTED_PATTERN: ':netlink-audit +test-snapd-netlink-audit'
-    DISCONNECTED_PATTERN: '\- +test-snapd-netlink-audit:netlink-audit'
+# Ubuntu 14.04: CAP_AUDIT_READ is not available in its kernel
+# arch: CONFIG_AUDIT is not enabled in the default kernel
+systems: [-ubuntu-14.04-*, -arch-*]
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     # Install a snap declaring a plug on netlink-audit
     install_local test-snapd-netlink-audit
 
 execute: |
-    echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    echo "The interface is disconnected by default"
+    snap interfaces -i netlink-audit | MATCH -- '- +test-snapd-netlink-audit:netlink-audit'
 
     echo "When the interface is connected"
     snap connect test-snapd-netlink-audit:netlink-audit
@@ -35,7 +31,6 @@
 
     echo "When the plug is disconnected"
     snap disconnect test-snapd-netlink-audit:netlink-audit
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to bind the netlink socket"
     if test-snapd-netlink-audit.bind; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-netlink-connector/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-netlink-connector/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-netlink-connector/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-netlink-connector/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,23 +5,19 @@
 
     The test-snapd-netlink-connector snap creates a netlink socket and binds it. 
 
-environment:
-    CONNECTED_PATTERN: ':netlink-connector +test-snapd-netlink-connector'
-    DISCONNECTED_PATTERN: '\- +test-snapd-netlink-connector:netlink-connector'
-
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     # Install a snap declaring a plug on netlink-connector
     install_local test-snapd-netlink-connector
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i netlink-connector | MATCH -- '- +test-snapd-netlink-connector:netlink-connector'
 
     echo "When the interface is connected"
     snap connect test-snapd-netlink-connector:netlink-connector
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to create and bind a netlink socket"
     test-snapd-netlink-connector.bind
@@ -32,7 +28,6 @@
 
     echo "When the plug is disconnected"
     snap disconnect test-snapd-netlink-connector:netlink-connector
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to bind the netlink socket"
     if test-snapd-netlink-connector.bind; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,5 @@
 summary: Ensure network interface works.
 
-systems: [-fedora-*, -opensuse-*]
-
 details: |
     The network interface allows a snap to access the network as a client.
 
@@ -11,69 +9,57 @@
 
     A snap declaring a plug on this interface must be able to access network services.
 
+# amazon: uses nmap-netcat
+systems: [-fedora-*, -opensuse-*, -amazon-*, -centos-*]
+
 environment:
     SNAP_NAME: network-consumer
-    SNAP_FILE: ${SNAP_NAME}_1.0_all.snap
     PORT: 8081
     SERVICE_FILE: "./service.sh"
     SERVICE_NAME: "test-service"
 
 prepare: |
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     echo "Given a snap declaring the network plug is installed"
-    snap pack $TESTSLIB/snaps/$SNAP_NAME
-    snap install --dangerous $SNAP_FILE
+    install_local "$SNAP_NAME"
 
     echo "And a service is listening"
-    printf "#!/bin/sh -e\nwhile true; do echo \"HTTP/1.1 200 OK\n\nok\n\" |  nc -l -p $PORT -q 1; done" > $SERVICE_FILE
-    chmod a+x $SERVICE_FILE
-    systemd_create_and_start_unit $SERVICE_NAME "$(readlink -f $SERVICE_FILE)"
-
-    while ! netstat -lnt | grep -Pq "tcp.*?:$PORT +.*?LISTEN\n*"; do sleep 0.5; done
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    make_network_service "$SERVICE_NAME" "$SERVICE_FILE" "$PORT"
 
 restore: |
-    . $TESTSLIB/systemd.sh
-    systemd_stop_and_destroy_unit $SERVICE_NAME
-    rm -f $SNAP_FILE $SERVICE_FILE
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
+    #shellcheck disable=SC2153
+    systemd_stop_and_destroy_unit "$SERVICE_NAME"
+    rm -f "$SERVICE_FILE"
 
 execute: |
-    CONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    :network +$SNAP_NAME"
-    DISCONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    - +$SNAP_NAME:network"
-
-    echo "Then the snap is listed as connected"
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
-
-    echo "============================================"
+    echo "The interface is connected by default"
+    snap interfaces -i network | MATCH ":network .*$SNAP_NAME"
 
     echo "When the plug is disconnected"
-    snap disconnect $SNAP_NAME:network
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+    snap disconnect "$SNAP_NAME:network"
 
     echo "Then the plug can be connected again"
-    snap connect $SNAP_NAME:network
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
-
-    echo "============================================"
-
-    echo "When the plug is connected"
-    snap connect $SNAP_NAME:network
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    snap connect "$SNAP_NAME:network"
 
     echo "Then the snap is able to access a network service"
-    network-consumer http://127.0.0.1:$PORT | grep -Pqz "ok\n"
+    network-consumer http://127.0.0.1:"$PORT" | grep -Pqz 'ok\n'
 
-    echo "============================================"
+    if [ "$(snap debug confinement)" = partial ] ; then
+        exit 0
+    fi
 
     echo "When the plug is disconnected"
-    snap disconnect $SNAP_NAME:network
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+    snap disconnect "$SNAP_NAME:network"
 
     echo "Then snap can't access a network service"
-    if network-consumer http://127.0.0.1:$PORT; then
+    if network-consumer "http://127.0.0.1:$PORT"; then
         echo "Network shouldn't be accessible"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-bind/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-bind/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-bind/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-bind/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -11,67 +11,50 @@
 
 environment:
     SNAP_NAME: network-bind-consumer
-    SNAP_FILE: ${SNAP_NAME}_1.0_all.snap
     PORT: 8081
     REQUEST_FILE: ./request.txt
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
     echo "Given a snap declaring the network-bind plug is installed"
-    snap pack $TESTSLIB/snaps/$SNAP_NAME
-    snap install --dangerous $SNAP_FILE
+    install_local "$SNAP_NAME"
 
     echo "Given the snap's service is listening"
-    while ! netstat -lnt | grep -Pq "tcp.*?:$PORT +.*?LISTEN\n*"; do sleep 0.5; done
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    wait_listen_port "$PORT"
 
     echo "Given we store a basic HTTP request"
-    cat > $REQUEST_FILE <<EOF
+    cat > "$REQUEST_FILE" <<EOF
     GET / HTTP/1.0
 
     EOF
 
 restore: |
-    rm -f $SNAP_FILE $REQUEST_FILE
+    # This snap is removed because it generates thousands of DENIALS in the journal. Most of those
+    # are sent after the journalctl cursor for following test is determined producing errors while
+    # preparing the test.
+    snap remove network-bind-consumer
 
 execute: |
-    CONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    :network-bind +.*$SNAP_NAME"
-    DISCONNECTED_PATTERN="(?s)Slot +Plug\n\
-    .*?\n\
-    - +$SNAP_NAME:network-bind"
-
-    echo "Then the snap is listed as connected"
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
-
-    echo "============================================"
-
-    echo "When the plug is disconnected"
-    snap disconnect $SNAP_NAME:network-bind
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "Then the plug can be connected again"
-    snap connect $SNAP_NAME:network-bind
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
-
-    echo "============================================"
-
-    echo "When the plug is connected"
-    snap connect $SNAP_NAME:network-bind
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    echo "The interface is connected by default"
+    snap interfaces -i network-bind | MATCH ":network-bind .*$SNAP_NAME"
 
     echo "Then the service is accessible by a client"
-    nc -w 2 localhost "$PORT" < $REQUEST_FILE | grep -Pqz "ok\n"
+    nc -w 1 localhost "$PORT" < "$REQUEST_FILE" | grep -Pqz 'ok\n'
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
-    echo "============================================"
-
     echo "When the plug is disconnected"
-    snap disconnect $SNAP_NAME:network-bind
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
+    snap disconnect "$SNAP_NAME:network-bind"
 
     echo "Then the service is not accessible by a client"
-    response=$(nc -w 2 localhost "$PORT" < $REQUEST_FILE)
+    response=$(nc -w 1 localhost "$PORT" < "$REQUEST_FILE")
     [ "$response" = "" ]
+
+    echo "Then the plug can be connected again"
+    snap connect "$SNAP_NAME:network-bind"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -20,95 +20,83 @@
     ARP_ENTRY_ADDR: "30.30.30.30"
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
-
     echo "Given a snap declaring a plug on the network-control interface is installed"
-    snap pack $TESTSLIB/snaps/network-control-consumer
-    snap install --dangerous network-control-consumer_1.0_all.snap
+    install_local network-control-consumer
 
     echo "And a network service is up"
-    printf "#!/bin/sh -e\nwhile true; do echo \"HTTP/1.1 200 OK\n\nok\n\" |  nc -l -p $PORT; done" > $SERVICE_FILE
-    chmod a+x $SERVICE_FILE
-    systemd_create_and_start_unit $SERVICE_NAME "$(readlink -f $SERVICE_FILE)"
-
-    while ! netstat -lnt | grep -Pq "tcp.*?:$PORT +.*?LISTEN\n*"; do sleep 0.5; done
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    make_network_service "$SERVICE_NAME" "$SERVICE_FILE" "$PORT"
 
 restore: |
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
+    #shellcheck source=tests/lib/network.sh
     . "$TESTSLIB/network.sh"
 
-    systemd_stop_and_destroy_unit $SERVICE_NAME
-    rm -f network-control-consumer_1.0_all.snap *.output $SERVICE_FILE
-    arp -d $ARP_ENTRY_ADDR -i $(get_default_iface) || true
+    #shellcheck disable=SC2153
+    systemd_stop_and_destroy_unit "$SERVICE_NAME"
+    rm -f ./*.output "$SERVICE_FILE"
+    arp -d "$ARP_ENTRY_ADDR" -i "$(get_default_iface)" || true
 
     ip netns delete test-ns || true
     ip link delete veth0 || true
 
 execute: |
+    #shellcheck source=tests/lib/network.sh
     . "$TESTSLIB/network.sh"
 
-    CONNECTED_PATTERN=":network-control +network-control-consumer"
-    DISCONNECTED_PATTERN="^- +network-control-consumer:network-control$"
     INTERFACE=$(get_default_iface)
 
     echo "Then the plug disconnected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "===================================="
+    snap interfaces -i network-control | MATCH "^- +network-control-consumer:network-control$"
 
     echo "When the plug is connected"
     snap connect network-control-consumer:network-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap command can query network status information"
-    network-control-consumer.cmd netstat -lnt | MATCH "0.0.0.0:$PORT.*?LISTEN"
-
-    echo "===================================="
+    network-control-consumer.cmd ss -lnt | MATCH "LISTEN.*:$PORT"
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "When the plug is disconnected"
         snap disconnect network-control-consumer:network-control
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
         echo "Then the snap command can not query network status information"
-        if network-control-consumer.cmd netstat -lnt 2>net-query.output; then
+        if network-control-consumer.cmd ss -lnt 2>net-query.output; then
             echo "Expected error caling command with disconnected plug"
             exit 1
         fi
-        cat net-query.output | MATCH "Permission denied"
-
-        echo "===================================="
+        MATCH "Permission denied" < net-query.output
     fi
 
     echo "When the plug is connected"
     snap connect network-control-consumer:network-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
-
-    echo "Then the snap command can modify the network configuration"
-    network-control-consumer.cmd arp -s "$ARP_ENTRY_ADDR" aa:aa:aa:aa:aa:aa -i "$INTERFACE"
-    expected="(?s)br0.*?state UP.*?bridge.*?foo@bar.*?veth.*?bar@foo.*?veth"
-    arp | MATCH "$ARP_ENTRY_ADDR.*?ether.*?CM"
-
-    echo "===================================="
 
-    if [ "$(snap debug confinement)" = strict ] ; then
-        echo "When the plug is disconnected"
-        snap disconnect network-control-consumer:network-control
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-        echo "Then the snap command can not modify the network configuration"
-        if network-control-consumer.cmd arp -s "$ARP_ENTRY_ADDR" aa:aa:aa:aa:aa:aa -i "$INTERFACE" 2>net-command.output; then
-            echo "Expected error calling command with disconnected plug"
-            exit 1
+    # core18 has no "arp" utility
+    if [ "$(comamnd -v arp)" != "" ]; then
+        echo "Then the snap command can modify the network configuration"
+        network-control-consumer.cmd arp -s "$ARP_ENTRY_ADDR" aa:aa:aa:aa:aa:aa -i "$INTERFACE"
+        arp | MATCH "$ARP_ENTRY_ADDR.*?ether.*?CM"
+
+        if [ "$(snap debug confinement)" = strict ] ; then
+            echo "When the plug is disconnected"
+            snap disconnect network-control-consumer:network-control
+
+            echo "Then the snap command can not modify the network configuration"
+            if network-control-consumer.cmd arp -s "$ARP_ENTRY_ADDR" aa:aa:aa:aa:aa:aa -i "$INTERFACE" 2>net-command.output; then
+                echo "Expected error calling command with disconnected plug"
+                exit 1
+            fi
+            MATCH "Permission denied" < net-command.output
         fi
-        cat net-command.output | MATCH "Permission denied"
-
-        echo "===================================="
     fi
 
     echo "When the plug is connected"
     snap connect network-control-consumer:network-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "A network namespace can be created"
     network-control-consumer.cmd ip netns add test-ns
@@ -128,17 +116,17 @@
     network-control-consumer.cmd ip netns exec test-ns ip link list | MATCH "veth1"
 
     if [ "$(snap debug confinement)" = strict ] ; then
-        echo "===================================="
+        echo "And the policy has the ptrace suppression rule"
+        MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.network-control-consumer.cmd
 
         echo "When the plug is disconnected"
         snap disconnect network-control-consumer:network-control
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
         echo "The snap is not able to create a network namespace"
         if network-control-consumer.cmd ip netns add test-ns-2 2>ns-create.output; then
             echo "Expected error calling ns create command with disconnected plug"
         fi
-        cat ns-create.output | MATCH "Permission denied"
+        MATCH "Permission denied" < ns-create.output
 
         echo "And the snap can't add a veth interface to an existing namespace"
         # first, move veth1 back to the root namespace
@@ -147,7 +135,7 @@
             echo "Expected error trying to move veth to network namespace with disconnected plug"
             exit 1
         fi
-        cat ns-move.output | MATCH "Permission denied"
+        MATCH "Permission denied" < ns-move.output
 
 
         echo "And the snap can't execute a command in the context of the namespace"
@@ -155,5 +143,5 @@
             echo "Expected error trying to execute command in a network namespace context with disconnected plug"
             exit 1
         fi
-        cat ns-exec.output | MATCH "Permission denied"
+        MATCH "Permission denied" < ns-exec.output
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-control-ip-netns/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-control-ip-netns/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-control-ip-netns/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-control-ip-netns/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,8 +1,10 @@
 summary: The /run/netns directory propagates events outwards
+
 details: |
     The /run/netns directory is special in that mount events propagate outward
     from the mount namespace used by snap applications into the main mount
     namespace.
+
 prepare: |
     snap install --devmode snapd-hacker-toolbelt
     if [ "$(snap debug confinement)" = strict ] ; then
@@ -10,24 +12,30 @@
         sed -i 's#^}#/{,usr/}{,s}bin/ip ixr,\n}#' /var/lib/snapd/apparmor/profiles/snap.snapd-hacker-toolbelt.busybox
         apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.snapd-hacker-toolbelt.busybox
     fi
+
 execute: |
     export PATH=$PATH:/snap/bin
     test ! -e /run/netns/canary
+
     echo "Network namespace created within a snap exists in global"
     snapd-hacker-toolbelt.busybox sh -c '/bin/ip netns add canary'
     test -e /run/netns/canary
     ip netns list | MATCH canary
+
     echo "Network namespace deleted from global is removed from snap"
     ip netns delete canary
     test ! -e /run/netns/canary
     snapd-hacker-toolbelt.busybox sh -c '/bin/ip netns list' | MATCH -v canary
+
     echo "Network namespace created from global exists in snap"
     ip netns add canary
     test -e /run/netns/canary
     snapd-hacker-toolbelt.busybox sh -c '/bin/ip netns list' | MATCH canary
+
     echo "Network namespace deleted from snap is removed from global"
     snapd-hacker-toolbelt.busybox sh -c '/bin/ip netns delete canary'
     test ! -e /run/netns/canary
+
 restore: |
     snap remove snapd-hacker-toolbelt
     # If this doesn't work maybe it is because the test didn't execute correctly
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-control-tuntap/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-control-tuntap/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-control-tuntap/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-control-tuntap/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -17,27 +17,27 @@
     DEV/tun: tun255
     DEV/tap: tap255
 
-execute: |
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
     echo "Given a snap declaring a plug on the network-control interface is installed"
-    . $TESTSLIB/snaps.sh
     install_local test-snapd-tuntap
 
+execute: |
+    #shellcheck source=tests/lib/network.sh
     . "$TESTSLIB/network.sh"
 
-    CONNECTED_PATTERN=":network-control +test-snapd-tuntap"
-    DISCONNECTED_PATTERN="^- +test-snapd-tuntap:network-control$"
-
-    echo "Then the plug disconnected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    echo "The interface is disconnected by default"
+    snap interfaces -i network-control | MATCH -- '^- +test-snapd-tuntap:network-control$'
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "And cannot allocate the $DEV device"
-        test-snapd-tuntap.tuntap $DEV 2>&1 | MATCH "Permission denied"
+        test-snapd-tuntap.tuntap "$DEV" 2>&1 | MATCH "Permission denied"
     fi
 
     echo "When the plug is connected"
     snap connect test-snapd-tuntap:network-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap command can allocate the $DEV device"
-    test-snapd-tuntap.tuntap $DEV | MATCH "PASS"
+    test-snapd-tuntap.tuntap "$DEV" | MATCH "PASS"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-manager/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-manager/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-manager/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-manager/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Ensure that the network-manager interface works
 
-description: |
+details: |
     The network-manager interface gives privileged access to configure and
     observe networking.
     The test uses a snap which plugs the network manager interface. Then it is
@@ -14,24 +14,22 @@
 # trying to deconfigure the wifi network which is already owned.
 systems: [ubuntu-core-16-64, ubuntu-core-16-32]
 
-execute: |
-    CONNECTED_PATTERN="^network-manager:service +network-manager:nmcli"
-    DISCONNECTED_PATTERN="^network-manager:service +-$"
-
+prepare: |
     echo "Give a network-manager snap is installed"
     snap install network-manager
 
+execute: |
     # using wait_for_service is not enough, systemd considers the service
     # active even when it is not (yet) listening to dbus
-    for i in $(seq 300); do
+    for _ in $(seq 300); do
         if network-manager.nmcli general; then
             break
         fi
         sleep 1
     done
 
-    echo "Then the plug is connected by default"
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    echo "The interface is connected by default"
+    snap interfaces -i network-manager | MATCH "network-manager:service .*network-manager:nmcli"
 
     echo "And allows to add a new connection"
     conn_name=nmtest
@@ -46,10 +44,9 @@
 
     echo "When the plug is disconnected"
     snap disconnect network-manager:nmcli
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the consumer is not able to access the provided methods"
-    if network-manager.nmcli general 2>${PWD}/call.error; then
+    if network-manager.nmcli general 2>"${PWD}"/call.error; then
         echo "Expected permission error calling nmcli method with disconnected plug"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -18,51 +18,44 @@
     SERVICE_NAME: "test-service"
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
 
     echo "Given a snap declaring a plug on the network-observe interface is installed"
-    snap pack $TESTSLIB/snaps/network-observe-consumer
-    snap install --dangerous network-observe-consumer_1.0_all.snap
+    install_local network-observe-consumer
 
     echo "And a network service is up"
-    printf "#!/bin/sh -e\nwhile true; do echo \"HTTP/1.1 200 OK\n\nok\n\" |  nc -l -p $PORT; done" > $SERVICE_FILE
-    chmod a+x $SERVICE_FILE
-    systemd_create_and_start_unit $SERVICE_NAME "$(readlink -f $SERVICE_FILE)"
-
-    while ! netstat -lnt | grep -Pq "tcp.*?:$PORT +.*?LISTEN\n*"; do sleep 0.5; done
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    make_network_service "$SERVICE_NAME" "$SERVICE_FILE" "$PORT"
 
 restore: |
+    #shellcheck source=tests/lib/systemd.sh
     . "$TESTSLIB/systemd.sh"
 
-    systemd_stop_and_destroy_unit $SERVICE_NAME
-    rm -f network-observe-consumer_1.0_all.snap net-query.output $SERVICE_FILE
+    #shellcheck disable=SC2153
+    systemd_stop_and_destroy_unit "$SERVICE_NAME"
+    rm -f net-query.output "$SERVICE_FILE"
 
 execute: |
-    CONNECTED_PATTERN=":network-observe +network-observe-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +network-observe-consumer:network-observe"
-
-    echo "Then the plug disconnected by default"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "===================================="
+    echo "The interface is disconnected by default"
+    snap interfaces -i network-observe | MATCH -- '^- +network-observe-consumer:network-observe'
 
     echo "When the plug is connected"
     snap connect network-observe-consumer:network-observe
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap command can query network status information"
-    network-observe-consumer | grep -P "0.0.0.0:$PORT.*?LISTEN"
+    network-observe-consumer | MATCH "LISTEN.*:$PORT"
 
     if [ "$(snap debug confinement)" = strict ] ; then
-        echo "===================================="
-
         echo "When the plug is disconnected"
         snap disconnect network-observe-consumer:network-observe
-        snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
         echo "Then the snap command can not query network status information"
         if network-observe-consumer 2>net-query.output; then
             echo "Expected error caling command with disconnected plug"
         fi
-        cat net-query.output | grep -Pq "Permission denied"
+        grep -Pq "Permission denied" < net-query.output
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-setup-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-setup-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-setup-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-setup-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,40 +1,33 @@
-summary: Ensure that the desktop interface works.
+summary: Ensure that the network-setup-control interface works.
 
 details: |
     The network setup control interface allows to access the different netplan
     configuration files.
 
-    The test uses the test-snapd-check-fs-access snap to checks files and dirs
-    are accessible through the interface.
-
 systems: [-ubuntu-core-*]
 
 prepare: |
-    echo "Given the test-snapd-check-fs-access snap is installed"
-    cp $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml.orig
-    sed 's/\[\]/\[network-setup-control\]/g' -i $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml
-    snap try $TESTSLIB/snaps/test-snapd-check-fs-access
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
 
 restore: |
-    cp $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml.orig $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml
+    rm -f call.error
+    rm -f /etc/network/test001 /etc/network/test002
 
 execute: |
-    CONNECTED_PATTERN=":network-setup-control +test-snapd-check-fs-access"
-    DISCONNECTED_PATTERN="\- +test-snapd-check-fs-access:network-setup-control"
-
     dirs="/etc/netplan /etc/network"
 
-    echo "The plug is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    echo "The interface is disconnected by default"
+    snap interfaces -i network-setup-control | MATCH -- '^- +test-snapd-sh:network-setup-control'
 
     echo "When the interface is connected"
-    snap connect test-snapd-check-fs-access:network-setup-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap connect test-snapd-sh:network-setup-control
 
     echo "Then the snap is able to write in the network and netplan directories"
     for dir in $dirs; do
-        if [ -d $dir ]; then
-            test-snapd-check-fs-access.write-dir $dir
+        if [ -d "$dir" ]; then
+            test-snapd-sh.with-network-setup-control-plug -c "touch $dir/test001"
         fi
     done
 
@@ -43,12 +36,12 @@
     fi
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-check-fs-access:network-setup-control
+    snap disconnect test-snapd-sh:network-setup-control
 
     echo "Then the snap is not able to access the networking configuration dirs"
     for dir in $dirs; do
-        if [ -d $dir ]; then
-            if test-snapd-check-fs-access.write-dir $dir 2>${PWD}/call.error; then
+        if [ -d "$dir" ]; then
+            if test-snapd-sh.with-network-setup-control-plug -c "touch $dir/test002" 2>call.error; then
                 echo "Expected permission error calling desktop with disconnected plug"
                 exit 1
             fi
@@ -57,4 +50,4 @@
     done
 
     echo "Then the interface can be connected again"
-    snap connect test-snapd-check-fs-access:network-setup-control
+    snap connect test-snapd-sh:network-setup-control
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-setup-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-setup-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-setup-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-setup-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,38 +1,30 @@
-summary: Ensure that the desktop interface works.
+summary: Ensure that the network-setup-observe interface works.
 
 details: |
     The network setup observe interface allows to access the different netplan
     configuration files.
 
-    The test uses the test-snapd-check-fs-access snap to checks files and dirs
-    are accessible through the interface.
-
 prepare: |
-    echo "Given the test-snapd-check-fs-access snap is installed"
-    cp $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml.orig
-    sed 's/\[\]/\[network-setup-observe\]/g' -i $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml
-    snap try $TESTSLIB/snaps/test-snapd-check-fs-access
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
 
 restore: |
-    cp $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml.orig $TESTSLIB/snaps/test-snapd-check-fs-access/meta/snap.yaml
+    rm -f call.error
 
 execute: |
-    CONNECTED_PATTERN=":network-setup-observe +test-snapd-check-fs-access"
-    DISCONNECTED_PATTERN="\- +test-snapd-check-fs-access:network-setup-observe"
-
     dirs="/etc/netplan /etc/network"
 
-    echo "The plug is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    echo "The interface is disconnected by default"
+    snap interfaces -i network-setup-observe| MATCH -- '^- +test-snapd-sh:network-setup-observe'
 
     echo "When the interface is connected"
-    snap connect test-snapd-check-fs-access:network-setup-observe
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap connect test-snapd-sh:network-setup-observe
 
     echo "Then the snap is able to read the network and netplan directories"
     for dir in $dirs; do
-        if [ -d $dir ]; then
-            test-snapd-check-fs-access.read-dir $dir
+        if [ -d "$dir" ]; then
+            test-snapd-sh.with-network-setup-observe-plug -c "ls $dir"
         fi
     done
 
@@ -41,13 +33,13 @@
     fi
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-check-fs-access:network-setup-observe
+    snap disconnect test-snapd-sh:network-setup-observe
 
     echo "Then the snap is not able to read the network and netplan directories"
     for dir in $dirs; do
-        if [ -d $dir ]; then
-            if test-snapd-check-fs-access.read-dir $dir 2>${PWD}/call.error; then
-                echo "Expected permission error calling desktop with disconnected plug"
+        if [ -d "$dir" ]; then
+            if test-snapd-sh.with-network-setup-observe-plug -c "ls $dir" 2>call.error; then
+                echo "Expected permission error reading network directory with disconnected plug"
                 exit 1
             fi
             MATCH "Permission denied" < call.error
@@ -55,4 +47,4 @@
     done
 
     echo "Then the interface can be connected again"
-    snap connect test-snapd-check-fs-access:network-setup-observe
+    snap connect test-snapd-sh:network-setup-observe
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-network-status/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-network-status/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-network-status/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-network-status/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -9,10 +9,12 @@
     The snap is also declaring a plug on this interface must be able to ask for its status.
 
 # dbus-launch not supported in ubuntu-core
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 prepare: |
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     echo "Given a snap declaring a plug on the network-status interface is installed"
@@ -24,18 +26,16 @@
 restore: |
     rm -f getstate.error
 
+    #shellcheck source=tests/lib/dbus.sh
     . "$TESTSLIB/dbus.sh"
     stop_dbus_unit
 
 execute: |
-    CONNECTED_PATTERN="^test-snapd-network-status-provider:network-status-test +test-snapd-network-status-provider:network-status"
-    DISCONNECTED_PATTERN="^- +test-snapd-network-status-provider:network-status$"
-
     echo "The interface is connected by default"
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap interfaces -i network-status | MATCH "test-snapd-network-status-provider:network-status-test .*test-snapd-network-status-provider:network-status"
 
     echo "Then wait until the dbus name is properly reserved"
-    for i in $(seq 10); do
+    for _ in $(seq 10); do
         if ! test-snapd-network-status-provider.consumer GetVersion | MATCH "my-ap-version"; then
             sleep 1
         else
@@ -53,10 +53,9 @@
 
     echo "When the plug is disconnected"
     snap disconnect test-snapd-network-status-provider:network-status test-snapd-network-status-provider:network-status-test
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "And the snap state cannot be accessed"
-    if test-snapd-network-status-provider.consumer GetState 2>${PWD}/getstate.error; then
+    if test-snapd-network-status-provider.consumer GetState 2>"${PWD}"/getstate.error; then
         echo "Expected permission error trying to introspect state with disconnected plug"
         exit 1
     fi
@@ -64,4 +63,3 @@
 
     echo "When the plug is re-connected the interfaces show the connection"
     snap connect test-snapd-network-status-provider:network-status test-snapd-network-status-provider:network-status-test
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-opengl-nvidia/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-opengl-nvidia/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-opengl-nvidia/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-opengl-nvidia/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -14,25 +14,84 @@
     mkdir -p /usr/share/vulkan/icd.d
     echo "canary-vulkan" > /usr/share/vulkan/icd.d/nvidia_icd.json
 
+    if [[ "$SPREAD_SYSTEM" == ubuntu-18.04-* ]]; then
+        # mock GLVND EGL vendor file
+        echo "Test GLVND EGL vendor files access"
+        mkdir -p /usr/share/glvnd/egl_vendor.d
+        echo "canary-egl" > /usr/share/glvnd/egl_vendor.d/10_nvidia.json
+    fi
+
     # mock nvidia libraries
     if [[ "$SPREAD_SYSTEM" == ubuntu-18.04-* ]]; then
-        mkdir -p /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/tls
-        echo "canary-triplet" >> /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libGLX.so.0.0.1
-        echo "canary-triplet" >> /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libGLX_nvidia.so.0.0.1
-        echo "canary-triplet" >> /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libnvidia-glcore.so.123.456
-        echo "canary-triplet" >> /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/tls/libnvidia-tls.so.123.456
-        echo "canary-triplet" >> /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libnvidia-tls.so.123.456
+        mkdir -p /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/tls
+        mkdir -p /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/vdpau
+        echo "canary-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libGLX.so.0.0.1
+        echo "canary-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libGLX_nvidia.so.0.0.1
+        echo "canary-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libnvidia-glcore.so.123.456
+        echo "canary-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/tls/libnvidia-tls.so.123.456
+        echo "canary-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libnvidia-tls.so.123.456
+        echo "canary-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/vdpau/libvdpau_nvidia.so.123.456
+        if [[ "$(uname -m)" == x86_64 ]]; then
+            mkdir -p /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/tls
+            mkdir -p /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/vdpau
+            echo "canary-32-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libGLX.so.0.0.1
+            echo "canary-32-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libGLX_nvidia.so.0.0.1
+            echo "canary-32-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libnvidia-glcore.so.123.456
+            echo "canary-32-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/tls/libnvidia-tls.so.123.456
+            echo "canary-32-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libnvidia-tls.so.123.456
+            echo "canary-32-triplet" >> /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/vdpau/libvdpau_nvidia.so.123.456
+        fi
     fi
     mkdir -p /usr/lib/nvidia-123/tls
+    mkdir -p /usr/lib/nvidia-123/vdpau
     echo "canary-legacy" >> /usr/lib/nvidia-123/libGLX.so.0.0.1
     echo "canary-legacy" >> /usr/lib/nvidia-123/libGLX_nvidia.so.0.0.1
     echo "canary-legacy" >> /usr/lib/nvidia-123/libnvidia-glcore.so.123.456
     echo "canary-legacy" >> /usr/lib/nvidia-123/tls/libnvidia-tls.so.123.456
     echo "canary-legacy" >> /usr/lib/nvidia-123/libnvidia-tls.so.123.456
+    echo "canary-legacy" >> /usr/lib/nvidia-123/vdpau/libvdpau_nvidia.so.123.456
+    if [[ "$(uname -m)" == x86_64 ]]; then
+        mkdir -p /usr/lib32/nvidia-123/tls
+        mkdir -p /usr/lib32/nvidia-123/vdpau
+        echo "canary-32-legacy" >> /usr/lib32/nvidia-123/libGLX.so.0.0.1
+        echo "canary-32-legacy" >> /usr/lib32/nvidia-123/libGLX_nvidia.so.0.0.1
+        echo "canary-32-legacy" >> /usr/lib32/nvidia-123/libnvidia-glcore.so.123.456
+        echo "canary-32-legacy" >> /usr/lib32/nvidia-123/tls/libnvidia-tls.so.123.456
+        echo "canary-32-legacy" >> /usr/lib32/nvidia-123/libnvidia-tls.so.123.456
+        echo "canary-32-legacy" >> /usr/lib32/nvidia-123/vdpau/libvdpau_nvidia.so.123.456
+    fi
+
+restore: |
+    umount -t tmpfs /sys/module
+    rm -rf /usr/share/vulkan
+    if [[ "$SPREAD_SYSTEM" == ubuntu-18.04-* ]]; then
+        rm -rf /usr/share/glvnd/egl_vendor.d/10_nvidia.json
+    fi
+
+    if [[ "$SPREAD_SYSTEM" == ubuntu-18.04-* ]]; then
+        rm -rf /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/tls
+        rm -rf /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/vdpau
+        rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libGLX.so.0.0.1
+        rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libGLX_nvidia.so.0.0.1
+        rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libnvidia-glcore.so.123.456
+        rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH)"/libnvidia-tls.so.123.456
+        if [[ "$(uname -m)" == x86_64 ]]; then
+            rm -rf /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/tls
+            rm -rf /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/vdpau
+            rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libGLX.so.0.0.1
+            rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libGLX_nvidia.so.0.0.1
+            rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libnvidia-glcore.so.123.456
+            rm -f /usr/lib/"$(dpkg-architecture -qDEB_HOST_MULTIARCH -ai386)"/libnvidia-tls.so.123.456
+        fi
+    fi
+    rm -rf /usr/lib/nvidia-123
+    rm -rf /usr/lib32/nvidia-123
 
 execute: |
-    . $TESTSLIB/dirs.sh
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     install_local test-snapd-policy-app-consumer
 
@@ -44,24 +103,25 @@
     if [[ "$SPREAD_SYSTEM" == ubuntu-18.04-* ]]; then
         expected="canary-triplet"
     fi
-    files="libGLX.so.0.0.1 libGLX_nvidia.so.0.0.1 libnvidia-glcore.so.123.456 tls/libnvidia-tls.so.123.456 libnvidia-tls.so.123.456"
+    files="libGLX.so.0.0.1 libGLX_nvidia.so.0.0.1 libnvidia-glcore.so.123.456 tls/libnvidia-tls.so.123.456 libnvidia-tls.so.123.456 vdpau/libvdpau_nvidia.so.123.456"
     for f in $files; do
        snap run test-snapd-policy-app-consumer.opengl -c "cat /var/lib/snapd/lib/gl/$f" | MATCH "$expected"
     done
 
+    if [[ "$(uname -m)" == x86_64 ]]; then
+        expected32="canary-32-legacy"
+        if [[ "$SPREAD_SYSTEM" == ubuntu-18.04-* ]]; then
+            expected32="canary-32-triplet"
+        fi
+        for f in $files; do
+            snap run test-snapd-policy-app-consumer.opengl -c "cat /var/lib/snapd/lib/gl32/$f" | MATCH "$expected32"
+        done
+    fi
+
     echo "And vulkan ICD file"
     snap run test-snapd-policy-app-consumer.opengl -c "cat /var/lib/snapd/lib/vulkan/icd.d/nvidia_icd.json" | MATCH canary-vulkan
 
-restore: |
-    umount -t tmpfs /sys/module
-    rm -rf /usr/share/vulkan
-
     if [[ "$SPREAD_SYSTEM" == ubuntu-18.04-* ]]; then
-        rm -rf /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/tls
-        rm -f /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libGLX.so.0.0.1
-        rm -f /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libGLX_nvidia.so.0.0.1
-        rm -f /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libnvidia-glcore.so.123.456
-        rm -f /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/tls/libnvidia-tls.so.123.456
-        rm -f /usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libnvidia-tls.so.123.456
+        echo "And GLVND EGL vendor file"
+        snap run test-snapd-policy-app-consumer.opengl -c "cat /var/lib/snapd/lib/glvnd/egl_vendor.d/10_nvidia.json" | MATCH canary-egl
     fi
-    rm -rf /usr/lib/nvidia-123
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-openvswitch/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-openvswitch/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-openvswitch/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-openvswitch/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,9 @@
 summary: Ensure that the openvswitch interface works.
 
+# amazon: no openvswitch package
 systems:
     - -ubuntu-core-*
+    - -amazon-*
 
 details: |
     The openvswitch interface allows to task to the openvswitch socket (rw mode).
@@ -18,6 +20,7 @@
 manual: true
 
 prepare: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
 
     echo "Given openvswitch is installed"
@@ -34,6 +37,7 @@
     ip tuntap add tap1 mode tap
 
 restore: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
 
     ovs-vsctl del-port br0 tap1 || true
@@ -42,22 +46,16 @@
     distro_purge_package openvswitch-switch
     distro_auto_remove_packages
 
-    rm -f *.error
+    rm -f ./*.error
 
     ip link delete tap1 || true
 
 execute: |
-    CONNECTED_PATTERN=":openvswitch +test-snapd-openvswitch-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-openvswitch-consumer:openvswitch"
-
-    echo "The plug is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
+    echo "The interface is disconnected by default"
+    snap interfaces -i openvswitch | MATCH -- '^- +test-snapd-openvswitch-consumer:openvswitch'
 
     echo "When the plug is connected"
     snap connect test-snapd-openvswitch-consumer:openvswitch
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to create a bridge"
     test-snapd-openvswitch-consumer.ovs-vsctl add-br br0
@@ -79,40 +77,37 @@
         exit 0
     fi
 
-    echo "==================================="
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-openvswitch-consumer:openvswitch
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to create a bridge"
-    if test-snapd-openvswitch-consumer.ovs-vsctl add-br br0 2>${PWD}/bridge-creation.error; then
+    if test-snapd-openvswitch-consumer.ovs-vsctl add-br br0 2>"${PWD}"/bridge-creation.error; then
         echo "Expected permission error accessing openvswitch socket with disconnected plug"
         exit 1
     fi
-    cat bridge-creation.error | MATCH "database connection failed \(Permission denied\)"
+    MATCH 'database connection failed \(Permission denied\)' < bridge-creation.error
 
     ovs-vsctl add-br br0
 
     echo "And the snap is not able to create a port"
-    if test-snapd-openvswitch-consumer.ovs-vsctl add-port br0 tap1 2>${PWD}/port-creation.error; then
+    if test-snapd-openvswitch-consumer.ovs-vsctl add-port br0 tap1 2>"${PWD}"/port-creation.error; then
         echo "Expected permission error accessing openvswitch socket with disconnected plug"
         exit 1
     fi
-    cat port-creation.error | MATCH "database connection failed \(Permission denied\)"
+    MATCH 'database connection failed \(Permission denied\)' < port-creation.error
 
     ovs-vsctl add-port br0 tap1
 
     echo "And the snap is not able to delete a port"
-    if test-snapd-openvswitch-consumer.ovs-vsctl del-port br0 tap1 2>${PWD}/port-deletion.error; then
+    if test-snapd-openvswitch-consumer.ovs-vsctl del-port br0 tap1 2>"${PWD}"/port-deletion.error; then
         echo "Expected permission error accessing openvswitch socket with disconnected plug"
         exit 1
     fi
-    cat port-deletion.error | MATCH "database connection failed \(Permission denied\)"
+    MATCH 'database connection failed \(Permission denied\)' < port-deletion.error
 
     echo "And the snap is not able to delete a bridge"
-    if test-snapd-openvswitch-consumer.ovs-vsctl del-br br0 2>${PWD}/br-creation.error; then
+    if test-snapd-openvswitch-consumer.ovs-vsctl del-br br0 2>"${PWD}"/br-creation.error; then
         echo "Expected permission error accessing openvswitch socket with disconnected plug"
         exit 1
     fi
-    cat br-creation.error | MATCH "database connection failed \(Permission denied\)"
+    MATCH 'database connection failed \(Permission denied\)' < br-creation.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-openvswitch-support/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-openvswitch-support/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-openvswitch-support/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-openvswitch-support/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,13 +3,10 @@
 details: |
     The openvswitch-support interface allows to access to /run/uuidd/request
 
-# ubuntu-core, ubuntu-14 and fedora are skipped due to /run/uuidd/request file does not
+# ubuntu-core, ubuntu-14, fedora, amazon are skipped as /run/uuidd/request file does not
 # exist. On those systems different files are being used instead.
-systems: [-ubuntu-14.04-*,-ubuntu-core-16-*,-fedora-*]
-
-environment:
-    CONNECTED_PATTERN: ':openvswitch-support +test-snapd-openvswitch-support'
-    DISCONNECTED_PATTERN: '\- +test-snapd-openvswitch-support:openvswitch-support'
+# arch, opensuse: uses /run/run/uuidd/request, filed a bug report https://bugs.archlinux.org/task/58122
+systems: [-ubuntu-14.04-*,-ubuntu-core-*,-fedora-*, -arch-*, -amazon-*, -opensuse-*, -centos-*]
 
 prepare: |
     snap install test-snapd-openvswitch-support
@@ -19,11 +16,11 @@
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    #shellcheck disable=SC1117
+    snap interfaces -i openvswitch-support | MATCH -- '^- +test-snapd-openvswitch-support:openvswitch-support'
 
     echo "When the interface is connected"
     snap connect test-snapd-openvswitch-support:openvswitch-support
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     # This is to start the uuidd daemon in case it not active. By default in opensuse the
     # daemon is not automatically started as it happens in the other systems.
@@ -40,10 +37,9 @@
 
     echo "When the plug is disconnected"
     snap disconnect test-snapd-openvswitch-support:openvswitch-support
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to get a random uuid"
-    if test-snapd-openvswitch-support.random-uuid 2>${PWD}/call.error; then
+    if test-snapd-openvswitch-support.random-uuid 2>"${PWD}"/call.error; then
         echo "Expected permission error getting random uuid"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-password-manager-service/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-password-manager-service/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-password-manager-service/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-password-manager-service/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,35 +4,31 @@
 systems: [ ubuntu-1* ]
 
 prepare: |
-    . $TESTSLIB/pkgdb.sh
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
     echo "Ensure we have a working gnome-keyring"
     snap install --edge test-snapd-password-manager-consumer
 
 restore: |
-    . $TESTSLIB/pkgdb.sh
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
     if [ -f dbus-launch.pid ]; then
-        kill $(cat dbus-launch.pid)
+        kill "$(cat dbus-launch.pid)"
     fi
     rm -f  dbus-launch.pid
 
 execute: |
-    CONNECTED_PATTERN=":password-manager-service +test-snapd-password-manager-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-password-manager-consumer:password-manager-service"
-
     echo "Ensure things run"
-    eval $(dbus-launch --sh-syntax)
-    eval $(printf password|gnome-keyring-daemon --login)
-    eval $(gnome-keyring-daemon --start)
+    eval "$(dbus-launch --sh-syntax)"
+    eval "$(printf password|gnome-keyring-daemon --login)"
+    eval "$(gnome-keyring-daemon --start)"
     echo "$DBUS_SESSION_BUS_PID" > dbus-launch.pid
 
-    echo "Then it is not shown as connected"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "===================================="
+    echo "The interface is disconnected by default"
+    snap interfaces -i password-manager-service | MATCH -- '- +test-snapd-password-manager-consumer:password-manager-service'
 
     echo "When the plug is connected"
     snap connect test-snapd-password-manager-consumer:password-manager-service
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap command is able use the libsecret service"
     test-snapd-password-manager-consumer.secret-tool clear foo bar
@@ -41,11 +37,8 @@
         exit 0
     fi
 
-    echo "===================================="
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-password-manager-consumer:password-manager-service
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap command is not able to use the secret-tool"
     if test-snapd-password-manager-consumer.secret-tool clear foo bar; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-personal-files/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-personal-files/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-personal-files/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-personal-files/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,98 @@
+summary: Ensure that the personal-files interface works.
+
+details: |
+    The personal-files interface allows access specific personal files or directories.
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Fist layer of dirs and files
+    ensure_file_exists_backup_real /root/.testfile1
+    ensure_file_exists_backup_real /root/testfile1
+    ensure_dir_exists_backup_real /root/.testdir1
+    ensure_dir_exists_backup_real /root/testdir1
+
+    # Second layer of dirs and files
+    ensure_file_exists_backup_real /root/.testdir1/.testfilé2
+    ensure_file_exists_backup_real "/root/.testdir1/test file2"
+    ensure_dir_exists_backup_real /root/.testdir1/.testdir2
+
+    # Not accessible dirs and files
+    ensure_dir_exists_backup_real /var/tmp/.testdir1
+    ensure_file_exists_backup_real /var/tmp/.testfile1
+    ensure_dir_exists_backup_real /var/tmp/root/
+    ensure_file_exists_backup_real /var/tmp/root/testfile2
+    ensure_file_exists_backup_real /var/tmp/root/.testfile2
+
+restore: |
+    rm -f call.error
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    clean_file /root/.testfile1
+    clean_file /root/testfile1
+    clean_dir /root/.testdir1
+    clean_dir /root/testdir1
+    clean_dir /var/tmp/root
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i personal-files | MATCH "\\- +test-snapd-sh:personal-files"
+
+    echo "When the interface is connected"
+    snap connect test-snapd-sh:personal-files
+
+    echo "And not other interfaces are connected"
+    snap disconnect test-snapd-sh:home
+
+    echo "Then the snap is able to access all the files and dirs in $HOME"
+    test-snapd-sh.with-personal-files-plug -c "cat /root/.testfile1" | MATCH "content for /root/.testfile1"
+    test-snapd-sh.with-personal-files-plug -c "cat /root/testfile1" | MATCH "content for /root/testfile1"
+    test-snapd-sh.with-personal-files-plug -c "ls /root/.testdir1"
+    test-snapd-sh.with-personal-files-plug -c "ls /root/testdir1"
+    test-snapd-sh.with-personal-files-plug -c "cat /root/.testdir1/.testfilé2" | MATCH "content for /root/.testdir1/.testfilé2"
+    test-snapd-sh.with-personal-files-plug -c "cat '/root/.testdir1/test file2'" | MATCH "content for /root/.testdir1/test file2"
+    test-snapd-sh.with-personal-files-plug -c "ls  /root/.testdir1/.testdir2/"
+
+    echo "Then the snap is able to write on /root/.testdir1 and /root/.testfile1"
+    test-snapd-sh.with-personal-files-plug -c "echo test >> /root/.testfile1"
+    test-snapd-sh.with-personal-files-plug -c "touch /root/.testdir1/testfilé2"
+
+    if [ "$(snap debug confinement)" = partial ] ; then
+        exit 0
+    fi
+
+    echo "Then the snap is no able to write outside /root/.testdir1 and /root/.testfile1"
+    if test-snapd-sh.with-personal-files-plug -c "echo test >> /root/testfile1" 2> call.error; then
+        echo "Expected permission error writing the personal file"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
+
+    echo "Then the snap is not able to to access files and dirs outside $HOME"
+    test-snapd-sh.with-personal-files-plug -c "ls /var/tmp/.testdir1" 2>&1| MATCH "Permission denied"
+    test-snapd-sh.with-personal-files-plug -c "cat /var/tmp/.testfile1" 2>&1| MATCH "Permission denied"
+    test-snapd-sh.with-personal-files-plug -c "ls /var/tmp/root/" 2>&1| MATCH "Permission denied"
+    test-snapd-sh.with-personal-files-plug -c "cat /var/tmp/root/testfile2" 2>&1| MATCH "Permission denied"
+    test-snapd-sh.with-personal-files-plug -c "cat /var/tmp/root/.testfile2" 2>&1| MATCH "Permission denied"
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:personal-files
+
+    echo "Then the snap is not able to read files and dirs in $HOME"
+    if test-snapd-sh.with-personal-files-plug -c "ls /root/.testdir1" 2> call.error; then
+        echo "Expected permission error accessing the personal dir"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
+    if test-snapd-sh.with-personal-files-plug -c "cat /root/.testfile1" 2> call.error; then
+        echo "Expected permission error accessing the personal file"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-physical-memory-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-physical-memory-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-physical-memory-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-physical-memory-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -11,24 +11,24 @@
 systems: [-ubuntu-*]
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
     echo "Given the physical-memory-observe snap is installed"
-    snap try $TESTSLIB/snaps/test-snapd-physical-memory-observe
+    install_local test-snapd-physical-memory-observe
 
 restore: |
     rm -f call.error
 
 execute: |
     config="/boot/config-$(uname -r)"
-    if ([ -f $config ] && MATCH "CONFIG_STRICT_DEVMEM=y" < $config) || ([ -f /proc/config.gz ] && zcat /proc/config.gz | MATCH "CONFIG_STRICT_DEVMEM=y"); then
+    if ([ -f "$config" ] && MATCH "CONFIG_STRICT_DEVMEM=y" < "$config") || ([ -f /proc/config.gz ] && zcat /proc/config.gz | MATCH "CONFIG_STRICT_DEVMEM=y"); then
         echo "Kernel option CONFIG_STRICT_DEVMEM=y, it is not possible to write in /dev/mem, exiting..."
         exit 0
     fi
 
-    CONNECTED_PATTERN=":physical-memory-observe +test-snapd-physical-memory-observe"
-    DISCONNECTED_PATTERN="\- +test-snapd-physical-memory-observe:physical-memory-observe"
-
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i physical-memory-observe | MATCH -- '- +test-snapd-physical-memory-observe:physical-memory-observe'
 
     echo "When the interface is connected"
     snap connect test-snapd-physical-memory-observe:physical-memory-observe
@@ -42,10 +42,9 @@
 
     echo "When the plug is disconnected"
     snap disconnect test-snapd-physical-memory-observe:physical-memory-observe
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap is not able to access the physical memory"
-    if test-snapd-physical-memory-observe.head 2>${PWD}/call.error; then
+    if test-snapd-physical-memory-observe.head 2>"${PWD}"/call.error; then
         echo "Expected permission error accessing to physical memory with disconnected plug"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-process-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-process-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-process-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-process-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -13,21 +13,18 @@
     extended later.
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
     echo "Given a snap declaring a plug on the process-control interface is installed"
-    snap pack $TESTSLIB/snaps/process-control-consumer
-    snap install --dangerous process-control-consumer_1.0_all.snap
+    install_local process-control-consumer
 
 restore: |
-    rm -f process-control-consumer_1.0_all.snap process-kill.error process-nice.error
+    rm -f process-kill.error process-nice.error
 
 execute: |
-    CONNECTED_PATTERN=":process-control +process-control-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +process-control-consumer:process-control"
-
-    echo "Then it is not connected by default"
-    snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
-
-    echo "==================================="
+    echo "The interface is disconnected by default"
+    snap interfaces -i process-control | MATCH -- '- +process-control-consumer:process-control'
 
     echo "When the plug is connected"
     snap connect process-control-consumer:process-control
@@ -35,27 +32,29 @@
     echo "Then the snap is able to kill an existing process"
     while :; do sleep 1; done &
     pid=$!
+    #shellcheck disable=SC2009
     ps ax | grep -Pq "^ *$pid"
     process-control-consumer.signal "SIGTERM" $pid
+    #shellcheck disable=SC2009
     ! ps ax | grep -Pq "^ *$pid"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
-    echo "==================================="
-
     echo "When the plug is disconnected"
     snap disconnect process-control-consumer:process-control
 
     echo "Then the snap is not able to kill an existing process"
     while :; do sleep 1; done &
     pid=$!
-    if process-control-consumer.signal SIGTERM $pid 2>${PWD}/process-kill.error; then
+    if process-control-consumer.signal SIGTERM $pid 2>"${PWD}"/process-kill.error; then
         echo "Expected permission error accessing killing a process with disconnected plug"
         exit 1
     fi
     grep -q "Permission denied" process-kill.error
+    #shellcheck disable=SC2009
     ps ax | grep -Pq "^ *$pid"
     kill -9 $pid
+    #shellcheck disable=SC2009
     ! ps ax | grep -Pq "^ *$pid"
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-raw-usb/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-raw-usb/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-raw-usb/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-raw-usb/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,24 +3,20 @@
 details: |
     The raw-usb interface allows detection and grants access to all connected USB devices.
 
-environment:
-    CONNECTED_PATTERN: ':raw-usb +test-snapd-raw-usb'
-    DISCONNECTED_PATTERN: '\- +test-snapd-raw-usb:raw-usb'
-
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
-    install_local test-snapd-raw-usb
+    install_local test-snapd-sh
 
 restore: |
     rm -f call.error
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i raw-usb | MATCH -- '^- +test-snapd-sh:raw-usb'
 
     echo "When the interface is connected"
-    snap connect test-snapd-raw-usb:raw-usb
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap connect test-snapd-sh:raw-usb
 
     if ! [ -d /sys/bus/usb/devices/usb1 ]; then
         echo "No usb devices registered"
@@ -28,16 +24,16 @@
     fi
 
     echo "Then the snap is able to check for USB devices"
-    test-snapd-raw-usb.sh -c "test -d /sys/bus/usb/devices/usb1"
+    test-snapd-sh.with-raw-usb-plug -c "test -d /sys/bus/usb/devices/usb1"
 
     echo "And the snap has raw access to a connected USB device"
-    test-snapd-raw-usb.sh -c "dd if=/dev/bus/usb/001/001 of=/dev/null count=10"
+    test-snapd-sh.with-raw-usb-plug -c "dd if=/dev/bus/usb/001/001 of=/dev/null count=10"
 
     echo "And the snap has read access to ACM USB modems and various USB devices"
     for exp in 'c166:*' 'c167:*' 'b180:*' 'c180:*' 'c188:*' 'c189:*' '+usb:*'; do
         file=$(find /run/udev/data/ -name "$exp" | head -1)
-        if ! [ -z "$file" ]; then 
-            test-snapd-raw-usb.sh -c "cat \"$file\""
+        if [ -n "$file" ]; then 
+            test-snapd-sh.with-raw-usb-plug -c "cat \"$file\""
         fi
     done
 
@@ -46,11 +42,10 @@
     fi
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-raw-usb:raw-usb
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap disconnect test-snapd-sh:raw-usb
 
     echo "Then the snap is not able to check for USB devices"
-    if test-snapd-raw-usb.sh -c "cat /sys/bus/usb/devices/usb1/serial" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-raw-usb-plug -c "cat /sys/bus/usb/devices/usb1/serial" 2>"${PWD}"/call.error; then
         echo "Expected permission error accessing to check for USB devices"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-removable-media/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-removable-media/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-removable-media/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-removable-media/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,88 @@
+summary: Ensure that the removable-media interface works.
+
+details: |
+    The removable-media interface allows to access to removable storage filesystems.
+
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
+
+    if ! [ -d /media ]; then
+        mkdir -p /media
+        touch /media/fake
+    fi
+    mkdir -p /media/testdir
+    touch /media/testdir/testfile
+
+    if ! [ -d /run/media ]; then
+        mkdir -p /run/media
+        touch /run/media/fake
+    fi
+    mkdir -p /run/media/testdir
+    touch /run/media/testdir/testfile
+
+    echo "Mount a filesystem in /tmp/testing and put some data there"
+    mkdir -p /mnt/testing/
+    mount -t tmpfs none /mnt/testing
+    echo canary > /mnt/testing/data
+
+restore: |
+    rm -f call.error
+
+    rm -rf /media/testdir
+    if [ -f /media/fake ]; then
+        #shellcheck disable=SC2114
+        rm -rf /media
+    fi
+
+    rm -rf /run/media/testdir
+    if [ -f /run/media/fake ]; then
+        rm -rf /run/media/
+    fi
+
+    umount /mnt/testing
+    rmdir /mnt/testing || true # in case the user had /mnt/testing
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i removable-media | MATCH -- '- +test-snapd-sh:removable-media'
+
+    echo "When the interface is connected"
+    snap connect test-snapd-sh:removable-media
+
+    echo "Then the snap is able to read inside /run"
+    test-snapd-sh.with-removable-media-plug -c "ls /run"
+
+    echo "And the snap is able to access to read/write removable storage filesystems"
+    test-snapd-sh.with-removable-media-plug -c "ls /media"
+    test-snapd-sh.with-removable-media-plug -c "ls /media/testdir"
+    test-snapd-sh.with-removable-media-plug -c "echo test >> /media/testdir/testfile"
+
+    test-snapd-sh.with-removable-media-plug -c "ls /run/media"
+    test-snapd-sh.with-removable-media-plug -c "ls /run/media/testdir"
+    test-snapd-sh.with-removable-media-plug -c "echo test >> /run/media/testdir/testfile"
+
+    echo "And the snap has read-write access to /mnt/testing/data"
+    test-snapd-sh.with-removable-media-plug -c 'cat /mnt/testing/data' | MATCH canary
+    test-snapd-sh.with-removable-media-plug -c 'echo modified > /mnt/testing/data'
+    MATCH modified < /mnt/testing/data
+
+    if [ "$(snap debug confinement)" = partial ]; then
+        exit 0
+    fi
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:removable-media
+
+    echo "Then the snap is not able to access read the test media file"
+    if test-snapd-sh.with-removable-media-plug -c "ls /run" 2>"${PWD}"/call.error; then
+        echo "Expected permission error accessing to removable storage filesystems"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
+
+    echo "Then /mnt/testing/data is no longer readable"
+    if test-snapd-sh.with-removable-media-plug -c 'cat /mnt/testing/data'; then
+        echo "/mnt/testing/data should no longer be readable" && exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-shutdown-introspection/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-shutdown-introspection/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-shutdown-introspection/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-shutdown-introspection/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,42 +1,33 @@
 summary: Ensures that introspection of login1 of the shutdown interface works.
 
-systems:
-    # No confinement (AppArmor, Seccomp) available on these systems
-    - -debian-*
-    # unity7 implicit classic slot needed (used to access dbus-send) not
-    # available on core
-    - -ubuntu-core-*
+#debian: no confinement (AppArmor, Seccomp) available on these systems
+#ubuntu-core: unity7 implicit classic slot needed (used to access dbus-send) not available on core
+systems: [-debian-*, -ubuntu-core-*]
 
 details: |
     A snap declaring the shutdown plug is defined, its command just calls
     the Introspect method on org.freedesktop.login1.
 
-execute: |
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
     echo "Given a snap declaring a plug on the shutdown interface is installed"
-    . $TESTSLIB/snaps.sh
     install_local shutdown-introspection-consumer
 
-    CONNECTED_PATTERN=":shutdown +shutdown-introspection-consumer"
-    DISCONNECTED_PATTERN="\- +shutdown-introspection-consumer:shutdown"
-
-    echo "Then the plug is shown as disconnected"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "==========================================="
+execute: |
+    echo "The interface is disconnected by default"
+    snap interfaces -i shutdown | MATCH -- '- +shutdown-introspection-consumer:shutdown'
 
     echo "When the plug is connected"
     snap connect shutdown-introspection-consumer:shutdown
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to get introspect org.freedesktop.login1"
     expected="<interface name=\"org.freedesktop.login1.Manager\">"
     su -l -c "shutdown-introspection-consumer" test | MATCH "$expected"
 
-    echo "==========================================="
-
     echo "When the plug is disconnected"
     snap disconnect shutdown-introspection-consumer:shutdown
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     if [ "$(snap debug confinement)" = partial ]; then
         exit
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-snapd-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-snapd-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-snapd-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-snapd-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -22,18 +22,12 @@
     rm -f snapd.error
 
 execute: |
-    CONNECTED_PATTERN=":snapd-control +test-snapd-control-consumer"
-    DISCONNECTED_PATTERN="(?s).*?\n- +test-snapd-control-consumer:snapd-control"
-
-    echo "Then it is connected by default"
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
+    echo "The interface is connected by default"
+    snap interfaces -i snapd-control | MATCH ":snapd-control .*test-snapd-control-consumer"
 
     if [ "$(snap debug confinement)" = strict ] ; then
-        echo "================================================"
-
         echo "When the plug is disconnected"
         snap disconnect test-snapd-control-consumer:snapd-control
-        snap interfaces | grep -Pzq "$DISCONNECTED_PATTERN"
 
         echo "Then the snap command is not able to control snapd"
         if test-snapd-control-consumer.list 2>snapd.error; then
@@ -43,11 +37,8 @@
         grep -q "Permission denied" snapd.error
     fi
 
-    echo "================================================"
-
     echo "When the plug is connected"
     snap connect test-snapd-control-consumer:snapd-control
-    snap interfaces | grep -Pzq "$CONNECTED_PATTERN"
 
     echo "Then the snap command is able to control snapd"
     ! test-snapd-control-consumer.list | grep -q test-snapd-tools
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-snapd-control-with-manage/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-snapd-control-with-manage/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-snapd-control-with-manage/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-snapd-control-with-manage/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,12 @@
 summary: Ensure that the snapd-control "refresh-schedule" attribute works.
 
+# FIXME: core18 right now does not have a canonical model. This means that it
+# will not get a serial. We have code in devicestate.go that will only try to
+# auto-refresh after the system has tried at least 3 times to get a serial.
+# But this means this test will timeout because the first retry for the serial
+# happens after 5min, then 10min, then 20min.
+systems: [-ubuntu-core-18-*]
+
 environment:
   BLOB_DIR: $(pwd)/fake-store-blobdir
 
@@ -10,7 +17,7 @@
     fi
 
     echo "Ensure jq is installed"
-    if ! which jq; then
+    if ! command -v jq; then
         snap install --devmode jq
     fi
 
@@ -18,12 +25,14 @@
 
     snap ack "$TESTSLIB/assertions/testrootorg-store.account-key"
 
-    . $TESTSLIB/store.sh
-    setup_fake_store $BLOB_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    setup_fake_store "$BLOB_DIR"
 
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     snap_path=$(make_snap test-snapd-control-consumer)
-    make_snap_installable $BLOB_DIR ${snap_path}
+    make_snap_installable "$BLOB_DIR" "${snap_path}"
     cat > snap-decl.json <<'EOF'
     {
       "format": "1",
@@ -40,27 +49,33 @@
     }
     EOF
     fakestore new-snap-declaration --dir "${BLOB_DIR}" --snap-decl-json snap-decl.json
-    snap ack ${BLOB_DIR}/asserts/*.snap-declaration
+    snap ack "${BLOB_DIR}"/asserts/*.snap-declaration
 
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/store.sh
-    teardown_fake_store $BLOB_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    teardown_fake_store "$BLOB_DIR"
 
 debug: |
     jq .data.auth.device /var/lib/snapd/state.json
 
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
 
     snap install test-snapd-control-consumer
-    snap interfaces
+
+    echo "The interface is connected by default"
+    snap interfaces -i snapd-control | MATCH ":snapd-control .*test-snapd-control-consumer:snapd-control-with-manage"
 
     echo "When the snapd-control-with-manage plug is connected"
     snap connect test-snapd-control-consumer:snapd-control-with-manage
@@ -70,12 +85,22 @@
 
     echo "Then the core refresh.schedule can be set to 'managed'"
     snap set core refresh.schedule=managed
-    if journalctl -u snapd |grep 'cannot parse "managed"'; then
-        echo "refresh.schedule=managed was not rejected as it should be"
+    if get_journalctl_log -u snapd |grep 'cannot parse "managed"'; then
+        echo "refresh.schedule=managed was not accepted as it should be"
         exit 1
     fi
     snap refresh --time | MATCH 'schedule: managed'
 
+    echo "Reset refresh.schedule"
+    snap set core refresh.schedule=
+    if snap refresh --time | grep -q -E 'schedule: managed'; then
+        echo "Refresh schedule not reset, test broken"
+        exit 1
+    fi
+    echo "Then the core refresh.timer can be set to 'managed'"
+    snap set core refresh.timer=managed
+    snap refresh --time | MATCH 'timer: managed'
+
     # make sure we trigger a refresh for hints at least once
     systemctl stop snapd.socket snapd.service
     jq ".data[\"last-refresh\"] = \"2007-08-22T09:30:44.449455783+01:00\"" /var/lib/snapd/state.json > /var/lib/snapd/state.json.new
@@ -83,13 +108,13 @@
     systemctl start snapd.socket snapd.service
 
     echo "Ensure that last-refresh-hit happens"
-    for i in $(seq 120); do
-        if jq '.data["last-refresh-hints"]' /var/lib/snapd/state.json | grep $(date +%Y); then
+    for _ in $(seq 120); do
+        if jq '.data["last-refresh-hints"]' /var/lib/snapd/state.json | grep "$(date +%Y)"; then
             break
         fi
         sleep 1
     done
-    jq '.data["last-refresh-hints"]' /var/lib/snapd/state.json | grep $(date +%Y)
+    jq '.data["last-refresh-hints"]' /var/lib/snapd/state.json | grep "$(date +%Y)"
 
     # prevent refreshes again
     systemctl stop snapd.socket snapd.service
@@ -105,3 +130,8 @@
        echo "refresh.schedule=managed was not rejected as it should be"
        exit 1
     fi
+    echo "Then the snap refresh timer cannot be set to managed"
+    if snap set core refresh.timer=managed; then
+       echo "refresh.timer=managed was not rejected as it should be"
+       exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-ssh-keys/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-ssh-keys/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-ssh-keys/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-ssh-keys/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -7,12 +7,11 @@
 environment:
     KEYSDIR: "/$HOME/.ssh"
     TESTKEY: "$HOME/.ssh/testkey"
-    CONNECTED_PATTERN: ':ssh-keys +test-snapd-ssh-keys'
-    DISCONNECTED_PATTERN: '\- +test-snapd-ssh-keys:ssh-keys'
 
 prepare: |
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-ssh-keys
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-sh
 
     if [ -d "$KEYSDIR" ]; then
         cp -rf "$KEYSDIR" "$KEYSDIR".old
@@ -31,30 +30,28 @@
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i ssh-keys | MATCH -- '^- +test-snapd-sh:ssh-keys'
 
     echo "When the interface is connected"
-    snap connect test-snapd-ssh-keys:ssh-keys
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap connect test-snapd-sh:ssh-keys
 
     echo "Then the snap is able to check the ssh version"
-    test-snapd-ssh-keys.sh -c "ssh -V"
+    test-snapd-sh.with-ssh-keys-plug -c "ssh -V"
 
     echo "And the snap is able to read public/private keys and ssh configuration files as well"
-    test-snapd-ssh-keys.sh -c "cat $TESTKEY"
-    test-snapd-ssh-keys.sh -c "cat $TESTKEY.pub"
-    test-snapd-ssh-keys.sh -c "cat /etc/ssh/ssh_config"
+    test-snapd-sh.with-ssh-keys-plug -c "cat $TESTKEY"
+    test-snapd-sh.with-ssh-keys-plug -c "cat $TESTKEY.pub"
+    test-snapd-sh.with-ssh-keys-plug -c "cat /etc/ssh/ssh_config"
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
     fi
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-ssh-keys:ssh-keys
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap disconnect test-snapd-sh:ssh-keys
 
     echo "Then the snap is not able to read a ssh private key"
-    if test-snapd-ssh-keys.sh -c "cat $TESTKEY" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-ssh-keys-plug -c "cat $TESTKEY" 2>"${PWD}"/call.error; then
         echo "Expected permission error accessing to ssh"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-ssh-public-keys/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-ssh-public-keys/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-ssh-public-keys/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-ssh-public-keys/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -7,14 +7,12 @@
 environment:
     KEYSDIR: "/$HOME/.ssh"
     TESTKEY: "/$HOME/.ssh/testkey"
-    CONNECTED_PATTERN: ':ssh-public-keys +test-snapd-ssh-public-keys'
-    DISCONNECTED_PATTERN: '\- +test-snapd-ssh-public-keys:ssh-public-keys'
-
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
 
-    install_local test-snapd-ssh-public-keys
+    install_local test-snapd-sh
 
     if [ -d "$KEYSDIR" ]; then
         cp -rf "$KEYSDIR" "$KEYSDIR".old
@@ -33,35 +31,33 @@
 
 execute: |
     echo "The interface is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-    
+    snap interfaces -i ssh-public-keys | MATCH -- '^- +test-snapd-sh:ssh-public-keys'
+
     echo "When the interface is connected"
-    snap connect test-snapd-ssh-public-keys:ssh-public-keys
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    snap connect test-snapd-sh:ssh-public-keys
     
     echo "Then the snap is able to see ssh version"
-    test-snapd-ssh-public-keys.sh -c "ssh -V"
+    test-snapd-sh.with-ssh-public-keys-plug -c "ssh -V"
 
     echo "And the snap is able to read a public key"
-    test-snapd-ssh-public-keys.sh -c "cat $TESTKEY.pub"
+    test-snapd-sh.with-ssh-public-keys-plug -c "cat $TESTKEY.pub"
 
     if [ "$(snap debug confinement)" = partial ]; then
         exit 0
     fi
 
     echo "And then the snap is not able to access to private keys"
-    if test-snapd-ssh-public-keys.sh -c "cat $TESTKEY" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-ssh-public-keys-plug -c "cat $TESTKEY" 2>"${PWD}"/call.error; then
         echo "Expected permission error accessing to ssh"
         exit 1
     fi
     MATCH "Permission denied" < call.error
 
     echo "When the plug is disconnected"
-    snap disconnect test-snapd-ssh-public-keys:ssh-public-keys
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap disconnect test-snapd-sh:ssh-public-keys
     
     echo "Then the snap is not able to access the ssh public keys"
-    if test-snapd-ssh-public-keys.sh -c "cat $TESTKEY.pub" 2>${PWD}/call.error; then
+    if test-snapd-sh.with-ssh-public-keys-plug -c "cat $TESTKEY.pub" 2>"${PWD}"/call.error; then
         echo "Expected permission error accessing to ssh"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-system-files/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-system-files/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-system-files/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-system-files/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,94 @@
+summary: Ensure that the system-files interface works.
+
+details: |
+    The system-files interface allows access specific system files or directories.
+
+environment:
+    # keep in sync with tests/lib/snaps/test-snapd-sh/meta/snap.yaml
+    TESTDIR: /mnt/testdir
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    # Fist layer of dirs and files
+    ensure_dir_exists_backup_real "$TESTDIR"
+    ensure_file_exists_backup_real "$TESTDIR"/.testfile1
+    ensure_file_exists_backup_real "$TESTDIR"/readonly_file1
+    ensure_dir_exists_backup_real "$TESTDIR"/.testdir1
+    ensure_dir_exists_backup_real "$TESTDIR"/testdir1
+
+    # Second layer of dirs and files
+    ensure_file_exists_backup_real "$TESTDIR"/.testdir1/.testfilé2
+    ensure_file_exists_backup_real "$TESTDIR/.testdir1/test file2"
+    ensure_dir_exists_backup_real "$TESTDIR"/root
+
+    # Not accessible dirs and files
+    ensure_dir_exists_backup_real /root/.testdir1
+    ensure_file_exists_backup_real /root/.testfile1
+
+restore: |
+    rm -f call.error
+
+    # shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB/files.sh"
+
+    clean_dir "$TESTDIR"
+    clean_dir /root/.testdira1
+    clean_dir /root/.testfile1
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i system-files | MATCH "\\- +test-snapd-sh:system-files"
+
+    echo "When the interface is connected"
+    snap connect test-snapd-sh:system-files
+
+    echo "And not other interfaces are connected"
+    snap disconnect test-snapd-sh:home
+
+    echo "Then the snap is able to access all the files and dirs in /testdir"
+    test-snapd-sh.with-system-files-plug -c "cat $TESTDIR/.testfile1" | MATCH "content for $TESTDIR/.testfile1"
+    test-snapd-sh.with-system-files-plug -c "cat $TESTDIR/readonly_file1" MATCH "content for $TESTDIR/readonly_file1"
+    test-snapd-sh.with-system-files-plug -c "ls $TESTDIR/.testdir1"
+    test-snapd-sh.with-system-files-plug -c "ls $TESTDIR/testdir1"
+    test-snapd-sh.with-system-files-plug -c "cat $TESTDIR/.testdir1/.testfilé2" | MATCH "content for $TESTDIR/.testdir1/.testfilé2"
+    test-snapd-sh.with-system-files-plug -c "cat $TESTDIR'/.testdir1/test file2'" | MATCH "content for $TESTDIR/.testdir1/test file2"
+    test-snapd-sh.with-system-files-plug -c "ls $TESTDIR/root/"
+
+    echo "Then the snap is able to write just $TESTDIR/.testdir1 and $TESTDIR/.testfile1"
+    test-snapd-sh.with-system-files-plug -c "echo test >> $TESTDIR/.testfile1"
+    test-snapd-sh.with-system-files-plug -c "touch $TESTDIR/.testdir1/testfilé2"
+
+    if [ "$(snap debug confinement)" = partial ] ; then
+        exit 0
+    fi
+
+    if test-snapd-sh.with-system-files-plug -c "echo test >> $TESTDIR/readonly_file1" 2> call.error; then
+        echo "Expected permission error writing the system file"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
+
+    echo "Then the snap is not able to to access files and dirs in $HOME"
+    test-snapd-sh.with-system-files-plug -c "ls /root/.testdir1" 2>&1| MATCH "Permission denied"
+    test-snapd-sh.with-system-files-plug -c "cat /root/.testfile1" 2>&1| MATCH "Permission denied"
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-sh:system-files
+
+    echo "Then the snap is not able to read files and dirs in $HOME"
+    if test-snapd-sh.with-system-files-plug -c "ls $TESTDIR/.testdir1" 2> call.error; then
+        echo "Expected permission error accessing the system dir"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
+    if test-snapd-sh.with-system-files-plug -c "cat $TESTDIR/.testfile1" 2> call.error; then
+        echo "Expected permission error accessing the system file"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-system-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-system-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-system-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-system-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -21,23 +21,17 @@
     fi
 
 restore: |
-    rm -f *.error
+    rm -f ./*.error
     if [[ "$SPREAD_SYSTEM" != ubuntu-14.04-* ]]; then
         systemctl stop systemd-hostnamed
     fi
 
 execute: |
-    CONNECTED_PATTERN=":system-observe +test-snapd-system-observe-consumer"
-    DISCONNECTED_PATTERN="^\- +test-snapd-system-observe-consumer:system-observe"
+    echo "The interface is disconnected by default"
+    snap interfaces -i system-observe | MATCH -- '^- +test-snapd-system-observe-consumer:system-observe'
 
-    echo "Then the plug is shown as disconnected"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
-
-    echo "==========================================="
-
-    echo "When the plug is connected"
+    echo "When the interface is connected"
     snap connect test-snapd-system-observe-consumer:system-observe
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then the snap is able to get system information"
     expected="/dev/tty.*?serial"
@@ -50,25 +44,25 @@
     fi
 
     if [ "$(snap debug confinement)" = strict ] ; then
-        echo "==========================================="
+        echo "And the policy has the ptrace suppression rule"
+        MATCH '^deny ptrace \(trace\),' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-system-observe-consumer.consumer
 
         echo "When the plug is disconnected"
         snap disconnect test-snapd-system-observe-consumer:system-observe
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
         echo "Then the snap is not able to get system information"
-        if su -l -c "test-snapd-system-observe-consumer.consumer 2>${PWD}/consumer.error" test; then
+        if su -l -c "test-snapd-system-observe-consumer.consumer" test 2>"${PWD}/consumer.error"; then
             echo "Expected error with plug disconnected"
             exit 1
         fi
-        cat consumer.error | MATCH "Permission denied"
+        MATCH "Permission denied" < consumer.error
 
         if [[ "$SPREAD_SYSTEM" != ubuntu-14.04-* ]]; then
             echo "And the snap is not able to introspect hostname1"
-            if su -l -c "test-snapd-system-observe-consumer.dbus-introspect 2>${PWD}/introspect.error" test; then
+            if su -l -c "test-snapd-system-observe-consumer.dbus-introspect" test 2>"${PWD}/introspect.error"; then
                 echo "Expected error with plug disconnected"
                 exit 1
             fi
-            cat introspect.error | MATCH "Permission denied"
+            MATCH "Permission denied" < introspect.error
         fi
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-time-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-time-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-time-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-time-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -6,10 +6,11 @@
     snap properly.
 
 # s390x virtualization does not support hwclock
-systems: [-opensuse-*,-fedora-*,-ubuntu-core-*,-ubuntu-14.04-*,-*-s390x]
+systems: [-opensuse-*,-fedora-*,-ubuntu-core-*,-ubuntu-14.04-*,-*-s390x,-arch-*]
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     # Install a snap declaring a plug on time-control
     install_local test-snapd-timedate-control-consumer
@@ -23,20 +24,16 @@
     rm -f call.error
 
 execute: |
-    CONNECTED_PATTERN=":time-control +test-snapd-timedate-control-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-timedate-control-consumer:time-control"
-
     # hwclock with libaudit (ie, core 16) also needs netlink-audit connected.
     # This interface is tested elsewhere, so simply connect it here so we can
     # test the time-control interface in isolation.
     snap connect test-snapd-timedate-control-consumer:netlink-audit
 
-    # Check the interface is disconnected by detault
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    echo "The interface is disconnected by default"
+    snap interfaces -i time-control | MATCH -- '^- +test-snapd-timedate-control-consumer:time-control'
 
-    # Connect the interface and check it is connected
+    # When the interface is connected
     snap connect test-snapd-timedate-control-consumer:time-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     # Read/write to hwclock access should be possible
     test-snapd-timedate-control-consumer.hwclock-time -r -f /dev/rtc
@@ -62,7 +59,7 @@
 
     # Disconnect the interface and check access to timedatectl status
     snap disconnect test-snapd-timedate-control-consumer:time-control
-    if test-snapd-timedate-control-consumer.timedatectl-time status 2>${PWD}/call.error; then
+    if test-snapd-timedate-control-consumer.timedatectl-time status 2>"${PWD}"/call.error; then
         echo "Expected permission error calling timedatectl status with disconnected plug"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-timeserver-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-timeserver-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-timeserver-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-timeserver-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,8 +4,14 @@
     This test makes sure that a snap using the timeserver-control interface
     can access timeserver information and update it.
 
+# Debian sid is skipped because "timedatectl set-ntp" fails with the error:
+# "Failed to set ntp: Message recipient disconnected from message bus without replying"
+# A workaround is to make "systemctl enable --now systemd-timesyncd.service" instead
+systems: [-debian-sid-*]
+
 prepare: |
-    . $TESTSLIB/snaps.sh
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     # Install a snap declaring a plug on timeserver-control
     install_local test-snapd-timedate-control-consumer
@@ -19,26 +25,42 @@
     rm -f call.error
 
 execute: |
-    CONNECTED_PATTERN=":timeserver-control +test-snapd-timedate-control-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-timedate-control-consumer:timeserver-control"
-
-    # Check the interface is disconnected by detault
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    echo "The interface is disconnected by default"
+    snap interfaces -i timeserver-control | MATCH -- '- +test-snapd-timedate-control-consumer:timeserver-control'
 
-    # Connect the interfaces for both snaps
+    echo "When the interface is connected"
     snap connect test-snapd-timedate-control-consumer:timeserver-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     # Save the default timeserver to be restored at the end
-    test-snapd-timedate-control-consumer.timedatectl-timeserver status | grep -oP 'Network time on: \K(.*)' > timeserver.txt
+    test-snapd-timedate-control-consumer.timedatectl-timeserver status | grep -oP '(Network time on|systemd-timesyncd.service active): \K(.*)' > timeserver.txt
+
+    get_ntp_status() {
+        test-snapd-timedate-control-consumer.timedatectl-timeserver status | \
+            grep -oP '(Network time on|System clock synchronized): \K(.*)'
+    }
+
+    # NOTE: with systemd >= 239, switching the ntp setting it takes a while for
+    # it to become visible
 
     # Set the ntp value and check the status
     test-snapd-timedate-control-consumer.timedatectl-timeserver set-ntp yes
-    [ "$(test-snapd-timedate-control-consumer.timedatectl-timeserver status | grep -oP 'Network time on: \K(.*)')" = "yes" ]
+    for _ in $(seq 10); do
+        if [ "$(get_ntp_status)" = "yes" ] ; then
+            break
+        fi
+        sleep 1
+    done
+    [ "$(get_ntp_status)" = "yes" ]
 
     # Set the ntp value and check the status
     test-snapd-timedate-control-consumer.timedatectl-timeserver set-ntp no
-    [ "$(test-snapd-timedate-control-consumer.timedatectl-timeserver status | grep -oP 'Network time on: \K(.*)')" = "no" ]
+    for _ in $(seq 10); do
+        if [ "$(get_ntp_status)" = "no" ]; then
+            break
+        fi
+        sleep 1
+    done
+    [ "$(get_ntp_status)" = "no" ]
 
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
@@ -46,7 +68,7 @@
 
     # Disconnect the interface and check access to timedatectl status
     snap disconnect test-snapd-timedate-control-consumer:timeserver-control
-    if test-snapd-timedate-control-consumer.timedatectl-timeserver status 2>${PWD}/call.error; then
+    if test-snapd-timedate-control-consumer.timedatectl-timeserver status 2> call.error; then
         echo "Expected permission error calling timedatectl status with disconnected plug"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-timezone-control/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-timezone-control/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-timezone-control/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-timezone-control/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,8 +4,15 @@
     This test makes sure that a snap using the timezone-control interface
     can access timezone information and update it.
 
+# FIXME:
+# core18 lacks support in systemd for the /etc/writable/timezone, once
+# https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1778936 is fixed
+# we need to re-enable it.
+systems: [-ubuntu-core-18-*]
+
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     # Install a snap declaring a plug on timezone-control
     install_local test-snapd-timedate-control-consumer
@@ -13,21 +20,17 @@
 restore: |
     # Restore the initial timezone
     if [ -f timezone.txt ]; then
-        timedatectl set-timezone "$(cat timezone.txt)"
+        timedatectl set-timezone "$(cat timezone.txt)" || true
         rm -f timezone.txt
     fi
     rm -f call.error
 
 execute: |
-    CONNECTED_PATTERN=":timezone-control +test-snapd-timedate-control-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-timedate-control-consumer:timezone-control"
-
-    # Check the interface is disconnected by detault
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    echo "The interface is disconnected by default"
+    snap interfaces -i timezone-control | MATCH -- '^- +test-snapd-timedate-control-consumer:timezone-control'
 
-    # Connect the interfaces for both snaps
+    echo "When the interface is connected"
     snap connect test-snapd-timedate-control-consumer:timezone-control
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     # Read timezones information should be allowed
     timezone1=$(test-snapd-timedate-control-consumer.timedatectl-timezone list-timezones | sed -n 1p)
@@ -42,13 +45,11 @@
     fi
 
     # Set the timezone1 as timezone and check the status
-    # The set-timezone command works but fails in some images (lp: #1650688)
-    test-snapd-timedate-control-consumer.timedatectl-timezone set-timezone $timezone1 || true
+    test-snapd-timedate-control-consumer.timedatectl-timezone set-timezone "$timezone1"
     [ "$(test-snapd-timedate-control-consumer.timedatectl-timezone status | grep -oP 'Time zone: \K(.*)(?= \()')" = "$timezone1" ]
 
     # Set the timezone2 as timezone and check the status
-    # The set-timezone command works but fails in some images (lp: #1650688)
-    test-snapd-timedate-control-consumer.timedatectl-timezone set-timezone $timezone2 || true
+    test-snapd-timedate-control-consumer.timedatectl-timezone set-timezone "$timezone2"
     [ "$(test-snapd-timedate-control-consumer.timedatectl-timezone status | grep -oP 'Time zone: \K(.*)(?= \()')" = "$timezone2" ]
 
     if [ "$(snap debug confinement)" = partial ] ; then
@@ -57,7 +58,7 @@
 
     # Disconnect the interface and check access to timedatectl status
     snap disconnect test-snapd-timedate-control-consumer:timezone-control
-    if test-snapd-timedate-control-consumer.timedatectl-timezone status 2>${PWD}/call.error; then
+    if test-snapd-timedate-control-consumer.timedatectl-timezone status 2>"${PWD}"/call.error; then
         echo "Expected permission error calling timedatectl status with disconnected plug"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-udev/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-udev/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-udev/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-udev/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -11,12 +11,11 @@
     more interfaces declare udev snippets.
 
 prepare: |
-    echo "Given a snap declaring a slot with associated udev rules is installed"
-    snap pack $TESTSLIB/snaps/modem-manager-consumer
-    snap install --dangerous modem-manager-consumer_1.0_all.snap
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
-restore: |
-    rm -f modem-manager-consumer_1.0_all.snap
+    echo "Given a snap declaring a slot with associated udev rules is installed"
+    install_local modem-manager-consumer
 
 execute: |
     echo "Then the udev rules files specific to it are created"
@@ -24,8 +23,6 @@
     expected="ATTRS{idVendor}==\".*?\", ATTRS{idProduct}==\".*?\""
     grep -Pq "$expected" /etc/udev/rules.d/70-snap.modem-manager-consumer.rules
 
-    echo "======================================="
-
     echo "When the snap is removed"
     snap remove modem-manager-consumer
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-udisks2/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-udisks2/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-udisks2/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-udisks2/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,59 @@
+summary: Ensure that the udisks2 interface works.
+
+details: |
+    The udisks2 interface allows operating as or interacting with the UDisks2 service
+
+# Interfaces not defined for ubuntu core systems
+systems: [-ubuntu-core-*]
+
+prepare: |
+    snap install test-snapd-udisks2
+
+environment:
+    FS_PATH: "$(pwd)/dev0-fake0"
+    MMCBLK_PATH: /dev/mmcblk-fake0
+
+restore: |
+    rm -f call.error
+    losetup -d "$MMCBLK_PATH" || true
+    rm -f "$MMCBLK_PATH" "$FS_PATH"
+
+execute: |
+    echo "The interface is not connected by default"
+    snap interfaces -i udisks2 | MATCH -- "- +test-snapd-udisks2:udisks2"
+
+    echo "When the interface is connected"
+    snap connect test-snapd-udisks2:udisks2
+
+    echo "Check it is possible to see the udisks2 stauts"
+    test-snapd-udisks2.udisksctl status | MATCH "MODEL"
+
+    echo "Check it is possible to dump all the udisks objects info"
+    test-snapd-udisks2.udisksctl dump | MATCH "org.freedesktop.UDisks2.Manager"
+
+    echo "Check we can mount/unmount a block device using the snap"
+    # create a 10M filesystem in pwd
+    dd if=/dev/zero of="$FS_PATH" bs=1M count=10
+    mkfs.ext4 -F "$FS_PATH"
+    # create the loopback block device
+    mknod "$MMCBLK_PATH" b 7 200
+    losetup "$MMCBLK_PATH" "$FS_PATH"
+
+    device="$(losetup -j "$FS_PATH" | cut -d: -f1)"
+
+    test-snapd-udisks2.udisksctl mount -b "$device" -t ext4 | MATCH "Mounted /dev/"
+    test-snapd-udisks2.udisksctl unmount -b "$device" | MATCH "Unmounted /dev/"
+
+    if [ "$(snap debug confinement)" = partial ] ; then
+        exit 0
+    fi
+
+    echo "When the plug is disconnected"
+    snap disconnect test-snapd-udisks2:udisks2
+
+    echo "Then the snap is not able to check udisks2 status"
+    if test-snapd-udisks2.udisksctl status 2> call.error; then
+        echo "Expected permission error calling udisksctl status with disconnected plug"
+        exit 1
+    fi
+    MATCH "Permission denied" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-uhid/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-uhid/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-uhid/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-uhid/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -16,15 +16,11 @@
     rm -f call.error
 
 execute: |
-    CONNECTED_PATTERN=":uhid +test-snapd-uhid"
-    DISCONNECTED_PATTERN="\- +test-snapd-uhid:uhid"
-
     echo "The plug is not connected by default"
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
+    snap interfaces -i uhid | MATCH -- '^- +test-snapd-uhid:uhid'
 
     echo "When the plug is connected"
     snap connect test-snapd-uhid:uhid
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Exit when uhid is not supported, specially on cloud images"
     if [ ! -d /dev/uhid ]; then
@@ -42,7 +38,7 @@
     snap disconnect test-snapd-uhid:uhid
 
     echo "Then the snap is not able to create/destroy a device on /dev/uhid"
-    if test-snapd-uhid.test-device 2>${PWD}/call.error; then
+    if test-snapd-uhid.test-device 2>"${PWD}"/call.error; then
         echo "Expected permission error calling uhid with disconnected plug"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-upower-observe/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-upower-observe/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-upower-observe/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-upower-observe/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,11 +1,5 @@
 summary: Ensure that the upower-observe interface works.
 
-systems:
-    # ppc64el disabled because of https://github.com/snapcore/snapd/issues/2504
-    - -ubuntu-*-ppc64el
-    - -fedora-*
-    - -opensuse-*
-
 details: |
     The upower-observe interface allows a snap to query UPower for power devices, history
     and statistics.
@@ -16,24 +10,22 @@
     The test uses a snap wrapping the upower command line utility, and checks that it can query
     it without error while the plug is connected.
 
+# ppc64el disabled because of https://github.com/snapcore/snapd/issues/2504
+systems: [-ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
 prepare: |
     echo "Given a snap declaring a plug on the upower-observe interface is installed"
     snap install --edge test-snapd-upower-observe-consumer
 
-    if [[ "$SPREAD_SYSTEM" = ubuntu-core-* ]]; then
+    # shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB/systems.sh"
+    if is_core_system; then
         echo "And a snap providing a upower-observe slot is installed"
         snap install upower
-    else
-        . "$TESTSLIB/pkgdb.sh"
-        distro_install_package upower
     fi
 
 restore: |
     rm -f upower.error
-    if [[ "$SPREAD_SYSTEM" != ubuntu-core-* ]]; then
-        . "$TESTSLIB/pkgdb.sh"
-        distro_purge_package upower
-    fi
 
 execute: |
     SLOT_PROVIDER=
@@ -43,32 +35,26 @@
         SLOT_NAME=service
     fi
 
-    CONNECTED_PATTERN="$SLOT_PROVIDER:$SLOT_NAME +test-snapd-upower-observe-consumer"
-    DISCONNECTED_PATTERN="\- +test-snapd-upower-observe-consumer:upower-observe"
-
-    echo "The snap is connected by default"
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
+    echo "The interface is connected by default"
+    snap interfaces -i upower-observe | MATCH "$SLOT_PROVIDER:$SLOT_NAME .*test-snapd-upower-observe-consumer"
 
     echo "When the plug is connected the snap is able to dump info about the upower devices"
     expected="/org/freedesktop/UPower/devices/DisplayDevice.*"
-    for i in $(seq 20); do
+    for _ in $(seq 20); do
         if ! test-snapd-upower-observe-consumer.upower --dump | MATCH "$expected"; then
             sleep 1
         fi
     done
     test-snapd-upower-observe-consumer.upower --dump | MATCH "$expected"
 
-    echo "==================================="
-
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "When the plug is disconnected"
         snap disconnect test-snapd-upower-observe-consumer:upower-observe
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
         echo "Then the snap is not able to dump info about the upower devices"
-        if test-snapd-upower-observe-consumer.upower --dump 2>${PWD}/upower.error; then
+        if test-snapd-upower-observe-consumer.upower --dump 2>"${PWD}"/upower.error; then
             echo "Expected permission error accessing upower info with disconnected plug"
             exit 1
         fi
-        cat upower.error | MATCH "Permission denied"
+        MATCH "Permission denied" < upower.error
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/interfaces-wayland/task.yaml snapd-2.37~rc1~14.04/tests/main/interfaces-wayland/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/interfaces-wayland/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/interfaces-wayland/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,27 +4,25 @@
 systems: [ ubuntu-1*-*64 ]
 
 prepare: |
-    . $TESTSLIB/pkgdb.sh
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB"/pkgdb.sh
     snap install --edge test-snapd-wayland
 
 restore: |
     echo "Stop weston compositor"
-    /usr/bin/killall -9 /usr/bin/weston || true
+    pkill -SIGKILL weston || true
 
 execute: |
-    CONNECTED_PATTERN=":wayland +test-snapd-wayland"
-    DISCONNECTED_PATTERN="\- +test-snapd-wayland:wayland"
+    echo "The interface is connected by default"
+    snap interfaces -i wayland | MATCH ":wayland .*test-snapd-wayland"
 
     echo "When the plug is connected"
     snap connect test-snapd-wayland:wayland
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     if [ "$(snap debug confinement)" = "partial" ] ; then
         exit 0
     fi
 
-    echo "===================================="
-
     echo "Create XDG_RUNTIME_DIR=/run/user/12345"
     mkdir -p /run/user/12345 || true
     chmod 700 /run/user/12345
@@ -47,11 +45,8 @@
     echo "Then the snap command under the test user is able connect to the wayland socket"
     XDG_RUNTIME_DIR=/run/user/12345 su -p -l -c test-snapd-wayland test | MATCH wl_compositor
 
-    echo "===================================="
-
     echo "When the plug is disconnected"
     snap disconnect test-snapd-wayland:wayland
-    snap interfaces | MATCH "$DISCONNECTED_PATTERN"
 
     echo "Then the snap command is not able to connect to the wayland socket"
     if XDG_RUNTIME_DIR=/run/user/12345 su -p -l -c test-snapd-wayland test; then
@@ -62,4 +57,4 @@
     # If this is in 'restore', execute doesn't exit and spread must timeout
     # the test.
     echo "Stop weston compositor"
-    /usr/bin/killall -9 /usr/bin/weston || true
+    pkill -SIGKILL weston || true
diff -Nru snapd-2.32.3.2~14.04/tests/main/kernel-snap-refresh-on-core/task.yaml snapd-2.37~rc1~14.04/tests/main/kernel-snap-refresh-on-core/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/kernel-snap-refresh-on-core/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/kernel-snap-refresh-on-core/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -39,7 +39,8 @@
         exit 0
     fi
 
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
     if [ "$SPREAD_REBOOT" = 0 ]; then
         # ensure we have a good starting place
     
@@ -47,7 +48,7 @@
         test-snapd-tools.echo hello | MATCH hello
 
         # go to known good starting place
-        snap refresh pc-kernel --${KERNEL_CHANNEL}
+        snap refresh pc-kernel "--${KERNEL_CHANNEL}"
         REBOOT
     elif [ "$SPREAD_REBOOT" = 1 ]; then
         # from our good starting place we refresh
@@ -58,7 +59,7 @@
         cat /proc/version_signature > prevKernelSignature
 
         # refresh
-        snap refresh pc-kernel --${NEW_KERNEL_CHANNEL}
+        snap refresh pc-kernel "--${NEW_KERNEL_CHANNEL}"
 
         # check boot env vars
         snap list | awk "/^pc-kernel / {print(\$3)}" > nextBoot
diff -Nru snapd-2.32.3.2~14.04/tests/main/known/task.yaml snapd-2.37~rc1~14.04/tests/main/known/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/known/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/known/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: Check snap known
+
 execute: |
     echo "Listing all account assertions"
     snap known account|MATCH "^type: account$"
diff -Nru snapd-2.32.3.2~14.04/tests/main/known-remote/task.yaml snapd-2.37~rc1~14.04/tests/main/known-remote/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/known-remote/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/known-remote/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,8 +1,9 @@
 summary: Check snap known --store
+
 execute: |
     echo "Check getting assertion from the store"
     output=$(snap known --remote model series=16 brand-id=canonical model=pi2)
-    echo $output |MATCH "type: model"
-    echo $output |MATCH "series: 16"
-    echo $output |MATCH "brand-id: canonical"
-    echo $output |MATCH "model: pi2"
+    echo "$output" |MATCH "type: model"
+    echo "$output" |MATCH "series: 16"
+    echo "$output" |MATCH "brand-id: canonical"
+    echo "$output" |MATCH "model: pi2"
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout/task.yaml snapd-2.37~rc1~14.04/tests/main/layout/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/layout/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,25 @@
 summary: Ensure that snap layouts are applied
+
 details: |
     This test installs a test snap that uses layout declarations.
     The layout changes which directories and files exist in the filesystem
     in the area beyond the $SNAP directory. In addition all applications and
     hooks get permissions to access those areas.
+
 prepare: |
-    echo "Ensure feature flag is enabled"
-    snap set core experimental.layouts=true
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-layout
+
 debug: |
     ls -ld /etc || :
     ls -ld /etc/demo || :
     ls -ld /etc/demo.conf || :
     ls -ld /etc/demo.cfg || :
+
 execute: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     for i in $(seq 2); do
         if [ "$i" -eq 2 ]; then
             echo "The snap works across refreshes"
@@ -26,37 +30,73 @@
         test-snapd-layout.sh -c "true"
 
         echo "layout declarations are honored"
-
         test-snapd-layout.sh -c "test -d /etc/demo"
         test-snapd-layout.sh -c "test -f /etc/demo.conf"
         test-snapd-layout.sh -c "test -h /etc/demo.cfg"
+        #shellcheck disable=SC2016
         test "$(test-snapd-layout.sh -c "readlink /etc/demo.cfg")" = "$(test-snapd-layout.sh -c 'echo $SNAP_COMMON/etc/demo.conf')"
         test-snapd-layout.sh -c "test -d /usr/share/demo"
         test-snapd-layout.sh -c "test -d /var/lib/demo"
         test-snapd-layout.sh -c "test -d /var/cache/demo"
         test-snapd-layout.sh -c "test -d /opt/demo"
+        test-snapd-layout.sh -c "test -d /bin/very/weird/place"
+        # Ideally we'd perform this test but the rsyslog directory has mode 700 and user mode 108:4
+        # test-snapd-layout.sh -c "test -d /var/spool/rsyslog/demo"
+
+        echo "layout constructed a mimic using tmpfs as aid (/opt)"
+        [ "$(test-snapd-layout.sh -c "stat -f /opt -c '%T'")" = "tmpfs" ]
+        echo "and the tmpfs was mounted with 0755 and root/root user/group to mimic /opt in core"
+        [ "$(test-snapd-layout.sh -c "stat /opt -c '%a'")" = "755" ]
+        [ "$(test-snapd-layout.sh -c "stat /opt -c '%u'")" = "0" ]
+        [ "$(test-snapd-layout.sh -c "stat /opt -c '%g'")" = "0" ]
+
+        echo "layout constructed a mimic using tmpfs as aid (/var/spool/rsyslog)"
+        [ "$(test-snapd-layout.sh -c "stat -f /var/spool/rsyslog -c '%T'")" = "tmpfs" ]
+        echo "and the tmpfs was mounted with 0700 and syslog/adm user/group to mimic /var/spool/rsyslog in core"
+        [ "$(test-snapd-layout.sh -c "stat /var/spool/rsyslog -c '%a'")" = "700" ]
+        [ "$(test-snapd-layout.sh -c "stat /var/spool/rsyslog -c '%u'")" = "108" ]
+        [ "$(test-snapd-layout.sh -c "stat /var/spool/rsyslog -c '%g'")" = "4" ]
+
+        echo "layout declarations didn't leak to the host"
+        test ! -e /etc/demo
+        test ! -e /etc/demo.conf
+        test ! -e /etc/demo.cfg
+        test ! -e /usr/share/demo
+        test ! -e /var/lib/demo
+        test ! -e /var/cache/demo
+        test ! -e /opt/demo
 
         echo "layout locations pointing to SNAP_DATA and SNAP_COMMON are writable"
         echo "and the writes go to the right place in the backing store"
 
         test-snapd-layout.sh -c "echo foo-1 > /etc/demo/writable"
+        #shellcheck disable=SC2016
         test "$(test-snapd-layout.sh -c 'cat $SNAP_COMMON/etc/demo/writable')" = "foo-1"
 
         test-snapd-layout.sh -c "echo foo-2 > /etc/demo.conf"
+        #shellcheck disable=SC2016
         test "$(test-snapd-layout.sh -c 'cat $SNAP_COMMON/etc/demo.conf')" = "foo-2"
 
         # NOTE: this is a symlink to demo.conf, effectively
         test-snapd-layout.sh -c "echo foo-3 > /etc/demo.cfg"
+        #shellcheck disable=SC2016
         test "$(test-snapd-layout.sh -c 'cat $SNAP_COMMON/etc/demo.conf')" = "foo-3"
 
         test-snapd-layout.sh -c "echo foo-4 > /var/lib/demo/writable"
+        #shellcheck disable=SC2016
         test "$(test-snapd-layout.sh -c 'cat $SNAP_DATA/var/lib/demo/writable')" = "foo-4"
 
         test-snapd-layout.sh -c "echo foo-5 > /var/cache/demo/writable"
+        #shellcheck disable=SC2016
         test "$(test-snapd-layout.sh -c 'cat $SNAP_DATA/var/cache/demo/writable')" = "foo-5"
 
         echo "layout locations pointing to SNAP are readable"
 
         test-snapd-layout.sh -c "test -r /usr/share/demo/file"
         test-snapd-layout.sh -c "test -r /opt/demo/file"
+
+        echo "layout locations in dynamically created SNAP directories are writable"
+        # shellcheck disable=SC2016
+        test-snapd-layout.sh -c 'test -w $SNAP/bin/very/weird/place'
+        test-snapd-layout.sh -c 'test -w /bin/very/weird/place'
     done
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v1/bin/app snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v1/bin/app
--- snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v1/bin/app	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v1/bin/app	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+/opt/runtime/runner "Hello from the app"
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v1/meta/snap.yaml snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v1/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v1/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v1/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,18 @@
+name: app
+version: 1
+# The application expects the runtime to be installed in /opt/runtime
+# We are using the layout system to put $SNAP/runtime in /opt/runtime but at
+# the same time the content interface allows us to mount the runtime in
+# $SNAP/runtime. With the right propagation options the mount event in
+# $SNAP/runtime is propagated into /opt/runtime
+layout:
+    /opt/runtime:
+        symlink: $SNAP/runtime
+apps:
+    app:
+        command: bin/app
+plugs:
+    runtime:
+        interface: content
+        content: runtime-1
+        target: $SNAP/runtime
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v2/bin/app snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v2/bin/app
--- snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v2/bin/app	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v2/bin/app	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+/opt/runtime/runner "Hello from the app"
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v2/meta/snap.yaml snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v2/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/app.v2/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/app.v2/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,18 @@
+name: app
+version: 2
+# The application expects the runtime to be installed in /opt/runtime
+# We are using the layout system to put $SNAP/runtime in /opt/runtime but at
+# the same time the content interface allows us to mount the runtime in
+# $SNAP/runtime. With the right propagation options the mount event in
+# $SNAP/runtime is propagated into /opt/runtime
+layout:
+    /opt/runtime:
+        bind: $SNAP/runtime
+apps:
+    app:
+        command: bin/app
+plugs:
+    runtime:
+        interface: content
+        content: runtime-1
+        target: $SNAP/runtime
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/runtime/meta/snap.yaml snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/runtime/meta/snap.yaml
--- snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/runtime/meta/snap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/runtime/meta/snap.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,7 @@
+name: runtime 
+version: 1
+slots:
+    runtime:
+        interface: content
+        content: runtime-1
+        read: [ $SNAP/opt/runtime ] 
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/runtime/opt/runtime/runner snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/runtime/opt/runtime/runner
--- snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/runtime/opt/runtime/runner	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/runtime/opt/runtime/runner	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo "RUNTIME: $*"
diff -Nru snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/task.yaml snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/layout-symlink-bind-revert/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/layout-symlink-bind-revert/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,24 @@
+summary: TBD
+prepare: |
+    echo "Ensure feature flag is enabled"
+    snap set core experimental.layouts=true
+    echo "Prepare the snaps we're going to use"
+    snap pack ./runtime .
+    snap pack ./app.v1 .
+    snap pack ./app.v2 .
+restore: |
+    rm -f "*.snap"
+execute: |
+    echo "The runtime and the application are installed and connected"
+    snap install --dangerous ./runtime_1_all.snap
+    snap install --dangerous ./app_1_all.snap
+    snap connect app:runtime runtime:runtime
+    app 2>&1 | MATCH "RUNTIME: Hello from the app"
+
+    echo "The application is refreshed with another layout"
+    snap install --dangerous ./app_2_all.snap
+    app 2>&1 | MATCH '/snap/app/x2/bin/app: 2: /snap/app/x2/bin/app: /opt/runtime/runner: not found'
+
+    echo "The broken application is reverted"
+    snap revert app 2>&1 | MATCH 'app reverted to 1'
+    app 2>&1 | MATCH "RUNTIME: Hello from the app"
diff -Nru snapd-2.32.3.2~14.04/tests/main/listing/task.yaml snapd-2.37~rc1~14.04/tests/main/listing/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/listing/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/listing/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,19 @@
 summary: Check snap listings
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
+    snap set system experimental.parallel-instances=true
+    install_local_as test-snapd-tools test-snapd-tools_foo
+
+restore:
+    snap set system experimental.parallel-instances=null
+
+# TODO: update test for core18 but its already pretty confusing as is
+systems: [-ubuntu-core-18-*]
+
 # autopkgtest run only a subset of tests that deals with the integration
 # with the distro
 backends: [-autopkgtest]
@@ -13,34 +23,40 @@
     # most core versions should be like "16-2", so [0-9]{2}-[0-9.]+
     # but edge will have a timestamp in there, "16.2+201701010932", so add an optional \+[0-9]+ to the end
     # *current* edge also has .git. and a hash snippet, so add an optional .git.[0-9a-f]+ to the already optional timestamp
-    if [ "$SPREAD_BACKEND" = "linode" -o "$SPREAD_BACKEND" == "qemu" ] && [ "$SPREAD_SYSTEM" = "ubuntu-core-16-64" ]; then
+    #shellcheck disable=SC2166
+    if [ "$SPREAD_BACKEND" = "linode" -o "$SPREAD_BACKEND" = "google" -o "$SPREAD_BACKEND" == "qemu" ] && [ "$SPREAD_SYSTEM" = "ubuntu-core-16-64" ]; then
         echo "With customized images the core snap is sideloaded"
-        expected='^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\+git[0-9]+\.[0-9a-f]+)? +x[0-9]+ +- +- +core *$'
+        expected='^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\+git[0-9]+\.[0-9a-f]+)? +x[0-9]+ +- +- +core.*$'
     elif [ "$SRU_VALIDATION" = "1" ]; then
         echo "When sru validation is done the core snap is installed from the store"
-        expected='^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\+[0-9]+\.[0-9a-f]+)? +[0-9]+ +stable +canonical +core *$'
+        expected='^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\+[0-9]+\.[0-9a-f]+)? +[0-9]+ +stable +canonical\\* +core.*$'
     elif [ "$SPREAD_BACKEND" = "external" ] || [ "$SPREAD_BACKEND" = "autopkgtest" ]; then
-        expected='^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\+git[0-9]+\.[0-9a-f]+)? +[0-9]+ +(edge|beta|candidate|stable) +canonical +core *$'
+        expected='^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\+git[0-9]+\.[0-9a-f]+)? +[0-9]+ +(edge|beta|candidate|stable) +canonical\\* +core.*$'
     else
-        expected='^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\+git[0-9]+\.[0-9a-f]+)? +[0-9]+ +edge +canonical +core *$'
+        expected="^core .* [0-9]{2}-[0-9.]+(~[a-z0-9]+)?(\\+git[0-9]+\\.[0-9a-f]+)? +[0-9]+ +$CORE_CHANNEL +canonical\\* +core.*$"
     fi
-    snap list | MATCH "$expected"
+    snap list --unicode=never | MATCH "$expected"
 
-    echo "List prints installed snap version"
+    echo "List prints installed snaps and versions"
     snap list | MATCH '^test-snapd-tools +[0-9]+(\.[0-9]+)* +x[0-9]+ +- +- +- *$'
+    snap list | MATCH '^test-snapd-tools_foo +[0-9]+(\.[0-9]+)* +x[0-9]+ +- +- +- *$'
 
     echo "Install test-snapd-tools again"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
+
     echo "And run snap list --all"
-    output=$(snap list --all |grep test-snapd-tools)
+    output=$(snap list --all |grep 'test-snapd-tools ')
     if [ "$(grep -c test-snapd-tools <<< "$output")" != "2" ]; then
         echo "Expected two test-snapd-tools in the output, got:"
-        echo $output
+        echo "$output"
         exit 1
     fi
     if [ "$(grep -c disabled <<< "$output")" != "1" ]; then
         echo "Expected one disabled line in in the output, got:"
-        echo $output
+        echo "$output"
         exit 1
     fi
+
+    snap list --all | MATCH 'test-snapd-tools_foo '
diff -Nru snapd-2.32.3.2~14.04/tests/main/local-install-w-metadata/task.yaml snapd-2.37~rc1~14.04/tests/main/local-install-w-metadata/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/local-install-w-metadata/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/local-install-w-metadata/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,8 +1,11 @@
 summary: Checks for local install with metadata from assertions
+
 # XXX we would need to bother with curl there atm
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
+
 restore: |
     rm -f test-snapd-tools_*.{snap,assert}
+
 execute: |
     echo "Get the snap"
     snap download test-snapd-tools
diff -Nru snapd-2.32.3.2~14.04/tests/main/login/task.yaml snapd-2.37~rc1~14.04/tests/main/login/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/login/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/login/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Checks for snap login
 
 # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el]
 
 restore: |
     snap logout || true
@@ -21,7 +21,7 @@
 
     if [ -n "$SPREAD_STORE_USER" ] && [ -n "$SPREAD_STORE_PASSWORD" ]; then
         echo "Checking successful login"
-        expect -d -f $TESTSLIB/successful_login.exp
+        expect -d -f "$TESTSLIB"/successful_login.exp
 
         output=$(snap managed)
         if [ "$output" != "true" ]; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/lxd/task.yaml snapd-2.37~rc1~14.04/tests/main/lxd/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/lxd/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/lxd/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,8 +1,9 @@
 summary: Ensure that lxd works
 
-# only run this on ubuntu 16+, lxd will not work on !ubuntu systems
+# Only run this on ubuntu 16+, lxd will not work on !ubuntu systems
 # currently nor on ubuntu 14.04
-systems: [ubuntu-16*, ubuntu-core-*]
+# No ubuntu 18.10 imaga available so far
+systems: [ubuntu-16*, ubuntu-18.04*, ubuntu-2*, ubuntu-core-*]
 
 # autopkgtest run only a subset of tests that deals with the integration
 # with the distro
@@ -11,60 +12,69 @@
 # lxd downloads can be quite slow
 kill-timeout: 25m
 
+# Start before anything else as it can take a really long time.
+priority: 1000
+
+prepare: |
+    # using apt here is ok because this test only runs on ubuntu
+    echo "Remove any installed debs (some images carry them) to ensure we test the snap"
+    if command -v apt; then
+        apt autoremove -y lxd
+    fi
+
 restore: |
-    if  [[ $(ls -1 "$GOHOME"/snapd_*.deb | wc -l || echo 0) -eq 0 ]]; then
+    if  [[ "$(find "$GOHOME" -name 'snapd_*.deb' | wc -l || echo 0)" -eq 0 ]]; then
         exit
     fi
 
-    lxd.lxc stop my-ubuntu
+    lxd.lxc stop my-ubuntu --force
     lxd.lxc delete my-ubuntu
+    rm -f conf.yaml 
 
 debug: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     # debug output from lxd
-    journalctl -u snap.lxd.daemon.service
+    get_journalctl_log -u snap.lxd.daemon.service
 
 execute: |
-    if  [[ $(ls -1 "$GOHOME"/snapd_*.deb | wc -l || echo 0) -eq 0 ]]; then
+    if  [[ "$(find "$GOHOME" -name 'snapd_*.deb' | wc -l || echo 0)" -eq 0 ]]; then
         echo "No run lxd test when there are not .deb files built"
         exit
     fi
 
-    wait_for_lxd(){
-        while ! printf "GET / HTTP/1.0\n\n" | nc -U /var/snap/lxd/common/lxd/unix.socket | MATCH "200 OK"; do sleep 1; done
-    }
-
     echo "Install lxd"
-    snap install lxd
+    snap install --candidate lxd
 
     echo "Create a trivial container using the lxd snap"
-    wait_for_lxd
+    snap set lxd waitready.timeout=240
+    lxd waitready
     lxd init --auto
 
     echo "Setting up proxy for lxc"
     if [ -n "${http_proxy:-}" ]; then
-        lxd.lxc config set core.proxy_http $http_proxy
+        lxd.lxc config set core.proxy_http "$http_proxy"
     fi
     if [ -n "${https_proxy:-}" ]; then
-        lxd.lxc config set core.proxy_https $http_proxy
+        lxd.lxc config set core.proxy_https "$http_proxy"
     fi
 
-    lxd.lxc launch ubuntu:16.04 my-ubuntu
+    # The snapd package we build as part of the tests will only run on the
+    # distro we build on. So we need to launch the right ubuntu version.
+    . /etc/os-release
+    lxd.lxc launch "ubuntu:${VERSION_ID}" my-ubuntu
 
     echo "Ensure we can run things inside"
     lxd.lxc exec my-ubuntu echo hello | MATCH hello
 
-    echo "Ensure we can get network"
-    lxd.lxc network create testbr0
-    lxd.lxc network attach testbr0 my-ubuntu eth0
-    lxd.lxc exec my-ubuntu dhclient eth0
-
     echo "Cleanup container"
     lxd.lxc exec my-ubuntu -- apt autoremove --purge -y snapd ubuntu-core-launcher
 
     echo "Install snapd"
     lxd.lxc exec my-ubuntu -- mkdir -p "$GOHOME"
-    lxd.lxc file push "$GOHOME"/snapd_*.deb my-ubuntu/$GOPATH/
-    lxd.lxc exec my-ubuntu -- dpkg -i "$GOHOME"/snapd_*.deb
+    lxd.lxc file push "$GOHOME"/snapd_*.deb "my-ubuntu/$GOHOME/"
+    lxd.lxc exec my-ubuntu -- apt install -y "$GOHOME"/snapd_*.deb
 
     echo "Setting up proxy *inside* the container"
     if [ -n "${http_proxy:-}" ]; then
@@ -75,6 +85,7 @@
     fi
     lxd.lxc exec my-ubuntu -- systemctl daemon-reload
     lxd.lxc exec my-ubuntu -- systemctl restart snapd.service
+    lxd.lxc exec my-ubuntu -- snap wait system seed.loaded
     lxd.lxc exec my-ubuntu -- cat /etc/environment
 
     # FIXME: ensure that the kernel running is recent enough, this
@@ -92,3 +103,17 @@
     echo "Install lxd-demo server to exercise the lxd interface"
     snap install lxd-demo-server
     snap connect lxd-demo-server:lxd lxd:lxd
+
+    echo "Check that we error in 'unconfined' lxd containers"
+    lxd.lxc config show my-ubuntu > conf.yaml
+    cat <<EOF >> conf.yaml
+    config:
+      raw.lxc: |
+        lxc.apparmor.profile=unconfined
+    EOF
+    lxd.lxc stop --force my-ubuntu
+    lxd.lxc config edit my-ubuntu < conf.yaml
+    lxd.lxc start my-ubuntu
+    # shellcheck disable=SC2016
+    lxd.lxc exec my-ubuntu -- sh -c 'set -x;for i in $(seq 120); do if journalctl -u snapd.service | grep -E "apparmor detected but insufficient permissions to use it"; then break; fi; sleep 1; done'
+    lxd.lxc exec my-ubuntu -- journalctl -u snapd | MATCH "apparmor detected but insufficient permissions to use it"
diff -Nru snapd-2.32.3.2~14.04/tests/main/manpages/task.yaml snapd-2.37~rc1~14.04/tests/main/manpages/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/manpages/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/manpages/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,17 +1,31 @@
 summary: the essential manual pages are installed by the native package
+
 # core systems don't ship man or manual pages
-systems: [-ubuntu-core-16-*]
-prepare: |
-    . "$TESTSLIB/pkgdb.sh"
-    distro_install_package man
-restore: |
-    . "$TESTSLIB/pkgdb.sh"
-    distro_purge_package man
+systems: [-ubuntu-core-*]
+
 execute: |
-    for manpage in snap snap-confine snap-discard-ns; do
-        if ! LC_ALL=C man --what $manpage; then
-            echo "Expected to see manual page for $manpage"
-            exit 1
-        fi
-    done
+
+    # This check for opensuse is done to avoid an issue on man command where
+    # "nothing appropriate" message is shown when the "--what" parameter
+    # is used for packages installed after man is installed. A workaround is
+    # to the machine or force a cache consistency calling the man page with '-u'
+    # This issue happens with any package, not just with snap related ones
+    # The command "man snap" works well in this case (man 2.6.6)
+    case "$SPREAD_SYSTEM" in
+        opensuse-*|arch-*|amazon-*|centos-*)
+            for manpage in snap snap-confine snap-discard-ns; do
+                if ! LC_ALL=C man -u --where $manpage; then
+                    echo "Expected to see manual page path for $manpage"
+                    exit 1
+                fi
+              done
+              ;;
+        *)
+            for manpage in snap snap-confine snap-discard-ns; do
+                if ! LC_ALL=C man --what $manpage; then
+                    echo "Expected to see manual page for $manpage"
+                    exit 1
+                fi
+            done
+    esac
 # TODO: add manual pages for snapctl, snap-exec and snapd
diff -Nru snapd-2.32.3.2~14.04/tests/main/media-sharing/task.yaml snapd-2.37~rc1~14.04/tests/main/media-sharing/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/media-sharing/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/media-sharing/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,33 @@
-summary: The /media directory propagates events outwards
+summary: The media directory propagates events outwards
+
 details: |
     The /media directory is special in that mount events propagate outward from
-    the mount namespace used by snap applications into the main mount
-    namespace.
+    the mount namespace used by snap applications into the main mount namespace.
+    Fedora and other systems that build udisks without --enable-fhs-media flag
+    use /run/media path instead.
+
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     install_local_devmode test-snapd-tools
-    mkdir -p /media/src
-    mkdir -p /media/dst
-    touch /media/src/canary
+    mkdir -p ${MEDIA_DIR}/src
+    mkdir -p ${MEDIA_DIR}/dst
+    touch ${MEDIA_DIR}/src/canary
+
 execute: |
-    test ! -e /media/dst/canary
-    test-snapd-tools.cmd mount --bind /media/src /media/dst
-    test -e /media/dst/canary
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+    test ! -e ${MEDIA_DIR}/dst/canary
+    test-snapd-tools.cmd mount --bind ${MEDIA_DIR}/src ${MEDIA_DIR}/dst
+    test -e ${MEDIA_DIR}/dst/canary
+
 restore: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     # If this doesn't work maybe it is because the test didn't execute correctly
-    umount /media/dst || true
-    rm -f /media/src/canary
-    rmdir /media/src
-    rmdir /media/dst
+    umount ${MEDIA_DIR}/dst || true
+    rm -f ${MEDIA_DIR}/src/canary
+    rmdir ${MEDIA_DIR}/src
+    rmdir ${MEDIA_DIR}/dst
diff -Nru snapd-2.32.3.2~14.04/tests/main/mount-protocol-error/task.yaml snapd-2.37~rc1~14.04/tests/main/mount-protocol-error/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/mount-protocol-error/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/mount-protocol-error/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,28 @@
+summary: Check mount bug https://forum.snapcraft.io/t/5682
+
+description: |
+   Regression test for systemd mount race that produces a protocol
+   error. We added a workaround to snapd for the upstream bug
+   https://github.com/systemd/systemd/issues/10872
+
+   For more discussion on the issue see
+   https://forum.snapcraft.io/t/5682
+   https://launchpad.net/bugs/1772016
+
+backends: [-autopkgtest]
+
+# only run on a subset of systems because this test takes a long time to run
+systems: [ubuntu-18.04-64, ubuntu-18.10-64, arch-linux-64]
+
+execute: |
+    snap set system experimental.parallel-instances=true
+
+    names=(test-snapd-tools)
+    for n in $(seq 9); do
+        names+=("test-snapd-tools_$n")
+    done
+    for i in $(seq 10); do
+       echo "Install $i"
+       snap install "${names[@]}"
+       snap remove "${names[@]}"
+    done
diff -Nru snapd-2.32.3.2~14.04/tests/main/network-retry/task.yaml snapd-2.37~rc1~14.04/tests/main/network-retry/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/network-retry/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/network-retry/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,40 @@
+summary: Ensure network retry works correctly
+
+prepare: |
+    echo "Break DNS"
+    if [[ "$SPREAD_SYSTEM" = ubuntu-core-* ]]; then
+       resolvConf=$(realpath /etc/resolv.conf)
+       mv "${resolvConf}" "${resolvConf}.save"
+       echo "${resolvConf}" > resolvConf.txt
+    else
+        mv /etc/resolv.conf /etc/resolv.conf.save
+    fi
+restore: |
+    echo "Unbreak DNS"
+    if [[ "$SPREAD_SYSTEM" = ubuntu-core-* ]]; then
+       resolvConf=$(cat resolvConf.txt)
+       mv "${resolvConf}.save" "${resolvConf}"
+       rm resolvConf.txt
+    else
+       mv /etc/resolv.conf.save /etc/resolv.conf
+    fi
+
+execute: |
+    if [ -n "${http_proxy:-}" ] || [ -n "${https_proxy:-}" ] ||
+       [ -n "${HTTPS_PROXY:-}" ] || [ -n "${HTTPS_PROXY:-}" ]; then
+       # all querries will go through the proxy so breaking DNS will not work
+       echo "SKIP: cannot run when there is a http proxy set"
+       exit 0
+    fi
+
+    echo "Try to install a snap with broken DNS"
+    if snap install test-snapd-tools; then
+        echo "Installing test-snapd-tools with broken DNS should not work"
+        echo "Test broken"
+        exit 1
+    fi
+
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+    echo "Ensure we tried to retry this operation"
+    check_journalctl_log 'Retrying because of temporary net error'
diff -Nru snapd-2.32.3.2~14.04/tests/main/nfs-support/task.yaml snapd-2.37~rc1~14.04/tests/main/nfs-support/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/nfs-support/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/nfs-support/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,32 +1,107 @@
 summary: Test that snaps still work when /home is a NFS mount
+
 details: |
     Snapd now contains a feature where NFS-mounted /home (or any sub-directory)
     initializes a workaround mode where all snaps gain minimal amount of network
     permissions sufficient for NFS to operate.
-systems: [ubuntu-16.04-64]  # TODO: expand this list
+
+# ubuntu-core: nfs service not available on core
+# opensuse: the test is failing after retry several times the snapd service reaching the systemd start-limit.
+systems: [-ubuntu-core-*, -opensuse-*]
+
+# takes >1.5min to run
+backends: [-autopkgtest]
+
 prepare: |
-    . "$TESTSLIB/pkgdb.sh"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
-
-    # Install NFS server and a simple shell snap.
-    distro_install_package nfs-kernel-server
     install_local test-snapd-sh
+
+restore: |
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB/pkgdb.sh"
+
+    # Unmount NFS mount over /home if one exists.
+    umount /home || true
+
+    # Restore the fstab backup file if one exists.
+    if [ -e fstab.orig ]; then
+        mv fstab.orig /etc/fstab
+    fi
+
+    # Remove the NFS server and its configuration data.
+    rm -f /etc/exports.d/test.exports
+    rm -f -d /etc/exports.d
+    exportfs -r
+
+    # Restart snapd in to ensure it doesn't know about NFS configuration anymore.
+    systemctl stop snapd.service snapd.socket
+    systemctl reset-failed snapd.service
+    systemctl start snapd.service
+
 execute: |
+    # only needed because we do it 11 times (!)
+    restart_snapd() {
+        systemctl stop snapd.service snapd.socket
+        systemctl reset-failed snapd.service
+        systemctl start snapd.service
+    }
     ensure_extra_perms() {
-        MATCH 'network inet,' < /var/lib/snapd/apparmor/snap-confine/nfs-support
-        MATCH 'network inet,' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.with-home-plug
+        if [ "$(snap debug confinement)" = strict ]; then
+            MATCH 'network inet,' < /var/lib/snapd/apparmor/snap-confine/nfs-support
+            MATCH 'network inet,' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.with-home-plug
+        fi
     }
 
     ensure_normal_perms() {
-        test ! -e /var/lib/snapd/apparmor/snap-confine/nfs-support
-        MATCH -v 'network inet,' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.with-home-plug
+        if [ "$(snap debug confinement)" = strict ]; then
+            test ! -e /var/lib/snapd/apparmor/snap-confine/nfs-support
+            MATCH -v 'network inet,' < /var/lib/snapd/apparmor/profiles/snap.test-snapd-sh.with-home-plug
+        fi
     }
 
     # Export /home over NFS.
     mkdir -p /etc/exports.d/
     echo '/home localhost(rw,no_subtree_check,no_root_squash)' > /etc/exports.d/test.exports
-    systemctl restart nfs-kernel-server
-    exportfs -r
+    
+    # Make sure the nfs service is running
+    case "$SPREAD_SYSTEM" in
+        ubuntu-14.04-*)
+            service nfs-kernel-server start
+            ;;
+        ubuntu-*|debian-*)
+            systemctl restart nfs-kernel-server
+            ;;
+        fedora-*)
+            # Enable udp protocol for nfs on fedora which is disable by default           
+            sed -i -e 's/RPCNFSDARGS=.*/RPCNFSDARGS="--udp"/g' /etc/sysconfig/nfs
+            systemctl restart nfs
+            ;;
+        arch-*)
+            systemctl enable nfs-server.service
+            systemctl start nfs-server.service
+            ;;
+        opensuse-*)
+            systemctl enable nfsserver.service
+            systemctl start nfsserver.service
+            ;;
+        amazon-*|centos-*)
+            systemctl enable nfs
+            systemctl restart nfs
+            ;;
+    esac
+
+    # Synchronize the nfs directories
+    nfs_sync=0
+    for _ in $(seq 5); do
+        if exportfs -r; then
+            nfs_sync=1
+            break
+        fi
+        sleep 1
+    done
+    # Check synchronization for the nfs directories is done
+    [ $nfs_sync = 1 ]
 
     # Ensure that apparmor profiles don't permit network access
     ensure_normal_perms
@@ -35,58 +110,65 @@
     mount -t nfs localhost:/home /home -o nfsvers=3,proto=tcp
 
     # Restart snapd to observe the active NFS mount.
-    systemctl restart snapd
+    restart_snapd
 
     # Ensure that snap-confine's apparmor profile and the test snap's apparmor
     # profile now permit network access.
     ensure_extra_perms
 
     # As a non-root user perform a write over NFS-mounted /home
+    #shellcheck disable=SC2016
     su -c 'snap run test-snapd-sh.with-home-plug -c "touch \$SNAP_USER_DATA/smoke-nfs3-tcp"' test
 
     # Unmount /home and restart snapd so that we can check another thing.
     umount /home
-    systemctl restart snapd
+    restart_snapd
 
     # Ensure that this removed the extra permissions.
     ensure_normal_perms
 
-    # Mount NFS-exported /home over real /home using NFSv3 and UDP transport
-    mount -t nfs localhost:/home /home -o nfsvers=3,proto=udp
-
-    # Restart snapd to observe the active NFS mount.
-    systemctl restart snapd
-
-    # Ensure that snap-confine's apparmor profile and the test snap's apparmor
-    # profile now permit network access.
-    ensure_extra_perms
-
-    # As a non-root user perform a write over NFS-mounted /home
-    su -c 'snap run test-snapd-sh.with-home-plug -c "touch \$SNAP_USER_DATA/smoke-nfs3-udp"' test
-
-    # Unmount /home and restart snapd so that we can check another thing.
-    umount /home
-    systemctl restart snapd
+    # Skip udp protocol on arch-linux because it is not supported
+    # Error displayed: mount.nfs: requested NFS version or transport protocol is not supported
+    if [[ ! "$SPREAD_SYSTEM" =~ arch-* ]]; then
+        # Mount NFS-exported /home over real /home using NFSv3 and UDP transport
+        mount -t nfs localhost:/home /home -o nfsvers=3,proto=udp
+
+        # Restart snapd to observe the active NFS mount.
+        restart_snapd
+
+        # Ensure that snap-confine's apparmor profile and the test snap's apparmor
+        # profile now permit network access.
+        ensure_extra_perms
+
+        # As a non-root user perform a write over NFS-mounted /home
+        #shellcheck disable=SC2016
+        su -c 'snap run test-snapd-sh.with-home-plug -c "touch \$SNAP_USER_DATA/smoke-nfs3-udp"' test
+
+        # Unmount /home and restart snapd so that we can check another thing.
+        umount /home
+        restart_snapd
 
-    # Ensure that this removed the extra permissions.
-    ensure_normal_perms
+        # Ensure that this removed the extra permissions.
+        ensure_normal_perms
+    fi
 
     # Mount NFS-exported /home over real /home using NFSv4
     mount -t nfs localhost:/home /home -o nfsvers=4
 
     # Restart snapd to observe the active NFS mount.
-    systemctl restart snapd
+    restart_snapd
 
     # Ensure that snap-confine's apparmor profile and the test snap's apparmor
     # profile now permit network access.
     ensure_extra_perms
 
     # As a non-root user perform a write over NFS-mounted /home
+    #shellcheck disable=SC2016
     su -c 'snap run test-snapd-sh.with-home-plug -c "touch \$SNAP_USER_DATA/smoke-nfs4"' test
 
     # Unmount /home and restart snapd so that we can check another thing.
     umount /home
-    systemctl restart snapd
+    restart_snapd
 
     # Ensure that this removed the extra permissions.
     ensure_normal_perms
@@ -100,24 +182,5 @@
     # Note that at this time /home is not mounted as NFS yet but the mere
     # presence of the entry in /etc/fstab is sufficient to grant extra
     # permissions.
-    systemctl restart snapd
+    restart_snapd
     ensure_extra_perms
-restore: |
-    . "$TESTSLIB/pkgdb.sh"
-
-    # Unmount NFS mount over /home if one exists.
-    umount /home || true
-
-    # Restore the fstab backup file if one exists.
-    if [ -e fstab.orig ]; then
-        mv fstab.orig /etc/fstab
-    fi
-
-    # Remove the NFS server and its configuration data.
-    rm -f /etc/exports.d/test.exports
-    rm -f -d /etc/exports.d
-    exportfs -r
-    distro_purge_package nfs-kernel-server bsdgames
-
-    # Restart snapd in to ensure it doesn't know about NFS anymore.
-    systemctl restart snapd.service
diff -Nru snapd-2.32.3.2~14.04/tests/main/op-install-failed-undone/task.yaml snapd-2.37~rc1~14.04/tests/main/op-install-failed-undone/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/op-install-failed-undone/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/op-install-failed-undone/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,25 +1,28 @@
 summary: Check that all tasks of a failed installtion are undone
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 restore: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     rm -rf $SNAP_MOUNT_DIR/test-snapd-tools
 
 execute: |
     check_empty_glob(){
         local base_path=$1
         local glob=$2
-        [ $(find $base_path -maxdepth 1 -name "$glob" | wc -l) -eq 0 ]
+        [ "$(find "$base_path" -maxdepth 1 -name "$glob" | wc -l)" -eq 0 ]
     }
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "Given we make a snap uninstallable"
     mkdir -p $SNAP_MOUNT_DIR/test-snapd-tools/current/foo
 
     echo "And we try to install it"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     if install_local test-snapd-tools; then
         echo "A snap shouldn't be installable if its mount point is busy"
         exit 1
@@ -30,23 +33,23 @@
 
     echo "And the installation task is reported as an error"
     failed_task_id=$(snap changes | perl -ne 'print $1 if /(\d+) +Error.*?Install \"test-snapd-tools\" snap/')
-    if [ -z $failed_task_id ]; then
+    if [ -z "$failed_task_id" ]; then
         echo "Installation task should be reported as error"
         exit 1
     fi
 
     echo "And the Mount subtask is actually undone"
-    snap change $failed_task_id | grep -Pq "Undone +.*?Mount snap \"test-snapd-tools\""
+    snap change "$failed_task_id" | grep -Pq "Undone +.*?Mount snap \"test-snapd-tools\""
     check_empty_glob $SNAP_MOUNT_DIR/test-snapd-tools [0-9]+
     check_empty_glob /var/lib/snapd/snaps test-snapd-tools_[0-9]+.snap
 
     echo "And the Data Copy subtask is actually undone"
-    snap change $failed_task_id | grep -Pq "Undone +.*?Copy snap \"test-snapd-tools\" data"
-    check_empty_glob $HOME/snap/test-snapd-tools [0-9]+
+    snap change "$failed_task_id" | grep -Pq "Undone +.*?Copy snap \"test-snapd-tools\" data"
+    check_empty_glob "$HOME"/snap/test-snapd-tools [0-9]+
     check_empty_glob /var/snap/test-snapd-tools [0-9]+
 
     echo "And the Security Profiles Setup subtask is actually undone"
-    snap change $failed_task_id | grep -Pq "Undone +.*?Setup snap \"test-snapd-tools\" \(unset\) security profiles"
+    snap change "$failed_task_id" | grep -Pq 'Undone +.*?Setup snap "test-snapd-tools" \(unset\) security profiles'
     check_empty_glob /var/lib/snapd/apparmor/profiles snap.test-snapd-tools.*
     check_empty_glob /var/lib/snapd/seccomp/bpf snap.test-snapd-tools.*
     check_empty_glob /etc/dbus-1/system.d snap.test-snapd-tools.*.conf
diff -Nru snapd-2.32.3.2~14.04/tests/main/op-remove/task.yaml snapd-2.37~rc1~14.04/tests/main/op-remove/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/op-remove/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/op-remove/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,28 +5,40 @@
     rm -f stderr.out
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     snap_revisions(){
         local snap_name=$1
-        echo -n $(find $SNAP_MOUNT_DIR/"$snap_name"/ -maxdepth 1 -type d -name "x*" | wc -l)
+        echo -n "$(find "$SNAP_MOUNT_DIR/$snap_name/" -maxdepth 1 -type d -name "x*" | wc -l)"
     }
 
     echo "Given two revisions of a snap have been installed"
-    snap pack $TESTSLIB/snaps/basic
+    snap pack "$TESTSLIB"/snaps/basic
     snap install --dangerous basic_1.0_all.snap
     snap install --dangerous basic_1.0_all.snap
 
     echo "Then the two revisions are available on disk"
-    [ $(snap_revisions basic) = "2" ]
+    [ "$(snap_revisions basic)" = "2" ]
 
     echo "When the snap is removed"
     snap remove basic
 
     echo "Then the two revisions are removed from disk"
-    [ $(snap_revisions basic) = "0" ]
+    [ "$(snap_revisions basic)" = "0" ]
 
     echo "When the snap is removed again, snap exits with status 0"
     snap remove basic 2> stderr.out
-    cat stderr.out | MATCH 'snap "basic" is not installed'
+    MATCH 'snap "basic" is not installed' < stderr.out
 
+
+    echo "Install a snap that uses a base"
+    # test-snapd-busybox-static uses test-snapd-base-bare
+    snap install test-snapd-busybox-static
+    snap list | MATCH test-snapd-base-bare
+    if snap remove test-snapd-base-bare; then
+        echo "test-snapd-base-bare should not be removable because test-snapd-busybox-static needs it"
+        exit 1
+    fi
+    snap remove test-snapd-busybox-static
+    snap remove test-snapd-base-bare
diff -Nru snapd-2.32.3.2~14.04/tests/main/op-remove-retry/task.yaml snapd-2.37~rc1~14.04/tests/main/op-remove-retry/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/op-remove-retry/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/op-remove-retry/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,10 +10,12 @@
         while ! snap changes | grep -Pq "$expected"; do sleep 1; done
     }
 
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
 
     echo "Given a snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
     echo "And its mount point is kept busy"
@@ -23,7 +25,7 @@
     MARKER=/var/snap/test-snapd-tools/current/block-running
     rm -f $MARKER
 
-    systemd_create_and_start_unit unmount-blocker "$(which test-snapd-tools.block)"
+    systemd_create_and_start_unit unmount-blocker "$(command -v test-snapd-tools.block)"
 
     wait_for_service unmount-blocker active
     while [ ! -f $MARKER ]; do sleep 1; done
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-aliases/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-aliases/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-aliases/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-aliases/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,81 @@
+summary: Check snap alias and snap unalias across different instances of the same snap
+
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
+    snap set system experimental.parallel-instances=true
+
+    install_local aliases
+    install_local_as aliases aliases_foo
+
+restore: |
+    snap set system experimental.parallel-instances=null
+    rm -f aliases.out
+
+execute: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB/dirs.sh"
+
+    echo "Create manual aliases"
+    snap alias aliases.cmd1 alias1|MATCH ".*- aliases.cmd1 as alias1.*"
+    snap alias aliases.cmd2 alias2
+
+    echo "Test the aliases"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/alias1)" = "aliases.cmd1"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/alias2)" = "aliases.cmd2"
+    alias1|MATCH "ok command 1"
+    alias2|MATCH "ok command 2"
+
+    echo "Attempting to create the same aliases for aliases_foo should conflict"
+    ! snap alias aliases_foo.cmd1 alias1
+    snap change --last=alias | MATCH 'cannot enable alias "alias1" for "aliases_foo", already enabled for "aliases"'
+    ! snap alias aliases_foo.cmd2 alias2
+    snap change --last=alias | MATCH 'cannot enable alias "alias2" for "aliases_foo", already enabled for "aliases"'
+
+    echo "Check listing"
+    snap aliases > aliases.out
+    MATCH "aliases.cmd1 +alias1 +manual" < aliases.out
+    MATCH "aliases.cmd2 +alias2 +manual" < aliases.out
+    ! MATCH aliases_foo                  < aliases.out
+
+    echo "Disable one alias for aliases snap"
+    snap unalias alias2|MATCH ".*- aliases.cmd2 as alias2.*"
+
+    echo "Creating an alias for aliases_foo should work now"
+    snap alias aliases_foo.cmd2 alias2
+
+    echo "The symlinks should be updated and pointing to the right snaps"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/alias1)" = "aliases.cmd1"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/alias2)" = "aliases_foo.cmd2"
+
+    # sanity check if apps can still be run
+    alias1|MATCH "ok command 1"
+    alias2|MATCH "ok command 2"
+
+    echo "Listing should show both snaps having aliases"
+    snap aliases > aliases.out
+    MATCH "aliases.cmd1 +alias1 +manual"     < aliases.out
+    MATCH "aliases_foo.cmd2 +alias2 +manual" < aliases.out
+
+    echo "Disable all aliases of aliases snap"
+    snap unalias aliases|MATCH ".*- aliases.cmd1 as alias1*"
+    test ! -h "$SNAP_MOUNT_DIR"/bin/alias1
+
+    echo "Aliases of aliases_foo remain unchanged"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/alias2)" = "aliases_foo.cmd2"
+    snap aliases | MATCH "aliases_foo.cmd2 +alias2 +manual"
+
+    echo "Recreate an alias1 for aliases snap"
+    snap alias aliases.cmd1 alias1
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/alias1)" = "aliases.cmd1"
+
+    echo "Removing the aliases snap should remove its aliases"
+    snap remove aliases
+    test ! -e "$SNAP_MOUNT_DIR/bin/alias1"
+
+    echo "Aliases of aliases_foo remain unchanged"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/alias2)" = "aliases_foo.cmd2"
+
+    snap remove aliases_foo
+    test ! -e "$SNAP_MOUNT_DIR/bin/alias2"
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-auto-aliases/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-auto-aliases/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-auto-aliases/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-auto-aliases/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,90 @@
+summary: Check auto-aliases mechanism across different instances of the same snap
+
+prepare: |
+    snap set system experimental.parallel-instances=true
+
+restore: |
+    snap set system experimental.parallel-instances=null
+    rm -f ./*.snap
+    rm -f aliases.out
+
+execute: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB/dirs.sh"
+
+    echo "Install the snap with auto-aliases"
+    snap install test-snapd-auto-aliases
+
+    echo "Test the auto-aliases"
+    test -h "$SNAP_MOUNT_DIR/bin/test_snapd_wellknown1"
+    test -h "$SNAP_MOUNT_DIR/bin/test_snapd_wellknown2"
+    test_snapd_wellknown1|MATCH "ok wellknown 1"
+    test_snapd_wellknown2|MATCH "ok wellknown 2"
+
+    # TODO parallel-install: due to store not supporting actions when more than
+    # one snap with given snap ID is sent in the request, use a workaround and
+    # install the snap directly from the file, but still let snapd fetch the
+    # assertions from the store, leave a canary to catch when the store starts
+    # supporting parallel installations
+    ! snap install test-snapd-auto-aliases_foo
+
+    fname=$(find /var/lib/snapd/snaps -name 'test-snapd-auto-aliases*.snap')
+    test "$(echo "$fname" | wc -l)" = "1"
+    # make a copy, we'll remove the snap later on
+    cp "$fname" .
+    name="$(basename "$fname")"
+
+    snap install --unaliased --name test-snapd-auto-aliases_foo "$name"
+
+    # aliases are unchanged
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown1)" = "test-snapd-auto-aliases.wellknown1"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown2)" = "test-snapd-auto-aliases.wellknown2"
+
+    echo "When test-snapd-auto-aliases_foo is preferred"
+    snap prefer test-snapd-auto-aliases_foo
+
+    echo "The symlinks should be updated accordingly"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown1)" = "test-snapd-auto-aliases_foo.wellknown1"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown2)" = "test-snapd-auto-aliases_foo.wellknown2"
+
+    echo "And so is the list of aliases"
+    snap aliases > aliases.out
+    MATCH "test-snapd-auto-aliases_foo.wellknown1 +test_snapd_wellknown1 +-"    < aliases.out
+    MATCH "test-snapd-auto-aliases_foo.wellknown2 +test_snapd_wellknown2 +-"    < aliases.out
+    MATCH "test-snapd-auto-aliases.wellknown1 +test_snapd_wellknown1 +disabled" < aliases.out
+    MATCH "test-snapd-auto-aliases.wellknown2 +test_snapd_wellknown2 +disabled" < aliases.out
+
+    echo "Removing the snap should remove the aliases"
+    snap remove test-snapd-auto-aliases_foo
+    test ! -e "$SNAP_MOUNT_DIR/bin/test_snapd_wellknown1"
+    test ! -e "$SNAP_MOUNT_DIR/bin/test_snapd_wellknown2"
+    snap aliases > aliases.out
+    # test-snapd-auto-aliases_foo instance aliases are no more
+    ! MATCH "test-snapd-auto-aliases_foo.wellknown1 +test_snapd_wellknown1"       < aliases.out
+    ! MATCH "test-snapd-auto-aliases_foo.wellknown2 +test_snapd_wellknown2"       < aliases.out
+    # test-snapd-auto-aliases aliases are still disabled
+    MATCH "test-snapd-auto-aliases.wellknown1 +test_snapd_wellknown1 +disabled" < aliases.out
+    MATCH "test-snapd-auto-aliases.wellknown2 +test_snapd_wellknown2 +disabled" < aliases.out
+
+    echo "Switching back to test-snapd-auto-aliases"
+    snap prefer test-snapd-auto-aliases
+    echo "... they are created once again"
+    snap aliases|MATCH "test-snapd-auto-aliases.wellknown1 +test_snapd_wellknown1 +-"
+    snap aliases|MATCH "test-snapd-auto-aliases.wellknown2 +test_snapd_wellknown2 +-"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown1)" = "test-snapd-auto-aliases.wellknown1"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown2)" = "test-snapd-auto-aliases.wellknown2"
+
+    # clean slate
+    snap remove test-snapd-auto-aliases
+
+    echo "When test-snapd-auto-aliases_foo is installed"
+    snap install test-snapd-auto-aliases_foo
+
+    echo "Installing test-snapd-auto-aliases will conflict"
+    # TODO parallel-install: need to install using file
+    ! snap install "$name"
+    snap change --last=install | MATCH 'cannot enable aliases .* for "test-snapd-auto-aliases", already enabled for "test-snapd-auto-aliases_foo"'
+
+    # make sure that symlinks are in place
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown1)" = "test-snapd-auto-aliases_foo.wellknown1"
+    test "$(readlink "$SNAP_MOUNT_DIR"/bin/test_snapd_wellknown2)" = "test-snapd-auto-aliases_foo.wellknown2"
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-basic/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-basic/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-basic/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-basic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,85 @@
+summary: Checks for parallel installation of a local snap files
+
+prepare: |
+    # ensure we have no snap user data directory yet
+    rm -rf /home/test/snap
+    rm -rf /var/snap/test-snapd-tools /var/snap/test-snapd-tools_foo
+
+    snap set system experimental.parallel-instances=true
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    install_local test-snapd-tools
+    install_local_as test-snapd-tools test-snapd-tools_foo
+
+    su -l -c '! test -d ~/snap/test-snapd-tools' test
+    su -l -c '! test -d ~/snap/test-snapd-tools_foo' test
+
+    su -l -c 'test-snapd-tools_foo.cmd echo foo' test | MATCH foo
+    su -l -c 'test -d ~/snap/test-snapd-tools' test
+    su -l -c 'test -d ~/snap/test-snapd-tools_foo' test
+
+    # instance environment variables are correctly set up
+    su -l -c 'test-snapd-tools_foo.env' test > snap_foo-env.txt
+    MATCH 'SNAP_INSTANCE_NAME=test-snapd-tools_foo'                      < snap_foo-env.txt
+    MATCH 'SNAP_NAME=test-snapd-tools'                                   < snap_foo-env.txt
+    MATCH 'SNAP_INSTANCE_KEY=foo'                                        < snap_foo-env.txt
+    MATCH 'SNAP=/snap/test-snapd-tools/x1'                               < snap_foo-env.txt
+    MATCH 'SNAP_COMMON=/var/snap/test-snapd-tools/common'                < snap_foo-env.txt
+    MATCH 'SNAP_DATA=/var/snap/test-snapd-tools/x1'                      < snap_foo-env.txt
+    MATCH 'SNAP_USER_DATA=/home/test/snap/test-snapd-tools_foo/x1'       < snap_foo-env.txt
+    MATCH 'SNAP_USER_COMMON=/home/test/snap/test-snapd-tools_foo/common' < snap_foo-env.txt
+
+    # and non-instance one's are too
+    su -l -c 'test-snapd-tools.env' test > snap-env.txt
+    MATCH 'SNAP_INSTANCE_NAME=test-snapd-tools'           < snap-env.txt
+    MATCH 'SNAP_NAME=test-snapd-tools'                    < snap-env.txt
+    MATCH 'SNAP_INSTANCE_KEY=$'                           < snap-env.txt
+    MATCH 'SNAP=/snap/test-snapd-tools/x1'                < snap-env.txt
+
+    mkdir /var/snap/test-snapd-tools_foo/common/foobar
+    echo canary-instance > /var/snap/test-snapd-tools_foo/common/foobar/data
+    chown -R test:test /var/snap/test-snapd-tools_foo/common/foobar
+
+    mkdir /var/snap/test-snapd-tools/common/foobar
+    echo canary-regular > /var/snap/test-snapd-tools/common/foobar/data
+    chown -R test:test /var/snap/test-snapd-tools/common/foobar
+
+    echo "Make sure snap data writes and reads work"
+
+    # instance can access its data
+    su -l -c "test-snapd-tools_foo.cmd sh -c 'cat \$SNAP_COMMON/foobar/data'" test | MATCH canary-instance
+    # non-instance sees its data
+    su -l -c "test-snapd-tools.cmd sh -c 'cat \$SNAP_COMMON/foobar/data'" test | MATCH canary-regular
+
+    # instance can write data
+    su -l -c "test-snapd-tools_foo.cmd sh -c 'echo hello from instance \$SNAP_INSTANCE_NAME > \$SNAP_COMMON/foobar/hello'" test
+    MATCH 'hello from instance test-snapd-tools_foo' < /var/snap/test-snapd-tools_foo/common/foobar/hello
+    # and the file is not visible in non instance snap
+    su -l -c "test-snapd-tools.cmd sh -c 'cat \$SNAP_COMMON/foobar/hello || true'" test 2>&1 | MATCH 'cat: /var/snap/test-snapd-tools/common/foobar/hello: No such file or directory'
+
+    echo "Make sure snap user data writes work"
+    echo canary-instance-snap > /home/test/snap/test-snapd-tools_foo/x1/canary
+    chown test:test /home/test/snap/test-snapd-tools_foo/x1/canary
+    echo canary-instance-common > /home/test/snap/test-snapd-tools_foo/common/canary
+    chown test:test /home/test/snap/test-snapd-tools_foo/common/canary
+
+    # instance snap can write to user data
+    su -l -c "test-snapd-tools_foo.cmd sh -c 'echo hello user data from \$SNAP_INSTANCE_NAME > \$SNAP_USER_DATA/data'" test
+    MATCH 'hello user data from test-snapd-tools_foo' < /home/test/snap/test-snapd-tools_foo/x1/data
+    # the file not present in non-instance snap data
+    ! test -f /home/test/snap/test-snapd-tools/x1/data
+
+    # instance snap can write to common user data
+    su -l -c "test-snapd-tools_foo.cmd sh -c 'echo hello user data from \$SNAP_INSTANCE_NAME > \$SNAP_USER_COMMON/data'" test
+    MATCH 'hello user data from test-snapd-tools_foo' < /home/test/snap/test-snapd-tools_foo/common/data
+    # the file not present in non-instance snap data
+    ! test -f /home/test/snap/test-snapd-tools/common/data
+
+    su -l -c "test-snapd-tools_foo.cmd sh -c 'cat \$SNAP_USER_COMMON/canary'" test | MATCH canary-instance-common
+    su -l -c "test-snapd-tools_foo.cmd sh -c 'cat \$SNAP_USER_DATA/canary'" test | MATCH canary-instance-snap
+
+restore:
+    snap set system experimental.parallel-instances=null
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-common-dirs/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-common-dirs/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-common-dirs/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-common-dirs/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,84 @@
+summary: Checks handling of common snap directories of parallel installed snaps
+
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
+
+prepare: |
+    snap set system experimental.parallel-instances=true
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    echo "Install a snap with instance key set"
+    install_local_as test-snapd-tools test-snapd-tools_foo
+
+    # foo instance directories are present
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools_foo"
+    test -d "/var/snap/test-snapd-tools_foo"
+
+    # and so are the common directories
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+    test -d "/var/snap/test-snapd-tools"
+
+    # get another revision of test-snapd-tools_foo
+    install_local_as test-snapd-tools test-snapd-tools_foo
+
+    # install instance-key-less snap
+    install_local test-snapd-tools
+
+    # and a bar instance
+    install_local_as test-snapd-tools test-snapd-tools_bar
+    # bar instance directories are present
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools_bar"
+    test -d "/var/snap/test-snapd-tools_bar"
+
+    # remove foo instance, rev x1
+    snap remove --revision=x1 test-snapd-tools_foo
+    # foo instance directories are present
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools_foo"
+    test -d "/var/snap/test-snapd-tools_foo"
+    # and so are the common directories, required by other revision of foo
+    # instance and other snaps
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+    test -d "/var/snap/test-snapd-tools"
+
+    # remove foo instance snap
+    snap remove test-snapd-tools_foo
+    # foo instance directories should be gone now
+    ! test -d "$SNAP_MOUNT_DIR/test-snapd-tools_foo"
+    ! test -d "/var/snap/test-snapd-tools_foo"
+    # common directories are still around, required by test-snapd-tools and
+    # test-snapd-tools_bar
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+    test -d "/var/snap/test-snapd-tools"
+
+    # remove instance-key-less one
+    snap remove test-snapd-tools
+    # common directories are still around, required by test-snapd-tools_bar
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+    test -d "/var/snap/test-snapd-tools"
+
+    # remove bar instance
+    snap remove test-snapd-tools_bar
+    ! test -d "$SNAP_MOUNT_DIR/test-snapd-tools_bar"
+    ! test -d "/var/snap/test-snapd-tools_bar"
+
+    # common directors should be gone now too
+    ! test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+    ! test -d "/var/snap/test-snapd-tools"
+
+    # make sure that the sole snap without instance key is handled correctly too
+    install_local test-snapd-tools
+    # another revision
+    install_local test-snapd-tools
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+    test -d "/var/snap/test-snapd-tools"
+    snap remove test-snapd-tools
+    ! test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+    ! test -d "/var/snap/test-snapd-tools"
+
+restore:
+    snap set system experimental.parallel-instances=null
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-common-dirs-undo/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-common-dirs-undo/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-common-dirs-undo/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-common-dirs-undo/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,37 @@
+summary: Checks handling of common snap directories of parallel installed snaps
+
+prepare: |
+    snap set system experimental.parallel-instances=true
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    # the snap is named 'test-snapd-service'
+    path="$(make_snap test-snapd-service-v2-bad)"
+    test -n "$path"
+
+    echo "Given a snap that fails to install"
+    ! snap install --dangerous "$path"
+    snap change --last=install | MATCH 'Error.*Start snap "test-snapd-service" \(unset\) services'
+
+    echo "Shared snap directories are cleaned up in undo"
+    ! test -d "$SNAP_MOUNT_DIR/test-snapd-service"
+    ! test -d "/var/snap/test-snapd-service"
+
+    echo "Given a snap with instance key foo that fails to install"
+    ! snap install --dangerous --name test-snapd-service_foo "$path"
+    snap change --last=install | MATCH 'Error.*Start snap "test-snapd-service_foo" \(unset\) services'
+
+    echo "Instance foo directories are cleaned up"
+    ! test -d "$SNAP_MOUNT_DIR/test-snapd-service_foo"
+    ! test -d "/var/snap/test-snapd-service_foo"
+
+    echo "Shared snap directories are cleaned up as well"
+    ! test -d "$SNAP_MOUNT_DIR/test-snapd-service"
+    ! test -d "/var/snap/test-snapd-service"
+
+restore:
+    snap set system experimental.parallel-instances=null
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-desktop/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-desktop/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-desktop/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-desktop/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,44 @@
+summary: Checks for parallel installation of sideloaded snaps containing desktop applications
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    echo "Sideload the regular snap"
+    install_local basic-desktop
+
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    snap set system experimental.parallel-instances=true
+
+    for instance in foo longname; do
+        echo "Sideload same snap as different instance named basic-desktop+$instance"
+        expected="^basic-desktop_$instance 1.0 installed\$"
+        install_local_as basic-desktop "basic-desktop_$instance" | MATCH "$expected"
+
+        diff -u <(head -n4 "/var/lib/snapd/desktop/applications/basic-desktop+${instance}_echo.desktop") - <<-EOF
+    [Desktop Entry]
+    Name=Echo
+    Comment=It echos stuff
+    Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/basic-desktop+${instance}_echo.desktop $SNAP_MOUNT_DIR/bin/basic-desktop_$instance.echo
+    EOF
+
+        test -d "$SNAP_MOUNT_DIR/basic-desktop_$instance/x1"
+    done
+
+    echo "All snaps are listed"
+    snap list | MATCH '^basic-desktop '
+    snap list | MATCH '^basic-desktop_foo '
+    snap list | MATCH '^basic-desktop_longname '
+
+    echo "Removing one instance does not remove other instances' data"
+    snap remove basic-desktop_foo
+    test -f /var/lib/snapd/desktop/applications/basic-desktop+longname_echo.desktop
+    test -f /var/lib/snapd/desktop/applications/basic-desktop_echo.desktop
+
+    snap remove basic-desktop
+    test -f /var/lib/snapd/desktop/applications/basic-desktop+longname_echo.desktop
+
+restore:
+    snap set system experimental.parallel-instances=null
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-interfaces/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-interfaces/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-interfaces/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-interfaces/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,71 @@
+summary: Check that snap connect with parallel installs works
+
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
+
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    snap set system experimental.parallel-instances=true
+
+    echo "Install test snaps"
+    install_local home-consumer
+    install_local_as home-consumer home-consumer_foo
+
+    # the home interface is not autoconnected on all-snap systems
+    if [[ ! "$SPREAD_SYSTEM" == ubuntu-core-* ]]; then
+        snap disconnect home-consumer:home
+        snap disconnect home-consumer_foo:home
+    fi
+
+restore: |
+    snap set system experimental.parallel-instances=null
+
+execute: |
+    echo "The plug can be connected to a matching slot of OS snap without snap:slot argument"
+    snap connect home-consumer:home
+    snap interfaces | MATCH ':home .*home-consumer$'
+    snap tasks --last=connect| MATCH "Connect home-consumer:home to (core|snapd):home"
+
+    echo "Instance snap plug can be connected as well"
+    snap connect home-consumer_foo:home
+    snap interfaces | MATCH ':home .*home-consumer_foo$'
+    snap tasks --last=connect| MATCH "Connect home-consumer_foo:home to (core|snapd):home"
+
+    echo "When non-instance snap plug is disconnected"
+    snap disconnect home-consumer:home
+    snap tasks --last=disconnect| MATCH "Disconnect home-consumer:home from (core|snapd):home"
+
+    echo "The instance snap plug remains connected"
+    snap interfaces | MATCH ':home .*home-consumer_foo$'
+
+    snap disconnect home-consumer_foo:home
+    snap tasks --last=disconnect| MATCH "Disconnect home-consumer_foo:home from (core|snapd):home"
+
+    # NOTE: Those only work when installed from the store as otherwise we don't
+    # have snap declaration assertion and cannot check if a given connection
+    # should be allowed.
+    CONTENT_CONNECTED_PATTERN='test-snapd-content-slot:shared-content-slot +test-snapd-content-plug_foo:shared-content-plug'
+
+    echo "The plug side auto-connects when content is installed"
+    snap install --edge test-snapd-content-slot
+    snap install --edge test-snapd-content-plug_foo
+
+    snap tasks --last=install| MATCH "Mount snap \"test-snapd-content-plug_foo\""
+
+    snap interfaces | MATCH "$CONTENT_CONNECTED_PATTERN"
+
+    # Remove the content snaps so that we can reinstall them the other way around
+    snap remove test-snapd-content-plug_foo
+    snap remove test-snapd-content-slot
+
+    echo "The slot side auto-connects when content snap is installed"
+    snap install --edge test-snapd-content-plug_foo
+    # test-snapd-content-slot is installed as a dependency
+    # snap install --edge test-snapd-content-slot
+    snap interfaces | MATCH "$CONTENT_CONNECTED_PATTERN"
+    echo "The interface is disconnected when content snap provider is removed"
+    snap remove test-snapd-content-slot
+
+    snap interfaces | MATCH -- '^-\s+test-snapd-content-plug_foo:shared-content-plug$'
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-interfaces-content/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-interfaces-content/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-interfaces-content/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-interfaces-content/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,77 @@
+summary: check that content interface works with parallel instances
+
+# takes >1.5min to run in total
+backends: [-autopkgtest]
+
+details: |
+    Use the content interface along with parallel instances of snaps. Verify
+    that the content is made available to each snap instance when connected.
+    Make sure that data access works.
+
+environment:
+    VAR/data: SNAP_DATA
+    VAR/common: SNAP_COMMON
+    VAR/snap: SNAP
+    CONTENT/data: data
+    CONTENT/common: common
+    CONTENT/snap: snap
+
+prepare: |
+    snap set system experimental.parallel-instances=true
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    install_local test-snapd-content-advanced-slot
+
+    install_local test-snapd-content-advanced-plug
+    install_local_as test-snapd-content-advanced-plug test-snapd-content-advanced-plug_foo
+    install_local_as test-snapd-content-advanced-plug test-snapd-content-advanced-plug_bar
+
+    test-snapd-content-advanced-plug.sh -c "$(printf 'test ! -e $%s/target' "$VAR")"
+
+    # connect one of the instances
+    snap connect "test-snapd-content-advanced-plug_foo:$CONTENT" "test-snapd-content-advanced-slot:$CONTENT"
+
+    # the target directory must exist in this instance only
+    test-snapd-content-advanced-plug_foo.sh -c "$(printf 'test -d $%s/target' "$VAR")"
+    test-snapd-content-advanced-plug.sh     -c "$(printf 'test ! -e $%s/target' "$VAR")"
+    test-snapd-content-advanced-plug_bar.sh -c "$(printf 'test ! -e $%s/target' "$VAR")"
+    # and the source directory exists too
+    test-snapd-content-advanced-slot.sh     -c "$(printf 'test -d $%s/source' "$VAR")"
+
+    # connect the rest
+    snap connect "test-snapd-content-advanced-plug:$CONTENT" "test-snapd-content-advanced-slot:$CONTENT"
+    snap connect "test-snapd-content-advanced-plug_bar:$CONTENT" "test-snapd-content-advanced-slot:$CONTENT"
+
+    if [[ "$VAR" != "SNAP" ]]; then
+        # write some test data in one of the instances
+        # shellcheck disable=SC2016
+        test-snapd-content-advanced-plug_bar.sh -c "$(printf 'echo hello from $SNAP_INSTANCE_NAME >> $%s/target/canary' "$VAR")"
+        # should be visible in the other one now
+        test-snapd-content-advanced-plug_foo.sh -c "$(printf 'cat $%s/target/canary' "$VAR")" | MATCH 'hello from test-snapd-content-advanced-plug_bar'
+        # some more data
+        # shellcheck disable=SC2016
+        test-snapd-content-advanced-plug_foo.sh -c "$(printf 'echo hello from $SNAP_INSTANCE_NAME >> $%s/target/canary' "$VAR")"
+        # all of it is visible
+        test-snapd-content-advanced-plug.sh     -c "$(printf 'cat $%s/target/canary' "$VAR")" | MATCH 'hello from test-snapd-content-advanced-plug_bar
+    hello from test-snapd-content-advanced-plug_foo'
+
+        test-snapd-content-advanced-slot.sh     -c "$(printf 'cat $%s/source/canary' "$VAR")" | MATCH 'hello from test-snapd-content-advanced-plug_bar
+    hello from test-snapd-content-advanced-plug_foo'
+
+    else
+        test-snapd-content-advanced-plug_foo.sh -c "$(printf 'cat $%s/target/canary' "$VAR")" | MATCH 'just some data'
+        test-snapd-content-advanced-plug_bar.sh -c "$(printf 'cat $%s/target/canary' "$VAR")" | MATCH 'just some data'
+        test-snapd-content-advanced-plug.sh     -c "$(printf 'cat $%s/target/canary' "$VAR")" | MATCH 'just some data'
+    fi
+
+    # when the interface is disconnected
+    snap disconnect "test-snapd-content-advanced-plug:$CONTENT" "test-snapd-content-advanced-slot:$CONTENT"
+    snap disconnect "test-snapd-content-advanced-plug_bar:$CONTENT" "test-snapd-content-advanced-slot:$CONTENT"
+    snap disconnect "test-snapd-content-advanced-plug_foo:$CONTENT" "test-snapd-content-advanced-slot:$CONTENT"
+    # the content is not visible anymore
+    test-snapd-content-advanced-plug_bar.sh -c "$(printf 'test ! -e $%s/target/canary' "$VAR")"
+    test-snapd-content-advanced-plug_foo.sh -c "$(printf 'test ! -e $%s/target/canary' "$VAR")"
+    test-snapd-content-advanced-plug.sh     -c "$(printf 'test ! -e $%s/target/canary' "$VAR")"
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-layout/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-layout/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-layout/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-layout/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,86 @@
+summary: Ensure that snap layouts work with parallel installed snaps
+details: |
+    This test installs a test snap that uses layout declarations. The snap is
+    installed under its regular name as well as a parallel instance. The test
+    verifies that the layout requested by snap works and operates only on the
+    data owned by given snap instance.
+
+prepare: |
+    echo "Ensure feature flags are enabled"
+    snap set system experimental.parallel-instances=true
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    echo "Install the regular snap"
+    install_local test-snapd-layout
+
+    echo "Sideload the parallel installed snap"
+    install_local_as test-snapd-layout test-snapd-layout_foo
+
+    for name in test-snapd-layout test-snapd-layout_foo; do
+        # workaround trespassing bug
+        rm -rf /etc/demo /etc/demo.conf /etc/demo.cfg
+
+        echo "snap declaring layouts doesn't explode on startup"
+        $name.sh -c "true"
+
+        echo "layout declarations are honored"
+
+        $name.sh -c "test -d /etc/demo"
+        $name.sh -c "test -f /etc/demo.conf"
+        $name.sh -c "test -h /etc/demo.cfg"
+        #shellcheck disable=SC2016
+        test "$($name.sh -c "readlink /etc/demo.cfg")" = "$($name.sh -c 'echo /var/snap/$SNAP_NAME/common/etc/demo.conf')"
+        $name.sh -c "test -d /usr/share/demo"
+        $name.sh -c "test -d /var/lib/demo"
+        $name.sh -c "test -d /var/cache/demo"
+        $name.sh -c "test -d /opt/demo"
+        $name.sh -c "test -d /bin/very/weird/place"
+        # Ideally we'd perform this test but the rsyslog directory has mode 700 and user mode 108:4
+        # test-snapd-layout.sh -c "test -d /var/spool/rsyslog/demo"
+
+        echo "layout locations pointing to SNAP_DATA and SNAP_COMMON of $name are writable"
+        echo "and the writes go to the right place in the backing store"
+
+        $name.sh -c "echo $name foo-1 > /etc/demo/writable"
+        #shellcheck disable=SC2016
+        $name.sh -c 'cat $SNAP_COMMON/etc/demo/writable' | MATCH "$name foo-1"
+
+        $name.sh -c "echo $name foo-2 > /etc/demo.conf"
+        #shellcheck disable=SC2016
+        $name.sh -c 'cat $SNAP_COMMON/etc/demo.conf' | MATCH "$name foo-2"
+
+        # NOTE: this is a symlink to demo.conf, effectively
+        $name.sh -c "echo $name foo-3 > /etc/demo.cfg"
+        #shellcheck disable=SC2016
+        $name.sh -c 'cat $SNAP_COMMON/etc/demo.conf' | MATCH "$name foo-3"
+
+        $name.sh -c "echo $name foo-4 > /var/lib/demo/writable"
+        #shellcheck disable=SC2016
+        $name.sh -c 'cat $SNAP_DATA/var/lib/demo/writable' | MATCH "$name foo-4"
+
+        $name.sh -c "echo $name foo-5 > /var/cache/demo/writable"
+        #shellcheck disable=SC2016
+        $name.sh -c 'cat $SNAP_DATA/var/cache/demo/writable' | MATCH "$name foo-5"
+
+        echo "layout locations pointing to $name \$SNAP are readable"
+
+        $name.sh -c "test -r /usr/share/demo/file"
+        $name.sh -c "test -r /opt/demo/file"
+
+        echo "layout locations in dynamically created $name \$SNAP directories are writable"
+        # shellcheck disable=SC2016
+        $name.sh -c 'test -w $SNAP/bin/very/weird/place'
+        $name.sh -c 'test -w /bin/very/weird/place'
+    done
+
+    echo "verify snap data is correct on the outside of snap mount namespace"
+    for name in test-snapd-layout test-snapd-layout_foo; do
+        MATCH "$name foo-1" < "/var/snap/$name/common/etc/demo/writable"
+        # demo.cfg was a symlink to demo.conf
+        MATCH "$name foo-3" < "/var/snap/$name/common/etc/demo.conf"
+        MATCH "$name foo-4" < "/var/snap/$name/x1/var/lib/demo/writable"
+        MATCH "$name foo-5" < "/var/snap/$name/x1/var/cache/demo/writable"
+    done
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-local/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-local/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-local/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-local/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,45 @@
+summary: Checks parallel installation of snaps from local files
+
+restore: |
+    snap set system experimental.parallel-instances=null
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    echo "Install the regular snap"
+    install_local test-snapd-tools
+
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    ! install_local_as test-snapd-tools test-snapd-tools_foo 2> run.err
+    MATCH 'experimental feature disabled' < run.err
+
+    snap set system experimental.parallel-instances=true
+
+    for instance in foo longname; do
+        echo "Install snap instance named test-snapd-tools_$instance"
+        expected="^test-snapd-tools_$instance 1.0 installed\$"
+        install_local_as test-snapd-tools "test-snapd-tools_$instance" | MATCH "$expected"
+
+        test -d "$SNAP_MOUNT_DIR/test-snapd-tools_$instance/x1"
+
+        #shellcheck disable=SC2016
+        "test-snapd-tools_$instance.cmd" sh -c 'echo hello data from $SNAP_INSTANCE_NAME > $SNAP_DATA/data'
+        MATCH "hello data from test-snapd-tools_$instance" < "/var/snap/test-snapd-tools_$instance/x1/data"
+
+        su -l -c "test-snapd-tools_$instance.cmd sh -c 'echo hello user data from \$SNAP_INSTANCE_NAME > \$SNAP_USER_DATA/data'" test
+        MATCH "hello user data from test-snapd-tools_$instance" < "/home/test/snap/test-snapd-tools_$instance/x1/data"
+    done
+
+    echo "All snaps are listed"
+    snap list | MATCH '^test-snapd-tools '
+    snap list | MATCH '^test-snapd-tools_foo '
+    snap list | MATCH '^test-snapd-tools_longname '
+
+    echo "Removing one instance does not remove other instances' directories"
+    snap remove test-snapd-tools_foo
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools_longname/x1"
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools/x1"
+
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-services/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-services/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-services/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-services/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,63 @@
+summary: Checks for parallel installation of sideloaded snaps containing services
+
+# takes >3min to run
+backends: [-autopkgtest]
+
+prepare: |
+    snap set system experimental.parallel-instances=true
+
+restore: |
+    snap set system experimental.parallel-instances=null
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    install_local test-snapd-service
+
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    check_services_active() {
+       test -n "$1"
+       systemctl is-active "snap.$1.test-snapd-service.service"
+       systemctl is-active "snap.$1.test-snapd-other-service.service"
+    }
+
+    for instance in foo longname; do
+        echo "Install a snap as instance named test-snapd-service_$instance"
+        expected="^test-snapd-service_$instance 1.0 installed\$"
+        install_local_as test-snapd-service "test-snapd-service_$instance" | MATCH "$expected"
+
+        test -d "$SNAP_MOUNT_DIR/test-snapd-service_$instance/x1"
+
+        test -f /etc/systemd/system/snap.test-snapd-service_$instance.test-snapd-service.service
+        test -f /etc/systemd/system/snap.test-snapd-service_$instance.test-snapd-other-service.service
+        check_services_active "test-snapd-service_$instance"
+    done
+
+    check_services_active test-snapd-service
+
+    echo "All snaps are listed"
+    snap list | MATCH '^test-snapd-service '
+    snap list | MATCH '^test-snapd-service_foo '
+    snap list | MATCH '^test-snapd-service_longname '
+
+    echo "Removing one instance does not remove services from other instances"
+    snap remove test-snapd-service_foo
+    ! test -f /etc/systemd/system/snap.test-snapd-service_foo.test-snapd-service.service
+    test -f /etc/systemd/system/snap.test-snapd-service_longname.test-snapd-service.service
+    test -f /etc/systemd/system/snap.test-snapd-service.test-snapd-service.service
+
+    echo "The services of remaining snaps are still active"
+    check_services_active test-snapd-service
+    check_services_active test-snapd-service_longname
+
+    snap remove test-snapd-service
+    ! test -f /etc/systemd/system/snap.test-snapd-service.test-snapd-service.service
+    test -f /etc/systemd/system/snap.test-snapd-service_longname.test-snapd-service.service
+    echo "The services of remaining snap are active"
+    check_services_active test-snapd-service_longname
+
+    snap remove test-snapd-service_longname
+    ! test -f /etc/systemd/system/snap.test-snapd-service_longname.test-snapd-service.service
diff -Nru snapd-2.32.3.2~14.04/tests/main/parallel-install-store/task.yaml snapd-2.37~rc1~14.04/tests/main/parallel-install-store/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/parallel-install-store/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/parallel-install-store/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,31 @@
+summary: Checks for parallel installation of snaps from the store
+
+execute: |
+    ! snap install test-snapd-tools_foo 2> run.err
+    MATCH 'experimental feature disabled' < run.err
+
+    snap set system experimental.parallel-instances=true
+
+    snap install test-snapd-tools_foo | MATCH '^test-snapd-tools_foo .* installed'
+
+    echo "The snap is listed"
+    snap list | MATCH '^test-snapd-tools_foo '
+
+    echo "The snap application can be run"
+    #shellcheck disable=SC2016
+    test-snapd-tools_foo.cmd sh -c 'echo hello data from $SNAP_INSTANCE_NAME > $SNAP_DATA/data'
+    MATCH 'hello data from test-snapd-tools_foo' < /var/snap/test-snapd-tools_foo/current/data
+    su -l -c "test-snapd-tools_foo.cmd sh -c 'echo hello user data from \$SNAP_INSTANCE_NAME > \$SNAP_USER_DATA/data'" test
+    MATCH 'hello user data from test-snapd-tools_foo' < /home/test/snap/test-snapd-tools_foo/current/data
+
+    echo "Installing another instance, without instance key, succeeds"
+    snap install test-snapd-tools
+
+    echo "And so does another one, but with different instance key"
+    snap install test-snapd-tools_bar
+
+    echo "Installing more than one instance at a time works too"
+    snap install test-snapd-tools_baz test-snapd-tools_zed
+
+restore: |
+    snap set system experimental.parallel-instances=
diff -Nru snapd-2.32.3.2~14.04/tests/main/postrm-purge/task.yaml snapd-2.37~rc1~14.04/tests/main/postrm-purge/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/postrm-purge/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/postrm-purge/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,15 +1,17 @@
 summary: Check that postrm purge works
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 execute: |
     echo "When some snaps are installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
     snap install test-snapd-control-consumer
     snap install test-snapd-auto-aliases
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     # purge is performed while/after removing the package
     systemctl stop snapd.service snapd.socket
@@ -18,10 +20,10 @@
     # tool
     if [[ "$SPREAD_SYSTEM" = ubuntu-* || "$SPREAD_SYSTEM" = debian-* ]]; then
         # only available on trusty
-        if [ -x ${SPREAD_PATH}/debian/snapd.prerm ]; then
-            sh -x ${SPREAD_PATH}/debian/snapd.prerm
+        if [ -x "${SPREAD_PATH}/debian/snapd.prerm" ]; then
+            sh -x "${SPREAD_PATH}/debian/snapd.prerm"
         fi
-        sh -x ${SPREAD_PATH}/debian/snapd.postrm purge
+        sh -x "${SPREAD_PATH}/debian/snapd.postrm" purge
     else
         ${LIBEXECDIR}/snapd/snap-mgmt --purge
     fi
@@ -30,7 +32,7 @@
     for d in $SNAP_MOUNT_DIR /var/snap; do
         if [ -d "$d" ]; then
             echo "$d is not removed"
-            ls -lR $d
+            ls -lR "$d"
             exit 1
         fi
     done
diff -Nru snapd-2.32.3.2~14.04/tests/main/prefer/task.yaml snapd-2.37~rc1~14.04/tests/main/prefer/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/prefer/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/prefer/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,8 @@
 summary: Simple snap prefer test
+
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "Install the snap with auto-aliases"
     snap install test-snapd-auto-aliases
diff -Nru snapd-2.32.3.2~14.04/tests/main/prepare-image-grub/task.yaml snapd-2.37~rc1~14.04/tests/main/prepare-image-grub/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/prepare-image-grub/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/prepare-image-grub/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Check that prepare-image works for grub-systems
 
-systems: [-ubuntu-core-16-*, -fedora-*, -opensuse-*]
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 backends: [-autopkgtest]
 
@@ -19,8 +19,9 @@
         exit
     fi
 
-    . $TESTSLIB/store.sh
-    setup_fake_store $STORE_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    setup_fake_store "$STORE_DIR"
 
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -28,9 +29,10 @@
         exit
     fi
 
-    . $TESTSLIB/store.sh
-    teardown_fake_store $STORE_DIR
-    rm -rf $ROOT
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    teardown_fake_store "$STORE_DIR"
+    rm -rf "$ROOT"
 
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -39,32 +41,33 @@
     fi
 
     echo Expose the needed assertions through the fakestore
-    cp $TESTSLIB/assertions/developer1.account $STORE_DIR/asserts
-    cp $TESTSLIB/assertions/developer1.account-key $STORE_DIR/asserts
+    cp "$TESTSLIB"/assertions/developer1.account "$STORE_DIR/asserts"
+    cp "$TESTSLIB"/assertions/developer1.account-key "$STORE_DIR/asserts"
     # have snap use the fakestore for assertions (but nothing else)
     export SNAPPY_FORCE_SAS_URL=http://$STORE_ADDR
 
     echo Running prepare-image
+    #shellcheck disable=SC2086
     su -c "SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE snap prepare-image --channel edge --extra-snaps snapweb $TESTSLIB/assertions/developer1-pc.model $ROOT" test
 
     echo Verifying the result
-    ls -lR $IMAGE
+    ls -lR "$IMAGE"
     for f in pc pc-kernel core snapweb; do
-        ls $IMAGE/var/lib/snapd/seed/snaps/${f}*.snap
+        ls "$IMAGE"/var/lib/snapd/seed/snaps/"${f}"*.snap
     done
-    MATCH snap_core=core < $IMAGE/boot/grub/grubenv
-    MATCH snap_kernel=pc-kernel < $IMAGE/boot/grub/grubenv
+    MATCH snap_core=core < "$IMAGE/boot/grub/grubenv"
+    MATCH snap_kernel=pc-kernel < "$IMAGE/boot/grub/grubenv"
 
     # check copied assertions
-    cmp $TESTSLIB/assertions/developer1-pc.model $IMAGE/var/lib/snapd/seed/assertions/model
-    cmp $TESTSLIB/assertions/developer1.account $IMAGE/var/lib/snapd/seed/assertions/developer1.account
+    cmp "$TESTSLIB"/assertions/developer1-pc.model "$IMAGE/var/lib/snapd/seed/assertions/model"
+    cmp "$TESTSLIB"/assertions/developer1.account "$IMAGE/var/lib/snapd/seed/assertions/developer1.account"
 
     echo Verify the unpacked gadget
-    ls -lR $GADGET
-    ls $GADGET/meta/snap.yaml
+    ls -lR "$GADGET"
+    ls "$GADGET/meta/snap.yaml"
 
     echo "Verify that we have valid looking seed.yaml"
-    cat $IMAGE/var/lib/snapd/seed/seed.yaml
+    cat "$IMAGE/var/lib/snapd/seed/seed.yaml"
 
     # snap-id of core
     if [ "$REMOTE_STORE" = production ]; then
@@ -72,13 +75,13 @@
     else
         core_snap_id="xMNMpEm0COPZy7jq9YRwWVLCD9q5peow"
     fi
-    MATCH "snap-id: ${core_snap_id}" < $IMAGE/var/lib/snapd/seed/seed.yaml
+    MATCH "snap-id: ${core_snap_id}" < "$IMAGE/var/lib/snapd/seed/seed.yaml"
 
     for snap in pc pc-kernel core; do
-        MATCH "name: $snap" < $IMAGE/var/lib/snapd/seed/seed.yaml
+        MATCH "name: $snap" < "$IMAGE/var/lib/snapd/seed/seed.yaml"
     done
 
     echo "Verify that we got some snap assertions"
     for name in pc pc-kernel core; do
-        cat $IMAGE/var/lib/snapd/seed/assertions/* | MATCH "snap-name: $name"
+        cat "$IMAGE"/var/lib/snapd/seed/assertions/* | MATCH "snap-name: $name"
     done
diff -Nru snapd-2.32.3.2~14.04/tests/main/prepare-image-grub-core18/task.yaml snapd-2.37~rc1~14.04/tests/main/prepare-image-grub-core18/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/prepare-image-grub-core18/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/prepare-image-grub-core18/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,50 @@
+summary: Check that prepare-image works for grub-systems
+
+systems: [-ubuntu-core-16-*, -fedora-*, -opensuse-*, -arch-*]
+
+backends: [-autopkgtest]
+
+environment:
+    ROOT: /tmp/root
+    IMAGE: /tmp/root/image
+    GADGET: /tmp/root/gadget
+
+restore: |
+    rm -rf "$ROOT"
+    
+execute: |
+    echo Running prepare-image
+    su -c "SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE snap prepare-image --channel edge --extra-snaps snapweb $TESTSLIB/assertions/ubuntu-core-18-amd64.model $ROOT" test
+
+    echo Verifying the result
+    ls -lR "$IMAGE"
+    for f in pc pc-kernel core18 snapd snapweb; do
+        ls "$IMAGE"/var/lib/snapd/seed/snaps/"${f}"*.snap
+    done
+    MATCH snap_core=core18 < "$IMAGE"/boot/grub/grubenv
+    MATCH snap_kernel=pc-kernel < "$IMAGE"/boot/grub/grubenv
+
+    # snap-id of core18
+    if [ "$REMOTE_STORE" = production ]; then
+        core18_snap_id="CSO04Jhav2yK0uz97cr0ipQRyqg0qQL6"
+    else
+        core18_snap_id="FIXME"
+    fi
+    MATCH "snap-id: ${core18_snap_id}" < "$IMAGE"/var/lib/snapd/seed/seed.yaml
+
+    for snap in pc pc-kernel core18 snapd; do
+        MATCH "name: $snap" < "$IMAGE"/var/lib/snapd/seed/seed.yaml
+    done
+
+    echo "Verify that we got some snap assertions"
+    for name in pc pc-kernel core18 snapd; do
+        cat "$IMAGE"/var/lib/snapd/seed/assertions/* | MATCH "snap-name: $name"
+    done
+
+    echo "Ensure the core snap is absent"
+    if ls "$IMAGE"/var/lib/snapd/seed/snaps/core_*.snap; then
+        echo "Unexpected core snap found in the seed directory. Test broken."
+        echo "Seed directory content:"
+        ls "$IMAGE"/var/lib/snapd/seed/snaps/
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/prepare-image-uboot/task.yaml snapd-2.37~rc1~14.04/tests/main/prepare-image-uboot/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/prepare-image-uboot/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/prepare-image-uboot/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,16 +10,16 @@
     GADGET: /home/test/tmp/gadget
 
 prepare: |
-    mkdir -p $ROOT
-    chown test:test $ROOT
+    mkdir -p "$ROOT"
+    chown test:test "$ROOT"
 
 restore: |
-    rm -rf $ROOT
+    rm -rf "$ROOT"
 
 execute: |
     # TODO: switch to a prebuilt properly signed model assertion once we can do that consistently
     echo Creating model assertion
-    cat > $ROOT/model.assertion <<EOF
+    cat > "$ROOT/model.assertion" <<EOF
     type: model
     series: 16
     authority-id: my-brand
@@ -41,24 +41,24 @@
     su -c "SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE snap prepare-image --channel edge --extra-snaps snapweb $ROOT/model.assertion $ROOT" test
 
     echo Verifying the result
-    ls -lR $IMAGE
+    ls -lR "$IMAGE"
     for f in pi2 pi2-kernel core snapweb; do
-        ls $IMAGE/var/lib/snapd/seed/snaps/${f}*.snap
+        ls "$IMAGE/var/lib/snapd/seed/snaps/${f}"*.snap
     done
-    MATCH snap_core=core < $IMAGE/boot/uboot/uboot.env
-    MATCH snap_kernel=pi2-kernel < $IMAGE/boot/uboot/uboot.env
+    MATCH snap_core=core < "$IMAGE/boot/uboot/uboot.env"
+    MATCH snap_kernel=pi2-kernel < "$IMAGE/boot/uboot/uboot.env"
 
     echo Verify that the kernel is available unpacked
-    ls $IMAGE/boot/uboot/pi2-kernel_*.snap/kernel.img
-    ls $IMAGE/boot/uboot/pi2-kernel_*.snap/initrd.img
-    ls $IMAGE/boot/uboot/pi2-kernel_*.snap/dtbs/
+    ls "$IMAGE"/boot/uboot/pi2-kernel_*.snap/kernel.img
+    ls "$IMAGE"/boot/uboot/pi2-kernel_*.snap/initrd.img
+    ls "$IMAGE"/boot/uboot/pi2-kernel_*.snap/dtbs/
 
     echo Verify the unpacked gadget
-    ls -lR $GADGET
-    ls $GADGET/meta/snap.yaml
+    ls -lR "$GADGET"
+    ls "$GADGET/meta/snap.yaml"
 
     echo Verify that we have valid looking seed.yaml
-    cat $IMAGE/var/lib/snapd/seed/seed.yaml
+    cat "$IMAGE/var/lib/snapd/seed/seed.yaml"
     # snap-id of core
     if [ "$REMOTE_STORE" = staging ]; then
         core_id="xMNMpEm0COPZy7jq9YRwWVLCD9q5peow"
@@ -66,12 +66,12 @@
         core_id="99T7MUlRhtI3U0QFgl5mXXESAiSwt776"
     fi
 
-    MATCH "snap-id: $core_id" < $IMAGE/var/lib/snapd/seed/seed.yaml
+    MATCH "snap-id: $core_id" < "$IMAGE/var/lib/snapd/seed/seed.yaml"
     for snap in pi2 pi2-kernel core; do
-      MATCH "name: $snap" < $IMAGE/var/lib/snapd/seed/seed.yaml
+      MATCH "name: $snap" < "$IMAGE/var/lib/snapd/seed/seed.yaml"
     done
 
     echo "Verify that we got some snap assertions"
     for name in pi2 pi2-kernel core; do
-        cat $IMAGE/var/lib/snapd/seed/assertions/* | MATCH "snap-name: $name"
+        cat "$IMAGE"/var/lib/snapd/seed/assertions/* | MATCH "snap-name: $name"
     done
diff -Nru snapd-2.32.3.2~14.04/tests/main/proxy/task.yaml snapd-2.37~rc1~14.04/tests/main/proxy/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/proxy/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/proxy/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,35 @@
+summary: Ensure that the core.proxy.* settings are honored
+
+# ubuntu-14.04 does not have systemd-run
+systems: [-ubuntu-14.04-*]
+
+restore: |
+    snap set core proxy.https=
+    systemctl stop tinyproxy || true
+
+execute: |
+    if ! command -v python3; then
+       echo "SKIP: need python3"
+       exit 0
+    fi
+    if [ -n "${http_proxy:-}" ] || [ -n "${https_proxy:-}" ] ||
+       [ -n "${HTTPS_PROXY:-}" ] || [ -n "${HTTPS_PROXY:-}" ]; then
+       echo "SKIP: cannot run when there is another http proxy"
+       exit 0
+    fi
+
+    systemd-run --service-type=notify --unit tinyproxy -- python3 "$TESTSLIB/tinyproxy/tinyproxy.py"
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    wait_for_service tinyproxy
+
+    echo "Setup proxy config"
+    snap set core proxy.https=http://localhost:3128
+
+    echo "Check that the commands go through the proxy"
+    snap find test-snapd-tools | MATCH test-snapd-tools
+
+    # check unit output
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+    check_journalctl_log 'CONNECT api.snapcraft.io' -u tinyproxy
diff -Nru snapd-2.32.3.2~14.04/tests/main/proxy-no-core/task.yaml snapd-2.37~rc1~14.04/tests/main/proxy-no-core/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/proxy-no-core/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/proxy-no-core/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,49 @@
+summary: Ensure that the core.proxy.* settings are honored without core
+
+# only needs a test on classic
+systems: [ubuntu-16.04-64, ubuntu-18.04-64]
+
+restore: |
+    iptables -D OUTPUT -m owner --uid-owner "$(id -u test)" -j ACCEPT -p tcp
+    iptables -D OUTPUT -j REJECT -p tcp --dport http --reject-with tcp-reset
+    iptables -D OUTPUT -j REJECT -p tcp --dport https --reject-with tcp-reset
+    snap set core proxy.https=
+    systemctl stop tinyproxy || true
+
+execute: |
+    if ! command -v python3; then
+       echo "SKIP: need python3"
+       exit 0
+    fi
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
+    systemctl stop snapd.socket snapd.service
+    rm -rf /var/lib/snapd/state.json
+    systemctl start snapd.socket snapd.service
+
+    # only allow test user to connect to http/https
+    iptables -I OUTPUT -j REJECT -p tcp --dport http --reject-with tcp-reset
+    iptables -I OUTPUT -j REJECT -p tcp --dport https --reject-with tcp-reset
+    iptables -I OUTPUT -j ACCEPT -p tcp -m owner --uid-owner "$(id -u test)"
+
+    # run a proxy that can access http/https (via the owner rule)
+    systemd-run --service-type=notify --uid=test --unit tinyproxy -- python3 "$TESTSLIB/tinyproxy/tinyproxy.py"
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    wait_for_service tinyproxy
+
+    echo "Ensure normal install without proxy does not work"
+    if snap install core; then
+        echo "without a proxy core install should fail, test broken"
+        exit 1
+    fi
+
+    echo "Setup proxy config"
+    snap set core proxy.https=http://localhost:3128
+
+    echo "Ensure that snap install works even without an installed core to install core"
+    snap install core
+
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+    check_journalctl_log 'CONNECT fastly.cdn.snapcraft.io' -u tinyproxy
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: Check that the refresh command works.
+
 details: |
     These tests exercise the refresh command using different store backends.
     The concrete store to be used is controlled with the STORE_TYPE variant,
@@ -9,16 +10,20 @@
     edge channel.
 
 environment:
+    SNAP_NAME/parallel_strict_fake,parallel_strict_remote: test-snapd-tools_instance
     SNAP_NAME/strict_fake,strict_remote: test-snapd-tools
     SNAP_NAME/classic_fake,classic_remote: test-snapd-classic-confinement
     SNAP_VERSION_PATTERN: \d+\.\d+\+fake1
     BLOB_DIR: $(pwd)/fake-store-blobdir
-    STORE_TYPE/strict_fake,classic_fake: fake
-    STORE_TYPE/strict_remote,classic_remote: ${REMOTE_STORE}
+    STORE_TYPE/parallel_strict_fake,strict_fake,classic_fake: fake
+    STORE_TYPE/parallel_strict_remote,strict_remote,classic_remote: ${REMOTE_STORE}
 
 prepare: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -28,44 +33,61 @@
     fi
 
     flags=
-    if [[ $SNAP_NAME =~ classic ]]; then
+    if [[ "$SNAP_NAME" =~ classic ]]; then
         case "$SPREAD_SYSTEM" in
-            ubuntu-core-*|fedora-*)
+            ubuntu-core-*|fedora-*|arch-*|centos-*)
                 exit
                 ;;
         esac
         flags=--classic
     fi
 
+    if [[ "$SPREAD_VARIANT" =~ parallel ]]; then
+        snap set system experimental.parallel-instances=true
+    fi
+
     echo "Given a snap is installed"
-    snap install $flags $SNAP_NAME
+    snap install $flags "$SNAP_NAME"
 
     if [ "$STORE_TYPE" = "fake" ]; then
-        . $TESTSLIB/store.sh
-        setup_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        setup_fake_store "$BLOB_DIR"
 
         echo "And a new version of that snap put in the controlled store"
-        . $TESTSLIB/store.sh
-        init_fake_refreshes $BLOB_DIR $SNAP_NAME
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        init_fake_refreshes "$BLOB_DIR" "$SNAP_NAME"
     fi
 
 restore: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     rm -f stderr.out
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
             echo "This test needs test keys to be trusted"
             exit
         fi
-        . $TESTSLIB/store.sh
-        teardown_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        teardown_fake_store "$BLOB_DIR"
+    fi
+
+    if [[ "$SPREAD_VARIANT" =~ parallel ]]; then
+        snap set system experimental.parallel-instances=null
     fi
 
 execute: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -74,9 +96,9 @@
         fi
     fi
 
-    if [[ $SNAP_NAME =~ classic ]]; then
+    if [[ "$SNAP_NAME" =~ classic ]]; then
         case "$SPREAD_SYSTEM" in
-            ubuntu-core-*|fedora-*)
+            ubuntu-core-*|fedora-*|arch-*|centos-*)
                 exit
                 ;;
         esac
@@ -90,33 +112,34 @@
     # echo "================================="
 
     echo "When the snap is refreshed"
-    snap refresh --channel=edge $SNAP_NAME
+    snap refresh --channel=edge "$SNAP_NAME"
 
     echo "Then the new version is listed"
     expected="$SNAP_NAME +$SNAP_VERSION_PATTERN"
     snap list | grep -Pzq "$expected"
 
     echo "When a snap is refreshed and has no update it exit 0"
-    snap refresh $SNAP_NAME 2>stderr.out
-    cat stderr.out | MATCH "snap \"$SNAP_NAME\" has no updates available"
+    snap refresh "$SNAP_NAME" 2>stderr.out
+    MATCH "snap \"$SNAP_NAME\" has no updates available" < stderr.out
 
     echo "classic snaps "
 
     echo "When multiple snaps have no update we have a good message"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local basic
-    snap refresh $SNAP_NAME basic 2>&1 | MATCH "All snaps up to date."
+    snap refresh "$SNAP_NAME" basic 2>&1 | MATCH "All snaps up to date."
 
     echo "When moving to stable"
-    snap refresh --stable $SNAP_NAME
-    snap info $SNAP_NAME | MATCH "tracking: +stable"
+    snap refresh --stable "$SNAP_NAME"
+    snap info "$SNAP_NAME" | MATCH "tracking: +stable"
 
-    snap refresh --candidate $SNAP_NAME 2>&1 | MATCH "$SNAP_NAME \(candidate\).*"
-    snap info $SNAP_NAME | MATCH "tracking: +candidate"
+    snap refresh --candidate "$SNAP_NAME" 2>&1 | MATCH "$SNAP_NAME \\(candidate\\).*"
+    snap info "$SNAP_NAME" | MATCH "tracking: +candidate"
 
     echo "When multiple snaps are refreshed we error if we have unknown names"
     if snap refresh core invälid-snap-name 2> out.err; then
         echo "snap refresh invalid-snap-name should fail but it did not?"
         exit 1
     fi
-    cat out.err | tr '\n' ' ' | tr -s ' ' | MATCH 'cannot refresh .* is not installed'
+    tr '\n' ' ' < out.err | tr -s ' ' | MATCH 'cannot refresh .* is not installed'
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-all/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-all/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-all/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-all/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Check that more than one snap is refreshed.
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 details: |
     We use only the fake store for this test because we currently
@@ -16,15 +16,19 @@
         exit
     fi
 
-    . $TESTSLIB/store.sh
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
 
-    echo "Given two snaps are installed"
-    for snap in test-snapd-tools test-snapd-python-webserver; do
+    # needed for test-snapd-tools_instance
+    snap set system experimental.parallel-instances=true
+
+    echo "Given snaps installed"
+    for snap in test-snapd-tools test-snapd-tools_instance test-snapd-python-webserver; do
         snap install $snap
     done
 
     echo "And the daemon is configured to point to the fake store"
-    setup_fake_store $BLOB_DIR
+    setup_fake_store "$BLOB_DIR"
 
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -32,9 +36,12 @@
         exit
     fi
 
-    . $TESTSLIB/store.sh
-    teardown_fake_store $BLOB_DIR
-    rm -rf $BLOB_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    teardown_fake_store "$BLOB_DIR"
+    rm -rf "$BLOB_DIR"
+
+    snap set system experimental.parallel-instances=null
 
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -46,17 +53,19 @@
     snap refresh 2>&1 | MATCH "All snaps up to date."
 
     echo "When the store is configured to make them refreshable"
-    . $TESTSLIB/files.sh
-    . $TESTSLIB/store.sh
-    init_fake_refreshes $BLOB_DIR test-snapd-tools 
-    wait_for_file $BLOB_DIR/test-snapd-tools*fake1*.snap 4 .5
-    init_fake_refreshes  $BLOB_DIR test-snapd-python-webserver
-    wait_for_file $BLOB_DIR/test-snapd-python-webserver*fake1*.snap 4 .5
+    #shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB"/files.sh
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    init_fake_refreshes "$BLOB_DIR" test-snapd-tools
+    wait_for_file "$BLOB_DIR"/test-snapd-tools*fake1*.snap 4 .5
+    init_fake_refreshes  "$BLOB_DIR" test-snapd-python-webserver
+    wait_for_file "$BLOB_DIR"/test-snapd-python-webserver*fake1*.snap 4 .5
 
     echo "And a refresh is performed"
     snap refresh
 
     echo "Then the new versions are installed"
-    for snap in test-snapd-tools test-snapd-python-webserver; do
-        snap list | MATCH "$snap.*fake1"
+    for snap in test-snapd-tools test-snapd-tools_instance test-snapd-python-webserver; do
+        snap list | MATCH "$snap .*fake1"
     done
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-all-undo/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-all-undo/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-all-undo/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-all-undo/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Check that undo for snap refresh works
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 environment:
     BLOB_DIR: $(pwd)/fake-store-blobdir
@@ -13,15 +13,16 @@
         exit
     fi
 
-    . $TESTSLIB/store.sh
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
 
     echo "Given two snaps are installed"
     for snap in $GOOD_SNAP $BAD_SNAP; do
-        snap install $snap
+        snap install "$snap"
     done
 
     echo "And the daemon is configured to point to the fake store"
-    setup_fake_store $BLOB_DIR
+    setup_fake_store "$BLOB_DIR"
 
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -29,9 +30,10 @@
         exit
     fi
 
-    . $TESTSLIB/store.sh
-    teardown_fake_store $BLOB_DIR
-    rm -rf $BLOB_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    teardown_fake_store "$BLOB_DIR"
+    rm -rf "$BLOB_DIR"
 
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -43,15 +45,17 @@
     snap refresh 2>&1 | MATCH "All snaps up to date"
 
     echo "When the store is configured to make them refreshable"
-    . $TESTSLIB/files.sh
-    . $TESTSLIB/store.sh
+    #shellcheck source=tests/lib/files.sh
+    . "$TESTSLIB"/files.sh
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
     init_fake_refreshes "$BLOB_DIR" "$GOOD_SNAP"
-    wait_for_file "$BLOB_DIR"/"${GOOD_SNAP}"*fake1*.snap 4 .5
+    wait_for_file "$BLOB_DIR/${GOOD_SNAP}"*fake1*.snap 4 .5
     init_fake_refreshes "$BLOB_DIR" "$BAD_SNAP"
-    wait_for_file "$BLOB_DIR"/"${BAD_SNAP}"*fake1*.snap 4 .5
+    wait_for_file "$BLOB_DIR/${BAD_SNAP}"*fake1*.snap 4 .5
 
     echo "When a snap is broken"
-    echo "i-am-broken-now" >> $BLOB_DIR/${BAD_SNAP}*fake1*.snap
+    echo "i-am-broken-now" >> "$BLOB_DIR/${BAD_SNAP}"*fake1*.snap
 
     echo "And a refresh is performed"
     if snap refresh ; then
@@ -65,16 +69,17 @@
     echo "But the bad snap did not get updated"
     snap list | MATCH -E "${BAD_SNAP}"| MATCH -v "fake"
 
-    . $TESTSLIB/changes.sh
+    #shellcheck source=tests/lib/changes.sh
+    . "$TESTSLIB"/changes.sh
     chg_id=$(change_id "Refresh snap" Error)
 
     echo "Verify the snap change"
-    snap change $chg_id | MATCH "Undone.*Download snap \"${BAD_SNAP}\""
-    snap change $chg_id | MATCH "Done.*Download snap \"${GOOD_SNAP}\""
-    snap change $chg_id | MATCH "ERROR cannot verify snap \"test-snapd-tools\", no matching signatures found"
+    snap change "$chg_id" | MATCH "Undone.*Download snap \"${BAD_SNAP}\""
+    snap change "$chg_id" | MATCH "Done.*Download snap \"${GOOD_SNAP}\""
+    snap change "$chg_id" | MATCH "ERROR cannot verify snap \"test-snapd-tools\", no matching signatures found"
 
     echo "Verify the 'snap tasks' is the same as 'snap change'"
-    snap tasks $chg_id | MATCH "Undone.*Download snap \"${BAD_SNAP}\""
+    snap tasks "$chg_id" | MATCH "Undone.*Download snap \"${BAD_SNAP}\""
 
     echo "Verify the 'snap tasks --last' shows last refresh change"
     snap tasks --last=refresh | MATCH "Undone.*Download snap \"${BAD_SNAP}\""
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-amend/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-amend/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-amend/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-amend/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,22 +1,28 @@
 summary: Ensure that refresh --amend works
 
 restore: |
-    rm -f test-snapd-tools_*.snap
+    rm -f test-snapd-just-edge_*.snap
 
 execute: |
     echo "When installing a local snap"
-    snap download test-snapd-tools
-    snap install --dangerous ./test-snapd-tools_*.snap
-    snap list |MATCH "test-snapd-tools.*x1"
+    snap download --edge test-snapd-just-edge
+    snap install --dangerous ./test-snapd-just-edge_*.snap
+    snap list |MATCH "test-snapd-just-edge.*x1"
 
     echo "A normal refresh will not refresh it to the store rev"
-    if snap refresh test-snapd-tools 2> stderr.out; then
+    if snap refresh test-snapd-just-edge 2> stderr.out; then
         echo "snap refresh should error but did not"
         exit 1
     fi
-    cat stderr.out | MATCH 'local snap "test-snapd-tools" is unknown to the store'
+    MATCH 'local snap "test-snapd-just-edge" is unknown to the store' < stderr.out
 
+    echo "A refresh with --amend is not enough, the channel needs to be added"
+    if snap refresh --amend test-snapd-just-edge 2> stderr.out; then
+       echo "snap refresh --amend without --edge should error but it did not"
+       exit 1
+    fi
+ 
     echo "A refresh with --amend refreshes it to the store revision"
-    snap refresh --amend test-snapd-tools
+    snap refresh --edge --amend test-snapd-just-edge
     echo "And we have a store revision now"
-    snap info test-snapd-tools | MATCH "^snap-id:.*[a-zA-Z0-9]+$"
+    snap info test-snapd-just-edge | MATCH "^snap-id:.*[a-zA-Z0-9]+$"
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-delta/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-delta/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-delta/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-delta/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -16,11 +16,14 @@
     # r3 -> r5b
     #
     echo "Given a snap is installed"
-    snap install --edge $SNAP_NAME
+    snap install --edge "$SNAP_NAME"
 
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     echo "When the snap is refreshed"
-    snap refresh --beta $SNAP_NAME
+    snap refresh --beta "$SNAP_NAME"
 
     echo "Then deltas are successfully applied"
-    journalctl -u snapd | MATCH "Successfully applied delta"
+    get_journalctl_log -u snapd | MATCH "Successfully applied delta"
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-delta-from-core/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-delta-from-core/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-delta-from-core/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-delta-from-core/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -13,7 +13,7 @@
     fi
 
     echo "Given a snap is installed"
-    snap install --edge $SNAP_NAME
+    snap install --edge "$SNAP_NAME"
 
 restore: |
     if [ -e /usr/bin/xdelta3.disabled ]; then
@@ -21,7 +21,10 @@
     fi
 
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     echo "When the snap is refreshed"
-    snap refresh --beta $SNAP_NAME
+    snap refresh --beta "$SNAP_NAME"
     echo "Then deltas are successfully applied"
-    journalctl -u snapd | MATCH "Successfully applied delta"
+    get_journalctl_log -u snapd | MATCH "Successfully applied delta"
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-devmode/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-devmode/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-devmode/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-devmode/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: Check that the refresh command works.
+
 details: |
     These tests exercise the refresh command using different store backends.
     The concrete store to be used is controlled with the STORE_TYPE variant,
@@ -16,8 +17,11 @@
     STORE_TYPE/remote: ${REMOTE_STORE}
 
 prepare: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -30,30 +34,39 @@
     snap install --devmode test-snapd-tools
 
     if [ "$STORE_TYPE" = "fake" ]; then
-        . $TESTSLIB/store.sh
-        setup_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        setup_fake_store "$BLOB_DIR"
 
         echo "And a new version of that snap put in the controlled store"
-        . $TESTSLIB/store.sh
-        init_fake_refreshes $BLOB_DIR test-snapd-tools
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        init_fake_refreshes "$BLOB_DIR" test-snapd-tools
     fi
 
 restore: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
             echo "This test needs test keys to be trusted"
             exit
         fi
-        . $TESTSLIB/store.sh
-        teardown_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        teardown_fake_store "$BLOB_DIR"
     fi
 
 execute: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -66,11 +79,9 @@
     # echo "Then the new version is available for the snap to be refreshed"
     # expected="$SNAP_NAME +$SNAP_VERSION_PATTERN"
     # snap refresh --list | grep -Pzq "$expected"
-    #
-    # echo "================================="
 
     echo "When the snap is refreshed"
-    snap refresh --devmode --channel=edge $SNAP_NAME
+    snap refresh --devmode --channel=edge "$SNAP_NAME"
 
     echo "Then the new version is listed"
     expected="$SNAP_NAME +$SNAP_VERSION_PATTERN .*devmode"
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-hold/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-hold/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-hold/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-hold/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,20 @@
+summary: Check that the refresh hold works
+
+# date had a bug where extended format would not be used for --iso-8601, this
+# got fixed in 2015 (released in 8.25), see
+# https://git.savannah.gnu.org/cgit/coreutils.git/commit/src/date.c?id=17bbf6ce44eb543a95695fa9d2cbd70fb52c6f42 for details
+#
+# the manifestation is running `date --iso-8601=seconds -d 'tomorrow 8:05 UTC'`
+# would produce:
+# - buggy version: 2018-07-27T08:05:00+0000
+# - fixed version: 2018-07-27T08:05:00+00:00
+
+# ubuntu-14.04 and amazon are shipped with buggy date
+systems: [-ubuntu-14.04-*, -amazon-*, -centos-*]
+
+execute: |
+    echo "Ensure snap set core refresh.hold works"
+    when="$(date --iso-8601=seconds -d 'tomorrow 8:05 UTC')"
+    when_nice="$(date -d "$when" +'tomorrow at %H:%M %Z')"
+    snap set core refresh.hold="$when"
+    snap refresh --time | MATCH "^hold: $when_nice"
diff -Nru snapd-2.32.3.2~14.04/tests/main/refresh-undo/task.yaml snapd-2.37~rc1~14.04/tests/main/refresh-undo/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/refresh-undo/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/refresh-undo/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -15,11 +15,13 @@
 
 prepare: |
     echo "Given a good (v1) and a bad (v2) snap"
-    snap pack $TESTSLIB/snaps/$SNAP_NAME_GOOD
-    snap pack $TESTSLIB/snaps/$SNAP_NAME_BAD
+    snap pack "$TESTSLIB/snaps/$SNAP_NAME_GOOD"
+    snap pack "$TESTSLIB/snaps/$SNAP_NAME_BAD"
 
 debug: |
-    journalctl -u snap.test-snapd-service.service.service
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB"/journalctl.sh
+    get_journalctl_log -u snap.test-snapd-service.service.service
 
 execute: |
     wait_for_service_status() {
@@ -35,12 +37,12 @@
         done
     }
     echo "When we install v1"
-    snap install --dangerous ${SNAP_FILE_GOOD}
+    snap install --dangerous "${SNAP_FILE_GOOD}"
     echo "The v1 service started correctly"
     wait_for_service_status "service v1"
 
     echo "When we refresh to v2"
-    if snap install --dangerous ${SNAP_FILE_BAD}; then
+    if snap install --dangerous "${SNAP_FILE_BAD}"; then
        echo "The ${SNAP_FILE_BAD} snap should not install cleanly, test broken"
        exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/regression-home-snap-root-owned/task.yaml snapd-2.37~rc1~14.04/tests/main/regression-home-snap-root-owned/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/regression-home-snap-root-owned/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/regression-home-snap-root-owned/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,22 +4,24 @@
     # ensure we have no snap user data directory yet
     rm -rf /home/test/snap
     rm -rf /root/snap
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     # run a snap command via sudo
     output=$(su -l -c "sudo $SNAP_MOUNT_DIR/bin/test-snapd-tools.env" test)
 
     # ensure SNAP_USER_DATA points to the right place
-    echo $output | MATCH SNAP_USER_DATA=/root/snap/test-snapd-tools/x[0-9]+
-    echo $output | MATCH HOME=/root/snap/test-snapd-tools/x[0-9]+
-    echo $output | MATCH SNAP_USER_COMMON=/root/snap/test-snapd-tools/common
+    echo "$output" | MATCH SNAP_USER_DATA=/root/snap/test-snapd-tools/x[0-9]+
+    echo "$output" | MATCH HOME=/root/snap/test-snapd-tools/x[0-9]+
+    echo "$output" | MATCH SNAP_USER_COMMON=/root/snap/test-snapd-tools/common
 
     echo "Verify that the /root/snap directory created and root owned"
-    if [ $(stat -c '%U' /root/snap) != "root" ]; then
+    if [ "$(stat -c '%U' /root/snap)" != "root" ]; then
         echo "The /root/snap directory is not owned by root"
         ls -ld $SNAP_MOUNT_DIR/snap
         exit 1
@@ -27,7 +29,7 @@
 
     echo "Verify that there is no /home/test/snap appearing"
     if [ -e /home/test/snap ]; then
-        user=$(stat -c '%U' /home/test/snap)
+        user="$(stat -c '%U' /home/test/snap)"
         echo "An unexpected /home/test/snap directory got created (owner $user)"
         ls -ld /home/test/snap
         exit 1
diff -Nru snapd-2.32.3.2~14.04/tests/main/remove-errors/task.yaml snapd-2.37~rc1~14.04/tests/main/remove-errors/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/remove-errors/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/remove-errors/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,14 +1,19 @@
 summary: Check remove command errors
 
+# core18: on core18 the "core" snap is removable
+systems: [-ubuntu-core-18-*]
+
 execute: |
     echo "Given a core snap is installed"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local test-snapd-tools
 
+    #shellcheck source=tests/lib/names.sh
     . "$TESTSLIB/names.sh"
     echo "Ensure the important snaps can not be removed"
     for sn in core $kernel_name $gadget_name; do
-        if snap remove $sn; then
+        if snap remove "$sn"; then
             echo "It should not be possible to remove $sn"
             exit 1
         fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/retryable-error/task.yaml snapd-2.37~rc1~14.04/tests/main/retryable-error/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/retryable-error/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/retryable-error/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,28 @@
+summary: Ensure exit code for retryable error works
+
+# autopkgtest is sometimes super slow and this test is timing dependent
+backends: [-autopkgtest]
+
+execute: |
+    echo "Install a snap"
+    snap install test-snapd-tools &
+
+    echo "And try to install it again which results in a change confict error"
+    while true; do
+        if snap changes |grep "Doing.*Install"; then
+            if snap install test-snapd-tools; then
+                echo "snap install should return a change-conflict: test broken"
+                exit 1
+            else
+                errCode=$?
+                if [ $errCode != 10 ]; then
+                    echo "go unexpected err code $errCode (expecting 10)"
+                    exit 1
+                fi
+            fi
+        break
+    fi
+    sleep 0.1
+    done
+    # "Ensure background processes are finished"
+    wait
diff -Nru snapd-2.32.3.2~14.04/tests/main/revert/task.yaml snapd-2.37~rc1~14.04/tests/main/revert/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/revert/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/revert/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -6,8 +6,11 @@
     BLOB_DIR: $(pwd)/fake-store-blobdir
 
 prepare: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -20,30 +23,39 @@
     snap install test-snapd-tools
 
     if [ "$STORE_TYPE" = "fake" ]; then
-        . $TESTSLIB/store.sh
-        setup_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        setup_fake_store "$BLOB_DIR"
 
         echo "And a new version of that snap put in the controlled store"
-        . $TESTSLIB/store.sh
-        init_fake_refreshes $BLOB_DIR test-snapd-tools
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        init_fake_refreshes "$BLOB_DIR" test-snapd-tools
     fi
 
 restore: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
             echo "This test needs test keys to be trusted"
             exit
         fi
-        . $TESTSLIB/store.sh
-        teardown_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        teardown_fake_store "$BLOB_DIR"
     fi
 
 execute: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -58,13 +70,14 @@
         exit 1
     fi
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "When a refresh is made"
     snap refresh --edge test-snapd-tools
 
     echo "Then the new version is installed"
-    snap list | MATCH "test-snapd-tools +[0-9]+\.[0-9]+\+fake1"
+    snap list | MATCH --  'test-snapd-tools +[0-9]+\.[0-9]+\+fake1'
 
     echo "And the snap runs"
     test-snapd-tools.echo hello|MATCH hello
@@ -73,11 +86,11 @@
     snap revert test-snapd-tools
 
     echo "Then the old version is active"
-    snap list | MATCH "test-snapd-tools +[0-9]+\.[0-9]+ "
+    snap list | MATCH -- 'test-snapd-tools +[0-9]+\.[0-9]+ '
 
     echo "And the data directories are present"
-    ls $SNAP_MOUNT_DIR/test-snapd-tools | MATCH current
-    ls /var/snap/test-snapd-tools | MATCH current
+    find $SNAP_MOUNT_DIR/test-snapd-tools -maxdepth 1 | MATCH current
+    find /var/snap/test-snapd-tools -maxdepth 1 | MATCH current
 
     echo "And the snap runs confined"
     snap list|MATCH 'test-snapd-tools.* -$'
@@ -93,8 +106,8 @@
 
     echo "And a refresh doesn't update the snap"
     snap refresh
-    snap list | MATCH "test-snapd-tools +[0-9]+\.[0-9]+ "
+    snap list | MATCH -- 'test-snapd-tools +[0-9]+\.[0-9]+ '
 
     echo "Unless the snap is asked for explicitly"
     snap refresh --edge test-snapd-tools
-    snap list | MATCH "test-snapd-tools +[0-9]+\.[0-9]+\+fake1"
+    snap list | MATCH -- 'test-snapd-tools +[0-9]+\.[0-9]+\+fake1'
diff -Nru snapd-2.32.3.2~14.04/tests/main/revert-devmode/task.yaml snapd-2.37~rc1~14.04/tests/main/revert-devmode/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/revert-devmode/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/revert-devmode/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,19 @@
 summary: Check that revert of a snap in devmode restores devmode
 
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
+
 environment:
     STORE_TYPE/fake: fake
     STORE_TYPE/remote: ${REMOTE_STORE}
     BLOB_DIR: $(pwd)/fake-store-blobdir
 
 prepare: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -20,30 +26,39 @@
     snap install --devmode test-snapd-tools
 
     if [ "$STORE_TYPE" = "fake" ]; then
-        . $TESTSLIB/store.sh
-        setup_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        setup_fake_store "$BLOB_DIR"
 
         echo "And a new version of that snap put in the controlled store"
-        . $TESTSLIB/store.sh
-        init_fake_refreshes $BLOB_DIR test-snapd-tools
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        init_fake_refreshes "$BLOB_DIR" test-snapd-tools
     fi
 
 restore: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
             echo "This test needs test keys to be trusted"
             exit
         fi
-        . $TESTSLIB/store.sh
-        teardown_fake_store $BLOB_DIR
+        #shellcheck source=tests/lib/store.sh
+        . "$TESTSLIB"/store.sh
+        teardown_fake_store "$BLOB_DIR"
     fi
 
 execute: |
+    #shellcheck source=tests/lib/systems.sh
+    . "$TESTSLIB"/systems.sh
+
     if [ "$STORE_TYPE" = "fake" ]; then
-        if [[ "$SPREAD_SYSTEM" == ubuntu-core-16-* ]]; then
+        if is_core_system; then
             exit
         fi
         if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -52,7 +67,8 @@
         fi
     fi
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "When a refresh is made"
     snap refresh --devmode --edge test-snapd-tools
@@ -71,7 +87,7 @@
     snap list|MATCH 'test-snapd-tools .* devmode'
 
     echo "When the latest revision is installed again"
-    snap remove --revision=$LATEST test-snapd-tools
+    snap remove --revision="$LATEST" test-snapd-tools
     snap refresh --edge test-snapd-tools
 
     if [ "$(snap debug confinement)" = strict ] ; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/revert-sideload/task.yaml snapd-2.37~rc1~14.04/tests/main/revert-sideload/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/revert-sideload/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/revert-sideload/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Checks for snap sideload reverts
 
 prepare: |
-    snap pack $TESTSLIB/snaps/basic
+    snap pack "$TESTSLIB"/snaps/basic
 
 restore: |
     rm -f ./basic_1.0_all.snap
diff -Nru snapd-2.32.3.2~14.04/tests/main/sanitycheck/task.yaml snapd-2.37~rc1~14.04/tests/main/sanitycheck/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/sanitycheck/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/sanitycheck/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,33 @@
+summary: Ensure that the sanity check works
+
+prepare: |
+    echo "Break mounting so that the sanity check of a squashfs mount fails"
+    mount -o bind /bin/false /bin/mount
+
+restore: |
+    echo "Undoing the mount breakage"
+    umount /bin/mount
+    systemctl restart snapd
+
+execute: |
+    echo "Restart snapd so that the sanity check runs"
+    systemctl restart snapd
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    wait_for_service snapd
+
+    for _ in $(seq 120); do
+        if journalctl -u snapd | grep "system does not fully support snapd: cannot mount squashfs image"; then
+            break
+        fi
+        sleep 1
+    done
+
+    echo "Ensure sanity check error is reported in the journal"
+    journalctl -u snapd | MATCH "system does not fully support snapd: cannot mount squashfs image"
+
+    echo "Ensure GET commands still work"
+    snap list | MATCH core
+    
+    echo "Ensure snap commands reply with sanity check error"
+    snap install test-snapd-tools 2>&1 | MATCH "system does not fully support snapd: cannot mount squashfs image"
diff -Nru snapd-2.32.3.2~14.04/tests/main/searching/task.yaml snapd-2.37~rc1~14.04/tests/main/searching/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/searching/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/searching/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -12,9 +12,7 @@
 
 execute: |
     echo "List all featured snaps"
-    expected="(?s).*Name +Version +Developer +Notes +Summary *\n\
-    (.*?\n)?\
-    .*"
+    expected='(?s).*Name +Version +Publisher +Notes +Summary *\n(.*?\n)?.*'
     snap find > featured.txt
     if ! grep -Pzq "$expected" < featured.txt; then
         echo "expected out put $expected not found in:"
@@ -24,12 +22,12 @@
     MATCH "No search term specified. Here are some interesting snaps" < featured.txt
     MATCH "Provide a search term for more specific results." < featured.txt
 
-    if [ $(snap find | wc -l) -gt 50 ]; then
+    if [ "$(snap find | wc -l)" -gt 50 ]; then
         echo "Found more than 50 featured apps, this seems bogus:"
         snap find
         exit 1
     fi
-    if [ $(snap find | wc -l) -lt 2 ]; then
+    if [ "$(snap find | wc -l)" -lt 2 ]; then
         echo "Not found any featured app, this seems bogus:"
         snap find
         exit 1
@@ -38,28 +36,22 @@
     echo "Exact matches"
     for snapName in test-snapd-tools test-snapd-python-webserver
     do
-        expected="(?s)Name +Version +Developer +Notes +Summary *\n\
-    (.*?\n)?\
-    $snapName +.*? *\n\
-    .*"
+        expected="(?s)Name +Version +Publisher +Notes +Summary *\\n(.*?\\n)?${snapName} +.*? *\\n.*"
         snap find $snapName | grep -Pzq "$expected"
     done
 
     echo "Partial terms work too"
-    expected="(?s)Name +Version +Developer +Notes +Summary *\n\
-    (.*?\n)?\
-    test-snapd-tools +.*? *\n\
-    .*"
+    expected='(?s)Name +Version +Publisher +Notes +Summary *\n(.*?\n)?test-snapd-tools +.*? *\n.*'
     snap find test-snapd- | grep -Pzq "$expected"
 
     echo "List of snaps in a section works"
     # NOTE: this shows featured snaps which change all the time, do not
     # make any assumptions about the contents
-    test $(snap find --section=featured | wc -l) -gt 1
+    test "$(snap find --section=featured | wc -l)" -gt 1
 
     # TODO: discuss with the store how we can make this test stable, i.e.
     #       that section/snap changes do not break us
-    if [ $(uname -m) = "x86_64" ]; then
+    if [ "$(uname -m)" = "x86_64" ]; then
         snap find --section=video vlc | MATCH vlc
     else
         snap find --section=video vlc 2>&1 | MATCH 'No matching snaps'
@@ -69,4 +61,8 @@
     if snap find " " | grep "status code 403"; then
         echo 'snap find " " returns non user friendly error with whitespace query'
         exit 1
-    fi
\ No newline at end of file
+    fi
+
+    echo "List of snaps in edge and beta channels"
+    snap find test-snapd-just- | MATCH "test-snapd-just-edge"
+    snap find test-snapd-just- | MATCH "test-snapd-just-beta"
diff -Nru snapd-2.32.3.2~14.04/tests/main/seccomp-statx/task.yaml snapd-2.37~rc1~14.04/tests/main/seccomp-statx/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/seccomp-statx/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/seccomp-statx/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,16 @@
+summary: the statx system call is not blocked by seccomp
+details: |
+    The statx(2) system call is a relatively new addition and is not
+    available on each kernel but should not be blocked by seccomp
+    when the kernel implements it
+# This test will only pass on Ubuntu 18.10 and on other systems with seccomp
+# 2.3.3 or newer. Eventually with some tricks we should be able to support all
+# systems but for the purpose of snapd 2.36 this is the best we can do.
+systems: [ubuntu-18.10-*]
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-statx
+execute: |
+    # Notably, this doesn't print statx: blocked anymore
+    test-snapd-statx | MATCH 'statx: (supported|missing)'
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-apparmor/task.yaml snapd-2.37~rc1~14.04/tests/main/security-apparmor/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-apparmor/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-apparmor/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,8 +2,13 @@
 
 prepare: |
     echo "Given a basic snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
+
+restore: |
+    rm -f touch.error
+
 execute: |
     if [ "$(snap debug confinement)" = partial ] ; then
         exit 0
@@ -18,5 +23,3 @@
         exit 1
     fi
     [ "$(cat touch.error)" = "touch: cannot touch '/dev/shm/snap.not-test-snapd-tools.foo': Permission denied" ]
-restore: |
-    rm -f touch.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-device-cgroups/task.yaml snapd-2.37~rc1~14.04/tests/main/security-device-cgroups/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-device-cgroups/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-device-cgroups/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -77,11 +77,12 @@
     fi
 
     echo "Given a snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
     echo "Then the device is not assigned to that snap"
-    ! udevadm info $UDEVADM_PATH | MATCH "E: TAGS=.*snap_test-snapd-tools_env"
+    ! udevadm info "$UDEVADM_PATH" | MATCH "E: TAGS=.*snap_test-snapd-tools_env"
 
     echo "And the device is not shown in the snap device list"
     # FIXME: this is, apparently, a layered can of worms. Zyga says he needs to fix it.
@@ -89,8 +90,6 @@
         MATCH -v "$DEVICE_ID" < /sys/fs/cgroup/devices/snap.test-snapd-tools.env/devices.list
     fi
 
-    echo "================================================="
-
     echo "When a udev rule assigning the device to the snap is added"
     content="KERNEL==\"$DEVICE_NAME\", TAG+=\"snap_test-snapd-tools_env\""
     echo "$content" > /etc/udev/rules.d/70-snap.test-snapd-tools.rules
@@ -100,12 +99,10 @@
     udevadm settle
 
     echo "Then the device is shown as assigned to the snap"
-    udevadm info $UDEVADM_PATH | MATCH "E: TAGS=.*snap_test-snapd-tools_env"
+    udevadm info "$UDEVADM_PATH" | MATCH "E: TAGS=.*snap_test-snapd-tools_env"
 
     echo "And other devices are not shown as assigned to the snap"
-    udevadm info $OTHER_UDEVADM_PATH | MATCH -v "E: TAGS=.*snap_test-snapd-tools_env"
-
-    echo "================================================="
+    udevadm info "$OTHER_UDEVADM_PATH" | MATCH -v "E: TAGS=.*snap_test-snapd-tools_env"
 
     echo "When a snap command is called"
     test-snapd-tools.env
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-classic/task.yaml snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-classic/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-classic/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-classic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,9 +5,9 @@
     sure that other devices are still accessible (ie, the cgroup is not in
     effect).
 
-# Disabled on Fedora and Ubuntu Core because they don't support classic
+# Disabled on Fedora, Ubuntu Core and Arch because they don't support classic
 # confinement.
-systems: [-fedora-*, -ubuntu-core-*]
+systems: [-fedora-*, -ubuntu-core-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
     # Create framebuffer device node and give it some content we can verify
@@ -18,7 +18,8 @@
     fi
 
     echo "Given a snap declaring a plug on framebuffer is installed in classic"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local_classic test-classic-cgroup
 
 restore: |
@@ -27,11 +28,12 @@
     fi
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     # classic snaps don't use 'plugs', so just test the accesses after install
     echo "the classic snap can access the framebuffer"
     "$SNAP_MOUNT_DIR"/bin/test-classic-cgroup.read-fb 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
 
     echo "the classic snap can access other devices"
-    test "`$SNAP_MOUNT_DIR/bin/test-classic-cgroup.read-kmsg`"
+    test "$($SNAP_MOUNT_DIR/bin/test-classic-cgroup.read-kmsg)"
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-devmode/task.yaml snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-devmode/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-devmode/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-devmode/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -13,30 +13,40 @@
         touch /dev/fb0.spread
     fi
 
+    # Create a test char device so we can verify the test snap cannot read.
+    if [ ! -e /dev/test1 ]; then
+        mknod /dev/test1 c 29 1
+        touch /dev/test1.spread
+    fi
+
     echo "Given a snap declaring a plug on framebuffer is installed in devmode"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local_devmode test-devmode-cgroup
 
 restore: |
     if [ -e /dev/fb0.spread ]; then
         rm -f /dev/fb0 /dev/fb0.spread
     fi
+    if [ -e /dev/test1.spread ]; then
+        rm -f /dev/test1 /dev/test1.spread
+    fi
 
 execute: |
-    . $TESTSLIB/dirs.sh
-
     echo "And the framebuffer plug is connected"
     snap connect test-devmode-cgroup:framebuffer
+
     echo "the devmode snap can access the framebuffer"
-    "$SNAP_MOUNT_DIR"/bin/test-devmode-cgroup.read-fb 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
+    test-devmode-cgroup.read-dev fb0 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
 
     echo "the devmode snap can access other devices"
-    test "`$SNAP_MOUNT_DIR/bin/test-devmode-cgroup.read-kmsg`"
+    test-devmode-cgroup.read-dev test1 | MATCH -v '(Permission denied|Operation not permitted)'
 
     echo "And the framebuffer plug is disconnected"
     snap disconnect test-devmode-cgroup:framebuffer
+
     echo "the devmode snap can access the framebuffer"
-    "$SNAP_MOUNT_DIR"/bin/test-devmode-cgroup.read-fb 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
+    test-devmode-cgroup.read-dev fb0 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
 
     echo "the devmode snap can access other devices"
-    test "`$SNAP_MOUNT_DIR/bin/test-devmode-cgroup.read-kmsg`"
+    test-devmode-cgroup.read-dev test1 | MATCH -v '(Permission denied|Operation not permitted)'
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-jailmode/task.yaml snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-jailmode/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-jailmode/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-jailmode/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -6,7 +6,7 @@
     still accessible (ie, the cgroup is not in effect).
 
 # None of those systems support strict confinement which is required to formally enable jailmode.
-systems: [-fedora-*, -opensuse-*, -debian-*]
+systems: [-fedora-*, -opensuse-*, -debian-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
     # Create framebuffer device node and give it some content we can verify
@@ -16,30 +16,40 @@
         touch /dev/fb0.spread
     fi
 
+    # Create a test char device so we can verify the test snap cannot read.
+    if [ ! -e /dev/test1 ]; then
+        mknod /dev/test1 c 29 1
+        touch /dev/test1.spread
+    fi
+
     echo "Given a snap declaring a plug on framebuffer is installed in jailmode"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local_jailmode test-devmode-cgroup
 
 restore: |
     if [ -e /dev/fb0.spread ]; then
         rm -f /dev/fb0 /dev/fb0.spread
     fi
+    if [ -e /dev/test1.spread ]; then
+        rm -f /dev/test1 /dev/test1.spread
+    fi
 
 execute: |
-    . $TESTSLIB/dirs.sh
-
     echo "And the framebuffer plug is connected"
     snap connect test-devmode-cgroup:framebuffer
+
     echo "the jailmode snap can access the framebuffer"
-    "$SNAP_MOUNT_DIR"/bin/test-devmode-cgroup.read-fb 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
+    test-devmode-cgroup.read-dev fb0 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
 
     echo "the jailmode snap cannot access other devices"
-    "$SNAP_MOUNT_DIR"/bin/test-devmode-cgroup.read-kmsg 2>&1 | MATCH '(Permission denied|Operation not permitted)'
+    test-devmode-cgroup.read-dev test1 2>&1 | MATCH '(Permission denied|Operation not permitted)'
 
     echo "And the framebuffer plug is disconnected"
     snap disconnect test-devmode-cgroup:framebuffer
+
     echo "the jailmode snap cannot access the framebuffer"
-    "$SNAP_MOUNT_DIR"/bin/test-devmode-cgroup.read-fb 2>&1 | MATCH '(Permission denied|Operation not permitted)'
+    test-devmode-cgroup.read-dev fb0 2>&1 | MATCH '(Permission denied|Operation not permitted)'
 
     echo "the jailmode snap cannot access other devices"
-    "$SNAP_MOUNT_DIR"/bin/test-devmode-cgroup.read-kmsg 2>&1 | MATCH '(Permission denied|Operation not permitted)'
+    test-devmode-cgroup.read-dev test1 2>&1 | MATCH '(Permission denied|Operation not permitted)'
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-serial-port/task.yaml snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-serial-port/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-serial-port/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-serial-port/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -22,7 +22,8 @@
 
 execute: |
     echo "Given a snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
     echo "Then the device is not assigned to that snap"
@@ -39,8 +40,6 @@
         MATCH -v "c 4:68 rwm" < /sys/fs/cgroup/devices/snap.test-snapd-tools.env/devices.list
     fi
 
-    echo "================================================="
-
     echo "When a udev rule assigning the device to the snap is added"
     content="SUBSYSTEM==\"tty\", KERNEL==\"ttyS4\", TAG+=\"snap_test-snapd-tools_env\""
     echo "$content" > /etc/udev/rules.d/70-snap.test-snapd-tools.rules
@@ -52,8 +51,6 @@
     echo "Then the device is shown as assigned to the snap"
     udevadm info /dev/ttyS4 | MATCH "E: TAGS=.*snap_test-snapd-tools_env"
 
-    echo "================================================="
-
     echo "When a snap command is called"
     test-snapd-tools.env
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-strict/task.yaml snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-strict/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-device-cgroups-strict/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-device-cgroups-strict/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,7 +5,7 @@
     sure that other devices not included in the snap's plugged interfaces are
     still accessible (ie, the cgroup is not in effect).
 
-systems: [-fedora-*, -opensuse-*,-debian-*]
+systems: [-fedora-*, -opensuse-*,-debian-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
     # Create framebuffer device node and give it some content we can verify
@@ -16,7 +16,8 @@
     fi
 
     echo "Given a snap declaring a plug on framebuffer is installed in strict"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-strict-cgroup
 
 restore: |
@@ -25,20 +26,20 @@
     fi
 
 execute: |
-    . $TESTSLIB/dirs.sh
-
     echo "And the framebuffer plug is connected"
     snap connect test-strict-cgroup:framebuffer
+
     echo "the strict snap can access the framebuffer"
-    "$SNAP_MOUNT_DIR"/bin/test-strict-cgroup.read-fb 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
+    test-strict-cgroup.read-dev fb0 2>&1 | MATCH -v '(Permission denied|Operation not permitted)'
 
     echo "the strict snap cannot access other devices"
-    "$SNAP_MOUNT_DIR"/bin/test-strict-cgroup.read-kmsg 2>&1 | MATCH '(Permission denied|Operation not permitted)'
+    test-strict-cgroup.read-dev mem 2>&1 | MATCH '(Permission denied|Operation not permitted)'
 
     echo "And the framebuffer plug is disconnected"
     snap disconnect test-strict-cgroup:framebuffer
+
     echo "the strict snap cannot access the framebuffer"
-    "$SNAP_MOUNT_DIR"/bin/test-strict-cgroup.read-fb 2>&1 | MATCH '(Permission denied|Operation not permitted)'
+    test-strict-cgroup.read-dev fb0 2>&1 | MATCH '(Permission denied|Operation not permitted)'
 
     echo "the strict snap cannot access other devices"
-    "$SNAP_MOUNT_DIR"/bin/test-strict-cgroup.read-kmsg 2>&1 | MATCH '(Permission denied|Operation not permitted)'
+    test-strict-cgroup.read-dev mem 2>&1 | MATCH '(Permission denied|Operation not permitted)'
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-dev-input-event-denied/task.yaml snapd-2.37~rc1~14.04/tests/main/security-dev-input-event-denied/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-dev-input-event-denied/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-dev-input-event-denied/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,108 @@
+summary: Ensure that /dev/input/event* is denied by default.
+
+details: |
+    The default policy disallows access to /dev/input/event*.
+
+    The joystick interface disallows access to /dev/input/event* for
+    non-joysticks.
+
+    The device-buttons interface disallows access to /dev/input/event* for
+    non-device-keys.
+
+    The test checks the snap is not able to access /dev/input/event* with or
+    without the joystick or device-buttons interface(s) connected. We do this
+    since the /dev/input/event* devices are sensitive and because these
+    interfaces add a /dev/input/event* AppArmor glob rule that relies entirely
+    on the device cgroup for enforcement.
+
+prepare: |
+    echo "Given the test-snapd-event snap is installed"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-event
+
+restore: |
+    rm -f call.error
+
+execute: |
+    if [ -z "$(find /dev/input/by-path -name '*-event-kbd')" ]; then
+        if [ "$SPREAD_SYSTEM" = "ubuntu-16.04-64" ]; then
+            # ensure the test runs at least on this spread system
+            echo "No /dev/input/by-path but this test cannot be skipped on ubuntu-16.04-64"
+            exit 1
+        fi
+        echo "SKIP: no /dev/input/by-path"
+        exit 0
+    fi
+
+    # Default state of both interfaces
+
+    echo "The joystick plug is not connected by default"
+    snap interfaces -i joystick | MATCH '\- +test-snapd-event:joystick'
+
+    echo "The device-buttons plug is not connected by default"
+    snap interfaces -i device-buttons | MATCH '\- +test-snapd-event:device-buttons'
+
+    if [ "$(snap debug confinement)" != "strict" ]; then
+        exit 0
+    fi
+
+    # 1. Joystick
+
+    echo "Then the snap is not able to access an evdev keyboard"
+    if test-snapd-event "-event-kbd" 2>"${PWD}"/call.error; then
+        echo "Expected permission error calling evtest with disconnected plug"
+        exit 1
+    fi
+    # AppArmor is 'Permission denied' which is expected with default policy
+    MATCH "Permission denied" < call.error
+
+    echo "When the joystick plug is connected"
+    snap connect test-snapd-event:joystick
+    udevadm settle
+
+    # Note, '-event-kbd' devices aren't joysticks (those are -event-joystick
+    # (evdev event*) and -joystick (js*)) and therefore shouldn't be added to
+    # the device cgroup when the joystick interface is plugged.
+    echo "Then the snap is still not able to access an evdev keyboard"
+    if test-snapd-event "-event-kbd" 2>"${PWD}"/call.error; then
+        echo "Expected permission error calling evtest with connected joystick plug"
+        exit 1
+    fi
+    # device cgroup is 'Operation not permitted' which is expected when the
+    # joystick interface is connected since a keyboard shouldn't be added to
+    # the device cgroup.
+    MATCH "Operation not permitted" < call.error
+
+    # joystick AppArmor profile allows access to devices which are also included
+    # in device buttons, make sure we start in clean state and disconnect the
+    # joystick interface
+    snap disconnect test-snapd-event:joystick
+    udevadm settle
+
+    # 2. Device Buttons
+
+    echo "Then the snap is not able to access an evdev keyboard"
+    if test-snapd-event "-event-kbd" 2>"${PWD}"/call.error; then
+        echo "Expected permission error calling evtest with disconnected plug"
+        exit 1
+    fi
+    # AppArmor is 'Permission denied' which is expected with default policy
+    MATCH "Permission denied" < call.error
+
+    echo "When the device-buttons plug is connected"
+    snap connect test-snapd-event:device-buttons
+    udevadm settle
+
+    # Note, '-event-kbd' devices aren't device buttons (those are
+    # -gpio-keys-event (evdev event*) and therefore shouldn't be added to
+    # the device cgroup when the device-buttons interface is plugged.
+    echo "Then the snap is still not able to access an evdev keyboard"
+    if test-snapd-event "-event-kbd" 2>"${PWD}"/call.error; then
+        echo "Expected permission error calling evtest with connected device-buttons plug"
+        exit 1
+    fi
+    # device cgroup is 'Operation not permitted' which is expected when the
+    # device-buttons interface is connected since a keyboard shouldn't be added
+    # to the device cgroup.
+    MATCH "Operation not permitted" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-devpts/task.yaml snapd-2.37~rc1~14.04/tests/main/security-devpts/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-devpts/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-devpts/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -6,16 +6,13 @@
     fi
 
     echo "Given a basic snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-devpts
 
-    CONNECTED_PATTERN=":physical-memory-observe +test-snapd-devpts"
-    DISCONNECTED_PATTERN="\- +test-snapd-devpts:physical-memory-observe"
-
     echo "When no plugs are not connected"
-    if snap interfaces | MATCH "$CONNECTED_PATTERN" ; then
+    if snap interfaces -i physical-memory-observe | MATCH ":physical-memory-observe .*test-snapd-devpts" ; then
         snap disconnect test-snapd-devpts:physical-memory-observe
-        snap interfaces | MATCH "$DISCONNECTED_PATTERN"
     fi
 
     echo "Then can openpty"
@@ -26,7 +23,6 @@
 
     echo "When a udev tagging plug is connected"
     snap connect test-snapd-devpts:physical-memory-observe
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
 
     echo "Then can openpty"
     test-snapd-devpts.openpty | MATCH PASS
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-private-tmp/task.yaml snapd-2.37~rc1~14.04/tests/main/security-private-tmp/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-private-tmp/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-private-tmp/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,28 +1,30 @@
 summary: Ensure that the security rules for private tmp are in place.
 
 # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el]
 
 environment:
     SNAP_INSTALL_DIR: $(pwd)/snap-install-dir
 
 prepare: |
     echo "Given a basic snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
     echo "And another basic snap is installed"
-    mkdir -p $SNAP_INSTALL_DIR
-    cp -ra $TESTSLIB/snaps/test-snapd-tools/* $SNAP_INSTALL_DIR
-    sed -i 's/test-snapd-tools/not-test-snapd-tools/g' $SNAP_INSTALL_DIR/meta/snap.yaml
-    snap pack $SNAP_INSTALL_DIR
+    mkdir -p "$SNAP_INSTALL_DIR"
+    cp -ra "$TESTSLIB"/snaps/test-snapd-tools/* "$SNAP_INSTALL_DIR"
+    sed -i 's/test-snapd-tools/not-test-snapd-tools/g' "$SNAP_INSTALL_DIR/meta/snap.yaml"
+    snap pack "$SNAP_INSTALL_DIR"
     snap install --dangerous not-test-snapd-tools_1.0_all.snap
 
 restore: |
-    rm -rf not-test-snapd-tools_1.0_all.snap "$SNAP_INSTALL_DIR" /tmp/foo *stat.error
+    rm -rf not-test-snapd-tools_1.0_all.snap "$SNAP_INSTALL_DIR" /tmp/foo ./*stat.error
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "When a temporary file is created by one snap"
     expect -d -f tmp-create.exp
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-profiles/task.yaml snapd-2.37~rc1~14.04/tests/main/security-profiles/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-profiles/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-profiles/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,8 @@
 summary: Check security profile generation for apps and hooks.
 
 prepare: |
-    snap pack $TESTSLIB/snaps/basic-hooks
+    snap pack "$TESTSLIB"/snaps/basic-hooks
+
 restore: |
     rm -f basic-hooks_1.0_all.snap
 
@@ -13,13 +14,14 @@
     seccomp_profile_directory="/var/lib/snapd/seccomp/bpf"
 
     echo "Security profiles are generated and loaded for apps"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
     loaded_profiles=$(cat /sys/kernel/security/apparmor/profiles)
 
     for profile in snap.test-snapd-tools.block snap.test-snapd-tools.cat snap.test-snapd-tools.echo snap.test-snapd-tools.fail snap.test-snapd-tools.success
     do
-        MATCH "^${profile} \(enforce\)$" <<<"$loaded_profiles"
+        MATCH "^${profile} \\(enforce\\)$" <<<"$loaded_profiles"
         [ -f "$seccomp_profile_directory/${profile}.bin" ]
     done
 
@@ -27,5 +29,5 @@
     snap install --dangerous basic-hooks_1.0_all.snap
     loaded_profiles=$(cat /sys/kernel/security/apparmor/profiles)
 
-    echo "$loaded_profiles" | MATCH "^snap.basic-hooks.hook.configure \(enforce\)$"
+    echo "$loaded_profiles" | MATCH '^snap.basic-hooks.hook.configure \(enforce\)$'
     [ -f "$seccomp_profile_directory/snap.basic-hooks.hook.configure.bin" ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-setuid-root/task.yaml snapd-2.37~rc1~14.04/tests/main/security-setuid-root/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-setuid-root/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-setuid-root/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,41 +1,44 @@
 summary: Check that snap-confine refuses to run unconfined
 
-systems:
-    # No confinement (AppArmor, Seccomp) available on these systems
-    - -debian-*
-    - -fedora-*
-    - -opensuse-*
-
 details: |
     snap-confine is setuid root but is only confined with an apparmor profile
     when invoked as a system-installed package or when running in the core from
     the usual location (/usr/lib/snapd/snap-confine). As a security precaution
     it should detect and refuse to run if invoked from the core snap.
+
+# No confinement (AppArmor, Seccomp) available on these systems
+systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
     echo "Ensure the snap-confine profiles on core are not loaded"
-    for p in /etc/apparmor.d/snap.core.*.usr.lib.snapd.snap-confine; do
+    for p in /var/lib/snapd/apparmor/profiles/snap-confine.*; do
         apparmor_parser -R "$p"
     done
+
 restore: |
     echo "Ensure the snap-confine profiles are restored"
-    for p in /etc/apparmor.d/snap.core.*.usr.lib.snapd.snap-confine; do
-        apparmor_parser -r $p
+    for p in /var/lib/snapd/apparmor/profiles/snap-confine.*; do
+        apparmor_parser -r "$p"
     done
+
+debug: |
+    ls -ld "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine" || true
+    ls -ld "$SNAP_MOUNT_DIR/ubuntu-core/current/usr/lib/snapd/snap-confine" || true
+    ls -ld /usr/lib/snapd/snap-confine || true
+    snap list
+
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     # NOTE: This has to run as the test user because the protection is only
     # active if user gains elevated permissions as a result of using setuid
     # root snap-confine.
-    if su test -c "sh -c \"SNAP_NAME=test-snapd-tools $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine snap.test-snapd-tools.cmd /bin/true 2>/dev/null\""; then
+    if su test -c "sh -c \"SNAP_NAME=test-snapd-tools SNAP_INSTANCE_NAME=test-snapd-tools $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine snap.test-snapd-tools.cmd /bin/true 2>/dev/null\""; then
         echo "snap-confine didn't refuse to run!"
         exit 1
     fi
-    su test -c "sh -c \"SNAP_NAME=test-snapd-tools $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine snap.test-snapd-tools.cmd /bin/true 2>&1\"" | MATCH "Refusing to continue to avoid permission escalation attacks"
-debug: |
-    ls -ld $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine || true
-    ls -ld $SNAP_MOUNT_DIR/ubuntu-core/current/usr/lib/snapd/snap-confine || true
-    ls -ld /usr/lib/snapd/snap-confine || true
-    snap list
+    su test -c "sh -c \"SNAP_NAME=test-snapd-tools SNAP_INSTANCE_NAME=test-snapd-tools $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-confine snap.test-snapd-tools.cmd /bin/true 2>&1\"" | MATCH "Refusing to continue to avoid permission escalation attacks"
diff -Nru snapd-2.32.3.2~14.04/tests/main/security-udev-input-subsystem/task.yaml snapd-2.37~rc1~14.04/tests/main/security-udev-input-subsystem/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/security-udev-input-subsystem/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/security-udev-input-subsystem/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,87 @@
+summary: Ensure that /dev/input/event* is allowed to slot snaps that need it
+
+details: |
+        The default policy disallows access to /dev/input/event* and snapd
+        by default uses 'udevadm trigger --subsystem-nomatch=input'. Some slots
+        like mir, wayland and x11 actually need access to /dev/input/event* and
+        request snapd perform 'udevadm trigger --subsystem-match=input'. For
+        this test, use a snap that slots 'mir' since it is allowed on Core and
+        classic distro. Also test that simply plugging 'mir' does not grant the
+        access and that plugging mir with another interface (specifically,
+        time-control) that trigger the device cgroup also does not.
+
+prepare: |
+    echo "Given the test-snapd-udev-input-subsystem is installed"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-udev-input-subsystem
+
+restore: |
+    rm -f call.error
+
+execute: |
+    if [ -z "$(find /dev/input/by-path -name '*-event-kbd')" ]; then
+        if [ "$SPREAD_SYSTEM" = "ubuntu-16.04-64" ]; then
+            # ensure the test runs at least on this spread system
+            echo "No /dev/input/by-path but this test cannot be skipped on ubuntu-16.04-64"
+            exit 1
+        fi
+        echo "SKIP: no /dev/input/by-path or keyboard input detected"
+        exit 0
+    fi
+
+    echo "The mir slot and plug are available by default and connected"
+    snap interfaces -i mir | MATCH "test-snapd-udev-input-subsystem:mir-slot +test-snapd-udev-input-subsystem:mir-plug"
+
+    echo "The snap's slot can access an evdev keyboard"
+    test-snapd-udev-input-subsystem.slot
+
+    if [ "$(snap debug confinement)" != "strict" ]; then
+        exit 0
+    fi
+
+    echo "The snap's plug cannot access an evdev keyboard when connected"
+    if test-snapd-udev-input-subsystem.plug 2>"${PWD}"/call.error; then
+        echo "Expected permission error with connected plug"
+        exit 1
+    fi
+    # AppArmor is 'Permission denied' which is expected with default policy
+    MATCH "Permission denied" < call.error
+
+    echo "When the mir plug is disconnected"
+    snap disconnect test-snapd-udev-input-subsystem:mir-plug test-snapd-udev-input-subsystem:mir-slot
+    snap interfaces -i mir | MATCH -- '- +test-snapd-udev-input-subsystem:mir-plug'
+
+    echo "The snap's plug still cannot access an evdev keyboard"
+    if test-snapd-udev-input-subsystem.plug 2>"${PWD}"/call.error; then
+        echo "Expected permission error with disconnected plug"
+        exit 1
+    fi
+    # AppArmor is 'Permission denied' which is expected with default policy
+    MATCH "Permission denied" < call.error
+
+    echo "When the time-control plug is disconnected"
+    snap interfaces -i time-control | MATCH ':time-control +-'
+
+    echo "The snap's time-control plug cannot access an evdev keyboard when disconnected"
+    if test-snapd-udev-input-subsystem.plug-with-time-control 2>"${PWD}"/call.error; then
+        echo "Expected permission error with disconnected time-control plug"
+        exit 1
+    fi
+    # AppArmor is 'Permission denied' which is expected with default policy
+    MATCH "Permission denied" < call.error
+
+    echo "When the time-control plug is connected"
+    snap connect test-snapd-udev-input-subsystem:time-control
+    snap interfaces -i time-control | MATCH ":time-control +test-snapd-udev-input-subsystem"
+
+    echo "The snap's plug still cannot access an evdev keyboard"
+    if test-snapd-udev-input-subsystem.plug-with-time-control 2>"${PWD}"/call.error; then
+        echo "Expected permission error with disconnected time-control plug"
+        exit 1
+    fi
+    # device cgroup is 'Operation not permitted' which is expected since the
+    # device cgroup is in effect (because of rtc) and the device isn't in the
+    # cgroup. DAC is evaluated before AppArmor so since the device wasn't added
+    # to the cgroup, we see a DAC denial.
+    MATCH "Operation not permitted" < call.error
diff -Nru snapd-2.32.3.2~14.04/tests/main/selinux-snap-restorecon/task.yaml snapd-2.37~rc1~14.04/tests/main/selinux-snap-restorecon/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/selinux-snap-restorecon/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/selinux-snap-restorecon/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,55 @@
+summary: Check that snap run automatically restores SELinux context
+
+description: |
+    Verify that snap run automatically restores the SELinux context of $HOME/snap.
+
+systems: [fedora-*, centos-*]
+prepare: |
+    snap install test-snapd-tools
+    if [ -d /home/test/snap ]; then
+        mv /home/test/snap /home/test/snap.old
+    fi
+
+restore: |
+    if [ -d /home/test/snap.old ]; then
+        rm -rf /home/test/snap
+        mv /home/test/snap.old /home/test/snap
+    fi
+
+execute: |
+    # TODO: extend the test to work for root when the policy is fixed for admin_home_t
+    # TODO: use snap debug sandbox-features once selinux backend is added
+
+    test ! -d /home/test/snap
+    su -c "test-snapd-tools.cmd sh -c 'touch \$SNAP_USER_DATA/foo'" test
+    test -d /home/test/snap
+
+    echo "The snap user directory and data inside has the right context"
+
+    ls -dZ /home/test/snap /home/test/snap/test-snapd-tools /home/test/snap/test-snapd-tools/current/foo > test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap$'                              < test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap/test-snapd-tools$'             < test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap/test-snapd-tools/current/foo$' < test-labels
+
+    echo "When the context of \$HOME/snap is changed"
+    chcon -t unlabeled_t -R /home/test/snap
+    chcon -t unlabeled_t -R /home/test/snap/test-snapd-tools/current/foo
+    #shellcheck disable=SC2012
+    ls -dZ /home/test/snap | MATCH ':unlabeled_t:'
+
+    echo "It gets restored recursively"
+    su -c 'test-snapd-tools.cmd id -Z' test
+
+    ls -dZ /home/test/snap /home/test/snap/test-snapd-tools /home/test/snap/test-snapd-tools/current/foo > test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap$'                              < test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap/test-snapd-tools$'             < test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap/test-snapd-tools/current/foo$' < test-labels
+
+    echo "Restoring happens only when the context of \$HOME/snap is incorrect"
+    chcon -t unlabeled_t -R /home/test/snap/test-snapd-tools/current/foo
+    su -c 'test-snapd-tools.cmd id -Z' test
+
+    ls -dZ /home/test/snap /home/test/snap/test-snapd-tools /home/test/snap/test-snapd-tools/current/foo > test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap$'                            < test-labels
+    MATCH '^.*:snappy_home_t:.*/home/test/snap/test-snapd-tools$'           < test-labels
+    MATCH '^.*:unlabeled_t:.*/home/test/snap/test-snapd-tools/current/foo$' < test-labels
diff -Nru snapd-2.32.3.2~14.04/tests/main/server-snap/task.yaml snapd-2.37~rc1~14.04/tests/main/server-snap/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/server-snap/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/server-snap/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,7 @@
 summary: Check snap web servers
 
-systems: [-fedora-*, -opensuse-*]
+# arch: there is no ip6-localhost
+systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 environment:
     SNAP_NAME/pythonServer: test-snapd-python-webserver
@@ -17,13 +18,15 @@
 warn-timeout: 3m
 
 prepare: |
-    snap install $SNAP_NAME
+    snap install "$SNAP_NAME"
     cat > request.txt <<EOF
     GET / HTTP/1.0
 
     EOF
     echo "Wait for the service to be listening, limited to the task kill-timeout"
-    while ! netstat -lnt | grep -Pq "tcp.*?:$PORT +.*?LISTEN\n*"; do sleep 0.5; done
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    wait_listen_port "$PORT"
 
 restore: |
     rm -f request.txt
@@ -31,6 +34,6 @@
 execute: |
     response=$(nc -w 5 -"$IP_VERSION" "$LOCALHOST" "$PORT" < request.txt)
 
-    statusPattern="(?s)HTTP\/1\.0 200 OK\n*"
+    statusPattern='(?s)HTTP\/1\.0 200 OK\n*'
     echo "$response" | grep -Pzq "$statusPattern"
     echo "$response" | grep -Pzq "$TEXT"
diff -Nru snapd-2.32.3.2~14.04/tests/main/set-proxy-store/task.yaml snapd-2.37~rc1~14.04/tests/main/set-proxy-store/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/set-proxy-store/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/set-proxy-store/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Check that the setting proxy.store config works
-systems: [-ubuntu-core-16-*]
+
+systems: [-ubuntu-core-*]
+
 environment:
     SNAP_NAME: test-snapd-tools
     SNAP_VERSION_PATTERN: \d+\.\d+\+fake1
@@ -12,10 +14,11 @@
     fi
 
     echo "Given a snap is installed"
-    snap install $SNAP_NAME
+    snap install "$SNAP_NAME"
 
-    . $TESTSLIB/store.sh
-    setup_fake_store $BLOB_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    setup_fake_store "$BLOB_DIR"
     # undo the setup through envvars
     systemctl stop snapd.service snapd.socket
     rm /etc/systemd/system/snapd.service.d/store.conf
@@ -23,16 +26,18 @@
     systemctl start snapd.socket
 
     # prepare bundle
-    cat $TESTSLIB/assertions/testrootorg-store.account-key >fake.store
+    cat "$TESTSLIB"/assertions/testrootorg-store.account-key >fake.store
+    #shellcheck disable=SC2129
     echo >>fake.store
-    cat $TESTSLIB/assertions/developer1.account >>fake.store
+    cat "$TESTSLIB"/assertions/developer1.account >>fake.store
+    #shellcheck disable=SC2129
     echo >>fake.store
-    cat $TESTSLIB/assertions/fake.store >>fake.store
+    cat "$TESTSLIB"/assertions/fake.store >>fake.store
     echo "Ack fake store assertion"
     snap ack fake.store
 
     echo "And a new version of that snap put in the controlled store"
-    init_fake_refreshes $BLOB_DIR $SNAP_NAME
+    init_fake_refreshes "$BLOB_DIR" "$SNAP_NAME"
 
 restore: |
     rm -f fake.store
@@ -44,8 +49,9 @@
 
     snap set core proxy.store=
 
-    . $TESTSLIB/store.sh
-    teardown_fake_store $BLOB_DIR
+    #shellcheck source=tests/lib/store.sh
+    . "$TESTSLIB"/store.sh
+    teardown_fake_store "$BLOB_DIR"
 
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
@@ -68,7 +74,7 @@
     snap set core proxy.store=fake
 
     echo "Now we can proceed with the refresh from the fakestore"
-    snap refresh $SNAP_NAME
+    snap refresh "$SNAP_NAME"
 
     echo "Then the new version is listed"
     snap list | grep -Pzq "$expected"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-advise-command/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-advise-command/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-advise-command/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-advise-command/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -15,7 +15,7 @@
 execute: |
     echo "wait for snapd to pull in the commands data"
     echo "(it will do that on startup)"
-    for i in $(seq 120); do
+    for _ in $(seq 120); do
        if stat /var/cache/snapd/commands.db; then
            break
        fi
@@ -23,17 +23,17 @@
     done
     stat /var/cache/snapd/commands.db
     echo "Ensure the database is readable by a regular user"
-    if [ $(stat -c "%a" /var/cache/snapd/commands.db) != "644" ]; then
+    if [ "$(stat -c '%a' /var/cache/snapd/commands.db)" != "644" ]; then
         echo "incorrect permissions for /var/cache/snapd/commands.db"
         echo "expected 0644 got:"
         stat /var/cache/snapd/commands.db
         exit 1
     fi
 
-    echo "Ensure `snap advise-snap --command` lookup works"
+    echo "Ensure 'snap advise-snap --command' lookup works"
     snap advise-snap --command test-snapd-tools.echo | MATCH test-snapd-tools
 
-    echo "Ensure `advise-snap --command` works as command-not-found symlink"
+    echo "Ensure 'advise-snap --command' works as command-not-found symlink"
     ln -s /usr/bin/snap /usr/lib/command-not-found
     /usr/lib/command-not-found test-snapd-tools.echo | MATCH test-snapd-tools
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-auto-import-asserts/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-auto-import-asserts/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-auto-import-asserts/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-auto-import-asserts/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -14,11 +14,12 @@
             exit 1
     fi
     echo "Create a ramdisk with the testrootorg-store.account-key assertion"
+    #shellcheck source=tests/lib/ramdisk.sh
     . "$TESTSLIB/ramdisk.sh"
     setup_ramdisk
     mkfs.vfat /dev/ram0
     mount /dev/ram0 /mnt
-    cp $TESTSLIB/assertions/testrootorg-store.account-key /mnt/auto-import.assert
+    cp "$TESTSLIB"/assertions/testrootorg-store.account-key /mnt/auto-import.assert
     sync
 
 restore: |
@@ -33,6 +34,6 @@
         echo "This test needs test keys to be trusted"
         exit
     fi
-    echo "`snap auto-import` imports assertions from the mounted ramdisk"
+    echo "$(snap auto-import) imports assertions from the mounted ramdisk"
     snap auto-import
     snap known account-key | MATCH "name: test-store"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-auto-import-asserts-spools/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-auto-import-asserts-spools/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-auto-import-asserts-spools/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-auto-import-asserts-spools/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -14,11 +14,12 @@
             exit 1
     fi
     echo "Create a ramdisk with the testrootorg-store.account-key assertion"
+    #shellcheck source=tests/lib/ramdisk.sh
     . "$TESTSLIB/ramdisk.sh"
     setup_ramdisk
     mkfs.vfat /dev/ram0
     mount /dev/ram0 /mnt
-    cp $TESTSLIB/assertions/testrootorg-store.account-key /mnt/auto-import.assert
+    cp "$TESTSLIB"/assertions/testrootorg-store.account-key /mnt/auto-import.assert
     sync
 
 restore: |
@@ -36,17 +37,17 @@
     echo "Simulate a not running snapd (happens on e.g. early boot)"
     systemctl stop snapd.service snapd.socket
 
-    echo "`snap auto-import` spooled assertions if it can not talk to snapd"
+    echo "'snap auto-import' spooled assertions if it can not talk to snapd"
     snap auto-import
     ls /run/snapd/auto-import
     umount /mnt
     systemctl start snapd.service snapd.socket
 
-    echo "`snap auto-import` reads from the auto-import dir"
+    echo "'snap auto-import' reads from the auto-import dir"
     snap auto-import
     snap known account-key | MATCH "name: test-store"
 
-    nr=$(ls /run/snapd/auto-import|wc -l)
+    nr=$(find /run/snapd/auto-import -maxdepth 1 -mindepth 1 |wc -l)
     if [ "$nr" != "0" ]; then
         echo "Expected an empty /run/snapd/auto-import got:"
         ls /run/snapd/auto-import
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-auto-mount/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-auto-mount/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-auto-mount/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-auto-mount/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -17,11 +17,12 @@
             exit 1
     fi
     echo "Create a ramdisk with the testrootorg-store.account-key assertion"
+    #shellcheck source=tests/lib/ramdisk.sh
     . "$TESTSLIB/ramdisk.sh"
     setup_ramdisk
     mkfs.vfat /dev/ram0
     mount /dev/ram0 /mnt
-    cp $TESTSLIB/assertions/testrootorg-store.account-key /mnt/auto-import.assert
+    cp "$TESTSLIB"/assertions/testrootorg-store.account-key /mnt/auto-import.assert
     sync
     umount /mnt
     echo "Create new block device to trigger auto-import mount"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-confine/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-confine/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-confine/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-confine/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,28 +2,30 @@
 
 # the error message can only happen on classic systems
 # our debian image does not have fully working apprmor
-systems: [-ubuntu-core-16-*, -debian-*]
+systems: [-ubuntu-core-*, -debian-*]
 
 prepare: |
     echo "Install test snap"
     snap install test-snapd-tools
 
 restore: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "Restore current symlink"
     mv $SNAP_MOUNT_DIR/core/current.renamed $SNAP_MOUNT_DIR/core/current ||  true
     rm -f snap-confine.stderr
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "Simulating broken current symlink for core"
     mv $SNAP_MOUNT_DIR/core/current $SNAP_MOUNT_DIR/core/current.renamed
     if test-snapd-tools.echo hello 2>snap-confine.stderr; then
         echo "test-snapd-tools.echo should fail to run, test broken"
     fi
-    cat snap-confine.stderr | MATCH 'cannot locate the core or legacy core snap \(current symlink missing\?\):'
+    MATCH 'cannot locate the core or legacy core snap \(current symlink missing\?\):' < snap-confine.stderr
     mv $SNAP_MOUNT_DIR/core/current.renamed $SNAP_MOUNT_DIR/core/current
 
     echo "Test nvidia device fix"
@@ -42,11 +44,11 @@
 
     echo "Ensure apparmor profile for snap-confine is parsable"
     for f in /etc/apparmor.d/usr.lib.snapd.snap-confine*; do
-        if which apparmor_parser 2>/dev/null; then
-            apparmor_parser -QTK $f
+        if command -v apparmor_parser 2>/dev/null; then
+            apparmor_parser -QTK "$f"
         fi
-        if which aa-enforce 2>/dev/null; then
-            aa-enforce $f
+        if command -v aa-enforce 2>/dev/null; then
+            aa-enforce "$f"
         fi
     done
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-confine-from-core/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-confine-from-core/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-confine-from-core/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-confine-from-core/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Test that snap-confine is run from core on re-exec
 
-# Disable for Fedora, openSUSE as re-exec is not support there yet
-systems: [-ubuntu-core-16-*, -fedora-*, -opensuse-*]
+# Disable for Fedora, openSUSE, Arch and Amazon Linux 2 as re-exec is not support there yet
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
     echo "Installing test-snapd-tools"
@@ -14,6 +14,11 @@
     chmod 4755 /usr/lib/snapd/snap-confine
 
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+
     if [ "${SNAP_REEXEC:-}" = "0" ]; then
         echo "skipping test when SNAP_REEXEC is disabled"
         exit 0
@@ -21,8 +26,44 @@
 
     echo "Ensure we re-exec by default"
     snap list
-    journalctl | MATCH "DEBUG: restarting into"
+
+    check_journalctl_log "DEBUG: restarting into"
 
     echo "Ensure snap-confine from the core snap is run"
-    # do not use "strace -f" for unknown reasons that hangs
     test-snapd-tools.echo hello
+
+
+    echo "Check if snap-confine profile generation test is applicable"
+    if [ "$(aa-enabled)" != "Yes" ]; then
+        if [ "$SPREAD_SYSTEM" = "ubuntu-16.04-64" ]; then
+            echo "No apparmor on ubuntu-16.04-64 is impossible"
+            echo "Test broken"
+            exit 1
+        fi
+        echo "SKIP: apparmor not enabled"
+        exit 0
+    fi
+
+    echo "Ensure snapd generates the right apparmor profile on restart"
+    PROFILES="$(find /var/lib/snapd/apparmor/profiles/ -maxdepth 1 -name "snap-confine.*")"
+    if [ -z "$PROFILES" ]; then
+        echo "cannot find apparmor profiles for snap-confine from core"
+        echo "test broken"
+        ls -al /var/lib/snapd/apparmor/profiles
+        exit 1
+    fi
+
+    echo "Force system-key change"
+    systemd_stop_units snapd.service snapd.socket
+    printf '{"version":1}' > /var/lib/snapd/system-key
+    rm -f /var/lib/snapd/apparmor/profiles/snap-confine.*
+    systemctl start snapd.service snapd.socket
+    wait_for_service snapd.service
+
+    echo "Ensure this also re-generates the snap-confine from core profile"
+    PROFILES="$(find /var/lib/snapd/apparmor/profiles/ -maxdepth 1 -name "snap-confine.*")"
+    if [ -z "$PROFILES" ]; then
+        echo "apparmor profiles for snap-confine from core were not re-generated"
+        echo "test broken"
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-confine-privs/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-confine-privs/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-confine-privs/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-confine-privs/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,44 +1,53 @@
 summary: ensure that snap-confine handles group and user privileges correctly
+
 details: |
     The openSUSE security team has made a remark about a particular part of
     snap-confine's UID/GID handling. The code there was correct but this test
     is here to demonstrate that and ensure it never regresses.
 
     Security review https://bugzilla.opensuse.org/show_bug.cgi?id=986050
+
 # This test is not executed on a core system simply because of the hassle of
 # building the support C program. In the future it might be improved with the
 # use of the classic snap where we just use classic to build the helper.
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
+
 environment:
     # This is used to abbreviate some of the paths below.
     P: /var/snap/test-snapd-sh/common
+
 prepare: |
     echo "Install a helper snap (for confinement testing)"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-sh
 
     echo "Compile and prepare the support program"
     # Because we use the snap data directory we don't need to clean it up
     # manually as all snaps and their data are reset after each test.
-    gcc -Wall -Wextra -Werror ./uids-and-gids.c -o $P/uids-and-gids
-    cp $P/uids-and-gids $P/uids-and-gids-setuid
-    chown root $P/uids-and-gids-setuid
-    chmod 4755 $P/uids-and-gids-setuid
-    cp $P/uids-and-gids $P/uids-and-gids-setgid
-    chgrp root $P/uids-and-gids-setgid
-    chmod 2755 $P/uids-and-gids-setgid
+    gcc -Wall -Wextra -Werror ./uids-and-gids.c -o "$P/uids-and-gids"
+    cp "$P/uids-and-gids" "$P/uids-and-gids-setuid"
+    chown root "$P/uids-and-gids-setuid"
+    chmod 4755 "$P/uids-and-gids-setuid"
+    cp "$P/uids-and-gids" "$P/uids-and-gids-setgid"
+    chgrp root "$P/uids-and-gids-setgid"
+    chmod 2755 "$P/uids-and-gids-setgid"
+
 execute: |
     echo "The test executables files have the expected mode and ownership"
-    ls -l $P | MATCH -- '-rwxr-xr-x 1 root root [0-9]+ [A-Z][a-z]+ +[0-9]+ [0-9]+:[0-9]+ uids-and-gids'
-    ls -l $P | MATCH -- '-rwxr-sr-x 1 root root [0-9]+ [A-Z][a-z]+ +[0-9]+ [0-9]+:[0-9]+ uids-and-gids-setgid'
-    ls -l $P | MATCH -- '-rwsr-xr-x 1 root root [0-9]+ [A-Z][a-z]+ +[0-9]+ [0-9]+:[0-9]+ uids-and-gids-setuid'
+    #shellcheck disable=SC2012
+    ls -l "$P" | MATCH -- '-rwxr-xr-x(.|) 1 root root [0-9]+ [A-Z][a-z]+ +[0-9]+ [0-9]+:[0-9]+ uids-and-gids'
+    #shellcheck disable=SC2012
+    ls -l "$P" | MATCH -- '-rwxr-sr-x(.|) 1 root root [0-9]+ [A-Z][a-z]+ +[0-9]+ [0-9]+:[0-9]+ uids-and-gids-setgid'
+    #shellcheck disable=SC2012
+    ls -l "$P" | MATCH -- '-rwsr-xr-x(.|) 1 root root [0-9]+ [A-Z][a-z]+ +[0-9]+ [0-9]+:[0-9]+ uids-and-gids-setuid'
 
     echo "Running as regular user"
     # Spread runs all tests as root so we're using su to switch to the "test" user.
     # The "test" user inside the spread suite is guaranteed to have UID/GID of 12345.
-    su -l -c $P/uids-and-gids        test        | MATCH 'ruid=12345 euid=12345 suid=12345 rgid=12345 egid=12345 sgid=12345'
-    su -l -c $P/uids-and-gids-setuid test        | MATCH 'ruid=12345 euid=0     suid=0     rgid=12345 egid=12345 sgid=12345'
-    su -l -c $P/uids-and-gids-setgid test        | MATCH 'ruid=12345 euid=12345 suid=12345 rgid=12345 egid=0     sgid=0    '
+    su -l -c "$P/uids-and-gids"        test        | MATCH 'ruid=12345 euid=12345 suid=12345 rgid=12345 egid=12345 sgid=12345'
+    su -l -c "$P/uids-and-gids-setuid" test        | MATCH 'ruid=12345 euid=0     suid=0     rgid=12345 egid=12345 sgid=12345'
+    su -l -c "$P/uids-and-gids-setgid" test        | MATCH 'ruid=12345 euid=12345 suid=12345 rgid=12345 egid=0     sgid=0    '
 
     echo "Running as regular user via sudo"
     # This is same as above except that we're also using sudo
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-connect/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-connect/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-connect/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-connect/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,8 @@
 summary: Check that snap connect works
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     echo "Install a test snap"
     install_local home-consumer
@@ -11,7 +12,7 @@
     fi
 
 execute: |
-    CONNECTED_PATTERN=':home +home-consumer'
+    CONNECTED_PATTERN=':home .*home-consumer'
 
     echo "The plug can be connected to a matching slot of OS snap without snap:slot argument"
     snap connect home-consumer:home
@@ -23,15 +24,24 @@
     snap connect home-consumer:home
     snap interfaces | MATCH "$CONNECTED_PATTERN"
 
+    echo "Connecting already connected interface does nothing"
+    snap connect home-consumer:home system:home
+
+    OUTPUT=$(snap change --last=connect)
+    if [ "$(echo "$OUTPUT" | wc -l)" -ne 1 ]; then
+        echo "Expected no tasks, got: $OUTPUT"
+        exit 1
+    fi
+
     snap disconnect home-consumer:home
-    snap tasks --last=disconnect| MATCH "Disconnect .* from core:home"
+    snap tasks --last=disconnect| MATCH "Disconnect .* from (core|snapd):home"
 
     echo "The plug can be connected to a slot on the core snap using abbreviated syntax"
     snap connect home-consumer:home :home
 
     snap interfaces | MATCH "$CONNECTED_PATTERN"
 
-    snap tasks --last=connect| MATCH "Connect home-consumer:home to core:home"
+    snap tasks --last=connect| MATCH "Connect home-consumer:home to (core|snapd):home"
 
     # NOTE: Those only work when installed from the store as otherwise we don't
     # have snap declaration assertion and cannot check if a given connection
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-connectivity-check/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-connectivity-check/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-connectivity-check/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-connectivity-check/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+summary: Check that "snap connectivity-check" works
+
+execute: |
+    echo "Ensure the snap connectivity-check command works"
+    snap debug connectivity | MATCH " * PASS"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-core-fixup/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-core-fixup/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-core-fixup/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-core-fixup/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,46 @@
+summary: Check that the core-fixup-sh script works
+
+systems: [ubuntu-core-16-*]
+
+restore: |
+    umount /boot/uboot
+    rm -f test.img
+
+execute: |
+    echo "Ensure we have a clean and writable /boot/uboot to mess around"
+    mount -t tmpfs none /boot/uboot
+    touch /boot/uboot/uboot.env.unrelated
+    touch /boot/uboot/unrelated.uboot.env
+    touch /boot/uboot/uboot.env
+
+    systemctl restart snapd.core-fixup.service
+
+    if [ ! -f /boot/uboot/uboot.env.unrelated ] || [ ! -f /boot/uboot/unrelated.uboot.env ]; then
+        echo "snapd.core-fixup.service destroyed unrelated files"
+        exit 1
+    fi
+    if [ ! -f /boot/uboot/uboot.env ]; then
+        echo "snapd.core-fixup.service destroyed the uboot.env file"
+        exit 1
+    fi
+    umount /boot/uboot
+
+    echo "Now test with the real corrupted image"
+    unxz -c -d test.img.xz >test.img
+    mount -t vfat test.img /boot/uboot
+    n=$(find /boot/uboot -name uboot.env| wc -l)
+    if [ "$n" != "2" ]; then
+        echo "Image not broken in the right way, expected two uboot.env files"
+        ls /boot/uboot
+        exit 1
+    fi
+
+    echo "Trigger cleanup"
+    systemctl restart snapd.core-fixup.service
+
+    n=$(find /boot/uboot -name uboot.env| wc -l)
+    if [ "$n" != "1" ]; then
+        echo "Image not repaired"
+        ls /boot/uboot
+        exit 1
+    fi
Binary files /tmp/tmpLYQvtJ/X5YHf4eBTA/snapd-2.32.3.2~14.04/tests/main/snap-core-fixup/test.img.xz and /tmp/tmpLYQvtJ/MitOjr4n0s/snapd-2.37~rc1~14.04/tests/main/snap-core-fixup/test.img.xz differ
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-core-symlinks/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-core-symlinks/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-core-symlinks/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-core-symlinks/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,12 @@
+summary: Check that the seed symlinks work
+
+systems: [ubuntu-core-16-*]
+
+execute: |
+    echo "Ensure that the core snap is a symlink into the seed"
+    core_symlink="$(readlink -f /var/lib/snapd/snaps/core_*.snap)"
+    if [[ "${core_symlink}" != /var/lib/snapd/seed/snaps/* ]]; then
+        echo "The initial core snap should symlink into the seed directory"
+        echo "but it does not."
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapctl/task.yaml snapd-2.37~rc1~14.04/tests/main/snapctl/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapctl/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapctl/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,8 +1,13 @@
 summary: Check that `snapctl` can be run from within hooks
 
 prepare: |
-    snap pack $TESTSLIB/snaps/snapctl-hooks
+    snap pack "$TESTSLIB"/snaps/snapctl-hooks
     snap install --dangerous snapctl-hooks_1.0_all.snap
+    # ensure curl is available (needed for e.g. core18)
+    if ! command -v curl; then
+        snap install --devmode --edge test-snapd-curl
+        snap alias test-snapd-curl.curl curl
+    fi
 
 restore: |
     rm -f snapctl-hooks_1.0_all.snap
@@ -14,14 +19,30 @@
         exit 1
     fi
 
+    echo "Verify that snapctl -h and --help run for regular users"
+    for arg in "-h" "--help"; do
+        if ! su -c "snapctl $arg" test ; then
+            echo "Expected snapctl -h to be successful for regular user"
+            exit 1
+        fi
+    done
+    echo "Verify that snapctl set -h run for regular user"
+    if ! su -c "snapctl get -h" test ; then
+            echo "Expected snapctl get -h to be successful for test user"
+            exit 1
+    fi
+
+    echo "Verify that snapctl set is forbidden for regular user"
+    su -c "snapctl set snapctl-hooks foo=bar" test 2>&1 | MATCH "cannot use \"set\" with uid .*, try with sudo"
+
     echo "Verify that the snapd API is only available via the snapd socket"
-    if ! printf "GET /v2/snaps HTTP/1.0\r\n\r\n" | nc -U -w 1 /run/snapd.socket | grep "200 OK"; then
+    if ! printf 'GET /v2/snaps HTTP/1.0\r\n\r\n' | nc -U -w 1 /run/snapd.socket | grep '200 OK'; then
         echo "Expected snapd API to be available on the snapd socket"
         echo "Got: $(curl -s --unix-socket /run/snapd.socket http:/v2/snaps)"
         exit 1
     fi
 
-    if ! printf "GET /v2/snaps HTTP/1.0\r\n\r\n" | nc -U -w 1 /run/snapd-snap.socket | grep "401 Unauthorized"; then
+    if ! printf 'GET /v2/snaps HTTP/1.0\r\n\r\n' | nc -U -w 1 /run/snapd-snap.socket | grep '401 Unauthorized'; then
         echo "Expected snapd API to be unauthorized on the snap socket"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapctl-configure-core/task.yaml snapd-2.37~rc1~14.04/tests/main/snapctl-configure-core/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapctl-configure-core/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapctl-configure-core/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Ensure "snapctl core-configure" works
 
 # the test is only meaningful on core devices
-systems: [ubuntu-core-*]
+systems: [ubuntu-core-16-*]
 
 prepare: |
     cat > new-configure-core  <<EOF
@@ -28,7 +28,7 @@
     
     echo "Check that powerkey handling works"
     snap set core system.power-key-action=reboot
-    cat /etc/systemd/logind.conf.d/00-snap-core.conf | MATCH HandlePowerKey=reboot
+    MATCH HandlePowerKey=reboot < /etc/systemd/logind.conf.d/00-snap-core.conf
     echo "Ensure unsetting cleans the file again"
     snap set core system.power-key-action=""
     if test -f /etc/systemd/logind.conf.d/00-snap-core.conf; then
@@ -42,9 +42,9 @@
         cp /boot/uboot/config.txt config.txt.save
 
         snap set core pi-config.hdmi-mode=1
-        cat /boot/uboot/config.txt | MATCH ^hdmi_mode=1
+        MATCH ^hdmi_mode=1 < /boot/uboot/config.txt
         snap set core pi-config.hdmi-mode=""
-        cat /boot/uboot/config.txt | MATCH ^#hdmi_mode=1
+        MATCH ^#hdmi_mode=1 < /boot/uboot/config.txt
 
         echo "Ensure the config.txt are fully undo when an option is unset"
         if ! diff -u /boot/uboot/config.txt config.txt.save; then
@@ -56,9 +56,9 @@
     echo "Check that the proxy config handling works"
     for proto in http https ftp; do
         snap set core proxy.${proto}=http://example.com:8021/
-        cat /etc/environment | MATCH "^${proto}_proxy=http://example.com:8021"
+        MATCH "^${proto}_proxy=http://example.com:8021" < /etc/environment
         snap set core proxy.${proto}=""
-        if cat /etc/environment | grep "^{proto}_proxy="; then
+        if grep "^{proto}_proxy=" /etc/environment; then
             echo "proxy setting was not properly cleaned up"
             cat /etc/environment
             exit 1
@@ -67,9 +67,9 @@
 
     echo "Check that the no_proxy config handling works"
     snap set core proxy.no-proxy="example.com,bar.com"
-    cat /etc/environment | MATCH "^no_proxy=example.com,bar.com"
+    MATCH "^no_proxy=example.com,bar.com" < /etc/environment
     snap set core proxy.no-proxy=""
-    if cat /etc/environment | grep "^no_proxy="; then
+    if grep "^no_proxy=" /etc/environment ; then
         echo "proxy setting was not properly cleaned up"
         cat /etc/environment
         exit 1
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapctl-from-snap/task.yaml snapd-2.37~rc1~14.04/tests/main/snapctl-from-snap/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapctl-from-snap/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapctl-from-snap/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,18 +1,23 @@
 summary: Check that `snapctl` can be run from the snap
 
+environment:
+    SNAP/nobase: snapctl-from-snap
+    SNAP/wcore18: snapctl-from-snap-core18
+
 prepare: |
     snap install --devmode jq
     echo "Build basic test package"
-    snap pack $TESTSLIB/snaps/snapctl-from-snap
-  
+    snap pack "$TESTSLIB"/snaps/snapctl-from-snap
+
 restore: |
     rm -f snapctl-from-snap_1.0_all.snap
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     check_single_cookie() {
-        cnt=$(jq -r '.data["snap-cookies"]' /var/lib/snapd/state.json | grep "$1" | wc -l)
+        cnt=$(jq -r '.data["snap-cookies"]' /var/lib/snapd/state.json | grep -c "$1" || true)
         if [ "$cnt" -ne 1 ]; then
             echo "Expected single cookie for snap $1, found $cnt"
             exit 1
@@ -21,70 +26,78 @@
 
     check_cookie() {
         COOKIE_FILE=/var/lib/snapd/cookie/snap.$1
-        if ! test -f $COOKIE_FILE ; then
+        if ! test -f "$COOKIE_FILE" ; then
             echo "Cookie file $COOKIE_FILE is missing"
             exit 1
         fi
-        if [ $(stat -c %a $COOKIE_FILE) != "600" ]; then
+        if [ "$(stat -c %a "$COOKIE_FILE")" != "600" ]; then
             echo "Incorrect permissions of file $COOKIE_FILE"
             exit 1
         fi
-        wc -c $COOKIE_FILE | MATCH 44
+        wc -c "$COOKIE_FILE" | MATCH 44
 
-        check_single_cookie $1
+        check_single_cookie "$1"
     }
 
-    snap install --dangerous snapctl-from-snap_1.0_all.snap
+    # FIXME: remove once core18 stable has /usr/bin/snapctl symlink
+    # shellcheck disable=SC2153
+    if [ "$SNAP" = "snapctl-from-snap-core18" ]; then
+        snap install --edge core18
+    fi
+
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local "$SNAP"
 
     echo "Verify that cookie file exists and has proper permissions and size"
-    check_cookie snapctl-from-snap
+    check_cookie "$SNAP"
 
     echo "Verify that a single cookie remains on restart"
     systemctl stop snapd.{service,socket}
-    check_cookie snapctl-from-snap
+    check_cookie "$SNAP"
     systemctl start snapd.{service,socket}
 
-    COOKIE_FILE=/var/lib/snapd/cookie/snap.snapctl-from-snap
+    COOKIE_FILE=/var/lib/snapd/cookie/snap."$SNAP"
 
     echo "Simulate upgrade from old snapd with no cookie support"
     systemctl stop snapd.{service,socket}
-    rm -f $COOKIE_FILE
+    rm -f "$COOKIE_FILE"
     jq -c 'del(.data["snap-cookies"])' /var/lib/snapd/state.json > /var/lib/snapd/state.json.new
     mv /var/lib/snapd/state.json.new /var/lib/snapd/state.json
     systemctl start snapd.{service,socket}
 
     echo "Verify that cookie file was re-created"
-    check_cookie snapctl-from-snap
+    check_cookie "$SNAP"
 
     echo "Verify that snapctl get can be executed by the app and shows the value set by configure hook"
-    $SNAP_MOUNT_DIR/bin/snapctl-from-snap.snapctl-get foo | MATCH bar
+    $SNAP_MOUNT_DIR/bin/"$SNAP".snapctl-get foo | MATCH bar
 
     echo "Verify that snapctl set can modify configuration values"
-    $SNAP_MOUNT_DIR/bin/snapctl-from-snap.snapctl-set foo=123
-    $SNAP_MOUNT_DIR/bin/snapctl-from-snap.snapctl-get foo | MATCH 123
+    $SNAP_MOUNT_DIR/bin/"$SNAP".snapctl-set foo=123
+    $SNAP_MOUNT_DIR/bin/"$SNAP".snapctl-get foo | MATCH 123
 
     echo "Verify configuration value with snap get"
-    snap get snapctl-from-snap foo | MATCH 123
+    snap get "$SNAP" foo | MATCH 123
 
     echo "Given two revisions of a snap have been installed"
-    snap install --dangerous snapctl-from-snap_1.0_all.snap
-    check_cookie snapctl-from-snap
+    install_local "$SNAP"
+    check_cookie "$SNAP"
 
     echo "And a single revision gets removed"
-    snap remove snapctl-from-snap --revision=x1
+    snap remove "$SNAP" --revision=x1
 
     echo "Verify that cookie file is still present"
-    check_cookie snapctl-from-snap
+    check_cookie "$SNAP"
 
     echo "Verify that cookie is not removed when snap is disabled"
-    snap disable snapctl-from-snap
-    check_cookie snapctl-from-snap
-    snap enable snapctl-from-snap
-    check_cookie snapctl-from-snap
+    snap disable "$SNAP"
+    check_cookie "$SNAP"
+    snap enable "$SNAP"
+    check_cookie "$SNAP"
 
     echo "Verify that snap cookie is removed on snap removal"
-    snap remove snapctl-from-snap
-    if test -f $COOKIE_FILE ; then
+    snap remove "$SNAP"
+    if test -f "$COOKIE_FILE" ; then
         echo "Cookie file $COOKIE_FILE still exists"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapctl-services/task.yaml snapd-2.37~rc1~14.04/tests/main/snapctl-services/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapctl-services/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapctl-services/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,16 +2,21 @@
 
 kill-timeout: 5m
 
+# takes >1.5min to run
+backends: [-autopkgtest]
+
 environment:
     SERVICEOPTIONFILE: /var/snap/test-snapd-service/current/service-option
 
 restore: |
-    rm -f $SERVICEOPTIONFILE
+    rm -f "$SERVICEOPTIONFILE"
 
 execute: |
-    wait_for_service() {
+    # there is wait_for_service defined in systemd.sh, use a different name to
+    # avoid redefining or being obscured by the other one
+    _wait_for_service() {
         retry=5
-        while ! snap services $1 | MATCH $2; do
+        while ! snap services "$1" | MATCH "$2"; do
             retry=$(( retry - 1 ))
             if [ $retry -le 0 ]; then
                 echo "Failed to match the status of service $1, expected: $2"
@@ -23,7 +28,7 @@
 
     wait_for_file_change() {
         retry=5
-        while ! cat $1 | MATCH $2; do
+        while ! MATCH "$2" < "$1"  ; do
             retry=$(( retry - 1 ))
             if [ $retry -le 0 ]; then
                 echo "Failed to match the content of file $1, expected: $2"
@@ -33,47 +38,52 @@
         done
     }
 
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     echo "When the service snap is installed"
-    . $TESTSLIB/snaps.sh
     install_local test-snapd-service
 
     echo "We can see it running"
-    wait_for_service "test-snapd-service.test-snapd-service" " active"
+    _wait_for_service "test-snapd-service.test-snapd-service" " active"
 
     echo "When we stop the service via configure hook"
     snap set test-snapd-service command=stop
 
     echo "It's stopped"
-    wait_for_service "test-snapd-service.test-snapd-service" " inactive"
+    _wait_for_service "test-snapd-service.test-snapd-service" " inactive"
 
     echo "When we start the service via configure hook"
     snap set test-snapd-service command=start
 
     echo "It's running again"
-    wait_for_service "test-snapd-service.test-snapd-service" " active"
+    _wait_for_service "test-snapd-service.test-snapd-service" " active"
 
     echo "When we stop it again"
     snap set test-snapd-service command=stop
 
     echo "It's stopped"
-    wait_for_service "test-snapd-service.test-snapd-service" " inactive"
+    _wait_for_service "test-snapd-service.test-snapd-service" " inactive"
 
     echo "And then restart"
     snap set test-snapd-service service-option-source=foo command=restart
 
     echo "It's running"
-    wait_for_service "test-snapd-service.test-snapd-service" " active"
+    _wait_for_service "test-snapd-service.test-snapd-service" " active"
 
     echo "And restart command was executed as part of configure hook change"
     snap tasks --last=configure|MATCH -z "restart of .test-snapd-service.test-snapd-service.+restart of .test-snapd-service.test-snapd-other-service"
 
     echo "And service could get the new service-option set from the hook"
-    wait_for_file_change $SERVICEOPTIONFILE "^foo$"
+    wait_for_file_change "$SERVICEOPTIONFILE" "^foo$"
 
     echo "Reinstalling the snap with configure hook calling snapctl restart works"
     snap set test-snapd-service command=restart
     install_local test-snapd-service
-    if journalctl|grep -q "error running snapctl"; then
+    # shellcheck disable=SC2119
+    if get_journalctl_log | MATCH "error running snapctl"; then
         echo "snapctl should not report errors"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-debug-get-base-declaration/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-debug-get-base-declaration/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-debug-get-base-declaration/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-debug-get-base-declaration/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,12 @@
 summary: check that snap debug get-base-declaration works
+
 details: |
     The get-base-declaration debug action is intended for the security team so
     that they can easily review the whole base declaration, however it is
     stored inside the snapd code.
+
 execute: |
     snap debug get-base-declaration | MATCH 'type: base-declaration'
     # The string "$builtin" terminates the declaration
+    #shellcheck disable=SC2016
     snap debug get-base-declaration | MATCH '^\$builtin$'
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapd-go-socket-activated/task.yaml snapd-2.37~rc1~14.04/tests/main/snapd-go-socket-activated/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapd-go-socket-activated/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapd-go-socket-activated/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,39 @@
+summary: Check that snapd goes into socket activated mode if there are no snaps
+
+systems: [ubuntu-18.04-64]
+
+prepare: |
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    systemd_stop_units snapd.service snapd.socket
+    rm -f /var/lib/snapd/state.json
+
+execute: |
+    echo "Check that snapd initializes the system"
+    systemctl start snapd.service snapd.socket
+    for _ in $(seq 120); do
+        if snap changes | grep -q -E "Done.*Initialize system state"; then
+            break
+        fi
+        sleep 1
+    done
+    snap changes | MATCH "Done.*Initialize system state"
+
+    echo "And then goes into socket activation mode"
+    for _ in $(seq 120); do
+        if systemctl status snapd.service | grep -q -E "Active: inactive"; then
+            break
+        fi
+        sleep 1
+    done
+    systemctl status snapd.service | MATCH "Active: inactive"
+
+    echo "But the snap command keeps working"
+    snap list
+    snap find
+    echo "And install works as well"
+    snap install test-snapd-tools
+    test-snapd-tools.echo hello | MATCH hello
+
+    echo "And snapd is running"
+    systemctl status snapd.service | MATCH "Active: active"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-discard-ns/mount.py snapd-2.37~rc1~14.04/tests/main/snap-discard-ns/mount.py
--- snapd-2.32.3.2~14.04/tests/main/snap-discard-ns/mount.py	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-discard-ns/mount.py	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,72 @@
+"""
+Pure-python limited-use wrapper around the mount library function.
+"""
+from __future__ import print_function, absolute_import, unicode_literals
+
+from argparse import ArgumentParser
+from ctypes import CDLL, c_char_p, c_long, get_errno
+from ctypes.util import find_library
+from os import strerror
+from sys import stderr, version_info
+
+try:
+    from typing import Text
+except ImportError:
+    pass
+
+__all__ = ('mount', )
+
+
+PY2 = version_info[0] == 2
+
+
+class MountOpts(object):
+    """MountOpts contain various flags for the mount system call."""
+
+    Bind = 4096
+
+
+def mount(source, target, fstype, flags=0, data=""):
+    # type: (Text, Text, Text, int, Text) -> None
+    """mount is a thin wrapper around the mount library function."""
+    if PY2:
+        c = b"c"
+    else:
+        c = "c"
+    libc_name = find_library(c)
+    if libc_name is None:
+        raise Exception("cannot find the C library")
+    libc = CDLL(libc_name, use_errno=True)
+    retval = libc.mount(
+            c_char_p(source.encode("UTF-8")),
+            c_char_p(target.encode("UTF-8")),
+            c_char_p(fstype.encode("UTF-8")),
+            c_long(flags),
+            None if data == "" else c_char_p(data.encode("UTF-8")))
+    if retval < 0:
+        errno = get_errno()
+        raise OSError(errno, strerror(errno))
+
+
+def main():
+    # type: () -> None
+    parser = ArgumentParser()
+    parser.add_argument("source", help="path of the device or bind source")
+    parser.add_argument("target", help="path of the new mount point")
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument("--bind", action="store_const", const="bind",
+                       help="create a new mount point of existing path")
+    group.add_argument("-t", "--type", help="filesystem type to mount")
+    opts = parser.parse_args()
+    if opts.bind is not None:
+        mount(opts.source, opts.target, "", MountOpts.Bind)
+    else:
+        mount(opts.source, opts.target, opts.fstype)
+
+
+if __name__ == "__main__":
+    try:
+        main()
+    except OSError as err:
+        print(err, file=stderr)
+        raise SystemExit(1)
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-discard-ns/mount.sh snapd-2.37~rc1~14.04/tests/main/snap-discard-ns/mount.sh
--- snapd-2.32.3.2~14.04/tests/main/snap-discard-ns/mount.sh	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-discard-ns/mount.sh	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,9 @@
+#!/bin/sh
+if [ "$(command -v python3)" != "" ]; then
+	exec python3 ./mount.py "$@";
+elif [ "$(command -v python2)" != "" ]; then
+	exec python2 ./mount.py "$@";
+else
+	echo "cannot mount: Python 2 or 3 required"
+	exit 1
+fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-discard-ns/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-discard-ns/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-discard-ns/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-discard-ns/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,18 @@
 summary: check basic operation of snap-discard-ns
+
 details: |
     The internal command snap-discard-ns discards (unmounts) the
     /run/snapd/ns/$SNAP_NAME.mnt file and removes the current mount profile
     /run/snapd/ns/snap.$SNAP_NAME.fstab. The profile removal is optional and it
     is not an error if it doesn't exist.
+
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
     install_local test-snapd-tools
+
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     echo "We can try to discard a namespace before snap runs"
@@ -23,14 +28,25 @@
 
     echo "We can discard the namespace after a snap runs"
     test-snapd-tools.success
+    # NOTE: the per-user profile is faked but we test that it is removed correctly.
+    touch /run/snapd/ns/test-snapd-tools.1000.mnt
+    # NOTE: use a low-level mount operation to avoid interacting with the
+    # /etc/mtab file.  On pre-systemd systems mtab was a regular file and
+    # libmount can be confused into misbehaving because none of the snapd
+    # low-level mount tooling uses it.
+    ./mount.sh --bind /run/snapd/ns/test-snapd-tools.mnt /run/snapd/ns/test-snapd-tools.1000.mnt
     # The last hex is the same as nsfs but older stat on ubuntu 14.04 doesn't know
     # proc is there because on older kernels /proc/*/ns/mnt is not on nsfs but still on procfs.
     stat -f -c %T /run/snapd/ns/test-snapd-tools.mnt | MATCH 'proc|nsfs|0x6e736673'
+    stat -f -c %T /run/snapd/ns/test-snapd-tools.1000.mnt | MATCH 'proc|nsfs|0x6e736673'
     $LIBEXECDIR/snapd/snap-discard-ns test-snapd-tools
-    stat -f -c %T /run/snapd/ns/test-snapd-tools.mnt | MATCH 'tmpfs'
+    test ! -e /run/snapd/ns/test-snapd-tools.mnt
+    test ! -e /run/snapd/ns/test-snapd-tools.1000.mnt
 
     echo "We can fake a current mount profile and see that it is removed too"
     test-snapd-tools.success
     touch /run/snapd/ns/snap.test-snapd-tools.fstab
+    touch /run/snapd/ns/snap.test-snapd-tools.1000.fstab
     $LIBEXECDIR/snapd/snap-discard-ns test-snapd-tools
     test ! -e /run/snapd/ns/snap.test-snapd-tools.fstab
+    test ! -e /run/snapd/ns/snap.test-snapd-tools.1000.fstab
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-disconnect/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-disconnect/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-disconnect/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-disconnect/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -7,14 +7,14 @@
 
 prepare: |
     echo "Install a test snap"
-    snap pack $TESTSLIB/snaps/home-consumer
-    snap install --dangerous $SNAP_FILE
+    snap pack "$TESTSLIB"/snaps/home-consumer
+    snap install --dangerous "$SNAP_FILE"
 
 restore: |
-    rm -f *.snap
+    rm -f ./*.snap
 
 execute: |
-    DISCONNECTED_PATTERN="\-\s+home-consumer:home"
+    DISCONNECTED_PATTERN='-\s+home-consumer:home'
 
     echo "Disconnect everything from given slot"
     snap connect home-consumer:home core:home
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapd-notify/task.yaml snapd-2.37~rc1~14.04/tests/main/snapd-notify/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapd-notify/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapd-notify/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,12 +5,32 @@
 backends: [-external]
 
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
+    echo "Check that snapd uses notifications"
+    systemctl show -p Type snapd.service | MATCH Type=notify
+
     for _ in $(seq 5); do
-      if systemctl status snapd.service | MATCH "Active: active"; then
-          journalctl -u snapd | MATCH "activation done in"
-          exit
-      fi
-      sleep 1
+        if systemctl is-active snapd.service; then
+            # ExecMainStartTimestampMonotonic=35275661308
+            mainstart="$(systemctl show -p ExecMainStartTimestampMonotonic snapd.service | cut -f2 -d=)"
+            # ActiveEnterTimestampMonotonic=35275819212
+            activeenter="$(systemctl show -p ActiveEnterTimestampMonotonic snapd.service | cut -f2 -d=)"
+            # WatchdogTimestampMonotonic=35275819210
+            # NOTE: always 0 with systemd 204 on Ubuntu 14.04
+            watchdog="$(systemctl show -p WatchdogTimestampMonotonic snapd.service | cut -f2 -d=)"
+            # service became active after it was started
+            test "$activeenter" -gt "$mainstart"
+            if [[ "$SPREAD_SYSTEM" != ubuntu-14.04-* ]]; then
+                # service pinged systemd after start
+                test "$watchdog" -gt "$mainstart"
+                # and became active after having pinged the daemon
+                test "$activeenter" -ge "$watchdog"
+            fi
+            exit 0
+        fi
+        sleep 1
     done
 
     echo "Snapd service status not active"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-download/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-download/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-download/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-download/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,11 @@
 summary: Check that snap download works
+
+restore: |
+    rm -f ./*.snap
+    rm -f ./*.assert
+    rm -f ~test/*.snap
+    rm -f ~test/*.assert
+
 execute: |
     verify_asserts() {
         fn="$1"
@@ -28,8 +35,3 @@
     su -l -c "SNAPPY_USE_STAGING_STORE=$SNAPPY_USE_STAGING_STORE HTTPS_PROXY=$HTTPS_PROXY snap download test-snapd-tools" test
     ls /home/test/test-snapd-tools_*.snap
     verify_asserts /home/test/test-snapd-tools_*.assert
-restore: |
-    rm -f *.snap
-    rm -f *.assert
-    rm -f ~test/*.snap
-    rm -f ~test/*.assert
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapd-reexec/task.yaml snapd-2.37~rc1~14.04/tests/main/snapd-reexec/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapd-reexec/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapd-reexec/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,11 @@
 summary: Test that snapd reexecs itself into core
 
-# Disable for Fedora, openSUSE as re-exec is not support there yet
-systems: [-ubuntu-core-16-*, -fedora-*, -opensuse-*]
+# Disable for Fedora, openSUSE and Arch as re-exec is not support there yet
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 restore: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     # extra cleanup in case something in this test went wrong
     rm -f /etc/systemd/system/snapd.service.d/no-reexec.conf
     systemctl stop snapd.service snapd.socket
@@ -29,7 +30,10 @@
     echo "Ensure we re-exec by default"
     /usr/bin/env SNAPD_DEBUG=1 snap list 2>&1 | MATCH "DEBUG: restarting into"
 
-    . $TESTSLIB/dirs.sh
+    # shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB/dirs.sh"
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
 
     echo "Ensure that we do not re-exec into older versions"
     systemctl stop snapd.service snapd.socket
@@ -38,7 +42,7 @@
     mount --bind /tmp/old-info $SNAP_MOUNT_DIR/core/current/usr/lib/snapd/info
     systemctl start snapd.service snapd.socket
     snap list
-    journalctl | MATCH "core snap \(at .*\) is older \(.*\) than distribution package"
+    check_journalctl_log 'core snap \(at .*\) is older \(.*\) than distribution package'
 
     echo "Revert back to normal"
     systemctl stop snapd.service snapd.socket
@@ -78,16 +82,16 @@
 
     echo "Ensure a core refresh restart snapd"
     prev_core=$(snap list | awk "/^core / {print(\$3)}")
-    snap install --dangerous /var/lib/snapd/snaps/core_${prev_core}.snap
+    snap install --dangerous "/var/lib/snapd/snaps/core_${prev_core}.snap"
     snap change --last=install | MATCH "Requested daemon restart"
 
     echo "Ensure the right snapd (from the new core) is running"
     now_core=$(snap list | awk "/^core / {print(\$3)}")
     if [ "$now_core" = "$prev_core" ]; then
-        echo "Test broken $now_core and $prev_Core are the same"
+        echo "Test broken $now_core and $prev_core are the same"
         exit 1
     fi
-    SNAPD_PATH=$(readlink -f /proc/$(pidof snapd)/exe)
+    SNAPD_PATH=$(readlink -f "/proc/$(pidof snapd)/exe")
     if [ "$SNAPD_PATH" != "/snap/core/${now_core}/usr/lib/snapd/snapd" ]; then
         echo "unexpected $SNAPD_PATH for $now_core snap (previous $prev_core)"
         exit 1
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapd-reexec-snapd-snap/task.yaml snapd-2.37~rc1~14.04/tests/main/snapd-reexec-snapd-snap/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapd-reexec-snapd-snap/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapd-reexec-snapd-snap/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,26 @@
+summary: Test that snapd reexecs itself into the snapd snap
+
+# Disable for Fedora, openSUSE and Arch as re-exec is not support there yet
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
+restore: |
+    umount /snap/snapd/current/usr/lib/snapd/info || true
+
+execute: |
+    if [ "${SNAP_REEXEC:-}" = "0" ]; then
+        echo "skipping test when SNAP_REEXEC is disabled"
+        exit 0
+    fi
+
+    echo "Enable installing the snapd snap"
+    snap set core experimental.snapd-snap=true
+    snap install --edge snapd
+    # We need to pretend the version of snapd in the snapd snap is the same
+    # as the installed one so that it re-execs. We use a higher version in
+    # the local snap and "tweak" the core snap to get re-exec but this will
+    # only work with core re-exec not snapd-reexec.
+    mount -o bind /usr/lib/snapd/info /snap/snapd/current/usr/lib/snapd/info
+
+    echo "Ensure we re-exec by default"
+    /usr/bin/env SNAPD_DEBUG=1 snap list 2>&1 | MATCH 'DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"'
+
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapd-snap/task.yaml snapd-2.37~rc1~14.04/tests/main/snapd-snap/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapd-snap/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapd-snap/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,17 @@
+summary: Ensure snapd builds as a snap
+
+# This is what the snapcraft builder on launchpad uses.
+systems: [ubuntu-16.04-64]
+
+# Start early as it takes a long time.
+priority: 100
+
+restore: |
+    apt autoremove -y snapcraft
+
+execute: |
+    echo "Installing snapscraft"
+    apt install -y snapcraft
+    # shellcheck disable=SC2164
+    cd "$PROJECT_PATH"
+    snapcraft
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-env/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-env/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-env/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-env/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,55 +1,85 @@
 summary: inspect all the set environment variables prefixed with SNAP_ and XDG_
+
+environment:
+    NAME/regular: test-snapd-tools
+    INSTANCE_KEY/regular:
+    NAME/parallel: test-snapd-tools_foo
+    INSTANCE_KEY/parallel: foo
+
 prepare: |
-    snap pack $TESTSLIB/snaps/test-snapd-tools
-    snap install --dangerous test-snapd-tools_1.0_all.snap
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
+    if [[ "$SPREAD_VARIANT" == "parallel" ]]; then
+        snap set system experimental.parallel-instances=true
+    fi
+    # shellcheck disable=SC2153
+    install_local_as test-snapd-tools "$NAME"
+
 restore: |
-    rm -f *.snap
-    rm -f *-vars.txt
+    rm -f ./*.snap
+    rm -f ./*-vars.txt
+
+    if [[ "$SPREAD_VARIANT" == "parallel" ]]; then
+        snap set system experimental.parallel-instances=null
+    fi
+
 debug: |
-    cat *-vars.txt
+    cat ./*-vars.txt
+
 execute: |
     echo "Collect SNAP and XDG environment variables"
-    test-snapd-tools.env | egrep '^SNAP_' | sort > snap-vars.txt
-    test-snapd-tools.env | egrep '^XDG_' | sort > xdg-vars.txt
-    test-snapd-tools.env | egrep '^EXTRA_' | sort > extra-vars.txt 
+    "$NAME".env | grep -E '^SNAP_' | sort > snap-vars.txt
+    "$NAME".env | grep -E '^XDG_' | sort > xdg-vars.txt
+    "$NAME".env | grep -E '^EXTRA_' | sort > extra-vars.txt
 
     echo "Collect PATH and HOME environment variables"
-    test-snapd-tools.env | egrep '^(SNAP|PATH|HOME)=' | sort > misc-vars.txt
+    "$NAME".env | grep -E '^(SNAP|PATH|HOME)=' | sort > misc-vars.txt
 
     echo "Ensure that SNAP environment variables are what we expect"
     MATCH '^SNAP_ARCH=(amd64|i386|arm64|armhf|ppc64el|s390x)$'            < snap-vars.txt
+    # parallel-installs: global snap directories are remapped to $SNAP_NAME
     MATCH '^SNAP_COMMON=/var/snap/test-snapd-tools/common$'               < snap-vars.txt
     MATCH '^SNAP_DATA=/var/snap/test-snapd-tools/x1$'                     < snap-vars.txt
     MATCH '^SNAP_LIBRARY_PATH=/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:/var/lib/snapd/void$' < snap-vars.txt
-    MATCH '^SNAP_NAME=test-snapd-tools$'                                  < snap-vars.txt
     # XXX: probably not something we ought to test
     # egrep -q '^SNAP_REEXEC=0$' snap-vars.txt
     MATCH '^SNAP_REVISION=x1$'                                            < snap-vars.txt
-    MATCH '^SNAP_USER_COMMON=/root/snap/test-snapd-tools/common$'         < snap-vars.txt
-    MATCH '^SNAP_USER_DATA=/root/snap/test-snapd-tools/x1$'               < snap-vars.txt
+    # parallel-installs: user directories are instance specific
+    MATCH "^SNAP_USER_COMMON=/root/snap/$NAME/common$"                    < snap-vars.txt
+    MATCH "^SNAP_USER_DATA=/root/snap/$NAME/x1$"                          < snap-vars.txt
     MATCH '^SNAP_VERSION=1.0$'                                            < snap-vars.txt
-    CTX=$(cat /var/lib/snapd/cookie/snap.test-snapd-tools)
+    CTX=$(cat "/var/lib/snapd/cookie/snap.$NAME")
     MATCH "^SNAP_COOKIE=$CTX"                                             < snap-vars.txt
     MATCH "^SNAP_CONTEXT=$CTX"                                            < snap-vars.txt
-    test $(wc -l < snap-vars.txt) -eq 12
+    # parallel-installs: $SNAP_NAME is always _the_ snap name
+    MATCH '^SNAP_NAME=test-snapd-tools$'                                  < snap-vars.txt
+    # parallel-install: name of a particular instance
+    MATCH "^SNAP_INSTANCE_NAME=$NAME$"                                    < snap-vars.txt
+    # parallel-installs: empty if none is set
+    MATCH "^SNAP_INSTANCE_KEY=$INSTANCE_KEY$"                             < snap-vars.txt
+    test "$(wc -l < snap-vars.txt)" -eq 14
 
     echo "Enure that XDG environment variables are what we expect"
-    MATCH '^XDG_RUNTIME_DIR=/run/user/0/snap.test-snapd-tools$'  < xdg-vars.txt
-    test $(wc -l < xdg-vars.txt) -ge 1
+    # parallel-installs: xdg directory is instance specific
+    MATCH "^XDG_RUNTIME_DIR=/run/user/0/snap.$NAME$"  < xdg-vars.txt
+    test "$(wc -l < xdg-vars.txt)" -ge 1
 
     echo "Enure that EXTRA environment variables are what we expect"
     MATCH '^EXTRA_GLOBAL=extra-global'                             < extra-vars.txt
     MATCH '^EXTRA_LOCAL=extra-local'                               < extra-vars.txt
     MATCH '^EXTRA_LOCAL_NESTED=extra-global-nested'                < extra-vars.txt
-    MATCH "^EXTRA_CACHE_DIR=$HOME/snap/test-snapd-tools/x1/.cache" < extra-vars.txt
+    MATCH "^EXTRA_CACHE_DIR=$HOME/snap/$NAME/x1/.cache"            < extra-vars.txt
     MATCH '^EXTRA_LOCAL_PATH=/snap/test-snapd-tools/x1/bin:/snap/test-snapd-tools/x1/usr/bin:/usr/bin' < extra-vars.txt
-    test $(wc -l < extra-vars.txt) -eq 5
+    test "$(wc -l < extra-vars.txt)" -eq 5
 
     echo "Ensure that TMPDIR is not passed through to a confined snap"
-    TMPDIR=/foobar test-snapd-tools.env | grep -qv ^TMPDIR=
+    TMPDIR=/foobar "$NAME".env | grep -qv ^TMPDIR=
 
     echo "Ensure that SNAP, PATH and HOME are what we expect"
+    # parallel-installs: $SNAP is remapped to appear under $SNAP_NAME
     MATCH "^SNAP=/snap/test-snapd-tools/x1$"                                                                < misc-vars.txt
     MATCH '^PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games$' < misc-vars.txt
-    MATCH '^HOME=/root/snap/test-snapd-tools/x1$'                                                           < misc-vars.txt
-    test $(wc -l < misc-vars.txt) -eq 3
+    # parallel-installs: $HOME is set to instance specific path
+    MATCH "^HOME=/root/snap/$NAME/x1$"                                                                      < misc-vars.txt
+    test "$(wc -l < misc-vars.txt)" -eq 3
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-get/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-get/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-get/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-get/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,11 +4,11 @@
     snap install --devmode jq
 
     echo "Build basic test package (without hooks)"
-    snap pack $TESTSLIB/snaps/basic
+    snap pack "$TESTSLIB"/snaps/basic
     snap install --dangerous basic_1.0_all.snap
 
     echo "Build package with hook to run snapctl set"
-    snap pack $TESTSLIB/snaps/snapctl-hooks
+    snap pack "$TESTSLIB"/snaps/snapctl-hooks
     snap install --dangerous snapctl-hooks_1.0_all.snap
 
 restore: |
@@ -66,14 +66,14 @@
         exit 1
     fi
     snap get snapctl-hooks bar 2>&1 | MATCH -z "WARNING"
-    snap get snapctl-hooks -l bar 2>&1 | MATCH -z "^Key.*Value.*bar.a.*{\.\.\.}.*bar.b.*3"
+    snap get snapctl-hooks -l bar 2>&1 | MATCH -z '^Key.*Value.*bar.a.*{\.\.\.}.*bar.b.*3'
     snap get snapctl-hooks -d bar | MATCH -z "^{.*\"bar\": {.*\"a\": {.*\"aa\": 1,.*\"ab\": 2.*},.*\"b\": 3.*}.*}"
 
     snap get snapctl-hooks bar.a.aa | MATCH "^1$"
     snap get snapctl-hooks bar.a.ab | MATCH "^2$"
 
     echo "Test that root document can be obtained via snap get"
-    snap get snapctl-hooks -l 2>&1 | MATCH -z "^Key.*Value.*bar.*{\.\.\.}.*command.*test-snapctl-set-bar-doc.*foo.*bar"
+    snap get snapctl-hooks -l 2>&1 | MATCH -z '^Key.*Value.*bar.*{\.\.\.}.*command.*test-snapctl-set-bar-doc.*foo.*bar'
     snap get snapctl-hooks -d | MATCH -z "^{.*\"bar\": {.*\"a\": {.*\"aa\": 1,.*\"ab\": 2.*},.*\"b\": 3.*}.*,.*\"command\": \"test-snapctl-set-bar-doc\",.*\"foo\": \"bar\".*}"
 
     echo "Test number formats"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-handle-link/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-handle-link/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-handle-link/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-handle-link/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,44 @@
+summary: Ensure the "snap handle-link" command works
+
+# We don't run on ubuntu-core, since we are testing the behaviour of
+# xdg-open on the host system.
+systems: [-ubuntu-core-*]
+
+# xdg-open doesn't seem to check desktop files if it doesn't think it
+# has a display.
+environment:
+    DISPLAY: :placeholder
+
+prepare: |
+    touch /usr/bin/zenity
+
+restore: |
+    umount -f /usr/bin/zenity || :
+
+execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB/pkgdb.sh"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
+    echo "URI Handler fails if snap-store is not installed and user refuses to install it"
+    mount --bind /bin/false /usr/bin/zenity
+    if snap handle-link snap://package 2>errors.log; then
+        cat errors.log >&2
+        echo "Expected URI handler to fail"
+        exit 1
+    fi
+    MATCH "Snap Store required" < errors.log
+
+    echo "Now with snap-store installed"
+    install_local snap-store
+    snap handle-link snap://package | MATCH "Fake snap got snap://package"
+
+    if [[ "$SPREAD_SYSTEM" != ubuntu-1[46].04-* ]]; then
+        # Ubuntu 14.04 ships with an ancient xdg-open shell script
+        # that doesn't look up scheme handlers.  Other xdg-mime
+        # implementations on the system (e.g. GLib) should be fine
+        # though.
+        echo "The same should work with xdg-open"
+        xdg-open snap://package | MATCH "Fake snap got snap://package"
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-info/check.py snapd-2.37~rc1~14.04/tests/main/snap-info/check.py
--- snapd-2.32.3.2~14.04/tests/main/snap-info/check.py	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-info/check.py	2019-01-16 08:36:51.000000000 +0000
@@ -39,6 +39,9 @@
 def verRevNotesRx(s):
     return re.compile(r"^\w\S*\s+\(\d+\)\s+[1-9][0-9]*\w+\s+" + s + "$")
 
+def verRelRevNotesRx(s):
+    return re.compile(r"^\w\S*\s+\d{4}-\d{2}-\d{2}\s+\(\d+\)\s+[1-9][0-9]*\w+\s+" + s + "$")
+
 if os.environ['SNAPPY_USE_STAGING_STORE'] == '1':
     snap_ids={
         "test-snapd-tools": "02AHdOomTzby7gTaiLX3M3SGMmXDfLJp",
@@ -72,41 +75,41 @@
 
 check("test-snapd-tools", res[2],
    ("name", equals, "test-snapd-tools"),
-   ("publisher", equals, "canonical"),
-   ("contact", equals, "snappy-canonical-storeaccount@canonical.com"),
+   ("publisher", matches, r"(Canonical✓|canonical)"),
+   ("contact", equals, "snaps@canonical.com"),
    ("summary", equals, "Tools for testing the snapd application"),
    ("description", equals, "A tool to test snapd\n"),
    ("commands", exists),
    ("tracking", equals, "stable"),
    ("installed", matches, verRevNotesRx("-")),
-   ("refreshed", exists),
+   ("refresh-date", exists),
    ("channels", check,
-    ("stable", matches, verRevNotesRx("-")),
+    ("stable", matches, verRelRevNotesRx("-")),
     ("candidate", equals, "↑"),
     ("beta", equals, "↑"),
-    ("edge", matches, verRevNotesRx("-")),
+    ("edge", matches, verRelRevNotesRx("-")),
    ),
    ("snap-id", equals, snap_ids["test-snapd-tools"]),
-   ("license", equals, "unknown"), # TODO: update once snap.yaml contains the right license
+   ("license", matches, r"(unknown|unset)"), # TODO: update once snap.yaml contains the right license
 )
 
 check("test-snapd-devmode", res[3],
    ("name", equals, "test-snapd-devmode"),
-   ("publisher", equals, "canonical"),
-   ("contact", equals, "snappy-canonical-storeaccount@canonical.com"),
+   ("publisher", matches, r"(Canonical✓|canonical)"),
+   ("contact", equals, "snaps@canonical.com"),
    ("summary", equals, "Basic snap with devmode confinement"),
    ("description", equals, "A basic buildable snap that asks for devmode confinement\n"),
    ("tracking", equals, "beta"),
    ("installed", matches, verRevNotesRx("devmode")),
-   ("refreshed", exists),
+   ("refresh-date", exists),
    ("channels", check,
     ("stable", equals, "–"),
     ("candidate", equals, "–"),
-    ("beta", matches, verRevNotesRx("devmode")),
-    ("edge", matches, verRevNotesRx("devmode")),
+    ("beta", matches, verRelRevNotesRx("devmode")),
+    ("edge", matches, verRelRevNotesRx("devmode")),
    ),
    ("snap-id", equals, snap_ids["test-snapd-devmode"]),
-   ("license", equals, "unknown"), # TODO: update once snap.yaml contains the right license
+   ("license", matches, r"(unknown|unset)"), # TODO: update once snap.yaml contains the right license
 )
 
 check("core", res[4],
@@ -115,15 +118,16 @@
       ("publisher", exists),
       ("summary", exists),
       ("description", exists),
-      ("tracking", exists),
+      # tracking not there for local snaps
+      ("tracking", maybe),
       ("installed", exists),
-      ("refreshed", exists),
+      ("refresh-date", exists),
       ("channels", exists),
       # contacts is set on classic but not on Ubuntu Core where we
       # sideload "core"
       ("contact", maybe),
       ("snap-id", maybe),
-      ("license", equals, "unknown"), # TODO: update once snap.yaml contains the right license
+      ("license", matches, r"(unknown|unset)"), # TODO: update once snap.yaml contains the right license
 )
 
 check("error", res[5],
@@ -133,8 +137,8 @@
 # not installed snaps have "contact" information
 check("test-snapd-python-webserver", res[6],
    ("name", equals, "test-snapd-python-webserver"),
-   ("publisher", equals, "canonical"),
-   ("contact", equals, "snappy-canonical-storeaccount@canonical.com"),
+   ("publisher", matches, r"(Canonical✓|canonical)"),
+   ("contact", equals, "snaps@canonical.com"),
    ("summary", exists),
    ("description", exists),
    ("channels", exists),
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-info/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-info/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-info/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-info/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,31 +1,39 @@
 summary: Check that snap info works
 
-prepare: |
-    . $TESTSLIB/pkgdb.sh
-    distro_install_package python3-yaml
+# core18 has no python3-yaml
+# amazon: no PyYAML is not packaged for python3
+systems: [-ubuntu-core-18-*, -amazon-*, -centos-*]
 
-    snap pack $TESTSLIB/snaps/basic
+prepare: |
+    snap pack "$TESTSLIB"/snaps/basic
     snap install test-snapd-tools
     snap install --channel beta --devmode test-snapd-devmode
 
 restore: |
     rm -f basic_1.0_all.snap
-    . $TESTSLIB/pkgdb.sh
-    distro_purge_package python3-yaml
     rm -f out
 
 execute: |
     echo "With no arguments, errors out"
-    snap info && exit 1 || true
+    ! snap info
 
     echo "With one non-snap argument, errors out"
-    snap info /etc/passwd && exit 1 || true
-
-    snap info basic_1.0_all.snap $TESTSLIB/snaps/basic-desktop test-snapd-tools test-snapd-devmode core /etc/passwd test-snapd-python-webserver > out
-    python3 check.py < out
+    ! snap info /etc/passwd
 
-    . $TESTSLIB/snaps.sh
-    snap info --verbose $TESTSLIB/snaps/basic-desktop|MATCH "path: "
+    snap info --unicode=always        \
+      basic_1.0_all.snap              \
+      "$TESTSLIB"/snaps/basic-desktop \
+      test-snapd-tools                \
+      test-snapd-devmode              \
+      core                            \
+      /etc/passwd                     \
+      test-snapd-python-webserver     \
+      > out
+    PYTHONIOENCODING=utf8 python3 check.py < out
+
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    snap info --verbose "$TESTSLIB"/snaps/basic-desktop|MATCH "path: "
     install_local basic-desktop
     snap info basic-desktop|MATCH "license:[ ]+GPL-3.0"
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-interface/snap-interface-core-support.yaml snapd-2.37~rc1~14.04/tests/main/snap-interface/snap-interface-core-support.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-interface/snap-interface-core-support.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-interface/snap-interface-core-support.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,6 +0,0 @@
-name:    core-support
-summary: special permissions for the core snap
-plugs:
-  - core:core-support-plug
-slots:
-  - core
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-interface/snap-interface-network-core.yaml snapd-2.37~rc1~14.04/tests/main/snap-interface/snap-interface-network-core.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-interface/snap-interface-network-core.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-interface/snap-interface-network-core.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+name:    network
+summary: allows access to the network
+plugs:
+  - network-consumer
+slots:
+  - core
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-interface/snap-interface-network-snapd.yaml snapd-2.37~rc1~14.04/tests/main/snap-interface/snap-interface-network-snapd.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-interface/snap-interface-network-snapd.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-interface/snap-interface-network-snapd.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,6 @@
+name:    network
+summary: allows access to the network
+plugs:
+  - network-consumer
+slots:
+  - snapd
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-interface/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-interface/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-interface/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-interface/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,10 +2,17 @@
 details: |
     The "snap interface" command displays a listing of used interfaces
 execute: |
-    snap interface | MATCH 'core-support\s+ special permissions for the core snap'
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local network-consumer
+    snap interface | MATCH 'network\s+ allows access to the network'
     snap interface --all | MATCH 'classic-support\s+ special permissions for the classic snap'
-    snap interface core-support > out.yaml
-    diff -u out.yaml snap-interface-core-support.yaml
+    snap interface network > out.yaml
+    if snap list snapd 2>/dev/null; then
+        diff -u out.yaml snap-interface-network-snapd.yaml
+    else
+        diff -u out.yaml snap-interface-network-core.yaml
+    fi
 restore: |
     rm -f out.yaml
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-logs/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-logs/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-logs/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-logs/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,37 @@
+summary: Ensure that the snap logs command works.
+
+details: |
+    Validate the logs command fetches logs of the given services and displays them in chronological order
+    for all supported systems.
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-service
+
+restore: |
+    rm -f service.log
+
+execute: |
+    echo "check the logs are displayed by service-name and service-name.app"
+    snap logs test-snapd-service | MATCH "running"
+    snap logs test-snapd-service.test-snapd-service | MATCH "running"
+    snap logs test-snapd-service.test-snapd-other-service | MATCH "running"
+
+    echo "check output lines for the logs"
+    snap logs -n=1 test-snapd-service | MATCH "running"
+    snap logs -n=all test-snapd-service | MATCH "running"
+    
+    echo "check -f option works"
+    snap logs -f test-snapd-service > service.log &    
+    snap stop test-snapd-service
+    for _ in $(seq 10); do
+        if MATCH "stop service" < service.log; then
+            break
+        fi
+        sleep 1
+    done
+    MATCH "stop service" < service.log
+
+    echo "stop the logs command"
+    kill $!
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-mgmt/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-mgmt/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-mgmt/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-mgmt/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,9 +3,14 @@
 # purging everything on core devices will not work
 systems: [-ubuntu-core-*]
 
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
+
 prepare: |
-    . $TESTSLIB/dirs.sh
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
 
     snap install test-snapd-tools
     snap list | MATCH test-snapd-tools
@@ -14,6 +19,10 @@
     install_local test-snapd-service
     snap list | MATCH test-snapd-service
 
+    # a snap with timers
+    install_local test-snapd-timer-service
+    snap list | MATCH test-snapd-timer-service
+
     # a snap with DBus policy files
     snap install test-snapd-network-status-provider
     snap list | MATCH test-snapd-network-status-provider
@@ -28,14 +37,16 @@
     systemctl list-unit-files --type service --no-legend | MATCH 'snap.test-snapd-service\..*\.service\s+enabled'
 
     # expecting to find various files that snap installation produced
-    test $(find /etc/udev/rules.d -name '*-snap.*.rules' | wc -l) -gt 0
-    test $(find /etc/dbus-1/system.d -name 'snap.*.conf' | wc -l) -gt 0
+    test "$(find /etc/udev/rules.d -name '*-snap.*.rules' | wc -l)" -gt 0
+    test "$(find /etc/dbus-1/system.d -name 'snap.*.conf' | wc -l)" -gt 0
+    test "$(find /etc/systemd/system -name 'snap.*.timer' | wc -l)" -gt 0
 
 execute: |
     echo "Stop snapd before purging"
     systemctl stop snapd.service snapd.socket
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo "A purge will really purge things"
     $LIBEXECDIR/snapd/snap-mgmt --purge
@@ -51,26 +62,29 @@
                /var/lib/snapd/cache/ \
                "
     for d in $emptydirs ; do
-        n=$(find $d  | wc -l)
+        n=$(find "$d"  | wc -l)
         if [ "$n" -gt 1 ]; then
             echo "$d not empty after snap-mgmt.sh purge"
-            ls -lR $d
+            ls -lR "$d"
             exit 1
         fi
     done
 
     echo "State file is gone"
     ! test -f /var/lib/snapd/state.json
+    echo "And so is the system key"
+    ! test -f /var/lib/snapd/system-key
 
     echo "Preserved namespaces directory is not mounted"
-    ! cat /proc/mounts | MATCH "/run/snapd/ns"
+    ! MATCH "/run/snapd/ns" < /proc/mounts
 
     systemctl daemon-reload
     echo "Snap *.service files are removed"
-    ! systemctl list-unit-files --type service | MATCH "^snap.test-snapd-service.*\.service"
+    ! systemctl list-unit-files --type service | MATCH '^snap.test-snapd-service.*\.service'
 
     echo "No dangling service symlinks are left behind"
     test -z "$(find /etc/systemd/system/multi-user.target.wants/ -name 'snap.test-snapd-service.*')"
 
-    test $(find /etc/udev/rules.d -name '*-snap.*.rules' | wc -l) -eq 0
-    test $(find /etc/dbus-1/system.d -name 'snap.*.conf' | wc -l) -eq 0
+    test "$(find /etc/udev/rules.d -name '*-snap.*.rules' | wc -l)" -eq 0
+    test "$(find /etc/dbus-1/system.d -name 'snap.*.conf' | wc -l)" -eq 0
+    test "$(find /etc/systemd/system -name 'snap.*.timer' | wc -l)" -eq 0
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-multi-service-failing/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-multi-service-failing/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-multi-service-failing/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-multi-service-failing/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,7 +2,8 @@
   Check that `snap install` doesn't leave a service running when the install fails.
 
 execute: |
-  . $TESTSLIB/snaps.sh
+  #shellcheck source=tests/lib/snaps.sh
+  . "$TESTSLIB"/snaps.sh
   echo "when a snap install fails"
   ! install_local test-snapd-multi-service
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-network-errors/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-network-errors/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-network-errors/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-network-errors/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+summary: Ensure network errors are handled gracefully
+
+# autopkgtest run only a subset of tests that deals with the integration
+# with the distro
+backends: [-autopkgtest]
+
+# no iptables on core18 yet
+systems: [-ubuntu-core-18-*]
+
+restore: |
+    echo "Restoring iptables rules"
+    iptables -D OUTPUT -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable || true
+
+debug: |
+    echo "iptables rules:"
+    iptables -L -n -v
+
+execute: |
+    # Do a store op to avoid an unexpected device auth refresh on snap find
+    # below, which would produce different kind of error.
+    snap refresh
+
+    systemctl stop snapd.{socket,service}
+
+    echo "Disabling DNS queries"
+    iptables -I OUTPUT -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
+
+    systemctl start snapd.{socket,service}
+
+    OUT=$(snap find test 2>&1 || true)
+    iptables -D OUTPUT -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
+    echo "$OUT" | MATCH "error: unable to contact snap store"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-readme/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-readme/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-readme/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-readme/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,13 @@
 summary: the /snap directory has a magic README file
-details: >
+
+details: |
     We found that some users are genuinely confused and concerned about the
     /snap directory or the disk space it appears to be using. Snapd now
     maintains a README file with some useful hints about what is going on that
     will, hopefully, help people understand this better.
+
 execute: |
     snap version # To ensure that snapd is awake
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     MATCH "https://forum.snapcraft.io/t/the-snap-directory/2817" "$SNAP_MOUNT_DIR/README"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-remove-not-mounted/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-remove-not-mounted/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-remove-not-mounted/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-remove-not-mounted/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,11 @@
 summary: Ensure remove with unmounted base dir works
 
 execute: |
-    cp -ar $TESTSLIB/snaps/test-snapd-tools /tmp
+    cp -ar "$TESTSLIB"/snaps/test-snapd-tools /tmp
     snap try /tmp/test-snapd-tools
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     # simulate what happens if someone "snap try /tmp/something" and then
     # reboots: the dir is gone and nothing can be mounted anymore
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-repair/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-repair/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-repair/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-repair/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,10 @@
 summary: Ensure that snap-repair is available
 
-systems: [-fedora-*, -opensuse-*]
+systems: [-fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     if ! grep -q "ID=ubuntu-core" /etc/os-release; then
         echo "Ensure snap-repair is disabled on classic"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-run/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-run/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-run/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-run/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -5,7 +5,8 @@
 systems: [-*-s390x]
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local basic-run
     install_local test-snapd-tools
 
@@ -28,7 +29,7 @@
         snap install strace-static
     fi
     # install the snap if no system strace is found
-    if ! which strace; then
+    if ! command -v strace; then
         snap install strace-static
     fi
 
@@ -54,10 +55,15 @@
     fi
     MATCH "Can't stat 'invalid': No such file or directory" < stderr
 
-    if which gdb; then
+    if command -v gdb; then
        echo "Test snap run --gdb works"
        echo "c" | snap run --gdb test-snapd-tools.echo hello > stdout
-       cat stdout | MATCH 'Continuing.'
-       cat stdout | MATCH hello
+       MATCH 'Continuing.' < stdout
+       MATCH hello < stdout
     fi
 
+    snap run --trace-exec test-snapd-tools.echo hello 2> stderr
+    MATCH "Slowest [0-9]+ exec calls during snap run" < stderr
+    MATCH "  [0-9.]+s .*/snap-exec" < stderr
+    MATCH "  [0-9.]+s .*/snap-confine" < stderr
+    MATCH "Total time: [0-9.]+s" < stderr
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-run-alias/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-run-alias/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-run-alias/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-run-alias/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,29 +1,29 @@
 summary: Check that alias symlinks work correctly
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
+
+environment:
+    APP/testsnapdtoolsecho: test-snapd-tools.echo
+    APP/testsnapdtoolscat: test-snapd-tools.cat
+    ALIAS/testsnapdtoolsecho: test_echo
+    ALIAS/testsnapdtoolscat: test_cat
 
 prepare: |
-    echo Ensure we have a os snap with snap run
-    $TESTSLIB/reset.sh
-    snap install --channel=beta core
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
 restore: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     rm -f $SNAP_MOUNT_DIR/bin/test_echo
     rm -f $SNAP_MOUNT_DIR/bin/test_cat
     rm -f orig.txt
     rm -f new.txt
 
-environment:
-    APP/testsnapdtoolsecho: test-snapd-tools.echo
-    APP/testsnapdtoolscat: test-snapd-tools.cat
-    ALIAS/testsnapdtoolsecho: test_echo
-    ALIAS/testsnapdtoolscat: test_cat
-
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     SNAP=$SNAP_MOUNT_DIR/test-snapd-tools/current
 
@@ -31,7 +31,7 @@
     $APP $SNAP/bin/cat
     $APP $SNAP/bin/cat > orig.txt 2>&1
 
-    ln -s $APP $SNAP_MOUNT_DIR/bin/$ALIAS
+    ln -s "$APP" "$SNAP_MOUNT_DIR/bin/$ALIAS"
 
     $ALIAS $SNAP/bin/cat
     $ALIAS $SNAP/bin/cat > new.txt 2>&1
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-run-hook/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-run-hook/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-run-hook/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-run-hook/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -8,12 +8,9 @@
     ENVDUMP: /var/snap/basic-hooks/current/hooks-env
 
 prepare: |
-    echo "Build test hooks package"
-    snap pack $TESTSLIB/snaps/basic-hooks
-    snap install --dangerous basic-hooks_1.0_all.snap
-
-restore: |
-    rm -f basic-hooks_1.0_all.snap
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local basic-hooks
 
 execute: |
     # Note that `snap run` doesn't exit non-zero if the hook is missing, so we
@@ -47,6 +44,7 @@
 
     snap set basic-hooks command=dump-env
     echo "Test that environment variables were interpolated"
-    cat $ENVDUMP | MATCH "^TEST_COMMON=/var/snap/basic-hooks/common$"
-    cat $ENVDUMP | MATCH "^TEST_DATA=/var/snap/basic-hooks/.*$"
-    cat $ENVDUMP | MATCH "^TEST_SNAP=/snap/basic-hooks/.*$"
+    MATCH "^TEST_COMMON=/var/snap/basic-hooks/common$" < "$ENVDUMP"
+    MATCH "^TEST_DATA=/var/snap/basic-hooks/.*$" < "$ENVDUMP"
+    MATCH "^TEST_SNAP=/snap/basic-hooks/.*$" < "$ENVDUMP"
+    MATCH "^TEST_EXTRA=extra-stuff$" < "$ENVDUMP"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-run-symlink/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-run-symlink/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-run-symlink/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-run-symlink/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,34 +1,33 @@
 summary: Check that symlinks to /usr/bin/snap trigger `snap run`
 
-systems: [-ubuntu-core-16-*]
-
-prepare: |
-    echo Ensure we have a os snap with snap run
-    $TESTSLIB/reset.sh
-    snap install --channel=beta core
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-tools
+systems: [-ubuntu-core-*]
 
 environment:
     APP/testsnapdtoolsecho: test-snapd-tools.echo
     APP/testsnapdtoolscat: test-snapd-tools.cat
 
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-tools
+
+restore: |
+    rm -f orig.txt
+    rm -f new.txt
+
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     SNAP=$SNAP_MOUNT_DIR/test-snapd-tools/current
 
     echo Testing that replacing the wrapper with a symlink works
     $APP $SNAP/bin/cat
     $APP $SNAP/bin/cat > orig.txt 2>&1
 
-    rm $SNAP_MOUNT_DIR/bin/$APP
-    ln -s /usr/bin/snap $SNAP_MOUNT_DIR/bin/$APP
+    rm "$SNAP_MOUNT_DIR/bin/$APP"
+    ln -s /usr/bin/snap "$SNAP_MOUNT_DIR/bin/$APP"
 
     $APP $SNAP/bin/cat
     $APP $SNAP/bin/cat > new.txt 2>&1
 
     diff -u orig.txt new.txt
-
-restore: |
-    rm -f orig.txt
-    rm -f new.txt
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-run-symlink-error/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-run-symlink-error/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-run-symlink-error/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-run-symlink-error/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,23 @@
 summary: Check error handling in symlinks to /usr/bin/snap
+
 restore: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     rm -f $SNAP_MOUNT_DIR/bin/xxx
-    rmdir $SNAP_MOUNT_DIR/bin
+
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     echo Setting up incorrect symlink for snap run
     mkdir -p $SNAP_MOUNT_DIR/bin
     ln -s /usr/bin/snap $SNAP_MOUNT_DIR/bin/xxx
     echo Running unknown command
     expected="internal error, please report: running \"xxx\" failed: cannot find current revision for snap xxx: readlink $SNAP_MOUNT_DIR/xxx/current: no such file or directory"
     output="$($SNAP_MOUNT_DIR/bin/xxx 2>&1 )" && exit 1
-    echo $output
+    echo "$output"
     err=$?
     echo Verifying error message
     if [ $err -ne 46 ]; then
        echo Wrong error code $err
     fi
-    [ "$output" = "$expected" ] || exit 1
-
+    [ "$output" = "$expected" ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-run-userdata-current/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-run-userdata-current/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-run-userdata-current/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-run-userdata-current/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,15 @@
 summary: Check that 'current' symlink is created with 'snap run'
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
 
 execute: |
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
     echo "Test that 'current' symlink is created in user data dir"
     CURRENT=$(readlink $SNAP_MOUNT_DIR/test-snapd-tools/current)
     if [ -z "$CURRENT" ]; then
@@ -16,24 +18,24 @@
     fi
 
     $SNAP_MOUNT_DIR/bin/test-snapd-tools.echo -n
-    UDATA_CURRENT=$(readlink $HOME/snap/test-snapd-tools/current)
+    UDATA_CURRENT=$(readlink "$HOME/snap/test-snapd-tools/current")
     if [ "$CURRENT" != "$UDATA_CURRENT" ]; then
       echo "Invalid 'current' symlink in user-data directory, expected $CURRENT, got $UDATA_CURRENT"
       exit 1
     fi
 
     echo "Test that 'current' symlink is recreated"
-    rm -rf $HOME/snap/test-snapd-tools/current
+    rm -rf "$HOME/snap/test-snapd-tools/current"
     $SNAP_MOUNT_DIR/bin/test-snapd-tools.echo -n
-    if [ ! -L $HOME/snap/test-snapd-tools/current ]; then
+    if [ ! -L "$HOME/snap/test-snapd-tools/current" ]; then
       echo "The 'current' symlink not present in user-data directory"
       exit 1
     fi
 
     echo "Test that 'current' symlink is updated if incorrect"
-    ln -fs $HOME/snap/test-snapd-tools/wrong $HOME/snap/test-snapd-tools/current
+    ln -fs "$HOME/snap/test-snapd-tools/wrong" "$HOME/snap/test-snapd-tools/current"
     $SNAP_MOUNT_DIR/bin/test-snapd-tools.echo -n
-    UDATA_CURRENT=$(readlink $HOME/snap/test-snapd-tools/current)
+    UDATA_CURRENT=$(readlink "$HOME/snap/test-snapd-tools/current")
     if [ "$CURRENT" != "$UDATA_CURRENT" ]; then
       echo "Invalid 'current' symlink in user-data directory, expected $CURRENT, got $UDATA_CURRENT"
       exit 1
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-seccomp/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-seccomp/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-seccomp/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-seccomp/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -25,17 +25,17 @@
 
     # from the old test_complain
     echo "Test that the @complain keyword works"
-    rm -f ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
     cat >"${PROFILE}.src" <<EOF
     # some comment
     @complain
     EOF
-    $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
+    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin"
     echo "Ensure the code still runs"
     test-snapd-tools.echo hello | MATCH hello
 
     # from the old test_complain_missed
-    rm -f ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
     cat >"${PROFILE}.src" <<EOF
     # super strict filter
     @complai
@@ -44,7 +44,7 @@
     @COMPLAIN
     complain
     EOF
-    $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
+    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin"
     echo "Ensure the code cannot not run due to impossible filtering"
     if test-snapd-tools.echo hello; then
         echo "filtering broken: program should have failed to run"
@@ -53,17 +53,17 @@
     
     # from the old test_unrestricted
     echo "Test that the @unrestricted keyword works"
-    rm -f ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
     cat >"${PROFILE}.src" <<EOF
     # some comment
     @unrestricted
     EOF
-    $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
+    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin"
     echo "Ensure the code still runs"
     test-snapd-tools.echo hello | MATCH hello
 
     # from the old test_unrestricted_missed
-    rm -f ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
     cat >"${PROFILE}.src" <<EOF
     # super strict filter
     @unrestricte
@@ -72,7 +72,7 @@
     @UNRESTRICTED
     unrestricted
     EOF
-    $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
+    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin"
     echo "Ensure the code cannot not run due to impossible filtering"
     if test-snapd-tools.echo hello; then
         echo "filtering broken: program should have failed to run"
@@ -80,7 +80,7 @@
     fi
 
     # from the old test_noprofile
-    rm -f ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
     echo "Ensure the code cannot not run due to missing filter"
     if SNAP_CONFINE_MAX_PROFILE_WAIT=3 test-snapd-tools.echo hello; then
         echo "filtering broken: program should have failed to run"
@@ -88,44 +88,44 @@
     fi
 
     echo "Break snapd.test-snapd-tools.bin to ensure (kernel) validation works"
-    dd if=/dev/urandom of=${PROFILE}.bin count=1 bs=1024
+    dd if=/dev/urandom of="${PROFILE}.bin" count=1 bs=1024
     if output=$(test-snapd-tools.echo hello 2>&1 ); then
         echo "test-snapd-tools.echo should fail with invalid seccomp profile"
         exit 1
     fi
-    echo $output | MATCH "cannot apply seccomp profile: Invalid argument"
+    echo "$output" | MATCH "cannot apply seccomp profile: Invalid argument"
 
     echo "Add huge snapd.test-snapd-tools.bin to ensure size limit works"
-    dd if=/dev/zero of=${PROFILE}.bin count=50 bs=1M
+    dd if=/dev/zero of="${PROFILE}.bin" count=50 bs=1M
     if output=$(test-snapd-tools.echo hello 2>&1 ); then
         echo "test-snapd-tools.echo should fail with big seccomp profile"
         exit 1
     fi
-    echo $output | MATCH "profile .* exceeds .* bytes"
+    echo "$output" | MATCH "profile .* exceeds .* bytes"
 
     
     echo "Ensure the code cannot not run with a missing .bin profile"
-    rm -f ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
     if test-snapd-tools.echo hello; then
         echo "filtering broken: program should have failed to run"
         exit 1
     fi
 
     echo "Ensure the code cannot not run with an empty seccomp profile"
-    rm -f ${PROFILE}.bin
-    echo "" > ${PROFILE}.src
-    $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
+    echo "" > "${PROFILE}.src"
+    $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin"
     if test-snapd-tools.echo hello; then
         echo "filtering broken: program should have failed to run"
         exit 1
     fi
 
     echo "Ensure snap-confine waits for security profiles to appear"
-    rm -f ${PROFILE}.bin
+    rm -f "${PROFILE}.bin"
     cat >"${PROFILE}.src" <<EOF
     @unrestricted
     EOF
-    ( (sleep 3; $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin) &)
+    ( (sleep 3; $SNAP_SECCOMP compile "${PROFILE}.src" "${PROFILE}.bin") &)
     echo "Ensure the code still runs"
     test-snapd-tools.echo hello | MATCH hello
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,7 +4,8 @@
 
 execute: |
     echo "When the service snap is installed"
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-service
 
     echo "We can see it running"
@@ -17,3 +18,12 @@
     while ! systemctl status snap.test-snapd-service.test-snapd-service|grep "reloading reloading reloading"; do
         sleep 1
     done
+
+    echo "A snap that refuses to stop is killed eventually"
+    snap stop test-snapd-service.test-snapd-service-refuses-to-stop
+    # systemd in 14.04 does not provide the "Result: timeout" information
+    if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
+        systemctl status snap.test-snapd-service.test-snapd-service-refuses-to-stop|MATCH "code=killed"
+    else
+        systemctl status snap.test-snapd-service.test-snapd-service-refuses-to-stop|MATCH "Result: timeout"
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service-after-before/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service-after-before/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service-after-before/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service-after-before/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,8 +2,12 @@
 
 execute: |
     echo "When the service snap is installed"
-    . $TESTSLIB/snaps.sh
-    install_local test-snapd-after-before-service
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    # we are using systemd-notify indicate the service is active, this is
+    # currently not allowed by daemon-notify interface, so we may as well just
+    # install in devmode
+    install_local test-snapd-after-before-service --devmode
 
     echo "We can see all services running"
     for service in before-middle middle after-middle; do
@@ -12,8 +16,8 @@
 
     echo "Service 'middle' is started after 'before-middle'"
     systemctl list-dependencies --plain --after snap.test-snapd-after-before-service.middle.service | \
-        MATCH "\s*snap.test-snapd-after-before-service.before-middle.service"
+        MATCH '\s*snap.test-snapd-after-before-service.before-middle.service'
 
     echo "Service 'middle' is started before 'after-middle'"
     systemctl list-dependencies --plain --before snap.test-snapd-after-before-service.middle.service | \
-        MATCH "\s*snap.test-snapd-after-before-service.after-middle.service"
+        MATCH '\s*snap.test-snapd-after-before-service.after-middle.service'
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service-after-before-install/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service-after-before-install/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service-after-before-install/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service-after-before-install/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,76 @@
+summary: Check that snap install respects after/before ordering of services
+
+# slow in autopkgtest (>3m)
+backends: [-autopkgtest]
+
+debug: |
+    for name in $(snap list | grep '^test-snapd-after-before-service' | awk '{print $1}'); do
+        for service in before-middle middle after-middle; do
+            systemctl status "snap.$name.$service" || true
+        done
+    done
+
+prepare: |
+    snap set system experimental.parallel-instances=true
+
+restore: |
+    snap set system experimental.parallel-instances=null
+
+execute: |
+    echo "When the service snap is installed"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    get_prop() {
+        prop=$(systemctl show -p "$1" "$2")
+        test -n "$prop"
+        # the format is:
+        # InactiveExitTimestamp=Mon 2018-10-22 10:41:53 CEST
+        echo "$prop" | cut -f2 -d=
+    }
+
+    # try to rule out any cases when things accidentally work by repeating the
+    # test a number of times
+    for _ in $(seq 10); do
+        # install each snap under separate instance name, this makes debugging
+        # easier
+        INSTANCE=$RANDOM
+        # we are using systemd-notify indicate the service is active, this is
+        # currently not allowed by daemon-notify interface, so we may as well
+        # just install in devmode
+        install_local_as test-snapd-after-before-service "test-snapd-after-before-service_$INSTANCE" --devmode
+
+        service_prefix="snap.test-snapd-after-before-service_$INSTANCE"
+
+        echo "We can see all services running"
+        for service in before-middle middle after-middle; do
+            systemctl status "$service_prefix.$service" | MATCH "running"
+        done
+
+        inactive_leave="$(get_prop "InactiveExitTimestampMonotonic" "$service_prefix.before-middle")"
+        active_enter="$(get_prop "ActiveEnterTimestampMonotonic" "$service_prefix.before-middle")"
+        test -n "$inactive_leave"
+        test -n "$active_enter"
+
+        # sanity check
+        test "$active_enter" -gt "$inactive_leave"
+        test -n "$inactive_leave"
+        test -n "$active_enter"
+
+        inactive_leave="$(get_prop "InactiveExitTimestampMonotonic" "$service_prefix.middle")"
+        test -n "$inactive_leave"
+
+        echo "middle service was started after before-middle became active"
+        test "$inactive_leave" -ge "$active_enter"
+
+        active_enter="$(get_prop "ActiveEnterTimestampMonotonic" "$service_prefix.middle")"
+        test -n "$active_enter"
+
+        inactive_leave="$(get_prop "InactiveExitTimestampMonotonic" "$service_prefix.after-middle")"
+        test -n "$inactive_leave"
+
+        echo "after-middle service was started after middle became active"
+        test "$inactive_leave" -ge "$active_enter"
+
+        snap remove "test-snapd-after-before_$INSTANCE"
+    done
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service-refresh-mode/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service-refresh-mode/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service-refresh-mode/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service-refresh-mode/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,46 +1,39 @@
 summary: "Check that refresh-modes works"
 
-kill-timeout: 3m
+# takes >1.5min to run
+backends: [-autopkgtest]
+
+kill-timeout: 5m
+
+restore:
+    rm -f ./*.pid || true
 
 debug: |
-    journalctl -u snap.test-snapd-service.test-snapd-endure-service
+    grep -n '' ./*.pid || true
+    systemctl status snap.test-snapd-service.test-snapd-endure-service || true
 
 execute: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     echo "When the service snap is installed"
-    . $TESTSLIB/snaps.sh
     install_local test-snapd-service
 
     echo "We can see it running"
     systemctl status snap.test-snapd-service.test-snapd-endure-service|MATCH "running"
+    systemctl show -p MainPID snap.test-snapd-service.test-snapd-endure-service > old-main.pid
 
     echo "When it is re-installed"
     install_local test-snapd-service
 
-    # note that we do not spread test sigterm{,-all} because catching this
-    # signal in the service means the stop will timeout with a 90s delay
-    refresh_modes="endure sighup sighup-all sigusr1 sigusr1-all sigusr2 sigusr2-all"
-    for s in $refresh_modes; do
-        echo "We can still see it running"
-        systemctl status snap.test-snapd-service.test-snapd-${s}-service|MATCH "running"
-
-        echo "And it is not re-started"
-        if journalctl -u snap.test-snapd-service.test-snapd-${s}-service | grep "stop ${s}"; then
-            echo "reinstall did stop a service that shouldn't"
-            exit 1
-        fi
-
-        if [[ "$s" == sig* ]]; then
-            echo "checking that the right signal was sent"
-            sleep 1
-            journalctl -u snap.test-snapd-service.test-snapd-${s}-service | MATCH "got ${s%%-all}"
-        fi
-    done
+    echo "We can still see it running with the same PID"
+    systemctl show -p MainPID snap.test-snapd-service.test-snapd-endure-service > new-main.pid
 
-    echo "But regular services are restarted"
-    journalctl -u snap.test-snapd-service.test-snapd-service | MATCH "stop service"
+    test "$(cat new-endure.pid)" = "$(cat old-endure.pid)"
 
     echo "Once the snap is removed, the service is stopped"
     snap remove test-snapd-service
-    for s in $refresh_modes; do
-        journalctl | MATCH "stop ${s}"
-    done
+    # shellcheck disable=SC2119
+    get_journalctl_log | MATCH "stop endure"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service-stop-mode/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service-stop-mode/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service-stop-mode/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service-stop-mode/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,70 @@
+summary: "Check that stop-modes works"
+
+kill-timeout: 5m
+
+# journald in ubuntu-14.04 not reliable
+systems: [-ubuntu-14.04-*]
+
+# takes >1.5min to run
+backends: [-autopkgtest]
+
+restore: |
+    rm -f ./*.pid || true
+    # remove to ensure all services are stopped
+    snap remove test-snapd-service || true
+
+debug: |
+    stop_modes="sighup sighup-all sigusr1 sigusr1-all sigusr2 sigusr2-all"
+    for s in $stop_modes; do
+        systemctl status "snap.test-snapd-service.test-snapd-${s}-service" || true
+    done
+
+execute: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
+    echo "When the service snap is installed"
+    install_local test-snapd-service
+    # Because we cannot use daemon: notify easily yet just wait for a "ready"
+    # file to show up.  The file is removed when the service is stopped. This
+    # pattern repeats around the test without additional comments.
+    while ! test -f /var/snap/test-snapd-service/common/ready; do sleep 1; done
+
+    echo "We can see it running"
+    systemctl status snap.test-snapd-service.test-snapd-service|MATCH "running"
+    systemctl show -p MainPID snap.test-snapd-service.test-snapd-service > old-main.pid
+
+    stop_modes="sighup sighup-all sigusr1 sigusr1-all sigusr2 sigusr2-all"
+    for s in $stop_modes; do
+        systemctl show -p ActiveState "snap.test-snapd-service.test-snapd-${s}-service" | MATCH "ActiveState=active"
+    done
+
+    echo "When it is re-installed"
+    install_local test-snapd-service
+    while ! test -f /var/snap/test-snapd-service/common/ready; do sleep 1; done
+
+    # note that sigterm{,-all} is tested separately
+    for s in $stop_modes; do
+        echo "We can see it is running"
+        systemctl show -p ActiveState "snap.test-snapd-service.test-snapd-${s}-service" | MATCH "ActiveState=active"
+
+        echo "and it got the right signal"
+        echo "checking that the right signal was sent"
+        test -f "/var/snap/test-snapd-service/common/${s}-${s%%-all}"
+    done
+
+    echo "Regular services are restarted normally"
+    get_journalctl_log -u snap.test-snapd-service.test-snapd-service | MATCH "stop service"
+    systemctl show -p MainPID snap.test-snapd-service.test-snapd-service > new-main.pid
+    test -e new-main.pid && test -e old-main.pid
+    test "$(cat new-main.pid)" != "$(cat old-main.pid)"
+
+    echo "Once the snap is removed, all services are stopped"
+    snap remove test-snapd-service
+    for s in $stop_modes; do
+        get_journalctl_log | MATCH "stop ${s}"
+    done
+
+    rm -f /var/snap/test-snapd-service/common/*
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service-stop-mode-sigkill/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service-stop-mode-sigkill/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service-stop-mode-sigkill/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service-stop-mode-sigkill/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,46 @@
+summary: "Check that refresh-modes sigkill works"
+
+kill-timeout: 5m
+
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
+
+restore: |
+    # remove to ensure all services are stopped
+    snap remove test-snapd-service || true
+    pkill sleep || true
+
+debug: |
+    ps afx
+
+execute: |
+    echo "Ensure no stray sleep processes are around"
+    pkill sleep || true
+
+    echo "When the service snap is installed"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-service
+    # Because we cannot use daemon: notify easily yet just wait for a "ready"
+    # file to show up.  The file is removed when the service is stopped. This
+    # pattern repeats around the test without additional comments.
+    while ! test -f /var/snap/test-snapd-service/common/ready; do sleep 1; done
+
+    refresh_modes="sigterm sigterm-all"
+    for s in $refresh_modes; do
+        systemctl show -p ActiveState "snap.test-snapd-service.test-snapd-${s}-service" | MATCH "ActiveState=active"
+    done
+
+    echo "we expect two sleep processes (children) from the two sigterm services"
+    n=$(pgrep -c -f 3133731337)
+    [ "$n" = "2" ]
+
+    echo "When it is re-installed one process uses sigterm, the other sigterm-all"
+    install_local test-snapd-service
+    while ! test -f /var/snap/test-snapd-service/common/ready; do sleep 1; done
+
+    echo "After reinstall the sigterm-all service and all children got killed"
+    echo "but the sigterm service only got a kill for the main process "
+    echo "and one sleep is still alive"
+    n=$(pgrep -c -f 3133731337)
+    [ "$n" = "3" ]
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service-timer/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service-timer/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service-timer/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service-timer/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,52 @@
+summary: Check that snap timer services work
+
+execute: |
+    echo "When the service snap is installed"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-timer-service
+
+    echo "We can see the timers being active"
+    for service in regular-timer random-timer; do
+        systemctl show -p ActiveState snap.test-snapd-timer-service.$service.timer | MATCH "ActiveState=active"
+        systemctl show -p SubState snap.test-snapd-timer-service.$service.timer | MATCH "SubState=(waiting|running)"
+        systemctl show -p Triggers snap.test-snapd-timer-service.$service.timer | \
+            MATCH "snap.test-snapd-timer-service.$service.service"
+        systemctl show -p UnitFileState snap.test-snapd-timer-service.$service.timer | MATCH "UnitFileState=enabled"
+    done
+    # systemctl list-timers output:
+    # NEXT                         LEFT          LAST                         PASSED        UNIT                                        ACTIVATES
+    # Fri 2018-02-23 11:00:00 CET  3min 25s left Fri 2018-02-23 10:45:36 CET  10min ago     snap.timer-service-snap.regular-timer.timer snap.timer-service-snap.regular-timer.service
+    # Fri 2018-02-23 11:01:00 CET  4min 25s left Fri 2018-02-23 10:51:36 CET  4min 58s ago  snap.timer-service-snap.random-timer.timer  snap.timer-service-snap.random-timer.service
+    echo "When disabled, times are not listed by systemd"
+    snap disable test-snapd-timer-service
+    if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
+        for service in regular-timer random-timer; do
+            systemctl show -p UnitFileState snap.test-snapd-timer-service.$service.timer | MATCH "UnitFileState="
+        done
+    else
+        ! systemctl list-timers | MATCH "test-snapd-timer-service"
+    fi
+
+    echo "When reenabled, the timers are present again"
+    snap enable test-snapd-timer-service
+    if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
+        for service in regular-timer random-timer; do
+            systemctl show -p UnitFileState snap.test-snapd-timer-service.$service.timer | MATCH "UnitFileState=enabled"
+        done
+    else
+        systemctl list-timers | MATCH "test-snapd-timer-service"
+    fi
+
+    echo "When removed, times are not listed by systemd"
+    snap remove test-snapd-timer-service
+    if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
+        for service in regular-timer random-timer; do
+            systemctl show -p UnitFileState snap.test-snapd-timer-service.$service.timer | MATCH "UnitFileState="
+        done
+    else
+        ! systemctl list-timers | MATCH "test-snapd-timer-service"
+    fi
+
+    echo "No timer files are left behind"
+    test "$(find /etc/systemd/system -name 'snap.test-snapd-timer-service.*.timer' | wc -l)" -eq "0"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-service-watchdog/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-service-watchdog/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-service-watchdog/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-service-watchdog/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,59 @@
+summary: Check that snaps can use service-watchdog provided by systemd
+
+# skip autopkgtest as this test is timing dependent and ADT is often
+# very slow
+backends: [-autopkgtest]
+
+debug: |
+    for service in direct-watchdog-ok direct-watchdog-bad; do
+        systemctl status snap.test-snapd-service-watchdog.$service || true
+    done
+
+execute: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
+    echo "When the service snap  is installed"
+    install_local test-snapd-service-watchdog
+
+    # the interface is disconnected by default
+    snap connect test-snapd-service-watchdog:daemon-notify
+
+    for service in direct-watchdog-ok direct-watchdog-bad; do
+        systemctl restart snap.test-snapd-service-watchdog.$service
+    done
+
+    echo "We can see all services running"
+    for service in direct-watchdog-ok direct-watchdog-bad; do
+        ! systemctl show -p SubState snap.test-snapd-service-watchdog.$service | MATCH "SubState=dead"
+    done
+
+    echo "Services that are correctly poking the watchdog remain running"
+    cnt=0
+    while true; do
+        wdk=$(journalctl -u snap.test-snapd-service-watchdog.direct-watchdog-ok | grep -c 'watchdog kick' || true)
+        # shellcheck disable=SC2015
+        test "$wdk" -ge 4 && break || true
+        cnt=$((cnt + 1))
+        test "$cnt" -lt 20
+        sleep 1
+    done
+    systemctl show -p SubState snap.test-snapd-service-watchdog.direct-watchdog-ok | MATCH 'SubState=running'
+
+    if [[ "$SPREAD_SYSTEM" == ubuntu-14.04-* ]]; then
+        # service watchdog does not appear to work in Ubuntu 14.04 at all
+        exit 0
+    fi
+
+    echo "Services not poking the watchdog fail due to watchdog"
+    service=direct-watchdog-bad
+    for _ in $(seq 1 20); do
+        if systemctl show -p SubState snap.test-snapd-service-watchdog.$service | MATCH 'SubState=(failed|stop-sigabrt)'; then
+            break
+        fi
+        sleep 1
+    done
+    systemctl show -p SubState snap.test-snapd-service-watchdog.$service | MATCH 'SubState=(failed|stop-sigabrt)'
+    # reported differently by different systemd versions
+    systemctl show -p Result snap.test-snapd-service-watchdog.$service | MATCH 'Result=(watchdog|signal|core-dump)'
+    journalctl -u snap.test-snapd-service-watchdog.$service | MATCH "systemd.*: snap.test-snapd-service-watchdog.$service.service:? [Ww]atchdog timeout"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-set/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-set/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-set/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-set/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,21 +1,20 @@
 summary: Check that `snap set` runs configure hook.
 
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+
     echo "Build basic test package (without hooks)"
-    snap pack $TESTSLIB/snaps/basic
-    snap install --dangerous basic_1.0_all.snap
+    install_local basic
 
     echo "Build failing hooks package"
-    snap pack $TESTSLIB/snaps/failing-config-hooks
+    snap pack "$TESTSLIB"/snaps/failing-config-hooks
 
     echo "Build package with hook to run snapctl set"
-    snap pack $TESTSLIB/snaps/snapctl-hooks
-    snap install --dangerous snapctl-hooks_1.0_all.snap
+    install_local snapctl-hooks
 
 restore: |
-    rm -f basic_1.0_all.snap
     rm -f failing-config-hooks_1.0_all.snap
-    rm -f snapctl-hooks_1.0_all.snap
 
 execute: |
     echo "Test that snap set fails without configure hook"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-set-core-w-no-core/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-set-core-w-no-core/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-set-core-w-no-core/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-set-core-w-no-core/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,11 +1,13 @@
 summary: Ensure core can be configure before being installed
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 warn-timeout: 1m
+
 kill-timeout: 5m
 
 execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
 
     echo "Ensure core is gone"
@@ -13,4 +15,10 @@
     distro_install_build_snapd
 
     echo "Check that we can set core config nevertheless"
-    snap set core test-config=true
+    snap set core system.power-key-action="ignore"
+
+    echo "Ensure that unknown options are rejected"
+    if snap set core unknown.option=1; then
+        echo "snap set core must error for unknown options"
+        exit 1
+    fi
\ No newline at end of file
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapshot-basic/task.yaml snapd-2.37~rc1~14.04/tests/main/snapshot-basic/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapshot-basic/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapshot-basic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,47 @@
+summary: Check that the basic snapshots functionality is ok
+
+prepare: |
+    snap install test-snapd-tools
+    snap install test-snapd-rsync
+
+execute: |
+    # use the snaps, so they create the dirs:
+    test-snapd-tools.echo
+    test-snapd-rsync.rsync --version >/dev/null
+    # drop in canaries:
+    for snap in test-snapd-tools test-snapd-rsync; do
+       echo "hello versioned $snap"  > ~/snap/$snap/current/canary.txt
+       echo "hello common $snap" > ~/snap/$snap/common/canary.txt
+    done
+    # create snapshot, grab its id
+    SET_ID=$( snap save test-snapd-tools test-snapd-rsync | cut -d\  -f1 | tail -n1 )
+
+    # check it includes both snaps
+    snap saved --id="$SET_ID" | grep test-snapd-tools
+    snap saved --id="$SET_ID" | grep test-snapd-rsync
+    # and is valid
+    snap check-snapshot "$SET_ID"
+
+    # remove the canaries
+    rm ~/snap/*/{current,common}/canary.txt
+
+    # restore one of them
+    snap restore "$SET_ID" test-snapd-tools
+    test -e ~/snap/test-snapd-tools/current/canary.txt
+    test -e ~/snap/test-snapd-tools/common/canary.txt
+    # it didn't restore the other one
+    test ! -e ~/snap/test-snapd-rsync/current/canary.txt
+    test ! -e ~/snap/test-snapd-rsync/common/canary.txt
+
+    # restore the other
+    snap restore "$SET_ID" test-snapd-rsync
+
+    # now check everything's as we expect
+    for snap in test-snapd-tools test-snapd-rsync; do
+        test "$( cat ~/snap/$snap/current/canary.txt )" = "hello versioned $snap"
+        test "$( cat ~/snap/$snap/common/canary.txt )" = "hello common $snap"
+    done
+
+    # check removal works
+    snap forget "$SET_ID"
+    snap saved --id="$SET_ID" | grep "No snapshots found"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snapshot-cross-revno/task.yaml snapd-2.37~rc1~14.04/tests/main/snapshot-cross-revno/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snapshot-cross-revno/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snapshot-cross-revno/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,59 @@
+summary: Check that cross-revision snapshot functionality is ok
+
+prepare: |
+    # clean up just in case
+    for d in {/root,/home/test}/snap/test-snapd-tools/; do
+        if [ -d "$d" ]; then
+            find "$d" -name canary.txt -delete -printf '%p deleted\n'
+        fi
+    done
+    snap install --edge test-snapd-tools
+
+execute: |
+    revno=$( snap list test-snapd-tools | awk '/^test-snapd/{print $3}' )
+
+    for u in root test; do
+        su -l -c "
+            set -e
+            # use the snap so it creates the directories
+            test-snapd-tools.echo OK
+            # drop a canary in there
+            echo 'hello revision $revno' > ~/snap/test-snapd-tools/current/canary.txt" "$u"
+    done
+
+    # sanity check :)
+    test "$revno" = "$( readlink ~/snap/test-snapd-tools/current )"
+
+    # take a snapshot
+    set_id=$( snap save test-snapd-tools | cut -d\  -f1 | tail -n1 )
+    
+    # remove the canary
+    find {/root,/home/test}/snap/test-snapd-tools/ -name canary.txt -delete -printf '%p deleted\n'
+
+    # change revision
+    snap refresh --stable test-snapd-tools
+    new_revno=$( snap list test-snapd-tools | awk '/^test-snapd/{print $3}' )
+    # confirm it changed
+    test "$revno" != "$new_revno"
+
+    for u in root test; do
+        su -l -c "
+            set -e
+            # update the current symlink
+            test-snapd-tools.echo OK
+
+            # confirm no canary
+            test ! -e ~/snap/test-snapd-tools/current/canary.txt" "$u"
+    done
+
+    # restore
+    snap restore "$set_id"
+    # revno is still new
+    test "$new_revno" = "$( readlink ~/snap/test-snapd-tools/current )"
+
+    for u in root test; do
+        su -l -c "
+            set -e
+            # canary is back
+            test -e ~/snap/test-snapd-tools/current/canary.txt" "$u"
+    done
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-sign/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-sign/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-sign/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-sign/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,14 +1,22 @@
 summary: Run snap sign to sign a model assertion
 
 # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*]
+# amazon: requires extra gpg-agent setup
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el, -fedora-*, -opensuse-*, -amazon-*, -centos-*]
 
 prepare: |
+    #shellcheck source=tests/lib/mkpinentry.sh
     . "$TESTSLIB"/mkpinentry.sh
+    #shellcheck source=tests/lib/random.sh
     . "$TESTSLIB"/random.sh
     kill_gpg_agent
 
+restore: |
+    rm -f pi3.model
+    rm -f pi3-model.json
+
 debug: |
+    #shellcheck source=tests/lib/random.sh
     . "$TESTSLIB"/random.sh
     debug_random
 
@@ -39,7 +47,3 @@
 
     echo "Verify that the resulting model assertion is signed"
     MATCH "sign-key-sha3-384: $key" < pi3.model
-
-restore: |
-    rm -f pi3.model
-    rm -f pi3-model.json
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-system-env/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-system-env/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-system-env/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-system-env/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,38 @@
+summary: Ensure systemd environment generator works
+
+# systemd environment generators are only supported on 17.10+
+systems: [ubuntu-18.04-*]
+
+execute: |
+    # integration test to ensure it works on the real system
+
+    # FIXME: we can avoid the reboot once issue:
+    #   https://github.com/systemd/systemd/issues/9972
+    # is fixed
+    echo "Ensure to reboot at least once"
+    if [ "$SPREAD_REBOOT" = 0 ]; then
+        REBOOT
+    fi
+
+    echo "Ensure PATH is correct in systemd system units"
+    systemd-run --unit testenv env
+    for _ in $(seq 30); do
+        if journalctl -u testenv | grep -E 'PATH=.*:/snap/bin.*'; then
+            break
+        fi
+        sleep 1
+    done
+    journalctl -u testenv | MATCH 'PATH=.*:/snap/bin.*'
+
+
+    # some unit tests
+    SENV=/usr/lib/systemd/system-environment-generators/snapd-env-generator
+
+    PATH=/bin:/sbin $SENV         | MATCH /bin:/sbin:/snap/bin
+    PATH=/bin:/snap/bin/bar $SENV | MATCH /bin:/snap/bin/bar:/snap/bin
+
+    echo "/snap/bin already part of the PATH should not generate output"
+    [ -z "$(PATH=/bin:/snap/bin:/sbin $SENV)" ] || exit 1
+
+    # regression test for LP: #1791691
+    PATH="" $SENV | MATCH '^$'
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-system-key/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-system-key/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-system-key/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-system-key/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,11 +1,14 @@
 summary: Ensure security profile re-generation works with system-key
+
 prepare: |
     echo "Make backup of fstab"
     cp /etc/fstab /tmp/fstab.save
+
 restore: |
     echo "Restore fstab copy"
     cp /tmp/fstab.save /etc/fstab
     rm -f /tmp/fstab.save
+
 execute: |
     stop_snapd() {
         systemctl stop snapd.service snapd.socket
@@ -27,9 +30,8 @@
     }
 
     echo "Ensure a valid system-key file is on-disk"
-    cat /var/lib/snapd/system-key | MATCH '"build-id":"[0-9a-z]+"'
+    MATCH '"build-id":"[0-9a-z]+"' < /var/lib/snapd/system-key
     buf="$(stat /var/lib/snapd/system-key)"
-    system_key_content="$(cat /var/lib/snapd/system-key)"
 
     echo "Ensure that the system-key is not rewritten if system-key is unchanged"
     restart_snapd
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-update-ns/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-update-ns/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-update-ns/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-update-ns/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: smoke test for snap-update-ns
+
 details: |
     Snapd is growing a new executable, snap-update-ns, to modify an existing
     mount namespace.  This is further documented on the forum here
@@ -7,71 +8,80 @@
     While the implementation matures this test checks that we call setns
     correctly (and it doesn't fail) enough that we reach the "not implemented"
     message that is currently in snap-updates-ns
+
 environment:
     # I made far too many typos when those were literals in the code below.
     PLUG_SNAP: test-snapd-content-plug
     SLOT_SNAP: test-snapd-content-slot
+
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     # NOTE: those are installed locally so that they are not connected because
     # of missing assertions. We are installing the slot before the plug snap so
     # that there's no attempt to load the default provider. Just in case
     # something changes we're disconnecting them so that tests are predictable.
-    install_local $SLOT_SNAP
-    install_local $PLUG_SNAP
-    snap disconnect $PLUG_SNAP:shared-content-plug || :
+    install_local "$SLOT_SNAP"
+    install_local "$PLUG_SNAP"
+    snap disconnect "$PLUG_SNAP:shared-content-plug" || :
     # Ensure there is no preserved mount namespace of the -plug snap.
     # (This one gets created because by connect hooks).
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
-    $LIBEXECDIR/snapd/snap-discard-ns $PLUG_SNAP
-    rm -f /run/snapd/ns/$PLUG_SNAP.mnt
+    $LIBEXECDIR/snapd/snap-discard-ns "$PLUG_SNAP"
+    rm -f "/run/snapd/ns/$PLUG_SNAP.mnt"
+
 execute: |
     # NOTE: All the commands here will focus on the -plug snap as this is where
     # the mount namespace is going to be altered. The -slot snap is just there
     # inert, as a way to provide content, but it does not execute and does not
     # need a namespace namespace.
 
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     # Check that update tool doesn't fail if there is no namespace yet.
-    $LIBEXECDIR/snapd/snap-update-ns $PLUG_SNAP
+    $LIBEXECDIR/snapd/snap-update-ns "$PLUG_SNAP"
 
     # Run a trivial command to build and preserve a mount namespace.
-    snap run --shell $PLUG_SNAP.content-plug -c 'true'
+    snap run --shell "$PLUG_SNAP.content-plug" -c 'true'
 
     # Check that the shared content is not mounted.
-    snap run --shell $PLUG_SNAP.content-plug -c 'test ! -e $SNAP/import/shared-content'
+    #shellcheck disable=SC2016
+    snap run --shell "$PLUG_SNAP.content-plug" -c 'test ! -e $SNAP/import/shared-content'
 
     # Run snap-update-ns to see that we managed to switch namespaces correctly
     # and did nothing more. We did nothing more because the namespace already
     # is exactly as it needs to be. The snap-confine program has just
     # constructed it according to the desired description.
-    diff -Nu /var/lib/snapd/mount/snap.$PLUG_SNAP.fstab /run/snapd/ns/snap.$PLUG_SNAP.fstab
-    $LIBEXECDIR/snapd/snap-update-ns $PLUG_SNAP
-    diff -Nu /var/lib/snapd/mount/snap.$PLUG_SNAP.fstab /run/snapd/ns/snap.$PLUG_SNAP.fstab
+    diff -Nu "/var/lib/snapd/mount/snap.$PLUG_SNAP.fstab" "/run/snapd/ns/snap.$PLUG_SNAP.fstab"
+    $LIBEXECDIR/snapd/snap-update-ns "$PLUG_SNAP"
+    diff -Nu "/var/lib/snapd/mount/snap.$PLUG_SNAP.fstab" "/run/snapd/ns/snap.$PLUG_SNAP.fstab"
 
     # Connect the plug to the slot.
-    snap connect $PLUG_SNAP:shared-content-plug $SLOT_SNAP:shared-content-slot
+    snap connect "$PLUG_SNAP:shared-content-plug" "$SLOT_SNAP:shared-content-slot"
 
     # Run the update tool manually to see that it is idempotent.
-    diff -Nu /var/lib/snapd/mount/snap.$PLUG_SNAP.fstab /run/snapd/ns/snap.$PLUG_SNAP.fstab
-    $LIBEXECDIR/snapd/snap-update-ns $PLUG_SNAP
-    diff -Nu /var/lib/snapd/mount/snap.$PLUG_SNAP.fstab /run/snapd/ns/snap.$PLUG_SNAP.fstab
+    diff -Nu "/var/lib/snapd/mount/snap.$PLUG_SNAP.fstab" "/run/snapd/ns/snap.$PLUG_SNAP.fstab"
+    $LIBEXECDIR/snapd/snap-update-ns "$PLUG_SNAP"
+    diff -Nu "/var/lib/snapd/mount/snap.$PLUG_SNAP.fstab" "/run/snapd/ns/snap.$PLUG_SNAP.fstab"
 
     # Check that the shared content is mounted.
-    snap run --shell $PLUG_SNAP.content-plug -c 'test -e $SNAP/import/shared-content'
+    #shellcheck disable=SC2016
+    snap run --shell "$PLUG_SNAP.content-plug" -c 'test -e $SNAP/import/shared-content'
 
     # Disconnect the plug from the slot so that we can test the other way.
-    snap disconnect $PLUG_SNAP:shared-content-plug $SLOT_SNAP:shared-content-slot
+    snap disconnect "$PLUG_SNAP:shared-content-plug" "$SLOT_SNAP:shared-content-slot"
 
     # Run the update tool manually to see that it is idempotent.
-    diff -uN /var/lib/snapd/mount/snap.$PLUG_SNAP.fstab /run/snapd/ns/snap.$PLUG_SNAP.fstab
-    $LIBEXECDIR/snapd/snap-update-ns $PLUG_SNAP
-    diff -uN /var/lib/snapd/mount/snap.$PLUG_SNAP.fstab /run/snapd/ns/snap.$PLUG_SNAP.fstab
+    diff -uN "/var/lib/snapd/mount/snap.$PLUG_SNAP.fstab" "/run/snapd/ns/snap.$PLUG_SNAP.fstab"
+    $LIBEXECDIR/snapd/snap-update-ns "$PLUG_SNAP"
+    diff -uN "/var/lib/snapd/mount/snap.$PLUG_SNAP.fstab" "/run/snapd/ns/snap.$PLUG_SNAP.fstab"
 
     # Check that the shared content is not mounted.
-    snap run --shell $PLUG_SNAP.content-plug -c 'test ! -e $SNAP/import/shared-content'
+    #shellcheck disable=SC2016
+    snap run --shell "$PLUG_SNAP.content-plug" -c 'test ! -e $SNAP/import/shared-content'
 
     # Discard the namespace so that update has nothing useful to do.
-    $LIBEXECDIR/snapd/snap-discard-ns $PLUG_SNAP
-    $LIBEXECDIR/snapd/snap-update-ns $PLUG_SNAP
+    $LIBEXECDIR/snapd/snap-discard-ns "$PLUG_SNAP"
+    $LIBEXECDIR/snapd/snap-update-ns "$PLUG_SNAP"
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-userd-desktop-app-autostart/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-userd-desktop-app-autostart/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-userd-desktop-app-autostart/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-userd-desktop-app-autostart/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,36 @@
+summary: Check that snap userd can autostart user session applications
+
+restore: |
+    rm -f ~/snap/test-snapd-xdg-autostart/current/foo-autostarted
+    rm -f ~/snap/test-snapd-xdg-autostart/current/.config/autostart/foo.desktop
+
+execute: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
+    echo "When the snap is installed"
+    install_local test-snapd-xdg-autostart
+
+    # run the app directly, it will dump a *.desktop file
+    snap run test-snapd-xdg-autostart.foo
+
+    echo "And snap application autostart file exists"
+    test -e ~/snap/test-snapd-xdg-autostart/current/.config/autostart/foo.desktop
+
+    echo "Applications can be automatically started by snap userd --autostart"
+
+    test ! -e ~/snap/test-xdg-snap-autostart/current/foo-autostarted
+    cursor=$(get_last_journalctl_cursor)
+    snap userd --autostart > autostart.log 2>&1
+
+    # when app is autostarted it dumps a file at $SNAP_USER_DATA/foo-autostarted,
+    # applications are forked by userd, but userd does not wait for them
+    for _ in $(seq 20); do
+        test -e ~/snap/test-snapd-xdg-autostart/current/foo-autostarted && break
+        sleep 1
+    done
+    test -e ~/snap/test-snapd-xdg-autostart/current/foo-autostarted
+
+    test "$(get_journalctl_log_from_cursor "$cursor" | grep -c foo.desktop)" -gt 0
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-userd-reexec/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-userd-reexec/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-userd-reexec/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-userd-reexec/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,8 +10,8 @@
     mv /usr/share/dbus-1/services/io.snapcraft.Launcher.service /usr/share/dbus-1/services/io.snapcraft.Launcher.service.orig
 
     echo "Install new core"
-    snap install --dangerous /var/lib/snapd/snaps/core_$(cat prevBoot).snap
+    snap install --dangerous "/var/lib/snapd/snaps/core_$(cat prevBoot).snap"
 
     echo "Ensure the dbus service file got created"
     test -f /usr/share/dbus-1/services/io.snapcraft.Launcher.service
-    diff -u /usr/share/dbus-1/services/io.snapcraft.Launcher.service.orig /usr/share/dbus-1/services/io.snapcraft.Launcher.service
\ No newline at end of file
+    diff -u /usr/share/dbus-1/services/io.snapcraft.Launcher.service.orig /usr/share/dbus-1/services/io.snapcraft.Launcher.service
diff -Nru snapd-2.32.3.2~14.04/tests/main/snap-wait/task.yaml snapd-2.37~rc1~14.04/tests/main/snap-wait/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/snap-wait/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/snap-wait/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,27 @@
+summary: Check that `snap wait` works
+
+kill-timeout: 2m
+
+prepare: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local basic-hooks
+
+execute: |
+    echo "Ensure snap wait for seeding works"
+    snap wait system seed.loaded
+
+    echo "Ensure snap wait for arbitrary stuff works"
+    # set to a false value
+    snap set basic-hooks foo=0
+    # keep track
+    start=$(date +%s)
+    # ensure we wait 3s before the false value becomes true
+    ( (sleep 3; snap set basic-hooks foo=1)& )
+    snap wait basic-hooks foo
+    end=$(date +%s)
+    # ensure we waited 
+    if [ $((end-start)) -lt 2 ]; then
+        echo "snap wait returned too early"
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/stale-base-snap/task.yaml snapd-2.37~rc1~14.04/tests/main/stale-base-snap/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/stale-base-snap/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/stale-base-snap/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,8 @@
 summary: when the base snap changes revision apps are not stuck on the stale one
+
+# slow in autopkgtest (>1m)
+backends: [-autopkgtest]
+
 details: |
     When a snap application starts running the mount namespace it inhabits is
     preserved and cached across all the applications belonging to a given snap.
@@ -14,27 +18,35 @@
 # soon as the new core snap is installed. A variant of this using a non-core
 # base snap is possible but that is a separate test.
 systems: [-ubuntu-core-*]
+
 prepare: |
     # We will need the Swiss-army-knife shell snap. We want to use it in
     # devmode so that we can look at /customized file which is non-standard.
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local_devmode test-snapd-sh
 
     # We will also need to prepare a hacked core snap that just differs from
     # our own in some detail that we can measure.
-    unsquashfs $(ls /var/lib/snapd/snaps/core_*.snap | sort -r -n | head -n 1)
+    unsquashfs -no-progress "$(find /var/lib/snapd/snaps -name 'core_*.snap' | sort -r -n | head -n 1)"
     touch squashfs-root/customized
     sed -i -e 's/version: .*/version: customized/' squashfs-root/meta/snap.yaml
 
     mksnap_fast squashfs-root core-customized.snap
+
+restore: |
+    rm -rf squashfs-root
+    rm -f core-customized.snap
+
 execute: |
     # Start a "sleep" process in the background
+    #shellcheck disable=SC2016
     test-snapd-sh -c 'touch $SNAP_DATA/stamp && exec sleep 1h' &
     pid=$!
 
     # Ensure that snap-confine has finished its task and that the snap process
     # is active. Note that we don't want to wait forever either.
-    for i in $(seq 30); do
+    for _ in $(seq 30); do
         test -e /var/snap/test-snapd-sh/current/stamp && break
         sleep 0.1
     done
@@ -62,6 +74,3 @@
     # the stamp file in /tmp because /tmp is now empty.
     test-snapd-sh -c "test ! -e /tmp/stamp"
     test-snapd-sh -c "test -e /customized"
-restore: |
-    rm -rf squashfs-root
-    rm -f core-customized.snap
diff -Nru snapd-2.32.3.2~14.04/tests/main/static/task.yaml snapd-2.37~rc1~14.04/tests/main/static/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/static/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/static/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Check that snapd can be built without cgo
-systems: [-ubuntu-core-16-*]
+
+systems: [-ubuntu-core-*]
+
 execute: |
     CGO_ENABLED=0 go build -o snapd.static github.com/snapcore/snapd/cmd/snapd
-    ldd snapd.static && exit 1 || true
+    ldd snapd.static | MATCH 'not a dynamic executable'
diff -Nru snapd-2.32.3.2~14.04/tests/main/svcs-disable-install-hook/task.yaml snapd-2.37~rc1~14.04/tests/main/svcs-disable-install-hook/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/svcs-disable-install-hook/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/svcs-disable-install-hook/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,11 @@
+summary: Check that `snapctl stop --disable` actually stops services on install
+
+execute: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local test-snapd-svcs-disable-install-hook
+
+    for service in simple forking; do
+        echo "Verify that the $service service isn't running"
+        snap services | MATCH "test-snapd-svcs-disable-install-hook\\.$service\\s+disabled\\s+inactive"
+    done
diff -Nru snapd-2.32.3.2~14.04/tests/main/system-core-alias/task.yaml snapd-2.37~rc1~14.04/tests/main/system-core-alias/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/system-core-alias/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/system-core-alias/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,20 @@
+summary: Verify that 'system' can be used as an alias for 'core'
+
+debug: |
+    snap get core -d || true
+    snap get system -d || true
+
+execute: |
+    echo "When a configuration is set for the core snap"
+    snap set core proxy.ftp=http://needle
+    snap get core proxy.ftp | MATCH "http://needle"
+
+    echo "It can be retrieved using system alias"
+    snap get system proxy.ftp | MATCH "http://needle"
+
+    echo "When a configuration is set using the system alias"
+    snap set system proxy.ftp=http://needle2
+    snap get system proxy.ftp | MATCH "http://needle2"
+
+    echo "It is also visible through the core snap"
+    snap get core proxy.ftp | MATCH "http://needle2"
diff -Nru snapd-2.32.3.2~14.04/tests/main/systemd-service/task.yaml snapd-2.37~rc1~14.04/tests/main/systemd-service/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/systemd-service/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/systemd-service/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,18 +1,21 @@
 summary: Check that a service installed by a snap is reported as active by systemd
 
 environment:
-    SERVICE_NAME: snap.network-bind-consumer.network-consumer.service
+    SERVICE_NAME: snap.test-snapd-service.test-snapd-service.service
+
+restore: |
+    rm -f ./*.snap
 
 execute: |
+    # shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+
     echo "Given a service snap is installed"
-    snap pack $TESTSLIB/snaps/network-bind-consumer
-    snap install --dangerous network-bind-consumer_1.0_all.snap
+    install_local test-snapd-service
 
     echo "When the service state is reported as active"
-    while ! systemctl show -p ActiveState $SERVICE_NAME | grep -Pq "ActiveState=active"; do sleep 0.5; done
+    while ! systemctl show -p ActiveState "$SERVICE_NAME" | grep -Pq "ActiveState=active"; do sleep 0.5; done
 
     echo "Then systemctl reports the status of the service as loaded, active and running"
-    expected="(?s).*?Loaded: loaded .*?Active: active \(running\)"
-    systemctl status $SERVICE_NAME | grep -Pqz "$expected"
-restore: |
-    rm -f *.snap
+    expected='(?s).*?Loaded: loaded .*?Active: active \(running\)'
+    systemctl status "$SERVICE_NAME" | grep -Pqz "$expected"
diff -Nru snapd-2.32.3.2~14.04/tests/main/try/task.yaml snapd-2.37~rc1~14.04/tests/main/try/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/try/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/try/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,7 @@
 summary: Check that try command works
 
-systems: [-ubuntu-core-16-*, -fedora-*, -opensuse-*]
+# s390x does not have /dev/kmsg
+systems: [-ubuntu-core-*, -fedora-*, -opensuse-*, -arch-*, -ubuntu-*-s390x, -centos-*]
 
 environment:
     PORT: 8081
@@ -9,23 +10,21 @@
     SERVICE_NAME: "test-service"
 
 prepare: |
-    . $TESTSLIB/systemd.sh
-    echo "Given a service listening on a port"
-    printf "#!/bin/sh -e\nwhile true; do printf \"HTTP/1.1 200 OK\n\nok\n\" |  nc -l -p $PORT -w 1; done" > $SERVICE_FILE
-    chmod a+x $SERVICE_FILE
-    systemd_create_and_start_unit $SERVICE_NAME "$(readlink -f $SERVICE_FILE)"
-
-    while ! netstat -lnt | grep -Pq "tcp.*?:$PORT +.*?LISTEN\n*"; do sleep 0.5; done
+    # shellcheck source=tests/lib/network.sh
+    . "$TESTSLIB"/network.sh
+    make_network_service "$SERVICE_NAME" "$SERVICE_FILE" "$PORT"
 
 restore: |
-    . $TESTSLIB/systemd.sh
-    systemd_stop_and_destroy_unit $SERVICE_NAME
-    rm -f $SERVICE_FILE $READABLE_FILE
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
+    #shellcheck disable=SC2153
+    systemd_stop_and_destroy_unit "$SERVICE_NAME"
+    rm -f "$SERVICE_FILE" "$READABLE_FILE"
 
 execute: |
     echo "Given a buildable snap in a known directory"
     echo "When try is executed on that directory"
-    snap try $TESTSLIB/snaps/test-snapd-tools
+    snap try "$TESTSLIB"/snaps/test-snapd-tools
 
     echo "Then the snap is listed as installed with try in the notes"
     snap list | MATCH '^test-snapd-tools .* try'
@@ -34,14 +33,12 @@
     test-snapd-tools.success
 
     echo "And commands from the snap-try binary can read in a readable dir"
-    echo -n "Hello World" > $READABLE_FILE
-    test-snapd-tools.cat $READABLE_FILE | MATCH "Hello World"
-
-    echo "====================================="
+    echo -n "Hello World" > "$READABLE_FILE"
+    test-snapd-tools.cat "$READABLE_FILE" | MATCH "Hello World"
 
     echo "Given a buildable snap which access confinement-protected resources in a known directory"
     echo "When try is executed on that directory"
-    snap try $TESTSLIB/snaps/test-snapd-tools
+    snap try "$TESTSLIB"/snaps/test-snapd-tools
 
     if [ "$(snap debug confinement)" = strict ] ; then
         echo "Then the snap command is not able to access the protected resource"
@@ -51,37 +48,32 @@
         fi
     fi
 
-    echo "====================================="
-
     echo "Given a buildable snap which access confinement-protected resources in a known directory"
     echo "When try is executed on that directory with devmode enabled"
-    snap try $TESTSLIB/snaps/test-snapd-tools --devmode
+    snap try "$TESTSLIB"/snaps/test-snapd-tools --devmode
 
     echo "Then the snap command is able to access the protected resource"
     test-snapd-tools.head -1 /dev/kmsg
 
-    echo "====================================="
-
     echo "Given a buildable snap which access confinement-enabled network resources in a known directory"
     echo "When try is executed on that directory"
-    snap try $TESTSLIB/snaps/network-consumer
+    snap try "$TESTSLIB"/snaps/network-consumer
 
     echo "Then the snap is able to access the network resource"
-    network-consumer http://127.0.0.1:$PORT | MATCH "ok"
+    network-consumer http://127.0.0.1:"$PORT" | MATCH "ok"
 
-    echo "====================================="
     n=test-snapd-classic-confinement
     s=$TESTSLIB/snaps/$n
     echo "Given a buildable snap with classic confinement:"
     echo " - you can't try it without --classic:"
-    snap try $s && exit 1 || true
-    snap try --jailmode $s && exit 1 || true
-    snap try --devmode $s && exit 1 || true
+    ! snap try "$s"
+    ! snap try --jailmode "$s"
+    ! snap try --devmode "$s"
 
     touch /tmp/lala
 
     echo " - you can try it with --classic:"
-    snap try --classic $s
+    snap try --classic "$s"
     snap list $n | MATCH $n.*classic
     $n | MATCH lala
     snap remove $n
diff -Nru snapd-2.32.3.2~14.04/tests/main/try-non-fatal/task.yaml snapd-2.37~rc1~14.04/tests/main/try-non-fatal/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/try-non-fatal/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/try-non-fatal/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,19 +1,19 @@
 summary: Checks that removing the base directory of a tried snap works.
 
-systems: [-ubuntu-core-16-*]
+systems: [-ubuntu-core-*]
 
 execute: |
     echo "Given a tried snap"
     base_dir=$(mktemp -d)
     chmod 0755 "$base_dir"
-    cp -R $TESTSLIB/snaps/test-snapd-tools/* $base_dir
-    snap try $base_dir
+    cp -a "$TESTSLIB"/snaps/test-snapd-tools/* "$base_dir"
+    snap try "$base_dir"
 
     echo "Then it is listed as installed"
     snap list | grep -Pq "^test-snapd-tools +.*?try"
 
     echo "When its base directory is removed"
-    rm -rf $base_dir
+    rm -rf "$base_dir"
 
     echo "Then the snap is listed as a broken install"
     snap list | grep -Pq "^test-snapd-tools +.*?broken"
diff -Nru snapd-2.32.3.2~14.04/tests/main/try-snap-goes-away/task.yaml snapd-2.37~rc1~14.04/tests/main/try-snap-goes-away/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/try-snap-goes-away/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/try-snap-goes-away/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,43 +1,50 @@
 summary: Check that snaps vanishing are handled gracefully
+details: |
+    Note that this test is subtly different from tests/regression/lp-1764977.
+    See the description of that test for details.
 
 environment:
     SNAP_NAME/test_snapd_tools: test-snapd-tools
-    SNAP_NAME/network_bind_consumer: network-bind-consumer
+    SNAP_NAME/test_snapd_service: test-snapd-service
     TRYDIR: $(pwd)/trydir
 
 restore: |
-    rm -rf $TRYDIR
+    rm -rf "$TRYDIR"
 
 execute: |
-    mkdir -p $TRYDIR
+    mkdir -p "$TRYDIR"
+    # make sure the dir has correct permissions in case the default umask is
+    # different
+    chmod 0755 "$TRYDIR"
 
-    cp -ar  $TESTSLIB/snaps/$SNAP_NAME/* $TRYDIR
+    cp -ar  "$TESTSLIB"/snaps/"$SNAP_NAME"/* "$TRYDIR"
 
     echo Trying a snap
-    snap try $TRYDIR
-    snap list |MATCH $SNAP_NAME
+    snap try "$TRYDIR"
+    snap list |MATCH "$SNAP_NAME"
 
     echo Removing a snap try dir does not break everything
-    rm -rf $TRYDIR
+    rm -rf "$TRYDIR"
     snap list |MATCH core
 
     echo A snap in broken state can be removed
-    snap remove $SNAP_NAME
+    snap remove "$SNAP_NAME"
 
     echo And is gone afterwards
-    snap list |MATCH -v $SNAP_NAME
+    snap list |MATCH -v "$SNAP_NAME"
 
-    . $TESTSLIB/dirs.sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
 
     echo And all its binaries
-    N="$(ls $SNAP_MOUNT_DIR/bin/$SNAP_NAME*|wc -l)"
+    N="$(find $SNAP_MOUNT_DIR/bin -name "$SNAP_NAME*"|wc -l)"
     if [ "$N" -ne 0 ]; then
        echo "Some binaries are not cleaned"
        exit 1
     fi
 
     echo And all its services
-    N="$(ls /etc/systemd/system/snap.$SNAP_NAME.*|wc -l)"
+    N="$(find /etc/systemd/system -name "snap.$SNAP_NAME*" |wc -l)"
     if [ "$N" -ne 0 ]; then
        echo "Some services are not cleaned"
        exit 1
diff -Nru snapd-2.32.3.2~14.04/tests/main/try-snap-is-optional/task.yaml snapd-2.37~rc1~14.04/tests/main/try-snap-is-optional/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/try-snap-is-optional/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/try-snap-is-optional/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,12 @@
 summary: Check that try command works when snap dir is omitted
-systems: [-ubuntu-core-16-*]
+
+systems: [-ubuntu-core-*]
+
 execute: |
     echo "When try is executed inside a snap directory"
-    cd $TESTSLIB/snaps/test-snapd-tools
+    # shellcheck disable=SC2164
+    cd "$TESTSLIB"/snaps/test-snapd-tools
     snap try
 
     echo "Then the snap is listed as installed with try in the notes"
-    snap list | grep -Pq "^test-snapd-tools +.*?try"
+    snap list | grep -Pq '^test-snapd-tools +.*?try'
diff -Nru snapd-2.32.3.2~14.04/tests/main/try-twice-with-daemon/task.yaml snapd-2.37~rc1~14.04/tests/main/try-twice-with-daemon/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/try-twice-with-daemon/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/try-twice-with-daemon/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,35 +1,36 @@
 summary: Check that try command works when daemon line is added to snap.yaml
-systems: [-ubuntu-core-16-*]
+
+systems: [-ubuntu-core-*]
 
 environment:
   SERVICE: snap.test-snapd-service-try.service.service
 
 execute: |
-  echo "Given a buildable snap in a known directory"
-  echo "When try is executed on that directory"
-  snap try $TESTSLIB/snaps/test-snapd-service-try-v1
-
-  echo "Then the snap is listed as installed with try in the notes"
-  snap list | MATCH "^test-snapd-service-try .* try"
-
-  # Sanity check just to ensure the test and its input yaml are correct
-  echo "And it doesn't have a systemd service just yet"
-  # Note: systemctl in yakkety doesn't report LoadState=not-found for unknown services
-  # so need to grep all the services
-  if systemctl|grep -q $SERVICE ; then
-    echo "Unexpected service $SERVICE"
-    exit 1
-  fi
-
-  echo "When snap.yaml is updated with the daemon line added"
-  echo "Then it can be tried again"
-  snap try $TESTSLIB/snaps/test-snapd-service-try-v2
-  snap list | MATCH "^test-snapd-service-try .* try"
-  echo "And a service is now loaded with systemd"
-
-  expected_output="LoadState=loaded"
-  output=$(systemctl show --property=LoadState $SERVICE)
-  if [ "$output" != "$expected_output" ]; then
-    echo "Expected systemctl show output to be '$expected_output', but it was '$output'"
-    exit 1
-  fi
+    echo "Given a buildable snap in a known directory"
+    echo "When try is executed on that directory"
+    snap try "$TESTSLIB"/snaps/test-snapd-service-try-v1
+
+    echo "Then the snap is listed as installed with try in the notes"
+    snap list | MATCH "^test-snapd-service-try .* try"
+
+    # Sanity check just to ensure the test and its input yaml are correct
+    echo "And it doesn't have a systemd service just yet"
+    # Note: systemctl in yakkety doesn't report LoadState=not-found for unknown services
+    # so need to grep all the services
+    if systemctl|grep -q "$SERVICE" ; then
+        echo "Unexpected service $SERVICE"
+        exit 1
+    fi
+
+    echo "When snap.yaml is updated with the daemon line added"
+    echo "Then it can be tried again"
+    snap try "$TESTSLIB"/snaps/test-snapd-service-try-v2
+    snap list | MATCH "^test-snapd-service-try .* try"
+    echo "And a service is now loaded with systemd"
+
+    expected_output="LoadState=loaded"
+    output=$(systemctl show --property=LoadState "$SERVICE")
+    if [ "$output" != "$expected_output" ]; then
+        echo "Expected systemctl show output to be '$expected_output', but it was '$output'"
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/try-with-hooks/task.yaml snapd-2.37~rc1~14.04/tests/main/try-with-hooks/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/try-with-hooks/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/try-with-hooks/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,32 @@
+summary: Reproduce a known issue of snap try failure with hooks
+
+prepare: |
+  cp -a "$TESTSLIB"/snaps/basic ./
+  # in case the snap is modified to have the hook
+  rm -f basic/meta/hooks/pre-refresh
+
+execute: |
+    echo "Snap try a snap without pre-refresh hook"
+    snap try basic
+
+    echo "Snap try again"
+    snap try basic
+
+    echo "Remove the snap and snap try again"
+    snap remove basic
+
+    snap try basic
+
+    echo "Snap try, now with pre-refresh hook"
+    mkdir -p basic/meta/hooks
+    echo "#!/bin/sh" > basic/meta/hooks/pre-refresh
+    chmod +x basic/meta/hooks/pre-refresh
+
+    # TODO: This should not fail, but it does. Update the test once the issue of second snap try with a new hook is fixed.
+    echo "Expecting snap try to fail"
+    if snap try basic; then
+        echo "Expected snap try with a new hook to fail"
+        exit 1
+    fi
+
+    snap remove basic
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-apt/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-apt/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-apt/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-apt/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Ensure that the apt output on ubuntu-core is correct
+
 systems: [ubuntu-core-16-*]
+
 execute: |
     expected="Ubuntu Core does not use apt-get, see 'snap --help'!"
     output=$(apt-get update)
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-classic/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-classic/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-classic/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-classic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,15 +1,20 @@
 summary: Ensure classic dimension works correctly
+
 systems: [ubuntu-core-16-*]
+
 environment:
     # We need to set the SUDO_USER here to simulate the real
     # behavior. I.e. when entering classic it happens via
     # `sudo classic` and the user gets a user shell inside
     # the classic environment that has sudo support.
     SUDO_USER: test
+
 prepare: |
     echo "test ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/create-test
+
 restore: |
     rm -f /etc/sudoers.d/create-test
+
 execute: |
     echo "Ensure classic can be installed"
     snap install --devmode --beta classic
@@ -21,7 +26,7 @@
     echo "Ensure that after classic exits no processes are left behind"
     classic "sleep 133713371337&"
     # use "[f]oo" to search for "foo" in ps output without having to filter yourself out
-    if ps afx|grep '[1]33713371337'; then
+    if pgrep -f 133713371337; then
         echo "The sleep process was not killed when classic exited"
         echo "Something is wrong with the cleanup"
         exit 1
@@ -32,7 +37,7 @@
     # tty reports "no tty" inside snaps (LP: #1611493)
     #
     # "script" adds extra \r into the output that we need to filter here
-    if [ "$(classic sudo id -u|tr -d "\r")" != "0" ]; then
+    if [ "$(classic sudo id -u|tr -d '\r')" != "0" ]; then
         echo "sudo inside classic did not work as expected"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-create-user/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-create-user/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-create-user/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-create-user/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Ensure that snap create-user works in ubuntu-core
+
 systems: [ubuntu-core-16-*]
+
 restore: |
     # meh, deluser has no --extrausers support
     sed -i '/^mvo/d' /var/lib/extrausers/passwd
@@ -7,6 +9,7 @@
     sed -i '/^mvo/d' /var/lib/extrausers/group
     rm -rf /home/mvo
     rm -f create.error
+
 execute: |
     if [ "$MANAGED_DEVICE" = "true" ]; then
         if snap create-user --sudoer mvo@ubuntu.com 2>create.error; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-custom-device-reg/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-custom-device-reg/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-custom-device-reg/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-custom-device-reg/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,40 +1,45 @@
 summary: |
    Test that device initialisation and registration can be customized
    with the prepare-device gadget hook
+
 systems: [ubuntu-core-16-64]
+
 prepare: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     systemctl stop snapd.service snapd.socket
     rm -rf /var/lib/snapd/assertions/*
     rm -rf /var/lib/snapd/device
     rm -rf /var/lib/snapd/state.json
-    unsquashfs /var/lib/snapd/snaps/pc_*.snap
+    unsquashfs -no-progress /var/lib/snapd/snaps/pc_*.snap
     mkdir -p squashfs-root/meta/hooks
     cp prepare-device squashfs-root/meta/hooks
-    mksquashfs squashfs-root pc_x1.snap -comp xz -no-fragments
+    mksquashfs squashfs-root pc_x1.snap -comp xz -no-fragments -no-progress
     rm -rf squashfs-root
     cp pc_x1.snap /var/lib/snapd/seed/snaps/
     mv /var/lib/snapd/seed/assertions/model model.bak
     cp /var/lib/snapd/seed/seed.yaml seed.yaml.bak
     python3 ./manip_seed.py /var/lib/snapd/seed/seed.yaml
-    cp $TESTSLIB/assertions/developer1.account /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/developer1.account-key /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/developer1-pc.model /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/testrootorg-store.account-key /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1.account /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1.account-key /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1-pc.model /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/testrootorg-store.account-key /var/lib/snapd/seed/assertions
     # start fake device svc
-    systemd_create_and_start_unit fakedevicesvc "$(which fakedevicesvc) localhost:11029"
+    systemd_create_and_start_unit fakedevicesvc "$(command -v fakedevicesvc) localhost:11029"
     # kick first boot again
     systemctl start snapd.service snapd.socket
+
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     systemctl stop snapd.service snapd.socket
     systemd_stop_and_destroy_unit fakedevicesvc
     rm -rf /var/lib/snapd/assertions/*
@@ -54,11 +59,12 @@
     rm -f /var/lib/snapd/seed/assertions/developer1-pc.model
     rm -f /var/lib/snapd/seed/assertions/testrootorg-store.account-key
     cp model.bak /var/lib/snapd/seed/assertions/model
-    rm -f *.bak
+    rm -f ./*.bak
     # kick first boot again
     systemctl start snapd.service snapd.socket
     # wait for first boot to be done
     while ! snap changes | grep -q "Done.*Initialize system state"; do sleep 1; done
+
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-custom-device-reg-extras/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-custom-device-reg-extras/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-custom-device-reg-extras/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-custom-device-reg-extras/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -2,40 +2,45 @@
    Test that device initialisation and registration can be customized
    with the prepare-device gadget hook and this can set request headers,
    a proposed serial and the body of the serial assertion
+
 systems: [ubuntu-core-16-64]
+
 prepare: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     systemctl stop snapd.service snapd.socket
     rm -rf /var/lib/snapd/assertions/*
     rm -rf /var/lib/snapd/device
     rm -rf /var/lib/snapd/state.json
-    unsquashfs /var/lib/snapd/snaps/pc_*.snap
+    unsquashfs -no-progress /var/lib/snapd/snaps/pc_*.snap
     mkdir -p squashfs-root/meta/hooks
     cp prepare-device squashfs-root/meta/hooks
-    mksquashfs squashfs-root pc_x1.snap -comp xz -no-fragments
+    mksquashfs squashfs-root pc_x1.snap -comp xz -no-fragments -no-progress
     rm -rf squashfs-root
     cp pc_x1.snap /var/lib/snapd/seed/snaps/
     mv /var/lib/snapd/seed/assertions/model model.bak
     cp /var/lib/snapd/seed/seed.yaml seed.yaml.bak
     python3 ./manip_seed.py /var/lib/snapd/seed/seed.yaml
-    cp $TESTSLIB/assertions/developer1.account /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/developer1.account-key /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/developer1-pc.model /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/testrootorg-store.account-key /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1.account /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1.account-key /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1-pc.model /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/testrootorg-store.account-key /var/lib/snapd/seed/assertions
     # start fake device svc
-    systemd_create_and_start_unit fakedevicesvc "$(which fakedevicesvc) localhost:11029"
+    systemd_create_and_start_unit fakedevicesvc "$(command -v fakedevicesvc) localhost:11029"
     # kick first boot again
     systemctl start snapd.service snapd.socket
+
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     systemctl stop snapd.service snapd.socket
     systemd_stop_and_destroy_unit fakedevicesvc
     rm -rf /var/lib/snapd/assertions/*
@@ -55,11 +60,12 @@
     rm -f /var/lib/snapd/seed/assertions/developer1-pc.model
     rm -f /var/lib/snapd/seed/assertions/testrootorg-store.account-key
     cp model.bak /var/lib/snapd/seed/assertions/model
-    rm -f *.bak
+    rm -f ./*.bak
     # kick first boot again
     systemctl start snapd.service snapd.socket
     # wait for first boot to be done
     while ! snap changes | grep -q "Done.*Initialize system state"; do sleep 1; done
+
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-device-reg/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-device-reg/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-device-reg/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-device-reg/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,9 @@
 summary: |
     Ensure after device initialisation registration worked and
     we have a serial and can acquire a session macaroon
+
 systems: [ubuntu-core-16-*]
+
 execute: |
     echo "Wait for first boot to be done"
     while ! snap changes | grep -q "Done.*Initialize system state"; do sleep 1; done
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-fan/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-fan/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-fan/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-fan/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,14 @@
 summary: Test ubuntu-fan
+
 systems: [ubuntu-core-16-*]
+
 prepare: |
     IP=$(ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | cut -d' ' -f1|head -1)
-    fanctl up 241.0.0.0/8 $IP/16
+    fanctl up 241.0.0.0/8 "$IP/16"
+
 restore: |
     fanctl down -e
+
 execute: |
     echo "Test that fanctl exists"
     command -v fanctl
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-gadget-config-defaults/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-gadget-config-defaults/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-gadget-config-defaults/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-gadget-config-defaults/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,19 +1,22 @@
 summary: |
    Test that config defaults specified in the gadget are picked up
    for first boot snaps
+
 systems: [ubuntu-core-16-64]
+
 prepare: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/systemd.sh
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     systemctl stop snapd.service snapd.socket
     rm -rf /var/lib/snapd/assertions/*
     rm -rf /var/lib/snapd/device
     rm -rf /var/lib/snapd/state.json
     snap download --edge test-snapd-with-configure
-    unsquashfs /var/lib/snapd/snaps/pc_*.snap
+    unsquashfs -no-progress /var/lib/snapd/snaps/pc_*.snap
     # fill in defaults
     TEST_SNAP_ID=
     if [ "$SNAPPY_USE_STAGING_STORE" = 1 ]; then
@@ -27,27 +30,38 @@
        ${TEST_SNAP_ID}:
          a: A
          b: B
+       system:
+         service:
+           rsyslog:
+             disable: true
     EOF
-    mksquashfs squashfs-root pc_x1.snap -comp xz -no-fragments
+    mksquashfs squashfs-root pc_x1.snap -comp xz -no-fragments -no-progress
     rm -rf squashfs-root
     cp pc_x1.snap /var/lib/snapd/seed/snaps/
     cp test-snapd-with-configure_*.snap /var/lib/snapd/seed/snaps/
     mv /var/lib/snapd/seed/assertions/model model.bak
     cp /var/lib/snapd/seed/seed.yaml seed.yaml.bak
     python3 ./manip_seed.py /var/lib/snapd/seed/seed.yaml test-snapd-with-configure_*.snap
-    cp $TESTSLIB/assertions/developer1.account /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/developer1.account-key /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/developer1-pc-w-config.model /var/lib/snapd/seed/assertions
-    cp $TESTSLIB/assertions/testrootorg-store.account-key /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1.account /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1.account-key /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/developer1-pc-w-config.model /var/lib/snapd/seed/assertions
+    cp "$TESTSLIB"/assertions/testrootorg-store.account-key /var/lib/snapd/seed/assertions
     cp test-snapd-with-configure_*.assert /var/lib/snapd/seed/assertions
     # kick first boot again
     systemctl start snapd.service snapd.socket
+
 restore: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
         exit
     fi
-    . $TESTSLIB/systemd.sh
+    echo "Undo the rsyslog disable"
+    systemctl unmask rsyslog.service || true
+    systemctl enable rsyslog.service || true
+    systemctl start rsyslog.service || true
+
+    #shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB"/systemd.sh
     systemctl stop snapd.service snapd.socket
     rm -rf /var/lib/snapd/assertions/*
     rm -rf /var/lib/snapd/device
@@ -63,10 +77,10 @@
     rm /var/lib/snapd/seed/snaps/pc_x1.snap
 
     TEST_REVNO=$(awk "/^snap-revision: / {print \$2}" test-snapd-with-configure_*.assert)
-    if systemctl status snap-test-snapd-with-configure-${TEST_REVNO}.mount ; then
-       systemctl stop snap-test-snapd-with-configure-${TEST_REVNO}.mount
-       rm -f /etc/systemd/system/snap-test-snapd-with-configure-${TEST_REVNO}.mount
-       rm -f /etc/systemd/system/multi-user.target.wants/snap-test-snapd-with-configure-${TEST_REVNO}.mount
+    if systemctl status "snap-test-snapd-with-configure-${TEST_REVNO}.mount" ; then
+       systemctl stop "snap-test-snapd-with-configure-${TEST_REVNO}.mount"
+       rm -f "/etc/systemd/system/snap-test-snapd-with-configure-${TEST_REVNO}.mount"
+       rm -f "/etc/systemd/system/multi-user.target.wants/snap-test-snapd-with-configure-${TEST_REVNO}.mount"
        rm -f /var/lib/snapd/snaps/test-snapd-with-configure_*.snap
        systemctl daemon-reload
     fi
@@ -79,11 +93,12 @@
     rm -f /var/lib/snapd/seed/assertions/testrootorg-store.account-key
     rm -f /var/lib/snapd/seed/assertions/test-snapd-with-configure_*.assert
     cp model.bak /var/lib/snapd/seed/assertions/model
-    rm -f *.bak
+    rm -f ./*.bak
     # kick first boot again
     systemctl start snapd.service snapd.socket
     # wait for first boot to be done
     while ! snap changes | grep -q "Done.*Initialize system state"; do sleep 1; done
+
 execute: |
     if [ "$TRUST_TEST_KEYS" = "false" ]; then
         echo "This test needs test keys to be trusted"
@@ -100,3 +115,8 @@
     echo "The configuration defaults from the gadget where applied"
     snap get test-snapd-with-configure a|MATCH "^A$"
     snap get test-snapd-with-configure b|MATCH "^B$"
+
+    echo "The configuration for core is applied"
+    snap get core service.rsyslog.disable|MATCH true
+    echo "And the service is masked"
+    systemctl status rsyslog.service|MATCH masked
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-grub/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-grub/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-grub/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-grub/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,9 +1,12 @@
 summary: Ensure we have no unpacked kernel.img/initrd.img on grub systems
+
 systems: [ubuntu-core-16-64]
+
 environment:
     NAME/initrdimg: initrd.img*
     NAME/kernelimg: kernel.img*
     NAME/vmlinuz: vmlinuz*
+
 execute: |
     output=$(find /boot/grub -name "$NAME" )
     if [ -n "$output" ]; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-network-config/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-network-config/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-network-config/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-network-config/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+summary: Check that `snap set {system,core} network.disable-ipv6` works
+
+systems: [ubuntu-core-*]
+
+environment:
+    snap_nick/system: system
+    snap_nick/core: core
+
+execute: |
+    echo "Ensure we have inet6"
+    ip addr | MATCH inet6
+    
+    echo "Disable ipv6"
+    # shellcheck disable=SC2154
+    snap set "$snap_nick" network.disable-ipv6=true
+    MATCH "net.ipv6.conf.all.disable_ipv6=1" < /etc/sysctl.d/10-snapd-network.conf
+    if ip addr | grep -q inet6; then
+        echo "Disable of ipv6 did not work"
+        ip addr
+        exit 1
+    fi
+
+    echo "Enable ipv6"
+    snap set "$snap_nick" network.disable-ipv6=false
+    ! test -f /etc/sysctl.d/10-snapd-network.conf
+    sysctl net.ipv6.conf.all.disable_ipv6 | MATCH "net.ipv6.conf.all.disable_ipv6 = 0"
+
+    echo "Reset ipv6"
+    snap set "$snap_nick" network.disable-ipv6=""
+    ! test -f /etc/sysctl.d/10-snapd-network.conf 
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-os-release/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-os-release/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-os-release/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-os-release/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: check that os-release is correct
+
 systems: [ubuntu-core-16-*]
+
 execute: |
     MATCH "ID=ubuntu-core" < /etc/os-release
     MATCH "DISTRIB_RELEASE=16" < /etc/lsb-release
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-reboot/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-reboot/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-reboot/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-reboot/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -10,29 +10,30 @@
 priority: 100
 
 prepare: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local test-snapd-tools
-    install_local network-bind-consumer
+    install_local test-snapd-service
 
 execute: |
     echo "Ensure snaps are (still) there."
     snap list | MATCH test-snapd-tools
-    snap list | MATCH network-bind-consumer
+    snap list | MATCH test-snapd-service
 
     echo "Ensure the service is (still) running."
     retries=120
-    while ! systemctl is-active snap.network-bind-consumer.network-consumer.service; do
-        if [ $retries -eq 0 ]; then
+    while ! systemctl is-active snap.test-snapd-service.test-snapd-service.service; do
+        if [ "$retries" -eq 0 ]; then
             echo "Service did not activate."
             exit 1
         fi
-        retries=$(( $retries - 1 ))
+        retries=$(( retries - 1 ))
         sleep 1
     done
 
     echo "Ensure apparmor profiles are (still) loaded."
     for app in success fail echo head env block cat; do
-        MATCH "snap.test-snapd-tools.$app \(enforce\)" < /sys/kernel/security/apparmor/profiles
+        MATCH "snap.test-snapd-tools.$app \\(enforce\\)" < /sys/kernel/security/apparmor/profiles
     done
 
     if [ "$SPREAD_REBOOT" = "0" ]; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-services/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-services/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-services/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-services/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,17 +1,15 @@
 summary: Ensure all services on Core are active
 
-systems: [ubuntu-core-*]
+systems: [ubuntu-core-16-*]
 
 execute: |
     echo "Ensure one-shot services are working"
     for oneshot in snapd.autoimport.service snapd.sshd-keygen.service; do
-        systemctl status $oneshot |MATCH SUCCESS
+        systemctl status "$oneshot" |MATCH SUCCESS
     done
 
     echo "Ensure services are working"
     systemctl status snapd.service |MATCH active
     
     echo "Ensure timers are working"
-    for timer in snapd.snap-repair.timer; do
-        systemctl is-active $timer
-    done
+    systemctl is-active snapd.snap-repair.timer
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-uboot/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-uboot/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-uboot/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-uboot/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Ensure we have unpacked kernel.img/initrd.img on uboot systems
+
 systems: [ubuntu-core-16-arm-*]
+
 environment:
     NAME/initrdimg: initrd.img*
     NAME/kernelimg: kernel.img*
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-upgrade/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-upgrade/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-upgrade/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-upgrade/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -7,13 +7,16 @@
 
 debug: |
     snap list
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
+    #shellcheck disable=SC2119
     bootenv
     cat /proc/cmdline
 
 restore: |
+    systemctl restart snapd
     if [ -f curChg ] ; then
-        snap abort $(cat curChg) || true
+        snap abort "$(cat curChg)" || true
     fi
     rm -f prevBoot nextBoot curChg
 
@@ -22,12 +25,13 @@
     snap install test-snapd-tools
 
 execute: |
-    . $TESTSLIB/boot.sh
+    #shellcheck source=tests/lib/boot.sh
+    . "$TESTSLIB"/boot.sh
 
     # FIXME Why it starting with snap_mode=try the first time?
     # Perhaps because core is installed after seeding? Do we
     # want that on pristine images?
-    if [ $SPREAD_REBOOT != 0 ]; then
+    if [ "$SPREAD_REBOOT" != 0 ]; then
         echo "Waiting for snapd to clean snap_mode"
         while [ "$(bootenv snap_mode)" != "" ]; do
             sleep 1
@@ -43,11 +47,11 @@
 
     # wait for ongoing change if there is one
     if [ -f curChg ] ; then
-       snap watch $(cat curChg)
+       snap watch "$(cat curChg)"
        rm -f curChg
     fi
 
-    case $SPREAD_REBOOT in
+    case "$SPREAD_REBOOT" in
 
     0) cmd="snap install --dangerous /var/lib/snapd/snaps/core_$(cat prevBoot).snap" ;;
     1) cmd="snap revert core" ;;
@@ -58,19 +62,20 @@
     esac
 
     # start the op and get the change id
-    chg_id=$(eval ${cmd} --no-wait)
+    #shellcheck disable=SC2086
+    chg_id="$(eval ${cmd} --no-wait)"
 
     # save change id to wait later or abort
-    echo ${chg_id} >curChg
+    echo "${chg_id}" >curChg
 
     # wait for the link task to be done
-    while ! snap change ${chg_id}|grep -q "^Done.*Make snap.*available to the system" ; do sleep 1 ; done
+    while ! journalctl -b -u snapd|grep -q "Waiting for system reboot" ; do sleep 1 ; done
 
     echo "Ensure the test snap still runs"
     test-snapd-tools.echo hello | MATCH hello
 
     echo "Ensure the bootloader is correct before reboot"
-    snap list | awk "/^core / {print(\$3)}" > nextBoot
+    readlink /snap/core/current > nextBoot
     test "$(cat prevBoot)" != "$(cat nextBoot)"
     test "$(bootenv snap_try_core)" = "core_$(cat nextBoot).snap"
     test "$(bootenv snap_mode)" = "try"
@@ -83,7 +88,7 @@
         /org/freedesktop/login1 \
         org.freedesktop.DBus.Properties.Get \
         string:org.freedesktop.login1.Manager string:ScheduledShutdown)
-    if ! echo $output | MATCH 'string "reboot"'; then
+    if ! echo "$output" | MATCH 'string "reboot"'; then
         echo "Failed to detect scheduled reboot in logind output"
         exit 1
     fi
diff -Nru snapd-2.32.3.2~14.04/tests/main/ubuntu-core-writablepaths/task.yaml snapd-2.37~rc1~14.04/tests/main/ubuntu-core-writablepaths/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/ubuntu-core-writablepaths/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/ubuntu-core-writablepaths/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,14 +1,17 @@
 summary: Ensure that the writable paths on the image are correct
+
 systems: [ubuntu-core-16-*]
+
 execute: |
     echo "Ensure everything in writable-paths is actually writable"
+    #shellcheck disable=SC2002
     cat /etc/system-image/writable-paths | while read -r line; do
-        line=$(echo $line | sed -e '/\s*#.*$/d')
+        line=$(echo "$line" | sed -e '/\s*#.*$/d')
         if [ -z "$line" ]; then
             continue;
         fi
         # a writable-path may be either a file or a directory
-        dir_or_file=$(echo $line|cut -f1 -d' ')
+        dir_or_file=$(echo "$line"|cut -f1 -d' ')
         if [ ! -e "$dir_or_file" ]; then
             echo "$dir_or_file" >> missing
         elif [ -f "$dir_or_file" ]; then
@@ -18,7 +21,7 @@
         elif ! touch "$dir_or_file"/random-name-that-I-made-up; then
             echo "$dir_or_file" >> broken
         fi
-        rm -f $dir_or_file/random-name-that-I-made-up
+        rm -f "$dir_or_file"/random-name-that-I-made-up
     done
 
     if [ -s "broken" ]; then
diff -Nru snapd-2.32.3.2~14.04/tests/main/unhandled-task/task.yaml snapd-2.37~rc1~14.04/tests/main/unhandled-task/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/unhandled-task/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/unhandled-task/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -22,7 +22,7 @@
     systemctl start snapd.{service,socket}
 
     echo "Ensure that unknown task was ignored"
-    for i in $(seq 10); do
+    for _ in $(seq 10); do
         snap changes|MATCH ".*80999.*Done" && break
         sleep 1
     done 
diff -Nru snapd-2.32.3.2~14.04/tests/main/user-mounts/task.yaml snapd-2.37~rc1~14.04/tests/main/user-mounts/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/user-mounts/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/user-mounts/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,53 @@
+summary: smoke tests for user mounts
+
+details: |
+    When a confined snap has a user-fstab file, additional bind mounts will
+    be performed prior to running the application.  These mounts are private
+    to the invocation of the application, so can be used to manipulate how
+    per-user data is presented.
+
+# This test makes use of the user mount provided by the desktop
+# interface.  When we have an interface providing user mounts that is
+# available on core, we can switch to that.
+systems: [-ubuntu-core-*]
+
+prepare: |
+    snap try "$TESTSLIB"/snaps/test-snapd-desktop
+    snap disconnect test-snapd-desktop:desktop
+
+restore: |
+    rm -rf /run/user/12345/*
+    rm -f /tmp/check-user-mount.sh
+
+execute: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+
+    echo "Create XDG_RUNTIME_DIR for test user"
+    USER_RUNTIME_DIR=/run/user/"$(id -u test)"
+    mkdir -p "$USER_RUNTIME_DIR" || true
+    #shellcheck disable=SC2115
+    rm -rf "$USER_RUNTIME_DIR"/*
+    chmod u=rwX,go= "$USER_RUNTIME_DIR"
+    chown test:test "$USER_RUNTIME_DIR"
+
+    echo "Without desktop interface connected, there is no user-fstab file"
+    [ ! -f /var/lib/snapd/mount/snap.test-snapd-desktop.user-fstab ]
+
+    echo "With desktop interface connected, it is created"
+    snap connect test-snapd-desktop:desktop
+    [ -f /var/lib/snapd/mount/snap.test-snapd-desktop.user-fstab ]
+    diff -u /var/lib/snapd/mount/snap.test-snapd-desktop.user-fstab - << \EOF
+    $XDG_RUNTIME_DIR/doc/by-app/snap.test-snapd-desktop $XDG_RUNTIME_DIR/doc none bind,rw,x-snapd.ignore-missing 0 0
+    EOF
+
+    "$LIBEXECDIR"/snapd/snap-discard-ns test-snapd-sh
+
+    echo "The user-fstab file is used to prepare the confinement sandbox"
+    cat << \EOF > /tmp/check-user-mount.sh
+    mkdir -p /run/user/12345/doc/by-app/snap.test-snapd-desktop
+    touch /run/user/12345/doc/by-app/snap.test-snapd-desktop/in-source
+    touch /run/user/12345/doc/in-target
+    test-snapd-desktop.check-dirs /run/user/12345/doc
+    EOF
+    su -l -c "sh /tmp/check-user-mount.sh" test | MATCH in-source
diff -Nru snapd-2.32.3.2~14.04/tests/main/validate-container-failures/task.yaml snapd-2.37~rc1~14.04/tests/main/validate-container-failures/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/validate-container-failures/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/validate-container-failures/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -15,16 +15,18 @@
     chmod 0644 "$p/meta/hooks/what"
 
 execute: |
+    # shellcheck source=tests/lib/journalctl.sh
+    . "$TESTSLIB/journalctl.sh"
+
     echo "Snap refuses to install"
-    snap try $TESTSLIB/snaps/$SNAP 2>error.log && exit 1 || true
+    ! snap try "$TESTSLIB/snaps/$SNAP" 2>error.log
     echo "The error tells you to ask the dev"
-    tr -s "\n " " " < error.log | MATCH 'contact developer'
+    tr -s '\n ' ' ' < error.log | MATCH 'contact developer'
 
     echo "And the journal counts the ways"
-    journalctl -u snapd > journal.log
-    MATCH '"comp.sh" should be world-readable' < journal.log
-    MATCH '"bin/bar" should be executable' < journal.log
-    MATCH '"bin/foo" should be world-readable and executable' < journal.log
-    MATCH '"meta/unreadable" should be world-readable' < journal.log
-    MATCH '"meta/hooks/what" should be executable' < journal.log
-    MATCH '"bin/stahp" does not exist' < journal.log
+    check_journalctl_log '"comp.sh" should be world-readable' -u snapd
+    check_journalctl_log '"bin/bar" should be executable' -u snapd
+    check_journalctl_log '"bin/foo" should be world-readable and executable' -u snapd
+    check_journalctl_log '"meta/unreadable" should be world-readable' -u snapd
+    check_journalctl_log '"meta/hooks/what" should be executable' -u snapd
+    check_journalctl_log '"bin/stahp" does not exist' -u snapd
diff -Nru snapd-2.32.3.2~14.04/tests/main/whoami/task.yaml snapd-2.37~rc1~14.04/tests/main/whoami/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/whoami/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/whoami/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,7 @@
 summary: Checks for snap whoami
 
 # ppc64el disabled because of https://bugs.launchpad.net/snappy/+bug/1655594
-systems: [-ubuntu-core-16-*, -ubuntu-*-ppc64el]
+systems: [-ubuntu-core-*, -ubuntu-*-ppc64el]
 
 restore: |
     snap logout || true
@@ -11,7 +11,7 @@
     snap whoami | MATCH "email: -"
 
     if [ -n "$SPREAD_STORE_USER" ] && [ -n "$SPREAD_STORE_PASSWORD" ]; then
-        expect -d -f $TESTSLIB/successful_login.exp
+        expect -d -f "$TESTSLIB"/successful_login.exp
 
         echo "whoami after login"
         # use -F because the email can contain regexp metachars
diff -Nru snapd-2.32.3.2~14.04/tests/main/writable-areas/task.yaml snapd-2.37~rc1~14.04/tests/main/writable-areas/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/writable-areas/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/writable-areas/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -7,7 +7,7 @@
     SNAP_REEXEC/reexec1: 1
 
 prepare: |
-    snap pack $TESTSLIB/snaps/data-writer
+    snap pack "$TESTSLIB"/snaps/data-writer
 
 restore: |
     rm -f data-writer_1.0_all.snap
diff -Nru snapd-2.32.3.2~14.04/tests/main/xauth-migration/task.yaml snapd-2.37~rc1~14.04/tests/main/xauth-migration/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/xauth-migration/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/xauth-migration/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,6 @@
 summary: Check file XAUTHORITY env variable points to is migrated into the snap environment
-description: |
+
+details: |
     The XAUTHORITY environment variable points to a file which is located
     in HOME, /run or /tmp depending on the distribution and desktop being
     used. If the file ends up in /tmp then it wont be visible inside the
@@ -25,25 +26,27 @@
     EOF
         env_path="$(cat /var/snap/test-snapd-tools/common/xauth-content)"
         test "$env_path" = "$2" || exit 1
-        test "$(sh256sum $env_path)" = "$(sh256sum $1)"
+        test "$(sh256sum "$env_path")" = "$(sh256sum "$1")"
         unset XAUTHORITY
     }
 
     mock_xauthority() {
         # Generate valid Xauthority file which `snap run` will accept
-        rm -f $1; touch $1
+        rm -f "$1"; touch "$1"
         for ((c=0; c<=$2; c++))
         do
-            # Family
-            echo -n -e \\x01\\x00 >> $1
-            # Address
-            echo -n -e \\x00\\x04\\x73\\x6e\\x61\\x70 >> $1
-            # Number
-            echo -n -e \\x00\\x01\\xff >> $1
-            # Name
-            echo -n -e \\x00\\x05\\x73\\x6e\\x61\\x70\\x64 >> $1
-            # Data
-            echo -n -e \\x00\\x01\\xff >> $1
+            {
+                # Family
+                echo -n -e \\x01\\x00
+                # Address
+                echo -n -e \\x00\\x04\\x73\\x6e\\x61\\x70
+                # Number
+                echo -n -e \\x00\\x01\\xff
+                # Name
+                echo -n -e \\x00\\x05\\x73\\x6e\\x61\\x70\\x64
+                # Data
+                echo -n -e \\x00\\x01\\xff
+            } >> "$1"
         done
     }
 
diff -Nru snapd-2.32.3.2~14.04/tests/main/xdg-open/task.yaml snapd-2.37~rc1~14.04/tests/main/xdg-open/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/xdg-open/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/xdg-open/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,25 +1,33 @@
 summary: Ensure snap userd allows opening a URL via xdg-open
 
-systems:
-    # Not supposed to work on Ubuntu Core systems as we don't have
-    # a user session environment there
-    - -ubuntu-core-*
+# Not supposed to work on Ubuntu Core systems as we don't have
+# a user session environment there
+systems: [-ubuntu-core-*]
 
 environment:
     DISPLAY: :0
 
 restore: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
     rm -f dbus.env
     umount -f /usr/bin/xdg-open || true
+    rm /usr/bin/xdg-open
+    if [ -e /usr/bin/xdg-open.orig ]; then
+        mv /usr/bin/xdg-open.orig /usr/bin/xdg-open
+    fi
 
 execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     dbus-launch > dbus.env
-    export $(cat dbus.env | xargs)
+    #shellcheck disable=SC2046
+    export $(xargs < dbus.env)
 
     # wait for session to be ready
     ping_launcher() {
@@ -41,21 +49,25 @@
     echo "$@" > /tmp/xdg-open-output
     EOF
     chmod +x /tmp/xdg-open
+    if [ -e /usr/bin/xdg-open ]; then
+        mv /usr/bin/xdg-open /usr/bin/xdg-open.orig
+    fi
     touch /usr/bin/xdg-open
     mount --bind /tmp/xdg-open /usr/bin/xdg-open
 
     ensure_xdg_open_output() {
         rm -f /tmp/xdg-open-output
         export DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS
-        $SNAP_MOUNT_DIR/core/current/usr/bin/xdg-open $1
+        chroot $SNAP_MOUNT_DIR/core/current /usr/bin/xdg-open "$1"
         test -e /tmp/xdg-open-output
-        test "$(cat /tmp/xdg-open-output)" = $1
+        test "$(cat /tmp/xdg-open-output)" = "$1"
     }
 
     # Ensure http, https and mailto work
     ensure_xdg_open_output "https://snapcraft.io"
     ensure_xdg_open_output "http://snapcraft.io"
     ensure_xdg_open_output "mailto:talk@snapcraft.io"
+    ensure_xdg_open_output "snap://snapcraft"
 
     # Ensure other schemes are not passed through
     rm /tmp/xdg-open-output
diff -Nru snapd-2.32.3.2~14.04/tests/main/xdg-open-compat/task.yaml snapd-2.37~rc1~14.04/tests/main/xdg-open-compat/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/xdg-open-compat/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/xdg-open-compat/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,6 @@
 summary: Ensure the xdg-open still works in compatibility mode
 
-description: |
+details: |
     The core snap has a xdg-open binary that sends both to the
     new io.snapcraft.Launcher and the old com.canonical.SafeLauncher
     dbus session bus. This test ensures the compatibility with
@@ -16,16 +16,20 @@
     XDG_OPEN_OUTPUT: /tmp/xdg-open-output
 
 restore: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
     rm -f /usr/bin/xdg-open
-    rm -f $XDG_OPEN_OUTPUT
+    rm -f "$XDG_OPEN_OUTPUT"
     dpkg -r snapd-xdg-open
     rm -f /usr/share/applications/defaults.list
     rm -f /usr/share/applications/xdg-open.desktop
 
 execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
 
     # download from LP, it is not available in the archive anymore
@@ -52,6 +56,7 @@
     EOF
     
     echo "Launch user dbus session"
+    #shellcheck disable=SC2046
     export $(dbus-launch)
 
     echo "Ensure snapd-xdg-open is available"
@@ -76,18 +81,18 @@
     chmod +x /usr/bin/xdg-open
 
     ensure_xdg_open_output() {
-        rm -f $XDG_OPEN_OUTPUT
+        rm -f "$XDG_OPEN_OUTPUT"
         export DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS
         $SNAP_MOUNT_DIR/core/current/usr/bin/xdg-open "$1"
         # xdg-open is async so we need to give it a little bit of time
-        for i in $(seq 10); do
-            if [ -e $XDG_OPEN_OUTPUT ]; then
+        for _ in $(seq 10); do
+            if [ -e "$XDG_OPEN_OUTPUT" ]; then
                 break
             fi
             sleep .5
         done
-        test -e $XDG_OPEN_OUTPUT
-        test "$(cat $XDG_OPEN_OUTPUT)" = "$1"
+        test -e "$XDG_OPEN_OUTPUT"
+        test "$(cat "$XDG_OPEN_OUTPUT")" = "$1"
     }
 
     # Ensure http, https and mailto work
@@ -96,8 +101,8 @@
     ensure_xdg_open_output "mailto:talk@snapcraft.io"
 
     # Ensure other schemes are not passed through
-    rm $XDG_OPEN_OUTPUT
+    rm "$XDG_OPEN_OUTPUT"
     ! $SNAP_MOUNT_DIR/core/current/usr/bin/xdg-open ftp://snapcraft.io
-    test ! -e $XDG_OPEN_OUTPUT
+    test ! -e "$XDG_OPEN_OUTPUT"
     ! $SNAP_MOUNT_DIR/core/current/usr/bin/xdg-open aabbcc
-    test ! -e $XDG_OPEN_OUTPUT
+    test ! -e "$XDG_OPEN_OUTPUT"
diff -Nru snapd-2.32.3.2~14.04/tests/main/xdg-settings/task.yaml snapd-2.37~rc1~14.04/tests/main/xdg-settings/task.yaml
--- snapd-2.32.3.2~14.04/tests/main/xdg-settings/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/main/xdg-settings/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,30 +1,35 @@
 summary: Ensure snap userd allows settings via xdg-settings
 
-systems:
-    # Not supposed to work on Ubuntu Core systems as we don't have
-    # a user session environment there
-    - -ubuntu-core-*
+# Not supposed to work on Ubuntu Core systems as we don't have
+# a user session environment there
+systems: [-ubuntu-core-*]
 
 environment:
     DISPLAY: :0
 
 restore: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
     rm -f dbus.env
     umount -f /usr/bin/xdg-settings || true
     umount -f /usr/bin/zenity || true
 
 execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
 
     install_local test-snapd-xdg-settings
 
     # setup dbus
     dbus-launch > dbus.env
-    export $(cat dbus.env | xargs)
+    #shellcheck disable=SC2046
+    export $(xargs < dbus.env)
 
     # wait for session to be ready
     ping_settings() {
diff -Nru snapd-2.32.3.2~14.04/tests/nested/core-revert/task.yaml snapd-2.37~rc1~14.04/tests/nested/core-revert/task.yaml
--- snapd-2.32.3.2~14.04/tests/nested/core-revert/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/nested/core-revert/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,14 +1,16 @@
 summary: core revert test
 
-systems: [ubuntu-16.04-64]
+kill-timeout: 30m
 
 prepare: |
+    #shellcheck source=tests/lib/nested.sh
     . "$TESTSLIB/nested.sh"
     create_nested_core_vm
 
 restore: |
+    #shellcheck source=tests/lib/nested.sh
     . "$TESTSLIB/nested.sh"
-    destroy_nested_core_vm
+    destroy_nested_vm
 
 debug: |
     systemctl stop nested-vm || true
@@ -27,15 +29,13 @@
         kpartx -ds /tmp/work-dir/ubuntu-core.img
     fi
 
-kill-timeout: 40m
-
 execute: |
+    #shellcheck source=tests/lib/nested.sh
     . "$TESTSLIB/nested.sh"
 
+    #shellcheck disable=SC2164
     cd "$SPREAD_PATH"
     execute_remote "sudo snap install network-manager"
-    execute_remote "sudo snap install bluez"
-    execute_remote "sudo bluez.bluetoothctl -a"
     execute_remote "snap aliases" | MATCH "nmcli"
 
     # configure network-manager to take over the connection control on next reboot
@@ -45,14 +45,19 @@
     execute_remote "snap info core" | MATCH "tracking: +${CORE_CHANNEL}"
     execute_remote "sudo snap refresh --${CORE_REFRESH_CHANNEL} core" || true
 
-    wait_for_ssh
+    if ! wait_for_ssh; then
+        echo "ssh not stablished, exiting..."
+        exit 1
+    fi
 
-    while ! execute_remote "snap changes" | MATCH "Done.*Refresh \"core\" snap from \"${CORE_REFRESH_CHANNEL}\" channel"; do sleep 1 ; done
+    while ! execute_remote "snap changes" | MATCH "Done.*Refresh \"core\" snap from \"${CORE_REFRESH_CHANNEL}\" channel"; do
+        sleep 1
+    done
     execute_remote "snap info core" | MATCH "tracking: +${CORE_REFRESH_CHANNEL}"
     # make sure network-manager is on charge of eth0
     execute_remote "nmcli c" | MATCH eth0
     execute_remote "nmcli d" | MATCH "eth0 +ethernet +connected"
-    execute_remote "sudo bluez.bluetoothctl -a"
+
     # sanity check, no refresh should be done here but the command shouldn't fail
     execute_remote "sudo snap refresh"
 
@@ -60,14 +65,16 @@
 
     execute_remote "sudo snap revert core" || true
 
-    wait_for_ssh
+    if ! wait_for_ssh; then
+        echo "ssh not stablished, exiting..."
+        exit 1
+    fi
 
     while ! execute_remote "snap changes" | MATCH "Done.*Revert \"core\" snap"; do sleep 1 ; done
     execute_remote "snap aliases" | MATCH "nmcli"
     execute_remote "snap info core" | MATCH "tracking: +${CORE_REFRESH_CHANNEL}"
     execute_remote "ifconfig" | MATCH eth0
-    execute_remote "sudo bluez.bluetoothctl -a"
-    # this currently fails, refresh from the old version conflicts with aliases
-    # execute_remote "sudo snap refresh"
 
+
+    execute_remote "sudo snap refresh"
     execute_remote "sudo cat /var/log/syslog" | MATCH -v "hsearch_r failed for.* No such process"
diff -Nru snapd-2.32.3.2~14.04/tests/nested/extra-snaps-assertions/task.yaml snapd-2.37~rc1~14.04/tests/nested/extra-snaps-assertions/task.yaml
--- snapd-2.32.3.2~14.04/tests/nested/extra-snaps-assertions/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/nested/extra-snaps-assertions/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,61 +1,25 @@
 summary: create ubuntu-core image and execute the suite in a nested qemu instance
 
-systems: [ubuntu-16.04-64, ubuntu-16.04-32]
-
 prepare: |
-    # FIXME: until https://github.com/snapcore/snapd/pull/3263 is available from
-    # the archive we need to build snapd from branch so that it can be used by
-    # ubuntu-image
-
-    # first, remove snapd, in the prepare stage of the nested suite ubuntu-image is installed,
-    # before building snapd from the branch we check that the core is not present
-    apt remove -y --purge snapd
-
-    . "$TESTSLIB/prepare.sh"
-    prepare_classic
-    prepare_each_classic
-
-    snap install --classic --beta ubuntu-image
-
-    # determine arch related vars
-    case "$NESTED_ARCH" in
-    amd64)
-        QEMU="$(which qemu-system-x86_64)"
-        ;;
-    i386)
-        QEMU="$(which qemu-system-i386)"
-        ;;
-    *)
-        echo "unsupported architecture"
-        exit 1
-        ;;
-    esac
-
-    # create ubuntu-core image
-    mkdir -p /tmp/work-dir
-
+    # download core and save it as extra snap
+    mkdir -p extra-snaps
     snap download core
+    mv core_*.snap extra-snaps/
 
-    /snap/bin/ubuntu-image --image-size 3G "$TESTSLIB/assertions/nested-${NESTED_ARCH}.model" --channel "$CORE_CHANNEL" --output ubuntu-core.img --extra-snaps core_*.snap
-    mv ubuntu-core.img /tmp/work-dir
-
+    #shellcheck source=tests/lib/nested.sh
     . "$TESTSLIB/nested.sh"
-    create_assertions_disk
-
-    . "$TESTSLIB/systemd.sh"
-    systemd_create_and_start_unit nested-vm "${QEMU} -m 1024 -nographic -net nic,model=virtio -net user,hostfwd=tcp::8022-:22 -drive file=/tmp/work-dir/ubuntu-core.img,if=virtio,cache=none -drive file=${PWD}/assertions.disk,if=virtio,cache=none"
+    create_nested_core_vm
 
 restore: |
-    . "$TESTSLIB/systemd.sh"
-    systemd_stop_and_destroy_unit nested-vm
-    rm -rf /tmp/work-dir
+    rm -rf extra-snaps
 
-execute: |
+    #shellcheck source=tests/lib/nested.sh
     . "$TESTSLIB/nested.sh"
-    wait_for_ssh
-    prepare_ssh
+    destroy_nested_vm
 
-    cd "$SPREAD_PATH"
+execute: |
+    #shellcheck source=tests/lib/nested.sh
+    . "$TESTSLIB/nested.sh"
 
     echo "Wait for first boot to be done"
     while ! execute_remote "snap changes" | MATCH "Done.*Initialize system state"; do sleep 1; done
@@ -64,4 +28,4 @@
     execute_remote "snap known model" | MATCH "series: 16"
 
     echo "Make sure core has an actual revision"
-    execute_remote "snap list" | MATCH "^core +[0-9]+\-[0-9.]+ +[0-9]+ +canonical +"
+    execute_remote "snap list --unicode=never" | MATCH "^core +[0-9]+\\-[0-9.]+ +[0-9]+ +$CORE_CHANNEL +canonical\\* +core"
diff -Nru snapd-2.32.3.2~14.04/tests/nested/hot-plug/task.yaml snapd-2.37~rc1~14.04/tests/nested/hot-plug/task.yaml
--- snapd-2.32.3.2~14.04/tests/nested/hot-plug/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/nested/hot-plug/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,63 @@
+summary: create ubuntu classic image, install snapd and test hot plug feature
+
+prepare: |
+    "$TESTSLIB"/prepare-restore.sh --prepare-suite
+    "$TESTSLIB"/prepare-restore.sh --prepare-suite-each
+
+    #shellcheck source=tests/lib/nested.sh
+    . "$TESTSLIB/nested.sh"
+    create_nested_classic_vm
+    copy_remote "${GOHOME}"/snapd_*.deb
+    execute_remote "sudo apt update"
+    execute_remote "sudo apt install -y ./snapd_*.deb"
+    #shellcheck disable=SC2016
+    execute_remote 'sudo apt install -y linux-image-extra-$(uname -r) || sudo apt install -y linux-modules-extra-$(uname -r)'
+
+restore: |
+    #shellcheck source=tests/lib/nested.sh
+    . "$TESTSLIB/nested.sh"
+    destroy_nested_vm
+
+    "$TESTSLIB"/prepare-restore.sh --restore-suite-each
+    "$TESTSLIB"/prepare-restore.sh --restore-suite
+
+    #shellcheck source=tests/lib/pkgdb.sh
+    . "$TESTSLIB/pkgdb.sh"
+    distro_install_package snapd
+
+execute: |
+    #shellcheck source=tests/lib/nested.sh
+    . "$TESTSLIB/nested.sh"
+
+    if execute_remote "udevadm info -e" | MATCH "ID_MODEL=QEMU_USB_SERIAL"; then
+        echo "Usb serial already registered, exiting..."
+        exit 1
+    fi
+
+    add_tty_chardev my-chardev /dev/tty5
+    add_usb_serial_device my-usb-serial my-chardev
+
+    for _ in $(seq 5); do
+        if execute_remote "udevadm info -e" | MATCH "ID_MODEL=QEMU_USB_SERIAL"; then
+            break
+        fi
+        sleep 1
+    done
+    execute_remote "udevadm info -e" | MATCH "ID_MODEL=QEMU_USB_SERIAL"
+    execute_remote "ls /dev/tty*" | MATCH "ttyUSB0"
+
+    del_device my-usb-serial
+    remove_chardev my-chardev
+
+    for _ in $(seq 5); do
+        if execute_remote "udevadm info -e" | MATCH "ID_MODEL=QEMU_USB_SERIAL"; then
+            sleep 1
+        else
+            break
+        fi
+    done
+
+    if execute_remote "udevadm info -e" | MATCH "ID_MODEL=QEMU_USB_SERIAL"; then
+        echo "Usb serial should not be registered anymore, exiting..."
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/nested/image-build/task.yaml snapd-2.37~rc1~14.04/tests/nested/image-build/task.yaml
--- snapd-2.32.3.2~14.04/tests/nested/image-build/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/nested/image-build/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -3,12 +3,14 @@
 systems: [ubuntu-16.04-64]
 
 prepare: |
+    #shellcheck source=tests/lib/nested.sh
     . "$TESTSLIB/nested.sh"
     create_nested_core_vm
 
 restore: |
+    #shellcheck source=tests/lib/nested.sh
     . "$TESTSLIB/nested.sh"
-    destroy_nested_core_vm
+    destroy_nested_vm
 
 execute: |
     cd "$SPREAD_PATH"
diff -Nru snapd-2.32.3.2~14.04/tests/nightly/docker/task.yaml snapd-2.37~rc1~14.04/tests/nightly/docker/task.yaml
--- snapd-2.32.3.2~14.04/tests/nightly/docker/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/nightly/docker/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: Check that the docker snap works
+
 systems: [ubuntu-16.04-*, ubuntu-core-16-*, ubuntu-14.04-64]
 
 prepare: |
diff -Nru snapd-2.32.3.2~14.04/tests/nightly/unity/task.yaml snapd-2.37~rc1~14.04/tests/nightly/unity/task.yaml
--- snapd-2.32.3.2~14.04/tests/nightly/unity/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/nightly/unity/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -9,7 +9,9 @@
     # the file /etc/init/tty1.conf is present in the default images, upstart
     # (which is installed as a dependency of the required packages) ships it
     # and doesn't install cleanly if that file is in place
-    mv /etc/init/tty1.conf /etc/init/tty1.conf.back
+    if [ -f /etc/init/tty1.conf ]; then
+        mv /etc/init/tty1.conf /etc/init/tty1.conf.back
+    fi
 
     apt install -y --no-install-recommends unity
 
@@ -17,15 +19,19 @@
     systemctl stop unity-app
     apt autoremove -y --purge unity
 
-    mv /etc/init/tty1.conf.back /etc/init/tty1.conf
+    if [ -f /etc/init/tty1.conf.back ]; then
+        mv /etc/init/tty1.conf.back /etc/init/tty1.conf
+    fi
 
 execute: |
     echo "Given a unity snap is installed"
     snap install ubuntu-clock-app
 
     echo "When the app is started"
-    systemd-run --unit unity-app --setenv=DISPLAY="$DISPLAY" --uid "$(id -u test)" "$(which xvfb-run)" --server-args="$DISPLAY -screen 0 1200x960x24 -ac +extension RANDR" "$(which ubuntu-clock-app.clock)"
+    systemd-run --unit unity-app --setenv=DISPLAY="$DISPLAY" --uid "$(id -u test)" "$(command -v xvfb-run)" --server-args="$DISPLAY -screen 0 1200x960x24 -ac +extension RANDR" "$(command -v ubuntu-clock-app.clock)"
 
     echo "Then the app window is created"
-    expected=".*?\"qmlscene: clockMainView\": \(\"qmlscene\" \"com\.ubuntu\.clock\"\)"
-    while ! xwininfo -tree -root | grep -Pq "$expected"; do sleep 1; done
+    expected='.*?\"qmlscene: clockMainView\": \(\"qmlscene\" \"com\.ubuntu\.clock\"\)'
+    while ! xwininfo -tree -root | grep -Pq "$expected"; do
+        sleep 1;
+    done
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1595444/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1595444/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1595444/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1595444/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -4,21 +4,23 @@
     This task checks the behavior of snap-confine when it is started from
     a directory that doesn't exist in the execution environment (chroot).
 
-systems:
-    # This test only applies to classic systems
-    - -ubuntu-core-16-*
-    # No confinement (AppArmor, Seccomp) available on these systems
-    - -debian-*
-    - -fedora-*
-    - -opensuse-*
+#ubuntu-core: this test only applies to classic systems
+#debian, fedora, opensuse, arch, amazon-linux-2, centos: just available for systems with confinement (AppArmor, Seccomp)
+systems: [-ubuntu-core-*, -debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
 
 prepare: |
     echo "Having installed the test snap"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local test-snapd-tools
     echo "Hanving created a directory not present in the core snap"
     mkdir -p "/foo"
 
+restore: |
+    rm -f -d /foo
+    # NOTE: the snap is blocked by apparmor from reading /var/lib/snapd/void
+    dmesg -c
+
 execute: |
     echo "We can go to a location that is available in all snaps (/tmp)"
     echo "We can run the 'pwd' tool and it reports /tmp"
@@ -28,8 +30,3 @@
     [ "$(cd /foo && test-snapd-tools.cmd pwd)" = "/var/lib/snapd/void" ]
     echo "And that directory is not readable or writable"
     [ "$(cd /foo && test-snapd-tools.cmd ls 2>&1)" = "ls: cannot open directory '.': Permission denied" ];
-
-restore: |
-    rm -f -d /foo
-    # NOTE: the snap is blocked by apparmor from reading /var/lib/snapd/void
-    dmesg -c
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1597839/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1597839/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1597839/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1597839/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,18 @@
 summary: Regression check for https://bugs.launchpad.net/snap-confine/+bug/1597839
+
 # This test only applies to classic systems
-systems: [-ubuntu-core-16-*, -fedora-*]
+systems: [-ubuntu-core-*, -fedora-*, -arch-*]
+
 details: |
     The snappy execution environment should contain the /lib/modules directory
     from the host filesystem when running on a classic distribution
+
 prepare: |
     echo "Having installed the test snap"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local test-snapd-tools
+
 execute: |
     echo "We can ensure that the /lib/modules/$(uname -r) directory exists"
     test-snapd-tools.cmd test -d "/lib/modules/$(uname -r)"
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1597842/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1597842/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1597842/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1597842/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,16 @@
 summary: Regression test for https://bugs.launchpad.net/snap-confine/+bug/1597842
+
 details: |
     The snap execution environment is expected to contain the /usr/src
     directory from the classic distribution. Certain snaps may use that to
     access kernel sources.
+
 # This test only applies to classic systems
-systems: [-ubuntu-core-16-*, -fedora-*]
+systems: [-ubuntu-core-*, -fedora-*, -arch-*]
+
 prepare: |
     echo "Having installed the test snap"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     # NOTE: devmode is required because there's no interface for reading /usr/src/.canary
     install_local_devmode test-snapd-tools
@@ -14,9 +18,11 @@
     mv /usr/src /usr/src.orig || true
     mkdir -p /usr/src
     echo canary > /usr/src/.canary
+
 execute: |
     echo "The canary file in /usr/src can be read"
     [ "$(test-snapd-tools.cmd cat /usr/src/.canary)" = "canary" ]
+
 restore: |
     rm -f /usr/src/.canary
     rm -f -d /usr/src
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1599891/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1599891/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1599891/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1599891/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,11 @@
 summary: Regression check for https://bugs.launchpad.net/snap-confine/+bug/1599891
-systems:
-    # No confinement (AppArmor, Seccomp) available on these systems
-    - -debian-*
-    - -fedora-*
-    - -opensuse-*
+
+# No confinement (AppArmor, Seccomp) available on these systems
+systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
 execute: |
     snap_confine=/usr/lib/snapd/snap-confine
     echo "Seeing that snap-confine is in $snap_confine"
 
     echo "I also see a corresponding apparmor profile"
-    MATCH "$snap_confine \(enforce\)" < /sys/kernel/security/apparmor/profiles
+    MATCH "$snap_confine \\(enforce\\)" < /sys/kernel/security/apparmor/profiles
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1606277/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1606277/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1606277/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1606277/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,17 @@
 summary: Regression check for https://bugs.launchpad.net/snap-confine/+bug/1606277 
+
 details: |
     A missing bind mount for /var/log prevents access to system log files
     even if the log-observe interface is being used.
+
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     echo "Having installed a test snap"
     install_local log-observe-consumer
     echo "And having connected the log-observe interface"
     snap connect log-observe-consumer:log-observe :log-observe
+
 execute: |
     echo "We can now see a non-empty /var/log directory"
     [ "$(log-observe-consumer.cmd ls /var/log | wc -l)" != 0 ]
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1607796/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1607796/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1607796/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1607796/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,12 +1,16 @@
 summary: Check that /root is bind mounted to the real /root
+
 prepare: |
     echo "Having installed a test snap in devmode"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local_devmode test-snapd-tools
     echo "Having added a canary file in /root"
     echo "test" > /root/canary
+
 execute: |
     echo "We can see the canary file in /root"
     [ "$(test-snapd-tools.cmd cat /root/canary)" = "test" ]
+
 restore: |
     rm -f /root/canary
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1613845/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1613845/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1613845/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1613845/task.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-summary: Check that /var/lib/lxd is bind mounted to the real thing if one exists
-details: |
-    After switching to the chroot-based snap-confine the LXD snap stopped
-    working (even in devmode) because it relied on access to /var/lib/lxd from
-    the host filesystem. While this would never work in an all-snap image it is
-    still important to ensure that it works in classic devmode environment.
-# This test only applies to classic systems
-systems: [-ubuntu-core-16-*, -fedora-*]
-prepare: |
-    echo "Having installed the test snap in devmode"
-    . "$TESTSLIB/snaps.sh"
-    install_local_devmode test-snapd-tools
-    echo "Having created a canary file in /var/lib/lxd"
-    mkdir -p /var/lib/lxd
-    echo "test" > /var/lib/lxd/canary
-execute: |
-    echo "We can see the canary file in /var/lib/lxd"
-    [ "$(test-snapd-tools.cmd cat /var/lib/lxd/canary)" = "test" ]
-restore: |
-    rm -f /var/lib/lxd/canary
-    # When the host already has LXD installed we cannot just remove this
-    rmdir /var/lib/lxd || :
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1615113/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1615113/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1615113/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1615113/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,11 +1,14 @@
 summary: Check that entire snap can be shared with the content interface
+
 prepare: |
     echo "Having installed a pair of snaps that share content"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local test-snapd-content-slot
     install_local test-snapd-content-plug
     echo "We can connect them together"
     snap connect test-snapd-content-plug:shared-content-plug test-snapd-content-slot:shared-content-slot
+
 execute: |
     echo "We can now see that the content is shared"
     test-snapd-content-plug.content-plug | grep "Some shared content"
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1618683/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1618683/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1618683/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1618683/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,13 +1,31 @@
-summary: Check that user namespace can be unshared within snap apps 
+summary: Check that user namespace can be unshared within snap apps
+
 details: |
     Snap-confine used to "leak" the root filesystem directory across the
     pivot_root call. This caused checks in the kernel to fail and resulted in
     the inability to create user namespaces from sufficiently privileged or
     devmode snaps.
+
 prepare: |
     echo "Having installed a test snap in devmode"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local_devmode test-snapd-tools
+
+    if [[ "$SPREAD_SYSTEM" == centos-* ]]; then
+        # RHEL/Centos 7.4+ set this to 0 by default
+        # see: https://access.redhat.com/solutions/3188102
+        cat /proc/sys/user/max_user_namespaces > old_max_user_ns
+        echo 1500 > /proc/sys/user/max_user_namespaces
+    fi
+
+restore: |
+    if [[ "$SPREAD_SYSTEM" == centos-* ]]; then
+        # RHEL/Centos 7.4+ set this to 0 by default
+        cat old_max_user_ns > /proc/sys/user/max_user_namespaces
+        rm -f old_max_user_ns
+    fi
+
 execute: |
     echo "We can run unshare -U as a regular user and expect it to work"
     test-snapd-tools.cmd unshare -U true
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1630479/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1630479/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1630479/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1630479/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,19 +1,25 @@
 summary: Regression check for https://bugs.launchpad.net/snap-confine/+bug/1630479
+
 details: |
     The PATH environment variable needs to make sense for the layout of the
     core snap. Snap-confine contains code that sets it accordingly but during
     the introduction of the namespace sharing feature that code would run only
     when the namespace was initially constructed. Subsequent calls would not
     see the correct path. 
+
 prepare: |
     echo "Having installed a test snap"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local_devmode test-snapd-tools
+
 execute: |
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
     echo "We can observe the value of PATH twice"
-    revision=$(readlink "$SNAP_MOUNT_DIR/test-snapd-tools/current")
+    #shellcheck disable=SC2016
     one="$(test-snapd-tools.cmd sh -c 'echo $PATH')"
+    #shellcheck disable=SC2016
     two="$(test-snapd-tools.cmd sh -c 'echo $PATH')"
     echo "We can see that PATH is stable across calls"
     [ "$one" = "$two" ]
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1641885/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1641885/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1641885/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1641885/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,19 +1,20 @@
 summary: snaps installed with --jailmode are not in devmode
-systems:
-    # No confinement (AppArmor, Seccomp) available on these systems
-    - -debian-*
-    - -fedora-*
-    - -opensuse-*
+
+# No confinement (AppArmor, Seccomp) available on these systems
+systems: [-debian-*, -fedora-*, -opensuse-*, -arch-*, -amazon-*, -centos-*]
+
 details: |
     Users found that a snap that uses "confinement: devmode", even when
     installed with "snap install --jailmode" is effectively in devmode (the
     apparmor profile is in complain mode) even if "snap list" reports it as
     "jailmode".
     This has been reported as https://bugs.launchpad.net/snappy/+bug/1641885
+
 prepare: |
     snap pack "$TESTSLIB/snaps/test-snapd-devmode"
     echo "Install a test snap that uses 'confinement: devmode' in jailmode"
     snap install --jailmode --dangerous ./test-snapd-devmode_1.0_all.snap
+
 execute: |
     echo "Ensure that the snap is installed in jailmode"
     snap list | MATCH 'test-snapd-devmode.*jailmode'
@@ -21,8 +22,10 @@
     grep attach_disconnected /var/lib/snapd/apparmor/profiles/snap.test-snapd-devmode.test-snapd-devmode | MATCH -v complain
     echo "Ensure that the seccomp profile doesn't use the complain mode"
     MATCH -v '@complain' < /var/lib/snapd/seccomp/bpf/snap.test-snapd-devmode.test-snapd-devmode.src
+
 restore: |
     rm -f ./test-snapd-devmode_1.0_all.snap
+
 debug: |
     echo "Apparmor profile (first 30 lines)"
     head -n 30 /var/lib/snapd/apparmor/profiles/snap.test-snapd-devmode.test-snapd-devmode || true
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1644439/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1644439/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1644439/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1644439/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,5 @@
 summary: Regression test for https://bugs.launchpad.net/snap-confine/+bug/1644439
-manual: true  # see https://github.com/snapcore/snapd/pull/3076
+
 details: |
     snap-confine uses privately-shared /run/snapd/ns to store bind-mounted
     mount namespaces of each snap. In the case that snap-confine is invoked
@@ -10,10 +10,19 @@
     another namespace in which the /run/snapd/ns directory is visible.
     The most obvious candidate is pid one, which definitely doesn't run in a
     snap-specific namespace, has a predictable PID and is long lived.
+
+manual: true  # see https://github.com/snapcore/snapd/pull/3076
+
 prepare: |
     echo "Having installed the test snap in devmode"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local_devmode test-snapd-tools
+
+debug: |
+    # Kernel version is an important input in understing failures of this test
+    uname -a
+
 execute: |
     # This test is meaningful only on Ubuntu for now as this is where we have
     # the complete apparmor patch-set.
@@ -35,6 +44,7 @@
         echo "This test is not supported on kernels older than 4.4.0-67"
         exit 0
     fi
+    #shellcheck source=tests/lib/dirs.sh
     . "$TESTSLIB/dirs.sh"
     echo "We can now run a snap command from the namespace of a snap command and see it work"
     test-snapd-tools.cmd /bin/true
@@ -43,6 +53,3 @@
     /usr/lib/snapd/snap-discard-ns test-snapd-tools
     su -l -c 'test-snapd-tools.cmd /bin/true' test
     su -l -c "test-snapd-tools.cmd /bin/sh -c \"SNAP_CONFINE_DEBUG=yes $SNAP_MOUNT_DIR/bin/test-snapd-tools.cmd /bin/true\"" test
-debug: |
-    # Kernel version is an important input in understing failures of this test
-    uname -a
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1665004/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1665004/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1665004/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1665004/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,15 +1,19 @@
 summary: ensure that /var/lib/snapd/hostfs is group-owned by root
+
 details: |
     On a system that never ran any snap before the /var/lib/snapd/hostfs
     directory does not exist. When snap-confine is used it will create the
     directory on demand but that directory will retain the group identity of
     the user.
+
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local test-snapd-tools
     if [ -d /var/lib/snapd/hostfs ]; then
         rmdir /var/lib/snapd/hostfs;
     fi
+
 execute: |
     test-snapd-tools.cmd true
     [ "$(stat -c '%g' /var/lib/snapd/hostfs)" -eq 0 ]
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1667385/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1667385/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1667385/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1667385/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,17 +1,23 @@
 summary: Regression check for https://bugs.launchpad.net/snappy/+bug/1667385
-systems: [ubuntu-*]
+
 details: |
   When disabling and then enabling a snap, the flags saved in state
   (e.g. from when the user installed it) should be preserved.
+
+# run on ubuntu-{14,16,18,20+} and ubuntu-core-16-*
+systems: [ubuntu-1*, ubuntu-2*, ubuntu-3*, ubuntu-core-16-*]
+
 environment:
   FLAG/jailmode: jailmode
   FLAG/devmode: devmode
   SNAP: test-snapd-devmode
+
 prepare: |
   snap install --edge "--$FLAG" "$SNAP"
+
 execute: |
   # sanity check
-  snap list $SNAP | MATCH "$FLAG$"
+  snap list "$SNAP" | MATCH "$FLAG$"
   snap disable "$SNAP"
   snap enable "$SNAP"
   snap list "$SNAP" | MATCH "$FLAG$"
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1693042/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1693042/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1693042/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1693042/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,14 +1,18 @@
 summary: Regression check for https://bugs.launchpad.net/snapd/+bug/1693042
+
 details: |
   When attempting to refresh to a bogus channel, detect it and fail.
+
 execute: |
+  # shellcheck source=tests/lib/names.sh
+  . "$TESTSLIB/names.sh"
   # sanity check
-  snap list core
+  snap list "$core_name"
 
-  out=$(! snap refresh core --channel bogus 2>&1 1>- )
-  revno=$( snap info core | awk '/^installed:/{print $3}' )
+  out=$(! snap refresh "$core_name" --channel bogus 2>&1 1>- )
+  revno=$( snap info "$core_name" | awk '/^installed:/{print $3}' )
   if [[ "$revno" =~ x[0-9]+ ]]; then
-      MATCH 'error: local snap "core" is unknown to the store' <<< "$out"
+      MATCH "error: local snap \"$core_name\" is unknown to the store" <<< "$out"
   else
-      MATCH not.found <<< "$out"
+      MATCH not.available <<< "$out"
   fi
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1704860/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1704860/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1704860/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1704860/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,5 +1,7 @@
 summary: Work-in-progress on reproducing lp:1704860
+
 systems: [ubuntu-16.04-64]
+
 details: |
     In this bug, an app belonging go a snap using classic confinement confuses
     the re-execution system in a way that causes distribution version of
@@ -15,8 +17,10 @@
     --shell.  Since neither snap-confine nor snap-exec re-execute themselves
     (instead they rely on snap run to run the right tool in the first place)
     this is safe to do.
+
 execute: |
-    . $TESTSLIB/snaps.sh
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
     install_local_classic test-snapd-classic-confinement
     # We don't want to see SNAP_DID_REEXEC being set.
     if snap run --shell test-snapd-classic-confinement ./snap-env-query.sh | grep 'SNAP_DID_REEXEC='; then
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1721518/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1721518/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1721518/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1721518/task.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,26 +0,0 @@
-summary: Check that interfaces are listed after reboot the machine
-
-# do not run on autopkgtest, we need to reboot here and ADT does
-# not support our reboot logic
-backends: [-autopkgtest]
-
-details: |
-    This test checks if the interfaces are listed after the machine
-    is rebooted. The test is also checking the interfaces after a 
-    snap is installed and removed.
-
-debug: |
-    snap list
-
-execute: |
-    CONNECTED_PATTERN=":core-support +core:core-support-plug"
-
-    # install test-snapd-tools and reboot
-    if [ "$SPREAD_REBOOT" = 0 ]; then
-        snap install test-snapd-tools
-        snap interfaces | MATCH "$CONNECTED_PATTERN"
-        REBOOT
-    fi
-
-    # Check interfaces are shown after install a snap and reboot
-    snap interfaces | MATCH "$CONNECTED_PATTERN"
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1732555/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1732555/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1732555/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1732555/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,10 +1,14 @@
 summary: installing a snap with unknown plugs and slots is harmless
-details: >
+
+details: |
     Users have painfully found that a version of snapd crashed when a snap
     contained unknown interfaces in either plugs or slots.
+
 prepare: |
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
     install_local_devmode test-snapd-unknown-interfaces
+
 execute: |
     echo "Snapd did not die on us"
     snap version
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1764977/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1764977/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1764977/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1764977/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,30 @@
+summary: Broken snap doesn't break "snap list" and other operations
+
+details: |
+    Snap can enter the "broken" state when its meta/snap.yaml cannot be found.
+    Typically this means the snap is unmounted or that "snap try"-mode snap was
+    moved on disk and the symlink in /var/lib/snapd/snaps/ is no longer
+    working.
+
+    Broken snaps should not affect snapd operations though, as that forms a
+    denial-of-service attack and may keep machines from refreshing core.
+
+    Note that this test is subtly different from
+    tests/main/try-snap-goes-away. In our case the meta/snap.yaml file is
+    still present and can be read. In the other case it is removed when the
+    snap is removed (individual files are unlinked and disappear from the
+    bind-mounted view of the mounted snap).
+
+execute: |
+    cp -a  "$TESTSLIB"/snaps/test-snapd-sh .
+    snap try test-snapd-sh
+
+    snap list | MATCH test-snapd-sh
+    mv test-snapd-sh/meta/snap.yaml test-snapd-sh/meta/snap.yaml.moved
+    snap list # should not break
+    snap list test-snapd-sh | MATCH broken
+
+    mv test-snapd-sh/meta/snap.yaml.moved test-snapd-sh/meta/snap.yaml
+    snap list # should still just work
+    snap list test-snapd-sh | MATCH -v broken
+
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1797556/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1797556/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1797556/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1797556/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,28 @@
+summary: snaps cannot write to ~/bin
+details: |
+    On some distributions the ~/bin directory is in the default PATH for the
+    user. To avoid hijacking commands and allow sandbox escape, writing to this
+    directory is denied.
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+    su -l -c 'mkdir -p /home/test/bin/' test
+    su -l -c 'mkdir -p /home/test/snap/test-snapd-sh/common/' test
+    su -l -c 'touch /home/test/snap/test-snapd-sh/common/evil-2' test
+    sysctl -w kernel.printk_ratelimit=0
+restore: |
+    su -l -c 'rmdir /home/test/bin/ || true' test
+    sysctl -w kernel.printk_ratelimit=5
+execute: |
+    test -d /home/test/bin
+    test ! -e /home/test/bin/evil-1
+    test ! -e /home/test/bin/evil-2
+    if [ "$(snap debug confinement)" = "strict" ]; then
+        ! su -l -c 'test-snapd-sh.with-home-plug -c "touch /home/test/bin/evil-1"' test 2>&1 | MATCH '.* Permission denied'
+        dmesg | grep 'apparmor="DENIED" operation="mknod".* name="/home/test/bin/evil-1"'
+        ! su -l -c 'test-snapd-sh.with-home-plug -c "ln /home/test/snap/test-snapd-sh/common/evil-2 /home/test/bin/evil-2"' test 2>&1 | MATCH '.* Permission denied'
+        dmesg | grep 'apparmor="DENIED" operation="link".* name="/home/test/bin/evil-2"'
+    fi
+    test ! -e /home/test/bin/evil-1
+    test ! -e /home/test/bin/evil-2
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1800004/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1800004/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1800004/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1800004/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,11 @@
+summary: Check that snap try can be used for snaps in /tmp 
+
+prepare: |
+    cp -a "$TESTSLIB"/snaps/test-snapd-sh /tmp
+
+restore: |
+    rm -rf /tmp/test-snapd-sh
+
+execute: |
+    ( cd /tmp && snap try test-snapd-sh )
+    test-snapd-sh -c /bin/true
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1801955/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1801955/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1801955/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1801955/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,13 @@
+summary: Check that snapshot works with unknown users in /home/*/snap
+
+prepare: |
+    snap install test-snapd-tools
+    ! grep :9999: /etc/passwd
+    mkdir -pv /home/potato/snap/
+    chown -vR 9999:9999 /home/potato
+
+restore: |
+    rm -rv /home/potato
+
+execute: |
+    snap save test-snapd-tools
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1802581/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1802581/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1802581/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1802581/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,57 @@
+summary: Regression test for LP 1802581
+
+description: |
+    When using the snapd GPIO interface the slot side needs to export the GPIO
+    pint so that a file appears under /sys/class/gpio/gpioNNN. That file is a
+    symbolic link to a special, platform specific device path. The symbolic
+    link needs to be evaluated so that apparmor rules for the plug side can be
+    constructed.
+
+    A customer has reported that when a snap is disabled and then re-enabled
+    the GPIO pin is not exported and apparmor backend cannot setup security
+    of the snap being enabled.
+
+    A similar issue has occurred once in the past where the order in which
+    security backends operated was not deterministic. We fixed the issue by
+    applying a fixed order so that the systemd backend, responsible for
+    exporting the pin, would always run before the apparmor backend, which
+    could now rely on the pin being exposed to userspace.
+
+systems: [ubuntu-core-16-64]
+
+prepare: |
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    echo "Create/enable fake gpio"
+    systemd_create_and_start_persistent_unit fake-gpio "$TESTSLIB/fakegpio/fake-gpio.py"  '[Unit]\nBefore=snap.core.interface.gpio-100.service\n[Service]\nType=notify'
+
+restore: |
+    # shellcheck source=tests/lib/systemd.sh
+    . "$TESTSLIB/systemd.sh"
+    system_stop_and_remove_persistent_unit fake-gpio
+    # for good measure, fake-gpio.py does this umount already on exit
+    umount /sys/class/gpio || true
+
+debug: |
+    journalctl -u fake-gpio.service
+
+execute: |
+    echo "Install a snap that uses the gpio consumer"
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB"/snaps.sh
+    install_local gpio-consumer
+
+    echo "And connect the gpio pin"
+    snap connect gpio-consumer:gpio :gpio-pin
+    snap interfaces | MATCH ":gpio-pin.*gpio-consumer:gpio"
+
+    # LP-1802581
+    echo "Now disable and enable the snap to ensure lp: #1802581 is fixed"
+    snap disable gpio-consumer
+    snap enable gpio-consumer
+
+    echo "Check that the connection is still here after enable"
+    snap interfaces | MATCH ":gpio-pin.*gpio-consumer:gpio"
+
+    echo "Ensure that our mock service is full functional"
+    systemctl status fake-gpio.service | MATCH "Active: active"
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1803535/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1803535/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1803535/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1803535/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,8 @@
+summary: regression test for https://bugs.launchpad.net/snapd/+bug/1803535
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-lp-1803535
+execute: |
+    # If we can construct the layout and execute /bin/true we are fine.
+    test-snapd-lp-1803535.sh -c /bin/true
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1803542/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1803542/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1803542/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1803542/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,53 @@
+summary: Regression test for https://bugs.launchpad.net/snapd/+bug/1803542
+environment:
+    VARIANT/absent: absent
+    VARIANT/present: present
+    VARIANT/shared: shared
+    VARIANT/private: private
+prepare: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB/dirs.sh"
+    # Ensure that every snap namespace is discarded.
+    for name in $(snap list | awk '!/Name/ {print $1}'); do
+        "$LIBEXECDIR"/snapd/snap-discard-ns "$name"
+    done
+    if findmnt --noheadings /run/snapd/ns >/dev/null; then
+        umount /run/snapd/ns
+    fi
+    ! findmnt --noheadings /run/snapd/ns
+debug: |
+    cat /proc/self/mountinfo
+execute: |
+    case "$VARIANT" in
+       absent)
+            test -d /run/snapd/ns && rmdir /run/snapd/ns
+            ;;
+       present)
+            mkdir -p /run/snapd/ns
+            ;;
+       shared)
+            mkdir -p /run/snapd/ns
+            mount --bind /run/snapd/ns /run/snapd/ns
+            mount --make-shared /run/snapd/ns
+            # verify mount tags to ensure the mount point has shared propagation (format shared:<nnnn>)
+            test "$(grep '/snapd/ns /run/snapd/ns' < /proc/self/mountinfo | awk '{print $7}' | cut -d : -f 1)" = shared
+            ;;
+        private)
+            mkdir -p /run/snapd/ns
+            mount --bind /run/snapd/ns /run/snapd/ns
+            mount --make-private /run/snapd/ns
+            # verify mount tags to ensure the mount point has private propagation (no mount tags set)
+            test "$(grep '/snapd/ns /run/snapd/ns' < /proc/self/mountinfo | awk '{print $7}')" = -
+            ;;
+        *)
+            echo "unknown variant: $VARIANT"
+            exit 1
+            ;;
+    esac
+    # We can run snap-confine and it will do the right thing.
+    test-snapd-sh -c /bin/true
+    # verify that no mount tags are set, private propagation does not set any
+    test "$(grep '/snapd/ns /run/snapd/ns' < /proc/self/mountinfo | awk '{print $7}')" = -
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1805485/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1805485/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1805485/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1805485/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,15 @@
+summary: apparmor backend is not used on openSUSE Leap 42.3
+details: |
+    AppArmor on openSUSE Leap 43.2 is too old to parse the snap-confine
+    apparmor profile.  Because of "relaxed" error handling snapd was enabling
+    apparmor backend even though it resulted in constant problems with setting
+    up security for the core snap. With this bug fixed the old version of
+    apparmor_parser makes snapd disable the relevant security backend. 
+systems: [ubuntu-*, opensuse-*, arch-linux-*]
+execute: |
+    if [[ "$SPREAD_SYSTEM" == opensuse-42.3* ]]; then
+        # openSUSE 43.2 has AppArmor parser in version too old to parse snap-confine profile
+        snap debug sandbox-features | MATCH -v "^apparmor:"
+    else
+        snap debug sandbox-features | MATCH "^apparmor:"
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/regression/lp-1805838/task.yaml snapd-2.37~rc1~14.04/tests/regression/lp-1805838/task.yaml
--- snapd-2.32.3.2~14.04/tests/regression/lp-1805838/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/regression/lp-1805838/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,26 @@
+summary: system key is not written if security setup fails
+details: |
+    When snapd is started up and the system key needs regeneration errors from
+    establishing the new security profiles should not stop snapd from running
+    but should prevent snapd from writing the system key.
+prepare: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+    mount --bind /bin/false "$LIBEXECDIR/snapd/snap-seccomp"
+    test -d "$SNAP_MOUNT_DIR/core" && mount --bind /bin/false "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-seccomp"
+    test -d "$SNAP_MOUNT_DIR/snapd" && mount --bind /bin/false "$SNAP_MOUNT_DIR/snapd/current/usr/lib/snapd/snap-seccomp"
+    mv /var/lib/snapd/system-key /var/lib/snapd/system-key.orig
+    echo '{}' > /var/lib/snapd/system-key
+restore: |
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB"/dirs.sh
+    umount "$LIBEXECDIR/snapd/snap-seccomp" || true
+    test -d "$SNAP_MOUNT_DIR/core" && ( umount "$SNAP_MOUNT_DIR/core/current/usr/lib/snapd/snap-seccomp" || true )
+    test -d "$SNAP_MOUNT_DIR/snapd" && ( umount "$SNAP_MOUNT_DIR/snapd/current/usr/lib/snapd/snap-seccomp" || true )
+    mv /var/lib/snapd/system-key.orig /var/lib/snapd/system-key || true
+execute: |
+    systemctl stop snapd.socket snapd.service
+    systemctl start snapd.socket snapd.service
+    journalctl -u snapd | MATCH 'cannot regenerate seccomp profile for snap "(core|snapd|test-snapd-rsync-core18)"'
+    snap list | MATCH "(core|snapd)"
+    test ! -e /var/lib/snapd/system-key
diff -Nru snapd-2.32.3.2~14.04/tests/smoke/find-info/task.yaml snapd-2.37~rc1~14.04/tests/smoke/find-info/task.yaml
--- snapd-2.32.3.2~14.04/tests/smoke/find-info/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/smoke/find-info/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,9 @@
+summary: Check that find works correctly
+
+execute: |
+  echo "Ensure 'snap find' works"
+  snap find test-snapd-tools | MATCH ^test-snapd-tools
+
+  echo "Ensure we can see useful info for it"
+  snap info test-snapd-tools | MATCH '^name:\ +test-snapd-tools'
+  
diff -Nru snapd-2.32.3.2~14.04/tests/smoke/install/task.yaml snapd-2.37~rc1~14.04/tests/smoke/install/task.yaml
--- snapd-2.32.3.2~14.04/tests/smoke/install/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/smoke/install/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,20 @@
+summary: Check that installing and running a snap works
+
+execute: |
+    echo "Ensure install from the store works"
+    snap install test-snapd-tools
+
+    echo "Ensure that the snap can be run"
+    test-snapd-tools.echo hello > stdout.log 2> stderr.log
+    MATCH "^hello$" < stdout.log
+    if [ -s stderr.log ]; then
+        echo "stderr.log must be empty but it is not:"
+        cat stderr.log
+        exit 1
+    fi
+
+    echo "Ensure the snap is listed"
+    snap list | grep ^test-snapd-tools
+
+    echo "Ensure a change was generated for the install"
+    snap changes | MATCH 'Install "test-snapd-tools" snap'
diff -Nru snapd-2.32.3.2~14.04/tests/smoke/remove/task.yaml snapd-2.37~rc1~14.04/tests/smoke/remove/task.yaml
--- snapd-2.32.3.2~14.04/tests/smoke/remove/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/smoke/remove/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,20 @@
+summary: Check that install/remove works
+
+execute: |
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-tools
+
+    #shellcheck source=tests/lib/dirs.sh
+    . "$TESTSLIB/dirs.sh"
+    test -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+
+    echo "Ensure remove works"
+    snap remove test-snapd-tools
+    test ! -d "$SNAP_MOUNT_DIR/test-snapd-tools"
+
+    if snap list | grep -E ^test-snapd-tools; then
+        echo "test-snapd-tools should be removed but it is not"
+        snap list
+        exit 1
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/smoke/sandbox/task.yaml snapd-2.37~rc1~14.04/tests/smoke/sandbox/task.yaml
--- snapd-2.32.3.2~14.04/tests/smoke/sandbox/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/smoke/sandbox/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,74 @@
+summary: Sandboxing of the snaps works
+
+restore: |
+    rm -f /home/test/foo
+
+execute: |
+    if [ "$(snap debug confinement)" != "strict" ]; then
+        if [[ "$SPREAD_SYSTEM" == ubuntu-* ]]; then
+            echo "all ubuntu systems must have strict confinement"
+            exit 1
+        fi
+        echo "SKIP: no sandboxing"
+        exit 0
+    fi
+
+    #shellcheck source=tests/lib/snaps.sh
+    . "$TESTSLIB/snaps.sh"
+    install_local test-snapd-sh
+
+    # home is not auto-connected on core
+    if grep -q ID=ubuntu-core /etc/os-release; then
+        snap connect test-snapd-sh:home
+    fi
+
+    ############## APPARMOR
+    echo "Ensure the apparmor sandbox for snaps works for root"
+    for p in "/root/foo" "/home/foo" "/home/test/foo"; do
+        # no writing
+        ! test-snapd-sh -c "touch $p" 2>stderr.log
+        MATCH <stderr.log 'touch: .* Permission denied'
+
+        # no reading
+        touch "$p"
+        ! test-snapd-sh -c "cat $p" 2>stderr.log
+        MATCH <stderr.log 'cat: .* Permission denied'
+        rm -f "$p"
+    done
+
+    echo "Ensure the apparmor sandbox for snaps works for users"
+    ! su -l -c 'test-snapd-sh -c "touch /home/test/foo"' test 2>stderr.log
+    MATCH <stderr.log '.* Permission denied'
+
+    echo "But with the right plug the user can put files into home"
+    su -l -c  'test-snapd-sh.with-home-plug -c "echo good >/home/test/foo"' test
+    test -e /home/test/foo
+    echo "and also read them back"
+    su -l -c  'test-snapd-sh.with-home-plug -c "cat /home/test/foo"' test | MATCH good
+
+
+    ############## SECCOMP
+    echo "Ensure seccomp sandbox works"
+    cat >sec.py <<'EOF'
+    #!/usr/bin/python3
+    from ctypes import c_long, CDLL, get_errno
+    from ctypes.util import find_library
+    import errno, sys
+    if __name__ == "__main__":
+        libc_name = find_library("c")
+        libc = CDLL(libc_name, use_errno=True)
+        retval = libc.syscall(c_long(int(sys.argv[1])), c_long(0), c_long(0), c_long(0), c_long(0), c_long(0))
+        if retval < 0:
+            print(errno.errorcode[get_errno()])
+    EOF
+    echo "Running random syscall gives ENOSYS normally"
+    python3 sec.py 22082007 | MATCH ENOSYS
+    echo "But in the sandbox we get a EPERM"
+    test-snapd-sh.with-home-plug -c "python3 $(pwd)/sec.py 22082007" | MATCH EPERM
+
+    if [ "$(uname -p)" = "x86_64" ]; then
+        echo "Ensure secondary arch works for amd64 with i386 binaries"
+        snap install --edge test-snapd-hello-multi-arch
+        # this will fail if the seccomp seconardy arch handling is broken
+        test-snapd-hello-multi-arch.hello-i386 | MATCH Hello
+    fi
diff -Nru snapd-2.32.3.2~14.04/tests/snapd-state.md snapd-2.37~rc1~14.04/tests/snapd-state.md
--- snapd-2.32.3.2~14.04/tests/snapd-state.md	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/snapd-state.md	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,5 @@
+# The snapd state
+
+Snapd state is saved during the project prepare and it is restored when any test is prepared to make sure the initial state is the same for all the tests executed on the snapd test suite. 
+
+The snapd state is dropped in this "tests/" directory and restored from there. For classic systems the snapd state is saved in a single file "$SPREAD_PATH/tests/snapd-state.tar" and for all-snaps systems it is saved in a "$SPREAD_PATH/tests/snapd-state" directory which is done to get better performance on boards.
diff -Nru snapd-2.32.3.2~14.04/tests/unit/c-unit-tests-clang/task.yaml snapd-2.37~rc1~14.04/tests/unit/c-unit-tests-clang/task.yaml
--- snapd-2.32.3.2~14.04/tests/unit/c-unit-tests-clang/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/unit/c-unit-tests-clang/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: Build the test suite for C code using clang and run it
+
 prepare: |
     # Sanity check, the core snap is installed
     snap info core | MATCH "installed:"
@@ -7,16 +8,7 @@
     # Remove any autogarbage from sent by developer
     rm -rf "$SPREAD_PATH/cmd/"{autom4te.cache,configure,test-driver,config.status,config.guess,config.sub,config.h.in,compile,install-sh,depcomp,build,missing,aclocal.m4,Makefile,Makefile.in}
     make -C "$SPREAD_PATH/cmd" distclean || true
-    # install clang
-    . "$TESTSLIB/pkgdb.sh"
-    distro_install_package clang
-execute: |
-    cd "$SPREAD_PATH/cmd/"
-    build_dir="$SPREAD_PATH/cmd/autogarbage"
-    BUILD_DIR=$build_dir CC=clang ./autogen.sh
-    cd $build_dir
-    # Build and run unit tests
-    make check
+
 restore: |
     # Remove autogarbage leftover from testing
     rm -rf "$SPREAD_PATH/cmd/"{autom4te.cache,configure,test-driver,config.status,config.guess,config.sub,config.h.in,compile,install-sh,depcomp,build,missing,aclocal.m4,Makefile,Makefile.in}
@@ -25,6 +17,15 @@
     # Remove any installed packages
     dpkg --set-selections < pkg-list
     rm -f pkg-list
+
 debug: |
     # Show the test suite failure log if there's one
     cat "$SPREAD_PATH/cmd/autogarbage/test-suite.log" || true
+
+execute: |
+    cd "$SPREAD_PATH/cmd/"
+    build_dir="$SPREAD_PATH/cmd/autogarbage"
+    BUILD_DIR=$build_dir CC=clang ./autogen.sh
+    cd "$build_dir"
+    # Build and run unit tests
+    make check
diff -Nru snapd-2.32.3.2~14.04/tests/unit/c-unit-tests-gcc/task.yaml snapd-2.37~rc1~14.04/tests/unit/c-unit-tests-gcc/task.yaml
--- snapd-2.32.3.2~14.04/tests/unit/c-unit-tests-gcc/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/unit/c-unit-tests-gcc/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,4 +1,5 @@
 summary: Build the test suite for C code using gcc and run it
+
 prepare: |
     # Sanity check, the core snap is installed
     snap info core | MATCH "installed:"
@@ -7,13 +8,7 @@
     # Remove any autogarbage from sent by developer
     rm -rf "$SPREAD_PATH/cmd/"{autom4te.cache,configure,test-driver,config.status,config.guess,config.sub,config.h.in,compile,install-sh,depcomp,build,missing,aclocal.m4,Makefile,Makefile.in}
     make -C "$SPREAD_PATH/cmd" distclean || true
-execute: |
-    cd "$SPREAD_PATH/cmd/"
-    build_dir="$SPREAD_PATH/cmd/autogarbage"
-    BUILD_DIR=$build_dir ./autogen.sh
-    cd $build_dir
-    # Build and run unit tests
-    make check
+
 restore: |
     # Remove autogarbage leftover from testing
     rm -rf "$SPREAD_PATH/cmd/"{autom4te.cache,configure,test-driver,config.status,config.guess,config.sub,config.h.in,compile,install-sh,depcomp,build,missing,aclocal.m4,Makefile,Makefile.in}
@@ -22,6 +17,15 @@
     # Remove any installed packages
     dpkg --set-selections < pkg-list
     rm -f pkg-list
+
 debug: |
     # Show the test suite failure log if there's one
     cat "$SPREAD_PATH/cmd/autogarbage/test-suite.log" || true
+
+execute: |
+    cd "$SPREAD_PATH/cmd/"
+    build_dir="$SPREAD_PATH/cmd/autogarbage"
+    BUILD_DIR=$build_dir ./autogen.sh
+    cd "$build_dir"
+    # Build and run unit tests
+    make check
diff -Nru snapd-2.32.3.2~14.04/tests/unit/gccgo/task.yaml snapd-2.37~rc1~14.04/tests/unit/gccgo/task.yaml
--- snapd-2.32.3.2~14.04/tests/unit/gccgo/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/unit/gccgo/task.yaml	1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-summary: Check that snapd builds with gccgo
-
-# Only check that gccgo is vaguely happy once.
-systems: [ubuntu-16.04-64]
-
-# Start before anything else as it takes a long time.
-priority: 1000
-
-prepare: |
-    echo Installing gccgo-6 and pretending it is the default go
-    ln -s /usr/bin/go-6 /usr/local/bin/go
-restore: |
-    rm -f /usr/local/bin/go
-execute: |
-    echo Ensure we really build with gccgo
-    go version|MATCH gccgo
-    echo Build the deb with gccgo and run the tests as part of the build
-    su - -c "cd $GOHOME/src/github.com/snapcore/snapd && dpkg-buildpackage -tc -Zgzip" test
-
-# Tests run during package build take a while.
-warn-timeout: 8m
-kill-timeout: 20m
diff -Nru snapd-2.32.3.2~14.04/tests/unit/spread-shellcheck/can-fail snapd-2.37~rc1~14.04/tests/unit/spread-shellcheck/can-fail
--- snapd-2.32.3.2~14.04/tests/unit/spread-shellcheck/can-fail	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/unit/spread-shellcheck/can-fail	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1 @@
+
diff -Nru snapd-2.32.3.2~14.04/tests/unit/spread-shellcheck/task.yaml snapd-2.37~rc1~14.04/tests/unit/spread-shellcheck/task.yaml
--- snapd-2.32.3.2~14.04/tests/unit/spread-shellcheck/task.yaml	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/unit/spread-shellcheck/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,15 @@
+summary: Verify spread task scripts with shellcheck
+
+# need a recent shellcheck version
+systems: [ubuntu-18.04-64]
+
+prepare: |
+    # need to install shellcheck in devmode, the tests are run by 'root', the
+    # source code is under /home/gopath, all file accesses to the source code
+    # will end up getting DENIED even though shellcheck uses home interface
+    snap install --edge --devmode shellcheck
+
+execute: |
+    testdir=$PWD
+    cd "$SPREAD_PATH" || exit 1
+    CAN_FAIL="$testdir/can-fail" ./spread-shellcheck spread.yaml tests
diff -Nru snapd-2.32.3.2~14.04/tests/upgrade/basic/task.yaml snapd-2.37~rc1~14.04/tests/upgrade/basic/task.yaml
--- snapd-2.32.3.2~14.04/tests/upgrade/basic/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/upgrade/basic/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,6 +1,8 @@
 summary: Check that upgrade works
 
-systems: [-debian-sid-*]
+# arch: there is no snapd in arch repos
+# amazon, centos: enable when snapd hits EPEL
+systems: [-debian-sid-*, -arch-*, -amazon-*, -centos-*]
 
 restore: |
     if [ "$REMOTE_STORE" = staging ]; then
@@ -14,15 +16,32 @@
         echo "skip upgrade tests while talking to the staging store"
         exit 0
     fi
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
+    #shellcheck source=tests/lib/snaps.sh
     . "$TESTSLIB/snaps.sh"
 
     echo "Remove snapd and snap-confine"
-    distro_purge_package snapd snapd-selinux snap-confine || true
+    distro_purge_package snapd snap-confine || true
+    if [[ "$SPREAD_SYSTEM" = fedora-* ]] ; then
+        distro_purge_package snapd-selinux || true
+    fi
 
     echo "Install previous snapd version from the store"
     distro_install_package snap-confine snapd
 
+    if [[ "$SPREAD_SYSTEM" == arch-* ]]; then
+        # Services are not auto enabled or started on Arch
+        systemctl daemon-reload
+        systemctl restart snapd.socket
+        systemctl enable snapd.socket
+    fi
+
+    # need to be seeded to allow snap install
+    if ! snap wait 2>&1|MATCH "unknown command" ; then
+        snap wait system seed.loaded
+    fi
+
     prevsnapdver=$(snap --version|grep "snapd ")
 
     if [[ "$SPREAD_SYSTEM" = debian-* ]] ; then
@@ -51,7 +70,17 @@
     # allow-downgrades prevents errors when new versions hit the archive, for instance,
     # trying to install 2.11ubuntu1 over 2.11+0.16.04
     pkg_extension="$(distro_get_package_extension)"
-    distro_install_local_package --allow-downgrades "$GOHOME"/snap*."$pkg_extension"
+    if [[ "$SPREAD_SYSTEM" == arch-* ]]; then
+        # Arch's pacman is a bit funky here, the command that's run is:
+        #    pacman -U --noconfirm --force /home/gopath/snapd-*.pkg.tar.xz
+        # The official repo package contains snapd and snap-confine. The local test package
+        # conflicts with snap-confine, thus pacman will ask to remove snap-confine, displaying
+        # a question, but at the same time it completely ignores --noconfirm and aborts the upgrade.
+        # As a workaround, drop --noconfirm and pass 'y' to all the questions.
+        yes | pacman -U "$GOHOME"/snap*."$pkg_extension"
+    else
+        distro_install_local_package --allow-downgrades "$GOHOME"/snap*."$pkg_extension"
+    fi
 
     snapdver=$(snap --version|grep "snapd ")
     [ "$snapdver" != "$prevsnapdver" ]
diff -Nru snapd-2.32.3.2~14.04/tests/upgrade/snapd-xdg-open/task.yaml snapd-2.37~rc1~14.04/tests/upgrade/snapd-xdg-open/task.yaml
--- snapd-2.32.3.2~14.04/tests/upgrade/snapd-xdg-open/task.yaml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/tests/upgrade/snapd-xdg-open/task.yaml	2019-01-16 08:36:51.000000000 +0000
@@ -1,19 +1,25 @@
 summary: Verify snapd-xdg-open package is properly replaced with the snapd one
-description: |
+
+details: |
     snapd-xdg-open was formerly provided by the snapd-xdg-open package
     and is now part of the snapd package. This test case verifies that
     the snapd-xdg-open package from the archive is properly replaced.
 # Test case only applies to Ubuntu as that is the only distribution where
 # we had a snapd-xdg-open package ever.
-systems: [-ubuntu-core-*, -debian-*, -ubuntu-14.04-*, -fedora-*]
+
+systems: [-ubuntu-core-*, -debian-*, -ubuntu-14.04-*, -fedora-*, -arch-*, -amazon-*, -centos-*]
+
 restore: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
     if [ "$REMOTE_STORE" = staging ]; then
         echo "skip upgrade tests while talking to the staging store"
         exit 0
     fi
     distro_purge_package snapd-xdg-open || true
+
 execute: |
+    #shellcheck source=tests/lib/pkgdb.sh
     . "$TESTSLIB/pkgdb.sh"
 
     # Original version of snapd-xdg-open in 16.04 which was not
@@ -28,11 +34,11 @@
         fi
     fi
 
-    prevsnapdxdgver=$(dpkg-query --showformat='${Version}' --show snapd-xdg-open)
+    prevsnapdxdgver=$(dpkg-query --showformat='${Version}' --show snapd-xdg-open || true)
 
     # allow-downgrades prevents errors when new versions hit the archive, for instance,
     # trying to install 2.11ubuntu1 over 2.11+0.16.04
-    distro_install_local_package --allow-downgrades $GOHOME/snapd*.deb
+    distro_install_local_package --allow-downgrades "$GOHOME"/snapd*.deb
 
-    snapdxdgver=$(dpkg-query --showformat='${Version}' --show snapd-xdg-open)
+    snapdxdgver=$(dpkg-query --showformat='${Version}' --show snapd-xdg-open || true)
     [ "$snapdxdgver" != "$prevsnapdxdgver" ]
diff -Nru snapd-2.32.3.2~14.04/testutil/checkers.go snapd-2.37~rc1~14.04/testutil/checkers.go
--- snapd-2.32.3.2~14.04/testutil/checkers.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/checkers.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,227 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-
-/*
- * Copyright (C) 2015 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package testutil
-
-import (
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"reflect"
-	"regexp"
-	"strings"
-
-	"gopkg.in/check.v1"
-)
-
-type fileContentChecker struct {
-	*check.CheckerInfo
-	exact bool
-}
-
-// FileEquals verifies that the given file's content is equal
-// to the string (or fmt.Stringer) or []byte provided.
-var FileEquals check.Checker = &fileContentChecker{
-	CheckerInfo: &check.CheckerInfo{Name: "FileEquals", Params: []string{"filename", "contents"}},
-	exact:       true,
-}
-
-// FileContains verifies that the given file's content contains
-// the string (or fmt.Stringer) or []byte provided.
-var FileContains check.Checker = &fileContentChecker{
-	CheckerInfo: &check.CheckerInfo{Name: "FileContains", Params: []string{"filename", "contents"}},
-}
-
-// FileMatches verifies that the given file's content matches
-// the string provided.
-var FileMatches check.Checker = &fileContentChecker{
-	CheckerInfo: &check.CheckerInfo{Name: "FileMatches", Params: []string{"filename", "regex"}},
-}
-
-func (c *fileContentChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	filename, ok := params[0].(string)
-	if !ok {
-		return false, "Filename must be a string"
-	}
-	if names[1] == "regex" {
-		regexpr, ok := params[1].(string)
-		if !ok {
-			return false, "Regex must be a string"
-		}
-		rx, err := regexp.Compile(regexpr)
-		if err != nil {
-			return false, fmt.Sprintf("Can't compile regexp %q: %v", regexpr, err)
-		}
-		params[1] = rx
-	}
-	return fileContentCheck(filename, params[1], c.exact)
-}
-
-func fileContentCheck(filename string, content interface{}, exact bool) (result bool, error string) {
-	buf, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return false, fmt.Sprintf("Can't read file %q: %v", filename, err)
-	}
-	if exact {
-		switch content := content.(type) {
-		case string:
-			return string(buf) == content, ""
-		case []byte:
-			return bytes.Equal(buf, content), ""
-		case fmt.Stringer:
-			return string(buf) == content.String(), ""
-		}
-	} else {
-		switch content := content.(type) {
-		case string:
-			return strings.Contains(string(buf), content), ""
-		case []byte:
-			return bytes.Contains(buf, content), ""
-		case *regexp.Regexp:
-			return content.Match(buf), ""
-		case fmt.Stringer:
-			return strings.Contains(string(buf), content.String()), ""
-		}
-	}
-	return false, fmt.Sprintf("Can't compare file contents with something of type %T", content)
-}
-
-type containsChecker struct {
-	*check.CheckerInfo
-}
-
-// Contains is a Checker that looks for a elem in a container.
-// The elem can be any object. The container can be an array, slice or string.
-var Contains check.Checker = &containsChecker{
-	&check.CheckerInfo{Name: "Contains", Params: []string{"container", "elem"}},
-}
-
-func commonEquals(container, elem interface{}, result *bool, error *string) bool {
-	containerV := reflect.ValueOf(container)
-	elemV := reflect.ValueOf(elem)
-	switch containerV.Kind() {
-	case reflect.Slice, reflect.Array, reflect.Map:
-		containerElemType := containerV.Type().Elem()
-		if containerElemType.Kind() == reflect.Interface {
-			// Ensure that element implements the type of elements stored in the container.
-			if !elemV.Type().Implements(containerElemType) {
-				*result = false
-				*error = fmt.Sprintf(""+
-					"container has items of interface type %s but expected"+
-					" element does not implement it", containerElemType)
-				return true
-			}
-		} else {
-			// Ensure that type of elements in container is compatible with elem
-			if containerElemType != elemV.Type() {
-				*result = false
-				*error = fmt.Sprintf(
-					"container has items of type %s but expected element is a %s",
-					containerElemType, elemV.Type())
-				return true
-			}
-		}
-	case reflect.String:
-		// When container is a string, we expect elem to be a string as well
-		if elemV.Kind() != reflect.String {
-			*result = false
-			*error = fmt.Sprintf("element is a %T but expected a string", elem)
-		} else {
-			*result = strings.Contains(containerV.String(), elemV.String())
-			*error = ""
-		}
-		return true
-	}
-	return false
-}
-
-func (c *containsChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	defer func() {
-		if v := recover(); v != nil {
-			result = false
-			error = fmt.Sprint(v)
-		}
-	}()
-	var container interface{} = params[0]
-	var elem interface{} = params[1]
-	if commonEquals(container, elem, &result, &error) {
-		return
-	}
-	// Do the actual test using ==
-	switch containerV := reflect.ValueOf(container); containerV.Kind() {
-	case reflect.Slice, reflect.Array:
-		for length, i := containerV.Len(), 0; i < length; i++ {
-			itemV := containerV.Index(i)
-			if itemV.Interface() == elem {
-				return true, ""
-			}
-		}
-		return false, ""
-	case reflect.Map:
-		for _, keyV := range containerV.MapKeys() {
-			itemV := containerV.MapIndex(keyV)
-			if itemV.Interface() == elem {
-				return true, ""
-			}
-		}
-		return false, ""
-	default:
-		return false, fmt.Sprintf("%T is not a supported container", container)
-	}
-}
-
-type deepContainsChecker struct {
-	*check.CheckerInfo
-}
-
-// DeepContains is a Checker that looks for a elem in a container using
-// DeepEqual.  The elem can be any object. The container can be an array, slice
-// or string.
-var DeepContains check.Checker = &deepContainsChecker{
-	&check.CheckerInfo{Name: "DeepContains", Params: []string{"container", "elem"}},
-}
-
-func (c *deepContainsChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	var container interface{} = params[0]
-	var elem interface{} = params[1]
-	if commonEquals(container, elem, &result, &error) {
-		return
-	}
-	// Do the actual test using reflect.DeepEqual
-	switch containerV := reflect.ValueOf(container); containerV.Kind() {
-	case reflect.Slice, reflect.Array:
-		for length, i := containerV.Len(), 0; i < length; i++ {
-			itemV := containerV.Index(i)
-			if reflect.DeepEqual(itemV.Interface(), elem) {
-				return true, ""
-			}
-		}
-		return false, ""
-	case reflect.Map:
-		for _, keyV := range containerV.MapKeys() {
-			itemV := containerV.MapIndex(keyV)
-			if reflect.DeepEqual(itemV.Interface(), elem) {
-				return true, ""
-			}
-		}
-		return false, ""
-	default:
-		return false, fmt.Sprintf("%T is not a supported container", container)
-	}
-}
diff -Nru snapd-2.32.3.2~14.04/testutil/checkers_test.go snapd-2.37~rc1~14.04/testutil/checkers_test.go
--- snapd-2.32.3.2~14.04/testutil/checkers_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/checkers_test.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,331 +0,0 @@
-// -*- Mode: Go; indent-tabs-mode: t -*-
-//
-// 20160229: The tests with gccgo on powerpc fail for this file
-//           and it will loop endlessly. This is not reproducible
-//           with gccgo on amd64. Given that it's a relatively little
-//           used arch we disable the tests in here to workaround this
-//           gccgo bug.
-// +build !ppc
-
-/*
- * Copyright (C) 2015 Canonical Ltd
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 3 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package testutil
-
-import (
-	"io/ioutil"
-	"path/filepath"
-	"reflect"
-	"regexp"
-	"runtime"
-	"testing"
-
-	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/strutil"
-)
-
-func Test(t *testing.T) {
-	TestingT(t)
-}
-
-type CheckersS struct{}
-
-var _ = Suite(&CheckersS{})
-
-func testInfo(c *C, checker Checker, name string, paramNames []string) {
-	info := checker.Info()
-	if info.Name != name {
-		c.Fatalf("Got name %s, expected %s", info.Name, name)
-	}
-	if !reflect.DeepEqual(info.Params, paramNames) {
-		c.Fatalf("Got param names %#v, expected %#v", info.Params, paramNames)
-	}
-}
-
-func testCheck(c *C, checker Checker, result bool, error string, params ...interface{}) ([]interface{}, []string) {
-	info := checker.Info()
-	if len(params) != len(info.Params) {
-		c.Fatalf("unexpected param count in test; expected %d got %d", len(info.Params), len(params))
-	}
-	names := append([]string{}, info.Params...)
-	resultActual, errorActual := checker.Check(params, names)
-	if resultActual != result || errorActual != error {
-		c.Fatalf("%s.Check(%#v) returned (%#v, %#v) rather than (%#v, %#v)",
-			info.Name, params, resultActual, errorActual, result, error)
-	}
-	return params, names
-}
-
-func (s *CheckersS) TestUnsupportedTypes(c *C) {
-	testInfo(c, Contains, "Contains", []string{"container", "elem"})
-	testCheck(c, Contains, false, "int is not a supported container", 5, nil)
-	testCheck(c, Contains, false, "bool is not a supported container", false, nil)
-	testCheck(c, Contains, false, "element is a int but expected a string", "container", 1)
-}
-
-func (s *CheckersS) TestContainsVerifiesTypes(c *C) {
-	testInfo(c, Contains, "Contains", []string{"container", "elem"})
-	testCheck(c, Contains,
-		false, "container has items of type int but expected element is a string",
-		[...]int{1, 2, 3}, "foo")
-	testCheck(c, Contains,
-		false, "container has items of type int but expected element is a string",
-		[]int{1, 2, 3}, "foo")
-	// This looks tricky, Contains looks at _values_, not at keys
-	testCheck(c, Contains,
-		false, "container has items of type int but expected element is a string",
-		map[string]int{"foo": 1, "bar": 2}, "foo")
-	testCheck(c, Contains,
-		false, "container has items of type int but expected element is a string",
-		map[string]int{"foo": 1, "bar": 2}, "foo")
-}
-
-type animal interface {
-	Sound() string
-}
-
-type dog struct{}
-
-func (d *dog) Sound() string {
-	return "bark"
-}
-
-type cat struct{}
-
-func (c *cat) Sound() string {
-	return "meow"
-}
-
-type tree struct{}
-
-func (s *CheckersS) TestContainsVerifiesInterfaceTypes(c *C) {
-	testCheck(c, Contains,
-		false, "container has items of interface type testutil.animal but expected element does not implement it",
-		[...]animal{&dog{}, &cat{}}, &tree{})
-	testCheck(c, Contains,
-		false, "container has items of interface type testutil.animal but expected element does not implement it",
-		[]animal{&dog{}, &cat{}}, &tree{})
-	testCheck(c, Contains,
-		false, "container has items of interface type testutil.animal but expected element does not implement it",
-		map[string]animal{"dog": &dog{}, "cat": &cat{}}, &tree{})
-}
-
-func (s *CheckersS) TestContainsString(c *C) {
-	c.Assert("foo", Contains, "f")
-	c.Assert("foo", Contains, "fo")
-	c.Assert("foo", Not(Contains), "foobar")
-}
-
-type myString string
-
-func (s *CheckersS) TestContainsCustomString(c *C) {
-	c.Assert(myString("foo"), Contains, myString("f"))
-	c.Assert(myString("foo"), Contains, myString("fo"))
-	c.Assert(myString("foo"), Not(Contains), myString("foobar"))
-	c.Assert("foo", Contains, myString("f"))
-	c.Assert("foo", Contains, myString("fo"))
-	c.Assert("foo", Not(Contains), myString("foobar"))
-	c.Assert(myString("foo"), Contains, "f")
-	c.Assert(myString("foo"), Contains, "fo")
-	c.Assert(myString("foo"), Not(Contains), "foobar")
-}
-
-func (s *CheckersS) TestContainsArray(c *C) {
-	c.Assert([...]int{1, 2, 3}, Contains, 1)
-	c.Assert([...]int{1, 2, 3}, Contains, 2)
-	c.Assert([...]int{1, 2, 3}, Contains, 3)
-	c.Assert([...]int{1, 2, 3}, Not(Contains), 4)
-	c.Assert([...]animal{&dog{}, &cat{}}, Contains, &dog{})
-	c.Assert([...]animal{&cat{}}, Not(Contains), &dog{})
-}
-
-func (s *CheckersS) TestContainsSlice(c *C) {
-	c.Assert([]int{1, 2, 3}, Contains, 1)
-	c.Assert([]int{1, 2, 3}, Contains, 2)
-	c.Assert([]int{1, 2, 3}, Contains, 3)
-	c.Assert([]int{1, 2, 3}, Not(Contains), 4)
-	c.Assert([]animal{&dog{}, &cat{}}, Contains, &dog{})
-	c.Assert([]animal{&cat{}}, Not(Contains), &dog{})
-}
-
-func (s *CheckersS) TestContainsMap(c *C) {
-	c.Assert(map[string]int{"foo": 1, "bar": 2}, Contains, 1)
-	c.Assert(map[string]int{"foo": 1, "bar": 2}, Contains, 2)
-	c.Assert(map[string]int{"foo": 1, "bar": 2}, Not(Contains), 3)
-	c.Assert(map[string]animal{"dog": &dog{}, "cat": &cat{}}, Contains, &dog{})
-	c.Assert(map[string]animal{"cat": &cat{}}, Not(Contains), &dog{})
-}
-
-// Arbitrary type that is not comparable
-type myStruct struct {
-	attrs map[string]string
-}
-
-func (s *CheckersS) TestContainsUncomparableType(c *C) {
-	if runtime.Compiler != "go" {
-		c.Skip("this test only works on go (not gccgo)")
-	}
-
-	elem := myStruct{map[string]string{"k": "v"}}
-	containerArray := [...]myStruct{elem}
-	containerSlice := []myStruct{elem}
-	containerMap := map[string]myStruct{"foo": elem}
-	errMsg := "runtime error: comparing uncomparable type testutil.myStruct"
-	testInfo(c, Contains, "Contains", []string{"container", "elem"})
-	testCheck(c, Contains, false, errMsg, containerArray, elem)
-	testCheck(c, Contains, false, errMsg, containerSlice, elem)
-	testCheck(c, Contains, false, errMsg, containerMap, elem)
-}
-
-func (s *CheckersS) TestDeepContainsUnsupportedTypes(c *C) {
-	testInfo(c, DeepContains, "DeepContains", []string{"container", "elem"})
-	testCheck(c, DeepContains, false, "int is not a supported container", 5, nil)
-	testCheck(c, DeepContains, false, "bool is not a supported container", false, nil)
-	testCheck(c, DeepContains, false, "element is a int but expected a string", "container", 1)
-}
-
-func (s *CheckersS) TestDeepContainsVerifiesTypes(c *C) {
-	testInfo(c, DeepContains, "DeepContains", []string{"container", "elem"})
-	testCheck(c, DeepContains,
-		false, "container has items of type int but expected element is a string",
-		[...]int{1, 2, 3}, "foo")
-	testCheck(c, DeepContains,
-		false, "container has items of type int but expected element is a string",
-		[]int{1, 2, 3}, "foo")
-	// This looks tricky, DeepContains looks at _values_, not at keys
-	testCheck(c, DeepContains,
-		false, "container has items of type int but expected element is a string",
-		map[string]int{"foo": 1, "bar": 2}, "foo")
-}
-
-func (s *CheckersS) TestDeepContainsString(c *C) {
-	c.Assert("foo", DeepContains, "f")
-	c.Assert("foo", DeepContains, "fo")
-	c.Assert("foo", Not(DeepContains), "foobar")
-}
-
-func (s *CheckersS) TestDeepContainsCustomString(c *C) {
-	c.Assert(myString("foo"), DeepContains, myString("f"))
-	c.Assert(myString("foo"), DeepContains, myString("fo"))
-	c.Assert(myString("foo"), Not(DeepContains), myString("foobar"))
-	c.Assert("foo", DeepContains, myString("f"))
-	c.Assert("foo", DeepContains, myString("fo"))
-	c.Assert("foo", Not(DeepContains), myString("foobar"))
-	c.Assert(myString("foo"), DeepContains, "f")
-	c.Assert(myString("foo"), DeepContains, "fo")
-	c.Assert(myString("foo"), Not(DeepContains), "foobar")
-}
-
-func (s *CheckersS) TestDeepContainsArray(c *C) {
-	c.Assert([...]int{1, 2, 3}, DeepContains, 1)
-	c.Assert([...]int{1, 2, 3}, DeepContains, 2)
-	c.Assert([...]int{1, 2, 3}, DeepContains, 3)
-	c.Assert([...]int{1, 2, 3}, Not(DeepContains), 4)
-}
-
-func (s *CheckersS) TestDeepContainsSlice(c *C) {
-	c.Assert([]int{1, 2, 3}, DeepContains, 1)
-	c.Assert([]int{1, 2, 3}, DeepContains, 2)
-	c.Assert([]int{1, 2, 3}, DeepContains, 3)
-	c.Assert([]int{1, 2, 3}, Not(DeepContains), 4)
-}
-
-func (s *CheckersS) TestDeepContainsMap(c *C) {
-	c.Assert(map[string]int{"foo": 1, "bar": 2}, DeepContains, 1)
-	c.Assert(map[string]int{"foo": 1, "bar": 2}, DeepContains, 2)
-	c.Assert(map[string]int{"foo": 1, "bar": 2}, Not(DeepContains), 3)
-}
-
-func (s *CheckersS) TestDeepContainsUncomparableType(c *C) {
-	elem := myStruct{map[string]string{"k": "v"}}
-	containerArray := [...]myStruct{elem}
-	containerSlice := []myStruct{elem}
-	containerMap := map[string]myStruct{"foo": elem}
-	testInfo(c, DeepContains, "DeepContains", []string{"container", "elem"})
-	testCheck(c, DeepContains, true, "", containerArray, elem)
-	testCheck(c, DeepContains, true, "", containerSlice, elem)
-	testCheck(c, DeepContains, true, "", containerMap, elem)
-}
-
-type myStringer struct{ str string }
-
-func (m myStringer) String() string { return m.str }
-
-func (s *CheckersS) TestFileEquals(c *C) {
-	d := c.MkDir()
-	content := strutil.MakeRandomString(10)
-	filename := filepath.Join(d, "canary")
-	c.Assert(ioutil.WriteFile(filename, []byte(content), 0644), IsNil)
-
-	testInfo(c, FileEquals, "FileEquals", []string{"filename", "contents"})
-	testCheck(c, FileEquals, true, "", filename, content)
-	testCheck(c, FileEquals, true, "", filename, []byte(content))
-	testCheck(c, FileEquals, true, "", filename, myStringer{content})
-
-	twofer := content + content
-	testCheck(c, FileEquals, false, "", filename, twofer)
-	testCheck(c, FileEquals, false, "", filename, []byte(twofer))
-	testCheck(c, FileEquals, false, "", filename, myStringer{twofer})
-
-	testCheck(c, FileEquals, false, `Can't read file "": open : no such file or directory`, "", "")
-	testCheck(c, FileEquals, false, "Filename must be a string", 42, "")
-	testCheck(c, FileEquals, false, "Can't compare file contents with something of type int", filename, 1)
-}
-
-func (s *CheckersS) TestFileContains(c *C) {
-	d := c.MkDir()
-	content := strutil.MakeRandomString(10)
-	filename := filepath.Join(d, "canary")
-	c.Assert(ioutil.WriteFile(filename, []byte(content), 0644), IsNil)
-
-	testInfo(c, FileContains, "FileContains", []string{"filename", "contents"})
-	testCheck(c, FileContains, true, "", filename, content[1:])
-	testCheck(c, FileContains, true, "", filename, []byte(content[1:]))
-	testCheck(c, FileContains, true, "", filename, myStringer{content[1:]})
-	// undocumented
-	testCheck(c, FileContains, true, "", filename, regexp.MustCompile(".*"))
-
-	twofer := content + content
-	testCheck(c, FileContains, false, "", filename, twofer)
-	testCheck(c, FileContains, false, "", filename, []byte(twofer))
-	testCheck(c, FileContains, false, "", filename, myStringer{twofer})
-	// undocumented
-	testCheck(c, FileContains, false, "", filename, regexp.MustCompile("^$"))
-
-	testCheck(c, FileContains, false, `Can't read file "": open : no such file or directory`, "", "")
-	testCheck(c, FileContains, false, "Filename must be a string", 42, "")
-	testCheck(c, FileContains, false, "Can't compare file contents with something of type int", filename, 1)
-}
-
-func (s *CheckersS) TestFileMatches(c *C) {
-	d := c.MkDir()
-	content := strutil.MakeRandomString(10)
-	filename := filepath.Join(d, "canary")
-	c.Assert(ioutil.WriteFile(filename, []byte(content), 0644), IsNil)
-
-	testInfo(c, FileMatches, "FileMatches", []string{"filename", "regex"})
-	testCheck(c, FileMatches, true, "", filename, ".*")
-	testCheck(c, FileMatches, true, "", filename, "^"+regexp.QuoteMeta(content)+"$")
-
-	testCheck(c, FileMatches, false, "", filename, "^$")
-	testCheck(c, FileMatches, false, "", filename, "123"+regexp.QuoteMeta(content))
-
-	testCheck(c, FileMatches, false, `Can't read file "": open : no such file or directory`, "", "")
-	testCheck(c, FileMatches, false, "Filename must be a string", 42, ".*")
-	testCheck(c, FileMatches, false, "Regex must be a string", filename, 1)
-}
diff -Nru snapd-2.32.3.2~14.04/testutil/containschecker.go snapd-2.37~rc1~14.04/testutil/containschecker.go
--- snapd-2.32.3.2~14.04/testutil/containschecker.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/containschecker.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,152 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	"gopkg.in/check.v1"
+)
+
+type containsChecker struct {
+	*check.CheckerInfo
+}
+
+// Contains is a Checker that looks for a elem in a container.
+// The elem can be any object. The container can be an array, slice or string.
+var Contains check.Checker = &containsChecker{
+	&check.CheckerInfo{Name: "Contains", Params: []string{"container", "elem"}},
+}
+
+func commonEquals(container, elem interface{}, result *bool, error *string) bool {
+	containerV := reflect.ValueOf(container)
+	elemV := reflect.ValueOf(elem)
+	switch containerV.Kind() {
+	case reflect.Slice, reflect.Array, reflect.Map:
+		containerElemType := containerV.Type().Elem()
+		if containerElemType.Kind() == reflect.Interface {
+			// Ensure that element implements the type of elements stored in the container.
+			if !elemV.Type().Implements(containerElemType) {
+				*result = false
+				*error = fmt.Sprintf(""+
+					"container has items of interface type %s but expected"+
+					" element does not implement it", containerElemType)
+				return true
+			}
+		} else {
+			// Ensure that type of elements in container is compatible with elem
+			if containerElemType != elemV.Type() {
+				*result = false
+				*error = fmt.Sprintf(
+					"container has items of type %s but expected element is a %s",
+					containerElemType, elemV.Type())
+				return true
+			}
+		}
+	case reflect.String:
+		// When container is a string, we expect elem to be a string as well
+		if elemV.Kind() != reflect.String {
+			*result = false
+			*error = fmt.Sprintf("element is a %T but expected a string", elem)
+		} else {
+			*result = strings.Contains(containerV.String(), elemV.String())
+			*error = ""
+		}
+		return true
+	}
+	return false
+}
+
+func (c *containsChecker) Check(params []interface{}, names []string) (result bool, error string) {
+	defer func() {
+		if v := recover(); v != nil {
+			result = false
+			error = fmt.Sprint(v)
+		}
+	}()
+	var container interface{} = params[0]
+	var elem interface{} = params[1]
+	if commonEquals(container, elem, &result, &error) {
+		return
+	}
+	// Do the actual test using ==
+	switch containerV := reflect.ValueOf(container); containerV.Kind() {
+	case reflect.Slice, reflect.Array:
+		for length, i := containerV.Len(), 0; i < length; i++ {
+			itemV := containerV.Index(i)
+			if itemV.Interface() == elem {
+				return true, ""
+			}
+		}
+		return false, ""
+	case reflect.Map:
+		for _, keyV := range containerV.MapKeys() {
+			itemV := containerV.MapIndex(keyV)
+			if itemV.Interface() == elem {
+				return true, ""
+			}
+		}
+		return false, ""
+	default:
+		return false, fmt.Sprintf("%T is not a supported container", container)
+	}
+}
+
+type deepContainsChecker struct {
+	*check.CheckerInfo
+}
+
+// DeepContains is a Checker that looks for a elem in a container using
+// DeepEqual.  The elem can be any object. The container can be an array, slice
+// or string.
+var DeepContains check.Checker = &deepContainsChecker{
+	&check.CheckerInfo{Name: "DeepContains", Params: []string{"container", "elem"}},
+}
+
+func (c *deepContainsChecker) Check(params []interface{}, names []string) (result bool, error string) {
+	var container interface{} = params[0]
+	var elem interface{} = params[1]
+	if commonEquals(container, elem, &result, &error) {
+		return
+	}
+	// Do the actual test using reflect.DeepEqual
+	switch containerV := reflect.ValueOf(container); containerV.Kind() {
+	case reflect.Slice, reflect.Array:
+		for length, i := containerV.Len(), 0; i < length; i++ {
+			itemV := containerV.Index(i)
+			if reflect.DeepEqual(itemV.Interface(), elem) {
+				return true, ""
+			}
+		}
+		return false, ""
+	case reflect.Map:
+		for _, keyV := range containerV.MapKeys() {
+			itemV := containerV.MapIndex(keyV)
+			if reflect.DeepEqual(itemV.Interface(), elem) {
+				return true, ""
+			}
+		}
+		return false, ""
+	default:
+		return false, fmt.Sprintf("%T is not a supported container", container)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/containschecker_test.go snapd-2.37~rc1~14.04/testutil/containschecker_test.go
--- snapd-2.32.3.2~14.04/testutil/containschecker_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/containschecker_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,223 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil_test
+
+import (
+	"runtime"
+
+	"gopkg.in/check.v1"
+
+	. "github.com/snapcore/snapd/testutil"
+)
+
+type containsCheckerSuite struct{}
+
+var _ = check.Suite(&containsCheckerSuite{})
+
+func (*containsCheckerSuite) TestUnsupportedTypes(c *check.C) {
+	testInfo(c, Contains, "Contains", []string{"container", "elem"})
+	testCheck(c, Contains, false, "int is not a supported container", 5, nil)
+	testCheck(c, Contains, false, "bool is not a supported container", false, nil)
+	testCheck(c, Contains, false, "element is a int but expected a string", "container", 1)
+}
+
+func (*containsCheckerSuite) TestContainsVerifiesTypes(c *check.C) {
+	testInfo(c, Contains, "Contains", []string{"container", "elem"})
+	testCheck(c, Contains,
+		false, "container has items of type int but expected element is a string",
+		[...]int{1, 2, 3}, "foo")
+	testCheck(c, Contains,
+		false, "container has items of type int but expected element is a string",
+		[]int{1, 2, 3}, "foo")
+	// This looks tricky, Contains looks at _values_, not at keys
+	testCheck(c, Contains,
+		false, "container has items of type int but expected element is a string",
+		map[string]int{"foo": 1, "bar": 2}, "foo")
+	testCheck(c, Contains,
+		false, "container has items of type int but expected element is a string",
+		map[string]int{"foo": 1, "bar": 2}, "foo")
+}
+
+type animal interface {
+	Sound() string
+}
+
+type dog struct{}
+
+func (d *dog) Sound() string {
+	return "bark"
+}
+
+type cat struct{}
+
+func (c *cat) Sound() string {
+	return "meow"
+}
+
+type tree struct{}
+
+func (*containsCheckerSuite) TestContainsVerifiesInterfaceTypes(c *check.C) {
+	testCheck(c, Contains,
+		false, "container has items of interface type testutil_test.animal but expected element does not implement it",
+		[...]animal{&dog{}, &cat{}}, &tree{})
+	testCheck(c, Contains,
+		false, "container has items of interface type testutil_test.animal but expected element does not implement it",
+		[]animal{&dog{}, &cat{}}, &tree{})
+	testCheck(c, Contains,
+		false, "container has items of interface type testutil_test.animal but expected element does not implement it",
+		map[string]animal{"dog": &dog{}, "cat": &cat{}}, &tree{})
+}
+
+func (*containsCheckerSuite) TestContainsString(c *check.C) {
+	c.Assert("foo", Contains, "f")
+	c.Assert("foo", Contains, "fo")
+	c.Assert("foo", check.Not(Contains), "foobar")
+}
+
+type myString string
+
+func (*containsCheckerSuite) TestContainsCustomString(c *check.C) {
+	c.Assert(myString("foo"), Contains, myString("f"))
+	c.Assert(myString("foo"), Contains, myString("fo"))
+	c.Assert(myString("foo"), check.Not(Contains), myString("foobar"))
+	c.Assert("foo", Contains, myString("f"))
+	c.Assert("foo", Contains, myString("fo"))
+	c.Assert("foo", check.Not(Contains), myString("foobar"))
+	c.Assert(myString("foo"), Contains, "f")
+	c.Assert(myString("foo"), Contains, "fo")
+	c.Assert(myString("foo"), check.Not(Contains), "foobar")
+}
+
+func (*containsCheckerSuite) TestContainsArray(c *check.C) {
+	c.Assert([...]int{1, 2, 3}, Contains, 1)
+	c.Assert([...]int{1, 2, 3}, Contains, 2)
+	c.Assert([...]int{1, 2, 3}, Contains, 3)
+	c.Assert([...]int{1, 2, 3}, check.Not(Contains), 4)
+	c.Assert([...]animal{&dog{}, &cat{}}, Contains, &dog{})
+	c.Assert([...]animal{&cat{}}, check.Not(Contains), &dog{})
+}
+
+func (*containsCheckerSuite) TestContainsSlice(c *check.C) {
+	c.Assert([]int{1, 2, 3}, Contains, 1)
+	c.Assert([]int{1, 2, 3}, Contains, 2)
+	c.Assert([]int{1, 2, 3}, Contains, 3)
+	c.Assert([]int{1, 2, 3}, check.Not(Contains), 4)
+	c.Assert([]animal{&dog{}, &cat{}}, Contains, &dog{})
+	c.Assert([]animal{&cat{}}, check.Not(Contains), &dog{})
+}
+
+func (*containsCheckerSuite) TestContainsMap(c *check.C) {
+	c.Assert(map[string]int{"foo": 1, "bar": 2}, Contains, 1)
+	c.Assert(map[string]int{"foo": 1, "bar": 2}, Contains, 2)
+	c.Assert(map[string]int{"foo": 1, "bar": 2}, check.Not(Contains), 3)
+	c.Assert(map[string]animal{"dog": &dog{}, "cat": &cat{}}, Contains, &dog{})
+	c.Assert(map[string]animal{"cat": &cat{}}, check.Not(Contains), &dog{})
+}
+
+// Arbitrary type that is not comparable
+type myStruct struct {
+	attrs map[string]string
+}
+
+func (*containsCheckerSuite) TestContainsUncomparableType(c *check.C) {
+	if runtime.Compiler != "go" {
+		c.Skip("this test only works on go (not gccgo)")
+	}
+
+	elem := myStruct{map[string]string{"k": "v"}}
+	containerArray := [...]myStruct{elem}
+	containerSlice := []myStruct{elem}
+	containerMap := map[string]myStruct{"foo": elem}
+	errMsg := "runtime error: comparing uncomparable type testutil_test.myStruct"
+	testInfo(c, Contains, "Contains", []string{"container", "elem"})
+	testCheck(c, Contains, false, errMsg, containerArray, elem)
+	testCheck(c, Contains, false, errMsg, containerSlice, elem)
+	testCheck(c, Contains, false, errMsg, containerMap, elem)
+}
+
+func (*containsCheckerSuite) TestDeepContainsUnsupportedTypes(c *check.C) {
+	testInfo(c, DeepContains, "DeepContains", []string{"container", "elem"})
+	testCheck(c, DeepContains, false, "int is not a supported container", 5, nil)
+	testCheck(c, DeepContains, false, "bool is not a supported container", false, nil)
+	testCheck(c, DeepContains, false, "element is a int but expected a string", "container", 1)
+}
+
+func (*containsCheckerSuite) TestDeepContainsVerifiesTypes(c *check.C) {
+	testInfo(c, DeepContains, "DeepContains", []string{"container", "elem"})
+	testCheck(c, DeepContains,
+		false, "container has items of type int but expected element is a string",
+		[...]int{1, 2, 3}, "foo")
+	testCheck(c, DeepContains,
+		false, "container has items of type int but expected element is a string",
+		[]int{1, 2, 3}, "foo")
+	// This looks tricky, DeepContains looks at _values_, not at keys
+	testCheck(c, DeepContains,
+		false, "container has items of type int but expected element is a string",
+		map[string]int{"foo": 1, "bar": 2}, "foo")
+}
+
+func (*containsCheckerSuite) TestDeepContainsString(c *check.C) {
+	c.Assert("foo", DeepContains, "f")
+	c.Assert("foo", DeepContains, "fo")
+	c.Assert("foo", check.Not(DeepContains), "foobar")
+}
+
+func (*containsCheckerSuite) TestDeepContainsCustomString(c *check.C) {
+	c.Assert(myString("foo"), DeepContains, myString("f"))
+	c.Assert(myString("foo"), DeepContains, myString("fo"))
+	c.Assert(myString("foo"), check.Not(DeepContains), myString("foobar"))
+	c.Assert("foo", DeepContains, myString("f"))
+	c.Assert("foo", DeepContains, myString("fo"))
+	c.Assert("foo", check.Not(DeepContains), myString("foobar"))
+	c.Assert(myString("foo"), DeepContains, "f")
+	c.Assert(myString("foo"), DeepContains, "fo")
+	c.Assert(myString("foo"), check.Not(DeepContains), "foobar")
+}
+
+func (*containsCheckerSuite) TestDeepContainsArray(c *check.C) {
+	c.Assert([...]int{1, 2, 3}, DeepContains, 1)
+	c.Assert([...]int{1, 2, 3}, DeepContains, 2)
+	c.Assert([...]int{1, 2, 3}, DeepContains, 3)
+	c.Assert([...]int{1, 2, 3}, check.Not(DeepContains), 4)
+}
+
+func (*containsCheckerSuite) TestDeepContainsSlice(c *check.C) {
+	c.Assert([]int{1, 2, 3}, DeepContains, 1)
+	c.Assert([]int{1, 2, 3}, DeepContains, 2)
+	c.Assert([]int{1, 2, 3}, DeepContains, 3)
+	c.Assert([]int{1, 2, 3}, check.Not(DeepContains), 4)
+}
+
+func (*containsCheckerSuite) TestDeepContainsMap(c *check.C) {
+	c.Assert(map[string]int{"foo": 1, "bar": 2}, DeepContains, 1)
+	c.Assert(map[string]int{"foo": 1, "bar": 2}, DeepContains, 2)
+	c.Assert(map[string]int{"foo": 1, "bar": 2}, check.Not(DeepContains), 3)
+}
+
+func (*containsCheckerSuite) TestDeepContainsUncomparableType(c *check.C) {
+	elem := myStruct{map[string]string{"k": "v"}}
+	containerArray := [...]myStruct{elem}
+	containerSlice := []myStruct{elem}
+	containerMap := map[string]myStruct{"foo": elem}
+	testInfo(c, DeepContains, "DeepContains", []string{"container", "elem"})
+	testCheck(c, DeepContains, true, "", containerArray, elem)
+	testCheck(c, DeepContains, true, "", containerSlice, elem)
+	testCheck(c, DeepContains, true, "", containerMap, elem)
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/dbustest.go snapd-2.37~rc1~14.04/testutil/dbustest.go
--- snapd-2.32.3.2~14.04/testutil/dbustest.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/dbustest.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,6 +20,7 @@
 package testutil
 
 import (
+	"bufio"
 	"fmt"
 	"os"
 	"os/exec"
@@ -29,6 +30,24 @@
 	. "gopkg.in/check.v1"
 )
 
+func dbusSessionBus() (*dbus.Conn, error) {
+	// the test suite *must* use a private connection to the bus to avoid
+	// breaking things for code that might use a shared connection
+	conn, err := dbus.SessionBusPrivate()
+	if err != nil {
+		return nil, err
+	}
+	if err := conn.Auth(nil); err != nil {
+		conn.Close()
+		return nil, err
+	}
+	if err := conn.Hello(); err != nil {
+		conn.Close()
+		return nil, err
+	}
+	return conn, nil
+}
+
 // DBusTest provides a separate dbus session bus for running tests
 type DBusTest struct {
 	tmpdir           string
@@ -50,23 +69,42 @@
 	}
 
 	s.tmpdir = c.MkDir()
-	s.dbusDaemon = exec.Command("dbus-daemon", "--session", fmt.Sprintf("--address=unix:%s/user_bus_socket", s.tmpdir))
-	err := s.dbusDaemon.Start()
+	s.dbusDaemon = exec.Command("dbus-daemon", "--session", "--print-address", fmt.Sprintf("--address=unix:path=%s/user_bus_socket", s.tmpdir))
+	pout, err := s.dbusDaemon.StdoutPipe()
+	c.Assert(err, IsNil)
+	err = s.dbusDaemon.Start()
 	c.Assert(err, IsNil)
+
+	scanner := bufio.NewScanner(pout)
+	scanner.Scan()
+	c.Assert(scanner.Err(), IsNil)
 	s.oldSessionBusEnv = os.Getenv("DBUS_SESSION_BUS_ADDRESS")
+	os.Setenv("DBUS_SESSION_BUS_ADDRESS", scanner.Text())
 
-	s.SessionBus, err = dbus.SessionBus()
+	s.SessionBus, err = dbusSessionBus()
 	c.Assert(err, IsNil)
 }
 
 func (s *DBusTest) TearDownSuite(c *C) {
+	if s.SessionBus != nil {
+		s.SessionBus.Close()
+	}
+
 	os.Setenv("DBUS_SESSION_BUS_ADDRESS", s.oldSessionBusEnv)
 	if s.dbusDaemon != nil && s.dbusDaemon.Process != nil {
 		err := s.dbusDaemon.Process.Kill()
 		c.Assert(err, IsNil)
+		err = s.dbusDaemon.Wait() // do cleanup
+		c.Assert(err, ErrorMatches, `(?i)signal: killed`)
 	}
-
 }
 
 func (s *DBusTest) SetUpTest(c *C)    {}
 func (s *DBusTest) TearDownTest(c *C) {}
+
+func DBusGetConnectionUnixProcessID(conn *dbus.Conn, name string) (pid int, err error) {
+	obj := conn.Object("org.freedesktop.DBus", "/org/freedesktop/DBus")
+
+	err = obj.Call("org.freedesktop.DBus.GetConnectionUnixProcessID", 0, name).Store(&pid)
+	return pid, err
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/exec.go snapd-2.37~rc1~14.04/testutil/exec.go
--- snapd-2.32.3.2~14.04/testutil/exec.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/exec.go	2019-01-16 08:36:51.000000000 +0000
@@ -147,3 +147,8 @@
 func (cmd *MockCmd) BinDir() string {
 	return cmd.binDir
 }
+
+// Exe return the full path of the mock binary
+func (cmd *MockCmd) Exe() string {
+	return filepath.Join(cmd.exeFile)
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/exec_test.go snapd-2.37~rc1~14.04/testutil/exec_test.go
--- snapd-2.32.3.2~14.04/testutil/exec_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/exec_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,43 +22,47 @@
 import (
 	"os/exec"
 
-	. "gopkg.in/check.v1"
+	"gopkg.in/check.v1"
 )
 
 type mockCommandSuite struct{}
 
-var _ = Suite(&mockCommandSuite{})
+var _ = check.Suite(&mockCommandSuite{})
 
-func (s *mockCommandSuite) TestMockCommand(c *C) {
+const (
+	UmountNoFollow = umountNoFollow
+)
+
+func (s *mockCommandSuite) TestMockCommand(c *check.C) {
 	mock := MockCommand(c, "cmd", "true")
 	defer mock.Restore()
 	err := exec.Command("cmd", "first-run", "--arg1", "arg2", "a space").Run()
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	err = exec.Command("cmd", "second-run", "--arg1", "arg2", "a %s").Run()
-	c.Assert(err, IsNil)
-	c.Assert(mock.Calls(), DeepEquals, [][]string{
+	c.Assert(err, check.IsNil)
+	c.Assert(mock.Calls(), check.DeepEquals, [][]string{
 		{"cmd", "first-run", "--arg1", "arg2", "a space"},
 		{"cmd", "second-run", "--arg1", "arg2", "a %s"},
 	})
 }
 
-func (s *mockCommandSuite) TestMockCommandAlso(c *C) {
+func (s *mockCommandSuite) TestMockCommandAlso(c *check.C) {
 	mock := MockCommand(c, "fst", "")
 	also := mock.Also("snd", "")
 	defer mock.Restore()
 
-	c.Assert(exec.Command("fst").Run(), IsNil)
-	c.Assert(exec.Command("snd").Run(), IsNil)
-	c.Check(mock.Calls(), DeepEquals, [][]string{{"fst"}, {"snd"}})
-	c.Check(mock.Calls(), DeepEquals, also.Calls())
+	c.Assert(exec.Command("fst").Run(), check.IsNil)
+	c.Assert(exec.Command("snd").Run(), check.IsNil)
+	c.Check(mock.Calls(), check.DeepEquals, [][]string{{"fst"}, {"snd"}})
+	c.Check(mock.Calls(), check.DeepEquals, also.Calls())
 }
 
-func (s *mockCommandSuite) TestMockCommandConflictEcho(c *C) {
+func (s *mockCommandSuite) TestMockCommandConflictEcho(c *check.C) {
 	mock := MockCommand(c, "do-not-swallow-echo-args", "")
 	defer mock.Restore()
 
-	c.Assert(exec.Command("do-not-swallow-echo-args", "-E", "-n", "-e").Run(), IsNil)
-	c.Assert(mock.Calls(), DeepEquals, [][]string{
+	c.Assert(exec.Command("do-not-swallow-echo-args", "-E", "-n", "-e").Run(), check.IsNil)
+	c.Assert(mock.Calls(), check.DeepEquals, [][]string{
 		{"do-not-swallow-echo-args", "-E", "-n", "-e"},
 	})
 }
diff -Nru snapd-2.32.3.2~14.04/testutil/export_test.go snapd-2.37~rc1~14.04/testutil/export_test.go
--- snapd-2.32.3.2~14.04/testutil/export_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,28 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil
+
+import (
+	"gopkg.in/check.v1"
+)
+
+func UnexpectedIntChecker(relation string) *intChecker {
+	return &intChecker{CheckerInfo: &check.CheckerInfo{Name: "unexpected", Params: []string{"a", "b"}}, rel: relation}
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/filecontentchecker.go snapd-2.37~rc1~14.04/testutil/filecontentchecker.go
--- snapd-2.32.3.2~14.04/testutil/filecontentchecker.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/filecontentchecker.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,115 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"regexp"
+	"strings"
+
+	"gopkg.in/check.v1"
+)
+
+type fileContentChecker struct {
+	*check.CheckerInfo
+	exact bool
+}
+
+// FileEquals verifies that the given file's content is equal
+// to the string (or fmt.Stringer) or []byte provided.
+var FileEquals check.Checker = &fileContentChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "FileEquals", Params: []string{"filename", "contents"}},
+	exact:       true,
+}
+
+// FileContains verifies that the given file's content contains
+// the string (or fmt.Stringer) or []byte provided.
+var FileContains check.Checker = &fileContentChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "FileContains", Params: []string{"filename", "contents"}},
+}
+
+// FileMatches verifies that the given file's content matches
+// the string provided.
+var FileMatches check.Checker = &fileContentChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "FileMatches", Params: []string{"filename", "regex"}},
+}
+
+func (c *fileContentChecker) Check(params []interface{}, names []string) (result bool, error string) {
+	filename, ok := params[0].(string)
+	if !ok {
+		return false, "Filename must be a string"
+	}
+	if names[1] == "regex" {
+		regexpr, ok := params[1].(string)
+		if !ok {
+			return false, "Regex must be a string"
+		}
+		rx, err := regexp.Compile(regexpr)
+		if err != nil {
+			return false, fmt.Sprintf("Cannot compile regexp %q: %v", regexpr, err)
+		}
+		params[1] = rx
+	}
+	return fileContentCheck(filename, params[1], c.exact)
+}
+
+func fileContentCheck(filename string, content interface{}, exact bool) (result bool, error string) {
+	buf, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return false, fmt.Sprintf("Cannot read file %q: %v", filename, err)
+	}
+	presentableBuf := string(buf)
+	if exact {
+		switch content := content.(type) {
+		case string:
+			result = presentableBuf == content
+		case []byte:
+			result = bytes.Equal(buf, content)
+			presentableBuf = "<binary data>"
+		case fmt.Stringer:
+			result = presentableBuf == content.String()
+		default:
+			error = fmt.Sprintf("Cannot compare file contents with something of type %T", content)
+		}
+	} else {
+		switch content := content.(type) {
+		case string:
+			result = strings.Contains(presentableBuf, content)
+		case []byte:
+			result = bytes.Contains(buf, content)
+			presentableBuf = "<binary data>"
+		case *regexp.Regexp:
+			result = content.Match(buf)
+		case fmt.Stringer:
+			result = strings.Contains(presentableBuf, content.String())
+		default:
+			error = fmt.Sprintf("Cannot compare file contents with something of type %T", content)
+		}
+	}
+	if !result {
+		if error == "" {
+			error = fmt.Sprintf("Failed to match with file contents:\n%v", presentableBuf)
+		}
+		return result, error
+	}
+	return result, ""
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/filecontentchecker_test.go snapd-2.37~rc1~14.04/testutil/filecontentchecker_test.go
--- snapd-2.32.3.2~14.04/testutil/filecontentchecker_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/filecontentchecker_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,102 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil_test
+
+import (
+	"io/ioutil"
+	"path/filepath"
+	"regexp"
+
+	"gopkg.in/check.v1"
+
+	. "github.com/snapcore/snapd/testutil"
+)
+
+type fileContentCheckerSuite struct{}
+
+var _ = check.Suite(&fileContentCheckerSuite{})
+
+type myStringer struct{ str string }
+
+func (m myStringer) String() string { return m.str }
+
+func (s *fileContentCheckerSuite) TestFileEquals(c *check.C) {
+	d := c.MkDir()
+	content := "not-so-random-string"
+	filename := filepath.Join(d, "canary")
+	c.Assert(ioutil.WriteFile(filename, []byte(content), 0644), check.IsNil)
+
+	testInfo(c, FileEquals, "FileEquals", []string{"filename", "contents"})
+	testCheck(c, FileEquals, true, "", filename, content)
+	testCheck(c, FileEquals, true, "", filename, []byte(content))
+	testCheck(c, FileEquals, true, "", filename, myStringer{content})
+
+	twofer := content + content
+	testCheck(c, FileEquals, false, "Failed to match with file contents:\nnot-so-random-string", filename, twofer)
+	testCheck(c, FileEquals, false, "Failed to match with file contents:\n<binary data>", filename, []byte(twofer))
+	testCheck(c, FileEquals, false, "Failed to match with file contents:\nnot-so-random-string", filename, myStringer{twofer})
+
+	testCheck(c, FileEquals, false, `Cannot read file "": open : no such file or directory`, "", "")
+	testCheck(c, FileEquals, false, "Filename must be a string", 42, "")
+	testCheck(c, FileEquals, false, "Cannot compare file contents with something of type int", filename, 1)
+}
+
+func (s *fileContentCheckerSuite) TestFileContains(c *check.C) {
+	d := c.MkDir()
+	content := "not-so-random-string"
+	filename := filepath.Join(d, "canary")
+	c.Assert(ioutil.WriteFile(filename, []byte(content), 0644), check.IsNil)
+
+	testInfo(c, FileContains, "FileContains", []string{"filename", "contents"})
+	testCheck(c, FileContains, true, "", filename, content[1:])
+	testCheck(c, FileContains, true, "", filename, []byte(content[1:]))
+	testCheck(c, FileContains, true, "", filename, myStringer{content[1:]})
+	// undocumented
+	testCheck(c, FileContains, true, "", filename, regexp.MustCompile(".*"))
+
+	twofer := content + content
+	testCheck(c, FileContains, false, "Failed to match with file contents:\nnot-so-random-string", filename, twofer)
+	testCheck(c, FileContains, false, "Failed to match with file contents:\n<binary data>", filename, []byte(twofer))
+	testCheck(c, FileContains, false, "Failed to match with file contents:\nnot-so-random-string", filename, myStringer{twofer})
+	// undocumented
+	testCheck(c, FileContains, false, "Failed to match with file contents:\nnot-so-random-string", filename, regexp.MustCompile("^$"))
+
+	testCheck(c, FileContains, false, `Cannot read file "": open : no such file or directory`, "", "")
+	testCheck(c, FileContains, false, "Filename must be a string", 42, "")
+	testCheck(c, FileContains, false, "Cannot compare file contents with something of type int", filename, 1)
+}
+
+func (s *fileContentCheckerSuite) TestFileMatches(c *check.C) {
+	d := c.MkDir()
+	content := "not-so-random-string"
+	filename := filepath.Join(d, "canary")
+	c.Assert(ioutil.WriteFile(filename, []byte(content), 0644), check.IsNil)
+
+	testInfo(c, FileMatches, "FileMatches", []string{"filename", "regex"})
+	testCheck(c, FileMatches, true, "", filename, ".*")
+	testCheck(c, FileMatches, true, "", filename, "^"+regexp.QuoteMeta(content)+"$")
+
+	testCheck(c, FileMatches, false, "Failed to match with file contents:\nnot-so-random-string", filename, "^$")
+	testCheck(c, FileMatches, false, "Failed to match with file contents:\nnot-so-random-string", filename, "123"+regexp.QuoteMeta(content))
+
+	testCheck(c, FileMatches, false, `Cannot read file "": open : no such file or directory`, "", "")
+	testCheck(c, FileMatches, false, "Filename must be a string", 42, ".*")
+	testCheck(c, FileMatches, false, "Regex must be a string", filename, 1)
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/filepresencechecker.go snapd-2.37~rc1~14.04/testutil/filepresencechecker.go
--- snapd-2.32.3.2~14.04/testutil/filepresencechecker.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/filepresencechecker.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,59 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil
+
+import (
+	"fmt"
+	"os"
+
+	"gopkg.in/check.v1"
+)
+
+type filePresenceChecker struct {
+	*check.CheckerInfo
+	present bool
+}
+
+// FilePresent verifies that the given file exists.
+var FilePresent check.Checker = &filePresenceChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "FilePresent", Params: []string{"filename"}},
+	present:     true,
+}
+
+// FileAbsent verifies that the given file does not exist.
+var FileAbsent check.Checker = &filePresenceChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "FileAbsent", Params: []string{"filename"}},
+	present:     false,
+}
+
+func (c *filePresenceChecker) Check(params []interface{}, names []string) (result bool, error string) {
+	filename, ok := params[0].(string)
+	if !ok {
+		return false, "filename must be a string"
+	}
+	_, err := os.Stat(filename)
+	if os.IsNotExist(err) && c.present {
+		return false, fmt.Sprintf("file %q is absent but should exist", filename)
+	}
+	if err == nil && !c.present {
+		return false, fmt.Sprintf("file %q is present but should not exist", filename)
+	}
+	return true, ""
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/filepresencechecker_test.go snapd-2.37~rc1~14.04/testutil/filepresencechecker_test.go
--- snapd-2.32.3.2~14.04/testutil/filepresencechecker_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/filepresencechecker_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,54 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+
+	"gopkg.in/check.v1"
+
+	. "github.com/snapcore/snapd/testutil"
+)
+
+type filePresenceCheckerSuite struct{}
+
+var _ = check.Suite(&filePresenceCheckerSuite{})
+
+func (*filePresenceCheckerSuite) TestFilePresent(c *check.C) {
+	d := c.MkDir()
+	filename := filepath.Join(d, "foo")
+	testInfo(c, FilePresent, "FilePresent", []string{"filename"})
+	testCheck(c, FilePresent, false, `filename must be a string`, 42)
+	testCheck(c, FilePresent, false, fmt.Sprintf(`file %q is absent but should exist`, filename), filename)
+	c.Assert(ioutil.WriteFile(filename, nil, 0644), check.IsNil)
+	testCheck(c, FilePresent, true, "", filename)
+}
+
+func (*filePresenceCheckerSuite) TestFileAbsent(c *check.C) {
+	d := c.MkDir()
+	filename := filepath.Join(d, "foo")
+	testInfo(c, FileAbsent, "FileAbsent", []string{"filename"})
+	testCheck(c, FileAbsent, false, `filename must be a string`, 42)
+	testCheck(c, FileAbsent, true, "", filename)
+	c.Assert(ioutil.WriteFile(filename, nil, 0644), check.IsNil)
+	testCheck(c, FileAbsent, false, fmt.Sprintf(`file %q is present but should not exist`, filename), filename)
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/intcheckers.go snapd-2.37~rc1~14.04/testutil/intcheckers.go
--- snapd-2.32.3.2~14.04/testutil/intcheckers.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/intcheckers.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,98 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil
+
+import (
+	"fmt"
+
+	"gopkg.in/check.v1"
+)
+
+type intChecker struct {
+	*check.CheckerInfo
+	rel string
+}
+
+func (checker *intChecker) Check(params []interface{}, names []string) (result bool, error string) {
+	a, ok := params[0].(int)
+	if !ok {
+		return false, "left-hand-side argument must be an int"
+	}
+	b, ok := params[1].(int)
+	if !ok {
+		return false, "right-hand-side argument must be an int"
+	}
+	switch checker.rel {
+	case "<":
+		result = a < b
+	case "<=":
+		result = a <= b
+	case "==":
+		result = a == b
+	case "!=":
+		result = a != b
+	case ">":
+		result = a > b
+	case ">=":
+		result = a >= b
+	default:
+		return false, fmt.Sprintf("unexpected relation %q", checker.rel)
+	}
+	if !result {
+		error = fmt.Sprintf("relation %d %s %d is not true", a, checker.rel, b)
+	}
+	return result, error
+}
+
+// IntLessThan checker verifies that one integer is less than other integer.
+//
+// For example:
+//     c.Assert(1, IntLessThan, 2)
+var IntLessThan = &intChecker{CheckerInfo: &check.CheckerInfo{Name: "IntLessThan", Params: []string{"a", "b"}}, rel: "<"}
+
+// IntLessEqual checker verifies that one integer is less than or equal to other integer.
+//
+// For example:
+//     c.Assert(1, IntLessEqual, 1)
+var IntLessEqual = &intChecker{CheckerInfo: &check.CheckerInfo{Name: "IntLessEqual", Params: []string{"a", "b"}}, rel: "<="}
+
+// IntEqual checker verifies that one integer is equal to other integer.
+//
+// For example:
+//     c.Assert(1, IntEqual, 1)
+var IntEqual = &intChecker{CheckerInfo: &check.CheckerInfo{Name: "IntEqual", Params: []string{"a", "b"}}, rel: "=="}
+
+// IntNotEqual checker verifies that one integer is not equal to other integer.
+//
+// For example:
+//     c.Assert(1, IntNotEqual, 2)
+var IntNotEqual = &intChecker{CheckerInfo: &check.CheckerInfo{Name: "IntNotEqual", Params: []string{"a", "b"}}, rel: "!="}
+
+// IntGreaterThan checker verifies that one integer is greater than other integer.
+//
+// For example:
+//     c.Assert(2, IntGreaterThan, 1)
+var IntGreaterThan = &intChecker{CheckerInfo: &check.CheckerInfo{Name: "IntGreaterThan", Params: []string{"a", "b"}}, rel: ">"}
+
+// IntGreaterEqual checker verifies that one integer is greater than or equal to other integer.
+//
+// For example:
+//     c.Assert(1, IntGreaterEqual, 2)
+var IntGreaterEqual = &intChecker{CheckerInfo: &check.CheckerInfo{Name: "IntGreaterEqual", Params: []string{"a", "b"}}, rel: ">="}
diff -Nru snapd-2.32.3.2~14.04/testutil/intcheckers_test.go snapd-2.37~rc1~14.04/testutil/intcheckers_test.go
--- snapd-2.32.3.2~14.04/testutil/intcheckers_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/intcheckers_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,55 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil_test
+
+import (
+	"gopkg.in/check.v1"
+
+	. "github.com/snapcore/snapd/testutil"
+)
+
+type intCheckersSuite struct{}
+
+var _ = check.Suite(&intCheckersSuite{})
+
+func (*intCheckersSuite) TestIntChecker(c *check.C) {
+	c.Assert(1, IntLessThan, 2)
+	c.Assert(1, IntLessEqual, 1)
+	c.Assert(1, IntEqual, 1)
+	c.Assert(2, IntNotEqual, 1)
+	c.Assert(2, IntGreaterThan, 1)
+	c.Assert(2, IntGreaterEqual, 2)
+
+	// Wrong argument types.
+	testCheck(c, IntLessThan, false, "left-hand-side argument must be an int", false, 1)
+	testCheck(c, IntLessThan, false, "right-hand-side argument must be an int", 1, false)
+
+	// Relationship error.
+	testCheck(c, IntLessThan, false, "relation 2 < 1 is not true", 2, 1)
+	testCheck(c, IntLessEqual, false, "relation 2 <= 1 is not true", 2, 1)
+	testCheck(c, IntEqual, false, "relation 2 == 1 is not true", 2, 1)
+	testCheck(c, IntNotEqual, false, "relation 2 != 2 is not true", 2, 2)
+	testCheck(c, IntGreaterThan, false, "relation 1 > 2 is not true", 1, 2)
+	testCheck(c, IntGreaterEqual, false, "relation 1 >= 2 is not true", 1, 2)
+
+	// Unexpected relation.
+	unexpected := UnexpectedIntChecker("===")
+	testCheck(c, unexpected, false, `unexpected relation "==="`, 1, 2)
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/lowlevel.go snapd-2.37~rc1~14.04/testutil/lowlevel.go
--- snapd-2.32.3.2~14.04/testutil/lowlevel.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/lowlevel.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,12 +26,12 @@
 	"syscall"
 	"time"
 
-	. "gopkg.in/check.v1"
+	"gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/osutil/sys"
 )
 
-const UMOUNT_NOFOLLOW = 8
+const umountNoFollow = 8
 
 // fakeFileInfo implements os.FileInfo for testing.
 //
@@ -49,6 +49,7 @@
 func (fi *fakeFileInfo) IsDir() bool       { return fi.Mode().IsDir() }
 func (*fakeFileInfo) Sys() interface{}     { panic("unexpected call") }
 
+// FakeFileInfo returns a fake object implementing os.FileInfo
 func FakeFileInfo(name string, mode os.FileMode) os.FileInfo {
 	return &fakeFileInfo{name: name, mode: mode}
 }
@@ -109,6 +110,10 @@
 // Please expand the set of recognized flags as tests require.
 func formatMountFlags(flags int) string {
 	var fl []string
+	if flags&syscall.MS_REMOUNT == syscall.MS_REMOUNT {
+		flags ^= syscall.MS_REMOUNT
+		fl = append(fl, "MS_REMOUNT")
+	}
 	if flags&syscall.MS_BIND == syscall.MS_BIND {
 		flags ^= syscall.MS_BIND
 		fl = append(fl, "MS_BIND")
@@ -136,8 +141,8 @@
 // Please expand the set of recognized flags as tests require.
 func formatUnmountFlags(flags int) string {
 	var fl []string
-	if flags&UMOUNT_NOFOLLOW == UMOUNT_NOFOLLOW {
-		flags ^= UMOUNT_NOFOLLOW
+	if flags&umountNoFollow == umountNoFollow {
+		flags ^= umountNoFollow
 		fl = append(fl, "UMOUNT_NOFOLLOW")
 	}
 	if flags&syscall.MNT_DETACH == syscall.MNT_DETACH {
@@ -153,6 +158,16 @@
 	return strings.Join(fl, "|")
 }
 
+// CallResultError describes a system call and the corresponding result or error.
+//
+// The field names stand for Call, Result and Error respectively. They are
+// abbreviated due to the nature of their use (in large quantity).
+type CallResultError struct {
+	C string
+	R interface{}
+	E error
+}
+
 // SyscallRecorder stores which system calls were invoked.
 //
 // The recorder supports a small set of features useful for testing: injecting
@@ -160,12 +175,14 @@
 // verification of file descriptors.
 type SyscallRecorder struct {
 	// History of all the system calls made.
-	calls []string
+	rcalls []CallResultError
 	// Error function for a given system call.
 	errors map[string]func() error
 	// pre-arranged result of lstat, fstat and readdir calls.
-	lstats      map[string]os.FileInfo
+	osLstats    map[string]os.FileInfo
+	sysLstats   map[string]syscall.Stat_t
 	fstats      map[string]syscall.Stat_t
+	fstatfses   map[string]func() syscall.Statfs_t
 	readdirs    map[string][]os.FileInfo
 	readlinkats map[string]string
 	// allocated file descriptors
@@ -199,6 +216,10 @@
 	}
 }
 
+// InsertFaultFunc arranges given function to be called whenever given call is made.
+//
+// The main purpose is to allow to vary the behavior of a given system call over time.
+// The provided function can return an error or nil to indicate success.
 func (sys *SyscallRecorder) InsertFaultFunc(call string, fn func() error) {
 	if sys.errors == nil {
 		sys.errors = make(map[string]func() error)
@@ -208,16 +229,35 @@
 
 // Calls returns the sequence of mocked calls that have been made.
 func (sys *SyscallRecorder) Calls() []string {
-	return sys.calls
+	if len(sys.rcalls) == 0 {
+		return nil
+	}
+	calls := make([]string, 0, len(sys.rcalls))
+	for _, rc := range sys.rcalls {
+		calls = append(calls, rc.C)
+	}
+	return calls
+}
+
+// RCalls returns the sequence of mocked calls that have been made along with their results.
+func (sys *SyscallRecorder) RCalls() []CallResultError {
+	return sys.rcalls
 }
 
-// call remembers that a given call has occurred and returns a pre-arranged error, if any
-func (sys *SyscallRecorder) call(call string) error {
-	sys.calls = append(sys.calls, call)
-	if fn := sys.errors[call]; fn != nil {
-		return fn()
+// rcall remembers that a given call has occurred and returns a pre-arranged error or value, if any
+func (sys *SyscallRecorder) rcall(call string, resultFn func(call string) (interface{}, error)) (val interface{}, err error) {
+	if errorFn := sys.errors[call]; errorFn != nil {
+		err = errorFn()
 	}
-	return nil
+	if err == nil && resultFn != nil {
+		val, err = resultFn(call)
+	}
+	if err != nil {
+		sys.rcalls = append(sys.rcalls, CallResultError{C: call, E: err})
+	} else {
+		sys.rcalls = append(sys.rcalls, CallResultError{C: call, R: val})
+	}
+	return val, err
 }
 
 // allocFd assigns a file descriptor to a given operation.
@@ -253,80 +293,131 @@
 	return nil
 }
 
-func (sys *SyscallRecorder) CheckForStrayDescriptors(c *C) {
-	c.Assert(sys.StrayDescriptorsError(), IsNil)
+// CheckForStrayDescriptors ensures that all fake file descriptors are closed.
+func (sys *SyscallRecorder) CheckForStrayDescriptors(c *check.C) {
+	c.Assert(sys.StrayDescriptorsError(), check.IsNil)
 }
 
+// Open is a fake implementation of syscall.Open
 func (sys *SyscallRecorder) Open(path string, flags int, mode uint32) (int, error) {
 	call := fmt.Sprintf("open %q %s %#o", path, formatOpenFlags(flags), mode)
-	if err := sys.call(call); err != nil {
+	fd, err := sys.rcall(call, func(call string) (interface{}, error) {
+		return sys.allocFd(call), nil
+	})
+	if err != nil {
 		return -1, err
 	}
-	return sys.allocFd(call), nil
+	return fd.(int), nil
 }
 
+// Openat is a fake implementation of syscall.Openat
 func (sys *SyscallRecorder) Openat(dirfd int, path string, flags int, mode uint32) (int, error) {
 	call := fmt.Sprintf("openat %d %q %s %#o", dirfd, path, formatOpenFlags(flags), mode)
-	if _, ok := sys.fds[dirfd]; !ok {
-		sys.calls = append(sys.calls, call)
-		return -1, fmt.Errorf("attempting to openat with an invalid file descriptor %d", dirfd)
-	}
-	if err := sys.call(call); err != nil {
+	fd, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[dirfd]; !ok {
+			return -1, fmt.Errorf("attempting to openat with an invalid file descriptor %d", dirfd)
+		}
+		return sys.allocFd(call), nil
+	})
+	if err != nil {
 		return -1, err
 	}
-	return sys.allocFd(call), nil
+	return fd.(int), nil
 }
 
+// Close is a fake implementation of syscall.Close
 func (sys *SyscallRecorder) Close(fd int) error {
-	if err := sys.call(fmt.Sprintf("close %d", fd)); err != nil {
-		return err
-	}
-	return sys.freeFd(fd)
+	call := fmt.Sprintf("close %d", fd)
+	_, err := sys.rcall(call, func(call string) (interface{}, error) {
+		return nil, sys.freeFd(fd)
+	})
+	return err
 }
 
+// Fchown is a fake implementation of syscall.Fchown
 func (sys *SyscallRecorder) Fchown(fd int, uid sys.UserID, gid sys.GroupID) error {
 	call := fmt.Sprintf("fchown %d %d %d", fd, uid, gid)
-	if _, ok := sys.fds[fd]; !ok {
-		sys.calls = append(sys.calls, call)
-		return fmt.Errorf("attempting to fchown an invalid file descriptor %d", fd)
-	}
-	return sys.call(call)
+	_, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[fd]; !ok {
+			return nil, fmt.Errorf("attempting to fchown an invalid file descriptor %d", fd)
+		}
+		return nil, nil
+	})
+	return err
 }
 
+// Mkdirat is a fake implementation of syscall.Mkdirat
 func (sys *SyscallRecorder) Mkdirat(dirfd int, path string, mode uint32) error {
 	call := fmt.Sprintf("mkdirat %d %q %#o", dirfd, path, mode)
-	if _, ok := sys.fds[dirfd]; !ok {
-		sys.calls = append(sys.calls, call)
-		return fmt.Errorf("attempting to mkdirat with an invalid file descriptor %d", dirfd)
-	}
-	return sys.call(call)
+	_, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[dirfd]; !ok {
+			return nil, fmt.Errorf("attempting to mkdirat with an invalid file descriptor %d", dirfd)
+		}
+		return nil, nil
+	})
+	return err
+}
+
+// Mount is a fake implementation of syscall.Mount
+func (sys *SyscallRecorder) Mount(source string, target string, fstype string, flags uintptr, data string) error {
+	call := fmt.Sprintf("mount %q %q %q %s %q", source, target, fstype, formatMountFlags(int(flags)), data)
+	_, err := sys.rcall(call, nil)
+	return err
 }
 
-func (sys *SyscallRecorder) Mount(source string, target string, fstype string, flags uintptr, data string) (err error) {
-	return sys.call(fmt.Sprintf("mount %q %q %q %s %q", source, target, fstype, formatMountFlags(int(flags)), data))
+// Unmount is a fake implementation of syscall.Unmount
+func (sys *SyscallRecorder) Unmount(target string, flags int) error {
+	call := fmt.Sprintf("unmount %q %s", target, formatUnmountFlags(flags))
+	_, err := sys.rcall(call, nil)
+	return err
 }
 
-func (sys *SyscallRecorder) Unmount(target string, flags int) (err error) {
-	return sys.call(fmt.Sprintf("unmount %q %s", target, formatUnmountFlags(flags)))
+// InsertOsLstatResult makes given subsequent call to OsLstat return the specified fake file info.
+func (sys *SyscallRecorder) InsertOsLstatResult(call string, fi os.FileInfo) {
+	if sys.osLstats == nil {
+		sys.osLstats = make(map[string]os.FileInfo)
+	}
+	sys.osLstats[call] = fi
 }
 
-// InsertLstatResult makes given subsequent call lstat return the specified fake file info.
-func (sys *SyscallRecorder) InsertLstatResult(call string, fi os.FileInfo) {
-	if sys.lstats == nil {
-		sys.lstats = make(map[string]os.FileInfo)
+// InsertSysLstatResult makes given subsequent call to SysLstat return the specified fake file info.
+func (sys *SyscallRecorder) InsertSysLstatResult(call string, sb syscall.Stat_t) {
+	if sys.sysLstats == nil {
+		sys.sysLstats = make(map[string]syscall.Stat_t)
 	}
-	sys.lstats[call] = fi
+	sys.sysLstats[call] = sb
 }
 
-func (sys *SyscallRecorder) Lstat(name string) (os.FileInfo, error) {
+// OsLstat is a fake implementation of os.Lstat
+func (sys *SyscallRecorder) OsLstat(name string) (os.FileInfo, error) {
+	// NOTE the syscall.Lstat uses a different signature `lstat %q <ptr>`.
 	call := fmt.Sprintf("lstat %q", name)
-	if err := sys.call(call); err != nil {
+	val, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if fi, ok := sys.osLstats[call]; ok {
+			return fi, nil
+		}
+		panic(fmt.Sprintf("one of InsertOsLstatResult() or InsertFault() for %s must be used", call))
+	})
+	if err != nil {
 		return nil, err
 	}
-	if fi, ok := sys.lstats[call]; ok {
-		return fi, nil
+	return val.(os.FileInfo), err
+}
+
+// SysLstat is a fake implementation of syscall.Lstat
+func (sys *SyscallRecorder) SysLstat(name string, sb *syscall.Stat_t) error {
+	// NOTE the os.Lstat uses a different signature `lstat %q`.
+	call := fmt.Sprintf("lstat %q <ptr>", name)
+	val, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if buf, ok := sys.sysLstats[call]; ok {
+			return buf, nil
+		}
+		panic(fmt.Sprintf("one of InsertSysLstatResult() or InsertFault() for %s must be used", call))
+	})
+	if err == nil && sb != nil {
+		*sb = val.(syscall.Stat_t)
 	}
-	panic(fmt.Sprintf("one of InsertLstatResult() or InsertFault() for %s must be used", call))
+	return err
 }
 
 // InsertFstatResult makes given subsequent call fstat return the specified stat buffer.
@@ -337,20 +428,65 @@
 	sys.fstats[call] = buf
 }
 
+// Fstat is a fake implementation of syscall.Fstat
 func (sys *SyscallRecorder) Fstat(fd int, buf *syscall.Stat_t) error {
 	call := fmt.Sprintf("fstat %d <ptr>", fd)
-	if _, ok := sys.fds[fd]; !ok {
-		sys.calls = append(sys.calls, call)
-		return fmt.Errorf("attempting to fstat with an invalid file descriptor %d", fd)
-	}
-	if err := sys.call(call); err != nil {
-		return err
+	val, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[fd]; !ok {
+			return nil, fmt.Errorf("attempting to fstat with an invalid file descriptor %d", fd)
+		}
+		if buf, ok := sys.fstats[call]; ok {
+			return buf, nil
+		}
+		panic(fmt.Sprintf("one of InsertFstatResult() or InsertFault() for %s must be used", call))
+	})
+	if err == nil && buf != nil {
+		*buf = val.(syscall.Stat_t)
+	}
+	return err
+}
+
+// InsertFstatfsResult makes given subsequent call fstatfs return the specified stat buffer.
+func (sys *SyscallRecorder) InsertFstatfsResult(call string, bufs ...syscall.Statfs_t) {
+	if sys.fstatfses == nil {
+		sys.fstatfses = make(map[string]func() syscall.Statfs_t)
+	}
+	if len(bufs) == 0 {
+		panic("cannot provide zero results to InsertFstatfsResult")
+	}
+	if len(bufs) == 1 {
+		// deterministic behavior
+		sys.fstatfses[call] = func() syscall.Statfs_t {
+			return bufs[0]
+		}
+	} else {
+		// sequential results with the last element repeated forever.
+		sys.fstatfses[call] = func() syscall.Statfs_t {
+			buf := bufs[0]
+			if len(bufs) > 1 {
+				bufs = bufs[1:]
+			}
+			return buf
+		}
 	}
-	if b, ok := sys.fstats[call]; ok {
-		*buf = b
-		return nil
+}
+
+// Fstatfs is a fake implementation of syscall.Fstatfs
+func (sys *SyscallRecorder) Fstatfs(fd int, buf *syscall.Statfs_t) error {
+	call := fmt.Sprintf("fstatfs %d <ptr>", fd)
+	val, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[fd]; !ok {
+			return nil, fmt.Errorf("attempting to fstatfs with an invalid file descriptor %d", fd)
+		}
+		if bufFn, ok := sys.fstatfses[call]; ok {
+			return bufFn(), nil
+		}
+		panic(fmt.Sprintf("one of InsertFstatfsResult() or InsertFault() for %s must be used", call))
+	})
+	if err == nil && buf != nil {
+		*buf = val.(syscall.Statfs_t)
 	}
-	panic(fmt.Sprintf("one of InsertFstatResult() or InsertFault() for %s must be used", call))
+	return err
 }
 
 // InsertReadDirResult makes given subsequent call readdir return the specified fake file infos.
@@ -361,29 +497,38 @@
 	sys.readdirs[call] = infos
 }
 
+// ReadDir is a fake implementation of os.ReadDir
 func (sys *SyscallRecorder) ReadDir(dirname string) ([]os.FileInfo, error) {
 	call := fmt.Sprintf("readdir %q", dirname)
-	if err := sys.call(call); err != nil {
-		return nil, err
-	}
-	if fi, ok := sys.readdirs[call]; ok {
-		return fi, nil
+	val, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if fi, ok := sys.readdirs[call]; ok {
+			return fi, nil
+		}
+		panic(fmt.Sprintf("one of InsertReadDirResult() or InsertFault() for %s must be used", call))
+	})
+	if err == nil {
+		return val.([]os.FileInfo), nil
 	}
-	panic(fmt.Sprintf("one of InsertReadDirResult() or InsertFault() for %s must be used", call))
+	return nil, err
 }
 
+// Symlink is a fake implementation of syscall.Symlink
 func (sys *SyscallRecorder) Symlink(oldname, newname string) error {
 	call := fmt.Sprintf("symlink %q -> %q", newname, oldname)
-	return sys.call(call)
+	_, err := sys.rcall(call, nil)
+	return err
 }
 
+// Symlinkat is a fake implementation of osutil.Symlinkat (syscall.Symlinkat is not exposed)
 func (sys *SyscallRecorder) Symlinkat(oldname string, dirfd int, newname string) error {
 	call := fmt.Sprintf("symlinkat %q %d %q", oldname, dirfd, newname)
-	if _, ok := sys.fds[dirfd]; !ok {
-		sys.calls = append(sys.calls, call)
-		return fmt.Errorf("attempting to symlinkat with an invalid file descriptor %d", dirfd)
-	}
-	return sys.call(call)
+	_, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[dirfd]; !ok {
+			return nil, fmt.Errorf("attempting to symlinkat with an invalid file descriptor %d", dirfd)
+		}
+		return nil, nil
+	})
+	return err
 }
 
 // InsertReadlinkatResult makes given subsequent call to readlinkat return the specified oldname.
@@ -394,23 +539,40 @@
 	sys.readlinkats[call] = oldname
 }
 
+// Readlinkat is a fake implementation of osutil.Readlinkat (syscall.Readlinkat is not exposed)
 func (sys *SyscallRecorder) Readlinkat(dirfd int, path string, buf []byte) (int, error) {
 	call := fmt.Sprintf("readlinkat %d %q <ptr>", dirfd, path)
-	if _, ok := sys.fds[dirfd]; !ok {
-		sys.calls = append(sys.calls, call)
-		return 0, fmt.Errorf("attempting to readlinkat with an invalid file descriptor %d", dirfd)
-	}
-	if err := sys.call(call); err != nil {
-		return 0, err
-	}
-	if oldname, ok := sys.readlinkats[call]; ok {
-		n := copy(buf, oldname)
+	val, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[dirfd]; !ok {
+			return nil, fmt.Errorf("attempting to readlinkat with an invalid file descriptor %d", dirfd)
+		}
+		if oldname, ok := sys.readlinkats[call]; ok {
+			return oldname, nil
+		}
+		panic(fmt.Sprintf("one of InsertReadlinkatResult() or InsertFault() for %s must be used", call))
+	})
+	if err == nil {
+		n := copy(buf, val.(string))
 		return n, nil
 	}
-	panic(fmt.Sprintf("one of InsertReadlinkatResult() or InsertFault() for %s must be used", call))
+	return 0, err
 }
 
+// Remove is a fake implementation of os.Remove
 func (sys *SyscallRecorder) Remove(name string) error {
 	call := fmt.Sprintf("remove %q", name)
-	return sys.call(call)
+	_, err := sys.rcall(call, nil)
+	return err
+}
+
+// Fchdir is a fake implementation of syscall.Fchdir
+func (sys *SyscallRecorder) Fchdir(fd int) error {
+	call := fmt.Sprintf("fchdir %d", fd)
+	_, err := sys.rcall(call, func(call string) (interface{}, error) {
+		if _, ok := sys.fds[fd]; !ok {
+			return nil, fmt.Errorf("attempting to fchdir with an invalid file descriptor %d", fd)
+		}
+		return nil, nil
+	})
+	return err
 }
diff -Nru snapd-2.32.3.2~14.04/testutil/lowlevel_test.go snapd-2.37~rc1~14.04/testutil/lowlevel_test.go
--- snapd-2.32.3.2~14.04/testutil/lowlevel_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/lowlevel_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -26,73 +26,92 @@
 	"os"
 	"syscall"
 
-	. "gopkg.in/check.v1"
+	"gopkg.in/check.v1"
 )
 
 type lowLevelSuite struct {
 	sys *testutil.SyscallRecorder
 }
 
-var _ = Suite(&lowLevelSuite{})
+var _ = check.Suite(&lowLevelSuite{})
 
-func (s *lowLevelSuite) SetUpTest(c *C) {
+func (s *lowLevelSuite) SetUpTest(c *check.C) {
 	s.sys = &testutil.SyscallRecorder{}
 }
 
-func (s *lowLevelSuite) TestFakeFileInfo(c *C) {
+func (s *lowLevelSuite) TestFakeFileInfo(c *check.C) {
 	ffi := testutil.FakeFileInfo("name", 0755)
-	c.Assert(ffi.Name(), Equals, "name")
-	c.Assert(ffi.Mode(), Equals, os.FileMode(0755))
+	c.Assert(ffi.Name(), check.Equals, "name")
+	c.Assert(ffi.Mode(), check.Equals, os.FileMode(0755))
 
-	c.Assert(testutil.FileInfoFile.Mode().IsDir(), Equals, false)
-	c.Assert(testutil.FileInfoFile.Mode().IsRegular(), Equals, true)
-	c.Assert(testutil.FileInfoFile.IsDir(), Equals, false)
+	c.Assert(testutil.FileInfoFile.Mode().IsDir(), check.Equals, false)
+	c.Assert(testutil.FileInfoFile.Mode().IsRegular(), check.Equals, true)
+	c.Assert(testutil.FileInfoFile.IsDir(), check.Equals, false)
 
-	c.Assert(testutil.FileInfoDir.Mode().IsDir(), Equals, true)
-	c.Assert(testutil.FileInfoDir.Mode().IsRegular(), Equals, false)
-	c.Assert(testutil.FileInfoDir.IsDir(), Equals, true)
+	c.Assert(testutil.FileInfoDir.Mode().IsDir(), check.Equals, true)
+	c.Assert(testutil.FileInfoDir.Mode().IsRegular(), check.Equals, false)
+	c.Assert(testutil.FileInfoDir.IsDir(), check.Equals, true)
 
-	c.Assert(testutil.FileInfoSymlink.Mode().IsDir(), Equals, false)
-	c.Assert(testutil.FileInfoSymlink.Mode().IsRegular(), Equals, false)
-	c.Assert(testutil.FileInfoSymlink.IsDir(), Equals, false)
+	c.Assert(testutil.FileInfoSymlink.Mode().IsDir(), check.Equals, false)
+	c.Assert(testutil.FileInfoSymlink.Mode().IsRegular(), check.Equals, false)
+	c.Assert(testutil.FileInfoSymlink.IsDir(), check.Equals, false)
 }
 
-func (s *lowLevelSuite) TestOpenSuccess(c *C) {
+func (s *lowLevelSuite) TestOpenSuccess(c *check.C) {
 	// By default system calls succeed and get recorded for inspection.
 	fd, err := s.sys.Open("/some/path", syscall.O_NOFOLLOW|syscall.O_CLOEXEC|syscall.O_RDWR|syscall.O_CREAT|syscall.O_EXCL, 0)
-	c.Assert(err, IsNil)
-	c.Assert(fd, Equals, 3)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(fd, check.Equals, 3)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/some/path" O_NOFOLLOW|O_CLOEXEC|O_RDWR|O_CREAT|O_EXCL 0`, // -> 3
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/some/path" O_NOFOLLOW|O_CLOEXEC|O_RDWR|O_CREAT|O_EXCL 0`, R: 3},
+	})
 }
 
-func (s *lowLevelSuite) TestOpenFailure(c *C) {
+func (s *lowLevelSuite) TestOpenFailure(c *check.C) {
 	// Any call can be made to fail using InsertFault()
 	s.sys.InsertFault(`open "/some/path" 0 0`, syscall.ENOENT)
 	fd, err := s.sys.Open("/some/path", 0, 0)
-	c.Assert(err, ErrorMatches, "no such file or directory")
-	c.Assert(fd, Equals, -1)
+	c.Assert(err, check.ErrorMatches, "no such file or directory")
+	c.Assert(fd, check.Equals, -1)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/some/path" 0 0`, // -> ENOENT
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/some/path" 0 0`, E: syscall.ENOENT},
+	})
 }
 
-func (s *lowLevelSuite) TestOpenVariableFailure(c *C) {
+func (s *lowLevelSuite) TestOpenVariableFailure(c *check.C) {
 	// The way a particular call fails may vary over time.
 	// Subsequent errors are returned on subsequent calls.
 	s.sys.InsertFault(`open "/some/path" O_RDWR 0`, syscall.ENOENT, syscall.EPERM)
 	fd, err := s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, ErrorMatches, "no such file or directory")
-	c.Assert(fd, Equals, -1)
+	c.Assert(err, check.ErrorMatches, "no such file or directory")
+	c.Assert(fd, check.Equals, -1)
 	// 2nd attempt
 	fd, err = s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(fd, Equals, -1)
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(fd, check.Equals, -1)
 	// 3rd attempt
 	fd, err = s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, IsNil)
-	c.Assert(fd, Equals, 3)
+	c.Assert(err, check.IsNil)
+	c.Assert(fd, check.Equals, 3)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/some/path" O_RDWR 0`, // -> ENOENT
+		`open "/some/path" O_RDWR 0`, // -> EPERM
+		`open "/some/path" O_RDWR 0`, // -> 3
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/some/path" O_RDWR 0`, E: syscall.ENOENT},
+		{C: `open "/some/path" O_RDWR 0`, E: syscall.EPERM},
+		{C: `open "/some/path" O_RDWR 0`, R: 3},
+	})
 }
 
-func (s *lowLevelSuite) TestOpenCustomFailure(c *C) {
+func (s *lowLevelSuite) TestOpenCustomFailure(c *check.C) {
 	// The way a particular call may also be arbitrarily programmed.
 	n := 3
 	s.sys.InsertFaultFunc(`open "/some/path" O_RDWR 0`, func() error {
@@ -104,375 +123,656 @@
 		return nil
 	})
 	_, err := s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, ErrorMatches, "3 more")
+	c.Assert(err, check.ErrorMatches, "3 more")
 	_, err = s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, ErrorMatches, "2 more")
+	c.Assert(err, check.ErrorMatches, "2 more")
 	_, err = s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, ErrorMatches, "1 more")
+	c.Assert(err, check.ErrorMatches, "1 more")
 	fd, err := s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, IsNil)
-	c.Assert(fd, Equals, 3)
+	c.Assert(err, check.IsNil)
+	c.Assert(fd, check.Equals, 3)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/some/path" O_RDWR 0`, // -> 3 more
+		`open "/some/path" O_RDWR 0`, // -> 2 more
+		`open "/some/path" O_RDWR 0`, // -> 1 more
+		`open "/some/path" O_RDWR 0`, // -> 3
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/some/path" O_RDWR 0`, E: fmt.Errorf("3 more")},
+		{C: `open "/some/path" O_RDWR 0`, E: fmt.Errorf("2 more")},
+		{C: `open "/some/path" O_RDWR 0`, E: fmt.Errorf("1 more")},
+		{C: `open "/some/path" O_RDWR 0`, R: 3},
+	})
 }
 
-func (s *lowLevelSuite) TestUnclosedFile(c *C) {
+func (s *lowLevelSuite) TestUnclosedFile(c *check.C) {
 	// Open file descriptors can be detected in suite teardown using either
 	// StrayDescriptorError or CheckForStrayDescriptors.
 	fd, err := s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, IsNil)
-	c.Assert(fd, Equals, 3)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(fd, check.Equals, 3)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/some/path" O_RDWR 0`, // -> 3
 	})
-	c.Assert(s.sys.StrayDescriptorsError(), ErrorMatches,
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/some/path" O_RDWR 0`, R: 3},
+	})
+	c.Assert(s.sys.StrayDescriptorsError(), check.ErrorMatches,
 		`unclosed file descriptor 3 \(open "/some/path" O_RDWR 0\)`)
 }
 
-func (s *lowLevelSuite) TestUnopenedFile(c *C) {
+func (s *lowLevelSuite) TestUnopenedFile(c *check.C) {
 	// Closing unopened file descriptors is an error.
 	err := s.sys.Close(7)
-	c.Assert(err, ErrorMatches, "attempting to close a closed file descriptor 7")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`close 7`})
+	c.Assert(err, check.ErrorMatches, "attempting to close a closed file descriptor 7")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{`close 7`})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `close 7`, E: fmt.Errorf("attempting to close a closed file descriptor 7")},
+	})
 }
 
-func (s *lowLevelSuite) TestCloseSuccess(c *C) {
+func (s *lowLevelSuite) TestCloseSuccess(c *check.C) {
 	// Closing file descriptors handles the bookkeeping.
 	fd, err := s.sys.Open("/some/path", syscall.O_RDWR, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	err = s.sys.Close(fd)
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/some/path" O_RDWR 0`, // -> 3
 		`close 3`,
 	})
-	c.Assert(s.sys.StrayDescriptorsError(), IsNil)
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/some/path" O_RDWR 0`, R: 3},
+		{C: `close 3`},
+	})
+	c.Assert(s.sys.StrayDescriptorsError(), check.IsNil)
 }
 
-func (s *lowLevelSuite) TestCloseFailure(c *C) {
+func (s *lowLevelSuite) TestCloseFailure(c *check.C) {
 	// Close can be made to fail just like any other function.
 	s.sys.InsertFault(`close 3`, syscall.ENOSYS)
 	err := s.sys.Close(3)
-	c.Assert(err, ErrorMatches, "function not implemented")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.ErrorMatches, "function not implemented")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`close 3`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `close 3`, E: syscall.ENOSYS},
+	})
 }
 
-func (s *lowLevelSuite) TestOpenatSuccess(c *C) {
+func (s *lowLevelSuite) TestOpenatSuccess(c *check.C) {
 	dirfd, err := s.sys.Open("/", syscall.O_DIRECTORY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	fd, err := s.sys.Openat(dirfd, "foo", syscall.O_DIRECTORY, 0)
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Close(fd), IsNil)
-	c.Assert(s.sys.Close(dirfd), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Close(fd), check.IsNil)
+	c.Assert(s.sys.Close(dirfd), check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/" O_DIRECTORY 0`,       // -> 3
 		`openat 3 "foo" O_DIRECTORY 0`, // -> 4
 		`close 4`,
 		`close 3`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/" O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "foo" O_DIRECTORY 0`, R: 4},
+		{C: `close 4`},
+		{C: `close 3`},
+	})
 }
 
-func (s *lowLevelSuite) TestOpenatFailure(c *C) {
+func (s *lowLevelSuite) TestOpenatFailure(c *check.C) {
 	dirfd, err := s.sys.Open("/", syscall.O_DIRECTORY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	s.sys.InsertFault(`openat 3 "foo" O_DIRECTORY 0`, syscall.ENOENT)
 	fd, err := s.sys.Openat(dirfd, "foo", syscall.O_DIRECTORY, 0)
-	c.Assert(err, ErrorMatches, "no such file or directory")
-	c.Assert(fd, Equals, -1)
-	c.Assert(s.sys.Close(dirfd), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.ErrorMatches, "no such file or directory")
+	c.Assert(fd, check.Equals, -1)
+	c.Assert(s.sys.Close(dirfd), check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/" O_DIRECTORY 0`,       // -> 3
 		`openat 3 "foo" O_DIRECTORY 0`, // -> ENOENT
 		`close 3`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/" O_DIRECTORY 0`, R: 3},
+		{C: `openat 3 "foo" O_DIRECTORY 0`, E: syscall.ENOENT},
+		{C: `close 3`},
+	})
 }
 
-func (s *lowLevelSuite) TestOpenatBadFd(c *C) {
+func (s *lowLevelSuite) TestOpenatBadFd(c *check.C) {
 	fd, err := s.sys.Openat(3, "foo", syscall.O_DIRECTORY, 0)
-	c.Assert(err, ErrorMatches, "attempting to openat with an invalid file descriptor 3")
-	c.Assert(fd, Equals, -1)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.ErrorMatches, "attempting to openat with an invalid file descriptor 3")
+	c.Assert(fd, check.Equals, -1)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`openat 3 "foo" O_DIRECTORY 0`, // -> error
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `openat 3 "foo" O_DIRECTORY 0`, E: fmt.Errorf("attempting to openat with an invalid file descriptor 3")},
+	})
 }
 
-func (s *lowLevelSuite) TestFchownSuccess(c *C) {
+func (s *lowLevelSuite) TestFchownSuccess(c *check.C) {
 	fd, err := s.sys.Open("/", syscall.O_DIRECTORY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	err = s.sys.Fchown(fd, 0, 0)
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Close(fd), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Close(fd), check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/" O_DIRECTORY 0`, // -> 3
 		`fchown 3 0 0`,
 		`close 3`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/" O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`},
+		{C: `close 3`},
+	})
 }
 
-func (s *lowLevelSuite) TestFchownFailure(c *C) {
+func (s *lowLevelSuite) TestFchownFailure(c *check.C) {
 	fd, err := s.sys.Open("/", syscall.O_DIRECTORY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	s.sys.InsertFault(`fchown 3 0 0`, syscall.EPERM)
 	err = s.sys.Fchown(fd, 0, 0)
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(s.sys.Close(fd), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(s.sys.Close(fd), check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/" O_DIRECTORY 0`, // -> 3
 		`fchown 3 0 0`,           // -> EPERM
 		`close 3`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/" O_DIRECTORY 0`, R: 3},
+		{C: `fchown 3 0 0`, E: syscall.EPERM},
+		{C: `close 3`},
+	})
 }
 
-func (s *lowLevelSuite) TestFchownBadFd(c *C) {
+func (s *lowLevelSuite) TestFchownBadFd(c *check.C) {
 	err := s.sys.Fchown(3, 0, 0)
-	c.Assert(err, ErrorMatches, "attempting to fchown an invalid file descriptor 3")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.ErrorMatches, "attempting to fchown an invalid file descriptor 3")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`fchown 3 0 0`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `fchown 3 0 0`, E: fmt.Errorf("attempting to fchown an invalid file descriptor 3")},
+	})
 }
 
-func (s *lowLevelSuite) TestMkdiratSuccess(c *C) {
+func (s *lowLevelSuite) TestMkdiratSuccess(c *check.C) {
 	fd, err := s.sys.Open("/", syscall.O_DIRECTORY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	err = s.sys.Mkdirat(fd, "foo", 0755)
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Close(fd), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Close(fd), check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/" O_DIRECTORY 0`, // -> 3
 		`mkdirat 3 "foo" 0755`,
 		`close 3`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/" O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "foo" 0755`},
+		{C: `close 3`},
+	})
 }
 
-func (s *lowLevelSuite) TestMkdiratFailure(c *C) {
+func (s *lowLevelSuite) TestMkdiratFailure(c *check.C) {
 	fd, err := s.sys.Open("/", syscall.O_DIRECTORY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	s.sys.InsertFault(`mkdirat 3 "foo" 0755`, syscall.EPERM)
 	err = s.sys.Mkdirat(fd, "foo", 0755)
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(s.sys.Close(fd), IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(s.sys.Close(fd), check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/" O_DIRECTORY 0`, // -> 3
 		`mkdirat 3 "foo" 0755`,   // -> EPERM
 		`close 3`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/" O_DIRECTORY 0`, R: 3},
+		{C: `mkdirat 3 "foo" 0755`, E: syscall.EPERM},
+		{C: `close 3`},
+	})
 }
 
-func (s *lowLevelSuite) TestMkdiratBadFd(c *C) {
+func (s *lowLevelSuite) TestMkdiratBadFd(c *check.C) {
 	err := s.sys.Mkdirat(3, "foo", 0755)
-	c.Assert(err, ErrorMatches, "attempting to mkdirat with an invalid file descriptor 3")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`mkdirat 3 "foo" 0755`})
+	c.Assert(err, check.ErrorMatches, "attempting to mkdirat with an invalid file descriptor 3")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`mkdirat 3 "foo" 0755`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `mkdirat 3 "foo" 0755`, E: fmt.Errorf("attempting to mkdirat with an invalid file descriptor 3")},
+	})
 }
 
-func (s *lowLevelSuite) TestMountSuccess(c *C) {
+func (s *lowLevelSuite) TestMountSuccess(c *check.C) {
 	err := s.sys.Mount("source", "target", "fstype", syscall.MS_BIND|syscall.MS_REC|syscall.MS_RDONLY, "")
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`mount "source" "target" "fstype" MS_BIND|MS_REC|MS_RDONLY ""`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `mount "source" "target" "fstype" MS_BIND|MS_REC|MS_RDONLY ""`},
+	})
 }
 
-func (s *lowLevelSuite) TestMountFailure(c *C) {
+func (s *lowLevelSuite) TestMountFailure(c *check.C) {
 	s.sys.InsertFault(`mount "source" "target" "fstype" 0 ""`, syscall.EPERM)
 	err := s.sys.Mount("source", "target", "fstype", 0, "")
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`mount "source" "target" "fstype" 0 ""`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `mount "source" "target" "fstype" 0 ""`, E: syscall.EPERM},
+	})
 }
 
-func (s *lowLevelSuite) TestUnmountSuccess(c *C) {
-	err := s.sys.Unmount("target", testutil.UMOUNT_NOFOLLOW|syscall.MNT_DETACH)
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "target" UMOUNT_NOFOLLOW|MNT_DETACH`})
+func (s *lowLevelSuite) TestUnmountSuccess(c *check.C) {
+	err := s.sys.Unmount("target", testutil.UmountNoFollow|syscall.MNT_DETACH)
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{`unmount "target" UMOUNT_NOFOLLOW|MNT_DETACH`})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `unmount "target" UMOUNT_NOFOLLOW|MNT_DETACH`},
+	})
 }
 
-func (s *lowLevelSuite) TestUnmountFailure(c *C) {
+func (s *lowLevelSuite) TestUnmountFailure(c *check.C) {
 	s.sys.InsertFault(`unmount "target" 0`, syscall.EPERM)
 	err := s.sys.Unmount("target", 0)
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`unmount "target" 0`})
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{`unmount "target" 0`})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `unmount "target" 0`, E: syscall.EPERM},
+	})
 }
 
-func (s *lowLevelSuite) TestLstat(c *C) {
+func (s *lowLevelSuite) TestOsLstat(c *check.C) {
 	// When a function returns some data it must be fed either an error or a result.
-	c.Assert(func() { s.sys.Lstat("/foo") }, PanicMatches,
-		`one of InsertLstatResult\(\) or InsertFault\(\) for lstat "/foo" must be used`)
+	c.Assert(func() { s.sys.OsLstat("/foo") }, check.PanicMatches,
+		`one of InsertOsLstatResult\(\) or InsertFault\(\) for lstat "/foo" must be used`)
 }
 
-func (s *lowLevelSuite) TestLstatSuccess(c *C) {
+func (s *lowLevelSuite) TestOsLstatSuccess(c *check.C) {
 	// The fed data is returned in absence of errors.
-	s.sys.InsertLstatResult(`lstat "/foo"`, testutil.FileInfoFile)
-	fi, err := s.sys.Lstat("/foo")
-	c.Assert(err, IsNil)
-	c.Assert(fi, DeepEquals, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/foo"`, testutil.FileInfoFile)
+	fi, err := s.sys.OsLstat("/foo")
+	c.Assert(err, check.IsNil)
+	c.Assert(fi, check.DeepEquals, testutil.FileInfoFile)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{`lstat "/foo"`})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `lstat "/foo"`, R: testutil.FileInfoFile},
+	})
 }
 
-func (s *lowLevelSuite) TestLstatFailure(c *C) {
+func (s *lowLevelSuite) TestOsLstatFailure(c *check.C) {
 	// Errors take priority over data.
-	s.sys.InsertLstatResult(`lstat "/foo"`, testutil.FileInfoFile)
+	s.sys.InsertOsLstatResult(`lstat "/foo"`, testutil.FileInfoFile)
 	s.sys.InsertFault(`lstat "/foo"`, syscall.ENOENT)
-	fi, err := s.sys.Lstat("/foo")
-	c.Assert(err, ErrorMatches, "no such file or directory")
-	c.Assert(fi, IsNil)
+	fi, err := s.sys.OsLstat("/foo")
+	c.Assert(err, check.ErrorMatches, "no such file or directory")
+	c.Assert(fi, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{`lstat "/foo"`})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `lstat "/foo"`, E: syscall.ENOENT},
+	})
+}
+
+func (s *lowLevelSuite) TestSysLstat(c *check.C) {
+	// When a function returns some data it must be fed either an error or a result.
+	var buf syscall.Stat_t
+	c.Assert(func() { s.sys.SysLstat("/foo", &buf) }, check.PanicMatches,
+		`one of InsertSysLstatResult\(\) or InsertFault\(\) for lstat "/foo" <ptr> must be used`)
+}
+
+func (s *lowLevelSuite) TestSysLstatSuccess(c *check.C) {
+	// The fed data is returned in absence of errors.
+	var buf syscall.Stat_t
+	s.sys.InsertSysLstatResult(`lstat "/foo" <ptr>`, syscall.Stat_t{Uid: 123})
+	err := s.sys.SysLstat("/foo", &buf)
+	c.Assert(err, check.IsNil)
+	c.Assert(buf, check.DeepEquals, syscall.Stat_t{Uid: 123})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`lstat "/foo" <ptr>`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `lstat "/foo" <ptr>`, R: syscall.Stat_t{Uid: 123}},
+	})
+}
+
+func (s *lowLevelSuite) TestSysLstatFailure(c *check.C) {
+	// Errors take priority over data.
+	var buf syscall.Stat_t
+	s.sys.InsertSysLstatResult(`lstat "/foo" <ptr>`, syscall.Stat_t{Uid: 123})
+	s.sys.InsertFault(`lstat "/foo" <ptr>`, syscall.ENOENT)
+	err := s.sys.SysLstat("/foo", &buf)
+	c.Assert(err, check.ErrorMatches, "no such file or directory")
+	c.Assert(buf, check.DeepEquals, syscall.Stat_t{})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`lstat "/foo" <ptr>`, // -> ENOENT
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `lstat "/foo" <ptr>`, E: syscall.ENOENT},
+	})
 }
 
-func (s *lowLevelSuite) TestFstat(c *C) {
+func (s *lowLevelSuite) TestFstat(c *check.C) {
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	var buf syscall.Stat_t
-	c.Assert(func() { s.sys.Fstat(fd, &buf) }, PanicMatches,
+	c.Assert(func() { s.sys.Fstat(fd, &buf) }, check.PanicMatches,
 		`one of InsertFstatResult\(\) or InsertFault\(\) for fstat 3 <ptr> must be used`)
 }
 
-func (s *lowLevelSuite) TestFstatBadFd(c *C) {
+func (s *lowLevelSuite) TestFstatBadFd(c *check.C) {
 	var buf syscall.Stat_t
 	err := s.sys.Fstat(3, &buf)
-	c.Assert(err, ErrorMatches, "attempting to fstat with an invalid file descriptor 3")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`fstat 3 <ptr>`})
+	c.Assert(err, check.ErrorMatches, "attempting to fstat with an invalid file descriptor 3")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`fstat 3 <ptr>`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `fstat 3 <ptr>`, E: fmt.Errorf("attempting to fstat with an invalid file descriptor 3")},
+	})
 }
 
-func (s *lowLevelSuite) TestFstatSuccess(c *C) {
+func (s *lowLevelSuite) TestFstatSuccess(c *check.C) {
 	s.sys.InsertFstatResult(`fstat 3 <ptr>`, syscall.Stat_t{Dev: 0xC0FE})
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	var buf syscall.Stat_t
 	err = s.sys.Fstat(fd, &buf)
-	c.Assert(err, IsNil)
-	c.Assert(buf, Equals, syscall.Stat_t{Dev: 0xC0FE})
+	c.Assert(err, check.IsNil)
+	c.Assert(buf, check.Equals, syscall.Stat_t{Dev: 0xC0FE})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/foo" 0 0`, // -> 3
+		`fstat 3 <ptr>`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/foo" 0 0`, R: 3},
+		{C: `fstat 3 <ptr>`, R: syscall.Stat_t{Dev: 0xC0FE}},
+	})
 }
 
-func (s *lowLevelSuite) TestFstatFailure(c *C) {
+func (s *lowLevelSuite) TestFstatFailure(c *check.C) {
 	s.sys.InsertFault(`fstat 3 <ptr>`, syscall.EPERM)
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	var buf syscall.Stat_t
 	err = s.sys.Fstat(fd, &buf)
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(buf, Equals, syscall.Stat_t{})
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(buf, check.Equals, syscall.Stat_t{})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/foo" 0 0`, // -> 3
+		`fstat 3 <ptr>`,   // -> EPERM
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/foo" 0 0`, R: 3},
+		{C: `fstat 3 <ptr>`, E: syscall.EPERM},
+	})
+}
+
+func (s *lowLevelSuite) TestFstatfs(c *check.C) {
+	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
+	c.Assert(err, check.IsNil)
+	var buf syscall.Statfs_t
+	c.Assert(func() { s.sys.Fstatfs(fd, &buf) }, check.PanicMatches,
+		`one of InsertFstatfsResult\(\) or InsertFault\(\) for fstatfs 3 <ptr> must be used`)
+}
+
+func (s *lowLevelSuite) TestFstatfsBadFd(c *check.C) {
+	var buf syscall.Statfs_t
+	err := s.sys.Fstatfs(3, &buf)
+	c.Assert(err, check.ErrorMatches, "attempting to fstatfs with an invalid file descriptor 3")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{`fstatfs 3 <ptr>`})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `fstatfs 3 <ptr>`, E: fmt.Errorf("attempting to fstatfs with an invalid file descriptor 3")},
+	})
 }
 
-func (s *lowLevelSuite) TestReadDir(c *C) {
-	c.Assert(func() { s.sys.ReadDir("/foo") }, PanicMatches,
+func (s *lowLevelSuite) TestFstatfsSuccess(c *check.C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`, syscall.Statfs_t{Type: 0x123})
+	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
+	c.Assert(err, check.IsNil)
+	var buf syscall.Statfs_t
+	err = s.sys.Fstatfs(fd, &buf)
+	c.Assert(err, check.IsNil)
+	c.Assert(buf, check.Equals, syscall.Statfs_t{Type: 0x123})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/foo" 0 0`, // -> 3
+		`fstatfs 3 <ptr>`, // -> Type: 0x123
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/foo" 0 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: 0x123}},
+	})
+}
+
+func (s *lowLevelSuite) TestFstatfsChain(c *check.C) {
+	s.sys.InsertFstatfsResult(`fstatfs 3 <ptr>`,
+		syscall.Statfs_t{Type: 0x123}, syscall.Statfs_t{Type: 0x456})
+	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
+	c.Assert(err, check.IsNil)
+	var buf syscall.Statfs_t
+	err = s.sys.Fstatfs(fd, &buf)
+	c.Assert(err, check.IsNil)
+	c.Assert(buf, check.Equals, syscall.Statfs_t{Type: 0x123})
+	err = s.sys.Fstatfs(fd, &buf)
+	c.Assert(err, check.IsNil)
+	c.Assert(buf, check.Equals, syscall.Statfs_t{Type: 0x456})
+	err = s.sys.Fstatfs(fd, &buf)
+	c.Assert(err, check.IsNil)
+	c.Assert(buf, check.Equals, syscall.Statfs_t{Type: 0x456})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/foo" 0 0`, // -> 3
+		`fstatfs 3 <ptr>`, // -> Type: 0x123
+		`fstatfs 3 <ptr>`, // -> Type: 0x456
+		`fstatfs 3 <ptr>`, // -> Type: 0x456
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/foo" 0 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: 0x123}},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: 0x456}},
+		{C: `fstatfs 3 <ptr>`, R: syscall.Statfs_t{Type: 0x456}},
+	})
+}
+
+func (s *lowLevelSuite) TestFstatfsFailure(c *check.C) {
+	s.sys.InsertFault(`fstatfs 3 <ptr>`, syscall.EPERM)
+	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
+	c.Assert(err, check.IsNil)
+	var buf syscall.Statfs_t
+	err = s.sys.Fstatfs(fd, &buf)
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(buf, check.Equals, syscall.Statfs_t{})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/foo" 0 0`, // -> 3
+		`fstatfs 3 <ptr>`, // -> EPERM
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/foo" 0 0`, R: 3},
+		{C: `fstatfs 3 <ptr>`, E: syscall.EPERM},
+	})
+}
+
+func (s *lowLevelSuite) TestReadDir(c *check.C) {
+	c.Assert(func() { s.sys.ReadDir("/foo") }, check.PanicMatches,
 		`one of InsertReadDirResult\(\) or InsertFault\(\) for readdir "/foo" must be used`)
 }
 
-func (s *lowLevelSuite) TestReadDirSuccess(c *C) {
-	s.sys.InsertReadDirResult(`readdir "/foo"`, []os.FileInfo{
+func (s *lowLevelSuite) TestReadDirSuccess(c *check.C) {
+	files := []os.FileInfo{
 		testutil.FakeFileInfo("file", 0644),
 		testutil.FakeFileInfo("dir", 0755|os.ModeDir),
-	})
+	}
+	s.sys.InsertReadDirResult(`readdir "/foo"`, files)
 	files, err := s.sys.ReadDir("/foo")
-	c.Assert(err, IsNil)
-	c.Assert(files, HasLen, 2)
+	c.Assert(err, check.IsNil)
+	c.Assert(files, check.HasLen, 2)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`readdir "/foo"`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `readdir "/foo"`, R: files},
+	})
 }
 
-func (s *lowLevelSuite) TestReadDirFailure(c *C) {
+func (s *lowLevelSuite) TestReadDirFailure(c *check.C) {
 	s.sys.InsertFault(`readdir "/foo"`, syscall.ENOENT)
 	files, err := s.sys.ReadDir("/foo")
-	c.Assert(err, ErrorMatches, "no such file or directory")
-	c.Assert(files, IsNil)
+	c.Assert(err, check.ErrorMatches, "no such file or directory")
+	c.Assert(files, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`readdir "/foo"`, // -> ENOENT
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `readdir "/foo"`, E: syscall.ENOENT},
+	})
 }
 
-func (s *lowLevelSuite) TestSymlinkSuccess(c *C) {
+func (s *lowLevelSuite) TestSymlinkSuccess(c *check.C) {
 	err := s.sys.Symlink("oldname", "newname")
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`symlink "newname" -> "oldname"`})
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`symlink "newname" -> "oldname"`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `symlink "newname" -> "oldname"`},
+	})
 }
 
-func (s *lowLevelSuite) TestSymlinkFailure(c *C) {
+func (s *lowLevelSuite) TestSymlinkFailure(c *check.C) {
 	s.sys.InsertFault(`symlink "newname" -> "oldname"`, syscall.EPERM)
 	err := s.sys.Symlink("oldname", "newname")
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`symlink "newname" -> "oldname"`})
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`symlink "newname" -> "oldname"`, // -> EPERM
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `symlink "newname" -> "oldname"`, E: syscall.EPERM},
+	})
 }
 
-func (s *lowLevelSuite) TestRemoveSuccess(c *C) {
+func (s *lowLevelSuite) TestRemoveSuccess(c *check.C) {
 	err := s.sys.Remove("file")
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`remove "file"`})
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`remove "file"`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `remove "file"`},
+	})
 }
 
-func (s *lowLevelSuite) TestRemoveFailure(c *C) {
+func (s *lowLevelSuite) TestRemoveFailure(c *check.C) {
 	s.sys.InsertFault(`remove "file"`, syscall.EPERM)
 	err := s.sys.Remove("file")
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`remove "file"`})
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{`remove "file"`})
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`remove "file"`, // -> EPERM
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `remove "file"`, E: syscall.EPERM},
+	})
 }
 
-func (s *lowLevelSuite) TestSymlinkatBadFd(c *C) {
+func (s *lowLevelSuite) TestSymlinkatBadFd(c *check.C) {
 	err := s.sys.Symlinkat("/old", 3, "new")
-	c.Assert(err, ErrorMatches, "attempting to symlinkat with an invalid file descriptor 3")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`symlinkat "/old" 3 "new"`})
+	c.Assert(err, check.ErrorMatches, "attempting to symlinkat with an invalid file descriptor 3")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`symlinkat "/old" 3 "new"`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `symlinkat "/old" 3 "new"`, E: fmt.Errorf("attempting to symlinkat with an invalid file descriptor 3")},
+	})
 }
 
-func (s *lowLevelSuite) TestSymlinkatSuccess(c *C) {
+func (s *lowLevelSuite) TestSymlinkatSuccess(c *check.C) {
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	err = s.sys.Symlinkat("/old", fd, "new")
-	c.Assert(err, IsNil)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
+	c.Assert(err, check.IsNil)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
 		`open "/foo" 0 0`,
 		`symlinkat "/old" 3 "new"`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/foo" 0 0`, R: 3},
+		{C: `symlinkat "/old" 3 "new"`},
+	})
 }
 
-func (s *lowLevelSuite) TestSymlinkatFailure(c *C) {
+func (s *lowLevelSuite) TestSymlinkatFailure(c *check.C) {
 	s.sys.InsertFault(`symlinkat "/old" 3 "new"`, syscall.EPERM)
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	err = s.sys.Symlinkat("/old", fd, "new")
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(s.sys.Calls(), DeepEquals, []string{
-		`open "/foo" 0 0`,
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`open "/foo" 0 0`, // -> 3
 		`symlinkat "/old" 3 "new"`,
 	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `open "/foo" 0 0`, R: 3},
+		{C: `symlinkat "/old" 3 "new"`, E: syscall.EPERM},
+	})
 }
 
-func (s *lowLevelSuite) TestReadlinkat(c *C) {
+func (s *lowLevelSuite) TestReadlinkat(c *check.C) {
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 	buf := make([]byte, 10)
-	c.Assert(func() { s.sys.Readlinkat(fd, "new", buf) }, PanicMatches,
+	c.Assert(func() { s.sys.Readlinkat(fd, "new", buf) }, check.PanicMatches,
 		`one of InsertReadlinkatResult\(\) or InsertFault\(\) for readlinkat 3 "new" <ptr> must be used`)
 }
 
-func (s *lowLevelSuite) TestReadlinkatBadFd(c *C) {
+func (s *lowLevelSuite) TestReadlinkatBadFd(c *check.C) {
 	buf := make([]byte, 10)
 	n, err := s.sys.Readlinkat(3, "new", buf)
-	c.Assert(err, ErrorMatches, "attempting to readlinkat with an invalid file descriptor 3")
-	c.Assert(n, Equals, 0)
-	c.Assert(s.sys.Calls(), DeepEquals, []string{`readlinkat 3 "new" <ptr>`})
+	c.Assert(err, check.ErrorMatches, "attempting to readlinkat with an invalid file descriptor 3")
+	c.Assert(n, check.Equals, 0)
+	c.Assert(s.sys.Calls(), check.DeepEquals, []string{
+		`readlinkat 3 "new" <ptr>`,
+	})
+	c.Assert(s.sys.RCalls(), check.DeepEquals, []testutil.CallResultError{
+		{C: `readlinkat 3 "new" <ptr>`, E: fmt.Errorf("attempting to readlinkat with an invalid file descriptor 3")},
+	})
 }
 
-func (s *lowLevelSuite) TestReadlinkatSuccess(c *C) {
+func (s *lowLevelSuite) TestReadlinkatSuccess(c *check.C) {
 	s.sys.InsertReadlinkatResult(`readlinkat 3 "new" <ptr>`, "/old")
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 
 	// Buffer has enough room
 	buf := make([]byte, 10)
 	n, err := s.sys.Readlinkat(fd, "new", buf)
-	c.Assert(err, IsNil)
-	c.Assert(n, Equals, 4)
-	c.Assert(buf, DeepEquals, []byte{'/', 'o', 'l', 'd', 0, 0, 0, 0, 0, 0})
+	c.Assert(err, check.IsNil)
+	c.Assert(n, check.Equals, 4)
+	c.Assert(buf, check.DeepEquals, []byte{'/', 'o', 'l', 'd', 0, 0, 0, 0, 0, 0})
 
 	// Buffer is too short
 	buf = make([]byte, 2)
 	n, err = s.sys.Readlinkat(fd, "new", buf)
-	c.Assert(err, IsNil)
-	c.Assert(n, Equals, 2)
-	c.Assert(buf, DeepEquals, []byte{'/', 'o'})
+	c.Assert(err, check.IsNil)
+	c.Assert(n, check.Equals, 2)
+	c.Assert(buf, check.DeepEquals, []byte{'/', 'o'})
 }
 
-func (s *lowLevelSuite) TestReadlinkatFailure(c *C) {
+func (s *lowLevelSuite) TestReadlinkatFailure(c *check.C) {
 	s.sys.InsertFault(`readlinkat 3 "new" <ptr>`, syscall.EPERM)
 	fd, err := s.sys.Open("/foo", syscall.O_RDONLY, 0)
-	c.Assert(err, IsNil)
+	c.Assert(err, check.IsNil)
 
 	buf := make([]byte, 10)
 	n, err := s.sys.Readlinkat(fd, "new", buf)
-	c.Assert(err, ErrorMatches, "operation not permitted")
-	c.Assert(n, Equals, 0)
-	c.Assert(buf, DeepEquals, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
+	c.Assert(err, check.ErrorMatches, "operation not permitted")
+	c.Assert(n, check.Equals, 0)
+	c.Assert(buf, check.DeepEquals, []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
 }
diff -Nru snapd-2.32.3.2~14.04/testutil/paddedchecker.go snapd-2.37~rc1~14.04/testutil/paddedchecker.go
--- snapd-2.32.3.2~14.04/testutil/paddedchecker.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/paddedchecker.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,147 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"gopkg.in/check.v1"
+)
+
+type paddedChecker struct {
+	*check.CheckerInfo
+	isRegexp  bool
+	isPartial bool
+	isLine    bool
+}
+
+// EqualsPadded is a Checker that looks for an expected string to
+// be equal to another except that the other might have been padded
+// out to align with something else (so arbitrary amounts of
+// horizontal whitespace is ok at the ends, and between non-whitespace
+// bits).
+var EqualsPadded = &paddedChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "EqualsPadded", Params: []string{"padded", "expected"}},
+	isLine:      true,
+}
+
+// MatchesPadded is a Checker that looks for an expected regexp in
+// a string that might have been padded out to align with something
+// else (so whitespace in the regexp is changed to [ \t]+, and ^[ \t]*
+// is added to the beginning, and [ \t]*$ to the end of it).
+var MatchesPadded = &paddedChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "MatchesPadded", Params: []string{"padded", "expected"}},
+	isRegexp:    true,
+	isLine:      true,
+}
+
+// ContainsPadded is a Checker that looks for an expected string
+// in another that might have been padded out to align with something
+// else (so arbitrary amounts of horizontal whitespace is ok between
+// non-whitespace bits).
+var ContainsPadded = &paddedChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "ContainsPadded", Params: []string{"padded", "expected"}},
+	isPartial:   true,
+	isLine:      true,
+}
+
+// EqualsWrapped is a Checker that looks for an expected string to be
+// equal to another except that the other might have been padded out
+// and wrapped (so arbitrary amounts of whitespace is ok at the ends,
+// and between non-whitespace bits).
+var EqualsWrapped = &paddedChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "EqualsWrapped", Params: []string{"wrapped", "expected"}},
+}
+
+// MatchesWrapped is a Checker that looks for an expected regexp in a
+// string that might have been padded and wrapped (so whitespace in
+// the regexp is changed to \s+, and (?s)^\s* is added to the
+// beginning, and \s*$ to the end of it).
+var MatchesWrapped = &paddedChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "MatchesWrapped", Params: []string{"wrapped", "expected"}},
+	isRegexp:    true,
+}
+
+// ContainsWrapped is a Checker that looks for an expected string in
+// another that might have been padded out and wrapped (so arbitrary
+// amounts of whitespace is ok between non-whitespace bits).
+var ContainsWrapped = &paddedChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "EqualsWrapped", Params: []string{"wrapped", "expected"}},
+	isRegexp:    false,
+	isPartial:   true,
+}
+
+var spaceinator = regexp.MustCompile(`\s+`).ReplaceAllLiteralString
+
+func (c *paddedChecker) Check(params []interface{}, names []string) (result bool, errstr string) {
+	var other string
+	switch v := params[0].(type) {
+	case string:
+		other = v
+	case []byte:
+		other = string(v)
+	case error:
+		if v != nil {
+			other = v.Error()
+		}
+	default:
+		return false, "left-hand value must be a string or []byte or error"
+	}
+	expected, ok := params[1].(string)
+	if !ok {
+		ebuf, ok := params[1].([]byte)
+		if !ok {
+			return false, "right-hand value must be a string or []byte"
+		}
+		expected = string(ebuf)
+	}
+	ws := `\s`
+	if c.isLine {
+		ws = `[\t ]`
+	}
+	if c.isRegexp {
+		_, err := regexp.Compile(expected)
+		if err != nil {
+			return false, fmt.Sprintf("right-hand value must be a valid regexp: %v", err)
+		}
+		expected = spaceinator(expected, ws+"+")
+	} else {
+		fields := strings.Fields(expected)
+		for i := range fields {
+			fields[i] = regexp.QuoteMeta(fields[i])
+		}
+		expected = strings.Join(fields, ws+"+")
+	}
+	if !c.isPartial {
+		expected = "^" + ws + "*" + expected + ws + "*$"
+	}
+	if !c.isLine {
+		expected = "(?s)" + expected
+	}
+
+	matches, err := regexp.MatchString(expected, other)
+	if err != nil {
+		// can't happen (really)
+		panic(err)
+	}
+	return matches, ""
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/paddedchecker_test.go snapd-2.37~rc1~14.04/testutil/paddedchecker_test.go
--- snapd-2.32.3.2~14.04/testutil/paddedchecker_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/paddedchecker_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,77 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil_test
+
+import (
+	"errors"
+
+	"gopkg.in/check.v1"
+
+	. "github.com/snapcore/snapd/testutil"
+)
+
+type paddedCheckerSuite struct{}
+
+var _ = check.Suite(&paddedCheckerSuite{})
+
+func (*paddedCheckerSuite) TestPaddedChecker(c *check.C) {
+	type row struct {
+		lhs     string
+		checker check.Checker
+		rhs     string
+	}
+
+	table := []row{
+		{" a  b\tc", EqualsPadded, "a b c"},
+		{" a  b\nc", check.Not(EqualsPadded), "a b c"},
+
+		{" a  b\tc", EqualsWrapped, "a b c"},
+		{" a  b\nc", EqualsWrapped, "a b c"},
+
+		{" a  b\tc    d\t\te", ContainsPadded, "b c d"},
+		{" a  b\nc    d\t\te", check.Not(ContainsPadded), "b c d"},
+
+		{" a  b\tc    d\t\te", ContainsWrapped, "b c d"},
+		{" a  b\nc    d\t\te", ContainsWrapped, "b c d"},
+
+		{"\tfoo baah ", MatchesPadded, `fo+ b\S+`},
+		{"\tfoo\nbaah ", check.Not(MatchesPadded), `fo+ b\S+`},
+
+		{"\tfoo baah ", MatchesWrapped, `fo+ b\S+`},
+		{"\tfoo\nbaah ", MatchesWrapped, `fo+ b\S+`},
+	}
+
+	for i, test := range table {
+		for _, lhs := range []interface{}{test.lhs, []byte(test.lhs), errors.New(test.lhs)} {
+			for _, rhs := range []interface{}{test.rhs, []byte(test.rhs)} {
+				comm := check.Commentf("%d:%s:%T/%T", i, test.checker.Info().Name, lhs, rhs)
+				c.Check(lhs, test.checker, rhs, comm)
+			}
+		}
+	}
+
+	for _, checker := range []check.Checker{EqualsPadded, EqualsWrapped, ContainsPadded, ContainsWrapped, MatchesPadded, MatchesWrapped} {
+		testCheck(c, checker, false, "right-hand value must be a string or []byte", "a b c", 42)
+		testCheck(c, checker, false, "left-hand value must be a string or []byte or error", 42, "a b c")
+	}
+	for _, checker := range []check.Checker{MatchesPadded, MatchesWrapped} {
+		testCheck(c, checker, false, "right-hand value must be a valid regexp: error parsing regexp: missing argument to repetition operator: `+`", "a b c", "+a b c")
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/syscallschecker.go snapd-2.37~rc1~14.04/testutil/syscallschecker.go
--- snapd-2.32.3.2~14.04/testutil/syscallschecker.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/syscallschecker.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,89 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil
+
+import (
+	"fmt"
+	"reflect"
+
+	"gopkg.in/check.v1"
+)
+
+type syscallsEqualChecker struct {
+	*check.CheckerInfo
+}
+
+// SyscallsEqual checks that one sequence of system calls is equal to another.
+var SyscallsEqual check.Checker = &syscallsEqualChecker{
+	CheckerInfo: &check.CheckerInfo{Name: "SyscallsEqual", Params: []string{"actualList", "expectedList"}},
+}
+
+func (c *syscallsEqualChecker) Check(params []interface{}, names []string) (result bool, error string) {
+	actualList, ok := params[0].([]CallResultError)
+	if !ok {
+		return false, "left-hand-side argument must be of type []CallResultError"
+	}
+	expectedList, ok := params[1].([]CallResultError)
+	if !ok {
+		return false, "right-hand-side argument must be of type []CallResultError"
+	}
+
+	for i, actual := range actualList {
+		if i >= len(expectedList) {
+			return false, fmt.Sprintf("system call #%d %#q unexpectedly present, got %d system call(s) but expected only %d",
+				i, actual.C, len(actualList), len(expectedList))
+		}
+		expected := expectedList[i]
+		if actual.C != expected.C {
+			return false, fmt.Sprintf("system call #%d differs in operation, actual %#q, expected %#q", i, actual.C, expected.C)
+		}
+		if !reflect.DeepEqual(actual, expected) {
+			switch {
+			case actual.E == nil && expected.E == nil && !reflect.DeepEqual(actual.R, expected.R):
+				// The call succeeded but not like we expected.
+				return false, fmt.Sprintf("system call #%d %#q differs in result, actual: %#v, expected: %#v",
+					i, actual.C, actual.R, expected.R)
+			case actual.E != nil && expected.E != nil && !reflect.DeepEqual(actual.E, expected.E):
+				// The call failed but not like we expected.
+				return false, fmt.Sprintf("system call #%d %#q differs in error, actual: %s, expected: %s",
+					i, actual.C, actual.E, expected.E)
+			case actual.E != nil && expected.E == nil && expected.R == nil:
+				// The call failed but we expected it to succeed.
+				return false, fmt.Sprintf("system call #%d %#q unexpectedly failed, actual error: %s", i, actual.C, actual.E)
+			case actual.E != nil && expected.E == nil && expected.R != nil:
+				// The call failed but we expected it to succeed with some result.
+				return false, fmt.Sprintf("system call #%d %#q unexpectedly failed, actual error: %s, expected result: %#v", i, actual.C, actual.E, expected.R)
+			case actual.E == nil && expected.E != nil && actual.R == nil:
+				// The call succeeded with some result but we expected it to fail.
+				return false, fmt.Sprintf("system call #%d %#q unexpectedly succeeded, expected error: %s", i, actual.C, expected.E)
+			case actual.E == nil && expected.E != nil && actual.R != nil:
+				// The call succeeded but we expected it to fail.
+				return false, fmt.Sprintf("system call #%d %#q unexpectedly succeeded, actual result: %#v, expected error: %s", i, actual.C, actual.R, expected.E)
+			default:
+				panic("unexpected call-result-error case")
+			}
+		}
+	}
+	if len(actualList) < len(expectedList) && len(expectedList) > 0 {
+		return false, fmt.Sprintf("system call #%d %#q unexpectedly absent, got only %d system call(s) but expected %d",
+			len(actualList), expectedList[len(actualList)].C, len(actualList), len(expectedList))
+	}
+	return true, ""
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/syscallschecker_test.go snapd-2.37~rc1~14.04/testutil/syscallschecker_test.go
--- snapd-2.32.3.2~14.04/testutil/syscallschecker_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/syscallschecker_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,78 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil_test
+
+import (
+	"errors"
+
+	"gopkg.in/check.v1"
+
+	. "github.com/snapcore/snapd/testutil"
+)
+
+type syscallsCheckerSuite struct{}
+
+var _ = check.Suite(&syscallsCheckerSuite{})
+
+func (*syscallsCheckerSuite) TestSystemCallSequenceEqual(c *check.C) {
+	c.Assert([]CallResultError{}, SyscallsEqual, []CallResultError{})
+	c.Assert([]CallResultError{}, SyscallsEqual, []CallResultError(nil))
+	c.Assert([]CallResultError{{C: `foo`}}, SyscallsEqual, []CallResultError{{C: `foo`}})
+	c.Assert([]CallResultError{{C: `foo`}, {C: `bar`}}, SyscallsEqual, []CallResultError{{C: `foo`}, {C: `bar`}})
+	c.Assert([]CallResultError{{C: `foo`, R: 123}}, SyscallsEqual, []CallResultError{{C: `foo`, R: 123}})
+	c.Assert([]CallResultError{{C: `foo`, E: errors.New("bad")}}, SyscallsEqual, []CallResultError{{C: `foo`, E: errors.New("bad")}})
+
+	// Wrong argument types.
+	testCheck(c, SyscallsEqual, false, "left-hand-side argument must be of type []CallResultError",
+		true, []CallResultError{{C: `bar`}})
+	testCheck(c, SyscallsEqual, false, "right-hand-side argument must be of type []CallResultError",
+		[]CallResultError{{C: `bar`}}, true)
+	// Different system call operations.
+	testCheck(c, SyscallsEqual, false, "system call #0 differs in operation, actual `foo`, expected `bar`",
+		[]CallResultError{{C: `foo`}}, []CallResultError{{C: `bar`}})
+	// Different system call results.
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` differs in result, actual: 1, expected: 2",
+		[]CallResultError{{C: `foo`, R: 1}}, []CallResultError{{C: `foo`, R: 2}})
+	// Different system call errors.
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` differs in error, actual: barf, expected: bork",
+		[]CallResultError{{C: `foo`, E: errors.New("barf")}}, []CallResultError{{C: `foo`, E: errors.New("bork")}})
+	// Unexpected success with non-nil result.
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` unexpectedly succeeded, actual result: 1, expected error: broken",
+		[]CallResultError{{C: `foo`, R: 1}}, []CallResultError{{C: `foo`, E: errors.New("broken")}})
+	// Unexpected success with nil result.
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` unexpectedly succeeded, expected error: broken",
+		[]CallResultError{{C: `foo`}}, []CallResultError{{C: `foo`, E: errors.New("broken")}})
+	// Unexpected failure with expected non-nil result.
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` unexpectedly failed, actual error: broken, expected result: 1",
+		[]CallResultError{{C: `foo`, E: errors.New("broken")}}, []CallResultError{{C: `foo`, R: 1}})
+	// Unexpected failure with expected nil result.
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` unexpectedly failed, actual error: broken",
+		[]CallResultError{{C: `foo`, E: errors.New("broken")}}, []CallResultError{{C: `foo`}})
+	// More system calls than expected.
+	testCheck(c, SyscallsEqual, false, "system call #1 `bar` unexpectedly present, got 2 system call(s) but expected only 1",
+		[]CallResultError{{C: `foo`}, {C: `bar`}}, []CallResultError{{C: `foo`}})
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` unexpectedly present, got 2 system call(s) but expected only 0",
+		[]CallResultError{{C: `foo`}, {C: `bar`}}, []CallResultError{})
+	// Fewer system calls than expected.
+	testCheck(c, SyscallsEqual, false, "system call #1 `bar` unexpectedly absent, got only 1 system call(s) but expected 2",
+		[]CallResultError{{C: `foo`}}, []CallResultError{{C: `foo`}, {C: `bar`}})
+	testCheck(c, SyscallsEqual, false, "system call #0 `foo` unexpectedly absent, got only 0 system call(s) but expected 1",
+		[]CallResultError{}, []CallResultError{{C: `foo`}})
+}
diff -Nru snapd-2.32.3.2~14.04/testutil/testutil_test.go snapd-2.37~rc1~14.04/testutil/testutil_test.go
--- snapd-2.32.3.2~14.04/testutil/testutil_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/testutil/testutil_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,55 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2015-2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package testutil_test
+
+import (
+	"reflect"
+	"testing"
+
+	"gopkg.in/check.v1"
+)
+
+func Test(t *testing.T) {
+	check.TestingT(t)
+}
+
+func testInfo(c *check.C, checker check.Checker, name string, paramNames []string) {
+	info := checker.Info()
+	if info.Name != name {
+		c.Fatalf("Got name %s, expected %s", info.Name, name)
+	}
+	if !reflect.DeepEqual(info.Params, paramNames) {
+		c.Fatalf("Got param names %#v, expected %#v", info.Params, paramNames)
+	}
+}
+
+func testCheck(c *check.C, checker check.Checker, result bool, error string, params ...interface{}) ([]interface{}, []string) {
+	info := checker.Info()
+	if len(params) != len(info.Params) {
+		c.Fatalf("unexpected param count in test; expected %d got %d", len(info.Params), len(params))
+	}
+	names := append([]string{}, info.Params...)
+	resultActual, errorActual := checker.Check(params, names)
+	if resultActual != result || errorActual != error {
+		c.Fatalf("%s.Check(%#v) returned (%#v, %#v) rather than (%#v, %#v)",
+			info.Name, params, resultActual, errorActual, result, error)
+	}
+	return params, names
+}
diff -Nru snapd-2.32.3.2~14.04/timeutil/export_test.go snapd-2.37~rc1~14.04/timeutil/export_test.go
--- snapd-2.32.3.2~14.04/timeutil/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/timeutil/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -23,6 +23,8 @@
 
 var (
 	ParseClockSpan = parseClockSpan
+	ParseWeekSpan  = parseWeekSpan
+	HumanTimeSince = humanTimeSince
 )
 
 func MockTimeNow(f func() time.Time) (restorer func()) {
diff -Nru snapd-2.32.3.2~14.04/timeutil/human.go snapd-2.37~rc1~14.04/timeutil/human.go
--- snapd-2.32.3.2~14.04/timeutil/human.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/timeutil/human.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,80 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package timeutil
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/snapcore/snapd/i18n"
+)
+
+// start-of-day
+func sod(t time.Time) time.Time {
+	y, m, d := t.Date()
+	return time.Date(y, m, d, 0, 0, 0, 0, t.Location())
+}
+
+// Human turns the time into a relative expression of time meant for human
+// consumption.
+// Human(t)  --> "today at 07:47"
+func Human(then time.Time) string {
+	return humanTimeSince(then.Local(), time.Now().Local(), 60)
+}
+
+func delta(then, now time.Time) int {
+	if then.After(now) {
+		return -delta(now, then)
+	}
+
+	then = sod(then)
+	now = sod(now)
+
+	n := int(then.Sub(now).Hours() / 24)
+	now = now.AddDate(0, 0, n)
+	for then.Before(now) {
+		then = then.AddDate(0, 0, 1)
+		n--
+	}
+	return n
+}
+
+func humanTimeSince(then, now time.Time, cutoffDays int) string {
+	d := delta(then, now)
+	switch {
+	case d < -cutoffDays || d > cutoffDays:
+		return then.Format("2006-01-02")
+	case d < -1:
+		// TRANSLATORS: %d will be at least 2; the singular is only included to help gettext
+		return fmt.Sprintf(then.Format(i18n.NG("%d day ago, at 15:04 MST", "%d days ago, at 15:04 MST", -d)), -d)
+	case d == -1:
+		return then.Format(i18n.G("yesterday at 15:04 MST"))
+	case d == 0:
+		return then.Format(i18n.G("today at 15:04 MST"))
+	case d == 1:
+		return then.Format(i18n.G("tomorrow at 15:04 MST"))
+	case d > 1:
+		// TRANSLATORS: %d will be at least 2; the singular is only included to help gettext
+		return fmt.Sprintf(then.Format(i18n.NG("in %d day, at 15:04 MST", "in %d days, at 15:04 MST", d)), d)
+	default:
+		// the following message is brought to you by Joel Armando, the self-described awesome and sexy mathematician.
+		panic("you have broken the law of trichotomy! ℤ is no longer totally ordered! chaos ensues!")
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/timeutil/human_test.go snapd-2.37~rc1~14.04/timeutil/human_test.go
--- snapd-2.32.3.2~14.04/timeutil/human_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/timeutil/human_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,93 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package timeutil_test
+
+import (
+	"time"
+
+	"gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/timeutil"
+)
+
+type humanSuite struct {
+	beforeDSTbegins, afterDSTbegins, beforeDSTends, afterDSTends time.Time
+}
+
+var _ = check.Suite(&humanSuite{})
+
+func (s *humanSuite) SetUpSuite(c *check.C) {
+	loc, err := time.LoadLocation("Europe/London")
+	c.Assert(err, check.IsNil)
+
+	s.beforeDSTbegins = time.Date(2017, 3, 26, 0, 59, 0, 0, loc)
+	// note this is actually 2:01am DST
+	s.afterDSTbegins = time.Date(2017, 3, 26, 1, 1, 0, 0, loc)
+
+	// apparently no way to straight out initialise a time inside the DST overlap
+	s.beforeDSTends = time.Date(2017, 10, 29, 0, 59, 0, 0, loc).Add(60 * time.Minute)
+	s.afterDSTends = time.Date(2017, 10, 29, 1, 1, 0, 0, loc)
+
+	// sanity check
+	c.Check(s.beforeDSTbegins.Format("MST"), check.Equals, s.afterDSTends.Format("MST"))
+	c.Check(s.beforeDSTbegins.Format("MST"), check.Equals, "GMT")
+	c.Check(s.afterDSTbegins.Format("MST"), check.Equals, s.beforeDSTends.Format("MST"))
+	c.Check(s.afterDSTbegins.Format("MST"), check.Equals, "BST")
+
+	// “The month, day, hour, min, sec, and nsec values may be outside their
+	//  usual ranges and will be normalized during the conversion.”
+	// so you can always add or subtract 1 from a day and it'll just work \o/
+	c.Check(time.Date(2017, -1, -1, -1, -1, -1, 0, loc), check.DeepEquals, time.Date(2016, 10, 29, 22, 58, 59, 0, loc))
+	c.Check(time.Date(2017, 13, 32, 25, 61, 63, 0, loc), check.DeepEquals, time.Date(2018, 2, 2, 2, 2, 3, 0, loc))
+}
+
+func (s *humanSuite) TestHumanTimeDST(c *check.C) {
+	c.Check(timeutil.HumanTimeSince(s.beforeDSTbegins, s.afterDSTbegins, 300), check.Equals, "today at 00:59 GMT")
+	c.Check(timeutil.HumanTimeSince(s.beforeDSTends, s.afterDSTends, 300), check.Equals, "today at 01:59 BST")
+	c.Check(timeutil.HumanTimeSince(s.beforeDSTbegins, s.afterDSTends, 300), check.Equals, "217 days ago, at 00:59 GMT")
+}
+
+func (s *humanSuite) TestHumanTimeDSTMore(c *check.C) {
+	loc, err := time.LoadLocation("Europe/London")
+	c.Assert(err, check.IsNil)
+	d0 := time.Date(2018, 3, 23, 13, 14, 15, 0, loc)
+	df := time.Date(2018, 3, 25, 13, 14, 15, 0, loc)
+	c.Check(timeutil.HumanTimeSince(d0, df, 300), check.Equals, "2 days ago, at 13:14 GMT")
+	c.Check(timeutil.HumanTimeSince(df, d0, 300), check.Equals, "in 2 days, at 13:14 BST")
+}
+
+func (*humanSuite) TestHuman(c *check.C) {
+	now := time.Now()
+
+	for i, expected := range []string{
+		"2 days ago, at ", "yesterday at ", "today at ", "tomorrow at ", "in 2 days, at ",
+	} {
+		t := now.AddDate(0, 0, i-2)
+		timePart := t.Format("15:04 MST")
+		c.Check(timeutil.Human(t), check.Equals, expected+timePart)
+	}
+
+	// two outside of the 60-day cutoff:
+	d1 := now.AddDate(0, -3, 0)
+	d2 := now.AddDate(0, 3, 0)
+	c.Check(timeutil.Human(d1), check.Equals, d1.Format("2006-01-02"))
+	c.Check(timeutil.Human(d2), check.Equals, d2.Format("2006-01-02"))
+
+}
diff -Nru snapd-2.32.3.2~14.04/timeutil/schedule.go snapd-2.37~rc1~14.04/timeutil/schedule.go
--- snapd-2.32.3.2~14.04/timeutil/schedule.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/timeutil/schedule.go	2019-01-16 08:36:51.000000000 +0000
@@ -137,11 +137,15 @@
 	// move to the beginning of the month
 	t = t.AddDate(0, 0, -t.Day()+1)
 
-	for nth := uint(0); t.Weekday() != weekday || nth != nthInMonth; {
-		t = t.Add(24 * time.Hour)
+	var nth uint
+	for {
 		if t.Weekday() == weekday {
 			nth++
+			if nth == nthInMonth {
+				break
+			}
 		}
+		t = t.Add(24 * time.Hour)
 	}
 	return t
 }
diff -Nru snapd-2.32.3.2~14.04/timeutil/schedule_test.go snapd-2.37~rc1~14.04/timeutil/schedule_test.go
--- snapd-2.32.3.2~14.04/timeutil/schedule_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/timeutil/schedule_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -738,6 +738,14 @@
 			now:        "2017-02-06 9:30",
 			next:       "30m-90m",
 			randomized: true,
+		}, {
+			// first Wednesday at 13:00
+			schedule: "wed1,13:00",
+			now:      "2018-07-30 9:00",
+			// yesterday
+			last: "2018-07-29 13:00",
+			// next one on 2018-08-01 13:00
+			next: "52h-52h",
 		},
 	} {
 		c.Logf("trying %+v", t)
@@ -774,8 +782,8 @@
 
 			c.Check(next >= minDist && next <= maxDist,
 				Equals, true,
-				Commentf("invalid  distance for schedule %q with last refresh %q, now %q, expected %v, got %v",
-					t.schedule, t.last, t.now, t.next, next))
+				Commentf("invalid  distance for schedule %q with last refresh %q, now %q, expected %v, got %v, date %s",
+					t.schedule, t.last, t.now, t.next, next, fakeNow.Add(next)))
 			previous = next
 		}
 	}
@@ -953,3 +961,74 @@
 		c.Assert(spanStrings, DeepEquals, t.flattenend)
 	}
 }
+
+func (ts *timeutilSuite) TestWeekSpans(c *C) {
+	const shortForm = "2006-01-02"
+
+	//     July 2018            August 2018
+	// Su Mo Tu We Th Fr Sa  Su Mo Tu We Th Fr Sa
+	//  1  2  3  4  5  6  7            1  2  3  4
+	//  8  9 10 11 12 13 14   5  6  7  8  9 10 11
+	// 15 16 17 18 19 20 21  12 13 14 15 16 17 18
+	// 22 23 24 25 26 27 28  19 20 21 22 23 24 25
+	// 29 30 31              26 27 28 29 30 31
+
+	for _, t := range []struct {
+		week  string
+		when  string
+		match bool
+	}{
+		{
+			// first Wednesday
+			week:  "wed1",
+			when:  "2018-08-01",
+			match: true,
+		}, {
+			// first Wednesday
+			week: "wed1",
+			// actually 2nd Wednesday
+			when:  "2018-08-08",
+			match: false,
+		}, {
+			// second Wednesday
+			week:  "wed2",
+			when:  "2018-08-08",
+			match: true,
+		}, {
+			// first Tuesday
+			week:  "tue1",
+			when:  "2018-08-07",
+			match: true,
+		}, {
+			// first Sunday
+			week:  "sun1",
+			when:  "2018-07-01",
+			match: true,
+		}, {
+			// last Tuesday
+			week:  "tue5",
+			when:  "2018-07-31",
+			match: true,
+		}, {
+			// last Tuesday
+			week:  "tue5",
+			when:  "2018-07-24",
+			match: false,
+		}, {
+			// last Thursday
+			week:  "thu5",
+			when:  "2018-07-26",
+			match: true,
+		},
+	} {
+		c.Logf("trying %+v", t)
+		ws, err := timeutil.ParseWeekSpan(t.week)
+		c.Assert(err, IsNil)
+
+		when, err := time.ParseInLocation(shortForm, t.when, time.Local)
+		c.Assert(err, IsNil)
+		c.Logf("when: %v %s", when, when.Weekday())
+
+		c.Check(ws.Match(when), Equals, t.match)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/.travis.yml snapd-2.37~rc1~14.04/.travis.yml
--- snapd-2.32.3.2~14.04/.travis.yml	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/.travis.yml	2019-01-16 08:36:51.000000000 +0000
@@ -1,7 +1,61 @@
 language: go
-go:        
-  - 1.6
-
+git:
+  quiet: true
+jobs:
+  include:
+    - stage: quick
+      name: go 1.6/xenial static and unit test suites
+      dist: xenial
+      go: 1.6
+      before_install:
+        - sudo apt --quiet -o Dpkg::Progress-Fancy=false update
+      install:
+        - sudo apt --quiet -o Dpkg::Progress-Fancy=false build-dep snapd
+        - ./get-deps.sh
+      script:
+        - set -e
+        - ./run-checks --static
+        - ./run-checks --short-unit
+    - stage: quick
+      go: 1.10
+      name: OSX build and minimal runtime sanity check
+      os: osx
+      addons:
+        homebrew:
+          packages: [squashfs]
+      install:
+        - ./get-deps.sh
+        # extra dependency on darwin:
+        - go get golang.org/x/sys/unix
+      before_script:
+        - ./mkversion.sh
+        - go build -o /tmp/snp ./cmd/snap
+      script:
+        - /tmp/snp download hello
+        - /tmp/snp version
+        - /tmp/snp pack tests/lib/snaps/test-snapd-tools/ /tmp
+    - stage: quick
+      name: CLA check
+      if: type = pull_request
+      language: bash
+      addons:
+        apt:
+          packages:
+            python-launchpadlib
+      script:
+        - ./tests/lib/cla_check.py
+    - stage: integration
+      name: spread
+      os: linux
+      addons:
+        apt:
+          packages:
+          - xdelta3
+      install:
+        # override the default install for language:go
+        - true
+      script:
+        - ./run-checks --spread
 env:
   global:
     # SPREAD_LINODE_KEY
@@ -10,17 +64,5 @@
     - secure: "LjqfvJ2xz/7cxt1Cywaw5l8gaj5jOhUsf502UeaH+rOnj+9tCdWTtyP8U4nOjjQwiJ0xuygba+FgdnXEyxV+THeXHOF69SRF/1N8JIc3i9G6JK/CqDfFTRMqiRaCf5u7KuOrYZ0ssYNBXyZ8X4Ahls3uFu2DgEuAim1J6wOVSgIoUkduLVrbsn6uB9G5Uuc+C4NMA3TH21IJ6ct35t3T+/EjvoGUHcKtoOsPXdBZvz96xw5mKGIBaLpZdy5WxmhPUsz3MIlZgvi4DR3YIa/9u+QoGNU05f8upJRhwdwkuu9vJwqekXNXDJi/ZGlpkkAPx0feJbyhtz68551Pn1TtmA3TS5JtuMeMZWxCL9SudA7/C3oBRNGnKI3LwvP20pPjdlEYMOCq/oHlxoJylGVdpynZXTtaFS+s4Qhnr+WuNcG3zFa9bJvXPyy1vxPKcjI2DojneTrCTW/L6zg7tBIVQGzTxmC7QWsbTvOQzu+YICyeeS3g+iJ+QyP6+/oTyER3a3vmZCtXqsBJTznesS0SL5AkK+8moBGct96S6kT55XCDVgThWV0OGH6l4LwVSOjPioNzXNhVLZ8GKkXrMZXKSaWAeYptzWl4Gfz0Y4nFCu3aqIOyie7janPPgeEL0E2ZjndIs+ZigtN1LCol+GJN7fXzUFy8Fichqhhwvb3YLyE="
     # SPREAD_STORE_PASSWORD
     - secure: "Le4CMhklfadi4aBQIEaEMbsFIB608GOvSHjVUxkDxkkUAVwl/Ov4Dni5d0Tn4e/xcxPkcm+pPg64dn0Jxzwx6XfWlxhWC10vYh+/GjpZW1znahtb/Gf9CNZOJJEy5LSeI7/uJ3LYcFd0FU0EJSerNeQJc5d8jmJH8UnuqObHOk29YD//XILiLRa1XALEimwXeQyGQePBmDTxPQQv1VLFjgfaJa5Xy55Us7AKTML2V7lhaeKCSEIp3x9liLAtnKlJhyXaXO/e4b3ZJTgXwYh+vENK1E2pxalpjBNPaJNkvtbsjFtYNXJoXca+hBVs5Sq1PCBhkEGxqFUsD8VLQd+MEXp4MYOF5fBhxIa3qOSjtuR+WmZ9G6fEysEBV6Y3F3D6HYWTpNkcHNXJCwdtOM+n92zNEBDIrufwzTPpyJXpoxZCCXrk3HHRdyDktvJYLrHdn1bM19mgYguesMZHTC5xMD6ifwdRoylmApjImXOvVxf2HdQiNvNLDqvaHgmYwNfl0+KbaVz+O2EDPCRnT5wOCpSeSUet47EPITdjr5OnTwLpOVaY+iSvn90EUB/8+ZU01TRYgc+6VNPHokLVjuiQJSrE4yTx/c2MnY9eRaOosVXngYfoS/L3XwDwZiQoeLZs04bScvxzGQIGCJ+CBzNPENtZ4AUh55Yl/vVNReZJeaY="
-
-git:
-    quiet: true
-
-install:
-    - true
-
-script:
-    - ./run-checks --spread
-
-addons:
-  apt:
-    packages:
-    - xdelta3
+    # SPREAD_GOOGLE_KEY
+    - secure: "dIA2HrartowFL2Gl5jXiVMd9hIJyIeummYwxeBL9MzO48E/BIJyIGHudEOo8oCnZ5a0yb8TqYgND2FCgJU1V5I2LyxH6T9kizHjtmIGgeM4qlEGKRlptb2v7DFkaHeW4Mpp4gLk8hYIeWyq9OR+SlK6f0Jj049LLKfQoX6GzTPug5+MMEQOJs55OJ6f6gvCv2o3oj6WFybaohMCO4GbNYQSPLwheyTSkT0efnW9QqTN0w62pDMqscVURO90/CUeZyCcXw2uOBegwPNTBoo/+4+nZsfSNeupV8wX4vVYL0ZFL6IO3mViDoZBD4SGTNF/9x8Lc1WeKm9HlELzy5krdLqsvdV/fQSWhBzwkdykKVA3Aae5dAMIGRt7e5bJaUg+/HdtOgA5jr+qey/c/BN11MyaSOMNPNGjRuv9NAcEjxoN2JkiDXfpA3lE9kjd7TBTexGe4RJGJLJjT9s8XxdKufBfruC/yhVGdVkRoc2tsAJPZ72Ds9qH0FH28zNFAgAitCLDfInjhPMPvZJhb3Bqx5P/0DE5zUbduE9kYK0iiZRJ4AaytQy+R4nJCXE42mWv5cxoE84opVqO9cBu1TPCC8gTRQFWpJt1rP+DvwjaFiswvptG8obxNpHmkhcItPGmRVN9P9Yjd9nHvegS83tsbrd2KOyMmCk3/1KWhLufisHE="
diff -Nru snapd-2.32.3.2~14.04/update-pot snapd-2.37~rc1~14.04/update-pot
--- snapd-2.32.3.2~14.04/update-pot	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/update-pot	2019-01-16 08:36:51.000000000 +0000
@@ -3,7 +3,26 @@
 
 set -e
 
-HERE="$(dirname "$0")"
+# In LP#1758684 we got reports that the pot file generation
+# is broken. To get to the bottom of this add checks here
+# so that we error the build if this happens. Note that the
+# strings may be update if those change but spread tests will
+# tell us when it is needed.
+check_canaries() {
+    c1="Alternative command to run"
+    c2="Name of the key to use, otherwise use the default key"
+    c3="too many arguments for command"
+
+    for canary in "$c1" "$c2" "$c3"; do
+	if ! grep -q "$canary" "$OUTPUT"; then
+	    echo "canary '$canary' not found, pot extraction broken"
+	    ls -lh "$OUTPUT"
+	    exit 1
+	fi
+    done
+}
+
+HERE="$(readlink -f "$(dirname "$0")")"
 
 OUTPUT="$HERE/po/snappy.pot"
 if [ -n "$1" ]; then
@@ -13,8 +32,14 @@
 # ensure we have our xgettext-go
 go install github.com/snapcore/snapd/i18n/xgettext-go
 
-find "$HERE" -name "*.go" -type f -print0 | xargs -0 \
-    "${GOPATH%%:*}/bin/xgettext-go" \
+# exclude vendor and _build subdir
+I18N_FILES="$(mktemp -d)/i18n.files"
+find "$HERE" -type d \( -name "vendor" -o -name "_build" \) -prune -o -name "*.go" -type f -print > "$I18N_FILES"
+# shellcheck disable=SC2064
+trap "rm -rf $(dirname "$I18N_FILES")" EXIT
+
+"${GOPATH%%:*}/bin/xgettext-go" \
+    -f "$I18N_FILES" \
     -o "$OUTPUT" \
     --add-comments-tag=TRANSLATORS: \
     --no-location \
@@ -24,26 +49,25 @@
     --keyword=i18n.G \
     --keyword-plural=i18n.DG
 
+# check canary
+check_canaries
+
 sed -i 's/charset=CHARSET/charset=UTF-8/' "$OUTPUT"
 
+# we need the || true because of
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891347
 xgettext "$HERE"/data/polkit/*.policy \
     -o "$OUTPUT" \
     --its="$HERE/po/its/polkit.its" \
     --no-location \
     --package-name=snappy \
     --msgid-bugs-address=snappy-devel@lists.ubuntu.com \
-    --join-existing \
-    || true
+    --join-existing || true
 
-#xgettext -d snappy -o "$OUTPUT" --c++ --from-code=UTF-8 \
-#	--indent --add-comments=TRANSLATORS: --no-location --sort-output \
-#	--package-name=snappy \
-#	--msgid-bugs-address=snappy-devel@lists.ubuntu.com \
-#	--keyword=NG:1,2 --keyword=G \
-#	$HERE/*/*.go $HERE/cmd/*/*.go
+check_canaries
 
 # language packs
-for p in ${HERE}/po/*.po; do
+for p in "${HERE}"/po/*.po; do
 	lang=$(basename "$p" .po)
 	mkdir -p "$HERE/share/locale/$lang/LC_MESSAGES"
 	msgfmt -v -o "$HERE/share/locale/$lang/LC_MESSAGES/snappy.mo" "$p"
diff -Nru snapd-2.32.3.2~14.04/userd/autostart.go snapd-2.37~rc1~14.04/userd/autostart.go
--- snapd-2.32.3.2~14.04/userd/autostart.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/autostart.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,278 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package userd
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"log/syslog"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/strutil"
+	"github.com/snapcore/snapd/strutil/shlex"
+	"github.com/snapcore/snapd/systemd"
+)
+
+var (
+	currentDesktop = splitSkippingEmpty(os.Getenv("XDG_CURRENT_DESKTOP"), ':')
+)
+
+func splitSkippingEmpty(s string, sep rune) []string {
+	return strings.FieldsFunc(s, func(r rune) bool { return r == sep })
+}
+
+// expandDesktopFields processes the input string and expands any %<char>
+// patterns. '%%' expands to '%', all other patterns expand to empty strings.
+func expandDesktopFields(in string) string {
+	raw := []rune(in)
+	out := make([]rune, 0, len(raw))
+
+	var hasKey bool
+	for _, r := range raw {
+		if hasKey {
+			hasKey = false
+			// only allow %% -> % expansion, drop other keys
+			if r == '%' {
+				out = append(out, r)
+			}
+			continue
+		} else if r == '%' {
+			hasKey = true
+			continue
+		}
+		out = append(out, r)
+	}
+	return string(out)
+}
+
+type skipDesktopFileError struct {
+	reason string
+}
+
+func (s *skipDesktopFileError) Error() string {
+	return s.reason
+}
+
+func isOneOfIn(of []string, other []string) bool {
+	for _, one := range of {
+		if strutil.ListContains(other, one) {
+			return true
+		}
+	}
+	return false
+}
+
+func loadAutostartDesktopFile(path string) (command string, err error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		bline := scanner.Bytes()
+		if bytes.HasPrefix(bline, []byte("#")) {
+			continue
+		}
+		split := bytes.SplitN(bline, []byte("="), 2)
+		if len(split) != 2 {
+			continue
+		}
+		// See https://standards.freedesktop.org/autostart-spec/autostart-spec-latest.html
+		// for details on how Hidden, OnlyShowIn, NotShownIn are handled.
+		switch string(split[0]) {
+		case "Exec":
+			command = strings.TrimSpace(expandDesktopFields(string(split[1])))
+		case "Hidden":
+			if bytes.Equal(split[1], []byte("true")) {
+				return "", &skipDesktopFileError{"desktop file is hidden"}
+			}
+		case "OnlyShowIn":
+			onlyIn := splitSkippingEmpty(string(split[1]), ';')
+			if !isOneOfIn(currentDesktop, onlyIn) {
+				return "", &skipDesktopFileError{fmt.Sprintf("current desktop %q not included in %q", currentDesktop, onlyIn)}
+			}
+		case "NotShownIn":
+			notIn := splitSkippingEmpty(string(split[1]), ';')
+			if isOneOfIn(currentDesktop, notIn) {
+				return "", &skipDesktopFileError{fmt.Sprintf("current desktop %q excluded by %q", currentDesktop, notIn)}
+			}
+		case "X-GNOME-Autostart-enabled":
+			// GNOME specific extension, see gnome-session:
+			// https://github.com/GNOME/gnome-session/blob/c449df5269e02c59ae83021a3110ec1b338a2bba/gnome-session/gsm-autostart-app.c#L110..L145
+			if !strutil.ListContains(currentDesktop, "GNOME") {
+				// not GNOME
+				continue
+			}
+			if !bytes.Equal(split[1], []byte("true")) {
+				return "", &skipDesktopFileError{"desktop file is hidden by X-GNOME-Autostart-enabled extension"}
+			}
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return "", err
+	}
+
+	command = strings.TrimSpace(command)
+	if command == "" {
+		return "", fmt.Errorf("Exec not found or invalid")
+	}
+	return command, nil
+
+}
+
+func autostartCmd(snapName, desktopFilePath string) (*exec.Cmd, error) {
+	desktopFile := filepath.Base(desktopFilePath)
+
+	info, err := snap.ReadCurrentInfo(snapName)
+	if err != nil {
+		return nil, err
+	}
+
+	var app *snap.AppInfo
+	for _, candidate := range info.Apps {
+		if candidate.Autostart == desktopFile {
+			app = candidate
+			break
+		}
+	}
+	if app == nil {
+		return nil, fmt.Errorf("cannot match desktop file with snap %s applications", snapName)
+	}
+
+	command, err := loadAutostartDesktopFile(desktopFilePath)
+	if err != nil {
+		if _, ok := err.(*skipDesktopFileError); ok {
+			return nil, fmt.Errorf("skipped: %v", err)
+		}
+		return nil, fmt.Errorf("cannot determine startup command for application %s in snap %s: %v", app.Name, snapName, err)
+	}
+	logger.Debugf("exec line: %v", command)
+
+	split, err := shlex.Split(command)
+	if err != nil {
+		return nil, fmt.Errorf("invalid application startup command: %v", err)
+	}
+
+	// NOTE: Ignore the actual argv[0] in Exec=.. line and replace it with a
+	// command of the snap application. Any arguments passed in the Exec=..
+	// line to the original command are preserved.
+	cmd := exec.Command(app.WrapperPath(), split[1:]...)
+	return cmd, nil
+}
+
+// failedAutostartError keeps track of errors that occurred when starting an
+// application for a specific desktop file, desktop file name is as a key
+type failedAutostartError map[string]error
+
+func (f failedAutostartError) Error() string {
+	var out bytes.Buffer
+
+	dfiles := make([]string, 0, len(f))
+	for desktopFile := range f {
+		dfiles = append(dfiles, desktopFile)
+	}
+	sort.Strings(dfiles)
+	for _, desktopFile := range dfiles {
+		fmt.Fprintf(&out, "- %q: %v\n", desktopFile, f[desktopFile])
+	}
+	return out.String()
+}
+
+func makeStdStreams(identifier string) (stdout *os.File, stderr *os.File) {
+	var err error
+
+	stdout, err = systemd.NewJournalStreamFile(identifier, syslog.LOG_INFO, false)
+	if err != nil {
+		logger.Noticef("failed to set up stdout journal stream for %q: %v", identifier, err)
+		stdout = os.Stdout
+	}
+
+	stderr, err = systemd.NewJournalStreamFile(identifier, syslog.LOG_WARNING, false)
+	if err != nil {
+		logger.Noticef("failed to set up stderr journal stream for %q: %v", identifier, err)
+		stderr = os.Stderr
+	}
+
+	return stdout, stderr
+}
+
+var userCurrent = user.Current
+
+// AutostartSessionApps starts applications which have placed their desktop
+// files in $SNAP_USER_DATA/.config/autostart
+//
+// NOTE: By the spec, the actual path is $SNAP_USER_DATA/${XDG_CONFIG_DIR}/autostart
+func AutostartSessionApps() error {
+	usr, err := userCurrent()
+	if err != nil {
+		return err
+	}
+
+	usrSnapDir := filepath.Join(usr.HomeDir, dirs.UserHomeSnapDir)
+
+	glob := filepath.Join(usrSnapDir, "*/current/.config/autostart/*.desktop")
+	matches, err := filepath.Glob(glob)
+	if err != nil {
+		return err
+	}
+
+	failedApps := make(failedAutostartError)
+	for _, desktopFilePath := range matches {
+		desktopFile := filepath.Base(desktopFilePath)
+		logger.Debugf("autostart desktop file %v", desktopFile)
+
+		// /home/foo/snap/some-snap/current/.config/autostart/some-app.desktop ->
+		//    some-snap/current/.config/autostart/some-app.desktop
+		noHomePrefix := strings.TrimPrefix(desktopFilePath, usrSnapDir+"/")
+		// some-snap/current/.config/autostart/some-app.desktop -> some-snap
+		snapName := noHomePrefix[0:strings.IndexByte(noHomePrefix, '/')]
+
+		logger.Debugf("snap name: %q", snapName)
+
+		cmd, err := autostartCmd(snapName, desktopFilePath)
+		if err != nil {
+			failedApps[desktopFile] = err
+			continue
+		}
+
+		// similarly to gnome-session, use the desktop file name as
+		// identifier, see:
+		// https://github.com/GNOME/gnome-session/blob/099c19099de8e351f6cc0f2110ad27648780a0fe/gnome-session/gsm-autostart-app.c#L948
+		cmd.Stdout, cmd.Stderr = makeStdStreams(desktopFile)
+		if err := cmd.Start(); err != nil {
+			failedApps[desktopFile] = fmt.Errorf("cannot autostart %q: %v", desktopFile, err)
+		}
+	}
+	if len(failedApps) > 0 {
+		return failedApps
+	}
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/userd/autostart_test.go snapd-2.37~rc1~14.04/userd/autostart_test.go
--- snapd-2.32.3.2~14.04/userd/autostart_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/autostart_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,325 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package userd_test
+
+import (
+	"io/ioutil"
+	"os"
+	"os/user"
+	"path"
+	"path/filepath"
+	"strings"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/testutil"
+	"github.com/snapcore/snapd/userd"
+)
+
+type autostartSuite struct {
+	dir                string
+	autostartDir       string
+	userDir            string
+	userCurrentRestore func()
+}
+
+var _ = Suite(&autostartSuite{})
+
+func (s *autostartSuite) SetUpTest(c *C) {
+	s.dir = c.MkDir()
+	dirs.SetRootDir(s.dir)
+	snap.MockSanitizePlugsSlots(func(snapInfo *snap.Info) {})
+
+	s.userDir = path.Join(s.dir, "home")
+	s.autostartDir = path.Join(s.userDir, ".config", "autostart")
+	s.userCurrentRestore = userd.MockUserCurrent(func() (*user.User, error) {
+		return &user.User{HomeDir: s.userDir}, nil
+	})
+
+	err := os.MkdirAll(s.autostartDir, 0755)
+	c.Assert(err, IsNil)
+}
+
+func (s *autostartSuite) TearDownTest(c *C) {
+	s.dir = c.MkDir()
+	dirs.SetRootDir("/")
+	if s.userCurrentRestore != nil {
+		s.userCurrentRestore()
+	}
+}
+
+func (s *autostartSuite) TestLoadAutostartDesktopFile(c *C) {
+	allGood := `[Desktop Entry]
+Exec=foo --bar
+`
+	allGoodWithFlags := `[Desktop Entry]
+Exec=foo --bar "%%p" %U %D +%s %%
+`
+	noExec := `[Desktop Entry]
+Type=Application
+`
+	emptyExec := `[Desktop Entry]
+Exec=
+`
+	onlySpacesExec := `[Desktop Entry]
+Exec=
+`
+	hidden := `[Desktop Entry]
+Exec=foo --bar
+Hidden=true
+`
+	hiddenFalse := `[Desktop Entry]
+Exec=foo --bar
+Hidden=false
+`
+	justGNOME := `[Desktop Entry]
+Exec=foo --bar
+OnlyShowIn=GNOME;
+`
+	notInGNOME := `[Desktop Entry]
+Exec=foo --bar
+NotShownIn=GNOME;
+`
+	notInGNOMEAndKDE := `[Desktop Entry]
+Exec=foo --bar
+NotShownIn=GNOME;KDE;
+`
+	hiddenGNOMEextension := `[Desktop Entry]
+Exec=foo --bar
+X-GNOME-Autostart-enabled=false
+`
+	GNOMEextension := `[Desktop Entry]
+Exec=foo --bar
+X-GNOME-Autostart-enabled=true
+`
+
+	for i, tc := range []struct {
+		in      string
+		out     string
+		err     string
+		current string
+	}{{
+		in:  allGood,
+		out: "foo --bar",
+	}, {
+		in:  noExec,
+		err: "Exec not found or invalid",
+	}, {
+		in:  emptyExec,
+		err: "Exec not found or invalid",
+	}, {
+		in:  onlySpacesExec,
+		err: "Exec not found or invalid",
+	}, {
+		in:  allGoodWithFlags,
+		out: `foo --bar "%p"   + %`,
+	}, {
+		in:  hidden,
+		err: `desktop file is hidden`,
+	}, {
+		in:  hiddenFalse,
+		out: `foo --bar`,
+	}, {
+		in:      justGNOME,
+		out:     "foo --bar",
+		current: "GNOME",
+	}, {
+		in:      justGNOME,
+		current: "KDE",
+		err:     `current desktop \["KDE"\] not included in \["GNOME"\]`,
+	}, {
+		in:      notInGNOME,
+		current: "GNOME",
+		err:     `current desktop \["GNOME"\] excluded by \["GNOME"\]`,
+	}, {
+		in:      notInGNOME,
+		current: "KDE",
+		out:     "foo --bar",
+	}, {
+		in:      notInGNOMEAndKDE,
+		current: "XFCE",
+		out:     "foo --bar",
+	}, {
+		in:      hiddenGNOMEextension,
+		current: "KDE",
+		out:     "foo --bar",
+	}, {
+		in:      hiddenGNOMEextension,
+		current: "GNOME",
+		err:     `desktop file is hidden by X-GNOME-Autostart-enabled extension`,
+	}, {
+		in:      GNOMEextension,
+		current: "GNOME",
+		out:     "foo --bar",
+	}, {
+		in:      GNOMEextension,
+		current: "KDE",
+		out:     "foo --bar",
+	}} {
+		c.Logf("tc %d", i)
+
+		path := filepath.Join(c.MkDir(), "foo.desktop")
+		err := ioutil.WriteFile(path, []byte(tc.in), 0644)
+		c.Assert(err, IsNil)
+
+		run := func() {
+			defer userd.MockCurrentDesktop(tc.current)()
+
+			cmd, err := userd.LoadAutostartDesktopFile(path)
+			if tc.err != "" {
+				c.Check(cmd, Equals, "")
+				c.Check(err, ErrorMatches, tc.err)
+			} else {
+				c.Check(err, IsNil)
+				c.Check(cmd, Equals, tc.out)
+			}
+		}
+		run()
+	}
+}
+
+var mockYaml = `name: snapname
+version: 1.0
+apps:
+ foo:
+  command: run-app
+  autostart: foo-stable.desktop
+`
+
+func (s *autostartSuite) TestTryAutostartAppValid(c *C) {
+	si := snaptest.MockSnapCurrent(c, mockYaml, &snap.SideInfo{Revision: snap.R("x2")})
+
+	appWrapperPath := si.Apps["foo"].WrapperPath()
+	err := os.MkdirAll(filepath.Dir(appWrapperPath), 0755)
+	c.Assert(err, IsNil)
+
+	appCmd := testutil.MockCommand(c, appWrapperPath, "")
+	defer appCmd.Restore()
+
+	fooDesktopFile := filepath.Join(s.autostartDir, "foo-stable.desktop")
+	writeFile(c, fooDesktopFile,
+		[]byte(`[Desktop Entry]
+Exec=this-is-ignored -a -b --foo="a b c" -z "dev"
+`))
+
+	cmd, err := userd.AutostartCmd("snapname", fooDesktopFile)
+	c.Assert(err, IsNil)
+	c.Assert(cmd.Path, Equals, appWrapperPath)
+
+	err = cmd.Start()
+	c.Assert(err, IsNil)
+	cmd.Wait()
+
+	c.Assert(appCmd.Calls(), DeepEquals,
+		[][]string{
+			{
+				filepath.Base(appWrapperPath),
+				"-a",
+				"-b",
+				"--foo=a b c",
+				"-z",
+				"dev",
+			},
+		})
+}
+
+func (s *autostartSuite) TestTryAutostartAppNoMatchingApp(c *C) {
+	snaptest.MockSnapCurrent(c, mockYaml, &snap.SideInfo{Revision: snap.R("x2")})
+
+	fooDesktopFile := filepath.Join(s.autostartDir, "foo-no-match.desktop")
+	writeFile(c, fooDesktopFile,
+		[]byte(`[Desktop Entry]
+Exec=this-is-ignored -a -b --foo="a b c" -z "dev"
+`))
+
+	cmd, err := userd.AutostartCmd("snapname", fooDesktopFile)
+	c.Assert(cmd, IsNil)
+	c.Assert(err, ErrorMatches, `cannot match desktop file with snap snapname applications`)
+}
+
+func (s *autostartSuite) TestTryAutostartAppNoSnap(c *C) {
+	fooDesktopFile := filepath.Join(s.autostartDir, "foo-stable.desktop")
+	writeFile(c, fooDesktopFile,
+		[]byte(`[Desktop Entry]
+Exec=this-is-ignored -a -b --foo="a b c" -z "dev"
+`))
+
+	cmd, err := userd.AutostartCmd("snapname", fooDesktopFile)
+	c.Assert(cmd, IsNil)
+	c.Assert(err, ErrorMatches, `cannot find current revision for snap snapname.*`)
+}
+
+func (s *autostartSuite) TestTryAutostartAppBadExec(c *C) {
+	snaptest.MockSnapCurrent(c, mockYaml, &snap.SideInfo{Revision: snap.R("x2")})
+
+	fooDesktopFile := filepath.Join(s.autostartDir, "foo-stable.desktop")
+	writeFile(c, fooDesktopFile,
+		[]byte(`[Desktop Entry]
+Foo=bar
+`))
+
+	cmd, err := userd.AutostartCmd("snapname", fooDesktopFile)
+	c.Assert(cmd, IsNil)
+	c.Assert(err, ErrorMatches, `cannot determine startup command for application foo in snap snapname: Exec not found or invalid`)
+}
+
+func writeFile(c *C, path string, content []byte) {
+	err := os.MkdirAll(filepath.Dir(path), 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(path, content, 0644)
+	c.Assert(err, IsNil)
+}
+
+func (s *autostartSuite) TestTryAutostartMany(c *C) {
+	var mockYamlTemplate = `name: {snap}
+version: 1.0
+apps:
+ foo:
+  command: run-app
+  autostart: foo-stable.desktop
+`
+
+	snaptest.MockSnapCurrent(c, strings.Replace(mockYamlTemplate, "{snap}", "a-foo", -1),
+		&snap.SideInfo{Revision: snap.R("x2")})
+	snaptest.MockSnapCurrent(c, strings.Replace(mockYamlTemplate, "{snap}", "b-foo", -1),
+		&snap.SideInfo{Revision: snap.R("x2")})
+	writeFile(c, filepath.Join(s.userDir, "snap/a-foo/current/.config/autostart/foo-stable.desktop"),
+		[]byte(`[Desktop Entry]
+Foo=bar
+`))
+	writeFile(c, filepath.Join(s.userDir, "snap/b-foo/current/.config/autostart/no-match.desktop"),
+		[]byte(`[Desktop Entry]
+Exec=no-snap
+`))
+	writeFile(c, filepath.Join(s.userDir, "snap/c-foo/current/.config/autostart/no-snap.desktop"),
+		[]byte(`[Desktop Entry]
+Exec=no-snap
+`))
+
+	err := userd.AutostartSessionApps()
+	c.Assert(err, NotNil)
+	c.Check(err, ErrorMatches, `- "foo-stable.desktop": cannot determine startup command for application foo in snap a-foo: Exec not found or invalid
+- "no-match.desktop": cannot match desktop file with snap b-foo applications
+- "no-snap.desktop": cannot find current revision for snap c-foo: readlink.*no such file or directory
+`)
+}
diff -Nru snapd-2.32.3.2~14.04/userd/export_test.go snapd-2.37~rc1~14.04/userd/export_test.go
--- snapd-2.32.3.2~14.04/userd/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -20,11 +20,16 @@
 package userd
 
 import (
+	"os/user"
+
 	"github.com/godbus/dbus"
 )
 
 var (
 	SnapFromPid = snapFromPid
+
+	LoadAutostartDesktopFile = loadAutostartDesktopFile
+	AutostartCmd             = autostartCmd
 )
 
 func MockSnapFromSender(f func(*dbus.Conn, dbus.Sender) (string, error)) func() {
@@ -34,3 +39,19 @@
 		snapFromSender = origSnapFromSender
 	}
 }
+
+func MockUserCurrent(f func() (*user.User, error)) func() {
+	origUserCurrent := userCurrent
+	userCurrent = f
+	return func() {
+		userCurrent = origUserCurrent
+	}
+}
+
+func MockCurrentDesktop(current string) func() {
+	old := currentDesktop
+	currentDesktop = splitSkippingEmpty(current, ':')
+	return func() {
+		currentDesktop = old
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/userd/launcher.go snapd-2.37~rc1~14.04/userd/launcher.go
--- snapd-2.32.3.2~14.04/userd/launcher.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/launcher.go	2019-01-16 08:36:51.000000000 +0000
@@ -53,7 +53,7 @@
 </interface>`
 
 var (
-	allowedURLSchemes = []string{"http", "https", "mailto"}
+	allowedURLSchemes = []string{"http", "https", "mailto", "snap"}
 )
 
 // Launcher implements the 'io.snapcraft.Launcher' DBus interface.
diff -Nru snapd-2.32.3.2~14.04/userd/launcher_test.go snapd-2.37~rc1~14.04/userd/launcher_test.go
--- snapd-2.32.3.2~14.04/userd/launcher_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/launcher_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -75,7 +75,7 @@
 }
 
 func (s *launcherSuite) TestOpenURLWithAllowedSchemeHappy(c *C) {
-	for _, schema := range []string{"http", "https", "mailto"} {
+	for _, schema := range []string{"http", "https", "mailto", "snap"} {
 		err := s.launcher.OpenURL(schema + "://snapcraft.io")
 		c.Assert(err, IsNil)
 		c.Assert(s.mockXdgOpen.Calls(), DeepEquals, [][]string{
@@ -94,9 +94,18 @@
 	c.Assert(err, ErrorMatches, "cannot open supplied URL")
 }
 
+func mockUICommands(c *C, script string) (restore func()) {
+	mock := testutil.MockCommand(c, "zenity", script)
+	mock.Also("kdialog", script)
+
+	return func() {
+		mock.Restore()
+	}
+}
+
 func (s *launcherSuite) TestOpenFileUserAccepts(c *C) {
-	mockZenity := testutil.MockCommand(c, "zenity", "true")
-	defer mockZenity.Restore()
+	restore := mockUICommands(c, "true")
+	defer restore()
 
 	path := filepath.Join(c.MkDir(), "test.txt")
 	c.Assert(ioutil.WriteFile(path, []byte("Hello world"), 0644), IsNil)
@@ -116,8 +125,8 @@
 }
 
 func (s *launcherSuite) TestOpenFileUserDeclines(c *C) {
-	mockZenity := testutil.MockCommand(c, "zenity", "false")
-	defer mockZenity.Restore()
+	restore := mockUICommands(c, "false")
+	defer restore()
 
 	path := filepath.Join(c.MkDir(), "test.txt")
 	c.Assert(ioutil.WriteFile(path, []byte("Hello world"), 0644), IsNil)
@@ -136,8 +145,8 @@
 }
 
 func (s *launcherSuite) TestOpenFileSucceedsWithDirectory(c *C) {
-	mockZenity := testutil.MockCommand(c, "zenity", "true")
-	defer mockZenity.Restore()
+	restore := mockUICommands(c, "true")
+	defer restore()
 
 	dir := c.MkDir()
 	fd, err := syscall.Open(dir, syscall.O_RDONLY|syscall.O_DIRECTORY, 0755)
@@ -155,8 +164,8 @@
 }
 
 func (s *launcherSuite) TestOpenFileFailsWithDeviceFile(c *C) {
-	mockZenity := testutil.MockCommand(c, "zenity", "true")
-	defer mockZenity.Restore()
+	restore := mockUICommands(c, "true")
+	defer restore()
 
 	file, err := os.Open("/dev/null")
 	c.Assert(err, IsNil)
@@ -172,8 +181,8 @@
 }
 
 func (s *launcherSuite) TestOpenFileFailsWithPathDescriptor(c *C) {
-	mockZenity := testutil.MockCommand(c, "zenity", "true")
-	defer mockZenity.Restore()
+	restore := mockUICommands(c, "true")
+	defer restore()
 
 	dir := c.MkDir()
 	fd, err := syscall.Open(dir, sys.O_PATH, 0755)
diff -Nru snapd-2.32.3.2~14.04/userd/settings.go snapd-2.37~rc1~14.04/userd/settings.go
--- snapd-2.32.3.2~14.04/userd/settings.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/settings.go	2019-01-16 08:36:51.000000000 +0000
@@ -208,7 +208,7 @@
 		i18n.G("Allow settings change?"),
 		fmt.Sprintf(i18n.G("Allow snap %q to change %q to %q ?"), snap, setting, new),
 		&ui.DialogOptions{
-			Timeout: 5 * 60 * time.Second,
+			Timeout: defaultConfirmDialogTimeout,
 			Footer:  i18n.G("This dialog will close automatically after 5 minutes of inactivity."),
 		},
 	)
diff -Nru snapd-2.32.3.2~14.04/userd/settings_test.go snapd-2.37~rc1~14.04/userd/settings_test.go
--- snapd-2.32.3.2~14.04/userd/settings_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/settings_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -30,6 +30,7 @@
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/testutil"
 	"github.com/snapcore/snapd/userd"
+	"github.com/snapcore/snapd/userd/ui"
 )
 
 type settingsSuite struct {
@@ -69,6 +70,15 @@
 	s.restoreSnapFromSender()
 }
 
+func mockUIcommands(c *C, script string) func() {
+	mockZenity := testutil.MockCommand(c, "zenity", script)
+	mockKDialog := testutil.MockCommand(c, "kdialog", script)
+	return func() {
+		mockZenity.Restore()
+		mockKDialog.Restore()
+	}
+}
+
 func (s *settingsSuite) TestGetUnhappy(c *C) {
 	for _, t := range []struct {
 		setting    string
@@ -123,10 +133,7 @@
 	c.Assert(s.mockXdgSettings.Calls(), IsNil)
 }
 
-func (s *settingsSuite) TestSetUserDeclined(c *C) {
-	mockZenity := testutil.MockCommand(c, "zenity", "false")
-	defer mockZenity.Restore()
-
+func (s *settingsSuite) testSetUserDeclined(c *C) {
 	df := filepath.Join(dirs.SnapDesktopFilesDir, "some-snap_bar.desktop")
 	err := os.MkdirAll(filepath.Dir(df), 0755)
 	c.Assert(err, IsNil)
@@ -144,10 +151,31 @@
 	*/
 }
 
-func (s *settingsSuite) TestSetUserAccepts(c *C) {
-	mockZenity := testutil.MockCommand(c, "zenity", "true")
-	defer mockZenity.Restore()
+func (s *settingsSuite) TestSetUserDeclinedKDialog(c *C) {
+	// force zenity exec missing
+	restoreZenity := ui.MockHasZenityExecutable(func() bool { return false })
+	restoreCmds := mockUIcommands(c, "false")
+	defer func() {
+		restoreZenity()
+		restoreCmds()
+	}()
+
+	s.testSetUserDeclined(c)
+}
+
+func (s *settingsSuite) TestSetUserDeclinedZenity(c *C) {
+	// force kdialog exec missing
+	restoreKDialog := ui.MockHasKDialogExecutable(func() bool { return false })
+	restoreCmds := mockUIcommands(c, "false")
+	defer func() {
+		restoreKDialog()
+		restoreCmds()
+	}()
 
+	s.testSetUserDeclined(c)
+}
+
+func (s *settingsSuite) testSetUserAccepts(c *C) {
 	df := filepath.Join(dirs.SnapDesktopFilesDir, "some-snap_foo.desktop")
 	err := os.MkdirAll(filepath.Dir(df), 0755)
 	c.Assert(err, IsNil)
@@ -165,5 +193,28 @@
 				{"zenity", "--question", "--text=Allow changing setting \"default-web-browser\" to \"foo.desktop\" ?"},
 		})
 	*/
+}
+
+func (s *settingsSuite) TestSetUserAcceptsZenity(c *C) {
+	// force kdialog exec missing
+	restoreKDialog := ui.MockHasKDialogExecutable(func() bool { return false })
+	restoreCmds := mockUIcommands(c, "true")
+	defer func() {
+		restoreKDialog()
+		restoreCmds()
+	}()
+
+	s.testSetUserAccepts(c)
+}
+
+func (s *settingsSuite) TestSetUserAcceptsKDialog(c *C) {
+	// force zenity exec missing
+	restoreZenity := ui.MockHasZenityExecutable(func() bool { return false })
+	restoreCmds := mockUIcommands(c, "true")
+	defer func() {
+		restoreZenity()
+		restoreCmds()
+	}()
 
+	s.testSetUserAccepts(c)
 }
diff -Nru snapd-2.32.3.2~14.04/userd/ui/ui.go snapd-2.37~rc1~14.04/userd/ui/ui.go
--- snapd-2.32.3.2~14.04/userd/ui/ui.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/ui/ui.go	2019-01-16 08:36:51.000000000 +0000
@@ -46,11 +46,35 @@
 	Timeout time.Duration
 }
 
+var hasZenityExecutable = func() bool {
+	return osutil.ExecutableExists("zenity")
+}
+
+var hasKDialogExecutable = func() bool {
+	return osutil.ExecutableExists("kdialog")
+}
+
+func MockHasZenityExecutable(f func() bool) func() {
+	oldHasZenityExecutable := hasZenityExecutable
+	hasZenityExecutable = f
+	return func() {
+		hasZenityExecutable = oldHasZenityExecutable
+	}
+}
+
+func MockHasKDialogExecutable(f func() bool) func() {
+	oldHasKDialogExecutable := hasKDialogExecutable
+	hasKDialogExecutable = f
+	return func() {
+		hasKDialogExecutable = oldHasKDialogExecutable
+	}
+}
+
 // New returns the best matching UI interface for the given system
 // or an error if no ui can be created.
 func New() (UI, error) {
-	hasZenity := osutil.ExecutableExists("zenity")
-	hasKDialog := osutil.ExecutableExists("kdialog")
+	hasZenity := hasZenityExecutable()
+	hasKDialog := hasKDialogExecutable()
 
 	switch {
 	case hasZenity && hasKDialog:
diff -Nru snapd-2.32.3.2~14.04/userd/ui/zenity.go snapd-2.37~rc1~14.04/userd/ui/zenity.go
--- snapd-2.32.3.2~14.04/userd/ui/zenity.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/ui/zenity.go	2019-01-16 08:36:51.000000000 +0000
@@ -42,6 +42,15 @@
 	if options.Timeout > 0 {
 		args = append(args, fmt.Sprintf("--timeout=%d", int(options.Timeout/time.Second)))
 	}
+	// Gtk is not doing a good job with long labels. It will
+	// create a very narrow and long window (minimal width to fit
+	// the buttons).  So force a bigger width here. See also LP:
+	// 1778484. The primary number is lower because the header is
+	// in a bigger font.
+	if len(primary) > 10 || len(secondary) > 20 {
+		args = append(args, "--width=500")
+	}
+
 	cmd := exec.Command("zenity", args...)
 	if err := cmd.Start(); err != nil {
 		return false
diff -Nru snapd-2.32.3.2~14.04/userd/ui/zenity_test.go snapd-2.37~rc1~14.04/userd/ui/zenity_test.go
--- snapd-2.32.3.2~14.04/userd/ui/zenity_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/ui/zenity_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -62,6 +62,17 @@
 	})
 }
 
+func (s *zenitySuite) TestYesNoLong(c *C) {
+	mock := testutil.MockCommand(c, "zenity", "true")
+	defer mock.Restore()
+
+	z := &ui.Zenity{}
+	_ = z.YesNo("01234567890", "01234567890", nil)
+	c.Check(mock.Calls(), DeepEquals, [][]string{
+		{"zenity", "--question", "--modal", "--text=<big><b>01234567890</b></big>\n\n01234567890", "--width=500"},
+	})
+}
+
 func (s *zenitySuite) TestYesNoSimpleFooter(c *C) {
 	mock := testutil.MockCommand(c, "zenity", "")
 	defer mock.Restore()
diff -Nru snapd-2.32.3.2~14.04/userd/userd.go snapd-2.37~rc1~14.04/userd/userd.go
--- snapd-2.32.3.2~14.04/userd/userd.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/userd/userd.go	2019-01-16 08:36:51.000000000 +0000
@@ -41,10 +41,28 @@
 	dbusIfaces []dbusInterface
 }
 
+func dbusSessionBus() (*dbus.Conn, error) {
+	// use a private connection to the session bus, this way we can manage
+	// its lifetime without worrying of breaking other code
+	conn, err := dbus.SessionBusPrivate()
+	if err != nil {
+		return nil, err
+	}
+	if err := conn.Auth(nil); err != nil {
+		conn.Close()
+		return nil, err
+	}
+	if err := conn.Hello(); err != nil {
+		conn.Close()
+		return nil, err
+	}
+	return conn, nil
+}
+
 func (ud *Userd) Init() error {
 	var err error
 
-	ud.conn, err = dbus.SessionBus()
+	ud.conn, err = dbusSessionBus()
 	if err != nil {
 		return err
 	}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/activation/files.go snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/activation/files.go
--- snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/activation/files.go	2017-09-07 12:49:04.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/activation/files.go	2018-11-29 09:57:40.000000000 +0000
@@ -18,18 +18,26 @@
 import (
 	"os"
 	"strconv"
+	"strings"
 	"syscall"
 )
 
-// based on: https://gist.github.com/alberts/4640792
 const (
+	// listenFdsStart corresponds to `SD_LISTEN_FDS_START`.
 	listenFdsStart = 3
 )
 
+// Files returns a slice containing a `os.File` object for each
+// file descriptor passed to this process via systemd fd-passing protocol.
+//
+// The order of the file descriptors is preserved in the returned slice.
+// `unsetEnv` is typically set to `true` in order to avoid clashes in
+// fd usage and to avoid leaking environment flags to child processes.
 func Files(unsetEnv bool) []*os.File {
 	if unsetEnv {
 		defer os.Unsetenv("LISTEN_PID")
 		defer os.Unsetenv("LISTEN_FDS")
+		defer os.Unsetenv("LISTEN_FDNAMES")
 	}
 
 	pid, err := strconv.Atoi(os.Getenv("LISTEN_PID"))
@@ -42,10 +50,17 @@
 		return nil
 	}
 
+	names := strings.Split(os.Getenv("LISTEN_FDNAMES"), ":")
+
 	files := make([]*os.File, 0, nfds)
 	for fd := listenFdsStart; fd < listenFdsStart+nfds; fd++ {
 		syscall.CloseOnExec(fd)
-		files = append(files, os.NewFile(uintptr(fd), "LISTEN_FD_"+strconv.Itoa(fd)))
+		name := "LISTEN_FD_" + strconv.Itoa(fd)
+		offset := fd - listenFdsStart
+		if offset < len(names) && len(names[offset]) > 0 {
+			name = names[offset]
+		}
+		files = append(files, os.NewFile(uintptr(fd), name))
 	}
 
 	return files
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/activation/listeners.go snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/activation/listeners.go
--- snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/activation/listeners.go	2017-09-07 12:49:04.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/activation/listeners.go	2018-11-29 09:57:40.000000000 +0000
@@ -25,13 +25,33 @@
 // The order of the file descriptors is preserved in the returned slice.
 // Nil values are used to fill any gaps. For example if systemd were to return file descriptors
 // corresponding with "udp, tcp, tcp", then the slice would contain {nil, net.Listener, net.Listener}
-func Listeners(unsetEnv bool) ([]net.Listener, error) {
-	files := Files(unsetEnv)
+func Listeners() ([]net.Listener, error) {
+	files := Files(true)
 	listeners := make([]net.Listener, len(files))
 
 	for i, f := range files {
 		if pc, err := net.FileListener(f); err == nil {
 			listeners[i] = pc
+			f.Close()
+		}
+	}
+	return listeners, nil
+}
+
+// ListenersWithNames maps a listener name to a set of net.Listener instances.
+func ListenersWithNames() (map[string][]net.Listener, error) {
+	files := Files(true)
+	listeners := map[string][]net.Listener{}
+
+	for _, f := range files {
+		if pc, err := net.FileListener(f); err == nil {
+			current, ok := listeners[f.Name()]
+			if !ok {
+				listeners[f.Name()] = []net.Listener{pc}
+			} else {
+				listeners[f.Name()] = append(current, pc)
+			}
+			f.Close()
 		}
 	}
 	return listeners, nil
@@ -40,8 +60,8 @@
 // TLSListeners returns a slice containing a net.listener for each matching TCP socket type
 // passed to this process.
 // It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
-func TLSListeners(unsetEnv bool, tlsConfig *tls.Config) ([]net.Listener, error) {
-	listeners, err := Listeners(unsetEnv)
+func TLSListeners(tlsConfig *tls.Config) ([]net.Listener, error) {
+	listeners, err := Listeners()
 
 	if listeners == nil || err != nil {
 		return nil, err
@@ -55,6 +75,29 @@
 			}
 		}
 	}
+
+	return listeners, err
+}
+
+// TLSListenersWithNames maps a listener name to a net.Listener with
+// the associated TLS configuration.
+func TLSListenersWithNames(tlsConfig *tls.Config) (map[string][]net.Listener, error) {
+	listeners, err := ListenersWithNames()
+
+	if listeners == nil || err != nil {
+		return nil, err
+	}
+
+	if tlsConfig != nil && err == nil {
+		for _, ll := range listeners {
+			// Activate TLS only for TCP sockets
+			for i, l := range ll {
+				if l.Addr().Network() == "tcp" {
+					ll[i] = tls.NewListener(l, tlsConfig)
+				}
+			}
+		}
+	}
 
 	return listeners, err
 }
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/activation/packetconns.go snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/activation/packetconns.go
--- snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/activation/packetconns.go	2017-09-07 12:49:04.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/activation/packetconns.go	2018-11-29 09:57:40.000000000 +0000
@@ -24,13 +24,14 @@
 // The order of the file descriptors is preserved in the returned slice.
 // Nil values are used to fill any gaps. For example if systemd were to return file descriptors
 // corresponding with "udp, tcp, udp", then the slice would contain {net.PacketConn, nil, net.PacketConn}
-func PacketConns(unsetEnv bool) ([]net.PacketConn, error) {
-	files := Files(unsetEnv)
+func PacketConns() ([]net.PacketConn, error) {
+	files := Files(true)
 	conns := make([]net.PacketConn, len(files))
 
 	for i, f := range files {
 		if pc, err := net.FilePacketConn(f); err == nil {
 			conns[i] = pc
+			f.Close()
 		}
 	}
 	return conns, nil
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/NOTICE snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/NOTICE
--- snapd-2.32.3.2~14.04/vendor/github.com/coreos/go-systemd/NOTICE	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/coreos/go-systemd/NOTICE	2018-11-29 09:57:40.000000000 +0000
@@ -0,0 +1,5 @@
+CoreOS Project
+Copyright 2018 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/command.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/command.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/command.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/command.go	2018-10-16 07:03:23.000000000 +0000
@@ -5,7 +5,6 @@
 	"sort"
 	"strconv"
 	"strings"
-	"unsafe"
 )
 
 // Command represents an application command. Commands can be added to the
@@ -229,7 +228,17 @@
 		subcommand := mtag.Get("command")
 
 		if len(subcommand) != 0 {
-			ptrval := reflect.NewAt(realval.Type(), unsafe.Pointer(realval.UnsafeAddr()))
+			var ptrval reflect.Value
+
+			if realval.Kind() == reflect.Ptr {
+				ptrval = realval
+
+				if ptrval.IsNil() {
+					ptrval.Set(reflect.New(ptrval.Type().Elem()))
+				}
+			} else {
+				ptrval = realval.Addr()
+			}
 
 			shortDescription := mtag.Get("description")
 			longDescription := mtag.Get("long-description")
@@ -237,6 +246,7 @@
 			aliases := mtag.GetMany("alias")
 
 			subc, err := c.AddCommand(subcommand, shortDescription, longDescription, ptrval.Interface())
+
 			if err != nil {
 				return true, err
 			}
@@ -428,7 +438,7 @@
 	return false
 }
 
-func (c *Command) hasCliOptions() bool {
+func (c *Command) hasHelpOptions() bool {
 	ret := false
 
 	c.eachGroup(func(g *Group) {
@@ -437,7 +447,7 @@
 		}
 
 		for _, opt := range g.options {
-			if opt.canCli() {
+			if opt.showInHelp() {
 				ret = true
 			}
 		}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/completion.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/completion.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/completion.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/completion.go	2018-10-16 07:03:23.000000000 +0000
@@ -2,6 +2,7 @@
 
 import (
 	"fmt"
+	"os"
 	"path/filepath"
 	"reflect"
 	"sort"
@@ -62,6 +63,11 @@
 // prefix.
 func (f *Filename) Complete(match string) []Completion {
 	ret, _ := filepath.Glob(match + "*")
+	if len(ret) == 1 {
+		if info, err := os.Stat(ret[0]); err == nil && info.IsDir() {
+			ret[0] = ret[0] + "/"
+		}
+	}
 	return completionsWithoutDescriptions(ret)
 }
 
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/flags.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/flags.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/flags.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/flags.go	2018-10-16 07:03:23.000000000 +0000
@@ -109,7 +109,8 @@
     value-name:     the name of the argument value (to be shown in the help)
                     (optional)
     choice:         limits the values for an option to a set of values.
-                    This tag can be specified multiple times (optional)
+                    Repeat this tag once for each allowable value.
+                    e.g. `long:"animal" choice:"cat" choice:"dog"`
     hidden:         if non-empty, the option is not visible in the help or man page.
 
     base: a base (radix) used to convert strings to integer values, the
@@ -125,6 +126,10 @@
                           gets prepended to every option's long name and
                           subgroup's namespace of this group, separated by
                           the parser's namespace delimiter (optional)
+    env-namespace:        when specified on a group struct field, the env-namespace
+                          gets prepended to every option's env key and
+                          subgroup's env-namespace of this group, separated by
+                          the parser's env-namespace delimiter (optional)
     command:              when specified on a struct field, makes the struct
                           field a (sub)command with the given name (optional)
     subcommands-optional: when specified on a command struct field, makes
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/group.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/group.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/group.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/group.go	2018-10-16 07:03:23.000000000 +0000
@@ -9,7 +9,6 @@
 	"reflect"
 	"strings"
 	"unicode/utf8"
-	"unsafe"
 )
 
 // ErrNotPointerToStruct indicates that a provided data container is not
@@ -35,6 +34,9 @@
 	// The namespace of the group
 	Namespace string
 
+	// The environment namespace of the group
+	EnvNamespace string
+
 	// If true, the group is not displayed in the help or man page
 	Hidden bool
 
@@ -166,6 +168,18 @@
 	return retopt
 }
 
+func (g *Group) showInHelp() bool {
+	if g.Hidden {
+		return false
+	}
+	for _, opt := range g.options {
+		if opt.showInHelp() {
+			return true
+		}
+	}
+	return false
+}
+
 func (g *Group) eachGroup(f func(*Group)) {
 	f(g)
 
@@ -338,15 +352,28 @@
 	subgroup := mtag.Get("group")
 
 	if len(subgroup) != 0 {
-		ptrval := reflect.NewAt(realval.Type(), unsafe.Pointer(realval.UnsafeAddr()))
+		var ptrval reflect.Value
+
+		if realval.Kind() == reflect.Ptr {
+			ptrval = realval
+
+			if ptrval.IsNil() {
+				ptrval.Set(reflect.New(ptrval.Type()))
+			}
+		} else {
+			ptrval = realval.Addr()
+		}
+
 		description := mtag.Get("description")
 
 		group, err := g.AddGroup(subgroup, description, ptrval.Interface())
+
 		if err != nil {
 			return true, err
 		}
 
 		group.Namespace = mtag.Get("namespace")
+		group.EnvNamespace = mtag.Get("env-namespace")
 		group.Hidden = mtag.Get("hidden") != ""
 
 		return true, nil
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/help.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/help.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/help.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/help.go	2018-10-16 07:03:23.000000000 +0000
@@ -79,7 +79,7 @@
 		}
 
 		for _, info := range grp.options {
-			if !info.canCli() {
+			if !info.showInHelp() {
 				continue
 			}
 
@@ -225,12 +225,12 @@
 		}
 
 		var envDef string
-		if option.EnvDefaultKey != "" {
+		if option.EnvKeyWithNamespace() != "" {
 			var envPrintable string
 			if runtime.GOOS == "windows" {
-				envPrintable = "%" + option.EnvDefaultKey + "%"
+				envPrintable = "%" + option.EnvKeyWithNamespace() + "%"
 			} else {
-				envPrintable = "$" + option.EnvDefaultKey
+				envPrintable = "$" + option.EnvKeyWithNamespace()
 			}
 			envDef = fmt.Sprintf(" [%s]", envPrintable)
 		}
@@ -305,7 +305,7 @@
 				}
 			} else if us, ok := allcmd.data.(Usage); ok {
 				usage = us.Usage()
-			} else if allcmd.hasCliOptions() {
+			} else if allcmd.hasHelpOptions() {
 				usage = fmt.Sprintf("[%s-OPTIONS]", allcmd.Name)
 			}
 
@@ -393,7 +393,7 @@
 			}
 
 			for _, info := range grp.options {
-				if !info.canCli() || info.Hidden {
+				if !info.showInHelp() {
 					continue
 				}
 
@@ -489,3 +489,23 @@
 
 	wr.Flush()
 }
+
+// WroteHelp is a helper to test the error from ParseArgs() to
+// determine if the help message was written. It is safe to
+// call without first checking that error is nil.
+func WroteHelp(err error) bool {
+	if err == nil { // No error
+		return false
+	}
+
+	flagError, ok := err.(*Error)
+	if !ok { // Not a go-flag error
+		return false
+	}
+
+	if flagError.Type != ErrHelp { // Did not print the help message
+		return false
+	}
+
+	return true
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/man.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/man.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/man.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/man.go	2018-10-16 07:03:23.000000000 +0000
@@ -38,7 +38,7 @@
 
 func writeManPageOptions(wr io.Writer, grp *Group) {
 	grp.eachGroup(func(group *Group) {
-		if group.Hidden || len(group.options) == 0 {
+		if !group.showInHelp() {
 			return
 		}
 
@@ -54,7 +54,7 @@
 		}
 
 		for _, opt := range group.options {
-			if !opt.canCli() || opt.Hidden {
+			if !opt.showInHelp() {
 				continue
 			}
 
@@ -83,11 +83,11 @@
 
 			if len(opt.Default) != 0 {
 				fmt.Fprintf(wr, " <default: \\fI%s\\fR>", manQuote(strings.Join(quoteV(opt.Default), ", ")))
-			} else if len(opt.EnvDefaultKey) != 0 {
+			} else if len(opt.EnvKeyWithNamespace()) != 0 {
 				if runtime.GOOS == "windows" {
-					fmt.Fprintf(wr, " <default: \\fI%%%s%%\\fR>", manQuote(opt.EnvDefaultKey))
+					fmt.Fprintf(wr, " <default: \\fI%%%s%%\\fR>", manQuote(opt.EnvKeyWithNamespace()))
 				} else {
-					fmt.Fprintf(wr, " <default: \\fI$%s\\fR>", manQuote(opt.EnvDefaultKey))
+					fmt.Fprintf(wr, " <default: \\fI$%s\\fR>", manQuote(opt.EnvKeyWithNamespace()))
 				}
 			}
 
@@ -148,12 +148,12 @@
 	var usage string
 	if us, ok := command.data.(Usage); ok {
 		usage = us.Usage()
-	} else if command.hasCliOptions() {
+	} else if command.hasHelpOptions() {
 		usage = fmt.Sprintf("[%s-OPTIONS]", command.Name)
 	}
 
 	var pre string
-	if root.hasCliOptions() {
+	if root.hasHelpOptions() {
 		pre = fmt.Sprintf("%s [OPTIONS] %s", root.Name, command.Name)
 	} else {
 		pre = fmt.Sprintf("%s %s", root.Name, command.Name)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/option.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/option.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/option.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/option.go	2018-10-16 07:03:23.000000000 +0000
@@ -3,9 +3,9 @@
 import (
 	"bytes"
 	"fmt"
+	"os"
 	"reflect"
 	"strings"
-	"syscall"
 	"unicode/utf8"
 )
 
@@ -139,6 +139,57 @@
 	return longName
 }
 
+// EnvKeyWithNamespace returns the option's env key with the group namespaces
+// prepended by walking up the option's group tree. Namespaces and the env key
+// itself are separated by the parser's namespace delimiter. If the env key is
+// empty an empty string is returned.
+func (option *Option) EnvKeyWithNamespace() string {
+	if len(option.EnvDefaultKey) == 0 {
+		return ""
+	}
+
+	// fetch the namespace delimiter from the parser which is always at the
+	// end of the group hierarchy
+	namespaceDelimiter := ""
+	g := option.group
+
+	for {
+		if p, ok := g.parent.(*Parser); ok {
+			namespaceDelimiter = p.EnvNamespaceDelimiter
+
+			break
+		}
+
+		switch i := g.parent.(type) {
+		case *Command:
+			g = i.Group
+		case *Group:
+			g = i
+		}
+	}
+
+	// concatenate long name with namespace
+	key := option.EnvDefaultKey
+	g = option.group
+
+	for g != nil {
+		if g.EnvNamespace != "" {
+			key = g.EnvNamespace + namespaceDelimiter + key
+		}
+
+		switch i := g.parent.(type) {
+		case *Command:
+			g = i.Group
+		case *Group:
+			g = i
+		case *Parser:
+			g = nil
+		}
+	}
+
+	return key
+}
+
 // String converts an option to a human friendly readable string describing the
 // option.
 func (option *Option) String() string {
@@ -229,8 +280,8 @@
 	return convert("", option.value, option.tag)
 }
 
-func (option *Option) canCli() bool {
-	return option.ShortName != 0 || len(option.LongName) != 0
+func (option *Option) showInHelp() bool {
+	return !option.Hidden && (option.ShortName != 0 || len(option.LongName) != 0)
 }
 
 func (option *Option) canArgument() bool {
@@ -260,13 +311,10 @@
 func (option *Option) clearDefault() {
 	usedDefault := option.Default
 
-	if envKey := option.EnvDefaultKey; envKey != "" {
-		// os.Getenv() makes no distinction between undefined and
-		// empty values, so we use syscall.Getenv()
-		if value, ok := syscall.Getenv(envKey); ok {
+	if envKey := option.EnvKeyWithNamespace(); envKey != "" {
+		if value, ok := os.LookupEnv(envKey); ok {
 			if option.EnvDefaultDelim != "" {
-				usedDefault = strings.Split(value,
-					option.EnvDefaultDelim)
+				usedDefault = strings.Split(value, option.EnvDefaultDelim)
 			} else {
 				usedDefault = []string{value}
 			}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/parser.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/parser.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/parser.go	2017-09-07 12:49:06.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/parser.go	2018-10-16 07:03:23.000000000 +0000
@@ -29,6 +29,9 @@
 	// NamespaceDelimiter separates group namespaces and option long names
 	NamespaceDelimiter string
 
+	// EnvNamespaceDelimiter separates group env namespaces and env keys
+	EnvNamespaceDelimiter string
+
 	// UnknownOptionsHandler is a function which gets called when the parser
 	// encounters an unknown option. The function receives the unknown option
 	// name, a SplitArgument which specifies its value if set with an argument
@@ -170,9 +173,10 @@
 // be added to this parser by using AddGroup and AddCommand.
 func NewNamedParser(appname string, options Options) *Parser {
 	p := &Parser{
-		Command:            newCommand(appname, "", "", nil),
-		Options:            options,
-		NamespaceDelimiter: ".",
+		Command:               newCommand(appname, "", "", nil),
+		Options:               options,
+		NamespaceDelimiter:    ".",
+		EnvNamespaceDelimiter: "_",
 	}
 
 	p.Command.parent = p
@@ -237,6 +241,7 @@
 	p.fillParseState(s)
 
 	for !s.eof() {
+		var err error
 		arg := s.pop()
 
 		// When PassDoubleDash is set and we encounter a --, then
@@ -247,6 +252,20 @@
 		}
 
 		if !argumentIsOption(arg) {
+			if (p.Options&PassAfterNonOption) != None && s.lookup.commands[arg] == nil {
+				// If PassAfterNonOption is set then all remaining arguments
+				// are considered positional
+				if err = s.addArgs(s.arg); err != nil {
+					break
+				}
+
+				if err = s.addArgs(s.args...); err != nil {
+					break
+				}
+
+				break
+			}
+
 			// Note: this also sets s.err, so we can just check for
 			// nil here and use s.err later
 			if p.parseNonOption(s) != nil {
@@ -256,8 +275,6 @@
 			continue
 		}
 
-		var err error
-
 		prefix, optname, islong := stripOptionPrefix(arg)
 		optname, _, argument := splitOption(prefix, optname, islong)
 
@@ -649,23 +666,7 @@
 		}
 	}
 
-	if (p.Options & PassAfterNonOption) != None {
-		// If PassAfterNonOption is set then all remaining arguments
-		// are considered positional
-		if err := s.addArgs(s.arg); err != nil {
-			return err
-		}
-
-		if err := s.addArgs(s.args...); err != nil {
-			return err
-		}
-
-		s.args = []string{}
-	} else {
-		return s.addArgs(s.arg)
-	}
-
-	return nil
+	return s.addArgs(s.arg)
 }
 
 func (p *Parser) showBuiltinHelp() error {
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/README.md snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/README.md
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/README.md	2016-08-30 12:27:41.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/README.md	2018-10-16 07:03:23.000000000 +0000
@@ -61,6 +61,9 @@
 	// Example of a required flag
 	Name string `short:"n" long:"name" description:"A name" required:"true"`
 
+	// Example of a flag restricted to a pre-defined set of strings
+	Name string `long:"animal" choice:"cat" choice:"dog"`
+
 	// Example of a value name
 	File string `short:"f" long:"file" description:"A file" value-name:"FILE"`
 
@@ -110,7 +113,6 @@
 
 if err != nil {
 	panic(err)
-	os.Exit(1)
 }
 
 fmt.Printf("Verbosity: %v\n", opts.Verbose)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize.go	2016-08-30 12:27:41.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize.go	2018-10-16 07:03:23.000000000 +0000
@@ -1,4 +1,4 @@
-// +build !windows,!plan9,!solaris
+// +build !windows,!plan9,!solaris,!appengine,!wasm
 
 package flags
 
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_linux.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_linux.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_linux.go	2016-08-30 12:27:41.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_linux.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
-// +build linux
-
-package flags
-
-const (
-	tIOCGWINSZ = 0x5413
-)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_nosysioctl.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_nosysioctl.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_nosysioctl.go	2016-08-30 12:27:41.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_nosysioctl.go	2018-10-16 07:03:23.000000000 +0000
@@ -1,4 +1,4 @@
-// +build windows plan9 solaris
+// +build plan9 solaris appengine wasm
 
 package flags
 
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_other.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_other.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_other.go	2016-08-30 12:27:41.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_other.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
-// +build !darwin,!freebsd,!netbsd,!openbsd,!linux
-
-package flags
-
-const (
-	tIOCGWINSZ = 0
-)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_unix.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_unix.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_unix.go	2016-08-30 12:27:41.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_unix.go	1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
-// +build darwin freebsd netbsd openbsd
-
-package flags
-
-const (
-	tIOCGWINSZ = 0x40087468
-)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_windows.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_windows.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/termsize_windows.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/termsize_windows.go	2018-10-16 07:03:23.000000000 +0000
@@ -0,0 +1,85 @@
+// +build windows
+
+package flags
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+type (
+	SHORT int16
+	WORD  uint16
+
+	SMALL_RECT struct {
+		Left   SHORT
+		Top    SHORT
+		Right  SHORT
+		Bottom SHORT
+	}
+
+	COORD struct {
+		X SHORT
+		Y SHORT
+	}
+
+	CONSOLE_SCREEN_BUFFER_INFO struct {
+		Size              COORD
+		CursorPosition    COORD
+		Attributes        WORD
+		Window            SMALL_RECT
+		MaximumWindowSize COORD
+	}
+)
+
+var kernel32DLL = syscall.NewLazyDLL("kernel32.dll")
+var getConsoleScreenBufferInfoProc = kernel32DLL.NewProc("GetConsoleScreenBufferInfo")
+
+func getError(r1, r2 uintptr, lastErr error) error {
+	// If the function fails, the return value is zero.
+	if r1 == 0 {
+		if lastErr != nil {
+			return lastErr
+		}
+		return syscall.EINVAL
+	}
+	return nil
+}
+
+func getStdHandle(stdhandle int) (uintptr, error) {
+	handle, err := syscall.GetStdHandle(stdhandle)
+	if err != nil {
+		return 0, err
+	}
+	return uintptr(handle), nil
+}
+
+// GetConsoleScreenBufferInfo retrieves information about the specified console screen buffer.
+// http://msdn.microsoft.com/en-us/library/windows/desktop/ms683171(v=vs.85).aspx
+func GetConsoleScreenBufferInfo(handle uintptr) (*CONSOLE_SCREEN_BUFFER_INFO, error) {
+	var info CONSOLE_SCREEN_BUFFER_INFO
+	if err := getError(getConsoleScreenBufferInfoProc.Call(handle, uintptr(unsafe.Pointer(&info)), 0)); err != nil {
+		return nil, err
+	}
+	return &info, nil
+}
+
+func getTerminalColumns() int {
+	defaultWidth := 80
+
+	stdoutHandle, err := getStdHandle(syscall.STD_OUTPUT_HANDLE)
+	if err != nil {
+		return defaultWidth
+	}
+
+	info, err := GetConsoleScreenBufferInfo(stdoutHandle)
+	if err != nil {
+		return defaultWidth
+	}
+
+	if info.MaximumWindowSize.X > 0 {
+		return int(info.MaximumWindowSize.X)
+	}
+
+	return defaultWidth
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_bsdish.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_bsdish.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_bsdish.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_bsdish.go	2018-10-16 07:03:23.000000000 +0000
@@ -0,0 +1,7 @@
+// +build darwin freebsd netbsd openbsd
+
+package flags
+
+const (
+	tIOCGWINSZ = 0x40087468
+)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_linux.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_linux.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_linux.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_linux.go	2018-10-16 07:03:23.000000000 +0000
@@ -0,0 +1,7 @@
+// +build linux
+
+package flags
+
+const (
+	tIOCGWINSZ = 0x5413
+)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_other.go snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_other.go
--- snapd-2.32.3.2~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_other.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/jessevdk/go-flags/tiocgwinsz_other.go	2018-10-16 07:03:23.000000000 +0000
@@ -0,0 +1,7 @@
+// +build !darwin,!freebsd,!netbsd,!openbsd,!linux
+
+package flags
+
+const (
+	tIOCGWINSZ = 0
+)
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/LICENSE snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/LICENSE
--- snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/LICENSE	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/LICENSE	2018-08-22 06:40:59.000000000 +0000
@@ -0,0 +1,191 @@
+All files in this repository are licensed as follows. If you contribute
+to this repository, it is assumed that you license your contribution
+under the same license unless you state otherwise.
+
+All files Copyright (C) 2015 Canonical Ltd. unless otherwise specified in the file.
+
+This software is licensed under the LGPLv3, included below.
+
+As a special exception to the GNU Lesser General Public License version 3
+("LGPL3"), the copyright holders of this Library give you permission to
+convey to a third party a Combined Work that links statically or dynamically
+to this Library without providing any Minimal Corresponding Source or
+Minimal Application Code as set out in 4d or providing the installation
+information set out in section 4e, provided that you comply with the other
+provisions of LGPL3 and provided that you meet, for the Application the
+terms and conditions of the license(s) which apply to the Application.
+
+Except as stated in this special exception, the provisions of LGPL3 will
+continue to comply in full to this Library. If you modify this Library, you
+may apply this exception to your version of this Library, but you are not
+obliged to do so. If you do not wish to do so, delete this exception
+statement from your version. This exception does not (and cannot) modify any
+license terms which apply to the Application, with which you must still
+comply.
+
+
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/ratelimit.go snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/ratelimit.go
--- snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/ratelimit.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/ratelimit.go	2018-08-22 06:40:59.000000000 +0000
@@ -0,0 +1,344 @@
+// Copyright 2014 Canonical Ltd.
+// Licensed under the LGPLv3 with static-linking exception.
+// See LICENCE file for details.
+
+// Package ratelimit provides an efficient token bucket implementation
+// that can be used to limit the rate of arbitrary things.
+// See http://en.wikipedia.org/wiki/Token_bucket.
+package ratelimit
+
+import (
+	"math"
+	"strconv"
+	"sync"
+	"time"
+)
+
+// The algorithm that this implementation uses does computational work
+// only when tokens are removed from the bucket, and that work completes
+// in short, bounded-constant time (Bucket.Wait benchmarks at 175ns on
+// my laptop).
+//
+// Time is measured in equal measured ticks, a given interval
+// (fillInterval) apart. On each tick a number of tokens (quantum) are
+// added to the bucket.
+//
+// When any of the methods are called the bucket updates the number of
+// tokens that are in the bucket, and it records the current tick
+// number too. Note that it doesn't record the current time - by
+// keeping things in units of whole ticks, it's easy to dish out tokens
+// at exactly the right intervals as measured from the start time.
+//
+// This allows us to calculate the number of tokens that will be
+// available at some time in the future with a few simple arithmetic
+// operations.
+//
+// The main reason for being able to transfer multiple tokens on each tick
+// is so that we can represent rates greater than 1e9 (the resolution of the Go
+// time package) tokens per second, but it's also useful because
+// it means we can easily represent situations like "a person gets
+// five tokens an hour, replenished on the hour".
+
+// Bucket represents a token bucket that fills at a predetermined rate.
+// Methods on Bucket may be called concurrently.
+type Bucket struct {
+	clock Clock
+
+	// startTime holds the moment when the bucket was
+	// first created and ticks began.
+	startTime time.Time
+
+	// capacity holds the overall capacity of the bucket.
+	capacity int64
+
+	// quantum holds how many tokens are added on
+	// each tick.
+	quantum int64
+
+	// fillInterval holds the interval between each tick.
+	fillInterval time.Duration
+
+	// mu guards the fields below it.
+	mu sync.Mutex
+
+	// availableTokens holds the number of available
+	// tokens as of the associated latestTick.
+	// It will be negative when there are consumers
+	// waiting for tokens.
+	availableTokens int64
+
+	// latestTick holds the latest tick for which
+	// we know the number of tokens in the bucket.
+	latestTick int64
+}
+
+// NewBucket returns a new token bucket that fills at the
+// rate of one token every fillInterval, up to the given
+// maximum capacity. Both arguments must be
+// positive. The bucket is initially full.
+func NewBucket(fillInterval time.Duration, capacity int64) *Bucket {
+	return NewBucketWithClock(fillInterval, capacity, nil)
+}
+
+// NewBucketWithClock is identical to NewBucket but injects a testable clock
+// interface.
+func NewBucketWithClock(fillInterval time.Duration, capacity int64, clock Clock) *Bucket {
+	return NewBucketWithQuantumAndClock(fillInterval, capacity, 1, clock)
+}
+
+// rateMargin specifes the allowed variance of actual
+// rate from specified rate. 1% seems reasonable.
+const rateMargin = 0.01
+
+// NewBucketWithRate returns a token bucket that fills the bucket
+// at the rate of rate tokens per second up to the given
+// maximum capacity. Because of limited clock resolution,
+// at high rates, the actual rate may be up to 1% different from the
+// specified rate.
+func NewBucketWithRate(rate float64, capacity int64) *Bucket {
+	return NewBucketWithRateAndClock(rate, capacity, nil)
+}
+
+// NewBucketWithRateAndClock is identical to NewBucketWithRate but injects a
+// testable clock interface.
+func NewBucketWithRateAndClock(rate float64, capacity int64, clock Clock) *Bucket {
+	// Use the same bucket each time through the loop
+	// to save allocations.
+	tb := NewBucketWithQuantumAndClock(1, capacity, 1, clock)
+	for quantum := int64(1); quantum < 1<<50; quantum = nextQuantum(quantum) {
+		fillInterval := time.Duration(1e9 * float64(quantum) / rate)
+		if fillInterval <= 0 {
+			continue
+		}
+		tb.fillInterval = fillInterval
+		tb.quantum = quantum
+		if diff := math.Abs(tb.Rate() - rate); diff/rate <= rateMargin {
+			return tb
+		}
+	}
+	panic("cannot find suitable quantum for " + strconv.FormatFloat(rate, 'g', -1, 64))
+}
+
+// nextQuantum returns the next quantum to try after q.
+// We grow the quantum exponentially, but slowly, so we
+// get a good fit in the lower numbers.
+func nextQuantum(q int64) int64 {
+	q1 := q * 11 / 10
+	if q1 == q {
+		q1++
+	}
+	return q1
+}
+
+// NewBucketWithQuantum is similar to NewBucket, but allows
+// the specification of the quantum size - quantum tokens
+// are added every fillInterval.
+func NewBucketWithQuantum(fillInterval time.Duration, capacity, quantum int64) *Bucket {
+	return NewBucketWithQuantumAndClock(fillInterval, capacity, quantum, nil)
+}
+
+// NewBucketWithQuantumAndClock is like NewBucketWithQuantum, but
+// also has a clock argument that allows clients to fake the passing
+// of time. If clock is nil, the system clock will be used.
+func NewBucketWithQuantumAndClock(fillInterval time.Duration, capacity, quantum int64, clock Clock) *Bucket {
+	if clock == nil {
+		clock = realClock{}
+	}
+	if fillInterval <= 0 {
+		panic("token bucket fill interval is not > 0")
+	}
+	if capacity <= 0 {
+		panic("token bucket capacity is not > 0")
+	}
+	if quantum <= 0 {
+		panic("token bucket quantum is not > 0")
+	}
+	return &Bucket{
+		clock:           clock,
+		startTime:       clock.Now(),
+		latestTick:      0,
+		fillInterval:    fillInterval,
+		capacity:        capacity,
+		quantum:         quantum,
+		availableTokens: capacity,
+	}
+}
+
+// Wait takes count tokens from the bucket, waiting until they are
+// available.
+func (tb *Bucket) Wait(count int64) {
+	if d := tb.Take(count); d > 0 {
+		tb.clock.Sleep(d)
+	}
+}
+
+// WaitMaxDuration is like Wait except that it will
+// only take tokens from the bucket if it needs to wait
+// for no greater than maxWait. It reports whether
+// any tokens have been removed from the bucket
+// If no tokens have been removed, it returns immediately.
+func (tb *Bucket) WaitMaxDuration(count int64, maxWait time.Duration) bool {
+	d, ok := tb.TakeMaxDuration(count, maxWait)
+	if d > 0 {
+		tb.clock.Sleep(d)
+	}
+	return ok
+}
+
+const infinityDuration time.Duration = 0x7fffffffffffffff
+
+// Take takes count tokens from the bucket without blocking. It returns
+// the time that the caller should wait until the tokens are actually
+// available.
+//
+// Note that if the request is irrevocable - there is no way to return
+// tokens to the bucket once this method commits us to taking them.
+func (tb *Bucket) Take(count int64) time.Duration {
+	tb.mu.Lock()
+	defer tb.mu.Unlock()
+	d, _ := tb.take(tb.clock.Now(), count, infinityDuration)
+	return d
+}
+
+// TakeMaxDuration is like Take, except that
+// it will only take tokens from the bucket if the wait
+// time for the tokens is no greater than maxWait.
+//
+// If it would take longer than maxWait for the tokens
+// to become available, it does nothing and reports false,
+// otherwise it returns the time that the caller should
+// wait until the tokens are actually available, and reports
+// true.
+func (tb *Bucket) TakeMaxDuration(count int64, maxWait time.Duration) (time.Duration, bool) {
+	tb.mu.Lock()
+	defer tb.mu.Unlock()
+	return tb.take(tb.clock.Now(), count, maxWait)
+}
+
+// TakeAvailable takes up to count immediately available tokens from the
+// bucket. It returns the number of tokens removed, or zero if there are
+// no available tokens. It does not block.
+func (tb *Bucket) TakeAvailable(count int64) int64 {
+	tb.mu.Lock()
+	defer tb.mu.Unlock()
+	return tb.takeAvailable(tb.clock.Now(), count)
+}
+
+// takeAvailable is the internal version of TakeAvailable - it takes the
+// current time as an argument to enable easy testing.
+func (tb *Bucket) takeAvailable(now time.Time, count int64) int64 {
+	if count <= 0 {
+		return 0
+	}
+	tb.adjustavailableTokens(tb.currentTick(now))
+	if tb.availableTokens <= 0 {
+		return 0
+	}
+	if count > tb.availableTokens {
+		count = tb.availableTokens
+	}
+	tb.availableTokens -= count
+	return count
+}
+
+// Available returns the number of available tokens. It will be negative
+// when there are consumers waiting for tokens. Note that if this
+// returns greater than zero, it does not guarantee that calls that take
+// tokens from the buffer will succeed, as the number of available
+// tokens could have changed in the meantime. This method is intended
+// primarily for metrics reporting and debugging.
+func (tb *Bucket) Available() int64 {
+	return tb.available(tb.clock.Now())
+}
+
+// available is the internal version of available - it takes the current time as
+// an argument to enable easy testing.
+func (tb *Bucket) available(now time.Time) int64 {
+	tb.mu.Lock()
+	defer tb.mu.Unlock()
+	tb.adjustavailableTokens(tb.currentTick(now))
+	return tb.availableTokens
+}
+
+// Capacity returns the capacity that the bucket was created with.
+func (tb *Bucket) Capacity() int64 {
+	return tb.capacity
+}
+
+// Rate returns the fill rate of the bucket, in tokens per second.
+func (tb *Bucket) Rate() float64 {
+	return 1e9 * float64(tb.quantum) / float64(tb.fillInterval)
+}
+
+// take is the internal version of Take - it takes the current time as
+// an argument to enable easy testing.
+func (tb *Bucket) take(now time.Time, count int64, maxWait time.Duration) (time.Duration, bool) {
+	if count <= 0 {
+		return 0, true
+	}
+
+	tick := tb.currentTick(now)
+	tb.adjustavailableTokens(tick)
+	avail := tb.availableTokens - count
+	if avail >= 0 {
+		tb.availableTokens = avail
+		return 0, true
+	}
+	// Round up the missing tokens to the nearest multiple
+	// of quantum - the tokens won't be available until
+	// that tick.
+
+	// endTick holds the tick when all the requested tokens will
+	// become available.
+	endTick := tick + (-avail+tb.quantum-1)/tb.quantum
+	endTime := tb.startTime.Add(time.Duration(endTick) * tb.fillInterval)
+	waitTime := endTime.Sub(now)
+	if waitTime > maxWait {
+		return 0, false
+	}
+	tb.availableTokens = avail
+	return waitTime, true
+}
+
+// currentTick returns the current time tick, measured
+// from tb.startTime.
+func (tb *Bucket) currentTick(now time.Time) int64 {
+	return int64(now.Sub(tb.startTime) / tb.fillInterval)
+}
+
+// adjustavailableTokens adjusts the current number of tokens
+// available in the bucket at the given time, which must
+// be in the future (positive) with respect to tb.latestTick.
+func (tb *Bucket) adjustavailableTokens(tick int64) {
+	if tb.availableTokens >= tb.capacity {
+		return
+	}
+	tb.availableTokens += (tick - tb.latestTick) * tb.quantum
+	if tb.availableTokens > tb.capacity {
+		tb.availableTokens = tb.capacity
+	}
+	tb.latestTick = tick
+	return
+}
+
+// Clock represents the passage of time in a way that
+// can be faked out for tests.
+type Clock interface {
+	// Now returns the current time.
+	Now() time.Time
+	// Sleep sleeps for at least the given duration.
+	Sleep(d time.Duration)
+}
+
+// realClock implements Clock in terms of standard time functions.
+type realClock struct{}
+
+// Now implements Clock.Now by calling time.Now.
+func (realClock) Now() time.Time {
+	return time.Now()
+}
+
+// Now implements Clock.Sleep by calling time.Sleep.
+func (realClock) Sleep(d time.Duration) {
+	time.Sleep(d)
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/reader.go snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/reader.go
--- snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/reader.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/reader.go	2018-08-22 06:40:59.000000000 +0000
@@ -0,0 +1,51 @@
+// Copyright 2014 Canonical Ltd.
+// Licensed under the LGPLv3 with static-linking exception.
+// See LICENCE file for details.
+
+package ratelimit
+
+import "io"
+
+type reader struct {
+	r      io.Reader
+	bucket *Bucket
+}
+
+// Reader returns a reader that is rate limited by
+// the given token bucket. Each token in the bucket
+// represents one byte.
+func Reader(r io.Reader, bucket *Bucket) io.Reader {
+	return &reader{
+		r:      r,
+		bucket: bucket,
+	}
+}
+
+func (r *reader) Read(buf []byte) (int, error) {
+	n, err := r.r.Read(buf)
+	if n <= 0 {
+		return n, err
+	}
+	r.bucket.Wait(int64(n))
+	return n, err
+}
+
+type writer struct {
+	w      io.Writer
+	bucket *Bucket
+}
+
+// Writer returns a reader that is rate limited by
+// the given token bucket. Each token in the bucket
+// represents one byte.
+func Writer(w io.Writer, bucket *Bucket) io.Writer {
+	return &writer{
+		w:      w,
+		bucket: bucket,
+	}
+}
+
+func (w *writer) Write(buf []byte) (int, error) {
+	w.bucket.Wait(int64(len(buf)))
+	return w.w.Write(buf)
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/README.md snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/README.md
--- snapd-2.32.3.2~14.04/vendor/github.com/juju/ratelimit/README.md	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/juju/ratelimit/README.md	2018-08-22 06:40:59.000000000 +0000
@@ -0,0 +1,117 @@
+# ratelimit
+--
+    import "github.com/juju/ratelimit"
+
+The ratelimit package provides an efficient token bucket implementation. See
+http://en.wikipedia.org/wiki/Token_bucket.
+
+## Usage
+
+#### func  Reader
+
+```go
+func Reader(r io.Reader, bucket *Bucket) io.Reader
+```
+Reader returns a reader that is rate limited by the given token bucket. Each
+token in the bucket represents one byte.
+
+#### func  Writer
+
+```go
+func Writer(w io.Writer, bucket *Bucket) io.Writer
+```
+Writer returns a writer that is rate limited by the given token bucket. Each
+token in the bucket represents one byte.
+
+#### type Bucket
+
+```go
+type Bucket struct {
+}
+```
+
+Bucket represents a token bucket that fills at a predetermined rate. Methods on
+Bucket may be called concurrently.
+
+#### func  NewBucket
+
+```go
+func NewBucket(fillInterval time.Duration, capacity int64) *Bucket
+```
+NewBucket returns a new token bucket that fills at the rate of one token every
+fillInterval, up to the given maximum capacity. Both arguments must be positive.
+The bucket is initially full.
+
+#### func  NewBucketWithQuantum
+
+```go
+func NewBucketWithQuantum(fillInterval time.Duration, capacity, quantum int64) *Bucket
+```
+NewBucketWithQuantum is similar to NewBucket, but allows the specification of
+the quantum size - quantum tokens are added every fillInterval.
+
+#### func  NewBucketWithRate
+
+```go
+func NewBucketWithRate(rate float64, capacity int64) *Bucket
+```
+NewBucketWithRate returns a token bucket that fills the bucket at the rate of
+rate tokens per second up to the given maximum capacity. Because of limited
+clock resolution, at high rates, the actual rate may be up to 1% different from
+the specified rate.
+
+#### func (*Bucket) Rate
+
+```go
+func (tb *Bucket) Rate() float64
+```
+Rate returns the fill rate of the bucket, in tokens per second.
+
+#### func (*Bucket) Take
+
+```go
+func (tb *Bucket) Take(count int64) time.Duration
+```
+Take takes count tokens from the bucket without blocking. It returns the time
+that the caller should wait until the tokens are actually available.
+
+Note that if the request is irrevocable - there is no way to return tokens to
+the bucket once this method commits us to taking them.
+
+#### func (*Bucket) TakeAvailable
+
+```go
+func (tb *Bucket) TakeAvailable(count int64) int64
+```
+TakeAvailable takes up to count immediately available tokens from the bucket. It
+returns the number of tokens removed, or zero if there are no available tokens.
+It does not block.
+
+#### func (*Bucket) TakeMaxDuration
+
+```go
+func (tb *Bucket) TakeMaxDuration(count int64, maxWait time.Duration) (time.Duration, bool)
+```
+TakeMaxDuration is like Take, except that it will only take tokens from the
+bucket if the wait time for the tokens is no greater than maxWait.
+
+If it would take longer than maxWait for the tokens to become available, it does
+nothing and reports false, otherwise it returns the time that the caller should
+wait until the tokens are actually available, and reports true.
+
+#### func (*Bucket) Wait
+
+```go
+func (tb *Bucket) Wait(count int64)
+```
+Wait takes count tokens from the bucket, waiting until they are available.
+
+#### func (*Bucket) WaitMaxDuration
+
+```go
+func (tb *Bucket) WaitMaxDuration(count int64, maxWait time.Duration) bool
+```
+WaitMaxDuration is like Wait except that it will only take tokens from the
+bucket if it needs to wait for no greater than maxWait. It reports whether any
+tokens have been removed from the bucket If no tokens have been removed, it
+returns immediately.
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/diff.go snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/diff.go
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/diff.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/diff.go	2018-08-24 07:51:03.000000000 +0000
@@ -0,0 +1,265 @@
+package pretty
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+)
+
+type sbuf []string
+
+func (p *sbuf) Printf(format string, a ...interface{}) {
+	s := fmt.Sprintf(format, a...)
+	*p = append(*p, s)
+}
+
+// Diff returns a slice where each element describes
+// a difference between a and b.
+func Diff(a, b interface{}) (desc []string) {
+	Pdiff((*sbuf)(&desc), a, b)
+	return desc
+}
+
+// wprintfer calls Fprintf on w for each Printf call
+// with a trailing newline.
+type wprintfer struct{ w io.Writer }
+
+func (p *wprintfer) Printf(format string, a ...interface{}) {
+	fmt.Fprintf(p.w, format+"\n", a...)
+}
+
+// Fdiff writes to w a description of the differences between a and b.
+func Fdiff(w io.Writer, a, b interface{}) {
+	Pdiff(&wprintfer{w}, a, b)
+}
+
+type Printfer interface {
+	Printf(format string, a ...interface{})
+}
+
+// Pdiff prints to p a description of the differences between a and b.
+// It calls Printf once for each difference, with no trailing newline.
+// The standard library log.Logger is a Printfer.
+func Pdiff(p Printfer, a, b interface{}) {
+	diffPrinter{w: p}.diff(reflect.ValueOf(a), reflect.ValueOf(b))
+}
+
+type Logfer interface {
+	Logf(format string, a ...interface{})
+}
+
+// logprintfer calls Fprintf on w for each Printf call
+// with a trailing newline.
+type logprintfer struct{ l Logfer }
+
+func (p *logprintfer) Printf(format string, a ...interface{}) {
+	p.l.Logf(format, a...)
+}
+
+// Ldiff prints to l a description of the differences between a and b.
+// It calls Logf once for each difference, with no trailing newline.
+// The standard library testing.T and testing.B are Logfers.
+func Ldiff(l Logfer, a, b interface{}) {
+	Pdiff(&logprintfer{l}, a, b)
+}
+
+type diffPrinter struct {
+	w Printfer
+	l string // label
+}
+
+func (w diffPrinter) printf(f string, a ...interface{}) {
+	var l string
+	if w.l != "" {
+		l = w.l + ": "
+	}
+	w.w.Printf(l+f, a...)
+}
+
+func (w diffPrinter) diff(av, bv reflect.Value) {
+	if !av.IsValid() && bv.IsValid() {
+		w.printf("nil != %# v", formatter{v: bv, quote: true})
+		return
+	}
+	if av.IsValid() && !bv.IsValid() {
+		w.printf("%# v != nil", formatter{v: av, quote: true})
+		return
+	}
+	if !av.IsValid() && !bv.IsValid() {
+		return
+	}
+
+	at := av.Type()
+	bt := bv.Type()
+	if at != bt {
+		w.printf("%v != %v", at, bt)
+		return
+	}
+
+	switch kind := at.Kind(); kind {
+	case reflect.Bool:
+		if a, b := av.Bool(), bv.Bool(); a != b {
+			w.printf("%v != %v", a, b)
+		}
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		if a, b := av.Int(), bv.Int(); a != b {
+			w.printf("%d != %d", a, b)
+		}
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		if a, b := av.Uint(), bv.Uint(); a != b {
+			w.printf("%d != %d", a, b)
+		}
+	case reflect.Float32, reflect.Float64:
+		if a, b := av.Float(), bv.Float(); a != b {
+			w.printf("%v != %v", a, b)
+		}
+	case reflect.Complex64, reflect.Complex128:
+		if a, b := av.Complex(), bv.Complex(); a != b {
+			w.printf("%v != %v", a, b)
+		}
+	case reflect.Array:
+		n := av.Len()
+		for i := 0; i < n; i++ {
+			w.relabel(fmt.Sprintf("[%d]", i)).diff(av.Index(i), bv.Index(i))
+		}
+	case reflect.Chan, reflect.Func, reflect.UnsafePointer:
+		if a, b := av.Pointer(), bv.Pointer(); a != b {
+			w.printf("%#x != %#x", a, b)
+		}
+	case reflect.Interface:
+		w.diff(av.Elem(), bv.Elem())
+	case reflect.Map:
+		ak, both, bk := keyDiff(av.MapKeys(), bv.MapKeys())
+		for _, k := range ak {
+			w := w.relabel(fmt.Sprintf("[%#v]", k))
+			w.printf("%q != (missing)", av.MapIndex(k))
+		}
+		for _, k := range both {
+			w := w.relabel(fmt.Sprintf("[%#v]", k))
+			w.diff(av.MapIndex(k), bv.MapIndex(k))
+		}
+		for _, k := range bk {
+			w := w.relabel(fmt.Sprintf("[%#v]", k))
+			w.printf("(missing) != %q", bv.MapIndex(k))
+		}
+	case reflect.Ptr:
+		switch {
+		case av.IsNil() && !bv.IsNil():
+			w.printf("nil != %# v", formatter{v: bv, quote: true})
+		case !av.IsNil() && bv.IsNil():
+			w.printf("%# v != nil", formatter{v: av, quote: true})
+		case !av.IsNil() && !bv.IsNil():
+			w.diff(av.Elem(), bv.Elem())
+		}
+	case reflect.Slice:
+		lenA := av.Len()
+		lenB := bv.Len()
+		if lenA != lenB {
+			w.printf("%s[%d] != %s[%d]", av.Type(), lenA, bv.Type(), lenB)
+			break
+		}
+		for i := 0; i < lenA; i++ {
+			w.relabel(fmt.Sprintf("[%d]", i)).diff(av.Index(i), bv.Index(i))
+		}
+	case reflect.String:
+		if a, b := av.String(), bv.String(); a != b {
+			w.printf("%q != %q", a, b)
+		}
+	case reflect.Struct:
+		for i := 0; i < av.NumField(); i++ {
+			w.relabel(at.Field(i).Name).diff(av.Field(i), bv.Field(i))
+		}
+	default:
+		panic("unknown reflect Kind: " + kind.String())
+	}
+}
+
+func (d diffPrinter) relabel(name string) (d1 diffPrinter) {
+	d1 = d
+	if d.l != "" && name[0] != '[' {
+		d1.l += "."
+	}
+	d1.l += name
+	return d1
+}
+
+// keyEqual compares a and b for equality.
+// Both a and b must be valid map keys.
+func keyEqual(av, bv reflect.Value) bool {
+	if !av.IsValid() && !bv.IsValid() {
+		return true
+	}
+	if !av.IsValid() || !bv.IsValid() || av.Type() != bv.Type() {
+		return false
+	}
+	switch kind := av.Kind(); kind {
+	case reflect.Bool:
+		a, b := av.Bool(), bv.Bool()
+		return a == b
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		a, b := av.Int(), bv.Int()
+		return a == b
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		a, b := av.Uint(), bv.Uint()
+		return a == b
+	case reflect.Float32, reflect.Float64:
+		a, b := av.Float(), bv.Float()
+		return a == b
+	case reflect.Complex64, reflect.Complex128:
+		a, b := av.Complex(), bv.Complex()
+		return a == b
+	case reflect.Array:
+		for i := 0; i < av.Len(); i++ {
+			if !keyEqual(av.Index(i), bv.Index(i)) {
+				return false
+			}
+		}
+		return true
+	case reflect.Chan, reflect.UnsafePointer, reflect.Ptr:
+		a, b := av.Pointer(), bv.Pointer()
+		return a == b
+	case reflect.Interface:
+		return keyEqual(av.Elem(), bv.Elem())
+	case reflect.String:
+		a, b := av.String(), bv.String()
+		return a == b
+	case reflect.Struct:
+		for i := 0; i < av.NumField(); i++ {
+			if !keyEqual(av.Field(i), bv.Field(i)) {
+				return false
+			}
+		}
+		return true
+	default:
+		panic("invalid map key type " + av.Type().String())
+	}
+}
+
+func keyDiff(a, b []reflect.Value) (ak, both, bk []reflect.Value) {
+	for _, av := range a {
+		inBoth := false
+		for _, bv := range b {
+			if keyEqual(av, bv) {
+				inBoth = true
+				both = append(both, av)
+				break
+			}
+		}
+		if !inBoth {
+			ak = append(ak, av)
+		}
+	}
+	for _, bv := range b {
+		inBoth := false
+		for _, av := range a {
+			if keyEqual(av, bv) {
+				inBoth = true
+				break
+			}
+		}
+		if !inBoth {
+			bk = append(bk, bv)
+		}
+	}
+	return
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/formatter.go snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/formatter.go
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/formatter.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/formatter.go	2018-08-24 07:51:03.000000000 +0000
@@ -0,0 +1,328 @@
+package pretty
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+	"strconv"
+	"text/tabwriter"
+
+	"github.com/kr/text"
+)
+
+type formatter struct {
+	v     reflect.Value
+	force bool
+	quote bool
+}
+
+// Formatter makes a wrapper, f, that will format x as go source with line
+// breaks and tabs. Object f responds to the "%v" formatting verb when both the
+// "#" and " " (space) flags are set, for example:
+//
+//     fmt.Sprintf("%# v", Formatter(x))
+//
+// If one of these two flags is not set, or any other verb is used, f will
+// format x according to the usual rules of package fmt.
+// In particular, if x satisfies fmt.Formatter, then x.Format will be called.
+func Formatter(x interface{}) (f fmt.Formatter) {
+	return formatter{v: reflect.ValueOf(x), quote: true}
+}
+
+func (fo formatter) String() string {
+	return fmt.Sprint(fo.v.Interface()) // unwrap it
+}
+
+func (fo formatter) passThrough(f fmt.State, c rune) {
+	s := "%"
+	for i := 0; i < 128; i++ {
+		if f.Flag(i) {
+			s += string(i)
+		}
+	}
+	if w, ok := f.Width(); ok {
+		s += fmt.Sprintf("%d", w)
+	}
+	if p, ok := f.Precision(); ok {
+		s += fmt.Sprintf(".%d", p)
+	}
+	s += string(c)
+	fmt.Fprintf(f, s, fo.v.Interface())
+}
+
+func (fo formatter) Format(f fmt.State, c rune) {
+	if fo.force || c == 'v' && f.Flag('#') && f.Flag(' ') {
+		w := tabwriter.NewWriter(f, 4, 4, 1, ' ', 0)
+		p := &printer{tw: w, Writer: w, visited: make(map[visit]int)}
+		p.printValue(fo.v, true, fo.quote)
+		w.Flush()
+		return
+	}
+	fo.passThrough(f, c)
+}
+
+type printer struct {
+	io.Writer
+	tw      *tabwriter.Writer
+	visited map[visit]int
+	depth   int
+}
+
+func (p *printer) indent() *printer {
+	q := *p
+	q.tw = tabwriter.NewWriter(p.Writer, 4, 4, 1, ' ', 0)
+	q.Writer = text.NewIndentWriter(q.tw, []byte{'\t'})
+	return &q
+}
+
+func (p *printer) printInline(v reflect.Value, x interface{}, showType bool) {
+	if showType {
+		io.WriteString(p, v.Type().String())
+		fmt.Fprintf(p, "(%#v)", x)
+	} else {
+		fmt.Fprintf(p, "%#v", x)
+	}
+}
+
+// printValue must keep track of already-printed pointer values to avoid
+// infinite recursion.
+type visit struct {
+	v   uintptr
+	typ reflect.Type
+}
+
+func (p *printer) printValue(v reflect.Value, showType, quote bool) {
+	if p.depth > 10 {
+		io.WriteString(p, "!%v(DEPTH EXCEEDED)")
+		return
+	}
+
+	switch v.Kind() {
+	case reflect.Bool:
+		p.printInline(v, v.Bool(), showType)
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		p.printInline(v, v.Int(), showType)
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		p.printInline(v, v.Uint(), showType)
+	case reflect.Float32, reflect.Float64:
+		p.printInline(v, v.Float(), showType)
+	case reflect.Complex64, reflect.Complex128:
+		fmt.Fprintf(p, "%#v", v.Complex())
+	case reflect.String:
+		p.fmtString(v.String(), quote)
+	case reflect.Map:
+		t := v.Type()
+		if showType {
+			io.WriteString(p, t.String())
+		}
+		writeByte(p, '{')
+		if nonzero(v) {
+			expand := !canInline(v.Type())
+			pp := p
+			if expand {
+				writeByte(p, '\n')
+				pp = p.indent()
+			}
+			keys := v.MapKeys()
+			for i := 0; i < v.Len(); i++ {
+				showTypeInStruct := true
+				k := keys[i]
+				mv := v.MapIndex(k)
+				pp.printValue(k, false, true)
+				writeByte(pp, ':')
+				if expand {
+					writeByte(pp, '\t')
+				}
+				showTypeInStruct = t.Elem().Kind() == reflect.Interface
+				pp.printValue(mv, showTypeInStruct, true)
+				if expand {
+					io.WriteString(pp, ",\n")
+				} else if i < v.Len()-1 {
+					io.WriteString(pp, ", ")
+				}
+			}
+			if expand {
+				pp.tw.Flush()
+			}
+		}
+		writeByte(p, '}')
+	case reflect.Struct:
+		t := v.Type()
+		if v.CanAddr() {
+			addr := v.UnsafeAddr()
+			vis := visit{addr, t}
+			if vd, ok := p.visited[vis]; ok && vd < p.depth {
+				p.fmtString(t.String()+"{(CYCLIC REFERENCE)}", false)
+				break // don't print v again
+			}
+			p.visited[vis] = p.depth
+		}
+
+		if showType {
+			io.WriteString(p, t.String())
+		}
+		writeByte(p, '{')
+		if nonzero(v) {
+			expand := !canInline(v.Type())
+			pp := p
+			if expand {
+				writeByte(p, '\n')
+				pp = p.indent()
+			}
+			for i := 0; i < v.NumField(); i++ {
+				showTypeInStruct := true
+				if f := t.Field(i); f.Name != "" {
+					io.WriteString(pp, f.Name)
+					writeByte(pp, ':')
+					if expand {
+						writeByte(pp, '\t')
+					}
+					showTypeInStruct = labelType(f.Type)
+				}
+				pp.printValue(getField(v, i), showTypeInStruct, true)
+				if expand {
+					io.WriteString(pp, ",\n")
+				} else if i < v.NumField()-1 {
+					io.WriteString(pp, ", ")
+				}
+			}
+			if expand {
+				pp.tw.Flush()
+			}
+		}
+		writeByte(p, '}')
+	case reflect.Interface:
+		switch e := v.Elem(); {
+		case e.Kind() == reflect.Invalid:
+			io.WriteString(p, "nil")
+		case e.IsValid():
+			pp := *p
+			pp.depth++
+			pp.printValue(e, showType, true)
+		default:
+			io.WriteString(p, v.Type().String())
+			io.WriteString(p, "(nil)")
+		}
+	case reflect.Array, reflect.Slice:
+		t := v.Type()
+		if showType {
+			io.WriteString(p, t.String())
+		}
+		if v.Kind() == reflect.Slice && v.IsNil() && showType {
+			io.WriteString(p, "(nil)")
+			break
+		}
+		if v.Kind() == reflect.Slice && v.IsNil() {
+			io.WriteString(p, "nil")
+			break
+		}
+		writeByte(p, '{')
+		expand := !canInline(v.Type())
+		pp := p
+		if expand {
+			writeByte(p, '\n')
+			pp = p.indent()
+		}
+		for i := 0; i < v.Len(); i++ {
+			showTypeInSlice := t.Elem().Kind() == reflect.Interface
+			pp.printValue(v.Index(i), showTypeInSlice, true)
+			if expand {
+				io.WriteString(pp, ",\n")
+			} else if i < v.Len()-1 {
+				io.WriteString(pp, ", ")
+			}
+		}
+		if expand {
+			pp.tw.Flush()
+		}
+		writeByte(p, '}')
+	case reflect.Ptr:
+		e := v.Elem()
+		if !e.IsValid() {
+			writeByte(p, '(')
+			io.WriteString(p, v.Type().String())
+			io.WriteString(p, ")(nil)")
+		} else {
+			pp := *p
+			pp.depth++
+			writeByte(pp, '&')
+			pp.printValue(e, true, true)
+		}
+	case reflect.Chan:
+		x := v.Pointer()
+		if showType {
+			writeByte(p, '(')
+			io.WriteString(p, v.Type().String())
+			fmt.Fprintf(p, ")(%#v)", x)
+		} else {
+			fmt.Fprintf(p, "%#v", x)
+		}
+	case reflect.Func:
+		io.WriteString(p, v.Type().String())
+		io.WriteString(p, " {...}")
+	case reflect.UnsafePointer:
+		p.printInline(v, v.Pointer(), showType)
+	case reflect.Invalid:
+		io.WriteString(p, "nil")
+	}
+}
+
+func canInline(t reflect.Type) bool {
+	switch t.Kind() {
+	case reflect.Map:
+		return !canExpand(t.Elem())
+	case reflect.Struct:
+		for i := 0; i < t.NumField(); i++ {
+			if canExpand(t.Field(i).Type) {
+				return false
+			}
+		}
+		return true
+	case reflect.Interface:
+		return false
+	case reflect.Array, reflect.Slice:
+		return !canExpand(t.Elem())
+	case reflect.Ptr:
+		return false
+	case reflect.Chan, reflect.Func, reflect.UnsafePointer:
+		return false
+	}
+	return true
+}
+
+func canExpand(t reflect.Type) bool {
+	switch t.Kind() {
+	case reflect.Map, reflect.Struct,
+		reflect.Interface, reflect.Array, reflect.Slice,
+		reflect.Ptr:
+		return true
+	}
+	return false
+}
+
+func labelType(t reflect.Type) bool {
+	switch t.Kind() {
+	case reflect.Interface, reflect.Struct:
+		return true
+	}
+	return false
+}
+
+func (p *printer) fmtString(s string, quote bool) {
+	if quote {
+		s = strconv.Quote(s)
+	}
+	io.WriteString(p, s)
+}
+
+func writeByte(w io.Writer, b byte) {
+	w.Write([]byte{b})
+}
+
+func getField(v reflect.Value, i int) reflect.Value {
+	val := v.Field(i)
+	if val.Kind() == reflect.Interface && !val.IsNil() {
+		val = val.Elem()
+	}
+	return val
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/go.mod snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/go.mod
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/go.mod	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/go.mod	2018-08-24 07:51:03.000000000 +0000
@@ -0,0 +1,3 @@
+module "github.com/kr/pretty"
+
+require "github.com/kr/text" v0.1.0
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/License snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/License
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/License	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/License	2018-08-24 07:51:03.000000000 +0000
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright 2012 Keith Rarick
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/pretty.go snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/pretty.go
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/pretty.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/pretty.go	2018-08-24 07:51:03.000000000 +0000
@@ -0,0 +1,108 @@
+// Package pretty provides pretty-printing for Go values. This is
+// useful during debugging, to avoid wrapping long output lines in
+// the terminal.
+//
+// It provides a function, Formatter, that can be used with any
+// function that accepts a format string. It also provides
+// convenience wrappers for functions in packages fmt and log.
+package pretty
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"reflect"
+)
+
+// Errorf is a convenience wrapper for fmt.Errorf.
+//
+// Calling Errorf(f, x, y) is equivalent to
+// fmt.Errorf(f, Formatter(x), Formatter(y)).
+func Errorf(format string, a ...interface{}) error {
+	return fmt.Errorf(format, wrap(a, false)...)
+}
+
+// Fprintf is a convenience wrapper for fmt.Fprintf.
+//
+// Calling Fprintf(w, f, x, y) is equivalent to
+// fmt.Fprintf(w, f, Formatter(x), Formatter(y)).
+func Fprintf(w io.Writer, format string, a ...interface{}) (n int, error error) {
+	return fmt.Fprintf(w, format, wrap(a, false)...)
+}
+
+// Log is a convenience wrapper for log.Printf.
+//
+// Calling Log(x, y) is equivalent to
+// log.Print(Formatter(x), Formatter(y)), but each operand is
+// formatted with "%# v".
+func Log(a ...interface{}) {
+	log.Print(wrap(a, true)...)
+}
+
+// Logf is a convenience wrapper for log.Printf.
+//
+// Calling Logf(f, x, y) is equivalent to
+// log.Printf(f, Formatter(x), Formatter(y)).
+func Logf(format string, a ...interface{}) {
+	log.Printf(format, wrap(a, false)...)
+}
+
+// Logln is a convenience wrapper for log.Printf.
+//
+// Calling Logln(x, y) is equivalent to
+// log.Println(Formatter(x), Formatter(y)), but each operand is
+// formatted with "%# v".
+func Logln(a ...interface{}) {
+	log.Println(wrap(a, true)...)
+}
+
+// Print pretty-prints its operands and writes to standard output.
+//
+// Calling Print(x, y) is equivalent to
+// fmt.Print(Formatter(x), Formatter(y)), but each operand is
+// formatted with "%# v".
+func Print(a ...interface{}) (n int, errno error) {
+	return fmt.Print(wrap(a, true)...)
+}
+
+// Printf is a convenience wrapper for fmt.Printf.
+//
+// Calling Printf(f, x, y) is equivalent to
+// fmt.Printf(f, Formatter(x), Formatter(y)).
+func Printf(format string, a ...interface{}) (n int, errno error) {
+	return fmt.Printf(format, wrap(a, false)...)
+}
+
+// Println pretty-prints its operands and writes to standard output.
+//
+// Calling Print(x, y) is equivalent to
+// fmt.Println(Formatter(x), Formatter(y)), but each operand is
+// formatted with "%# v".
+func Println(a ...interface{}) (n int, errno error) {
+	return fmt.Println(wrap(a, true)...)
+}
+
+// Sprint is a convenience wrapper for fmt.Sprintf.
+//
+// Calling Sprint(x, y) is equivalent to
+// fmt.Sprint(Formatter(x), Formatter(y)), but each operand is
+// formatted with "%# v".
+func Sprint(a ...interface{}) string {
+	return fmt.Sprint(wrap(a, true)...)
+}
+
+// Sprintf is a convenience wrapper for fmt.Sprintf.
+//
+// Calling Sprintf(f, x, y) is equivalent to
+// fmt.Sprintf(f, Formatter(x), Formatter(y)).
+func Sprintf(format string, a ...interface{}) string {
+	return fmt.Sprintf(format, wrap(a, false)...)
+}
+
+func wrap(a []interface{}, force bool) []interface{} {
+	w := make([]interface{}, len(a))
+	for i, x := range a {
+		w[i] = formatter{v: reflect.ValueOf(x), force: force}
+	}
+	return w
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/Readme snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/Readme
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/Readme	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/Readme	2018-08-24 07:51:03.000000000 +0000
@@ -0,0 +1,9 @@
+package pretty
+
+    import "github.com/kr/pretty"
+
+    Package pretty provides pretty-printing for Go values.
+
+Documentation
+
+    http://godoc.org/github.com/kr/pretty
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/zero.go snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/zero.go
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/pretty/zero.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/pretty/zero.go	2018-08-24 07:51:03.000000000 +0000
@@ -0,0 +1,41 @@
+package pretty
+
+import (
+	"reflect"
+)
+
+func nonzero(v reflect.Value) bool {
+	switch v.Kind() {
+	case reflect.Bool:
+		return v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() != 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() != 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() != 0
+	case reflect.Complex64, reflect.Complex128:
+		return v.Complex() != complex(0, 0)
+	case reflect.String:
+		return v.String() != ""
+	case reflect.Struct:
+		for i := 0; i < v.NumField(); i++ {
+			if nonzero(getField(v, i)) {
+				return true
+			}
+		}
+		return false
+	case reflect.Array:
+		for i := 0; i < v.Len(); i++ {
+			if nonzero(v.Index(i)) {
+				return true
+			}
+		}
+		return false
+	case reflect.Map, reflect.Interface, reflect.Slice, reflect.Ptr, reflect.Chan, reflect.Func:
+		return !v.IsNil()
+	case reflect.UnsafePointer:
+		return v.Pointer() != 0
+	}
+	return true
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/text/doc.go snapd-2.37~rc1~14.04/vendor/github.com/kr/text/doc.go
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/text/doc.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/text/doc.go	2018-08-24 07:51:04.000000000 +0000
@@ -0,0 +1,3 @@
+// Package text provides rudimentary functions for manipulating text in
+// paragraphs.
+package text
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/text/go.mod snapd-2.37~rc1~14.04/vendor/github.com/kr/text/go.mod
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/text/go.mod	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/text/go.mod	2018-08-24 07:51:04.000000000 +0000
@@ -0,0 +1,3 @@
+module "github.com/kr/text"
+
+require "github.com/kr/pty" v1.1.1
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/text/indent.go snapd-2.37~rc1~14.04/vendor/github.com/kr/text/indent.go
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/text/indent.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/text/indent.go	2018-08-24 07:51:04.000000000 +0000
@@ -0,0 +1,74 @@
+package text
+
+import (
+	"io"
+)
+
+// Indent inserts prefix at the beginning of each non-empty line of s. The
+// end-of-line marker is NL.
+func Indent(s, prefix string) string {
+	return string(IndentBytes([]byte(s), []byte(prefix)))
+}
+
+// IndentBytes inserts prefix at the beginning of each non-empty line of b.
+// The end-of-line marker is NL.
+func IndentBytes(b, prefix []byte) []byte {
+	var res []byte
+	bol := true
+	for _, c := range b {
+		if bol && c != '\n' {
+			res = append(res, prefix...)
+		}
+		res = append(res, c)
+		bol = c == '\n'
+	}
+	return res
+}
+
+// Writer indents each line of its input.
+type indentWriter struct {
+	w   io.Writer
+	bol bool
+	pre [][]byte
+	sel int
+	off int
+}
+
+// NewIndentWriter makes a new write filter that indents the input
+// lines. Each line is prefixed in order with the corresponding
+// element of pre. If there are more lines than elements, the last
+// element of pre is repeated for each subsequent line.
+func NewIndentWriter(w io.Writer, pre ...[]byte) io.Writer {
+	return &indentWriter{
+		w:   w,
+		pre: pre,
+		bol: true,
+	}
+}
+
+// The only errors returned are from the underlying indentWriter.
+func (w *indentWriter) Write(p []byte) (n int, err error) {
+	for _, c := range p {
+		if w.bol {
+			var i int
+			i, err = w.w.Write(w.pre[w.sel][w.off:])
+			w.off += i
+			if err != nil {
+				return n, err
+			}
+		}
+		_, err = w.w.Write([]byte{c})
+		if err != nil {
+			return n, err
+		}
+		n++
+		w.bol = c == '\n'
+		if w.bol {
+			w.off = 0
+			if w.sel < len(w.pre)-1 {
+				w.sel++
+			}
+		}
+	}
+	return n, nil
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/text/License snapd-2.37~rc1~14.04/vendor/github.com/kr/text/License
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/text/License	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/text/License	2018-08-24 07:51:04.000000000 +0000
@@ -0,0 +1,19 @@
+Copyright 2012 Keith Rarick
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/text/Readme snapd-2.37~rc1~14.04/vendor/github.com/kr/text/Readme
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/text/Readme	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/text/Readme	2018-08-24 07:51:04.000000000 +0000
@@ -0,0 +1,3 @@
+This is a Go package for manipulating paragraphs of text.
+
+See http://go.pkgdoc.org/github.com/kr/text for full documentation.
diff -Nru snapd-2.32.3.2~14.04/vendor/github.com/kr/text/wrap.go snapd-2.37~rc1~14.04/vendor/github.com/kr/text/wrap.go
--- snapd-2.32.3.2~14.04/vendor/github.com/kr/text/wrap.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/github.com/kr/text/wrap.go	2018-08-24 07:51:04.000000000 +0000
@@ -0,0 +1,86 @@
+package text
+
+import (
+	"bytes"
+	"math"
+)
+
+var (
+	nl = []byte{'\n'}
+	sp = []byte{' '}
+)
+
+const defaultPenalty = 1e5
+
+// Wrap wraps s into a paragraph of lines of length lim, with minimal
+// raggedness.
+func Wrap(s string, lim int) string {
+	return string(WrapBytes([]byte(s), lim))
+}
+
+// WrapBytes wraps b into a paragraph of lines of length lim, with minimal
+// raggedness.
+func WrapBytes(b []byte, lim int) []byte {
+	words := bytes.Split(bytes.Replace(bytes.TrimSpace(b), nl, sp, -1), sp)
+	var lines [][]byte
+	for _, line := range WrapWords(words, 1, lim, defaultPenalty) {
+		lines = append(lines, bytes.Join(line, sp))
+	}
+	return bytes.Join(lines, nl)
+}
+
+// WrapWords is the low-level line-breaking algorithm, useful if you need more
+// control over the details of the text wrapping process. For most uses, either
+// Wrap or WrapBytes will be sufficient and more convenient.
+//
+// WrapWords splits a list of words into lines with minimal "raggedness",
+// treating each byte as one unit, accounting for spc units between adjacent
+// words on each line, and attempting to limit lines to lim units. Raggedness
+// is the total error over all lines, where error is the square of the
+// difference of the length of the line and lim. Too-long lines (which only
+// happen when a single word is longer than lim units) have pen penalty units
+// added to the error.
+func WrapWords(words [][]byte, spc, lim, pen int) [][][]byte {
+	n := len(words)
+
+	length := make([][]int, n)
+	for i := 0; i < n; i++ {
+		length[i] = make([]int, n)
+		length[i][i] = len(words[i])
+		for j := i + 1; j < n; j++ {
+			length[i][j] = length[i][j-1] + spc + len(words[j])
+		}
+	}
+
+	nbrk := make([]int, n)
+	cost := make([]int, n)
+	for i := range cost {
+		cost[i] = math.MaxInt32
+	}
+	for i := n - 1; i >= 0; i-- {
+		if length[i][n-1] <= lim || i == n-1 {
+			cost[i] = 0
+			nbrk[i] = n
+		} else {
+			for j := i + 1; j < n; j++ {
+				d := lim - length[i][j-1]
+				c := d*d + cost[j]
+				if length[i][j-1] > lim {
+					c += pen // too-long lines get a worse penalty
+				}
+				if c < cost[i] {
+					cost[i] = c
+					nbrk[i] = j
+				}
+			}
+		}
+	}
+
+	var lines [][][]byte
+	i := 0
+	for i < n {
+		lines = append(lines, words[i:nbrk[i]])
+		i = nbrk[i]
+	}
+	return lines
+}
diff -Nru snapd-2.32.3.2~14.04/vendor/gopkg.in/check.v1/checkers.go snapd-2.37~rc1~14.04/vendor/gopkg.in/check.v1/checkers.go
--- snapd-2.32.3.2~14.04/vendor/gopkg.in/check.v1/checkers.go	2017-09-07 12:49:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/gopkg.in/check.v1/checkers.go	2018-11-09 09:35:28.000000000 +0000
@@ -4,6 +4,9 @@
 	"fmt"
 	"reflect"
 	"regexp"
+	"strings"
+
+	"github.com/kr/pretty"
 )
 
 // -----------------------------------------------------------------------
@@ -90,6 +93,10 @@
 func (checker *notChecker) Check(params []interface{}, names []string) (result bool, error string) {
 	result, error = checker.sub.Check(params, names)
 	result = !result
+	if result {
+		// clear error message if the new result is true
+		error = ""
+	}
 	return
 }
 
@@ -153,6 +160,56 @@
 // -----------------------------------------------------------------------
 // Equals checker.
 
+func diffworthy(a interface{}) bool {
+	t := reflect.TypeOf(a)
+	switch t.Kind() {
+	case reflect.Array, reflect.Map, reflect.Slice, reflect.Struct, reflect.String, reflect.Ptr:
+		return true
+	}
+	return false
+}
+
+// formatUnequal will dump the actual and expected values into a textual
+// representation and return an error message containing a diff.
+func formatUnequal(obtained interface{}, expected interface{}) string {
+	// We do not do diffs for basic types because go-check already
+	// shows them very cleanly.
+	if !diffworthy(obtained) || !diffworthy(expected) {
+		return ""
+	}
+
+	// Handle strings, short strings are ignored (go-check formats
+	// them very nicely already). We do multi-line strings by
+	// generating two string slices and using kr.Diff to compare
+	// those (kr.Diff does not do string diffs by itself).
+	aStr, aOK := obtained.(string)
+	bStr, bOK := expected.(string)
+	if aOK && bOK {
+		l1 := strings.Split(aStr, "\n")
+		l2 := strings.Split(bStr, "\n")
+		// the "2" here is a bit arbitrary
+		if len(l1) > 2 && len(l2) > 2 {
+			diff := pretty.Diff(l1, l2)
+			return fmt.Sprintf(`String difference:
+%s`, formatMultiLine(strings.Join(diff, "\n"), false))
+		}
+		// string too short
+		return ""
+	}
+
+	// generic diff
+	diff := pretty.Diff(obtained, expected)
+	if len(diff) == 0 {
+		// No diff, this happens when e.g. just struct
+		// pointers are different but the structs have
+		// identical values.
+		return ""
+	}
+
+	return fmt.Sprintf(`Difference:
+%s`, formatMultiLine(strings.Join(diff, "\n"), false))
+}
+
 type equalsChecker struct {
 	*CheckerInfo
 }
@@ -175,7 +232,12 @@
 			error = fmt.Sprint(v)
 		}
 	}()
-	return params[0] == params[1], ""
+
+	result = params[0] == params[1]
+	if !result {
+		error = formatUnequal(params[0], params[1])
+	}
+	return
 }
 
 // -----------------------------------------------------------------------
@@ -200,7 +262,11 @@
 }
 
 func (checker *deepEqualsChecker) Check(params []interface{}, names []string) (result bool, error string) {
-	return reflect.DeepEqual(params[0], params[1]), ""
+	result = reflect.DeepEqual(params[0], params[1])
+	if !result {
+		error = formatUnequal(params[0], params[1])
+	}
+	return
 }
 
 // -----------------------------------------------------------------------
diff -Nru snapd-2.32.3.2~14.04/vendor/gopkg.in/check.v1/check.go snapd-2.37~rc1~14.04/vendor/gopkg.in/check.v1/check.go
--- snapd-2.32.3.2~14.04/vendor/gopkg.in/check.v1/check.go	2017-09-07 12:49:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/gopkg.in/check.v1/check.go	2018-11-09 09:35:28.000000000 +0000
@@ -239,7 +239,7 @@
 	}
 }
 
-func (c *C) logMultiLine(s string) {
+func formatMultiLine(s string, quote bool) []byte {
 	b := make([]byte, 0, len(s)*2)
 	i := 0
 	n := len(s)
@@ -249,14 +249,23 @@
 			j++
 		}
 		b = append(b, "...     "...)
-		b = strconv.AppendQuote(b, s[i:j])
-		if j < n {
+		if quote {
+			b = strconv.AppendQuote(b, s[i:j])
+		} else {
+			b = append(b, s[i:j]...)
+			b = bytes.TrimSpace(b)
+		}
+		if quote && j < n {
 			b = append(b, " +"...)
 		}
 		b = append(b, '\n')
 		i = j
 	}
-	c.writeLog(b)
+	return b
+}
+
+func (c *C) logMultiLine(s string) {
+	c.writeLog(formatMultiLine(s, true))
 }
 
 func isMultiLine(s string) bool {
diff -Nru snapd-2.32.3.2~14.04/vendor/gopkg.in/mgo.v2/bson/bson.go snapd-2.37~rc1~14.04/vendor/gopkg.in/mgo.v2/bson/bson.go
--- snapd-2.32.3.2~14.04/vendor/gopkg.in/mgo.v2/bson/bson.go	2017-02-20 21:47:37.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/gopkg.in/mgo.v2/bson/bson.go	2019-01-16 08:36:51.000000000 +0000
@@ -35,13 +35,11 @@
 import (
 	"bytes"
 	"crypto/md5"
-	"crypto/rand"
 	"encoding/binary"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"os"
 	"reflect"
 	"runtime"
@@ -194,12 +192,10 @@
 
 // readRandomUint32 returns a random objectIdCounter.
 func readRandomUint32() uint32 {
-	var b [4]byte
-	_, err := io.ReadFull(rand.Reader, b[:])
-	if err != nil {
-		panic(fmt.Errorf("cannot read random object id: %v", err))
-	}
-	return uint32((uint32(b[0]) << 0) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24))
+	// We've found systems hanging in this function due to lack of entropy.
+	// The randomness of these bytes is just preventing nearby clashes, so
+	// just look at the time.
+	return uint32(time.Now().UnixNano())
 }
 
 // machineId stores machine id generated once and used in subsequent calls
@@ -214,10 +210,10 @@
 	id := sum[:]
 	hostname, err1 := os.Hostname()
 	if err1 != nil {
-		_, err2 := io.ReadFull(rand.Reader, id)
-		if err2 != nil {
-			panic(fmt.Errorf("cannot get hostname: %v; %v", err1, err2))
-		}
+		n := uint32(time.Now().UnixNano())
+		sum[0] = byte(n >> 0)
+		sum[1] = byte(n >> 8)
+		sum[2] = byte(n >> 16)
 		return id
 	}
 	hw := md5.New()
@@ -279,7 +275,7 @@
 func (id *ObjectId) UnmarshalJSON(data []byte) error {
 	if len(data) > 0 && (data[0] == '{' || data[0] == 'O') {
 		var v struct {
-			Id json.RawMessage `json:"$oid"`
+			Id   json.RawMessage `json:"$oid"`
 			Func struct {
 				Id json.RawMessage
 			} `json:"$oidFunc"`
diff -Nru snapd-2.32.3.2~14.04/vendor/vendor.json snapd-2.37~rc1~14.04/vendor/vendor.json
--- snapd-2.32.3.2~14.04/vendor/vendor.json	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/vendor/vendor.json	2019-01-16 08:36:51.000000000 +0000
@@ -7,10 +7,10 @@
 			"revision": ""
 		},
 		{
-			"checksumSHA1": "RBwpnMpfQt7Jo7YWrRph0Vwe+f0=",
+			"checksumSHA1": "zg16zjZTQ9R89+UOLmEZxHgxDtM=",
 			"path": "github.com/coreos/go-systemd/activation",
-			"revision": "48702e0da86bd25e76cfef347e2adeb434a0d0a6",
-			"revisionTime": "2016-11-14T12:22:54Z"
+			"revision": "39ca1b05acc7ad1220e09f133283b8859a8b71ab",
+			"revisionTime": "2018-05-11T13:34:05Z"
 		},
 		{
 			"checksumSHA1": "h77tT8kVh8x/J5ikkZReONPUjU0=",
@@ -37,10 +37,28 @@
 			"revisionTime": "2016-03-17T21:34:30Z"
 		},
 		{
-			"checksumSHA1": "Ihm00CfTHuuTYXgXJkgH7TFP0L4=",
+			"checksumSHA1": "GcYF2BhpiQkshVVXxHPS/Oq491c=",
 			"path": "github.com/jessevdk/go-flags",
-			"revision": "96dc06278ce32a0e9d957d590bb987c81ee66407",
-			"revisionTime": "2017-07-20T12:40:56Z"
+			"revision": "7309ec74f752d05ce2c62b8fd5755c4a2e3913cb",
+			"revisionTime": "2018-09-27T14:32:58Z"
+		},
+		{
+			"checksumSHA1": "dqtKfXGotqkiYaS328PpWeusig8=",
+			"path": "github.com/juju/ratelimit",
+			"revision": "59fac5042749a5afb9af70e813da1dd5474f0167",
+			"revisionTime": "2017-10-26T09:04:26Z"
+		},
+		{
+			"checksumSHA1": "3ohk4dFYrERZ6WTdKkIwnTA0HSI=",
+			"path": "github.com/kr/pretty",
+			"revision": "73f6ac0b30a98e433b289500d779f50c1a6f0712",
+			"revisionTime": "2018-05-06T08:33:45Z"
+		},
+		{
+			"checksumSHA1": "SbguDK5lY8uhaHNrmJmNbiWIGM0=",
+			"path": "github.com/kr/text",
+			"revision": "e2ffdb16a802fe2bb95e2e35ff34f0e53aeef34f",
+			"revisionTime": "2018-05-06T08:24:08Z"
 		},
 		{
 			"checksumSHA1": "bzUdFxQ29mPK0lwgFVcF0GFN74Q=",
@@ -159,10 +177,10 @@
 			"revisionTime": "2017-06-28T23:42:41Z"
 		},
 		{
-			"checksumSHA1": "CEFTYXtWmgSh+3Ik1NmDaJcz4E0=",
+			"checksumSHA1": "9gypWnVZJEaH3jMK9KqOp4xgQD4=",
 			"path": "gopkg.in/check.v1",
-			"revision": "20d25e2804050c1cd24a7eea1e7a6447dd0e74ec",
-			"revisionTime": "2016-12-08T18:13:25Z"
+			"revision": "788fd78401277ebd861206a03c884797c6ec5541",
+			"revisionTime": "2018-06-28T17:31:08Z"
 		},
 		{
 			"checksumSHA1": "mWrTCVjXPLevlqKUqpzSoEM3tu8=",
@@ -171,10 +189,10 @@
 			"revisionTime": "2015-01-21T11:42:31Z"
 		},
 		{
-			"checksumSHA1": "YsB2DChSV9HxdzHaKATllAUKWSI=",
+			"checksumSHA1": "/xRHTpN8WOK4nmZjJ1f96ER1b/o=",
 			"path": "gopkg.in/mgo.v2/bson",
-			"revision": "3f83fa5005286a7fe593b055f0d7771a7dce4655",
-			"revisionTime": "2016-08-18T02:01:20Z"
+			"revision": "a7e2c1d573e19a65a0caa1c2f70758cd889c416e",
+			"revisionTime": "2018-07-04T14:44:55Z"
 		},
 		{
 			"checksumSHA1": "XQsrqoNT1U0KzLxOFcAZVvqhLfk=",
diff -Nru snapd-2.32.3.2~14.04/wrappers/binaries.go snapd-2.37~rc1~14.04/wrappers/binaries.go
--- snapd-2.32.3.2~14.04/wrappers/binaries.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/binaries.go	2019-01-16 08:36:51.000000000 +0000
@@ -44,7 +44,8 @@
 		return err
 	}
 
-	noCompletion := !osutil.IsWritable(dirs.CompletersDir) || !osutil.FileExists(dirs.CompletersDir) || !osutil.FileExists(dirs.CompleteSh)
+	completeSh := dirs.CompleteShPath(s.Base)
+	noCompletion := !osutil.IsWritable(dirs.CompletersDir) || !osutil.FileExists(completeSh)
 	for _, app := range s.Apps {
 		if app.IsService() {
 			continue
@@ -64,7 +65,7 @@
 		}
 		// symlink the completion snippet
 		compPath := app.CompleterPath()
-		if err := os.Symlink(dirs.CompleteSh, compPath); err == nil {
+		if err := os.Symlink(completeSh, compPath); err == nil {
 			created = append(created, compPath)
 		} else if !os.IsExist(err) {
 			return err
@@ -82,7 +83,7 @@
 			continue
 		}
 		compPath := app.CompleterPath()
-		if target, err := os.Readlink(compPath); err == nil && target == dirs.CompleteSh {
+		if dirs.IsCompleteShSymlink(compPath) {
 			os.Remove(compPath)
 		}
 	}
diff -Nru snapd-2.32.3.2~14.04/wrappers/binaries_test.go snapd-2.37~rc1~14.04/wrappers/binaries_test.go
--- snapd-2.32.3.2~14.04/wrappers/binaries_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/binaries_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -38,9 +38,17 @@
 
 type binariesTestSuite struct {
 	tempdir string
+	base    string
 }
 
-var _ = Suite(&binariesTestSuite{})
+// silly wrappers to get better failure messages
+type noBaseBinariesSuite struct{ binariesTestSuite }
+type withBaseBinariesSuite struct{ binariesTestSuite }
+type withSnapdBinariesSuite struct{ binariesTestSuite }
+
+var _ = Suite(&noBaseBinariesSuite{})
+var _ = Suite(&withBaseBinariesSuite{binariesTestSuite{base: "core99"}})
+var _ = Suite(&withSnapdBinariesSuite{binariesTestSuite{base: "core-with-snapd"}})
 
 func (s *binariesTestSuite) SetUpTest(c *C) {
 	s.tempdir = c.MkDir()
@@ -77,8 +85,11 @@
 
 func (s *binariesTestSuite) TestAddSnapBinariesAndRemoveWithCompleters(c *C) {
 	c.Assert(os.MkdirAll(dirs.CompletersDir, 0755), IsNil)
-	c.Assert(os.MkdirAll(filepath.Dir(dirs.CompleteSh), 0755), IsNil)
-	c.Assert(ioutil.WriteFile(dirs.CompleteSh, nil, 0644), IsNil)
+	if s.base == "core-with-snapd" {
+		c.Check(os.MkdirAll(filepath.Join(dirs.SnapMountDir, "snapd/current/usr/lib/snapd"), 0755), IsNil)
+	}
+	c.Assert(os.MkdirAll(filepath.Dir(dirs.CompleteShPath(s.base)), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(dirs.CompleteShPath(s.base), nil, 0644), IsNil)
 	// full completers support -> we get completers \o/
 
 	s.testAddSnapBinariesAndRemove(c)
@@ -86,8 +97,11 @@
 
 func (s *binariesTestSuite) TestAddSnapBinariesAndRemoveWithExistingCompleters(c *C) {
 	c.Assert(os.MkdirAll(dirs.CompletersDir, 0755), IsNil)
-	c.Assert(os.MkdirAll(filepath.Dir(dirs.CompleteSh), 0755), IsNil)
-	c.Assert(ioutil.WriteFile(dirs.CompleteSh, nil, 0644), IsNil)
+	if s.base == "core-with-snapd" {
+		c.Check(os.MkdirAll(filepath.Join(dirs.SnapMountDir, "snapd/current/usr/lib/snapd"), 0755), IsNil)
+	}
+	c.Assert(os.MkdirAll(filepath.Dir(dirs.CompleteShPath(s.base)), 0755), IsNil)
+	c.Assert(ioutil.WriteFile(dirs.CompleteShPath(s.base), nil, 0644), IsNil)
 	// existing completers -> they're left alone \o/
 	c.Assert(ioutil.WriteFile(filepath.Join(dirs.CompletersDir, "hello-snap.world"), nil, 0644), IsNil)
 
@@ -95,7 +109,7 @@
 }
 
 func (s *binariesTestSuite) testAddSnapBinariesAndRemove(c *C) {
-	info := snaptest.MockSnap(c, packageHello, &snap.SideInfo{Revision: snap.R(11)})
+	info := snaptest.MockSnap(c, packageHello+"base: "+s.base+"\n", &snap.SideInfo{Revision: snap.R(11)})
 	completer := filepath.Join(dirs.CompletersDir, "hello-snap.world")
 	completerExisted := osutil.FileExists(completer)
 
@@ -118,7 +132,7 @@
 		} else {
 			target, err := os.Readlink(completer)
 			c.Assert(err, IsNil)
-			c.Check(target, Equals, dirs.CompleteSh)
+			c.Check(target, Equals, dirs.CompleteShPath(s.base))
 		}
 	}
 
diff -Nru snapd-2.32.3.2~14.04/wrappers/core18.go snapd-2.37~rc1~14.04/wrappers/core18.go
--- snapd-2.32.3.2~14.04/wrappers/core18.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/core18.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,208 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package wrappers
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"time"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/systemd"
+)
+
+// catches units that run /usr/bin/snap (with args), or things in /usr/lib/snapd/
+var execStartRe = regexp.MustCompile(`(?m)^ExecStart=(/usr/bin/snap\s+.*|/usr/lib/snapd/.*)$`)
+
+func writeSnapdToolingMountUnit(sysd systemd.Systemd, prefix string) error {
+	// Not using AddMountUnitFile() because we need
+	// "RequiredBy=snapd.service"
+	content := []byte(fmt.Sprintf(`[Unit]
+Description=Make the snapd snap tooling available for the system
+Before=snapd.service
+
+[Mount]
+What=%s/usr/lib/snapd
+Where=/usr/lib/snapd
+Type=none
+Options=bind
+
+[Install]
+WantedBy=snapd.service
+`, prefix))
+	unit := "usr-lib-snapd.mount"
+	fullPath := filepath.Join(dirs.SnapServicesDir, unit)
+
+	err := osutil.EnsureFileState(fullPath,
+		&osutil.FileState{
+			Content: content,
+			Mode:    0644,
+		},
+	)
+	if err == osutil.ErrSameState {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+	if err := sysd.DaemonReload(); err != nil {
+		return err
+	}
+	if err := sysd.Enable(unit); err != nil {
+		return err
+	}
+
+	if err := sysd.Restart(unit, 5*time.Second); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func writeSnapdServicesOnCore(s *snap.Info, inter interacter) error {
+	// we never write
+	if release.OnClassic {
+		return nil
+	}
+	sysd := systemd.New(dirs.GlobalRootDir, inter)
+
+	if err := writeSnapdToolingMountUnit(sysd, s.MountDir()); err != nil {
+		return err
+	}
+
+	serviceUnits, err := filepath.Glob(filepath.Join(s.MountDir(), "lib/systemd/system/*.service"))
+	if err != nil {
+		return err
+	}
+	socketUnits, err := filepath.Glob(filepath.Join(s.MountDir(), "lib/systemd/system/*.socket"))
+	if err != nil {
+		return err
+	}
+	timerUnits, err := filepath.Glob(filepath.Join(s.MountDir(), "lib/systemd/system/*.timer"))
+	if err != nil {
+		return err
+	}
+	units := append(socketUnits, serviceUnits...)
+	units = append(units, timerUnits...)
+
+	snapdUnits := make(map[string]*osutil.FileState, len(units)+1)
+	for _, unit := range units {
+		st, err := os.Stat(unit)
+		if err != nil {
+			return err
+		}
+		content, err := ioutil.ReadFile(unit)
+		if err != nil {
+			return err
+		}
+		content = execStartRe.ReplaceAll(content, []byte(fmt.Sprintf(`ExecStart=%s$1`, s.MountDir())))
+
+		snapdUnits[filepath.Base(unit)] = &osutil.FileState{
+			Content: content,
+			Mode:    st.Mode(),
+		}
+	}
+	changed, removed, err := osutil.EnsureDirStateGlobs(dirs.SnapServicesDir, []string{"snapd.service", "snapd.socket", "snapd.*.service", "snapd.*.timer"}, snapdUnits)
+	if err != nil {
+		// TODO: uhhhh, what do we do in this case?
+		return err
+	}
+	if (len(changed) + len(removed)) == 0 {
+		// nothing to do
+		return nil
+	}
+	// stop all removed units first
+	for _, unit := range removed {
+		if err := sysd.Stop(unit, 5*time.Second); err != nil {
+			logger.Noticef("failed to stop %q: %v", unit, err)
+		}
+		if err := sysd.Disable(unit); err != nil {
+			logger.Noticef("failed to disable %q: %v", unit, err)
+		}
+	}
+
+	// daemon-reload so that we get the new services
+	if len(changed) > 0 {
+		if err := sysd.DaemonReload(); err != nil {
+			return err
+		}
+	}
+
+	// enable/start all the new services
+	for _, unit := range changed {
+		if err := sysd.Enable(unit); err != nil {
+			return err
+		}
+	}
+
+	for _, unit := range changed {
+		// Some units (like the snapd.system-shutdown.service) cannot
+		// be started. Others like "snapd.seeded.service" are started
+		// as dependencies of snapd.service.
+		if bytes.Contains(snapdUnits[unit].Content, []byte("X-Snapd-Snap: do-not-start")) {
+			continue
+		}
+		// Ensure to only restart if the unit was previously
+		// active. This ensures we DTRT on firstboot and do
+		// not stop e.g. snapd.socket because doing that
+		// would mean that the snapd.seeded.service is also
+		// stopped (independently of snapd.socket being
+		// active) which confuses the boot order (the unit
+		// exists before we are fully seeded).
+		isActive, err := sysd.IsActive(unit)
+		if err != nil {
+			return err
+		}
+		if isActive {
+			if err := sysd.Restart(unit, 5*time.Second); err != nil {
+				return err
+			}
+		} else {
+			if err := sysd.Start(unit); err != nil {
+				return err
+			}
+		}
+	}
+	// and finally start snapd.service (it will stop by itself and gets
+	// started by systemd then)
+	if err := sysd.Start("snapd.service"); err != nil {
+		return err
+	}
+	if err := sysd.StartNoBlock("snapd.seeded.service"); err != nil {
+		return err
+	}
+	// we cannot start snapd.autoimport in blocking mode because
+	// it has a "After=snapd.seeded.service" which means that on
+	// seeding a "systemctl start" that blocks would hang forever
+	// and we deadlock.
+	if err := sysd.StartNoBlock("snapd.autoimport.service"); err != nil {
+		return err
+	}
+
+	return nil
+}
diff -Nru snapd-2.32.3.2~14.04/wrappers/core18_test.go snapd-2.37~rc1~14.04/wrappers/core18_test.go
--- snapd-2.32.3.2~14.04/wrappers/core18_test.go	1970-01-01 00:00:00.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/core18_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -0,0 +1,158 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2018 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package wrappers_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/dirs"
+	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/release"
+	"github.com/snapcore/snapd/snap"
+	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/systemd"
+	"github.com/snapcore/snapd/wrappers"
+)
+
+func makeMockSnapdSnap(c *C) *snap.Info {
+	err := os.MkdirAll(dirs.SnapServicesDir, 0755)
+	c.Assert(err, IsNil)
+
+	info := snaptest.MockSnap(c, snapdYaml, &snap.SideInfo{Revision: snap.R(1)})
+	snapdDir := filepath.Join(info.MountDir(), "lib", "systemd", "system")
+	err = os.MkdirAll(snapdDir, 0755)
+	c.Assert(err, IsNil)
+	snapdSrv := filepath.Join(snapdDir, "snapd.service")
+	err = ioutil.WriteFile(snapdSrv, []byte("[Unit]\nExecStart=/usr/lib/snapd/snapd\n# X-Snapd-Snap: do-not-start"), 0644)
+	c.Assert(err, IsNil)
+	snapdShutdown := filepath.Join(snapdDir, "snapd.system-shutdown.service")
+	err = ioutil.WriteFile(snapdShutdown, []byte("[Unit]\nExecStart=/bin/umount --everything\n# X-Snapd-Snap: do-not-start"), 0644)
+	c.Assert(err, IsNil)
+	snapdAutoimport := filepath.Join(snapdDir, "snapd.autoimport.service")
+	err = ioutil.WriteFile(snapdAutoimport, []byte("[Unit]\nExecStart=/usr/bin/snap auto-import"), 0644)
+	c.Assert(err, IsNil)
+
+	return info
+}
+
+func (s *servicesTestSuite) TestAddSnapServicesForSnapdOnCore(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	restore = release.MockReleaseInfo(&release.OS{ID: "ubuntu"})
+	defer restore()
+
+	// reset root dir
+	dirs.SetRootDir(s.tempdir)
+
+	systemctlRestorer := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
+		s.sysdLog = append(s.sysdLog, cmd)
+		if cmd[0] == "show" && cmd[1] == "--property=Id,ActiveState,UnitFileState,Type" {
+			s := fmt.Sprintf("Type=oneshot\nId=%s\nActiveState=inactive\nUnitFileState=enabled\n", cmd[2])
+			return []byte(s), nil
+		}
+		return []byte("ActiveState=inactive\n"), nil
+	})
+	defer systemctlRestorer()
+
+	info := makeMockSnapdSnap(c)
+	// add the snapd service
+	err := wrappers.AddSnapServices(info, nil)
+	c.Assert(err, IsNil)
+
+	// check that snapd.service is created
+	content, err := ioutil.ReadFile(filepath.Join(dirs.SnapServicesDir, "snapd.service"))
+	c.Assert(err, IsNil)
+	// and paths get re-written
+	c.Check(string(content), Equals, fmt.Sprintf("[Unit]\nExecStart=%s/snapd/1/usr/lib/snapd/snapd\n# X-Snapd-Snap: do-not-start", dirs.SnapMountDir))
+
+	// check that snapd.autoimport.service is created
+	content, err = ioutil.ReadFile(filepath.Join(dirs.SnapServicesDir, "snapd.autoimport.service"))
+	c.Assert(err, IsNil)
+	// and paths get re-written
+	c.Check(string(content), Equals, fmt.Sprintf("[Unit]\nExecStart=%s/snapd/1/usr/bin/snap auto-import", dirs.SnapMountDir))
+
+	// check that snapd.system-shutdown.service is created
+	content, err = ioutil.ReadFile(filepath.Join(dirs.SnapServicesDir, "snapd.system-shutdown.service"))
+	c.Assert(err, IsNil)
+	// and paths *do not* get re-written
+	c.Check(string(content), Equals, "[Unit]\nExecStart=/bin/umount --everything\n# X-Snapd-Snap: do-not-start")
+
+	// check that usr-lib-snapd.mount is created
+	content, err = ioutil.ReadFile(filepath.Join(dirs.SnapServicesDir, "usr-lib-snapd.mount"))
+	c.Assert(err, IsNil)
+	c.Check(string(content), Equals, fmt.Sprintf(`[Unit]
+Description=Make the snapd snap tooling available for the system
+Before=snapd.service
+
+[Mount]
+What=%s/snap/snapd/1/usr/lib/snapd
+Where=/usr/lib/snapd
+Type=none
+Options=bind
+
+[Install]
+WantedBy=snapd.service
+`, dirs.GlobalRootDir))
+
+	// check the systemctl calls
+	c.Check(s.sysdLog, DeepEquals, [][]string{
+		{"daemon-reload"},
+		{"--root", dirs.GlobalRootDir, "enable", "usr-lib-snapd.mount"},
+		{"stop", "usr-lib-snapd.mount"},
+		{"show", "--property=ActiveState", "usr-lib-snapd.mount"},
+		{"start", "usr-lib-snapd.mount"},
+		{"daemon-reload"},
+		{"--root", dirs.GlobalRootDir, "enable", "snapd.autoimport.service"},
+		{"--root", dirs.GlobalRootDir, "enable", "snapd.service"},
+		{"--root", dirs.GlobalRootDir, "enable", "snapd.system-shutdown.service"},
+		{"--root", dirs.GlobalRootDir, "is-active", "snapd.autoimport.service"},
+		{"stop", "snapd.autoimport.service"},
+		{"show", "--property=ActiveState", "snapd.autoimport.service"},
+		{"start", "snapd.autoimport.service"},
+		{"start", "snapd.service"},
+		{"start", "--no-block", "snapd.seeded.service"},
+		{"start", "--no-block", "snapd.autoimport.service"},
+	})
+}
+
+func (s *servicesTestSuite) TestAddSnapServicesForSnapdOnClassic(c *C) {
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	info := makeMockSnapdSnap(c)
+	// add the snapd service
+	err := wrappers.AddSnapServices(info, nil)
+	c.Assert(err, IsNil)
+
+	// check that snapd services were *not* created
+	c.Check(osutil.FileExists(filepath.Join(dirs.SnapServicesDir, "snapd.service")), Equals, false)
+	c.Check(osutil.FileExists(filepath.Join(dirs.SnapServicesDir, "snapd.autoimport.service")), Equals, false)
+	c.Check(osutil.FileExists(filepath.Join(dirs.SnapServicesDir, "snapd.system-shutdown.service")), Equals, false)
+	c.Check(osutil.FileExists(filepath.Join(dirs.SnapServicesDir, "usr-lib-snapd.mount")), Equals, false)
+
+	// check that no systemctl calls happened
+	c.Check(s.sysdLog, IsNil)
+}
diff -Nru snapd-2.32.3.2~14.04/wrappers/desktop.go snapd-2.37~rc1~14.04/wrappers/desktop.go
--- snapd-2.32.3.2~14.04/wrappers/desktop.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/desktop.go	2019-01-16 08:36:51.000000000 +0000
@@ -110,6 +110,12 @@
 	for _, app := range s.Apps {
 		wrapper := app.WrapperPath()
 		validCmd := filepath.Base(wrapper)
+		if s.InstanceKey != "" {
+			// wrapper uses s.InstanceName(), with the instance key
+			// set the command will be 'snap_foo.app' instead of
+			// 'snap.app', need to account for that
+			validCmd = snap.JoinSnapApp(s.SnapName(), app.Name)
+		}
 		// check the prefix to allow %flag style args
 		// this is ok because desktop files are not run through sh
 		// so we don't have to worry about the arguments too much
@@ -120,7 +126,7 @@
 		}
 	}
 
-	logger.Noticef("cannot use line %q for desktop file %q (snap %s)", line, desktopFile, s.Name())
+	logger.Noticef("cannot use line %q for desktop file %q (snap %s)", line, desktopFile, s.InstanceName())
 	// The Exec= line in the desktop file is invalid. Instead of failing
 	// hard we rewrite the Exec= line. The convention is that the desktop
 	// file has the same name as the application we can use this fact here.
@@ -184,6 +190,21 @@
 	return nil
 }
 
+// desktopPrefix returns the prefix string for the desktop files that
+// belongs to the given snapInstance. We need to do something custom
+// here because a) we need to be compatible with the world before we had
+// parallel installs b) we can't just use the usual "_" parallel installs
+// separator because that is already used as the separator between snap
+// and desktop filename.
+func desktopPrefix(s *snap.Info) string {
+	if s.SnapName() == s.InstanceName() {
+		return s.SnapName()
+	}
+	// we cannot use the usual "_" separator because that is also used
+	// to separate "$snap_$desktopfile"
+	return fmt.Sprintf("%s+%s", s.SnapName(), s.InstanceKey)
+}
+
 // AddSnapDesktopFiles puts in place the desktop files for the applications from the snap.
 func AddSnapDesktopFiles(s *snap.Info) (err error) {
 	var created []string
@@ -214,7 +235,11 @@
 			return err
 		}
 
-		installedDesktopFileName := filepath.Join(dirs.SnapDesktopFilesDir, fmt.Sprintf("%s_%s", s.Name(), filepath.Base(df)))
+		// FIXME: don't blindly use the snap desktop filename, mangle it
+		// but we can't just use the app name because a desktop file
+		// may call the same app with multiple parameters, e.g.
+		// --create-new, --open-existing etc
+		installedDesktopFileName := filepath.Join(dirs.SnapDesktopFilesDir, fmt.Sprintf("%s_%s", desktopPrefix(s), filepath.Base(df)))
 		content = sanitizeDesktopFile(s, installedDesktopFileName, content)
 		if err := osutil.AtomicWriteFile(installedDesktopFileName, content, 0755, 0); err != nil {
 			return err
@@ -232,17 +257,24 @@
 
 // RemoveSnapDesktopFiles removes the added desktop files for the applications in the snap.
 func RemoveSnapDesktopFiles(s *snap.Info) error {
-	glob := filepath.Join(dirs.SnapDesktopFilesDir, s.Name()+"_*.desktop")
-	activeDesktopFiles, err := filepath.Glob(glob)
+	removedDesktopFiles := make([]string, 0, len(s.Apps))
+
+	desktopFiles, err := filepath.Glob(filepath.Join(dirs.SnapDesktopFilesDir, fmt.Sprintf("%s_*.desktop", desktopPrefix(s))))
 	if err != nil {
-		return fmt.Errorf("cannot get desktop files for %v: %s", glob, err)
+		return nil
 	}
-	for _, f := range activeDesktopFiles {
-		os.Remove(f)
+	for _, df := range desktopFiles {
+		if err := os.Remove(df); err != nil {
+			if !os.IsNotExist(err) {
+				return err
+			}
+		} else {
+			removedDesktopFiles = append(removedDesktopFiles, df)
+		}
 	}
 
 	// updates mime info etc
-	if err := updateDesktopDatabase(activeDesktopFiles); err != nil {
+	if err := updateDesktopDatabase(removedDesktopFiles); err != nil {
 		return err
 	}
 
diff -Nru snapd-2.32.3.2~14.04/wrappers/desktop_test.go snapd-2.37~rc1~14.04/wrappers/desktop_test.go
--- snapd-2.32.3.2~14.04/wrappers/desktop_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/desktop_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -62,6 +62,8 @@
 var desktopAppYaml = `
 name: foo
 version: 1.0
+apps:
+    foobar:
 `
 
 var mockDesktopFile = []byte(`
@@ -110,11 +112,57 @@
 	})
 }
 
+func (s *desktopSuite) TestParallelInstancesRemovePackageDesktopFiles(c *C) {
+	mockDesktopFilePath := filepath.Join(dirs.SnapDesktopFilesDir, "foo_foobar.desktop")
+	mockDesktopInstanceFilePath := filepath.Join(dirs.SnapDesktopFilesDir, "foo+instance_foobar.desktop")
+
+	err := os.MkdirAll(dirs.SnapDesktopFilesDir, 0755)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(mockDesktopFilePath, mockDesktopFile, 0644)
+	c.Assert(err, IsNil)
+	err = ioutil.WriteFile(mockDesktopInstanceFilePath, mockDesktopFile, 0644)
+	c.Assert(err, IsNil)
+	info, err := snap.InfoFromSnapYaml([]byte(desktopAppYaml))
+	c.Assert(err, IsNil)
+
+	err = wrappers.RemoveSnapDesktopFiles(info)
+	c.Assert(err, IsNil)
+	c.Assert(osutil.FileExists(mockDesktopFilePath), Equals, false)
+	c.Assert(s.mockUpdateDesktopDatabase.Calls(), DeepEquals, [][]string{
+		{"update-desktop-database", dirs.SnapDesktopFilesDir},
+	})
+	// foo+instance file is still there
+	c.Assert(osutil.FileExists(mockDesktopInstanceFilePath), Equals, true)
+
+	// restore the non-instance file
+	err = ioutil.WriteFile(mockDesktopFilePath, mockDesktopFile, 0644)
+	c.Assert(err, IsNil)
+
+	s.mockUpdateDesktopDatabase.ForgetCalls()
+
+	info.InstanceKey = "instance"
+	err = wrappers.RemoveSnapDesktopFiles(info)
+	c.Assert(err, IsNil)
+	c.Assert(osutil.FileExists(mockDesktopInstanceFilePath), Equals, false)
+	c.Assert(s.mockUpdateDesktopDatabase.Calls(), DeepEquals, [][]string{
+		{"update-desktop-database", dirs.SnapDesktopFilesDir},
+	})
+	// foo file is still there
+	c.Assert(osutil.FileExists(mockDesktopFilePath), Equals, true)
+}
+
 func (s *desktopSuite) TestAddPackageDesktopFilesCleanup(c *C) {
 	mockDesktopFilePath := filepath.Join(dirs.SnapDesktopFilesDir, "foo_foobar1.desktop")
 	c.Assert(osutil.FileExists(mockDesktopFilePath), Equals, false)
 
-	err := os.MkdirAll(filepath.Join(dirs.SnapDesktopFilesDir, "foo_foobar2.desktop", "potato"), 0755)
+	err := os.MkdirAll(dirs.SnapDesktopFilesDir, 0755)
+	c.Assert(err, IsNil)
+
+	mockDesktopInstanceFilePath := filepath.Join(dirs.SnapDesktopFilesDir, "foo_instance_foobar.desktop")
+	err = ioutil.WriteFile(mockDesktopInstanceFilePath, mockDesktopFile, 0644)
+	c.Assert(err, IsNil)
+
+	err = os.MkdirAll(filepath.Join(dirs.SnapDesktopFilesDir, "foo_foobar2.desktop", "potato"), 0755)
 	c.Assert(err, IsNil)
 
 	info := snaptest.MockSnap(c, desktopAppYaml, &snap.SideInfo{Revision: snap.R(11)})
@@ -133,6 +181,8 @@
 	c.Check(err, NotNil)
 	c.Check(osutil.FileExists(mockDesktopFilePath), Equals, false)
 	c.Check(s.mockUpdateDesktopDatabase.Calls(), HasLen, 0)
+	// foo_instance file was not removed by cleanup
+	c.Check(osutil.FileExists(mockDesktopInstanceFilePath), Equals, true)
 }
 
 // sanitize
@@ -326,6 +376,51 @@
 	c.Assert(string(e), Equals, string(desktopContent))
 }
 
+func (s *sanitizeDesktopFileSuite) TestSanitizeParallelInstancesPlain(c *C) {
+	snap, err := snap.InfoFromSnapYaml([]byte(`
+name: snap
+version: 1.0
+apps:
+ app:
+  command: cmd
+`))
+	snap.InstanceKey = "bar"
+	c.Assert(err, IsNil)
+	desktopContent := []byte(`[Desktop Entry]
+Name=foo
+Exec=snap.app
+`)
+	df := filepath.Base(snap.Apps["app"].DesktopFile())
+	e := wrappers.SanitizeDesktopFile(snap, df, desktopContent)
+	c.Assert(string(e), Equals, fmt.Sprintf(`[Desktop Entry]
+Name=foo
+Exec=env BAMF_DESKTOP_FILE_HINT=snap_bar_app.desktop %s/bin/snap_bar.app
+`, dirs.SnapMountDir))
+}
+
+func (s *sanitizeDesktopFileSuite) TestSanitizeParallelInstancesWithArgs(c *C) {
+	snap, err := snap.InfoFromSnapYaml([]byte(`
+name: snap
+version: 1.0
+apps:
+ app:
+  command: cmd
+`))
+	snap.InstanceKey = "bar"
+	c.Assert(err, IsNil)
+	desktopContent := []byte(`[Desktop Entry]
+Name=foo
+Exec=snap.app %U
+`)
+
+	df := filepath.Base(snap.Apps["app"].DesktopFile())
+	e := wrappers.SanitizeDesktopFile(snap, df, desktopContent)
+	c.Assert(string(e), Equals, fmt.Sprintf(`[Desktop Entry]
+Name=foo
+Exec=env BAMF_DESKTOP_FILE_HINT=snap_bar_app.desktop %s/bin/snap_bar.app %%U
+`, dirs.SnapMountDir))
+}
+
 func (s *sanitizeDesktopFileSuite) TestRewriteExecLineInvalid(c *C) {
 	snap := &snap.Info{}
 	_, err := wrappers.RewriteExecLine(snap, "foo.desktop", "Exec=invalid")
@@ -374,3 +469,44 @@
 		c.Assert(wrappers.IsValidDesktopFileLine([]byte(t.line)), Equals, t.isValid)
 	}
 }
+
+func (s *desktopSuite) TestAddRemoveDesktopFiles(c *C) {
+	var tests = []struct {
+		instance                string
+		upstreamDesktopFileName string
+
+		expectedDesktopFileName string
+	}{
+		// normal cases
+		{"", "upstream.desktop", "foo_upstream.desktop"},
+		{"instance", "upstream.desktop", "foo+instance_upstream.desktop"},
+		// pathological cases are handled
+		{"", "instance.desktop", "foo_instance.desktop"},
+		{"instance", "instance.desktop", "foo+instance_instance.desktop"},
+	}
+
+	for _, t := range tests {
+		expectedDesktopFilePath := filepath.Join(dirs.SnapDesktopFilesDir, t.expectedDesktopFileName)
+		c.Assert(osutil.FileExists(expectedDesktopFilePath), Equals, false)
+
+		info := snaptest.MockSnap(c, desktopAppYaml, &snap.SideInfo{Revision: snap.R(11)})
+		info.InstanceKey = t.instance
+
+		// generate .desktop file in the package baseDir
+		baseDir := info.MountDir()
+		err := os.MkdirAll(filepath.Join(baseDir, "meta", "gui"), 0755)
+		c.Assert(err, IsNil)
+
+		err = ioutil.WriteFile(filepath.Join(baseDir, "meta", "gui", t.upstreamDesktopFileName), mockDesktopFile, 0644)
+		c.Assert(err, IsNil)
+
+		err = wrappers.AddSnapDesktopFiles(info)
+		c.Assert(err, IsNil)
+		c.Assert(osutil.FileExists(expectedDesktopFilePath), Equals, true)
+
+		// remove it again
+		err = wrappers.RemoveSnapDesktopFiles(info)
+		c.Assert(err, IsNil)
+		c.Assert(osutil.FileExists(expectedDesktopFilePath), Equals, false)
+	}
+}
diff -Nru snapd-2.32.3.2~14.04/wrappers/export_test.go snapd-2.37~rc1~14.04/wrappers/export_test.go
--- snapd-2.32.3.2~14.04/wrappers/export_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/export_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -27,11 +27,16 @@
 var (
 	// services
 	GenerateSnapServiceFile = generateSnapServiceFile
+	GenerateSnapSocketFiles = generateSnapSocketFiles
+	GenerateSnapTimerFile   = generateSnapTimerFile
 
 	// desktop
 	SanitizeDesktopFile    = sanitizeDesktopFile
 	RewriteExecLine        = rewriteExecLine
 	IsValidDesktopFileLine = isValidDesktopFileLine
+
+	// timers
+	GenerateOnCalendarSchedules = generateOnCalendarSchedules
 )
 
 func MockKillWait(wait time.Duration) (restore func()) {
diff -Nru snapd-2.32.3.2~14.04/wrappers/services_gen_test.go snapd-2.37~rc1~14.04/wrappers/services_gen_test.go
--- snapd-2.32.3.2~14.04/wrappers/services_gen_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/services_gen_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -21,16 +21,20 @@
 
 import (
 	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
 
 	. "gopkg.in/check.v1"
 
-	"strings"
-
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 	"github.com/snapcore/snapd/testutil"
 	"github.com/snapcore/snapd/timeout"
+	"github.com/snapcore/snapd/timeutil"
 	"github.com/snapcore/snapd/wrappers"
 )
 
@@ -44,8 +48,8 @@
 # Auto-generated, DO NOT EDIT
 Description=Service for snap application snap.app
 Requires=%s-snap-44.mount
-Wants=network-online.target
-After=%s-snap-44.mount network-online.target
+Wants=network.target
+After=%s-snap-44.mount network.target
 X-Snappy=yes
 
 [Service]
@@ -78,8 +82,8 @@
 # Auto-generated, DO NOT EDIT
 Description=Service for snap application xkcd-webserver.xkcd-webserver
 Requires=%s-xkcd\x2dwebserver-44.mount
-Wants=network-online.target
-After=%s-xkcd\x2dwebserver-44.mount network-online.target
+Wants=network.target
+After=%s-xkcd\x2dwebserver-44.mount network.target
 X-Snappy=yes
 
 [Service]
@@ -133,6 +137,7 @@
 name: snap
 apps:
     app:
+        daemon: simple
         restart-condition: %s
 `
 	for name, cond := range snap.RestartMap {
@@ -248,13 +253,46 @@
 }
 
 func (s *servicesWrapperGenSuite) TestGenerateSnapServiceWithSockets(c *C) {
+	const sock1ExpectedFmt = `[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Socket sock1 for snap application some-snap.app
+Requires=%s-some\x2dsnap-44.mount
+After=%s-some\x2dsnap-44.mount
+X-Snappy=yes
+
+[Socket]
+Service=snap.some-snap.app.service
+FileDescriptorName=sock1
+ListenStream=%s/sock1.socket
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
+`
+	const sock2ExpectedFmt = `[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Socket sock2 for snap application some-snap.app
+Requires=%s-some\x2dsnap-44.mount
+After=%s-some\x2dsnap-44.mount
+X-Snappy=yes
+
+[Socket]
+Service=snap.some-snap.app.service
+FileDescriptorName=sock2
+ListenStream=%s/sock2.socket
+
+[Install]
+WantedBy=sockets.target
+`
+
+	si := &snap.Info{
+		SuggestedName: "some-snap",
+		Version:       "1.0",
+		SideInfo:      snap.SideInfo{Revision: snap.R(44)},
+	}
 	service := &snap.AppInfo{
-		Snap: &snap.Info{
-			SuggestedName: "xkcd-webserver",
-			Version:       "0.3.4",
-			SideInfo:      snap.SideInfo{Revision: snap.R(44)},
-		},
-		Name:    "xkcd-webserver",
+		Snap:    si,
+		Name:    "app",
 		Command: "bin/foo start",
 		Daemon:  "simple",
 		Plugs:   map[string]*snap.PlugInfo{"network-bind": {}},
@@ -264,13 +302,33 @@
 				ListenStream: "$SNAP_DATA/sock1.socket",
 				SocketMode:   0666,
 			},
+			"sock2": {
+				Name:         "sock2",
+				ListenStream: "$SNAP_DATA/sock2.socket",
+			},
 		},
 	}
+	service.Sockets["sock1"].App = service
+	service.Sockets["sock2"].App = service
+
+	sock1Path := filepath.Join(dirs.SnapServicesDir, "snap.some-snap.app.sock1.socket")
+	sock2Path := filepath.Join(dirs.SnapServicesDir, "snap.some-snap.app.sock2.socket")
+	sock1Expected := fmt.Sprintf(sock1ExpectedFmt, mountUnitPrefix, mountUnitPrefix, si.DataDir())
+	sock2Expected := fmt.Sprintf(sock2ExpectedFmt, mountUnitPrefix, mountUnitPrefix, si.DataDir())
 
 	generatedWrapper, err := wrappers.GenerateSnapServiceFile(service)
 	c.Assert(err, IsNil)
 	c.Assert(strings.Contains(string(generatedWrapper), "[Install]"), Equals, false)
 	c.Assert(strings.Contains(string(generatedWrapper), "WantedBy=multi-user.target"), Equals, false)
+
+	generatedSockets, err := wrappers.GenerateSnapSocketFiles(service)
+	c.Assert(err, IsNil)
+	c.Assert(generatedSockets, Not(IsNil))
+	c.Assert(*generatedSockets, HasLen, 2)
+	c.Assert(*generatedSockets, DeepEquals, map[string][]byte{
+		sock1Path: []byte(sock1Expected),
+		sock2Path: []byte(sock2Expected),
+	})
 }
 
 func (s *servicesWrapperGenSuite) TestServiceAfterBefore(c *C) {
@@ -278,9 +336,9 @@
 # Auto-generated, DO NOT EDIT
 Description=Service for snap application snap.app
 Requires=%s-snap-44.mount
-Wants=network-online.target
-After=%s-snap-44.mount network-online.target snap.snap.bar.service snap.snap.zed.service
-Before=snap.snap.foo.service
+Wants=network.target
+After=%s-snap-44.mount network.target %s
+Before=%s
 X-Snappy=yes
 
 [Service]
@@ -295,7 +353,6 @@
 WantedBy=multi-user.target
 `
 
-	expectedService := fmt.Sprintf(expectedServiceFmt, mountUnitPrefix, mountUnitPrefix, "on-failure", "simple")
 	service := &snap.AppInfo{
 		Snap: &snap.Info{
 			SuggestedName: "snap",
@@ -317,19 +374,330 @@
 					Snap:   &snap.Info{SuggestedName: "snap"},
 					Daemon: "forking",
 				},
+				"baz": {
+					Name:   "baz",
+					Snap:   &snap.Info{SuggestedName: "snap"},
+					Daemon: "forking",
+				},
 			},
 		},
 		Name:        "app",
 		Command:     "bin/foo start",
 		Daemon:      "simple",
-		Before:      []string{"foo"},
-		After:       []string{"bar", "zed"},
 		StopTimeout: timeout.DefaultTimeout,
 	}
 
+	for _, tc := range []struct {
+		after           []string
+		before          []string
+		generatedAfter  string
+		generatedBefore string
+	}{{
+		after:           []string{"bar", "zed"},
+		generatedAfter:  "snap.snap.bar.service snap.snap.zed.service",
+		before:          []string{"foo", "baz"},
+		generatedBefore: "snap.snap.foo.service snap.snap.baz.service",
+	}, {
+		after:           []string{"bar"},
+		generatedAfter:  "snap.snap.bar.service",
+		before:          []string{"foo"},
+		generatedBefore: "snap.snap.foo.service",
+	},
+	} {
+		c.Logf("tc: %v", tc)
+		service.After = tc.after
+		service.Before = tc.before
+		generatedWrapper, err := wrappers.GenerateSnapServiceFile(service)
+		c.Assert(err, IsNil)
+
+		expectedService := fmt.Sprintf(expectedServiceFmt, mountUnitPrefix, mountUnitPrefix,
+			tc.generatedAfter, tc.generatedBefore, "on-failure", "simple")
+		c.Assert(string(generatedWrapper), Equals, expectedService)
+	}
+}
+
+func (s *servicesWrapperGenSuite) TestServiceTimerUnit(c *C) {
+	const expectedServiceFmt = `[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Timer app for snap application snap.app
+Requires=%s-snap-44.mount
+After=%s-snap-44.mount
+X-Snappy=yes
+
+[Timer]
+Unit=snap.snap.app.service
+OnCalendar=*-*-* 10:00
+OnCalendar=*-*-* 11:00
+
+[Install]
+WantedBy=timers.target
+`
+
+	expectedService := fmt.Sprintf(expectedServiceFmt, mountUnitPrefix, mountUnitPrefix)
+	service := &snap.AppInfo{
+		Snap: &snap.Info{
+			SuggestedName: "snap",
+			Version:       "0.3.4",
+			SideInfo:      snap.SideInfo{Revision: snap.R(44)},
+		},
+		Name:        "app",
+		Command:     "bin/foo start",
+		Daemon:      "simple",
+		StopTimeout: timeout.DefaultTimeout,
+		Timer: &snap.TimerInfo{
+			Timer: "10:00-12:00/2",
+		},
+	}
+	service.Timer.App = service
+
+	generatedWrapper, err := wrappers.GenerateSnapTimerFile(service)
+	c.Assert(err, IsNil)
+
+	c.Logf("timer: \n%v\n", string(generatedWrapper))
+	c.Assert(string(generatedWrapper), Equals, expectedService)
+}
+
+func (s *servicesWrapperGenSuite) TestServiceTimerUnitBadTimer(c *C) {
+	service := &snap.AppInfo{
+		Snap: &snap.Info{
+			SuggestedName: "snap",
+			Version:       "0.3.4",
+			SideInfo:      snap.SideInfo{Revision: snap.R(44)},
+		},
+		Name:        "app",
+		Command:     "bin/foo start",
+		Daemon:      "simple",
+		StopTimeout: timeout.DefaultTimeout,
+		Timer: &snap.TimerInfo{
+			Timer: "bad-timer",
+		},
+	}
+	service.Timer.App = service
+
+	generatedWrapper, err := wrappers.GenerateSnapTimerFile(service)
+	c.Assert(err, ErrorMatches, `cannot parse "bad-timer": "bad" is not a valid weekday`)
+	c.Assert(generatedWrapper, IsNil)
+}
+
+func (s *servicesWrapperGenSuite) TestServiceTimerServiceUnit(c *C) {
+	const expectedServiceFmt = `[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Service for snap application snap.app
+Requires=%s-snap-44.mount
+Wants=network.target
+After=%s-snap-44.mount network.target
+X-Snappy=yes
+
+[Service]
+ExecStart=/usr/bin/snap run --timer="10:00-12:00,,mon,23:00~01:00/2" snap.app
+SyslogIdentifier=snap.app
+Restart=%s
+WorkingDirectory=/var/snap/snap/44
+TimeoutStopSec=30
+Type=%s
+
+[Install]
+WantedBy=multi-user.target
+`
+
+	expectedService := fmt.Sprintf(expectedServiceFmt, mountUnitPrefix, mountUnitPrefix, "on-failure", "simple")
+	service := &snap.AppInfo{
+		Snap: &snap.Info{
+			SuggestedName: "snap",
+			Version:       "0.3.4",
+			SideInfo:      snap.SideInfo{Revision: snap.R(44)},
+		},
+		Name:        "app",
+		Command:     "bin/foo start",
+		Daemon:      "simple",
+		StopTimeout: timeout.DefaultTimeout,
+		Timer: &snap.TimerInfo{
+			Timer: "10:00-12:00,,mon,23:00~01:00/2",
+		},
+	}
+
 	generatedWrapper, err := wrappers.GenerateSnapServiceFile(service)
 	c.Assert(err, IsNil)
 
 	c.Logf("service: \n%v\n", string(generatedWrapper))
 	c.Assert(string(generatedWrapper), Equals, expectedService)
 }
+
+func (s *servicesWrapperGenSuite) TestTimerGenerateSchedules(c *C) {
+	systemdAnalyzePath, _ := exec.LookPath("systemd-analyze")
+	if systemdAnalyzePath != "" {
+		// systemd-analyze is in the path, but it will fail if the
+		// daemon is not running (as it happens in LP builds) and writes
+		// the following to stderr:
+		//   Failed to create bus connection: No such file or directory
+		cmd := exec.Command(systemdAnalyzePath, "calendar", "12:00")
+		err := cmd.Run()
+		if err != nil {
+			// turns out it's not usable, disable extra verification
+			fmt.Fprintln(os.Stderr, `WARNING: systemd-analyze not usable, cannot validate a known schedule "12:00"`)
+			systemdAnalyzePath = ""
+		}
+	}
+
+	if systemdAnalyzePath == "" {
+		fmt.Fprintln(os.Stderr, "WARNING: generated schedules will not be validated by systemd-analyze")
+	}
+
+	for _, t := range []struct {
+		in         string
+		expected   []string
+		randomized bool
+	}{{
+		in:       "9:00-11:00,,20:00-22:00",
+		expected: []string{"*-*-* 09:00", "*-*-* 20:00"},
+	}, {
+		in:       "9:00-11:00/2,,20:00",
+		expected: []string{"*-*-* 09:00", "*-*-* 10:00", "*-*-* 20:00"},
+	}, {
+		in:         "9:00~11:00/2,,20:00",
+		expected:   []string{`\*-\*-\* 09:[0-5][0-9]`, `\*-\*-\* 10:[0-5][0-9]`, `\*-\*-\* 20:00`},
+		randomized: true,
+	}, {
+		in:       "mon,10:00,,fri,15:00",
+		expected: []string{"Mon *-*-* 10:00", "Fri *-*-* 15:00"},
+	}, {
+		in:       "mon-fri,10:00-11:00",
+		expected: []string{"Mon,Tue,Wed,Thu,Fri *-*-* 10:00"},
+	}, {
+		in:       "fri-mon,10:00-11:00",
+		expected: []string{"Fri,Sat,Sun,Mon *-*-* 10:00"},
+	}, {
+		in:       "mon5,10:00",
+		expected: []string{"Mon *-*~7/1 10:00"},
+	}, {
+		in:       "mon2,10:00",
+		expected: []string{"Mon *-*-8..14/1 10:00"},
+	}, {
+		in:       "mon2,mon1,10:00",
+		expected: []string{"Mon *-*-8..14/1 10:00", "Mon *-*-1..7/1 10:00"},
+	}, {
+		// NOTE: non-representable, assumes that service runner does the
+		// filtering of when to run the timer
+		in:       "mon1-mon3,10:00",
+		expected: []string{"*-*-1..21/1 10:00"},
+	}, {
+		in:         "mon,10:00~12:00,,fri,15:00",
+		expected:   []string{`Mon \*-\*-\* 1[01]:[0-5][0-9]`, `Fri \*-\*-\* 15:00`},
+		randomized: true,
+	}, {
+		in:         "23:00~24:00/4",
+		expected:   []string{`\*-\*-\* 23:[01][0-9]`, `\*-\*-\* 23:[12][0-9]`, `\*-\*-\* 23:[34][0-9]`, `*-*-* 23:[45][0-9]`},
+		randomized: true,
+	}, {
+		in:         "23:00~01:00/4",
+		expected:   []string{`\*-\*-\* 23:[0-2][0-9]`, `\*-\*-\* 23:[3-5][0-9]`, `\*-\*-\* 00:[0-2][0-9]`, `\*-\*-\* 00:[3-5][0-9]`},
+		randomized: true,
+	}, {
+		in:       "23:00-01:00/4",
+		expected: []string{`*-*-* 23:00`, `*-*-* 23:30`, `*-*-* 00:00`, `*-*-* 00:30`},
+	}, {
+		in:       "24:00",
+		expected: []string{`*-*-* 00:00`},
+	}} {
+		c.Logf("trying %+v", t)
+
+		schedule, err := timeutil.ParseSchedule(t.in)
+		c.Check(err, IsNil)
+
+		timer := wrappers.GenerateOnCalendarSchedules(schedule)
+		c.Check(timer, Not(IsNil))
+		if !t.randomized {
+			c.Check(timer, DeepEquals, t.expected)
+		} else {
+			c.Assert(timer, HasLen, len(t.expected))
+			for i := range timer {
+				c.Check(timer[i], Matches, t.expected[i])
+			}
+		}
+
+		if systemdAnalyzePath != "" {
+			cmd := exec.Command(systemdAnalyzePath, append([]string{"calendar"}, timer...)...)
+			out, err := cmd.CombinedOutput()
+			c.Check(err, IsNil, Commentf("systemd-analyze failed with output:\n%s", string(out)))
+		}
+	}
+}
+
+func (s *servicesWrapperGenSuite) TestKillModeSig(c *C) {
+	for _, rm := range []string{"sigterm", "sighup", "sigusr1", "sigusr2"} {
+		service := &snap.AppInfo{
+			Snap: &snap.Info{
+				SuggestedName: "snap",
+				Version:       "0.3.4",
+				SideInfo:      snap.SideInfo{Revision: snap.R(44)},
+			},
+			Name:     "app",
+			Command:  "bin/foo start",
+			Daemon:   "simple",
+			StopMode: snap.StopModeType(rm),
+		}
+
+		generatedWrapper, err := wrappers.GenerateSnapServiceFile(service)
+		c.Assert(err, IsNil)
+
+		c.Check(string(generatedWrapper), Equals, fmt.Sprintf(`[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Service for snap application snap.app
+Requires=%s-snap-44.mount
+Wants=network.target
+After=%s-snap-44.mount network.target
+X-Snappy=yes
+
+[Service]
+ExecStart=/usr/bin/snap run snap.app
+SyslogIdentifier=snap.app
+Restart=on-failure
+WorkingDirectory=/var/snap/snap/44
+TimeoutStopSec=30
+Type=simple
+KillMode=process
+KillSignal=%s
+
+[Install]
+WantedBy=multi-user.target
+`, mountUnitPrefix, mountUnitPrefix, strings.ToUpper(rm)))
+	}
+}
+
+func (s *servicesWrapperGenSuite) TestRestartDelay(c *C) {
+	service := &snap.AppInfo{
+		Snap: &snap.Info{
+			SuggestedName: "snap",
+			Version:       "0.3.4",
+			SideInfo:      snap.SideInfo{Revision: snap.R(44)},
+		},
+		Name:         "app",
+		Command:      "bin/foo start",
+		Daemon:       "simple",
+		RestartDelay: timeout.Timeout(20 * time.Second),
+	}
+
+	generatedWrapper, err := wrappers.GenerateSnapServiceFile(service)
+	c.Assert(err, IsNil)
+
+	c.Check(string(generatedWrapper), Equals, fmt.Sprintf(`[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Service for snap application snap.app
+Requires=%s-snap-44.mount
+Wants=network.target
+After=%s-snap-44.mount network.target
+X-Snappy=yes
+
+[Service]
+ExecStart=/usr/bin/snap run snap.app
+SyslogIdentifier=snap.app
+Restart=on-failure
+RestartSec=20
+WorkingDirectory=/var/snap/snap/44
+TimeoutStopSec=30
+Type=simple
+
+[Install]
+WantedBy=multi-user.target
+`, mountUnitPrefix, mountUnitPrefix))
+}
diff -Nru snapd-2.32.3.2~14.04/wrappers/services.go snapd-2.37~rc1~14.04/wrappers/services.go
--- snapd-2.32.3.2~14.04/wrappers/services.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/services.go	2019-01-16 08:36:51.000000000 +0000
@@ -22,6 +22,7 @@
 import (
 	"bytes"
 	"fmt"
+	"math/rand"
 	"os"
 	"path/filepath"
 	"strings"
@@ -34,6 +35,7 @@
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/systemd"
 	"github.com/snapcore/snapd/timeout"
+	"github.com/snapcore/snapd/timeutil"
 )
 
 type interacter interface {
@@ -63,10 +65,16 @@
 	serviceName := app.ServiceName()
 	tout := serviceStopTimeout(app)
 
-	socketErrors := []error{}
+	stopErrors := []error{}
 	for _, socket := range app.Sockets {
 		if err := sysd.Stop(filepath.Base(socket.File()), tout); err != nil {
-			socketErrors = append(socketErrors, err)
+			stopErrors = append(stopErrors, err)
+		}
+	}
+
+	if app.Timer != nil {
+		if err := sysd.Stop(filepath.Base(app.Timer.File()), tout); err != nil {
+			stopErrors = append(stopErrors, err)
 		}
 	}
 
@@ -82,14 +90,16 @@
 
 	}
 
-	if len(socketErrors) > 0 {
-		return socketErrors[0]
+	if len(stopErrors) > 0 {
+		return stopErrors[0]
 	}
 
 	return nil
 }
 
-// StartServices starts service units for the applications from the snap which are services.
+// StartServices starts service units for the applications from the snap which
+// are services. Service units will be started in the order provided by the
+// caller.
 func StartServices(apps []*snap.AppInfo, inter interacter) (err error) {
 	sysd := systemd.New(dirs.GlobalRootDir, inter)
 
@@ -113,10 +123,27 @@
 					inter.Notify(fmt.Sprintf("While trying to disable previously enabled socket service %q: %v", socketService, e))
 				}
 			}
+			if app.Timer != nil {
+				timerService := filepath.Base(app.Timer.File())
+				if e := sysd.Disable(timerService); e != nil {
+					inter.Notify(fmt.Sprintf("While trying to disable previously enabled timer service %q: %v", timerService, e))
+				}
+			}
 		}(app)
 
-		if len(app.Sockets) == 0 {
-			services = append(services, app.ServiceName())
+		if len(app.Sockets) == 0 && app.Timer == nil {
+			// check if the service is disabled, if so don't start it up
+			// this could happen for example if the service was disabled in
+			// the install hook by snapctl or if the service was disabled in
+			// the previous installation
+			isEnabled, err := sysd.IsEnabled(app.ServiceName())
+			if err != nil {
+				return err
+			}
+
+			if isEnabled {
+				services = append(services, app.ServiceName())
+			}
 		}
 
 		for _, socket := range app.Sockets {
@@ -131,10 +158,27 @@
 			}
 		}
 
+		if app.Timer != nil {
+			timerService := filepath.Base(app.Timer.File())
+			// enable the timer
+			if err := sysd.Enable(timerService); err != nil {
+				return err
+			}
+
+			if err := sysd.Start(timerService); err != nil {
+				return err
+			}
+		}
 	}
 
-	if len(services) > 0 {
-		if err := sysd.Start(services...); err != nil {
+	for _, srv := range services {
+		// starting all services at once does not create a single
+		// transaction, but instead spawns multiple jobs, make sure the
+		// services started in the original order by bring them up one
+		// by one, see:
+		// https://github.com/systemd/systemd/issues/8102
+		// https://lists.freedesktop.org/archives/systemd-devel/2018-January/040152.html
+		if err := sysd.Start(srv); err != nil {
 			// cleanup was set up by iterating over apps
 			return err
 		}
@@ -145,6 +189,10 @@
 
 // AddSnapServices adds service units for the applications from the snap which are services.
 func AddSnapServices(s *snap.Info, inter interacter) (err error) {
+	if s.SnapName() == "snapd" {
+		return writeSnapdServicesOnCore(s, inter)
+	}
+
 	sysd := systemd.New(dirs.GlobalRootDir, inter)
 	var written []string
 	var enabled []string
@@ -198,8 +246,22 @@
 			written = append(written, path)
 		}
 
-		if len(app.Sockets) != 0 {
-			// service is socket activated, not during the boot
+		if app.Timer != nil {
+			content, err := generateSnapTimerFile(app)
+			if err != nil {
+				return err
+			}
+			path := app.Timer.File()
+			os.MkdirAll(filepath.Dir(path), 0755)
+			if err := osutil.AtomicWriteFile(path, content, 0644, 0); err != nil {
+				return err
+			}
+			written = append(written, path)
+		}
+
+		if app.Timer != nil || len(app.Sockets) != 0 {
+			// service is socket or timer activated, not during the
+			// boot
 			continue
 		}
 
@@ -210,7 +272,7 @@
 		enabled = append(enabled, svcName)
 	}
 
-	if len(enabled) > 0 {
+	if len(written) > 0 {
 		if err := sysd.DaemonReload(); err != nil {
 			return err
 		}
@@ -233,42 +295,27 @@
 		// Skip stop on refresh when refresh mode is set to something
 		// other than "restart" (or "" which is the same)
 		if reason == snap.StopReasonRefresh {
-			logger.Debugf(" %s refresh-mode: %v", app.Name, app.RefreshMode)
+			logger.Debugf(" %s refresh-mode: %v", app.Name, app.StopMode)
 			switch app.RefreshMode {
 			case "endure":
 				// skip this service
 				continue
-			case "sigterm":
-				sysd.Kill(app.ServiceName(), "TERM", "main")
-				continue
-			case "sigterm-all":
-				sysd.Kill(app.ServiceName(), "TERM", "all")
-				continue
-			case "sighup":
-				sysd.Kill(app.ServiceName(), "HUP", "main")
-				continue
-			case "sighup-all":
-				sysd.Kill(app.ServiceName(), "HUP", "all")
-				continue
-			case "sigusr1":
-				sysd.Kill(app.ServiceName(), "USR1", "main")
-				continue
-			case "sigusr1-all":
-				sysd.Kill(app.ServiceName(), "USR1", "all")
-				continue
-			case "sigusr2":
-				sysd.Kill(app.ServiceName(), "USR2", "main")
-				continue
-			case "sigusr2-all":
-				sysd.Kill(app.ServiceName(), "USR2", "all")
-				continue
-			case "", "restart":
-				// do nothing here, the default below to stop
 			}
 		}
 		if err := stopService(sysd, app, inter); err != nil {
 			return err
 		}
+
+		// ensure the service is really stopped on remove regardless
+		// of stop-mode
+		if reason == snap.StopReasonRemove && !app.StopMode.KillAll() {
+			// FIXME: make this smarter and avoid the killWait
+			//        delay if not needed (i.e. if all processes
+			//        have died)
+			sysd.Kill(app.ServiceName(), "TERM", "all")
+			time.Sleep(killWait)
+			sysd.Kill(app.ServiceName(), "KILL", "")
+		}
 	}
 
 	return nil
@@ -300,6 +347,19 @@
 			}
 		}
 
+		if app.Timer != nil {
+			path := app.Timer.File()
+
+			timerName := filepath.Base(path)
+			if err := sysd.Disable(timerName); err != nil {
+				return err
+			}
+
+			if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+				logger.Noticef("Failed to remove timer file %q for %q: %v", path, serviceName, err)
+			}
+		}
+
 		if err := sysd.Disable(serviceName); err != nil {
 			return err
 		}
@@ -334,19 +394,22 @@
 func genServiceFile(appInfo *snap.AppInfo) []byte {
 	serviceTemplate := `[Unit]
 # Auto-generated, DO NOT EDIT
-Description=Service for snap application {{.App.Snap.Name}}.{{.App.Name}}
+Description=Service for snap application {{.App.Snap.InstanceName}}.{{.App.Name}}
 Requires={{.MountUnit}}
 Wants={{.PrerequisiteTarget}}
-After={{.MountUnit}} {{.PrerequisiteTarget}}{{range .After}} {{.}}{{end}}
+After={{.MountUnit}} {{.PrerequisiteTarget}}{{if .After}} {{ stringsJoin .After " " }}{{end}}
 {{- if .Before}}
-Before={{ range .Before -}}{{.}} {{- end}}
+Before={{ stringsJoin .Before " "}}
 {{- end}}
 X-Snappy=yes
 
 [Service]
 ExecStart={{.App.LauncherCommand}}
-SyslogIdentifier={{.App.Snap.Name}}.{{.App.Name}}
+SyslogIdentifier={{.App.Snap.InstanceName}}.{{.App.Name}}
 Restart={{.Restart}}
+{{- if .App.RestartDelay}}
+RestartSec={{.App.RestartDelay.Seconds}}
+{{- end}}
 WorkingDirectory={{.App.Snap.DataDir}}
 {{- if .App.StopCommand}}
 ExecStop={{.App.LauncherStopCommand}}
@@ -367,6 +430,15 @@
 {{- if .App.BusName}}
 BusName={{.App.BusName}}
 {{- end}}
+{{- if .App.WatchdogTimeout}}
+WatchdogSec={{.App.WatchdogTimeout.Seconds}}
+{{- end}}
+{{- if .KillMode}}
+KillMode={{.KillMode}}
+{{- end}}
+{{- if .KillSignal}}
+KillSignal={{.KillSignal}}
+{{- end}}
 {{- if not .App.Sockets}}
 
 [Install]
@@ -374,7 +446,11 @@
 {{- end}}
 `
 	var templateOut bytes.Buffer
-	t := template.Must(template.New("service-wrapper").Parse(serviceTemplate))
+	tmpl := template.New("service-wrapper")
+	tmpl.Funcs(template.FuncMap{
+		"stringsJoin": strings.Join,
+	})
+	t := template.Must(tmpl.Parse(serviceTemplate))
 
 	restartCond := appInfo.RestartCond.String()
 	if restartCond == "" {
@@ -391,6 +467,10 @@
 			remain = "yes"
 		}
 	}
+	var killMode string
+	if !appInfo.StopMode.KillAll() {
+		killMode = "process"
+	}
 
 	wrapperData := struct {
 		App *snap.AppInfo
@@ -401,6 +481,8 @@
 		PrerequisiteTarget string
 		MountUnit          string
 		Remain             string
+		KillMode           string
+		KillSignal         string
 		Before             []string
 		After              []string
 
@@ -415,8 +497,11 @@
 		PrerequisiteTarget: systemd.PrerequisiteTarget,
 		MountUnit:          filepath.Base(systemd.MountUnitPath(appInfo.Snap.MountDir())),
 		Remain:             remain,
-		Before:             genServiceNames(appInfo.Snap, appInfo.Before),
-		After:              genServiceNames(appInfo.Snap, appInfo.After),
+		KillMode:           killMode,
+		KillSignal:         appInfo.StopMode.KillSignal(),
+
+		Before: genServiceNames(appInfo.Snap, appInfo.Before),
+		After:  genServiceNames(appInfo.Snap, appInfo.After),
 
 		// systemd runs as PID 1 so %h will not work.
 		Home: "/root",
@@ -432,18 +517,19 @@
 
 func genServiceSocketFile(appInfo *snap.AppInfo, socketName string) []byte {
 	socketTemplate := `[Unit]
-# Auto-generated, DO NO EDIT
-Description=Socket {{.SocketName}} for snap application {{.App.Snap.Name}}.{{.App.Name}}
+# Auto-generated, DO NOT EDIT
+Description=Socket {{.SocketName}} for snap application {{.App.Snap.InstanceName}}.{{.App.Name}}
 Requires={{.MountUnit}}
-Wants={{.PrerequisiteTarget}}
-After={{.MountUnit}} {{.PrerequisiteTarget}}
+After={{.MountUnit}}
 X-Snappy=yes
 
 [Socket]
 Service={{.ServiceFileName}}
 FileDescriptorName={{.SocketInfo.Name}}
 ListenStream={{.ListenStream}}
-{{if .SocketInfo.SocketMode}}SocketMode={{.SocketInfo.SocketMode | printf "%04o"}}{{end}}
+{{- if .SocketInfo.SocketMode}}
+SocketMode={{.SocketInfo.SocketMode | printf "%04o"}}
+{{- end}}
 
 [Install]
 WantedBy={{.SocketsTarget}}
@@ -454,23 +540,21 @@
 	socket := appInfo.Sockets[socketName]
 	listenStream := renderListenStream(socket)
 	wrapperData := struct {
-		App                *snap.AppInfo
-		ServiceFileName    string
-		PrerequisiteTarget string
-		SocketsTarget      string
-		MountUnit          string
-		SocketName         string
-		SocketInfo         *snap.SocketInfo
-		ListenStream       string
+		App             *snap.AppInfo
+		ServiceFileName string
+		SocketsTarget   string
+		MountUnit       string
+		SocketName      string
+		SocketInfo      *snap.SocketInfo
+		ListenStream    string
 	}{
-		App:                appInfo,
-		ServiceFileName:    filepath.Base(appInfo.ServiceFile()),
-		SocketsTarget:      systemd.SocketsTarget,
-		PrerequisiteTarget: systemd.PrerequisiteTarget,
-		MountUnit:          filepath.Base(systemd.MountUnitPath(appInfo.Snap.MountDir())),
-		SocketName:         socketName,
-		SocketInfo:         socket,
-		ListenStream:       listenStream,
+		App:             appInfo,
+		ServiceFileName: filepath.Base(appInfo.ServiceFile()),
+		SocketsTarget:   systemd.SocketsTarget,
+		MountUnit:       filepath.Base(systemd.MountUnitPath(appInfo.Snap.MountDir())),
+		SocketName:      socketName,
+		SocketInfo:      socket,
+		ListenStream:    listenStream,
 	}
 
 	if err := t.Execute(&templateOut, wrapperData); err != nil {
@@ -498,3 +582,144 @@
 	listenStream := strings.Replace(socket.ListenStream, "$SNAP_DATA", snap.DataDir(), -1)
 	return strings.Replace(listenStream, "$SNAP_COMMON", snap.CommonDataDir(), -1)
 }
+
+func generateSnapTimerFile(app *snap.AppInfo) ([]byte, error) {
+	timerTemplate := `[Unit]
+# Auto-generated, DO NOT EDIT
+Description=Timer {{.TimerName}} for snap application {{.App.Snap.InstanceName}}.{{.App.Name}}
+Requires={{.MountUnit}}
+After={{.MountUnit}}
+X-Snappy=yes
+
+[Timer]
+Unit={{.ServiceFileName}}
+{{ range .Schedules }}OnCalendar={{ . }}
+{{ end }}
+[Install]
+WantedBy={{.TimersTarget}}
+`
+	var templateOut bytes.Buffer
+	t := template.Must(template.New("timer-wrapper").Parse(timerTemplate))
+
+	timerSchedule, err := timeutil.ParseSchedule(app.Timer.Timer)
+	if err != nil {
+		return nil, err
+	}
+
+	schedules := generateOnCalendarSchedules(timerSchedule)
+
+	wrapperData := struct {
+		App             *snap.AppInfo
+		ServiceFileName string
+		TimersTarget    string
+		TimerName       string
+		MountUnit       string
+		Schedules       []string
+	}{
+		App:             app,
+		ServiceFileName: filepath.Base(app.ServiceFile()),
+		TimersTarget:    systemd.TimersTarget,
+		TimerName:       app.Name,
+		MountUnit:       filepath.Base(systemd.MountUnitPath(app.Snap.MountDir())),
+		Schedules:       schedules,
+	}
+
+	if err := t.Execute(&templateOut, wrapperData); err != nil {
+		// this can never happen, except we forget a variable
+		logger.Panicf("Unable to execute template: %v", err)
+	}
+
+	return templateOut.Bytes(), nil
+
+}
+
+func makeAbbrevWeekdays(start time.Weekday, end time.Weekday) []string {
+	out := make([]string, 0, 7)
+	for w := start; w%7 != (end + 1); w++ {
+		out = append(out, time.Weekday(w % 7).String()[0:3])
+	}
+	return out
+}
+
+// generateOnCalendarSchedules converts a schedule into OnCalendar schedules
+// suitable for use in systemd *.timer units using systemd.time(7)
+// https://www.freedesktop.org/software/systemd/man/systemd.time.html
+func generateOnCalendarSchedules(schedule []*timeutil.Schedule) []string {
+	calendarEvents := make([]string, 0, len(schedule))
+	for _, sched := range schedule {
+		days := make([]string, 0, len(sched.WeekSpans))
+		for _, week := range sched.WeekSpans {
+			abbrev := strings.Join(makeAbbrevWeekdays(week.Start.Weekday, week.End.Weekday), ",")
+			switch week.Start.Pos {
+			case timeutil.EveryWeek:
+				// eg: mon, mon-fri, fri-mon
+				days = append(days, fmt.Sprintf("%s *-*-*", abbrev))
+			case timeutil.LastWeek:
+				// eg: mon5
+				days = append(days, fmt.Sprintf("%s *-*~7/1", abbrev))
+			default:
+				// eg: mon1, fri1, mon1-tue2
+				startDay := (week.Start.Pos-1)*7 + 1
+				endDay := week.End.Pos * 7
+
+				// NOTE: schedule mon1-tue2 (all weekdays
+				// between the first Monday of the month, until
+				// the second Tuesday of the month) is not
+				// translatable to systemd.time(7) format, for
+				// this assume all weekdays and allow the runner
+				// to do the filtering
+				if week.Start != week.End {
+					days = append(days,
+						fmt.Sprintf("*-*-%d..%d/1", startDay, endDay))
+				} else {
+					days = append(days,
+						fmt.Sprintf("%s *-*-%d..%d/1", abbrev, startDay, endDay))
+				}
+
+			}
+		}
+
+		if len(days) == 0 {
+			// no weekday spec, meaning the timer runs every day
+			days = []string{"*-*-*"}
+		}
+
+		startTimes := make([]string, 0, len(sched.ClockSpans))
+		for _, clocks := range sched.ClockSpans {
+			// use expanded clock spans
+			for _, span := range clocks.ClockSpans() {
+				when := span.Start
+				if span.Spread {
+					length := span.End.Sub(span.Start)
+					if length < 0 {
+						// span Start wraps around, so we have '00:00.Sub(23:45)'
+						length = -length
+					}
+					if length > 5*time.Minute {
+						// replicate what timeutil.Next() does
+						// and cut some time at the end of the
+						// window so that events do not happen
+						// directly one after another
+						length -= 5 * time.Minute
+					}
+					when = when.Add(time.Duration(rand.Int63n(int64(length))))
+				}
+				if when.Hour == 24 {
+					// 24:00 for us means the other end of
+					// the day, for systemd we need to
+					// adjust it to the 0-23 hour range
+					when.Hour -= 24
+				}
+
+				startTimes = append(startTimes, when.String())
+			}
+		}
+
+		for _, day := range days {
+			for _, startTime := range startTimes {
+				calendarEvents = append(calendarEvents, fmt.Sprintf("%s %s", day, startTime))
+			}
+		}
+	}
+	return calendarEvents
+}
diff -Nru snapd-2.32.3.2~14.04/wrappers/services_test.go snapd-2.37~rc1~14.04/wrappers/services_test.go
--- snapd-2.32.3.2~14.04/wrappers/services_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/wrappers/services_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -25,6 +25,7 @@
 	"path/filepath"
 	"regexp"
 	"sort"
+	"strings"
 	"time"
 
 	. "gopkg.in/check.v1"
@@ -34,6 +35,7 @@
 	"github.com/snapcore/snapd/progress"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
+	"github.com/snapcore/snapd/strutil"
 	"github.com/snapcore/snapd/systemd"
 	"github.com/snapcore/snapd/testutil"
 	"github.com/snapcore/snapd/wrappers"
@@ -42,39 +44,39 @@
 type servicesTestSuite struct {
 	tempdir string
 
-	restorer func()
+	sysdLog [][]string
+
+	systemctlRestorer, delaysRestorer func()
 }
 
 var _ = Suite(&servicesTestSuite{})
 
 func (s *servicesTestSuite) SetUpTest(c *C) {
 	s.tempdir = c.MkDir()
+	s.sysdLog = nil
 	dirs.SetRootDir(s.tempdir)
 
-	s.restorer = systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
+	s.systemctlRestorer = systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
+		s.sysdLog = append(s.sysdLog, cmd)
 		return []byte("ActiveState=inactive\n"), nil
 	})
+	s.delaysRestorer = systemd.MockStopDelays(time.Millisecond, 25*time.Second)
+
 }
 
 func (s *servicesTestSuite) TearDownTest(c *C) {
 	dirs.SetRootDir("")
-	s.restorer()
+	s.systemctlRestorer()
+	s.delaysRestorer()
 }
 
 func (s *servicesTestSuite) TestAddSnapServicesAndRemove(c *C) {
-	var sysdLog [][]string
-	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
-		sysdLog = append(sysdLog, cmd)
-		return []byte("ActiveState=inactive\n"), nil
-	})
-	defer r()
-
 	info := snaptest.MockSnap(c, packageHello, &snap.SideInfo{Revision: snap.R(12)})
 	svcFile := filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc1.service")
 
 	err := wrappers.AddSnapServices(info, nil)
 	c.Assert(err, IsNil)
-	c.Check(sysdLog, DeepEquals, [][]string{
+	c.Check(s.sysdLog, DeepEquals, [][]string{
 		{"--root", dirs.GlobalRootDir, "enable", filepath.Base(svcFile)},
 		{"daemon-reload"},
 	})
@@ -89,24 +91,28 @@
 		c.Check(string(content), Matches, "(?ms).*^"+regexp.QuoteMeta(expected)) // check.v1 adds ^ and $ around the regexp provided
 	}
 
-	sysdLog = nil
+	s.sysdLog = nil
 	err = wrappers.StopServices(info.Services(), "", progress.Null)
 	c.Assert(err, IsNil)
-	c.Assert(sysdLog, HasLen, 2)
-	c.Check(sysdLog, DeepEquals, [][]string{
+	c.Assert(s.sysdLog, HasLen, 2)
+	c.Check(s.sysdLog, DeepEquals, [][]string{
 		{"stop", filepath.Base(svcFile)},
 		{"show", "--property=ActiveState", "snap.hello-snap.svc1.service"},
 	})
 
-	sysdLog = nil
+	s.sysdLog = nil
 	err = wrappers.RemoveSnapServices(info, progress.Null)
 	c.Assert(err, IsNil)
 	c.Check(osutil.FileExists(svcFile), Equals, false)
-	c.Assert(sysdLog, HasLen, 2)
-	c.Check(sysdLog[0], DeepEquals, []string{"--root", dirs.GlobalRootDir, "disable", filepath.Base(svcFile)})
-	c.Check(sysdLog[1], DeepEquals, []string{"daemon-reload"})
+	c.Assert(s.sysdLog, HasLen, 2)
+	c.Check(s.sysdLog[0], DeepEquals, []string{"--root", dirs.GlobalRootDir, "disable", filepath.Base(svcFile)})
+	c.Check(s.sysdLog[1], DeepEquals, []string{"daemon-reload"})
 }
 
+var snapdYaml = `name: snapd
+version: 1.0
+`
+
 func (s *servicesTestSuite) TestRemoveSnapWithSocketsRemovesSocketsService(c *C) {
 	info := snaptest.MockSnap(c, packageHello+`
  svc1:
@@ -137,7 +143,7 @@
 }
 
 func (s *servicesTestSuite) TestRemoveSnapPackageFallbackToKill(c *C) {
-	restore := wrappers.MockKillWait(200 * time.Millisecond)
+	restore := wrappers.MockKillWait(time.Millisecond)
 	defer restore()
 
 	var sysdLog [][]string
@@ -156,7 +162,7 @@
 apps:
  wat:
    command: wat
-   stop-timeout: 250ms
+   stop-timeout: 20ms
    daemon: forking
 `, &snap.SideInfo{Revision: snap.R(11)})
 
@@ -214,35 +220,58 @@
 }
 
 func (s *servicesTestSuite) TestStartServices(c *C) {
-	var sysdLog [][]string
-	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
-		sysdLog = append(sysdLog, cmd)
-		return []byte("ActiveState=inactive\n"), nil
+	info := snaptest.MockSnap(c, packageHello, &snap.SideInfo{Revision: snap.R(12)})
+	svcFile := filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc1.service")
+
+	err := wrappers.StartServices(info.Services(), nil)
+	c.Assert(err, IsNil)
+
+	c.Assert(s.sysdLog, DeepEquals, [][]string{
+		{"--root", s.tempdir, "is-enabled", filepath.Base(svcFile)},
+		{"start", filepath.Base(svcFile)},
 	})
-	defer r()
+}
 
+func (s *servicesTestSuite) TestNoStartDisabledServices(c *C) {
 	info := snaptest.MockSnap(c, packageHello, &snap.SideInfo{Revision: snap.R(12)})
 	svcFile := filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc1.service")
 
+	s.systemctlRestorer()
+	r := testutil.MockCommand(c, "systemctl", `#!/bin/sh
+	if [ "$1" = "--root" ]; then
+	    shift 2
+	fi
+	
+	case "$1" in
+	    is-enabled)
+	        if [ "$2" = "snap.hello-snap.svc1.service" ]; then
+	            echo "disabled"
+	            exit 1
+	        else
+	            echo "unexpected call $*"
+	            exit 2
+	        fi
+	        ;;
+	    *)
+	        echo "unexpected call $*"
+	        exit 2
+	esac
+	`)
+	defer r.Restore()
+
 	err := wrappers.StartServices(info.Services(), nil)
 	c.Assert(err, IsNil)
 
-	c.Assert(sysdLog, DeepEquals, [][]string{{"start", filepath.Base(svcFile)}})
+	c.Assert(r.Calls(), DeepEquals, [][]string{
+		{"systemctl", "--root", s.tempdir, "is-enabled", filepath.Base(svcFile)},
+	})
 }
 
 func (s *servicesTestSuite) TestAddSnapMultiServicesFailCreateCleanup(c *C) {
-	var sysdLog [][]string
-
 	// sanity check: there are no service files
 	svcFiles, _ := filepath.Glob(filepath.Join(dirs.SnapServicesDir, "snap.hello-snap.*.service"))
 	c.Check(svcFiles, HasLen, 0)
 
-	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
-		sysdLog = append(sysdLog, cmd)
-		return nil, nil
-	})
-	defer r()
-
 	info := snaptest.MockSnap(c, packageHello+`
  svc2:
   daemon: potato
@@ -258,9 +287,9 @@
 	// *either* the first service failed validation, and nothing
 	// was done, *or* the second one failed, and the first one was
 	// enabled before the second failed, and disabled after.
-	if len(sysdLog) > 0 {
+	if len(s.sysdLog) > 0 {
 		// the second service failed validation
-		c.Check(sysdLog, DeepEquals, [][]string{
+		c.Check(s.sysdLog, DeepEquals, [][]string{
 			{"--root", dirs.GlobalRootDir, "enable", "snap.hello-snap.svc1.service"},
 			{"--root", dirs.GlobalRootDir, "disable", "snap.hello-snap.svc1.service"},
 			{"daemon-reload"},
@@ -378,14 +407,6 @@
 }
 
 func (s *servicesTestSuite) TestAddSnapSocketFiles(c *C) {
-	var sysdLog [][]string
-
-	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
-		sysdLog = append(sysdLog, cmd)
-		return nil, nil
-	})
-	defer r()
-
 	info := snaptest.MockSnap(c, packageHello+`
  svc1:
   daemon: simple
@@ -433,11 +454,9 @@
 		sysdLog = append(sysdLog, cmd)
 		if len(cmd) >= 2 && cmd[0] == "start" {
 			name := cmd[len(cmd)-1]
-			if name == svc1Name {
-				// the services are being iterated in the "wrong" order
-				svc1Name, svc2Name = svc2Name, svc1Name
+			if name == svc2Name {
+				return nil, fmt.Errorf("failed")
 			}
-			return nil, fmt.Errorf("failed")
 		}
 		return []byte("ActiveState=inactive\n"), nil
 	})
@@ -449,11 +468,19 @@
   daemon: simple
 `, &snap.SideInfo{Revision: snap.R(12)})
 
-	err := wrappers.StartServices(info.Services(), nil)
+	svcs := info.Services()
+	c.Assert(svcs, HasLen, 2)
+	if svcs[0].Name == "svc2" {
+		svcs[0], svcs[1] = svcs[1], svcs[0]
+	}
+	err := wrappers.StartServices(svcs, nil)
 	c.Assert(err, ErrorMatches, "failed")
-	c.Assert(sysdLog, HasLen, 5, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
+	c.Assert(sysdLog, HasLen, 8, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
 	c.Check(sysdLog, DeepEquals, [][]string{
-		{"start", svc1Name, svc2Name}, // one of the services fails
+		{"--root", s.tempdir, "is-enabled", svc1Name},
+		{"--root", s.tempdir, "is-enabled", svc2Name},
+		{"start", svc1Name},
+		{"start", svc2Name}, // one of the services fails
 		{"stop", svc2Name},
 		{"show", "--property=ActiveState", svc2Name},
 		{"stop", svc1Name},
@@ -503,8 +530,9 @@
 	err := wrappers.StartServices(apps, nil)
 	c.Assert(err, ErrorMatches, "failed")
 	c.Logf("sysdlog: %v", sysdLog)
-	c.Assert(sysdLog, HasLen, 16, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
+	c.Assert(sysdLog, HasLen, 17, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
 	c.Check(sysdLog, DeepEquals, [][]string{
+		{"--root", s.tempdir, "is-enabled", svc1Name},
 		{"--root", s.tempdir, "enable", svc2SocketName},
 		{"start", svc2SocketName},
 		{"--root", s.tempdir, "enable", svc3SocketName},
@@ -524,15 +552,67 @@
 	}, Commentf("calls: %v", sysdLog))
 }
 
-func (s *servicesTestSuite) TestServiceAfterBefore(c *C) {
+func (s *servicesTestSuite) TestStartSnapServicesKeepsOrder(c *C) {
 	var sysdLog [][]string
+	svc1Name := "snap.services-snap.svc1.service"
+	svc2Name := "snap.services-snap.svc2.service"
+	svc3Name := "snap.services-snap.svc3.service"
 
 	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
 		sysdLog = append(sysdLog, cmd)
-		return nil, nil
+		return []byte("ActiveState=inactive\n"), nil
 	})
 	defer r()
 
+	info := snaptest.MockSnap(c, `name: services-snap
+apps:
+  svc1:
+    daemon: simple
+    before: [svc3]
+  svc2:
+    daemon: simple
+    after: [svc1]
+  svc3:
+    daemon: simple
+    before: [svc2]
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	svcs := info.Services()
+	c.Assert(svcs, HasLen, 3)
+
+	sorted, err := snap.SortServices(svcs)
+	c.Assert(err, IsNil)
+
+	err = wrappers.StartServices(sorted, nil)
+	c.Assert(err, IsNil)
+	c.Assert(sysdLog, HasLen, 6, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
+	c.Check(sysdLog, DeepEquals, [][]string{
+		{"--root", s.tempdir, "is-enabled", svc1Name},
+		{"--root", s.tempdir, "is-enabled", svc3Name},
+		{"--root", s.tempdir, "is-enabled", svc2Name},
+		{"start", svc1Name},
+		{"start", svc3Name},
+		{"start", svc2Name},
+	}, Commentf("calls: %v", sysdLog))
+
+	// change the order
+	sorted[1], sorted[0] = sorted[0], sorted[1]
+
+	// we should observe the calls done in the same order as services
+	err = wrappers.StartServices(sorted, nil)
+	c.Assert(err, IsNil)
+	c.Assert(sysdLog, HasLen, 12, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
+	c.Check(sysdLog[6:], DeepEquals, [][]string{
+		{"--root", s.tempdir, "is-enabled", svc3Name},
+		{"--root", s.tempdir, "is-enabled", svc1Name},
+		{"--root", s.tempdir, "is-enabled", svc2Name},
+		{"start", svc3Name},
+		{"start", svc1Name},
+		{"start", svc2Name},
+	}, Commentf("calls: %v", sysdLog))
+}
+
+func (s *servicesTestSuite) TestServiceAfterBefore(c *C) {
 	snapYaml := packageHello + `
  svc2:
    daemon: forking
@@ -603,14 +683,38 @@
 
 }
 
-func (s *servicesTestSuite) TestStopServiceEndure(c *C) {
-	var sysdLog [][]string
-	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
-		sysdLog = append(sysdLog, cmd)
-		return []byte("ActiveState=inactive\n"), nil
-	})
-	defer r()
+func (s *servicesTestSuite) TestServiceWatchdog(c *C) {
+	snapYaml := packageHello + `
+ svc2:
+   daemon: forking
+   watchdog-timeout: 12s
+ svc3:
+   daemon: forking
+   watchdog-timeout: 0s
+ svc4:
+   daemon: forking
+`
+	info := snaptest.MockSnap(c, snapYaml, &snap.SideInfo{Revision: snap.R(12)})
+
+	err := wrappers.AddSnapServices(info, nil)
+	c.Assert(err, IsNil)
+
+	content, err := ioutil.ReadFile(filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc2.service"))
+	c.Assert(err, IsNil)
+	c.Check(strings.Contains(string(content), "\nWatchdogSec=12\n"), Equals, true)
+
+	noWatchdog := []string{
+		filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc3.service"),
+		filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc4.service"),
+	}
+	for _, svcPath := range noWatchdog {
+		content, err := ioutil.ReadFile(svcPath)
+		c.Assert(err, IsNil)
+		c.Check(strings.Contains(string(content), "WatchdogSec="), Equals, false)
+	}
+}
 
+func (s *servicesTestSuite) TestStopServiceEndure(c *C) {
 	const surviveYaml = `name: survive-snap
 version: 1.0
 apps:
@@ -624,20 +728,20 @@
 
 	err := wrappers.AddSnapServices(info, nil)
 	c.Assert(err, IsNil)
-	c.Check(sysdLog, DeepEquals, [][]string{
+	c.Check(s.sysdLog, DeepEquals, [][]string{
 		{"--root", dirs.GlobalRootDir, "enable", filepath.Base(survivorFile)},
 		{"daemon-reload"},
 	})
 
-	sysdLog = nil
+	s.sysdLog = nil
 	err = wrappers.StopServices(info.Services(), snap.StopReasonRefresh, progress.Null)
 	c.Assert(err, IsNil)
-	c.Assert(sysdLog, HasLen, 0)
+	c.Assert(s.sysdLog, HasLen, 0)
 
-	sysdLog = nil
+	s.sysdLog = nil
 	err = wrappers.StopServices(info.Services(), snap.StopReasonRemove, progress.Null)
 	c.Assert(err, IsNil)
-	c.Check(sysdLog, DeepEquals, [][]string{
+	c.Check(s.sysdLog, DeepEquals, [][]string{
 		{"stop", filepath.Base(survivorFile)},
 		{"show", "--property=ActiveState", "snap.survive-snap.survivor.service"},
 	})
@@ -645,11 +749,7 @@
 }
 
 func (s *servicesTestSuite) TestStopServiceSigs(c *C) {
-	var sysdLog [][]string
-	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
-		sysdLog = append(sysdLog, cmd)
-		return []byte("ActiveState=inactive\n"), nil
-	})
+	r := wrappers.MockKillWait(1 * time.Millisecond)
 	defer r()
 
 	survivorFile := filepath.Join(s.tempdir, "/etc/systemd/system/snap.survive-snap.srv.service")
@@ -672,37 +772,226 @@
 apps:
  srv:
   command: bin/survivor
-  refresh-mode: %s
+  stop-mode: %s
   daemon: simple
 `, t.mode)
 		info := snaptest.MockSnap(c, surviveYaml, &snap.SideInfo{Revision: snap.R(1)})
 
-		sysdLog = nil
+		s.sysdLog = nil
 		err := wrappers.AddSnapServices(info, nil)
 		c.Assert(err, IsNil)
-		c.Check(sysdLog, DeepEquals, [][]string{
+		c.Check(s.sysdLog, DeepEquals, [][]string{
 			{"--root", dirs.GlobalRootDir, "enable", filepath.Base(survivorFile)},
 			{"daemon-reload"},
 		})
 
-		sysdLog = nil
+		s.sysdLog = nil
 		err = wrappers.StopServices(info.Services(), snap.StopReasonRefresh, progress.Null)
 		c.Assert(err, IsNil)
-		c.Check(sysdLog, DeepEquals, [][]string{
-			{"kill", filepath.Base(survivorFile), "-s", t.expectedSig, "--kill-who=" + t.expectedWho},
+		c.Check(s.sysdLog, DeepEquals, [][]string{
+			{"stop", filepath.Base(survivorFile)},
+			{"show", "--property=ActiveState", "snap.survive-snap.srv.service"},
 		}, Commentf("failure in %s", t.mode))
 
-		sysdLog = nil
+		s.sysdLog = nil
 		err = wrappers.StopServices(info.Services(), snap.StopReasonRemove, progress.Null)
 		c.Assert(err, IsNil)
-		c.Check(sysdLog, DeepEquals, [][]string{
-			{"stop", filepath.Base(survivorFile)},
-			{"show", "--property=ActiveState", "snap.survive-snap.srv.service"},
-		})
+		switch t.expectedWho {
+		case "all":
+			c.Check(s.sysdLog, DeepEquals, [][]string{
+				{"stop", filepath.Base(survivorFile)},
+				{"show", "--property=ActiveState", "snap.survive-snap.srv.service"},
+			})
+		case "main":
+			c.Check(s.sysdLog, DeepEquals, [][]string{
+				{"stop", filepath.Base(survivorFile)},
+				{"show", "--property=ActiveState", "snap.survive-snap.srv.service"},
+				{"kill", filepath.Base(survivorFile), "-s", "TERM", "--kill-who=all"},
+				{"kill", filepath.Base(survivorFile), "-s", "KILL", "--kill-who=all"},
+			})
+		default:
+			panic("not reached")
+		}
 	}
 
 }
 
+func (s *servicesTestSuite) TestStartSnapTimerEnableStart(c *C) {
+	svc1Name := "snap.hello-snap.svc1.service"
+	// svc2Name := "snap.hello-snap.svc2.service"
+	svc2Timer := "snap.hello-snap.svc2.timer"
+
+	info := snaptest.MockSnap(c, packageHello+`
+ svc2:
+  command: bin/hello
+  daemon: simple
+  timer: 10:00-12:00
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	// fix the apps order to make the test stable
+	apps := []*snap.AppInfo{info.Apps["svc1"], info.Apps["svc2"]}
+	err := wrappers.StartServices(apps, nil)
+	c.Assert(err, IsNil)
+	c.Assert(s.sysdLog, HasLen, 4, Commentf("len: %v calls: %v", len(s.sysdLog), s.sysdLog))
+	c.Check(s.sysdLog, DeepEquals, [][]string{
+		{"--root", dirs.GlobalRootDir, "is-enabled", svc1Name},
+		{"--root", dirs.GlobalRootDir, "enable", svc2Timer},
+		{"start", svc2Timer},
+		{"start", svc1Name},
+	}, Commentf("calls: %v", s.sysdLog))
+}
+
+func (s *servicesTestSuite) TestStartSnapTimerCleanup(c *C) {
+	var sysdLog [][]string
+	svc1Name := "snap.hello-snap.svc1.service"
+	svc2Name := "snap.hello-snap.svc2.service"
+	svc2Timer := "snap.hello-snap.svc2.timer"
+
+	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
+		sysdLog = append(sysdLog, cmd)
+		if len(cmd) >= 2 && cmd[0] == "start" && cmd[1] == svc2Timer {
+			return nil, fmt.Errorf("failed")
+		}
+		return []byte("ActiveState=inactive\n"), nil
+	})
+	defer r()
+
+	info := snaptest.MockSnap(c, packageHello+`
+ svc2:
+  command: bin/hello
+  daemon: simple
+  timer: 10:00-12:00
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	// fix the apps order to make the test stable
+	apps := []*snap.AppInfo{info.Apps["svc1"], info.Apps["svc2"]}
+	err := wrappers.StartServices(apps, nil)
+	c.Assert(err, ErrorMatches, "failed")
+	c.Assert(sysdLog, HasLen, 10, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
+	c.Check(sysdLog, DeepEquals, [][]string{
+		{"--root", dirs.GlobalRootDir, "is-enabled", svc1Name},
+		{"--root", dirs.GlobalRootDir, "enable", svc2Timer},
+		{"start", svc2Timer}, // this call fails
+		{"stop", svc2Timer},
+		{"show", "--property=ActiveState", svc2Timer},
+		{"stop", svc2Name},
+		{"show", "--property=ActiveState", svc2Name},
+		{"--root", dirs.GlobalRootDir, "disable", svc2Timer},
+		{"stop", svc1Name},
+		{"show", "--property=ActiveState", svc1Name},
+	}, Commentf("calls: %v", sysdLog))
+}
+
+func (s *servicesTestSuite) TestAddRemoveSnapWithTimersAddsRemovesTimerFiles(c *C) {
+	info := snaptest.MockSnap(c, packageHello+`
+ svc2:
+  command: bin/hello
+  daemon: simple
+  timer: 10:00-12:00
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	err := wrappers.AddSnapServices(info, nil)
+	c.Assert(err, IsNil)
+
+	app := info.Apps["svc2"]
+	c.Assert(app.Timer, NotNil)
+
+	c.Check(osutil.FileExists(app.Timer.File()), Equals, true)
+	c.Check(osutil.FileExists(app.ServiceFile()), Equals, true)
+
+	err = wrappers.StopServices(info.Services(), "", &progress.Null)
+	c.Assert(err, IsNil)
+
+	err = wrappers.RemoveSnapServices(info, &progress.Null)
+	c.Assert(err, IsNil)
+
+	c.Check(osutil.FileExists(app.Timer.File()), Equals, false)
+	c.Check(osutil.FileExists(app.ServiceFile()), Equals, false)
+}
+
+func (s *servicesTestSuite) TestFailedAddSnapCleansUp(c *C) {
+	info := snaptest.MockSnap(c, packageHello+`
+ svc2:
+  command: bin/hello
+  daemon: simple
+  timer: 10:00-12:00
+ svc3:
+  command: bin/hello
+  daemon: simple
+  plugs: [network-bind]
+  sockets:
+    sock1:
+      listen-stream: $SNAP_COMMON/sock1.socket
+      socket-mode: 0666
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	calls := 0
+	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
+		if len(cmd) == 1 && cmd[0] == "daemon-reload" && calls == 0 {
+			// only fail the first systemd daemon-reload call, the
+			// second one is at the end of cleanup
+			calls += 1
+			return nil, fmt.Errorf("failed")
+		}
+		return []byte("ActiveState=inactive\n"), nil
+	})
+	defer r()
+
+	err := wrappers.AddSnapServices(info, &progress.Null)
+	c.Assert(err, NotNil)
+
+	c.Logf("services dir: %v", dirs.SnapServicesDir)
+	matches, err := filepath.Glob(dirs.SnapServicesDir + "/*")
+	c.Assert(err, IsNil)
+	c.Assert(matches, HasLen, 0, Commentf("the following autogenerated files were left behind: %v", matches))
+}
+
+func (s *servicesTestSuite) TestAddServicesDidReload(c *C) {
+	const base = `name: hello-snap
+version: 1.10
+summary: hello
+description: Hello...
+apps:
+`
+	onlyServices := snaptest.MockSnap(c, base+`
+ svc1:
+  command: bin/hello
+  daemon: simple
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	onlySockets := snaptest.MockSnap(c, base+`
+ svc1:
+  command: bin/hello
+  daemon: simple
+  plugs: [network-bind]
+  sockets:
+    sock1:
+      listen-stream: $SNAP_COMMON/sock1.socket
+      socket-mode: 0666
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	onlyTimers := snaptest.MockSnap(c, base+`
+ svc1:
+  command: bin/hello
+  daemon: oneshot
+  timer: 10:00-12:00
+`, &snap.SideInfo{Revision: snap.R(12)})
+
+	for i, info := range []*snap.Info{onlyServices, onlySockets, onlyTimers} {
+		s.sysdLog = nil
+		err := wrappers.AddSnapServices(info, &progress.Null)
+		c.Assert(err, IsNil)
+		reloads := 0
+		c.Logf("calls: %v", s.sysdLog)
+		for _, call := range s.sysdLog {
+			if strutil.ListContains(call, "daemon-reload") {
+				reloads += 1
+			}
+		}
+		c.Check(reloads >= 1, Equals, true, Commentf("test-case %v did not reload services as expected", i))
+	}
+}
+
 func (s *servicesTestSuite) TestSnapServicesActivation(c *C) {
 	const snapYaml = `name: hello-snap
 version: 1.10
@@ -717,18 +1006,15 @@
     sock1:
       listen-stream: $SNAP_COMMON/sock1.socket
       socket-mode: 0666
+ svc2:
+  command: bin/hello
+  daemon: oneshot
+  timer: 10:00-12:00
  svc3:
   command: bin/hello
   daemon: simple
 `
 
-	var sysdLog [][]string
-	r := systemd.MockSystemctl(func(cmd ...string) ([]byte, error) {
-		sysdLog = append(sysdLog, cmd)
-		return []byte("ActiveState=inactive\n"), nil
-	})
-	defer r()
-
 	svc3Name := "snap.hello-snap.svc3.service"
 
 	info := snaptest.MockSnap(c, snapYaml, &snap.SideInfo{Revision: snap.R(12)})
@@ -736,10 +1022,32 @@
 	// fix the apps order to make the test stable
 	err := wrappers.AddSnapServices(info, nil)
 	c.Assert(err, IsNil)
-	c.Assert(sysdLog, HasLen, 2, Commentf("len: %v calls: %v", len(sysdLog), sysdLog))
-	c.Check(sysdLog, DeepEquals, [][]string{
+	c.Assert(s.sysdLog, HasLen, 2, Commentf("len: %v calls: %v", len(s.sysdLog), s.sysdLog))
+	c.Check(s.sysdLog, DeepEquals, [][]string{
 		// only svc3 gets started during boot
 		{"--root", dirs.GlobalRootDir, "enable", svc3Name},
 		{"daemon-reload"},
-	}, Commentf("calls: %v", sysdLog))
+	}, Commentf("calls: %v", s.sysdLog))
+}
+
+func (s *servicesTestSuite) TestServiceRestartDelay(c *C) {
+	snapYaml := packageHello + `
+ svc2:
+   daemon: forking
+   restart-delay: 12s
+ svc3:
+   daemon: forking
+`
+	info := snaptest.MockSnap(c, snapYaml, &snap.SideInfo{Revision: snap.R(12)})
+
+	err := wrappers.AddSnapServices(info, nil)
+	c.Assert(err, IsNil)
+
+	content, err := ioutil.ReadFile(filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc2.service"))
+	c.Assert(err, IsNil)
+	c.Check(strings.Contains(string(content), "\nRestartSec=12\n"), Equals, true)
+
+	content, err = ioutil.ReadFile(filepath.Join(s.tempdir, "/etc/systemd/system/snap.hello-snap.svc3.service"))
+	c.Assert(err, IsNil)
+	c.Check(strings.Contains(string(content), "RestartSec="), Equals, false)
 }
diff -Nru snapd-2.32.3.2~14.04/xdgopenproxy/xdgopenproxy_test.go snapd-2.37~rc1~14.04/xdgopenproxy/xdgopenproxy_test.go
--- snapd-2.32.3.2~14.04/xdgopenproxy/xdgopenproxy_test.go	2018-04-11 10:40:09.000000000 +0000
+++ snapd-2.37~rc1~14.04/xdgopenproxy/xdgopenproxy_test.go	2019-01-16 08:36:51.000000000 +0000
@@ -104,6 +104,10 @@
 }
 
 func (s *xdgOpenSuite) TestOpenUnreadableFile(c *C) {
+	if os.Getuid() == 0 {
+		c.Skip("test will not work for root")
+	}
+
 	path := filepath.Join(c.MkDir(), "test.txt")
 	c.Assert(ioutil.WriteFile(path, []byte("Hello world"), 0644), IsNil)
 	c.Assert(os.Chmod(path, 0), IsNil)